My name is Sean and I go by zseano online. I’m currently based in the United Kingdom and I have been hacking since I was around 13. I saw people creating chatbots and “winbots” for StarCraft and I found it fascinating and wanted to learn how it was done. From that point I have just continued to read, learn and practise.
I’m currently #2 on bugcrowd with 99.9% of my bugs going to one company. I really enjoy their program because the scope is big, payouts are fair & quick, and the team are just awesome to work with.
I do bug bounties as a job full time. Honestly, it is quite hard to manage doing bounties full time and my personal life. I am a workaholic and you can typically find me on my computer at any given time poking around with bounties. I do try to manage my time and take time away to spend with my fiancée, friends & family, however my mind is usually still on bounties and questioning why my latest bug isn’t working. ;)
I spend at least 6-7 hours a day hunting for bugs when life isn’t distracting me. When I first started on this “special” program on bugcrowd I was finding lots of bugs, but the rate of bugs has slowed down due to me running out of places to test. Typically I find maybe 30-40 bugs a month.
I found quite a few within the first week if I’m honest. I started submitting bugs to a company which had never run a bounty program, so it was fresh material. I quickly found ways to get persistent XSS on every page they visited via an injected cookie, modify anyone’s photo (delete, change caption etc), and a method to use their service for free, bypassing all payment methods.
A privilege escalation bug on a bugcrowd program. You could sign up and claim a page, but you had to verify you were the correct owner by entering your CC details. After some playing around I found a URL which, when visited with the correct parameters, would auto-verify you and grant you full access without having to verify ownership.
I had my first breakthrough with the very first program I reported bugs to. I was finding bugs left right and center and the company was handling my reports extremely well. Our relationship grew and they ended up flying me out to meet the dev team, and now I try to see them at least once a year for an end of year party. Once I saw my “talent” was helping others, and I was getting paid fairly for my research, this industry became my home. :)
My next breakthrough was the program I’m submitting to on bugcrowd. I’ve only been submitting to them for 11 months, but I speak to their dev team on a weekly basis and I like to think I’m helping them secure their assets.
I’ve not really had many problems in bug bounties if I’m honest because I’ve been fortunate to be in programs where I’m the only researcher for a period of time. I typically only report to a maximum of 3 programs, and they all treat me fairly. I’m a loyal researcher :)
However, if I do get a new invite, I will never invest a lot of time into a program unless they can prove to me they will take my reports seriously and pay me fairly for my time & research. To begin I will always try to find something small & simple (typically XSS or CSRF) to see how they treat the report. If it goes well, they get my full attention. :)
Twitter, Reddit, news, Telegram channels, the usual. Read read read!
I collaborate on a daily basis with @yaworsk, @zephrfish, @filedescriptor and @rohk_infosec in a private chat. These guys are all extremely talented and have become like a family to me. It is really great to be able to bounce ideas off other researchers, or to get help with bugs.
A lot of people have asked how I’ve found over 300 bugs in a short space of time, so for this question I’m going to detail what I’m currently doing on bugcrowd for that one program.
Firstly, since the scope was large I started with discovering everything they have pointing towards the internet. This was achieved by using sublist3r, wfuzz and altdns. Next I want to find out what (if any) interesting ports they have open, so I’ll scan their IP range.
With lots to play with, I’ll go for the obvious first. Subdomains/directories which contain words like staging, dev, production, qa, admin, test, etc. One key thing I’ve missed before (and many others still do) is not running a dir/file scanner on subdomains. If you visited test.example.com and just saw ‘Access denied’, get a good list and start trying to discover what is on there. phpinfo.php anyone?
Now, there is still more information to be discovered. In comes Google dorking. Searching for things like “site:example.com inurl:&”, “inurl:redirect,redir,go,goto,login,register,upload,create,signin,admin”, and not forgetting “ext:swf,php,jsp,aspx,txt” will uncover more interesting endpoints to play with.
Next we see what’s leaked in /robots.txt and /crossdomain.xml (do not forget to scrape the Wayback Machine!!!), and I’d say at this point I’ve got enough information to start having fun! Now whenever I research, I will always note down recurring parameters I’ve found, as well as parameters which have been vulnerable. I started with looking for the simple things, XSS, CSRF etc and quickly found lots. I soon built a list of recurring parameters, and now in comes the automation.
This site was leaking quite a few endpoints in their robots.txt file, so I simply scraped that, as well as the past 7 years thanks to the Wayback Machine, and loaded it into Burp Intruder. With a list of known recurring vulnerable parameters I simply tested over 5000 endpoints with ?example=lol” and was quickly presented with lots of vulnerable endpoints.
I was not done yet. I knew there were more bugs. I built a custom script to visit each endpoint and extract all input names, then simply visited that endpoint with all parameters set to lol”. More vulnerabilities appeared! (note: if you plan on doing this, make sure to try more than just lol”, try lol’ lol’\ lol< etc. Different reflections etc etc).
Lastly, when visiting a site, always look through their .js files. There are always calls to other endpoints you might not find elsewhere. You can automate scanning .js files to save you time.
So to sum up, find EVERYTHING you can about this site, no matter how old that information is. This means endpoints, sub domains, interesting params, js files etc. Then go crazy! The more information you can find about a site, the more chance you have at finding a vulnerability.
(interesting fact: I am still not done going through all interesting endpoints on this program.. :P)
Of course. I try to automate as many as possible so I can spend more time on high impact bugs such as RCE.
I don’t use any burp extensions since I feel all I need is intruder and repeater. I have written a few of my own custom tools, such as scanning .js files, extracting input names from a list, automatically telling me what’s on a sub domain without me visiting (if the list is big).
For SQLi I will use sqlmap. Now RCE is tricky since a lot of cases are different, but typically when testing I will look for serialized data (either in post data or a cookie), endpoints which “call out” to another site (such as get.php?site=example.com). One common place for LFI is sometimes the “photo viewer” on a website. They sometimes reference it like photo.php?file=derp.jpg. Try and think of common places that might make calls to a database or include a file.
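The pipeline described in the recon answer above (scrape endpoints, pull input names out of each page and endpoint references out of each .js file, then hit every parameter with a handful of canary payloads and look for raw reflection) and the custom .js-scanning and input-extraction tools mentioned in the tools answer, sketched as an added Python example. This is not zseano’s code or tooling: the host example.com, the endpoint paths, the sample HTML/JS and the fake_fetch stand-in for HTTP are all constructed for illustration.

```python
import re
from html import escape
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Canary payloads. Each one matters in a different reflection context:
# "  breaks out of a double-quoted attribute, ' out of a single-quoted one,
# '\ defeats a naive backslash escape inside a JS string, < opens a tag.
PAYLOADS = ['lol"', "lol'", "lol'\\", "lol<"]

# <input name=...>, <select name=...>, <textarea name=...> (quoted or bare)
INPUT_RE = re.compile(
    r'<(?:input|select|textarea)\b[^>]*?\bname=["\']?([\w\[\]\-.]+)', re.I)
# Absolute URLs or root-relative paths sitting inside JS string literals
JS_URL_RE = re.compile(
    r'["\']((?:https?://[^"\'\s]+|/[\w./-]+)(?:\?[^"\'\s]*)?)["\']')


def extract_input_names(html):
    """Form field names on a page: the parameters the endpoint actually reads."""
    return sorted(set(INPUT_RE.findall(html)))


def extract_js_endpoints(js, base="https://example.com"):
    """Endpoints referenced from a .js file, resolved against the site base."""
    return sorted({u if u.startswith("http") else base + u
                   for u in JS_URL_RE.findall(js)})


def param_names(url):
    """Parameter names already present in a URL's query string."""
    return [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


def build_probes(url, params, payloads=PAYLOADS):
    """One probe URL per (parameter, payload). The other params keep a benign
    value so the endpoint still takes the code path that reflects them."""
    parts = urlsplit(url)
    existing = dict(parse_qsl(parts.query, keep_blank_values=True))
    probes = []
    for target in params:
        for payload in payloads:
            query = {**{k: "1" for k in params}, **existing, target: payload}
            probes.append((target, payload,
                           urlunsplit(parts._replace(query=urlencode(query)))))
    return probes


def reflected_raw(body, payload):
    """True only if the payload came back byte-for-byte, i.e. not HTML-encoded."""
    return payload in body


def scan(url, params, fetch, payloads=PAYLOADS):
    """Map each parameter to the payloads that were reflected unencoded."""
    hits = {}
    for target, payload, probe in build_probes(url, params, payloads):
        if reflected_raw(fetch(probe), payload):
            hits.setdefault(target, []).append(payload)
    return hits


# ---- constructed sample site (no network; stands in for the real target) ----
SEARCH_HTML = '''<form action="/search.php" method="get">
  <input name="q"> <input type="hidden" name="lang" value="en">
</form><script src="/static/app.js"></script>'''

APP_JS = '''var profile = "/api/v2/profile?uid=1";
fetch('/api/v2/photo.php?file=a.jpg');
$.get("/legacy/redirect.php?url=" + location.href);'''


def fake_fetch(url):
    """Stand-in for an HTTP GET (constructed). Each endpoint encodes its output
    differently, which is exactly why a single lol" payload is not enough."""
    parts = urlsplit(url)
    q = dict(parse_qsl(parts.query, keep_blank_values=True))
    if parts.path == "/search.php":
        # quotes are left alone inside the value attribute, but < is encoded;
        # lang is fully encoded, so nothing survives there
        return ('<input name="q" value="%s"><p>%s</p>'
                % (escape(q.get("q", ""), quote=False),
                   escape(q.get("lang", ""), quote=True)))
    if parts.path == "/api/v2/photo.php":
        # dropped straight into a script block: every payload survives
        return '<script>var f = "%s";</script>' % q.get("file", "")
    return "Access denied"


if __name__ == "__main__":
    print("inputs on /search.php:", extract_input_names(SEARCH_HTML))
    for ep in extract_js_endpoints(APP_JS):
        print("from app.js:", ep, "params:", param_names(ep))
    print(scan("https://example.com/search.php",
               extract_input_names(SEARCH_HTML), fake_fetch))
    print(scan("https://example.com/api/v2/photo.php?file=a.jpg",
               ["file"], fake_fetch))
```

Against a real program you would swap fake_fetch for an HTTP client (and the robots.txt/Wayback Machine list for the endpoint inputs), rate-limit it, and stay inside the published scope. A raw reflection is the triage signal that the answer above describes, not proof of XSS: the hit still has to be taken into Burp Repeater to see which context the payload lands in and whether a real payload executes there.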
Quite often. Simple things like changing the language of a site can uncover more bugs.
Yes 100%, especially when it comes to those tricky XSS which require you to create some random HTML that makes zero sense, yet somehow works. I find you can learn a lot by just simply reading the site you’re testing. For example try and understand what their js files are doing, and at the same time you’re learning coding.
I really enjoy listening to technobase.fm whilst hacking.
Chill with my fiancée, friends & family. Play games. Eat. Sleep? :P
It’s enabled me to move out with my girlfriend, purchase a new car, and take many many holidays. It’s also helped me invest in cryptocurrencies!
Never give up & test everything possible. If you get that “tingly feeling” about a certain endpoint, do as much research as possible and find that bug! However, you must also not spend too much time on certain things. Know your limits, and don’t be afraid to ask for help.
Hardware and getting better at mobile hacking. I’ve submitted quite a few bugs within mobile apps, but i’d like to expand my knowledge on this area. I’d also like to get better at spotting areas with RCE. Mongo amazes me how he looks at a site and RCE pops out.
Learn how the internet & websites actually work. Understand it’s YOU who controls what is sent to the endpoint. Fuzz fuzz fuzz! You can send anything you want. Read the response, and go from there. Learn about the most common vulnerabilities, such as XSS, CSRF etc. Read disclosed bugs (blog posts, HackerOne activity etc) to see what others are doing.
Just butter usually. I’m a fan of crumpets personally. (highly recommend you all try them if you ever visit UK!)
One company was really keen on me testing their assets and when I did.. they disappeared. My bugs are still in the “New” state, although bounties have been paid out (after 6 months of emailing them). Very weird experience.
Just one? Oh now that’s tough as there are so many talented researchers I’d love to collaborate with. I’d have to say Luke Young (@TheBoredEng) because he is extremely talented and I feel like I could learn a lot from him.
Each program is lacking some features, so this is a hard question to answer. :P