Two weeks ago, Facebook awarded its largest single bug bounty ever. Reginaldo Silva was rewarded $33,500 for his XML External Entity (XXE) vulnerability. Bugcrowd had a chance to catch up with Reginaldo and interview him about how he tests and about his journey to becoming an expert security researcher.
How did you first become interested in security?
I wish I remembered that one… I knew I wanted to work with computers from a very young age. I actually tried to learn how to program by myself when I was 11 or so, but that didn't work out. What I know for sure is that it was more than 10 years ago. I once had a boss who didn't believe a computer could be hacked. His machine was one sendmail exploit away from being rooted (with his permission, of course). By that time I already wanted to know not only how to use those things, but how to build them as well.
What resources and techniques did you use to become a better security tester?
I read a lot. Right now I'm thinking very hard, trying to give you an example of something special that I do, but the truth is that I don't do anything magic. I just read a lot and try to really grok things. When I was younger, I spent a lot of time reading Phrack Magazine. I believe it helped me a lot, even though I had the hardest time trying to grok even the simplest articles. Issue 49 was literally life-changing. It showed me that some things still look like magic even after you already know the trick.
What particular skills or traits do you think are required to be effective as a researcher?
Some people say that I just have a twisted mind. People love generalizations, myself included, but I'm always looking for the counterexamples. If a given assumption is valid 99 out of 100 times, I'm always trying to find the 1 time where the assumption is not valid. Since we're talking about assumptions, whenever I'm reading code, I'm always thinking about the assumptions the developer made, literally keeping notes. Also, when someone who works with security tells me that I have to do something a certain way, I try to think about what happens if I don't follow that advice. Usually there's a bug lurking in there.
What tools do you like to use?
I use the Burp Suite a lot. When I'm not doing something in Burp, I'm creating my own scripts and running them in the command line. If it's small, I'll use a shell script, with curl being the tool I use the most. If it needs a bit more structure, I'll use Python.
What do you do when you're not hacking?
What do you mean by when you're not hacking? Kidding aside, I live a pretty normal life.
A big thank you again to Reginaldo for taking the time to be interviewed :-). How long will Reginaldo hold the record for the biggest Facebook bug bounty? Feel free to comment below.
Interested in having your vulnerability or story covered on our blog, or looking for bug bounty press material? We'd love to try and help. Get in touch!