Interview with Gabor Molnar, security expert, who co-discovered Rosetta Flash

Written on August 30, 2016 by Gabor Pek

In this new series we talk to security experts about how they started their journey in this exciting field. The first is Gabor Molnar (aka “mg”, also on Twitter), who independently co-discovered the infamous Rosetta Flash vulnerability and was nominated for a Pwnie Award for Best Server-Side Bug at Black Hat 2014.

Here is his story.


Gabor Pek (avatao): Could you please tell a bit more about you? Why did you start to learn IT security? What was your first impression?

Gabor Molnar: I have a Software Engineering degree from Budapest University of Technology and Economics, and I got into computer security shortly before finishing my degree. There was a Capture The Flag competition called CrySyS SecChallenge organized by one of the university labs, CrySyS Lab, and I really enjoyed solving the challenges. After the competition, the lab started its student group, called CrySyS Student Core, to which I was invited, and it was this group that helped me dive into information security. We participated in international CTFs, gave presentations about interesting new security topics to the group and shared our own research. I’ve recently moved to Switzerland and work as an information security engineer.

GP: Why do you think that this is a topic that youngsters should choose? Why do you think that web security is important today?

GM: Information security is becoming more and more important as we rely on computer systems more than ever. Web security is important because more than half of the attacks at companies target web interfaces. Many of the interfaces through which we interact with these systems are on the web, and users expect these to work reliably and securely. Security can be a good choice if you enjoy solving tricky problems.

GP: How do you start your research generally? Could you please talk a bit about your amazing finding around JSONP (which became popular as Rosetta Flash)?

GM: It usually starts with an idea that then lingers for a few weeks. Then I find some time to experiment with it if it still looks like a good idea. The JSONP research idea came when I was looking at Prezi’s website to find vulnerabilities that are eligible for the bug bounty program. After discussing it with a few friends, the idea still looked like it could work, so I dedicated a weekend to working out the details, which then became two weeks of intense research at night after work.

GP: Why do you think that XSS is still a real threat today?

GM: Web frameworks we regularly use still don’t have framework-level protection against it, which means that it’s up to each developer to properly generate HTML without introducing XSS. This approach is very error-prone. I think the situation is slowly improving, as almost all browsers support some version of Content Security Policy now, and developers of template systems have started to realize that framework-level protection must be provided instead of relying on developers.

GP: Congratulations on winning The XSS Metaphor security challenge. Could you please talk about your strategy? How could you solve the challenge in 48 hours?

GM: Thanks. I had a pretty good idea of the topics the authors of the challenge are interested in, as I follow their web security research pretty closely. Two of the techniques I tried first were also the building blocks of the intended solution: new JavaScript features introduced in the ES6 standard, and abusing Internet Explorer’s XSS filter. Since I had wanted to experiment with IE’s XSS filter for a long time, this was a good excuse to spend some time on this challenge.

GP: What would you say for beginners in one sentence?

GM: Find a CTF team and participate in competitions :)

GP: And finally: what is your favorite hacking tool? Why?

GM: Chrome Developer Tools and Burp Suite. These tools make it easier to experiment with web vulnerabilities, discover them in websites and automate tasks like brute forcing.
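
The point Gabor makes about XSS above, that per-developer escaping is error-prone and that protection belongs at the template-system level, is easiest to see side by side. The following is an added example written for this post, not code from the interview or from any project mentioned in it. It contrasts a hand-concatenated HTML fragment with a small tagged-template helper that escapes every interpolated value unless it has been explicitly marked as safe HTML; the `html`, `SafeHtml`, `escapeHtml` and `CSP_HEADER` names, and the attacker payload, are all constructed for the illustration.

```javascript
// Per-developer approach: HTML assembled by string concatenation.
// Forgetting to escape any single value is an XSS; nothing enforces it.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Minimal entity escaping, sufficient for text content and for values placed
// inside double-quoted attributes. Not sufficient for JS, URL or CSS contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Marker type for fragments that are already trusted HTML (e.g. the output of
// another html`` call). Only these bypass escaping.
class SafeHtml {
  constructor(s) { this.s = s; }
  toString() { return this.s; }
}

// Framework-level approach: a tagged template literal. Every ${...} value is
// escaped automatically, so the developer cannot forget; nesting html`` calls
// composes safely because inner results are SafeHtml.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof SafeHtml ? v.s : escapeHtml(v)) + strings[i + 1];
  });
  return new SafeHtml(out);
}

function renderCommentSafe(author, body) {
  return html`<div class="comment"><b>${author}</b>: ${body}</div>`.toString();
}

// Constructed attacker input for the comparison.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Defence in depth, as mentioned in the interview: a Content Security Policy
// without 'unsafe-inline' blocks inline handlers such as onerror even when an
// injection slips past the template layer. Constructed header value.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'";

// Helper used to check the two renderers: does the output contain a raw tag?
function containsRawTag(fragment) {
  return /<img\b/i.test(fragment);
}

// Stand-alone demonstration.
console.log('unsafe:', renderCommentUnsafe('mg', PAYLOAD));
console.log('safe:  ', renderCommentSafe('mg', PAYLOAD));
console.log('Content-Security-Policy:', CSP_HEADER);
```

Run with `node`: the unsafe renderer emits the `<img ... onerror=...>` tag verbatim, while the tagged template turns it into inert text. Real template systems (auto-escaping modes in Jinja2, Go's html/template, React's JSX) work on the same principle, and context-aware ones additionally pick the escaping rule by where the value lands (attribute, URL, script), which this toy helper does not do.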