Cybersecurity Lab

Hands-on offensive and defensive security in a self-built home lab — with live, in-browser demos you can run right now.

This page collects the security work I do outside the classroom: exploiting deliberately-vulnerable web apps, practicing OSINT, running a Raspberry Pi lab, and building security tooling (including LLM Protector, my LLM prompt-injection scanner). As a US citizen I'm building toward the federal cybersecurity field, and everything below is meant to be inspected, not just read.

Ethics: every technique here was practiced against systems I own or against intentionally-vulnerable training apps (DVWA). Nothing on this page attacks a real target, and no exploit tools are hosted live.


Home Lab


A self-contained lab built around a Raspberry Pi running DVWA (Damn Vulnerable Web Application) as a safe target, with an attacker box on the same isolated network.
┌──────────────┐ ┌─────────────────────┐ │ Attacker box │ ─────▶ │ Raspberry Pi │ │ (Kali/Linux) │ HTTP │ • DVWA (PHP/MySQL) │ │ Burp, nmap │ ◀───── │ • isolated subnet │ └──────────────┘ └─────────────────────┘ (no route to the public internet)
Inspectable setup: the lab is built around a local Raspberry Pi DVWA target, an attacker machine on the same isolated subnet, and tools such as Burp Suite and nmap. The public page documents the network shape without exposing private lab photos or target details.

Web App Exploitation


Walkthroughs of the core web vulnerability classes, practiced against DVWA and summarized below. Requests were intercepted and modified with Burp Suite.

SQL Injection

Bypassing authentication and dumping the user table with classic ' OR '1'='1 and UNION-based payloads.

Lab evidence: practiced on DVWA, then documented as the login-bypass and UNION-query path rather than publishing a raw database dump.

Cross-Site Scripting (XSS)

Stored and reflected XSS — injecting script that runs in another user's session.

Lab evidence: kept to the training app and described at the behavior level, so visitors can see the exploit class without a live payload.

Command Injection

Chaining OS commands through an unsanitized input field to read server files.

Lab evidence: demonstrated through DVWA command execution in the isolated lab, with the public write-up stopping before reusable commands.

OSINT


Open-source intelligence methodology — footprinting and reconnaissance using only publicly available information. Practiced on consenting targets and my own infrastructure.
Method: collect public domain, DNS, certificate, repository, and social-profile signals, then record only redacted findings. The page names the workflow without exposing private target details.

Defensive / Blue Team


The defensive counterpart to the offensive work: a Windows USB watchdog that monitors for unauthorized removable-storage events, plus log analysis for brute-force and failed-login patterns.

LLM Security


LLM Protector is my own security tool: it scans a local LLM for prompt-injection and jailbreak vulnerabilities, running 50 attacks across 11 categories and grading each model with a severity-weighted risk score. It's where my AI and security work meet.

Try the LLM Protector live demo

Interactive Demos


These run entirely in your browser — no server, nothing sent anywhere. Open your DevTools and dig in.

1. Hash + Dictionary Cracker

Type a password to see its MD5/SHA-256 hash, then watch a dictionary attack crack a weak hash against a 20-word list. Real attackers use lists of millions — this is why weak passwords fall instantly.

2. Capture the Flag

A flag is hidden somewhere on this page. Find it and submit it. Hint: security people live in DevTools (press F12) — and flags love hiding in HTML comments and the console.



Tools & Skills


Burp Suite Wireshark nmap DVWA Linux / Bash Python Cryptography OSINT Raspberry Pi Log Analysis

← Back to all projects

Back to top