About

// who writes · what is researched · where to find


Web AppSec Engineer

Web application security engineer.
Researcher who explores vulnerabilities in a controlled, educational setting.

Offensive Security · Identity Security · Secure SDLC · Bug Hunter

The Blog's Purpose

This blog was born out of a simple need: documenting what is worth remembering. Web application security is a vast, constantly shifting discipline. Vulnerabilities evolve, frameworks change, attack surfaces expand — and accumulated knowledge without documentation is knowledge lost.

Here you'll find real technical notes, reproducible labs, CVE analyses, CTF write-ups, and reflections on secure development. No generic content produced for volume. Every post exists because it was useful enough to deserve being written down.

The Egyptian aesthetic is not random decoration — it's a deliberate metaphor. Egyptian scribes were the first engineers of structured knowledge. Every hieroglyph was a protocol. Every papyrus, documentation of a system. The idea is the same: build with precision, record with rigor.

Research Areas


Web Vulnerabilities

XSS, SQLi, SSRF, XXE, IDOR, deserialization, race conditions, and everything the OWASP Top 10 can't fully capture.


Authentication & Authorization

OAuth 2.0, JWT, OIDC, broken access control, privilege escalation, and identity flow flaws that open doors for attackers.


Secure Development

SAST, DAST, threat modeling, security-focused code review, and integrating secure practices into the development cycle.


DevSecOps

Shifting security left: CI/CD pipeline hardening, secrets management, container security, and integrating automated scanning into the software delivery lifecycle.

Philosophy

"Security is not a product, but a process." — Bruce Schneier

Security is not a checkbox to tick or a report to deliver. It is a continuous engineering discipline — one that demands deep understanding of the attacker, the system, and the context in which it operates.

The best defender understands how to attack. The best researcher knows how to build. This blog exists at that intersection: offensive enough to understand the threat, defensive enough to neutralize it.

Contact

Post suggestions, technical corrections, vulnerability discussions, or research collaborations are all welcome.
