1
00:00:00,240 --> 00:00:01,230
And I got a bounty for it.

2
00:00:01,350 --> 00:00:04,170
Got $1,000 bounty on my
first bug, first bounty.

3
00:00:04,170 --> 00:00:05,700
So I was like, oh, this is, it's easy.

4
00:00:06,030 --> 00:00:12,240
I found with time that showing impact
will result in better bounties and also

5
00:00:12,240 --> 00:00:15,510
better bounties means higher impact.

6
00:00:15,690 --> 00:00:17,040
While still working full-time.

7
00:00:17,190 --> 00:00:20,799
I decided to apply as
a triager at HackerOne.

8
00:00:20,799 --> 00:00:22,980
And fortunately, I got the job.

9
00:00:23,040 --> 00:00:28,290
I think I was always good technically,
but OSCP gave me that mindset, like

10
00:00:28,440 --> 00:00:30,480
that hacker mindset that I did not have.

11
00:00:30,690 --> 00:00:35,490
sometimes you won't get any error
messages, but the app may react

12
00:00:35,490 --> 00:00:36,840
differently depending on your input.

13
00:00:37,830 --> 00:00:38,290
Hello JR0ch17.

14
00:00:38,309 --> 00:00:41,940
Thank you so much for joining
me today for, the podcast.

15
00:00:42,449 --> 00:00:45,120
For those listeners who don't
know you yet, can you please

16
00:00:45,180 --> 00:00:47,849
introduce yourself and tell us a
little bit about your background?

17
00:00:48,000 --> 00:00:48,390
Sure.

18
00:00:48,839 --> 00:00:50,289
so my name is Jasmin Landry.

19
00:00:50,339 --> 00:00:51,959
It's a French Canadian name.

20
00:00:52,559 --> 00:00:57,760
I'm known as JR0ch17 on the internet,
currently full-time bug bounty

21
00:00:57,780 --> 00:01:04,500
hunter, but I started my career in
IT in 2012, so almost 15 years now.

22
00:01:04,500 --> 00:01:05,155
Yeah, that's a lot.

23
00:01:05,699 --> 00:01:09,210
my first couple of years in my career
I worked as a system administrator,

24
00:01:09,330 --> 00:01:14,490
so I worked a lot with Linux,
networking for routing and switching,

25
00:01:14,550 --> 00:01:19,770
using like products like Cisco,
Windows as well, middle servers.

26
00:01:21,780 --> 00:01:23,580
I did lots of certifications as well.

27
00:01:24,449 --> 00:01:27,660
I was certified with Cisco,
Microsoft, so VMware as well,

28
00:01:27,660 --> 00:01:29,550
which was big 10 years ago.

29
00:01:30,150 --> 00:01:31,140
Not as much now.

30
00:01:31,770 --> 00:01:35,460
And I did that for like
roughly four or five years.

31
00:01:36,330 --> 00:01:40,950
And after a while I was, I wouldn't say
bored, but I wanted more challenges.

32
00:01:41,039 --> 00:01:42,479
I wanted like something more challenging.

33
00:01:43,649 --> 00:01:46,470
and security was also something
that was, I was interested in.

34
00:01:46,950 --> 00:01:53,250
at school I had classes on security,
but it was like really like basics.

35
00:01:53,940 --> 00:01:57,840
and I wanted to, I guess work
in security, but I wanted to

36
00:01:57,840 --> 00:01:59,460
do more than just basic stuff.

37
00:02:01,620 --> 00:02:05,460
and obviously hacking or pentesting was
something that I always wanted to do.

38
00:02:06,660 --> 00:02:09,570
when I learned that we could do it as an
adult I was like, I wanna do that one day.

39
00:02:09,810 --> 00:02:11,009
It was my career goal.

40
00:02:11,009 --> 00:02:12,780
Yeah, I think so.

41
00:02:12,780 --> 00:02:14,340
I think a lot were like this.

42
00:02:14,340 --> 00:02:15,780
Yes, that's true.

43
00:02:16,410 --> 00:02:18,570
So I worked my way.

44
00:02:19,050 --> 00:02:20,550
To get there.

45
00:02:21,000 --> 00:02:25,080
so while I was working full-time
as a sysadmin, I spent my evenings,

46
00:02:26,160 --> 00:02:28,079
learning, reading as much as I could.

47
00:02:28,079 --> 00:02:35,130
I read many books on hacking, and did a
few certifications such as OSCP, which to

48
00:02:35,130 --> 00:02:37,890
me was like the, game changer personally.

49
00:02:38,790 --> 00:02:44,040
I think I'm always good technically,
but OSCP gave me that mindset, like

50
00:02:44,070 --> 00:02:46,290
that hacker mindset that I did not have.

51
00:02:46,470 --> 00:02:46,829
Yeah.

52
00:02:46,920 --> 00:02:51,420
Because as a regular person you would
just do what the app tells you to do.

53
00:02:51,870 --> 00:02:56,280
But the OSCP helped me get
the hacker mindset of can I do

54
00:02:56,280 --> 00:02:58,860
something else that you cannot,
that I should not be able to do?

55
00:02:58,980 --> 00:02:59,340
Yeah.

56
00:03:00,390 --> 00:03:02,130
and yeah, so I did the OSCP.

58
00:03:04,285 --> 00:03:09,145
and then roughly six months after,
I got my first job in information

59
00:03:09,145 --> 00:03:14,695
security or cybersecurity, I did
stuff that were considered junior.

60
00:03:15,295 --> 00:03:18,715
but I got my foot in, so I was like,
okay, yeah, now I can focus on.

61
00:03:19,225 --> 00:03:21,295
Was it more towards the
networking since you've already

62
00:03:22,660 --> 00:03:23,935
had the experience with this?

63
00:03:26,935 --> 00:03:27,805
it did help like.

64
00:03:28,290 --> 00:03:33,240
landing a job in security, but I
also did like it, but I found

65
00:03:33,240 --> 00:03:36,570
it, that it was not a passion.

66
00:03:36,570 --> 00:03:36,630
Yeah.

67
00:03:37,440 --> 00:03:40,200
While cybersecurity, it
was more of a passion.

68
00:03:40,320 --> 00:03:40,650
Yeah.

69
00:03:40,920 --> 00:03:44,760
like I remember when I was
studying, I had to like, okay,

70
00:03:44,820 --> 00:03:47,370
go to bed late while networking.

71
00:03:47,370 --> 00:03:48,540
While I was studying networking.

72
00:03:49,920 --> 00:03:51,210
I did not have that passion.

73
00:03:51,240 --> 00:03:51,572
Yeah, I see.

74
00:03:51,577 --> 00:03:55,770
It was fun, but not like
cybersecurity or hacking in general.

75
00:03:58,590 --> 00:03:59,640
and I got my job.

76
00:04:00,240 --> 00:04:02,580
I had colleagues who were pen testers.

77
00:04:02,970 --> 00:04:05,790
I was not yet, I was just
like a junior analyst.

78
00:04:07,290 --> 00:04:11,280
I did help them on some like
automation tasks, or not automation, but like

79
00:04:11,280 --> 00:04:12,960
running ES scans and stuff like that.

80
00:04:14,610 --> 00:04:18,870
and around that time, one of my
colleagues did a bit of bug bounty.

81
00:04:19,560 --> 00:04:23,430
he wasn't really good, but he
was talking to me about it.

82
00:04:23,430 --> 00:04:24,000
He was like, oh, you should.

83
00:04:24,175 --> 00:04:25,285
Yeah, you should try it.

84
00:04:25,495 --> 00:04:25,735
Yeah.

85
00:04:25,855 --> 00:04:26,875
I was like, okay, I'll try it.

86
00:04:29,155 --> 00:04:32,095
I registered on both Bugcrowd
and HackerOne.

87
00:04:34,135 --> 00:04:36,145
tried, did not really succeed.

88
00:04:37,765 --> 00:04:39,145
so what year was that?

89
00:04:40,120 --> 00:04:41,715
2017. 2017. Okay.

90
00:04:41,775 --> 00:04:41,925
Yeah.

91
00:04:42,405 --> 00:04:46,065
I did find one bug, which was like, luck.

92
00:04:47,595 --> 00:04:53,025
on the Microsoft application, I just
put in like a payload, and months

93
00:04:53,025 --> 00:04:55,935
later I noticed that it, worked.

94
00:04:56,145 --> 00:04:57,225
It was like a reflected XSS.

95
00:04:57,435 --> 00:04:57,585
Yeah.

96
00:04:58,635 --> 00:05:02,565
And I got a bounty for it, like a 1K
bounty on my first bug, first bounty.

97
00:05:02,565 --> 00:05:03,375
So I was like, oh, this is.

98
00:05:03,430 --> 00:05:04,475
It's easy, you,

99
00:05:04,680 --> 00:05:06,035
you, learn through this scam as well.

100
00:05:06,275 --> 00:05:06,435
Yeah.

101
00:05:06,435 --> 00:05:06,635
Yeah.

102
00:05:06,735 --> 00:05:09,010
So this was like in February, 2017.

103
00:05:09,010 --> 00:05:09,070
Yeah.

104
00:05:09,550 --> 00:05:13,870
so I literally got my first job I
took in January, so a month earlier.

105
00:05:14,530 --> 00:05:18,010
So I started doing bug
bounty one month later.

106
00:05:18,820 --> 00:05:22,715
And then for the next couple
of months, no bugs, no

107
00:05:22,715 --> 00:05:24,484
bounties, absolutely nothing.

108
00:05:24,484 --> 00:05:28,145
So I was like, okay, I need to take
a step back, improve my skills and

109
00:05:28,835 --> 00:05:31,054
more knowledge on the topics.

110
00:05:31,534 --> 00:05:33,335
so I did continue learning.

111
00:05:33,844 --> 00:05:38,135
I remember having the HackerOne activity
page open in my browser every day.

112
00:05:38,135 --> 00:05:41,255
So every day I looked at what
was reported, what was disclosed.

113
00:05:41,315 --> 00:05:41,465
Yeah,

114
00:05:41,945 --> 00:05:42,395
read it.

115
00:05:44,465 --> 00:05:50,765
I looked at, Twitter back then X now,
what people were talking about where there

116
00:05:50,765 --> 00:05:58,625
were, maybe they were disclosing bugs, or
making public their research or writeups.

117
00:05:58,655 --> 00:05:59,495
So I read a lot.

118
00:05:59,495 --> 00:06:02,465
I read some more books on web application.

119
00:06:03,395 --> 00:06:05,135
do you remember the names of the books?

120
00:06:05,615 --> 00:06:06,215
Yes.

121
00:06:06,604 --> 00:06:09,734
it was the Web Application
Hacker's Handbook.

122
00:06:09,734 --> 00:06:10,340
Yeah, that,

123
00:06:10,580 --> 00:06:11,686
I think I read that one.

124
00:06:12,104 --> 00:06:12,164
Yeah.

125
00:06:12,164 --> 00:06:13,395
Like a 900 page book.

126
00:06:13,400 --> 00:06:13,539
Yeah.

127
00:06:13,544 --> 00:06:13,815
Yeah.

128
00:06:13,815 --> 00:06:14,385
It's a big one.

129
00:06:14,385 --> 00:06:15,794
I think I read that one twice actually.

130
00:06:17,925 --> 00:06:20,474
Because I think the first time I
read it was like, okay, I understand.

131
00:06:20,534 --> 00:06:22,275
The second time was okay, now I get it.

132
00:06:23,055 --> 00:06:23,865
You only have that.

133
00:06:24,015 --> 00:06:25,005
Okay, I get it.

134
00:06:25,005 --> 00:06:27,495
Now it's, this is the thing
when you, this is like the time

135
00:06:27,495 --> 00:06:28,215
when you think you're ready.

136
00:06:29,325 --> 00:06:36,315
so fast forward from February to August,
in August I found my, second bug, second

137
00:06:36,315 --> 00:06:40,755
bounty, another XSS. This one
was a bit more complicated, so I was

138
00:06:40,755 --> 00:06:43,125
happy that I was the first one on it.

139
00:06:43,935 --> 00:06:45,914
'cause I put in the effort.

140
00:06:45,914 --> 00:06:49,424
So if it would've been a dupe, I probably
would've been like discouraged, Yeah.

141
00:06:50,354 --> 00:06:54,645
so I was first one on it and got a
bounty, and then the month after,

142
00:06:55,080 --> 00:06:59,640
Started finding more bugs and I was
not really, I wouldn't say like a

143
00:06:59,640 --> 00:07:04,710
good bug bounty hunter, but I started
finding stuff, had some dupes obviously.

144
00:07:06,030 --> 00:07:09,210
so I was like getting
confidence, but I still felt

145
00:07:12,419 --> 00:07:14,400
I was not where I wanted to be.

146
00:07:14,645 --> 00:07:18,845
I feel like I could improve
myself even more, if I had the

147
00:07:18,845 --> 00:07:20,285
chance to like, learn more.

148
00:07:20,525 --> 00:07:20,705
Yeah.

149
00:07:22,085 --> 00:07:26,465
while still working full time, I decided
to apply as a triager at HackerOne.

150
00:07:27,215 --> 00:07:31,085
fortunately, I got
the job back then in,

151
00:07:31,094 --> 00:07:31,315
Yes.

152
00:07:31,315 --> 00:07:33,010
I think this was December, 2017.

153
00:07:35,260 --> 00:07:40,750
I worked at HackerOne as a triager
for about a year, working 10 to 15

154
00:07:40,750 --> 00:07:42,940
hours a week on top of my full-time.

155
00:07:43,090 --> 00:07:44,530
Oh, so it was like a part-time?

156
00:07:44,739 --> 00:07:45,280
Yeah, part-time.

157
00:07:45,309 --> 00:07:45,580
Okay.

158
00:07:45,580 --> 00:07:46,000
Interesting.

159
00:07:46,030 --> 00:07:46,330
Yeah.

160
00:07:47,650 --> 00:07:53,500
by triaging reports I learned
that HackerOne does get lots

161
00:07:53,500 --> 00:07:55,869
of reports, not always good.

162
00:07:56,409 --> 00:07:58,659
some really good, yeah, a lot, of bad.

163
00:07:59,530 --> 00:08:00,190
we all know that.

164
00:08:01,330 --> 00:08:07,299
but I was able to, I guess learn,
I would say learn how others work.

165
00:08:07,299 --> 00:08:10,780
'cause when, we write a report,
we don't always write like

166
00:08:11,169 --> 00:08:12,309
how we got to that point.

167
00:08:12,309 --> 00:08:13,239
We just explain the bug.

168
00:08:13,419 --> 00:08:13,659
Yeah.

169
00:08:13,750 --> 00:08:16,090
But it still showed me like,
okay, I didn't know, I dunno,

170
00:08:16,120 --> 00:08:17,049
postMessage existed.

171
00:08:17,049 --> 00:08:20,409
So now I knew that it existed,
that it was vulnerable in some cases.

172
00:08:20,409 --> 00:08:22,659
So I was able to look into
it, learn more about it.

173
00:08:23,109 --> 00:08:23,169
Yeah.

174
00:08:23,169 --> 00:08:24,130
And then exploit it.

175
00:08:26,280 --> 00:08:30,390
After a year of triaging, obviously
it's a job that's not easy.

176
00:08:30,840 --> 00:08:33,419
so I figured, okay, I wanna
spend those 10, 15 hours of

177
00:08:33,419 --> 00:08:35,400
triaging and do hunting instead.

178
00:08:36,120 --> 00:08:38,850
So I started doing a bit
more bug bounty in 2018.

179
00:08:40,049 --> 00:08:41,010
had a good year.

180
00:08:42,600 --> 00:08:44,520
like again, also having a full-time job.

181
00:08:44,580 --> 00:08:45,180
Full-time job.

182
00:08:45,810 --> 00:08:48,840
So I probably did 20
hours a week back then.

183
00:08:49,740 --> 00:08:54,270
I was like in my early mid
twenties, had lots of energy and

184
00:08:54,569 --> 00:08:56,880
I was able to hack, late evenings.

185
00:08:57,600 --> 00:08:58,710
So I had a good year.

186
00:09:00,240 --> 00:09:06,720
I had met Jobert, founder of
HackerOne, and Peter Yaworski, who

187
00:09:06,720 --> 00:09:08,310
worked at Shopify back then.

188
00:09:09,300 --> 00:09:14,340
so I had attended my first LHE, live
hacking event, with Shopify, it was actually

189
00:09:14,594 --> 00:09:15,824
In Montreal, ironically.

190
00:09:15,824 --> 00:09:16,334
Oh yeah.

191
00:09:17,954 --> 00:09:20,324
so I got my first LHE
experience over there.

192
00:09:21,704 --> 00:09:25,395
I remember finding a few bugs,
but they were all closed as I think

193
00:09:25,395 --> 00:09:28,305
informative because Shopify is
not an easy target.

194
00:09:28,395 --> 00:09:28,665
Oh yeah.

195
00:09:29,444 --> 00:09:31,875
especially as a beginner,
it'll be even harder.

196
00:09:33,405 --> 00:09:38,265
but again, I learned a lot
while working with, others,

197
00:09:38,564 --> 00:09:39,795
collaborating with other people.

198
00:09:40,425 --> 00:09:42,615
the show and tell obviously was insane.

199
00:09:42,645 --> 00:09:43,125
I remember those.

200
00:09:43,189 --> 00:09:44,000
Yeah, it's magical.

201
00:09:44,084 --> 00:09:44,564
Yeah.

202
00:09:45,045 --> 00:09:48,735
The show and tells are like critical, it
was critical to my learning anyways.

203
00:09:48,885 --> 00:09:49,214
Yeah.

204
00:09:49,214 --> 00:09:49,275
Yeah.

205
00:09:50,505 --> 00:09:57,015
And then, with time, got invited
to more LHEs and stuff, and while

206
00:09:57,015 --> 00:10:00,765
I was working at HackerOne, obviously
had access to a lot of programs.

207
00:10:01,005 --> 00:10:04,005
So like, I was not able to hack on
those programs, 'cause obviously it would be

208
00:10:04,275 --> 00:10:06,464
cheating, so I hacked a lot on Bugcrowd.

