1
00:00:00,150 --> 00:00:04,600
Making it to a live hacking event is
already a big accomplishment, but my

2
00:00:04,610 --> 00:00:08,630
guest today, Doomer Hunter, not only
made it, but on all three events that he

3
00:00:08,630 --> 00:00:11,310
attended, he achieved a top 10 finish.

4
00:00:11,320 --> 00:00:15,999
So clearly he has some good methodology
to find crits on well-hardened targets.

5
00:00:16,129 --> 00:00:19,110
So we'll dive into this in this interview.

6
00:00:19,160 --> 00:00:21,369
Hello, Victor.

7
00:00:21,429 --> 00:00:22,139
How are you doing?

8
00:00:22,169 --> 00:00:25,759
Can you please introduce yourself to
those viewers who don't know you yet?

9
00:00:26,169 --> 00:00:26,330
Hi

10
00:00:26,330 --> 00:00:26,549
Greg.

11
00:00:26,549 --> 00:00:27,889
Well, first, thanks for having me.

12
00:00:27,899 --> 00:00:29,649
It's so cool to be here
in Poland, in Krakow.

13
00:00:29,649 --> 00:00:30,759
So I really enjoy it.

14
00:00:30,810 --> 00:00:32,369
And thanks again for the tour yesterday.

15
00:00:32,950 --> 00:00:36,249
Uh, yeah, I have quite some
of a specific background.

16
00:00:36,249 --> 00:00:38,910
So basically I was not
into IT or into cyber.

17
00:00:39,560 --> 00:00:42,110
I was into the pharmacological industry.

18
00:00:42,390 --> 00:00:44,190
I have even a master's
degree in marketing.

19
00:00:44,670 --> 00:00:44,970
Oh,

20
00:00:44,970 --> 00:00:47,820
and, uh, it all switched
when, um, well, COVID hit.

21
00:00:47,820 --> 00:00:47,940
Thanks.

22
00:00:48,345 --> 00:00:52,505
And, uh, the job I should have in
North America and Canada was frozen.

23
00:00:53,115 --> 00:00:55,635
So I was left with no other options.

24
00:00:56,055 --> 00:01:01,104
And I was wondering to myself, Hey,
this big boaty thing seems a bit cool.

25
00:01:01,104 --> 00:01:02,955
And I'm starting to make
a bit of money with it.

26
00:01:03,065 --> 00:01:04,345
Could I make a living out of it?

27
00:01:05,275 --> 00:01:09,655
And so, yeah, I decided to switch full
time into cyber, uh, offensive security,

28
00:01:09,755 --> 00:01:15,725
and I got a small first pen testing
job at a local firm and met the guy

29
00:01:15,745 --> 00:01:18,125
who next became my future partner.

30
00:01:18,770 --> 00:01:23,009
So we started our own business, uh, and
it was a pen test writing in company.

31
00:01:23,410 --> 00:01:26,630
We did work together for three
years, brought the company to 1.

32
00:01:26,630 --> 00:01:29,020
2 million euros, I think in turnover.

33
00:01:29,049 --> 00:01:32,829
So really nice, uh, stuff had good
clients, did physical intrusion,

34
00:01:32,839 --> 00:01:34,049
you know, physical pen testing.

35
00:01:34,060 --> 00:01:34,820
It's awesome.

36
00:01:35,519 --> 00:01:38,790
And, uh, on the side, we did
also bug bounty hunting because

37
00:01:38,950 --> 00:01:42,690
as a small business, it was like
a cool, you know, um, front.

38
00:01:43,060 --> 00:01:47,140
For you to say, okay, I'm performing
in real world on hardened targets.

39
00:01:47,650 --> 00:01:52,529
And so that's how we started getting to,
you know, more competitive events, such

40
00:01:52,529 --> 00:01:57,159
as the first AWC, the world cup that
we won with the French team in 2022.

41
00:01:57,740 --> 00:02:00,569
And, uh, then we're all starting
to get into live hacking events.

42
00:02:00,730 --> 00:02:04,500
I sold my shares of the company
to my partner this year.

43
00:02:04,520 --> 00:02:07,240
So I'm back into full time
bug hunting entrepreneurship.

44
00:02:07,830 --> 00:02:09,110
That's pretty much what I do now.

45
00:02:09,149 --> 00:02:11,870
Bug hunting, I do a bit of AI on the side.

46
00:02:11,939 --> 00:02:13,569
Uh, I do corporate talks also.

47
00:02:13,569 --> 00:02:17,929
I'm invited by various companies
to give cybersecurity talks across

48
00:02:17,930 --> 00:02:18,220
Europe.

49
00:02:18,659 --> 00:02:19,280
That's pretty much it.

50
00:02:19,930 --> 00:02:24,490
So how much time did it take for
you to get into cybersecurity from

51
00:02:24,600 --> 00:02:27,489
the marketing or from the pharmacy
background or whatever it is?

52
00:02:27,720 --> 00:02:31,020
That's why I lied a bit because,
you know, hacking was always the

53
00:02:31,030 --> 00:02:32,540
thing that I really wanted to do.

54
00:02:32,660 --> 00:02:32,900
Yeah.

55
00:02:32,920 --> 00:02:36,210
But I come from a family that
is into, you know, health.

56
00:02:36,870 --> 00:02:38,459
They are mostly health practitioners.

57
00:02:38,539 --> 00:02:41,480
And so I was more, you know,
inclined to do that as a real job.

58
00:02:41,820 --> 00:02:44,540
And I didn't think that it was
possible to get into the cyber route.

59
00:02:44,570 --> 00:02:47,370
And I thought that pentesting
was reserved for kind of elites,

60
00:02:47,370 --> 00:02:48,900
you know, some few people.

61
00:02:49,560 --> 00:02:52,150
And, um, so I did a bit
of hacking on this side.

62
00:02:52,330 --> 00:02:56,040
I remember buying an old book called The
Art of Exploitation by Jon Erickson.

63
00:02:56,190 --> 00:02:56,470
Yeah.

64
00:02:56,710 --> 00:02:59,370
So it's a really old book, but
it still gives, you know, first

65
00:02:59,410 --> 00:03:01,110
hands on approach with live CD.

66
00:03:01,120 --> 00:03:02,429
It was so good at the time.

67
00:03:02,970 --> 00:03:06,789
And so I practiced a bit during, well,
my university years, because I enjoyed

68
00:03:06,790 --> 00:03:09,460
doing some CTFs on the side and so on.

69
00:03:09,999 --> 00:03:14,270
And one day I had a friend, I was
maybe in my third year of uni.

70
00:03:14,960 --> 00:03:17,870
And, uh, well, so she had a
loan, you know, to pay her

71
00:03:17,880 --> 00:03:19,710
studies, her private school.

72
00:03:21,080 --> 00:03:27,009
And well, sadly she started like, um,
buying stuff with the money from the loan.

73
00:03:27,329 --> 00:03:32,029
So when September came, it was like
maybe June, she didn't have enough

74
00:03:32,030 --> 00:03:33,539
money to pay for the next year.

75
00:03:33,849 --> 00:03:37,810
So what do you do at that point when you
don't get much money, you want to help

76
00:03:37,810 --> 00:03:42,990
your friend and don't have like an actual
job that makes that amount of money?

77
00:03:43,609 --> 00:03:45,079
Well, you take a look at your skillsets.

78
00:03:45,790 --> 00:03:47,320
Say, okay, I can do Hassam hacking.

79
00:03:47,510 --> 00:03:48,560
Can I make money hacking?

80
00:03:48,790 --> 00:03:50,130
Can I make legal money hacking?

81
00:03:50,990 --> 00:03:51,724
What's the boundary?

82
00:03:51,725 --> 00:03:55,855
Oh, Oh, that was a nice amount I can make.

83
00:03:56,195 --> 00:03:58,385
So yeah, that's where I
landed my first crit.

84
00:03:58,385 --> 00:04:02,315
I think maybe you did some free K
on, uh, on Sam rush at the time.

85
00:04:02,315 --> 00:04:07,614
And so he managed to go to cover
the costs and get back into it.

86
00:04:08,204 --> 00:04:11,155
Then once again, I put it back into
the closet because I thought that

87
00:04:11,165 --> 00:04:15,405
no, man, I'm in a health career and
must not like ruin my future health

88
00:04:15,405 --> 00:04:17,255
career by doing cybersecurity.

89
00:04:18,565 --> 00:04:22,034
And then when I decided to really
make the switch, I had like a little

90
00:04:22,044 --> 00:04:23,930
background, you know, couple of skills.

91
00:04:24,040 --> 00:04:28,670
I knew I could land some small
bounties, but I decided to really prep.

92
00:04:28,860 --> 00:04:34,690
And when I took the decision, maybe
in, in May, 2020, I thought to myself,

93
00:04:34,690 --> 00:04:36,240
okay, in September, I got my job.

94
00:04:36,460 --> 00:04:38,500
So I got five months to get ready.

95
00:04:39,139 --> 00:04:44,120
So I just took everything that, that, uh,
that I've already had and seek the, what I

96
00:04:44,130 --> 00:04:46,550
would call quality content to really grow.

97
00:04:47,010 --> 00:04:49,110
And so I first went to, uh, Louis.

98
00:04:49,669 --> 00:04:52,110
Uh, we spent just a lab
because, uh, I really love the

99
00:04:52,110 --> 00:04:53,580
approach, the hands on approach.

100
00:04:53,580 --> 00:04:56,490
And he's one of the few guys
that really teaches you to, um,

101
00:04:56,590 --> 00:05:00,220
actually deep dive into the source
code with like such an accessible

102
00:05:00,230 --> 00:05:01,720
platform and high quality contents.

103
00:05:02,229 --> 00:05:07,100
And also forces you to like,
understand how it's going, um, dissect

104
00:05:07,100 --> 00:05:09,000
the CVE, write the exploit code.

105
00:05:09,430 --> 00:05:12,800
And I did like maybe five or six
badges that he had at the time.

106
00:05:13,539 --> 00:05:17,870
Just to feel comfortable and, you
know, proud of myself and also set

107
00:05:17,870 --> 00:05:20,420
up the certification on my LinkedIn
profile because I did not have

108
00:05:20,420 --> 00:05:21,969
enough money to pay for the certs.

109
00:05:22,159 --> 00:05:23,390
Yeah, that's a good way.

110
00:05:23,500 --> 00:05:26,859
And then I did the thing, the full,
um, OWASP Juice Shop, which is also,

111
00:05:26,860 --> 00:05:31,705
I think a cool, um, you know, way to,
uh, go into like, So the real world

112
00:05:31,935 --> 00:05:36,215
web applications, and then I got into
a small bug bounty platform in France,

113
00:05:36,215 --> 00:05:39,135
which is called the yoga shop because
I didn't know any better at the time.

114
00:05:39,785 --> 00:05:43,025
And so I'm making some, uh, some,
uh, some more active bug bounty.

115
00:05:43,085 --> 00:05:46,035
And that allowed me to
transition, you know, correctly.

116
00:05:47,624 --> 00:05:52,844
Now let's skip to, to the present
time after quitting the business,

117
00:05:52,854 --> 00:05:55,974
what made you choose the life of
a full time bug bounty hunter?

118
00:05:56,885 --> 00:05:57,265
Freedom.

119
00:05:57,675 --> 00:05:58,265
Um,

120
00:05:59,215 --> 00:06:02,645
once you're used to entrepreneurship,
you're used to producing

121
00:06:02,645 --> 00:06:04,395
value for yourself directly.

122
00:06:04,505 --> 00:06:04,525
Yeah.

123
00:06:05,495 --> 00:06:10,615
And you're used to, well, valuing your
time and your efforts based on your

124
00:06:10,615 --> 00:06:15,095
skill sets and how you bring added value
to the real world and to the companies.

125
00:06:15,895 --> 00:06:20,095
And so once you have tasted that and
you feel confident enough to be alone

126
00:06:20,095 --> 00:06:25,034
and stay by yourself, honestly, it's
very hard to go back to a classic job.

127
00:06:25,184 --> 00:06:26,255
It's a one way ticket.

128
00:06:26,475 --> 00:06:27,025
Exactly.

129
00:06:27,875 --> 00:06:31,025
But it comes with a lot of costs
and a lot of responsibilities.

130
00:06:31,405 --> 00:06:35,934
But, uh, I had like the money as
from my shares money from my personal

131
00:06:35,934 --> 00:06:37,084
and professional bank accounts.

132
00:06:37,085 --> 00:06:40,995
So I could finance, you know,
taking the risk of going back

133
00:06:41,025 --> 00:06:42,375
to full time bug hunting.

134
00:06:42,845 --> 00:06:46,425
And also, let's be honest, uh, when
you start to perform a bit well on

135
00:06:46,425 --> 00:06:50,715
bug hunting, you do make a lot of
money and that allows you to open more

136
00:06:50,834 --> 00:06:52,515
opportunities for yourself in the future.

137
00:06:52,854 --> 00:06:57,145
So I was in a position where I had,
like, I think a good network flowing

138
00:06:57,145 --> 00:07:01,044
the, my, my business here had a
bit of money in the bank could make

139
00:07:01,044 --> 00:07:02,565
more with the, the bug bounty part.

140
00:07:03,510 --> 00:07:08,470
And if you take all that by itself,
you got potential, then you got

141
00:07:08,770 --> 00:07:13,100
to make this potential grow by
building new things, keep building your

142
00:07:13,100 --> 00:07:14,960
network and then keep making money.

143
00:07:15,289 --> 00:07:15,490
Yeah.

144
00:07:15,659 --> 00:07:19,680
So freedom and all the opportunities
that it brought was like.

145
00:07:19,905 --> 00:07:21,015
Why I chose to,

146
00:07:21,045 --> 00:07:22,125
to go along this path.

147
00:07:22,795 --> 00:07:27,335
And also, if I understand correctly,
you do use bug bounty as sort of the,

148
00:07:27,335 --> 00:07:32,255
the way to grow your personal brand
and to, to also details of fuels,

149
00:07:32,255 --> 00:07:35,165
the, the trainings that you give
and, and other things that you do.

150
00:07:35,165 --> 00:07:38,705
So, you know, whenever you find a bug,
you're not only getting the bounty

151
00:07:38,705 --> 00:07:41,615
from this bug directly, but also it
builds your personal brand, which,

152
00:07:41,615 --> 00:07:42,875
you know, grows and grows forever.

153
00:07:42,875 --> 00:07:43,115
You know?

154
00:07:43,625 --> 00:07:44,045
Yeah.

155
00:07:44,045 --> 00:07:45,815
Back in the day we used that as

156
00:07:46,125 --> 00:07:49,375
Kind of a front for our business
because as a small company, it was

157
00:07:49,385 --> 00:07:53,145
really helpful, you know, to legitimize
yourself as, Hey, I was able to

158
00:07:53,145 --> 00:07:55,505
find a bug on X, Y, Z big company.

159
00:07:55,664 --> 00:07:59,894
It gives you like, you know, this
legitimacy and, uh, yeah, now

160
00:07:59,894 --> 00:08:02,034
that it's all just by myself.

161
00:08:02,115 --> 00:08:02,385
Yeah.

162
00:08:02,385 --> 00:08:05,964
It's still a pretty way because I still
have like a small audience in France.

163
00:08:06,755 --> 00:08:10,205
Um, and still show that you're
active, that you are indeed,

164
00:08:10,265 --> 00:08:11,650
you know, a real hacker.

165
00:08:12,130 --> 00:08:16,200
And I think it doesn't only like,
it's not only useful for the audience.

166
00:08:16,230 --> 00:08:17,840
It's also used to comfort yourself.

167
00:08:17,849 --> 00:08:19,360
Think, okay, I'm still a hacker.

168
00:08:19,510 --> 00:08:22,990
You know, you still can force your, your
imposter syndrome or your ego, whatever

169
00:08:23,120 --> 00:08:24,739
you want to, you, you want to call it.

170
00:08:25,260 --> 00:08:29,659
And yes, it's also a way to, um, grow
a bit, um, the business part, because

171
00:08:30,430 --> 00:08:34,620
when you, when you, for example,
when I give, um, cybersecurity talks

172
00:08:34,929 --> 00:08:39,850
to companies and incorporate when
they are looking for speakers, they

173
00:08:39,850 --> 00:08:41,799
are looking for what they consider.

174
00:08:42,285 --> 00:08:43,505
You know, special people.

175
00:08:43,835 --> 00:08:48,015
So often there will be like high level
athletes, you know, people from the

176
00:08:48,015 --> 00:08:50,505
government, ex special forces and so on.

177
00:08:50,575 --> 00:08:50,835
Yeah.

178
00:08:51,635 --> 00:08:52,655
So you're here, you know,

179
00:08:52,655 --> 00:08:55,074
and

180
00:08:55,075 --> 00:08:58,514
so it, it helps you legitimize, you
know, your, your presence even through,

181
00:08:58,515 --> 00:09:01,945
uh, I feel, I still feel uncomfortable
presenting myself, you know, in

182
00:09:01,945 --> 00:09:06,005
front of people, but sometimes you
gotta do it just so that people, Hey.

183
00:09:06,370 --> 00:09:07,579
He knows what he's talking about.

184
00:09:07,580 --> 00:09:08,609
He

185
00:09:08,610 --> 00:09:09,920
seems to know what he's talking about.

186
00:09:10,209 --> 00:09:10,370
Yeah.

187
00:09:10,370 --> 00:09:13,949
And it's a good way because a lot of
bug bounty you can speak publicly about.

188
00:09:14,370 --> 00:09:16,410
So, you know, you can be
the best pen tester ever.

189
00:09:16,740 --> 00:09:18,079
All your reports are confidential.

190
00:09:18,079 --> 00:09:20,690
You cannot, you know, share
the defining from the pen test.

191
00:09:21,069 --> 00:09:25,130
Even if you try to write it on the blog,
you have to redact the company name.

192
00:09:25,140 --> 00:09:28,690
And, you know, it doesn't sound as well
when you find a good bug in bug bounty.

193
00:09:28,915 --> 00:09:30,805
You know, Oh, I hacked Microsoft.

194
00:09:30,805 --> 00:09:31,385
I hacked Google.

195
00:09:31,385 --> 00:09:32,835
I hacked, it just sounds nice.

196
00:09:32,845 --> 00:09:37,685
So when you hunt, what
is your hunting style?

197
00:09:37,685 --> 00:09:38,915
What are your favorite bug classes?

198
00:09:39,545 --> 00:09:45,064
That's a, that's honestly, it's even a,
what I consider a weakness of mine, that,

199
00:09:45,474 --> 00:09:51,724
um, I remember, I think it's Justin from
critical thinking writer who, um, shared,

200
00:09:51,844 --> 00:09:54,275
you know, his, um, his roadmap to, okay.

201
00:09:54,275 --> 00:09:57,295
If I had one year to make a hundred
K in bug bounty, how I would like,

202
00:09:57,464 --> 00:09:59,305
you know, uh, invest my time.

203
00:09:59,515 --> 00:10:00,485
during the different steps.

204
00:10:00,785 --> 00:10:04,725
And I think one of those first
steps is getting to, um, comfortable

205
00:10:04,745 --> 00:10:05,895
with access control bugs.

206
00:10:07,295 --> 00:10:11,675
And when you get inside the, when
you, when you start your own business,

207
00:10:12,005 --> 00:10:15,144
of course, you have to be someone
technical because you have to run the

208
00:10:15,145 --> 00:10:16,425
business and technical part of it.

209
00:10:16,745 --> 00:10:20,495
But then you start to, well, not
be that much hands on the technical

210
00:10:20,495 --> 00:10:23,875
and offensive part of the set,
but more on quality management,

211
00:10:23,885 --> 00:10:25,344
control, sales, marketing, and so on.

212
00:10:25,395 --> 00:10:26,855
Everything on the side.

213
00:10:27,145 --> 00:10:28,425
And I felt that I.

214
00:10:28,935 --> 00:10:33,045
was kind of trapped inside that, you
know, comfort zone of being okay.

215
00:10:33,045 --> 00:10:34,384
I'm pretty good with access control.

216
00:10:34,514 --> 00:10:34,785
Yeah.

217
00:10:34,814 --> 00:10:38,715
I think, uh, like I'm made a lot of
money with access controls because

218
00:10:38,715 --> 00:10:40,575
it's easy to find it's repeatable.

219
00:10:41,074 --> 00:10:44,964
And I love hunting for them because often
you get like very high impact full books.

220
00:10:45,750 --> 00:10:49,110
And that's where we're where I stayed
for a long, long, long, long time.

221
00:10:49,490 --> 00:10:51,010
So yeah, it's still my pet peeve.

222
00:10:51,530 --> 00:10:54,130
I know that if I'm going on a new
program, first thing I'm going to

223
00:10:54,130 --> 00:10:57,320
look is for access control bugs and
logic bugs, because I love that.

