Category: Uncategorized


  • I’ve been making my way through the Penetration Tester path on Hack the Box, in hopes of getting my CPTS. The Active Directory Enumeration & Attacks module in particular has been super helpful and loads of fun. I didn’t realize how little I knew about Active Directory attacks. The two skills assessments at the end…

  • This has been my favorite (and most rewarding) bug since I started my bug bounty journey. I was hacking on a private program testing for SQL injection on API endpoints that contained some data value in the URL (like /api/user/1234). I was fuzzing the value with typical characters you would use to test for SQLi…

  • I was testing on a private program when I came across several endpoints that utilized a customer ID to retrieve information about that user’s account. I was going through each one testing for IDOR and not having any luck. The server was doing proper authorization checks and denying me access to other accounts’ data. I…
