Our crowd of application security experts is the engine that powers Bugcrowd. Over the coming few weeks we’re going to introduce you to a few of them.
Want to join the Bugcrowd and participate in our bug bounties? Head over to http://bgcd.co/join-the-bugcrowd and sign up!
Today’s Bugcrowd profile is on Johnathan Kuskos.
What’s your name?
Johnathan Kuskos. He takes being a Bugcrowd Ninja very, very seriously.
How long have you been hunting bugs?
A little over a year. I graduated with my B.S. in Computer Science from University of Houston-Downtown last year and have been working in the InfoSec industry ever since as a black box web application vulnerability researcher. This has been one of the most fun hobbies/jobs that I think I’ve ever had the pleasure of being involved with. Breaking another developer’s code puts a bigger smile on my face than writing something cool myself =)
What’s the most memorable bug you’ve discovered?
I once found this on an application (not Twitter) where you can follow people or be followed. If you follow someone, it shows on their profile as “this person is followed by x, y, z, john smith, bob”, etc.
I registered an account with my G+ test account, followed a few people, quickly realized it was worm potential and had to inform the application’s security staff immediately to have them delete the account (it was persistent and I couldn’t remove it). All I needed to do was follow everyone and XSS would pop on every single user profile page. This had the potential to compromise every single account (of which there were hundreds of thousands). The developer’s mistake here was trusting that another application will validate input, sanitize it, and then output encode it for you.
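The rendering mistake described in this answer, as an added example that is not part of the original interview: a profile page builds the “followed by” line from display names that arrived via a third-party identity provider. The vulnerable renderer trusts upstream validation and interpolates the raw names; the hardened one HTML-encodes every name at the point of output, whatever its source. The follower names, the function names and the probe string are all constructed for illustration.

```python
import html

# Constructed sample follower list. The last entry stands in for a display
# name that an upstream identity provider accepted unchanged; the developer
# assumed the provider had already validated and encoded it.
FOLLOWERS = [
    "x",
    "y",
    "john smith",
    '<script>document.title="stored xss"</script>',  # constructed probe
]


def render_followers_unsafe(names):
    """Vulnerable: trusts upstream validation and interpolates raw names.

    Any follower whose display name contains markup gets that markup
    rendered on every profile page that lists them (the persistent XSS the
    interview describes).
    """
    return "this person is followed by " + ", ".join(names)


def render_followers_safe(names):
    """Hardened: encode at output time, regardless of where the data came from.

    html.escape turns <, >, &, " and ' into entity references, so a name can
    only ever be displayed as text, never interpreted as a tag or attribute.
    """
    return "this person is followed by " + ", ".join(
        html.escape(name, quote=True) for name in names
    )


def contains_raw_tag(fragment):
    """Simple check for a rendered fragment: is there still an unencoded tag?

    Useful as a unit-test guard on any view that embeds user-controlled text.
    """
    return "<" in fragment and ">" in fragment


if __name__ == "__main__":
    print("unsafe:", render_followers_unsafe(FOLLOWERS))
    print("safe:  ", render_followers_safe(FOLLOWERS))
```

The point of the hardened version is the trust boundary: output encoding is applied by the code that knows the output context (here, HTML text), not delegated to whichever application supplied the value.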
What do you like about bug bounties?
I’m pretty driven by the thought of everyone competing against each other. It puts more pressure on me to find the “game over” vulnerability faster than everyone else, since ultimately the first submission is the only one that ever gets credit. I really like CTFs and sadly they are just not too plentiful. Bug bounties seem like the next closest competition.
I also like being credited as someone that has been part of the solution and not the problem. Having a responsible disclosure list, as several participating bug bounty programs do, makes you feel all warm and fuzzy inside when you’re on it!
If there was one thing you could suggest to improve the way bug bounties are run, what would it be?
Bug bounties are great. Hundreds of people testing the same application is great, because the end result is the application being more secure. Hundreds of people sharing the same authenticated credentials, not so great. For applications requiring authenticated testing, I really really really want to be able to create my own account or have one supplied to me. It both 1) allows me to not be bothered by another tester’s injections, and 2) doesn’t give away what I’m working on to other testers. I.e., what if I’ve found SQL Injection, yet someone else is viewing the page that it reports on?
What methodology do you use when participating in a bug bounty?
Think like a lazy developer. If I were to implement a certain functionality, what would get me from point A (conceptualizing) to point B (finished product) the quickest? Assume the developer’s boss is someone very interested in the opportunity cost of that developer not being on the next big project, so he needs to be done quickly. When you start thinking about applications from the business standpoint and not the technological standpoint, I think it opens up more areas to focus on where vulnerabilities may be more plentiful.
A big thanks to Johnathan for agreeing to be interviewed and posted on our blog!