1
00:00:00,000 --> 00:00:02,590
For me, 20,000 is a lot of money.

2
00:00:02,590 --> 00:00:06,910
But to get, I remember all the guys made
a hundred thousand dollars, probably all

3
00:00:06,910 --> 00:00:11,640
my free time when I'm not at the gym or
playing tennis or staying with my girlfriend.

4
00:00:11,679 --> 00:00:12,560
It's for a big bounty.

5
00:00:12,950 --> 00:00:13,280
Yeah.

6
00:00:13,299 --> 00:00:16,870
So still today, a lot of SQL
injections on, on HackerOne.

7
00:00:17,260 --> 00:00:18,084
So a lot of.

8
00:00:18,085 --> 00:00:24,805
Problems with all, with WAF too, I was
able to bypass some WAFs in some cases.

9
00:00:24,865 --> 00:00:28,335
My automation is only for recon,
not to exploit anything, because

10
00:00:28,365 --> 00:00:32,465
probably, uh, the exploit thing
with nuclei or something, there are

11
00:00:32,495 --> 00:00:35,344
guys doing this faster than me.

12
00:00:37,100 --> 00:00:40,140
so much for joining me
for the podcast this time.

13
00:00:40,680 --> 00:00:42,990
Uh, for the viewers who don't
know you yet, can you please

14
00:00:43,020 --> 00:00:45,870
introduce yourself a little bit
and tell us about your background?

15
00:00:46,190 --> 00:00:46,589
Okay.

16
00:00:46,589 --> 00:00:49,139
So thank you again for inviting me.

17
00:00:49,440 --> 00:00:53,019
I'm really excited about this
pod questions and the question.

18
00:00:53,020 --> 00:00:54,209
So yeah.

19
00:00:54,230 --> 00:00:58,545
So about my background, so
I'm a bug hunter and pen

20
00:00:58,545 --> 00:01:00,645
tester on HackerOne with four.

21
00:01:00,705 --> 00:01:05,865
I think I have four or five years on
HackerOne, I, and, and after that,

22
00:01:06,195 --> 00:01:12,325
uh, I, I work, I work uh, as uh,
cybersecurity tech lead, uh, uh,

23
00:01:12,355 --> 00:01:13,945
cybersecurity consultancy in Brazil.

24
00:01:14,185 --> 00:01:16,735
And I'm pentest leader in HackerOne too.

25
00:01:16,945 --> 00:01:21,040
So I work with both and, uh, this is me.

26
00:01:21,460 --> 00:01:25,700
I think, and I was invited, um,
five times to live hacking events at

27
00:01:25,700 --> 00:01:29,390
HackerOne and I really like it,
sent a lot of bugs on bug bounty.

28
00:01:30,360 --> 00:01:30,630
Yeah.

29
00:01:30,690 --> 00:01:32,850
So are you not the full-time

30
00:01:32,850 --> 00:01:33,880
bug bounty hunter now?

31
00:01:34,209 --> 00:01:35,470
Yeah, not, not.

32
00:01:35,610 --> 00:01:36,260
Have you considered it?

33
00:01:37,220 --> 00:01:37,750
Yeah.

34
00:01:37,750 --> 00:01:42,619
Um, I think maybe it's a possibility
to me because probably my income

35
00:01:42,629 --> 00:01:43,459
from bug bounty, it's pretty low.

36
00:01:43,940 --> 00:01:49,460
It's really, it's more than I receive
from my, my work, really more, but I

37
00:01:49,460 --> 00:01:54,989
really like working at, uh, this Brazilian
cybersecurity, it's, it's good work there.

38
00:01:55,199 --> 00:01:57,910
I have some friends and I really,
I really like working there.

39
00:01:58,479 --> 00:02:00,769
So it's, it's, it's a good job.

40
00:02:01,039 --> 00:02:02,610
I can do really good things there.

41
00:02:03,199 --> 00:02:07,304
The vulnerability, uh, I
showed to you was there.

42
00:02:07,414 --> 00:02:11,325
Using the, the serial kilobyte
pass, get, get his collection.

43
00:02:11,325 --> 00:02:12,445
So I have good opportunities.

44
00:02:12,455 --> 00:02:15,115
That's to test Brazilian companies.

45
00:02:15,115 --> 00:02:16,705
So, yeah, I like working there.

46
00:02:17,405 --> 00:02:20,774
Yeah, that's, I think that's, that's
the common theme among all of the

47
00:02:20,785 --> 00:02:23,234
bug hunters, that we like bug bounty.

48
00:02:23,590 --> 00:02:26,400
But also being alone is
a little bit problematic.

49
00:02:26,420 --> 00:02:26,980
Yes.

50
00:02:27,280 --> 00:02:27,780
Yeah,

51
00:02:27,930 --> 00:02:29,130
you are really true.

52
00:02:29,220 --> 00:02:31,980
Very impressive, that you
still only work part time.

53
00:02:31,980 --> 00:02:36,671
You've got almost 22,000
reputation on HackerOne.

54
00:02:36,671 --> 00:02:37,269
Yeah

55
00:02:37,270 --> 00:02:39,180
So I I'm very excited to

56
00:02:39,219 --> 00:02:39,899
to speak with you.

57
00:02:40,260 --> 00:02:40,850
Awesome.

58
00:02:40,889 --> 00:02:41,189
Awesome.

59
00:02:41,190 --> 00:02:45,015
I probably, all my free
time when I'm not at the gym or

60
00:02:45,015 --> 00:02:47,625
playing tennis or staying with my
girlfriend, it's for a big bounty.

61
00:02:48,024 --> 00:02:48,355
Yeah.

62
00:02:48,374 --> 00:02:52,045
So yeah, all my free time is for a
big bounty and probably maybe this is

63
00:02:52,084 --> 00:02:53,734
the reason why I have this reputation.

64
00:02:55,204 --> 00:02:56,374
Well done one way or another.

65
00:02:56,784 --> 00:03:00,989
So, uh, are you more of an
automation-based hunter?

66
00:03:01,049 --> 00:03:02,310
Are you a manual hunter?

67
00:03:02,310 --> 00:03:03,840
Are you something, something in between?

68
00:03:03,989 --> 00:03:08,340
So, uh, yeah, maybe I'm in between
these two, the, these two options

69
00:03:08,340 --> 00:03:12,329
because I have automation, but
only to, my automation is only

70
00:03:12,329 --> 00:03:14,100
for recon, not to exploit anything.

71
00:03:14,340 --> 00:03:18,600
Yeah, because probably, uh, the,
the exploit thing with nuclei or

72
00:03:18,600 --> 00:03:23,100
something, there is more, there are,
there are guys doing this faster.

73
00:03:23,155 --> 00:03:24,534
Yeah.

74
00:03:24,535 --> 00:03:25,075
It's a race.

75
00:03:25,375 --> 00:03:25,745
Yeah.

76
00:03:25,775 --> 00:03:26,895
So it looked like a race.

77
00:03:26,905 --> 00:03:29,165
So I didn't, it's like this, this.

78
00:03:29,415 --> 00:03:32,375
So probably my, my, my
automation is only for recon.

79
00:03:32,385 --> 00:03:36,994
What I have, it's, I have a huge
MySQL database, it's all my,

80
00:03:37,164 --> 00:03:38,224
yeah, with all my, all my, yeah.

81
00:03:38,370 --> 00:03:41,820
My scope from bug bounty programs
and all, all the time my script

82
00:03:41,880 --> 00:03:43,350
is running and does the recon.

83
00:03:43,570 --> 00:03:48,990
And if I have some updates from HackerOne,
uh, uh, these updates notify me and

84
00:03:49,020 --> 00:03:51,599
I have the assets in my, my Telegram chat.

85
00:03:51,810 --> 00:03:54,679
So I received that and
maybe this is a good target.

86
00:03:54,680 --> 00:03:57,825
Oh, maybe this program, uh, this
program has now a wildcard

87
00:03:57,825 --> 00:04:00,350
scope so I can look there and yes.

88
00:04:00,410 --> 00:04:05,810
So my, my automation, it's only for
recon and receive the updates from the

89
00:04:05,810 --> 00:04:11,629
programs and my, but my, my hunting,
it's only manual testing, looking

90
00:04:11,629 --> 00:04:13,300
at the application and those things.

91
00:04:13,370 --> 00:04:13,579
Yeah.

92
00:04:13,650 --> 00:04:18,040
How, how technically have you connected
HackerOne updates to a Telegram chat?

93
00:04:18,730 --> 00:04:20,089
So, uh,

94
00:04:20,329 --> 00:04:22,340
maybe in, uh, at the first time was.

95
00:04:23,130 --> 00:04:28,030
Really hard because we need, we need
to, your scripts need to be hitting

96
00:04:28,030 --> 00:04:32,760
the HackerOne API a lot of times
to, to get the updates in time.

97
00:04:33,050 --> 00:04:38,579
But I think it's OK now because, because
I, I, I've been writing the script a lot of time.

98
00:04:38,579 --> 00:04:40,669
So maybe the script is stable.

99
00:04:40,870 --> 00:04:45,110
Now, and I did have some problems,
but maybe at first I had a lot

100
00:04:45,110 --> 00:04:47,250
of, a lot of bugs in the script.

101
00:04:47,250 --> 00:04:51,240
No, the script is not working
well and I was losing scope.

102
00:04:51,460 --> 00:04:52,000
An example.

103
00:04:52,010 --> 00:04:54,060
So, I remember seeing, some time,

104
00:04:54,289 --> 00:04:59,600
my script is not looking at all the
scope, it's only looking at the first page.

105
00:04:59,750 --> 00:05:00,990
Not all the scope.

106
00:05:00,990 --> 00:05:08,640
So I fixed it, uh, making a for loop,
uh, uh, looking at all the pages of this

107
00:05:08,650 --> 00:05:13,229
scope from the API, because I didn't know
the API only shows a page of scope, not

108
00:05:13,250 --> 00:05:18,210
all the scope. There are some programs with
huge scopes with a lot of domains and

109
00:05:18,220 --> 00:05:20,130
these, and probably I was missing that.

110
00:05:20,130 --> 00:05:24,530
So this, this is what, uh, this is
one of the mistakes I had on the,

111
00:05:24,780 --> 00:05:28,950
in the way, but I think probably
now it's more stable, but, but my

112
00:05:28,950 --> 00:05:30,230
automation is only for HackerOne.

113
00:05:30,480 --> 00:05:30,650
Yeah.

114
00:05:30,670 --> 00:05:34,950
Because probably implementing other
APIs or other, uh, platforms will

115
00:05:34,960 --> 00:05:37,409
be more, it will be more work.

116
00:05:37,460 --> 00:05:37,680
Yeah.

117
00:05:37,680 --> 00:05:37,760
And

118
00:05:37,760 --> 00:05:41,050
it's always when you write something,
it's like, it's a, it's a cool idea and

119
00:05:41,050 --> 00:05:45,270
you think it's going to be quick and then
it takes time and more time and bugs.

120
00:05:45,280 --> 00:05:45,870
Yeah.

121
00:05:45,870 --> 00:05:46,250
Yeah.

122
00:05:46,250 --> 00:05:46,600
Yeah.

123
00:05:46,600 --> 00:05:47,040
A lot of

124
00:05:47,080 --> 00:05:47,410
bugs.

125
00:05:47,660 --> 00:05:51,700
Sometimes I, I didn't receive the
notifications on Telegram and I think, oh,

126
00:05:51,940 --> 00:05:55,300
probably there is something not working
well, I need to check on the server.

127
00:05:56,020 --> 00:05:56,440
Yeah.

128
00:05:57,210 --> 00:05:58,700
What other alerts do you have?

129
00:05:58,710 --> 00:06:01,669
For some, I don't know, do you
monitor JavaScript, for example?

130
00:06:02,050 --> 00:06:04,130
No, I didn't monitor any JavaScript.

131
00:06:04,500 --> 00:06:09,019
Uh, but what I, what I monitor with,
with this, with my automation is,

132
00:06:09,560 --> 00:06:12,170
uh, every, every day I do the recon.

133
00:06:12,480 --> 00:06:13,090
And.

134
00:06:13,285 --> 00:06:21,735
I have the responses for the same domain
in, in a time and in, uh, an example.

135
00:06:22,164 --> 00:06:25,904
I ran the recon yesterday, today,
and there's going to be tomorrow.

136
00:06:25,904 --> 00:06:31,484
I have all the httpx, uh, parameters
in the MySQL database and I can

137
00:06:31,484 --> 00:06:36,184
compare if an example, if the
status code yesterday was 401

138
00:06:38,264 --> 00:06:41,294
and today was 200 and
yesterday will be 200.

139
00:06:41,324 --> 00:06:45,215
So I historical in my, in my automation.

140
00:06:45,705 --> 00:06:47,755
So you store the httpx parameters.

141
00:06:47,755 --> 00:06:50,594
So there's like the status
code, number of words, number

142
00:06:50,594 --> 00:06:51,794
of lines, something like this.

143
00:06:51,844 --> 00:06:52,255
Yeah,

144
00:06:52,525 --> 00:06:52,994
you don't actually,

145
00:06:53,005 --> 00:06:57,684
you don't actually, oh, yeah,
because, because, um, httpx,

146
00:06:58,034 --> 00:07:00,034
uh, has a, uh, a parameter.

