Hey, I'm Oleg
Learning pentesting. Writing code. Taking notes along the way.
This is where I document what I learn — mostly security research, some frontend, and a bit of devops.
Browse by category
Pentesting — security tools, techniques, CTF writeups
Cheatsheets — in-depth security reference guides
Frontend — Vue.js, Nuxt, web development patterns
DevOps — shell one-liners, automation, tooling
Cheatsheets
Server-Side Request Forgery (SSRF)
Complete breakdown of SSRF — where to look, types, protocols, filter bypass, cloud metadata, paths to RCE, defenses. Theory, methodology, cheat sheet.
Server-Side Template Injection (SSTI)
Complete SSTI breakdown — detection, engine identification, sandbox escape, per-engine exploitation, blind SSTI, defense. Theory, methodology, cheatsheet.
XML External Entity (XXE)
Complete XXE breakdown — XML entities, DTD, all attack vectors, blind/error-based, bad character bypasses, defense by language. Theory, methodology, cheatsheet.
Recent posts
Web Shell Upload via Extension Blacklist Bypass (PortSwigger Lab)
.php is blacklisted, but .htaccess uploads without complaint — we slip our own Apache config in and make the server execute shell.bug as PHP.
Web Shell Upload via Obfuscated File Extension (PortSwigger Lab)
Extension blacklist rejects .php and a double-extension shell.php.jpg is served as an image — a null byte in shell.php%00.jpg bypasses both checks.
Remote Code Execution via Web Shell Upload (PortSwigger Lab)
Avatar upload has no validation — drop a PHP web shell and read /home/carlos/secret.
Web Shell Upload via Content-Type Restriction Bypass (PortSwigger Lab)
The server only checks the Content-Type header — flip it to image/jpeg and the PHP shell sails through.
Web Shell Upload via Path Traversal (PortSwigger Lab)
Filename with `../` gets stripped, but URL-encoded `%2e%2e%2fshell.php` slips through — climb out of /avatars into a directory where PHP actually executes.