“Keeping yourself motivated” as a Bug Bounty hunter is paramount given the feast-and-famine nature of vulnerability discovery, says Italian hacker leorac.

 – or Leo – also discusses his favoured type of vulnerability, tips for beginner bug hunters and the changes he’s observed in software development over the past two decades and the implications for hacking.

As he also explains in the video, Leo is a part-time hunter since he also works as a software engineer, and is married with two children.

The footage below was filmed in September 2024 at the RomHack cybersecurity conference in Rome, where Leo took part in Italy’s 

I started hacking in 2021. I wanted to be a penetration tester. And I started to do CTF, and then I discovered the Bug Bounty world. I tried myself and I was very lucky, because I found some bugs pretty soon, so I got motivated. And I have been hacking ever since.

On the most challenging aspect of bug-hunting…

The most challenging part, I think, is the psychological one, because Bug Bounty is not only technical.

It’s important also to keep yourself very motivated, and Bug Bounty is a rollercoaster of emotions. Sometimes you find some bugs, some critical bugs – and you see yourself at the top of the mountain, like the best hacker in the world. And next time you can’t find anything for weeks, for months – and you think that you’re just done.

You have to be intentional in keeping yourself motivated and to stay healthy, and maybe take some pauses – and start all over again.

On the three words that best describe him as a hacker…

I guess ‘consistent’, because from when I started, I always went through all the process and I never stopped. The second one, I guess, is ‘creative’, and that’s the counterpart of technical – because I’m not so technical. I prefer to see myself as a creative, finding creative ways to hack on the applications. And the third one is ‘passionate’, because Bug Bounty is a part-time job. But for me, it’s my very passion and what I’m very passionate about.

‘My best attribute is persistence – technical skills you can learn’: drak3hft7’s Bug Bounty story so far

I guess that my most critical or biggest-impact bugs are all broken authorisation bugs, because it’s what I keep testing. Testing that I was able to, most of the time, get to privilege escalation, to do stuff with low privilege users that was meant to be done by an admin. And this leads to account takeover or, with an IDOR, information disclosure. So my main bugs are mostly just like that.

On the evolution of software development and hacking techniques…

I guess that the main evolution is about technology. So some years ago, old websites for example were in PHP, and now you see that not so much anymore. Before there were no frameworks, and now everything is based on frameworks. As I said before, I’m 40 years old so I’ve seen a lot in 20 years. And right now, of course you can’t hack as if it were five years ago or 10 years ago. You have to focus on different classes of vulnerabilities. So I guess you have to follow the technology – and then understand what this technology is, where this technology is more prone to be vulnerable.

My main tip is: just start. Because I see so many people in the loop of trying to study, to understand – because they are scared to start, they are scared of the challenge. But there are a lot of public programs, a lot of platforms, so just start.

And on the technical side, something that helped me a lot was the PortSwigger Academy. So all the time I suggest that. If you’re able to go through the PortSwigger Academy, then you are just fine to start doing Bug Bounty.

Learn more about hunting through YesWeHack

, or learn about the latest hacking tools and techniques 

‘The most challenging part is the psychological one’ – leorac on the ups and downs of Bug Bounty hunting

The Dojo challenge, Hex Color Palette, required participants to exploit an XXE (XML External Entity) vulnerability in order to trigger a file disclosure. 

By crafting a malicious XML payload, they had to trick the parser into leaking the contents of a sensitive local file - specifically 

Want to create your own monthly Dojo challenge and won a contributing award? Send us a message on Twitter!

 feeds to be notified of upcoming challenges.

Read on to find out how one of the winners managed to solve the challenge.

This time, things were a little different – and some context is needed.
The challenge was created by myself – @

 – and while preparing it for release last month I realised that the original PoC no longer worked as expected.

After some investigation, I discovered that the issue was caused by an update to the Python 

 revealed that payloads relying on parameter entities had worked reliably until this update – including in scenarios involving DTD injection and indirect file disclosure. However, changes in the underlying 

This change explains why the challenge suddenly stopped working: 

although the intended solution remained valid,

 the parser no longer processed parameter entities the way it used to – effectively breaking the error-based XXE vector the intended solution relied on.

