Episode 53: In this episode of Critical Thinking - Bug Bounty Podcast, we’re joined by none other than NahamSec. We start by discussing the challenges he faced on his journey in bug bounty hunting and content creation, including personal struggles and the pressure of success. We also talk about finding balance and managing mental energy, going the extra mile, and the importance of planning and setting goals for yourself before he walks us through some Blind XSS techniques.
Follow us on twitter at: @ctbbpodcast
Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Timestamps:
(00:00:00) Introduction
(00:01:37) Costs of Content Creation
(00:21:12) Hacking 'identities' and Pivoting
(00:36:49) Hacking Methodology
(00:58:59) Planning, Goals, and NahamSec's 2023 Performance
(01:10:19) Blind XSS
(01:35:19) Going the extra mile in Bug Bounty
Justin Gardner (@rhynorater) (00:02.247)
We'll just jump right into the episode. All right, man, Ben, thanks for coming on the pod, dude. We had a little bit of a pre-chat right before this episode and we realized we were getting lost in the conversation and we said, oh, we gotta start the pod. Yeah, exactly. So, dude, so excited to have you on the pod. We've been saving you, actually, because when we launched the podcast, we were like, hey, could we have you on the pod? And then we realized, hey, let's get a little bit of traction first.
NahamSec (00:14.135)
I think it's a good time to start it, yeah, for sure.
Justin Gardner (@rhynorater) (00:29.583)
Let's get our training wheels off and then we're ready for the big guns. So I think we're here. I think we're ready to roll. And um.
NahamSec (00:35.467)
I don't know if I'd like to be called the big guy. I feel like you guys are putting the expectation all the way up here and then I hope I deliver for it, but I appreciate it. I hope I can keep, live up to the expectations too.
Justin Gardner (@rhynorater) (00:41.808)
Yeah.
Well, that's good. I think it's a shared responsibility, but you know, we like to keep the pressure on. So in line with that, I think we're going to go ahead and start off the episode with a little story. And we're going to flash back to 2022. This is a sort of a memory I have of us sitting together at a table at a hotel in Colorado at a Hacker One life hacking event. And I think this was a pretty rough time period in your life and you were
you and I were collaborating together and talking about, you know, how to approach this target. And you were feeling a lot of insecurity and not confidence in the Bug Bounty journey, which is kind of crazy to me because I, you know, got into Bug Bounty watching your videos and seeing your content. And so I was glad to be able to be there for that time. But then I look back at that and then I look at now, which is, you know, years later, having just done a 500K year in Bug Bounty.
And I just wonder about that journey. So I was wondering if you could take us back to that spot and then bring us forward to today.
NahamSec (01:49.003)
Yeah, so I mean, the table you were talking about was me. So you and I were working on some projects in the past, non hacking related, and then I kind of ghosted you. And when we got in person, I was like, I owe this guy an apology. So I was like, hey, sorry, I have to ghost you guys. And there was context to it. And I think at the time I was actually on the come out of that entire problem. So a lot of people know this, I was married for a while. And then before COVID happened, I was.
Justin Gardner (@rhynorater) (01:54.839)
Yeah. Hmm. Ha ha ha.
NahamSec (02:16.491)
you know, really struggling with depression, anxiety, a lot of different issues. And then in 2020, I went through a divorce and actually like Joel, I think was one of the first people that found out about the breakup. We just, I think I found about some stuff in his life and then I messaged, I was like, hey, I heard you're going through some stuff and Christmas is coming up. What are you doing? It's like, oh, I'm not going back home. I'm gonna be in my area. I was like, do you wanna come hang out with me? We can just hang out. And I just got a puppy, you wanna come meet my new dog? And he came up and...
Justin Gardner (@rhynorater) (02:19.758)
Mm-mm.
Justin Gardner (@rhynorater) (02:30.606)
Mm.
NahamSec (02:43.627)
Funny enough, we put some furniture together that we broke and then I send it back to the manufacturer. We don't have a talk about that, but yeah. I think before I can talk about that though, there is a little bit to talk about what got me to 2022 where you and I sat at the table and I kind of told you about it, right? So about 2018, I want to say 2018, 2019 is when I got into content creation. I started with...
Justin Gardner (@rhynorater) (02:50.088)
Oh my gosh
Joel Margolis (teknogeek) (02:51.63)
What? Hahaha.
Justin Gardner (@rhynorater) (03:00.419)
Yeah, yeah, I'd like to hear that.
NahamSec (03:11.187)
live stream, this is when the first live recon happened. I didn't have this beautiful office, I had a bunch of Batman posters in the background because yeah, it was, but, and if, getting banned from Twitch, yeah, a lot of different crazy stuff that happened, and you know, the big thing with, I also applaud you guys for doing this, the consistency when it comes down to creating content. You guys are pushing out a podcast once a week, you're doing these calls.
Justin Gardner (@rhynorater) (03:14.935)
Yeah, legendary time.
Joel Margolis (teknogeek) (03:20.846)
I'm getting banned from Twitch.
NahamSec (03:39.035)
I just saw you guys doing a prep call before the podcast. I'm sure you guys spent hours before it. I want to say for every hour of content that you're making, you're putting into about five hours of work at least minimum, right? So now imagine that I'm doing four days of streams a week. I was streaming Friday, Saturday, Sunday, and Monday. And this is before we were stuck. This is before we were told we have to stay at home on Friday, Saturday, Sundays because of COVID, right? So I wasn't going out on Fridays in the-
Justin Gardner (@rhynorater) (03:44.196)
Mm.
Justin Gardner (@rhynorater) (03:50.91)
Mmm, yeah.
Justin Gardner (@rhynorater) (03:57.407)
No way! Oh my gosh.
NahamSec (04:07.303)
I wasn't going out Friday nights because I had to stream on Saturdays. I wasn't going out Saturday nights because I had to stream on Sundays, and I couldn't go do stuff with family on Sunday mornings, I had to stream. And when you do that and you're away from family, away from doing the things that you love, and you have members around you that miss you, friends I don't see. Everyone was like, oh, we can't see you this weekend because you have to stream, right? That was the go-to with me. So I built up a lot of like pressure on the external people in my life that they wanted to see me and I couldn't see them, and I put like a lot of pressure, I couldn't travel anymore. There's all these things, right?
Justin Gardner (@rhynorater) (04:26.428)
Wow.
Justin Gardner (@rhynorater) (04:33.399)
So, yeah. So I wanna pause you there. Yeah, go ahead Joel. Yeah.
Joel Margolis (teknogeek) (04:36.982)
Yeah, so I actually, well we've all had so many questions about this. So I was going to say, I have a friend who I know personally, he was not a streamer and he transitioned into now full-time streaming. He's been doing it for about a year. And I've noticed this, I don't know how much it's affected him, but I was curious what it felt like in the moment for you. Because I think in the moment it's very easy to just sort of be like, I'm...
NahamSec (04:40.473)
One at a time, one at a time, one at a time. One at a time, one at a time.
Joel Margolis (teknogeek) (05:04.43)
growing, like things are going really well for this. I'm putting a lot of time and effort into this. Like it's working. I'm just going to keep doing that. And it's kind of easy to sort of justify the reasons for why the other aspects of your life sort of start to fall apart. What was it like, like from your perspective, like going into like, in hindsight, it's easy to see, like, you know, okay, yeah, I was spending too much time and energy on that. I probably should have focused on family, but like in the moment, what was it? What was it like from the inside?
NahamSec (05:24.084)
Yeah, absolutely.
NahamSec (05:30.683)
So the thing with me is I have a very addictive personality that I can control. I can't control when it comes down to the things that I enjoy doing. I can control when it comes to drinking and partying and things, I can control that part. But when it comes down to hacking, when you get that high of success that you're getting, whether it's content, bug bounties, whatever it is you're doing, that is the time that I can't control at all. So at first it was bug bounties. I was working full time, I was doing bug bounties and I took a break. I was like, okay, now I want to do content.
Justin Gardner (@rhynorater) (05:41.752)
Mmm.
Justin Gardner (@rhynorater) (05:51.314)
Mm.
NahamSec (05:57.451)
But when you're hitting success, it's hard to say no. It's hard to take a break because with hacking, the thing that I really struggled with was every time I went out to hang out with my friends, that was six hours of going out. And then if I went out drinking three hours of being hungover in the morning, that's about a nine hour of time that I lost without making bounties. Right. Now, if I'm streaming every day, if I miss one day, people are quick to forget you when you stop making content.
Justin Gardner (@rhynorater) (06:00.955)
Yeah.
Justin Gardner (@rhynorater) (06:13.979)
Hahaha
Justin Gardner (@rhynorater) (06:18.066)
Mmm.
NahamSec (06:25.111)
I've, you know, it's very hard to say no to doing things. And that's just one aspect of content that I've just talked to, there's more to how it changes your life. But just from a perspective like success, it is really hard to say no when you're, when your growth is like, it's not even like slowly going up. It was just huge. I had a huge growth with Twitch. I think I got like 10 to 15,000 followers within a couple, with a year and had a huge community. I would tweet out in a random shed on Twitter and
Justin Gardner (@rhynorater) (06:25.163)
Yeah.
Justin Gardner (@rhynorater) (06:42.15)
Mm.
Justin Gardner (@rhynorater) (06:45.968)
Mmm. Wow.
NahamSec (06:50.871)
and we get a lot of attention and I was just like, holy crap, this is becoming real. Like people actually like, and with, dude, Twitch has one of the most engaged communities. It is insane how many people can, you know, support you, have to interact with you. They wanna like be a part of your community. I've never seen it like that. And then when you come into that, it's just hard to give up. It's hard to like let go, right? So just, you know, taking a pause, you know, there was times that I would take a, like HackerOne would say, hey, we're doing H1415, for example, you gotta come to San Francisco.
Justin Gardner (@rhynorater) (06:54.389)
It's addictive.
Justin Gardner (@rhynorater) (07:00.143)
Mm.
Justin Gardner (@rhynorater) (07:10.31)
Yeah.
Justin Gardner (@rhynorater) (07:18.023)
Mm.
NahamSec (07:18.911)
I would take a week off, but the whole time in my brain, I'm going, please don't drop my numbers when I go back next week. Please, I hope my regular has come back. I hope my regular viewers come back or at least I get the engagement. So it's really hard to say no to it. But the other thing that comes with content when you're doing streams is you showing a thin-thin version of yourself. You cannot hide who you are when you're doing a stream. And that comes when you're doing technical content, it's harder when I don't know a topic on stream. Guess what? I'm gonna look it up.
Justin Gardner (@rhynorater) (07:23.548)
Mmm.
Justin Gardner (@rhynorater) (07:28.537)
Yeah.
Justin Gardner (@rhynorater) (07:38.663)
Mm-hmm.
NahamSec (07:44.991)
those mistakes you made that you're not, you're inefficient, everybody sees it and everybody judges you. That's why people say, do you don't want to meet your heroes? And a lot of people got to meet their hero, you know?
Justin Gardner (@rhynorater) (07:51.707)
Well, it's vulnerable too. You're going on there and you know that that's going to happen time and time again. All of us know, even the pros, that we have to still Google how to write a markdown link or get the syntax right in a specific thing. So, yeah.
NahamSec (08:06.187)
But that's the thing though, people don't see it that way. People thought, you know, I was getting, some top hackers were like very disappointed in how I was doing things on streams. I had messages of people that I call these elite hackers that I've listed myself nowadays, that they're like, oh, this is how you do it. You didn't know how to do it on the stream. And I was like, no, I kind of know how to do it, but it's like, I'm also teaching things to people. So I was doing a lot of like things in a Google sheet, for example, because, you know, people, that was the early days and I didn't want to.
Justin Gardner (@rhynorater) (08:18.139)
Yeah.
Justin Gardner (@rhynorater) (08:26.308)
Mm-hmm.
Justin Gardner (@rhynorater) (08:30.634)
Yeah.
NahamSec (08:33.599)
jump into bash right away, and people are like, oh, you don't know how to do basic stuff. And I'm like, which one is it? Do I teach people, or do I come up and be the super lead hacker that knows everything, right? So that puts added pressure onto you.
Justin Gardner (@rhynorater) (08:35.986)
Mm, mm.
Justin Gardner (@rhynorater) (08:41.595)
Well, even if you don't, I mean, even if you do it a different way, that's a part of your unique hacker identity too. There's no reason why somebody needs to come and say like, hey, you don't know like literally everything about Bash, what's wrong with you? Because that knowledge that they spent learning Bash, you've spent somewhere else, right? And then you've got that sort of knowledge trade off on the other side. And so it's never a good idea. You never like to see people shame.
other hackers for lack of knowledge in some areas because you never know where that knowledge got traded to.
NahamSec (09:17.431)
I want to answer your original question. Go ahead, Joel.
Joel Margolis (teknogeek) (09:20.826)
Well, this actually, we had a great discussion about this recently, and Rezo brought up this XKCD called, I think it's like one in 10,000 or something. And it's basically like, I don't know how real this statistic is or whatever, but it's basically that like every day, like 10,000 adults like learn something like for the first time. And if somebody hasn't heard about something for the first time, then they're,
Justin Gardner (@rhynorater) (09:24.062)
Mm.
Justin Gardner (@rhynorater) (09:30.453)
Mm-mm.
Joel Margolis (teknogeek) (09:48.642)
They're one in 10,000. Like that, they're, you know, they're part of the statistic and just like, that's okay. Like that's going to happen. You're going to be part of that someday too. Or you already have been. Um, I think the other aspect of it is like, there's so much emphasis to put nowadays on like being like a dictionary of things and like, I can appreciate that to some extent, but I also think it's equally important to be able to like.
Justin Gardner (@rhynorater) (09:50.533)
Yeah.
Justin Gardner (@rhynorater) (09:59.214)
Mm.
Joel Margolis (teknogeek) (10:15.138)
use the resources around you to find things without having to like know it explicitly. And that's like relying on Google or like relying on your peers or bookmarks or notes or whatever to like help you find things so that you don't have to because your brain can only hold so much. Right. Like you're gonna you're gonna have to like start to exchange some knowledge out for other things and having systems that you can like find that data in an efficient way is just as important.
Justin Gardner (@rhynorater) (10:19.799)
Mm-hmm.
Justin Gardner (@rhynorater) (10:30.182)
Hmm.
Justin Gardner (@rhynorater) (10:39.173)
And that's one of the things that I think you did great on those streams, Ben, was like equipping people with the knowledge of how to go and get the information. You know, like even if you, you know, like you were just talking about, even if you don't know off the top of your head, oh, what is the syntax? Well, I'm just going to open the man page. Well, some people didn't know about man page. And now that you've just equipped them with that, that way. And as a,
as a mentor to a couple young hackers, one of the things I'm struggling with right now is, how do I embed in them that confidence that they can go find the technical piece of information they need to solve their problem, you know, without relying on a mentor? And that's one of the best things that, you know, you can do to equip a mentee, I think. But yeah, sorry, so we got a little off topic, going back to the question, yeah.
NahamSec (11:24.187)
No, but I mean, the number one thing that I got on my streams always was, it makes me feel good that a pro like this has to look up the most basic concept and my answer would be like, that's how it's supposed to be. Like, that's how it's supposed to be at all time, right? And people that tell you they don't look things up, and I had people on my stream when I did the interviews, they were like, Oh, I know this from the back of my head. I'm like, cool. Like you're just storing shit in your back of your brain. That's, you know, you're going to use once a year. I applaud it, but you know, you learn things as you do it more and more. But
Justin Gardner (@rhynorater) (11:31.575)
Yeah, exactly.
Justin Gardner (@rhynorater) (11:44.262)
Yeah.
