Welcome to Corvra Labs
This is a space for cybersecurity research, CVEs, and tooling.
Latest Posts
Using Claude and Burp Suite to Triage SAST Alerts
March 22, 2026
As engineering teams adopt agentic AI tools and begin to push code at a more rapid pace, application security teams will become overwhelmed by alerts and issues from existing tooling. NIST found existing SAST tooling may produce false and insignificant findings at rates of up to 60%. As the velocity of development increases, this is only going to generate more noise and alert fatigue for development and security teams. Prioritizing all of these alerts can become an arduous manual process for security teams while also causing engineering teams to lose trust in the tools, creating tension between the two teams.
EvilNeko: Operationalizing Browser in the Browser Attacks
January 01, 2026
Browser in the Browser (BITB) attacks work by presenting a fully attacker-controlled browser environment to the user, which can mimic typical login flows. This subverts standard guidance such as “check the URL” and builds the target's trust in the site they are interacting with. It also simplifies the theft of sessions by having the target perform the login process on red team infrastructure, meaning MFA bypass is not required. When I first read about BITB phishing in mr.d0x’s article, I was interested in exploring this further.
CVE-2025-48709 and The Forgotten Half of Secrets Management
August 19, 2025
Secrets management can be a pain, from discovering all of the issues in code, to Excel files on desktops, to standing up proper vaults and convincing people to use them. But let’s say you have done all this. Pop the champagne, tell your boss to give you a huge bonus, leaked secrets have been conquered… or have they?