Written by Gábor Pék
In this new series we talk to security experts on how they started their journey in this exciting field. The first is Gabor Molnar (aka “mg”), (also on Twitter) who independently co-discovered the infamous Rosetta Flash vulnerability and got nominated for a Pwnie award for the best server-side bug at BlackHat 2014.
Here is his story.
Gabor Pek (avatao): Could you please tell a bit more about you? Why did you start to learn IT security? What was your first impression?
Gabor Molnar: I have a Software Engineering degree from Budapest University of Technology and Economics, and I got into computer security shortly before finishing my degree. There was a Capture The Flag competition called CrySyS SecChallenge organized by one of the university labs, CrySyS Lab, and I really enjoyed solving the challenges. After the competition, the lab started its student group called CrySyS Student Core to which I was invited to, and it was this group that helped me dive into information security. We’ve participated on international CTFs, gave presentations about interesting new security topics to the group and shared our own research. I’ve recently moved to Switzerland and work as information security engineer.
GP: Why do you think that this is a topic that youngsters should choose? Why do you think that web security is important today?
GM: Information security is becoming more and more important as we rely on computer systems more than ever. Web security is important because more than half of the attacks at companies target web interfaces. Many of the interfaces through which we interact with these systems are on the web, and users expect these to work reliably and securely. Security can be a good choice if you enjoy solving tricky problems.
GP: How do you you start your research generally? Could you please talk a bit about your amazing finding around JSONPs (which became popular as Rosetta Flash)?
GM: It usually starts with an idea that is then lingering for a few weeks. Then I find some time to experiment with it if it still looks like a good idea. The JSONP research idea came when I was looking at Prezi’s website to find vulnerabilities that are eligible for the bug bounty program. After discussing it with a few friends, the idea still looked like it could work, so I’ve dedicated a weekend to work out the details, which then became two weeks of intense research at night after work.
GP: Why do you think that XSS is still a real threat today?
GM: Web frameworks we regularly use still don’t have a framework level protection against it, which means that it’s up to each developer to properly generate HTML without introducing XSS. This approach is very error-prone. I think the situation is slowly improving as almost all browser support some version of Content Security Policy now, and developers of template systems have started to realize that a framework-level protection must be provided instead of relying on developers.
GP: Congratulations for winning The XSS Metaphor security challenge. Could you please talk about your strategy? How could you solve the challenge in 48 hours?
GP: What would you say for beginners in one sentence?
GM: Find a CTF team and participate in competitions ????
GP: And finally. What is your favorite hacking tool? Why?
Reading Time: 9 minutes Security champions play a vital role in establishing and maintaining a security culture in an engineering organization. See how to turn your developers into security champions!
Reading Time: 6 minutes As the company grows the leadership wants to establish a security program to ensure the solid and undisrupted operation of the business. Security at this point is essential, especially when calculating the loss from a halted business, even for a few hours.
Reading Time: 9 minutes OWASP Top 10 Vulnerabilities in 2021 based on the non-official proposal of Phillippe De Ryck. Here is what we know.
Reading Time: 7 minutes Security champions represent an essential part of any security programs. They lead their teams on security projects, ensure internal security and help keeping security on the top of your mind. But how exactly they operate in a business? We asked Alexander Antukh, Director of Security at Glovo for professional insights.
Reading Time: 6 minutes For most companies, security is considered a side quest, which is partly related to the daily processes. In reality, security ought to be a strong foundation of any organization. To ensure the defense of the enterprise, the relevant teams need strong security knowledge and abilities.