1
00:00:00,140 --> 00:00:06,040
XSS is still the most common vulnerability
class, so there's a lot of bounties

2
00:00:06,080 --> 00:00:11,570
to be earned here, especially if, like
my today's guest, you're so good at it

3
00:00:11,679 --> 00:00:14,619
that you can get bounties like 50,000.

4
00:00:15,280 --> 00:00:19,739
We'll talk about this bug, about many
other things, for example, how you can

5
00:00:19,740 --> 00:00:24,420
speed up your workflow by, instead of
copying things from your browser to your

6
00:00:24,459 --> 00:00:29,720
terminal to run some tools, you can do
things with one click from your browser.

7
00:00:30,314 --> 00:00:32,324
Enjoy my interview with renniepak.

8
00:00:33,625 --> 00:00:34,515
So hello, René.

9
00:00:34,725 --> 00:00:37,075
Thank you so much for joining me here.

10
00:00:37,695 --> 00:00:42,695
We're recording this in Prague,
just as we finish the Elite 8

11
00:00:42,704 --> 00:00:44,485
round of the Ambassador World Cup.

12
00:00:45,135 --> 00:00:48,205
And it's great meeting you here, and
thank you for being my guest today.

13
00:00:48,265 --> 00:00:49,724
Likewise, thank you for having me.

14
00:00:50,285 --> 00:00:54,055
for those who don't know you
yet, can you please tell us a

15
00:00:54,065 --> 00:00:55,635
little bit about your background?

16
00:00:56,125 --> 00:00:56,525
Sure.

17
00:00:57,235 --> 00:01:05,665
I'm René, renniepak on most platforms. I'm
from the Netherlands, I'm 40 years old.

18
00:01:07,685 --> 00:01:14,555
Yeah, and my background, I studied
at the conservatory actually, which is

19
00:01:14,555 --> 00:01:17,365
like a professional school for music.

20
00:01:17,375 --> 00:01:17,904
Oh, yeah,

21
00:01:17,905 --> 00:01:20,794
So to become a musician, percussionist.

22
00:01:20,794 --> 00:01:21,964
Yeah.

23
00:01:22,855 --> 00:01:27,664
and while I liked my studies, I quickly
realized that it wasn't really for

24
00:01:27,664 --> 00:01:29,955
me to be a professional musician.

25
00:01:30,355 --> 00:01:31,645
As a hobby it was fine.

26
00:01:33,875 --> 00:01:34,725
but I did finish it.

27
00:01:34,735 --> 00:01:36,005
So then, yeah.

28
00:01:36,440 --> 00:01:41,250
Then I got my diplomas and,
the great journey started off

29
00:01:41,589 --> 00:01:45,409
discovering what I do and did want
to do with my professional career.

30
00:01:45,810 --> 00:01:50,799
So I did all kinds of jobs like
starting in, a call center doing

31
00:01:50,799 --> 00:01:52,480
support, tech support stuff.

32
00:01:52,689 --> 00:01:52,929
Yeah.

33
00:01:52,980 --> 00:01:56,899
And then slowly but surely I
moved towards IT a bit more.

34
00:01:58,255 --> 00:02:03,825
I think my first real IT job
was as a tester and at

35
00:02:03,825 --> 00:02:08,945
the time really working through big
Excel sheets like click here and check

36
00:02:08,955 --> 00:02:11,104
that and then check-mark it's done.

37
00:02:11,624 --> 00:02:13,415
Sounds very boring to me, to be honest.

38
00:02:13,774 --> 00:02:18,435
It was, but then I moved to test
automation and later to development.

39
00:02:18,555 --> 00:02:18,935
Yeah.

40
00:02:19,025 --> 00:02:20,115
And then.

41
00:02:20,545 --> 00:02:23,355
I think my last real job was at bol.com,

42
00:02:23,375 --> 00:02:23,805
which

43
00:02:24,235 --> 00:02:24,315
is

44
00:02:24,315 --> 00:02:27,415
a big, like a retailer
in the Netherlands and

45
00:02:27,415 --> 00:02:29,655
Belgium, a bit like Amazon.com,

46
00:02:29,815 --> 00:02:35,154
but more localized. There
I worked also as a tester in the

47
00:02:35,165 --> 00:02:36,714
beginning, then as a developer.

48
00:02:36,714 --> 00:02:40,670
And then I became a developer
in the security team of bol.com

49
00:02:40,690 --> 00:02:46,429
because they have some applications
that are more sensitive in nature.

50
00:02:46,429 --> 00:02:51,660
So I worked there and then I had
the opportunity to make the switch

51
00:02:51,679 --> 00:02:53,270
to become an ethical hacker.

52
00:02:53,389 --> 00:02:53,589
Yeah.

53
00:02:53,589 --> 00:02:54,969
In the security team because.

54
00:02:54,980 --> 00:02:56,250
Still within the same company.

55
00:02:56,309 --> 00:02:56,589
Yeah.

56
00:02:56,639 --> 00:02:56,939
Yeah.

57
00:02:57,869 --> 00:03:01,910
and I was also responsible for the,
big bounty program actually there.

58
00:03:02,195 --> 00:03:07,234
And then, three years ago
almost, I decided to become a

59
00:03:07,654 --> 00:03:09,284
full time Bug Bounty Hunter.

60
00:03:09,304 --> 00:03:11,524
And that's... So it's been
three years already?

61
00:03:11,845 --> 00:03:13,075
Yeah, In May it's three years.

62
00:03:13,075 --> 00:03:14,654
So not there yet,

63
00:03:14,654 --> 00:03:16,074
but it's coming there.

64
00:03:16,355 --> 00:03:17,174
How is it going?

65
00:03:17,194 --> 00:03:18,894
How do you like it after two years?

66
00:03:19,535 --> 00:03:20,375
Ups and downs.

67
00:03:20,375 --> 00:03:20,795
Ups and downs.

68
00:03:21,704 --> 00:03:28,024
No, I still... Anyone that knows me and
talks to me knows that it's a bit of a

69
00:03:28,024 --> 00:03:31,625
rollercoaster for me all the time.

70
00:03:31,674 --> 00:03:34,295
So I really
liked having the freedom.

71
00:03:34,355 --> 00:03:34,635
Yeah.

72
00:03:34,754 --> 00:03:37,225
That's still one of the best parts still.

73
00:03:37,265 --> 00:03:37,535
Oh yeah.

74
00:03:37,794 --> 00:03:40,894
Also the freedom to choose
what's interesting to you.

75
00:03:41,005 --> 00:03:41,929
I really like that.

76
00:03:43,940 --> 00:03:50,079
But I struggle with seasonal
depression; winter is not great

77
00:03:50,090 --> 00:03:55,079
for me, being alone in my
workspace and typing away.

78
00:03:57,289 --> 00:04:02,630
Yeah, and sometimes
I dislike the frustration

79
00:04:02,630 --> 00:04:06,480
and the drama around bug bounty
reports getting downgraded or

80
00:04:07,090 --> 00:04:09,630
decisions you don't agree with.

81
00:04:09,640 --> 00:04:11,990
So that's a bit harsh sometimes, but.

82
00:04:12,800 --> 00:04:16,860
On the other hand, I'm also not
prepared to go back to like office life.

83
00:04:16,860 --> 00:04:22,200
And yeah, so that's still a bit, yeah,
I'm still not sure what's next for me.

84
00:04:22,200 --> 00:04:23,700
But so far so good.

85
00:04:23,880 --> 00:04:24,390
I understand.

86
00:04:24,390 --> 00:04:26,489
I also have some moments
where, oh, it's bug bounty.

87
00:04:26,489 --> 00:04:30,460
It's annoying and you're getting
frustrated or something, but then I

88
00:04:30,539 --> 00:04:34,799
really could imagine myself going back
to a nine to five and it would be really,

89
00:04:34,799 --> 00:04:40,469
hard at this point, but I think we all
have times where it would be really nice

90
00:04:40,469 --> 00:04:44,909
to just have a job, don't care about
anything, get the same pay, salary every

91
00:04:44,909 --> 00:04:45,229
month.

92
00:04:45,269 --> 00:04:45,989
Yeah, exactly.

93
00:04:46,049 --> 00:04:46,390
Yeah.

94
00:04:46,760 --> 00:04:47,419
Same for me.

95
00:04:48,169 --> 00:04:54,020
I was just telling someone that I made
a mistake of looking... I filtered all

96
00:04:54,020 --> 00:04:59,510
my duplicate reports from the past years,
and it was like 200 or 300 of them.

97
00:04:59,510 --> 00:04:59,989
So... Wow.

98
00:05:00,169 --> 00:05:05,150
I really got frustrated with all the
time that I, lost spending there.

99
00:05:05,150 --> 00:05:06,760
But yeah, that's part of the game,

100
00:05:07,210 --> 00:05:07,480
Yeah.

101
00:05:07,510 --> 00:05:10,060
On the other side, what, there,
on the other hand, what are the

102
00:05:10,150 --> 00:05:11,530
best sides of bug bounty?

103
00:05:12,370 --> 00:05:12,550
Yeah.

104
00:05:12,550 --> 00:05:14,020
Like I said, I really like.

105
00:05:14,775 --> 00:05:16,175
Doing stuff that I like.

106
00:05:16,175 --> 00:05:20,155
Yeah, it sounds obvious when you
put it like that, but obviously in

107
00:05:20,155 --> 00:05:22,815
a job you need to fulfill some task.

108
00:05:22,995 --> 00:05:23,205
Yeah.

109
00:05:23,705 --> 00:05:28,734
And in bug bounty you can really spend
time on the parts, on just the parts

110
00:05:28,734 --> 00:05:30,654
that you're good at or that you like.

111
00:05:31,989 --> 00:05:33,409
yeah, that's the best part for me,

112
00:05:34,789 --> 00:05:37,320
Also didn't say it in the intro,
but you're the only person I know

113
00:05:37,320 --> 00:05:40,859
that has the payload tattooed
on your... you can show it to the

114
00:05:40,859 --> 00:05:42,640
camera for the podcast viewers.

115
00:05:42,640 --> 00:05:43,029
We're sorry.

116
00:05:43,029 --> 00:05:46,889
He has the SVG onload XSS
payload on his forearm.

117
00:05:48,095 --> 00:05:51,485
And I think this is something I think
every hacker thought about having

118
00:05:51,485 --> 00:05:52,905
it through like this at some point.

119
00:05:53,295 --> 00:05:55,534
But, you're the only one that
I know that actually did it.

120
00:05:55,875 --> 00:05:56,605
So well done.

121
00:05:57,965 --> 00:06:02,575
So, the three years: how
does your routine look now?

122
00:06:03,005 --> 00:06:06,264
And how did it change during this time?

123
00:06:09,680 --> 00:06:17,659
I guess my, routine is pretty nine to five
still, actually, I'm a dad and a husband,

124
00:06:17,659 --> 00:06:25,530
so I just have a daughter to take to
school and daily life is, yeah, it's just,

125
00:06:26,020 --> 00:06:28,460
going as, as it's supposed to go for me,

126
00:06:30,469 --> 00:06:33,989
I'm not really a nighttime
hacker in that sense.

127
00:06:34,020 --> 00:06:38,250
I try to stick to my nine to
five and then, it's okay for me.

128
00:06:39,530 --> 00:06:44,690
I guess in the beginning I
was more, how do you call it?

129
00:06:45,520 --> 00:06:51,130
Motivated to jump on new programs,
pick up the low-hanging

130
00:06:51,160 --> 00:06:55,289
fruit, et cetera, and race to
get the first bounties. Nowadays,

131
00:06:56,260 --> 00:06:56,710
Yeah.

132
00:06:56,780 --> 00:07:02,210
Like I guess I just said, I'm
working more towards what I'm actually

133
00:07:02,210 --> 00:07:07,090
interested in rather than, joining
the rat race for the first bounties.

134
00:07:07,880 --> 00:07:09,590
So I guess that changed a lot.

135
00:07:10,069 --> 00:07:17,140
Also in the beginning, I was really
heavy on working on Intigriti, climbing

136
00:07:17,140 --> 00:07:19,070
the leaderboard, staying in the top 10.

137
00:07:19,100 --> 00:07:22,770
And, currently I don't really
care about leaderboards anymore.

138
00:07:23,020 --> 00:07:23,220
Yeah.

139
00:07:23,220 --> 00:07:24,690
What is your main platform these days?

