Available for Security Engagements

Dhira Wahyu Febrian


Breaking things to make them secure. Specializing in web & mobile application security, API vulnerability research, and exploit chaining across bug bounty programs.

Bug Bounty Since: 2024
Top 27 · VVIP Program BSSN
Testing Methodology: OWASP WSTG
Pentesting: Web & Mobile
Testing: API Security
Dynamic Analysis: Android
About Me

Security Professional

Offensive Security Engineer

I'm an offensive security practitioner specializing in web and mobile application penetration testing. My approach is rooted in the OWASP WSTG methodology, covering everything from information gathering and authentication testing to business logic flaws and client-side validation.

Active in bug bounty programs since 2024, I focus on authorization flaws, XSS filter bypass, API security, and exploit chaining. I've contributed findings to both government and private programs through platforms like YesWeHack.

As a former Red Team Security Engineer Intern at SysBraykr, I gained hands-on experience in web application penetration testing, vulnerability analysis, evidence collection, and professional security report writing.

Active Since: 2024 · Methodology: WSTG · Specialization: Web/API

Experience Timeline

2024 — Present · Work

Bug Bounty Researcher

Independent

Active bug bounty researcher focusing on web application security, API security, mobile security, authorization flaws, XSS filter bypass, and exploit chaining.

  • Active in bug bounty since 2024
  • Focused on web, API, and mobile application security
  • Uses OWASP WSTG methodology during testing
  • Experienced in vulnerability validation and report writing
2025 — 2026 · Work

Red Team Security Engineer Intern

SysBraykr

Worked as a Red Team Security Engineer Intern, performing web application security testing using OWASP WSTG methodology.

  • Conducted web application penetration testing
  • Used OWASP WSTG as the main testing methodology
  • Performed information gathering, authentication testing, session testing, input validation testing, business logic testing, and client-side testing
  • Assisted in vulnerability analysis, evidence collection, and security report writing
2021 — 2025 · Education

Informatics Student

University

Studied Informatics with a focus on cybersecurity, networking, software development, and data analysis.

  • Cybersecurity and network security learning path
  • Software development and database fundamentals
  • Data analysis training experience
  • Academic and research-based projects
Arsenal

Skills & Technologies

Tools and techniques in my offensive security toolkit

🌐

Web Pentesting

Burp Suite 95%
OWASP WSTG 93%
SQL Injection 90%
XSS Exploitation 92%
SSRF 85%
CSRF 82%
IDOR / BOLA 94%
📱

Mobile Pentesting

Frida 72%
Android Studio 68%
ReFlutter 60%
APK Decompilation 70%
SSL Pinning Bypass 74%
Dynamic Analysis 70%
🔗

API Security

REST API Testing 93%
GraphQL Security 90%
JWT Exploitation 86%
OAuth Attacks 78%
API Fuzzing 82%
🎯

Bug Bounty

Recon & OSINT 92%
Exploit Chaining 90%
Report Writing 93%
Vulnerability Research 88%
🛜

Networking

Nmap 78%
Wireshark 65%
TCP/IP 72%
DNS Security 68%
💻

Programming

Python 72%
JavaScript 68%
TypeScript 60%
Bash 75%
Flask 66%
🛠️

Tools

FFUF 88%
Dirsearch 90%
SQLMap 92%
Nuclei 86%
Metasploit 76%
Burp Suite 95%
Credentials

Certifications & Achievements

Professional certifications, training credentials, and academic achievements

★ Featured · Cybersecurity

Certificate of Appreciation — XSS Reflected Finding

Dinas Kominfo Bali · 2026

Awarded for responsibly disclosing a Reflected XSS vulnerability on the Bali Satu Data government platform through the official bug bounty program.

Tags: Bug Bounty, XSS

Networking

Computer Network Practicum Assistant

University · 2023–2024

Served as a practicum assistant for the Computer Network course, guiding students through networking fundamentals, configuration labs, and troubleshooting exercises.

Tags: Networking, Teaching

Training

Data Analyst Training 2024

Training Program · 2024

Completed a professional data analyst training program covering data collection, analysis methodologies, visualization techniques, and reporting.

Tags: Data Analysis, Training
Bug Bounty

Vulnerability Discoveries

Selected findings from bug bounty programs and security assessments

HIGH · Resolved · 2025-12

Reflected XSS Filter Bypass — Government Portal

Government Data Portal · Public Program

Bypassed a blacklist-based XSS filter using String.fromCharCode obfuscation to achieve JavaScript execution in the application's origin context.

Tags: XSS, Filter Bypass, Government
Hall of Fame

HIGH · Resolved · 2026-05

GraphQL Authorization Chain — Financial Platform

Financial Platform · Private Program

Chained enabled GraphQL introspection, IDOR, and alias batching to access cross-tenant customer data and admin-only resolvers.

Tags: GraphQL, IDOR, Authorization
Bounty Awarded

Coming Soon (two further findings)

Details will be published after responsible disclosure review.

Security Research

Case Studies

Detailed technical case studies of vulnerability discoveries and exploitation techniques

Web Security · HIGH · Resolved · Government Bug Bounty

Reflected XSS Filter Bypass via Search Parameter

A reflected XSS vulnerability was found in the search parameter of a government data portal. Common XSS payloads were blocked by a blacklist filter, but the filtering was bypassed using obfuscated JavaScript construction and character-code based string generation, allowing JavaScript execution in the application origin context.

2025-12-15 · 10 min read · Tags: XSS, Reflected XSS
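As an added illustration of the technique this case study describes (it is not code from the portal, and not the author's own writeup), the snippet below models a naive token blacklist, shows how a payload built with String.fromCharCode carries the same JavaScript without containing any blacklisted substring, and contrasts it with the fix the summary points to: encoding for the output context instead of pattern-matching "bad" input. The blacklist tokens, the `onerror` payload shape and the helper names are assumptions made for the demo.

```javascript
// Added illustration (not the portal's code). Models a naive substring
// blacklist of the kind the case study describes and shows why
// String.fromCharCode obfuscation slips past it while contextual output
// encoding does not. The token list and payload shape are assumptions.

// Constructed blacklist: the filter rejects input containing any of these tokens.
const BLACKLIST = ["<script", "alert(", "javascript:", "document.cookie"];

// Returns true when the naive filter would reject the input.
function blacklistBlocks(input) {
  const lower = input.toLowerCase();
  return BLACKLIST.some((token) => lower.includes(token));
}

// Rewrites a string as a String.fromCharCode(...) expression so that none of
// the blacklisted tokens appear literally in the payload.
function toCharCodeExpr(s) {
  const codes = Array.from(s, (ch) => ch.charCodeAt(0));
  return `String.fromCharCode(${codes.join(",")})`;
}

// What the expression yields once it runs in the browser: the original string,
// which the surrounding eval() then executes. Function() is used here only to
// reconstruct the string; no DOM is touched.
function evalCharCodeExpr(expr) {
  return Function(`return ${expr}`)();
}

// The fix implied by the writeup: encode for the HTML context. After this,
// the browser sees text, however the payload was spelled.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return s.replace(/[&<>"'\/]/g, (c) => map[c]);
}

function demo() {
  const plain = "<script>alert(1)</script>";
  // Blacklisted "alert(" never appears literally; only its character codes do.
  const obfuscated = `<img src=x onerror=eval(${toCharCodeExpr("alert(1)")})>`;
  return {
    plainBlocked: blacklistBlocks(plain),            // true: the filter catches the obvious form
    obfuscatedBlocked: blacklistBlocks(obfuscated),  // false: bypass
    reconstructed: evalCharCodeExpr(toCharCodeExpr("alert(1)")), // "alert(1)"
    encoded: htmlEncode(obfuscated),                 // no raw < or > survive encoding
  };
}
```

The filter compares bytes while the browser compares behaviour, and a blacklist loses that race by construction: every new encoding (character codes, string concatenation, template literals, Unicode escapes) is a new way to spell the same call. Output encoding for the context where the value lands, ideally via a templating engine that auto-escapes, plus a Content Security Policy as a second layer, removes the injection regardless of how the string was written.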
API Security · HIGH · Accepted · YesWeHack

GraphQL Authorization Bypass via Alias Batching & Resolver Enumeration

Exploited enabled GraphQL introspection to enumerate hidden resolvers, then leveraged alias batching to bypass per-query rate limiting and authorization checks, gaining unauthorized access to cross-tenant customer data.

2026-05-09 · 15 min read · Tags: GraphQL, Authorization
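The rate-limiting half of this chain, as an added example that is not the program's code and uses no real platform's schema: a GraphQL document can invoke the same resolver many times under different aliases, so a limiter that counts HTTP requests sees one request while the server does N lookups. The snippet builds such a document, counts its root-level selections with a deliberately small tokenizer (not a full GraphQL parser), and compares a per-request limiter with one that charges per selection. The field `customer(id:)`, the limit of 10 and the helper names are assumptions.

```javascript
// Added illustration (not the program's code). Shows why a rate limit that
// counts HTTP requests (one per GraphQL document) is defeated by alias
// batching, and how charging per root selection closes the gap. The field
// name, selection set and limits are assumptions for the demo.

// Build one document that invokes the same resolver once per id under aliases.
function buildAliasBatch(field, ids) {
  const selections = ids
    .map((id, i) => `  a${i}: ${field}(id: ${JSON.stringify(id)}) { id email }`)
    .join("\n");
  return `query {\n${selections}\n}`;
}

// Count root-level selections of an operation. This is a small tokenizer, not
// a GraphQL parser: at brace depth 1 and outside argument parentheses, every
// name that is not the right-hand side of "alias:" is one selection.
function countRootSelections(doc) {
  const tokens = doc.match(/"(?:[^"\\]|\\.)*"|[{}():]|[A-Za-z_]\w*|\S/g) || [];
  let brace = 0, paren = 0, count = 0, prev = null;
  for (const t of tokens) {
    if (t === "{") brace++;
    else if (t === "}") brace--;
    else if (t === "(") paren++;
    else if (t === ")") paren--;
    else if (/^[A-Za-z_]/.test(t) && brace === 1 && paren === 0 && prev !== ":") count++;
    prev = t;
  }
  return count;
}

// Naive limiter: one document costs one unit, whatever it contains.
function perRequestLimiter(limit) {
  let used = 0;
  return (doc) => ++used <= limit;
}

// Alias-aware limiter: one unit per root selection (a production limiter would
// use query-cost analysis, but counting selections already defeats plain
// alias batching).
function perSelectionLimiter(limit) {
  let used = 0;
  return (doc) => {
    used += countRootSelections(doc);
    return used <= limit;
  };
}

function demo() {
  // 50 customer lookups in a single HTTP request.
  const ids = Array.from({ length: 50 }, (_, i) => String(1000 + i));
  const doc = buildAliasBatch("customer", ids);
  return {
    selections: countRootSelections(doc),   // 50
    naiveAllows: perRequestLimiter(10)(doc), // true: looks like one request
    awareAllows: perSelectionLimiter(10)(doc), // false: 50 units against a budget of 10
  };
}
```

Per-selection (or per-cost) limiting only addresses the throttling bypass. The cross-tenant access in the writeup is an authorization problem: each resolver has to check that the caller may read the object it is asked for, because batching does not change who is asking, only how often. Disabling introspection in production removes the map the attacker used to find the hidden resolvers, but is not a substitute for that check.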
Web Security · HIGH · Resolved · BSSN / Government Bug Bounty

Stored XSS in Master Kategori Produk Hukum

A stored Cross-Site Scripting vulnerability was discovered in the Master Kategori Produk Hukum (legal-product category master data) functionality. Injected JavaScript payloads were stored by the application and executed when the affected page was rendered, demonstrating insufficient input sanitization and unsafe output handling.

2026-03-06 · 12 min read · Tags: Stored XSS, Web Security
Web Security · HIGH · Resolved · BSSN / Government Bug Bounty

Lack of Rate Limiting and CAPTCHA Reset on Login Authentication Mechanism

Weak rate limiting and insufficient CAPTCHA enforcement on a government authentication endpoint allowed repeated login attempts without effective throttling, significantly increasing brute force attack feasibility.

2026-03-06 · 14 min read · Tags: Brute Force, Rate Limiting
Access Control · HIGH · Duplicate · YesWeHack

IDOR on Support Ticket Creation via User-Controlled Customer Parameter

Broken object-level authorization in a support ticket workflow allowed authenticated users to create tickets on behalf of other accounts via manipulation of a user-controlled customer parameter.

2026-05-08 · 16 min read · Tags: IDOR, BOLA
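The object-level authorization flaw above, as an added example that is not the program's code: a ticket-creation handler that takes the customer identifier from the request body lets any authenticated user file tickets against another customer, while the hardened version binds the ticket to the customer recorded in the session and treats a mismatching client-supplied value as a signal rather than a typo. The field names (`customerId`, `subject`), the session shape and the in-memory store are assumptions made for the demo.

```javascript
// Added illustration (not the program's code). Vulnerable and hardened
// versions of a support-ticket "create" handler; the request/session shapes
// and the in-memory store are assumptions for the demo.

const tickets = []; // stands in for the database

// Vulnerable: the object the ticket belongs to is chosen by the client.
// Any logged-in user can set customerId to someone else's customer
// (BOLA / IDOR on a create operation).
function createTicketVulnerable(session, body) {
  const ticket = { id: tickets.length + 1, customerId: body.customerId, subject: body.subject };
  tickets.push(ticket);
  return ticket;
}

// Hardened: ownership comes from the authenticated session, never from the
// body. If the client does send customerId it must match; a mismatch is
// rejected (and is worth logging as tampering) rather than silently corrected.
function createTicketHardened(session, body) {
  if (!session || !session.customerId) throw new Error("401 unauthenticated");
  if (body.customerId !== undefined && body.customerId !== session.customerId) {
    throw new Error("403 customerId does not match authenticated customer");
  }
  const ticket = { id: tickets.length + 1, customerId: session.customerId, subject: body.subject };
  tickets.push(ticket);
  return ticket;
}

function demo() {
  const attacker = { userId: "u-attacker", customerId: "cust-100" }; // constructed session
  const victimCustomer = "cust-200";

  // Vulnerable handler files the ticket under the victim's customer.
  const forged = createTicketVulnerable(attacker, { customerId: victimCustomer, subject: "x" });

  // Hardened handler refuses the same request.
  let hardenedError = null;
  try {
    createTicketHardened(attacker, { customerId: victimCustomer, subject: "x" });
  } catch (e) {
    hardenedError = e.message;
  }

  // Legitimate request without a customerId still works and is bound server-side.
  const legit = createTicketHardened(attacker, { subject: "my own ticket" });

  return { forgedOwner: forged.customerId, hardenedError, legitOwner: legit.customerId };
}
```

The same rule applies to every other operation on the ticket (read, update, close): the lookup is keyed by `(ticketId, session.customerId)`, not by `ticketId` alone, so a guessed or enumerated identifier for another tenant returns "not found" rather than data. Staff roles that legitimately act on behalf of customers need an explicit role check, not a looser version of this handler.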
Web Security · CRITICAL · Duplicate · YesWeHack

Stored XSS in Support Ticket Workflow via response.content Parameter

Stored XSS vulnerability in a support/helpdesk workflow allowed attacker-controlled JavaScript execution when support tickets were viewed by users or internal staff, enabling session hijacking and privileged workflow abuse.

2026-05-08 · 18 min read · Tags: Stored XSS, Support Workflow

Coming Soon · HIGH

Full technical writeup will be published after the responsible disclosure review process is completed.
Open Source

Security Projects

Open-source tools and research projects for the security community

🌐 Web Development · In Progress

Security Portfolio Website

A cinematic cybersecurity portfolio built with Astro, Tailwind CSS, Three.js, and GSAP. Features immersive scroll-linked animations, 3D cyber environments, and interactive case study pages.

Astro · TypeScript · Tailwind CSS · Three.js · GSAP

🛡️ Security Tools · Coming Soon

Security tooling project currently in development. Details will be published upon release.

⚡ Automation · Coming Soon

Offensive security automation project currently in development. Details will be published upon release.
Published Research

Academic Research

Peer-reviewed cybersecurity research and penetration testing analysis

Jurnal BITe — Vol. 7 No. 1, June 2025
DOI: 10.30812/bite.v7i1.5032

Key Findings

  • 50% of universities vulnerable to XSS
  • 30% of universities vulnerable to SQLi
  • 20% of universities vulnerable to IDOR
  • Highest CVSS score: 9.0 (Critical)

Research Domains

SQL Injection Analysis

  • SQLMap validation
  • False-positive elimination
  • Manual verification

Cross Site Scripting

  • Burp Suite payload injection
  • Reflected XSS validation
  • Browser execution testing

IDOR Assessment

  • Authorization testing
  • Parameter manipulation
  • Access control validation

Reconnaissance

  • Wappalyzer fingerprinting
  • Nmap port analysis
  • Attack surface enumeration

Penetration Testing Methodology

  1. Literature Review: academic foundation
  2. Reconnaissance: technology fingerprinting
  3. Vulnerability Scanning: automated discovery
  4. Manual Validation: false-positive elimination
  5. SQLMap Exploitation: injection testing
  6. XSS Payload Testing: script injection
  7. IDOR Analysis: authorization bypass
  8. CVSS Scoring: severity evaluation
  9. Security Reporting: finding documentation
  10. Mitigation: recommendations
Contact

Get in Touch

Interested in collaboration, security engagements, or just want to connect?

$ connect --with dhirawahyu

Let's Build Something Secure

Whether you need a security assessment, want to discuss vulnerability research, or have an interesting project — I'm always open to new opportunities.

dhiraxioo@gmail.com