Common Web Vulnerabilities
The canonical vulnerability catalog: every class with at least one concrete proof-pattern. The single most-cited entry in the index.
VORNAC RESEARCH
OWASP-adjacent vulnerability classes — from XSS to business logic flaws.
Featured
Each vulnerability class is presented as an attack/defense pair, with a briefing-level overview and the protocol, header and encoding points where weaknesses recur.
The full XSS landscape: reflected, stored, DOM, mutation. Sink-versus-source structuring, CSP/WAF bypass, hook-and-control patterns, and the conditions under which payloads become worm-like.
Server-side request forgery, XML external entity weaponization, and path-traversal cousins — vector enumeration, blind-channel exfiltration, parser-quirk routing.
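The "vector enumeration" the SSRF entry refers to is, at bottom, a host-normalisation problem: a filter that compares strings will pass `http://2130706433/` or `http://[::ffff:127.0.0.1]/` while the HTTP client happily connects to loopback. The block below is an added example, not code from the Vornac catalog, that parses the literal host forms an allow/deny check has to canonicalise before deciding. DNS names are reported as undecided rather than resolved, because resolution is a network call and the answer can change between check and use (rebinding). Function names and the three verdict strings are this example's own choices; shorthand dotted forms such as `127.1` are deliberately not handled and are noted as a caveat.

```python
# Added example (not from the catalog): canonicalising SSRF target hosts.
import ipaddress
from urllib.parse import urlsplit


def parse_literal_host(host):
    """Return an ip_address for literal host forms, or None for a DNS name.

    Handles dotted-quad and IPv6 (bracketed or bare), plus the integer forms
    many URL parsers accept: decimal 2130706433, hex 0x7f000001, octal
    017700000001. Shorthand dotted forms like 127.1 or 0x7f.0.0.1 (inet_aton
    semantics) are NOT handled here; a production check should run the same
    parser the HTTP client uses.
    """
    h = host.strip()
    if h.startswith("[") and h.endswith("]"):
        h = h[1:-1]
    try:
        return ipaddress.ip_address(h)
    except ValueError:
        pass
    try:
        if h.lower().startswith("0x"):
            n = int(h, 16)
        elif h.startswith("0") and len(h) > 1:
            n = int(h, 8)
        else:
            n = int(h, 10)
    except ValueError:
        return None
    if 0 <= n <= 0xFFFFFFFF:
        return ipaddress.IPv4Address(n)
    return None


def classify_url(url):
    """Return 'blocked', 'allowed' or 'unresolved' for an outbound fetch target.

    'unresolved' means the host is a DNS name: the caller must resolve it,
    re-run the address check on every returned address, and pin the
    connection to that address to avoid check/use rebinding.
    """
    parts = urlsplit(url)
    # Non-HTTP schemes (file:, gopher:, dict:, ...) are SSRF vectors in their
    # own right and are refused outright.
    if parts.scheme not in ("http", "https"):
        return "blocked"
    host = parts.hostname  # already lower-cased and de-bracketed by urlsplit
    if not host:
        return "blocked"
    addr = parse_literal_host(host)
    if addr is None:
        return "unresolved"
    # ::ffff:a.b.c.d is IPv4 in disguise; judge the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_unspecified or addr.is_multicast):
        return "blocked"
    return "allowed"


if __name__ == "__main__":
    # Constructed sample targets: the same loopback/metadata hosts spelled
    # the way a string-matching filter would miss them.
    for u in ["http://127.0.0.1/", "http://2130706433/", "http://0x7f000001/",
              "http://017700000001/", "http://[::ffff:127.0.0.1]/",
              "http://169.254.169.254/latest/meta-data/", "http://0/",
              "http://metadata.google.internal/", "https://example.org/",
              "file:///etc/passwd"]:
        print(f"{classify_url(u):10s} {u}")
```

The useful lesson is in the four spellings of 127.0.0.1 that all come back `blocked` once the host is turned into an address object first; the `unresolved` verdict is where most real filters go wrong, by either trusting the name or resolving it once and connecting to whatever it resolves to the second time.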
Password-recovery logic flaws, JWT/CORS/TLS architecture issues, the working top-10 business-logic patterns, and how a real intrusion looks in logs vs. test traffic.
Reference
Stack-specific notes for Java and PHP — deserialization gadgets, expression-language injection, tainted-input flow — paired with sqlmap operator flags and the OWASP testing checklist.
Background
Per-platform attack surface and skills reference: Android permission model and APK static/dynamic attacks, iOS entitlement reasoning, macOS TCC and codesign.
From reference to evidence