Writing — SecurityBugFocus / Sim4n6

§ 03

Field notes.

2 POSTS PUBLISHED

Apr 12, 2026

DNS rebinding in 2026 — why egress allowlists aren't enough

A short field guide to why a TTL-window race against your own DNS resolver beats most 'block private IPs' controls, drawn from cases against MobSF, MindsDB, and a recent GitLab importer.

SSRF 9 min read Feb 08, 2026

Late-Unicode normalisation as a DoS primitive

Filenames, email addresses, identifiers — anywhere user input gets normalised after a length check, the multiplier between bytes-in and bytes-out becomes a denial-of-service primitive. Three case studies.

UNICODE 12 min read