I’m Inti De Ceukelaire from Oilsjt, Belgium. I grew up being a typical script kiddie browsing the web for hacks and cheats for the video games I played. Whenever I bought a new console or handheld, I would immediately go on the internet to look for softmods or jailbreaks.
In 2011, I bought a brand new Playstation Portable and things changed. I came home from the store, went online to check how to jailbreak the device and was devastated to find out that there was no jailbreak available the latest firmware at that time (6.35). I came to the conclusion that if I wanted a jailbreak, I would have to find the exploit myself. I locked myself into my room for days and literally tried anything that came into my mind. I was extremely lucky to find a buffer overflow in the browser’s bookmark feature that allowed arbitrary code execution. Check the crappy video I made as a proof of concept here.
I found out being a hacker is so much cooler than being a skid so I bought some books to learn about web application security. The Google VRP program just started so there were plenty of vulnerabilities to discover back then. I believe I found about 5 XSS issues on Google in my first week of hacking, most of which were duplicates. But the few bucks I got motivated me to quit my student job at the local shopping mall (I hated it) and spend my free time bug bounty hunting. That was probably one of the best decisions I’ve ever made, next to joining HackerOne and Intigriti.
I work as a creative developer / social media guy at Studio Brussel, a Belgian radio station. I get a lot of time to play with the Facebook API and improve my coding skills. I don’t spend as much time on bug bounty hunting as I’d like to. It varies from month to month, but usually no more than a few hours a week. Sometimes I report 20 bugs a month, sometimes I don’t report anything for three months. Quality over quantity!
Sad but true: I found my most significant bugs by accident. The Playstation vulnerability that got me into the bug bounty scene was a pretty cool, but didn’t really come down to skills. The first five-figure bounty I got was for a bug I discovered while trying to return some shoes my wife ordered at an online shop. I’m so glad she didn’t like them!
I think my Ticket Trick was pretty interesting. It was a logic flaw that allowed remote attackers to gain access to internal company assets such as their private Slack instance, Twitter account and support portal. What made this bug so cool is that, once you know how it works, it’s fairly simple, yet it was never discovered before. Testing every single bug bounty program was really exciting and there was no rush because I knew I was the only one aware of it.
My personal breakthrough came when I realized the low-hanging fruit was simply not worth looking into. Most of the bugs I found in my first year were reflected cross site scripting issues that didn’t really have an impact. I was in it solely for the money and didn’t really enjoy looking for the bugs. As time passed by I realized I could earn more money by investing some more time on a target to improve my skills to find the really juicy stuff. I decided to stick with the next program I was invited for and I’m still working on it. I didn’t find the best bugs up until recently. It’s been three years since I started working on that program.
Twitter and the bug bounty community Slack. The cool thing with our community is that we help each other moving forward by sharing knowledge. Technically, you may lose out on some bug bounties by sharing your methods with other hackers, but I’ve found that the return the community is much more rewarding than playing this game on your own.
The first member of the community I got in touch with was @smiegles. We were both working on Yahoo and shared some of our findings in a Skype chat. Then @itsecurityguard, @ziot and @nahamsec joined and we decided to open the discussion to other hackers. This group chat would later evolve to the Bug Bounty Forum Slack channel as we know it.
At H1-702 in 2016, I met @arneswinnen, also from Belgium. I wasn’t aware of any other bug bounty hunters from my country so it was really cool to meet him and exchange experiences. Later @preben_ve and @jerome joined HackerOne’s CTF’s and we united under the name #TeamBelgium.
Disclaimer: I am probably one of the most inefficient hackers out there. I really don’t have a routine. I use Sublist3r, knock, dirsearch, nmap, GitHub, BitBucket, Pastebin, HaveIBeenPwned, Censys, WayBack machine, Twitter, Google and Shodan for recon, but for big targets that have been looked at, I usually focus on the documentation. RTFM is the best advice I could give to pwn a target.
No. I usually start with one main goal. I recently challenged myself to find a way for an external website to discover the age or gender of a Facebook user without having to ask for permission. It only took a few hours to find one. I would have never found that vulnerability just by testing for the classic textbook vulnerabilities.
I have a confession to make: I only started using Burp in 2017. As I said, I’m probably not the most efficient hacker out there, but you don’t need Burp to find cool stuff. Sometimes it even helps to close burp for a while when stuck on a target, you’ll approach it from a different perspective.
Other than that, the usual, standard tools like sqlmap, nmap, dirsearch, knock, sublist3r, … Whenever I need something non-standard and I’m not in a rush, I write the tool myself to improve my programming skills. I’m still far behind looking at the custom tools and dashboards other hackers have built though. I really need to work on that.
I only focus on the blind stuff. Blind RCE, blind SQLi, blind template injection, … whatever. As long as it’s blind, I’ll take it. Not necessarily because it’s easier (it’s not), but mainly because it is often overseen by other hackers, can have a huge impact and requires the hacker to think about the application, what’s going on behind the scenes and to look for creative ways to blindly execute a payload.
I try to avoid duplicates as much as possible. I don’t go after the low hanging fruit but instead look for a specific pattern or behavior. For example: I may spend a day or two fiddling with the account deletion functionality. Most of the times I won’t get anything useful out of it, but if I’m lucky enough and discover a specific behavior that introduces a security vulnerability related to this functionality, I can test lots of bug bounty programs without having much risk of getting duped.
Yes. You don’t need to be a 1337 programmer to get into bug bounty hunting, but knowing the basics will definitely help. I would recommend reading HackerOne’s hacktivity and Pete Yaworski’s web hacking 101.
Anything from heavy metal to classical music. When I’m hacking, I prefer that kind of hip hop that makes you feel like a 1337 matrix gangsta.
Traveling, going out with friends and ironing. I spend way too much time ironing and I absolutely hate it. If there was some kind of automatic ironing machine, I’d immediately buy it. It’d be a bounty well spent!
Bug bounties changed my life. I have my own appartement, don’t have to worry about money, had some awesome experiences (like the HackerOne events abroad) and made a ton of friends in the community. I am incredibly grateful for that, I mean, ten years ago we could go to jail for this! I try sharing some of this luck with my friends and family. For example, whenever I get a big bounty, I take my wife out for a #BugBountyDinner.
As a beginner I would just submit a ton of low quality reports with little impact. Instead of ignoring my reports some security engineers would offer helpful feedback. I always admired Neal Poole from Facebook for his long and informative replies on why something is not considered a bug. I remember him showing some support after the third duplicate in a row. Showing that you care really pays off for program owners in the long run.
I’d love to learn more about hardware hacking and malware. It’s on my list, but I keep getting distracted by bug bounty programs. For bug bounty programs in 2018, I will be focussing on logic flaws with a financial impact in webshops.
Don’t ask where to start, just start. The internet has plenty of resources on web application security. Believe in yourself, set some goals and don’t stop until you achieve them. Create a twitter account, then follow @fransrosen and anyone he follows. Follow the people they follow. Repeat. Then focus on one target and one vulnerability class. It will take some time. Persist.
I’m a nutella guy.
There was this one company that almost sued me over a blog post they initially gave permission to publish after proofreading it, but later changed their mind.
Hands down: @jobert.
I’d like to be able to communicate with a program to ask questions about the scope or the application.
Atom and vim.