I'm Aryan Akbar Joyia, an independent vulnerability researcher and tool developer with over 4 years of experience in web application security, advanced penetration testing, and responsible disclosure. My research focuses on Chained Exploitation Pipelines, Web Application Firewall (WAF) Filter Evasion Logic, and Logical Authorization Gap Auditing.
I have identified and reported critical security vulnerabilities affecting national infrastructure, government organizations, and global technology platforms. My expertise includes IDOR exploitation, Authentication Bypass, SSRF, and Business Logic Flaws. I develop proprietary security frameworks including WAFStrike for advanced authorization testing.
Currently pursuing FA(IT) in Computer Systems Networking and Telecommunications at Government Graduate College, Vehari, while actively conducting penetration testing and vulnerability research for national security contributions.
Identify and validate critical vulnerabilities including IDOR, Authentication Bypass, SSRF, and Business Logic Flaws using advanced Chained Exploitation Pipeline methodologies.
Advanced Web Application Firewall (WAF) bypass testing and edge filtering analysis to identify hidden authorization gaps that standard scanners miss.
Develop proprietary security frameworks and automation solutions using Python, including WAFStrike for advanced authorization testing and vulnerability validation.
Comprehensive API security testing focusing on authentication bypass, insecure token validation, and logical authorization gap auditing in REST and GraphQL endpoints.
Responsible disclosure and vulnerability research for government organizations, educational institutions, and critical infrastructure with impact boundary analysis.
Deep-dive analysis of access control mechanisms, privilege escalation vectors, and business logic flaws in complex enterprise applications.
All security assessments follow a structured engagement lifecycle:
Written scope definition, authorized target boundaries, and communication protocols established before any testing begins.
Passive and active enumeration mapped against MITRE ATT&CK to prioritize high-probability attack surfaces.
Manual testing with tool-assisted verification. All findings validated for exploitability before reporting. No automated scanner results reported without manual confirmation.
Findings documented with CVSS v3.1 vector strings, business impact narrative, proof-of-concept reproduction steps, and remediation guidance mapped to OWASP, NIST SP 800-53, or ISO 27001 controls as applicable.
All critical findings reported through official channels (security@, HackerOne, Bugcrowd, or direct CERT coordination) with remediation support offered.
WAFStrike is a Python-based authorization testing framework that automates differential analysis between WAF-layer filtering and back-end enforcement logic to surface access control gaps that signature-based scanners (Burp Suite passive scan, OWASP ZAP) miss. The tool generates structured JSON output per endpoint, mapping findings to OWASP WSTG-ATHZ-02 and MITRE ATT&CK T1190. GitHub repository and methodology documentation available on request.
March 2026 – April 2026
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Black-box testing of production WordPress secured by Wordfence WAF. Chained WPBakery LFI and Authenticated Stored XSS vectors to achieve full admin session hijacking and privileged credential extraction.
Business Impact: Full administrative compromise enabling defacement, data exfiltration, and malware distribution to site visitors. Maps to MITRE ATT&CK T1190, T1059, T1078.
February 2026
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Unauthenticated financial vault statistics exposure via loose CORS mapping on endpoint /api/v2/arm/daily_stats/. Identified critical authorization bypass in financial infrastructure.
Business Impact: Unauthorized exposure of financial vault statistics enabling competitive intelligence theft and regulatory non-compliance under financial data protection obligations. Maps to OWASP A01:2021, MITRE ATT&CK T1530.
December 2025
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Insecure token validation leading to high-confidence Account Takeover (ATO). Halted testing immediately post-validation following strict ethical boundaries and responsible disclosure protocols.
Business Impact: Mass account takeover risk across entire user base, enabling fraud, identity theft, and platform reputation damage. Maps to OWASP A07:2021, MITRE ATT&CK T1539.
