AgriMarket Security Architecture Analysis — Responsible Disclosure

Security analysis of AgriMarket (MoA) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Public Services data of Indian citizens.

AP EAMCET Security Architecture Analysis — Responsible Disclosure

Security analysis of AP EAMCET (MoE) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Education Records of Indian citizens.

CDSCO: Security Architecture Analysis — Responsible Disclosure

Security analysis of the Central Drugs Standard Control Organization portal (cdsco.gov.in, MoHFW) reveals a static, hardcoded 'CSRF' token shipped in every public homepage response, alongside a permissive Content Security Policy that fails to restrict script-src on India's central drug regulator website.

eTenders (CPPP): Security Architecture Analysis — Responsible Disclosure

Security analysis of the Central Public Procurement Portal (etenders.gov.in, MeitY/NIC) reveals an antiquated Apache Tapestry 4 + Dojo 0.4 client stack last meaningfully updated in 2021, weak Content Security Policy, and deprecated security headers on the backbone of India's government e-procurement system.

IGNOU Security Architecture Analysis — Responsible Disclosure

Security analysis of IGNOU (MoE) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Education Records of Indian citizens.

Kisan Call Center Security Architecture Analysis — Responsible Disclosure

Security analysis of Kisan Call Center (MoA) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Public Services data of Indian citizens.

NPPA: Security Architecture Analysis — Responsible Disclosure

Security analysis of the National Pharmaceutical Pricing Authority portal (nppa.gov.in, Ministry of Finance / Department of Pharmaceuticals) reveals a broken TLS certificate chain, no HTTPS redirect or HSTS, no Content Security Policy, and HTTP-served assets on the HTTPS surface — systemic transport-layer weaknesses on India's drug price regulator.

ODOP Security Architecture Analysis — Responsible Disclosure

Security analysis of ODOP (DPIIT) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Public Services data of Indian citizens.

RKMS Security Architecture Analysis — Responsible Disclosure

Security analysis of RKMS (MoA) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Public Services data of Indian citizens.

Soil Health Security Architecture Analysis — Responsible Disclosure

Security analysis of Soil Health (MoA) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Public Services data of Indian citizens.

UPSSSC Security Architecture Analysis — Responsible Disclosure

Security analysis of UPSSSC (UP Govt) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

DFPD TPDS Security Architecture Analysis — Responsible Disclosure

Security analysis of DFPD TPDS (DoFD) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Public Services data of Indian citizens.

Digital Police (CCTNS): Security Architecture Analysis — Responsible Disclosure

Security analysis of Digital Police / CCTNS / National Cyber Crime Reporting Portal (MHA) reveals internal IP addresses hardcoded in production HTML, a permissive Content-Security-Policy allowing any origin in script-src, sample IIS tutorial headers shipped to production, and an HTTPS-to-HTTP downgrade redirect on the citizen services host.

eCourts Services: Security Architecture Analysis — Responsible Disclosure

Security analysis of eCourts Services (e-Committee, Supreme Court of India) reveals URL-embedded session tokens, commented-out CSRF protection, debug code shipped to production, and deprecated security headers on India's primary citizen-facing judiciary portal.

FSSAI Security Architecture Analysis — Responsible Disclosure

Deep analysis of FSSAI's FoSCoS and FICS portals reveals hardcoded AES keys in client-side JavaScript, client-side OTP verification, ECB-mode encryption, wildcard CORS, and MD5-based password hashing — architectural weaknesses that could expose food safety licensing and import clearance data of Indian businesses and citizens.

Makkal Sevai Portal Security Architecture Analysis — Responsible Disclosure

Security analysis of Makkal Sevai Portal (TNeGA / IT Dept TN) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

MHA Passport Seva: Security Architecture Analysis — Responsible Disclosure

Security analysis of the Passport Seva Online Portal (Ministry of External Affairs) reveals infostealer exposure, third-party trackers on a citizen identity portal, and an orphaned legacy infrastructure stack.

NAD (National Academic Depository) Security Architecture Analysis — Responsible Disclosure

Security analysis of NAD/DigiLocker Academic Depository reveals hardcoded Firebase API keys, development/beta domains exposed in CORS headers, wildcard CORS on the API server, defunct CDN dependency, and outdated Firebase SDK — all in a system handling academic identity and degree records of Indian citizens.

