Cobalt Crowdsourced Application PentestCobalt Crowdsourced Application PentestCobalt Crowdsourced Application Pentest

<
Back to Main

Pentester Spotlight: Nikhil Srivastava

Cobalt
Oct 29, 2020

Nikhil Srivastava has been a top-performing pentester on the Cobalt platform for the past five years. He is an active member within the security community as both a pentester and award-winning bug bounty hunter.

Additionally, Nikhil is the founder of Security BSides Ahmedabad, an international security conference. When he isn’t hacking Nikhil enjoys traveling and exploring untouched nature. His words to live by are “never give up,” and it is an attitude he applies to his security career and life as a whole.

We had a chance to hear from Nikhil to learn more about his pentester origin story and what he enjoys most about being a part of the Cobalt Core.

Pentester Origin Story: How did you get into security?

NS: To me, hacking can be summarized as anything acting outside the realm of normal. It is thinking outside the box, making things act in unintended ways, bypassing norms, and doing things in ways not previously thought of. Growing up, I had always been a curious kid who was notorious for acting outside the normal way of doing things.

I did not get my hands on a computer until university when I was studying Information Technology. In general, I choose my area of study because I was curious about computers and how technology works. This is when I was introduced to the fun technical side of hacking. During my bachelor’s, while interning at an infosec company, I was introduced to Aditya Modha. He became my mentor for getting started in pentesting; he guided me in choosing a focus, taught me about critical vulnerabilities like SQLi and RCE, and helped grow my interest in breaking software. This was over a decade ago, back when online resources were not as readily available. Much of my learning was self-taught. I started by reading several books like The Web Application Hacker’s Handbook, The Tangled Web, and Web Application Obfuscation. Later on, I came across Burp Suite and read more details on how to use it. I’m also quite active on Twitter, so I started and still do follow infosec pros like Mario Heiderich, Masato Kinugawa, kkotowicz, etc.

What motivates you when it comes to pentesting?

NS: Money is a big motivation for me. However, pentesting has also opened me up to a whole new world of like-minded security individuals, allowed me the ability to travel the world, and has given me meaningful recognition for my speciality, which contributes to my motivation for giving my all.

As mentioned previously, my motto in life is never to give up, and remains my driving force while pentesting. When given a tough application, I enjoy the challenge and won’t rest until I can achieve my intended outcome.

What does a good pentest engagement look like?

NS: When starting a pentest, kickoff calls with the customer are crucial for gaining a better understanding of the product. This helps pentesters get to know the critical areas of applications and develop an understanding of business logic. All product information related to the application as well as any additional information should be shared with the pentester(s). Details of all previously found vulnerabilities in their application can also be extremely beneficial.

In the past, I have found sharing or getting temporary access to a customer’s GitHub to be extremely useful during an engagement. It is useful to know what bugs have been found on the application previously, what they are still working on, and what bugs are pending. Knowing these details saves valuable time and also gives us a better idea about what areas and types of vulnerabilities to focus on.

In my experience on the Cobalt platform, the most successful engagements happen when both the customer and the pentesters are actively communicating during the engagement. This makes addressing any questions fast and easy which helps pentesters be as efficient as possible with their time. This helps eliminate response time delays which can occur when there is no direct way of communication.

What are the top 3 traits that a pentester should possess to be successful on Cobalt?

NS:

  1. Technically Sound: Being skillful in your area of technical expertise and having learning abilities for new technologies. Application security is a dynamic field. One needs to keep themselves updated about the latest vulnerabilities, tool suites, and techniques. Continuous learning is key when testing products against the latest attack vectors.

  2. Excellent Reporting Skills: The report is the final exhibit of your findings. It should be detailed oriented but concise. This skill goes a long way in helping the customer understand the impact of an issue, giving guidance in replication, aiding in actually fixing issues, and differentiating from any false negatives.

  3. Good Communication Skills: A pentester should be able to ask all the important questions during the kick off call and also communicate any assistance that he/she may require during the pentest. One should be able to address and articulate any questions that the customer may have regarding the test approach or the findings. Good communication also helps when it comes to working with other pentesters and can aid in finding interesting and impactful results.

