Notes from the field

Clear, practical writeups on the vulnerabilities I find and the tools I use to find them, across web, cloud, and hardware security.

Environment Variable XSS to Account Takeover (CVE-2025-5352)

A custom script environment variable rendered with dangerouslySetInnerHTML turned a configuration value into stored XSS and a full account takeover in Lunary.

[Image: NRF24 and Node MCU board wired to a Flipper Zero showing the GPIO menu]

Flipper Zero: The Pentester's Swiss Army Knife

A portable multitool for pentesters and geeks in a toy-like body, and the cool things you can actually do with it.

Unmasking the Armor: Multiple Vulnerabilities in eScan Antivirus

Privilege escalation and cross-site scripting I found in the eScan Management Console during a VAPT engagement.

Elastic Beanstalk Subdomain Takeover

A rare cloud takeover where a forgotten CNAME record let me deploy my own app on another organization's domain.

Uncovering Multiple Vulnerabilities in Issabel PBX

More than 6000 instances exposed on Shodan, and a set of CSRF flaws hiding in the phone system nobody tests.

Shopify Subdomain Takeover

My first subdomain takeover writeup, where a script left running overnight handed me three claimable subdomains.

How I Exploited SQL Injection to a SQL Shell within 15 Minutes

My very first writeup on SQL injection, and how I turned it into a command shell on a live target overnight.

Coming soon

Peeking into Attacker's Web Server

A new writeup is on the way. Check back soon.

Coming soon

Microsoft SharePoint Blind XSS worth $XXXX

A new writeup is on the way. Check back soon.

Building in the open

Tools and research projects

Open source work where security testing meets automation.

MCPScan (TypeScript)

An offensive auditor for Model Context Protocol servers. It detects tool poisoning, credential leaks, remote code execution vectors, server side request forgery, session hijacking, and supply chain weaknesses across stdio, HTTP, and SSE transports.

Subdomain Takeover Research Methodology

A field-tested approach to finding dangling DNS records and reclaiming abandoned cloud services. I have used it to safely demonstrate takeovers across Shopify and AWS Elastic Beanstalk, then reported each one for remediation.