Blog

Things I have written about security, networks, and systems.

Buying Rekhta Tickets Worth INR 1499 for Free

How I found a critical parameter tampering vulnerability in Jashn-e-Rekhta's payment flow - where the backend blindly trusted the frontend.

security bug-bounty web-security parameter-tampering

Apr 07, 2025 3 min

I Reverse-Engineered a Live Phishing Operation Targeting My University

A credential harvesting campaign hit LPU from the inside. I traced the kill chain, broke into the attacker's Telegram C2, and found hundreds of compromised accounts.

security phishing incident-response threat-hunting

Mar 25, 2025 2 min

How I Found a Secret Backdoor to a University's News Feed

A broken access control vulnerability in a university's API let anyone create, edit, or delete official press releases. No auth required. CVSS 9.6.

security bug-bounty broken-access-control API-security

Jan 07, 2025 2 min