How do you manage your time and avoid burnout?

NS: The best way to avoid burnout is to take time to shift your focus and do something completely different from your work. Sitting for long hours in front of the computer has an impact on your brain, body, and overall health. To combat this, I make it a point to exercise every day. For me, it’s a great way to kick start the day but also releases pent-up energy that can lead to stress. A healthy body leads to a healthy mind.

What kind of targets excite you the most? Do you have a favorite vulnerability type?

NS: I like to get my hands on all kinds of applications, especially the ones which offer higher incentives. I love to discover XXEs.

How do you learn about different security concepts? Where do you go?

NS: Google is my ultimate Guru for searching for resources on any topic that I want to specialize in. Apart from that, I follow #BugBountyTips on Twitter, which lends itself to several cool tips and techniques around exploiting vulnerabilities. There are a lot of blogs and articles shared by hackers describing their approach to a target and insights on finding a particular bug. All these are great for knowledge enrichment.

How do you conduct research and recon for a pentest?

NS: It depends on the type and scope of the pentest as well as the details a customer shares.

For a web application with a single domain in scope where credentials are provided, I start with some Burp Suite extensions. I also find ffuf to be very handy for directories and file fuzzing. Apart from this, I run scriptfinder to find all javascript files in a given domain and then run secretfinder to look for any hardcoded secrets inside those.

If a web application is given with wildcard scope, I usually run sub-finder, amass, Gobuster, etc to discover subdomains. Then, httpx helps in discovering active services on those subdomains. As a final step for recon, I run nuclei templates to check for any known issues or security misconfigurations that might be present. And, then I start manual exploration for vulnerabilities.

Additionally, seclists are really useful for any kind of list you need. Also, I use Commonspeak2 wordlist for subdomain bruteforce, if required. In the case of a network or host pentest, I run nmap or masscan on in-scope IP ranges to discover ports and services and start looking for vulnerabilities on discovered services.

Do you leverage any tools? What are your go-to tools?

NS: I am all about Burp Suite Pro with a few extensions like burpjslinkfinder, wsdler, param miner, backslash powered scanner, saml raider, etc. In addition, I’m a big fan of project discovery tools.

Other tools I use include but are not limited to Amass, Goaltdns, masscan, SecretFinder, Gobuster, recon.dev, getallurls (gau), scripthunter, url-tracker, etc.

What do you enjoy the most about being a part of the Cobalt Core?

NS: The best part about being in the Cobalt Core is the environment of mutual knowledge sharing. I enjoy being able to connect with top pentesters from around the world and learn from them and their findings. You can simply throw out a question in the channel and whoever knows it readily shares their insights to help you out.

What advice would you offer to someone who is interested in getting into pentesting?

NS: Focus on learning, play CTFs, stay up to date on the latest security vulnerabilities, and learn a programming language– not required, but will add value!

What do you wish every customer knew before starting a pentest?

NS: Be ready to interact with pentesters! Communication is vital and to get the most out of your pentest you should be ready to work with the pentesters. Create a list of prerequisites (documentation, test credentials, etc.) and keep them up to date. These will also come in hand for future pentests.

What do you like to do outside of hacking?

NS: I love to travel to different places and hang out with friends in my spare time. Before the world stopped and traveling was put on pause, I had been visiting several cities. Spending the previous New Year’s in Sydney and spending time in Las Vegas for Blackhat/Defcon where I got to go on a helicopter ride and hang out with the Cobalt Team!

What are your short term and long term personal or career goals?

NS: I strive to be a better version of myself every day. I am actively involved in the security community and am a huge proponent of giving back. I am one of the founders of BSides Ahmedabad, a community-driven security conference in India. Through this initiative, we have helped peak a lot of people’s interest in application security and bug bounties. Not only that, it has opened doors for many organizations to find their potential security researchers. My goal is to constantly keep learning and contributing to the community.

You can take a look at other Core pentester profiles here. Interested in joining the Cobalt Core? Apply here.