Skip to main content
Important Update Banner

Resources

Research, experimentation, and continuous improvement are fundamental to how we operate at elttam. Our consultants spend a significant amount of time exploring new technologies, building tooling, analysing vulnerabilities, and turning interesting problems encountered in the field into deeper technical investigations.

This section brings together that work - from detailed research posts and vulnerability disclosures to tools, publications, and updates from the team. By sharing what we learn, we aim to contribute back to the security community while pushing our own knowledge and capabilities forward.

Browse by Category

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

By

elttam
March 25, 2026

Talkback

talkback
Read More
Release

By

Alex Brown
December 18, 2025

ORM Leaking More Than You Joined For

A follow-up article in our ORM Leaks series covering newly susceptible ORMs, techniques for bypassing ORM Leak protections, and demonstrating how ORM Leaks can exist in any web application that uses one.

ORM
ORM Leaks
web
Read More
Blog Post

By

Jia Hao Poh
November 17, 2025

Gotchas in Email Parsing - Lessons From Jakarta Mail

This writeup goes through the various primitives in Jakarta Mail that could lead to high impact bugs if developers are unaware of the library's quirks. Primitives discussed here can be applied to other mail parsing libraries.

web
java
jakarta mail
input validation
footguns
Read More
Blog Post

By

elttam
November 2, 2025

A collection of publications for advisories, write-ups, and presentations.

publications
Read More
Release

By

elttam
September 1, 2025

A collection of semgrep-rules for security researchers and product security teams to leverage.

semgrep-rules
Read More
Release

By

Alex Brown
March 4, 2025

New Method to Leverage Unsafe Reflection and Deserialisation to RCE on Rails

This blog article documents a new unsafe reflection gadget in the sqlite3 gem, that can also be used in a deserialisation gadget chain to achieve RCE and is installed by default in new Rails applications.

web
ruby
rails
deserialisation
constantize
Read More
Blog Post

By

Matt Jones
October 2, 2024

A Monocle on Chronicles

This post provides an overview of Talkback Chronicles for viewing snapshots of trending infosec resources for points in time, and also how to subscribe to a new weekly Newsletter feature.

infosec
tool
talkback
Read More
Blog Post

By

Daniel Hodson
August 1, 2024

DUCTF 2024 ESPecially Secure Boot Writeup

This blog post covers a DUCTF 2024 pwn challenge called 'ESPecially Secure Boot', which required writing an exploit for CVE-2018-18558.

hardware
iot
esp32
esp-idf
xtensa
Read More
Blog Post

By

elttam
August 1, 2024

A collection of CTF levels developed by our team.

libctf.so
Read More
Release

By

Alex Brown
July 8, 2024

plORMbing your Prisma ORM with Time-based Attacks

Part two of our ORM Leak series about attacking the Prisma ORM and leaking sensitive data in a time-based attack.

ORM
ORM Leaks
Prisma
web
Read More
Blog Post

By

Alex Brown
June 23, 2024

plORMbing your Django ORM

This blog article explains what are ORM Leak vulnerabilities, how they could be exploited to access sensitive information with the Django ORM.

ORM
ORM Leaks
Django
web
Read More
Blog Post

By

Matt Jones
and
Sebastien Macke
January 9, 2024

Keeping up with the Pwnses

This post provides an overview of Talkback, a smart infosec resource aggregator. The post details how the system works, steps through some of its key features, and also presents how to use the UI and GraphQL API.

infosec
tool
talkback
Read More
Blog Post

In the News

What all the fuss is about

Key: 87169502a105dcb5
Suite 343

3 Albert Coates
Ln
Melbourne, VIC, 3000
© {{year}} elttam Security Pty Ltd. ABN 54 684 907 702
Privacy Policy
Vulnerability Disclosure Policy