New Method to Leverage Unsafe Reflection and Deserialisation to RCE on Rails
By Alex Brown March 04, 2025
This blog article documents a new unsafe reflection gadget in the sqlite3 gem, which is installed by default in new Rails applications; the gadget can also be used in a deserialisation gadget chain to achieve RCE.
A Monocle on Chronicles
By Matt October 02, 2024
This post provides an overview of Talkback Chronicles for viewing snapshots of trending infosec resources for points in time, and also how to subscribe to a new weekly Newsletter feature.
DUCTF 2024 ESPecially Secure Boot Writeup
By daniel August 01, 2024
This blog post covers a DUCTF 2024 pwn challenge called "ESPecially Secure Boot", which required writing an exploit for CVE-2018-18558.
plORMbing your Prisma ORM with Time-based Attacks
By Alex Brown July 08, 2024
Part two of our ORM Leak series about attacking the Prisma ORM and leaking sensitive data in a time-based attack.
plORMbing your Django ORM
By Alex Brown June 23, 2024
This blog article explains what ORM Leak vulnerabilities are and how they could be exploited to access sensitive information via the Django ORM.
Keeping up with the Pwnses
By Matt, Seb January 09, 2024
This post provides an overview of Talkback, a smart infosec resource aggregator. The post details how the system works, steps through some of its key features, and also presents how to use the UI and GraphQL API.
Exploring the STSAFE-A110
By Zoltan Madarassy October 03, 2023
Using a sample application, this blog post gives a walkthrough of the I2C communication between the STSAFE-A110 secure element and a host MCU. A tool is released to aid in understanding the I2C flow using a logic analyser.
RE of LR3
By Victor Kahan September 06, 2023
This blog post provides a walk-through of ESP32 firmware extraction and analysis to understand the technical implementation of the Litter Robot 3.
Abusing Amazon VPC CNI plugin for Kubernetes
By berne July 17, 2023
This blog post explores the Amazon VPC CNI plugin for Kubernetes and how it can be abused to manipulate networking and expose access to other resources, including in other VPCs.