1
00:00:00,000 --> 00:00:08,000
The mix of unpredictable bug bounty with stable pentesting can give you a really good balance

2
00:00:08,000 --> 00:00:13,760
and while I talk about bug bounty a lot, in this video we'll talk about pentesting, how

3
00:00:13,760 --> 00:00:20,260
to become a pentester, how to find clients for pentesting and of course the pentest methodology.

4
00:00:20,260 --> 00:00:24,960
My guest today is Cristi Vlad, enjoy.

5
00:00:24,960 --> 00:00:30,120
So hello Cristi, thank you so much for joining me in today's podcast.

6
00:00:30,120 --> 00:00:35,160
For those of you who don't know you, can you please tell us a bit about your background

7
00:00:35,160 --> 00:00:37,760
and where are you currently at?

8
00:00:37,760 --> 00:00:39,360
Sure, definitely.

9
00:00:39,360 --> 00:00:40,360
Hi Greg.

10
00:00:40,360 --> 00:00:47,120
So I'm going to probably try to be short because and I'm trying to catch the essence.

11
00:00:47,120 --> 00:00:58,400
So formally or by education I haven't followed like or I don't think that most of or a lot

12
00:00:58,400 --> 00:01:06,620
of the people in cyber security have not started via an educational or an education in cyber

13
00:01:06,620 --> 00:01:16,880
security background and I actually I'm a civil engineer by education so I did a bachelor's

14
00:01:16,880 --> 00:01:25,040
and a master's in civil engineering, construction engineering and about eight or nine years

15
00:01:25,040 --> 00:01:32,880
ago so I didn't actually work in the field because as I was still studying my interests

16
00:01:32,880 --> 00:01:34,220
have changed.

17
00:01:34,220 --> 00:01:40,060
So while I was doing my master's my interests have changed so about eight or nine years

18
00:01:40,060 --> 00:01:49,960
ago I started getting into Python and that also a little after that I became interested

19
00:01:49,960 --> 00:01:52,120
in cyber security.

20
00:01:52,120 --> 00:02:01,640
So that's how it all started, Python cyber security then I started doing some for a very

21
00:02:01,640 --> 00:02:06,620
short period of time I did some challenges.

22
00:02:06,620 --> 00:02:16,520
There was there was VulnHub back then you had to I guess it probably is you had to you

23
00:02:16,520 --> 00:02:21,480
had to install the Vulnerable Machine on your system and actually try to get into it.

24
00:02:21,480 --> 00:02:26,400
Yeah, it was a very difficult part when you had to install the machine and configure the

25
00:02:26,400 --> 00:02:30,200
network properly to access it from Verve.

26
00:02:30,200 --> 00:02:33,960
Yeah that was a very short period for me.

27
00:02:34,300 --> 00:02:40,820
And then another very short period was when Hack the Box started all out so I was on Hack

28
00:02:40,820 --> 00:02:47,500
the Box ever since it started but I was there only for a short period of time maybe a couple

29
00:02:47,500 --> 00:02:56,500
of months did a bunch of machines there and then I tried as I can remember now I believe

30
00:02:56,500 --> 00:03:03,660
I tried to get into the field like into the real world as soon as possible I didn't want

31
00:03:03,660 --> 00:03:11,800
to waste not necessarily waste I didn't want to spend time in in the theoretical realm

32
00:03:11,800 --> 00:03:18,120
like on the side I wanted I wanted to actually see how things work in the real world so yeah

33
00:03:18,120 --> 00:03:25,600
I guess I guess this is a very short intro but you can ask whatever follow-up questions

34
00:03:25,600 --> 00:03:26,600
you have.

35
00:03:26,600 --> 00:03:33,440
Yeah so tell me how did you start with with bug bounty and pentesting what was first?

36
00:03:34,220 --> 00:03:38,020
It was pentesting yeah pentesting.

37
00:03:38,020 --> 00:03:48,020
I think I started with that more on there was an opportunity locally here and I actually

38
00:03:48,020 --> 00:03:53,900
followed that opportunity I worked with the company with the local company here doing

39
00:03:53,900 --> 00:04:02,680
their cybersecurity thing and that was in in their offices that was for a couple of

40
00:04:02,680 --> 00:04:13,920
months back in 2018 I guess 2017-2018 and that's that's how it all started I saw how

41
00:04:13,920 --> 00:04:22,520
things work in the real world and after that became after that came other opportunities

42
00:04:22,820 --> 00:04:28,020
most of them have been online so yeah most of them

43
00:04:30,340 --> 00:04:33,060
100% of them have been online as far as I can tell.

44
00:04:33,620 --> 00:04:36,420
Yeah and how did you then get interested in bug bounties?

45
00:04:40,100 --> 00:04:47,620
I guess I started hearing about about bug bounties 2019-2020 I don't even actually

46
00:04:47,680 --> 00:04:56,160
remember exactly I think I think that when I took my OSCP yeah so I can look at that

47
00:04:56,160 --> 00:05:08,560
certificate it's 2019 as I got the OSCP the very same month I believe it was August 2019

48
00:05:08,560 --> 00:05:18,480
the very same month I started doing some some program online I learned about the platforms I

49
00:05:18,480 --> 00:05:27,120
learned about back then HackerOne and Bugcrowd were the the go-to but I didn't spend time on

50
00:05:27,120 --> 00:05:35,200
those platforms and I think I focused as far as I can remember I focused finding programs on

51
00:05:35,200 --> 00:05:48,000
Google using the self-hosted ones yeah and then then I focused on getting into Synack and that's

52
00:05:48,000 --> 00:05:58,960
actually how I believe it was 2020 or 2019 when I got into Synack that that's where my focus went

53
00:05:58,960 --> 00:06:05,280
but I didn't do a lot of bounties and I'm not doing I don't spend a lot of time on bug bounties

54
00:06:06,720 --> 00:06:12,800
yeah for right now from what I know you you focus much more on on pentesting these days

55
00:06:14,160 --> 00:06:22,240
yeah I mean it could be 90% pentesting so that's that's the majority of my working time 90%

56
00:06:22,240 --> 00:06:31,840
pentesting and maybe 10% or less in bug bounties and I mean I'm focusing on only one program and

57
00:06:31,840 --> 00:06:41,520
one platform right now I'm I'm solely on Intigriti like 99% of my bug bounty time is on Intigriti

58
00:06:41,520 --> 00:06:48,160
one program and then the rest of one percent is divided into all other programs on all other

59
00:06:48,160 --> 00:06:54,160
platforms so it's non-significant and it's not a bad it's not a bad deal that you just have one

60
00:06:54,160 --> 00:06:59,680
program that you come back to you're probably the expert of it and I imagine you just like

61
00:07:00,240 --> 00:07:08,240
like hacking there yeah so looking back in I started looking into this program in 2023

62
00:07:08,800 --> 00:07:17,680
and I actually have a have a list where I keep all my submissions and I sent about

63
00:07:18,800 --> 00:07:27,520
70 or 80 70 something 70 submissions to the program this year a lot must be huge

64
00:07:27,520 --> 00:07:36,160
yeah and I mean I love it I love I love their product it's um it's I don't know it it just

65
00:07:36,160 --> 00:07:42,080
feels right yeah yeah that's great and about pentesting are you are you employed are you a

66
00:07:42,080 --> 00:07:48,640
freelancer how do you how do you do pentests so I operate as a business I'm not employed

67
00:07:49,200 --> 00:07:56,800
um I'm not a freelancer so it's uh I actually have collaborators I have other businesses that

68
00:07:56,800 --> 00:08:02,800
I work with I have main collaborators that I've been working with for about two or three years

69
00:08:02,800 --> 00:08:11,360
now so they they bring all the most of the I mean the majority of the pentests are brought by them

70
00:08:11,360 --> 00:08:18,000
so I don't have to worry about going to people but there are people that approach me so those are the

71
00:08:19,040 --> 00:08:24,960
the majority of as I said the majority of my pentests come from my main collaborators but

72
00:08:24,960 --> 00:08:32,880
there are others that people approach me okay on on twitter on linkedin and then those are

73
00:08:32,880 --> 00:08:39,440
those are also part of the of my main work okay so isn't this freelancing because you said you're

74
00:08:39,440 --> 00:08:45,520
not a freelancer to me it sounds a bit like freelancing well I don't like to maybe that