Nambikkai Inaiyam (BaaS) Security Architecture Analysis — Responsible Disclosure

Security analysis of Nambikkai Inaiyam (BaaS) (TNeGA / IT Dept TN) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

SWAYAM Security Architecture Analysis — Responsible Disclosure

Security analysis of SWAYAM (MoE) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Education Records of Indian citizens.

CBIC Customs Security Architecture Analysis — Responsible Disclosure

Security analysis of CBIC Customs (MoF) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Financial & Tax Data of Indian citizens.

GeM Portal Security Architecture Analysis — Responsible Disclosure

Security analysis of GeM Portal (DPP) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Financial & Tax Data of Indian citizens.

MCA21 Security Architecture Analysis — Responsible Disclosure

Security analysis of MCA21 (MoCA) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

NPCI PaySeva Security Architecture Analysis — Responsible Disclosure

Security analysis of NPCI PaySeva (NPCI) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Financial & Tax Data of Indian citizens.

RBI CEN Security Architecture Analysis — Responsible Disclosure

Security analysis of RBI CEN (RBI) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Financial & Tax Data of Indian citizens.

SBI CMS Security Architecture Analysis — Responsible Disclosure

Security analysis of SBI CMS (SBI, PSU) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Financial & Tax Data of Indian citizens.

SSC Online Security Architecture Analysis — Responsible Disclosure

Security analysis of SSC Online (DoPT) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

UPSC Portal Security Architecture Analysis — Responsible Disclosure

Security analysis of UPSC Portal (DoPT) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

AIIMS Student Portal Security Architecture Analysis — Responsible Disclosure

Security analysis of AIIMS Student Portal (MoHFW) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Education Records of Indian citizens.

BOI Star Connect Security Architecture Analysis — Responsible Disclosure

Security analysis of BOI Star Connect (BOI, PSU) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Financial & Tax Data of Indian citizens.

Canara Net Banking Security Architecture Analysis — Responsible Disclosure

Security analysis of Canara Net Banking (Canara, PSU) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Financial & Tax Data of Indian citizens.

CUET NTA Security Architecture Analysis — Responsible Disclosure

Security analysis of CUET NTA (MoE) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Education Records of Indian citizens.

Indian Bank Security Architecture Analysis — Responsible Disclosure

Security analysis of Indian Bank (Indian Bank, PSU) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Financial & Tax Data of Indian citizens.

National Scholarship Portal Security Architecture Analysis — Responsible Disclosure

Security analysis of National Scholarship Portal (MoE) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Education Records of Indian citizens.

PNB Internet Banking: Security Architecture Analysis — Responsible Disclosure

PNB's internet banking portal ships with operatingMode=DEVELOPMENT in production JS, a CAPICOM ActiveX object from the Windows XP era, scripts loaded from a non-existent Oracle Cloud bucket, JSESSIONID URL-rewriting, and a CSP that trusts *.oraclecloud.com — a cascade of legacy and configuration findings on a PSU banking surface.

UCO Bank Security Architecture Analysis — Responsible Disclosure

Security analysis of UCO Bank (UCO, PSU) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Financial & Tax Data of Indian citizens.

UMANG Portal: Security Architecture Analysis & Responsible Disclosure

Analysis of India's UMANG platform (web.umang.gov.in) reveals hardcoded API keys, MD5 salts, AES-ECB mode with localStorage keys, and a production CSP that trusts internal IPs, staging domains, and test payment gateways — affecting 71 million users of 2,000+ government services.

CBSE Academic Security Architecture Analysis — Responsible Disclosure

Security analysis of CBSE Academic (MoE) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Education Records of Indian citizens.

CDSL: Security Architecture Analysis — Responsible Disclosure

Security analysis of CDSL (MoF / SEBI-regulated depository) reveals AES encryption keys generated with non-cryptographic Math.random(), PBKDF2 with default 1-iteration parameters, and the same key+ciphertext coupling seen across Indian fintech — on a depository holding 5+ crore demat accounts.

eDistrict Security Architecture Analysis — Responsible Disclosure

Security analysis of eDistrict (MeitY) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

Makkal Sevai Generic eKYC Security Architecture Analysis — Responsible Disclosure

Security analysis of Makkal Sevai Generic eKYC (TNeGA / IT Dept TN) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

NHP Portal Security Architecture Analysis — Responsible Disclosure

Security analysis of NHP Portal (MoHFW) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Health & Medical Data of Indian citizens.

