First steps in bug hunting

How did you get into bug bounty hunting?

When I began studying network security I came across some bug bounty platforms and started to commit to those in my free time.

Hacker insight

Do you have any tips for our audience on what you do when you approach a new target?

The advice I would give to anyone who is starting now, is what nobody told me in the beginning: do not be put off by the number of issues that had already been reported! Safely ignore those and start to do your own checkup on the tests. It can be a real issue if you check how many reports have already been submitted and you decide that it is “not worth it”. I have found so many high-risk issues in applications that were open for many months and had a ton of reports that I don’t even remember…

About the testing methodology

Do you follow a pre-defined methodology or do you prefer to change your methods regularly?

Well, majority of the bug bounties are web application and API based ones. When it comes to these, to me it is vital to understand what the application is trying to do under the hood, what was the intended purpose of the way the application passes the messages and so on. So, to begin with I always do a click around and simply build a mind map of what is going on. Unless you understand the application thoroughly it is easy to miss access controls issues that are usually critical in nature but are also very easy finds if you see through the code.

Favorite bug classes

Do you have any favorite vulnerabilities to focus on during testing?

My favourite are access control issues and PDF generation functionalities. Some old type of PDF generators are terrible and aside of SSRF you can most of the time achieve LFI or even RCE with some messing around.

Certifications and Achievements

Do you have any security certificates? How important do you think certifications are nowadays?

I do have a handful of certificates and whereas they are important, I believe knowledge is before any kind of certificates. I have seen guys with zero certs being able to explain the full working of Kerberos whereas some seniors don’t know why they can not authenticate to a Domain Controller when the local time is more than 5 minutes off. In this industry knowledge and willingness to learn is more valuable than certs in my view.

Some of my certs:

• CISSP (Certified Information Systems Security Professional)
• OSCP (Offensive Security Certified Professional)
• eWPTXv2 (Web Application Penetration Tester eXtreme)
• CREST CRT (Crest Registered Tester)
• CRTO (Certified Red Team Operator)
• CRTP (Certified Red Team Professional)
• AWS-CCP (Amazon Certified Cloud Practitioner)
• CREST CPSA (Crest Practitioner Security Analyst)
• CompTIA Network +

What would you consider your most impressive achievement? What bounty are you most proud of?

I have found several serious injection type vulnerabilities and access control bypass issues for large companies.

Future of bug bounty

Can bug bounty hunting be a full-time job?

I think bug bounty can definitely be a full-time job however it is a competitive field and requires one to be on tope of their game if they want to make a living solely out of bug bounty.

What is the role of automation in security testing?

Automation is absolute key, especially nowadays. The big bug bounty guys have it all automated where most issues get evidence automatically generated (such as DNS takeover). If you take bug bounty, seriously get very familiar with Kubernetes!

What are your expectations of bug bounty platforms?

When it comes to bug bounty platforms, I have always looked for ease of communication and how well the application was built.

What is your impression of HACKRATE?

As a reason I am quite happy with HACKRATE as it is very convenient to get around it and has all the main functions that a good bug bounty platform should have in my opinion.