nikitastupin

https://infosec.exchange/@nikitastupin Contact

Projects

  1. clairvoyance obtain GraphQL API schema even if the introspection is disabled
  2. pwnhub how GitHub Actions workflows can be hacked
  3. orgs-data mapping from bug bounty and vulnerability disclosure programs to respective GitHub organizations

Talks

  1. “Bug Hunting in Smart-Contracts: Where to Begin”
    • VolgaCTF 2022, Online. Slides: EN.
  2. “Client-side JavaScript prototype pollution” (made in collaboration with @Black2Fan):
    • VolgaCTF 2021, Samara. Slides: EN.
    • ZeroNights 2021, Saint Petersburg. Slides: EN, recording: RU.
  3. “Access control vulnerabilities in GraphQL APIs”:
  4. “Vulnerabilities of mobile OAuth 2.0”:
  5. “IoT hacking from web perspective”:
    • VolgaCTF 2020, Samara. Slides: EN.

Writings

  1. “Not is not iszero” [EN]
  2. “JavaScript prototype pollution: practice of finding and exploitation” [EN|RU]
  3. “Security of mobile OAuth 2.0” [EN|RU]
  4. “GraphQL Voyager as a tool for API security testing” [EN|RU].
  5. “Охота за уязвимостями на 7% эффективнее” [RU]

Courses

  1. Безопасность компьютерных систем 21/22, ПМИ ФКН ВШЭ. Курс создан в сотрудничестве с @sms-system.
  2. Безопасность интернет-приложений, образовательный центр VK в МГТУ им. Н.Э. Баумана

CVEs

  1. CVE-2021-22957
  2. CVE-2021-22944
  3. CVE-2020-28460
  4. CVE-2020-28450
  5. CVE-2020-28449