Rising Star in Pakistan for Cyber Security & Research
Rafay Baloch is the founder and CEO of RHAinfosec. He runs one of the top security blogs in Pakistan, with more than 25k subscribers and 100k Facebook fans. Rafay has helped major industry giants such as Google, Facebook, Twitter, PayPal, Adobe and Apple to improve and secure their online presence. Rafay found a remote code execution vulnerability inside PayPal, for which he was awarded $10,000 and was also offered a job at PayPal as a security ninja.

Currently, the major areas of Rafay's research are bypassing modern security defenses, HTML5 and other client-side JavaScript. Rafay holds CPTE, OSCP, CCNP Route and WAPT certifications. He also earned the ECCS from Voice of Green Hats. Rafay's work has been featured in a great many articles, newspapers, magazines and local TV channels.
Q: What was your first finding? How did you feel at that moment?

I really don't remember if it was my first finding. However, as far as I can recall, it was a SQL injection authentication bypass attack. At that time I really didn't know why it worked, but I felt really surprised.
Q: You hunt bugs for what? Money, fun, fame, or do you want to make the Internet a safe place?

Well, honestly, a little of everything. First of all, I don't only hunt vulnerabilities on websites that have bug bounty programs; I also report to websites that do not have them, some to get listed in responsible disclosures and of course to make the world a better place.
Q: Rafay, you have received a bug bounty of $10,000 from PayPal. What was the real story behind it?

It was a remote code execution vulnerability I found inside PayPal, which allowed me to execute any commands on the server. For that PayPal rewarded me $10,000.
Q: Why didn't you accept the job offer from PayPal? I think that was a golden chance for you.

Well, I am in the middle of my bachelor's, therefore I think I did not accept that offer, and honestly I am not in favor of doing a job or working for something; I would rather prefer working with someone than working for someone. However, I still think I can avail of it after my bachelor's.
Q: Everyone has someone who has inspired him. Who is your inspiration?

Kevin Mitnick is definitely an inspiration for everyone; his social engineering techniques were really amazing, and he has shown a different approach towards hacking.
Q: Google and Facebook have also paid you bug bounties. How do you feel when you receive bounties?

Bounties add extra income to my pocket every month; however, I really feel lucky to receive bounties from so many companies.
Q: You are very famous, my bro. Tell me, on how many sites are you listed as a security researcher?

A lot. On my LinkedIn profile I listed more than 50 websites that have listed me on their responsible disclosure/whitehats pages. However, there are lots of websites that do not have an acknowledgment list on their website, so they thanked me via an email or sometimes by sending a gift T-shirt, toolkit, etc.
linkedin.com/in/rafaybaloch
Q: PKNIC has always been targeted; my site was also down for some hours. What do you recommend to them to increase their security?

The threat is on their web application level, which allowed the attacker to access its database. I remember I saw a screenshot on a forum where it was vulnerable to a SQL injection attack, so I would recommend them to review their security policies and validate inputs properly to prevent any such attacks in the future.
Q: If you don't mind, can you tell me what courses are essential to become a successful security researcher?

Honestly speaking, I never did any courses, nor did I do any certifications, though I have taught courses like CEH and CPTE to lots of people. But I never did any of these certifications. However, in terms of value I believe CEH and GPEN are at the top; in terms of knowledge I think CEH is only good for beginners, it's just a catalog of tools. In terms of knowledge I would recommend anyone to go after eLearnSecurity (eCPPT), OSCP (Offensive Security Certified Professional), ECCS (Executive Certificate in Cyber Security) by Voice of Green Hats and SANS GPEN.
Q: What are your future plans? Would you go for a job or start your own company?

I would be launching my book "Ethical Hacking and Penetration Testing" this year, insha'Allah. After that I'll work on a DOM-based XSS wiki and something cool related to HTML5.