Posts by Year

2024 3
2023 6
2022 4

2024

VulNyx: Diff3r3ntS3c

April 08, 2024

Writeup of the machine Diff3r3ntS3c from VulNyx.

VulNyx: HackingStation

March 31, 2024

Writeup of the machine HackingStation from VulNyx.

vulnyx nmap web command injection gtfobins binary exploitation

Human 1 - sqlmap 0: defeating automation through manual exploitation

March 19, 2024

Partial disclosure of a bug bounty report: human 1 - sqlmap 0: defeating automation through manual exploitation.

web collaboration osint google dorking portswigger burpsuite 0iq sqlmap sql injection mysql bypass

2023

Reflected XSS bypassing hidden input tag and auto-submit script in a form

December 10, 2023

Partial disclosure of a bug bounty report: reflected XSS bypassing hidden input tag and auto-submit script in a form.

web osint amass httpx gau kxss burpsuite xss bypass

Subdomain takeover via unclaimed Azure VM

November 13, 2023

Partial disclosure of a bug bounty report: subdomain takeover via unclaimed Azure VM.

web vps osint reconftw nuclei subdomain takeover

Reflected XSS through POST request in a login form

November 05, 2023

Partial disclosure of a bug bounty report: reflected XSS through POST request in a login form.

web osint amass httpx burpsuite portswigger xss sop cors

Reflected XSS in search filter clear button in an e-commerce website

June 24, 2023

Partial disclosure of a bug bounty report: reflected XSS in search filter clear button in an e-commerce website.

web osint amass httpx burpsuite portswigger xss

TE.TE HTTP request smuggling obfuscating the TE header

May 03, 2023

Partial disclosure of a bug bounty report: TE.TE HTTP request smuggling obfuscating the TE header.

web osint amass httpx burpsuite burp scanner portswigger http request smuggling xss

Reflected XSS bypassing a 302 Security Redirect due to the presence of Javascript function calls

March 06, 2023

Partial disclosure of a bug bounty report: reflected XSS bypassing a 302 Security Redirect due to the presence of Javascript function calls.

web osint amass httpx gau kxss utm parameters burpsuite portswigger xss bypass

2022

How to bypass the HttpOnly flag via the PHP info page to exfiltrate the user cookies during an XSS exploitation

November 12, 2022

Pentesting article: how to bypass the HttpOnly flag via the PHP info page to exfiltrate the user cookies during an XSS exploitation.

web burpsuite base64 metasploitable 2 xss exfiltrate cookies session hijacking php info page bypass

Time-based SQL injection in a login form

October 17, 2022

Partial disclosure of a bug bounty report: time-based SQL injection in login form.

web osint leakix portswigger burpsuite sql injection mysql information_schema sqlmap php info page

Reflected XSS bypassing HTML tag removal sanitization

September 20, 2022

Partial disclosure of a bug bounty report: reflected XSS bypassing HTML tag removal sanitization.

web osint amass httpx burpsuite gau kxss xss python bypass sanitization

Review of the eJPT (eLearnSecurity Junior Penetration Tester), certification of eLearnSecurity intended for students interested in obtaining the necessary training that a junior pentester should have.

elearnsecurity ejpt pentesting

Iván Santos Malpica
(Aka. HackCommander)

Posts by Year

2024

VulNyx: Diff3r3ntS3c

VulNyx: HackingStation

Human 1 - sqlmap 0: defeating automation through manual exploitation

2023

Reflected XSS bypassing hidden input tag and auto-submit script in a form

Subdomain takeover via unclaimed Azure VM

Reflected XSS through POST request in a login form

Reflected XSS in search filter clear button in an e-commerce website

TE.TE HTTP request smuggling obfuscating the TE header

Reflected XSS bypassing a 302 Security Redirect due to the presence of Javascript function calls

2022

How to bypass the HttpOnly flag via the PHP info page to exfiltrate the user cookies during an XSS exploitation

Time-based SQL injection in a login form

Reflected XSS bypassing HTML tag removal sanitization

eJPT certification review

Iván Santos Malpica(Aka. HackCommander)

Posts by Year

2024

2023

2022

Iván Santos Malpica
(Aka. HackCommander)