BugBountyHunter Chats — Getting to know 0xblackbird, YouGina, JTCSec and HolyBugx
BugBountyHunter.com opened early November 2020 and the amount of growth we have seen in members has been phenomenal! Members have been using BARKER to build confidence with testing web applications and leaving no stone unturned, with the end goal to apply this mindset on bug bounty programs..
0xblackbird, YouGina, JTCSec and HolyBugx have been members from very early on and have shown great progress, but recently they paused testing on BARKER and got together to collaborate on a chosen bug bounty program. I sat down with them to ask them a few questions about their collaboration, get to know them better and to see how things were going.
ZSEANO: Firstly, introduce yourself and tell us a bit about yourself:
JTCSec (https://www.bugbountyhunter.com/hunter/jtcsec): My name is James and my day job is as a member of a Cybersecurity team doing incident response, SIEM management/Use Case development, and managing the Threat Intelligence program. I got into Web Application security in college, where I was studying for my Bachelors degree in Computer Security. There were several Cybersecurity clubs on campus and one of them was hosting a red team/blue team competition that other schools could send teams too (ISTS). Basically, each team was a blue team made of students with assets to protect and tasks to complete, but they could attack other teams as well. Additionally, there was a red team made up of pros (including members of companies who sponsored the competition) and they did they’re best to mess with everyone. I assisted with creating injects by creating a vulnerable web application that the blue teams were supposed to stand up, protect, and then audit for vulnerabilities — I purposely built in an RCE so that if a blue team found it, they could own other teams servers if they didnt properly protect the app (unfortunately, no one found it :( ). That experience was a crash course in web development and web application vulnerabilities, so from there I got more and more interested in trying my hand against proper targets.
0xblackbird (https://www.bugbountyhunter.com/hunter/0xblackbird): Hello! I’m 0xblackbird, and I’m a 16 years old bug bounty hunter from Belgium. I got into hacking almost two years ago and started participating in bug bounties about a year and a half ago. Before that, I was just a game developer and an animator, but that didn’t last long. Right after I quit animating, I started to develop interests in cybersecurity. I found it really cool to be an ethical hacker and hack for good while also earning awesome rewards! So I came across thecybermentor’s Full Ethical Hacking course, the best free course at that time! I’m currently not following anything computer-related in school, so I took the course and learned everything in my free time after school. That’s where I started learning the basics of networking, Linux, and cybersecurity. A few months after completing the course, I started to focus on web application hacking. I enjoyed it a lot, and I still do of course! That was the reason why I went for doing bug bounties!
HolyBugx (https://www.bugbountyhunter.com/hunter/holybugx): So a brief introduction about myself, I just turned 20, I started bug bounties back in August 2020 (8 months now) with no backgrounds, well since I was a kid I was in love with computers and hacking but never tried to do it as a profession until when I turned 19, I took a step forward and took some basic networking and security courses and I quickly realized my passion in hacking goes to web security, so I started my career as a bug bounty hunter.
YouGina (https://www.bugbountyhunter.com/hunter/yougina): My name is Christiaan but in the community, I am commonly known as YouGina. I have been interested in development and security ever since primary school (about ten years old I guess) and continued doing both during middle school, making and breaking different websites, applications, and other stuff. After middle school I got my CEH certification via EC-Council and later ECSA and LPT as well. I have learned about bug bounties back in 2014 already when HackerOne just started, though I have only been actively hunting since recent years. Now when I look back at it, I wish I had started directly back then since it turned out to be such a fun thing to do.
ZSEANO: How did you come about to collaborate together? What sparked it?
HolyBugx: About a month ago I decided to do some collaboration with other hackers, I had many friends from the Bug Bounty Hunter community, so I messaged 4 of my great friends 0xBlackbird, YouGina, JTCSec, and Gprime31, and asked if they are up to collaboration, and they were all fine with it, so we are hunting together for a month now, and we had found +25 bugs from 2 companies.
YouGina: Since the collaboration on [redacted] started with the group from BugBountyHunter we have been sharing information between each other over private Discord chats already. At some point during that period, I got the question from HolyBugx if I would like to join him and 0xblackbird to start hacking on some other public programs on hackerone. Of course I accepted this. Later on three more of us joined and now we’re hacking on three different programs with a group of 6 hackers with different skillsets.
JTCSec: I started initially working with GPrime, we were working on some Barker bugs together and then expanded into the targets from the Hackevents and then we branched out into a second public program. Holybug reached out to both of us and asked if we were interested in looking at a program together and we hopped on. Most of our focus so far has been on larger scope programs, mapping out/fingerprinting assets that look interesting to create leads and then drilling into specific ones. i guess what you could say sparked it was like minded individuals who have different specialties but are interested in working together.
