All work
SecuritySep 2020 – Sep 2021

Security vulnerability research & remediation

Found and fixed 4 severe server-side vulnerabilities out of own interest — including an RCE that gave full production server access — plus Angular upgrade and plugin migration.

RCE on production server prevented · All vulnerabilities verified legitimate


The problem

ACCELQ is an enterprise automation platform used by financial institutions, healthcare companies, and Fortune 500 companies — all with serious data security requirements. No systematic security review had been performed. Siddhartha took the initiative to audit the platform out of his own interest, applying a black-box attacker mindset to his own codebase.

What I built

Identified, documented, and fixed four severe server-side vulnerabilities:

1. Remote Code Execution (RCE) via .war upload: The manual run attachment API accepted file uploads without restricting the destination. Uploading a .war file directly to WildFly's deployments directory caused the application server to deploy and execute it. "By exploiting this vulnerability, it was possible to take control over the production servers completely." Fixed by restricting file types and upload destinations.

2. Arbitrary file read/write: The screenshot fetch API and manual run attachment API could be used to read and write arbitrary files on the server via path traversal. Fixed with strict path validation.

3. SQL Injection via URL parameter: The tenant_code path parameter was interpolated directly into SQL queries without sanitisation. "It was possible to update data / drop all tables from the database." Fixed with parameterised queries.

4. Server-Side Request Forgery (SSRF): The API connect modal could be used to make arbitrary internal network requests from the server. Fixed with URL allowlisting.

Also prepared the 2020 VAPT documentation. In 2022–2023: upgraded Angular from 1.3.2 to 1.8.3 as a security patch in a single day. Migrated MultiViewCapture plugin from Angular to Vue (security risk score on crxcavator.io: 323 → 161) in 2 working days without breaking any use case.

Approaches considered

External penetration testing firm — standard approach but expensive, infrequent, and often surface-level without deep application knowledge
Automated scanning tools (OWASP ZAP, Burp Suite scanner) — useful but miss business logic vulnerabilities like the RCE via the legitimate upload endpoint
Manual black-box testing with application knowledge — chosen: finds vulnerabilities automated tools miss; the RCE required knowing that WildFly auto-deploys from a specific path

Architecture

Black-box approach: tested every file upload endpoint for path traversal and type bypass → tested URL parameters for injection → tested connection endpoints for SSRF → documented each finding with reproduction steps, impact assessment, and fix. All fixes verified with retest before marking closed.

Result

All reported vulnerabilities confirmed legitimate by senior team members. Production servers secured before any exploitation. The RCE was the most critical: full server compromise was possible via a normal-looking API endpoint. MultiViewCapture security risk score on crxcavator.io: 323 → 161. No security incidents since remediation.

SecurityRCESQLiSSRFPen TestingVAPT
Back to all work