140
00:07:27,390 --> 00:07:32,650
I think, at this point,
it's even between, like, Bugcrowd,

141
00:07:32,660 --> 00:07:34,610
HackerOne and Intigriti.

142
00:07:34,670 --> 00:07:35,210
All three?

143
00:07:35,230 --> 00:07:35,520
Yeah.

144
00:07:36,100 --> 00:07:38,540
What is, how would you compare
the differences between

145
00:07:38,540 --> 00:07:39,450
hacking on each of them?

146
00:07:45,080 --> 00:07:45,760
honestly?

147
00:07:46,080 --> 00:07:46,700
Yeah.

148
00:07:47,039 --> 00:07:49,220
Not a huge difference anymore nowadays.

149
00:07:49,690 --> 00:07:49,950
No,

150
00:07:50,289 --> 00:07:55,020
Because I've heard from multiple people
that Intigriti has better triage.

151
00:07:55,050 --> 00:07:58,194
I don't have a single bug on
Intigriti, unfortunately, so I cannot.

152
00:07:58,194 --> 00:08:01,580
I don't want to say anything bad
about Intigriti because I really love

153
00:08:01,580 --> 00:08:02,990
them and I've done a lot on them.

154
00:08:02,990 --> 00:08:06,819
But you can also, you can, you do
notice that they also are growing.

155
00:08:06,820 --> 00:08:08,439
Like when I started back then.

156
00:08:09,865 --> 00:08:14,645
I was really in the beginning working
on Intigriti and, at that time

157
00:08:14,645 --> 00:08:19,875
you could literally send the CEO,
a question about your report on a

158
00:08:19,875 --> 00:08:21,354
Sunday morning and he would respond.

159
00:08:22,034 --> 00:08:24,544
Of course, that's not something
that's feasible when you're,

160
00:08:24,935 --> 00:08:25,964
when your company grows.

161
00:08:25,964 --> 00:08:31,955
So it's only, logical, that they're,
becoming more standardized with,

162
00:08:32,314 --> 00:08:33,724
with their support, et cetera.

163
00:08:34,294 --> 00:08:35,315
but it's still fine.

164
00:08:35,315 --> 00:08:40,350
And I, I actually enjoy working
all the platforms and I have also,

165
00:08:40,490 --> 00:08:42,740
frustrations of all the platforms, Yeah.

166
00:08:43,130 --> 00:08:43,940
So these days you just

167
00:08:43,940 --> 00:08:46,440
choose by, who has the
program that you want to hack.

168
00:08:46,500 --> 00:08:46,700
Yeah.

169
00:08:46,950 --> 00:08:47,130
Yeah.

170
00:08:47,130 --> 00:08:47,620
Definitely.

171
00:08:47,679 --> 00:08:47,919
Yeah.

172
00:08:48,090 --> 00:08:48,700
How about events?

173
00:08:50,125 --> 00:08:51,564
Do you, attend a lot of them, this,

174
00:08:52,385 --> 00:08:57,584
I did attend a lot of Intigriti events
and then it's been like quiet for like

175
00:08:57,585 --> 00:09:00,515
the past one and a half year or something.

176
00:09:00,525 --> 00:09:03,725
And this is the first one
actually for HackerOne for me.

177
00:09:05,744 --> 00:09:06,154
Let's

178
00:09:06,154 --> 00:09:07,055
hope it's not the last.

179
00:09:07,064 --> 00:09:07,814
No, let's hope.

180
00:09:08,054 --> 00:09:09,385
Let's hope we meet in the final.

181
00:09:09,525 --> 00:09:09,755
Yeah.

182
00:09:10,160 --> 00:09:14,260
Because the, background is
for, you at home is that now we

183
00:09:14,260 --> 00:09:15,610
are at the quarterfinal stage.

184
00:09:15,930 --> 00:09:20,430
If we advance through this stage, we'll
meet again in the final round in Dubai.

185
00:09:20,760 --> 00:09:24,180
Even if we lose the semifinal,
the we'll go, we'll play the

186
00:09:24,180 --> 00:09:25,710
match for the third place.

187
00:09:25,710 --> 00:09:30,360
So yeah, if we pass this round,
we'll, meet in, in Dubai in what,

188
00:09:30,360 --> 00:09:31,710
two months or something like that?

189
00:09:32,190 --> 00:09:32,521
I think so.

190
00:09:32,521 --> 00:09:32,523
In May.

191
00:09:32,523 --> 00:09:32,525
I think.

192
00:09:32,530 --> 00:09:33,210
Yeah, in May.

193
00:09:33,210 --> 00:09:33,540
Yeah.

194
00:09:33,545 --> 00:09:33,705
Correct.

195
00:09:36,450 --> 00:09:37,020
so what was

196
00:09:39,650 --> 00:09:42,470
the, your main motivation
to actually quit Avanti?

197
00:09:42,470 --> 00:09:46,760
Because I assume for some time you
were hunting for bugs after hours

198
00:09:46,760 --> 00:09:50,150
and working at the same time, and
at some point you decided to quit.

199
00:09:50,180 --> 00:09:53,090
What was the, thing that
actually motivated you?

200
00:09:53,090 --> 00:09:54,410
Okay, this is the time to quit.

201
00:09:56,020 --> 00:09:59,950
It was right after Covid. Okay.

202
00:09:59,950 --> 00:10:04,060
I was already working at my previous
employer like five, six years.

203
00:10:06,199 --> 00:10:09,590
yeah, it was like a natural time
for me to look for something else.

204
00:10:09,790 --> 00:10:10,120
Okay.

205
00:10:10,400 --> 00:10:16,529
I had grown there, new experiences
and I was, yeah, I needed to make a

206
00:10:16,529 --> 00:10:22,049
next step and I was always wanting
to try bug bounty, like full time,

207
00:10:22,200 --> 00:10:23,820
but of course it's a scary step.

208
00:10:23,820 --> 00:10:30,730
So I first saved a lot of bounties
to have a financial buffer to make.

209
00:10:30,740 --> 00:10:30,760
Yeah.

210
00:10:31,040 --> 00:10:31,360
That's important.

211
00:10:31,420 --> 00:10:31,439
Yeah.

212
00:10:31,510 --> 00:10:31,819
Yeah.

213
00:10:31,820 --> 00:10:31,989
Yeah.

214
00:10:31,990 --> 00:10:33,149
And, yeah.

215
00:10:33,319 --> 00:10:38,060
Yeah, and then I just tried it
and still, trying it actually.

216
00:10:38,790 --> 00:10:41,840
What do you say to people that
are considering quitting their

217
00:10:41,840 --> 00:10:44,640
job for full-time bug
bounty or are just about to quit?

218
00:10:45,240 --> 00:10:50,979
I think the financial part is really
important, to have a buffer to be

219
00:10:51,009 --> 00:10:56,430
able to fail not only for a week,
but actually, yeah, I had a buffer.

220
00:10:56,430 --> 00:11:00,479
I think I could fail for six months.

221
00:11:00,989 --> 00:11:02,729
I could survive six months at a time.

222
00:11:03,660 --> 00:11:07,630
Luckily, it's a bit bigger now, but
yeah, I think that really helps for

223
00:11:07,630 --> 00:11:14,230
bug bounty because otherwise, you'll
get frustrated and, you'll get, if you

224
00:11:14,240 --> 00:11:19,250
need the money, in my experience, it
becomes even harder to find something.

225
00:11:20,350 --> 00:11:20,940
something good.

226
00:11:21,459 --> 00:11:24,680
I don't even imagine like
having to rely on bug bounty

227
00:11:24,680 --> 00:11:27,800
for let's say next month's rent.

228
00:11:28,449 --> 00:11:30,590
I, cannot imagine myself
in this situation.

229
00:11:30,590 --> 00:11:30,990
I would be,

230
00:11:31,100 --> 00:11:32,360
I think I would be just stressed.

231
00:11:32,369 --> 00:11:32,699
Yeah.

232
00:11:32,880 --> 00:11:33,079
Yeah.

233
00:11:33,079 --> 00:11:33,739
And that, yeah.

234
00:11:33,789 --> 00:11:36,370
In my experience that lowers
your creativity as well.

235
00:11:36,370 --> 00:11:40,744
So then, yeah, it all becomes
harder and harder actually.

236
00:11:40,744 --> 00:11:41,529
Yeah.

237
00:11:41,810 --> 00:11:45,670
Let's, let's now jump into a
little more technical topics.

238
00:11:47,755 --> 00:11:51,825
A year ago, or I guess now it would
be more closer to two years ago,

239
00:11:51,825 --> 00:11:55,675
you published a blog post with
like your top vulnerability types.

240
00:11:55,714 --> 00:11:58,974
The top one was XSS, the second
one was IDORs, and the third

241
00:11:59,244 --> 00:12:01,084
one was access control bugs.

242
00:12:01,695 --> 00:12:04,734
Would you still put them
in the same order today?

243
00:12:05,725 --> 00:12:06,235
I think so,

244
00:12:06,364 --> 00:12:06,774
yes.

245
00:12:06,784 --> 00:12:07,194
So

246
00:12:07,435 --> 00:12:08,905
XSS is your favorite bug class?

247
00:12:08,944 --> 00:12:09,345
Yes.

248
00:12:10,229 --> 00:12:12,360
yeah, it's a blessing and
a curse in that sense.

249
00:12:12,630 --> 00:12:13,390
Why is it a curse?

250
00:12:15,560 --> 00:12:19,459
like my last year wasn't as
successful as the year before.

251
00:12:20,089 --> 00:12:24,310
And that's mainly because
I followed my interests.

252
00:12:24,319 --> 00:12:27,289
It was, I did a lot of postMessage XSS.

253
00:12:27,449 --> 00:12:27,839
Yeah.

254
00:12:28,260 --> 00:12:32,459
Which I find very interesting
and also very abundant.

255
00:12:32,490 --> 00:12:34,110
Like it's everywhere.

256
00:12:34,970 --> 00:12:36,439
Even this event, I found some.

257
00:12:38,525 --> 00:12:45,545
The only problem is that it's often
caused by third parties, because the,

258
00:12:45,645 --> 00:12:51,125
like the technology of postMessage
really links to, like, the relation

259
00:12:51,374 --> 00:12:54,974
between third parties and like main
scope, because if you're in the same

260
00:12:54,975 --> 00:12:55,975
origin, you don't need the post.

261
00:12:55,984 --> 00:12:56,494
Exactly.

262
00:12:57,874 --> 00:13:05,035
So, often these types of bugs
are, like, partly correctly

263
00:13:05,255 --> 00:13:06,645
blamed on the third party.

264
00:13:06,995 --> 00:13:10,094
And, yeah, and then
you'll lose some money.

265
00:13:10,324 --> 00:13:12,064
So it's hard to get paid
for them, is what you mean?

266
00:13:12,065 --> 00:13:13,344
Yeah.

267
00:13:13,344 --> 00:13:16,634
Do you, when you look for these
bugs, do you only look at what

268
00:13:16,745 --> 00:13:18,285
postMessages are being sent?

269
00:13:18,304 --> 00:13:21,405
Or do you also like manually
see the source code to see what

270
00:13:21,405 --> 00:13:22,844
listeners are there as well?

271
00:13:22,935 --> 00:13:23,405
Yeah,

272
00:13:24,274 --> 00:13:25,305
both actually.

273
00:13:25,395 --> 00:13:30,295
Actually, yeah, I think I
mentioned this before in another

274
00:13:30,325 --> 00:13:33,095
podcast, but I use Frans Rosén's

275
00:13:33,255 --> 00:13:34,495
postMessage-tracker.

276
00:13:34,565 --> 00:13:34,905
Yeah.

277
00:13:34,985 --> 00:13:37,935
And I actually made a lot
of enhancements since then.

278
00:13:38,425 --> 00:13:45,404
Also to actively alert me if some XSS
sinks are already present in the listener.

279
00:13:45,685 --> 00:13:46,395
Okay.

280
00:13:46,935 --> 00:13:48,964
So then I'll get a pop up saying, check

281
00:13:48,964 --> 00:13:49,445
this out.

282
00:13:49,674 --> 00:13:54,464
This is, this sounds like it's
more than just a source code scan.

283
00:13:54,464 --> 00:13:58,415
It sounds like you're actually parsing
the, interpreting the functions.

284
00:13:59,115 --> 00:13:59,635
No, it's,

285
00:13:59,635 --> 00:13:59,919
it's.

286
00:14:00,610 --> 00:14:01,780
much more basic than that.

