MonkeHacks #22
Balance, Specialisation, and Bad Programs
It was a busy week. I reported a few vulnerabilities, so July is coming along decently well. My brother is visiting me to spectate the World Orienteering Championships, which are currently taking place in Edinburgh. I’ve been walking a lot, so it’s been a very exhausting week. rez0 sent me this a long time ago, but I highly recommend that you read The Tail End - a legendary blog post on time spent with family.
On Wednesday, I’m travelling to Copenhagen for a few days with my best friend from Ireland. After the Denmark trip, he’s staying at my house for a few days here in Scotland. As such, I won’t be hacking much while I take a much-needed summer holiday. The newsletter won’t be affected.
Awards ceremony for the WOC 2024 in the Princes St Gardens.
100-Hour Challenge Updates
Here are this week’s statistics:
| Statistic | Value |
| --- | --- |
| ⌛️ Hours This Week | 6 |
| ⏳️ Hours Left | 11 |
| 🗞️ Total Reports (All-Time) | 3 |
| ✅ Total Triages (All-Time) | 3 |
| ✨ New Triages (This Week) | 0 |
| 💸 Bounties | $25533 |
I pushed forward with some more hours - unfortunately the attack surface I looked at is incredibly complex, so I don’t think a bug will manifest here.
Weekly Ideas / Notes
Rhynorater published a short guide on how to go full-time in bug bounty. I read it and it’s pretty good - mostly targeted to the US folks for now, but I think a UK guide is also coming soon.
I can visibly see my hacking intuition improving. I was reading about a particularly opaque and under-appreciated JS feature in the Mozilla documentation. I spotted how it could be potentially abusable in a chain… so I contacted my acquaintance matanber to discuss it. It turns out that he’d already used that exact gadget in an insane bug chain a few weeks ago for a 5-figure bounty! This fun coincidence seriously boosted my self-confidence when it comes to client-side hacking. As I dig further into this side of bug bounty, I think I’ll specialise in it. I genuinely love chaining gadgets together like this. My mind is naturally pretty good at this type of problem-solving, and I want to play to my strengths.
Specialisation is a very difficult decision. I knew that I couldn’t compete on the automation stage - I do have effective automation written, but I don’t have the time to make it competitive. I enjoy coding, but I also want to get my hands dirty with hacking.
I have a talent for absorbing new concepts very quickly, and breaking systems into their individual components - and my time working at AppOmni only made this skill even more refined. I also have very good general problem-solving ability.
I want to present my work at some point as well.
All of the above points led me to decide that a mix of client-side and API hacking suits my skills best. I’m excited to see how this will go.
My two cents here is pretty simple. To specialise, identify the intersection between 1) what you enjoy and 2) what you’re good at. See the diagram of the Japanese concept of ikigai, meant for finding your purpose in life, below, which I find to be quite relevant here.
This is a good way to decide where to specialise in bug bounty.
Shopify was publicly criticized for its bad bug bounty practices. They’re not alone in this behaviour. Without drastic changes in how bug bounty hunters are treated, such as better transparency and mediation processes, I expect all major bug bounty platforms to encounter some serious issues in the next few years.
I’m still trying to balance time spent hacking and time spent living life. I could definitely be doing some more hacking at the moment. I have plenty of new ideas to bring to the table, and I do not have enough energy or time to act on them. Hopefully, I’ll figure out my optimal work-life balance and routine this month.
Gareth Heyes’ absolute URL trick. I didn’t know about this before, and if this makes sense to you, then you’ll understand how useful this is. Granted, HTML entities can be used too, but I find this type of thing to be very cool.
Short issue next week, as I’ll be on holiday!
Resources
Bidding Like a Billionaire - Stealing NFTs With 4-Char CSTIs: an absolutely wild thought process from Matanber to pop this bug.
Chaining Three Bugs to Access All Your ServiceNow Data: Several vulnerabilities in ServiceNow from the Assetnote team.
Evernote RCE: From PDF.js font-injection to All-platform Electron exposed ipcRenderer with listened BrokerBridge Remote-Code Execution: Self-explanatory in the title. The author of this, 0reg, is only 15 years old! Incredible talent and skills on display here.