Making it to a live hacking event is already a big accomplishment, but my guest today, Doomer Hunter, not only made it, but at all three events that he attended he achieved a top 10 finish. So clearly he has some good methodology to find crits on well-hardened targets. We'll dive into this in this interview. Hello, Victor. How are you doing? Can you please introduce yourself to those viewers who don't know you yet? Hi Greg. Well, first, thanks for having me.

It's so cool to be here in Poland, in Krakow. I really enjoy it, and thanks again for the tour yesterday. Yeah, I have quite a specific background. Basically I was not into IT or into cyber; I was in the pharmacological industry. I even have a master's degree in marketing. And it all switched when COVID hit. The job I should have had in North America, in Canada, was frozen, so I was left with no other options.

And I was wondering to myself, hey, this bug bounty thing seems a bit cool, and I'm starting to make a bit of money with it. Could I make a living out of it? So, yeah, I decided to switch full time into cyber, into offensive security, and I got a small first pentesting job at a local firm and met the guy who became my future partner. So we started our own business, and it was a pentesting and red teaming company.

We worked together for three years and brought the company to 1.2 million euros, I think, in turnover. So really nice stuff: we had good clients, did physical intrusion, you know, physical pentesting. It's awesome. And on the side we also did bug bounty hunting, because as a small business it was a cool front, a way to say, okay, I'm performing in the real world on hardened targets.

And so that's how we started getting into more competitive events, such as the first AWC, the world cup that we won with the French team in 2022. And then we all started to get into live hacking events. I sold my shares of the company to my partner this year, so I'm back into full-time bug hunting and entrepreneurship. That's pretty much what I do now: bug hunting, a bit of AI on the side, and corporate talks.

I'm invited by various companies to give cybersecurity talks across Europe. That's pretty much it. So how much time did it take for you to get into cybersecurity from the marketing or from the pharmacy background, or whatever it is? That's where I lied a bit, because hacking was always the thing that I really wanted to do. Yeah. But I come from a family that is into health; they are mostly health practitioners.

And so I was more inclined to do that as a real job. I didn't think that it was possible to go the cyber route, and I thought that pentesting was reserved for a kind of elite, a few people. So I did a bit of hacking on the side. I remember buying an old book called The Art of Exploitation by Jon Erickson. Yeah. It's a really old book, but it still gives you a first hands-on approach with a live CD. It was so good at the time.
So I practiced a bit during my university years, because I enjoyed doing some CTFs on the side and so on. And one day, I was maybe in my third year of uni, I had a friend who had a loan to pay for her studies at her private school. Sadly, she started buying stuff with the money from the loan, so when September came, or maybe it was June, she didn't have enough money to pay for the next year.

So what do you do at that point, when you don't get much money, you want to help your friend, and you don't have an actual job that makes that amount of money? Well, you take a look at your skillset and say, okay, I can do some hacking. Can I make money hacking? Can I make legal money hacking? What's the boundary? Oh, that was a nice amount I can make. So yeah, that's where I landed my first crit. I think I made maybe 3K on Semrush at the time.

And so she managed to cover the costs and get back into it. Then once again I put it back into the closet, because I thought, no man, I'm in a health career and I must not ruin my future health career by doing cybersecurity. And then when I decided to really make the switch, I had a little background, a couple of skills. I knew I could land some small bounties, but I decided to really prep.

And when I took the decision, maybe in May 2020, I thought to myself, okay, in September I've got my job, so I've got five months to get ready. So I just took everything that I already had and sought what I would call quality content to really grow. And so I first went to Louis's PentesterLab, because I really love the approach, the hands-on approach.

He's one of the few guys who really teaches you to actually deep dive into the source code, with such an accessible platform and high-quality content, and also forces you to understand how it works, dissect the CVE, write the exploit code. And I did maybe five or six badges that he had at the time, just to feel comfortable and proud of myself, and also to put the certification on my LinkedIn profile, because I did not have enough money to pay for the certs.

Yeah, that's a good way. And then I did the full OWASP Juice Shop, which is also, I think, a cool way to go into real-world web applications. And then I got into a small bug bounty platform in France, which is called Yogosha, because I didn't know any better at the time. And so I was doing some more active bug bounty, and that allowed me to transition correctly.
Now let's skip to the present time. After quitting the business, what made you choose the life of a full-time bug bounty hunter? Freedom. Once you're used to entrepreneurship, you're used to producing value for yourself directly. Yeah. And you're used to valuing your time and your efforts based on your skillset and how you bring added value to the real world and to the companies.

And so once you have tasted that and you feel confident enough to be alone and stand by yourself, honestly, it's very hard to go back to a classic job. It's a one-way ticket. Exactly. But it comes with a lot of costs and a lot of responsibilities. But I had the money from my shares, money from my personal and professional bank accounts, so I could finance taking the risk of going back to full-time bug hunting.

And also, let's be honest, when you start to perform a bit well in bug hunting, you do make a lot of money, and that allows you to open more opportunities for yourself in the future. So I was in a position where I had, I think, a good network flowing from my business, had a bit of money in the bank, and could make more with the bug bounty part.

And if you take all that by itself, you've got potential; then you've got to make this potential grow by building new things, keep building your network and then keep making money. Yeah. So freedom and all the opportunities that it brought were why I chose to go along this path. And also, if I understand correctly, you use bug bounty as sort of the way to grow your personal brand, and it also fuels the trainings that you give and the other things that you do.

So whenever you find a bug, you're not only getting the bounty from this bug directly, but it also builds your personal brand, which grows and grows forever. Yeah. Back in the day we used that as kind of a front for our business, because as a small company it was really helpful to legitimize yourself: hey, I was able to find a bug on X, Y, Z big company.

It gives you this legitimacy, and yeah, now that it's all just by myself, it's still a pretty good way, because I still have a small audience in France, and it still shows that you're active, that you are indeed a real hacker. And I think it's not only useful for the audience; it's also useful to comfort yourself. You think, okay, I'm still a hacker.

You know, you can still fight your imposter syndrome or your ego, whatever you want to call it. And yes, it's also a way to grow the business part a bit, because when I give cybersecurity talks to companies and corporates, when they are looking for speakers, they are looking for what they consider special people.

So often there will be high-level athletes, people from the government, ex special forces and so on. Yeah. So you're there, and it helps to legitimize your presence. I still feel uncomfortable presenting myself in front of people, but sometimes you've got to do it just so that people say, hey, he knows what he's talking about. He seems to know what he's talking about.

Yeah. And it's a good way because a lot of bug bounty you can speak publicly about. You can be the best pentester ever, but all your reports are confidential. You cannot share the findings from the pentest. Even if you try to write about it on a blog, you have to redact the company name. And it doesn't sound as good as when you find a good bug in bug bounty. You know: oh, I hacked Microsoft, I hacked Google. It just sounds nice.
So when you hunt, what is your hunting style? What are your favorite bug classes? That's honestly even what I consider a weakness of mine. I remember, I think it's Justin from Critical Thinking, Rhynorater, who shared his roadmap: okay, if I had one year to make a hundred K in bug bounty, how would I invest my time during the different steps.

And I think one of those first steps is getting comfortable with access control bugs. And when you start your own business, of course you have to be someone technical, because you have to run the business and the technical part of it. But then you start to be not that much hands-on on the technical and offensive part, but more on quality management, control, sales, marketing, and so on. Everything on the side.

And I felt that I was kind of trapped inside that comfort zone of, okay, I'm pretty good with access control. Yeah. I think I've made a lot of money with access controls because it's easy to find, it's repeatable, and I love hunting for them because often you get very high-impact bugs. And that's where I stayed for a long, long, long, long time. So yeah, it's still my pet peeve.

I know that if I'm going on a new program, the first thing I'm going to look for is access control bugs and logic bugs, because I love that. But then you start going outside of this comfort zone. I started going more into business logic bugs, which are often more hidden and less covered by modern security tools such as SAST and DAST. When you know that, let's say, you have an IDOR, okay, you just increment a number.

