Back to portfolio

MRKNIGHT-NIDU

Nidal Khan

Penetration Tester | BugBounty hunter | Application Security Researcher

Web & API Security - Vulnerability Research - Responsible Disclosure

Pakistan nidumrknight@gmail.com LinkedIn GitHub Bugcrowd HackRate
3+Years in offensive security
3Published CVEs
30+Public acknowledgments
4Upstream security fixes

Professional Profile

Independent penetration tester and security researcher with 3+ years of hands-on experience identifying, validating, and responsibly disclosing vulnerabilities in web applications, APIs, authentication systems, multi-tenant platforms, and open-source software. Published researcher credited on three CVEs, including two high-severity Daytona findings, and author of an accepted security-hardening contribution to Google Protocol Buffers. Experienced across the full assessment lifecycle: reconnaissance, manual exploitation, impact analysis, proof-of-concept development, technical reporting, remediation guidance, and fix verification.

Core Competencies

Application Security

Web application penetration testing, API security testing, OWASP Top 10, business-logic abuse, multi-tenant authorization, secure code review.

Identity & Access

Authentication and authorization testing, OAuth/OIDC, JWT, session management, IDOR/BOLA, privilege escalation, account takeover.

Vulnerability Classes

RCE, SSRF, XSS, CSRF, request smuggling, path traversal, subdomain takeover, cache-related authorization flaws, sensitive data exposure.

Tooling

Burp Suite, Nmap, Metasploit, Nuclei, Subfinder, httpx, Katana, Git/GitHub, Docker, Podman, Linux.

Programming

Python, Bash, and Go for reconnaissance automation, proof-of-concept development, data processing, and security workflow tooling.

Reporting

Reproducible proof of concept, CVSS-informed risk communication, remediation recommendations, coordinated disclosure, and retesting.

Professional Experience

Independent Security Researcher & Bug Bounty Hunter

Self-employed | Remote

2022 - Present

  • Conduct independent vulnerability research across public and private disclosure programs, with reported findings spanning web applications, APIs, open-source packages, and multi-tenant SaaS platforms.
  • Published three CVEs covering cross-site request forgery, stale authorization state, and cross-organization broken access control; two findings received High severity ratings.
  • Discovered authentication and authorization weaknesses in Descope projects, including account-takeover risk, cross-project JWKS cache confusion, unverified-email migration, and sensitive logging issues.
  • Earned recognition from 10+ public Hall of Fame and responsible-disclosure programs, including Check Point, Mercedes-Benz, SURF, Achmea, BASF, IBD, and movieXchange.
  • Create clear reproduction steps, impact demonstrations, root-cause analysis, remediation guidance, and follow-up verification for engineering and security teams.

Freelance Penetration Tester

Contract engagements | Remote

2023 - Present

  • Perform scoped web application, API, and infrastructure assessments focused on exploitable risk rather than scanner-only output.
  • Test authentication flows, access-control boundaries, session handling, input validation, exposed services, and common deployment weaknesses.
  • Deliver prioritized findings with practical remediation guidance and communicate technical risk in language suitable for developers and stakeholders.

Education & Professional Development

Self-directed Offensive Security Study

Hack The Box, TryHackMe, independent labs, and real-world disclosure programs

2022 - Present

Continuous hands-on development in web application security, API testing, exploitation, reconnaissance automation, vulnerability research, and technical reporting.

Secondary Education

Completed Grade 12

Selected Vulnerability Research & Evidence

CVE-2026-54322 - Cross-organization IDOR in Daytona

High | CVSS 7.7

Identified cross-tenant authorization failure in organization role update and delete operations. An owner of one organization could modify or remove roles belonging to another organization when the target role identifier was known. Fixed in Daytona v0.185.0.

CVE-2026-54321 - Stale authorization state in Daytona previews

High | CVSS 7.0

Reported a visibility-cache invalidation flaw that could leave previously public sandbox previews reachable without authentication after being switched to private. Fixed in Daytona v0.184.0.

Open-source Security Engineering & Evidence

Google Protocol Buffers - Archive path security hardening

Public report, reproduction steps, upstream patch, maintainer approval, and integrated fix

2026

  • Identified inconsistent handling of parent-directory components between WriteAllToDisk() and WriteAllToZip(), allowing archive entries such as ../../PWNED.txt.
  • Authored the upstream patch and revised it after review; the contribution was approved and integrated into the Protocol Buffers codebase through Google's Copybara workflow.

Descope WordPress - Authentication bypass and privilege escalation

Identity trust, dynamic-field abuse, sensitive meta keys, and missing capability checks

2026

Reported an account-takeover path caused by trusting client-supplied identity data and additional authorization weaknesses in administrative AJAX actions; re-tested the remediations in the public fix thread.

Descope PHP SDK - Cross-project JWKS cache confusion

Project-scoped key caching and researcher verification

2026

Reported cache isolation weaknesses that could allow signing keys from one project to influence token validation in another project; reviewed and verified the project-scoped remediation.

Descope Auth0 migration - Email verification and PII logging

Security report, merged patch, re-test, and maintainer feedback

2026

Reported migration logic that marked unverified Auth0 users as verified and error logging that exposed full user objects; re-tested both issues after the fix was merged.

Verified Professional Feedback

"Thanks @mrknight-n1du for the responsible disclosure process; please continue submitting quality reports!"

Descope maintainer Public feedback following remediation and re-testing View source thread

For additional company recommendations and endorsements, view the LinkedIn recommendations section.

Certifications

Selected Recognition

Check Point (2025) | Mercedes-Benz | SURF | Achmea | BASF | Informatiebeveiligingsdienst (IBD) | movieXchange | ActivTrak | Clear.bio | DataRag | and additional responsible-disclosure programs.