287
00:14:02,130 --> 00:14:07,880
So it's really looking for if
there's an 'href=' in there and

288
00:14:07,890 --> 00:14:11,939
it's probably something with... so it's
really rudimentary in that sense.

289
00:14:12,295 --> 00:14:19,194
But I really like, in any of my bug
hunting, to have... I prefer false

290
00:14:19,235 --> 00:14:22,475
positives over false negatives.

291
00:14:22,475 --> 00:14:23,314
False negatives.

292
00:14:24,854 --> 00:14:24,964
Yeah.

293
00:14:24,964 --> 00:14:28,824
So I'd rather check something out and
it's nothing than the other way around.

294
00:14:29,054 --> 00:14:29,264
Yeah.

295
00:14:29,344 --> 00:14:29,655
Yeah, of course.

296
00:14:30,185 --> 00:14:30,464
Yeah.

297
00:14:30,574 --> 00:14:34,214
Is your version of the postMessage-tracker
public or is it private?

298
00:14:34,344 --> 00:14:35,454
Okay, that's a shame.

299
00:14:35,455 --> 00:14:37,514
Yes.

300
00:14:37,515 --> 00:14:39,745
Have you tried other tools
for postMessages, like

301
00:14:39,754 --> 00:14:41,284
DOM Invader has something?

302
00:14:41,344 --> 00:14:42,154
Yes,

303
00:14:42,214 --> 00:14:47,544
Yes, I have tried it and I
occasionally use DOM Invader for

304
00:14:47,564 --> 00:14:49,334
if you need to spoof an origin.

305
00:14:49,734 --> 00:14:49,854
Okay.

306
00:14:50,234 --> 00:14:54,105
Because it can do it just out
of... it works out of the box.

307
00:14:54,875 --> 00:14:55,074
Yeah.

308
00:14:56,900 --> 00:15:04,040
But I typically just use Chrome DevTools,
set breakpoints and, if I need to,

309
00:15:04,509 --> 00:15:07,319
change, edit data on the fly, yeah.

310
00:15:07,930 --> 00:15:11,760
So you just write the postMessage in
the JavaScript console or stuff like that?

311
00:15:12,140 --> 00:15:12,460
Yeah.

312
00:15:12,790 --> 00:15:13,040
Yeah.

313
00:15:13,330 --> 00:15:13,759
I see.

314
00:15:14,439 --> 00:15:17,800
What's, what other tools do you use
apart from the post message tracker?

315
00:15:19,370 --> 00:15:20,540
Burp, of course.

316
00:15:22,780 --> 00:15:24,510
I'm not that great with command line.

317
00:15:25,090 --> 00:15:32,170
I use ffuf occasionally, but I'm
like, my attention span is too short

318
00:15:32,650 --> 00:15:34,270
to keep waiting for the end result.

319
00:15:34,290 --> 00:15:37,159
So typically halfway through,
I'm like, ah, it's probably

320
00:15:37,160 --> 00:15:38,320
not going to find something.

321
00:15:40,209 --> 00:15:40,569
yeah.

322
00:15:40,570 --> 00:15:41,870
And I have some other browser tools.

323
00:15:41,900 --> 00:15:46,650
Like I guess people also know
me for JavaScript bookmark.

324
00:15:46,650 --> 00:15:49,000
Let's say I do a lot of browser stuff.

325
00:15:49,020 --> 00:15:51,950
Also building small tools to help myself.

326
00:15:52,575 --> 00:15:53,105
Within the browser.

327
00:15:53,135 --> 00:15:53,535
So yeah,

328
00:15:53,675 --> 00:15:56,375
so we just write some JavaScript
and put it as a bookmark to

329
00:15:56,515 --> 00:15:57,485
click it and do something.

330
00:15:58,175 --> 00:16:01,685
Yeah, I remember, I don't know
who mentioned this, that they

331
00:16:01,685 --> 00:16:02,795
learned this trick from you.

332
00:16:03,255 --> 00:16:04,175
Could be, yeah, I have,

333
00:16:04,745 --> 00:16:09,285
yeah, I have one that is fairly
known, that finds endpoints

334
00:16:09,295 --> 00:16:10,585
in JavaScript sources.

335
00:16:10,854 --> 00:16:11,044
Yeah.

336
00:16:11,045 --> 00:16:12,925
It tries to pull all the
yeah, that's, the one.

337
00:16:12,925 --> 00:16:15,315
I don't know who, mentioned
it, but I saw it, yeah.

338
00:16:15,474 --> 00:16:15,644
Yeah.

339
00:16:16,075 --> 00:16:20,720
I use this trick as well for I don't
remember the context now, but I had some

340
00:16:20,720 --> 00:16:23,500
mobile browser or maybe some other device.

341
00:16:23,890 --> 00:16:26,740
And I wanted for some reason to
execute JavaScript, but there

342
00:16:26,740 --> 00:16:28,310
is no JavaScript console there.

343
00:16:28,700 --> 00:16:33,190
And I remember I used the, I saw
this tip and I was like, Oh yeah, I

344
00:16:33,190 --> 00:16:34,709
can do the bookmark with JavaScript.

345
00:16:34,709 --> 00:16:38,650
And I don't remember what
was I doing, but it's nice.

346
00:16:38,735 --> 00:16:40,205
Yeah, I really like it.

347
00:16:40,285 --> 00:16:42,375
I like it because it's quick.

348
00:16:42,375 --> 00:16:43,905
I don't need an external tool.

349
00:16:43,905 --> 00:16:46,505
I don't need to move away from my focus.

350
00:16:46,535 --> 00:16:49,075
I can just click the
button and move along.

351
00:16:49,365 --> 00:16:49,565
Yeah.

352
00:16:49,565 --> 00:16:53,504
I generally, I think I
underestimate the bookmark button.

353
00:16:53,794 --> 00:16:55,775
Sometimes, for example,
I'm testing the overflow.

354
00:16:56,415 --> 00:17:01,954
And instead of going to Repeater or copying the
URL and pasting it again, I just do the bookmark

355
00:17:01,954 --> 00:17:03,535
and I just go through the flow instantly.

356
00:17:03,564 --> 00:17:05,814
It just feels so nice for some reason.

357
00:17:05,815 --> 00:17:07,264
And I only started doing it recently.

358
00:17:07,265 --> 00:17:09,855
I don't know why, but it's nice.

359
00:17:10,025 --> 00:17:12,704
So would you say you're a manual hacker?

360
00:17:12,875 --> 00:17:14,074
Yes, definitely.

361
00:17:14,105 --> 00:17:14,395
Yeah.

362
00:17:14,954 --> 00:17:18,855
So it's just Burp, browser
and some fuzzing occasionally.

363
00:17:18,925 --> 00:17:19,234
Yeah.

364
00:17:19,605 --> 00:17:19,984
Yeah.

365
00:17:20,295 --> 00:17:21,845
I think my main Burp

366
00:17:22,750 --> 00:17:24,909
tools are like Intruder and Repeater.

367
00:17:24,910 --> 00:17:25,477
Yeah.

368
00:17:25,477 --> 00:17:27,179
And that's it.

369
00:17:27,460 --> 00:17:27,649
Yeah.

370
00:17:27,649 --> 00:17:30,740
So I'm mainly a manual hacker, Yeah.

371
00:17:30,909 --> 00:17:32,070
Do you use any checklist?

372
00:17:34,470 --> 00:17:37,679
It's how do you call it in English?

373
00:17:37,929 --> 00:17:38,939
I try to do it.

374
00:17:38,989 --> 00:17:42,809
And then, after a while I forget
about the checklists and I'm

375
00:17:42,840 --> 00:17:45,139
back to gut feeling again.

376
00:17:45,199 --> 00:17:45,520
Yeah.

377
00:17:45,600 --> 00:17:45,949
So yeah,

378
00:17:45,960 --> 00:17:48,169
I didn't find myself so much
with what you're saying.

379
00:17:48,490 --> 00:17:49,679
I, have created a checklist.

380
00:17:50,290 --> 00:17:54,400
And sometimes I look at it,
but it's like the last thing if

381
00:17:54,400 --> 00:17:56,150
I've already run out of ideas.

382
00:17:56,750 --> 00:18:00,250
Let's look at that checklist and
make sure it's everything, but I

383
00:18:00,250 --> 00:18:01,750
really would like to do it more.

384
00:18:01,800 --> 00:18:07,199
I feel you will identify with it as well, that
I would like to fuzz more because I do

385
00:18:07,209 --> 00:18:12,239
very much manual hacking and I struggle to
fuzz things where I know the probability

386
00:18:12,239 --> 00:18:17,459
of it working is low, but if I do it
like often enough, the probability is

387
00:18:17,559 --> 00:18:22,250
probably will be higher, but I'm in
the sense of okay, I want to see the

388
00:18:22,250 --> 00:18:24,230
motivation for the payload I'm trying.

389
00:18:24,580 --> 00:18:26,699
And if it's like blind,
I'll just fuzz every input.

390
00:18:27,310 --> 00:18:28,240
I'm not doing it.

391
00:18:28,439 --> 00:18:29,230
And I think I should.

392
00:18:30,615 --> 00:18:30,875
Yeah.

393
00:18:30,885 --> 00:18:31,635
Would you say the same?

394
00:18:31,725 --> 00:18:32,245
Yeah.

395
00:18:33,215 --> 00:18:35,324
Yes. Okay.

396
00:18:35,324 --> 00:18:39,455
But I, like I just said, it's, it was
partly a joke and partly the truth.

397
00:18:39,475 --> 00:18:40,814
My attention span is not good.

398
00:18:41,534 --> 00:18:45,274
If I don't know if it's ever
going to work, I tend to

399
00:18:45,284 --> 00:18:47,484
really, quit ahead of time.

400
00:18:47,485 --> 00:18:48,954
Yeah.

401
00:18:48,954 --> 00:18:50,424
Yeah.

402
00:18:51,365 --> 00:18:55,155
But, it is a consideration, especially
since last year wasn't great.

403
00:18:55,600 --> 00:18:59,250
So I'm trying to move more
again towards the IDORs

404
00:18:59,250 --> 00:19:01,770
and the access control stuff.

405
00:19:02,920 --> 00:19:06,719
which is also stuff that you can find
in JavaScript sources, like endpoints,

406
00:19:06,719 --> 00:19:08,240
et cetera, that we just mentioned.

407
00:19:09,310 --> 00:19:09,670
yeah.

408
00:19:09,919 --> 00:19:10,899
Do you actually use some

409
00:19:10,899 --> 00:19:14,249
productivity tricks to help
with your short attention span?

410
00:19:17,820 --> 00:19:19,950
No. You just power through it.

411
00:19:20,050 --> 00:19:25,490
Except for putting on the
noise-cancelling headset with

412
00:19:25,490 --> 00:19:28,760
some focus music and trying. Do
you still work from a co-working space?

413
00:19:29,110 --> 00:19:29,480
No.

414
00:19:29,550 --> 00:19:30,149
From home?

415
00:19:30,150 --> 00:19:30,639
I don't.

416
00:19:30,970 --> 00:19:32,610
That's changed since the last podcast.

417
00:19:32,610 --> 00:19:33,349
Yeah.

418
00:19:33,350 --> 00:19:33,510
Yeah.

419
00:19:33,510 --> 00:19:35,169
So I had a co-working space.

420
00:19:36,389 --> 00:19:39,629
it was mainly also to get
out of the house, meet some

421
00:19:39,639 --> 00:19:40,649
people, et cetera, et cetera.

422
00:19:40,839 --> 00:19:41,019
Yeah.

423
00:19:41,370 --> 00:19:42,600
But in reality.

424
00:19:42,960 --> 00:19:48,340
There were, like all self employed
people on that floor, meaning that

425
00:19:48,340 --> 00:19:52,300
there was no one there all the time
because most of the people working

426
00:19:52,300 --> 00:19:55,320
there had it like a backup place.

427
00:19:55,659 --> 00:19:59,949
If they weren't at a customer, they would
go there for a few hours and then

428
00:19:59,959 --> 00:20:01,560
not be there for the rest of the week.

429
00:20:01,949 --> 00:20:08,120
So it wasn't really worth my
money, So I moved back home.

430
00:20:08,470 --> 00:20:08,700
Yeah.

431
00:20:08,860 --> 00:20:09,300
Okay.

432
00:20:10,280 --> 00:20:15,070
This is going to be a hard question
because I sense you're very

433
00:20:15,110 --> 00:20:16,800
much an intuition based hacker.