0xblackbird: A while ago, I asked some very talented Bug Bounty Hunter members if they wanted to collaborate with me. HolyBugx, YouGina, Gprime31, and JTCSec agreed and wanted to collaborate. Just a day later, after we got everything set up, we found our first vulnerability! It didn’t take long before we found lots of other vulnerabilities! At the moment, we’ve collaborated on two wide-scope programs and received our first bounties already!
ZSEANO; That’s great! Collaborating can be useful with sharing information! So overall, would you say things are going well at the moment?
0xblackbird: So far, we have been collaborating on two bug bounty programs where each one of them had a very wide scope, so a lot of (sub)domains to test! A few weeks ago, another researcher also agreed to join us! We already found multiple bugs and earned some nice bounties too! Besides that, it’s really awesome to see how other talented hackers approach each and every sort of web application and feature! I’ve learned from that alone a lot! Every researcher is unique and thinks differently, I think this is what makes collaborating awesome when all of us focus on one (sub)domain!
JTCSec: Overall we’ve been doing well! Our Most success has come from finding a bug in one place, and then replicating it on other endpoints and hosts (thus turning one report into 5 or 6 for each unique occurrence). The one I'm most proud of is one where we found a server status page that was returning web requests and noted what appeared to be internal web request being logged (maybe not internal in networking terms but definitely requests originating form the target company). Based off the requests I was seeing, I built a custom wordlist and fuzzed for endpoints matching their naming convention. I was able to find an older application that was located in a specific sub folder named with the target company — a name that is highly unlikely to be in any wordlist out there. From there, we fuzzed for additional endpoints (mostly standard names, prefixed with the company folder). in total we were able to find some XSS on the app pages, plus I got to an unauthenticated admin panel. When I reported it, we found that the server-status page had been reported over a month earlier — so someone else saw that page, reported and moved on, all the while the information for multiple bugs was right on that page if they had just looked further.
YouGina: We have had quite some luck in the first weekend when we started on our first program. We found one subdomain that was full of similar bugs on different endpoints. Later, when the other programs were added we have found some more bugs. Being in a group like this it goes quite fast. One person finds a fishy endpoint, the other one finds the vulnerability. Already 20+ bugs so far. I can hardly keep track of what we find sometimes :-)
HolyBugx: As I said before we found +25 bugs in less than a month, we are enjoying the journey as we go along, we are good friends which matter the most for me and we are learning together as well as finding some bugs, what can be better than that :)?
ZSEANO: How did you go about selecting a program and starting your testing? What did you do first? (Shameless plug but I have to ask — Did my methodology help you at all when starting your testing?)
JTCSec: The programs we’ve selected all have wide scopes and decent payout/response times. We wanted to follow your (aka zseano’s) recommendation from Nahamcon and focus on one target for a year — while we have a couple targets, were sticking to a selected scope for a while. Already were able to spot new assets, what similarities there are with existing assets, and have found things that are one or two layers deeper then the initial recon would find. We kind of have unofficial roles that align with what were good at — some people are constantly looking for new assets, some are focusing on the leads we have (digging deep into particular hosts rather then doing any widespread enumeration). I do a lot of fingerprinting of assets, and any bug we find that we think is repeatable I will scan for on other assets. I use nuclei alot (https://www.youtube.com/watch?v=bHXkQjtBOLo&t=389s&ab_channel=JTCSEC) with a tailored list of OOTB and custom templates to categorize assets. Since we only recently started hunting, I think were still in the “What do we do first” phase. Given the team size, we all don’t need to be doing recon, so were all working on our own specialties to fit together bet with the rest of the team — plus of course hopping on anything interesting that we found.
HolyBugx: Yes, it helped us to have the mindset of choosing programs with a wild scope and hacking on them for a long time, We chose 3 programs to hack on for a long time, but we are all focusing on one for the time being.
First, we did huge recon, both YouGina and I love doing recon, we did most of the essentials and zseano methodology enlighten us to make a custom tool to do some of his mentioned methods, for the time being, another tool is being developed to do some other tasks from zseano’s methodology.
You can download it for free at https://www.bugbountyhunter.com/methodology/
YouGina: When I joined the group, the program was already selected. They have selected this program because of the large scope. We first started mapping out the available scope and picked a target subdomain to start hacking on. If no bugs where found, we switch subdomain until we were tired of this target. When our group was complete, we decided to add two more targets so when we are out of inspiration for one target, we can switch to one of the others.
The methodology helped me in this assessment to keep my focus. Even with the available targets I try to stick to one and keep good notes and following up on my thought process when I think about something new.
