Episode 20: In this episode of Critical Thinking - Bug Bounty Podcast, we dive into the world of "hacker brain hacks" and overcoming challenges in bug bounty hunting. We discuss custom word lists, the rising popularity of Caido as a potential Burp Suite replacement, and Cloudflared tunnels for hosting POCs. We also tackle the mental aspects of bug bounty hunting, from procrastination to imposter syndrome, and share tips for staying motivated and avoiding burnout. Don't miss this episode packed with valuable insights and advice for both beginners and seasoned bug bounty hunters!
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Caido:
Tweet from D3mondev on Sequence Diagram:
https://twitter.com/d3mondev/status/1660803152755453952
Sequence diagram software:
Timestamps:
(00:00:00) Introduction
(00:02:36) "Sequence Diagram": Sequence mapping for PoCs
(00:04:10) "SubReconGPT": AI and GPT in Bug Bounty Hacking
(00:08:30) "Caido": A Potential Replacement for Burp Suite
(00:11:34) HackerOne's New Features
(00:13:00) Cloudflared Tunnels for Red Team Assessments and Payload Hosting
(00:16:07) Mental challenges in Bug Bounty Hunting
(00:17:50) Procrastination Education: Letting fear of failure drive you into always learning, never doing.
(00:22:46) Analysis Paralysis: Starting with Bug Bounty Programs vs VDPs
(00:27:07) Automation Obsession: "When you're hacking, hack. When you're automating, automate."
(00:14:34) Imposter Syndrome: You may not be the best, but you're not the worst either.
(00:31:55) Motivation Deprivation: Stay curious, and set tiered goals
(00:36:07) Automation Obsession pt2: Do we need to say it again?
(00:37:25) Reconnaissance Cognizance: Spending too much time on recon and not enough time on hacking
(00:40:00) Bad Rabbit Holes, RIP Your Goals: Identifying good and bad rabbit holes
(00:46:01) Set Your Goal Poles: Setting specific goals for yourself.
(00:48:29) Impact Lacked: Fixating on something that's funky, but simply doesn’t really have impact
(00:51:00) The Burn-out turn-out: Mending, maintenance, and finding identity and self-worth outside hacking
(00:58:19) Responsibility Volatility: Balancing Responsibilities and Freedom as a Bug Bounty Hunter
(01:00:30) Payout Phase-out: Don't stop once you've found one bug.
(01:02:04) Report on URN Injection
Joel Margolis Teknogeek (00:02.238)
I just started during the countdown. What do you think of my new light?
Justin Gardner Rhynorater (00:05.188)
Yeah, smooth.
Justin Gardner Rhynorater (00:10.326)
Oh dude, I can see, okay, I can see quite better now. That's good.
Joel Margolis Teknogeek (00:11.278)
It's like pretty good here. I'll show you like the difference. It's like kind of noticeable, but only like if you see like the before and after, okay? So this is like with it on, this is with it off. Yeah. Yeah, yeah, it's pretty good. And I can like totally blind myself if I want to.
Justin Gardner Rhynorater (00:22.25)
Oh, okay, nice. You can see a pretty substantial difference there. I don't know, I feel like, I think I have a little bit more, I've got a ring light right there, so you can kinda see when I block it, but I think, you know, I don't think I'm that much tanner than you, so I think it's gotta be largely the yellow light that's above me as well that makes the difference on the video.
Joel Margolis Teknogeek (00:31.212)
Yeah.
Joel Margolis Teknogeek (00:41.594)
Yeah, it could be. I have like the color temp's all like, because I was having all sorts of weird like color temp problems with it. So I think I have it like kind of kind of okay for now.
Justin Gardner Rhynorater (00:51.966)
Got it worked out, nice. Well, sorry for everybody who's actually listening on an audio medium for this podcast. If you wanna check out the color difference of our skin in Joel's new light, head over to Critical Thinking Podcast on YouTube. But with that, let's see what we got for today. Okay, so actually I really like this topic. Today we're talking about hacker brain hacks.
Justin Gardner Rhynorater (01:17.81)
and essentially how to get over some of the things that make bug bounty so difficult. So I think that's going to be a really cool topic. Joel, I'm going to say check out this document. I did my research today and I have an outline with beautiful bullet points with look at these rhyming headers. Like this is pretty sick, right?
Joel Margolis Teknogeek (01:38.974)
This is incredible. I mean, most of the time, most of the time I'm the one who goes really crazy on the like the Google Doc side. So this is a, this is nice. This is cool, man.
Justin Gardner Rhynorater (01:44.646)
Yeah. Yeah.
Justin Gardner Rhynorater (01:48.51)
Thanks, man. I'm learning a thing or two. I'm flexing my Google Docs muscles a little bit. But, all right, before we get into that content, let's check out some new stuff. I'll take the first one. This is another, we've mentioned this guy on the pod before, demondev at D3mondev. I mentioned, I had to message him afterwards and apologize because I actually called him.
Joel Margolis Teknogeek (01:50.23)
Hahaha
Justin Gardner Rhynorater (02:15.434)
Demondove last time, which is not what it is, DemonDev. But I follow this guy, he puts out really good stuff. One of the things that I really liked that he put out recently was this website called sequencediagram.org, which allows you to really cleanly and easily make these sort of sequence diagrams where you've got like several, you know, pieces of the diagram.
Joel Margolis Teknogeek (02:15.682)
Demondev.
Justin Gardner Rhynorater (02:44.018)
vertically and then you've got lines sort of jumping between each one of them. It's really helpful for diagramming things like reverse proxies and POC flows. So I wanted to shout it out on the podcast because I think this could really help for creating really in-depth POCs and making sure your reports are really understandable. So we'll drop that link down in the description. Definitely check it out. Um, should really help with that.
Joel Margolis Teknogeek (03:05.95)
Yeah, for sure. And this is something that I see a lot in like the corporate type of space where like engineering documents have this, this type of stuff all the time, like just to help you understand like what's going on, how stuff is supposed to work. So I think that this is like a great step towards just like making your reports more readable and making them easier to triage.
Justin Gardner Rhynorater (03:23.69)
Yeah. And at the end of the day, your reports are going to be read by the enterprise corporate security people. So it's exactly what they want to see. It's a win.
Joel Margolis Teknogeek (03:28.062)
Yeah.
Joel Margolis Teknogeek (03:31.562)
Yeah, yeah, super awesome. Cool. Yeah. So next thing we've got, I'll jump, I'll jump one over, but Jay Haddix, previous podcast guest, he created this new tool called SubReconGPT. And it's, it's, you know, it's an awesome implementation of like, how do we apply AI and GPT and that kind of stuff into like the bug bounty hacking space. And so basically what he did is he created a very, very simple Python script.
Justin Gardner Rhynorater (03:46.494)
I love this.
Justin Gardner Rhynorater (03:55.477)
Mm-hmm.
Joel Margolis Teknogeek (03:58.678)
that just takes a list of subdomains as input, and then it feeds them into ChatGPT, and it asks for similar subdomains. And then it'll use that to essentially generate like a word list or something, and then it will try and resolve those domains. So it's super, super awesome way of just kind of manipulating that data. I think it's really tricky to do this type of stuff with.
Justin Gardner Rhynorater (04:13.146)
Mm-hmm. Yep.
Joel Margolis Teknogeek (04:21.878)
out some sort of like manual intervention and like coming up with like variation word lists and all that kind of stuff is really, really awesome for finding like super niche assets. I don't know if he wants to be shout out for this, but a mutual friend of ours who used to work with Zayat. That's what I'll say. I think you know, I'm talking about it. I will believe it. Ebrie. Yeah. So Ebrie is like a recon God. Okay. And the way that he does this is by generating super bespoke
Justin Gardner Rhynorater (04:26.294)
Mm-hmm.
Justin Gardner Rhynorater (04:41.568)
Okay.
Joel Margolis Teknogeek (04:50.774)
custom word lists for all of the targets that he acts on. He'll like, he has this whole custom flow that he does where he takes like data and he'll use it to generate all these like custom word lists. And then he uses it to like brute force, either subdomains or endpoints or whatever. And he finds like the craziest stuff by doing this.
Justin Gardner Rhynorater (04:56.766)
Mm, mm.
Justin Gardner Rhynorater (05:09.158)
Yeah, it's really gnarly when you've got stuff like that. But I remember I did, I went that far once. I've done it a couple of times, but it really paid off once at a live hacking event for PayPal.
Justin Gardner Rhynorater (05:20.734)
And I found this application that was old and everyone had forgotten about it. And I had to like go through all these hoops to even get access to it. But once I did, it was a vuln all over the place, right? It was just vulns everywhere. And I was like, man, this thing is a cash cow. I need to like milk this for all it's worth, right? And so I got ahold of the documentation for it. And I was trying to enumerate all of these endpoints that they were talking about in the documentation that I couldn't find, right? The functionality. And so I couldn't find it. So what I ended up doing was just.
Joel Margolis Teknogeek (05:35.798)
Yeah.
Justin Gardner Rhynorater (05:48.938)
parsing, you know, there's like some really old school tool. I can't remember the name of it, but essentially it goes out to the website, scrapes the, you know, the words used, and then uses that to, you know, do some brute forcing. And I did that and I, you know, outlined the common structures of the URLs and I brute forced, and I got so many hits and it probably resulted in over 50K of bounties from that one thing. And so, yeah, it's, it's.
