Dashboard
Consultation requests
Agreements
My checklist — what I test for
Exposed secrets / API keys in client code
Missing database rules (Supabase RLS, Firebase rules)
Broken access control / IDOR
Front-door-only auth (open backend API)
No rate limiting on forms
Injection & XSS
Leaky errors / stack traces
CORS & security headers
Outdated / vulnerable dependencies
Business-logic gaps
My tools
Burp Suite / Caido / OWASP ZAP (proxy)
nuclei (template scanner)
ffuf / feroxbuster (content discovery)
trufflehog / gitleaks (secret scan)
sqlmap (authorized SQLi)
Browser DevTools (network + JS bundle)
retire.js (outdated libs)
PortSwigger Academy (learning)