Mazin Ahmed

Application and Infrastructure Security Engineering

Projects, Research, and Publications

Products I’ve Built

  • FullHunt.io Assets Database: The attack surface database of the Internet. FullHunt is one of the largest and most updated databases for internet-facing assets and external attack surfaces of organizations. Thousands of security professionals worldwide use the FullHunt community search engine. Link
  • FullHunt Attack Surface Management Platform: A solution that allows organizations to discover, monitor, and run continuous vulnerability scans on their attack surfaces. FullHunt ASM platform is used by security companies to monitor the security of their clients. Link
  • Stressful.io Platform: A cloud-based DDoS (Distributed Denial-of-Service) simulation platform that is deployed on Microsoft Azure to run DDoS simulation attacks at a large scale. It supports over 20 DoS modules that I’ve developed. Stressful.io started as a research project that led to the development of the stress-testing engine. Link
  • Phish-Catcher: A Node.js library that identifies phishing emails using modular checks on the client side. It does not require sending the email to an external party for analysis; instead, it runs scans in the user’s browser.
  • protonvpn-cli: Official ProtonVPN Command-Line Tool for Linux and macOS. Link

Open-Source Tools

  • BFAC: (Backup File Artifacts Checker) - An automated tool that checks for backup artifacts that may disclose the web application’s source code. Link
  • struts-pwn: An exploit for Apache Struts CVE-2017-5638. Link
  • struts-pwn_CVE-2017-9805: An exploit for Apache Struts CVE-2017-9805. Link
  • GithubCloner: A script that clones GitHub repositories of users and organizations. Link
  • JWT-pwn: Security testing scripts for JWT (JSON Web Token). Link
  • Log4j-scan: A fully automated, accurate, and extensive scanner for finding the Log4j RCE (CVE-2021-44228). It was recommended by the United States CISA (Cybersecurity and Infrastructure Security Agency) to the US government and entities for scanning for Log4Shell vulnerabilities. Link
  • Firefox Security Toolkit: A tool that transforms Firefox browsers into a penetration testing suite. Link
  • ct-monitor: A monitoring tool for certificate transparency for domains. Link
  • Apache server-status PWN: A script that monitors and extracts requested URLs and clients connected to the service by exploiting publicly accessible Apache server-status instances. Link
  • xless: The serverless blind XSS app. Link
  • Tfquery: tfquery is a framework that allows running SQL queries on Terraform code. Link
  • Shennina: An AI-driven automated host exploitation framework. Link
  • Secrets-patterns-db: The largest open-source database for detecting secrets, API keys, passwords, and tokens. Link
  • Whatsapp-chat-parser: A module to parse WhatsApp chats. Link
  • llmquery: A comprehensive framework for interacting with Language Model APIs. It leverages standard YAML templates for prompt management, validation, and dynamic generation. Designed to streamline complex workflows, it allows developers to integrate, query, and test LLMs with ease. Link
  • aws-bedrock-proxy-server: A proxy server that provides an OLLAMA-compatible API interface for AWS Bedrock Claude models. Link
  • detect_passive_secrets: A Node.js library that detects secrets in codebases and texts through Shannon entropy. Link

Conferences

Recorded Conference Talks

  • Attack Vectors on Terraform Environments - DEF CON Cloud Village (2021). Watch the talk
  • Attack Vectors on Terraform Environments - DEF CON AppSec Village (2021). Watch the talk
  • Attack Vectors on Terraform Environments - BSides Amman (2021). Watch the talk
  • Attack Vectors on Terraform Environments - ROOTCON (2021). Watch the talk
  • Hacking Zoom: Uncovering Tales of Security Vulnerabilities in Zoom - DEF CON 28 (2020). Watch the talk
  • Using Serverless To Build Pentesting Toolset - OPCDE (2020). Watch the talk
  • Practical Approaches For Testing And Breaking JWT Authentication - Hack in The Box (2019). Watch the talk

Conferences I’ve Spoken at

  • OWASP PNW - Vancouver (2024) - Attacking GraphQL APIs
  • Black Hat MEA (2022) - DoS Attacks are Dead: Demystifying Practical DoS Attacks
  • OWASP Vancouver (2022) - Attack Vectors on Terraform Environments
  • @Hack (2021) - Attack Vectors on Terraform Environments
  • DEF CON Cloud Village (2021) - Attack Vectors on Terraform Environments
  • DEF CON AppSec Village (2021) - Attack Vectors on Terraform Environments
  • BSides Amman (Jordan) (2021) - Attack Vectors on Terraform Environments
  • RootCon (2021) - Attack Vectors on Terraform Environments
  • DEF CON RedTeam Village (2020) - Hacking Zoom: Uncovering Tales of Security Vulnerabilities in Zoom
  • OPCDE (2020) - Using Serverless To Build Pentesting Toolset
  • Hack in the Box Abu Dhabi (2019) - Practical Approaches For Testing And Breaking JWT Authentication
  • Swiss Cyber Storm (2016) - Bug Bounty Hunting for Companies and Researchers
  • OWASP Khartoum Chapters (2015-2019)

Research


Projects

  • HackBack: HackBack is an offensive security podcast that discusses security highlights and insights, delivered in English and Arabic.

CVEs

Discovered

Developed Exploit