
Sunday, August 19, 2018

Who am I?

The sides of Cyber world

As everyone knows, hacking is one of the serious topics of discussion when it comes to computers and technology. As the world advances in technology, the risk of being compromised grows, because criminals are advancing too, using the same technology we use. In every field there is a good side and a bad side of people; likewise, there are hackers who attack and target people, and there are hackers who protect them from these kinds of attacks. The good ones are mostly known as White Hats and the others are referred to as Black Hats. Most companies and organizations hire hackers to identify security flaws and glitches in their products or applications, which helps them prevent cyber attacks and breaches.

Who am I?

I’m Shawar Khan, a Security Researcher and a Synack Red Team (SRT) member from Pakistan. As technology advances, I play my role in protecting the cyber world from security breaches. Consider me a person on the positive side of the community. It has been years in the field of Computer Science and Hacking, and I have experienced many things in my career as a hacker, including data breaches, challenges and tough targets, but I am still on track to get the job done. Basically, the initial job of people like me is to keep the web safe. I mostly participate in Bug Bounty programs on HackerOne and pentest applications so that I can help companies get safer over time. In my career there were many achievements that I earned over a period of time. Over 100 Halls of Fame were awarded by companies like Google, Microsoft, Apple, Amazon, eBay and some other companies.

How I got into Hacking

This all started with an initial interest in computers. Some years ago, when I was around 11 years old, I got my first computer and I was quite interested in learning how to use it. At that time I used to play computer games and such. I did not have an internet connection then, so I used to buy DVDs of software and programs that I could explore. After a few years I got interested in designing 3D models using programs like 3ds Max, Maya etc. I got quite a good grip on computers at that time, as I became familiar with most things. I was mostly interested in VFX design and 3D modeling when I was around 13 or 14 years old, and that is when I created my Facebook account. The step towards using the internet was quite interesting, and I met a few people there. The main thing that attracted me towards hacking was when one of my friends’ accounts was hacked and he told me his password had been changed without his doing. I was quite amazed at how someone could change a password remotely. At that time web applications were not very secure and people easily managed to compromise accounts. I started looking for methodologies for doing it. Sadly, all the methodologies on the internet were fake, as they told me to crack MD5 hashes returned by fake websites, and all the tools available were fake and infected.

The first step on the stairs

I contacted some people on Facebook who claimed to be “Hackers” and they told me to learn PHP and other languages. I was not sure how this would lead me towards my goal, but I still took it as a first step. I learnt different languages like PHP, JS, HTML and Python from codecademy.com, which was a site I used to learn from. I was able to develop scripts and websites using those languages and I got quite a good grip on them. By learning those languages I was able to understand how web applications and websites are made, but that wasn’t enough, as I was still unable to reach my goal. I started to Google for topics related to hacking and methods for hacking websites. In a short period of time I learnt techniques like SQL Injection, Backdooring, Keylogging and Shelling. I was able to hack most websites, computers and mobile phones using the techniques that I learnt.

Being on the good side

Instead of hacking websites and compromising things, I wanted to be on the good side and to protect them from the people who used to hack and compromise them. I identified different vulnerabilities in websites and reported them to their owners. I was then introduced to Bug Bounty programs: these are policies of web applications stating that if someone reports a security issue to them, they will reward the researcher. Within a few years I had earned a decent amount and a number of gifts, when I was around 17. In those years I was awarded by Google, Microsoft and many other companies, and I was featured on many websites and pages, which was a turning point in my career. I became well known in the community and kept up the good work by learning more. I studied books and blogs by different researchers and made some interesting discoveries, which I mostly upload and discuss on my website shawarkhan.com; I publish most of my write-ups and articles regarding my discoveries on my site.

Be Independent or Do a Job?

This is another important question from people who are on track. Most of them want to be independent researchers, while some want to be in a job. Both have their pros and cons. I am an independent researcher and I work independently because, by working alone, I can educate myself and learn things on my own schedule, and I will face challenges myself. When a person works alone, he can target anything he wants and work according to his needs, while in a job the person has to work on the projects or things selected by the company. Doing a job will allow the person to gain professional experience and will also help him adapt to a better working environment. I chose to work on my own, and everyone has a different perspective.

How can one become a researcher from scratch?