Well, once the issue is known, if the developers take some time to write unit tests, you can pretty easily test the fact that, okay, if I increment the number, then the result of the test should be 403 Forbidden. Yeah, but business logic bugs are way more hidden, because they're nested inside multi-step workflows and you cannot test all of the possibilities of these workflows. And so you still find these issues. And I think it's still easy for me to find.

And it's also hard to come up with a source code scanning rule to detect business logic, because there's no template for it. Every single codebase can have different logic, different rules, different bugs in it. So that's why I think these bugs will be with us for longer, because obviously scanners are getting better and better, and frameworks are doing stuff like automatically sanitizing the HTML.

So there's less XSS, but bugs like this, they're not so easy to fix or to detect at scale. I think those are the ones that will be with us for a long, long time. Yeah, they will. You cannot have a bug-free 20-step workflow. It doesn't happen in real life. And even there, we are just scratching the surface. I don't know who gave the talk a couple of years ago about everything second order on the server side.
It was a really great talk, and even if you take your five-step workflow of buying something and start to mix up some parameters, add some parameters that shouldn't be there, add some IDs that are not matching, et cetera, this is only the top level of this bug. And we often miss the second-order bugs. Like, I don't know, if you start to buy a TV and you put the insurance of a phone on it, will it work? But will it work if you create a custom insurance policy?

What happens deep down, further steps beyond, that's what really scratches my mind. But in bug hunting, black-box testing, we don't have access to the source code, and there are so many issues in hidden surface not being covered. And I think that's why we should spend more time fuzzing. Yeah. And also, we are never sure how many different flows we didn't test.

Because I had a talk with Jonathan in Edinburgh: if you have, let's say, Amazon, probably shipping from one country has different code to handle the shipping than to another country. Who has tested 200 countries in the world? Probably not even him and Zeeshan on Amazon in their six years. So on many programs we just have a lot of code that we never touched. But I think GripMe has an interesting approach.

So GripMe is the one doing the notes for the Critical Thinking Bug Bounty podcast, and he's also Rhynorater's mentee, a very cool guy. Yeah. Very crazy story. He got into bug bounty like nine months ago, did the two LHEs, at Vegas and Edinburgh. Very cool guy. By the way, he quit work this month to be a full-time hunter, and he has been very successful. And when talking with him, he told me that his own methodology was trying to be more comprehensive,

building his checklist of what could be the most impactful for the company, and then really trying to assess all of these vectors. And so he is indeed trying to be more methodological and trying to build a comprehensive way to really test the application, but through the lens, if I understood correctly, of his perspective of the security model and what can impact it. And I think that's a good way to ensure that you have more coverage. Yeah. Yeah. That's a good way.

And there's pretty much no border to it. There's no boundary, because there are just so many different possibilities everywhere. And that's the overall answer to new hunters who don't want to hack on public programs: each year there are thousands of bugs, millions of dollars being paid to different hunters. I think once you are new to bug hunting, you have something that is called being naive.

And being naive allows you to explore with a fresh view of the program. When you start to hunt, you have your spider sense, you've got your instinct, you trust your gut and say, okay, this smells bad, I'm going to hack it. And you're hacking it and you find issues. That's cool. But you're starting to get trapped into your own routine, in your own way of seeing things. Whereas a newbie who is very naive doesn't know that this is not going to work.

This is not going to work, because he's going to test it. And by testing it, he's going to find these issues in the spots, your blind spots, that you never tried. That's why it's very cool to hunt with very new hunters, because they are going to test everything and they are going to find those little cracks that you would have missed. What are your top tips to uncover parts of the application that nobody looked at?
Well, when I start hunting on a program, I told you that my pet peeve was working on access controls. So when you want to uncover more access controls, you've got to unlock more features. And what I think to myself is, even when I think that I've covered the whole application, I always consider that I've missed something. And by keeping the grind on it, trying to test all the damn features everywhere, everywhere, everywhere,

that's how you start to understand, oh, I missed that workflow. And then you start to understand, okay, there are way more hidden features, because nowadays UIs are very stripped down; you don't see many buttons anymore. So you have to really test all the flows all around. It's a bit stupid, but I keep brute forcing the application, kind of. You want to cover most of this.

Of course, the good old JavaScript mining is very important. And that's why tools like JS Weasel by Steelman are very damn useful, because it gives you one place to have everything stored, all JS files, even that hidden JS file that is only loaded on a weird route. You will have it, and it processes the potential paths. So that's a pretty nice one. And the last thing is logging.

So you have your Burp history or Caido history. What I like to do is to try to store that into a database, when I'm strict enough with myself to take the time to set that up. And sometimes when you look into your Burp history, or you look at some parameters, you will find the hidden route or the hidden params that you needed to unlock that stuff. How exactly do you look for this? You have your database with all the requests logged. What do you do to find it?

Initially, what I used was Logger++; you have a feature to export the requests to Elasticsearch. Yeah. And using Elasticsearch, you can then use the full stack: Elasticsearch, Logstash and Kibana. And so Kibana acts as a kind of front end, so you can type SQL-like requests to find specific stuff. But the issue is that in Elasticsearch, to find specific words inside the requests or the responses, it goes through a tokenizer.

And so you have a limit on the length of the contents. For example, a very large JS file of 5 or 10 megabytes will not really work properly, except if you fine-tune it. But that's, for example, a cool way to improve your coverage when you're testing for access control or business logic errors, because you're able to find very hidden parameters, parameters that you missed, or parameters that have a similar name but that you needed to craft

the correct request for that newly uncovered route that you found in the JS. Yeah. So do you just have a regex to find all the parameters in all the JS files and history, something like this? No, because I am not disciplined enough to actually build that. And that's why I love Steelman's JS tool too, because it does that for you and it removes the heavy lifting on that part. Yeah. Yeah. It's really nice.
How about some bug classes you never look for, or do you think there are any like that? Honestly, I suck at client side. I'm very bad at it. Because I used to do the classical HTML injection, popping an XSS and so on. And being in the live hacking event and seeing the bugs shown in the show and tells clearly shows me that I'm years behind all those top hackers doing crazy postMessage stuff, finding gadgets all over the source code. They're all there.

Yeah. They are found at each event, and very impactful bugs are found with that. I just never took the time to actually do all the CTFs, do all the training. And it's kind of been the new hype since solutions like DOMPurify have been implemented a bit everywhere. Sanitization is now a real standard in most web applications. Well, yeah. All the postMessage tricks and the CSPT, the traversals, have been the new craze.

And so the top hunters have quickly adapted and learned these techniques. And I think the wider community would gain a lot from starting to work on those kinds of techniques, but it is additional work. Yeah. And you can also see the shift, I think, from more server-side processing moving to the client side. JavaScript also brings bugs with it, and all the postMessage stuff and the things that they find, the things that they know about the client side, it's crazy.

Even yesterday in the newsletter, I shared two different articles about cookies. There was one article that compared cookie parsing in browsers and in frameworks, and it was already so inconsistent. And then there was another article from PortSwigger, I don't remember the name unfortunately, where you had a version cookie which changes the way cookies are parsed. So you get another layer of it.

And to be honest, I don't think I ever played with cookies, like cookie parsing. I don't think I've had a bug which would require me to mess with this. Yeah, during a live hacking event in France, there was another hunter called Brumance, who developed his own tool to start fuzzing other parts of HTTP requests that you don't really fuzz. And he was fuzzing cookies at that time, and started to uncover the beginning of an SQL injection just inside a cookie.

That's stuff that you have to test for, or you just won't find it. It's like, I think it's on PentesterLab or something like that: when you start learning about SQL injection, you focus on the parameters, and then the challenge is actually to inject that into your User-Agent header.

So of course I never saw it, or almost never saw it, in real life in pentesting, but it still reminds you that once again there is coverage that is not being done properly, client side or server side. There are a lot of things that we don't test for. Yeah. And I also think it's the problem that you have relatively few bugs you found in your career, because you have a few bug classes and then a few input sources.

