Author: shreyapohekar

This author has written 57 articles
csp
Information Security / Mitigations / OWASP top 10 / Source Code Review / Web application

Content Security Policy (CSP): A Key Mitigation for XSS and Clickjacking

Content Security Policy (CSP) is a powerful browser mechanism designed to prevent and mitigate common web vulnerabilities such as Cross-Site Scripting (XSS) and Clickjacking. CSP allows developers to specify which sources of content are trusted by the application. This guide will walk you through how CSP works, and how to use it to protect against Clickjacking with frame-ancestors. Real-world examples and practical…

0 Comments
May 29, 2025
csrf-tokens
csrf / Information Security / Mitigations / Web application

How Servers Handle CSRF Tokens: Generation, Validation, and Best Practices

Welcome to Part 2 of the CSRF series!While spotting CSRF vulnerabilities during testing or bug bounties is often straightforward, have you ever paused to think about what really happens behind the scenes when implementing mitigations? In Part 1, we explored the fundamentals of Cross-Site Request Forgery (CSRF), why it's dangerous, and how browsers now defend against it using mechanisms like SameSite cookies…

0 Comments
May 11, 2025
csrf-mitigations
Information Security

CSRF – Why PUT Requests Are Safer and How Modern Browsers Prevent CSRF Attacks

Hi everyone, I’m Shreya, and today I want to shed light on some lesser-discussed aspects of Cross-Site Request Forgery (CSRF). While identifying CSRF vulnerabilities during security assessments or bug bounties can often be straightforward, effectively mitigating them requires a deeper understanding of browser behavior, HTTP methods, and secure token handling. In this blog, I’ll share my learnings on how CSRF attacks actually…

0 Comments
May 11, 2025
Read more about the article Exploiting Cache: 20 Headers That Makes your Web App vulnerable to Cache Poisoning
Information Security / OWASP top 10 / Web application

Exploiting Cache: 20 Headers That Makes your Web App vulnerable to Cache Poisoning

In the fast-moving world of web applications, caching plays a pivotal role in ensuring quick and efficient content delivery. However, as with most technologies, it comes with its own set of vulnerabilities. One of the most insidious threats in this realm is cache poisoning. This subtle yet powerful attack can manipulate what users see, disrupt functionality, and lead to severe security and…

0 Comments
September 18, 2024
Read more about the article The informative findings: What Not to Submit on Bug Bounty Platforms
Information Security

The informative findings: What Not to Submit on Bug Bounty Platforms

Bug bounty programs have revolutionized the world of cybersecurity, enabling organizations to tap into the collective expertise of security researchers worldwide. As security researchers diligently identify and report vulnerabilities, they eagerly await the outcomes of their submissions. While many reports receive the coveted “resolved” status or a generous bounty, some find themselves closed out as “informative.” In this blog, we will explore…

1 Comment
September 16, 2024
Read more about the article Bluehat India 2024 – Slide deck – The lesser known business logic flaws
Uncategorized

Bluehat India 2024 – Slide deck – The lesser known business logic flaws

I had the incredible honor of speaking at the first-ever BlueHat India event, held in Hyderabad. This landmark conference brought together a diverse group of cybersecurity professionals, researchers, and enthusiasts from around the globe. The energy and enthusiasm at the event were palpable, and it was a privilege to be a part of such a vibrant conference. My presentation focused on business…

1 Comment
May 22, 2024
Uncategorized

Setting Up Elasticsearch and Kibana on EC2: A Step-by-Step Guide

Introduction:In the world of data analytics and log management, Elasticsearch and Kibana stand out as powerful tools for indexing, searching, and visualizing large volumes of data. In this tutorial, we'll walk through the process of setting up Elasticsearch and Kibana on an EC2 instance, enabling you to harness the full potential of these tools for your projects. Prerequisites:Before we dive into the…

0 Comments
March 19, 2024
winjactf 2023
Uncategorized

Winja CTF @ Nullcon Goa 2023 Edition Solutions

Hello, Everyone! I trust you had a fantastic time at Winja CTF 2023 - Goa Edition. I hope you found the challenges intriguing. In this blog post, I will be sharing the solutions to the challenges I built. Faulty Portal This was a web challenge that's based on collibra. Collibra is a software company that specializes in data governance and cataloging solutions.…

0 Comments
September 25, 2023
nullcon goa 2022
Conference / Information Security

My First Nullcon as a Speaker!

- [ ] Deliver a talk at Nullcon Are you wondering what this is? This was one of the to-dos I defined for myself in the new year's resolutions! Well new year's resolutions are something that just motivates us till end of Jan! However, this time I managed to get it done❤️ Nullcon 2022 was my 2nd Nullcon and 1st time as…

0 Comments
September 14, 2022
winja ctf 2022
Cloud / CTF / Information Security

Winja CTF – Nullcon Berlin Edition – Solutions

Hey there!!! This post is all about the solutions to the CTF challenges I created for Winja CTF - berlin edition. The category for the challenges is Cloud. If you are not aware, the challenges for this CTF were based on the money heist theme. Hence all the challenge description or context will be referring to money heist. Challenge 1 - The…

0 Comments
May 6, 2022