Hi, I'm Rohit 👋
Cybersecurity researcher and backend engineer. I hunt bugs, build secure systems, and share what I find. Currently pursuing OSCP.
About

I'm Rohit (Dedrknex), a cybersecurity enthusiast, backend developer, and active bug bounty hunter. I've reported real-world vulnerabilities including IDOR exposing 6.4M users, broken access control in SaaS platforms, image upload bypass chains leading to RCE, and HTTP desync exploits, all documented in my Medium writeups. On the backend, my stack is Node.js, NestJS, Express, and Prisma, with PostgreSQL and MongoDB as my primary databases. I hold a B.Tech in Computer Science, actively solve machines on Hack The Box and TryHackMe, and maintain 41+ public repositories on GitHub. Currently focused on deepening my offensive security skills toward the OSCP certification.

Skills

Linux
Bash
Burp Suite
Wireshark
Nmap
Docker
Kubernetes
TypeScript
JavaScript
Python
Go
Java
C++
PHP
React
Next.js
Node.js
NestJS
ExpressJS
GraphQL
Hono
Bun
RESTful API Design
Authentication (JWT, OAuth)
PostgreSQL
MySQL
MongoDB
SQLite
Prisma
Redis
Vulnerability Assessment
Bug Bounty Hunting
OWASP Top 10
CTF Challenges
Penetration Testing
Recon & OSINT
Git & GitHub
CI/CD
AWS
Nginx
Jenkins

My Projects

Check out my latest work

I've worked on a variety of projects, from simple websites to complex web applications. Here are a few of my favorites.

Social Media Microservice

A lightweight microservice built with Node.js and Express for social media platforms. Incorporates CORS, Helmet for HTTP header security, Morgan for logging, and Express Rate Limit to mitigate abuse. Focused on backend structure, security, and clean API design.

Node.js
Express.js
CORS
Helmet
Morgan
Express Rate Limit
REST API

Secure Cookie-Based Authentication API

A production-grade NestJS authentication backend using HTTP-only cookies. Implements CORS, CSRF protection, rate limiting, input validation via DTOs, and secure cookie flags. Follows modular architecture and backend security best practices.

NestJS
TypeScript
Cookie-based Auth
CSRF Protection
Rate Limiting
Helmet
DTO Validation
CORS
PostgreSQL
Prisma

Secure File Upload API

A NestJS backend service enabling secure file uploads with full CRUD operations. Protected with Helmet, CORS, file type and size validation, and storage handling. Built for systems requiring scalable and secure file management.

NestJS
TypeScript
Multer
PostgreSQL
Prisma
Helmet
CORS
Rate Limiter
Validation Pipe

GitHub Scraper

A Python-based GitHub scraper for passive reconnaissance and OSINT that collects public repository data, user metadata, and code patterns. Useful for bug bounty recon and security research.

Python
Requests
BeautifulSoup
GitHub API
OSINT

Cybersecurity & Backend

I like building secure systems

During my time in university, instead of attending hackathons, I focused on building real-world applications and security tools. I enjoy learning by breaking, building, and fixing things, a mindset that has helped me deeply understand how systems work, both from a development and cybersecurity perspective. This hands-on approach led me to participate in various bug bounty programs and solve vulnerable machines on platforms like TryHackMe and Hack The Box, sharpening my skills in ethical hacking and secure coding.

  • Bug Bounty Hunter

    Bugcrowd · HackerOne · Self Hosted · VDP

    200+ accepted vulnerability reports across Bugcrowd, HackerOne, and VDPs with consistent acceptance rates across high and medium severity findings. Recognized in multiple Halls of Fame, including Bugcrowd's CertIn government-recognized program, for IDOR and Broken Access Control disclosures. Key findings: OAuth 2FA bypass (Google OAuth silently skipping 2FA verification), Stored XSS, Account Takeover, IDOR leaking PII for 6.4M users, HTML injection causing zombie access control states, and Broken Access Control via export endpoints. Write structured triage reports, deliver PoC scripts, and follow the full responsible disclosure lifecycle with vendor security teams.
  • Application Security Practice

    Hack The Box · TryHackMe · Medium

    Solving real-world vulnerable machines on Hack The Box and TryHackMe, focused on web exploitation, authentication bypass, and privilege escalation. Published technical writeups on Medium covering reconnaissance, endpoint discovery, OAuth security, and vulnerability analysis. Advanced JavaScript file analysis, hidden API discovery, and authentication flow mapping using both manual and automated techniques. Currently working toward OSCP certification.
  • Backend Development

    GitHub

    My primary stack is Node.js, NestJS, Express, and Prisma. I've built production-grade APIs with cookie-based auth, CSRF protection, rate limiting, and role-based access control. I maintain 41+ public repositories covering everything from microservices to authentication systems.
  • Databases

    GitHub

    Experienced with PostgreSQL, MySQL, MongoDB, SQLite, and Redis. Comfortable with relational and NoSQL data modeling, query optimization, indexing, transactions, and security-aware data validation.
  • Networking & Systems

    Self-Learning / Labs

    Strong networking fundamentals from cybersecurity practice: TCP/IP, OSI layers, DNS, HTTP/S, firewalls, and VPNs. Extensive Linux experience across Kali, Ubuntu, and Debian environments. Comfortable with system internals, process exploitation, and lab environment setup for offensive security testing.
  • Languages & Tools

    GitHub

    41+ public repositories across JavaScript, TypeScript, Python, and Bash. Frontend experience with React and Next.js. Backend expertise with NestJS and Express. Security tooling built in Python. I combine development and security skills to build things that are useful and safe.

Contact

Get in Touch

Want to chat? Just shoot me a DM with a direct question on Twitter and I'll respond whenever I can. I will ignore all soliciting.