MonkeHacks #05
This week, I did no hacking. Instead, I spent my time in Vienna, alternating between working and visiting museums such as the Vienna Art History Museum or the Natural History Museum. In the next few days I’ll be flying back to Cork to graduate from university and to help out as a volunteer at Zero Days CTF in Dublin. I'm a longtime CTF player - I’ve been on the Irish team for the European Cybersecurity Challenge three times. Nowadays, I don’t compete in CTFs anymore, but I help out occasionally.
Next week (March 26) I’ll be flying to Seoul, Korea as part of the next phase of my travel. I’ll be there for a week before I fly to Japan for a much longer period.
Bug Bounty Updates
Critical Thinking Episode 62 kindly shouted me out! Love you guys. Thanks to InsiderPHD as well, I hope to see you at an event again sometime!
I was in Vienna, Austria. I did absolutely nothing this week except continue my reading habits.
Somehow, no updates on that huge vulnerability from last week! It’s crazy. I have faith that this week I’ll finally get an update on it. The triager assigned to it is relatively new, so I’m not going to be too harsh here, but it’s nonetheless a very disappointing experience, especially considering the severity of the finding.
This week, I’ll get back to the 100-hour challenge. I have a few ideas.
Weekly Ideas / Notes
Let’s ask some difficult questions. I think it’s important to challenge yourself with discomfort sometimes.
Why are companies allowed to run VDPs and BBPs at the same time? You can argue that companies need a catch-all solution for out-of-scope findings, but in that case, these shouldn’t be rewarded with reputation points!
If you’re not finding vulnerabilities, you just need to keep studying and practicing. Public programs are public and relatively transparent. They’re not rigged or anything. Yes, the private program system is flawed, but for the most part, you can get many good private programs simply by finding paid bugs on public programs. These things take time and effort to attain. “Bug bounty is a scam” is a lie. Yes, some programs CAN be scams, but there are a lot of good opportunities still out there on equal playing fields.
Why is there no accountability for misbehaving programs? Platforms are allowing companies to get away with far too much. Yes, they’re customers, but hackers are suffering as a result. And in many cases, these incidents cause hackers to lose faith in the system.
My friend N0xi0us asked why programs are allowed to set a minimum severity for paid submissions, because programs can simply downgrade reports to below the paid threshold to steal findings. There is no transparency at all on nearly every bug bounty platform in this regard.
Why can programs simply claim “we found this during internal testing”? There’s no transparency at all here either, and as this becomes more commonplace, platforms should take this issue more seriously.
IIS has many interesting behaviours, and it’s worth taking the time to learn about them. There are too many for me to list here, but you’ll find them if you go looking.
I posted this in the Critical Thinking Discord community recently: in JavaScript you can assign a function to a variable and call it through that name, which can be used to bypass WAF restrictions.
For example, many WAFs block the character sequence alert( but not the bare word alert, so a payload such as a=alert;a(1) slips past the rule.
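Why the substring rule misses the aliased form, and what tightening it costs in false positives, as an added example that is not from the original post (the rule functions and sample strings are my own):

```javascript
// Added example, not from the original post: a WAF rule that matches the
// literal sequence "alert(" misses the aliased call `a=alert;a(1)`, and the
// obvious tightening (flagging the bare identifier) trades that gap for
// false positives on ordinary text.

// Rule 1: the substring rule the post describes. Matches "alert(" with
// optional whitespace before the parenthesis, case-insensitively.
function callSequenceRule(input) {
  return /alert\s*\(/i.test(input);
}

// Rule 2: identifier-level rule. Splits the input into JavaScript-style
// identifiers and flags the bare name, so aliasing no longer helps.
const SUSPECT_IDENTIFIERS = new Set(["alert"]);
function identifierRule(input) {
  const idents = input.match(/[A-Za-z_$][\w$]*/g) || [];
  return idents.some((id) => SUSPECT_IDENTIFIERS.has(id));
}

// Constructed sample inputs: the two forms from the post plus a benign
// sentence that happens to contain the word "alert".
const SAMPLES = {
  direct: "alert(1)",
  aliased: "a=alert;a(1)",
  benign: "Please send me a security alert for this account",
};

// Run both rules over every sample; returns {name: {seq, ident}}.
function evaluateRules(samples = SAMPLES) {
  const result = {};
  for (const [name, text] of Object.entries(samples)) {
    result[name] = { seq: callSequenceRule(text), ident: identifierRule(text) };
  }
  return result;
}

// Expected: direct  -> seq true,  ident true
//           aliased -> seq false, ident true   (the bypass)
//           benign  -> seq false, ident true   (the false positive)
// Neither rule replaces contextual output encoding and a CSP on the
// application side; signature matching is defence in depth, not the
// primary control.
```

Running evaluateRules() shows the trade-off directly: the identifier rule closes the aliasing gap but also blocks a harmless sentence, which is exactly why vendors ship the looser "alert(" rule.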
I thought about a YouTube channel, but the time commitment is too big. Instead I think I’ll work on some kind of docuseries at my own pace. I love documentaries so this should be fun as I try to bring my vision to life.
I’ve been learning the Korean alphabet in anticipation of my upcoming trip. It’s not too difficult.
Resources
SaaS Risks in Healthcare: Anatomy of a Data Exposure at the HSE: The Irish government had a misconfigured Salesforce instance that was leaking over 1 million records and several internal documents. You can read about this underrated technique here.