She was barely sixteen when she first came across bounty hunting. Now a full-time bug hunter, Alyssa Herrera shares her experiences in the first of a series of HackInterviews brought to you by InfoSec Write-ups publication.
- If you had to explain what you do to someone not from a security background, what would you say?
Companies have teams of individuals who try to identify weak areas in their computers. Even so, they can miss vulnerabilities. I go in and identify vulnerabilities that have been missed, and assist these teams in correcting the flaws so that when malicious individuals attempt to attack them, they’re unable to find any footholds.
- We heard that you started hacking at the age of 16. What was it that got you interested in bounty hunting in the first place?
I got really interested when I heard about Google offering rewards for finding issues in their websites and services. It really intrigued me and led to numerous Google searches to figure out how to do this stuff. I eventually found Hackerone and submitted my first bug. I was really surprised that it was a legitimate thing. It started off as a hobby from there on, until I decided I wanted to do this full time. It sent me down the path of learning more in depth about web application security. And the rest, as they say, is history.
- What was the biggest challenge you encountered while reporting a bug or a flaw?
A lot of the time it is unresponsive companies that tend to take months to check a report and triage it, or even to close a ticket for a report. It can get frustrating, especially if you found a serious issue that should have been looked at. That’s why I tend to only spend time on programs that are responsive to security researchers.
- What was the most satisfying vulnerability you found?
The most satisfying one has been the recent critical vulnerabilities that I found in the DoD by exploiting Jira. The vulnerability was quite trivial to exploit, but the process, from mapping my attack surface to creating and demonstrating access to the various sensitive internal networks I could reach, was quite fun for me. I even did a write-up on it.
- What would you consider the turning point of your journey as a security researcher?
I’d say the h-415 event; that’s been a massive point of motivation for pushing myself further and working much harder to improve my own skills.
- How has your experience in reporting vulnerabilities (w.r.t. the response received, the bounty awarded etc.) changed now that you have been featured in the news so many times, as compared to when you first started out?
With structured bug bounty programs, nothing really has changed. There aren’t special privileges due to just fame. In fact, that is how I think it should be. When working with companies that don’t have structured vulnerability programs, I have noticed that they tend to be more willing to investigate security issues I discover when I’m researching a new attack method.
- Let’s say you gain access to someone else’s computer for five minutes. What would you try to find out?
If this wasn’t authorized testing, I wouldn’t even attempt anything. If I was given authorization to test it, I would connect a USB Rubber Ducky, harvest credentials and create a reverse shell on the computer.
- Can you tell us a bit more about the type of bugs you enjoy hunting the most?
Server-side request forgery is my favorite vulnerability; you can leverage it to perform various actions, from accessing sensitive internal administrator panels to achieving RCE.
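As an added illustration of the SSRF class mentioned above (example code written for this edit, not from the interviewee or from any program she tested), here is the check a server-side URL fetcher should apply before following a user-supplied URL. The names `check_outbound_url`, `ALLOWED_HOST_SUFFIXES` and the `FAKE_DNS` table are assumptions constructed for the example; the hardened version allowlists schemes and hosts, resolves the host itself, and rejects loopback, private, link-local and IPv4-mapped addresses (the ranges where internal admin panels and cloud metadata endpoints live), returning a pinned IP so the connect step cannot be rebound by a second DNS lookup.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy for this example: only these schemes and hosts may be fetched.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOST_SUFFIXES = (".example.com",)

# Constructed DNS table so the example runs offline; the real resolver is below.
FAKE_DNS = {
    "api.example.com": {"93.184.216.34"},       # public host: should be allowed
    "internal.example.com": {"10.0.0.5"},       # allowlisted name pointing inside
    "mapped.example.com": {"::ffff:127.0.0.1"}, # IPv4-mapped loopback bypass attempt
}


def fake_resolver(host):
    """Offline stand-in for DNS; raises like getaddrinfo on unknown names."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise OSError("NXDOMAIN: %s" % host)


def system_resolver(host):
    """Real resolver: every A/AAAA address the host currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked_ip(ip_str):
    """True for addresses an SSRF would use to reach internal services."""
    ip = ipaddress.ip_address(ip_str)
    # ::ffff:a.b.c.d is just IPv4 in disguise; judge the inner address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def naive_fetch_target(url):
    """The SSRF-prone pattern: trust the URL as sent and connect to whatever it names."""
    return urlsplit(url).hostname


def check_outbound_url(url, resolver=system_resolver):
    """Validate a user-supplied URL before a server-side fetch.

    Returns (allowed, reason, pinned_ip). Callers should open the socket to
    pinned_ip while keeping the original Host header, so the address that was
    checked is the address that gets connected to (defeats DNS rebinding).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    if parts.username or parts.password:
        return False, "userinfo in URL", None
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False, "no host", None
    if not host.endswith(ALLOWED_HOST_SUFFIXES):
        return False, "host not in allow-list", None
    try:
        addrs = resolver(host)
    except OSError:
        return False, "resolution failed", None
    if not addrs:
        return False, "resolution failed", None
    # Every address must be public; one internal A record is enough to block.
    blocked = [a for a in addrs if is_blocked_ip(a)]
    if blocked:
        return False, "resolves to blocked address %s" % blocked[0], None
    return True, "ok", sorted(addrs)[0]


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/users",
              "http://internal.example.com/admin",
              "http://mapped.example.com/",
              "http://169.254.169.254/latest/meta-data/",
              "file:///etc/passwd"):
        print(u, "->", check_outbound_url(u, resolver=fake_resolver))
```

The allowlist alone is not enough: `internal.example.com` passes the name check and is only caught because the resolved addresses are inspected, and the IPv4-mapped case shows why the address check must unwrap `::ffff:` forms. Note that `urlsplit` does not follow redirects; a fetcher that follows `3xx` responses must re-run this check on every hop.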
- Do security teams understand the gravity of the situation when you report a vulnerability?
Most security teams do understand the gravity of the vulnerabilities I report. In the rare cases when they don’t, I tend to clarify the impact of the vulnerabilities, what can be done with the vulnerability, how an attacker could use it to attack the company, etc. When a team doesn’t understand, it’s in your best interest as a bug hunter to help them understand your reported vulnerability, i.e. highlight things you might have missed in your initial report, any vague wording, etc. Additionally, this ties back into creating a very concrete report which explains the issue you discovered, the impact, a proof of concept and what an attacker could achieve with your vulnerability.
- Is there anything you would do differently if you could go back in time?
I would never stop trying and working towards the goal of improving myself. I hurt myself a lot when I took a year-long hiatus and didn’t touch anything relating to web application security due to being burnt out. Even if you want to take a break, at least try to keep up to date on current security affairs, such as recently published exploits or write-ups. It will benefit you immensely, and it is something I didn’t really keep up to date on.
- I know you must be tired of hearing this, but any advice for newbie hackers?
The biggest advice is to start reading write-ups and publicly disclosed reports, so you have an understanding of what tends to go into discovering vulnerabilities and reporting them. Another thing is to look at capture-the-flag type websites like hackthebox, root-me, etc. to get hands-on experience with discovering vulnerabilities to exploit.
- What are some tools that can’t be left out from a hacker’s arsenal?
I think the biggest one would be Burp Suite Community Edition. It provides a lot of the different tools necessary for bug hunting, from proxying and modifying requests to decoding application data. I would also say you don’t really need the Pro version of Burp Suite either, as the Community Edition already provides you with more than enough functionality.