Detectify Crowdsource hacker Sebastian Neef, otherwise known as Gehaxelt, has an inspirational background in ethical hacking. Driven by curiosity, a sense of friendly competition, and an aspiration to do good for others, he has built a successful career as an ethical hacker and cybersecurity expert.
In our recent Detectify Crowdsource Awards, Gehaxelt was the winner of the Fabulous Feedbacker award, which acknowledged his constant willingness to help, great attitude, and proactive activity in our internal channels.
Read on as Gehaxelt shares how he started out on his career path, some of his current go-to resources and tools, and valuable pieces of advice for fellow ethical hackers who are looking to further their skills.
Detectify: How did you first become interested in ethical hacking, and what inspired you to pursue it as a career?
Gehaxelt: When I was eight years old, I got my first computer. Back then, I was just playing around with lame, 2D computer games. It wasn’t until I was 14 that my father showed me how to build simple websites using plain HTML and CSS. I was thrilled and became motivated to learn more about this. At some point, it slowly evolved into writing automation bots for the games I was playing. One might not consider this to be hacking, but it helped me begin to think outside the box.
While finishing high school two years later, the infamous hacks by Anonymous were all over the mainstream media. It was at that time that I asked myself, “Is hacking (websites) really that easy, or are these hackers just really skilled?” To find out, I began to investigate and spent many evenings browsing the internet learning about web security and various hacking techniques.
And it turned out that hacking can be really easy if you know a few tricks. At least back then (around 2010 or so), many web frameworks, web developers, and sysadmins weren’t as security-aware as they are today, so classic vulnerabilities like SQL Injection, cross-site scripting (XSS), and others were effortlessly found.
I first came across responsible disclosure and bug bounty programs sometime around 2011/2012, which presented a great opportunity for me: Legally being able to test my skills and knowledge against real-world targets and not just some simulated hacking challenges. Certainly enough, I began to find issues that were worth reporting and placed me in a few halls of fame (including those of Google, PayPal, and Twitter). That was a great feeling and a few programs handed out swag or money in return, which was a nice motivational boost. Especially as a soon-to-be student, it was great to earn some extra money doing what I enjoyed.
When I was hacking during those years, I often imagined a “challenge” between the website’s developers and myself — in other words, can they write code that I won’t be able to hack? Can I be better than them? Many times, the answer to these questions was yes, and the resulting rush of adrenaline did the rest. 😉
“Responsible disclosure and bug bounty programs presented a great opportunity for me: Legally being able to test my skills and knowledge against real-world targets.”
However, doing it alone can be boring at times. Luckily enough, bug bounty communities were beginning to form on Twitter and various online chat groups, so using those channels, I began to exchange writeups, techniques, and ideas with others. Although it was tough competition, it had a positive feedback loop, and collaborating was fun, too.
In the end, we were helping companies to make their websites more secure and thus protect customer data from being stolen.
Detectify: What steps do you take to ensure that your work as an ethical hacker is both legal and ethical?
Gehaxelt: Unfortunately, not all websites that I frequented had a responsible disclosure or bug bounty program, so in 2012, I founded the project internetwache.org. The main idea behind the project was to see how less security-aware companies or website administrators would react to my vulnerability notifications. Plus, as I often used the service myself, I wanted to have my data secured from bad actors.
Since Germany has “hacking laws” prohibiting security testing without authorization — and I assumed that just sending out emails from “email@example.com” would quickly land me in jail — I needed to be more clear about my intentions. Thus, the project’s domain and website were intended to convey my good, ethical intentions. The site was set up to explain who I am in detail and the fact that with my testing, I’m simply trying to help companies improve their security posture: I test solely for vulnerability symptoms, not exploiting anything or pivoting into things I shouldn’t see.
From a legal perspective, the intent might not have changed anything in front of the court, but I was still a teenager and a bit naive, so I believed that nobody would sue someone trying to help them. But to reiterate: I never tried to exploit a vulnerability; instead, I just looked for the symptoms (i.e. an SQL error message/page behavior when changing parameters, broken HTML when entering some tags, etc.). Also, I ensured that the emails I sent always had a friendly tone and never asked for anything in return.
