Security vulnerability research & remediation
Found and fixed 4 severe server-side vulnerabilities out of own interest — including an RCE that gave full production server access — plus Angular upgrade and plugin migration.
RCE on production server prevented · All vulnerabilities verified legitimate
The problem
ACCELQ is an enterprise automation platform used by financial institutions, healthcare companies, and Fortune 500 companies — all with serious data security requirements. No systematic security review had been performed. Siddhartha took the initiative to audit the platform out of his own interest, applying a black-box attacker mindset to his own codebase.
What I built
Identified, documented, and fixed four severe server-side vulnerabilities:
1. Remote Code Execution (RCE) via .war upload: The manual run attachment API accepted file uploads without restricting the destination. Uploading a .war file directly to WildFly's deployments directory caused the application server to deploy and execute it. "By exploiting this vulnerability, it was possible to take control over the production servers completely." Fixed by restricting file types and upload destinations.
2. Arbitrary file read/write: The screenshot fetch API and manual run attachment API could be used to read and write arbitrary files on the server via path traversal. Fixed with strict path validation.
3. SQL Injection via URL parameter: The tenant_code path parameter was interpolated directly into SQL queries without sanitisation. "It was possible to update data / drop all tables from the database." Fixed with parameterised queries.
4. Server-Side Request Forgery (SSRF): The API connect modal could be used to make arbitrary internal network requests from the server. Fixed with URL allowlisting.
Also prepared the 2020 VAPT documentation. In 2022–2023: upgraded Angular from 1.3.2 to 1.8.3 as a security patch in a single day. Migrated MultiViewCapture plugin from Angular to Vue (security risk score on crxcavator.io: 323 → 161) in 2 working days without breaking any use case.
Approaches considered
Architecture
Black-box approach: tested every file upload endpoint for path traversal and type bypass → tested URL parameters for injection → tested connection endpoints for SSRF → documented each finding with reproduction steps, impact assessment, and fix. All fixes verified with retest before marking closed.
Result
All reported vulnerabilities confirmed legitimate by senior team members. Production servers secured before any exploitation. The RCE was the most critical: full server compromise was possible via a normal-looking API endpoint. MultiViewCapture security risk score on crxcavator.io: 323 → 161. No security incidents since remediation.