I’m Sandeep Singh known by the handle ‘Geekboy’ and I’m from India. i got myself into hacking around 6 year ago when I decided to do to ethical hacking certification just for adding anything extra into my profile other than regular studies. I started doing bug bounties almost 3 years back when I saw some friends Facebook posts about rewards from companies like Facebook / Google more, at that time I heard of HackerOne platform so I started on HackerOne and got stick on it, almost 70-80% of my bug reports submissions is on HackerOne with 800+ valid reports submitted to 100+ programs but not to forget there are some other cool platforms as well like BugCrowd & Synack where I participated.
I started bug bounties as full time just after completing my graduation, so i just need to manage times for my friends and family but really you don’t need to worry about managing times if you doing full time, you are your own boss, so do whenever you feel & enjoy whenever you want and that’s the freedom you get if doing it as full time.
As i said i do bb as full time so most of time and usually all nights but not on daily basis, and i had no idea about my average numbers bugs p/m but few days before i used BBstats (still in beta) by Gwen and it shows 41 bugs p/m on average just on HackerOne since almost 3 years, believe me i was surprised too with those stats and now i’m really worried for the submission of this month.
It took almost 3 months to get 1st valid bug on HackerOne, it was logical one on Square program which allows any remote attacker to block any users to change their email address.
AirBnb one, i blogged about it here, it was interesting for me as it was chain of multiple low severity bugs to get the ATO, and this is why programs should care about those small bugs at 1st place as well.
I started hacking just as an optional carrier option for safe side, but when i actually got into hacking it was curiously/interest to know everything, how it happens , how i can do it and etc, after having some experience in web application security i switched to bug hunting just after i released that we can even eary also by seating home, so what else anyone want ? all these things happens while i was doing my graduation so i had no family pressure/tension of having job so that was good thing in my case, things which are not good at the time when i started is lack of resources, awareness about bug bounties but now we have tons of resources/talks to start with bug bounties if you are coming with right intent.
Yeah, if i do then most of time it’s Parth.
For the start i check with policy/scope section of the program and see what’s in scope and what’s not, once i got those information, of eg: if
*.site.com is in scope, i start with subdomain scan in both ways active/passive discovery, for bruteforcing i do use MassDNS and for passive there are various sources like crt.ch,shodan,censy/google,
in meantime i go through with all the functions core application which is most focused part in my testing. after understanding all the application i go through all the checklist whatever comes in mind against the application, it was hectic to maintain those checklist and get it whenever you need, but HUNT made it easy, just import that burp extension into your burp and it’s always with you, in fact both extensions are handy to use, credit goes to Bugcrowd team for this. apart from this i usually check for subdomain takeovers as well in case Frans didn’t took over it already.
Yes, but it depends how much time i’m spending on the target, like for the start i go with obvious issue like XSS, CSRF and more, if things looks interesting i dig deeper and spend more time on target to find as much as possible bugs i can.
Tools: - Sublister, Aquatone, MassDNS (For subdomain discovery) - DirSeach (For content discovery) - Second Order (for crawling endpoints & JS files) - Actarus (recon & management tool)
Burp Extensions: - Reflected Parameters (XSS) - Autorize (For privilege escalation) - Collaborator Everywhere (For detecting external service interaction) - JSON Decoder - Backslash Powered Scanner
It’s all about paying attention to parameters/functions, prams like url/file where any external reference getting called and then verify for possible SSRF/LFI and other things and sometimes we can use some tricks to escalate basic SSRF to make it critical, eg: in case where you can pass URL to parameter and see the content back, just check for if it’s running on Amazon cloud try pull some data, in case direct url call is block try with 302 redirect to call the url, use different IP notation to bypass the blacklisting. pay attention to upload forms, play with extensions, path etc, and always know the running environment of application where we can check for already published exploit like Struts, ImageTragick, python pickling etc.
Very rare, as i had very bad habit of not looking for bugs in old or already hunted programs but after seeing some demo by PHP hacker Jobert in SFO and couple of newly discovered bugs in public programs i changed my mind to check old programs after certain period of time.
I jumped into bug bounties after my studies so not sure about pentester but having background in development is big plus, if you developer you already know everything, they just need to change their thought process for breaking the applications instead of developing.
Classical indian remix :D
Playing computer games, hanging out with friends, traveling all cool places in my country.
I will say complete life changing, it’s my primary source of income with the work i love to do most will complete freedom.
In early days of bug hunting after initial failures i was about give up but few friends who are active in bug hunting that time advised me to have Patience & keep doing what i’m doing which actually works.
Mobile Application reversing & IOT
If someone with basic technical background asked you, “where should I start?”, what are 3 things you would recommend they do before diving into bug bounties?
Amul butter :[
Few fake programs who signed up on platform for reports and never came back to me or anyone else.
Frans Rosén (The hacker i admire most)
Enhanced profile page of hackers.