About

About Me

I’m Tran Khanh Duy, an independent application security researcher focused on web applications, APIs, and WordPress plugin security.

My work combines source-code review, manual testing, patch-diff analysis, and controlled runtime validation. I am especially interested in vulnerabilities where trust is misplaced across authentication, authorization, persistence, and rendering boundaries.

Current focus areas include:

Broken access control and IDOR
Authentication and session-management flaws
Privilege escalation
Stored cross-site scripting
Webhook authenticity and trust-boundary failures
Unsafe file operations
Business-logic vulnerabilities
Security testing automation

I approach research with a simple rule: prove reachability, prove impact, and document only what the evidence supports.

Research Workflow

My usual workflow is:

Confirm the target is in scope and identify the latest relevant version.
Review source code, recent patches, and exposed attack surfaces.
Trace attacker-controlled data across trust boundaries.
Validate actor requirements, authorization checks, persistence, and impact.
Reproduce the issue in an isolated local lab.
Collect minimal, repeatable evidence.
Submit through coordinated disclosure or an authorized bug-bounty program.

I prioritize findings with clear security impact over code patterns that only appear dangerous in isolation.

Skills and Tooling

Web and API penetration testing
WordPress plugin source-code review
PHP and JavaScript analysis
Burp Suite and manual HTTP testing
Python and Bash automation
Docker-based WordPress labs
Git, SVN, and patch-diff analysis
Linux security workflows
Vulnerability reporting and coordinated disclosure

Training

Profiles and Contact

GitHub
TryHackMe
LinkedIn
Email: duyytrann22@gmail.com

All research published on this site is conducted in authorized environments, local labs, or public vulnerability-disclosure programs.

Validate carefully. Report honestly. Disclose responsibly.