Thank you for doing this interview! Can you please introduce yourself?

My in real life name is Sam but I go by “zlz” on HackerOne and Twitter. I’m from the central United States and I’ve been hacking for about three years now. I got started after spending some time on a game called “Runescape” and exploiting non-technical logical issues like invisibility through a series of permitted actions within the client. I’m in love with HackerOne as of now and will probably be staying for a while.

Q: How do you manage your personal life, work, and bug bounties? Do you do bug bounties as a job or a hobby?

At the moment my only obligations I have are my work, girlfriend, and family. I’ll spend pretty much every night (11:00 P.M.-4:00 A.M.) on my computer either reading or hacking stuff, but this will change once the summer is over. If you haven’t already guessed bug bounty is just a hobby for me, but one that consumes a huge portion of my interests. It’s sometimes hard to manage my personal life because I’ll get super obsessed with an endpoint to the point of having it cloud my thoughts the next day. I’ve learned to systematically schedule my day so each event is isolated from one another, but it can be hard to mentally force myself into this pattern.

Q: How much time do you spend on Hunting for Bugs? On average, how many bugs do you think you report per month?

Each day I’ll spend maybe six hours doing infosec related stuff, but only about two of those are designated to actual hunting. Based on that I’m probably spending anywhere between 14-18 hours hunting bugs. I think it’s very important to spend time reading up on current events and techniques you have little experience with because one day you’ll glance over something during pentesting and either say “hey, I think I know what this is! <insert payload” or if you haven’t been reading that much “that is confusing, but I guess I can come back to it or phone a friend”. I’ll report anywhere between 5 and 15 bugs in a month but lately I’ve been spending more time searching for more critical bugs so that number has dipped.

Q: How long did it take you until you found your first significant/high impact/payout vulnerability?

Seven months, ten duplicates, four N/As, and one valid low severity.

Q: Of all the bugs you’ve found, what was your favorite/most interesting?

My favorite (and most interesting) bug was when I was able to inject carriage-return line-feed symbols into a Yahoo mail function. What I was able to accomplish was (1) ability to pretend to be any “@yahoo.com”, and (2) spear phish victims using malicious attachments and hyperlinks. This bug was really interesting because I hadn’t ever seen anyone exploiting this nor write about it. It was very similar to HTTP header injection but just with email headers. You can read the writeup here if you’d like.

Q: When and how did you have your breakthrough? When did you realize hacking and bug bounties was something you wanted to dedicate your time to? Please share your insights and the problems you faced to becoming an established bug bounty hacker?

Thinking back in time a little bit I had two moments when I knew I wanted to get fully involved with bug bounty. The first was when I received a $250 bounty from PornHub after emailing their security handle and stating that they invalidly closed my report, and the second was when I met Jon Bottarini and he invited me to the “bug bounty forum” slack group. It may sound super staged since this AMA is being hosted on bug bounty forum, but when I joined the community I felt super comfortable since everyone was super friendly and resourceful. From that point forward I established relationships with people who are now really close friends. One of my biggest insights as a hacker is that the “HTTP tamper” firefox extension shouldn’t be my go-to proxy tool. For any new hackers out there, please learn how to use BURP Suite. It’s an AWESOME tool that may look a little intimidating at first, but provides such an extensible array of tools that can be used in your day-to-day arsenal. One of the biggest issues I had was overcoming the mental gap of “the vulnerabilities on this host are few and far between, so it’s not worth pentesting”. The way in which I did so was deciding to primarily target the host I was so scared of until I identified SOMETHING vulnerable. It worked because when I did find that vulnerability, I felt as if there were dozens more just around the corner.

Q: What do you do to keep up with all the new trends?

I’ll spend a few hours on Twitter reading blogs, articles, and forum listings relative to infosec. I’d really recommend establishing a network of hackers to follow in order to easily get updates and content from within the community.

Q: Do you collaborate with other hackers? Can you name a few?

Of course. I spend a lot of time pentesting on Yahoo with @thedawgyg, speak to @jon_bottarini frequently, and keep in touch with @ibram and @RojanRijal about potential and current projects we’re working on.

Technical Questions

Q: How do you approach a target? What is your routine like? What is your recon process like? What kind of information do you seek in your information gathering process? And how does this information help you?

Before I ever start a scan (if it’s a new host) I’ll just load the website normally and try to understand its structure. I’ll keep notes of directories that I’ll go back and dir bruteforce later, file extensions, and different servers (noticing altering patterns of nginx, apache, etc.). After a while I’ll switch to a more active session where I’ll check each request one-by-one as well as any areas that I’ve marked as potentially vulnerable (file uploads, update profile, etc.). After a while I’ll brute force subdomains and fingerprint each one individually. The information I’m looking for is anything that will help increase severity of a discovered vulnerability or vulnerabilities themselves. I’d recommend a session spent understanding a host before actively looking for vulnerabilities. If you see something you’ve never seen before then spend some time getting to know it. There have been times where I’ve replicated environments so I could see what would work, wouldn’t work, and the result of each request.

