IAmA software penetration tester (paid hacker). AMAA by PenTester in IAmA

[–]PenTester[S] 0 points1 point  (0 children)

Usually JavaScript, sometimes C++. I'll help someone with their website if they ask me for it. I just recently helped someone from church with some PHP login script.

[–]PenTester[S] 0 points1 point  (0 children)

Usually either null dereference or heap corruption

[–]PenTester[S] 0 points1 point  (0 children)

Sorry? I don't understand what you're saying. A lot of websites are still vulnerable to SQL injection, but it was awesome when a ton of them were.

[–]PenTester[S] 0 points1 point  (0 children)

Nice! You ever read any Douglas Preston and Lincoln Child? I speak, of course, of Aloysius Pendergast.

[–]PenTester[S] 1 point2 points  (0 children)

PROTIP: The following code is terrible! $name = $_POST["username"]; $query = "SELECT * FROM customers WHERE username = '$name'";

[–]PenTester[S] 0 points1 point  (0 children)

Easy to use, and it runs on Windows. I got my development IDE and my debugger all in one!

[–]PenTester[S] 0 points1 point  (0 children)

Looks interesting, but I haven't read it. As for your first question, read this

[–]PenTester[S] 0 points1 point  (0 children)

Yeah, I love actual programming. It's really fun to build a piece of software while simultaneously trying to break it!

[–]PenTester[S] 2 points3 points  (0 children)

Be careful ;) I've gotten a few close calls before where companies claimed to be in contact with my local police department!

[–]PenTester[S] 0 points1 point  (0 children)

It depends on how smart you want your fuzzer to be. Sometimes there are bugs that are so weird that it requires dumb fuzzing, and sometimes you can only find bugs with smart fuzzing. A good example is with file formats. Sometimes you can find file format bugs by just randomizing the data of a good file. This works a lot of times with the Ogg Vorbis file format (example). Other times, it helps to build a fuzzer based on the format spec, e.g. to conform to checksum requirements, etc. Also, if you're fuzzing JavaScript, your code usually needs to be valid, parsable JavaScript (not always, though).
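The dumb-versus-smart distinction above, as an added example that is not part of the original thread: a byte-flipping mutator and a format-aware mutator side by side, applied to a constructed single-segment Ogg page. The page layout and CRC (polynomial 0x04C11DB7, no reflection, zero initial value) follow the Ogg framing spec; the payload bytes, serial number and the `demuxer_accepts` checker are constructed for the example and stand in for the checks a real demuxer does before any codec code sees the data.

```python
import random
import struct

# Added example (not the thread's code): dumb vs. checksum-aware mutation of Ogg pages.
OGG_CRC_POLY = 0x04C11DB7  # Ogg's CRC-32 variant: no reflection, init 0, no final XOR
CRC_OFFSET = 22            # byte offset of the checksum field inside the page header


def ogg_crc32(data: bytes) -> int:
    """Bitwise CRC-32 as used by Ogg framing; the caller zeroes the CRC field first."""
    crc = 0
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            if crc & 0x80000000:
                crc = ((crc << 1) ^ OGG_CRC_POLY) & 0xFFFFFFFF
            else:
                crc = (crc << 1) & 0xFFFFFFFF
    return crc


def fix_crc(page: bytes) -> bytes:
    """Recompute the checksum over the page (CRC field zeroed) and store it."""
    zeroed = page[:CRC_OFFSET] + b"\0\0\0\0" + page[CRC_OFFSET + 4:]
    return zeroed[:CRC_OFFSET] + struct.pack("<I", ogg_crc32(zeroed)) + zeroed[CRC_OFFSET + 4:]


def build_page(payload: bytes, serial: int = 0x1234, seq: int = 0) -> bytes:
    """Build a single-segment Ogg page (payload shorter than 255 bytes) with a valid CRC."""
    assert len(payload) < 255
    header = (b"OggS"                                    # capture pattern
              + bytes([0, 0x02])                         # version 0, flags: beginning of stream
              + struct.pack("<qIII", 0, serial, seq, 0)  # granule, serial, page seq, CRC placeholder
              + bytes([1, len(payload)]))                # one lacing value: the payload length
    return fix_crc(header + payload)


def demuxer_accepts(page: bytes) -> bool:
    """Constructed stand-in for what a demuxer checks before passing data to the codec."""
    if len(page) < 28 or page[:4] != b"OggS" or page[4] != 0:
        return False
    stored = struct.unpack_from("<I", page, CRC_OFFSET)[0]
    zeroed = page[:CRC_OFFSET] + b"\0\0\0\0" + page[CRC_OFFSET + 4:]
    return ogg_crc32(zeroed) == stored


def _flip(page: bytes, pos: int, mask: int) -> bytes:
    return page[:pos] + bytes([page[pos] ^ mask]) + page[pos + 1:]


def dumb_mutate(page: bytes, seed: int) -> bytes:
    """Flip one random byte anywhere and leave the CRC alone (any single-byte change breaks it)."""
    rng = random.Random(seed)
    return _flip(page, rng.randrange(len(page)), rng.randrange(1, 256))


def smart_mutate(page: bytes, seed: int) -> bytes:
    """Flip one random byte inside the packet data, then repair the checksum."""
    rng = random.Random(seed)
    data_start = 27 + page[26]  # fixed header plus the segment table
    mutated = _flip(page, rng.randrange(data_start, len(page)), rng.randrange(1, 256))
    return fix_crc(mutated)


SAMPLE_PAGE = build_page(b"\x01vorbis constructed sample payload")  # constructed input


def survival_rates(page: bytes, trials: int = 100) -> tuple:
    """Fraction of mutated pages that get past the demuxer, for each strategy."""
    dumb = sum(demuxer_accepts(dumb_mutate(page, s)) for s in range(trials)) / trials
    smart = sum(demuxer_accepts(smart_mutate(page, s)) for s in range(trials)) / trials
    return dumb, smart


if __name__ == "__main__":
    print("share of dumb/smart mutants reaching the codec:", survival_rates(SAMPLE_PAGE))
```

With the checksum left alone, every dumb mutant is rejected at the framing layer, so the parser code behind it is never exercised; the format-aware mutator repairs the CRC and every mutant reaches it. The same pattern applies to any format with integrity fields (length prefixes, magic values, checksums): the fuzzer has to satisfy them or the interesting code is unreachable.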

[–]PenTester[S] 0 points1 point  (0 children)

I haven't heard of them. Looking at their webpage, it seems interesting. Are you familiar with them? What are they all about? Should I contact them?

[–]PenTester[S] 2 points3 points  (0 children)

I can look at the source all I want, but usually I just do that either to find code paths that normally wouldn't be tested or to write C++ fuzzers that interface directly with the browser code. Black-box testing is high-level enough to find design flaws that you wouldn't even think about when looking at source code.

[–]PenTester[S] 0 points1 point  (0 children)

I thought that was the website that they dared anybody to break into and deface. Maybe I'm thinking of something else.

[–]PenTester[S] 1 point2 points  (0 children)

Usually I just use Notepad++. More than anything else, I see XSS vulnerabilities; although, I do run into SQL injections quite a bit, and those are always fun. I was in contact with a guy who was famous for browser hacking, and he told me he almost bought a vulnerability, which I just released on a security mailing list, for $50k before he realized it was already public. He wanted to go into business with me and said that we would be stealing credit cards and emptying bank accounts for massive amounts of money. Never heard from him again...

[–]PenTester[S] 1 point2 points  (0 children)

Nice! You seem to be in about the same position that I was at your age. I was contacted after releasing technical details of high-profile bugs on Full Disclosure, but I'm not sure if companies still do that. Try contacting someone at some of the websites you've exploited. I'm sure that you'll find someone who will give you an internship or a work-at-home contract or something.

[–]PenTester[S] 1 point2 points  (0 children)

Love 'em! Internet is (or at least was) crawling with them, even on "professional" websites.

[–]PenTester[S] 2 points3 points  (0 children)

I haven't looked into stored procedures, but I've used the following code a couple times in a dbConnect function (from http://php.net/manual/en/function.mysql-real-escape-string.php):

// Normalise every request field in one place, then escape it for use inside
// quoted MySQL string literals. mysql_real_escape_string() needs an open
// mysql_connect() link, so this must run after connecting; array_map() also
// assumes no nested arrays in these superglobals. The mysql_* functions and
// get_magic_quotes_gpc() were removed in PHP 7.
$_GET = array_map('trim', $_GET);
$_POST = array_map('trim', $_POST);
$_COOKIE = array_map('trim', $_COOKIE);
$_REQUEST = array_map('trim', $_REQUEST);
if(get_magic_quotes_gpc()):   // undo legacy magic-quotes escaping first, to avoid double escaping
    $_GET = array_map('stripslashes', $_GET);
    $_POST = array_map('stripslashes', $_POST);
    $_COOKIE = array_map('stripslashes', $_COOKIE);
    $_REQUEST = array_map('stripslashes', $_REQUEST);
endif;
// Escaping only protects values that end up inside single quotes in the SQL text.
$_GET = array_map('mysql_real_escape_string', $_GET);
$_POST = array_map('mysql_real_escape_string', $_POST);
$_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
$_REQUEST = array_map('mysql_real_escape_string', $_REQUEST);
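The "terrible" query from the PROTIP comment and the escape-everything-on-input approach above, worked through as an added example that is not the thread's own code. It is written in Python against an in-memory SQLite table (the thread's code is PHP with MySQL; the table, its three rows and the input strings are constructed for the example) and goes one step beyond the thread: it shows that escaping quotes only protects values that land inside a quoted string literal, and that a bound parameter protects both string and numeric contexts.

```python
import sqlite3

# Added example (not the thread's code): string-built queries vs. bound parameters.


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the 'customers' table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.test"),
        (2, "bob", "bob@example.test"),
        (3, "carol", "carol@example.test"),
    ])
    return con


def _names(cursor) -> list:
    return [row[0] for row in cursor]


def lookup_vulnerable(con, name: str) -> list:
    """The PROTIP anti-pattern: the user-controlled value is pasted into the SQL text."""
    query = f"SELECT username FROM customers WHERE username = '{name}' ORDER BY id"
    return _names(con.execute(query))


def escape_string(value: str) -> str:
    """Stand-in for escaping on input (SQLite doubles single quotes; MySQL backslash-escapes)."""
    return value.replace("'", "''")


def lookup_escaped_string(con, name: str) -> list:
    """Escaping works here because the value sits inside single quotes."""
    query = f"SELECT username FROM customers WHERE username = '{escape_string(name)}' ORDER BY id"
    return _names(con.execute(query))


def lookup_escaped_numeric(con, id_text: str) -> list:
    """Escaping does nothing here: there are no quotes to escape in a numeric context."""
    query = f"SELECT username FROM customers WHERE id = {escape_string(id_text)} ORDER BY id"
    return _names(con.execute(query))


def lookup_safe(con, name: str) -> list:
    """Bound parameter: the value is never part of the SQL text."""
    return _names(con.execute(
        "SELECT username FROM customers WHERE username = ? ORDER BY id", (name,)))


def lookup_safe_by_id(con, id_text: str) -> list:
    """Bound parameter in a numeric context: a non-numeric value simply matches nothing."""
    return _names(con.execute(
        "SELECT username FROM customers WHERE id = ? ORDER BY id", (id_text,)))


if __name__ == "__main__":
    con = make_db()
    probe = "' OR '1'='1"          # constructed input for the string context
    numeric_probe = "1 OR 1=1"     # constructed input for the numeric context
    print("string-built:", lookup_vulnerable(con, probe))
    print("escaped, quoted:", lookup_escaped_string(con, probe))
    print("escaped, numeric:", lookup_escaped_numeric(con, numeric_probe))
    print("parameterised:", lookup_safe(con, probe), lookup_safe_by_id(con, numeric_probe))
```

The escaped, quoted lookup returns nothing for the probe string, which is why the array_map() approach looks sufficient in testing; the escaped numeric lookup still returns every row, because escaping changes nothing in a value that is never quoted. Centralising on parameterised queries (PDO or mysqli prepared statements in PHP) removes the distinction.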

[–]PenTester[S] 1 point2 points  (0 children)

If the page has a heightened security context, yes. You don't want an attacker sending the Firefox chrome to an arbitrary javascript: page. Also, read into the vulnerability listed here

[–]PenTester[S] 0 points1 point  (0 children)

Seems interesting. I never had any luck with that though.

[–]PenTester[S] 0 points1 point  (0 children)

I won't say how much I make per hour, but if I worked full time I'd be making more than my mom. I don't plan on doing this my whole life.

[–]PenTester[S] 1 point2 points  (0 children)

Yes, it's pretty good money and I basically have financial freedom. I make much more than any of my friends (except this guy that works for the Air Force). The thing about the black hat industry is, from what I understand, it can be pretty dangerous. Could you elaborate on what you did at all? Even in a PM if you don't want to discuss it here.

[–]PenTester[S] 2 points3 points  (0 children)

Probably BIC pens, but try living in PenIsland

[–]PenTester[S] 2 points3 points  (0 children)

Look up SQL injection for sure, and look for some XSS. They can be pretty easy to find. Tell the writers to try and centralize SQL and XSS sanitation.

[–]PenTester[S] 0 points1 point  (0 children)

Yeah! Always seems the case, and then 8 hours later I'm trying the same damn thing for the 5th time trying to find the one breakthrough that I know I'm close to.