
Undetected e.04: TomNomNom – Hacking things back together

July 3, 2020

We know “go hack yourself,” but what about unhack yourself? According to Laura and Tom (@TomNomNom), it means understanding how something is built and how it works, before you can know if you’ve successfully hacked it apart. 

There were many valuable soundbites to take from this dynamic conversation between host Laura Kankaala and guest Tom Hudson of Detectify. Their discussion covers the importance of learning and the often undetected Imposter Syndrome issue that’s common amongst working professionals today. Here are highlights from this episode, and the dialogue has been edited for brevity. Let’s dive in:

Featuring Tom Hudson, Security Research Team Lead

Undetected – a web security podcast is a Detectify production that uncovers different depths of web security. You can listen to the full length of Episode 4 on Simplecast or your preferred podcast platform. The video version is also available online on the Detectify YouTube channel.

Who is Tom?

Laura Kankaala:
I’ve seen and used some of your projects on GitHub, for example, Gron, which makes JSON more greppable. Httprobe is another, which takes a list of domains and, in your words, probes for working HTTP and HTTPS servers, and also Assetfinder, for finding subdomains and other assets related to a domain. I’ve used some of your tools for recon and for parsing through the information that I’ve collected, and I find them extremely useful. Tell me more about you and what you do.

Tom Hudson:
Thank you for using my tools. I’m glad you found them useful. I think one of the things that makes me the happiest is when people get good use out of them.

So, I lead a team of security researchers/engineers, who build modules for our scanning systems based on the submissions that we get from Crowdsource researchers. I also do some of my own security research… I always try to get help where I can and join in with what other people are doing. Still, I do my own security research, as well, to see how we can improve the way our scanners work. I research new types of vulnerabilities that we’re not detecting yet, and how we can automate new classes of vulnerabilities that we can’t automate so well right now.

Building and tinkering through school

Tom Hudson:
I sort of taught myself a little bit of programming here and there in my teenage years. I first got access to the Internet at school and learned about HTML, started building webpages, and eventually learned a bit about PHP, a little bit of JavaScript, and that sort of thing. Sometime later, after school, I managed to get my first programming job, which was kind of transformational in a lot of ways for me.

I’d been tinkering, playing with things, and making my own programs and things, but I was never really that good. I almost did consider myself a hacker in a lot of ways, but almost more in the pejorative sense. I was hacking things together rather than breaking things.

A DEFCON dream come true

Tom Hudson:
I used to get .NET magazine when I could convince my parents to buy it for me. I remember reading about DEFCON back sometime in the late Nineties and thinking, “That sounds like the most amazing thing ever. I hope I can maybe go there one day.”

I spent a lot of time as a Software Engineer, then as a DevOps sort of a person, and later became a Lead Software Engineer. At the time, the company I was working for launched a bug bounty program. They were relatively enlightened and invited staff to find bugs, submit them to the program, and get rewarded. I turned out to be quite good at it and made myself a little bit of money, which got me hooked.

At some point, I found myself on the HackerOne leaderboards without really realizing it. I got myself an invite to a live event in Vegas, and 17 years later, I finally got to go to DEFCON. It wasn’t quite as my young teenage brain had made it out to be, but it was still a fantastic experience. I met so many great people. Before that, I wasn’t in the community, and after that, I was suddenly in a community.

Unhacking oneself

Laura Kankaala:
Yeah. I want to go back to what you said about hacking things back together so that basically, you try to unhack yourself. Do you think that your passion for fixing stuff and programming has helped you be a better hacker?

Tom Hudson:
Definitely. My main goal for things like that, apart from when I had to fix them before my parents found out, was to figure out how things work. Before we had a computer, I had spent much of my childhood taking things apart and often getting into trouble for taking things apart. But it got to the point where every time I went to visit my grandparents, my grandfather would have found something that he kept for me to take apart, something he thought might be interesting, because he knew that otherwise I would take apart something I wasn’t supposed to. He had a very scientific mind throughout his entire life, and that emphasis on figuring out how things work really gave me a much better understanding of how to break things.

Something I’ve said before is that if you want to break something, the first step is to make it do what it’s supposed to do. Otherwise, how can you know when it’s not doing it properly, or when something’s different, or something’s gone awry?

Laura Kankaala:
Absolutely. When I was a sysadmin, doing a little bit of coding helped me realize how the systems are supposed to work. If you think about, for example, black-box or white-box testing, that means like, “Do you have access to source code or do you not have access to source code while doing testing?” I find that doing white-box testing, where you have full access through the source code, can also get better results.

Tom Hudson:
Yeah, definitely. I’ve spent a fair amount of time in my bounty career, as it were, doing white-box testing, both on open source code and proprietary code that I happen to have access to. Having spent that time as a software engineer and building software made that job so much easier. Even with the black-box side of things, as well, if you have built tools and stuff, then you have a better idea of what’s likely to be true under the hood. If you’re looking at a filtering function, you think, “Well, I’ve written my own filtering functions. What did I do? What would I have done in the situation?” 

Tom the Trainer

Laura Kankaala:
You’ve led courses in the past for graduate students in programming and in Security. What are some of the things that people commonly struggle with when they start out, for example, with programming or with learning about Security?

Tom Hudson:
In the early stages, I think many people struggle with not having a mental model for how a program should work. When I’m writing code, I’m thinking about components, pieces of code, and functionality that I can join together in a particular order, in a specific structure, to make them do what I want. But if you don’t have that model yet, and you don’t have that awareness of what is even possible, I think it’s incredibly hard to do.

Another thing that I think a lot of people struggle with when they’re first starting out is how precise you have to be. Many people are used to computers as being like almost magic in a way, and they kind of figure out what it is you mean, and in programming they don’t do that at all. You have to be explicit about things like types of data. I find the key there is really finding the right analogy for people, and that depends on what their background is.

Laura Kankaala:
Do you have any useful analogies that you could share with us right now?

Tom Hudson:
In terms of how specific and literal you have to be, I usually describe a scenario of teaching one of my young children to set the table. For example, you can’t tell a child, “Go and set the table,” or at least not a young child who’s not done it before. 

You have to literally say, “Go to the drawer, open the drawer, take out four forks, go to the table, put them down in this place.” You have to be really specific, but once you’ve done it the first time and you’ve described it, you can refer to it by name, and you can say, “Please set the table,” and it’s like defining your own function. Not everyone has kids, but mostly they can imagine that scenario, at least. I find that that works quite well.

Apply Just-in-Time Learning

Laura Kankaala:
Definitely. Understanding the basic functionality of computers is the main ingredient in knowing how to break stuff. What are some other learning methods that you have?

Tom Hudson:
My main approach is to try and be quite broadly read. I try and read around a lot of different subjects, still, usually within technology for me, because that’s what interests me the most. I verge into electronics and science. That sort of thing, despite not being a scientist even slightly, still interests me, especially if I can find an article that’s written in an accessible way. That broad knowledge really is a basis for this thing that I’ve taken to calling Just-in-Time Learning.

I find it quite challenging to learn something in-depth if I don’t have a practical application for it right away. I need a problem to solve. Being broadly read gives me an awareness of the capabilities and applications of the learned subject or technique. When I encounter a situation where I need that knowledge, that’s the point that I can go and learn it properly. That’s where JIT learning comes in.

Laura Kankaala:
I love reading, and I start reading a lot of things, and I just like to graze it through to grasp new ideas or new concepts. For myself, I guess I’m not as motivated to do the “hello world” kind of software, like getting started and going through tutorials or demos. 

Tom Hudson:
Just having a problem to solve is such a powerful guide from my perspective, because it drives you to ask more questions. After all, you need to know the answer. It’s not a case of want anymore. If you want to solve this problem, you’re going to have to do it. Personally, it means I have to stray into things that are maybe a little bit more difficult, and a little bit more out of my comfort zone than ordinarily, I would do if I was just trying to learn for the sake of it.

Laura Kankaala:
What is something you’ve definitely dug deeper into and had to learn by heart?

Tom Hudson:
Recently, I’ve been spending quite a bit of time looking at driving Headless Chrome using Go. It’s something I’ve been using for some work projects recently. Again, it’s something I’ve been meaning to experiment with for a long time, but I never get round to experimenting with things. I only actually seem to get things done when I have a problem to solve.

Embracing Imposter Syndrome

Laura Kankaala:
Yeah. It’s interesting. I remember when I started all with Security, I was more interested in programming. When I did my first hacking courses, I thought that I needed to know everything, and if I didn’t know everything, then I would be a failure, and I wouldn’t be good at this. 

Web security is a niche of the cybersecurity industry, so even in this niche of web security, there are many ways to specialize. It took time for me to understand that I needed to do what I wanted to do and not worry as much about knowing everything. There’s just no way that anyone could ever learn everything… absolutely everything when it comes to web security.

Tom Hudson:
I personally still struggle with that Imposter Syndrome. So, what advice do you have to try and get over that feeling of, “Everyone else knows more than me. I don’t know enough. I’m not supposed to be here”?