NahamSec (11:50.039)
I don't want to jump into the, I don't want to talk too much about their content piece of it because I know people want to do all sorts of technical stuff. But the biggest thing that I, you know, I came across this, I came across this bit of a podcast. I wish I knew what podcast that was. I just remember the message from it that it was, you know, when I was early in the days of like creating this brand and you know, the name of whatever you want to call it was if you want to become an online person or you're given two options, those two options are you either have to fully off yourself and unalive yourself.
Justin Gardner (@rhynorater) (11:53.646)
Mm.
Yeah.
Justin Gardner (@rhynorater) (12:03.26)
Mm.
NahamSec (12:20.059)
of who you are and create this new persona and be this new person that you can, put up the charade if you want to call it and become this person that you are online and live it up every day, day in and day out when you're on camera, or you have to amplify the crap out of who you are personally and people are either going to love you for it or they're going to hate you for it and you have to be okay with it. And I took the approach of just being myself and being okay with being who I am and...
I know a lot of people that don't like me for it. And I know a lot of people that have actually enjoyed seeing me, who I am, seeing my growth online and seeing the things that I do. And that was the biggest change that I applied and it helped a lot with the personality. But I want to kind of, you know, I want to answer your question about like what happened in Denver, but I feel like we'll need to understand the context of what was going on 2018 to 2022 in my life where I had no social life. I had no
Justin Gardner (@rhynorater) (13:05.018)
Yeah.
NahamSec (13:07.103)
You know, my partner at the time was fed up with it and had issues with her at the time too. And you know, I'm just not spending any time with anybody because I wanted it bad enough, right? And then get to 2022, COVID happens. And you know, we're locked in now. I hadn't seen my parents in five years. I was supposed to see them. That's not happening anymore. My brother had a kid. I was supposed to go see the baby. That's not happening anymore. We're locked into the house and there's nothing happening. And on top of it, I'm going through a divorce while everyone's locked in the house. So like, that's the reality of my life at the time.
Justin Gardner (@rhynorater) (13:11.881)
Mm-mm.
Justin Gardner (@rhynorater) (13:18.031)
Hmm.
Justin Gardner (@rhynorater) (13:28.17)
oof
NahamSec (13:37.551)
Luckily by 2022 is like literally, it's literally when I came out of it. And you know what the really fucked up part about all of it is? Like I hosted NahamCon, I hosted ActivityCon, I hosted all my streams with a smile on my face. While on the inside, there were so many things that were happening and nobody even knew. And when I say Joel was one of the people that knew about it, Joel came to the house and you could see the state that I was in. But when I was streaming, nobody knew, dude. Nobody had a clue about what was happening on the external like, you know, from the...
Justin Gardner (@rhynorater) (13:37.827)
Rough dude.
Justin Gardner (@rhynorater) (13:54.156)
Yeah.
Justin Gardner (@rhynorater) (14:00.75)
Mm.
NahamSec (14:06.871)
The optics of it, nobody knew I was still going. I think during ActivityCon, I think that was in September, a month before it, my old boss, Luke, you guys both know Luke, he sat me down, I was like, dude, you're not acting like yourself, what is going on? And that was like, you know, seven months into it, and I was like, well, since you're asking me, dude, he's like, you're not acting like yourself, you're like, you know, short tempered, that's not who you are, you're not friendly as you used to be, your lack in decision making has been like noticeable, like, because I'm quick to say, this is what we're doing, like, this is how we're going to do it.
Justin Gardner (@rhynorater) (14:15.742)
Mm, yeah.
Justin Gardner (@rhynorater) (14:22.233)
Love that.
Justin Gardner (@rhynorater) (14:28.832)
Mm-hmm.
NahamSec (14:35.823)
And he's like, what's going on? And I was like, okay, now I gotta tell somebody. So I started with him, then a couple of coworkers, and then more friends and more people.
Justin Gardner (@rhynorater) (14:44.483)
Yeah, so at that point you were starting to let some of this out. And I know I think one of the things that is tempting as a content creator is to not let that vulnerability be seen, right? Not put on that facade, put on that happy face, but it really, it does, you got to show up as a human each day to these things, or else it'll eat you away, like you were saying. And I'm wondering, in the midst of all of these stressors,
in the midst of a divorce, in the midst of some depression, in the midst of the pressure of streaming all the time. How did this affect you as a hacker? Because before this, you were really, really going really hard on all these programs, and you had a, oh, did we lose them? There we go. Before this, you had been going really hard as a hacker and hacking a lot of programs.
But if you're streaming four days a week and you're not allowed to find vulnerabilities live on the stream, it's mostly just focused on recon, how did this affect your methodology and how did this affect you as a hacker?
NahamSec (15:56.395)
So partially one of the reasons, actually, one of the videos I'm gonna make soon is about, I quit. I was gonna say, I quit streaming, and this is why, because people ask me, when are you coming back? I'm not gonna ever go back. I'm never gonna go back to doing live recon, probably ever again, because when you're doing these no vulnerability practices every week, what you practice is what becomes your reality. When you're not finding vulnerabilities, that becomes your reality. Especially when it's like recon, and I'm one of those people that loves data, man.
Justin Gardner (@rhynorater) (16:03.568)
Yeah.
Justin Gardner (@rhynorater) (16:06.884)
Yeah.
Justin Gardner (@rhynorater) (16:17.867)
Exactly, that's what I'm thinking, right? I'm like, oh no.
NahamSec (16:25.519)
I love looking at these data that I find from companies and like snoop around a company's infrastructure. It's fun. It's all fun and games, but it's not, it doesn't translate to money. So I want to do streams. I'm thinking about what I get back to making streams and all that stuff, but it's not going to be the recon stuff because I'm not finding vulnerabilities. I'm doing the same thing over and over and over again. I've hit this roadblock and I feel like I know a lot of people that have learned from these streams, but.
Justin Gardner (@rhynorater) (16:25.917)
Mmm.
Justin Gardner (@rhynorater) (16:36.003)
Mm.
Justin Gardner (@rhynorater) (16:47.077)
Mmm.
NahamSec (16:51.059)
I don't want to keep doing that for the new people. You can go read what I'm gonna maybe do a couple of them and put them on YouTube for people to watch, but it's just, you're not finding vulnerabilities and that becomes your reality of it. And I kind of want to say ever since I stopped doing it, I've gotten better at with what I want to do with it as a hacker, but I also don't want to believe that because I was doing okay when I was doing those streams. It's just, I got too comfortable.
Justin Gardner (@rhynorater) (16:57.177)
Mmm.
Justin Gardner (@rhynorater) (17:11.899)
Mm.
Joel Margolis (teknogeek) (17:11.958)
Yeah. I think this is a really common pattern actually that you see. I mean, I can think of multiple cases within the security industry alone, where you've seen this, but people get, they get known for a niche and they go, okay, this is my niche. And that's them for the next 40 years. And they just, right. Yeah. Any industry. It's not even just security, right? But like, I can think of examples everywhere, including in security where this happens.
NahamSec (17:26.487)
Absolutely.
NahamSec (17:30.071)
That's in any industry, right? It's not just with us, it's in any industry.
Justin Gardner (@rhynorater) (17:32.111)
Yeah.
Joel Margolis (teknogeek) (17:39.566)
And it's really easy because once you become known for something, when somebody goes, Hey, do you know somebody for this thing? Your name is going to come up and like you have like instant recognition. You have like association with being like a top person within like some certain like pillar or whatever. And like, people know your name. People know that you're like known for this thing, but it's really hard. One, it's really hard to expand the knowledge. So like at a certain point, like, you know, there's another XKCD about learning, but it's like, you know,
Justin Gardner (@rhynorater) (17:47.195)
Mm.
Joel Margolis (teknogeek) (18:08.05)
the learning curve is like exponential, right? In the beginning, you're learning like, or inverse log, whatever, you're learning like a ton, like right in the first, like, you know, a couple months, first year or two, whatever. And then like by year 20, you know, it's like half a percent over the last like decade, right? And so that same thing is true when you're like focusing, focusing on some niche where you're...
Justin Gardner (@rhynorater) (18:09.228)
Joel just lives in the XKCDs. Right.
Joel Margolis (teknogeek) (18:31.082)
now like an expert in this thing, but there's only so much room for growth for knowledge within that. Like you can maybe do some groundbreaking research, maybe there's some new stuff to expand on, but a lot of it is like marginal gains in overall experience and overall knowledge. And instead, if you just branch out into something new, you start that curve over again. And so the key is what you're doing, right? Which is like push yourself, don't like stick to what's comfortable, don't stick to the things that you know, but like take those things, push into new fields that you're not as familiar with.
Justin Gardner (@rhynorater) (18:48.983)
Mm, mm.
Joel Margolis (teknogeek) (18:59.958)
push into new techniques that you're not as familiar with so that you can keep yourself on your toes and keep yourself from falling into that comfort zone.
NahamSec (19:07.147)
And I feel like with recon, it's just rabbit hole after rabbit hole, dude. It's like, you just find these things you're obsessed about and when do you give up? Like, when do you stop? Right. So just automate the boring task. If you know how to find some vulnerabilities automatically, make them a freaking cron job and have them just alert you on Discord or alert you on Slack and become your, you know, your, your cash cow and learn other things. It's just, I would be 100% correct. Or once you become, I was becoming like, you know, I was doing stuff with bug bounties and then I was becoming
Justin Gardner (@rhynorater) (19:07.672)
Yeah.
Justin Gardner (@rhynorater) (19:15.108)
Mm.
Justin Gardner (@rhynorater) (19:22.866)
Mm.
NahamSec (19:34.123)
very big in recon and I didn't enjoy recon anymore. It's like everyone that I was like, oh, when you're doing live recon again, oh, I love your live recon. Like that's the only thing that a lot of people like knew before where, you know, I did a lot of stuff in web and I realized with like bug bounties alone, I wasn't making a lot of money from recon. I was making money from finding good stuff, but I wasn't making money from automation, right? I had really good data a lot of time that people didn't have.
Justin Gardner (@rhynorater) (19:40.365)
Mm.
Justin Gardner (@rhynorater) (19:55.371)
Yeah. And that brings me back to one of my favorite quotes that we've had on, on this podcast so far, which was Jason Haddix, episode 12. He said, the point of recon is to find more apps to hack, you know? And I think that's, that's just a great point is like at the end of the day, you know, you can do these recon finds and that sort of thing, but the best bang you're going to get for your buck is finding apps and then drilling deep into those, uh, those apps and finding the bugs. And, and so
And in light of that, there's two areas where we could go from here, both which are related to some content you've released recently and principles you've been kinda talking about in this content. The first of which is the switch from the recon to manual. And we've seen this a lot in a lot of the different...
top hackers where there used to be a lot more of a focus on, on recon. Um, and now there's more of a focus on manual hunting as you were making that switch, you know, in the, in the middle, you know, so did this switch occur in 2022 when you were coming out of that scenario, or is this something that happened a little bit later and how did that transition occur for you?
NahamSec (21:12.587)
The transition didn't really happen because of the content so much. The streaming was a big part of it, right? But it just happened. I needed a change. It wasn't just with hacking. I needed everything to change. So I was changing my personality to some extent, my appearance, I go to the gym and dieting and things like that, my hacking style, everything that I did. I just wanted to recreate who I was as a person. And even though my personality is in my hacking, but hacking was a part of my personality online, that's what it is.
Justin Gardner (@rhynorater) (21:16.495)
Mm. Yeah.
Justin Gardner (@rhynorater) (21:30.48)
Mm-hmm.
Justin Gardner (@rhynorater) (21:35.932)
Mm.
Justin Gardner (@rhynorater) (21:40.555)
Yeah.
NahamSec (21:41.947)
I really had to figure out what I wanted to do and I sat down and went through all of my reports. Why was I making so much money between the years of 2015 or 2014 and 2018? Well A. I wasn't a manager, I wasn't a senior manager at HackerOne, that took a lot of time but B. I was just niching down in one single program. At the time was Airbnb, a couple of other private programs but a lot of times and then I looked at the recon bugs that I was finding. The recon bugs that I was finding wasn't so much of having
it's nowadays like nuclei templates and things that were automated was just like, I was the first to find an asset or I was the first to find a functionality or even like I found an asset that people just looked over but it was just, people knew about it but no one found vulnerabilities in them. Those were my strengths. And with bug bounties, I really wanna tell people like the biggest things you have to find what your strengths are, there is no wrong and right with what you do. If your strength is to be really good at...
Justin Gardner (@rhynorater) (22:20.504)
Mm.
Mm.
NahamSec (22:34.495)
Recon and that's your niche. Good for you, you have to go do that. But if you're, you want to be a web app hacker, you want to be good at breaking apart vulnerabilities in a web application, if you're good at, you know, perverse bugs, there's nothing wrong with that. That's what you're good at and some people are shit at it. And you should be okay with that. And I had, you know, being a top hacker, I had a problem with like, well, I don't want to be this person that's not, you know, doesn't know these vulnerabilities, but I don't want to be the elitist anymore. I don't want to be this like top hacker. I just want to make money, make, do something I could do good with.
Justin Gardner (@rhynorater) (22:49.646)
Mm.
NahamSec (23:04.403)
teach people how I do the things that I do. So now I make the content of things that I enjoy doing. And if people wanna watch it, perfect. And if they don't, they don't. I no longer care to justify being a top hacker anymore. And that's become so easy now.
Justin Gardner (@rhynorater) (23:08.903)
Mm.
Justin Gardner (@rhynorater) (23:14.487)
Right. Yeah, no, that's excellent.
Joel Margolis (teknogeek) (23:17.79)
a lot of this with mobile hacking as well, where like for a long time I associated and a lot of like my identity was associated with like being the mobile hacking guy. And like, that's cool. Like it was awesome for a while, but then I grew to a point where I was like, I want to be doing more than that. And kind of for like the same reason you were talking like, I didn't want to fall into this niche where like that just became like the only thing I did. And like, I don't think, I think mobile hacking is probably big enough where it's not like.
a small niche, you know, where like you could still probably make a ton of money. And there's like a lot of research and stuff you can do there. But I just want like, I felt like there was just more that I, I could be doing. And so I started to like push away from that, but it was such a rough learning experience because like, I had been used to like, you know, things coming very easily with like all the mobile hacking stuff, cause I've been doing it for so many years and then it was like starting this, this different type of hacking. And I was like, Oh, wow. This is like.
running into a brick wall. Like what, what do I even do? Like, and just like, it really like took me through for a loop because it was such a learning experience of like adjusting my hacking flow and how I was approaching things to be less targeted towards like what I was used to and more targeted towards things I wasn't.
NahamSec (24:13.525)
down.
Justin Gardner (@rhynorater) (24:31.674)
Mmm.
NahamSec (24:32.103)
I think the biggest thing that people like, I feel there's a, when you become, when you get into hacking, I think everybody wants to make it to a certain point, right? You made it with mobile hacking, Justin, you have done a bunch of stuff, I can't even name one for you, but you have gone through these phases of doing things, right? But everybody at some point is going to hit a blockade of things they do with their niche. You hate, you know, you hit it with mobile, you didn't enjoy it or you learn everything about it, whatever the reasoning was. I think pivoting as a whole.
Justin Gardner (@rhynorater) (24:45.964)
Yep
Justin Gardner (@rhynorater) (24:54.99)
Mm.
NahamSec (24:59.327)
for us as humans, we gotta solve what we do in our life, in our careers, with hacking, with whatever we do in life, pivoting is a huge thing. And a lot of people don't want to do that. That includes me. I have a hard time going out of my comfort zone. But since I've started pivoting to different areas, whether it's with my content, they can, you know, inspirational content, it's not technical content, whether it's doing apps I've never hacked on before, collaborating with new hackers, putting myself out there, it's worked out because that's a part of who you are. I spoke with, that's a part of it, right?
