Introduction

I am Marwane, an IT enthusiast, with a genuine passion for exploring the dynamic world of information technology. My fascination with IT goes beyond mere professional interest; it's a personal drive that fuels my continuous learning and exploration in this ever-evolving field. I am dedicated to leveraging technology to solve challenges and contribute to the exciting advancements within the IT landscape. Let's connect and delve into the limitless possibilities that IT has to offer.

  • Quality
  • Reliability
  • Consistency

DevOps

Full Stack

Web Security & API Testing

Automation

System Admin

Project Management & Data Visualization

What I Have Been Doing

  • 2019-ongoing — Web Application Security Researcher

    Proficient in identifying and mitigating web application vulnerabilities, both manually (auditing JavaScript source code and HTTP requests and leveraging browser dev tools) and automatically (by building frameworks and workflows).


    Example vulnerabilities I can identify and help mitigate:

    Remote Code Execution (RCE), SQL Injection (SI), Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Broken Access Control (BAC), Web Cache Poisoning (WCP), Web Cache Deception (WCD), Insecure Direct Object References (IDOR), Denial of Service (DoS)

    I have successfully identified and remediated numerous web vulnerabilities in high-profile corporate websites, such as:


    Microsoft: Cross-Site Scripting on their official web app store, High Severity.
    The Microsoft Security Response Center acknowledged me for those findings (specific date: Jun 30, 2020).

    Impact:
    In XSS attacks, an attacker injects malicious JavaScript into web pages that are then viewed by other users. These scripts execute in the context of the victim's browser, allowing the attacker to steal sensitive information, take over user accounts, manipulate user sessions, deface websites, or launch other malicious activities.

    How I found it:
    One of my automated frameworks crawled the Microsoft website as a regular user, identifying injection points and user inputs; by manipulating those with sophisticated payloads, the XSS was triggered. The workflow then saved the vulnerable endpoint and other logs to my server.

    How to mitigate it:
    Developers should never trust user input. Always validate and sanitize user input on both the client and the server side, apply context-appropriate output encoding before inserting data into HTML, and deploy a Content Security Policy (CSP) to restrict which scripts the browser may execute.


    Sendgrid: Account Take-Over (ATO), Critical Severity.

    Impact: This happens when an XSS is escalated to obtain the user's cookies and session ID, making it possible to hijack and take over their account.

    How I found it:
    This one was interesting because it needed a thorough manual audit and review of JavaScript source code, sending HTTP requests and reviewing server responses, and identifying their defenses and regex filters in order to adapt the injected payloads accordingly and successfully bypass their WAF (Web Application Firewall: Cloudflare, Akamai).

    How to mitigate it:
    In addition to the XSS mitigations above, developers should set the HttpOnly flag on session cookies so that they cannot be read from JavaScript (document.cookie). This keeps session identifiers out of reach of an injected script even when an XSS does fire, which is crucial for maintaining the integrity and security of user sessions. Pairing HttpOnly with the Secure and SameSite attributes further limits where the cookie is sent.
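    The mitigations described in the two "How to mitigate it" sections above (output encoding, a CSP, and HttpOnly session cookies), as an added Node.js example that is not code from the original page or from any of the companies mentioned; the function names and the sample input are this example's own.

    ```javascript
    // Added example (not from the original page): the XSS and session-hijack
    // mitigations described above, as a minimal Node.js response builder.
    // escapeHtml, secureSessionCookie, cspHeader and renderProfilePage are
    // hypothetical names chosen for this example.

    // Output encoding: every character HTML gives meaning to becomes an entity,
    // so attacker-controlled text is rendered as text, never parsed as markup.
    function escapeHtml(str) {
      return String(str).replace(/[&<>"'\/]/g, (ch) => ({
        '&': '&amp;', '<': '&lt;', '>': '&gt;',
        '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
      })[ch]);
    }

    // HttpOnly keeps the cookie out of document.cookie, so a script that does
    // run cannot read it; Secure and SameSite limit transport and cross-site use.
    function secureSessionCookie(sessionId) {
      return `sid=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
    }

    // A CSP that only runs scripts served from the page's own origin (no inline scripts).
    function cspHeader() {
      return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
    }

    // Build a full response for a profile page whose display name is user input.
    function renderProfilePage(displayName, sessionId) {
      const body = `<!doctype html><html><body><h1>Hello, ${escapeHtml(displayName)}</h1></body></html>`;
      return {
        status: 200,
        headers: {
          'Content-Type': 'text/html; charset=utf-8',
          'Content-Security-Policy': cspHeader(),
          'Set-Cookie': secureSessionCookie(sessionId),
        },
        body,
      };
    }

    // Constructed sample input: the classic probe a scanner would submit.
    const sampleInput = '<script>alert(1)</script>';
    const res = renderProfilePage(sampleInput, 'constructed-session-id');
    console.log(res.headers['Set-Cookie']);
    console.log(res.body); // the probe appears as inert text inside the <h1>
    ```
    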


    Miro: Broken Access Control, High Severity
    Backblaze: Cross-Site Scripting, High Severity.
    HuffingtonPost: Cross-Site Scripting on multiple websites, High Severity.
    CreditKarma: Cross-Site Scripting on support subdomain, Medium Severity.
    Datastax: Cross-Site Scripting, Medium Severity.

    ...

  • Automated Penetration Testing

    Conducted comprehensive penetration tests using frameworks and workflows that I personally developed in Bash/Shell, JavaScript/Node.js and Python, alone or combined, to build efficient frameworks and workflows for finding web vulnerabilities.

    Highlights:

    Framework Development: Designed and created bespoke penetration testing frameworks from scratch, amalgamating the power of Bash/Shell, Javascript/Node.js, and Python. These frameworks were meticulously crafted to streamline and automate the identification of web vulnerabilities, ensuring a comprehensive evaluation of system security.

    Workflow Optimization: Implemented optimized workflows that seamlessly integrated different scripting languages, capitalizing on the strengths of each to create a cohesive testing environment. Integrated these workflows seamlessly into Jira, utilizing XRAY for test management and traceability. Maven was employed for project build automation, ensuring consistency and reliability in the testing process.

    Jira and XRAY Integration: Utilized Jira as a central project management platform and seamlessly integrated XRAY for test management. This integration facilitated efficient tracking of penetration testing tasks, providing clear visibility into the testing process, identified vulnerabilities, and their remediation status. Cucumber was incorporated for behavior-driven development (BDD), enhancing collaboration between development and testing teams through executable specifications.

    Data Export and Sync Add-On (XRAY to Power BI): Innovatively contributed to the development of an add-on that enabled the export and synchronization of data from XRAY to Power BI. This customization provided real-time insights into testing metrics and progress, improving decision-making processes.

    Comprehensive Testing: Conducted thorough and comprehensive penetration tests using the developed frameworks. This encompassed a range of assessments, including but not limited to, identifying injection vulnerabilities, cross-site scripting (XSS), cross-site request forgery (CSRF), and other common web application vulnerabilities. Test results and findings were diligently documented and linked directly within Jira issues for streamlined communication and collaboration.

    This multifaceted workflow not only showcased efficiency, but also demonstrated a commitment to enhancing organizational efficiency through the integration of cutting-edge technologies and the development of custom add-ons.
