I hacked my own website
I sell AI-assisted pentesting tools. So I pointed them at my own production site. Found 13 vulnerabilities, including a publicly readable database containing every license key and customer email I had. Here's the full assessment.
Why audit your own site
Here's the situation. I'd just finished deploying siegeoffense.com — the landing page, the download portal, the admin panel, the license key validation system. Everything worked. Customer flow was smooth. I was feeling pretty good about it.
Then I remembered what I do for a living.
If you sell locks, your front door better be locked. If you sell pentesting tools, you should probably pentest your own infrastructure before someone else does it for you. So I fired up Kali MCP and pointed it at siegeoffense.com with the same methodology I'd use on any client engagement.
It was not a comfortable evening.
Methodology
Standard external assessment. No authenticated testing, no insider access — just what an attacker would see from the outside. The stack is simple: shared cPanel hosting running LiteSpeed, PHP 8.2, static HTML frontend, and a handful of PHP API endpoints handling license validation, downloads, signups, and admin functions.
Tools used through Kali MCP's AI-assisted workflow:
$ nmap -sV -sC siegeoffense.com # port scan + service detection $ dirb https://siegeoffense.com /usr/share/dirb/wordlists/common.txt $ curl -I https://siegeoffense.com # header analysis $ curl https://siegeoffense.com/api/ # directory listing check
Plus manual endpoint probing, CORS testing, rate limit verification, and source code exposure checks on every file in the /api/ directory.
The findings
Thirteen total. Three critical, four high, four medium, two low. I'll walk through the worst ones.
The file keys_export.json was directly accessible via browser. No authentication, no access control. It contained every license key I'd generated, the associated customer emails, product types, and key status. One GET request and an attacker had my entire customer database.
Root cause: The hardened .htaccess with file-blocking rules existed on my local machine. The version deployed to production was the original, unhardened copy. Classic deployment gap.
Navigating to /api/ returned a full LiteSpeed autoindex showing every file — PHP source, JSON data files, log files, the admin panel. An attacker didn't need to guess filenames. The server handed them a table of contents.
siege_keygen.py was sitting in the /api/ directory, downloadable. The file contained the complete key generation algorithm — character set, format, and generation logic. With the algorithm and the key database (C-1), an attacker could predict or forge valid license keys.
No HSTS, no Content-Security-Policy, no X-Frame-Options, no X-Content-Type-Options. The site was serving pages with no browser-side protections against clickjacking, MIME sniffing, or protocol downgrade attacks. Standard stuff that takes five minutes to configure and was completely absent.
Response headers disclosed LiteSpeed version, PHP 8.2.30, and an X-Turbo-Charged-By header confirming the LiteSpeed cache engine. Free reconnaissance for an attacker building a targeted exploit chain.
The deployed admin panel had password authentication but no CSRF tokens, no rate limiting on login attempts, and no session timeout. The hardened version with all of these controls existed locally. Again — deployment gap.
The license validation endpoint returned Access-Control-Allow-Origin: *, meaning any website on the internet could make cross-origin requests to validate or probe license keys. Combined with no rate limiting, this enabled automated key enumeration from any domain.
The pattern
Look at the root causes. Three criticals and two highs share the same origin: the hardened files existed but weren't deployed. I had built the security controls. They were sitting on my local machine. The production server was running the originals.
This is the most common vulnerability in the industry and it got me too. Not a lack of knowledge. Not a failure of design. A deployment process that didn't verify what was actually running in production matched what was tested locally.
The cobbler's children have no shoes. The pentester's website has no .htaccess.
Remediation
All 11 fixable findings were patched the same night. The remaining two are infrastructure-level (shared hosting limitations on the X-Turbo-Charged-By header and nmap port exposure) and accepted as residual risk.
| Fix | What changed |
|---|---|
| Root .htaccess | Security headers, Options -Indexes, server fingerprint stripping |
| API .htaccess | Block all .json, .txt, .py, .log files. Disable directory listing. |
| validate.php | Restricted CORS to siegeoffense.com only, rate limiting (20 req/15min), key format validation |
| download.php | POST-only, rate limiting (10 req/15min), path traversal protection |
| early-access.php | Rate limiting (5/hr), log injection prevention |
| download.html | POST-based downloads — no key leakage in URL parameters |
| admin.php | Deployed hardened version with CSRF, sessions, rate limiting |
| Exposed key | Revoked and replaced the key that had been publicly visible |
Post-deployment verification confirmed all 11 fixes working. Total time from discovery to remediation: one session.
Lessons
Audit your own infrastructure first. Before you hand a tool to a customer, point it at yourself. If you're not willing to do that, you're not confident in what you're selling.
Deployment gaps kill. Having security controls doesn't help if they're on your laptop instead of your server. Verify production state, not local state.
The boring findings matter most. Missing security headers and directory listing aren't exciting. They don't make conference talks. They're also the things that let an attacker map your entire attack surface in thirty seconds.
AI-assisted pentesting accelerates the loop. Discovery, analysis, remediation, and verification happened in a single session. The AI didn't find anything a skilled human wouldn't — it just found it faster, and contextualized the relationships between findings that a checklist-based approach might miss. C-1 plus C-3 plus H-4 is worse than the sum of its parts. The AI flagged that chain unprompted.
Full disclosure: The assessment and all remediation described in this post were performed using Kali MCP, the same tool available to Siege Offense customers. The 13 findings were real. The embarrassment was real. The fixes were real. No part of this was staged.
Point it at your own infrastructure
Kali MCP integrates 18+ offensive security tools into an AI-assisted workflow through Claude Desktop. Same toolset, same methodology, same uncomfortable truths.
Learn more