Pin It



Rafay Baloch is the founder and CEO of RHA InfoSec, He has been into security research for more than 6 years now, He core area of expertise include Network Security and Web Application Penetration Testing, and author of "Ethical hacking and penetration testing guide". He is specialiseds in finding security vulnerabilities in Web application and frameworks and browsers, bypassing web application firewalls, HTML 5 attack vectors and breaking filters of modern web-browsers.

He has helped securing lots of organization and has done hundreds of responsible disclosures. he is best known for finding a remote code execution vulnerability inside PayPal for which he was awarded 10,000$ and also was offered a job by PayPal, Rafay is an active participant is bug bounty programs and is listed in large number of hall of fames including Google, Facebook Microsoft, Twitter, Dropbox etc.


Following are some of my publications:

 Modern Day Web Application Firewall Bypass

HTML5 Modern Day Attack And Defence Vectors

Ethical Hacking And Penetration Testing Guide

Hall Of Fames

Google Hall Of Fame

Microsoft Security Researchers Award Microsoft (August) (October) (November)

Ebay Responsible Disclosure Page 

Ebay Reported an XSS in Ebay, bypassed their security filters to make the vulnerability work:

Adobe Security Acknowledgments 

“Adobe would like to thank the following individuals and organizations for reporting a security vulnerability or vulnerabilities in an Adobe online service, and for working with Adobe to help protect our customers.”

Acknowledged By RedHat And Twitter Found a Non-Persistent XSS: Twitter WhiteHat:

Apple's Responsible Disclosure Page:

Dropbox Hall Of Fame (Reported Oauth CSRF):

Zynga Whitehat (Got listed for reporting an XSS and a sqli)

Constant Contact Responsible Disclosures Page:

OwnCloud And Tuneti Hall-of-Fame: Tuneti Hall-of-Fame:

Acquia's Reponsible Disclosure Page:

ifixit Responsible Disclosure Page:

Github Responsible Disclosure Page:

Nokia Simens Hall Of Fame:

37Signals Security Fame:

Mahara Responsible Dislcosures List:

SoundCloud Responsible Disclosure List:

Reported few Self-XSS and finally a CSRF to get listed: Gallery Bounties 

EngineYard HallOfFame:

Kaneva Hall Of Fame:

Twilio Responsible Disclosure:

Get Harmony Responsible Disclosure:

Gitlab Vulnerability Acknowledgements: 

Netfix Responsbile Disclosure:

Nokia HallOf Fame:

Baracuda Labs Hall Of Fame

LastPass Security Hall Of Fame 

 Reported a Stored Cross Site Scripting (XSS) vulnerability under their Core products:

Acknowledgment By Eset Nod32 Antivirus Company:

Acknowledged By Avira

Acknowledgement By MEDIAFIRE

Acknowledgement By LAVASOFT

Acknowledged By National Bank Of Pakistan

Paypal's Job Offer

Internet Magazine


An Interview With EHN:

A detailed interview with Infinityloopers:

Inside NewsPapers

Tribune NewsPaper:

 “This was a basic-level attack,” said Rafay Baloch, a professional white hat who recently bagged $10,000 in Paypal’s bug bounty programme after exposing a critical vulnerability in the website. However, he said it is believed across many online forums that PKNIC is also vulnerable to SQL injection – the most powerful cyber attack, according to Open Web Application Security Project (OWASP). OWASP is the world’s largest organisation in terms of web application security and penetration testing. Through SQL injection, the hacker can extract the entire database from the target website, Baloch said.  

Brecorder News

ISLAMABAD: Rafay Baloch, an independent security researcher from Karachi, has been rewarded with $5,000 for reporting a remote command execution bug in the PayPal's website. According to details, the PayPal had announced that this reward initiative for those researchers who would report about the existence of a bug and its subsequent remote command execution, Technology Times Reported. 

