./Alec Maly's Tech Blog

All Tags

Web (10) Hacking (10) POC (10) JavaScript (7) BugReports (5) reverse-engineering (4) Cloud (4) BugBounty (4) Debugging (3) Browser (3) Development (2) Electronjs (2) Joplin (2) TypeScript (2) SharePoint (2) Chromium (2) Game-Hacking (2) Tutorial (2) Security (2) XSS (2) PowerApps (2) Microsoft (2) Power-Platform (2) Privilege-Escalation (2) Browser-Extension (2) Credential-Dumping (2) Microsoft-Edge (1) Electron.js (1) Race-Condition (1) Unity (1) Blender (1) Payment-Gateway (1) Paypal (1) Dynamic-Testing (1) PowerShell (1) WinDbg (1) WinDbg-Preview (1) x32dbg (1) x64dbg (1) mona.py (1) pykd (1) Android (1) Frida (1) BurpSuite (1) .apk (1) Java (1) linux (1) il2cpp (1) adb (1) mobile (1) Wordpress (1) Email (1) Oracle (1) VPS (1) GraphQL (1) HackerOne (1) Pentesting (1) Python (1) CTF (1) Image-Manipulation (1) M365-Services (1) Phishing (1) Google-Maps (1) Optimization (1) CodeQL (1) BugCrowd (1) ExpressVPN (1) Power-Automate (1) M365 (1) Outlook (1) OneDrive (1) Microsoft-Teams (1) AWS (1) CodeBuild (1) Azure-DevOps (1) CICD (1) GitHub (1) TextMeshPro (1) Injection (1) C# (1)

POC [10]

Hasbro | MTG Arena: TextMeshPro injection via. WOTC DisplayName = 100% win rate against Desktop and iPad opponents (Nov 26, 2025)
Exploiting Cooke Based Self-XSS (Jul 16, 2025)
Resolving Undocumented AWS Codebuild Errors and Discussing CI/CD GitHub Integration Security (Jun 17, 2025)
[$15,000 Bounty] M365 Phish: Power Platform Privilege Escalation and Pivoting (Feb 29, 2024)
[$1250 - High Severity] Bypassing Brower Extension's Geolocation Spoofing with a Malicious Website (Location Guard & ExpressVPN) (Aug 28, 2023)
Optimizing Multi-Destination Routes with Google Maps and a Chrome Extension (Nov 07, 2022)
Image Slicing with Python (Jan 25, 2022)
Scanning and Hooking Dynamic, Client-Side Data in Modern Web Applications (Nov 22, 2021)
Exploring the WinDbg Preview JavaScript API (Oct 22, 2021)
Hacking Electron Apps: Joplin (Oct 12, 2021)

Hacking [10]

Hasbro | MTG Arena: TextMeshPro injection via. WOTC DisplayName = 100% win rate against Desktop and iPad opponents (Nov 26, 2025)
Exploiting Cooke Based Self-XSS (Jul 16, 2025)
[$15,000 Bounty] M365 Phish: Power Platform Privilege Escalation and Pivoting (Feb 29, 2024)
[$1250 - High Severity] Bypassing Brower Extension's Geolocation Spoofing with a Malicious Website (Location Guard & ExpressVPN) (Aug 28, 2023)
M365 Internal Phish: Abusing the Power Platform for SharePoint/OneDrive Privilege Escalation (May 13, 2022)
Download and Sort HackerOne Hacktivity Reports Using GraphQL Introspection (Jan 12, 2022)
Game Hacking: Extracting Meshes to Make a Minimap HUD (Dec 08, 2021)
Finding Vulnerabilities in an 18 Year Old MMO (Nov 12, 2021)
Hacking Electron Apps: Joplin (Oct 12, 2021)
Android Hacking Tips and Tricks with Frida & BurpSuite (Oct 10, 2021)

Web [10]

Resolving Undocumented AWS Codebuild Errors and Discussing CI/CD GitHub Integration Security (Jun 17, 2025)
[$15,000 Bounty] M365 Phish: Power Platform Privilege Escalation and Pivoting (Feb 29, 2024)
[$1250 - High Severity] Bypassing Brower Extension's Geolocation Spoofing with a Malicious Website (Location Guard & ExpressVPN) (Aug 28, 2023)
Optimizing Multi-Destination Routes with Google Maps and a Chrome Extension (Nov 07, 2022)
M365 Internal Phish: Abusing the Power Platform for SharePoint/OneDrive Privilege Escalation (May 13, 2022)
Download and Sort HackerOne Hacktivity Reports Using GraphQL Introspection (Jan 12, 2022)
My First Wordpress Site: olgastherapy.com (Jan 04, 2022)
Debugging a Race Condition Between Microsoft Edge and SharePoint (Nov 23, 2021)
Scanning and Hooking Dynamic, Client-Side Data in Modern Web Applications (Nov 22, 2021)
Finding Vulnerabilities in an 18 Year Old MMO (Nov 12, 2021)

