1
00:00:00,541 --> 00:00:04,499
Getting to Facebook bug bounty
leaderboard is a great achievement.

2
00:00:05,083 --> 00:00:07,874
Being the top one is insane.

3
00:00:08,457 --> 00:00:13,374
But today, I'm interviewing the hunter,
who has been top one for three

4
00:00:13,374 --> 00:00:17,998
consecutive years there and has found
multiple account takeovers on Facebook.

5
00:00:18,623 --> 00:00:22,956
He's one of the million dollar hackers
and his name is Youssef Sammouda.

6
00:00:23,206 --> 00:00:24,456
Enjoy the interview!

7
00:00:25,123 --> 00:00:28,123
Hello Youssef, thank you so much for joining me today.

8
00:00:28,123 --> 00:00:34,122
First, for those of you who somehow don't know you, could you tell us a few words about yourself?

9
00:00:35,122 --> 00:00:38,122
Hello Greg, thanks for the invitation.

10
00:00:39,122 --> 00:00:46,122
So my name is Youssef Sammouda, I'm 24 years old and I'm from Tunisia.

11
00:00:46,122 --> 00:00:56,121
I started hacking when I was 13 or 14 years old and it's been a long journey.

12
00:00:57,121 --> 00:01:09,120
So now I do mainly bug bounty hunting and penetration testing for some firms and that's it.

13
00:01:09,120 --> 00:01:15,120
How did it start? What did you hack when you were 14 years old?

14
00:01:16,120 --> 00:01:33,119
So when I was 14 years old, it was like, I'm not sure, I started learning first, like a bunch of vulnerabilities, web vulnerabilities.

15
00:01:33,119 --> 00:01:46,118
At that time, PHP was the main programming language used for web development and I started to learn PHP.

16
00:01:47,118 --> 00:01:59,117
After that, I kind of teach myself a few things, like I noticed when I was developing web applications.

17
00:01:59,117 --> 00:02:14,117
For example, sometimes I noticed that I can bypass or gain permissions to a few things that I shouldn't have permission to access.

18
00:02:14,117 --> 00:02:29,116
And from that point on, I started to access forums, like it was RTC forums, I guess, RTC or something like that.

19
00:02:29,116 --> 00:02:43,115
After that, when I was 16 or 17, I started doing bug bounty, 3 or 4 years after learning about web vulnerabilities and web development.

20
00:02:44,115 --> 00:02:48,115
What bug bounty programs did you start with?

21
00:02:49,114 --> 00:02:53,114
I started with the Facebook bug bounty program.

22
00:02:53,114 --> 00:03:05,114
We'll skip to Facebook in a second, because there's a lot we can talk about Facebook.

23
00:03:06,113 --> 00:03:17,113
But before we go there, so I believe you have to call yourself self-taught, but as from what I know, you did go to university.

24
00:03:17,113 --> 00:03:28,112
Yes, so when I went to university, I went to Canada, studying in Canada to have a computer science degree.

25
00:03:29,112 --> 00:03:41,111
I studied for 3 months or 4 months and I stopped. I found out that I knew everything I was learning in the university.

26
00:03:41,111 --> 00:03:57,110
So I stopped. At that time, it happened that HackerOne had a live hunting event and I made there like $100,000 in one day.

27
00:03:58,110 --> 00:04:04,110
So that changed my mind to go to a lot of universities.

28
00:04:04,110 --> 00:04:10,110
So I started and focused mainly on bug bounty hunting.

29
00:04:11,110 --> 00:04:23,109
So you made $100,000 of bounties in one day. Before this day, approximately, more or less, how much did you make in all the previous years?

30
00:04:23,109 --> 00:04:33,108
At that point, I was doing very well with Facebook, so that's why I got invited to this HackerOne event.

31
00:04:34,108 --> 00:04:42,108
So I guess I made before that, higher than $50,000 or $200,000 for a period of like 2 years.

32
00:04:42,108 --> 00:04:57,107
Okay, so it was really, let's say, maybe not life-changing, but a lot of money compared to in 2 years you made $150,000 or $200,000.

33
00:04:58,107 --> 00:05:05,106
And then all of a sudden you get $100,000 in one day. I'm not at all surprised you decided to drop out of university.

34
00:05:05,106 --> 00:05:14,106
Did you then start hacking full-time or did you still have another job?

35
00:05:15,106 --> 00:05:22,105
Yeah, so after that event, I'm not feeling ashamed of the university, I started mainly doing bug bounty hunting.

36
00:05:23,105 --> 00:05:31,105
I did some penetration testing jobs. It was for like 1 month or 2 months, but mainly it was bug bounty hunting.

37
00:05:31,105 --> 00:05:35,105
And mainly with Facebook program.

38
00:05:36,105 --> 00:05:41,104
Okay, so why did you choose Facebook?

39
00:05:42,104 --> 00:05:56,103
So at that time, starting from 2017 up to I guess last year, it was, to my point of view, from my point of view, it was the best program.

40
00:05:56,103 --> 00:06:02,103
Because I was getting paid more than the other programs.

41
00:06:03,103 --> 00:06:11,103
It made, for example, an average of $40,000 per month.

42
00:06:12,102 --> 00:06:17,144
And I was getting paid like in 3 weeks from reporting the bug.

43
00:06:18,144 --> 00:06:24,143
So that was the best, like the ideal environment for me.

44
00:06:24,143 --> 00:06:31,143
I tried other programs, sometimes I'll get paid well, but after 3 or 4 months.

45
00:06:32,143 --> 00:06:39,143
And sometimes I'll get paid instantly, but the bounty would be less than expected.

46
00:06:40,142 --> 00:06:52,142
Yeah, I saw a lot of your blog posts and it's absolutely amazing how consistently can you get those payouts around the $50,000 mark.

