bugbounty

2011 - klix.ba | Web | SQL injection to remote code execution
2012 - olx.ba | Web | SQL injection to root takeover
2013 - klix.ba | Web | Path traversal to local file inclusion
2013 - klix.ba | Android | Session manipulation, account takeover
2013 - bhtelecom.ba | Web | Bosnian Telecom provider, multiple vulns in CMS
2014 - radiosarajevo.ba | Web | SQL injection, admin access
2014 - huawei.com | Web | Stored XSS, unrestricted redirect
2017 - klix.ba | Web | Account takeover, File upload, multiple API vulns
2020 - apple.com | Web | Sensitive Data Disclosure, publicly accessible .git directory

* all `.ba` targets are among the most visited websites in the BA (Bosnia-Herzegovina) ccTLD by Alexa ranking [1]
* all vulnerabilities were responsibly disclosed; a few are not disclosed due to NDA

[1] https://www.alexa.com/topsites/countries/BA

exploit

assigned:
2013 - CVE-2013-5099 | Anchor CMS | Stored XSS, [exploit-db]
2020 - CVE-2020-13648 | http-protection | A Crystal Shard (Library), IP Spoofing Bypass, [exploit-db]

non-assigned:
2013 - / | Anchor CMS beta | CSRF bypass
2015 - / | MeekroDB PHP | Blind SQL injection

* all exploits are available in the public one way or another
* all exploits were previously reported to the respective authors

research

2014 - Reverse engineering of Alina POS Malware | for [@Public], seen on @MalwareMustDie
2016 - Introduction to cyber-attacks on vehicles | for [@BalCCon]
2017 - Metasploit for your car - dev phase | for [@Public]
2018 - Open-source intelligence gathering | Academic research paper on Espionage Surveillance System