434
00:20:18,400 --> 00:20:21,560
and it's always hard to, ask
questions about it, but what

435
00:20:21,560 --> 00:20:24,040
are some things that you do?

436
00:20:24,230 --> 00:20:26,780
And maybe when working with
younger hackers or less

437
00:20:26,780 --> 00:20:28,180
experienced hackers, I want to say.

438
00:20:29,284 --> 00:20:32,284
they do not do the things that,
that you do, or things they

439
00:20:32,284 --> 00:20:33,274
struggle with that for you.

440
00:20:33,274 --> 00:20:34,185
Oh, that's easy.

441
00:20:37,284 --> 00:20:37,635
Cool.

442
00:20:37,715 --> 00:20:38,784
That's a really hard question.

443
00:20:38,784 --> 00:20:39,185
It is.

444
00:20:39,544 --> 00:20:39,724
It is.

445
00:20:40,214 --> 00:20:45,234
It is really hard to ask about the
intuition and I'm trying, hard.

446
00:20:46,604 --> 00:20:47,094
Yeah.

447
00:20:49,284 --> 00:20:55,304
I guess it sounds like such a
cliche, but follow something that

448
00:20:55,304 --> 00:20:56,495
you're really interested in.

449
00:20:56,604 --> 00:20:56,784
Yeah.

450
00:20:56,785 --> 00:20:57,615
I. Okay.

451
00:20:57,960 --> 00:21:03,200
I often am amazed by people that claim
on their social media that they have a

452
00:21:03,200 --> 00:21:07,440
certain methodology that they always go
step by step and doing this and that.

453
00:21:07,940 --> 00:21:09,320
Yeah, I don't have that.

454
00:21:09,740 --> 00:21:13,019
I think people ask about it,
but nobody who actually hacks

455
00:21:13,030 --> 00:21:15,060
has such a strict methodology.

456
00:21:15,149 --> 00:21:20,610
No, and I think some starting bug
bounty hunters get blindsided by the

457
00:21:20,610 --> 00:21:25,429
methodology rather than getting to know
the technology that they're hacking.

458
00:21:25,800 --> 00:21:30,980
I think that's maybe something that's,
that can be a takeaway, yeah, that's

459
00:21:30,990 --> 00:21:34,430
good to know the technology that
you're trying to hack rather than,

460
00:21:36,430 --> 00:21:38,469
following a methodology to hack.

461
00:21:38,470 --> 00:21:38,700
It's

462
00:21:40,750 --> 00:21:42,130
yeah, I must confess.

463
00:21:42,160 --> 00:21:44,270
I use ChatGPT all the time.

464
00:21:45,869 --> 00:21:50,130
and even when I worked in the office
and ChatGPT didn't exist, I was asking

465
00:21:50,160 --> 00:21:52,150
colleagues questions all the time.

466
00:21:52,680 --> 00:21:56,000
And now I have a colleague
that, that always answers my

467
00:21:56,000 --> 00:21:57,880
questions happily for me, but,

468
00:22:00,440 --> 00:22:05,600
often it's just about how does
this work, the happy flow, not

469
00:22:05,629 --> 00:22:07,019
even trying to hack anything.

470
00:22:07,019 --> 00:22:09,819
I'm just interested in how things work.

471
00:22:10,089 --> 00:22:15,179
And then, when you have a good feeling
about that, then you can start thinking

472
00:22:15,179 --> 00:22:19,025
about, okay, how can I abuse this? Yeah,

473
00:22:19,025 --> 00:22:19,545
that's true.

474
00:22:19,825 --> 00:22:24,165
And the word methodology is also something
I noticed from the, creator perspective,

475
00:22:24,555 --> 00:22:26,285
people ask about it all the time.

476
00:22:26,645 --> 00:22:32,235
And, sometimes my answer is like my,
each article or each video that I

477
00:22:32,255 --> 00:22:36,614
produce about how do I hack, it's just,
you can call it part of my methodology.

478
00:22:36,864 --> 00:22:40,774
So we can say I disclose part of my
methodology every week when doing some,

479
00:22:40,774 --> 00:22:44,754
part of content, but people ask about
it, like it was some kind of magic.

480
00:22:45,195 --> 00:22:46,655
Process or magic checklist.

481
00:22:46,655 --> 00:22:52,415
And I think they, they do expect it to
be something crazy, but the reality is

482
00:22:52,415 --> 00:22:56,615
what you say, the ability to use the
app properly, the ability to, be in a

483
00:22:56,615 --> 00:23:02,435
good place, do the happy flow, have the
account, have the like KYC, whatever.

484
00:23:03,160 --> 00:23:06,950
this is the part that actually
hardened the part that sort of gets,

485
00:23:06,960 --> 00:23:09,070
the bugs and not actually some, magic

486
00:23:09,490 --> 00:23:09,770
payloads.

487
00:23:10,460 --> 00:23:10,720
True.

488
00:23:11,140 --> 00:23:16,060
And I think the only thing that I might
do that a beginner doesn't do is I try,

489
00:23:16,430 --> 00:23:18,369
like with the JavaScript bookmarklets.

490
00:23:18,949 --> 00:23:22,990
If I notice, and I think
that's really typical for IT

491
00:23:23,689 --> 00:23:26,669
people in general, but if I notice
I'm doing the same thing over and

492
00:23:26,669 --> 00:23:30,399
over again manually, then I'll
start automating stuff like with a

493
00:23:30,399 --> 00:23:32,649
JavaScript bookmarklet or whatever.

494
00:23:33,239 --> 00:23:37,139
So I guess that's, that
helps in some cases to get to

495
00:23:37,139 --> 00:23:38,379
know your target, et cetera.

496
00:23:38,429 --> 00:23:38,959
But yeah.

497
00:23:40,280 --> 00:23:40,969
But sometimes

498
00:23:40,970 --> 00:23:43,770
we do use the, more advanced tricks.

499
00:23:44,915 --> 00:23:48,895
I saw your tool about, or maybe
not a tool, the, website, we've

500
00:23:48,895 --> 00:23:50,705
gathered all the CSP bypasses.

501
00:23:50,875 --> 00:23:51,625
I really like it.

502
00:23:51,805 --> 00:23:52,425
It's really good.

503
00:23:52,425 --> 00:23:52,485
Thank you.

504
00:23:54,485 --> 00:23:58,635
how often do you actually you also
sometimes do some challenges with a

505
00:23:58,635 --> 00:24:00,835
short XSS payload, something like that.

506
00:24:01,224 --> 00:24:05,325
How often would you say you actually
need those things like CSP bypasses,

507
00:24:05,325 --> 00:24:09,415
short payloads, weird charsets to,
to exploit an XSS in the real world?

508
00:24:10,425 --> 00:24:10,915
Very

509
00:24:10,915 --> 00:24:11,925
rarely, actually.

510
00:24:11,965 --> 00:24:12,165
Yeah.

511
00:24:12,205 --> 00:24:12,435
Yeah.

512
00:24:14,635 --> 00:24:19,115
The CSP bypass really came out
of frustration of not being able

513
00:24:19,504 --> 00:24:21,215
to find a bypass, basically.

514
00:24:21,835 --> 00:24:25,344
Because that's also the thing
with XSS, you often have to show

515
00:24:25,345 --> 00:24:30,544
impact and you often have to show,
have to find a bypass for a CSP.

516
00:24:31,750 --> 00:24:36,910
And I got frustrated that probably every
hacker that reports XSS to a specific

517
00:24:36,910 --> 00:24:42,800
program has to bypass the same CSP,
and probably uses the same endpoint

518
00:24:42,800 --> 00:24:46,519
or the same library that's hosted
somewhere in a, whitelisted domain.

519
00:24:46,920 --> 00:24:48,750
So I got a bit frustrated with that.

520
00:24:48,750 --> 00:24:53,480
And of course you have the Google CSP
evaluator that works great and it has

521
00:24:53,510 --> 00:24:55,510
some domain somewhere in the code.

522
00:24:56,110 --> 00:24:56,610
But it's,

523
00:24:56,629 --> 00:24:57,840
it just tells you the domain.

524
00:24:57,949 --> 00:24:58,040
That's

525
00:24:58,040 --> 00:24:58,260
hard.

526
00:25:00,500 --> 00:25:03,070
Yeah, I was like, that
would be a great idea.

527
00:25:03,590 --> 00:25:03,889
Yeah.

528
00:25:03,909 --> 00:25:04,419
To do it.

529
00:25:04,720 --> 00:25:06,060
How did you gather all of these?

530
00:25:08,120 --> 00:25:13,519
The first batch I was basically
like, I, checked the Google ones.

531
00:25:13,559 --> 00:25:17,870
Then, somebody quickly told
me to open source it so people

532
00:25:17,909 --> 00:25:19,559
could contribute actively.

533
00:25:19,620 --> 00:25:20,300
So I did that.

534
00:25:20,310 --> 00:25:23,060
So a lot of new ones came from that.

535
00:25:24,760 --> 00:25:27,160
And also a lot came from just,

536
00:25:27,324 --> 00:25:36,325
just GitHub regex searches, just
search for plausible JSONP endpoints.

537
00:25:36,365 --> 00:25:37,065
Oh, I see.

538
00:25:37,585 --> 00:25:40,135
Searched for Angular stuff.

539
00:25:40,385 --> 00:25:40,855
So yeah.

540
00:25:41,674 --> 00:25:44,674
How many sort of bypasses
are there now in the tool?

541
00:25:44,674 --> 00:25:45,094
Do you know?

542
00:25:46,544 --> 00:25:47,144
Don't know.

543
00:25:47,594 --> 00:25:52,565
No, I'm not a hundred percent sure,
but I think over a hundred at least.

544
00:25:52,735 --> 00:25:53,735
That's that is great.

545
00:25:55,255 --> 00:25:57,375
Yeah, there are many more, but I try to,

546
00:25:59,405 --> 00:26:02,015
keep the list to ones
that are actually useful.

547
00:26:02,015 --> 00:26:09,024
I guess one guy was really actively
contributing and he contributed some,

548
00:26:09,024 --> 00:26:15,259
great stuff, but he also once got a
list of a few thousand, all, there were

549
00:26:15,259 --> 00:26:20,420
all blogs, all WordPress blogs that
had like a JSONP endpoint or something.

550
00:26:21,799 --> 00:26:27,909
Technically, yeah, technically they could
be used for a CSP bypass, but it was

551
00:26:27,919 --> 00:26:30,399
very unlikely that anyone would have it.

552
00:26:30,495 --> 00:26:31,945
In the, their CSP headers.

553
00:26:31,965 --> 00:26:36,175
So especially as I think every web,
every WordPress website has the JSONP.

554
00:26:36,185 --> 00:26:36,925
Yeah, exactly.

555
00:26:36,925 --> 00:26:40,634
So I typically, if I get a new
one, I try to just do like a

556
00:26:40,634 --> 00:26:42,024
GitHub search for the domain name.

557
00:26:42,025 --> 00:26:46,335
And if it's more than a thousand times
in there in different repositories, then

558
00:26:46,524 --> 00:26:48,074
it's probably something that's yeah.

559
00:26:48,284 --> 00:26:48,674
Yeah.

560
00:26:48,985 --> 00:26:49,345
Cool.

561
00:26:49,645 --> 00:26:50,515
How about some.

562
00:26:52,385 --> 00:26:57,925
xxxxx xx cross-site scripting
techniques like DOM clobbering. Have

563
00:26:57,925 --> 00:26:59,674
you ever exploited this in the wild?

564
00:26:59,675 --> 00:27:03,595
No, no. Interesting. Not

565
00:27:03,715 --> 00:27:06,074
intelligent enough to, to

566
00:27:06,075 --> 00:27:09,955
do that. But I was speaking with Johan
Carlsson in the last podcast and

567
00:27:10,135 --> 00:27:12,475
he was like, oh, this is actually more
useful than you think and I'm like,

568
00:27:13,355 --> 00:27:15,335
sure, 'cause I think it's not useful.

569
00:27:15,845 --> 00:27:20,645
Johan is in a league of his own. Yeah,
he is crazy. No, I think the most

570
00:27:22,630 --> 00:27:27,950
advanced XSS I did was like prototype
pollutions, but also mainly from

571
00:27:28,240 --> 00:27:30,550
the public repository of Blackfan.

572
00:27:30,570 --> 00:27:37,810
He has a few gadgets and, yeah, so
that's still fairly easy and fairly.

573
00:27:38,299 --> 00:27:38,479
Do you

574
00:27:38,479 --> 00:27:40,520
always look for these
for the prototype pollution?