47
00:06:52,142 --> 00:06:59,141
When you decide you want to hack, how do you choose your target?

48
00:07:00,141 --> 00:07:10,141
Yeah, so first of all, the target should be in Facebook, the Facebook ecosystem or the Facebook company now named Meta.

49
00:07:10,141 --> 00:07:21,140
So I chose, for example, I have a few scripts that I made before that would look for inside JavaScript files in each website.

50
00:07:22,140 --> 00:07:31,139
For example, Facebook business, Facebook main website, Facebook store, for example, and Instagram, all of them.

51
00:07:31,139 --> 00:07:52,138
And it would, for example, each day try to find changes in these JavaScript files, and if these JavaScript files had a critical change, or a few lines or new JavaScript files were created that may contain something special.

52
00:07:52,138 --> 00:08:04,138
It depends on the filter and the classifier for this case. It would give me a notification on that try and start to manually test it.

53
00:08:04,138 --> 00:08:25,136
I actually thought about doing something like this a long time ago and I've never finally did it. Is this script complex? Because I guess JavaScript files change very often and a lot of times it's not a change that's interesting to us.

54
00:08:25,136 --> 00:08:37,136
Yeah, it's like, of course, the change should be more than two letters, for example. It's obvious maybe they just changed the variable name.

55
00:08:38,135 --> 00:08:46,135
So it has to be, for example, a new line or two lines and with Facebook they developed using React.

56
00:08:46,135 --> 00:08:57,134
So it's like modules. I can, for example, extract the module's name and try to detect new modules added.

57
00:08:58,134 --> 00:09:05,134
And after that from the module name I can, for example, get a hint what this might be.

58
00:09:05,134 --> 00:09:17,133
For example, they have if the module is for client side communication with the backend for Ajax, for example, or Hadoop.

59
00:09:18,133 --> 00:09:32,132
They'll have a certain word in the module name. So, for example, I'd focus on that. Sometimes I will ignore other things like CSS, like things related to graphics.

60
00:09:32,132 --> 00:09:47,131
So I guess it's more specific to the target. You can pull it, you can find hints in other targets and build your script using that information.

61
00:09:47,131 --> 00:10:01,131
So when you see a change in JavaScript, what tools do you use to deobfuscate the JavaScript to understand the JavaScript if you use any tools apart from the browser?

62
00:10:01,131 --> 00:10:24,129
Actually, I use like, there are many CLI-based tools like JS Beautifier or js-beautify, I guess. So this one I would just use to add tabs, add spaces and make it readable.

63
00:10:24,129 --> 00:10:46,128
But the actual obfuscation with time I just got used to reading the script very fast. So if you get used to reading variables named as A, B, C, D instead of their real names, it's starting to become very easy.

64
00:10:46,128 --> 00:10:56,127
And do you often use the browser debugger to understand the code or you just don't need it?

65
00:10:56,127 --> 00:11:24,126
I use it mainly for when I try to track something in the JavaScript execution. So I try to make a breakpoint and after that find the next function and after that until I reach one point where, for example, I'm looking for a symbol or I'm looking for a source or an instance or another.

66
00:11:24,126 --> 00:11:39,125
So I use it, actually I only use three tools. I use the browser and Burp Suite. So I use those two.

67
00:11:45,124 --> 00:11:48,124
Do you use any extensions in Burp?

68
00:11:48,124 --> 00:12:11,123
Actually, no, I don't like. I use, for example, a tool called mitmproxy. So it's similar to Burp, but you have more freedom to write scripts and everything. It doesn't have a graphical interface, a GUI.

69
00:12:11,123 --> 00:12:22,122
So I have it in the middle, this proxy, mitmproxy in the middle, and it will forward a request to Burp so I can see the history and everything.

70
00:12:22,122 --> 00:12:42,121
And in the middle, in mitmproxy, I'll program scripts with Python that would do some similar things to Burp. Just I'll have more freedom. Like, for example, I'm not sure if this is possible in Burp.

71
00:12:42,121 --> 00:12:53,120
This script would be like instantly monitoring any requests, like in the background, all this stuff.

72
00:12:54,120 --> 00:13:05,120
So in the same type, I want to extract secrets from the requests.

73
00:13:06,120 --> 00:13:08,120
I don't understand, what's that?

74
00:13:08,120 --> 00:13:17,119
Like the Python script, what this Python script would be extracting from those requests or responses?

75
00:13:17,119 --> 00:13:41,118
Yeah, so for example, if I'm looking for, if I have a specific, for example, like a Burp Suite extension that would, for example, look for B64-encoded strings and try to decode them and try to find out what's encoded or what's inside.

76
00:13:41,118 --> 00:13:48,117
So I'll have a script like that doing it in the JavaScript instantly and it would be saving anything.

77
00:13:48,117 --> 00:14:10,116
For example, in the folder, I'll have another script looking for, I'm not sure, like if I have, I'll have like scripts that are in the middle, like between the browser when I browse their work.

78
00:14:10,116 --> 00:14:28,115
And then have other scripts that do their jobs in the background, like they'll try to scrape the website and look for certain, like inject, for example, XSS payloads and see the response.

79
00:14:28,115 --> 00:14:42,114
A few things like this, but it would get like, for example, the endpoint, the website, everything from the browser or from the browsing history.

80
00:14:45,114 --> 00:14:47,114
Okay, okay, I understand.

81
00:14:48,114 --> 00:14:52,113
And do you have a favorite vulnerability class?

82
00:14:52,113 --> 00:15:00,113
Yeah, it's actually a vulnerability, but an impact, I love account takeovers.

83
00:15:01,113 --> 00:15:19,112
So I actually like client-side more than server-side because I enjoy reviewing code, and for an application like Facebook, the only part available would be the client-side code, the JavaScript code.