209
00:10:07,890 --> 00:10:12,030
my first couple of years, made
my way in the top, I think 40 at

210
00:10:12,030 --> 00:10:14,010
one point all time on Bugcrowd.

211
00:10:15,930 --> 00:10:17,459
and then switched to HackerOne.

212
00:10:18,000 --> 00:10:21,660
'cause I think they were doing a bit
more events and my friends were attending

213
00:10:22,170 --> 00:10:23,160
a lot, of them, so I figured out,

214
00:10:23,400 --> 00:10:23,670
yeah,

215
00:10:23,880 --> 00:10:24,810
I want to attend those too.

216
00:10:25,740 --> 00:10:31,319
So did lots of live hacking events,
bug bounty part-time as well.

217
00:10:32,670 --> 00:10:35,219
and then a couple of years
ago during the covid,

218
00:10:37,410 --> 00:10:41,010
I was a bit tired of, my, my job.

219
00:10:41,610 --> 00:10:44,819
I wouldn't say tired, but
I eventually scaled up.

220
00:10:44,969 --> 00:10:46,020
I was not a junior analyst.

221
00:10:46,020 --> 00:10:49,140
I became a pen tester as senior
business as a matter of fact.

222
00:10:50,430 --> 00:10:56,760
so I was hacking 40 hours a week and
then doing bug bounty 20 hours roughly a week.

223
00:10:56,880 --> 00:10:57,060
Yeah.

224
00:10:57,240 --> 00:10:57,810
So it was a lot.

225
00:10:57,814 --> 00:10:58,045
Yeah.

226
00:10:58,500 --> 00:10:59,250
so I was like, okay.

227
00:11:00,030 --> 00:11:01,620
Oh, my brain is tired.

228
00:11:03,210 --> 00:11:07,590
so I took another job, which
was not related to pen testing,

229
00:11:07,620 --> 00:11:12,870
just like an AppSec job as a
consultant for a six month contract.

230
00:11:13,680 --> 00:11:13,950
okay.

231
00:11:14,040 --> 00:11:16,440
I could calm down my hacking stuff.

232
00:11:16,440 --> 00:11:20,320
Take a breather and
then still do bug bounty.

233
00:11:20,320 --> 00:11:25,390
But like after a while when I did pen
testing, 40 hours and bug bounty on the evenings,

234
00:11:25,840 --> 00:11:27,160
I was like, I'm not, wasn't motivated.

235
00:11:27,220 --> 00:11:27,310
Yeah.

236
00:11:27,310 --> 00:11:30,250
So I wanted like that motivation back
because I really enjoyed doing

237
00:11:30,250 --> 00:11:32,530
bug bounty like in the past few years.

238
00:11:34,120 --> 00:11:37,810
so I took that job, I did it for six
months and then after the contract I was

239
00:11:37,810 --> 00:11:39,550
like, okay, should I do bug bounty full time?

240
00:11:40,120 --> 00:11:42,010
Should I take another job?

241
00:11:42,010 --> 00:11:43,810
I was like, really, debating.

242
00:11:44,830 --> 00:11:50,680
And it was roughly a year after I had
my son and as a father, like

243
00:11:51,100 --> 00:11:52,750
doing bug bounty full time is a risk.

244
00:11:52,750 --> 00:11:54,370
'cause we all know that.

245
00:11:54,880 --> 00:11:55,090
Yeah.

246
00:11:55,150 --> 00:11:57,250
It's not like stable income, Yeah.

247
00:11:57,370 --> 00:11:59,620
It's, we don't decide when we get paid.

248
00:12:00,010 --> 00:12:04,060
with a regular job, you get paid
every two weeks no matter what.

249
00:12:04,750 --> 00:12:05,320
So Okay.

250
00:12:05,650 --> 00:12:11,310
I won't take the risk,
but it wasn't online, so I

251
00:12:11,310 --> 00:12:15,750
took a job in a startup in
Montreal as head of IT security.

252
00:12:15,930 --> 00:12:18,810
So I was leading the whole IT
department and security department,

253
00:12:18,990 --> 00:12:20,340
and the department was me.

254
00:12:20,545 --> 00:12:20,985
I was alone.

255
00:12:22,105 --> 00:12:24,600
I was the very first employee
in security over there, and in IT.

256
00:12:26,824 --> 00:12:32,189
It was a startup that was
founded like 10 years earlier.

257
00:12:32,459 --> 00:12:34,824
So it was like a SaaS.
It was a long startup.

258
00:12:35,095 --> 00:12:40,290
Yeah, it was like a SaaS product,
which had barely any security.

259
00:12:40,290 --> 00:12:43,230
So even the employee side of things,
like there were no like basic

260
00:12:43,230 --> 00:12:46,740
stuff, like antivirus on their
laptops and EDR, there's nothing.

261
00:12:46,920 --> 00:12:47,069
Yeah.

262
00:12:47,640 --> 00:12:51,840
So I was like, okay, this is not
what I was thinking of doing, but

263
00:12:51,840 --> 00:12:54,240
like the challenge is so interesting
that I think I'll take the job.

264
00:12:54,240 --> 00:13:01,530
So I took the job, and eventually
hired, more people, eventually put

265
00:13:01,530 --> 00:13:06,480
in like the basics in place, just
to get like the regulars because

266
00:13:06,689 --> 00:13:10,500
like, a regular company would have
as security, products or, whatnot.

267
00:13:12,650 --> 00:13:18,680
and then a year later, we got acquired
by Nasdaq, which was quite interesting.

268
00:13:19,100 --> 00:13:21,740
'cause I learned that the
acquisition would not have

269
00:13:21,740 --> 00:13:23,090
happened because of my work.

270
00:13:24,380 --> 00:13:27,319
if it had happened like a year
earlier, security would've been like,

271
00:13:27,590 --> 00:13:29,840
an F on the audit for due diligence.

272
00:13:30,260 --> 00:13:35,780
But when NASDAQ did the audit
on the startup, they, we

273
00:13:35,780 --> 00:13:37,189
got an A plus on security.

274
00:13:37,194 --> 00:13:38,235
I was like, man, this is really cool.

275
00:13:39,225 --> 00:13:39,515
Yeah.

276
00:13:39,515 --> 00:13:40,400
So I felt like really cool.

277
00:13:40,430 --> 00:13:40,910
Yeah.

278
00:13:41,420 --> 00:13:45,050
Like even when, you had like the
meeting internally where, the

279
00:13:45,050 --> 00:13:48,890
founders were like saying that
we're gonna get acquired by Nasdaq.

280
00:13:49,400 --> 00:13:53,270
I got a shout out saying, look,
you can thank Jasmin, without

281
00:13:53,270 --> 00:13:55,160
him, this won't be happening.

282
00:13:55,250 --> 00:13:55,460
Yeah.

283
00:13:55,730 --> 00:13:56,480
So that was pretty cool.

284
00:13:57,810 --> 00:14:02,430
and then while joining Nasdaq, with
the title that I had at the previous

285
00:14:02,430 --> 00:14:08,550
company, with the work that I was doing,
I got I guess hired as a senior director

286
00:14:08,610 --> 00:14:11,640
at Nasdaq, in information security.

287
00:14:12,360 --> 00:14:18,569
so obviously Nasdaq is, was way bigger
than what I was doing, that had lots more

288
00:14:18,569 --> 00:14:20,579
departments, lot more people in security.

289
00:14:22,230 --> 00:14:24,510
so I stayed at NASDAQ
for roughly two years.

290
00:14:26,100 --> 00:14:30,930
and then, again, still doing bug
bounty as a hobby, part-time.

291
00:14:31,380 --> 00:14:35,730
now with a family I could do even
less bug bounty, but still did like

292
00:14:35,730 --> 00:14:39,420
maybe 10 hours a week on average,
sometimes more, sometimes less.

293
00:14:40,199 --> 00:14:46,350
And then, back in Vegas this past
summer, for the live HackerOne

294
00:14:46,350 --> 00:14:50,189
event, live hacking event with
HackerOne, I took two weeks off to

295
00:14:50,189 --> 00:14:52,980
do, just focus on the event itself.

296
00:14:53,069 --> 00:14:56,460
So that came, just took some
time for myself and then hack.

297
00:14:56,640 --> 00:14:57,180
Just have fun.

298
00:14:57,330 --> 00:14:57,480
Yeah.

299
00:14:57,485 --> 00:14:57,505
Yeah.

300
00:14:58,020 --> 00:15:00,420
And had the time of my
life, I really enjoyed it.

301
00:15:01,380 --> 00:15:04,020
So I was like, okay, should I leave now?

302
00:15:04,140 --> 00:15:05,070
Actually bug bounty full time?

303
00:15:05,070 --> 00:15:06,090
I was like, I can't think about it.

304
00:15:06,960 --> 00:15:08,340
and this is like in, in August, right?

305
00:15:08,340 --> 00:15:13,290
The live hacking in Vegas, in
September I gave my resignation.

306
00:15:13,380 --> 00:15:15,180
So I was like, okay,
man, I think it's time.

307
00:15:15,540 --> 00:15:16,140
I'll, give it a shot.

308
00:15:16,260 --> 00:15:16,470
Yeah.

309
00:15:18,150 --> 00:15:22,415
yeah, so I left Nasdaq at the end of
September. First week of August,

310
00:15:22,415 --> 00:15:25,295
of October, I was full-time bug bounty.

311
00:15:26,135 --> 00:15:28,715
Obviously I took some
time off, for myself.

312
00:15:28,745 --> 00:15:32,165
So 2024 was, the rest
of 2024 was a bit quiet.

313
00:15:33,515 --> 00:15:36,065
did a bit of hacking, did a
bit of like recon building just to

314
00:15:36,065 --> 00:15:38,795
get some, passive income going.

315
00:15:40,655 --> 00:15:42,005
'cause I am like a deep dive hacker.

316
00:15:42,305 --> 00:15:43,985
so recon is like not my thing at all.

317
00:15:44,105 --> 00:15:44,225
Yeah.

318
00:15:45,305 --> 00:15:49,685
so I did a bit of building, bit of
hacking, a bit of HackerOne pentesting

319
00:15:49,685 --> 00:15:52,265
as well, just to get back into it.

320
00:15:52,925 --> 00:15:57,485
And then starting in 2025, I'm really
doing like full-time hunting.

321
00:15:57,545 --> 00:15:59,225
And it's been going really well.

322
00:15:59,405 --> 00:15:59,645
Yeah.

323
00:15:59,735 --> 00:16:01,115
I saw your profile.

324
00:16:04,290 --> 00:16:06,330
yeah, I'm happy about that decision.

325
00:16:06,390 --> 00:16:06,510
Yeah.

326
00:16:07,920 --> 00:16:10,380
I get to work, work for me.

327
00:16:10,680 --> 00:16:11,160
It's, not work.

328
00:16:11,160 --> 00:16:14,880
I'm just having fun hacking, but
I do work a lot less than I did.

329
00:16:15,060 --> 00:16:15,240
Yeah.

330
00:16:15,900 --> 00:16:20,370
I've been playing, obviously as a Canadian
I play hockey, I've been playing hockey

331
00:16:20,370 --> 00:16:23,640
a lot more, even during the work days.

332
00:16:23,730 --> 00:16:23,820
Yeah.

333
00:16:25,110 --> 00:16:26,910
I've been playing golf a lot more as well.

334
00:16:27,360 --> 00:16:30,330
golf is also another passion that I've
been building in the past year or so.

335
00:16:30,930 --> 00:16:33,810
so in the end, I work less and
make more money and have like

336
00:16:34,020 --> 00:16:36,300
more like free time for myself.

337
00:16:36,390 --> 00:16:37,020
Yeah, that's great.

338
00:16:37,020 --> 00:16:37,140
For my

339
00:16:37,140 --> 00:16:37,470
family.

340
00:16:37,470 --> 00:16:40,680
So my son just goes to school now, so
let's say he has a day off of school.

341
00:16:40,680 --> 00:16:45,360
While it's not a panic at home, I can just
stay with them, and we can go out, we can

342
00:16:45,360 --> 00:16:46,710
go to the park and do anything we want.

343
00:16:46,920 --> 00:16:47,160
Yeah.

344
00:16:47,160 --> 00:16:47,355
That's awesome.

345
00:16:47,355 --> 00:16:47,755
It's not a

346
00:16:47,755 --> 00:16:48,030
big, yeah.

347
00:16:48,030 --> 00:16:50,610
So if I need to take some
time off, I just take it.

348
00:16:51,420 --> 00:16:54,690
I don't need to ask for
approval or whatnot, so I find

349
00:16:54,690 --> 00:16:56,550
that it's a lot less stress.

350
00:16:56,730 --> 00:16:56,850
Yeah.

351
00:16:56,850 --> 00:17:00,960
Even though we get, even though they'll
get a stable income, but in the end.

352
00:17:01,620 --> 00:17:03,030
The income is bigger, right?

353
00:17:03,270 --> 00:17:03,359
Yeah.

354
00:17:03,689 --> 00:17:07,740
with bug bounty, for me personally,
so I'm really less stressed.

355
00:17:08,550 --> 00:17:09,780
and I've been really enjoying it.

356
00:17:09,780 --> 00:17:09,839
Yeah.

357
00:17:10,109 --> 00:17:11,879
So I don't regret it, one bit.

358
00:17:12,159 --> 00:17:13,470
Yeah, unfortunately
for Nasdaq, but yeah.

359
00:17:14,819 --> 00:17:15,030
Yeah.

360
00:17:15,030 --> 00:17:19,994
No, that's great because, and also
it's, there's a thing that 'cause

361
00:17:19,994 --> 00:17:22,560
obviously it's a podcast about bug bounty.

362
00:17:22,770 --> 00:17:26,579
It's a podcast about making money, but
I really like these bits where

363
00:17:26,579 --> 00:17:30,330
somebody says something about the work-life
balance, spending time with the family.

364
00:17:30,899 --> 00:17:31,860
'cause I think this.

365
00:17:32,340 --> 00:17:36,600
At the end of the day, the, this
is more important in your life

366
00:17:36,600 --> 00:17:40,590
than an additional $2,000,
additional $5,000, $10,000.

367
00:17:40,590 --> 00:17:43,169
And yeah, it's just invaluable.

368
00:17:43,379 --> 00:17:43,770
It is.

369
00:17:43,770 --> 00:17:43,860
Yeah.

370
00:17:43,860 --> 00:17:47,010
And the time will, we
will never get back, so.

371
00:17:47,010 --> 00:17:51,060
I'm really happy to, I, sometimes I
try to smuggle in the podcast like

372
00:17:51,060 --> 00:17:53,669
this, but it's really hard, so I'm
really glad to hear this from you.

373
00:17:53,729 --> 00:17:53,879
Awesome.

374
00:17:54,060 --> 00:17:54,330
Yeah.

375
00:17:54,330 --> 00:17:57,120
And like stuff like really
basic, like taking naps.

376
00:17:57,419 --> 00:17:57,600
Yeah.

377
00:17:57,600 --> 00:18:00,780
Like with a full-time job, nine to
five, you can't really take naps.

378
00:18:00,810 --> 00:18:00,929
Yeah.

379
00:18:00,929 --> 00:18:02,340
And like when I feel tired.

380
00:18:02,699 --> 00:18:07,860
I'll take a one hour nap, I'm
getting old, have a rest, because I feel

381
00:18:07,860 --> 00:18:10,290
like sleep is really something that
I lack in the past couple of years.

382
00:18:10,290 --> 00:18:13,875
'cause yeah, I was working
full-time, doing bug bounty on

383
00:18:13,919 --> 00:18:16,199
evenings once in a while, so I
feel like I need to catch up a bit.

384
00:18:16,469 --> 00:18:16,739
Yeah.

385
00:18:16,830 --> 00:18:20,550
I think maybe that's why I have a
few white hairs in my beard now.

386
00:18:20,580 --> 00:18:21,389
Maybe I lack sleep.

387
00:18:21,870 --> 00:18:25,050
So I'm trying to like, really
work on my health.

388
00:18:25,050 --> 00:18:25,110
Yeah.

389
00:18:25,620 --> 00:18:28,199
work-life balance, make sure like
I'm really happy and healthy.

390
00:18:28,199 --> 00:18:31,050
And for now I think bug bounty
is perfect for me right now.

391
00:18:31,395 --> 00:18:31,554
Yeah.

392
00:18:31,554 --> 00:18:31,754
Yeah.

393
00:18:31,824 --> 00:18:36,030
So you've mentioned
a few different ways of learning.

394
00:18:36,030 --> 00:18:39,479
You've mentioned books, you've
mentioned just hunting you, you've

395
00:18:39,479 --> 00:18:40,889
been employed as a pen tester.

396
00:18:40,889 --> 00:18:42,209
You've mentioned some certificates.

397
00:18:43,020 --> 00:18:46,379
Which of these things, these
methods of learning, you would

398
00:18:46,379 --> 00:18:51,600
say, are the most efficient in
context of strictly bug bounty?

399
00:18:53,219 --> 00:18:54,929
I think it's really having your.

400
00:18:55,334 --> 00:18:58,185
Like deep diving and, working with it.

401
00:18:59,355 --> 00:19:04,695
I'm like a learner where having
someone teach me, I won't

402
00:19:04,695 --> 00:19:06,195
learn as much as reading.

403
00:19:06,199 --> 00:19:06,250
Yeah.

404
00:19:06,254 --> 00:19:07,935
For some reason when I read, I learn Yeah.

405
00:19:08,385 --> 00:19:09,524
Faster and easier.

406
00:19:10,574 --> 00:19:14,895
but having like really like testing
stuff, I think is the way to that.

407
00:19:15,225 --> 00:19:15,855
The way to go.

408
00:19:15,975 --> 00:19:16,155
Yeah.

409
00:19:17,355 --> 00:19:21,435
along with reading for example, when at
one point you will get stuck on something,

410
00:19:21,435 --> 00:19:24,764
so you will have to look it up, which
is equivalent to reading in the end.

411
00:19:24,855 --> 00:19:25,034
Yeah.

412
00:19:26,084 --> 00:19:30,345
so that's how I work,
in terms of learning.