Justin Gardner (@rhynorater) (25:16.76)
Mm.
Justin Gardner (@rhynorater) (25:24.453)
Yeah.
Yeah, absolutely. And I want to double click that. Go ahead, Joel.
Joel Margolis (teknogeek) (25:28.394)
Yeah, so I actually wanted to... No, you go ahead. No, no, you go ahead, because I was going to turn this a whole other way.
Justin Gardner (@rhynorater) (25:36.295)
I was going to say I want to double click into that for just a second and talk about a little bit how you did that from a technical perspective. So I know largely recon and web oriented in the beginning and then now you're kind of pivoting a little bit. Over this past year you mentioned that you found some vulnerabilities in desktop apps and other contexts. How did you cut your teeth with that? How did you get into it?
NahamSec (26:01.407)
Well, I was pushed into it, right? So two of the instances, one of them was the LA event. We can't talk about the company. That was a big event, right? And there was a small web portion of it, but most of it wasn't web. And that forced my hand. I didn't know anything about that niche of like hardware hacking at all. That forced my hand to learn stuff or in mobile hacking as an example. I didn't know a whole lot about mobile hacking. I knew a little bit about like just, you know, what you can do with a mobile app. You just, you know.
Justin Gardner (@rhynorater) (26:03.731)
Mm-hmm.
Justin Gardner (@rhynorater) (26:08.388)
Mmm. Yeah.
Justin Gardner (@rhynorater) (26:14.573)
Exactly.
Justin Gardner (@rhynorater) (26:19.555)
Hmm.
Justin Gardner (@rhynorater) (26:23.941)
Mm.
NahamSec (26:29.319)
intercept your traffic and that's it. But I never did more than that. That really pushed my hand to do more, right? But then I found zero bugs at that event. I showed up, I refused to do the web stuff. I was like, no, I'm gonna look at the web stuff. And then I realized people were making money from the web portion of it, which is fine. But then the London event happened. And this London event was another two programs that everybody says looked at them for years at a time. But
Justin Gardner (@rhynorater) (26:34.833)
Hmm.
Justin Gardner (@rhynorater) (26:38.588)
Mm.
Justin Gardner (@rhynorater) (26:49.198)
Mm.
NahamSec (26:55.307)
there is a reason why they're doing a live hacking event. These companies aren't doing a live hacking event for no reason. There is more to hack on. There's definitely more vulnerabilities. And me as someone who has been at almost every live hacking event with these companies, I've learned, there's always about $200,000 to $600,000 of bounties coming out every freaking time when these companies come back, right? And it happened again. Those companies paid about a million dollars in bounties. So those pushed me and I was like, okay.
Justin Gardner (@rhynorater) (27:01.401)
Absolutely.
NahamSec (27:22.267)
If everybody's going to look at this London event that one of the customers, everyone's going to go after the web applications and everyone's going to struggle with finding easy ones. How do I change that approach? Right? How do I find these cool bugs within the context of the desktop app? Those are the reasons why it pushed me. Right.
Justin Gardner (@rhynorater) (27:33.779)
Mm.
Justin Gardner (@rhynorater) (27:37.34)
Yeah.
So when you're looking at, so in this scenario, you decided to go after the desktop app, and you said, okay, I'm gonna start looking into this. I know you ended up teaming up with Shmuel as well, and Alex Chapman, two people that have, you know, that are pro in the desktop app space. How much of that was, would you say, collaboration-based stuff versus you just kind of sitting down, cutting your teeth on desktop apps, reading as much documentation as you can?
NahamSec (27:52.107)
Yep.
Justin Gardner (@rhynorater) (28:08.408)
versus combining multiple different skills from different hackers together, you bringing your web expertise, them bringing their desktop expertise, and creating a wonderful result.
NahamSec (28:18.323)
Funny enough, the collaboration didn't happen until the last four hours of that event entirely on day two. So I have this vulnerability in this desktop app. I couldn't exploit it. We couldn't figure out what to do with it. I'm sitting out inside looking at the door. It's me, a couple other hackers, and God bless his soul, Sam Curry, he's the LZ, he's sitting right next to me. And he's like, you guys know how Sam is. He's very quiet. He just makes...
Justin Gardner (@rhynorater) (28:42.055)
Mm. Yeah.
NahamSec (28:43.027)
He has these comments he makes very randomly, right? So I'm sitting here, I'm like, dude, I know I can RCE this bug, but I don't know what I'm doing. Like I have this bug, we don't know what to do. I think you were maybe at the table too. I don't know. What have you guys been at the table? And then you say something about, um, well, why don't you go find someone to work with? And then Alex is walking in at this time. Alex Chapman is just literally walking. She's sitting right here next to me. And then Sam goes, yeah, Alex is walking. I want you to go talk to him. Maybe I bet you he can exploit it.
Justin Gardner (@rhynorater) (28:52.419)
Yeah, yeah, I was around, yeah.
NahamSec (29:09.115)
I go and do that with Shmuel and we exploit it. And I think I put Sam on that bug for like a five or 10% as a finder's fee, right? But the point of the story is like, it wasn't like the collaboration was planned. I was working on a bunch of different vulnerabilities. You know, I found stuff like, so the back to the story for this customer was, there was a lot of CSP limitations. You couldn't bypass CSP a lot of times. I think no one was able to bypass. Yep.
Justin Gardner (@rhynorater) (29:13.779)
Yeah, of course.
Justin Gardner (@rhynorater) (29:22.514)
Mmm.
Justin Gardner (@rhynorater) (29:34.664)
And this is within the desktop app, right? Yeah.
NahamSec (29:37.235)
But also on the desktop, on the web, on the mobile, on the core web app of this company, there's a CSP that no one could bypass. I found the way to bypass the limitations, which I can talk about a little bit, but I keep finding these like HTML injections. Like I could insert hyperlinks and then I would do SMB tricks, but I couldn't, because you know, you can use only one slash. If you do two slashes, it wouldn't work, right? So I have all these, I have all these different vulnerabilities, but I can't explore a single thing, except I find a bypass.
Justin Gardner (@rhynorater) (29:43.844)
Mm.
Justin Gardner (@rhynorater) (29:58.491)
Sure, sure, sure.
NahamSec (30:07.143)
within the desktop app or the mobile app or even the web app that you could do a meta refresh, but instead of doing two slashes, you can do a backslash, and your Chrome browser or your browser actually translates that to slashes. So the limitation of doing two slashes with SMB, you can do two backslashes with SMB to do an SMB connection for an RCE. But when you're doing a meta refresh, you can do a backslash, site.com and it refreshes the entire webpage to another one. In the context of the web app,
Justin Gardner (@rhynorater) (30:15.337)
Mmm.
Justin Gardner (@rhynorater) (30:27.771)
Right.
NahamSec (30:37.023)
doesn't worth, isn't worth anything, right? But in a context of a desktop app, you can now control that entire desktop app that you're working on, and you can do whatever you want with it. And we wanted to go to the next phase of it. And just having that bypass is what made it sweet. I know three other hackers who had that vulnerability that couldn't exploit and no one reported it, except one of them was like, hey, I knew this, can we collaborate? And we collaborated with him. And then...
Chapman was able to exploit it fully.
Justin Gardner (@rhynorater) (31:07.531)
Wow, dude, that's amazing. So, so to recap that there, you're finding an HTML injection inside of the desktop app. I don't know. I imagine it's like an electron app or something like that. And then, and then you're, you're using that HTML injection along with a meta tag to refresh and use backslashes instead of slashes. Now you're on your attacker controlled page inside of the app. And now you've, you've gained control of the application. And then Mr. Chapman took it from there. Yeah.
NahamSec (31:15.723)
Yep. That is.
NahamSec (31:24.019)
and redirect.
NahamSec (31:32.031)
of the application. It's easier debugging it. And those are the things that I talk about. There are so many HTML injections that you can have HTML injections on this app, but nobody, for some reason, thought about the meta-refresh. The problem with the slashes on this particular app was you can't do URLs because a double slash transits through a URL, a website, to them. So they didn't allow it. The back section would save their ass. So that was the example of saying pivoting. OK, this web application, I had a web app bug that got paid really decently.
Justin Gardner (@rhynorater) (31:45.668)
Yeah.
Justin Gardner (@rhynorater) (31:52.742)
Mm-mm.
NahamSec (32:01.719)
It was a cool bug, but this particular one was the highest bounty I've gone to a live hacking event, I feel like. Right? And it's just pivoting from, I think it was, I want to say it was a 40K bounty. They didn't want to give us, they didn't give us critical, they gave us high because we couldn't prove full RCE, but they knew it's exploitable and they honored it as a high. But that's the point of pushing yourself out of your boundaries, right? It's just going, okay, I know web.
Justin Gardner (@rhynorater) (32:06.608)
Wow.
Justin Gardner (@rhynorater) (32:12.589)
Yeah.
Justin Gardner (@rhynorater) (32:26.841)
Mm.
NahamSec (32:28.243)
I know there's Electron apps are pretty much like web applications, but you have more, there's more impact if you can exploit them than the traditional XSS. And if there's CSP in place, you have the ability of abusing other functionality that's not XSS particularly if that makes sense.
Justin Gardner (@rhynorater) (32:37.902)
Mmm.
Justin Gardner (@rhynorater) (32:42.236)
So I guess in this scenario, the thing you were talking about that allowed you to get around CSP, that was the MetaConnect thing. There wasn't some other thing that allowed you to get around CSP or, okay. Got.
NahamSec (32:49.131)
Correct. Nope, it was just a meta connect because now you can point it to another website that you control and you can put whatever you want on there. And if you have XSS and if you have JavaScript in that context for an Electron app, it doesn't matter. Right, it doesn't matter where the JavaScript is getting executed from. As long as you need, you know, you're calling the right functions to download and execute a file, right?
Justin Gardner (@rhynorater) (33:03.194)
Mm, yeah, so.
Justin Gardner (@rhynorater) (33:11.163)
Wow, that's awesome, man. So you used HTML to redirect the whole page, and that's pretty much the only thing I can really think of that does that is the meta tag. The only other thing that I can think of is maybe like with an iframe, you know, getting it able to iframe another page in and then execute it, but then that wouldn't be the top level page, it would be a sub page. So that's...
NahamSec (33:28.599)
Correct. Yep, we can do hyperlinks, but when you do a hyperlink also sometimes it opens up an actual web browser, right? Cause those are the things that I looked at. I was like, okay, what if I make a hyperlink? But no, the easiest route was SMB stuff. You just do an SMB to your box and then that's like automatic RCE usually, but none of that was working. And I really wanted to, I really, this was like one of the first live hacking events that I was actually participating. It's my like second or third at this point, right? And I really wanted to find something cool.
Justin Gardner (@rhynorater) (33:35.729)
Ah.
Justin Gardner (@rhynorater) (33:40.563)
Mm.
Justin Gardner (@rhynorater) (33:44.123)
Yeah.
Justin Gardner (@rhynorater) (33:51.444)
Mm.
Yeah.
NahamSec (33:54.823)
and just pushing yourself out of my comfort zone. It's not super out of your comfort zone, but it's just, I don't know what I think about Electron apps at this point. I'm not really big on JavaScript either. I'm just learning things as I go. But just doing that, it just opened up a whole different world for me, dude.
Justin Gardner (@rhynorater) (34:04.281)
Hmm.
Justin Gardner (@rhynorater) (34:08.567)
Yeah, that totally makes sense. So the last question I had with regards to that is like, and I don't know if you can talk about it without giving away too many details, but I'm wondering where your source was for this. You know, obviously you're manipulating the DOM inside the app, but in a desktop application context, you know, how are you passing data into the app? Is this something that you put into the web application and then it popped up in the desktop app, or is this like a scheme, a custom URL scheme that they registered, or what?
NahamSec (34:34.163)
Yeah.
NahamSec (34:38.683)
No, it was actually one of your user details that showed up on the app a lot. So you could put your, I don't know what it was. It may have been like a signature or username or whatever, your name or something like that. One of the profile attributes we'll call it, right? And it was coming up in this specific page, but it was only in this page that it would actually pop up with the HTML. So a lot of times, like, you know, I don't think that I see with XSSes, people are quick to jump to an alert, right? Everyone's just like image source alert, right?
Justin Gardner (@rhynorater) (34:47.325)
Mm, sure, sure.
Justin Gardner (@rhynorater) (35:06.395)
Hmm. Mm-hmm.
NahamSec (35:08.339)
My go-to isn't that, my go-to is just underline H1 test 123. Just because I want HTML injection, I don't care because once you have HTML injection opens up a whole different world of things you can do, whether it's mobile, whether it's web, whether it's these binaries, for example, desktop apps. I just care about the HTML injection. So seeing that pop was step one. Okay, now you go to the mobile, you go to the web app, you go from the web app to the desktop app. Is it also vulnerable?
Justin Gardner (@rhynorater) (35:29.999)
Yeah.
NahamSec (35:38.267)
here. But then that connected me to a bunch of different things because then I also realized some of the things I wasn't rendering on the web app was rendering in the desktop app as an HTML tag, right? So that opens up a lot more. Same thing with mobile. You put something, so many of the bugs that I found this year were exclusively only popping up on this mobile application and not on the web version of it.
Justin Gardner (@rhynorater) (35:39.401)
Mmm.
Joel Margolis (teknogeek) (35:48.854)
Yeah.
Justin Gardner (@rhynorater) (35:48.939)
Ah, wow, okay.
Joel Margolis (teknogeek) (36:01.258)
Yeah, so I was going to ask like, sort of how this speaks to sort of your overall hacking methodology. And, and I think this is maybe a good time to start to like talk about sort of like how you approach targets. I'm sure you've talked a bunch about this on your streams and on your videos and stuff. Yeah, yeah, never. Yeah, talk about hacking. I don't think you've ever done that. But, but like, it sounds like a lot of it sort of comes from very, like simple, straightforward testing, right?
NahamSec (36:17.023)
Me never.
Justin Gardner (@rhynorater) (36:18.832)
Hahaha
Joel Margolis (teknogeek) (36:30.774)
ASC123 like look, just spray and pray. And like how much further than just like that payload are you testing before like, obviously when you see something that's like HTML injection, you're gonna follow up on that, but how much are you modifying your payloads? Like how much will you test one field? Like do you spend all day on one page or how fast are you switching between stuff? Can you walk me through that a little bit?
Justin Gardner (@rhynorater) (36:53.307)
Mmm.
NahamSec (36:54.627)
Um, depends. Yeah. So a lot of times, like I think it's pattern recognition. I think like 99% of bug bounties is, I don't care what you say, is pattern recognition, you identify a pattern of mistakes with a particular company and you just exploit the shit out of it. That's what it is. That's the reality of it. Right. So if I know a company is, you know, um, good, I know that XSS is a big part of like their issues, then I'm probably spending more time fuzzing specific fields, but it's. I don't.
Justin Gardner (@rhynorater) (37:03.92)
Mm-hmm.
Mm.
Hahaha
NahamSec (37:24.191)
change the input that I put in that often. It's one thing that I put, it's like a couple of different quotes, different encrypting, different HTML entities or something like that, for example. It's just a bunch of different characters that I put in as a polyglot, for example, and I put it in there and I analyze or overanalyze the shit out of it until I move on to the next field. But a lot of times, I'm trying to explain how to say this. So it's the same payload until it fires up, right?
Justin Gardner (@rhynorater) (37:35.605)
Mm-hmm.
Justin Gardner (@rhynorater) (37:44.166)
Hmm.