147
00:07:00,044 --> 00:07:04,174
You can get the hash of the
body so you can, I did it.

148
00:07:04,174 --> 00:07:07,564
I have these, but I need to
work to improve maybe the

149
00:07:07,564 --> 00:07:09,004
way to view these things.

150
00:07:09,335 --> 00:07:14,645
But I was capable, uh, if I search
some, some domain example from a bug

151
00:07:14,645 --> 00:07:18,364
bounty program, I was capable to see
if the page was changing over time.

152
00:07:18,544 --> 00:07:21,634
If the, the hash gen bo
I think it's gen body.

153
00:07:21,985 --> 00:07:22,105
Yeah.

154
00:07:22,105 --> 00:07:22,945
The name of the hash.

155
00:07:22,945 --> 00:07:26,245
If, if this has changed, probably
the application changed and probably

156
00:07:26,245 --> 00:07:29,935
the application will, probably
the application was updated or

157
00:07:29,935 --> 00:07:31,825
something, or had the body changed.

158
00:07:32,420 --> 00:07:33,510
Yeah, that's very interesting.

159
00:07:33,620 --> 00:07:33,960
Yeah.

160
00:07:33,960 --> 00:07:34,180
Doesn't

161
00:07:34,180 --> 00:07:34,860
it cause too

162
00:07:34,860 --> 00:07:37,950
many false positives
because the hash is very,

163
00:07:37,950 --> 00:07:38,460
very strict.

164
00:07:38,520 --> 00:07:38,980
Yeah.

165
00:07:39,060 --> 00:07:39,400
Yeah.

166
00:07:39,400 --> 00:07:39,730
Yeah.

167
00:07:39,870 --> 00:07:42,749
We have a lot of many false
positives, but sometimes I have

168
00:07:42,750 --> 00:07:46,439
good, I have good, good examples.

169
00:07:46,680 --> 00:07:49,599
So I will show an example to you.

170
00:07:49,599 --> 00:07:51,790
I really like PHP page because.

171
00:07:52,050 --> 00:07:56,510
When you see PHP, probably we
will find some bugs there.

172
00:07:56,740 --> 00:08:02,670
So I was monitoring this page and for
this page, the page was the same, the same

173
00:08:02,670 --> 00:08:04,350
hash, same hash, same hash, same hash.

174
00:08:04,610 --> 00:08:06,890
And some day I look
and the hash changed.

175
00:08:06,900 --> 00:08:09,240
Oh, probably is there an update here.

176
00:08:09,409 --> 00:08:12,229
And I was capable to find a
new endpoint and access there.

177
00:08:12,450 --> 00:08:17,544
So it's, it's fine because if
you look for the right, the right

178
00:08:17,545 --> 00:08:20,395
domains, the right domains,
you can find good things there.

179
00:08:20,875 --> 00:08:24,925
Yeah, but it's hard to, to, to
limit this because do you have like

180
00:08:24,925 --> 00:08:29,394
just, um, you monitor this just
for the main page, like the slash?

181
00:08:29,495 --> 00:08:30,245
No, it's only the main

182
00:08:30,245 --> 00:08:30,715
page.

183
00:08:30,905 --> 00:08:31,674
Only the main page?

184
00:08:31,674 --> 00:08:32,655
Yeah, the main page.

185
00:08:32,714 --> 00:08:37,625
Because, uh, probably, uh, all the
page will be more complex to do.

186
00:08:37,935 --> 00:08:38,914
And yeah.

187
00:08:39,145 --> 00:08:42,525
I don't know, maybe MySQL is
not the best database to do that.

188
00:08:42,975 --> 00:08:44,785
Because imagine we store all these things.

189
00:08:44,975 --> 00:08:46,685
Yeah, that's what I'm afraid of.

190
00:08:46,685 --> 00:08:50,335
Like sometimes when I think of
writing something like this, I want

191
00:08:50,364 --> 00:08:53,274
to, well, first of all, I don't
want to spend all the time on the

192
00:08:53,274 --> 00:08:54,795
development, but I can accept it.

193
00:08:55,135 --> 00:08:59,699
But then I want to, uh, somehow
limit the amount of noise.

194
00:08:59,849 --> 00:09:00,089
Yeah.

195
00:09:00,165 --> 00:09:04,920
To, to actually, so it gives me leads,
but doesn't give me everything every day.

196
00:09:04,925 --> 00:09:05,104
Yeah.

197
00:09:05,109 --> 00:09:05,310
Yeah.

198
00:09:05,339 --> 00:09:08,790
So it's a very nice balance that
you, that you seem to have, I think

199
00:09:08,790 --> 00:09:13,140
probably in my automations, uh, what
I really, really use is this, this

200
00:09:13,140 --> 00:09:15,689
scope update because it's, it's fun.

201
00:09:15,959 --> 00:09:20,520
This, it's really cool
because, um, uh, sometimes.

202
00:09:20,824 --> 00:09:24,344
The program updates the scope, but
didn't send emails to other people,

203
00:09:24,344 --> 00:09:27,055
or, or the subscription didn't work well.

204
00:09:27,444 --> 00:09:32,444
So this functionality to update
scope, it's really awesome because

205
00:09:32,525 --> 00:09:36,754
it gives me the visibility of all the
scope updates from the programs.

206
00:09:36,785 --> 00:09:41,685
I didn't have that because my,
my, my Telegram chat has a lot of

207
00:09:41,724 --> 00:09:45,844
messages all day because all these
programs that update, changing, yeah.

208
00:09:46,050 --> 00:09:49,439
As more things, I will show
an example to you here.

209
00:09:49,439 --> 00:09:52,990
So today I have 10 a.m.
Yesterday, yesterday.

210
00:09:52,990 --> 00:09:55,329
So yeah, a lot of updates
from these programs.

211
00:09:55,509 --> 00:09:55,959
Yeah, even

212
00:09:56,030 --> 00:10:01,849
in the beginning when you said it, I
imagined that, uh, the way I thought

213
00:10:01,850 --> 00:10:05,699
it may be done is you have some
webhook on the email, mail hook, but

214
00:10:05,699 --> 00:10:09,510
now you realize, okay, there's not
always an email sent on scope update.

215
00:10:09,510 --> 00:10:10,110
Not just now.

216
00:10:10,110 --> 00:10:10,910
I realize this.

217
00:10:11,180 --> 00:10:11,660
Yeah.

218
00:10:12,410 --> 00:10:18,070
So what I do really is get all the
time the scope from HackerOne and after

219
00:10:18,070 --> 00:10:22,170
that compare it with my scope in my MySQL
database and comparing that, oh, there

220
00:10:22,170 --> 00:10:26,440
is something new here, send to Telegram and
start storing it. Yeah, that's very smart.

221
00:10:26,590 --> 00:10:27,110
Yeah.

222
00:10:27,279 --> 00:10:31,124
And do you, every day, do you hunt like
on whatever your automation shows you?

223
00:10:31,275 --> 00:10:36,015
Yeah, when, when I have good targets,
an example, I saw that, uh, I saw

224
00:10:36,065 --> 00:10:38,495
maybe here there's some good things.

225
00:10:38,715 --> 00:10:44,084
What I was thinking to do to improve my
automation is, uh, use httpx on these

226
00:10:44,085 --> 00:10:46,464
new domains to check the technologies.

227
00:10:46,625 --> 00:10:51,535
Because if I have some good technology
like PHP or something, probably this is

228
00:10:51,595 --> 00:10:53,695
really good and I can, maybe it's good.

229
00:10:53,925 --> 00:10:59,045
Take some, some, take some time here
because probably will be good stuff here.

230
00:10:59,055 --> 00:10:59,314
Yeah,

231
00:10:59,465 --> 00:11:00,185
yeah, that's cool.

232
00:11:00,615 --> 00:11:03,925
You make, you motivate me to start
doing something similar as well.

233
00:11:04,184 --> 00:11:09,564
Yeah, I have some kind of, I have some
JavaScript monitoring which I use and, but

234
00:11:09,564 --> 00:11:13,854
I use it on programs I don't even handle
anymore and I get updates every few days.

235
00:11:14,155 --> 00:11:17,215
And I never actually like
created the automation.

236
00:11:17,215 --> 00:11:19,615
The automation where I would
really stick to it and I would

237
00:11:19,615 --> 00:11:20,905
actually use it properly.

238
00:11:21,025 --> 00:11:21,445
Yeah.

239
00:11:21,505 --> 00:11:24,925
But I think it's, I think
it's incre incredibly useful.

240
00:11:24,925 --> 00:11:25,555
So I have to,

241
00:11:25,705 --> 00:11:29,005
yeah, the texts from the
updates were, it's useful.

242
00:11:29,005 --> 00:11:29,965
I really use that.

243
00:11:29,970 --> 00:11:29,980
Yeah.

244
00:11:29,985 --> 00:11:30,295
Yeah.

245
00:11:30,295 --> 00:11:30,700
That's really awesome.

246
00:11:31,075 --> 00:11:32,635
Yeah, that's very, that's very smart.

247
00:11:32,635 --> 00:11:33,175
And that's weird.

248
00:11:33,175 --> 00:11:36,135
There's no native functionality to do it.

249
00:11:36,135 --> 00:11:37,240
Not just now I realize.

250
00:11:37,350 --> 00:11:37,640
Yeah.

251
00:11:37,700 --> 00:11:40,755
So, uh, I, I was talking with Omi.

252
00:11:40,755 --> 00:11:41,355
I dunno.

253
00:11:41,355 --> 00:11:41,775
I, I'm.

254
00:11:42,150 --> 00:11:47,800
Talking about years, love me in the past,
we're talking about maybe it's better

255
00:11:47,800 --> 00:11:53,949
for HackerOne API if they use webhooks
to send to us, because imagine all, all

256
00:11:53,950 --> 00:11:58,499
day my script is on and it's
running and hits the HackerOne API, gets

257
00:11:58,519 --> 00:12:00,649
all the programs and do this every, Okay.

258
00:12:00,865 --> 00:12:01,465
Minutes.

259
00:12:01,465 --> 00:12:02,495
Do, do, do, do.

260
00:12:02,495 --> 00:12:06,575
So maybe, maybe this, uh, uh,
maybe this consume a lot of

261
00:12:06,605 --> 00:12:08,085
resource on HackerOne API.

262
00:12:08,085 --> 00:12:12,815
So maybe Webhooks can finish with
this, this, consume enough resources.

263
00:12:13,134 --> 00:12:13,735
That would be easy.

264
00:12:13,764 --> 00:12:17,594
And also not only on the HackerOne API,
but then you have to pull it yourself.

265
00:12:17,594 --> 00:12:18,875
You have to diff it yourself.

266
00:12:18,885 --> 00:12:19,375
Yeah.

267
00:12:19,405 --> 00:12:20,925
So it's, it's a lot of code.

268
00:12:20,925 --> 00:12:23,015
It's a lot of resources and
the Webhook would be easier.

269
00:12:23,055 --> 00:12:23,445
Yeah.

270
00:12:23,495 --> 00:12:23,755
Yeah.

271
00:12:23,755 --> 00:12:25,965
Although for bug bounty, the
thing is, if something is hard,

272
00:12:26,555 --> 00:12:30,234
it's, it is the reason. Yeah.

273
00:12:30,235 --> 00:12:30,635
Yeah.

274
00:12:30,954 --> 00:12:31,744
Yeah, it's true.

275
00:12:32,665 --> 00:12:33,005
Okay.

276
00:12:33,015 --> 00:12:34,615
So you have the automation.

277
00:12:35,045 --> 00:12:39,275
You, you start hunting on some new
domain that automation gave you.

278
00:12:39,334 --> 00:12:40,875
What's, where do you start?

279
00:12:41,035 --> 00:12:41,755
What do you hack?

280
00:12:41,805 --> 00:12:42,745
A lot of fuzzing.

281
00:12:42,964 --> 00:12:43,474
Probably.

282
00:12:43,524 --> 00:12:45,125
I really like to do fuzzing.

283
00:12:45,165 --> 00:12:45,375
Yeah.

284
00:12:45,474 --> 00:12:47,875
I really like to use waymore.

285
00:12:47,894 --> 00:12:54,424
And these, these tools would give me the
historical things from this, this domain.

286
00:12:54,424 --> 00:12:55,314
So fuzzing.

287
00:12:55,395 --> 00:12:57,564
Historic, uh, historic things for this.

288
00:12:57,564 --> 00:13:01,194
I might use waymore or
other, other, other tools.

289
00:13:01,425 --> 00:13:07,544
So I really like, uh, I really like to
search on Google, Bing, DuckDuckGo and

290
00:13:07,574 --> 00:13:14,564
other searches too, I really like site, uh,
two points, I think two points, two points

291
00:13:14,564 --> 00:13:17,415
are not two dots, uh, colon, colon, colon.

292
00:13:17,470 --> 00:13:22,000
I think, yeah, site
colon and, uh, domain

293
00:13:22,219 --> 00:13:22,520
.com.

294
00:13:22,650 --> 00:13:27,609
So you, uh, it's, it's really
awesome because when you do that, a

295
00:13:27,609 --> 00:13:33,129
lot of these, these search engines
give you a lot of good endpoints.

