Bug Bounty Forum AMA (x-post from BBF)
What is your name, if you do not want to disclose your name, what is your handle/nickname? Where are you from? How long have you been hacking? How did you get started? What platforms or popular public programs have you hacked on?
Hi folks, I’m Andy also known on the internet as @ZephrFish or Zephr. I am from bonny Scotland, lovely part of the world if you’ve never been! I’ve been hacking for as long as I can remember, probably started when I was 5 or 6, taking things apart and seeing how they work, flashing my gameboy and other things with custom firmware to do bits and pieces.
I moved onto apps and web in my teens and now I do hacking professionally as a job. I’ve been in the industry for about 4 years. By day I work as a penetration tester( great job title right?!) and by night I’m batman! (Well not quite, in my free time I do bug bounties).
Specifically I’ve been working on bug bounties for a little over 2 years, I mainly work on Synack & Hackerone in my free time. Most notably I was #1 for finding bugs on PH for a while(alas no longer), a lot of people will recognise my handle from there!
How do you manage your personal life, work, and bug bounties? Do you do bug bounties as a job or a hobby?
My life is fairly balanced between work, play, bounties, sports & general life. Bounties make up more of a hobby than a full time stint. I work Monday to Friday as a tester of pens with the odd evening spent hunting bugs on sites with programmes. Additional to the work of hacking I also write things.
I am a strong believer in passing knowledge on and supporting the information security community I do this by providing tutorials on my blog, attending conferences & running my local DEF CON Chapter(DC44141 for those interested). My life isn't completely spent behind a terminal as I also enjoy training martial arts, I currently hold a 1st Dan black belt in Karate & have fought and competed at full contact level.
How much time do you spend on Hunting for Bugs? On average, how many bugs do you think you report per month?
The time-scales for hunting vary for me as it really depends on what I’m going after, looking for or what the site even does. Some bugs I’ll spent <1 hour on and write them up for 30min-1hr after finding. Others I've seen days spent digging at services to find holes.
The longest I’ve spent on a bug is probs 3 weeks where I was developing an exploit for a bespoke app, to pop the box then download the data I needed, I'm no exploit dev but I find the odd thing now and again.
As mentioned previously this is a part time hobby so I don’t have an exact per month number, I’d say for average over the last 12 months maybe 5 a month?
How long did it take you until you found your first significant/high impact/payout vulnerability?
Does it count that my first bug reported was RCE? I found that accidentally before. However if we’re talking after that probs around 6-8 months later I found a pretty critical source code disclosure where I had access all of the session keys, private SSL certificate, root ssh certs & api keys.
Of all the bugs you've found, what was your favourite/most interesting?
The most interesting bug I’ve ever found has to be an app which I found had an open database query function, it would literally take straight SQL in an input box and run it! Not only that, I was able to leverage the ‘feature’ to enable xp_cmdshell and gain remote code execution(RCE).
Once I had basic RCE I was able to traverse the network using port forwarding, it was most fun as I was able to scan the internal network from a remote VPS via the RCE tunnel setup, from here I found several boxes that were vulnerable to the infamous MS08-067 exploit however halted exploitation there and wrote up my findings.
The program were very happy with the write-up and steps taken as it outlined several machines on their network that were forgotten, it later transpired that these boxes had unnecessary permissions to sensitive info! I didn’t find this out though, the program informed me later.
When and how did you have your breakthrough? When did you realize hacking and bug bounties was something you wanted to dedicate your time to? Please share your insights and the problems you faced to become established Bug bounty hacker?
I feel I’m still to have this breakthrough, always feel a little imposter syndrome when it comes to discussing if I’m skilled or not :-(. I love some kudos now and again and it transpired in May 2016 that it was something I wanted to do when Pornhub decided to up the awards on all previously submitted bugs! I woke up one morning to my inbox flooded with emails saying that awards had been upped and they were backdating payments on things which was pretty sweeeet!
In regards to insights and problems, I’d say the biggest one is dedicating time and being patient. I found in my early reports I was too eager to find things and submit straight away instead of taking the time to write them up with a decent structure or leveraging slightly less severe bugs to find more severe ones.
As a bottom line I’d suggest to all newbies coming into the industry take your time! Do nothing in haste, if you find something cool play with it keep tugging at that string and see what else it reveals because you never know.
Also please write it up properly, try to describe the issue you’ve found and have clear steps on how to reproduce it. As I deliver reports to clients on a weekly basis through my day job reports are a big part of the job and I’m a strong believer in transferring the reporting skillset to bug bounties too. Make reporting great again folks!
What do you do to keep up with all the new trends?
New trends, usually twitter however I have google alerts setup for some things. Additionally I have some RSS feeds I follow for updates on technologies. Aside from news I also have various chat clients for work in which my colleagues often pass across new stories, exploit techniques and other stuffs.
I also use /r/netsec on reddit for new things as it contains some goldmines however the admins can be pretty snooty meaning new things sometimes don’t make it to that page :(.
Do you collaborate with other hackers? Can you name a few?