NahamSec (37:52.835)
then what you do next is different based on the target, based on your end goal, what you're going to do with it. Like you want to do an XSS or maybe you can push it into PDF, for example, or maybe you can push this into some server side stuff and we can do blind XSS, then that objective changes, right? But a lot of times it's the same payload that I put in just to see how the application is going to react to my user input.
Justin Gardner (@rhynorater) (37:53.392)
Hmm
Justin Gardner (@rhynorater) (37:57.49)
Mm.
Justin Gardner (@rhynorater) (38:07.965)
Mm.
Justin Gardner (@rhynorater) (38:16.383)
That's really interesting because there's like this concept of a benign polyglot payload, right? Because if you look up XSS polyglot, you'll kind of see all sorts of JavaScript URLs and weird comments and text quotes. Exactly. But no.
Joel Margolis (teknogeek) (38:17.054)
So testing those behaviors.
Joel Margolis (teknogeek) (38:30.718)
15 different ways to write script here
NahamSec (38:32.883)
Yeah, those I don't use. Yeah, that's not what I use though. I'm saying just, I make my own. It's like my own homemade few tags, few characters, things that I know is gonna break out of an input field, it's gonna break out of a script tag, it's gonna break out of a text area, it's gonna break out of X, Y, and Z. And then looking at the DOM, I spend a lot of time chasing those. The reason why I do like test one, two, three, four is because I chase that test one, two, three within the DOM and see where it all shows up, right?
Justin Gardner (@rhynorater) (38:43.472)
Mm.
Justin Gardner (@rhynorater) (38:48.049)
Mmm.
NahamSec (38:59.999)
That's a lot of things that if you just put like, if you just put test, test is not an easy thing to chase, but if you do test one, two, three, four, something very unique to you, then it's easier to follow up.
Justin Gardner (@rhynorater) (39:00.419)
Yeah.
Justin Gardner (@rhynorater) (39:08.279)
It will be. Yeah, that's great, and it really makes sense on why you would do the benign payloads, but also have the polyglot. So it is a really good exercise for the listener to go look at what the polyglot payloads are out there are doing in particular, and why they have to be as complex as they are, and then simplify them down to make a polyglot that works only in the HTML injection context, that doesn't have the goal.
of cross-site scripting because the first step to getting cross-site scripting is getting HTML injection in X amount of the scenarios. Obviously you've got to account for the location based sinks or whatever, but I think that's a really great piece and not using a polyglot and just using double quote H1, you're going to miss stuff. If you use the polyglot, you're going to miss stuff. You've got to find that nice sweet, sweet spot where you're not getting too verbose.
NahamSec (39:41.492)
I should know.
NahamSec (39:57.055)
Yep.
Justin Gardner (@rhynorater) (40:04.759)
and you're not being too simple either.
NahamSec (40:06.827)
But there's also two things to that. One is if you put like, you know, very obvious HTML tags, sometimes it gets filtered. So the objective isn't just to get HTML injection in there, it's also to break out of whatever current context you're in. Because there's gonna be times where I put my payload in and it breaks out, but the filtering takes out some of the HTML or the filtering actually helps me break out of it because it's taking things out and putting it together or it's converting it, it's replacing converting it, right? So that's a big part of it, but I also wanna, you know, I wanna really.
Justin Gardner (@rhynorater) (40:18.727)
Mm-hmm.
Justin Gardner (@rhynorater) (40:27.828)
It's replacing or whatever, yeah.
NahamSec (40:34.539)
kind of like caution people of this also, like when you put something like a script or if you put event handlers in there, it might just strip out the entire string you gave it. By default, it's gonna say, oh, I see bad, I'm gonna take it all out, right? So that's why I do it is the particular order, particular way, just to see, can I break out of this before I even think about exploitation? Can I break out of this thing that hints to me like, hey, this is a vulnerability here and look at it?
Justin Gardner (@rhynorater) (40:43.182)
Mm-hmm.
Justin Gardner (@rhynorater) (40:46.488)
Yeah.
Justin Gardner (@rhynorater) (40:55.364)
Yeah.
Joel Margolis (teknogeek) (41:00.438)
Yeah, and this kind of goes back to what I was, what I was gonna say, this kind of meant like, the whole like dictionary encyclopedia thing I was talking about, and you mentioned rabbit holes as well. Like I feel like all these things sort of play together where it's so easy to like fall down an infinite rabbit hole of just like, you could test every possible, every payload, everything on one field, and you can do that for every single field, but you have to draw the line somewhere. Do you have a-
Justin Gardner (@rhynorater) (41:00.447)
I always think it's...
Joel Margolis (teknogeek) (41:28.822)
like a spot where you draw that line, like where do you, where you decide like, okay, I think this is like enough testing on, on this settings panel or whatever.
NahamSec (41:32.152)
Um.
NahamSec (41:38.092)
I feel like by the dictionary, by the definition of dictionary, I may be considered as insane because a lot of times I keep repeating the same thing that's not like doing anything for me. And then like suddenly it works because you know, back, it didn't work three months ago and now it works because they made a change in the code, right? So I feel by definition, I may be a little crazy, but I don't have a, you know, it's not like I'm sitting here going, oh, I spent like four days on this thing because I feel like
Justin Gardner (@rhynorater) (41:44.935)
Hehehe
NahamSec (42:04.371)
One, there's your instincts, right? That says, I know there is something here, right? You have this instinct that like, it comes after years of experience that you go, I can feel there is something here. And then maybe you don't exploit it and somebody else does, right? And you go, fuck, I could have done that or I should have done that, so I should have to sit for it. So for that reason, I spend a lot of time. It goes back to my personality of being addicted to wanting to do these specific way.
Justin Gardner (@rhynorater) (42:29.104)
Hmm.
NahamSec (42:29.259)
But then that's why I get burnt out sometimes is because I'm spending countless days on the same thing over and over and over again. And then suddenly I have this, my ADHD kicks in, it's like, okay, let's jump around a little bit. So no, if there is a particular portal or a settings page or something that looks really fishy, I'm gonna throw a bunch of things at it. So my thing goes, I'm gonna try everything I know. Everything I know in the books, in my tricks, in my sleep, everything I try. Then I shit out with my inner circle, right? If I'm not collaborating with them.
Justin Gardner (@rhynorater) (42:57.125)
Mm.
NahamSec (42:58.763)
a lot of times, you know, if I'm doing something solo, then I go, yo, I found this thing. I think Justin has gone a bunch of like random shit. Even you, Joel, I've seen you come like random stuff over time that I'm like, dude, I smell a vuln here. Like, can you like look at it? And then they throw me ideas, right? Like they give you things that you didn't think about or it may be like an idea. And then I do that. Then it's when I go, okay, I'm gonna open source this. And I go on Twitter, I go, I have this thing. I think you've seen like a bunch of times I tweet these things. I go...
Justin Gardner (@rhynorater) (43:04.194)
Hmm.
Justin Gardner (@rhynorater) (43:13.375)
Mm-hmm.
NahamSec (43:25.083)
I'm fighting this thing, these are the things I have tried, give me your best shot, and then people give me ideas and then I just give up at some point. But I have to go through that list to make sure I've covered it because a lot of times I've learned with the life hacking events, I look at it and I go, well, son of a bitch, I should have tested that.
Justin Gardner (@rhynorater) (43:31.404)
Yeah, yeah.
Justin Gardner (@rhynorater) (43:41.444)
Yeah, yeah.
Joel Margolis (teknogeek) (43:42.078)
Yeah, I will say nowadays it's great because during the show and tell, I'd say like earlier on in the live hacking cycle, I would see the show and tells and I'd be like, oh, I should have tested that thing, but like I just didn't and like that's why I missed it. Now it's like, I should have tested that thing and there's no way in hell I would have tested what they just tested to get that bug. So good on them.
NahamSec (44:05.887)
But also the other thing is like, but for me also the other thing of it is it's sometimes I sit and I go, well good for them. At least somebody figured it out or this bug would have gone to waste, right? Like I sit there and I go, damn, I should have tried that. But then at least somebody figured it out, right?
Joel Margolis (teknogeek) (44:13.004)
Yeah.
Joel Margolis (teknogeek) (44:19.207)
Yeah, yeah, exactly, exactly.
Justin Gardner (@rhynorater) (44:19.351)
Yeah, for sure. So from there, I kind of want to continue in going down this path of hacking methodology, and then we'll bounce around a little bit into some technical stuff, into some, I guess, bug bounty-related statistics. So basically, what you just said, it sounds like you're a little bit more of a thorough hacker. One of the questions we ask a lot on the pod is like, how soon do you jump around before you...
you know, if you haven't found a bug, how long do you give a program? And so it sounds like if you're throwing your whole hat of tricks at it, you know, it might take a little while. Is that accurate or?
NahamSec (44:57.799)
It honestly depends. It all depends on my workload, to be honest. Like, it depends on what I got going on that week. So there's times when, you know, when it's like a live hacking event, there is no, there's no giving up because it's a live hacking event coming up. There's a lot of, there's a lot of grabs. And then it's like a personal event that I'm like, I need to make this work. I want to have a bug. I want to contribute to this event, right? That's a different story. But with like, with the programs that I hack on, I've become very selective. I just, I select programs that I know,
Justin Gardner (@rhynorater) (45:02.468)
Ah.
Justin Gardner (@rhynorater) (45:18.155)
Exactly.
NahamSec (45:27.655)
It's going to pay me enough. It's going to be worth the three days of not finding rules or three weeks of not finding rules on going down this rabbit.
Sorry.
Justin Gardner (@rhynorater) (45:38.933)
All good.
Joel Margolis (teknogeek) (45:39.662)
I like that it has its own like effect for it. It's like when my camera dies. It's not nearly that cool. It just dies.
Justin Gardner (@rhynorater) (45:45.83)
Yeah
NahamSec (45:46.523)
Yeah, for some reason I've now figured out how to get this out of idle for every 30 minutes it does this.
Justin Gardner (@rhynorater) (45:50.756)
That's hilarious. Yeah, for those of you listening, his camera's going off into rainbow mode every once in a while. Yeah, sorry, go ahead.
NahamSec (45:53.239)
I'm out.
every 30 minutes. But yeah, it all depends. It depends on my workload, but with live hacking events, there is no stopping. And then there are times where a company comes that I really wanna hack on, right? So I'll give you an example. I got asked to do a presentation for this company, have a web app, mobile app, desktop app. And I had a month and a half to prepare for it, but naturally I was traveling, live hacking events, live, whatever, I have a week.
Justin Gardner (@rhynorater) (46:09.945)
Mmm.
NahamSec (46:25.035)
That whole week I did not stop until I found the phone the night before the presentation. There's no stopping until that goal happens. I don't have a, I wish I had a good way of saying, this is where I draw the line. It all comes down to my workload. If I know that tomorrow I have to make content, the next day I have to do X, Y, and Z, and then I have to travel to somewhere else, I'm probably gonna give up within the, you know, when my first three days are up. Like I spend two, three days on this app, nothing happens, time to move on, time to cut my losses.
But if it's a company I've hacked on in the past, I've had good results with, then I pushed out more and more because I know I've gone a bounty from this company before. I know the pattern's a mistake. I'm willing to spend more time because I know the ROI is there.
Justin Gardner (@rhynorater) (46:57.636)
Mm.
Justin Gardner (@rhynorater) (47:06.775)
Yeah, that makes a lot of sense when you've established a relationship with a company. And even three days is pretty long for some of the researchers that we've talked to. I always think Douglas is hilarious. Douglas is like, if I don't find a bug in three hours, then I normally just move on. And I'm like, what the heck? What are you doing, man?
NahamSec (47:25.235)
Well, I mean, the three days, it's a thing though, that depends on the three days. Cause the three days isn't like I'm doing eight hour days. It's the first day I'm doing, you know, the first four, you know, the way I look at it is like the first four hours is really like, what the fuck am I doing? You know, like what is this app? What am I supposed to do? What are the patterns of mistakes? I'm just plugging things in and just observing and like taking in everything that the application does. The second day is like.
Joel Margolis (teknogeek) (47:25.858)
He's like, yeah, I hack like three hours a day.
Justin Gardner (@rhynorater) (47:28.814)
Yeah.
Justin Gardner (@rhynorater) (47:34.65)
Right.
Justin Gardner (@rhynorater) (47:41.747)
Exactly. Yeah.
Yeah.
Justin Gardner (@rhynorater) (47:51.323)
That's funny, yeah.
NahamSec (47:52.867)
Okay, now you're really, now you're getting, I'm getting pissed off, right? And then I'm going to go a little bit harder to find. I'm going to like extend my attack surface as we call it. Right. Then the script is like, okay, dude, like either I fucking find something today or I just don't, I give up. I'm fucking done. And I feel like you guys see this a lot in your groups, right?
Justin Gardner (@rhynorater) (47:56.655)
Mm-hmm.
Justin Gardner (@rhynorater) (48:02.228)
That's great.
Justin Gardner (@rhynorater) (48:10.543)
Oh my gosh, he's pounding the table too. It's so funny. Yeah, dude, 100%. And I think it's funny you mentioned four hours, because that's exactly the same length of time that I always allot for that first little bit. It's like, all right, the first four hours or so, I'm just trying to figure out what this app does, how to use it, reading the documentation, stepping through it. I have no expectations of finding bugs within the first four hours of hacking.
NahamSec (48:30.387)
Right. Yep.
Justin Gardner (@rhynorater) (48:37.131)
And then after that, like you said, the stage is continuing to grow where it's like, if I haven't found anything by day three, I'm like really having a vendetta against this app. So that's hilarious that we're both sort of on that same front.
NahamSec (48:52.383)
So I looked it up online. It's the, there's four stages of anger. It's annoyed, frustrated, hostile, and enraged. I don't get to enrage unless it's required. I just looked it up. I stopped at the third level. And I think it kind of described it pretty well at this point, so.
Justin Gardner (@rhynorater) (49:02.74)
That's hilarious.
Justin Gardner (@rhynorater) (49:08.645)
Yeah, so actually I want to go back and talk about that because you said, you know, sometimes you're working for four hours
I struggle, especially with having another thing, right? Having the podcast to, to cause I need contiguous time. I need, you know, long periods of time where I can stay focused and hack. I can't hack for an hour, then go do something, then come back, hack for an hour. Then go do something, come back, hack for an hour. Um, do you have that same experience and how do you balance hacking with content creation? Like, do you lot certain days of the week or do you, do you, you know, just hack after a certain time or how does that work?
NahamSec (49:44.503)
So a day in life, if I'm not sick, a day in life for me, it's like usually I wake up, I do my, so funny enough I don't consider hacking something that takes a lot of brain power because I feel like once you sit down at your computer you're on autopilot, right? Like you know what to do, you know, it's the comfort thing for me. I get comfortable with hacking, right? So morning is like all the calls, all the meetings, working with the stuff that I'm building, working on content, emailing.
Justin Gardner (@rhynorater) (49:47.65)
Yeah, seriously.
Justin Gardner (@rhynorater) (49:56.269)
Sure.
Justin Gardner (@rhynorater) (49:59.694)
Mm.
Justin Gardner (@rhynorater) (50:03.665)
Mmm. Yeah.
NahamSec (50:14.843)
whatever you want to call it. That's what I do in the mornings. It's my first, you know, eight to noon, maybe eight to two sometimes. Then at about two o'clock is when I want to switch. So I go to the gym usually for about an hour, then I come home, maybe take an hour off. I mean, I go to like my hot tub or I shower and like do other stuff around the house. Hot tub. But I feel like, Joe, why don't you come over and we'll redo this episode at one point from my hot tub, because he's got one too at the house.
Justin Gardner (@rhynorater) (50:16.303)
Mm.
Justin Gardner (@rhynorater) (50:32.835)
Yeah, Hot Tub Squad, let's go!