296
00:13:33,680 --> 00:13:39,100
Uh, so I really do that, waymore and a
lot of fuzzing and fuzzing over fuzzing.

297
00:13:39,110 --> 00:13:40,310
An example, you find a new path.

298
00:13:40,935 --> 00:13:43,065
Oh, probably I need to fuzz more here.

299
00:13:43,380 --> 00:13:49,455
I, I need, I need to do recursive fuzzing,
because sometimes this can be, uh, can

300
00:13:49,455 --> 00:13:54,495
be a problem to the customer because
you, maybe you can turn, turn it all

301
00:13:54,675 --> 00:13:58,425
or off or maybe, uh, stop the server.

302
00:13:58,755 --> 00:14:02,895
This, this is normal, so you
need to, uh, for me, uh, the

303
00:14:02,895 --> 00:14:05,145
normal now is to use low threads.

304
00:14:06,200 --> 00:14:11,710
Big wordlist, fuzzing all the paths,
look for, for good things and after

305
00:14:11,710 --> 00:14:14,029
finding a path, fuzz again and again and again.

306
00:14:14,029 --> 00:14:16,850
And look what bug classes I do fuzz for.

307
00:14:17,439 --> 00:14:18,510
I really like access.

308
00:14:18,520 --> 00:14:20,570
Yes, improper access control.

309
00:14:20,769 --> 00:14:22,910
Insecure deserialization, SQL injection.

310
00:14:23,229 --> 00:14:25,905
I have a lot of, for me.

311
00:14:25,995 --> 00:14:28,425
So you have like a one large
word list with everything?

312
00:14:28,425 --> 00:14:28,815
Yeah.

313
00:14:29,475 --> 00:14:33,705
What, what I can, what I can see
on the application, probably I will

314
00:14:33,705 --> 00:14:40,785
test an example, uh, a few months
ago I, I saw a PDF reader, in

315
00:14:40,785 --> 00:14:42,735
this PDF reader, I was capable to

316
00:14:43,460 --> 00:14:44,670
attach files.

317
00:14:44,670 --> 00:14:47,650
I don't know if you saw this
kind of vulnerabilities and I

318
00:14:47,750 --> 00:14:50,220
was able to do local file inclusion.

319
00:14:50,650 --> 00:14:56,709
So yeah, maybe probably for me when I
found an application, I try, I try to

320
00:14:56,709 --> 00:14:58,800
test all these things on the application.

321
00:14:58,999 --> 00:15:03,940
XSS, misconfiguration, information
disclosure, SQL injection,

322
00:15:05,990 --> 00:15:06,420
XSS, XXE.

323
00:15:06,470 --> 00:15:08,420
So all these things I try.

324
00:15:08,845 --> 00:15:11,935
Application, and if I have
some specifications and

325
00:15:11,965 --> 00:15:14,155
with, and this PDF reader.

326
00:15:14,155 --> 00:15:20,975
So this is interesting and I test all,
I I want to test this, uh, uh, SSRF on

327
00:15:20,975 --> 00:15:24,395
this PDF reader, LFI on this PDF reader.

328
00:15:24,455 --> 00:15:30,365
So what I, I, everything I, I, I,
I can see on the application.

329
00:15:30,365 --> 00:15:33,275
I try, I really like
the HackTricks book.

330
00:15:33,425 --> 00:15:34,625
I don't know if you know this.

331
00:15:34,625 --> 00:15:34,760
Yeah, of course.

332
00:15:34,760 --> 00:15:36,240
This domain, this is really, really good.

333
00:15:36,844 --> 00:15:38,055
Didn't it disappear recently?

334
00:15:38,334 --> 00:15:44,155
Yeah, I don't know because the, the,
the URL, the domain is working, but

335
00:15:44,165 --> 00:15:45,604
the Google is not showing anymore.

336
00:15:45,645 --> 00:15:46,425
I don't know why.

337
00:15:46,474 --> 00:15:46,805
Okay.

338
00:15:47,064 --> 00:15:47,405
Interesting.

339
00:15:47,545 --> 00:15:48,194
I don't know why.

340
00:15:48,194 --> 00:15:48,794
Maybe.

341
00:15:49,265 --> 00:15:52,555
I don't know, but the Google
is not, is not showing anymore.

342
00:15:52,555 --> 00:15:56,265
But if you have the, the URL, the
URL of HackTricks, it's working.

343
00:15:56,525 --> 00:15:56,815
Okay.

344
00:15:56,825 --> 00:15:57,065
Yeah.

345
00:15:57,065 --> 00:15:57,095
Okay.

346
00:15:57,095 --> 00:15:59,355
I don't know what's happened.

347
00:16:00,425 --> 00:16:05,395
Yeah, so your, your word list, how
many, how many positions does it have?

348
00:16:05,925 --> 00:16:09,704
Oh, probably, I have, I have
some huge, uh, wordlists.

349
00:16:10,025 --> 00:16:15,095
The one that you use, just you open
an endpoint parameters by default?

350
00:16:15,385 --> 00:16:20,155
Uh, no, uh, the, the wordlist to
fuzz a path in a web application

351
00:16:20,155 --> 00:16:21,765
probably one to two million entries.

352
00:16:22,035 --> 00:16:22,435
Okay.

353
00:16:22,605 --> 00:16:30,150
And to fuzz parameters, maybe, uh, 300,
I think, entries to fuzz parameters.

354
00:16:30,310 --> 00:16:35,640
An example, I have an endpoint, I, I
try to see if it gets, um, if in this

355
00:16:35,640 --> 00:16:39,709
endpoint there is some get parameter
interesting and I, I fuzzing again.

356
00:16:40,009 --> 00:16:40,669
I really like it.

357
00:16:40,729 --> 00:16:43,999
x8, this tool, this tool to fuzz
parameters is really nice.

358
00:16:43,999 --> 00:16:44,819
I don't know if you know this.

359
00:16:44,819 --> 00:16:45,614
No, I don't.

360
00:16:45,765 --> 00:16:51,145
It's really nice because, uh, for me, the
Param, Param Miner is, it's really slow.

361
00:16:51,165 --> 00:16:54,535
I don't know because I didn't have
good experience with Param Miner.

362
00:16:54,885 --> 00:16:57,034
So this tool, do you mean Param Miner?

363
00:16:58,114 --> 00:17:00,245
Sorry, my English is very good.

364
00:17:00,985 --> 00:17:05,704
So I really like in my Burp
Suite, my setup, I have another

365
00:17:05,704 --> 00:17:07,184
extension called Send To.

366
00:17:07,185 --> 00:17:07,385
Yeah.

367
00:17:07,575 --> 00:17:11,005
And I use it, this extension,
to pipe the request.

368
00:17:11,245 --> 00:17:16,125
to these tools like x8, sqlmap
and other custom tools.

369
00:17:16,125 --> 00:17:16,954
I have an example.

370
00:17:16,954 --> 00:17:19,045
I have a custom tool to
test SSRF on an application.

371
00:17:19,355 --> 00:17:23,974
So I pipe the request to these
tools and it's really good

372
00:17:24,085 --> 00:17:25,105
work with that.

373
00:17:25,394 --> 00:17:26,485
Yeah, but do you fuzz?

374
00:17:26,665 --> 00:17:29,715
You said there is a wordlist of how big?

375
00:17:31,295 --> 00:17:33,065
My, my main wordlist.

376
00:17:33,405 --> 00:17:33,625
Yeah.

377
00:17:33,625 --> 00:17:34,985
An example.

378
00:17:34,995 --> 00:17:37,075
I have the normal wordlist.

379
00:17:37,235 --> 00:17:37,465
Yeah.

380
00:17:37,505 --> 00:17:41,904
If, if I use the normal, the normal
wordlist and the wordlist didn't

381
00:17:41,935 --> 00:17:47,245
work, uh, probably, uh, this wordlist
has one or two million entries.

382
00:17:47,465 --> 00:17:49,835
And you always fuzz with
one or two million entries.

383
00:17:49,894 --> 00:17:51,534
No, no.

384
00:17:51,534 --> 00:17:53,984
Probably give a few days working.

385
00:17:54,034 --> 00:17:55,355
So yeah, I do a lot.

386
00:17:55,775 --> 00:17:58,405
And waiting, do my, do my
work and stay where it is.

387
00:17:58,405 --> 00:17:59,785
So you just leave it in
the background, don't you?

388
00:18:00,365 --> 00:18:07,904
Yeah, sometimes, yeah, sometimes I'm
looking, but I'm afraid to, to, how

389
00:18:07,904 --> 00:18:12,798
can I say, I'm afraid to turn off,
it's not turning off the servers of the

390
00:18:12,798 --> 00:18:16,588
customers, but I'm really afraid of that.

391
00:18:16,588 --> 00:18:20,735
So, uh, what I do is look at
the policy of the program.

392
00:18:20,755 --> 00:18:23,605
If, if the program allows, you can only do

393
00:18:23,895 --> 00:18:25,785
20 requests per second.

394
00:18:25,785 --> 00:18:30,455
I, I, I use these metrics
to, to configure the fuzzer.

395
00:18:30,645 --> 00:18:30,985
Okay.

396
00:18:30,995 --> 00:18:31,525
So, yeah.

397
00:18:31,555 --> 00:18:32,165
Interesting.

398
00:18:32,715 --> 00:18:32,905
Yeah.

399
00:18:32,905 --> 00:18:39,335
I, I, I know I'm, but it's fuzzing,
but, but I had no idea, like someone

400
00:18:39,355 --> 00:18:40,925
fuzzes with such a large wordlist.

401
00:18:41,575 --> 00:18:41,885
Yeah.

402
00:18:41,895 --> 00:18:44,835
I think he, I'm a, I'm, I'm patient.

403
00:18:44,925 --> 00:18:52,044
So I get, yeah, I start the fuzzer,
put it on another monitor and see it

404
00:18:52,045 --> 00:18:53,444
working while I'm doing my work.

405
00:18:53,785 --> 00:18:55,764
Sometimes I minimize and look there.

406
00:18:55,985 --> 00:19:00,564
Because sometimes you, sometimes, uh,
the, the, the program has a policy, you

407
00:19:00,564 --> 00:19:04,115
are in the policy, but the application
goes down and you need to turn it off.

408
00:19:04,164 --> 00:19:05,405
Yes, and stop.

409
00:19:05,495 --> 00:19:09,894
You are, you are right because you are
in the policy, but the application is

410
00:19:09,894 --> 00:19:15,104
not, uh, good enough to, to, is not
capable to deal with, with that request.

411
00:19:15,104 --> 00:19:19,384
So I stopped and didn't test, didn't
do fuzzing there anymore because

412
00:19:19,384 --> 00:19:22,884
probably the application will be down
and a lot of problems will happen.

413
00:19:22,934 --> 00:19:23,644
Yeah, yeah.

414
00:19:23,850 --> 00:19:25,590
So this is for fuzzing the paths.

415
00:19:25,679 --> 00:19:28,209
Uh, so then how do you fuzz parameters?

416
00:19:28,210 --> 00:19:31,610
Do you also use a big word list
to fuzz all the parameters?

417
00:19:31,799 --> 00:19:32,059
I

418
00:19:32,059 --> 00:19:34,409
really like to use a tool called GAP.

419
00:19:35,590 --> 00:19:36,939
I don't know if you know this tool.

420
00:19:36,939 --> 00:19:39,360
I really like the dev
of these extensions.

421
00:19:39,889 --> 00:19:42,779
I use waymore from this guy too, to get

422
00:19:43,260 --> 00:19:47,550
more information for recon, and
this extension is really good, the GAP

423
00:19:47,600 --> 00:19:52,379
Burp extension, because with that
extension you can use your Burp history,

424
00:19:53,750 --> 00:19:57,700
for example, all your navigation
history with all the paths, endpoints,

425
00:19:57,750 --> 00:20:03,229
parameters and the responses containing
parameters, containing endpoints.

426
00:20:03,229 --> 00:20:06,620
You can use the extension to get all
these things and generate wordlists.

427
00:20:07,040 --> 00:20:07,550
This is very nice.

428
00:20:07,780 --> 00:20:08,190
Yeah.

429
00:20:08,190 --> 00:20:13,210
So sometimes when I'm spending a
lot of time in some programs, I use

430
00:20:13,210 --> 00:20:17,889
that wordlist to add to my
wordlist and do fuzzing with that.

431
00:20:17,919 --> 00:20:22,549
So yeah, the results in this case,
with this case and this extension

432
00:20:22,569 --> 00:20:23,819
and waymore, are really good.

433
00:20:24,030 --> 00:20:24,189
Yeah.

434
00:20:24,189 --> 00:20:26,820
Can you send this to me so I can put
it in the description for the viewers?

435
00:20:26,820 --> 00:20:27,909
Sure, sure, sure.

436
00:20:28,260 --> 00:20:34,929
Really, let me send this and
another, I really like this waymore.

437
00:20:35,040 --> 00:20:35,419
Yeah, waymore.

438
00:20:35,720 --> 00:20:36,250
Very good as well.

439
00:20:37,540 --> 00:20:39,149
It's really, really good.

440
00:20:39,259 --> 00:20:41,189
I really like the tools from this guy.

441
00:20:41,219 --> 00:20:45,019
I give a lot of, because
this guy has, uh, Coffee.