224
00:10:57,739 --> 00:10:59,679
But then you start going
outside of this comfort zone.

225
00:11:00,040 --> 00:11:03,940
I started to more into business logic
bugs, which are often, you know, more

226
00:11:03,940 --> 00:11:08,520
hidden and less covered by modern
security tools, such as SAST and DAST.

227
00:11:09,100 --> 00:11:11,080
When you know that, let's
say that you have an IDOR.

228
00:11:11,120 --> 00:11:11,470
Okay.

229
00:11:11,520 --> 00:11:12,870
You just increment a number.

230
00:11:13,210 --> 00:11:16,560
Well, Once the issue is known, if
the developers take some time to

231
00:11:16,560 --> 00:11:21,370
make unit testing, you can pretty
easily test the fact that, okay, if I

232
00:11:21,370 --> 00:11:24,460
increment the number, then the result
of the test should be 403 forbidden.

233
00:11:24,750 --> 00:11:28,360
Yeah, but then business logic bugs are
way more hidden because it's nested

234
00:11:28,360 --> 00:11:31,890
inside like multi step workflows
and you cannot test all of the

235
00:11:31,900 --> 00:11:33,730
possibilities of these workflows.

236
00:11:33,770 --> 00:11:35,910
And so you still find these issues.

237
00:11:35,910 --> 00:11:37,770
And I think it's all
still easy for me to find.

238
00:11:38,345 --> 00:11:42,445
And it's also hard to come up with
a source code scanning rule to

239
00:11:42,445 --> 00:11:45,775
detect business logic because there
is, there's no template for it.

240
00:11:45,775 --> 00:11:49,085
It's just, you know, every single
code can have different logic,

241
00:11:49,124 --> 00:11:50,645
different rules, different bugs in it.

242
00:11:50,645 --> 00:11:57,185
So, um, so that's why I think these
bugs will be with us for, for longer

243
00:11:57,285 --> 00:12:00,145
because, you know, obviously scanners
are getting better and better.

244
00:12:00,555 --> 00:12:04,385
Frameworks are doing stuff like
automatically sanitizing the HTML.

245
00:12:04,385 --> 00:12:09,235
So there's less XSS, but bugs like this,
they're not so easy to, to, to fix or to

246
00:12:09,235 --> 00:12:13,745
detect at scale, I think are the ones that
will be with us for a long, long time.

247
00:12:13,765 --> 00:12:14,285
Yeah, they will.

248
00:12:14,595 --> 00:12:14,885
They will.

249
00:12:15,175 --> 00:12:18,505
You cannot have a bug free,
like 20 step workflow.

250
00:12:18,505 --> 00:12:19,995
It doesn't happen in real life.

251
00:12:20,034 --> 00:12:23,255
And, and even there, we are
just scratching the surface.

252
00:12:23,255 --> 00:12:25,775
Like, I don't know who made
the talk a couple of years ago

253
00:12:25,785 --> 00:12:29,165
about, you know, everything
second order on the server side.

254
00:12:29,430 --> 00:12:34,790
It was a really great talk and even if
you take like your five step workflow

255
00:12:34,790 --> 00:12:38,650
of buying something and start to mix
up some parameters, add some parameters

256
00:12:38,650 --> 00:12:41,630
that shouldn't be there, add some
ideas that are not matching, et cetera.

257
00:12:41,949 --> 00:12:44,170
This is like only the
top level of these bugs.

258
00:12:44,580 --> 00:12:47,730
And We often miss like
the second order bugs.

259
00:12:48,140 --> 00:12:52,250
Like, I don't know if you start to
buy a TV and you put the insurance

260
00:12:52,250 --> 00:12:54,460
of a phone on it, will it work?

261
00:12:54,500 --> 00:12:57,670
But will it work if you like
create a custom insurance policy?

262
00:12:57,670 --> 00:13:01,360
Like what happens deep down, you
know, further steps beyond, that's

263
00:13:01,379 --> 00:13:02,859
what really scratches my mind.

264
00:13:02,860 --> 00:13:06,740
But bug hunting, black box testing, we
don't have access to the source code.

265
00:13:06,940 --> 00:13:08,230
And there is so many issues.

266
00:13:08,550 --> 00:13:11,040
Hidden surface, not being covered in it.

267
00:13:11,190 --> 00:13:13,000
And I think that's why
we should spend more time

268
00:13:13,010 --> 00:13:13,360
fuzzing.

269
00:13:13,800 --> 00:13:14,020
Yeah.

270
00:13:14,020 --> 00:13:17,799
And also that's, you know,
we are never sure how many

271
00:13:17,799 --> 00:13:19,100
different flows we didn't test.

272
00:13:19,789 --> 00:13:24,900
Cause you know, I had a talk with, with
Jonathan in Edinburgh that, you know,

273
00:13:24,959 --> 00:13:28,260
if you have, let's say Amazon, probably.

274
00:13:28,454 --> 00:13:31,824
Shipping from one country has a
different code to handle the ship

275
00:13:31,824 --> 00:13:36,075
shipping to another country who has
tested 200 countries in the world.

276
00:13:36,145 --> 00:13:39,595
Probably not even him and Zeeshan
on Amazon in their six years.

277
00:13:40,084 --> 00:13:44,495
So on many programs, we just have a
lot of code that we never touched,

278
00:13:44,835 --> 00:13:47,934
but I think GripMe has
an interesting approach.

279
00:13:47,944 --> 00:13:52,375
So GripMe is the one doing the notes for
the Critical Thinking bug bounty podcast.

280
00:13:52,375 --> 00:13:54,875
And he's also Rhino's
mentee, a very cool guy.

281
00:13:55,200 --> 00:13:55,490
Yeah.

282
00:13:55,590 --> 00:13:56,460
Very crazy story.

283
00:13:56,460 --> 00:13:59,240
Uh, got into bug bounty like
nine months ago, did the two

284
00:13:59,240 --> 00:14:00,830
LHEs, at Vegas and Edinburgh.

285
00:14:01,490 --> 00:14:02,020
Very cool guy.

286
00:14:02,300 --> 00:14:06,699
He, by the way, he, he quit the work
this month to be a full time hunter.

287
00:14:07,300 --> 00:14:09,339
And he has been very successful.

288
00:14:09,340 --> 00:14:13,289
And when talking with him, he told
me that his own methodology was

289
00:14:13,329 --> 00:14:14,949
trying to be more comprehensive.

290
00:14:15,150 --> 00:14:18,530
building his checklist of what
could be the most impactful for

291
00:14:18,530 --> 00:14:21,270
the company, and then really try
to assess all of these vectors.

292
00:14:21,620 --> 00:14:26,509
And so he is indeed trying to be more
methodological and trying to build a

293
00:14:26,509 --> 00:14:31,620
comprehensive way to like really test the
application, but through the lens, if I

294
00:14:31,620 --> 00:14:35,660
understood correctly, of his perspective
of security model and what can impact it.

295
00:14:35,940 --> 00:14:38,620
And I think that's a good way, you know,
to ensure that you have more coverage.

296
00:14:38,820 --> 00:14:39,230
Yeah.

297
00:14:39,450 --> 00:14:39,650
Yeah.

298
00:14:39,650 --> 00:14:40,310
That's a good way.

299
00:14:40,310 --> 00:14:43,960
And there's pretty much
There's no, no border to it.

300
00:14:44,040 --> 00:14:48,069
There's no boundary that, because
there's just so much different

301
00:14:48,180 --> 00:14:49,040
possibilities everywhere.

302
00:14:49,120 --> 00:14:53,540
And that's the, uh, the overall answer
to, well, no new hunters like don't,

303
00:14:53,560 --> 00:14:57,599
that don't want to hack on public
programs and each year there are

304
00:14:57,629 --> 00:15:01,619
thousands of bugs, millions of dollars
being paid to different hunters.

305
00:15:03,880 --> 00:15:06,530
I think once you are new to the
bug hunting, you have something

306
00:15:06,530 --> 00:15:08,160
that is called being naive.

307
00:15:09,689 --> 00:15:14,100
And being naive allows you to explore
with a fresh view of the program.

308
00:15:14,530 --> 00:15:17,439
When you start to hunt, you have
your spider sense, you know,

309
00:15:17,439 --> 00:15:20,859
you got your instinct, you trust
your guts and say, okay, this

310
00:15:21,140 --> 00:15:22,599
smells bad, I'm going to hack it.

311
00:15:22,760 --> 00:15:24,199
And you're hacking it and you find issues.

312
00:15:24,199 --> 00:15:25,030
That's, that's cool.

313
00:15:25,699 --> 00:15:27,980
You're starting to get trapped
into your own routine, in your

314
00:15:27,989 --> 00:15:29,869
own way of things, seeing things.

315
00:15:30,189 --> 00:15:33,935
Whereas a newbie, Who is
very naive, doesn't know that

316
00:15:34,045 --> 00:15:35,105
this is not going to work.

317
00:15:35,135 --> 00:15:37,445
This is not going to work
because he's going to test it.

318
00:15:37,775 --> 00:15:41,354
And by testing it, he's going to find
these issues in the spots that you,

319
00:15:41,385 --> 00:15:42,885
your blind spot that you never tried.

320
00:15:43,085 --> 00:15:46,215
That's why it's very cool to hunt
with like very new hunters because

321
00:15:46,215 --> 00:15:48,945
they are going to test everything
and are going to find those little

322
00:15:48,945 --> 00:15:50,114
tracks that you would have missed.

323
00:15:50,944 --> 00:15:53,754
What are your, your top tips
to like uncover parts of the

324
00:15:53,754 --> 00:15:55,665
application that nobody looked at?

325
00:15:56,004 --> 00:16:02,550
Well, when I, um, start hunting on
the, on a program, The, you know, I, I

326
00:16:02,550 --> 00:16:06,810
told you that my pet peeve was using,
uh, was working on access controls.

327
00:16:07,430 --> 00:16:10,310
So when you want to uncover
more access controls, you've

328
00:16:10,320 --> 00:16:11,720
got to unlock more features.

329
00:16:12,289 --> 00:16:16,880
And what I think to myself is even
when I think that I've covered

330
00:16:16,880 --> 00:16:20,319
the whole application, I always
consider that I've missed something.

331
00:16:21,070 --> 00:16:24,540
And by keeping
the grind on it, like trying

332
00:16:24,540 --> 00:16:28,550
to test all the damn features
everywhere, everywhere, everywhere.

333
00:16:28,760 --> 00:16:31,680
That's how you start to understand
the, oh, I missed that workflow.

334
00:16:31,740 --> 00:16:32,689
workflow.

335
00:16:32,750 --> 00:16:33,150
workflow.

336
00:16:33,590 --> 00:16:36,530
And then you start to understand like,
okay, there's way more hidden features

337
00:16:36,729 --> 00:16:42,369
because nowadays UIs are, you know,
very, um, like styled down, you know,

338
00:16:42,369 --> 00:16:43,800
you don't see many buttons anymore.

339
00:16:43,800 --> 00:16:46,869
So you have to really like
test all the flows all around.

340
00:16:46,880 --> 00:16:47,750
Um, and so by.

341
00:16:48,380 --> 00:16:51,449
It's a bit stupid, but I keep brute
forcing kind of the application.

342
00:16:51,740 --> 00:16:52,740
You want to cover most of this.

343
00:16:53,439 --> 00:16:56,410
Of course, the good old JavaScript
mining is very important.

344
00:16:56,410 --> 00:17:00,829
And that's why tools like JS Weasel by
Steelman are very damn useful because,

345
00:17:01,340 --> 00:17:05,269
um, it gives a really, like, really one
place to have everything stored, all

346
00:17:05,270 --> 00:17:09,780
JS files, even that hidden JS file that
only is loaded on a, on a weird route.

347
00:17:09,899 --> 00:17:10,619
You will have it.

348
00:17:11,030 --> 00:17:11,480
And need.

349
00:17:11,714 --> 00:17:14,055
Processes you, you know,
the potential path.

350
00:17:14,065 --> 00:17:16,045
So that's a pretty, a pretty nice one.

351
00:17:17,165 --> 00:17:19,825
And the thing, uh, the last
thing is being, um, logging.

352
00:17:20,435 --> 00:17:22,565
So you have your burp
history or Caido history.

353
00:17:22,875 --> 00:17:26,305
What I like to do is to try to, you
know, store that into a database.

354
00:17:26,305 --> 00:17:30,795
When I, I'm strict enough with myself
to take the time to set up that.

355
00:17:31,304 --> 00:17:34,715
Uh, and sometimes when you look into
your burp history or you look on to

356
00:17:34,715 --> 00:17:37,965
some, on some parameters, you will
find like the hidden root or the hidden

357
00:17:37,965 --> 00:17:39,975
params that you needed to unlock that

358
00:17:40,224 --> 00:17:40,574
stuff.

359
00:17:40,980 --> 00:17:42,180
How exactly do you look for this?

360
00:17:42,180 --> 00:17:44,710
You have your database with
all the requests logged.

361
00:17:44,890 --> 00:17:46,100
What do you do to find it?

362
00:17:46,650 --> 00:17:51,990
Initially, what I used was the, um, with
Logger++, you have a feature

363
00:17:51,990 --> 00:17:53,910
to export the request to Elasticsearch.

364
00:17:54,270 --> 00:17:54,530
Yeah.

365
00:17:55,209 --> 00:17:58,849
And using Elasticsearch, you can then
use the, um, the, uh, well, the full,

366
00:17:59,470 --> 00:18:03,100
Elasticsearch, Logstash and Kibana.

367
00:18:03,430 --> 00:18:05,379
And so Kibana acts as a kind of front end.

368
00:18:05,400 --> 00:18:11,530
So we can type like SQL-like requests,
you know, to find the specific stuff.

369
00:18:11,590 --> 00:18:16,639
But the issue is that in Elasticsearch,
uh, to find like specific words

370
00:18:16,729 --> 00:18:20,790
inside the requests or so, or the
response, it goes through a tokenizer.

371
00:18:21,479 --> 00:18:25,449
And so you have a limit on the
length of the contents, for example,

372
00:18:25,580 --> 00:18:29,110
a very large JS file of 5 or 10
megabytes, it will not really work

373
00:18:29,110 --> 00:18:30,879
properly, except if you fine tune it.

374
00:18:31,439 --> 00:18:35,439
But that's, for example, a cool way
to improve your coverage when you're

375
00:18:35,439 --> 00:18:38,189
testing for access control or business
logic errors, because you're able

376
00:18:38,189 --> 00:18:41,939
to find like very hidden parameters,
parameters that you missed, or

377
00:18:41,939 --> 00:18:45,550
parameters that have a similar name,
but that you needed to craft like.

378
00:18:45,610 --> 00:18:50,399
The Google write request for those newly
uncovered routes that you understood

379
00:18:50,409 --> 00:18:51,830
that you found in the, in the JS.

380
00:18:52,010 --> 00:18:52,139
Yeah.

381
00:18:52,139 --> 00:18:57,100
So we just like have a regex to look for
the, to find all the parameters in all the

382
00:18:57,100 --> 00:18:58,969
JS files and history, something like this.

383
00:18:59,039 --> 00:19:02,549
No, because I am not disciplined
enough to actually build that.

384
00:19:02,569 --> 00:19:05,780
And that's why I love SteelMans just
result too, because it does that

385
00:19:05,800 --> 00:19:07,520
for you and it removes you the heavy

386
00:19:07,520 --> 00:19:08,300
lifting on that part.

387
00:19:08,340 --> 00:19:08,639
Yeah.

388
00:19:08,689 --> 00:19:08,860
Yeah.

389
00:19:08,860 --> 00:19:09,469
It's really nice.

390
00:19:10,280 --> 00:19:12,500
How about some bug classes
you never look for, or do you

391
00:19:12,510 --> 00:19:14,050
think are there, like, present?

392
00:19:14,270 --> 00:19:15,660
Honestly, I suck at client side.

393
00:19:16,080 --> 00:19:16,860
I'm very bad at it.

394
00:19:17,340 --> 00:19:22,330
Because, you know, I used to do the
classical, you know, HTML injection

395
00:19:22,339 --> 00:19:23,969
to popping in XSS and so on.

396
00:19:23,969 --> 00:19:27,189
And, like, being in the live hacking
event and seeing the bugs shown on the

397
00:19:27,190 --> 00:19:32,385
show and tells clearly shows me that
I'm years behind all those top hackers

398
00:19:32,385 --> 00:19:36,140
doing, like, crazy post message stuff,
finding gadgets all over the source code.

399
00:19:36,469 --> 00:19:36,960
They're all there.

400
00:19:37,410 --> 00:19:37,590
Yeah.

401
00:19:37,590 --> 00:19:40,900
They are found at each event and very
impactful bugs are found with that.

402
00:19:41,500 --> 00:19:45,120
I just never took the time to actually,
well, do all the CTF, do all the training.

403
00:19:45,610 --> 00:19:49,950
And it's, it's kind of have been
the new hype, you know, since like

404
00:19:50,010 --> 00:19:54,370
solutions like DOMPurify have been more or
less implemented a bit everywhere.

405
00:19:54,370 --> 00:19:58,300
Sanitization is now a real standard
in most of the web applications.

406
00:19:58,710 --> 00:19:59,244
Well, yeah.

407
00:19:59,515 --> 00:20:02,985
All the post message tricks,
you know, and the CSPT, the

408
00:20:03,025 --> 00:20:06,085
traversals, been like the new craze.

409
00:20:06,675 --> 00:20:10,974
And so the top hunters have quickly
adapted to learn these techniques.

410
00:20:10,985 --> 00:20:15,454
And I think the wider community
would gain a lot to start working on

411
00:20:15,454 --> 00:20:16,995
those kinds of techniques, but it is

412
00:20:17,034 --> 00:20:17,414
additional work.

413
00:20:17,975 --> 00:20:18,334
Yeah.

414
00:20:18,395 --> 00:20:22,554
And it's also, you can see the shift,
I think, from like more server side

415
00:20:22,554 --> 00:20:25,824
processing, moving to the client side,
JavaScript also, you know, brings

416
00:20:25,824 --> 00:20:29,455
bugs with it and, and all the post
message stuff and the things that

417
00:20:29,465 --> 00:20:32,574
they find, the things that they know
about the client stuff, it's crazy.

418
00:20:33,054 --> 00:20:36,425
All the like cookie, even yesterday
in the newsletter, I shared like two

419
00:20:36,425 --> 00:20:38,405
different articles about sharing about.

420
00:20:38,565 --> 00:20:43,504
And there was like one article
that compared parsing in browsers,

421
00:20:43,545 --> 00:20:48,365
in frameworks, uh, and then it
was already so inconsistent.

422
00:20:48,405 --> 00:20:50,485
And then there was another article from

423
00:20:51,275 --> 00:20:51,485
PortSwigger.

424
00:20:51,695 --> 00:20:55,334
I don't remember the name unfortunately,
where you had like a version cookie,

425
00:20:55,465 --> 00:20:57,374
which changes the way cookies are parsed.

426
00:20:57,385 --> 00:20:58,955
So you get another layer of it.

427
00:20:59,554 --> 00:21:04,720
And to be honest, I never think I played
with cookies Uh, like the cookie parsing,

428
00:21:04,780 --> 00:21:07,940
I don't think I've had a bug which
would like require me to mess with this.

429
00:21:08,200 --> 00:21:11,129
Yeah, during a live
hacking event in France.

430
00:21:11,725 --> 00:21:16,785
I had another hunter called Brumance,
who developed his own tool to start

431
00:21:16,785 --> 00:21:20,925
fuzzing, you know, other parts of HTTP
requests that you don't really fuzz into.

432
00:21:20,925 --> 00:21:22,505
And he was fuzzing cookies at that time.

433
00:21:22,775 --> 00:21:27,124
I started to uncover some, like, beginning
of an SQL injection just inside a cookie.

434
00:21:27,715 --> 00:21:31,925
No, that's stuff that you have to test
for, you know, or you just won't do it.

435
00:21:31,925 --> 00:21:36,365
It's just like sometimes, um, I think it's
on PentesterLab or something like that.

436
00:21:36,915 --> 00:21:39,534
When you start learning about
SQL injection, you focus on the

437
00:21:39,535 --> 00:21:42,755
parameters and then, well, the
challenge is actually to, well, inject

438
00:21:42,765 --> 00:21:44,395
that into your user agent header.

439
00:21:44,535 --> 00:21:49,235
So of course I never saw it or almost
never saw it in real life in pen testing,

440
00:21:49,685 --> 00:21:53,045
but it still reminds you that once again,
you have coverage that is not being done

441
00:21:53,045 --> 00:21:55,535
properly client side or server side.

442
00:21:56,375 --> 00:21:57,835
There's a lot of things
that we don't test for.

443
00:21:58,155 --> 00:21:58,534
Yeah.