84
00:15:19,112 --> 00:15:24,111
So I enjoy like testing this code.

85
00:15:25,111 --> 00:15:37,111
I enjoy testing the browsers where this code is getting executed and usually I'll find bugs in the browser or bugs in the files themselves.

86
00:15:37,111 --> 00:15:51,110
Yeah, so I'll get that category like browser-based bugs or XSS, more specifically, I like that.

87
00:15:51,110 --> 00:16:05,109
Yeah, I could definitely foresee this based on the write-ups on your blog with a few of them covered already on my channel.

88
00:16:06,109 --> 00:16:13,109
And what do you think you do differently from other hunters that you have extraordinary results and other hackers don't?

89
00:16:13,109 --> 00:16:33,107
Yeah, so we talked about what's the, so if you have the perfect, like strategy, you'll get the files that you need to manually like test or manually review.

90
00:16:34,107 --> 00:16:39,107
So at that point, you have that will be at the same level.

91
00:16:39,107 --> 00:16:50,106
After that, it depends on the knowledge of JavaScript, knowledge of the browsers, security policies, everything.

92
00:16:51,106 --> 00:16:54,106
So relations between a few features.

93
00:16:55,106 --> 00:17:01,106
So it's mainly knowledge of the JavaScript, how JavaScript works and how browser works.

94
00:17:02,106 --> 00:17:06,105
So you can detect if something's wrong, you'll easily detect it.

95
00:17:06,105 --> 00:17:21,105
And one more thing, like for me, I tried to, if I found something like a weakness, but it's not very critical, it can be used and try to save it.

96
00:17:22,104 --> 00:17:27,104
So for later, for example, it doesn't have any impact, but I tried to save it there.

97
00:17:27,104 --> 00:17:36,104
And if I find, for example, another weakness that can be leaked with that one, I'd come back and change them together.

98
00:17:37,104 --> 00:17:48,103
So that's a good thing you can do, especially in browsers, in 9-Cycle, because you can have like relations between two windows.

99
00:17:49,103 --> 00:17:54,103
You can have iframe, you have relation, parent relation, so you can do a lot of things.

100
00:17:54,103 --> 00:18:01,144
What do you use to keep those notes?

101
00:18:02,144 --> 00:18:11,143
Like, I don't know, gedit, I guess. Like any text editor in Linux or Windows.

102
00:18:12,143 --> 00:18:16,143
Okay, just simple solution.

103
00:18:17,143 --> 00:18:18,143
Yes.

104
00:18:18,143 --> 00:18:34,142
Okay. And also by looking on your blog, there are a lot of those XSS or account takeovers that have rewards of usually at least 40k, I think.

105
00:18:35,142 --> 00:18:42,141
Are there many bugs with lower severity and lower bounties that you just don't write about?

106
00:18:42,141 --> 00:18:49,141
What's the question? Like, why I only focus on big bounties or big impact bugs?

107
00:18:50,141 --> 00:18:58,140
The question is, do you find low impact bugs and not write them on your blog or do you not find low impact bugs?

108
00:18:58,140 --> 00:19:13,140
So in the first 3 or 4 years, I used to report medium impact or not very low, but medium, like the bounty would be around 4 to 5k.

109
00:19:13,140 --> 00:19:28,139
I stopped after that because like most of the time these issues take a long time to fix, so I wait for 3 months to get, for example, 5 or 4k.

110
00:19:28,139 --> 00:19:44,138
And personally, I like to enjoy my work, so when I get paid, I can get motivated to work more. So I'll just be waiting for that bounty to come so I can test again.

111
00:19:44,138 --> 00:19:57,137
So I stopped doing low or medium severity bugs and I only focus on big ones.

112
00:19:58,137 --> 00:20:10,136
Okay, that's very interesting. Like for a lot of people, a payout of 4, 5, 6k is a lot and I guess for you it works better to wait for the big one.

113
00:20:10,136 --> 00:20:20,136
This will be a super hard question to answer, but how long do you stay on one functionality until you move on?

114
00:20:20,136 --> 00:20:43,134
Okay, so for the scripts I have, I get a big red notification that this is interesting and I just spend like 3 to 4 days examining everything, trying to attack it from different angles with different tools.

115
00:20:43,134 --> 00:21:02,133
Not tools, like with different attacks. And yeah, after 4 days I just move on. As I said, I try to save the little weaknesses that I can't currently exploit, but I save them for later.

116
00:21:02,133 --> 00:21:13,132
Okay, and how often can you find a bug?

117
00:21:13,132 --> 00:21:38,131
I guess I'll try it, because I'm not very productive I guess. I like to have a balance of 50% work, 50% personal life. I'll have like 80% personal life and 20% work.

118
00:21:38,131 --> 00:21:59,130
So I don't do a lot of work. So it would be for example, I hunt for 2 weeks, I have a confirmation that I reported a valid ATO or a valid critical bug and I'll be testing again after 2 months for example.

119
00:21:59,130 --> 00:22:24,128
Yeah, so it's for example, yeah. And sometimes I'll have like a crazy month where I'm bored and I like to work very hard. So I'll report 4 or 5 ATOs in one month. It happened last year.

120
00:22:24,128 --> 00:22:30,128
Oh wow. All of them valid ATOs on Facebook in one month?

121
00:22:31,128 --> 00:22:37,127
Yeah, I guess it was 4 I guess.

122
00:22:38,127 --> 00:22:45,127
That's crazy. And how does the preparation for the live hacking event look like?

123
00:22:45,127 --> 00:23:03,126
So live hacking events, I'm not like very focused on, I wasn't very focused on HackerOne. Like now I plan to engage more with HackerOne for a bad breath.

