Pakistani hacker @hazimaslam’s first exposure to web security was in 2013 when his friend’s Yahoo! account was hacked. That experience inspired him to learn about XSS attacks. Fast forward to today and more than 250 vulnerability reports later, @hazimaslam is a pro who still chases that beginner thrill and spirit of adventure with every bug. In his free time, Hazim likes to work out and play Battle Royale while being an avid photographer and coffee lover.
How did you discover hacking?
I remember it was a morning in 2013. I went to my university where one of my friends told me that their Yahoo! email account got hacked. At that time, I had no prior knowledge of web security or hacking but this incident ignited the curiosity to learn about hacking. Soon enough, I started looking into various tools and online resources and found out about Cross-Site Scripting (XSS). It started with inputting basic XSS payloads into every input field I found and when I got my first alert pop-up, it felt very exciting! Then I made it my habit to spend entire nights looking for XSS vulnerabilities and to find at least one bug every night and then reporting them. It was pretty amazing to see myself learn a new technique, trick or payload every single day. That was the time when I did not know about bug bounties or HackerOne so I kept finding bugs and submitting them directly to these programs via their listed security emails.
What motivates you to hack and why do you hack for good through bug bounties?
Well, to be honest, money is the most important motivator for me! It feels awesome to be doing something you love and enjoy while earning at the same time. The other things that motivates me is the thrill and adventurous nature of hacking. You find a potential bug, then you start to explore it further and then you keep going down a rabbit hole until you have successfully exploited this bug. That is when it all pays off. The sense of accomplishment you get after spending hours or sometimes even days on exploiting a single bug is simply remarkable.
I would say learning new stuff is another major motivator for me. It feels exciting and powerful to be able to have more knowledge than you had the previous day. This feeling makes me keep learning and trying new techniques to level up my hacking skills every single day.
What makes a program an exciting target?
Private programs with large enough scope and competitive bounty payouts are my go-to.
What keeps you engaged in a program and what makes you disengage?
I always value the responsiveness of a program the most. If their triage and payout time is short, I keep working on them. If there are long waiting times, I normally stop working on such programs.
How many programs do you focus on at once? Why?
I focus on just one program at a time and try to find as many bugs as I can in that. The reason I do it this way is that it takes quite some time to properly familiarise yourself with a web application and to truly understand how it works. This knowledge is invaluable. If this phase is done properly, the chances of finding high quality bugs increase dramatically. I always prefer to focus on quality of my submissions over quantity, hence this reconnaissance phase is even more crucial for me.
How do you keep up to date on the latest vulnerability trends?
My twitter feed, blog posts by other hackers and Portswigger Research Papers. I also like to go through newly disclosed bugs on HackerOne Hacktivity everyday.
Do you have a mentor or someone in the community who has inspired you? Don't be shy, give a shout out!
I don't have a mentor but I lookup to James Kettle, Arne Swinnen, Frans Rosén, NahamSec and Pieter Hiele.
I do, however, reach out to Usama Masood whenever I need help with reverse-engineering or if I'm stuck with some complex programming related issues. The guy's an absolute genius when it comes to programming and source code review!
What advice would you give to the next generation of hackers?
Focus on the fundamentals and trust the learning process. While your efforts may seem futile at first, know that it's just a matter of time when you'll be tweeting about your first bounty.
What do you enjoy doing when you aren't hacking?
Fitness is my other passion! Working out every single day and taking care of my physical fitness is something I am addicted to. Other than that, I also enjoy playing Battle Royale games from time to time.