Joel Margolis Teknogeek (06:14.969)
Wow, dude.
Justin Gardner Rhynorater (06:17.882)
It's crazy what you can do when you really take this extra level and go a little bit deeper. I think this is a great tool that does it. Also, I'm a little salty because this has been on my to-do list for a really long time. And if I wasn't in the middle of a reno right now, then I would absolutely have had this done. But anyway, Jay Haddix beat me to it. It's looking really cool. Yeah.
Joel Margolis Teknogeek (06:37.366)
Yeah, it's less than 100 lines of Python. It's super awesome. I think you probably could even have ChatGPT write this itself, to be honest. Yeah. This is, it kind of reminds me of the Assetnote word lists, but like one step further, because Assetnote word lists are pulled from BigQuery. So they're more like, you know, modern, so to speak, right? They're more like up to date with like, what's going on right now. Like they're based off of analytics and like query data from...
Justin Gardner Rhynorater (06:47.122)
Yeah, it's like 50 lines. Yeah.
Justin Gardner Rhynorater (06:53.878)
Mm-hmm. Yeah. I'm gonna go ahead and turn this off.
Joel Margolis Teknogeek (07:06.102)
like real requests over like a recent time span versus, you know, just some word lists commonly used stuff, but not necessarily accurate to the current like date. And this is like, you know, that kind of like bespoke-ness, the like recency that's like very like targeted one step further. So I think it's really awesome. And I'm probably going to be throwing this in my flow.
Justin Gardner Rhynorater (07:11.187)
Mm-hmm.
Justin Gardner Rhynorater (07:25.138)
Yeah, and for sure, I mean, he says for sure, this is very beta here. And if you look at the code, it's pretty much asking ChatGPT, it's like, generate five subdomains similar to XYZ. I don't even think, yeah, it's not using LangChain or anything like that, it's just using the OpenAI Python API. So there's definitely room for improvement here if anybody wanted to go and do a pull request on this, I'm sure Jason would be thrilled.
Joel Margolis Teknogeek (07:49.899)
Yeah, yeah for sure.
Justin Gardner Rhynorater (07:52.69)
All right, nice. So next thing that I wanted to talk about was, we love to keep Caido in the loop. We love to talk about Caido. I think it's a great tool. It's the primary tool I'm using right now for web proxying. And love to see something like this. The Cyber Mentor actually put out a video recently entitled, This New Web Hacking Tool May Replace Burp Suite. And I was like, oh yeah, here we go. And he does quite a long walkthrough of what it.
Justin Gardner Rhynorater (08:21.534)
what it looks like to use Caido, use it up against a target. So I was really thrilled to see that. It's like an 11 minute video. I think Caido is gaining more and more traction and it's something that you might wanna go and subscribe to right now and get the pro access because it's only like, I wanna say it's only like $10 a month and...
Joel Margolis Teknogeek (08:41.47)
Yes, it's either ten dollars a month or one hundred dollars a year, depending on how you want to pay for it. And I mean, I'm just going to I'm just going to read some facts here. Okay. PortSwigger currently costs, I think, five hundred dollars a year.
Justin Gardner Rhynorater (08:46.951)
Yeah.
Justin Gardner Rhynorater (08:49.822)
That might go up at some point, who knows, you know?
Justin Gardner Rhynorater (08:56.158)
Yeah, it's ridiculous, yeah.
Joel Margolis Teknogeek (08:57.714)
So if it's a cost thing for you, you know, there's the numbers.
Justin Gardner Rhynorater (09:05.554)
Yeah, for sure. And you also have an ability right now to influence the building of this product. You can submit issues, you can talk to the team. So definitely don't miss out on that opportunity. Just wanted to drop that one in there.
Joel Margolis Teknogeek (09:17.258)
Yeah. Yeah, for sure. It's not like there aren't features that like, like I use both a lot now. And it's like, I'll definitely be using Caido and I'll be like, I wish there was this feature from Burp, like it'll be just like little like, you know, quality of life things, but like those little things like they add up over time and they're just like little features that Burp has just had more time to add in.
Justin Gardner Rhynorater (09:25.242)
Mm-hmm. Yeah, same.
Justin Gardner Rhynorater (09:33.802)
Yeah.
Justin Gardner Rhynorater (09:40.254)
But there's also those same things in Caido, right? So like for example, every time I have to go back in Burp and I intercept a request and I have to click forward, forward, forward, forward, forward, forward, forward, instead of just going directly to the request and then heading forward, I'm like, oh, I hate this, you know? And Caido, it just, it queues up all the requests. You can just click the request you wanna forward and just boom, forward. And it's like amazing. And, you know, switching projects is so much easier in Caido.
Joel Margolis Teknogeek (09:42.015)
Yeah. Yeah.
Joel Margolis Teknogeek (09:57.333)
Yes.
Joel Margolis Teknogeek (10:05.396)
Yeah.
Joel Margolis Teknogeek (10:08.342)
Ah, so much easier.
Justin Gardner Rhynorater (10:10.362)
I can do hacking from my Chromebook on Caido, while I'm sitting in my living room. So there's a lot of really great stuff to set up there. And so, yeah.
Joel Margolis Teknogeek (10:12.695)
Yeah.
Joel Margolis Teknogeek (10:17.834)
Yeah. And if you see those features that aren't there, just shoot a message to the dev team and they're like super responsive. They hop on stuff right away. So yeah, it's really awesome.
Justin Gardner Rhynorater (10:26.802)
real on top of it. I actually have a little thing set up with them now where I just like drop them a Loom video. So I don't even really have to do much else. I just like hit record on my desktop, it outputs a URL. I'm just like, boom. And I don't even say anything. I just send them the Loom video and it gets like put into an issue and it makes its way into the next dev cycle. So I really, I really appreciate it. You know, let's just say I got the inside scoop. No.
Joel Margolis Teknogeek (10:34.437)
You get the private line, that's crazy.
Joel Margolis Teknogeek (10:40.341)
Ah.
Joel Margolis Teknogeek (10:44.81)
So that's what the enterprise plan is.
Joel Margolis Teknogeek (10:51.39)
Justin's the enterprise for himself. Yeah, you got the custom support. Wow.
Justin Gardner Rhynorater (10:55.79)
Oh my gosh. Okay, so actually, so two more things. I'm sorry, Joel, I actually didn't put it on the doc. Well, the one thing that I wanted to talk about was, I just wanted to give a shout out to Jobert, HackerOne co-founder. He has been pumping out, him and the HackerOne dev team, I will include them all in that, have been pumping out some crazy features lately. And one, I just wanna say, I have hacked with Jobert before, phenomenal hacker, very skilled, and you know.
Justin Gardner Rhynorater (11:24.554)
The guy's probably loaded at this point, you know, having been a HackerOne co-founder and HackerOne doing the way that it is. And he's still in there every day running the engineering team with HackerOne. So mad respect there. But two, man, have there been some nice features getting pushed out lately. They just released a command palette for HackerOne, which allows you to really quickly navigate around and, you know, submit new reports really easy, open policy pages really easily. That's amazing.
Justin Gardner Rhynorater (11:53.678)
There's some encoding tools, some new analytics, and it's just, it's wonderful. So if you haven't checked out your HackerOne dashboard recently, or if you're not seeing these tweets from Jobert about the new features that are going out, definitely give him a follow on Twitter. And just to be clear, it's J-O-B-E-R-T, Jobert, Yobert. Yeah, if you're looking it up afterwards, we'll link it in the description.
Joel Margolis Teknogeek (12:14.998)
Yes, Jobert, Jobert. Yeah, yeah, cool. Cool. Yeah. So this, this, this person, Justin L's LZ, ELZ. He, he tweeted out this awesome. I don't know if he wrote this blog or, or what. I'm not sure.
Justin Gardner Rhynorater (12:28.627)
Mm-hmm.
Justin Gardner Rhynorater (12:35.886)
No, I don't think so. I think he's just linking to a Cloudflare. Or actually, this is actually not even Cloudflare. This is somebody else.
Joel Margolis Teknogeek (12:42.654)
Yeah, it's on iq.thc.org and just as the author is root. So my assumption is this is just like somebody's like a self hosted blog. So I'm not really sure he wrote this. However. Yeah, it doesn't it doesn't really matter. However, it does talk about this really cool thing. I never heard of this. I've heard of very similar things, but it's called Cloudflare D tunnels or Cloudflared tunnels. I'm not really sure which one it is, but essentially, if you're familiar with ngrok,
Justin Gardner Rhynorater (12:46.848)
Mm-hmm.
Justin Gardner Rhynorater (12:50.941)
Sure. Yeah, right. That's where the best content is though.
Justin Gardner Rhynorater (13:02.813)
Mm-hmm.
Justin Gardner Rhynorater (13:05.086)
Mm-hmm.
Justin Gardner Rhynorater (13:07.531)
Mm-hmm.
Joel Margolis Teknogeek (13:11.742)
ngrok, okay. It's kind of like a tunnel service that gives you a public endpoint. And you can tunnel it to basically any like TCP port on your local host. And that's really awesome for a lot of different things. It's awesome from like a developer perspective if you're doing testing, but it's also really awesome from a hacker perspective, where you can host your POCs without having to host your POCs.
Justin Gardner Rhynorater (13:14.378)
Mm.