Times Of India:

In SoftpediaNews Several Times\ 

Mentions in Other Popular Blogs:

Featured Inside PaulDomCOM


"Pretty neat how you get offered a job if you can find bugs in someone's application. This is a slippery slope, some may get a job, others may get an orange jumpsuit and a cell mate named "bubba", but hey if it's worth the risk to you, go for it. This person is still in college, which is impressive. Less than impressive is just how many flaws are in Paypal. You would think that someone like Paypal would pay close attention to security, but it seems they do not. This makes me want to give up on security entirely, until I remember that I get paid to find vulnerabilities..."

Social Networks

You can connect with me mostly on:

Subscribe to our Newsletter and receive updates directly via email - Get Ethical hacking and security tips directly to your inbox. Alternatively you can Join our Hackers Community on Facebook , Google+ and Twitter .

At RHA Infosec we provide different types of Security Testing from small business sites to Corporate Sites. Click Here to know more about our complete list of services.

Subscribe to RHA

Enjoyed this article?
Subscribe to "Rafay Hacking Articles" and get daily updates in your inbox for free!

Kindly Bookmark it and Share it with Friends:


Azad @ Internet Geeks on September 16, 2010 at 10:58 AM said...

Great bro! you are doing really well. Would you like to join me @ as author. I will promote your ebook at my blog.


Anonymous said...

Where & how can I get your book on ethical hacking?


Gagandeep on September 20, 2010 at 9:56 PM said...

yar mujhe ye batayo ki aap ne adbrite apne blogspot mai kese add kiya ha plz help me yar jab mai adbrite code ko add a gadet mai add karta hu to your add here raha jata hai or kush nyi ata hai yar plz meri help kar do
mera email id hai

Rafay Baloch on September 21, 2010 at 12:02 AM said...

Just visit and complete the payment process to download the book

Ads wont display until an Advertiser buys an ad spot on your blog

Anonymous said...

yar ap ye btao k login.php wala note pad wali file kxy bnti hay?ap nay apni video main jb login.php paste kya ,then u saved that notepad file but ux k baad google chrome k saath jo login wali file hay,wo kxy create hoti hay.plz tell me>

Anonymous said...

Well i have search alot in your site for your email id but i dont get it.Well i just wana seek your advice.
Firstly i want to tell u that i belong to India….yes india.
So u may hav just imagine something about me :)
Again further i wana tell i am just 18 now
I belong to a middle class low family and i just wana persue my career on this field.I think u write awesome but its may be a advance for me or i am just stupid.
I wana settle down in uk for my career.
But for going their i need to have a strong knowledge base
I tried hard but cant get it to know well about your recent articles here
Will u plz give me a full proof advice in deep about how to begin and carry on
And how u have just come to this place.
I am assuiming that at some time u may be like me (may be at time when u are born)
So will u plz sir give a direction to my career and solve my all queries.
I am not sure this comment will be read by u or not or any other one else but if it comes to u plz sir just type something for me from your busy time and mail me
Any other reader of this site can also help me
I will be very thankful for ur kind act

Rafay Baloch on October 9, 2010 at 12:41 AM said...

Well to master any thing you need to learn from basics, thats the same case with Ethical Hacking, Unless you dont know basics you would not be able to Learn It, I also recommend you to read my book on Ethical hacking, it is totally dedicated to beginners

Anonymous said...

yes rafa no body would not tell anything about the ethical hacking we need to discover it own. infact u r doing a great jobs.i need do know abut online money jobs pls reply me

Anonymous said...

Man..ace work..just keep up the great deeds dude...i just love usin' computers and spendin' as much hours as i can surfin' net...i enjoyed ur book it was thumbs up....anywayzz man just let us know some more hackin' tips n tricks.......

Wamiq Ali on November 30, 2010 at 6:24 AM said...

Man you are going quite well! hats off to you!!

Well I wanna show u up my blog so where should i give u link?

Rafay Baloch on November 30, 2010 at 10:01 AM said...

@Wamiq Ali
Thanks, You can give it here through the comment

nawa-i-hazara on December 4, 2010 at 6:39 AM said...

