AMA with @thedawgyg

Thank you for doing this interview! Can you please introduce yourself?

My name is Tommy, I go by the alias dawgyg (@thedawgyg on twitter). I am from Richmond, Virginia, in the US. I have been hacking off and on for a little over 20 years now, started in the mid 90s. I got into hacking because of IRC back in the 90s. After spending a bit of time on EFnet, I ran into a couple of the old school hackers and was instantly fascinated by the concept of hacking. I am currently most active on Synack, and have participated in programs such as Yahoo, Facebook, Hack the Army, Hack the Pentagon, and Etsy.

Q: How do you manage your personal life, work, and bug bounties? Do you do bug bounties as a job or a hobby?

I recently made the switch to doing bug bounties full time last month (April 2017). It originally started as a hobby, just because it was so cool to me that companies were willing to pay me to hack them when I am bored.

When it comes to managing personal life with the bug bounty thing and other work that I do, I basically like to have fun. So I spend a couple days here and there per month hacking until I have what I think is enough coming in from bug bounties to cover my expenses for the month + whatever that month's adventure will be. Then I may spend some extra time on other days through the month, but basically when I get bored, or if I find a new toy or adventure I want.

Q: How much time do you spend on Hunting for Bugs? On average, how many bugs do you think you report per month?

This varies a bit, but I generally spend about 8-10 hours a week spread through the 7 days hunting. Sometimes it's more if there happen to be some good programs launched on Synack, and other times it may be a little less.

I think I generally average about 20 or so bugs per month across all platforms/programs.

Q: How long did it take you until you found your first significant/high impact/payout vulnerability?

With regards to bug bounties, I started in March of 2016 after finding my first bug for Yahoo’s bug bounty, and found what is still today my most critical issue. (RCE on 2 different servers with the ImageTragik vulnerability, with a combined reward of $5,000)

Q: Of all the bugs you’ve found, what was your favorite/most interesting?

I think my favorite so far was a recent one. About 3 weeks ago I managed to find an Auth Bypass in an Employee login portal for a Synack target. While testing this, I ended up being able to get it into a Blind Error Based SQL Injection (huge shoutout to @jstnkndy and @secgeek for their help in figuring out how to manually exploit and extract information on this)

Q: When and how did you have your breakthrough? When did you realize hacking and bug bounties was something you wanted to dedicate your time to? Please share your insights and the problems you faced to become established Bug bounty hacker?

I figured this out in March of last year as well, when I got my first bounty from Yahoo and realized that it was something totally legit. (I am an old school hacker, and former blackhat. So I was, and still am, quite wary of hacking a bunch of different companies again).

I have always loved hacking, and reading about other people’s hacks. I spent a very good portion of my teen/young adult years hacking for free. Just because we were told we couldn’t do it. They were smarter than us. So we wanted to prove them wrong. This led me to what would become my biggest hurdle when it comes to being a bug bounty hunter.

Because of my bad choices as a kid, and I guess the reluctance to use a new alias, I am not allowed to participate in some bug bounties, and feel that I have to be extra careful when I am actually doing the bug bounties that I can do. I constantly worry that I may go too far and upset a company and just cause problems from there. So now I try to make sure I read the scope of each program before even opening their page in my browser, and will constantly go back and check for updates on programs before I take a new look at them each time. I have also found that reporting issues the instant I find them, then asking for permission to attempt to escalate it has been accepted by most of the programs, and puts me a bit more at ease.

Q: What do you do to keep up with all the new trends?

I read every blog post that is shared by any hacker (regardless of their hat) that comes across my Twitter account, or in the blogs room on slack. I also check out Packetstorm Security for news from various different links, and I follow /r/netsec occasionally.

Q: Do you collaborate with other hackers? Can you name a few?

I have done some hacking with a few guys from the community. @nahemsec @bbuerhaus @rohk @zeano @secgeek @yaworsk come to mind, there are others as well. (Sorry if I didn't list you)

Technical Questions

Q: How do you approach a target?

I generally run sublister first, and include the brute force flag, and port scan for about 15 ports I have found to be pretty common. While that is running, I will spend some time googling, checking the Facebook cert tool, and other cert pages to find some other subdomains. If I find any that seem like they might be interesting, I will run dirsearch on them to see if I can find any interesting files or folders and start googling the subdomain to see what it's generally used for. From there it's basically just wash and repeat until I find something that deserves more attention.
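Two things the interview keeps coming back to are pulling candidate hostnames out of certificate search pages and reading a program's scope before touching anything. The following is an added example, not the interviewee's script: it parses a constructed crt.sh-style JSON response into a de-duplicated host list and then drops every host that a constructed scope (include patterns plus exclusions) does not authorise, so only in-scope names reach the next stage. The JSON shape, the domain names, and the scope lines are all assumptions made for the demo.

```python
"""Added example (not part of the interview): turn certificate-transparency
records into a de-duplicated host inventory and keep only what a program's
scope allows.  The JSON shape mimics what cert search sites return; the
records, the scope and the domain names are all constructed for this demo.
"""
import fnmatch
import json

# Constructed sample, shaped like crt.sh's JSON output ("name_value" may hold
# several newline-separated names, wildcards included).
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.dev.example.com"},
    {"name_value": "mail.example.com\nWWW.EXAMPLE.COM"},
    {"name_value": "legacy.partner-example.net"},
    {"name_value": "staging.dev.example.com"},
])

# Constructed scope: include patterns and explicit exclusions, as a program
# page might list them.
SCOPE_INCLUDE = ["*.example.com", "example.com"]
SCOPE_EXCLUDE = ["mail.example.com", "*.dev.example.com"]


def hosts_from_ct_json(text):
    """Extract unique, lower-cased hostnames; wildcard entries are dropped
    because they name a pattern, not a host that can be inventoried."""
    hosts = set()
    for record in json.loads(text):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name or name.startswith("*."):
                continue
            hosts.add(name)
    return sorted(hosts)


def in_scope(host, include, exclude):
    """A host is in scope if it matches an include pattern and no exclusion.
    fnmatch treats '*' shell-style, so '*.example.com' also matches
    'a.b.example.com', which is the usual reading of such scope lines."""
    if any(fnmatch.fnmatch(host, pat) for pat in exclude):
        return False
    return any(fnmatch.fnmatch(host, pat) for pat in include)


def partition_by_scope(hosts, include=SCOPE_INCLUDE, exclude=SCOPE_EXCLUDE):
    """Split a host list into (in_scope, out_of_scope) so nothing outside the
    program's authorisation is handed to the next recon stage."""
    allowed = [h for h in hosts if in_scope(h, include, exclude)]
    denied = [h for h in hosts if h not in allowed]
    return allowed, denied


if __name__ == "__main__":
    found = hosts_from_ct_json(SAMPLE_CT_JSON)
    ok, skipped = partition_by_scope(found)
    print("in scope:     ", ok)
    print("out of scope: ", skipped)
```

Note that a bare apex like `example.com` does not match `*.example.com` under fnmatch, so it has to be listed explicitly if the program includes it; exclusions are checked first so a more specific deny always wins over a broad allow.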

Q: Do you always look for all vulnerabilities types when you approach a website?

It really depends on the web app itself. There are some very basic pages/apps that I don't really look for much other than XSS or info disclosure on, but if it's more than just a page or 2 then I will try to spend at least some time looking for any vuln category for the most part.

Q: Do you use any tools?

I have written simple bash scripts to help me run programs quicker and easier, and send the output to various places or onto the next phase of my recon. I use the basic tools: sublist3r, dirsearch, burp repeater, parameth.

Q: This is one of our most popular questions: How do you test for Server Side vulnerabilities such as RCE, SQLi, etc?

I have had a bit of luck using ImageTragik, so now I have several images that test for this in various ways, and I make sure I upload this in every place that is available, just on the off chance it gets processed somewhere somehow. (It has worked a couple of times in the last year)
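The reason uploaded images still land RCE is usually an ImageMagick install running with a permissive policy.xml. As an added example from the defending side (not the interviewee's tooling), here is a small audit that parses a policy.xml and reports which of the coder restrictions recommended in the ImageTragick advisory (EPHEMERAL, URL, HTTPS, MVG, MSL, plus the `@*` path rule that blocks indirect file reads) are missing. Both policy documents are constructed for the demo; the audit treats pattern matching as simple upper-cased equality, which is an assumption rather than ImageMagick's own matching rules.

```python
"""Added example (not part of the interview): audit an ImageMagick policy.xml
for the coder restrictions recommended after ImageTragick, so an upload
pipeline can be checked before it is allowed to process user images.
The two policy documents below are constructed for this demo.
"""
import xml.etree.ElementTree as ET

# Coders the ImageTragick advisory recommended disabling, plus the "@*" path
# rule that stops indirect reads of local files.  Assumption for this demo:
# patterns are compared as upper-cased literals, not ImageMagick globs.
REQUIRED_CODER_BLOCKS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"}
REQUIRED_PATH_BLOCK = "@*"

# Constructed: a policy that blocks only one coder, as a partial fix might.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
</policymap>"""

# Constructed: the hardened form with every recommended rule present.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="path" rights="none" pattern="@*"/>
</policymap>"""


def blocked_rules(policy_xml):
    """Return (set of blocked coders, whether the @* path rule is present).
    Only rules with rights="none" count; a rule granting rights is not a block."""
    root = ET.fromstring(policy_xml)
    coders = set()
    path_blocked = False
    for rule in root.iter("policy"):
        if rule.get("rights", "").strip().lower() != "none":
            continue
        domain = rule.get("domain", "").lower()
        pattern = rule.get("pattern", "")
        if domain == "coder":
            coders.add(pattern.upper())
        elif domain == "path" and pattern == REQUIRED_PATH_BLOCK:
            path_blocked = True
    return coders, path_blocked


def missing_mitigations(policy_xml):
    """List the rules still needed for the policy to meet the baseline.
    An empty list means every recommended rule is present."""
    coders, path_blocked = blocked_rules(policy_xml)
    missing = sorted(REQUIRED_CODER_BLOCKS - coders)
    if not path_blocked:
        missing.append("path:@*")
    return missing


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        gaps = missing_mitigations(doc)
        print(f"{label}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Run against the file ImageMagick actually loads (the path varies by version and distribution, so check `convert -list policy` on the host in question) rather than the constructed strings; an empty result from `missing_mitigations` is the baseline, and keeping the upload handler on a current ImageMagick build is still required on top of the policy.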

Q: How often do you find a bug that has been overlooked after a bounty program has been established and a horde of researchers have been digging?

Quite often. My 2 biggest programs have both been running bug bounty programs for quite some time. Just because something is older, doesn’t mean it is secure. We all think about things differently and approach them differently. So never skip something just because you think too many people have looked at it.

Q: Do you think being a pentester, web developer, or being in a related field, helps you with bug bounties? Where should they start?

I am a Unix (mainly Linux) Sys Admin by job, so I definitely think this has helped, as it lets me think like some of the other sys admins for the companies I may be targeting, and I know some of my common mistakes, or those of coworkers/friends, so it gives me a decent place to start out when looking at something new.

Time to wrap it up!

Q: What kind of music do you listen to?

American Country, Hip Hop and R&B

Q: What do you do when you aren’t hacking?

Travel, watch Spongebob, play with my dog and my daughter

Q: What kind of impact/role have bug bounties played in your life?

Almost out of debt, traveling a lot more, and allowing me to help out some family and friends when they need it.

Q: What is an advice you received as a beginner that helped you with your bug bounty career?

Don’t give up. I think I heard that the most. Hearing it from Sean Melia (@meals) and Ben (@nahemsec) helped prevent me from giving up on several bugs that ended up being worth the extra effort.

Q: What is one area of hacking (web, mobile, hardware, etc) you wish you knew more about / plan on focusing your learning on?

I want to get into hardware hacking and do more mobile. Most of what I do now is host or web app, but I am constantly trying to learn more to expand what I am able to do.

Q: If someone with basic technical background asked you, “where should I start?”, what are 3 things you would recommend they do before diving into bug bounties?

Read. You can never read too much or stop learning. Don't ever think you know all there is to know about a topic. Start out by reading blog posts from people doing bug bounties and start learning what types of things to look for, what others have had success with or no success with. It’s all about constantly learning and doing what you can to keep up with newer technology.

Q: Someone was eager to know, what do you put on your toast?

Strawberry jam and butter

Q: What’s your worst bug bounty story/experience?

Worst experience so far has been an ongoing issue with trying to get a response from a free program for bugs submitted more than 9 months ago. It's discouraging, but I have to remember that this is not the norm.

Q: If you had to pick one hacker to collaborate with, who would it be?

Mark Litchfield or filedescriptor

Q: What’s the one feature you would like to see in the platforms?

A way for the researchers to provide feedback on experiences with a program.

Q: What’s your favorite text editor?

Gedit if I am on my laptop, nano if I am doing it from the command line.