CVE-2026-40487: Arbitrary File Upload > Stored XSS > Account Takeover in Postiz

After obtaining my OSWE, I started appreciating white box analysis much more. So every now and then I pick an open-source project I like, analyze the source code, try to understand how it works, and when I come across critical functions I ask myself: “what if this didn’t work as expected?”. Today I’ll tell you how I discovered this Arbitrary File Upload via MIME-type spoofing that led to a Stored XSS in Postiz, an open-source social media management tool with over 600 instances exposed on the internet. The vulnerability allows an attacker to act as the victim: steal API keys, exfiltrate tokens from all connected social integrations (Instagram, X, LinkedIn, Facebook, TikTok and 23 other providers), publish and delete posts on their behalf, and create persistent OAuth backdoors that survive password changes. ...

Published on 16/04/2026 · 10 min · 2090 words · Astaruf
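The teaser above names the root cause, a server that believes the MIME type the client declares, without showing what that check looks like. The following is an added example written for this page, not Postiz's code and not the author's exploit: a constructed validator that trusts the declared Content-Type beside one that decides from the file's own bytes, plus the response headers a practitioner would want on anything it stores. File names, the allowlist and the payloads are all made up for the demonstration.

```python
"""Added example: client-declared MIME type vs. byte-level validation for uploads.
Constructed code, not from Postiz; names and payloads are assumptions."""
import os

# Constructed sample uploads: (filename, declared Content-Type, bytes)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GENUINE_PNG = ("avatar.png", "image/png", PNG_MAGIC + b"\x00" * 32)
# Same declared type, but the body is an HTML document carrying script.
SPOOFED_HTML = ("avatar.png", "image/png",
                b"<html><script>alert(document.cookie)</script></html>")
# SVG is an image format that can embed script; it is deliberately not allowed.
SPOOFED_SVG = ("logo.svg", "image/png",
               b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>')

ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif"}


def weak_check(filename, declared_type, data):
    """Vulnerable pattern: accept whatever the client's Content-Type header says.
    Any bytes pass as long as the header claims an allowed image type."""
    return declared_type in ALLOWED_TYPES


# Magic bytes for the allowlisted formats (first bytes of the file).
MAGIC = {
    "image/png": [PNG_MAGIC],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}
EXT_FOR_TYPE = {
    "image/png": {".png"},
    "image/jpeg": {".jpg", ".jpeg"},
    "image/gif": {".gif"},
}


def sniff_type(data):
    """Return the allowlisted MIME type the bytes actually start with, or None."""
    for mime, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return mime
    return None


def hardened_check(filename, declared_type, data):
    """Hardened pattern: ignore the declared type entirely, classify from the bytes,
    and require the stored extension to agree with that classification so the file
    is never served under a name that invites a browser to render it as HTML."""
    sniffed = sniff_type(data)
    if sniffed is None:
        return False
    ext = os.path.splitext(filename)[1].lower()
    return ext in EXT_FOR_TYPE[sniffed]


def response_headers_for_stored_file(stored_name, sniffed_type):
    """Headers for serving a stored upload so that even a misclassified file is not
    executed as a document in the application's origin. 'attachment' is the strict
    option; inline images should instead be served from a separate, cookie-less origin."""
    return {
        "Content-Type": sniffed_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    for sample in (GENUINE_PNG, SPOOFED_HTML, SPOOFED_SVG):
        print(sample[0], "weak:", weak_check(*sample), "hardened:", hardened_check(*sample))
```

The weak check passes the HTML payload because only the header is consulted; the hardened check rejects it because the bytes are not an allowlisted image, and rejects the SVG for the same reason even though it is "an image". Sniffing alone is not sufficient (polyglot files exist), which is why the serving headers matter independently of the upload check.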

OSWE: White-Box Hacking

The OffSec Web Expert (OSWE) exam is known for its white-box methodology. You don’t simply “scan” a webapp to find potential vulnerabilities, you read the code, understand it, and find the flaws to forge the perfect exploit. Nothing out of reach with the right technical preparation and experience. AWAE/OSWE/WEB-300: let’s first clarify what we’re talking about. OSWE (Offensive Security Web Expert) is the certification, while AWAE (Advanced Web Attacks and Exploitation, also known as WEB-300) is the course that prepares you for the exam. ...

Published on 13/11/2025 · 7 min · 1315 words · Astaruf

Bug Hunting NASA

It doesn’t happen every day that you receive a letter of recognition from NASA - National Aeronautics and Space Administration, but it actually happened. I received an official acknowledgment for finding and reporting vulnerabilities in their systems. How It All Started: while browsing the web, I decided to analyze some of NASA’s public servers. Among them, I found some that were vulnerable, so I decided to report my findings to their security team, following their responsible disclosure policy. ...

Published on 02/04/2025 · 3 min · 444 words · Astaruf

OSCP Cheatsheets

Preparing for OffSec’s OSCP exam is a complex challenge that requires both technical skills and mental organization. During my preparation, I realized how difficult it was to remember every command and syntax. That’s why I created a structured note-taking system to quickly retrieve information, making my workflow more efficient. I collected everything on GitBook, creating a practical guide to tackle the OSCP in a more organized and effective way. 👉 Check out my GitBook ...

Published on 10/05/2023 · 1 min · 163 words · Astaruf

CVE-2022-44023

PwnDoc up to version 0.5.3 allows remote attackers to identify disabled account usernames by exploiting response messages during authentication attempts. Product: PwnDoc · CVE: CVE-2022-44023 · CVSSv3 Score: 5.3 (Medium) · CWE: CWE-307. Exploitation Steps: this vulnerability allows username enumeration of disabled accounts in PwnDoc (tested on version 0.5.3 - 2022-07-19) by observing server responses to login attempts. Example Scenario: suppose the following users were registered and subsequently disabled in PwnDoc: ...

Published on 29/10/2022 · 1 min · 199 words · Astaruf

CVE-2022-44022

PwnDoc up to version 0.5.3 allows remote attackers to identify valid usernames by exploiting response timings during authentication attempts. Product: PwnDoc · CVE: CVE-2022-44022 · CVSSv3 Score: 5.3 (Medium) · CWE: CWE-307. Exploitation Steps: this vulnerability allows username enumeration in PwnDoc (tested on version 0.5.3 - 2022-07-19 and earlier) by observing web server response timings during login attempts. Example Scenario: suppose the following users are registered in PwnDoc: ...

Published on 29/10/2022 · 1 min · 107 words · Astaruf
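The two PwnDoc entries above describe the same class of flaw from two angles: a login endpoint that answers differently for disabled accounts (CVE-2022-44023) and one that takes measurably longer when the username exists, because the password is only hashed for known users (CVE-2022-44022). The following is an added example, written for this page and not PwnDoc's code or the author's proof of concept: a constructed in-process login handler that leaks both signals, the same handler hardened, and an enumerator that classifies candidate usernames from the message and timing oracles. Usernames, passwords and messages are made up; the timing threshold is a heuristic chosen for this demo.

```python
"""Added example: username enumeration via response-message and response-timing
oracles, run against a constructed login handler (not PwnDoc's code)."""
import hashlib
import hmac
import os
import statistics
import time

# Deliberately slow KDF so that "did the server hash the password?" is measurable.
_SALT = b"demo-salt"  # constructed; a real system uses a per-user random salt


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed user database: username -> (password hash, enabled flag)
USERS = {
    "alice": (_hash("correct horse"), True),
    "bob": (_hash("battery staple"), False),   # disabled account
}
_DUMMY_HASH = _hash("dummy")


def vulnerable_login(username, password):
    """Leaks two things: a distinct message for disabled accounts, and a timing
    difference, because the password is hashed only when the username exists."""
    record = USERS.get(username)
    if record is None:
        return "Invalid credentials"            # fast path: no hashing
    pw_hash, enabled = record
    if not enabled:
        return "Account disabled"               # message oracle
    if hmac.compare_digest(_hash(password), pw_hash):
        return "OK"
    return "Invalid credentials"


def hardened_login(username, password):
    """Same work and same message on every path: unknown users are checked
    against a dummy hash, and disabled accounts are not distinguishable."""
    record = USERS.get(username)
    pw_hash, enabled = record if record else (_DUMMY_HASH, False)
    ok = hmac.compare_digest(_hash(password), pw_hash)
    if ok and enabled:
        return "OK"
    return "Invalid credentials"


def _median_ms(login, username, samples):
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        login(username, "not-the-password")
        timings.append((time.perf_counter() - start) * 1000)
    return statistics.median(timings)


def enumerate_users(login, candidates, samples=5, ratio=3.0, min_gap_ms=2.0):
    """Return {username: 'valid' | 'disabled'} for every candidate the oracle
    reveals. Baseline = a random username that certainly does not exist."""
    baseline_user = "nonexistent-" + os.urandom(4).hex()
    baseline_msg = login(baseline_user, "x")
    baseline_ms = _median_ms(login, baseline_user, samples)
    threshold_ms = baseline_ms * ratio + min_gap_ms   # heuristic, absorbs jitter
    found = {}
    for name in candidates:
        msg = login(name, "not-the-password")
        if msg != baseline_msg:                          # message oracle
            found[name] = "disabled" if "disabled" in msg.lower() else "valid"
            continue
        if _median_ms(login, name, samples) > threshold_ms:   # timing oracle
            found[name] = "valid"
    return found


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("vulnerable:", enumerate_users(vulnerable_login, names))
    print("hardened:  ", enumerate_users(hardened_login, names))
```

Against the vulnerable handler the enumerator reports alice as valid (slow response, generic message) and bob as disabled (distinct message), while carol, who does not exist, stays unreported. Against the hardened handler every candidate takes the same time and gets the same message, so nothing is reported. Over a network the timing side needs more samples and a statistical test rather than a fixed ratio; the message side needs none.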

CVE-2020-13654 - My First CVE: XSS > CSRF > Privesc to ADMIN

Finding your first CVE is one of those things that stays with you. Not so much for the assigned number, which is ultimately just an identifier in a database, but for the process: the moment you realize the bug is real, that nobody has reported it before you, and that you have the responsibility to handle it correctly. I’m telling this story in this post from start to finish: the discovery, the exploit, and finally the responsible disclosure process with MITRE. ...

Published on 30/12/2020 · 10 min · 2110 words · Astaruf