This appeared to have worked: The majority of people that I contacted responded in a friendly manner, thanked me for pointing out the vulnerability, and sometimes even offered a token of appreciation. The worst experiences that I had were either being ignored or being told to not bother the recipient with such things.
Coming back to the initial question, though, I believe that it’s important to know the boundaries. Over recent years, we’ve heard a few stories of security researchers going too far and getting in trouble. If one respects the scope of a program, tries not to break things when performing their tests, and doesn’t attempt to extort anything (a.k.a. “bounty plz”), chances are good that it will be a win-win situation.
But of course, my story could totally be survivor-biased and might not work out well for others, so take it with a grain of salt.
“If one respects the scope of a program and tries not to break things when performing their tests, chances are good that it will be a win-win situation.”
In the end, it all boils down to trust. Can you be trusted not to overstep visible (or invisible) boundaries? Can you effectively communicate your good faith effort?
In all cases, it certainly helps to be aware of the rules of a responsible disclosure and bug bounty program and follow them thoroughly. If you’re unsure, ask first.
Detectify: How do you stay up-to-date with the latest hacking techniques and technologies? What are some of your go-to research resources?
Gehaxelt: Back in the day, Twitter was a really great resource for this once you followed the right people who frequently shared their findings and techniques. However, I feel like this has changed over time – I now see fewer write-ups on blogs, but on the other hand, there are many publicized bug bounty reports that you can read, understand, and learn something from. There are also other sources of knowledge, like YouTube or podcasts, but in the end, nothing beats hands-on experience.
Personally, I really enjoy reading HackerNews to get a community-curated feed of technical news related to IT security. In terms of keeping my skills and knowledge up-to-date, my go-tos are capture the flag (CTF) competitions. Solving security riddles with a team of like-minded people has been — and still is — an invaluable learning resource for me. Well-organized CTFs usually feature the latest vulnerabilities and hacking techniques, so you won’t be able to avoid them if you want to come in first place.
Talking to other people, collaborating, and attending conferences obviously also helps in staying up to date. Last but not least, as a Ph.D. candidate, I closely follow academic research, which can sometimes be applicable to bug bounties as well.
Detectify: What do you consider to be the biggest ethical challenges facing today’s ethical hackers and how do you address them in your work?
Gehaxelt: In regards to responsible disclosure and bug bounty programs, the steep competition is a big challenge. It can become quite demotivating if you’re unable to find vulnerabilities or only come across dupes — and this happens more often these days, since modern websites are more secure than they were 10 years ago.
It might be tempting to go out-of-scope and hack on endpoints that others haven’t yet looked at, but in doing so, you’ll void the Safe Harbor Agreement (SHA) that most bug bounty platforms have. You can avoid that if you stay inside the scope and keep true to a program’s rules. Ask the program owners if something is unclear.
Detectify: What are your favorite parts about working with Detectify Crowdsource?
Gehaxelt: Talking about abiding by the scope, Detectify can be a big help in this regard. Once a submitted module is validated and accepted, it will only be run against Detectify customers’ assets and endpoints, which Detectify is authorized to do. This saves Crowdsource hackers time hacking on other bug bounty targets — while Detectify runs your modules on other customers’ assets, you’ll have a greater reach running your vulnerabilities against targets you might not otherwise have access to. It’s also great if you don’t have the time to do hours-long or all-night bug bounty hunts. You’ll receive a monetary reward every time your module produces a hit.
In a nutshell, what I like about Detectify’s Crowdsource system is that they do the work and I can do the research — it’s a win/win for everyone. 🙂
Get involved with Detectify Crowdsource
Detectify Crowdsource embraces the talents of ethical hackers like Gehaxelt. If this work aligns with your interests, we encourage you to learn more about the opportunities made possible by joining Crowdsource.
Additionally, you can keep up with our team’s activities to stay looped in on our Crowdsource hackers’ latest and most significant research.