Joel Margolis (teknogeek) (50:36.886)
I feel like I'm the only hacker without a hot tub. Ha ha ha.
Justin Gardner (@rhynorater) (50:39.723)
Hehehe
Joel Margolis (teknogeek) (50:43.134)
Okay, okay. All right.
Justin Gardner (@rhynorater) (50:43.224)
Dude, I would love that. Love that.
NahamSec (50:45.543)
We'll do a hot tub. But I have a disconnect of a shift in my brain. I shifted over to something else, whether I'm doing a pen test, I'm bug bounty hunting or whatever. That's the case for like my regular days. That doesn't include live hacking events, but a lot of times you'll see me do like get all my meetings out of the way, two o'clock, three o'clock, go to the gym, come back and switch over to hacking because it's just easier. And then I can, you know, I can have stuff happening. I'll make food and I know do something and then go back and forth.
Justin Gardner (@rhynorater) (50:55.348)
Mm.
NahamSec (51:13.803)
four to six hours a day. But there's also times when you're getting success that makes it harder though, right? Like there's tape, there's, when I hit those huge bug bounty months that I was doing, there were no boundaries at all. It was eight o'clock, I was waking up, I was doing bug bounty things like for two hours, then doing calls, meetings, going to the gym, coming back, doing it, and that just, you know, I'm just going to start crazy because I'm so hyped over it. Those are the edge cases, you know, live hacking was our edge case for it.
But typically I try to have that shift where I do my day work, just get all the boring tasks out of the way. Everyone's awake, Adam I work with is in London, so I have to wake up early to work with him sometimes. People have nine to fives, they wanna meet with you, they're not gonna meet with you, and they wanna meet within the morning. So prioritize those, but then I do that. You have to have that mentality shift. And also surprisingly, don't wanna hack out of this room. This is purely meeting, content, whatever. I like to sit, I like to.
Justin Gardner (@rhynorater) (52:05.283)
Really interesting.
NahamSec (52:07.683)
I sit crisscross applesauce, headphones in, on the couch. I don't care whether something's on the TV or not, but no, I have to sit on the couch comfortably with my feet like crisscross and just sitting there in like a position where I'm comfortable and just hack on the couch.
Justin Gardner (@rhynorater) (52:09.98)
Ha ha.
Joel Margolis (teknogeek) (52:21.806)
I agree. I was gonna say that I had a couple things I was gonna say, but like that's true for me too. Like I find it, even though I have like this really nice setup, it's very difficult for me to like feel comfortable hacking when I'm like in such a structured environment. I feel like a lot of the time the best hacking that I do is when I'm just like sort of on the fly like ad hoc, I'm just sitting next to somebody or I'm just like chilling and I've just like got my laptop pulled out or whatever and I'm just like fiddling with stuff. Yeah, that's awesome. The other thing I was gonna say,
was how do you manage the energy aspect of it? Because you mentioned you start hacking at three o'clock after a day of meetings and whatever and stuff. For me, I can be totally drained by three o'clock and that's very difficult to keep up the energy level and the mental stamina to keep pushing after that hump in the day. Do you have like...
NahamSec (53:02.315)
Yeah.
Justin Gardner (@rhynorater) (53:04.731)
I could never do that.
NahamSec (53:15.945)
Yeah.
Joel Margolis (teknogeek) (53:17.75)
hacks that you use personally to get over that or how do you deal with it?
NahamSec (53:21.599)
Well, it depends on the day, right? Like you are going from a, your daytime job where you have, I'm sure you have someone you report to and who will then report to you. You have responsibilities that the, the structure of a corporate job is different than when you work for yourself. I feel like, because I don't have, except for the couple of people that work with me on my team, I don't have to manage them, right? They have their projects. I do my part. They do their part. We're good. Right? I don't have that mental block of like, Oh, I got to meet with my boss and explain the things that I've done this week.
Justin Gardner (@rhynorater) (53:35.396)
Mm.
Justin Gardner (@rhynorater) (53:42.905)
Mm.
NahamSec (53:51.019)
because I'm responsible for them. No, it's me and me. Oh, let me call my boss. Can I get today off? Yep, you're off today, right? That's the truth of it, right? When I make friends, I do this with my friends. Can you do this on Friday? When my buddies were hanging out like, hey, can you message your, can you tell us if you can do this on Friday? I go, hey, can you get today off? Oh wait, I have Friday off now. Okay, cool. Like I said, that's a good thing about working for yourself, right? So, but...
Justin Gardner (@rhynorater) (53:58.061)
Hahaha
Justin Gardner (@rhynorater) (54:01.591)
It's... Dude...
Joel Margolis (teknogeek) (54:04.294)
My boss is really on my ass right now.
Justin Gardner (@rhynorater) (54:14.267)
Dude...
Joel Margolis (teknogeek) (54:14.382)
Oh, yeah.
Justin Gardner (@rhynorater) (54:18.189)
It is.
NahamSec (54:19.392)
It doesn't mean that I don't have the days where I have back to back meetings and then I have a really fucking hard day and I don't want to hack. I have those days and I go, eh, whatever, I'm not going to hack today. It happens. Because live hacking events are not included in that. But you know.
Justin Gardner (@rhynorater) (54:30.007)
Yeah, well, and that's, yeah. That's the nice part about being, yeah, no, those are different animals. That's the nice part about being self-employed, and particularly full-time Bug Bounty, is I feel like if you're good enough at Bug Bounty, you can do that, right? Because you're making enough money to say, like, hey, I actually really don't feel like hacking today. And that was one of the mistakes I made earlier on in my full-time Bug Bounty career, was like, I was getting on my own ass every single day if I wasn't out there, you know.
hacking stuff, and then Mariah tells me one day, she's like, Justin, you don't need to, you know, if you don't feel like hacking today, just take the day off, you know, and come back at it when you love it and when you're inspired by it and when you're, you know, hyped for it, and you're gonna get way better results. Which I think is really true, and I'm glad, you know, you've learned that lesson, and it seems like from the way that you've described it, you have, you've managed the stress aspect of
NahamSec (55:20.649)
Absolutely, man.
Justin Gardner (@rhynorater) (55:27.431)
having the content and the hacking together really well, which is something I'm still trying to balance out myself. Yeah.
NahamSec (55:33.831)
You have to be gentle with yourself, man. Like only you know what internally you're going through. I'm sure with like Morad knows a lot of it, but you know what's going on inside, right? There are days when I just, even with life I can give it sometimes, I go, you know what, fuck it. Worst is I don't find anything. Like I have to be okay with it. It's not an easy shift. So when I went from a daytime job to working for myself, it was really hard because how do you, what is the, how do you measure that, right? How do you measure success with when you're not working a nine to five, you can't.
Justin Gardner (@rhynorater) (55:40.283)
Hmm, yeah.
Mm.
Justin Gardner (@rhynorater) (55:49.891)
Yeah.
Justin Gardner (@rhynorater) (56:00.359)
It's hard.
NahamSec (56:01.779)
Right? It's really hard because you know, you go, oh, if I don't make money, who do I blame? Or if I make more money, right? It's just you have you're the only one that responsibly is responsible. So you also have to have that relationship with yourself to be able to say, you know what? Today was a rough day and I just want to hang out and like watch movies or I just want to play video games or whatever that is. My thing is a lot of times I try not so when I'm doing like these, I go through these sprints, right? I try to do like I go, I'm going to do I'm going to grind out bug bounties for a while and then I'm going to be done for it.
Justin Gardner (@rhynorater) (56:20.664)
Yeah.
NahamSec (56:30.167)
During those times, I tell myself by 8 o'clock, 9 o'clock, try and disconnect and go play some video games or watch a movie, watch a TV show or something. So about 8:30, 9 o'clock, if my friend texts me like, hey, Call of Duty tonight, fuck it, yeah, I'm gonna get on and play games with him. You have to be okay with having those because if you're not doing that, then that's how burnout's happening, man. The reality of it is it's gonna happen.
Justin Gardner (@rhynorater) (56:38.545)
Mm-hmm.
Justin Gardner (@rhynorater) (56:45.447)
100%.
Justin Gardner (@rhynorater) (56:51.012)
Hmm. What about weekends? Do you work on weekends or do you mostly take weekends off?
NahamSec (56:58.535)
I don't have a concept of working. I've tried to get rid of the concept of nine to five and weekdays, weekends. If I feel like Saturdays are the day I kind of do stuff, it's like I catch up on some stuff. Sundays, no, I don't work because I tell myself you need one day for yourself. And it's not to not work. I still work on Sundays. I make my thumbnails and like I prep videos on Sundays, but it's not, I don't have a set schedule. Sundays is laundry day.
Justin Gardner (@rhynorater) (57:11.94)
Hmm.
NahamSec (57:25.307)
and maybe some bug bounties if I feel like it, like if I have the time, but I wanna have a day where I don't have a schedule. Monday through Friday, I have a schedule of like, I gotta do calls and all these things, and then Saturdays, like it's a mix of both, but I'm not putting the pressure on myself to say, I have to work this Saturday. But if I go, oh, I kinda wanna do this right now, it's work that I'm gonna jump on and do it. So you wanna have, you know, on my Sundays, it's a no play, but Saturday is like, I'm gonna work, I play chess on Saturdays, every Saturday I go and play this guy at a...
Justin Gardner (@rhynorater) (57:25.863)
That's great.
Justin Gardner (@rhynorater) (57:40.656)
Mm.
Justin Gardner (@rhynorater) (57:45.257)
Mm.
Justin Gardner (@rhynorater) (57:52.032)
Ah, cool.
NahamSec (57:53.503)
at a coffee shop, I met him randomly like two months ago, not every Saturday I go play with him, but I make that time, I go, okay, if you're working, at least take the time to go play chess with Roy, hang out with him and then go back to whatever you were doing. Shout out to Roy, he will never watch this, but shout out to him.
Justin Gardner (@rhynorater) (58:05.579)
Nice. Hahaha.
Joel Margolis (teknogeek) (58:06.926)
That's so cool. Shout outs to Roy. Yeah, that's awesome, dude. Well, okay, so this isn't a great transition, but I did wanna talk a little bit about, cause you mentioned this in the beginning. You mentioned that you saw like huge growth during one quarter of your journey. And I guess this kind of does play a little bit with like the motivation and burnout aspects and stuff. I'm looking at this photo that you put in the doc here. And yeah, you had.
Justin Gardner (@rhynorater) (58:32.642)
This is bug bounty stats right now you're looking at, Rachel.
Joel Margolis (teknogeek) (58:35.218)
Yeah, bug bounty stats. Yes, bug bounty stats. I mean, this spike in Q3 is bananas, right? It's like twice your best quarter. Like maybe even more than twice your best quarter otherwise. Can you tell me a little bit about sort of what happened there? Was there anything in particular that changed that sort of created that? Was it is it sustainable to keep at that pace? Like tell me a little bit about what happened in Q3.
NahamSec (58:48.575)
Yeah.
NahamSec (59:03.9)
A lot of things happened. So in...
November of 2022 is when I left my job and I was jobless and it was more of a, okay, well, time to find, I was thrown into like the dream that I had, like eventually working for myself, not on my terms, but I was pushed to finally have to do this. Right. So naturally the first quarter, I'm just going insane. What am I going to do? You know, I want to, what am I going to work on? How am I going to make money? What am I going to do to like enjoy what I do? All that stuff.
Justin Gardner (@rhynorater) (59:14.099)
Mmm.
Justin Gardner (@rhynorater) (59:23.131)
Hmm.
Justin Gardner (@rhynorater) (59:27.098)
Mm.
NahamSec (59:39.679)
So you are just like planning, planning. These are my goals. I'm very much goal orientated, like I have to write out my goals, like how am I gonna achieve them? I wish I had this... hold on, I'll show you.
Justin Gardner (@rhynorater) (59:44.773)
Mmm.
NahamSec (59:51.419)
I have this journal, if anyone wants to actually follow along and do this also I really recommend it. It's called the best self journal and it allows you to set up three goals. I'm not going to share those with you but this is what a day to day looks like. It gives you this page right here it says today's goal, what you're grateful for, today's three targets, your to do list and what will make today great. It is insanely cool and let me see if I have an empty page of it so I can show you how you can set up your goals.
Justin Gardner (@rhynorater) (59:53.616)
Hmm
Justin Gardner (@rhynorater) (01:00:13.787)
Dude, this rocks. Hmm.
NahamSec (01:00:22.476)
So it lets you set up goals and it says like, how do you, you know, what is this goal? What are the milestones for it? And that's how you plan it. So every week you plan it and you put your goals right here and you go after it. I'm very much, so I want to do this. So in Q2, it was just more of a get it together for bug bounties. Like, you know, if you want to do, if you want to make a decent amount of money, bug bounties is probably the easiest way to do it where you can make enough money.
Justin Gardner (@rhynorater) (01:00:39.591)
Mm.
Justin Gardner (@rhynorater) (01:00:47.239)
Mm.
NahamSec (01:00:48.427)
to also not worry about your bills, but you want to launch your company and do things. Q3 was when that came to reality because I started hacking more on this Bug Bounty program. They did a live event with Hacker One and I also started collaborating with people that I didn't collaborate with in the past. I can more seriously collaborate. And then finally finding the balance in Q3 between content, hacking.
Justin Gardner (@rhynorater) (01:01:05.423)
Mmm.
NahamSec (01:01:12.147)
And what do I want to do? Like, what do I want to do that I'm going to at least be happy? So in the beginning of the year, I was happy. I told myself, if I make 80K this year, I'll be happy.
Justin Gardner (@rhynorater) (01:01:21.859)
Mm-hmm. Yep, sit, sit. Ha ha ha.
Joel Margolis (teknogeek) (01:01:23.786)
you do
NahamSec (01:01:26.565)
But it's a scary thing though, because I've never done bug bounties like this, right? Bug bounties was never my source of income. It was always like, I knew it was doable. I was just like, okay, no, sorry, it's not fair to say 80k. 80k was what I could do to be comfortable living. So if I make 80k, I can comfortably live and pay my bills and not be, you know, not be stressed. But that's what happened in Q3, a lot of it. It was more of a figuring out the balance, figuring out the day to day that I told you, like, oh my God, this is working, you know, working on content in the morning, gym and then hacking is working.
Justin Gardner (@rhynorater) (01:01:32.519)
Mm.
NahamSec (01:01:53.387)
collaborating with people like Zayad, Sean, and other people really helped. So just figuring that out and just saying, okay, I'm gonna keep doing this until the wheels fall off.
Justin Gardner (@rhynorater) (01:01:53.464)
Right, right.
Justin Gardner (@rhynorater) (01:02:02.212)
Yeah, it.
Joel Margolis (teknogeek) (01:02:03.362)
So then when I look at the graph, if I could just follow up on that, I then see Q4. Now Q4 was second best quarter of the year, but what did you sort of get more relaxed, like holidays and stuff, like what was, what was the difference because it sounds like you kind of had figured it figured out in Q3. So I would expect a Q4 to be like the same or better, but I understand things happen.
NahamSec (01:02:24.139)
So.
NahamSec (01:02:28.435)
Well, no, with Q3, so I wasn't, with this specific program, we'll call it kit, with this program, I was hacking on them before and I wasn't taking it serious. It was like, okay, I'm gonna make some money and it's great, they're giving me some money here and there, cool, I'm making a bounty every week, cool. But then H1702 happened and a lot of people think at H1702, I was hacking on some specific app that no one had access to.
half of it is correct, I found something no one had access to, but also I realized like there is so much of this specific company you can hack on that you can't even wrap your head around it. It's such a ginormous company, right? So Q3 is that realization and then going from the H1702 event to Q4 is when I was like, okay, time to double down on this company. People are making a ton of money, why can't I do the same thing? And Vegas was an example of it. When I came out of Vegas, it was just, I rode that high of Vegas for three months, dude.