Justin Gardner Rhynorater (13:23.818)
Mm-hmm.
Justin Gardner Rhynorater (13:34.962)
Yeah, you can absolutely do that. And one of the reasons why I wanted to add this to the list for today was this, I think there's also some really nice functionality here. And I'm realizing now that, you know, Cloudflare may have some terms of services against this. So, you know, read the docs before you do this. But I was thinking this would be amazing for, you know, hosting your payloads, for hosting your actions. And this is less than a bug bounty context, but more in just an actual like,
Justin Gardner Rhynorater (14:04.73)
internal assessment or, you know, red team perspective, where you're actually trying to hack into an organization. And we all know that probably the easiest way is gonna be to do social engineering or some sort of like, something like that, right? So this sort of thing is really great because a lot of times your domains get burned and stuff like that. Or like you've got some next gen firewall that's blocking, you know, domains that don't have a certain accreditation score or whatever.
Justin Gardner Rhynorater (14:30.138)
So it's really helpful to host your C2 or anything like that behind an accredited domain like Cloudflare. So this is just a shout out for any of you that are actually actively doing Red Team stuff. This might be something you can utilize in your, in pivoting or in your day-to-day assessments.
Joel Margolis Teknogeek (14:48.546)
Yeah. Yeah. I also really liked that this, this blog talks about that you can do like SSH and stuff over this, which is, it's just a really interesting use case. I'm not sure if this adds any sort of like implicit security on top of what you're doing. I'm not sure like what kind of access controls or whatever you might be able to perform on this, but that's a really interesting use case. I'm not sure if you could do that with ngrok. So.
Justin Gardner Rhynorater (14:55.603)
Mmm.
Justin Gardner Rhynorater (15:13.75)
It seems like it's just a raw TCP tunnel, I think.
Joel Margolis Teknogeek (15:16.33)
Yeah, so pretty interesting stuff. Definitely useful and I think I'm going to put this in my bookmarks for payloads and stuff.
Justin Gardner Rhynorater (15:25.93)
Oh no, they do have Secure. Yeah, yeah, yeah. They have TLS as well. Nice. Okay, so that's it for the news section. Onto the meat. Onto the meat for today. So, yeah, I guess I'll preface this by saying I'm a full-time bug bounty hunter, and I guess being a full-time bug bounty hunter, you have a lot more.
Joel Margolis Teknogeek (15:29.698)
Cool. Nice.
Joel Margolis Teknogeek (15:35.79)
I'm eating potatoes.
Justin Gardner Rhynorater (15:53.126)
I guess, mental challenges with Bug Bounty. You have different mental challenges. Let me just put that there. Because one, it's your livelihood and you're doing it every day and it becomes your job. But on the other hand, you're also not having to juggle Bug Bounty in your full-time job and that sort of thing. So at some point I wanna do, and I've got a little section at the end of this doc, I'm not sure if we'll get to it today, about just some of the tips that I've learned from doing Bug Bounty full-time.
Justin Gardner Rhynorater (16:22.482)
I know we talked about it a little bit on the full-time bug bounty episode, but I've got some other stuff as well that we'll get to, but the main focus for today was like mentality stuff. So I broke it down into three sections. You can see them in the doc, Joel, before hacking, during hacking, and after hacking, okay? And these are the kind of, I just kind of brainstormed for a little while, and then I used, you know, ChatGPT to come up with some snazzy names for each section about what kind of struggles
Justin Gardner Rhynorater (16:51.762)
you might be running into at each one of these phases on your hacking journey.
Joel Margolis Teknogeek (16:55.606)
I do feel like I'm reading a Dr. Seuss book right now. I'm not gonna lie. Ha ha.
Justin Gardner Rhynorater (16:59.33)
Okay, all right, I got, I went a little bit far with the, with the, you know, rhyming or whatever, but hopefully it'll be a little bit more memorable. I said, like, what did I say? Do some catchy names or something like that for X, Y, Z. So I don't know. Well, we'll see what we got. Okay, first one. This is in the before hacking section. I see this one all the time and I've, me aka,
Joel Margolis Teknogeek (17:03.382)
Did you tell it to rhyme them or did it just do that on its own?
Joel Margolis Teknogeek (17:11.695)
it's
Justin Gardner Rhynorater (17:27.114)
ChatGPT, AKA Dr. Seuss, has named this one procrastination education, okay? So essentially the topic behind this is like, you are scared to start hacking because you think you're gonna fail. So you just educate, educate, educate, educate, educate as a form of procrastination against, you know, doing actual hacking. See this all the time. Some people affectionately call it tutorial hell or
Justin Gardner Rhynorater (17:56.11)
not affectionately call it tutorial hell. Um, but this is definitely a pitfall and definitely something that. That yeah, a lot of people run into, what do you think about that? Joel.
Joel Margolis Teknogeek (18:04.586)
Yeah, I think we've touched on this a couple different times. It's really, really challenging because when you're new to this, you're like, what do I even start? What do I look at? Like, what do I need to know? Right. And that's a, those are like completely valid questions and ones that you need to answer. But the question is like, how much do you need to answer it? Right. Like, do you need to fully understand every aspect of the OWASP top 10 or like every conceptual part of like.
Justin Gardner Rhynorater (18:24.508)
Mm-hmm.
Joel Margolis Teknogeek (18:33.002)
a CSRF where you just need to know what it looks like and how to exploit it, right? And I think there's a fine line between how far you need to deep dive on learning a topic versus how far you need to deep dive just to exploit it. And I think this happens a lot, especially with new people where they just wanna absorb knowledge and keep learning and keep learning. And that's great, but when you're gonna start hacking, like you gotta branch at some point and...
Justin Gardner Rhynorater (18:38.184)
Mm-hmm.
Justin Gardner Rhynorater (18:57.673)
Yeah.
Joel Margolis Teknogeek (18:59.254)
and start, you can keep learning, but like, you got to start hacking and putting that knowledge to use. Cause that's what's really going to solidify it in your brain.
Justin Gardner Rhynorater (19:06.386)
Yeah, I totally agree. And I think one of the things I've told people is like, hey, do your basic introductions into how websites work. I have this flow that I go through with the people that I'm teaching, which disclaimer is not anyone that's ever messaged me online. I cannot take remote mentorships. Please stop messaging me about that. I really appreciate you reaching out, but I only mentor people that I know in real life. And so.
Joel Margolis Teknogeek (19:33.966)
Yes. Yes. Yes. I'm the same way, by the way. Like it's nothing personal. It's just like, it's a, it's a large time commitment. And like, we want to set expectations accordingly. We don't want to like, set, set you up for failure, set you up to expect something that's not going to happen. So we just kind of have signed it off entirely. And we basically only do mentorships on like, very rare one off cases. And it's usually people that we know.
Justin Gardner Rhynorater (19:34.662)
Sorry about that, disclaimer. But what, yeah, it's just too many.
Justin Gardner Rhynorater (19:56.134)
Yeah, yeah, so feel free to shoot me a message if you have a question, a pointed question or something like that, I'll definitely get to it, but I can't just do a formal mentorship with everyone. Okay, so what I was gonna say though was when I am mentoring people, I always walk them through this flow of like, okay, first we gotta understand how a website works. So, I'm gonna go ahead and start with this.
Justin Gardner Rhynorater (20:18.198)
and how HTTP works and how DNS works. And we walk through all that whole flow of what happens when you put a URL in your browser. And then they understand that. And they understand how to view it in Burp. They understand how to modify parameters. They understand how to use an HTTP proxy. And then I have them start working on PortSwigger WSA. And once they kind of get through that, I say a little bit into that.
Justin Gardner Rhynorater (20:47.914)
you know, once they've gone through the access control section or the broken, uh, or the business logic section, I say, okay, now we need to start pivoting part of your time from, from a very, very, very early stage into actual hacking. So take 10% of your time, do hacking, take 20% of your time, do hacking all the way up to 50, 60, 70% of your time doing hacking. And it's going to feel like crap in the beginning, cause you're not going to know what you're doing. And you're going to be looking at requests that don't make any sense.
Justin Gardner Rhynorater (21:16.182)
But just being in the HTTP request, reading the headers, reading the body, being curious, understanding how functionality in the UI maps to API requests in the backend, that is the meat. You need to be so comfortable with that before you can effectively do hacking. And the more time you spend, that's all, you know, that's all more experience that you've got.
Justin Gardner Rhynorater (21:40.366)
And that will serve you every single one, even if you don't find anything, if you don't understand anything, that will serve you in becoming a better hacker periodically as you continue, gradually as you continue to grow. So don't neglect that time or else you'll never get anywhere and you'll be stuck in tutorial hell forever.
Joel Margolis Teknogeek (21:55.147)
Yeah, yeah, no.
Joel Margolis Teknogeek (21:58.046)
Yeah, 100%. Like that just like asking like, why does this work or how does this work? Or like, where does this value come from is super instrumental to like understanding the core deep functionality of how an application is, is functioning and where data is going and all that kind of stuff. Um, cool. Yeah. So, so you got to start hacking, right? But here, this is like the next thing that I see, like second most common thing for new hackers: analysis paralysis. It's like, what program do I pick? What do I hack on? What do I focus on? Like.
Justin Gardner Rhynorater (22:04.831)
Mm-hmm.
