YESWEHACK PROPHILE ON S5S

1
2
3┌▄──────────────────────────────────────────────────────────────────────▄┐ 
4├■▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀■[ YESWEHACK PROPHILE ON S5S ]■▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄   ┤ 
5├■──────────────────────────────────────────────────────────────────────■┤ 
6├■▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀■┤
7└▀──────────────────────────────────────────────────────────────────────▀┘ 
823th of April, 2021.
9╔══════════════════════════════════ WHOIS ═══════════════════════════════╗
10║ Handle: saber                                                          ║
11║ AKA: s5s                                                               ║
12║ Age of your body: 28                                                   ║
13║ Produced in: China                                                     ║
14║ Urlz: http://sbim.github.io/                                           ║
15║ Computers: MacBook Pro (16-inch, 2019)                                 ║
16║ Active Since: 2020                                                     ║
17║ Superpowers: sleep                                                     ║
18║ Life in a sentence: Good good study, day day up                        ║
19╚════════════════════════════════════════════════════════════════════════╝ 
20
21                                  QUOTES 
22╔════════════════════════════════════════════════════════════════════════╗
23║ One of the worst traps to fall into is dooming a great idea            ║
24║ by assuming it won't works and not trying it                           ║
25╚════════════════════════════════════════════════════════════════════════╝
26
27                                  ARMORY 
28╔════════════════════════════════════════════════════════════════════════╗
29║ Burp Suite and BApps                                                   ║
30╚════════════════════════════════════════════════════════════════════════╝
31
32
33▀▄█▓▒░ Hello, how are you ?
34│ ─────────────────────────────────────────────────────────────────────────
35└─ I'm fine. Thank you, and you?
36
37
38▀▄█▓▒░ Do you remember your first contact with a computer ?
39│ ─────────────────────────────────────────────────────────────────────────
40└─ When I was 8 years old, I started to contact with a computer. During
41the next years, I become a computer lover because of some interesting
42computer games:)
43
44
45▀▄█▓▒░ Can you relate your first successful exploitation/abuse of a system ?
46│ ─────────────────────────────────────────────────────────────────────────
47└─ At college I found a hidden endpoints and an idor issue that would leak
48all students private information. At the time I din't know anything about
49hacking but it was a wonderful experience
50
51
52▀▄█▓▒░ What moment pushed you in the pro computer security whirlpool ?
53│ ─────────────────────────────────────────────────────────────────────────
54└─ Every time a bug was triaged or accepted.
55
56
57▀▄█▓▒░ Memorable people or readings you care to share about ?
58│ ─────────────────────────────────────────────────────────────────────────
59└─ The most memorable people is @albinowax, his writeups are really helpful.
60Also @PentesterLand who collect many bug bounty information.
61
62
63▀▄█▓▒░ What will you learn next ?
64│ ─────────────────────────────────────────────────────────────────────────
65└─ Improve my recon strategy and code review skill.
66
67For recognition, I don't have a precise plan, I could only do things that
68I didn't do or lazy to do before. Maybe I'll try more recon steps like vhost
69scan, wayback machine data gathering, shodan dork...etc.
70
71For code review, I have a plan that reads some of the high/critical reports
72at https://gitlab.com/groups/gitlab-org/-/issues?scope=all&utf8=%E2%9C%93
73&state=closed&label_name[]=HackerOne,
74since Gitlab is open-source I can check the code to know where the
75vulnerability happens. I believe such a process will improve my code review
76skill.
77
78
79▀▄█▓▒░ Three most important rules you would write in a Bug Hunter Manifesto?
80│ ─────────────────────────────────────────────────────────────────────────
81└─ 1. Learn 2. Practice 3. Persistent
82
83Learn and Practice. Continuous learning is very important. 2 years ago when
84I first start to learn about web hacking, I found Jams Kettle's wonderful
85writeup about Desync attacks by coincidence. I spend some time understanding
86the writeup and the tool. Then I try this exploit on bug bounty programs and
87result in many valid reports. That was also my first critical findings. It's
88a very amazing experience, a new attack surface appeared, As a starter I
89learned it and practiced it, then result in some valid findings
90
91Persistent. To be honest, I'm not a persistent-pro, but doing bug hunting
92is just a process that you failed 99 times and then succeed in the next 1.
93You won't know which try will give you a successful exploit. Also persistence
94will lead you to go deeper and deeper to a program. That's why it's very
95important. Also you will know why many great hunters will talk about
96**mental-health**, keep good and positive mental health will ensure
97your persistence.
98
99
100▀▄█▓▒░ You are active on YesWeHack and have practiced others BB platforms, 
101| What are your Do/Don't? 
102| What are your expectations ? 
103│ ─────────────────────────────────────────────────────────────────────────
104└─ == Do/Don't: ==
105- Read the program's policy carefully before start the hunt. Don't submit
106bugs that are out of scope. If a bug's final decision is not go your way,
107Just hunt your next one.
108
109== Expectations: ==
110- I hope the platforms will allow hackers to rate and leave comments on
111certain programs, build a point/reputation system on the program side.
112
113
114
115▀▄█▓▒░ What advice can you give to someone who wants to start in 
116│ bug bounty?
117│ ─────────────────────────────────────────────────────────────────────────
118└─ Read as much as possbile. Start with a program you use a lot or you are
119familiar with, this may make your first bug easier.
120
121Everything is hard in the beginning. My personal experience is that hunt on
122a program you use a lot will make it easier because you will notice the point
123that others won't. Another piece of advice is that you should focus on one
124program instead of going through different programs randomly. It could be
125hard to find the first valid bug, lots of hunters will experience a few
126duplicates/NAs when they join the bug hunting community. But remember it's
127also a process of learning. Read as much stuff as you can, think about how
128others hunt and how they write reports. 
129
130
131▀▄█▓▒░ Is there a life AFK ?
132│ ─────────────────────────────────────────────────────────────────────────
133└─ Yes of course. Sometimes duplicates or long time no response will make
134people feel upset. I'll have a short AFK time.
135
136
137▀▄█▓▒░ How do you see the future ?
138│ ─────────────────────────────────────────────────────────────────────────
139└─ More programs will appear and more hunters will join. Also more attack
140surface will be discovered by these talents.
141
142--------[ EOF 
143
144