I am a security engineer, currently working as an application security penetration tester. Security certs in my pocket: OSCP, OSWE. This blog was created to have my own place online to post security-related articles.

Slides from public presentations

  • Warszawskie Dni Informatyki WDI - 12.12.2020; Title: Hunt for security bugs in GraphQL; slides: SFI - Hacking GraphQL
  • OWASP Poland - 28.04.2021; Title: Apollo Caching 1on1; slides: OWASP - Apollo Caching
  • The Hack Summit - 05.11.2021; Title: Security Implication of Root principal in AWS KMS; slides: THS - AWS KMS
  • OWASP Poland - 18.11.2021; Title: Discovery and exploitation of CSRF to RCE in CloverDX Server; slides: OWASP - CSRF Clover

Publicly disclosed security issues

  • CVE-2020-11011 - RCE on Phproject via Unrestricted File Upload
  • CVE-2021-29448 - Stored DOM XSS in PiHole Web Admin Interface
  • CVE-2021-30133 - Reflected XSS to RCE in CloverDX Server Simple HTTP API
  • CVE-2021-29995 - CSRF to RCE in CloverDX Server
  • CVE-2021-32791 - Hardcoded static IV and AAD with a reused key in AES GCM encryption in Apache mod_auth_openidc