Yes! It is a team game folks! I enjoy knowledge sharing with @zseano, @rohk_infosec, @yaworsk, @pwndexter, @filedescriptor, @InfosecPS & all of my colleagues @pentestlimited. The list goes on and on as I’m always happy to help, it’s a more enjoyable experience when folks share.
How do you approach a target? What is your routine like? What is your recon process like? What kind of information do you seek in your information gathering process? And how does this information help you?
My approach for targeting will usually follow the suit of read the scope? Are we dealing with one app or an open
If it’s an app I start to look at what the stack is, does the inf show anything obvious e.g app is on port 80/443 but there’s an admin interface for the server on 8080? Run nmap against the domain & IP to see what is available then move on to scope out the application see what it does, work out where the logic is, is there a payment feature? Is this done on-site or in an iframe? Can I bypass it?
Generally the first port of call for me is to look at the infrastructure for any easy wins, then look at the application for functionality I usually aim to look for business logic issues or if the app is running a framework of some description.
On the other hand, if it’s an open scope I’ll generally run a brute of subdomains using a variety of tooling, specifically I’ve found dns-queue to be useful recently, shout-out to Don Lor for building it!
Once I have a substantial list of hostnames, I’ll throw nmap at it with a top port list of 100 or 1000 depending on the amount of subdomains. Once this has run if any easy wins appear go after them before moving onto juicy looking domains, note any internal IP addresses(these are useful if SSRF is achieved).
Alongside targeting the domain or app, I use https://shodan.io a lot for finding holes in similar assets of the company, I also employ open source intel gathering to identify other points of entry or endpoints that relate to the target. I’m planning on doing a talk at my local Defcon chapter soon about how I approach a target start to finish, maybe you can come along and learn something irl? ;-).
Do you always look for all vulnerabilities types when you approach a website?
No, there’s not enough hours in the day to do that madness! Well that’s not entirely true, it really depends on a few factors, mainly how big the site is, what its function is and if I’m familiar with it. If it is a moderately sized application with a known framework I tend to look for more critical vulnerabilities however always noting the mediums as they might be useful for later sploits.
Do you use any tools? Do you have your own tools that you have written to automate/facilitate your work? What Burp extensions do you use? Is there a tool that not a lot of people use that you think they should?
Burp as a given for web applications with the majority of application testing done manually. However when it comes to enumeration and OSINT I use maltego, google, dirb, wfuzz, nmap, masscan, I also use dns-queue(linked above) for subdomains, sublist3r, fierce and many more.
How do you test for Server Side vulnerabilities such as RCE, SQLi, etc?
I tend to test for server side vulns mainly through fuzzing an application and manually checking responses, in regards to RCE usually I’ll look at the framework that the application is running and look for either publicly available exploits or download the framework locally and look for flaws in it.
How often do you find a bug that has been overlooked after a bounty program has been established and a horde of researchers have been digging?
From time to time but not frequently, it just depends on the program or what you’re looking at/for.
Do you think being a pentester, web developer, or being in a related field, helps you with bug bounties? Where should they start?
Yes, I 100% think doing this as a day job(pentesting) helps as it exposes you to different systems and it also gives you the reporting backing meaning when it comes to describing the issue in a report it is a lot easier to outline the risk of said issue identified. Likewise having a background in development helps a lot too as if you know how to build something you will be better equipped to break it.
I wrote a book on how to get into this field it details some of the basics to understand and look into.
What kind of music do you listen to?
A mad mix of just about anything, Metal, DnB, EDM, Jazz, Classical, Trance, Triphop, Rock, Punk. Really depends on the mood, what I’ve been testing, what time of day it is what I’ve got headphones or speakers on?
Here are some of the spotify playlists I listen to:
What do you do when you aren’t hacking?
Write blog posts, Martial Arts, spend time with my other half.
What kind of impact/role have bug bounties played in your life?
Met a load of amazing folks and grown my technical skillset exponentially.
What is an advice you received as a beginner that helped you with your bug bounty career?
Not so much as a bug bounty piece of advice but general testing advice I got when I started a few minor things. DON’T run spider on sites, you’ll have a bad time! Report both with the techy in mind but also management, you never know who’s reading at the other side. Be proud of your work, if it’s a shit report make it better!
What is one area of hacking (web, mobile, hardware, etc) you wish you knew more about / plan on focusing your learning on?
I really enjoy hardware hacking, want to spend more time looking into it
If someone with basic technical background asked you, “where should I start?”, what are 3 things you would recommend they do before diving into bug bounties?
Shameless plug: Read my blog( GHOST_URL/)
Check out the web application hacker’s handbook 2
Read past reports on Hackerone publicly disclosed
Someone was eager to know, what do you put on your toast?
My mate inputted this question to the AMA, didn’t think it’d come up! I have a piece and butter, that’s how I roll.
What's your worst bug bounty story/experience? (Please do not mention a customer name or platform in your answer)
Have several reports open with a certain program which have been open unattended for ~1 year each, with no UPDATES from said program :’(.
If you had to pick one hacker to collaborate with, who would it be?
What's the one feature you would like to see in the platforms?
Pay on triage.