To address this, we added a feature to Dojo that allows us to use the previous version of 

 when creating challenges, and I left the challenge itself unchanged. 

Instead, I have decided to publish two separate reports for this community write-up: one detailing the intended PoC before the 

 update, and another showcasing the exploitation technique based on Anatoly Katyushin (heart1ess) discovery!

This challenge revolves around a Python web application that renders user-supplied XML data through a templated HTML interface. The application uses the 

 library to parse XML files and extract hexadecimal colour codes to populate a front-end colour palette. However, the XML parser is configured to allow external Document Type Definitions (DTDs) and resolve entities, which opens the door to an XML External Entity (XXE) injection vulnerability.

Due to insufficient input validation and insecure parser configurations, an attacker is able to inject arbitrary entity declarations, thereby allowing him to manipulate the server into disclosing files stored on it.

To identify potential vulnerabilities within an application, analysing the source code is an effective approach as it reveals insecure coding practices, such as improper input validation or the misuse of certain libraries. In this scenario, we are presented with a web application that accepts a user input, which is then parsed by the program - potentially influencing the contents returned to the user.

The first step in performing our taint tracking is to examine how our input is being handled by the program. In this scenario, a Web Application Firewall URL-encodes the user input before it reaches the web server.

Our user input is first decoded using the 

 function, returning to its original form (our raw input) before being passed to the 

function. The result of XML parsing, or any errors that occurs, is echoed back to the user in a templated HTML response. This hints that our payload could manipulate the contents of error messages, which often tend to be verbose.

 function is where the bulk of the data processing lies at. There are a few key points that can be noted regarding the function's implementation:

: allows the XML parser to load external DTDs

: enables the expansion of external entities

In the setup code, we can observe that there is a DTD file located at 

Note the reference to an undefined entity 

, we can deduce that the application will:

3. Attempt to resolve file paths provided within entity values

, we can deduce the possibility of overriding this entity with arbitrary ones, which will be subsequently loaded by the parser. Based on this idea, we can slowly piece together a payload:

To begin with, we need to load the local DTD at 

, which could have nested parameter entities that would be expanded via the parser's 

configuration. We need to include the following:

 that references a non-existent file path (

Finally, we just need the parser to load 

The parser will then read the contents of 

 most probably does not exist, an error containing the resolved path will be thrown, and the resolved path will be returned as part of the error message (hopefully).

Before we merge everything together, we need to note that some characters need to be replaced with their Unicode hex character codes to bypass parser restrictions and prevent premature expansions during entity parsing.

Double-encoding is also used to delay expansions. For example, 

This vulnerability presents a serious risk as it allows an attacker to read files on the server, leading to a loss of confidentiality. For example, we are able to leak the contents of 

To remediate this vulnerability, the configuration options of the 

 to prevent the loading of DTDs and entity expansions.

Input validation and sanitisation should be incorporated before the user input is processed by the 

 function to prevent blacklisted characters and keywords (e.g. 

Additionally, error messages returned to the user should avoid including the XML parser's error messages as these could unintentionally leak file paths, stack traces, and in this scenario, the contents of arbitrary files.

————– END OF 0necloud‘s REPORT —————

As explained earlier, this approach no longer works with the current version of 

, it's no longer possible to trigger an XXE using parameter entities - which were previously exploitable regardless of this setting.

Now it's time to take a closer look at the behavior we discussed earlier - illustrated through 

With this application, you can now display your own hex color palettes and unleash your inner UX designer! Simply upload your own XML files to generate custom palettes. Can you find the flag?

In this writeup, we'll review the latest YesWeHack 

Starting with the server setup code, we see that the flag is places in the 

 file is generated, I'll skip most of the CSS/HTML which does not seem relevant.

 which should make us think of SSTI and/or XXE vulnerabilities. It specifically loads version 

 so checking if it's the latest version or there are known vulnerabilities should be added to our TODO list.

 option will prevent XSS by escaping HTML variables.

 function is declared. First thing to note is it's susceptibility to XXE attacks:

 → allows loading external/internal DTDs.
- 

 → allows expanding general and parameter entities.