124
00:23:03,126 --> 00:23:19,125
But when I was invited, I'll just be familiar like about the target. It won't be familiar like Facebook. So I try to use the same techniques.

125
00:23:19,125 --> 00:23:40,124
And for example, in the last hacking event it worked. But the problem with reporting to another company or target that doesn't know you or your work, it's hard to see the impact of the event.

126
00:23:40,124 --> 00:24:02,122
For example, if I report the Pentax ATOs that I usually report to Facebook, if I report the same bug to, for example, Zoom, they won't have like the same response as Facebook.

127
00:24:02,122 --> 00:24:12,122
They'll be like, this is a client-side bug. We want our user base won't be infected, for example.

128
00:24:13,122 --> 00:24:26,121
Didn't happen with Zoom but I just named one target. So Facebook cares about its client base. The others like it's not that much.

129
00:24:26,121 --> 00:24:35,121
And that's why, for example, some will pay $500 for an XSS that would lead to an account takeover.

130
00:24:35,121 --> 00:25:00,119
I completely understand. Also regarding your hacking style, it seems like you are much more based on understanding what happens, understanding flow and the JavaScript. Do you often brute force or fuzz anything?

131
00:25:00,119 --> 00:25:15,118
Yeah, so if it's one thing about finding like you can find the null bug in JavaScript or a chain of bugs, but they explode to write to achieve an attack.

132
00:25:15,118 --> 00:25:30,117
Sometimes it requires brute force for example, but I use brute force with other things. Sometimes for example, I use it to extract data from the server.

133
00:25:30,117 --> 00:25:52,116
For example, if I'm looking for client side bugs, but sometimes you need to access JavaScript files that are not available to you. For example, I need to get JavaScript files in an admin dashboard, but I don't have access to the admin dashboard.

134
00:25:52,116 --> 00:26:08,115
Okay, so I'm trying to, for example, find the CDN that serves JavaScript files and try to brute force a few things. And that would make me download the JavaScript files of the admin dashboard.

135
00:26:08,115 --> 00:26:27,114
From there, I can, for example, prepare an XSS attack, even though I don't have access to the dashboard to test it. I will, for example, find a DOM XSS in the JavaScript file and I know it's loading when slash admin is accessed.

136
00:26:27,114 --> 00:26:45,113
So I can have an attack. Also, for example, I try to extract endpoints from these JavaScript files and prepare for server side attacks like IDORs or anything.

137
00:26:45,113 --> 00:27:06,112
Okay, well, these are crazy, crazy sounding attacks. And also, probably there is someone who listens to this podcast who thinks I am also monitoring JavaScript files for changes.

138
00:27:06,112 --> 00:27:25,110
I'm also focusing on client side bugs. I like account takeovers, but I don't have as good results as Youssef does. What is your advice to this person? What likely are they doing wrong that they just don't have as great results as you do?

139
00:27:25,110 --> 00:27:49,109
So I would advise to read more about JavaScript, like web docs about JavaScript, spec about JavaScript, especially features in the browsers. Read more about browsers, features and security policies and everything.

140
00:27:49,109 --> 00:28:13,108
Like when you read everything, why this header is present in the request, why this header is present in the response. When it's missing, you notice that and you can notice this weakness and you can link it with other weaknesses to achieve, to have a full working attack or bug.

141
00:28:13,108 --> 00:28:32,106
So I think in the last three years, browsers added a lot of security features. So sometimes people would read the blog, how to, for example, exploit a CSRF attack.

142
00:28:32,106 --> 00:28:53,105
They find a vulnerable CSRF endpoint and everything, and they wonder why it's not working. Sometimes you have like security policies or security features added and the browser would protect against CSRF even if it's present.

143
00:28:53,105 --> 00:29:11,104
So they just try and waste time. And if they knew about, for example, an attribute in a cookie or a header, they would immediately know that the attack won't work.

144
00:29:11,104 --> 00:29:22,104
So I guess that's the problem, lack of knowledge and specifics in JavaScript and browsers in general.

145
00:29:22,104 --> 00:29:44,144
Ok, and when you want to learn something new, let's assume you know nothing about OAuth, about the protocol itself and you want to learn it. How would you do this? Would you set up your own servers to understand the flows or you just hack?

146
00:29:44,144 --> 00:30:06,143
No, I try to understand, of course, the protocol, how the protocol works. So first thing would do to have like test environment set up. After that, I try to each time have a configuration.

147
00:30:06,143 --> 00:30:21,142
Another configuration than the previous one, for example, for OAuth, I try to have four or five types of OAuth communications type, for example, or exchange type.

148
00:30:21,142 --> 00:30:46,140
And I try to test them all. After that, in the meanwhile, I need to read the spec of OAuth. So I try to read the spec of OAuth, what's recommended by the spec writers, what's recommended, what's enforced by the spec writers.

149
00:30:46,140 --> 00:31:00,139
And yeah, after that, I prepare, for example, I prepare Facebook OAuth and see if they apply the same specs mentioned in the specs.

150
00:31:00,139 --> 00:31:16,138
So if they do it, they do it in the right way and I won't find a bad, if they do it wrong way, like I know and I can explain that.

151
00:31:16,138 --> 00:31:39,137
Also, I try to, for example, sometimes the spec has a fault or is wrong. So sometimes the spec has weakness. So I try to exploit that and report it, for example, to a big company like Facebook.

152
00:31:39,137 --> 00:31:57,136
I get paid even though Facebook is not faulty here because it followed the spec, but I try to get a bounty out of it. And after that, I report to the, for example, the spec writers or to the net bros.

153
00:31:57,136 --> 00:32:11,135
And when you have a specification in front of you, which usually is a huge document, what do you pay special attention to?

