Thank you for doing this interview! Can you please introduce yourself?

I am Mathias Karlsson, from Sweden. I’ve been hacking for 12-13 years now. I started (trying at least) programming when I was 11, a year or so after I discovered IRC, wargames and different hacking forums. Fast forward a couple of years, I co-founded Detectify where I got to know the one and only @fransrosen. After that it’s been an ongoing learning experience :)

I’ve participated on Bugcrowd, Hackerone, Synack, Zerocopter, Cobalt and a bunch of non-platform one’s too.

Q: How do you manage your personal life, work, and bug bounties? Do you do bug bounties as a job or a hobby?

Currently I work 50% with application (mostly web) security assessment as a consultant. The other 50% (really more than that) goes to research, bug bounty, tool development or whatever else is fun at the moment. I’ve participated in bug bounty consistently since the end of 2013 and I do consider it my job.

Q: How much time do you spend on Hunting for Bugs? On average, how many bugs do you think you report per month?

In bug bounty, I hunt between 20 and 80 hours per month. My average bugs per month is 7.317, since february 2013. My average 2017 is 12.6.

Q: How long did it take you until you found your first significant/high impact/payout vulnerability?

High impact: A week or two. I found an RCE (file upload image.php.png) in one of the first Bugcrowd sprint bounties. With that said, I already had a lot of experience with web application testing so I didn’t “start from scratch”.

High payout: I found an XXE together with @almroot on Google around 3 months in. That one paid $10k How we got read access on Google’s production servers.

Q: Of all the bugs you’ve found, what was your favorite/most interesting?

Favorite: I discovered an AngularJS sandbox bypass that the Google team used to confirm an XSS ($5k bounty). It’s my favorite because I honestly didn’t think I could do it, so when I realised I was more than excited :) http://avlidienbrunn.se/angular.txt

Most interesting: I found a really weird SSRF in a private program. They had an API where you could update an image via URL. Naturally I tried local addresses, different ports and finally different protocols.

I setup a listener on my server, and when I tried “telnet://myserver:80/example.png”, expecting it to connect and fetch the image, it actually sent a memory dump. In it was all kinds of sensitive data, DB credentials, API keys, bcrypt hashes cached in user’s session, cached source code… You name it. This was almost a year ago and I’m still dumbfounded by it.

Q: When and how did you have your breakthrough? When did you realize hacking and bug bounties was something you wanted to dedicate your time to? Please share your insights and the problems you faced to become established Bug bounty hacker?

In the beginning I just saw it as a way to get some extra cash, as well as (blogging) good PR for Detectify. Dupes made me stop for a while, but dupes was also the reason I got hooked. The excitement of “ha! I found this before everyone else :D” never gets old for me.

Being active on twitter/IRC, blogging about techniques/bugs, meeting bug bounty people IRL helped to get into the community. I never really had any problem with getting into the platforms since I was participating from the start.

To be successful in bug bounty I think these two things are critical:

Don’t think “everyone else has looked, there’s nothing left”. Approach every target like nobody’s been there before. Don’t find anything? Choose another one, there’s literally hundreds these days. Find an unexplored niche. Notice a lot of bounty programs run the new FancyPantsXYZ framework/platform/system? Check what kind of security issues that can arise from that and apply it. Look at previous research on them and/or set up a test system and play with it.

Same applies to client-side bugs. Keep your attention at researchers in the area (for the client-side example, @0x6D6172696F, @garethheyes, @filedescriptor etc), follow the browser dev blogs and/or issue trackers. Crave more? Fiddle with browser features and try to find anomalies that would fit in The Tangled Web. Oh and on that note, read a book/see a talk on the subject. Understanding what you’re attacking is key.

Q: What do you do to keep up with all the new trends?

Twitter, /r/netsec, IRC, colleagues, issue trackers, CVE list, security mailing lists (honestly I almost never read the mailing lists, but I do recommend it).

Q: Do you collaborate with other hackers? Can you name a few?

Yes, for tools and bugs! @fransrosen, @nnwakelam, @almroot, @0x4A6448/@jelmer, @infosec_au. If anyone would like to collaborate, I’m more than happy to add to that list.

It can be a bit of a pain with the platforms though. The way that I’ve done it in the past is for one of the hunters to create a “dummy report” where 50% of the bounty is assigned. Would really like to see the platforms push more for collaboration. Technical Questions

Q: How do you approach a target? What is your routine like? What is your recon process like? What kind of information do you seek in your information gathering process? And how does this information help you?

My routine is basically to start all automation for the target and then head right in and examine. Spending too much time on recon has been a mistake I’ve done in the past. By the time I start to hunt for bugs I would then be either too exhausted or bored to dig deep.

Tools: wfuzz, massdns, private fork of assetnote, masscan, different OSINT, some other custom/not custom depending on tech stack.

