YESWEHACK PROPHILE ON S5S

May 4, 2021



┌▄──────────────────────────────────────────────────────────────────────▄┐ 
├■▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀■[ YESWEHACK PROPHILE ON S5S ]■▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄   ┤ 
├■──────────────────────────────────────────────────────────────────────■┤ 
├■▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀■┤
└▀──────────────────────────────────────────────────────────────────────▀┘ 
23rd of April, 2021.
╔══════════════════════════════════ WHOIS ═══════════════════════════════╗
║ Handle: saber                                                          ║
║ AKA: s5s                                                               ║
║ Age of your body: 28                                                   ║
║ Produced in: China                                                     ║
║ Urlz: http://sbim.github.io/                                           ║
║ Computers: MacBook Pro (16-inch, 2019)                                 ║
║ Active Since: 2020                                                     ║
║ Superpowers: sleep                                                     ║
║ Life in a sentence: Good good study, day day up                        ║
╚════════════════════════════════════════════════════════════════════════╝ 

                                  QUOTES 
╔════════════════════════════════════════════════════════════════════════╗
║ One of the worst traps to fall into is dooming a great idea            ║
║ by assuming it won't work and not trying it                            ║
╚════════════════════════════════════════════════════════════════════════╝

                                  ARMORY 
╔════════════════════════════════════════════════════════════════════════╗
║ Burp Suite and BApps                                                   ║
╚════════════════════════════════════════════════════════════════════════╝


▀▄█▓▒░ Hello, how are you ?
│ ─────────────────────────────────────────────────────────────────────────
└─ I'm fine. Thank you, and you?


▀▄█▓▒░ Do you remember your first contact with a computer ?
│ ─────────────────────────────────────────────────────────────────────────
└─ When I was 8 years old, I first came into contact with a computer.
Over the next years, I became a computer lover because of some interesting
computer games :)


▀▄█▓▒░ Can you relate your first successful exploitation/abuse of a system ?
│ ─────────────────────────────────────────────────────────────────────────
└─ At college I found a hidden endpoint and an IDOR issue that would leak
all students' private information. At the time I didn't know anything about
hacking, but it was a wonderful experience.


▀▄█▓▒░ What moment pushed you in the pro computer security whirlpool ?
│ ─────────────────────────────────────────────────────────────────────────
└─ Every time a bug was triaged or accepted.


▀▄█▓▒░ Memorable people or readings you care to share about ?
│ ─────────────────────────────────────────────────────────────────────────
└─ The most memorable person is @albinowax; his writeups are really helpful.
Also @PentesterLand, who collects a lot of bug bounty information.


▀▄█▓▒░ What will you learn next ?
│ ─────────────────────────────────────────────────────────────────────────
└─ Improve my recon strategy and code review skill.

For recon, I don't have a precise plan; I can only do things that I didn't
do or was too lazy to do before. Maybe I'll try more recon steps like vhost
scans, Wayback Machine data gathering, Shodan dorks, etc.

For code review, my plan is to read some of the high/critical reports at
https://gitlab.com/groups/gitlab-org/-/issues?scope=all&utf8=%E2%9C%93&state=closed&label_name[]=HackerOne
Since GitLab is open-source, I can check the code to know where the
vulnerability happens. I believe such a process will improve my code review
skill.


▀▄█▓▒░ Three most important rules you would write in a Bug Hunter Manifesto?
│ ─────────────────────────────────────────────────────────────────────────
└─ 1. Learn 2. Practice 3. Persistent

Learn and Practice. Continuous learning is very important. 2 years ago, when
I first started to learn about web hacking, I found James Kettle's wonderful
writeup about Desync attacks by coincidence. I spent some time understanding
the writeup and the tool. Then I tried this exploit on bug bounty programs,
which resulted in many valid reports. Those were also my first critical
findings. It was a very amazing experience: a new attack surface appeared,
and as a starter I learned it and practiced it, which then resulted in some
valid findings.

Persistent. To be honest, I'm not a persistent-pro, but bug hunting is just
a process in which you fail 99 times and then succeed on the next one.
You won't know which try will give you a successful exploit. Also,
persistence will lead you to go deeper and deeper into a program. That's why
it's very important. Also, you will know why many great hunters talk about
**mental health**: keeping good and positive mental health will ensure
your persistence.


▀▄█▓▒░ You are active on YesWeHack and have practiced other BB platforms,
│ What are your Do/Don't?
│ What are your expectations ?
│ ─────────────────────────────────────────────────────────────────────────
└─ == Do/Don't: ==
- Read the program's policy carefully before starting the hunt. Don't submit
bugs that are out of scope. If a bug's final decision does not go your way,
just hunt your next one.

== Expectations: ==
- I hope the platforms will allow hackers to rate and leave comments on
certain programs, and build a point/reputation system on the program side.



▀▄█▓▒░ What advice can you give to someone who wants to start in 
│ bug bounty?
│ ─────────────────────────────────────────────────────────────────────────
└─ Read as much as possible. Start with a program you use a lot or are
familiar with; this may make your first bug easier.

Everything is hard in the beginning. My personal experience is that hunting
on a program you use a lot will make it easier because you will notice the
points that others won't. Another piece of advice is that you should focus
on one program instead of going through different programs randomly. It
could be hard to find the first valid bug; lots of hunters will experience a
few duplicates/NAs when they join the bug hunting community. But remember
it's also a process of learning. Read as much stuff as you can, think about
how others hunt and how they write reports.


▀▄█▓▒░ Is there a life AFK ?
│ ─────────────────────────────────────────────────────────────────────────
└─ Yes, of course. Sometimes duplicates or a long time with no response will
make people feel upset. I'll have a short AFK time.


▀▄█▓▒░ How do you see the future ?
│ ─────────────────────────────────────────────────────────────────────────
└─ More programs will appear and more hunters will join. Also more attack
surface will be discovered by these talents.

--------[ EOF