On the HUNT for a cool new Recon tool, but don’t know where to start? Caleb Kinney is your guy!
As an Application Security Enthusiast and Developer Hobbyist, Caleb has worked on a number of free, open-source tools to contribute to the InfoSec community. He recently partnered with Bugcrowd to rebuild and improve a Burp Suite extension called HUNT, originally designed by Jason Haddix and JP Villanueva. HUNT identifies and monitors Burp Suite’s incoming traffic and highlights interesting targets to help you prioritize your testing. You can try HUNT out for yourself by downloading it from the BApp Store!
You can also visit derail.io to learn more about other tools that Caleb has developed!
We sat down with him recently to learn more about his background and get some advice on applying programming knowledge to the bug hunting field.
How did you get into Cybersecurity? How long have you been hunting?
I have been a computer enthusiast since an early age. My Dad was an early adopter of technology and gave me his old Apple IIe while I was still in elementary school. He encouraged me to self-learn programming and I set off to be a web developer and graphic designer while in high school in the late 90s, which later transitioned into a passion for information security. I started bug hunting in 2015 after discovering Bugcrowd at DEF CON 23.
Why did you choose your Bugcrowd handle? Does it have any specific meaning?
LOL. I chose “Caleb” because apparently I have no imagination – look at my OSS projects, I am terrible at names.
How have bug bounties impacted your life?
Bug bounty hunting has affected me immensely – it has made me become a better penetration tester by notably increasing and diversifying my skill set, helping me focus on what is impactful (thank you VRT), and honing my time management skills. However, the most important of all has been the honor of being part of the bug bounty community, which constantly gives back and helps one another.
Do you hunt full time? If not, why?
I was always a part-time hunter. I am actually currently on a hiatus from bug bounty hunting in order to spend more time with my family, since the birth of my daughter, but I miss it and am looking forward to my return!
Do you have any favorite tools or resources to learn? Why?
I am a huge fan of both OWASP ZAP and Burp Suite, the power and depth of those tools are amazing. For learning, I follow some great hunters (including JHaddix who had a profound influence on me with his Bug Hunters Methodology) on Discord, Slack, and Twitter who are constantly giving back to the community in the form of advice, feedback, blog posts, write-ups, tools, etc – the community is awesome.
Do you have any simple tips that you use when you are hunting?
I covered some hunting tips way back when during my talk at LevelUp 0x01 (How to Fail at Bug Bounty Hunting) but mainly it’s: Think outside of the box, automate what you can, focus on what you can’t, and keep digging.
Do you have any advice for new hackers or people transitioning into bug bounty?
Be hungry for knowledge, give back to the community, don’t be afraid to fail, and enjoy the ride.
When you aren’t hunting bugs, what do you do for hobbies/fun?
I enjoy spending time with family (my wife, daughter and dog), learning new programming languages and I am also an avid runner (I am on a bit of a hiatus there too ;)).
Why do you hunt with Bugcrowd?
Bugcrowd has always been the most welcoming community and has directly impacted my life and career since DEF CON 23.
Follow Caleb on Twitter @OptionalValue to keep up with his bug hunting stories!
Stay tuned for more Researcher Spotlights. Want to join Caleb and be part of the Crowd? Join our Discord and sign up for a Researcher Account!