75
00:08:45,520 --> 00:08:51,280
part of it but I don't like to call myself a freelancer because I think the the long-term

76
00:08:51,280 --> 00:08:56,320
collaboration that I have with this uh with these businesses and the fact that they actually

77
00:08:57,360 --> 00:09:02,640
in freelancing you don't know when you have I think that in freelancing you don't know

78
00:09:02,640 --> 00:09:10,240
when you have the next project how long is it going to last but in what I do I have sort of a

79
00:09:10,240 --> 00:09:19,040
certain certainty that I'm going to have ongoing work so I don't have to worry about that okay

80
00:09:19,120 --> 00:09:28,000
okay fair enough um so you told me yeah I'm indeed naming I'm not not really strict about

81
00:09:28,000 --> 00:09:35,280
naming things uh anyway but you also told me that people approach you on linkedin on on twitter

82
00:09:35,840 --> 00:09:41,840
uh why do people approach you and and how can people how other pentesters can also attract

83
00:09:41,840 --> 00:09:48,640
people to approach them about pentests well there's a very from my perspective I think

84
00:09:48,640 --> 00:09:53,520
it's a very clear answer to this people approach when they see that you know something

85
00:09:54,800 --> 00:10:03,840
so oftentimes I post about stuff I'm quite active on twitter and also on linkedin basically posting

86
00:10:03,840 --> 00:10:11,680
the same things on both platforms so I actually post about stuff that I'm doing so other people

87
00:10:11,680 --> 00:10:22,240
actually see maybe connections on linkedin that are managers or own companies they see

88
00:10:23,040 --> 00:10:31,360
that I post stuff about pentesting findings um all that stuff and they actually approach me if

89
00:10:31,360 --> 00:10:37,840
if I want to look into their um their assets for example their apps their infrastructure

90
00:10:38,480 --> 00:10:40,880
so it's about sort of like

91
00:10:43,120 --> 00:10:51,280
establishing presence establishing solid presence on platforms I that's also due to my youtube

92
00:10:51,280 --> 00:10:57,200
channel back in the days I used to post my videos on these platforms and people will look at the

93
00:10:57,200 --> 00:11:04,000
videos and approach me due to the videos they saw that I know something and they wanted to

94
00:11:04,000 --> 00:11:12,240
see if I can help them in one way or another yeah so so basically you just put yourself out there

95
00:11:12,240 --> 00:11:21,840
and you show people that uh basically what you do so if if someone watches us who maybe just

96
00:11:21,840 --> 00:11:28,880
starts learning cyber security and they feel like they would like to be out there and show

97
00:11:28,880 --> 00:11:35,520
show things to people but they they kind of feel that they cannot do it because they cannot

98
00:11:35,520 --> 00:11:41,920
they do not know enough in this case if someone is actually you know just learning cyber security

99
00:11:42,480 --> 00:11:46,480
do you think they can still put something out there to the internet to see

100
00:11:47,760 --> 00:11:52,880
yeah definitely let's take for example I don't know maybe their learning journey

101
00:11:53,840 --> 00:11:59,200
maybe they're at the very beginning of their learning journey they're using a platform like

102
00:11:59,200 --> 00:12:04,720
TryHackMe, Hack The Box or whatever other platform, Web Security Academy, they could simply

103
00:12:04,720 --> 00:12:13,200
post about hey look I went through this challenge on I went through this uh learning path on web

104
00:12:13,200 --> 00:12:19,600
security academy I did this exercise and I learned this they could do a short post maybe on linkedin

105
00:12:20,240 --> 00:12:25,920
or on twitter or they could write something on medium or substack or whatever other platform

106
00:12:27,200 --> 00:12:34,080
write about their experience and then post it out there do that multiple times and people are

107
00:12:34,080 --> 00:12:40,320
going to start coming to you yeah and you also mentioned here a lot of platforms you mentioned

108
00:12:40,320 --> 00:12:45,680
twitter the substack the blog post how do you think they should choose on which platform to

109
00:12:45,680 --> 00:12:52,320
post up or maybe they should also do a youtube video definitely I mean youtube brought me a lot

110
00:12:52,320 --> 00:13:02,160
of opportunities so but you know most people are actually more comfortable writing something

111
00:13:03,040 --> 00:13:08,400
than starting to put themselves out there when I first started doing youtube videos back in 2015

112
00:13:08,400 --> 00:13:16,000
I did videos on python and on AI and only afterwards I began doing cybersecurity videos so

113
00:13:16,000 --> 00:13:26,000
it's it's not easy to start on youtube you it's it's and a significant portion of people in

114
00:13:26,000 --> 00:13:33,120
cybersecurity are geared towards introversion so I don't think it's easy especially if you

115
00:13:33,120 --> 00:13:44,640
account for that but to get back to your question doing posting on one of these

116
00:13:45,440 --> 00:13:54,880
blog platforms I'd say medium but you have to be careful because on medium if you want to reach a

117
00:13:54,880 --> 00:14:00,800
broader audience you should not be tempted on choosing their monetization for your for your

118
00:14:00,800 --> 00:14:08,240
writings because if you do that most people or a lot of people from my experience as a reader on

119
00:14:08,240 --> 00:14:15,280
medium are not actually going to be able to read your stuff because it's only going to show a short

120
00:14:15,280 --> 00:14:22,320
chunk from the video and if you want to read more you'll have to pay one dollar on medium per month

121
00:14:22,320 --> 00:14:29,040
and a lot of people aren't willing to pay one or ten or however their subscription is make sure you

122
00:14:29,040 --> 00:14:38,000
opt out of their monetization. Even if it was one cent people will just not add their credit card

123
00:14:38,960 --> 00:14:46,320
it's not worth it. Paywalling is paywalling. Yeah it's not worth it. For now Substack is free

124
00:14:47,600 --> 00:14:55,280
from what I know. Medium is also so I actually opted out of the the monetization on medium

125
00:14:55,280 --> 00:15:02,000
and whatever I post on there it's anyone can read right now maybe they'll change this in the future

126
00:15:03,360 --> 00:15:11,600
but yeah put yourself out there and do it frequently that's probably the gist of the question.

127
00:15:13,600 --> 00:15:20,960
Yeah and speaking maybe more specific about the resources what do you think would be a good

128
00:15:20,960 --> 00:15:27,120
learning path if you wanted to get into cyber security today as a 20 something year old computer

129
00:15:27,120 --> 00:15:38,000
science student? Depending on what you want to focus on so you mean as a bug bounty hunter?

130
00:15:39,440 --> 00:15:44,640
Well the problem is that the hypothetical person we are talking about doesn't know this yet.

131
00:15:45,600 --> 00:15:52,400
Exactly so that's when you have platforms like for example TryHackMe with their very introductory

132
00:15:52,400 --> 00:16:00,160
paths learning paths there's pre-security I guess there's a intro to cyber security

133
00:16:00,160 --> 00:16:07,360
that's where you get exposure with the multitude of careers or subfields in cyber security that

134
00:16:07,360 --> 00:16:13,520
you could pursue. I would go with that to actually get a bit of clarity on where I want to move

135
00:16:13,600 --> 00:16:19,840
because cyber security is a very very large field today so it's not it's not all about pen testing or

136
00:16:19,840 --> 00:16:26,880
bug bounty hunting there's there's a lot of stuff that you can do so start with getting clarity on

137
00:16:26,880 --> 00:16:34,560
who you want to be in the field afterwards it's afterwards I mean it's more simple.

138
00:16:35,200 --> 00:16:40,800
Yeah that's a that's a great answer and let's let's come back a little bit to to pen testing

139
00:16:40,800 --> 00:16:48,160
and to finding clients so let's say that all the clients that you have that you are working with

140
00:16:48,720 --> 00:16:54,240
just leave you today from just write you an email today you didn't work together anymore

141
00:16:55,120 --> 00:16:57,520
how do you find clients for 2024?

