Interview with Veteran Hacker/Bug Bounty Hunter — Jasmin Landry

Smith3dx
Jun 22, 2022

The word hacker has been associated with negativity, and anyone with a hoodie and a laptop is seen as a criminal, though there have been many incidents involving hackers with ill intent. In recent times, hackers have taken on a new dimension, becoming the defenders. Various platforms have come up which provide services to organizations to secure their internet-facing applications. This has given rise to the white hat hacker. In continuation of my series where I speak with leading cyber security professionals in the industry, I spent time speaking with Jasmin Landry (JR0ch17).

Can you give a little on your background?

I started work in IT roughly 10 years ago as a system administrator. I worked a lot with Windows and Linux systems, virtualization technologies like VMware and networking technologies like Cisco. Through the first 5 years of my career working as a sysadmin, I was able to get a dozen well-known IT certifications such as MCSA, CCNA, VCP, etc. After a while I started to get more and more interested in security, especially the hacking or pentesting part of it. My career objective at that point was to become a pentester. Considering I didn’t have any experience, I decided to do the OSCP certification. I was able to complete it in 2 months. About 6 months later, I was starting a new job as a junior security analyst. My first 3 months there I had a lot of free time as I hadn’t gotten access yet to all of the tools that I needed to do my job. I ended up learning assembly and publishing a shellcode on Exploit DB. Looking back at it, I have no clue what I did as I forgot all of it as I never actually used that knowledge ever again. During my first 3 months I also started doing bug bounty and got my first bounty from a Stored XSS on a Microsoft application. Shortly after that, my boss saw that I had some hacking skills so I got promoted to a pentester. From there, I started to have a lot more success doing bug bounty as I was able to practice a lot with work while doing real world pentesting. So I was getting better at bug bounty because of the pentests that I did and I was also becoming a better pentester because of bug bounty. All of this greatly helped my career since I eventually got invited to HackerOne Live Hacking Events and Bugcrowd Bug Bashes where I won a few awards, I got mentioned and quoted a dozen times in articles on Yahoo, Forbes, etc., I did talks at security conferences and schools, and so on and so forth.
I have now put bug bounty aside a bit as I’m now a father of a 2-year-old son so of course spending quality time with my family and my full-time job have a bigger priority than bug bounty, which I now consider more of a hobby than work.

How did you get into IT and then cyber security?

I actually started studying accounting but after a few semesters I realised it wasn’t for me. So I took a year off of studies to think about what I wanted to do. I always had some interest in computers but it was never a passion of mine, I was not a gamer and I especially never knew what programming was. One day I saw an ad about a school where they had a programming course and I was like I wonder how it works. So when I got home, I went online, Google’d and YouTube’d it as I had no idea what C, SQL, PHP, etc were but I found it really cool. So I registered without really knowing what I was getting into and started school a few weeks or months later. My first class was C, I kind of liked it but I wasn’t that good either so I looked at other options. My teacher had suggested that I look into the networking and security course. And I actually loved that! I learned the ins and outs of TCP, UDP, OSI model and all that kind of stuff. I also had an intro to hacking course where we got to learn tools from Backtrack 4 or 5 which is now called Kali. So I eventually graduated from the school, got a job as a system administrator and then like I mentioned previously, my interest and curiosity for security and hacking took over and I got motivated to do the OSCP and get a job in security, which I eventually did.

How did you get into Bug Bounty?

I had first heard of bug bounty while doing the OSCP certification. I was researching a topic and stumbled on an article where someone had earned money for reporting a vulnerability to a program. At first I was like wow that’s really cool, I’ll give it a shot eventually but for now I’m still too much of a beginner. After passing the OSCP, I thought to myself, well I think I can give it a shot now but I hadn’t realised the OSCP was a certificate for beginners and that I still knew barely anything related to hacking. So of course, after spending a day doing bug bounty, I realised I probably wasn’t good enough to do this so I’ll continue learning and improving my skills to eventually start doing it. Fast forward a year or two later, I was poking around a Microsoft application while at work and eventually found a Stored XSS! From that point on I was like wow I may be good at this and got hooked to bug bounty ever since.

