AMA with @Yaworsk

Thank you for doing this interview! Can you please introduce yourself?

I’m Peter Yaworski and I go by the handle Yaworsk. I am from Toronto, Canada and I started hacking in December 2015.

Q: How did you get started?

I was always interested in security but never knew where to get started. Then in the fall of 2015, I read a book on Anonymous, We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency, and again wondered how this group was doing it and how internet sites could still be so vulnerable. That got me looking around for information and I noticed a Coursera specialization on cyber security. I started watching the video lectures and finally started to understand concepts like SQLi, Buffer Overflows, etc. I kept digging and found the Bugcrowd forums where someone referenced the HackerOne hacktivity and it took off from there. I read everything I could to learn from disclosed reports. I then realized so much of it was complex and over my head that I’d need to read a lot of them a second time. It was when I read Egor Homakov’s explanation of OAuth that I finally realized if I was having that problem, others probably were too, so I started writing Web Hacking 101. But who wants to read a book on hacking by someone who isn’t a successful hacker? That idea made me become obsessive about finding vulnerabilities so I wasn’t some fraud selling a book on a topic I knew nothing about.

Q: What platforms or popular (public) programs have you hacked on?

  • I’m active on HackerOne and Synack.
  • I have at least one valid report on HackerOne, Twitter, Starbucks, DoD, Gitlab, Synack, etc, among other reports on private programs.

Q: How do you manage your personal life, work, and bug bounties? Do you do bug bounties as a job or a hobby?

Up until recently, I probably had zero time management, I was hacking any spare moment I had. While I love it, you definitely can’t keep that up indefinitely so I’ve been trying to find balance. Bounties are my hobby and I do them in my spare time. But I’m also trying to manage keeping the book current, recording interviews, family and other personal commitments.

Q: How much time do you spend on Hunting for bugs? On average, how many bugs do you think you report per month?

I likely spend 30 - 40 hours hacking a week now. The number of bugs I report really varies. I’ve been trying to focus on higher impact vulnerabilities on programs that pay a little more, which means it takes more time to find bugs. As a result, in March 2017, I only submitted two bugs on HackerOne.

Q: How long did it take you until you found your first significant/high impact/payout vulnerability?

I started in December 2015 and submitted my first paid report January 26, 2016. It got rewarded February 23 - it was on HackerOne’s platform. However, my first four-figure bounty was also on HackerOne; I submitted that April 3, 2016 and it was paid $2500 on April 4, 2016. After that one, a lot of people started messaging me.

Q: Of all the bugs you’ve found, what was your favorite/most interesting?

I have more than a few favorites, including my S3 bucket finding against HackerOne and my first RCE using Smarty Template Injection, but the ones I think I like the most all really come down to not recognizing the actual vulnerability until a few days after my initial finding. I knew something wasn’t right but wasn’t sure how to exploit it:

  • A stored XSS against a very large site which allowed me to send the payload to any user. However, because of their CSP policy, it was only exploitable against users using IE11. When I first found it, I was using Firefox so the payload didn’t execute, but I saw the CSP message in the console. I didn’t realize it was exploitable until about a week later and then reported it.
  • My first SSRF, which allowed internal port scanning, but the way the site worked didn’t make it easy to exploit (I’m planning on writing this up). I was manually verifying common ports but couldn’t find anything except port 80 open, so I thought it was a false positive and didn’t want to report using just that port. Then I saw one of the site’s headers included a random port and tried that. It worked via the SSRF but from my own machine, it didn’t. That provided the spark to dig a little deeper and validate the vulnerability.

Q: When and how did you have your breakthrough?

I think my entire experience has been a series of breakthroughs. My first book sale was awesome (thanks Michiel Prins!!), it let me know I was on to something with the whole hacking thing. Then my first bounty from HackerOne was another, it confirmed that I wasn’t totally lost in what I was doing and that success was possible (I hacked hackers after all, even though it wasn’t the best vulnerability). Then the S3 bucket vulnerability on HackerOne was a huge breakthrough. That one was cool because I found hidden content, for lack of a better term. I like to think that vulnerability was out there waiting to be found for a while. After that, the breakthroughs have been incremental, finding new vulnerability types and consistency. I’d say they are still happening.

Q: When did you realize hacking and bug bounties was something you wanted to dedicate your time to?

As soon as I learned about them really. Unfortunately, or fortunately I suppose, when you’re new, you see all these people making money but the impression is it’s easy money since there aren’t a lot of people blogging about the countless hours they put into their work. So, when all you see is messaging about the money being paid but not the effort being put in, you get this false sense of reality. So, all that to say, I didn’t think it would include as much hard work as it has.

Q: Please share your insights and the problems you faced to become an established bug bounty hacker.

I think the biggest problem I faced was my own unrealistic expectations. As I mentioned previously, when you start out, it all seems so easy for other people so I thought it would be the same. Writing the book at the same time, I didn’t want to be a fraud so I kept pushing myself wanting to find something, anything to prove I could hack. But when I found those vulnerabilities or got those rewards, the euphoria only lasted a few minutes because self-doubt crept back in. So I’d tell myself I needed to find more and after the next bounty I’d be content but that didn’t happen.

Q: What do you do to keep up with all the new trends?

I still read anything and everything I come across. Twitter has been awesome for that, I follow a lot of people that share infosec related articles with very little noise about their cats, dogs and lunch time meals. I also have a stack of books to read which seems to be growing faster than I’m reading. I still try to do Hacking Pro Tips interviews which helps pick the brains of other top hackers for the benefit of the community. Lastly, the slack group and personal relationships I’ve developed with others, sharing information continues to be one of the top ways.

Q: Do you collaborate with other hackers? Can you name a few?

I don’t think I collaborate with other hackers so much as I keep in touch with others and share information. Sometimes that’s sharing blog posts on the slack channel, other times it’s letting others know what types of vulnerabilities I’ve found on programs we are both working on. I do talk to a few hackers on a daily basis but that’s more keeping in touch, having random conversations and occasionally helping each other out.

Technical Questions

Q: How do you approach a target? What is your routine like?

I really don’t have any magical formula. It’s pretty much still the same as what I detailed in Web Hacking 101. While it’s probably not the best, I tend to do something similar to what zseano talked about in our interview and just start using the app that I’m targeting, get a feel for what they offer, what’s important for them and start poking away. I try to keep an eye out for oddities and look for patterns - like do they do any funny type of escaping on input? If so, are there different ways to submit malicious input, like an API, form upload, etc., that’s different from their web forms? Sometimes you can find patterns in the types of vulnerabilities a site has, information disclosure being a great one. For example, in my experience if you can find a couple of information disclosure vulnerabilities in a site, there’s probably a whole lot more to be found because of a common programming approach the site has taken. Another example, which I didn’t find myself but you’ll see reading my book, is HPP on Twitter. A lot of my examples come from them and there’s probably more that could be included.

Q: What is your recon process like? What kind of information do you seek in your information gathering process? And how does this information help you?

My recon process sucks, it’s definitely something I need to improve and automate. I’ve been thinking of ways to do that but I only have so much time to dedicate to hacking. That said, I use all the same tools others are probably using minus a few key ones like dorking - I use Sublist3r (pronounced sublister, not “Sublist 3 R” - it’s an awesome tool, thanks Secgeek), nmap, knockpy, bucket finder, Burp and the occasional custom code to do something specific.

Q: Do you always look for all vulnerabilities types when you approach a website?

I think I focus too much on XSS now to be honest, but I try to keep an eye open for everything. I usually submit a payload which includes a bunch of random special characters to see how it gets rendered, so: '"};//><img src= . However, I’m starting to realize that I’ve missed more than a few vulnerabilities by just using that, so I may need to go back to the drawing board. Beyond that, I try to look for oddities and if I spot something, especially application logic related, how could an attacker exploit that? Or if there’s a mobile and web app, do the security features on one match the other (for example, login notifications/history, changing profile info, etc. – all extra security features some look for on platforms which collect sensitive personal information)?
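From the defender’s side, the special-character probe in the answer above is a check that output encoding is consistent across every entry point (web form, API, upload). As an added example, not from the interview or any tool it names, this Python script walks a response from a marker sent just before the probe and reports which characters came back raw, HTML-encoded or stripped; the marker, the entity list and the sample responses are constructed for the demo.

```python
import html

# Probe quoted in the answer above: quotes, terminators, a JS comment and
# a tag break, i.e. one character per context that matters for injection.
PROBE = "'\"};//><img src="
SPECIALS = {c for c in PROBE if not c.isalnum() and not c.isspace()}
# Common HTML encodings a server may emit per special character (constructed
# list; extend it for the encoder your framework uses).
ESCAPES = {
    "'": ["&#39;", "&#x27;", "&apos;"],
    '"': ["&quot;", "&#34;", "&#x22;"],
    "<": ["&lt;", "&#60;", "&#x3c;", "&#x3C;"],
    ">": ["&gt;", "&#62;", "&#x3e;", "&#x3E;"],
    "/": ["&#47;", "&#x2f;", "&#x2F;"],
}
MARKER = "zq9probe"  # constructed tag sent before the probe to locate it
# Constructed responses showing three encoding behaviours (no real site).
SAMPLES = {
    "escaped": "<p>Hi " + MARKER + html.escape(PROBE, quote=True) + "</p>",
    "raw": "<p>Hi " + MARKER + PROBE + "</p>",
    "stripped": "<p>Hi " + MARKER + PROBE.replace("<", "").replace(">", "") + "</p>",
}

def classify_reflection(body, marker=MARKER, probe=PROBE):
    """Walk the response from the marker and record, per probe character,
    'raw', 'encoded' (an HTML entity) or 'missing' (stripped by a filter).
    Returns {} if the marker itself was not reflected."""
    pos = body.find(marker)
    if pos < 0:
        return {}
    pos += len(marker)
    status = {}
    for ch in probe:
        if body.startswith(ch, pos):
            status[ch], pos = "raw", pos + 1
            continue
        for esc in ESCAPES.get(ch, []):
            if body.startswith(esc, pos):
                status[ch], pos = "encoded", pos + len(esc)
                break
        else:
            status[ch] = "missing"  # stripped: keep pos so the walk stays aligned
    return status

def unencoded_specials(body, marker=MARKER):
    """Special characters that came back unencoded: each is a context this
    entry point does not neutralise, so compare against other input paths."""
    return sorted(c for c, s in classify_reflection(body, marker).items()
                  if s == "raw" and c in SPECIALS)
```

Run `unencoded_specials` on the same probe sent through each input path of your own application; a path that returns more characters than the others is the inconsistency the answer describes.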

Q: Do you use any tools? Do you have your own tools that you have written to automate/facilitate your work? What Burp extensions do you use? Is there a tool that not a lot of people use that you think they should?

I don’t use much beyond what I listed above. I don’t use any special burp extensions beyond what’s included in the store. However, I do really like wappalyzer since it can usually spot technologies used pretty quickly which helps target your payloads.

Q: This is one of our most popular questions: How do you test for Server Side vulnerabilities such as RCE, SQLi, etc?

I’m probably the wrong person to ask as I haven’t found a tonne of these. But when I have been successful, it’s been because of observation - getting a 500 error from a server is a good indicator something is wrong, that’s where I’ve been successful. Additionally, if I get a weird response, I’ll usually send the request to intruder, single out the param causing the issue and actively scan that param. However, this is only on sites that allow for this. If you’re reading this and want to do it too - make sure you’re not testing an annoying POST request that emails admins or generates a tonne of noise for the site you’re testing.

Q: How often do you find a bug that has been overlooked after a bounty program has been established and a horde of researchers have been digging?

I haven’t been doing this long enough to say, but I’ve been successful on a handful of programs that were established and mature, including HackerOne. It’s not always easy but I agree with others who say you need to ignore other people’s successes when starting on a program. I joined a very popular program late and saw a lot of big names on their activity list. I almost didn’t look at the platform figuring everything must have been found, but luckily I didn’t. I ended up spending quite a bit of time hacking on them and was very successful.

Q: Do you think being a pentester, web developer, or being in a related field, helps you with bug bounties? Where should they start?

Definitely. All experience is good experience but you also shouldn’t be too focused on your own lane. Switch things up when you have some free time and try out different fields. If you’re a pentester, try developing a small web app or signing up for a programming course online (there’s so many now). Alternatively, if you’re a web developer, read the write-ups and get into the heads of successful hackers and try to understand how they found what they did, instead of just understanding what they found.

Time to wrap it up!

Q: What kind of music do you listen to?

I’ll listen to mostly anything. But if I had to choose, I still prefer Linkin Park, Korn, Deftones, Alexisonfire, etc. Patrik Fehrenbach got me hooked on Leo Moracchioli. Occasionally I throw his YouTube playlist on while working but more often than not, I prefer quiet while I’m working.

Q: What do you do when you aren’t hacking?

I still work out 5 days a week every morning, am trying to get back into programming during my commute, spend time with family/friends and occasionally sit down for some Xbox One or to read a novel.

Q: What kind of impact/role have bug bounties played in your life?

They’ve been huge and given my wife and I some nice financial freedom.

Q: What is one piece of advice you received as a beginner that helped you with your bug bounty career?

Stick to it. Perseverance is a huge part of hacking. It isn’t easy.

Q: What is one area of hacking (web, mobile, hardware, etc) you wish you knew more about / plan on focusing your learning on?

I think I need to focus on it all to be honest. I’ve been trying to focus on deeper learning across all areas of web hacking - to do so, I just signed up for Pentester Pro Labs. But beyond that, I’m trying to learn more about strategic approaches to web app testing and would love to learn more about reverse engineering.

Q: If someone with basic technical background asked you, “where should I start?”, what are 3 things you would recommend they do before diving into bug bounties?

  • Shamelessly I always ask if they’ve read my book. I documented my learning process in it and think it’ll help - it’s why I’m selling it…
  • After that, I think people should dive right in to be honest. It isn’t easy and I don’t think you should sugarcoat that. But that said, things like Pentester Pro Labs, Google Gruyere, etc. helped me. I like to think hacking is ⅓ knowledge, ⅓ observation, ⅓ determination, so whatever you do, you should be developing those soft skills. Sometimes the successful hacker is the one who stays with a platform when it seems like there’s nothing there (there’s no better example of this than Florian Courtial’s success on Trello and FileDescriptor’s success on Twitter).

Q: Someone was eager to know, what do you put on your toast?

Ketchup chips, just to drive Smiegles nuts…. I’m actually a plain peanut butter man.

Q: What’s your worst bug bounty story/experience?

Not having a program know what Amazon S3 storage is (the popularity of which was made apparent when one of the AWS data centers went down and affected a tonne of sites…) and then accusing me of wasting their time but not validating a bug when you can’t always be 100% sure who owns a bucket since buckets can be for internal purposes. Then when I requested disclosure, they went with limited disclosure and played dumb about that whole situation. That one still annoys me.

Q: If you had to pick one hacker to collaborate with, who would it be?

I’ve had the pleasure of talking and meeting so many amazing hackers, I’d love the opportunity to sit down and collaborate with any of them. Some I already consider close friends so excluding them, I’d say Mongo is definitely my hacking hero but not only because he clearly kicks hacking ass, but because he’s humble, grounded and sets an amazing example of what the community is all about. Whenever he and I chat, it’s always a pleasure and encouraging.

Q: What’s the one feature you would like to see in the platforms?

Some type of incentive-based mentorship.