An Interesting Interview with Security Researcher & CTO of Defencely.com: Atul Shedage

E Hacking News had an interesting interview with Atul Shedage, a security researcher and CTO of Defencely.com. Here we go.

1. Please Introduce yourself to EHN's readers

Hello EHN World, let me take this fragment of a moment to thank you all for this interview. That being said, I’m Atulkumar Hariba Shedage from Maharashtra – Pune. But you can call me “Atul”, as I am mostly known by my short name in the online world.

I am currently assigned as the CTO (Chief Technology Officer) at Defencely. It is an online platform for detecting, reporting and fixing website vulnerabilities for clients from all over the globe. Nothing pleases us more than being able to render our skills for popular companies, such as:

  • Google
  • GitHub
  • ZenDesk
  • RedHat
  • PayPal
  • Apple
  • Zendesk
  • Zynga

At the moment, I am in the middle of pursuing my academic career in Masters of Computer Science from Pune University. Besides pushing in boring assignments and taking notes, hacking and critically analyzing online security vulnerabilities is my second passion.

2. Why did you choose to become a security researcher?

Hmmm… this security researcher field wasn’t really planned. I’d say it was my destiny to become known in the online security field. Upon enrollment in the Bachelor Degree program, I had hopes of being one of the best web designers or programmers for that matter.

Back in 2008, I met this guy: Anil, who, later on, befriended me. He gave me the idea of giving online security a shot. As they say, “You ain’t got nothing to lose if you are going to try.” I put my hunches ahead of me and started taking introductory tutorials from every possible source.

Before you know it, I was drenched in the passion of creating or doing something worthwhile in this field, which is why we are having this interview. Fate and hard work brought me here; destiny brought us face to face.

3. Tell me something about www.Defencely.com

Defencely is completely different than any automated website scanning or monitoring service. That’s because we take steps to secure your website before something goes wrong, rather than trying to pinpoint and clean up the mess after the fact. Our security experts have been trusted by dozens of top corporations, Fortune 500 companies and small businesses around the world to provide flexible, lightning-fast responses to security threats the moment they’re found.
What really matters is how we operate and render our services – these two elements are the crux of helping us signify ourselves. Defencely believes that nothing on the Internet is secure, which is the first and the foremost rule of online security services.

Secondly, we not only detect vulnerabilities, but we also provide long lasting solutions / fixes to them. On common grounds, any web security company can detect vulnerabilities. They can get small time scanner software to take the sting out of “manual labor”, if you’d like to put it that way. The Defencely team, on the other hand, is able to fix and detect vulnerabilities because of its robust knowledge base and real life experience of dealing with such situations.

4. What's your research that makes you especially proud?

Something that has made me proud…? Hmmm <scratching my chin>. I can’t or maybe I don’t want to say for sure about what has made me truly proud… yet. I believe that one can only feel proud when he or she has indeed achieved a lifelong goal.

However, I did stumble upon moments of happiness and rejoicing. For instance, being able to talk to big online companies about gaping holes in their security systems, contacting big shots such as “Adam” from Google’s security panel, getting acknowledgements from the ZenDesk security team and vice versa – this is what is taking the Defencely team and myself to an unknown destiny in the skies above.

Overall, it is a killer experience.

5. What advice would you give a website admin to secure their site?

As stated a little while ago, there is no such thing as security. Once your product or website has gone live, it is always exposed to unknown threats from all over. I would implore web admins to secure their websites by hiring able security researchers to help stop any possible damages.

Yes, it is true that you can never secure anything to a 100% extent. But, if adequate steps are taken, you can prevent a great deal of hassle in the long run. Also, your security levels will reach a point where so called hackers would have a hard time breaching all the parameters.

6. How did you step into the Information Security field?

It was year 2008; I was freshly enrolled in the BSC 1st Year Degree Program. Within a few months of meeting new people, the subject of online security piqued my interest way too much. I had to do something about it.

I joined forums, read stuff at Google, trained myself through various web security tutorials and never looked back. It was those hours of sheer self-motivation, endless nights of reading, watching and self-mentoring, which eventually paid off in huge dividends.

I also followed a couple of security researchers at Twitter, and made friends with some very interesting individuals. I am thankful to everyone for believing in me and supporting me throughout those tumultuous times.

7. What vulnerabilities have you discovered so far in your career as a Security Researcher?

I have gone through the OWASP Top 10 vulnerabilities, ClickJacking incidents, the WASC 26 Vulnerability Classes, etc. Practically speaking, I don’t limit my knowledge to a particular set of vulnerabilities, as I try to learn and discover something new each day.

These days, I’m mostly focusing on collaborating with Defencely and 0 Day Vulnerabilities. So far, the result and the feedback have been quite good. We also reported some vulnerabilities in WordPress Plugin and a Gallery Project that was patched right after we sent notifications to the developers.

8. Where do you see Defencely in a few years?

Right now, it is still too early to say where Defencely would be in a few years. Things look very bright and there are no worst-case scenarios to foresee. The reason is that Defencely excels where others don’t. We are all backed up by very supportive individuals and a set of minds that are extremely proficient in their relevant fields.

Like I said before, it takes knowledge of the unknown and vast experience to report those vulnerabilities that aren’t even discovered yet. We don’t work a lot with scanners. Manual man hours and lots of hard work are going to take Defencely to new heights of stardom in the tech niche industry. The next few years are absolutely going to be rewarding, and awesome.

I have strong faith in the leadership of Ritesh Sarvaiya, who is CEO of Defencely.com, and with his vision I look forward to seeing Defencely grow in leaps and bounds in the years to come.

9. What is your advice to newbies who are interested in the PenTesting field?

Newbie testers and ethical hackers are strongly advised to stay motivated. As a friend, I am telling you guys to never give up on your dreams. Keep learning and keep looking for answers. I know it is very easy to partake in words of wisdom but I have experienced adversity in my life.

The key to remaining successful in online security field or anything is to believe in what you’re doing. Believe in your goals wholeheartedly as if your entire life depends on them. By the way, join forums, engage in talking to security panel members and start by reporting vulnerabilities for the sake of helping other individuals on the internet.

Soon you will start getting recognition.

If you guys need any kind of extended support from my end, do not hesitate to connect with me on Facebook, Twitter & LinkedIn.

10. It is nice to talk to you. What do you think about E Hacking News?

I think that with a staggering 18K + Facebook users, a constantly updated content database and lots of interesting information, ‘E Hacking News’ is aggressively doing the right thing. You guys are one of the few who believe in creating a buzz with actual reports and not just filler articles.

I’d love for ‘E Hacking News’ to go beyond the horizon and get more recognition from the entire World Wide Web Community. Thank you Sabari and two thumbs up to you for undyingly pursuing your goals on the internet.

11. Is there anything else you like to add?

I’m glad you asked this question. Without mentioning a few names, I would be feeling ethically impugned, which is why I need to give credit where it is due.

Let me thank Mr. Ritesh A. Sarvaiya, CEO and Founder of Defencely. With his ingenious thinking skills and a drive to find new talent, Ritesh is always on the verge of creating something new. I believe that he has the brain of a whizz kid because of the way he has been creating teams and helping people discover their true potential.

Following that, I’d like to thank Mr. Rahul Varshneya. He is a Defencely Advisory Board Member. But trust me, Rahul’s position goes beyond that of an advisor. He has more than a decade of pure entrepreneurial skills, a knack for mentoring and for helping startup businesses get up on their feet.

Rahul is currently administering several ongoing projects and businesses. There is Arkenea Technology, a partner to entrepreneurs and clients, who seek professional help concerning mobile apps and businesses. Then there is his invite only membership to the ‘YEC – Young Entrepreneurs Council’, which he is using to guide bright minds.

Mr. Rahul Varshneya is also a writer, and a pretty good one at that. He is a published author at ‘Under30CEO’, Entrepreneur.com and VentureBeat. His experience is indeed enlightening for digital marketers and various internet-based brands.

Finally, there’s Bilal Malik, who is designated at Defencely as our ‘Lead Content Manager’. Mr. Ritesh scooped him up after believing in his talents at the break of their first online encounter.

Anything that needs to go down in written form is always run by this guy. Be it documentation, haphazard survival guides for security service seekers, PRs – I mean anything. Merely calling Bilal a writer would probably be unnerving for us.

All other members of Defencely and people from the technical departments are equally acknowledged. Without you guys, and without an amazing team, I wouldn’t have been here today working together as brothers in arms.

Sabari, it was fun answering all your questions. My regards to you and your loved ones. Have a great day.

An Interview with Bug Bounty Hunter M.R. Vignesh Kumar, from Tamil Nadu

Hello E Hackers, today E Hacking News interviewed one of the best bug bounty hunters, Vignesh Kumar, who is listed on all the Hall of Fame pages, including Google's and Twitter's, and has been rewarded by a lot of companies for his findings.

1. Introduce yourself
Hi, I am Vignesh Kumar from Tamil Nadu, INDIA. I hold a Bachelor of Engineering in Electrical Engineering and am, in addition, an Information Security enthusiast and budding Bug Bounty Hunter.

2. You are an Electrical Engineer. How did you get interested in the Information security field?
Yes, I am. But I am more obsessed with Electronics and Networking. Also I have a huge passion for Information security too. I was introduced and inspired into "Bug Bounty Hunting" by one of my close friends, Ahamed Nafeez (@skeptic_fx).

3. When did you start Bug hunting?
Around 5 months ago. But started in full swing from the last 3 months.

4. I have seen your name in lots of Hall of Fame, I am really proud to have you as my friend. How did your Parents/Friends react when you got rewards?
Thank you so much for your compliments. At the outset, I would like to thank my Family and all my Friends for all their support and encouragement. Well, when I received my first Bug Bounty (cash reward), I told my friends about it and they looked at me like I was a Cyber Criminal. After I explained the “Bug Bounty Program” to them with a “Proof of Concept”, I could see smiley faces. No wonder!! Even many IT Geeks aren’t aware of the term “Bug Bounty”. Awareness is necessary.

5. What vulnerabilities have you discovered so far in your career as a Bug Hunter?
The vulnerabilities categorized by The OWASP Foundation.

6. What is your first finding, how did you feel at that time?
I can barely remember the exact first one. But whatever it was, it really had driven me to dig more deeply into it.

7. What is the favorite vulnerability found by you?
Each and every one of the vulnerabilities I found in Top Ranked Sites, which include Facebook and Twitter, is my favorite. As you know, finding bugs in Top Internet Giant sites like Google, Facebook and Twitter will be really hard in the upcoming days, since thousands of researchers are into it. I would like to rephrase a nice quote said by some researchers: “Not only Ninja Skills, but also you must have an Eagle Eye to hunt for Bugs”. Well said.

8. You're hunting bugs for fun, for profit?
Actually, a bit of both. Beyond those, you can gain more knowledge from all around and develop your own skill set, which is primary. Also I am glad that I have earned good friends around the world from this Bug Bounty program.

9. What are your future plans? Electrical Engineer or Information Security Researcher?
Obviously, Electrical/Network Engineer it is. And I believe I have the potential to handle multitasks. So I would continue my InfoSec Research too, either as an Independent or as a Team.

10. What is your advice for new bug hunters?
Well, that question is for Experts, which I am not. I am a Beginner too. But from my experience, I may have a few things. “Bug Bounty Hunting” is totally competitive. You shouldn’t jump into this one just by aiming at money. Have a thirst for gaining knowledge, which will fetch you HOFs, money and all. Don’t feel depressed when you fail the first few times. Learn to the core and keep hunting, which will definitely fetch you the rewards. Follow the InfoSec experts on Twitter/Facebook and try learning new hunting methodologies from their personal blogs. Moreover, patience is highly recommended if you are a beginner. Once you jump in, you will get used to it.

11. What do you think about E Hacking News?
E Hacking News (EHN) is doing a great job and it is one of the best IT Security/Hacking News portals I have ever come across. I must appreciate your efforts in bringing the real news on IT Security from around the world to all the Readers. I must also mention BreakTheSecurity.com, which has a handful of tutorials on Penetration Testing & Ethical Hacking for Beginners. Kudos to your efforts!! I would suggest continuing the publication of the monthly Security Magazine from EHackerNews.

12. Is there anything else you want to add?
Nothing else I have. I wish all Bug Hunters very good luck in their hunting and a bright future. Thank you, Mr. Sabari Selvan, for this opportunity to share my experience with all. Thanks everyone!!

Cross Site Scripting Vulnerability In Times of India and NDTV


A security researcher, Vedachala from ICD, has identified a cross-site scripting security flaw in the website of the Times of India, one of the most famous newspapers.

The Times of India is one of the leading newspapers, bringing the latest and top breaking news on politics and current affairs in India and around the world, cricket, sports, business, Bollywood news, etc.

POC [Unfixed] :
http://epaper.timesofindia.com/Daily/skins/TOI/welcome.asp?QS="><iframe src="http://www.breakthesecurity.com" width=2000 height=900>

The researcher also found an XSS vulnerability in the NDTV Good Times website. NDTV Good Times is the flagship channel of NDTV Lifestyle, part of the NDTV Group.

POC [Unfixed] :
http://goodtimes.ndtv.com/video/video.aspx?id=52733"><iframe src="http://www.breakthesecurity.com" width=2000 height=900>

Recently the researcher also found XSS vulnerabilities in popular sites like Airtel, ooowebhost, IBN CNN, etc.

Time Now Tv & Shiksha Official Websites Vulnerable To XSS Security Flaw

A 21-year-old information security expert, Narendra Bhati (R00t Sh3ll The Untracable) from Sheoganj, Rajasthan, who was recently acknowledged by Acquia.com and has also found many persistent XSS flaws and one SQL injection in a bank website, has discovered a non-persistent XSS security flaw in the official websites of Shiksha.com, Times Of India and News Bullet, a subdomain of the Start News channel.

Narendra Says- Kailash Bhayya ,Ravi Sir & Sabari Sir This Is For You :-)

Shiksha.com is part of the naukri.com group, India's No.1 job portal. Other portals owned by its parent company, Info Edge, are 99acres.com, JeevanSathi.com, Brijj.com and AskNaukri.com.

TIMES NOW (timesnow.tv) is a leading 24-hour English news channel that provides urbane viewers with the complete picture of the news that is relevant, presented in a vivid and insightful manner, which enables them to widen their horizons and stay ahead.

In all these websites, the search fields were found to be vulnerable to XSS injection.

POC code for Times Now TV:
http://www.timesnow.tv/videosearchresult.cms?query="/><iframe+src="http://www.breakthesecurity.com"+width="1000px"+height="1000px"></iframe>&srchcombo=1&x=0&y=0

POC for Shiksha.com:
http://www.shiksha.com/search/index?keyword="/><iframe+src="http://www.breakthesecurity.com"+width=1000+height=1000></iframe>&start=0&institute_rows=-1&content_rows=-1&country_id=&city_id=&zone_id=&locality_id=&course_level=&course_type=&min_duration=&max_duration=&search_type=&search_data_type=&sort_type=&utm_campaign=site_search&utm_medium=internal&utm_source=shiksha&from_page=homepage&autosuggestor_suggestion_shown=5

Narendra also found that shiksha.com is vulnerable to CSRF, which allows an attacker to change the victim's mobile number via a malicious web page.

Narendra also claimed that he tried hard to contact all these websites by email, Facebook page, etc., but they did not reply to him for a month. After this, he decided to disclose these vulnerabilities and reported them to EHN.
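The PoCs in this article and in the Times of India / NDTV one above all follow the same pattern: a search parameter is echoed into an HTML attribute without encoding, so a value beginning with `"/>` closes the attribute and starts a new element. The Python below is an added example, not code from the article or from any of the sites named; the `render_*` functions, the hostname `example.invalid` and the access-log lines are constructed. It shows the vulnerable rendering beside the encoded one, and a small check that flags such values in server logs so a defender can see the probes as they arrive.

```python
# Added example (not from the article): the reflected-XSS pattern behind the
# search-field PoCs, the output encoding that closes it, and a simple
# access-log check. Hostnames and log lines are constructed for illustration.
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed value shaped like the article's PoCs: it closes the attribute
# and opens a new element.
BREAKOUT = '"/><iframe src="http://example.invalid"></iframe>'


def render_unsafe(keyword: str) -> str:
    """Vulnerable pattern: the search term is echoed into an attribute verbatim."""
    return f'<input type="text" name="keyword" value="{keyword}">'


def render_safe(keyword: str) -> str:
    """Hardened: encode for the HTML attribute context. quote=True also
    encodes the double and single quote, so the attribute cannot be closed."""
    return f'<input type="text" name="keyword" value="{html.escape(keyword, quote=True)}">'


def element_count(markup: str) -> int:
    """Count start tags in the rendered fragment; a safe render has exactly one."""
    return len(re.findall(r"<[a-zA-Z]", markup))


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2013:10:00:00 +0000] "GET /search/index?keyword=python+tutorial HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2013:10:00:05 +0000] "GET /search/index?keyword=%22%2F%3E%3Ciframe+src%3D%22http%3A%2F%2Fexample.invalid%22%3E%3C%2Fiframe%3E HTTP/1.1" 200 5300
203.0.113.7 - - [01/Jan/2013:10:00:09 +0000] "GET /videosearchresult.cms?query=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&srchcombo=1 HTTP/1.1" 200 4000
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')
MARKERS = ("<iframe", "<script", "onerror=", "javascript:")


def suspicious_requests(log_text: str) -> list:
    """Return (path, parameter) pairs whose decoded value carries HTML/JS markers.
    parse_qs percent-decodes and turns '+' into spaces, so the markers are
    matched against what the application itself saw."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        for name, values in parse_qs(url.query).items():
            for value in values:
                if any(marker in value.lower() for marker in MARKERS):
                    hits.append((url.path, name))
    return hits


if __name__ == "__main__":
    print("unsafe:", render_unsafe(BREAKOUT))
    print("safe:  ", render_safe(BREAKOUT))
    for path, param in suspicious_requests(SAMPLE_LOG):
        print(f"suspicious value in parameter {param!r} of {path}")
```

`html.escape(..., quote=True)` is the fix for the attribute context specifically; a value placed inside a `<script>` block, a URL or a CSS rule needs the encoding for that context instead, and the log check is only a triage aid, since an attacker's probe can be encoded in ways the four markers above do not catch.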

An Interview with Rafay Baloch - Security Researcher and Famous Bug Hunter

Today, E Hacking News interviewed a security researcher and famous bug hunter, Rafay Baloch, who is listed on a number of Hall of Fame pages and has received rewards from Google, PayPal, Nokia and more companies which conduct bug bounty programs.

1. Introduce yourself

Well, my name is "Rafay Baloch". I am the admin of http://rafayhackingarticles.net. My primary interests include security research, penetration testing and blogging. Right now I am doing my bachelor's in computer science from Bahria University, Karachi.

2. How did you get into Information security field?

Well, from my childhood days I was interested in information security; however, if you are asking about the serious part, it has been around 3 years since I started researching in this field.

3. When did you start Bug hunting?

I started bug hunting at the end of July 2012, when I saw Microsoft's responsible disclosure page; that's where I started hunting bugs.

4. What vulnerabilities have you discovered so far in your career as a Bug Hunter?

There are so many I cannot remember, as I hunt for them every day. Almost all vulnerability types related to web application security, i.e. RCE, LCE, RFI, LFI, arbitrary file upload, SQL injection, XSS, etc.

Usually, I find zero days and keep them private for testing purposes; however, I do release some of them periodically. You can check out my Packet Storm profile.

5. What is your first finding , how did you feel at that time?

I really don't remember, but my first big finding was an XSS vulnerability inside Microsoft India. I also reported an HTTP parameter pollution vulnerability along with it.

6.What is the favorite vulnerability found by you?

My favorite vulnerability was the remote code execution vulnerability I found last year inside PayPal. I had access to very sensitive stuff: the PayPal subdomain was behind a JBoss server, and I was able to bypass the authentication and upload my backdoor to execute commands. PayPal paid me $10,000 for it, though if I had found it inside Google they would have paid me $20,000.

Along with it they offered me a job as a senior security pentester. I was not able to go there due to my studies, as I mentioned before that I am still doing my bachelor's.

7. How much have you earned so far from Bug hunting?

I would prefer to keep it confidential. But it's somewhere in the 5 digits.

8. You're hunting bugs for fun, for profit, or to make the world a safer place?

Well, honestly, a little of everything. First of all, I don't only hunt vulnerabilities on websites having bug bounty programs; I also report to websites that do not have them, some to get listed in responsible disclosures and of course to make the world a better place.

9. What are your future plans?

I am currently working on http://services.rafayhackingarticles.net, where I would be launching my own penetration testing company. Along with it, I would soon be conducting some workshops related to ethical hacking and penetration testing. From an educational perspective, I am planning to give my CCNP Switch paper this month.

10. What is your advice for new bug hunters?

For new bug hunters, I would say that the competition now is very high; almost every site having a bug bounty program has been researched by lots of researchers, so you won't be lucky with automated tools like Acunetix or Netsparker. Therefore, try to look for the acquisitions and subdomains and go into places where no one has probably been before, and try to do some unexpected things. You would have much much more chances of

11. What do you think about E Hacking News?

E Hacking News brings up good content; however, what I would suggest is to be more frequent with the website. It seems that you are alone doing the work; any successful news website would have tons of authors to write the content. In this way, more people would subscribe to you.

12. Thanks for the advice. Is there anything else you want to add?

Just one thing: lots of companies have come up with responsible disclosures and halls of fame attracting security researchers to look at their websites for free; however, this would be decreasing the scope of paid penetration tests, hence it would devalue them. Hence, I think we should all come up with a thing called "No-FREE BUGS".

5 Months old XSS vulnerability in AOL and DMoz still not fixed

An Indian security researcher, Suriya, has discovered a reflected XSS vulnerability in the AOL website; AOL is an American global brand company that develops, grows, and invests in brands and web sites.

Initially, the researcher discovered the XSS vulnerability in Dmoz. After noticing the "In partnership with AOL search" text on the Dmoz website, he decided to test AOL for the vulnerability as well, and succeeded.

According to the researcher, the vulnerability was discovered five months ago. He immediately tried to contact the AOL security team. Unfortunately, he was not able to find the contact address for the security team, so he tried some email addresses provided on the site, but they failed to respond properly.

[Image: AOL XSS]

After a few months, he published the vulnerability details on his own blog in October 2012. But the XSS vulnerability is still there and unfixed.

POC code for the AOL XSS:
http://www.aol.com/?icid=';alert(String.fromCharCode(69, 32, 72, 97, 99, 107, 105, 110, 103, 32, 78, 101, 119, 115))//'

POC code for the Dmoz XSS:
http://www.dmoz.org/search?q="><script>alert("E Hacking News")</script>

[Image: Dmoz XSS]

"You might be wondering why I included the alexa.com rank for the sites; that's because I wanted to show you all how even a small site has more instinct to fix a vulnerability, but AOL with its hundreds of workers could not even bother giving me a proper reply," Suriya said.

"Well, I really didn't know. But I think I wanted to show the world how people treat us and to tell AOL to follow the path of PayPal, Microsoft, etc., allowing people to at least securely report vulnerabilities; even if you are not paying them, at least acknowledge the people who give time and resources out of their lives to help you!"
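The AOL PoC above differs from the iframe ones earlier on this page: the `icid` value lands inside a JavaScript string literal, so a single quote followed by a statement and a `//` comment runs code without a single `<` character, and a filter that only strips tags does nothing there. The Python below is an added example, not AOL's or the researcher's code; the page template, the `render_script_*` names and the payload are constructed. It contrasts the tag-only filter with emitting the value as a JSON string literal, and includes a small scanner that reports whether the value escaped the literal.

```python
# Added example (not from the article): a parameter reflected into a
# JavaScript string literal, the weak tag-only filter, the JSON-literal fix,
# and a scanner that checks whether the value broke out of the string.
# Template and payload are constructed, not AOL's code.
import json

# Constructed payload in the shape of the article's PoC: closes the string
# literal, runs a statement, and comments out the rest of the line.
PAYLOAD = "';alert(String.fromCharCode(69,32,72,78))//'"


def render_script_unsafe(icid: str) -> str:
    """Vulnerable: only angle brackets are neutralised; quotes pass through,
    which is exactly what a string-context payload needs."""
    filtered = icid.replace("<", "&lt;").replace(">", "&gt;")
    return f"<script>var icid = '{filtered}';</script>"


def render_script_safe(icid: str) -> str:
    """Hardened: emit the value as a JSON string literal (quotes, backslashes,
    control characters and non-ASCII are escaped), then break any '</' so the
    value cannot close the <script> element either."""
    literal = json.dumps(icid).replace("</", "<\\/")
    return f"<script>var icid = {literal};</script>"


def code_outside_strings(js: str) -> str:
    """Return the JS source with the contents of string literals removed,
    honouring backslash escapes. Good enough to detect a quote breakout."""
    out, quote, i = [], None, 0
    while i < len(js):
        ch = js[i]
        if quote:
            if ch == "\\":
                i += 2          # skip the escaped character
                continue
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def breaks_out(markup: str) -> bool:
    """True if alert( ends up in code position rather than inside the literal."""
    body = markup.split("<script>", 1)[1].split("</script>", 1)[0]
    return "alert(" in code_outside_strings(body)


if __name__ == "__main__":
    for render in (render_script_unsafe, render_script_safe):
        page = render(PAYLOAD)
        print(f"{render.__name__}: breakout={breaks_out(page)}\n  {page}")
```

`json.dumps` is a reasonable serializer for this context because JSON string syntax is a subset of JavaScript string syntax; the extra `</` replacement matters because the HTML parser ends a `<script>` element at the first `</script` it sees, regardless of any JavaScript quoting around it.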

Nir Goldshlager found vulnerability in Facebook Employees Secure Files Transfer service

A web application pentester, Nir Goldshlager, has identified a security flaw in Facebook's Employee Secure File Transfer that allowed him to reset the password of accounts.

The secure file transfer service provider Accellion provides the service to Facebook's employees for transferring files. Accellion had removed the registration page to prevent unauthorized users from creating accounts.

However, the researcher discovered that the registration page could still be accessed by someone who knew the exact direct location of the registration form.

After he created the account, he started to analyze the service for a security flaw, and successfully managed to find a critical vulnerability. There is an HTML file, "wmPassupdate.html", which is used for password recovery in Accellion Secure File Transfer.

[Image: Facebook Security Flaw]

He identified that there is a referrer parameter used in the cookie that is encoded with base64. By changing the value of this parameter, he could change the password of any account.

Facebook and Accellion fixed the issue after being notified by the researcher. He also claimed to have reported 20+ different bugs in the Accellion Secure File Transfer service; they fixed all of those bugs.
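The flaw described above rests on a base64-encoded identity value that the server trusted as it was; base64 hides nothing and proves nothing. The Python below is an added example and not Accellion's or Facebook's code: the cookie layout (`user=...` inside base64), the field names, `SECRET` and the token format are all constructed, since the article does not describe the real format. It shows that an unsigned value can be rewritten by anyone who can decode it, and one way to issue a reset token whose user field cannot be changed without the server's key.

```python
# Added example (not from the article): an unsigned base64 identity beside a
# signed, expiring reset token. Cookie layout, field names and SECRET are
# constructed; the real Accellion format is not described in the article.
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# --- What the article describes: base64 is an encoding, not a protection ---

def encode_unsigned(fields: dict) -> str:
    """Constructed cookie format: base64 over 'k=v&k=v'. Anyone can build one."""
    raw = "&".join(f"{k}={v}" for k, v in fields.items())
    return base64.b64encode(raw.encode()).decode()


def decode_unsigned(cookie_value: str) -> dict:
    """The server side of the same thing; it has no way to tell who wrote the value."""
    raw = base64.b64decode(cookie_value).decode()
    return dict(kv.split("=", 1) for kv in raw.split("&"))


# --- A token the server can check: HMAC over user, expiry and a nonce ---

SECRET = b"constructed-server-secret-keep-out-of-source"  # constructed value
TTL_SECONDS = 15 * 60


def issue_reset_token(user: str, secret: bytes = SECRET, now=None) -> str:
    """Token = base64url(user|expiry|nonce) + '.' + HMAC-SHA256 over the payload."""
    now = time.time() if now is None else now
    payload = f"{user}|{int(now) + TTL_SECONDS}|{secrets.token_hex(8)}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_reset_token(token: str, secret: bytes = SECRET, now=None):
    """Return the user the token was issued for, or None if it was altered or expired."""
    now = time.time() if now is None else now
    try:
        b64, mac = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return None
    user, expiry, _nonce = payload.decode().split("|", 2)
    if int(expiry) < now:
        return None
    return user


def retarget_without_secret(token: str, new_user: str) -> str:
    """Edit the user field the way the base64 cookie could be edited. Without
    the secret the MAC cannot be recomputed, so verification must fail."""
    b64, mac = token.rsplit(".", 1)
    _user, rest = base64.urlsafe_b64decode(b64).decode().split("|", 1)
    return base64.urlsafe_b64encode(f"{new_user}|{rest}".encode()).decode() + "." + mac


if __name__ == "__main__":
    print("unsigned cookie decodes to:", decode_unsigned(encode_unsigned({"user": "alice"})))
    token = issue_reset_token("alice")
    print("valid token   ->", verify_reset_token(token))
    print("edited token  ->", verify_reset_token(retarget_without_secret(token, "bob")))
```

The MAC is checked before the payload is parsed, so a tampered token is rejected without the server acting on any of its fields; the expiry and nonce keep a captured token from being replayed indefinitely, and in a real service the token would additionally be tied to a pending reset request for that user.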

The POC for the vulnerability:


Clickjacking vulnerability in Microsoft Social Network Socl

[Image: clickjacking]

An Indian security researcher, Nikhil P Kulkarni, has discovered a clickjacking vulnerability in Microsoft's social network SOCL (so.cl).
Clickjacking, also referred to as a "User Interface redress attack" or "UI redress attack", is a type of website attack in which the attacker uses multiple transparent layers to trick a user into clicking on something different from what the user perceives they are clicking on.

In a POC provided to EHN, the researcher demonstrated the clickjacking vulnerability. In an HTML file, the top layer says "click below to win your prize money", but in the background the SOCL page is loaded. When a user clicks the "click here" button, it posts a message on the victim's wall.

The researcher discovered the vulnerability in August and sent a notification to Microsoft. Initially, Microsoft rejected it nearly 5 times and told the researcher that it was not a vulnerability.

But recently, they realized that all his POCs were right and have rectified the vulnerability. They have decided to put his name on their hall of fame page.
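Clickjacking as described above only works when the target page lets itself be framed by another origin. The Python below is an added example, not the researcher's PoC or Microsoft's code; the header sets are constructed. `framing_policy` reads the two headers a server can send, `X-Frame-Options` and the `frame-ancestors` directive of `Content-Security-Policy`, and reports whether cross-origin framing is allowed, applying the rule that browsers honour `frame-ancestors` over `X-Frame-Options` when both are present.

```python
# Added example (not from the article): evaluate whether a response's headers
# let the page be framed by another origin. Header sets below are constructed.


def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def framing_policy(headers: dict) -> str:
    """Return 'blocked', 'same-origin', 'allow-listed' or 'unrestricted'.

    frame-ancestors, when present, takes precedence over X-Frame-Options,
    which is what browsers supporting CSP level 2 do. Header names are
    matched case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy", "")
    ancestors = parse_csp(csp).get("frame-ancestors")
    if ancestors is not None:
        sources = [s.strip("'").lower() for s in ancestors]
        if sources == ["none"]:
            return "blocked"
        if sources == ["self"]:
            return "same-origin"
        return "allow-listed"
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    if xfo.startswith("ALLOW-FROM"):
        return "allow-listed"
    return "unrestricted"


def hardened_headers() -> dict:
    """Header pair a page with no legitimate framing use case should send;
    both are set so that old and new browsers each get one they understand."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


# Constructed responses: a page with no protection, one with only the legacy
# header, and one where the two headers disagree.
SAMPLES = {
    "no-headers": {"Content-Type": "text/html"},
    "legacy-only": {"x-frame-options": "sameorigin"},
    "csp-wins": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    },
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:12s} -> {framing_policy(hdrs)}")
    print(f"{'hardened':12s} -> {framing_policy(hardened_headers())}")
```

A page that posts to a user's wall on a single click is exactly the kind of state-changing page that should return `blocked` here; the check is cheap to run against every HTML response in a crawl of one's own site, and a `unrestricted` result on an authenticated page is the condition the PoC described above relies on.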