Caffeine Powered
Research fueled by quality coffee
A personal security research platform featuring cutting-edge vulnerability research, custom security tools, educational videos, and timely security advisories. Fueled by coffee, driven by curiosity.
Coffee has always played a major role in the life of most security professionals. Whilst beer serves the purpose of socialising, a good coffee always provides a quick energy boost. It's the beverage of choice among most hackers and security professionals that assists with prolonged subversive work online.
I also believe that when it comes to good to great thinking it has always been powered by coffee. However, anything in excess is bad. Therefore, it is essential to regulate your coffee intake per day. While I coined the name, I thought of two key elements that are mutually inclusive and runs in our industry's DNA i.e. coffee and security.
Research fueled by quality coffee
25+ years of expertise
Transparent methodologies
Ethical vulnerability reporting
Part 2 of our nation-state simulation series. A deep dive into the phishing and social engineering campaign -- cloned login pages, credential harvesting, vishing with MFA bypass, and full account takeovers through patient manipulation.
A real-world engagement where we simulated a nation-state style attack against a large enterprise that had already hardened its defences through five red team engagements over two years — and we still broke through using staged social engineering over 7-8 weeks.
Complete technical exploit development and shellcode analysis of MS08-067 (CVE-2008-4250) NetAPI buffer overflow. Includes a working exploit, detailed shellcode breakdown, execution flow, PEB walking and ROP chain construction. Published November 2008 on coffeeandsecurity.com by Debasis Mohanty, a security practitioner since 1998.
Upcoming conferences & past speaking engagements
This talk covered some crucial aspects of software security engineering and strategy that most organisations have overlooked or ignored. Primarily the presentation provides some insights on why we still continue to see two decades old bugs and recommendations to consider going ahead. This is a slightly extended version of the OWASP 20th Anniversary talk.
Presented at OWASP 20th Anniversary virtual event, this talk covered some crucial aspects of software security engineering and strategy that most organisations have overlooked or ignored. Primarily the presentation provides some insights on why we still continue to see two decades old bugs and recommendations to consider going ahead.
Presentation on Windows Kernel Exploitation providing insights into common Windows kernel exploitation techniques and the current state of kernel mitigation. Presented at Insomnia Security's internal security conference known as Roachcon (2017).
Proof-of-concept exploit demonstrations by Debasis Mohanty - showcasing real-world vulnerability exploitation techniques.
This vulnerability was made public in Feb 2008. The exploit was written in Oct 2008 but could not be released due to IP agreement with the contractor. A demo video was released instead.
This vulnerability was made public in Oct 2007 with no publicly available exploit until 2008. The exploit was written in April 2008 but could not be released due to IP agreement. A demo video was released instead.
This is not a CVE leaderboard. It is a curated record of research published when the attack class, the target, or the technique was still considered niche, theoretical, or uninteresting by the broader industry. Each item is included for what it documented at the time, not for the size of its identifier.
Pick issues where the industry disputes the impact. XSS in 2004, PDF JavaScript in 2008, Office as a malware carrier in 2006. Prove the impact concretely before the industry consensus catches up to the finding.
Old operating system mechanisms keep returning as attack vectors. DDE, COM interop, OLE embedding. Document them properly the first time so they are not rediscovered a decade later under a different name.
When a product class markets a guarantee, personal firewalls, virtual keyboards, anti-piracy attestation, test the guarantee rather than the product. The shape of the bypass usually outlives the vendor that shipped it.
Every advisory is written so a researcher reading it years later still extracts a transferable pattern. The CVE identifier is only the receipt, the writeup itself is the artifact worth keeping.
Released within days of MS08-067 going public, when no reliable independent exploit existed outside of vendor and a handful of closed circles. The same primitive later powered Conficker. At that moment the choice was: wait for someone else, or write it.
Reliability beats novelty when the window of relevance is days. Studying the canonicalization primitive taught more about Windows path parsing than any of the dozens of follow-up writeups that came months later.
Published when public Adobe Reader exploit code was almost non-existent. PDF was still considered a 'safe document format' by most enterprises. JavaScript-in-PDF was a niche even within client-side research.
The interesting surface is rarely the parser, it is the embedded interpreter. JavaScript engines bolted onto document readers became the dominant client-side attack class for the next decade.