Growing up in the Netherlands, Melvin started hacking at a young age. Originally from HackerOne, he joined Hadrian as a hacker in November 2021 when the company was just a few months old. His main interests are attack surface mapping techniques and automating complex vulnerability checks. In this interview, Melvin will walk us through his hacking journey and how joining Hadrian allows him to automate web browsers to perform complex vulnerability checks.
I assume you get this question a lot already, but this is always on my mind when I meet a hacker: How did you become interested in hacking as a career?
I got interested in hacking at a young age. After programming for a while, I figured it would be cooler to break code instead of just writing it. At school, I always found issues in the IT infrastructure, and at home I was busy hacking my gaming consoles.
Fast forward to my first year of university, I met two people from Groningen who had started a security business by themselves when they were about my age. Having read about them in my local newspaper, their work came across as interesting to me. So I approached them through Twitter and asked them if I could hang out in their office sometime to have some coffee and chat. They invited me over, we had a really nice conversation, and in the end, they offered me a summer job where I could do some hacking for their customers. And that’s really where it started for me.
You’ve definitely come a long way with your hacking journey since then.
In your opinion, how has hacking changed?
I have noticed that many organizations are way more serious about security. Back in the day, we could find a lot of issues everywhere, even in critical infrastructure. There would be almost no way to approach the organization and tell them about the issue. However, most big companies and government organizations nowadays have good ways of reporting security issues. It has also become noticeably harder to find a bug. While this process used to take hours, now it has become a matter of days or weeks. It’s never impossible, but it can sometimes feel impossible.
Since one of your main interests is automating complex vulnerability checks, do you think Hadrian’s framework allows you to do that?
Absolutely! Before, as an ethical hacker, I spent a lot of my time worrying about provisioning servers and dealing with technical issues. Given the way the Hadrian framework is set up, I don’t have to worry about technologies, dependencies, or deployments. As hackers, we can focus on writing the tools (we call them modules) in any language that is the most efficient for the specific task or vulnerability check.
Recently, we have deployed a headless browser infrastructure-
Yes, headless! This is what we call browsers that are running autonomously in our modular framework. When hackers use a web browser, they have it on their screen and manually click all kinds of buttons. Our automated browsers are not visible, and every interaction with the website is done automatically by our modules.
Crawl modern websites that are based on the technologies mentioned above;
Perform advanced and more accurate vulnerability checks;
Take screenshots of web pages and use AI to analyze them;
Interact with a web page after it has loaded;
Perform static analysis on any intercepted background network requests.
As you may know, a full browser uses much more resources than a generic command-line HTTP client. Considering that at Hadrian, we intend to run hundreds of hacker modules in parallel, we also need hundreds of browsers. This poses quite an operational challenge, but the Hadrian framework provides an easy way for new hacker modules to spin up secure (remote) browser sessions.
That sounds exciting! But this definitely is not all.
What is the coolest project you’ve got the chance to do here?
This has been an ongoing project since I joined the hacker team at Hadrian, but I’ve been looking for ways to detect PII leakage. We want to train our software, scroll web pages, or look at everything on there, and if we notice something off. For example, if it’s showing a lot of addresses, names, or even passwords, that’s something that I would really love to be able to flag. This hasn’t been done yet, because it’s typically done manually. This is because PII leakage is highly context-based; for instance the phone number of an office reception may not be sensitive, but the phone number of a managing director for sure is. You have to look at the data and interpret it. I would really like to see how far we can automate that.