Rafay Baloch is the founder and CEO of RHA InfoSec. He has been doing security research for more than 6 years. His core areas of expertise include network security and web application penetration testing, and he is the author of "Ethical Hacking and Penetration Testing Guide". He specialises in finding security vulnerabilities in web applications, frameworks and browsers, bypassing web application firewalls, HTML5 attack vectors, and breaking the filters of modern web browsers.

He has helped secure many organizations and has made hundreds of responsible disclosures. He is best known for finding a remote code execution vulnerability in PayPal, for which he was awarded $10,000 and offered a job by PayPal. Rafay is an active participant in bug bounty programs and is listed in a large number of halls of fame, including Google, Facebook, Microsoft, Twitter, Dropbox, etc.


Following are some of my publications:

Modern Day Web Application Firewall Bypass

HTML5 Modern Day Attack And Defence Vectors

Ethical Hacking And Penetration Testing Guide


Halls Of Fame

Google Hall Of Fame


Microsoft Security Researchers Award

http://technet.microsoft.com/en-us/security/cc308575.aspx (August) http://technet.microsoft.com/en-us/security/cc308589.aspx (October) http://technet.microsoft.com/en-us/security/cc308589.aspx (November)

Ebay Responsible Disclosure Page 

Reported an XSS in eBay, bypassing their security filters to make the vulnerability work: http://pages.ebay.com/securitycenter/ResearchersAcknowledgement.html

Adobe Security Acknowledgments 

“Adobe would like to thank the following individuals and organizations for reporting a security vulnerability or vulnerabilities in an Adobe online service, and for working with Adobe to help protect our customers.”


Acknowledged By Red Hat And Twitter (Found a Non-Persistent XSS):

Red Hat: https://access.redhat.com/knowledge/articles/66234

Twitter WhiteHat: https://twitter.com/about/security

Apple's Responsible Disclosure Page: 


Dropbox Hall Of Fame (Reported Oauth CSRF): 


Zynga Whitehat (listed for reporting an XSS and an SQLi): http://company.zynga.com/security/whitehats

Constant Contact Responsible Disclosures Page: 


OwnCloud Hall-of-Fame:

http://owncloud.org/security/hall-of-fame/

Tuneti Hall-of-Fame:

Acquia's Responsible Disclosure Page:


ifixit Responsible Disclosure Page:


Github Responsible Disclosure Page: 


Nokia Siemens Hall Of Fame:


37Signals Security Fame: 


Mahara Responsible Disclosures List:


SoundCloud Responsible Disclosure List:

Reported a few Self-XSS issues and finally a CSRF to get listed:

http://help.soundcloud.com/customer/portal/articles/439715-responsible-disclosure

Gallery Bounties


EngineYard Hall Of Fame:


Kaneva Hall Of Fame: 


Twilio Responsible Disclosure:


Get Harmony Responsible Disclosure: 


Gitlab Vulnerability Acknowledgements: 


Netflix Responsible Disclosure:


Nokia Hall Of Fame:


Barracuda Labs Hall Of Fame


LastPass Security Hall Of Fame 

Reported a Stored Cross Site Scripting (XSS) vulnerability in their core products: https://lastpass.com/support_security.php

Acknowledgment By ESET NOD32 Antivirus Company:

Acknowledged By Avira

Acknowledgement By MediaFire

Acknowledgement By Lavasoft

Acknowledged By National Bank Of Pakistan

Paypal's Job Offer

Internet Magazine


An Interview With EHN:


A detailed interview with Infinityloopers: 




Inside NewsPapers

Tribune NewsPaper: 



“This was a basic-level attack,” said Rafay Baloch, a professional white hat who recently bagged $10,000 in PayPal’s bug bounty programme after exposing a critical vulnerability in the website. However, he said it is believed across many online forums that PKNIC is also vulnerable to SQL injection – the most powerful cyber attack, according to the Open Web Application Security Project (OWASP). OWASP is the world’s largest organisation in terms of web application security and penetration testing. Through SQL injection, the hacker can extract the entire database from the target website, Baloch said.

Brecorder News


ISLAMABAD: Rafay Baloch, an independent security researcher from Karachi, has been rewarded with $5,000 for reporting a remote command execution bug in PayPal's website. According to details, PayPal had announced this reward initiative for those researchers who would report the existence of a bug and its subsequent remote command execution, Technology Times reported.

Times Of India: 


In Softpedia News Several Times

Mentions in Other Popular Blogs:

http://www.soldierx.com/hdb/Rafay-Baloch

http://www.mybloggertricks.com/2012/12/mohammad-chose-blogger-i-chose-hacking.html




Featured Inside PaulDotCom


"Pretty neat how you get offered a job if you can find bugs in someone's application. This is a slippery slope, some may get a job, others may get an orange jumpsuit and a cell mate named "bubba", but hey if it's worth the risk to you, go for it. This person is still in college, which is impressive. Less than impressive is just how many flaws are in Paypal. You would think that someone like Paypal would pay close attention to security, but it seems they do not. This makes me want to give up on security entirely, until I remember that I get paid to find vulnerabilities..."

