SpZ

Harold Zang

I'm a pentester, white-hat hacker, gamer

About Me

I am a senior security specialist who is passionate about information security, especially in the area of web and network penetration testing. I obtained the OSCP, OSWP and OSWE certifications in six months, held a standing record on Hack-the-Box, and identified more than 5 Common Vulnerabilities and Exposures (CVEs) within my first full-time career year.

I'm truly passionate about my work and always eager to connect with other pentesters. While I enjoy all aspects of my job, I think my favorite part is identifying unknown vulnerabilities and writing a professional report for our clients.

Web Penetration: 85%

Database Penetration: 90%

Network Penetration: 70%

117 Projects completed

735 Cups of green tea

513 Fantastic friends

24 Rewards

Experience

November 2021 - Present

Senior Security Specialist at Trustwave

• Penetration Testing Web Applications.
• Penetration Testing Mobile Applications.
• Penetration Testing Database and Servers.
• Penetration Testing Infrastructures & Network.
• Penetration Testing Cloud and others.

November 2018 - November 2021

Security Specialist at Trustwave

• Penetration Testing Web Applications.
• Penetration Testing Mobile Applications.
• Penetration Testing Database and Servers.
• Penetration Testing Infrastructures & Network.
• Penetration Testing Cloud and others.

November 2018 - Present

Security Specialist at Hivint

• Penetration Testing Web Applications.
• Penetration Testing Mobile Applications.
• Penetration Testing Database and Servers.
• Penetration Testing Infrastructures & Network.
• Penetration Testing Cloud and others.

July 2017 — November 2018

Security Engineer at Pulse ID

• Penetration testing of web applications, mobile applications and APIs.
• Black-box testing of web application security issues, for example SQL injection, XSS and XXE.
• Designed and deployed security policies for the cloud environment, including two-step authentication, user management and user privilege control.
• Designed and deployed a vulnerability scanner and a third-party package scanner for Docker, cloud, servers and databases.
• Management system.

December 2015 — June 2017

Security Analyst at Proximiti

• Penetration testing of web applications, mobile applications and APIs.
• Black-box testing of web application security issues, for example SQL injection, XSS and XXE.
• Designed and deployed security policies for the cloud environment, including two-step authentication, user management and user privilege control.
• Designed and deployed a vulnerability scanner and a third-party package scanner for Docker, cloud, servers and databases.
• Management system.

February 2016 — June 2018

Presenter at RMIT University

• Penetration testing of web applications, mobile applications and APIs.
• Delivered workshops of varying content.
• Topics included web security, signal security and WiFi security.
• Created slide decks, workshop experiments and practice exercises for each topic.

July 2015 — June 2017

RISC Coach at RMIT

• Delivered security knowledge to the club members.
• Created slide decks, workshop experiments and practice exercises for each topic.

Education & Certification

March 2022

Evasion Techniques and Breaching Defenses (OSEP)

October 2021

Offensive Security Web Expert (OSWE/AWAE)

June 2021

Offensive Security Wireless Professional (OSWP)

April 2021

Offensive Security Certified Professional (OSCP)

July 2015 — July 2018

Bachelor of Computer Science, RMIT, Melbourne

• Penetration Testing Web Applications.
• Web Programming.
• Java Programming.
• Artificial Intelligence.
• Algorithms and data structures.

2011

Oracle Certified Professional
2010

Red Hat Certified Engineer

Achievements

October 2020

CVE-2020-24581

Reported a hidden-functionality vulnerability to D-Link.

October 2020

CVE-2020-24580

Reported an improper-authentication vulnerability to D-Link.

October 2020

CVE-2020-24579

Reported an insufficient-authentication vulnerability to D-Link.

October 2020

CVE-2020-24578

Reported an FTP misconfiguration vulnerability to D-Link.

October 2020

CVE-2020-24577

Reported an information-leakage vulnerability to D-Link.

January 2020

OWASP Volunteer

Contributed to the official OWASP Mobile Application Security Verification Standard (MASVS) document.

October 2019

CVE-2020-2677

Reported an information-disclosure vulnerability to Oracle.

October 2019

CVE-2020-2676

Reported a Cross-Site Scripting (XSS) vulnerability to Oracle.

October 2019

CVE-2020-2675

Reported a Server-Side Request Forgery (SSRF) vulnerability to Oracle.

August 2019

Ruxmon Presentation

I gave a presentation regarding a vulnerability that I found and published earlier in the year, on a conference media device. The presentation covered how I bypassed the restricted use of special characters, the challenges involved, and how I ended up exploiting the command injection.

May 2019

CVE-2019-11224

Reported a remote OS command injection vulnerability to HARMAN.

2019

Guest Lecture

I delivered a guest lecture at RMIT University.

October 2019

Private Presentation

Delivered a presentation to a country's Government Department of Defence.

September 2018

System Forensics

Nginx and Linux log forensics for an Australian start-up company.

November 2018

CVE-2018-19453

Reported a file upload issue to Kentico CMS.

October 2018

HackTheBox Top 100

Reached the Top 100 on Hack-the-Box.

2018

Report Security Vulnerabilities

Reported security issues to Telanto.com.

2018

CheckPoint Security Challenge

Won the first prize in the CTF game in 2018.

2018

Report a System Security Vulnerability

Reported a system security issue to RMIT University.

2017

CheckPoint Security Challenge

Won the 5th prize in the CTF game in 2017.

September 2018

Report a Security Vulnerability

Reported a security issue in a CTF game.

2017

CySCA Security Challenge

Won the 14th prize in the game.

2017

Report a Security Vulnerability

Reported a security vulnerability to iFixIt.com.

2017

Golden Key International Honour Society

2015

CySCA Security Challenge

Won the 28th prize in the game.