Security Testing & Evaluation Specialist
Practitioner-level certification for security testing specialists. Covers AppSec evaluation, API testing, cloud/container/crypto assessment.
Test Plan, Criteria and Evaluation Protocol [Non-CTF]
GraphQL Token Abuse (Static Artifact): Authentication Bypass via GraphQL Operation Manipulation
PASETO Weak Key (Static Artifact): Brute-Force Recovery of Low-Entropy PASETO Symmetric Keys
Text whitespace steganography
Text acrostic steganography
ZIP archive forensics
AppSec and API Evaluation
IDOR (numeric)
IDOR (UUID guessable)
Parameter pollution IDOR
Horizontal Privilege Escalation: Cross-User Resource Access via Insufficient IDOR Controls
Vertical Privilege Escalation: Role Bypass and Unauthorized Administrative Function Access
Role misassignment
Mass Assignment Vulnerability: Unfiltered Object Binding for Unauthorized Property Modification
Hidden admin endpoint
GraphQL overexposure
REST verb confusion
CORS misconfiguration
Multi-tenant data leak
SQL injection (classic)
SQLi blind time-based
SQLi second order
NoSQL Injection: MongoDB Operator Injection for Authentication Bypass and Data Enumeration
LDAP Injection: Filter String Manipulation for Authentication Bypass and Directory Enumeration
Template injection (Jinja2/Twig)
SSTI chain
OS Command Injection: Shell Metacharacter Exploitation for Server-Side Command Execution
Argument injection
Path traversal
LFI
RFI
SSTI to RCE chain
Reflected XSS: URL-Based Script Injection and Single-Interaction Client-Side Code Execution
Stored XSS: Persistent Script Injection for Session Hijacking and Admin Panel Exploitation
DOM-based XSS
CSP Bypass: Content Security Policy Circumvention via JSONP Endpoints, Trusted Domain Abuse and Nonce Prediction
AngularJS expression injection
Markdown rendering XSS
File upload XSS
Service worker abuse
Basic SSRF Exploitation: Internal Service Enumeration via Server-Side URL Fetch Manipulation
SSRF to Cloud Metadata: AWS IMDS Credential Theft via Server-Side Request Forgery
SSRF via PDF Renderer: Headless Browser Exploitation for Internal Service Access via HTML Injection
SSRF via webhook
SSRF Filter Bypass: IP Encoding, URL Redirection and Parser Confusion for Blocklist Evasion
DNS rebinding (simulated)
Gopher Protocol SSRF: Arbitrary TCP Payload Injection for Redis, Memcached and FastCGI Exploitation
SSRF → Redis (mocked)
SSRF → internal admin
Unrestricted file upload
Extension bypass
Content-Type Bypass: MIME Sniffing and Type Header Manipulation for Upload Restriction Evasion
Zip Slip Path Traversal: Archive Extraction Directory Escape for Server-Side File System Write
Archive bomb (simulated)
Insecure deserialization (generic)
PHAR deserialization (simulated)
Pickle deserialization
YAML unsafe load
Prototype Pollution in Node.js: __proto__ Injection for Object.prototype Manipulation and RCE Gadget Chaining
Race condition
TOCTOU
Double-spend
Coupon stacking
Quantity manipulation
Order status tampering
Payment bypass
Feature flag abuse
Logic-Based Privilege Escalation: Exploiting Flawed Business Rules for Unauthorized Role Promotion
API Rate Limit Bypass: Request Throttling Circumvention via Header Manipulation and IP Rotation
Pagination bypass
Batch endpoint abuse
Swagger exposed secrets
API key leakage
PNG metadata stego
WAV LSB stego
Nested archive
Weak zip password
Verifying Cryptographic Log Integrity by Detecting SHA-256 Hash Chain Breaks
Detecting Log Injection Attacks Through CRLF Forensics and Entry Authenticity Analysis
Detecting Timestamp Manipulation via MFT and NTP Cross-Correlation Sequence Analysis
Reconstructing Event Timelines from Log Rotation Artifacts and Surviving Log Fragments
Detecting Pass-the-Hash Attacks via NTLM Logon and Multi-Source Log Correlation
Identifying Service-Based Persistence Through New Service Anomaly and Baseline Comparison
Correlating Brute-Force Authentication Failures with Successful Lateral Pivot Events
