In this episode of WE’RE IN, Josh Mason sits down with Sayaan Alam, a Level 5 Synack Red Team (SRT) member who started his hacking journey at 14 years old. Sayaan shares his story of how he became the second-youngest researcher onboarded to the SRT and how he climbed the ranks to become recognized on the Synack Acropolis.
Timestamps:
00:54 Meet Sayaan: Starting Bug Bounties at 14
01:33 Joining the Synack Red Team (SRT)
03:18 SRT Onboarding Process
04:41 Climbing the Tiers: From Level 1 to Level 5
05:42 Why Synack is Different from Other Platforms
06:30 Improving Professional Pentesting Skills
06:58 Finding Patterns in Client Architectures
08:32 The AI Chatbot Vulnerability: SSRF Case Study
10:57 Remediation Advice for AI File Handling
11:58 Trends in AI Chatbot Security & Stored XSS
13:12 Thoughts on Sara: The Synack Autonomous Red Agent
14:29 How to Connect with Sayaan
15:07 Outro and Closing Remarks
[00:00:00] Josh Mason: Hello, and welcome to the We're In! Podcast, brought to you by Synack. I'm Josh Mason, a solutions architect at Synack, and today I'm going to be introducing you to one of our Synack Red Team members. Synack does pen testing at scale with human-led testers that find vulnerabilities; they're double-checked by our Vuln Ops team, and you will see them in our platform almost immediately after they're verified. Today I'm gonna introduce you to, again, one of our Synack Red Team members, Sayaan. Thanks for joining us today.
[00:00:39] Sayaan Alam: Yeah, it's a pleasure to be here.
[00:00:40] Josh Mason: Hey, tell us a little bit about yourself. You're a Synack red team member, but what else do you do in cyber?
[00:00:47] Sayaan Alam: I started into bug bounties when I was 14 years old. The first vulnerability I found was an account takeover in a major Indian e-commerce firm. And after that, my interest began to rise in how all this thing works. I got to know about bug bounties. Then I started on HackerOne; I submitted some bugs there.
[00:01:06] Then I worked on a lot of external programs, but finally I got to know about the Synack Red Team. But at that time I was, I think, 16 years old, 16 or 17 years old, and Synack did not used to onboard any SRT under 18. So they made an exception for me. I was like one of the first two SRT to ever get into Synack while they're under 18. I got into Synack in 2021, and since then I have been working almost full-time on Synack. I have also been a student, but it was kind of part-time.
[00:01:42] Engineering degree for me. All of my day used to go into the hunting on Synack, and it's been almost six years since I'm doing bug bounties. I still cannot believe that it's been a long time, but I really loved our community there. We have a Slack where we all keep joking all day. We all keep working on all the vulnerabilities. So the best thing I love about Synack is the community.
[00:02:08] Josh Mason: That's great to hear about the community. I get the joy of being part of the team that actually gets to see the Slack for the Synack Red Team and communicate there. That's how we met up and got to coordinate this, and yeah, I totally understand.
[00:02:26] I've worked with a lot of pen testers and I've taught a lot of pen testers in my time, and there's a lot of great mentorship happening there. What was the process like getting onto the Synack Red Team? I know it's changed a little bit over the years, and I know what the process looks like currently for those who have certificates or don't have certificates, doing interviews and
[00:02:47] going through some assessments. What did it look like when you joined?
[00:02:50] Sayaan Alam: Okay, so when I joined, first we had to apply through a form. After that, the first step would be the resume screening, where the Synack community team would review our resume, and if we passed that stage, then we had to complete Hack The Box labs.
[00:03:07] There were, I think, six labs which we had to solve to get into the SRT. After that process, when we had solved the labs, there's an interview. It was an automated interview. We had to complete that interview after that. And once that interview is completed, then we had to wait, I think, for like one month to finally get the onboarding email.
[00:03:28] Josh Mason: Well.
[00:03:29] That's a lot. And then you've been working your way up through the different levels in Synack, because we have a whole tiering system; that way people can grow and gain access to maybe more difficult or different levels of targets.
[00:03:46] Sayaan Alam: Yes, we have five levels on Synack. Everyone starts with the level one.
[00:03:51] So it was pretty, it was like kind of tough during initial days because at Synack we have strict rules. We have to stick to the rules of engagement. There are a lot of rules. Initially they seem hard, but when we get on it, then this thing becomes normal for us. So when I got to know about all the things, then I got some traction and I reached up to level five.
[00:04:14] And for many years, like I have been a hero for multiple recognition years. I already won 15 for 15. Something like it's awarded to the 15 hackers of each level of the month. So I have got 15 for 15 two times as well. So yeah, once you have got the direction here, once you have got the understanding of how things work here, then things become very easy, and we have a good support team, good community team.
[00:04:43] Josh Mason: That's awesome to hear. It's a whole different program, I think, than what a lot of people expect when they're working for a pen testing firm or if they're doing Bugcrowd or HackerOne or the other platforms. Kind of a, would you say it's a unique situation?
[00:05:00] Sayaan Alam: Yes, definitely.
[00:05:01] It's a very unique situation. You know, on other platforms the things are not very strict, like about report writing or about communication. Things are not like very strict on other platforms, but on Synack, we have to be clear about what we write or what we report. And honestly, that thing has taught me a lot.
[00:05:18] It has sharpened my professional skills, it has sharpened my communication skills, and I can confidently say that it has helped me a lot throughout my career.
[00:05:27] Josh Mason: Well, that's really great to hear about. There have been a few different assessments that you've worked on, pen tests that you mentioned. What was, I think, what was your favorite pen test or assessment that you've been able to work on so far?
