My Hacker Toolkit

🧠 Why This Toolkit Exists

Every good exploit starts with curiosity—and sometimes a hunch.

Over the last few years, I’ve disclosed vulnerabilities ranging from GraphQL overexposures in social apps like Fizz and YikYak to full API-level data leaks in life safety infrastructure—one of which became CVE-2025-0352 and was documented in a CISA advisory.

What those projects had in common wasn’t a zero-day exploit or a million-dollar toolchain—it was a small, carefully selected set of tools that got the job done cleanly, legally, and ethically.

This is that toolkit.


🔎 Interception & Traffic Analysis

šŸ•µļøā€ā™‚ļø Fiddler Everywhere

Used for: Mobile app traffic inspection, replay attacks, JSON body manipulation

The go-to for intercepting HTTPS traffic from mobile apps. It’s lightweight, cross-platform, and ideal for reverse-engineering request structures without breaking anything.

I’ve used Fiddler to:

  • Dump GraphQL schemas from YikYak
  • Intercept and replay POST requests in alarm system apps
  • Watch payloads for subtle patterns like user ID, point fields, or rate-limiting quirks

Bonus: its UI makes it easy to filter by method or domain when sifting through noisy app activity.


🧵 Burp Suite (when needed)

Used sparingly, but still helpful for advanced manipulation

I lean on Fiddler more for mobile work, but Burp comes out when I need:

  • Fine-tuned intruder fuzzing
  • Cookie/session manipulation
  • Repeater + Collaborator for XSS or SSRF

Burp also covers HTTP/2 and GraphQL where Fiddler hits its limits.


🧪 Scripting & Enumeration

šŸ Python

Used for: Enumeration, API automation, analyzing scope without touching sensitive data

Python is my utility belt. Whenever I find an IDOR, wide-open API, or unauthenticated endpoint, Python lets me:

  • Safely test enumeration ranges (like SiteNum in the panel vuln)
  • Map exposed data at scale while stripping PII
  • Write controlled proof-of-concepts for reporting

Example from the alarm panel enumeration:

```python
import requests

# url, headers and payload are built earlier in the script (not shown here)
def check_site_number(site_number):
    # Only the site number changes between requests; everything else stays fixed
    payload["SiteNum"] = str(site_number)
    response = requests.post(url, headers=headers, json=payload)
    ...
```

I never store raw user data—just anonymized summaries for scope validation.


🧠 GraphQL Introspection + Voyager

Used for: Mapping entire API schemas in seconds

If a GraphQL API forgets to lock down introspection (a lot do), you can uncover everything.

I’ve used this method on:

  • YikYak (to find point, userId, and undocumented mutations)
  • Smaller apps with insecure admin panels hidden in plain schema

Voyager is my visualizer of choice—it makes API structure readable and fast to navigate.


šŸ” Auth & Session Testing

🔑 JWT.io + Header Manipulation

Used for: Analyzing token structure, checking claims, replaying sessions

A lot of mobile apps rely on JWTs with RS256—great if signed properly, dangerous if mishandled.

I inspect tokens to:

  • Identify user scoping failures
  • Check for leaked or static secrets
  • Confirm session durations or misuse potential

In Fizz and YikYak, this helped me understand user linkage and permissions—without needing access to other accounts.
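Reading a token the way jwt.io does, reduced to the three checks in the list above (user-scoping claim, expiry, session lifetime), as an added Python example that is not from the original post; the claim names `sub`/`userId`, the 24-hour lifetime threshold and the sample token are assumptions.

```python
import base64
import json
import time

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def _b64url_encode(obj) -> str:
    """Inverse of the above; used only to build the constructed sample token."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def inspect_jwt(token, scope_claims=("sub", "userId"), now=None):
    """Read header and claims WITHOUT verifying the signature, like jwt.io does.
    This is for reading a token you already hold, not for deciding validity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    iat, exp = claims.get("iat"), claims.get("exp")
    lifetime = exp - iat if iat is not None and exp is not None else None
    # First claim that ties the token to one user; None means no scoping at all
    scope = next((c for c in scope_claims if c in claims), None)
    checks = [
        ("no expiry claim", exp is None),
        ("no user-scoping claim", scope is None),
        ("lifetime over 24h", lifetime is not None and lifetime > 86400),  # assumed threshold
    ]
    return {
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "scoped_to": claims.get(scope) if scope else None,
        "lifetime_seconds": lifetime,
        "expired": exp is not None and exp < now,
        "notes": [msg for msg, flagged in checks if flagged],
    }

# Constructed sample token (not from any real app); the signature is a dummy.
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "typ": "JWT", "kid": "demo-key"}),
    _b64url_encode({"sub": "user-1234", "iat": 1700000000,
                    "exp": 1700000000 + 30 * 86400}),
    "c2lnbmF0dXJl",
])
```

Call `inspect_jwt(SAMPLE_TOKEN)` to get the algorithm, scoping claim, lifetime and a list of review notes; the sample token is flagged for its 30-day lifetime.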


šŸ› ļø Misc Tools I Keep Handy

  • Postman – clean for non-malicious API testing
  • curl – quick request mocking
  • Wireshark – rarely needed, but good for weird lower-level behavior
  • VS Code – for writing + executing API requests inline

📜 Toolkit Philosophy

I don’t use fuzzers first. I don’t lead with Metasploit. Most of my work starts with observing how the app talks, and following where it shouldn’t go.

This toolkit is light on noise, heavy on signal.

Every tool here was used in at least one public vulnerability, including:

  • Unprotected CDN backups in Fizz
  • Exact GPS coordinates leaking from YikYak
  • Nationwide site data access in a fire alarm app
  • Moderator and admin visibility from misconfigured mobile APIs

You don’t need a weaponized lab to find high-impact vulns—just sharp tools, ethical boundaries, and some patience.


🧠 Final Thoughts

My toolkit isn’t a pentester’s dream or a red team vault. It’s a curious hacker’s field kit—designed for clarity, precision, and responsible disclosure.

If you’re getting started in appsec or bug hunting, my advice?

  • Start with Fiddler, Python, and jq
  • Watch how data flows, then gently nudge it
  • Focus on real-world risk, not just bug type
  • Always disclose responsibly

The best part of all this? Finding something real—and fixing it for everyone else.