Identifying Base-Encoded Chunk Queries in DNS Exfiltration Log Records
Tracing SUID Binary Exploitation via Setuid Syscall and Privilege Transition Correlation
Detecting Cron-Based Persistence via Scheduled Task Forensics and Download-Execute Patterns
Detecting Unauthorized Group Membership Changes via Privilege Escalation Audit Logs
Detecting Sudo Abuse Through GTFOBins Traces and Sudoers Modification Forensics
Tracing Unauthorized Shadow File Access Using Auditd Event Log Forensics
SMTP Inbox OSINT: Mail Content Analysis, Sender Tracing and Inbox-Based Identity Discovery
LDAP Anonymous Reconnaissance: Unauthenticated Directory Traversal and User Attribute Harvesting
Git Repository History Secret Recovery: Identifying Deleted Credentials via Commit Log Forensics
PDF first-letter acrostic forensics
PDF JavaScript action forensics
PDF hidden AcroForm field forensics
PDF incremental update revision forensics
Terraform State File Exposure: Extracting Infrastructure Secrets from Public S3 Backends
Cloud, Container, Crypto and System Evaluation
Advanced GOT Overwrite: 64-Bit Multi-Byte %hn/%hhn Writes with Null-Byte Bypass
Format String Arbitrary Write: Exploiting %n for GOT Overwrite and Code Redirection
Integer Truncation Exploitation: 64-to-32-Bit Narrowing, Size Check Bypass and Memory Corruption
Signed/Unsigned Confusion Exploitation: Negative Index Underflow and Memory Corruption via Sign Mismatch
Advanced seccomp Bypass: 32-Bit int 0x80 Syscall Table Exploitation Outside 64-Bit Filter Coverage
Docker Volume Misconfiguration: Sensitive Host Path Exposure and Container-to-Host Escalation
Privileged Container Escape: Linux Capability Abuse and Host Device Access for Breakout
Kubernetes Dashboard Unauthenticated Access: Pod Creation, Secret Enumeration and Admin Escalation
Kubernetes RBAC Privilege Escalation: ClusterRoleBinding Abuse and Service Account Token Misuse
Kubernetes Secret Enumeration in Cluster: Namespace Traversal and Sensitive Data Extraction
Kubernetes Service Account Abuse: Token-Based API Access and Lateral Movement Within Cluster
IAM policy misconfig
Vigenère Cipher Cryptanalysis: Kasiski Examination and Index of Coincidence Attack
Cracking Columnar Transposition Ciphers: Key-Length Detection and Column Reordering
AES-ECB Block Alignment Attack: Exploiting Deterministic Encryption for Oracle Leakage
CBC Padding Oracle Attack: Byte-by-Byte Plaintext Recovery via PKCS#7 Error Responses
AES-CTR Nonce Reuse Attack: XOR-Based Keystream Recovery and Plaintext Decryption
Exploiting Symmetric Key Reuse Across Users: Cross-Account Ciphertext Oracle Attacks
Extracting Hardcoded Symmetric Keys from Binaries via Static Reverse Engineering
Attacking Weak Key Derivation Functions: Dictionary Attacks on Under-Iterated Password Hashing
XOR Keystream Reuse Attack: Many-Time Pad Cryptanalysis and Statistical Key Recovery
Cracking RSA Small Public Exponents: Cube-Root Recovery and Low-Exponent Bias
RSA Broadcast Attack: CRT-Based Plaintext Recovery Across Multiple Recipients
Factoring Weak RSA Primes via Fermat Factorisation and Pollard p-1 Method
Analyzing Kerberoasting PCAP Captures via TGS-REQ Identification and Hashcat Ticket Extraction
Decrypting TLS Traffic via SSLKEYLOGFILE Integration and Encrypted Session Reconstruction
Analyzing gRPC PCAP Captures via HTTP/2 Stream Identification and Protobuf Parameter Extraction
WAV spectrogram stego
WAV echo stego
LSB RGB stego
Bit plane image stego
Alpha channel LSB stego
XOR two-image stego
DCT block image stego
Recovering Wide Strings (UTF-16LE) from Memory: C2 URL and Credential Extraction via Volatility
Detecting XOR-Encoded Payloads in Memory Dumps: Entropy Analysis and Brute-Force Key Recovery
Evidence, Reproducibility and Recommendations [Non-CTF]
No cards in this course yet.
CTFFactory Security Testing & Evaluation Specialist
Practitioner credential — awarded upon completion