Rafay Baloch, great work, you are (paki ankit fadia). keep it continue. spared knowledge and get knowledge.
can u send me you article.

babar awan

Anonymous said...

hi i have question tht if we are sharing screen through skype then how i can hack other pc how i can enter in his pc plz repli ty

Anonymous said...

i just ask question about hacking while screen sharing i m not in pakistan so i can get ur book.and i m also student of programming languages if u like to help me here's my email account plz repli me.

Anonymous said...

Guys you rock.

David and Won Jung on December 15, 2010 at 11:50 AM said...

Hi Rafay,

you said that you got around 40 visits a day when you just started.
How did you get so much. Did you do any SEO to your blog?

Rafay Baloch on December 15, 2010 at 12:56 PM said...

David I learned Internet marketing and Search engine optimization in order to promote my website

David and Won Jung on December 15, 2010 at 3:10 PM said...


you are really successful for someone who didnt know anything about the topic and you just jumped right in.

I would be interested in reading a post about how you got your blog "out there" and what specific SEO techniques that you would recommend

Rafay Baloch on December 15, 2010 at 11:29 PM said...

David the problem is that I can't write articles related to SEO on this blog because it's related to Ethical Hacking

Anonymous said...

Hi rafay bhai myself nihkil karande frm kolhapur shivaji university.doing in comp sci i also want 2 be z ethical hacker wht can i do 4 it wht is the basics for that proffesion i wnt to protect our country frm outside hackes suggest me sum maxins or rss feeds to learn it plz i wnt to be a master in hacking crcking reply me @
i hope u will help me 4 my bright future. I will lyk 2 job with u.
1 thng is me nd my frnds wnts 2 develop OS.

Anonymous said...

rafay can u help me for the software that can i use to see n disconnect people from my wifi? please help me.

Anonymous said...

i need to hack a hotmail account please email me

Hasan Ali on February 4, 2011 at 3:18 AM said...

Rafay What is the meaning of 40k visitors

Irfan Shakeel on February 13, 2011 at 4:41 AM said...

K means 1000 dude well in actual K represent 1024 .......40k=40,000

Anonymous said...

frend i m umair from faisalabad yaar i belong with a poor family i want to earn money i have a blog but us per koi visitor nhi ata kiya ap mujhe bta sakte ho k mera blog kiss terha ka hona chahiye or is per visitors kaise aa sakte hai plz its my no 0323 6674165
i will ait for your reply plz reply me as soon as possible its reuest i really need your help

Only Gill on March 9, 2011 at 5:15 AM said...

Please tell me in which province of Pakistan you live and in which university you are studying?
I am very thank ful to you

Anonymous said...

Hey Rafay
Where did u know all these stuff
btw which school r u in?

Sujit Ugale on July 11, 2011 at 2:06 AM said...

nice articles
can you help me in increasing my traffic on my blog
please mail me at

Anonymous said...

rafay i read about you.. i am really impressed by you..

you know people take hacking in negative way n think and hacking and hackers are bad but its not..

n hey add me on fb name herry lostn.

Anonymous said...

hey Rafay!
hope u doing well. i really appreciate ur work regarding hacking specially 'ethical hacking'. i just want to ask 'what is difference between hacking and cracking?' plz do tell me.

Rafay Baloch on July 17, 2011 at 3:40 AM said...

This is a very big topic to discuss, I will explain you with an example from the topic Email hacking and cracking, If I say that some one is going to hack in your email, So I would refer to techniques such as phishing, keylogging etc, Now if I would say that some one is going to crack into your email, I would refer to techniques such as bruteforcing, dictionary attack, Usually cracking does not involve any user interaction, where as hacking is usually combined with social engineering to make the attack more devivasting.

ultrapc1 on August 7, 2011 at 6:40 AM said...

Rafay Baloch try disqus comment it will be better for your site :D and check my site too :D

Safwan Patel on August 14, 2011 at 7:44 PM said...

