
Hello everyone. I feel very privileged to be talking to you all today. My name is Oliver Ellis and today I'll be talking about my journey from cyber security student and chef to getting my first bounty and payout, ultimately landing a role as a junior pentester.
Doesn't seem to be moving on.
Just move away from Google. I'll try and do it. Look.
There we go. Yeah. So, onto the next slide. There we go. I'm a final year cyber security student at Manchester Metropolitan University and ethical hacking happened to be one of my modules last year, led by Katie Paxton-Fear, also known as InsiderPhD. Since then, I became a part-time bug bounty hunter and landed a junior pentesting role alongside my final year of study. Full transparency, I don't consider myself an expert. I'm very much still a beginner that has overcome the first few hurdles of ethical hacking. The purpose of this talk is to provide some guidance and confidence for those starting their journey. So, I was introduced to web hacking techniques and bug bounty by my ethical
hacking lecturer Katie in the second year of my degree. I was extremely excited for this module as I've always had a passion for ethical hacking. So the initial learning was on PortSwigger labs, understanding HTTP requests and responses and common exploitation methods. After every lecture, I'd always go up to Katie with a list of questions like how long did it take to find your first bug? What vulnerability should I look for? What program should I hack on? Her advice was to focus on access control vulnerabilities when bug bounty hunting. So that's what I did, and I started to listen to the Critical Thinking podcast, which is a great resource. I always did and still do come
away from it with motivation and drive to hunt for bugs. I started to submit bug bounty reports without much success, resulting in many informative findings. I felt pretty lost at this point. The triagers were helpful and gave valuable feedback on how I could find more impact or why something wasn't really a security vulnerability. So, it had been 2 months since I submitted my first report. I was doing over 50-hour weeks between university semesters working in the kitchen. I spent every spare minute learning and hunting, still without much success. I read countless bug bounty writeups and posts on X about the huge payouts on simple bugs, and this frustrated me. Months have gone by now. With no money
to show for my work, I began to lose hope due to countless informational and duplicate findings. The imposter syndrome started to set in. I started to question if I was doing it right. And I measured my success by my zero payouts. This got me thinking, maybe I'm looking in the wrong place. I even started to wonder if programs even pay out or do they just make excuses. And I started to wonder, am I wasting my valuable time on pointless work? Is bug bounty saturated, or is it private programs where people are finding all these vulnerabilities? I truly started to give up because I had nothing to show for all the time I had spent searching.
I was looking at my progress all wrong. It's easy to lose sight of how far you've come when you're so fixated on the money side. I realized that I shouldn't measure my success through just payouts. I'd learned so much about ethical hacking and realized duplicates are not losses. Duplicates confirm you have indeed found a bug. You just weren't quick enough. This is a win. And finally, I need to appreciate that bug bounty is the deep end of ethical hacking. Of course, it's not going to be easy. And then it happened. Things finally turned around. I got that email. You've been awarded a $400 bounty. I finally did it. I found an access control vulnerability on Audible. I shared the
news on Twitter and LinkedIn. And only two weeks after sharing my success on social media, I was offered a junior pen testing placement with a global fintech company. This finally allowed me to move away from working in the kitchen and gain some real industry experience. And it was all thanks to bug bounty. After many months of pentesting non-bug bounty systems, I can't explain how refreshing it is to work on systems that haven't been tested within an inch of their life. My knowledge gained through bug bounty hunting meant I wasn't just an intern that was getting in the way and slowing everyone down. I was and still am doing significant work and having a great time doing it.
This all taught me that employers value real world experience like bug bounty, and the best part is we all have access to it. Bug bounty hunting holds the same, if not more, value on your CV than a certification and costs nothing but your time. Where to start? I had endless questions when I was starting out. So, here's what I'd do if I was starting out again. I would sign up to PortSwigger and learn the common vulnerabilities, understanding HTTP requests and responses using web proxies like Burp Suite or Caido. I would read writeups on how people are finding these vulnerabilities. And when it comes to applying that knowledge to a live bug
bounty program, focus on one vulnerability category. I'd recommend access control because it's the simplest vulnerability type to find and is very common. Access control is as simple as incrementing a parameter in an attempt to view or modify data that you shouldn't. If you can understand that, you can understand access control. Here are some beginner mistakes that might slow you down. First, focusing on uncommon vulnerabilities. I know a few full-time hunters that are making a fortune and usually the vulnerabilities they find are access control and XSS, which is cross-site scripting. And these are the two most common vulnerabilities. Secondly, I wouldn't hesitate. When I started out, I was terrified that a SWAT team was going to turn up at my house.
And just know it isn't illegal. All you need to do is follow the program guidelines. Try to avoid doing anything destructive, especially with access control. Don't delete any data. And if you do, make sure it's your own and not another user's. Finally, constantly swapping programs. Stick to one program and go deep. This means understand how the application is supposed to work from the user's perspective and try to do things you shouldn't. Douglas Day is really good at this and has a good talk on finding the nos in applications, and it's definitely worth a watch. How to bug bounty: first, sign up to a bug bounty platform. There are many: HackerOne, Bugcrowd, YesWeHack, Intigriti.
