At DEFCON 23 this year we interviewed a few members of the Bugcrowd Researcher community, getting their impressions of DEFCON and gathering some tips & tricks for bug bounty hunters. On the Saturday of DEFCON I had a chance to catch up with @avlidienbrunn and we chatted about his approach to bug hunting.
Mathias has also joined us here on this thread and will be answering any questions you ask him. Post your questions in this thread between now (August 17th, 2015) and the end of Friday (August 21st, 2015), and Mathias will answer them.
Listen in to his interview here:
Thanks Mathias for joining us! I’m looking forward to your AMA!
Update August 24, 2015 -
AMA Answer Summary:
All @avlidienbrunn answer text will be in the quote boxes below.
Question from @SamHouston:
How do you keep your security skills current and competitive with others? Are there any good resources/blogs/sites that you read? (And is there anything else you do?)
Good question! For training skills applicable in web bounties I do a mix of things:
Work as a part-time pentest consultant at a pentesting firm. During this work I learn a lot about web applications in corporate environments since the clients are most often very large companies. I also learn from my colleagues.
Participate in a lot of bug bounty programs. Practice is important to become good at anything and web bug bounty is no exception. I also think it’s a good source of knowledge because some bug bounty webapps run new and (somewhat) untested libraries/frameworks. In many cases I find myself trying something new that I didn’t even know existed.
Randomly fiddle around with stuff. Sometimes I find myself just trying to understand something new that I use myself or that I think is cool. Learn how it works and then try to break it. Maybe that’s a cliché but I don’t know how to explain this part otherwise. I feel like it’s a significant part of my training so I need to include it.
Play CTF (Capture The Flag). This is something that I ignored for a long time because I thought that the web parts of CTFs would be lame and that it would only be worthwhile if I wanted to get into rev/bin levels. But man was I wrong! I’ve learned something new in every single CTF that I’ve played, and playing with a team (shoutout to HackingForSoju :) ) is a ton of fun as well.
For “keeping up” I more or less rely on Twitter, IRC, /r/netsec and a few Google alerts!
Question from @jayaradha:
How do you approach a target? What steps do you perform when you are looking for bugs? As far as I know most people do a recon looking for subdomains then use a browser to navigate all the domains + subdomains found and Burp in background scanning. However, this should generate a lot of duplicate bugs. Are you doing something different to avoid these duplicates?
Honestly, it’s different every time when it comes to bug bounty. Sometimes when I learn about a new bug type I’ll re-visit the programs that I remember using functionality that could have such a bug. But the general flow that I use is:
- Map up the scope with crawlers/reading and adding by hand
- Identify parts of the scope where I think I will have the “highest payout per time spent”
- Look at and try to understand the parts, why they are implemented and if I can use them in unexpected ways
I evade duplicates in a few ways:
- Prioritise private programs
- Test parts of the scope that are hard to access. For instance, a scope which includes an API that’s only accessible to people who apply for a partner account with a real company. Most testers won’t bother.
- I don’t give up easily. Anytime something strongly indicates that it’s vulnerable but I can’t prove it I’ll store it with my other notes on the target and every now and then when I feel like it I’ll go back and take another look.
Question from @jayaradha:
What is the most memorable bug you’ve found?
Hm! I have a lot of findings that I personally think were challenging and beautifully put together, but if I have to choose just one I think it would be the time I bypassed the AngularJS sandbox. I got a $5000 bug bounty, quite a few people seemed to like the writeup and I even made a short talk about it.
Question from @justinsteven:
Would you rather fight one horse-sized duck, or 100 duck-sized horses?
Haha, I kind of expected this one. Ducks (and angry birds in general) are fucking scary so I’d choose 100 duck-sized horses any day.
Question from @Ebrietas:
How old are you? You always look 15 in your profile pictures (no offense, I still quite enjoy all the writeups you’ve done).
Haha trust me, I get that a lot. I’m currently 23, believe it or not!
How old were you when you were awarded your first bug bounty too?
I think it was in 2011 so either 20 or 21!
Question from @geoffreyvdb:
What did you study and until what age? You seem to have a lot of experience already for your age.
I do, and one of the reasons for that is that I didn’t study at a higher level. I only studied until I was 18, a broader “technical education” which didn’t have anything to do with security. I started learning programming at around age 12 and got interested in security around 13-14.
Question from @jhaddix, asking Mathias to elaborate on how he evaluates the scope of a target to find the parts with the highest payout per time spent.
When I feel satisfied with scoping, I have usually gotten an idea about the different sections. It’s not an exact science, but you just know that a custom, giant e-commerce PHP app is going to have more goodies than a random informational site with static content. I guess it would be more effective to base it on some sort of data, but I just go with gut feel on this.
As for what they’re feeding us, I don’t know!
Question from @jhaddix:
What feature or service do you wish Bugcrowd offered, that it doesn’t right now? (besides globally higher payouts)
- A way to invite people of my choice to collaborate on an issue.
- Delayed/synchronised payout.
- Payout via invoice/wire transfer.
- Incentive to find cool bugs/dig deeper. This might be an issue with NDA etc. but I would love to read a “Coolest bug of the month” post. Maybe anonymise the content so it can’t be tied to a specific target?