## https://sploitus.com/exploit?id=20291B1A-76F5-54D4-ADC4-F5ACA03E0FB7
# Vulnerability Research & Responsible Disclosure
**Shivam Pajiyar** | [LinkedIn](https://linkedin.com/in/shivampajiyar) | [GitHub](https://github.com/shivampajiyar)
Independent security research conducted in 2021 across web applications and IoT devices. All findings were reported responsibly to the affected vendors before public documentation.
---
## Disclosures
| Target | Vulnerability | Severity | Status |
|--------|--------------|----------|--------|
| [Gyapu](./gyapu/gyapu-account-takeover.md) | Auth bypass via password reset brute force โ full account takeover | Critical | Acknowledged |
| [D-Link DCS-2530L](./dlink/dlink-credential-disclosure.md) | Credential disclosure + authentication bypass on IoT cameras | Critical | Reviewed by D-Link CISO |
| [Samsung](./samsung/samsung-csp-xss.md) | CSP misconfiguration enabling XSS on production domain | Medium | Acknowledged by Samsung InfoSec |
---
## Research Areas
- Authentication & session security flaws
- Rate limiting and brute force protections
- IoT device security and firmware exposure
- Web application header misconfigurations (CSP, XSS)
- Responsible disclosure methodology
---
## Methodology
All research was conducted on:
- Systems I owned or had explicit permission to test (IoT lab devices)
- Publicly accessible web endpoints (no authentication required to reach them)
- In compliance with responsible disclosure principles โ vendors notified before any public documentation
No user data was accessed, exfiltrated, or retained. Proof-of-concept demonstrations were limited to what was necessary to confirm the vulnerability.
---
## Tools Used
- **Burp Suite** โ HTTP interception, request manipulation, intruder for brute force testing
- **Browser DevTools** โ Header inspection, console-based XSS testing
- **Nmap** โ Network exposure identification
- **Wireshark** โ Traffic analysis
---
*GIAC Certified Incident Handler (GCIH) | GIAC Security Essentials (GSEC, 97%) | GIAC Advisory Board Member*