Hackers Use This: Jason Haddix

Welcome to a new blog series call “Hackers use This.” This is an attempt at a low maintenance, interview-esque series aimed at security folk. I’ll be inviting all sorts of hackers asking them questions about their preferred software, hardware, etc. Basically what they use to get their jobs done.

This site is almost directly inspired by the author of usesthis.com. Thanks Daniel!

I’ll be posting the 1st article to showcase the type of content hopefully seen here in the future. Here we go:


Jason Haddix

Senior Security Researcher (Fortify on Demand – an HP Company)

Who are you, and what do you do?

My name is Jason Haddix (jhaddix). I am a Senior Security Researcher at a dynamic/static security testing SaaS. I currently architect and develop solutions and methodologies to address security problems. Before this I was the director of penetration testing and before that I was a penetration tester. I focus on several areas including web application testing, static code analysis, mobile hacking, and anything else that is needed. I’m a former prolific bug bounty addict, current gamer (Destiny and DOTA2 atm), (former-ish) blogger, sometimes CTF player, and family man.

You can find me on twitter ranting, github (hardly coding), several sites blogging, and LinkedIn barely paying attention.  I have a “soft CV” here.

What hardware do you use?

I work from home so I have some space in my lab. My primary testing rig is also my gaming rig. It’s a custom built PC running on an Intel Core i7 870. It has 16GB of RAM, dual AMD Radeon R9 290 graphics cards, a 300GB SSD for the OS, and four 1TB storage drives. I have 5 24 inch diplays on this rig, 4 coming from the graphics cards and one via USB extender. I use a Razer Naga for mouse and a Razer Black Widow keyboard.
My secondary rig is a HP z600 fully upgraded (Dual Xeon’s, 32GB RAM, SSD, ++). This box runs all my practice virtual machines in my lab.
My laptop is a newgen Macbook Pro with the Nvidia graphics card, making it able to handle my gaming addiction as well.
My mobile lab includes an iPad 3rd generation, Galaxy Nexus, an iPhone 5, all jailbroken/rooted for mobile testing.
My home network is handled by a prosumer wireless router (maker and firmware omitted) with dual wireless networks and an attached NAS of 1TB.
My office also houses a generic 32″ LCD TV connected to my PS4. I use a XIM4 converter to enable a mouse and keyboard on the PS4. It makes head shots easy.

What does your testing network or lab look like?

I have a few “labs”. One is simply a guest wireless network with several severs that are vulnerable to different exploits. I peruse the CTF and vulnerable-software-for-leaning scene and stand them up here. This is mostly for my hacker friends who visit and myself to keep sharp.
All my mobile lab is connected to my main PC where I use the various SDK’s and shell into the devices. I also use the Mac for Xcode as well.

And what about tools and software?

For web security testing:

I mostly use Burp Suite bolstered by a few other projects. I love the Seclists Project’s fuzz lists as they don’t tether me to any type of web scanner.  I’ve heard great things about the development of ZAP Proxy though. I use Fiddler frequently with thick client type apps on Windows.

I use all the major browsers because you need them to validate all types of XSS. There are few really cool plugins I use though on Chrome. uBlock for ad blocking, snaplinks for mapping a site rapidly, EditThisCookie, BuiltWith Technology Profiler, Wapplyzer, Recx Security Analyzer, Foxy Proxy, Openlist, Chrome UA Switcher, and Hola just name a few.

Other than this I use our homegrown web/mobile testing methodologies. For general purposes though the best guides are The Web Application Hackers Handbook and the OWASP Testing Guide.

For mobile security testing:

On iOS I prepare my environments with all the normal *nix tools (see here). We use custom made analysis tools written in a mash-up of Bash, Ruby, and Python as well. I do keep the device armed with several of the stand alone tools mentioned in the OWASP iOS Application Testing Cheatsheet as well. For Android (which I do less of these days) I have the SDK set up and have our custom mobile testing framework installed (think Metasploit for mobile). We call it Mobius. I really like Hopper Dissembler too.

For productivity:

I’m pretty old-school, I just use Pandora for music.  If I’m on my main rig I sometimes use Chrome Remote Desktop to get into my Mac to use iMessage. If I’m in a world obsessed with texting I’d rather use a keyboard as an input device. I use Skype for Chat with hacker friends (but long live IRC). I use Logitech G930‘s for my wireless headset which seems to give the best range for a wireless set I could find. I do most of my coding in Sublime Text (although I’m slowly learning VIM finally).

What is your dream setup?

I could really use a monitor stand/arm that could accommodate my monitors but didn’t break the bank. That or I would want a few Apple Thunderbolt displays.

Anything Else?

I reserve the right to update this self interview with new developments!

Leave a Reply

Your email address will not be published. Required fields are marked *