How I started in web security

Egor Homakov
Dec 1, 2015

I get this question way too often. My answer isn’t going to be helpful for anyone: it was a black swan, but here is my story anyway.

I was an 18-year-old dude who had just moved to St Petersburg to work full-time as a software engineer. I arrived from Saransk, a small Russian town where I had spent my entire (really, really dull) life. I used to be a PHP programmer working for $3/hour and had only been using Ruby for a little while.

When I started playing with the new codebase I noticed there was no attr_accessible in the model. I asked the team lead, and he didn’t seem to know what that thing was for. Then I asked a couple of other Rubyists, and most of them were also not aware of attribute whitelisting. It felt like a wrong default, so I opened an issue in the rails/rails repo on GitHub (https://github.com/rails/rails/issues/5228).

Rails Core didn’t pay much attention to my annoying, poorly expressed arguments, and I totally understand them. But the past “me” didn’t, and the past “me” started poking around the nearest Rails website to prove them wrong: github.com

After showing my colleagues some mass assignment tricks, like issue[created_at]=3012, I went home.

Before going to bed I realized I could also try to assign foreign keys, which might lead to bypassing some access-control checks. Public keys! Creating a new public key… Downloading the rails/rails repo… Trying to figure out what rails’ user_id is… Oh, api.github.com comes in handy, it’s 4223… Editing my public key and setting public_key[user_id]=4223… Creating a `hacked` file… git commit & git push…

Omg, it worked: https://github.com/rails/rails/commit/b83965785db1eec019edf1fc272b1aa393e6dc57
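The trick above is mass assignment through a foreign key: the controller finds a record the attacker legitimately owns, then hands the whole form hash to update_attributes, and the user_id in that hash rewrites the owner. The following is an added example, not code from the post or from Rails or GitHub. It uses a small hand-written stand-in for an ActiveRecord model (no Rails dependency) so it runs offline: a plain PublicKey that accepts any attribute, a whitelisted SafePublicKey that models what attr_accessible does, and a hypothetical update_public_key controller action. The user ids (100 for the attacker, 4223 for the victim, as in the post) and the form contents are constructed.

```ruby
require 'set'

# Constructed stand-in for an ActiveRecord model (not Rails code): the record
# is a plain hash and update_attributes mass-assigns whatever it receives.
class Model
  attr_reader :attributes

  def initialize(attrs = {})
    @attributes = attrs.transform_keys(&:to_s)
  end

  def [](name)
    @attributes[name.to_s]
  end

  # Vulnerable mass assignment: every key in params, including user_id,
  # is written straight onto the record.
  def update_attributes(params)
    params.each { |k, v| @attributes[k.to_s] = v }
    self
  end
end

# Whitelisted variant modelling attr_accessible: only the listed attributes
# may be set from params; anything else (user_id, created_at, ...) is dropped.
class WhitelistedModel < Model
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s).to_set
  end

  def self.accessible
    @accessible || Set.new
  end

  def update_attributes(params)
    allowed = params.select { |k, _| self.class.accessible.include?(k.to_s) }
    super(allowed)
  end
end

class PublicKey < Model; end

class SafePublicKey < WhitelistedModel
  attr_accessible :title, :key
end

# Hypothetical "edit my public key" action. The ownership check is correct,
# but the update passes the entire form hash to the model, which is exactly
# where a foreign key from the client slips in.
def update_public_key(record, current_user_id, params)
  raise 'not your key' unless record['user_id'] == current_user_id
  record.update_attributes(params)
end

# Constructed request: the attacker (user 100) edits their own key and adds a
# user_id field pointing at the victim account (4223 in the post).
ATTACKER_ID = 100
VICTIM_ID   = 4223
FORM = { 'title' => 'laptop', 'key' => 'ssh-rsa AAAA...', 'user_id' => VICTIM_ID }

# Runs the same request against both models and reports who owns the key
# afterwards; the whitelisted record keeps its owner but still takes the title.
def demo
  vuln = PublicKey.new('id' => 1, 'user_id' => ATTACKER_ID, 'title' => 'old')
  safe = SafePublicKey.new('id' => 1, 'user_id' => ATTACKER_ID, 'title' => 'old')
  update_public_key(vuln, ATTACKER_ID, FORM)
  update_public_key(safe, ATTACKER_ID, FORM)
  {
    vulnerable_owner: vuln['user_id'],   # 4223: the attacker's key now belongs to the victim
    whitelisted_owner: safe['user_id'],  # 100: user_id was filtered out
    whitelisted_title: safe['title']     # 'laptop': permitted fields still update
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Once the key row belongs to user 4223, GitHub treats it as one of that user's keys, so a push authenticated with the attacker's private key is accepted as that user, which is what the commit linked above shows. In real Rails the fix at the time was attr_accessible on the model (or config.active_record.whitelist_attributes = true), and Rails 4 replaced it with strong parameters, where the controller calls something like params.require(:public_key).permit(:title, :key) before the update.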

I was sitting there, in my tiny $200/mo room, looking at the Internet exploding, at all the job offers in my inbox from top companies. Back then I didn’t realize my dick move hurt the company powering the entire open-source community. Sorry.

The success was both random, like winning a lottery, and (somewhat) deserved, as I had been an IT bookworm since 14 with no social life. The attention temporarily pumped my self-esteem to the moon, and I started doing more “hacking”, even though I didn’t know what “XSS” or “CSRF” was before that day.

I became passionate about finding “combinations of keystrokes” that can lead to the compromise of somebody’s business. I got, well, really good at it, and founded Sakurity, where, along with the best minds I can find, “We Find Bugs Others Cannot” in startups and mature businesses.

So how can you start in security? Security of %thing% is basically finding logical flaws in implementations of %thing%. Hence, to find flaws, you first need to learn everything about the %thing% you want to exploit.

Learn PHP, Ruby or Python to hack backends; learn the HTML5 standards, cross-frame/cross-site interactions and browser internals to hack the client side; learn maths and cryptography to hack crypto implementations; etc. It is that simple. Web security is easier to start in, because it is quite flawed by default, and finding flaws in a web app is rather routine these days.

Oh, also avoid certifications, and be careful about anything you find in books/blogs/OWASP. Use your own brain. After all, any book is just a list of thoughts of another guy, who might be wrong.

The text above is a preface to a little security book I am writing for newbie hackers and web developers. Backend-focused, down to earth, tons of real-world examples. You’ll get all that awesomeness in February. Follow @homakov for announcements.

Written by Egor Homakov, developing Fairlayer.