‘I stay on targets for a long, long time’: Chackal and Serizao on passion, persistence and partnerships in Bug Bounty

March 13, 2024

The archetypal hacker is a solo freelancer who sits alone at their laptop trying to induce software into misbehaving – but this does not tell the full story.

Some seriously impressive vulnerabilities have emerged from cooperation between ethical hackers (not least at live hacking competitions that are as much about collaboration as competition).

YesWeHack spoke to a pair of hunters about the merits of pooling hacking expertise with trusted peers, as well as the importance of perseverance in a process that is intrinsically about trial and error.

In this interview, ‘Chackal’ and ‘Serizao’ – aka Esdras Dago and William Le Berre of French cybersecurity firm BZHunt – also reflect on their favourite vulnerability finds so far and offer some invaluable tips to aspiring and inexperienced hunters.

Their advice carries no little weight given their presence on the all-time leaderboard: Chackal currently in 12th position, Serizao in 21st (note: their positions were different when the interview was conducted).

SERIZAO AND CHACKAL ON HOW THEY GOT STARTED IN BUG BOUNTY…

Serizao: I started in Bug Bounty thanks to a co-founder of YesWeHack, who came to give courses at CentraleSupélec [an elite engineering school in France] about finding vulnerabilities in applications. All the reports were made on YesWeHack. After meeting him, I decided bug hunting was something I liked and tried to dig into.

Chackal: I started Bug Bounty with a friend, and we spent every evening bug hunting together, but we couldn’t come up with much because we didn’t have a good methodology.

Then I was lucky enough to meet Serizao and Hisxo as well as other bug hunters from the YesWeHack platform, with whom I started to collaborate, and since then we’ve continued talking about Bug Bounty and doing more of it.

ON WHAT THEY LIKE MOST ABOUT YESWEHACK…

Serizao: What I like most about YesWeHack is how close it is to the community. It doesn't matter what you want to talk about: as long as it has something to do with Bug Bounty, you'll find someone on the other side who will understand and even give you ideas.

In particular, it’s not unusual for me to talk to [hacker and YesWeHack R&D engineer] BitK about certain bugs where I sometimes get stuck, in order to progress and achieve a successful exploitation. Sharing is caring!

Chackal: I like hunting on YesWeHack because the platform is pretty cool, pretty simple and I'm a very simple person – so I like when the options are straightforward and there aren't 50 sub-menus!

ON THE THREE WORDS THAT BEST DESCRIBE THEM AS HACKERS…

Serizao: Resilient, passionate and, once again, passionate – because you have to be resilient.

Chackal: I'd define myself as patient and persistent because I like to stay on the same targets for a long, long time, which allows me to find bugs that some people won't find because they haven't spent as much time on the target.

And lastly, passionate, because without passion it would be impossible to stay on these targets for so long.

ON THEIR FAVOURITE HUNTING TOOLS…

Serizao: I like everything that involves recon, so the tools I use include Burp Suite of course. But there are other tools that I’ve created that correspond to my needs.

Chackal: Mainly, I use Burp Suite because it allows me to inspect requests, especially Burp Suite with the PwnFox plugin, which allows me to quickly see differences between requests and therefore between the privilege levels used for the test accounts I create.

I also use 2-3 small extensions like Wappalyzer to try and quickly see the technologies associated with a target I’m attacking. And if I need to do a bit of recon because we have quite a wide scope, I use the wonderful tools that William [Le Berre] and Jomar have developed, like ‘EyesInTheSky’, WappaGo or Hunt3r.

ON THEIR HUNTING METHODOLOGY…

Chackal: I start by reading the description very scrupulously, because I know that many people sometimes go over it quickly – despite the fact you can learn a lot, especially if there’s a link to the application documentation.

Then, as I’m very focused on vulnerabilities relating to access control, I try to understand the application as much as possible, so that I can spot any behaviour that isn’t normal and could lead to a security problem.

Serizao: My thing tends to be everything around XSS. I search in the JavaScript and in the JavaScript files, looking for new parameters, new endpoints… something to build on what I initially saw of interest in the application – like other parts of the application or platform that I didn't see at first glance.

ON THE VULNERABILITIES THEY ARE MOST PROUD OF…

Serizao: With a certain bank [application] I discovered that it was possible to make negative transfers – which meant that instead of taking money from my account and paying it to a third party, it took it from the third party and put it in my account. So the reaction of the internal team was funny!

Chackal: It’s a fairly simple vulnerability: a blind XSS present in an account deletion feature.

To delete your account, you were asked why you wanted to delete it, so in that field I injected a payload that gave me access to the administrator section, which normally isn’t accessible to a normal user of the site. This gave me access to the underlying functionality of this section, as well as any personal data it could contain.

THEIR ADVICE TO WOULD-BE AND NEWBIE HUNTERS…

Serizao: Above all to be very patient, to get to know as much as possible about the applications you're going to target, and to try and understand how the platform has designed its functions.

Chackal: Based on my own experience, I’d say you need to be surrounded by people who want to teach you, which makes it easy to share ideas and go a bit further than you might have otherwise thought possible.

And secondly, you need to find a program with a huge number of features, so that you can stay on it as long as possible and get to know the application well. This way you can spot potential features that will lead to the discovery of vulnerabilities or behaviour that shouldn't be there – and enable you to dig even deeper.