NSDL: Security Architecture Analysis — Responsible Disclosure

Security analysis of NSDL (MoF / SEBI-regulated depository) reveals a hardcoded AES key in the Angular bundle of the Insta Demat KYC flow, plain-text authentication tokens rendered into e-voting HTML, and weak image CAPTCHA across multiple NSDL e-services endpoints.

PARIVAHAN Security Architecture Analysis — Responsible Disclosure

Security analysis of PARIVAHAN (MoRTH) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

Pension Seva: Security Architecture Analysis — Responsible Disclosure

Security analysis of Indian government pension portals (MoF / DoPPW) reveals client-side SHA256 password hashing with a hardcoded salt shipped in HTML, weak text CAPTCHA, and OTP routed to registered contact details.

PM-Kisan: Security Architecture Analysis — Responsible Disclosure

Security analysis of PM-Kisan (MoA) reveals client-side AES 'encryption' with hardcoded keys shipped to every browser, weak text CAPTCHA, and OTP flow weaknesses on a portal serving 80M+ farmers.

TNeGA Face Auth KYC (Syntizen) Security Architecture Analysis — Responsible Disclosure

Security analysis of TNeGA Face Auth KYC (Syntizen, TNeGA / IT Dept TN) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

Voter Helpline ECI Security Architecture Analysis — Responsible Disclosure

Security analysis of Voter Helpline ECI (Law) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

Aadhaar (UIDAI): Security Architecture Analysis — Responsible Disclosure

Security analysis of Aadhaar/UIDAI (MeitY) reveals CSP misconfigurations on the central identity portal, a history of critical data breaches affecting 815M+ records, and architectural concerns in the world's largest biometric identity system.

BHIM UPI: Security Architecture Analysis — Responsible Disclosure

Security analysis of BHIM UPI (NPCI) reveals third-party ad tracking on government payment infrastructure, mixed CSP configuration, and systemic NPCI-wide tracking patterns across all payment platforms.

CoWIN Portal Security Architecture Analysis — Responsible Disclosure

CoWIN (cowin.gov.in), India's COVID vaccination platform, is no longer operational. The portal returns empty server responses, indicating formal decommissioning. This analysis documents the platform's post-operational security posture.

EPFO UAN Security Architecture Analysis — Responsible Disclosure

Security analysis of EPFO UAN (MoL&E) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Financial & Tax Data of Indian citizens.

mAadhaar Security Architecture Analysis — Responsible Disclosure

Security analysis of mAadhaar (MeitY) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

NATGRID Security Architecture Analysis — Responsible Disclosure

Security analysis of NATGRID (MHA) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

NDHM Security Architecture Analysis — Responsible Disclosure

Security analysis of NDHM (MoHFW) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Health & Medical Data of Indian citizens.

NIVF Security Architecture Analysis — Responsible Disclosure

Security analysis of NIVF (MoHFW) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Health & Medical Data of Indian citizens.

OASYS TNePDS (tnpds.gov.in) Security Architecture Analysis — Responsible Disclosure

Security analysis of OASYS TNePDS (tnpds.gov.in, Civil Supplies TN) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

SBI YONO: Security Architecture Analysis — Responsible Disclosure

Security analysis of SBI YONO reveals CVE-2025-45080 (critical MITM vulnerability), internal data warehouse endpoint exposed in CSP, and CSP misconfiguration on India's largest bank's digital platform.

TNeGA SFDB (State Family Database) Security Architecture Analysis — Responsible Disclosure

TNeGA's State Family Database portal (tnega.tn.gov.in) is unreachable — connection timeouts on HTTPS. A critical identity system serving 72 million Tamil Nadu citizens is not publicly accessible for security audit, raising questions about infrastructure resilience and transparency.

ABDM Health ID Security Architecture Analysis — Responsible Disclosure

Security analysis of ABDM Health ID (MoHFW) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Health & Medical Data of Indian citizens.

