Inspirational interview of Raj Sukali - Security Researcher

An inspirational interview of an Indian security researcher Raj Sukali - A well known popular security researcher and bug bounty hunter. Raj has discovered many critical vulnerabilities and flaws in giant sites like Twitter, Facebook, Nokia etc and received gifts, fame and bounties as appreciation. Currently he is working as senior security analyst in a web security firm.

He's the first Security Researcher/ Hacker I've met in real life. He have guided me many times in this field. So today I've organized an exclusive casual text interview. He answered 10 questions related to his journey and field. There is lot to learn from Raj's journey and he also have little advise for you. I'm sure you'll like it and end up motivated

Hi Raj, please introduce yourself to readers

Hi , I’m Raj Dasharath Sukali, An Internet Geek who loves to learn new things. I have completed my graduation in IT and looking forward for my masters. Mean time completed MCITP and CCNA. My area of interest is Web Application and Network Security and bit in to APK development. Professionally I'm working as Senior Security Analyst at Defencely and in remaining time I handle my freelance projects.

How you got fascinated towards Security field?

As an IT student I was quite indulged in computing and networking field. So it all started for free internet, I learned to crack WEP key and access internet for free. That made me eager and curious to learn more; What else can be done, soon I was into defacing Websites (Honestly that was waste of time) but It was fun, Meanwhile I found few Responsible disclosure program, So I started hunting vulnerabilities and reported, which luckily got triggered and I was thanked, I felt good. It made me think that its rather good to be preventive than destructive. That's how I came into White Hat Community and started reporting vulnerabilities. Well nowadays I'm working on malware and forensic analysis.

What motivates you? and who stands as your ideal?

Motivation and Inspiration are the pillars which helps you reach your goal, As Per  the life, My parents motivates me at every journey I carry out, Their support inspires me to do things in more greater way. In Security it’s the people who report amazing bugs which motivates me to find even more logical and advance bugs, I idealize Neal Pole and Rahul Sasi for their findings which I liked.

What else you like to do except Hacking and Computing stuffs?

I like to sketch, visiting historic places and clicking pictures (I would be an Archaeologist if I was not into Security). My most favorite spot is sitting sea side and watching Sunset, It makes me calm.

Why did you chose Hacking / Security field?

My motto was to learn how this “Hacking” works and what else I can do with it which can make me grow and eventually help community. Security is a big field where you can learn new concepts every time. There is always some new discoveries in Information Security.

When did you begin to learn Hacking?

I started it 5 years back, when I was about to complete my graduation. As the word Hacking made me curious to learn its concept I joined few forums, IRC and use to spend my half time there exploring.

Where did you learn everything?

For most people Google is the best teacher same goes for me too most of the topic I learned from Google by searching and exploring them. Few forums like Rdot, Ashiyane, HackForums were my few sources in beginning. But Twitter is the best If you want to be updated with latest discoveries follow people who are in Information Security you can get enough information and resources to learn.

What are your future plans?

In future I want to start a security firm so that I can employee fresh minds and make them grow in InfoSec.

Do you recommend Hacking and Security field as a career choice?

Yes I do recommend security field as career choice but “Hacking” does not stand as a career if you are utilizing your skills in negative way. If you are using your skills for helping the community then it’s the best choice. But the fact remains the same most of the journey starts from Black Hat to White Hat. Security field have a vast scope both in learning and earning aspects. Every time you can learn new things and eventually you get paid if you are Good at your work. Day by day, New application, systems are Introduced in market so for that Security is must.

Which is your most favorite quote or thought?

Learning an Earning are two sides of coin, the more you Learn the more you Earn.

Which is your most favorite vulnerability found by you?

As for now I have handled many thick clients in my current company. The best one I remember was RCE vulnerability in one of the Matrimonial site, I was able to call my shell on server, It was a old kernel so I was able to get the root box.

Another one is CSRF using HPP in where you can delete the app created by another user.

What is your advice to beginners in Pentesting/ Hacking field? 

I am still a learner and yet to explore many things but I want to suggest few points

Most of the guys still think to start as a pentester they need to pursue security certifications, But the reality is for starting you don’t need such certification you can learn everything on Internet and clear your basics. Then you can go for certification like OSCP, CEH etc as after clearing basic you will actually know what they are teaching. I to started learning on my own by searching on Google reading blog post, following responsible disclosure programs. One should have eagerness to learn.
Don't learn to Hack – Hack to Learn
If one can try to learn at least few languages like perl, php, java any Language It helps you understand the mechanisms of the application. You can even code your own payload write your own scripts.