0xblackbird: Yes, your methodology did help us! We went looking for bug bounty programs that had a very wide scope, so far it helped us a lot and we found a lot of bugs by just doing proper reconnaissance!
ZSEANO: I’m glad to see it’s helped you! A big thing I like to try get through to people is to not overthink what it means to be a “hacker”, you are simply looking at what’s in front of you and testing how it works, parameters used, expected result, and trying various things to identify if you can change that result!
Moving on, let’s talk a bit about bug bounties, what’s your current bug bounty experience been like and how long have you participated?
0xblackbird: I currently have almost a year and a half of experience in web application hacking. I started hacking on programs after getting the basics of web application hacking. At the moment, I’m still in high school, and combining bug bounties and school can sometimes be quite challenging, especially when you have exams. That’s why I try to manage my time and try to spend it wisely. Most of the time, I spend it on bug bounty programs on Intigriti or on Barker. But I also try to read lots of blog posts and write-ups to keep updated with the latest techniques. It helps me a lot, but that is only reading material. Ever since I got an invitation from Zseano the legend himself to join Bug Bounty Hunter, I started to spend more time on the platform and I learned lots of new things by hacking Barker! I did find a lot of bugs during my bug bounty journey, and I also received awesome rewards for them!
JTCSec: I started properly looking for bugs ~a year ago, but honestly didn't really know what I was doing until end of last year, early this year. I started by basically copying #bugbountytips on twitter and running burp scan on everything I could find hoping to get lucky (spoiler: I didn't). In the last 6 months or so, I’ve really forced myself to sit down, learn about what im trying to do instead of blindly throwing payloads, and then properly manually hunt instead of relying on tools (that's where BBHunter comes in). After I properly learned what to do, ive become much more successful. I have a VDP on Hackerone that I've spent a lot of time on and been gaining rep from — at almost 300 (one bug away!). More recently with collaboration I’ve been spending more time on Bugcrowd and have had several verified reports (up to 70 points there). While none of my profiles have jaw dropping numbers by any sense of the imagination, I'm very proud of the fact that a lot of my bugs have been found through manual testing, and very few would have been caught by automated scanners. It definitely helps me feel better that I actually know what I'm doing, even if I'm not raking in the money and getting ready to retire.
HolyBugx: The First 5 months of my bug bounties (August 2020 — December 2020) was simply just reading materials and books about web security, and no hunting at all, I love reading and learning, even now I’m not hunting all the time, I do it beside my web security learning experience, for people wondering how is my time management, I split my daily time between hacking and learning I do hackings for 7 hours a day and I study 7 hours as well. Since January I started hacking more, and I have found a couple of bugs from well-known companies, currently collaborating with a couple of my friends from the Bug Bounty Hunter community.
YouGina: During the past three years I have started actively looking for bugs every now and then. During these years I have climbed towards the 500 reputation points. In this time, I have found one valid critical, ten medium and for the rest low severity bugs. Most of these bugs are interesting business logic bugs which I stumbled upon while using the application in a “normal” way with a hacker mindset.
ZSEANO: Your best piece of advice you’ve learnt since starting hacking / bug bounties?
YouGina: My advice to people who just started is to keep track of what you have learned and try to focus on the things you enjoy doing most. That is the only way to stay motivated in my opinion. It is however important to use whatever you learn in practice. What I did wrong when I started actively hunting is wanting to keep track of all the information out there and read as much as I could. At some point I did not even have the time left to hunt anymore!
HolyBugx: No professional was born professional, love what you do and enjoy as you go on, never give up soon and, have the passion for improvement :)
JTCSec: My biggest piece of advice is make sure you learn first, then always keep learning while you hack. I know its very hard to ignore all the sick bounties on twitter, but if you don’t learn what to do you’ll never be able to consistently replicate that. learn the basics, be persistent, then keep building on that knowledge as you start to find success. Its very tough, but it pays off in the end. While I haven't had a ton of monetary success, it was definitely better for me to focus on training programs and then VDPs that were less picked over to help me hone my skills. I've made more in the last month then I did in the 12 months before that — the bugs are out there, and if you're smart about how you're looking and you're persistent, you’ll find them.
0xblackbird: Manual hacking. The number of bugs that I’ve found while only hacking manually is just insane. If I automated everything and did not end up double-checking manually, I would for sure have missed a lot of bugs! And I also would more likely report duplicates instead of valid bugs.
ZSEANO: And lastly, what are all your goals for 2021?
HolyBugx:
1- Learning more about web security
2- Helping others as lots of great people helped me when I first started
3- To have more collaboration and to help to secure the internet.
