When you forgot to parse that header correctly
A story of how I exploited a forgotten attack vector to easily achieve maximum vulnerability impact on a big company Read more
Mohamed Bal-Ghaoui
PhD, AI & Infosec enthusiast
Academic and technical background in AI and infosec. My work focuses on the intersection of AI and cybersecurity, both offensive and defensive.
Recent Posts
Fear the EAR Vuln
Fear the EAR (Exit After Redirect) is a simple yet often overlooked vulnerability that can allow authentication bypass. This short post walks through the discovery process, how I exploited the issue, and how it was responsibly reported back to the program. Read more
Struts your way into Strongkey [RCE]
![Struts your way into Strongkey [RCE]](/images/c3Ryb25na2V5LXJjZQo=.png)
Here's how I could pwned StrongKey, while exploiting an already released patch CVE. And this is why it's important to keep your component updated ! Read more
From academic research to LFD critical vulnerability
Local file include can be used by developers to retrieve files in the current working directory, however when an attacker locate the vulnerable endpoint, he can jump directories to read sensitive system files And this what happens when I was conducting my usual academic work till observing this LFI ! Read more
Automating some stuff with jq and bash
This is how I managed to solve a processing problem of a hudge json blob data, combining jq, and bash ! Read more
Inside a global leader in CyberSecurity [bitdefender dashboard]
![Inside a global leader in CyberSecurity [bitdefender dashboard]](/images/Ynhzcy1iaXRkZWZlbmRlcgo=.png)
In this post, I describe how I was able to access the internal administrator dashboard of one of the well-known antivirus softwares (Bitdefender) by exploiting a blind xss and session hijacking. Read more