Security Researcher & Penetration Tester

Parth Padhiyar

Tech Lead @ EY · 5+ yrs VAPT across web, API, mobile & cloud
3 CVEs published · AI security automation · OSCP candidate
450+ security assessments delivered

View Research Blog & CVEs → GitHub Medium
scroll
5+
Years Exp
450+
Assessments
3
CVEs
12
Repos
3
Blog Posts
EY
Tech Lead
/research

Vulnerability Research

Published CVEs discovered through responsible disclosure in production frameworks — from SQL injection to authentication bypass.

🔬 My research focuses on web application security, authentication mechanisms, and input validation flaws. I've identified critical vulnerabilities in widely-used CMS and web frameworks, with a growing interest in AI/LLM security and cloud security misconfigurations. All findings were responsibly disclosed and patched by the respective vendors.

CVE-2024-48814
Critical SQL Injection in Silverpeas CMS (v6.4). Unauthenticated attacker can execute arbitrary SQL queries through unsanitized search parameter — findByWhereClause function directly incorporated untrusted inputs into SQL statements.
CriticalSQLiCMS
CVE-2024-55470
Authentication Bypass in Oqtane Framework. Missing authorization checks allow privilege escalation — attackers can gain elevated access without valid credentials, compromising tenant isolation.
HighAuth Bypass.NET
CVE-2024-55471
IDOR in Oqtane Framework. Authenticated users can access resources and data belonging to other tenants due to missing object-level access controls — breaking multi-tenant isolation.
HighIDORPrivEsc
/blog

Technical Write-ups

Deep dives into vulnerability research, exploitation techniques, and security analysis — published on Medium.

CVE-2024-48814
When SQL Injection Strikes: Critical SQLi in Silverpeas CMS
A comprehensive breakdown of how we discovered, analyzed, and responsibly disclosed a critical SQL injection vulnerability affecting Silverpeas CMS v6.4 — including code-level analysis of the vulnerable findByWhereClause function and the inadequate CheckValueForInjection safeguard.
Jan 7, 2025 · 6 min read
CVE-2024-55471
Analyzing the IDOR Vulnerability in Oqtane Framework
Deep dive into an Insecure Direct Object Reference vulnerability in Oqtane Framework — how broken object-level authorization in a multi-tenant .NET framework can expose cross-tenant data access and the remediation strategies applied.
Jan 15, 2025 · 5 min read
CVE-2024-55470
Authentication Bypass in Oqtane Framework
Technical analysis of an authentication bypass vulnerability discovered in Oqtane's permission handling — how missing authorization checks at the framework level allowed privilege escalation without valid credentials.
Jan 15, 2025 · 5 min read
Read all on Medium →
/skills

Expertise

Battle-tested across 450+ assessments — from mobile instrumentation to cloud security reviews.

Penetration Testing

VAPTDASTSASTIAST Web AppAPI (REST/GraphQL)Mobile NetworkOWASP Top 10Business Logic

Cloud Security

AWS (IAM/S3/EC2/VPC)Cloud MisconfigPrivEsc OAuth2/OIDC/JWTSession MgmtAccess Control

Tools & Automation

Burp SuiteNessusQualysAppScan FridaMobSFNucleiKatana SQLMapffufDockerPython

DevSecOps & Code Review

CI/CD SecurityJenkinsGitLab CIGitHub Actions Java / .NETCheckmarxVeracode

Mobile Security

FridaMobSFMagiskReFlutter KernelSUCert Pinning BypassRuntime Instrumentation

Active Focus Areas

AI/LLM SecurityPrompt InjectionCloud (CCSP) DevSecOpsReverse EngineeringThreat Modelling
/timeline

Career Path

From IT infrastructure to enterprise security leadership.

Apr 2025 — Present
Tech Lead — VAPT
EY
Lead penetration testing engagements across web, API, mobile (Android/iOS), cloud (AWS). Exploit auth bypass, IDOR, OAuth2/OIDC flaws. Direct technical quality for enterprise clients. Team lead of 5 senior testers. Built AI-driven VAPT automation tooling.
Jun 2021 — Mar 2025
Senior Security Analyst / Consultant
iAppSecure Solutions
450+ security assessments. Led source code reviews (Java, .NET) with custom SAST rule-writing. Created SharePointDirBuster tool. Mentored 5-10 analysts. Dedicated security consultant for a financial institution's full security portfolio.
Jun 2018 — Jun 2021
IT Manager
The South International School
Designed end-to-end IT/network infra — LAN/WAN, VLAN segmentation, firewalls, AD, IP surveillance. Hosted/secured on-prem web servers with SSL. Regular security testing for PII data protection.
/projects

Open Source

Security tools and utilities I've built for the community.

📦pyservx
HTTP file server with QR code, retro terminal UI, and zero-config sharing — published on PyPI.
⭐ 1Python
file-serverhttp-serverqrcode
📄pentest-report-generator
Automated pentest report generation with customizable templates and executive summaries.
JavaScript
🔍SharePointDirBuster
Identify anonymous page access in Microsoft SharePoint — uncover hidden security gaps.
⭐ 1Python
+ View all 12 repositories
/lab

Security Lab

Live hosted tools available on subdomains.

📱
MOBSF
Mobile Security Framework
🎯
DVWA
Web vulnerability practice
📋
AI VAPT Reporter
AI reporting tool
🛡️
Valkyrie
Security monitoring