Joel Margolis Teknogeek (22:27.382)
Man, this is such a common thing. We talked a little bit about this during the how to pick a good program. But I think especially when you're new and you're trying to pick the first program to hack on, just pick whatever sounds interesting. I think it's almost more important not to really focus on bounties. Bounties are very alluring. It's very tempting to want that big high cash money prizes and stuff. And I'm not saying that it's impossible to get those on larger
Justin Gardner Rhynorater (22:31.594)
Mm-hmm. Mm-hmm.
Justin Gardner Rhynorater (22:43.145)
Yeah.
Justin Gardner Rhynorater (22:50.59)
Mm-hmm.
Joel Margolis Teknogeek (22:55.478)
programs that typically have the higher bounty tables, but it's gonna be more challenging because there's a lot more people who have come before you who have looked at that stuff a lot more than you have and they have that leg up and you can get there for sure, but it's gonna take more time and you may not get the sort of instant gratification or satisfaction that you're looking for on one of those larger programs. So I recommend just picking whatever sounds interesting because that's gonna help you with the natural drive for hacking.
Justin Gardner Rhynorater (23:01.024)
Mm-hmm.
Justin Gardner Rhynorater (23:17.262)
Mm-hmm. Yeah.
Joel Margolis Teknogeek (23:24.374)
Pick a website that you're familiar with or like a tool that you've heard of or something that would be like, like for some people it's, oh, I wanna hack the government, okay? So focus on a DOD program. Don't worry about bounties. They have a huge program, huge scope. Just like hack some DOD stuff. Then you can be like, yeah, I hacked the government. You know, cool. Whatever you want, like for bragging rights, you know, or like, you know, whatever service you wanna hack. Like that's what I would recommend.
Justin Gardner Rhynorater (23:35.296)
Mm-hmm.
Justin Gardner Rhynorater (23:43.707)
Yeah.
Justin Gardner Rhynorater (23:49.042)
I sort of agree with that, Joel. I think the DOD is a little bit of an exception. I do mention the DOD as well to most people just because it does give you some sort of payment, you know, you're, you get to say, Hey, you know, I hacked the DOD and that feels cool. And that's nice. I normally recommend people to start from the beginning with bounty programs because, and skip the VDP stage because it feels so much better to get an actual bounty.
Justin Gardner Rhynorater (24:14.118)
Right, and some people will say, hey, I just want a valid bug, and you know what, that's fine, maybe VDPs are for you then. But my suggestion is to actually go and get an actual bounty. And if it takes extra time, great. But here's the problem with the VDP programs. One, nobody looks at them. And so, you can go on there, and you may be able to find some vulns, but you're not gonna get a good...
Justin Gardner Rhynorater (24:42.314)
indicator of how deep you need to go to find bugs on an actual bug bounty program. Yeah, and two, obviously you're not getting paid for your time, which is, it's not gonna help you with some of the other stuff we'll talk about a little bit later, which is bug bounty being a results for money based system, right? It's a, it's, some would call it a meritocracy, but I'll say it's a, it's a results for money based system.
Justin Gardner Rhynorater (25:09.766)
So if you spend a bunch of time, you don't get the results, you don't get any money, right? And so I think that's something that kind of takes some time to get used to and something that you can, you know, sort of edge into from the beginning. I will say from before, Joel, that was episode 13, how to pick a good bug bounty program. We probably shouldn't spend too much more time, too much time on how to actually, you know, pick a program on here. I will say one tip from that episode.
Justin Gardner Rhynorater (25:36.222)
Go, go watch the whole episode and understand it. But one tip that I'll pull away from that is if you can hack a website that you use.
Joel Margolis Teknogeek (25:44.602)
Yeah. Yeah. And I'll clarify. I don't know if I may have misspoken. I'm not really advocating that you pick VDPs over bug bounty programs. I think I would always try and pick a bug bounty program except in, you know, like we talked about, like maybe the edge case for the DOD. But what I want to say is don't focus on how high the bounties are. Right. So if it's like 1K crits versus 3K crits versus 5K crits. Yeah, we all want a 5K crit, but.
Justin Gardner Rhynorater (25:51.07)
Mm-hmm.
Justin Gardner Rhynorater (26:00.138)
Hmm, the DOD is cool.
Justin Gardner Rhynorater (26:05.611)
That's true.
Joel Margolis Teknogeek (26:10.898)
a bounty is a bounty and it's really just like what interests you. Yeah, if the thing you want to hack has a 1K bounty, that's fine. Like I would push towards that. And then like once you feel more confident, then like go hack whatever. And don't care so much about what the target is. But for that initial drive, it's really important to like, you know, want to hack what you're hacking.
Justin Gardner Rhynorater (26:13.39)
Mm-hmm. In the beginning, yeah.
Justin Gardner Rhynorater (26:32.434)
Yeah, totally agree, man. Okay, next one is automation obsession. Now I'm feeling silly about all these. Automation obsession is the next one, very aptly named because this is actually a pitfall that I fell into and I got very fortunate in that I actually got a crazy automation bug which got me started. My first bug was a 4K subdomain takeover which is high even by today's standards. But,
Joel Margolis Teknogeek (26:38.963)
Eheh, eheh!
Joel Margolis Teknogeek (26:57.806)
crazy.
Justin Gardner Rhynorater (27:02.762)
What I wanted to say on this one was a lot of people will feel like they need to build out their whole recon automation system and do all this programming. And a lot of these people are programmers by the way. So it makes sense that you wanna do the thing that you already know how to do. I would say do not do that if you really wanna get good at this because automation is a great field and is something that you can absolutely make a lot of bounties off of. But first you need to know how to hack. And for this I will...
Justin Gardner Rhynorater (27:32.106)
go ahead and refer you all, and we're gonna talk about this a little bit more in the recon section, but the point of this automation is to find vulns, right? And you're not gonna know how to find vulns until you actually find vulnerabilities. So I would recommend putting the automation aside, even if it's small automation, like, oh, I wanna be able to take this thing from Gal and put it into something else, which is a part of normal hacking. I would say hold off on that as much as you can. When you're hacking, hack, and when you're automating, automate, but try not to mix the two too much.
Joel Margolis Teknogeek (28:00.694)
Yeah, yeah, cool. Yeah, so for the next one, I wish this one rhymed and was more fun to talk about, but imposter syndrome. It's just, that's just, you know, that's not an easy one to swallow. I'm just gonna say that it doesn't go away. It gets easier to deal with because you can understand it and spot it much easier as you deal with it more, but.
Justin Gardner Rhynorater (28:08.822)
Shhh, heck.
Joel Margolis Teknogeek (28:28.238)
It's kind of one of those things that's always going to be there. And you just have to figure out the right ways to like, stop thinking about it or stop like, you know, just like thinking and thinking and thinking and, you know, mulling it over in your brain and just like, oh, I'm not good enough. Oh, like this FOMO and whatever. It's like, just, you know, go back to like the early beginner tips, right? Like procrastination education, analysis paralysis. Okay. Stop thinking about it.
Justin Gardner Rhynorater (28:45.672)
Mm-hmm.
Justin Gardner Rhynorater (28:52.872)
Mm-hmm.
Justin Gardner Rhynorater (28:55.528)
Mm-hmm.
Joel Margolis Teknogeek (28:56.83)
Stop trying to learn so much, just do it, right?
Justin Gardner Rhynorater (28:58.034)
Yeah. Yeah. And the imposter syndrome thing, I think as well is like, it's something that you fight with while you're hacking, but it's also something that you fight with before you're hacking. And that's why I have it in the before you're hacking section here. Before you're hacking, if it's preventing you from hacking, I'm not good enough to do that. You need to punch that in the face. You need to get upset at that imposter syndrome and say, listen, that's wrong. Hacking is not a
Justin Gardner Rhynorater (29:27.638)
a you're good enough or you're not good enough sort of thing. It's a process. And I'm saying this from being, you know, having done this a lot, guys. This is not some wishy washy, you know, you can do it, go get it, Tony Robbins BS, right? This is actually a fact. You know, spending time in the application, learning the application is a pivotal part of this. So even if you don't feel like you're good enough yet, get in there, start learning, get your hands on it.
Joel Margolis Teknogeek (29:55.318)
Yep. Yeah. And it's not like that meritocracy, like where people think like, oh, the more time I spend, like, I'm for sure going to find something. Like there are going to be times where you're going to spend a ton of time and effort looking for something and you're not going to find something and you're going to feel extremely like beat up and worn down and you just have to remember like, that's normal. Okay. You didn't do anything wrong. Like that is literally just part of the process. And you have to realize that you're, you're hunting for gold in...
Joel Margolis Teknogeek (30:23.022)
a river. You know, your, your life's like the 1850s. It's the gold rush. Like, yeah, needle in a haystack and there's no guarantee the needles there, you know, like there's five haystacks. Which one is the needle in? Start looking. Yeah. Yes. It's a golden needle. Like, yeah.
Justin Gardner Rhynorater (30:27.411)
Needle in a haystack.
Justin Gardner Rhynorater (30:36.046)
a very valuable needle in many haystacks. No, no golden needle in the Haystack River.
Joel Margolis Teknogeek (30:43.886)
And then he said, yeah, there's an analogy in there somewhere. I don't know. But yes, like, just remember, like, none of this is guaranteed. Like we hope to find bad vulnerabilities so that we get paid out, but none of it is ever like for sure. And so if you don't find anything, that's kind of a good thing, right? Like that's that's kind of that's kind of a good thing.
