MonkeHacks #28

H1-0131, Methodology, URLs

Big welcome to the new people who subscribed because of the methodology post! Hopefully you’ll find some value in this newsletter.

The Fringe festival is finally over and Edinburgh has returned to its normal tourist levels (thankfully). This week, my mom is visiting me from Ireland so I don’t expect to be too productive - family first, after all - but I do still have some work to do.

I was invited as a Local Hacker to H1-0131 in Edinburgh! Yes, funnily enough, HackerOne decided to hold their latest LHE in this city three months after I moved here. It’s beginning to feel like an episode of The Truman Show. No complaints here.

For obvious reasons I can’t share the targets, but I’ve been doing some reading and initial research to prepare myself for the upcoming event. I’ve been itching to prove myself for a while now and I’m really grateful to finally have the opportunity to do so.

The logo of the upcoming event.

Gadget of the Week

This week’s gadget is the same-origin redirect. If a page contains two iframes from the same origin and you have an XSS in one of them, you can redirect the other iframe through window.parent.frames. This is incredibly useful when you need to escalate your XSS, because different iframes can have different restrictions in place. Remember that a window can set location.href on any other window of the same origin via a window reference - unless the navigation is initiated from a sandboxed iframe.

Weekly Ideas / Notes

  • This week I published Monke’s Guide to Bug Bounty Methodology. It didn’t take too long to write - I churned it out over a 2-day period because I hyperfixated on the task. I hope you find it useful!

  • Frans Rosen’s XSS challenge: I gave this a shot for a little bit - I fell down a rabbit hole of iframing the page to avoid navigation problems and trying to use the data protocol to pop this - unfortunately the / character was blocked after the protocol section, so unless there’s a media type without a / character that makes XSS possible, my approach would’ve failed. I still learned a ton, so thank you Frans.

  • Browser URL parsing strips out tab and newline characters before the URL is interpreted, so a ../ sequence split by one of those characters can slip past WAF patterns that match the literal ../ form. It’s amazing how much we’re still discovering about such a simple concept: URLs.

  • This is your reminder to get some decent exercise this week and to pay attention to your posture. If you’re reading this newsletter you’re probably spending a lot of time at a desk or at a computer - and long-term, this has very adverse effects on your health. Likewise, take care of your stress levels! Stress kills!

  • I’m making an attempt to study my own mental state and frame of mind in the run-up to this upcoming LHE, in the interest of documenting it. I’ll try to interview some hackers at the event about this to see how they approach LHEs from a mental perspective.
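The URL-parsing note above, as an added example that is not from the newsletter: a Node script showing that a WAF rule matching the literal `../` misses the tab-split form that WHATWG-conformant browsers collapse, beside a check that normalises the same way the browser does before matching. The `/app/` prefix and the sample request targets are constructed, and the example goes slightly beyond the note by also covering the percent-encoded form the parser treats as a dot segment.

```javascript
// Added example (not from the newsletter): why a WAF rule that matches the
// literal "../" in a raw request target misses the tab- or newline-split
// form, and how to check the way a WHATWG-conformant browser parses instead.
// The "/app/" prefix and the sample targets below are constructed.

// Naive rule: literal substring match on the raw target string.
function naiveBlocksTraversal(rawTarget) {
  return rawTarget.includes('../');
}

// WHATWG basic URL parser, first step: remove all ASCII tab or newline
// characters (U+0009, U+000A, U+000D) from the input before parsing.
function stripTabNewline(input) {
  return input.replace(/[\t\n\r]/g, '');
}

// The path a browser (and Node's WHATWG URL class) actually derives from the
// raw target: tab/newline removed, then dot segments resolved.
function browserPath(rawTarget) {
  return new URL(stripTabNewline(rawTarget), 'http://example.invalid').pathname;
}

// Normalised rule: strip like a browser, then reject either a literal "../"
// in the cleaned target or a resolved path that leaves the allowed prefix
// (the second check also catches "%2e%2e/", which the parser treats as "..").
function normalisedBlocksTraversal(rawTarget, allowedPrefix = '/app/') {
  const cleaned = stripTabNewline(rawTarget);
  if (cleaned.includes('../')) return true;
  return !browserPath(cleaned).startsWith(allowedPrefix);
}

// Constructed sample request targets and what each rule decides for them.
const samples = [
  '/app/../etc/passwd',      // literal traversal: both rules block it
  '/app/..\t/etc/passwd',    // tab-split: naive rule misses it
  '/app/..\n/etc/passwd',    // newline-split: naive rule misses it
  '/app/%2e%2e/etc/passwd',  // percent-encoded: parser resolves it to ".."
  '/app/images/logo.png',    // benign: neither rule blocks it
];
for (const t of samples) {
  console.log(JSON.stringify(t), 'naive:', naiveBlocksTraversal(t),
    'normalised:', normalisedBlocksTraversal(t), 'browser path:', browserPath(t));
}
```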

Resources