Real Name: Nidal Khan

About Me

I’m Nidal Khan, known online as MRKNIGHT-NIDU — a Pakistan-based security researcher, bug bounty hunter, and penetration tester with more than 3 years of hands-on experience in offensive security, vulnerability research, and responsible disclosure.

I focus on web applications, APIs, authentication systems, multi-tenant platforms, AI attack surfaces, and open-source software. My research includes RCE, broken access control, IDOR, authentication bypass, CSRF, XSS, SSRF, HTTP request smuggling, subdomain takeover, path traversal, prompt injection, and sensitive-data exposure.

My public research includes CVE-2026-46620, CVE-2026-54321, and CVE-2026-54322. I have responsibly disclosed security issues to organizations and programs including Binalyze, Hackerate, Amsterdam, Translated, Descope, Daytona, e107, Bambu Lab, and others, earning multiple public acknowledgments and Hall of Fame entries.

I hold the CWSE, CAPT, TryHackMe Junior Penetration Tester, and CEH certifications. I use tools and technologies such as Burp Suite, Python, Bash, Go, Kali Linux, OSINT, recon automation, API testing, OAuth testing, network security, and CVE research to turn technical findings into clear, reproducible, impact-focused reports.

3+ Years in Security
3 Credited CVEs
Multiple Hall of Fame Entries
Critical Impact Findings
scroll to explore ↓

MrKnightNidu

security researcher

click to remember
re-entering simulation
_ archive decrypted — displaying recovered records
further transmissions
realms secured
skill matrix
certifications
hall of fame
— and many more —
github contributions

Reported a path-traversal gap: WriteAllToZip() lacked the same .. guard already present in WriteAllToDisk(), letting a plugin emit zip/jar/srcjar archives containing traversal entries like ../../PWNED.txt. PR approved by @esrauchg on Apr 30, CLA satisfied, then closed by copybara-service[bot] on May 6 after internalizing the change into Google's internal monorepo — Google's standard process for landing external contributions, effectively a merge. The fix is live on main as of commit 28bef98.

BOUNTY $500
critical

Account takeover — user identity (email) was still sourced from client POST data instead of the validated token.

medium

Denylist for sensitive meta keys could miss keys; email should also be validated against token claims.

JWKS cache confusion in the Descope PHP SDK — a cross-project authentication bypass caused by cached signing keys not being scoped per project.

Respect email_verified during password migration, and redact PII from logs.

medium

Duplicate error message logged twice.

total bounty across Descope findings: $2,000
anomalies logged // cve

CSRF in e107 CMS allowed an attacker to trick a logged-in admin into deleting or approving comments without their knowledge, just by getting them to visit a malicious page. Affected all versions up to 2.3.4, reported responsibly, patched in v2.3.5.

CVE-2026-54321 auth bypass

Authentication bypass in Daytona — public sandbox previews could remain accessible without authentication for up to an hour after being switched to private, due to a stale visibility-state cache. Fixed in v0.184.0.

High-severity cross-organization IDOR in Daytona — any organization owner could modify or delete roles belonging to other organizations, leading to privilege escalation and broken access control across tenants. Fixed in v0.185.0.