About

Rafay Baloch is the founder and CEO of RHA InfoSec. He has been involved in security research for more than 6 years. His core areas of expertise include network security and web application penetration testing, and he is the author of "Ethical Hacking and Penetration Testing Guide". He specialises in finding security vulnerabilities in web applications, frameworks and browsers, bypassing web application firewalls, HTML5 attack vectors and breaking the filters of modern web browsers.

He has helped secure many organisations and has made hundreds of responsible disclosures. He is best known for finding a remote code execution vulnerability in PayPal, for which he was awarded $10,000 and was also offered a job by PayPal. Rafay is an active participant in bug bounty programs and is listed in a large number of halls of fame, including those of Google, Facebook, Microsoft, Twitter, Dropbox, etc.

Publications

Following are some of my publications:

 Modern Day Web Application Firewall Bypass

 HTML5 Modern Day Attack And Defence Vectors

 Ethical Hacking And Penetration Testing Guide


    Halls of Fame

    Google Hall of Fame:

    http://www.google.com/about/appsecurity/hall-of-fame/distinction/

    Microsoft Security Researchers Award:

    http://technet.microsoft.com/en-us/security/cc308575.aspx (August)
    http://technet.microsoft.com/en-us/security/cc308589.aspx (October)
    http://technet.microsoft.com/en-us/security/cc308589.aspx (November)

    eBay Responsible Disclosure Page:

    Reported an XSS in eBay, bypassing their security filters to make the vulnerability work: http://pages.ebay.com/securitycenter/ResearchersAcknowledgement.html

    Adobe Security Acknowledgments:

    “Adobe would like to thank the following individuals and organizations for reporting a security vulnerability or vulnerabilities in an Adobe online service, and for working with Adobe to help protect our customers.”

    http://www.adobe.com/support/security/bulletins/securityacknowledgments.html

    Acknowledged by Red Hat and Twitter (found a non-persistent XSS):

    Red Hat: https://access.redhat.com/knowledge/articles/66234
    Twitter WhiteHat: https://twitter.com/about/security

    Apple's Responsible Disclosure Page:

    http://support.apple.com/kb/HT1318

    Dropbox Hall of Fame (reported an OAuth CSRF):

    https://www.dropbox.com/special_thanks

    Zynga WhiteHat (listed for reporting an XSS and an SQLi):

    http://company.zynga.com/security/whitehats

    Constant Contact Responsible Disclosure Page:

    http://www.constantcontact.com/about-constant-contact/security/report-vulnerability.jsp

    ownCloud and Tuenti Halls of Fame:

    ownCloud: http://owncloud.org/security/hall-of-fame/
    Tuenti: http://corporate.tuenti.com/en/dev/hall-of-fame

    Acquia's Responsible Disclosure Page:

    https://www.acquia.com/how-report-security-issue

    iFixit Responsible Disclosure Page:

    http://www.ifixit.com/Info/responsible_disclosure

    GitHub Responsible Disclosure Page:

    https://help.github.com/articles/responsible-disclosure-of-security-vulnerabilities

    Nokia Siemens Hall of Fame:

    http://www.nokiasiemensnetworks.com/about-us/responsible-disclosure

    37signals Security Fame:

    http://37signals.com/security-response

    Mahara Responsible Disclosures List:

    https://wiki.mahara.org/index.php/Contributors#Security_researchers

    SoundCloud Responsible Disclosure List:

    Reported a few self-XSS issues and finally a CSRF to get listed:

    http://help.soundcloud.com/customer/portal/articles/439715-responsible-disclosure

    Gallery Bounties:

    http://codex.gallery2.org/Bounties

    EngineYard Hall of Fame:

    http://www.engineyard.com/legal/responsible-disclosure-policy

    Kaneva Hall of Fame:

    http://docs.kaneva.com/mediawiki/index.php/Security_Hall_of_Fame

    Twilio Responsible Disclosure:

    https://www.twilio.com/docs/security/disclosure

    Get Harmony Responsible Disclosure:

    http://get.harmonyapp.com/security/

    GitLab Vulnerability Acknowledgements:

    http://blog.gitlab.com/vulnerability-acknowledgements/

    Netflix Responsible Disclosure:

    http://support.netflix.com/en/node/6657#gsc.tab=0

    Nokia Hall of Fame:

    http://www.nokia.com/global/security/acknowledgements

    Barracuda Labs Hall of Fame:

    www.barracudalabs.com/bugbounty/halloffame.html

    LastPass Security Hall of Fame:

    Reported a stored cross-site scripting (XSS) vulnerability in their core products: https://lastpass.com/support_security.php

    Acknowledgment by ESET (NOD32 Antivirus Company)

