Aspiring cybersecurity "something".
Just starting my journey, lets see where I end up!
Discord: marduk_james
Twitter: @Marduk_James
Medium: @marduk.i.am
New write-up published: Prototype Pollution in Practice
Using three PortSwigger labs, I walk through a repeatable methodology.
Less about lab solutions, more about the process.
https://medium.com/@marduk.i.am/prototype-pollution-in-practice-437958d27751
Published a new article: “Gadget Hunting in Practice”
The article focuses on practical prototype pollution hunting methodology:
• confirming pollution correctly
• identifying gadgets
• tracing execution sinks
• understanding weak vs strong sinks
• using DOM Invader and ppmap effectively
One of the biggest mistakes beginners make is trying to prove pollution, gadget discovery, and exploitation all at once.
I just published a write-up on prototype pollution and how it leads to XSS.
The key idea: you’re not injecting into the sink—you’re controlling the property lookup that eventually reaches it.
Pollute → Gadget → Sink → Execution
Includes examples and common vulnerable patterns (merge functions, __proto__, etc.)
https://medium.com/@marduk.i.am/prototype-pollution-15f47d9e5c6a
DOM XSS isn’t always in the HTML.
Sometimes your input never appears in the Source because JavaScript is building the page.
Source → Sink → Execution in real-world DOM flows.
A lot of XSS testing turns into guessing payloads and hoping something works.
It doesn’t have to be that way.
I wrote a short guide on a 3-step process to identify context quickly and approach reflections more methodically.
https://medium.com/@marduk.i.am/stop-guessing-xss-payloads-881cad409624
A lot of XSS write-ups focus on HTML injection (innerHTML, document.write, etc).
But navigation-based sinks are just as dangerous.
If user input reaches location.href, a javascript: URI can turn a redirect into code execution in the page’s context.
I put together a practical breakdown with examples and real-world patterns:
https://medium.com/@marduk.i.am/why-location-href-isnt-just-a-redirect-f7c77c0e4bcd
A breakdown of how execution context determines whether your payload fails or fires — using hands-on PortSwigger labs.
#xss #BugBounty #ethicalhacking #CyberSecurityAwareness
https://medium.com/@marduk.i.am/context-is-everything-a-practical-guide-to-xss-eff8d30421df
One of my first Kali Linux VMs… and I forgot the password
Instead of rebuilding it, I explored snapshot disk analysis and mounted the VDI to recover the data.
#Linux #digital-forensics #cybersecurity #ethical-hacking #virtualization
https://medium.com/@marduk.i.am/vm-snapshot-disk-recovery-657019478cbe
New CTF walkthrough for TryHackMe's RootMe. This is a fun one!
I just published RootMe (CTF Walkthrough) https://medium.com/p/rootme-ctf-walkthrough-efe69ef73510?source=social.tw
#TryHackMe #Cybersecurity #ReverseShell #CTF #PenetrationTesting