Justin Gardner (@rhynorater) (01:03:07.867)
Mmm.
Justin Gardner (@rhynorater) (01:03:21.275)
Mm.
Justin Gardner (@rhynorater) (01:03:27.236)
Mm. Yeah, that's that.
Joel Margolis (teknogeek) (01:03:29.23)
That's awesome. I mean, I know that you like, you once you like, you know, you hit those goals, you're like, you know what? I'm going on a trip. I'm enjoying my birthday, like I was saying, and I was like, yeah, hell yeah, dude. So it's so well deserved, and I think you still actually like got a bunch more bounties after that too, right? Yeah.
Justin Gardner (@rhynorater) (01:03:36.646)
Ha ha.
Justin Gardner (@rhynorater) (01:03:40.431)
Well, de-
Yeah.
NahamSec (01:03:43.911)
Absolutely, yeah, but I just want to mention like, it's a lot of figuring things out, like figuring out what work, figuring out what schedule worked for me, figuring out like, holy shit, I have this program that's paying a lot of money. You can see the buildup, Q1, they paid me a little bit of bounty, Q3 is when I was like, holy crap, like this is the reality of it, I can make this money, you know, if I can make 30, 40K a month from this bug bounty program, that's a lot of money, right? And you just hit this high, dude.
Joel Margolis (teknogeek) (01:03:54.463)
Yeah.
Justin Gardner (@rhynorater) (01:04:06.735)
Yeah, yeah, 100%. And I think it shows as well. It took you a year to crack that code. You started in November, 2022, and then Q3 of 2023 is when this really started manifesting. And I'm looking at this chart as well. This is the same chart that we talk about a lot. This is the submissions by severity or submissions in a quarter period from the Hacker One Performance tab. And I'm seeing...
Joel Margolis (teknogeek) (01:04:07.052)
Yeah.
Justin Gardner (@rhynorater) (01:04:36.287)
almost all of these are highs. There's almost no mediums and no lows. And there's quite a few criticals, but overall the vast majority of these are highs. And I imagine that's because you sort of cracked the code on how to get a bug, you know, qualified as a high on kit. And that would really allow you to increase your earnings a lot because every little mistake they make, now you figured out a way to work that into a high and you can repeat that success over and over.
Is that accurate?
NahamSec (01:05:07.279)
It is, but it's also how they perceive a vulnerability, like what they consider as a high. But also a lot of times it's just connecting things, like saying, okay, maybe like they call this a medium, but then you extend that to another application and you can elevate that to a high, right? I'm trying to like talk about these vulnerabilities vaguely as I can. But yeah, it's a lot of times just knowing if you prove one case to them as a high, then everything else is considered as a high to them.
Justin Gardner (@rhynorater) (01:05:12.068)
Mm.
Justin Gardner (@rhynorater) (01:05:15.481)
Mmm.
Justin Gardner (@rhynorater) (01:05:23.171)
Mm.
Mm-hmm. Ha ha ha.
NahamSec (01:05:38.143)
But some of these bugs were also like things that I've never explored in the past. Like there are a couple of things that I never thought I could find in this company. It's just going down a list of these vuln types and being able to go, I did this one, I did this one, I did this one, I did this one, and going through it.
Justin Gardner (@rhynorater) (01:05:48.019)
Mm.
Justin Gardner (@rhynorater) (01:05:56.287)
Yeah, and I'm looking at the other breakdown here, submissions by weaknesses, and we're seeing a lot of XSS, seeing a lot of access control and a lot of IDOR as well. Would you say that those are like the bread and butter for you as far as vulnerabilities goes? And then I know XSS is such a huge category.
NahamSec (01:06:13.711)
There's a big category, yeah, but there's also the no weakness type because a lot of those, the no weakness ones are a chain of different vulnerabilities. And with the XSS ones, so I'll give an example for the XSS ones. So this is a mistake on my end. For example, if I RCE'd a desktop app because of the, with the cross-site scripting, the root cause is the cross-site scripting, right?
Justin Gardner (@rhynorater) (01:06:18.587)
Mmm, yeah.
Justin Gardner (@rhynorater) (01:06:22.894)
Ah.
Justin Gardner (@rhynorater) (01:06:40.391)
Mm-hmm. Mm, yeah, that's true.
NahamSec (01:06:42.763)
So there's a couple of those that I, I wanna say there's like 10 of those that I like that. The root cause is still cross-site scripting. The reality is it's cross-site scripting, but it's just how you exploit it and how you show impact to get more money. Some of them are like mobile related and I own the mobile app a couple of times, but again, the root cause is cross-site scripting again. So it's a lot of those things. It's just that comes through going to like finding out different contexts of vulnerabilities and how they work in different areas of this company, mobile apps, web apps, desktop apps and stuff like that.
Justin Gardner (@rhynorater) (01:06:59.117)
Mm.
Sure.
Justin Gardner (@rhynorater) (01:07:13.329)
Hmm.
Joel Margolis (teknogeek) (01:07:14.466)
This is a little on the spot. How many dupes did you get this year? Do you know?
Justin Gardner (@rhynorater) (01:07:18.739)
Mm.
NahamSec (01:07:19.624)
Actually, can I check for that? Let me see.
Justin Gardner (@rhynorater) (01:07:21.495)
Yeah, go ahead and check on that. And I think it's interesting that you highlighted that piece about XSS because it is so, so like you're able to do so much with it. You can escalate it in a web context. You can try to pivot it to a mobile app or to a desktop app.
And then even just within the web context, you have a lot of ways that you can exploit with getting access to session information, cookie bombing. There's just very few other vuln types that you can chain as well as an XSS to achieve some crazy stuff.
NahamSec (01:07:56.651)
So with the duplicates and its loading, you have to think about, a bunch of them are duplicates of my own, like my own bugs also. So it's two pages worth, I'm assuming it's 25 a page, so one page for 25, it's about less than 50. No way, there's more, actually it's a third page, hold on, there's three pages, so about 50 to 75. But there's a large number of them that's like, oh, you know, it's different functionalities, but...
Justin Gardner (@rhynorater) (01:07:59.795)
Mm.
Justin Gardner (@rhynorater) (01:08:03.779)
Right, right, that's tricky, yeah.
Justin Gardner (@rhynorater) (01:08:10.532)
Yeah, 50.
Justin Gardner (@rhynorater) (01:08:14.895)
Wow, that's...
Justin Gardner (@rhynorater) (01:08:19.844)
Nice.
NahamSec (01:08:26.207)
you know, is the root cause the same? But yeah, about 75 and I don't, submission wise, I wish I had the number for how many I submitted, but I think I submitted a lot this year.
Justin Gardner (@rhynorater) (01:08:35.971)
Mm, yeah, I think you can find that number somewhere, and I think it would be interesting to see the dupe to valid ratio.
Joel Margolis (teknogeek) (01:08:37.195)
awesome.
NahamSec (01:08:45.335)
Let me see what my triage and resolves are.
Justin Gardner (@rhynorater) (01:08:48.655)
Yeah, or you can say one of the easiest ways to do it is to do bounty awarded and then select that date range within the filtering settings there.
NahamSec (01:08:57.911)
146 is my number of closed as resolved and triage right now for one, one.
Justin Gardner (@rhynorater) (01:09:06.246)
Wow, dude. So you reported like 200, probably over 200 bugs in 2023.
NahamSec (01:09:06.647)
146 is what is showing.
NahamSec (01:09:14.495)
Oh, 61 duplicates, there we go. The number for customers going to 61 duplicates and the 140 something, that was my valid triage 10.
Joel Margolis (teknogeek) (01:09:22.274)
Yeah, so right about 200 and about 25, a little over 25%. Yeah, that's pretty solid.
Justin Gardner (@rhynorater) (01:09:24.476)
Wow.
NahamSec (01:09:25.27)
201.
Justin Gardner (@rhynorater) (01:09:29.115)
Wow, that's amazing. So, you know, jumping off the back of that XSS piece, one of the technical sections that we wanted to talk about while you were on here is the blind XSS. And I think that this is a category that not a lot of people specialize in, so it's cool to have you come on the show and say like, yeah, blind XSS is kind of my thing. So can you talk a little bit about it as a vulnerability class, perhaps just provide an introduction to it, and then we'll kind of dive into what kind of payloads you're using, what kind of platform.
you know, using for that, and custom mods to XSS payloads.
NahamSec (01:10:02.007)
So first of all, I don't consider myself to say blind XSS is my thing. I just happen to be very blessed with it this year. Big portion of this also goes to, I gotta give a big shout out to Zshano for this specifically because he has also pushed me a lot, pushed my buttons also a lot to find more and more blind cross-site scripting and just bouncing ideas with me and just going to him and venting to him sometimes. Same thing with Zyatt also. I just gotta give them two shout outs before I start.
Justin Gardner (@rhynorater) (01:10:09.315)
Sure, sure, sure.
Justin Gardner (@rhynorater) (01:10:14.799)
Hmm
Justin Gardner (@rhynorater) (01:10:20.48)
Hahaha
Justin Gardner (@rhynorater) (01:10:29.936)
Hmm.
NahamSec (01:10:31.667)
But blind XSS is just the same as your regular stored XSS. I want to say a lot of times it's stored more than reflected, but the difference is instead of it happening on the front end that you see, it happens on the backend where the company's team sees it. So think about, you know, if HackerOne had a back portal for example, where they could see your reports, you have a cross-site scripting payload that doesn't fire in the report section, but it fires in HackerOne's backend. Funny enough, if you look up, I actually had that happen to HackerOne once while I was working there.
Justin Gardner (@rhynorater) (01:10:36.219)
Mm-hmm.
Justin Gardner (@rhynorater) (01:10:49.36)
Mmm.
Justin Gardner (@rhynorater) (01:10:59.411)
No way! Oh my gosh, that's amazing.
NahamSec (01:11:01.199)
I had a blind XSS fire off an internal network on HackerOne. But yeah, it's just a lot of it is, you just learn that these companies make mistakes. They, the mistakes don't happen in the front end, and a lot of times it happens in the backend because they go, well, no one's gonna ever see this and we don't have to worry about it. And guess what? It does happen a lot more than you can expect.
Justin Gardner (@rhynorater) (01:11:20.98)
And so that exact rationale was what I wanted to talk to you about. How do you identify what pieces of information are going to end up in an admin panel somewhere? You know, where do you get those ideas?
NahamSec (01:11:31.275)
So I think it's very, I don't want to say it's common sense, but it's just very like, it's a thing that you think a company wants to collect on you, right? So when you register, what matters so that you, this your name, your email address, your address, your credit card information in some cases, anything that could identify you as a duplicate account, for example, like they could say these are the same user. So that could be your browser information, for example, and things like that. And then things that could also trace as you.
Justin Gardner (@rhynorater) (01:11:36.963)
Mm.
Justin Gardner (@rhynorater) (01:11:41.048)
Yeah.
Justin Gardner (@rhynorater) (01:11:49.229)
Hmm.
Justin Gardner (@rhynorater) (01:11:55.675)
Mm.
NahamSec (01:12:01.015)
and you now have different websites and things like that. It's how do they identify you as a user and you as a browser or not the user itself, but like the browser for example, or the device, it will say the device for itself. So those are the things that I look at. Those are the things that I always assume companies are collecting on you, but then also it goes the information that you put in to the company. So let's talk about...
Justin Gardner (@rhynorater) (01:12:13.948)
Mm, mm, device.
NahamSec (01:12:28.563)
let's say like Spotify, for example, you guys post your podcast on there, the description, the guest, the name of the, you know, you guys, and those are also for which they collect. But they could, you know, people probably find those XSS early on and these are those programs, but they don't think about like, oh, I wonder if this fires here, is it going to also fire in the backend? And if it does, how do I get them to fire on that backend? Right? Those are the things that you have to figure out. You have to assume.
Justin Gardner (@rhynorater) (01:12:33.113)
Mm-hmm.
Mm-hmm.
Justin Gardner (@rhynorater) (01:12:52.573)
Mmm.
NahamSec (01:12:55.019)
How do I go from A to B? Your A is XSS on the core app. How do I get it to fire on the backend? How do I get this engineer, the support person, without social engineering, to naturally go click on it?
Justin Gardner (@rhynorater) (01:13:06.615)
Okay, so that's where I was going next with that, was like, okay, so we've got information, we've put it in, we're using a blind XSS payload that we can get a callback from. How are we gonna be the one user that the support agent clicks on or the backend analytics admin clicks on?
NahamSec (01:13:26.719)
I'm laughing because I don't know how to say this. I don't want to, I know, I'm trying to think of how to, what do you, Joel, what do you think I'm gonna say? I wanna see what you think.
Justin Gardner (@rhynorater) (01:13:29.051)
Tell me, man, tell me.
Joel Margolis (teknogeek) (01:13:31.398)
I know what you're gonna say here.
Joel Margolis (teknogeek) (01:13:36.022)
We can cut this out if we need to, but you just, you open a support chat and you say, Hey, I'm having an issue with this thing. And you send them a link and they click it.
Justin Gardner (@rhynorater) (01:13:36.098)
Oh my gosh.
NahamSec (01:13:37.87)
Nah, go for it, go for it.
Justin Gardner (@rhynorater) (01:13:42.487)
Hahaha!
NahamSec (01:13:45.74)
No, that's a very good approach. But no, I don't want to promote committing fraud. I want to start with that. But fraud detection is a big part of technology.
Justin Gardner (@rhynorater) (01:13:53.155)
Yeah. Ha ha ha!
Justin Gardner (@rhynorater) (01:13:59.758)
HAHAHAHAHA
NahamSec (01:14:02.035)
How do you get, what's the easiest way to get banned on a platform? Right. Okay. What's the easiest way? What is the easiest way for them to be like, holy crap, who is this guy? What do we do? What do we do to get rid of this person? Right. That is the number one step. It's either fraud or too much traffic, things like, Hey, look at me. Like screaming, like ban me. Number one step is get banned. Like that's the first step. Like how do I get them to go ban me? Right. This could be me reporting my own account with like.
Justin Gardner (@rhynorater) (01:14:06.623)
fried. Yeah.
Joel Margolis (teknogeek) (01:14:08.907)
Yeah.
Justin Gardner (@rhynorater) (01:14:14.449)
Mm, mm.
Justin Gardner (@rhynorater) (01:14:24.987)
Sure.
NahamSec (01:14:29.627)
other accounts, for example. I could just do that, right? So what Joel said is, first of all, please don't go and hassle support people, but listen, there's a difference between saying, hey, I have a problem, it's a legitimate problem that causes an issue, versus going like, hey, click on this thing. I'm never asking support staff to click on a link, but I am using the site like an actual user and I go, hey,
Justin Gardner (@rhynorater) (01:14:31.231)
Oh my gosh, this is great, dude. Yeah.
Justin Gardner (@rhynorater) (01:14:39.415)
Yeah, please don't do that, to be real. Yeah.
Justin Gardner (@rhynorater) (01:14:50.914)
Mm-mm.
NahamSec (01:14:55.247)
I can't find this information, where do I find it? And I go, oh, I still can't find it. I really can't sometimes, because guess what? My page is broken. Like I have a script tag and that's broken. I'm not lying to them, right? So I ask, I'm like, hey, could you send that information for me? It's a lightweight social engineering, but I try to avoid it as much as I can. A lot of times, a lot of these blind XSS that I'm getting nowadays, it isn't the support staff being included. It's me figuring out these companies, how their processes work, and what does it take
to get them to look into something I do. Whether it's like, you know, I put my credit card number in there, but the last digit is wrong. A lot of times with, when you order something online, for example, they process that manually. They check your order manually sometimes, especially for a brand new user. That's been one of the biggest things, dude. The number one thing that I used to do a couple of years ago was every single time, John Badarini and I were sitting at a hotel one day.
