Note that during these interviews I also moderate, so the quality may vary.
Profile 🐝
- cofounder HackerOne
- 29 years old
- started hacking at 11 years old
HackerOne 🐝
- Genesis when 13 years old
- Visual Basic book
- Website got defaced -> learned about hacking and started hacking
- Started company after graduating, worked for Dutch government and companies etc.
Workflow 🐝
- deep dive
- read docs
- ask questions
- always be learning
- take a lot of notes
- what’s interesting -> defenses that are in place
- read up on the company -> what is the impact of a bug besides the technical one
- look for one bug type at a time (a lot of work)
- helps you go deeper on each iteration
- better coverage
- use knowledge for continuous integration
Tips 🐝
- Never stop learning
- Be eager to understand what you’re looking at
- Focus on learning to keep you motivated
- Focus on one target -> leverage information to find more
- Use what you know
- GitLab uses similar stack as HackerOne
- Pay for features once you feel confident in bug hunting
- Mention it in the bug report for clarity and perhaps reimbursement or a bonus
- Attack surface not always in new additions but in deleted ones
- IDOR
- Don’t use existing IDs; authorization is already in place
- Beginners
- Hack your own code
- sunny day vs rainy day
- write test with random input for example
- Try all the things that you expect to go wrong
- Try to break it
- Think outside of the box
- Structure it for yourself and focus on learning
- Hack your own code
- Security is thinking about defensive programming – anticipate tampering and how you handle these cases.
- book atomic habits
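As an added illustration of the "hack your own code" and IDOR advice above (not code from the interview): a toy document lookup with an ownership check, a sunny-day test, a rainy-day test where a user supplies someone else's ID, and a random-input test. The store, IDs and user names are constructed for the example.

```python
import random
import string

# Constructed sample store: two users, each owning one document.
STORE = {
    "doc-1001": {"owner": "alice", "body": "alice's notes"},
    "doc-1002": {"owner": "bob", "body": "bob's notes"},
}

class Forbidden(Exception):
    """Raised when the caller may not read the requested document."""

def get_document(doc_id, caller):
    """Return the document only if `caller` owns it."""
    # The ID is client-supplied and untrusted, so ownership is checked on every
    # access; unknown and foreign IDs raise the same error (no existence leak).
    if not isinstance(doc_id, str) or not isinstance(caller, str):
        raise Forbidden("invalid request")
    doc = STORE.get(doc_id)
    if doc is None or doc["owner"] != caller:
        raise Forbidden("not found")
    return doc

def sunny_day():
    """Expected path: the owner reads their own document."""
    return get_document("doc-1001", "alice")["body"] == "alice's notes"

def rainy_day():
    """Tampered path: a user supplies someone else's ID and must be refused."""
    try:
        get_document("doc-1002", "alice")
    except Forbidden:
        return True
    return False

def random_input_test(trials=500, seed=1):
    """Fuzz: random IDs and callers must never hand back a foreign document."""
    rng = random.Random(seed)
    for _ in range(trials):
        junk = "".join(rng.choices(string.ascii_letters + string.digits, k=8))
        doc_id = rng.choice(list(STORE) + [junk, None, 42])
        caller = rng.choice(["alice", "bob", junk])
        try:
            doc = get_document(doc_id, caller)
        except Forbidden:
            continue
        if doc["owner"] != caller:
            return False
    return True
```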
Tools 🐝
- Burp
School 🐝
- Learned how technology works
- Spent 10 weeks on the IP stack
- Learned more about software dev and architecture
- Made him a better hacker
Certificates 🐝
- Not needed
- Forces you to learn a particular thing
- HackerOne profile > certificate
Links 🐝
- Interview