142
00:16:57,520 --> 00:17:04,880
Well exactly how I told you a few moments ago so I would actually maybe I would focus a little bit

143
00:17:04,880 --> 00:17:12,880
more on bug bounties not maybe probably I'll probably focus a little bit more on bug bounties

144
00:17:12,880 --> 00:17:22,560
and actually post about my findings and I'm pretty sure that if I if I grow a network on LinkedIn

145
00:17:23,040 --> 00:17:29,600
if I grow a network on LinkedIn and on on mostly on LinkedIn probably

146
00:17:30,960 --> 00:17:38,160
people are actually going to start asking me questions not only so it's very likely that I'm

147
00:17:38,160 --> 00:17:44,400
only going that I'm going to be approached by other people who want to become or become better

148
00:17:44,400 --> 00:17:50,960
in cyber security so other pen testers but I'm also going to be approached by by potential

149
00:17:50,960 --> 00:17:58,960
businesses potential interest potential interesting or interested clients that's

150
00:17:58,960 --> 00:18:12,960
what I would do I would actually do bug bounties and then have an ongoing stream of posts about my

151
00:18:12,960 --> 00:18:19,600
findings. Yeah that definitely seems like a like a winning strategy have you tried

152
00:18:21,440 --> 00:18:30,720
I wouldn't go about the formal route such as applying to companies applying to I wouldn't do

153
00:18:30,720 --> 00:18:40,400
that I would not apply or send jobs or send resumes on on LinkedIn because it's very likely that you're

154
00:18:40,400 --> 00:18:48,480
it's very unlikely that you're gonna get in in front of the person that makes decisions

155
00:18:49,280 --> 00:18:55,040
you want the person that makes decisions approaching you not you trying to approach

156
00:18:55,040 --> 00:18:59,040
them because if you try to approach them if you try to approach a business that's

157
00:18:59,040 --> 00:19:06,480
hiring pen testers you're first probably gonna encounter HR people a lot of them are not very

158
00:19:06,480 --> 00:19:15,040
experienced in cyber security and cannot actually assess or evaluate what you can do afterwards if

159
00:19:15,840 --> 00:19:23,680
you pass the HR you're gonna have multiple rounds of interviews it's probably not the best

160
00:19:24,880 --> 00:19:31,280
it's possible but it's probably not the best the path that you want to to follow you want people

161
00:19:31,280 --> 00:19:40,800
to come to you that's that's because you're in a position of good negotiation if people come to you

162
00:19:41,600 --> 00:19:49,840
you can operate on your terms let me let me know know your your your thoughts about this because

163
00:19:50,400 --> 00:19:55,680
you're you're from Romania I'm from Poland these are countries with relatively lower cost of living

164
00:19:55,680 --> 00:20:03,040
and also lower earnings than for example US and from I'm obviously not actively pursuing a job

165
00:20:03,040 --> 00:20:09,120
now but when I did I felt like when you just send a resume to a company even if it's like

166
00:20:09,280 --> 00:20:15,520
even if it's like a global remote company like GitLab the salary they're going to offer you

167
00:20:15,520 --> 00:20:22,400
will be comparable with other salaries in the same country so let's say a Polish salary which

168
00:20:22,400 --> 00:20:29,520
is probably like twice to half of this which what you can get in US and if you want to get a salary

169
00:20:29,520 --> 00:20:37,920
from a country like US or Germany or whatever I feel like the only way to do it is by networking

170
00:20:37,920 --> 00:20:49,360
and by by approaching people directly definitely so I can see this it's probably normal and common

171
00:20:49,360 --> 00:20:56,880
sense for for companies to offer salaries based on your position but like I said earlier it's

172
00:20:57,760 --> 00:21:04,240
since you're in the negotiations you want first of all you want to position yourself you want to

173
00:21:04,240 --> 00:21:12,320
see yourself as a global player here yeah so you you you should probably see yourself as a

174
00:21:13,200 --> 00:21:23,040
global entity global person and maybe maybe you want to set yourself or maybe you want to have

175
00:21:23,040 --> 00:21:31,040
expectations of course depending on your skills because if your skills are good if you have good

176
00:21:31,040 --> 00:21:37,200
skills you can ask whatever you want it this doesn't mean that you're going to get whatever

177
00:21:37,200 --> 00:21:44,960
you want you have to have some common sense because if like the median global range for a

178
00:21:44,960 --> 00:21:59,680
pentester starting could a good one would be $50 an hour you wouldn't want to ask $250 an hour

179
00:21:59,680 --> 00:22:05,520
because nobody's going to give that to you you have to know first of all you have to know the

180
00:22:05,520 --> 00:22:13,840
industry and I believe that a very large portion of cyber security people aspiring and actual

181
00:22:13,840 --> 00:22:20,720
pentesters don't know their worth and don't know the exact industry right now this could be probably

182
00:22:20,720 --> 00:22:29,360
due to the fact that not everyone is transparent on how much they make numbers are not quite public

183
00:22:30,080 --> 00:22:36,800
some of them are but you do get a feel for for how much a certain person with a certain

184
00:22:36,800 --> 00:22:42,480
year of experience is worth so if someone comes to me if a company approaches me and

185
00:22:43,680 --> 00:22:52,560
asks or says that they can pay $30 an hour or $20 an hour because they know that would be a good

186
00:22:53,200 --> 00:22:58,000
money so I'm hypothetically speaking because they know that would be good money for Romania

187
00:22:58,000 --> 00:23:04,720
I'm just going to say no thank you and it depends on how the conversation goes afterwards

188
00:23:04,720 --> 00:23:09,840
if if they're just looking for someone to fill a position they're actually going to keep looking

189
00:23:09,840 --> 00:23:16,000
but if there's someone who's actually interested in me personally and there is that situation as

190
00:23:16,000 --> 00:23:25,200
well we've seen examples of of companies that want a certain type of person on them like for example

191
00:23:25,200 --> 00:23:32,800
I think moving a bit from cyber security I think that and most people are not going to

192
00:23:33,840 --> 00:23:43,360
know the name I think that OpenAI pursued Andrej Karpathy who's who's a very big name in in AI

193
00:23:44,240 --> 00:23:52,400
to to go back to OpenAI after it had left a couple of years ago because

194
00:23:53,280 --> 00:24:02,960
they knew he this person was worth whatever he was worth so the company pursued a specific person

195
00:24:02,960 --> 00:24:08,480
an individual into their company so it depends it's very contextual

196
00:24:10,080 --> 00:24:16,000
yeah yeah I also didn't didn't know this name I admit and uh I suspect a lot of our audience

197
00:24:16,000 --> 00:24:20,560
as well but but yeah that's true and that's that's a really good position like sometimes

198
00:24:20,560 --> 00:24:27,760
we talk about maybe negotiation strategies and things like this but it always starts from a point

199
00:24:27,760 --> 00:24:33,520
where you position yourself before the negotiation even even begins and and as I said like the

200
00:24:33,520 --> 00:24:39,760
differences here in your positioning can have much greater impact than you you know negotiating

201
00:24:39,760 --> 00:24:46,960
10 percent more than than someone else with worse negotiation skills can get exactly so you have to

202
00:24:46,960 --> 00:24:53,760
know where you stand what is your skill level and what are your expectations what are your real

203
00:24:53,760 --> 00:24:58,640
expectations and also what are the expectations that could be

204
00:25:01,360 --> 00:25:08,800
seem or deemed as reasonable by the other party so you could say that you're worth hundred dollars

205
00:25:08,800 --> 00:25:15,040
an hour for example for a pen tester but the majority of the companies approaching you think

206
00:25:15,120 --> 00:25:22,720
that you're only worth 40 an hour so you have to actually understand whether or not they are right

207
00:25:22,720 --> 00:25:30,080
or you are right or where or whether or not the truth is somewhere in the middle so very contextual

208
00:25:30,720 --> 00:25:36,720
yeah yeah so let's assume we already have a client for a pen test uh can you talk me

209
00:25:36,720 --> 00:25:41,920
through the whole process from the initial contact to the to what happens after the pen test

210
00:25:42,560 --> 00:25:52,320
yeah so of course you have the scope the client tells you exactly what they want most of them know

211
00:25:52,880 --> 00:26:00,480
because you're not actually talking to um or in my experience i'm not actually talking to the owner

212
00:26:00,480 --> 00:26:05,360
of the business unless the owner approaches me it's a small company or the owner approaches

213
00:26:05,360 --> 00:26:11,360
me on linkedin and wants me to look into their stuff but for the majority of pen testers

214
00:26:12,560 --> 00:26:19,120
you're actually interacting with another person and not another cyber security people person from

