Ananda Dhakal (@dhakal_ananda)'s Twitter Profile
Ananda Dhakal

@dhakal_ananda

Vulnerability Researcher @patchstackapp | Brand Ambassador @Hacker0x01 | Blogs: dhakal-ananda.com.np 🇳🇵

ID: 1045642988859379715

Link: http://hackerone.com/dhakal_ananda | Joined: 28-09-2018 11:54:50

2,2K Tweets

10,10K Followers

633 Following

Ananda Dhakal (@dhakal_ananda):

The journey of TeamNepal 🇳🇵comes to an end for the AWC-2024. Had a fun time hacking together with the team for almost a whole year. Excited for the next edition of the competition. We will come back stronger 💪

Ananda Dhakal (@dhakal_ananda):

🚨Call for Bug Bounty Hunters in Nepal🚨 We are hosting the first-ever Live Hacking Meetup for Nepal's bug bounty hunters. Join us for exciting hacking and collaboration from May 10th to May 17th!! DM me for the Discord server invitation. h1.community/events/details…

Ananda Dhakal (@dhakal_ananda):

I will be talking at SteelCon on the topic "Hacking Stripe Integrations to Bypass E-Commerce Payments". Really excited to talk about the cool yet simple findings I uncovered recently ;)

SteelCon (@steel_con):

We have a list of all our speakers and workshops who have confirmed so far up on our site: steelcon.info/the-event/talk… steelcon.info/the-event/work… If any of these excite you (they excite us) then the last ticket drop will be this Friday, May 2nd. ti.to/steelcon/2025

Ananda Dhakal (@dhakal_ananda):

Challenge time: Can you access /secret? I missed a privilege escalation in a BBP, not being aware of that quirk. I came back to the codebase a year later and saw a commit. The fix commit made me realize there was a vuln and it was possible to do such stuff. Tough lesson!

Ananda Dhakal (@dhakal_ananda):

The intended solution for this challenge is /Secret. Express route is case-insensitive by default. We had an unintended solution as well: GET http://HOST/secret HTTP/1.1 Even such a seemingly simple app has so many small details under the hood. This is why I love hacking!
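An added example, not code from the tweet or the challenge app, modelling the quirk in plain Node: a gate that string-compares the request path sits in front of an Express-style case-insensitive router, beside a version that binds the authorization check to the matched route and routes case-sensitively. The two-route table and the function names are assumed for illustration.

```javascript
// Added example (not the challenge's code): why a path-string authorization
// check can be bypassed when the router matches case-insensitively, which is
// Express's default ('case sensitive routing' is off unless enabled).
const routes = [
  { pattern: '/secret', handler: () => 'secret contents' },
  { pattern: '/', handler: () => 'home' },
];

// Express-style matching: whole-path regex with an optional trailing slash.
// The 'i' flag mirrors Express's default; the hardened router drops it.
function matchRoute(path, caseSensitive) {
  const flags = caseSensitive ? '' : 'i';
  return routes.find((r) => {
    const escaped = r.pattern.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    return new RegExp('^' + escaped + '/?$', flags).test(path);
  });
}

// Vulnerable: a gate that compares the raw path string, in front of a
// case-insensitive router. '/Secret' is not '/secret' for the gate, yet the
// router still dispatches it to the /secret handler.
function vulnerableDecision(path, isAdmin) {
  if (path === '/secret' && !isAdmin) return { status: 403 };
  const route = matchRoute(path, false);
  return route ? { status: 200, body: route.handler() } : { status: 404 };
}

// Hardened: authorization is keyed on the route the router actually matched
// (so any spelling that reaches the handler is checked), and routing is
// case-sensitive so '/Secret' is simply not a route at all.
const protectedPatterns = new Set(['/secret']);
function hardenedDecision(path, isAdmin) {
  const route = matchRoute(path, true);
  if (!route) return { status: 404 };
  if (protectedPatterns.has(route.pattern) && !isAdmin) return { status: 403 };
  return { status: 200, body: route.handler() };
}
```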

Ananda Dhakal (@dhakal_ananda):

Just published an article on full walkthrough of unauth admin account creation on Eventin WordPress plugin. Kudos to Patchstack Alliance member for discovering it. Give it a read to understand a bit about WordPress REST API ;) patchstack.com/articles/criti…

Ananda Dhakal (@dhakal_ananda):

We just wrapped up our first open-for-all bug bounty event. Lots of hacking, collabing, networking. We also did live interviews of the AWC members and some of the best bug hunters of Nepal. Huge thanks to HackerOne and Cedar Gate Technologies for the sponsorship. #togetherwehitharder

Ananda Dhakal (@dhakal_ananda):

Just attended the workshop by SinSinology on .NET Exploitation and gotta admit it was really awesome🔥 The depth he went to explain the concepts was really amazing! Maybe I'll take the training someday :P

Ananda Dhakal (@dhakal_ananda):

The harder the configuration, the more the bugs. I used to give up when something was very annoying to setup, but it attracts me more now. Apparently, almost everyone avoids those, which leads to really simple yet impactful findings :P

Uranium238 (@uraniumhacker):

Every critical I find in major corp has been through the most obscure feature that is annoying as hell to setup. It never ceases to give.

Ananda Dhakal (@dhakal_ananda):

Published an article with full analysis of a subscriber+ account takeover on Password Policy Manager plugin found by Rafie M. Give it a read! patchstack.com/articles/accou…

Ananda Dhakal (@dhakal_ananda):

Found the most beautiful payment bypass of my hacking payment-integrations streak. Chained multiple small leads to land that perfect bypass. I would love to do a writeup about this if the program allows, which is tough but I will give it a shot. #bugbounty

Ananda Dhakal (@dhakal_ananda):

Just published an in-depth walkthrough of an unauthenticated SQLi and arbitrary file read on WP Job Portal plugin. Kudos to LVT-tholv2k for discovering it. Check it out! patchstack.com/articles/multi…

Ananda Dhakal (@dhakal_ananda):

Revamped my personal site after procrastinating for months and finally started drafting the upcoming blog post, hopefully it will be out next week. Might as well publish SteelCon slides around that time ;) Stay tuned 💪 dhakal-ananda.com.np