154
00:32:11,135 --> 00:32:31,134
Inputs, of course, like user or the inputs that can be controlled by me or, for example, the redirect URI in OAuth. I check, for example, the checks made to that redirect URI to verify it's a valid one.

155
00:32:31,134 --> 00:32:48,133
Yeah, so I focus on that and focus, for example, response type. If it's possible to have in a certain exchange tied with OAuth to have both token and the code.

156
00:32:48,133 --> 00:33:03,132
And if that's possible, can I leak the code or token to, for example, an open redirect. So I focus on things that I can't control, I can't change in the Nandtech.

157
00:33:04,132 --> 00:33:13,131
Few other things like dark constants or won't have the Nandtechs, I won't read them.

158
00:33:13,131 --> 00:33:27,131
Okay. Do you use any websites with labs like Pentester lab or Hack the Box or maybe do you play any CTFs?

159
00:33:27,131 --> 00:33:43,130
Actually, no, but for example, I read a lot of white papers. I read a lot of write-ups and especially like the new research.

160
00:33:43,130 --> 00:34:04,128
And after I do that, the research, I try to do like a home lab where I can test how to exploit this bug. I have like different levels of difficulties, different cases and try to exploit them.

161
00:34:04,128 --> 00:34:13,128
Oh, wow. I believe those labs are golden, somewhere on your computer.

162
00:34:13,128 --> 00:34:34,127
You can do labs too, like I get two lines are better than one. So if the lab, the one week of the thought about a trick that you do the same code, it's better also to do labs. I encourage people to do labs, but for me, it's about time.

163
00:34:34,127 --> 00:34:42,126
I don't have much time to do that.

164
00:34:43,126 --> 00:34:48,126
Okay. What programming language do you use to create those labs?

165
00:34:48,126 --> 00:35:09,125
So I'm old school, so I use PHP, but I try to, because I have maximum control of the web application, but now I do both JavaScript in the back here and sometimes when I'm testing, I'm testing back there in the front end.

166
00:35:09,125 --> 00:35:17,124
So it became more easier to program.

167
00:35:18,124 --> 00:35:27,124
Okay. You now, you are not a full-time bug bounty hunter, you also work employed, is this correct?

168
00:35:27,124 --> 00:35:44,123
I'm employed, so I have a company, so I don't from now on, let's say I don't operate as a person, but as a company, so I do my bug bounty hunting as a company, I do penetration testing jobs as a company.

169
00:35:45,123 --> 00:35:51,122
So it's similar to a full-time bug bounty hunter, but I operate as a company.

170
00:35:51,122 --> 00:35:57,122
Okay. So you also do pen tests, sort of like a freelancer.

171
00:35:57,122 --> 00:36:21,120
No, because I can have a contract with the company, I do it myself, I have a few people that I know that would help me sometimes, so I outsource some things. I have an employee, so I can also ask them to work on that.

172
00:36:21,120 --> 00:36:32,120
Okay, I understand. And how is your hacking style different when you do pen tests versus when you do bug bounty?

173
00:36:32,120 --> 00:36:58,118
So with pen tests, the big privilege is sometimes I have the source code, it would be for example white box testing or gray box testing. That's perfect for me because I like code review, I'm very good at code review, even for the backend.

174
00:36:58,118 --> 00:37:22,117
So that's a big plus for me. It's easier. Also, I'll try to have like, I'll have like my passive or analysis tool or static analysis tools that I can use directly, so it can make my work easier.

175
00:37:22,117 --> 00:37:29,116
What tools do you use for this?

176
00:37:29,116 --> 00:37:56,115
No, I have my own tools that I use. It's not special, but I have for example, I have like filters or like conditions, let's say, to get something, to add something, for example, variable or not.

177
00:37:56,115 --> 00:38:13,114
The database of conditions or sense gets always updated by Steam, so it might be fine. And it's similar to one tool, I'm not sure, nuclei or something like that.

178
00:38:14,114 --> 00:38:17,114
It's similar to nuclei, yeah, it's very popular.

179
00:38:18,113 --> 00:38:19,113
Yeah, I guess.

180
00:38:19,113 --> 00:38:38,112
Okay. So how much do you work? Because from this podcast, we know that you usually hunt for a few days, then when you find a valid bug, you like to chill out for some time. So what do you do in this chill out time?

181
00:38:38,112 --> 00:38:59,111
So chill out time, so it would be like, I travel, I'll, my chill out time also can be reading books, learning, so I try to learn more about like hacking or even other fields like AI or blockchain. So it would be my chill out time.

182
00:38:59,111 --> 00:39:25,109
Also, I just go out, yeah. But it's not always the case. Because sometimes I'll have, for example, maintenance jobs, they have a fixed time lapse. So I'll work on that.

183
00:39:29,109 --> 00:39:37,109
Okay. And after such a chill time, what gives you the motivation to come back to hunting again?

184
00:39:37,109 --> 00:40:03,107
It's on the rock. No, like, I'm not sure, like, I just feel about hacking, or maybe I learned something, I read something new in a book or something and it encourages me to like go that step and make profits.

185
00:40:03,107 --> 00:40:25,106
Okay, okay, I understand. And you prefer to work from the office than from home, as we've talked about previously. What are the other productivity things that you do to just be more effective at your work?

186
00:40:25,106 --> 00:40:50,104
Yes, I have a clean setup and I have multiple monitors, like each monitor is for a task, let's say. Also, I encourage to have like lights, a lot of light in the room, to have a green area, like a plant or something.

187
00:40:50,104 --> 00:41:03,104
Yeah, sometimes I'll just have TV open, just to have an accompaniment, let's say. Yeah, in that sense.

188
00:41:04,104 --> 00:41:09,103
And when is your hunt?

189
00:41:10,103 --> 00:41:14,103
I said I consume a lot of coffee.

