On duplicates and persistence

The all too familiar bug hunter’s desktop

A couple weeks ago I jokingly asked Brute on Twitter to settle whether the proper terminology to define a permanent XSS was “stored” or “persistent”. His reply was lighthearted and technically correct:

While amusing and in line with what you would expect from his sincere approach at first, it got me thinking later on.

I’ve never thought I was good enough to do well in bug-bounty programs: I’ve always preferred doing CTFs for fun rather than cash (and, ironically enough, I thought I wasn’t good enough for CTFs either, until I broke top 20 on RingZer0 before sliding to the 30th place in the last year of hiatus), yet I decided to give bounty hunting a try for fun, once summer was over.
Yesterday — December 1st, 2017 at the time of writing — marked my one-hundredth day of hunting bugs on Bugcrowd and HackerOne, my first submitted report being on August 23rd. A disarming experience at times, let me tell you; yet enthusing and rewarding in every aspect—obviously sprinkled with wontfix-es, informative-s, and the occasional dreaded duplicate, but never once straight-on unjust.

When I first started I took this new challenge as a game with a potential reward, which was extremely welcome but neither granted nor to be expected; thus, armed with Burp, a Debian VM and a terminal I ventured yonder and obviously submitted a few low-quality reports.
Let me get this straight—I used to code exploits between 1999 and 2003, and I’m a reverse engineer by day; hunting vulnerabilities, especially in web-app contexts, has never been my go-to activity. Sure, I knew the basics, the do-s and don’t-s, and how to avoid leaving gaping holes the size of a hallway in my code, but I knew zero, nada, nihil, about how dangerous Cross-Site Scripting really was, target reconnaissance, or why an IDOR might be so valuable… Almost 33, and, once again, a newbie—just like 21 years ago on IRCNet.
What drove me back then was the hunger for knowledge, the will to sacrifice my own time and energy to pursue something so fascinating and complex—I wanted to know more, and that I did. I’ve never really stopped doing that, mind you—it’s not something you can just turn off—but diving head-first into the bug-hunting challenge essentially kicked this instinct into fifth gear.
Don’t get me wrong—I still know so little. I read your (yes, yours) disclosed reports, posts and insights daily and I still wonder «how the hell did they do that? How do you even think about that?!». Accepting that there’s still so much to learn, understanding that this thing you love has still got so much to give is something I’ve never quite found anywhere else.

When I got my first duplicate I was livid: I had found something so peculiar, so weird that nobody should have found that also, it was against any sensible logic! Only I could possibly have found something like that! So many hours spent for nothing! So much excitement for nothing!
Obviously, the first thing I thought was that something “was up”: that bug bounty programs were flawed and were screwing researchers (me) over—my understanding and patient friends remember the talk we had the day of the first duplicate. My bad mood persisted until I had the chance to talk to the person responsible. Of course I was well-behaved in my complaint, yet I firmly demanded for an explanation—which nobody was obliged to give me—stating how our (my) time was precious and our (my) efforts were sincere, therefore it was very important to ensure the correctness of the final decision.
That person was extremely helpful and available to me, giving me answers to questions it wasn’t even my right to ask; eagerly providing me with proof of their decision, establishing with facts that they were playing by the rules and nothing “was up”. I’m very grateful for that. Since then, I completely changed my approach to bug hunting—I’m doing this to become a better pentester, to learn something new every day, to be taken by surprise by the unthinkable and unforeseeable that this scene has to offer.

And here “torniamo a bomba” (Italian for “we’re back at the beginning”): persistence. Getting better at something comes with time, failures and perseverance: 100 days, 60 reports; 375 reputation points gained on HackerOne and 116 on Bugcrowd, with 7 more open reports still to process; 13% reward rate for the first month, then 25%, then 57%. Then the invites for private programs started coming in. It’s getting better every day, and I’m learning so many new things I can never repay that.

One day I’ll dive into more details on some techniques and insights I’ve learned throughout this journey, when I feel I’m ready to actually say something worthwhile and decent. For the time being, though, if you’re reading this and you’re still on day 1: every unsuccessful report counts, every failure and every duplicate counts. Sure, you weren’t the quickest, but that still means you have learned something new, maybe something you had never even heard of before. Maybe something that might leave someone wondering—«how the hell did he do that…»