jdonsec.

Recon

Research & Findings

Web App

Bypassing Input Filters to Land Reflected XSS via URL Encoding

A client-side input filter on a fleet management portal's search function looked solid — until I encoded the payload. A walkthrough of how Google dorking, a filter bypass, and an obscure event handler combined into a confirmed reflected XSS.

xss filter-bypass web-app recon google-dorking
Apr 12, 2026
Medium
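To make the encoding bypass concrete, here is an added example (mine, not code or the payload from the post above): a filter that inspects the raw query string before URL decoding, the page that reflects the decoded parameter, and the same blocklist applied after decoding plus proper output encoding. The search endpoint, hostname and probe payload are constructed for illustration.

```python
"""Why a filter that scans the still-encoded query string is defeated by
URL encoding. Models a generic search page, not the portal from the post;
the hostname and payload are constructed stand-ins."""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Tokens a naive client-side filter might search for in the URL.
BLOCKLIST = ("<", ">", "script", "onerror", "onload")


def percent_encode_all(text: str) -> str:
    """Percent-encode every byte, letters included, so no blocklist token
    survives in the raw URL even though the decoded value is unchanged."""
    return "".join(f"%{b:02X}" for b in text.encode("utf-8"))


def reflected_value(url: str) -> str:
    """What the page actually receives: the q parameter after URL decoding."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def naive_filter_passes(url: str) -> bool:
    """The flawed check: looks at the query string before decoding."""
    query = urlsplit(url).query.lower()
    return not any(token in query for token in BLOCKLIST)


def decoded_filter_passes(url: str) -> bool:
    """Same blocklist, applied to the decoded value the page will use."""
    value = reflected_value(url).lower()
    return not any(token in value for token in BLOCKLIST)


def render_vulnerable(url: str) -> str:
    """Reflects the decoded parameter straight into HTML."""
    return f"<h2>Results for {reflected_value(url)}</h2>"


def render_fixed(url: str) -> str:
    """HTML-entity encoding at the output point, which holds whether or not
    any input filter is in front of it."""
    return f"<h2>Results for {escape(reflected_value(url), quote=True)}</h2>"


# Generic probe payload (constructed; not the handler used in the post).
PAYLOAD = "<img src=x onerror=alert(1)>"
PLAIN_URL = "https://portal.example/search?q=" + PAYLOAD
ENCODED_URL = "https://portal.example/search?q=" + percent_encode_all(PAYLOAD)

if __name__ == "__main__":
    for label, url in (("plain", PLAIN_URL), ("encoded", ENCODED_URL)):
        print(f"{label:8} naive_filter={naive_filter_passes(url)} "
              f"decoded_filter={decoded_filter_passes(url)}")
        print("  vulnerable:", render_vulnerable(url))
        print("  fixed:     ", render_fixed(url))
```

The plain URL trips the naive filter; the fully percent-encoded URL sails through it because the hex digits contain neither `<` nor any of the keywords, yet `parse_qs` hands the page the identical decoded string. Checking the decoded value closes that particular gap, but the durable fix is output encoding for the HTML context the value lands in.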

Mobile

What's Inside the APK: Finding Hardcoded Secrets in Android Apps

Android APKs are zip archives. Everything inside them — including secrets developers assumed were hidden — is one decompile away from being readable. A walkthrough of mobile recon methodology for extracting hardcoded credentials from production apps.

mobile android recon api-keys secrets apk-analysis
Apr 12, 2026
Medium
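As an added example of the "APKs are zip archives" point (my code, not the methodology walkthrough from the post), the script below builds a small APK-like zip in memory, walks every member with the standard library, and runs secret-pattern regexes over each one, decoding binary members such as `classes.dex` as latin-1 so their ASCII strings are still searchable. The package name, file names and key values are constructed stand-ins; the AWS key is the `AKIAIOSFODNN7EXAMPLE` placeholder from AWS documentation.

```python
"""Treat an APK as the zip it is and scan every member for secret-looking
strings. Archive contents, names and values here are constructed; the
AWS key is the documented AKIAIOSFODNN7EXAMPLE placeholder."""
import io
import re
import zipfile

# Pattern name -> compiled regex. Group 1 captures the candidate secret.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "google_api_key": re.compile(r"\b(AIza[0-9A-Za-z_\-]{35})\b"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token)\s*[=:]\s*[\"']?([A-Za-z0-9_\-]{16,})"
    ),
}


def build_sample_apk() -> bytes:
    """Constructed APK-like zip: a manifest, an assets file, a raw resource
    and a fake classes.dex with a string embedded among binary bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml",
                    "<manifest package='com.example.fleet'/>")
        zf.writestr("assets/config.properties",
                    "base_url=https://api.example.internal\n"
                    "api_key=sk_live_constructed_1234567890\n")
        zf.writestr("res/raw/maps.json",
                    '{"maps_key": "' + "AIza" + "SyExampleKey" + "0" * 23 + '"}')
        zf.writestr("classes.dex",
                    b"dex\n035\x00" + bytes(range(8))
                    + b"\x00AKIAIOSFODNN7EXAMPLE\x00" + bytes(16))
    return buf.getvalue()


def redact(value: str) -> str:
    """Keep enough of a match to triage it without reproducing the secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_apk(apk_bytes: bytes) -> list[dict]:
    """Walk every zip member and apply each pattern. latin-1 maps every byte
    to a character, so dex and native-library members are searchable too."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            text = zf.read(info).decode("latin-1")
            for kind, rx in SECRET_PATTERNS.items():
                for m in rx.finditer(text):
                    findings.append({
                        "member": info.filename,
                        "kind": kind,
                        "value": m.group(1),
                        "redacted": redact(m.group(1)),
                    })
    return findings


if __name__ == "__main__":
    for f in scan_apk(build_sample_apk()):
        print(f"{f['member']:28} {f['kind']:20} {f['redacted']}")
```

Run it against a real APK by replacing `build_sample_apk()` with the bytes of the file on disk; the zip handling and the scan loop are unchanged. A pattern hit in `classes.dex` is only a lead until the string is confirmed in decompiled code, since packed resources and obfuscated builds produce both false positives and misses that a raw string scan cannot resolve.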

© 2026 jdonsec — All research conducted within authorized bug bounty programs.