444
00:21:58,564 --> 00:22:00,465
And I also think it's the problem.

445
00:22:00,514 --> 00:22:06,045
You have relatively few bugs you found in
your career because you have like a few

446
00:22:06,095 --> 00:22:08,754
bug classes and then a few input sources.

447
00:22:08,885 --> 00:22:14,165
So it's easy to like fall into the
into testing the same same things

448
00:22:14,225 --> 00:22:15,474
all the time because they work.

449
00:22:15,825 --> 00:22:17,019
And then you have a thing like.

450
00:22:17,180 --> 00:22:19,010
SQL injection in the user agent header.

451
00:22:19,230 --> 00:22:21,730
I've never found this,
so I don't test for it.

452
00:22:21,960 --> 00:22:23,680
So in the future, I also won't find it.

453
00:22:24,080 --> 00:22:28,320
So it's sort of the, the negative
feedback loop where you don't find

454
00:22:28,320 --> 00:22:29,320
something, so we don't test it.

455
00:22:29,369 --> 00:22:30,659
So we don't test for it.

456
00:22:31,360 --> 00:22:35,439
And I struggle with like motivating
myself to like fast more things

457
00:22:35,439 --> 00:22:36,989
and test more things that I think.

458
00:22:37,490 --> 00:22:41,690
won't be successful because probably some
of them will be successful at some point.

459
00:22:42,100 --> 00:22:45,000
Another bug class, um,
it's very, it's pretty wide.

460
00:22:45,010 --> 00:22:47,799
It's, uh, all the timing
attacks were reported.

461
00:22:47,799 --> 00:22:53,650
So either you go for the James Kettle
route, which is in my opinion, of course,

462
00:22:53,650 --> 00:22:57,610
the way that you will, you know, Uncover
like very, very, very, very impactful

463
00:22:57,640 --> 00:23:01,580
bug, but everything related, you know,
to also timing attack and sandwich

464
00:23:01,629 --> 00:23:03,899
attacks and also time based secrets.

465
00:23:03,899 --> 00:23:10,810
So there is a talk on Reset Tolkien where
basically he's shown that even on some

466
00:23:10,810 --> 00:23:16,240
bug bounty targets, he still finds like
IDs that are generated, derived from

467
00:23:16,240 --> 00:23:18,290
a secret that is derived from time.

468
00:23:18,920 --> 00:23:22,649
And even if we know that it's insecure,
or sometimes you have a gut feeling that

469
00:23:22,969 --> 00:23:26,830
this smells bad and you know that it's
not secure, but you cannot prove it.

470
00:23:27,570 --> 00:23:31,669
It's cool that he and, and all the
researchers have started like building

471
00:23:31,790 --> 00:23:35,020
comprehensive solutions to test
all variations of, for example, is

472
00:23:35,020 --> 00:23:40,139
it like your email plus underscore
plus a timestamp passed to a SHA-1

473
00:23:40,139 --> 00:23:44,080
or MD5 or unique ID and
so on and all of these variations.

474
00:23:44,539 --> 00:23:45,169
And so I think.

475
00:23:45,169 --> 00:23:45,289
Okay.

476
00:23:45,455 --> 00:23:50,215
Like we discussed yesterday, like, um,
having more and more tool kits and more

477
00:23:50,215 --> 00:23:55,855
and more use case being ready to be tested
automatically will greatly help us for all

478
00:23:55,865 --> 00:23:58,184
these time attacks and time based secrets.

479
00:23:58,705 --> 00:23:59,014
Yeah.

480
00:23:59,074 --> 00:23:59,904
There's so many

481
00:23:59,914 --> 00:24:00,544
things to be, to

482
00:24:00,544 --> 00:24:00,744
be found.

483
00:24:01,150 --> 00:24:01,340
Yeah.

484
00:24:01,440 --> 00:24:04,990
And it's a good, good way to think
about it to try to automate this stuff.

485
00:24:05,450 --> 00:24:06,170
So, you know, okay.

486
00:24:06,170 --> 00:24:09,370
I may not believe it will work, but
if it just means pressing a button

487
00:24:09,710 --> 00:24:13,129
and, you know, generating something
automatically, it's less of a hurdle.

488
00:24:13,130 --> 00:24:17,820
If I were to manually inject, let's stick
to the example, SQL injection payload in

489
00:24:17,820 --> 00:24:21,100
the user agent header, in the cookie, in
the parameter, in the body everywhere.

490
00:24:21,100 --> 00:24:21,320
Yeah.

491
00:24:21,415 --> 00:24:24,475
If it's just one button,
then, then it's easier.

492
00:24:24,475 --> 00:24:27,975
So I think it's a good way to think
about it, to try to automate this stuff.

493
00:24:27,975 --> 00:24:30,944
And you know, then it's, if it doesn't
work, doesn't work, not a problem.

494
00:24:31,254 --> 00:24:35,784
The issue is that we end up with the
philosophical question, or are we in the

495
00:24:35,784 --> 00:24:39,745
end, rebuilding some kind of vulnerability
scanner to automate ourselves?

496
00:24:40,614 --> 00:24:43,965
That's the issue that we, we, there's
so many things to be tested and I

497
00:24:43,975 --> 00:24:47,344
got to develop like your instance,
your spider, your spider sense, but.

498
00:24:47,685 --> 00:24:51,514
Well, then you just have to avoid
being stuck into your routine and,

499
00:24:51,975 --> 00:24:55,145
and the issue with bug bounty, and
especially if you do it for money,

500
00:24:55,465 --> 00:24:57,215
uh, is that you need profitability.

501
00:24:57,284 --> 00:25:01,305
And so when you're stuck into that
eternal cycle of, I need to make

502
00:25:01,305 --> 00:25:04,514
money, then you're less likely to
be doing research and then going

503
00:25:04,524 --> 00:25:05,764
outside of your comfort zone.

504
00:25:06,124 --> 00:25:08,095
So you gotta find the right balance.

505
00:25:08,145 --> 00:25:09,945
And that's why, uh,
that's what I strive for.

506
00:25:09,945 --> 00:25:13,915
So is to just have hacking as a
passion that can really research

507
00:25:14,314 --> 00:25:17,504
rather than say, okay, this makes money
and I should keep doing it because.

508
00:25:17,675 --> 00:25:20,565
You know, it supports my,
my lifestyle, my family.

509
00:25:21,004 --> 00:25:21,344
Yeah,

510
00:25:21,394 --> 00:25:25,355
it would be, would be fun to
have this, this way I try to,

511
00:25:26,044 --> 00:25:28,995
this video won't be published, so
maybe I can, I can say about it.

512
00:25:29,504 --> 00:25:33,145
I tried to hack some software that I use.

513
00:25:33,145 --> 00:25:34,175
I tried to make a video.

514
00:25:34,185 --> 00:25:38,225
I had the idea to make the video of like
hacking different software that I used

515
00:25:38,225 --> 00:25:39,725
that does not have a bug bounty program.

516
00:25:40,324 --> 00:25:44,384
It ended up with like me finding a
full read SSRF in 19 minutes, because

517
00:25:44,384 --> 00:25:49,389
I But then I was like, and I plan
to spend the whole week doing this,

518
00:25:49,780 --> 00:25:51,200
but then I just lost the motivation.

519
00:25:51,200 --> 00:25:53,779
It was like a week is too, too a lot.

520
00:25:53,779 --> 00:25:58,649
And then, you know, it's fairly easy to
find bugs and would be, would be cool

521
00:25:58,689 --> 00:26:03,320
to, to feel allowed to just, okay, let's
spend a week hacking on whatever I want.

522
00:26:03,800 --> 00:26:08,125
Well, Yesterday we talked about, you
know, um, the, the way that your brain

523
00:26:08,125 --> 00:26:13,345
process happiness and you know, everything
related to your dopamine levels and the

524
00:26:13,345 --> 00:26:17,335
way we are also kind of victims of that
because now that there is a financial

525
00:26:17,335 --> 00:26:23,550
rewards, we are often bound to, um,
consider yourself and your ego as hackers

526
00:26:23,980 --> 00:26:28,540
as somehow correlated to the bounty
that you make and also the value of

527
00:26:28,540 --> 00:26:32,050
the bug that you find being correlated
to the amount of money that you make.

528
00:26:32,760 --> 00:26:36,439
Which is not a, which is of course
good in a way because it stimulates

529
00:26:36,440 --> 00:26:39,149
you, you've got that dopamine, that
adrenaline rush and you want to,

530
00:26:39,149 --> 00:26:40,669
you want, you want to go forward.

531
00:26:41,009 --> 00:26:44,299
You cannot stay in that loop forever
because at any time though you

532
00:26:44,409 --> 00:26:48,229
will find less bugs or sometimes
there are underrated value program.

533
00:26:48,449 --> 00:26:49,829
You cannot devalue yourself.

534
00:26:50,115 --> 00:26:55,025
Cause then you just go into a very
bad spiral cycle of self deprecating,

535
00:26:55,025 --> 00:26:55,815
you know, faults.

536
00:26:56,314 --> 00:26:56,844
Yeah.

537
00:26:56,894 --> 00:26:57,384
That's bad.

538
00:26:57,534 --> 00:26:57,975
I do it.

539
00:26:58,004 --> 00:27:03,114
I try to not do it, but still, even
though it's financially, it's easy

540
00:27:03,114 --> 00:27:07,004
to like manage a time with no, with
no bounty mentally, this is the

541
00:27:07,004 --> 00:27:08,685
hard part for me to like, okay.

542
00:27:08,975 --> 00:27:14,665
Cause I, I feel it's more of a sort of
reward that the bounty itself is, of

543
00:27:14,665 --> 00:27:17,654
course it pays the bills, but it's more.

544
00:27:18,020 --> 00:27:22,500
a way to, to, you know, as you
say, to express the, how well

545
00:27:22,800 --> 00:27:24,460
your, your, how good your bug was.

546
00:27:25,220 --> 00:27:29,970
And yeah, it's hard when you have a
worse period, worse bugs, downgraded

547
00:27:29,970 --> 00:27:31,169
severity and stuff like this.

548
00:27:31,439 --> 00:27:33,029
And sorry, I'm keep going off

549
00:27:33,030 --> 00:27:33,759
road with you

550
00:27:33,760 --> 00:27:34,040
is this one.

551
00:27:35,260 --> 00:27:37,279
That's something that is
not talked about, I think.

552
00:27:37,665 --> 00:27:40,784
I don't know if I, I think it
affects all the people, but not a

553
00:27:40,784 --> 00:27:46,034
lot is like the blues or the small
depression after a live hacking event.

554
00:27:46,334 --> 00:27:46,674
Yeah.

555
00:27:46,745 --> 00:27:50,595
Like the, the high and the
personal investment of this cool

556
00:27:50,595 --> 00:27:52,444
live hacking events is crazy.

557
00:27:52,764 --> 00:27:52,945
Yeah.

558
00:27:53,155 --> 00:27:53,794
It ends up.

559
00:27:54,705 --> 00:27:59,475
Like at the top, you know, of the climax,
when you read all inside of the, the live

560
00:27:59,475 --> 00:28:02,904
hacking event, you see all the people,
you see money flowing, you see crazy

561
00:28:02,904 --> 00:28:07,534
bugs, you see show and tells, and like,
it's so much excite, excitement that,

562
00:28:07,704 --> 00:28:12,585
and I think when you go back home after,
like everything feels less stimulating.

563
00:28:12,955 --> 00:28:16,125
And I kind of feel like a little
bit depressed for a week after.

564
00:28:16,235 --> 00:28:16,555
Yeah.

565
00:28:16,575 --> 00:28:18,235
Because they're way less stimuli.

566
00:28:18,815 --> 00:28:21,974
I think, okay, well back
to daily life, I guess.

567
00:28:24,274 --> 00:28:25,494
To be fair, I didn't have this.

568
00:28:25,865 --> 00:28:26,654
I was surprised.

569
00:28:26,685 --> 00:28:27,824
I know some people have it.

570
00:28:27,914 --> 00:28:28,124
Yeah.

571
00:28:28,164 --> 00:28:30,615
And I spoke with Johan and he
was like, Oh, how was the live?

572
00:28:30,615 --> 00:28:31,784
I can even argue depressed after.

573
00:28:31,784 --> 00:28:33,385
I'm like, no, I'm pumped up.

574
00:28:33,385 --> 00:28:34,395
I met so many people.

575
00:28:34,395 --> 00:28:35,195
I had so many ideas.

576
00:28:35,195 --> 00:28:36,825
I just want to hack, man.

577
00:28:37,325 --> 00:28:38,685
I had like the complete opposite.

578
00:28:38,685 --> 00:28:39,685
And also the.

579
00:28:40,095 --> 00:28:42,525
The live hacking event is
like more stressful because

580
00:28:42,535 --> 00:28:43,445
you want to find the bugs.

581
00:28:43,445 --> 00:28:44,345
You feel the pressure.

582
00:28:44,965 --> 00:28:48,905
After I came back from Edinburgh,
I slept so well because before each

583
00:28:48,905 --> 00:28:54,855
night, if I, if I, if I wake up and
the bounties and updates, and then I

584
00:28:54,855 --> 00:28:58,465
came back and I slept so well for me,
it's like, Oh, so the opposite school,

585
00:29:00,595 --> 00:29:01,905
let's go back to access control bugs.

586
00:29:02,395 --> 00:29:03,945
So what exactly is this?

587
00:29:03,945 --> 00:29:05,145
What, what is it that you test?

588
00:29:05,510 --> 00:29:07,680
Well, it ranges from the classic IDOR.

589
00:29:07,690 --> 00:29:08,030
So

590
00:29:08,470 --> 00:29:11,329
add one, decrease by one.

591
00:29:11,410 --> 00:29:12,370
That's a classical one.

592
00:29:13,080 --> 00:29:17,690
But you know, um, depending on the tech
stack and the type of IDs that are used,

593
00:29:17,720 --> 00:29:22,340
you have like various, um, uh, sneaky
ways to get those access control issues.

594
00:29:22,700 --> 00:29:27,110
One thing that I liked, um, uh, I
spent a month in on LinkedIn, that

595
00:29:27,110 --> 00:29:30,840
program made, I think, 30K, something
like that in bounties overall.

596
00:29:32,910 --> 00:29:36,300
Crazy, not that crazy, but still, I
think a good amount to express that

597
00:29:36,300 --> 00:29:37,770
I spent and invested time in that.

598
00:29:38,510 --> 00:29:41,570
And so I was reading the activity
and they have a few disclosed

599
00:29:41,570 --> 00:29:44,270
programs, um, sorry, reports on it.

600
00:29:45,080 --> 00:29:47,750
And LinkedIn uses a lot of URNs.

601
00:29:48,050 --> 00:29:52,640
So you have, for example, uh, URN,
uh, colon, some, uh, prefix, for

602
00:29:52,640 --> 00:29:57,560
example, user ID colon and some, and
some alphanumeric string after it.

603
00:29:58,800 --> 00:30:01,501
And the guy found a, a very
cool, uh, second level bug.

604
00:30:02,345 --> 00:30:08,555
where he filled inside of his profile,
a value being an, uh, a new URN.

605
00:30:09,325 --> 00:30:14,645
So it was the key was a URN
and the value was also a URN.

606
00:30:14,645 --> 00:30:19,075
And this value was later sourced by the
application at a different location.

607
00:30:19,415 --> 00:30:21,305
And so it retrieved the value of this.

608
00:30:21,620 --> 00:30:26,800
Like, injected URN and this
process didn't actually, uh,

609
00:30:26,840 --> 00:30:28,540
provide good access controls.

610
00:30:28,790 --> 00:30:32,450
It was able, for example, to access
other people, uh, data through it.

611
00:30:32,450 --> 00:30:36,700
It's like a second order injection
where you put, uh, instead of a

612
00:30:36,700 --> 00:30:39,149
string, like, uh, like, uh, a URN.

613
00:30:39,549 --> 00:30:41,640
That's, for example, in
my opinion, a cool bug.

614
00:30:42,025 --> 00:30:42,295
Yeah.

615
00:30:42,605 --> 00:30:44,025
So it's like second order processing.

616
00:30:44,965 --> 00:30:49,135
And then it's pretty much anything
ranges from either to testing, uh,

617
00:30:49,305 --> 00:30:51,105
authenticate, not authenticated.

618
00:30:51,405 --> 00:30:55,915
And if I'm really, really trying
to go into finding all the little

619
00:30:55,915 --> 00:31:00,594
scrap bugs that I can find, then
it's like, take your time on the, um,

620
00:31:01,395 --> 00:31:04,004
metrics of rights of an application.

621
00:31:04,014 --> 00:31:04,384
Do you have?

622
00:31:04,405 --> 00:31:04,645
Yeah.

623
00:31:04,645 --> 00:31:04,714
Okay.

624
00:31:05,015 --> 00:31:08,915
Five levels for the authentication,
like, are you sure that all of

625
00:31:08,915 --> 00:31:12,805
these five levels on the 200 like
actions are properly implemented?

626
00:31:13,245 --> 00:31:15,855
And I sometimes I do that,
but I find it a bit boring.

627
00:31:16,475 --> 00:31:19,515
Yeah, that was supposed to be my
question because 200 endpoints

628
00:31:19,544 --> 00:31:21,975
times five rows, it's 1000 tries.

629
00:31:22,045 --> 00:31:22,485
That's a lot.

630
00:31:22,870 --> 00:31:23,110
Yeah.

631
00:31:23,110 --> 00:31:26,140
And honestly, there's one guy
that's way better than me at that.

632
00:31:26,430 --> 00:31:27,090
It's Frisek.

633
00:31:27,110 --> 00:31:27,940
He's a French hunter.

634
00:31:28,400 --> 00:31:32,090
And I remember in Edinburgh, I said, Hey,
you should take a look at this application

635
00:31:32,090 --> 00:31:35,930
because it has maybe like 10 levels
of privilege with almost all of that.

636
00:31:36,170 --> 00:31:42,080
So enjoy this crazy guy, like push maybe
16 reports in the next hours, the next

637
00:31:42,080 --> 00:31:46,250
couple of hours, because you know, you
got to feel, you got to get organized

638
00:31:46,280 --> 00:31:49,250
and then you just got to be efficient
and compare it to the documentation.

639
00:31:50,070 --> 00:31:52,769
That honestly tires me too
much to do it properly.

640
00:31:52,800 --> 00:31:54,209
Automate this process in any way?

641
00:31:54,410 --> 00:31:57,990
No, I know a lot of people use
AuthMatrix or AuthZ and so on.

642
00:31:58,060 --> 00:31:58,310
Yeah.

643
00:31:59,620 --> 00:32:02,180
I can't get my head around
to get to, to use them.

644
00:32:02,210 --> 00:32:04,630
Even if they look like
very great solutions.

645
00:32:04,900 --> 00:32:08,220
Most of the time when I use
them, it just to like test

646
00:32:08,299 --> 00:32:09,640
authenticated, not authenticated.

647
00:32:10,339 --> 00:32:12,510
Just to have a quick
replay, but not that much.

648
00:32:12,930 --> 00:32:18,080
And it's also an issue for me because, um,
uh, it doesn't work on complex workflows.

649
00:32:18,080 --> 00:32:22,040
So if you use, for example, a three
step workflow and you want to test

650
00:32:22,050 --> 00:32:23,340
the last step or the workflow.

651
00:32:23,880 --> 00:32:28,320
Uh, if you use something that replace
your cookies, it won't work because

652
00:32:28,350 --> 00:32:31,210
sometimes you need like the correct
IDs for step one, step two, step

653
00:32:31,350 --> 00:32:34,719
three, and then as step four, you
have to modify and get the right ID.

654
00:32:35,209 --> 00:32:39,989
And so investing time in those multi
step workflows will allow you to find the

655
00:32:39,990 --> 00:32:44,100
bugs that other people do not find, but
mostly, well, you cannot automate them

656
00:32:44,110 --> 00:32:45,820
because it just breaks the whole chain.

657
00:32:46,000 --> 00:32:46,250
Yeah.

658
00:32:46,250 --> 00:32:50,270
From, from my tries is like, you
can automate the GET endpoints.

659
00:32:51,045 --> 00:32:56,245
Most of the time, but then when it's
POSTs of, um, update of resources or

660
00:32:56,245 --> 00:33:01,165
deleting resources, it's hard to modify
them because either you will struggle

661
00:33:01,205 --> 00:33:04,195
to determine by the response, if it was
successful or not, because if you're

662
00:33:04,255 --> 00:33:06,995
creating something with a post, you'd.

663
00:33:07,165 --> 00:33:10,685
Don't usually know from the response,
if it was created on your account or

664
00:33:10,995 --> 00:33:15,285
the victim's account deleting, like as
well, it might be problematic because

665
00:33:15,285 --> 00:33:17,075
you cannot directly replay the request.

666
00:33:17,865 --> 00:33:20,814
So I also just do the manual thing.

667
00:33:21,025 --> 00:33:26,075
I think, uh, in the, in the next future,
like even right now, uh, carefully crafted

668
00:33:26,105 --> 00:33:30,875
AI engines could help you for that because
if you really decompose the problem.

669
00:33:32,060 --> 00:33:35,960
Uh, and you have like an AI
agent that does one small thing,

670
00:33:36,170 --> 00:33:37,740
but that does it really well.

671
00:33:38,130 --> 00:33:41,060
You can have like more,
uh, reliable results.

672
00:33:41,430 --> 00:33:46,070
I mean, um, if you first, I don't know,
add a product to your baskets, uh,

673
00:33:46,090 --> 00:33:48,149
then, uh, add the customization option.

674
00:33:48,515 --> 00:33:52,104
Then, you know, try something
else, like put that item into

675
00:33:52,105 --> 00:33:53,265
the basket of another user.

676
00:33:53,915 --> 00:33:58,325
Like having just a very small AI
agent that verifies, okay, uh, is

677
00:33:58,334 --> 00:34:00,905
the answer, uh, plausibly correct?

678
00:34:00,925 --> 00:34:01,785
Yes or no.

679
00:34:01,795 --> 00:34:05,105
Given that input, that input and
that expected output, only does

680
00:34:05,105 --> 00:34:09,995
that real small task might be easier
to apprehend or to understand the

681
00:34:09,995 --> 00:34:11,805
potential vulnerabilities that you have.

682
00:34:12,215 --> 00:34:15,494
And I think that it's a very,
really underlooked the way to craft

683
00:34:15,494 --> 00:34:17,064
really, really small agents to do.

684
00:34:18,690 --> 00:34:18,940
Yeah.

685
00:34:18,940 --> 00:34:20,299
That's a good one.

686
00:34:20,480 --> 00:34:21,490
It's way more powerful.

687
00:34:21,490 --> 00:34:26,980
Like, um, if people want to dive
a bit into that, just take a look

688
00:34:26,980 --> 00:34:29,680
at Daniel's Miestro's Fabric tool.

689
00:34:29,879 --> 00:34:34,569
It has a lot of prompts that are pre
made and really allows you to show, to

690
00:34:34,570 --> 00:34:36,140
understand how to customize those prompts.

691
00:34:36,390 --> 00:34:37,014
And I really like that.

692
00:34:37,155 --> 00:34:39,975
I have small agents that
were perfectly unreliable.

693
00:34:40,655 --> 00:34:43,435
So would you, do you, do you use
an agent like this or do you think

694
00:34:43,435 --> 00:34:44,915
it's, it's possible to create it?

695
00:34:44,985 --> 00:34:49,345
No, I don't use them right now because
I'm working on all the AI projects.

696
00:34:49,554 --> 00:34:52,885
But I think, yeah, it's, it could
be, uh, it could be useful, but I

697
00:34:52,925 --> 00:34:56,654
think that's a couple months of, you
know, fine tuning all this stuff and

698
00:34:56,854 --> 00:34:58,174
it's almost a project of a company

699
00:34:58,174 --> 00:34:58,754
by itself.

700
00:34:59,184 --> 00:34:59,364
Yeah.

701
00:34:59,364 --> 00:35:00,775
But I do see the potential in it.

702
00:35:00,945 --> 00:35:04,385
I think by the time we get like
a full blown hacking agents.

703
00:35:04,470 --> 00:35:07,280
It's going to be a long time because
it's a lot of vulnerability classes, a

704
00:35:07,280 --> 00:35:12,240
lot of things to understand to create
something that, you know, takes the 200

705
00:35:12,250 --> 00:35:15,400
routes and the permission matrix and
goes through the different resources.

706
00:35:15,570 --> 00:35:16,960
Yeah, it's, it, it should be

707
00:35:17,220 --> 00:35:18,050
fairly easy.

708
00:35:18,809 --> 00:35:22,280
The thing is that if you want to
do build that, as I said, you have

709
00:35:22,280 --> 00:35:26,240
to have like very small agents that
do one task and one task perfectly,

710
00:35:26,550 --> 00:35:28,750
then change those very small agents.

711
00:35:29,300 --> 00:35:29,650
And.

712
00:35:30,015 --> 00:35:30,615
Each agents.

713
00:35:30,615 --> 00:35:33,585
So we'll take an input, provide
an output to the next agent.

714
00:35:33,585 --> 00:35:37,905
And so you have this famous chain
of faults between unit agents that

715
00:35:37,905 --> 00:35:39,135
do one thing and then one thing.

716
00:35:39,135 --> 00:35:42,075
Well, then you have to preserve
the context and the context

717
00:35:42,075 --> 00:35:43,605
window is like limited.

718
00:35:43,605 --> 00:35:48,165
So maybe you have two, 200,000 tokens on,
on the cloud, LLM, something like that.

719
00:35:48,525 --> 00:35:51,885
But the more context you provide and
the less pertinent your result will

720
00:35:51,885 --> 00:35:55,365
be, and so your challenge will be to
provide just enough relevant context.

721
00:35:56,400 --> 00:35:59,920
Well, maintain, you know, the
understanding of the application of, and

722
00:35:59,930 --> 00:36:02,500
of what you're doing, but that's possible.

723
00:36:02,500 --> 00:36:04,100
And it's a couple of
months of work, I think.

724
00:36:04,460 --> 00:36:06,840
So we said you, you hacked
on LinkedIn for a little bit.

725
00:36:07,330 --> 00:36:09,630
What is your usual bug bounty program?

726
00:36:09,630 --> 00:36:14,419
Cause I will tell you one thing I noticed
when preparing for the interview in

727
00:36:14,429 --> 00:36:18,500
many of the profiles of top hunters,
like top program is like a private

728
00:36:18,500 --> 00:36:19,970
one that I don't even have access to.

729
00:36:19,970 --> 00:36:20,480
And they have.

730
00:36:21,055 --> 00:36:23,495
often thousands of reputation
in a single program.

731
00:36:24,435 --> 00:36:25,645
Your profile looks different.

732
00:36:25,655 --> 00:36:31,095
You look your profile, there's many
more well paying public programs.

733
00:36:31,315 --> 00:36:35,435
So you're like taking the program with a
lot of competition and you still succeed.

734
00:36:35,435 --> 00:36:37,484
So, so what is your, your usual target?

735
00:36:37,745 --> 00:36:38,044
You

736
00:36:38,044 --> 00:36:41,215
know, it's, it hasn't been a long
time since I got back into full

737
00:36:41,215 --> 00:36:45,155
time bug hunting, maybe the end
of March of this year of 2024.

738
00:36:45,950 --> 00:36:49,330
So maybe it makes like
nine months in the year.

739
00:36:49,330 --> 00:36:53,470
And out of those nine months, I think
it might have taken three or four

740
00:36:53,470 --> 00:36:57,600
months just for me, like seeing people
that I never saw before, going to see

741
00:36:57,600 --> 00:37:02,080
family, relatives, taking a bit of
holidays, working on other side projects.

742
00:37:02,600 --> 00:37:04,710
So I wasn't hacking for that much time.

743
00:37:04,840 --> 00:37:07,000
That's why the data set
is a bit more limited.

744
00:37:07,730 --> 00:37:10,070
But, um, yeah, I did a
full month on LinkedIn.

745
00:37:10,160 --> 00:37:14,740
I did a full month on some private
program that had like One 100 K

746
00:37:14,740 --> 00:37:18,220
in the potential reward, which was like
an infrastructure-related bug.

747
00:37:18,220 --> 00:37:21,000
So it prepared me a
bit actually for AWS.

748
00:37:21,949 --> 00:37:26,929
Uh, and then, yeah, there was,
um, there was Amazon that I wanted

749
00:37:26,940 --> 00:37:30,439
to look into and have all over us
and no, it's like, you got to get

750
00:37:30,450 --> 00:37:31,999
invited to the AWS program.

751
00:37:31,999 --> 00:37:35,870
So I was really happy of getting into
it after the, the LHE and mostly, uh,

752
00:37:36,150 --> 00:37:39,520
I think this is going to be my, my next
program for the foreseeable future.

753
00:37:40,200 --> 00:37:44,214
But, um, you know, when you see
a lot of top hunters in the end.

754
00:37:44,795 --> 00:37:50,105
There are not that many very big paying
programs that also do live hacking events.

755
00:37:50,545 --> 00:37:54,615
So in the end you still have like
those, this small club of maybe, I

756
00:37:54,615 --> 00:38:01,715
don't know, there's Uber, PayPal,
Capital One, Salesforce, AWS, Amazon.

757
00:38:02,530 --> 00:38:03,260
Epic Games.

758
00:38:03,470 --> 00:38:03,760
Yeah.

759
00:38:03,840 --> 00:38:08,140
Now, TikTok, you've got a
pretty small subset of programs.

760
00:38:08,140 --> 00:38:12,330
So in the end, well, you're, you're
running around the clock, hunting all

761
00:38:12,340 --> 00:38:17,339
of these programs, but, um, you, you,
you're, you're right off, um, when

762
00:38:17,340 --> 00:38:20,330
you're talking about people specializing
in one program, because most time you

763
00:38:20,579 --> 00:38:23,954
spend there, of course, you know, the
bugs, you know, the team, you know.

764
00:38:23,965 --> 00:38:26,985
How they handle the things, you know,
how to maximize your output, how to keep

765
00:38:26,985 --> 00:38:28,575
the good relationship with the program.

766
00:38:28,935 --> 00:38:32,594
So, yeah, I think I'm going to stick
with, uh, with AWS, like very large

767
00:38:32,594 --> 00:38:34,465
scope allows you to be very creative.

768
00:38:35,315 --> 00:38:39,665
Both doing like classic web bugs to
more infrastructure related bugs to

769
00:38:39,674 --> 00:38:41,874
like exploring in depth, some features.

770
00:38:42,395 --> 00:38:45,134
And I think it's a great all around

771
00:38:45,134 --> 00:38:45,474
program.

772
00:38:45,474 --> 00:38:45,964
I love it.

773
00:38:46,195 --> 00:38:47,155
Yeah, it's nice.

774
00:38:47,155 --> 00:38:49,715
And the attack surface is
absolutely massive as well.

775
00:38:50,835 --> 00:38:51,925
How about YesWeHack?

776
00:38:51,925 --> 00:38:53,075
Because you also hack there.

777
00:38:53,125 --> 00:38:56,545
There, I do not have as much
visibility into the stats.

778
00:38:57,115 --> 00:39:00,555
How would you sort of compare
hacking on HackerOne and YesWeHack?

779
00:39:01,545 --> 00:39:02,174
It's a bit different

780
00:39:02,175 --> 00:39:05,195
because YesWeHack is a European
platform, French based.

781
00:39:05,595 --> 00:39:09,085
Uh, I've followed them and I've
been friends with them for years

782
00:39:09,095 --> 00:39:12,805
and it's a great company and people
in there are really, really, really

783
00:39:12,805 --> 00:39:13,925
awesome, really great people.

784
00:39:14,504 --> 00:39:15,814
And, um, it's a bit different.

785
00:39:15,865 --> 00:39:20,125
Um, basically when you're in Europe,
you don't necessarily have that

786
00:39:20,155 --> 00:39:21,894
many large companies like in the U.

787
00:39:21,894 --> 00:39:22,114
S.

788
00:39:22,115 --> 00:39:26,335
So, of course, the size of the programs
and the payouts will not be as big

789
00:39:26,335 --> 00:39:29,165
as, uh, as it goes on, uh, on H1.

790
00:39:29,185 --> 00:39:32,815
You can expect from a company that's
not on Amazon to pay a hundred K bucks.

791
00:39:33,310 --> 00:39:34,710
That's just not realistic.

792
00:39:35,220 --> 00:39:37,880
Um, but it's, uh, it's a small platform.

793
00:39:38,020 --> 00:39:42,740
And, uh, from when I was very active
on the platform at that time, I felt

794
00:39:42,750 --> 00:39:46,860
like the triage quality was higher, you
know, um, I'm less active there.

795
00:39:47,059 --> 00:39:52,929
So I cannot, you know, give factual
feedback on how it is now and nowadays.

796
00:39:53,670 --> 00:39:57,240
But you know, it feels like a bit
more humanizing than, you know,

797
00:39:57,240 --> 00:40:00,430
when you're on big platform that
you feel that sometimes people don't

798
00:40:00,460 --> 00:40:02,140
read your report and, and so on.

799
00:40:02,140 --> 00:40:02,400
So.

800
00:40:03,050 --> 00:40:06,720
I really enjoyed that more, uh,
you know, closer, more human,

801
00:40:06,720 --> 00:40:08,940
more family like, uh, concepts.

802
00:40:09,590 --> 00:40:15,060
Um, the thing is, if you take a look
at the, the bug bounty markets in

803
00:40:15,060 --> 00:40:18,730
the end, like how much areas in the
world where you can sell bug bounty,

804
00:40:18,739 --> 00:40:24,310
Northern America, which is of course
one of the richest countries, South

805
00:40:24,310 --> 00:40:27,360
America, which is emerging, but there
are still not a lot of companies,

806
00:40:27,800 --> 00:40:31,579
Europe that does have money and Europe,
you have mostly these Western parts.

807
00:40:32,335 --> 00:40:35,685
It's like starting to have enough
companies with strong enough,

808
00:40:35,715 --> 00:40:38,365
you know, arms to, to bear
the load of the bug bounty.

809
00:40:39,155 --> 00:40:44,405
And then you got SEA, so Southeast
Asia. HackerOne has the, the, the

810
00:40:44,405 --> 00:40:49,894
American market, YesWeHack is mostly
predominant on the European market

811
00:40:50,154 --> 00:40:52,075
and fights with Intigriti on the rest.

812
00:40:52,995 --> 00:40:55,845
And so the next battlefield
is Southeast Asia.

813
00:40:56,145 --> 00:41:00,984
So YesWeHack is implemented in, in SEA
and now the CEO, uh, Kevin, who's an

814
00:41:00,984 --> 00:41:05,485
awesome guy in SEA, I know, well, I go
on is also starting to get cleanser.

815
00:41:05,485 --> 00:41:06,175
I don't know.

816
00:41:06,205 --> 00:41:09,165
I know less about Intigriti,
but then it just shows you that.

817
00:41:09,965 --> 00:41:13,285
You know, the quality and the type of
programs and the evolution of the bug

818
00:41:13,285 --> 00:41:16,555
bounty platform will be directly bound
to the clients that they are able to get.

819
00:41:16,985 --> 00:41:17,285
Yeah.

820
00:41:17,445 --> 00:41:19,764
And so you've got those
big juicy programs on H1.

821
00:41:20,075 --> 00:41:24,025
You've got those European and start of SEA
programs on, on YesWeHack, and it gives you

822
00:41:24,025 --> 00:41:27,274
overall different targets and different
ways to interact with the programs.

823
00:41:27,835 --> 00:41:30,775
It can be cool, I think, to
change and rotate platforms.

824
00:41:31,135 --> 00:41:35,115
If you feel burned out with working
with certain types of companies,

825
00:41:35,115 --> 00:41:36,145
because the culture is different.

826
00:41:36,535 --> 00:41:36,765
Yeah.

827
00:41:36,960 --> 00:41:39,910
Working with European companies is
different from working with American

828
00:41:39,920 --> 00:41:41,520
based companies or SEA companies.

829
00:41:41,560 --> 00:41:43,990
Like, it's a different way
to interact with people.

830
00:41:44,190 --> 00:41:44,560
Yeah.

831
00:41:44,720 --> 00:41:48,959
Also like, uh, the LHEs, the live
hacking events, how are they different

832
00:41:48,960 --> 00:41:51,050
on YesWeHack compared to the HackerOne events?

833
00:41:52,040 --> 00:41:54,610
HackerOne events are pretty large scale.

834
00:41:55,125 --> 00:41:58,675
You often get like 100 users
all flown out to some very cool

835
00:41:58,675 --> 00:42:01,805
location like in Vegas or wherever.

836
00:42:02,275 --> 00:42:05,925
Um, YesWeHack has two types
of live hacking events.

837
00:42:06,365 --> 00:42:10,994
Uh, the first one being a small
punctual event associated with like a

838
00:42:10,995 --> 00:42:14,484
larger event, let's say cybersecurity
conferences or cybersecurity,

839
00:42:14,494 --> 00:42:16,725
you know, general public events.

840
00:42:16,735 --> 00:42:22,535
And they will often hold a small
competition like 24 to 48 hours, uh,

841
00:42:22,585 --> 00:42:27,035
with a reduced prize pool because
often, well, these are just the people

842
00:42:27,035 --> 00:42:30,745
that are going by or people that are
specifically going to the, to the LHE.

843
00:42:30,745 --> 00:42:33,324
So the wallet size is obviously lower.

844
00:42:33,325 --> 00:42:36,415
If you only hack for a day,
you're not going to find as

845
00:42:36,415 --> 00:42:38,104
many bugs as you, as you would.

846
00:42:39,174 --> 00:42:42,655
And then there are some dedicated,
uh, live hacking events that are

847
00:42:42,665 --> 00:42:47,375
bigger, larger scale, uh, which
are, for example, the last one being

848
00:42:47,385 --> 00:42:50,725
in Italy with, uh, no, in France,
in France with the Louis Vuitton.

849
00:42:51,430 --> 00:42:53,080
Uh, luxury, uh, brand.

850
00:42:53,500 --> 00:42:57,670
And so they were flown out to Paris
into like the real headquarters and they

851
00:42:57,680 --> 00:43:02,520
invited way more, uh, hunters, including
North American hunters, uh, as well.

852
00:43:03,200 --> 00:43:06,399
But it's, it's still a smaller scale
where you cannot compare, I think

853
00:43:06,400 --> 00:43:10,349
the, the, the behemoth that is
HackerOne to European companies, not yet.

854
00:43:10,870 --> 00:43:12,050
How did you get involved with

855
00:43:12,050 --> 00:43:13,230
the HackerOne live hacking events?

856
00:43:13,700 --> 00:43:19,510
Uh, in 2022 with the AWC, so
the Ambassador World Cup, I was

857
00:43:19,510 --> 00:43:22,450
with, uh, Maybe for those who
don't know what Ambassador World

858
00:43:22,450 --> 00:43:23,629
Cup is, could you maybe explain?

859
00:43:23,629 --> 00:43:24,050
Yeah, of course.

860
00:43:24,060 --> 00:43:26,279
The Ambassador World
Cup is an annual event.

861
00:43:26,440 --> 00:43:27,870
That started in 2022.

862
00:43:28,320 --> 00:43:31,920
It's a bit like a football or
soccer for your US friends.

863
00:43:32,510 --> 00:43:33,050
It's football.

864
00:43:33,050 --> 00:43:38,980
So it's like a football competition where
you have like, um, teams per country.

865
00:43:39,000 --> 00:43:41,719
Sometimes if there are too
many people, there can be like

866
00:43:41,720 --> 00:43:42,919
multiple teams per country.

867
00:43:43,430 --> 00:43:45,029
Then you've got the selection phase.

868
00:43:45,250 --> 00:43:47,820
Which will eliminate some, uh, some teams.

869
00:43:48,120 --> 00:43:52,390
Then you go into a classical world cup
style of football, where you got like

870
00:43:52,390 --> 00:43:57,930
16 teams and eight, four and two, one,
until the, well, the final one stands.

871
00:43:59,119 --> 00:44:02,669
And though each country has an
ambassador, uh, that represents, well,

872
00:44:02,679 --> 00:44:06,559
the country with his team and that
is directly in, in, in relationship

873
00:44:06,909 --> 00:44:10,700
with HackerOne and with the, with the
programs to coordinate both the hackers.

874
00:44:10,855 --> 00:44:14,415
And the, the relationship
with the platform.

875
00:44:15,105 --> 00:44:17,955
Um, and the rules have evolved a bit.

876
00:44:18,285 --> 00:44:21,564
Nowadays, it's like you've got
a set of programs per round.

877
00:44:21,564 --> 00:44:26,404
So all teams hunt on a specific set of
programs, usually two to three programs.

878
00:44:27,064 --> 00:44:29,815
But 2022 was wild, man.

879
00:44:29,934 --> 00:44:30,845
Very wild.

880
00:44:31,385 --> 00:44:35,365
Like now it's, yeah, yeah, no, it's
like properly set up, you know,

881
00:44:35,365 --> 00:44:39,974
you've got your three programs and
they take time between it's in 2022.

882
00:44:40,044 --> 00:44:41,715
It was so wild.

883
00:44:42,205 --> 00:44:46,855
We were like all the World Cup
teams on all of the managed

884
00:44:46,855 --> 00:44:48,165
public programs of HackerOne.

885
00:44:49,635 --> 00:44:50,224
Do your thing.