Justin Gardner Rhynorater (30:46.514)
Something like that. Haha.
Justin Gardner Rhynorater (31:02.13)
Yeah, yeah, and I wanna say this as well. There are a lot of people that, for most of you, let me just say, there are a lot of people that are a lot less skilled than you that are getting bounties right now. I can promise you that. So get out there and do it. Okay, next one for the before hacking section was motivation deprivation. And,
Joel Margolis Teknogeek (31:21.302)
Yeah. Yeah.
Justin Gardner Rhynorater (31:34.72)
This is a sort of a situation that kind of comes into play after you've found a dupe, after you haven't been finding anything for a while and you're starting up hacking again. It can be really challenging to like take on the huge task of looking at a big application and that sort of thing. And what I would encourage you all on this one is to just stay curious, okay? Stay, be in it.
Justin Gardner Rhynorater (31:59.262)
Don't be focused too much on the bounties. Don't be focused too much on the finding something. Be focused on becoming an expert on the specific application. One of the live hacking events that I participated in a while back, I spent so much time on this one application, two weeks every day in the JS files, finding everything I possibly could. And when I got to that live hacking event, I was like, you know what? I bet I know everything about this application. I bet no one here knows more about this application than I do.
Justin Gardner Rhynorater (32:28.714)
So I put a message out in the chat, I was like, hey, anybody wanna teach me something that I don't know about this application, right? And I got taken to school that day. Like, but that sort of confidence is the confidence that you need. Like, by the time that that live hacking event day came around, I felt like I knew everything about that application. But the cool part about it is you never will know everything about the application. And so you can keep on, so I had probably pushed through two or three layers at that point of
Justin Gardner Rhynorater (32:58.334)
Yeah, I think I found everything on this, right? And I said, well, let me do another double check. Let me do another double check. Let me do another double check. And then I got to this point, and then I still got taken to school by some of the other people that are at the live hacking event. So there's always gonna be more to find. Dive in, get it.
Joel Margolis Teknogeek (33:14.514)
Yeah, yeah, super amazing. And I think you don't have to like, don't, don't take away from that, that you have to be at a live hacking event to have that kind of moment. Just like ask yourself, like when you feel like you're at the edge of knowledge, be like, is there anything else that I don't know about or I haven't fully explored? And that's where your note taking and all that kind of stuff will really come into play.
Justin Gardner Rhynorater (33:23.635)
Yeah, yeah.
Justin Gardner Rhynorater (33:35.498)
Dude, I actually wanna share this really cool tidbit. I mentioned a guy a while back, I shouted them out, that I said, hey, write down all your attack vectors and go, and he messaged me the other day cause he said, I think I found everything. And I was like, okay, do it again. And he was like, okay, I trust you, man. He found four more bugs, one of them, which was a crit. And I was like, dude, you rock. Way to continue persevering through all that. So big, he did, he did, man.
Joel Margolis Teknogeek (33:55.111)
Exactly.
Joel Margolis Teknogeek (34:00.086)
And not only that, he had it written down. It was there, it was right in front of him.
Justin Gardner Rhynorater (34:05.714)
So cool. Okay, one more thing I wanted to talk about on this. This is a little bit of live hacking event hack that Mariah and I put together. For those of you that don't know, Mariah's my wife. And so when we were going into live hacking events, I guess sometimes it's easy to get overwhelmed, it's easy to not feel motivated, especially when you're on the live hacking event circuit and you're doing them every month or every other month, it can get kind of intense. And so...
Justin Gardner Rhynorater (34:32.778)
One of the things Mariah came up with was this goal system for me. So we would say, okay, Justin, here are the tiers. At this tier, you can do X, Y, Z. So for example, one of my tiers for the Vegas Hell Life High events last year was to get a hot tub. So if I earn more than X amount, boom, hot tub. If I earn more than Y amount, boom, cruise. And so setting tiers and goals for yourself.
Justin Gardner Rhynorater (35:01.866)
can be really motivating. And if you can see that sort of prize in the distance, it's easier to stay on top of it and remember what you're hacking for. So that's a nice little hack. You know, define a couple weeks sprints. If you're not doing a live hacking event, say, all right, I'm gonna hack for the next three weeks. If at the end of this three weeks, I've submitted bugs that, you know, sum up to X thousand dollars, then I'm gonna go out to a nice dinner or something like that. I think that can be really motivating.
Joel Margolis Teknogeek (35:26.774)
Yeah, for sure. I was gonna go into goals and stuff, but I think we're gonna talk about it a little bit more in the during hacking session. So let's dive into that. So yeah, during hacking. So like the first one, automation obsession. Now this is like a recurring theme. And yeah, go ahead.
Justin Gardner Rhynorater (35:34.558)
Yeah. Okay, cool.
Justin Gardner Rhynorater (35:40.242)
Yeah, so I copied that one in there. I copied that one in there from the other one just to throw a curve ball at you, Joel. I copied that one in from the before session as well, and here's why. This one should be pretty quick. I often found when I was trying to shift away from automation obsession that I was, I would get into hacking, I'd be like, all right, yeah, cool, I'm doing this hacking thing. And then I'd find something interesting, and I'm like, oh man, I need to like.
Justin Gardner Rhynorater (36:08.902)
I need to scan for this, you know, or I need to like, be able to evaluate for this vulnerability very quickly. And so then I would stop what I was doing, instead of staying in my zone, in my mode hacking, I would, you know, fire up Python and start trying to automate that. And that's an obsession with automation. Don't do that. When you're hacking, hack. When you're automating, automate. Take notes, you know, on what things you want to automate, come back to it later, but stay in the zone.
Joel Margolis Teknogeek (36:26.638)
Mm-hmm.
Justin Gardner Rhynorater (36:38.846)
you're in the zone when you have the application context in your brain, you need to minimize distractions. And so automation can be one of those distractions.
Joel Margolis Teknogeek (36:47.658)
Yeah, for sure. Notes, notes, notes, notes, write everything down. Come back to it later. Yeah. Cool. Recon cognizance, reconnaissance, cognizance. That's a that's a mouthful. Yeah. So basically just like. Yeah. Reconnaissance, recon, shmikon. I don't know. Yeah. So so recon.
Justin Gardner Rhynorater (36:51.934)
Yeah. Yep.
Justin Gardner Rhynorater (36:58.41)
There you go, there you go. There's nothing that really rhymes well with recon. Like recon.
Justin Gardner Rhynorater (37:09.431)
Yeah, but it's not like that, you know? Reconnaissance, cognizance.
Joel Margolis Teknogeek (37:12.766)
Yeah. So like, how do you, how do you like get your brain around recon in like a meaningful way? Right. I think it's a really easy trap to fall into this like recon hole because for one, there are so many tools that are just like literally just for recon: subdomain brute forcing, path traversal, path brute forcing, host brute forcing, fuzzers, you know, everything, like scanners.
Justin Gardner Rhynorater (37:23.958)
Mm-hmm.
Justin Gardner Rhynorater (37:36.287)
Mm-hmm.
Justin Gardner Rhynorater (37:39.314)
Yeah, V-host.
Justin Gardner Rhynorater (37:42.366)
parameter brute forcing. Yeah.
Joel Margolis Teknogeek (37:42.474)
Yeah, yeah, it's all like, you know, it's a bunch of brute forces and that's cool and stuff. But like, I think it's really easy to fall down a rabbit hole where you're like, I don't get it. I ran all seven tools that I have and I haven't found a bug yet. What's going on? I guess I'm just going to go to the next target. Right. And like, there are a lot of hackers who do that, which should tell you that if you don't do that, you're going to find the stuff that they missed. So I think recon is really good for.
Justin Gardner Rhynorater (38:01.812)
Yeah.
Joel Margolis Teknogeek (38:08.382)
Identifying attack surface and like seeing what things might be interesting to poke at, or maybe taking some notes and checking those things out later. But once you have like, you know, ten things or whatever, not even like, you know, once you have a couple things, just start looking into them and you're gonna find other stuff as you look, because the recon isn't really like the end-all be-all. Some bugs do end there, but the majority, I'd say, don't.
Justin Gardner Rhynorater (38:12.991)
Mm-hmm.
Justin Gardner Rhynorater (38:25.428)
Yeah.
Justin Gardner Rhynorater (38:34.534)
Yeah. And I just love this quote and we clipped it and we put it at the beginning of episode 12 with Jay Haddix. Probably one of the most valuable takeaways that we have from that episode from the recon God himself, Jay Haddix, he says, I make all these talks about recon to help you find more apps to hack. Right. That's the goal. So do your recon until you've found an interesting app to hack and then just hack that app instead of doing recon eternally.
Joel Margolis Teknogeek (38:52.814)
Mm-hmm.
Justin Gardner Rhynorater (39:04.218)
Um, that's, that's my take. There are some people that have different takes and there are people that subscribe to a lot more recon heavy methodology, but at the end of the day, even people like Nagli, right? Um, you know, he's a big recon guy, but when it comes to the live hacking events, the way he kills it, the way he ranks top is he gets his head on straight and he focuses and he hacks the main app. So yeah, very important there.
Joel Margolis Teknogeek (39:27.382)
Yep. Dives deep. Cool. Let's talk about goals a little bit, shall we?
