Who I Am
Not a theoretical learner — a hands-on security professional.
I'm Shreyas K U, a final-year engineering student and Application Security Intern at Accenture. I specialize in finding and documenting vulnerabilities in web applications.
My daily work involves conducting DAST assessments using Burp Suite Pro, identifying OWASP Top 10 vulnerabilities, and producing professional-grade security reports. I've documented 25+ vulnerabilities across multiple applications — with real Burp screenshot evidence.
A full-stack development background (React, Node.js, MongoDB) gives me a builder's eye for how these apps actually work — and where they break. Contributor to Equifax's Vulnerability Disclosure Program (VDP).
I'm based in Bangalore, Karnataka, India and actively looking for full-time AppSec roles, freelance penetration testing engagements, and security consulting opportunities.
Where I Work
Currently doing real-world application security at a Big 4 firm.
- DAST on an enterprise insurance platform (ALIP NYL) using Burp Suite Pro — 5 OWASP Top 10 vulnerabilities identified and documented with CVSS ratings and remediation steps
- IDOR via account ID parameter tampering, SQL injection login bypass, WEB-INF path traversal, outdated Apache Tomcat (CVE-2005-2090), missing HSTS/CSP headers
- 6-phase internal penetration tests in an isolated Kali Linux lab — recon (Nmap, Maltego, theHarvester), scanning (Nikto, dirb), exploitation (Metasploit, Hydra), post-exploitation (LinPEAS, Meterpreter)
- Phishing simulations (GoPhish, SET), ARP poisoning (Bettercap), and payload generation (MSFvenom) in a controlled lab environment
- Developed and deployed full-stack web applications using React, Node.js, Express, and MongoDB
- Secure REST API design — input validation and JWT-based authentication
- Built reusable UI components and backend services; collaborated across design, development, and QA phases of the SDLC
Proof of Work
Real assessments, real vulnerabilities, real reports — not just CTF writeups.
Altro Mutual — DAST Assessment
CompletedFull dynamic application security assessment of a banking/financial web application. Identified 6 vulnerabilities with OWASP 2025 mapping, detailed impact analysis, and remediation recommendations.
USociety / VulnWebApp — Security Audit
CompletedComprehensive security audit of an intentionally vulnerable web application. Combined dynamic testing with Burp Suite and static analysis using Bandit on Python source code.
PJ Bank — Udacity Pentest
CompletedCapstone penetration test for Udacity's Application Security course. Full-scope 6-phase pentest across 4 targets — OSINT, RCE via a vulnerable WebDAV module, SSH key exfiltration via directory brute-forcing, and SSH brute force on a payroll server.
OWASP Juice Shop — Vulnerability Analysis
CompletedComprehensive vulnerability analysis of the OWASP Juice Shop — an intentionally insecure web application. Documented multiple OWASP Top 10 vulnerabilities with exploitation proof and remediation guidance.
devhance.in — Repo to Case Study Tool
CompletedLive SaaS tool that converts GitHub repositories into VC-style technical case study reports. Implemented authentication, rate limiting, input sanitization, and secure API key handling.
ExampleCorpNet — Home Pen Testing Lab
ActiveSelf-built penetration testing lab on VirtualBox with a custom network (10.10.10.0/24). Used for hands-on ethical hacking skill development and Linux exploitation practice.
Tools & Expertise
The techniques, tools, and knowledge I bring to every engagement.
Real Vulnerabilities Found
Actual security issues identified during professional assessments — with OWASP 2025 mapping.
| # | Vulnerability | Severity | OWASP | Endpoint | Technique | Tool |
|---|---|---|---|---|---|---|
| 01 | Broken Access Control — IDOR on Account Listing | High | A01:2025 Broken Access Control | /bank/showAccount?listAccounts=800001 | Parameter tampering to access another user's financial data | Burp Repeater |
| 02 | SQL Injection — Authentication Bypass | High | A05:2025 Injection | /doLogin | Classic auth bypass SQLi via username field — no input sanitization | Burp Repeater |
| 03 | Plaintext Password Transmission | High | A04:2025 Cryptographic Failures | /doLogin | Password visible as plaintext in HTTP request body | Burp Proxy |
| 04 | Sensitive Information Disclosure via Verbose Error | Medium | A02:2025 Security Misconfiguration | /index.jsp?content=../WEB-INF/web.xml | Path traversal causing verbose error exposure | Burp Repeater |
| 05 | Outdated Apache Tomcat with Known CVE | Medium | A03:2025 Supply Chain Failures | Server Header | CVE-2005-2090 — HTTP Request Smuggling | Burp Proxy |
| 06 | Missing Security Headers | Low | A02:2025 Security Misconfiguration | All Responses | Absent HSTS, CSP, X-Content-Type-Options headers | Burp Proxy |
/bank/showAccount?listAccounts=800001/doLogin/doLogin/index.jsp?content=../WEB-INF/web.xmlServer HeaderAll ResponsesLearning & Credentials
Structured formal training alongside hands-on professional work.
Cybersecurity Fundamentals 101 completed — actively climbing the leaderboard
Practical junior penetration tester certification — actively pursuing
Entry-level security certification — actively pursuing
Internal AppSec training — DAST methodology & OWASP mapping
Capstone: PJ Bank penetration test report
Let's Work Together
Looking for a security professional? I'm available for full-time roles, freelance pentesting, and security audits.
Whether you need a penetration test for your web application, a comprehensive security audit, or you're hiring for an AppSec role — I'd love to connect. I bring real-world Accenture experience, professional-grade reporting, and a proof-driven approach to every engagement.
Prefer email? Reach me directly — I typically respond within 24 hours.
shreyasku31@gmail.com