886
00:44:52,714 --> 00:44:55,405
And it was around, I think
it took around one month.

887
00:44:56,480 --> 00:45:02,360
And, uh, and, uh, a sad story in the real
world, but a fun, kind of fun, uh, joke

888
00:45:02,360 --> 00:45:07,200
here is that during that time, the war in
Ukraine started getting worse and worse.

889
00:45:07,260 --> 00:45:10,230
So they started banning, for
example, well, because there was

890
00:45:10,250 --> 00:45:13,679
bans, you know, for, for recreation
purpose on some Russian programs.

891
00:45:13,679 --> 00:45:14,469
So for example, the mail.

892
00:45:14,470 --> 00:45:19,240
ru program was present at the time
and disappeared during the cup.

893
00:45:19,660 --> 00:45:23,210
So yeah, it was a bit chaotic, but very,
very, very fun because like people were

894
00:45:23,220 --> 00:45:25,400
submitting all around the platform.

895
00:45:25,780 --> 00:45:29,990
And yeah, that's why, where we, we got
the first World Cup with the French team.

896
00:45:30,650 --> 00:45:33,920
And the, in the end we spent
a lot of time on Epic Games.

897
00:45:34,640 --> 00:45:38,570
And so as we specialize a bit more
on that program and we had like very

898
00:45:38,570 --> 00:45:43,009
good hackers, Snorlax, who was very
successful on Epic Games, who helped a lot to

899
00:45:43,545 --> 00:45:45,165
really understand the program, find bugs.

900
00:45:45,745 --> 00:45:49,215
And, uh, that's how basically we got
the, the first, uh, I think, uh, how

901
00:45:49,215 --> 00:45:50,635
I got the, the, the first invite.

902
00:45:50,655 --> 00:45:53,355
I don't remember if I was a
plus one or if I was invited.

903
00:45:53,805 --> 00:45:57,455
I think I was invited as a, as
a, as a customer sector program.

904
00:45:58,045 --> 00:46:00,484
That was my first, yes,
live hacking events.

905
00:46:00,630 --> 00:46:01,989
Yeah,

906
00:46:02,370 --> 00:46:06,950
I had to take the time to brag
because now the Ambassador World Cup

907
00:46:06,960 --> 00:46:10,270
this year, I'm also playing as, as,
as the ambassador of team Poland.

908
00:46:10,660 --> 00:46:13,750
We are advancing to the final
eight, France loses out.

909
00:46:13,769 --> 00:46:17,159
So it's a payback for, for the
football World Cup, because in the

910
00:46:17,160 --> 00:46:18,779
football World Cup, you eliminated us.

911
00:46:19,170 --> 00:46:21,780
Now we didn't directly
compete, but, uh, yeah.

912
00:46:22,110 --> 00:46:22,600
But you guys

913
00:46:22,600 --> 00:46:23,010
deserve

914
00:46:23,010 --> 00:46:23,160
it.

915
00:46:23,520 --> 00:46:23,750
Very

916
00:46:23,810 --> 00:46:24,510
talented people.

917
00:46:24,520 --> 00:46:24,640
You're

918
00:46:24,640 --> 00:46:25,290
doing an awesome

919
00:46:25,400 --> 00:46:25,560
work

920
00:46:25,560 --> 00:46:27,730
and it's great to, to see you go forward.

921
00:46:28,080 --> 00:46:29,785
So, yeah, we, I didn't expect it as well.

922
00:46:29,785 --> 00:46:33,505
We didn't have so many hunters that
would be so much so, so active.

923
00:46:33,985 --> 00:46:37,375
So now I'm, I'm really proud of the
team 'cause uh, yeah, and, and it's

924
00:46:37,375 --> 00:46:40,735
also not that we just advanced, we
actually scored a lot of points, so.

925
00:46:40,735 --> 00:46:41,395
Awesome man.

926
00:46:41,455 --> 00:46:41,905
Congrats.

927
00:46:42,085 --> 00:46:42,895
Yeah, congrats.

928
00:46:42,895 --> 00:46:43,915
Congrats to the whole team.

929
00:46:45,395 --> 00:46:50,885
How can somebody that, uh, would
like to get involved in the AWC get in?

930
00:46:50,915 --> 00:46:52,265
'cause it's only 20 people.

931
00:46:52,355 --> 00:46:55,655
In Poland it's like fewer hundreds,
so it's not as much of a problem.

932
00:46:55,655 --> 00:46:57,275
But in France, I imagine there's.

933
00:46:57,605 --> 00:47:00,055
Hundreds of people that would
like to be part of the team.

934
00:47:00,565 --> 00:47:05,305
So how can one get involved if they don't
have as much reputation on the platform?

935
00:47:06,155 --> 00:47:06,755
The thing is,

936
00:47:06,755 --> 00:47:11,935
um, even it's like a big
event in the bug bounty world.

937
00:47:12,245 --> 00:47:15,215
Um, it's not as much publicized yet.

938
00:47:15,670 --> 00:47:17,360
Yes, it's the first, third year.

939
00:47:17,370 --> 00:47:20,880
So people are getting more and more known
to it and might want to, to get into it.

940
00:47:20,880 --> 00:47:24,670
But the first thing is, uh, also
about fighting imposter syndrome.

941
00:47:25,030 --> 00:47:28,469
So that you don't have to be
okay with, I'm not able to get

942
00:47:28,469 --> 00:47:30,219
into, to get on, to get on board.

943
00:47:30,450 --> 00:47:33,570
Like I know that the French, French
team, one of the French team last

944
00:47:33,570 --> 00:47:37,629
year was comprised of a lot of
young, uh, of young hunters and

945
00:47:37,629 --> 00:47:39,019
they still perform pretty well.

946
00:47:39,970 --> 00:47:42,070
So that's, that's the first
thing being confident.

947
00:47:42,070 --> 00:47:47,130
The second thing is, well, um,
even if there are more and more bug

948
00:47:47,130 --> 00:47:51,270
hunters, finally the people that
really wants to get involved, uh, go

949
00:47:51,270 --> 00:47:55,600
fewer and fewer with like the level
of dedication that you put into.

950
00:47:56,189 --> 00:48:00,390
And so once you really start to be
active in those kinds of circles, we

951
00:48:00,390 --> 00:48:03,370
are still kind of not that numerous.

952
00:48:03,370 --> 00:48:06,820
There are not that many people
who really want to go inside

953
00:48:06,830 --> 00:48:08,310
and to go on to the team.

954
00:48:08,900 --> 00:48:12,019
And then as the ambassador is
the one person that is making

955
00:48:12,020 --> 00:48:15,240
the final decision, final call on
who's going and who's not going.

956
00:48:15,940 --> 00:48:20,230
Don't forget that the ambassador's
role is also initially to promote

957
00:48:20,240 --> 00:48:22,020
the bounty in their own country.

958
00:48:22,020 --> 00:48:27,125
So you're not just going to take like the
old, top performing guys all the time.

959
00:48:27,395 --> 00:48:30,255
You have to give the chance
to your rising stars.

960
00:48:30,815 --> 00:48:32,425
And that's why you are in the roster.

961
00:48:32,425 --> 00:48:36,284
You will, I will have some new guys
that are coming in, that coming fresh.

962
00:48:36,555 --> 00:48:39,364
That's a great way, you know,
to have your, like your own time

963
00:48:39,364 --> 00:48:40,705
of glory, if you feel like it.

964
00:48:41,520 --> 00:48:45,150
I would also say to, it's good to
get involved in the community 'cause

965
00:48:45,150 --> 00:48:51,170
it's now it's, it's also as a, as the
ambassador, I also want, I've, I've

966
00:48:51,170 --> 00:48:54,260
heard tips from other ambassadors, you
know, it's good to put somebody in the

967
00:48:54,260 --> 00:48:57,500
team that maybe has a little bit less
experience but is maybe more passionate,

968
00:48:57,500 --> 00:48:59,510
more motivated, active in the community.

969
00:49:00,160 --> 00:49:03,730
So I imagine it's also a
good way to, to get involved.

970
00:49:03,970 --> 00:49:04,180
Yeah.

971
00:49:04,180 --> 00:49:04,960
Consistency.

972
00:49:04,960 --> 00:49:09,385
Just being able to put in the, the,
the work and also keep in mind that.

973
00:49:10,485 --> 00:49:16,375
This, the World Cup takes almost a
year, you know, and a year is very long.

974
00:49:16,495 --> 00:49:20,005
People sometimes get burnouts,
people have other issues,

975
00:49:20,015 --> 00:49:21,694
have other stuff to deal with.

976
00:49:22,314 --> 00:49:25,254
And so even your top hunters
might, well, at some point

977
00:49:25,325 --> 00:49:27,375
not be available at that time.

978
00:49:27,584 --> 00:49:30,275
And so you've got to have people
on the roster who are able to

979
00:49:30,275 --> 00:49:33,265
take like the fight, keep going.

980
00:49:33,515 --> 00:49:37,805
So, yeah, just, just get those
young guys and girls and,

981
00:49:37,824 --> 00:49:39,685
you know, those rising stars.

982
00:49:39,725 --> 00:49:40,705
It's the moment.

983
00:49:41,140 --> 00:49:41,450
Yeah.

984
00:49:42,060 --> 00:49:42,420
Okay.

985
00:49:42,540 --> 00:49:47,150
Once you already get the LHE invitation,
you perform really well and all the events

986
00:49:47,150 --> 00:49:50,510
you've, you've attended, you get to go
the show and tell you got the top 10.

987
00:49:50,510 --> 00:49:52,500
So what's the key to perform?

988
00:49:52,500 --> 00:49:54,989
Well, The thing is, I think my

989
00:49:56,059 --> 00:50:04,980
only real capability is to deep
dive, but mostly, um, find the

990
00:50:04,980 --> 00:50:10,220
knowledge that I need for something
that I feel is going to be vulnerable.

991
00:50:11,250 --> 00:50:13,250
I don't consider
myself as a good hacker.

992
00:50:13,280 --> 00:50:14,700
I suck at a lot of things.

993
00:50:14,700 --> 00:50:15,950
I suck at client side.

994
00:50:16,969 --> 00:50:18,659
That's finally coming from you.

995
00:50:18,660 --> 00:50:18,939
Yeah.

996
00:50:18,939 --> 00:50:23,539
But you know, uh, when I hang out
with other guys, like, I don't know,

997
00:50:23,729 --> 00:50:25,199
maybe the worst guy in the room.

998
00:50:25,209 --> 00:50:30,225
Like, You know, you hang out with
CTF guys who are like complete

999
00:50:30,945 --> 00:50:33,345
brutes on so many topics.

1000
00:50:33,345 --> 00:50:34,095
They, yeah, that's true.

1001
00:50:34,595 --> 00:50:36,245
Okay, well I suck at everything.

1002
00:50:36,755 --> 00:50:37,115
good.

1003
00:50:37,115 --> 00:50:40,655
You go with some good clients, guys,
they talking about you, they're talking

1004
00:50:40,655 --> 00:50:42,335
about like, stuff you don't understand.

1005
00:50:42,365 --> 00:50:47,105
You see the show and tell, say, uh, you,
you asked me as a second slide , but

1006
00:50:47,105 --> 00:50:52,425
I, I think I'm only good as much as the
extent of my knowledge and so I have like.

1007
00:50:53,175 --> 00:50:58,155
My monkey brain processing a bit
of knowledge, then you have to find

1008
00:50:58,165 --> 00:51:01,945
the right information at the right
time to be able to find that bug.

1009
00:51:02,425 --> 00:51:06,664
And so even if you, when you start
doing bug bounty a lot and pentesting

1010
00:51:06,664 --> 00:51:09,695
a lot, you have your instinct of what
is going to be vulnerable or not.

1011
00:51:09,984 --> 00:51:12,564
And that's kind of your
unique approach, but.

1012
00:51:12,875 --> 00:51:16,285
Having the gut feeling of something
being vulnerable is not enough.

1013
00:51:16,295 --> 00:51:19,955
You gotta transform it just like into
rugby, you know, you place it with

1014
00:51:19,955 --> 00:51:22,885
the ball and then you gotta shoot
it and transform it into a point.

1015
00:51:23,485 --> 00:51:29,425
And so that's where like being able
to grasp and retrieve information

1016
00:51:29,445 --> 00:51:32,535
from different people, different
sources, really makes a difference

1017
00:51:32,885 --> 00:51:36,505
on how well that feeling is going to
be or not an actual vulnerability.

1018
00:51:36,965 --> 00:51:38,325
And then it's pacing the cursor.

1019
00:51:39,635 --> 00:51:43,545
Um, when to stop and when to
keep investigating because bug

1020
00:51:43,545 --> 00:51:45,525
bounty is kind of profitability.

1021
00:51:45,575 --> 00:51:49,355
So if you invest too much time on a
single bug and it doesn't pay out,

1022
00:51:49,814 --> 00:51:54,385
well, definitely you have wasted a lot of
time and you feel bad about yourself.

1023
00:51:54,854 --> 00:51:58,695
And then just it's, it's being able to
place like the right course or one where

1024
00:51:58,704 --> 00:52:03,175
you should stop or where you should invest
more time or, but we'll simply keep that

1025
00:52:03,175 --> 00:52:06,705
in the back for later for another friend
who might be smarter than you, you know?

1026
00:52:06,885 --> 00:52:07,125
Yeah.

1027
00:52:07,175 --> 00:52:07,435
And.

1028
00:52:07,705 --> 00:52:09,755
How they're going at the right time.

1029
00:52:09,765 --> 00:52:13,425
So yeah, it's feeling good with the
program and being able to seek the

1030
00:52:13,425 --> 00:52:14,765
right information at the right time.

1031
00:52:15,505 --> 00:52:19,905
For example, I never did, you know,
AWS infrastructure hacking before.

1032
00:52:20,195 --> 00:52:20,515
Yeah.

1033
00:52:21,045 --> 00:52:23,585
But you know, right people,
right time, right information.

1034
00:52:24,170 --> 00:52:26,490
It's finding that sweet spot,
which makes a difference.

1035
00:52:26,770 --> 00:52:28,180
So what were the things you

1036
00:52:28,190 --> 00:52:30,530
focused on, on, on the hacking events?

1037
00:52:31,700 --> 00:52:33,239
I knew in which event, for example, the

1038
00:52:33,240 --> 00:52:37,260
last one, you focused on infrastructure
on AWS, the previous ones.

1039
00:52:37,890 --> 00:52:41,600
Did you also get like a one sort of one
goal that you wanted to, or one area?

1040
00:52:41,730 --> 00:52:42,149
Oh yeah.

1041
00:52:42,150 --> 00:52:42,410
On

1042
00:52:42,599 --> 00:52:46,850
Epic games, I focused on a very
classic web app, purely marketplace.

1043
00:52:46,900 --> 00:52:49,750
And, uh, I did my usual
thing with access controls.

1044
00:52:50,590 --> 00:52:53,790
And the thing is sometimes,
well, people don't care about it.

1045
00:52:54,245 --> 00:52:59,215
Because it's not impactful or it's
not impactful in their own security

1046
00:52:59,215 --> 00:53:00,855
model and then you gotta accept it.

1047
00:53:01,675 --> 00:53:03,755
So after like spending two weeks of doing

1048
00:53:03,755 --> 00:53:04,485
everything like

1049
00:53:04,485 --> 00:53:10,795
that and getting like, well, yeah, No,
you're gonna get a low hanging, a low bug.

1050
00:53:11,865 --> 00:53:12,645
Then you feel doubt.

1051
00:53:13,185 --> 00:53:15,975
Damn, I spent really two weeks
like covering the whole platform

1052
00:53:15,975 --> 00:53:17,675
and covering secret features.

1053
00:53:17,675 --> 00:53:22,565
Uh, I even spent like 2,000 on
the premium subscription on it.

1054
00:53:22,565 --> 00:53:23,925
It was worth it in the end.

1055
00:53:24,135 --> 00:53:24,734
Oh, nice.

1056
00:53:25,465 --> 00:53:25,775
But yeah.

1057
00:53:26,465 --> 00:53:29,009
And so, yeah, well, I
was quite, uh, confused.

1058
00:53:29,200 --> 00:53:29,990
Kind of tired.

1059
00:53:30,640 --> 00:53:34,630
And so what I did in the end was to
fall back to something that I really

1060
00:53:34,630 --> 00:53:38,320
never tested at scale before was trying
to test denial of service issues.

1061
00:53:39,350 --> 00:53:42,630
And that's when I started to
find some, you know, nice bugs.

1062
00:53:42,789 --> 00:53:47,529
And paradoxically, the two weeks
of work that I did went to uncover,

1063
00:53:47,720 --> 00:53:51,699
you know, hidden attack surface,
accessing premium features, like

1064
00:53:52,479 --> 00:53:56,060
even broken features or things that
were not implemented yet, accessing

1065
00:53:56,070 --> 00:53:57,990
them and so on and so on, didn't pay.

1066
00:53:58,870 --> 00:53:59,630
Much in the end.

1067
00:53:59,980 --> 00:54:03,800
And I've made almost all the money in
the end with a couple of those bugs.

1068
00:54:03,880 --> 00:54:04,680
How about those bugs?

1069
00:54:04,730 --> 00:54:06,250
Aren't they out of scope usually?

1070
00:54:06,830 --> 00:54:09,260
Yeah, they, well, they are.

1071
00:54:09,530 --> 00:54:14,360
They always are like almost all
policy will have like those bugs.

1072
00:54:15,719 --> 00:54:17,519
I think it's, it's
really program dependent.

1073
00:54:17,520 --> 00:54:18,679
It's.

1074
00:54:19,540 --> 00:54:24,010
Out of good sense, because they
don't want people to spawn a thousand

1075
00:54:24,010 --> 00:54:28,920
VPS and start doing some volumetric
DoS because it doesn't add any

1076
00:54:28,940 --> 00:54:31,400
added value and anyone can do it.

1077
00:54:31,400 --> 00:54:36,479
And you know, it just going to bring some
issues for the, for the people in France,

1078
00:54:37,560 --> 00:54:40,780
but application level DoS are sometimes

1079
00:54:41,185 --> 00:54:41,855
accepted.

1080
00:54:42,275 --> 00:54:45,405
And once again, it depends on which
program you're working on and the

1081
00:54:45,405 --> 00:54:51,145
security maturity of that program and
which parts of the application you're

1082
00:54:51,145 --> 00:54:53,375
able to crash, potentially stop.

1083
00:54:53,754 --> 00:54:53,964
Yeah.

1084
00:54:54,105 --> 00:54:57,594
And so in the end, there's
still an availability metric.

1085
00:54:58,515 --> 00:55:01,234
And this availability
metric is not related to.

1086
00:55:01,935 --> 00:55:03,065
Destroying information.

1087
00:55:03,255 --> 00:55:08,175
It's literally in the spec making a
system not available, not the data in it.

1088
00:55:08,185 --> 00:55:10,455
It's not making the system not available.

1089
00:55:11,545 --> 00:55:14,035
So let's say that in a couple of
requests, you're about to crash.

1090
00:55:14,035 --> 00:55:17,274
I don't know the shopping cart
of all users in the marketplace.

1091
00:55:18,770 --> 00:55:18,950
Yeah.

1092
00:55:18,950 --> 00:55:20,240
Hell, that's, that's impactful.

1093
00:55:22,120 --> 00:55:25,960
And then you've got to walk
a fine line because you can't

1094
00:55:26,030 --> 00:55:27,620
really test that in prod.

1095
00:55:28,239 --> 00:55:34,149
Most of the time, either you have a
suspicion, a very hard suspicion and live

1096
00:55:34,149 --> 00:55:38,030
hacking events are cool in the way that
you can talk with the final program or

1097
00:55:38,039 --> 00:55:39,740
demand validation, that's a good thing.

1098
00:55:40,299 --> 00:55:46,150
Or, well, you just scale up properly
and progressively and you just, I don't

1099
00:55:46,150 --> 00:55:50,059
know, create enough objects to slow
the server response to three seconds,

1100
00:55:50,059 --> 00:55:53,210
five seconds, 10 seconds, 15 seconds.

1101
00:55:53,449 --> 00:55:57,090
And you cross check with another
user from another IP with another

1102
00:55:57,240 --> 00:56:01,780
account to ensure that you indeed
have a cross user, um, account

1103
00:56:01,780 --> 00:56:02,210
impact.

1104
00:56:02,969 --> 00:56:06,910
So would you also test DOS on a, let's
say a public program where you don't have

1105
00:56:06,910 --> 00:56:08,310
the direct connection of the customer?

1106
00:56:08,310 --> 00:56:12,510
How would you, and if you would, how
would you watch out to not cross the line?

1107
00:56:12,780 --> 00:56:15,290
With those bugs that
are kind of, you know.

1108
00:56:15,510 --> 00:56:18,220
on the fine line that you
felt not really cross.