Salam bro need your help i am your very big fan reading your blog since three years ..!! nice collection you'v made but i neva commented but first time some one made me comment on your blog and that is my id hacked if you really wanna help me ( i am genuine) then i can give you id .. where you say as its not good to disclose email id here.. like other fools... !!

hop to hear from you..


BHATTI on August 30, 2011 at 2:41 PM said...


Anonymous said...

Hi Rafay bro!.....i want to hack my girlfriend's facebook kya karu??????????..Ans Plzzzzzzz

Anonymous said...

Hummm acha he saare hackers

Anonymous said...

can u plz tell me how can we learn ethical haccking... did we well worst in programming skilllyk c,c++,java, etc.. to becaome an hacker..tell me wat we wanna to do bcome an hacker..plz gave sme of ur ideas ..

Anonymous said...

how can i earn money through blogging????

Tracker on December 15, 2011 at 7:27 AM said...

hello rafay...nice to see your blog ......believe me i m very impressed with it....i also created a blog which is dedicated to technology blogs Pr is 5 but i have only 2K views per day ....please tell me why to do to get more visitors ...

Anonymous said...

Salam Rafay ... Hope you will be fine .. rafay i need your help bro. it is very important for me you. bro kindly contact me here
0333-3458420 or text me here i will call you

Anonymous said...

hi need to hack onto this website-URL

moonstar on March 18, 2012 at 2:36 AM said...

how hack to mobile call log histery in airtell&uninar

Rimal Aayush on March 25, 2012 at 9:21 PM said...

u have the same story as i do...

Anonymous said...

respected bhaijaan
i am an engineering graduate and i made a facebook page and it became an instant hit in my college.
i was the only admin of the page but someone hacked into the account and removed me as admin and took control of my page.
i dont know who that person is
i was going through a lot of facebook hacking articles and came across your website
i need your help regarding this.i need you to recover my page.
i will be really grateful if you help me out of this.

Md. Alamin Mahamud on December 19, 2012 at 9:59 AM said...

Today Is my First day at your blog! I am interested in Hacking but don't know the basics. When I First designed my blog i was inspired by Muhammad@MyBloggerTricks. He made some terrific series of articles which shows us the way step by step. But as I am new in Hacking basics will u tell me - From which lesson i shall start?

tooba said...

hey how did you get so much info about all this "ethical hacking" stuff?? U must've learned it from somewhere or someone too right??

Anonymous said...

Hi bro,

When you free, please provide link,,,i mean clickable link :)

Anonymous said...

rafay what is your bechlors in it weather it is in security related degree or you accidentally get in this field of hacking

Usama Bin Nadeem on September 19, 2013 at 9:49 AM said...

i know this comment might seem stupid to u....but, i wanted to ask, when did u start all this? i mean how could u manage all this along with ur studies?

Anonymous said...

Hi, Rafay
I am taking a class intro to computers, I do know a bit about them but not enough for what My degree is in. This week we are talking about the security risk of hacking, I was wanting to know what your thoughts are on this, and with hacking being against the law how can you sell a book telling people how to do it? Thank you for your time.

Amir Bakhsh Baloch on October 6, 2013 at 4:26 AM said...

Proud of you Rafay Baloch..

fahad saleem on September 18, 2014 at 12:49 AM said...

When you actually started ethical hacking.
I mean some people say I started online work from the last 5 years.
So when you properly started researching and learning.
And how did you learn all these things the sources and all that :)

Anonymous said...

Rafay Baloch bhai If you have a fb account than plz give me the link of your id I want to talk with u ......

Dare to ask? :)

Blog Archive


Recent Comments


Rafay Baloch is an Independent security researcher, Internet marketer, Entrepreneur and a SEO consultant, He is the founder of RHA blog and multiple other blogs. Rafay got famous after finding a Remote Code Execution bug inside PayPal for which PayPal awarded him a sum of 10,000$ Read More..

Join In!

RHA © 2013. All Rights Reserved.