‘Feeling close to a critical vulnerability is incredibly addictive’ – YouTuber gregxsunday on the joys of Bug Bounty

July 4, 2025

YesWeHack interview with ethical hacker gregxsunday aka Grzegorz Niedziela about Bug Bounty, in which he says “I’m paying a lot of attention to SSO or SAML flaws”

When Gregxsunday embarked on a career in offensive security he expected increasingly secure development practices to result in dwindling opportunities for Bug Bounty hunters.

How these expectations were confounded by the hacking community’s impressive creativity is among the topics covered during this interview with the Polish hacker and popular YouTuber and podcaster.

During our Q&A, Gregxsunday also reflects on the attractions that sparked and sustain his interest in Bug Bounty, why authentication bugs are a particular area of interest, his experiences using both Caido and Burp, his antidote to procrastination, and his hobbies beyond hacking.

gregxsunday – real name Grzegorz Niedziela – documents his exploits on his hugely popular YouTube channel, Bug Bounty Reports Explained (almost 64,000 subscribers and counting), and conducts his own interviews with his peers on a companion podcast.

Gregxsunday on how he became a hacker…

I got into web hacking through CTFs. I found out you can also make money while doing this. So I wanted to become a pentester, and I was successful with becoming a pentester.

I gained a lot of experience. But I knew Bug Bounty is something that I wanted to do in the long run. So always, even as a pentester, I learned from a lot of Bug Bounty reports, from write-ups, from disclosure reports, and from basically anywhere I [could] because I knew I wanted to become a Bug Bounty hunter one day.

And eventually, I quit my job. And for about three years now, I’ve been doing Bug Bounty and YouTube full-time.

On what he enjoys most about Bug Bounty…

I think it’s the challenge. Every once in a while, you find a functionality where you feel the potential of how bad it will be if something that you are trying works. And it’s just so addictive: feeling so close to discovering a critical vulnerability is incredibly addictive and it just keeps me going, keeps me willing to explore new ideas to eventually exploit a bug.

On his favourite types of vulnerability…

I’m really paying a lot of attention to authentication – specifically if it’s single sign-on or SAML-based flaws. I do really know a lot about these flaws. There are a lot of things that can go wrong, especially with OAuth.

This is definitely something that I started to pay more attention to last year. And a big part of my findings this year are authentication-related bugs.

On his use of hacking tools…

I mostly just use proxy [tools]. I’m very much a manual hacker, so I do not rely a lot on tools.

I’ve been testing Caido and Burp this year, and I’ve been switching from one to another every single time. I even had a period when I used both of them: I just proxied the traffic through both Caido and Burp. And I’m still undecided on which one I want to use in the long run.

No matter which proxy I choose, I know that it’s good that they are now competing for the hackers’ market, because it just makes our proxy tools better and makes our hacking easier.

On an unexpected Bug Bounty trend…

I expected that [the] Bug Bounty [market] would maybe become smaller with time, because the natural process I expected was that apps become more and more secure. But it’s not actually what we see.

I think we as hackers evolve quicker, and we develop new hacking techniques quicker than developers are able to create new processes and new frameworks that are secure by default. And whereas there are some bug classes getting fixed by something like SameSite cookies that fix a big part of CSRFs – we just come up with so many different attacks that… it’s something I’m surprised about.

With more time, we just find more bugs, more critical bugs – and luckily for us, [it results in] more bounties being paid by the programs.

On his hobbies outside of hacking…

Outside of hacking, I spend a lot of time doing sports. Different kinds of sports: I do jujitsu, I do some climbing, some calisthenics. I also like to travel around the world, especially when it’s winter and it gets cold in my home, in Poland. I like to travel to some warmer countries, like Spain or Argentina. But most of my days I work, then I go do some sports. And also, a lot of sports are these days the way for me to connect with my friends.

On his top tip for new hackers…

I think the most important thing is to not procrastinate, to start too late. The truth is that while advanced techniques are important, some people treat it as a way to procrastinate, and they think they must reach extremely high levels of web hacking skills to start Bug Bounty – which is not necessarily true, because equally important is just learning to discover a lot of functionalities of the app.

So for beginners: they should learn some basics of web security, but then they should start actual hunting fairly quickly and learn along the way. Because learning can be a great thing – everyone must learn, but it can also be a way of procrastinating.

Interested in emulating Gregxsunday? Learn more about hunting through YesWeHack, sharpen your hacking skills on Dojo, or learn about the latest hacking tools and techniques on our blog.