
Smart Skills Internship: Penetration Testing Experience

Hybrid Internship | June 2025 - August 2025
Penetration Testing Web Security Internship
Smart Skills Internship

About Smart Skills

Smart Skills is an ANCS-certified audit desk specializing in cybersecurity solutions. The company provides comprehensive technical and organizational audit services, along with professional training programs, to both public and private sector clients internationally and across Tunisia. Their mission is to deliver reliable, stable, and secure solutions to enterprises and administrations.

Visit Smart Skills's official website for more details.

Role Overview

During my internship as a Penetration Tester, I gained hands-on experience in:

  • Conducting black-box and white-box penetration tests
  • Preparing detailed reports with severity ratings (CVSS)
  • Providing remediation recommendations

Critical Vulnerabilities
Remote Code Execution

Identified remote code execution (RCE) vulnerabilities through file upload bypass and Apache Tomcat exploitation.

SQL Injection

Identified SQL injection allowing complete database extraction.

High-Severity Issues
Cross-Site Scripting (XSS) - Multiple Variants
  • Stored XSS with CSRF exploitation chains
  • File upload XSS via SVG and HTML files
  • Session hijacking due to missing HttpOnly flags
Authentication Bypass
  • Two-factor authentication bypass via exposed API keys
  • Weak password policies enabling brute force attacks
  • MD5 hash storage vulnerabilities
Access Control Failures
  • Insecure Direct Object References (IDOR)
  • Privilege escalation vulnerabilities (CVE-2025-32463)
  • Unauthorized access to admin-only resources
Medium-Risk Vulnerabilities
  • Information Disclosure: Exposed debug files, system information, and sensitive configuration data
  • XML-RPC Exposure: Publicly accessible XML-RPC interfaces enabling brute force attacks
  • User Enumeration: Via REST APIs and password reset functionality
  • Spring Boot Actuator Exposure: Heap dumps and HTTP trace endpoints accessible
Low-Risk Issues
  • Outdated WordPress plugins and components
  • Debug mode enabled in production environments
  • Inadequate error handling revealing system details

Impact Assessment

The vulnerabilities discovered posed significant risks to the organizations:

  • Complete system compromise
  • Data exfiltration and manipulation
  • Service disruption
  • Account takeover
  • Privilege escalation
  • Information disclosure
  • User enumeration
  • Session hijacking

Skills Developed

Technical Skills
  • Web application penetration testing
  • Static and dynamic code analysis
  • CVSS scoring and risk assessment
  • Vulnerability research and exploitation
  • Security tool proficiency (Burp Suite, Snyk, SQLmap)
Professional Skills
  • Technical report writing
  • Risk prioritization
  • Remediation planning

Conclusion

My internship at Smart Skills provided invaluable hands-on experience in penetration testing. Working with real-world applications and discovering critical security flaws reinforced the importance of security testing in protecting organizations from cyber threats.

The hybrid work model allowed me to experience both collaborative team environments and independent security research. This internship has significantly strengthened my technical skills and prepared me for a career in cybersecurity.

Note: All vulnerability details have been anonymized and sanitized for confidentiality. The specific applications and organizations tested during this internship remain confidential in accordance with professional ethics and non-disclosure agreements.