MonkeHacks #08
A friend in Tokyo, Burp2Caido, Hacker Efficiency
I am currently in Osaka, Japan. I spent my week in Tokyo. I met a lot of cool people in my hostel - UnPlan Shinjuku. If you’re considering solo travel, I’d highly recommend it. I shared a story on Twitter of how I met a Pwn2Own participant in my hostel last week! We had an amazing chat about our experiences in the hacking world. The cherry blossoms are blooming at the moment, so the scenery in Tokyo was incredible. I have a ton of travel tips and tricks - if people want to know them, I can write them into the newsletter too. I have a friend in Osaka, so yesterday I took the bullet train down to Osaka to hang out with him. Tomorrow I’m going to Sendai to visit my grandmother.
I decided to do some bug bounty during the 2.5-hour journey there - and somehow I found two good bugs in that short time. I hope they don’t dupe. I did no other bug bounty this week. I had planned the past week to be the most hectic part of my overall trip, so I will hopefully have more time to work on bug bounty stuff now.
100-Hour Challenge Updates
Here are this week’s statistics:
⌛️ Hours This Week | 3 |
⏳️ Hours Left | 60 |
🗞️ Total Reports (All-Time) | 2 |
✅ Total Triages (All-Time) | 2 |
✨ New Triages (This Week) | 0 |
💸 Bounties | $13550 |
Unfortunately, the program closed the report and just… ignored my comments, so I’ve been forced to open mediation. This is the first time in four years that I’ve ever had to open mediation on a report. This is not the route I wanted to take, but I have no other choice.
Weekly Ideas / Notes
This week I wrote Burp2Caido - a tool that allows you to migrate your HTTP history from Burp Suite to Caido. It’s imperfect but it works. I have nothing against Burp Suite but honestly, it’s hindered by memory issues and a lack of clear direction. Please fix this! If people are putting version 1.7 of your software on a pedestal, you need to fix your newer stuff ASAP.
HackerOne’s Detailed Platform Standards came into effect this week. It would be great if every platform implemented something like this.
I saw Hakluke repost his old article on automation. This is an excellent resource to understand how your automation framework evolves. My automation is too small but it’s allowed me to become a much more competent developer.
Take care of your back! Pomme shared his chair. Pomme will always claim that he’s a terrible hacker, but in reality, he’s very, very good at what he does. I’m not letting you be humble this time, my friend.
I’ve been thinking about hacker efficiency. Reflect on your workflow. Without compromising thoroughness, are there any optimisations you can make to reduce the amount of time you spend hacking between findings?
To examine this more closely - what is the duration of time you have to spend hacking before a consistent pattern emerges in your bounties? For me, it’s quarterly. I can have good months and bad months, but the quarterly averages are incredibly consistent. A good metric to examine my bug bounty performance might be to try to reduce this metric. If I can reduce consistency from quarterly to monthly, my hacker efficiency should be significantly better.
Ultimately, to achieve the best balance between hacking and living life, achieving optimal hacker efficiency is key. Some people achieve this through automation. Others achieve this through manual hacking. I’m hopefully in the latter camp.
Resources
Cloudflare's handling of a bug in interpreting IPv4-mapped IPv6 addresses - Cloudflare
Bypassing DOMPurify with good old XML - by my friend Ryotak
Leaking ObjRefs to Exploit .NET Remoting - mentioned in CTBB Podcast, written by Markus Wulftange