1109
00:56:18,520 --> 00:56:21,040
Um, there are two things.

1110
00:56:21,060 --> 00:56:25,330
The first being, um, don't look
like a complete fool to the program.

1111
00:56:25,440 --> 00:56:29,600
So if you're starting to, you know,
cross that line, at least make sure

1112
00:56:29,600 --> 00:56:33,429
that you've got a really nice impact
and not that you're crushing like some

1113
00:56:33,429 --> 00:56:38,650
small things that, No, the program
doesn't really care about make sure

1114
00:56:38,650 --> 00:56:43,890
that you've got actual like potential
that you have actual potential impact

1115
00:56:44,060 --> 00:56:49,779
on something that is really big because,
you know, if you are going to do

1116
00:56:49,780 --> 00:56:53,760
something, do it well, especially if
you're, you know, crossing the line.

1117
00:56:54,589 --> 00:56:58,794
Second part is, uh, if you
have like something like.

1118
00:56:59,665 --> 00:57:04,555
You send one request and it's
permanently crashed, yeah, don't do it.

1119
00:57:05,655 --> 00:57:11,205
But you're going to have a very hard time
with triaging and then the final program.

1120
00:57:11,215 --> 00:57:16,344
So it depends on who you are
talking with during the triage

1121
00:57:16,345 --> 00:57:17,775
and how the program receives it.

1122
00:57:18,665 --> 00:57:21,255
Sometimes it's going to be yes,
sometimes it's going to be a no.

1123
00:57:21,655 --> 00:57:24,550
And if it's just a no, well, you
know, you lost your bug, but at

1124
00:57:24,550 --> 00:57:25,740
least you didn't have any issue.

1125
00:57:27,160 --> 00:57:30,510
But if sometimes it's something
that can be like a bit smoother,

1126
00:57:31,200 --> 00:57:35,410
uh, for example, you create a lot of
objects in the database and then you

1127
00:57:35,419 --> 00:57:37,370
return all of these objects at once.

1128
00:57:38,089 --> 00:57:41,259
At least you control the amount
of data that is returned.

1129
00:57:41,590 --> 00:57:45,770
So you can create them progressively
1000, 2000, 3000 and so on and so on.

1130
00:57:46,060 --> 00:57:48,420
And just assess the
response time of the server.

1131
00:57:48,940 --> 00:57:52,980
And so if some of you start seeing like
response time for five to 10 seconds,

1132
00:57:53,725 --> 00:57:57,425
In its case, like linearly with the
amount of object or action that you

1133
00:57:57,425 --> 00:58:03,305
perform, then logically, you know that
it's sufficient to make a first report.

1134
00:58:03,715 --> 00:58:09,485
And then often it's going to end up
like, yeah, no, that's not enough.

1135
00:58:09,564 --> 00:58:12,185
So you ask, okay, should I go further?

1136
00:58:12,895 --> 00:58:14,874
Let's say go further.

1137
00:58:15,595 --> 00:58:20,045
You do show a significant, uh,
higher delay or sometimes it would

1138
00:58:20,045 --> 00:58:21,185
just say, no, it's out of scope.

1139
00:58:21,855 --> 00:58:22,155
Yeah.

1140
00:58:22,305 --> 00:58:27,045
And then it's quite a weird situation
because they want you to show impact, but

1141
00:58:27,045 --> 00:58:31,244
they're not allowing you to show impact, but
it's just the rules of the game that you

1142
00:58:31,455 --> 00:58:37,245
decided to play by trying to use this, uh,
this kind of, uh, our books, but honestly

1143
00:58:37,245 --> 00:58:39,305
on more major programs it's less of an issue.

1144
00:58:40,545 --> 00:58:44,925
So would you send the report, let's say
when you have a response of 10 seconds,

1145
00:58:44,955 --> 00:58:46,765
or would you look for, for a higher delay?

1146
00:58:46,765 --> 00:58:51,755
What is sort of the, the ideal response
time that you would think shows the impact

1147
00:58:51,755 --> 00:58:53,654
without actually impacting too much?

1148
00:58:54,054 --> 00:58:58,154
It depends also on, um, how it impacts
other users, because sometimes you

1149
00:58:58,154 --> 00:59:06,964
can augment, improve the response time
for yourself, but this is going to

1150
00:59:06,964 --> 00:59:08,384
be, for example, a very short spike.

1151
00:59:09,120 --> 00:59:14,620
At one set point in time, for
example, that's a book a, and so

1152
00:59:14,620 --> 00:59:19,970
when another user user site, if it's
at a book, a plus one millisecond,

1153
00:59:20,370 --> 00:59:22,009
maybe he will not be impacted.

1154
00:59:23,420 --> 00:59:28,230
So the thing is, you gotta cross
check to ensure that it actually

1155
00:59:28,230 --> 00:59:32,190
works, and if you cross check with
another user and get a delay of 5,

1156
00:59:32,190 --> 00:59:34,820
10, 15 seconds, I think it's enough.

1157
00:59:35,570 --> 00:59:41,919
And, um, consider that in a lot of
DoS cases, the proof of concept that

1158
00:59:41,919 --> 00:59:45,339
you're going to push is not going
to crash your platform instantly,

1159
00:59:45,975 --> 00:59:50,135
but rather provide like a sufficient
delay enough at a fixed point in time.

1160
00:59:50,335 --> 00:59:53,585
And it's only if you really
continue way past that point that

1161
00:59:53,585 --> 00:59:57,074
you might consider crashing the
platform for a bit longer of time.

1162
00:59:57,074 --> 01:00:02,825
So it's often scary, but you often have
like a lot of room, you know, between

1163
01:00:02,865 --> 01:00:04,835
having an actual worst case scenario

1164
01:00:04,835 --> 01:00:05,355
impacts.

1165
01:00:05,355 --> 01:00:10,585
So do you actually, when sending
the report, you also like, test that

1166
01:00:10,595 --> 01:00:14,535
the delay is present for another
user with another IP address,

1167
01:00:14,605 --> 01:00:15,925
then the sort of attacker user.

1168
01:00:16,025 --> 01:00:16,295
Yeah.

1169
01:00:16,295 --> 01:00:17,565
For me, that's the gold standard.

1170
01:00:17,605 --> 01:00:18,075
Okay.

1171
01:00:18,205 --> 01:00:21,165
And that's what I was often
asked on some programs.

1172
01:00:21,315 --> 01:00:24,364
And at least it really shows that if
you have no bias and even as though

1173
01:00:24,624 --> 01:00:29,254
it's like less cool to do because
it's actual additional work to have

1174
01:00:29,255 --> 01:00:33,421
like kind of a second computer or
second IP and so a second account.

1175
01:00:33,421 --> 01:00:33,717
Yeah.

1176
01:00:33,717 --> 01:00:36,155
Uh, at least it ensures for yourself.

1177
01:00:36,530 --> 01:00:40,730
But by applying this methodology, you
have a real applicable reports and

1178
01:00:40,730 --> 01:00:46,400
not just like being almost all of us
hunters being very bound to your own

1179
01:00:46,420 --> 01:00:48,110
vulnerability, say, no, I know it's true.

1180
01:00:48,280 --> 01:00:49,190
I know it works.

1181
01:00:49,969 --> 01:00:51,089
Sometimes it doesn't.

1182
01:00:51,089 --> 01:00:54,930
And being a bit strict about that
kind of methodology allows you

1183
01:00:54,930 --> 01:00:57,810
at least to be a hundred percent
sure that you have an actual bug.

1184
01:00:58,380 --> 01:01:00,890
It still feels good because
even if that's rejected.

1185
01:01:01,165 --> 01:01:02,105
You found something

1186
01:01:02,215 --> 01:01:03,085
and you feel good about yourself.

1187
01:01:04,235 --> 01:01:07,655
Doesn't it feel, because when I think
about it, the sort of problem in my

1188
01:01:07,655 --> 01:01:11,944
head is if it's a, let's say there's
a single worker and let's say I have

1189
01:01:11,944 --> 01:01:14,345
a second, it causes a 30 second delay.

1190
01:01:15,934 --> 01:01:20,030
I know that if the, if I tested
from the other account, it may

1191
01:01:20,030 --> 01:01:22,420
get routed to a different worker.

1192
01:01:22,530 --> 01:01:24,060
So let's say there are four workers.

1193
01:01:24,110 --> 01:01:28,670
I would have to send four 30 second
requests so that this user is affected.

1194
01:01:29,610 --> 01:01:34,220
So I would have to sort of brute force
how many workers are there by essentially

1195
01:01:34,220 --> 01:01:38,130
sending requests that I would prefer
avoid to avoid sending too many of.

1196
01:01:38,710 --> 01:01:40,490
So like, how do you, do you manage this?

1197
01:01:41,310 --> 01:01:43,200
In my opinion, there's no good solution.

1198
01:01:43,240 --> 01:01:47,260
Um, I was talking with Blacklist
about another bug, the class, so not

1199
01:01:47,350 --> 01:01:53,985
another. By doing statistical work,
he understood that he's run a bit if

1200
01:01:54,415 --> 01:01:57,165
worked like one out of four times.

1201
01:01:57,755 --> 01:02:00,585
So once again, possibly different
workers on different code bases,

1202
01:02:00,945 --> 01:02:05,154
it just had to, well, repeat
until he got the right worker.

1203
01:02:05,614 --> 01:02:08,485
And I think that the same issue, but
once again, it depends on how much

1204
01:02:08,665 --> 01:02:13,725
room you have until actually crashing
the, the, the, the, the worker.

1205
01:02:13,725 --> 01:02:16,025
So sadly there's no good solutions

1206
01:02:16,145 --> 01:02:16,715
in my opinion.

1207
01:02:16,945 --> 01:02:17,155
Yeah.

1208
01:02:17,155 --> 01:02:17,964
It's a hard problem.

1209
01:02:19,034 --> 01:02:19,475
How much.

1210
01:02:20,160 --> 01:02:23,540
If you were to estimate the percentage
of how many of your DoS reports

1211
01:02:23,540 --> 01:02:25,570
were accepted, is it like 50%?

1212
01:02:25,570 --> 01:02:26,290
Something like this?

1213
01:02:26,720 --> 01:02:27,090
More?

1214
01:02:27,100 --> 01:02:27,450
Less?

1215
01:02:28,030 --> 01:02:31,390
Well, I did most of them
during LHEs, I think.

1216
01:02:32,140 --> 01:02:35,750
And so during LHEs, I'd
say 70 percent of them.

1217
01:02:36,320 --> 01:02:41,115
And outside LHEs, Well, I, what
I found was way less impactful.

1218
01:02:41,345 --> 01:02:45,035
So it was still accepted, but it
was like a, a low or medium bounty.

1219
01:02:45,725 --> 01:02:46,095
Okay.

1220
01:02:46,125 --> 01:02:51,575
So I think that the context and
the impact makes a difference,

1221
01:02:51,815 --> 01:02:53,165
but it's not to be generalized

1222
01:02:53,185 --> 01:02:54,135
to all programs.

1223
01:02:54,665 --> 01:02:54,845
Yeah.

1224
01:02:54,845 --> 01:02:58,765
It's also good to know at the LHE,
you're one of the 100 hunters,

1225
01:02:58,775 --> 01:02:59,925
so you're kind of trusted.

1226
01:02:59,995 --> 01:03:00,485
Yeah, exactly.

1227
01:03:00,505 --> 01:03:03,645
It's also helped if you have
already, if you accepted bugs

1228
01:03:03,655 --> 01:03:05,145
that show the team out, this guy.

1229
01:03:05,145 --> 01:03:05,205
Exactly.

1230
01:03:05,205 --> 01:03:05,224
Yeah.

1231
01:03:05,235 --> 01:03:08,805
He doesn't report only DoS bugs,
he also reports good stuff, so.

1232
01:03:09,345 --> 01:03:14,814
But if you take DOS on a more general
scale, for example, you know, CPDoS,

1233
01:03:14,925 --> 01:03:20,274
things like that, it's often like pretty
well accepted all around bug bounty

1234
01:03:20,274 --> 01:03:22,234
programs, or at least more major ones.

1235
01:03:22,244 --> 01:03:24,965
So things should not be too
much of an issue if you have

1236
01:03:25,094 --> 01:03:25,865
something that's really impactful.

1237
01:03:26,600 --> 01:03:26,930
Yeah.

1238
01:03:27,420 --> 01:03:31,100
Coming back to, to the topic
of, of LHEs, you've been to,

1239
01:03:31,150 --> 01:03:32,550
to three live hacking events.

1240
01:03:32,560 --> 01:03:36,230
So how has your approach changed
from the first one when everything

1241
01:03:36,240 --> 01:03:40,119
was new to the third one when
you already know what to expect?

1242
01:03:40,589 --> 01:03:42,619
I think it grows with your own maturity.

1243
01:03:42,635 --> 01:03:47,295
You know, being a bit more
organized, knowing the common

1244
01:03:47,295 --> 01:03:51,865
pitfalls, knowing like your own
issue with your own mental problems.

1245
01:03:52,515 --> 01:03:56,844
And so it's similar to be, I think,
just a better bug bounty hunter overall.

1246
01:03:57,505 --> 01:04:04,835
Like, I don't know, when I was first doing
that Epic Games LHE in 2023, it was it

1247
01:04:04,835 --> 01:04:09,725
was cool, but I was a bit more lost, you
know, and yeah, organization thing, I

1248
01:04:09,725 --> 01:04:11,545
think makes, uh, makes a good difference.

1249
01:04:11,935 --> 01:04:15,135
Like for example, in Edinburgh,
uh, I worked with another

1250
01:04:15,135 --> 01:04:16,235
French hacker, Gerusha.

1251
01:04:16,935 --> 01:04:18,674
That's where we got the
most impactful team.

1252
01:04:19,524 --> 01:04:20,914
Quite a nice award to have.

1253
01:04:21,075 --> 01:04:21,375
Yeah.

1254
01:04:22,375 --> 01:04:27,600
And, uh, right at the beginning, like
we created a dedicated Discord server

1255
01:04:27,640 --> 01:04:32,109
with different channels so that we can
have, you know, stuff sorted out, but

1256
01:04:32,249 --> 01:04:34,529
that was not too much into organization.

1257
01:04:34,539 --> 01:04:36,619
Like if you have too much
channels or too much, you know,

1258
01:04:36,619 --> 01:04:39,080
cases, not going to use it.

1259
01:04:39,150 --> 01:04:40,850
It still has to be a little chaotic.

1260
01:04:41,400 --> 01:04:46,180
And for example, the other thing I
did on AWS was, um, I spent like, uh,

1261
01:04:46,190 --> 01:04:48,020
just maybe one day before the event.

1262
01:04:48,620 --> 01:04:52,760
Like a whole day of spending time,
uh, reviewing all of the services.

1263
01:04:52,800 --> 01:04:56,660
Like I went to the catalog and
click and read the description of

1264
01:04:56,690 --> 01:05:01,869
maybe 30 percent of the services,
because there's a lot of services

1265
01:05:02,280 --> 01:05:05,209
and just making small spreadsheets
on saying, Oh yeah, that may be cool.

1266
01:05:05,209 --> 01:05:05,809
That may be cool.

1267
01:05:05,809 --> 01:05:06,430
That might be cool.

1268
01:05:06,430 --> 01:05:06,970
That might be cool.

1269
01:05:07,090 --> 01:05:08,180
But that's why I think it's cool.

1270
01:05:08,770 --> 01:05:14,290
And it lowered me when I have like, when
we endured hardships or, you know, it was

1271
01:05:14,290 --> 01:05:18,780
hard not finding bugs, losing motivation
to have like kind of a spreadsheet Hey.

1272
01:05:19,240 --> 01:05:20,450
That one, I didn't test it.

1273
01:05:20,490 --> 01:05:25,050
And so you can keep your motivation
high by having like fallback scopes

1274
01:05:25,300 --> 01:05:28,950
and avoid that the, the eternal
cycle of, I'm not finding bug.

1275
01:05:29,090 --> 01:05:30,140
I need to find a new scope.

1276
01:05:30,320 --> 01:05:31,070
I'm not finding bug.

1277
01:05:31,260 --> 01:05:32,249
I need to find a new scope.

1278
01:05:32,619 --> 01:05:33,630
I'm stuck finding new scope.

1279
01:05:33,630 --> 01:05:38,494
I think it helps a lot with,
um, maintaining morale.

1280
01:05:39,115 --> 01:05:43,595
And morale is honestly my, for me,
that, that's the key because if you

1281
01:05:43,595 --> 01:05:46,585
or your team is depressed, you're
not going to find any bug, you're

1282
01:05:46,585 --> 01:05:49,204
going to maintain your confidence,
you're going to maintain your inertia.

1283
01:05:49,874 --> 01:05:52,064
And it's like almost all esports.

1284
01:05:52,095 --> 01:05:55,614
If your guys are motivated, if
your guys have high morale, high

1285
01:05:55,614 --> 01:05:58,265
confidence, they're going to be
on a roller coaster of, you know.

1286
01:05:58,555 --> 01:06:03,165
As soon as morale drops, you think
like, no, this is not worth the time.

1287
01:06:03,165 --> 01:06:06,685
This is not worth the effort and you
feel less energetic, less motivated.

1288
01:06:06,975 --> 01:06:09,845
And of course you're going to miss
bugs because you're less involved in

1289
01:06:09,845 --> 01:06:11,925
doing the actual work to find the bugs.

1290
01:06:12,735 --> 01:06:14,605
So yeah, that, that
makes a good difference.

1291
01:06:14,605 --> 01:06:17,974
A little bit more of organization
and being able to better maintain

1292
01:06:17,975 --> 01:06:20,875
you, you, your mental health
during the, during the events.

1293
01:06:21,405 --> 01:06:21,825
How do you.

1294
01:06:23,065 --> 01:06:27,155
Manage your focus during the event,
because the mistake I've done was like,

1295
01:06:27,595 --> 01:06:32,795
I wanted to focus completely on the LHE
and it was just too much and it ended up

1296
01:06:32,805 --> 01:06:37,064
being worse than if I, you know, stuck
to my, to my routine, to my sports.

1297
01:06:37,275 --> 01:06:40,044
So how do you manage your,
your time during the LHE?

1298
01:06:40,374 --> 01:06:40,764
Well,

1299
01:06:41,284 --> 01:06:47,445
I'm going to jump a little bit out of
the box and, um, it all comes down to

1300
01:06:47,455 --> 01:06:52,255
how you handle your performance yourself
as an entrepreneur, as a bug hunter.

1301
01:06:53,325 --> 01:06:58,564
Um, back in the days, and that's why
also I think caused health degradation

1302
01:06:58,594 --> 01:07:01,555
for me was I was all about the grind.

1303
01:07:01,714 --> 01:07:02,114
So.

1304
01:07:02,625 --> 01:07:06,275
If I'm something important, I'm
going to wake up early, I'm going

1305
01:07:06,275 --> 01:07:09,935
to grind very late and I'm going
to stop until I've done what I've

1306
01:07:09,965 --> 01:07:11,525
done for extended periods of time.

1307
01:07:11,865 --> 01:07:15,894
That was my first LHE and honestly
I felt it on my health because I

1308
01:07:15,905 --> 01:07:20,724
didn't sleep much, I smoked a lot of
cigarettes, drank a lot of caffeine

1309
01:07:21,455 --> 01:07:22,645
and it hasn't impacted anybody.

1310
01:07:23,985 --> 01:07:25,385
And the grind works.

1311
01:07:25,855 --> 01:07:31,185
If you're able to maintain a certain
amount of work, even though your performance

1312
01:07:31,225 --> 01:07:36,785
drops, if you're just putting the raw
brute hours, you will make a difference.

1313
01:07:38,690 --> 01:07:41,840
That's not something that you should
do in my opinion in the long run.

1314
01:07:41,920 --> 01:07:45,130
And then when you gain more maturity,
you understand that is more akin

1315
01:07:45,130 --> 01:07:46,949
to a marathon and not a sprint.

1316
01:07:46,950 --> 01:07:48,769
So you gotta manage yourself properly.

1317
01:07:49,200 --> 01:07:52,569
And so if you manage yourself properly
as an individual, you gotta take

1318
01:07:52,569 --> 01:07:55,250
advantage of your peak focus hours.

1319
01:07:55,810 --> 01:08:00,510
And you know the saying, like, people
can work being productive at most

1320
01:08:00,510 --> 01:08:02,840
five, four, five hours per day.

1321
01:08:03,320 --> 01:08:04,390
And then what is the rest?

1322
01:08:05,500 --> 01:08:09,139
I don't believe in purely being
productive for four or five hours a day.

1323
01:08:09,250 --> 01:08:10,140
I feel the difference.

1324
01:08:10,399 --> 01:08:13,170
I think like my top hours or
maybe three hours of full focus.

