About Me.

Application Security Researcher & Tool Developer

I'm Aryan Akbar Joyia, an independent vulnerability researcher and tool developer with over 4 years of experience in web application security, advanced penetration testing, and responsible disclosure. My research focuses on Chained Exploitation Pipelines, Web Application Firewall (WAF) Filter Evasion Logic, and Logical Authorization Gap Auditing.

I have identified and reported critical security vulnerabilities affecting national infrastructure, government organizations, and global technology platforms. My expertise includes IDOR exploitation, Authentication Bypass, SSRF, and Business Logic Flaws. I develop proprietary security frameworks including WAFStrike for advanced authorization testing.

Currently pursuing FA(IT) in Computer Systems Networking and Telecommunications at Government Graduate College, Vehari, while actively conducting penetration testing and vulnerability research for national security contributions.

Professional & Research Portals

Download CV
Services

What I Can Do

Web Application Security Testing

Identify and validate critical vulnerabilities including IDOR, Authentication Bypass, SSRF, and Business Logic Flaws using advanced Chained Exploitation Pipeline methodologies.

WAF Filter Evasion Logic

Advanced Web Application Firewall (WAF) bypass testing and edge filtering analysis to identify hidden authorization gaps that standard scanners miss.

Custom Security Tool Development

Develop proprietary security frameworks and automation solutions using Python, including WAFStrike for advanced authorization testing and vulnerability validation.

API Security Assessment

Comprehensive API security testing focusing on authentication bypass, insecure token validation, and logical authorization gap auditing in REST and GraphQL endpoints.

National Infrastructure Shielding

Responsible disclosure and vulnerability research for government organizations, educational institutions, and critical infrastructure with impact boundary analysis.

Logical Authorization Gap Auditing

Deep-dive analysis of access control mechanisms, privilege escalation vectors, and business logic flaws in complex enterprise applications.

Methodology

Engagement Methodology

All security assessments follow a structured engagement lifecycle:

Projects

Advanced Security Tooling & Research Pipeline

WAFStrike Framework

Python | OWASP WSTG-ATHZ-02 | MITRE T1190

WAFStrike is a Python-based authorization testing framework that automates differential analysis between WAF-layer filtering and back-end enforcement logic to surface access control gaps that signature-based scanners (Burp Suite passive scan, OWASP ZAP) miss. The tool generates structured JSON output per endpoint, mapping findings to OWASP WSTG-ATHZ-02 and MITRE ATT&CK T1190. GitHub repository and methodology documentation available on request.

March 2026 – April 2026

WordPress Chained Exploit Testing

CVSS 9.1 Critical

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Black-box testing of production WordPress secured by Wordfence WAF. Chained WPBakery LFI and Authenticated Stored XSS vectors to achieve full admin session hijacking and privileged credential extraction.

Business Impact: Full administrative compromise enabling defacement, data exfiltration, and malware distribution to site visitors. Maps to MITRE ATT&CK T1190, T1059, T1078.

February 2026

Origin Protocol API Failure

CVSS 8.2 High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Unauthenticated financial vault statistics exposure via loose CORS mapping on endpoint /api/v2/arm/daily_stats/. Identified critical authorization bypass in financial infrastructure.

Business Impact: Unauthorized exposure of financial vault statistics enabling competitive intelligence theft and regulatory non-compliance under financial data protection obligations. Maps to OWASP A01:2021, MITRE ATT&CK T1530.

December 2025

Large-Scale Booking Engine

CVSS 8.4 High

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Insecure token validation leading to high-confidence Account Takeover (ATO). Halted testing immediately post-validation following strict ethical boundaries and responsible disclosure protocols.

Business Impact: Mass account takeover risk across entire user base, enabling fraud, identity theft, and platform reputation damage. Maps to OWASP A07:2021, MITRE ATT&CK T1539.

December 2025

FareHarbor Provider Dashboard

CVSS 9.4 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identified hardcoded production API keys for four payment processors (Stripe, PayPal, Adyen, dLocal) embedded in a client-side JavaScript bundle accessible to unauthenticated users. Any visitor could extract keys and initiate unauthorized payment capture or refund operations.

Business Impact: direct financial fraud exposure, PCI DSS breach notification obligation, and potential PA-DSS non-compliance.

Reported via coordinated disclosure with full reproduction steps and remediation guidance. Maps to: OWASP A02:2021 (Cryptographic Failures), CWE-312, NIST SP 800-53 SC-28, MITRE ATT&CK T1552.001.

December 2025

Booking.com Analytics Audit

CVSS 7.4 High

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Session ID Confusion, missing CSRF token rules, and Referrer bypass leaks identified in analytics infrastructure. Demonstrated logical authorization gaps in session management.

Business Impact: Session hijacking enabling unauthorized access to user travel data and payment history. Maps to CWE-352, MITRE ATT&CK T1185.

December 2025

Shakepay Core API Bypass

CVSS 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Authentication bypass on key production endpoint nodes. Security triage accepted finding under formal organizational risk management protocols.

Business Impact: Unauthenticated access to production financial endpoints risking unauthorized fund transfers and regulatory breach under FINTRAC obligations. Maps to OWASP A01:2021, MITRE ATT&CK T1190, CWE-306.