Justin Gardner Rhynorater (39:33.93)
Okay, okay, so let me just say this one. It says, bad rabbit holes rip your goals. So this, no, this one was me. I'm not gonna, I can't even play this one on ChatGPT. This one's for me. Bad rabbit holes rip your goals. So let me just explain this one. A while ago on the pod, I think we were talking about a tweet from Rezo and
Joel Margolis Teknogeek (39:42.227)
Wait, did ChatGPT come up with that?
Justin Gardner Rhynorater (40:02.126)
I had said, I actually think it's good to rabbit hole. And I do still hold that, but I do wanna mention that I think there's a little bit more nuance to the topic. And I would love to have Rezo on sometimes to debate it, but essentially my current place is that you have to be able to identify what these bad rabbit holes are. And I've got a couple of little notes here and I'd be interested in hearing your thoughts as well, Joel.
Justin Gardner Rhynorater (40:29.95)
but essentially some ways to identify bad rabbit holes are the following. One, it does not expand your scope. So if this rabbit hole that you're going down doesn't give you access to more scope, maybe you're trying to figure out a way to access a specific application by getting an account there, registering an account or something like that, that might be a good rabbit hole. But if you're doing something that doesn't really expand your scope and doesn't meet any of the following conditions,
Justin Gardner Rhynorater (40:58.974)
then it might not be a good rabbit hole. The next one is low impact. It doesn't, it doesn't mesh with the application's threat model. You need to understand what kind of things the application finds valuable and what will happen at the end of the rabbit hole. It needs to be a destination rabbit hole. It needs to be one of those holes that goes down and then you pop off on the other side, you know? It can't be one that just goes straight down and then you die at the bottom of the hole, okay? So you need to have a goal with where your rabbit hole should lead you.
Justin Gardner Rhynorater (41:29.031)
And if you can't clearly see that, it's a very big risk to go down that rabbit hole. The next one was non-deterministic. If you think that there is a...
Justin Gardner Rhynorater (41:43.506)
If you don't know, I guess this is kind of similar to the low impact one, but if you don't have a good idea of whether this is gonna work out or not, or you don't see a clear path to whether it's gonna work out or not, then this may be a tricky rabbit hole, right? If you have a very clear condition like, oh, I just need to bypass this one piece, and then I've got like an SSRF, or this one piece, and then I've got, you know, an ATO, then that could be a good example.
Justin Gardner Rhynorater (42:11.614)
But if it's like, you know, I think once I bypass this one piece, then there could be like, maybe there's other controls in place, but very likely, you know, if you, if you, you know, hear yourself having that little internal conversation, then could be a bad rabbit hole. You have any other thoughts on bad rabbit holes ripping your goals? Joel?
Joel Margolis Teknogeek (42:30.902)
Yeah, yeah. So I think I agree with both of you. Like rabbit holes are both useful and not useful. And like you said, there are there are key things that can really help you identify whether or not you're going down a bad rabbit hole, so to speak. I think it's really. Easy to like be able to see it from both sides. So if you're like, for example, something that catches me a lot is
Justin Gardner Rhynorater (42:47.626)
Mm-hmm.
Justin Gardner Rhynorater (42:55.198)
Mm-hmm.
Joel Margolis Teknogeek (43:01.558)
proxying or something. If I'm proxying a mobile app, I might be able to proxy the whole app except for like just the beginning request or something or like the account creation request. And while that is a really useful attack scenario, it's also only one piece of like the whole application. It's only one piece of the flow. So instead of like rabbit-holing down and like spending three hours trying to figure out why I can't proxy this one request, just write it down, move on, come back to it later.
Justin Gardner Rhynorater (43:08.789)
Mm-hmm. Mm-hmm.
Justin Gardner Rhynorater (43:19.581)
Mm-hmm.
Justin Gardner Rhynorater (43:25.29)
Mm-hmm. Right. And that's a great point because that does expand your scope a little bit, right? That expands your scope to account creation, but it doesn't vastly expand your scope, right? And so it's a very limited scope expansion. Could be a bad rabbit hole.
Joel Margolis Teknogeek (43:39.638)
Right. Right. Right. And not only that, you might be restricted by like, oh, it's a one-time thing. Like, depending on what the vuln is, you have to think about, like, what might be the worst case scenario? Like, if I can imagine of just like being able to get access to this scope and if it's not like the worst possible thing or worse than other things you could think of, again, just write it down and come back to it later because you're spending a lot of that.
Justin Gardner Rhynorater (43:47.927)
Mm-hmm. Yeah.
Joel Margolis Teknogeek (44:05.474)
valuable time just like trying to debug something when you could be spending that like doing hacking and expanding your scope and like learning about the application, all that kind of stuff. Yeah.
Justin Gardner Rhynorater (44:15.458)
Totally agree on this. Just want to provide a disclaimer. I'm pretty sure this is what Rezo was saying from the beginning anyway. So shout out to him. Yeah, no, you know, yeah, you know, I'm pretty sure this is what Rezo was talking about from the beginning anyway, but you know, just throwing that out there. I think there are good rabbit holes and I think there are bad rabbit holes.
Joel Margolis Teknogeek (44:22.578)
Yeah, okay, then maybe I don't agree with you at all. I don't know. I did agree with what you said though.
Justin Gardner Rhynorater (44:38.666)
And these are some descriptors of a bad rabbit hole. So hopefully that'll be helpful. And I will say, I have this one little note before I move on. You gotta trust your intuition on some of these things too. And this is not as much for you newer hackers, but for you more experienced hackers, let's say maybe you've looked at 30 to 50 plus applications. Trust your intuition though, because sometimes your brain knows something that you don't know.
Joel Margolis Teknogeek (44:40.234)
Yeah, yeah. Okay, but.
Justin Gardner Rhynorater (45:07.022)
And if you think, man, I just really can't get this one piece of the application out of my mind, take the hour and just dive in and get a little deeper. Um, because I actually have found some cool stuff by doing that. And this goes back to the curiosity thing as well. Sometimes you just want to do cool shit. And you know, even if that doesn't end up with a vuln, if you understand how the specific process works and that makes that feels good, that feels cool to you, definitely go after it.
Joel Margolis Teknogeek (45:29.61)
Yeah, before we move on to the next thing, I did want to talk about goals really quick because this is talked about, like, talking about like rips your goals and stuff. But goals are like really, really important, in my opinion, for hacking. Right. I think one of the most important things you can do when you're hacking a target is set a specific goal. OK, I want to become a super admin. I want to take over this account. I want to.
Justin Gardner Rhynorater (45:37.311)
Share.
Justin Gardner Rhynorater (45:40.606)
Yeah.
Justin Gardner Rhynorater (45:43.162)
Mm-hmm. This is a great point.
Joel Margolis Teknogeek (45:57.986)
get an XSS, whatever it is, right? Like I just, just wrote, set your goal polls. Okay, well, maybe we can workshop that one a little bit. Okay, all right, set your goal polls. Yeah, yeah, so yeah, just set goals. I think goals are really important, even if it may seem unattainable in the beginning.
Justin Gardner Rhynorater (46:02.678)
Hahahaha Hahahaha
Justin Gardner Rhynorater (46:08.902)
That's what we're calling this section. Set your goal polls. No, it's great, it's great. Goal polls.
Joel Margolis Teknogeek (46:22.178)
having some sort of frame of reference, just like how with earnings you have goals, just so you have something to look towards, something to like picture and think about. Goals when hacking are really important as well, because it's gonna help you frame your entire reference about the application. What could I do with this endpoint? What can I do with that endpoint? Oh, this is weird functionality. What can I do with that? If you frame all of that towards your singular goal, it's gonna make you think much more creative and it's gonna help you get to that goal much, much easier.
Justin Gardner Rhynorater (46:27.402)
Mm-hmm.
Justin Gardner Rhynorater (46:48.63)
Hmm. Yeah, totally agree with that. One of the biggest bounties I've ever seen paid out in person was from a, uh, I don't even know what they were called at that point, Verizon Media, Yahoo, Oath payout, where they set a goal and they said, hey, anyone who can do arbitrary account takeover gets, you know.
Justin Gardner Rhynorater (47:09.47)
50K bonus or something ridiculous like that, right? And somebody, lo and behold, someone did it because they set up a goal. So this is actually a tip for the program side as well, if there are any program managers listening to this pod, and I know there are, definitely consider setting specific bonuses for things that are high value to you, like arbitrary account takeover or like full read internal SSRF or something like that, because that is a great way to motivate hackers in a very specific direction.
Joel Margolis Teknogeek (47:37.198)
Grammarly is a great example of that. Grammarly has a 100K, I think it's 100K if you can read a secret within a specific account or document or something. And that's just in their policy page, you know? It's just been there. So if you wanna get that 100K, like frame everything you can to get that. I've heard it's very difficult. So yeah, yeah, cool.
Justin Gardner Rhynorater (47:40.416)
Mm, yeah.
Justin Gardner Rhynorater (47:46.236)
Yeah. Yep.
Justin Gardner Rhynorater (47:54.118)
Yeah, we gotta go after that. We gotta check that out. I think that'd be cool. Okay, the last one in the during hacking section is called impact lacked. Impact lacked. And this is sort of situation that you can fall into where you swing to the other side and you get too curious or you get too focused on just some weird functionality that is like funky and odd but doesn't necessarily have impact. I see this.
