Meet the hacker europa, a white hat hacker on the Detectify Crowdsource platform. He is based in Italy with a great passion for infosec and relatively new to the bug bounty scene, but seasoned in infosec. We asked him about the kind of bugs he likes to find, why he joined Crowdsource and how persistence helped him turn a duplicate finding into a bug with 8 different bypasses.
Tell us a little about yourself; how and when did you start hacking?
I’m Alessandro, also known as europa, and I’m an infosec aficionado from Italy. I took my first steps in infosec at the age of 12, back in 1997, via IRC channels #hackita and #hack.it on IRCnet, and never really stopped since. I coded exploits back when you could remote root almost anything by sneezing in its general direction, moved to reverse code engineering to derive WPA PSK keys for some Italian internet service providers, then onto more reverse engineering in video games and malware in order to code anti-cheat tools. I dabbled in CTFs for fun, and moved onto bug bounties because realized I could essentially do real-life CTFs and get paid for it. That’s a good 21 years of passion!
You started bug bounties hunting not that long ago. What have you learned since you started?
True, I started back in September 2017, if my spreadsheet doesn’t lie. I’ve documented my bug bounty process on Medium and every time someone mentions that Medium post I think to myself, I should really update that however there’s just too much knowledge to put into words that I’ve pick up along the way! Back when I wrote my first post, I had a fairly decent understanding of the reconnaissance process thanks to the work of Nahamsec, and Jhaddix, but I still hadn’t found my own flow yet. Some of the things may still apply but are superseded by either more efficient processes, built anew, or moved around. For instance: building or customizing wordlists for domain recursion against a particular scope using hosts found previously; curating wordlists of previously found bugs and their URIs; moving the FDNS parsing from my local machine to Amazon Athena; building a powerful regex to parse content against sensitive data during the recon phase, and the list goes on.
“… its “fire & forget” approach ensures that companies can reap the benefit of continuous testing against systematic issues…” – europa on what makes Crowdsource interesting.
What kind of bug do you enjoy finding the most?
I’m a simple man, I like escalating innocuous reflected cross-site scripting issues to account takeovers, data leaks, sensitive API calls abusing lenient CORS policies, and so on. I also enjoy finding some god-forgotten asset somewhere deep in the scope, building the perfect wordlist using entries from Github, and Google against that particular framework, finding all those nice endpoints, and spend the night filing reports: SQL injections, XXE, SSRF, XSS. I definitely have so much to improve still!
Based on all the bugs you have found, what advice do you have for website owners about better web security?
Run a bug bounty program, and If it’s sensitive, keep it offline. Also don’t commit your keys to the repo. Don’t trust user input. The web was a mistake.
In April 2018, you combined eight different bypass techniques in a report to Rockstar Games. How do you motivate yourself to keep going as you can never be sure the last step is going to work?
Back when I first started, one of my earliest reports was to Rockstar Games, surely guided by the impressive $1,000 reward for a stored cross-site scripting findings on their SocialClub. After a few days of work I was able to find one using a pretty simple bypass: a tabulation character between the angle bracket, and the HTML tag. I was over the moon, but that ended pretty quickly when a few hours later the report was marked as duplicate. Albeit calmly (I was slightly livid), I requested feedback about the outcome—I wanted to make sure I was being treated fairly. The analyst was impeccable: they didn’t have to reply, I wasn’t entitled to an answer, but they did and they were fair, explicative, and understanding. That moment largely changed in my approach to this field: respect is always due on both sides, and I always trust my gut when I get the feeling that “something is there”. You just know when there’s something to find—that weird response, that WAF tripping and removing some characters, that JSP endpoint you found in a minified javascript. Sometimes you get the feeling that it’s just a matter of not giving up—case in point that report, depicting 5 or 6 different stored XSS on the Rockstar Games SocialClub, with progressively harder bypasses.
Finally, as a Crowdsource hacker, what makes Detectify Crowdsource interesting as a platform?
Sometimes I happen to stumble upon a finding displaying a footprint wider than just the current asset, something more systematic that might apply to other targets as well, targets I can’t test on because they’re not part of the platforms I hunt on. That’s where Detectify Crowdsource comes into play: its “fire & forget” approach ensures that companies can reap the benefit of continuous testing against systematic issues, whose real-world impact has been vetted by skilled security researchers like @_zulln and @almroot. As a hacker I’m a big fan of automation, and automation that periodically rewards you for your past research without lifting the same finger twice is amazing. Plus, all the published research on the Labs blog is a goldmine!
Find out more about europa:
Twitter: @eur0pa_
Medium blog: https://medium.com/@europa_
Are you interested in joining europa and other security researchers on Detectify Crowdsource? Email the Crowdsource team at crowdsource@detectify.com or learn more on the blog.