Samuel Eng is not your typical Singaporean hacker. He started hacking at 23, focusing on server-side vulnerabilities such as Server-Side Request Forgery (SSRF), Server-Side Template Injection (SSTI) and code injection bugs.
Like most hackers, however, he is self-taught. Recognising that technology is evolving rapidly, he keeps abreast of developments by taking certification courses such as the Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE). He also reads security blogs from China, South Korea and Russia.
Asked if there was one hacker from whom he draws inspiration, he pointed to @filedescriptor, because his reports always require multiple reads to fully understand the attack chain.
He says: “I do not want to miss any information.”
Eng recalls that his first bug bounty on HackerOne was from Zomato. It was a SQL injection (SQLi) in a cookie.
“On Saturdays, I usually spend my time doing physical activities, but on that particular day, I was sick with the flu. Since I am a person that cannot sit still, I decided to start hacking (not advisable!). I decided to try weird stuff and start fuzzing weirdly named cookies. I was shocked that it actually worked. The moral of the story is that if you never try, you will never know!”
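The bug class Eng describes, a SQL injection carried in a cookie rather than in a visible form field, is easy to reproduce in miniature. The following is an added example written for this article, not Eng's report or Zomato's code: a hypothetical session lookup that splices a cookie value into SQL, beside the parameterised version that defuses the same payload. The table, cookie name (`sess`) and sample rows are all constructed for the demonstration.

```python
import sqlite3
from urllib.parse import unquote

def make_db():
    """Constructed in-memory session store standing in for a real backend (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (token TEXT, username TEXT, is_admin INTEGER)")
    db.executemany(
        "INSERT INTO sessions VALUES (?, ?, ?)",
        [("a1b2c3", "alice", 0), ("d4e5f6", "root", 1)],
    )
    db.commit()
    return db

def parse_cookie_header(header):
    """Split a raw Cookie header into a dict; values are URL-decoded, as a browser-sent
    cookie usually is. Deliberately tolerant so that fuzzed values reach the query."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = unquote(value.strip())
    return cookies

def lookup_vulnerable(db, cookie_header):
    """Deliberately vulnerable: the cookie value becomes part of the SQL text."""
    token = parse_cookie_header(cookie_header).get("sess", "")
    sql = f"SELECT username, is_admin FROM sessions WHERE token = '{token}'"
    return db.execute(sql).fetchall()

def lookup_fixed(db, cookie_header):
    """Hardened: the cookie value travels as a bound parameter, never as SQL."""
    token = parse_cookie_header(cookie_header).get("sess", "")
    sql = "SELECT username, is_admin FROM sessions WHERE token = ?"
    return db.execute(sql, (token,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # A legitimate cookie resolves to exactly one session in both versions.
    print(lookup_vulnerable(db, "sess=a1b2c3"), lookup_fixed(db, "sess=a1b2c3"))
    # A classic tautology payload: the vulnerable path returns every session,
    # including the admin one; the parameterised path returns nothing.
    payload = "sess=%27%20OR%20%271%27%3D%271"   # URL-encoded  ' OR '1'='1
    print(lookup_vulnerable(db, payload), lookup_fixed(db, payload))
```

The point for a hunter is that scanners and proxies typically fuzz query and body parameters by default; cookies have to be marked as injection points explicitly, which is why a bug like this can survive routine testing.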
He also admitted that recon is not something he is good at.
“That is why I prefer programs which have a lot of unique features. Of course, a bigger program scope is awesome for hackers. A bigger program scope means more attack surface and of course more bounties.”
While he acknowledges that hacking started out as a hobby, he says “the feeling of accomplishment when a company replies with an appreciative message for the work that we do cannot be found elsewhere.”
He also noted that hacking today doesn’t carry the sinister stigma that it once had. True, there are good and bad hacking activities, but his own family found his chosen profession an interesting career.
He believes that it is important to market ethical hacking not only as a job that pays well but also as a hobby that can be fun and meaningful.
Asked what advice he would give to aspiring hackers, Eng said: “Have an appetite for knowledge or be hungry for more knowledge. Whenever one stumbles across an interesting topic, it is important to also dive deep and do deep work (30 hours) to fully understand the concepts before moving on.”
In an exclusive with FutureCIO, he shared a few more tidbits about life as a hacker.
What tools do you use as part of the hacking trade?
Samuel Eng: Basically, I use Burp Suite and Proxifier for thick clients. I also use some basic custom enumeration scripts.
Can you share your methodology?
Samuel Eng: There are two main parts. The first part will involve recon such as subdomain enumeration and spidering of sites. After spidering, my script will filter all the endpoints with parameters and feed it to a scanner that will check for basic technical vulnerabilities such as SQLi and XSS.
The other part involves diving deep into an application that I find interesting. The definition of interesting refers to domains that have unique features or an odd domain (by looking at the title). I will then look out for application-specific issues that scanners cannot pick up.
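The first half of that methodology, taking spidered URLs, keeping only the endpoints that carry parameters and handing them to a scanner, is a small piece of code that many hunters end up writing. The block below is an added illustration for this article, not Eng's own script: it filters a constructed list of crawled URLs against a hypothetical scope, drops static assets, collapses URLs that differ only in parameter values into one target, and emits one scanner input per parameter with the value replaced by a `FUZZ` marker. The domain names, scope set and URL list are all invented for the example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed crawl output; none of these hosts are real targets.
SPIDERED = [
    "https://app.example.com/search?q=test&page=1",
    "https://app.example.com/search?page=2&q=other",   # same endpoint, different values
    "https://app.example.com/about",                    # no parameters: nothing to inject
    "https://static.example.com/js/app.js?v=123",       # cache-buster on a static asset
    "https://app.example.com/item?id=42",
    "https://evil.example.net/login?next=/",            # out of scope
    "https://app.example.com/item?id=42#section",       # duplicate once the fragment is gone
]

# Hypothetical program scope (assumption): apex domains whose subdomains are in scope.
SCOPE = {"app.example.com", "api.example.com"}
STATIC_EXT = (".js", ".css", ".png", ".jpg", ".gif", ".svg", ".woff", ".woff2", ".ico")

def in_scope(host, scope):
    """True if host equals an in-scope domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in scope)

def select_targets(urls, scope):
    """Keep in-scope, non-static URLs that have query parameters, deduplicated by
    (host, path, parameter names) so each distinct endpoint is scanned once."""
    seen = set()
    targets = []
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if not in_scope(host, scope):
            continue
        if parts.path.lower().endswith(STATIC_EXT):
            continue
        params = parse_qsl(parts.query, keep_blank_values=True)
        if not params:
            continue
        signature = (host, parts.path, tuple(sorted(name for name, _ in params)))
        if signature in seen:
            continue
        seen.add(signature)
        targets.append({"url": urlunsplit(parts._replace(fragment="")),
                        "params": [name for name, _ in params]})
    return targets

def with_marker(url, name, marker="FUZZ"):
    """Rebuild url with the value of parameter `name` replaced by a scanner marker."""
    parts = urlsplit(url)
    params = [(k, marker if k == name else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), ""))

def scanner_inputs(targets):
    """One marked URL per parameter: the list a SQLi/XSS scanner would consume."""
    return [with_marker(t["url"], name) for t in targets for name in t["params"]]

if __name__ == "__main__":
    for line in scanner_inputs(select_targets(SPIDERED, SCOPE)):
        print(line)
```

The deduplication key is deliberately the set of parameter names rather than the full query string; two URLs that differ only in values almost always hit the same code path, and scanning both just burns rate limit and triage goodwill. Cookies and POST bodies are not covered here, which is exactly the blind spot the first example illustrates.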
If you look at the bug bounty market in Singapore today, do you see areas where further development needs to happen?
Samuel Eng: I think Singapore companies should take security beyond compliance. Penetration testing can go hand-in-hand with bug bounties. When done properly, a well-developed bug bounty program can discover amazing bugs that cannot be easily found in penetration testing. Dedicated bug bounty hunters will hunt for months or even years on your program, compared with the few days or weeks that are typical of a normal penetration testing assessment.
What is your suggestion to bug bounty platforms to encourage greater participation by individuals such as yourself?
Samuel Eng: I think for many hackers, having a large scope and responsive triage team will always lure hunters to take a good look at the program.