Recently an amazing hacker asked me to answer a Q&A. I think it's fun to let you guys know about me :) Have fun reading.
Tell me a bit about yourself, what is your current position, what are your current responsibilities, what's something interesting about yourself?
Hello amazing hackers! My name is Wesley and I am 30 years of age (just like fine cheese, I get better with age). My alter ego is The XSS Rat, which is also a legal entity and my company. Besides owning my own company I have a day job as a QA engineer and I am a certified expert in performance testing.
If you participate in bug bounty hunting, what does your typical day look like, and what's an interesting or unique technique you like to employ when hunting?
When I get up in the morning on a weekend, I usually make time for my daughter, so I don't get to hunt like I used to for 8 hours a day. I usually hunt with clients to show them how I perform my bug bounties, and I allow them to perform the hacking while I correct them and guide them on how I would do it. It usually starts with exploring my target; that is very important. I need to get a good feel of what is supposed to happen so I know when something happens that is not supposed to happen. I use things like user guides, documentation and common sense while doing this. I study every parameter in depth and try to get well acquainted with my target. I will try to change every parameter, testing for things like logic flaws, XSS and CSRF issues. After I am done, I make another pass looking for XSS more carefully and, to finish off, I try to randomly throw data at the application to see how it handles this, maybe even making use of my skills as a performance tester and using JMeter to try and trigger race conditions.
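To make the last point concrete, here is an added example (not code from the original post, and not Wesley's own tooling) of the kind of bug that firing many simultaneous requests uncovers. It models a single-use "redeem coupon" endpoint in-process instead of over HTTP: the coupon store, the user names and the 50 ms delay standing in for database latency are all constructed for illustration. Twenty threads are released at the same instant through a barrier, which is what a load tool does when you point a thread group at one endpoint; the vulnerable version checks the balance and then decrements it with a window in between, while the hardened version wraps check and act in one lock.

```python
"""Constructed model of a check-then-act race exposed by concurrent requests.

Added example, not code from the original post. The CouponStore class, the
user names and the 50 ms latency window are assumptions made for illustration.
"""
import threading
import time


class CouponStore:
    """Holds one single-use coupon. safe=True guards redeem() with a lock."""

    def __init__(self, safe: bool) -> None:
        self.remaining = 1          # the coupon may be redeemed exactly once
        self.redeemed_by = []       # who actually got the discount
        self._lock = threading.Lock()
        self._safe = safe

    def _redeem_unlocked(self, user: str) -> bool:
        # Vulnerable pattern: check, then act, with a window in between.
        if self.remaining <= 0:
            return False
        time.sleep(0.05)            # stands in for DB / network latency (assumed)
        self.remaining -= 1
        self.redeemed_by.append(user)
        return True

    def redeem(self, user: str) -> bool:
        if self._safe:
            with self._lock:        # check and act become one atomic step
                return self._redeem_unlocked(user)
        return self._redeem_unlocked(user)


def hammer(store: CouponStore, n_clients: int = 20) -> int:
    """Fire n_clients redemptions at the same instant; return how many succeeded."""
    barrier = threading.Barrier(n_clients)   # release every thread together
    results = []
    results_lock = threading.Lock()

    def client(i: int) -> None:
        barrier.wait()
        ok = store.redeem(f"user{i}")        # constructed user name
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=client, args=(i,)) for i in range(n_clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def race_test(safe: bool, n_clients: int = 20) -> int:
    """Run the burst against a fresh store and report successful redemptions."""
    store = CouponStore(safe=safe)
    return hammer(store, n_clients)


if __name__ == "__main__":
    print("vulnerable endpoint redemptions:", race_test(safe=False))
    print("locked endpoint redemptions:", race_test(safe=True))
```

Against a real target the same burst is produced by a JMeter thread group with a Synchronizing Timer set to the thread count, so all requests leave at once; the tell-tale sign in the responses is more than one success (or a negative balance) for a resource that should only be consumable once.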
What got you interested in infosec? What does the path look like that led you into your current role, or how did you get started as a bounty hunter?
When I was a kid, the hacker scenes in movies are what got me interested. There always was a veil of mystery behind that wall of green scrolling text. When I got more serious about IT, of course I learned there was nothing behind that facade, but my attention was caught. I studied general IT for several years before I did anything infosec related, and bug bounties are what I needed to earn money, but not in the way that you might think. I wanted a job in cybersecurity, but to do that I had to first get some experience. I was determined to show my skill after OSCP, so I went straight into bug bounties and used it to show my merit.
Do you think a formal (four-year) degree is recommended for getting into an infosec career?
Not at all. I think that, most of all, a hacker is just someone that uses the same tools as engineers do but in a slightly different manner. This requires thorough understanding of a topic the hacker wants to sink their teeth into, since to be able to misuse something, we need to know how to use it first. That being said, I don't think hacking is easy either, but it can be as simple as changing a number in the case of an IDOR.
Do you think certifications are a good way to get into the field or to start hunting bugs? What, if any, do you personally have? Do you think they’ve been beneficial in the long-run?
I am personally a big proponent of certificates as long as they relate directly to the work that someone is currently doing or wants to evolve towards, and as long as that ambition is not bug bounties. The use of certificates is mainly to level the playing field and make sure we are all talking about the same thing in a demonstrable manner. The beauty of bug bounties is that you can investigate what you like and that you are not bound by having to display certain skills that a job would normally bind you to.
I have my OSCP certificate and am planning on getting my OSWE certificate after taking the training sometime soon, and I believe that certificate has been my entry into the infosec scene. Besides those I hold a range of other certificates that are not related to infosec, such as the NeoLoad performance testing tool expert certification and ISTQB Technical Test Analyst.
What do you think is something often overlooked by people interested in entering/transitioning into the field or just starting out as a bug bounty hunter?
There is a learning curve that makes it easy to initially learn new things, but as we go along, the curve grows exponentially harder. This is why it's often easy to bring up the initial motivation to get into the field, but keeping up with it is often mentally taxing, as we are forever bound to keep learning lest we get left behind.
What challenges do you believe newcomers to infosec may face when starting out? What are some common career mistakes people make, and what advice would you give them?
An overwhelming sense of dread and inadequacy is what almost killed my motivation several times. I was looking around me and seeing all these amazing hackers who are so much better than me, even though I know I should not compare on a "level" basis. That is going to be a big trap that's easy to fall for, so make sure you compare yourself to yesterday and not to someone else.
What do you feel is something organizations continue to miss/ignore when implementing security practices/features?
The sheer ease of hacking the human aspect of a company. I can trust a company's security policy all I want, but unless the company stops the employees from going through the data collected, that will be the weakest link. An example I read online a while ago was of an attacker holding a victim at gunpoint, and how it would take quite a strong will and disregard for danger to ignore that.
Do you find it difficult to maintain a proper work-life balance?
I used to find it difficult, but as cliché as it may sound, I really started enjoying working for my own company and the hours fade away into oblivion; however, I insist on spending several hours a day with my wife and daughter.
If you weren’t working in infosec, what would you be doing instead?
Besides my own company, The XSS Rat, I still have my day job as a QA engineer as well, which I really enjoy doing, but my dream job would be to work in a theme park. I go there on a regular basis as it is, and getting to spend time in one of the places I love is a dream I cannot afford to live just yet.
What advice would you give to someone looking to make the move into infosec?
Think very carefully about what direction in infosec you wish to take before diving too deep into one topic and having the sunk cost fallacy stop you from picking up a new target. There is a wide range of flavours to your infosec soup, and you can even have croutons in there.
What’s a major accomplishment you’ve had (work related or not)?
That would be the creation of my 10-hour-long bug bounty course where I focus on things that you can't find on Google easily, such as "The Intricacies of Bug Bounties" etc., but that is quickly getting replaced by my OWASP Top 10 issues course, which includes the regular Top 10, API Top 10 and Mobile Top 10 (it might also include the AWS and IoT Top 10).
What are one/two things you believe the current infosec field is missing?
First of all would be a place to make mistakes without being punished so hard for them, as it can be daunting to be making those mistakes while for some it might be the only way they learn.
If you could go back 5-10 years and give yourself one piece of advice regarding your path in the infosec world, what would it be?
To start as early as possible, while I'd still be flexible and more willing to learn new things. Now that I am turning 30, I did notice it's become a bit harder to pick up new things, and it might seem like I'd always keep the learning speed I already have to train my overly active head.