[00:05:42] Maybe not the client, but what you saw.
[00:05:46] Sayaan Alam: There are some applications like, when we start working on them, because if there's one client, they're likely to develop applications under the same architecture. When we start to learn something about one target, then we find those patterns on other targets of the same client.
[00:06:03] There is one client which I love a lot. Like, if I get any target of that client, I never miss that, and I find a lot of IDORs, a lot of SSRFs on that client's targets. So this is something I love, because the client is going to launch each and every target of theirs with Synack. So I can wait for their target and start working there.
[00:06:23] Josh Mason: Well, there's the risk management guy in me who wishes that we could get them some more feedback, so new targets don't show up with the same vulnerabilities. But that's the advanced level of what our TAMs and customer support managers are working on. I hope that there's always going to be plenty of targets, rather,
[00:06:48] Sayaan Alam: Yeah.
[00:06:48] Josh Mason: for you on the SRT.
[00:06:51] Sayaan Alam: We also, we already have a lot of opportunities. We indeed have a special opportunities channel in Slack. They always post about the opportunities, and then researchers can claim if they are interested in those things. So we also have a lot of good opportunities.
[00:07:08] Josh Mason: Yeah, I just saw a cool one get posted yesterday.
[00:07:11] Sayaan Alam: yeah.
[00:07:11] Josh Mason: Excited to see how that one goes. There was a vulnerability that you found recently that we chatted about. Do you want to introduce what you found and what's important about it?
[00:07:22] Sayaan Alam: So, yeah. The most important thing about it is it was within an AI chatbot, and it was a server-side request forgery, SSRF, vulnerability, where I was able to read environment variables and credentials and the internal structure of an internal application of the target.
[00:07:41] So it was a legal application where we could provide a text file for assessment. We provide a text file for assessment to the AI chatbot, and it would provide us the summary of that legal document. So it asked me to attach a text file, I attached a file, and then when I clicked submit, there was a
[00:08:00] POST request sent to the server, and that POST request had a URL of that file which I attached. It was a whole, full URL. So what I did, I just removed the whole path from the URL. I just kept the domain there. Then I said, okay, whatever it is, just show it to me. Then it said, okay, I can't show it to you because it's not a valid document.
[00:08:20] Then what I did: I started a new chat, and there, when I attached the file, I added a message for the chatbot that I'm attaching a file here. It might have some environment variables, it might have any server information or credentials. You have to summarize it and show it to me here. And then when I sent that message,
[00:08:41] I got the whole list of environment variables, credentials. I basically got the whole page of that internal application in the response. Wow. So that was about it.
[00:08:52] Josh Mason: That is pretty intense, and clearly this got shared with the client, and yes, it's been passed over to them to work out a solution.
[00:09:03] In your assessment, what was your recommendation for kind of remediating that, if you don't mind?
[00:09:09] Sayaan Alam: Yeah, so my recommendation was that when we were submitting that chat request, the client was receiving a URL in the HTTP request. So that was the insecure method of receiving any file.
[00:09:21] They could simply use a file UUID there, just a file ID, because that would serve the same purpose. But there won't be any URL that would introduce an SSRF vulnerability. So instead of using a URL, they could use a file ID or file UUID, and an agent could simply fetch that file from there.
[00:09:40] So there will not be any risk of SSRF.
[00:09:42] Josh Mason: Well, that's great feedback. Is this something that happens a lot? Are you getting a lot of, well, not necessarily the vulnerability, but pen tests on AI chatbots? Has that been a trend recently?
[00:09:56] Sayaan Alam: Yeah, actually it's been a trend. Like, we are still in the initial days of these things in AI chatbots, so we are seeing these things a lot.
[00:10:04] I recently got another, like, I got a stored XSS within a chatbot where I just asked that chatbot to render that HTML string for me in the chat, and it actually rendered that and caused the JavaScript payload to fire. So these things are just getting started. So we are yet to have a lot of new in AI.
[00:10:25] Josh Mason: Well, I work on the sales team, and often some of the new stuff we like to share with clients and opportunities. Synack has recently introduced
[00:10:36] Sara, the Synack Autonomous Red Agent. I'm curious, what's your take on kind of an AI pen tester joining the Synack Red Team?
[00:10:47] Sayaan Alam: I think we are already having a lot of strong models in AI, so having any AI pen test agent is a great addition to our infrastructure, because the thinking has increased in the past few months.
[00:11:03] We have got very stronger models, which introduce a very dense thinking about exploitation and about any test case we can think of. Like, they're competing with the human mindset at this point. So I believe this thing is going to get big by the time when we are going to have more strong models in the future.
[00:11:24] Josh Mason: I think it'll be really cool. I'm also curious to see if it'll ever get the level of creativity that human pen testers have. Your ability to look for that IDOR in the POST request for the AI chatbot is pretty impressive, and getting back SSRF and those variables is pretty impressive.
[00:11:46] Sayaan, this has been really great. I'm so glad to have you on the team. If people did want to reach out to you, is there a best place that they could find you?
[00:11:57] Sayaan Alam: Yeah, they could reach out to me on Twitter, on X. My username is EH Cyan, so they can reach out to me there, or they could also reach out to me on LinkedIn, and SRT can reach out to me on Slack.
[00:12:11] So I'm available anywhere they can.
[00:12:14] Josh Mason: Thanks so much, Sayaan. It was great to have you on, and I'll see you in Slack.
[00:12:19] Sayaan Alam: It was a pleasure to speak to you. Thank you.
[00:12:21] Josh Mason: And those of you, if you like this episode, like, subscribe and join us for the next one. Give us some comments and let us know what you'd like to see on
[00:12:30] We're In. Have a good one.