ProductsHall of FameProjectsBlogContact

Security research & writeups

Bug-bounty writeups, VAPT methodology deep-dives and notes from the field by Abhishek Bhaskar (Abhi HackZ).

API

The API Security Checklist I Run on Every Engagement

Broken object-level auth, mass assignment, GraphQL introspection and the rest — the OWASP API Top 10, the way I actually test it.

Jan 28, 2026 · 8 min · read →
Web

Finding Business Logic Flaws Scanners Always Miss

The high-impact bugs that look like perfectly valid requests — why automation can't see them and how I hunt them by hand.

Jan 24, 2026 · 7 min · read →
Bug Bounty

Chaining an IDOR into Full Account Takeover

How a low-severity IDOR escalated into full account takeover by following the data instead of stopping at the first anomaly.

Jan 20, 2026 · 6 min · read →
Mobile

Android App Pentesting: From APK to Real Findings

A MASVS-mapped methodology for taking an Android app from a downloaded APK to a report full of proven findings.

Jan 16, 2026 · 8 min · read →
AI

Prompt Injection in Agentic Workflows

How tool-calling AI agents leak data and take unintended actions — a practical model of indirect injection and how to test for it.

Jan 10, 2026 · 9 min · read →
Web

Proof, Not Guesses: Why I Built SentryScan

The false-positive tax, and why a finding should be actively proven before it ever reaches your report.

Jan 05, 2026 · 6 min · read →
Recon

Building a Recon Pipeline That Scales

From ASN seeding to live-change triage — the four-stage methodology behind my open-source recon automation.

Dec 28, 2025 · 8 min · read →