About

I am a security researcher and computer science student at the University of Southern California. My experience is primarily in web-application bug bounties, having reported security issues to Google, Microsoft, Spotify, Grammarly, and more.

During the summer of 2022, I was an Associate Application Security Engineer at Bugcrowd, where I triaged security issues for customers like Dell Technologies, Pinterest, and 1Password.

I’ve built security tools, contributed browser code (Firefox), written browser extensions, and worked on other development projects.

Projects

sourcegraph-scripts (2022)

A set of Python scripts to identify vulnerabilities in GitHub projects using Sourcegraph. The scripts download code files from Sourcegraph results; subsequently, static analysis is applied to identify vulnerabilities en masse. This demonstrates a unique use-case of Sourcegraph for security research.

Tech stack: Python, Bash, Semgrep, Git

dns-exfil (2021)

A Python tool to start a DNS server for exfiltration or ping-back detection. The tool supports hex encoding and outputs JSON, allowing easy parsing with something like jq. The project has been successfully used to detect the Log4Shell vulnerability.

Tech stack: Python, DNS, Git

censorship-detector (2021)

A browser extension (in JavaScript) that identifies website censorship techniques. Although experimental, it can recognize DNS, HTTP, and SNI filtering—all from a browser extension. I built the extension to tackle censorship of sites in Lebanon, my home country.

Tech stack: JavaScript, HTML, CSS, npm, Webpack, WebExtensions API, Git

Contributions & Publications

Press Appearances