In this article, we will introduce our Alliance (formerly Red team) members from the Sun* team.
The Sun* team has been an Alliance member since March. Sun* (Sun Asterisk) is a Digital Creative Studio with the mission of connecting international businesses with top talents in Asia.
They have always made every effort to bring the world "awesome" values. They offer services that include web and mobile application development.
The cyber team at Sun* is in charge of pentesting projects: finding and reporting vulnerabilities and auditing source code. They are also improving Sun Asterisk's web-app security by creating a checklist, documents, training, and seminars about cybersecurity within the company.
Patchstack Alliance is a community of independent security researchers who contribute to building a safer web.
Alliance members identify and report security vulnerabilities in WordPress plugins and themes to help software vendors address security issues before they pose risk to users and to the public.
Join the annual games of WordPress Bug Hunt and win prizes like HAK5 Essentials Field Kit, BurpSuite PRO annual license, PentesterLab PRO annual license, and more.
The interview was conducted with the Sun* team members Tien, Thien, Tuan, and Khanh.
Besides contributing to the Patchstack Red Team project, what other cybersecurity-related tasks do you have?
I am currently working as a researcher and pentester for Sun* company. At the company, I look for vulnerabilities in services on the internet (mainly web-based).
I do research on new attack techniques for the job, and pass that knowledge on to my peers.
In addition to research, I also participate in pentest projects of the company. I also participate in bug bounty programs like Bugcrowd.
I contribute to Exploit-DB with some PoCs and security papers. Besides that, I am finding security bugs on a few bug bounty platforms such as HackerOne and Bugcrowd.
I am currently working as a researcher and pentester for Sun* company. At the company, I look for vulnerabilities in services on the internet (mainly web-based). I do research on new attack techniques for the job, and pass that knowledge on to my peers.
In addition to the research, I participate in pentest projects of the company. In addition to working at the company, I also participate in bug bounty programs like Bugcrowd.
I contribute to Exploit-DB and WPscan. I also participate in the bug bounty platform called HackerOne.
How and why did you start looking for vulnerabilities in WordPress?
I just started looking at various open-source projects and stopped at WordPress. WordPress plugins were a good place to test the PHP SAST tools that I was trying out at the time: progpilot, PHP-Wander, etc.
After that, I also gave a talk about WP plugin security at Trada Hacking, an annual online security conference for the VN security community. This is just some of the research that I'm working on in the cybersecurity field.
I started to look at vulnerabilities in the WordPress ecosystem more than 1 year ago. Whenever I found a WordPress bug, I submitted it to WPScan and MITRE to build a reputation in the security world. But none of them paid any money for finding a security vulnerability.
I simply started to find vulnerabilities on WordPress for the sake of the community (lol).
I started finding WordPress vulnerabilities about 1 year ago. I'm looking for bugs simply to find something to challenge myself as well as to improve my own skills and get experience.
When did you find your first vulnerability?
I studied cybersecurity at the Internet Security Lab at Keio SFC (a Japanese University).
I started looking at coding/reverse engineering software in high school. After joining Framgia (now Sun*) I worked as BrSE and in my free time, I played CTF with my friend from the BabyPhD team.
After Sun* created a cybersecurity research team, I joined as team leader and have continued to work in the cybersecurity field from then on.
I don't remember my first vulnerabilities, but one thing that made me feel my findings were worthwhile was when I saw that an unauthenticated SQLi I had reported to WPScan was being actively exploited by a blackhat hacker.
That motivated me to find and secure more plugins.
I have worked in security research for more than five years. I found a SQL injection bug on a website and tried to exploit it, but I got no bounty for that.
I studied Information Security at the Academy of Cryptography Techniques (KMA) in Vietnam starting in 2015. I really went into research in 2018. I don't remember my first vulnerability, but I do remember that my first bug bounty on Bugcrowd was a CORS bug and was rated as P2 severity (lol).
I studied Information Security at the Academy of Cryptography Techniques (KMA) in Vietnam starting in 2016. I started security research in 2019.
I can't remember when I found my first vulnerability, but I do remember the first time I found a SQL injection vulnerability.
Is WordPress a secure CMS? If you could offer one solution to make the WordPress ecosystem more secure, what would that be?
WordPress core is pretty safe, but the plugins are not always. I think the plugin ecosystem lacks static code analysis and best practices for developing a plugin (I have seen many developers not using the WordPress-provided security guides).
In my opinion, WordPress is a safe ecosystem. And by that, I mean WordPress core which is checked correctly and regularly.
On the other hand, WordPress plugins are sometimes not secure. They are developed by many vendors, and some of them do not care about security problems. If I were to suggest a solution, it would be that all plugins be managed by WordPress.
I think every system has bugs, but overall WordPress itself is pretty safe.
I've always believed that WordPress core still has bugs, but I haven't found them yet.
To make WordPress plugins more secure, my idea would be that when a plugin is pushed to the WordPress marketplace, it should run through SAST, with the results reported back to the WordPress operator.
Or we could create a separate tool for the WordPress plugins to serve the active developers in quickly checking for errors and fixing them. Even better would be to combine both of the above.
Which are your favorite security research software/tools (including OS, hardware, and overall setup)?
I use Burp Suite, obviously. I also use Obsidian to take notes and VSCode for developing payloads and auditing source code. One $5 VPS for all recon/automation tasks. A Windows PC with WSL2 as my workstation.
I use Burp Suite, Joplin, and VSCode (I use quite a lot of other support tools, I can't list them all). I used to use a Linux PC in the past, but I just moved to Windows because of its stability, and Windows has integrated WSL2 so I can still use Linux on Windows. Quite convenient, isn't it?
My go-to operating system is Linux. The software tools I mainly use are Burp Suite, Nmap, and sqlmap. For notes, I use Google Sheets and CherryTree. I also use a VPS, Vim, tmux, VSCode, and Sublime Text.
Would you recommend others to join Patchstack Alliance? Why?
Yes, I would recommend joining the Patchstack Alliance. The team consists of many talented researchers, especially m0ze, with much respect to him.
We can share and learn from each other, and get insights into the WordPress ecosystem. The most valuable thing is to contribute my effort to the community, help secure the system and make people think more about security when going online.
Also, I like to get rewards for contributions. It's a nice thing, that keeps people motivated.
Absolutely yes! Patchstack is a professional community for sharing security knowledge, and cybersecurity professionals can get a lot of money from finding bugs.
Yes, I also refer my friends to Patchstack Alliance.
Of course, I would recommend it. Simply put, Patchstack Alliance brings value to the community and to researchers.
And the last question: what hobbies do you have, besides cybersecurity-related ones?
I play video games, read books, and do watercolor paintings.
I like to play some online games on my mobile and read the news in my free time.
I have many hobbies. I have a little passion for everything. For example, I like mechanical keyboards (I'm also a mechanical keyboard modder), I like music (mostly pop ballads, a little rock, and I know how to play guitar), and I like decor too.
This sentence you should understand in the Vietnamese sense: "Tao thích đi phượt" (roughly, "I like going on backpacking road trips"). I like listening to music, playing the guitar, reading books, and learning something new.