Netflix Lemur
JWT verifier trusts attacker-supplied alg from the token header instead of pinning allowed algorithms — CWE-347 defense-in-depth gap in auth/service.py, chain-dependent ATO when paired with secret disclosure. Affects ≤1.9.2.
est. India offensive security IST 00:00:00
rootkid
$ penetration tester
If it's smart, it's vulnerable.
That's the job — red
team ops, end-to-end VAPT, and bug hunts on logic and config
nobody stress-tested before ship. Recruiters see deliverables.
Hackers see how it was done.
always chasing a harder target. here's who's chasing.
I'm Pavan Saxena — online, mostly rootkid. I break into things on purpose: web apps, APIs, networks, mobile, and more. Red teaming and full-scope VAPT are the day job — recon to root, then a report a developer can actually use. Bug bounties and CTFs keep the edge sharp; write-ups and workshops are how I pay it back. I spend a fair chunk of time training and mentoring — workshops, interns, teams.
No CS degree, no neat roadmap — just labs, broken VMs, and a lot of 2 a.m. "wait, why does this work" moments. That's why my Cyber Journal is free and hands-on: the guide I wish I'd had when I started.
Skills over knowledge. — the rule I learned everything by
There's always a harder target and a cleaner write-up to chase — that's the part I'm in no hurry to finish. Everything else here — findings, certs, the journal — is just the trail behind the work.
technical depth, training, leadership — the professional record behind the work.
career metrics
domains assessed
sectors — VAPT & red team
public vulnerability disclosures — credited research with CVE assignment.
JWT verifier trusts attacker-supplied alg from the token header instead of pinning allowed algorithms — CWE-347 defense-in-depth gap in auth/service.py, chain-dependent ATO when paired with secret disclosure. Affects ≤1.9.2.
SSO auto-provision at active=True chains with attacker-controlled ACME acme_url SSRF to EC2 IMDS (CWE-918) and creator-equality IDOR on cert private keys (CWE-639) — any federated user exfiltrates worker IAM creds and retains PKI keys after ownership transfer. Affects ≤1.9.0.
every harder target adds a line to the trail — from recon to report, repeat.
in motion · drag · pan · scroll to zoom
tools, domains and methods — built in labs, proven in production.
credentials that follow the work, not lead it.
talks that follow the practice — workshops, keynotes, and CTF builds.
Full workshop track on attacker mindset for offensive engineers.
Enumeration → relay → DCSync, walked end-to-end with live demos.
From Kerberoasting to domain admin — the AD kill-chain explained.
CL.TE, TE.CL & H2.CL — front/back-end desync demoed on vulnerable stacks.
Static + dynamic analysis, Frida hooks and IPA/APK teardown across both stacks.
Kali fundamentals → deep wireless-hacking track with hands-on practice.
VAPT fundamentals, standards & methodologies + hands-on SQLi/XSS on live apps.
Subdomain enum, JS bundle mining and asset discovery the attacker way.
Tooling walk-through plus a custom-built CTF for the practical block.
Organized a custom CTF for all participants alongside the keynote.
Why scanners miss the biggest payouts — pattern hunting for business-logic abuse.
open to freelance and consulting — project-based offensive security engagements.
engagement types
open to projects
Full-time roles welcome too — but freelance and consulting projects are actively open.
the journal behind the work — every finding worth sharing ends up here.
The live journal mirror needs http(s). Read directly at blog.rootkid.in.
Full archive at blog.rootkid.in.