I'm Peter Yaworski and I go by the handle Yaworsk. I am from Toronto, Canada and I started hacking in December, 2015.
I was always interested in security but never knew where to get started. Then in the fall of 2015, I read a book on Anonymous, We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency, and again wondered how this group was doing it and how internet sites could still be so vulnerable. That got me looking around for information and I noticed a Coursera specialization on cyber security. I started watching the video lectures and finally started to understand concepts like SQLi, Buffer Overflows, etc. I kept digging and found the Bugcrowd forums where someone referenced the HackerOne hacktivity and it took off from there. I read everything I could to learn from disclosed reports. I then realized so much of it was complex and over my head that I’d need to read a lot of them a second time. It was when I read Egor Homakov’s explanation of OAuth that I finally realized if I was having that problem, others probably were too, so I started writing Web Hacking 101. But who wants to read a book on hacking by someone who isn’t a successful hacker? That idea made me become obsessive about finding vulnerabilities so I wasn’t some fraud selling a book on a topic I knew nothing about.
Up until recently, I probably had zero time management, I was hacking any spare moment I had. While I love it, you definitely can’t keep that up indefinitely so I’ve been trying to find balance. Bounties are my hobby and I do them in my spare time. But I’m also trying to manage keeping the book current, recording interviews, family and other personal commitments.
I likely spend 30 - 40 hours hacking a week now. The amount of bugs I report really varies. I’ve been trying to focus on higher impact vulnerabilities on programs that pay a little more, which means it takes more time to find bugs. As a result, in March 2017, I only submitted two bugs on HackerOne.
I started in December 2015 and submitted my first paid report January 26, 2016. It got rewarded February 23 - it was on HackerOne’s platform. However, my first four figure bounty was also on HackerOne and I submitted that April 3, 2016 and it was paid $2500 on April 4, 2016. After that one, a lot of people started messaging me.
I have more than a few favorites including my S3 bucket finding against HackerOne and my first RCE using Smarty Template Injection, but the ones I think I like the most all really come down to not recognizing the actual vulnerability until a few days after my initial finding. I knew something wasn’t right but wasn’t sure how to exploit it:
- A stored XSS against a very large site which allowed me to send the payload to any user. However, because of their CSP policy, it was only exploitable against users using IE11. When I first found it, I was using Firefox so the payload didn’t execute but I saw the CSP message in the console. I didn’t realize it was exploitable until about a week later and then reported it.
- My first SSRF which allowed internal port scanning but the way the site worked didn’t make it easy to exploit (I’m planning on writing this up). I was manually verifying common ports but couldn’t find anything except port 80 open, so I thought it was a false positive and didn’t want to report using just that port. Then I saw one of the site’s headers included a random port and tried that. It worked via the SSRF but from my own machine, it didn’t. That provided the spark to dig a little deeper and validate the vulnerability.
I think my entire experience has been a series of breakthroughs. My first book sale was awesome (thanks Michiel Prins!!), it let me know I was on to something with the whole hacking thing. Then my first bounty from HackerOne was another, it confirmed that I wasn’t totally lost in what I was doing and that success was possible (I hacked hackers after all, even though it wasn’t the best vulnerability). Then the S3 bucket vulnerability on HackerOne was a huge breakthrough. That one was cool because I found hidden content, for lack of a better term. I like to think that vulnerability was out there waiting to be found for a while. After that, the breakthroughs have been incremental, finding new vulnerability types and consistency. I’d say they are still happening.
As soon as I learned about them really. Unfortunately, or fortunately I suppose, when you’re new, you see all these people making money but the impression is it’s easy money since there aren’t a lot of people blogging about the countless hours they put into their work. So, when all you see is messaging about the money being paid but not the effort being put in, you get this false sense of reality. So, all that to say, I didn’t think it would include as much hard work as it has.
I think the biggest problem I faced was my own unrealistic expectations. As I mentioned previously, when you start out, it all seems so easy for other people so I thought it would be the same. Writing the book at the same time, I didn’t want to be a fraud so I kept pushing myself wanting to find something, anything to prove I could hack. But when I found those vulnerabilities or got those rewards, the euphoria only lasted a few minutes because self-doubt crept back in. So I’d tell myself I needed to find more and after the next bounty I’d be content but that didn’t happen.
I still read anything and everything I come across. Twitter has been awesome for that, I follow a lot of people that share infosec related articles with very little noise about their cats, dogs and lunch time meals. I also have a stack of books to read which seems to be growing faster than I’m reading. I still try to do Hacking Pro Tips interviews which helps pick the brains of other top hackers for the benefit of the community. Lastly, the slack group and personal relationships I’ve developed with others, sharing information continues to be one of the top ways.
I don’t think I collaborate with other hackers so much as I keep in touch with others and share information. Sometimes that’s sharing blog posts on the slack channel, other times it’s letting others know what types of vulnerabilities I’ve found on programs we are both working on. I do talk to a few hackers on a daily basis but that’s more keeping in touch, having random conversations and occasionally helping each other out.
I really don’t have any magical formula. It’s pretty much still the same as what I detailed in Web Hacking 101. While it’s probably not the best, I tend to do something similar to what zseano talked about in our interview and just start using the app that I’m targeting, get a feel for what they offer, what’s important for them and start poking away. I try to keep an eye out for oddities and look for patterns - like do they do any funny type of escaping on input? If so, are there different ways to submit malicious input, like an API, form upload, etc., that’s different from their web forms? Sometimes you can find patterns in the types of vulnerabilities a site has, information disclosure being a great one. For example, in my experience if you can find a couple of information disclosure vulnerabilities in a site, there’s probably a whole lot more to be found because of a common programming approach the site has taken. Another example, which I didn’t find myself but which you’ll see reading my book, is HPP on Twitter. A lot of my examples come from them and there’s probably more that could be included.
My recon process sucks, it’s definitely something I need to improve and automate. I’ve been thinking of ways to do that but I only have so much time to dedicate to hacking. That said, I use all the same tools others are probably using minus a few key ones like dorking - I use Sublist3r (pronounced sublister, not “Sublist 3 R” - it’s an awesome tool, thanks Secgeek), nmap, knockpy, bucket finder, burp and the occasional custom code to do something specific.
I think I focus too much on XSS now to be honest but I try to keep an eye open for everything. I usually submit a payload which includes a bunch of random special characters to see how it gets rendered, so: '"};//><img src=
However, I’m starting to realize that I’ve missed more than a few vulnerabilities by just using that so I may need to go back to the drawing board. Beyond that, I try to look for oddities and if I spot something, especially application logic related, how could an attacker exploit that. Or if there’s a mobile and web app, do the security features on one match the other (example, login notifications/history, changing profile info, etc. – all extra security features some look for on platforms which collect sensitive personal information).
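As an added example (not from the interview or Web Hacking 101), here is the defender's side of the probe above: a small test that renders that exact string into three output contexts, once with naive templating and once with context-aware encoding, and reports which breakout characters survive. The `render_*` functions and the contexts they model are constructed for this example.

```python
import html
import json
import re

# The probe string quoted in the interview: a mix of quote, brace, slash and
# tag characters meant to break out of several rendering contexts at once.
PROBE = '\'"};//><img src='

# Characters that, if they reach the output unencoded, let input escape its
# context: tag delimiters in HTML text, the quote in a double-quoted attribute,
# and quote/tag/newline inside a double-quoted JS string literal.
BREAKOUT = {
    "body": ["<", ">"],
    "attr": ['"', "<", ">"],
    "js": ['"', "<", ">", "\n"],
}

def render_unsafe(value):
    """Naive templating: the value is pasted verbatim into every context."""
    return {
        "body": f"<p>{value}</p>",
        "attr": f'<input value="{value}">',
        "js": f'<script>var q = "{value}";</script>',
    }

def js_string(value):
    """JSON-encode for a JS string literal, then neutralise </script>-style
    breakouts by escaping < > & as \\u00XX (json.dumps leaves them raw)."""
    return (json.dumps(value).replace("<", "\\u003c")
            .replace(">", "\\u003e").replace("&", "\\u0026"))

def render_safe(value):
    """Context-aware encoding: HTML entities for text/attribute, JSON for JS."""
    return {
        "body": f"<p>{html.escape(value, quote=True)}</p>",
        "attr": f'<input value="{html.escape(value, quote=True)}">',
        "js": f"<script>var q = {js_string(value)};</script>",
    }

def _count(ctx, text, ch):
    # In the JS context a backslash-escaped quote is harmless; count only bare ones.
    if ctx == "js" and ch == '"':
        return len(re.findall(r'(?<!\\)"', text))
    return text.count(ch)

def leaked_metachars(render, value=PROBE):
    """Per context, list breakout characters the input added to the output.
    Rendering an empty string gives the template's own baseline counts."""
    baseline, out = render(""), render(value)
    return {ctx: [c for c in chars
                  if _count(ctx, out[ctx], c) > _count(ctx, baseline[ctx], c)]
            for ctx, chars in BREAKOUT.items()}
```

Encoding at the output sink is the primary fix; the CSP mentioned earlier in the interview is defence in depth that, as the IE11 case showed, not every client enforces.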
I don’t use much beyond what I listed above. I don’t use any special burp extensions beyond what’s included in the store. However, I do really like wappalyzer since it can usually spot technologies used pretty quickly which helps target your payloads.
I’m probably the wrong person to ask as I haven’t found a tonne of these. But when I have been successful, it’s been because of observation - getting a 500 error from a server is a good indicator something is wrong, that’s where I’ve been successful. Additionally, if I get a weird response, I’ll usually send the request to intruder, single out the param causing the issue and actively scan that param. However, this is only on sites that allow for this. If you’re reading this and want to do it too - make sure you’re not testing an annoying POST request that emails admins or generates a tonne of noise for the site you’re testing.
I haven’t been doing this long enough to say, but I’ve been successful on a handful of programs that were established and mature, including HackerOne. It’s not always easy but I agree with others who say you need to ignore other people’s successes when starting on a program. I joined a very popular program late and saw a lot of big names on their activity list. I almost didn’t look at the platform figuring everything must have been found but luckily I didn’t. I ended up spending quite a bit of time hacking on them and was very successful.
Definitely. All experience is good experience but you also shouldn’t be too focused on your own lane. Switch things up when you have some free time and try out different fields. If you’re a pentester, try developing a small web app or signing up for a programming course online (there’s so many now). Alternatively, if you’re a web developer, read the write-ups and get into the heads of successful hackers and try to understand how they found what they did, instead of just understanding what they found.
I’ll listen to mostly anything. But if I had to choose, I still prefer Linkin Park, Korn, Deftones, Alexisonfire, etc. Patrik Fehrenbach got me hooked on Leo Moracchioli. Occasionally I throw his YouTube playlist on while working but more often than not, I prefer quiet while I’m working.
I still work out 5 days a week every morning, am trying to get back into programming during my commute, spend time with family/friends and occasionally sit down for some Xbox One or to read a novel.
They’ve been huge and given my wife and I some nice financial freedom.
Stick to it. Perseverance is a huge part of hacking. It isn’t easy.
I think I need to focus on it all to be honest. I’ve been trying to focus on deeper learning across all areas of web hacking - to do so, I just signed up for Pentester Pro Labs. But beyond that, I’m trying to learn more about strategic approaches to web app testing and would love to learn more about reverse engineering.
Ketchup chips, just to drive Smiegles nuts... I’m actually a plain peanut butter man.
Not having a program know what Amazon S3 storage is (the popularity of which was made apparent when one of the AWS data centers went down and affected a tonne of sites...) and then accusing me of wasting their time for not validating a bug, when you can’t always be 100% sure who owns a bucket since buckets can be for internal purposes. Then when I requested disclosure, they went with limited disclosure and played dumb about that whole situation. That one still annoys me.
I’ve had the pleasure of talking and meeting so many amazing hackers, I’d love the opportunity to sit down and collaborate with any of them. Some I already consider close friends so excluding them, I’d say Mongo is definitely my hacking hero but not only because he clearly kicks hacking ass, but because he’s humble, grounded and sets an amazing example of what the community is all about. Whenever he and I chat, it’s always a pleasure and encouraging.
Some type of incentive-based mentorship.