Ayushman Bharat PMJAY Security Architecture Analysis — Responsible Disclosure

Security analysis of Ayushman Bharat PMJAY (MoHFW) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Health & Medical Data of Indian citizens.

Co-WIN Security Architecture Analysis — Responsible Disclosure

Security analysis of Co-WIN (MoHFW) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Health & Medical Data of Indian citizens.

eSanjeevani Security Architecture Analysis — Responsible Disclosure

Security analysis of eSanjeevani (MoHFW) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Health & Medical Data of Indian citizens.

PFMS Security Architecture Analysis — Responsible Disclosure

Security analysis of PFMS (MoF) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Financial & Tax Data of Indian citizens.

RBI CIMS Security Architecture Analysis — Responsible Disclosure

Security analysis of RBI CIMS (RBI) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Financial & Tax Data of Indian citizens.

RCH Portal Security Architecture Analysis — Responsible Disclosure

Security analysis of RCH Portal (MoHFW) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Health & Medical Data of Indian citizens.

CBIC GSTN Security Architecture Analysis — Responsible Disclosure

Security analysis of CBIC GSTN (MoF) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Financial & Tax Data of Indian citizens.

Co-WIN Portal: Security Architecture Analysis — Responsible Disclosure

Security analysis of the Co-WIN vaccination portal (MoHFW) reveals exposed API infrastructure, client-side auth token handling, and staging environment leakage affecting COVID-19 vaccination records of Indian citizens.

NIKSHAY Security Architecture Analysis — Responsible Disclosure

Security analysis of NIKSHAY (MoHFW) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Health & Medical Data of Indian citizens.

Digital Gujarat: Security Architecture Analysis — Responsible Disclosure

Security analysis of the Digital Gujarat Common Service Portal (Gujarat Government) reveals expired TLS certificates, historical Aadhaar data exposure, and systemic risks in Aadhaar-OTP authentication across 56 crore+ transactions.

GJ Digital Gujarat Security Architecture Analysis — Responsible Disclosure

Security analysis of GJ Digital Gujarat (GJ Govt) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Public Services data of Indian citizens.

ePathshala Security Architecture Analysis — Responsible Disclosure

Security analysis of ePathshala (MoE) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Education Records of Indian citizens.

eTenders (GeP) Security Architecture Analysis — Responsible Disclosure

Security analysis of eTenders Government eProcurement System (MeitY) reveals MD5 password hashing, outdated framework, and session management weaknesses that could expose procurement data of Indian government contracts.

INRES Security Architecture Analysis — Responsible Disclosure

Security analysis of INRES (MoRTH) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Public Services data of Indian citizens.

NeGPA Security Architecture Analysis — Responsible Disclosure

Security analysis of NeGPA (MoA) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Public Services data of Indian citizens.

NPCI MAP (Aadhaar Mapper) Security Architecture Analysis — Responsible Disclosure

Security analysis of NPCI MAP/Aadhaar Mapper (NPCI) reveals third-party marketing trackers on Aadhaar-linked banking infrastructure, exposed Akamai RUM credentials, and a dead primary domain.

SARANSH Security Architecture Analysis — Responsible Disclosure

Security analysis of SARANSH (MoE) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Education Records of Indian citizens.

Soil Health Card Security Architecture Analysis — Responsible Disclosure

Security analysis of Soil Health Card (MoA) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Public Services data of Indian citizens.

Aarogya Setu: Security Architecture Analysis — Responsible Disclosure

Security analysis of Aarogya Setu (MeitY) — India's COVID-19 contact tracing app with 100M+ installs. Covers historical vulnerabilities, open source code review findings, and persistent privacy concerns.

Bhuvan ISRO: Security Architecture Analysis — Responsible Disclosure

Security analysis of Bhuvan (ISRO's geoportal) reveals a public CORS proxy in the CSP connect-src directive, universal unsafe-inline/unsafe-eval, and extensive infrastructure exposure through the Content Security Policy.

MP eUparjan Security Architecture Analysis — Responsible Disclosure

Security analysis of MP eUparjan (MP Govt) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Public Services data of Indian citizens.

MyGov: Security Architecture Analysis — Responsible Disclosure

Security analysis of MyGov (MeitY) — India's citizen engagement platform built on Drupal. Moderate findings around CSP weakness and third-party script loading.

