Interview with Dhabaleshwar Das

Published 14 February 2025

Today we present an interview with Dhabaleshwar Das. He’s a security professional with 3 years of experience across various domains, including web, network, API, and mobile VAPT, container, and cloud security, as well as red teaming. He also has a passion for traveling, writing, and photography.

Why did you end up in security? Was this your plan all along or was it an accident?

Life’s weird, isn’t it? You go about your day thinking everything’s under control, and then—out of nowhere—it hits you with some random twist. For me, that twist came in the form of a forgotten password.

You see, I used to play this online game religiously. It was more than just a game—it was my escape from real life. No school stress, no chores, no lectures about “responsibility.” Just me, my character, and hours of grinding for rare loot. But then… exams. My parents went full dictator mode: No screens until exams are over. I was grounded from my digital world like some kind of exile.

I thought, Okay, no big deal. I’ll survive. (Spoiler: I barely did.) Finally, after weeks of cramming equations and historical dates, exam season ended. Freedom! I raced to my computer, ready to reunite with my beloved game. But fate wasn’t done testing me.

I typed my password…

“Incorrect password.”

I paused. Maybe I’d mistyped it. Tried again. Same result. Now, panic started creeping in. I tried every possible password combination. Still nothing. I figured, No worries, there’s always the Forgot Password button. Except when I clicked it, I was greeted with this soul-crushing message:

“Oops! Something went wrong. Please try again later.”

Excuse me, what? My whole virtual life was locked behind a broken reset button. It felt personal—like the universe was saying, Let’s see what you’re made of, kid.

Most people would’ve given up, but not me. No, I was determined. My loot, my progress—my legacy—was on the line. So, like any resourceful nerd, I turned to Google. That’s when I discovered the art of SQL injection. I found this strange payload:

' OR '1'='1' --

I had no idea what it did, but I was desperate enough to try. I typed it into the username field like this:

dhabal' OR '1'='1' --

Hit submit… and boom! I was back in. Just like that. I stared at the screen in shock, thinking, Wait, am I some kind of hacker now? Should I be wearing a hoodie in a dark basement with dramatic music playing?

But here’s the thing—what started as a random “hack” quickly turned into something much deeper. I began to wonder: Why did that work? How many other systems are this vulnerable? What does it mean for security if something so simple can break it?

That’s when I realized something important: security isn’t just about code. It’s about trust. People build entire lives on technology—businesses, relationships, dreams—and yet, all of it can be shattered in an instant because of a single flaw. One tiny crack in the system, and everything falls apart.

At that moment, I saw a reflection of life itself. We build walls around the things we care about—our identities, our dreams, our loved ones—but sometimes those walls aren’t as strong as we think. Vulnerabilities, both in systems and in life, are inevitable. What matters is how we respond to them. Do we ignore the cracks until everything collapses? Or do we confront them, learn from them, and make those walls stronger?

Life has this strange way of teaching you what matters through small, seemingly meaningless moments. A forgotten password. A broken reset link. A silly payload. These things might seem trivial, but they led me to a career filled with purpose and discovery. They taught me that curiosity, resilience, and a little creativity can open doors you never even knew existed.

So no, I didn’t plan on ending up in security. But I think I was meant to be here. Because sometimes the universe pushes you toward the right path… with a nudge as simple as a broken button.

What tips would you give a person interested in ethical hacking?

“A system isn’t hacked by breaking it—it’s hacked by understanding it better than the people who built it.”

Security isn’t about brute force or finding obvious bugs. The strongest systems fall not because they were weak, but because someone understood them on a level deeper than their creators. Developers build with a goal in mind, but they often fail to see beyond their intentions. They trust that every input, every condition, will behave according to the plan they designed.

But systems don’t care about plans—they follow every rule, loophole, and unintended connection in their architecture. The true vulnerability lies where design ends and reality begins, where assumptions about behavior are no longer valid. Hackers thrive here, in the spaces no one imagined—misordered processes, forgotten parameters, race conditions hidden in milliseconds.

The greatest hack is not about force; it’s about clarity. See the system for what it truly is, not what it was meant to be. Once you do, you’ll realize that security fails not from what’s known, but from everything that was never questioned. Understanding is the most powerful exploit of all.

How do you find vulnerabilities? Do you have some proven practices? Do you hunt for a specific type of vulnerability or not?

I usually start by looking for parameters and seeing how they behave when I mess with them. Parameters tell you a lot about how data flows through the system, and small changes can lead to big issues. I try things like altering inputs, switching request methods, or sending unexpected data to see if something breaks weirdly.

When hunting, I focus on stuff like CSRF, BAC, SSRF, and XSS, but I don’t lock myself into just those. If the system shows me something unusual—like odd error messages, timing differences, or redirects—I dig deeper. For me, it’s all about understanding how the system reacts to the unexpected. That’s where most vulnerabilities tend to show up.

What makes Patchstack’s bounty program different from the rest?

Let’s be real: WordPress powers a huge chunk of the internet, but in the security world, it often gets dismissed as ‘just another CMS.’ Most programs don’t prioritize it, but Patchstack does. They care. They understand how critical it is to protect the plugins, themes, and sites that millions rely on every day.

It’s inspiring to see a team that not only recognizes this responsibility but acts on it with speed and respect. Their triaging process is incredibly fast, almost as if they feel the urgency themselves. 

That’s what makes their program special. They give importance to something that many ignore, and by working with them, I feel like I’m helping protect more than just code. I’m helping secure the future of a platform that powers countless lives and businesses. That kind of purpose is rare.

Can bounty programs help in your career?

Yes, bounty programs can help your career. You gain real-world experience, improve your problem-solving skills, and build a reputation in the security community. Each vulnerability you find adds to your expertise, and the connections you make can open up new opportunities. It’s hands-on learning that directly translates to growth. Also, it helped me a lot in building connections.

Is there a vulnerability you found that you are most proud of? How did you find it and why do you consider it so special?

One of the most complex vulnerabilities I found was during a pen test on a cloud-based data management platform, and it all started with a low-severity SSRF. The SSRF allowed limited access to internal APIs, but most sensitive endpoints like localhost and the metadata service were blocked. However, after probing various endpoints, I found that one internal API returned partial error messages containing service configuration details.

These details exposed a misconfigured internal file storage service, which supported file uploads for automated workflows. The service had an open redirect vulnerability in its URL parameter, allowing me to trick the system into fetching a file from an internal location. By chaining this with parameter tampering, I bypassed file type restrictions and uploaded a malicious XML file, leading to an XXE exploit that leaked system environment variables.

Among the leaked information was a service account token for a privileged automation service. With this token, I accessed an internal task orchestration system that was responsible for executing backend scripts. Here, I found a race condition vulnerability where two separate tasks—one for script execution and another for logging—were processed asynchronously. By abusing the timing gap, I injected a serialized payload that triggered insecure deserialization when the log processing task was executed, leading to remote code execution (RCE) on the backend infrastructure.

It took me a full 8 days to exploit it and by the end of the 7th day, I started losing hair out of frustration.

If you had unlimited power and could change one thing in WordPress’ security – what would it be and why?

I would implement self-healing security mechanisms in WordPress. Each component—core, plugins, and themes—would have built-in behavior that detects and mitigates exploitation attempts in real time. For example, if a plugin experiences abnormal input patterns or repeated failures (indicative of SQLi, XSS, or RCE attempts), it would automatically quarantine itself, disable risky functionality, and notify the admin.

This would shift WordPress security from reactive updates to autonomous resilience, allowing sites to defend themselves in real-time, and reducing the reliance on delayed patches and external interventions. It would be like giving WordPress the ability to adapt and protect itself without waiting for human response.
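The quarantine behaviour described above, reduced to a per-plugin detector as an added illustration (not the interviewee's code, and nothing WordPress itself provides): each component counts abnormal inputs and handler failures in a sliding time window, and once a threshold is crossed it disables itself and records an admin notification. The plugin slugs, threshold, window and request records are all constructed.

```python
import re
from collections import defaultdict, deque

# Constructed request records: (timestamp_seconds, plugin_slug, parameter_value, handler_failed)
SAMPLE_REQUESTS = [
    (0, "contact-form", "hello world", False),
    (1, "contact-form", "' OR '1'='1' --", True),
    (2, "contact-form", "1 UNION SELECT 1,2,3", True),
    (3, "gallery", "photo.jpg", False),
    (4, "contact-form", "<script>alert(1)</script>", True),
    (30, "contact-form", "ordinary message", False),
]

# Crude indicators of injection-style input; real detection would be broader.
SUSPICIOUS = re.compile(r"(?i)('\s*or\s*'|union\s+select|<script|--\s*$)")


class SelfHealingGuard:
    """Quarantines a plugin after `threshold` abnormal events within `window` seconds."""

    def __init__(self, threshold=3, window=10):
        self.threshold, self.window = threshold, window
        self.events = defaultdict(deque)   # plugin -> timestamps of abnormal events
        self.quarantined = set()
        self.notifications = []            # messages an admin would receive

    def observe(self, ts, plugin, value, failed):
        if plugin in self.quarantined:
            return "blocked"               # risky functionality stays disabled
        if not (failed or SUSPICIOUS.search(value)):
            return "allowed"
        window_events = self.events[plugin]
        window_events.append(ts)
        while window_events and ts - window_events[0] > self.window:
            window_events.popleft()        # forget events outside the window
        if len(window_events) >= self.threshold:
            self.quarantined.add(plugin)
            self.notifications.append(
                f"{plugin} quarantined at t={ts}: {len(window_events)} abnormal inputs in {self.window}s")
            return "quarantined"
        return "flagged"


def run(requests=SAMPLE_REQUESTS):
    # Feed the records through one guard and return it with the per-request outcomes.
    guard = SelfHealingGuard()
    return guard, [guard.observe(*r) for r in requests]
```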

How have your hacker skills and mindset come in handy elsewhere?

My hacker mindset came in handy when a friend lost ₹100,000 in a scam. Using OSINT, I tracked down key details like the scammer’s phone number, fake account activity, and connections. I put together enough evidence for the bank and authorities to step in, and my friend eventually got his money back.

It wasn’t just about tech skills—it was about thinking creatively, following small leads, and solving a problem others might have given up on. But that’s a story for some other time.

You recently announced that you are stepping away from Patchstack bounties because of new career challenges. Can you share a bit about it?

Security has given me so much over the years—knowledge, opportunities, and the thrill of solving challenges. Now, I feel it’s time for me to give back by building something of my own. I’m currently developing a product, which involves everything from coding to managing a team, all while balancing a full-time job and preparing for certifications.

It’s a lot to handle, and stepping away from Patchstack’s bounty program was a tough decision. But I knew I needed to focus my energy on these new goals. The skills I’ve gained through pen testing—critical thinking, problem-solving, and adaptability—are guiding me through this journey. It’s both exciting and overwhelming, but I’m driven by the same mindset: identify the cracks, find solutions, and build something stronger.

Though I’m stepping away for now, Patchstack will always be a part of my story. I’ll carry the lessons and experiences with me as I take on this next chapter.

You can connect with Dhabaleshwar on:

Linkedin

GitHub