Justin Gardner (@rhynorater) (01:15:38.279)
Wow.
Justin Gardner (@rhynorater) (01:15:49.019)
Freakin' John, I love John.
NahamSec (01:15:49.031)
And I look at him as a joke. I love, I love John. Dude. I look at him. I go, John, you want to make a thousand bucks today? And he goes, what do you mean? I go, let's make an order on this site. And he goes, what do you mean? I'm like, I'm banned, but I bet you, if you put this on this website with a blind XSS in the address, the second address line, I promise you, like, an XSS executing by the time we wake up tomorrow. He looks at me and goes, bet. We do it, the next morning we'll wake up. Sure enough, it fired. Fast forward.
Joel Margolis (teknogeek) (01:15:51.703)
or we're done.
Justin Gardner (@rhynorater) (01:16:13.718)
No way.
NahamSec (01:16:15.363)
Fast forward to five years later, this is this quarter, this last quarter, I call him again and I go, John, do you want to make some money, buddy? He's like, what do you got this time, Ben? And I go like, you have an account on this particular site that I want to use, I'm banned, can you just go and do this? He goes, well, I have a problem with my account. I'm like, perfect, that's even better. Can you try this? Sure enough, tries it. Another blind XSS fires off. It's just getting an understanding of how these companies work, what requires them to manually have someone click on your page.
Justin Gardner (@rhynorater) (01:16:37.166)
Wow.
NahamSec (01:16:43.639)
And then you assuming this is the information they're gonna see about.
Justin Gardner (@rhynorater) (01:16:43.931)
Mmm.
Justin Gardner (@rhynorater) (01:16:47.239)
I'm wondering, is there any merit to sending your cross, like say it's like some sort of logging endpoint or something like that, is there any merit to sending it on a time-based basis? Okay, like every five minutes, we're gonna send another one through. And because whenever somebody first opens up the admin portal, there's always gonna be a paginated list or something like that. And if you land in that first, you know,
25 or whatever, then you might get in that front area. Have you ever thought about that or any, tried anything like that?
NahamSec (01:17:21.831)
I haven't done it on purpose because when you do stuff in a contained manner, it's a little bit spammy and I said, last thing I want is, but I've had that happen a couple of times. A couple of like fun ones is, um, it asks you for like a note. Sometimes I put on the note, it doesn't fire. It doesn't mean fire on their backend. They copy my note into an internal net into the internal app for them to track. And then it fires. Right. I've seen that happen before. Um,
Justin Gardner (@rhynorater) (01:17:27.1)
Mmm. It is spammy.
Justin Gardner (@rhynorater) (01:17:42.283)
No!
Justin Gardner (@rhynorater) (01:17:46.843)
Dude...
NahamSec (01:17:47.647)
The typical, like, in my email was a fun one. One of the really cool ones was a website. My password was a blind XSS payload.
Justin Gardner (@rhynorater) (01:17:50.468)
Mmm.
Justin Gardner (@rhynorater) (01:17:58.231)
No it was not. Oh my gosh.
NahamSec (01:18:00.739)
That fired once. This is just me copy pasting the same thing for my name, email, everything. And then the password was clear text. It was saving a clear text in there. Yeah. That one hasn't happened. This was like eight, nine years ago. This was like, no, not, yes, 2015, 2016. So six, seven years ago, it happened. It's just, you never know, right? You never know. There's a couple of times where
Justin Gardner (@rhynorater) (01:18:08.839)
Plain text? No way. That's ridiculous, man. I-
Justin Gardner (@rhynorater) (01:18:21.731)
Yeah. Wow.
NahamSec (01:18:29.531)
It's fired off on an engineer's local machine because they downloaded everybody's feedback. And they were parsing it.
Justin Gardner (@rhynorater) (01:18:36.987)
Ah, that's crazy, that's so cool. And so with that, I kinda wanna ask, how do you track where your payload source was? Because what always happens to me when I do blind XSS is I'll throw this payload in there, and then I'll get a callback, and then I'm like, shit, where did I put that in a form somewhere? And then how do I report it?
NahamSec (01:19:00.487)
Well, let me ask you a question. What are you doing for tracking? What are you using like a XSS Hunter?
Justin Gardner (@rhynorater) (01:19:07.563)
Yeah, I'm just using XSS Hunter, normal XSS Hunter from Truffle.
NahamSec (01:19:09.751)
Question number two, if you give, oh, okay, that's why. Oh, I don't know how that works. I don't know if Truffle allows you to do this. Can you give it a path?
Justin Gardner (@rhynorater) (01:19:18.679)
What do you, oh yeah, like a specific path at the end? Oh, that's interesting. Yeah.
NahamSec (01:19:21.191)
Yeah, so you can say, yeah. So see, this is what I do. I have my own domain. If you go to the London event, it was spammed everywhere. I think people were like trolling me at some point. Sorry, I started deleting it, but I have a domain that is not a, it's a call site. It's a XSS Hunter JavaScript without the backend of XSS Hunter. So it's just a JavaScript that they have. And it just hooks into a PHP file, and that PHP file is what processes the.
Joel Margolis (teknogeek) (01:19:21.654)
Yeah, but you get your own path. You only get one path.
Justin Gardner (@rhynorater) (01:19:26.841)
Yeah.
Justin Gardner (@rhynorater) (01:19:44.155)
Yeah.
NahamSec (01:19:51.003)
entire, like, when it fires, right? That's a backend, it's a PHP file that's like garbage. It's actually written by ChatGPT, wouldn't you know it. And then the front end of it, I have a .htaccess rule, and in there that catches every single path you give and it serves that JavaScript file if it's not valid. So my 404 is that JS file that pops up. So when I do an XSS,
Justin Gardner (@rhynorater) (01:19:58.018)
Oh my gosh.
Justin Gardner (@rhynorater) (01:20:14.732)
Mmm.
NahamSec (01:20:19.403)
domain.com slash whatever I want to make a note of. So the note could be first name and profile. That's an invalid path. So when it fires, it fires with my JS file and it shows me where it's at. But a lot of times it's also easy to track because it's something like your name or your password and things like that. It's obvious. The feedback ones are always the hardest one to track, but a lot of companies don't care where it came from because they know where it came from.
Justin Gardner (@rhynorater) (01:20:48.435)
Yeah, that's really crazy. I mean, I can imagine in scenarios where developers are like copy and pasting your data into different applications or something like that, how you trace it back to the source. It has to be done on the company side, I imagine.
NahamSec (01:20:48.853)
They know where they came from.
NahamSec (01:21:01.827)
That one was a hard one because yeah, there was some issues with that one. I'd be like, oh, well you messaged RTL. I'm like, no, I didn't message anybody. They copy pasted this, dude. And I'm like, I did not say this to them. And it turned out it was a note that I left. They copied the note into the internal app and then it fired.
Justin Gardner (@rhynorater) (01:21:17.031)
Hmm. Wow. That's crazy, man. What a crazy hacking story.
Joel Margolis (teknogeek) (01:21:21.514)
super interesting. Yeah, I know your XSS hunter instance, because I know Mr. Samequery likes to use it, and I have my own XSS hunter setup. That one's not?
Justin Gardner (@rhynorater) (01:21:28.012)
Hahaha
NahamSec (01:21:28.795)
Oh, that's not mine. That's not mine. The only person that uses mine is, no, I think that's X. That's not mine. That's X's. I also use that domain sometimes. It must be, yeah.
Joel Margolis (teknogeek) (01:21:35.47)
Okay, he must be using your script, because I was looking through it and there's like a bunch of like Nahamsec references in the JS. I'm like...
NahamSec (01:21:42.535)
It could be that they're using a version of it. I shared that with everybody in you guys' group. I have no problem with people wanting to use it because it's not something that I wrote. It's also like, I also saw Sean using it in a specific way. I incorporated it in mine. But the biggest thing that I have is the PHP file in the backend and me and Zayad have a, I can't actually say the name of our bot. I'll send you guys the name of the bot later. But we have a bot that we have created. I almost said the name. It could have gotten me a lot of trouble.
Justin Gardner (@rhynorater) (01:21:48.101)
Yeah, yeah, yeah.
Joel Margolis (teknogeek) (01:21:48.544)
I see.
Joel Margolis (teknogeek) (01:21:54.03)
Mm.
NahamSec (01:22:11.551)
But we have, the name of the bot is the name of the CEO of the company. Okay. So we have a, we have a, and then the team has also seen this bot when I screenshot it for them, but we have a, we have a bot that it just says like, Hey everyone on Discord, it's at everyone, new blind cross-site scripting. And it gets the URL from that report.
Justin Gardner (@rhynorater) (01:22:16.83)
Okay.
Justin Gardner (@rhynorater) (01:22:28.623)
That's so funny.
NahamSec (01:22:40.371)
And then also links to the report that I have as a text file. I store it all on my server. It's password protected. You know, we have to have credentials to log into it. And I just go look at it and then analyze it and things like that. That system is one of the most fucked up, addicting things I've ever done because when I was getting a lot of blind cross-site scripting, I was waking up at 5 a.m. rolling over and looking at my phone to see if a new one popped up. And then when you see it pop, then you can't go back to sleep. So.
Justin Gardner (@rhynorater) (01:22:42.971)
Mmm.
Justin Gardner (@rhynorater) (01:22:57.526)
That's great.
Justin Gardner (@rhynorater) (01:23:03.839)
Yeah. Yeah, it's the same thing.
Joel Margolis (teknogeek) (01:23:07.57)
Yeah, dude, I just set up my own XSS Hunter and I saw how yours was set up because I thought it was like standard and I really like it because I'm going to set up something to do the same thing with the path catch-all and the subdomain catch-all because it's just a huge
Justin Gardner (@rhynorater) (01:23:20.888)
Yeah, that's brilliant.
NahamSec (01:23:22.603)
But here's one more thing I gotta tell you guys with just cross-site scripting in general. I, by default, just use my blind XSS payload everywhere because it also helps me track where it has fired. And then there's been times when somebody finds some like anomalies somewhere where they're browsing the website and it fires. Like it didn't fire for me, right? Like...
Justin Gardner (@rhynorater) (01:23:45.991)
Hmm. Ah.
NahamSec (01:23:47.951)
on this app and then they found some weird page and I had embedded and it fired and like I get the notification now. And like you go with the mobile app that sometimes the mobile pages are different, right? The path of the mobile page is different than what you see on the web app. And then you get a whole new place of like testing. So always, always use that for that reason.
Justin Gardner (@rhynorater) (01:23:59.87)
Mmm.
Justin Gardner (@rhynorater) (01:24:04.299)
Yeah, that makes a lot of sense. And, and, and I want to come back to that CSP thing, but real quick, I, this compares, this is sort of contrast with what we said before about using, you know, h1 tags for your, for checking for XSS versus spraying around all of these blind cross-site scripting payloads that by nature of cross-site scripting have to have some sort of callback, either a JS or just an external resource callback. So how do you balance the two?
Joel Margolis (teknogeek) (01:24:05.57)
What about CSP?
NahamSec (01:24:29.862)
Yes and no.
So yes and no. So when I'm looking for blind cross-site scripting, that whole methodology is out the window because I'm assuming it's going to fire somewhere, right? When I'm looking for cross-site scripting, if it fires, then I go, OK, now how do I get it to go from XSS to blind XSS? But when I, there's a, so how do I explain this? There's times when I know most of these companies are, there's behavior you observe on an application sometimes.
Justin Gardner (@rhynorater) (01:24:37.178)
Yeah.
Justin Gardner (@rhynorater) (01:24:40.621)
Okay.
Mm.
NahamSec (01:24:59.903)
When you can tell somebody has reported a cross-site scripting here, because now they're filtering specific tags, right? But what they fail to do is look for blind cross-site scripting now. So now my objective is just solely blind cross-site scripting, and with blind XSS, you don't know. You just put your payloads in. But then what becomes interesting with blind XSS is the assumptions you have to make with the context of where your payload is going to end up. So I'm not just putting an image tag or a script tag or, I don't know.
Justin Gardner (@rhynorater) (01:25:10.221)
Hmm.
Justin Gardner (@rhynorater) (01:25:25.027)
Mm, mm.
NahamSec (01:25:29.375)
whatever tag you want to call it, I'm also thinking about, right, no, what is the, where is this gonna get indexed on the backend, right? Because like, if my name is being shown to me on my profile in a, you know, it's not in a text area, right? More than likely where they see it is in an input field in a box, in a text area, because they have the ability to edit that, right? So that in mind, I have to think about where that's gonna show up, right? If...
Justin Gardner (@rhynorater) (01:25:30.063)
Yeah, what does the payload look like? Yeah.
Justin Gardner (@rhynorater) (01:25:37.744)
Mm-hmm.
Justin Gardner (@rhynorater) (01:25:50.105)
Mmm.
Mmm.
NahamSec (01:25:56.691)
If I can't close the HTML tag in an input tag, should I just add an event handler for example? Like I have to think about all these different things, right? So you have to think where do I put these? Do I put them before, do I put them after? Does the, for the input tags, do I put it before my actual payload? Do I close it first? There's all these different things you gotta think about.
Justin Gardner (@rhynorater) (01:26:11.32)
So.
Justin Gardner (@rhynorater) (01:26:17.487)
So are you doing that intelligently? Like are you thinking, okay, this is where this is gonna, okay, you are, you're not just using like a polyglot that has, you know, end text area. Okay, wow, that's really interesting. And you've had a lot of success with that.
NahamSec (01:26:20.992)
Yes.
Yes.
NahamSec (01:26:32.117)
I test out the theories, right? First of all, I don't know if this is unethical, but it is the reality of it. When your blind cross-site scripting fires, you have an advantage, right? Because you have the entire DOM of that page that you can look at. I'm not saying look for ways to explore the vulnerabilities, but look at how that backend is created, dude. Are they using a lot of like...
Justin Gardner (@rhynorater) (01:26:33.733)
Mm.
Justin Gardner (@rhynorater) (01:26:38.701)
Mmm.
Justin Gardner (@rhynorater) (01:26:43.814)
Mm-hmm.
Justin Gardner (@rhynorater) (01:26:55.901)
Mm-hmm. Absolutely.
NahamSec (01:26:57.503)
Text areas, are they doing a lot of like, what is the way they store data? And chances are they reuse the same templates everywhere. So you have the advantage, this is what the backend looks like once one fires. And you see the, where does my data go? Is it always going to be in a title? Is it gonna be in a script tag? Where is it gonna go? You have that advantage now.
Justin Gardner (@rhynorater) (01:27:06.147)
Mmm.
Justin Gardner (@rhynorater) (01:27:17.463)
No, that makes a lot of sense. Joel, swinging back around to the CSP-related question. Go ahead, sorry.
Joel Margolis (teknogeek) (01:27:25.698)
Yeah, I was going to ask, so you mentioned that for blind XSS, you use XSS Hunter, you know, payload or whatever. I... Yeah, huge. I mean, yeah, it's been like one decade now and it still works. Yeah, so crazy. But one thing that has always sort of puzzled me around how to exploit that successfully is the whole CSP aspect. Which is that basically like...
NahamSec (01:27:33.233)
Yeah. But shout out to mandatory for that. We gotta give a big shout out to that.
Justin Gardner (@rhynorater) (01:27:35.619)
Yeah, legend.
Justin Gardner (@rhynorater) (01:27:40.763)
Yeah.
NahamSec (01:27:40.852)
game changer man.
