Pentester, security consultant, and trainer by day and bug hunter by night, @edduu is an all around security expert.
Edduu started hacking at the age of 13 with genuine curiosity and a love for challenges and solving puzzles. At the time, money wasn’t a factor, but as a competitive and curious person, he was interested in how things worked. As he continued to learn more techniques and explore more vulnerabilities, he entered the world of bug bounties. Living in Argentina, these bounty earnings and opportunities go a long way. In this Q&A, he shares the benefits of hacking in Latin America, as well as his in-depth techniques and methodology to maximize bounties and submit even more robust reports.
How did you come up with your HackerOne username?
Well, my first name is Edu but it was already taken on all sites, so duplicating a few letters was a quick fix. Spend more time hacking rather than thinking of nicknames.
How did you discover hacking?
I think it was back in 2003. When I was 13, I started "breaking" all kinds of stuff, and that year everyone was playing console games on desktop computers through emulators. Instead of playing, I was curious about what was inside the ROM files so I started reading about editing those ROM files in hex editors. I ended up learning a lot of fun stuff, even a little bit of assembler.
Then I skipped to desktop games, I learned about memory hacking and made "hacks" or cheats for several games. This assembly language was easier than the console ones, so I even started learning reverse engineering with Ollydbg and doing some Crackmes. After breaking them I started learning to code a bit (I think was Visual Basic 6 or Delphi, at age of 15 or 16 I guess).
Then websites caught my attention. I remember a blog post about a PHP-Nuke/PhpBB SQLI exploit. I was amazed how copy-pasting a URL then the hash of the administrator will show up from the database, in that time I didn't even know what a database was. Also LFI/RFI issues. Then I started learning web coding later (PHP and MySQL).
All of that while I was between 14-18. It’s not that I saw a movie and I wanted to be a hacker. It was very fun for me to try to figure out how things work at a very young age, without having any monetary reward but just because I enjoyed it.
What motivates you to hack and why do you hack for good through bug bounties?
It motivates me that a hobby that I had when I was very young, "breaking" stuff like sites, mobile apps, or desktop apps, is now a solid source of income in my yearly balance. Another motivation is the challenge. I am a competitive guy so I worked hard to win my first HackerOne powered event here in Argentina when I got invited back in December 2019.
Also, I always thought that finding something on the big boys like Apple, Facebook, PayPal, etc. would be almost impossible for me, but within the first 6 months on the HackerOne platform, I found a few 5 figures bounties from some of them :).
The last thing but definitely worth mentioning is that you will learn a lot of nice stuff every week. That keeps me updated about the latest technologies and trends and not get bored.
As a hacker in Latin America, what are the benefits of hacking through bug bounties?
Here in Argentina, we are under strong currency devaluation. That's bad for the locals, but not that bad for bug hunters. You can get a junior IT salary from a critical in a single bug from most programs.
Second, my city is one of the cheapest in the region, a nice apartment can be rented for $150.00 USD monthly for example. You can eat for $2 almost everywhere. That allows Latin American hunters to save almost all of their money from bugs.
Lastly, is the time zone. We have only 1-2 hours of difference with New York so they can work with us. It is great for communication and iis pretty similar to talking with someone from the West coast to the East Coast.
What makes a program an exciting target?
The team, the scope, and the bounty table. I usually focus on programs with criticals of $3,000 and above. Generally, I find most of my bugs in the core of the apps. I also focus on features so the more features it has, the better, I love sites connecting to third party services to try SSRFs, or OAuth issues, importing files, printing uploaded files, that kind of stuff that leads to possible SSRFs.
What keeps you engaged in a program?
The response of the team, if it has a good team that doesn't "fight" to beat down the severity of all my reports each time that I send a new one I submit to them. Sometimes I even accidentally find issues a little out of scope and if the team tells me to send it anyways and that they will pay for it, that is the kind of program that keeps me engaged.
What makes you lose interest in a program?
I can accept a severity change but when the program is very slow at fixing bugs, I lose my interest. If they take a bug 6 months to get fixed, I get the impression that they aren't taking me seriously.
Do you recommend hacking on multiple programs or focusing only on one and why?
I have my methodology!
If its a huge paying program, like Facebook or PayPal, you can focus on 2 of them at a time, and learn about them, it could take up to 3 months until you will figure out how things works, but once the first bug start showing up, the trip just started, it will worth every day spent, bounties will start coming soon and every time with bigger amounts.
If you are maybe burned out from focusing too much on those 2 programs, and you think that you are stuck. I like to take a little run and I scan multiple core sites on the ones that are paying lower for easy vulnerabilities to have that mental energy back.
Do you focus on only one vulnerability attack scenario or do you focus on multiple types of vulnerabilities when you hack on an asset?
I look for all kinds of vulnerabilities, file uploaders, stored XSS, reflected XSS, dom XSS, open redirects, SSRFS, open redirects, CRLF, self XSS through cookies, or some stored, a CSP bypass, etc. Sometimes, those issues are not threats alone, because they are very low severity issues and end up in N/A's.
But in my experience, I can tell you that my biggest bounty on HackerOne is a chain of a CRLF->Cookie Injection->WAF Bypass with double encode->Self Cookie XSS->CSP bypass through angularJS->Abuse of SOP to steal credentials at login on one of those big boys.
It is like creating a puzzle to demonstrate the maximum possible impact. to get the maximum of the bounty and taking the chain and those small issues seriously.
Sometimes it takes a month to join those pieces, and sometimes some of them are reusable.
For example, if you took already 8 hours to find the first XSS on the site and if on the same domain are stored sensitive information (e.g. credit cards, PII or logins) and you can abuse the same site policy to steal credentials to get the high bounty, sometimes the gap between a mid XSS vs a high XSS is three times larger and it only takes one more hour of work to give a better proof of concept.
The same applies to open redirects - save them for Oauth issues or SSRFs, and don't send them for $100 because you may be able to price it together for a bigger bounty!
What are the top three websites, blog posts, accounts, articles, or other resources you follow to learn new vulnerability trends?
Twitter, not any particular profile. Also, the Telegram Channel of "The Bug Bounty Hunter”, post links of interesting write ups everyday if you don't have time to filter all the noise and memes on twitter.
How do you see the bug bounty space evolving over the next 5 years?
I think crowdsourcing is the future, transforming all industries, and it's now happening in hacking. For example, if you looked at a graph of Yellow Taxis vs Uber/Lyfts, there are already more Ubers and I think we will reach a point where more than 50% of the money invested in securing companies out there will be in the bounty platforms I think.
How important do you think collaboration is in bug bounties and what do you recommend hackers and platforms do about this?
I think live hacking events and collaborations are important. It's a bit solitaire and stressful job so sharing and interacting with other people is good for wealth, and you will learn something for sure. I’ve made some good friends at my first on-site live hacking event.
What educational hacking resources would you recommend to others?
I think the web application hackers handbook 1 and 2 are great for starters. I also recommend doing as many labs as possible including Burp Suite and Pentesterlab.
What advice would you give to the next generation of hackers?
It's getting more competitive faster, but there are slowly more programs out there, you will have to dig a bit deeper but keep learning and try harder!.
What do you like to do in your free time?
I like spending time with my family, and cars, adrenaline is a good hobby to beat down that stress of not finding a bug or getting a streak of duplicates. Also traveling! I would like to travel more often but when this covid thing slowed down a bit my plans.
Any last-minute thoughts you want to share?
Thanks for changing the lives of many independent security researchers :)