Please tell me a little bit about yourself and how you got involved in cybersecurity research.

My name is Taha Smily; I’m an independent security researcher and cryptography analyst from Morocco. I’m self-taught in several programming languages (HTML, PHP, JavaScript, CSS, and Python), cryptography as well as basic networking, steganography, and forensics. I’m also a Capture the Flag player. I work on the Open Bug Bounty platform, where I have uncovered about 3,000 vulnerabilities on various websites, which I then report to the sites’ owners. As a result of my work, I am in the Hall of Fame of several major companies and organizations, including Microsoft, Apple, Nokia, Pivotal, and Cert-Europe.

What are some of your recent security projects?

I am currently involved in several security projects, including the development of web-server testing tools. Additionally, I have just finished authoring a book, “Methodology of Web Application Security,” which will be published soon.

You are also a “security vulnerability bounty hunter” - what does that mean?

Security vulnerability bounty hunters are a new generation of ethical hackers who help companies discover and fix their security bugs. A “Bug Bounty” is the deal offered by companies to ethical hackers like me in exchange for uncovering security bugs. These bug bounty programs pay for these discoveries on a scale proportionate to the severity of the bug.

What is the openbugbounty.org platform and how does it work?

The Open Bug Bounty platform was started by a group of independent security researchers in June 2014. It is a non-profit platform designed to connect security researchers and website owners in a transparent, respectful and mutually valuable manner. Our purpose is to make the web a safer place for everyone. We have no financial or commercial interest in the project. Moreover, we pay hosting expenses and web development costs out of our own pockets and spend our nights verifying new submissions.

How do you decide which sites to test for security flaws?

I like to test the popular sites and sites that may appear to be strong and secure. Of course, I am especially interested in looking at sites that are concerned about their security and those that offer bounties.

Do you do it for fun or profit?

I do it for fun because I enjoy new challenges, but yes, also for profit!

Do you find most companies appreciative when you report a vulnerability?

Yes. The security and protection of information and personal data have become a great concern for companies these days.

What are the most common vulnerabilities you encounter?

The most common issues I see are Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and subdomain takeovers.

Cross-Site Scripting (XSS) is when malicious scripts are injected into otherwise benign and trusted websites. These attacks generally take the form of a browser-side script and can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. While not actual theft of data, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Subdomain takeover is a type of vulnerability which appears when a DNS entry (subdomain) of an organization points to an external service, but the service is no longer utilized. An attacker could register with the external service and claim the affected subdomain. As a result, the attacker could host malicious code (e.g., for stealing HTTP cookies) on the organization’s subdomain and use it to attack legitimate users.
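As an added illustration of the two web bugs described above (not code from the interview or from Open Bug Bounty), the following Python shows the vulnerable pattern beside the hardened one for each: raw concatenation versus output encoding for XSS, and an unprotected state-changing endpoint versus one that requires a session-bound synchronizer token for CSRF. The server secret, session id and sample comment are constructed for the example.

```python
import hashlib
import hmac
import html

# Constructed server-side secret for this example; a real deployment loads it
# from protected configuration, never from source code.
SERVER_SECRET = b"example-secret-do-not-reuse"

def render_comment_unsafe(comment: str) -> str:
    """Vulnerable pattern: user input is concatenated straight into the page,
    so a stored comment containing <script> runs in every reader's browser."""
    return "<p>" + comment + "</p>"

def render_comment(comment: str) -> str:
    """Hardened form: contextual output encoding turns markup into inert text."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"

def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Synchronizer token bound to the session. A page on another origin cannot
    compute it (it never sees the secret), and the browser does not attach it
    automatically the way it attaches the session cookie."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

def verify_csrf_token(session_id: str, token: str, secret: bytes = SERVER_SECRET) -> bool:
    expected = issue_csrf_token(session_id, secret)
    # Constant-time comparison so the check does not leak the token via timing.
    return hmac.compare_digest(expected.encode(), (token or "").encode())

def handle_transfer(form: dict, session_id: str) -> str:
    """State-changing endpoint: refuse unless the token matches the session
    identified by the cookie, regardless of which site sent the POST."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: transferred {form['amount']} to {form['to']}"

if __name__ == "__main__":
    payload = "<script>alert(1)</script>"           # constructed XSS test string
    print(render_comment_unsafe(payload))          # script tag survives intact
    print(render_comment(payload))                 # &lt;script&gt; is just text
    session = "sess-0123abcd"                      # constructed session id
    legit = {"amount": "100", "to": "savings", "csrf_token": issue_csrf_token(session)}
    forged = {"amount": "100", "to": "elsewhere"}  # cross-site POST: cookie rides along, token does not
    print(handle_transfer(legit, session))
    print(handle_transfer(forged, session))
```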

What are some of the most serious vulnerabilities you have seen?

The most serious vulnerabilities I have encountered are SQL injection for dumping databases and remote code execution. SQL injection is a code injection technique, whereby nefarious SQL statements are inserted into an entry field for execution in order to dump the database contents to the attacker. Remote code execution is an attacker’s ability to execute any command of the attacker’s choice on a target machine or in a target process. It is one of the most powerful bugs because it allows an attacker to completely take over the vulnerable process. From there the attacker can potentially take complete control over the machine the process is running on, allowing malware to run on a computer without the owner’s consent.
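To make the SQL injection described above concrete, here is an added Python example (not from the interview) with a constructed in-memory SQLite user table: one lookup splices the entry-field value into the SQL text, the other passes it as a bound parameter. It also shows that the same defect breaks legitimate input containing an apostrophe, which is a useful thing to test for when reviewing query code.

```python
import sqlite3

def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("o'brien", "ob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn

def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the entry-field value is spliced into the SQL text,
    so quotes inside it are parsed as SQL rather than treated as data."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def lookup(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: a parameterized query sends the value separately from the
    statement, so the database never parses user input as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()

if __name__ == "__main__":
    conn = build_sample_db()
    # A tautology in the entry field turns a one-row lookup into a dump of the table.
    tautology = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(conn, tautology))  # every row comes back
    print("safe:  ", lookup(conn, tautology))         # no user is literally named that
    # The same defect also breaks legitimate input: an apostrophe in a real name
    # is a SQL syntax error in the unsafe version and works in the safe one.
    print("safe:  ", lookup(conn, "o'brien"))
    try:
        lookup_unsafe(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        print("unsafe:", exc)
```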

From your experience as a cybersecurity researcher, what advice can you offer to today’s software developers?

The most important advice I can give is to keep pace with security gaps and the latest updates in the field of information security. In addition, it is crucial to work with researchers in cybersecurity to detect and fix any security issues before rolling products out to the public.

Where do you see software security heading in the future?

The real problem with software security is even deeper than can be addressed with best practices and specialized languages. A complete redesign of software architecture from the OS level up is likely required to solve the systemic problems with the Internet of Things and beyond.