Meet the hacker europa, a white hat hacker on the Detectify Crowdsource platform. He is based in Italy, relatively new to the bug bounty scene but seasoned in infosec. We asked him about the kind of bugs he likes to find, why he joined Crowdsource and how persistence helped him turn a duplicate finding into a bug with 8 different bypasses.
Tell us a little about yourself; how and when did you start hacking?
I’m Alessandro, also known as europa, and I’m an infosec aficionado from Italy. I took my first steps in infosec at the age of 12, back in 1997, via the IRC channels #hackita and #hack.it on IRCnet, and never really stopped since. I coded exploits back when you could remote root almost anything by sneezing in its general direction, moved to reverse code engineering to derive WPA PSK keys for some Italian internet service providers, then onto more reverse engineering in video games and malware in order to code anti-cheat tools. I dabbled in CTFs for fun, and moved onto bug bounties because I realized I could essentially do real-life CTFs and get paid for it. That’s a good 21 years of passion!
You started bug bounties hunting not that long ago. What have you learned since you started?
True, I started back in September 2017, if my spreadsheet doesn’t lie. I’ve documented my bug bounty process on Medium, and every time someone mentions that Medium post I think to myself, I should really update that; however, there’s just too much knowledge that I’ve picked up along the way to put into words! Back when I wrote my first post, I had a fairly decent understanding of the reconnaissance process thanks to the work of Nahamsec and Jhaddix, but I still hadn’t found my own flow yet. Some of those things may still apply, but they have either been superseded by more efficient processes, built anew, or moved around. For instance: building or customizing wordlists for domain recursion against a particular scope using hosts found previously; curating wordlists of previously found bugs and their URIs; moving the FDNS parsing from my local machine to Amazon Athena; building a powerful regex to parse content against sensitive data during the recon phase, and the list goes on.
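The regex-driven sweep for sensitive data mentioned above is a common recon step; the following is an added example (not europa's own tooling, which is not published on this page) of what such a scanner looks like in practice. It runs a handful of well-known credential shapes over fetched content, adds a Shannon-entropy filter so that generic `secret = "..."` assignments with placeholder values don't flood the results, and masks every hit so the output can be pasted into a report. The sample content is constructed for this example; the AWS key in it is the public documentation example key, and the other values are made up.

```python
import math
import re
from collections import Counter
from typing import List, NamedTuple

# Constructed sample of "fetched content" (a JS config and a leaked key block).
# None of these values are real credentials.
SAMPLE_CONTENT = """var cfg = {
  awsKey: "AKIAIOSFODNN7EXAMPLE",
  gmaps: "AIzaSyA1b2c3d4e5f6g7h8i9j0klmnopqrstuvw",
  token: "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJl",
  password: "changemechangeme",
  secret: "q7Zp2LmX9vTbN4sKe8RaYc"
};
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAexampleonlynotarealkey
-----END RSA PRIVATE KEY-----
"""

# Specific patterns first, generic assignment last: a hit found by a specific
# pattern is not reported a second time by the generic one (dedup by span).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # Group 1 captures the assigned value, which is what gets entropy-checked.
    "generic_assignment": re.compile(
        r"""\b(?:secret|token|password|passwd|api_?key)\b\s*[:=]\s*["']([^"']{12,})["']""",
        re.IGNORECASE,
    ),
}

ENTROPY_THRESHOLD = 3.0  # bits per character; tuned by hand, assumption for this example


class Finding(NamedTuple):
    kind: str
    masked: str
    line: int


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; placeholder strings score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    """Keep only the ends so a report can identify the hit without repeating it."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def find_sensitive(text: str) -> List[Finding]:
    hits, seen = [], set()
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            grp = m.lastindex or 0
            value = m.group(grp)
            if kind == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # low-entropy placeholder such as "changeme"
            span = (m.start(grp), m.end(grp))
            if span in seen:
                continue
            seen.add(span)
            line_no = text.count("\n", 0, span[0]) + 1
            hits.append(Finding(kind, mask(value), line_no))
    return sorted(hits, key=lambda f: f.line)


if __name__ == "__main__":
    for f in find_sensitive(SAMPLE_CONTENT):
        print(f"line {f.line:>3}  {f.kind:<20} {f.masked}")
```

On the constructed sample the scanner reports five findings (AWS key, Google API key, JWT, one high-entropy generic secret, and the private key header) and skips the `password: "changemechangeme"` line because its entropy falls below the threshold; the JWT is reported once even though both the JWT pattern and the generic assignment pattern match it.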
“… its “fire & forget” approach ensures that companies can reap the benefit of continuous testing against systematic issues…” – europa on what makes Crowdsource interesting.
What kind of bug do you enjoy finding the most?
I’m a simple man, I like escalating innocuous reflected cross-site scripting issues to account takeovers, data leaks, sensitive API calls abusing lenient CORS policies, and so on. I also enjoy finding some god-forgotten asset somewhere deep in the scope, building the perfect wordlist using entries from GitHub and Google for that particular framework, finding all those nice endpoints, and spending the night filing reports: SQL injections, XXE, SSRF, XSS. I definitely have so much to improve still!
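The "lenient CORS policy" that makes an authenticated API call abusable is almost always an origin check that reflects the request's `Origin` header after a loose match. The block below is an added example, not code from europa or from any program he tested: it generates the probe origins a tester sends against a hypothetical `https://api.target.example` (the target and attacker domains are assumptions), simulates a server with a weak `startswith`/`endswith` allow check next to a strict exact-match one, and classifies the resulting response headers the way a browser would treat them. Against a live target the same `classify_cors` logic applies to real responses; only the simulated `respond` function would be replaced by an HTTP request carrying each candidate `Origin`.

```python
from typing import Callable, Dict, List
from urllib.parse import urlsplit

TARGET = "https://api.target.example"   # hypothetical target origin (assumption)
ATTACKER = "evil.example"               # hypothetical attacker-controlled domain (assumption)


def candidate_origins(target: str, attacker: str = ATTACKER) -> List[str]:
    """Origins that each defeat one common class of sloppy origin check."""
    host = urlsplit(target).netloc
    return [
        f"https://{attacker}",          # full reflection: any origin is echoed back
        f"https://{host}.{attacker}",   # defeats startswith() / unanchored prefix regex
        f"https://evil{host}",          # defeats endswith() / unanchored suffix regex
        f"http://{host}",               # scheme downgrade: the plaintext twin is trusted
        "null",                         # sandboxed iframes and file:// pages send Origin: null
    ]


def weak_allow_origin(origin: str) -> bool:
    """The kind of check that looks fine in review and is wide open in practice."""
    return origin.endswith("target.example") or origin.startswith(TARGET)


def strict_allow_origin(origin: str) -> bool:
    """Exact match against a closed allowlist; nothing else is reflected."""
    return origin in {TARGET, "https://www.target.example"}


def respond(origin: str, allow: Callable[[str], bool]) -> Dict[str, str]:
    """Simulated server: reflect the origin with credentials only if the check passes."""
    if not allow(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def classify_cors(origin: str, headers: Dict[str, str]) -> str:
    """Interpret response headers for a request that carried `origin`."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no_cors"
    if acao == "*":
        return "wildcard_no_credentials"   # browsers refuse credentialed requests to "*"
    if acao == "null" and creds:
        return "null_with_credentials"     # reachable from a sandboxed iframe
    if acao == origin:
        return "reflected_with_credentials" if creds else "reflected_no_credentials"
    return "fixed_allowlist"


def audit(target: str, allow: Callable[[str], bool]) -> Dict[str, str]:
    """Probe every candidate origin and return origin -> verdict."""
    return {o: classify_cors(o, respond(o, allow)) for o in candidate_origins(target)}


if __name__ == "__main__":
    for label, check in (("weak", weak_allow_origin), ("strict", strict_allow_origin)):
        print(f"== {label} allow check ==")
        for origin, verdict in audit(TARGET, check).items():
            print(f"{origin:<45} {verdict}")
```

With the weak check, three of the five probes come back as `reflected_with_credentials`, which is the condition under which a page on the attacker's origin can read the victim's authenticated API responses. The strict check returns no CORS headers for every probe. `wildcard_no_credentials` is listed as a distinct verdict because `Access-Control-Allow-Origin: *` is only a problem for data that was not meant to be public anyway: browsers will not attach cookies to it.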
Based on all the bugs you have found, what advice do you have for website owners about better web security?
Run a bug bounty program, and if it’s sensitive, keep it offline. Also don’t commit your keys to the repo. Don’t trust user input. The web was a mistake.
In April 2018, you combined eight different bypass techniques in a report to Rockstar Games. How do you motivate yourself to keep going as you can never be sure the last step is going to work?
Finally, as a Crowdsource hacker, what makes Detectify Crowdsource interesting as a platform?
Sometimes I happen to stumble upon a finding displaying a footprint wider than just the current asset, something more systematic that might apply to other targets as well, targets I can’t test on because they’re not part of the platforms I hunt on. That’s where Detectify Crowdsource comes into play: its “fire & forget” approach ensures that companies can reap the benefit of continuous testing against systematic issues, whose real-world impact has been vetted by skilled security researchers like @_zulln and @almroot. As a hacker I’m a big fan of automation, and automation that periodically rewards you for your past research without lifting the same finger twice is amazing. Plus, all the published research on the Labs blog is a goldmine!
Find out more about europa: