My name is Jason Haddix, I am from Southern California and I have been hacking for 10 years.
Ten years ago the internet was a very different place. I took a college course on “Ethical Hacking & Network Defense” and liked the topic but thought many of the attacks seemed unsophisticated or outdated. I took my interest online to some of the shadier IRC and underground forums. While working a nightshift job (IT helpdesk), I taught myself network and web application hacking. The network stuff was tried and true but the web stuff, SQL injection, command injection, and XSS were all relatively new. I learned from reading and following everything/everyone I could. Back then SANS was one of the best certs for the ethical side of the scene so I paid my own way to get my GSEC, GPEN, and GWAPT certifications. I found a bunch of web related vulns at my employer and helped dev understand their impact. Shortly after I got my 1st job at a small consultancy. I worked with a stellar team there, and learned a ton. I helped define their web testing processes and expand their vuln assessment into actual pentesting. After a while there I needed to move on, and I took a Blackhat training with @danielmiessler. We teamed up on the CTF, got 2nd place, and I joined his team at HP/Fortify shortly after. I led the pentesting efforts there with another stellar team, and worked my way up the corporate ladder to become Director of Pentesting there. I started being a bughunter in parallel on private programs and then as part of Bugcrowd. I became obsessed and battled @bitquark for the top slot on the leaderboard for 6 months, eventually in 2015 I got the top spot. I left HP Fortify soon after to join the Bugcrowd team leading their triage and validation teams, as Director of Technical Operations. I have since “graduated” to Head of Trust and Security.
Yahoo, Google, some game companies, and a billion Bugcrowd programs. Some private disclosures before Bug Bounty was really a thing too.
Full disclosure, I work for Bugcrowd now, but when I wasn’t I would work my 9-5 as the leader of a pentest team, then come home and replace my gaming time with bug bounties (about 4 hours a night). Minus family dinner, family chill time, and tucking the kids in. In the pentest profession you can never really gauge how good you are at your job, so I wanted to see if I could get to the number one spot on the Bugcrowd leaderboard. I achieved that personal goal in 2014 and 2015. I remain in the top 50 today. It’s not really about the money for me, so I’d say hobby, but I did pay for my wedding with my bounty money so it was a nice bonus.
When I was hunting actively it was about 20 hours a week, averaging 2-3 bugs a day, varying in criticality. Coming from pentest I submit everything, regardless of how small. It’s just how I test.
On private programs it usually takes me 1-2 days to know the app well enough to find something high priority (unless something falls in my lap). Most of my submissions are medium level criticality.
There’s been a few. Bypassing a WAF by forging headers was a fun one. Literally all the other hunters were being blacklisted because of too many requests. I found that the WAF plugin accepted a custom header to whitelist a client so I started testing and adding that header to all my requests, in which I told the WAF I was itself (127.0.0.1). I literally had the bounty all to myself for 50% of the duration.
Wordpress’s public/charity mobile bounty sponsored by Bugcrowd was fun too. I found several 0-days in that app (you can actually Google the results of the bounty).
At a Bug Bash once I managed to find some leftover source fragments that had credentials for an employee of a target. I tried these credentials and they logged me into some super scary backends I had identified via discovery.
I’ve had a ton of private program and pentest bugs I’ve found that are interesting but can’t really talk about =(
I knew from the 1st bounty I participated in it was something I was going to do long term. Some of the newer hunters don’t remember a time where this kind of hacking could get you arrested. I do. So the opportunity to use my skills and get paid for it (in my free time) was just too good to miss out on. The 1st hurdle for bug hunters is always getting enough submissions in to get into the tier of hunters that gets invited to private programs. It was the same with me. Just don’t give up!
Mostly twitter. It’s so funny but that’s where our industry is, like it or not.
Alright… here we go!
For wide scope programs I have a script that does what I call “Phase 1”:
Subdomain discovery via scraping: enumall.py & sublist3r
Subdomain discovery via brute force: same as above but with custom list:
Results get fed into:
Nmap & Eyewitness:
Around this point I do some manual discovery:
Results then get fed into Gobuster or filebuster w/custom lists:
I now have a lot of scope to work with. Eyewitness will give me screenshots which I parse through for interesting targets 1st. I then begin to connect with a browser to opportune looking sites, look for exploits associated to old versions, and begin web hacking with Burp.
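As an added illustration of the data flow in that "Phase 1" pipeline (scrape and brute-force results merged into one list for Nmap/EyeWitness), and not Jason's own script: the sample tool output and the scope rules below are constructed for this example.

```python
"""Merge subdomain-discovery output from several sources into one in-scope target list.

Added example, not the author's script. Tool names are the page's; the sample output
lines and the scope/exclusion rules are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$")


def normalize(raw):
    """Turn one line of tool output into a bare lowercase hostname, or None if it is junk."""
    s = raw.strip().lower()
    if not s or s.startswith("#"):
        return None
    if "://" in s:                      # some tools print full URLs
        s = urlsplit(s).hostname or ""
    s = s.split(":", 1)[0].rstrip(".")  # drop port and trailing dot
    if s.startswith("*."):              # wildcard records are not hosts to scan
        s = s[2:]
    return s if HOST_RE.match(s) else None


def in_scope(host, scope, exclusions):
    """True if host is under an in-scope root and not under an excluded name."""
    def under(h, root):
        return h == root or h.endswith("." + root)
    return any(under(host, r) for r in scope) and not any(under(host, x) for x in exclusions)


def merge_targets(sources, scope, exclusions=()):
    """Dedupe every source's output, keep in-scope hosts, and record which tools saw each."""
    seen = {}
    for tool, output in sources.items():
        for line in output.splitlines():
            host = normalize(line)
            if host and in_scope(host, scope, list(exclusions)):
                seen.setdefault(host, set()).add(tool)
    return {h: sorted(t) for h, t in sorted(seen.items())}


# Constructed sample output in the shape these tools print, not real results.
SAMPLE = {
    "sublist3r": "www.example.com\nAPI.example.com.\nmail.example.com\n*.dev.example.com\n",
    "bruteforce": "api.example.com\nvpn.example.com:443\nstaging.example.com\nhttps://admin.example.org/\n",
}

if __name__ == "__main__":
    targets = merge_targets(SAMPLE, scope=["example.com"], exclusions=["vpn.example.com"])
    for host, tools in targets.items():
        print(f"{host}\t{','.join(tools)}")   # one host per line: Nmap/EyeWitness input
```

Hosts seen by both sources are a useful "probably real" signal; the out-of-scope and excluded names never reach the scanners.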
I do. Some testers only look for certain classes of bugs, I tend to (because of my pentester and VA background) look for everything and anything.
I just switched to running a ton of tools out of docker containers, one particularly cool one contains my DNS scripts and some other tools, called Brutesubs by Anshuman Bhartiya.
It’s definitely in a hunter’s best interest to get familiar with SQLmap too.
For Burp plugins I (currently) use: Active Scan ++, Additional Scanner Checks, AuthMatrix, Backslash Powered Scanner, CO2, Flow, Hackvertor, Meth0dMan, Paramalyzer.
I have a few custom tools to look for classes of vulnerabilities. I’ll be releasing them soon at DEF CON and Blackhat. Stay tuned. I also did a talk on bug hunting at DEF CON 23 which goes into a lot more depth. You can see the video here and the associated transcribed github (to be updated soon) here. There are definitely some basic questions you should think about when interacting with the site:
Does the page look like it might need to call on stored data? (check for SQLi, XMLi/XXE, etc)
Does the page functionality display something to the users (and does it reflect your input)? (Check for XSS)
Does the page functionality look like it might interact with the server file system (or can it)? (Check for LFI/CMDi)
Does the page functionality deal with redirects or use a path in a parameter? (check for SSRF)
Does the page upload files? (Check for file upload vulns)
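The checklist above, turned into a per-request triage routine as an added example (not Jason's tooling): the parameter-name hints and the sample request/response are constructed, and a hit only means "ask that question here", not that the bug exists.

```python
"""Map the five checklist questions onto one request and return the classes worth testing.

Added example, not the author's tooling. HINTS and the sample traffic below are
constructed heuristics for illustration; real reflection checks should use a unique canary.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Which checklist question a parameter name hints at. Anchored on '_' boundaries so that
# 'profile_id' hits 'id' but not 'file'.
HINTS = {
    "SQLi/XXE": r"(id|uid|user|q|query|search|sort|order|filter|category)",
    "LFI/CMDi": r"(file|filename|path|dir|folder|template|include|cmd|exec|view)",
    "SSRF":     r"(url|uri|redirect|return|next|callback|dest|target|feed|proxy)",
}
HINTS = {label: re.compile(r"(^|_)" + pat + r"($|_)") for label, pat in HINTS.items()}


def reflected_params(sent, response_body):
    """Names of parameters whose values came back verbatim (skips values too short to mean much)."""
    return sorted(k for k, v in sent.items() if len(v) >= 4 and v in response_body)


def triage(url, body="", content_type="", response_body=""):
    """Return the sorted checklist labels worth testing for one request."""
    sent = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    ctype = content_type.lower()
    is_xml = ctype.startswith(("text/xml", "application/xml")) or body.lstrip().startswith("<")
    if body and not is_xml:                 # form body: treat like query parameters
        sent.update(parse_qsl(body, keep_blank_values=True))
    todo = set()
    for name in sent:
        for label, pattern in HINTS.items():
            if pattern.search(name.lower()):
                todo.add(label)
    if is_xml:
        todo.add("SQLi/XXE")                # "does it call on stored data?" (XMLi/XXE)
    if reflected_params(sent, response_body):
        todo.add("XSS")                     # "does it reflect your input?"
    if "multipart/form-data" in ctype:
        todo.add("File upload")             # "does the page upload files?"
    return sorted(todo)


if __name__ == "__main__":
    # Constructed request/response pair, not captured traffic.
    page = "<h1>Results for shoes</h1><p>0 items</p>"
    print(triage("https://app.example.com/search?q=shoes&page=2", response_body=page))
```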
A lot. I don’t know where testers got the notion of a target being not valuable after running a long standing bounty. Some low hanging fruit may be gone, but p1’s and p2’s are still there!
Pentesting and bug bounty hunting share a ton of the same skills, so that helped me a lot. I recommend starting with reading:
The Web Application Hacker’s Handbook by Dafydd Stuttard & Marcus Pinto
Breaking into Information Security by Andy Gill
Web Hacking 101 by Peter Yaworski
Mastering Modern Web Penetration Testing by Prakhar Prasad
SQL Injection Attacks and Defense by Justin Clarke
Also keep a look out for my “The Bug Hunters Methodology v2” coming out soon ;)
I also highly recommend installing and completing every single practice application you can find:
A large range of EDM mostly. I like Zedd, Marshmello, 3LAU, Bro Safari, Firebeatz, Pegboard Nerds, Glitch Mob, ++
Game! I have played DoTA2, WoW, Destiny, Diablo, ++. I also parent and hang out with my wonderful wife and kids. I also love paintball!
They allowed me to pay for my wedding, my new family minivan, work for one of the most impactful security companies in existence, and meet some of the best hackers in the world… so I’d say a pretty big impact!
Keep at it. Good vulns don’t just shake out of the target in the 1st day (usually). Just keep looking!
Exploit Dev. I know basics-intermediate but would love to be better at the hardcore stuff. I also lack a “traditional” software dev background, so someday I’d like to remedy that.
Before there were platforms for this, I reported several issues on mobile apps to big companies. Credential logging available to all apps, data stealing through intents, global photo sharing, no data protection API designations, ++. All were not rewarded and then fixed a few weeks later. Hurt my feelings! C'est la vie!
ONE? No way (I’m a hacker)! A few? Sure: @ITSecurityguard, @bitquark, @mongobug, @darkarnium, @justinkndy, @TheColonial, @justinsteven, @nahamsec, @theboredeng, @avlidienbrunn, @fransrosen, @yaworsk, @zseano, @bbuerhaus, @nnwakelam, @bugbountyhq, @ablinowax, @taviso, @darkieduck, @zephrfish, @thedawgyg, @smielgles, @brutelogic, @yappare, @soaj1664ashar, @merttasci_, ++. All for various reasons (mostly b/c I’d learn a ton). I have tremendous respect for all of them. That’s just people I know have done some bug hunting for BB programs or disclosure… there are mountains of hackers from other parts of the scene I would love to work with (and already do/have).
Can’t think of anything that I can talk about atm, I’m pretty biased ;)