Matías Schiappacasse
Self-taught pentester focused on web application security.
Penetration Tester, Chile
About
Cybersecurity Specialist with experience in web, mobile, and internal network penetration testing. I have led and executed security assessments, as well as participated in security research. I am experienced in various security frameworks and penetration testing methodologies.
Work Experience
- Conducted comprehensive web application and internal network penetration tests leveraging industry-standard methodologies (OWASP, WSTG) to effectively identify, validate, and prioritize security vulnerabilities.
- Analyzed and categorized security findings using established frameworks and scoring systems (CWE, CVSS), facilitating accurate risk assessment and informed decision-making for both technical and business stakeholders.
- Authored and presented detailed technical vulnerability reports with clear, actionable mitigation recommendations, actively supporting teams throughout the remediation lifecycle.
- Led security assessment teams of up to three penetration testers, coordinating task delegation, defining engagement scopes, and ensuring the precise execution of ethical hacking activities.
- Contributed to the security research team by conducting public and private research focused on the identification and in-depth analysis of vulnerabilities across applications, services, and software components.
- Performed penetration testing and ethical hacking engagements targeting web and mobile applications, internal networks, and ad-hoc wireless environments, identifying security weaknesses from a realistic, threat-actor perspective.
- Leveraged industry-standard security methodologies (e.g., OWASP) to uncover technical and business logic vulnerabilities, documenting findings systematically and providing practical, actionable remediation guidance to facilitate risk mitigation by development and security teams.
Certifications
Skills
Projects & Publications
BlackKali Dotfiles
A minimal, old-school hacker aesthetic inspired by Kali Linux 1.x and BlackArch Fluxbox
CVE-2024-55374
REDCap 14.3.13 allows an attacker to enumerate usernames due to an observable discrepancy between login attempts
CVE-2025-34467
ZwiiCMS versions prior to 13.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints due to improper authorization checks combined with flawed resource state management
CVE-2025-57130
An Incorrect Access Control vulnerability in the user management component of ZwiiCMS up to v13.6.07 allows a remote, authenticated attacker to escalate their privileges
CVE-2025-7022
The My Reservation System WordPress plugin through 2.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting vulnerability, which could be used against high-privilege users such as admin
National Cybersecurity Hall of Fame #1
Recognized by the CSIRT for contributing to the responsible disclosure of vulnerabilities
National Cybersecurity Hall of Fame #2
Recognized by the CSIRT for contributing to the responsible disclosure of vulnerabilities
National Cybersecurity Hall of Fame #3
Recognized by the CSIRT for contributing to the responsible disclosure of vulnerabilities