SecurityTrails Blog · Jul 26 · by Sara Jelen

From IT Support to Bug Bounty Hunting: A Journey into Cybersecurity with CJ Fairhead

Reading time: 15 minutes

In today's interconnected digital landscape, cybersecurity has become an indispensable aspect of our lives.

With the increasing reliance on technology and the ever-growing sophistication of cyber threats, organizations and individuals are constantly seeking ways to fortify their digital defenses. Among the many warriors in this battle against malicious actors are bug bounty hunters: skilled individuals who tirelessly hunt for vulnerabilities in computer systems, networks, and software applications. They possess a unique blend of technical expertise, creativity, and tenacity, making them invaluable assets in the quest for improved cybersecurity.

But what drives someone to become a bug bounty hunter? How does one navigate the complex and ever-changing landscape of vulnerability discovery?

We had a chance to sit down with CJ Fairhead, better known as xYantix, and delve into the mind of a bug bounty hunter, exploring their journey, methodologies, challenges, and triumphs. We had the privilege of interviewing an experienced and passionate bug bounty hunter who generously shared their insights and experiences.

CJ began their career in the field of general IT, gradually progressing through various technical roles over a span of ten years. Despite facing challenges and obstacles, their unwavering interest in cybersecurity persisted, leading them on a path of continuous learning and exploration.

1. How did you get into bug bounty hunting?

I come from a diverse background in general IT, starting from a role in tech support and gradually progressing through various technical positions over the course of ten years. While I always had a keen interest in cybersecurity, finding a way to break into the field proved to be quite challenging. However, I persevered and continuously sought opportunities to integrate security into my work, whether it was organizing events like BSides or participating in monthly security catch-ups in Western Australia. Through these engagements, I had the fortune of meeting knowledgeable individuals who provided me with valuable advice on how to enter the cybersecurity domain. Their guidance paved the way for my journey into this fascinating field.

It's worth mentioning that my path to cybersecurity was a self-taught one, as I did not complete high school and faced difficulties as a student. Coming from a small town with a population of around 6,000 to 7,000 people, I eventually made my way to the city in pursuit of knowledge and opportunities. I immersed myself in learning, participating in CTF competitions, and was thrilled when my team emerged victorious, earning me access to the prestigious Penetration Testing with Kali Linux (PWK) course, which led to obtaining the Offensive Security Certified Professional (OSCP) certification. Interestingly, I was the only one from my team who completed the OSCP, as the others didn't share the same enthusiasm. Alongside my studies, I managed to secure a pentesting job at a consulting firm, and the timing coincided with the COVID-19 pandemic, allowing me to focus and complete the OSCP certification.

Although I have been actively involved in the security field for three years, which is relatively short compared to my overall IT career, I must admit that my relationship with bug bounty hunting is a bit of a love-hate one. Nevertheless, I engage in bug bounty hunting quite frequently. Even when I'm not actively participating in bug bounty programs, I dedicate time to reading blog posts from fellow hunters, exploring new tools being developed, and staying updated on the latest trends and techniques. It's a constant endeavor to stay on top of things because the cybersecurity landscape is ever-evolving. The sheer volume of information resources, blogs, and websites can be overwhelming, making it challenging to keep pace and easy to fall behind.


2. How would you describe your bug hunting methodology?

When it comes to my approach, there are certain aspects that align with what others in the field do. One of these key areas is reconnaissance, which involves gathering information about a target. However, I strive to go beyond the obvious and avoid focusing solely on low-hanging fruit. While many people may examine subdomains of a target and stop there, I aim to supplement this information with as much additional data as possible. For instance, I explore other domain names that the company might own, including development and staging domains. By doing so, I can identify subdomains within those environments that may serve as potential entry points into the production environment. This logical approach, coupled with my background in IT, has proven beneficial. Having worked in infrastructure roles, I possess insights into how systems are typically set up and the common pitfalls and habits that arise. This knowledge allows me to pinpoint areas where vulnerabilities may exist and exploit them effectively.

3. Did you find that the OSCP helped you? Would you recommend certs to aspiring bug bounty hunters?

The OSCP certification has undoubtedly had a significant impact on my career trajectory. Interestingly, at one of my previous workplaces, this certification was deemed a minimum requirement for certain roles. While I may not entirely align with that mindset, I can attest to the invaluable knowledge and skills I acquired during my OSCP journey. It was a challenging yet highly rewarding experience, and I'm grateful for having pursued it.

However, it's worth noting that a considerable portion of the exam content doesn't directly apply to my current position, which primarily involves working in a pure software-as-a-service (SaaS) environment. Nevertheless, it's essential to recognize that there are various alternative training paths available. It's crucial to conduct thorough research and seek feedback from the cybersecurity community to ensure that you invest in the most suitable course based on your specific circumstances. Each career path may have its own unique requirements, and finding the right training program can make all the difference in acquiring the necessary skills and knowledge for success.

4. What helped you find your methodology, and how long did it take you to find your style?

The field of bug bounty hunting is in a constant state of flux, continuously evolving with the emergence of new techniques and resources. As a result, I haven't yet established a rigid methodology that I consistently follow. Instead, my approach is ever-evolving, adapting to the dynamic nature of the cybersecurity landscape. It took me approximately 18 months to 2 years to reach a level of consistency in my methods.

In the earlier stages, I would embark on similar paths of investigation; however, I often found myself getting sidetracked or lacking a structured approach. I would reach a certain point in my exploration and become easily distracted, deviating from a rigorous methodology. Over time, I've learned the importance of maintaining a high-level understanding of my objectives and staying focused throughout the process. It's crucial to recognize when to stop searching, avoiding unnecessary distractions, and regaining my focus on the task at hand.

By continuously refining my methodology and learning from past experiences, I strive to strike a balance between adaptability and maintaining a disciplined approach. This allows me to effectively navigate the ever-changing landscape of bug bounty hunting while maximizing my chances of discovering vulnerabilities and contributing to improved system security.

5. Walk us through your recon workflow.

This is something that is always evolving and varies from program to program, but I always try to cover the following:

  1. Subdomain enumeration: I personally like to use findomain for this because it natively supports storing data in a PostgreSQL database. I also make sure I have properly configured the API keys for the various supported services.
  2. Researching ASNs for the target to identify the IP ranges they might own.
  3. Use the data from the first 2 steps to test for vhosts and try to identify possible source IP addresses (for cases where I'm up against a WAF like Cloudflare or Akamai).
  4. Work my way through the list of targets to identify things like what kind of technology they're using. What kind of web server is it? Which programming languages are in use?

6. What SecurityTrails API™ feature do you most commonly use in your hunts?

I consider myself lucky to have had the opportunity to participate in the SecurityTrails Recon Master competition, which granted me access to the powerful SurfaceBrowser™ tool. This tool has proven to be an invaluable asset in my bug bounty hunting. When I approach a target, I rely on SurfaceBrowser™ for a quick initial assessment. By inputting a domain name, I can retrieve the number of records available in SecurityTrails' database, giving me an estimation of the target's footprint.

When I receive an invitation to a bug bounty program, I enter the domain into SurfaceBrowser™. If the target is relatively small in scope, I don't invest significant time in its analysis. However, when the results yield a substantial number, such as 10,000 records, it becomes more intriguing. A larger footprint indicates more potential areas to explore and a higher likelihood of discovering vulnerabilities or errors on their end. This piques my interest and motivates me to delve deeper into the target's infrastructure.

The subdomain API also plays a vital role in my daily work, especially in the automation I've developed. By leveraging historical DNS results, I can track changes over time and identify crucial information. For instance, I often encounter challenges posed by services like Cloudflare, which can complicate the identification of underlying IP addresses. With historical DNS data, I can search for origin IP addresses that were in use before the target implemented Cloudflare, providing me with valuable insights and circumventing potential roadblocks.


7. How do you tackle false positives during fingerprinting?

The process of filtering out false positives in bug bounty hunting can be challenging. It's an aspect that I'm continuously working on refining. While I understand that there will always be a certain level of false positives, I strive to minimize them by adopting various strategies.

One approach I employ is leveraging multiple sources of information. Rather than relying solely on a single data set, I cross-check the obtained information with other reputable sources. This helps validate the accuracy and reliability of the findings, reducing the chances of false positives.

Additionally, I find it beneficial to run certain tools or perform reconnaissance from multiple locations. This is particularly important when dealing with services like Cloudflare, where access may be restricted or limited due to security measures. By utilizing geographically dispersed locations to run my tools, I can ensure that any issues encountered are not a result of being blocked or cut off from the target, but rather due to the absence of relevant information or vulnerabilities.
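The two habits described in the last two answers, cross-checking subdomain findings against several sources and using historical DNS to see which hosts sat on a non-CDN address before a WAF was put in front of them, can be turned into a defender-side exposure check. The script below is an added example, not CJ's tooling or SecurityTrails' code; the three result sets, the DNS history records and the CDN ranges are all constructed placeholders to be replaced with real enumerator output and the provider's published ranges.

```python
"""Cross-check subdomain findings from several sources, then use historical
DNS to flag hosts whose pre-CDN origin address may still be reachable.
Added example; every data value below is constructed, not real."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: what three independent enumerators reported for one target.
SOURCES = {
    "findomain": {"www.example.com", "api.example.com", "dev.example.com", "old.example.com"},
    "tool_b":    {"www.example.com", "api.example.com", "staging.example.com"},
    "st_api":    {"www.example.com", "api.example.com", "dev.example.com", "staging.example.com"},
}

# Constructed placeholder CDN edge ranges (documentation prefixes, not a real provider's list).
CDN_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

@dataclass(frozen=True)
class ARecord:
    host: str
    ip: str
    first_seen: str  # ISO date
    last_seen: str   # ISO date; the newest record is treated as "current"

# Constructed historical A records, the kind a DNS-history API returns.
HISTORY = [
    ARecord("www.example.com", "192.0.2.10",  "2021-01-01", "2022-06-30"),
    ARecord("www.example.com", "203.0.113.5", "2022-07-01", "2024-01-01"),
    ARecord("api.example.com", "203.0.113.9", "2021-01-01", "2024-01-01"),
    ARecord("dev.example.com", "192.0.2.20",  "2022-01-01", "2024-01-01"),
]

def corroborated(sources, min_sources=2):
    """Split hosts into (confirmed, unconfirmed): a host is confirmed only
    when at least `min_sources` independent sources reported it."""
    counts = Counter(h for hosts in sources.values() for h in hosts)
    confirmed = {h for h, n in counts.items() if n >= min_sources}
    return confirmed, set(counts) - confirmed

def behind_cdn(ip):
    """True when the address falls inside one of the CDN ranges."""
    return any(ip_address(ip) in net for net in CDN_RANGES)

def origin_exposure(history):
    """Map host -> historical non-CDN IPs for hosts whose current record
    points at the CDN; those addresses are the ones to firewall or verify."""
    by_host = {}
    for r in history:
        by_host.setdefault(r.host, []).append(r)
    findings = {}
    for host, recs in by_host.items():
        current = max(recs, key=lambda r: r.last_seen)
        if not behind_cdn(current.ip):
            continue  # not fronted by the CDN, nothing to compare against
        old = {r.ip for r in recs if not behind_cdn(r.ip)}
        if old:
            findings[host] = old
    return findings

if __name__ == "__main__":
    confirmed, unconfirmed = corroborated(SOURCES)
    print("confirmed:", sorted(confirmed))
    print("single-source only:", sorted(unconfirmed))
    for host, ips in origin_exposure(HISTORY).items():
        print(f"{host}: on CDN now, historical origin candidates {sorted(ips)}")
```

A host that shows up in the single-source set is a candidate for resolution from a second vantage point before it is treated as real, which is the same filtering the answer above describes.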

8. What are some of the other must-have tools in your stack?

I have a great admiration for the Project Discovery team, as they have developed a comprehensive suite of tools that cater to various aspects of bug bounty hunting. Their toolset covers a wide range of functionalities, and I find that I can accomplish about 90% of my tasks using their tools alone. However, there are instances where I encounter certain challenges or limitations.

One tool that I have a bit of a love-hate relationship with is Burp Suite. While it is a powerful tool, it can be quite memory-intensive and sometimes slows down my workflow. Nonetheless, it remains a valuable asset in certain scenarios, depending on the nature of the task and the specific target I'm working on.

For larger targets like Tesla, which encompass a vast range of IP addresses within their scope, I may need to employ additional tools to enhance my testing. In such cases, I find tools like Nmap, despite being considered an older and perhaps less trendy option, to be highly effective. In fact, I know of a successful bug bounty hunter who relies solely on Nmap for their testing needs. It goes to show that sometimes the tried-and-true tools can still deliver remarkable results.

Among the tools that I frequently utilize are HTTPX and Findomain. HTTPX proves useful for various tasks, while Findomain specifically aids in subdomain enumeration. I integrate the SecurityTrails API™ into Findomain, which enhances its capabilities by providing access to a comprehensive backend database. This allows me to automate daily tasks of searching for new subdomains and query the information whenever necessary. Additionally, I find immense value in having historical data at my disposal. Even if the data may be considered outdated, I can extract valuable insights by incorporating it into newly developed tools and observing the outcomes.

The ability to access and utilize historical information is truly remarkable. It provides a wealth of insights and strengthens my approach to bug bounty hunting. As new tools continue to emerge, I can leverage my extensive historical data, accumulated over a span of 2.5 years, by running it against renowned programs like Tesla. This approach enables me to extract every possible advantage from the available resources, even if the data is older, and test the effectiveness of these innovative tools.

9. You remarked upon the many different resources for bug bounty hunting and that it can get overwhelming at times. How do you distinguish the good and practical resources and advice from the rest? How do you know which are worth applying?

One aspect that significantly influences my bug bounty hunting endeavors is whether a target appears intriguing and captivating enough to pique my interest. This factor holds substantial weight in my decision-making process, as I believe that maintaining a genuine sense of excitement and curiosity is crucial for sustained motivation and dedication. However, it is important to note that the allure of a target does not always directly correlate with the number of vulnerabilities or bugs it may yield.

While the allure factor is significant to me, I understand that it may not always result in a fruitful outcome in terms of bug discovery. Nonetheless, I prioritize my personal engagement and interest in the process, as it ensures that I remain enthusiastic and fully invested in the pursuit of uncovering vulnerabilities. I firmly believe that when I am genuinely captivated by the target, the quality and depth of my testing improve, leading to a more comprehensive analysis.

10. Tell us about your most challenging bug hunt.

Lately, I've been delving into Adobe Experience Manager instances, and I've noticed that it has become quite a popular topic within the bug bounty community. While I'm not entirely sure about the exact reasons for its popularity, I find this platform to be incredibly fascinating and worth exploring. One aspect that particularly captivates my attention is the challenge of bypassing the dispatcher, which acts as a web application firewall and reverse proxy. It effectively diverts traffic based on a set of predefined rules, and mastering these rules is crucial for successful exploitation.

The dispatcher's rule-based configuration leaves room for error, and it requires meticulous adherence to its specifications. This intricate nature presents an exciting opportunity for exploration, as appending specific elements to queries can sometimes lead to successful workarounds. Recently, I encountered a bug where the target had implemented an extensive set of rules that effectively blocked any file type I attempted to append. This is a common tactic in web exploitation, where appending file extensions like ".css" or ".ico" often provides fruitful results. However, in this case, my attempts to append these file types were fruitless due to the target's vigilant defense measures.

Undeterred, I continued my investigation and discovered a fascinating loophole. It turned out that appending ".xml" at the end of my query consistently triggered a failure, except for one notable exception—sitemap.xml. This file is a common component found on most websites. Leveraging this knowledge, I skillfully constructed my query to include the specific string "sitemap.xml." To my delight, this maneuver bypassed the target's defenses, exposing a vulnerability that ultimately led to a successful exploit and subsequent bounty reward. What makes this discovery even more intriguing is the fact that it occurred within a banking environment, highlighting the universal truth that no organization is impervious to security issues.

11. Are there particular types of bugs you tend to favor?

I must admit that when it comes to certain areas like XSS (cross-site scripting), I struggle a bit. It's not my forte, and perhaps my background plays a role in this. However, I've found my niche in focusing on general misconfigurations instead. My approach involves diving into documentation and paying close attention to what developers have documented. Interestingly, many people who implement these systems tend to overlook the documentation, which works to my advantage.

By immersing myself in the mindset of administrators and developers, I attempt to envision how they might have configured the system and then work backward from there. This approach allows me to explore the realm of potential misconfigurations and vulnerabilities. Rather than solely relying on specialized techniques like XSS, I take a broader perspective and focus on understanding the system's intended functionality and potential areas of vulnerability.

Analyzing documentation and grasping the configuration choices made by administrators and developers often leads me to discover overlooked weaknesses or areas where the system's security may have been inadvertently compromised. By putting myself in their shoes, I can gain valuable insights into potential misconfigurations that may be present and then leverage that knowledge to uncover vulnerabilities.

12. As someone who has experience in pen tests and bug bounty hunting, what are the main differences in your approach?

Bug bounty hunting offers a unique advantage in terms of time pressure compared to traditional pentesting. In bug bounty hunting, there is a certain level of flexibility, allowing hunters to take as much time as they need to thoroughly investigate a target. While this flexibility can be advantageous, it also poses a challenge as it opens the possibility of spending excessive time on less fruitful avenues.

In contrast, pentesting follows a more structured approach with specific time constraints. Typically, pentesters are given a set period, often two or three weeks, to complete the testing process. This limited timeframe necessitates a strategic approach, prioritizing tasks and focusing on areas that are most likely to yield vulnerabilities.

Bug bounty hunting, on the other hand, allows for a more extended reconnaissance phase. Since there is no immediate deadline to meet, bounty hunters can invest more time in gathering comprehensive information about the target. This prolonged reconnaissance process enables them to build a stronger understanding of the target's infrastructure, potential weak points, and potential attack vectors.

However, the absence of a deadline in bug bounty hunting also means that hunters need to exercise caution. Spending too much time on the wrong areas or getting overly immersed in extensive recon can lead to diminishing returns. It is crucial for bug bounty hunters to strike a balance between comprehensive reconnaissance and timely exploitation.

13. What is the most essential skill for a bug bounty hunter?

Something that everyone should be doing, and what I’m bad at, is keeping notes! It’s something I’m always trying to be better at and it’s an incredibly useful and underrated skill.

Sara Jelen Blog Author

Sara believes the human element is often at the core of all cybersecurity issues. It’s this perspective that brings a refreshing voice to the SecurityTrails team. Her ability to bridge cognitive/social motivators and how they impact the cybersecurity industry is always enlightening.
