Today, E Hacking News interviewed security researcher and well-known bug hunter Rafay Baloch, who is listed in a number of Halls of Fame and has received rewards from Google, PayPal, Nokia and other companies that run bug bounty programs.
1. Introduce yourself
Well, my name is "Rafay Baloch". I am the admin of http://rafayhackingarticles.net. My primary interests include security research, penetration testing and blogging. Right now I am doing my bachelor's in computer science at Bahria University, Karachi.
2. How did you get into Information security field?
Well, from my childhood days I was interested in information security; however, if you are asking about the serious part, it has been around 3 years since I started researching in this field.
3. When did you start Bug hunting?
I started bug hunting at the end of July 2012, when I saw Microsoft's responsible disclosure page; that's where I started hunting bugs.
4. What vulnerabilities have you discovered so far in your career as a Bug Hunter?
There are so many I cannot remember, as I hunt for them every day. Almost all vulnerability types related to web application security, i.e. RCE, LCE, RFI, LFI, arbitrary file upload, SQL injection, XSS, etc.
Usually I find zero-days and keep them private for testing purposes; however, I do release some of them periodically. You can check out my Packet Storm profile.
5. What is your first finding, and how did you feel at that time?
I really don't remember, but my first big finding was an XSS vulnerability inside Microsoft India. I also reported an HTTP parameter pollution vulnerability along with it.
6. What is the favorite vulnerability found by you?
My favorite vulnerability was the remote code execution vulnerability I found last year inside PayPal. I had access to very sensitive stuff: the PayPal subdomain was behind a JBoss server, and I was able to bypass the authentication and upload my backdoor to execute commands. PayPal paid me $10,000 for it, though if I had found it inside Google they would have paid me $20,000.
Along with it, they offered me a job as a senior security pentester. I was not able to go there due to my studies, as I mentioned before that I am still doing my bachelor's.
7. How much have you earned so far from Bug hunting?
I would prefer to keep it confidential, but it's somewhere in the 5 digits.
8. You're hunting bugs for fun, for profit, or to make the world a safer place?
Well, honestly, a little of everything. First of all, I don't only hunt vulnerabilities on websites that have bug bounty programs; I also report to websites that do not have them, some to get listed in responsible disclosures and of course to make the world a better place.
9. What are your future plans?
I am currently working on http://services.rafayhackingarticles.net, where I would be launching my own penetration testing company. Along with it, I would soon be conducting some workshops related to ethical hacking and penetration testing. From an educational perspective, I am planning to sit my CCNP Switch paper this month.
10. What is your advice for new bug hunters?
For new bug hunters, I would say that the competition now is very high; almost every site having a bug bounty program has been researched by lots of researchers, so you won't be lucky with automated tools like Acunetix or Netsparker. Therefore, try to look for the acquisitions and subdomains, go into places where no one has probably been before, and try to do some unexpected things. You would have much, much more chances of
11. What do you think about E Hacking News?
E Hacking News brings up good content; however, what I would suggest is to be more frequent with the website. It seems that you are alone doing the work; any successful news website would have tons of authors writing the content. In this way, more people would subscribe to you.
12. Thanks for the advice. Is there anything else you want to add?
Just one thing: lots of companies have come up with responsible disclosures and halls of fame, attracting security researchers to look at their websites for free. However, this would be decreasing the scope of paid penetration tests, hence it would devalue it. Hence, I think we should all come up with a thing called "No-FREE BUGS".