413
00:19:31,215 --> 00:19:37,064
let's say I wanna learn something new,
I will try to do it or whatever it is,

414
00:19:37,665 --> 00:19:43,004
manually and then read a bit on it and
go back to it and, so for me personally,

415
00:19:43,004 --> 00:19:44,745
that's the, that's my way of learning.

416
00:19:44,774 --> 00:19:44,865
Yeah.

417
00:19:45,555 --> 00:19:45,765
Yeah.

418
00:19:46,605 --> 00:19:46,995
I, see.

419
00:19:46,995 --> 00:19:52,185
And I think the, it's easy to,
get lost in different methods.

420
00:19:52,215 --> 00:19:53,925
'cause they are very satisfying.

421
00:19:54,015 --> 00:19:57,105
Getting a certificate, having
a task done is very satisfying.

422
00:19:57,795 --> 00:20:00,915
But I think just getting
your hands dirty, right?

423
00:20:01,365 --> 00:20:02,535
it's the thing.

424
00:20:02,805 --> 00:20:03,225
I think so

425
00:20:03,225 --> 00:20:03,226
do.

426
00:20:03,231 --> 00:20:03,410
Yeah,

427
00:20:04,065 --> 00:20:04,425
for sure.

428
00:20:05,355 --> 00:20:08,025
so as mentioned, I saw your
hacker profile recently.

429
00:20:08,085 --> 00:20:13,305
It looks really good with a
reputation of, with an impact

430
00:20:13,365 --> 00:20:15,555
of over 37 in the last 90 days.

431
00:20:15,555 --> 00:20:15,645
Yes.

432
00:20:15,645 --> 00:20:16,455
Which is huge.

433
00:20:16,455 --> 00:20:19,455
It basically means you, you have only crits

434
00:20:20,055 --> 00:20:20,475
almost.

435
00:20:20,475 --> 00:20:20,535
Yeah.

436
00:20:20,715 --> 00:20:21,045
Almost.

437
00:20:21,315 --> 00:20:22,785
So what's the, secret?

438
00:20:22,785 --> 00:20:24,045
What's what happens recently?

439
00:20:26,055 --> 00:20:26,475
I don't know.

440
00:20:26,475 --> 00:20:29,955
I remember like setting a goal
for myself I think, for a long time.

441
00:20:31,635 --> 00:20:34,335
if you look at my overall impact all time.

442
00:20:35,129 --> 00:20:36,990
It used to be like around 20 something.

443
00:20:36,990 --> 00:20:38,550
I was like, I want to increase that.

444
00:20:38,610 --> 00:20:38,790
Yeah.

445
00:20:39,030 --> 00:20:40,500
'cause it's always fun.

446
00:20:40,500 --> 00:20:41,905
Half really and a half.

447
00:20:41,909 --> 00:20:42,149
Yeah.

448
00:20:42,929 --> 00:20:47,310
So I think now my impact,
what is it all time?

449
00:20:49,139 --> 00:20:50,429
25.95 all time.

450
00:20:50,730 --> 00:20:51,179
That's good.

451
00:20:51,300 --> 00:20:52,470
It used to be like 20 ish.

452
00:20:52,560 --> 00:20:52,620
Yeah.

453
00:20:52,620 --> 00:20:55,889
So it's I want to get, I
want to increase that to 25.

454
00:20:55,889 --> 00:20:58,169
So like my average would be
like equivalent of a high.

455
00:20:58,490 --> 00:20:58,730
Yeah,

456
00:20:59,270 --> 00:21:04,280
so in the past year or so, I
focused mainly on highs and crits.

457
00:21:04,730 --> 00:21:08,150
if I found a low, I would try to change
it with something else instead of

458
00:21:08,150 --> 00:21:10,730
reporting it as is something for mediums.

459
00:21:10,730 --> 00:21:14,030
I did submit a few mediums, but
I think mostly highs and crits

460
00:21:14,030 --> 00:21:17,420
and even like for mediums, let's
say reflected XSS.

461
00:21:18,590 --> 00:21:22,610
I don't think I reported
one XSS, which was medium.

462
00:21:22,670 --> 00:21:25,370
I've always increased it to high
and even some cases it's critical.

463
00:21:25,415 --> 00:21:25,615
Yeah,

464
00:21:25,760 --> 00:21:26,000
yeah.

465
00:21:26,150 --> 00:21:28,460
By basically taking over the account.

466
00:21:28,670 --> 00:21:29,450
Yes, exactly.

467
00:21:30,950 --> 00:21:34,160
and I found I, won't say it's,
a new technique, but like

468
00:21:34,190 --> 00:21:35,450
it's just thinking of how to.

469
00:21:37,440 --> 00:21:39,960
use the XSS to show impact.

470
00:21:41,250 --> 00:21:44,730
so I, won't say, I won't say I've
submitted only XSS, obviously not,

471
00:21:45,300 --> 00:21:50,280
and actually barely any XSS, maybe
like 10 maximum, throughout the year.

472
00:21:50,490 --> 00:21:55,050
But I did focus on high
criticals, on, I did focus on

473
00:21:55,740 --> 00:21:57,750
how to maybe better show impact.

474
00:21:58,380 --> 00:22:00,660
for example, again,
XSS as an example.

475
00:22:01,260 --> 00:22:02,370
I used to just do an alert.

476
00:22:02,680 --> 00:22:03,040
Yeah.

477
00:22:03,190 --> 00:22:09,580
But I found with time that showing impact
will result in better bounties and also

478
00:22:09,580 --> 00:22:12,880
better bounties means higher, impact.

479
00:22:13,090 --> 00:22:13,360
Yeah.

480
00:22:13,420 --> 00:22:14,230
So in the end,

481
00:22:16,600 --> 00:22:22,270
showing impact on all of my
reports, showing, I would say

482
00:22:24,880 --> 00:22:26,110
focusing on certain stuff.

483
00:22:26,140 --> 00:22:27,160
'cause I focus on everything.

484
00:22:28,240 --> 00:22:29,680
but lots of server-side issues.

485
00:22:29,680 --> 00:22:37,240
And I try to chain issues, show impact,
look for stuff that is a bit hidden.

486
00:22:37,330 --> 00:22:37,540
Yeah.

487
00:22:38,410 --> 00:22:40,750
and in the end, I reported lots of.

488
00:22:41,015 --> 00:22:43,745
Bugs that were high and, critical,
which increased my impact.

489
00:22:43,840 --> 00:22:44,130
Yeah.

490
00:22:44,315 --> 00:22:45,755
And now it's just like habit.

491
00:22:45,935 --> 00:22:50,195
So let's say in the 90 days, like,
it's 37, but now it's like
lecture, it's 37, but now it's like

492
00:22:50,285 --> 00:22:56,255
the way I work, I look for, stuff
that everybody looks for, I think.

493
00:22:56,795 --> 00:22:57,875
But I try to,

494
00:23:00,065 --> 00:23:01,385
show impact a bit more than I used to.

495
00:23:01,625 --> 00:23:02,015
Yeah.

496
00:23:02,315 --> 00:23:05,435
So what are your most common
commonly reported bug classes?

497
00:23:06,275 --> 00:23:10,595
probably SSRF, as you
guys saw, or not yet.

498
00:23:10,835 --> 00:23:11,525
I have,

499
00:23:13,565 --> 00:23:15,275
I reported an interesting one.

500
00:23:15,755 --> 00:23:16,325
so we,

501
00:23:16,325 --> 00:23:18,635
we published it on, YouTube two weeks ago.

502
00:23:18,635 --> 00:23:19,805
The writeup with it together.

503
00:23:19,805 --> 00:23:22,475
So if you haven't watched
it, make sure you, do.

504
00:23:22,475 --> 00:23:25,625
'cause it's an amazing
SSRF with a huge impact.

505
00:23:25,625 --> 00:23:27,155
And it's also.

506
00:23:28,095 --> 00:23:31,875
some techniques of both the exploitation
and detection that are probably

507
00:23:31,875 --> 00:23:33,315
universal across more targets.

508
00:23:33,645 --> 00:23:35,415
so definitely worth that.

509
00:23:36,735 --> 00:23:37,004
yes.

510
00:23:37,004 --> 00:23:37,304
Sorry.

511
00:23:37,304 --> 00:23:37,784
For sure.

512
00:23:38,294 --> 00:23:41,294
one of my, go-to one, those, one of
the bug classes I like to look for

513
00:23:41,294 --> 00:23:44,264
personally, on all, kind of applications.

514
00:23:44,774 --> 00:23:49,784
But I will not ignore other stuff
like, either server or client

515
00:23:49,784 --> 00:23:52,155
side, whether it's XSS or CSRF.

516
00:23:52,304 --> 00:23:52,455
Yeah.

517
00:23:53,205 --> 00:23:55,665
path traversal, both
client and server side.

518
00:23:56,145 --> 00:23:57,315
SQL injection, XXE.

519
00:23:57,315 --> 00:23:58,065
I'll look for everything.

520
00:23:58,185 --> 00:23:58,485
Yeah.

521
00:23:58,575 --> 00:23:59,595
Depending on what I see.

522
00:24:00,945 --> 00:24:05,085
I'll look at it, but I tend to
find more server-side stuff.

523
00:24:06,345 --> 00:24:09,135
my, like my client side
skills are limited a bit.

524
00:24:10,575 --> 00:24:14,385
so I will, rarely find
anything related to the DOM.

525
00:24:14,804 --> 00:24:15,405
DOM XSS.

526
00:24:15,405 --> 00:24:17,205
I probably won't even look for it.

527
00:24:17,415 --> 00:24:17,625
Yeah.

528
00:24:19,784 --> 00:24:23,715
but I, use like the JavaScript
to find endpoints to look for

529
00:24:23,715 --> 00:24:24,794
server-side stuff, for example.

530
00:24:25,064 --> 00:24:25,215
Yeah.

531
00:24:25,245 --> 00:24:25,365
So

532
00:24:25,365 --> 00:24:29,774
I tend to find more server
side bugs, a bit client side.

533
00:24:30,825 --> 00:24:33,314
so yeah, a bit of a generalist I'd say.

534
00:24:33,345 --> 00:24:33,675
Yeah.

535
00:24:33,675 --> 00:24:38,145
When I was preparing for the
interview I saw so, a big variety

536
00:24:38,145 --> 00:24:43,544
of different bugs you report and also
bugs that I ignore and I never look

537
00:24:43,544 --> 00:24:45,014
for them and I, so that's, oh yeah.

538
00:24:45,014 --> 00:24:49,425
That's why I wanted to interview for
example, server-side template injection.

539
00:24:50,115 --> 00:24:55,335
It's, 'cause for me the, problem of it
is that in theory it can be everywhere.

540
00:24:57,195 --> 00:24:58,274
I dunno, and I don't like.

541
00:24:58,590 --> 00:25:02,760
Putting the payloads everywhere if I don't
have some clue that the bug can be there.

542
00:25:03,240 --> 00:25:04,230
So what is your approach?

543
00:25:04,230 --> 00:25:08,129
Do you just have the, SSTI payloads
everywhere or do you look for some

544
00:25:08,129 --> 00:25:09,690
kind of clues that it can be there?

545
00:25:10,290 --> 00:25:11,220
a mix of both.

546
00:25:11,220 --> 00:25:14,159
So I used to be, like you were, I would
not necessarily put payloads everywhere.

547
00:25:14,970 --> 00:25:16,800
at one point I was like working on an app.

548
00:25:17,310 --> 00:25:18,720
I had found absolutely nothing.

549
00:25:18,930 --> 00:25:19,110
Yeah.

550
00:25:19,110 --> 00:25:21,360
And at one point I put my payload
everywhere and eventually.

551
00:25:21,565 --> 00:25:22,075
It worked.

552
00:25:22,225 --> 00:25:22,465
Yeah.

553
00:25:22,465 --> 00:25:22,675
Okay.

554
00:25:22,675 --> 00:25:24,565
Maybe I should put it everywhere.

555
00:25:24,565 --> 00:25:25,525
So I started doing that.

556
00:25:26,365 --> 00:25:28,015
But the, so sorry to interrupt.

557
00:25:28,465 --> 00:25:30,879
Which SSTI payload do you put,
do you have, that's the thing,

558
00:25:31,195 --> 00:25:32,305
a polyglot for all languages?

559
00:25:33,175 --> 00:25:33,805
not really.

560
00:25:33,865 --> 00:25:34,705
It depends on the app.

561
00:25:34,915 --> 00:25:35,065
Okay.

562
00:25:35,065 --> 00:25:39,775
Because certain applications, depending
on language that is used, the template

563
00:25:39,805 --> 00:25:41,425
engine will have its own syntax.

564
00:25:41,455 --> 00:25:41,575
Yeah.

565
00:25:42,205 --> 00:25:46,254
So let's say, Python engine
will be different than on Java.

566
00:25:46,315 --> 00:25:46,435
Yeah.

567
00:25:46,435 --> 00:25:49,615
From PHP, Ruby, it looks all different.

568
00:25:49,615 --> 00:25:53,635
So I try to focus on, what
could be used in the backend.

569
00:25:53,875 --> 00:25:54,115
Yeah.

570
00:25:55,165 --> 00:25:59,035
for client side, I do have like
more of a polyglot 'cause I have

571
00:25:59,245 --> 00:26:04,045
AngularJS, Vue, which has a
similar syntax in terms of templates.

572
00:26:05,275 --> 00:26:07,675
but for server side, I
try to be more specific.

573
00:26:08,065 --> 00:26:08,245
Yeah.

574
00:26:08,725 --> 00:26:09,835
also to bypass the WAF.

575
00:26:09,835 --> 00:26:14,035
'cause a lot of cases they're, they
blocked like curly brackets and whatnot.

576
00:26:15,350 --> 00:26:19,219
If you're a bit more specific, sometimes
you can work around bypassing off.

577
00:26:21,800 --> 00:26:21,980
yeah.

578
00:26:21,980 --> 00:26:22,459
So yeah.

579
00:26:23,790 --> 00:26:26,670
Technique now, specific,
but I've put it everywhere.

580
00:26:26,670 --> 00:26:31,410
'cause I've had cases where, it
worked and I was not expecting it.

581
00:26:33,780 --> 00:26:38,400
Does everything also mean like a default
headers, like user agent, I don't

582
00:26:38,400 --> 00:26:42,030
know, host header or is it just inputs?

583
00:26:42,090 --> 00:26:43,020
Just inputs, yeah.

584
00:26:43,020 --> 00:26:43,021
Yeah.

585
00:26:43,080 --> 00:26:45,390
And maybe you should try headers
as you're bringing a good

586
00:26:45,390 --> 00:26:47,850
point, but, yeah, just inputs.

587
00:26:48,300 --> 00:26:48,630
Yeah.

588
00:26:48,660 --> 00:26:53,610
For me, I, dunno, I feel stupid for
not testing so many things, but,

589
00:26:54,930 --> 00:27:00,600
one thing I noticed, is some, a lot of
the applications, the way that build

590
00:27:00,600 --> 00:27:06,300
these days is your input will is like on
the application, but it will be brought.

591
00:27:06,490 --> 00:27:07,090
Elsewhere.

592
00:27:07,450 --> 00:27:07,720
Yeah.

593
00:27:08,889 --> 00:27:12,370
and those, sometimes those,
elsewhere will be vulnerable.

594
00:27:12,370 --> 00:27:15,159
So your payload may trigger on that one.

595
00:27:15,310 --> 00:27:15,520
Yeah.

596
00:27:15,520 --> 00:27:19,210
So like a second order
injection in this case, Yeah.

597
00:27:19,210 --> 00:27:24,485
I had a few cases
like that, with Ansible,

598
00:27:26,679 --> 00:27:31,270
where I put in my payload, like
in my, my, in my email address.

599
00:27:31,389 --> 00:27:31,570
Yeah.

600
00:27:31,659 --> 00:27:35,350
And it eventually worked like in
a totally different application.

601
00:27:35,590 --> 00:27:39,220
I put my, in my payload, like I think
seven times seven, like the typical Yeah.

602
00:27:39,250 --> 00:27:39,820
Testing thing.

603
00:27:41,290 --> 00:27:44,320
and then my email address,
it was like JR0 plus 49.

604
00:27:44,320 --> 00:27:45,010
I was like, whoa.

605
00:27:45,250 --> 00:27:47,950
And it was like totally different
code, different everything.

606
00:27:47,950 --> 00:27:51,490
It's yeah, something's happening
on the way there or over there.

607
00:27:52,389 --> 00:27:56,530
So yeah, I've been just trying
to put it everywhere if I can.

608
00:27:56,889 --> 00:27:58,600
'cause you never know
where you, your input will,

609
00:27:58,750 --> 00:27:59,470
will end up.

610
00:27:59,560 --> 00:27:59,770
Yeah.

611
00:27:59,800 --> 00:28:01,240
Do you have some kind.

612
00:28:02,775 --> 00:28:05,925
I dunno, a word list that you
always put in the, payload.

613
00:28:05,925 --> 00:28:07,935
Do you manually type it into each input?

614
00:28:08,055 --> 00:28:10,582
What's the, like, how
exactly do you, do it?

615
00:28:11,415 --> 00:28:12,825
just like a match and replace rule.

616
00:28:13,050 --> 00:28:13,340
Okay.

617
00:28:14,415 --> 00:28:19,125
so I have, let's say
I would put SSTI and in the payload

618
00:28:19,125 --> 00:28:21,825
it would be like my polyglot
for client side. Or, that's smart.

619
00:28:22,395 --> 00:28:24,585
Or another, keyword.

620
00:28:24,645 --> 00:28:24,885
Yeah.

621
00:28:25,785 --> 00:28:31,425
for server side stuff, I use
lots of, match and replace rules.

622
00:28:31,425 --> 00:28:33,285
Just bypass like client side
restrictions and whatnot.

623
00:28:33,285 --> 00:28:33,555
Yeah.

624
00:28:33,945 --> 00:28:34,785
That's super nice.

625
00:28:35,205 --> 00:28:36,285
I never thought about this.

626
00:28:36,315 --> 00:28:39,675
I use uman, it's called Okay.

627
00:28:40,455 --> 00:28:46,755
But I don't use it enough, I
think, and it does not always work.

628
00:28:46,755 --> 00:28:49,260
Especially if you have some
kind of weird input or whatever.

