James ‘@albinowax’ Kettle is well-known in the hacking community for his creativity and expertise, despite only taking up hacking after becoming bored of playing Counter-Strike in college. Currently, he is the Director of Research at PortSwigger Web Security and an avid researcher himself. He’s been featured on numerous blogs, podcasts, interviews and conferences for inventing novel techniques to hack websites and automating the hunt for unknown vulnerability classes. On HackerOne, he’s found quite a few highly-rated vulnerabilities, including the most upvoted XSS on Hacktivity, for a bug on PayPal. He also wrote three of the ten most popular Burp Suite extensions — ActiveScan++, HTTP Request Smuggler, and Backslash Powered Scanner. When he’s not behind the screen researching attack techniques or automation, you can find him gaming and endurance cycling across the U.K. Check out his website for more on his recent work projects and read below to hear how he continues to raise the bar.
What motivates you to hack and why do you hack for good through bug bounties?
I love the creative side of hacking — it's just great fun. I especially love inventing new hacking techniques, and I use bug bounties to find out if my ideas really work. Most don't :).
What makes a program an exciting target?
A massive scope and a high max bounty.
What keeps you engaged in a program and what makes you disengage?
When the program is happy with bug disclosure, and sharing the code/config behind bugs that make no sense.
How many programs do you focus on at once? Why?
I target every program that doesn't ban automated testing simultaneously.
How do you prioritize which vulnerability types to go after based on the program?
I just go after whatever I'm researching at the time.
How do you keep up to date on the latest vulnerability trends?
Twitter, mostly. I have a huge keyword blacklist to filter out political junk, etc.
What do you wish every company knew before starting a bug bounty program?
Banning automated testing might mean you get an unpleasant surprise when I release a new hacking tool and it pwns your site out of the box. Just ban off-the-shelf tools, and require a rate limit.
How do you see the bug bounty space evolving over the next 5-10 years?
I think bug bounty automation and collaboration will continue to build.
How do you see the future of collaboration on hacking platforms evolving?
So much duplicated effort goes into recon tasks like subdomain discovery. I think sharing of this data would be great for security. But maybe that's because I'm just too lazy to do good recon myself :).
Do you have a mentor or someone in the community who has inspired you?
I always looked up to @lcamtuf - Turbo Intruder was inspired by his tool Skipfish and it's no coincidence https://skeletonscribe.net/ bears a striking resemblance to https://lcamtuf.coredump.cx/.
What educational hacking resources do you wish existed that don't exist today?
PortSwigger's Web Security Academy still needs to cover some more topics, but I'm working on fixing that!
What advice would you give to the next generation of hackers?
Understanding the target is absolutely crucial to finding good bugs.