Posts

Showing posts from May, 2025

CARTP Course & Exam Review

Certified Azure Red Team Professional (CARTP) Course & Exam Review

In this blog post, I will write down my thoughts about both the course and the exam to obtain the Certified Azure Red Team Professional (CARTP) certification. Even though I don't usually write about the certifications I obtain, this time I will make an exception to thank Nikhil Mittal.

The Course Material

The course material provided by the Altered Security team consists of:

The Course Videos

The course videos are the main resource if you take the self-paced version of the course. These videos cover both the theory and the learning objectives, which you can see as the practical section of the course.

The Walkthrough Videos

The walkthrough videos are a resource that I did not use, but I see why they exist and how a learner can rely on them to review their steps and understand what they are doing wrong.

The Lab Manual

In short, this is a well-written PDF where a learner can find the commands used to solve the Learni...

From SAST to CVE-2025-46337

From SAST to CVE-2025-46337

From the start of my career in cybersecurity, I have always worked as a black-box pentester. Since I believe that learning new topics is always a good use of my time and that I should increase my knowledge of white-box pen testing, I decided to explore the Static Analysis Security Testing (SAST) topic.

I started my journey into SAST using the well-known tool SonarQube. To practice with the tool and to become familiar with the GUI and the mechanisms behind it, I decided to analyze the code of a few known projects. I chose two projects to analyze. The first one is "Moodle", a very well-known open-source project whose main purpose is to create websites for universities. The second is VtigerCRM, a familiar project in which I discovered several CVEs last summer.

I ran the SAST first against the source code of Moodle and then against the source code of VtigerCRM. Surprisingly, SonarQube found an SQL injection in both projects! Since the sou...