Client-Side Path Traversal, Ekoparty Takeaways, and AI-Driven Attack Trends
This month, we break down how Client-Side Path Traversal resurrects CSRF in modern header-based auth environments. Plus, we share our participation as sponsors at Ekoparty 2025 and highlight key offensive security trends emerging from AI-powered systems.
📝 Latest from Our Blog:
Client-Side Path Traversal: Exploiting CSRF in Header-based auth scenarios
Lucas Cebrero explains CSPT and how it resurrects CSRF risks in header-based auth scenarios. By manipulating client-side routing and path segments, attackers can force authenticated requests to unintended API endpoints. The article includes a hands-on lab, exploit payloads, and practical mitigations for both frontend and backend.
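To make the mechanism concrete, here is an added illustration (not code from Lucas Cebrero's article or the Kulkan lab) of how a single-page app that splices a path segment into an API URL lets dot-segments redirect an Authorization-bearing request, next to a hardened builder that pins the segment to an identifier. The origin, routes and identifier format are constructed assumptions.

```javascript
// Added example (not from the original post): client-side path traversal in an
// SPA that builds API URLs from a path segment, and a hardened version.
const ORIGIN = 'https://app.example.test'; // constructed, hypothetical origin

// Vulnerable: the segment is concatenated raw. The URL parser resolves '..',
// so a segment like '../../admin/disable-mfa' escapes /api/users/ entirely,
// and the app's fetch layer attaches its bearer token to whatever endpoint
// results. That is the CSRF-like effect the article describes.
function vulnerableApiUrl(userId) {
  return new URL('/api/users/' + userId + '/profile', ORIGIN).href;
}

// Hardened: accept only a plain identifier and percent-encode it, so the
// request can only ever target /api/users/<id>/profile.
const ID_RE = /^[A-Za-z0-9_-]{1,64}$/; // assumed identifier format
function safeApiUrl(userId) {
  if (!ID_RE.test(userId)) {
    throw new Error('invalid user id');
  }
  return new URL('/api/users/' + encodeURIComponent(userId) + '/profile', ORIGIN).href;
}

// Header-based auth model: the token rides on every request the app builds,
// which is why the path itself has to be trustworthy.
function buildRequest(url, token) {
  return { url, headers: { Authorization: 'Bearer ' + token } };
}

// Convenience check used by the hardened path: true when the resolved URL
// stays under the intended API prefix.
function staysUnderPrefix(url, prefix) {
  return new URL(url).pathname.startsWith(prefix);
}
```

Backend mitigation belongs alongside this: rejecting unexpected paths and requiring an explicit, non-ambient credential does not depend on the frontend getting the URL right.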
🗓️ Key Industry Events:
Kulkan took part in Ekoparty 2025 as an official sponsor, reinforcing our commitment to the offensive security community in Latin America. Throughout the event, our team discussed real-world security challenges and the growing need for attacker-led assessments that keep pace with evolving threats.
We were also present at EkoJobs, connecting with skilled professionals and inviting candidates to take on a technical challenge designed by our pentesters. Identifying and developing top talent remains key to delivering the high-impact testing our clients rely on.

At Kulkan, we continue helping organizations understand their risks, protect their systems and scale with confidence across the region.
💡 Security Highlights:
A selection of articles covering attack and methodology trends in offensive security and penetration testing:
Image downscaling: the attack vector many security teams are missing
Organizations increasingly rely on image uploads across multiple systems. But do security controls effectively validate what LLMs actually receive after image transformation?
Are you deploying AI faster than you can secure it?
Shadow AI environments and unassessed integrations introduce vulnerabilities and attack paths that adversaries may exploit (before security teams even know they exist).
Ready to strengthen your security posture?
If you’re planning upcoming penetration testing initiatives, let’s start the conversation and explore how our attacker-led approach can help secure your business and support its growth.