So it's easy to fall into testing the same things all the time because they work. And then you have a thing like SQL injection in the User-Agent header. I've never found this, so I don't test for it, so in the future I also won't find it. So it's sort of the negative feedback loop where you don't find something, so you don't test for it. And I struggle with motivating myself to fuzz more things and test more things that I think
won't be successful, because probably some of them will be successful at some point. Another bug class, it's pretty wide, is all the timing attacks. So either you go the James Kettle route, which in my opinion is of course the way that you will uncover very, very, very impactful bugs, but also everything related to timing attacks and sandwich attacks and time-based secrets.

So there is a talk on Reset Tolkien, where basically he shows that even on some bug bounty targets, he still finds IDs that are generated, derived from a secret that is derived from time. And even if we know that it's insecure, sometimes you have a gut feeling that this smells bad and you know that it's not secure, but you cannot prove it.

It's cool that he and all the researchers have started building comprehensive solutions to test all the variations, for example, is it your email plus underscore plus a timestamp passed to SHA-1 or MD5 or a unique ID, and so on, and all of these variations. And so I think,

okay, like we discussed yesterday, having more and more toolkits and more and more use cases ready to be tested automatically will greatly help us for all these timing attacks and time-based secrets. Yeah. There are so many things to be found. Yeah. And it's a good way to think about it, to try to automate this stuff. So, okay,

I may not believe it will work, but if it just means pressing a button and generating something automatically, it's less of a hurdle than if I were to manually inject, let's stick to the example, an SQL injection payload in the User-Agent header, in the cookie, in the parameter, in the body, everywhere. Yeah. If it's just one button, then it's easier. So I think it's a good way to think about it, to try to automate this stuff.

And then if it doesn't work, it doesn't work, not a problem. The issue is that we end up with the philosophical question: are we, in the end, rebuilding some kind of vulnerability scanner to automate ourselves? That's the issue: there are so many things to be tested, and you've got to develop your instinct, your spider sense, but

well, then you just have to avoid being stuck in your routine. And the issue with bug bounty, especially if you do it for money, is that you need profitability. And so when you're stuck in that eternal cycle of "I need to make money", then you're less likely to be doing research and going outside of your comfort zone. So you've got to find the right balance. And that's what I strive for,

which is to just have hacking as a passion that I can really research, rather than say, okay, this makes money and I should keep doing it because it supports my lifestyle, my family. Yeah, it would be fun to have this. This video won't be published, so maybe I can say this about it. I tried to hack some software that I use. I tried to make a video.

I had the idea to make a video of hacking different software that I use that does not have a bug bounty program. It ended up with me finding a full-read SSRF in 19 minutes. I planned to spend the whole week doing this, but then I just lost the motivation. It was like, a week is too much. And it's fairly easy to find bugs, and it would be cool to feel allowed to just say, okay, let's spend a week hacking on whatever I want.
Well, yesterday we talked about the way your brain processes happiness, everything related to your dopamine levels, and the way we are also kind of victims of that, because now that there are financial rewards, we are often bound to consider ourselves and our ego as hackers as somehow correlated to the bounties that we make, and also the value of the bug that we find as correlated to the amount of money that we make.

Which is of course good in a way, because it stimulates you; you've got that dopamine, that adrenaline rush, and you want to go forward. But you cannot stay in that loop forever, because at some point you will find fewer bugs, or sometimes there are programs that underrate value. You cannot devalue yourself, because then you just go into a very bad spiral of self-deprecating thoughts. Yeah. That's bad. I do it.

I try not to do it, but still, even though financially it's easy to manage a time with no bounty, mentally this is the hard part for me. Because I feel it's more of a sort of reward; the bounty itself, of course, pays the bills, but it's more a way to express, as you say, how good your bug was. And yeah, it's hard when you have a worse period, worse bugs, downgraded severity and stuff like this.

And sorry, I keep going off road with you on this one. That's something that is not talked about, I think. I don't know, I think it affects a lot of people, but it's not talked about a lot: the blues or the small depression after a live hacking event. Yeah. The high and the personal investment of these cool live hacking events is crazy. Yeah. It ends up

at the top, at the climax, when you're inside the live hacking event, you see all the people, you see money flowing, you see crazy bugs, you see show and tells, and it's so much excitement. And I think when you go back home after, everything feels less stimulating, and I kind of feel a little bit depressed for a week after. Yeah. Because there are way fewer stimuli. I think, okay, well, back to daily life, I guess.

To be fair, I didn't have this. I was surprised. I know some people have it. Yeah. And I spoke with Johan, and he was like, oh, how was the live hacking event? Are you depressed after? I'm like, no, I'm pumped up. I met so many people, I had so many ideas, I just want to hack, man. I had the complete opposite. And also, the live hacking event is more stressful, because you want to find the bugs. You feel the pressure.

