Hi, I am Vikrant. I am a software developer and vulnerability researcher from India. I provide freelance development services to the companies. Along with that, I also do bug bounty hunting and vulnerability research. Some of the bug bounty programs I have reported vulnerabilities to includes Flickr, Coda, JFrog, Acronis, FanDuel, Smartsheet, CoinSpot, Harvest and many more.
Contact Me
- PGP:
5881 D9F2 A01D D7DA F698 8B4F FE4E F87D E603 A2BB - Email: vi [at] hackberry [dot] xyz
- Discord / Twitter / Youtube / LinkedIn / Keybase
Vulnerability Research
- CVE-2021-21705: SSRF Bypass in PHP 8
- CVE-2021-27902: Stored XSS in CraftCMS
- CVE-2021-27903: Code Execution via SSTI in CraftCMS
- CVE-2021-3603: Function injection vulnerability in PHPMailer
- Function Injection Vulnerability in Laravel
- URL validation check bypass in Laravel
- Acronis: Account Takeover on unverified emails in File Sync & Share
- Coda: Unrestricted access to any “connected pack” on docs
- Open Redirect in Flattr
- Cross-site Scripting (XSS) - Stored in OctoberCMS
- Code Execution using Reflected Cross Site Scripting in TagSpaces
- Cross-site Scripting (XSS) - Reflected in TagSpaces
- Relative Path Traversal in Flarum
- Site wide stored XSS via CSTI (Authenticated) in Monica CRM
- Stored XSS (Authenticated) via Unrestricted file upload in Monica CRM
- Stored XSS (Authenticated) via Unvalidated Input in Monica CRM
- Cross-site Scripting (XSS) - Stored in Mautic
Open Source Projects
- takeover.py – A script to detect availability of host for service takeover from a big list of hosts
- Whack – Whack is a makefile to scrape wordlists from package managers, plugin databases and other known sources.
- webdetect – Detects technologies of a web page using Wappalyzer in a headless browser.