Posts

OSWE: The Review That You Should Read

In the ever-evolving world of cybersecurity, certifications are often seen as milestones that mark one's journey from novice to expert. Among the myriad certifications available, OffSec Web Expert (OSWE) stands out as one of the most challenging and respected. If you're considering pursuing OSWE, or if you're simply curious about what it entails, this review is for you.

What is OSWE?

OSWE, or OffSec Web Expert, is an advanced certification offered by OffSec, a renowned organization in the cybersecurity community. The certification is aimed at professionals who want to demonstrate their expertise in conducting white-box penetration testing on web applications. Unlike black-box penetration testing, where the tester has no prior knowledge of the target, white-box testing gives the tester access to the application's source code, allowing for a more thorough and in-depth analysis. The OSWE certification is not just another feather in your cap; it's a rigorous test of
Recent posts

XWiki - CVE-2024-37900: XSS through attachment filename in uploader

In the world of cybersecurity, finding vulnerabilities isn't just about identifying problems — it's about making systems safer for everyone. Recently, I discovered a Cross-Site Scripting (XSS) vulnerability in XWiki, an open-source wiki platform. This post explains CVE-2024-37900, how it works, its implications, and the importance of contributing to open-source communities.

What is XWiki?

XWiki is a free and open-source wiki software platform written in Java, designed for extensibility and enterprise use. It features WYSIWYG editing, document import/export, annotations, tagging, and advanced permissions management. XWiki supports storing structured data and executing server-side scripts in languages like Velocity, Apache Groovy, Python, Ruby, and PHP within wiki pages. Users can define custom data structures, attach them to documents, and query them using XWiki's query language. Its robust extension ecosyst

Should You Become a Penetration Tester? Exploring the Pros and Cons

Are you considering a career in penetration testing? If so, you're likely weighing the pros and cons of diving into this dynamic and challenging field. As someone who transitioned from being a software developer to a penetration tester almost a year ago, I can offer some firsthand insights into what you might expect. In this blog post, we'll explore why becoming a penetration tester could be a fantastic career choice and why it might not be the right fit for everyone. We'll cover aspects like job satisfaction, career growth, salary potential, and the demands of the role.

The Pros of Becoming a Penetration Tester

1. Extreme Satisfaction

One of the most rewarding aspects of being a penetration tester is the extreme satisfaction that comes from successfully identifying and mitigating security vulnerabilities. When you uncover a critical flaw that could have been exploited by malicious hackers, you play a direct role in safeguarding sensitive data and protecting an organization

CTF: Portfolio Walkthrough

Scenario

A passionate web developer recently launched his personal portfolio website, proudly displaying his projects and sharing his thoughts through a vibrant blog. His focus on design and functionality has left glaring security holes. As his blog gains popularity, you, a skilled hacker, spot the perfect target. Your mission is clear: exploit the vulnerabilities, compromise his site, and expose his negligence. Every weakness is an opportunity, every oversight a path to control. In this CTF challenge, you are the hacker. Uncover the flaws, break through the defenses, and leave your mark on the developer's digital pride.

Welcome to "Portfolio CTF". The game is on. Good luck!

You can download the OVA for the Portfolio CTF from this link.

SPOILER ALERT: Do not read further if you intend to solve the CTF challenge on your own. The write-up follows below.

Introduction

I created this Capture The Flag (CTF) machine with dual objectives: to provide a comprehensive training ground fo