Earlier this year OWASP announced a planned release of brand-new OWASP TOP10 2021. OWASP released an open survey to gather information about vulnerabilities which cannot be easily identified during black/grey box testing, but are still relevant for overall security posture of applications. As a result I decided to submit a…

Earlier this year I had participated in Advanced Web Application Exploitation course by Offensive Security and after 60 days of lab, I managed to pass the Offensive Security Web Expert exam. By writing this article I would like to provide some more information about this course and certification for people…

Earlier this year my colleague has identified an application which was clearly vulnerable to Cross-Site-Scripting as special characters were not encoded. However, he quickly learned that the application is behind a WAF as attempts to exploit XSS resulted in HTTP 403 error message. After talking to application owners we learned…

Foreword It has been some time since I published my first article on inter-application vulnerabilities in modern web applications. Recently I identified one of them during bug bounty hunting and I personally think it is too good not to be shared with the broader community. If you are one of tl;dr…

Summary For the last couple of years I have been participating in various bug bounty programmes. Usually these programmes are ran by security-mature companies who take a lot of effort to make sure that their applications are secure. …