575
00:27:40,820 --> 00:27:41,210
No.

576
00:27:41,210 --> 00:27:42,239
What

577
00:27:42,720 --> 00:27:44,230
happened that time that
you looked for them?

578
00:27:46,120 --> 00:27:49,770
It was one of my failed
attempts at automation.

579
00:27:51,910 --> 00:27:56,940
I had some automation running for
a while, but, like a true amateur,

580
00:27:56,940 --> 00:27:58,360
I did it on my home computer.

581
00:27:58,420 --> 00:28:00,049
Just leave it overnight, et cetera.

582
00:28:00,250 --> 00:28:05,470
It worked quite well and got some leads
and I even got some nice bounties from it.

583
00:28:05,510 --> 00:28:06,290
But, yeah.

584
00:28:06,870 --> 00:28:10,660
Again, the attention span, once it
breaks and I have to fix it like

585
00:28:10,660 --> 00:28:14,510
five times, I get, bored of it.

586
00:28:14,700 --> 00:28:15,130
Oh, so your

587
00:28:15,140 --> 00:28:16,949
automation found the prototype pollution?

588
00:28:16,950 --> 00:28:17,250
Yeah,

589
00:28:17,250 --> 00:28:17,470
I found

590
00:28:17,470 --> 00:28:18,029
some stuff.

591
00:28:18,029 --> 00:28:18,520
Okay, that's

592
00:28:18,520 --> 00:28:18,740
good.

593
00:28:18,790 --> 00:28:18,810
Yeah.

594
00:28:19,240 --> 00:28:20,680
And now you don't look for it manually.

595
00:28:20,680 --> 00:28:21,980
No, not enough.

596
00:28:22,039 --> 00:28:22,679
Not enough.

597
00:28:22,720 --> 00:28:26,280
I have a JavaScript bookmarklet for
it, but I don't click on it as much.

598
00:28:26,280 --> 00:28:26,989
Okay.

599
00:28:26,990 --> 00:28:27,210
I should.

600
00:28:28,280 --> 00:28:29,300
Is it for?

601
00:28:30,205 --> 00:28:31,934
putting things in the URL bar.

602
00:28:32,134 --> 00:28:32,884
Yeah, basically.

603
00:28:32,885 --> 00:28:33,824
So basically,

604
00:28:35,915 --> 00:28:40,565
it just puts all of them in the URL bar
and then checks in the console if it

605
00:28:40,595 --> 00:28:44,075
can find a polluted object, basically.

606
00:28:44,225 --> 00:28:44,754
Okay.

607
00:28:45,145 --> 00:28:47,774
And then, yeah, then you still
have to find the gadget to

608
00:28:47,774 --> 00:28:50,074
make XSS out of it, but, yeah.

609
00:28:50,554 --> 00:28:51,225
How do you do it?

610
00:28:51,754 --> 00:28:54,874
If you have seen the prototype pollution
and you need the gadget, what's

611
00:28:54,884 --> 00:28:55,995
the first thing you look at?

612
00:28:57,615 --> 00:29:02,345
I think the same repository I just
mentioned has like a short script to

613
00:29:02,365 --> 00:29:07,385
to check for these gadgets, like
just by looking at the important

614
00:29:08,665 --> 00:29:13,345
JavaScript files and determine if that,
if it's at jQuery and stuff like that.

615
00:29:14,225 --> 00:29:19,295
and again, I made a JavaScript bookmarklet
out of it to just show me an alert,

616
00:29:19,295 --> 00:29:21,415
like these, you can try these a few.

617
00:29:22,055 --> 00:29:22,205
So,

618
00:29:22,205 --> 00:29:25,895
you took the, created the
JavaScript bookmarklets from it?

619
00:29:25,955 --> 00:29:26,165
Yeah.

620
00:29:26,315 --> 00:29:26,675
Oh, nice.

621
00:29:26,675 --> 00:29:28,385
How many of these bookmarklets do you have?

622
00:29:28,445 --> 00:29:29,200
Too many too.

623
00:29:29,225 --> 00:29:30,786
You have a full yeah.

624
00:29:30,905 --> 00:29:31,415
Bar.

625
00:29:31,415 --> 00:29:31,655
Yeah.

626
00:29:31,655 --> 00:29:32,615
My, my home

627
00:29:32,615 --> 00:29:35,600
bar is like full wedding and
then, yeah, two more I guess.

628
00:29:35,600 --> 00:29:35,915
That's nice.

629
00:29:35,945 --> 00:29:36,035
I

630
00:29:36,035 --> 00:29:37,025
don't have a single one.

631
00:29:37,805 --> 00:29:38,015
I,

632
00:29:38,015 --> 00:29:38,675
think I should.

633
00:29:40,005 --> 00:29:40,125
Yeah.

634
00:29:40,125 --> 00:29:41,205
It's really nice again.

635
00:29:41,205 --> 00:29:41,505
Yeah.

636
00:29:42,000 --> 00:29:47,890
I use it for all kinds of stuff, like I have
one for making a quick word list of all

637
00:29:47,890 --> 00:29:49,690
the words that are on the present page.

638
00:29:50,330 --> 00:29:54,520
So once I had like a Swagger doc file
and I wanted to use that as a word

639
00:29:54,520 --> 00:29:59,040
list for fuzzing further, I just can,
I can now just click the button and I

640
00:29:59,040 --> 00:30:00,780
get all the words in the Swagger doc.

641
00:30:01,110 --> 00:30:01,580
Wow.

642
00:30:02,120 --> 00:30:02,660
So yeah.

643
00:30:02,760 --> 00:30:03,510
So useful.

644
00:30:03,630 --> 00:30:03,800
Yeah.

645
00:30:04,930 --> 00:30:08,480
What are the, other ones that
you think are, what are the,

646
00:30:08,990 --> 00:30:10,510
what is the one you use the most?

647
00:30:11,860 --> 00:30:13,000
the endpoint one.

648
00:30:13,010 --> 00:30:14,510
Yeah, I think so.

649
00:30:14,510 --> 00:30:14,830
Yeah.

650
00:30:15,315 --> 00:30:20,265
And it's also a public one because the
rest one I assume is your private one and

651
00:30:20,275 --> 00:30:22,960
that one is, yeah, I think I will share too,

652
00:30:22,960 --> 00:30:24,645
the word list one.

653
00:30:29,015 --> 00:30:33,605
But yeah, that's it, because it makes the
workflow very quick, because you don't

654
00:30:33,615 --> 00:30:35,415
have to copy something from the browser.

655
00:30:35,535 --> 00:30:36,115
No, exactly.

656
00:30:36,125 --> 00:30:40,265
Even if you're proficient with Bash
or whatever tool you use, if you

657
00:30:40,265 --> 00:30:42,875
can, do something with one click,

658
00:30:43,165 --> 00:30:46,735
it's just. No, and that's what I really
like, because every time I share

659
00:30:46,735 --> 00:30:51,655
one of these, bookmarklets, people
comment, oh, you have a command line

660
00:30:51,695 --> 00:30:56,110
tool that does exactly this, and I
know, and it works, and that's, this is

661
00:30:56,110 --> 00:30:58,140
so much quicker and easier for me at

662
00:30:58,140 --> 00:30:58,510
least.

663
00:30:58,570 --> 00:30:58,830
Yeah.

664
00:30:58,950 --> 00:31:03,550
And that's going to be my resolution
for 2025 to, to move my workload

665
00:31:03,770 --> 00:31:04,790
in this direction a little bit.

666
00:31:04,850 --> 00:31:05,090
Yeah.

667
00:31:06,010 --> 00:31:09,600
Have you tried some of the, sort of
client-side hacking techniques that

668
00:31:09,620 --> 00:31:14,930
were new, at least for me, in 2024, like
we had the cross-window hijacking.

669
00:31:15,360 --> 00:31:17,630
We had the DoubleClickjacking, which,

670
00:31:17,765 --> 00:31:22,015
I, two days ago, I think, PortSwigger
published the top 10 list and the Double

671
00:31:22,015 --> 00:31:23,725
Clickjacking was, I think, number six.

672
00:31:24,115 --> 00:31:25,225
Have you tried this?

673
00:31:25,505 --> 00:31:25,845
Not

674
00:31:25,865 --> 00:31:26,245
really.

675
00:31:26,245 --> 00:31:26,815
Actually.

676
00:31:26,925 --> 00:31:28,685
I must confess.

677
00:31:28,685 --> 00:31:30,315
I don't know both.

678
00:31:30,505 --> 00:31:31,485
I don't know either of them.

679
00:31:32,975 --> 00:31:35,600
I have some reading up to do. They

680
00:31:35,600 --> 00:31:36,915
are interesting.

681
00:31:36,925 --> 00:31:37,505
They are.

682
00:31:38,510 --> 00:31:41,250
Yeah, it's something new that
there is impact of very

683
00:31:41,250 --> 00:31:42,730
creative techniques for sure.

684
00:31:44,670 --> 00:31:49,770
I'm yet to know how well companies
respond to, to cross-window hijacking.

685
00:31:49,770 --> 00:31:53,640
I already know that companies
do accept that sometimes and

686
00:31:53,640 --> 00:31:54,670
they can pay really well.

687
00:31:54,680 --> 00:31:55,620
The DoubleClickjacking.

688
00:31:55,650 --> 00:32:00,250
I don't think we've seen a public
report that was rewarded, but we'll see.

689
00:32:00,550 --> 00:32:01,360
I'll look into it.

690
00:32:01,450 --> 00:32:01,720
Yeah.

691
00:32:04,360 --> 00:32:07,660
I also saw you, you hacking
a little bit on MetaMask

692
00:32:08,250 --> 00:32:10,020
on the browser extension.

693
00:32:10,810 --> 00:32:14,110
Do you spend a lot of time in
general on browser extensions?

694
00:32:14,120 --> 00:32:19,340
No, I would like to though, also
because they also use their own kind

695
00:32:19,340 --> 00:32:21,190
of post messages to communicate.

696
00:32:21,380 --> 00:32:22,730
Yeah, it is crazy what happens there.

697
00:32:23,755 --> 00:32:28,814
And also because I'm
into the crypto thingies.

698
00:32:28,815 --> 00:32:32,825
Of course they all have their own
wallet in their own extension.

699
00:32:32,825 --> 00:32:35,705
So that's how I got into it basically.

700
00:32:35,715 --> 00:32:40,375
It's not that I specifically look
for browser extensions to hack.

701
00:32:40,485 --> 00:32:42,875
It's more of like a side quest.

702
00:32:44,175 --> 00:32:44,415
Yeah,

703
00:32:45,905 --> 00:32:46,655
yeah, yeah.

704
00:32:46,655 --> 00:32:47,805
I think they are very interesting.

705
00:32:47,805 --> 00:32:50,465
And the impact of the
browser extensions is so big.

706
00:32:50,715 --> 00:32:55,374
Because a lot of them just ask you for
all the permissions on all the websites.

707
00:32:55,375 --> 00:32:56,835
So if you can get something there.

708
00:32:57,410 --> 00:32:58,690
It is really, serious.

709
00:32:59,040 --> 00:32:59,120
I

710
00:32:59,120 --> 00:32:59,680
still have a lot of

711
00:32:59,680 --> 00:33:00,150
learning to

712
00:33:00,150 --> 00:33:01,270
do in that area,

713
00:33:01,720 --> 00:33:05,010
Yeah, you probably listened to
the Critical Thinking episodes

714
00:33:05,010 --> 00:33:06,570
with Matan about the extensions.

715
00:33:07,670 --> 00:33:09,110
It is crazy what happens

716
00:33:09,120 --> 00:33:09,360
there.

717
00:33:09,360 --> 00:33:13,550
I wasn't even aware that you have
so many different contexts, this

718
00:33:13,550 --> 00:33:18,445
post messaging from the page to one
thing and then another post message.

719
00:33:18,765 --> 00:33:23,555
It is crazy, but especially for you
looking for a lot of XSS, it should

720
00:33:23,565 --> 00:33:31,035
be the, a very good area because the
impact is so high with these things.

721
00:33:31,035 --> 00:33:31,215
Yeah,

722
00:33:31,295 --> 00:33:31,765
definitely.

723
00:33:31,845 --> 00:33:32,265
Similarly,

724
00:33:32,515 --> 00:33:36,925
like, Web3, where XSS all
of a sudden is so, severe.

