AMA with @_ruby

Thank you for doing this interview! Can you please introduce yourself?

My name is Ruby although most hackers know me as rubyroobs, or the one with the anime profile picture on HackerOne! I’ve been hacking for 5 years, doing bounties since last June or so and hack almost exclusively on HackerOne (excluding some private company programmes). Full disclosure - I also work for HackerOne! I got into bug bounties after an “incident” last year involving drying paint and a chain of IDORs and Marten Mickos (CEO of HackerOne) reached out to me on Facebook. I started off super slow but during my internship at Riot Games I picked up pace a bit, and after reporting some minor bugs in Twitter H1 invited me to their office. I’ve been a strict loyalist ever since. 💖

Q: How do you manage your personal life, work, and bug bounties? Do you do bug bounties as a job or a hobby?

As a part of keeping myself from going insane, bug bounties are strictly a hobby for me and I see them as pure fun and entertainment. I focus on my personal life and work strictly first, but most bug bounty “sessions” end up starting by me playing around with something I’ve used.

Q: How much time do you spend on hunting for bugs? On average, how many bugs do you think you report per month?

Some months I report 1, some months I report 10. I spend time looking for bugs usually later on at night and as I mentioned before when I feel I’m onto something - excluding hackathons and fun with friends I don’t really dedicate time just to bounties.

Q: How long did it take you until you found your first significant/high impact/payout vulnerability?

My first high impact vulnerability was what attracted Marten’s attention although I wasn’t paid out for that. I got a $10k bug during the Zenefits night at h1-702 which is my first big payout. That was fun (and only about 2-3 months into serious hunting).

Q: Of all the bugs you’ve found, what was your favorite/most interesting?

I pin this as my favorite/most interesting right now because it was such a weird way of finding the bug, but it was a bug I found in China on one of the big tech companies’ sites allowing a bypass that could have led to a big breach of trust in the service if exploited maliciously by a hacker. Oh, and that content injection bug I found on a plane.

Q: When and how did you have your breakthrough? When did you realize hacking and bug bounties were something you wanted to dedicate your time to? Please share your insights and the problems you faced in becoming an established bug bounty hacker.

I had the advantage of building faster rapport with hackers as I interned at Riot Games (who may or may not have a bug bounty programme <.<… >.>…) and ended up talking to some of the researchers who reported to the programme there. Since then, I’ve kept contact with some of the people I’ve worked with and made some awesome friends; mostly I felt motivated by the people I know in the community. I guess the big shoutout here goes to Jobert for inviting me to h1-702 when I only had 140~ rep on H1, and I ended up taking in 20x what I’d earned in bounties until that point!

Q: What do you do to keep up with all the new trends?

Read what other people are doing, and find stuff like that. It’s a bit of an oversimplification, but that’s really all there is to it.

Q: Do you collaborate with other hackers? Can you name a few?

I’ve only really directly worked with Smiegles and Ebrietas, but I’ve looked at stuff and given my input on stuff with many, many hackers. All the hackers even. Maybe not all, but you know - a good chunk?

Technical Questions

Q: How do you approach a target? What is your routine like? What is your recon process like? What kind of information do you seek in your information gathering process? And how does this information help you?

I usually approach a target looking at something I’m using as an end user when I realise they have a bug bounty programme. Typically I’m looking at something because it’s either very new, very old or very obscure. I like to look around from there and build a mental map of the structure of the application I’m trying to hack and only then will I think “OK - maybe this is weak here and here, but what can I try to do?”

Q: Do you always look for all vulnerabilities types when you approach a website?

Never. I’m confident I’ve missed a lot of low hanging fruit in my time, but my approach has got me so far and I’m reluctant to change. I usually look for less complex but more policy based vulnerabilities. It might be hard to realise it as a hacker, but sometimes an org cares more about a hacker publishing something without approval than rooting a box on an isolated network with nothing on.

Q: Do you use any tools? Do you have your own tools that you have written to automate/facilitate your work? What Burp extensions do you use? Is there a tool that not a lot of people use that you think they should?