442
00:20:45,199 --> 00:20:45,540
Yeah.

443
00:20:45,620 --> 00:20:46,019
Yeah.

444
00:20:46,080 --> 00:20:47,530
Uh, oh, yeah.

445
00:20:47,540 --> 00:20:48,549
Buy Me a Coffee.

446
00:20:48,549 --> 00:20:49,660
I do a lot of coffee.

447
00:20:51,190 --> 00:20:56,010
Yeah, I give a lot of coffee to this guy
because the tools are really, really good.

448
00:20:56,269 --> 00:20:57,960
That's very nice, to give back to

449
00:20:57,960 --> 00:20:58,650
the tool creators.

450
00:20:58,660 --> 00:20:59,080
Yeah.

451
00:20:59,425 --> 00:21:00,995
Yeah, it's awesome.

452
00:21:01,084 --> 00:21:01,495
Yeah.

453
00:21:01,815 --> 00:21:08,654
So when you fuzz these parameters,
do you fuzz for all bug classes at once?

454
00:21:08,955 --> 00:21:10,084
Yeah, I really like to

455
00:21:10,084 --> 00:21:11,564
use Burp Bounty Pro.

456
00:21:11,754 --> 00:21:15,004
I don't know if you know, some
people, some people

457
00:21:15,004 --> 00:21:17,674
don't like this Burp Bounty.

458
00:21:17,884 --> 00:21:24,790
I like it because the tests of Burp
Bounty are more... Because, for example,

459
00:21:24,800 --> 00:21:30,730
the Burp Suite Scanner, I have the
feeling it's huge and does a lot of things.

460
00:21:30,970 --> 00:21:35,130
I really like the Burp Bounty because
you can create custom templates

461
00:21:35,669 --> 00:21:38,190
and you can create custom rules.

462
00:21:38,389 --> 00:21:43,320
And the rules there and the templates
there are really nice.

463
00:21:43,330 --> 00:21:44,639
So, I use it a lot.

464
00:21:44,885 --> 00:21:48,455
This template, when I have
the parameters, to find if I

465
00:21:48,455 --> 00:21:50,965
have some SQL injection or XSS.

466
00:21:51,105 --> 00:21:51,555
Yeah.

467
00:21:51,815 --> 00:21:53,345
But I really like to use Burp Bounty Pro.

468
00:21:54,155 --> 00:21:56,154
But sometimes I use the Burp Scanner.

469
00:21:56,385 --> 00:22:00,855
It's not the best option because the
scanner, for me, is really heavy.

470
00:22:00,925 --> 00:22:01,275
Yeah.

471
00:22:01,335 --> 00:22:03,774
So, but sometimes I use them too.

472
00:22:04,045 --> 00:22:04,375
Yeah.

473
00:22:04,375 --> 00:22:07,405
You seem to rely a lot on
Burp and different extensions.

474
00:22:07,885 --> 00:22:08,335
Yeah.

475
00:22:08,335 --> 00:22:10,826
I have a lot of extensions and, yeah.

476
00:22:11,035 --> 00:22:11,335
Yeah.

477
00:22:11,335 --> 00:22:15,775
I really like to automate my process
of hunting, to be, how can I

478
00:22:15,775 --> 00:22:18,735
say, to make my life easier.

479
00:22:18,765 --> 00:22:18,945
Yeah.

480
00:22:18,945 --> 00:22:19,635
To be efficient.

481
00:22:19,665 --> 00:22:20,055
Yeah.

482
00:22:20,055 --> 00:22:20,715
To be, yeah.

483
00:22:20,715 --> 00:22:21,495
To be efficient.

484
00:22:21,495 --> 00:22:27,555
An example with xh: in the past,
when I didn't know Send To, I will

485
00:22:27,585 --> 00:22:29,900
send the link to Send To to you.

486
00:22:29,905 --> 00:22:30,825
To you too.

487
00:22:31,035 --> 00:22:31,125
Oops.

488
00:22:33,245 --> 00:22:34,685
Because, uh, in the past.

489
00:22:34,965 --> 00:22:39,565
I copied the request, saved
a file, ran the command.

490
00:22:39,565 --> 00:22:45,354
So this is really slow,
but with this extension, Send

491
00:22:45,374 --> 00:22:50,314
To, and the command pipe, you
can send it to a Mac terminal and

492
00:22:50,374 --> 00:22:52,485
send to xh, send to sqlmap.

493
00:22:52,485 --> 00:22:56,075
So yeah, for
me, it's really productive.

494
00:22:56,410 --> 00:22:56,610
Yeah.

495
00:22:56,610 --> 00:22:59,500
I use Piper for a similar thing.

496
00:22:59,500 --> 00:23:01,409
So Piper, are
you familiar with it?

497
00:23:01,760 --> 00:23:02,040
Yeah.

498
00:23:02,060 --> 00:23:04,429
I think Piper does the
same as Send To, right?

499
00:23:04,469 --> 00:23:04,810
Okay.

500
00:23:04,969 --> 00:23:05,240
Yeah.

501
00:23:05,550 --> 00:23:05,929
Yeah.

502
00:23:06,279 --> 00:23:07,500
A few options as well.

503
00:23:07,659 --> 00:23:12,585
Oh, it has. Sometimes you can also
have, like, inside Burp, you can, like,

504
00:23:12,595 --> 00:23:17,005
have commentators, which means
for each request that matches particular

505
00:23:17,185 --> 00:23:21,255
criteria, you run some command and
then the output of this command is in

506
00:23:21,265 --> 00:23:23,205
the comment of the request in Burp.

507
00:23:23,944 --> 00:23:25,434
You can also have the message viewer.

508
00:23:25,434 --> 00:23:28,550
So when you have, like, pretty,
raw, I don't know, GraphQL,

509
00:23:28,580 --> 00:23:29,980
hex view in the request.

510
00:23:30,270 --> 00:23:32,010
You can also have some
output of a command.

511
00:23:32,400 --> 00:23:35,300
And you can also just
do what you say, send it.

512
00:23:35,300 --> 00:23:40,470
And it's very efficient, yeah,
when something just automatically

513
00:23:40,470 --> 00:23:41,530
gets run in the background.

514
00:23:41,530 --> 00:23:44,669
It's so nice because you don't
have this time of copy, paste.

515
00:23:44,930 --> 00:23:48,390
Yeah, you do what you need to do and
the things are working automatically.

516
00:23:48,390 --> 00:23:49,740
So, yeah, yeah, it's awesome.

517
00:23:49,820 --> 00:23:51,130
I need to test Piper.

518
00:23:51,130 --> 00:23:52,230
I think I remember today.

519
00:23:55,104 --> 00:23:58,834
I don't know, I don't remember who
it was, but it's very powerful.

520
00:23:58,834 --> 00:23:59,594
It's very open

521
00:23:59,594 --> 00:24:01,225
and you can do so many things with it.

522
00:24:01,564 --> 00:24:01,905
Yeah.

523
00:24:01,905 --> 00:24:05,974
I'm using
Send To because I

524
00:24:06,185 --> 00:24:07,324
remember seeing the extension.

525
00:24:07,324 --> 00:24:08,664
Yo, this is awesome.

526
00:24:08,895 --> 00:24:10,304
I need to use that.

527
00:24:10,304 --> 00:24:11,094
And now it's.

528
00:24:11,269 --> 00:24:13,139
It's normal for me to use that.

529
00:24:13,189 --> 00:24:13,639
Yeah.

530
00:24:14,239 --> 00:24:15,739
What other extensions do you use?

531
00:24:16,009 --> 00:24:17,850
Uh, let me check here.

532
00:24:17,850 --> 00:24:21,759
I have a lot of, this is my work.

533
00:24:21,929 --> 00:24:22,979
I really like this extension.

534
00:24:23,299 --> 00:24:27,819
Wsdler, this extension.

535
00:24:27,849 --> 00:24:28,670
I don't know if you,

536
00:24:29,169 --> 00:24:35,860
Oh, I don't know how to... It's WSDL,
it is some type of format, isn't it?

537
00:24:36,010 --> 00:24:36,280
Yeah.

538
00:24:36,280 --> 00:24:39,790
It looks like an API format.

539
00:24:40,000 --> 00:24:46,120
Yeah, and you can send
the WSDL to the extension

540
00:24:46,120 --> 00:24:49,479
and it will give the request to
you, create the request, and

541
00:24:49,479 --> 00:24:51,040
you can just send it to Burp to test.

542
00:24:51,040 --> 00:24:51,250
Yeah.

543
00:24:51,310 --> 00:24:52,090
Because some.

544
00:24:52,165 --> 00:24:58,735
Some XML APIs are really
hard to create the request for.

545
00:24:58,765 --> 00:25:02,425
It's more difficult than
Swagger, for example.

546
00:25:02,435 --> 00:25:03,755
So I really like this extension.

547
00:25:04,275 --> 00:25:06,264
I really like the Flow extension.

548
00:25:06,475 --> 00:25:10,244
I don't know why, but I really like this
extension because... What does Flow do?

549
00:25:10,245 --> 00:25:11,084
I'm not familiar.

550
00:25:11,085 --> 00:25:15,840
Flow is the same as... Let
me open a new Burp Suite here.

551
00:25:16,210 --> 00:25:22,160
I really like Flow because,
there is Logger++ but I'm

552
00:25:22,160 --> 00:25:27,760
not familiar with Logger++. So I use Flow
to get the requests from an extension.

553
00:25:28,160 --> 00:25:31,479
So, for example, I really
like the extension Reflector.

554
00:25:31,750 --> 00:25:35,410
This extension is really
good to get some XSS.

555
00:25:35,905 --> 00:25:39,305
But sometimes it
is doing a lot of requests.

556
00:25:39,335 --> 00:25:43,095
I don't know what is happening,
and with the Flow extension I can

557
00:25:43,095 --> 00:25:44,555
see the extension's requests.

558
00:25:44,815 --> 00:25:45,865
So I really like it.

559
00:25:45,865 --> 00:25:46,245
Flow.

560
00:25:46,284 --> 00:25:48,014
This is why I like it.

561
00:25:48,015 --> 00:25:48,295
Flow.

562
00:25:48,445 --> 00:25:48,535
Yeah.

563
00:25:48,755 --> 00:25:51,815
So, an example of GAP, as I showed to you.

564
00:25:52,020 --> 00:25:55,620
With all this, it's really good
what we can do there.

565
00:25:55,860 --> 00:25:59,400
Burp Bounty Pro, I have the
license, I paid for the license.

566
00:25:59,420 --> 00:26:03,229
To support Eduardo, I think
Eduardo is a great guy too.

567
00:26:03,790 --> 00:26:05,300
Created this, this is great too.

568
00:26:05,669 --> 00:26:08,399
I really like this extension, Burp

569
00:26:08,470 --> 00:26:09,600
JS Link Finder.

570
00:26:09,950 --> 00:26:12,560
Because when you are... I don't
know if you know this extension.

571
00:26:12,680 --> 00:26:13,110
Uh,

572
00:26:13,120 --> 00:26:14,140
Link Finder, yes.

573
00:26:14,170 --> 00:26:17,960
But yeah, the one in Burp, is
it some kind of wrapper around it?

574
00:26:18,509 --> 00:26:19,310
Uh, uh.

575
00:26:19,500 --> 00:26:20,440
I don't know.

576
00:26:20,440 --> 00:26:23,910
Does it call the LinkFinder CLI
under the hood or is it something you

577
00:26:24,000 --> 00:26:24,660
let me?

578
00:26:24,880 --> 00:26:25,170
Yeah.

579
00:26:25,170 --> 00:26:25,980
JS Link Finder.

580
00:26:26,190 --> 00:26:26,350
Yeah.

581
00:26:26,350 --> 00:26:26,620
Okay.

582
00:26:26,620 --> 00:26:27,019
Okay.

583
00:26:27,020 --> 00:26:27,280
Yeah.

584
00:26:27,310 --> 00:26:32,129
It's really cool because
you are testing the web

585
00:26:32,129 --> 00:26:33,800
page and loading other pages.

586
00:26:33,830 --> 00:26:37,950
And this extension is using
regexes to get some endpoints and

587
00:26:37,980 --> 00:26:40,720
some good stuff from the JS file.

588
00:26:40,730 --> 00:26:42,210
So it's really awesome.

589
00:26:42,210 --> 00:26:43,310
Use the extension.

590
00:26:43,770 --> 00:26:48,070
Um, Send To, Reflector, GAP.

591
00:26:48,070 --> 00:26:48,100
Yeah.

592
00:26:48,600 --> 00:26:52,170
Burp Bounty, Flow, the
Digitalization Scanner, I use a lot.

593
00:26:52,170 --> 00:26:56,930
Logger++, I use because it's
necessary on a HackerOne pentest.

594
00:26:57,240 --> 00:27:02,210
Because you need
to auto-save your pentest, your log.

595
00:27:02,610 --> 00:27:04,600
Because it's important to
have this installed.

596
00:27:04,769 --> 00:27:05,129
Okay.

597
00:27:05,480 --> 00:27:06,460
Because of the testing.

598
00:27:06,880 --> 00:27:08,654
And this guy worked

599
00:27:08,655 --> 00:27:10,245
one or two times with me.

