<SECURITY RESEARCH/>

Welcome to my security research portfolio. Here you'll find a comprehensive showcase of my work in both defensive security engineering and offensive security research. Each project represents a commitment to making the digital world more secure through responsible disclosure, innovative engineering, and continuous learning.

3 Major Projects

2 Bounties Awarded

100% Responsible Disclosure

Defensive Security

High-Performance Web Application Firewall Engine

Role: Lead Security Engineer

2024 - Present

Technology Stack

Go (Golang), Redis Pub/Sub, Node.js, Next.js, ModSecurity Logic, Docker

Project Overview

Architected and developed a production-grade Web Application Firewall (WAF) from scratch, designed to protect web applications from the most common and critical security threats including SQL Injection, Cross-Site Scripting (XSS), Local File Inclusion (LFI), and Remote Code Execution attempts.

Implemented an intelligent request analysis engine using Go for maximum performance and concurrent request handling, capable of processing thousands of requests per second with minimal latency overhead.

Built a sophisticated pattern matching system based on ModSecurity Core Rule Set (CRS) logic, with custom rule adaptation for modern web application architectures and API endpoints.

Designed and implemented a revolutionary "Hot-Reload" security rule system using Redis Pub/Sub architecture, enabling security teams to update attack signatures, blacklists, and security policies across distributed WAF instances without any downtime or service interruption.
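The swap step of such a hot-reload design, as an added Go example (not the project's code): `Apply` stands for what a Redis Pub/Sub subscriber would call with each decoded message, and `Engine`, `ruleSet` and the version number are assumed names. The whole update is compiled before the pointer swap, so a stale or malformed message leaves the previous rules in force.

```go
package main

import (
	"fmt"
	"regexp"
	"sync/atomic"
)

// ruleSet is an immutable compiled snapshot; Engine points at the current one.
type ruleSet struct {
	version int
	res     []*regexp.Regexp
}

type Engine struct{ cur atomic.Pointer[ruleSet] }

// Apply is called from the single subscriber goroutine. It compiles every
// pattern first and swaps only if the whole update is newer and valid.
func (e *Engine) Apply(version int, patterns []string) error {
	if c := e.cur.Load(); c != nil && version <= c.version {
		return fmt.Errorf("stale update v%d, current v%d", version, c.version)
	}
	next := &ruleSet{version: version}
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return fmt.Errorf("update v%d rejected: %w", version, err)
		}
		next.res = append(next.res, re)
	}
	e.cur.Store(next) // atomic swap; in-flight requests finish on the old snapshot
	return nil
}

// Blocked reports whether input matches any rule in the current snapshot.
func (e *Engine) Blocked(input string) bool {
	if c := e.cur.Load(); c != nil {
		for _, re := range c.res {
			if re.MatchString(input) {
				return true
			}
		}
	}
	return false
}

func main() {
	e := &Engine{}
	fmt.Println(e.Apply(1, []string{`(?i)union\s+select`}), e.Blocked("id=1 UNION SELECT 2"))
}
```

Until the first update arrives `Blocked` matches nothing, so a deployment that must fail closed should load a baseline rule set before it starts serving traffic.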

Created a real-time monitoring and analytics dashboard using Next.js, providing security teams with live insights into blocked attacks, traffic patterns, threat intelligence, and detailed attack vector analysis.

Developed a comprehensive logging and alerting system that categorizes threats by severity, provides detailed attack signatures, and integrates with incident response workflows.

Key Features & Capabilities

Zero-downtime rule updates via Redis Pub/Sub
High-concurrency handling (10,000+ requests/second)
Real-time attack detection and blocking
Custom rule engine with regex and signature-based detection
Distributed deployment support
Comprehensive attack analytics and reporting
API protection with rate limiting
Automated threat intelligence updates

Impact & Outcome

Successfully deployed in production environments, protecting critical web applications from thousands of daily attack attempts while maintaining sub-millisecond latency impact on legitimate traffic.

Bug Bounty

Diskominfo Bali - Critical Security Vulnerability Discovery

Target: Bali Provincial Government - Business Management Center (BMC) System

Dinas Komunikasi dan Informatika Provinsi Bali

Vulnerabilities Discovered

Rate Limiting Bypass

High Severity

Discovered a critical flaw in the password reset functionality that allowed unlimited password reset attempts without proper rate limiting

Null Byte Injection

Critical Severity

Identified null byte injection vulnerability that could potentially bypass file access controls and security validations

Discovery Process & Timeline

1

Reconnaissance

Identified the BMC (Business Management Center) system as a critical government infrastructure requiring security assessment

January 30, 2025

2

Vulnerability Discovery

Found a weakness in the password reset mechanism at the https://bmc.baliprov.dev/password/reset/request endpoint, which accepted null byte characters in the email field

January 30, 2025

3

Exploitation Analysis

Reproduced the issue: 1) Opened the password reset link in a browser, 2) Clicked "Lupa Password", 3) Injected an email with a null byte (example: root@ragel.io%00), 4) Confirmed that the email was still sent despite the null byte injection, creating potential for bypass attacks

February 6, 2025

4

Impact Assessment

Analyzed potential risks: 1) SQL Injection or exploitation possibilities, 2) Server overload from unlimited requests without rate limiting, 3) Potential unauthorized access vectors

February 6, 2025

5

Responsible Disclosure

Reported findings through official channels with detailed reproduction steps, security recommendations, and proposed solutions

February 6, 2025

6

Validation & Fix

Vulnerability confirmed by security team. Recommendations implemented: 1) Rate limiting implementation, 2) Input validation for special characters including null bytes

February 9, 2025

7

Recognition

Received official Certificate of Appreciation from Bali Provincial Government for responsible disclosure and contribution to government infrastructure security

February 10, 2025
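The two recommendations from the Validation & Fix step, as an added Go example (not the BMC system's code): the email is rejected if it carries a NUL or other control byte, and requests are counted per client and per target address. `ValidEmail`, `Limiter`, `HandleReset`, the status codes and the limits are assumptions of this example.

```go
package main

import (
	"net/mail"
	"strings"
	"sync"
	"time"
)

// ValidEmail refuses control bytes (NUL included), '%' (policy choice) and anything but a bare address.
func ValidEmail(s string) bool {
	bad := func(r rune) bool { return r < 0x20 || r == 0x7f || r == '%' }
	a, err := mail.ParseAddress(s)
	return strings.IndexFunc(s, bad) < 0 && err == nil && a.Address == s
}

// Limiter is a fixed-window counter per key; Allow is safe for concurrent handlers.
type Limiter struct {
	mu     sync.Mutex
	max    int
	window time.Duration
	start  map[string]time.Time
	count  map[string]int
}

func (l *Limiter) Allow(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if now.Sub(l.start[key]) >= l.window { // first request or window expired
		l.start[key], l.count[key] = now, 0
	}
	l.count[key]++
	return l.count[key] <= l.max
}

func HandleReset(l *Limiter, ip, email string, now time.Time) int {
	switch {
	case !l.Allow("ip:"+ip, now): // every attempt counts, valid or not
		return 429
	case !ValidEmail(email): // reject, never trim and continue
		return 400
	case !l.Allow("to:"+strings.ToLower(email), now): // caps mail sent to one address
		return 429
	}
	return 202 // same answer whether or not the account exists
}

var demo = &Limiter{max: 3, window: time.Minute, start: map[string]time.Time{}, count: map[string]int{}}

func main() { println(HandleReset(demo, "203.0.113.7", "user@example.com\x00", time.Now())) }
```

The maps grow with every new key; a production limiter would expire idle entries or keep the counters in a shared store so all instances see the same counts.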

Technical Details

endpoint:

https://bmc.baliprov.dev/password/reset/request

vulnerability:

Rate Limiting Bypass & Null Byte Injection

method:

POST

impact:

High - Potential for brute force attacks and security control bypass

Official Certificate Available

Issued by Dinas Komunikasi dan Informatika Provinsi Bali

February 10, 2025


Outcome & Recognition

Successfully identified and reported critical vulnerabilities in government infrastructure, contributing to the security of public digital services used by thousands of citizens and businesses in Bali.

Bug Bounty

IDCloudHost - Information Disclosure Vulnerability

Target: Leading Indonesian Cloud Infrastructure Provider

PT Cloud Hosting Indonesia (IDCloudHost)

Vulnerabilities Discovered

Information Disclosure

Medium-High Severity

Discovered sensitive service management data leakage in email/console system exposing internal infrastructure details

Discovery Process & Timeline

1

Initial Discovery

While performing security testing on IDCloudHost platform, identified unusual data exposure in console and email notification system

November 3, 2025

2

Vulnerability Analysis

Confirmed that internal service management data, including configuration details and system information, was accessible through customer-facing interfaces

November 3, 2025

3

Security Report Submission

Submitted detailed vulnerability report via email (root@ragel.io) and official bug bounty form at https://idcloudhost, including reproduction steps and potential security implications

November 3, 2025

4

Vendor Confirmation

IDCloudHost security team (Roful Z. Santosa) acknowledged the report and confirmed the vulnerability after thorough internal testing

November 10, 2025

5

Additional Findings

Provided supplementary security observations and recommendations for strengthening overall platform security

November 11, 2025

6

Remediation & Validation

Vendor deployed patches to address the information disclosure. Performed re-testing to confirm the vulnerability was properly fixed

February 13, 2025

7

Bounty Awarded

Received security bounty reward totaling Rp. 650,000 (Rp. 150,000 + Rp. 500,000) in recognition of responsible disclosure and comprehensive security research

February 14, 2025

Technical Details

platform:

IDCloudHost Cloud Management Console

vulnerability:

Sensitive Service Data Leakage

data exposed:

Internal service management information, system configurations, and infrastructure details

impact:

Medium-High - Potential for reconnaissance and targeted attacks on infrastructure

Bounty Reward

Rp. 650.000

Total Security Bounty Awarded

Primary vulnerability discovery and detailed report: Rp. 150.000
Additional security findings and comprehensive remediation guidance: Rp. 500.000

Outcome & Recognition

Successfully identified and responsibly disclosed information leakage vulnerability affecting a major cloud infrastructure provider, helping protect thousands of customer workloads and sensitive data. Recognized by vendor with security bounty award for contribution to platform security.

Interested in Security Research?

I'm always open to discussing security research, collaboration opportunities, or sharing knowledge about defensive and offensive security practices.
