Blog
Original research and disclosure write-ups.
One of the most under-tested web bugs: when an app trusts the inbound Host header to build absolute URLs, an attacker can hijack password-reset links and poison shared caches. Here is how it works and how to catch it.
Jun 13, 2026
Static analysis of an APK or IPA tells you about the client. The real attack surface is the backend API it calls — and most of those URLs are sitting right inside the binary.
Jun 13, 2026
Broken Object Level Authorization is the #1 OWASP API Top 10 risk. It needs two access tokens and an OpenAPI spec to detect. Most scanners do not bother.
Apr 30, 2026
Customers fix the A01/A02/A03 stuff. A09 - security logging and alerting failures - quietly stays broken on most production systems. Why, and how NANOTESTING surfaces it.
Apr 27, 2026
A leaked key in a public commit is a self-service breach. Why it keeps happening, and how to catch it before someone else does.
Apr 8, 2026
Server-side request forgery is one of the highest-impact web bugs. Here is what a read-only external scan can responsibly surface, and where the line is.
Mar 19, 2026