However, there is some regex on the XML elements to ensure they match a hex colour code format. It must start with a 

. It simply takes a string and passes it to the 

Dojo challenge #42 - Hex Color Palette winners & writeup

, failures to gather enough intel on enemy positions or terrain have often proved decisive in warfare.

Reconnaissance is every bit as fundamental for finding promising avenues of attack when probing digital systems for vulnerabilities.

Master the art of hacking recon, which involves gathering intelligence about your target system, and you can expand visible attack surfaces and make your hunt more targeted – considerably enhancing your chances of Bug Bounty success.

This all-in-one resource summarises each article that featured in our series on various essential Bug Bounty reconnaissance techniques, such as subdomain enumeration, port scanning, HTTP fingerprinting, hidden-parameter mapping, Google dorking and archive-based recon. These how-to guides also teach you how to unlock high-impact vulnerabilities using popular recon tools such as Nmap, Shodan and the Wayback Machine.

This recon recap consolidates six articles that each tackle a different set of popular methods used by ethical hackers and Bug Bounty hunters to learn about their targets. 

Recon Series #1: Discovering and mapping 

 – expand attack surfaces with active, passive techniques

 – sleuthing for a web application’s hidden vulnerabilities

 – uncovering attack vectors by revealing open ports and hidden services

Recon Series #6: Excavating hidden artifacts with 

: Recon is a bedrock for Bug Bounty and footprinting in cybersecurity

Recon Series #1: Discovering and mapping hidden endpoints and parameters to expand attack surfaces

Vulnerabilities often lurk in places that automated scanners typically fail to reach. While security tools excel at finding misconfigurations or known vulnerabilities with signatures, ethical hackers can uncover additional attack surface through manual reconnaissance techniques, such as force browsing for hidden directories, fuzzing for concealed endpoints and meticulously extracting URLs from client-side source code. The first article in our series explains how to manually map hidden assets that might uncover high-impact findings overlooked by researchers who rely more heavily on automation.

Recon Series #2: Subdomain enumeration – expand attack surfaces with active, passive techniques

You can dramatically expand your attack surface by exhaustively discovering all in-scope subdomains. The second instalment in our recon series explains how to map your target’s infrastructure by collecting all related subdomains and organising them within a file or database. This article covers both passive techniques like using public databases and Google dorking as well as active methods like DNS brute-forcing and virtual host fuzzing.

Recon series #3: HTTP fingerprinting – sleuthing for a web application’s hidden vulnerabilities

HTTP fingerprinting involves gathering detailed information about the technologies powering a web application. These cyber recon methods can glean vital intel about programming languages, software versions, firewalls or third-party services. From analysing HTTP headers to performing malformed HTTP requests, this guide explains various techniques for profiling a technology stack in ways that enable you to craft more targeted and effective exploits.

Recon series #4: Port scanning – uncovering attack vectors by revealing open ports and hidden services

Port scanning identifies open ports, running services and service versions on target hosts. By understanding what a host exposes, you can tailor your bug-hunting strategy to precisely target specific weaknesses. This article explores the advantages of different port scanning methods, recommends the most effective tools, and offers practical, real-world examples drawn from Bug Bounty engagements.

Recon series #5: A hacker’s guide to Google dorking

Google dorking (or Google hacking) leverages Google’s advanced search operators to find publicly available information about targets. This footprinting technique is especially effective for detecting information-disclosure issues such as exposed credentials, forgotten admin panels and unsecured services indexed by search engines. Read our Google hacking guide to learn how to craft dorks that yield valuable intel, such as the query site:example.com intitle:"index of" backup, which often reveals publicly accessible backup directories.

Recon Series #6: Excavating hidden artifacts with Wayback Machine and other web-archive tools

The Wayback Machine and similar tools serve as time machines for the internet. For Bug Bounty hunters, web archives can reveal deprecated or forgotten endpoints that may still be reachable and vulnerable, even if they’re no longer actively used by the modern application. The concluding part of our hacking reconnaissance series covers the value of archive-based recon, how to wield logs and snapshots, and some useful commands and tools for eliciting info that might point the way to high-impact vulnerabilities.

Conclusion: Recon is a bedrock for Bug Bounty and footprinting in cybersecurity

Reconnaissance is the vital foundation on which successful Bug Bounty hunts are built. The more you know about your target, the more potential entry points you can identify and exploit.

