Nov 19, 2014

Meet Jasminder Singh - Security Researcher

This is an exclusive interview of an Indian security researcher Jasminder Pal Singh ― A very passionate InfoSec enthusiast, Web developer and a Bug bounty hunter. What's catchy about Jas is, he is a very humble and have lots of patience towards his work. Recently he discovered critical stored XSS flaw in YouTube, as a white hat he immediately reported it to Google Security team and received positive reply.

Jasminder Singh
Jas has discovered multiple bugs in Nokia, Facebook etc

1. How you got fascinated towards security field?

I was attracted by the term hacking but before it I was into Security Researches - Malwares, Trojans etc I studied how they work, did stuffs practically. I really loved these things but I had to drop it because there was no peace of mind working and so I engaged in web development but I was also aware that there are destructive minds and methods to break my apps and in the process of learning to secure them, I also learned how to break.

2. Who is your inspiration?

Actually there were many inspirations during the journey and its still ON, If you're ask about Web App Security, it is necessary for a web developer to secure their developed applications. I want to give credit to two persons. I was inspired by the research of Rafay Baloch A a very genuine person and helped me quite a few times. The other one is Siddhesh Gawde, he once sent my name for Microsoft Hall of fame even though I hadn't anything. This made me happy and I decided to start pentesting.

3. Which is your most favorite quote?

Getting Inspired instead of being jealous on someone's success will lead you towards the Success.

4. What is your advice to beginners in Hacking?

Learn the Basics: This is the key, without basics we are like shooting in dark. It may hit correct sometime by chance but majority will go in vain. I would like to quote few words of Amine Cherrai.

Never try to think outside the box before you know what's inside

Learn Programming: I was into web applications development before pentesting, so I had some command over web development languages like php,js,html/xhtml,css etc. It helped alot to understand the behavior of the application. I was able to code my own payloads instead of injecting static ready made vectors.

Watch POCs and Read Write-Up: Its a good practice to watch video Proof of Concepts and read the write-Ups of bugs discovered by other security researchers. It will increase your area of thinking about injecting into application. Some good resources are: Hackerone.com, vulnerability-lab.com or on Youtube set the search filter to "Last Week" and input search terms like "XSS" , "CSRF" etc

Avoid Pentesting sites which doesn't have a vulnerability disclosure program its kinda illegal. There are many websites where you can practice pentesting - Bug bounty programs list and last but not least follow InfoSec and researchers on twitter, I follow some good researchers on twitter. You can also navigate to HOF pages of different websites and read their researches.

5. Which is your favorite vulnerability found by you?

Last year I discovered a DOM based Cross Site Scripting bug which abused CORS in Nokia's Ovi Store which affected whole site. It was quite interesting bug, I had to work lot to make the payload. Second one which is also XSS in YouTube.