Masaaki Stephane
Fullstack Web & Mobile App Developer
Ethical Hacker
Hey there!
I'm Masaaki Stephane — Fullstack Web & Mobile Developer, Ethical Hacker & Bug Bounty Hunter.
With 7+ years of experience building complex web and mobile applications, I deliver full-stack solutions with clean architecture and a deep respect for client privacy. Alongside development, I actively hunt security vulnerabilities as an ethical hacker and bug bounty hunter.
ACHIEVEMENTS
7 Years In The Industry
It started in 2019 with HTML and CSS — building clean, pixel-perfect interfaces and learning the fundamentals of the web. By early 2020, vanilla JavaScript entered the picture and everything changed. Making things interactive, dynamic, alive — I was hooked.
That curiosity drove me deeper. Frameworks, libraries, backends — React, Bootstrap, jQuery, Node.js, PHP — I absorbed everything the stack had to offer. Then came mobile development. Building cross-platform apps with React Native opened a completely different world: different constraints, different UX thinking, different architecture. I loved every second of it.
As I started delivering production-grade fullstack applications, I began asking harder questions: how secure is this? What could an attacker do with this endpoint? That mindset shift led me to offensive security. In 2024, I made a deliberate move into red teaming and penetration testing — earning the CRTP certification in 2025 through a gruelling 24-hour hands-on exam. Since then I have never stopped: daily practice on web application pentesting, active bug bounty hunting and CTF competitions keep my skills sharp and current.
Today I operate at the intersection of development and security. I don't just build applications — I understand how they can be compromised, which means I build them differently. Most developers ship features. I ship features that hold up under attack.
7+ Years · 20+ Vulns Discovered · 60+ Projects · 15+ Countries
I hold the Certified Red Team Professional (CRTP), an internationally accredited offensive security certification widely regarded as one of the most challenging Red Team exams available globally. The certification is validated through a 24-hour practical examination requiring the full compromise of a live enterprise AD network — a benchmark aligned with industry-level Red Team and adversary simulation standards.
Technologies I Use
Skills I have collected.
SERVICES
What I Can Do For You.
From mobile and web development to advanced security testing — I cover the full stack.
01
Android & iOS Development
Custom mobile applications for Android and iOS built with React Native — clean UI, solid architecture, production-ready.
02
Corporate Website
Professional corporate websites with a strong digital identity — performant, SEO-optimised and tailored to your brand.
03
Advanced Web Application
Complex fullstack web apps with authentication, real-time features, REST APIs and scalable backends using Node.js or PHP.
04
Admin Panels & Dashboards
Custom back-office management systems and analytics dashboards — role-based access, data tables, charts and full CRUD.
05
Penetration Testing — Web & Mobile
Manual black-box and grey-box penetration testing of web and mobile applications. I go beyond automated scanners — hunting complex, logic-level vulnerabilities that require a human attacker to find.
HTTP Request Smuggling · Cookie Theft & Session Hijacking · Race Conditions · Auth Bypass & Broken Authentication · SQL & NoSQL Injection · SSRF · XXE · SSTI · Insecure Deserialization · IDOR · CORS Misconfigurations · JWT Attacks · OAuth Flaws · Business Logic Vulnerabilities · Host Header Injection · Cache Poisoning · Prototype Pollution · DOM-Based XSS · CSRF · Clickjacking
06
Red Team AD Engagement
Full adversary simulation inside your enterprise Active Directory environment. I operate as a real threat actor — mapping the network, finding misconfigurations, escalating privileges, moving laterally and reaching domain admin. Covers Kerberoasting, AS-REP Roasting, weak ACLs, unconstrained delegation and DCSync paths. Delivered with a complete written report and remediation roadmap.
Bug Bounty & Pentest
Require a Full Pentest on Your Product?
Web apps, mobile apps — I go beyond scanners and hunt logic-level vulnerabilities as a real attacker would.
LATEST ARTICLES
From The Blog.
Writeups on ethical hacking, red teaming, bug bounty hunting and web development.
Blog articles are written in English — cybersecurity content is best understood in the industry's working language.
Burp Suite Advanced Guide — Proxy, Intruder, Collaborator & Extensions
Complete toolkit walkthrough: Repeater workflows, Intruder attack types, Collaborator OOB detection, and essential extensions for every pentest.
Exploitation
Server-Side Attacks: Nmap Service Detection, Rapid7 & Metasploit
Port version detection, CVE research with Rapid7, exploiting vsftpd, Samba, EternalBlue and Tomcat, then Meterpreter post-exploitation and pivoting.
Wireless
WPA and WPA2 Cracking: WPS Vulnerabilities & Handshake Attacks
Exploiting WPS PIN design flaws, capturing 4-way handshakes via deauth, and offline dictionary attacks with Aircrack-ng and Hashcat.
Network
Man-in-the-Middle Attacks: ARP Poisoning & Traffic Interception
ARP spoofing with Bettercap, DNS poisoning, SSL stripping, and live injection of code into unencrypted HTTP responses.
Authentication
JWT Attacks: Algorithm Confusion, Header Injection & Key Forging
RS256→HS256 confusion, alg:none bypass, JWK/JKU header injection, kid path traversal and SQL injection to forge arbitrary tokens.
API Security
API & GraphQL Pentest: IDOR, Mass Assignment & Introspection Bypass
Hidden endpoint discovery, mass assignment to escalate roles, BOLA/BFLA exploitation, GraphQL introspection bypass, and query batching for rate limit abuse.
Caching
Web Cache Poisoning & Deception: Unkeyed Headers & Path Confusion
Poisoning via unkeyed X-Forwarded-Host, fat GET injection, parameter cloaking, and cache deception through path suffix and delimiter confusion.
Injection
SQL & NoSQL Injection: Blind, OOB, Second-Order & MongoDB Attacks
Boolean and time-based blind extraction, out-of-band DNS exfiltration, second-order injection, and MongoDB operator/JS/projection attacks.
Advanced
HTTP Host Header & Request Smuggling: Desync, Capture & ACL Bypass
Password reset poisoning, CL.TE and TE.CL desync, bypassing front-end access controls, capturing victim session tokens, and HTTP/2 desync attacks.
Internet Safety
Internet Safety for Everyone — How to Stay Safe Online Without Being a Tech Expert
Strong passwords, Instagram account security, phishing recognition, 2FA, public Wi-Fi risks, VPNs, backups, and what to do if you get hacked — in plain language.
CONTACT
Let’s get in touch.
Have a project in mind or want to collaborate? Send me a message — I’ll get back to you within 24 hours.