I am Ron Chan, a Hong Kong bug hunter. I started to learn about hacking in April 2016. I had no clue where to start at that time; then I found an interesting online hacking course, OSCP. I paid for 60 days of labs and started to pwn them one by one. By the time I finished my OSCP exam, I had found something called bug bounty; I found it through Orange Tsai’s Facebook SQLi to RCE blog post. The technical details of the bug alone are amazing, and the idea of bug bounty amazed me the most. I never knew people could make legal money through hacking. After that I started to read more and more bug bounty write-ups, and eventually I found my first bug in Yahoo Pay: I could buy anything at any price I wanted. Then I decided to dedicate my time to bug bounty. Since then, Yahoo and Uber have been my favourite programs.
Personal life: 20%, Work: 10%, Bug Bounty: 70%
I had a rough start; I could only report 5-10 low-impact bugs per month in the first six months. For the most recent six months, I report 20-40 bugs per month; it really depends on luck. If Yahoo decides to make some major change in Flickr that month, then I may find more that month.
My first bug in Yahoo had pretty high impact: I could buy anything at any price. I was super lucky that only Hong Kong residents could access the Yahoo Pay function, and there are not many bug hunters in Hong Kong.
Google Bug Hunter’s Account Takeover; you can read it here. It is interesting because Google actually didn’t do anything wrong in terms of technical vulnerability. They were just encoding the character in the 302 response header; it is IE’s weird behaviour that led to this finding.
The way I see it, my major breakthrough came right after reading zseano’s tutorial, where he showed how an open redirect could be leveraged into a full Facebook-linked account takeover. It is not just the technical details that struck me the most, but the concept of increasing the impact even of a trivial bug (open redirect). After reading his blog, I started to go through the existing bug bounty programs one by one, and it turned out quite a few of the programs were vulnerable to this open redirect + FB ATO attack. I was not just looking for open redirect + FB account ATO; I also applied his concept to OAuth login flow exploits. That’s the moment I found Uber’s multiple OAuth bugs and Flickr ATO bugs and earned around ~40k(?) because of his tutorial. Since then I know I can’t ever leave bug hunting because it is so fun.
The major problem before I reached this breakthrough was that I didn’t have a thorough understanding of what those write-ups meant. I think this is the problem for most new hunters. For example, when I first read about fin1te’s self XSS to good XSS, it seemed I could grasp the general idea of the method, but deep inside I didn’t understand why he needed to use CSP, what the problem with login CSRF was, etc. All these little details make up a good write-up, but I failed to understand them. After the breakthrough, all of the little bugs he talked about finally made sense to me. After knowing I had improved, I read all the old write-ups that I did not understand previously, and the world was never the same.
Twitter.
I worked with cache-money to hack Uber together for a few bugs recently. And I ask filedescriptor a lot of questions when I have something I don’t understand; not exactly collaboration, more like a tutorial class from him.
I mainly look at Yahoo and Uber, so I routinely check their front pages and see what is new in their products, check their engineering blogs, follow their Twitter, and never miss an update when they push a feature to production. Subdomain brute force, nmap, Google dorks: I do them occasionally but not always, only when I think they are needed.
My weakest area is asset discovery; I seldom use DirBuster or Sublist3r. Because my main targets are Yahoo and Uber, they generally have enough functions/features to occupy my time; all I do is follow the UberEng Twitter and keep an eye on what is being updated in their product, like the latest tipping features, social features, UberPool features, etc. Though I live in HK and the features in Uber are ALWAYS two steps behind US Uber, I still find this approach effective. As for Yahoo, the attack surface is giant in itself: Yahoo Sports, Gemini, News, Finance; it’s more than you can test, so I usually don’t spend the time on subdomain brute force or DirBuster. Testing the functions alone occupies most of my time. To sum up, I am lazy; I test whatever is presented to me.
I mainly use Burp, and sometimes a VPS to perform brute force. JSON Beautifier is my recent favourite extension in Burp. Not much automation when I hunt.
I test for IDOR and authentication bypass; these two are easy to test and have high impact. IDOR is nothing new: just replace your parameter with the victim’s identifier. Authentication bypass is reset password/OAuth/SAML etc.
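To make the IDOR point concrete from the fixing side, here is an added example that is not from the interview or any of the programs mentioned: a handler that looks up an order by a client-supplied id without checking who owns it (the bug the answer describes, where swapping in another user's identifier returns their object), beside the hardened version that enforces ownership server-side, plus a small regression check a team could run in CI. The order store, user names and function names are all constructed for the example.

```python
"""Added example (not from the interview): an IDOR, i.e. a handler that trusts a
client-supplied object id without checking who owns the object, beside the
hardened version that enforces ownership. All data here is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str      # account that placed the order
    details: str


# Constructed sample data standing in for a database table.
ORDERS = {
    1001: Order(1001, "alice", "alice's order"),
    1002: Order(1002, "bob", "bob's order"),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_order_vulnerable(session_user: str, order_id: int) -> Order:
    # The session identifies the caller, but the lookup ignores it: any
    # authenticated user who changes order_id in the request reads any order.
    return ORDERS[order_id]


def get_order_hardened(session_user: str, order_id: int) -> Order:
    # Resolve the object, then enforce that the caller owns it. Returning the
    # same error for "missing" and "not yours" avoids revealing which ids exist.
    order = ORDERS.get(order_id)
    if order is None or order.owner != session_user:
        raise Forbidden(f"user {session_user!r} may not access order {order_id}")
    return order


def idor_regression_check(handler, victim_owner: str, other_user: str) -> bool:
    """Return True if `handler` lets `other_user` read any order that belongs
    to `victim_owner`, i.e. the authorization check is missing. Run this in CI
    against every object-fetching endpoint with two test accounts."""
    leaked = 0
    for order in ORDERS.values():
        if order.owner != victim_owner:
            continue
        try:
            handler(other_user, order.order_id)
            leaked += 1
        except (Forbidden, KeyError):
            pass
    return leaked > 0


if __name__ == "__main__":
    print("vulnerable handler leaks:", idor_regression_check(get_order_vulnerable, "bob", "alice"))
    print("hardened handler leaks:  ", idor_regression_check(get_order_hardened, "bob", "alice"))
```

The fix is not input validation on `order_id` (a valid-looking id is exactly what the attacker sends) but binding the lookup to the authenticated principal; the regression check simply automates the "replace the parameter with the victim's identifier" step with two accounts you own.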
Not sure, because I left private programs a long time ago.
I am a Security Consultant; it doesn’t really help in bug bounty. Two responsibilities and different goals.
Random YouTube trending songs.
Spend time with family and friends, like everyone else.
Hobby and major source of income.
Keep reading the write-ups and replicate them in your local environment when you don’t understand them.
Definitely iOS jailbreak; it’s another new level of hacking.
OSCP, The Web Application Hacker’s Handbook, Learn Python the Hard Way.
No toast in Hong Kong ;)
A private program; it is a Chinese company, and it didn’t acknowledge an ATO bug after fixing it silently. Closed as N/A and no reward.
Filedescriptor ;)
Bounty bonus in short period of time.
Vim