629
00:28:49,265 --> 00:28:49,425
Okay.

630
00:28:49,425 --> 00:28:49,725
Yeah.

631
00:28:50,175 --> 00:28:53,565
So that's, yeah, I'm definitely
going to, use this from now on.

632
00:28:53,745 --> 00:28:54,015
Awesome.

633
00:28:54,585 --> 00:28:59,655
Another, the bug class I never find, 'cause
I never test for it, is SQL injection.

634
00:28:59,715 --> 00:28:59,985
Yeah.

635
00:29:00,135 --> 00:29:04,035
You have, I saw a Twitter
picture from last year from 2024.

636
00:29:04,125 --> 00:29:04,785
Yeah, you had some.

637
00:29:05,325 --> 00:29:07,365
So it's still around.

638
00:29:07,695 --> 00:29:07,935
I

639
00:29:07,935 --> 00:29:10,755
found four more in 2025.

640
00:29:11,505 --> 00:29:11,715
So

641
00:29:11,715 --> 00:29:12,495
centuries.

642
00:29:12,495 --> 00:29:12,885
Yes,

643
00:29:12,885 --> 00:29:14,085
it still exists for sure.

644
00:29:15,225 --> 00:29:16,365
I think like in the end.

645
00:29:17,004 --> 00:29:18,504
First SQL injection.

646
00:29:18,565 --> 00:29:18,835
Yeah.

647
00:29:18,925 --> 00:29:24,115
Even if you have your database like
in, AWS, like I've forgotten the name.

648
00:29:24,715 --> 00:29:28,885
but anyways, or like in Azure, it's still
in the end the code that is vulnerable.

649
00:29:29,275 --> 00:29:29,365
Yeah.

650
00:29:29,365 --> 00:29:33,264
So the developers still
code, vulnerable code.

651
00:29:34,045 --> 00:29:34,885
you'll still find some.

652
00:29:36,655 --> 00:29:40,825
and so yeah, so the ones that I
found this year were really simple.

653
00:29:40,885 --> 00:29:44,725
Like I just added like a single
quote and see how it reacted.

654
00:29:45,504 --> 00:29:48,504
It gave me an error message showing
that it's probably vulnerable.

655
00:29:49,615 --> 00:29:53,860
and indeed it was, and it's
nothing that really complicated.

656
00:29:53,930 --> 00:29:57,475
yeah, sometimes there are, they
are complicated, but the ones that

657
00:29:57,475 --> 00:30:04,975
I found, in, this year, 2025, it's
just like single quote, send it

658
00:30:04,975 --> 00:30:07,014
to sqlmap and the rest is done.

659
00:30:07,825 --> 00:30:08,211
Yeah, I think so.

660
00:30:08,216 --> 00:30:11,185
It's literally minutes
of, testing and Yeah.

661
00:30:11,425 --> 00:30:11,695
Yeah.

662
00:30:11,695 --> 00:30:14,035
I think the exploitation part is the.

663
00:30:15,100 --> 00:30:17,050
The more doable one, I think.

664
00:30:17,290 --> 00:30:19,125
Detect the more difficult to, detect.

665
00:30:19,185 --> 00:30:19,885
Detect it.

666
00:30:20,830 --> 00:30:25,990
So I have a few methods of, like
testing, but something that is hard is

667
00:30:26,320 --> 00:30:28,750
identifying the database that is used.

668
00:30:29,020 --> 00:30:29,260
Yeah.

669
00:30:29,560 --> 00:30:33,040
sometimes like the, you won't get
any error messages, but you'll

670
00:30:33,040 --> 00:30:35,770
see that the application reacts
differently depending on your input.

671
00:30:36,730 --> 00:30:39,790
so that, that is usually hard to identify.

672
00:30:39,790 --> 00:30:42,669
Some cases like it, the application
is built on Ruby, on Rails.

673
00:30:43,300 --> 00:30:45,580
A lot of times it works
best with Postgres.

674
00:30:45,580 --> 00:30:48,879
So you can guess that it's
Postgres or PHP, it'll probably

675
00:30:48,879 --> 00:30:50,800
be MySQL but you never know.

676
00:30:51,024 --> 00:30:51,790
You can be anything.

677
00:30:52,840 --> 00:30:54,580
same thing for apps.

678
00:30:54,585 --> 00:30:59,085
Built on C# or Microsoft products
will most likely be MSSQL.

679
00:30:59,355 --> 00:30:59,475
Yeah.

680
00:30:59,505 --> 00:31:01,035
But again, you never
know it can be anything.

681
00:31:01,035 --> 00:31:01,305
Right?

682
00:31:01,575 --> 00:31:01,815
Yeah.

683
00:31:02,505 --> 00:31:04,335
so this is usually
something that's quite hard.

684
00:31:05,145 --> 00:31:11,325
we had a technique doesn't always
work, but sometimes it does, for

685
00:31:11,325 --> 00:31:13,065
identifying what is used in the backend.

686
00:31:13,395 --> 00:31:17,955
And it's really simple just looking at
like job applications or job offers.

687
00:31:17,955 --> 00:31:22,665
Sometimes they, list oh, we're
looking for a, database administrator.

688
00:31:22,725 --> 00:31:24,825
Yeah, this is what we're using,
so okay, this, they use that.

689
00:31:24,825 --> 00:31:27,225
So maybe it's, that's, what
it's used in the backend.

690
00:31:28,545 --> 00:31:31,065
so sometimes that's just a simple
thing, need that, that can work.

691
00:31:32,925 --> 00:31:35,205
but, so yeah, there's,
they still exists in 2025.

692
00:31:35,295 --> 00:31:35,535
Yeah.

693
00:31:35,535 --> 00:31:36,490
I saw, I

694
00:31:36,790 --> 00:31:42,585
saw in one of your, I think it was an
article on background that sometimes

695
00:31:42,585 --> 00:31:44,415
for recon you browse job applications.

696
00:31:44,415 --> 00:31:47,295
And I was like, yeah, what
information do you find?

697
00:31:47,295 --> 00:31:49,395
Job applications and
Yeah, that makes sense.

698
00:31:49,755 --> 00:31:49,995
Yes.

699
00:31:49,995 --> 00:31:51,615
I find that it's interesting 'cause.

700
00:31:51,975 --> 00:31:56,264
And, when you look at application
itself, you'll see like language,

701
00:31:56,264 --> 00:31:59,895
like quick plugins, like you were
built with, and with error messages.

702
00:31:59,895 --> 00:32:05,564
You can see a bit what's used in the
backend, but you, it won't go in detail

703
00:32:05,564 --> 00:32:07,155
as much as like a job application.

704
00:32:07,245 --> 00:32:07,514
Yeah.

705
00:32:08,655 --> 00:32:11,145
I find that some companies have
started like hiding that a bit,

706
00:32:11,205 --> 00:32:14,445
but some others, like they'll show
like, oh, Elasticsearch, MongoDB.

707
00:32:14,774 --> 00:32:18,105
they, so everything what developers
need to know, and this is a good

708
00:32:18,105 --> 00:32:23,534
indicator of what is potentially used
in the background around that product.

709
00:32:23,655 --> 00:32:23,865
Yeah.

710
00:32:24,554 --> 00:32:28,034
like I said, like your input can
go from one app to the other.

711
00:32:28,965 --> 00:32:32,655
let's say, it can go from the app
to Elasticsearch, or maybe your

712
00:32:32,655 --> 00:32:37,155
data is stored in MongoDB and then a
job fetches the data from MongoDB

713
00:32:37,155 --> 00:32:38,655
and puts it in a admin dashboard.

714
00:32:38,655 --> 00:32:39,554
Like you never know, right?

715
00:32:39,675 --> 00:32:39,885
Yeah.

716
00:32:40,784 --> 00:32:42,495
so knowing what is used.

717
00:32:43,230 --> 00:32:46,320
In the product or around, I think
it's like an indicator or not an

718
00:32:46,320 --> 00:32:49,890
indicator, but like it helps in
terms of recon. For me personally.

719
00:32:49,920 --> 00:32:50,130
Yeah.

720
00:32:50,400 --> 00:32:51,840
Of what it could, test for.

721
00:32:52,080 --> 00:32:55,260
Also, one thing I saw in, one of
the interview, in, in the same

722
00:32:55,260 --> 00:32:58,530
blog post background was that
you think what infrastructure

723
00:32:58,530 --> 00:33:00,900
as code is used, tools are used.

724
00:33:01,710 --> 00:33:04,500
And my question is, first,
how do we even determine this?

725
00:33:04,500 --> 00:33:08,610
And the second is, if you know what tools
are used, how do you use this information?

726
00:33:09,180 --> 00:33:09,480
Yeah.

727
00:33:09,510 --> 00:33:11,430
So this is like really context dependent.

728
00:33:13,080 --> 00:33:13,770
so in.

729
00:33:14,550 --> 00:33:17,580
When I wrote that article with
background, it's 'cause I recently

730
00:33:17,580 --> 00:33:26,280
found an SSTI, with Terraform where
my input landed in, a Terraform file.

731
00:33:26,395 --> 00:33:26,685
Okay.

732
00:33:26,784 --> 00:33:29,159
So it, so Terraform evaluated my input.

733
00:33:29,699 --> 00:33:30,270
Okay.

734
00:33:30,510 --> 00:33:32,205
It's a very specific
functionality, isn't it?

735
00:33:32,235 --> 00:33:32,524
Yeah,

736
00:33:32,639 --> 00:33:35,639
it was, and in the end I could
see that it validated because it

737
00:33:35,879 --> 00:33:37,379
rendered it back to the application.

738
00:33:37,710 --> 00:33:38,040
Yeah.

739
00:33:38,764 --> 00:33:42,125
and with testing at, the time
I had no idea it was Terraform.

740
00:33:42,300 --> 00:33:42,570
Yeah.

741
00:33:42,600 --> 00:33:44,429
So I knew something was
happening, but not sure what.

742
00:33:44,429 --> 00:33:47,820
So with testing and all, I figured
okay, maybe it's a Terraform

743
00:33:47,820 --> 00:33:50,725
'cause I worked with it in the past
while I was working in, AppSec.

744
00:33:50,835 --> 00:33:51,125
Yeah.

745
00:33:51,689 --> 00:33:52,685
I was like, is it that?

746
00:33:52,800 --> 00:33:54,570
So I tested it and indeed it was,

747
00:33:54,659 --> 00:33:54,929
yeah.

748
00:33:55,439 --> 00:34:00,330
Was this, some kind of functionality,
which was it like, testing a cloud

749
00:34:00,330 --> 00:34:03,030
provider which allowed you to
deploy somehow something like this?

750
00:34:03,360 --> 00:34:03,720
yes.

751
00:34:04,169 --> 00:34:04,350
okay.

752
00:34:04,409 --> 00:34:04,770
Not.

753
00:34:05,220 --> 00:34:09,389
A cloud provider, but you could deploy,
like products, like you could deploy

754
00:34:09,389 --> 00:34:10,650
like WordPress and stuff like that.

755
00:34:10,770 --> 00:34:11,159
Yeah.

756
00:34:11,159 --> 00:34:11,161
Yeah.

757
00:34:11,161 --> 00:34:11,264
I see.

758
00:34:11,264 --> 00:34:13,050
So it's so context dependent.

759
00:34:13,050 --> 00:34:13,290
Yeah.

760
00:34:13,409 --> 00:34:17,040
So you won't probably, won't see
that like in regular applications.

761
00:34:17,639 --> 00:34:20,699
But again, if it's something that
you can deploy stuff or maybe

762
00:34:20,699 --> 00:34:22,500
sometimes not, it really depends.

763
00:34:22,560 --> 00:34:23,009
Yeah.

764
00:34:23,040 --> 00:34:25,500
but something that I
only find once with Yeah.

765
00:34:25,500 --> 00:34:25,679
I see.

766
00:34:27,285 --> 00:34:28,515
I found this so it exists.

767
00:34:28,515 --> 00:34:29,505
So maybe others target.

768
00:34:29,745 --> 00:34:29,955
Yeah.

769
00:34:29,955 --> 00:34:32,085
And these targets are
very interesting, right?

770
00:34:32,475 --> 00:34:35,715
Anything built for developer
developers is very interesting,

771
00:34:35,720 --> 00:34:36,440
at least from my experience.

772
00:34:36,446 --> 00:34:36,885
exactly.

773
00:34:36,885 --> 00:34:37,245
Yeah.

774
00:34:37,305 --> 00:34:38,985
Because the functionality is very complex.

775
00:34:39,705 --> 00:34:45,525
The what happens under the hood often,
like executes commands, creates clusters.

776
00:34:45,525 --> 00:34:45,795
Exactly.

777
00:34:45,795 --> 00:34:45,915
True.

778
00:34:46,005 --> 00:34:46,965
This is very complex.

779
00:34:46,965 --> 00:34:47,955
This is very hard to get.

780
00:34:48,345 --> 00:34:48,495
True.

781
00:34:49,125 --> 00:34:53,775
And they may not think about the
security impact or maybe you have

782
00:34:53,775 --> 00:34:57,375
some kind of separation, so they
don't, we don't need security.

783
00:34:57,375 --> 00:34:59,055
'cause you have your own
instance and then you have.

784
00:34:59,290 --> 00:35:00,490
A client side bug.

785
00:35:01,299 --> 00:35:04,270
Which allows us to do anything
and Exactly from my, yeah.

786
00:35:04,569 --> 00:35:06,310
these targets are very interesting.

787
00:35:06,490 --> 00:35:06,940
That's true.

788
00:35:09,220 --> 00:35:13,630
one other bug class that, that I saw
your report and I also, sometimes

789
00:35:13,630 --> 00:35:17,890
I do test for it, but rarely,
probably not often enough is XXC.

790
00:35:18,970 --> 00:35:22,240
Because this is very specific, I
guess this is not a case where you

791
00:35:22,240 --> 00:35:26,830
spam the payloads 'cause you need
like the XML parser to, do it.

792
00:35:27,640 --> 00:35:34,060
But do you have some experience
of maybe cases where it wasn't so

793
00:35:34,060 --> 00:35:38,259
obvious XML is parsed, but through
some trick you made it parse XML?

794
00:35:40,210 --> 00:35:45,490
not really. When I test for XXE
it's 'cause I saw something XML related.

795
00:35:45,549 --> 00:35:45,759
Yeah.

796
00:35:46,120 --> 00:35:50,529
But what I did have luck with
is look at features that people

797
00:35:50,529 --> 00:35:52,930
did not think XML was used.

798
00:35:52,990 --> 00:35:53,380
Yeah.

799
00:35:53,380 --> 00:35:53,381
Yeah.

800
00:35:53,435 --> 00:35:53,555
I

801
00:35:53,680 --> 00:35:58,569
had one case, Two years
ago, I think, where.

802
00:36:00,839 --> 00:36:01,560
what was it again?

803
00:36:01,830 --> 00:36:02,790
I'm trying to remember here.

804
00:36:05,190 --> 00:36:12,390
but yeah, you could convert, like a doc
file or a PDF to, another file type.

805
00:36:12,569 --> 00:36:12,870
Yeah.

806
00:36:13,200 --> 00:36:16,620
And one of the options was, XLIFF file.

807
00:36:17,670 --> 00:36:20,520
What, yeah, what exactly?

808
00:36:20,520 --> 00:36:21,180
It proves a point.

809
00:36:21,509 --> 00:36:25,080
So I looked at what is an
XLIFF file, so X-L-I-F-F.

810
00:36:25,529 --> 00:36:25,920
Okay.

811
00:36:26,279 --> 00:36:28,259
And by looking into it, it was XML.

812
00:36:28,410 --> 00:36:28,770
Okay.

813
00:36:29,040 --> 00:36:32,609
So I just put a regular
XXE payload and it worked.

814
00:36:34,109 --> 00:36:37,950
how did you get to, to, how did you
discover a file like this exists?

815
00:36:40,049 --> 00:36:40,350
type,

816
00:36:40,920 --> 00:36:41,220
I mean,

817
00:36:41,220 --> 00:36:42,990
in the options on the UI itself.

818
00:36:42,990 --> 00:36:46,319
On application, you could
do like a DOC, Excel.

819
00:36:46,649 --> 00:36:46,799
Yeah.

820
00:36:46,859 --> 00:36:49,440
PowerPoint, regular TXT, HTML.

821
00:36:49,500 --> 00:36:50,819
And in the bottom there was XLIFF.

822
00:36:50,910 --> 00:36:51,270
Yeah.

823
00:36:52,020 --> 00:36:54,870
So probably people tested for
DOC and PowerPoint, Excel.

824
00:36:54,899 --> 00:36:58,340
'cause it's a known technique where you
can, it's a, it's a. XML document in end.

825
00:36:58,340 --> 00:36:58,460
Yeah.

826
00:36:58,670 --> 00:37:00,170
That just compressed or zip whatever.

827
00:37:00,710 --> 00:37:04,400
So people probably tested for that,
but have they tested, I mean they also

828
00:37:04,400 --> 00:37:09,020
probably tested from HTML to other
stuff, but have they tested for XLIFF?

829
00:37:09,020 --> 00:37:10,190
And you said what?

830
00:37:10,190 --> 00:37:12,410
So yeah, you, yeah, exactly.

831
00:37:12,410 --> 00:37:13,100
So have no idea.

832
00:37:13,100 --> 00:37:15,680
I was like, probably not, Yeah.

833
00:37:15,710 --> 00:37:16,955
So I tested it and it worked.

834
00:37:16,955 --> 00:37:18,470
I was the first one and
I got a bounty for it.

835
00:37:18,470 --> 00:37:20,120
And yeah.

836
00:37:20,120 --> 00:37:25,759
So I look for stuff where maybe people
will not look or think XML is used.

837
00:37:25,940 --> 00:37:26,180
Yeah.

838
00:37:27,080 --> 00:37:34,009
I had another case on that same
application, in regards to, sitemap

839
00:37:34,009 --> 00:37:38,270
parsing just a bit more of a known
technique where sitemap is, an XML file.

840
00:37:38,300 --> 00:37:38,480
Yeah.

841
00:37:38,930 --> 00:37:42,080
So I had one case like that where
you can give it like a remote,

842
00:37:42,830 --> 00:37:44,960
sitemap file and it'll parse it.