After I came back from Edinburgh, I slept so well, because before, each night I'd wake up and check the bounties and updates, and then I came back and I slept so well. For me it's like the opposite. Cool, let's go back to access control bugs. So what exactly is this? What is it that you test? Well, it ranges from the classic IDOR: add one, decrease by one. That's a classical one.
But you know, um, depending on the tech stack and the type of ideas that are used, you have like various, um, uh, sneaky ways to get those access control issues. One thing that I liked, um, uh, I spent a month in on LinkedIn, that program made, I think, 30K, something like that in bounties overall. Crazy, not that crazy, but still, I think a good amount to express that I spent and invested time in that.
And so I was reading the activity and they have a few disclosed programs, um, sorry, reports on it. And LinkedIn use a lot of urns. So you have, for example, uh, URN, uh, columns, some, uh, prefix, for example, user ID colon and some, and some alpha animal string after it. And the guy found a, a very cool, uh, second level bug. where he filled inside of his profile, a value being an, uh, a new run. So it was the key was a URN and the value was also a URN.
And this value was later sourced by the application at a different location. And so it retrieved the value of this. Like, injected URN and this process didn't actually, uh, provide good access controls. It was able, for example, to access other people, uh, data through it. It's like a second order injection where you put, uh, instead of a string, like, uh, like, uh, an URN. That's, for example, in my opinion, a cool bug. Yeah. So it's like second order processing.
And then it's pretty much anything, it ranges from testing authenticated versus unauthenticated. And if I'm really, really trying to go into finding all the little scrap bugs that I can find, then it's like: take your time on the rights matrix of an application. Do you have, okay, five levels for the authentication? Like, are you sure that all of these five levels on the 200 actions are properly implemented? And I sometimes do that, but I find it a bit boring.
Yeah, that was supposed to be my question, because 200 endpoints times five roles, it's 1,000 tries. That's a lot. Yeah. And honestly, there's one guy that's way better than me at that. It's Frisek. He's a French hunter. And I remember in Edinburgh, I said, hey, you should take a look at this application because it has maybe like 10 levels of privilege with almost all of that.
So this crazy guy pushed maybe 16 reports in the next couple of hours, because, you know, you've got to feel it, you've got to get organized and then you just have to be efficient and compare it to the documentation. That honestly tires me too much to do it properly. Do you automate this process in any way? No. I know a lot of people use AuthMatrix or Authz and so on. Yeah. I can't get my head around using them, even if they look like very great solutions.
Most of the time when I use them, it's just to test authenticated versus unauthenticated, just to have a quick replay, but not that much. And it's also an issue for me because it doesn't work on complex workflows. So if you have, for example, a three-step workflow and you want to test the last step of the workflow.
If you use something that replaces your cookies, it won't work, because sometimes you need the correct IDs for step one, step two, step three, and then at step four you have to modify and get the right ID. And so investing time in those multi-step workflows will allow you to find the bugs that other people do not find, but mostly, well, you cannot automate them because it just breaks the whole chain. Yeah. From my tries, it's like you can automate the GET endpoints
most of the time, but then when it's POSTs, updates of resources or deleting resources, it's hard to modify them, because either you will struggle to determine from the response if it was successful or not, because if you're creating something with a POST, you don't usually know from the response if it was created on your account or the victim's account. Deleting, as well, might be problematic because you cannot directly replay the request. So I also just do the manual thing.
I think in the near future, like even right now, carefully crafted AI engines could help you with that, because if you really decompose the problem and you have an AI agent that does one small thing, but does it really well, you can have more reliable results. I mean, if you first, I don't know, add a product to your basket, then add the customization option,
then, you know, try something else, like put that item into the basket of another user. Having just a very small AI agent that verifies, okay, is the answer plausibly correct, yes or no, given that input, that input and that expected output, that only does that really small task, might make it easier to apprehend or to understand the potential vulnerabilities that you have. And I think that it's a really overlooked way, to craft really, really small agents to do that.
Yeah. That's a good one. It's way more powerful. If people want to dive a bit into that, just take a look at Daniel Miessler's Fabric tool. It has a lot of prompts that are pre-made and it really allows you to see, to understand how to customize those prompts. And I really like that. I have small agents that were perfectly unreliable. So do you use an agent like this, or do you think it's possible to create it?
No, I don't use them right now because I'm working on other AI projects. But I think, yeah, it could be useful, but I think that's a couple of months of, you know, fine-tuning all this stuff, and it's almost a project of a company by itself. Yeah. But I do see the potential in it. I think by the time we get full-blown hacking agents,
it's going to be a long time, because it's a lot of vulnerability classes, a lot of things to understand to create something that, you know, takes the 200 routes and the permission matrix and goes through the different resources. Yeah, it should be fairly easy. The thing is that if you want to build that, as I said, you have to have very small agents that do one task, and one task perfectly, then chain those very small agents. And each agent
will take an input, provide an output to the next agent. And so you have this famous chain of thought between unit agents that do one thing, and then one thing. Well, then you have to preserve the context, and the context window is limited. So maybe you have 200,000 tokens on Claude, the LLM, something like that. But the more context you provide, the less pertinent your result will be, and so your challenge will be to provide just enough relevant context
while maintaining, you know, the understanding of the application and of what you're doing, but that's possible. And it's a couple of months of work, I think. So we said you hacked on LinkedIn for a little bit. What is your usual bug bounty program? Because I will tell you one thing I noticed when preparing for the interview: in many of the profiles of top hunters, the top program is a private one that I don't even have access to. And they have
often thousands of reputation in a single program. Your profile looks different. In your profile there are many more well-paying public programs. So you're taking the programs with a lot of competition and you still succeed. So what is your usual target? You know, it hasn't been a long time since I got back into full-time bug hunting, maybe the end of March of this year, of 2024. So maybe that makes like nine months in the year.
And out of those nine months, I think it might have taken three or four months just for me, like seeing people that I never saw before, going to see family, relatives, taking a bit of holidays, working on other side projects. So I wasn't hacking for that much time. That's why the data set is a bit more limited. But, yeah, I did a full month on LinkedIn. I did a full month on some private program that had like 100K in potential reward; it was like an infrastructure-related bug.
So it prepared me a bit, actually, for AWS. And then, yeah, there was Amazon that I wanted to look into, and AWS, and no, it's like, you've got to get invited to the AWS program. So I was really happy about getting into it after the LHE, and mostly I think this is going to be my next program for the foreseeable future. But, you know, when you see a lot of top hunters, in the end
there's not that much of very big paying programs that also do live hacking events. So in the end you still have this small club of maybe, I don't know, there's Uber, PayPal, Capital One, Salesforce, AWS, Amazon, Epic Games. Yeah. Now TikTok. You've got a pretty small subset of programs.
So in the end, well, you're running around the clock hunting all of these programs, but you're right when you're talking about people specializing in one program, because the most time you spend there, of course, you know the bugs, you know the team, you know how they handle things, you know how to maximize your output, how to keep the good relationship with the program.
So, yeah, I think I'm going to stick with AWS. A very large scope allows you to be very creative, from doing classic web bugs to more infrastructure-related bugs, to exploring in depth some features. And I think it's a great all-around program. I love it. Yeah, it's nice. And the attack surface is absolutely massive as well. How about YesWeHack? Because you also hack there. There, I do not have as much visibility into the stats.
How would you compare hacking on HackerOne and YesWeHack? It's a bit different because YesWeHack is a European platform, French based. I've followed them and I've been friends with them for years, and it's a great company, and people in there are really, really, really awesome, really great people. And it's a bit different.
Basically, when you're in Europe, you don't necessarily have that many large companies like in the US. So, of course, the size of the programs and the payouts will not be as big as it goes on H1. You can't expect a company that's not Amazon to pay a hundred K bucks. That's just not realistic. But it's a smaller platform.
And from when I was very active on the platform, at that time I felt like the triage quality was higher, you know. I'm less active there, so I cannot give factual feedback on how it is nowadays. But, you know, it feels a bit more human than when you're on a big platform, where you feel that sometimes people don't read your report and so on. So I really enjoyed that closer, more human, more family-like concept.
The thing is, if you take a look at the bug bounty markets, in the end, how many areas in the world are there where you can sell bug bounty? North America, which is of course one of the richest; South America, which is emerging, but there are still not a lot of companies; Europe, which does have money, and in Europe it's mostly the Western part, which is starting to have enough companies with strong enough arms to bear the load of bug bounty.
And then you've got SEA, so Southeast Asia. HackerOne has the American market, YesWeHack is mostly predominant on the European market and fights with Intigriti on the rest. And so the next battlefield is Southeast Asia. So YesWeHack is implanted in SEA, and now the CEO, Kevin, who's an awesome guy, is in SEA. I know HackerOne is also starting to get in there. I don't know. I know less about Intigriti, but then it just shows you that
