MonkeHacks #04

A pretty busy week. Next week, from March 13-17, I’ll be in Vienna, Austria. If you’re based in Austria, and want to chat about hacking over a coffee, let me know! In more personal news, I graduate from university soon with a degree in Computer Science, so I’ll be returning to Cork in Ireland (my home city) for that after my trip. The degree was honestly pretty useless for me in our line of work, but I made some great friends there over the past few years. I did learn that academia is not for me. Anyhow, let’s dig into some bug bounty stuff.

Bug Bounty Notes

Inspired by ajxchapman, here are my 2024 YTD stats.

Analysis

Last year, I reported 84 vulnerabilities, but over 50% of them were Medium severity, and typically access control or IDOR. As you can see, I am reporting less vulnerabilities this year, but the quality of my findings is much, much higher. This has translated to more fulfilling hacking and better bounties.

This change is due to two decisions I made very intentionally.

• Firstly, I am intentionally looking on attack surface that is more difficult to hack, but much more likely to yield High or Critical issues. As such, I am simply not finding Medium issues.

• Secondly, I am hacking on harder programs. The problem with my approach last year was that I wasn’t learning very much. It used the same set of skills every time. Hacking on more difficult attack surface forced me to adapt my skillset and to try new ideas.

These changes have been very fruitful in January and February, so I’ll keep going with this and continue to log my journey here. I am reporting about 5 bugs a month, or 1-2 bugs a week.

100-Hour Challenge Updates

Here are this week’s statistics:

Unfortunately, HackerOne triage were very slow to get to the finding from last week, so it’s still in New state. Somehow my two reports are the only reports that have fallen out of the program’s SLA metrics. Fingers crossed that I’ll have more news to share on this soon.

Bug Bounty Notes 

• On Friday, I attended the Intigriti Open Port in Antwerp, Belgium. It was about 1-2 hours away from me by train, which was fortunate. I met my good friend hg_real, who is an incredibly skilled game hacker, and floerer, who gave a talk on XXEs at the event. I also met GOO53, who runs Hacker Hideout.

• I listened to several episodes of the Critical Thinking podcast. It’s hard to understate just how useful this podcast is. The depth of what they discuss is incredible.

• I started reversing-engineering some software, and identified a promising lead for RCE. I started trying to set up the lab environment, which has proven to be more challenging than finding the bug itself…

Weekly Ideas / Notes 

• I work in SaaS security, and seeing my mentality change over the past year as I’ve gathered more security experience has been interesting. My bugs aren’t limited to techniques anymore, and are now much more context-dependent and creative. Incorporate other fields of expertise into your work and see how it affects your bug bounty work.

• Apply the scientific method to bug bounty. Create a hypothesis; test this hypothesis against the evidence, then draw a conclusion and alter the hypothesis and test again. This is how you find unusual behaviours that may turn into findings. Don’t test blindly, be methodical.

• Ask yourself what you’re hacking for. Recognition? Money? Fulfilment? You should alter your methodology to fit this. If you want recognition, focus on farming more medium-grade findings, as this will give you more reputation. If you want money, focus on High/Critical bugs. If you want fulfilment, hack the technologies that interest you. Some hackers will hack for their own entertainment, and some will use automation so they can do less manual hacking. There’s no wrong motivation so long as it’s ethical. Turn yourself into a happy hacker. Personally, I hack for both money and to scratch that problem-solving itch.

• Last year, I did Jason Haddix’s TBHM training. Here’s my honest review; for certain hacking styles, that focus on large-scale recon (wildcard scopes or scopes that say “you can report bugs on any of our assets”), this training is invaluable and definitively the cutting-edge of the industry. If this is a hacking style that you like (personally, for me, I prefer to dig very deeply, so not me) then I would highly recommend it. Jason Haddix is an excellent teacher, and as a quick anecdote - although he probably doesn’t remember it - I met him two years ago in Las Vegas, and got to thank him for his methodology videos that I got so much value from as a beginner. Those videos helped me immensely - back then, I didn’t realise just how deep the recon rabbit hole goes. It blew my mind. The TBHM trainings are what I would consider to be a “natural evolution” of those videos for the more experienced hacker. Is it worth $500? Well, on average, that’s one medium bug, right? So if you can find a medium bug or better with the techniques he discusses, then it’s worth it.

Resources 

• Finding All Paths on Next.js websites

• Cognitive Biases in Hacking - (disclaimer: I wrote this a few months ago)

• HackerNotes - I was blown away by how thorough HackerNotes, the text-based companion to the Critical Thinking podcast, is. It’s a goldmine if you’re a busy person.

• Exploiting Kubernetes Through Operator Injection - an interesting post that follows a growing trend of “configuration file injection” issues.