Justin Gardner Rhynorater (48:21.498)
all the time with new hunters like, oh, I found this like directory listing and look at all these directories in here and like, you know, oh, I can access all these files and this is amazing, this is a vuln. No, that's not a vuln because there's no impact to the customer. So before you DM someone and you say, hey, Justin, is this a vuln? You should ask yourself, why do I think this is a vuln? And you need to be able to answer that question. What can I do?
Justin Gardner Rhynorater (48:49.726)
that the company doesn't want me to be able to do. And there could be an argument made that the company doesn't want you to be able to see all of their directories in the directory listing, right? To that I would say that doesn't meet the impact standards. But you need to outline that sort of thought, that sort of mentality from the very beginning and make sure that the thing you're going after actually has impact to the company.
Joel Margolis Teknogeek (49:14.326)
Yeah, yeah. And on that, you got to understand the threat model, right? So like if you are trying to explain this to a company, the best way to prove impact is to explain it in a way that demonstrates impact. Okay. And so like think about what does the company care about? Is it user data? Is it their data? Is it intellectual property? Whatever. Right. Like.
Justin Gardner Rhynorater (49:19.37)
then
Justin Gardner Rhynorater (49:36.402)
Paywall bypass, yeah.
Joel Margolis Teknogeek (49:36.79)
But most of the time, that's not going to be a directory listing, unless that directory listing has something in it that is impactful. And so I think instead of just reporting a directory listing, look at the stuff in the directory listing and see if you can find something more impactful. Maybe then consider just reporting that as is, but I don't think that would meet my criteria either in terms of like, oh, I'm going to report this and get a sick bounty. You're going to get like a hundred dollar bounty.
Justin Gardner Rhynorater (49:44.595)
Right.
Justin Gardner Rhynorater (49:59.828)
Yeah.
Justin Gardner Rhynorater (50:04.222)
Yeah, for sure. Totally agree. And nothing against $100 bounties. You know, $100 bounties is $100 bounty. And I would say, you know, if it meets the organization's threat model, and they've outlined that in the policy, then you should absolutely report that. Take the 100 bucks, help the company, win, win, win. But also, that's not gonna be the case a large percentage of the time for something like directory listings. Okay, so after hacking, yeah?
Joel Margolis Teknogeek (50:10.918)
$100 is $100, yes.
Joel Margolis Teknogeek (50:29.195)
Yeah, cool.
Joel Margolis Teknogeek (50:32.598)
Yeah, after hacking. Burnout.
Justin Gardner Rhynorater (50:37.503)
No, you gotta say the whole title, you can't skip the...
Joel Margolis Teknogeek (50:37.946)
Oh, sorry. My bad. I, after hacking. The burnout turnout.
Justin Gardner Rhynorater (50:44.574)
There you go. After hacking, the burnout turnout. Okay, so you wanna take this one first?
Joel Margolis Teknogeek (50:52.114)
Sure. Yeah. So I think you're going to have lots to say on this. I definitely have dealt with burnout so much. It definitely comes from different areas. Sometimes it's that you've been doing a ton of hacking and you're not getting a ton of bounties. Sometimes it's that you have been doing a ton of hacking and you haven't gotten a single bounty. Sometimes it's that, you know, you've been.
Justin Gardner Rhynorater (51:13.321)
Yeah.
Joel Margolis Teknogeek (51:15.322)
Looking at a target, you submitted a bunch of cool things, turns out they were all internal dupes. There's a lot of different reasons that you can get burnout. And I think, again, kind of like imposter syndrome, you have to remember this is completely normal and it's not like you've done anything wrong to feel this way. Burnout is like a very normal thing. It's probably more important to try and figure out what caused it and how you can try and avoid it or ease that burnout in the future.
Justin Gardner Rhynorater (51:21.546)
Mm-hmm.
Justin Gardner Rhynorater (51:35.605)
Yeah.
Justin Gardner Rhynorater (51:46.258)
Yeah, I totally agree. There has to be a mending process and a maintenance process. Um, and so, you know, the mending piece is like, ah, all right, I'm burnt out. How do I get out of this funk? Right. And the maintenance process is how do I not get burnt out in, in, in the first place and a lot of this, a lot of the, the things that for me with bug bounty that causes burnout is this whole results for money impact, right? Like if I, if I put all this effort in at my day job and something doesn't work out, I still get a salary, you know, if I'm a salaried employee.
Justin Gardner Rhynorater (52:18.132)
But if I put all this effort in and get no results out in bug bounty, nada. You know? And that's what happens from a material basis. However, you've got to understand that for every moment you're putting into not finding a bug and getting a bounty, that's another minute that you will not have to spend until you find your next bug. So it's not actually...
Justin Gardner Rhynorater (52:46.026)
useless, it's not actually wasted time, it's just a part of the process, right? And it's absolutely, and you're learning a ton, and that's very, very tangible. And this is one of the things that I've kind of talked to some of my friends that are starting, trying to like upstart some local businesses and trying to do sales, right? For every like ex-customers that you talk to and you get declined, like have something that makes it feel worthwhile, like pay yourself an extra dollar.
Joel Margolis Teknogeek (52:49.558)
Yeah, and you're learning a lot when that's happening.
Justin Gardner Rhynorater (53:15.518)
or something like that if you have startup money or like say, all right, if I get 30 customers that say no to me today, I'm gonna just go get some Chick-fil-A or something like that, right? Have some sort of metric that makes it still feel like even though that person said no, your time wasn't wasted. And the same thing happens here with Bug Bounty. For every 100 attack vectors that you try or for every 50 attack vectors that you try, whatever it is, do something that's self-care so that you don't end up getting.
Justin Gardner Rhynorater (53:45.098)
burnt out.
Joel Margolis Teknogeek (53:45.49)
I was just thinking about like, uh, you're at your 29th rejection of the day. You're you're you got three calls left and you're like, please just say no. I want the Chick-fil-A.
Justin Gardner Rhynorater (53:50.707)
Yeah.
Justin Gardner Rhynorater (53:54.066)
Please just say no. Please say no. Yeah, the worst scenario is like, you have a goal for 10 calls, you know, and then you get the hot tub, or 10 yeses, then you get the hot tub, and then you get a call for 30, you know, 30 rejections and you got 29, nine, and you just walk away, because you're done for the day. It's like, shoot, you know? No, that's funny.
Joel Margolis Teknogeek (54:07.574)
Hahaha
Joel Margolis Teknogeek (54:12.878)
Cool man. So do you have like, what do you use for personal tactics to deal with this? Because I'm sure you deal with burnout all the time.
Justin Gardner Rhynorater (54:19.846)
Yeah, yeah, yeah, I do. And it's hard. I think post live hacking event, I spent at least a week of downtime. And a lot of times, and we'll talk about this a little bit later, I've got some stuff to catch up on after the live hacking event season, just some responsibilities that have fallen to the side. But as far as my long-term solutions for burnout, I've actually suffered from burnout very little in my three years, yeah.
Justin Gardner Rhynorater (54:48.61)
as a full-time Bug Bounty hunter. And I attribute that largely to having a stable, you know, marriage and personal life, and then also to prayer and to finding my identity in something that is not Bug Bounty. Because I have the inclination to say like, man, if I'm not crushing in Bug Bounty, I suck. I am worthless, you know? And you know, it's not something I'm actively saying, but it's something that I'm feeling, right?
Justin Gardner Rhynorater (55:15.122)
And so you really have to address that first. You've gotta put your hope, your identity, your self-worth in something that is not your work. Because especially in bug bounty, it's extremely dangerous. There is a whole team of people on the other side of the computer whose job it is, non-stop, nine to five, every single day, to make your job impossible, right? That is a lot of pushback, right? And so...
Joel Margolis Teknogeek (55:36.59)
That's great.
Justin Gardner Rhynorater (55:43.838)
You know, keeping that in mind and, you know, finding your identity elsewhere, really good. Also for me, I find it really helpful to get out in the sun, play some volleyball, you know, have a decent workout routine, spend time with loved ones and family, even though, you know, you're in the middle of a live hacking event or a really intense hacking season. And that will just allow you to move refreshed into the next target.
Joel Margolis Teknogeek (56:05.826)
Chillin' your well-earned hot tub. Yeah.
Justin Gardner Rhynorater (56:09.442)
Exactly. Yeah. Yeah. Yeah. You get that first set of goal. Get a hot tub. Then make that happen. Get in the hot tub. That's the solution to burnout. Exactly. At all costs, get the hot tub. No. Yeah. Do you have any comments on that or do you want to hop to the next one?
Joel Margolis Teknogeek (56:13.079)
Yeah
Joel Margolis Teknogeek (56:16.782)
Everything else doesn't matter once you're in the hot tub. Awesome. Awesome.
Joel Margolis Teknogeek (56:26.398)
Um, no, I mean, I think I have a lot of the same type of just like try and separate yourself away from it. Um, this is again, we talked about this in, uh, in, in both the before hacking and the during hacking, but bug bounty is not a guaranteed thing. Right. Finding a bug, finding a security vulnerability, especially a critical one, not guaranteed. And you have to remember that like, we are trying to like, almost do the impossible here, right? We are, we are pushing against talented security teams here to try and find the holes that they missed.
Justin Gardner Rhynorater (56:45.712)
Mm-hmm. Yeah.
