MonkeHacks #52

Well, here we are. One year of MonkeHacks! Thank you so much for reading and following my journey through bug bounty and cybersecurity. If you’re a new reader - welcome! And consider subscribing. On at least three different occasions in the past year, someone has popped a specific bug several months after I’ve written about it. Subscribing could be the difference between a Low and a Crit someday!

Anyway, today is a long issue, so onto the good stuff.

The first and foremost objective of this newsletter is to provide you with both information and motivation to better your hacking. The secondary objective is to hold myself accountable each week so I have something to write about and some resources to link. With this in mind, I want to look back on my progress in the past year of writing this. These weekly issues form a rough chronicle of my journey into hacking and infosec, as well as life in general, so it makes sense to review what’s happened since the beginning.

Looking Back 

In February, I visited Mikey96 in Scotland. Through March I went to Vienna, and helped to staff Zero Days CTF in Dublin, and wrote some easy web challenges for the event. I had my university graduation ceremony and graduated with my BSc in Computer Science from University College Cork.

In April, I travelled to Seoul in South Korea, visited the border with North Korea. That was a jarring, surreal experience. I flew to Japan, where I travelled all around the country - I visited Tokyo and Osaka to see friends and experienced the cherry blossom season, and I took the bullet train all the way to Hokkaido in northern Japan, visiting my grandmother and relatives in Sendai on the way.

While I was in Hokkaido, I retreated to a remote mountain lake called Shikotsu Lake and wrote about it here. While there, I quit my job at AppOmni after 2 years of working in SaaS security research to do bug bounty full-time and leap into the unknown. I ended up spending over 40 days in Japan. I started learning client-side hacking - my prior experience was only basic XSS bypasses. I did a 100-Hour Challenge on Grammarly, finding a $22,000 SSRF bug with Mikey96.

In June, I decided to leave The Hague, and I moved to Edinburgh. That proved to be a great decision. I spent two weeks living in a hostel while I found a place to live, and had the worst sleep of my life - thanks to a Mongolian man who achieved the impossible and managed to snore loudly despite lying on his side.

In September, I was invited to, and competed in, H1-0131 in Edinburgh. It was a crazy coincidence that HackerOne chose to hold a Live Hacking Event a mere half-hour walk away from where I used to live. I found several bugs, including a High client-side bug with Matanber, on AWS.

In October, I moved to a new flat in Edinburgh that suited me much better than my old place. I took part in the European Cybersecurity Challenge in Turin, Italy as part of Team Ireland. I travelled around Basel, Strasbourg, Freiburg and revisited The Hague.

In November, I gave a talk on bug bounty to Edinburgh Napier University and reported my first bug to the Google VRP, and went to the headquarters of the National Cybersecurity Centre in Dublin with the ECSC team. I started lifting - 3 months in, I’ve made great progress, and now I can squat 5×5 ~70kg/155lb.

In December, I started going to therapy (it’s like the gym, but for your mind, hehe), and I returned to consistently reading books - I now get through about one or two books every month.

In January, I found my first few automation bugs. I joined the Bugcrowd Hacker Advisory Board, and HackerOne Pentests. I went to Vienna with a good friend of mine and competed in my first bouldering competition. I did two pentests that gave me good financial stability for the quarter.

And here we are! I have some really cool things to share soon, but it’s too soon to talk about them. I’m really looking forward to writing about them.

Weekly Ideas / Notes 

• This week, I optimised my workflows significantly. Hive Five wrote about it recently, but I want to be able to hack at the speed of thought, and remove as much friction as possible from my hacking process.

  • I started using the Hyperkey, which you can read about here on Hive Five. Combined with Raycast, most of my daily applications are mapped to quick hotkeys.

  • I also installed Espanso, a productivity utility favoured by Rhynorater. Now, my most commonly used text (such as Kubernetes restart commands) automatically expand from short snippets of text that are much faster to type.

• I also made progress on my automation. The data quality is improving, and I think I’ll have a few more findings from it this month. Coding introduces some nice variety into my week.

• I’m giving away a 1 year voucher to Caido Pro to somebody to celebrate this 1-year milestone. All you need to do to enter is to follow me and retweet my tweet with this post linked. I’d appreciate it if you subscribed to this newsletter too, but that’s not a requirement - just subscribe if you enjoy my content!

• That’s it for MonkeHacks 52! Thank you again for reading!

Resources

There were a lot of really cool writeups in the past week, which is perfectly fitting for the 1-year issue!

• Exploring the DOMPurify library: Hunting for Misconfigurations (2/2): This giant blog post from Kevin Mizu is the most thorough examination of DOMPurify I’ve ever seen. It’s a goldmine of knowledge and bypasses.

• Leaking the email of any YouTube user for $10,000: Excellent demonstration of deep program knowledge.

• Hacking Gemini's Memory with Prompt Injection and Delayed Tool Invocation: A very interesting AI hacking technique. Veeeery nice.

• The Rise of AI Hackbots | Joseph Thacker | TEDxUKY: rez0 had a TED talk! Very cool!

• How We Hacked a Software Supply Chain for $50K: Another fantastic find from Lupin and his work in supply-chain hacking.

• Nginx/Apache Path Confusion to Auth Bypass in PAN-OS (CVE-2025-0108): Yet again demonstrating that differentials in between layers of processing can cause really serious problems.

• Fragility of The Internet: How Sacrificial Nameservers allowed potential DNS hijacking of 1.6+ million domains: This is one of the best explanations of DNS I’ve ever read. Incredibly articulate article on a very interesting quirk of DNS.