Try to keep your self updated with latest vulnerabilities. Google is your friend still you can check Packetstrom,  Exploit-db , Hackerone Follow other Security researchers on Twitter. Learn from their write ups and try to learn the mechanism how they found out the bug if not understood you can freely ask them, Youtube and Vimeo are good source to get video POC (Proof of Concepts)

For practicing one can download and install "Vulnerable web applications" like DVWA (Damn Vulnerable Web App), Webgoat, Mutillidae, Hackxor etc (Web Pentesting Apps)

Last suggestion would be if you are trying your hands on BugBounty avoid Automated scanners as already other guys must have used it so most probably your bug would go duplicate. XSS, CSRF, Clickjacking are quite easy to find but if you’ll try harder you would end up finding a RCE. It is about time and patience which can make you find good bugs. Be patience try learning and you are good to go.

What do you think about Hackw0rm blog (Share your thoughts)

Hackw0rm is one of the blog which I often visit, The write ups are quite interesting while reading with proper explanation. It is good to see how you guys have helped community by sharing knowledge by blogging which helps learners and IT experts. There is something new everyime; I wish good luck to Hackw0rm. Hope they grow more and keep helping people by sharing awesome articles.

Thank you very much Raj, Is there anything else you want to share?

Thanks team for giving me this opportunity to share my thoughts. Even I would like to thank people who have helped with my life journey for being there. My facebook mates Minhal, Nikki, Mohit, Manish, Abhishek, Gagan and Vivek . My facebook inbox is always open for Queries if any one would like to ask.

Thanks for reading my article. If you've any doubt or question for Raj please feel free to ask him in comment. Consider it AMA (Ask Me Anything). Find Raj on social sites Facebook | LinkedIn | Twitter | Google+

How to Get Started with Web Programming Languages

Programming languages are rid of all technology today, whether its Smart-phone, Computer Software, Internet or telecoms. All advance technology devices are programmed in specific programming language. There are many programming languages which you haven't heard of, but only few are popular and useful in today's world. Everyone must learn programming, its always good. Well so in this post I've shared few effective tips on How to start learning Web programming languages and become superior in it. I'm sure you'll find some helpful tips to get started with web codes.

Getting started with Web Programming Languages

You wanna become Web designer or developer? Then you've to learn web programming languages, Although this articles is also for those who is interested in becoming Web Hacker or Penetration tester, Because everything you see on web page is programmed in specific programming language and to Hack/ Pentest an application you must know web coding. So are you a computer geek? wow! that's great, then you know web programming languages, well if not follow the below guide on How to Get Started with Web Programming Languages.

Begin with Basic Web Programming language

Always begin with basic, Start with static web  markup language called HTML (Hyper Text Markup Language) one of the most basic and useful web language. Well its not officially considered a programming language but everybody prefers it calling programming language.

Now alongside HTML, I also suggest you to learn CSS (Cascading Style Sheet) for designing your web page in creative and unique manner. CSS is widely used for designing all your web contents. Its pretty easy and fun learning.

Its nothing hard learning HTML and CSS, It will hardly take a month for getting familiar with its codes, tags and attributes. All you need is little focus and practice. Okay after getting done with HTML and CSS move on to JavaScript.

JavaScript is light weight script language, It is widely used on almost all websites today. It reduces server load and bandwidth because its a client-side programming language. Its highly recommended you to learn JavaScript as its very popular and easy to learn.

Now choose an advance web language and stick to it

After learning static and client-side language move on to advance Dynamic server-side programming. It is important for you to choose your area of interest. For example ASP.NET, PHP or Java etc... are the most demanded and used languages. You can choose any based on your interest, just make sure you learn it very well. It is also recommended to learn database programming languages SQL (Structured Query Language).

Start coding simple web applications : After learning Static, Dynamic Web programming languages take on a project. Try to create your own web applications, design it, try to make it look little dynamic. Learn how web applications work and how to connect it with forms and database. Challenge yourself and your skills to create an web application login forms connected to Database. Start with basic and go on smoothly, If you get stuck use google to get solutions.

