YESWEHACK PROPHILE ON SONNY

July 2, 2020

┌▄──────────────────────────────────────────────────────────────────────▄┐
├■▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀■[ YESWEHACK PROPHILE ON SONNY ]■▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄■┤
├■──────────────────────────────────────────────────────────────────────■┤
├■▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀▄▀■┤
└▀──────────────────────────────────────────────────────────────────────▀┘
July 02, 2020.
╔══════════════════════════════════ WHOIS ═══════════════════════════════╗
Handle: SONNY
AKA: delta0ne
Age of your body: 30+
Produced in: UK
Active In: Proxying the world
Superpowers: Jedi Mind Tricks
Life in a sentence: I don't even see the code anymore
╚════════════════════════════════════════════════════════════════════════╝

 QUOTES
╔════════════════════════════════════════════════════════════════════════╗
Try ' then '' then ''' then '''' ... and to be sure ''''''
╚════════════════════════════════════════════════════════════════════════╝

 ARMORY
╔════════════════════════════════════════════════════════════════════════╗
Burp Suite, Param Miner and Turbo Intruder (James Kettle is a legend!)
Decent playlist
Right Click + Scan
╚════════════════════════════════════════════════════════════════════════╝


▀▄█▓▒░ Hello, who are you?
 │ ──────────────────────────────────────────────────────────────────
 └─ Hi, I'm a Security Researcher in Singapore looking to find tropical
 bugs!


▀▄█▓▒░ Do you remember your first contact with a computer?
 │ ──────────────────────────────────────────────────────────────────
 └─ Yeah, we're talking a while ago, the only thing I could do with it
 was play solitaire from a keyboard but damn... when you get all those
 cards jumping out at the end, no greater feeling.


▀▄█▓▒░ What will you learn next?
 │ ──────────────────────────────────────────────────────────────────
 └─ I'd like to try a proper deep dive on a project which can be done with
 a local install. I'm reading interesting writeups on Whitebox testing
 where they do some cool .tar uploads and exploit symlinks in a strange
 path, I want to be that guy.


▀▄█▓▒░ How did you come to Bug Bounty?
 │ ──────────────────────────────────────────────────────────────────
 └─ I have this bucket list of vulnerabilities that I wanted to find as
 I learned more about security, and Bug Bounty provided a wider range of
 applications to find them.

 I'm ticking them off one by one but seriously, why can't I find Template
 Injection... I think it would bring me more joy than a direct RCE.

 A close friend of mine told me it's the ultimate personal reward in
 White hat Security, finding a bug which makes a company stop, listen
 and allocate resources to an issue you've found... a team of people
 likely on the other side of the world has to devote their time to read
 your report and fix it ASAP... I thought it was cool.


▀▄█▓▒░ You are active on YesWeHack and have practiced on other BB platforms.
 │ What are your Do/Don't?
 │ What are your expectations?
 │ ──────────────────────────────────────────────────────────────────
 └─ == Do: ==
 - Always provide a well-structured report, this will likely be viewed
 by multiple people of different technical levels who ultimately decide
 if it's accepted or not.
 "ALERT(1) PLZ GIVE $" probably doesn't help... this is me a year ago.

 == Don't: ==
 - When a decision doesn't go your way, don't immediately respond with
 your complaint, take time to think about it from the program owners'
 perspective and reply with a detailed response/evidence to support
 your view. (If still no joy, focus on and get the next bug).

 == Expectations: ==
 - Communication from program teams goes a long way to entice me to
 look further, in terms of responding with detailed comments as to why
 something may not be accepted or an openness to discussion on
 impact/severity. (You give me time, I give you time)

 - What happened to all the Swag?

▀▄█▓▒░ What advice can you give to someone who wants to start in
 │ bug bounty?
 │ ──────────────────────────────────────────────────────────────────
 └─ Burnout and being deterred from a hardened target is a factor
 everyone faces, even more so when you're first starting out.

 Going in with an alternative motivation that's not based on making $
 for yourself is important to keep spirits high. Whether it be learning
 more, competing with others (Bug Hunters/Devs) or that desire to find
 something so broken you can repurpose it into a beautiful exploit...
 that's art.

 There is a huge surge in the community of people publishing regular
 blogs/techniques/live streams and tweets on everything around the
 security industry, diversify your news stream and particularly those
 outside of your spoken language too. You reading Vietnamese/Korean
 writeups? You should be!


▀▄█▓▒░ You have displayed an impressive skillset on YesWeHack public
 │ programs, can you give away hints on your hunting methodology?
 │ ──────────────────────────────────────────────────────────────────
 └─ It's interesting how my methodology has developed, initially I was
 a messy hunter hitting wildcard domains and relying on tools to reveal
 vulns only on the surface level, which was yielding results but it
 became a bit boring for me and I lost interest as I wasn't expressing
 any creativity.

 Right now I'm focussing on small to medium sized projects with the goal
 of understanding the functions/flows to a really fine detail, this is
 where the high-critical vulnerabilities are, they're more than likely
 missed by Scanners, Developers and Internal Auditors... it might take
 me a couple of weeks to find it but it's worth it.

 Protip: If you're not hunting for hidden parameters
 ...you should be...



▀▄█▓▒░ Is there a life AFK?
 │ ──────────────────────────────────────────────────────────────────
 └─ Right in the feels... Ask me next year



▀▄█▓▒░ What is the future?
 │ ──────────────────────────────────────────────────────────────────
 └─ I think the last few months have been pretty interesting in how the
 landscape of tech is changing, from an increase in telecommuting,
 development of apps built around supporting companies/people during a
 pandemic and overall digitalisation of industries which were slower
 to adapt.

 This feels like 10+ years of progress rushed in a few months to make
 it work, even well planned/tested applications have issues, so I have
 concerns but I hope that Bounty Hunting will play a role in securing
 these new avenues of tech and I'd like to help :)


--------[ EOF