Johnny Villarreal

Having worked through all manner of training, including OSCP and various other certifications, he found himself interested in trying to up his game in the field of web application security.

He spent the first few months of the COVID-19 lockdown meticulously working his way through each and every one of the topics on the Web Security Academy, working for hours every day until he had completed them all. Ranked in 4th place in our Hall of Fame (at the time of this interview), we wanted to find out how the Web Security Academy helped Johnny to further his knowledge of web application security.

Emma S (PortSwigger): So what was the first lab you completed on the Web Security Academy?

Johnny Villarreal: Server-side request forgery, that's where I started. For a lot of us bug bounty hunters, it's a pretty hot topic. There are a lot of people who walk off with $10k bounties from these programs and it's always "SSRF", "SSRF", "remote code execution", "SSRF" ...

"To find a place that had all of that information in one location, with a consistently high quality of labs, especially being free, it's a no-brainer. Why wouldn't you dive right into it?!"

ES: A new topic release would be a pretty exciting day for you then! How do you find out about the launch?

JV: I actually have an alert set up, so I get buzzed whenever there are any updates from the Web Security Academy on Twitter. I absolutely love the labs, so I have to know straight away when there's a new challenge for me to try and beat!

ES: And do you have any favorite topics on the Web Security Academy?

JV: HTTP host header attacks, without a doubt, that whole topic blew my mind. The host header attack class is the focus, but it's also relative to server-side request forgery. This one was really interesting to me because it's one of the weird, interesting quirks that I run into on real applications all of the time.

"I run into this so much that I've actually made a scanner for SSRF. I'm not calling it an SSRF scanner, but it kind of is ... It uses some of the things that I learned with that whole vulnerability class where I could basically throw a few hundred URLs in, walk away, grab a beer, come back and have a bunch of callbacks to my C2 server."

ES: Are there any topics on the Web Security Academy that you've revisited after completing the labs?

JV: The ones I like to go back to are usually the topics that have multiple vulnerability classes in them. In one of the deserialization labs for example, you had to achieve SQLi. That was mind blowing because you're doing deserialization, so you're expecting remote code execution right off the bat to some degree, but it just didn't happen that way. This particular lab reminded me that while certain restrictions in an application's environment will limit one path to exploitation, you can definitely still maximize impact by taking another exploit chain path such as deserialization to SQLi.

ES: Do you ever use the Web Security Academy to train other people?

JV: Every time I run into newcomers, whether that's in the industry, students, or just friends, even when I'm hosting my workshops for people, I always recommend it. Within the Synack Red Team, we have roughly 1500 researchers assessing assets every day. Whenever some of my fellow researchers figure out how to really push or chain certain vulnerabilities they discover or just train in a certain vulnerability class, I often point them straight to you guys and the Web Security Academy. It's a great resource.

ES: Is Burp Suite essential to you, and your use of the Web Security Academy?

JV: I think having Burp Suite Pro is extremely convenient, because the features are all there. If I'm bruteforcing multi-factor authentication, something like Burp Suite macros makes it ten times easier to accomplish that goal. You technically have everything you need to do it without Burp Suite, it just depends whether or not you want to rip your own hair out ...

ES: If you had to pick one thing, what would you say is your favorite thing about the Web Security Academy?

JV: There are so many good things, but a really unspoken benefit for me is having an exploit server provided. I've ruined my own exploit server a whole load of times so it's brilliant to have one there to work with. You can carry out out-of-band exploitation, or attacks that would normally require you to have some sort of infrastructure of your own, so I really liked that it was provided for you.

ES: Are there any topics you'd really love to see on the Web Security Academy in the future?

JV: I loved the business logic vulnerabilities lab with the encryption oracle, that was properly fascinating. I literally spent days doing the mental equivalent of running into a brick wall trying to solve that one. I'd love to see more stuff on that, but maybe with some tutorials or at a level more suited to beginners.

"When I finally solved that business logic vulnerabilities lab I got such an adrenaline rush - we need more content on that so that more people get to enjoy that feeling!"

ES: Has training on the Web Security Academy enabled you to do anything you couldn't do before?

JV: I feel much more confident in my knowledge on how certain vulnerability classes work now. It's been such a huge benefit for me, and none of that would ever have been possible if I hadn't had those labs and learning materials available to me.

ES: And finally, do you have any advice for people just starting out on the Web Security Academy?

JV: I would tell people that they should always start with command injection, because they'd start seeing the impact of being able to run commands on somebody else's server - that just makes it a lot more realistic in their perspective.