Reported critical vulnerabilities in multiple corporate web applications.
Developed and published multiple original tools focused on Android and web application security testing.
Covered topics like Broken Access Control, Injection Vulnerabilities, and Business Logic Flaws.
A detailed write-up on how I discovered and exploited a vulnerability to access my college's internal panel without needing any credentials.
A write-up on how a single unauthorized request exploiting Insecure Direct Object Reference (IDOR) allowed me to take control of the comment section on the GFG platform.
A powerful search tool by Biscuit to uncover sensitive files, login panels, and vulnerable parameters using curated Google dorks.
A one-stop script to set up essential bug bounty tools instantly. Simplifies your recon and automation setup in a single run.
View on GitHubA lightweight tool to extract and display exported components from Android apps, helping identify exposed activities, services, and receivers for security analysis.
View on GitHub
A quick walkthrough on how JS recon uncovered an HTML injection vulnerability for potential exploitation.
A case study on how a vulnerability in a hospital system led to unauthorized access and exposure of sensitive patient information.
A curated list of 30 essential books covering ethical hacking, web security, networking, malware analysis, and more for all skill levels.
A curated list of the best YouTube channels to learn ethical hacking, bug bounty, and cybersecurity from experts around the world.
Detailed writeup on identifying and exploiting IDOR vulnerabilities with mitigation strategies.
Read DocumentationGuide to identifying and exploiting common WordPress issues like vulnerable plugins, weak admin panels, and misconfigurations with remediation tips.
Read DocumentationShort guide on exploiting GraphQL flaws like introspection, unauthorized access, and data leaks, with tips for secure implementation.
Read DocumentationComplete guide to using Burp Suite for web application security testing.
Read DocumentationA handpicked list of browser extensions that enhance productivity, automation, and reconnaissance during bug bounty hunting.
Read Documentation
Discovered multiple issues in Supabase APIs and business logic, including lack of rate limiting and input handling flaws. These findings allowed abuse of user invitation flow and potential phishing vectors.
Reported multiple issues in Zerodha's Android apps and website, targeting business logic and security misconfigurations. Findings affected core functionalities and exposed potential risks to user privacy and app integrity.
Improper validation in social media link fields allowed insertion of arbitrary URLs instead of usernames. This business logic flaw enabled user tracking and privacy violations through redirection to external tracking domains.
Discovered an IDOR vulnerability in the email update functionality, where changing the user ID in the request exposed other user's email addresses without proper authorization checks.
