BSides Ahmedabad Hacker Interview - Eugene Lim aka spaceraccoonsec

BSides Ahmedabad · 2023 · 5:46 · Published 2023-02

About this talk
BSides Ahmedabad Hacker Interview. Check out Eugene Lim's interview about his most interesting hack, how he keeps up to date with all the new trends, and the valuable advice he shares for new hackers and bug bounty hunters. #bugbountytips #bugbounty #infosec #cybersecurity

Transcript [en]

Host: Hi Eugene, please tell us something about yourself.

Eugene: Yeah, hi. So I'm Eugene, and I go by spaceraccoon online, and I work as a security researcher and white hat hacker.

Host: Okay. How long did it take you until you found your first significant or high-impact payout vulnerability?

Eugene: So I remember starting at the start of 2019, because there was a government bug bounty program and I really wanted to find a bug, but unfortunately it was a duplicate, and I was really frustrated. And I think I just kept learning and I kept, you know, trying new things. I did Hacker101 CTF, I tried different programs, and finally, I think about three months later in this, my bug bounty journey, I was able to get my first significant bounty.

Host: Great. So what has been your favorite, or let's say your most interesting, bug find?

Eugene: Wow, I think everyone has their own favorite. There are so many, and you know, some of them you can't discuss publicly; the best bugs are always the ones that you can't talk about. But I would say definitely one of my early bugs that's actually publicly discussed was some of them in the Starbucks program, because they're a really great team. I recommend that everyone looks at them and contributes to their program. But I was able to discover SQL injection via XML file upload, so that was a really complex kind of chain, or rather it was not at all obvious, because most people would try, for example, XXE on XML, but they wouldn't expect to try SQL injection within the XML itself. So that was a really interesting vector for me.

Host: Okay. So what do you do to keep up with all the new trends?

Eugene: Yeah, I mean, to be honest, because I work a full-time job, you know, it's also important for me to keep up with the latest happenings in infosecurity as well as white hat hacking and application security. I subscribe to a ton of useful newsletters. So for example, there are some really interesting newsletters that you can keep an eye out for on Twitter. I know Clint from Semgrep, r2c, has a really great infosecurity newsletter; it just keeps me up to date on not just white hat hacking or bug bounty but also blue team tools, new research, new programs. So it gives me a very broad idea of what's going on across the whole of infosecurity. And of course I do like to do some white hat hacking when I have free time as well.

Host: All right. So do you collaborate with other hackers? If yes, can you name a few?

Eugene: Yeah, of course. I mean, in my very first year I created a team with some of my friends from the bug bounty community. It was called Disturbance; you know, it was, I think, a big splash back then. People like stök, Italian Raider, Kobe, Nick Fisher, you know, some of these guys have gone on to become Hall of Famers, they've become Most Valuable Hackers. And now whenever I have a live hacking event, or if I notice a challenge with people I know in it, I always like to reach out to them, see what they're doing, whether they want to collaborate or not, just to make new friends. Sometimes it might be a bit hard to start collaborating with new people if you've never met them before, so I really do like coming to events like BSides, just because, you know, once you've seen someone you can trust them a bit more and you can make new connections.

Host: Okay. So how do you approach a target?

Eugene: I like to approach a target through manual research. I think there were some fantastic talks today that talked about how you can expand the scope. I like to browse through the functionality, see everything that's going on. These days I also try to do a bit more reverse engineering, right? So I'm not just looking at servers but I'm also looking at applications: native applications, mobile applications, even the JavaScript source code that's shared online is also a useful source for reverse engineering. So I do recommend people also pick up some skills that have to do with reverse engineering.

Host: All right. What is your recon methodology?

Eugene: Yeah, I think that's an interesting question, because I don't really do recon. I mean, my recon is the scope that they give you, right? At most I just run some of the standard tools. But if you want to think about non-traditional recon, so again we have some good talks that discuss this, you can expand the scope of a single application just by looking at the source code, right? Whatever domains they have in there, secrets they have in there; you can also look at some of the API calls. So I like to look from a single scope but then expand out from there, rather than trying to expand out and then go into a single scope.

Host: Okay. How do you balance your personal life and work?

Eugene: Yeah, I mean, I try to kind of keep my hacking in bursts of time. You know, I don't hack every day, I don't hack every week. I tend to hack when there's new scope or new events coming out, you know, when there's time for me to focus fully on one thing or another. And so I like to keep it on a regular, you know, a proper schedule. I don't try to hack every day, because that's a really great recipe to get burnt out if it's not your main job, right? So I try to keep things at the appropriate time.

Host: Right. How has your experience with BSides Ahmedabad been?

Eugene: There have been so many fantastic talks at BSides, and also so many amazing people I've met at BSides. I really enjoyed just getting new ideas. Some of the talks here have just made me so excited to just go back home and try the new tricks and apply them to my hacking, apply them to my coding. So I really learned a lot at BSides, and I really appreciate just everyone sharing the information out here.

Host: Well, thank you Eugene, it has been a pleasure hosting you, and we hope to see you next year as well.

Eugene: Thank you for having me.