Penetration Testing Internship at TACO

Images in this blog have been intentionally blurred to protect the company’s confidentiality.

The Beginning

After over 6 years of coding experience, especially in game and web development, I became really interested in trying out the cyber community. At first, I was mostly just doing it for silly (..seriously silly) stuff and not so much for career knowledge.

But then, all of a sudden, a company (not just any company) invited me to do an internship in cybersecurity, playing the role of a penetration tester. I was obviously shocked to receive this letter, because this was my first time applying this knowledge to a real-world case.

But well, why shouldn’t I accept it? I guess it really is time to test my skills.

My Task

So my task is simple: just find a vulnerability without knowing the backend structure (basically Black Box Penetration Testing). No, it’s not actually simple (😭)...

The existing security features

On my first visit to the “sandbox” environment, I was shocked to see that it was actually much harder than doing CTF problems—or at least that’s what I thought.

[Image: Login Page] Simple login page of one of the websites at TACO

The first thing I saw was a simple login page with a PHP backend. I immediately thought about SQL Injection or Request Poisoning, but when I tried to brute-force those requests, I noticed that the backend had a rate limiter (probably some kind of WAF implemented) that blocked them. I then had to change my IP to unblock the requests, so I figured I should try using a rotating IP/Proxy.

But with no luck… I’m sure the backend has a secure way of communicating with the SQL database. I almost gave up at this point because of the lack of findings.

An interesting find

But then, I ran the company’s domain through a Certificate Search, and it turned out there were a lot of subdomains that might be useful in helping me find a vulnerability. Most of them were unused, but I found one really helpful domain that used a Strapi interface.

From this finding, I was really shocked to discover that Strapi has a lot of vulnerabilities, so I searched for more information about them. I then tried to apply those vulnerabilities and, surprise-surprise, I managed to create a privileged user on the backend with administrative access to the company’s API.

[Image: Admin Account Creation] Me attempting a payload pollution attack to create a privileged user

Report

Of course, after doing all of this, I needed to write a report of my findings. This was also my first time writing a report for this kind of work, so I asked ChatGPT for help in making the report sound professional and easy to read for a general audience.

Response from the company

I received a response from the company about a week after sending my report. And to my surprise, they were genuinely impressed with my findings. They acknowledged the severity of the vulnerability and thanked me for responsibly disclosing it.

This was the moment I truly realized that my passion for cybersecurity could go beyond just curiosity and practice—it could actually make a real impact in the industry.

New skills I learned

This internship didn’t just teach me new skills — it made me even more passionate about cybersecurity. I also got a real look into how security works in the real industry, and how insanely important cybersecurity is in today’s digital world (to stop those pesky lil’ hackers!).

https://blog.omania.dev/posts/penetration-testing-at-taco/
Author
Rajendra Verrill Hafizha
Published at
2025-06-30
License
CC BY-NC-SA 4.0