Search This Blog

Showing posts with label Rafay Baloch. Show all posts

An Interview with Rafay Baloch - Security Researcher and Famous Bug Hunter

Today, E Hacking News interviewed a Security Researcher and Famous Bug Hunter Rafay Baloch who got listed on a number of Hall of fame and received rewards from Google, PayPal, Nokia and more companies which conduct Bug Bounty programs.

1. Introduce yourself

Well, Name is "Rafay Baloch", I am the admin of http://rafayhackingarticles.net, My primary interests include Security Research, Penetration Testing and Blogging. Right now i am doing my bacehlors in computer science from Bahria University karachi.

2. How did you get into Information security field?

Well, From my childhood days i was interested in Information security, however if you are asking about the serious part, it has been around 3 years. Since I have started researching in this field.

3. When did you start Bug hunting?

I started bug hunting at the end of July 2012, when I saw Microsoft's resposnible disclosure page, that's where i started hunting bug.

4. What vulnerabilities have you discovered so far in your career as a Bug Hunter?

There are so many i cannot remember as i hunt for them every day, Almost all vulnerability types related to web application security i.e. RCE, LCE, RFI, LFI, Arbitary file upload, SQL Injection, XSS etc.

 Usually, i find zero days and keep it private for testing purposes, however, i do release some of them periodically, you can check out my packet storm profile.

5. What is your first finding , how did you feel at that time?

I really don't remember, but my first big finding was an XSS vulnerability inside Microsoft India. I also reported Http parameter pollution vulnerability along with it.

6.What is the favorite vulnerability found by you?

My favorite vulnerability was a the remote code execution vulnerability i found last year inside paypal, i had access to very sensitive stuff, the paypal subdomain was behind a JBOSS server, I was able to bypass the authentication and upload my backdoor to execute commmands, Paypal paid me 10,000$ for it, though if i had found it inside Google they would have payed me 20,000$.

Along with it they offered me a job as a senior security Pentester. I was not able to go there due to my studies as i mentioned before that i am still doing bachelors.

7. How much have you earned so far from Bug hunting?

I would prefer to keep it confidential. But it's some where between 5 digits.

8. You're hunting bugs for fun, for profit, or to make the world a safer place?

Well, honestly, Little of every thing, First of all, I don't only hunt vulnerabilites on websites having bug bounty programs, I also report to websites that do not have them. Some to get listed in responsible disclosures and ofcourse to make the world a better place.

9.What is your future plans?

I am currently working on http://services.rafayhackingarticles.net, where i would be launching my own Penetration Testing company, along with it, I would be soon conducting some workshops related to Ethical hacking and Penetration testing, From educational perspective, i am planning to give my CCNP Switch paper this month.

10. What is your advice for new bug hunters?

For new bug hunters, i would say that the competition now is very high, almost every site having a bug bounty program has been researched by lots of researchers, so therefore you won't be lucky with tools automated tools like acunetix, netsparker. Therefore, try to look for the acquisitions and subdomains and go into places where no one has probably been before and try to do some unexpected things. You would have much much more chances of

11. What do you think about E Hacking News?

E Hacking News brings up with good content, however, what i would suggest you is to be more frequent with the website, it seems that you are alone doing the work, Any successful news website would have tons of authors to write the content, In this way, more people would subscribe to you.

12. Thanks for the advice , Is there anything else you want to add?

Just one thing that lots of companies have came up with responsible disclosures and hall of fames attracting security researchers to look at their websites for free, however, this would be decreasing the scope of Paid Penetration tests hence it would de-value it. Hence, i think we should all come up with a thing called "No-FREE BUGS".

Rafay Baloch found Non-persistent XSS vulnerability in Mcafee and Symantec


A Security Researcher and Bug Hunter , Rafay Baloch has discovered a Non-Persistent Cross Site Scripting vulnerability in the websites belong to Internet Security giants : Mcafee and Symantec.

The download parameter in the Product Advisory Council sub-domain of McAfee(portal.mcafee.com) is found to be vulnerable to xss attack.

Researcher claimed that he notified McAfee about the xss vulnerability several times but they refused to fix.

McAfee xss


Reflected xss in Symantec

Few weeks before, he discovered xss in Storage Foundation DocCentral sub domain of Symantec(sfdoccentral.symantec.com) and sent notification to them. Symantec immediately fixed the vulnerability but McAfee fails to.

At the time of writing, The vulnerability is not yet patched.

Sharecash vulnerable to Persistent Cross Site Scripting vulnerability

Security Researcher, Rafay Baloch, the founder of Rafay Hacking Articles,  has discovered a Cross Site scripting (XSS) Vulnerability in ShareCash website(sharecash.org). ShareCash is the highest paying Pay-Per-Download network around.

The vulnerability affects the  "Manage Widget" page of ShareCash.  The XSS vulnerability found to be stored one.

Stored XSS Vulnerability

Stored XSS is critical one since the script is being stored on the server and is being executed every time user visits the affected page.

In an Email Sent to EHN, Researcher provided the screenshot of the Proof-of-concept.  From the POC, I come to know that the "Widget Name" is vulnerable to xss attack.  It seems like the developer fails to validate the input.

Rafay claimed that he sent more than 10 emails to share cash to notify them about the vulnerability, but they failed to respond.

StumbleUpon vulnerable to Reflected Cross site scripting


A security researcher, Rafay Baloch, has discovered Cross site scripting vulnerability in the StumbleUpon , One of the famous social bookmarking website with alexa rank of 149.

"Few days before, while i was hunting for vulnerabilities inside stumbleupon.com," Rafay said in his blog post. "Fiddler helped me obtain a non persistent XSS vulnerability inside stumbleupon"

He send notification about the vulnerability to StumbleUpon, however there is no response from other side.

"For security reasons i cannot disclose the URL and parameters for the injection, I hope stumbleupon fixes the vulnerability pretty soon." researcher said.

At the time of writing, the vulnerability is not patched and we are able to exploit the vulnerability.  In fact, i inject a redirection code that successfully redirects me to the given url.  So , an attacker can exploit this vulnerability for launching social engineering attack and redirect user to malicious site. Also it is possible to hijack session that allows attacker to take control of your stumble upon account.

Few days back, Rafay also discovered a redirection vulnerability in Facebook.