JavaScript [7]

Exploiting Cooke Based Self-XSS (Jul 16, 2025)
[$1250 - High Severity] Bypassing Brower Extension's Geolocation Spoofing with a Malicious Website (Location Guard & ExpressVPN) (Aug 28, 2023)
Scanning and Hooking Dynamic, Client-Side Data in Modern Web Applications (Nov 22, 2021)
Exploring the WinDbg Preview JavaScript API (Oct 22, 2021)
Hacking Electron Apps: Joplin (Oct 12, 2021)
Adventures in Open Source Contributing: Joplin (Oct 11, 2021)
Android Hacking Tips and Tricks with Frida & BurpSuite (Oct 10, 2021)

BugReports [5]

Hasbro | MTG Arena: TextMeshPro injection via. WOTC DisplayName = 100% win rate against Desktop and iPad opponents (Nov 26, 2025)
Exploiting Cooke Based Self-XSS (Jul 16, 2025)
[$15,000 Bounty] M365 Phish: Power Platform Privilege Escalation and Pivoting (Feb 29, 2024)
[$1250 - High Severity] Bypassing Brower Extension's Geolocation Spoofing with a Malicious Website (Location Guard & ExpressVPN) (Aug 28, 2023)
M365 Internal Phish: Abusing the Power Platform for SharePoint/OneDrive Privilege Escalation (May 13, 2022)

BugBounty [4]

Cloud [4]

Resolving Undocumented AWS Codebuild Errors and Discussing CI/CD GitHub Integration Security (Jun 17, 2025)
[$15,000 Bounty] M365 Phish: Power Platform Privilege Escalation and Pivoting (Feb 29, 2024)
M365 Internal Phish: Abusing the Power Platform for SharePoint/OneDrive Privilege Escalation (May 13, 2022)
My First Wordpress Site: olgastherapy.com (Jan 04, 2022)

reverse-engineering [4]

Game Hacking: Extracting Meshes to Make a Minimap HUD (Dec 08, 2021)
Exploring the WinDbg Preview JavaScript API (Oct 22, 2021)
Hacking Electron Apps: Joplin (Oct 12, 2021)
Android Hacking Tips and Tricks with Frida & BurpSuite (Oct 10, 2021)

Browser [3]

Exploiting Cooke Based Self-XSS (Jul 16, 2025)
[$15,000 Bounty] M365 Phish: Power Platform Privilege Escalation and Pivoting (Feb 29, 2024)
[$1250 - High Severity] Bypassing Brower Extension's Geolocation Spoofing with a Malicious Website (Location Guard & ExpressVPN) (Aug 28, 2023)

Debugging [3]

Debugging a Race Condition Between Microsoft Edge and SharePoint (Nov 23, 2021)
Scanning and Hooking Dynamic, Client-Side Data in Modern Web Applications (Nov 22, 2021)
Adventures in Open Source Contributing: Joplin (Oct 11, 2021)

XSS [2]

Exploiting Cooke Based Self-XSS (Jul 16, 2025)
Finding Vulnerabilities in an 18 Year Old MMO (Nov 12, 2021)

Credential-Dumping [2]

Resolving Undocumented AWS Codebuild Errors and Discussing CI/CD GitHub Integration Security (Jun 17, 2025)
[$15,000 Bounty] M365 Phish: Power Platform Privilege Escalation and Pivoting (Feb 29, 2024)

Microsoft [2]

[$15,000 Bounty] M365 Phish: Power Platform Privilege Escalation and Pivoting (Feb 29, 2024)
M365 Internal Phish: Abusing the Power Platform for SharePoint/OneDrive Privilege Escalation (May 13, 2022)

PowerApps [2]

[$15,000 Bounty] M365 Phish: Power Platform Privilege Escalation and Pivoting (Feb 29, 2024)
Scanning and Hooking Dynamic, Client-Side Data in Modern Web Applications (Nov 22, 2021)

Power-Platform [2]

[$15,000 Bounty] M365 Phish: Power Platform Privilege Escalation and Pivoting (Feb 29, 2024)
M365 Internal Phish: Abusing the Power Platform for SharePoint/OneDrive Privilege Escalation (May 13, 2022)