    Acknowledged by Avira

    Acknowledgement by MediaFire

    Acknowledgement by Lavasoft

    Acknowledged by National Bank of Pakistan

    PayPal's Job Offer

    Internet Magazine

    Interviews


    An Interview With EHN:

    http://www.ehackingnews.com/2013/02/an-interview-with-rafay-baloch-security.html

    A detailed interview with Infinityloopers: 

    http://infinityloopers.com/an-interview-with-ethical-hacker-and-security-researcher-rafay-baloch/ 

    http://blog.bugcrowd.com/meet-the-bugcrowd-bounty-hunter-profile-rafaybaloch-rafay-baloch/

    http://known.pk/pride-of-pakistan/rafay-balochs-exclusive-interview/

    In Newspapers

    Tribune Newspaper:

    http://tribune.com.pk/story/486506/working-a-desk-job-young-techie-bags-a-million-rupees-using-it-skills/ 

    http://tribune.com.pk/story/504256/pk-domain-under-threat-pknic-remains-at-risk-of-cyber-attacks/

    “This was a basic-level attack,” said Rafay Baloch, a professional white hat who recently bagged $10,000 in Paypal’s bug bounty programme after exposing a critical vulnerability in the website. However, he said it is believed across many online forums that PKNIC is also vulnerable to SQL injection – the most powerful cyber attack, according to Open Web Application Security Project (OWASP). OWASP is the world’s largest organisation in terms of web application security and penetration testing. Through SQL injection, the hacker can extract the entire database from the target website, Baloch said.

    Brecorder News:

    http://www.brecorder.com/epaper/page_2012_12_27_19.html

    ISLAMABAD: Rafay Baloch, an independent security researcher from Karachi, has been rewarded with $5,000 for reporting a remote command execution bug in PayPal's website. According to details, PayPal had announced this reward initiative for researchers who would report the existence of a bug and its subsequent remote command execution, Technology Times reported.

    Times Of India: 

    http://timesofindia.indiatimes.com/tech/tech-news/internet/Pak-web-domain-pk-remains-vulnerable-to-cyberattacks/articleshow/18417191.cms

    In Softpedia News several times:

    http://news.softpedia.com/news/Microsoft-Fixes-DOM-Based-XSS-Flaw-in-Learning-Site-After-Being-Notified-by-Expert-305788.shtml

    http://news.softpedia.com/news/Persistent-XSS-and-SQL-Injection-Flaws-on-ESET-Taiwan-Website-Fixed-303376.shtml

    http://news.softpedia.com/news/Expert-Finds-XSS-Flaw-on-eBay-After-Bypassing-Filtering-Mechanisms-295397.shtml

    http://news.softpedia.com/news/Researcher-Finds-Open-Redirect-Vulnerability-in-Facebook-Video-294780.shtml

    http://news.softpedia.com/news/Microsoft-Addresses-XSS-and-HTML-Injection-Flaws-on-Websites-VIDEO-POC-294329.shtml

    http://news.softpedia.com/news/PayPal-Rewards-Researcher-with-5-000-for-Finding-Remote-Code-Execution-Flaw-314110.shtml

    http://news.softpedia.com/news/Researcher-Finds-XSS-Vulnerabilities-in-cPanel-WHM-11-34-Video-317356.shtml

    http://news.softpedia.com/news/Zynga-Fixes-XSS-and-SQL-Injection-Vulnerabilities-on-With-Friends-Website-318452.shtml

    http://news.softpedia.com/news/Expert-Finds-Security-Holes-in-Sites-of-Microsoft-Twilio-and-ProActive-CMS-321774.shtml

    http://news.softpedia.com/news/Directory-Traversal-and-XSS-Vulnerabilities-Found-in-Avira-s-BetaCenter-329867.shtml 

    Mentions in Other Popular Blogs:


    http://propakistani.pk/2012/12/13/paypal-rewards-pakistani-student-for-reporting-bugs/

    http://www.aaj.tv/2012/12/pakistani-student-recieves-5000-for-detecting-bug-in-paypals-website/ 

    http://www.hamariweb.com/articles/article.aspx?id=27713 

    http://www.brecorder.com/pakistan/general-news/97795-pak-student-gets-5000-reward-from-paypal.html 

    http://www.ehackingnews.com/2012/10/xss-vulnerability-in-stumbleupon.html 

    http://www.soldierx.com/hdb/Rafay-Baloch

    http://www.mybloggertricks.com/2012/12/mohammad-chose-blogger-i-chose-hacking.html

    http://www.ehackingnews.com/2013/01/sharecash-vulnerable-to-persistent.html

    http://blog.bugcrowd.com/meet-the-bugcrowd-bounty-hunter-profile-rafaybaloch-rafay-baloch/ 

    http://known.pk/pride-of-pakistan/rafay-balochs-exclusive-interview


    Featured on PaulDotCom:

    http://pauldotcom.com/wiki/index.php/Episode312

    "Pretty neat how you get offered a job if you can find bugs in someone's application. This is a slippery slope, some may get a job, others may get an orange jumpsuit and a cell mate named "bubba", but hey if it's worth the risk to you, go for it. This person is still in college, which is impressive. Less than impressive is just how many flaws are in Paypal. You would think that someone like Paypal would pay close attention to security, but it seems they do not. This makes me want to give up on security entirely, until I remember that I get paid to find vulnerabilities..."

    TV Shows

    Show On Kay2tv 

    Social Networks

    You can connect with me mostly on: