After a long day of trying and failing to find vulnerabilities on the Verizon Media bug bounty program I decided to call it quits and do some chores. I needed to buy gifts for a friends birthday and went online to order a Starbucks gift card.

👋 Hi, I’m Mehboob Khan, a Computer Science & Engineering graduate (2023). I’m obsessed with understanding how technology ticks and love bypassing logic to uncover hidden vulnerabilities. 🔍💻 As a…

What Is GraphQL API and how does it work? This article explains the common vulnerabilities and attacks on this type of system and security tips to secure APIs.

Time-Based Blind SQL Injection In GraphQL

The “sortc” parameter in the https://t.co/NrK100JSe5 endpoint was vulnerable to a SQL injection.

1) Login to the website.
2) Intercept the following request:
3) In the request body, add “OR SLEEP(20)” in sortc…

For the past few years, security research has been something I’ve done in my spare time. I know there are people that make a living off of bug bounty programs, but I’ve personally just spent a few hours here and there whenever I feel like it.

Millions of Americans can have their data stolen right now because of a deficiency in Google’s “Sign in with Google” authentication flow. If you’ve worked for a startup in the past - especially one that has since shut down - you might be vulnerable.