If you follow Cobalt on social media, you’ve likely seen promo for a fuzzing workshop led by two Core Pentesters, Dhiraj Mishra and Zubin Devnani. The two met through another Core Pentester, Hardik Mehta, and have become a dynamic duo. Dhiraj and Zubin have now led ten trainings together and have no intention of slowing down.
Zubin Devnani always had a knack for computers and was fascinated by how they worked. In 2014, he was about to graduate from university when he stumbled across blog posts about the need for cybersecurity. He realized he could make a career out of breaking things.
“I picked up on a few certifications from Offensive Security back in 2014-2015; at the time, I did not have any professional experience, but I went on to do them anyway, they weren’t the easiest to crack, but I somehow managed,” he said.
His first professional job took him to Dubai, and ever since then, he’s gained expertise ranging from web applications to cloud security.
Dhiraj Mishra started in cybersecurity as an instructor while still in school. His class focused on OWASP Top 10 and network exploitation. After graduating, he took his first full-time pentesting role at a Big 4 company and became an IoT device security expert.
How the fuzzing workshop got started
“So I still remember how this started,” Dhiraj recalls. “While I was on a call with Zubin discussing random infosec things, he said, ‘We should start doing fuzzing; it has a good scope,’ and at that time he had a XenServer with 32 cores, which is pretty neat for fuzzing, and he shared the server access with me.”
The two had frequent calls to spend time learning about fuzzing and joined groups to learn even more.
“Back then, it was all about finding vulnerabilities in commonly used or open-source software,” Zubin said. “For us, it was intriguing; however, as we started learning more and explored fuzzing, we realized that it goes down a rabbit hole and has a lot of ground to cover.”
Eventually, after finding many vulnerabilities, the two realized they had become experts on the subject. One night when hanging out with fellow Core Pentester Prateek Gianchandani, the idea of presenting at a conference came up.
“Prateek endorsed us a lot to create a fuzzing workshop and submit in some conferences,” Dhiraj said. “He also tipped us that PHDays, one of the best conferences in Moscow, Russia, has their CFP open.”
They submitted the CFP, and their very first submission was accepted in 2019. Since then, they have presented at Black Hat US, Black Hat EU, BruCON, OWASP AppSec, Hack in Paris, Hacktivity, etc.
Why have the trainings been so successful?
Zubin: What we learn during our time fuzzing is what we try to demonstrate in our training and workshops. It comes from our own learning experience and the hands-on exercises that we do. The best part is we try to focus on the practical applications and how they would be useful for an attendee.
Dhiraj: The effort we put into starting from content to delivery, the lab setup, and promoting everything is helping us achieve a successful workshop/training.
Additionally, one of the important things is feedback from the attendees. We have received some good and constructive feedback in the past and are improving our content based on that feedback. Also, it's a bit of a niche topic, so we barely have hand-picked training on fuzzing.
The future of fuzzing
Our dynamic duo plans to keep presenting the trainings at future cons, including BruCON, which is coming up.
“Currently, we’re planning on expanding the duration of our training and adding further new content with techniques that are still considered novel,” Zubin said. “Apart from that, we’re trying to set up a platform where we can better serve the training requirements for our attendees and manage them effectively.”