ChatGPT Telemetry Crashes on Invalid Input (Yes, Really)
Everyone says telemetry “doesn’t matter”. Until it starts returning 500 Internal Server Error. I pointed Rentgen at one of ChatGPT’s internal telemetry endpoints — the one triggered when you click Copy under a message. Nothing exotic. I literally copied the cURL from the browser and pasted it into Rentgen. Then I let Rentgen do what it does best: mutate inputs. Result? Sending perfectly valid...
Clickjacking — when your users click things they never meant to
Clickjacking is one of those “everything works” security problems that teams ignore because nothing crashes, nothing burns, and monitoring stays green. And that’s exactly why it survives. Your API can be flawless, your backend locked down — but if your UI can be framed, a user can be tricked into clicking real actions through someone else’s page. Approvals, settings, payments, permissions. All...
Your API Is Leaking Its Server Version. Yes, That’s Still a Thing
There’s a special kind of security failure that doesn’t come from complex exploits or zero-days. It comes from your API politely introducing itself to the entire internet: “Hi, I’m nginx 1.18.0.” This isn’t advanced hacking. It’s basic fingerprinting — and it’s how attackers decide whether you’re worth attacking at all. Exposing server versions turns vulnerability scanning into shopping with a...
If a problem can be solved without AI, does AI actually make it better?
I recently had an interesting conversation with an investor. I was explaining a very concrete technical problem and the solution behind it. At some point he asked: “Won’t AI solve this in a few years? If so, doesn’t that make your solution irrelevant?” That question stuck with me — because my instinctive reaction was: why would that make it irrelevant? If a problem can be solved without AI,...
After testing hundreds of APIs, the biggest issues are still HTTP basics
After years of testing APIs across fintech, gov, and internal platforms, I keep seeing the same pattern: Most API bugs are not complex. They’re boring HTTP basics that teams quietly forget. A few examples I see again and again: Missing auth returns 403 instead of 401 — so clients debug permissions instead of authentication Unsupported HTTP methods return 200 — so people debug payloads instead...
I spent 18 years breaking software, now I built a tool that does it faster than I ever could
I’m Liudas — a QA engineer with 18 years of experience in backend/API testing, leading QA teams in security-critical environments in the UAE. I built Rentgen because most API bugs are simple edge cases no one has time to test manually. One cURL → hundreds of generated test cases. All local, no cloud, no telemetry. I believe in no-nonsense engineering, fast feedback loops, and tools that help...