AMA with @Zombiehelp54

Thank you for doing this interview! Can you please introduce yourself?

My name is Mahmoud aka Zombiehelp54 from Egypt and I have been hacking since 2015. I started my technical career as a freelance web developer doing web tasks in my free time, then I decided to try my luck with bug bounty programs when I read a Facebook post about HackerOne and how to get started on it. I am mostly active on Synack and HackerOne and I have submitted valid vulnerabilities to Google, Microsoft, Yahoo! and Twitter.

Q: How do you manage your personal life, work, and bug bounties? Do you do bug bounties as a job or a hobby?

I am 19 years old, so I don’t really manage my time. I hack and do other hobbies in my spare time and I am almost always free if I don’t have exams. I started doing bug bounty as a hobby along with other hobbies such as gaming, but now it’s more like a job that has a lot of impact on my life.

Q: How much time do you spend on Hunting for Bugs? On average, how many bugs do you think you report per month?

About 40 hours a week. I started hunting bugs when I was in high school and my mother allowed me to use the computer only on the weekend (2 days a week), during which I used to report about 4-6 bugs. Now I report about 5-15 bugs each month, but that sometimes really varies.

Q: How long did it take you until you found your first significant/high impact/payout vulnerability?

One of the first valid reports I submitted was a reflected XSS in Google image search which required some user interaction, and Google rewarded me the minimum $500, but after I explained how it could be exploited easily and provided a scenario in which it would be highly likely that the user would trigger the XSS, they increased my bounty to the $1337 reward.

Q: Of all the bugs you’ve found, what was your favorite/most interesting?

My favorite bug was a SQL injection vulnerability that is really weird and I haven’t even figured out the root cause yet. I was testing for Angular template injection with a very long payload that triggered an error, value too long for type character varying(255), which seemed interesting because that endpoint was returning server errors (it was the only one). I looked at the request and it was a JSON request, so I tried the basic SQL injection tricks but everything was filtered. After a lot of trial and error, I tried to do some type casting and see how JSON objects and arrays are handled, so I set the request data to {"name":{"xxx":"xxx"}}, which returned a syntax error disclosing the query UPDATE users SET name= Where… The value I had set for name was never used in the query, causing a syntax error. After more testing I tried setting name to an array ["xx","yy"], which resulted in the query UPDATE users SET name=yy WHERE ... and returned the error Column yy does not exist, hence SQLi! I am not sure why the 2nd index of the array was added to the query without any filtration or even quotes; I even asked some friends and they also couldn’t figure it out. When I asked the vendor about the root cause they said it was a problem with one of their permission controls and didn’t provide any other details.

Q: When and how did you have your breakthrough? When did you realize hacking and bug bounties was something you wanted to dedicate your time to? Please share your insights and the problems you faced to becoming an established bug bounty hacker?

I realized hacking and bug bounties was the thing for me from the first day I signed up on HackerOne and started testing; it was so much fun to try to find bugs in other people’s websites as I used to build similar things, and the amount of money you get for working 2-3 hours to find a vulnerability also plays a huge factor.

The only problem I faced at the beginning of my bug bounty career was convincing my mother to let me spend more time online, but that wasn’t a big problem; I always used to sneak my laptop into bed to do some late-night testing. (Sorry mom!)

Q: What do you do to keep up with all the new trends?

Twitter was my main source for new trends, but now it’s the new HackerOne ZeroDaily newsletter.

Q: Do you collaborate with other hackers? Can you name a few?

I always work with my team at the company where I am currently employed. I have also collaborated with some fellows from the bug bounty community such as @0xibram, @secgeek and @zigoo0, and I have played CTFs with @ibrahim_mosaad, @RojanRijal and some other fellows.

Technical Questions

Q: How do you approach a target? What is your routine like? What is your recon process like? What kind of information do you seek in your information gathering process? And how does this information help you?

The first thing I do when I start testing a target is pass it to a small tool I made that automatically runs other tools such as Sublist3r, dirsearch, etc. It logs all the results and highlights things that might be interesting. While the tool is running, I might read some docs about the target to understand how it works, then test the main functionality and look for logical bugs such as IDOR and access violation vulnerabilities; while doing this I normally test for other vulnerabilities such as XSS and CSRF, etc. To find some juicy/hidden stuff, I sometimes check the social media accounts of the target, as new features are always announced there and sometimes there are links to pages that you can’t find through Google dorks and other search methods.

Q: Do you always look for all vulnerabilities types when you approach a website?

If the target I am testing is fresh, I usually test for all types of vulnerabilities, but for old targets I ignore obvious vulnerabilities such as XSS and CSRF.

Q: Do you use any tools? Do you have your own tools that you have written to automate/facilitate your work? What Burp extensions do you use? Is there a tool that not a lot of people use that you think they should?

I use Sublist3r and dirsearch almost every day, or every time I test a target. I have written a small Python tool that runs other tools and highlights interesting results, and sometimes tries to exploit common WP vulnerabilities if a WordPress installation is found.

I have recently learned about a tool called sandcastle used for S3 bucket enumeration; it’s very useful, but be careful and make sure the company owns the bucket before performing further testing.

Q: This is one of our most popular questions: How do you test for Server Side vulnerabilities such as RCE, SQLi, etc?

I never run automated tools to find server-side vulns; I prefer manual testing. I may, however, use tools such as sqlmap to exploit them.

For SQL injection I would add a single quote and see how the server responds. If it returns an error or a different response, I double it ('') or escape it with a backslash (\'), and if the error disappears then it’s probably SQL injection and I continue trying to fetch data. If the error is still there, I try to remove the quotes and test using basic AND 1=1/1=0. If the response never changes, I try time-based payloads. If a SQL injection is found, the first thing I do is try to escalate it to RCE using the available functions, or by fetching the admin credentials (if any) and seeing if they have some kind of upload feature or something that can be used to execute code.

For RCE it really depends on the target I am testing; I test common bugs such as ImageTragick or try to abuse file upload handlers, etc.
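The quote / escape / boolean / time-based sequence described in the SQL injection answer above, written out as a small differential probe. This is an added example, not code from the interview or from Zombiehelp54’s own tooling. It assumes a hypothetical `request(value)` callable that returns `(status, body)`; the in-memory SQLite target is constructed here purely so the probe has something to find offline, and the default sleep payload uses MySQL’s `sleep()` (PostgreSQL would be `pg_sleep()`), which is a parameter you would swap per backend.

```python
import sqlite3
import time
from typing import Callable, Tuple

Response = Tuple[int, str]  # (HTTP-like status, response body)


def make_mock_target() -> Callable[[str], Response]:
    """Constructed mock target (an assumption for this example, not any real site).

    It concatenates the supplied value into a WHERE clause, the classic injectable
    pattern, so the probe below has a deliberately vulnerable endpoint to hit."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])

    def request(value: str) -> Response:
        sql = f"SELECT id, name FROM users WHERE name = '{value}'"  # unsafe on purpose
        try:
            return 200, repr(db.execute(sql).fetchall())
        except sqlite3.Error as exc:
            return 500, f"error: {exc}"

    return request


def is_error(resp: Response) -> bool:
    return resp[0] >= 500 or "error" in resp[1].lower()


def probe_sqli(request: Callable[[str], Response], baseline: str = "alice",
               sleep_payload: str = "' AND sleep(5)-- ", sleep_threshold: float = 4.0) -> dict:
    """Run the single-quote -> escape -> boolean -> time-based sequence on one parameter."""
    result = {"quote_breaks": False, "escape_clears_error": None,
              "boolean_context": None, "time_based": False}
    base = request(baseline)

    # 1. Add a single quote: does the server react at all (error or different body)?
    quoted = request(baseline + "'")
    result["quote_breaks"] = quoted != base
    if not result["quote_breaks"]:
        return result

    # 2. Repair the string with '' or \' ; whichever clears the error shows the value
    #    lands inside a SQL string and which escaping style the backend uses.
    if is_error(quoted):
        for label, payload in (("doubled", baseline + "''"), ("backslash", baseline + "\\'")):
            if not is_error(request(payload)):
                result["escape_clears_error"] = label
                break

    # 3. Boolean differential: string context first, then with the quote removed (numeric).
    for ctx, true_p, false_p in (
        ("string", f"{baseline}' AND 1=1-- ", f"{baseline}' AND 1=0-- "),
        ("numeric", f"{baseline} AND 1=1", f"{baseline} AND 1=0"),
    ):
        t, f = request(true_p), request(false_p)
        if not is_error(t) and t != f:
            result["boolean_context"] = ctx
            break

    # 4. Only if nothing visible changes, fall back to a timing check.
    if result["boolean_context"] is None:
        start = time.monotonic()
        request(baseline + sleep_payload)
        result["time_based"] = (time.monotonic() - start) >= sleep_threshold
    return result


if __name__ == "__main__":
    print(probe_sqli(make_mock_target()))
```

Against the mock, the doubled quote clears the error while the backslash does not (SQLite, like PostgreSQL, uses standard `''` escaping), and the string-context `AND 1=1` / `AND 1=0` pair returns different rows, so the probe stops before the timing step. On a real target, compare normalised bodies (strip timestamps, CSRF tokens and request IDs) rather than raw strings, or every response will look "different".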

Q: How often do you find a bug that has been overlooked after a bounty program has been established and a horde of researchers have been digging?

Well, it all depends on the target itself; if the scope is huge I am more likely to find something. I have always found DOM-XSS vulnerabilities that most researchers don’t notice because I read the JavaScript of the application. Last week I spent about 3 hours reading JavaScript files and got two DOM-based XSS vulnerabilities in an old Synack target.
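Reading the application’s JavaScript for DOM XSS, as mentioned above, usually starts by locating attacker-controlled sources (`location.hash`, `location.search`, `document.referrer`, `postMessage` handlers) and dangerous sinks (`innerHTML`, `document.write`, `eval`), then checking whether a variable flows from one to the other. The triage script below is an added example, not the interviewee’s tooling; the source and sink lists and the same-line / same-variable heuristic are assumptions chosen to make a first pass through a file fast, and the sample JavaScript is constructed for the example.

```python
import re

# Attacker-influenced inputs (sources) and code/HTML-interpreting APIs (sinks).
# Both lists are deliberately short; extend them for the target's framework.
SOURCE_RE = [re.compile(p) for p in (
    r"location\.(hash|search|href|pathname)", r"document\.(URL|documentURI|referrer)",
    r"window\.name", r"addEventListener\(\s*['\"]message['\"]",
)]
SINK_RE = [re.compile(p) for p in (
    r"\.(innerHTML|outerHTML)\s*=", r"\.insertAdjacentHTML\(", r"document\.write(ln)?\(",
    r"\beval\(", r"\bsetTimeout\(\s*['\"]", r"\$\([^)]*\)\.(html|append|after|before)\(",
    r"\blocation(\.href)?\s*=[^=]",
)]
# `var page = location.hash...` -> captures `page` as a tainted variable.
ASSIGN_RE = re.compile(r"^\s*(?:(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=[^=]")


def triage_js(js: str) -> dict:
    """Return source lines, sink lines and candidate source->sink flows in a JS file."""
    tainted = {}           # variable name -> line where it was assigned from a source
    sources, sinks, flows = [], [], []
    for n, line in enumerate(js.splitlines(), 1):
        src_hit = any(p.search(line) for p in SOURCE_RE)
        snk_hit = any(p.search(line) for p in SINK_RE)
        if src_hit:
            sources.append((n, line.strip()))
            m = ASSIGN_RE.match(line)
            if m:
                tainted[m.group(1)] = n
        if snk_hit:
            sinks.append((n, line.strip()))
            if src_hit:  # source fed straight into a sink on the same line
                flows.append({"var": None, "source_line": n, "sink_line": n})
            for var, where in tainted.items():
                if re.search(rf"\b{re.escape(var)}\b", line):
                    flows.append({"var": var, "source_line": where, "sink_line": n})
    return {"sources": sources, "sinks": sinks, "flows": flows}


# Constructed sample: one real flow (hash -> innerHTML), one safe use of a source
# (textContent), and one same-line flow inside a postMessage handler.
SAMPLE_JS = """var page = location.hash.slice(1);
var q = new URLSearchParams(location.search).get("q");
document.getElementById("crumb").innerHTML = "You are at " + page;
document.getElementById("out").textContent = q;
window.addEventListener("message", function(e){ document.write(e.data); });
"""

if __name__ == "__main__":
    for flow in triage_js(SAMPLE_JS)["flows"]:
        print(flow)
```

The heuristic is intentionally crude: it does not follow values through function calls or object properties, so treat its output as a reading list of lines to inspect by hand, not as findings. The `textContent` line shows why both halves matter: a source alone is harmless until it reaches a sink that parses HTML or code.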

Q: Do you think being a pentester, web developer, or being in a related field, helps you with bug bounties? Where should they start?

Absolutely, you need to understand how things work before trying to break them. If someone wants to start doing bug bounty, they should at least have a technical background about the field they are willing to hack on.

Time to wrap it up!

Q: What kind of music do you listen to?

Mostly rock, rap, hip-hop and underground Egyptian music.

Q: What do you do when you aren’t hacking?

Playing video games, watching movies or playing football (soccer).

Q: What kind of impact/role have bug bounties played in your life?

A great impact. I get the chance to work with big companies and very talented hackers. It helped me develop my knowledge and improve my skills. And of course the bounties are life-changing.

Q: What is an advice you received as a beginner that helped you with your bug bounty career?

Be patient and keep digging, you’ll find something.

Q: What is one area of hacking (web, mobile, hardware, etc) you wish you knew more about / plan on focusing your learning on?

Mobile. I recently started learning Android development for a project with my college friends so I decided to learn about mobile security to expand my testing scope.

Q: If someone with basic technical background asked you, “where should I start?”, what are 3 things you would recommend they do before diving into bug bounties?

  1. Read public write-ups to see how other people think and learn from their experience.
  2. Read a book about security in the area you want to hack on. (Web Hacking 101 is awesome if you want to do web hacking)
  3. Try your luck with programs that don’t offer monetary rewards.

Q: Someone was eager to know, what do you put on your toast?

What normal people put on their toast.

Q: What’s your worst bug bounty story/experience?

A program to which I reported an XSS; they triaged it, but never fixed it or replied to my comments, and it’s been more than a year and a half now. They are not fully inactive, they fixed and closed bugs a month ago, and that’s what makes it so annoying.

Q: If you had to pick one hacker to collaborate with, who would it be?

Mark Litchfield or Frans Rosén.

Q: What’s the one feature you would like to see in the platforms?

No ideas.

Q: What’s your favorite text editor?

Notepad++ on Windows and gedit on Linux.