// WEB · MOBILE · IOT · API SECURITY

BLOW UP BAD SECURITY BEFORE THEY DO

KaboomSec is where AppSec, Mobile, IoT, and API security collide. Real research. Real labs. Real consulting. Tinker & find out.

⚡ Web
📱 Mobile
📡 IoT
🔑 API
💾 Firmware
🤖 AI Sec
🏆 TINKER & FIND OUT
📡 FLAG INSIDE
5 ATTACK SURFACES
0+ WRITEUPS
FREE LAB CONTENT
THINGS TO BREAK
// THE FULL STACK

THE ATTACK SURFACE

The modern attack surface is a phone, a router, a cloud API, and a $9 microcontroller running unpatched firmware. We cover all of it.

01
🌐
Web AppSec
OWASP Top 10, business logic, auth bypasses, deserialization, SSRF. The vulns scanners never find.
SQLi · XSS · IDOR · SSRF · XXE
02
📱
Mobile Security
Android & iOS. APK reversing, Frida hooks, cert pinning bypass, deep link hijacking, insecure storage.
Android · iOS · Frida · JADX · ADB
03
📡
IoT & Embedded
If it blinks, it's vulnerable. UART, JTAG, hardcoded creds, weak OTA, cloud backend misconfigs.
UART · JTAG · Binwalk · BLE · Zigbee
04
🔑
API Security
REST, GraphQL, gRPC. Broken object auth, mass assignment, JWT confusion, rate limit bypasses.
REST · GraphQL · JWT · OAuth · BOLA
05
🤖
AI Security
Prompt injection, model extraction, training data poisoning, insecure RAG pipelines, LLM jailbreaks. The new frontier.
Prompt Inj · Jailbreak · RAG · LLM · Poisoning
// THE HUMAN BEHIND THE BOMB
KABOOMSEC
KNOWN FOR:
Unauthorized access to firmware filesystems
Bypassing certificate pinning in broad daylight
Making developers question their life choices
Leaving systems more secure than found
REWARD FOR SECURE CODE
PRICELESS
SSCP · CompTIA+ · ISC2 VP · OSINT · Linux+ · Healthcare · TraceLabs

WHO'S HOLDING THE FUSE?

Security researcher · Educator · ISC2 Chapter VP · Tinkerer

Currently accepting consulting engagements — Pentest · Training · IR Retainer

I'm a cybersecurity professional with a background most people don't have: time as a medical assistant and pharmacy technician before pivoting hard into security. That healthcare lens shapes everything — especially in environments where getting it wrong has real consequences.

Currently VP of the ISC2 Vietnam Chapter, founder of Code Blue Security (healthcare-focused cybersecurity), contributor to Trace Labs OSINT tooling and VM infrastructure, and the person behind OSINTChallenges.com.

15 years of martial arts — 10 teaching — taught me that the best defense comes from understanding the offense. That's the KaboomSec philosophy. Tinker. Break. Learn. Repeat.

💥 Web & API penetration testing
📱 Mobile app security (Android/iOS)
📡 IoT & firmware analysis
🏥 Healthcare cybersecurity
🔍 OSINT & threat intelligence
🎓 Security training & workshops
// NO HAND-WAVY MAGIC

WRITEUPS & RESEARCH

Real breakdowns of real vulnerabilities. The methodology, the rabbit holes, the discoveries.

// BREAK STUFF SAFELY

HANDS-ON LABS

Browser-based. No setup. Real vulnerable environments. Find the flag. Learn the technique.

root@kaboomsec — bash
root@kaboomsec:~$ ls /labs/
jwt-jackpot/ apk-autopsy/ mqtt-mayhem/ ssrf-safari/ firmware-fun/ ???/
root@kaboomsec:~$ cat /labs/???/README
Permission denied. Find the key first.
// This terminal actually works. Try: help, whoami, flag, hint, boom
root@kaboomsec:~$ 
● EASY 💡
JWT Jackpot
Algorithm confusion. Flip RS256 to HS256, forge a token, become admin.
API · JWT · Auth
● EASY 💡
MQTT Mayhem
Subscribe to the wildcard topic. Intercept device commands. Send your own.
IoT · MQTT · Wireless
● MEDIUM 💡
APK Autopsy
Decompile the APK. Find hardcoded API keys. Access the private backend.
Mobile · Android · JADX
● MEDIUM 💡
SSRF Safari
Hunt for SSRF. Pivot to internal services. Reach the metadata endpoint.
Web · SSRF · Cloud
● HARD 💡
Firmware Fun
Download the firmware, extract the filesystem, find the vuln, get RCE.
IoT · Binwalk · RCE
● UNKNOWN
???
Find the key. You will know when you are close.
???
🔒  FIND THE KEY
// CONTROLLED DEMOLITION FOR HIRE

CONSULTING SERVICES

You built something. I'll try to break it — before someone else does.

Web & Mobile Pentest
💥
Full black/grey/white box assessment of web apps and mobile (Android + iOS). OWASP methodology with custom test cases.
Web App · Android · iOS · APIs · Retest Included
IoT Security Assessment
📡
Hardware analysis, firmware extraction & RE, network traffic analysis, cloud backend assessment.
Firmware RE · Hardware · Wireless · Cloud API
Security Training
🎯
Hands-on workshops for dev and security teams. Secure coding, threat modeling, OWASP, custom curriculum.
Dev Teams · Custom Labs · Healthcare Focus
IR Retainer
When something goes boom for real. Triage, forensics, containment, post-incident reporting. Ransomware experience.
Triage · Forensics · Ransomware

LET'S TALK 💣

Tell me what you've built. I'll tell you how I'd break it — and how to fix it before someone else does.

🔒 NDA First: signed before any engagement begins
📋 Clear Scoping: ROE doc before any testing starts
🏥 Healthcare Exp: HIPAA-aware, clinical environments
📄 Real Reports: exec summary + technical + remediation
DON'T MISS THE BOOM 💥

New writeups, lab drops, and field notes from real engagements. No marketing fluff. Just signal.

NO SPAM · UNSUBSCRIBE ANYTIME · flag hidden here