NEW FEATURE
Cobalt PtaaS + DAST combines manual pentests and automated scanning for comprehensive application security.

Pentester Spotlight: Shahrukh Rafeeq

The Cobalt Pentester Spotlight highlights the fascinating journey of our Core members. Through an interview style, we share their experiences, background, and insights into the world of an accomplished ethical hacker.

This month, we feature Shahrukh Rafeeq’s journey. With a career in Information Security since 2018, he currently leads security efforts at one of India's largest crypto exchanges, specializing in domains including Android, iOS, Web, AWS, and blockchain.

From conquering bug bounty leaderboards to pioneering cybersecurity in the blockchain sector, his journey is one of expertise and a passion for continuous learning.


Tell us a bit about yourself and how you started pentesting?


I am an Information Security professional, with an extensive career spanning over six years. Currently, I hold a leadership position at one of the largest crypto exchanges in India. My expertise lies in Android, iOS, tvOS, API, Web, AWS, VAPT, Red Teaming as well as DeFi and Smart Contract Audits. Beyond my professional pursuits, I have a passion for traveling, exploring historical monuments and playing chess. I possess a profound enthusiasm for gastronomic experiences.

During my graduation, I was uncertain about choosing a career goal and field, a common dilemma in India. Later, a friend introduced me to his elder brother who was already working in the Information Security Industry. He recommended that I pursue CCNA, then CEH, and a few other courses of a similar level. While preparing for my CEH certification and job, I learned about Bug Bounty. 

At that time, I was facing some financial difficulties, so I started participating in bug bounties to meet my daily needs. After spending a few months in bug bounty, I achieved a top 3 rank on the Synack Mobile leaderboard for five consecutive months, secured a place in the top 100 global rank on Bugcrowd, and was awarded Bugcrowd MVP three times. The experience I gained from bug bounties helped me secure a job at a Security Consulting firm in Mumbai, where I refined and organized my skill set and delivered numerous pentests. 

During the Covid-19 lockdown, I learned about blockchain and cryptocurrency, which eventually led me to my job at my current organization. At the time it was a startup, so I had the opportunity to manage the entire platform's security, including infrastructure, single-handedly. Now, with the help of the Cobalt Platform, I have the opportunity to serve products across various industries and test a wide variety of applications. I strive to deliver my very best for each pentest engagement and to learn about new technologies and techniques. I thoroughly enjoy working with Cobalt.

What educational background and certifications prepared you for pentesting?

I started my academic journey in Engineering but ultimately transitioned to get a Bachelor of Science (BSc) degree. Recognizing the significance of certifications, I pursued and successfully obtained the Certified Ethical Hacker (CEH), eLearnSecurity Web Application Penetration Tester eXtreme (eWPTXv2), and Certified Web Application Security Analyst (CWASA) certifications. I am currently working to acquire the OSCP, CRT and CPSA certifications soon. 


What are your go-to tools and techniques when pentesting?

Throughout my career, I have developed a couple of scripts and tools to streamline the process of identifying vulnerabilities, automating reconnaissance, and facilitating the exploitation of Mobile Application Security Issues. Additionally, I have created scripts for Infra Security to automatically assess and check for network-related issues. This allows me to focus more effectively on subsequent manual testing and exploitation efforts. 

Listing all the tools I use is challenging because it largely depends on the scope or asset type. It is very crucial to understand the use case of the tools instead of shooting in the dark. 

I categorize them based on the type of assessment, such as Web, Android, iOS, tvOS, Network, Cloud, etc.

WebApp: For web applications, Burp Suite is a must-have tool, though it's not the only one I rely on. I use Burp Suite along with its extensions (such as Autorize, AutoRepeater, Reflected Parameters, Content-Type Converter, HTTP Request Smuggling, Turbo Intruder, etc.), and I also prefer to check manually. If the scope includes wildcards, I start the assessment with my custom Bash script; for specific web targets, I typically use Wappalyzer, dirsearch, ffuf, Arjun, Param Miner, SQLMap, XSStrike, Dalfox, among others, and maintain comprehensive visibility through monitoring with a proxy and Logger++. I verify any detected issues manually; I personally put more effort into manual tests. This approach significantly enhances efficiency.

Mobile and TV Apps: For mobile application testing, I prefer using a physical device, as virtual devices or emulators have some limitations. For static analysis and code review of Android apps, I generally use Jadx-GUI and MobSF on-premises. In cases where production apps are in scope, I use Oversecured. I have a couple of custom Bash scripts to automate the exploitation of hardcoded issues and deeplinks/URL schemes, as well as to exploit WebViews. If any misconfigurations are encountered, I check the issue manually and usually refer to the source code. For iOS, I extract the .ipa file; otool helps me identify iOS-related security issues in some activities. As a strong proponent of manual testing, I prefer manual testing throughout. For checking APIs consumed by the app, I use Burp Suite, Charles or Postman. I employ Frida and Objection to bypass security checks and patches.