December 2025
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identified hardcoded production API keys for four payment processors (Stripe, PayPal, Adyen, dLocal) embedded in a client-side JavaScript bundle accessible to unauthenticated users. Any visitor could extract keys and initiate unauthorized payment capture or refund operations.
Business Impact: direct financial fraud exposure, PCI DSS breach notification obligation, and potential PA-DSS non-compliance.
Reported via coordinated disclosure with full reproduction steps and remediation guidance. Maps to: OWASP A02:2021 (Cryptographic Failures), CWE-312, NIST SP 800-53 SC-28, MITRE ATT&CK T1552.001.
December 2025
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Session ID Confusion, missing CSRF token rules, and Referrer bypass leaks identified in analytics infrastructure. Demonstrated logical authorization gaps in session management.
Business Impact: Session hijacking enabling unauthorized access to user travel data and payment history. Maps to CWE-352, MITRE ATT&CK T1185.
December 2025
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Authentication bypass on key production endpoint nodes. Security triage accepted finding under formal organizational risk management protocols.
Business Impact: Unauthenticated access to production financial endpoints risking unauthorized fund transfers and regulatory breach under FINTRAC obligations. Maps to OWASP A01:2021, MITRE ATT&CK T1190, CWE-306.
October 2025
7+ Total Valid Security Disclosures Accepted & Remediated
Severity: Critical | CVSS 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description: Unauthenticated PHP object injection via the GiveWP WordPress donation plugin enabling remote code execution on affected installations without any authentication requirement.
Business Impact: Complete server compromise, data exfiltration, malware deployment, and defacement of donation-handling infrastructure.
Disclosure: Reported to PK-CERT via responsible disclosure process. Acknowledged and remediated. CVE assigned by NVD.
References: CVE-2024-5932 (NVD) | CWE-502 | MITRE ATT&CK T1190 | NIST SP 800-53 SI-10
Status: Fixed ✓
CVSS 9.1 | CWE-89 | MITRE ATT&CK T1190
Bypassed database abstraction layers risking full backend data access.
Business Impact: Full backend database access enabling mass PII exfiltration and credential theft. Maps to NIST SP 800-53 SI-10, OWASP A03:2021.
Status: Fixed ✓
CVSS 8.0 | CWE-79 | MITRE ATT&CK T1185
Cookie stealing leading to direct administrative Account Takeover (ATO).
Business Impact: Administrative account takeover enabling platform-wide data manipulation and unauthorized access. Maps to OWASP A03:2021, NIST SP 800-53 SI-10.
Status: Fixed ✓
CVSS 8.1 | CWE-284 | MITRE ATT&CK T1078
Unauthorized administrative endpoint access leaking sensitive PII records.
Business Impact: Unauthorized access to sensitive PII records with potential regulatory exposure under data protection laws. Maps to OWASP A01:2021, NIST SP 800-53 AC-3.
Status: Fixed ✓
CVSS 8.8 | CWE-312 | MITRE ATT&CK T1552.001
Hardcoded deployment environment secrets allowing third-party abuse.
Business Impact: Third-party service abuse, unauthorized cloud resource consumption, and supply chain compromise risk. Maps to NIST SP 800-53 SC-28, OWASP A02:2021.
Status: Fixed ✓
CVSS 6.1 | CWE-79 | MITRE ATT&CK T1491.002
Manipulated application response loops altering index ranking paths.
Business Impact: Search engine ranking manipulation, reputational damage, and malicious redirect exposure for end users. Maps to OWASP A03:2021.
Status: Fixed ✓
CVSS 5.3 | CWE-307 | MITRE ATT&CK T1110
Lack of rate limits enabling automated authentication brute-forcing.
Business Impact: Credential stuffing and brute-force attack surface enabling mass account compromise. Maps to NIST SP 800-53 AC-7, OWASP A07:2021.
Status: Fixed ✓
Professional references and engagement verification available upon request for qualified opportunities. Bug bounty acknowledgments and disclosure timelines available via PK-CERT and relevant platform Hall of Fame records.