MonkeHacks #41

Another relatively busy week this week, which is in some ways good, and some ways not great. I hosted a friend in my place, so that took up some time. Towards the beginning of the week, it snowed, which was Edinburgh’s first snow of the season and precariously dangerous - the city is hilly, and all of the buses stopped running. I visited Dundee during the week, which was about 1-1.5hrs away by train.

Towards the end of the week, I flew back to Dublin for a day-trip to the National Cyber Security Centre in Dublin. They were congratulating us on our ECSC performance. I had the opportunity to speak with some of the people at the highest level of managing Ireland’s national security, which was an awesome experience. The NCSC themselves are amazing to work with - tragically underfunded by the government (surprise, surprise) but the ransomware attacks on Ireland’s health service a few years ago really kicked Ireland’s national cybersecurity program into gear, so I anticipate that I’ll be working with them a lot more in the next few years. They gave me a cool challenge coin too - thank you NCSC!

The next few weeks will be pretty much dedicated to bug bounty. I’m flying home to Cork for Christmas, but otherwise, December is going to be a busy month of hacking. Also, Mikey96’s birthday was recently, so be sure to wish him a late happy birthday.

Weekly Ideas / Notes 

• So many people take hacking lightly. Hacking is, first and foremost, a craft. Those who dedicate themselves to the craft - taking the time to master its nuances, carving out their niches, and practicing consistently daily - do the best long-term. Those who see it as “easy money” or a shortcut - will fail. You don’t become a craftsman overnight. Techniques shown to you are the tools of the craft. You need to learn to use the tools effectively to find bugs - just having the tools won’t find you very much. I repeat this a lot, but that’s because it’s true.

• You have my guarantee that I don’t, and will not, use AI for content in this newsletter. Everything I write is bona-fide monke thoughts. Hehehe. I’m open to sponsorship in the future but I have no intentions of gating content behind a paywall. First and foremost, this newsletter is for me to write down what I’ve done for the week. If you find value in my thoughts and ideas, then that alone is enough for me to continue doing this.

• I figured out a new variation of a client-side technique this week that I’ll hopefully talk about next week (I need to finish my POC first). It’s nothing groundbreaking, just something new and cool! Now that I think about it, I’ve got a pretty big backlog of stuff I said I’d talk about, but have been unable to for a few reasons (i.e disclosure terms). I’ll try to get through that backlog in the next few months.

• I want to compile an “infosec shitposts of the year” blog post before the end of the year. I think it would be good fun. If you’re a regular in infosec, you’ll know that December is when people start posting their accomplishments for the year, and goals for 2025. Sometimes we’re also blessed/cursed with a Log4j-grade security disaster, but let’s not jinx it.

• If you’re a beginner, you should check out the latest CTBB episode. There’s a lot of abstract ideas in security that they break down really well. Honestly, where were they when I was a complete beginner? This stuff is gold.

• I applied to give a workshop/talk at Bsides Dublin next year. Fingers crossed that they’ll accept it!

Resources

• Cross-Site POST Requests Without a Content-Type Header: A fun edge case of CSRF.

• Mutation XSS: Explained, CVE and Challenge: A really good breakdown of mutation XSS here, alongside some new concepts.

• InsiderPHD’s Gift Ideas: A bit of a spin-off from research resources but this is a great thread!

• Chargrid: Joaxcar’s little tool for showing the various encodings of a character.