About Me

I started my career as a graduate of Akdeniz University's Management Information Systems programme and took my first steps in cyber security, specifically CTI, by researching dark web forums. Later I moved into the field I wanted to pursue, pentesting, to further develop my technical skills and security knowledge. Currently I focus on strengthening information security systems and detecting vulnerabilities, with an emphasis on web security, and I constantly follow innovations in my field.


CVEs


CVE-2024-11406 - Stored XSS Vulnerability in Django CMS 3.0.0 (Attributes Fields)

Reported in Nov 2024

The vulnerability resides in the Django CMS admin panel, in the page editing interface, when the "Add plugin to placeholder 'Page Content'" feature is used. Malicious payloads can be injected into the "Attributes" field of plugins such as "card" or "badge"; the value is stored and leads to stored XSS when the page is rendered.


CVE-2024-11404 - File Upload Bypass Vulnerability in Django Filer 3.2.3

Reported in Nov 2024

The issue was identified in django-filer 3.2.3, a file management application commonly used with django CMS. It allows attackers to bypass the upload restrictions for HTML and SVG files, so a malicious file containing script can be uploaded and then executed client-side when the file is served.
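As an added illustration of the bug class described above (this is not django-filer's code, and it does not reproduce the specific bypass behind CVE-2024-11404), the following Python puts an extension-only, case-sensitive denylist beside a check that also normalises the extension and sniffs the file contents for HTML/SVG markup. The sample uploads are constructed inline and the function names are this example's own.

```python
import re

# Constructed sample uploads for the demo: filename -> leading bytes.
# None of these are real files or payloads from the advisory.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "page.html": b"<!DOCTYPE html><html><body><script>alert(1)</script></body></html>",
    "logo.SVG": b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>',
    "icon.png": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
}

# Extensions that browsers render as a document (and so run script in).
ACTIVE_EXTENSIONS = {"html", "htm", "xhtml", "shtml", "svg", "svgz"}

# Markup that marks a blob as HTML or SVG regardless of its filename.
# Deliberately broad: an upload filter should fail closed.
_ACTIVE_MARKUP = re.compile(
    rb"<\s*(!doctype\s+html|html|svg|script|body|iframe|object|embed)\b", re.I
)


def weak_check(filename: str, data: bytes) -> bool:
    """Extension-only, case-sensitive denylist (the vulnerable pattern).

    Returns True when the upload is accepted. 'logo.SVG' and an SVG body
    named 'icon.png' both slip through.
    """
    return not (filename.endswith(".html") or filename.endswith(".svg"))


def sniff_active_content(data: bytes) -> bool:
    """Return True if the first 4 KiB look like HTML or SVG markup."""
    return _ACTIVE_MARKUP.search(data[:4096]) is not None


def strong_check(filename: str, data: bytes) -> bool:
    """Reject active content by normalised extension *and* by content.

    Returns True when the upload is accepted.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in ACTIVE_EXTENSIONS:
        return False
    if sniff_active_content(data):
        return False
    return True


def evaluate(samples: dict) -> dict:
    """Map each sample name to (accepted_by_weak_check, accepted_by_strong_check)."""
    return {
        name: (weak_check(name, data), strong_check(name, data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (weak, strong) in evaluate(SAMPLES).items():
        verdict = lambda ok: "accept" if ok else "reject"
        print(f"{name:10s} weak={verdict(weak):6s} strong={verdict(strong)}")
```

Even with content sniffing, the robust fix for user uploads is to serve them from a separate origin with `X-Content-Type-Options: nosniff` and, for anything that is not a verified raster image, `Content-Disposition: attachment`, so a file that slips past the filter cannot execute script in the application's origin.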


CVE-2024-11319 - Stored XSS Vulnerability in Django CMS 4.1.3

Reported in Nov 2024

Django CMS version 4.1.3 is affected by a stored cross-site scripting (XSS) vulnerability. It allows attackers to inject arbitrary JavaScript that executes in the context of the web application, compromising every user who visits the affected page.
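The two stored-XSS entries above (the "Attributes" field in CVE-2024-11406 and CVE-2024-11319) both come down to user-controlled values landing in HTML attribute context. The following Python is an added illustration of that context, not Django CMS code and not the advisories' payloads: it renders a constructed attribute dictionary once by plain string formatting and once with attribute-aware escaping plus an attribute-name allow-list, then parses both results the way a browser would to show which version grew an event handler. All names here are this example's own.

```python
import html
import re
from html.parser import HTMLParser

# Constructed attacker-controlled "Attributes" value (not the CVE payload).
# The double quote is what lets it close the attribute it was placed in.
ATTACKER_ATTRS = {"class": 'card" onmouseover="alert(document.cookie)'}

# Attribute names we are willing to emit: plain identifiers only.
_NAME_RE = re.compile(r"^[a-z][a-z0-9-]*$", re.I)


def render_unsafe(tag: str, attrs: dict) -> str:
    """Concatenate attributes with no escaping: the vulnerable pattern."""
    rendered = " ".join(f'{name}="{value}"' for name, value in attrs.items())
    return f"<{tag} {rendered}></{tag}>"


def is_safe_attr_name(name: str) -> bool:
    """Accept only simple attribute names and refuse on* event handlers."""
    return bool(_NAME_RE.match(name)) and not name.lower().startswith("on")


def render_safe(tag: str, attrs: dict) -> str:
    """Validate attribute names and escape values for attribute context.

    html.escape(..., quote=True) turns both quote characters into entities,
    so a value can never terminate the attribute it sits in.
    """
    parts = []
    for name, value in attrs.items():
        if not is_safe_attr_name(name):
            raise ValueError(f"attribute name not allowed: {name!r}")
        parts.append(f'{name}="{html.escape(str(value), quote=True)}"')
    return f"<{tag} {' '.join(parts)}></{tag}>"


class _FirstTagAttrs(HTMLParser):
    """Collect the attributes of the first start tag, as a browser parses them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def parse_attrs(markup: str) -> dict:
    """Return the attribute dict the HTML parser sees on the first tag."""
    parser = _FirstTagAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


if __name__ == "__main__":
    unsafe = render_unsafe("div", ATTACKER_ATTRS)
    safe = render_safe("div", ATTACKER_ATTRS)
    print("unsafe:", unsafe, "->", parse_attrs(unsafe))
    print("safe:  ", safe, "->", parse_attrs(safe))
```

Attribute-name validation matters as much as value escaping: escaping the value of an `onmouseover` attribute still yields a working handler, which is why the name check refuses anything beginning with `on`. In a Django template the equivalent is relying on autoescaping for the value and never marking attribute strings as safe.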


Experience


Penetration Tester

Jan 2024 - Present

LoreSecurity

Cyber Threat Intelligence Analyst

Oct 2022 - Dec 2023

SOCRadar

Awards & Certifications


OffSec Web Expert (OSWE)

Nov 11, 2024

OffSec's Advanced Web Attacks and Exploitation (WEB-300) course dives deep into the latest web application penetration testing methodologies and techniques.

eWPTXv2 (Web Application Penetration Tester eXtreme)

Feb 14, 2024

The eWPTX is the issuer's most advanced web application penetration testing certification. This 100% practical and highly respected certification validates the advanced skills necessary to conduct in-depth penetration tests on modern web applications.

Web Application Pentester

Dec 04, 2024

The Web Application Pentester Career Path is a comprehensive learning journey designed for professionals aiming to identify and exploit vulnerabilities in web applications. This career path covers a broad range of topics, starting from foundational concepts like Web and SQL Fundamentals to advanced.

Bug Hunter

Dec 05, 2024

The Bug Bounty Hunter Career Path is a comprehensive and practical training program designed to equip individuals with the skills and knowledge needed to excel in bug bounty hunting. This career path offers a structured learning journey that covers essential topics, starting from Basic Fundamentals

Projects


Flask Authentication Bypass and RCE Exploit – Chain Lab Writeup

Published: Dec 2024

This repository contains a Python script that exploits an authentication bypass and a remote code execution (RCE) vulnerability in a Flask web application. The goal is to demonstrate how these vulnerabilities can be chained to obtain a reverse shell.


CVE-2022-29464-Bypass-CloudFlare

Published: Feb 2024

WSO2 RCE (CVE-2022-29464) exploit with a Cloudflare bypass. The vulnerability is an unauthenticated, unrestricted arbitrary file upload that allows unauthenticated attackers to gain RCE on WSO2...


Python For Hackers

Published: May 2022

A collection of simple Python scripts for penetration testing. Hacking with Python is a simple and extensible tool for getting started with ethical hacking activities and running Python scripts. The scripts will be updated constantly and new ones added.

Education


Akdeniz University

Jun 2019 - Jun 2023
Management Information Systems