We’re back with the Hacker Spotlight series and this week we’re giving a shoutout to Sam Curry. Sam is from Omaha, Nebraska, and has been a rising star in the bug bounty community for the last couple of years. We are excited to have Sam as a Researcher Ambassador, where he’ll be working to help teach his local hacker community about hacking and bug bounty hunting.
Follow Sam on Twitter at @samwcyo.
“Hey – my name is zlz, I’m from Omaha, Nebraska, and I’ve been hacking websites for the last five years.”
How did you get started in security and how did you start in bug bounties?
I’ve always been interested in information security, but got started hacking video games. I got into bug bounties after someone showed me what a bug bounty platform was and challenged me to be the first to find a vulnerability on a particular program.
How have bug bounties impacted your life?
I’m comfortable financially and get to spend my time traveling and building up side projects that I’m personally interested in. I love hacking – the fact that someone pays me to do it is just a bonus.
Tell us about a favorite tool(s) that you use and why:
I don’t use many tools, but I like Sublist3r, dirsearch, and Burp. If you’re not using Burp, you’re probably doing something wrong. Sublist3r and dirsearch are good for targets with wide scopes. I’ve found a lot of success with just Burp Browser, but I recently bought Burp Pro.
What’s one of the most interesting bugs that you’ve found lately?
I recently found a Path Traversal in the Path, on a javascript Node application. There’s the application that talks to an underlying API. What you’re able to do is double encode path traversal characters and then traverse out of that argument. You’re then able to overwrite that API call and then access other user profiles. It’s a path traversal that would be exploitable, giving you full access to the application. I was able to access any API on the application.
When hacking, how much time do you spend on something that you find that seems interesting but you’re not able to exploit?
When I find something that I can’t exploit but was interesting, I’ll keep it in mind for the future because I usually find something relative to it in the future and come back to it. It doesn’t happen too often but if I do find something that is particularly interesting, I might spend a few hours on something and then take a break, and come back to it later. My philosophy is that one day you may have exhausted all options, but you’ll read something or hear some news, and you’ll have a new idea.
You’re probably very busy, how do you balance your time?
When it comes to managing my time, I like to schedule my day where I can knock out everything in the morning then stay up late doing research.
What advice would you give to a beginner or someone new to hacking?
Don’t stress out about finding bugs. You’ll find one eventually if you put time into it, but just enjoy the process and figure out how things work.
You seem pretty low stress when you’re hacking. How do you keep your cool when hacking and looking for bugs?
I do totally get to a point where if I haven’t found something for awhile, I’ll think ‘Am I really good at this?!’, but then a while later I’ll end up finding something. To keep cool, I often hack with friends. There’s constant communication, we’ll share notes on what we’re working on and help each other out. I like to hack with people that are super open about what they’re doing and who are easy to work with.
What resources would you recommend that beginners check out? What do you recommend to people that are getting started?
I love reading blog posts and /r/netsec on Reddit. I would totally suggest starting a new twitter account or a twitter list and follow people that are interesting, who share writeups and blogs. Try to build relationships with others in the community, particularly others that are also building relationships in the community. Find someone that you respect in the community and admire, learn from what they do and try to be as respectful as possible in the community.
You’re involved in your university’s infosec group, right? Tell us about that.
I’m at the University of Nebraska Omaha. We have a computer security group called Nullify. I’m an officer and we have about 30 people that come in and we do lessons. It’s often more of an education-focused thing, where we help guide people through CTFs and help people with coursework. Eventually, we’d like it to be more of a club, but right now it’s more of a tutorship. A lot of people are interested in bug bounties and have to find the time to do it.
Someone I know in real life actually just found a bug. They found an asset and I helped them find a vulnerability. The payout should be low four figures, so I hope I can get him hooked a little bit 🙂
What do you like to do in your free time, outside of bug bounties?
I love longboarding and spending time with friends/family. Most of my time in my day is spent on the computer or in class, to be honest. I’ve been getting into Chess lately!
Lastly, do you have any quick tips to share?
Spend more time digging deep into particular functionalities. Recon is awesome, but can only get you so far.
Thank you so much to Sam for his time and for his great contributions to the bug bounty community!
Interested in becoming an ambassador? Apply to become a Bugcrowd Ambassador today! If you have any questions, please Twitter direct message @ChloeMessdaghi or @SamHouston
To find out more information about the whitehat hacker community, download our 2019 Inside the Mind of a Hacker Report.
[button link=”https://www.bugcrowd.com/inside-the-mind-of-a-hacker?utm_source=website&utm_medium=blog&utm_content=report&utm_campaign=itmoah”]Download Now[/button]
