AMA with @zseano

Thank you for doing this interview! Can you please introduce yourself?

My name is Sean and I go by zseano online. I’m currently based in the United Kingdom and I have been hacking since I was around 13. I saw people creating chatbots and “winbots” for StarCraft and I found it fascinating and wanted to learn how it was done. From that point I have just continued to read, learn and practise.

I’m currently #2 on bugcrowd with 99.9% of my bugs being to one company. I really enjoy their program because the scope is big, payouts are fair & quick, and the team are just awesome to work with.

Q: How do you manage your personal life, work, and bug bounties? Do you do bug bounties as a job or a hobby?

I do bug bounties as a job full time. Honestly, it is quite hard to manage doing bounties full time and my personal life. I am a workaholic and you can typically find me on my computer at any given time poking around with bounties. I do try to manage my time and take time away to spend with my fiancée, friends & family, however my mind is usually still on bounties and questioning why my latest bug isn’t working. ;)

Q: How much time do you spend on Hunting for Bugs? On average, how many bugs do you think you report per month?

I spend at least 6-7 hours a day hunting for bugs when life isn’t distracting me. When I first started on this “special” program on bugcrowd I was finding lots of bugs, but the rate of bugs has slowed down due to me running out of places to test. Typically I find maybe 30-40 bugs a month.

Q: How long did it take you until you found your first significant/high impact/payout vulnerability?

I found quite a few within the first week if I’m honest. I started submitting bugs to a company which had never run a bounty program, so it was fresh material. I quickly found ways to get persistent XSS on every page they visited via an injected cookie, modify anyone’s photo (delete, change caption etc), and a method to use their service for free, bypassing all payment methods.

Q: Of all the bugs you’ve found, what was your favorite/most interesting?

A privilege escalation bug on a bugcrowd program. You could sign up and claim a page, but you had to verify you were the correct owner by entering your CC details. After some playing around I found a URL which, when visited with the correct parameters, would auto-verify you and grant you full access without having to verify ownership.

Q: When and how did you have your breakthrough? When did you realize hacking and bug bounties was something you wanted to dedicate your time to? Please share your insights and the problems you faced to becoming an established bug bounty hacker?

I had my first breakthrough with the very first program I reported bugs to. I was finding bugs left right and center and the company was handling my reports extremely well. Our relationship grew and they ended up flying me out to meet the dev team, and now I try to see them at least once a year for an end of year party. Once I saw my “talent” was helping others, and I was getting paid fairly for my research, this industry became my home. :)

My next breakthrough was the program I’m submitting to on bugcrowd. I’ve only been submitting to them for 11 months, but I speak to their dev team on a weekly basis and I like to think I’m helping them secure their assets.

I’ve not really had many problems in bug bounties if I’m honest because I’ve been fortunate to be in programs where I’m the only researcher for a period of time. I typically only report to max 3 programs, and they all treat me fairly. I’m a loyal researcher :)

However, if I do get a new invite, I will never invest a lot of time into a program unless they can prove to me they will take my reports seriously and pay me fairly for my time & research. To begin I will always try to find something small & simple (typically XSS or CSRF) to see how they treat the report. If it goes well, they get my full attention. :)

Q: What do you do to keep up with all the new trends?

Twitter, reddit, news, telegram channel, the usual. Read read read!

Q: Do you collaborate with other hackers? Can you name a few?

I collaborate on a daily basis with @yaworsk, @zephrfish, @filedescriptor and @rohk_infosec in a private chat. These guys are all extremely talented and have become like a family to me. It is really great to be able to bounce ideas off other researchers, or to get help with bugs.

Technical Questions

Q: How do you approach a target? What is your routine like? What is your recon process like? What kind of information do you seek in your information gathering process? And how does this information help you?

A lot of people have asked how I’ve found over 300 bugs in a short space of time, so for this question I’m going to detail what I’m currently doing on bugcrowd for that one program.

Firstly, since the scope was large I started with discovering everything they have pointing towards the internet. This was achieved by using sublist3r, wfuzz and altdns. Next I want to find out what (if any) interesting ports they have open, so I’ll scan their IP range.

With lots to play with, I’ll go for the obvious first. Subdomains/directories which contain words like staging, dev, production, qa, admin, test, etc. One key thing I’ve missed before (and many others still do) is not running a dir/file scanner on subdomains. If you visited test.example.com and just saw ‘Access denied’, get a good list and start trying to discover what is on there. phpinfo.php anyone?

Now, there is still more information to be discovered. In comes google dorking. Searching for things like “site: example.com inurl:&”, “inurl:redirect,redir,go,goto,login,register,upload,create,signin,admin”, and not forgetting “ext:swf,php,jsp,aspx,txt” will uncover more interesting endpoints to play with.

Next we see what’s leaked in /robots.txt and /crossdomain.xml (do not forget to scrape waybackmachine!!!), and I’d say at this point I’ve got enough information to start having fun! Now whenever I research, I will always note down recurring parameters I’ve found, as well as parameters which have been vulnerable. I started by looking for the simple things, XSS, CSRF etc and quickly found lots. I soon built a list of recurring parameters, and now in comes the automation.

This site was leaking quite a few endpoints in their robots.txt file, so I simply scraped that, as well as the past 7 years thanks to waybackmachine, and loaded it into Burp Intruder. With a list of known recurring vulnerable parameters I simply tested over 5000 endpoints with ?example=lol" and was quickly presented with lots of vulnerable endpoints.

I was not done yet. I knew there were more bugs. I built a custom script to visit each endpoint and extract all input names, then simply visited that endpoint with all parameters as lol". More vulnerabilities appeared! (note: if you plan on doing this, make sure to try more than just lol", try lol' lol'\ lol< etc. Different reflections etc etc).

Lastly, when visiting a site, always look through their .js files. There are always calls to other endpoints you might not find elsewhere. You can automate scanning .js files to save you time.

So to sum up, find EVERYTHING you can about this site, no matter how old that information is. This means endpoints, sub domains, interesting params, js files etc. Then go crazy! The more information you can find about a site, the more chance you have at finding a vulnerability.

(interesting fact: I am still not done going through all interesting endpoints on this program.. :P)
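As an added example (not the author's script), a small offline checker for the reflection triage described in the answer above: given a response body that reflects a canary followed by the characters from the note (`"`, `'`, `<`, `>`, `\`), it reports where each reflection landed in the HTML and how each character came back, which tells a developer whether output encoding is actually applied in that context. MARKER, the sample response and all helper names are constructed for this example.

```python
import html
import re
# Constructed example, not the author's script: probe = MARKER + PROBE_CHARS in order.
MARKER = "zs7q"
PROBE_CHARS = ['"', "'", "<", ">", "\\"]
# Raw characters that let input escape the context it landed in.
BREAKERS = {"attribute": ['"', "'"], "script": ['"', "'", "<"], "text": ["<"]}

def context_of(body, pos):
    """Classify where in the HTML the marker at `pos` landed."""
    before = body[:pos]
    if before.rfind("<") > before.rfind(">"):
        return "attribute"                 # inside an unclosed tag
    if before.lower().rfind("<script") > before.lower().rfind("</script"):
        return "script"
    return "text"

def classify_window(window):
    """Walk the text after the marker and record how each probe char came back."""
    out, i = {}, 0
    for ch in PROBE_CHARS:
        end = window.find(";", i) + 1      # end of a possible HTML entity (0 if none)
        if window.startswith("\\" + ch, i):
            out[ch], i = "backslash-escaped", i + 2
        elif window.startswith(ch, i):
            out[ch], i = "raw", i + 1
        elif window.startswith("&", i) and html.unescape(window[i:end]) == ch:
            out[ch], i = "html-encoded", end
        else:
            out[ch] = "missing"            # stripped or transformed; do not advance
    return out

def analyse_response(body):
    """One finding per reflection: its context and the per-character encoding."""
    return [{"context": context_of(body, m.start()),
             "chars": classify_window(body[m.end():m.end() + 40])}
            for m in re.finditer(re.escape(MARKER), body)]

def risky(finding):
    """Probe chars reflected raw that can break out of the finding's context."""
    return [c for c in BREAKERS[finding["context"]] if finding["chars"].get(c) == "raw"]

# Constructed response with three reflections: a correctly HTML-encoded attribute,
# a raw text node and a backslash-escaped JavaScript string.
SAMPLE = ('<html><body><input name="q" value="zs7q&quot;&#x27;&lt;&gt;\\">'
          '<p>Results for zs7q"\'<>\\</p>'
          '<script>var q = "zs7q\\"\\\'<>\\\\";</script></body></html>')

if __name__ == "__main__":
    for f in analyse_response(SAMPLE):
        print(f["context"], f["chars"], "breakout:", risky(f) or "none")
```

The script reflection shows why one probe character is not enough: the quotes are backslash-escaped, yet a raw `<` still allows the string to be closed with a script end tag, so only the per-character view gives the developer the right fix.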

Q: Do you always look for all vulnerabilities types when you approach a website?

Of course. I try to automate as many as possible so I can spend more time on high impact bugs such as RCE.

Q: Do you use any tools? Do you have your own tools that you have written to automate/facilitate your work? What Burp extensions do you use? Is there a tool that not a lot of people use that you think they should?

I don’t use any Burp extensions since I feel all I need is Intruder and Repeater. I have written a few of my own custom tools, such as scanning .js files, extracting input names from a list, automatically telling me what’s on a subdomain without me visiting (if the list is big).

Q: This is one of our most popular questions: How do you test for Server Side vulnerabilities such as RCE, SQLi, etc?

For SQLi I will use sqlmap. Now RCE is tricky since a lot of cases are different, but typically when testing I will look for serialized data (either in post data or a cookie), endpoints which “call out” to another site (such as get.php?site=example.com). One common place for LFI is sometimes the “photo viewer” on a website. They sometimes reference it like photo.php?file=derp.jpg. Try and think of common places that might make calls to a database or include a file.

Q: How often do you find a bug that has been overlooked after a bounty program has been established and a horde of researchers have been digging?

Quite often. Simple things like changing the language of a site can uncover more bugs.

Q: Do you think being a pentester, web developer, or being in a related field, helps you with bug bounties? Where should they start?

Yes 100%, especially when it comes to those tricky XSS which require you to create some random HTML that makes zero sense, yet somehow works. I find you can learn a lot by just simply reading the site you’re testing. For example try and understand what their js files are doing, and at the same time you’re learning coding.

Time to wrap it up!

Q: What kind of music do you listen to?

I really enjoy listening to technobase.fm whilst hacking.

Q: What do you do when you aren’t hacking?

Chill with my fiancée, friends & family. Play games. Eat. Sleep? :P

Q: What kind of impact/role have bug bounties played in your life?

It’s enabled me to move out with my girlfriend, purchase a new car, and take many many holidays. It’s also helped me invest in cryptocurrencies!

Q: What is an advice you received as a beginner that helped you with your bug bounty career?

Never give up & test everything possible. If you get that “tingly feeling” about a certain endpoint, do as much research as possible and find that bug! However, you must also not spend too much time on certain things. Know your limits, and don’t be afraid to ask for help.

Q: What is one area of hacking (web, mobile, hardware, etc) you wish you knew more about / plan on focusing your learning on?

Hardware and getting better at mobile hacking. I’ve submitted quite a few bugs within mobile apps, but I’d like to expand my knowledge on this area. I’d also like to get better at spotting areas with RCE. Mongo amazes me how he looks at a site and RCE pops out.

Q: If someone with basic technical background asked you, “where should I start?”, what are 3 things you would recommend they do before diving into bug bounties?

Learn how the internet & websites actually work. Understand it’s YOU who controls what is sent to the endpoint. Fuzz fuzz fuzz! You can send anything you want. Read the response, and go from there. Learn about the most common vulnerabilities, such as XSS, CSRF etc. Read disclosed bugs (blog posts, hackerone activity etc) to see what others are doing.

Q: Someone was eager to know, what do you put on your toast?

Just butter usually. I’m a fan of crumpets personally. (highly recommend you all try them if you ever visit the UK!)

Q: What’s your worst bug bounty story/experience?

One company was really keen on me testing their assets and when I did.. they disappeared. My bugs are still in the “New” state, although bounties have been paid out (after 6 months of emailing them). Very weird experience.

Q: If you had to pick one hacker to collaborate with, who would it be?

Just one? Oh now that’s tough as there are so many talented researchers I’d love to collaborate with. I’d have to say Luke Young (@TheBoredEng) because he is extremely talented and I feel like I could learn a lot from him.

Q: What’s the one feature you would like to see in the platforms?

Each program is lacking some features, so this is a hard question to answer. :P