Blog

Notes on APIs, automation, and security.

Technical posts on reverse-engineering, security research, automation patterns, and the day-to-day of solo engineering work.

Sort:

10 results

Security ResearchMay 19, 20266 min read
How I got free cinema credit by ordering -2 popcorns
A missing input validation on M-Tix Cinema XXI's food ordering API let me increase my account balance by submitting negative quantities. No tools needed — just a browser.
Automation PatternsMay 19, 20268 min read
CloakBrowser: I tested it against 5 bot detectors — here's what happened
CloakBrowser claims to be a stealth Chromium that passes every bot detection test. I installed it, ran it against reCAPTCHA v3, Cloudflare Turnstile, and FingerprintJS to see if the hype is real.
Indie WorkflowMay 19, 20266 min read
Mole: the open-source CleanMyMac replacement I actually use now
Mole is a single CLI binary that replaces CleanMyMac, AppCleaner, DaisyDisk, and iStat Menus. I tested it on my 256GB MacBook — here's what it found.
Security ResearchMay 18, 20267 min read
How I analyze API security headers in 30 seconds
A quick checklist for reading HTTP response headers and spotting security misconfigurations before you even look at the response body.
Security ResearchMay 18, 20269 min read
Common auth mistakes I find when reverse-engineering APIs
After years of poking at APIs that weren't meant to be poked at, these are the auth patterns that break most often — and why.
API Reverse EngineeringMay 18, 20268 min read
What your JWT tokens reveal about your backend
JWTs are meant to be opaque to users. They're not. Here's what I learn about your architecture just by decoding one.
API Reverse EngineeringMay 18, 20268 min read
5 things I check before trusting an API
Before I integrate with any API — official or reverse-engineered — I run through this checklist to avoid surprises later.
Automation PatternsMay 18, 202610 min read
Automating web3 workflows at scale — a sanitized case study
How I built custom tooling to manage hundreds of wallets, automate on-chain transactions, and run social bots across multiple protocols.
API Reverse EngineeringApr 22, 202612 min read
How I reverse-engineered an HR attendance API in 3 days
A practical walkthrough of the methodology I use when there's no documentation: capturing traffic, mapping endpoints, and validating assumptions before writing a single line of automation.
API Reverse EngineeringApr 8, 20268 min read
Reading the network tab without losing your mind
DevTools shows you everything, which is the problem. Here's how I filter signal from noise when reverse-engineering a web application's API.

← hometools →

Notes on APIs, automation, and security.

How I got free cinema credit by ordering -2 popcorns

CloakBrowser: I tested it against 5 bot detectors — here's what happened

Mole: the open-source CleanMyMac replacement I actually use now

How I analyze API security headers in 30 seconds

Common auth mistakes I find when reverse-engineering APIs

What your JWT tokens reveal about your backend

5 things I check before trusting an API

Automating web3 workflows at scale — a sanitized case study

How I reverse-engineered an HR attendance API in 3 days

Reading the network tab without losing your mind

How I got free cinema credit by ordering -2 popcorns

CloakBrowser: I tested it against 5 bot detectors — here's what happened

Mole: the open-source CleanMyMac replacement I actually use now

How I analyze API security headers in 30 seconds

Common auth mistakes I find when reverse-engineering APIs

What your JWT tokens reveal about your backend

5 things I check before trusting an API

Automating web3 workflows at scale — a sanitized case study

How I reverse-engineered an HR attendance API in 3 days

Reading the network tab without losing your mind