What I learn is what I BLOG!

Read more about the article The Right Way to Handle Permissions in GitHub Actions: A Practical Guide to Staying Secure
Uncategorized

The Right Way to Handle Permissions in GitHub Actions: A Practical Guide to Staying Secure

GitHub Actions permissions can make or break the security of your CI/CD pipeline. This blog explains how to apply least-privilege principles, why default write permissions in `pull_request` workflows are still safe, and how thoughtful permission design protects you from common supply-chain risks. It also includes simple examples to help you understand what to allow, what to restrict, and how to keep your workflows secure without slowing development.

0 Comments
November 25, 2025
Read more about the article How Attackers Exploit pull_request_target: Secure Your GitHub CI/CD Workflows
Github / Information Security / rce

How Attackers Exploit pull_request_target: Secure Your GitHub CI/CD Workflows

GitHub Actions is powerful—but with great power comes… a long list of workflow security pitfalls. If you’ve spent any time around GitHub Actions, you’ve probably seen people casually using pull_request_target without fully understanding what it does. And honestly, that’s where most of the security issues begin. I’m Shreya Pohekar, and I work as a Security Researcher at Microsoft. Over the years of…

0 Comments
November 25, 2025
find owner of ip
Cloud / Information Security

Bugbounty – How to find the owner of IP address

Hi everyone — I’m Shreya. In this post, I’ll explain how to identify the owner or owning organization of an IP address. When doing bug bounty work, we often use tools like FOFA and Shodan to discover IPs that might belong to the organization we’re targeting. Many times, the program you are submitting to may respond that the IP isn’t owned by…

0 Comments
October 17, 2025
job-at-microsoft
landing job at microsoft
Information Security / Interview

Landing a Microsoft Cybersecurity Role: My Journey and Tips for Aspiring Security Professionals

If someone had told me a few years ago that I’d be working in cybersecurity at Microsoft, I probably wouldn’t have believed them. My path wasn’t straightforward or glamorous—it was messy, full of late nights small wins, rejections, and unexpected turns. But every step, from writing code at TCS to triaging bugs at HackerOne, added up and eventually brought me here. This…

10 Comments
September 29, 2025
Read more about the article What is OAuth, real-world examples and various OAuth attacks
Information Security / Mitigations / OAuth / OWASP top 10

What is OAuth, real-world examples and various OAuth attacks

OAuth is everywhere—from signing into your favorite apps using Google or GitHub to enabling secure access between APIs. But while OAuth is incredibly powerful, it’s also one of the most misunderstood and misconfigured components in modern applications. And that’s exactly why knowing its fundamentals isn't optional—it's critical. Misconfigurations in OAuth can open doors to serious vulnerabilities such as account takeover, token leakage,…

0 Comments
July 12, 2025
Read more about the article 5 Things Developers Should Know Before Breaking Into Security
Information Security

5 Things Developers Should Know Before Breaking Into Security

Hi everyone! I'm Shreya Pohekar Agrawal, currently working as a Security Researcher at Microsoft. But my journey into cybersecurity didn’t start here-- Back in college, I was equally drawn to both development and security—and choosing between the two wasn’t easy. But after some exploration, I realized I didn’t have to pick just one. I chose to begin my journey as a developer…

0 Comments
June 24, 2025
csp-part-2
Information Security / Mitigations / OWASP top 10 / Web application / XSS

CSP Part 2: Securing Inline Scripts with Nonces and Hashes

In Part 1 of the CSP series, we explored how CSP plays a major role in mitigating XSS and clickjacking attacks. Now that you're familiar with the basics of setting up a CSP and its importance, let's take it one step further. Today, we'll dive into two powerful CSP techniques: nonces and hashes. These allow us to safely run specific inline scripts…

1 Comment
June 23, 2025
csp
Information Security / Mitigations / OWASP top 10 / Source Code Review / Web application

Content Security Policy (CSP): A Key Mitigation for XSS and Clickjacking

Content Security Policy (CSP) is a powerful browser mechanism designed to prevent and mitigate common web vulnerabilities such as Cross-Site Scripting (XSS) and Clickjacking. CSP allows developers to specify which sources of content are trusted by the application. This guide will walk you through how CSP works, and how to use it to protect against Clickjacking with frame-ancestors. Real-world examples and practical…

1 Comment
May 29, 2025
csrf-tokens
csrf / Information Security / Mitigations / Web application

How Servers Handle CSRF Tokens: Generation, Validation, and Best Practices

Welcome to Part 2 of the CSRF series!While spotting CSRF vulnerabilities during testing or bug bounties is often straightforward, have you ever paused to think about what really happens behind the scenes when implementing mitigations? In Part 1, we explored the fundamentals of Cross-Site Request Forgery (CSRF), why it's dangerous, and how browsers now defend against it using mechanisms like SameSite cookies…

0 Comments
May 11, 2025
csrf-mitigations
Information Security

CSRF – Why PUT Requests Are Safer and How Modern Browsers Prevent CSRF Attacks

Hi everyone, I’m Shreya, and today I want to shed light on some lesser-discussed aspects of Cross-Site Request Forgery (CSRF). While identifying CSRF vulnerabilities during security assessments or bug bounties can often be straightforward, effectively mitigating them requires a deeper understanding of browser behavior, HTTP methods, and secure token handling. In this blog, I’ll share my learnings on how CSRF attacks actually…

0 Comments
May 11, 2025
Read more about the article Exploiting Cache: 20 Headers That Makes your Web App vulnerable to Cache Poisoning
Information Security / OWASP top 10 / Web application

Exploiting Cache: 20 Headers That Makes your Web App vulnerable to Cache Poisoning

In the fast-moving world of web applications, caching plays a pivotal role in ensuring quick and efficient content delivery. However, as with most technologies, it comes with its own set of vulnerabilities. One of the most insidious threats in this realm is cache poisoning. This subtle yet powerful attack can manipulate what users see, disrupt functionality, and lead to severe security and…

0 Comments
September 18, 2024
Read more about the article The informative findings: What Not to Submit on Bug Bounty Platforms
Information Security

The informative findings: What Not to Submit on Bug Bounty Platforms

Bug bounty programs have revolutionized the world of cybersecurity, enabling organizations to tap into the collective expertise of security researchers worldwide. As security researchers diligently identify and report vulnerabilities, they eagerly await the outcomes of their submissions. While many reports receive the coveted “resolved” status or a generous bounty, some find themselves closed out as “informative.” In this blog, we will explore…

1 Comment
September 16, 2024
Read more about the article Bluehat India 2024 – Slide deck – The lesser known business logic flaws
Uncategorized

Bluehat India 2024 – Slide deck – The lesser known business logic flaws

I had the incredible honor of speaking at the first-ever BlueHat India event, held in Hyderabad. This landmark conference brought together a diverse group of cybersecurity professionals, researchers, and enthusiasts from around the globe. The energy and enthusiasm at the event were palpable, and it was a privilege to be a part of such a vibrant conference. My presentation focused on business…

1 Comment
May 22, 2024