Throughout this series, we’ve explored essential ethical hacking reconnaissance techniques for uncovering hidden assets, forgotten subdomains, exposed services and other valuable intelligence about in-scope systems. Learn at least the basics of all these Bug Bounty recon methodologies and you can build a powerful reconnaissance workflow to suit a wide range of scopes and contexts.

Recon series recap: The ultimate guide to Bug Bounty reconnaissance and footprinting

 seems to be riddled with strange features that absolutely no one uses and no one even really knows about,” begins Jeppe Weikop in ‘

Funky chunks: abusing ambiguous chunk line terminators for request smuggling

’. Kicking off our latest monthly roundup for ethical hackers, the computer engineering student’s writeup says implementations of this standard often result in “parsing logic that is lax or incomplete – after all, why bother enforcing strict syntax rules for protocol elements that aren’t used for anything anyway?” The scene is duly set for a series of novel techniques, payloads, black-box detection methods and vulnerabilities in popular HTTP implementations that have won plaudits from 

 on r/netsec. “This is cool. I've added a module to my automation framework. Will add a follow-up once I find something in the wild!” said one.💻

 usually fall outside of Bug Bounty scopes because of reproducibility problems, Vsevolod Kokorin sets out to show that “Stored Self-XSS can actually be transformed into a regular Stored XSS using modern browser capabilities” – in particular credential-less frames. This pleasingly punchy post includes examples of CSRF on login forms, including one with a CAPTCHA to overcome, a CSRF-clickjacking combo, and an exploit that harnesses the fetchLater API to bypass X-Frame-Options: Deny.👏

Assetnote co-founder Shubham Shah has lived up to his high standards with a 

 documenting an innovative technique for 

achieving a full HTTP response from an SSRF

, and its deployment against a popular, unnamed enterprise application. Brisbane-based Assetnote’s security team harnessed HTTP redirect loops and incremental status codes that leaked the full response. Shah believes the technique could reap dividends elsewhere. “It could lead to other SSRF vulnerabilities being exploitable in a similar way,” he said. James Kettle was 

 by this one too, in particular the approach of finding the vulnerability first before reverse-engineering the root cause.🔥

A researcher netted $5k from Google for a vulnerability that could have enabled attackers to 

brute-force the private phone number of any user

 during recon that a password-recovery page still functioned without JavaScript, despite Google policy enforcing the use of the language on account recovery forms 

, the researcher was able to craft an exploit that could enable phishing and SIM-swapping attacks. ☎️

While we’re on the subject of phone numbers, in our previous edition we highlighted a vulnerability that potentially 

exposed the phone number and precise geolocation data of any user on the O2 mobile network

. 📱This is quite an impact, with O2 having 23 million mobile customers in the UK. Researcher Dan Williams 

 how attackers could access this data using only a VoLTE call, and that O2’s VoLTE network was leaking cell tower IDs and IMSI (International Mobile Subscriber Identity) numbers. O2 has now said it has 

 the flaw. A video of Williams discussing the research at an IOActive event in London has now landed on YouTube. 👇

Adolescents have been a perennial source of societal anxiety – in terms of threats posed 

 them – since the term ‘teenager’ emerged in the mid 20th century as a popular descriptor of a cohort that exists awkwardly between childhood and adulthood. Well alarm has reached fever pitch again amid concerns over not just social media and knife crime, but, recently, over 

teenagers’ remarkable role as cybercrime masterminds

brought a UK high street giant to its knees

 through the vehicle of ‘Scattered Spider’.

In rather fortuitous timing, BBC cyber correspondent Joe Tidy has just published a book entitled “

Ctrl+Alt+Chaos: How Teenage Hackers Hijack the Internet

”, which tells a story that Jack Rhysider of Darknet Diaries podcast fame says “grabs you, pulls you in, and doesn’t let go”. 

