Gerben Janssen van Doorn, a 21-year old ethical hacker from The Netherlands, is one of our Detectify Crowdsource hackers. He smiles when asked about his first bug report, “a possible XSS”, reported to Yahoo about 4 years ago, but a lot has happened since then. He has quickly become one of the most skilled security researchers in the community, currently on HackerOne’s Top 10 List, and a very appreciated member of our Crowdsource network. In this interview, he shares his best advice on getting started with ethical hacking, favorite sources for security, and method when looking for vulnerabilities.
Tell us a little about yourself; how and when did you start hacking?
I am Gerben Janssen van Doorn, 21-years-old and besides hacking, I am doing a masters in organisational design and development. When I was around 15 years old, I used to play around with PhotoShop quite often which led to a part-time job where I did the marketing and web stuff for a small retail company. Here one of my tasks was to replace ads to make sure they wouldn’t expire. I got so bored of this task I ended up learning PHP to automate the task for me. Out of curiosity, I read more and more about web vulnerabilities, and started to secure my own script. When I eventually found HackerOne and noticed I could make money doing what I loved, I stuck with it.
Tell us about the first bug you reported.
Haha, the first bug I reported was a “possible XSS Vulnerability” to Yahoo on the 9th of March 2014. I didn’t provide any PoC, but my report mentioned certain characters being unescaped between script tags. Two days later (11 March), I was able to exploit the vulnerability using a new line and reported this separately. It is interesting going back to my old reports and realizing how much you learn using the feedback of HackerOne and the programs. I can remember googling the difference between XSS and CSRF at the time and not being able to understand it ;).
What methods do you use when you look for new vulnerabilities?
Today, after close to four years of hunting, I’m still amazed by some of the findings the bug hunting community shares. While I do know all of the “standard” OWASP vulnerabilities and related issues, the websites you are testing are rarely standard. You often need to do some creative thinking to get to the high severity bugs. Examples here could be vulnerability chains or nice recon techniques. Thus, to keep up with the other hunters you need to keep reading and try to find security problems in creative ways.
While a lot of security research in the bug bounty community is focused on subdomains nowadays, I like to focus on the main domain. In my experience, it is true that subdomains are often more vulnerable, however they often do not have the same impact as vulnerabilities of the main domain have. Thus, I focus to dive deep into the domains that are critical to the program/client, which I do by analyzing their JavaScript files using LinkFinder or by using specific Google, Github, StackOverflow or DuckDuckGo searches. When testing specific endpoints I often let the context decide how I am going to start. When seeing ID=3, I’ll test for SQLi, XSS and IDORS for example, but if I see url=http://www.example.com/ I’ll focus more on SSRF or RFI.
What are your experiences with bug bounty programs?
Almost solely positive. If I don’t like a program because I feel the process is unfair in any way, I just move on. Bug bounties are a buyers market and my opinion is that it is easiest to navigate through it by focusing on your own performance and the programs you like, instead of wasting time on programs you don’t like.
What motivates you in your bug bounty hunting?
The way I see it is that I got interested and keep being interested in bug bounties because I really like breaking software. The money allows me to spend a significant amount of time on it.
Do you have any role models in the bug bounty community?
My role models in the bug bounty community are those who are either very skilled or those who share a lot of information (or both of course). I feel like naming names is going to exclude some awesome people but many whom I met during H1-3120 are on that list.
What unites the white hat hacker community according to you?
It is hard to put your finger on it, but above all I think the bug bounty industry is so young that many people who are very involved believe in the concept itself and want to push it further together. You need a tightly knit community for that. Secondly, harder bugs are rarely trivial and thus often require advice from other hackers, which is why many people work together.
You’re currently ranked #10 on HackerOne – is your next goal to be #1?
No, it is not. First of all the HackerOne leaderboard is great, especially with the additions of signal and impact, however reputation in itself doesn’t mean too much. Furthermore, I’ll be done with my studies this June and haven’t decided yet whether I’ll be doing full time bug hunting or whether I’ll be working for an organisation.
What is your favorite source for the latest security research?
For me that would be blogs from skilled bug bounty hunters. These blogs are often very practical and allow you to get an insight in the methodology or thinking process of these guys. For example the recent Detectify writeup of the ACME TLS-SNI-01 vulnerability by Frans Rosen was insane.
What advice do you have for anyone who wants to pursue ethical hacking – how do you get started?
I often advise people to really understand XSS first for multiple reasons. First of all, XSS teaches you the basics of the importance of user input sanitation while showing both the input and the output of the payload. Other more complex bugs like RCE, SQLi and SSRF basically rely on the same principle but are often lacking output and thus exploited blind. Secondly, XSS is by far the most common bug in web applications which makes it relatively easy to find and thus easy to improve on.
What makes Crowdsource different from other bug bounty programs from your perspective?
Crowdsource allows the company to tap into knowledge of many security researchers, while the bug hunters get access to a large network of companies that are potentially vulnerable to the bug they submitted. In this sense the main value comes from its facilitated network. Secondly, Crowdsource is unique in the sense that it allows you to submit vulnerabilities in almost any widely used software application. Sometimes normal bug bounty programs exclude third-party software vulnerabilities.
What would be the perfect submission to Crowdsource according to you?
Unauthenticated remote code execution in a widely used software application. Besides the type of bug a good submission should include enough information to reproduce but not too much so that the task becomes time consuming for the review staff.
Find out more about Gerben:
Twitter: @gerben_javado
Website: https://gerbenjavado.com/
Are you interested in joining Gerben and other security researchers on Detectify Crowdsource? Drop us an email: hello [at] detectify.com and we’ll tell you more, or check out this blog post where we have explained what we look for in a Detectify Crowdsource hacker.