Joel Margolis (teknogeek) (01:27:53.562)
you're inserting an arbitrary script tag into a page. And even nowadays, script tags, especially loading from a URL, oftentimes will just get hit by, blocked by CSP or they just don't work in general. Why does it seem to sort of work in the blind XSS context?
NahamSec (01:28:12.435)
I don't think a lot of these like, so first of all, like what CSP one is like, I don't know if CSP is there. Like I don't even know if it's, I don't even know if it's Firewall.
Joel Margolis (teknogeek) (01:28:20.83)
It's been 30 minutes.
NahamSec (01:28:22.515)
Now you know we have been on for a while, but no, like with the context of it, like you never, so I don't know if it's a CSP, I'm never gonna see it, it's not gonna fire, not my problem really, I'm not gonna dwell on it. A lot of times I don't think companies, maybe like Facebook and Google and all these companies implement CSP on their internal stuff, but I don't think a lot of companies care. The whole thing is no one's gonna see it, it's in our, you know, it's in our private network, no one's gonna have access to it, why bother? Threat model is different.
Justin Gardner (@rhynorater) (01:28:24.354)
Yeah, yep.
Justin Gardner (@rhynorater) (01:28:33.487)
Mm.
Justin Gardner (@rhynorater) (01:28:46.823)
Threat model is different.
NahamSec (01:28:50.731)
So a lot of times I've never, you know, I've any, there hasn't been a company that I've tried blind XSS on, you know, minus the FAANG companies, for example. Most of those FAANG companies, at least, like, you know, the big ones, they don't have this problem, right? But with the smaller ones, as I'm in a company where CSP was an issue, when I thought there's a CSP. For some of those companies, when there is a CSP in the front end, you can assume that there is gonna probably be CSP in the back too, but that also turns out to be not true in some cases. So.
Justin Gardner (@rhynorater) (01:28:59.683)
Mm.
Justin Gardner (@rhynorater) (01:29:04.752)
Mm.
Justin Gardner (@rhynorater) (01:29:18.063)
Yeah.
NahamSec (01:29:20.287)
There is a graph I would like to do is that the more you f around, the more you find out. And honestly, that's what I've done with bug bounties, with like blind XSS. The more you fuck around, the more you find out. So you have nothing to lose to do that. You have nothing to lose to go report yourself as, as a spam or as a fraud, or you know, your, whatever it is, like reporting, for example, is a big one of those things. You're not going to, it's not going to hurt. The only thing you have is to gain or it's because you lose your account. You make an
Justin Gardner (@rhynorater) (01:29:22.215)
Hehehe
Justin Gardner (@rhynorater) (01:29:26.046)
Yeah, yeah, that's great.
Joel Margolis (teknogeek) (01:29:26.66)
hahahaha
Justin Gardner (@rhynorater) (01:29:43.035)
Mm. Yeah.
Justin Gardner (@rhynorater) (01:29:48.939)
That makes sense. And then from the CSP front, I'm wondering if it would make sense ever to submit more benign blind XSS payloads like an image tag or like a style tag or something that's not necessarily going to get caught in the script source area of the CSP. And I know recently Gareth Heyes and the PortSwigger team released a sort of a blind CSS injection framework.
NahamSec (01:30:03.731)
Um.
Justin Gardner (@rhynorater) (01:30:18.011)
where you can exfiltrate all of the contents of the inputs and text areas and stuff like that. Do you have any theories on that? Do you have any experience with non-JS executed blind XSS?
NahamSec (01:30:29.895)
The thing with non-JS executor is sometimes you only have one shot to get this blind XSS to fire. I think you both know I like to gamble once in a while and I would rather just gamble on the XSS popping up than worrying about CSP because my only worry with that is if I get an image tag for example to pop up and whatever it is, then you have to prove to them that you also have JS to work. I don't want to go down that path of having to go through triage and telling them why this is vulnerable.
Justin Gardner (@rhynorater) (01:30:35.279)
That's true.
Justin Gardner (@rhynorater) (01:30:39.313)
Hahaha
Justin Gardner (@rhynorater) (01:30:52.74)
Mmm. Yeah.
NahamSec (01:30:59.447)
engineer-wise is vulnerable, some companies don't get it. So I'm gonna gamble the fact that the JavaScript's gonna execute and I have no CSP issues, and if I do, then screw it, I don't get paid for it, and I just never know.
Justin Gardner (@rhynorater) (01:31:11.023)
Yeah, that makes a lot of sense. Well, that was a positively intriguing conversation surrounding blind XSS. I'm very interested in this. And I had a phase of like, oh, I'm finding a lot of blind XSS. And then I stopped looking for it. And then it's great to talk with people about these sort of vulnerabilities types because it gets you really excited for it again. And I know there was a phase where everyone was kind of putting them in their user agent. And then all of the freaking.
you know, WAFs and stuff started blocking everybody and it was like, ah, this is just kind of a pain and it fell off the map for me. But this is definitely something I'm going to reintegrate into my workflow again.
NahamSec (01:31:50.855)
Yeah, for sure man. I think, I don't think blind XSS is gonna go anywhere for as long as XSS is around. I don't think the blind ones are gonna go anywhere. So it's still an issue. It's, you know, it's, I just wanna like, you know, preface that if you are looking for XSS, it's better to just use your own blind XSS payload than just a vanilla exploit because it also allows you to track and everything else. So it just makes your life easier.
Joel Margolis (teknogeek) (01:31:51.63)
Absolutely.
Justin Gardner (@rhynorater) (01:31:55.577)
Mm.
Justin Gardner (@rhynorater) (01:31:59.92)
Yeah.
Justin Gardner (@rhynorater) (01:32:10.68)
Mm.
Justin Gardner (@rhynorater) (01:32:14.947)
Yeah. So, so just, just for the listeners, because we, we had that all over the place in that conversation, the setup that you've got is a JS file that exfils data out. You stole that from the, uh, you know, mandatory payload or whatever. Yeah. XSS Hunter. And then you've got a PHP file, a custom PHP file that will parse that out on your own server, break that into a report, hit a, a Discord callback. And that report is, you know, hidden behind basic auth or whatever. So nobody can just log in and see the report. Wow.
NahamSec (01:32:26.679)
Is that right, XSS Hunter? Correct.
NahamSec (01:32:43.111)
Yep, absolutely. I'll try and see if I can send it in visuals. You can also put it in the, at the bottom right here.
Justin Gardner (@rhynorater) (01:32:45.371)
That's freaking brilliant.
Yeah, yeah, I would love to do that. That sounds like a really good system and something that would be really worthwhile doing. And then the other thing that I wanted to ask about that specific thing is as far as customizations to the payload goes, are you exfiltrating local storage and anything you can get access to beyond the normal payload or?
NahamSec (01:33:10.835)
XCLE has been trying to push me to do that a lot more. I haven't done any local storage stuff. Mine is just, that'd be cool. But yeah, mine is, the only thing that I have on there is I modify at the bottom. I sometimes have like an alert sometimes, or also I have it like, from mobile apps, I have it dumped stuff specific for that app. But no, the vanilla itself, it's just commented out there. Like I take it out sometimes, or I put it back on, or I comment it out, whatever it is. But just, I wanna, the reason why I wanna...
Justin Gardner (@rhynorater) (01:33:13.529)
Yeah.
Joel Margolis (teknogeek) (01:33:15.182)
I can send you mine. I just update. Yeah.
Justin Gardner (@rhynorater) (01:33:16.771)
Mm.
Justin Gardner (@rhynorater) (01:33:25.145)
Mm.
Justin Gardner (@rhynorater) (01:33:30.041)
Ah.
NahamSec (01:33:39.511)
I tell you guys that again, use this with everything that you test for XSS wise, because A, it helps you track all your ones. So if you want to go back to them and see if you can bypass them, you have that. In the context of other applications, devices, there has been a time where it happened on a device and I only had one shot at this happening on the device. Like it popped up on an actual like physical device. It wasn't a mobile app. It wasn't, it was an actual like hardware. It popped up on there, right?
Justin Gardner (@rhynorater) (01:33:48.809)
Mm-mm. Mm.
NahamSec (01:34:07.347)
and I couldn't modify the payload, but guess what? Because it was my JavaScript file, I could modify it all I wanted to. So that gives you a huge advantage. The whole thing with XSS is sometimes you get one shot, and if it happens on a device, for example, you can modify that, but you can modify your JavaScript payload. So keep that in mind when you do it.
Justin Gardner (@rhynorater) (01:34:13.545)
Mmm.
Justin Gardner (@rhynorater) (01:34:24.843)
Mm.
Joel Margolis (teknogeek) (01:34:26.324)
awesome.
Justin Gardner (@rhynorater) (01:34:27.223)
Yeah, that was excellent with regards to blind XSS. I'm hyped about that. And the last thing that we wanted to cover, 'cause I know we're into the, well into the hour and a half mark here, but you know, the intriguing ones always go a bit long. We wanted to discuss the going the extra mile on a bug bounty program to set up your environment. And this is something that we talk about on the pod quite a bit. You know, we say pay the extra money to go and get the premium feature,
you know, go through the vigorous sign-up process you need to get everything set up. Could you tell me a little bit about your experience with that and why that's such a pivotal part of your methodology?
NahamSec (01:35:09.275)
Yeah, I mean, a lot of times, like going to the extra mile could be the premium. It could be. Um, so like, I know a lot of people are scared of like, Ooh, I don't want to give them my ID because what if it gets hacked? Like I get that, like I'm with you, but there's been times when I've like ID verified myself and I was gone and open up to so much more stuff. I've sat on like, um, onboarding calls. Uh, I've sat on like QA calls, like the customer service calls. Uh, you name it, dude. Like it helps. The other thing is like, it also goes as far as like.
Justin Gardner (@rhynorater) (01:35:13.411)
Mm.
Justin Gardner (@rhynorater) (01:35:24.132)
Yeah.
Justin Gardner (@rhynorater) (01:35:36.708)
Yeah.
NahamSec (01:35:39.287)
customizing your instance, right? Like some of these companies allow you to like configure everything, yeah, or styling everything. And there's all of these, the more you give them, unfortunately, that's the reality of it. The reason, first of all, there's two things. One, they want your money or they want your data, right? Like they want your money because you want to purchase something, so you pay them, they open up more stuff. Sometimes it's expensive, so you can't pay for it. You can ask the companies, they'll give it to you.
Justin Gardner (@rhynorater) (01:35:42.851)
Mmm. Configuring everything.
Justin Gardner (@rhynorater) (01:35:57.691)
Mm.
Justin Gardner (@rhynorater) (01:36:03.343)
Yeah.
NahamSec (01:36:06.507)
But then the other one is like, sometimes I want to verify like Airbnb is a big one. You can't be a host without giving them your ID and stuff. A lot of hackers stop at that phase because I don't want, you know, what if when he gets hacked, I don't want to have my information, I don't want to have my social, but you have to do those things because it opens up a lot of more stuff. But also keep in mind of like, again, I want to say the whole, like the ROI of your time. If you are, if a company is maybe giving you 1000 for a critical, maybe not worth it, unless you're going to like, you know,
Justin Gardner (@rhynorater) (01:36:14.907)
Mmm.
Justin Gardner (@rhynorater) (01:36:34.596)
Yeah.
NahamSec (01:36:36.107)
ask instead of, you know, you're gonna go for a quantity of criticals, then that is worth it. But if a company is like 25k max or even 10k max, right, that is still worth it. That is the return in your time. You know, there was a company I hacked on that required me to send them a bunch of letters. Like I had to actually ship letters to them. And I spent like three days in the post office with this company, dude. I did it and it yielded out in a really good bug, right?
Justin Gardner (@rhynorater) (01:36:46.435)
serious money.
Justin Gardner (@rhynorater) (01:36:57.303)
No way. Oh my gosh.
NahamSec (01:37:03.059)
My tax documents right now, every year I get them as a script tag inside of it. Because I went into this company, as my taxes on a bug bounty program, I paid them to do my taxes one year. I did all that stuff, right? I've gone as far as opening retirement accounts with particular companies so I can test them more, dude. So it's not that I'm trying to, I think about it, I go, oh, I'm gonna open a retirement account, right? Who should I do it with? I think about these companies that are big, do they have a bug bounty program that I can also test out?
Justin Gardner (@rhynorater) (01:37:17.616)
No way, that's amazing.
Justin Gardner (@rhynorater) (01:37:30.367)
Mmm. Yeah.
NahamSec (01:37:31.923)
Right? There's also, you want to invest money, like all these different things, like think about it, like it's always the mentality of how you are a hacker too.
Justin Gardner (@rhynorater) (01:37:34.768)
Pfft
Justin Gardner (@rhynorater) (01:37:39.647)
I'll never forget this time where you and I were collaborating on a target where you could open up a credit card with this target. And you gave me access to your credit card. You're like, here, just log into my account. Yeah.
NahamSec (01:37:46.689)
Ah.
NahamSec (01:37:51.211)
I had a credit card, I had their most expensive credit card, I had their checking account and like two other services with them too, dude. And I didn't open up their most expensive credit card because I wanted it. It was because of that event, dude. I really wanted to see what that company had.
Justin Gardner (@rhynorater) (01:37:59.536)
Yeah.
Justin Gardner (@rhynorater) (01:38:03.447)
Yeah, and it's, and I was like, dude, why the heck are you doing this? But at the same time, I was telling you about all of these benefits I was getting from signing up for these credit cards and then doing the point hacking thing, and you're like, bro, if we find one bug, you're gonna get so much more value out of this than all of these credit card hacking points things you're doing, so.
NahamSec (01:38:24.603)
Yeah, the maximum thing you pay, the maximum you pay for a credit card is like $700 a year. Yeah, 700 is probably the one that I pay the most. The maximum bounty you can get from a company that size is what, like 15, 20K? Right? So, I mean, also like the checking account is free, so who cares? The credit card, I wanted that credit card at some point, and then the program pushed me, but those are just like things to think about, right? Like if you're making an order with a company that has a bug bounty program, think of like, oh, what else can I do with this?
Justin Gardner (@rhynorater) (01:38:30.369)
Yeah, yeah.
Justin Gardner (@rhynorater) (01:38:37.351)
Yeah, for sure. At least.
Justin Gardner (@rhynorater) (01:38:45.464)
Yeah.
NahamSec (01:38:55.424)
So yeah, that's like the biggest thing to it, man. Like you just gotta think about like, I'm gonna make this decision for my personal life. Obviously don't base it all on your bug bounty experience, but if you have the option and you think, you know, you're deciding between two companies, one has a bug bounty program, I'm gonna go with that one, I can also test it out.
Justin Gardner (@rhynorater) (01:39:03.994)
Right.
Justin Gardner (@rhynorater) (01:39:11.607)
Yeah, yeah, so you can test it and also just because you know it's going to be more secure as well, you know, like people are in there testing on it every day, so there's value to that. Ben, dude, this has been legendary, man. Thank you so much for coming on and sharing all this knowledge and I'm so glad to see the, you know, complete rise from the low lows to the high highs after doing, you know, half a million in bug bounty and really crushing the video scene and seeming
NahamSec (01:39:26.103)
Of course.
Justin Gardner (@rhynorater) (01:39:38.571)
much more happy and stable and it's really inspiring.
NahamSec (01:39:44.327)
Yeah, of course and kudos to you guys for making such a good podcast and staying consistent and bringing so many amazing guests. I thank you guys for having me and I'm excited to see what else you guys put out.
Justin Gardner (@rhynorater) (01:39:51.269)
Yeah.
for sure. Thanks, man.
Joel Margolis (teknogeek) (01:39:54.914)
Yeah, absolutely dude. Yeah, that's the pod.
Justin Gardner (@rhynorater) (01:39:57.863)
Peace.