Speaking at the recent Infosecurity Europe conference in London

teen black hats are typically a little lax on the OpSec front

 and therefore more likely to be caught. This is perhaps not only because their prefrontal cortex (responsible among other things for evaluating risk) is underdeveloped, but also, as Tidy mentions, an awareness that they’ll be exempt from the worst punishments on account of their young age. Citing Bug Bounty, Tidy also notes that these miscreants might be wise to consider ethical, less risky alternatives for making money from hacking. Reaffirming the wisdom of this point is the 

 facing up to 20 years in prison over US charges alleging that he led a hacking enterprise that caused more than £18 million of damage worldwide.👮

Before we summarise our own recent hacker-focused output, here’s a few more articles of note that we’ve spotted in the past month:

Unexpected security footguns in Go's parsers

 – Vasco Franco, The Trail of Bits Blog

Meta is able to track it’s users via WebRTC on Android including private mode and behind VPN

Can we really mitigate client-side prototype pollution by using iframes?

Talkback: An AI-powered InfoSec resource aggregator to boost productivity

Marketplace takeover: how we could’ve taken over every developer using a VSCode fork

“The past is never dead. It’s not even past,” wrote American literary giant William Faulkner. 📚 He could have been talking about the utility for present-day Bug Bounty exploits of 

. 😉 Because snapshots in time revealed on WayBack Machine and related tools often capture redundant website assets – debug panels, test APIs, credentials – that devs forgot to remove. 🔑 The latest instalment in our #BugBounty recon series explains the 

 and shares some useful commands and tools for performing these techniques.

Why does Argentinian hacker Adrián Pedrazzoli – aka 

 – particularly relish finding insecure direct object reference (IDOR) and broken access control vulnerabilities? 

 to find out, as well as what triggered the hunter’s interest in hacking, plus his favourite hacking tools, best bug discovery so far and tips for newbies. 👇 This interview was filmed during Ekoparty in Buenos Aires last year, during a live hacking event held by YesWeHack. Adrián finished third on the leaderboard.

📢 Are you a Caido user? Just in case you missed our recent announcement: YesWeHack is the first platform to integrate Bug Bounty programs with the security testing toolkit. A new plugin, now available in the Caido plugin store, enables you to 

fetch all your YesWeHack programs from within Caido

 French cloud provider OVHcloud has raised critical rewards by 25% and high-severity rewards by 50% for a specific scope for a limited time only – running until 31 July. Consult 

 concluded with a familiar-looking podium: hat’s off to the consistently brilliant rabhi (also all-time #1), Xel (all time #2) and Noam (all-time #9). Sitting in fourth, drak3hft7 (all-time #10) has continued his stellar rise of the rankings while Philippines-based xavoppa in fifth is making a big impact having registered with YesWeHack only in 2024. 👏

Next up on our 2025 schedule is the grandaddy of hacker cons, 

, where we’ll be debuting as exhibitors. If you’re attending the event, which takes place between 6-7 August in Las Vegas, swing by Booth 2367 to discuss Bug Bounty with the YesWeHack team – and to grab yourself some YesWeHack merch. We’ll also be running a casino-themed ‘Hide and Seek’ CTF challenge. 👀

Then in the autumn we're exhibiting from booth E8 at 

, in Jakarta, Indonesia, between 16-17 September.

Our next live hacking event will take place between 4-5 September at the fourth edition of 

. Anyone attending the conference is welcome to participate.

This follows our recent live Bug Bounty at LeHACK, the hacker con in Paris, where hunters surfaced a 

typically impressive number of significant vulnerabilities

. Thank you to all participants, in particular to the three who made the podium:

Well done also to the top three hackers on the scoreboard for Payload Plz, the CTF challenge our in-house researcher Bitk created for the event:

And that’s it for this edition. Happy hunting! 👋

Read this monthly roundup of content aimed at ethical hackers even sooner by subscribing to 

Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, 

 – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.

Chunked-body parsing flaws, making self-XSS great again, using HTTP redirect loops to achieve non-blind SSRFs – ethical hacker news roundup

Having “access to an unlimited number of security researchers with different skillsets” is among Bug Bounty’s most compelling benefits, according to Vittorio Addeo, Ferrero’s cyber offence manager.

Vittorio was speaking alongside Giulio Maria Gravante, offensive security project manager at Ferrero, at the RomHack conference in Rome last year.