Deconstruct an online application : This is one of the best way to learn advance web coding, Just deconstruct any online application using view-source and understand its logic and method. This would help you to understand advance coding and logic. You can also copy and create your own to understand.

Practice coding daily : Don't miss it single day. Practice makes man perfect! To become a programming champ you'll need to practice daily and get used to every code. It requires lot of experience and coding knowledge to become professional programmer or web developer.

Ultimate Guide to Penetration Testing Web Apps

Web Penetration Testing also known as Web Pentesting is an act of exploring web application security, finding vulnerabilities and learning about its weakness and patch. Pentesting always had been my favorite topic on Hackw0rm blog. I've already published many pentesting articles on this blog, but this is the Ultimate guide to Penetration Testing Web Apps.

Why you need to start learning Web Pentesting?

Web pentesting is always good practice for beginners in hacking and security. It helps honing your skills, learning about how to secure web application, what causes vulnerability, how to patch and most important how to discover vulnerabilities, flaw and bugs in an application. Security is a never ending race daily we see sites and applications getting hacked. Web Pentesting can really help you lot discovering advance flaws and vulnerabilities. If you want to become a Professional Hacker, Security expert then you must know everything about Web Pentesting and Security.

Things you must know before learning Pentesting

You might think, What are the things I must know before learning web pentesting. Well as always I strongly suggest you to learn Programming, Networking and basic of Hacking before starting web penetration testing.

Must Read : Important Programming Languages for Ethical Hackers and Pentesters

How to Learn Web Pentesting?

After learning programming, networking and basic of hacking it will be easier to understand web pentesting concepts and topics. The best method which I prefer for learning web pentesting is to create a Virtual vulnerable web application also known as Web pentesting lab. There are many open source vulnerable web apps for hackers to practice their skills or demonstrate tutorials. For guidelines you can refer e-books, video tutorials and last but not least read pentesting blogs.

Must Read : Learn Web App Pentesting by Web for Pentesters E-book (Very helpful e-book)

What tools and softwares should I use for Pentest

There are many penetration testing tools but I recommend all in one like Penetration Testing OS (BackTrack or Kali Linux) and Owasp Mantra Security Framework (A special web-browser) for hackers and penetration testers with pre-installed tools.

Must ReadImportant Tools for Ethical Hackers & Pentesters

How to create web pentesting lab

There are many open-source vulnerable web app which can act as a web pentest lab in your localhost server but all of them there is only one ultimate and most advance vulnerable web app called OWASP BWA (Broken Web Application) Actually its a virtual Linux OS which acts as a web penetration testing lab. I highly recommend BWA to everyone.

Must Read : How to Install OWASP BWA Pro Pentesting Lab - Installation and Guide

Create Penetration testing Lab in Linux (Kali Linux and BackTrack)

When it comes to pentesting I always prefer BWA with Kali Linux or BackTrack. Its the great combination which creates an amazing penetration testing lab in your system. Below is the video tutorial How to create Pentesting lab in Kali Linux. (Watch in full screen + HD)  Read PostHow to create Pentesting Lab in Kali Linux

This was just a small penetration testing guide, Pentesting is far deep and broad. Hope you'll stay connected to Hackw0rm blog and I'll soon share lots of gazing pentesting and ethical hacking stuffs. Check below best article list of Hackw0rm.

Thanks for reading, Join our official Hackw0rm Group on Facebook.

Top 4 Ethical Hacking Pentesting and Security Courses

Hi friends, In this post I've compiled Top 4 Ethical Hacking, Pentesting and Security courses. After writing How to become Professional Ethical Hacker, readers asked me what are some good professional courses for ethical hacking and security to get certified. Well here is an answer, I've described best and top 4 courses which is definitely very good for your career.

Hacking Fact : Nobody becomes Hacker or Security expert just by reading books or getting certified. Professional certificates merely acts as a proof that this person has completed and passed Ethical Hacking, Security or Pen Testing exam. To become a security expert or hacker one must have dedication and passion of learning. I strongly recommend you to learn programming and networking before applying to any certification courses. If you think you can hack any application or computer after getting certified then you're totally wrong. Security keeps changing.

