Writing

Blog Posts

Notes on software, systems, research, and the occasional tangent.

2026

• Unauthorized Access to PII via User Search on BDF Website
  January 5, 2026

  Discovered a critical broken access control vulnerability in bdf.belgium.be that exposed sensitive user information including emails and phone numbers of mil...

  responsible-disclosure broken-access-control cve javlo-cms

2025

• Framer Subdomain Takeover: A Complete Guide
  February 2, 2025

  Learn how to identify and perform a takeover of unclaimed Framer subdomains, such as *.framer.website, to demonstrate a security vulnerability.

  bug-bounty recon security vulnerability

2024

• From Subdomain Enum to GraphQL DoS: A Bug Hunter's Journey
  March 21, 2024

  A journey from basic subdomain enumeration to discovering a critical GraphQL denial-of-service vulnerability. What started as routine reconnaissance with sub...

  Api DOS High
• Self-XSS Reveals S3 Bucket Domain - 12K+ Chat Sessions Exposed
  March 9, 2024

  A self-XSS in an AI support chat led me to test document.domain, which unexpectedly revealed an S3 bucket. This discovery exposed 12.000+ customer conversati...

  Web XSS High S3