// portfolio.init() — 15 years experience

Web Developer & Security Researcher

I build high-performance web applications and custom websites using WordPress, Joomla, Drupal and more. I am also a bug bounty hunter with confirmed findings on Facebook, VK, and dozens of other platforms.

Bug Bounty · Penetration Testing · Full-Stack Dev · Server Security · CMS Expert

security_profile.sh
$ whoami
Web Developer & Security Researcher
$ cat experience.txt
15 years web development
10+ years vulnerability research
$ ls ./hall_of_fame/
facebook.com  confirmed
vk.com        confirmed
[+48 more]    various
$ status
● AVAILABLE FOR HIRE
Facebook — Hall of Fame · VK.com — Bug Bounty · WordPress, Joomla, Drupal · 50+ Bug Bounty Reports · 15 Years Experience · Server Security · Full-Stack Developer
// 01 — about.me

About Me

15 YRS EXPERIENCE

Security-First Developer & Bug Bounty Hunter

I am a full-stack web developer and cybersecurity researcher with 15 years of hands-on experience building secure, scalable web applications and identifying critical vulnerabilities in production systems.

I build professional websites using WordPress, Joomla, Drupal, PrestaShop, Magento and custom-coded solutions — fully tailored to client needs with security hardening from day one.

My security research has led to responsible disclosure of vulnerabilities in major platforms including Facebook and VK.com, earning recognition in their official Hall of Fame programs.

50+ Vulnerabilities: Responsibly disclosed
15 Years: Professional experience
CMS Expert: WordPress, Joomla, Drupal
Available: Freelance & consulting
// 02 — security_research

Vulnerability Research

I specialize in identifying and responsibly disclosing vulnerabilities in web applications, APIs, and server infrastructure. Below are the main vulnerability classes I research and hunt.

💉 SQL Injection (Critical) · CWE-89 / OWASP A03

Database manipulation via unsanitized inputs. Can lead to full data exfiltration or, depending on the database, remote code execution.

🔀 XSS (High) · CWE-79 / OWASP A03

Cross-site scripting enables session hijacking, phishing overlays, and client-side malware injection.

🔗 SSRF (Critical) · CWE-918 / OWASP A10

Server-side request forgery tricks the server into making requests to internal services, exposing resources such as cloud metadata endpoints.

🔑 Broken Auth (Critical) · CWE-287 / OWASP A07

Weak authentication flows, predictable tokens, or improper session management allow account takeover.

📁 Path Traversal (High) · CWE-22 / OWASP A01

Directory traversal attacks allow reading arbitrary files outside the web root, leaking sensitive configuration files.

🌐 CSRF (Medium) · CWE-352 / OWASP A01

Cross-site request forgery tricks authenticated users into executing unwanted state-changing actions.

⚙️ Misconfiguration (Medium) · CWE-16 / OWASP A05

Security misconfigurations, including open S3 buckets, exposed admin panels, and verbose error messages.

🔓 IDOR (High) · CWE-639 / OWASP A01

Insecure direct object reference flaws let users access or modify other users' data by changing IDs.

// 03 — hall_of_fame

Notable Disclosures

2021 · Critical · Facebook / Meta

Discovered a critical security vulnerability in Facebook's platform affecting millions of users. Responsibly reported and acknowledged in Meta's official security Hall of Fame.

2020 · High · VK.com

Identified a critical security vulnerability in VK's platform infrastructure. Responsibly disclosed and acknowledged by VK's security team in their official bug bounty program.

2022 · Critical · Multiple Platforms

Uncovered critical vulnerabilities on several high-traffic web platforms. All findings responsibly disclosed to respective security teams.

2019–2024 · Medium–High · Server Infrastructure

Identified server misconfigurations, exposed admin panels, and privilege escalation paths across various companies through authorized penetration testing engagements.

2023 · High · E-Commerce Platforms

Found critical access control flaws in multiple e-commerce platforms, exposing customer data and order management systems to unauthorized access.

Ongoing · Various · 50+ Platforms Total

Active bug bounty hunter with 50+ accepted reports. Specialized in web application security, API vulnerabilities, and business logic flaws.

// 04 — skills.json

Technical Arsenal

Security & Pentesting
Web App Security: 98%
Server Pen Testing: 95%
API Security: 93%
SQL Injection / XSS: 97%
OWASP Top 10: 99%
Security Tools
Burp Suite · Metasploit · Nmap · Wireshark · OWASP ZAP · Nikto · Nessus · Shodan · SQLMap · Hydra · Aircrack-ng · John the Ripper · Volatility · Maltego · Gobuster
Web Development
JavaScript / TypeScript: 96%
Node.js / PHP / Python: 92%
React / Vue / Next.js: 90%
MySQL / PostgreSQL: 91%
Linux / Nginx / Apache: 94%
Dev Stack
WordPress · Joomla · Drupal · PrestaShop · Magento · React · Next.js · Node.js · PHP · Python · Docker · Git · Linux · MySQL · MongoDB · AWS
// 05 — projects[]

Selected Work

VulnScanner Pro (Security · Node.js)

Automated web vulnerability scanner detecting XSS, SQLi, CSRF, open redirects, and misconfigurations across web applications.

CMS Website Development (WordPress · Joomla · Drupal)

Custom website builds using WordPress, Joomla, Drupal, PrestaShop and more — tailored themes, plugins, e-commerce integrations, and full security hardening.

API Fuzzer Tool (Python · Pentesting)

Python-based API fuzzing tool for discovering broken authentication, rate-limiting bypasses, and hidden endpoints in REST and GraphQL APIs.

// 06 — contact.init()

Let's Work Together

Whether you need a secure web application, a penetration test, or a security audit — I'm available for freelance and consulting work.

Email: contact@afraoua.it
Location: Italy 🇮🇹
Response Time: Within 24 hours
Status: ● Open to Work