190
00:41:14,103 --> 00:41:28,144
That's of course. And when is your hunting day? How does this day look like? What time do you get up? What time do you start working? Do you have any other habits that you like to do?

191
00:41:28,144 --> 00:41:50,143
So, before, when I didn't have the company, it was like random. I can, for example, stay for 14 hours. I can stay up all night and sleep all day.

192
00:41:50,143 --> 00:42:07,142
But now, since I have this, like I have work hours, let's say, I try to, for example, wake up at 7 or 6 and work for 8 or 9 hours.

193
00:42:07,142 --> 00:42:24,141
Okay. And do you have some structured approach to taking breaks in the middle of the day or do you just go with the gut feeling?

194
00:42:24,141 --> 00:42:44,139
Yeah, I actually have a lot of breaks. Like, if I feel I finished a task, I finish it, like something, like I made progress, I just take a break, like 15 minutes break.

195
00:42:44,139 --> 00:42:56,139
If I reach something bigger, I take 30 minutes. It's like motivation thing to get done to have a break.

196
00:42:57,139 --> 00:43:11,138
Okay, I understand. Let's now switch gears a little bit. There is a topic so hot that we can't just not talk about it. Of course, it's the AI.

197
00:43:11,138 --> 00:43:19,137
What uses of AI did you try? How did you try to make AI help you at your job?

198
00:43:19,137 --> 00:43:44,136
So, as I said, I guess most of my work is manual, but of course, if I can get a free second hand, I would use it. So, AI, I use it for specific searches in certain databases.

199
00:43:44,136 --> 00:44:03,135
For example, I consider Google as a database. So, if ChatGPT can analyze, for example, the code and decide what things to search for to get this, for example, exploitable.

200
00:44:03,135 --> 00:44:30,133
For example, if I find something in one JavaScript file, I don't have an example now, but it would make a very specific search in archive.org, Google, other databases and get me the response without really analyzing the code

201
00:44:30,133 --> 00:44:48,132
and finding that interesting line. So, that's at the moment the only thing that I use. So, in the future, I guess it's possible to make ChatGPT find bugs, at least for me, not complex ones,

202
00:44:48,132 --> 00:45:11,131
because I made an experiment with a friend and they asked about it in an interview. And yes, it was in GD. So, I tested ChatGPT to find the bug that I found.

203
00:45:11,131 --> 00:45:27,130
So, it wasn't able to find it. And even though ChatGPT maybe was trained based on my article, even though that's the case, it wasn't able to find it.

204
00:45:27,130 --> 00:45:50,128
So, I guess it won't be helpful to get complex bugs found, but to get multiple weaknesses, which would mean that you may be able to analyze them and maybe chain them to get a big impact.

205
00:45:50,128 --> 00:46:04,128
Do you think in the future AI will be able to take a job of Pentesters or bug bounty hunters?

206
00:46:04,128 --> 00:46:20,127
I think, I'd say 60% of bug bounty can be done by an AI. Like the 60% work of current bug bounty hunters can be done.

207
00:46:20,127 --> 00:46:37,126
That's why I encourage bug bounty hunters to always find a special talent or something very specific to you and learn more about it, learn all the complexity behind it.

208
00:46:38,126 --> 00:46:45,125
Because that won't be an easy task for an AI, for any AI.

209
00:46:45,125 --> 00:47:04,124
Yeah, that's a great tip. I think for anyone who now wants to learn something, the thought process should involve: can AI replace me doing this at some time in the future?

210
00:47:04,124 --> 00:47:33,122
Or is this a unique skill, which at least for upcoming years, AI won't be able to do and looking at security, AI may find simple bugs, but I don't see in upcoming years that it will be able to understand the complex, multi-component infrastructure, all the microservices, different contexts, it's just too complex.

211
00:47:34,122 --> 00:47:40,122
So I think if we can find bugs like this, then we are secure.

212
00:47:41,122 --> 00:47:43,122
How about...

213
00:47:44,122 --> 00:47:46,121
Go ahead.

214
00:47:46,121 --> 00:48:15,120
Okay, so it's like, I guess, even currently, since ChatGPT for example is not operating by itself, so when the API is available I guess, bug bounty hunters can do some jobs with ChatGPT or find bugs with ChatGPT at least.

215
00:48:16,120 --> 00:48:30,119
It's only about the way you do it, since it doesn't have an internet access, so you have to give clues, you have to, of course, describe the behavior of the application.

216
00:48:31,119 --> 00:48:41,118
Also, yeah, do you encourage like people or hunters to use AI?

217
00:48:41,118 --> 00:49:00,117
I try to use AI in my job, but so far, most of the uses when I see it's useful is more in the content creation side than actually when hacking.

218
00:49:00,117 --> 00:49:10,117
When hacking, so far, the good use of ChatGPT is to generate a template.

219
00:49:11,116 --> 00:49:18,116
This is maybe more for CTFs, when you need, I don't know, a Python script to send a payload over web sockets.

220
00:49:18,116 --> 00:49:35,115
With Google it will take you at least a few minutes to find the right code, modify it and so on, and for things like that ChatGPT is awesome because it really generates something that can be a base for your exploits.

221
00:49:36,115 --> 00:49:43,115
So this is, for me so far, it's the only real good use of AI in my security work.

222
00:49:43,115 --> 00:49:51,114
Yeah, nice. Yes, it's a good way to use it.

223
00:49:52,114 --> 00:50:04,113
Yeah, I also saw it's integrated now in Semgrep for verifying findings. Semgrep is a source code scanner and they integrated it to verify if a finding is a false positive or not.

224
00:50:04,113 --> 00:50:18,112
So it takes the alert from Semgrep and takes the context of the code and says if it's good or not. I haven't tested it, but I think it makes sense and it's a very good context for AI.