Must Read : Important Programming Languages for Hackers

Top 5 Ethical Hacking Pentesting and Security Courses
If you're aiming to become Security Professional / Expert, Ethical Hacker or Penetration tester then I recommend you to apply for any courses which you think is suitable and perfect for your career. Below mentioned courses are professional certification courses which also requires examination, If you fail then surely won't get any certificates you'll have to re-appear for exam. (Image Credit :

Top 4 Professional Ethical Hacking, Pentesting and Security Courses

Certified Information System Security Professional (CISSP) is professional course for security experts or professional. It offers many opportunities and it is considered one of the most advance security course. It is consist of top ten security practices such as Access Control, Cryptography, Software Development Security, Network Security and Architecture etc...  I recommend CISSP training to those who are aiming to get job in giant companies as a Security Professional or Expert.

Licensed Penetration Tester (LPT) is a professional training for Penetration Testers. If you crack LPT exam test, You'll get a certificate and license for penetration testing. You can't apply for LPT until you hold a CEH certificate and you can only get admission if your criminal background is clear. If you want to become a Penetration tester go for LPT, It is one of the best Pentesting and Hacking course. There is lot of scope and opportunities for LPT holders.

Computer Hacking Forensics Investigation (CHFI) is a computer forensics training for Cyber Security Experts or Cyber Space Investigators. In CHFI you'll be trained with professional skills to track down any hacking crime activity. Computer Forensics application . You'll learn advance concepts of Computer Forensics Application including digital crime scene analysis, Cyber Crime Investigation etc. CHFI is recommended to those who interested in joining Cyber crime department.

Certified Ethical Hacker (CEH) is one of the most popular Ethical Hacking course. CEH is for beginners interested in Ethical Hacking. CEH is a base training course of all advance courses. CEH syllabus is very interesting, It is consist of Web Hacking, Software Hacking / Cracking, Vulnerability Hunting, Network hacking guide etc... If you're interested in Hacking but not getting started or not u, You can apply for CEH without any eligibility. It is good to have CEH certificate.

Conclusion : Think twice before applying to any course, If you're really interested in Hacking and Security then I strongly recommend you to go for CISSP and LPT, these two courses has the most demand and As I said in Hacking Fact paragraph don't apply for any courses until and unless you learn programming, networking and basic knowledge of Hacking. Also make sure you choose proper institute for courses. Thanks for reading, If you've any doubt feel free to comment. Good luck.

OWASP Insecure Web Pentesting App Installation and Guide

Hi guys I'm back with an interesting web penetration testing lab article. This time its OWASP Insecure, It includes common web vulnerabilities. It is coded very poorly which helps security beginners learn lot how to secure application. Pentesters and Hackers also uses it as testing lab for manual penetration testing, source code analysis and vulnerability assessment. I recommend you to get hands on OWASP Insecure app.

Things you can learn and practice using OWASP Insecure

OWASP Insecure WebApp Pentesting Installation and Guide
SQL Injection, HTML flaws and other injection vulnerabilities such as XSS (Cross Site Scripting). You can learn how to patch these vulnerabilities and how to exploit it. You can learn web app security, hacking and pentesting. But the most important it will help you to hone your pentesting and source code analysis skills. However you can also demonstrate in tutorials, presentation or articles. It's an open source project by OWASP so its totally free and customizable. Follow below tutorial on how to install OWASP Insecure and get started.

How to Install and Create Penetesting lab using OWASP Insecure

It's very simple just download OWASP Insecure (Download file). Its a ZIP file contaianing .war file, XML and some notes. Now download and install XAMPP Server.

Step 1. After XAMPP installation start its Control Panel and click on Start Tomcat. See below image.

XAMPP Start Tomcat Server

Step 2. You'll see CMD pop-up with lots of commands raining, Do not close it. Now open your favorite browser and follow this URL http://localhost:8080 Its tomcat local server address, If you see Tomcat homepage, It means you've successfully installed Tomcat server. Now its time to install OWASP Insecure and get started with it.

Step 3. But first we'll set-up users. Download Modified Tomcat User file (2KB) Go to C:\xampp\tomcat\conf  Delete tomcat-users.xml file and paste modified tomcat user file. Replace downloaded file with existing one, that's all.

