Hi! I’m Borja Berastegui, and I’m from Bilbao, Spain. I work full time breaking things and I dedicate some of my spare time to bug hunting. I started hacking out of curiosity, like most researchers, asking myself: “what if I try this instead…?”. Most people who work in infosec have this lateral thinking and interest in understanding how things are built.
Nowadays, all the easy targets are quickly found by hunters with great automated setups, or by hordes of bounty hunters avid to cash out some easy bounties.
Either you continuously run recon and enumeration tools manually, or you build a good automated setup. I’ve built an automated environment, which I manage through Slack.
I have a Slack bot with some slash commands that I use to perform a lot of enumeration activities by doing something like:
When the message with the command is sent, the Slack server sends an HTTP request to the endpoint you specify in the configuration.
In my case, this endpoint is a Google Cloud Platform function that performs some basic validations and then pushes the domain into a Pub/Sub queue.
In parallel, I have some workers pulling messages from that queue periodically. When a new domain is retrieved from the queue, several checks will be performed, such as subdomain enumeration, port scanning, fingerprinting, screenshotting, checks for takeovers, etc.
When the process is over, the bot generates an HTML report, uploads it in a bucket, and notifies through Slack, in the same room where the message was sent from, that the report can be checked in the bucket.
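The entry point of the pipeline described above, as an added example that is not Borja's code: a handler in the shape of a Google Cloud Function that takes the Slack slash-command request, verifies Slack's v0 request signature (HMAC-SHA256 over `v0:<timestamp>:<body>` with the app's signing secret, plus a replay window on the timestamp), validates that the submitted text is a well-formed hostname inside an allowed scope, and only then publishes a message to the queue. The signing secret, the `ALLOWED_SUFFIXES` scope list, the `/recon` command name and the in-memory `MemoryQueue` are all assumptions made for the example; in a deployment the publisher would be swapped for the Pub/Sub client.

```python
import hashlib
import hmac
import json
import re
import time
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode

# Constructed demo secret. A real function would read the Slack signing
# secret from its environment or Secret Manager, never from source.
SLACK_SIGNING_SECRET = b"constructed-demo-signing-secret"

# Assumed scope restriction: the bot only accepts domains under these
# suffixes, so a mistyped or out-of-scope target never reaches the workers.
ALLOWED_SUFFIXES = ("example.com", "example.org")

# Hostname syntax: dot-separated labels of letters, digits and hyphens,
# no leading/trailing hyphen per label, at least one dot, <= 253 chars.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def slack_signature(secret: bytes, timestamp: str, body: str) -> str:
    """Slack's v0 signature: 'v0=' + hex(HMAC-SHA256(secret, 'v0:ts:body'))."""
    base = f"v0:{timestamp}:{body}".encode()
    return "v0=" + hmac.new(secret, base, hashlib.sha256).hexdigest()


def verify_slack_request(headers: Dict[str, str], body: str, secret: bytes,
                         now: Optional[float] = None, max_skew: int = 300) -> bool:
    """Reject requests with a bad signature or a timestamp outside the replay window."""
    ts = headers.get("X-Slack-Request-Timestamp", "")
    sig = headers.get("X-Slack-Signature", "")
    if not ts.isdigit():
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > max_skew:
        return False
    # Constant-time comparison so the check does not leak the expected value.
    return hmac.compare_digest(slack_signature(secret, ts, body), sig)


def validate_domain(text: str) -> Optional[str]:
    """Normalise the slash-command text and accept it only if in scope."""
    d = text.strip().lower().rstrip(".")
    if not DOMAIN_RE.match(d):
        return None
    if not any(d == s or d.endswith("." + s) for s in ALLOWED_SUFFIXES):
        return None
    return d


class MemoryQueue:
    """Stand-in for the Pub/Sub topic so the example runs offline."""

    def __init__(self) -> None:
        self.messages: List[bytes] = []

    def publish(self, data: bytes) -> None:
        # Real deployment: pubsub_v1.PublisherClient().publish(topic_path, data)
        self.messages.append(data)

    def decoded(self) -> List[dict]:
        return [json.loads(m) for m in self.messages]


def handle_slash_command(headers: Dict[str, str], body: str,
                         publish: Callable[[bytes], None],
                         secret: bytes = SLACK_SIGNING_SECRET,
                         now: Optional[float] = None) -> Tuple[int, dict]:
    """Cloud Function body: (status, JSON reply) for one Slack slash command."""
    if not verify_slack_request(headers, body, secret, now=now):
        return 401, {"text": "invalid Slack signature"}
    form = dict(parse_qsl(body))
    domain = validate_domain(form.get("text", ""))
    if domain is None:
        # Ephemeral reply: only the requesting user sees the rejection.
        return 200, {"response_type": "ephemeral", "text": "domain rejected"}
    message = {
        "domain": domain,
        "channel_id": form.get("channel_id", ""),  # workers reply here later
        "user_id": form.get("user_id", ""),
    }
    publish(json.dumps(message).encode())
    return 200, {"response_type": "ephemeral", "text": f"queued {domain}"}


def build_signed_request(text: str, channel_id: str, ts: str,
                         secret: bytes = SLACK_SIGNING_SECRET) -> Tuple[Dict[str, str], str]:
    """Constructed request in the form Slack sends for a '/recon <domain>' command."""
    body = urlencode({"command": "/recon", "text": text,
                      "channel_id": channel_id, "user_id": "U0DEMO"})
    headers = {"X-Slack-Request-Timestamp": ts,
               "X-Slack-Signature": slack_signature(secret, ts, body)}
    return headers, body


if __name__ == "__main__":
    queue = MemoryQueue()
    hdrs, body = build_signed_request("app.example.com", "C0DEMO", "1700000000")
    print(handle_slash_command(hdrs, body, queue.publish, now=1700000000))
    print(queue.decoded())
```

The signature check is what keeps the queue from becoming an open enumeration trigger: without it, anyone who learns the function's URL can enqueue work under the bot's identity, and the scope check keeps the workers from scanning hosts the bot was never meant to touch.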
I’ve participated in small CTFs, and even collaborated on creating some easy challenges, but I wish I played more!
In my opinion, the CTF “mindset” differs from the skills you need in cybersecurity: you can only train it by playing CTFs. Therefore, starting to play CTFs is quite frustrating at the beginning!
Well, it depends on the company you’re working with. If the company potentially has easy targets, you may want to detect those vulnerabilities before anyone else does. On the contrary, if you feel like the organization has a solid security background, it may be worth focusing on some specific features which aren’t widely used.
I like the idea of using skills that I’ve never been able to use before. Imagine you’re a pentester or a security engineer, working for a company where you only have some specific technologies and scenarios (e.g. your company only uses Java and you’ve never exploited a .NET application). Training on a completely different environment will help you understand other vulnerabilities & exploitation scenarios.
Obviously, the bounty you get when you find a high impact vulnerability is always a great motivation 🙂
I like to hunt on web applications, as most people do (remember that there are companies offering bounties for thick clients or mobile applications). And inside this category, I enjoy working on link and URL unfurling, or with complex backend processing of entities (SSRF, XXE, deserializations of all kinds).
You shouldn’t take anything for granted, and always review everything! I’ve missed bounties at least two times because I was thinking, “yeah, there won’t be a vulnerability there, it’s too obvious”. After a couple of weeks, I saw a report on that vulnerability which I thought was too obvious.
You never know! I’ve worked hard to increase my skills in security, and I’ve collaborated with startups or companies who needed cybersecurity consultants. I’d like to keep helping companies this way. I also enjoy being a bug hunter, and I believe it’s the best way to stay on top with security, which can only help me to improve my work.
Thanks to Borja for this interview! You can join Yogosha’s private community by filling in this form. You will receive an email from us when we release a new challenge, and if you pass it, you will be invited to our bug bounty programs.