the quality and the type of programs and the evolution of the bug bounty platform will be directly bound to the clients that they are able to get. Yeah. And so you've got those big juicy programs on H1. You've got those European and start-of-SEA programs on YesWeHack, and it gives you overall different targets and different ways to interact with the programs. It can be cool, I think, to change and rotate platforms
if you feel burned out with working with certain types of companies, because the culture is different. Yeah. Working with European companies is different from working with American-based companies or SEA companies. It's a different way to interact with people. Yeah. Also, the LHEs, the live hacking events, how are they different on YesWeHack from the HackerOne events? HackerOne events are pretty large scale.
You often get like 100 hackers all flown out to some very cool location like Vegas or wherever. YesWeHack has two types of live hacking events. The first one is a small punctual event associated with a larger event, let's say cybersecurity conferences or general-public cybersecurity events.
And they will often hold a small competition, like 24 to 48 hours, with a reduced prize pool, because often these are just the people that are going by or people that are specifically going to the LHE. So the wallet size is obviously lower. If you only hack for a day, you're not going to find as many bugs as you otherwise would.
And then there are some dedicated live hacking events that are bigger, larger scale, for example the last one being in Italy, no, in France, in France with the Louis Vuitton luxury brand. And so they were flown out to Paris, into the real headquarters, and they invited way more hunters, including North American hunters as well.
But it's still a smaller scale, where you cannot compare, I think, the behemoth that is HackerOne to European companies, not yet. How did you get involved with the HackerOne live hacking events? In 2022 with the AWC, so the Ambassador World Cup, I was with... Maybe for those who don't know what the Ambassador World Cup is, could you explain? Yeah, of course. The Ambassador World Cup is an annual event
that started in 2022. It's a bit like a football, or soccer for your US friends. It's football. So it's like a football competition where you have teams per country. Sometimes, if there are too many people, there can be multiple teams per country. Then you've got the selection phase, which will eliminate some teams. Then you go into a classical World Cup style of football, where you've got 16 teams, then eight, four and two, until, well, the final one stands.
And each country has an ambassador that represents the country with his team, and that is directly in relationship with HackerOne and with the programs, to coordinate both the hackers and the relationship with the platform. And the rules have evolved a bit. Nowadays it's like you've got a set of programs per round. So all teams hunt on a specific set of programs, usually two to three programs. But 2022 was wild, man. Very wild.
Like now, yeah, it's properly set up, you know, you've got your three programs and they take time between them. In 2022 it was so wide. We were like, all the World Cup teams on all of the managed public programs of HackerOne: do your thing. And I think it took around one month. And a sad story in the real world, but a kind of fun joke here, is that during that time the war in Ukraine started getting worse and worse.
So they started banning, well, there were bans, you know, for regulation purposes on some Russian programs. So for example, the mail.ru program was present at the time and disappeared during the cup. So yeah, it was a bit chaotic, but very, very, very fun, because people were submitting all around the platform. And yeah, that's where we got the first World Cup with the French team. And in the end we spent a lot of time on Epic Games.
And so we specialized a bit more on that program and we had very good hackers, Snorlax, who was very successful on Epic Games, to help a lot to really understand the program, find the bugs. And that's how basically we got the first, I think, how I got the first invite. I don't remember if I was a plus one or if I was invited. I think I was invited as a customer sector program. That was my first live hacking event.
Yeah, I have to take the time to brag, because now in the Ambassador World Cup this year I'm also playing as the ambassador of team Poland. We are advancing to the final eight, France loses out. So it's payback for the football World Cup, because in the football World Cup you eliminated us. Now we didn't directly compete, but, yeah. But you guys deserve it. Very talented people. You're doing awesome work and it's great to see you go forward.
So, yeah, I didn't expect it as well. We didn't have so many hunters that would be so active. So now I'm really proud of the team, because, yeah, it's also not that we just advanced, we actually scored a lot of points. Awesome, man. Congrats. Yeah, congrats. Congrats to the whole team. How can somebody that would like to get involved in the AWC get in? Because it's only 20 people. In Poland it's like a few hundred, so it's not as much of a problem.
But in France, I imagine there are hundreds of people that would like to be part of the team. So how can one get involved if they don't have as much reputation on the platform? The thing is, even if it's a big event in the bug bounty world, it's not that publicized yet. Yes, it's the first, third year. So people are getting more and more aware of it and might want to get into it. But the first thing is also about fighting imposter syndrome.
So you don't have to be okay with, I'm not able to get on board. Like I know that the French team, one of the French teams last year, was comprised of a lot of young hunters and they still performed pretty well. So that's the first thing, being confident.
The second thing is, well, even if there are more and more bug hunters, finally the people that really want to get involved grow fewer and fewer with the level of dedication that you put into it. And so once you really start to be active in those kinds of circles, we are still not that numerous. There are not that many people who really want to go inside and get on the team.
And then the ambassador is the one person that is making the final decision, the final call on who's going and who's not going. Don't forget that the ambassador's role is also initially to promote bug bounty in their own country. So you're not just going to take the top-performing guys all the time. You have to give the chance to your rising stars. And that's why in the roster I will have some new guys that are coming in, coming fresh.
That's a great way, you know, to have your own time of glory, if you feel like it. I would also say it's good to get involved in the community, because now, as the ambassador, I've heard tips from other ambassadors, you know, it's good to put somebody in the team that maybe has a little bit less experience but is maybe more passionate, more motivated, active in the community. So I imagine it's also a good way to get involved.
Yeah. Consistency. Just being able to put in the work, and also keep in mind that the World Cup takes almost a year, you know, and a year is very long. People sometimes get burnouts, people have other issues, have other stuff to deal with. And so even your top hunters might, at some point, not be available at that time. And so you've got to have people on the roster who are able to take the fight, keep going.
So, yeah, just get those young guys and girls and, you know, those rising stars. It's the moment. Yeah. Okay. Once you already get the LHE invitation, you perform really well in all the events you've attended, you get to go to the show and tell, you got the top 10. So what's the key to performing well? The thing is, I think my only real capability is to deep dive, but mostly find the knowledge that I need for something that I feel is going to be vulnerable.
I don't consider myself a good hacker. I suck at a lot of things. I suck at client side. That's funny coming from you. Yeah. But you know, when I hang out with other guys, like, I don't know, maybe I'm the worst guy in the room. You know, you hang out with CTF guys who are complete brutes on so many topics. They, yeah, that's true. Okay, well I suck at everything. Good.
You go with some good client-side guys, they're talking about stuff you don't understand. You see the show and tell, say, you asked me as a second slide, but I think I'm only as good as the extent of my knowledge, and so I have my monkey brain processing a bit of knowledge; then you have to find the right information at the right time to be able to find that bug.
And so even when you start doing bug bounty a lot and pentesting a lot, you have your instinct of what is going to be vulnerable or not. And that's kind of your unique approach, but having the gut feeling of something being vulnerable is not enough. You've got to transform it, just like in rugby, you know, you place the ball and then you've got to kick it and transform it into points.
And so that's where being able to grasp and retrieve information from different people, different sources, really makes a difference on how well that feeling is going to be, or not, an actual vulnerability. And then it's placing the cursor: when to stop and when to keep investigating, because bug bounty is kind of about profitability. So if you invest too much time on a single bug and it doesn't pay out, well, definitely you have wasted a lot of time and you feel bad about yourself.
And then it's being able to place the cursor at the right point, where you should stop or where you should invest more time, or simply keep that in the back for later, for another friend who might be smarter than you, you know? Yeah. And how they're going at the right time. So yeah, it's feeling good with the program and being able to seek the right information at the right time. For example, I never did, you know, AWS infrastructure hacking before.
Yeah. But you know, right people, right time, right information. It's finding that sweet spot which makes a difference. So what were the things you focused on at the hacking events? I know in which event, for example the last one, you focused on infrastructure on AWS. The previous ones, did you also have one goal that you wanted to, or one area? Oh yeah. On Epic Games, I focused on a very classic web app, purely marketplace.
And I did my usual thing with access controls. And the thing is, sometimes, well, people don't care about it, because it's not impactful, or it's not impactful in their own security model, and then you've got to accept it. So after spending two weeks doing everything like that and getting like, well, yeah, no, you're going to get a low-hanging, a low bug. Then you feel doubt. Damn, I really spent two weeks covering the whole platform and covering secret features.
