MonkeHacks #01

Introduction

Welcome to MonkeHacks! I’m Ciarán, a.k.a monke. Briefly about me - I work as a SaaS security researcher at AppOmni alongside rez0, and this is my fourth year doing bug bounty as a hobby. The goal of this newsletter is to provide some useful notes, ideas, and other resources. There will be minimal structure - this is just an assembly of my thoughts for the week. So, stay tuned!

100-Hour Challenge Updates

As some of you know, I’m currently doing a challenge to hack for 100 hours on a public program. This week, I picked a hardened public program, after considering a variety of factors such as payouts, response times and report volume. I conducted a complete assessment of the obvious attack surface and identified the priority surfaces that I wanted to attack first. I spent the remainder of my time investigating how those features worked and established what limitations I had with the feature I was actively attacking.

Here are this week’s statistics:

The bug was very weird, so I’ll definitely write a post about it if I can get permission to do so.

Bug Bounty Updates

• I found a bug on my 100-hour target after 2-3 days of looking at it. It’s a good start.

• This week, I found an XSS with Jayesh25. He’s a machine!

• I educated myself on more GraphQL attack vectors.

• I worked on Go code to optimise some recon flows. My automation doesn’t fully work yet, but the completed body of work is very fast.

• I’m nearly at 3,000 reputation points on HackerOne. I hope I’ll reach that milestone before the next issue.

Weekly Ideas/Notes

• I started putting hacking ebooks into GPT-4 using the Create GPT functionality. It was able to propose attack vectors for my HTTP requests by applying the book’s methods to it. If you’re a beginner and you have access to GPT-4 and you’re a bit lost, this is a great way to learn.

• I’ve been following Kei0x’s work on Aiko, their hackbot, closely on Twitter/X. I’ll probably give this a shot myself. Last year, I built the foundation of an automated API hacking system with my college friend. We were several months ahead of the rest at the time, but since everyone’s caught up - give it a shot! I’d like to see how people tackle the challenges around different API contexts.

• Do you farm medium bugs on mediocre programs? Are you making decent money, but long for those highs and crits? Well, I guarantee that if you dig into a program with much better payouts such as Epic Games or AirBnB, you’ll find stuff. Give the 100-hour challenge a go. If you can find Mediums you can find Highs.

• Do you run a program? The best way for you to get better reports, is to treat your reports like a conversation rather than a task or ticket. I’m a lot more motivated to hack on programs with nice people behind them and fast response times, than programs that are slow to respond and don’t care about their hackers.

• Hacking in other languages - consider dorking for useful information in languages other than English. These can be overlooked easily in places like Github or in source code.

• Portswigger’s Top 10 Web Hacking Techniques, Nominations: I highly recommend going through every nominated technique on Portswigger’s blog. It’s an incredibly informative resource.

Resources

• ChatGPT Account Takeover - Wildcard Web Cache Deception

• Howto: Use Burp Hackvertor Plugin to Re-sign Requests

• Full Analysis to License Generation Process of Github Enterprise

• Top 10 Web Hacking Techniques, 2023

Have a great week!

— Monke / Ciarán