Shopify: Remote Code Execution · July 16, 2015 · Remote Code Execution Shopify

HackerOne Vulnerability: Common Response Title Leak through Triggers · October 15, 2014 · Elevation of Privilege HackerOne Insecure Direct Object Reference

Facebook MailChimp Application OAuth 2.0 Misconfiguration · August 8, 2014 · Facebook OAuth MailChimp

Facebook FriendFeed Stored XSS · August 8, 2014 · XSS Facebook API FriendFeed

Flipkart.com - Elevation of Privilege · March 27, 2014 · Elevation of Privilege Flipkart Insecure Direct Object Reference

SSRF/XSPA in MailChimp · February 18, 2014 · OAuth MailChimp SSRF/XSPA

PayPal CSRF aids in account takeover! · September 21, 2013 · CSRF PayPal

Triggering an unexploitable DOM-based XSS in Rediff Blogs automagically · June 29, 2013 · XSS Rediff DOM

Pwning Facebook accounts, taking a little help from Quora · June 14, 2013 · Open Redirect Facebook Quora OAuth

Flash-based XSS Mayhem: Most Security Solution Vendors Vulnerable · June 7, 2013 · XSS Flash

Dropbox for Business Mailing List Unsubscribe Users (Permission Issue) · May 22, 2013 · Dropbox Elevation of Privilege

Dropbox Team Website Open Redirection · May 17, 2013 · Open Redirect Dropbox

Google Website Translator (Add Editor) CSRF and Google Tasks Clickjacking · May 5, 2013 · Clickjacking Google VRP CSRF

File Upload Bug in PayPal's BillMeLater · March 13, 2013 · PayPal File Upload Vulnerability BillMeLater

Facebook Whitehat Vulnerability for 2013: Open Redirection in Facebook Mobile · February 22, 2013 · Open Redirect Facebook