MonkeHacks #44
Environments, Font Hijacking, Christmas
As we near Christmas, things are slowing down a bit. My brother is visiting me from Ireland because he finished his university exams. That said, the hacking does not stop, so for the most part I’ve continued digging into my various targets.
This week I spent most of my time reading documentation carefully and refining my threat model in my notes. There were several nuances and features that I had completely missed because they were in hard-to-reach parts of the application.
Some of my readers wanted me to go through my hacking process and outline how I approach a target. I’m still thinking about how best to present this information, but I’ll get around to it in 2025.
I hope you have a great Christmas (if you celebrate the occasion)! Be kind to the programs and try not to report a P0 on Christmas Eve. I’m flying back to Ireland this week to stay with my family for ~2 weeks, and then I’m going to Vienna for 4-5 days with a childhood friend, so I’ll be back in Scotland in mid-January.
I booked one of the meeting rooms in the WeWork office, and the view from it was really nice. It was like The Hobbit. Hacker Hobbit!
Weekly Ideas / Notes
I started using Environments in Caido, which make access control or IDOR tests very easy. It’s simple to set up, so I highly recommend checking them out! However, my projects are getting kinda big, so I might need to script some way to trim down my request history.
I switched up my hacking a bit and reported some information disclosure bugs this week. I also figured out a fun little trick for CSS injections: if you specify a font-family via your injection, and the font already exists (e.g. Helvetica), your CSS will override the font's existing configuration!

I spent some time working on an inconsequential project around AI and some AI design patterns. It took two days or so, and it was time well-spent as I learned a lot of useful concepts. The project was focused around what I call the “common sense engine” - getting an LLM to act as a classifier to make a common-sense decision for XYZ purpose. I don’t have an idea to build yet, but now I have the skillset.
I’ve been digging much deeper into one of my programs, and it has a very complex authorisation model that I’m currently trying to digest. This is part of the process, and sometimes you just need to sit down and grind through the documentation. No way around it! I will say that this type of authorisation model reminds me of how utterly complicated and sometimes painful the modern internet is, especially in organisations with hundreds of users.
Other than that it was a relatively quiet week. I met my bounty goals for the month so I took my foot off of the pedal to rest.
I started learning Hangul (the Korean alphabet) again (the last time I studied it was before my trip to Seoul). I’m doing this for fun, it’s nice being able to read multiple alphabets. Currently I have English, Japanese (Hiragana, Katakana, Kanji) and Arabic under my belt. Hangul, you’re next! I’ve been working on my German vocabulary as well. I’m making good progress on everything.
I’ll publish an extra-large issue next week, before the end of the year. Stay tuned!
Resources
Jswzl added the ability to hide Descriptor Types. This was a feature that I requested - it’s now possible to tailor the Descriptor pane to only the descriptors that you’re interested in, which is so powerful. Previously it was a bit of an information overload, but now it’s fast to spot the sinks that you’re interested in.
How an obscure PHP footgun led to RCE in Craft CMS: Clever misuse of nuances in PHP’s behaviour led to RCE in CraftCMS.
WorstFit: Orange Tsai’s gargantuan research on Windows BestFit behaviour and the dozen different ways he exploited it. The slides are very long and packed with good research.