843
00:37:46,130 --> 00:37:47,810
and then XML XXE.

844
00:37:47,990 --> 00:37:48,200
Yeah.

845
00:37:48,950 --> 00:37:49,820
apart from that, like it's.

846
00:37:50,370 --> 00:37:53,940
I won't necessarily put like
XXE payloads blindly.

847
00:37:54,029 --> 00:37:57,180
I'm just trying to find a function
that functionality or like

848
00:37:57,210 --> 00:38:01,380
other, other XML related specs.

849
00:38:01,590 --> 00:38:05,279
I've had luck with that as well,
where it's like format that is

850
00:38:05,279 --> 00:38:08,610
XML-based and you can put XXE in
there 'cause it doesn't expect it.

851
00:38:09,060 --> 00:38:12,180
the parser won't expect it, but
it'll still parse it in some, cases.

852
00:38:14,520 --> 00:38:14,910
so yeah.

853
00:38:15,420 --> 00:38:15,690
How, what do

854
00:38:15,690 --> 00:38:15,900
you mean

855
00:38:15,900 --> 00:38:17,220
other XML specs?

856
00:38:18,090 --> 00:38:18,569
what does it mean?

857
00:38:19,560 --> 00:38:24,661
So one that I found recently, I'm
not sure if I can disclose, the

858
00:38:24,665 --> 00:38:25,740
spec name, I guess it spec name.

859
00:38:25,799 --> 00:38:26,430
It can be anything.

860
00:38:26,580 --> 00:38:26,790
Yeah.

861
00:38:26,819 --> 00:38:26,940
It's

862
00:38:26,940 --> 00:38:27,960
called cXML.

863
00:38:28,170 --> 00:38:28,529
Okay.

864
00:38:28,650 --> 00:38:30,060
I forgot what cXML is.

865
00:38:30,060 --> 00:38:31,080
We can look it up real quick.

866
00:38:33,520 --> 00:38:35,230
Commerce eXtensible Markup Language.

867
00:38:35,500 --> 00:38:35,590
Okay.

868
00:38:35,590 --> 00:38:38,290
And this is like one example, but
there were others that I found in

869
00:38:38,290 --> 00:38:44,110
the past, which, it was completely
different, spec related to, I

870
00:38:44,110 --> 00:38:45,400
think like translation stuff.

871
00:38:45,700 --> 00:38:46,090
Okay.

872
00:38:47,140 --> 00:38:50,620
and it was like, XML based spec.

873
00:38:51,250 --> 00:38:54,400
so I just looked at the docs
online, see how it worked.

874
00:38:55,600 --> 00:38:57,610
and then in the end, maybe you
can get an XXE with that.

875
00:38:58,330 --> 00:38:59,590
'cause in the end it is xml.

876
00:38:59,590 --> 00:39:03,790
So maybe the parser in the backend will
parse it even though it doesn't look

877
00:39:03,790 --> 00:39:06,010
like, it doesn't look like XXE.

878
00:39:06,460 --> 00:39:08,470
It's maybe a feature that
others don't think of.

879
00:39:08,890 --> 00:39:09,705
There is XML parsing.

880
00:39:09,910 --> 00:39:10,420
It's not as

881
00:39:10,420 --> 00:39:11,830
obvious for not as obvious.

882
00:39:11,830 --> 00:39:12,370
Yeah, exactly.

883
00:39:12,520 --> 00:39:12,880
I see.

884
00:39:13,540 --> 00:39:13,750
Yeah.

885
00:39:14,050 --> 00:39:14,320
Yeah.

886
00:39:14,320 --> 00:39:17,320
Although now I thought about this
probably spamming the payload.

887
00:39:17,700 --> 00:39:21,509
Once every hundred targets it
will probably work as well.

888
00:39:21,509 --> 00:39:21,660
Maybe.

889
00:39:21,660 --> 00:39:22,049
Yeah.

890
00:39:22,259 --> 00:39:22,770
Potentially.

891
00:39:22,770 --> 00:39:23,009
Yes.

892
00:39:23,015 --> 00:39:23,214
Yeah.

893
00:39:23,455 --> 00:39:27,720
It's, crazy how many things we,
probably miss as hunters in general,

894
00:39:27,900 --> 00:39:28,170
right.

895
00:39:28,470 --> 00:39:33,210
For like weird, things that happen
that you can never guess blindly.

896
00:39:33,630 --> 00:39:33,900
True.

897
00:39:34,830 --> 00:39:35,069
yeah.

898
00:39:35,279 --> 00:39:35,400
And

899
00:39:35,400 --> 00:39:42,569
one thing as well that has, has happened
in the past, recently is external,

900
00:39:42,750 --> 00:39:44,520
these don't work, but internal ones do.

901
00:39:45,000 --> 00:39:46,200
What's an internal entity?

902
00:39:46,589 --> 00:39:48,240
internal DTD internal document.

903
00:39:48,480 --> 00:39:51,839
Oh, yeah, I forgot what DTD stands
for. Document type definition, I think.

904
00:39:52,740 --> 00:39:53,490
so internal DTD.

905
00:39:53,490 --> 00:39:56,069
So instead of pointing to
like your own DTD file Yeah.

906
00:39:56,069 --> 00:39:57,299
You have to point to an internal one.

907
00:39:57,720 --> 00:40:00,390
so I've had a few cases where
external ones weren't allowed,

908
00:40:00,390 --> 00:40:01,620
but internal ones did work.

909
00:40:02,190 --> 00:40:03,240
So we have to test for both.

910
00:40:03,330 --> 00:40:03,480
Yeah.

911
00:40:03,509 --> 00:40:07,290
'cause I guess there's
one that's default in Ubuntu.

912
00:40:07,845 --> 00:40:08,895
That's like always Yeah.

913
00:40:08,895 --> 00:40:09,314
Depending on the os.

914
00:40:09,825 --> 00:40:10,035
Yeah.

915
00:40:10,035 --> 00:40:11,955
You'll have always these files available.

916
00:40:11,955 --> 00:40:12,254
Yeah.

917
00:40:12,314 --> 00:40:12,495
Yeah.

918
00:40:12,495 --> 00:40:17,055
'cause it sounds pretty, because
the thing is you don't fetch

919
00:40:17,055 --> 00:40:18,404
the DTD from your server.

920
00:40:19,035 --> 00:40:23,654
You need to know a local DTD, which sounds
like something that's really hard to know.

921
00:40:23,654 --> 00:40:24,674
In a black box test.

922
00:40:24,884 --> 00:40:25,125
Right.

923
00:40:25,274 --> 00:40:26,294
But there are a few that are.

924
00:40:26,755 --> 00:40:31,194
In, I guess it was Debian that
is always in the same directory.

925
00:40:31,285 --> 00:40:34,915
And if you can use the file protocol,
it's not like guesswork, it's a

926
00:40:34,915 --> 00:40:35,485
Exactly.

927
00:40:35,485 --> 00:40:35,845
Yeah.

928
00:40:36,384 --> 00:40:40,915
and there are, I have a GitHub repo,
not mine, but like I starred

929
00:40:40,915 --> 00:40:46,825
a GitHub repo that has a bunch of
payloads containing internal DTDs.

930
00:40:46,884 --> 00:40:47,125
Yeah,

931
00:40:47,365 --> 00:40:47,995
that's pretty interesting.

932
00:40:47,995 --> 00:40:50,424
So I usually just use
that list, test it out.

933
00:40:50,424 --> 00:40:52,105
'cause in the end you're a black box.

934
00:40:52,285 --> 00:40:54,205
So you don't know what OS
is used in the backend.

935
00:40:54,265 --> 00:40:55,735
Yeah, I think I, or not the

936
00:40:55,740 --> 00:40:56,755
backend, yeah.

937
00:40:56,755 --> 00:40:59,995
I think I remember using this
repo once as well for, something.

938
00:41:00,775 --> 00:41:00,985
Yeah.

939
00:41:01,045 --> 00:41:04,975
So for XXE, keep in mind to test
for internal DTDs as well.

940
00:41:05,005 --> 00:41:09,895
'cause yeah, I found that not a lot of
times, but sometimes, like I said, by

941
00:41:09,895 --> 00:41:15,625
default, I think now more, nowadays, by
default they disable external DTDs.

942
00:41:15,625 --> 00:41:17,365
But maybe forget about internal ones.

943
00:41:17,370 --> 00:41:17,620
Yeah.

944
00:41:17,995 --> 00:41:18,205
Yeah.

945
00:41:18,205 --> 00:41:18,805
That's a good one.

946
00:41:21,460 --> 00:41:21,700
Good.

947
00:41:22,750 --> 00:41:25,840
These are, the bug that were,
that are painful for me.

948
00:41:25,960 --> 00:41:29,860
'cause I, know I miss them because
I just don't test for them.

949
00:41:30,250 --> 00:41:33,340
I don't know why, but, yeah.

950
00:41:33,430 --> 00:41:37,904
Another bug that I do actually test
for, but I want to test more.

951
00:41:37,904 --> 00:41:40,185
'cause I see the potential,
secondary path traversal.

952
00:41:40,305 --> 00:41:40,545
Yes.

953
00:41:41,595 --> 00:41:42,855
How, is your experience with them?

954
00:41:43,275 --> 00:41:46,935
One of my favorite bugs, I test
for it on every app that I, use.

955
00:41:46,935 --> 00:41:46,995
Yeah.

956
00:41:46,995 --> 00:41:49,005
If I see that it's probably happening,

957
00:41:51,194 --> 00:41:56,595
I, it's not something that I found often,
but I do look for it, and then I

958
00:41:56,595 --> 00:42:01,995
think, it can be like a really impactful
bug if you're able to show impact.

959
00:42:02,055 --> 00:42:02,235
Yeah.

960
00:42:03,615 --> 00:42:06,915
it's funny 'cause when I was, when I
started looking for that, it's roughly

961
00:42:06,915 --> 00:42:11,325
the same time around, when Sam Curry
published his research about it.

962
00:42:12,015 --> 00:42:15,105
And I actually asked him,
have you seen this before?

963
00:42:15,134 --> 00:42:16,845
'cause I know this,
it's his type of thing.

964
00:42:16,904 --> 00:42:19,665
So he's oh, I'm actually
doing a, research on it.

965
00:42:19,665 --> 00:42:21,105
I published it like in
the, week or something.

966
00:42:21,105 --> 00:42:21,765
It was like really late.

967
00:42:21,765 --> 00:42:21,944
Yeah.

968
00:42:22,140 --> 00:42:24,120
Around the same time I say,
oh, cool, I'll just look it up.

969
00:42:26,490 --> 00:42:29,549
and yeah, like I said, it's, common.

970
00:42:29,640 --> 00:42:33,120
It's not something that I've found
too many times, but I think it's

971
00:42:33,120 --> 00:42:39,299
sometimes, a lot of times it's hard
to, I mean it won't be verbose, a lot.

972
00:42:39,450 --> 00:42:41,609
It'll show that maybe
it's happening, maybe not.

973
00:42:41,700 --> 00:42:41,790
Yeah.

974
00:42:41,790 --> 00:42:42,960
Depending on the error message.

975
00:42:45,509 --> 00:42:49,500
and there's a lot, lots of guessing
work as well needed if it's a bit blind.

976
00:42:49,859 --> 00:42:50,129
Yeah.

977
00:42:50,250 --> 00:42:54,299
Do you fuzz all the path parameters
or all the parameters, or what?

978
00:42:55,560 --> 00:42:55,830
I

979
00:42:56,490 --> 00:42:58,350
go a bit logically.

980
00:42:58,470 --> 00:42:58,740
Okay.

981
00:42:59,700 --> 00:43:03,000
'cause some parameters, for
example, let's say it's like a,

982
00:43:03,000 --> 00:43:05,850
a JSON body of a POST request.

983
00:43:06,540 --> 00:43:12,629
If the parameter is like id, then let's
say it's like a digit, then maybe in the

984
00:43:12,629 --> 00:43:17,940
backend it, there will be like a call,
let's say API v1 slash object name.

985
00:43:18,700 --> 00:43:19,210
Then the ID.

986
00:43:19,510 --> 00:43:19,750
Yeah.

987
00:43:19,810 --> 00:43:21,460
So maybe this is a good parameter to test.

988
00:43:21,670 --> 00:43:21,850
Yeah.

989
00:43:22,060 --> 00:43:27,280
If it's, let's say like a parameter just
looks more like a metric related, for

990
00:43:27,280 --> 00:43:31,090
example, it'll have like your Chrome
version for example, then probably not.

991
00:43:31,120 --> 00:43:31,450
Yeah.

992
00:43:31,450 --> 00:43:33,100
I try to go a bit more logically.

993
00:43:34,810 --> 00:43:39,400
but I, would test every, that
I, let's say, I'm not sure.

994
00:43:39,765 --> 00:43:42,045
It's like really specific
to the application.

995
00:43:42,165 --> 00:43:45,045
And I would test maybe
all parameters to check.

996
00:43:45,225 --> 00:43:46,035
'cause you never know, right?

997
00:43:46,095 --> 00:43:46,305
Yeah.

998
00:43:47,924 --> 00:43:49,275
so yeah, that would be my approach.

999
00:43:49,455 --> 00:43:49,665
Yeah.

1000
00:43:49,695 --> 00:43:53,895
'cause yeah, it makes sense to
basically test every parameter

1001
00:43:53,895 --> 00:43:55,575
that can be in the path later.

1002
00:43:55,575 --> 00:43:57,134
That test would make sense to test.

1003
00:43:57,134 --> 00:44:00,825
So most of the time it's
gonna be IDs, Maybe a

1004
00:44:00,825 --> 00:44:01,305
type.

1005
00:44:02,205 --> 00:44:07,485
And, regarding to that, I discovered
a new, I won't say new technique,

1006
00:44:07,485 --> 00:44:11,625
but something related to secondary
path traversal, with GraphQL.

1007
00:44:12,975 --> 00:44:13,186
I'm gonna.

1008
00:44:13,515 --> 00:44:15,404
Talk about it, at a future conference.

1009
00:44:15,404 --> 00:44:19,605
But, I think we need to keep in
mind that it's not always just like

1010
00:44:19,605 --> 00:44:21,285
an API, a REST API in the backend.

1011
00:44:21,315 --> 00:44:22,214
Could be something else.

1012
00:44:22,305 --> 00:44:22,515
Yeah.

1013
00:44:24,045 --> 00:44:26,415
yeah, I think it'll be a fun, yeah, the,

1014
00:44:26,415 --> 00:44:28,305
the backends can be really, complex.

1015
00:44:28,305 --> 00:44:30,944
I wait for the full talk.

1016
00:44:32,595 --> 00:44:37,365
but yeah, we see many times that what
happens on the backend can be crazy

1017
00:44:37,605 --> 00:44:40,065
and, that, we don't expect can happen.

1018
00:44:41,265 --> 00:44:44,569
yeah, it's nice when you
fuzz for the secondary path.

1019
00:44:44,685 --> 00:44:48,495
'cause I guess for template injection,
usually you need like one payload.

1020
00:44:49,125 --> 00:44:51,975
Maybe two, three, or for different
engines, depending on the

1021
00:44:52,004 --> 00:44:54,674
technology. For secondary path traversal,

1022
00:44:55,845 --> 00:44:57,525
how many payloads do you test?

1023
00:44:57,525 --> 00:44:59,205
'cause I guess you need different depths.

1024
00:44:59,265 --> 00:45:03,915
I need, you need different
iterations of your URL encoding.

1025
00:45:04,335 --> 00:45:08,295
So how long is your wordlist for fuzzing?

1026
00:45:09,194 --> 00:45:10,455
I actually rarely fuzz.

1027
00:45:10,515 --> 00:45:11,835
I do it like.

1028
00:45:12,210 --> 00:45:12,870
Manually.

1029
00:45:12,930 --> 00:45:12,960
Okay.

1030
00:45:12,960 --> 00:45:14,100
Just see how it reacts.

1031
00:45:14,100 --> 00:45:14,400
Okay.

1032
00:45:15,720 --> 00:45:19,980
my typical go-to is like traverse back
one path and comment out the rest.

1033
00:45:19,980 --> 00:45:21,990
So I put like a question mark or hashtag

1034
00:45:22,200 --> 00:45:22,380
Yeah.

1035
00:45:23,250 --> 00:45:27,810
both with URL encoding and without,
depending on what's going on.

1036
00:45:28,530 --> 00:45:32,040
'cause a lot of times if you're not
giving it, what is what it's expecting,

1037
00:45:32,100 --> 00:45:33,630
it'll give you an error message.

1038
00:45:33,810 --> 00:45:34,020
Yeah.

1039
00:45:34,860 --> 00:45:36,270
so if you just comment out.

1040
00:45:37,110 --> 00:45:41,730
The rest of the URL, maybe there are
hardcoded parameters that you're

1041
00:45:41,730 --> 00:45:45,750
not seeing, in the code and that in
the error message it'll tell you,

1042
00:45:45,750 --> 00:45:47,460
oh, you're missing X parameter.

1043
00:45:47,700 --> 00:45:47,970
Yeah.

1044
00:45:47,970 --> 00:45:50,460
So that way you have an idea
that, okay, maybe there is

1045
00:45:50,460 --> 00:45:51,570
like a path traversal here.

1046
00:45:52,500 --> 00:45:57,990
or just like the path itself, if
by going back one it may say oh, object

1047
00:45:57,990 --> 00:46:00,270
X or whatever's going on is not there.

1048
00:46:00,270 --> 00:46:00,330
Yeah.

1049
00:46:00,630 --> 00:46:05,550
So it gives you an idea of something
is happening in the backend.

1050
00:46:05,550 --> 00:46:05,820
Yeah.

1051
00:46:06,120 --> 00:46:10,140
Now you mentioned actually, 'cause
I do have, I do use a longer, list,

1052
00:46:10,140 --> 00:46:14,220
but when I test manual, I would start
with going back and going forward.

1053
00:46:14,430 --> 00:46:19,470
Right now, I think actually, like you
say it, maybe putting in a question mark

1054
00:46:20,370 --> 00:46:23,880
Is more likely to give us a useful
error rather than anything else.