I even spent like 2,000 on the premium subscription on it. It was worth it in the end. Oh, nice. But yeah. And so, yeah, well, I was quite confused, kind of tired. And so what I did in the end was to fall back to something that I really never tested at scale before, which was trying to test denial of service issues. And that's when I started to find some, you know, nice bugs.
And paradoxically, the two weeks of work that I did to uncover hidden attack surface, accessing premium features, even broken features or things that were not implemented yet, accessing them and so on and so on, didn't pay much in the end. And I made almost all the money in the end with a couple of those bugs. How about those bugs? Aren't they out of scope usually? Yeah, they are. They always are; almost all policies will have those bugs.
I think it's really program dependent. It's out of good sense, because they don't want people to spawn a thousand VPSes and start doing some volumetric DoS, because it doesn't add any value and anyone can do it. And, you know, it's just going to bring some issues for the people in France, but application-level DoS is sometimes accepted.
And once again, it depends on which program you're working on and the security maturity of that program, and which parts of the application you're able to crash, potentially stop. Yeah. And so in the end, there's still an availability metric. And this availability metric is not related to destroying information. It's literally in the spec: making a system not available, not destroying the data in it. So let's say that in a couple of requests you're able to crash,
I don't know, the shopping cart of all users in the marketplace. Yeah. Hell, that's impactful. And then you've got to walk a fine line, because you can't really test that in prod. Most of the time, either you have a suspicion, a very strong suspicion, and live hacking events are cool in the way that you can talk with the program directly and ask for validation; that's a good thing.
Or, well, you just scale up properly and progressively and you just, I don't know, create enough objects to slow the server response to three seconds, five seconds, 10 seconds, 15 seconds. And you cross-check with another user from another IP with another account to ensure that you indeed have a cross-user, cross-account impact. So would you also test DoS on, let's say, a public program where you don't have the direct connection with the customer?
How would you, and if you would, how would you watch out to not cross the line, with those bugs that are kind of, you know, on the fine line that you felt you'd not really cross? There are two things. The first being: don't look like a complete fool to the program.
So if you're starting to cross that line, at least make sure that you've got a really nice impact and not that you're crashing some small thing that the program doesn't really care about. Make sure that you have actual potential impact on something that is really big, because, you know, if you are going to do something, do it well, especially if you're crossing the line. Second part is, if you have something like
you send one request and it's permanently crashed, yeah, don't do it. You're going to have a very hard time with triage and then with the program. So it depends on who you are talking with during the triage and how the program receives it. Sometimes it's going to be a yes, sometimes it's going to be a no. And if it's just a no, well, you know, you lost your bug, but at least you didn't have any issue.
But sometimes it's something that can be a bit smoother, for example, you create a lot of objects in the database and then you return all of these objects at once. At least you control the amount of data that is returned. So you can create them progressively, 1,000, 2,000, 3,000 and so on, and just assess the response time of the server.
And so if you start seeing response times of five to 10 seconds, and it scales linearly with the amount of objects or actions that you perform, then logically you know that it's sufficient to make a first report. And then often it's going to end up like, yeah, no, that's not enough. So you ask, okay, should I go further? Let's say go further. You do show a significantly higher delay, or sometimes they would just say, no, it's out of scope.
Yeah. And then it's quite a weird situation because they want you to show impact, but they're not allowing you to show impact, but it's just the rules of the game that you decided to play by trying to use this kind of bugs, but honestly on more major programs it's less of an issue. So would you send the report, let's say, when you have a response of 10 seconds, or would you look for a higher delay?
What is the ideal response time that you would think shows the impact without actually impacting too much? It depends also on how it impacts other users, because sometimes you can augment the response time for yourself, but this is going to be, for example, a very short spike at one point in time, for example, that's at point A, and so when another user uses the site, if it's at A plus one millisecond, maybe he will not be impacted.
So the thing is, you've got to cross-check to ensure that it actually works, and if you cross-check with another user and get a delay of 5, 10, 15 seconds, I think it's enough. And consider that in a lot of DoS cases, the proof of concept that you're going to push is not going to crash the platform instantly, but rather provide a sufficient delay at a fixed point in time.
And it's only if you really continue way past that point that you might consider crashing the platform for a bit longer. So it's often scary, but you often have a lot of room, you know, before having an actual worst-case scenario impact. So do you actually, when sending the report, also test that the delay is present for another user with another IP address than the attacker user? Yeah. For me, that's the gold standard.
Okay. And that's what I was often asked on some programs. And at least it really shows that you have no bias, even though it's less cool to do, because it's actual additional work to have kind of a second computer or second IP and so a second account. Yeah. At least it ensures it for yourself.
But by applying this methodology, you have real applicable reports and not just, like almost all of us hunters, being very bound to your own vulnerability, saying, no, I know it's true. I know it works. Sometimes it doesn't. And being a bit strict about that kind of methodology allows you at least to be a hundred percent sure that you have an actual bug. It still feels good, because even if that's rejected, you found something and you feel good about yourself.
Doesn't it feel, because when I think about it, the problem in my head is, let's say there's a single worker and let's say I have a request that causes a 30-second delay. I know that if I tested from another account, it may get routed to a different worker. So let's say there are four workers. I would have to send four 30-second requests so that this user is affected.
So I would have to sort of brute-force how many workers there are by essentially sending requests that I would prefer to avoid sending too many of. So how do you manage this? In my opinion, there's no good solution. I was talking with Blacklist about another bug, the class, so not another... By doing statistical work, he understood that his exploit worked like one out of four times.
So once again, possibly different workers on different code bases; he just had to repeat until he got the right worker. And I think it's the same issue, but once again, it depends on how much room you have until actually crashing the worker. So sadly there's no good solution in my opinion. Yeah. It's a hard problem. If you were to estimate the percentage of how many of your DoS reports were accepted, is it like 50%? Something like this? More? Less?
Well, I did most of them during LHEs, I think. And so during LHEs, I'd say 70 percent of them. And outside LHEs, well, what I found was way less impactful. So it was still accepted, but it was a low or medium bounty. Okay. So I think that the context and the impact make a difference, but it's not to be generalized to all programs. Yeah. It's also good to know at the LHE you're one of the 100 hunters, so you're kind of trusted. Yeah, exactly.
It also helps if you have already accepted bugs that show the team, hey, this guy... Exactly. Yeah. He doesn't report only DoS bugs, he also reports good stuff. But if you take DoS on a more general scale, for example, you know, CPDoS, things like that, it's often pretty well accepted all around bug bounty programs, or at least the more major ones. So things should not be too much of an issue if you have something that's really impactful.
Yeah. Coming back to, to the topic of, of LATs, you've been to, to free life hacking events. So how has your approach changed from the first one when everything was new to the third one when you already know what to expect? I think it grows with your own maturity. You know, being a bit more organized, knowing the common pitfalls, knowing like your own issue with your own mental problems. And so it's similar to be, I think, just a better bug bounty hunter overall.
Like, I don't know, when I was first doing that Epic Games LHE in 2023, it was It was cool, but I was a bit more lost, you know, and yeah, organization thing, I think makes, uh, makes a good difference. Like for example, in Edinburgh, uh, I worked with another French hacker, Gerusha. That's where we got the most impactful team. Quite a nice award to have.
Yeah. And, uh, Right at the beginning, like we created a dedicated discord server with different channels so that we can have, you know, stuff sorted out, but that was not too much into organization. Like if you have too much channels or too much, you know, cases, not going to use it. It still has to be a little chaotic. And for example, the other thing I did on AWS was, um, I spent like, uh, just maybe one day before the event.
Like a whole day of spending time, uh, reviewing all of the services. Like I went to the catalog and click and read the description of maybe 30 percent of the services, because there's a lot of services and just making small spreadsheets on saying, Oh yeah, that may be cool. That may be cool. That might be cool. That might be cool. But that's why I think it's cool.
And it helped me when I have like, when we endured hardships or, you know, it was hard not finding bugs, losing motivation, to have like kind of a spreadsheet: Hey, that one, I didn't test it. And so you can keep your motivation high by having like fallback scopes and avoid the eternal cycle of: I'm not finding bugs, I need to find a new scope. I'm not finding bugs, I need to find a new scope. I'm stuck finding a new scope. I think it helps a lot with, um, maintaining morale.
And morale is honestly, for me, that's the key, because if you or your team is depressed, you're not going to find any bug; you're going to maintain your confidence, you're going to maintain your inertia. And it's like almost all esports. If your guys are motivated, if your guys have high morale, high confidence, they're going to be on a roller coaster of, you know. As soon as morale drops, you think like, no, this is not worth the time.
