Skip to content
View m2hcz's full-sized avatar

Block or report m2hcz

Block user

Prevent this user from interacting with your repositories and sending you notifications. Learn more about blocking users.

You must be logged in to block users.

Maximum 250 characters. Please don’t include any personal information such as legal names or email addresses. Markdown is supported. This note will only be visible to you.
Report abuse

Contact GitHub support about this user’s behavior. Learn more about reporting abuse.

Report abuse
m2hcz/README.md

> About

Offensive security research: finding out what an attacker can actually do, and proving it safely enough that engineers trust the fix.

Scanner output dressed up as a finding doesn't count. A result is only done when it's reproducible, scoped, and actionable for the team that has to remediate it.

> Focus, 2026

Area In practice
Identity & auth OAuth/OIDC edge cases, missing state/nonce binding, callback trust, session & account fixation
Web & local apps CSRF against local management UIs, IDOR, access-control failures, request smuggling, SSRF
Cloud & IAM Workload identity boundaries, IAM misconfiguration chains, metadata-service pivots, secret exposure
Supply chain CI/CD runner isolation, GitHub Actions hardening, dependency confusion, artifact/build-cache poisoning
AI tooling Connector trust boundaries, agent workflow abuse, review-payload exposure in AI-assisted pipelines

> Toolbelt

Languages
languages

Infra & Platforms
infra

Workflow
burp suite mitmproxy frida ghidra semgrep nuclei playwright

> Methodology

scope check -> recon -> candidate finding -> reproduce locally
            -> validate exploitability -> calibrate impact
            -> report for engineers -> retest on fix

Three rules that don't change per engagement:

  1. Scope is a hard boundary, not a suggestion — testing stays inside explicit authorization.
  2. Reproduce before reporting — scanner output and exploitable behavior are not the same thing.
  3. Prove impact without causing it — controlled PoCs, local fake services, non-destructive payloads.
Two engagement types, side by side

External — bug bounty / disclosure recon → scope check → exploitability validation → impact calibration → report → triage response → retest

Internal — repo / architecture review threat model → source–sink mapping → auth boundary review → dynamic validation → minimal PoC → report-ready evidence

> Selected Work

  • CVE-2026-28740
  • CVE-2026-54094

> GitHub Activity

github stats top languages
github streak

> Contact

m2hczs@proton.me

For security reports: scope, affected asset, reproduction steps, impact, remediation context. No scope, no read.


responsible disclosure authorized testing only evidence over noise

footer

Pinned Loading

  1. reconmapper-v2.0 reconmapper-v2.0 Public

    > 🛰️ Async web recon tool that crawls and maps directories, parameters, inputs, and APIs — powered by Playwright & Python.

    Python 6 1

  2. ParamHunter-Pro ParamHunter-Pro Public

    ParamHunter Pro v6.9 - Advanced web application parameter discovery & security scanner with built-in crawler, SQLi/XSS fuzzer, and external tool integration (subfinder, nuclei, sqlmap). Async Pytho…

    Python 1

  3. PoC-for-Next.js-Middleware PoC-for-Next.js-Middleware Public

    > 🔓 Proof-of-Concept for a fictional Next.js middleware bypass (CVE-2025-29927) — craft sub-requests to test protected routes.

    Python 1

  4. Sqli-Automaticly-Scanner Sqli-Automaticly-Scanner Public

    Discovers same-origin links/forms and probes common web vulnerabilities with fast, lightweight heuristics — easy to audit and CI-friendly

    JavaScript

  5. CVE-2025-6440-Poc-Exploit CVE-2025-6440-Poc-Exploit Public

    Python 1 2

  6. pathward pathward Public

    Defensive Python library against path traversal, symlink escape, Zip Slip, and TOCTOU

    Python