WEB/API SECURITY MOBILE SECURITY APPSEC PRODUCT SECURITY BURP SUITE FRIDA OSCP SECURITY AUTOMATION LABS REPORTING WORKFLOWS
Focus
What I work on
Security disciplines and workflows I spend most of my time on.
Web/API Pentesting
Mobile Application Security
Application Security
Product Security
Security Automation
AI-assisted Security Workflows
Selected work
Featured work
A mix of public projects and sanitized case studies. Public projects link to repositories when available; case studies share only high-level, non-confidential details.
Public project In progress
evidence-sanitizer
Local-first CLI for sanitizing authorized pentest evidence before reports, tickets, notes, PoCs, or internal sharing.
Methodology-first writeups and short technical notes.
Writeup Proving Grounds Practice Medium
SpiderSociety — Proving Grounds
A Proving Grounds Linux walkthrough covering virtual-host discovery, default control-panel credentials, FTP access to application source code, a hidden environment file exposing reusable credentials, SSH access as spidey, and privilege escalation through a writable systemd service with limited passwordless systemctl permissions.
An exposed rConfig instance was taken over through an administrator password reset, then leveraged through an upload-validation bypass to obtain a shell as apache and escalate through a SUID find binary.
A Proving Grounds Linux walkthrough covering ZoneMinder SQL injection, a MySQL file write into the Apache web root, a reverse shell as www-data, and privilege escalation through a MySQL UDF.
Building a Repeatable Lab Notes Workflow for OSCP Preparation
A practical note on organizing private lab practice for OSCP preparation around enumeration, evidence, and lessons that support clearer public writeups.
I'm open to conversations about application security, offensive security, mobile security, security automation, CTFs and labs, and open-source security tooling.