This blog was created to have my own place online to post security-related articles. I am a security engineer, currently working as an application security penetration tester. Security certs in my pocket: OSEP, OSWE, OSCP
If you would like to write me a private message here is my PGP public key.
Slides from public presentations
- Warszawskie Dni Informatyki WDI - 12.12.2020; Title: Hunt for security bugs in GraphQL; slides: SFI - Hacking GraphQL
- OWASP Poland - 28.04.2021; Title: Apollo Caching 1on1; slides: OWASP - Apollo Caching; recording: OWASP - Apollo Caching
- The Hack Summit - 05.11.2021; Title: Security Implication of Root principal in AWS KMS; slides: THS - AWS KMS
- OWASP Poland - 18.11.2021; Title: Discovery and exploitation of CSRF to RCE in CloverDX Server; slides: OWASP - CSRF Clover; recording: OWASP - CSRF Clover
- SysOps Poland - 26.01.2022; Title: Security Implication of Root principal in AWS KMS; recording: SecOps - AWS KMS
- WDI Poland 2022 - 02.04.2022; Title: Hijacking the calls to AWS API; slides: THS - AWS KMS
Publicly disclosed security issues
- CVE-2020-11011 - RCE on Phproject via Unrestricted File Upload
- CVE-2021-29448 - Stored DOM XSS in PiHole Web Admin Interface
- CVE-2021-30133 - Reflected XSS to RCE in CloverDX Server Simple HTTP API
- CVE-2021-29995 - CSRF to RCE in CloverDX Server
- CVE-2021-32791 - Hardcoded static IV and AAD with a reused key in AES GCM encryption in Apache mod_auth_openidc