In this blog I present two vulnerabilities I found in the Azure Functions and another very interesting case of a padding oracle, available as an undocumented HTTP endpoint on every Function instance. Initially I was ecstatic about this finding as theoretically it would have allowed me to achieve remote code execution over arbitrary Azure Functions. However, in a twist of irony, an implementation bug in Microsoft’s Cryptography codebase made this oracle dysfunctional (a false oracle!) and I could not achieve RCE.

The first vulnerability allowed an attacker with code execution over a Function to escalate privileges by installing a permanent…

For more than 2 years, Blockfolio was vulnerable to any attacker stealing their source code and perhaps even injecting his own code into their repositories.
This is a quick write-up about how I was able to find a Github token to Blockfolio.

Blockfolio is the most popular Cryptocurrency price tracking app, with more than 1 million downloads on Android alone. They offer an interface to watch Cryptocurrency prices, set alerts for price movements and even monitor your portfolio (through inputting read-only exchange API keys).

I’ve been into Crypto coins for a little while now, and its common knowledge that using…

Welcome to a tutorial on building your first LLVM based obfuscator!
In this post we will briefly present LLVM, discuss popular obfuscation approaches and their shortcomings and build our own epic LLVM-based string obfuscator.

All the code I present in this article is also available in Github.


LLVM is a compiler framework built with the purpose of reducing time and cost of constructing new language compilers. With LLVM, all a language has to do is implement a “front-end” to LLVM. …

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store