In our ‘meet the hacker’ series, we take the time to talk with Intigriti community members who have an impressive track record, an unusual methodology, or have made valuable contributions to the community. This time, we talked to Katie Paxton-Fear (aka InsiderPhD), who is well known for her YouTube channel, where she helps hacking newcomers and veterans gain new knowledge.
Hi Katie! Please tell us a bit about yourself, who is Katie Paxton-Fear?
Hi everyone, my name is Katie.
In ascending order, I am a lecturer, I am an application security engineer, I am a hacker. And when I have free time, I also make YouTube videos teaching other people how to get into bug bounties and hacking of all kinds of web things.
We, as Intigriti, are obviously always interested in hearing about bug bounties. When was the first time that you heard about the term “bug bounty”?
I was at university doing my undergraduate during my PhD. So this was about five years ago, six years ago, probably.
Speaking of bug bounties, do you remember what the first bug was that you handed in to any program?
I don’t think I could forget that experience. I was really fortunate to be able to go to a live hacking event that was hosted in London.
When I got there, we had half an hour of “here’s how to set up Burp” (which I’d never heard of before). We had a nice 30 minutes on how to do recon (I’d never done recon before, didn’t even really know what I was doing). But while I was there, I found my first bug.
It was not a very complex bug. I mainly noticed an exposed API. A PUT request that was doing the kind of normal thing and I started playing around with it. I was able to remove the cookies and it still worked. This is how I found my first IDOR.
Let’s talk a little bit about your YouTube channel. When exactly was it that you started it?
After I’d been to that live event 2 years ago, I actually was very fortunate to get invited to another live event as a mentee that was in Vegas while DEFCON was running. When I was there, I met with some of the other mentees. I had a little bit more experience with hacking at that point than some of the other mentees. And I realised that one of the hardest things for the other mentees was how to actually use Burp.
Burp is an incredible tool, but oh my god does no one explain how to use it properly. And there is a need to know what each tab does and what each tab should be used for. I really realised that I struggled with that, but also, they struggled with that. We could not be the only people who struggle with that. So, my first video I ever made was about “here’s what every tab in Burp does, here’s how you can use it”.
I checked your YouTube videos, and the video with the most views on your channel is called “Choosing your target”. I’m wondering, why do you think that people have so much trouble with choosing the right target? Why is this your most successful video?
I think it comes down to two things. One is that no one really talks about how to do that part. A lot of people who write write-ups, people that are very successful, don’t really talk about how they actually chose that target in the first place. They kind of just skip to the hacking part. And there are many other reasons why that could be: maybe it was just a private invite that they got given, or maybe they didn’t really put that much thought into it.
But it’s one of the biggest questions new hackers have. It’s like, well, how do I actually pick what to hack? How do I know I’m hacking the right thing?
Back to hacking. What is it, if you sit down and you hack along on a bug bounty program, that excites you the most?
I always think of myself as like a Sherlock Holmes character. I really like the whole thing of finding a lead and then chasing it down, seeing where it ends up. The process of going from entry point to exploitation is really enjoyable. But I think what really excites me the most at the moment is seeing how everyone who follows me is getting success, because I’ve always been more of an educator.
What is the first thing you do when you approach a new target? And what would be your number one advice to new hackers, if you can only give away one?
The first thing I do when I get started on a program is pressing all the buttons. I will want to find out what things I want to see. Can I change my account name? Can I change my email address, country and my password? What’s this functionality? What does it do? It’s always press the buttons.
On top of that, my number one advice is: don’t get caught up in recon. Recon is really popular right now. A lot of people have the experience of, you know, “I’ve done recon, what next?” It can be quite challenging to go from recon to actual exploitation, so I’d say don’t get caught up in that. Do basic recon to find things to increase your attack surface, but focus on those manual exploitation bugs, because the top hackers are already doing the recon part.
It’s going to be very difficult to compete with them. However, it’s going to be much easier to compete with people who are doing manual exploitation. So don’t get caught up in recon. And, you know, press all the buttons whenever you start working on a target. They’re very related; pressing all the buttons is my recon strategy.
What is your number one hacking tool that you would recommend to people, except for Burp Suite?
So apart from Burp and your brain (which I think are the two most important tools)?
I’d say one of my favourite tools is first a programming language. So, Python for me. If I had to pick a tool that you could just run and go, then right now Kiterunner. It is one of my favourite API hacking tools because it is so good at finding API endpoints.
Okay, I do have a couple of “Would you rather” questions for you. Here we go! Would you rather choose a bug bounty programme with a very tiny scope or a really large scope?
Difficult to say, because I think it really depends on the application. Though I would probably prefer to hack on a smaller scope, because other people don’t like it and I think there might be less competition.
Would you rather want to be listed in Facebook’s or in Google’s Hall of Fame?
Google, though it’s a reluctant answer, and I’ll explain why. I would much rather be helping out smaller organisations than going for massive multinational corporations that have too much money. I feel like there’s a lot of good that can be done in smaller companies, because they need the help more.
One more. Would you rather try to teach your mom how to hack or a school class of 10-year-olds?
I’ve already taught my mom how to hack, so it has to be the 10-year-olds, because my mom’s a bit of a technophobe. But teaching her to hack was an experience and a half, because she wouldn’t touch the computer. So, I guess, yeah, I’ve taken on the challenge of teaching my mom how to hack, so now it’s time to go teach a class of 10-year-olds.
Thank you, Katie, for this interview! Do you have any final words for our audience?
Yes, to everyone who is stuck finding their first bug and ends up doom-scrolling through social media and feeling kind of bad because of others’ success: don’t do that. You’ll find your first bug when it’s time. And it might take a while before it is time, but you’ll find it. Just keep on being persistent. Don’t end up getting caught up in the hype. Do your own thing. You got this!
Did you like the short form of the interview? Do you want to hear more from Katie? Watch the full conversation between Pascal and Katie right now on YouTube.