600
00:27:10,275 --> 00:27:12,735
So I have this extension too, to test.

601
00:27:13,425 --> 00:27:15,585
It maybe sometimes works,
maybe sometimes not.

602
00:27:15,825 --> 00:27:22,485
It's curious because my first bug
was with this extension, different.

603
00:27:22,905 --> 00:27:27,285
It was a remote code
execution, but it was fun because

604
00:27:27,315 --> 00:27:31,695
it's a program with a large scope,
and I used this extension on the

605
00:27:31,835 --> 00:27:35,795
main page, because the
main page was a blank page.

606
00:27:36,095 --> 00:27:38,895
When I used this extension,
you see the headers here.

607
00:27:39,785 --> 00:27:41,305
Which extension are we talking about?

608
00:27:41,505 --> 00:27:42,645
Uh, sorry?

609
00:27:42,675 --> 00:27:43,385
Which extension?

610
00:27:43,385 --> 00:27:44,445
403 Bypasser?

611
00:27:44,475 --> 00:27:44,795
Yeah,

612
00:27:44,885 --> 00:27:46,094
403 Bypasser.

613
00:27:46,095 --> 00:27:52,085
So, it worked only one time, but this time
I was so happy I had the extension here.

614
00:27:52,275 --> 00:27:56,605
Because with this specified header, I
was able to access the application.

615
00:27:56,835 --> 00:27:59,535
Before, the
application was only a white

616
00:27:59,635 --> 00:28:00,965
page. With this header,

617
00:28:00,985 --> 00:28:03,525
I was able to access the
application, and all the application

618
00:28:03,525 --> 00:28:05,595
with the CVE for remote code.

619
00:28:05,595 --> 00:28:07,314
Yeah.

620
00:28:07,315 --> 00:28:09,335
So I have the extension too.

621
00:28:10,234 --> 00:28:10,624
Yeah.

622
00:28:10,654 --> 00:28:11,224
That's cool.

623
00:28:11,425 --> 00:28:11,745
Yeah.

624
00:28:11,745 --> 00:28:12,184
It's a lot.

625
00:28:12,245 --> 00:28:16,654
You seem to have, like, your... Some
people, for example, the

626
00:28:16,654 --> 00:28:20,630
last podcast that was
published was with RemyPack.

627
00:28:21,220 --> 00:28:24,170
He seems to have like his center
of hacking in the browser.

628
00:28:24,170 --> 00:28:28,000
He has like JavaScript bookmarklets
and trying to be able to do

629
00:28:28,030 --> 00:28:29,210
everything from the browser.

630
00:28:29,680 --> 00:28:33,360
And you, on the other hand, you have,
like, your Burp, all the extensions too.

631
00:28:33,370 --> 00:28:35,620
So this is like your
center of hacking.

632
00:28:35,820 --> 00:28:36,410
Yeah.

633
00:28:36,450 --> 00:28:36,830
Yeah.

634
00:28:36,970 --> 00:28:41,410
But I really like hacking in
Google Chrome because, for example,

635
00:28:41,410 --> 00:28:46,110
I have this Chrome for my
personal stuff and this Chrome Beta,

636
00:28:46,150 --> 00:28:47,890
Chrome to only use for work.

637
00:28:48,180 --> 00:28:53,539
And there, I really like this
version because I really like

638
00:28:53,549 --> 00:28:57,580
using Chrome to hack because the
dev tools are really good.

639
00:28:57,830 --> 00:29:03,560
I really like these options
because sometimes, when you have some

640
00:29:04,040 --> 00:29:04,940
apps,

641
00:29:04,970 --> 00:29:09,950
you can debug the app using the dev
tools and you can override.

642
00:29:10,110 --> 00:29:15,950
The browser gives this name, overriding,
you can change the JS, and changing there,

643
00:29:16,180 --> 00:29:19,940
you have a different response in
the single page application.

644
00:29:20,199 --> 00:29:22,400
And with that, sometimes you can bypass.

645
00:29:22,600 --> 00:29:27,050
auth in the front end, and access
all the application and understand how

646
00:29:27,050 --> 00:29:29,690
the API is used by the application.

647
00:29:29,690 --> 00:29:31,860
So yeah, I use it a lot.

648
00:29:32,349 --> 00:29:32,689
How

649
00:29:33,670 --> 00:29:34,959
about browser extensions?

650
00:29:34,960 --> 00:29:38,900
Do you also have as many browser
extensions as Burp extensions?

651
00:29:38,900 --> 00:29:40,239
Oh, let me.

652
00:29:40,889 --> 00:29:43,359
So I don't have a lot of browser extensions.

653
00:29:43,529 --> 00:29:45,600
I have this extension because it's good.

654
00:29:46,080 --> 00:29:47,159
What's the name?

655
00:29:47,160 --> 00:29:47,610
gitch.

656
00:29:47,610 --> 00:29:48,560
It's only to find.

657
00:29:48,850 --> 00:29:52,745
When you have, oh, slash .git
slash. Yeah, because sometimes I

658
00:29:52,750 --> 00:29:56,170
just use nuclei a lot because
nuclei probably will show that.

659
00:29:56,230 --> 00:29:56,410
Yeah.

660
00:29:56,530 --> 00:30:00,070
So this is really good, you
can find some good stuff here,

661
00:30:00,070 --> 00:30:03,745
source code and tokens and something,
when you have a look

662
00:30:03,745 --> 00:30:08,880
at .git. I use this
extension for my blind XSS.

663
00:30:08,880 --> 00:30:09,180
Yeah.

664
00:30:09,180 --> 00:30:10,560
This is a really good extension.

665
00:30:10,560 --> 00:30:11,400
I don't know if you know that.

666
00:30:11,400 --> 00:30:11,640
No.

667
00:30:11,700 --> 00:30:12,120
What's the name?

668
00:30:12,120 --> 00:30:13,020
I have all my

669
00:30:13,315 --> 00:30:14,155
blind

670
00:30:14,155 --> 00:30:15,525
XSS payloads here.

671
00:30:15,685 --> 00:30:18,495
I don't know the name,
it's... blind XSS manager.

672
00:30:18,495 --> 00:30:18,815
Okay.

673
00:30:18,985 --> 00:30:19,335
Interesting.

674
00:30:19,395 --> 00:30:19,725
Yeah.

675
00:30:19,745 --> 00:30:23,355
Because I have my blind XSS payloads here.

676
00:30:23,535 --> 00:30:29,245
My domain. It gives you the history with
the page and where I used the payload.

677
00:30:29,275 --> 00:30:30,404
Oh, that's very nice.

678
00:30:30,425 --> 00:30:30,895
Yeah.

679
00:30:30,925 --> 00:30:34,315
It's really good because when you
see the blind XSS, yes, you

680
00:30:34,315 --> 00:30:35,865
don't know where you sent it.

681
00:30:36,745 --> 00:30:40,767
So this extension is really good
to manage my blind XSS.

682
00:30:40,767 --> 00:30:41,059
Yes.

683
00:30:41,890 --> 00:30:44,160
For blind XSS, what do you use as the, I

684
00:30:44,160 --> 00:30:44,460
use,

685
00:30:44,460 --> 00:30:46,479
I

686
00:30:46,480 --> 00:30:48,650
think, let me see.

687
00:30:48,650 --> 00:30:51,239
Is it XSS Hunter?

688
00:30:51,610 --> 00:30:52,240
Yeah.

689
00:30:52,290 --> 00:30:52,619
Yeah.

690
00:30:52,619 --> 00:30:53,639
XSS Hunter.

691
00:30:53,670 --> 00:30:55,350
Let me see, self-hosted.

692
00:30:55,350 --> 00:30:58,279
I only self-hosted this.

693
00:30:58,279 --> 00:31:04,240
Let me see if it's, yeah, this guy,
the deprecated one, but I use this guy.

694
00:31:04,680 --> 00:31:05,430
It's really good.

695
00:31:05,460 --> 00:31:06,570
I didn't have any problem.

696
00:31:06,720 --> 00:31:12,990
The only problem I have with this guy was
sometimes the webpage is so huge,

697
00:31:13,250 --> 00:31:20,290
so huge, and when the request is
trying to upload the screenshot

698
00:31:20,290 --> 00:31:22,210
to the server, we have this problem.

699
00:31:22,210 --> 00:31:26,440
So I need to change the Node.js
limit size for the file.

700
00:31:26,440 --> 00:31:26,770
Yeah.

701
00:31:27,195 --> 00:31:33,695
Yeah, maybe I lost in
the past some blind XSS for that.

702
00:31:33,705 --> 00:31:34,365
I don't know.

703
00:31:34,705 --> 00:31:35,854
I don't remember if

704
00:31:36,145 --> 00:31:40,935
So Truffle Security took
over, bought this extension.

705
00:31:40,935 --> 00:31:44,905
So now, I think they maintain
it now because I think the original

706
00:31:44,925 --> 00:31:47,325
maintainer sort of stopped supporting it.

707
00:31:47,505 --> 00:31:49,205
Oh, okay.

708
00:31:49,365 --> 00:31:50,665
So this is the, the new extension.

709
00:31:51,395 --> 00:31:56,835
Yeah, yeah, but still, the
version that's hosted by

710
00:31:56,845 --> 00:31:58,055
them is a little bit limited.

711
00:31:58,425 --> 00:31:58,825
Okay.

712
00:31:58,835 --> 00:32:01,705
So if you want to have full
functionality, you have to self host it.

713
00:32:02,085 --> 00:32:02,475
Okay.

714
00:32:02,635 --> 00:32:04,024
Maybe I use this Express.

715
00:32:04,024 --> 00:32:04,695
I don't know.

716
00:32:05,484 --> 00:32:05,804
Yeah.

717
00:32:05,805 --> 00:32:06,545
I use that.

718
00:32:06,745 --> 00:32:08,174
I use that because I remember.

719
00:32:08,174 --> 00:32:08,514
I think it's

720
00:32:08,514 --> 00:32:08,934
the same.

721
00:32:09,024 --> 00:32:09,404
Yeah.

722
00:32:09,405 --> 00:32:12,015
I remember because there
is this Docker config.

723
00:32:12,015 --> 00:32:12,075
Yeah.

724
00:32:12,075 --> 00:32:13,785
I remember to...

725
00:32:13,785 --> 00:32:13,907
Okay.

726
00:32:13,907 --> 00:32:14,029
Yeah.

727
00:32:14,190 --> 00:32:18,880
I remember changing here,
because I changed from

728
00:32:18,970 --> 00:32:21,650
email to Discord notification.

729
00:32:21,840 --> 00:32:24,320
There is a pull request here.

730
00:32:24,670 --> 00:32:27,870
It changes here, this
Discord and Slack integration.

731
00:32:27,880 --> 00:32:28,180
Yeah.

732
00:32:28,230 --> 00:32:30,609
So this guy did all the work for me.

733
00:32:30,610 --> 00:32:32,870
So yeah, thank you.

734
00:32:33,110 --> 00:32:33,970
Adam G yesterday.

735
00:32:35,270 --> 00:32:36,260
Yeah, very nice.

736
00:32:36,500 --> 00:32:36,950
Yeah.

737
00:32:37,300 --> 00:32:37,530
Yeah.

738
00:32:37,530 --> 00:32:40,220
You're amazing in terms
of how many tools you use.

739
00:32:40,500 --> 00:32:43,520
Especially that now
I'm in the moment where I

740
00:32:43,520 --> 00:32:45,099
always feel I don't fuzz enough.

741
00:32:45,099 --> 00:32:46,460
I don't use enough tools.

742
00:32:46,460 --> 00:32:47,520
I mostly hack manually.

743
00:32:48,040 --> 00:32:49,599
And I only sort of fuzz something

744
00:32:49,599 --> 00:32:51,689
if I have a really big
suspicion something is there.

745
00:32:52,025 --> 00:32:55,335
And I think it's my big problem that
I don't, like, blindly fuzz so much.

746
00:32:55,335 --> 00:32:56,945
I don't brute force paths so much.

747
00:32:57,415 --> 00:33:00,964
So it's really nice for me to
speak with you, to see, like,

748
00:33:00,965 --> 00:33:04,954
how many you can actually use,
that you can have a brute force that's

749
00:33:04,955 --> 00:33:06,685
running for a few days in the background.

750
00:33:06,705 --> 00:33:10,884
Yeah, because you turn it
on, and for using low, because

751
00:33:11,134 --> 00:33:13,215
the use of memory of ffuf,

752
00:33:13,315 --> 00:33:15,005
it's increasing

753
00:33:15,115 --> 00:33:20,615
when you have huge wordlists
and use the option -e,

754
00:33:21,115 --> 00:33:22,195
because you have more extensions.

755
00:33:22,235 --> 00:33:26,765
And I think, probably
ffuf adds to the memory

756
00:33:26,814 --> 00:33:28,505
your wordlist with your extensions.

757
00:33:28,925 --> 00:33:31,234
So this is the real, it's in your memory.

758
00:33:31,535 --> 00:33:36,924
So I try to
use not a lot of... Yeah.

759
00:33:36,925 --> 00:33:43,075
And you can test that: when
you have a lot of instances running,

760
00:33:43,335 --> 00:33:46,114
you don't use a lot of memory.

