AYESHA ATTARIA
Web Application & API Penetration Tester
*****************@*****.*** +92-317******* Multan, Punjab, Pakistan LinkedIn: linkedin.com/in/ayeshaattaria-penetrationtester
PROFESSIONAL SUMMARY
Results-driven Web Application & API Penetration Tester with 3+ years of hands-on experience in manual security testing, bug bounty hunting, and vulnerability research. Ranked #5 globally at Bugcrowd x Black Hat USA International CTF 2025. Skilled in identifying business logic flaws, authentication bypasses, IDOR/BOLA, and API vulnerabilities aligned with OWASP Top 10 and API Security Top 10. Holds multiple Hall of Fame recognitions from Google, Pinterest, OPPO, and others. Experienced in delivering clear, risk-scored, dev-actionable security reports for B2B SaaS startups, helping them meet SOC 2, PCI-DSS, and DORA compliance requirements before audits and investor due diligence.
CORE TECHNICAL SKILLS
• Penetration Testing: Web Application, REST API, GraphQL API, SaaS Platforms, Payment Flow Security
• Vulnerability Classes: IDOR/BOLA, Broken Access Control, Authentication Bypass, Business Logic Flaws, SSRF, XSS, CSRF, CORS, Injection, Session Management, Insecure Deserialization
• Frameworks & Standards: OWASP Top 10, OWASP API Security Top 10, PTES (Penetration Testing Execution Standard)
• Recon & Enumeration Tools: Subfinder, ffuf, Nuclei, Burp Suite (Pro), OWASP ZAP
• Development & Scripting: Python, JavaScript, and PHP, used for PoC development and tool building
• Reporting: Professional vulnerability reports with impact analysis, PoC exploits, and developer-friendly remediation guidance
• Compliance Awareness: SOC 2, PCI-DSS, DORA security requirements
PROFESSIONAL EXPERIENCE
Penetration Tester (Internship) Resecurity Infosec Pvt. Ltd. May 2026 – Present
• Conducted manual web application and API penetration tests aligned with OWASP Top 10 to identify real-world critical security vulnerabilities
• Mapped attack surfaces using Subfinder, ffuf, and Nuclei to discover exposed endpoints, subdomains, and entry points
• Developed clear Proof-of-Concept (PoC) exploits to safely demonstrate vulnerability impact to development teams
• Translated technical security findings into developer-friendly remediation guidance within a professional security team environment
Bug Bounty Hunter YesWeHack (Public & Private Programs) June 2025 – Present
• Identified and responsibly disclosed OWASP Top 10 vulnerabilities including Broken Access Control, IDOR, SSRF, Broken Authentication, and Injection flaws across live targets
• Performed API security testing on REST endpoints, checking authentication, authorization logic, rate limiting, and data exposure per OWASP API Security Top 10
• Conducted subdomain enumeration and attack surface discovery using Subfinder, ffuf, and Nuclei
• Produced structured vulnerability reports with severity ratings, business impact analysis, and step-by-step PoC
Bug Bounty Hunter Standoff365 (Public & Invite-Only Programs) Dec 2024 – May 2026
• Specialized in authentication bypasses, business logic vulnerabilities, and API misconfigurations frequently missed by automated scanners
• Followed structured penetration testing methodology: scoping, passive recon, active enumeration, vulnerability identification, exploitation, and responsible disclosure
• Maintained consistent participation across multiple programs while adhering to program-specific disclosure policies
NOTABLE SECURITY PROJECTS
SaaS Platform Security Assessment
• Performed a comprehensive black-box penetration test on a live SaaS web application, uncovering a chain of misconfigurations that collectively exposed the entire application infrastructure including full .git repository exposure, database & third-party API credentials, and customer data to unauthenticated attackers. Delivered a structured report with business impact analysis and prioritized remediation roadmap.
Crypto Platform Security Assessment
• Conducted an in-depth manual security assessment of a cryptocurrency organization's web application, identifying critical authentication and session management weaknesses that could enable unauthorized account takeover and financial fraud. Findings spanned the full authentication lifecycle from login and 2FA to OAuth flows and session termination and were accepted across multiple severity levels including Critical.
REST API Security Assessment (Multi-Target)
• Assessed the security posture of multiple REST API targets across authentication, authorization, data protection, and business logic layers. Identified high-impact vulnerabilities including insecure object-level access controls, sensitive data exposure via API responses, and hardcoded credentials embedded in client-side assets. Findings were documented with full PoC and developer-ready fix guidance.
ReconX – Reconnaissance & Attack Surface Mapping Tool
• Developed a Python-based reconnaissance platform automating subdomain discovery, endpoint enumeration, technology fingerprinting, and asset intelligence gathering
• Tech stack: Python, Kali Linux, VS Code, GitHub; designed to support web application penetration testing workflows
COMPETITIVE ACHIEVEMENTS & HALL OF FAME
• Ranked #5 Globally — Bugcrowd x Black Hat USA International Cybersecurity CTF 2025 (Team: Dark Army, 7,375 points)
• Ranked #18 Globally — Iran Tech Olympics International CTF 2025; first & only Pakistani girl to qualify for on-site finals in Tehran
• Top 100 Winners — BlackHat Middle East & Asia International Cybersecurity CTF 2025
• Hall of Fame: Google, Pinterest, OPPO, OZON, Ziverr, VK (recognized for responsible vulnerability disclosures)
CERTIFICATIONS
• Certified Cybersecurity Educator Professional (CCEP)
• Certified Red Team Operations Management (CRTOM)
• Certified Bug Bounty Hunter (CBBH – Path completed)