Author Image

Hi, my name is Crystal

Crystal Mercier

whoami

I’m Crystal, a passionate security consultant specializing in web application security. With a keen interest in exploring the vast landscape of Information Technology, my blog is dedicated to delving into various topics that shape the industry. However, my true passion lies in Cyber Security, and I’m excited to share my knowledge and insights with you.

As someone who has benefited greatly from the generosity and expertise of the IT community, I’m committed to paying it forward. My goal is to create a valuable resource that helps others learn and grow in their own journeys. Through this blog, I aim to provide actionable advice, thought-provoking perspectives, and engaging stories that inspire and educate.

Whether you’re a seasoned professional or just starting out, I hope you’ll find my blog posts informative, insightful, and useful. Thank you for visiting, and I look forward to connecting with you on this journey of discovery and growth in the world of IT and Cyber Security!

CompTIA Security+
eJPT
Mitre
ISC2 Candidate
API Penetration Testing
OWASP API Security Top 10

Skills

Experiences

1
NetSPI

April 2024 - Present

Remote

NetSPI is the proactive security solution used to identify, protect, detect, and respond to security vulnerabilities of the highest importance, so businesses can protect what matters most.

Security Consultant II

April 2024 - Present

Responsibilities:
  • Conduct comprehensive web application penetration tests to identify and address vulnerabilities, ensuring robust security for clients.
  • Deliver actionable penetration test reports, providing detailed insights for security enhancement and remediation strategies.
  • Collaborate with clients to develop effective security roadmaps, improving their overall security posture.
  • Perform thorough reviews of AWS/Cloud Infrastructure, identifying potential security risks and recommending mitigation measures.
NetSPI

March 2023 - April 2024

Remote

Security Consultant

March 2023 - April 2024

Responsibilities:
  • Led comprehensive web application penetration tests, identifying and addressing vulnerabilities to safeguard clients’ assets.
  • Created and delivered detailed penetration test reports, offering actionable insights for security enhancement and remediation strategies.
  • Collaborated with clients to develop effective security roadmaps, improving their overall security posture.
  • Conducted thorough reviews of AWS/Cloud Infrastructure, identifying potential security risks and recommending mitigation measures.
2
3
NetSPI

September 2022 - March 2023

Remote

NetSPI secures the most trusted brands on Earth, including nine of the top 10 U.S. banks, four of the top five leading cloud providers, four of the five largest healthcare companies, and many of the Fortune 500.

Associate Security Consultant

September 2022 - March 2023

Responsibilities:
  • Assisted in web application penetration tests, contributing to the identification and remediation of security vulnerabilities.
  • Created and delivered detailed penetration test reports, providing clients with valuable insights into their security posture.

Education
INE Security
September 24, 2023
eJPT - Junior Penetration Tester
CompTIA
July 30, 2020
CompTIA Security+ Certified
RMIT University
August 2017
Bachelor in Information Technology
Taken Courses:
  • Security in Computing and Information Technology
  • Digital Business Security and Risk Management
  • Unix Systems Administration and Programming (Linux)
  • Web Servers and Web Technology
  • Advanced Programming Techniques
  • Web Programming
  • Building IT Systems
Extracurricular Activities:
  • MATES at RMIT Mentor

Recent Posts

Hero Image
Assessing Large Language Model (LLM) Vulnerabilities

In the landscape of technology advancement, Large Language Models (LLMs) stand as pivotal players, transforming our digital interactions. However, alongside their remarkable capabilities, there exists a critical need to acknowledge and address their vulnerabilities to ensure robust security measures. In this discourse, we embark on an exploration of the top vulnerabilities inherent in LLMs, providing actionable insights for detection and mitigation strategies. Mapping LLM API Attack Surface Understanding the API access of an LLM serves as a fundamental step in identifying potential vulnerabilities.
Friday, May 3, 2024 Read
Hero Image
Installing and running llama3 locally

I recently decided to install and run LLaMA 3, a popular AI model for generating human-like text, on my local machine. As someone who’s interested in exploring the capabilities and security of AI, I wanted to experience firsthand how this technology can be used. Installation The installation process was surprisingly straightforward when using ollama. And it has support for Windows, Linux, and macOS. So first visit https://ollama.com/ and select Download. This just brings us to a page to select the operating system we will be using for the instal.
Sunday, April 28, 2024 Read
Hero Image
Bug Bounty: Path Traversal in Snap Creek Duplicator plugin before 1.3.28 for WordPress

The Vulnerability The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init. Intro Early in my bug bounty journey, I picked a few programs from different platforms to learn how they work and respond to reports and to ultimately decide which platform I would choose to stick to. Knowing that WordPress plugins were often forgotten to update and a good place to find vulnerabilities I focused on finding WordPress vulnerabilities in the wild.
Wednesday, June 15, 2022 Read
Show More

Projects and Hobbies

TryHackMe Write-Ups
TryHackMe Write-Ups
Owner July 2021 - Present

Authored comprehensive write-ups for various hacktivities on tryhackme.com, demonstrating my expertise in penetration testing and vulnerability identification.

Write-up TryHackMe
Star
HackTheBox Write-Ups
HackTheBox Write-Ups
Owner July 2021 - Present

Curated a collection of detailed write-ups for hackthebox.com, showcasing my skills in exploiting vulnerabilties and developing effective penetration testing strategies.

Write-up HackTheBox
Star
BugCrowd
BugCrowd
Bug Bounty Hunter Feb 2022 - September 2022

My profile page on BugCrowd. Currently with 100% accuracy on 9 vulnerability submissions and the highest submission being of Priority P2 ranking.

Bug Bounty BugCrowd
Details
HackerOne
HackerOne
Bug Bounty Hunter Feb 2022 - September 2022

Contributed to private programs, resolving reports with teams that don’t pay bounties and achieving two consecutive resolved reports.

Bug Bounty HackerOne
Details

Accomplishments

eJPT - Junior Penetration Tester Certification
INE Security September 2023

View Certificate
Web Fundamentals Learning Path
TryHackMe October 2021

View Certificate
Jr Penetration Tester Learning Path
TryHackMe October 2021

View Certificate
Practical Ethical Hacking - The Complete Course
TCM Security May 2021

View Certificate