Security insights

Notes from real engagements.

Penetration testing research, vulnerability deep-dives, and practical security guidance from the BugSwagger team.


Authentication Bugs We Find in SaaS Pentests

Field notes from a year of SaaS pentests. Six auth bugs we walked into, the small decisions that put them there, and what the engineering teams said after we showed them. No checklists. No templates. Just the patterns you see when you spend enough time inside other people's login flows.

Insecure IPC on Mobile: When Apps Trust Each Other Too Much

An annotated tour of mobile IPC bugs through the actual code that ships them. The Android manifest line that exports your activity to every app on the device. The iOS URL scheme that any other app can claim. The JavaScript bridge that turns a WebView into RCE. With the patches that close each one.

API Security: The Attack Surface Most Teams Underestimate

If I were going to attack your company, I'd start with your API. Here's exactly how, in the order I'd do it, what I'd find on the way, and why your last security review almost certainly missed the same things. A field walk-through from the wrong side of the keyboard.

SSRF and the Cloud Metadata Endpoint: Still the Most Common Critical We Find

Server-side request forgery isn't new. The reason it's been a Top 10 critical bug since 2019 is the cloud — specifically, the metadata endpoint that grants credentials to anyone who can ask.

Beyond OWASP Top 10: The Business Logic Flaws That Hurt Most

OWASP Top 10 is great for technical bugs. The bugs that actually steal money from your business live one level higher.

Why a Vulnerability Report Is Only Half the Job

The report ends. The actual security work — the part that protects users — is what happens after.

Cloud Misconfigurations: The Quiet Source of Most Modern Breaches

The classic Hollywood breach is dramatic. The real one is usually an S3 bucket with the wrong checkbox enabled.

Mobile Apps Leak More Than You Think

A teardown of one mobile app, file by file, directory by directory, as if you'd just unzipped it on a desk. Eleven things found in two hours. The auth token in the world-readable shared preferences. The screenshot of the user's banking screen sitting in the app switcher cache. The SDK quietly shipping your customer's session ID to a server in another country.

Prototype Pollution: The JavaScript Bug You Probably Have

A single line in your JSON parser. A polluted property. Remote code execution on every Node.js server running React. CVE-2025-55182 hit a CVSS of 10.0 and was exploited in the wild within 48 hours of disclosure — and the underlying bug class is in libraries 4 million projects depend on.