725
00:33:37,665 --> 00:33:41,775
Yeah, so that's why, that's also why
I'm moving, sometimes moving towards

726
00:33:41,835 --> 00:33:51,685
Web3 stuff. Typically, an XSS in a,
a stored XSS in a Web3 program is

727
00:33:51,685 --> 00:33:57,975
like a critical, plus the bounties in
Web3 programs are typically, higher.

728
00:33:57,995 --> 00:34:03,395
So yeah, from an XSS point of view,
it's a, good decision to, yeah, to

729
00:34:03,415 --> 00:34:05,345
do and do stuff in the crypto scene.

730
00:34:05,845 --> 00:34:10,074
Your 50k bounty, was it on one
of these sort of Web3 websites?

731
00:34:10,075 --> 00:34:10,395
Yes.

732
00:34:10,415 --> 00:34:11,994
Can you tell us what it was or is it not?

733
00:34:11,995 --> 00:34:12,811
It's undisclosed.

734
00:34:12,811 --> 00:34:18,523
I think, people know what program
it was, but I won't mention it.

735
00:34:18,523 --> 00:34:23,865
But it was a, since you have
multiple, it was an NFT marketplace.

736
00:34:23,895 --> 00:34:24,205
Yeah.

737
00:34:25,905 --> 00:34:35,225
And I had a stored XSS there that's, that
I got there because I re, I, deployed a

738
00:34:35,225 --> 00:34:37,355
smart contract, an NFT smart contract.

739
00:34:37,685 --> 00:34:42,905
And what, these marketplaces typically
do, they'll just monitor the blockchain.

740
00:34:43,655 --> 00:34:46,865
And every smart contract that fits the,

741
00:34:49,715 --> 00:34:53,555
the, format of an NFT, they'll
just import and show in there,

742
00:34:54,345 --> 00:34:59,425
in their marketplace basically, so I just,
yeah, I actually, found a few of those

743
00:34:59,425 --> 00:35:06,435
bugs on different marketplaces, and all
have their own kind of problems, because

744
00:35:06,435 --> 00:35:12,485
one, for the one it's in a title, for
another one, it's like in a metadata URL.

745
00:35:12,665 --> 00:35:12,925
Yeah.

746
00:35:12,935 --> 00:35:17,825
So there are some different flavors, in
that, but the basics are all the same.

747
00:35:17,835 --> 00:35:23,220
Like I deploy a smart contract and they
fail to sanitize it or to encode it.

748
00:35:23,380 --> 00:35:23,770
Yeah.

749
00:35:24,060 --> 00:35:26,110
So pretty, straightforward, right?

750
00:35:26,110 --> 00:35:26,880
Yeah, basically.

751
00:35:26,940 --> 00:35:32,080
But I guess for a lot of people,
it's a really big hurdle to do like a

752
00:35:32,090 --> 00:35:34,030
smart contract deployment, et cetera.

753
00:35:34,090 --> 00:35:34,300
Yeah.

754
00:35:34,890 --> 00:35:38,210
Half of the audience now
wouldn't have an idea.

755
00:35:38,290 --> 00:35:39,770
Like, how do you send a smart contract?

756
00:35:40,050 --> 00:35:40,490
Exactly.

757
00:35:40,710 --> 00:35:41,299
So, I

758
00:35:41,300 --> 00:35:47,605
did do some deep dive there, but
basically, deep dive is relative because

759
00:35:47,605 --> 00:35:53,074
it's like a smart contract deployment 101.

760
00:35:53,115 --> 00:35:57,685
Everyone can do this who is
a blockchain developer. Yeah.

761
00:35:58,565 --> 00:36:01,635
and it's way easier
than most people think.

762
00:36:01,715 --> 00:36:05,765
So you need to have a crypto wallet
and for the rest, it's like a few

763
00:36:06,285 --> 00:36:09,495
clicks and you deploy a smart contract.

764
00:36:12,090 --> 00:36:12,840
Congrats on that.

765
00:36:12,840 --> 00:36:13,529
It

766
00:36:13,530 --> 00:36:14,500
is a big impact.

767
00:36:15,680 --> 00:36:21,250
Did you also look for some Web3,
sort of server-side stuff in

768
00:36:21,250 --> 00:36:22,800
the smart contracts themselves?

769
00:36:23,350 --> 00:36:24,750
Yes, I

770
00:36:24,760 --> 00:36:25,270
have.

771
00:36:26,080 --> 00:36:33,370
But I like, what I dislike about really
like smart contract vulnerability

772
00:36:33,675 --> 00:36:37,005
hunting is that it's mostly code review.

773
00:36:37,185 --> 00:36:40,175
It is, which sounds to me like a heaven.

774
00:36:40,515 --> 00:36:45,345
Yeah, but I like, I also do a lot of
code review and I found a lot of stuff

775
00:36:45,345 --> 00:36:50,725
on like open source projects, etc. But
what I really like is like the, how would

776
00:36:50,725 --> 00:36:55,025
you call it, is the gray-box approach
that you can, on the one hand, click an

777
00:36:55,025 --> 00:36:59,405
application, intercept stuff, et cetera,
and then use the code to determine,

778
00:37:00,175 --> 00:37:02,535
what code paths to take, et cetera.

779
00:37:02,715 --> 00:37:03,055
Yeah.

780
00:37:03,125 --> 00:37:06,915
While with smart contracts,
it's only code. Really?

781
00:37:06,955 --> 00:37:11,145
Can you, is it not possible to attach
a debugger if you have? Yeah, but

782
00:37:11,145 --> 00:37:15,595
then you can only trigger stuff by
writing your own code, interacting

783
00:37:15,595 --> 00:37:16,965
with a smart contract, basically.

784
00:37:16,965 --> 00:37:17,015
Yeah, I see.

785
00:37:17,015 --> 00:37:22,325
It's not really, you won't have a UI
to press buttons or whatever, and it's

786
00:37:22,335 --> 00:37:28,265
not that I need it, but I noticed that
it's, yeah, not really my cup of tea,

787
00:37:29,205 --> 00:37:34,185
But have you, learned it or are you
at the level where you just thought

788
00:37:34,205 --> 00:37:36,230
about it and decided it's not for you?

789
00:37:36,230 --> 00:37:39,675
I've learned some stuff, but I've
never successfully found anything, no.

790
00:37:40,015 --> 00:37:40,285
Okay.

791
00:37:40,525 --> 00:37:41,875
I'm in the same boat.

792
00:37:42,625 --> 00:37:46,375
I had a period maybe two or three years
ago when I was learning a little bit.

793
00:37:46,795 --> 00:37:51,475
I, I, at least then I knew about some bug
classes in smart contracts, but I never

794
00:37:51,775 --> 00:37:54,025
spent a minute hunting for them in the, in

795
00:37:54,025 --> 00:37:54,565
the reward.

796
00:37:54,565 --> 00:37:59,645
No, and it's hard because in, in
some sense, they are so completely

797
00:37:59,645 --> 00:38:01,295
different from the bug types

798
00:38:01,295 --> 00:38:02,110
you are used to, like,

799
00:38:02,740 --> 00:38:08,880
if, I don't know, if you, like, lose a
few cents somewhere in a smart contract,

800
00:38:08,880 --> 00:38:13,690
then it's considered a high or a critical,
and in the real world you would be like, meh.

801
00:38:13,820 --> 00:38:14,360
Oh, okay.

802
00:38:14,360 --> 00:38:16,670
Maybe they'll accept it
as a low or something.

803
00:38:16,670 --> 00:38:18,219
Yeah.

804
00:38:18,880 --> 00:38:21,440
How about, let's go back to, to Web2.

805
00:38:22,070 --> 00:38:24,950
You said IDORs and access
control bugs are still at

806
00:38:24,960 --> 00:38:26,250
the sort of top of your list.

807
00:38:26,290 --> 00:38:26,390
Yeah.

808
00:38:27,310 --> 00:38:27,770
And.

809
00:38:28,545 --> 00:38:29,505
For me, it is crazy.

810
00:38:29,525 --> 00:38:34,525
How does it happen that these bugs often
when they are found, they look like really

811
00:38:34,525 --> 00:38:39,955
simple bugs, but still people like you,
people at the, top find them all the time.

812
00:38:40,545 --> 00:38:41,655
So how does it happen?

813
00:38:41,865 --> 00:38:43,995
How do you all still find all of these

814
00:38:44,005 --> 00:38:44,415
bugs?

815
00:38:45,745 --> 00:38:52,610
I don't know. In my case, again, it
really boils down to the manual hacking.

816
00:38:53,630 --> 00:38:59,450
So I'm not looking for fuzzing, lots
of endpoints, but typically, especially

817
00:38:59,450 --> 00:39:04,800
nowadays with these huge JavaScript
client-side frameworks where like

818
00:39:05,120 --> 00:39:06,820
basically all the endpoints are in there.

819
00:39:06,830 --> 00:39:10,020
Also the admin endpoints are in
there because the admin probably

820
00:39:10,020 --> 00:39:11,760
uses the same UI as you do.

821
00:39:12,215 --> 00:39:16,175
But it has a lot of different accounts,
but all the stuff is typically in there.

822
00:39:17,465 --> 00:39:19,425
That's how I find that stuff.

823
00:39:21,635 --> 00:39:27,505
And, where, actually where I did start to
do some fuzzing is, recently, it's like a

824
00:39:27,565 --> 00:39:33,835
GraphQL, endpoints, especially the ones
that don't have introspection, but will

825
00:39:34,035 --> 00:39:40,530
say "did you mean", if you put something
in there, they will give you a response

826
00:39:40,550 --> 00:39:42,630
with a suggestion that is correct.

827
00:39:42,840 --> 00:39:43,670
Did you mean this?

828
00:39:44,130 --> 00:39:45,320
Yes, I did mean this.

829
00:39:45,320 --> 00:39:48,490
And then you can start enumerating
all the stuff by yourself.

830
00:39:48,500 --> 00:39:50,390
So I did find some stuff like that.

831
00:39:50,420 --> 00:39:55,864
I also think you have some tools for
it, but, I made my own scripts for it.

832
00:39:56,785 --> 00:39:58,305
But yeah, is it a JavaScript bookmarklet?

833
00:39:58,385 --> 00:39:58,695
No,

834
00:40:00,765 --> 00:40:04,375
Yeah, I was about to ask you if you
use the tool for this, but no, I did.

835
00:40:05,215 --> 00:40:07,965
Did you try Clairvoyance?

836
00:40:07,965 --> 00:40:08,550
Yeah, that's it.

837
00:40:08,550 --> 00:40:08,744
Yeah.

838
00:40:08,745 --> 00:40:09,635
It didn't work for me.

839
00:40:09,635 --> 00:40:12,675
So for some reason, so
yeah, I built my own.

840
00:40:13,675 --> 00:40:14,225
Okay.

841
00:40:14,775 --> 00:40:18,425
So what's your workflow
with, with GraphQL?

842
00:40:18,425 --> 00:40:22,055
You see the GraphQL endpoint, you see
there's no introspection, you run the

843
00:40:22,055 --> 00:40:24,355
tool and then you manually go from there?

844
00:40:24,495 --> 00:40:25,055
Yes.

845
00:40:25,335 --> 00:40:25,585
Yeah.

846
00:40:25,585 --> 00:40:29,565
And then I'll just, so
I'll try to have a tool to

847
00:40:31,370 --> 00:40:36,753
resemble like the typical GraphQL
introspection schema that you

848
00:40:36,753 --> 00:40:37,065
will

849
00:40:37,065 --> 00:40:37,376
get.

850
00:40:37,376 --> 00:40:37,688
Yeah.

851
00:40:37,688 --> 00:40:41,380
It's not complete, but it does
highlight, some keywords that

852
00:40:41,380 --> 00:40:42,500
are potentially interesting.

853
00:40:42,500 --> 00:40:47,560
So I'll try to manually reconstruct a
query that, that uses those keywords.

854
00:40:47,580 --> 00:40:47,950
Okay.

855
00:40:48,480 --> 00:40:49,270
And go from there.

856
00:40:50,090 --> 00:40:52,080
Do you just send it from Burp Repeater?

857
00:40:52,110 --> 00:40:52,470
Yes.

858
00:40:52,490 --> 00:40:52,880
Okay.

859
00:40:52,920 --> 00:40:56,230
And do you switch, cause there are
two or three GraphQL extensions?

860
00:40:56,670 --> 00:40:57,510
Which one do you use?

861
00:40:57,855 --> 00:40:58,335
Remember, don't

862
00:40:58,335 --> 00:40:58,376
use them.

