Writings

Technical writeups on engineering, web exploitation, and security research.

2026

Forging service_role From an Anon Key: Chaining Two Supabase Bugs Into a CVSS 10.0 RLS Bypass

supabase postgrest jwt
Apr 10, 2026 14 min read
01

Three Unauthenticated Ways to Introspect a Supabase Database Schema

supabase postgrest graphql
Mar 25, 2026 10 min read
02
2024

SDCTF 2024: SNOWfall - ServiceNow Prototype Pollution

sdctf-2024 web-security prototype-pollution
May 15, 2024 7 min read
03

SDCTF 2024: fancy_text_viewer - DOMPurify Bypass via CSS Injection

sdctf-2024 web-security dompurify
May 15, 2024 11 min read
04

SDCTF 2024: Blackjack Card Counting and Python 3.11 Bytecode Cache Exploitation

sdctf-2024 python bytecode
May 15, 2024 14 min read
05

LACTF 2024: ctf-wiki - CSP Bypass via Cookieless Iframe

web-security xss csp-bypass
Mar 1, 2024 5 min read
06
2023

NewportBlakeCTF 2023: sudoku-revenge - Idempotent Latin Squares

combinatorics latin-squares mathematics
Dec 8, 2023 5 min read
07

CryptoCTF 2023: Bertrand - Breaking Image Encryption with Hilbert Curves and Z3

cryptography z3-solver hilbert-curves
Jul 10, 2023 12 min read
08