761
00:33:46,515 --> 00:33:48,815
So yeah, it's a really good tool.

762
00:33:49,320 --> 00:33:53,610
Yeah, do you run it from
your local computer or from the cloud?

763
00:33:54,720 --> 00:34:01,479
In the past I had a Raspberry Pi and I
used that for that, but today now,

764
00:34:01,479 --> 00:34:10,258
because in the past I had my home IP
address blocked on Akamai, I think.

765
00:34:10,258 --> 00:34:11,265
For example,

766
00:34:11,265 --> 00:34:12,760
yeah, I was...

767
00:34:12,780 --> 00:34:16,630
I wasn't able to open TikTok.

768
00:34:16,859 --> 00:34:22,020
Because TikTok uses Akamai and I was able
to see TikTok on some other web page.

769
00:34:22,020 --> 00:34:24,880
I need to call the provider
to change my IP address.

770
00:34:25,310 --> 00:34:27,320
So, yeah.

771
00:34:27,645 --> 00:34:31,035
So now I really like these guys.

772
00:34:31,715 --> 00:34:36,625
I always recommend it to
all because they have

773
00:34:36,655 --> 00:34:39,304
dedicated servers with a cheap price.

774
00:34:39,394 --> 00:34:39,514
Yeah.

775
00:34:39,515 --> 00:34:40,635
Can you send me the link as well?

776
00:34:40,695 --> 00:34:41,015
Yeah.

777
00:34:41,015 --> 00:34:41,365
Yeah.

778
00:34:41,425 --> 00:34:43,764
So, I really like these guys.

779
00:34:44,215 --> 00:34:46,874
Um, let me send it to you.

780
00:34:46,904 --> 00:34:51,689
It's not only Amsterdam,
it's not only Amsterdam servers.

781
00:34:51,690 --> 00:34:53,640
But other servers are good.

782
00:34:53,970 --> 00:34:56,700
So, for example, I
have my server running.

783
00:34:56,700 --> 00:35:03,500
My server has, I
think, 64 of memory.

784
00:35:03,500 --> 00:35:07,570
It's really cheap for the
price and the config I have.

785
00:35:07,570 --> 00:35:09,040
So I have a lot of memory.

786
00:35:09,340 --> 00:35:09,820
Memory.

787
00:35:09,820 --> 00:35:14,350
And for a cheap price, maybe
$20, $30, yes, for that.

788
00:35:14,470 --> 00:35:18,190
Good, nice, and unlimited
traffic, and

789
00:35:18,190 --> 00:35:19,870
one gigabyte connection.

790
00:35:19,870 --> 00:35:20,230
So, yeah.

791
00:35:20,515 --> 00:35:20,775
Yeah,

792
00:35:20,815 --> 00:35:21,435
it's really good.

793
00:35:21,665 --> 00:35:22,475
So I really like it.

794
00:35:22,505 --> 00:35:25,935
These guys are really
cheap with good servers.

795
00:35:25,985 --> 00:35:26,285
Yeah.

796
00:35:26,285 --> 00:35:27,554
Yeah.

797
00:35:27,555 --> 00:35:27,785
Okay.

798
00:35:27,785 --> 00:35:31,085
So you have your, you have your
automation, you have your tools.

799
00:35:31,215 --> 00:35:33,755
So what bugs do you find most commonly?

800
00:35:34,505 --> 00:35:35,215
Probably,

801
00:35:35,424 --> 00:35:39,655
I find a lot of bugs, but
probably a lot of improper

802
00:35:39,705 --> 00:35:41,815
access control bugs.

803
00:35:41,815 --> 00:35:47,334
Yes, when I have the opportunity, because
when you have access to scope with

804
00:35:47,685 --> 00:35:51,125
legacy scope and scope without WAF.

805
00:35:51,554 --> 00:35:55,404
Yeah, probably SQL injection has...

806
00:35:55,624 --> 00:35:58,115
I remember seeing a lot
of SQL injection.

807
00:35:58,625 --> 00:35:59,935
Yeah, still today.

808
00:36:00,125 --> 00:36:01,125
Yes, still today.

809
00:36:01,125 --> 00:36:01,534
A lot of SQL injection.

810
00:36:01,595 --> 00:36:03,315
SQL injection on HackerOne.

811
00:36:03,705 --> 00:36:08,455
So a lot of problems with,
with WAF too, I was able

812
00:36:08,455 --> 00:36:11,265
to bypass some WAFs in some cases.

813
00:36:11,265 --> 00:36:15,375
I remember seeing one case, it
was really strange because

814
00:36:15,384 --> 00:36:17,964
these guys used a different

815
00:36:18,030 --> 00:36:18,900
type of database.

816
00:36:18,900 --> 00:36:26,950
It's not on sqlmap, and this
database, it's used, it's IBM mainframe.

817
00:36:27,230 --> 00:36:30,230
So what's, yeah,
what's really insane,

818
00:36:30,230 --> 00:36:30,510
Yeah.

819
00:36:30,510 --> 00:36:33,969
what's really insane is sqlmap
was not working there.

820
00:36:34,349 --> 00:36:40,810
I needed to write a custom Python script
to make the blind questions.

821
00:36:41,010 --> 00:36:44,950
And with these blind
questions to the database, I was

822
00:36:44,950 --> 00:36:46,860
able to get the database name.

823
00:36:46,870 --> 00:36:47,230
Okay.

824
00:36:47,250 --> 00:36:47,520
Nice.

825
00:36:47,530 --> 00:36:48,100
So, yeah.

826
00:36:48,645 --> 00:36:49,695
It's awesome.

827
00:36:50,005 --> 00:36:57,445
You need to, probably, spend
time, is the thing with bug bounty.

828
00:36:57,445 --> 00:37:01,645
You need to spend a lot of time
and be patient with the fuzzing,

829
00:37:01,685 --> 00:37:05,745
for example, because the fuzzing is
running days, a few days, because you

830
00:37:05,915 --> 00:37:10,745
can't turn off the rate
limits, but probably this will

831
00:37:10,875 --> 00:37:14,685
generate problems with the customers
and probably the server will be down.

832
00:37:14,865 --> 00:37:17,525
So slow fuzzing, fuzzing with a low

833
00:37:17,795 --> 00:37:23,075
rate of requests, fuzzing a lot of different
hosts, and be patient and

834
00:37:23,085 --> 00:37:26,924
have, uh, constancy.

835
00:37:26,925 --> 00:37:27,384
Is that right?

836
00:37:27,545 --> 00:37:27,665
Yeah.

837
00:37:27,665 --> 00:37:28,175
Consistency.

838
00:37:28,205 --> 00:37:28,795
Consistency.

839
00:37:28,955 --> 00:37:33,364
So have consistency: every day when you
have free time, do it, and probably

840
00:37:33,655 --> 00:37:36,215
you will get good results.

841
00:37:36,224 --> 00:37:36,244
Yeah.

842
00:37:36,485 --> 00:37:39,805
How do you... Because you said
broken access control, which

843
00:37:40,140 --> 00:37:44,590
I think of access control as the bug
which is quite hard to, like, fuzz.

844
00:37:44,590 --> 00:37:48,160
It is more, at least in my
head, like a manual testing.

845
00:37:48,350 --> 00:37:49,410
So how do you... Do you?

846
00:37:49,730 --> 00:37:50,020
I

847
00:37:50,020 --> 00:37:51,730
really like to use Autorize.

848
00:37:51,740 --> 00:37:52,030
Okay.

849
00:37:52,070 --> 00:37:54,429
When, because I'm doing fuzzing.

850
00:37:54,730 --> 00:37:58,110
And you said about fuzzing
and broken access control, right?

851
00:37:58,110 --> 00:37:58,669
Yeah.

852
00:37:58,740 --> 00:38:04,030
I do fuzzing to get more paths
and more applications, and when

853
00:38:04,060 --> 00:38:07,599
I get access to more applications
because the application is probably

854
00:38:07,599 --> 00:38:12,099
not visible to all the other people,
you have access to older login

855
00:38:12,099 --> 00:38:14,800
systems and older systems, and there,

856
00:38:14,960 --> 00:38:18,220
in this application, you are able
to find a lot of improper access control.

857
00:38:18,390 --> 00:38:20,250
Yes, basically just manually for them.

858
00:38:20,390 --> 00:38:21,120
Yeah, yeah.

859
00:38:21,120 --> 00:38:25,990
Because an example you have, you have
this domain, the path and in the path,

860
00:38:26,329 --> 00:38:30,139
this strange path, you have access,
you have a system with the login.

861
00:38:30,310 --> 00:38:32,310
But if you fuzz it again, you have

862
00:38:32,485 --> 00:38:37,695
access to other paths of the
application, uh, other paths.

863
00:38:37,735 --> 00:38:39,905
And you can find a lot of
broken access control there.

864
00:38:39,905 --> 00:38:41,885
XSS, SQL injections.

865
00:38:42,345 --> 00:38:44,734
So yeah, you need to spend
time for doing fuzzing.

866
00:38:44,995 --> 00:38:48,144
So how, how would you
describe your normal day?

867
00:38:48,145 --> 00:38:51,505
How much time do you spend running
tools versus manual hacking?

868
00:38:52,085 --> 00:38:55,295
Uh, because running tools is so fast.

869
00:38:55,335 --> 00:38:55,865
I only.

870
00:38:56,155 --> 00:39:01,065
I only see the endpoint, get, get,
uh, the URL or send it to you or get

871
00:39:01,065 --> 00:39:06,455
the endpoint sent, create the command
and, uh, use the command on cloud and

872
00:39:06,465 --> 00:39:09,134
wait and spend time testing the app.

873
00:39:09,345 --> 00:39:12,875
Because I was testing
what I can see on the app.

874
00:39:13,174 --> 00:39:18,155
An example, I was testing the app and I
saw a lot of functions, a lot of, uh, a

875
00:39:18,155 --> 00:39:20,105
lot of possibilities in this application.

876
00:39:20,135 --> 00:39:20,815
I will test everything.

877
00:39:20,980 --> 00:39:25,120
Every single part of the application,
every piece of this application

878
00:39:25,120 --> 00:39:29,240
to understand how this works and
what, what I can see, and the fuzzing,

879
00:39:29,240 --> 00:39:34,009
it's running too, it's running and I
was looking in the fuzzing and maybe

880
00:39:34,009 --> 00:39:35,890
there is something, something interesting here.

881
00:39:36,080 --> 00:39:39,949
I do fuzzing in API too, because
sometimes you are capable to get

882
00:39:39,950 --> 00:39:45,100
Swaggers and other important things.
If you fuzz and get a Swagger,

883
00:39:45,370 --> 00:39:49,090
Swagger, you can't stop because
you have all the API endpoints.

884
00:39:49,500 --> 00:39:51,760
So, yeah, I do a lot of fuzzing.

885
00:39:51,860 --> 00:39:56,240
Yeah, so Justin, how do you
send requests directly from

886
00:39:56,240 --> 00:39:57,660
Burp to your cloud instance?

887
00:39:57,720 --> 00:40:02,760
Yeah, in this case I need to work
on a way to, I was thinking to

888
00:40:02,760 --> 00:40:07,200
create a Python script to send
the request directly to my cloud.

889
00:40:07,620 --> 00:40:12,999
But today I copy the URL, an
example, generate a fuzz command

890
00:40:13,020 --> 00:40:15,079
and, and, and put in my cloud.

891
00:40:15,080 --> 00:40:18,499
I use screen too, I don't know
if you know the screen software.

892
00:40:18,609 --> 00:40:26,080
No, it's a software on, on Linux and you
can, uh, there is a lot of servers here.

893
00:40:30,660 --> 00:40:32,870
So I use this screen a lot.

894
00:40:32,950 --> 00:40:33,320
Let me

895
00:40:33,320 --> 00:40:33,560
see.

896
00:40:33,560 --> 00:40:36,310
Is it like backgrounding
terminal or something like this?

897
00:40:36,560 --> 00:40:37,459
Uh, sorry?

898
00:40:38,170 --> 00:40:41,340
Putting one terminal in the background
and the other in the foreground?

899
00:40:41,549 --> 00:40:41,959
Yeah.

900
00:40:42,169 --> 00:40:43,966
Oh, there's a lot of fuzzing right here.

901
00:40:43,966 --> 00:40:44,500
Yeah, I see.

902
00:40:44,509 --> 00:40:48,460
Yeah, so with the screen, I was
capable to enable a new screen.

903
00:40:48,480 --> 00:40:50,030
And here I fuzz.

904
00:40:50,220 --> 00:40:54,095
After that, I press this
and a new screen is running.

905
00:40:54,405 --> 00:40:55,075
So I do that.

906
00:40:55,295 --> 00:41:01,165
It's manual work, but I was, I was
working to automate that with Python too.

907
00:41:01,255 --> 00:41:01,745
Yeah, yeah.

908
00:41:01,845 --> 00:41:03,215
Okay, that's cool.

909
00:41:04,614 --> 00:41:05,384
Yeah, that's nice.

910
00:41:05,885 --> 00:41:07,175
So much, so much things I would

911
00:41:07,175 --> 00:41:07,725
like to do.

912
00:41:07,864 --> 00:41:09,014
Yeah, I really like it.

913
00:41:09,184 --> 00:41:10,644
There is, there is other.