Ferrero is an Italian multinational operating in the sweet-packaged food sector, with its iconic brands including Nutella, Kinder and Ferrero Rocher.

In the interview below, we quizzed Vittorio and Giulio about Ferrero’s Bug Bounty evolution since the launch of its program in February 2023, the hurdles they’ve surmounted, the security benefits observed so far, and their tips for maximising the effectiveness of crowdsourced security testing.

Further down the page you can also watch highlights from Ferrero’s live Bug Bounty at RomHack – 

 – which was held in partnership with YesWeHack.

Vittorio on Ferrero’s rise to prominence…

Ferrero began its journey in Italy in 1946, and today it’s one of the world’s largest companies within the sweet-packaged food sector.

Giulio on why they launched a Bug Bounty Program and it’s subsequent evolution…

To enhance the security and the protection of our digital data – in particular to complement the security tests that we perform on a daily basis.

We started with few assets and then we extended it to our related companies.

It was a real success. We were able to identify thousands of criticalities. Additionally, we started with only a few hunters, and today we count more or less 130 hunters.

Our goal is to achieve 200 hunters by the end of this year [Note: the interview took place in September 2024].

Giulio on the biggest challenges so far and how they overcame them…

First challenge: bug reports spiked when we launched the first Bug Bounty Program. As a solution, we expanded our resources mainly on bug analysis and remediation implementation.

And the second challenge is: always keep the program attractive for the hunters. We try every day to add new assets to the scope and keep the level of the rewards as attractive as possible.

Vittorio on the most notable benefits of Bug Bounty…

One of the most important is the ROI, so the return on investment. You just pay for valid vulnerabilities, without having to pay for the time needed to detect them.

Another important aspect and benefit related to Bug Bounty is the access to an unlimited number of security researchers with different skillsets who can discover bugs on your external attack surface.

So you have an unlimited team working with you, collaborating with you, trying to bring the security level of your company to the next level.

Hack Me I’m Famous #2: Louis Vuitton sets trend with first live hacking event in luxury fashion sector

Vittorio on the key factors for a successful Bug Bounty Program…

Always try to update your program and refresh your scope with new juicy targets, in order to allow security researchers to always work with a continuously evolving attack surface.

Another key aspect is to always try to increase the number of Bug Bounty hunters working in your program, just to keep the level of the competition very high. This is always good for all the security researchers, because they even work together, collaborating, trying to find the most useful bug.

Bug Bounty Programs have become a security best practice nowadays. You have to embed it in your security program. Don’t waste time and start soon!

Is your security team managing a Bug Bounty Program yet? 

 to find out more about the benefits of crowdsourced security testing and how this model can be adapted to the specific needs of your organisation.

The YesWeHack Blog

‘The most challenging part is the psychological one’ – leorac on the ups and downs of Bug Bounty hunting

‘The most challenging part is the psychological one’ – leorac on the ups and downs of Bug Bounty hunting

Dojo challenge #42 - Hex Color Palette winners & writeup

Recon series recap: The ultimate guide to Bug Bounty reconnaissance and footprinting

‘The most challenging part is the psychological one’ – leorac on the ups and downs of Bug Bounty hunting

Chunked-body parsing flaws, making self-XSS great again, using HTTP redirect loops to achieve non-blind SSRFs – ethical hacker news roundup

‘Bug Bounty has become a security best practice’: Why Ferrero is sweet on crowdsourced testing

‘Feeling close to a critical vulnerability is incredibly addictive’ – YouTuber gregxsunday on the joys of Bug Bounty

Chunked-body parsing flaws, making self-XSS great again, using HTTP redirect loops to achieve non-blind SSRFs – ethical hacker news roundup

OpenAI VDP for bugs found by AI, CVE funding fears persist, ‘shift left’ towards vulnerability overload – OffSec roundup for CISOs

Flashback to the L’Oréal Live Bug Bounty: Watch last year’s highlights as anticipation builds for leHACK 2025

YesWeCaido: a new Caido plugin for tracking Bug Bounty Programs

OpenAI VDP for bugs found by AI, CVE funding fears persist, ‘shift left’ towards vulnerability overload – OffSec roundup for CISOs

Don't wait for threats to strike

Products

Researchers

Resources

Company

Follow us