Interview with Gabor Molnar, security expert, who co-discovered Rosetta Flash

Written by Gábor Pék

In this new series we talk to security experts about how they started their journey in this exciting field. The first is Gabor Molnar (aka “mg”, also on Twitter), who independently co-discovered the infamous Rosetta Flash vulnerability and was nominated for a Pwnie award for the best server-side bug at BlackHat 2014.

Here is his story.

Gabor Pek (avatao): Could you please tell us a bit more about yourself? Why did you start to learn IT security? What was your first impression?

Gabor Molnar: I have a Software Engineering degree from Budapest University of Technology and Economics, and I got into computer security shortly before finishing my degree. There was a Capture The Flag competition called CrySyS SecChallenge organized by one of the university labs, CrySyS Lab, and I really enjoyed solving the challenges. After the competition, the lab started its student group called CrySyS Student Core, to which I was invited, and it was this group that helped me dive into information security. We participated in international CTFs, gave presentations about interesting new security topics to the group and shared our own research. I’ve recently moved to Switzerland and work as an information security engineer.

GP: Why do you think that this is a topic that youngsters should choose? Why do you think that web security is important today?

GM: Information security is becoming more and more important as we rely on computer systems more than ever. Web security is important because more than half of the attacks at companies target web interfaces. Many of the interfaces through which we interact with these systems are on the web, and users expect these to work reliably and securely. Security can be a good choice if you enjoy solving tricky problems.

GM: It usually starts with an idea that then lingers for a few weeks. Then I find some time to experiment with it if it still looks like a good idea. The JSONP research idea came when I was looking at Prezi’s website to find vulnerabilities that are eligible for the bug bounty program. After discussing it with a few friends, the idea still looked like it could work, so I dedicated a weekend to working out the details, which then became two weeks of intense research at night after work.

GP: Why do you think that XSS is still a real threat today?

GM: Web frameworks we regularly use still don’t have framework-level protection against it, which means that it’s up to each developer to properly generate HTML without introducing XSS. This approach is very error-prone. I think the situation is slowly improving, as almost all browsers support some version of Content Security Policy now, and developers of template systems have started to realize that framework-level protection must be provided instead of relying on developers.

GP: Congratulations on winning The XSS Metaphor security challenge. Could you please talk about your strategy? How could you solve the challenge in 48 hours?

GM: Thanks. I had a pretty good idea of the topics the authors of the challenge are interested in, as I follow their web security research pretty closely. Two of the techniques I tried first were the building blocks of the intended solution: new JavaScript features introduced in the ES6 standard, and abusing Internet Explorer’s XSS filter. Since I had wanted to experiment with IE’s XSS filter for a long time, this was a good excuse to spend some time on this challenge.

GP: What would you say to beginners in one sentence?

GM: Find a CTF team and participate in competitions.

GP: And finally, what is your favorite hacking tool? Why?

GM: Chrome Developer Tools and Burp Suite. These tools make it easier to experiment with web vulnerabilities, discover them in websites and automate tasks like brute forcing.