What was the biggest bug you ever found?

The best bug that I’ve found that had the biggest impact was an unauthenticated SSRF which allowed me to fetch the AWS secret keys. Those keys gave me access to the target’s whole production environment in AWS. I had tweeted a screenshot of the ScoutSuite report actually:

https://twitter.com/JR0ch17/status/1385675808002424833?s=20&t=44mR9kpMzTJFYk0es9vmDQ

How would you describe your bug bounty methodology?

I typically just do regular recon using well known tools, nothing out of the ordinary. Then I pick a website to look at, I usually start directly at the core applications like www, app, etc where there are the most functionalities. I prefer diving deep in web applications than finding vulnerabilities through automated recon. That way I can get a better understanding of how the application works and it may help me find bugs that other people won’t think of trying. So I identify what programming languages and technologies are used, where the application is hosted, what kind of data is stored in the application, what does the application do, how many types of users and roles are there, is there an admin panel, etc. After I’ve answered all of these questions, I do threat modeling of the application to try and determine what the most impactful bugs could be and set myself some goals. For example, if it’s a bank well most likely bugs that involve money would be impactful. If the app contains PII, then privacy-related bugs could be nice. From there, I start poking around and testing some stuff in Burp Suite and try to achieve my goals. However, I do have a preference for server-side vulnerabilities like RCE, SSRF, SQLi, Path Traversal etc so I’ll try and find vulnerabilities like these to achieve my goals.

When not doing anything to do with information security, what do you do?

I like to spend some time with my family and do sports, especially hockey!

Everyone talks about how to get into bug bounty; how would you advise someone to excel at bug bounty?

Nowadays, there are bug bounty programs for everything. There’s the typical web application hacking which I do, there’s mobile applications hacking, car hacking, IoT and hardware, smart contracts, code review, internal and external infrastructure including cloud like AWS, GCP and Azure, etc. So the first thing is to have fun, if you’re doing it for the money only and not having fun, I think you won’t last long so you need to do it for the good reasons. I also think it’s extremely difficult to be an expert on all these topics so the best would be to only hack on what you like and what you’re good at. You’ll have more success hacking on something you’re good at and when you have fun doing it!

What is the nastiest exploit you have found?

I’m not sure if it’s the nastiest exploit I’ve found but for me it was quite interesting as it involved chaining a few things together to achieve the highest impact possible and I remember working on it for a few days to complete the chain. It started with a regular reflected XSS on www, which in this case was the useless corporate site. I was able to chain it with a cookie-based XSS on the main app using a cookie stuffing attack to then make API requests to a separate subdomain since the CORS policy was allowing that subdomain only and then luckily for me I was able to do a cache poisoning attack to have the XSS stored, temporarily that is until the cache was expired. So with the full exploit, I was able to leak sensitive data such as PII, banking information, credit card information, mortgage details, etc.

How does software development tie in with bug bounty? Do you think they go hand in hand or are very separate?

Software development does tie in pretty well with bug bounty but is not an obligation. I know plenty of people who have never done any software development and are still excellent at bug bounty. However, in some cases it does help a lot for automation and also to get a better understanding of how the application is built. If you know how something is built, you have a good chance of also understanding how to potentially break it. As for automation, it can be used to automate recurring tasks like recon and also automating fuzzing and/or exploits. I recently had a case where I had an SSRF which could only be triggered after executing 4 requests in a specific order. To fuzz for internal hosts and data to show impact, it was easier for me to simply create a Python script than to try and use Burp Suite to automate it. Even though the end result would’ve been the same, it would’ve probably taken me more time configuring Burp than to write it up in Python.

Vim vs Nano?

100% vim