This is not worth the effort, and you feel less energetic, less motivated. And of course you're going to miss bugs because you're less involved in doing the actual work to find the bugs. So yeah, that makes a good difference. A little bit more of organization and being able to better maintain your mental health during the events. How do you
manage your focus during the event? Because the mistake I've made was like, I wanted to focus completely on the LHE and it was just too much, and it ended up being worse than if I, you know, stuck to my routine, to my sports. So how do you manage your time during the LHE? Well, I'm going to jump a little bit out of the box and, um, it all comes down to how you handle your performance yourself as an entrepreneur, as a bug hunter.
Um, back in the days, and that's why also I think it caused health degradation for me, I was all about the grind. So if something is important, I'm going to wake up early, I'm going to grind very late, and I'm not going to stop until I've done what I've done, for extended periods of time. That was my first LHE and honestly I felt it on my health because I didn't sleep much, I smoked a lot of cigarettes, drank a lot of caffeine, and it hasn't impacted anybody. And the grind works.
If you're able to maintain a certain amount of work, even though your performance drops, if you're just putting in the raw brute hours, you will make a difference. That's not something that you should do, in my opinion, in the long run. And then when you gain more maturity, you understand that it is more akin to a marathon and not a sprint. So you gotta manage yourself properly. And so if you manage yourself properly as an individual, you gotta take advantage of your peak focus hours.
And you know the saying, like, people can work productively at most four, five hours per day. And then what is the rest? I don't believe in purely being productive for four or five hours a day. I feel the difference. I think like my top hours are maybe three hours of full focus. And that's where most of the work gets done. But for me, you've got to find the right balance between the pure and dumb grind and only, you know, maximizing your peak focus. You've got to find the right balance.
And then in between that, you gotta go and enjoy, uh, indeed your rest, your hobbies, life, your wife, and so on. And so you do see the difference when you start to find that right balance, because you maintain your morale, you maintain your routine, you feel good as an individual, and it just shows off in the final work.
Yeah. For me, the sort of problem that I have with this sort of, because I do believe there's a few hours during the day that can be really productive, but in the background with you, I feel
it's as important to have these, you know, really focused hours to solve a problem, write a script, come up with a bypass, but also the hours you're just at the computer using the app, triggering different flows, looking for the one point where you can then spend this focused time bypassing. So it's necessary to also like just spend a lot of time. You don't really have to be super focused and, uh, yeah, it's sort of, you know, you can never plan for it.
And that's sort of where I struggle is, you know, just three hours a day is not enough because, you know, if two and a half hours are just browsing the app and not actually finding a particular bug, it's too little. And then, you know, that's where I find myself having very varying amounts of hours on different days. That's it, you just got to find the right balance.
Yeah. And if you get that sweet spot, you're going to have bugs, you just have to work on all, you know, of your workhorses to get the actual job done. That's perfect. How to not feel that, you know, especially in the group of like 100 hackers with so many top guys, how to still stand out, how to not feel the imposter syndrome? Honestly, I still feel terrified. Like, I know that I'm maybe likely, because of, you know, the rankings, going to get a next LHE invite.
And I told you about that yesterday. I'm damn terrified of the next LHE because I don't feel confident, or I don't feel like, uh, I'm going to perform well, and I'm afraid of the scope that is going to be, if there is one, and I'm afraid of, not of the people there, because people are quite friendly, but I'm afraid of, um, that competition. So what I do is, uh, forget about that.
The thing is, even if you're kind of competing with other guys and girls, uh, actually you're just competing with yourself and you just run your own race. The thing is, at an LHE, you got a lot of people working on the same program right now, but you only know it because it's an LHE. Those who work on Amazon or other good programs, do you see the people hacking at the same time, with the same focus? No, you don't see them. No, I don't. No, I don't.
And so what you do is simply, well, put in the work, stay in your bubble, enjoy the ride, talk with other people, because it's cool, it's an emulation, people are having fun together, finding cool bugs, etc., etc. But disconnect yourself from the direct competition, or else you're going to try to rush some things and get them badly and poorly done, because you must keep in mind that in an LHE you have a duplicate window, which means that during
the first two weeks of remote hunting, uh, every bug that is duplicated will be split between all of the duplicates, so if you are duped you will still get paid. Which means that if you have like a super cool bug chain, you don't care about having your bug stolen by another one, you can just put in the work to have a quality time and quality bug chain.
And so when you start forgetting about the competition and just focusing on having a nice bug, you will find cool bugs, because you invest two weeks of time and you will find something that is very nice. But in the end, isn't that just the advice that generally applies to bug bounty? Forget about the other people, find cool bugs, get the reward. In the end, that's the secret, in my opinion, it's the same thing. Yeah. Yeah. For me, it works.
At the first event, I looked at the leaderboard and stuff like this. The second event, you know, I'm sitting here, you made as a team 200k on AWS, I made like 18. If I just compare myself, as always, he made five times as much as me; 18K for three weeks of work, it's still a lot. So, you know, I'm happy with this and it's probably the only way to like keep the same mentality. So yeah, it's really smart to, you know, look at yourself, look at your bugs.
Also, being a duplicate of somebody at an LHE, it can be kind of an honor. Oh, I duped this guy. It's cool. So you don't even see it as negative. I don't get the exact quote, but if I remember correctly, it's from Miyamoto Musashi, you know, The Book of Five Rings, and everything he related to samurai fighting on the Bushido, the way of the samurai, is that today's victory is to be greater than the person that you were yesterday. Yeah. And tomorrow's victory
is to be greater than what he calls the lesser man, which includes, well, basically yourself. That's the way that you should see it. You're walking your own road and finding your own bugs. In the end, competing with other people and pushing them, trying to find the bugs before them, it's not going to work well for you. That's what I wrote, you know, I wrote a small blog article about, you know, performing in LHEs.
And the thing is, thousands of hackers made thousands, millions of dollars per year on those events. And it works because they are not fighting with each other, they just have their own style, their own unique approach. Yeah, that's a really good one, and honestly, the unique approach is not like I have a super secret nested bug. No, that's not the case. It's based sometimes only, for example, on the way you perceive the security model. You also mentioned collaborating during the event.
So can you tell us a bit more, you know, how does it work? How do you split the bounties? How do you split the tasks? The gentleman's agreement for me is the standard 50/50. Uh, obviously, in bug bounties, complex situations can evolve. People can stop, can get more or less involved. And of course, in a lot of cases, people might not feel comfortable with, you know, doing the full 50/50.
I'd rather do it even if my teammate doesn't work, because at least I know that I will always be fully clean. Get your 50 percent cut. If you like, we will stick together. If you don't like, we'll split ways. It was fun working with you, but at least that's a gentleman's agreement for me. That's what I did, for example, with Noxious in the Las Vegas event, where we finally collaborated on some bugs, and I said, okay, don't worry.
We are collaborating on that type of bug class. So I had a couple of reports before. I'll put you at 50/50 because I trust you. I want that to be fully fair. And that's what we did with Gerusha again at Edinburgh, it was, okay, are you willing to invest yourself fully? Yes. Are you willing to do a 50/50? Yes. That's the standard agreement. He told me, okay, I have a day job, so maybe sometimes I will not be as available as yourself. Is it okay for you? Yes, I don't care because I trust you.
And then you just find the right people at the right time. Gentleman's agreements go on, and then it's just trust, and being complementary in your skillset helps a lot. So what do you get out of the collaboration? Um, three things: morale and confidence, because it's always cool to have another hacker with you and not just be alone fighting the odds, the Kraken, the Titans of bug bounty; it's cool to have like a teammate, uh, just to hang out and grow with.
Don't mind me, don't you care about you, enjoy being around. That's the first thing. And as I said, morale is very important. Uh, second part is indeed when you have a complementary skill set. I'm terrible at client side. Gerusha considers himself bad at server side, but that's a lie. And so at least when I had something that I had no idea about, he helped me.
He, uh, he was doing some very cool code review, for example. Like, there's so many things where, you know, people get complementary, or even when they have both the same skillset, at least you have a, you know, different point of view, different perspective. And so, you know, when I arrived here, I told you about a potential bug that I had, you start talking me away, maybe you can do that, that, that, that. Hey, wait, wait, wait, wait, wait, slow down.
'Cause I just told you about the bug. I hadn't even thought about that. We were just having a coffee and I couldn't resist. And that's pretty crazy. And I think that's still what impresses me the most when I talk with other hunters at LHEs or other events: the way that they perceive the potential attack path based on the signal, potential flow. Each time I'm like, oh, I never thought about that. And so, yeah, it's morale,
a complementary skill set, and, you know, the way to perceive the potential attack path. Yeah, that's nice. Let's talk about tools a little bit. Uh, are you using Burp or Caido? I'm a Burp guy, but I have like a lot of tools. I have a love-hate relationship with them. Like, Burp is battle tested. That's why I stick with it. I know how it behaves. I know its limitations. I know that it evolves quite quickly since Caido is being more competitive.
