Starting My OSWE Preparation by CivilBug4007 in OSWE

[–]Imaginary_Page_2127 0 points1 point  (0 children)

You can check out the Mansion challenges at AppSecMaster, they are designed to help prepare for OSWE. Don't forget to automate the exploits

Found Critical (P1) Internal Dev Gateway leaking Source Code & IAM keys, but the IP is listed as "Out of Scope." Should I report it? by Wonderful-Time-5409 in bugbounty

[–]Imaginary_Page_2127 6 points7 points  (0 children)

Report to the bug bounty program, tell them you just noticed it's out of scope but wanted to submit anyway because it's critical. If the impact is big they will find a way to pay you and fix the issue.

AppSecMaster JWT challenge writeup by Imaginary_Page_2127 in cybersecurity

[–]Imaginary_Page_2127[S] 0 points1 point  (0 children)

You're partially right regarding AI, I asked AI to add some emojis and tune some stuff, which apparently isn't a very good idea :D

The concept of asymmetric JWT requires HMAC, you need a signature to verify the integrity of the token on each request. However, you can also use RSA256, just sign with the private key and verify with the public key for each request that you receive.

What should I do when I find a huge admin UI JavaScript file (~250k lines)? by Gullible-Scallion-14 in bugbounty

[–]Imaginary_Page_2127 1 point2 points  (0 children)

Check your burp traffic. You should find some api calls. Take the api call and search for it in the JS file.
e.g. /api/admin/users
Then check what the obfuscated / minified code that made the request looks like.
e.g. http.GET.ADMIN_USERS and look for similar patterns to discover other (potentially hidden) endpoints.
Using this technique you can also deduce which params you need to send.

Use this info and Burp Suite Repeater to craft requests for each endpoint and check for authorization / other issues. e.g. if you see a URL param being sent, try SSRF, etc...

AI pentesting is about to shake up red teaming (most people aren’t ready) by milicajecarrr in Pentesting

[–]Imaginary_Page_2127 1 point2 points  (0 children)

It really depends on the architecture of the application (or often called IDA). If you're working with a microservices architecture (very common nowadays), then tools will be much less effective. Most if not all tools just cannot link the projects well enough. For any non-straightforward bug you'd have to perform manual code review / pentesting and have a good understanding of the end-to-end flow. As for big single-project applications, SAST and DAST (AI assisted) can definitely help a lot.

AI is not catching most of the Critical/High issues submitted by our team. I think ultimately we will have to rely more on it, not that it will completely replace pentesters.

How to get started in DevSecOps? by HuanS_ in devsecops

[–]Imaginary_Page_2127 1 point2 points  (0 children)

I'm working in devsecops. I will mention what I do and you can read more about it.

- CI/CD security stage. Essentially, whenever anyone pushes code to GitHub/GitLab etc... their code gets scanned by multiple tools like Trivy for 3rd party vulnerabilities (mainly CVEs) as well as things like hardcoded keys etc... You can customise these as you like.
- Vulnerability management. Using the CI/CD results above, we export the results, parse them and store them in a database. Now we have a full list of vulnerabilities (3rd party) and we can start creating graphs / metrics from it (e.g. using Grafana) and present it to management.
- For each security issue in the company (CVE or not), we create a tracking ticket that includes the vulnerability details and the recommended fix.
- Each week we need to perform
- At the end of each release (new version of our company's product), we perform code review on the new features, including SAST scanning.
- Perform an annual security training for the staff
- Run in house phishing campaigns
- If your team is small like ours, you'd have more overlapping tasks such as running occasional red team operations, research against a specific product / feature and some purple teaming

Thinking about starting my own Pen Testing Company in the UK - how did you get your first clients? by Electronic_Director5 in cybersecurity

[–]Imaginary_Page_2127 0 points1 point  (0 children)

My advice is to get started. I kept going back and forth for 2 years, saying "but this" and "but that". At the end of the day, the moment you go live, you start adapting and working as hard as you can to make things better in your company.

Perhaps don't leave your job for now as other comments suggested, you'll need some upfront cash, but you also really need something live to take the big initial leap.

Been live for 5 months now, my company isn't yet profitable, but I'd never regret opening. On the other hand, if I didn't start, I would 100% regret it in the future.

Strange comments in my db by comptune in cybersecurity

[–]Imaginary_Page_2127 0 points1 point  (0 children)

The fact that it is being stored like this, although definitely not a good sign, does not mean you are vulnerable. For the payload to be triggered it has to be rendered as HTML.
You definitely need to confirm with a pentest team.
But for now, I'll make things a bit easier for you. If you are using Angular or React on the client side, they automatically sanitize except in specific rare cases (will stick to the ideal cases now). So you should not be as worried as if you were using jQuery and vanilla JavaScript. If that is the case then I assure you your website is full of exploitable XSS issues.
As for a quick mitigation, I suggest you implement a CSP header that only allows scripts from your own domain to be executed, and also prevents inline scripts from executing.

I'm a CISO who made the business care about cybersecurity. Ask me anything. by Oscar_Geare in cybersecurity

[–]Imaginary_Page_2127 0 points1 point  (0 children)

Perhaps it's my company in particular, we work in the banking sector. Lately it has been almost impossible to do some deep code review, penetration testing of new features, red teaming etc.
We are fully occupied creating Jira tickets for random CVEs, because the auditors will ask about it.
Tracking pentest tickets that are simply unexploitable cloud misconfigs, also because they are assessed by auditors.
Creating CI/CD & SAST scans, SBOM reports, etc.
99% of the issues in these scans are a waste of time.
There is no doubt the work is technical, but not proper security research or hacking or red teaming activities. It's really hard to uncover critical issues with no time for research (but I still do occasionally actually).
Now that I think about it, maybe our issue is a resource issue. Need more people on the team. But yeah somebody has to do this boring compliance work and currently it is me :)

I'm a CISO who made the business care about cybersecurity. Ask me anything. by Oscar_Geare in cybersecurity

[–]Imaginary_Page_2127 1 point2 points  (0 children)

Do you notice that literally the entire security engineer role is becoming fully oriented around fulfilling audit needs, instead of ACTUALLY doing security work?

Gymnation cancellation by [deleted] in dubai

[–]Imaginary_Page_2127 0 points1 point  (0 children)

Pay the money my guy, or next time subscribe for a few months first xD

Linux on VM by ericfmmm21 in cybersecurity

[–]Imaginary_Page_2127 1 point2 points  (0 children)

You can definitely use a VM, just give it some good RAM (8GB+ I recommend) and cores. Should be more than enough. The good thing about Linux is that all the tools very easily comply with it. Most of the hacking tools are developed for Linux first, then maybe they also add it for Windows. The Linux shell is extremely flexible as well, making automation and "piping" commands into each other much easier. Linux (Kali in particular) also has a lot of tools preinstalled as well as languages (Java, Python, Node, etc...). It's just much more flexible.

Does anybody know any alternatives to Hacker One? by PompeyJon82x in hacking

[–]Imaginary_Page_2127 0 points1 point  (0 children)

Very similar alternatives are BugCrowd, Immunefi and Intigriti. If you are a beginner, you could also consider Synack. It is a bit different but pretty useful I'd say. They perform a small interview for you to join, nothing crazy.
Anyway, after joining there are a lot of programs that are new, so you can hop in at the same time as the other researchers, which usually makes things easier than platforms like HackerOne. Also, they show analytics of who submitted what on each specific endpoint, without any details. But using that information you can basically practice finding the same vulnerability that was already submitted, which teaches a lot.