225
00:50:19,112 --> 00:50:20,112
So let's see how it works.

226
00:50:21,112 --> 00:50:22,112
Yeah.

227
00:50:22,112 --> 00:50:36,111
Another sort of new, although now with the AI hype a bit forgotten, trend is web3 and blockchain. Did you do any hacking of web3 apps?

228
00:50:36,111 --> 00:50:51,111
To be honest, I'm still studying the technology. I know it's like a new technology, it's very old, but I didn't have the time to switch from web2 to web3 hacking.

229
00:50:51,111 --> 00:51:08,110
It's the same concept and maybe it would work best for me because I like code review and it would be a good way to analyze smart contracts and everything.

230
00:51:08,110 --> 00:51:20,109
But yeah, however, I had some bad reviews from other hackers that tested web3 applications.

231
00:51:20,109 --> 00:51:37,108
Sometimes they won't get paid as much as they promised, like as the program promised. Sometimes they get paid after six months or a year.

232
00:51:38,108 --> 00:51:43,107
And for me it's a critical thing, like the timing of the payout.

233
00:51:44,107 --> 00:51:46,107
But I guess I'll try it.

234
00:51:46,107 --> 00:51:59,107
Yeah, I noticed over the course of this podcast that for you the quick feedback loop of getting a payout is very important.

235
00:52:00,106 --> 00:52:09,106
And I saw in some of the web3 bugs I covered on my channel, the bounty was paid out over a year.

236
00:52:09,106 --> 00:52:21,105
So in the write-up it was written that the bounty is 1 million that's paid over a year. So it's like someone with a reverse credit.

237
00:52:22,105 --> 00:52:31,105
So you get the bounty paid over a year. I don't know exactly how it works, but I don't think in web2 bounties we saw anything like this.

238
00:52:31,105 --> 00:52:38,104
Yeah, I see.

239
00:52:39,104 --> 00:52:44,104
I'm in exactly the same boat as you. I also like to review the code and understand the code.

240
00:52:45,104 --> 00:52:53,103
And I felt like smart contracts should be something for me because of this, because there you always can access the code, at least the compiled one.

241
00:52:53,103 --> 00:53:02,103
And yet I still didn't use it and I still didn't transfer. I did some learning, but not enough to find real-world bugs with it.

242
00:53:03,103 --> 00:53:21,143
Yeah, also the bugs are very limited. Like if you want to make a full switch from web2 to web3 bug bounty hunting, you'll have to find reliable programs.

243
00:53:21,143 --> 00:53:39,142
I can think about, let's say, it's like 50 programs would be competing with other hackers, of course, and especially black hat hackers, which I guess have more experience than some.

244
00:53:40,142 --> 00:53:48,142
So it can't be easy. Bugs would be really limited, but the payout is huge.

245
00:53:48,142 --> 00:53:58,141
Yeah, so if you can work with these things, you can choose web3.

246
00:53:58,141 --> 00:54:20,140
Yeah, so coming back to the regular bug hunting of yours. For the last, I think, three years you were top one on the leaderboard of Facebook, but you tweeted that this year you will not be in the Hall of Fame of Facebook.

247
00:54:20,140 --> 00:54:27,139
What is this about?

248
00:54:27,139 --> 00:54:49,138
Moving on, like I said at the beginning, I was happy with Facebook and I stayed working with Facebook because they had the best payouts and they had the best report-to-bounty time. Now they don't have that.

249
00:54:49,138 --> 00:55:05,137
Many HackerOne programs have bigger bounties than Facebook. Also, it happened to me that I would wait six months for the report to get resolved and get paid.

250
00:55:05,137 --> 00:55:28,136
So that doesn't work for me and that's why I switched. So I still didn't fully start with HackerOne, but that's the plan for now, to focus on HackerOne programs and finish with Facebook.

251
00:55:28,136 --> 00:55:44,135
Okay, that's a big loss for Facebook right there. Apart from waiting for payouts, what are the things you don't like about bug bounty?

252
00:55:44,135 --> 00:56:10,133
Yeah, so I guess with bug bounty, sometimes I feel it's not like a good relationship between the hacker and the company. Most of the time you have a third party in the middle, which is the triager, who is employed by a third party.

253
00:56:10,133 --> 00:56:32,132
Or by the platform, a hacking platform. So you can't have a direct relationship with the company. Sometimes the problem would be with the triager, they understand it wrongly and he or she won't follow it through to the company, for example.

254
00:56:32,132 --> 00:56:46,131
Sometimes if you have a relationship with the company, they know about little details, for example, from previous reports or from previous work that you did with them.

255
00:56:46,131 --> 00:57:05,130
And they understand that the report is critical and need to get triaged immediately. With the triager, it's not the case. Facebook actually worked on this, even though triagers are employed by Facebook.

256
00:57:05,130 --> 00:57:28,129
But for example, for some people, for example, like me, they'll have a single triager assigned to me, for example, and I can ask them or contact them about, like, for example, I get the report triaged in one day.

257
00:57:28,129 --> 00:57:44,128
That helps a lot to make the process fast. I guess that with hunters, the main issue is time and understanding of the weakness.

258
00:57:44,128 --> 00:58:06,126
Of course, I can blame the hacking platforms or the companies. They need to filter a lot. So I guess it's on us to try to learn as much as possible and not to try to spam these companies and these triagers.

259
00:58:06,126 --> 00:58:29,125
Let's assume I am a CEO of HackerOne or a big bug bounty platform. And I ask you, Yousef, we want to make our platform better for hackers. What are the things you would recommend me to change?

260
00:58:29,125 --> 00:58:48,124
So with HackerOne, I guess it's, yeah, they did a lot. I won't say they're perfect, but they did. They had a lot of ideas. They applied them. The only issue that I can see is sometimes the misunderstanding of the triager.

