Mohammed Aloraimi, also known as ixSly, is a Cyber Team Leader from the UAE and a Yogosha Strike Force hunter. He shared with us a bit about his journey into ethical hacking.
How long have you been an ethical hacker?
Almost 8 years. It all started with a vulnerability that was affecting a major mail service provider; it was an account takeover due to a misconfigured password reset functionality. The exploit was very trivial, and the PoC was all over the internet. The “HOW” was the real motivation for me, and it marked the beginning of my journey in cybersecurity.
At first, I was mostly into Web App security. But at some point I wanted to know more, so I went on the development side of the job. I started with iOS development with an Apple membership, and I published a couple applications out of curiosity. I wanted to see how developers push their apps, how it worked. The whole process was really exhaustive and instructive. But after all, I realized that development wasn’t what I wanted to do. I can’t stress enough how development is something really different than ethical hacking. It wasn’t my path, so I switched back to security.
In 2015, I began offering my services as a freelance pentester. And in 2020, I landed my current job. Currently, I am a Team Leader for a cybersecurity company based in Abu Dhabi.
You know both sides, so what is your view on the relationship between developers and security teams?
Feature-building is the primary output of the software development life cycle (SDLC) and frequently our favorite aspect of the job. However, many developers continue to put features before security best practices. Most organizations are designed such that it is someone else’s responsibility. Static analysis scanning tools (SAST) and penetration testing are simply two parts of the whole process to reduce security risks.
Imagine that after spending several hundred hours creating a magnificent statue, someone comes along with a hammer and begins knocking pieces off of it after telling you that the base is incomplete.
That’s how the relationship between a pentester and a developer is believed to function: the latter gets their software features destroyed by an outsider who hasn’t gone through the process with them, but is instead adding to their workload and delaying their ability to ship code.
There should be more communication between development and security teams. It shouldn’t come to the point where pentesters really need to test things and find vulnerabilities. It should be about working together before all of this.
According to you, what is the main benefit of bug bounty for companies and organizations?
Bug bounty programs are certainly appealing from a pricing perspective. A pentest, for example, can be very expensive. Pentesters sometimes have a very limited amount of time, and clients demand a black box approach. The auditors then do not have the full picture of how an app is functioning. So it may be more relevant to go for a bug bounty rather than spending thousands of dollars on a pentest. You offer bounties, and you only spend your budget when vulnerabilities are found.
But don’t get me wrong, it’s sometimes essential to involve teams of pentesters. I do believe that a comprehensive report provided by a pentest team is far more valuable than a finding reported by a hunter, with not much of a recommendation for the remediation part, especially since most of the programs don’t consider the recommendation as a primary requirement when submitting reports.
I like to think about pentests as if they’re a snapshot in time. Findings and recommendations reflect the information gathered during the assessment and not any changes or modifications made outside of that period.
Also, I think there is room for improvement when it comes to the incentive amount that companies are willing to pay to hackers.
What is the best part of being a professional hunter?
For me, the best part is finding the deepest stuff. As a professional, I think performing comprehensive AppSec audits and complicated red team engagements is what really brings value.
I like chaining two attacks, finding several vectors and trying to combine them to get serious things. Also, chaining vulnerabilities really maximizes your bounty outcomes as a hunter. It can go from simple things like providing a string to a user agent header and then passing it to a log file for an RCE, to way more complicated vulnerabilities.
And what is the worst part?
I think many hackers would agree with me if I say that the worst part of bounty hunting is duplicates. It is really frustrating to have a report flagged as duplicate when you have done comprehensive work on a vulnerability that is technically valid.
Is there a typology of site on which you particularly like to hunt?
It really depends on the target and the scope. I do believe that enumeration is the key to success in bug bounty hunting.
I like to deal with applications that are written in PHP. Don’t get me wrong, there’s nothing wrong with PHP. But there are a lot of functions and stuff that someone could easily miss. Something that was there since the beginning of PHP, functions that can be abused such as file_get_contents() or such functions. They are consistent to the point where you can find them in any kind of repository or application.
Of course, this applies to more or less all languages, but I feel that PHP is a good starting point for security researchers. It’s been there for a long time, and it’s not going anywhere.
What is the bug you are most proud of having found?
I think it was in 2018 if I remember correctly. It was not a bug bounty but a Responsible Disclosure [when a hacker reports a vulnerability spontaneously, also known as Vulnerability Disclosure Program, ed.].
There was this service provider here in the United Arab Emirates, and I stumbled upon a critical vulnerability in one of their perimeters. I can’t name it, but I can say that at the time, each and every citizen within the UAE was using this service. I double checked the vulnerability many times, and when I was sure it did indeed impact a lot of citizens, I submitted it through responsible disclosure.
I was really happy and proud to have found something that serious.
[Editor’s note] Speaking about Responsible Disclosure: ixSly attended GITEX 2022 in Dubai, which was held after this interview. There, he was awarded as part of a responsible disclosure. Congrats!
Your best memory related to the world of ethical hacking?
I don’t really have a best memory, but I can say that the community itself is an important factor of ethical hacking. It’s always a pleasure to participate in security conferences such as DefCon or BlackHat. To listen to security researchers presenting a Zero-Day vulnerability or explaining how they hacked their way into hardware, cars or IoT. It’s really inspiring to hear them talk about how they came up with these ideas. That’s what makes ethical hacking really interesting.
What is your view on the UAE ethical hacker community? On ethical hacking in the region?
The hacker community within the UAE is definitely growing. Back in the day, there was only one Capture The Flag competition (CTF) a year, and now there are many more. And I think there is more to come, as we see more and more bug bounty programs and events like the GITEX in Dubai that invite community hackers to participate.
Is there any advice you would like to give to new hunters?
A lot of people advise you to be patient. But for me, it’s more about being consistent.
Consistency is really important as a hacker because you can’t just throw scanners on hundreds of targets which are already part of a bug bounty program. That’s not how you find things. You have to take a deeper approach at the application, and always know why you are participating in this specific program. Consistency is key. So, to new hunters, I would say this: try fewer targets, but try deeper.
When he’s not chaining vulnerabilities, ixSly is also hanging out on LinkedIn, Twitter and GitHub.