863
00:40:58,380 --> 00:40:59,010
You don't use them?

864
00:40:59,010 --> 00:40:59,340
No.

865
00:40:59,790 --> 00:41:03,170
I think Burp has their own GraphQL tab.

866
00:41:03,910 --> 00:41:04,240
Okay.

867
00:41:04,240 --> 00:41:04,780
Nowadays.

868
00:41:04,810 --> 00:41:05,290
Okay.

869
00:41:05,710 --> 00:41:05,980
So I

870
00:41:05,980 --> 00:41:07,030
use that . Okay.

871
00:41:07,035 --> 00:41:07,315
Yeah.

872
00:41:07,390 --> 00:41:08,200
Yeah, maybe.

873
00:41:09,550 --> 00:41:09,970
Yeah.

874
00:41:10,540 --> 00:41:14,410
I don't, I know there's InQL,
there's GraphQL Explorer, a few

875
00:41:14,410 --> 00:41:18,620
of them, but maybe they actually
I'm using the, just GraphQL tab.

876
00:41:18,620 --> 00:41:18,920
Whatever.

877
00:41:19,100 --> 00:41:19,250
Yeah.

878
00:41:19,250 --> 00:41:19,910
If it's just

879
00:41:19,910 --> 00:41:22,310
in the Repeater tab, I
think it's like Burp's own.

880
00:41:22,405 --> 00:41:22,515
okay.

881
00:41:23,735 --> 00:41:24,055
Okay.

882
00:41:24,055 --> 00:41:24,445
Nice.

883
00:41:25,195 --> 00:41:29,005
About the, and about the endpoints,
cause the problem that I always

884
00:41:29,005 --> 00:41:32,855
encounter when I find endpoints,
I will send them to Intruder.

885
00:41:33,305 --> 00:41:35,815
And then, if there's sometimes
it's easy cause you have

886
00:41:36,135 --> 00:41:37,945
variables error, or we need the.

887
00:41:38,490 --> 00:41:42,490
User parameter in this endpoint, but
sometimes you just get the generic,

888
00:41:42,780 --> 00:41:49,650
502, 500, 400, and how do you,
first of all, how do you prioritize?

889
00:41:49,690 --> 00:41:53,539
Because I imagine you will often have,
I don't know, 100, 200 endpoints.

890
00:41:53,720 --> 00:41:56,830
How do you prioritize which
endpoints to, to focus on and then

891
00:41:56,830 --> 00:41:58,080
how do you construct the request?

892
00:42:00,055 --> 00:42:05,025
focus is really based on just what
seems juicy, like I'll just scroll

893
00:42:05,025 --> 00:42:09,275
to the list and if it's like a reset
password or whatever, something

894
00:42:09,275 --> 00:42:12,705
admin-y, then I'll prioritize those.

895
00:42:15,515 --> 00:42:19,645
and I either do what you just
said, I hope that it will return

896
00:42:19,645 --> 00:42:22,135
something like you missed this
parameter, et cetera, et cetera.

897
00:42:22,355 --> 00:42:23,505
That's the easy approach,

898
00:42:24,395 --> 00:42:24,715
Yeah.

899
00:42:25,095 --> 00:42:29,810
Another thing that I. Often do is like
with these client side applications,

900
00:42:30,250 --> 00:42:35,290
you can often trick it like just the
front end into thinking you are an admin

901
00:42:35,600 --> 00:42:40,230
while you're not an admin on the back
end, but it will show you the UI, for

902
00:42:40,230 --> 00:42:46,560
example, some sometimes it's as easy
as, changing some JavaScript in the

903
00:42:46,560 --> 00:42:51,465
response that says, Is admin false, and
then you move it to true and suddenly

904
00:42:51,465 --> 00:42:53,355
you get a UI for an admin.

905
00:42:53,445 --> 00:42:53,775
Yeah.

906
00:42:54,105 --> 00:42:54,825
But what's

907
00:42:54,825 --> 00:42:56,565
really, so sorry to interrupt.

908
00:42:56,565 --> 00:42:59,925
Would you make this change
in match and replace rules?

909
00:42:59,925 --> 00:43:00,015
Yes.

910
00:43:00,285 --> 00:43:00,585
Okay.

911
00:43:00,585 --> 00:43:01,275
Typically, yeah.

912
00:43:01,425 --> 00:43:02,025
Typically, yeah.

913
00:43:04,025 --> 00:43:07,475
and other, yeah, other types that
you'll see sometimes if you use an

914
00:43:07,475 --> 00:43:11,585
endpoint and it will give you a
401, then the JavaScript has some

915
00:43:11,585 --> 00:43:14,795
parts that it will redirect you to the
logout page or something like that.

916
00:43:14,855 --> 00:43:15,095
Yeah.

917
00:43:16,165 --> 00:43:18,895
then I'll just remove
it completely and, Yeah.

918
00:43:18,895 --> 00:43:19,535
I'll load it like that.

919
00:43:19,535 --> 00:43:20,475
The part of the JavaScript.

920
00:43:20,475 --> 00:43:20,685
Yeah.

921
00:43:20,685 --> 00:43:22,225
The part of the redirection.

922
00:43:22,225 --> 00:43:22,391
Yeah.

923
00:43:22,391 --> 00:43:24,325
So you don't get to the
logout screen anymore.

924
00:43:24,625 --> 00:43:24,795
Yeah.

925
00:43:25,045 --> 00:43:25,615
that's cool.

926
00:43:26,055 --> 00:43:30,255
and what that really allows you to do is
just click stuff that an admin would click

927
00:43:30,665 --> 00:43:34,935
and then you don't need to unminify or don't
need to reconstruct the whole JavaScript,

928
00:43:35,195 --> 00:43:39,935
et cetera, but it will just send a request
through your Repeater or through your Burp.

929
00:43:40,235 --> 00:43:44,225
And then you don't have to think
about basically reconstructing the

930
00:43:44,265 --> 00:43:46,135
endpoints and the parameters, etc.

931
00:43:46,135 --> 00:43:52,485
Do you also, because I know Justin was
saying about turning on some feature flags

932
00:43:52,755 --> 00:43:56,095
and having success with this, which is
like what you said about the admin panel,

933
00:43:56,095 --> 00:43:57,985
but in a little bit different context.

934
00:43:58,105 --> 00:43:58,325
Yeah.

935
00:43:58,365 --> 00:43:59,825
Have you also had success
with this approach?

936
00:43:59,865 --> 00:44:00,005
Yes.

937
00:44:00,760 --> 00:44:06,640
Actually, yeah, I, think one
fun finding I had once was like,

938
00:44:09,170 --> 00:44:10,010
it was exactly that.

939
00:44:10,050 --> 00:44:15,490
I think it was like, it had defined
some user roles and I had the role user.

940
00:44:16,010 --> 00:44:22,020
And I just, replaced it to the
role admin and it showed the admin

941
00:44:22,020 --> 00:44:22,649
UI

942
00:44:22,650 --> 00:44:30,420
and basically nothing worked, except for
the password reset UI, which allowed

943
00:44:30,480 --> 00:44:37,140
me to enter my, it was pre filled with
my own email address, but I could enter

944
00:44:37,150 --> 00:44:43,750
any email address and it would show the
password reset, yeah, screen, like.

945
00:44:43,780 --> 00:44:44,480
So nice.

946
00:44:44,920 --> 00:44:45,700
yeah, that was really nice.

947
00:44:46,130 --> 00:44:46,610
Yeah.

948
00:44:47,520 --> 00:44:53,080
How do you usually, like the
feature flags, if they are in

949
00:44:53,090 --> 00:44:54,760
the one request, it's easy.

950
00:44:55,220 --> 00:44:57,680
But sometimes I think it's a little
bit more hidden, maybe in the

951
00:44:57,680 --> 00:45:00,980
JavaScript, do you sometimes get as
deep to find these feature flags?

952
00:45:01,470 --> 00:45:06,080
Personally, I've never spent time on
finding the, feature flags or whatever.

953
00:45:06,110 --> 00:45:06,750
Yeah, I'm

954
00:45:06,830 --> 00:45:09,360
typically pretty deep
into the JavaScript stuff.

955
00:45:09,590 --> 00:45:09,860
Yeah.

956
00:45:10,010 --> 00:45:10,390
Okay.

957
00:45:10,800 --> 00:45:15,120
Sometimes even too deep that I get
blindsided by, for example, like

958
00:45:15,120 --> 00:45:18,980
if a backend request just returns
the feature flags, it's much

959
00:45:18,980 --> 00:45:23,200
easier to replace them there than
to spend time in the JavaScript.

960
00:45:23,230 --> 00:45:23,700
But yeah.

961
00:45:25,050 --> 00:45:30,360
What other things are, cause yeah, we know
you look for the post message listeners.

962
00:45:30,830 --> 00:45:32,330
We know you look for feature flags.

963
00:45:32,350 --> 00:45:37,390
What are the other sort of most
important things you look for JavaScript?

964
00:45:37,430 --> 00:45:41,500
Because sometimes it's so much code,
it's just hard to focus somewhere.

965
00:45:43,510 --> 00:45:43,720
Yeah.

966
00:45:43,720 --> 00:45:49,700
So, like, roles, permission roles are always
interesting, feature flags, endpoints.

967
00:45:49,710 --> 00:45:52,480
And typically I think that's about it.

968
00:45:52,970 --> 00:45:56,090
Typically if you have juicy
endpoints and then you try to dive

969
00:45:56,110 --> 00:45:59,920
into that JavaScript and see what's
happening around it, et cetera.

970
00:45:59,950 --> 00:46:02,320
But yeah, I think that's
mostly it actually.

971
00:46:02,590 --> 00:46:04,640
And I guess it makes sense.

972
00:46:04,660 --> 00:46:08,300
It's stuff that you won't have
access to normally that, yeah.

973
00:46:09,550 --> 00:46:09,910
It is.

974
00:46:09,910 --> 00:46:10,010
It's

975
00:46:10,020 --> 00:46:15,570
just, yeah, these, things that analyzing
JavaScript is also something I would

976
00:46:15,820 --> 00:46:19,700
really, like to ask you a smart question
about it, but I know it's just impossible.

977
00:46:19,700 --> 00:46:22,900
You just know how to do it
and you know what to focus on.

978
00:46:22,900 --> 00:46:25,120
But it's just called experience.

979
00:46:25,500 --> 00:46:27,180
There's no question to ask

980
00:46:27,180 --> 00:46:27,560
about it.

981
00:46:27,825 --> 00:46:28,125
Yeah.

982
00:46:28,895 --> 00:46:29,075
Yeah.

983
00:46:29,075 --> 00:46:34,125
I, especially with the post messages,
I came to a point where I would just

984
00:46:34,125 --> 00:46:40,485
recognize like the library based on
the structure of the phy, JavaScript.

985
00:46:40,815 --> 00:46:40,845
Oh.

986
00:46:40,905 --> 00:46:45,825
Like the, it was a phy in a different
way, but I was like, oh, that's the same.

987
00:46:46,605 --> 00:46:47,385
No, not interesting.

988
00:46:47,535 --> 00:46:48,165
Not interesting.

989
00:46:48,195 --> 00:46:48,405
Yeah.

990
00:46:48,785 --> 00:46:49,055
Yeah.

991
00:46:49,055 --> 00:46:51,125
That's, but yeah, it's mostly experience.

992
00:46:51,125 --> 00:46:51,395
Yeah.

993
00:46:51,795 --> 00:46:52,155
Yeah.

994
00:46:52,965 --> 00:46:53,115
And

995
00:46:56,255 --> 00:47:00,065
experience with the, like the Chrome
debugging tools is also really handy.

996
00:47:00,425 --> 00:47:01,085
Yeah, it's really helpful.

997
00:47:01,085 --> 00:47:05,855
Knowing where to set break points and
editing stuff on the fly is really useful

998
00:47:05,915 --> 00:47:07,445
for getting to know the JavaScripts.

999
00:47:07,775 --> 00:47:08,135
Yeah.

1000
00:47:08,375 --> 00:47:12,905
Do you use the 'cause when you set the
break point, you can have the break point,

1001
00:47:13,205 --> 00:47:14,736
log point and conditional break points.

1002
00:47:15,390 --> 00:47:19,150
Do you use all three of them
regularly or is it mostly

1003
00:47:19,350 --> 00:47:22,199
typical breakpoints?

1004
00:47:22,200 --> 00:47:22,520
Yeah,

1005
00:47:23,170 --> 00:47:24,140
basically it works.