To keep it short I’ll mention two tricks that I think are valuable and not too widely applied:

Use an auto-updating wordlist. Found the subdomain “assets.example.com” on more than 2 different targets? Add “assets” to the wordlist. Want speed? Sort by whichever subdomain “name”/“part” is most common throughout your programs.

For example, let’s say you have access to 3 targets, A.tld, B.tld, C.tld and these are your subdomain results:

A.tld

blog.A.tld www.A.tld

B.tld

blog.B.tld admin.B.tld

C.tld

s3.C.tld blog.C.tld admin.C.tld

Since the word “blog” has been found 3 times and “admin” only 2 times, you should test “blog” before “admin”.

That’s how I sort my wordlists.

Use change detection to find new bugs in old programs. Some programs will give updates when they made a change, but most will not. So how will you know when there’s new code/potential bugs? I use three methods to detect changes in old programs.

The first is a custom tool that will index “interesting” parts of a given application and when one of those changes I get notified.

The second is pretty similar, it’s a monitoring tool called visualping (https://visualping.io/). Basically, you get an e-mail when the visual changes for a given application (think: they take a screenshot every day and see if it changes).

Third is to simply sign up for any dev/general newsletter they have. Yes you will be spammed. But some will be valuable spam!

Q: Do you always look for all vulnerabilities types when you approach a website?

I try to look for all bug types relevant to the tech stack that the target is using, as well as exclude any bug types that are likely not there. Since bug bounty is a constant struggle to keep a high time vs. bounty I think it’s important to also consider what not to look for.

Q: Do you use any tools? Do you have your own tools that you have written to automate/facilitate your work? What Burp extensions do you use? Is there a tool that not a lot of people use that you think they should?

Yes. Yes, 99% of my recon and some testing is automated. I use a bunch of different Burp extensions based on what the target is running. One that I use for all is “Reflected Parameters”, it’s great for quickly finding XSS/other client-side bugs.

Q: This is one of our most popular questions: How do you test for Server Side vulnerabilities such as RCE, SQLi, etc?

Well. I use a “one-payload-for-all” approach for server-side template injection/XSS, so that can find RCE I suppose. For SQLi I just try manually especially in common places like ?order_by=desc where they might have been forced to write custom queries instead of prepared statements. Sometimes I use this https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/, but WAF’s gonna WAF, so…

Q: How often do you find a bug that has been overlooked after a bounty program has been established and a horde of researchers have been digging?

No idea. I try not to think about how many have looked before me. There’s really no way to know if a certain part is well tested (except maybe on Synack where you get to see other people’s report titles). I find subdomain takeovers regularly, so I guess for those it’s pretty often?

Q: Do you think being a pentester, web developer, or being in a related field, helps you with bug bounties? Where should they start?

Absolutely! How can you know how to abuse a system if you don’t know how to use it? I’ve worked as a web developer and pentester and both have taught me things that I have used in bug bounty.

Web developers: Read up on common web application flaws, pick a program that seems interesting then go for it! Reach out to me or someone else in the community if you want help.

Pentesters: Do you want to do bug bounty? Then pick a program and do it. It’s the same principle except that your goal is more inclined to finding bugs fast instead of “wide”. It’s excellent training for working as a pentester too.

Time to wrap it up!

Q: What kind of music do you listen to?

I like silence + noise cancelling when I hunt/build. Otherwise, Sabaton has been my gym buddy for the past few months.

Q: What do you do when you aren’t hacking?

Play chess and get angry like a child when I lose. Drink beer. Go to the gym… Play CTF? I guess that’s hacking…

Q: What kind of impact/role have bug bounties played in your life?

Huge! It’s given me the freedom to work towards my own goals. Since I have a stable income from bug bounty, I only have my other job(s) because I want to. And that’s awesome!

Q: What is an advice you received as a beginner that helped you with your bug bounty career?

Honestly, I mostly remember “RTFM” as far as advice went when I started out. It did help though, I try to think “will 10 minutes of research give me the answer?” before I ask questions and a lot of times that gives me the answer (and more).

Q: What is one area of hacking (web, mobile, hardware, etc) you wish you knew more about / plan on focusing your learning on?

Reverse engineering/binary exploitation. I’ve become decent at x86/x64 pwnables in the last year but I would like to also become decent at windows, arm and maybe mips.

Q: If someone with basic technical background asked you, “where should I start?”, what would you recommend him/her do before diving into bug bounties?

RTFM.

On a serious note: don’t jump into bug bounty before you’ve at least got the basics down. When you do, don’t let dupes get you down. Let them be in-data to improve your bug bounty hunting process.

Q: Someone was eager to know, what do you put on your toast?

Marmalade and cheese. Mmmm…