Step 4. Now Go back to Tomcat homepage (http://localhost:8080) Refresh page and click on Manager App. It will ask for login details so Username is Okay and password is Lets (You can change login credentials in tomcat-users.xml which you downloaded. (Open it with notepad and go to bottom page and there on you'll see <role rolename="manager-gui"/> If you want you can change username and password or let it be.

Step 5. After logging in you'll land on server WebApp managing page. Go to bottom of page and there you'll see an option to deploy WAR file. Click on Choose and select insecure.war file which you've downloaded in beginning. Deploy it.

Step 6. You've successfully deployed insecure app on server, Now its time to access it. After deployment it will reload page and you'll see tables, Just find insecure app name and click on it. As shown in below image.

OWASP Insecure WebApp installation

That's all, OWASP Insecure Web page has loaded. Now penetrate its application, analyze its source code, try SQL Injection and XSS techniques. Most important learn about vulnerabilities security and hack it.

Important Programming Languages for Ethical Hackers

In my previous post, I explained How to become Professional Ethical Hacker, However still it wasn't complete guide, Many people's asked me which programming languages should i learn, So here I'm with new article - which programming language one should know and learn to become a successful professional Ethical hacker.

Can I learn Hacking without Knowing Programming?

Simply you just can't, Even if you managed to learn it step-by-step tutorial, You'll never be able to hack or pentest on your own. Its because you don't know the core and logic of target application, If you understand application logic you can easily play with it. So that's why it is highly recommended to learn programming languages to become an Ethical Hacker.

Which Programming language should I learn to become Ethical Hacker 

Here comes the main question which programming should i learn. Read below guide

Web Hacking

So if you're interested in web hacking. You should follow below guide.

HTML : Hyper Text Markup Language. Always learn from basic and HTML is important and most basic markup language. One should know it very well to understand web action/reaction and logic. HTML is static markup language.

JavaScript : JavaScript is the most used as client-side programming. You should learn it on high priority mode. Understanding JavaScript code logic can help you find web-apps flaw.

SQL : Structured Query Language is database programming language. Each and every data is stored in database so you should know about database programming and vulnerability as it is the most sensitive part of Web.

PHP : PHP is most popular dynamic programming language, Unlike JavaScript It is server-side programming language. PHP is strongly recommended to every beginner in Hacking and Penetration testing.

Programming Languages for Exploit Writing

Exploit writing is difficult and advance part of Hacking, It requires higher level of programming language. Every professional hacker must know Exploit Writing, It can be done in any programming language like C, C++, Ruby, Python etc.

C : The mother of all programming language, C is most used in software creation for Linux, Windows etc... However it is also used for Exploit writing and development. I would prefer to learn C first and recommend to you as well.

Python : Python is most used language for exploit writing, It is highly recommended you to learn Python Socket Programming because it helps lot learning exploit creation.

Ruby : Ruby is simple but complicated object oriented programming language. Ruby is very useful in exploit writing. Ruby is used for meterpreter scripting and do you know Metasploit Framework itself programmed in Ruby.

Programming Languages for Reverse Engineering

Assembly language, the one and only Assembly nothing but Assembly.

Assembly Language : Assembly Language is low level programming language but very complicated. One can instruct a machine hardware or software using Assembly language. Reverse Engineers uses Assembly language, and if you want to learn Reverse Eng, you must need to know Assembly Language.

Thanks for reading my article, It is purely based on my knowledge few resources and advice by Security Researchers. If you've any doubt feel free to ask in comment.

How to become Professional Ethical Hacker

Hi guys, In this article I'm gonna tell you some effective tips on How to become professional Ethical Hacker. Well I'm neither a professional nor an expert, the below article is totally based on my experiences, knowledge and some tips by professional security experts. Since last few days I've been receiving few email questioning How can I become an ethical hacker? Its hard for me to explain everyone particularly, So that's why I wrote this article.

4 Things you must know to become Pro Ethical Hacker

  1. Right definition and meaning of Hacker 
  2. You must know Programming and Networking
  3. Proper and right sources/resources of learning
  4. Determination, Passion and Curiosity to learn

I'll explain and elaborate above all tips in short, that will definitely help you in learning.