WB Banglar Shiksha Security Architecture Analysis — Responsible Disclosure

Security analysis of WB Banglar Shiksha (WB Govt) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Education Records of Indian citizens.

CCTNS Security Architecture Analysis — Responsible Disclosure

Security analysis of CCTNS (MHA) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

Digital Police Security Architecture Analysis — Responsible Disclosure

Security analysis of Digital Police (MHA) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

E-Courts Services Security Architecture Analysis — Responsible Disclosure

Security analysis of E-Courts Services (Law) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

NAD (National Academic Depository): Security Architecture Analysis — Responsible Disclosure

Security analysis of India's National Academic Depository reveals publicly accessible development/testing infrastructure, wildcard CORS on the academic records API, and vendor domain exposure affecting millions of student records.

SEBI: Security Architecture Analysis — Responsible Disclosure

Security analysis of SEBI (Securities and Exchange Board of India) reveals that India's market regulator doesn't follow its own cybersecurity framework on its public-facing portals.

SeedNet India Portal: Security Architecture Analysis — Responsible Disclosure

Security analysis of SeedNet (Department of Agriculture) reveals that the primary portal is completely inaccessible while its replacement exposes 400+ API endpoints and uses client-side encryption for India's seed supply chain management system.

ESIC Portal Security Architecture Analysis — Responsible Disclosure

Security analysis of ESIC Portal (MoL&E) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Financial & Tax Data of Indian citizens.

NPCI: Security Architecture Analysis — Responsible Disclosure

Security analysis of NPCI (National Payments Corporation of India) reveals missing CSP and security headers on the main portal, exposed Akamai bot management keys, and the shadow of a ransomware attack that disrupted UPI for 300 banks.

RBI: Security Architecture Analysis — Responsible Disclosure

Security analysis of the Reserve Bank of India website reveals missing CSP, SameSite cookie vulnerabilities, and the staggering scale of 61 million cyber attack attempts in Q4 2025 alone.

Karnataka One Portal: Security Architecture Analysis — Responsible Disclosure

Security analysis of Karnataka One portal (EDCS/DPAR) reveals a publicly accessible vendor UAT environment on a non-government domain, MD5 password hashing, and conflicting security configurations that could expose citizen data across Karnataka.

KL eDistrict Security Architecture Analysis — Responsible Disclosure

Security analysis of KL eDistrict (KL Govt) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

MH Aaple Sarkar Portal: Security Architecture Analysis — Responsible Disclosure

Security analysis of Maharashtra's Aaple Sarkar portal (MahaIT) reveals a publicly accessible API integration document exposing encryption algorithms, test endpoints, and MD5 password hashing, combined with chronic portal outages affecting essential citizen services.

PMJDY Jan Dhan Portal: Security Architecture Analysis — Responsible Disclosure

Security analysis of Pradhan Mantri Jan-Dhan Yojana portal (MoF) reveals architectural weaknesses including hardcoded localhost URLs, exposed password salts, and outdated infrastructure that could expose financial data of 50+ crore Indian bank account holders.

Rajasthan SSO Security Architecture Analysis — Responsible Disclosure

Security analysis of Rajasthan SSO (RJ Govt) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

TN eSevai Portal: Security Architecture Analysis — Responsible Disclosure

Security analysis of Tamil Nadu eSevai portal (TNeGA) reveals an active phishing clone with UPI payments, historical data breaches affecting millions, and an unreachable official portal forcing citizens toward unsafe alternatives.

TS Meeseva Security Architecture Analysis — Responsible Disclosure

Security analysis of TS Meeseva (TS Govt) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Public Services data of Indian citizens.

UP eSathi Portal: Security Architecture Analysis — Responsible Disclosure

Security analysis of Uttar Pradesh's eSathi portal reveals State Data Center malware attacks, e-Nagarpalika ransomware, localhost URLs in production CSP, and an unreachable portal affecting India's most populous state's citizen services.

AIIMS Delhi: Security Architecture Analysis & Responsible Disclosure

Analysis of AIIMS Delhi's web infrastructure reveals a split security posture — a hardened Next.js exam portal alongside a legacy Joomla CMS missing critical security headers — compounded by a history of ransomware attacks and a 2025 data exposure vulnerability affecting organ donor records.