215
00:26:19,120 --> 00:26:26,400
their company or maybe a technical manager or maybe a developer or someone who actually has

216
00:26:26,400 --> 00:26:33,120
an idea of what they want they give you the scope they tell you we want to test this app strictly

217
00:26:34,400 --> 00:26:39,040
and you you want to make sure that you specifically understand the scope

218
00:26:40,000 --> 00:26:46,880
so that you're always on the target afterwards once you establish the scope of course there's

219
00:26:46,880 --> 00:26:53,920
contract there's the contract there's all the paperwork that needs to be done which in most

220
00:26:53,920 --> 00:27:03,680
cases i don't deal with uh with all the papers my collaborators do my collaborators and the client

221
00:27:04,320 --> 00:27:10,800
okay but there are there are a significant number of situations when i have to deal with everything

222
00:27:10,800 --> 00:27:18,000
especially when clients actually approach me so this regarding the paperwork once you have the

223
00:27:18,000 --> 00:27:23,840
scope you're actually the scope and the duration of the pen test of course you have established

224
00:27:23,840 --> 00:27:32,080
the pricing for the pen test you usually i mean this is very this is very customizable

225
00:27:33,760 --> 00:27:42,640
there are many situations with when companies say we only have this budget for pen testing

226
00:27:43,520 --> 00:27:53,440
what can we do with it and you having experience from other pen tests knowing how much your time

227
00:27:53,440 --> 00:28:00,160
is worth you can say well look we could do this for that amount of money so it often goes like

228
00:28:00,160 --> 00:28:05,760
that because not all the companies have unlimited budgets for cyber security even though that even

229
00:28:05,760 --> 00:28:16,560
though i feel that it's still an overlooked area and we can see leaks data breaches happening every

230
00:28:16,560 --> 00:28:22,560
day we can see ransomware every day going rampant so people companies businesses are not paying

231
00:28:22,560 --> 00:28:29,440
enough attention to to cyber security but to get back to the main point you establish the price

232
00:28:29,440 --> 00:28:37,040
the scope the duration you test you write a report you deliver it to the client you actually

233
00:28:37,760 --> 00:28:47,040
it often involves ongoing back and forth clarifications oftentimes check their fixes

234
00:28:47,840 --> 00:28:55,920
and of course if you have a business oriented perspective you want to over deliver

235
00:28:56,720 --> 00:29:03,040
and under promise so that the client comes back to you at a later time

236
00:29:04,960 --> 00:29:11,920
okay and how to make the process before when the pentest is already when you're already talking

237
00:29:11,920 --> 00:29:17,440
with a client how to make this process smooth of like giving credentials creating the environment

238
00:29:17,440 --> 00:29:22,960
because from my experience back back when i worked it was always a problem with credentials

239
00:29:22,960 --> 00:29:29,760
and everything and it caused delays and it was always very difficult yeah exactly

240
00:29:29,760 --> 00:29:38,880
so that's uh that's still a problem um whenever we get new clients um

241
00:29:40,640 --> 00:29:46,960
that's one of our first requirements is this i mean are we talking about an application with

242
00:29:46,960 --> 00:29:55,600
multiple roles with accounts with can we uh get the accounts ourselves uh can we self-register

243
00:29:55,600 --> 00:30:02,480
do we need to pay to actually test everything thoroughly you need to provide us with the

244
00:30:02,480 --> 00:30:08,800
premium plan with an account on the premium plan on the enterprise plan you you have to provide us

245
00:30:08,800 --> 00:30:17,280
with multiple roles give us everything that we need to test that's probably one of the first

246
00:30:17,280 --> 00:30:24,480
requirements that we have for everyone so accounts working accounts a lot of times

247
00:30:25,120 --> 00:30:31,120
not maybe not a lot of times but oftentimes we are provided with accounts that are not working

248
00:30:31,120 --> 00:30:38,320
or not have been set up properly so there's a little bit of back and forth in the beginning

249
00:30:38,400 --> 00:30:47,920
when it comes to testing roles and permissions but that's one of the first things that that you

250
00:30:47,920 --> 00:30:57,040
have to to establish do you use some templates some checklists for this part of the process

251
00:30:59,200 --> 00:31:01,200
well actually yes so um

252
00:31:01,200 --> 00:31:11,760
um first off is the Web Security Testing Guide by OWASP the checklist i actually i recently

253
00:31:12,720 --> 00:31:22,320
um made a version of it made what i think it's an optimized version of it and i posted it on github

254
00:31:22,320 --> 00:31:31,920
is a checklist it's a checklist with about 130 items on it it's as its name says web security

255
00:31:31,920 --> 00:31:40,080
testing guide it's actually quite comprehensive OWASP are very quite on point with uh their their

256
00:31:40,080 --> 00:31:47,280
stuff with the api security with the web security uh these are go-to so for someone who's starting

257
00:31:47,280 --> 00:31:53,200
in pentesting and doesn't have any colleagues to actually guide them how it all works um

258
00:31:54,160 --> 00:31:59,040
these are starting points these are documents that you want to have with you at all times for

259
00:31:59,040 --> 00:32:07,920
all the pentests that are specific to web apps and api stuff um but of course throughout the years i

260
00:32:07,920 --> 00:32:14,720
have my own i've developed alongside these i have my own methodology where i actually

261
00:32:15,280 --> 00:32:22,560
usually know where to look for and what types of vulnerabilities are most encountered

262
00:32:24,080 --> 00:32:33,920
and are of quite high impact okay and so we have OWASP testing guide that's definitely

263
00:32:33,920 --> 00:32:40,000
something to recommend for people do you also use other checklists or other documents by OWASP

264
00:32:40,480 --> 00:32:50,080
no so it's just the web security testing guide i don't actually they might have methodologies for

265
00:32:50,080 --> 00:32:56,320
i don't know maybe infrastructure testing they also have the mobile application the MSTG the

266
00:32:56,320 --> 00:33:03,760
mobile security testing guide i do know of it i i actually referenced it or reference i'm

267
00:33:03,760 --> 00:33:15,360
referencing it a lot uh when i test mobile apps but uh it's not as a first-hand reference document

268
00:33:15,360 --> 00:33:24,080
as WSTG for example and the one involving api security and of course there are also there's the

269
00:33:24,080 --> 00:33:31,280
the the cheat sheet series by OWASP which is really really good all in one website these are very good

270
00:33:31,440 --> 00:33:40,800
uh go-to um references of course there's also the HackTricks book which is really good

271
00:33:42,000 --> 00:33:47,840
so as as a as someone who's working in in pentesting as a pentester

272
00:33:48,720 --> 00:33:56,880
um these are some of the documents that i use myself okay okay these are great people

273
00:33:56,880 --> 00:34:02,400
save these because these are really really good resources for me also when i'm testing uh some

274
00:34:02,400 --> 00:34:08,480
vulnerability one of the first resources that i go to is is HackTricks to to see copy the basic

275
00:34:08,480 --> 00:34:14,800
payload see other references and stuff like this so it's really really really good and and really

276
00:34:14,800 --> 00:34:21,040
big as well like the amount of of information that's there on different uh different topics

277
00:34:21,040 --> 00:34:25,520
because it's not only web vulnerabilities i think there's now also cloud there are different ports

278
00:34:25,520 --> 00:34:33,520
described is really really extensive it's all in one place yeah yeah okay so what are the most

279
00:34:33,520 --> 00:34:44,320
common findings that you encounter during pentests okay so um probably the most encountered are low

280
00:34:44,400 --> 00:34:46,080
hanging fruits such as

281
00:34:49,040 --> 00:34:51,680
user enumeration um

282
00:34:55,520 --> 00:34:56,640
issues with cookies

283
00:34:58,800 --> 00:35:07,200
um session tokens not being invalidated overexposure of information these are the low

284
00:35:07,200 --> 00:35:14,080
hanging fruits like server headers and all that stuff these are i mean you could put these in a

285
00:35:14,080 --> 00:35:22,320
pentest in a report but you nobody's going to accept this as a finding in a bug bounty program

286
00:35:23,120 --> 00:35:30,240
these are all out of scope unless you somehow show impact that they they could negatively affect

287
00:35:30,240 --> 00:35:39,680
the asset or the company or the business so but these are actually relatively valid findings