1325
01:08:13,670 --> 01:08:15,940
And that's where most
of the work get done.

1326
01:08:16,459 --> 01:08:19,189
But for me, you've got to find
the right balance between the

1327
01:08:19,209 --> 01:08:25,179
pure and dumb grind and only, you
know, maximizing your peak focus.

1328
01:08:25,179 --> 01:08:26,599
You've got to find the right balance.

1329
01:08:27,199 --> 01:08:29,679
And then in between of that, you gotta go.

1330
01:08:29,960 --> 01:08:36,000
And enjoy, uh, indeed your rest, your
hobbies, life, your wife, and so on.

1331
01:08:36,540 --> 01:08:39,950
And so you, you do see the difference
when you start to find that right balance

1332
01:08:40,620 --> 01:08:43,870
because you maintain your morale, you
maintain your routine, you feel good

1333
01:08:43,870 --> 01:08:48,810
as an individual, and it just shows
off in your, in the, in the final work.

1334
01:08:49,070 --> 01:08:49,400
Yeah.

1335
01:08:49,730 --> 01:08:54,400
For me, the sort of problem that, um,
that I have with this sort of, because

1336
01:08:54,400 --> 01:08:58,070
I do believe there's few hours during
the day that can be really productive,

1337
01:08:58,650 --> 01:09:00,059
but in the background with you, I feel.

1338
01:09:00,590 --> 01:09:05,150
It's as important to have these, you
know, really focused hours to solve a

1339
01:09:05,150 --> 01:09:09,859
problem, write a script, come up with a
bypass, but also the hours you're just

1340
01:09:09,920 --> 01:09:14,860
at the computer using the app, triggering
different flows, looking for the, the

1341
01:09:14,860 --> 01:09:19,460
one point where you can then find,
spend this, this focused time bypassing.

1342
01:09:20,450 --> 01:09:23,250
So it's necessary to also
like just spend a lot of time.

1343
01:09:23,570 --> 01:09:28,230
You don't really have to be super
focused and, uh, yeah, it's sort of,

1344
01:09:28,230 --> 01:09:29,610
you know, you can never plan for it.

1345
01:09:30,020 --> 01:09:34,350
And that's sort of why, where, where I
struggle is, you know, just three hours

1346
01:09:34,350 --> 01:09:38,550
a day is not enough because you know, if
two and a half hours are just browsing

1347
01:09:38,550 --> 01:09:43,969
the app and not actually finding a
particular bug, it's too, too little.

1348
01:09:44,509 --> 01:09:48,000
And then, you know, that's, that's where
I find myself having a very various.

1349
01:09:48,515 --> 01:09:50,635
Amounts of hours on different days.

1350
01:09:50,845 --> 01:09:53,245
That's if you just got to
find the right balance.

1351
01:09:53,285 --> 01:09:53,605
Yeah.

1352
01:09:53,895 --> 01:09:59,235
And if you get that sweet spot on you're
going to have bugs, you just, you have to

1353
01:09:59,235 --> 01:10:02,084
work on all, you know, of your workhorses

1354
01:10:02,085 --> 01:10:03,295
to get the actual job done.

1355
01:10:03,365 --> 01:10:03,925
That's perfect.

1356
01:10:04,605 --> 01:10:09,875
How to not feel that, you know,
especially in the, in the group of

1357
01:10:09,875 --> 01:10:14,815
like 100 hackers with so many top
guys, how to, to still stand out, how

1358
01:10:14,815 --> 01:10:16,694
to not feel the imposter syndrome.

1359
01:10:17,115 --> 01:10:18,595
Honestly, I still feel terrified.

1360
01:10:19,085 --> 01:10:23,485
Like, I know that I'm maybe likely
because of, you know, the rankings,

1361
01:10:23,905 --> 01:10:25,895
going to get a next LHE invite.

1362
01:10:25,895 --> 01:10:27,215
And I told you about that yesterday.

1363
01:10:27,245 --> 01:10:32,925
I'm damn terrified of the next LHE
because I don't feel confident or I don't

1364
01:10:32,925 --> 01:10:38,330
feel like, uh, I I'm going to perform
well and I'm afraid of the scope that

1365
01:10:38,340 --> 01:10:42,460
is going to be if there is one and I'm
afraid of the, none of the people there

1366
01:10:42,460 --> 01:10:46,460
because people are quite friendly, but
I'm afraid of, um, that competition.

1367
01:10:48,210 --> 01:10:52,250
So what I do is, uh, forget about that.

1368
01:10:52,690 --> 01:10:58,380
The thing is you're, even if you're kind
of competing with other guys and girls,

1369
01:10:58,960 --> 01:11:05,820
uh, actually you're just competing with
yourself and you just run your own race.

1370
01:11:05,830 --> 01:11:08,819
The thing is, at an LHE, you got
a lot of people working on the

1371
01:11:08,820 --> 01:11:14,560
same program right now, but you
only know it because it's an LHE.

1372
01:11:15,820 --> 01:11:18,590
When you work on Amazon
or other good program.

1373
01:11:18,830 --> 01:11:21,690
Do you see the people hacking in
the same time, the same focus?

1374
01:11:21,690 --> 01:11:22,410
No, you don't see them.

1375
01:11:22,410 --> 01:11:22,590
No, I don't.

1376
01:11:22,590 --> 01:11:22,909
No, I don't.

1377
01:11:23,300 --> 01:11:28,180
And so what you do is simply, well, put in
the work, stay in your bubble, enjoy the

1378
01:11:28,180 --> 01:11:32,919
ride, talk with other people, because it's
cool, it's an emulation, people are having

1379
01:11:32,919 --> 01:11:35,340
fun together, finding cool bugs, etc, etc.

1380
01:11:35,970 --> 01:11:40,900
But disconnect yourself from the, from
the direct competition, or else you're

1381
01:11:40,900 --> 01:11:45,710
going to try to rush some things and get
them badly and poorly done because you

1382
01:11:45,710 --> 01:11:50,120
must keep in mind that in LHE you have a
duplicate window which means that during

1383
01:11:50,120 --> 01:11:57,040
the two first week of remote hunting,
uh, every bug that is duplicates will be

1384
01:11:57,040 --> 01:12:01,940
split between all of the duplicates so
if you are duped you will still get paid.

1385
01:12:02,520 --> 01:12:06,140
Which means that if you have like
a super cool bug chain, you don't

1386
01:12:06,140 --> 01:12:09,919
care about having your bug stolen
by another one, you can just put

1387
01:12:09,919 --> 01:12:11,030
in the work to have a quality.

1388
01:12:11,865 --> 01:12:13,175
Time and quality bug chain.

1389
01:12:13,555 --> 01:12:17,375
And so when you start forgetting about the
competition and just focusing on having a

1390
01:12:17,675 --> 01:12:21,664
nice bug, you will find cool bugs because
you invest two weeks of time and you

1391
01:12:21,664 --> 01:12:23,185
will find something that is very nice.

1392
01:12:24,364 --> 01:12:28,475
But in the end, isn't that just the advice
that generally applies to bug bounty?

1393
01:12:28,845 --> 01:12:32,385
Forget about the other people,
find cool bugs, get the reward.

1394
01:12:33,490 --> 01:12:34,630
In the end, that's the secret

1395
01:12:34,780 --> 01:12:36,880
that's, in my opinion,
that it's the same thing.

1396
01:12:37,200 --> 01:12:37,510
Yeah.

1397
01:12:37,580 --> 01:12:37,750
Yeah.

1398
01:12:37,750 --> 01:12:38,780
For me, for me, it works.

1399
01:12:38,780 --> 01:12:42,489
At the first event, I looked at the
leaderboard and stuff like this.

1400
01:12:42,840 --> 01:12:45,830
The second event, you know, I'm
sitting here, you made as a team

1401
01:12:45,830 --> 01:12:49,299
200k on AWS, I made like 18.

1402
01:12:50,090 --> 01:12:53,420
If, if I just compare myself as
always, he made five times as

1403
01:12:53,420 --> 01:12:57,690
much for me, 18 K for three, three
weeks of work, it's still a lot.

1404
01:12:57,720 --> 01:13:00,769
So, you know, I'm happy with this
and it's probably the only way to

1405
01:13:00,770 --> 01:13:03,130
like keep the, the same mentality.

1406
01:13:03,659 --> 01:13:07,559
So yeah, it's, it's really, really
smart to, to, you know, look

1407
01:13:07,559 --> 01:13:09,040
at yourself, look at your box.

1408
01:13:09,739 --> 01:13:10,119
Also.

1409
01:13:10,770 --> 01:13:15,570
Being a duplicate of somebody at
an LHE, it can be kind of an honor.

1410
01:13:15,910 --> 01:13:16,900
Oh, I do this guy.

1411
01:13:16,900 --> 01:13:17,250
It's cool.

1412
01:13:17,810 --> 01:13:20,240
So, so you don't even see it as negative.

1413
01:13:20,410 --> 01:13:25,269
I don't get the exact quote, but if I
remember correctly, it's from Miyamoto

1414
01:13:25,269 --> 01:13:28,809
Musashi, you know, The Book of Five
Rings and, uh, and everything he

1415
01:13:28,809 --> 01:13:33,730
related to samurai fighting on the
Bushido, the way of the samurai is that

1416
01:13:35,570 --> 01:13:39,690
today's victory is to be greater than
the person that you were yesterday.

1417
01:13:39,989 --> 01:13:40,209
Yeah.

1418
01:13:40,250 --> 01:13:41,600
And tomorrow's victory.

1419
01:13:42,130 --> 01:13:45,550
is to be greater than what he
calls the lesser man, which

1420
01:13:45,550 --> 01:13:47,390
includes, well, basically yourself.

1421
01:13:47,500 --> 01:13:49,450
That's the way that you should see it.

1422
01:13:49,500 --> 01:13:52,400
You're walking your own
road and find your own bugs.

1423
01:13:52,839 --> 01:13:56,109
In the end, competing with other
people and pushing them, trying

1424
01:13:56,110 --> 01:13:59,030
to find the bugs before them, it's
not going to work well for you.

1425
01:13:59,689 --> 01:14:03,720
That's what I wrote, you know, I
wrote a small blog article about,

1426
01:14:03,760 --> 01:14:05,300
you know, performing in LHE.

1427
01:14:05,760 --> 01:14:10,150
And the thing is, thousands of
hackers made thousands, millions of

1428
01:14:10,650 --> 01:14:13,110
dollars per year on those events.

1429
01:14:13,950 --> 01:14:17,160
And it works because they are not
fighting with photo, they just have

1430
01:14:17,160 --> 01:14:19,110
their own style, own unique approach.

1431
01:14:19,320 --> 01:14:23,220
Yeah, that's, that's a really good, and
honestly, the unique approach is not

1432
01:14:23,220 --> 01:14:25,500
like I have a super secret nested bug.

1433
01:14:25,500 --> 01:14:26,580
No, that's not the case.

1434
01:14:26,580 --> 01:14:29,670
It's based sometimes only,
for example, the, the way you

1435
01:14:29,670 --> 01:14:30,615
perceive the security model.

1436
01:14:33,595 --> 01:14:36,405
You also mentioned collaborating
during the, during the event.

1437
01:14:36,765 --> 01:14:39,225
So can you tell us more a bit,
you know, how does it work?

1438
01:14:39,225 --> 01:14:40,535
How do you split the bounties?

1439
01:14:40,545 --> 01:14:42,195
What sort of, how do you split the tasks?

1440
01:14:42,684 --> 01:14:42,804
The

1441
01:14:42,804 --> 01:14:46,004
gentleman's agreement for
me is the standard 50 50.

1442
01:14:46,185 --> 01:14:50,365
Uh, obviously by bounties,
complex situations can evolve.

1443
01:14:50,884 --> 01:14:51,764
People can stop.

1444
01:14:51,765 --> 01:14:52,339
Can.

1445
01:14:52,640 --> 01:14:53,890
get more or less involved.

1446
01:14:54,050 --> 01:14:57,850
And of course, in a lot of cases,
people might feel not comfortable

1447
01:14:57,860 --> 01:15:00,669
with, you know, doing the full 50 50.

1448
01:15:01,350 --> 01:15:05,550
I'd rather do it even if my teammate
doesn't work, because at least I know

1449
01:15:05,550 --> 01:15:07,820
that I will always be full clean.

1450
01:15:08,300 --> 01:15:09,709
Get your 50 percent cut.

1451
01:15:10,150 --> 01:15:12,190
If you like, we will stick together.

1452
01:15:12,440 --> 01:15:14,130
If you don't like, we'll split ways.

1453
01:15:14,200 --> 01:15:17,670
It was fun working with you, but at least
that's a gentleman's agreement for me.

1454
01:15:18,939 --> 01:15:22,399
That's what I did, for example, with
Noxious in, uh, in the, in the, um,

1455
01:15:22,689 --> 01:15:26,200
in the Las Vegas, uh, event where
we finally collaborated on some

1456
01:15:26,200 --> 01:15:27,830
bugs and say, okay, don't worry.

1457
01:15:27,830 --> 01:15:30,060
We are collaborating on
that type of bug class.

1458
01:15:30,070 --> 01:15:31,840
So I had a couple of reports before.

1459
01:15:32,200 --> 01:15:34,330
I'll put you at 50 50 because I trust you.

1460
01:15:35,100 --> 01:15:36,610
I want that to be fully fair.

1461
01:15:37,120 --> 01:15:42,100
And that's what we did with Gerusha
again at Edinburgh, it was, okay, are

1462
01:15:42,100 --> 01:15:43,740
you willing to invest your fully?

1463
01:15:43,960 --> 01:15:44,450
Yes.

1464
01:15:44,450 --> 01:15:46,669
Are you willing to do a 50 50?

1465
01:15:46,670 --> 01:15:47,000
Yes.

1466
01:15:47,000 --> 01:15:48,059
That's the standard agreement.

1467
01:15:48,070 --> 01:15:52,149
He told me, okay, I have a, I have
a day job, so maybe sometimes I will

1468
01:15:52,149 --> 01:15:54,040
not be as available as yourself.

1469
01:15:54,090 --> 01:15:54,760
Is it okay for you?

1470
01:15:55,095 --> 01:15:56,705
Yes, I don't care because I trust you.

1471
01:15:57,555 --> 01:15:59,885
And then you just find the
right people at the right time.

1472
01:16:00,475 --> 01:16:06,285
Gentleman's agreements go on and then it's
just trust and being a complementary

1473
01:16:06,354 --> 01:16:07,965
on your skillset helps a lot.

1474
01:16:08,215 --> 01:16:10,335
So what do you get out
of the collaboration?

1475
01:16:10,665 --> 01:16:14,364
Um, three things, morale and confidence,
because it's always cool to have

1476
01:16:14,365 --> 01:16:18,280
an all hacker with you and not just
alone fighting the odds, the Kraken,

1477
01:16:18,280 --> 01:16:23,514
the Titans of big bounty, it's cool
to have like a, a teammate, uh,

1478
01:16:23,535 --> 01:16:25,485
just to hang out and grow out with.

1479
01:16:25,620 --> 01:16:28,970
Don't mind me, don't you care
about you enjoy being around.

1480
01:16:29,740 --> 01:16:30,460
That's the first thing.

1481
01:16:30,520 --> 01:16:32,340
And as I said, morale is very important.

1482
01:16:33,250 --> 01:16:36,179
Uh, second part is indeed when
you have complementary skill set.

1483
01:16:36,219 --> 01:16:37,900
I'm terrible at client side.

1484
01:16:37,980 --> 01:16:41,470
Gerusha considers himself bad at
server side, but that's a lie.

1485
01:16:42,759 --> 01:16:45,489
And so at least when I had
something that I didn't, I had

1486
01:16:45,489 --> 01:16:47,070
no idea about, he helped me.

1487
01:16:47,420 --> 01:16:51,870
He, uh, he was doing some very cool
code review, for example, like,

1488
01:16:52,505 --> 01:16:55,955
There's so many things where, you know,
people are complementary, or even when

1489
01:16:55,955 --> 01:16:59,805
they have both the same skillset, at
least you have a, you know, different

1490
01:16:59,835 --> 01:17:01,474
point of view, different perspective.

1491
01:17:01,995 --> 01:17:05,705
And so, you know, uh, you know,
when I arrived here, you, I told you

1492
01:17:05,705 --> 01:17:09,914
about a potential bug that I had,
you start talking me away, maybe

1493
01:17:09,914 --> 01:17:11,204
you can do that, that, that, that.

1494
01:17:11,575 --> 01:17:13,225
Hey, wait, wait, wait,
wait, wait, slow down.

1495
01:17:13,265 --> 01:17:14,875
Cause I just told you about the bug.

1496
01:17:15,225 --> 01:17:16,345
I didn't even think about that.

1497
01:17:16,345 --> 01:17:19,064
We were just having a coffee
and I couldn't, couldn't resist.

1498
01:17:19,064 --> 01:17:20,605
And that's, that's pretty crazy.

1499
01:17:20,605 --> 01:17:24,764
And I think that's still what's impressed
me the most when I talk with other hunters

1500
01:17:24,764 --> 01:17:30,284
at LHs or other events is the way that
they perceive the potential attack path

1501
01:17:30,934 --> 01:17:32,844
based on the signal potential flow.

1502
01:17:33,334 --> 01:17:36,344
Each time I, Oh, I never
thought about that.

1503
01:17:37,634 --> 01:17:39,494
And so, yeah, it's morale.

1504
01:17:40,220 --> 01:17:44,410
Where a complementary skill set
and you know, the way to perceive

1505
01:17:44,440 --> 01:17:45,240
the potential attack path.

1506
01:17:45,750 --> 01:17:45,950
Yeah,

1507
01:17:45,950 --> 01:17:46,460
that's nice.

1508
01:17:47,210 --> 01:17:49,470
Let's, let's talk about
tools a little bit.

1509
01:17:49,739 --> 01:17:51,490
Uh, are you using Burp or Caido?

1510
01:17:51,949 --> 01:17:54,890
I'm a Burp guy, but I
have like a lot of tools.

1511
01:17:54,890 --> 01:17:56,890
I have a love hate relationship with them.

1512
01:17:57,420 --> 01:17:59,210
Like, Burp is battle tested.

1513
01:17:59,520 --> 01:18:00,539
That's why I stick with it.

1514
01:18:00,739 --> 01:18:01,759
Know how it behaves.

1515
01:18:01,779 --> 01:18:02,109
I know.

1516
01:18:02,405 --> 01:18:03,415
It's limitations.

1517
01:18:04,295 --> 01:18:08,425
I know that it evolves quite quickly
since Caido is being more competitive.

1518
01:18:09,035 --> 01:18:12,935
I love how they are implementing
cool stuff like Bambdas, BChecks,

1519
01:18:12,935 --> 01:18:16,295
and so on, but I also hate the
way they are implementing them.

1520
01:18:16,534 --> 01:18:18,545
I have a love-hate
relationship with them.

1521
01:18:19,035 --> 01:18:20,554
Caido is the new cool kid in town.

1522
01:18:20,555 --> 01:18:24,695
A lot of top hunters are switching
to Caido and I feel I understand why.

1523
01:18:25,325 --> 01:18:26,275
I don't know for now.

1524
01:18:26,275 --> 01:18:31,335
I, uh, when I tested it, like, months
ago, I felt like it had not yet all

1525
01:18:31,335 --> 01:18:32,485
the features that I wanted to have.

1526
01:18:32,735 --> 01:18:36,545
But at the same time, it has features that
I wanted to see, like, natively in Burp.

1527
01:18:37,235 --> 01:18:38,514
It just bothered me, so.

1528
01:18:39,065 --> 01:18:41,534
Burp Suite, extensions, custom extensions.

1529
01:18:42,045 --> 01:18:43,715
For now, it does the trick for me.

1530
01:18:44,255 --> 01:18:44,995
What extensions?

1531
01:18:46,144 --> 01:18:53,059
Top three, I would say, um, So when I
need logging, It's logger to send to

1532
01:18:53,060 --> 01:18:58,140
Elasticsearch or log resource, log request
to SQLite, who logs the request to SQLite.

1533
01:18:58,850 --> 01:19:02,240
Uh, Piper, Piper is super underrated.

1534
01:19:03,380 --> 01:19:03,800
It's crazy.

1535
01:19:03,800 --> 01:19:06,500
I have like a ton of
scripts for, for Piper.

1536
01:19:07,069 --> 01:19:07,529
To do what?

1537
01:19:08,470 --> 01:19:08,870
Everything.

1538
01:19:08,919 --> 01:19:15,070
Um, first thing is I want to right
click and be able to save any number

1539
01:19:15,110 --> 01:19:17,180
of requests or response to the disk.

1540
01:19:17,680 --> 01:19:18,060
Okay.

1541
01:19:18,230 --> 01:19:18,770
Clear text.

