While testing the iOS app of the target application, I found an XXE vulnerability, for which I'm going to share the writeup. I have wanted to publish this for a long time, but was only waiting for the disclosure. …


During one of the Red Team engagements, I got a chance to pentest a Biometric attendance device which was often used by the client to mark the attendance and to restrict access to specific rooms.

I did not pop any zero days here, but in fact the device was poorly…


Most security vulnerabilities arise within the integration part due to the incorrect implementation of third-party services. Third-party OAuth provider integrations are often left misconfigured by developers, which may lead to a bigger security impact such as account takeover.

While working on a bug bounty program, I…


While working on a pentest engagement, I found an interesting IDOR (Insecure Direct Object Reference) bypass using parameter pollution (a much overlooked test case). I was looking for IDOR vulnerabilities within the REST API of the target application. Unfortunately, none of the endpoints were found to be vulnerable to…

Gaurang Bhatnagar
