A collection of my public infosec-related work.

Tools / Websites

can-i gtfo - An extensive collection of Kubernetes RBAC permissions that can be abused

Web Cache Vulnerability Scanner - Scanner for Web Cache Poisoning and Web Cache Deception

TInjA (Template INJection Analyzer) - SSTI / CSTI scanner using novel template injection polyglots

Template Injection Playground - SSTI / CSTI playground with 46 template engines

Template Injection Table - Collection of novel CSTI / SSTI polyglots

Thesis

Master’s Thesis: Improving the Detection and Identification of Template Engines for Large-Scale Template Injection Scanning

Bachelor’s Thesis: Automated Scanning for Web Cache Poisoning Vulnerabilities

External Blog Posts

I Know What You Shipped Last Summer - RCE, SQLi and More in Logistics Software e-TMS

Harvesting the Database - 5 CVEs in TOPqw Webportal

Template Injection Vulnerabilities – Understand, Detect, Identify

How Does FIDO2 Try to Solve the World’s Password Problem?

The New OWASP Top 10 API Security Risks 2023 – What Has Changed?

Multi-Factor Authentication (MFA) - Comparison of the 5 Most Used Possession Factors

BOLA - The #1 most critical API risk exemplified

How to Secure APIs?

Web Cache Vulnerability Scanner (WCVS) - Free, Customizable, Easy-To-Use

Is Your Application Vulnerable to Web Cache Poisoning?

CTF WriteUps & Videos

OWASP Juice Shop
Videos: 22

HackTheBox
Videos: 33
WriteUps: 9 (+22 still not finalized)

Practical Pentest Labs
Videos: 2

PicoCTF 2017
Videos: 2

HackThis!! (now: Defend the Web)
Videos: 1
WriteUps: 1

OverTheWire
WriteUps: 2