Choose a program. Don't be scared. It's not illegal. Just follow program guidelines. Look out for strings they want you to send in all your requests. Do you need to sign up with your bug bounty platform email? Look how many requests per second they allow and what is in or out of scope. Number four, you should think outside the box. Find areas that slow down your hunting and persist through the process. Other hunters may have stopped at that obstacle. You could ask to join private programs or you could even pay a small subscription to unlock functionality which others may not have wanted to do. Ultimately, you're trying to find scope. My first bug required so many steps to
unlock the functionality. I even had the triager asking me how I enabled it. Number five, you should learn what others are doing. This is something difficult due to the nature of ethical hacking and the sensitivity that comes with it. So engage with the community, collaborate with others. You'll be amazed how many obstacles you can overcome. And finally, you need to be patient. Tackling imposter syndrome. When I started, I really struggled with this and I think nearly everyone in bug bounty has felt like this at some point. I remember when I used to open up Burp Suite on a website like Amazon and you're looking at all these requests and all this information and you can't help
but think, how on earth am I going to find a security vulnerability? But it is possible. First thing I'd do is find someone experienced. This will give you the confidence when you're starting to doubt yourself. And trust me, you'll need the sanity checks. Secondly, learn from others. When I started, I didn't know of anyone else that was into bug bounty hunting. So, find others and collaborate. Reach out and see what other hunters are doing. I recently collaborated with a guy and I was trying to upload an XSS payload in an image file, but Cloudflare was blocking it and he knew a trick to bypass it and that resulted in a stored XSS vulnerability. And finally, accept this is a learning
journey. I'm not saying ignore the money and focus on your skills, because the drive to get the money is why I'm here today and part of the reason I kept trying. What I'm trying to say by this is when you're losing hope and have submitted 20 reports with nothing to show, you need to lean on the fact that you're a beginner and you're making progress. It's just hard to see when you're starting out. Three things you should take away from my talk. Firstly, you don't need to be an expert to find bugs. Gain real world experience and make a bit of cash. Secondly, engage with the community for support and sanity, like you're doing right now. You
should be going to events with other like-minded people to learn from. And finally, stay persistent. Bug bounty is all about finding vulnerabilities in already secured systems that feel comfortable enough to allow the public to have a go. Use the fact you have unlimited time and can focus on one vulnerability type to your advantage, because the pentester before you didn't have that luxury. Thank you all for listening. I have linked the Critical Thinking podcast and the Douglas Day talk and some other stuff on the slide for anyone interested. I'm a final year student and, cheeky plug, I'm open to any job opportunities. I'd like to say a massive thank you to Katie and my colleagues at PROC and
everyone else that has supported me on my journey. So, uh, does anyone have any questions? Or feel free to find me after. No questions? A silly question. Round of applause first, I think. That was great. [applause]
>> What was the access control vulnerability you found on Audible then?
>> Um, well, I haven't got permission to disclose it, but basically just an IDOR.
>> Okay. Okay, it's as simple as: imagine a URL, so you've got example.com/ (it wasn't as severe as this, but) bank account, and then a parameter ID equals one, right? Just change that to two. If you can see someone else's bank account information, that is an IDOR. It is as simple as that.
>> Good stuff.
>> Yes. So, you needed to be authenticated. There wasn't missing access control. Uh, it still required, I can't remember whether it was a bearer token or some cookies, to make sure you are logged in. You're just accessing, I think, that's a horizontal access control vulnerability.
>> Hi there. Hi. Um, I'm Shannon. I'm a researcher at UCL. Um, my question is how much, um, of the information that helped you sort of get these bug bounties did you get from your university course and the courses offered there, versus how much of that came from your own research, your own study and interactions with the community?
>> Yeah. So I would say the fact that a bug bounty hunter was leading one of my modules gave me the confidence to then go more into independent research. It wasn't solely university that was teaching me. I did a lot of research by myself. Um, so yeah, I would say university gave me the confidence to then move into learning on my own and told me where to learn. Um, but when it came to actually learning the technical skills, I think you sort of have to go away yourself and, uh, focus.
>> Thank you.
>> Hey, so, um, now you've landed your first job, do you see yourself continuing with bug bounties?
>> Um, yeah. Well, the issue is when you're pen testing, a lot of the time you start to, not, I wouldn't say get bored, I would say you just want a bit of a change. So you don't tend to spend as much time that you've got spare on bug bounty. But it is definitely something I'm going to stick with as a little side hustle. Uh, I know many people that have gone full-time. I think there are a few in the crowd actually. Um, who started as a side hustle and then were making so much money doing it.
They just decided, well, I don't need my job anymore. I can just do this all the time. And you're basically working for yourself. And you can hunt whenever you like. You can go on holiday whenever you like. So, it's quite an appealing lifestyle really.
>> Yeah. Got time for one more question. Oh, go on then. You both got your hands up. Go on. Go fast.
>> Hello. Uh, congratulations on finding your first bug. It's a very inspiring story. Um, you mentioned you were a chef. That was your day job. In the evenings you did bug bounty hunting. Where did you find the strength to persist through that whole process?
>> Yeah, it is tough because, uh, I was a chef for about four years, about two years before university, and then I started university, and then in the summer I was working as a chef like 50, 60 hours a week, and it's quite a demanding job and you don't really
have much energy after it. But like I say, when you're doing something like being a chef, you don't want to go home and then cook a really nice meal for yourself because you've been doing it all day anyway. And it's the same with pentesting now and, uh, bug bounty after work. So I guess it was just a change and I just had this passion and I just wanted that first payout and to actually find a vulnerability. So yeah, I guess it was just drive and ambition. You just need a passion really for it.
>> Hey, great talk and thank you for the story. Um, you got me interested. Uh, so if I make money, uh, what's the tax
implication on it?
>> Yeah, so you do have to do self-assessment tax forms, and then if you do end up making a lot of money, I think you can start like a limited company and probably get better tax rates and stuff. I'm no expert on that. Um, yeah, thank you.
>> Awesome. Thanks. Round of applause again. Yeah. [applause]