YouGina: My first goal for this year is to get 500 reputation points. I almost reached that already, so that is great! I would also like to grow within the group that I joined and find more serious bugs both with the group and on the private programs I am active on. I never found high severity bugs yet and only one critical. I want to focus more on finding those.
JTCSec: There's lots of stuff that I want to do but I'm not good about setting concrete markers and trying to achieve them. First of all is working on my work/life balance — work-work vs. hacking-work vs. actually leaving my desk. Trying to maintain a healthy lifestyle while also ignoring the itch to hack is not easy! As for bug bounty specific goals, I don’t have any particular milestones for points/rep, I just want the number to keep consistently increasing. I'm definitely hopeful for increasing the number of bounties, partly because I'm only focusing on paid programs at this point. I also would love to make more content, whether that's writeups or videos, but first I need something to talk about. I don’t want to be duplicating stuff that's been talked about 100s of times — trying to find my niche :)
0xblackbird: I want to reach the top 100 all-time on Intigriti and spend more time on other bug bounty platforms as well! I’m also very close to reaching level 3 on Bug Bounty Hunter so hopefully, I will make it at least to level 3 and aim for level 4!
ZSEANO: Thanks everyone for answering! It all sounds like you’re doing great, your mindset is there and you’re on the right path to crushing it in the infosec world. I can’t wait to hack again with you all.
If you don’t mind, I'd love to just ask you one final question. As you know I love to look after hackers and one key thing is helping our members learn the mindset and to then apply this on bug bounty .
What’s your bugbountyhunter experience been like? Do you feel it has helped you when hacking on bug bounty programs?
YouGina: I have been using BugBountyHunter for almost half a year now. The Barker application combined with the methodology has helped me to get in a better mindset and focus more on one target at a time. Apart from the website and the barker application the community is great. This has helped me a lot to stay motivated and keep learning.
0xblackbird: Bug Bounty Hunter helped me a lot when doing bug bounties, especially Zseano’s methodology and Barker where you can practice and learn new techniques! I first thought that it was some sort of CTF, but I was wrong! It’s like a bug bounty program! It aided me a lot in thinking differently when approaching a new function or feature. I became more curious and learned to ask myself different kinds of questions that help me abuse certain features. I also noticed that I started to report fewer duplicates and more valid issues! And the best thing of all, I learned that manual hacking is way better than only using tools and create a lot of noise! So far, I’ve had a lot of success with it. Reading JavaScript files has also got me a lot of bugs! I recently also found my very first server-side request forgery thanks to reading one of them! And also, the Bug Bounty Hunter community is just awesome! I always get help whenever I have doubts or questions!
HolyBugx: It was Christmas night that zseano gifted BugBountyHunter.com subscription to me, Let’s take a moment to appreciate this great mankind and all the help and works he did for the community.
BugBountyHunter was just what I needed, I had studied lots of materials on web security but I had never tried practical stuff, I studied Zseano’s methodology in a day and jumped into barker (BugBountyHunter.com hacking training platform), I can say it was just beyond great experience for me, I learned lots of stuff from hacking into barker, I converted my theoretical knowledge into practical hacking and it didn’t take me long to be in barker’s top 10. Barker’s bug types are not simulated and they are similar to the real world, I had found a couple of bugs on well-known platforms and they were similar to the ones I had found in barker.
Zseano methodology is now a part of my methodology and I follow it as I go on. I highly recommend this platform to everyone, especially to the starters.
JTCSec: I have absolutely loved my BBHunter experience so far. I like the more general “There's bugs out there, go find them!” Approach rather then something like the Hackerone CTFs where you are looking for one specific bug type on a limited application, or something like HTB where half the part is figuring out what random CVE or vulnerable protocol is in use (definitely a generalization, but I just don't find them that rewarding :D ). First, just knowing there's more bugs out there's motivates me to keep looking — I struggle with motivation, so if I'm not having luck on an endpoint I usually am too quick to move on and just thinking there’s nothing there. With Barker, I know there are more of certain bug types out there and I just have to keep looking. Also, the bugs that are in the application are definitely realistic — while some of the low level ones have long since been reported on probably every program, some of the more complex ones I’ve already found similar ones on in the wild. Barker also forced me to be more organized and methodical. Without being able to use automated tools, I was forced to go endpoint to endpoint manually, which in turn forced me to start taking very good notes. Even if I didn't learn a single novel bug technique, it definitely helped me form a proper mentality for hunting on a live program as well as helping to make good habits. I've said it before and Ill keep saying it, BBHunter is the best thing I did to further my bug hunting knowledge.