TV Shows

Show On Kay2tv 

Social Networks

You can connect with me mostly on:

Subscribe to our Newsletter and receive updates directly via email - get ethical hacking and security tips directly to your inbox. Alternatively, you can join our Hackers Community on Facebook, Google+ and Twitter.

At RHA Infosec we provide different types of Security Testing from small business sites to Corporate Sites. Click Here to know more about our complete list of services.



  1. Great, bro! You are doing really well. Would you like to join me @ internetgeeks.org as an author? I will promote your ebook on my blog.


  2. Where & how can I get your book on ethical hacking?


  3. Hey, tell me how you added AdBrite to your Blogspot. Please help me. When I add the AdBrite code in "Add a Gadget", it just keeps showing "your ad here" and nothing else appears. Please help me out.
    My email ID is

  4. @Anonymous
    Just visit www.hacking-book.com and complete the payment process to download the book

    Ads won't display until an advertiser buys an ad spot on your blog.

    1. Dear Rafay sir, A.O.A.
      I am from Lahore. I have done ICS (Intermediate Computer Science) and am now continuing my studies in BS (IT), in the 2nd semester. I will do something new in computer technology and hacking, because I know hacking will never die, it will just multiply... So I want to work or learn with you. Please sir, help me. Please sir, help me. Please sir, help me with learning technology and hacking.
      Thank you, sir.

  5. Hey, tell me how the login.php Notepad file is made? In your video, when you pasted login.php, you then saved that Notepad file, but after that, how is the login file that goes with Google Chrome created? Please tell me.

  6. Well, I have searched a lot on your site for your email ID but I can't find it. Well, I just want to seek your advice.
    Firstly, I want to tell you that I belong to India... yes, India.
    So you may have just imagined something about me :)
    Further, I want to tell you I am just 18 now.
    I belong to a middle-class, low-income family and I just want to pursue my career in this field. I think you write awesomely, but it may be too advanced for me, or I am just stupid.
    I want to settle down in the UK for my career.
    But to go there I need to have a strong knowledge base.
    I tried hard but can't get to know your recent articles here well.
    Will you please give me foolproof advice, in depth, about how to begin and carry on,
    and how you have come to this place?
    I am assuming that at some time you may have been like me (maybe at the time when you were born).
    So will you please, sir, give direction to my career and solve all my queries?
    I am not sure whether this comment will be read by you or anyone else, but if it reaches you, please sir, just type something for me from your busy time and mail me.
    Any other reader of this site can also help me.
    I will be very thankful for your kind act.

  7. @Anonymous
    Well, to master anything you need to learn from the basics; that's the same case with ethical hacking. Unless you know the basics you would not be able to learn it. I also recommend you read my book on ethical hacking; it is totally dedicated to beginners.

  8. Yes Rafay, nobody would tell us anything about ethical hacking; we need to discover it on our own. In fact, you are doing a great job. I need to know about online money jobs. Please reply to me.

  9. Man... ace work... just keep up the great deeds, dude... I just love using computers and spending as many hours as I can surfing the net... I enjoyed your book, it was a thumbs up... Anyway man, just let us know some more hacking tips and tricks...

  10. Man, you are going quite well! Hats off to you!!

    Well, I want to show you my blog, so where should I give you the link?

  11. @Wamiq Ali
    Thanks, you can give it here through the comments.

  12. Dear Rafay Baloch,
    Great work, you are (the Pakistani Ankit Fadia). Keep it up. Spread knowledge and get knowledge.
    Can you send me your articles?

    Babar Awan

  13. Hi, I have a question: if we are sharing a screen through Skype, then how can I hack the other PC, how can I enter his PC? Please reply, ty.

  14. I just asked a question about hacking while screen sharing. I'm not in Pakistan, so I can get your book. And I'm also a student of programming languages. If you would like to help me, here's my email account: luckybouy2003@yahoo.com. Please reply to me.

  15. Hi Rafay,

    You said that you got around 40 visits a day when you just started.
    How did you get so many? Did you do any SEO on your blog?

  16. @David
    David, I learned Internet marketing and search engine optimization in order to promote my website.

  17. rafay,

    You are really successful for someone who didn't know anything about the topic and just jumped right in.

    I would be interested in reading a post about how you got your blog "out there" and what specific SEO techniques you would recommend.

  18. @David
    David, the problem is that I can't write articles related to SEO on this blog because it's related to ethical hacking.

  19. Hi Rafay bhai, I am Nikhil Karande from Kolhapur, Shivaji University, doing a B.Tech in Comp Sci. I also want to be an ethical hacker. What can I do for it? What are the basics for that profession? I want to protect our country from outside hackers. Suggest me some magazines or RSS feeds to learn it, please. I want to be a master in hacking and cracking. Reply to me @ karandenikhil.2009@gmail.com
    I hope you will help me for my bright future. I would like to work with you.
    One thing is, my friends and I want to develop an OS.