1055
00:46:24,030 --> 00:46:24,510
Question mark.

1056
00:46:24,510 --> 00:46:30,900
Maybe the full URL is like your input
then another path in the end, right?

1057
00:46:30,960 --> 00:46:31,140
Yeah.

1058
00:46:31,140 --> 00:46:31,350
So

1059
00:46:31,350 --> 00:46:34,170
if you put a question mark,
it'll remove everything else.

1060
00:46:34,380 --> 00:46:34,680
Yeah.

1061
00:46:34,740 --> 00:46:38,850
So it'll give an error message
indicating what is happening.

1062
00:46:39,840 --> 00:46:45,810
if you just put like a, let's say double
slash or whatever without removing the

1063
00:46:45,810 --> 00:46:47,760
rest, it'll just say maybe not found.

1064
00:46:48,060 --> 00:46:48,270
Yeah.

1065
00:46:48,390 --> 00:46:51,900
Compared to if you put a question
mark, it may be more verbose.

1066
00:46:52,350 --> 00:46:52,620
Yeah.

1067
00:46:52,775 --> 00:46:53,065
Yeah.

1068
00:46:53,070 --> 00:46:53,340
Yeah.

1069
00:46:53,550 --> 00:46:54,090
That's interesting.

1070
00:46:54,570 --> 00:46:55,530
And also,

1071
00:46:58,080 --> 00:47:01,230
if there's some kind of filter for
the dot slash, which I think is

1072
00:47:01,230 --> 00:47:05,010
rare, but probably can happen, you are
not gonna have problems with this.

1073
00:47:05,580 --> 00:47:05,940
True.

1074
00:47:06,295 --> 00:47:06,585
Yeah.

1075
00:47:07,890 --> 00:47:07,950
Yeah.

1076
00:47:09,105 --> 00:47:11,355
Especially if the input is in the body.

1077
00:47:13,245 --> 00:47:14,415
obviously it depends on the WAF.

1078
00:47:14,775 --> 00:47:16,785
Let's say Akamai is really
annoying with the dot slash

1079
00:47:16,935 --> 00:47:17,325
Yeah, but

1080
00:47:17,325 --> 00:47:23,415
other, but usually like you can get
away with it just with the regular,

1081
00:47:23,565 --> 00:47:23,895
yeah.

1082
00:47:23,895 --> 00:47:24,225
Yeah.

1083
00:47:24,225 --> 00:47:24,795
It's the body.

1084
00:47:24,795 --> 00:47:25,220
It's not a problem,

1085
00:47:25,545 --> 00:47:27,525
but it, sometimes you need to encode it.

1086
00:47:28,515 --> 00:47:31,215
really depends on, the
context of the, application.

1087
00:47:31,245 --> 00:47:31,515
Yeah.

1088
00:47:31,515 --> 00:47:31,575
Yeah.

1089
00:47:32,475 --> 00:47:33,825
So we mentioned GraphQL.

1090
00:47:34,275 --> 00:47:41,265
I know the research is coming
later, but, in general, what's, your

1091
00:47:41,265 --> 00:47:43,095
methodology for, testing GraphQL?

1092
00:47:43,095 --> 00:47:43,515
I guess you.

1093
00:47:43,775 --> 00:47:47,015
So you start by checking
if introspection is enabled.

1094
00:47:47,255 --> 00:47:47,585
Yes.

1095
00:47:47,585 --> 00:47:49,145
That's usually my, first thing that I do.

1096
00:47:49,745 --> 00:47:53,525
I find that it's disabled most
of the time, unfortunately.

1097
00:47:53,705 --> 00:47:54,395
Unfortunately.

1098
00:47:55,565 --> 00:47:58,775
so what I do typically first
is try to find the queries

1099
00:47:58,775 --> 00:48:00,515
themselves in the JavaScript files.

1100
00:48:02,645 --> 00:48:06,275
a lot of times they'll be there,
so just look for like query space

1101
00:48:06,365 --> 00:48:06,725
and Yeah.

1102
00:48:06,905 --> 00:48:07,145
Yeah.

1103
00:48:07,145 --> 00:48:08,315
It's easy to grep for.

1104
00:48:08,375 --> 00:48:08,915
Exactly.

1105
00:48:10,295 --> 00:48:16,385
or just like the operation names and
try to find those queries or mutations

1106
00:48:16,475 --> 00:48:22,290
that way. Let's say I do have a
query, a valid query in the network.

1107
00:48:22,770 --> 00:48:26,340
I try to add more parameters to it,
see if I can get those in response

1108
00:48:26,340 --> 00:48:29,250
or disclose more information that
I would not be able to access.

1109
00:48:31,950 --> 00:48:32,490
Secondary path

1110
00:48:32,490 --> 00:48:37,770
traversal is also one that I've had success
with in GraphQL queries or mutations.

1111
00:48:37,920 --> 00:48:38,310
Okay.

1112
00:48:41,865 --> 00:48:46,040
yeah, so, you would use the dot
slash or whatever the character in

1113
00:48:46,040 --> 00:48:48,049
like a variable, as the variable?

1114
00:48:48,080 --> 00:48:48,470
Okay.

1115
00:48:48,470 --> 00:48:48,709
Yeah,

1116
00:48:49,040 --> 00:48:49,040
yeah,

1117
00:48:51,140 --> 00:48:55,939
typical stuff like DoS,
like non-GraphQL techniques.

1118
00:48:55,970 --> 00:48:56,149
Yeah.

1119
00:48:56,660 --> 00:48:57,620
I call hacking techniques.

1120
00:48:57,620 --> 00:48:57,950
Yeah.

1121
00:48:57,950 --> 00:48:57,950
Yeah.

1122
00:48:58,339 --> 00:49:02,000
How successful are you with
reporting the denial of service bugs?

1123
00:49:02,509 --> 00:49:03,109
Not successful.

1124
00:49:03,305 --> 00:49:04,069
When, they are mentioned

1125
00:49:04,069 --> 00:49:04,879
as our scope.

1126
00:49:05,959 --> 00:49:08,209
not successful 'cause everybody
probably tests for it.

1127
00:49:08,330 --> 00:49:08,600
Yeah.

1128
00:49:09,290 --> 00:49:12,259
I actually started like not testing
for it 'cause I found that the

1129
00:49:12,259 --> 00:49:14,870
impact's not always there either.

1130
00:49:15,470 --> 00:49:20,540
'cause a lot of times it'll
just DoS the GraphQL service.

1131
00:49:20,750 --> 00:49:20,990
Yeah.

1132
00:49:20,990 --> 00:49:21,979
Everything else works.

1133
00:49:22,515 --> 00:49:26,145
And then, sometimes impacts
there, sometimes not.

1134
00:49:26,145 --> 00:49:31,095
Depends on, application, but I just
started looking for other, stuff.

1135
00:49:31,125 --> 00:49:31,395
Yeah.

1136
00:49:31,845 --> 00:49:32,085
Yeah.

1137
00:49:32,085 --> 00:49:36,435
And also if you're testing the target,
which you showed the writeup from LA

1138
00:49:36,705 --> 00:49:38,654
recently, which has separate instances.

1139
00:49:39,315 --> 00:49:44,174
Sometimes you can only DoS if it's
post-authentication, sometimes

1140
00:49:44,174 --> 00:49:45,404
you can only DoS your own instance.

1141
00:49:45,404 --> 00:49:45,944
Exactly.

1142
00:49:45,944 --> 00:49:46,335
Yeah.

1143
00:49:47,235 --> 00:49:50,505
If that's a DoS and you have
to be a user of the organization

1144
00:49:50,505 --> 00:49:51,225
which you're DoSing. Yeah.

1145
00:49:51,225 --> 00:49:51,944
The impact is really

1146
00:49:52,665 --> 00:49:52,725
low.

1147
00:49:52,725 --> 00:49:53,145
Exactly.

1148
00:49:53,265 --> 00:49:53,565
Yeah.

1149
00:49:53,565 --> 00:49:57,555
And yeah, and I had this case recently,
I reported the denial of service.

1150
00:49:57,615 --> 00:49:59,415
'cause the response time was really long.

1151
00:50:01,964 --> 00:50:09,464
And turned out that I could,
even though my instance was, was,

1152
00:50:09,464 --> 00:50:12,674
having a long, response time, the
other instance was unaffected.

1153
00:50:12,674 --> 00:50:12,705
Okay.

1154
00:50:12,734 --> 00:50:16,875
So even though it was like a very similar
case to what it, what you described,

1155
00:50:16,875 --> 00:50:22,634
like the domain was similar, so I assumed
some resources are shared as well.

1156
00:50:24,194 --> 00:50:27,585
it still was separated enough that
the DoS just didn't affect the

1157
00:50:27,765 --> 00:50:29,685
users, so it was, pretty useless.

1158
00:50:30,045 --> 00:50:35,325
One thing as well that I just remembered,
that I test for, a lot of times the

1159
00:50:35,355 --> 00:50:38,595
query or mutation will be in the
request body, but if you put it as

1160
00:50:38,595 --> 00:50:40,005
a GET request, sometimes it'll work.

1161
00:50:40,005 --> 00:50:42,585
So that can help in
terms of CSRF or whatnot.

1162
00:50:42,589 --> 00:50:42,650
Yeah.

1163
00:50:43,005 --> 00:50:43,185
Yeah.

1164
00:50:43,185 --> 00:50:47,234
Sometimes it works and usually if it
works, it also allows mutations, doesn't

1165
00:50:47,234 --> 00:50:47,295
it?

1166
00:50:49,755 --> 00:50:50,055
I don't, know.

1167
00:50:50,055 --> 00:50:54,325
Maybe. I haven't, I think last
time that I found it, it was only

1168
00:50:54,325 --> 00:50:56,515
queries, no, it was mutation.

1169
00:50:56,545 --> 00:50:59,545
'cause I reported it as a
CSRF, so I did an action.

1170
00:50:59,545 --> 00:50:59,875
Yeah.

1171
00:50:59,995 --> 00:51:00,235
Yeah.

1172
00:51:00,235 --> 00:51:03,025
What I said about the question, I realized
it doesn't really make sense.

1173
00:51:04,195 --> 00:51:07,795
How about, on the Critical
Thinking podcast, you mentioned

1174
00:51:08,275 --> 00:51:10,975
a very interesting bug in DOMPurify.

1175
00:51:11,455 --> 00:51:15,175
Can you please remind, us or,
tell the users that didn't listen?

1176
00:51:15,385 --> 00:51:15,985
what was the bug?

1177
00:51:15,985 --> 00:51:16,435
Yeah, sure.

1178
00:51:17,275 --> 00:51:25,015
so it was a case where DOMPurify
was used along with, obviously, Chrome,

1179
00:51:26,215 --> 00:51:30,685
and DOMPurify did block the meta
tag, but for some reason it still

1180
00:51:31,915 --> 00:51:34,675
existed in the DOM, I guess in Chrome.

1181
00:51:34,765 --> 00:51:35,005
Yeah.

1182
00:51:35,005 --> 00:51:35,006
Yeah.

1183
00:51:36,855 --> 00:51:45,315
The bug itself was, I was able
to leak an OAuth token by putting

1184
00:51:45,315 --> 00:51:49,125
the meta tag, which, what was it?

1185
00:51:49,185 --> 00:51:54,645
The referrer policy, so that the token would
be sent through, I think an image, I think

1186
00:51:54,645 --> 00:51:56,415
I put an image, payload image tag, yeah.

1187
00:51:57,135 --> 00:51:59,265
as part of my HTML injection payload.

1188
00:52:00,195 --> 00:52:04,815
so that way the cookies would be
sent to the URL along with the token.

1189
00:52:06,585 --> 00:52:11,535
and from what I heard recently, just
last month, that technique still works.

1190
00:52:11,535 --> 00:52:14,655
So it still applies, probably today.

1191
00:52:16,395 --> 00:52:22,005
I guess Chrome or number four, number five
has having not fixed it, so Yeah, because

1192
00:52:22,005 --> 00:52:22,665
the bug is the.

1193
00:52:22,875 --> 00:52:29,265
When your HTML on the client side is
being parsed, maybe you have, a, very

1194
00:52:29,265 --> 00:52:34,095
restrictive, list of allowed tags and
usually meta tag will not be allowed.

1195
00:52:34,185 --> 00:52:34,545
Usually.

1196
00:52:34,545 --> 00:52:34,785
Yeah.

1197
00:52:35,505 --> 00:52:38,595
But, still, after parsing it,
it is applied to the website.

1198
00:52:38,595 --> 00:52:39,105
So even though.

1199
00:52:39,730 --> 00:52:41,950
DOMPurify, the HTML that it returns,

1200
00:52:41,950 --> 00:52:42,694
Strips it.

1201
00:52:42,694 --> 00:52:43,420
Yeah, strips it.

1202
00:52:43,420 --> 00:52:45,130
It's still in the website,

1203
00:52:45,310 --> 00:52:45,640
right?

1204
00:52:45,640 --> 00:52:45,970
Yeah.

1205
00:52:46,060 --> 00:52:46,240
Yeah.

1206
00:52:46,240 --> 00:52:47,170
That's a very cool bug.

1207
00:52:47,560 --> 00:52:51,640
I stumbled on it like a bit by chance
because I was literally just trying any

1208
00:52:51,640 --> 00:52:56,380
payloads, thought of meta, of meta tag,
'cause it did apply to my scenario.

1209
00:52:56,440 --> 00:52:56,650
Yeah.

1210
00:52:57,700 --> 00:53:02,470
and I later learned through Critical
Thinking how to look for the

1211
00:53:02,650 --> 00:53:04,569
allow-listed tags in DOMPurify.

1212
00:53:04,569 --> 00:53:06,819
So I did not do that last time,
I was literally just like

1213
00:53:06,940 --> 00:53:08,140
trying some, trying some stuff.

1214
00:53:08,350 --> 00:53:08,560
Yeah.

1215
00:53:09,490 --> 00:53:13,060
and yeah, like I said, ended up working
and then still works to this day.

1216
00:53:13,060 --> 00:53:14,500
So even though DOMPurify blocks it.

1217
00:53:14,620 --> 00:53:14,980
Yeah.

1218
00:53:14,980 --> 00:53:14,981
It

1219
00:53:15,220 --> 00:53:18,975
still for some reason
applies in the DOM, yeah.

1220
00:53:19,060 --> 00:53:19,299
Yeah.

1221
00:53:19,299 --> 00:53:25,210
So if you have DOMPurify on the
client side and you have something

1222
00:53:25,390 --> 00:53:28,990
sensitive you can put in the URL,
use this 'cause it still works.

1223
00:53:28,990 --> 00:53:31,299
So Yeah, it's a very interesting bug.

1224
00:53:31,600 --> 00:53:33,670
I'm trying to think if I
have some target using it.

1225
00:53:34,509 --> 00:53:34,900
Maybe.

1226
00:53:34,904 --> 00:53:38,200
'cause DOMPurify is used a lot more often.

1227
00:53:38,550 --> 00:53:39,030
Yeah.

1228
00:53:39,120 --> 00:53:41,070
Than it used to be like
just two or three years ago.

1229
00:53:41,220 --> 00:53:42,300
Felix now is everywhere.

1230
00:53:42,420 --> 00:53:42,780
Yeah.

1231
00:53:42,780 --> 00:53:44,340
I think it became the standard.

1232
00:53:44,340 --> 00:53:44,370
I

1233
00:53:44,550 --> 00:53:45,090
think so, yes.

1234
00:53:45,150 --> 00:53:47,130
Which we should be happy about.

1235
00:53:47,670 --> 00:53:50,700
At the end of the day, we wouldn't
think to be success, but as

1236
00:53:50,700 --> 00:53:54,365
bug hunters, we do not, which means
they do a good job of... Right, exactly.

1237
00:53:55,260 --> 00:53:56,940
Of being hard to bypass.

1238
00:53:57,090 --> 00:53:57,540
That's true.

1239
00:53:58,650 --> 00:54:04,800
speaking of OAuth, so if we
have this bug which allows us to

1240
00:54:05,430 --> 00:54:10,110
to leak the URL, but for, this to.

1241
00:54:10,125 --> 00:54:14,745
To be a valid attack, we have, we should
have an OAuth code in the URL, right?

1242
00:54:14,745 --> 00:54:16,965
So what are some methods
we, can do it with?

1243
00:54:18,465 --> 00:54:22,845
so when I test for OAuth, I find like
so many attack scenarios and techniques.

1244
00:54:22,845 --> 00:54:26,895
So I usually just open up
Frans Rosén's, like, Dirty

1245
00:54:26,895 --> 00:54:28,575
Dancing article, which is great.

1246
00:54:28,755 --> 00:54:29,400
Yeah, it's awesome.

1247
00:54:29,400 --> 00:54:29,535
Just

1248
00:54:29,535 --> 00:54:32,205
trying to think of okay, I
should maybe try this and that.

1249
00:54:33,225 --> 00:54:36,225
I also look at the, I think
there's a guide for OAuth

1250
00:54:37,525 --> 00:54:40,105
hacking, like created
by OWASP, I believe.

1251
00:54:42,265 --> 00:54:42,565
sorry.

1252
00:54:42,595 --> 00:54:44,125
OWASP OAuth hacking guide.

1253
00:54:44,581 --> 00:54:47,485
yeah, so look at that for like ideas.

1254
00:54:48,444 --> 00:54:50,935
but a lot of time I just
look for the basic stuff.

1255
00:54:51,505 --> 00:54:56,154
can I send the code to an attacker
server, attacker-owned server,

1256
00:54:56,154 --> 00:54:57,865
through the redirect URI parameter?

1257
00:54:58,765 --> 00:55:00,205
is the state validated?

1258
00:55:02,964 --> 00:55:07,225
what else am I, what am I missing in
terms of, the, basic regular stuff?

1259
00:55:07,225 --> 00:55:07,585
Yeah.

1260
00:55:07,735 --> 00:55:08,035
Yeah.

1261
00:55:08,694 --> 00:55:12,895
I remember after the
article from Frans, I started

1262
00:55:12,924 --> 00:55:14,214
testing it on every flow.