1542
01:19:18,780 --> 01:19:19,390
Not that burp.

1543
01:19:20,000 --> 01:19:20,680
Weird format.

1544
01:19:20,680 --> 01:19:21,790
I want the full clear text.

1545
01:19:22,080 --> 01:19:26,020
I want to be able to extract only
the JSON request or response.

1546
01:19:26,250 --> 01:19:27,620
I want to have it beautify.

1547
01:19:27,840 --> 01:19:29,639
I want to be able to compare it.

1548
01:19:29,920 --> 01:19:34,099
I want to be able, I don't know, to
replace dynamics, dynamically some stuff.

1549
01:19:34,410 --> 01:19:36,489
I want to be able, for
example, sometimes to apply.

1550
01:19:36,875 --> 01:19:39,415
Like specific jq features
to some specific stuff.

1551
01:19:39,605 --> 01:19:43,155
And so a lot of things just to
process data, to save data, to disk

1552
01:19:43,665 --> 01:19:47,394
and, uh, yeah, to sometimes have
like graphical interfaces to, well,

1553
01:19:47,405 --> 01:19:53,115
do dynamic diffs or, um, I have even
one that calls, uh, JSON Crack.

1554
01:19:53,355 --> 01:19:58,745
So for example, if I have a very big, uh,
JSON, I send a, um, I do a right click.

1555
01:19:58,895 --> 01:20:02,605
Send to JSON Crack and then I have
a graphical explorer to show me the

1556
01:20:02,605 --> 01:20:06,095
visualization of the JSON file and
some fuzzy finding to find like the,

1557
01:20:06,315 --> 01:20:08,225
the right keys and how it's nested.

1558
01:20:08,615 --> 01:20:08,935
Yeah.

1559
01:20:09,225 --> 01:20:10,705
I use Piper a little bit.

1560
01:20:10,905 --> 01:20:12,185
I think it's underrated.

1561
01:20:12,245 --> 01:20:13,714
I think it can do a lot of things.

1562
01:20:13,955 --> 01:20:18,075
Although recently, since they introduced
Bambdas, I also use some custom columns.

1563
01:20:18,455 --> 01:20:22,955
So things I used to do by like Piper
scripts, I now just have a custom column

1564
01:20:22,955 --> 01:20:28,025
with the Bambda and, uh, I don't know,
extracting the GraphQL operation name.

1565
01:20:28,025 --> 01:20:28,685
For example.

1566
01:20:28,915 --> 01:20:32,375
I used to have a, a, um, Piper
script to do it now, it's

1567
01:20:32,375 --> 01:20:33,405
just, you know, another column.

1568
01:20:33,405 --> 01:20:34,725
So, so it was nice.

1569
01:20:34,935 --> 01:20:35,385
What, what,

1570
01:20:35,385 --> 01:20:41,985
what about them does it's a very cool
feature, but they just like, and, uh,

1571
01:20:41,985 --> 01:20:45,324
I've been in an interview with them to
give them some feedback and they like the,

1572
01:20:45,335 --> 01:20:47,324
the way to save, you know, your Bambda.

1573
01:20:47,325 --> 01:20:51,475
So you can quickly switch, uh,
between, uh, code, you know, snippets.

1574
01:20:51,955 --> 01:20:52,235
Yeah.

1575
01:20:52,465 --> 01:20:53,085
For search.

1576
01:20:53,085 --> 01:20:53,425
Yeah.

1577
01:20:53,505 --> 01:20:54,485
For, for columns.

1578
01:20:54,485 --> 01:20:55,914
Yeah.

1579
01:20:56,095 --> 01:20:56,775
That's pretty cool.

1580
01:20:57,255 --> 01:20:58,525
Uh, what was the extension?

1581
01:20:58,535 --> 01:20:58,855
You mean?

1582
01:20:58,985 --> 01:20:59,255
Yeah.

1583
01:20:59,865 --> 01:21:06,674
Uh, I had at one point I used a bit
of CSTC, I think it's, um, uh, it's

1584
01:21:06,675 --> 01:21:08,885
like, uh, an embedded CyberChef

1585
01:21:09,310 --> 01:21:12,940
inside Burp and it can also
do like custom manipulations.

1586
01:21:12,970 --> 01:21:15,660
For example, all the operations
that you're able to chain in CyberChef,

1587
01:21:15,660 --> 01:21:20,049
you can apply them to some,
uh, ingoing or outgoing requests.
uh, ingoing or outgoing requests.

1588
01:21:20,400 --> 01:21:23,999
And so, you know, when you're a dumb guy
like me, who cannot learn Hackvertor, who

1589
01:21:23,999 --> 01:21:27,749
didn't take the time to learn Hackvertor,
you have at least a graphical way to, you

1590
01:21:27,770 --> 01:21:30,100
know, move blocks with your monkey brain.

1591
01:21:30,460 --> 01:21:31,630
Decode base 64.

1592
01:21:31,990 --> 01:21:33,770
So yeah, I like this one.

1593
01:21:34,510 --> 01:21:37,040
Uh, and then yeah, just
mostly additional Bambdas.

1594
01:21:37,360 --> 01:21:41,610
Like for example, I know Rhynorater
has, well, it was on his discord.

1595
01:21:41,610 --> 01:21:45,790
I think that I saw, you know, something
with the HTTP header, like just to

1596
01:21:45,790 --> 01:21:49,600
highlight, for example, the beginning
of a sequence of requests, it's very

1597
01:21:49,600 --> 01:21:52,410
cool to have that Bambda to apply
your specific coloring on the fly.

1598
01:21:52,410 --> 01:21:54,670
So you see the beginning of
each sequence when you click

1599
01:21:54,670 --> 01:21:56,530
an action, something like that.

1600
01:21:56,990 --> 01:21:58,990
And that's pretty much it.

1601
01:21:58,990 --> 01:22:02,320
I started using Burp Bounty,
but never really stuck with it.

1602
01:22:03,360 --> 01:22:07,709
Uh, and the GS result to have
the, you know, the GS stored

1603
01:22:07,709 --> 01:22:08,660
inside Visual Studio Code.

1604
01:22:08,959 --> 01:22:09,879
And outside Burp?

1605
01:22:10,959 --> 01:22:11,559
Outside Burp?

1606
01:22:11,770 --> 01:22:12,969
Um, depends.

1607
01:22:13,010 --> 01:22:15,719
When I need to do some
fuzzing, it's good old ffuf.

1608
01:22:15,849 --> 01:22:16,870
Does the trick for me.

1609
01:22:17,600 --> 01:22:18,240
Really like it.

1610
01:22:19,010 --> 01:22:23,710
Uh, jq, of course, and JSON
Crack to graphically explore it.

1611
01:22:23,730 --> 01:22:27,810
I really like the, the way you can
like quickly explore the stuff.

1612
01:22:28,249 --> 01:22:29,060
Let me think because.

1613
01:22:30,220 --> 01:22:31,280
I'm using any stuff.

1614
01:22:33,000 --> 01:22:36,940
Some extensions like Tampermonkey,
you know, when you need to modify the

1615
01:22:36,940 --> 01:22:40,780
DOM quickly to remove some elements
or do some quick actions, like know to

1616
01:22:40,780 --> 01:22:43,609
remove the disabled part of something.

1617
01:22:43,620 --> 01:22:45,080
That's pretty, that's pretty nice.

1618
01:22:45,530 --> 01:22:48,269
Uh, I've got a self-hosted
Interactsh server for

1619
01:22:48,270 --> 01:22:49,849
out-of-band interactions.

1620
01:22:50,469 --> 01:22:54,239
I've got a couple DNS zone for,
um, you know, um, DNS rebinding.

1621
01:22:55,100 --> 01:22:58,750
And, uh, and various
variations, uh, around that,

1622
01:23:00,940 --> 01:23:03,390
uh, man, I think that's pretty much it.

1623
01:23:03,390 --> 01:23:07,139
And of course you got to know some
classic toolkit that you once in a

1624
01:23:07,139 --> 01:23:11,290
while you go with, you know, some
SQL map or GW to track, but you

1625
01:23:11,290 --> 01:23:12,930
know, it's very specific to an issue.

1626
01:23:14,480 --> 01:23:16,080
Variations of DNS rebinding.

1627
01:23:16,090 --> 01:23:16,600
Did you mean?

1628
01:23:16,830 --> 01:23:21,020
If I'm correct, there's like a three,
four, five different methods, you know,

1629
01:23:21,020 --> 01:23:26,609
where the browser goes onto your website
and then you hold it for a couple of

1630
01:23:26,609 --> 01:23:28,519
seconds and you change the DNS record.

1631
01:23:28,819 --> 01:23:31,729
There's one where you send two
DNS record at the same time.

1632
01:23:32,250 --> 01:23:36,894
Uh, and, uh, it's, uh, I think it's Rhino
who made a tool for that, which is DNS.

1633
01:23:37,605 --> 01:23:39,645
Rebind multi A, something like that.

1634
01:23:39,825 --> 01:23:40,185
Okay.

1635
01:23:40,605 --> 01:23:44,695
There are other ways, also some variations
to clear the, to clear the cache by

1636
01:23:44,725 --> 01:23:49,774
no saturating the, the, the number
of, of DNS respondents you send them.

1637
01:23:50,155 --> 01:23:54,414
So it's, uh, well, like there was five
or six variations, I think, in the tool

1638
01:23:54,414 --> 01:23:56,415
Singularity when you set it up properly.

1639
01:23:56,764 --> 01:23:59,965
And then you got other tools
like DNS rebind multi A and a

1640
01:24:00,315 --> 01:24:01,405
couple other ones on GitHub.

1641
01:24:01,610 --> 01:24:01,840
Okay.

1642
01:24:01,880 --> 01:24:04,150
I didn't know all of them,
so I have to check this.

1643
01:24:04,230 --> 01:24:04,500
Yeah.

1644
01:24:04,500 --> 01:24:07,200
It's, uh, it's, it's cool to set
up, but it's boring because you

1645
01:24:07,200 --> 01:24:10,120
have to set your DNS zone correctly
and all the tools and so on.

1646
01:24:10,400 --> 01:24:13,620
And then you can just customize the
JavaScript on the page and the tests.

1647
01:24:14,260 --> 01:24:14,620
It's cool.

1648
01:24:14,849 --> 01:24:15,159
Yeah.

1649
01:24:15,970 --> 01:24:16,480
How about AI?

1650
01:24:16,820 --> 01:24:22,430
I know you have some great ideas for
using AI in the future, but today,

1651
01:24:22,430 --> 01:24:24,300
how, how does it help your hacking?

1652
01:24:24,640 --> 01:24:25,910
That's multiple levels.

1653
01:24:25,950 --> 01:24:26,829
Um, I don't know.

1654
01:24:27,080 --> 01:24:32,780
I love what, uh, Justin was saying,
uh, regarding, uh, you know, keeping

1655
01:24:32,780 --> 01:24:35,350
yourself in a good flow state.

1656
01:24:35,650 --> 01:24:39,790
And there's another French hunter called
LaLuca who takes a lot about, who talks

1657
01:24:39,790 --> 01:24:43,670
about, about that, about keeping yourself
in a good flow state and avoid having

1658
01:24:43,680 --> 01:24:45,669
like breaking interactions and so on.

1659
01:24:46,199 --> 01:24:50,435
So I love how, um, When AI is correctly
integrated into your workflow, so you

1660
01:24:50,435 --> 01:24:55,315
don't have to open Chrome, go to ChatGPT,
create a new chat or something like that.

1661
01:24:55,315 --> 01:24:59,725
So I have a lot of bindings, you know,
so just, I can interact quickly with AI.

1662
01:25:00,975 --> 01:25:05,405
I have like, uh, self hosted, uh,
LibreChat, which is, uh, you know,

1663
01:25:05,424 --> 01:25:10,685
simply, um, using the APIs
of the most popular LLM providers.

1664
01:25:11,255 --> 01:25:12,635
And you can self-host it.

1665
01:25:12,635 --> 01:25:16,895
So you can like have a graph, nice
graphical interface with all your power

1666
01:25:16,985 --> 01:25:21,185
methodized queries, your prompts that
are all correctly stored in one place.

1667
01:25:21,335 --> 01:25:21,605
Yeah.

1668
01:25:21,725 --> 01:25:22,715
So it's pretty cool.

1669
01:25:22,865 --> 01:25:25,175
And uh, it also adds some other features.

1670
01:25:25,175 --> 01:25:29,005
For example, big-AGI, which is another
application, allows you to do something

1671
01:25:29,005 --> 01:25:33,260
called Beam, which allows you to query
multiple random providers with the same.

1672
01:25:33,795 --> 01:25:36,275
Prompt, so we can compare
the questions that you like.

1673
01:25:36,925 --> 01:25:40,625
Uh, and sometimes there is also multi
step reasoning, for example, where you

1674
01:25:40,625 --> 01:25:45,505
take two or three LLMs, different LLMs,
working on the same things, and then

1675
01:25:45,515 --> 01:25:47,435
makes a diff and unified response.

1676
01:25:48,075 --> 01:25:49,665
That's a lot of cool stuff.

1677
01:25:50,525 --> 01:25:53,794
Um, I started working on
Daniel Miessler's Fabric.

1678
01:25:53,795 --> 01:25:57,755
So it's a CLI tool, which, um,
has like a collection of prompts,

1679
01:25:58,175 --> 01:25:59,705
maybe a hundred, 200 prompts.

1680
01:25:59,725 --> 01:26:00,155
Very cool.

1681
01:26:00,785 --> 01:26:02,974
And so basically you
can pipe anything in it.

1682
01:26:03,740 --> 01:26:08,130
So from your command line, you can say,
for example, uh, sqlmap, uh, dash dash

1683
01:26:08,140 --> 01:26:13,530
help, and then you pipe it into fabric and
specify the prompt that you want to use.

1684
01:26:14,470 --> 01:26:18,579
So for example, you provide, well,
your inputs from your terminal into,

1685
01:26:18,580 --> 01:26:22,839
well, your AI agent and your
preconfigured prompt, for

1686
01:26:22,840 --> 01:26:27,310
example, to ask him to, well, generate
you the perfect sqlmap, I don't

1687
01:26:27,350 --> 01:26:29,290
know, command at some point in time.

1688
01:26:29,670 --> 01:26:33,065
And, um, It's very cool because it
integrates natively, you know, into

1689
01:26:33,065 --> 01:26:39,325
your environment, but mostly, um, it
has like very high quality prompts

1690
01:26:39,685 --> 01:26:43,294
or, or to organize them and how to
ensure that you get quality results.

1691
01:26:43,364 --> 01:26:44,965
So it's pretty nice as well.

1692
01:26:45,685 --> 01:26:51,215
Um, I was starting to develop also a
Burp extension, you know, and I recently

1693
01:26:51,225 --> 01:26:55,905
saw Justin sharing the, the, um, and
his team, um, the integration that

1694
01:26:55,905 --> 01:26:59,925
they made into Caido, you know, you
do a Shift-L and you got, uh, that.

1695
01:27:00,385 --> 01:27:03,885
And, uh, I was initially developing
something like that for myself.

1696
01:27:04,655 --> 01:27:08,125
I got to check if I have the time
and the strength to endure, you know,

1697
01:27:08,185 --> 01:27:10,084
coding in Java for that much time.

1698
01:27:10,574 --> 01:27:11,835
But yeah, that's the kind of thing

1699
01:27:12,035 --> 01:27:12,424
I do.

1700
01:27:13,495 --> 01:27:16,105
How do you see the future
of, of AI in hacking?

1701
01:27:16,285 --> 01:27:18,295
Is AI going to replace bug bounty?

1702
01:27:19,694 --> 01:27:24,385
Not necessarily, but you know,
as all things, um, you know, and

1703
01:27:24,395 --> 01:27:25,695
the maturity level of different

1704
01:27:28,845 --> 01:27:33,805
Sorry, the technical capabilities of
the attackers also, uh, also improve.

1705
01:27:34,485 --> 01:27:39,535
And so not necessarily because for now we
are pretty far from having the real, you

1706
01:27:39,535 --> 01:27:45,145
know, artificial general intelligence,
um, and we are still stuck by context.

1707
01:27:45,405 --> 01:27:48,404
So context is pretty much everything.

1708
01:27:48,405 --> 01:27:51,715
It's a, it's the state machine, you
know, and if you don't have, you're

1709
01:27:51,725 --> 01:27:55,105
not able to maintain context for a
long period of time, you're not able

1710
01:27:55,105 --> 01:28:00,075
to, you know, Have really meaningful
in depth assessment of something.

1711
01:28:00,695 --> 01:28:04,614
And that's why I talk so much about, you
know, those little agents, this chain

1712
01:28:04,614 --> 01:28:09,675
of thought and the way to go around the
limitations of not having enough context.

1713
01:28:10,275 --> 01:28:14,465
So yeah, maybe one day we'll be replaced
and that's, that's not a bad thing, but

1714
01:28:14,585 --> 01:28:16,305
we will find other things to hack on.

1715
01:28:16,305 --> 01:28:18,945
AI is a black box.

1716
01:28:18,945 --> 01:28:20,755
No one really understands how it works.

1717
01:28:20,785 --> 01:28:25,275
Even like you've got machine learning
engineers who work under the hood, but.

1718
01:28:25,635 --> 01:28:27,325
It's a black box for a lot of people.

1719
01:28:27,655 --> 01:28:31,975
Once AI has replaced us, we will hack
AI and then we hack other things.

1720
01:28:31,975 --> 01:28:34,725
We hack quantum computers, I don't know.

1721
01:28:35,835 --> 01:28:39,045
Yeah, that's the good mindset, like,
if the technology changes, we'll adapt.

1722
01:28:40,005 --> 01:28:42,544
There's always been need
for security somewhere.

1723
01:28:42,755 --> 01:28:47,825
Yeah, we can't be, um, like attached
to a technology or to a specific time.

1724
01:28:47,835 --> 01:28:52,245
Like by nature, it's always evolving
technologies or rapidly, you know,

1725
01:28:52,315 --> 01:28:56,425
also deprecating like how many
weeks can you wait before there

1726
01:28:56,425 --> 01:28:58,704
is a new JavaScript framework?

1727
01:28:59,370 --> 01:29:00,210
Two weeks, maybe.

1728
01:29:01,640 --> 01:29:02,570
It's bound to evolve.

1729
01:29:02,660 --> 01:29:07,480
And, um, hacking is the art of learning,
not necessarily the art of exploiting,

1730
01:29:07,480 --> 01:29:10,690
but it's mostly the art of learning
and then applying those skills.

1731
01:29:11,200 --> 01:29:11,550
Yeah.

1732
01:29:11,940 --> 01:29:12,240
Good.

1733
01:29:12,880 --> 01:29:14,139
We'll, we'll come to an end.

1734
01:29:14,500 --> 01:29:18,900
Uh, Tell me, what are you looking to
achieve in, in the upcoming year, 2025?

1735
01:29:20,050 --> 01:29:25,110
Uh, basically, I'll, I'll try to keep
around because of very cool events.

1736
01:29:25,120 --> 01:29:27,010
And of course we make big money with them.

1737
01:29:27,010 --> 01:29:31,560
And, uh, I need, I think to, to keep
building some wealth very honestly.

1738
01:29:31,770 --> 01:29:32,030
Yeah.

1739
01:29:32,259 --> 01:29:36,490
And, uh, I'd like to also, uh, diversify
myself outside of the cybersecurity world.

1740
01:29:36,490 --> 01:29:40,740
So for now I have said project with
AI, but I also like, for example,

1741
01:29:40,740 --> 01:29:45,059
to have, you know, some real world
businesses to ensure that, you know.

1742
01:29:46,120 --> 01:29:49,860
This is, we are living exciting
times, but also very dangerous times.

1743
01:29:49,860 --> 01:29:53,390
And I think it's good to have like a
little fit in the, in the real world,

1744
01:29:53,390 --> 01:29:56,050
maybe a small restaurant, maybe a
small house, something like that.

1745
01:29:56,070 --> 01:29:58,570
You know, you can touch.

1746
01:30:00,860 --> 01:30:01,200
Great.

1747
01:30:01,249 --> 01:30:02,080
Thank you so much.

1748
01:30:02,080 --> 01:30:04,049
It was awesome.

1749
01:30:04,530 --> 01:30:06,230
Thanks for listening.

1750
01:30:06,320 --> 01:30:10,350
If you want to listen to another
one, I recommend you, uh, this one

1751
01:30:10,350 --> 01:30:13,659
in the description and on the screen
right now with Louis from Pentester

1752
01:30:13,660 --> 01:30:17,030
Lab, where we talked about getting
into the field, learning about

1753
01:30:17,030 --> 01:30:19,920
cybersecurity and, uh, many other things.

1754
01:30:20,530 --> 01:30:23,029
For now, thank you so much
for listening and goodbye.

