Hi, my name is Orange Tsai, come from Taiwan. I am 25 years old now. The first time I started to learn security is about 16.
In web security, I love server-side vulnerabilities more than client-side. To take control of a server is more fun for me. So, I love Remote Code Execution in particular. I have reported RCE to several vendors, such as Facebook, GitHub, Apple, Uber, Yahoo and Imgur.
Even so, I still love to study all techniques no matter it is in server-side or client-side, in web or binary. For example, I also found XSS on Google, Onavo(Facebook), Apple and reported a Internet Explorer memory corruption RCE to Microsoft.
If you want to know more about me, here is my blog and twitter :)
I like to do research more. Bug Bounty is just a hobby to me. I usually do bug hunting when I get stuck in some research(You know, not every research you can get a result), or found something cool(like weird features, weird designs that may lead to security problems) and I will try to find is there any Bug Bounty Program which I can leverage.
For example, I was interested in Java Web Framework few months ago. When I traced the root cause of CVE-2013-3827. I noticed that the vulnerability can be easily found by Google Hacking. So I started hunting for vulnerable vendors and found some juicy information Apple.
Not often. I usually hunt bugs when I found something interesting!
For example, you can see the report about How I found SQL Injection on Uber.
It’s just a vacation trip, but…
I think the first high impact bug is RCE in b.login.yahoo.com (Sorry it’s only in Chinese)
At the first, I just saw the news and knew Yahoo is going to launch a Bug Bounty Program.
In that time, I also noticed the Struts2 vulnerabilities. I think I am lucky because I just use the dork “site:yahoo.com ext:do” and find the vulnerable site quickly.
I spent whole the night to bypass the WAF and wrote a working OGNL PoC to get the RCE and bounty :P
Oops, it’s very hard to make a choice. Could I choose two? :P
The most interesting:
How I Hacked Facebook, and Found Someone’s Backdoor Script
The most favorite:
How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!
Give yourself a target, and reach it! You need pressures
While I was learning security. I usually give myself a few months to accomplish a small aim, such as, be the top 10 in a wargame site or hack into some famous sites.
In order to reach the target, You will try to learn everything about the target. Search all the resource on the Internet, try all the possible method that can solve the challenge, use whole the month to achieve the target.
I keep all thre trends by RSS. I subscribed several security blogs, forums and mailing lists on feedly.com
I also keep trends by social networks:
The hackers in China love to use Weibo, ZhiHu and a private study group XiaoMiQuan
The hackers in U.S., Europe and other places love to use Twitter
GitHub, I followed some hackers in GitHub and see what projects they Stared and Forked
No, always alone :(
I think most of the recon process are the same. FuzzDB, DirBuster, NMAP, Google Hacking…etc.
I usually found something interesting in:
About the DNS Re-con
Big Data(I love Big Data :P)
Reverse IP range
hmmm… It is hard to list all. I don’t usually use them. But, maybe useful for you :)
Bugs can be anywhere. So, don’t miss any opportunity.
Look for as many vulnerabilities as possible!
I don’t often use tools. I think Firefox, BurpSuite, Google, Python, NMAP and a Linux can do everything.
But this is AMA. I need to write something. So I open my working directory and list some of my tools. However, most of tools are for the POST-Exploitation… haha. I think you still can check them:
I also wrote some scripts and maintained a custom dictionary to help me scan the DNS and sensitive files and directories.
I think finding server-side vulnerabilities is not about payloads. It depended on how you process the context, how you find the TINY detail that no one notice on each request.
However, the most important thing is, learned all the tricks, techniques and skills as much as possible. Whatever the skill, trick and technique in Web Security or not. It will open your mind!
I believe that hacking is an art. Information Security is not just a domain of Computer Science. It’s a combination of multiple domains. So I think learning other skills is helpful to you.
When you are facing some websites which are using CGI. You need the skill of Reverse Engineering and Binary Exploitation.
Also, some techniques in Cryptography are also good to you. Padding Oracle, Length Extension Attack, Bit-Flipping Attack, more and more… These are really possible be found in real web applications!
Finally, read CVEs, vulnerabilities and technique reports as much as possible. Oh, don’t just read. You need to analyse, know the root cause and if there is a PoC or Exploit, try to implement by yourself. The devil is in the details.
C-pop. Rene Liu, Lala Hsu
Surf on the Internet.
I think Bug Bounty is a way that keep me motivated.
When you find cool bugs and get listed in Hall of fames for example it gives you confidence and that results in more motivations which drives you to keep learning and dig deeper. This is a good circle!
Just play for fun. The money is not important. Learning something new is more important than the money!
Advanced binary exploitation. Although I can do binary pwning stuffs now. It’s still not enough. I need to learn more techniques and get more experiences on large applications.
There are some resources that you can read. For example:
CTF is also a good way to learn web tricks (I know CTF becomes more harder and harder nowadays. But you still can participate some CTF for beginners, like CSAW CTF or PicoCTF)
I have open-sourced all my CTF Web challenges on My-CTF-Web-Challenges. There are lots of web tricks you can check :P
I found a clever XSS in a popular product (The XSS uses an interesting feature in Struts2 and I think not so much people know that) and reported to the vendor. But the vendor only gave me a $20 coupon in their online shop store.
The most sadness is, the hoodie I like in their online store is 50 dollars…
I want to pick TWO!