1263
00:55:14,935 --> 00:55:20,245
But I got to a point where usually
it's, if there's a, the OAuth flow,

1264
00:55:20,305 --> 00:55:21,985
it's fairly easy to break it.

1265
00:55:22,420 --> 00:55:24,595
And to, land with the code on the page.

1266
00:55:25,580 --> 00:55:27,685
the harder part is to leak the URL.

1267
00:55:28,315 --> 00:55:28,585
Yes.

1268
00:55:28,980 --> 00:55:29,160
Yeah.

1269
00:55:30,510 --> 00:55:36,420
usually it means needing an XSS,
or the one you mentioned, or the

1270
00:55:36,420 --> 00:55:40,890
one he described was some kind of
XSS, but on the sandbox domain.

1271
00:55:40,890 --> 00:55:44,550
But it is allowed to, leak the,
URL, but it's usually quite

1272
00:55:44,550 --> 00:55:46,200
difficult to do, unfortunately.

1273
00:55:46,200 --> 00:55:46,740
Yes.

1274
00:55:46,740 --> 00:55:47,070
Yeah.

1275
00:55:47,160 --> 00:55:50,610
And then like you said, so you need an
XSS, but you already have XSS, so

1276
00:55:50,610 --> 00:55:54,630
you don't often, you don't always need
to exploit that part to do something bad,

1277
00:55:56,220 --> 00:55:59,730
Yeah, you can probably use
it as a gadget to show the impact of

1278
00:55:59,730 --> 00:56:03,420
the XSS if you cannot address
it, change the email, stuff like this.

1279
00:56:03,420 --> 00:56:03,750
Yes.

1280
00:56:04,710 --> 00:56:06,150
actually reminded me of something.

1281
00:56:06,210 --> 00:56:09,540
One thing that did work
recently is something that

1282
00:56:09,540 --> 00:56:12,690
Dorian sek, published recently.

1283
00:56:12,750 --> 00:56:13,020
Yeah.

1284
00:56:13,350 --> 00:56:15,780
I think also Justin spoke
about it in critical thinking.

1285
00:56:16,470 --> 00:56:18,060
I think they called it client side.

1286
00:56:18,060 --> 00:56:19,500
No, client application.

1287
00:56:19,500 --> 00:56:19,980
Confusion.

1288
00:56:20,065 --> 00:56:20,845
Client application.

1289
00:56:20,845 --> 00:56:21,165
Oh, I know

1290
00:56:21,165 --> 00:56:21,445
what you mean.

1291
00:56:21,480 --> 00:56:22,200
Client id, yeah.

1292
00:56:22,200 --> 00:56:22,560
Confusion.

1293
00:56:22,560 --> 00:56:23,100
Something like that.

1294
00:56:23,130 --> 00:56:23,430
Yeah.

1295
00:56:23,430 --> 00:56:23,431
Yeah.

1296
00:56:24,300 --> 00:56:25,410
actually I think I pulled it up here.

1297
00:56:25,500 --> 00:56:27,420
I wanted, I remembered
I wanna talk about it.

1298
00:56:28,770 --> 00:56:28,980
Yeah.

1299
00:56:28,980 --> 00:56:30,840
The blog post from about is very good.

1300
00:56:30,840 --> 00:56:31,170
Yeah.

1301
00:56:31,170 --> 00:56:32,250
I actually don't, so yeah.

1302
00:56:34,080 --> 00:56:37,080
you can create like your own, if
you can, depending on the context.

1303
00:56:37,110 --> 00:56:37,200
Yeah.

1304
00:56:37,260 --> 00:56:38,400
Use like different client id.

1305
00:56:38,400 --> 00:56:40,110
Sometimes they won't
validate the client Id.

1306
00:56:40,555 --> 00:56:45,205
But once it's time for the application
to validate the token, it'll notice

1307
00:56:45,205 --> 00:56:48,535
that it's not, for the client.

1308
00:56:49,435 --> 00:56:52,705
And, so the token will not be consumed.

1309
00:56:52,705 --> 00:56:55,134
So you can try to steal
it in another way or not.

1310
00:56:55,134 --> 00:56:58,705
But there are ways by manipulating
the client ID where you can get

1311
00:56:59,365 --> 00:57:01,855
access to the token or, Yeah.

1312
00:57:01,884 --> 00:57:04,255
Lots of testing to be
done with, with a lot.

1313
00:57:06,444 --> 00:57:11,305
And also I remember one bug, and I tracked
the origin of why it was possible.

1314
00:57:11,335 --> 00:57:13,944
'cause it was possible to use,
like my client authenticate

1315
00:57:13,944 --> 00:57:15,235
to somebody's instance, right?

1316
00:57:15,325 --> 00:57:15,505
Yeah.

1317
00:57:16,015 --> 00:57:16,990
It was using Cognito.

1318
00:57:16,995 --> 00:57:17,185
Okay.

1319
00:57:18,055 --> 00:57:22,315
And I tracked back that in the AWS
documentation there was, or still is,

1320
00:57:22,315 --> 00:57:28,375
I haven't checked, a code snippet to,
to validate the, token in that case.

1321
00:57:29,665 --> 00:57:34,770
And this code did not have, because
basically what you need to do in, In

1322
00:57:34,770 --> 00:57:36,779
that case, it's to validate the issuer.

1323
00:57:36,960 --> 00:57:40,470
If it's the one you are, you're
trying to authenticate user against.

1324
00:57:41,610 --> 00:57:45,480
And basically the code in the docs didn't
have this validation of the issuer.

1325
00:57:45,900 --> 00:57:49,259
But the docs said, this code does
not have the validation of the

1326
00:57:49,259 --> 00:57:53,160
issuer, but for the production,
code, you should do it yourself.

1327
00:57:53,190 --> 00:57:53,520
Oh really?

1328
00:57:54,840 --> 00:57:58,410
But of course, the developer would
copy the code and use it as this.

1329
00:58:00,180 --> 00:58:00,990
So, we'd work like this.

1330
00:58:01,020 --> 00:58:05,279
I think they did fix this part in
documentation, but it was very kind.

1331
00:58:05,895 --> 00:58:06,115
Yes.

1332
00:58:07,529 --> 00:58:11,819
I also remember one OAuth bug from
WAN to Africa, who it was, recently.

1333
00:58:12,960 --> 00:58:15,840
I remember it was, I wasn't answering that
'cause I had something that I had tested

1334
00:58:15,840 --> 00:58:21,540
for, in the OAuth flow, the product, the.

1335
00:58:21,950 --> 00:58:25,640
Application, there were like custom
parameters that were added in the OAuth flow.

1336
00:58:25,759 --> 00:58:26,060
Yeah.

1337
00:58:26,420 --> 00:58:29,120
And I was like, it's probably just
like metrics stuff, like for them

1338
00:58:29,120 --> 00:58:30,920
to know who connected from where.

1339
00:58:31,819 --> 00:58:35,509
it turns out that by manipulating
those, parameters, you could just put

1340
00:58:35,509 --> 00:58:39,290
any redirect URI and the token would
be redirected over there.

1341
00:58:40,069 --> 00:58:45,799
So since the custom parameter had
like arbitrary data, it like did dirty

1342
00:58:45,799 --> 00:58:46,910
dancing and messed up everything.

1343
00:58:47,060 --> 00:58:47,630
Yeah.

1344
00:58:47,750 --> 00:58:51,109
so yeah, it was one case where I was like,
oh, I should have thought about that.

1345
00:58:51,859 --> 00:58:54,920
Wait, so another parameter was
used as the redirect, right?

1346
00:58:55,370 --> 00:58:58,040
No, like another parameter
was part of the OAuth flow.

1347
00:58:58,100 --> 00:58:58,460
Yeah.

1348
00:58:58,609 --> 00:59:00,560
It contained, I forgot what it was.

1349
00:59:01,549 --> 00:59:02,660
but just like something that.

1350
00:59:03,800 --> 00:59:07,605
It's not necessarily part of the
OAuth spec and the regular OAuth flow.

1351
00:59:07,725 --> 00:59:08,955
Just like an arbitrary like

1352
00:59:09,255 --> 00:59:09,555
yeah.

1353
00:59:09,735 --> 00:59:12,735
Parameter specific to the application.

1354
00:59:12,825 --> 00:59:13,095
Yeah.

1355
00:59:13,095 --> 00:59:13,365
I see.

1356
00:59:13,455 --> 00:59:18,855
And by manually manipulating it, you
could put in any value as your redirect

1357
00:59:18,855 --> 00:59:20,930
URI parameter, you can redirect it.

1358
00:59:21,070 --> 00:59:22,634
It could redirect the code anywhere.

1359
00:59:22,785 --> 00:59:23,205
Yeah.

1360
00:59:24,225 --> 00:59:25,125
Yeah, that seems, yeah.

1361
00:59:25,365 --> 00:59:30,405
I always love to see the, custom
parameters or when the state is like

1362
00:59:30,405 --> 00:59:33,650
a JSON and contains. Yeah, true.

1363
00:59:34,050 --> 00:59:35,009
I love to see this, but when

1364
00:59:35,009 --> 00:59:38,535
there's like the PKCE
thing with a challenge

1365
00:59:38,535 --> 00:59:38,715
Yeah.

1366
00:59:39,580 --> 00:59:40,690
you just remove those parameters.

1367
00:59:41,110 --> 00:59:42,250
Sometimes it works,

1368
00:59:42,830 --> 00:59:43,510
Yeah, yeah,

1369
00:59:45,280 --> 00:59:49,570
How successful have you been recently
with the typical OAuth redirect URI

1370
00:59:50,050 --> 00:59:53,470
takeovers where the redirect URI
just isn't validated properly?

1371
00:59:54,610 --> 00:59:55,420
it's been a while.

1372
00:59:56,350 --> 01:00:00,760
I think the last one was through like a
path traversal in the redirect URI.

1373
01:00:00,850 --> 01:00:01,030
Yeah.

1374
01:00:01,180 --> 01:00:05,440
So it stays on the same application and
same origin, but you need an XSS or something

1375
01:00:05,470 --> 01:00:10,390
or like a redirection with the meta tag,
whatever, another technique to leak.

1376
01:00:10,390 --> 01:00:10,570
Yeah.

1377
01:00:10,571 --> 01:00:10,573
or redirect.

1378
01:00:10,685 --> 01:00:11,350
Or the redirect.

1379
01:00:11,350 --> 01:00:11,650
Yeah.

1380
01:00:13,180 --> 01:00:14,110
but it's been a while.

1381
01:00:14,920 --> 01:00:20,745
I found I think a few last year, but
I don't think I found one yet in 2025.

1382
01:00:20,805 --> 01:00:22,155
In regards to OAuth or,

1383
01:00:22,365 --> 01:00:22,965
yeah, it's hard.

1384
01:00:22,965 --> 01:00:23,835
The programs are starting

1385
01:00:23,835 --> 01:00:28,395
to configure it a bit more properly,
but I think there's always some,

1386
01:00:28,425 --> 01:00:30,255
weird bug thing around in OAuth, so

1387
01:00:30,345 --> 01:00:30,585
Yeah.

1388
01:00:30,585 --> 01:00:31,455
Yeah, of course there is.

1389
01:00:31,455 --> 01:00:36,975
And you have some hidden parameters
it lead to that are just forgotten and

1390
01:00:36,975 --> 01:00:38,235
the validation is exactly not there.

1391
01:00:39,285 --> 01:00:40,995
You know what bug actually
reminds, it reminds

1392
01:00:40,995 --> 01:00:43,515
me of one bug actually,
and it's quite interesting.

1393
01:00:45,465 --> 01:00:48,735
and part of the AWA flow, like
I manipulated the scope part.

1394
01:00:49,065 --> 01:00:49,155
Yeah.

1395
01:00:49,155 --> 01:00:52,335
And I added myself a privilege
that I usually do not have.

1396
01:00:52,395 --> 01:00:52,665
Yeah.

1397
01:00:53,295 --> 01:00:56,325
And in the end it was redirected to.

1398
01:00:56,895 --> 01:00:59,175
an arbitrary host that I did
not even know existed.

1399
01:01:00,255 --> 01:01:00,465
Yeah.

1400
01:01:00,525 --> 01:01:01,725
Because of a different scope.

1401
01:01:02,235 --> 01:01:06,435
And it gave me like, you're not
allowed to access that permission.

1402
01:01:06,495 --> 01:01:06,795
Yeah.

1403
01:01:07,065 --> 01:01:11,265
But it was, the token was sent in
the URL and the other host, so I

1404
01:01:11,265 --> 01:01:15,135
just found another XSS on that
other host and then was able to

1405
01:01:15,135 --> 01:01:17,025
leak the token in the whole flow.

1406
01:01:17,025 --> 01:01:17,026
Flow.

1407
01:01:17,115 --> 01:01:17,415
Yeah.

1408
01:01:17,415 --> 01:01:18,135
That's interesting.

1409
01:01:18,315 --> 01:01:18,495
Yeah.

1410
01:01:18,495 --> 01:01:19,455
It was the one was weird.

1411
01:01:19,935 --> 01:01:20,325
Yeah,

1412
01:01:20,805 --> 01:01:23,685
because why would it redirect
to a completely different host?

1413
01:01:24,315 --> 01:01:24,885
doesn't make sense.

1414
01:01:25,005 --> 01:01:25,065
Yeah.

1415
01:01:25,065 --> 01:01:26,055
What was the other host?

1416
01:01:26,055 --> 01:01:28,145
Was it like a server?

1417
01:01:28,150 --> 01:01:29,185
It was like server or something

1418
01:01:29,185 --> 01:01:29,390
like this.

1419
01:01:29,390 --> 01:01:32,089
Some kind of SSO server,
But it was not used.

1420
01:01:32,089 --> 01:01:33,440
It was like used for another product.

1421
01:01:33,495 --> 01:01:33,984
Yeah, I see.

1422
01:01:33,984 --> 01:01:34,384
Completely.

1423
01:01:34,384 --> 01:01:34,386
Yeah.

1424
01:01:35,815 --> 01:01:36,830
That, that's cool.

1425
01:01:37,700 --> 01:01:41,660
and usually it was like in the
login or like some kind of sso, but

1426
01:01:41,660 --> 01:01:43,190
usually like in login application.

1427
01:01:43,220 --> 01:01:43,460
Yeah.

1428
01:01:43,940 --> 01:01:47,930
But that one was sent to completely
different one, which was not even

1429
01:01:47,930 --> 01:01:51,049
used as like a what for my application.

1430
01:01:51,134 --> 01:01:51,424
Yeah.

1431
01:01:51,859 --> 01:01:52,069
Yeah.

1432
01:01:52,069 --> 01:01:52,400
I see.

1433
01:01:53,000 --> 01:01:57,350
Do you often test for, let's
say lower severity of related

1434
01:01:57,350 --> 01:02:00,770
bug where, for example, I.

1435
01:02:01,044 --> 01:02:05,964
When you go through the authentication
flow with some restricted set of

1436
01:02:05,964 --> 01:02:10,134
scopes, and then you want to redo
the authentication flow, but with

1437
01:02:10,134 --> 01:02:13,435
more scopes, it should reprompt
the user to confirm the new scopes.

1438
01:02:13,975 --> 01:02:18,265
So if there's no reconfirmation,
it's like a lower medium level bug.

1439
01:02:19,674 --> 01:02:21,625
there are a, few different ones as well.

1440
01:02:21,625 --> 01:02:24,384
I know Johan is sometimes
looking for bugs like this.

1441
01:02:24,654 --> 01:02:26,125
Do you also spend time on this or.

1442
01:02:26,730 --> 01:02:29,700
Because of your resolution to
look for highs and crits, you ignore.

1443
01:02:29,700 --> 01:02:30,000
Yeah.

1444
01:02:30,000 --> 01:02:30,210
Not

1445
01:02:30,210 --> 01:02:30,540
really.

1446
01:02:30,600 --> 01:02:34,770
Maybe I should, maybe you could
lead to like more, more bugs and

1447
01:02:34,770 --> 01:02:36,960
more interesting bugs that can
maybe be chained with other stuff.

1448
01:02:38,460 --> 01:02:40,740
but yeah, I usually just try
to link the code somehow.

1449
01:02:40,740 --> 01:02:40,741
Yeah.

1450
01:02:40,800 --> 01:02:41,130
Yeah.

1451
01:02:41,130 --> 01:02:45,510
Because it leads directly to ATO,
which is my goal for OAuth.

1452
01:02:45,990 --> 01:02:46,980
Yeah, for highs and crits.

1453
01:02:47,400 --> 01:02:48,105
That's, the only goal.

1454
01:02:48,135 --> 01:02:48,425
Yeah.

1455
01:02:48,960 --> 01:02:51,990
Because the other, why do I
have started recently to hunt?

1456
01:02:52,200 --> 01:02:56,190
'cause I, hunt on the target that
paid really well for mediums.

1457
01:02:57,300 --> 01:03:00,750
so I also hunted for these attack
scenarios that are a little

1458
01:03:00,750 --> 01:03:02,430
bit more difficult to exploit.

1459
01:03:02,460 --> 01:03:05,070
'cause the attack scenarios,
like the app is the attacker.

1460
01:03:05,940 --> 01:03:09,780
So it has more privileges than it
should and it's clearly a bug.

1461
01:03:10,140 --> 01:03:10,440
Right.

1462
01:03:10,500 --> 01:03:11,970
But the attack scenario is not there.

1463
01:03:12,480 --> 01:03:17,730
But on a good target that pays, like
for the, this target paid I up to

1464
01:03:17,730 --> 01:03:22,500
1000 lows and up to 8,000 mediums.

1465
01:03:22,505 --> 01:03:22,775
Okay.

1466
01:03:22,775 --> 01:03:22,895
Yeah.

1467
01:03:22,895 --> 01:03:24,810
That's worth it.

1468
01:03:24,811 --> 01:03:24,814
That's, worth it.

1469
01:03:24,819 --> 01:03:25,080
Yeah.

1470
01:03:25,140 --> 01:03:25,410
Awesome.

1471
01:03:25,920 --> 01:03:29,580
And I think there's a lot of bugs
like this, but it's quite difficult

1472
01:03:29,580 --> 01:03:30,870
to test or it's a bit annoying.

