MonkeHacks #49
Storm, Shoes, and COOP
This week, I focused almost all of my time on automation again. Full-time bug bounty is a careful balance of making some money in the present, and investing my time in things that will make me money in the future.
I was going to go to the UK HackerOne Ambassador Club meetup in London over the weekend, but a strong storm system cancelled all of the trains, so I had no way to get there. It sucks but it happens - I’m hoping to attend the next one. It was a really strong storm as well - back in Ireland, there was a new wind speed record.
Weekly Ideas / Notes
I finished reading Brave New World by Aldous Huxley, which was a very good book that made me think. I wonder how Huxley would view the rise of LLMs - would it replace our capacity to “think” in some form? Thoughts are a commodity now, when you pay for a subscription to ChatGPT or Claude or some other AI service. I’m sure Huxley would’ve had some thoughts on this. Next book on my list is An Artist of the Floating World by Kazuo Ishiguro.
I added more services to my automation. While adding these services, I observed some limitations in my current implementation, so I also did some reworking of the core components of the codebase for efficiency and flexibility. So now the automation is in a much better state - not profitable yet but getting much closer to that point. It’s always an internal battle to work on these things as they don’t provide immediate returns, and for now I’m just racking up some compute costs.
I got bouldering shoes at last. I also slightly injured my finger attempting a V6, so that was a bit stupid of me. I have my first competition coming up on the 31st. I cross my injured fingers.
I think it would be interesting to look into COOP bypasses (assuming the page is not frameable). The latest episode of CTBB touches on this topic. I have a few target-specific bypasses, but the easiest one I’ve found so far is to have some way to receive a postMessage from the target page, and use the event.source window reference. See my blog post from last year on Exfiltrating Data from Sandboxed Documents for a more detailed, real-world example. I’d love to know what other methods exist for bypassing the COOP+unframeable combo.
Resources
Unexpectedly, this week had a lot of great writeups!
Report Pointers for Collaborative Chains: Douglas Day writes about a useful way to “borrow” other people’s work (with their permission) for chains without requiring them to disclose the specifics of what they found.
De-anonymisation using Cloudflare: hackermondev notes a brilliantly innovative method to pinpoint someone’s location within 300 miles.
Stealing HttpOnly cookies with the cookie sandwich technique: Interesting writeup detailing some more obscure tricks with cookies to escalate XSS. A classic case of abusing differentials to achieve a vulnerable state - really cool stuff.
System Prompt Storytelling: Douglas Day leaks the system prompt of a chatbot by abusing what the model has been taught to prioritise.
Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel: As per usual, Sam Curry is back with a great bug chain, this time on Subaru.