Binit Ghimire
Read what Binit writes @ WHOISpublish!

Read what Binit writes @ WHOISpublish!

Blog Author Picture

Binit Ghimire

Hi! I am a Tech Enthusiastic full-stack web developer, programmer and web/network penetration tester from Nepal.

Subscribe to my newsletter and never miss my upcoming articles

postMessage XSS Write-up | null Ahmedabad Meet, April 2021

Apr 18, 20212 min read 21 views

Exploiting the postMessage() method to achieve XSS in a challenge!

postMessage XSS Write-up | null Ahmedabad Meet, April 2021

Dangling DNS Records on surf-test.xwf.internet.org (Amazon EC2)!

Mar 10, 20216 min read 126 views

The "surf-test.xwf.internet.org" subdomain was pointing to a AWS EC2 hostname that the Internet.org team had removed, making it susceptible to hijacking. Summarizing the vulnerability When I was looking for Dangling DNS records across the assets of m...

Dangling DNS Records on surf-test.xwf.internet.org (Amazon EC2)!

Sub-domain Takeover on api.techprep.fb.com (AWS Elastic Beanstalk)!

Feb 16, 20214 min read 220 views

It was possible to claim the api.techprep.fb.com subdomain by registering the techprep-backend service on AWS Elastic Beanstalk. Some of the text presented here is an excerpt from my original vulnerability report to Facebook, so the sentences being i...

Sub-domain Takeover on api.techprep.fb.com (AWS Elastic Beanstalk)!

NepHack Online CTF June 2020 Write-up

Jun 13, 202026 min read 9 views

Find out how I was able to solve the NepHack Healthcare CTF 2020 and become the fourth solver during this special edition of NepHack Online CTF!

NepHack Online CTF June 2020 Write-up

Adding anyone including non-friend and blocked people as co-host in personal event!

Jan 28, 20206 min read 3 views

This IDOR vulnerability in the Facebook Events platform allowed an attacker profile to add anyone as co-host in his/her personal event including non-friends, non-friends-of-friends and people who have blocked him/her. Summarizing the vulnerability Wh...

Adding anyone including non-friend and blocked people as co-host in personal event!

Creating unauthorized comments on Facebook Live Stream!

Nov 15, 20183 min read 4 views

This vulnerability could have let a malicious Facebook user to add a comment on any live stream even if it has a friends only privacy. The comment text was limited to a given set of quick comments. Summarizing the overall story Everything started ou...

Creating unauthorized comments on Facebook Live Stream!