  20. Rafay, can you help me with software that I can use to see and disconnect people from my Wi-Fi? Please help me.

  21. I need to hack a Hotmail account. Please email me.


  22. Rafay, what is the meaning of 40k visitors?

  23. K means 1000, dude. Well, actually K represents 1024... 40k = 40,000

  24. Salam
    Friend, I'm Umair from Faisalabad. I belong to a poor family and I want to earn money. I have a blog, but no visitors come to it. Can you tell me what kind of blog I should have and how visitors can come to it? Please, this is my number: 0323 6674165
    I will wait for your reply. Please reply to me as soon as possible, it's a request, I really need your help.

  25. Please tell me in which province of Pakistan you live and in which university you are studying?
    I am very thankful to you.

  26. Hey Rafay,
    Where did you learn all this stuff?
    BTW, which school are you in?

  27. Rafay.......
    Nice articles.
    Can you help me increase the traffic on my blog http://hackersofsujit.blogspot.com/
    Please mail me at

  28. Rafay, I read about you... I am really impressed by you...

    You know, people take hacking in a negative way and think hacking and hackers are bad, but it's not...

    And hey, add me on FB, name Herry Lostn.

  29. Hey Rafay!
    Hope you are doing well. I really appreciate your work regarding hacking, especially 'ethical hacking'. I just want to ask, 'What is the difference between hacking and cracking?' Please do tell me.

  30. @Anonymous
    This is a very big topic to discuss; I will explain it to you with an example from the topic of email hacking and cracking. If I say that someone is going to hack into your email, I would refer to techniques such as phishing, keylogging, etc. Now if I say that someone is going to crack into your email, I would refer to techniques such as brute-forcing and dictionary attacks. Usually cracking does not involve any user interaction, whereas hacking is usually combined with social engineering to make the attack more devastating.

  31. Rafay Baloch, try Disqus comments; it will be better for your site :D And check my site too :D www.ultrapc1.com

  32. Salam bro, I need your help. I am a very big fan of yours, reading your blog for three years..!! Nice collection you've made, but I never commented. The first time someone made me comment on your blog is that my ID got hacked. If you really want to help me (I am genuine), then I can give you the ID... wherever you say, as it's not good to disclose an email ID here... like other fools...!!

    Hope to hear from you..



  34. Hi Rafay bro!..... I want to hack my girlfriend's Facebook account. What should I do??????????.. Answer please

  35. Hmmm, all hackers are good.

  36. Can you please tell me how we can learn ethical hacking... Do we need to be well versed in programming skills like C, C++, Java, etc. to become a hacker? Tell me what we need to do to become a hacker. Please give some of your ideas...

  37. How can I earn money through blogging????

  38. Hello Rafay... nice to see your blog... Believe me, I'm very impressed with it... I also created a blog which is dedicated to technology news... My blog's PR is 5 but I have only 2K views per day... Please tell me what to do to get more visitors...

  39. Salam Rafay... Hope you are fine... Rafay, I need your help, bro. It is very important for me. Bro, kindly contact me here:
    0333-3458420 or text me here and I will call you.

  40. Hi, I need to hack into this website-URL

  41. How to hack the mobile call log history in Airtel & Uninor?

  42. You have the same story as I do...

  43. Respected bhaijaan,
    I am an engineering graduate, and I made a Facebook page and it became an instant hit in my college.
    I was the only admin of the page, but someone hacked into the account, removed me as admin and took control of my page.
    I don't know who that person is.
    I was going through a lot of Facebook hacking articles and came across your website www.rafayhackingarticles.net
    I need your help regarding this. I need you to recover my page.
    I will be really grateful if you help me out of this.


  44. Today is my first day at your blog! I am interested in hacking but don't know the basics. When I first designed my blog I was inspired by Muhammad@MyBloggerTricks. He made some terrific series of articles which show us the way step by step. But as I am new to hacking basics, will you tell me - from which lesson shall I start?

  45. Hey, how did you get so much info about all this "ethical hacking" stuff?? You must've learned it from somewhere or someone too, right??

  46. Hi bro,

    When you are free, please provide a link... I mean a clickable link :)

  47. Rafay, what is your bachelor's in? Is it a security-related degree, or did you accidentally get into this field of hacking?

  48. I know this comment might seem stupid to you... but I wanted to ask, when did you start all this? I mean, how could you manage all this along with your studies?

  49. Hi, Rafay
    I am taking a class, Intro to Computers. I do know a bit about them, but not enough for what my degree is in. This week we are talking about the security risk of hacking. I was wanting to know what your thoughts are on this, and with hacking being against the law, how can you sell a book telling people how to do it? Thank you for your time.

  50. When did you actually start ethical hacking?
    I mean, some people say "I started online work 5 years ago."
    So when did you properly start researching and learning?
    And how did you learn all these things, the sources and all that :)

  51. Rafay Baloch bhai, if you have an FB account then please give me the link to your ID. I want to talk with you......



Rafay Baloch is an independent security researcher, Internet marketer, entrepreneur and SEO consultant. He is the founder of the RHA blog and multiple other blogs. Rafay became famous after finding a remote code execution bug in PayPal, for which PayPal awarded him $10,000.


RHA © 2013. All Rights Reserved.