Engineering notes from the trenches.
Reverse-engineering APIs, automation that survives production, security research, and honest takes on the tools I ship with.

The Go team just shipped an official API for pkg.go.dev. Here's what it exposes, how to use it for automation, and why this matters for anyone building tooling around the Go ecosystem.
A missing input validation on M-Tix Cinema XXI's food ordering API let me increase my account balance by submitting negative quantities. No tools needed — just a browser.
Before I integrate with any API — official or reverse-engineered — I run through this checklist to avoid surprises later.
JWTs are meant to be opaque to users. They're not. Here's what I learn about your architecture just by decoding one.
After years of poking at APIs that weren't meant to be poked at, these are the auth patterns that break most often — and why.
A quick checklist for reading HTTP response headers and spotting security misconfigurations before you even look at the response body.