Karol Mazurek

Pinned

Not usual CSP bypass case

CSP default-src ‘self’ — bypass using the error page. INTRODUCTION During one of the penetration tests, I managed to chain three application issues that finally enabled the execution of the Stored XSS vulnerability. The vulnerability combines three flaws in the application: Unrestricted file upload. Misconfigured Content Security Policy. Application error response…

Cybersecurity

5 min read


Pinned

AppSec Tales X | SAML

Application Security Testing of the SAML protocol guidelines. INTRODUCTION The article describes the Application Security Testing of the SAML. The advice in this article is based on the following: OWASP Web Security Testing Guide OWASP Application Security Verification Standard NIST recommendations Bug bounty reports Portswigger Academy Own experience. TOOLING Constantly update the…

Cybersecurity

7 min read


Pinned

Crimson — AppSec firearm I

Setting up the environment for testing and crimson_recon explanation. INTRODUCTION It has been a couple of months since the last article about the automation of Web Application Penetration Testing. Since then, Crimson has grown from those few code snippets described in previous articles, and if you are a kind…

Cybersecurity

7 min read


Pinned

AV EVASION TECHNIQUES

How to fool Microsoft Defender and other anti-virus systems. INTRODUCTION During penetration testing, if you come across a Windows OS, in most cases it will be protected at least by the basic anti-virus system called "Microsoft Defender". …

Cybersecurity

11 min read


Pinned

The shades of tunneling

Solution of common pivoting problems during a Penetration Test — INTRODUCTION During penetration testing, you may encounter the scenario when you want to be able to pivot through one of the compromised hosts to gain access to other systems in the internal network and continue testing. …

Cybersecurity

9 min read


Jan 23

PWN Space challenge — HTB

Buffer overflow and shellcoding [x32] — This walkthrough refers to the methodology described here. It will be concise, straight to the point, and without the steps that lead to the rabbit hole. 0. Download the binary:

Cybersecurity

3 min read


Jan 22

OSWE PREPARATION

Article about — how to prepare for the WEB-300 course and OSWE exam. INTRODUCTION This article is a short guide on preparation for the WEB-300 course and the OSWE exam. There are links to blogs, tools, other courses, exercises, and all kinds of sources I used for my preparations. WEB 300 — DESCRIPTION To make…

Cybersecurity

6 min read


Oct 22, 2022

AppSec Tales IX | OAuth

Application Security Testing of the OAuth protocol guidelines. INTRODUCTION The article describes the Application Security Testing of the OAuth. The advice in this article is based on the following: OWASP Web Security Testing Guide OWASP Application Security Verification Standard NIST recommendations Bug bounty reports Portswigger Academy Own experience. TOOLING Constantly update the…

Cybersecurity

9 min read


Sep 25, 2022

AWS Fortress guide – HTB

Tips that can help complete the AWS fortress. INTRODUCTION This article is not a write-up. You will not find any flags or copy-paste solutions there. Instead, there are plenty of reference links and commands that I found helpful in the process of passing the AWS fortress. SERVICES DISCOVERY Always enumerate every IP address…

Information Technology

9 min read


Sep 14, 2022

AppSec Tales VIII | JWT

Application Security Testing of the JWT guidelines. INTRODUCTION The article describes the Application Security Testing of JSON Web Tokens. The advice in this article is based on the following: OWASP Web Security Testing Guide OWASP Application Security Verification Standard NIST recommendations Bug bounty reports Portswigger Academy Own experience. I will provide…

Cybersecurity

8 min read


Offensive Security Engineer