914
00:41:11,050 --> 00:41:12,740
Uh, tools like nohup.

915
00:41:12,890 --> 00:41:15,190
I think, uh, nohup.

916
00:41:15,190 --> 00:41:16,870
That's what I usually use, nohup.

917
00:41:16,910 --> 00:41:21,029
I didn't like nohup because it's
running in the background and

918
00:41:21,029 --> 00:41:23,100
you can see the screen running.

919
00:41:23,100 --> 00:41:24,826
I think, Oh, I don't know how to

920
00:41:24,826 --> 00:41:26,199
put it to a file.

921
00:41:26,570 --> 00:41:28,810
So you have to, like, tail -f the

922
00:41:29,539 --> 00:41:29,909
file.

923
00:41:29,959 --> 00:41:30,630
Yeah, yeah, yeah.

924
00:41:31,090 --> 00:41:32,960
But that's, that's what I
use when I use something.

925
00:41:33,600 --> 00:41:37,930
So maybe screen works well for
me because, an example, nohup, it's

926
00:41:37,940 --> 00:41:44,200
running and you can stop, you only
stop nohup if you use ps and kill the

927
00:41:44,260 --> 00:41:49,450
task, but in screen you can access the
screen and see if it's running, I can

928
00:41:49,450 --> 00:41:51,180
press enter and see if it is paused.

929
00:41:51,180 --> 00:41:51,890
Yeah, that's nice.

930
00:41:51,890 --> 00:41:52,950
I should probably switch.

931
00:41:53,030 --> 00:41:53,470
Yeah.

932
00:41:53,470 --> 00:41:53,799
So.

933
00:41:53,980 --> 00:41:56,300
So it's a more advanced version, basically.

934
00:41:56,350 --> 00:41:56,830
Yeah.

935
00:41:56,890 --> 00:41:57,370
Yeah.

936
00:41:57,420 --> 00:42:01,240
So I really like to use screen to
generate all my terminals on the server.

937
00:42:01,240 --> 00:42:01,729
Yeah.

938
00:42:01,730 --> 00:42:02,070
Yeah.

939
00:42:02,870 --> 00:42:05,760
How about, um, 'cause XSS, it's

940
00:42:06,360 --> 00:42:10,500
also that much problematic that it's,
I think, harder to detect with a tool

941
00:42:11,050 --> 00:42:17,180
because yeah, you can just look at the
response, but the only like proper,

942
00:42:17,220 --> 00:42:20,749
proper way to detect something is to
have like a tool with a headless Chrome.

943
00:42:21,040 --> 00:42:21,920
And this is heavy.

944
00:42:22,300 --> 00:42:26,080
So do you use headless Chrome or
do you just use some kind of...

945
00:42:26,180 --> 00:42:28,260
DOM XSS you are talking about, right?

946
00:42:28,280 --> 00:42:29,000
For XSS.

947
00:42:29,060 --> 00:42:29,330
Yeah.

948
00:42:29,330 --> 00:42:29,389
Yeah.

949
00:42:29,390 --> 00:42:30,170
For XSS.

950
00:42:30,200 --> 00:42:31,610
I really like this guy.

951
00:42:31,610 --> 00:42:31,640
Okay.

952
00:42:32,005 --> 00:42:34,305
But always, so, Reflector extension.

953
00:42:34,585 --> 00:42:35,745
Reflector is really good.

954
00:42:35,745 --> 00:42:42,435
But always I'm looking at Flow, because Flow
has this, this thing here, reflecting.

955
00:42:42,535 --> 00:42:42,775
Yeah.

956
00:42:42,845 --> 00:42:46,365
And this you can see the parameters
are reflected in the page.

957
00:42:46,605 --> 00:42:49,424
So with that, um, probably
there's some good things here.

958
00:42:49,614 --> 00:42:54,235
But every time Reflector, it's working
in the scope and sends requests and I'm

959
00:42:54,245 --> 00:42:56,595
looking that and look at the issues.

960
00:42:56,890 --> 00:43:01,360
It, uh, the issues have the vector
created. And for doing XSS,

961
00:43:01,400 --> 00:43:06,069
I really look, I really like
to use, uh, the Burp browser.

962
00:43:06,070 --> 00:43:12,280
I, I really, I didn't use Burp
browser a lot because sometimes it's

963
00:43:12,289 --> 00:43:17,280
browsing, these browsers are somewhat
problematic, I think, but I really like DOM Invader.

964
00:43:18,060 --> 00:43:22,030
So it's really, really awesome
to do XSS because I, I grabbed

965
00:43:22,040 --> 00:43:24,380
this canary, the canary, canary.

966
00:43:25,195 --> 00:43:27,785
Yeah, put it in the URL
and look at DOM Invader.

967
00:43:27,865 --> 00:43:32,295
If DOM Invader gives an alert, oh,
probably there is a DOM XSS here, but

968
00:43:32,345 --> 00:43:38,345
I really like to look at the JS and look
if I have some possibilities in, in the

969
00:43:38,354 --> 00:43:41,644
JS to, to get, to get some DOM XSS.

970
00:43:41,684 --> 00:43:41,964
Yeah.

971
00:43:42,365 --> 00:43:42,655
Yeah.

972
00:43:42,655 --> 00:43:44,115
So I use Reflector.

973
00:43:44,155 --> 00:43:49,695
I do a lot of parameter fuzzing, use
the Send to, or I have these

974
00:43:49,705 --> 00:43:52,855
extensions and Send to, Send to.

975
00:43:52,875 --> 00:43:54,455
I select my, my.

976
00:43:54,835 --> 00:43:59,245
My programs here, XO,
XH, sqlmap, SeriousForce.

977
00:43:59,855 --> 00:44:00,045
So,

978
00:44:00,045 --> 00:44:00,325
yeah.

979
00:44:01,035 --> 00:44:05,655
I also saw you have a repository on
GitHub with TamperMonkey scripts.

980
00:44:06,104 --> 00:44:08,225
Do you still use it a lot these days?

981
00:44:08,295 --> 00:44:10,964
That repo wasn't so too
fresh, I have to say.

982
00:44:10,965 --> 00:44:14,595
So, yeah, I really like to use
TamperMonkey in the past, but

983
00:44:14,595 --> 00:44:18,695
it's because I didn't know about,
I didn't know about the Dev

984
00:44:18,705 --> 00:44:20,364
Tools and how this works on Chrome.

985
00:44:20,365 --> 00:44:22,175
So now you just use overrides in DevTools.

986
00:44:22,245 --> 00:44:23,805
I didn't use a lot.

987
00:44:23,975 --> 00:44:28,115
Today, but yes, the, the, the
scripts are really, the Tampermonkey

988
00:44:28,115 --> 00:44:31,005
scripts are good because you
can change the app at runtime.

989
00:44:31,805 --> 00:44:34,805
And with that, maybe you can access
other pages of the application.

990
00:44:34,805 --> 00:44:35,624
So I really like that.

991
00:44:36,305 --> 00:44:40,695
But now using the DevTools
in Chrome, it's more, it's better.

992
00:44:40,785 --> 00:44:40,915
Yeah.

993
00:44:40,915 --> 00:44:43,644
Uh,

994
00:44:43,645 --> 00:44:50,565
so a lot, another thing I really like
to do, it's, uh, because, uh, when

995
00:44:50,565 --> 00:44:57,275
I was, when I, uh, when, uh, when,
uh, when I, I started doing, doing

996
00:44:57,285 --> 00:45:02,625
hacking and, and some things, I really
like to see how these PHP apps, uh,

997
00:45:02,635 --> 00:45:05,424
work and, and how the PHP apps work.

998
00:45:05,675 --> 00:45:09,434
And it's really fun when, an example,
when I have a local file inclusion

999
00:45:09,435 --> 00:45:13,955
with PHP apps, because with that,
you can find the source code of the

1000
00:45:14,035 --> 00:45:17,600
app and you can look, oh, probably
here there is a way to get remote

1001
00:45:17,600 --> 00:45:20,320
code execution or upload a php file.

1002
00:45:20,630 --> 00:45:23,430
Or deserialization on PHP.

1003
00:45:24,120 --> 00:45:27,110
So it's, it's really, I
really like code review.

1004
00:45:28,040 --> 00:45:33,050
But what I do sometimes in some
scope, some scopes, is, an example,

1005
00:45:33,050 --> 00:45:33,470
I have

1006
00:45:33,545 --> 00:45:38,465
this program with a large scope,
I find some apps of this program.

1007
00:45:38,655 --> 00:45:45,095
I search the, these paths of these
apps using urlscan, because there

1008
00:45:45,105 --> 00:45:49,745
you can search only for the paths,
and you can find

1009
00:45:49,774 --> 00:45:51,625
other applications with the same path.

1010
00:45:51,635 --> 00:45:51,935
So.

1011
00:45:52,135 --> 00:45:52,415
Pro.

1012
00:45:52,635 --> 00:45:57,205
Probably this application is, uh, it's,
uh, it's not, it's hosted by this client,

1013
00:45:57,415 --> 00:45:59,275
but the code is not for these clients.

1014
00:45:59,505 --> 00:46:03,364
And sometimes you are capable to
get the source code on the internet

1015
00:46:03,615 --> 00:46:06,644
and you are capable to review
the source code, the source code.

1016
00:46:06,665 --> 00:46:09,125
So it's, I really do that a lot.

1017
00:46:09,134 --> 00:46:10,195
And it's really good.

1018
00:46:10,374 --> 00:46:10,644
Yeah,

1019
00:46:11,365 --> 00:46:11,984
yeah, it's nice.

1020
00:46:12,550 --> 00:46:15,910
I don't know if it was you the other day
here telling me about it or somebody

1021
00:46:15,910 --> 00:46:17,890
else, but yeah, I didn't use it.

1022
00:46:17,890 --> 00:46:19,615
And it's the second time
somebody mentions it here.

1023
00:46:20,285 --> 00:46:20,575
Yeah.

1024
00:46:20,595 --> 00:46:21,055
Uh uh.

1025
00:46:21,215 --> 00:46:24,015
I really like, I really like to
do that, because sometimes you,

1026
00:46:24,490 --> 00:46:28,180
you are finding zero days, but
not in the really popular software.

1027
00:46:28,270 --> 00:46:30,040
You are looking in that software.

1028
00:46:30,040 --> 00:46:31,615
It's used by some company.

1029
00:46:31,615 --> 00:46:31,960
Yeah.

1030
00:46:32,050 --> 00:46:32,200
Yeah.

1031
00:46:32,200 --> 00:46:32,830
That's nice.

1032
00:46:32,860 --> 00:46:33,220
Yeah.

1033
00:46:34,140 --> 00:46:34,380
Okay.

1034
00:46:34,380 --> 00:46:36,540
We'll now talk a little bit about LHEs.

1035
00:46:36,540 --> 00:46:37,020
Okay.

1036
00:46:37,800 --> 00:46:40,050
Did you attend, you said, you
said you attended four LHEs in the

1037
00:46:40,050 --> 00:46:42,180
past, I think five, five times.

1038
00:46:42,180 --> 00:46:47,420
Yeah, I remember LHEs from
Amazon, AWS, PayPal, Zoom.

1039
00:46:47,980 --> 00:46:53,050
So I think probably the live hacking
events, the live hacking events are

1040
00:46:53,050 --> 00:46:57,750
really hard because you have a
lot of good hackers together.

1041
00:46:58,190 --> 00:47:00,050
Uh, testing the same scope.

1042
00:47:00,100 --> 00:47:06,840
So there is a lot of dupes, but for me,
probably live hacking events are best because

1043
00:47:06,840 --> 00:47:13,849
I have some friends together with me, so
I have F6X, Amstrad, I see Amstrad, but.

1044
00:47:14,020 --> 00:47:21,870
A M S D A, so Manuel, T, Herrera,
Caio, uh, so Amir, so these guys

1045
00:47:21,870 --> 00:47:25,889
together with me, we work
together, we can do a lot of things.

1046
00:47:26,040 --> 00:47:29,920
I, I, that, that report, uh,
with the remote code execution,

1047
00:47:29,930 --> 00:47:31,700
that scenario, it was together.

1048
00:47:31,889 --> 00:47:33,820
A lot of guys working
together to get that.

1049
00:47:33,860 --> 00:47:34,090
So

1050
00:47:34,090 --> 00:47:36,490
do you work as one big
group with so many people?

1051
00:47:36,570 --> 00:47:36,950
Yeah.

1052
00:47:36,950 --> 00:47:37,949
When, when, uh.

1053
00:47:38,160 --> 00:47:42,760
When, uh, the Brazilians guys are,
the Brazilians guys are together,

1054
00:47:42,790 --> 00:47:46,150
we work together, and we all
agree to share the bounty.

1055
00:47:46,490 --> 00:47:46,849
So, yeah.

1056
00:47:47,209 --> 00:47:50,190
So it's, it's reported like a six-way split.

1057
00:47:50,539 --> 00:47:53,029
Yeah, sometimes six, five, five-way splits.

1058
00:47:53,260 --> 00:47:58,575
So, yeah, I'm okay because, uh, in
the most part of the cases, we are, we

1059
00:47:58,615 --> 00:48:01,355
earn a lot of money and we stay okay.

