How a pentester struggled with bug bounties until this new mindset helped him breakthrough
This story is extracted from Cybr’s podcast episode with Hakluke. Check it out along with our other podcast episodes.
“It was a long, arduous, journey to finding my first bug.”
Then one day, Hakluke attended a talk by @shubs that changed his mindset about how to approach bug bounties and helped him breakthrough in finding his first bugs.
Hakluke, a self-made hacker and content creator from Australia, didn’t have a smooth transition from his pentesting background to bug bounties. At first, it was a struggle.
He talked to us on the Cybr Podcast about this transition, what it was like working at Bugcrowd, and how he found his very first bug.
On working at Bugcrowd: “the job title didn’t fully describe what I did”
Hakluke was The Manager of Training and Quality Assurance at Bugcrowd before striking out on his own.
That role came around because he was already a bug bounty hunter and doing quite well at that point. That led to him working closely with them as a bounty hunter. One of the people he was working with for his bug reports eventually got a job at Bugcrowd, and that sparked his interest in the company. That person ended up bringing him into their team.
“The job title didn’t fully describe what I did.” Quality assurance was a huge part, and he was constantly trying to iterate on their triage process to give researchers the best experience that he could.
There was also a training aspect to the role, and he built a new team of triagers that came through their program in order to prepare for the job.
On top of that, Hakluke also managed community aspects, which included creating blog posts and videos for their resources. He even held a virtual hacking conference with lots of great speakers “and that was really fun.”
Of course, sometimes they had to field questions or comments on social media from researchers that might not be happy with a result, so there were certainly challenges to the job.
On finding his first bug: “it was a long, arduous, journey to finding my first bug”
“I had been interested in hacking for a long time, and I had been working as a web developer.”
Instead of sticking to purely to web development, he was curious to focus more on cybersecurity, and he managed to convince his manager to pay for the OSCP certification.
After getting his OSCP and being involved in the community, that same organization hired him as a junior pentester “which was such an exciting day of my life.”
Hakluke mentioned that being involved and active in the cybersecurity community (especially on Twitter) was huge for him. He started following people in the industry and started noticing that a lot of them were bug bounty hunters. “It’s a very strong community on Twitter” and “there’s a lot of great tools and research coming out of it.”
“Bug bounties pay for impact, not for time spent like with pentests.” So tools that get developed by bug bounty hunters can end up having a high impact.
After seeing people developing awesome projects, he wanted to get more involved. Of course, the tweets about people saying “I got a $10,000 bounty!” certainly helped motivate him even more.
Seeing this, and seeing the types of bugs that were earning that amount of money made him really curious, because “a lot of those bugs were bugs that I regularly found in my pentests […] so how hard could it be?”
Turns out, “that was quite naïve because finding bugs like that on bug bounty programs tends to be a lot harder than finding them on a pentest.”
So he signed up for HackerOne and Bugcrowd accounts, and then “didn’t do anything for a long time.” But after a while, he started trying to find bugs during the evening after work.
“I was basically just performing penetration tests on the targets and not finding any bugs at all.”
“The standard penetration testing methodology is something that everyone already knows about and everyone’s already tried all of the things you’re going to try in public programs.”
Hakluke was getting pretty demotivated after not making the progress he was hoping for.
Then one day he saw a talk by @shubs that explained how to use automation to find bugs. By monitoring for changes in an application over time, he was able to find bugs that others weren’t even looking for. Because applications are constantly receiving updates, eventually something will change. That’s when he’d look at it. That’s just not something you do as a pentester, so that really started to change his perspective. It helped him think about bug bounties in an entirely different way.
“Shout out to Shubs if you ever [read] this.”
After that, Hakluke developed a bash script to try and monitor for changes in programs that he was interested in. But he ended up re-coding the entire thing in Python with Django. He then heard that a couple of his friends were working on something similar, so they collaborated on a new platform. They found a bunch of bugs by doing this.
As the automated bugs were coming in, they were able to spend more time manually hacking as well.
On automation that monitors for changes: “that’s a huge advantage”
Let’s say that you’re interested in a Tesla bug bounty program. Since that will likely be a very popular program, the basics will already be covered.
“If you go to Tesla.com and try to XSS the search bar, no doubt, there have been hundreds of people who have tried that before.”
However, if you’re monitoring Tesla for code changes, and one day your automation notifies you that Tesla changed one of the JavaScript files related to the search function, then maybe those changes have introduced a DOM XSS vulnerability. Because it just came out, no one else will have looked at it yet.
This helps you focus and “use your time more wisely.”
On recommendations for bug bounty beginners: “should you focus on one class of vulnerabilities?”
A question that we hear a lot is “should I focus on one class of vulnerabilities as a beginner, or should I look for just about everything?”
This is a tough one to answer because if you focus on more popular vulnerability types, you have more competition. Versus if you are able to find a niche vulnerability that not as many people know about, then you can do very well with that.
Or, if you know of a specific framework, library, or platform vulnerability, you could focus on finding bounty programs that run this vulnerable software and make that “your specialty.”
You could even have automation looking for basic bugs, and then you can focus manually on one or two areas that you enjoy or are really good at.
On automation versus manual bug hunting: “you can categorize bug bounty hunters into 3 buckets”
According to Hakluke, you can categorize bug bounty hunters into 3 buckets:
- 100% automation (ie: todayisnew) – they rely almost exclusively on automation
- The deep diver – they go really deep on a web application and research it as much as they can
- The hybrid – a mixture of automation and manual
“Tooling will never fully replace — or at least not for a very long time — a human looking for issues.” So Hakluke’s philosophy is to let automation help you and enhance your manual efforts. Let automation find low-hanging fruit bugs, and then manually explore more complex apps.
On how long you should spend on a target before moving on: “that’s a really tough one”
“I’ve never been a person who has focused on one program for a long period of time.”
Hakluke actually thinks that’s to his detriment because he’s heard a lot of bounty hunters say that focusing on one program is the way to go. You can go much deeper into that program.
“If you can push through that initial urge to jump ship [and go to a different program], it will serve you well.”
This interview has been edited for length and clarity. The original is available here.
More on bug bounties:
Stored XSS vulnerability in image alt attribute to steal cookies (Bug Bounty)
great idea