Welcome to our new blog series, Meet 1337! Each month, we will shine a light on one of the genius minds within our awesome network of hackers!
Today, we would like to introduce you to Mahmoud Osama. Mahmoud effortlessly navigates between the roles of an application security engineer and a penetration tester.
Please tell us a bit about yourself. Who are you?
Hi, I am Mahmoud Osama. I am 21 years old and from Egypt. I am an application security engineer by day and a penetration tester by night, known as Mahmoud0x00.
How much time do you spend on hacking?
It depends on my availability, but 5-7 hours per day is the minimum.
When did you start hacking?
I started hacking when I was 15 years old.
Could you share some challenges you faced while hacking or in this industry?
Yes, sure. A prominent challenge in pen testing is understanding the different technologies that targets are using, to build a mindset about how everything works in the backend and to start thinking about the applicable attacks that might be found.
What was your most interesting/crazy hack?
When I was able to leak employee credentials that gave me access to an admin panel. This admin panel belonged to one of the big corporations in the sunglasses manufacturing field.
Could you share some surprising stories or fun facts that occurred to you during your career?
When I found an IDOR vulnerability that allowed me to leak the personally identifiable information (PII) data of 1 billion users for a big eCommerce website, the vulnerable function was easy to find. However, it required an extra step to identify the specific attribute that was responsible for leaking the user data.
What are your favorite tools/resources/content/people to learn from and which you could recommend to others?
For tools, I like the ones created by the folks at ProjectDiscovery. They are doing a very good job utilizing various techniques to make the recon step easier for researchers.
For blogs, I’d like to mention the blogs created by the Assetnote team. I like the way they write about how they find critical vulnerabilities in various enterprise systems that are widely used. The most interesting part of their blogs is source code reviewing.
Why do you hack with Zerocopter?
The folks behind Zerocopter are doing their best to build a good environment for both customers and hackers, starting from selecting good targets to implementing a smooth triage process. Honesty is the key. Additionally, the team is friendly, and they know exactly how to handle the entire process to make it the best.
What is your favorite swag that you ever got?
Zerocopter Hoodie and a T-shirt.
What is, in your opinion, the best conference to go to?
Honestly, I have never been to a conference outside my country, but one of my dreams is to go to DEF CON and Black Hat.
What would you like to learn in the future?
I would like to learn more about the DevSecOps field. I love automation and security, so it would be the best choice for me to pursue.