Joel Margolis Teknogeek (56:56.39)
And when you find something that's awesome, but it's not guaranteed and you can't like beat yourself up for not for like not finding a myth, like a mythical thing that may or may not exist. You know, it's like nothing that you did could have controlled that like and made it appear. Right. It either exists or it doesn't. And what really matters is whether or not you can identify it. And that's like completely separate from like finding it. You know what I mean? Like, I think like.
Justin Gardner Rhynorater (57:09.651)
Yeah.
Justin Gardner Rhynorater (57:13.428)
Yeah.
Joel Margolis Teknogeek (57:24.446)
You can always just take your notes and stuff. You can always keep hunting, but don't beat yourself up for a good security team being good. That's kind of an unjustified reason to beat yourself up.
Justin Gardner Rhynorater (57:38.098)
Yeah, totally agree. Okay, so we've got two left in after hacking. I know you gotta bounce here in a bit, Joel, so we'll try to move through them pretty quickly because I want you to be around for this report that I wanna tell you about. Responsibility volatility is the next one.
Joel Margolis Teknogeek (57:48.088)
Yeah.
Joel Margolis Teknogeek (57:53.331)
Oh yeah.
Justin Gardner Rhynorater (57:56.674)
And essentially, this is what I was talking about before, where you get so pulled into hacking that you've neglected other responsibilities, whether that be your relationship with your significant other, whether it be your chores, the dishes, the lawn, whatever. It's very easy to get focused and in the zone and then let everything else fall behind and it's not sustainable. And when you do that and you let all the things fall behind and you let that get...
Justin Gardner Rhynorater (58:23.15)
and you don't communicate well with your spouse or you don't hire someone to do your lawn or something like that, then it becomes, that's a very easy way to get burnt out because you'll come out of the hacking thing, you'll be like, ah, and you'll have like a panic reaction and then you'll be stressed out trying to get all this stuff done and get back up, caught up and it's just an easy, really easy way to get yourself in a rough situation. So don't become so fixated that, you know, you're not spending time with your loved ones, that you're not carrying with your responsibilities.
Joel Margolis Teknogeek (58:51.406)
For sure. It's important to treat Bug Bounty like a job if it is your full-time job, right? Don't let those hours abuse you. Just take it in a reasonable pace. Don't be working 15 hours a day every single day unless you feel like that's going to really drive the results. And I still wouldn't recommend doing that for a long period of time. You know what I mean? That's a lot.
Justin Gardner Rhynorater (58:58.28)
Mm-hmm.
Justin Gardner Rhynorater (59:00.984)
Mm-hmm.
Justin Gardner Rhynorater (59:06.111)
Mm-hmm. Yeah.
Justin Gardner Rhynorater (59:10.559)
Yeah.
Justin Gardner Rhynorater (59:13.19)
Yeah, yeah, well, one of the best things about being full-time bug bounty is you have a lot of freedom, you know, and so make sure you're not.
Justin Gardner Rhynorater (59:21.742)
squandering that because we're all, especially if you're younger, you know, you're a time billionaire if you're not a money billionaire, right? And so, you know, you're trading your time for money and you, you know, you, you can trade your money for time when you do stuff like, you know, pay people to do your lawn or whatever. Um, make sure you're not squandering that asset of like, I can make good money and still have a lot of freedom. Um, and I think that's something that I've learned recently and something that I'm struggling to implement right now, cause I'm in the middle of a reno too.
Justin Gardner Rhynorater (59:51.636)
So my time is getting really crunched. But once I get done with this rental property reno, I think I'll be enjoying the freedom that comes along with being full-time bug bounty a lot more.
Joel Margolis Teknogeek (01:00:01.866)
Yeah, for sure. All right. And for the last one, pay out phase out. I think this one is a lot more relevant for like the full time hunters, but really this is, you know, you, you, you're waiting for a bounty. Things start to slow down. You're like, I got the report in. Just wait and see when they pay it and, and see how I feel. But like that is a really easy trap to fall into.
Justin Gardner Rhynorater (01:00:07.86)
Hey out.
Justin Gardner Rhynorater (01:00:12.798)
Yeah.
Justin Gardner Rhynorater (01:00:19.946)
Mm-hmm.
Justin Gardner Rhynorater (01:00:23.591)
Yeah.
Justin Gardner Rhynorater (01:00:26.842)
Oh yeah, yeah. And I think, I think, um, I think. It's very tempting and there's, there's two sides of this. 'Cause on one hand, you kind of want to validate your threat model before you spend a bunch of time on an organization that doesn't, that you think you understand their threat model and you don't really understand. So that's one, you know, that's the positive side on waiting for the bounty, but the negative side is like, you get into an app, you find some great bugs, you write them up, you send them in, and then you just lose all context on that app. And that's not, that's not great because a lot of the time, if there's
Justin Gardner Rhynorater (01:00:56.586)
there's probably more vulns there. So go back, don't get too overexcited about the vuln that you found that you miss other vulns and hit it again because there's likely other vulns there.
Joel Margolis Teknogeek (01:01:08.79)
Yeah, yeah, super, super awesome advice and notes, you know, take notes. If you're, if you've just like submitted a bug and you're like, this is going to be a sick payout and you're not sure what to do next, check your notes, go and look at the other stuff that you wrote down and you didn't feel like you had fully investigated. That's a great opportunity to go look at some of that other stuff. Now that you've kind of completed, you know, your, your train of thought and finished reporting the bug, you know.
Justin Gardner Rhynorater (01:01:22.342)
Yep, that's true.
Justin Gardner Rhynorater (01:01:35.2)
Yeah.
Justin Gardner Rhynorater (01:01:36.302)
Joel, I know you gotta bounce here in a second. Feel free to leave if you want. I can wrap things up. But I did wanna talk about this one report. I put it in the doc. It's one that got disclosed this week on LinkedIn. And the title of it, Entire Database of Emails Exposed Through URN Injection. So when I saw this, I was like, what the heck is URN injection? And I read this report and I was really impressed. So from what I can tell here,
Joel Margolis Teknogeek (01:01:55.428)
That was exactly what I just asked.
Justin Gardner Rhynorater (01:02:06.136)
individual found out that the system that LinkedIn is using has this concept of a URN. And I'll see if I can find the quote right here.
Justin Gardner Rhynorater (01:02:17.554)
it is possible to trigger a URN resolution by assigning a URN value to a text field inside of the profile and using a decoration expansion in a Voyager query. So essentially what he found out was that he could take this URN, and I think in the report he puts it in the website field. And this URN, just for those of you that are listening in the audio medium, looks like urn colon li colon,
Justin Gardner Rhynorater (01:02:47.694)
object that you're looking at, fs underscore email address, colon, and then the actual ID. And so it's sort of like a structured ID, right? And so he takes that, he puts it in the website field, and when the call, he makes this call to the API, to the Voyager API on LinkedIn, that...
Justin Gardner Rhynorater (01:03:06.554)
API will look at that URN that was there and say, okay, if this field is a URN, then I need to resolve that URN. So it will go to the database, pull that value out, and stick it in the included field. And I think he said that there was some sort of...
Justin Gardner Rhynorater (01:03:24.09)
a parameter that allowed him to tell it to resolve the included URNs, and then that gets included in this little, I said included a lot of times, in this little included section in the response. This was a type of vulnerability that I've not seen before, and I have seen these URNs around. So this is definitely something to be aware of, I think.
Joel Margolis Teknogeek (01:03:43.626)
Yeah, super interesting. I think this URN stuff is like maybe a Microsoft thing. I don't know why it took me until today to realize that Microsoft owns LinkedIn, which is really interesting. I was just looking at the Wikipedia. Apparently this happened in 2016, but I don't ever remember. Maybe I just wasn't paying attention at the time, but yeah, so I was like, why are these docs on the Microsoft?
Justin Gardner Rhynorater (01:03:49.49)
Yeah, yeah.
Justin Gardner Rhynorater (01:03:55.206)
Yeah. Yeah, didn't, didn't realize that.
Justin Gardner Rhynorater (01:04:03.286)
Yeah. Just missed that, huh?
Joel Margolis Teknogeek (01:04:10.014)
on the Microsoft.com site. And yeah, that's why that's really, really, really interesting. I wonder where else you could use this within Microsoft owned services.
Justin Gardner Rhynorater (01:04:19.526)
Yeah, I totally, I totally agree. And I want to say there was even some mention of this in the, um, in the writeup that Sam Curry did on the Starbucks, uh, bug that we found together leaking the 99 million records on Starbucks. So, um, that could definitely be something to, to keep your eye on. And like we always say, you know, these, these sorts of things are the kind of things we love to cover the most here. New techniques coming out, um, stuff that y'all ought to be aware of. So we'll link this, uh, report in the, in the description. Uh, definitely go check it out.
Joel Margolis Teknogeek (01:04:27.018)
Mm.
Joel Margolis Teknogeek (01:04:36.226)
URNs.
Justin Gardner Rhynorater (01:04:49.6)
and shout out to UltraPOWA, the guy who found this vuln. This is really, really good fun.
Joel Margolis Teknogeek (01:04:56.47)
Yeah, super awesome. Cool, you got anything else?
Justin Gardner Rhynorater (01:04:59.891)
Alright man, that's it for me.
Joel Margolis Teknogeek (01:05:01.77)
Alrighty, catch you next week then. Peace.
Justin Gardner Rhynorater (01:05:04.455)
Sweet, that's the pod.