<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Home on aniket/awwfensive</title><link>https://awwfensive.github.io/</link><description>Recent content in Home on aniket/awwfensive</description><generator>Hugo</generator><language>en-US</language><copyright>Copyright (c) 2025, aniket.</copyright><lastBuildDate>Tue, 14 Jul 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://awwfensive.github.io/index.xml" rel="self" type="application/rss+xml"/><item><title>Breaking Flyto's MCP Recipe Runner: A Path Traversal Vulnerability</title><link>https://awwfensive.github.io/escaping-the-recipe-book-path-traversal-in-flytos-run-recipe/</link><pubDate>Tue, 14 Jul 2026 00:00:00 +0000</pubDate><guid>https://awwfensive.github.io/escaping-the-recipe-book-path-traversal-in-flytos-run-recipe/</guid><description>&lt;h2 id="what-is-flyto-core"&gt;What is flyto-core?&lt;/h2&gt;
&lt;p&gt;&lt;a href="https://github.com/flytohub/flyto-core"&gt;Flyto Core&lt;/a&gt; is the core execution engine of the Flyto platform that runs automation workflows by orchestrating modules, managing execution state, handling variables and secrets, and recording evidence throughout the workflow lifecycle.&lt;/p&gt;
&lt;figure class="clickable-img"&gt;&lt;img src="https://awwfensive.github.io/flyto/1.png"
 alt="repo"&gt;
&lt;/figure&gt;

&lt;h2 id="what-are-flyto-recipes"&gt;What are Flyto recipes?&lt;/h2&gt;
&lt;p&gt;Flyto supports reusable, pre-built YAML workflows called recipes. They are intended to live in the bundled &lt;code&gt;src/recipes/&lt;/code&gt; directory, be listed through &lt;code&gt;list_recipes()&lt;/code&gt;, and be executed by name through the CLI or MCP &lt;code&gt;run_recipe&lt;/code&gt; tool.&lt;/p&gt;</description></item><item><title>React2Shell: CVE-2025-55182 Technical Analysis</title><link>https://awwfensive.github.io/react2shell-cve-2025-55182-technical-analysis/</link><pubDate>Sat, 20 Dec 2025 11:51:55 +0530</pubDate><guid>https://awwfensive.github.io/react2shell-cve-2025-55182-technical-analysis/</guid><description>&lt;h2 id="executive-summary"&gt;Executive Summary&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;The Threat:&lt;/strong&gt; CVE-2025-55182 is a critical remote code execution vulnerability in React Server Components that allows unauthenticated attackers to execute arbitrary code on servers through a single malicious HTTP request. No credentials, no user interaction, no special configuration required.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;What is it?&lt;/strong&gt; An unsafe deserialization vulnerability in React&amp;rsquo;s Flight protocol that allows prototype chain traversal to access dangerous Node.js built-ins like &lt;code&gt;child_process&lt;/code&gt; and &lt;code&gt;vm&lt;/code&gt;.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h2 id="prerequisites-understanding-reacts-rendering-models"&gt;Prerequisites: Understanding React&amp;rsquo;s Rendering Models&lt;/h2&gt;
&lt;p&gt;To understand how CVE-2025-55182 works, you first need to understand how React evolved from client-side rendering to Server Components. Let&amp;rsquo;s build this foundation.&lt;/p&gt;</description></item><item><title>Container Escape: From Enumeration to Host Root</title><link>https://awwfensive.github.io/container-escape-from-enumeration-to-host-root/</link><pubDate>Mon, 10 Nov 2025 11:51:55 +0530</pubDate><guid>https://awwfensive.github.io/container-escape-from-enumeration-to-host-root/</guid><description>&lt;p&gt;Containers have become the backbone of modern infrastructure, powering everything from microservices to CI/CD pipelines. But here&amp;rsquo;s the uncomfortable truth: containers are not virtual machines. They&amp;rsquo;re processes with fancy namespaces and cgroups, sharing the same kernel as the host. This fundamental architecture creates a fascinating attack surface for security researchers and red teamers.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id="tldr-the-one-minute-version"&gt;TL;DR: The One-Minute Version&lt;/h2&gt;
&lt;p&gt;If you only have sixty seconds, here&amp;rsquo;s what you need to know about container escapes:&lt;/p&gt;</description></item><item><title>Breaking Authentication: Bcrypt Truncation &amp; Email Normalization</title><link>https://awwfensive.github.io/breaking-authentication-bcrypt-truncation-email-normalization/</link><pubDate>Sat, 25 Oct 2025 11:51:55 +0530</pubDate><guid>https://awwfensive.github.io/breaking-authentication-bcrypt-truncation-email-normalization/</guid><description>&lt;h2 id="introduction"&gt;Introduction&lt;/h2&gt;
&lt;p&gt;During ImaginaryCTF 2025, I tackled a very fascinating web challenge called &amp;ldquo;passwordless&amp;rdquo; that showcased how multiple subtle implementation flaws can combine to create a critical authentication bypass. The challenge presented a Node.js authentication system where users register with their email and receive a randomly generated temporary password—except the password delivery mechanism was never implemented.&lt;/p&gt;