261
00:58:48,124 --> 00:59:04,123
For example, sometimes they'll mark a report as a duplicate of another report which is not related.

262
00:59:04,123 --> 00:59:18,122
For example, it can't be the same issue, but they'll find common keywords and common words in both reports and just close them. So I think that's the current problem with HackerOne.

263
00:59:18,122 --> 00:59:36,121
I won't say they have one job and they have a problem in it, but if they work more on the triaging process, it would be great. Also, I don't blame them.

264
00:59:36,121 --> 00:59:50,120
I mean, imagine receiving a thousand reports, I'm not sure, per week or per day and only 10 are valid. So it's stressful.

265
00:59:50,120 --> 01:00:06,119
Yeah, it's really hard. I also had similar problems. A few months ago, I had a situation where I reported a bug. It was like a cross-site leak.

266
01:00:06,119 --> 01:00:21,118
So a bug really not easy to reproduce. It was time-based. So it was like the worst version, but I had no choice, so I reported it. And the triager couldn't make it work.

267
01:00:22,118 --> 01:00:27,118
And after a few rounds of going back and forth, I was just, okay, it's a low payout, so I'm just leaving it as it is.

268
01:00:27,118 --> 01:00:40,117
And then I had another bug mishandled by the same triager. So I asked the program, in another report that was already triaged, maybe even fixed.

269
01:00:41,117 --> 01:00:52,117
I told them that this triager is not really handling the reports well and things like that. And they actually triaged both my other reports immediately.

270
01:00:52,117 --> 01:01:03,116
And it showed me that talking with the program owners or the program maintainers or whatever is completely different than talking with the triager.

271
01:01:03,116 --> 01:01:26,115
So I definitely hear what you say. And on the other hand, also from HackerOne point of view, there are so many hackers that I think it's a reasonable business decision for them to just prioritize their relationship with the clients rather than prioritize hackers, which is bad for us.

272
01:01:27,115 --> 01:01:29,114
But I think it's the sad truth.

273
01:01:29,114 --> 01:01:53,113
I guess that's true too. Like always, the client is right, I guess. And I understand that too, because they get paid by the client, they're not getting paid by us, for example, for having us in contact with the program.

274
01:01:53,113 --> 01:02:15,112
So I guess for that, they have to maintain a relationship with the clients. And a few of us could have bad reports, but in general, for example, you'll have, like, on average, you'll have a good experience with that program.

275
01:02:15,112 --> 01:02:22,111
Like some of us would take the fall, let's say.

276
01:02:28,111 --> 01:02:36,110
By the way, you said you had an assigned triager in Facebook. After how many reports did they assign a triager to you?

277
01:02:36,110 --> 01:02:53,109
Yeah, so it's not assigned. It's not like a triager only works for my reports. But at certain points, I always have the same triager for any report.

278
01:02:53,109 --> 01:03:10,108
So for example, yeah, it happened like, I guess, two years ago, or like for anyone in the diamond league, they'll have someone that only focusing on that person.

279
01:03:10,108 --> 01:03:32,107
And it's good, as the researchers have a certain style or a certain history of reporting certain bugs. It's better to have only one person that would understand the exploit code.

280
01:03:32,107 --> 01:03:36,107
Yeah.

281
01:03:37,107 --> 01:03:52,106
For those listeners who don't know, Facebook has a ranking system based on your performance in the last year, and the diamond league is like the highest tier of this ranking. This is what Youssef mentioned here.

282
01:03:52,106 --> 01:04:01,105
Okay, finally, what are you looking forward to achieve in 2023?

283
01:04:01,105 --> 01:04:24,104
Okay, of course, I need to make more money, similar as last year or more. Yeah, I guess for this year, I tried to switch fields, not in the security field, but I'm trying to focus on mobile security.

284
01:04:24,104 --> 01:04:43,103
And yeah, at least for example, account takeovers via mobile, I guess nowadays, it's rare to find one and try to focus on that, like mobile security in general.

285
01:04:43,103 --> 01:04:58,144
And it's possible to make the same amount that I made last year, but only focusing on mobile security, it wouldn't be a great achievement for me.

286
01:04:59,144 --> 01:05:04,143
Of course, not with Facebook, but other programs.

287
01:05:04,143 --> 01:05:26,142
Awesome, that's awesome. I wish you lots of luck with this. Thank you so much for joining me today. It has been a goldmine of tips for me and for my viewers as well. If they want to follow you, where can they find you?

288
01:05:26,142 --> 01:05:51,141
So yeah, thank you for having me. It was a nice interview, I guess. And if you want to follow me, you can find me on Twitter. My handle is samm0uda. And yeah, I am available on Twitter.

289
01:05:51,141 --> 01:05:57,057
Awesome, we'll of course link this in the description.

290
01:05:58,265 --> 01:06:00,682
What an amazing interview.

291
01:06:00,723 --> 01:06:04,890
Myself, I have lots of takeaways,
and I hope you do too.

292
01:06:05,140 --> 01:06:08,431
In fact,
if you do, let me know by leaving a like

293
01:06:08,431 --> 01:06:12,681
if you're watching this on YouTube,
or a review, if you're listening to it

294
01:06:12,681 --> 01:06:17,306
on Apple Podcasts, Spotify
or another podcasting app.

295
01:06:17,306 --> 01:06:21,222
And if you want to hear another interview
with a hunter

296
01:06:21,222 --> 01:06:24,930
that likes to go deep into the application
listen to this one

297
01:06:25,180 --> 01:06:28,180
that's on your screen right now
with Johan Carlsson,

298
01:06:28,263 --> 01:06:32,888
who has incredible success
in his first year of bug bounty.

299
01:06:33,263 --> 01:06:36,096
For now,
thank you for listening and goodbye!
