I am Mathias Karlsson, from Sweden. I’ve been hacking for 12-13 years now. I started (trying at least) programming when I was 11, a year or so after I discovered IRC, wargames and different hacking forums. Fast forward a couple of years, I co-founded Detectify where I got to know the one and only @fransrosen. After that it’s been an ongoing learning experience :)
I’ve participated on Bugcrowd, Hackerone, Synack, Zerocopter, Cobalt and a bunch of non-platform one’s too.
Currently I work 50% with application (mostly web) security assessment as a consultant. The other 50% (really more than that) goes to research, bug bounty, tool development or whatever else is fun at the moment. I’ve participated in bug bounty consistently since the end of 2013 and I do consider it my job.
In bug bounty, I hunt between 20 and 80 hours per month. My average bugs per month is 7.317, since february 2013. My average 2017 is 12.6.
High impact: A week or two. I found an RCE (file upload image.php.png) in one of the first Bugcrowd sprint bounties. With that said, I already had a lot of experience with web application testing so I didn’t “start from scratch”.
High payout: I found an XXE together with @almroot on Google around 3 months in. That one paid $10k How we got read access on Google’s production servers.
Favorite: I discovered an AngularJS sandbox bypass that the Google team used to confirm an XSS ($5k bounty). It’s my favorite because I honestly didn’t think I could do it, so when I realised I was more than excited :) http://avlidienbrunn.se/angular.txt
Most interesting: I found a really weird SSRF in a private program. They had an API where you could update an image via URL. Naturally I tried local addresses, different ports and finally different protocols.
I setup a listener on my server, and when I tried “telnet://myserver:80/example.png”, expecting it to connect and fetch the image, it actually sent a memory dump. In it was all kinds of sensitive data, DB credentials, API keys, bcrypt hashes cached in user’s session, cached source code… You name it. This was almost a year ago and I’m still dumbfounded by it.
In the beginning I just saw it as a way to get some extra cash, as well as (blogging) good PR for Detectify. Dupes made me stop for a while, but dupes was also the reason I got hooked. The excitement of “ha! I found this before everyone else :D” never gets old for me.
Being active on twitter/IRC, blogging about techniques/bugs, meeting bug bounty people IRL helped to get into the community. I never really had any problem with getting into the platforms since I was participating from the start.
To be successful in bug bounty I think these two things are critical:
Don’t think “everyone else has looked, there’s nothing left”. Approach every target like nobody’s been there before. Don’t find anything? Choose another one, there’s literally hundreds these days.
Find an unexplored niche. Notice a lot of bounty programs run the new FancyPantsXYZ framework/platform/system? Check what kind of security issues that can arise from that and apply it. Look at previous research on them and/or set up a test system and play with it.
Same applies to client-side bugs. Keep your attention at researchers in the area (for the client-side example, @0x6D6172696F, @garethheyes, @filedescriptor etc), follow the browser dev blogs and/or issue trackers. Crave more? Fiddle with browser features and try to find anomalies that would fit in The Tangled Web. Oh and on that note, read a book/see a talk on the subject. Understanding what you’re attacking is key.
Twitter, /r/netsec, IRC, colleagues, issue trackers, CVE list, security mailing lists (honestly I almost never read the mailing lists, but I do recommend it).
Yes, for tools and bugs! @fransrosen, @nnwakelam, @almroot, @0x4A6448/@jelmer, @infosec_au. If anyone would like to collaborate, I’m more than happy to add to that list.
It can be a bit of a pain with the platforms though. The way that I’ve done it in the past is for one of the hunters to create a “dummy report” where 50% of the bounty is assigned. Would really like to see the platforms push more for collaboration. Technical Questions
My routine is basically to start all automation for the target and then head right in and examine. Spending too much time on recon has been a mistake I’ve done in the past. By the time I start to hunt for bugs I would then be either too exhausted or bored to dig deep.
Tools: wfuzz, massdns, private fork of assetnote, masscan, different OSINT, some other custom/not custom depending on tech stack.
To keep it short I’ll mention two tricks that I think are valuable and not too widely applied:
For example, let’s say you have access to 3 targets, A.tld, B.tld, C.tld and these are your subdomain results:
A.tld
blog.A.tld
www.A.tld
B.tld
blog.B.tld
admin.B.tld
C.tld
s3.C.tld
blog.C.tld
admin.C.tld
Since the word “blog” has been found 3 times and “admin” only 2 times, you should test “blog” before “admin”.
That’s how I sort my wordlists.
The first is a custom tool that will index “interesting” parts of a given application and when one of those changes I get notified.
The second is pretty similar, it’s a monitoring tool called visualping (https://visualping.io/). Basically, you get an e-mail when the visual changes for a given application (think: they take a screenshot every day and see if it changes).
Third is to simply sign up for any dev/general newsletter they have. Yes you will be spammed. But some will be valuable spam!
I try to look for all bug types relevant to the tech stack that the target is using, as well as exclude any bug types that are likely not there. Since bug bounty is a constant struggle to keep a high time vs. bounty I think it’s important to also consider what not to look for.
Yes. Yes, 99% of my recon and some testing is automated. I use a bunch of different Burp extensions based on what the target is running. One that I use for all is “Reflected Parameters”, it’s great for quickly finding XSS/other client-side bugs.
Well. I use a “one-payload-for-all” approach for server-side template injection/XSS, so that can find RCE I suppose. For SQLi I just try manually especially in common places like ?order_by=desc where they might have been forced to write custom queries instead of prepared statements. Sometimes I use this https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/, but WAF’s gonna WAF, so…
No idea. I try not to think about how many have looked before me. There’s really no way to know if a certain part is well tested (except maybe on Synack where you get to see other people’s report titles). I find subdomain takeovers regularly, so I guess for those it’s pretty often?
Absolutely! How can you know how to abuse a system if you don’t know how to use it? I’ve worked as a web developer and pentester and both have taught me things that I have used in bug bounty.
Web developers: Read up on common web application flaws, pick a program that seems interesting then go for it! Reach out to me or someone else in the community if you want help.
Pentesters: Do you want to do bug bounty? Then pick a program and do it. It’s the same principle except that your goal is more inclined to finding bugs fast instead of “wide”. It’s excellent training for working as a pentester too.
I like silence + noise cancelling when I hunt/build. Otherwise, Sabaton has been my gym buddy for the past few months.
Play chess and get angry like a child when I lose. Drink beer. Go to the gym… Play CTF? I guess that’s hacking…
Huge! It’s given me the freedom to work towards my own goals. Since I have a stable income from bug bounty, I only have my other job(s) because I want to. And that’s awesome!
Honestly, I mostly remember “RTFM” as far as advice went when I started out. It did help though, I try to think “will 10 minutes of research give me the answer?” before I ask questions and a lot of times that gives me the answer (and more).
Reverse engineering/binary exploitation. I’ve become decent at x86/x64 pwnables in the last year but I would like to also become decent at windows, arm and maybe mips.
RTFM.
On a serious note: don’t jump into bug bounty before you’ve at least got the basics down. When you do, don’t let dupes get you down. Let them be in-data to improve your bug bounty hunting process.
Marmalade and cheese. Mmmm…