1006
00:47:24,160 --> 00:47:24,550
Yeah.

1007
00:47:25,630 --> 00:47:25,810
Yeah.

1008
00:47:25,810 --> 00:47:27,220
Dev tools are very, powerful.

1009
00:47:27,460 --> 00:47:32,040
At some point I was not aware of how many
features there are in the, in dev tools.

1010
00:47:32,040 --> 00:47:33,900
It was just all the, yeah.

1011
00:47:35,170 --> 00:47:43,300
It's super, super helpful apart from the
discovering endpoints because also, okay.

1012
00:47:43,300 --> 00:47:44,790
One, one question for this.

1013
00:47:45,100 --> 00:47:47,140
So IDOR and access control bugs.

1014
00:47:47,580 --> 00:47:51,060
In your sort of, what are your
definitions of these two bug classes?

1015
00:47:51,110 --> 00:47:51,760
Because for me, they are

1016
00:47:52,350 --> 00:47:53,370
Yeah, they're the same.

1017
00:47:53,370 --> 00:47:57,020
I guess access control in this sense
is like an endpoint that you have

1018
00:47:57,050 --> 00:48:00,920
access to that you shouldn't have
access to without an identifier,

1019
00:48:02,430 --> 00:48:02,890
Yeah.

1020
00:48:03,020 --> 00:48:05,240
That's the only difference in my mind, But

1021
00:48:05,240 --> 00:48:07,070
the sort of methodology is similar.

1022
00:48:07,070 --> 00:48:09,650
Find an endpoint that
you shouldn't do and,

1023
00:48:09,800 --> 00:48:10,220
Yeah.

1024
00:48:10,490 --> 00:48:10,810
Okay.

1025
00:48:10,810 --> 00:48:11,270
Definitely.

1026
00:48:11,775 --> 00:48:17,065
Do you think that accessing these
endpoints from JavaScript is the only

1027
00:48:17,095 --> 00:48:22,035
thing that makes you find the access
control bugs and IDORs, which other

1028
00:48:22,075 --> 00:48:25,625
people don't, that don't find, or do
you think there's something else that

1029
00:48:25,635 --> 00:48:28,005
you also do that, could be the reason?

1030
00:48:30,875 --> 00:48:31,425
Not sure.

1031
00:48:31,925 --> 00:48:32,765
Not sure, honestly.

1032
00:48:32,795 --> 00:48:33,725
No, I don't know.

1033
00:48:34,485 --> 00:48:36,315
Yeah, it's, for me, it's crazy.

1034
00:48:36,365 --> 00:48:40,245
I don't have the, you say you have short
attention span, but for these bugs,

1035
00:48:40,285 --> 00:48:44,245
from my perspective, you do, maybe not
attention span, but you need a lot of

1036
00:48:44,275 --> 00:48:46,125
persistence to go through all of them.

1037
00:48:46,125 --> 00:48:46,261
Yeah,

1038
00:48:46,261 --> 00:48:46,534
that's true.

1039
00:48:46,815 --> 00:48:49,809
For me, I like, I check two or
three, and I'll have a look for.

1040
00:48:49,810 --> 00:48:51,749
Yeah.

1041
00:48:51,750 --> 00:48:55,900
And I guess that's also tied to
what you're interested in, Because I

1042
00:48:55,910 --> 00:49:00,070
have that, that, my attention span
is short with five tools and such.

1043
00:49:00,070 --> 00:49:00,430
Yeah.

1044
00:49:00,430 --> 00:49:05,040
But for this, if I'm locked in, I'll,
yeah, I'll forget to eat and drink

1045
00:49:05,040 --> 00:49:05,310
and such.

1046
00:49:05,320 --> 00:49:05,730
So yeah.

1047
00:49:06,800 --> 00:49:07,000
Good.

1048
00:49:07,040 --> 00:49:07,500
Awesome.

1049
00:49:08,200 --> 00:49:11,710
I also read you run something
called Hacker Hideout.

1050
00:49:12,440 --> 00:49:13,400
Can you tell us what this is?

1051
00:49:14,850 --> 00:49:23,250
It's a bit stale at the moment, but,
me and, Stefan, we have a, like a small

1052
00:49:23,320 --> 00:49:28,320
discord community with a bunch of hackers
that we know, or that we get to know.

1053
00:49:29,140 --> 00:49:31,660
and we try to organize regular meetups.

1054
00:49:31,670 --> 00:49:37,810
So we had one last year, in May in
Utrecht in the Netherlands, people

1055
00:49:37,830 --> 00:49:42,060
came from all over Europe, people
from Poland, people from France.

1056
00:49:42,195 --> 00:49:46,955
And we did some hacking actually,
where we arranged some private

1057
00:49:46,965 --> 00:49:48,295
invites for the afternoon.

1058
00:49:48,305 --> 00:49:53,495
We did some hacking, ate some pizza, had
a few drinks and basically that was it.

1059
00:49:53,745 --> 00:49:54,105
Yeah.

1060
00:49:55,955 --> 00:50:02,195
and it's, It originated basically
out of a need of doing like

1061
00:50:02,205 --> 00:50:03,535
these live hacking events.

1062
00:50:03,585 --> 00:50:03,905
Yeah, exactly.

1063
00:50:03,905 --> 00:50:07,845
But having the control of to do
what you want to do basically.

1064
00:50:07,845 --> 00:50:11,245
And people don't need to hack when
they come, but we like to offer

1065
00:50:11,245 --> 00:50:12,905
them the opportunity to hack.

1066
00:50:13,725 --> 00:50:18,405
yeah, it's basically just a
fun side project where we get

1067
00:50:18,405 --> 00:50:20,565
to do fun events that we like.

1068
00:50:20,795 --> 00:50:21,085
Yeah.

1069
00:50:21,655 --> 00:50:23,295
Are you planning something
for this year as well?

1070
00:50:23,305 --> 00:50:29,555
Yes, I'm actually, planning, I'm going to,
we're going to make a plan next weekend.

1071
00:50:30,085 --> 00:50:30,465
Okay.

1072
00:50:31,265 --> 00:50:31,695
Hopefully

1073
00:50:31,715 --> 00:50:31,995
soon.

1074
00:50:32,025 --> 00:50:34,415
Any idea of the location or dates?

1075
00:50:35,315 --> 00:50:35,925
Probably the

1076
00:50:35,935 --> 00:50:36,825
Netherlands again.

1077
00:50:36,865 --> 00:50:37,315
Okay.

1078
00:50:38,230 --> 00:50:40,180
but, nothing is decided yet.

1079
00:50:40,360 --> 00:50:40,690
Okay.

1080
00:50:40,690 --> 00:50:42,250
I hope I get an invitation for it.

1081
00:50:42,670 --> 00:50:44,560
I've never been there
and it would be cool.

1082
00:50:44,590 --> 00:50:45,460
Cool, cool.

1083
00:50:45,460 --> 00:50:46,210
Reason to go there.

1084
00:50:46,300 --> 00:50:50,740
I'll, I'll be sure to invite you And
also for me, I, especially from the

1085
00:50:50,740 --> 00:50:56,570
interviewing the critical thinking
podcast, I sense you also like struggle

1086
00:50:56,750 --> 00:51:01,220
with hacking, which is very, you do
it alone and you don't talk to anyone.

1087
00:51:01,250 --> 00:51:01,400
Yeah.

1088
00:51:01,670 --> 00:51:04,340
And for me as well, I, I am a team player.

1089
00:51:04,340 --> 00:51:05,330
I like to talk with people.

1090
00:51:05,330 --> 00:51:05,895
That's why I like this.

1091
00:51:06,505 --> 00:51:07,635
this tournament as well.

1092
00:51:08,225 --> 00:51:12,245
And, yeah, so you surprised
me with the, thing that you're

1093
00:51:12,245 --> 00:51:14,514
no longer in the coworking.

1094
00:51:14,855 --> 00:51:20,115
but, yeah, for me, the, sort of shock
connecting the, bug bounty, which

1095
00:51:20,115 --> 00:51:24,375
is very you go alone with the social
aspects or the team competitions here.

1096
00:51:24,435 --> 00:51:25,205
I do really love it.

1097
00:51:25,235 --> 00:51:25,645
Yeah.

1098
00:51:25,895 --> 00:51:26,275
Yeah.

1099
00:51:26,815 --> 00:51:27,035
The,

1100
00:51:27,145 --> 00:51:32,040
origin of the hacker hideout
idea was In fact, a bit broader

1101
00:51:32,400 --> 00:51:33,790
because I was struggling with it.

1102
00:51:35,290 --> 00:51:42,060
so my first idea actually was to have a,
a flex working space, targeted towards bug

1103
00:51:42,060 --> 00:51:45,510
bounty hunters or hackers or IT persons.

1104
00:51:46,000 --> 00:51:51,300
And then, and then I was looking into,
the logistics of it and looking into.

1105
00:51:51,745 --> 00:51:56,835
What, bug bounty hunters from the
Netherlands would be interested

1106
00:51:56,985 --> 00:51:58,735
in an office space in Utrecht?

1107
00:51:59,525 --> 00:52:05,085
I could count like, 10 bug bounty
hunters from the Netherlands who

1108
00:52:05,085 --> 00:52:06,485
were all over the Netherlands.

1109
00:52:07,065 --> 00:52:08,035
Probably not the best idea.

1110
00:52:08,035 --> 00:52:08,485
Yeah, this

1111
00:52:08,725 --> 00:52:10,325
is very, very, niche.

1112
00:52:12,665 --> 00:52:12,925
cool.

1113
00:52:13,895 --> 00:52:17,665
Soon we'll head to the end of the interview
because we have the show and tell soon.

1114
00:52:17,725 --> 00:52:18,015
Yeah.

1115
00:52:18,295 --> 00:52:22,675
But can you please tell me what are
your goals for 2025, bug bounty-wise?

1116
00:52:24,905 --> 00:52:26,105
focus more on

1117
00:52:26,115 --> 00:52:27,195
backend stuff,

1118
00:52:27,755 --> 00:52:28,235
Okay.

1119
00:52:30,530 --> 00:52:33,690
Are you planning to learn the
web3 a little bit or you

1120
00:52:33,790 --> 00:52:35,530
completely let go of the idea?

1121
00:52:35,580 --> 00:52:40,380
No, I'm actually, I don't know if
I can disclose the targets for this

1122
00:52:40,380 --> 00:52:44,770
round, but I actually looked into
like blockchain node code more.

1123
00:52:44,770 --> 00:52:46,770
Yeah, I think that the
customers are public.

1124
00:52:47,130 --> 00:52:48,840
Okay, so I did that this round.

1125
00:52:48,980 --> 00:52:49,180
Yeah.

1126
00:52:49,240 --> 00:52:53,120
Wasn't really successful, but it did
spark some interest to maybe do that.

1127
00:52:53,670 --> 00:52:55,000
on all the targets as well.

1128
00:52:56,080 --> 00:53:01,960
also, reread some blogs about other
people finding stuff by that approach.

1129
00:53:01,970 --> 00:53:04,730
So that's something I'm
actually interested in.

1130
00:53:04,970 --> 00:53:08,620
And the funny part is that it's
actually not specifically web3,

1131
00:53:09,220 --> 00:53:14,580
but it does, of course, have impact
on these, these web3 programs.

1132
00:53:14,580 --> 00:53:17,210
So that's something I aim to do more.

1133
00:53:17,210 --> 00:53:17,460
Yeah.

1134
00:53:17,560 --> 00:53:17,850
Yeah.

1135
00:53:18,070 --> 00:53:18,480
Awesome.

1136
00:53:18,980 --> 00:53:19,880
Good luck with this.

1137
00:53:20,080 --> 00:53:20,540
Thank you very much.

1138
00:53:20,580 --> 00:53:21,930
Good luck in this round.

1139
00:53:21,960 --> 00:53:22,950
I hope Netherlands.

1140
00:53:23,185 --> 00:53:29,665
And Poland will advance to the next
round and we'll meet, meet in Dubai.

1141
00:53:29,945 --> 00:53:31,115
Thank you so much for the interview.

1142
00:53:31,175 --> 00:53:31,815
Thanks for having me.

1143
00:53:33,225 --> 00:53:37,725
If you enjoyed this episode, also
check out the one with Johan Carlsson.

1144
00:53:37,855 --> 00:53:41,195
That's on your screen right now
and also linked in the description.

1145
00:53:41,515 --> 00:53:44,905
For now, thank you so much
for listening and goodbye.