Network / VAPT / Red Team: It would be unjustifiable to list specific names since it entirely depends on the infrastructure, product, and tools utilizing the infrastructure. However, Nmap, Nessus, and OpenVAS are a few must-have tools on my list.

What trends do you see emerging in Cyber Security, and how are they shaping how you approach your work?

In Cyber Security there are many trends in 2024 including Cloud Security, AI and Machine Learning, IoT Security, Zero Trust Security, Blockchain, Automotive Security etc. Mastering all of the trends and cutting-edge technology is challenging for an individual, but I choose a few of them to focus on. 

Since I have been working in Application Security and Crypto, my focus is more on advancing myself with the latest application security threats. There has been a trend of BAC, authorization, business logic and injection issues, including SQL, SSTI and XSS, which are still prevalent. These attacks may appear less prominent now due to the increased prevalence of Web Application Firewalls (WAFs), which block certain payloads, and the integration of defensive measures into frameworks.

I’m continuously working on Mobile Application security as well, to build a couple of components, i.e. Activity, URL scheme, WebView and Broadcast exploits, and researching possible security threats through mobile applications. I’m also learning and implementing smart contract, DeFi and wallet security. I recently led a DeFi Security App Project.


Can you share your experiences and preferences in terms of teamwork, communication and coordination when engaging in pentests?

Engaging in pentest requires not only technical expertise but also effective teamwork, clear communication, and efficient coordination. These soft skills are crucial for the success of a pentest project. Getting up close and personal with the team helps us tap into everyone's know-how and views, making our assessments super well-rounded. Plus, keeping a good relationship with the client and TPM is an extra bonus. 

When it comes to teamwork, I've noticed that working together is the secret sauce. Each member often brings expertise in different domains with a diverse set of skills that helps to cover the entire scope with different aspects of assessing the application. I've found that leveraging these varied skills leads to a more comprehensive security assessment. Working on complex security challenges as a team enables more creativity and effectiveness. 

Effective communication is also key to keeping the team aligned; I prefer an environment where ideas can be freely shared and discussed, allowing for collaborative problem-solving. Coordination in terms of scheduling and managing time efficiently is vital; it is also important to clearly define roles and responsibilities at the start of the test.


Looking ahead, how do you envision the future of cybersecurity evolving in 2024, and what do you believe will be the key challenges and opportunities?

In 2024, my focus is squarely on the evolution of Application Security, “The Never-Ending Saga”, and Blockchain technology.

For Application Security, the main challenge I see is keeping pace with the rapid advancements in technology, especially as we integrate more AI into our processes. On the other hand, API testing appears to maintain its significance, remaining as prevalent as it has been in the past. In Application Security, the big challenge is keeping up with all the tech advancements and the unknown vulnerabilities lurking around each corner.

In Blockchain, the challenge is the complexity and novelty of the technology itself. As blockchain applications extend beyond crypto into things like supply chains and digital identities, we're going to see a whole new set of security concerns. The opportunity for me lies in specializing in this niche, particularly around smart contract security and DeFi, areas where I can leverage my expertise to make a significant impact. 

The future of cybersecurity is about being proactive, continuously learning, and adapting to new technologies. Across both domains, the key to navigating these challenges is collaboration. I'm a strong believer in leveraging diverse skill sets within teams, like what we see in communities such as Cobalt. This collaborative approach not only enriches our solutions but also speeds up the identification and mitigation of vulnerabilities.

Looking ahead, I'm excited about the possibilities. It’s all about staying proactive, curious to learn, and ready to adapt and that's exactly where I see myself making a difference. I’m ready to lead the charge, break down barriers, and inject a dose of innovation into the cybersecurity world.


In this constantly evolving threat landscape, it’s clear that defenses need to be strengthened through proactive measures. 

Leverage the expertise of Cobalt's community to identify and address vulnerabilities, secure your digital assets, and protect your organization against potential breaches. 

Schedule a demo today to see it firsthand.

About Morgan Pearson
Morgan Pearson is a Product Marketing Manager at Cobalt. She has a passion for data-driven growth and started her marketing career in 2015. Morgan works closely with our Product and Community teams to support the Cobalt Core. When she’s not focused on pentesting you can find her hiking or camping somewhere in Colorado with her family. More By Morgan Pearson