Laura Kankaala:
I don’t think that I have gotten over it. It’s just something that I’ve tried to embrace in myself. I’ve tried to accept my own limits: that I cannot know everything, that I can contribute to some things that I know of, that I can give some kind of advice, and that I have the background knowledge I can use to make sophisticated guesses.

Tom Hudson:
I don’t have a great deal of concrete advice other than to listen to other people talk about their own imposter syndrome. That will help you realize just how common it is and that it affects everybody.

One of the things that I always suffer from quite a bit is I think, “If I know something, it must be common knowledge; therefore, it’s not interesting, so nobody will want to hear about it,” but the more I talk to people, the more I find out that that’s not true. “Talk to people about it” is probably my best advice.

Admitting “I don’t know”

Laura Kankaala:
When you were teaching, how did you handle situations where you didn’t know the answer?

Tom Hudson:
I tried to make a point of explicitly stating, “I don’t know, but here is how I would find out.” I was on a laptop connected to a projector at the front of the room at the time. I did my first bit of Googling in front of students, and sort of talked through which of the results I was looking at and why, and which ones I trusted and why, and part of that is from experience: “If you go and read, if you click the Experts Exchange link a few times, you will eventually learn. Maybe it’s not the best one, and maybe you should go for Stack Overflow or something instead; maybe you should go for Mozilla Developer Network over W3Schools, for example. All of these things can be excellent resources, but these sorts of rules of thumb help.”

But that first time of being confronted with a question that I didn’t know the answer to, once it was done with, I think I was almost instantly a better trainer. I was more confident and actually began to relish those questions because those are the times I get to learn. 

That really became a catalyst for learning plenty of things that I otherwise wouldn’t have done. It has been teaching things and also learning them in more depth, as well. What have your experiences been like, especially with teaching beginners, if that’s something you’ve done?

Laura Kankaala:
When it comes to admitting stuff that you don’t know, I think that’s also something that I had to learn after giving talks and putting myself out there. The first time someone asked me a question I didn’t know how to answer was about cloud security about four years ago. I felt so intimidated and wondered, “Why are they asking me this question?” Especially when I realized that I don’t really know the answer.

I answered something along the lines: “I cannot give a good answer with my knowledge right now. I can only give a sophisticated guess.” 

I believe that admitting when you don’t know something is really a superpower, and you should really exercise that.

Asking about the edge cases

Tom Hudson:
Asking questions is an excellent subject to cover from a learning perspective. I get a lot of questions myself online from people looking to learn security stuff, and I try to answer them when I can, but I think getting good at asking questions is probably one of the best things that you can do. 

Not every person that you ask questions of will be receptive to what I consider to be the perfect questions. When I’m trying to really understand something and figure out how something works, I tend to ask questions about edge cases, because they’re the ones that really show how a system really works fundamentally rather than working off sort of rules of thumb.

In security especially, many people have the attitude of asking questions about the edge cases. One would ask, “Well, what happens when this obscure scenario happens?” The response is often, “Well, it will never happen, so it doesn’t matter.” I think if you really understand how something works, you should at least be able to have a go at answering those questions. Those are the points where bugs happen, right? That’s where the vulnerabilities are: in those edge cases that people weren’t asking about. I think those kinds of questions are doubly useful in that way.

Tom’s approach to hacking and finding bugs

Tom Hudson:
If you can build something, especially a web app or something like that, and try to break it yourself, that experience will be invaluable. Keep looking at things and try and spot when they seem weird or different. Then, try and figure out why they’re weird or why they’re different. 

My approach to hacking, bug bounty, and that sort of thing is mostly to try and spot something that’s different, and figure out how it works. I’m not necessarily looking for a vulnerability of a specific class, or at times, not even looking for a vulnerability at all… I’m just looking for information. How does this thing work? If I put this value in, what does it do? If you shake it hard enough, sometimes the bugs fall out. I think other people have different approaches, but hacking is almost like a secondary thing to finding out how things work in a lot of ways.

Laura Kankaala:
Can you recommend some links or hackers for our audience to follow and learn from?

Tom Hudson:
I think in terms of learning the actual mechanics of doing hacking and sort of bug bounty type activities, my friend Ben (NahamSec) has a great YouTube channel. Hacker101, as well, which is HackerOne’s sort of CTF training platform and associated videos, a lot of which were done by my good friend, Cody. Also, there’s a video on there by me and my friend STÖK as well, which I’m quite proud of. I think it might even be the most viewed one there now. That’s my own little shameless plug.

To get good at it, early on especially, be curious, learn how things work.