288
00:35:39,680 --> 00:35:45,120
on pentests but of course these are the most common findings you don't want to focus

289
00:35:45,120 --> 00:35:51,440
on these because you want to deliver good work so most of the the findings most of the impact

290
00:35:51,440 --> 00:35:58,880
findings that i have have to do with broken access control authorization authentication issues um

291
00:35:59,840 --> 00:36:10,560
authentication bypass other bypasses these that impact people that actually have an impact on the

292
00:36:10,560 --> 00:36:20,560
underlying infrastructure there's also i see a lot of um ssrf there's there's a lot of i see a lot of

293
00:36:20,640 --> 00:36:30,320
ssrf in my findings i also see there's still xss i don't actually at in bug bounty hunting i don't

294
00:36:30,320 --> 00:36:41,520
look for xss but in pentesting i find xss and i also find xss even in apps that actually use

295
00:36:41,520 --> 00:36:51,840
frameworks so it's hard to explain i cannot even explain to myself why i why this was there for

296
00:36:51,840 --> 00:37:00,880
example so xss is still present i don't like it but it's still there um injection other injection

297
00:37:00,880 --> 00:37:08,640
issues a lot of stuff that has to do with business logic business logic is um where you actually have

298
00:37:08,640 --> 00:37:16,240
to understand what the application is meant to do and how can you make it do something that is not

299
00:37:16,240 --> 00:37:24,800
been meant to do with an impact with a security impact this is probably one of the types of

300
00:37:24,800 --> 00:37:32,960
vulnerabilities that's gonna be long there even in the age of ai because it's you cannot find it

301
00:37:32,960 --> 00:37:38,720
with scanners you cannot find it with automation you have to think through the entire process

302
00:37:38,720 --> 00:37:46,720
for example the authentication flow something might be disrupted there um and if you actually

303
00:37:46,720 --> 00:37:52,640
look at it closely try to understand it you you you'll probably find something that's

304
00:37:52,640 --> 00:38:01,920
not working as intended also rate um rate limiting stuff these are these could be high or low impact

305
00:38:01,920 --> 00:38:09,360
i've seen instances where bypassing rate limits has had high impact for example when

306
00:38:09,360 --> 00:38:16,560
there's a multi-factor authentication you get a code and that code is brute forcible that's high

307
00:38:16,560 --> 00:38:25,200
impact issue because if you're able to brute force uh the mfa for any account it's account takeover

308
00:38:26,160 --> 00:38:32,800
so it's it's still the wild west there yeah it's something that as a

309
00:38:33,840 --> 00:38:39,920
an inexperienced pentester i thought about the rate limiting bug as a lame vulnerability class

310
00:38:40,560 --> 00:38:45,200
but but yeah in the context of otp it's basically an account takeover so we also

311
00:38:45,200 --> 00:38:52,240
have seen bounties of i don't know 20 or maybe even 50 000 for for those and i'm not surprised

312
00:38:52,480 --> 00:38:56,640
and i also definitely agree with the thing you said about the business logic bugs

313
00:38:56,640 --> 00:39:02,800
like many vulnerability classes will probably be fixed with time with better scanners because i

314
00:39:02,800 --> 00:39:08,240
don't know sql injection is very easy to fix by look just spots by looking at the code and then

315
00:39:08,240 --> 00:39:17,200
by fix even automatically uh but xss i think has many contexts and that's probably the reason why

316
00:39:17,200 --> 00:39:24,160
it's still so prevalent but still the number of contexts is limited and scanners do get better

317
00:39:24,160 --> 00:39:30,800
over time but i think authorization bugs IDORs business logic bugs they do require the context

318
00:39:31,520 --> 00:39:37,040
and it's very difficult to for a scanner to understand this context so i think these are

319
00:39:37,040 --> 00:39:44,000
vulnerabilities that that if people learn they will just uh be more and more impactful over time

320
00:39:44,320 --> 00:39:48,320
as the general number of vulnerabilities i hope will will go down

321
00:39:51,440 --> 00:39:59,760
yeah i mean but we still we also still hope that we will have some work to do in the future as well

322
00:39:59,760 --> 00:40:08,480
so if the number goes down we have to find other ways that we can position ourselves

323
00:40:09,120 --> 00:40:17,920
valid as valued assets in the entire ecosystem of the business for example i don't think that

324
00:40:17,920 --> 00:40:25,040
over the long term um all cyber security issues are going to be fixed by ai or by something else

325
00:40:25,680 --> 00:40:32,000
because there's also there's always the human component where things go wrong we can see this

326
00:40:32,000 --> 00:40:38,000
with all the breaches that occur on an ongoing basis where credentials are leaked

327
00:40:39,520 --> 00:40:43,600
high impact credentials are leaked for example from a developer or from

328
00:40:43,600 --> 00:40:49,440
from someone even in the context of for example github having all sorts of

329
00:40:50,400 --> 00:40:56,960
checks and implementations on their platform when when people deploy code there are still

330
00:40:56,960 --> 00:41:04,320
leaks occurring and i think this is going to be quite hard to prevent unless we put everything in

331
00:41:05,520 --> 00:41:09,360
in the hands of ai which i don't think that's actually doable in the near

332
00:41:09,360 --> 00:41:11,760
at least in the near future yeah probably not

333
00:41:14,320 --> 00:41:18,320
speaking of uh do you use ai during your your hacking

334
00:41:19,200 --> 00:41:25,200
yeah so i used it a lot i actually use it quite extensively when it comes to

335
00:41:25,760 --> 00:41:33,840
minute stuff such as scripting prepping one-liners uh i used to before ChatGPT-4

336
00:41:34,400 --> 00:41:44,160
because i don't think ChatGPT 3.5 is decent i don't think it is decent but ChatGPT-4 is quite

337
00:41:44,960 --> 00:41:51,680
good and it actually understands what you want even if you cannot express it yeah exactly what

338
00:41:51,680 --> 00:41:57,920
you want you put in some you put in something there half a request and it actually understands

339
00:41:57,920 --> 00:42:04,160
what you want or at least that's what my version of ChatGPT-4 with my system prompt

340
00:42:04,800 --> 00:42:11,520
uh is actually doing for me so i use it a lot when it comes to scripting one-liners bash stuff

341
00:42:12,160 --> 00:42:20,560
um it's saving me tremendous amount of time because it actually took maybe one two three

342
00:42:20,560 --> 00:42:25,440
hours for example in the past when i had to do something custom and i would actually have to

343
00:42:25,440 --> 00:42:32,400
look into stack overflow see what other people did adapted to my own personal situation and uh

344
00:42:32,560 --> 00:42:41,920
so now it's it's a matter of 30 seconds to two minutes maybe at most until i get the answer

345
00:42:42,560 --> 00:42:48,800
yeah yeah it definitely saves a lot of time how about regular tools uh normally in when

346
00:42:48,800 --> 00:42:53,440
when we're talking about bug bounties i don't even ask about automatic scanners because i don't

347
00:42:53,440 --> 00:42:59,840
believe that that they are worth uh even if they can find something i it's probably a duplicate

348
00:42:59,840 --> 00:43:04,000
but in context of of pentesting uh do you use any scanners

349
00:43:05,840 --> 00:43:13,280
scanners no i don't use scanners nothing no so uh i mean the go-to i used to be the bug i used to

350
00:43:13,280 --> 00:43:21,120
be the recon guy back in when i started looking into bug bounties but i'm actually doing maybe

351
00:43:21,920 --> 00:43:28,400
for example specifically for bug bounties maybe i do 10 percent of my scanning is recon

352
00:43:28,400 --> 00:43:34,240
and only with the purpose of increasing the attack surface this should be i just had this

353
00:43:34,240 --> 00:43:40,480
thought a few days ago the whole purpose of recon and i have a recon course that it's free on

354
00:43:40,480 --> 00:43:46,400
youtube now uh the whole purpose of recon should be to increase the attack surface and not actually

355
00:43:46,400 --> 00:43:54,880
to find bugs there might be people who actually keep finding bugs with recon but the majority of

356
00:43:54,880 --> 00:44:00,960
them are not so the whole purpose of recon i think it should be to increase the attack surface

357
00:44:00,960 --> 00:44:09,600
now when it comes to pentesting uh i mean the tool that i use the most is burp suite so

