Samuele Gugliotta
whoami
Hi, my name is Samuele Gugliotta and I'm from Rome, Italy. I'm an offensive security researcher as well as a bug bounty hunter who, despite my young age, has been working in IT Security for almost 5 years now, primarily as a consultant. Upon completion of ordinary activities, I unleash my obsession with application vulnerabilities on public and private bug bounty programs in order to contribute to enhancing their security and consequently take what comes of it. From the adrenaline that builds up when you realize you've found something, to the satisfaction of having put your own spin on someone else's project. Bounty is only the frame of the picture.
Tell us a bit about yourself: what does your life look like now?
Honestly? It's a question I've asked myself often over the past few years, and the answers have always been different, but better each time. I don't know if it's too early to tell, I guess I'll try to reap what I sow especially in the coming future, but I feel like I'm shaping my life the way I want to, doing something useful and rewarding for myself and beyond.
Hard to answer precisely. I think I spend an average of 4 hours a day, which tends to swing either when I feel I've found something to exploit, or when I think I've reached my daily limit and need to catch up on some rest. It may seem obvious, but rest and breaks are very important both for your health and for achieving your goals in bug bounty.
First steps in bug hunting
How did you get into bug bounty hunting?
While deepening my studies of unsafe deserialization exploitation, looking for references that contained more detail and code, I came across one of the first full public disclosures I had seen. The idea that there could be platforms outside of CTFs where you could hack freely in the real world and also get paid seemed pretty utopian to me. So I started reading the documentation and inquiring about it from multiple sources. I then came across STÖK and realized that there was much more to it than that. I fell victim to his contagious enthusiasm and the emotions with which he spoke about it, so much so that I wanted not only to be a part of this reality, but also to try to inspire someone else in turn, as he did with me.
I didn't hesitate and immediately registered on the main platforms that were most popular at that time. However, the time between registration and my first submission was significant. Becoming familiar with this reality, learning to understand, respect and especially apply the policies of the clients offering the programs, is not something you can do superficially. In hindsight, I still don't see this as a mistake. Having the opportunity to become familiar with these platforms, having access to the training and resources they offer, as well as reading reports and submissions from other researchers, are all valuable stepping stones.
Hacker insight
- Don't hack just for money. Learning and improving yourself is priceless.
- Read the reports made public by other researchers. Some references that have been and are still useful to me are PentesterLand (https://pentester.land/) and Twitter.
- Study, understand and respect the guidelines described in the policies of the customers who offer bug bounty programs. They will also save you a lot of time.
- Before submitting an alleged vulnerability, always ask yourself the question, "How can an attacker take advantage of this?"
- Write your report as clearly as possible.
- Be persistent in research, transparent in reporting, and responsible in disclosure.
Do you have any tips for our audience on what you do when you approach a new target?
From my experience so far, I can say that most vulnerabilities come from unused or disregarded resources, old implementations that have not been properly removed, and paths that applications do not use for ordinary service delivery. Enumeration plays a substantial role here. From enumerating subdomains to web application fuzzing, going through the reconnaissance phase is definitely the key when approaching a new target.
About the testing methodology
Do you follow a pre-defined methodology or do you prefer to change your methods regularly?
Basically, I follow a pre-determined methodology, but considering that every application is unique and bug bounty isn't just copy-pasting a set of publicly available payloads, it's equally important to be able to understand when you need to break habits.
Do you have any favorite tool or favorite wordlist to test with?
Yes. I always use Burp Suite Professional when testing web applications. I invested the money for the paid license years ago and have always renewed it since then using the money gained from bug bounty. I think that already says a lot about how useful it can be to a researcher. As for my favorite wordlist for fuzzing, I started with the one included in dirsearch (https://github.com/maurosoria/dirsearch), which was pretty good, and I customized it by adding some of the paths that have gotten me results in the past.
Favorite bug classes
Do you have any favorite vulnerabilities to focus on during testing?
IDOR, without any doubt. It's one of the most underrated vulnerabilities because of the ease with which it can be found. In fact, you wouldn't even need much prior knowledge of concepts like improper access control to find it. However, the impact can be devastating. I happened to exploit one just this year to get a horizontal privilege escalation. I published a CVE for it (CVE-2021-21326).
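The following is an added illustration, not code from the interviewee or from the CVE mentioned above: a constructed invoice-lookup handler that authenticates the caller but never checks ownership (the IDOR), next to the fixed handler, plus the two-request probe a tester uses to spot it (fetch your own object, then a neighbouring id). All names, ids and amounts are made up for the example.

```python
"""IDOR beside its fix, with the tester's probe. Added example with constructed data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


# Constructed sample store: two users, each owning one invoice.
INVOICES = {
    1001: Invoice(invoice_id=1001, owner_id=1, amount_cents=4999),
    1002: Invoice(invoice_id=1002, owner_id=2, amount_cents=125000),
}


class NotFound(Exception):
    """Stands in for an HTTP 404 in this offline example."""


def get_invoice_vulnerable(session_user_id: int, invoice_id: int) -> Invoice:
    """Vulnerable: the session proves WHO the caller is, but the object is
    fetched purely by the client-supplied id. Any logged-in user can read
    any invoice by changing the number (horizontal privilege escalation)."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


def get_invoice_fixed(session_user_id: int, invoice_id: int) -> Invoice:
    """Fixed: the lookup is scoped to the authenticated user. Missing and
    foreign objects both yield the same 404, so the endpoint does not
    confirm that another user's id exists."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != session_user_id:
        raise NotFound(invoice_id)
    return inv


def probe(handler, session_user_id: int, own_id: int, neighbour_id: int) -> dict:
    """Simulates the tester's check: request your own object, then a
    neighbouring id with the same session. A 200 on the neighbour that
    reveals another owner is the IDOR signal."""
    results = {}
    for label, iid in (("own", own_id), ("neighbour", neighbour_id)):
        try:
            inv = handler(session_user_id, iid)
            results[label] = f"200 owner={inv.owner_id}"
        except NotFound:
            results[label] = "404"
    return results


if __name__ == "__main__":
    # Logged in as user 1, own invoice 1001, neighbour 1002 belongs to user 2.
    print("vulnerable:", probe(get_invoice_vulnerable, 1, 1001, 1002))
    print("fixed:     ", probe(get_invoice_fixed, 1, 1001, 1002))
```

The fix is deliberately a scoped lookup rather than a separate "is owner" branch after the fetch: keeping the user id in the query condition means a future code path cannot forget the check, and returning 404 for both cases avoids leaking which ids are valid.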
Certifications and Achievements
Do you have any security certificates? How important do you think certifications are nowadays?
Yes, I do. I became CompTIA Security+ certified in 2018, then obtained CEHv10 in the following year, both theoretical and practical. This year I renewed the latter and am currently preparing for the OSWE certification by Offensive Security. I think certifying yourself is essential at the beginning of your career in IT Security. After that I think it's more something you do for yourself, rather than for others. It becomes a goal, a chance to gain satisfaction and prove something to yourself. No longer a necessity.
What would you consider your most impressive achievement? What bounty are you most proud of?
Last year I was able to exploit an error-based in-band SQL Injection vulnerability on a mailing list signup feature, to the point of taking out the entire database. This was a reminder that no functionality can truly be overlooked. Unfortunately the public disclosure request was not accepted, not even partially. Maybe in the future the customer will change their mind.
Future of bug bounty
Can bug bounty hunting be a full-time job?
Why not. I've honestly never experienced this, but I don't see why it couldn't be possible.
What is the role of automation in security testing?
It depends. Automating pre-defined checks can be really helpful in optimizing the researcher's time. However, you must keep in mind that it cannot replace manual testing, basically for the same reason that a Vulnerability Assessment can never replace a Penetration Test. So yes, it can be useful, if done accordingly.
What are your expectations of bug bounty platforms?
What I expect from a bug bounty platform is protection of the researcher, with clarity in policy and regulations. Also, that it be maintained and updated with new programs. As for events, training, prizes and swag, I personally consider all of these something additional that allows the creation of a greater bond and loyalty with the platform.
What is your impression of HACKRATE?
HACKRATE is awesome! I appreciated that one of the first features implemented was training on Avatao for both novice and experienced researchers. This is not something that should be underrated; it says a lot about how much importance the platform places on the researcher. Additionally, by actively using the platform it's evident how often features are added and curated, how much trust is placed in researchers' suggestions, and how this isn't overlooked. In addition, triagers' response times are competitive with other similar platforms, and program policies are clear and straightforward. I'm sure it will grow disproportionately in the coming months. Also, I cannot wait for the HACKRATE swag to come!