Engineering notes from the trenches.
Reverse-engineering APIs, automation that survives production, security research, and honest takes on the tools I ship with.

Playwright's request context goes far beyond replacing Postman — it's a programmable, scalable tool for API security testing, auth token replay, schema validation, and multi-step attack simulation. Here's how a pentester uses it.
A critical vulnerability in phpMyFAQ allows unauthenticated password resets by simply knowing a username and email, leading to full account takeover without any token validation.
A critical RCE vulnerability in PenPot's MCP module exposed instances to trivial code execution due to binding to all interfaces and an unauthenticated /execute endpoint. Learn what happened, why it matters, and how to secure your systems.
Before I integrate with any API — official or reverse-engineered — I run through this checklist to avoid surprises later.
JWTs are meant to be opaque to users. They're not. Here's what I learn about your architecture just by decoding one.
After years of poking at APIs that weren't meant to be poked at, these are the auth patterns that break most often — and why.
A quick checklist for reading HTTP response headers and spotting security misconfigurations before you even look at the response body.