Collaborating with ethical hackers whose skills complement his own has apparently been pivotal to the success of ‘Nagli’, one of the biggest earners in the world of Bug Bounty.
In just a few years of bug hunting, the 26-year-old hacker has achieved more than simply racking up points and bounties from a steady stream of impressive vulnerabilities.
Nagli – full name Gal Nagli – has also harnessed automation creatively to scale up vulnerability discovery, and leveraged his Bug Bounty experience in bootstrapping attack surface management brand Shockwave. The Israeli hunter, who has presented security research at DEFCON, currently also works at Wiz, the cloud security platform.
In the following interview, Nagli additionally recounts how he became a hacker, details his most memorable bug discovery, and offers several golden tips to peers with designs on emulating his success.
Nagli on becoming a hacker…
I was always into computers and video games – Counter-Strike, Combat Arms, MapleStory and so on… So I was always technical with computers and the field of hacking was always interesting when you play video games and see people gain advantage in an unwanted way, and do those kinds of other things.
So it was always an interesting world. When you’re a hacker you have some superpower… you can do stuff that other people can’t, and you can actually make an impact and conduct some amazing things. So that’s what I’m doing with hacking and that’s what got me to actually explore it a few years ago.
On the secrets of his bug-hunting success…
I think what helped me to become successful is a lot of collaboration, networking with other people. I got the insight that I can’t be the best hacker on every section – like hacking Salesforce products or hacking other components – so just find a lot of people who are experts in what they do and give a lot of dedication. Then, whenever you stumble on a lead, you can just pass it to them and you can explore it with them together.
But basically: just a lot of dedication, not giving up and just constantly looking, investing a lot of hours into finding bugs.
On his favourite bug discovery so far…
So I had a lot of interesting and pretty critical bugs. It can be code executions… but the one I most like was a few weeks ago, on my birthday actually: there was one portal that suddenly became alive and there was tons of production data of a company – like years of development, internal communications… it’s very hard to configure all your SaaS products to make sure they are always configured to have authentication, to have a login panel.
So, every time you have a bug, it allows you to see the PII of customers, of a lot of customers, so every customer of a company; or just to see a lot of internal discussions from the past. It’s a goldmine for attackers so it’s a good thing on your side to report it to the company.
On the importance of staying abreast of fast-evolving tech and techniques…
So we need to evolve and learn for every new technology, like GraphQL, which was introduced a few years ago, APIs, nowadays AI hacking as well. So if you don’t stay on top of the latest trends, latest methodologies, you won’t make it to the top and you won’t be able to do it successfully for a lot of time. So, every time there’s a new technique or new methodology in the manual hacking space or automation, I just like to adapt it as soon as I can into my systems.
On the most productive scopes right now…
A lot of the automation bugs I saw that were very active like one year or two years ago are getting fixed. Like a lot of subdomain takeovers, like on Heroku or Route 53.
Eventually the vendors rolled them out, so you can’t only rely on vendors that have a misconfiguration and use it to your favour so… I think hacking is very valuable if you have credentials, so inside to an inner system, because then it’s constantly evolving, it’s different developers from different companies who don’t know all the security nuances, and then you can find goldmines there.
So definitely focus on manual sides, on companies, getting credentials, getting access, and then, yeah, going deep into the targets.
On founding and running his own SaaS company…
So one year and a half ago, I took my hacking side of automation, which is what I do mostly – automation and participating in live hacking events – into an actual business, a SaaS product. I saw my own vision into a product to help companies as well. It’s called Shockwave, my company.
There’s a lot of other stuff you need to learn, from being a technical hacker to being a businessman. You need to do a lot of sales calls, legal, contracts… it’s pretty challenging but it’s also fun to do and explore.
On his hobbies outside of hacking…
I’m very much a soccer/football fan. Arsenal is the team I’ve liked for many years. So this season we have a very good season. Watching Netflix shows, playing FIFA [football video game] with friends… so basically around soccer/football/friends is a lot of stuff that I like to do outside of hacking. Also hitting the gym and just maintaining a healthy lifestyle.
His advice for inexperienced Bug Bounty hunters…
My top tip will definitely be: follow everyone on Twitter, ask them questions – like if someone is making a Twitter thread and you don’t understand something, ask him a question.
It’s good to be curious for insights and look for products that you have extra authentication or extra privileges for – like if your bank has a Bug Bounty Program, so you have a privileged account that is not that easy to create, you have an advantage over the other hackers and you could use it to your favour.
Interested in emulating Nagli? Learn more about hunting through YesWeHack, sharpen your hacking skills on Dojo, or learn about the latest hacking tools and techniques on our blog.