
@artefhack

Kilian MURPHY

Web & API Penetration Tester

Not CTFs. Not labs. Production. Offensive security analyst focused on real-world Web & API systems. Multiple critical vulnerabilities (CVSS ≥ 9) validated in authorized production environments. Authentication bypass chains. Unauthenticated API access. Business logic flaws leading to account takeover and unauthorized execution. Every finding is reproducible, impact-driven, with exploit evidence and remediation guidance.

Profile

Offensive security driven by evidence, not automation.

Web & API Security

Manual testing of authentication, authorization, session management, and business logic vulnerabilities across web applications and REST APIs.

Attack Chain Validation

Chained vulnerabilities into reproducible exploit paths leading to account takeover, unauthorized actions, and business impact.

Offensive Tooling

Built 12+ offensive AppSec tools focused on real-world web, API, and infrastructure security testing, covering reconnaissance, authentication abuse, secrets discovery, and attack path analysis.

Reporting & Remediation

Delivered CVSS-based findings with exploit validation, reproduction steps, remediation guidance, and fix verification.

Blockchain Security

Security reviews of Solana and Ethereum smart contracts focused on logic flaws, state validation issues, and exploitability analysis.

Research & Training

PortSwigger Web Security Academy · INE eJPT (In Progress) · Security+ (In Progress)

Skills

The technical stack

Web & API Security

  • SQLi
  • XSS
  • IDOR
  • SSRF
  • JWT Security
  • CORS Misconfigurations
  • Broken Access Control

Tooling

  • Burp Suite
  • Nmap
  • FFUF
  • Nessus
  • Wireshark
  • Docker

Systems

  • Linux
  • Windows
  • TCP/IP
  • Network Enumeration
  • Asset Discovery

Methodology

  • OWASP Testing Guide
  • OWASP API Security Top 10
  • MITRE ATT&CK
  • CVSS

Experience

In the field

Production security testing across Web, API and blockchain environments.

INE · CompTIA

Certifications

  • eJPT — In Progress [Expected Q3 2026]
  • Security+ — In Progress [Expected Q3 2026]
  • eWPT — Planned

Cyber Experts · Internship · Paris, France

Offensive Security Analyst

Web & API Penetration Testing

Security assessments across production and pre-production environments targeting authentication, authorization, session management, and business-critical workflows.

JEDHA · Paris

Secure Infrastructure Administrator

Training focused on offensive security, Active Directory, network security, Linux/Windows administration, and security operations.

Saint Laurent · JYSK · Jo Malone London · Geneva, Switzerland

Operations & EMEA Logistics Management

10 years managing multi-site operational environments across luxury retail and consumer goods in EMEA markets.

Aix-Marseille University

BTS Management

Business management fundamentals, operations, and organizational management.

Projects

What I build

Main projects

XSS Payloads Platform

Browser-based XSS payload generation and analysis platform for security testing workflows.

Provides context-aware payload engineering, encoding pipelines, and WAF bypass techniques.

Rust · WebAssembly · Next.js 15 · TypeScript

Client-side Rust/WASM XSS Research

Shellcodes Builder

Browser-based shellcode generation platform for Linux and Windows (x86/x64).

Includes encoding pipeline, bad character handling, multi-format export for exploit development workflows.

Rust · WebAssembly · Next.js 15 · TypeScript

Client-side Rust/WASM Security Tool
shellcodes.app ↗ Live demo

Reverse Shell Builder

Browser-based reverse shell generation tool supporting multiple languages and payload types.

Includes shell stabilization workflows and execution-ready payload generation for real-world exploitation scenarios.

Rust · WebAssembly · Next.js 15 · TypeScript

Client-side Rust/WASM Payloads

JWT offensive workbench

Browser-based tool to decode, analyze, attack, and forge JWTs.

Brute-force HMAC secrets, escalate privileges, run algorithm confusion and injection attacks with one click. No backend, no requests sent anywhere.

Rust · WebAssembly · Leptos · Tailwind

Client-side Rust/WASM JWT Security
jwttool.com ↗ Live demo

Offensive tooling

Tooling overview

ReconPulse
High-performance TCP reconnaissance.
Recon TCP

ATLAS
Attack path mapping from reconnaissance data.
Attack Paths Mapping

VulnForge
Dependency vulnerability scanning with OSV.dev.
CVE Scanning Dependencies

VaultSentry
Secrets detection across codebases and Git history.
Secrets Git Analysis

AuthRecon
Linux credential and sensitive artifact discovery.
Credential Audit Linux

BeaconForge
MITRE-aligned offensive workflow simulation.
MITRE Simulation

All tools on GitHub

All offensive tools are open source and available on GitHub — more are added as they reach a shareable state.

github.com/Kiliankm19 ↗

Writeups

Research notes and technical writeups, coming soon.

This space will host practical notes on Web/API security, offensive tooling, and vulnerability research once the first articles are ready to publish.

First writeups in progress

HackTheBox
PortSwigger Web Security Academy
Security research.

HackTheBox PortSwigger Research Notes

Planned topics

Web & API attack chains · XSS payload engineering
Shellcode tooling · Reconnaissance workflows
Smart contract security notes

Methodology Sanitized Actionable

Contact

Get in touch

Focused on Web & API penetration testing, attack chain validation, and offensive security research.

Available for offensive security and AppSec roles in Amsterdam and across the Netherlands.

Start a conversation

  • Email: kilian.murphy1@gmail.com
  • LinkedIn: linkedin.com/in/kilianmurphy
  • GitHub: Kiliankm19
  • Location: Geneva, relocating to Amsterdam