AMA with @fransrosen

Thank you for doing this interview! Can you please introduce yourself?

My name is Frans Rosén, based in Stockholm, Sweden. I started off as a developer back in the days. A few years ago I met a bunch of friends that were involved a lot in the web security community (avlidienbrunn & almroot), and we started a company together with some more friends which became Detectify, doing security monitoring for the web. They also introduced and taught me a lot, ending up with me taking the journey into the community myself. About 4.5 years ago I learned about bug bounties, and my first attempts at it were against Paypal, Facebook, Google and Yandex.

I also realized I had been thinking about security during my whole time as a developer, which in turn also made me aware of common pitfalls and mistakes developers tend to make. (Regular expressions anyone?)

Q: How do you manage your personal life, work, and bug bounties? Do you do bug bounties as a job or a hobby?

I do it as a combined work and hobby. I have actually plotted a graph showing my activity in bug bounties since the beginning, and it seems I do bug bounties in intervals, I dip every 3.5 months, then it takes about 1-1.5 months not doing it at all, and then I become really active again for another 3.5 months.

Being a security advisor at Detectify I can really combine the bug hunting, which helps Detectify in finding issues that are possible to automate, together with finding interesting research areas to blog and talk about.

I also have a 3 year old daughter, and I’m trying to get her interested in taking stuff apart. Once, I got her help in a bounty program to trigger a race condition in a specific process on an Android tablet, that was really cool!

Q: How much time do you spend on Hunting for Bugs? On average, how many bugs do you think you report per month?

Due to the graph I made I really see how often and how active I am. Me and avlidienbrunn will release BountyDash soon, which is a local instance of a dashboard to visualize all the bounties from HackerOne, Bugcrowd and Synack. This was actually an eye opener to me in regards to how often and how many bugs I’m reporting. I can go from 40 to 1 report a month basically; it all depends on my focus area and my current research of interest. I’ve gotten at least 1 reward for every month since 2013-12 from H1, BugCrowd and/or Synack.

Q: How long did it take you until you found your first significant/high impact/payout vulnerability?

In the beginning the hardest thing was to figure out what I was actually supposed to look for. At first, it was basically “if I get an alert, they are vuln”, but this changed pretty quickly since you had to think about “how can this actually get exploited?”. That’s probably the most important question and something I still see people not thinking about that much. To me, that question is often what makes me try to go deeper and to find chains with other bugs to find the highest impact possible. The best trigger in this case is when the company comes back and says “But we have mitigation X preventing this” and you continue digging for a few hours, responding back with a bypass of that mitigation.

Q: Of all the bugs you’ve found, what was your favorite/most interesting?

I have a bunch of favorites really. I had some fun bugs lately with two different password managers.

With the first password manager I started to look at their desktop app. I looked at the strings in the binary, and noticed some weird phrases and URLs connected to the login process.

It turned out that passing a specific prefix of your login email would allow you to log in with a static password that was letting anyone in, basically a “qwerty123” for all emails beginning with “qa123”. However, you still had to go through their 2FA process.

The thing was, when signing in to one of the emails with that prefix, it triggered a call to a specific URL. Browsing to that URL, you would see each email together with the corresponding 2FA code. This turned out to be their QA solution to have an external entity test their password manager with a bunch of services.

Looking at the URL for a while, other test-users showed up. Signing in to a few of these QA-accounts revealed logins for a bunch of services, one being the company’s JIRA (Imagine posting the vulnerability report in there instead..).

I contacted them with a proper report and they fixed it the same day.

The other password manager had the ability to store a password for arbitrary protocols, such as “javascript://twitter.com?%a0alert%281%29”. This URL would then show up in the password list as “twitter.com”.

If you clicked on the item in the Firefox extension to sign in, it would run the javascript on the current page you were on (not necessarily twitter.com). They also had a functionality to share credentials with people. When sharing this one, it would say “Frans wants to share credentials for twitter.com with you”; if the person accepted it and clicked on it, it would run on the page they were on, which could be any site really. That one was also fixed pretty quickly.
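The display bug described above comes from deriving the entry's label from the text after `//` without ever checking the scheme. The following is an added example, not code from either password manager or from the interviewee, showing the naive labelling side by side with a hardened version that parses the stored URL with the WHATWG `URL` class and only accepts an allow-listed scheme before the entry is shown or opened. The function names and the `ALLOWED_SCHEMES` list are assumptions for the example.

```javascript
// Added example: labelling a stored credential URL safely.
// Not the code of any real password manager; names below are assumed.

// Schemes a credential entry is allowed to carry (assumption for the example).
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Naive labelling, modelled on the behaviour described in the interview:
// take whatever follows "//" and cut at the first "/", "?" or "#".
// Kept here as the weak "before" case; a javascript: URL is shown as a host.
function naiveDisplayName(storedUrl) {
  const afterScheme = storedUrl.includes("//")
    ? storedUrl.slice(storedUrl.indexOf("//") + 2)
    : storedUrl;
  return afterScheme.split(/[/?#]/)[0];
}

// Hardened version: parse first, reject anything whose scheme is not
// allow-listed, and derive the label from the parsed hostname only.
// Note that the parser alone is not enough: "javascript://twitter.com?..."
// parses with hostname "twitter.com", so the scheme check is what matters.
function safeEntry(storedUrl) {
  let parsed;
  try {
    parsed = new URL(storedUrl);
  } catch (e) {
    return { ok: false, reason: "unparseable" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme not allowed: " + parsed.protocol };
  }
  if (parsed.hostname === "") {
    return { ok: false, reason: "missing host" };
  }
  return { ok: true, display: parsed.hostname, href: parsed.href };
}

// Simulated "open entry" action: only navigates for accepted entries, so a
// stored javascript: URL can never be executed on the current page.
function openEntry(storedUrl, navigate) {
  const entry = safeEntry(storedUrl);
  if (!entry.ok) {
    return { opened: false, reason: entry.reason };
  }
  navigate(entry.href);
  return { opened: true, href: entry.href };
}

// Constructed sample entries, including the shape of URL from the interview.
const SAMPLE_ENTRIES = [
  "https://twitter.com/login",
  "javascript://twitter.com?%a0alert%281%29",
  "ftp://files.example.test/",
];

function demo() {
  return SAMPLE_ENTRIES.map((u) => ({
    stored: u,
    naiveLabel: naiveDisplayName(u),
    safe: safeEntry(u),
  }));
}
```

Running `demo()` shows that the naive label is `twitter.com` for both the first and the second entry, while `safeEntry` accepts only the `https:` one; `openEntry` therefore never hands a `javascript:` URL to the navigation callback, whether the entry was created locally or arrived through a sharing feature.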

Q: When and how did you have your breakthrough? When did you realize hacking and bug bounties was something you wanted to dedicate your time to? Please share your insights and the problems you faced to become an established bug bounty hacker.

I had my breakthrough after HackerOne changed their reputation model around 2014. I suddenly popped up as #1 for quite some time back then. At that point I realized I was doing something right. Back then, I also realized I had a responsibility to share as much as possible. Both to actually help other people in getting started, but also to challenge myself to always keep up. Also, the feeling of sharing is one of the best feelings there is.

I try to say that reporting bugs gives you a bunch of “kicks” (like, a rushing feeling in your body). You can divide them into the following bullet points:

The kicks of a bug bounty:

  1. When you see something that “feels weird”. This feeling really gets me going, it triggers me and often makes me want to stay up wayyy late.
  2. When you find a way to use that weird thing to make something break bad. This feeling is really the reason why you stayed up late.
  3. The story telling/reporting. This is when you write up the story about what you did, you explain all the steps of what you found and how you did it, and you send it to the company. This is hopefully well received and also creates a new chapter in the story you want to tell when the bug is gone by either talking or writing about it.
  4. The response. When the company responds to your report, depending on how bad it is, this feeling could be absolutely priceless.
  5. The follow up. When the company actually has acted on the bug and also responds with a potential payout. This is really super exciting, but it all depends on how well received the report was in the first place.
  6. The blog post/talk. This is when you can summarize the whole story about what happened. The fun part here is when the points above actually create a fun story. I’ve had so many of these stories where the bug is one great story, but the response is some next level shit in addition to the actual bug.
  7. The public response. When people actually come back to you, telling you that they have found similar bugs due to your post or talk. Often you also learn a lot more from people with similar knowledge about similar bugs. This is probably the rush I get most out of from all the ones above and probably where I learn the most in the end.

Q: What do you do to keep up with all the new trends?

I read A LOT. The interesting thing here is that you can never read too much. It’s really just a game of addition, you never lose your knowledge. Keep reading. By the way, Warren Buffett has suggested a similar technique to succeed in business, reading about 80% of the day.

Q: Do you collaborate with other hackers? Can you name a few?

Absolutely, primarily I talk a lot and do stuff with avlidienbrunn and almroot, but I’ve done some magic both with for example @nnwakelam and @ITSecurityguard as well.

Technical Questions

Q: How do you approach a target? What is your routine like? What is your recon process like? What kind of information do you seek in your information gathering process? And how does this information help you?

Being a developer, combined with working with a company doing automation, I do a lot of my research using automation. The recon process is very similar to what avlidienbrunn wrote about in his AMA, basically fetching a bunch of data from many different resources trying to get a proper view of the company’s assets. Being good at asset discovery is very much a key to success. Since my research around subdomain takeovers back in 2014, a lot of stuff has happened both in terms of recon tools but also the actual process of looking for similar issues.

I’m actually speaking on Appsec EU on the 18th of May in Belfast about my latest techniques in the domain hijacking area. All the slides will be out after that talk as well. I will actually tell a bit on how to improve the tools out there to create a better coverage of a company’s assets.

Q: Do you always look for all vulnerabilities types when you approach a website?

My technique is that I start on the surface then I dig deeper and deeper. A typical flow for me could look something like this:

  1. Look for regular input validation mistakes like XSS etc.
  2. Proxy all requests and look at them at a later point, marking the ones that look interesting or respond funky.
  3. Go through their javascript, look for endpoints or parts of the code that do something weird with user provided data. I have taught myself to read minified javascript just to be fast and comprehend what’s going on as quickly as possible (I do recommend beautifiers though, you get no chicks by knowing how to read minified code).

Q: Do you use any tools?

My Burp is pretty clean still, I have some protobuf extensions and some JSON-fiddling tools, but nothing spectacular. I use the Chrome JS console a LOT. It’s probably the best and fastest developer tool right now to debug javascript, create breakpoints and walk through the code.

I have some recon tools running, pinging me about interesting stuff; it’s a nice combo of a completely transformed version of SubBrute together with Altdns, Massdns and a bunch of bash.

Q: This is one of our most popular questions: How do you test for Server Side vulnerabilities such as RCE, SQLi, etc?

The input validation process of my flow sometimes also catches cases where specific input ends up being parsed in different ways, so I’ve often been finding server side vulns while actually looking for XSS or similar. In the case of template injections, which are becoming increasingly common, there are some common ways to detect them. I recommend looking at some strings in the most common template engines to find a payload that works for you, being able to detect when it is actually parsed server side.

Q: How often do you find a bug that has been overlooked after a bounty program has been established and a horde of researchers have been digging?

I would say there are at least three stages of a program:

  1. When they launch, A LOT OF PEOPLE LOOKING. A bunch of dupes. You can find some really good stuff here, but you either need to be fast or thorough, you don’t stumble upon stuff in this stage.
  2. When the program has been running for a while. Depending on the company this could either be a minefield of dupes or a pretty good, patched up system. You need to gamble here if it’s worth spending the time.
  3. When the program has been running for a longer period of time (like between 6 months - 1.5 years). The focus is a lot less on this program, but the company continues to ship code all the time. This is actually a really good point to approach the company, as there will be a lot of areas people haven’t been looking at. I sometimes do an old program walkthrough, going to old programs just to take a look. Reading newsletters from the companies is one of my triggers.

Q: Do you think being a pentester, web developer, or being in a related field, helps you with bug bounties? Where should they start?

Developer, absolutely. If you are a developer, try to think of times when you thought “Oh shit, I did this wrong, or what if I hadn’t done this, imagine what could have happened”. If you really think about that, you will find a lot of cases where there are anti-patterns or pitfalls in your area of expertise that most likely not all developers have realized. Try to use those moments to make a note and then try to look for the same mistake in bug bounty programs. I promise you it will work.

Time to wrap it up!

Q: What kind of music do you listen to?

This is just as broad as “What do you eat?”, so, I will give you five tracks I listen a lot to:

https://open.spotify.com/track/1Xph5ScMGNnwxTD6lhheZ7

https://open.spotify.com/track/6MzuROznsagl5Szc8w3Smj

https://open.spotify.com/track/1EbacZvcixTCTzBcJfaua2

https://open.spotify.com/track/58zUXL0gN6eqk6sogjlGnM

I’m going to end with some “Swedish Sauce” by Todd Terje: https://open.spotify.com/track/0Def9GQnjyliBmy7LmoXvn

Q: What do you do when you aren’t hacking?

I build a bunch of businesses together with my partner in crime, @piotrzaleski. I travel and talk a lot at conferences, do research for Detectify and a lot of tech and architecture for a company called Centra. I also enjoy biking; I’m riding an old women’s bike that’s just as solid as a tank every day to work.

Q: What kind of impact/role have bug bounties played in your life?

Huge impact. Apart from the community, which has been the biggest gain for me personally, I’ve also been able to fund companies of mine using bug bounties. I’ve gotten to know so many people all over the world, and also, being able to go out and speak at conferences has been a huge change in my life. I was really scared going up on a stage in the beginning, but as soon as I got into it it became so extremely fun and exciting.

Q: What is a piece of advice you received as a beginner that helped you with your bug bounty career?

Keep digging. Really. You will have times where you just want to quit. Then do that. But come back later. The feeling you get of the kicks I explained a bit above is so rewarding that you really should keep trying.

Q: What is one area of hacking (web, mobile, hardware, etc) you wish you knew more about / plan on focusing your learning on?

I have some friends doing hardware and to me they are still doing magic. Magic for me is knowledge about a subject I don’t know anything of, so it’s magic to me. Magic gets you interested, and the goal is often to figure out the tricks. I’m trying to pick their brains as much as I can.

Q: Someone was eager to know, what do you put on your toast?

I didn’t have anything to put on it yesterday, so I put some grapes on it. It was weird.

Q: What’s your worst bug bounty story/experience? (Please do not mention a customer name or platform in your answer)

Probably one of those where you expected to get something but got nothing. To me, those are just to be ignored, no need to scream a lot, except maybe to the platform having them as a customer.

One time I got a .NET RCE on a Bitcoin site, resulting in an amazing payout of 0.002BTC. I partied like a boss that night.

Q: If you had to pick one hacker to collaborate with, who would it be?

Wow, long list, but I think I would get some stuff to break, talking or playing around with: @NahamSec, @infosec_au, @IAmMandatory, @TheBoredEng, @filedescriptor, @0x6D6172696F, @insertScript, @albinowax, @garethheyes, @magicmac2000, @bbuerhaus, @OrenHafif, @aboul3la, @BenHayak, @irsdl, @shafigullin, @NightRang3r, @sirdarckcat and @Nirgoldshlager.

Q: What’s the one feature you would like to see in the platforms?

Techniques enabling collaboration. Collaboration is the logical next step in the progress of how to do bug bounties, and platforms and companies should enable researchers to come together in joint efforts.