October 2025

Certifications

Certifications & Training

Offensive Security & Penetration Testing Core

  • Certified Network Pentester (CNSP) | The SecOps Group Verify →
    Credential ID: 8787025
  • Certified Network Security Practitioner (CNSP) | The SecOps Group Verify →
    Credential ID: 10233311
  • Web Application Hacking Mastery | Cybrary Verify →
    Credential ID: CC-fbf3e0ce-5ecf-42de-8d2f-d44dcf7fd2e1
  • Advanced Penetration Testing | IT Masters (Charles Sturt University)

Governance, Compliance & Critical Infrastructure

  • Introduction to Critical Infrastructure Protection (ICIP) | OPSWAT Academy Verify →
    Credential ID: PwTGeEcFkA
  • Cybersecurity Compliance & System Administration | IBM iX
    Credential ID: IBM iX Program Completion
  • ISO 27001 Associate | Information Security Governance Framework Verify →
    Credential ID: Self-Paced Completion
  • Applied in engagements involving access control gap analysis and security control mapping.

Threat Management, Defense & Incident Response

  • Certified Ransomware Protection Officer (CRPO) | EU Cyber Academy Verify →
    Credential ID: 64d63660ac9488bbf50f3e76
  • Cyber Threat Management | European Union Agency for Cybersecurity (ENISA)
  • Cybersecurity Essentials | EU4Digital Facility, European Union (Expires: Oct 2028)
  • Vulnerability Management Foundation | Qualys Enterprise Security Verify →
  • Tata — Cybersecurity Analyst Job Simulation | Forage | Issued: June 2026 Verify →
    Credential ID: mLYLJjd8n7sB4t57w

Computer Science Foundations

  • CS50x: Introduction to Computer Science | Harvard University Verify →
    Credential ID: HarvardX Verified Certificate
  • Foundational systems knowledge applied to exploit development and custom security tooling.
  • SOE.YDB-ADVSQL0001: Databases & Advanced Topics in SQL | Stanford Online (Focus: DBMS Injection Remediation & Advanced Query Structure) Verify →
    Credential ID: StanfordOnline Verified
National Security Contributions

PK-CERT Infrastructure Shielding

7+ Total Valid Security Disclosures Accepted & Remediated

Featured Disclosure
CVE-2024-5932 — GiveWP Plugin Remote Code Execution

Severity: Critical | CVSS 10.0

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description: Unauthenticated PHP object injection via the GiveWP WordPress donation plugin enabling remote code execution on affected installations without any authentication requirement.

Business Impact: Complete server compromise, data exfiltration, malware deployment, and defacement of donation-handling infrastructure.

Disclosure: Reported to PK-CERT via responsible disclosure process. Acknowledged and remediated. CVE assigned by NVD.

References: CVE-2024-5932 (NVD) | CWE-502 | MITRE ATT&CK T1190 | NIST SP 800-53 SI-10

Status: Fixed ✓

SQL Injection (SQLi)

CVSS 9.1 | CWE-89 | MITRE ATT&CK T1190

Bypassed database abstraction layers risking full backend data access.

Business Impact: Full backend database access enabling mass PII exfiltration and credential theft. Maps to NIST SP 800-53 SI-10, OWASP A03:2021.

Status: Fixed ✓

Reflected XSS to Session Hijacking (High)

CVSS 8.0 | CWE-79 | MITRE ATT&CK T1185

Cookie stealing leading to direct administrative Account Takeover (ATO).

Business Impact: Administrative account takeover enabling platform-wide data manipulation and unauthorized access. Maps to OWASP A03:2021, NIST SP 800-53 SI-10.

Status: Fixed ✓

Broken Access Control (High)

CVSS 8.1 | CWE-284 | MITRE ATT&CK T1078

Unauthorized administrative endpoint access leaking sensitive PII records.

Business Impact: Unauthorized access to sensitive PII records with potential regulatory exposure under data protection laws. Maps to OWASP A01:2021, NIST SP 800-53 AC-3.

Status: Fixed ✓

Exposed Cloud & API Production Credentials (High)

CVSS 8.8 | CWE-312 | MITRE ATT&CK T1552.001

Hardcoded deployment environment secrets allowing third-party abuse.

Business Impact: Third-party service abuse, unauthorized cloud resource consumption, and supply chain compromise risk. Maps to NIST SP 800-53 SC-28, OWASP A02:2021.

Status: Fixed ✓

SEO Poisoning via Malicious Content Injection (Medium)

CVSS 6.1 | CWE-79 | MITRE ATT&CK T1491.002

Manipulated application response loops altering index ranking paths.

Business Impact: Search engine ranking manipulation, reputational damage, and malicious redirect exposure for end users. Maps to OWASP A03:2021.

Status: Fixed ✓

Insufficient Anti-Automation Controls (Medium)

CVSS 5.3 | CWE-307 | MITRE ATT&CK T1110

Lack of rate limits enabling automated authentication brute-forcing.

Business Impact: Credential stuffing and brute-force attack surface enabling mass account compromise. Maps to NIST SP 800-53 AC-7, OWASP A07:2021.

Status: Fixed ✓

Verification

Verification & References

Professional references and engagement verification available upon request for qualified opportunities. Bug bounty acknowledgments and disclosure timelines available via PK-CERT and relevant platform Hall of Fame records.

Contact Me

Get In Touch

Secure Mail Gateway

Click to initialize connection pipeline

aryanakbarjoyia@gmail.com