Vaibhav Barkade

Mumbai

Summary

Demonstrated expertise in web vulnerability research and responsible disclosure by identifying and reporting multiple security flaws in widely used software. Notable CVEs include:

  • CVE-2024-37818
  • CVE-2024-40342
  • CVE-2024-40343
  • CVE-2024-42600

Overview

5 years of professional experience
3 certificates

Work History

Sr Pentester

Deloitte USI
Mumbai
04.2023 - Current
  • Web Application Testing:
    Performed comprehensive penetration testing of web applications, identifying vulnerabilities such as injection flaws, cross-site scripting (XSS), insecure authentication, and business logic errors. Provided actionable remediation guidance to development teams.
  • Network, Active Directory (AD), and Cloud AD Security:
    Conducted thorough network penetration assessments, simulating internal and external attack scenarios to uncover weaknesses in network infrastructure.
    Led in-depth security reviews of on-premises Active Directory and cloud-based AD environments (e.g., Azure AD), mapping privilege escalation paths, detecting misconfigurations, and recommending improvements for identity and access management.
  • API Security Testing:
    Assessed RESTful and SOAP APIs for security issues including improper authentication, authorization flaws, injection vulnerabilities, and sensitive data exposure. Collaborated with developers to secure API endpoints.
  • Thick Client Application Testing:
    Executed penetration testing of thick client (desktop) applications, identifying issues such as insecure local storage, weak encryption, improper input validation, and vulnerabilities in client-server communication. Utilized reverse engineering techniques to analyze application logic and security controls.

Penetration Tester

Qseap InfoTech
Mumbai
07.2020 - 04.2023
  • Web Application Testing:
    Conducted comprehensive penetration testing of web applications, identifying critical vulnerabilities such as injection attacks, cross-site scripting (XSS), authentication weaknesses, and business logic flaws. Provided actionable remediation guidance to development teams to enhance application security.
  • Network Infrastructure and Active Directory (AD) Security:
    Performed thorough network infrastructure assessments, simulating both internal and external attack scenarios to uncover weaknesses in firewalls, routers, and network segmentation.
    Led security reviews of on-premises Active Directory environments, mapping privilege escalation paths, detecting misconfigurations, and recommending improvements for identity and access management.
  • Mobile Application Testing:
    Assessed the security of Android and iOS applications, identifying issues such as insecure data storage, improper platform usage, weak authentication, and vulnerabilities in mobile communications. Provided clear remediation steps and best practice recommendations to mobile development teams.
  • API Security Testing:
    Evaluated RESTful and SOAP APIs for security flaws including improper authentication, authorization bypass, injection vulnerabilities, and sensitive data exposure. Worked closely with developers to secure API endpoints and improve overall API security posture.
  • Thick Client Application Testing:
    Executed penetration testing of thick client (desktop) applications, uncovering issues such as insecure local storage, weak encryption, improper input validation, and flaws in client-server communication. Utilized reverse engineering techniques to analyze and test application logic and security controls.
  • Source Code Review:
    Performed detailed source code reviews for web, mobile, API, and thick client applications, identifying hidden security flaws and providing secure coding recommendations to development teams.
  • Delivered clear, prioritized technical reports and executive summaries, ensuring effective communication of risks and remediation strategies to both technical and non-technical stakeholders.
  • Enhanced internal testing methodologies and mentored junior team members, promoting a culture of continuous improvement and security awareness.

Cybersecurity Analyst (Intern)

Pristine InfoSolutions
Mumbai
09.2019 - 12.2019
  • Assisted in identifying vulnerabilities using security assessment tools and techniques.
  • Participated in incident response activities, documenting findings and actions taken.

Education

Bachelor of Education - Information Technology

Mumbai University, Mumbai
06-2019

Skills

Research and learning focus:

Binary Exploitation (Windows & Linux):

Proficient in advanced binary exploitation techniques on both Windows and Linux platforms, including:

  • Stack-based Exploitation:
    Skilled in crafting and leveraging stack-based attacks such as buffer overflows, Return-Oriented Programming (ROP) chains, ret2libc, and ret2plt to achieve arbitrary code execution or privilege escalation. Experienced in bypassing modern mitigations such as ASLR, DEP, and stack canaries.
  • Heap-based Exploitation:
    Experienced in exploiting heap memory management vulnerabilities, including classic and modern heap attacks. Familiar with advanced techniques such as House of Orange, House of Rabbit, House of Force, House of Spirit, and House of Lore for manipulating heap structures to achieve code execution or information disclosure.
  • Tooling & Debugging:
    Proficient with tools such as GDB, pwndbg, IDA, Ghidra, WinDbg, and pwntools for exploit development, debugging, and automation.
  • Mitigation Bypass:
    Knowledgeable in analyzing and bypassing common binary protections such as ASLR, NX/DEP, stack canaries, and SafeSEH.
  • EDR Bypass:
    Investigating advanced techniques for EDR (Endpoint Detection and Response) evasion, including both static and dynamic detection-bypass strategies.
    Researching and experimenting with attacks on kernel callbacks to disable or circumvent security monitoring mechanisms, with a focus on the process and thread creation callbacks used by EDR solutions.
    Utilizing Win32 APIs to facilitate EDR bypass, including methods for terminating or impairing EDR processes and evading detection through low-level system interactions.
    Exploring the use of kernel-mode drivers to interfere with security controls, such as manipulating or unregistering kernel callbacks to neutralize Microsoft Defender for Endpoint (MDE) and similar solutions.
    Integrating knowledge from the CEPT (Certified Expert Penetration Tester) course by Altered Security to develop and validate proof-of-concept techniques in real-world scenarios.

Certification

  • Offensive Security Certified Professional (OSCP)
  • Certified Red Team Professional (CRTP)
  • Certified Azure Red Team Professional (CARTP)
  • Rastalab (HTB)
  • Exploit Development (Udemy)
  • Malware Analysis and Reverse Engineering (Udemy)

Timeline

Sr Pentester - Deloitte USI
04.2023 - Current
Penetration Tester - Qseap InfoTech
07.2020 - 04.2023
Cybersecurity Analyst (Intern) - Pristine InfoSolutions
09.2019 - 12.2019
Mumbai University - Bachelor of Education, Information Technology

Affiliations

  • Participating in various CTF competitions

Programming Languages

  • C
  • C++
  • Python
  • x86 Assembly
  • Java
  • JavaScript

Tools

  • IDA Pro, WinDbg, x64dbg, Ghidra, Nessus, Burp Suite, Nmap, Checkmarx, Fortify, dnSpy, ILSpy, Impacket