MonkeHacks #37
Moving, Custom Tooling, Writeups
This week I’m back in Scotland. I had a great few days back in The Hague, and I went back to my old bouldering gym and discovered that I’d progressed immensely and gotten a lot stronger, so that felt really good. Travel is always so liberating but so exhausting, so for the next few months the only travel I’ll be doing is back to Ireland to see my family.
In more personal news, I’m moving to a new apartment, so that’ll keep me busy this month. When I initially moved to Edinburgh, I had to rent somewhere slightly expensive because the demand was huge in the summer - a lot of places were rented out as short-term lets just for the Fringe festival, so the supply of long-term lets is significantly smaller around the July/August period every year. Thankfully that period of time has passed, and the housing market is much more kind to me now, and as a result I was able to find a nice apartment that was more suited to my needs.
I’m flying back to Ireland next week for a few days to see some friends (most of whom are graduating from university this week). I did one year less of university (BSc Ordinary instead of Honours) but I can still do Masters degrees in Europe (due to the credit system). Most people in Ireland tend to do the 4-year course instead, and so the ones I know are graduating this year.
On the hacking side, I had a mildly productive week. I wrote some code for my own use.
The Hague
Weekly Ideas / Notes
I built a cool tool for my own use. This one isn’t going to be public. I will say that it is well worth building tools for yourself once you’ve got a clear picture of what your hacking workflow is.
Now that we’re into November, I’m focused on making money. I do love what I do but money is still a huge part of it, and after a lazy October I need to focus.
There are always some weird APIs out there. I went looking after the Cache API thing, and I found the Battery API! Super fun.
I was foiled for a cool bug by browsing context isolation. Suppose you visit Site A, and something is put in localStorage. This is tied to the domain, so if you open a new tab of Site A and open localStorage, it’ll show the data you pushed in the first tab. This is not true for iframes. If you iframe Site A, then it won’t have a shared localStorage.
I’m stepping away from Twitter a bit - I need to detox from it a bit and focus on my work. That said, I’ll still post the newsletter as usual.
Resources
We were spoiled for cool writeups this week!
HeroCTF v6 Writeups: Some really crazy techniques in here. Like, the Caching API being accessible by the window scope?? Huh???
XSS WAF Bypass One payload for all: Interesting and surprising bypass.
What Are My OPTIONS? CyberPanel v2.3.6 pre-auth RCE: My good friend DreyAnd found a fun 0-day. Unfortunately it was used by ransomware gangs. CyberPanel probably shouldn’t have given him permission to publish, and they absolutely should’ve put out a major security advisory given the severity of the issue.
Exploiting Fortune 500 Through Hidden Supply Chain Links: A classic Lupin-esque supply chain attack. Great read.
Concealing payloads in URL credentials: An interesting observation from Joaxcar.