Abhishek's Blog

Abhishek's BlogTechnical writeups and articles about web exploitation, CTF challenges, and security research.https://ahh.bet/en-usCryptoCTF 2023: Bertrand - Breaking Image Encryption with Hilbert Curves and Z3https://ahh.bet/blog/cryptoctf-2023-writeup-bertrand/https://ahh.bet/blog/cryptoctf-2023-writeup-bertrand/Mon, 10 Jul 2023 05:18:14 GMTcryptographyz3-solverhilbert-curvespythonctf-writeupimage-encryptionconstraint-solvingNewportBlakeCTF 2023: sudoku-revenge - Idempotent Latin Squareshttps://ahh.bet/blog/newportblakectf-2023-sudoku-revenge/https://ahh.bet/blog/newportblakectf-2023-sudoku-revenge/Fri, 08 Dec 2023 00:40:38 GMTcombinatoricslatin-squaresmathematicsalgorithmspythonctf-writeupgraph-theoryLACTF 2024: ctf-wiki - CSP Bypass via Cookieless Iframehttps://ahh.bet/blog/lactf-2024-ctf-wiki/https://ahh.bet/blog/lactf-2024-ctf-wiki/Fri, 01 Mar 2024 01:58:35 GMTweb-securityxsscsp-bypassflaskiframesame-origin-policyctf-writeupSDCTF 2024: SNOWfall - ServiceNow Prototype Pollutionhttps://ahh.bet/blog/sdctf-2024-snowfall/https://ahh.bet/blog/sdctf-2024-snowfall/Wed, 15 May 2024 18:00:00 GMTsdctf-2024web-securityprototype-pollutionservicenowctf-writeupauthor-writeupSDCTF 2024: fancy_text_viewer - DOMPurify Bypass via CSS Injectionhttps://ahh.bet/blog/sdctf-2024-fancy-text-viewer/https://ahh.bet/blog/sdctf-2024-fancy-text-viewer/Wed, 15 May 2024 14:00:00 GMTsdctf-2024web-securitydompurifycss-injectionctf-writeupauthor-writeupForging service_role From an Anon Key: Chaining Two Supabase Bugs Into a CVSS 10.0 RLS Bypasshttps://ahh.bet/blog/supabase-rls-bypass-anon-to-service-role/https://ahh.bet/blog/supabase-rls-bypass-anon-to-service-role/While building a Supabase security scanner, I found two bugs that chain together to escalate a public anon key into service_role access on older Supabase Cloud projects.Fri, 10 Apr 2026 00:00:00 GMTsupabasepostgrestjwtrls-bypasssecurity-researchvulnerability-disclosuresupascanThree Unauthenticated Ways to Introspect a Supabase Database Schemahttps://ahh.bet/blog/supabase-schema-introspection/https://ahh.bet/blog/supabase-schema-introspection/Supabase exposes database schema information through three different mechanisms: OpenAPI, schema_cache, and GraphQL introspection. Here's how each one works.Wed, 25 Mar 2026 00:00:00 GMTsupabasepostgrestgraphqlschema-introspectionsecurity-researchsupascanSDCTF 2024: Blackjack Card Counting and Python 3.11 Bytecode Cache Exploitationhttps://ahh.bet/blog/sdctf-2024-misc-challenges/https://ahh.bet/blog/sdctf-2024-misc-challenges/Wed, 15 May 2024 10:00:00 GMTsdctf-2024pythonbytecodecard-countingmiscctf-writeupauthor-writeup