I'm also a Capture the Flag player.
What are some of your recent security projects?
I am currently involved in several security projects including the development of web-server testing tools.
Additionally, I have just finished authoring a book, Methodology of Web Software Security, which will be published soon.
You are also a “security vulnerability bounty hunter” - what does that mean?
These bug bounty programs pay for these discoveries on a scale proportionate to the severity of the bug.
What is the openbugbounty.org platform and how does it work?
Our purpose is to make the web a safer place for everyone.
We hold no monetary or business stake in the project.
How do you decide which sites to test for security flaws?
I like to test the popular sites and sites that may appear to be strong and secure.
Do you do it for fun or profit?
I do it for fun because I enjoy new challenges, but yes, also for profit!
Do you find most companies appreciative when you report a vulnerability?
The security and protection of information and personal data has become a great concern for companies these days.
What are the most common vulnerabilities you encounter?
Cross-Site Scripting (XSS) is when malicious scripts are injected into otherwise benign and trusted websites.
These scripts can even rewrite the content of the HTML page.
If the victim is an administrative account, CSRF can compromise the entire web program.
An attacker could register to the External Service and claim the affected subdomain.
As a result, the attacker could host malicious code (e.g. for stealing HTTP cookies) on the organization's subdomain and use it to attack legitimate users.
What are some of the most serious vulnerabilities you have seen?
The most serious vulnerabilities I have encountered are SQL injection for dumping databases and remote code execution.
Where do you see software security heading in the future?