358
00:44:10,400 --> 00:44:17,040
for example web stuff web apps that's burp suite that's uh

359
00:44:17,520 --> 00:44:26,400
probably paid it's burp suite probably paid or my findings with burp suite probably paid

360
00:44:26,400 --> 00:44:32,560
its investment it's pro version multiple times over so it's probably is one of the

361
00:44:32,560 --> 00:44:37,760
best investments ever so it's all burp suite yeah what are your favorite burp extensions

362
00:44:37,760 --> 00:44:53,360
Autorize what else own fox what's that it's a colorizer for sessions for example if you're

363
00:44:53,360 --> 00:44:58,560
using firefox with multiple containers each container has its own color in burp history

364
00:44:58,560 --> 00:45:04,320
and it's actually it's very useful when you're testing for different roles and permissions

365
00:45:04,320 --> 00:45:10,720
so Autorize in combination with own fox and uh multi containers in firefox

366
00:45:11,360 --> 00:45:15,920
this is this is a very good combination i i tested other um

367
00:45:18,480 --> 00:45:26,320
extensions but i usually spend my time in the repeater and analyzing uh

368
00:45:26,320 --> 00:45:36,640
the stuff with these three with this uh this environment of the three the three extensions or

369
00:45:36,640 --> 00:45:45,120
the two extensions that that i told you about i looked into miner plugins for example JS Miner

370
00:45:45,120 --> 00:45:53,040
that actually grab endpoints but but i rather actually spend my time um looking into the code

371
00:45:53,040 --> 00:46:00,640
myself instead of having a parser go through the JS file because if i'm looking into the code

372
00:46:00,640 --> 00:46:07,040
myself i can actually understand stuff i can actually maybe understand the logic behind a

373
00:46:07,040 --> 00:46:12,560
function and it's that's something that no extension or tool is going to unless you plug the

374
00:46:12,560 --> 00:46:22,080
entire uh the entire code into chat gpt or some ai uh but i don't think it still can it can still

375
00:46:22,080 --> 00:46:26,960
keep the entire context and give you good findings for example an ai tool that's that's

376
00:46:26,960 --> 00:46:33,680
why i choose to do it manually going back to the extensions i think that there's also the GraphQL

377
00:46:34,480 --> 00:46:40,720
um there's a GraphQL extension you can remember from the top maybe right there

378
00:46:42,000 --> 00:46:50,480
it i think so which adds uh adds a tab to to all the requests where you can actually

379
00:46:51,440 --> 00:46:52,240
better edit

380
00:46:54,320 --> 00:46:58,480
uh better edit the GraphQL request for example

381
00:47:01,280 --> 00:47:12,240
yeah these are this is the cream so to speak of uh extensions yeah yeah okay and you also told

382
00:47:12,240 --> 00:47:18,160
me before that you do some mobile hacking mobile hacking or mobile pentesting what's your setup

383
00:47:18,160 --> 00:47:24,800
for this yeah well the setup is a bit more complex so you have to have a

384
00:47:27,120 --> 00:47:35,440
i do so in the in in the bug bounty program that i'm working on that i've been working on in 2023

385
00:47:35,440 --> 00:47:41,200
they also have an app a mobile app and luckily i can test it on my own device

386
00:47:42,160 --> 00:47:48,240
uh because it doesn't have um it's made for testing it it doesn't have ssl pinning

387
00:47:49,120 --> 00:47:59,040
and i can test it on my non uh rooted phone okay but it usually involves having an emulator for

388
00:47:59,040 --> 00:48:07,040
example i also have an iphone for testing uh iphone apps i've tested iphone apps uh in the past

389
00:48:07,120 --> 00:48:15,040
um so the testing usually involves an emulator for example like it used to be Genymotion but

390
00:48:15,040 --> 00:48:24,000
i think it's very heavy in terms of and non-convenient for example right now it's nox

391
00:48:24,640 --> 00:48:32,800
so nox it's um it's really good really easy to set up nox you have to have installed adb

392
00:48:33,680 --> 00:48:46,560
um to be able to bridge between uh your laptop there's of course there's frida

393
00:48:48,240 --> 00:48:53,680
so the setup is comprised of nox frida

394
00:48:53,680 --> 00:48:59,680
your laptop of course and burp suite this is for dynamic testing

395
00:49:01,840 --> 00:49:05,520
so when you're testing actually the communication

396
00:49:07,040 --> 00:49:13,280
of the app with the api because it usually involves the communication with an api

397
00:49:14,320 --> 00:49:20,080
of course there's also uh looking into the code itself decompiling the app for this

398
00:49:20,080 --> 00:49:27,680
for example you can use apk studio which is a gui graphical user interface tool that you can

399
00:49:28,880 --> 00:49:34,800
decompile the app try to get the sources and look into the code itself sometimes the the

400
00:49:34,800 --> 00:49:43,120
app is obfuscated and it's not as straightforward but it usually works um so then you have that

401
00:49:43,120 --> 00:49:52,880
component you also have to look into the device security itself so how is the um how is the

402
00:49:52,880 --> 00:50:00,560
information or the data stored on the device itself where is it stored is it stored in plain

403
00:50:00,560 --> 00:50:08,720
text you usually look into the data folder the name of the app you look into the shared preferences

404
00:50:09,520 --> 00:50:15,760
inside the shared preferences there's also leak stuff there's also the cache folder in in the

405
00:50:15,760 --> 00:50:22,880
app folder there is also the database folder the files folder that has to do with uh

406
00:50:24,080 --> 00:50:31,360
uh if you look into mstg mobile security testing guide it's gonna give you more insights on um

407
00:50:31,680 --> 00:50:40,320
um on the device itself or the data that's on the device um the security of that of course there's

408
00:50:40,320 --> 00:50:48,480
also quirks like if you are able so let's say a company wouldn't accept your submission because

409
00:50:50,400 --> 00:50:53,040
they don't accept rooted devices

410
00:50:53,440 --> 00:51:02,400
uh as part of the scope so they say that if you're able to extract solid information from the app or

411
00:51:02,400 --> 00:51:07,840
from the user or from the phone without having the phone to be without having a rooted phone

412
00:51:07,840 --> 00:51:14,320
then your submission is valid but there's also the situation when the where the manifest file

413
00:51:14,320 --> 00:51:21,200
allows backups so if you're able to um if you're dealing with a non-rooted device

414
00:51:21,760 --> 00:51:27,600
and you're able to backup the app move the backup onto another device

415
00:51:29,760 --> 00:51:35,600
the backup usually is going to include the data folder which is only accessible by root

416
00:51:36,880 --> 00:51:44,160
so when you're actually extracting the backup from a non-rooted device you're getting the

417
00:51:44,160 --> 00:51:50,480
information that's only available to the root so if there's sensitive information in there

418
00:51:51,200 --> 00:52:00,560
um that's a valid impactful finding and there are a lot of situations where the manifest

419
00:52:01,520 --> 00:52:09,120
allows where you can see the manifest that allow backup is set to true and that's a security issue

420
00:52:10,160 --> 00:52:18,080
okay for the context of bug bounty what how can bug hunters use mobile apps to to get bounties

421
00:52:18,080 --> 00:52:25,040
is it mostly listening to the web traffic using the mobile app and maybe the app uses some apis

422
00:52:25,040 --> 00:52:32,160
that the web application doesn't use or is there also a lot of like mobile attack surface that

423
00:52:32,160 --> 00:52:42,640
that is severe enough for a bounty finding okay so yeah there is um there is mobile attack surface

424
00:52:42,640 --> 00:52:49,200
that's not readily available readily available to most testers because that attack surface often

425
00:52:49,200 --> 00:52:58,160
involves coding your own uh exploit app for example to exploit intents to exploit components

426
00:52:58,160 --> 00:53:08,320
of the android system that would actually um compromise the application um ecosystem itself

427
00:53:08,320 --> 00:53:14,000
so if you're able to actually trigger something in the app from another app due to

428
00:53:18,080 --> 00:53:24,960
not well configured permissions due to bad intent uh that's something that's not readily

429
00:53:24,960 --> 00:53:30,720
available readily available to most pentesters but or most bug bounty hunters for example

430
00:53:31,680 --> 00:53:40,160
but yes of course listening to the traffic looking at the communication that's probably

431
00:53:40,160 --> 00:53:45,520
in the context of bug bounties that's probably where a lot of the findings are going to be even

432
00:53:45,520 --> 00:53:54,800
if it's a little bit um not easy to set up once you have set it up it actually it's quite convenient

433
00:53:54,800 --> 00:54:00,000
to look into the communication of course stuff that's on the device itself or stuff that

434
00:54:00,720 --> 00:54:05,200
most people can do with the click of a button like for example decompiling the app and looking

435
00:54:05,200 --> 00:54:15,280
for strings that's probably not gonna um you won't have good findings in programs and solid programs

436
00:54:15,280 --> 00:54:21,840
because most of them know that they shouldn't share their secret keys their api keys their

437
00:54:21,840 --> 00:54:28,000
credentials inside the apps most of them have already been found most of that stuff has already

438
00:54:28,000 --> 00:54:36,400
been found by pen testers usually companies with bug bounty programs with solid established bug

439
00:54:36,400 --> 00:54:48,320
bounty programs um have harder to find static related vulnerabilities when it comes to mobile

440
00:54:48,320 --> 00:54:55,360
apps so communication api the communication the traffic analyzing that is probably one of the best

441
00:54:55,360 --> 00:55:04,000
ways to go okay okay and uh in the context of of regular web website hacking web hacking web

442
00:55:04,000 --> 00:55:10,880
security uh how is your hacking style different when pentesting versus doing bug bounty

443
00:55:13,040 --> 00:55:20,080
well in pentesting it's much easier because in pentesting you often have the exclusivity

444
00:55:20,880 --> 00:55:30,240
um most often than not you have the exclusivity you have the first eyes first privy eyes first

445
00:55:30,240 --> 00:55:38,800
security oriented glasses on on the infrastructure itself so um you often find permissions where

446
00:55:39,600 --> 00:55:42,320
a normal user can do admin stuff

447
00:55:42,720 --> 00:55:53,520
and this is a common find in the pentests but in in bug bounties you have to you often have to look

448
00:55:53,520 --> 00:56:04,560
deeper especially if you're if you're hunting on programs um that a lot of hunters are all already

449
00:56:05,920 --> 00:56:09,360
hunting on as well like for example public programs or

450
00:56:09,920 --> 00:56:16,640
i think right now it's most mostly about uh private programs everybody everybody is invited

451
00:56:16,640 --> 00:56:23,680
to private programs but still in private programs uh from my experience i know that companies

452
00:56:24,320 --> 00:56:30,480
uh have already done their due diligence in their public programs because most of

453
00:56:31,680 --> 00:56:37,520
not most but a large portion of private programs they also have a public program

454
00:56:38,400 --> 00:56:45,440
the public program is often used as a funnel to get people into the um into the into the

455
00:56:45,440 --> 00:56:54,480
private programs as well um so not only that but also the fact that those companies have also had

456
00:56:54,480 --> 00:57:01,600
multiple rounds of pentests on their assets so it's not going to be as easy you have to have a

457
00:57:01,600 --> 00:57:06,320
you have to have a little bit different approach often involving going deeper

458
00:57:06,320 --> 00:57:15,280
going deeper into the functions going deeper into the uh features going deeper into permissions

459
00:57:16,800 --> 00:57:24,320
that's where the bread and butter is and of course looking into the business logic i think business

460
00:57:24,320 --> 00:57:36,400
logic is is um probably one of the best ways that you would go when you're competing with others

461
00:57:37,600 --> 00:57:43,600
okay that's a that's a good tip i like to think about pentesting versus bug bounty as

462
00:57:44,400 --> 00:57:49,840
short distance and long distance running like from the from the outside like both

463
00:57:50,560 --> 00:57:56,880
pentesters and bug bounty hunters hack web applications both marathon runners and

464
00:57:56,880 --> 00:58:02,480
sprinters run but in reality there are a lot of difference in in both of these activities

465
00:58:03,520 --> 00:58:08,400
and probably a person with better endurance will be better off in in long distance running

466
00:58:08,400 --> 00:58:15,120
a stronger taller person will be better for sprint and my question is what feature people

467
00:58:15,120 --> 00:58:20,560
with what features will feel better doing pentesting and people with what features will be

468
00:58:21,840 --> 00:58:23,920
better off in doing bug bounty hunting

469
00:58:28,160 --> 00:58:31,040
i'm not sure if i understand completely so

470
00:58:33,280 --> 00:58:40,480
you're actually asking what are the features that are actually most certain to get a to get you

471
00:58:40,480 --> 00:58:47,840
into a vulnerability so okay i will give you an example when bug bounty you don't have a boss

472
00:58:47,840 --> 00:58:53,920
so naturally people that are more more self-organized and can organize the type

473
00:58:53,920 --> 00:59:00,080
themselves they will do better in bug bounty a person that needs a boss will do better in

474
00:59:00,080 --> 00:59:08,960
pentesting that's that's one of the obvious things that so specifically for um specifically

475
00:59:08,960 --> 00:59:19,280
for features or specifically for for what exactly um because of course let's say that

476
00:59:19,280 --> 00:59:29,200
in pentest you have you also have as you said you can view this as a sprinter or a marathoner

477
00:59:29,760 --> 00:59:35,600
for example you often act as a sprinter in pentesting because you have a timeline

478
00:59:36,400 --> 00:59:44,000
and it's best if you can deliver something impactful in that timeline because even though

479
00:59:44,000 --> 00:59:53,200
some customers might actually be um on it just for the paperwork just for their uh compliance

480
00:59:53,200 --> 00:59:57,920
testing and they don't actually care about their findings there are a lot of companies that don't

481
00:59:57,920 --> 01:00:03,200
care about this their their pentesting findings you have to deliver something if you want that

482
01:00:03,600 --> 01:00:09,680
customer or that client to come back to you so it's it's it's a matter of time there now when

483
01:00:09,680 --> 01:00:17,120
it comes to of course when it comes to bug bounties um you have the luxury of doing

484
01:00:18,320 --> 01:00:23,280
doing it for how long you want but then there's also the component of losing motivation

485
01:00:24,160 --> 01:00:27,680
which is often the case so uh

486
01:00:30,080 --> 01:00:34,800
in the context of bug bounties you probably have to

487
01:00:36,800 --> 01:00:46,960
think try to think a little bit differently than everybody else because as bad as it sounds

488
01:00:47,920 --> 01:00:54,160
there's a tendency there's a group think not only in cyber security in pentesting in bug bounty

489
01:00:54,160 --> 01:00:59,360
hunting but in most of the fields there's this concept of group think group think everybody

490
01:00:59,360 --> 01:01:07,600
using the same tools the same tactics the same one-liners so in bug bounties you have to if you

491
01:01:07,680 --> 01:01:11,760
go slightly differently chances are that

492
01:01:15,040 --> 01:01:20,720
you're going to find something yeah yeah that's a good one i'm not sure if this answers your

493
01:01:20,720 --> 01:01:32,320
question yeah okay we'll be we'll be uh we're closing into to the end of our interview so

494
01:01:32,320 --> 01:01:36,400
but let's talk before we end about some non-technical stuff because i saw on twitter

495
01:01:36,400 --> 01:01:46,000
you have an amazingly impressive streak of 1100 days on Duolingo how on earth do you keep this up

496
01:01:46,000 --> 01:01:58,480
for so long um well it's simple i mean it's on my to-do list for every day so that's that's one of

497
01:01:58,480 --> 01:02:04,000
the things that's one of the streaks that i have to take care of every day and there are days when

498
01:02:04,000 --> 01:02:11,040
i just do the streak do the the work that counts for the streak and there are other days when i

499
01:02:11,040 --> 01:02:19,360
have more time and spend more time on the platform um it's i think it all boils down to consistency

500
01:02:20,400 --> 01:02:26,160
consistency you can ensure consistency by having

501
01:02:26,400 --> 01:02:34,560
checks for example in this case a simple checklist maintains the consistency

502
01:02:35,600 --> 01:02:44,240
a very simple to-do list today i must do Duolingo brilliant TryHackMe web security academy

503
01:02:44,240 --> 01:02:50,160
for whatever amount of time through time doing this for two or three weeks or one month

