Work · National food brokerage · May 2026
Authorized penetration testing
Skills exercised
External web-application penetration tests on three production web properties operated by a third-party developer in the company's web ecosystem, May 2026. Authorized internal testing with written authorization on file. 47 findings total: 7 critical plus 40 medium and low. Specific targets and brand names redacted on this public site; findings have been remediated.
Methodology
OSCP-style external assessment: reconnaissance, fingerprinting, content discovery, exploitation, pivot, reporting. Subdomain enumeration via subfinder, port scanning with nmap, TLS fingerprinting, content discovery with SecLists wordlists, credential validation against cloud auth endpoints, CVE research and CVSS-based risk prioritization.
Critical-finding categories (generic)
- Demonstrated unauthenticated remote code execution on a production target via an unauthenticated admin panel accepting arbitrary file uploads. Benign proof-of-concept executed under written authorization.
- Supply-chain attack chain identified through an admin-panel file-replacement primitive that would have delivered attacker-controlled files to tens of thousands of customer rows through a trusted channel.
- Live cloud service-account RSA private key publicly readable from the web root. Exploitation confirmed via successful token acquisition.
- Same key reused across a sibling target after pivoting via hardcoded API references in source code exposed on the first target.
- Additional warehouse-platform private keys exposed in publicly readable application directories.
- Customer CRM data leak Tens of thousands of rows of customer-account, sales-rep, and supplier-relationship data publicly downloadable, along with dashboard access tokens.
- Vendor materials exposure Dozens of NDA-covered partner documents publicly downloadable.
- Account takeover chain via an exposed employee-email list plus an unauthenticated account-activation endpoint with no CAPTCHA and no rate limiting. Live forced re-activation of an employee account confirmed during testing.
- Additional admin panel exposed to the internet with no IP restriction, no rate limit, and no lockout. Wordlist enumeration completed without throttling.
- End-of-life PHP stack with double-digit unpatched CVEs, including a known actively-exploited RCE class, on shared hosting.
Reporting
Formal Markdown reports per target with severity ratings, CVE mapping, evidence preservation, exploit chains, and prioritized remediation guidance, written for both technical and executive audiences. Plus a 3-minute executive brief with a "30-minute decision today" ask covering immediate exposure closure, secret rotation, vendor notification recommendation, and remediation roadmap acceptance.