YESWEHACK PROPHILE ON HISXO
April 30, 2020
┌▄──────────────────────────────────────────────────────────────────────▄┐
├■▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀■[ YESWEHACK PROPHILE ON HISXO ]■▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄■┤
├■──────────────────────────────────────────────────────────────────────■┤
├■▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀■┤
└▀──────────────────────────────────────────────────────────────────────▀┘
30 April 2020.
╔══════════════════════════════════ WHOIS ═══════════════════════════════╗
║ Handle: HISXO ║
║ AKA: Adrien ║
║ Age of your body: 27 ║
║ Produced in: France ║
║ Urlz: https://medium.com/@adrien_jeanneau ║
║ Creator of: GitGraber ║
║ Superpowers: I use python2 ║
║ Life in a sentence: The less you sleep, the more you pwn ║
╚════════════════════════════════════════════════════════════════════════╝
QUOTES
╔════════════════════════════════════════════════════════════════════════╗
║ There's always a vuln! ${{7*7}} ║
╚════════════════════════════════════════════════════════════════════════╝
ARMORY
╔════════════════════════════════════════════════════════════════════════╗
║ The perfect combo: Burp Suite, FFUF and a good wordlist of course! ║
║ Good creativity is also important, to make sure you don't do the same ║
║ thing as the other Hunters. ║
╚════════════════════════════════════════════════════════════════════════╝
▀▄█▓▒░ Hello, what background can you safely disclose?
│ ─────────────────────────────────────────────────────────────────────────
└─ After my engineering studies, I started working at a French company,
and now I'm a pentester & security auditor.
▀▄█▓▒░ How did you come to Bug Bounty?
│ ─────────────────────────────────────────────────────────────────────────
└─ I started learning hacking on CTF platforms & at CTF events. It's fun,
but the fact that it is not "real" makes things less exciting,
in my opinion.
The concept of Bug Bounty is nice: you pwn for real, it's legal, and
you can be rewarded for your work (if it's not a dup lol).
▀▄█▓▒░ What is your feeling on how the Hacker Community is evolving?
│ ─────────────────────────────────────────────────────────────────────────
└─ Overall I would say that things are evolving positively: more and
more people agree to share their knowledge, and I thank them.
When I started Bug Bounty, I wished there were more writeups,
discussion spaces (like Slack) and more Hunters willing to help me.
Now that I have a little more experience, I try to help new Hunters
progress and evolve as far as possible!
▀▄█▓▒░ Did you develop a love/hate relationship with code?
│ ─────────────────────────────────────────────────────────────────────────
└─ Sometimes I code because I have no choice: I know that to exploit
a specific vulnerability I have to do it, but this is not
a priority for me.
I like to code, but if a tool or script already exists for what I want
to do, I don't want to spend time coding my own tool (I mean this for
simple features).
▀▄█▓▒░ You are active on YesWeHack and have practiced on other BB platforms.
│ What are the pros & cons of those platforms? / What are your
│ expectations?
│ ─────────────────────────────────────────────────────────────────────────
└─ Like other Hunters, I think we all check this information before
we hunt on a program:
- Reward grids (who doesn't check?)
- Scope
- Response time, triaging and patching reactivity (really important
to avoid frustration for all Hunters)
- The company (it's more "fun" and motivating when you know the company)
Regardless of the BB platform, respect in interactions must always be
present, both from Companies and Hunters.
I love to collaborate when it's possible, because it's more motivating
than hunting alone (in the dark, with a hoodie and green lines on
the screen).
A "good platform" (in my opinion) needs to have clear rules, be
equitable with Hunters and offer a clear interface to write reports
nicely and easily.
If a company wants to run a successful Bug Bounty program, they need
to understand that it's important to respect the Hunters' work, not
to run a program just to be able to brag:
"we have a bug bounty program, we are secure".
If you run a program but don't actively patch, that doesn't make sense:
Hunters will waste their time on duplicates.
▀▄█▓▒░ What advice can you give to someone who wants to start in
│ bug bounty?
│ ─────────────────────────────────────────────────────────────────────────
└─ If I have learned something in recent years and observed well,
I can give this advice:
- Focus on a scope; don't go from one program to another every week.
It is important to have a "background" program that you come back to
regularly and have spent so many hours on that you know every
subdomain, every page, every form & param.
- Keep going! The main quality of a hunter isn't having 1000 tools
& scripts, it's actually having persistence and not giving up.
"There is always a vuln!"
- Don't be arrogant, and respect the product teams. The developers are
like you, like me: they make mistakes. Stay humble.
- "Sharing is caring": don't be the guy who's never willing to share
anything because he has "a secret method to find vulnerabilities".
▀▄█▓▒░ Is there a life AFK?
│ ─────────────────────────────────────────────────────────────────────────
└─ What? You mean real life? Yeah, luckily! It is important to disconnect
and take the time to enjoy your family and your friends, and drink a beer
(in moderation).
Motorcycle riding (only when the weather is fine) and traveling when
possible.
If you don't want to burn out (this is a very serious subject,
especially in the BB community), it's important to take breaks and do
something else to clear your mind a bit.
Duplicates, lower rewards than expected, new invitations, new scopes,
new Hunters... all of this puts additional "pressure" on you that you
have to manage; take a step back before the burnout.
▀▄█▓▒░ What is the future?
│ ─────────────────────────────────────────────────────────────────────────
└─ More and more Bug Bounty programs with new vulnerabilities.
In 5 years, vulnerabilities like XSS will be less present, but
occurrences of Business Logic Error vulnerabilities will increase, because
they can't be found with a tool!
I also think (and this may have a negative impact) that Hunters
will increasingly automate hunting; we are at risk of losing the unique
human instinct that programs need when they launch.
--------[ EOF