Amin Malekpour

Hacked & Secured: Pentest Exploits & Mitigations

If you know how attacks work, you’ll know exactly where to look—whether you’re breaking in as an ethical hacker or defending as a blue teamer. Hacked & Secured: Pentest Exploits & Mitigations breaks down real-world pentest findings , exposing how vulnerabilities were discovered, exploited, and mitigated. Each episode dives into practical security lessons , covering attack chains and creative exploitation techniques used by ethical hackers. Whether you're a pentester, security engineer, developer, or blue teamer , you'll gain actionable insights to apply in your work. 🎧 New episodes every mont...

Author

Amin Malekpour

Category

Technology

Latest episode

Sep 29, 2025

Where to listen?

Podcasts in the app Replaio Radio Coming soon

Podcasts are coming to the app soon. Install now and be the first to see a whole new take on podcasts

Get it on Google Play Install for free Android 5M+ downloads · 4.8 rating iOS soon

Episodes

Ep. 13 – nOAuth Account Misbinding & Assumed-Breach to Domain Admin (Season Finale) 29.09.2025

One misbound identity. One exposed internal path. Two routes to total compromise. In this season finale of Hacked & Secured: Pentest Exploits & Mitigations , we break down two real-world findings that show how small trust assumptions can unravel entire systems: nOAuth (SSO account misbinding) — Multi-tenant SSO auto-linked accounts by email instead of a stable subject/issuer identifier. Wi...

Ep. 12 – Timing Attacks & Mobile OAuth Hijack: When Microseconds and Misflows Betray You 28.08.2025

A few microseconds. One silent browser session. That’s all it took for attackers to break into systems without tripping a single alert. In this episode of Hacked & Secured: Pentest Exploits & Mitigations , we explore two subtle but devastating flaws: 🔹 Timing Attacks for Token Leaks – By measuring microsecond delays, attackers were able to recover secrets, without seeing them in responses...

Ep. 11 – Account Takeover, Token Misuse, and Deserialization RCE: When Trust Goes Wrong 24.07.2025

One flawed password reset. One shared session token. One dangerous object. In Episode 11 of Hacked & Secured: Pentest Exploits & Mitigations , we break down three real-world vulnerabilities where trust between systems and users broke down—with serious consequences. Account Takeover via Forgot Password – A predictable ID and exposed tokens let attackers reset passwords without access to ema...

Ep. 10 – Cookie XSS & Image Upload RCE: One Cookie, One File, Full Control 26.06.2025

One cookie set on a subdomain triggered XSS and stole session tokens. One fake image upload gave the attacker a reverse shell. This episode breaks down two powerful exploits—a cookie-based XSS that bypassed frontend protections, and an RCE through Ghostscript triggered by a disguised PostScript file. Learn how subtle misconfigurations turned everyday features into full account and server compromis...

Ep. 9 – Directory Traversal & LFI: From File Leaks to Full Server Crash 29.05.2025

One markdown link copied server files. One poisoned log triggered remote code execution. One LFI crashed the entire server. In this episode, we unpack three real-world exploits—directory traversal and local file inclusion flaws that went far beyond file reads. From silent data leaks to full server compromise, these attacks all started with a single trusted path. Chapters: 00:00 - INTRO 01:07 - FIN...

Ep. 8 – OTP Flaw & Remote Code Execution: When Small Flaws Go Critical 24.04.2025

A broken logout flow let attackers hijack accounts using just a user ID. A self-XSS and an IDOR exposed stored data. And a forgotten internal tool—running outdated software—ended in full Remote Code Execution. This episode is all about how small bugs, missed checks, and overlooked services can lead to serious consequences. Chapters: 00:00 - INTRO 01:22 - FINDING #1 - The Logout That Logged You In...

Ep. 7 – IDOR & SSTI: From File Theft to Server-Side Secrets 10.04.2025

A predictable ID exposed private documents. A crafted name leaked backend files. In this episode, we break down two high-impact flaws—an IDOR that let attackers clone confidential attachments, and an SSTI hidden in an email template that revealed server-side files. Simple inputs, big consequences. Learn how they worked, why they were missed, and how to stop them. Chapters: 00:00 - INTRO 01:28 - FI...

Ep. 6 – 403 Bypass & Request Smuggling: Tiny Tricks, Total Takeover 27.03.2025

A single uppercase letter unlocked an admin panel. One malformed request hijacked user sessions. In this episode, we break down two real-world exploits—a 403 bypass and a request smuggling attack—that turned small oversights into full system compromise. Learn how they worked, why they were missed, and what should have been done differently. Chapters: 00:00 - INTRO 01:18 - FINDING #1 – The 403 Bypa...

Ep. 5 – Stored XSS & SQL Injection: Small Flaws, Big Breaches 13.03.2025

A simple filename triggered stored XSS, hijacking accounts and stealing API keys. A SQL injection bypassed a web firewall, dumping an entire database in one request. Both attacks exploited basic security flaws—flaws that should have been caught. Learn how these exploits worked, why they were missed, and what should have been done differently. Chapters: 0:00 - INTRO 01:39 - FINDING #1 – Stored XSS...

Ep. 4 – Exposed Secrets & Silent Takeovers: How Misconfigurations Open the Door to Attackers 27.02.2025

Exposed secrets, overlooked permissions, and credentials hiding in plain sight—each one leading to a critical breach. In this episode, we break down three real-world pentest findings where a forgotten file, a misconfigured setting, and a leaked credential gave attackers full control. How did they happen? How can you find similar issues? And what can be done to stop them? Listen now to learn how at...

Ep. 3 – One Request, One URL, One Bluetooth Hack: Three Takeovers That Shouldn’t Have Happened 13.02.2025

How can attackers take over accounts, networks, and devices—without credentials? In this episode, we break down three real-world security flaws that prove authentication alone isn’t enough: Account Takeover – A single request bypassed email verification, locking out store owners. Internal Network Compromise – A hidden admin URL and hardcoded access key gave attackers full control. Smart Device Hij...

Ep. 2 – Chaining IDORs, CSRF Account Takeovers & Token Manipulation for Privilege Escalation 30.01.2025

What if you could take over an account—not by cracking a password, but by chaining two overlooked vulnerabilities? What if a single CSRF exploit let attackers reset security questions and hijack accounts? And what if manipulating an authorization token could escalate privileges? In this episode of Hacked & Secured: Pentest Exploits & Mitigations , we break down three real-world pentest fin...

Ep. 1 – Breaking OTP Security, Exploiting Static Domains & Privilege Escalation via Role Misconfigurations 30.01.2025

What if your OTP security wasn’t secure at all? What if a static domain—something most people ignore—could lead to full account takeover? And what if flawed role management allowed admins to escalate privileges? In this episode of Hacked & Secured: Pentest Exploits & Mitigations , we break down three real-world security failures that turned minor oversights into critical exploits: Leaking...

Intro to Hacked & Secured: Pentest Exploits & Mitigations – What to Expect! 30.01.2025

If you know how attacks work, you’ll know exactly where to look—whether you’re breaking in as an ethical hacker or defending as a blue teamer. Welcome to Hacked & Secured: Pentest Exploits & Mitigations —the podcast that breaks down real-world pentest findings and exposes critical security flaws before attackers do. Red team tactics – How vulnerabilities are found and exploited.   Blue tea...

Listen to the Hacked & Secured: Pentest Exploits & Mitigations podcast in Replaio

Radio and podcasts in one app - free, with no sign-up. Install today and do not miss the launch

Get it on Google Play

Replaio is not a podcast publisher; show names, artwork and audio belong to their authors and are distributed through public RSS feeds.