web application security · request smuggling & desync research

Example Name.

I'm J707 — a web app pentester focused on HTTP desync and edge case parser discrepancys. BSCP-certified, bug-bounty background.

raw-socket.py TCP 443
POST /checkout HTTP/1.1
Host: target.example
Content-Length: 6
Transfer-Encoding: chunked
Connection: keep-alive

0

G# front-end reads CL, back-end reads TE — smuggled bytes land in the next request

About

Several years of independent bug bounty work concentrated on web application security, with most of the PortSwigger Web Security Academy labs completed and a Burp Suite Certified Practitioner (BSCP) certification. Currently building toward a corporate/consultancy pentesting role, with a portfolio centered on original desync and parser discrepancy research rather than submission counts.

Tooling

rs_auto

Asyncio HTTP request smuggling scanner targeting novel and edge-case desync vectors excluded from standard tooling, with cross-connection follow-up probes.

python · asyncio

csd2

Analyzes JavaScript for client-side desync (CSD) exploitability signals — low-noise, high-signal, scoped to the target's registrable domain.

python

secret_recon

JS-focused recon and secret-discovery pipeline chaining trufflehog, katana, hakrawler, gau, ffuf, and jsluice with per-host attribution.

python · recon

http1.1

ALPN and keep-alive probing at scale, used to triage large scope lists down to viable CSD/smuggling candidates.

python · cli

Recent writeups

// no writeups published yet — see writeups.html

view all writeups →

Contact

email — james.appsec@gmail.com
githubgithub.com/yourhandle
linkedinlinkedin.com/in/yourhandle