<feed xmlns="http://www.w3.org/2005/Atom"> <id>https://hansmach1ne.github.io/</id><title>Mateo Hanžek's Security blog</title><subtitle>Pentesting &amp; security research blogspot.</subtitle> <updated>2026-06-04T01:13:04+00:00</updated> <author> <name>Mateo Hanžek</name> <uri>https://hansmach1ne.github.io/</uri> </author><link rel="self" type="application/atom+xml" href="https://hansmach1ne.github.io/feed.xml"/><link rel="alternate" type="text/html" hreflang="en" href="https://hansmach1ne.github.io/"/> <generator uri="https://jekyllrb.com/" version="4.4.1">Jekyll</generator> <rights> © 2026 Mateo Hanžek </rights> <icon>/assets/img/favicons/favicon.ico</icon> <logo>/assets/img/favicons/favicon-96x96.png</logo> <entry><title>Case study: Attacking Ajenti Control Panel Authentication</title><link href="https://hansmach1ne.github.io/posts/case-study-ajenti-control-panel/" rel="alternate" type="text/html" title="Case study: Attacking Ajenti Control Panel Authentication" /><published>2026-01-21T03:00:00+00:00</published> <updated>2026-06-04T01:12:26+00:00</updated> <id>https://hansmach1ne.github.io/posts/case-study-ajenti-control-panel/</id> <content type="text/html" src="https://hansmach1ne.github.io/posts/case-study-ajenti-control-panel/" /> <author> <name>Mateo Hanžek</name> </author> <category term="Case study" /> <summary>The new “Case study” blog series is aimed to present security research for a particular software, protocol or system. Its purpose is to demonstrate how a single, average but a dedicated attacker might approach a certain attack surface. The blog series will focus on critical issues, such as pre authentication and privilege escalation vulnerabilities. The first blog in the series relates to Ajen...</summary> </entry> <entry><title>CSRF in GraphQL and REST APIs - Attack and defend JSON endpoints</title><link href="https://hansmach1ne.github.io/posts/csrf-attacks-in-json-endpoints/" rel="alternate" type="text/html" title="CSRF in GraphQL and REST APIs - Attack and defend JSON endpoints" /><published>2025-07-23T18:26:00+00:00</published> <updated>2026-02-27T01:23:48+00:00</updated> <id>https://hansmach1ne.github.io/posts/csrf-attacks-in-json-endpoints/</id> <content type="text/html" src="https://hansmach1ne.github.io/posts/csrf-attacks-in-json-endpoints/" /> <author> <name>Mateo Hanžek</name> </author> <category term="Pen test tips &amp; tricks" /> <summary>This blogpost explores how CSRF attacks can be executed against JSON-based endpoints, the role of SOP/CORS preflight mechanism and bypasses that allow attackers to exploit endpoints expecting JSON content. Cross-Site Request Forgery (CSRF) remains a high severity web security issue, even in the modern APIs that rely mostly on JSON in the request body. While Same-Origin policy (SOP) and Cross-O...</summary> </entry> <entry><title>Chrome Referrer-Policy override Cross-Site data leak and strict CSP bypass</title><link href="https://hansmach1ne.github.io/posts/chrome-refferer-policy-override/" rel="alternate" type="text/html" title="Chrome Referrer-Policy override Cross-Site data leak and strict CSP bypass" /><published>2024-08-09T04:01:00+00:00</published> <updated>2026-01-21T17:34:51+00:00</updated> <id>https://hansmach1ne.github.io/posts/chrome-refferer-policy-override/</id> <content type="text/html" src="https://hansmach1ne.github.io/posts/chrome-refferer-policy-override/" /> <author> <name>Mateo Hanžek</name> </author> <category term="Novel Techniques" /> <summary>One of discoveries of this research was that it is possible to chain few functionalities and misconfigurations together in order to achieve Cross-Site (XS) leak with HTML injection, while strict Content-Security-Policy (CSP) is present. This abuse is possible due to the Chrome following RFC strictly. Specifically, if a site uses forms to send user-supplied data, the usual CSP directive to pre...</summary> </entry> <entry><title>Weaponizing lesser known event handlers for XSS</title><link href="https://hansmach1ne.github.io/posts/weaponizing-lesser-known-event-handlers-for-xss/" rel="alternate" type="text/html" title="Weaponizing lesser known event handlers for XSS" /><published>2024-02-27T00:00:00+00:00</published> <updated>2024-02-27T00:00:00+00:00</updated> <id>https://hansmach1ne.github.io/posts/weaponizing-lesser-known-event-handlers-for-xss/</id> <content type="text/html" src="https://hansmach1ne.github.io/posts/weaponizing-lesser-known-event-handlers-for-xss/" /> <author> <name>Mateo Hanžek</name> </author> <category term="Novel Techniques" /> <summary>In the ever-evolving landscape of cybersecurity, one threat remains a persistent adversary - Cross-Site Scripting (XSS). Despite many efforts to mitigate XSS vulnerabilities, hackers continually find new ways to exploit them. In this blog post, we delve into the realm of XSS exploitation through event handlers, exploring cutting-edge techniques that challenge traditional defenses. XSS occurs wh...</summary> </entry> </feed>
