My name is Mahmoud aka Zombiehelp54 from Egypt and I have been hacking since 2015. I started my technical career as a freelance web developer doing web tasks in my free time, then I decided to try my luck with bug bounty programs when I read a Facebook post about HackerOne and how to get started on it. I am mostly active on Synack and HackerOne and I have submitted valid vulnerabilities to Google, Microsoft, Yahoo! and Twitter.
I am 19 years old, so I don't really manage my time. I hack and do other hobbies in my spare time and I am almost always free if I am not having exams. I started doing bug bounty as a hobby along with other hobbies such as gaming, but now it's more like a job that has a lot of impact on my life.
About 40 hours a week. I started hunting bugs when I was in high school and my mother allowed me to use the computer only on the weekend (2 days a week), when I used to report about 4-6 bugs. Now I report about 5-15 bugs each month, but that sometimes really varies.
One of the first valid reports I submitted was a reflected XSS in Google image search which required some user interaction, and Google rewarded me the minimum $500, but after I explained how it could be exploited easily and provided a scenario in which it would be highly likely that the user would trigger the XSS, they increased my bounty to the $1337 reward.
My favorite bug was a SQL injection vulnerability that was really weird, and I haven't even figured out the root cause yet.
I was testing for Angular template injection with a very long payload that triggered the error "value too long for type character varying(255)", which seemed interesting because the endpoint was returning server errors (it was the only one that did). I looked at the request and it was a JSON request, so I tried the basic SQL injection tricks, but everything was filtered. After a lot of trial and error, I tried to do some type casting and see how JSON objects and arrays are handled, so I set the request data to {"name":{"xxx":"xxx"}}, which returned a syntax error disclosing the query UPDATE users SET name= WHERE ... The value I had set for name was never used in the query, causing a syntax error. After more testing I tried setting name to an array ["xx","yy"], which resulted in the query UPDATE users SET name=yy WHERE ... and returned the error "Column yy does not exist", hence SQLi!
I am not sure why the second index of the array was added to the query without any filtering or even quotes. I even asked some friends and they couldn't figure it out either. When I asked the vendor about the root cause, they said it was a problem with one of their permission controls and didn't provide any other details.
I realized hacking and bug bounties was the thing for me from the first day I signed up on HackerOne and started testing. It was so much fun to try to find bugs in other people's websites, as I used to build similar things, and the amount of money you get for working 2-3 hours to find a vulnerability is also a huge factor.
The only problem I faced at the beginning of my bug bounty career was convincing my mother to let me spend more time online, but that wasn't a big problem; I always used to sneak my laptop into bed to do some late-night testing. (Sorry mom!)
Twitter was my main source for new trends, but now it’s the new HackerOne ZeroDaily newsletter.
I always work with my team at the company where I am currently employed. I have also collaborated with some fellows from the bug bounty community such as @0xibram, @secgeek and @zigoo0, and I have also played CTFs with @ibrahim_mosaad, @RojanRijal and some other fellows.
The first thing I do when I start testing a target is passing it to a small tool I made that automatically runs other tools such as Sublist3r, dirsearch, etc. It logs all the results and highlights things that might be interesting. While the tool is running, I might read some docs about the target to understand how it works, then test the main functionality and look for logical bugs such as IDOR and access violation vulnerabilities; while doing this I normally test for other vulnerabilities such as XSS and CSRF, etc. To find some juicy/hidden stuff, I sometimes check the target's social media accounts, as new features are always announced there and sometimes there are links to pages that you can't find through Google dorks and other search methods.
If the target I am testing is fresh, I usually test for all types of vulnerabilities, but for old targets I ignore obvious vulnerabilities such as XSS and CSRF.
I use Sublist3r and dirsearch almost every day, or every time I test a target. I have written a small Python tool that runs other tools and highlights interesting results, and it sometimes tries to exploit common WordPress vulnerabilities if a WordPress installation is found.
I recently learned about a tool called sandcastle used for S3 bucket enumeration. It's very useful, but be careful and make sure the company owns the bucket before performing further testing.
I never run automated tools to find server-side vulns, I prefer manual testing. I may, however, use tools such as sqlmap to exploit them.
For SQL injection I would add a single quote and see how the server responds. If it returns an error or a different response, then I double it ('') or escape it with a backslash (\'), and if the error disappears then it's probably SQL injection and I continue trying to fetch data. If the error is still there, I try removing the quotes and testing using basic and 1=1 / and 1=0. If the response never changes, I try time-based payloads.
If a SQL injection is found, the first thing I do is to try to escalate it to RCE using the available functions, or by fetching the admin credentials (if any) and seeing if they have some kind of upload feature or something else that can be used to execute code.
For RCE it really depends on the target I am testing; I test common bugs such as ImageTragick or try to abuse file upload handlers, etc.
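The quote and boolean probing sequence described above, and the JSON type confusion from the favorite-bug story, as an added example that is not from the interview or from any program mentioned in it. It builds a constructed in-memory SQLite table with two deliberately vulnerable string-building handlers and two parameterized ones, runs the single-quote / doubled-quote / backslash / and 1=1 vs and 1=0 probes against each, and shows a JSON field check that rejects an object or array where a string is expected. Table, rows and function names are all made up for the example; the real root cause of the array behaviour is unknown, so nothing here claims to reproduce it.

```python
"""Added example: SQLi probing against constructed vulnerable and safe handlers."""
import json
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")
    conn.commit()
    return conn


def vuln_by_name(conn, name):
    # Deliberately vulnerable: the value is interpolated into a string literal.
    return conn.execute(f"SELECT id FROM users WHERE name='{name}'").fetchall()


def vuln_by_id(conn, user_id):
    # Deliberately vulnerable: numeric context, so there are no quotes to break.
    return conn.execute(f"SELECT id FROM users WHERE id={user_id}").fetchall()


def safe_by_name(conn, name):
    return conn.execute("SELECT id FROM users WHERE name=?", (name,)).fetchall()


def safe_by_id(conn, user_id):
    return conn.execute("SELECT id FROM users WHERE id=?", (user_id,)).fetchall()


def observe(query_fn, payload):
    """One 'request': ('ok', rowcount) or ('error', exception class name)."""
    try:
        return ("ok", len(query_fn(payload)))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


def probe_string_context(query_fn, base="alice"):
    """Quote test: a lone quote should error, and escaping it (doubled, or with
    a backslash on MySQL-style servers) should clear the error if the quote
    really landed inside a string literal. SQLite only honours doubling."""
    single = observe(query_fn, base + "'")
    doubled = observe(query_fn, base + "''")
    backslash = observe(query_fn, base + "\\'")
    injectable = single[0] == "error" and "ok" in (doubled[0], backslash[0])
    return {"single": single, "doubled": doubled, "backslash": backslash,
            "injectable": injectable}


def probe_numeric_context(query_fn, base="1"):
    """Boolean test for unquoted contexts: 'and 1=1' should leave the response
    identical to the baseline while 'and 1=0' should change it."""
    baseline = observe(query_fn, base)
    true_case = observe(query_fn, base + " and 1=1")
    false_case = observe(query_fn, base + " and 1=0")
    injectable = (baseline[0] == "ok" and true_case == baseline
                  and false_case != true_case)
    return {"baseline": baseline, "true": true_case, "false": false_case,
            "injectable": injectable}


def parse_name_update(body):
    """Check the JSON type before the value gets near a query. The handler in
    the story accepted an object and an array for 'name'; this one refuses them."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise TypeError("request body must be a JSON object")
    name = data.get("name")
    if not isinstance(name, str):
        raise TypeError(f"name must be a string, got {type(name).__name__}")
    if len(name) > 255:  # mirrors the varying(255) column limit from the story
        raise ValueError("name too long")
    return name


def rejects(body):
    """True if parse_name_update refuses this body on type grounds."""
    try:
        parse_name_update(body)
    except TypeError:
        return True
    return False


def safe_update_name(conn, user_id, body):
    name = parse_name_update(body)
    conn.execute("UPDATE users SET name=? WHERE id=?", (name, user_id))
    return conn.execute("SELECT name FROM users WHERE id=?", (user_id,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("vuln name:", probe_string_context(lambda v: vuln_by_name(db, v)))
    print("safe name:", probe_string_context(lambda v: safe_by_name(db, v)))
    print("vuln id  :", probe_numeric_context(lambda v: vuln_by_id(db, v)))
    print("safe id  :", probe_numeric_context(lambda v: safe_by_id(db, v)))
    print("array name rejected:", rejects('{"name":["xx","yy"]}'))
```

Against the vulnerable name handler the lone quote errors and the doubled quote clears it, which is exactly the signal described in the interview; against the parameterized handler every probe returns cleanly with zero rows, so nothing is flagged. The numeric probe works the same way on row counts instead of errors.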
Well, it all depends on the target itself; if the scope is huge I am more likely to find something. I have always found DOM-XSS vulnerabilities that most researchers don't notice because I read the JavaScript of the application. Last week I spent about 3 hours reading JavaScript files and got two DOM-based XSS vulnerabilities in an old Synack target.
Absolutely, you need to understand how things work before trying to break them. If someone wants to start doing bug bounty, they should at least have a technical background about the field they are willing to hack on.
Mostly rock, rap, hip-hop and underground Egyptian music.
Playing video games, watching movies or playing football (soccer).
A great impact. I get the chance to work with big companies and very talented hackers. It helped me develop my knowledge and improve my skills. And of course the bounties are life-changing.
Be patient and keep digging, you’ll find something.
Mobile. I recently started learning Android development for a project with my college friends so I decided to learn about mobile security to expand my testing scope.
What normal people put on their toast.
A program to which I reported an XSS; they triaged it, but never fixed it or replied to my comments, and it's been more than a year and a half now. They are not completely inactive, they fixed and closed bugs a month ago, and that's what makes it so annoying.
Mark Litchfield or Frans Rosen.
No ideas….
Notepad++ on windows and Gedit on linux.