I love how they are implementing cool stuff like Bambdas, BChecks, and so on, but I also hate the way they are implementing them. I have a love-hate relationship with them. Caido is the new cool kid in town. A lot of top hunters are switching to Caido and I feel I understand why. I don't know for now. I, uh, when I tested it, like, months ago, I felt like it had not yet all the features that I wanted to have. But at the same time, it has features that I wanted to see, like, natively in Burp.
It just bothered me, so. Burp Suite, extensions, custom extensions. For now, it does the trick for me. What extensions? Top three, I would say, um, so when I need logging, it's Logger++ to send to Elasticsearch, or Log Requests to SQLite, which logs the requests to SQLite. Uh, Piper. Piper is super underrated. It's crazy. I have like a ton of scripts for Piper. To do what?
Everything. Um, first thing is I want to right click and be able to save any number of requests or responses to the disk. Okay. Clear text. Not that weird Burp format. I want the full clear text. I want to be able to extract only the JSON request or response. I want to have it beautified. I want to be able to compare it. I want to be able, I don't know, to replace some stuff dynamically. I want to be able, for example, sometimes to apply like specific jq features to some specific stuff.
And so a lot of things just to process data, to save data to disk, and, uh, yeah, to sometimes have like graphical interfaces to, well, do dynamic diffs, or, um, I have even one that calls, uh, JSON Crack. So for example, if I have a very big, uh, JSON, I do a right click, send to JSON Crack, and then I have a graphical explorer to show me the visualization of the JSON file and some fuzzy finding to find like the right keys and how it's nested. Yeah. I use Piper a little bit.
I think it's underrated. I think it can do a lot of things. Although recently, since they introduced Bambdas, I also use some custom columns. So things I used to do by like Piper scripts, I now just have a custom column with the Bambda and, uh, I don't know, extracting the GraphQL name of the operation, for example. I used to have a, um, Piper script to do it; now it's just, you know, another column. So it was nice.
What about them? It's a very cool feature, but they just like, and, uh, I've been in an interview with them to give them some feedback, and they like the way to save, you know, your Bambda so you can quickly switch, uh, between, uh, code, you know, snippets. Yeah. For search. Yeah. For columns. Yeah. That's pretty cool. Uh, what was the extension? You mean? Yeah. Uh, I had at one point, I used a bit of CSTC, I think it's, um, uh, it's like, uh, an embedded CyberChef
inside Burp, and it can also do like custom manipulations. For example, all the operations that you're able to chain in CyberChef, you can apply them to some, uh, ingoing or outgoing requests. And so, you know, when you're a dumb guy like me, who cannot learn Hackvertor, who didn't take the time to learn Hackvertor, you have at least a graphical way to, you know, move blocks with your monkey brain. Decode Base64. So yeah, I like this one. Uh, and then yeah, just mostly additional Bambdas.
Like for example, I know Rhynorater has, well, it was on his Discord, I think, that I saw, you know, something with the HTTP header, like just to highlight, for example, the beginning of a sequence of requests. It's very cool to have that Bambda to apply your specific coloring on the fly. So you see the beginning of each sequence when you click an action, something like that. And that's pretty much it. I started using Burp Bounty, but never really stuck with it.
Uh, and the JS result, to have the, you know, the JS stored inside Visual Studio Code. And outside Burp? Outside Burp? Um, depends. When I need to do some fuzzing, it's good old ffuf. Does the trick for me. Really like it. Uh, jq, of course, and JSON Crack to graphically explore it. I really like the way you can like quickly explore the stuff. Let me think, because I'm using many things.
Some extensions like Tampermonkey, you know, when you need to modify the DOM quickly to remove some elements or do some quick actions, like, you know, to remove the disabled part of something. That's pretty nice. Uh, I've got a self-hosted Interactsh server for out-of-band interactions. I've got a couple of DNS zones for, um, you know, um, DNS rebinding. And, uh, various variations, uh, around that. Uh, man, I think that's pretty much it.
And of course you got to know some classic toolkit that once in a while you go with, you know, some sqlmap or GW to track, but, you know, it's very specific to an issue. Variations of DNS rebinding, what did you mean? If I'm correct, there's like three, four, five different methods, you know, where the browser goes onto your website and then you hold it for a couple of seconds and you change the DNS record. There's one where you send two DNS records at the same time.
Uh, and, uh, I think it's Rhino who made a tool for that, which is DNS Rebind Multi-A, something like that. Okay. There are other ways, also some variations to clear the cache by, you know, saturating the number of DNS responses you send them. So, well, like there were five or six variations, I think, in the tool Singularity when you set it up properly. And then you got other tools like DNS Rebind Multi-A and a couple of other ones on GitHub.
Okay. I didn't know all of them, so I have to check this. Yeah. It's cool to set up, but it's boring because you have to set up your DNS zone correctly, and all the tools and so on. And then you can just customize the JavaScript on the page and the tests. It's cool. Yeah. How about AI? I know you have some great ideas for using AI in the future, but today, how does it help your hacking? That's multiple levels. Um, I don't know.
I love what, uh, Justin was saying, uh, regarding, uh, you know, keeping yourself in a good flow state. And there's another French hunter called LaLuca who talks a lot about that, about keeping yourself in a good flow state and avoiding having like breaking interactions and so on. So I love how, um, when AI is correctly integrated into your workflow, you don't have to open Chrome, go to ChatGPT, create a new chat or something like that.
So I have a lot of bindings, you know, so I can interact quickly with AI. I have like, uh, a self-hosted, uh, LibreChat, which is, uh, you know, simply using the APIs of the most popular LLM providers. And you can self-host it. So you can like have a nice graphical interface with all your parameterized queries, your prompts that are all correctly stored in one place. Yeah. So it's pretty cool. And, uh, it also adds some other features.
For example, big-AGI, which is another application, allows you to do something called Beam, which allows you to query multiple LLM providers with the same prompt, so you can compare the answers that you like. Uh, and sometimes there is also multi-step reasoning, for example, where you take two or three LLMs, different LLMs, working on the same things, and then it makes a diff and a unified response. That's a lot of cool stuff. Um, I started working on Daniel Miessler's Fabric.
So it's a CLI tool, which, um, has like a collection of prompts, maybe a hundred, 200 prompts. Very cool. And so basically you can pipe anything into it. So from your command line, you can say, for example, uh, sqlmap --help, and then you pipe it into Fabric and specify the prompt that you want to use.
So for example, you provide, well, your inputs from your terminal into, well, your AI agent and your preconfigured prompt, for example, to ask it to, well, generate you the perfect sqlmap, I don't know, command at some point in time. And, um, it's very cool because it integrates natively, you know, into your environment, but mostly, um, it has like very high quality prompts, or how to organize them and how to ensure that you get quality results. So it's pretty nice as well.
Um, I was starting to develop also a Burp extension, you know, and I recently saw Justin and his team sharing the, um, the integration that they made into Caido, you know, you do a Shift+L and you got, uh, that. And, uh, I was initially developing something like that for myself. I got to check if I have the time and the strength to endure, you know, coding in Java for that much time. But yeah, that's the kind of thing I do. How do you see the future of AI in hacking?
Is AI going to replace bug bounty? Not necessarily, but, you know, as with all things, um, you know, the maturity level of different, sorry, the technical capabilities of the attackers also improve. And so not necessarily, because for now we are pretty far from having the real, you know, artificial general intelligence, um, and we are still stuck by context. So context is pretty much everything.
It's the state machine, you know, and if you're not able to maintain context for a long period of time, you're not able to, you know, have really meaningful, in-depth assessment of something. And that's why I talk so much about, you know, those little agents, this chain of thought, and the way to go around the limitations of not having enough context. So yeah, maybe one day we'll be replaced, and that's not a bad thing, but we will find other things to hack on.
AI is a black box. No one really understands how it works. Even like you've got machine learning engineers who work under the hood, but it's a black box for a lot of people. Once AI has replaced us, we will hack AI, and then we hack other things. We hack quantum computers, I don't know. Yeah, that's the good mindset, like, if the technology changes, we'll adapt. There's always been a need for security somewhere. Yeah, we can't be, um, like attached to a technology or to a specific time.
Like by nature, it's always evolving technologies, or rapidly, you know, also deprecating; like how many weeks can you wait before there is a new JavaScript framework? Two weeks, maybe. It's bound to evolve. And, um, hacking is the art of learning, not necessarily the art of exploiting, but it's mostly the art of learning and then applying those skills. Yeah. Good. We'll come to an end. Uh, tell me, what are you looking to achieve in the upcoming year, 2025?
Uh, basically, I'll try to keep around because of very cool events. And of course we make big money with them. And, uh, I need, I think, to keep building some wealth, very honestly. Yeah. And, uh, I'd like to also, uh, diversify myself outside of the cybersecurity world. So for now I have side projects with AI, but I'd also like, for example, to have, you know, some real-world businesses to ensure that, you know. We are living in exciting times, but also very dangerous times.
And I think it's good to have like a little foothold in the real world, maybe a small restaurant, maybe a small house, something like that. You know, something you can touch. Great. Thank you so much. It was awesome. Thanks for listening. If you want to listen to another one, I recommend you, uh, this one in the description and on the screen right now with Louis from PentesterLab, where we talked about getting into the field, learning about cybersecurity and, uh, many other things.
For now, thank you so much for listening and goodbye.