Dhanraksha Portal Security Architecture Analysis — Responsible Disclosure

Security analysis of Dhanraksha Portal (MoR) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Public Services data of Indian citizens.

IPPB Security Architecture Analysis — Responsible Disclosure

Security analysis of IPPB (MoC) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Financial & Tax Data of Indian citizens.

National Scholarship Portal: Security Architecture Analysis & Responsible Disclosure

Analysis of India's National Scholarship Portal (NSP) reveals production CSP misconfiguration exposing development infrastructure, alongside an alleged February 2026 data breach affecting millions of students' Aadhaar, banking, and academic records.

Post Info Security Architecture Analysis — Responsible Disclosure

Security analysis of Post Info (MoC) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Public Services data of Indian citizens.

ECI Voter Services: Security Architecture Analysis — Responsible Disclosure

Security analysis of Election Commission of India's voter services portals reveals weakened CSP on the main site but properly secured voter search APIs with CAPTCHA and OTP verification.

PM-Kisan Security Architecture Analysis — Responsible Disclosure

Security analysis of PM-Kisan (MoA) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Financial & Tax Data of Indian citizens.

CBSE OASIS: Security Architecture Analysis — Responsible Disclosure

Security analysis of CBSE OASIS (MoE) reveals dual legacy technology stacks, inconsistent security headers, client-side password hashing with predictable seeds, and a legacy application co-hosted on the same domain.

IRCTC Rail Connect: Security Architecture Analysis — Responsible Disclosure

Security analysis of IRCTC Rail Connect and web portal reveals a history of IDOR vulnerabilities, data breaches affecting millions, aggressive WAF protection masking underlying issues, and Akamai CDN information leakage.

NEET/NTA Portals: Security Architecture Analysis — Responsible Disclosure

Security analysis of NTA portals reveals completely broken security headers on the main site, ASP.NET runtime errors exposed, WordPress REST APIs on exam portals, and inconsistent security posture across sub-domains.

Passport Seva: Security Architecture Analysis — Responsible Disclosure

Security analysis of Passport Seva (MEA) reveals Blowfish encryption, hardcoded internal IPs, OAuth2 client secrets in native app, and DigiLocker token handling weaknesses.

GST Portal Security Architecture Analysis — Responsible Disclosure

Security analysis of GST Portal (MoF) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Financial & Tax Data of Indian citizens.

Ayushman Bharat PMJAY: Security Architecture Analysis — Responsible Disclosure

Analysis of the Ayushman Bharat PM-JAY ecosystem (10M+ users) reveals infrastructure hardening gaps, Aadhaar-based auth concerns, and governance risks in India's largest health insurance scheme.

DigiLocker Security Architecture Analysis — Responsible Disclosure

Security analysis of DigiLocker (MeitY) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

eHospital Security Architecture Analysis — Responsible Disclosure

Security analysis of eHospital (MoHFW) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Health & Medical Data of Indian citizens.

Income Tax e-Filing Security Architecture Analysis — Responsible Disclosure

Security analysis of Income Tax e-Filing (MoF) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Financial & Tax Data of Indian citizens.

Police NCRB Security Architecture Analysis — Responsible Disclosure

Security analysis of Police NCRB (MHA) reveals architectural weaknesses in client-side data protection, authentication, and API security that could expose Identity & Documents of Indian citizens.

U-WIN Immunization Portal: Security Architecture Analysis & Responsible Disclosure

A deep-dive into the U-WIN (Universal Immunization) portal's client-side architecture reveals hardcoded secrets, weak data protection, and OTP routing flaws that expose sensitive health data of India's mothers and children.

YouTube Recommendations in WhatsApp

How I get curated video suggestions from nanobot without leaving my chat

Z.AI Quota Checker

Track your Z.AI GLM Coding Plan usage in real time

Redesigning for Consistency: A Unified Layout and TMUX Mode

A walkthrough of the blog's design evolution, from a basic layout to a consistent, themeable experience with a new TMUX mode.

Welcome to Nanobot Bytes

Projects and tools built with nanobot — a lightweight, agentic AI assistant by Srikanth