The Hacker Mind Podcast: Bug Bounty Hunters
You’ve probably heard of bug bounties. But did you know there’s an elite group of bug bounty hunters that travel the world? Meet Stok; he’s one of them.
In this episode, Stok talks about his beginnings in enterprise security and his transition into the top tier of bug bounty hunters. Star of his own popular YouTube channel, Stok believes in community and in giving back what he’s learned along the way.
Listen to EP 09: Bug Bounty Hunters
Vamosi: So there was this one time, during the annual Hacker Summer Camp in Las Vegas, I went to the casino at Caesars with a friend. I don’t gamble, but he did. And as I watched, it was clear to me that someone there knew how things worked, this unassuming guy across the table who was professional, cool and winning hand after hand. My friend didn’t do so well that night. He lost some money, but not a lot. As we were leaving the casino, I mentioned the guy and my friend said, “Yeah, I saw him, and I thought he was probably a pro, but I also thought maybe I could beat him.” Then my friend gestured to a bank of elevators where the door had just closed on three men in suits. They looked like they were going to the office, to work, but this was Caesar's Palace, and it was like 10pm. No, they were taking the express elevators to the more expensive rooms at the top. And once there, down one of the hallways, behind a nondescript hotel room door, there was a whole other level of gambling going on, one that only the elite players got invited to play. I can only imagine what kind of money and reputation got you invited to that world.
Turns out, there’s something similar within the hacking community. Sure, there are the elite researchers. There are the elite CTF players. There are even elite pen testers. But there’s also an elite group of bug bounty hunters, people who are sponsored to fly around the world to find and report vulnerabilities in products we use everyday -- like Uber, AirBnB-- and get paid well for their efforts. And in a moment, you’ll meet one of them.
Welcome to the Hacker Mind, an original podcast from ForAllSecure. It’s about challenging our expectations about people who hack for a living. I’m Robert Vamosi and this episode I’m talking about the Live Hacking Events sponsored by various bug bounty organizations and also about those who want to give back to the community, like Stok, a Swedish hacker who participates in some of these elite bug bounty challenges, is the star of his own popular YouTube channel, and has some advice for anyone wanting to get started in hacking.
Stok: In the early 90s, when everyone was just not having the internet, that's kind of where I started my journey.
Vamosi: Like a lot of us, information security wasn’t necessarily our first line of work. I started in journalism. Fortunately I was covering security for ZDNet from day one, and eventually got pretty good at explaining infosec to others. Stok, he also started out more with more humble interests.
Stok: I started building computers, that was the first thing because personal computers were one thing, but but back in the days they weren't really that you bought all off-the-shelf items. Laptops wasn't really a thing, so people were just building these custom computers. I started to do that, this is the mid-area between everybody running IBM stuff into the custom computer. So I did that. That's kind of where it all started for me and I was really deep into the bulletin board system thing.
Vamosi: I know, it’s hard to think back, but remember these were the dark ages, before the graphical internet we know today. You would literally have to know the phone number for a particular BBS then dial in-- and some times you were also charged long distance telephone rates, which meant that chatting online could be expensive. But, if you participated enough, you might hear of another BBS and another, so you wrote all those down and later could dial in and check them out. Mind you, this was pre-internet as we know it today. There was no central listing, except whatever you gathered on your own. No infosec Twitter or Discord. There was no webpage you could view; again, the internet we know today didn’t yet exist. . So you had to know someone who knew someone who was savvy enough to create and moderate these bulletin boards. Moderation was important; sometimes conversations got way out of hand quickly.
Stok: You actually put up a modem and just dialed a number in another modem answered and there was this ASCII art website-ish thing that you could use. You can post messages, you could download, maybe crude songs and pictures and that kind of stuff. Internet speeds were the best or bandwidth wasn’t the best because there were issues with shitty modems. And so I was really invested in that. I like that kind of social interaction part.
Vamosi: That changed in the early 1990s, with the graphical World Wide Web, with web browsers, and gradually with more direct access to the internet without the need for telephone modems.
Stok: So when the internet came to Sweden in the late 90s, I fell head over heels in love with newsgroups and everything that was like IRC related, but I wasn't really interested in hacking or security. I knew hacking as a culture that was a part of, you know, the warez trading scene, and everything else, like cracking games, and do stuff, but I didn't. I wasn't really interested in security because I was mainly interested in enterprise infrastructure, how to design, big LANs for for networking on organizations like getting file shares up and running so I was an early adopter of Windows infrastructure like Windows, and early, Windows for Workgroups later on, like, NT 4.0 and such. And so when everyone else was running Novell networks, I was really deeply invested into what would become Active Directory at a later stage. So I kind of invested about 25 years into designing and hardening Active Directory solutions, and somewhere around 2013 or 2014, I was really invested in Azure, or cloud-based solutions. So, that was, that was a really, the turning point for me because I realized that okay if we're going to move all these servers that we spent so much time on hardening and security, securing behind a perimeter, now we are just putting it on somebody else's data center, without questioning what we're doing. I figured out that I kinda had a knack for identifying misconfigurations because I know where people cheated. And so you started to do more offensive work after that just hardening solutions by doing the offensive work trying to break in then fixing it trying to break in fixing it teaching other people how to do that. and then fixing it. That’s when bounties came on the radar for me. It kind of came on my radar somewhere around 2017.
Vamosi: In 2017, Stok created a YouTube channel designed around two things: teaching hacking skills and building community. The original episodes are in Swedish, but switched to English as his audience grew. And later that year he attended his first Hacker Summer Camp.
Stok: I went to DEF CON in 2017. That was the first time I got to go to DEF CON. It's not cheap to travel to the US and stay in Vegas. If you're not having a sponsor to pay for you to go. So I saved a lot of money to go. And when I got there, I was so inspired by the whole hacker culture that surrounded DEF CON and Black Hat and, I more or less kind of social engineer myself into a Hacker One Live Hacking Event, which used to be at the bar, and I saw these amazing hackers there that that were sitting at their Macbooks. Hacking away. They were breaking this kind of software target that they were hacking, and I was so amazed that you allowed to do that without getting, you know, getting legal issues with that. Like how to do these things, anything you want, and there will be no reprimand, there will be no consequences, and we get paid massive amount of money for it. Like, oh my god, this is too freakin amazing. How can I do this? And after that, I invested almost all my waking hours into learning web application pen testing, because coming from the infrastructure side. I never really poked at web apps I still, still can't code for shit. To be honest, I know PowerShell, but you're not building any web apps with PowerShell, are you? So for me that was kind of the whole journey, and I've been doing it. I wouldn't say daily but almost, it seems that poking at something is really, really fun. Also coming from those days where if you use by accident poked at something, would be like straight go to jail card, or it would be a really problematic thing where people think that hackers equals criminals, which is not true at all. Hackers are extremely curious people with a big skill set, and you can decide to be good or bad. I just fell in love with it, and I've been doing it ever since.
Vamosi: Something else happened at DEF CON that year, Stok began to make connections with some of the leaders of the bug bounty community that existed at the time.
Stok: Around 2017, and I went to DEF CON that that summer for hacker summer camp and I started to look up each and every talk that I could find. And there were particularly two people that stood out for me and it was. Jason Haddix, and Ben Sadeghipour who are, or Nahamsec -- I probably use trashed his name there. But those guys who stood out as two of the most leading people inside the bug bounty or web application pentesting space at that time, especially when you're not doing like the classic OWASP Top 10, you're doing more interesting fun stuff like recon and trying to identify things, and I said to myself, one day I'm like I'm so inspired I wouldn't be like those guys if I had the chance to meet those guys. I'm just gonna do whatever I can to give back to the community, just like they inspired me. And it didn't take too long until I met both of them and, and they really inspired me to start creating content on my own. So that was what super inspired me about their ability to share technical stuff and everything that I learned. I decided as soon as I learned something I'm going to give it back. The way that this community, the bounty community, you just sharing stuff in a very competitive space. I want to do that too, but I want to do it even more.
Vamosi: It’s true. I may not have a formal background in computer science, but I do have a CISSP credential. I learned infosec from hanging out with various people in the hacking community; I learned by reading and attending conferences, not just Hacker Summer Camp but also Shmoocon, BSides and others, and I really learned infosec by doing, by taking hands-on classes, and getting certificates in wireless and automotive hacking. So, again there’s no clear path to learning any of this stuff, Stok set out on a personal mission to change that.
Stok: I just want to give back and share and remove all kinds of gatekeeping and inspire people so anyone can just get into it and get started. Because even if they don't end up doing bounties, they will gain cybersecurity knowledge, and they will probably just end up at an organization somewhere where they can have a little bit of influence. They can say, I know this thing is called bug bounties and usually we do blah blah blah, maybe we should make sure our apps are secure as well. So, super inspiration.
Vamosi: By now you’re probably wondering what’s the difference between being a pen tester and being a bug bounty hunter. Both individuals are brought in by companies wanting to harden their systems more, but there are also differences.
Stok: Pen testing and bug bounties are particularly the same kind of concept. When you look for vulnerabilities, you send them in. The big difference between bug bounties and pentesting particularly is that you always do a lot of pen testing before you do bug bounties. So pen testing is a methodology and rule set based testing, which means that you check the boxes, you make sure that the is like building a house right if you want to build a new house you want to make sure that the power wiring is up to code. So, somebody needs to do the work. The electrician has done the work but then the certification guy that shakes that everything is cool, he's kind of the pen tester. He checks all the boxes makes sure that everything is safe, nothing is leaking out boundaries on the other hand. It’s when all this pen testing and hardening has been done, that the bounties begin because you don't you don't get the wiring report that shows how the wires have been pulled through the house. You just have to guess. Like, I wonder how they did the wiring on this house? So you need to start to map out things in a very different way. As a pen tester, you need to be an extremely good generalist. You need to know a little bit about a lot of stuff. But in bounties, you can be a super specialist in a very niche field, and researching a certain area. And because you don't need to write a general coverage report, the need to focus on one thing I would say that is kind of the biggest difference
Vamosi: Stok is quick to point out that bug bounty hunting is not for everyone. With Pen testing, it’s kind of a white box experience--you have visibility and some access to what you’re testing. With bug bounties - it’s the opposite. It’s a black box, in that you have no idea how this relates to that. And for some people not having that visibility, having to poke into the abyss is not possible.
Stok: The black box situation when it comes to bounties is almost ridiculous, but it's also, for me, extremely rewarding. And I have these hobbies that I like. I like to put down puzzles, so let's say I buy a box of puzzle. And if we compare this to bounties, that would be if I bought a box, but it didn't have any picture on the top of the box. It says that it might just contain a certain amount of pieces in it, and all the pieces are blank. So you need to start to sort up the pieces in their shapes; you need to try to figure out like what's going on here and do all this stuff yourself. You can't ask anyone. You can't find any reference. You need to do the research, so maybe you will start looking at this manufacturer of puzzles, seems to do almost the same thing every time because they have this framework and it looks the same. So you can start to look at the pattern, how the puzzle is built up, and try to figure things out. It's fully black and black. Everything is very blind. You need to rely on a time-based attack framework. You need to approach it as if you're always trying to figure things out on the way. And so I really enjoy that it's a very challenging target.
Vamosi: So, prior to 2017, prior to attending DEF CON 25, had Stok ever tried his hand at bug bounty hunting?
Stok: No, I never. I heard about bounties before but I didn't really understand it then you know heard about this super cool hackers like Franz Rosen that hack Netflix or go flown into Vegas to poke at let's say Snapchat or something. I don't know what kind of target they poked at, but that for me was mind blowing. Wow, super cool hackers that get to break into stuff. I want to do that. And it was all cloak and daggers for me at that time. I had no idea. It just looks mysterious, like these guys hacked websites, broke them down and got paid a lot of money. I want to do that.
Vamosi: So how do you get to Carnegie Hall? Practice, practice, practice. Stok has a full time job consulting, but he started devoting time in his week toward learning how to find vulnerabilities.
Stok: The first bug bounty I got was a race condition, and he was in something called a VDP program voluble vulnerable disclosure with bro program. It’s also the only bounty that I ever submitted that I never got paid for, because I was particularly no better I guess.
Vamosi: Two things here. One, a race condition is literally that -- a race. Here’s a really common example. Say you have a room with two light switches. They both control the same light. So you might enter the room and turn on the light. If someone else comes into the room and uses the other switch, the light will turn off. It will cancel the first operation. So if you both enter the room at the same time, it depends on the sequence of events whether the light is ultimately on or off. This is a race condition. Second point, there are many, many different kinds of bug bounty programs. And perhaps in a future episode I’ll explain all that. For this episode, know that individual companies can sponsor their own, such as Apple having an invite only bug bounty which can offer over a million dollars for specific bug classes, while Google and Intel have more open bounty programs. Then there are the aggregators, companies like BugCrowd or HackerOne. They work with different, sometimes smaller companies and with independent hackers, handling all the backend necessary. They pay, and often they pay very well. They have two tiers, one that is open for everyone, and one that you have to be invited to join, like Stok.
Stok: So I joined Hacker One. And usually what happens when you join this platform is that you gtt a large amount of different customers that you have a possibility to hack, the research stuff at, and that that's called the open programs, the ones that are available for anyone that signs up. And that could be pretty daunting because they are well-tested grounds and so I was lucky enough to get a after a while I got a private invite to a program that I started to test on, and it took me about from the day I started to I find my first bug maybe took like two months. But I had no prior experience in using tools like Burp or actually no web stuff, so I what I did is that I just turned Burp on, and then did my normal kind of browsing through any kind of website that I stumbled upon the way that I always do it. I looked at a traffic, almost like you're looking at the matrix for the first time you see that movie and all these green characters are just falling down You have no idea what's going on but these guys just sit there, they're like, Oh, yeah, no, I know what that is that's like totally different parts of this planet or another dimension. And you're like, Whoa, the those guys know what they're doing, but after a while I got that sense too because you see these posts and these GET requests going back and forth and server responses and the way things used to communicate with each other, so use train my mind and understanding how web traffic flowed and how communication with third parties worked and what kind of flows that were inside web applications.
Vamosi: Remember Stok has an extensive background in Microsoft Active Directory and Azure. He was particularly skilled in finding faults with configurations. So naturally he settled into his groove within bug bounties, his particular bug class, by taking the road less traveled by other bounty hunters.
Stok: I had some a bit of infrastructure background so I realized that I knew how things communicated so race conditions, which is a very logical bug is something that I focused primarily on because I figured that it was a fairly untested area. It wasn't on the top 10 of the OWASP Top 10, and it's really really hard to test for, but if you want to dedicate time to it, and you're able to make it work your way, it can have dire consequences because you can more or less form a money order or fiddle around with transactions and it is also very time based. Like I was going to do one bug class, and then I'm going to find a bug on that. And once I'm done with that, I'm just going to keep on to the next target, the next target, until I feel comfortable enough with the technique that I have to change to another bug class, then learn as much as possible on that one and then move on again. So I would say primarily two and a half years, and I still don't do exercises that well, because I never look for XSSes.
Vamosi: So Stok quietly began amazing bug bounties wins. There’s this thing, a leader board, where you are ranked based on how many vulnerabilities you find, how critical the vulnerabilities are, and how much money you’ve accumulated overall for your efforts. At some point, Stok got noticed. He got invited.
Fuzz Testing is a Proven Technique for Uncovering Zero-Days.
See other zero-days Mayhem, a ForAllSecure fuzz testing technology, has found.
Learn More Request Demo
Stok: I guess I was lucky enough to find a couple of really cool bugs, like bugs that really put me on the map as a researcher, like, well, this guy knows what he's doing. He doesn't have that high reputation, but he's good at reproducing results. So I got invited to a live hacking event in Amsterdam. And, because we're in Europe, I was flown there, and the target was Dropbox at the time. I was nervous, but I got there, and I met all these other amazing hackers and. And I did terribly. I did so bad at that event that I didn't really know what to say. I sent in a couple of really crappy bugs, but then again I got a network of cool people to talk to. I created a lot of new friends and realized like this is finally the place where I totally belong. And I said to myself that day I'm going to do everything I can get invited to another one. So, after that event, I got home, and every week, every hour I had, I kind of more or less focused on learning more techniques or practicing my skills, and eventually was lucky enough to get invited to Vegas for H1702, which is Hacker One’s flagship event. And once I was there, I submitted a couple of really nice credits and got some amazing awards. I can't disclose the targets. But it was really big, big time for me, a big thing to be there were all these amazing hackers to see that I could prove myself to deliver results under high pressure. So, and I've been doing that ever since.
Vamosi: So, previously I’ve covered what it’s like being inside a CTF, being on a time like PPP, the structure of the DEF CON CTF, the way it unfolds over several days, episodes one and two of The Hacker Mind for example. A Live Hacking Event, like the ones hosted by BugCrowd or HackerOne, is different. I’ll let Stok explain.
Stok: It's either HackerOne or BugCrowd or Integrated that have these live hacking events usually those players but Hacker One particularly works like this. Normally, there's a vetting process where you get selected to be a part of the hackers that's going to be able to hack on that live event and it's everything from. I don't know, 20 to 100 people depending on how big the event is like. Ihe flagship event is in Vegas. A lot of people get invited to some of the smaller ones, a lesser group. So, if you make the cut and you get invited, there's a two week presentation from the day that the scope is getting released. Normally that's how it works. In the beginning, you would get the scope on the same day, but hey, that doesn't work. Like you can't take 30 people in and expect they found magic stuff in eight hours. So everybody needs at least two weeks to prepare. So, what they do is that they, they have a call, and they release the scope and they explain what they're interested in finding. You can ask questions, and you can talk to the program managers. And then it just kicks off. Usually what I do is just eat sleep and function that target for two weeks until it's time to travel to the location. At the location that, you have a tiny, small window for two or three hours where you get to send all your reports in. Once the reports are in, the window closest, so if you find the same vulnerability somewhere else after that period you won't get paid anything, because they don't have day to fix it. And then you hack for about eight hours. After that there's, there's a break, and there's open bar and then he says show and tell where the best bugs get reported or some of the bugs that are creative and fun are getting shared with that group that are there, and then it's just a party and it's all over. That’s kind of how it works.
Vamosi: Sounds pretty cool. You get to fly around the world, with this amazing community of elite hackers, and, if you are lucky, you have some extra money to take away from it. Meanwhile, the company being tested has new vulnerabilities to patch, hardening their systems even more. A win-win for all. So, listening to this, what advice does Stok have for anyone wanting to follow in his footsteps?
Stok: I'm gonna say. First off, we need to understand that this is not, this is not for everyone. In the beginning I thought that anyone could do this, but I realized that since it's a very competitive space, and it requires time and interest, you need to be passionate about this kind of stuff. You need to really like what you do because just following the checkbox or just following let's say if you follow me in the trail of money, you will not be satisfied because there's gonna be something else. You need to be seriously curious about breaking webapps if you want to get into this today. And, like what I do, I approach it as a hobby. I do it one day a week and primarily one day because if I get too excited I can't sleep and it fucks my life up, because I am getting so consumed about the whole process of putting that puzzle together. And if I'm really really close. I'm like, man, I can't think about anything else and. I research stuff and I try to figure things out. So, I can't do it every day because then I wouldn't end up with any sleep at all. So, I need to pace myself, but I would say anyone that's interested is start to dabble with JavaScript. JavaScript is everywhere. If you know how that works, it is going to give you a really, really big leg up to everyone else that has no idea on how it works. And try to understand the basic principles on how web applications works, especially in 2020, because it's going to be load balancers, there's going to be a front end server, and a back end server. How does communication work? Understand the logic between how our web application functions. Right now, with all these different proxies and routing paths, if you figure that out, you will realize that you can actually send poison requests, you can dabble with things. There's so many new attack surfaces that are beyond copy and pasting XSS payloads everywhere
Vamosi: We started off talking about the community, about early BBSs, about meeting people at hacking conferences, about the Live Hacking community. Stok remains very committed to that, and he offers this advice.
Stok: So I think collaboration is also something that's very important if you're doing this, and especially now, because the more eyes that look at a target together the better. I always suggest for anyone that doing this find a friend that are at your level. Let's say that I say I was interested in finance. I wouldn't go to Warren Buffett, and say, could you mentor me? That would be a problematic thing but maybe there's somebody in my neighborhood or a friend of mine that also likes to save money, and we can both research, you know, the art of compounding together. So, instead in hacking, should we poke at this stuff together. You will grow. You can communicate. You can code together. You can just create. You will have some person to test your ideas on because otherwise you will sit there and you won’t know what's going on. I can't figure this out. Who should I ask? You can't use as random people on Twitter, because maybe you're on an NDA. Maybe there's some information that you're not supposed to talk about. So you need to be very careful with that. But finding a friend, or a couple of friends, like I hacked with a group of amazing hackers called Disturbance, and we really complete each other with different skill sets and and how we approach things. It's really really fun to work as a organized unit. I wouldn't say there key and defined areas that we do as a team. I would suggest anyone that that that's want to do that is to have that kind of team approach because it's way more fun, and you will you can cover more ground, and you don't need to do the same thing as the next guy is doing.
Vamosi: And, even if you live in Kansas, you can still become an elite hacker. Stok comes from a city on the opposite side of Sweden from Stockholm. So what advice does he offer to people who maybe can’t just get on a plane to DEF CON, or don’t think there’s anyone out there like them to help them?
Stok: I would say there's a plethora of Discord channels out there. There's a lot of them, like each and every content creator has one. Nahamsec has a really good Discord called the homies, I think, and, and inside psds got one too. There's a lot of people that have their own discord, so I would use start to hang out on YouTube, Twitch, or any kind of space where there's people doing CTFs, sort of talking about bounties and stuff. And so you get some peeps to play with, and and start from there. It's like I'm going to do this hack unbox tonight. Anyone want to tag along? Do you want to do it together, and then that's usually like, it's kind of like a JFK-ish thing to say, but don't don't ask what others can you do for you, ask what you can do for them kinda approach. If you say that I'm going to hack on this target, do you want to join me and usually people say yeah. But just be very concrete on that and say Okay, so let's hunt on this together. We're going to do a 50/50 split. Whatever happens, we split it, and then you remove the whole monetization part out of the way. You know that you are gonna smash it and, because there's a lot of trust in this, if I'm working on a bug that I want to share with somebody, and we're, and you're not on the same private program as I am, I can share with you because you need to be on the same program. So if you're hacking with somebody take an open program and hack together and just have fun, because it's supposed to be fun.
Vamosi: I really want to thank Stok. And if you want to learn more about him, check out his YouTube channel for weekly updates on the bug bounty world, or maybe support him on his Patreon account.
Hey, before you go, check us out on Spotify, Amazon, Google or Apple, or wherever you listen to podcasts, and subscribe to never miss another episode.
For the Hacker Mind, I’m not clearly not hacking enough these days Robert Vamosi
Add Mayhem to Your DevSecOps for Free.
Get a full-featured 30 day free trial.