Everything From Rookie Mistakes to a New Feature: My Passion Project's Wildest Week

Written by kuwguap | Published 2025/07/07
Tech Story Tags: debugging | cybersecurity | bug-bounty | penetration-testing | kanban-project-management | firebase | rawpa | hackernoon-top-story

TLDRKuwguap is the founder of RAWPA, a penetration testing assistant. His passion project has completely hijacked his brain, and he wouldn't have it any other way. He's written about his mistakes and the madness that caused all the chaos.via the TL;DR App

Hey HackerNoon, Kuwguap here.

Guess what? I have exams in two days. Yes, actual university exams. And what am I thinking about 24/7? RAWPA(My penetration testing assistant). My passion project has completely hijacked my brain, and I wouldn't have it any other way.

So, while I should be memorizing lecture notes, I thought I’d get you up to speed on the wild ride of the last few weeks. Before I dive into the bugs and the new feature, I have to say—I honestly think the number one skill in any tech career is debugging.

It’s not just about finding errors; it's about problem analysis, understanding, and solving. It's a superpower. It’s cool to create something new, but being able to fix what's broken—whether it's your own code or a target system—is where the real magic happens.

Anyway, let's dive into the mistakes and the madness.

My First Mistake: The "Responsive What?" UI

I’ll start with the rookie mistake that came back to bite me. I had never done any real UI/UX design before this project. I watched a couple of YouTube videos, got inspired by the clean look of Whimsical (the tool I used for wireframing), and just started… drawing.

No device responsiveness. No specific screen sizes. Just rectangles on a screen. It looked good on my development PC, so I figured, "Ship it!" A few weeks ago, a tester rightfully pointed out that the mobile view was completely broken. I spent two full days untangling that mess and making the app truly responsive. Lesson learned: think about all screens from day one.

The Bug That Shut RAWPA Down

That aside… about two days ago, I noticed features on RAWPA were failing. The methodologies weren't loading, and other data was missing. A quick look at my console told the story:

FirebaseError: [code=resource-exhausted]: Quota exceeded.

I had hit 16,000 reads and 20,000 writes in a single day. That's the entire free quota on Firebase. With just 33 users, this was insane. I was dumbfounded. I could either wait a day for the quota to reset, or I could put on my detective hat and debug.

The culprit? A series of logical bugs born from late-night coding sessions.

  1. The Infinite Loop: I had created a function that continuously checked Firestore for updates, in case I used my admin panel to disable a methodology. It was a dumb, brute-force way to solve a problem, and it was hammering the database.

  2. Sleepy-Dev Syndrome: The new feature I was building needed to save its state. Instead of using localStorage for frequent, small updates, I was writing to Firestore on every single change. Why? Because I was sleepy and not thinking straight.

On top of that, the app was loading all Firestore functions on startup, creating a queue that led to insane load times—sometimes up to 10 seconds. I knew the fix was probably caching with something like Redis, but I was hesitant. It meant more complexity and moving things around on Vercel, which has a 12-API limit on the free plan.

Guess what? I did it anyway. I integrated Upstash Redis, added the environment variables, made a few tweaks, and boom—the speed improved dramatically. Sometimes, I wish I’d started with Next.js, but after a failed attempt to migrate, I'm sticking with my React + Vite setup and making it work.

The New Feature, Born from a Real Pentest

So, what was this new feature I was building that caused all the chaos?

It started while I was working on a target from HackerOne. I was using my other tool, AAweRT, for recon and realized my thought process has completely changed since building RAWPA. I had 79 subdomains to check. Instead of using an automated tool like Eyewitness, I went through them manually (I know, I like the hassle).

I found interesting endpoints and potential vulnerabilities, but I had no organized way to track them without losing my main train of thought. Then it hit me.

Introducing the Hunter's Board.

It’s a Kanban-style board built directly into RAWPA, designed for the way a pentester thinks. You can create cards for anything: domains, methodologies, findings, reports, code snippets, tools, you name it.

As I was checking those 79 subdomains, I was developing this board. I found an unfiltered search parameter on one endpoint—a bypass of the main UTF-8 filter—and immediately created a card for it, adding the link and my notes. It just… clicked.

The Hunter's Board is now live on the site! You can check it out now.

As a quick update, I've temporarily removed the RAWPA AI and Pentest Orchestrator features. I need to optimize them and fix some backend issues before they're ready for prime time, and I want the user experience to be perfect.

Did I mention I have exams in two days? Ugh. I’ll try to post a couple more updates before I go dark for studying.

Until next time, remember that RAWPA is a community project. If you have ideas, feedback, or want to contribute, use the "Contribute" feature on the site or connect with me on LinkedIn. Check out the project at https://rawpa.vercel.app/.

The brain is just getting started.

Written by kuwguap | From Big dreams to reality
Published by HackerNoon on 2025/07/07
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy