‘Hunters’ biggest mistake? Expecting immediate results’: ‘RL’ on building a Bug Bounty career

March 22, 2024

YesWeHack Bug Bounty Hunter RL

Covid-19 lockdowns gave people unprecedented amounts of spare time to reconsider their careers and try out new hobbies.

Among those to pursue their dreams was 19-year-old ethical hacker Harel, who discovered the joys of breaking into applications for legitimate reasons while still at school.

In our latest bug hunter Q&A, the US-based Israeli – alias ‘RL’ – also reflects on how long it takes to learn Bug Bounty and why going straight into Bug Bounty might not be the wisest first step.

RL ON HOW COVID LOCKDOWN SPARKED HIS INTEREST IN HACKING…

I was 15, it was quarantine and we had no school. I honestly had nothing to do, so I kind of picked up hacking for some reason.

I played a little bit of Hack The Box and then a few months later I moved on to Bug Bounty. I found my first bug, which was a reflected XSS. After that was triaged, I picked it back up again and started hacking even more – and that’s pretty much it.

ON HIS FAVOURITE HACKING TOOLS…

My browser! Burp Suite is the one that I use 24/7. [It also depends] on what program I’m hunting on and what I’m currently doing.

ON THE UNDERAPPRECIATED VALUE OF DOCUMENTATION…

Documentation is highly underrated in my opinion.

If you’re working on WAF bypasses, which I do a lot, [it gives you] a strong understanding of whatever you’re hacking. For me, it would be JavaScript usually or little browser quirks. [Documentation is] a goldmine of information in my opinion.

ON HIS HACKING METHODOLOGY…

When I approach a target I don’t have much of a methodology, but I try to see what’s going on in the website, how it works, all of the different technologies, all of the weird stuff that happens in it – specific things like parser confusion, things that I really like looking for.

And when I find a lot of these weird little pieces of the puzzle, I kind of put it together and eventually create a really cool bug. And that is, I think, the most fun part about it.

Sometimes I also have the documentation by my side and just scroll through the documentation if I’m trying to find a WAF bypass or something.

So: a lot of documentation-reading, a lot of trial and error and a lot of putting pieces of the puzzle together.

ON HIS MOST IMPRESSIVE BUG FIND SO FAR…

My most interesting bug was not necessarily my most critical one, but was a cache poisoning vulnerability in Glassdoor. It was pretty interesting because it abused the URL parser confusion between the front-end server and the back-end server.

So I was actually able to use an uncacheable header XSS and trick the CDN into caching it by abusing a caching rule and the path traversal, and pretty much get a stored XSS through there.
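A toy model of the front-end/back-end URL parser mismatch described above, added here as an illustration (it is not code from the interview, YesWeHack, or Glassdoor's actual configuration): a weak cache rule that matches the raw path, the origin's own path resolution, and a hardened rule that canonicalizes the same way the origin does and honors Cache-Control. All prefixes, paths and headers are constructed.

```python
# Added illustration, not the interview's or any vendor's code: a toy model of
# the front-end/back-end URL parser mismatch behind the cache-poisoning bug RL
# describes, plus the hardened cache rule that closes it. All names are constructed.
import posixpath
from urllib.parse import unquote

# Constructed CDN policy: anything under /static/ with an asset extension is cacheable.
STATIC_PREFIX = "/static/"
STATIC_EXTS = (".js", ".css", ".png")

def origin_route(raw_path: str) -> str:
    """Back-end view: percent-decode, then collapse dot segments.
    '/static/..%2Fprofile' therefore resolves to the dynamic '/profile' handler."""
    return posixpath.normpath(unquote(raw_path))

def weak_cache_rule(raw_path: str) -> bool:
    """Front-end view of the weak rule: match the raw, undecoded path prefix.
    It never notices that '..%2F' leaves the static directory."""
    return raw_path.startswith(STATIC_PREFIX)

def hardened_cache_rule(raw_path: str, origin_headers: dict) -> bool:
    """Hardened rule: canonicalize exactly as the origin does before matching,
    and never store a response the origin marks private or no-store."""
    cc = origin_headers.get("Cache-Control", "").lower()
    if "no-store" in cc or "private" in cc:
        return False
    canon = origin_route(raw_path)
    return canon.startswith(STATIC_PREFIX) and canon.endswith(STATIC_EXTS)

def audit(requests: list) -> list:
    """Return raw paths where the two rules disagree: each is a cache key the
    front end would store even though the origin served a dynamic, uncacheable response."""
    return [p for p, h in requests if weak_cache_rule(p) and not hardened_cache_rule(p, h)]

# Constructed sample traffic: (raw request path, response headers from the origin).
SAMPLE = [
    ("/static/app.js", {"Cache-Control": "public, max-age=3600"}),
    ("/static/..%2Fprofile", {"Cache-Control": "no-store"}),  # reflects a request header
    ("/profile", {"Cache-Control": "no-store"}),
]

if __name__ == "__main__":
    for p in audit(SAMPLE):
        print(f"parser disagreement: cache sees {p!r}, origin serves {origin_route(p)!r}")
```

The audit flags only the second sample, which is exactly the shape of request a defender wants a cache layer to refuse: the front end files it under a static-looking key while the origin treats it as a user-facing page.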

ON THE THREE WORDS THAT BEST DESCRIBE HIM AS A HACKER…

I think I’m creative – I always like finding new ways to abuse vulnerabilities or find them; lazy – I don’t have much of a set methodology, but in some ways it actually helps me; and motivated.

HIS ADVICE FOR HUNTERS STARTING OUT IN THEIR ETHICAL HACKING CAREER…

The biggest mistake that I think I see people make – well, there are a few – but the biggest one is expecting results immediately and not staying consistent. It took me a year to find my first bug, maybe two years to get my first paid bug, so it takes time.

Meanwhile, what you want to do is, instead of getting frustrated with Bug Bounty, don’t start out with Bug Bounty. You can, but it’s hard.

What you do instead is play CTFs, do hacking labs, stuff like that, and, honestly, just have fun with it. You won’t be making money – you likely won’t be making money for quite a while – so just have fun, learn, challenge yourself, stay consistent.

Stay consistent – consistency is very important. Make sure you actually have fun and enjoy what you’re doing. If you don’t enjoy what you’re doing – and I think that goes with anything – you probably won’t be very good at it.

So you really want to enjoy it. The more you enjoy it, the more you’ll want to do it; the more you want to do it, the more consistent you will be. So the more you do it, the better you’ll get. I think that’s my biggest advice. Also, [do] CTFs!

Interested in emulating RL? Learn more about hunting through YesWeHack, sharpen your hacking skills on Dojo, or learn about the latest hacking tools and techniques on our blog.