Web Security Academy

Kamil Vavra

High flyers in the Hall of Fame

Interviewing the Web Security Academy high flyers

Kamil is an Application Security Engineer from a small town in the Czech Republic. He got into hacking at around 14 years old, and has continued to hone his skills for the past 15 years. He's passionate about the security community, and loves how much it's developed and grown in the time he's been involved in the industry.

"When I started hacking, I didn't even know how to speak English. I knew how to exploit XSS, SQLi, everything in the OWASP Top 10, but my English was so bad. After I got comfortable with the language, when I could read books and blogs, it opened a whole new world for me."

A high flyer in the Web Security Academy Hall of Fame

After overcoming his language barriers, and self-skilling himself to the point where he's ranked in second place on our Hall of Fame leaderboard (at the time of interview), he now spends most of his time trying to give back to the community who gave so much to him.

"So many people have shared their knowledge with me over the years, so now everything I do, I try and open-source it and make it available to everyone else. I think everybody should do this, we all have things to learn and knowledge to share."

After understanding how hard Kamil worked to get to where he is today, we wanted to find out what impact the Web Security Academy had on his road to success.

Emma S (PortSwigger): You've been hacking since you were 14 - what was your first paid bug bounty?

Kamil Vavra: It was sometime in 2016 - I was exploiting a weird vulnerability called right to left override. You basically change the file name, which lets you spoof the extension of the file. I reported it to Dropbox, and Edge Browser, along with a few others - most of them quietly issued a fix but some of the other companies gave me a bounty. I was actually invited into a private programme because of it, that's when I really started getting excited about bug bounty hunting.

ES: So, do you use Burp Suite?

KV: I used Burp Suite Community Edition for years but after I got that first bounty, I got myself a Burp Suite Pro license straight away! I use Burp Suite Pro in my day-to-day work, but I also spend a lot of time teaching developers so I still use the Community version for that. It's easier for them because they are still learning how it all works, so we use Community together during teaching.

Blockquote

I like the simplicity, the amount of features, and the possibility you get with all of the extensions and different configurations. Some of the labs in the Web Security Academy will really showcase to you how powerful Burp Suite is.

Kamil Vavra

ES: What was the first topic you ever completed on the Web Security Academy?

KV: When I first saw that the Web Security Academy had launched, I was curious. Once I realized that the learning materials and labs are free, I was sold on the whole thing and got stuck in! The first vulnerability that I ever learned about, roughly 15 years ago, was cross-site scripting. It's my favorite vulnerability to this day, so I naturally started with XSS - I even learned a few new things.

ES: And what has been your favorite topic on the Web Security Academy?

KV: I found the authentication topic really impressive - there was one where you needed to use Burp Intruder, it focused on bypassing 2FA. I was so impressed with that lab. I started in the evening and I was at my computer all night - I remember finishing the last lab in the authentication topic at about four in the morning. I was about the eighth person to finish the topic overall, the sun was coming up, and that was when I decided I was going to try and complete every one of the topics.

ES: Have you seen any benefits in your professional life or career from working on the Web Security Academy?

KV: My boss and I actually integrated the Web Security Academy into my careers skill metrics, so he never minds if I miss a morning of work because I've stayed up all night completing a lab. At work, I'm graded on my progress within the labs. I had the option from my employer to do some of the paid certifications, any of them that I wanted, but I'm not really a fan of those kinds of qualifications.

So I suggested that he use my progress on the Web Security Academy instead, since I'd be learning all the same skills but in a much more realistic environment. So that's what we do now. My employer tracks my progress, and right now it's helping me work towards getting a more senior position within the company. So that's cool.

Blockquote

I was allowed by my employer to spend time on the Web Security Academy regularly at work, and it definitely helped with my career growth and personal development goals. I would say that after completing all the labs, I'm more confident in myself and my skills.

Kamil Vavra

ES: You must want to know straight away when a new topic comes out then - how do you find out?

KV: I get an alert when a Tweet comes out. When the new labs come out, I drop everything. The last lab to be released, before Christmas, they Tweeted that a new lab was coming so I canceled all of my plans. No shopping, no Netflix. I sat there waiting, refreshing the page over and over. I think I waited for three days at home just refreshing the page to see if the lab had come out. That's when I realized that there might be a chance I was addicted ...

ES: Are there any topics (or sets of labs) that you found particularly challenging on the Web Security Academy?

KV: Probably the insecure deserialization and server-side template injection topics. I don't usually focus on these vulnerability classes when I'm bug bounty hunting, so I really admire people who are skilled in those areas. The authentication bypass via encryption oracle lab from the business logic vulnerabilities topic was probably the hardest for me. I got stuck on that one the whole night - I wouldn't have been able to exploit it without the hints from Bella DeShantz-Cook and Johnny Villarreal. They're also in the top five on the Hall of Fame, and it's been great connecting with them as now we share advice and tips with each other. I love that I've made two new friends because of the academy - it's brilliant having people working on the same things who I can share the experiences with.

ES: What has training on the Web Security Academy enabled you to do/achieve that you couldn't before?

KV: It helped me to realize that there are attack vectors that I wasn't even aware of, or paying attention to, before - there is always something to look for if you think outside of the box. I don't think it's an industry standard right now, but I can see in the future that it could be a benchmark to be on the leaderboard and show the skills you've got from working through the Web Security Academy. There's labs I've solved where I've come across new things, and learned new skills that I never knew about before. I was able to then find that same vulnerability in my own company's code base.

Blockquote

I saw the talk from James Kettle on web cache poisoning, then I completed the topic that came out on the same subject, then a couple of hours after that I found a few websites with that vulnerability and I was able to exploit it. That really showed me that as soon as you've completed the labs, you can use your new skills in the wild.

Kamil Vavra

ES: What do you think is the best thing about the Web Security Academy?

KV: The best thing is that it's completely free, and the value you get back from it as someone learning is so damn high! I love that the topics on the Web Security Academy are created based on PortSwigger Research, it's brilliant. I read everything on your website, the blogs, the research - the research for me is probably more valuable than Burp Suite itself. I've learned so much in the past year from just reading all of the research. I can't tell you how much I appreciate the amount of time that everyone at PortSwigger puts into creating this information and making it available to everyone.

Blockquote

PortSwigger Research is brilliant, it's always up to date and so interesting. Anytime they publish anything, it has all of the information you need to then go and find that vulnerability and exploit it for yourself somewhere else.

Kamil Vavra

ES: What advice would you have for someone trying to get started with the Web Security Academy?

KV: Don't get overwhelmed with the amount of labs, it took me more than six months to solve everything. You don't need to hurry, just take your time and try to solve at least a few labs every other week or so. You will progress naturally, and it's always fun to learn something new. My methodology was to pick up a topic and stick to it, trying to finish all the labs in that topic before moving to another one.

ES: And finally, what are your plans for the future?

KV: I'd like to write a book someday, but I don't know if it would be possible. Maybe I need to find a ghostwriter, or write something in the Czech language. There aren't many resources out there for young people that are available in the Czech language. Right now though, I'm focussing on spreading the message out there, and sharing the knowledge I've found.

Blockquote

I find it amazing that I'm just a guy from a small town, and I'm on the top of the leaderboard on the PortSwigger Hall of Fame. It's not just for beginners, professionals should do the labs too to keep their skills sharp. I plan on doing it all again one day to refresh my knowledge.

Kamil Vavra

Embark on the same learning journey Kamil has undertaken - get started on the Web Security Academy