Right definition and meaning of Hacker

The very first thing you should know is meaning of Ethical Hacker. An Ethical hacker is someone who is trained with Hacking skills not to hack or exploit but to secure target or software. An ethical hacker finds vulnerability in app (vulnerability means weakness, flaw or weak point of an application and fix or report it to owner). Unlike ethical hacker, the hacker will exploit vulnerability. An ethical hacker has legal license and rights to test application for vulnerabilities.

Another thing Don't rely on tools, If you're thinking there is an application or tool that can hack anything for you, so let me tell that you're completely wrong. However there are few hacking tools that can be use to extract target information but there isn't anything that can hack or find vulnerabilities for you easily. At some point few automated vulnerability scanners can be used to find flaws but they are automated programmed to act in same ways. Logical bugs like Auth, 0-Days, Advance Input validation etc require human brain to understand logic and find vulnerabilities.

You must know Programming and Networking

Without knowing Programming and Networking you cannot hack anything, because every application is created using particular programming language logic and connected through Network. Unless and until you don't understand logic of application you won't be able to find its vulnerable point. Just keep in your mind that all application runs on logic all you've to do is find a way to alter its code/logic and gain unauthorized access. As you know every application is moving on clouds so knowing networking is another important thing.

Must ReadImportant Programming Languages for Ethical Hacker

Proper and right sources/resources of learning

This is another important thing you should know. Not everyone knows about OWASP, Black-Hat, Securitytube, Vulnerability Lab, White-Hat community and other sources of learning. Don't be fooled by any website saying become hacker in 30 days. It takes years to become an expert hacker. Join forums, read blogs, watch training videos, Read e-books, white-papers and vulnerability POCs (Proof of Concept) by security researchers or organization and last but not least create a pentesting lab (Vulnerable app for learning)

In Hackw0rm blog you'll find many tutorials for creating penetration testing lab, training videos and ebooks to learn. Just click on the links, and explore.

Now all above tips won't make you professional licensed (Ethical) Hacker until and unless you don't apply for course and get valid license and certificate. Here are some few best courses to become ethical hacker, Security expert or professional penetration tester.

Professional Ethical Hacking and Licensed Pentesting courses

Must Read : Top 4 Ethical hacking Security and Pentesting courses for your career

CEH - Certified Ethical Hacker
LPT - Licensed Penetration Tester
CCSN - Certified Cyber Security Ninja
CHFI - Computer Hacking Forensics Investigation
CISSP - Certified Information System Security Professional

Determination, Passion and Curiosity to learn

Determination and Passion isn't just words, It's everything. Be determined and focus on learning, Always remember that "Expert in anything was once a beginner" and beginning is always the hardest part. Motivate yourself, Keep up learning. Make it your passion, Read inspirational interviews of security researchers on our blog. Always have the curiosity to know how things, How stuffs work, Remember Hacking is an art.

Thanks for reading article, I haven't elaborated it deeply but do not worry. I'm gonna write some more posts on programming, ethical hacking and networking. If you've any doubts feel free comment

OWASP Web Application Pentesting Guide Ebook

Hi, I hope you'd read my previous post - An Inspirational interview of a very passionate pentester and security researcher. Today I've shared latest release of an Ebook by OWASP - Web Application Pentesting Guide v4.0, I'm reading it from last 3 days and trust me its one of the best ebook to learn lots of Web Application Penetration Testing. The Ebook is contains 224 pages of web application pentesting guide.

What are the benefits of reading this Ebook?

If you want to learn Web Application Penetration Testing There are many benefits of reading this ebook, It covers almost all web application vulnerability testing guide, which helps lot in learning and exploring web application penetration testing. Very informative for beginners who are curious and willing to learn penetration testing.

Table of Contents (In short)

Here is a short glimpse of OWASP Testing Guide Ebook. Note this is only short glimpse of table of contents please download and you'll learn lots of advance web application penetration testing and vulnerabilities.

  1. Authorization Testing
  2. Session Management Testing
  3. Input Validation Testing
  4. Client Side Testing
  5. Authentication Testing
  6. Identity Management Testing

Click Here to Download OWASP Web App Testing Guide v4.0

Many more such as; Testing for Authorization and Authentication vulnerabilies, Input Validation is one of the most common for eg: SQL, XSS, LDAP, XML, RCE testing guide. Session management, And Identity management testing. If anyone interested in Web Application Penetration Testing its highly recommended for you.

Subscribe for free & Receive Post via Email