&lt;p&gt;What made this challenge particularly interesting is that every security component appeared properly implemented at first glance: bcrypt for password hashing, email normalization to prevent duplicates, input validation, and rate limiting. However, the devil was in the details. The interaction between bcrypt&amp;rsquo;s 72-byte truncation limit, inconsistent email processing, and user-controlled password components created a perfect exploit chain allowing complete authentication bypass.&lt;/p&gt;</description></item><item><title>Exploiting Symlink Upload and Session Forgery</title><link>https://awwfensive.github.io/exploiting-symlink-upload-and-session-forgery/</link><pubDate>Mon, 01 Sep 2025 00:00:00 +0000</pubDate><guid>https://awwfensive.github.io/exploiting-symlink-upload-and-session-forgery/</guid><description>&lt;h2 id="introduction"&gt;Introduction&lt;/h2&gt;
&lt;p&gt;During TFC 2025 CTF, I encountered a fascinating web challenge that showcased how multiple seemingly minor vulnerabilities can be chained together to achieve complete system compromise. The application appeared simple on the surface: upload a ZIP file, extract it, and serve the contents for download. However, beneath this straightforward functionality lurked a perfect storm of security issues.&lt;/p&gt;
&lt;p&gt;This writeup demonstrates a complete exploit chain combining symlink traversal, path traversal, session forgery, and authentication bypass. What makes this particularly interesting is how each vulnerability alone might seem insignificant, but together they create a devastating attack vector.&lt;/p&gt;</description></item><item><title>Exploiting CVE-2025-29744: When Prepared Statements Aren't Safe</title><link>https://awwfensive.github.io/exploiting-cve-2025-29744-when-prepared-statements-arent-safe/</link><pubDate>Sat, 02 Aug 2025 00:00:00 +0000</pubDate><guid>https://awwfensive.github.io/exploiting-cve-2025-29744-when-prepared-statements-arent-safe/</guid><description>&lt;p&gt;This post analyzes a subtle SQL injection vulnerability — &lt;strong&gt;CVE-2025-29744&lt;/strong&gt; — in pg-promise, a popular PostgreSQL library for Node.js built on top of node-postgres.&lt;/p&gt;
&lt;p&gt;Discovered by the Sonar team, this flaw affects how pg-promise handles certain prepared statements when using the simple query protocol. Under specific conditions, it may allow attackers to inject SQL—even if first-party code uses parameterized queries.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Exploitation requires:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Use of prepared statements in a particular structure.&lt;/li&gt;
&lt;li&gt;Use of the simple query protocol instead of the extended one.&lt;/li&gt;
&lt;/ul&gt;
&lt;hr&gt;
&lt;h2 id="vulnerability-details"&gt;Vulnerability Details&lt;/h2&gt;
&lt;p&gt;The vulnerability involved injecting inline comments in a situation where subtraction from a value was possible, such as:&lt;/p&gt;</description></item><item><title>Projects</title><link>https://awwfensive.github.io/projects/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://awwfensive.github.io/projects/</guid><description>&lt;p&gt;A few security projects and labs I keep within reach.&lt;/p&gt;
&lt;ul class="project-list" aria-label="Projects"&gt;
 &lt;li class="project-item"&gt;
 &lt;a class="project-card" href="https://github.com/awwfensive/cWee"&gt;
 &lt;span class="project-title"&gt;cWee&lt;/span&gt;
 &lt;p class="project-desc"&gt;Focused CVE discovery and analysis tooling built on nvdlib for searching, filtering, and exploring NVD vulnerabilities.&lt;/p&gt;
 &lt;/a&gt;
 &lt;/li&gt;
 &lt;li class="project-item"&gt;
 &lt;a class="project-card" href="https://github.com/awwfensive/auditPlayground"&gt;
 &lt;span class="project-title"&gt;auditPlayground&lt;/span&gt;
 &lt;p class="project-desc"&gt;Intentionally vulnerable web labs for hands-on exploitation, secure code review, and real-world vulnerability analysis.&lt;/p&gt;
 &lt;/a&gt;
 &lt;/li&gt;
 &lt;li class="project-item"&gt;
 &lt;a class="project-card" href="https://github.com/awwfensive/JWack"&gt;
 &lt;span class="project-title"&gt;JWack&lt;/span&gt;
 &lt;p class="project-desc"&gt;Experimental JWT security toolkit for exploring implementation flaws, misconfigurations, and practical token-level attack paths.&lt;/p&gt;
 &lt;/a&gt;
 &lt;/li&gt;
 &lt;li class="project-item"&gt;
 &lt;a class="project-card" href="https://github.com/awwfensive/susDLL/"&gt;
 &lt;span class="project-title"&gt;susDLL&lt;/span&gt;
 &lt;p class="project-desc"&gt;Research tooling for crafting and analyzing DLLs to study hijacking techniques and Windows load-order abuse.&lt;/p&gt;
 &lt;/a&gt;
 &lt;/li&gt;
&lt;/ul&gt;</description></item></channel></rss>