504
01:02:50,160 --> 01:03:00,560
i can understand how long does it take me to actually do these in a in any given day and then

505
01:03:00,560 --> 01:03:06,560
adapt accordingly whether or not i want to focus more on one than to another so it's just

506
01:03:07,520 --> 01:03:14,320
simple checklist it's a matter of checklist to maintain consistency and of course as you see

507
01:03:14,320 --> 01:03:20,480
results through time you're going to be more motivated to to maintain that consistency or

508
01:03:20,480 --> 01:03:28,400
streak in this case and now it would be really painful to break this streak well sometimes the

509
01:03:28,400 --> 01:03:36,000
the apps are actually make it easier for you to lose a day for example if i lose a day on Duolingo

510
01:03:36,000 --> 01:03:42,000
i'm not actually gonna lose everything because they have streak freeze so you can lose your

511
01:03:42,000 --> 01:03:49,760
streak for two or three or four and in my case right now for five days in a row and they're

512
01:03:49,760 --> 01:03:57,360
actually going to maintain my streak due to my five-day streak freeze but there are situations

513
01:03:57,360 --> 01:04:04,800
where that's not the case like for example when it comes to the kindle with reading yeah if you

514
01:04:04,800 --> 01:04:12,320
lose your your streak it's hard to actually get it back it's possible but it's hard i think that

515
01:04:12,320 --> 01:04:19,920
TryHackMe also has a lets you lose your streak for one day or something okay okay this one i

516
01:04:19,920 --> 01:04:25,440
didn't know do you always do these habits at a particular time of the day or do you group them

517
01:04:25,440 --> 01:04:36,000
together or how does it look like uh yeah so if i look back in the recent past i i can see that

518
01:04:36,560 --> 01:04:45,360
i i usually do them in the first part of the day so up until noon i actually do TryHackMe

519
01:04:46,320 --> 01:04:56,640
then i also do upon waking i think i do Duolingo and brilliant and the reading in the second part

520
01:04:56,640 --> 01:05:02,880
of the day first off i'm doing the reading i have to read a couple of pages on kindle just to get

521
01:05:03,040 --> 01:05:16,320
streak and the streak uh is um is better if you if i read on kindle at 9 a.m chances are that

522
01:05:16,320 --> 01:05:25,920
they're not going to count that day for me because i think their timer is their base time is in san

523
01:05:25,920 --> 01:05:34,960
Francisco or in LA where my 9 a.m is the previous day there so i have to make sure that i read later

524
01:05:34,960 --> 01:05:40,880
in the day so that i have the streak that's interesting and this is actually i've seen this

525
01:05:40,880 --> 01:05:47,040
through trials and errors for example through losing my streak okay what happens when you have

526
01:05:47,040 --> 01:05:52,000
a really bad day like i don't know a hangover you're really tired you don't feel like doing

527
01:05:52,000 --> 01:06:03,360
anything how do you keep those habits then um well first off luckily thank god i didn't have

528
01:06:04,160 --> 01:06:09,200
a bad day in a long time i didn't have a hangover

529
01:06:11,520 --> 01:06:19,040
i don't know how many years it's been okay i do drink alcohol like very infrequently

530
01:06:19,040 --> 01:06:26,160
extremely infrequently have a glass or two of wine but when i have a bad day for example due to

531
01:06:26,160 --> 01:06:36,400
other reasons it's not taking me long to do my work for the day in an hour i can do all the

532
01:06:36,400 --> 01:06:47,120
necessaries that i have to do in the day and whatever else is after that it's optional so i

533
01:06:47,120 --> 01:06:58,240
can just take in the bad day as it is or try to fight it and actually try to win over it because

534
01:06:58,240 --> 01:07:08,240
it often happens that you have a bad day starting but with efficient struggle you can get over it

535
01:07:08,240 --> 01:07:18,320
and win win the day by the end of the day this this can happen as well okay okay that's great

536
01:07:18,320 --> 01:07:22,720
and my final question is what are you looking forward to achieve in 2024

537
01:07:25,120 --> 01:07:34,960
2024 depends i mean i actually depends on what area of life because it's not all about

538
01:07:35,120 --> 01:07:46,000
i try to pursue objectives in all areas of my life when it comes to career when it comes to

539
01:07:46,000 --> 01:07:52,240
relationships when it comes to health when it comes to emotional well-being for example

540
01:07:52,880 --> 01:08:01,440
so if we're strictly speaking about career wise expertise wise cyber security oriented

541
01:08:02,400 --> 01:08:08,160
i want to at least achieve the performance of this year which has been

542
01:08:11,200 --> 01:08:18,720
it's going to be hard to beat so it's going to be hard to what my personal performance this

543
01:08:18,720 --> 01:08:28,320
year is going to be hard to beat so hopefully i can if i get to 70% of it

544
01:08:28,560 --> 01:08:35,680
i'm going to say okay it was a good year but my goal is to go over it so i'm shooting for

545
01:08:35,680 --> 01:08:42,880
going over my performance in terms of in terms of first off the quality and the number of pen tests

546
01:08:42,880 --> 01:08:52,240
the number of clients that i have so my focus is going to be specifically on numbers here and

547
01:08:52,320 --> 01:09:00,160
specifically on numbers here and numbers plus the quality and this also has to do with my level of

548
01:09:00,160 --> 01:09:07,360
expertise and i'm actually going to try to get better into some areas that i see that i'm most

549
01:09:07,360 --> 01:09:14,400
interested in such as authorization authentication broken access controls these are my favorites but

550
01:09:14,400 --> 01:09:20,720
when when you're dealing with the pen test you have to include everything that has so you're

551
01:09:20,720 --> 01:09:27,760
testing but through a methodology i cannot just deliver authorization issues to a pen test

552
01:09:27,760 --> 01:09:34,480
because that that's against the methodology i'm testing against OWASP Top 10 usually if you're

553
01:09:34,480 --> 01:09:40,400
dealing with mobile with uh with banking applications with fintech stuff you're also

554
01:09:40,400 --> 01:09:48,240
using other methodologies but um where actually i don't want to diverge too much from the main

555
01:09:48,240 --> 01:09:57,440
subject so i want to get better in terms of my expertise so that i can maybe get more clients

556
01:09:58,720 --> 01:10:05,360
and do as many pen tests this is strictly speaking for pentest when it comes to bug bounty hunting

557
01:10:06,320 --> 01:10:13,440
i think i i'm taking this i want to keep focusing on the same program

558
01:10:14,400 --> 01:10:22,160
and actually try to become specialized in um

559
01:10:24,400 --> 01:10:30,880
in the area that that company actually operates so okay i don't want to be

560
01:10:32,240 --> 01:10:37,760
um i know what i don't want to be i don't want to be shooting for the leaderboards

561
01:10:38,080 --> 01:10:43,600
i don't want to be in the top 10 i want to actually become very good at one thing

562
01:10:45,520 --> 01:10:50,560
specifically in this case for that program and if i get interest in other programs but

563
01:10:50,560 --> 01:11:00,000
but i i saw that if i focus on one program alone i can find vulnerabilities that their team of

564
01:11:00,000 --> 01:11:08,640
dozens of security engineers didn't find in the years their assets are on so that that's a very

565
01:11:08,640 --> 01:11:14,960
strong point for me that that's a very strong motivator for me if i can find stuff that their

566
01:11:14,960 --> 01:11:22,400
teams of security engineers didn't find i'm all in for that yeah yeah that's a good one that's a

567
01:11:22,400 --> 01:11:27,920
very good one and also if you're aiming for 70% of what you achieved this year it means you had a

568
01:11:27,920 --> 01:11:33,280
really really good year so congratulations on that and thank you so much for for joining me in

569
01:11:33,280 --> 01:11:38,800
today's chat uh if viewers are interested in following you for more stuff where do they go

570
01:11:40,320 --> 01:11:50,560
on Twitter you are on Twitter Christy Vlad 25 Christy Vlad 25 okay that's perfect we will also

571
01:11:50,560 --> 01:11:57,440
link this down in the description and once again thank you so much for joining me today thank you

572
01:11:57,440 --> 01:12:05,360
Brian thank you for listening to this episode if you're hungry for more i recommend you this one

573
01:12:05,360 --> 01:12:12,560
with shops about source code review which is helpful both for pentesting and for bug bounty


