Chapter 1: Ethical Hacking websites for fun...but especially for profit

It has been almost ten years since Elias Levy, also known as Aleph One, published one of the most interesting papers about buffer overflows and creating exploits, "Smashing the Stack for Fun and Profit", in Phrack magazine issue 49 in 1996. In a way, the phrase "for fun & profit" has resonated through the hacker community ever since.

For major web applications on the internet that operate as SaaS, the word 'fun' is out of the question, certainly when hackers are able to compromise the precious data and privacy of their clients and users, let alone the embarrassment and bad publicity this carries with it.

It is clear that hackers are not smashing the stack directly here, but SQL injection and XSS are to web applications what a buffer overflow is to hacking the stack and injecting shellcode. Nowadays we talk about 'XSS payloads' and SQL injection attacks more than ever. Buffer overflows continue to haunt embedded systems, software and operating systems; however, web vulnerabilities have become a common way to compromise systems.

'Profit' has become the major reason behind finding vulnerabilities these days. That profit comes in different forms. Blackhats can sell compromised information, such as credit cards, on the underground market, or sell the vulnerabilities themselves to mafias that operate in a very professional way to steal money or ransom data.

For the whitehats, that profit comes in the form of a 'bounty', a prize that hackers and pen testers can claim through Bug Bounty Programs launched by major software companies. I could certainly also change that sentence to 'Hacking websites for fame and profit'. Hackers capable of finding a lot of bugs through these bounty programs obtain rankings, money and kudos.

Indeed, there is a lot that can motivate us to spend our free time (or weekends) on bug bounty hunting, but we should keep in mind the 'fun' part of it. We know it is not fun for those companies, like Oracle, whose CEO recently went into a rant criticizing penetration testing of their code, but responsible disclosure and helping organizations find weaknesses before the blackhats do is definitely a major contribution on our part to making the internet a more secure place.