I have a few personal scripts to automate very me-specific stuff, but mostly I do stuff manually; for me at least, it’s more fun and authentic. To answer the last question specifically, I think one tool people need to use more is themselves. Scanners can find a lot, but scanners are dumb. They don’t know what they should and shouldn’t be able to do. Scanners are also not entirely private; if your scanner found it then someone else’s might have too.

Q: This is one of our most popular questions: How do you test for Server Side vulnerabilities such as RCE, SQLi, etc?

Stuff like this is way easier to test when you’re not black box testing, but when trying against a server, this is mostly where recon can help you. Try to see if you can identify vulnerable code snippets or libraries that have been used based on parameter names/error messages and work backwards that way. For full on testing where you can’t see the source code, I’d say a lot of the time it’s just experience from hacking on knowing where to probe. James Kettle from PortSwigger did a brilliant talk on probing completely black-box style with a simple but effective technique and released a Burp extension based on his research here.

Q: How often do you find a bug that has been overlooked after a bounty program has been established and a horde of researchers have been digging?

Very often. The key here is looking where other researchers are not :)

Q: Do you think being a pentester, web developer, or being in a related field, helps you with bug bounties? Where should they start?

I think having experience knowing how web applications work and how they are structured helps, and so does having a decent fundamental understanding of computing and networking. It’s kind of cringeworthy to see people reporting HTTP Header issues without understanding what an HTTP Header is and it really reflects in your research.

Time to wrap it up!

Q: What kind of music do you listen to?

A really weird mix. I like a lot of K-Pop, J-Pop, Electronic, Hip-hop, Funk and Pop Punk. Here’s my current playlist I put on shuffle sometimes when I’m not listening to a full album.

Q: What do you do when you aren’t hacking?

I really love fashion and its role in culture, and I can spend a lot of time just reading or looking for inspiration. I also love anime and when I do manage to get a chance I’ll watch a series or plan a cosplay. Kimi no Na wa is worth a watch if you haven’t already.

Q: What kind of impact/role have bug bounties played in your life?

Overall a positive effect, but I’d like to think the achievements and discoveries made from the research have impacted me more than the bounties themselves.

Q: What is a piece of advice you received as a beginner that helped you with your bug bounty career?

I started my career triaging instead of submitting reports. This really gave me some perspective on what is a valid issue and what’s not. Sadly not every hacker is going to get this experience but I’d recommend you read your report before you submit it and try to imagine you’re the lucky security engineer on the other end assigned to the report. What do you really think of it?

Q: What is one area of hacking (web, mobile, hardware, etc) you wish you knew more about / plan on focusing your learning on?

I think there is a lot of missed opportunity in browser extensions and I’ve found a few bugs here already. I want to look beyond web applications but keep things within my familiarity.

Q: If someone with basic technical background asked you, “where should I start?”, what are 3 things you would recommend they do before diving into bug bounties?

  1. Build a web application without a tutorial as best as you can.
  2. Break it without a tutorial as best as you can.
  3. Fix it as best as you can.

Knowing how web applications work on the server side is only going to be a benefit for you when it comes to breaking them in the real world.

Q: Someone was eager to know, what do you put on your toast?

I believe my work for HackerOne creates a conflict of interest answering questions about my toast preferences, and I’m afraid this is something I won’t be able to answer.

Q: What’s your worst bug bounty story/experience?

Upon reflection, I’m yet to have a truly negative experience. There are back and forths that I’m sure annoy us in the moment but I’ve never had a really bad encounter with a programme yet.

Q: If you had to pick one hacker to collaborate with, who would it be?

I love reading research that truly makes you go “holy fucking shit I see what you did there”. Orange Tsai and Jack Whitton (or fin1te if he doesn’t mind people still calling him that) come to mind.

Q: What’s the one feature you would like to see in the platforms?

Just like my position on toast, there’s a conflict of interest here and I’ll have to politely decline this.

Q: What’s your favorite text editor?

Vim.