Being a security researcher means being someone who has mastered the aspects of cyber security. This means that if we are referring to web applications, then we have to know almost everything about them. We need to know about each mechanism and functionality and how things interact with it. We need to learn about APIs and how things communicate using them. Once we know how these things work, we will understand each of them from a security perspective. I suggest that a person should learn languages such as PHP, JS and HTML first, so that the person learns how to create a web application using them. I did the same at the initial stage when I was learning them; after learning about web applications and how they are created, we have to study them from a security perspective. The book I studied first was “The Web Application Hacker’s Handbook” ( https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470 ). This book includes everything you need to know about web application security, including its flow and the techniques used to exploit it. The next step is to learn the testing methodology: WAHH teaches everything, but the OWASP Testing Guide v4 teaches a proper methodology on how one should approach a target. You can find the guide at this address ( https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents ). For the people who are on track, I’d suggest reading disclosed reports on Hackerone.com if they want to polish their skills. Resources such as blogs, slides and conference talks are another important thing to study; they can be found on YouTube and slideshare.com. Conferences such as Black Hat and DEF CON have videos on YouTube covering different research and discoveries.

How should a person work daily?

On average, a beginner should focus on learning languages for around 3 to 4 hours daily, which includes both practice and learning, while a person who is on track and willing to polish his skills should focus on conference talks and researchers’ blogs and invest maximum time in them. Learn from your seniors; their research is your source of advancement.

How do I educate myself?

As most of you know, I'm a self-learner. When I first started, I only knew the XSS vulnerability, and using that one vulnerability I XSSed many companies, including Google and some others, so the main goal is to practice more and more. Most of my study material consists of “Books” and “Blogs”. In my free time, I select random targets and test them in order to learn new techniques and get maximum experience. Getting experience is the main thing no matter what you are doing; always try to hack into something, and every time you will learn something new. Learn about the services that the target is using. For example, if a site is using WordPress, learn how to hack WordPress and retest the target once you have mastered its techniques. Whenever you find a vulnerability, don’t just report it. Try to understand the cause, achieve the maximum access possible, and chain different vulnerabilities to maximize the impact. For example, an XSS vulnerability can be used to achieve Remote Code Execution if we are able to interact with functionality that makes server-side changes, and it can also be used to bypass CSRF protections by stealing CSRF tokens via XHR calls. Similarly, there are many methods of achieving higher impact by chaining vulnerabilities; there are many articles on that on my website. This is another discovery where I chained multiple issues to hijack a user’s account: https://www.shawarkhan.com/2017/09/exploiting-multiple-self-xsses-via.html .

My Approach

My testing methodology is mostly based on server-side penetration testing. When I get a target, I first understand how it works and what its functionalities are. I try to exploit the logic of the application first if the target is a bug bounty program. On the other hand, when I am targeting a huge company or a top organization, I invest maximum time in the Recon phase of my testing. This includes capturing credentials, sensitive information and panels that the company uses to access higher-level functionality. You can see two of my recent articles, https://www.shawarkhan.com/2018/06/getting-php-code-execution-and-leverage.html and https://www.shawarkhan.com/2017/10/remote-code-execution-from-recon-to-root.html , that are based on proper Recon. When first approaching a target, the first thing is to map the target and its structure. Tools like “dirsearch” and “dirb” help identify sensitive paths and files on the target server. Tools like “sublist3r”, “amass” and “subfinder” are mostly used for identifying subdomains. When I find a vulnerability, I try to maximize its impact and I write an exploit for the vulnerability for demonstration. This was one of my XSS exploitation tools, built for exploiting a vulnerability in a famous social app named Sarahah: https://www.shawarkhan.com/2017/08/sarahah-xss-exploitation-tool.html

Covering things up

Now the final thing everyone wants to know is: how can one become a hacker? Well, this isn't easy to answer, but keep a few points in mind. You have to be the best out there; you need to learn the fundamentals of what you are targeting first, and after that you need to learn how it is made, how it works and how it interacts with things.

Hacking isn't easy; it's like being Ronaldo or Messi.

Some of the points to be noted:

  • Be a self-learner: Why? Because without it you won't learn from the things you experience, and you won't be able to solve your own problems.
  • Educate yourself on a daily basis: read articles, write-ups, videos or slides to educate yourself.
  • Know your target: before proceeding, make sure to know your target. Invest most of your time in identifying your target and identifying the services the target uses.
  • Map the target: get a better view of the target's infrastructure in order to get a better understanding of what to target.
  • Walk the path no one travels: Don't be the common dude out there. Think outside the box, think about what the developer missed and what the common guys are targeting, and depending on that, choose your path.
  • Be a ninja: You need to be fast and precise, like a ninja. Know, map and target your victim precisely and quickly. This only works if you are good at taking the different path and if you are unique.

Now I hope you guys got my point: you have to be the best of the best. So now go ahead and learn how things work :) You have a long journey ahead.