Privilege-Escalation [2]

[$15,000 Bounty] M365 Phish: Power Platform Privilege Escalation and Pivoting (Feb 29, 2024)
M365 Internal Phish: Abusing the Power Platform for SharePoint/OneDrive Privilege Escalation (May 13, 2022)

SharePoint [2]

[$15,000 Bounty] M365 Phish: Power Platform Privilege Escalation and Pivoting (Feb 29, 2024)
Debugging a Race Condition Between Microsoft Edge and SharePoint (Nov 23, 2021)

Browser-Extension [2]

Chromium [2]

Optimizing Multi-Destination Routes with Google Maps and a Chrome Extension (Nov 07, 2022)
Debugging a Race Condition Between Microsoft Edge and SharePoint (Nov 23, 2021)

Security [2]

M365 Internal Phish: Abusing the Power Platform for SharePoint/OneDrive Privilege Escalation (May 13, 2022)
Finding Vulnerabilities in an 18 Year Old MMO (Nov 12, 2021)

Development [2]

My First Wordpress Site: olgastherapy.com (Jan 04, 2022)
Adventures in Open Source Contributing: Joplin (Oct 11, 2021)

Tutorial [2]

My First Wordpress Site: olgastherapy.com (Jan 04, 2022)
Game Hacking: Extracting Meshes to Make a Minimap HUD (Dec 08, 2021)

Game-Hacking [2]

Game Hacking: Extracting Meshes to Make a Minimap HUD (Dec 08, 2021)
Finding Vulnerabilities in an 18 Year Old MMO (Nov 12, 2021)

Electronjs [2]

Hacking Electron Apps: Joplin (Oct 12, 2021)
Adventures in Open Source Contributing: Joplin (Oct 11, 2021)

Joplin [2]

Hacking Electron Apps: Joplin (Oct 12, 2021)
Adventures in Open Source Contributing: Joplin (Oct 11, 2021)

TypeScript [2]

Hacking Electron Apps: Joplin (Oct 12, 2021)
Adventures in Open Source Contributing: Joplin (Oct 11, 2021)

TextMeshPro [1]

Hasbro | MTG Arena: TextMeshPro injection via. WOTC DisplayName = 100% win rate against Desktop and iPad opponents (Nov 26, 2025)

Injection [1]

Hasbro | MTG Arena: TextMeshPro injection via. WOTC DisplayName = 100% win rate against Desktop and iPad opponents (Nov 26, 2025)

C# [1]

Hasbro | MTG Arena: TextMeshPro injection via. WOTC DisplayName = 100% win rate against Desktop and iPad opponents (Nov 26, 2025)

AWS [1]

Resolving Undocumented AWS Codebuild Errors and Discussing CI/CD GitHub Integration Security (Jun 17, 2025)

CodeBuild [1]

Resolving Undocumented AWS Codebuild Errors and Discussing CI/CD GitHub Integration Security (Jun 17, 2025)

Azure-DevOps [1]

Resolving Undocumented AWS Codebuild Errors and Discussing CI/CD GitHub Integration Security (Jun 17, 2025)

CICD [1]

Resolving Undocumented AWS Codebuild Errors and Discussing CI/CD GitHub Integration Security (Jun 17, 2025)

GitHub [1]

Resolving Undocumented AWS Codebuild Errors and Discussing CI/CD GitHub Integration Security (Jun 17, 2025)

Power-Automate [1]

[$15,000 Bounty] M365 Phish: Power Platform Privilege Escalation and Pivoting (Feb 29, 2024)

M365 [1]

[$15,000 Bounty] M365 Phish: Power Platform Privilege Escalation and Pivoting (Feb 29, 2024)

Outlook [1]

[$15,000 Bounty] M365 Phish: Power Platform Privilege Escalation and Pivoting (Feb 29, 2024)

OneDrive [1]

[$15,000 Bounty] M365 Phish: Power Platform Privilege Escalation and Pivoting (Feb 29, 2024)

Microsoft-Teams [1]

[$15,000 Bounty] M365 Phish: Power Platform Privilege Escalation and Pivoting (Feb 29, 2024)

CodeQL [1]

[$1250 - High Severity] Bypassing Brower Extension's Geolocation Spoofing with a Malicious Website (Location Guard & ExpressVPN) (Aug 28, 2023)

BugCrowd [1]

[$1250 - High Severity] Bypassing Brower Extension's Geolocation Spoofing with a Malicious Website (Location Guard & ExpressVPN) (Aug 28, 2023)

ExpressVPN [1]

[$1250 - High Severity] Bypassing Brower Extension's Geolocation Spoofing with a Malicious Website (Location Guard & ExpressVPN) (Aug 28, 2023)

Google-Maps [1]

Optimizing Multi-Destination Routes with Google Maps and a Chrome Extension (Nov 07, 2022)

Optimization [1]

Optimizing Multi-Destination Routes with Google Maps and a Chrome Extension (Nov 07, 2022)

M365-Services [1]

M365 Internal Phish: Abusing the Power Platform for SharePoint/OneDrive Privilege Escalation (May 13, 2022)

Phishing [1]

M365 Internal Phish: Abusing the Power Platform for SharePoint/OneDrive Privilege Escalation (May 13, 2022)

Python [1]

Image Slicing with Python (Jan 25, 2022)

CTF [1]

Image Slicing with Python (Jan 25, 2022)

Image-Manipulation [1]

Image Slicing with Python (Jan 25, 2022)

GraphQL [1]

Download and Sort HackerOne Hacktivity Reports Using GraphQL Introspection (Jan 12, 2022)

HackerOne [1]

Download and Sort HackerOne Hacktivity Reports Using GraphQL Introspection (Jan 12, 2022)

Pentesting [1]

Download and Sort HackerOne Hacktivity Reports Using GraphQL Introspection (Jan 12, 2022)

Wordpress [1]

My First Wordpress Site: olgastherapy.com (Jan 04, 2022)

Email [1]

My First Wordpress Site: olgastherapy.com (Jan 04, 2022)

Oracle [1]

My First Wordpress Site: olgastherapy.com (Jan 04, 2022)

VPS [1]

My First Wordpress Site: olgastherapy.com (Jan 04, 2022)

Unity [1]

Game Hacking: Extracting Meshes to Make a Minimap HUD (Dec 08, 2021)

Blender [1]

Game Hacking: Extracting Meshes to Make a Minimap HUD (Dec 08, 2021)

Microsoft-Edge [1]

Debugging a Race Condition Between Microsoft Edge and SharePoint (Nov 23, 2021)

Electron.js [1]

Debugging a Race Condition Between Microsoft Edge and SharePoint (Nov 23, 2021)

Race-Condition [1]

Debugging a Race Condition Between Microsoft Edge and SharePoint (Nov 23, 2021)

Dynamic-Testing [1]

Scanning and Hooking Dynamic, Client-Side Data in Modern Web Applications (Nov 22, 2021)

Payment-Gateway [1]

Finding Vulnerabilities in an 18 Year Old MMO (Nov 12, 2021)

Paypal [1]

Finding Vulnerabilities in an 18 Year Old MMO (Nov 12, 2021)

WinDbg [1]

Exploring the WinDbg Preview JavaScript API (Oct 22, 2021)

WinDbg-Preview [1]

Exploring the WinDbg Preview JavaScript API (Oct 22, 2021)

x32dbg [1]

Exploring the WinDbg Preview JavaScript API (Oct 22, 2021)

x64dbg [1]

Exploring the WinDbg Preview JavaScript API (Oct 22, 2021)

mona.py [1]

Exploring the WinDbg Preview JavaScript API (Oct 22, 2021)

pykd [1]

Exploring the WinDbg Preview JavaScript API (Oct 22, 2021)

PowerShell [1]

Hacking Electron Apps: Joplin (Oct 12, 2021)

Android [1]

Android Hacking Tips and Tricks with Frida & BurpSuite (Oct 10, 2021)

Frida [1]

Android Hacking Tips and Tricks with Frida & BurpSuite (Oct 10, 2021)

BurpSuite [1]

Android Hacking Tips and Tricks with Frida & BurpSuite (Oct 10, 2021)

.apk [1]

Android Hacking Tips and Tricks with Frida & BurpSuite (Oct 10, 2021)

Java [1]

Android Hacking Tips and Tricks with Frida & BurpSuite (Oct 10, 2021)

linux [1]

Android Hacking Tips and Tricks with Frida & BurpSuite (Oct 10, 2021)

il2cpp [1]

Android Hacking Tips and Tricks with Frida & BurpSuite (Oct 10, 2021)

adb [1]

Android Hacking Tips and Tricks with Frida & BurpSuite (Oct 10, 2021)

mobile [1]

Android Hacking Tips and Tricks with Frida & BurpSuite (Oct 10, 2021)