Recently we had a chance to sit down with zseano, a long-time hacker and the creator of BugBountyNotes (BBN), to ask him a few questions about his hacking experience, thoughts on bug bounty programs and the idea behind BBN.
Hi there! I’m Sean, 26 and currently living in the United Kingdom. I do bug bounties full time and I like to think I’m helping a little bit in making the internet safer from vulnerabilities. I’ve reported 528 bugs on the bug bounty platform Bugcrowd, whilst managing to keep a 100% accuracy. I think my proudest achievement is the fact that 300+ of those are just to one company.
When I was young I used to play a game called StarCraft. People were creating WinBots to cheat and I wanted to learn how they were doing it. From there I was introduced to programming (Visual Basic 6 :D) and that led on to me learning to build websites, modding my Xbox (Halo 2, the good days) and I have just kept going & kept learning. I have mostly taught myself everything I know. The very first vulnerability is actually one I have never told anyone about, but I was quite young and I found a source code disclosure on a huge site. It was as simple as visiting http://www.theirsite.com//endpoint – yup, appending another / caused the server to disclose everything on the server along with a ton of chmod errors. I was young and very inexperienced at the time and honestly didn’t mean to type that, but looking back I realize that they really f**ked up! To this day using ‘//’ is useful for bypassing filters, causing weird behavior etc. Some things never change.
I like the euphoric feeling you get when you get a bug to work. Especially those bugs that you have spent hours on, chaining various things and the impact is big. Because then you get that added feeling of “Wow! Yes! Look at this!”, and you want to impress the company. It’s hard to explain.
Anything with impact. I don’t just hunt for certain types really and try to always think out the box and try new interesting things. I really like to get a “feel” for how the site works, what they have running on the internet, what they’re coded in, features available on the site. From there I can create a sort of “mindmap” as to what vulnerabilities may exist in this web app and begin testing.
The most creative in my opinion was chaining 3 accounts to achieve XSS. The website I was testing wouldn’t allow for HTML characters in your first name, however setting it via the mobile app WOULD. Commenting on public posts would reflect our HTML, but I was limited to just 12 characters. The end payload was to create 2 accounts with the names, <script>/* and */</script>. The third account could be anything and was used as the payload ‘carrier’ as the comment contained the code we wanted to execute, with no character limits. This is how it looked in the end:
<script>/* commented: hello there Account3: commented: */ alert(0); /* */</script> commented: hello
Can you spot it? The /* acts as a multi-line comment which comments out “commented”, uncomments at our comment: alert(0) – and then executes. It then proceeds to comment out the rest until it reaches our last account. (There was various HTML I had to comment out, hence the need for the multi-line comment.)
The key takeaway is to always test mobile version/apps of the sites you are testing, and get creative!
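The chain above, modelled as an added example (not code from the interview or from the site that was tested): the web form filtered HTML characters in names while the mobile API (an assumption here) did not, so three accounts’ fragments reassembled into one script block in the comment feed. The constructed renderer below shows the vulnerable behaviour beside the fix, encoding every untrusted field at the HTML output boundary regardless of which channel supplied it.

```javascript
// Added example, not from the original page: constructed account names and
// comments reproduce the three-account chain so the defensive point is visible.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);

// Web form filter: rejects HTML metacharacters in display names. The mobile
// API (assumed here) skipped this check, so names arrived unfiltered.
function webNameFilter(name) {
  if (/[<>]/.test(name)) throw new Error('HTML characters not allowed');
  return name;
}

// Constructed comment events, in the order they appear on the public post.
const events = [
  { name: '<script>/*', comment: 'hello there' },    // account 1, set via mobile
  { name: 'Account3', comment: '*/ alert(0); /*' },  // account 3, the carrier
  { name: '*/</script>', comment: 'hello' },         // account 2, set via mobile
];

// Vulnerable renderer: trusts that names were filtered upstream and inserts
// both fields raw, so the fragments assemble into a live <script> block.
function renderNaive(list) {
  return list.map((e) => `${e.name} commented: ${e.comment}`).join(' ');
}

// Hardened renderer: contextual output encoding at the point of HTML
// insertion, independent of the channel that stored the value.
function renderEscaped(list) {
  return list
    .map((e) => `${escapeHtml(e.name)} commented: ${escapeHtml(e.comment)}`)
    .join(' ');
}

// Check a test suite can run over rendered output: user-controlled fields
// must never assemble a raw script tag.
const containsScriptTag = (html) => /<script\b/i.test(html);
```

Filtering on one input channel leaves every other channel unprotected; encoding at output covers all of them at once.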
I really enjoy playing Overwatch on the Xbox. Apart from that, relax with friends/family, or sleep?
I like the idea behind bug bounties in the sense that a researcher can work with a company to discover bugs, report them safely, and work together to get them fixed. The company gets multiple eyes with a wide variety of talent testing for bugs and in turn learns new attack techniques, vulnerability types, etc. This helps developers create safer and more secure code. The problem, in my opinion, arises when companies want platforms to manage the program for them. Analysts don’t understand the bug they’re triaging, don’t understand the target as well as the hacker, etc. I feel like companies are giving the “dirty work” to the platforms and in my opinion, if you need to do this, you are not ready for a bug bounty program. Bug bounties are a GREAT way for you to work with very talented researchers from various parts of the world, don’t waste it. I know a lot of people will say “but it’s to eliminate noise”, but then you have to ask yourself: why is there so much noise? Who exactly are they trying to stop the noise from? The idea behind bug bounties is to report a bug > validate > fix/pay/etc. Where has this noise come from?
I like to hack on wide scopes honestly with lots to play with and chain things with. I am the type of hacker who likes to focus purely on one target for months on end and get a really good feel for how it works.
Ask yourself, why do you want to start one? Do you need one? What do you actually hope to achieve from one? Coming from a researcher’s perspective if I’ve just finished writing a report of the 200th XSS found on your site, you should probably look at how much money you’re chucking away and not ACTUALLY fixing the problem. As mentioned above, bug bounties are a really great way to “tap” into the mind of a hacker and learn some really cool stuff, they just need to be executed correctly. XSS over and over is boring, but they’ve gotta be reported.
To teach researchers about hacking and to introduce them to bug bounties, whilst hoping long term to help companies be introduced to the researchers of the world. As a researcher, I have created multiple tutorials and written many write-ups but I am still faced with the same questions daily in my DMs. “How to get started?”, “Can you help me with XYZ?”. I would link them to my write-ups but they’d say, “I’ve seen it but I just don’t get it... and I can’t find anything to test it on”. I want to be able to help researchers read write-ups/tutorials and then try them in a safe environment on user-created challenges. They know the bug is there, they’ve just got to try to find it. This creates that “euphoric” feeling when you get a bug to work, which I feel creates a bigger “imprint” in your memory/brain when it comes to learning to hack. You chase that feeling again and it becomes sorta addictive. You’re creating your own path and if they’re getting stuck there are hints and a forum.
From lots of deep thinking. I like to try to think outside the box with everything I do and put the “zseano” twist on things. I wanted researchers to actually try to find the bug they’ve just read about. A hacker writes their own story when it comes to hacking. Everyone has their own thought path, and it’s about finding what works for YOU. This is one KEY idea behind BugBountyNotes challenges, to give you the opportunity to write your own story as a hacker. Find what works for you. Read, learn, practice, and then share. BugBountyNotes gives a voice to everyone, experienced or new.
When I first released BugBountyNotes it was under DDoS attack a few times. Strangely the attacker actually reached out to me and pointed out a cool method for revealing the IP to sites behind Cloudflare. A very weird experience, but a very nice person in the end. Hackers like to show off, right?
I just recently finished releasing the latest re-design and update and I still have lots of features in the pipeline for BugBountyNotes. I’ve personally created new challenges and content which will be coming soon, and I am also hoping to host a live hacking event to help people learn, rather than just earn. Nothing more to share just yet on that. The community have already been amazing at contributing, so keep being amazing! Try the challenges, create your own or request that one is made, or why not try writing up your next issue on our site. Become part of the community. Anyone is welcome!
No mentors but I really admire filedescriptor. Such a calm, collected and very respectful guy. Extremely talented at what he does.
I have been asked this many many times, so can you guess what is coming? The BugBountyNotes Getting Started in Bug Bounty guide! There is honestly too much information to write here.