All Posts
Week 1: Architecture of an AI Financial Platform
What happens when AI agents handle real financial workflows? I've been working on FinBot CTF — an AI-powered financial platform built for the OWASP Agentic AI project. The goal is to explore what happens when you give AI agents real financial responsibilities, such as onboarding vendors, processing invoices, flagging fraud, and authorizing payments. But before I write about how I test it, I need to explain what I'm actually testing. Because the architecture is what makes this
carocsteads
Mar 3 · 4 min read
Building a Production-Ready Database QA Automation Framework:
A Journey into Testing at Scale By Carolina Steadham | QA Automation Engineer --- Introduction Testing at scale is less about writing more tests and more about building systems that can be trusted under growth, change, and failure. As applications evolve, databases become the backbone of reliability—quietly enforcing correctness, performance, and consistency across the entire platform. This project began as an exploration into what it really means to test databases and backe
carocsteads
Dec 17, 2025 · 7 min read
Automating Privileged Access Management:
A QA Engineer's Journey with Apache Guacamole By Carolina Steadham | QA Automation Engineer Introduction In today's cybersecurity landscape, privileged access management (PAM) is critical for protecting sensitive systems. I recently completed a comprehensive QA automation project focused on testing Apache Guacamole, a clientless remote desktop gateway that provides secure access to RDP, VNC, SSH, and Telnet connections through a web browser. This project showcases my experti
carocsteads
Dec 15, 2025 · 3 min read
Building an AI Threat Analytics Framework: A Developer's Journey
How I created a security-focused AI testing framework with Python, pytest, and real-world threat detection By Carolina Steadham | QA Automation Engineer Introduction Security is one of the most critical concerns in today's digital landscape. With AI systems becoming increasingly prevalent in security operations, I set out to build a comprehensive AI Threat Analytics Framework - a proof-of-concept project that demonstrates how AI can be leveraged for threat detection, classi
carocsteads
Dec 12, 2025 · 4 min read
🔧 Self-Healing Locators
Transform Flaky Tests into Resilient Automation By Carolina Steadham | QA Automation Engineer 📚 About This Project The Selenium TestNG Automation Framework is a comprehensive learning platform designed for manual testers transitioning to test automation. This portfolio project demonstrates production-grade automation patterns, best practices, and real-world problem-solving skills. 🎯 Project Purpose Educational Framework: Built-in exercises with gradually detailed hints t
carocsteads
Dec 11, 2025 · 4 min read


Security Testing: Secure Code Review
1. Objective 2. Vulnerable eCommerce application 3. Step by step code review 3.1 Hardcoded credentials and DB configuration 3.2 Login function 3.3 Add product function 3.4 Purchase product function 3.5 Update Profile function 3.6 Leave Review function 1. Objective The objective of this document is to outline the secure code review process performed during a mock interview. It aims to identify vulnerabilities and security flaws within the provided code and to recommend remedia
carocsteads
Sep 17, 2025 · 3 min read


Threat Modeling exercise
1. Objective 2. Description of Power Utility Awareness app 3. Threat modeling methodology: STRIDE 3.1 Definition 3.2 Why use a threat model? 3.3 What are we working on? 3.4 What can go wrong? 3.5 What are we going to do about it? 3.6 Did we do a good enough job? 1. Objective The objective of this document is to present step by step threat modeling exercise conducted for the Power Utility Awareness application. It aims to identify, evaluate, and prioritize potential security
carocsteads
Sep 17, 2025 · 8 min read


PortSwigger Exploiting APIs
1. Objective 2. Lab: Exploiting an API endpoint using documentation 3. Lab: Finding and exploiting an unused API endpoint 4. Lab: Exploiting a mass assignment vulnerability 5. Lab: Exploiting server-side parameter pollution in a query string 1. Objective: This document showcases a set of hands-on API security testing exercises completed through the PortSwigger Web Security Academy. The goal is to demonstrate practical skills in identifying, analyzing, exploiting and mitiga
carocsteads
Jul 29, 2025 · 7 min read


PortSwigger Exploiting LLM APIs
Content 1. Objective 2. Introduction to vulnerabilities in LLM APIs 3. Lab: Exploiting LLM APIs with excessive agency 4. Lab: Exploiting vulnerabilities in LLM APIs 1. Objective The objective of this document is to identify vulnerabilities in Large Language Models APIs to detect, exploit and mitigate potential security flaws that could allow attackers to manipulate LLM behavior, exfiltrate sensitive data, bypass authorization, inject prompts or compromise system integri
carocsteads
Jul 29, 2025 · 3 min read


Hack the box OWASP Top 10: Baby todo or not todo
Baby todo or not todo: Synopsis: An application logic flaw results in compromised vertical privilege escalation, causing sensitive information to be exposed. Skills Required: Basic understanding of access control vulnerabilities. Ability to analyze and understand source code. Familiarity with the HTTP protocol. Knowledge of basic scripting using a programming language such as Python. Skills Learned: Understanding the vertical access control vulnerability. Familiarity with t
carocsteads
Feb 23, 2025 · 2 min read
Hack the box OWASP Top 10: Baby WAFfles
Baby WAFfles order: Synopsis: XML external entity injection by modifying Content-Type header. Skills Required: Basic understanding of XXE. Ability to analyze and implement an XXE injection attack that retrieves an arbitrary file from the server's filesystem. Basic understanding of XML. Skills Learned: Understanding the XXE vulnerability. Familiarity with the process of exploiting XXE vulnerability. Experience in analyzing and understanding Burp messages to inject a paylo
carocsteads
Feb 23, 2025 · 2 min read
Hack the box OWASP Top 10: Baby nginxatsu
Baby nginxatsu: Synopsis: Sensitive data exposure leads to leakage of MD5 hashed admin password. Skills Required: Basic understanding of information disclosure. Ability to analyze and understand source code. Familiarity with directory listing. Knowledge of basic to crack a hashed password. Basic understanding of HTTP web server. Skills Learned: Understanding the information disclosure vulnerability. Familiarity with the process of exploiting information disclosure vulner
carocsteads
Feb 13, 2025 · 2 min read


Hack the box OWASP Top 10: Baby Auth
Baby Auth: Synopsis: Broken Authentication leads to account takeover. Skills Required: Basic understanding of web application vulnerabilities. Ability to analyze and understand source code. Familiarity with the HTTP protocol. Knowledge of basic scripting using a programming language such as Python. Skills Learned: Understanding the Broken Authentication vulnerability. Familiarity with the process of exploiting a web application vulnerability. Experience in analyzing and und
carocsteads
Feb 13, 2025 · 2 min read


Hack the box OWASP Top 10: Sanitize
Sanitize: Synopsis: SQL injection leads to authentication bypass. Skills Required: Basic understanding of SQL Familiarity with Flask web framework. Knowledge of SQL injection vulnerabilities. Skills Learned understanding and exploiting SQL injection vulnerabilities in web applications. Analyzing Dockerfiles and Docker setup in web applications. The exercise: Can you escape the query context and login as admin at my super secure login page? Analysis: The first clue is in the
carocsteads
Feb 12, 2025 · 2 min read


Hack the box OWASP Top 10: Looking Glass
Looking glass: Synopsis: Unsanitized system function call leads to command injection. Skills Required: Knowledge of web application security Understanding of command injection vulnerabilities Basic knowledge of Docker and containerization Skills Learned: How to identify and exploit command injection vulnerabilities in a web application Techniques to bypass input validation and execute arbitrary commands Understanding of Docker and its components The exercise: This Looking Gla
carocsteads
Feb 12, 2025 · 2 min read