Q: Do you always look for all vulnerabilities types when you approach a website?

Both yes and no. If I see something that looks vulnerable to something specific, I’ll attack it with whatever’s specific. Most of the time I approach a website with an open mind, but if there’s something individually I want to look for then I’ll orient myself to look for that. I keep references of file upload, image update, and interesting little functions that may one day be vulnerable to something cool (an example is the recent FFmpeg vulnerability).

Q: Do you use any tools? Do you have your own tools that you have written to automate/facilitate your work? What Burp extensions do you use? Is there a tool that not a lot of people use that you think they should?

I’ll use sublist3r and dirsearch, but that’s about it. No. I’d recommend using “PwnBack” for BURP Suite as it allows you to check the site as it was in the past. A lot of the time you’ll discover that developers never deleted that old vulnerable file. I’d love to start developing my own tools but don’t have an issue that I’d like to solve as of now.

Q: This is one of our most popular questions: How do you test for Server Side vulnerabilities such as RCE, SQLi, etc?

I’ll use input like “sleep” when checking for code/command/SQL injection but host a separate domain that logs all DNS requests for SSRF. This area can be iffy, because most of the time you’re attempting one of these server side vulnerabilities there won’t be a window to see what’s going on. My best tip for this is to check the programs policies. If they don’t want you to use an automated scanner, then don’t use an automated scanner. If that’s not listed then by all means use SQLmap to prove that there is in fact a vulnerability. As a hacker you shouldn’t ever overextend your engagement unless explicit permission is granted. There are dozens of stories where people will lose 50-100% of their bounties for sending “cat dbpasswords.txt” instead of “touch iwashere”.

Q: How often do you find a bug that has been overlooked after a bounty program has been established and a horde of researchers have been digging?

Pretty often. Something that stands out was an XSS I reported on sports.yahoo.com where I was able to inject inside the parameter instead of the parameter value. The request looked something like ?value[“a”]=1, but I changed it to ?value[“<script>”]=1 and it executed. This is a good example because I’ve never seen an automated tool that scans the parameter itself meaning that a pair of human eyes on a “scanned to death” portion of the site is all it really takes to find something interesting.

Q: Do you think being a pentester, web developer, or being in a related field, helps you with bug bounties? Where should they start?

Yeah of course! There are DOZENS of places to start, but I’d personally suggest developing with a LAMP/WAMP stack (PHP, Apache, MySQL) in order to both create code and break code for those first couple poorly designed applications. I’ve known people who come from reverse engineering backgrounds as well as completely non-technical backgrounds.

Time to wrap it up!

Q: What kind of music do you listen to?

I listen to a lot of everything, but mainly Ska.

Q: What do you do when you aren’t hacking?

Breaking and entering - duh. Just kidding. I spend a lot of time job hunting and preparing for college.

Q: What kind of impact/role have bug bounties played in your life?

After just a few months of doing bug bounty I was able to purchase a car that everyone in my family uses. We used to be somewhat financially bent, but things have progressed since then. I’ve been working less at my fast food job and focusing more on school/career related ventures.

Q: What is an advice you received as a beginner that helped you with your bug bounty career?

Nothing comes easy. Sure - maybe you hit the jackpot and find something by mistake - but that won’t repeat often. If you dedicate your time towards widening your scope of knowledge instead of slashing a knife at a program blindfolded you’re more likely to make a career out of it.

Q: What is one area of hacking (web, mobile, hardware, etc) you wish you knew more about / plan on focusing your learning on?

Low level stuff! Assembly! C! If it deals with memory, I couldn’t tell you more than a couple sentences about it.

Q: If someone with basic technical background asked you, “where should I start?”, what are 3 things you would recommend they do before diving into bug bounties?

Put some time towards understanding the basics of the internet. What is HTTP? How does it work? What is a “SYN” request? Find a programming language you like and code in it for a while. You don’t have to get super involved, but spend some time making mistakes. Come to the realization that you’re probably not some genius who knows more than everyone. I’ve seen so many people fail in this because they feel that they’re some incredible computer prodigy because they succeeded in a smaller environment.

Q: Someone was eager to know, what do you put on your toast?

Cinnamon and butter!

Q: What’s your worst bug bounty story/experience?

Having something marked as invalid because it fell under the realm of “social engineering” through existing as a technical attack. Note: this was not me attempting to talk to a staff member, but an embeddable image being used to trigger “HTTP 401 Basic Authentication” on every page on the website. You seriously couldn’t browse without being asked to enter credentials that would go to my domain, and in addition it logged your browser agent and IP address.

Q: If you had to pick one hacker to collaborate with, who would it be?

I’d probably pick @dawgyg. He’s a great hacker and we have matching approaches that work well together.

Q: What’s the one feature you would like to see in the platforms?

Additional documentation, tutorials, and demonstrations on how to manage taxes. There are a lot of people making a lot of money who don’t know anything about taxes.

Q: What’s your favorite text editor?

Notepad++. I’m a windows fan boy.