Security research & writeups
Bug-bounty writeups, VAPT methodology deep-dives and notes from the field by Abhishek Bhaskar (Abhi HackZ).
The API Security Checklist I Run on Every Engagement
Broken object-level auth, mass assignment, GraphQL introspection and the rest — the OWASP API Top 10, the way I actually test it.
Finding Business Logic Flaws Scanners Always Miss
The high-impact bugs that look like perfectly valid requests — why automation can't see them and how I hunt them by hand.
Chaining an IDOR into Full Account Takeover
How a low-severity IDOR escalated into full account takeover by following the data instead of stopping at the first anomaly.
Android App Pentesting: From APK to Real Findings
A MASVS-mapped methodology for taking an Android app from a downloaded APK to a report full of proven findings.
Prompt Injection in Agentic Workflows
How tool-calling AI agents leak data and take unintended actions — a practical model of indirect injection and how to test for it.
Proof, Not Guesses: Why I Built SentryScan
The false-positive tax, and why a finding should be actively proven before it ever reaches your report.
Building a Recon Pipeline That Scales
From ASN seeding to live-change triage — the four-stage methodology behind my open-source recon automation.