Vanguard of Cybersecurity Advancements: Milind Purswani

Additional Info

Job title of nominated professional (or team name): Security Engineer II at Amazon Inc
Company (where nominated professional or team is working): Amazon Inc
Website: https://milindpurswani.com
Company size (employees): 10,000 or more
Country: United States
Headquarters Region: North America

Overview

Milind Purswani, a 26-year-old cybersecurity enthusiast, is currently employed at Amazon. Hailing from India, Milind’s zeal for cybersecurity drove him to pursue a Master of Engineering in Cybersecurity from UMD. He self-funded his education entirely through bug bounty-hunting and assistantships, earning an exceptional $100,000 along the way.

Through his remarkable expertise, Milind has saved Amazon millions of dollars and decades of technical security debt. He has played a vital role in prioritizing security issues and safeguarding Amazon FireTV and Amazon Kindle, leading to his rapid promotion to Security Engineer II within 18 months.

Additionally, Milind has been recognized as one of the world’s top 25 hackers. He competed in the world’s largest ethical hacking competition, organized by HackerOne (H1-2010), where he outperformed over 4,500 hackers from 59 different countries. Highly respected security researchers like Nahamsec and Codingo have praised Milind’s remarkable contributions to creating innovative tools, including WhoxyRM and Syborg, which he voluntarily maintains to advance the community and make the internet a safer place.

At the young age of 19, he earned his CEH certification and was awarded the prestigious 1st Prize at the all-India Braintech Cybersecurity Championship. This accolade helped him gain widespread recognition and earned him over Rs 50,000, which he used to fund the remainder of his bachelor’s education. Milind is also the proud holder of two CVEs, CVE-2021-22193 and CVE-2023-29066, the latter recognized by CISA.

Furthermore, Milind’s blogs on pandaonair.com, where he shares his knowledge and learning, have been recognized by multiple cybersecurity bodies, including Intigriti, HackTricks, and Sprocket Security. Milind is an exceptional cybersecurity professional, and his skills and talents have earned him several accolades. He was selected as a finalist for Outstanding Young Cyber Security Professional at the 2024 Cyber Outstanding Security Performance Awards, and his expertise has led to his selection to judge applications at the 2024 Cybersecurity Globee Awards and the 2023 Brandon Hall Technology and Educational Technology Awards.

Accomplishments

Amazon hosts millions of services to enable people to utilize its platform. Understanding the interplay of these systems and the impact of any security issue is a considerable challenge, and it is the problem Milind primarily works on. The prioritization framework he built helps the entire Amazon workforce prioritize and mitigate security issues on time. This allows Amazon to stay ahead of threat actors and increases the overall security of all its products.


Milind has open-sourced Syborg on GitHub, a tool that recursively scans for subdomains of any given domain. It identifies deeper hidden domains nested within subdomains using a Depth First Search (DFS) traversal and has a built-in dead-end avoidance system. Security researchers can use it to explore an organization's DNS and discover deeper hidden domains that may otherwise be invisible; such domains may contain security vulnerabilities that are difficult to detect.

Traditional subdomain enumerators do not explore an organization's DNS recursively. Instead, they either obtain a list of subdomains from public sources or brute-force DNS to identify subdomains using a Breadth First Search (BFS) approach. While this method can quickly identify a wide range of domains in a short amount of time, it has a fundamental flaw: BFS focuses on covering the breadth of a tree, whereas DFS focuses on reaching its deepest nodes. Therefore, other tools may miss deeper domains such as dev/test/qa/corp domains where a service may have been deployed and forgotten for the last 10 years. In the field of crowdsourced security and bug bounty hunting, people use multiple automation setups to take over unused subdomains quickly. A tool like this gives an advantage to those who aim to delve deeper into understanding an organization's infrastructure, and it significantly increases the chances of finding dangling or misconfigured subdomains. The tool has over 145 stars on GitHub, which highlights the level of trust the community puts in it. Milind voluntarily maintains it without any crowdsourced funds, simply to make the Internet safer and help bug bounty hunters and security researchers find those hidden domains.
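The recursive, depth-first discovery described above, as an added illustration written for this page rather than Syborg's own code. It runs offline against a constructed in-memory zone table (a stand-in for real lookups over zones you administer), and its "dead-end avoidance" is an assumption about the technique: a sub-zone where a random label resolves is a wildcard, so descending into it would only yield false positives. It also flags discovered CNAMEs whose target does not resolve, the dangling records an inventory review would want to catch.

```python
# Constructed zone data: name -> "A" for an address record, or the CNAME target.
# "*." entries mark a wildcard sub-zone in which every label resolves.
ZONE = {
    "example.com": "A",
    "www.example.com": "A",
    "dev.example.com": "A",
    "qa.dev.example.com": "A",
    "old.qa.dev.example.com": "legacy-bucket.s3.amazonaws.com",  # dangling
    "cdn.example.com": "A",
    "*.cdn.example.com": "A",
}
# Small constructed wordlist; a real run would use a much larger one.
WORDS = ("www", "dev", "qa", "old", "corp", "cdn")


def resolve(name):
    """Return the record for name (honouring wildcard entries) or None."""
    if name in ZONE:
        return ZONE[name]
    if "." not in name:
        return None
    parent = name.split(".", 1)[1]
    return ZONE.get("*." + parent)


def is_wildcard(parent):
    """Dead-end check: if a random label resolves, every label will."""
    return resolve("zz-probe-7f3a." + parent) is not None


def dfs_enumerate(root, words=WORDS, max_depth=4):
    """Depth-first discovery: descend into each hit before trying siblings."""
    found = []

    def walk(parent, depth):
        if depth >= max_depth or is_wildcard(parent):
            return  # dead end: too deep, or a wildcard sub-zone
        for word in words:
            candidate = f"{word}.{parent}"
            if resolve(candidate) is not None:
                found.append(candidate)
                walk(candidate, depth + 1)

    walk(root, 0)
    return found


def dangling(names):
    """CNAMEs whose target does not resolve: candidates for takeover review."""
    return [n for n in names
            if resolve(n) not in ("A", None) and resolve(resolve(n)) is None]
```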


Milind has also developed the WhoxyRM tool, which lets people map out their target by querying the Whoxy API. Organizations often struggle to keep track of their registered domain names, but many lack a solution to do so. These unchecked domain names may be prone to more vulnerabilities and takeovers. Utilizing WhoxyRM, security researchers can dive deep into public DNS records and discover all the domains one might have registered for their target organization. The WhoxyRM tool allows for easy and efficient domain searches using name, email, or keyword parameters, as well as seamless integration into automation pipelines.


Milind's GitHub repository, website, and blogs contain many other useful tools, such as takemeon, a state-of-the-art dangling DNS subdomain finder that identifies NXDOMAIN subdomains open to takeover. If you are interested in learning more about Milind's work, please check out the URLs below:
https://github.com/milindpurswani/Syborg
https://github.com/milindpurswani/WhoxyRM
https://github.com/milindpurswani/takemeon
https://pandaonair.com
https://milindpurswani.com
https://www.youtube.com/watch?v=yffOjRhvhZw&t=676s
https://www.hackerone.com/hackerone-community-blog/worlds-largest-live-hacking-event