1060
00:48:01,355 --> 00:48:06,315
I remember an example for me, an
example for me, $20,000 is a lot of

1061
00:48:06,315 --> 00:48:11,094
money, but together, uh, together,
I remember all the guys made, uh, a

1062
00:48:11,094 --> 00:48:13,635
hundred, a hundred thousand dollars.

1063
00:48:13,895 --> 00:48:16,265
So five guys made a hundred
thousand dollars in the event.

1064
00:48:16,265 --> 00:48:16,764
So.

1065
00:48:16,945 --> 00:48:21,605
Yeah, it's, it's, for me, it's good,
probably because, probably if I stay alone,

1066
00:48:21,835 --> 00:48:24,685
I would not perform like that.

1067
00:48:24,715 --> 00:48:29,485
So for me, working together in live
hacking events, it's really important.

1068
00:48:29,925 --> 00:48:34,205
I think you're the biggest team because
I think there were some teams in

1069
00:48:34,205 --> 00:48:39,235
the past, but these days I feel like
most people were, if there are teams,

1070
00:48:39,235 --> 00:48:40,855
there are teams of two, maybe three.

1071
00:48:41,245 --> 00:48:45,375
I'm not aware of any other group
that, like, sticks with so many people.

1072
00:48:45,375 --> 00:48:45,405
Yeah.

1073
00:48:45,405 --> 00:48:45,434
Cool.

1074
00:48:45,785 --> 00:48:52,384
Yeah, so this case was five, last
year was three, me, F6X, and Amzda,

1075
00:48:52,385 --> 00:48:55,715
because only, only we were invited.

1076
00:48:56,114 --> 00:49:01,205
So yeah, when, when, when the, all
the guys are invited, we do it together.

1077
00:49:01,225 --> 00:49:02,834
When not, it's okay.

1078
00:49:02,835 --> 00:49:04,645
We do with the guys we have.

1079
00:49:05,645 --> 00:49:10,135
Um, probably the Brazilian guys
like to work together, and I really like

1080
00:49:10,135 --> 00:49:16,304
it because they are really skilled
guys, because they are guys with

1081
00:49:16,304 --> 00:49:20,595
really good skills and probably we
complement, we complement each other.

1082
00:49:20,725 --> 00:49:22,564
So yeah, that's a nice strategy.

1083
00:49:22,784 --> 00:49:23,224
Yeah.

1084
00:49:23,235 --> 00:49:23,734
Did you ever

1085
00:49:23,735 --> 00:49:24,565
have problems

1086
00:49:24,705 --> 00:49:26,045
with managing such a big team?

1087
00:49:26,455 --> 00:49:26,695
No.

1088
00:49:27,300 --> 00:49:30,780
I don't remember having
problems, only, only good bautis.

1089
00:49:30,780 --> 00:49:35,850
So the guys are really,
are really nice to do.

1090
00:49:36,659 --> 00:49:40,189
A lot of, they, they are
really friend, friendly.

1091
00:49:40,609 --> 00:49:40,960
Do you

1092
00:49:40,960 --> 00:49:45,029
change your hacking methodology a little
bit when working in the team or is it

1093
00:49:45,059 --> 00:49:46,860
exactly the same as when working alone?

1094
00:49:47,250 --> 00:49:52,390
So when we are, we are working
in the team, probably I do a lot

1095
00:49:52,390 --> 00:49:56,080
of fuzzing and recon and get all.

1096
00:49:56,450 --> 00:50:00,120
Uh, good information about the scope and
send it to the team so we work together.

1097
00:50:00,120 --> 00:50:03,920
So, uh, I really like working
at getting some good information.

1098
00:50:03,920 --> 00:50:05,930
Good, good information about the scope.

1099
00:50:06,150 --> 00:50:09,499
Uh, an example, find some
legacy application on some,

1100
00:50:09,589 --> 00:50:11,419
some good applications to test.

1101
00:50:11,419 --> 00:50:14,359
An example, probably this
application I find here is good.

1102
00:50:14,600 --> 00:50:17,830
Maybe you can spend time here
of fuzzing here and that's here.

1103
00:50:18,140 --> 00:50:19,540
So, yeah, I remember to.

1104
00:50:19,760 --> 00:50:23,330
I remember doing that with some
guys in the past and we found a

1105
00:50:23,330 --> 00:50:26,300
lot of zero days in applications,
sent to, to the live hacking event.

1106
00:50:26,330 --> 00:50:31,770
So I remember, I remember to send and,
and, and vulnerability with a hater, uh,

1107
00:50:32,520 --> 00:50:40,750
maybe it's, it's missing, maybe, uh, Uh,
maybe, uh, the, the submission will close.

1108
00:50:41,610 --> 00:50:45,060
The submission will close in 30 minutes.

1109
00:50:45,060 --> 00:50:47,950
I think we found some
good vulnerability link.

1110
00:50:47,950 --> 00:50:52,900
A lot of PII we sent, and the team
paid, I think the team paid $50,000.

1111
00:50:54,100 --> 00:50:55,280
It was, it was really awesome.

1112
00:50:55,560 --> 00:50:56,500
It was really awesome.

1113
00:50:56,800 --> 00:50:59,980
So, yeah, it's really good work
with these guys and work together.

1114
00:51:00,900 --> 00:51:03,940
We really, we really
find good, good vulnerabilities

1115
00:51:03,940 --> 00:51:04,640
together.

1116
00:51:04,670 --> 00:51:04,900
Yeah.

1117
00:51:04,900 --> 00:51:09,430
Do you physically go to the same location
to hack together or is it mostly online?

1118
00:51:09,710 --> 00:51:10,100
So,

1119
00:51:10,150 --> 00:51:14,480
uh, when you, when you are, uh, because
the live hacking event has two steps.

1120
00:51:14,510 --> 00:51:18,840
The first step is, uh, before
the, the, the presence here.

1121
00:51:19,270 --> 00:51:23,370
And after, after the virtual,
you have these guys together.

1122
00:51:23,370 --> 00:51:28,019
So sometimes we work together in
a Discord call, hacking, but

1123
00:51:28,030 --> 00:51:33,365
there is Async, uh, moments when
you send, Oh, there is some good.

1124
00:51:33,445 --> 00:51:35,885
We created Telegram groups to talk about

1125
00:51:35,885 --> 00:51:36,095
that.

1126
00:51:36,095 --> 00:51:39,295
But for the virtual phase, you did
not try to, I don't know, rent a

1127
00:51:39,515 --> 00:51:40,744
hacker house or something like this.

1128
00:51:40,745 --> 00:51:41,639
Yeah,

1129
00:51:41,639 --> 00:51:45,804
there is a problem because
we work far in Brazil.

1130
00:51:45,805 --> 00:51:46,815
It's really huge.

1131
00:51:47,135 --> 00:51:48,345
So I work in the north.

1132
00:51:48,355 --> 00:51:49,415
An example, I work in the north.

1133
00:51:49,415 --> 00:51:51,545
I stay in the north of Brazil.

1134
00:51:51,815 --> 00:51:55,285
F6X, uh, in this, in the south of Brazil.

1135
00:51:55,485 --> 00:51:57,035
But now in the, in the.

1136
00:51:57,575 --> 00:51:59,025
Northeast of Brazil.

1137
00:51:59,035 --> 00:52:01,105
So all are from a different

1138
00:52:01,115 --> 00:52:01,415
place.

1139
00:52:01,415 --> 00:52:01,485
Yeah.

1140
00:52:01,565 --> 00:52:04,555
I saw a few maps of Brazil
that really show the scale.

1141
00:52:04,575 --> 00:52:10,025
For example, the most Northern part
is closer to any other country in

1142
00:52:10,235 --> 00:52:15,314
North and South America than the
Southern part, the part, most Southern

1143
00:52:15,314 --> 00:52:17,255
part of Brazil or the other one.

1144
00:52:17,735 --> 00:52:23,905
The most eastern part of Brazil is closer
to the other side of the ocean than to the

1145
00:52:23,985 --> 00:52:26,655
uh, western, most western part of Brazil.

1146
00:52:27,065 --> 00:52:27,475
It's huge.

1147
00:52:27,504 --> 00:52:28,064
Yeah.

1148
00:52:28,065 --> 00:52:33,345
So imagine, uh, uh, from even the north of
Brazil, really near to the top of Brazil.

1149
00:52:33,624 --> 00:52:36,315
And we didn't have direct
flights from there.

1150
00:52:36,364 --> 00:52:37,985
So I need to go to the south.

1151
00:52:38,275 --> 00:52:39,305
And after that, go.

1152
00:52:39,790 --> 00:52:44,090
In example, we are going to Atlanta,
so I need to go down to Sao Paulo

1153
00:52:44,090 --> 00:52:45,680
and after that go to Atlanta.

1154
00:52:46,010 --> 00:52:46,180
Yeah.

1155
00:52:46,180 --> 00:52:50,890
I spent, I've been maybe, uh,
my city to Sao Paulo, I spent

1156
00:52:50,900 --> 00:52:53,199
four, five hours in plane.

1157
00:52:53,200 --> 00:52:55,610
And after that, 90 hours go to Atlanta.

1158
00:52:55,610 --> 00:52:55,800
Yeah.

1159
00:52:55,800 --> 00:52:55,989
Yeah.

1160
00:52:55,990 --> 00:52:56,420
Yeah.

1161
00:52:57,530 --> 00:53:01,380
Which of the four or five live hacking
events, which one was the best?

1162
00:53:01,380 --> 00:53:13,390
Um, um, I really liked the, um, the live
hacking event with, with the five guys,

1163
00:53:14,100 --> 00:53:15,809
because it was really, really good.

1164
00:53:15,840 --> 00:53:19,910
Um, the last year was really, really
good because I saw a lot of good

1165
00:53:19,910 --> 00:53:22,259
vulnerabilities with Manu, with Amazon.

1166
00:53:22,660 --> 00:53:23,730
Sorry, with Amish.

1167
00:53:24,000 --> 00:53:29,890
and F6X, we were capable to send good
vulnerabilities, but I really like the

1168
00:53:29,890 --> 00:53:33,030
last year of, last, I think it's 2023.

1169
00:53:33,130 --> 00:53:37,570
Yeah, 2023, because it was
five guys together and some

1170
00:53:37,570 --> 00:53:39,790
good bugs were sent together.

1171
00:53:39,790 --> 00:53:42,450
We sent a lot of bugs at
that live hacking event.

1172
00:53:42,450 --> 00:53:44,100
So it was really, really good.

1173
00:53:44,280 --> 00:53:46,370
So I really like these two years.

1174
00:53:46,440 --> 00:53:46,660
Yeah.

1175
00:53:46,790 --> 00:53:50,279
Probably the first live
hacking event I was.

1176
00:53:51,235 --> 00:53:54,295
was, was not, was not my best performance.

1177
00:53:54,295 --> 00:53:58,045
So, together with these guys, I
really increased my, my performance.

1178
00:53:59,165 --> 00:53:59,725
Nice.

1179
00:54:00,315 --> 00:54:03,974
Uh, we'll, we'll, uh, we're
closing in on the, on the episode

1180
00:54:03,974 --> 00:54:06,625
as I have the flights today.

1181
00:54:07,355 --> 00:54:10,735
Um, what before, but before
we go, what are your plans

1182
00:54:10,745 --> 00:54:13,360
for the, uh, rest of 2025?

1183
00:54:13,920 --> 00:54:20,550
Uh, so my plans are improving my recon
automation and spending most part of my

1184
00:54:20,550 --> 00:54:25,610
free time doing bug bounties to save,
um, a lot of money and build my house.

1185
00:54:26,210 --> 00:54:27,909
This is what I'm doing.

1186
00:54:27,909 --> 00:54:30,330
I'm, I'm building my house
building from the ground.

1187
00:54:30,710 --> 00:54:31,090
Yeah.

1188
00:54:31,090 --> 00:54:33,780
So I bought the, I bought
the land, I bought the land.

1189
00:54:34,170 --> 00:54:41,280
And I bought, I, I contracted,
and, and some company to build the house.

1190
00:54:41,830 --> 00:54:42,330
Yeah.

1191
00:54:42,330 --> 00:54:45,200
So we are, we are building
the house and contracts.

1192
00:54:45,200 --> 00:54:50,849
I try to draw, draw, draw the
house, think out the, this thing.

1193
00:54:50,850 --> 00:54:56,210
So, yeah, but it's cool because,
uh, if, if, if I think in that,

1194
00:54:56,460 --> 00:54:57,840
HackerOne has paid for my house.

1195
00:54:58,105 --> 00:55:00,154
It's true.

1196
00:55:00,155 --> 00:55:00,675
It's true.

1197
00:55:01,095 --> 00:55:02,785
I wish you good luck with this.

1198
00:55:02,795 --> 00:55:03,125
Thank

1199
00:55:03,135 --> 00:55:04,595
you so much for joining me for the

1200
00:55:04,595 --> 00:55:04,955
podcast

1201
00:55:04,955 --> 00:55:05,255
today.

1202
00:55:05,455 --> 00:55:06,945
Thank you so much for inviting me.

1203
00:55:07,135 --> 00:55:09,444
I really, I'm really happy with that.

1204
00:55:10,114 --> 00:55:10,254
Lovely.

