Abdul Moiz
Offensive security engineer. I find ways to break web applications, identity providers, cloud platforms, and the chains that hold them together — then I help fix them. Currently shipping AI-assisted application security at a HIPAA / SOC 2 healthcare platform; on the side, I disclose vulnerabilities in open-source software.
Latest Writeups
FileGator v7.14.0 — Privilege Escalation via Unvalidated chmod Endpoint
A low-privileged authenticated user with the chmod permission could set arbitrary Unix special permission bits (setuid, setgid, sticky) on any file or directory they could reach across all three storage adapters (Local, SFTP, FTP). With one recursive call, the entire repository tree could be flipped to setuid root.
Starlette — Form-Parser Limits Silently Ignored for URL-Encoded Bodies
Starlette's Request.form() advertises max_fields, max_files, and max_part_size as resource-consumption guards. They are correctly enforced for multipart/form-data but quietly dropped on the application/x-www-form-urlencoded path, so any FastAPI or Starlette app that calls request.form() and accepts URL-encoded bodies is exposed to a one-request event-loop-blocking DoS.
From Domain User to Golden Ticket — PetitPotam → AD CS ESC8 → DCSync
A full internal Active Directory compromise chain, walked end-to-end. Starting from an unprivileged domain account on a three-DC Windows Server 2019 forest, the assessment coerced a Domain Controller into authenticating against an attacker-controlled SMB relay, relayed the NTLM auth to AD Certificate Services, obtained a machine certificate, used it to issue a TGT, and dumped krbtgt — closing with a Golden Ticket for indefinite, log-quiet Domain Admin persistence.
Sequelize Raw-Query SQL Injection via the Sort Parameter
Sequelize is the default ORM for most Node.js teams, and almost every team using it has at least one place where they reach past the parameterised API and write a raw query — typically to handle a feature the high-level API doesn't ergonomically support, like ORDER BY on a user-supplied column. That single shortcut is where the SQLi sneaks in. Walked end-to-end against a PostgreSQL backend serving PHI: error-based exfiltration in one path and time-based blind in another, both from the same root cause.
One-Click Account Takeover via OAuth Implicit Flow and Lax Redirect URI Validation
Azure AD tenants that still allow the OAuth 2.0 implicit grant — paired with redirect URI lists that accept arbitrary domains, or with hosts in the allow-list that proxy redirects — give an attacker a single-link account takeover. The victim clicks a normal Microsoft login URL, authenticates against their real tenant, and the access token is delivered to an attacker-controlled domain in the URL fragment of the response.
Angular bypassSecurityTrustHtml + Missing httpOnly = Session Hijack on a PHI App
Angular ships a sanitiser specifically to keep developers out of trouble. Calling bypassSecurityTrustHtml() turns that protection off for the rest of the request lifecycle, and most codebases that reach for it do so without grasping how complete the bypass is. Combine that with an auth-token cookie that's missing the httpOnly attribute, and the result is a single stored payload that exfiltrates every viewer's session — including the administrators reviewing the affected record. Walked end-to-end on a HIPAA-scope application; client identifiers redacted.