1473
01:03:30,924 --> 01:03:31,215
Yeah.

1474
01:03:31,875 --> 01:03:33,935
But yeah, sometimes it is worth it.

1475
01:03:34,470 --> 01:03:34,650
Okay.

1476
01:03:35,160 --> 01:03:39,690
Last, question, 'cause you said
that you are more like a deep dive

1477
01:03:39,690 --> 01:03:41,250
guy, more like a manual hacker.

1478
01:03:41,580 --> 01:03:43,170
But you did build some automation.

1479
01:03:43,440 --> 01:03:43,620
Yep.

1480
01:03:43,680 --> 01:03:44,910
So what does the automation do?

1481
01:03:46,259 --> 01:03:47,700
it's pretty, I wouldn't say simple.

1482
01:03:47,700 --> 01:03:51,390
Like I don't do like any
Nuclei hacking or scanning.

1483
01:03:51,420 --> 01:03:53,310
'cause I feel like
everybody's already doing it.

1484
01:03:53,310 --> 01:03:54,779
So it would be a waste of resources.

1485
01:03:54,870 --> 01:03:54,930
Yeah.

1486
01:03:54,930 --> 01:03:55,950
And time to do it.

1487
01:03:56,700 --> 01:03:59,279
So I have put like an
infrastructure in place where.

1488
01:04:01,315 --> 01:04:06,265
I get alerted when a new
app, has been put online

1489
01:04:06,745 --> 01:04:07,135
on, internet.

1490
01:04:07,255 --> 01:04:07,285
Okay.

1491
01:04:07,945 --> 01:04:10,765
By, from the DNS sources.

1492
01:04:10,765 --> 01:04:10,945
Yeah.

1493
01:04:10,945 --> 01:04:11,155
D

1494
01:04:11,155 --> 01:04:11,455
Ns.

1495
01:04:11,455 --> 01:04:11,815
Yeah.

1496
01:04:12,085 --> 01:04:15,325
So it sometimes it resolves
actually a lot of time.

1497
01:04:15,325 --> 01:04:16,015
It doesn't resolve.

1498
01:04:16,395 --> 01:04:17,595
But at least I know when it's there.

1499
01:04:17,925 --> 01:04:18,135
Yeah.

1500
01:04:18,135 --> 01:04:22,485
And I put like a bot in place that
would constantly test the resolution.

1501
01:04:22,665 --> 01:04:24,765
no, sorry, lemme start again.

1502
01:04:25,905 --> 01:04:31,335
So I have a, a tool in place
where, it alerts me of new assets.

1503
01:04:31,870 --> 01:04:33,850
whether they're on internet or not.

1504
01:04:34,330 --> 01:04:35,950
Sometimes it resolves,
sometimes it doesn't.

1505
01:04:35,950 --> 01:04:36,009
Yeah.

1506
01:04:36,009 --> 01:04:41,590
If it does resolve, I'll run httpx
on it, see if HTTP is running, if it

1507
01:04:41,590 --> 01:04:43,060
doesn't, just store it in the file.

1508
01:04:43,120 --> 01:04:48,130
And then, the bot that I built will
constantly do resolution, constantly.

1509
01:04:48,250 --> 01:04:49,960
Once I think every week that I did it.

1510
01:04:49,990 --> 01:04:50,170
Yeah.

1511
01:04:50,410 --> 01:04:52,029
To see if it does resolve and if it does.

1512
01:04:52,070 --> 01:04:53,390
Then do httpx.

1513
01:04:53,395 --> 01:04:53,635
Okay.

1514
01:04:54,275 --> 01:04:54,435
Interesting.

1515
01:04:54,470 --> 01:04:54,770
Yeah.

1516
01:04:55,130 --> 01:04:59,330
Do you some somehow note all the
domains that resolve to internal

1517
01:04:59,330 --> 01:05:03,230
IP addresses to use it later for, I

1518
01:05:03,230 --> 01:05:04,310
do store it.

1519
01:05:04,820 --> 01:05:04,940
Yeah.

1520
01:05:05,960 --> 01:05:09,410
but I don't go back to it, much.

1521
01:05:09,830 --> 01:05:12,230
I go back to it when I
do need it for SSRF. Okay.

1522
01:05:12,350 --> 01:05:12,830
Yeah,

1523
01:05:13,670 --> 01:05:19,700
yeah, 'cause I thought it's, it
useful to, let's say we have,

1524
01:05:20,480 --> 01:05:24,110
loads of IP addresses resolved
from a wildcard domain, let's say.

1525
01:05:24,950 --> 01:05:27,380
It's useful to just save
all the internal ones.

1526
01:05:27,530 --> 01:05:27,800
Yeah.

1527
01:05:27,920 --> 01:05:30,950
And once you have the SSRF,
that's, the ones that you use.

1528
01:05:31,160 --> 01:05:31,700
Exactly, yes.

1529
01:05:31,820 --> 01:05:32,660
So that's what you do.

1530
01:05:32,840 --> 01:05:33,080
Yeah.

1531
01:05:33,290 --> 01:05:33,710
Nice.

1532
01:05:33,710 --> 01:05:33,950
Yeah.

1533
01:05:33,980 --> 01:05:37,490
It's, I thought about it, didn't do it.

1534
01:05:38,600 --> 01:05:38,720
Yeah.

1535
01:05:38,720 --> 01:05:43,190
I think in the end, it's like I
kinda changed my, technique a bit.

1536
01:05:43,340 --> 01:05:43,670
Yeah.

1537
01:05:44,210 --> 01:05:46,430
so I used to just like open burp.

1538
01:05:46,890 --> 01:05:47,190
Hack.

1539
01:05:47,430 --> 01:05:47,490
Yeah.

1540
01:05:47,490 --> 01:05:48,000
And that's it.

1541
01:05:48,090 --> 01:05:53,430
Now I've been like gathering a bit
more data, taking a lot more notes.

1542
01:05:53,550 --> 01:05:55,770
My notes are, a lot more structured.

1543
01:05:56,370 --> 01:06:00,480
Oh, and I do note like internal domains
and yeah, take note of everything that

1544
01:06:00,480 --> 01:06:04,110
I see that can be, can lead to a bug.

1545
01:06:04,710 --> 01:06:07,950
So I think I probably missed some
bugs in the past where I was like,

1546
01:06:07,950 --> 01:06:10,860
oh, I remember that, but where was it?

1547
01:06:10,920 --> 01:06:11,310
I don't know.

1548
01:06:11,310 --> 01:06:15,360
But by taking notes, yeah,
sometimes it's easier to, go back.

1549
01:06:15,870 --> 01:06:17,310
How do you organize the notes?

1550
01:06:19,200 --> 01:06:23,010
I have a, let's say a
hack on, one application.

1551
01:06:23,040 --> 01:06:26,010
'cause I'm a deep dive, so I
don't really do recon or not much.

1552
01:06:26,010 --> 01:06:26,400
Anyway.

1553
01:06:27,990 --> 01:06:32,430
I have like technologies used, like my
recon in terms of hacking on an app.

1554
01:06:32,430 --> 01:06:36,660
I like, not like ESE scanning,
just like recon on the apps system.

1555
01:06:36,660 --> 01:06:42,645
So I'll note that technologies
used, I'll note the,

1556
01:06:44,685 --> 01:06:53,775
API endpoints, the reverse proxy APIs
sometimes slash I don't know, water will

1557
01:06:54,194 --> 01:06:56,745
have a different backend than another.

1558
01:06:57,105 --> 01:06:57,525
Another one.

1559
01:06:57,525 --> 01:06:57,585
Yeah.

1560
01:06:57,585 --> 01:07:00,915
So I know which one leads to
another end, another, backend.

1561
01:07:02,565 --> 01:07:06,345
Sometimes like slash Water will
have a Node.js app, but slash

1562
01:07:06,555 --> 01:07:08,745
Glass will have, a Java app.

1563
01:07:08,745 --> 01:07:10,634
So I take note all of, this.

1564
01:07:11,955 --> 01:07:17,234
take note of GraphQL endpoints, things
that I notice that are like interesting

1565
01:07:17,295 --> 01:07:20,475
or weird sometimes just something as
simple as like a metrics like sex.

1566
01:07:21,385 --> 01:07:24,745
slash metrics endpoints
are pretty useful.

1567
01:07:24,745 --> 01:07:26,515
Usually we report them as a
little bit like informative,

1568
01:07:26,575 --> 01:07:28,615
but it can help in other stuff.

1569
01:07:28,615 --> 01:07:29,635
So I take note of that.

1570
01:07:32,335 --> 01:07:36,025
I take note of like lows and
mediums that I will not report.

1571
01:07:36,055 --> 01:07:36,115
Yeah.

1572
01:07:36,115 --> 01:07:36,835
Report, yeah.

1573
01:07:36,865 --> 01:07:38,425
But can be chained with something else.

1574
01:07:39,325 --> 01:07:41,995
I take note of what I see is
interesting and what to test.

1575
01:07:42,835 --> 01:07:44,665
kinda like a bit of threat modeling.

1576
01:07:44,905 --> 01:07:52,015
okay, this app, this has this, a bit
of, a bit of logic behind what to test.

1577
01:07:54,355 --> 01:07:56,875
and, actually could
probably take a look here.

1578
01:07:58,075 --> 01:07:58,795
Forgetting something

1579
01:07:59,305 --> 01:08:02,335
So, things you save for later.

1580
01:08:02,545 --> 01:08:03,565
internal domains, right?

1581
01:08:04,135 --> 01:08:06,085
Obviously lows, mediums and

1582
01:08:08,215 --> 01:08:09,865
that you can potentially
chain with something.

1583
01:08:09,925 --> 01:08:10,255
Yes.

1584
01:08:10,675 --> 01:08:13,705
What else are like the typical
things you save for later?

1585
01:08:15,570 --> 01:08:19,800
stuff that I find that are
probably vulnerable but

1586
01:08:19,800 --> 01:08:20,970
have a hard time exploiting.

1587
01:08:21,120 --> 01:08:21,450
Okay.

1588
01:08:22,529 --> 01:08:27,390
or that they disclose information, which
can probably help in another place.

1589
01:08:27,870 --> 01:08:34,319
For example, I had one case where, when I
uploaded a file for some reason, once in a

1590
01:08:34,319 --> 01:08:37,290
while it said, ok, find file in this path.

1591
01:08:37,319 --> 01:08:38,580
This was the internal path.

1592
01:08:39,060 --> 01:08:39,510
Okay.

1593
01:08:39,510 --> 01:08:39,720
Yeah.

1594
01:08:39,720 --> 01:08:40,620
So I could,

1595
01:08:40,620 --> 01:08:45,390
know where it was being uploaded, and
maybe I could do like a path traversal

1596
01:08:45,390 --> 01:08:47,130
and upload it elsewhere or whatnot.

1597
01:08:47,729 --> 01:08:48,899
So information like that.

1598
01:08:49,649 --> 01:08:52,050
I also store, custom headers.

1599
01:08:52,290 --> 01:08:57,490
I've had luck recently with like
custom headers that the company uses,

1600
01:08:59,529 --> 01:09:00,730
success in what sense?

1601
01:09:00,730 --> 01:09:03,790
In the sense of putting one header
in and different request that

1602
01:09:03,790 --> 01:09:05,170
normally did not have that header?

1603
01:09:07,390 --> 01:09:08,470
yeah, sometimes yes.

1604
01:09:08,470 --> 01:09:08,500
Okay.

1605
01:09:08,560 --> 01:09:09,100
I see.

1606
01:09:09,100 --> 01:09:10,359
I saw different behavior.

1607
01:09:11,680 --> 01:09:16,480
And one trick as well that I think Frans,
obviously Frans knows everything, right?

1608
01:09:17,950 --> 01:09:21,399
It's looking at the
Access-Control-Allow-Headers, I think.

1609
01:09:21,399 --> 01:09:21,520
Yeah.

1610
01:09:21,520 --> 01:09:22,240
In response, yeah.

1611
01:09:22,240 --> 01:09:26,560
Sometimes you have like custom headers in
there and putting them in the requests.

1612
01:09:26,560 --> 01:09:28,600
will have an interesting behavior.

1613
01:09:29,260 --> 01:09:31,330
so I had a few cases like
that, which like interesting.

1614
01:09:31,840 --> 01:09:34,990
I was not always able to exploit it,
but like I know something is happening.

1615
01:09:34,990 --> 01:09:36,160
They're doing something with that header.

1616
01:09:38,000 --> 01:09:38,929
I didn't look at this part.

1617
01:09:39,800 --> 01:09:43,309
The headers that are disclosed in the
Access-Control-Allow-Headers.

1618
01:09:43,309 --> 01:09:43,609
Yeah.

1619
01:09:43,849 --> 01:09:44,929
Sometimes you have a bunch of them.

1620
01:09:44,929 --> 01:09:50,750
So if you put one by one or all of
them in your request and put like any

1621
01:09:50,750 --> 01:09:55,580
value, sometimes the application will
reply like with something interesting.

1622
01:09:55,610 --> 01:09:55,880
Okay.

1623
01:09:55,880 --> 01:09:56,210
Yeah.

1624
01:09:56,240 --> 01:09:56,719
Okay, I see.

1625
01:09:57,290 --> 01:09:57,950
Interesting.

1626
01:09:58,880 --> 01:10:05,540
and also cases where, the app used
like, custom headers for admins

1627
01:10:06,200 --> 01:10:07,880
and by putting like that header.

1628
01:10:08,220 --> 01:10:11,700
In the request and putting like
a, let's say it was like a X

1629
01:10:11,700 --> 01:10:13,170
dash user ID in the request.

1630
01:10:13,170 --> 01:10:17,850
I could put another id, it got
me access to another user's.

1631
01:10:18,240 --> 01:10:18,420
Yeah.

1632
01:10:18,420 --> 01:10:19,260
So like that, yeah.

1633
01:10:19,260 --> 01:10:19,680
That's cool.

1634
01:10:20,190 --> 01:10:21,480
So that should not work, but works

1635
01:10:22,770 --> 01:10:23,130
after.

1636
01:10:23,490 --> 01:10:27,510
speaking of things that should not
work, but they work or they worked,

1637
01:10:28,235 --> 01:10:30,930
after the recent Next.js bug.

1638
01:10:30,930 --> 01:10:31,200
Oh yeah.

1639
01:10:31,500 --> 01:10:36,480
I'm tempted to just take a look at
the source code of each web framework.

1640
01:10:37,290 --> 01:10:38,190
Just create for.

1641
01:10:38,835 --> 01:10:40,900
All the headers that I thought about that

1642
01:10:40,905 --> 01:10:41,055
too.

1643
01:10:41,115 --> 01:10:41,385
Yeah.

1644
01:10:41,385 --> 01:10:42,195
I actually thought about it.

1645
01:10:42,255 --> 01:10:42,885
About it too.

1646
01:10:43,125 --> 01:10:43,425
Yeah.

1647
01:10:43,425 --> 01:10:45,645
Because I'm sure something weird happens.

1648
01:10:45,645 --> 01:10:46,575
There must be something

1649
01:10:46,575 --> 01:10:47,055
else.

1650
01:10:47,265 --> 01:10:47,325
Yeah.

1651
01:10:47,325 --> 01:10:48,225
There must be something

1652
01:10:48,225 --> 01:10:48,525
else.

1653
01:10:48,525 --> 01:10:52,815
It's not the first time that guy
in particular has found Next.js

1654
01:10:52,815 --> 01:10:55,365
bugs specific to headers.

1655
01:10:55,365 --> 01:10:58,665
I think he had found two or three
regarding cache poisoning.

1656
01:10:58,695 --> 01:10:59,025
Yeah.

1657
01:10:59,355 --> 01:11:02,325
And now an authorization
bypass with headers.

1658
01:11:02,325 --> 01:11:05,895
And I think I found a feature where
it led to some interesting stuff.

1659
01:11:05,895 --> 01:11:10,785
So I think headers are definitely,
an interesting, attack surface.

1660
01:11:10,790 --> 01:11:10,980
Yeah.

1661
01:11:11,175 --> 01:11:11,775
Yeah, for sure.

1662
01:11:14,245 --> 01:11:19,885
we'll end our interview here, but before
we do, tell me what are your plans

1663
01:11:19,885 --> 01:11:24,715
for 2025, as this is your first full
year as a full-time bug bounty hunter,

1664
01:11:25,105 --> 01:11:26,905
what are your goals for this year?

1665
01:11:28,255 --> 01:11:30,685
I have my, financial
goals and sort background.

1666
01:11:31,495 --> 01:11:34,705
I'm on pace to pass that.

1667
01:11:34,885 --> 01:11:35,095
Yeah.

1668
01:11:36,235 --> 01:11:39,415
I think by a lot, if I can continue
hacking and finding more bugs.

1669
01:11:39,655 --> 01:11:39,835
Yeah.

1670
01:11:40,315 --> 01:11:43,465
I'm hoping to get invited to a
few more live hacking events.

1671
01:11:43,585 --> 01:11:46,405
'cause those usually like boost, a bit.

1672
01:11:46,975 --> 01:11:47,185
yeah.

1673
01:11:48,295 --> 01:11:50,845
And, hoping to take more vacation as well.

1674
01:11:52,305 --> 01:11:53,655
I actually go on vacation
a couple of weeks.

1675
01:11:53,655 --> 01:11:59,505
I'm hoping, to be able to,
schedule some, more, later this

1676
01:11:59,505 --> 01:12:00,945
summer, maybe in the fall as well.

1677
01:12:00,945 --> 01:12:01,305
We'll see.

1678
01:12:02,955 --> 01:12:08,775
just, have fun, play more golf, play more
hockey, and, have fun doing multi full

1679
01:12:08,775 --> 01:12:11,205
time or part-time, but like full-time,

1680
01:12:11,205 --> 01:12:12,285
part-time was full-time.

1681
01:12:12,315 --> 01:12:12,375
Yeah.

1682
01:12:12,660 --> 01:12:13,150
Awesome.

1683
01:12:13,665 --> 01:12:17,510
I wish you a lot of good luck with this
and thank you so much for the interview.

1684
01:12:17,510 --> 01:12:17,910
Thanks

1685
01:12:17,910 --> 01:12:18,255
for having me.

