Bug Bounty hunter Alex Brumen explains how to detect and exploit syntax confusion in real web apps, recounts how he turned an SSRF and blind file read into a full arbitrary file read, and offers mitigation advice for ambiguous parsing exploits.