Hacked & Secured: Pentest Exploits & Mitigations

• Ep. 12 – Timing Attacks & Mobile OAuth Hijack: When Microseconds and Misflows Betray You

  A few microseconds. One silent browser session. That’s all it took for attackers to break into systems without tripping a single alert.In this episode of Hacked & Secured: Pentest Exploits & Mitigations, we explore two subtle but devastating flaws:🔹 Timing Attacks for Token Leaks – By measuring microsecond delays, attackers were able to recover secrets, without seeing them in responses.🔹 OAuth Hijack via Mobile App Flows – A crafted app abused in-app browser sessions and custom URL schemes to silently steal valid login tokens from users on iOS.These aren’t theoretical bugs—they were found in the wild and affect real apps. If you build or test auth systems, this episode is for you.Chapters:00:00 - INTRO01:11 - FINDING #1 - Timing Leaks That Speak Volumes06:56 - FINDING #2 - Hijacking Mobile OAuth with One Silent Redirect13:06 - OUTROWant your pentest discovery featured? Submit your creative findings through the Google Form in the episode description, and we might showcase your finding in an upcoming episode!🌍 Follow & Connect → LinkedIn, YouTube, Twitter, Instagram 📩 Submit Your Pentest Findings → https://forms.gle/7pPwjdaWnGYpQcA6A 📧 Feedback? Email Us → [email protected] 🔗 Podcast Website → Website Link

  --------  

  14:09

  --------

  14:09
• Ep. 11 – Account Takeover, Token Misuse, and Deserialization RCE: When Trust Goes Wrong

  One flawed password reset. One shared session token. One dangerous object.In Episode 11 of Hacked & Secured: Pentest Exploits & Mitigations, we break down three real-world vulnerabilities where trust between systems and users broke down—with serious consequences.Account Takeover via Forgot Password – A predictable ID and exposed tokens let attackers reset passwords without access to email.Session Hijack in OTP Login – A logic flaw in how login tokens were handled allowed full account access with just a user ID.Remote Code Execution via Java Deserialization – A community-contributed finding where an exposed service deserialized untrusted input, leading to code execution.These aren’t complex chains. They’re common mistakes with big impact—and important lessons for developers, security teams, and testers.Chapters:00:00 - INTRO00:59 - FINDING #1 - Account Takeover via Forgot Password06:26 - FINDING #2 - Shared Session Token in SMS Login Flow10:39 - FINDING #3 - Java Deserialisation to Remote Code Execution16:13 - OUTROWant your pentest discovery featured? Submit your creative findings through the Google Form in the episode description, and we might showcase your finding in an upcoming episode!🌍 Follow & Connect → LinkedIn, YouTube, Twitter, Instagram 📩 Submit Your Pentest Findings → https://forms.gle/7pPwjdaWnGYpQcA6A 📧 Feedback? Email Us → [email protected] 🔗 Podcast Website → Website Link

  --------  

  17:15

  --------

  17:15
• Ep. 10 – Cookie XSS & Image Upload RCE: One Cookie, One File, Full Control

  One cookie set on a subdomain triggered XSS and stole session tokens. One fake image upload gave the attacker a reverse shell.This episode breaks down two powerful exploits—a cookie-based XSS that bypassed frontend protections, and an RCE through Ghostscript triggered by a disguised PostScript file.Learn how subtle misconfigurations turned everyday features into full account and server compromise.Chapters:00:00 - INTRO01:08 - FINDING #1 - Cookie-Controlled XSS12:19 - FINDING #2 - Image Upload to RCE via Ghostscript19:03 - OUTROWant your pentest discovery featured? Submit your creative findings through the Google Form in the episode description, and we might showcase your finding in an upcoming episode!🌍 Follow & Connect → LinkedIn, YouTube, Twitter, Instagram 📩 Submit Your Pentest Findings → https://forms.gle/7pPwjdaWnGYpQcA6A 📧 Feedback? Email Us → [email protected] 🔗 Podcast Website → Website Link

  --------  

  20:12

  --------

  20:12
• Ep. 9 – Directory Traversal & LFI: From File Leaks to Full Server Crash

  One markdown link copied server files. One poisoned log triggered remote code execution. One LFI crashed the entire server. In this episode, we unpack three real-world exploits—directory traversal and local file inclusion flaws that went far beyond file reads. From silent data leaks to full server compromise, these attacks all started with a single trusted path.Chapters:00:00 - INTRO01:07 - FINDING #1 - Server File Theft with Directory Traversal09:23 - FINDING #2 - From File Inclusion to RCE via Log Poisoning16:20 - FINDING #3 - LFI to Server Crash24:09 - OUTROWant your pentest discovery featured? Submit your creative findings through the Google Form in the episode description, and we might showcase your finding in an upcoming episode!🌍 Follow & Connect → LinkedIn, YouTube, Twitter, Instagram 📩 Submit Your Pentest Findings → https://forms.gle/7pPwjdaWnGYpQcA6A 📧 Feedback? Email Us → [email protected] 🔗 Podcast Website → Website Link

  --------  

  25:05

  --------

  25:05
• Ep. 8 – OTP Flaw & Remote Code Execution: When Small Flaws Go Critical

  A broken logout flow let attackers hijack accounts using just a user ID. A self-XSS and an IDOR exposed stored data. And a forgotten internal tool—running outdated software—ended in full Remote Code Execution.This episode is all about how small bugs, missed checks, and overlooked services can lead to serious consequences.Chapters:00:00 - INTRO01:22 - FINDING #1 - The Logout That Logged You In07:12 - FINDING #2 - From Signature Field to Shell Access14:40 - OUTROWant your pentest discovery featured? Submit your creative findings through the Google Form in the episode description, and we might showcase your finding in an upcoming episode!🌍 Follow & Connect → LinkedIn, YouTube, Twitter, Instagram 📩 Submit Your Pentest Findings → https://forms.gle/7pPwjdaWnGYpQcA6A 📧 Feedback? Email Us → [email protected] 🔗 Podcast Website → Website Link

  --------  

  15:45

  --------

  15:45

Mais podcasts de Negócios

Podcasts em tendência em Negócios

Sobre Hacked & Secured: Pentest Exploits & Mitigations