Episode 37: In this episode of Critical Thinking - Bug Bounty Podcast we're joined by none other than Lupin himself! We recap the Tokyo LHE and the lessons we learned from it before diving into his legendary journey into security research and bug bounty. We also talk collaboration of all kinds: pair hacking, joining a team, and starting a business together. We even touch on some great tools that can collaborate with each other! This was a fun one, and we don't want you to miss it!
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Today’s Guest:
Lupin and Holmes
JSWZL
Cursor
Clairvoyance
https://github.com/nikitastupin/clairvoyance
Tweet about Command Injections
https://twitter.com/win3zz/status/1703702550372078074
James Kettle article on security research
https://portswigger.net/research/so-you-want-to-be-a-web-security-researcher
Timestamps:
(00:00:00) Introduction
(00:01:00) Lessons learned from the latest LHE
(00:09:30) JSWZL and the Cursor Combo
(00:19:15) The Legend of Lupin
(00:34:35) Code and Collaborating
(00:38:48) Requests, Automation, and Testing
(00:50:28) Joel's Helper scripts
(00:52:50) Teamwork and Pair Hacking
(00:57:29) Tips for learning to Hack
(01:00:35) UUID and CTF
(01:08:35) Dynamics of Collaboration with French Team
(00:00:00) Like you do not need a mentor. You need someone to grow with you. And that's something that a lot of beginners have trouble with. I need someone to learn from. And that's not the fact. You need someone to learn with in order to grow up together. And I think that's the best part of hacking when you can just, you know, Critical Thinking. Right. Right. Right.

(00:00:46) OK, like 30 seconds before we started recording. Just say that again for the mic.

Yeah, I never watched the podcast, so I don't know what we're going to talk about.

Come on, man. You're killing me.

I'm just kidding. I'm just kidding. Of course.

All right, guys, we're here. We're in Japan.

Yeah, in Hakone. That's awesome.

The live hacking event is a wrap. And yeah, we've just been relaxing for the past couple. I don't know if you'd call it maybe relaxing. We've been doing some pretty intense sightseeing.

The hacking was not relaxing.

Yeah. But yeah, what did you guys think of the live hacking event? Any lessons learned or takeaways we want to share?

Man, I thought that the live hacking event was really cool in Tokyo and everything.
(00:01:29) I think the lesson I learned is how to pick fights, you know, in a way that there is some bugs where you need to argue more than others and you do not have the time to argue on every bug when you're on the live hacking event scene. So we need to really pick, like, what are the most impactful bugs and which ones do you take time to explain to the program and which ones do you just kind of quit arguing about it? So that was a good lesson, I think.

Yeah, absolutely. I mean, some of the bugs that had come out of this event, especially the things that were shown at Show and Tell, were some of the most unexpected things, I'd say. Like, I was very surprised at like, honestly, a lot of them were very simple, straightforward, like things.

Definitely. In hindsight, I was like, oh, I should have just.

Yeah, I'm surprised I didn't see that or whatever it is. And some of them were just like insanely big brain, like, I don't want to go into too many details, but there was one with like, you would put like the same parameter in twice and I would probably just would have never even tried anything like that.

I mean that like a lot of the bugs were simple technically, but you needed to find how to do it.
(00:02:39) And so this is like the frugality of bug bounty when you find like something really easy to reproduce, but at the same time, you need to be really creative about how you find those kind of bugs. And so there is a lot of people that went the extra miles in the recon because we had like a small scope and there was so much out of the box thinking. And it's really inspiring to see the show and tells.

Yeah, man, that was the thing for me on this one. I have a lot of takeaways from this one. It was a little bit of a challenging one for me personally. So I was sitting in the hot bath with Nugly last night, kind of running over what kind of stuff that we could have done differently. And just like you guys said, you know, there were just a lot of bugs at this event that were just like, wow, you know, why would you even try that? You know, like and so definitely thinking out of the box. And then I think another really thing that became really clear to me this event was, you know, the team made it very clear that like if you are able to impact core components and PII that they don't care like, you know, like you. That is what they want. You know, and so scope is not a problem at that point, right?
(00:03:49) As long as their users are getting protected, which I think is really great. But it's something that I didn't prioritize quite as well, you know, during this event, and I think the hackers that went around the scope and then found ways to, you know, attack the core assets in PII. I think they did the best this event.

That's really impressive. Yeah.

Yeah. And I think one of the interesting things we actually talked about this, like last week on the last episode about where's sort of the ethical boundary about going out of scope and like, yes, is it OK to go out of scope if it provides impact? And I think one sort of caveat to this is it wasn't really like out of scope per se, it was more like out of scope for the event. It would be in scope for the main program. And I think like worst case scenario, if you had really gone like out of scope, they just moved it to the main program. But they were really looking for things that would cause impacts to this, you know, special scope that was being targeted and just in general to the program as a whole. And so I think it was really awesome that they said that was OK for you to, you know, sort of bend it a little bit as long as you're able to provide impact because they have that awesome relationship with the researchers.
(00:04:53) I think that every company should do that when they have the maturity, because like I don't like scope in the sense of domains. Right. But I like scope about the sense of where you are impacting the data. Right. So in my opinion, scope shouldn't be like there is this subdomain that is in scope, but the other one is not in scope. Imagine that you have a subdomain that is exposed, you don't even know about. And there is directly into the database with a SQL injection. This is the same database that is impacted with the same data, but it wouldn't be in scope. And so I prefer when programs say, for instance, the core database is in scope, but we do not care about the entry point. Right. And there is other programs that are really mature about third parties because European companies actually, if there is a third party leaking data or anything, they are still responsible. The first party is always responsible. And so it's really cool when you can, you know, hunt on third parties also. So I really wish we had more maturity in that realm.

Yeah, it's definitely cool to see. And I think, you know, like you said, that's something that's a more mature program decision, but it's really awesome to see.
(00:06:06) And it actually makes the most sense from a technical perspective, too, because like you run into these programs where it's like, OK, this domain is in scope. OK, well, what the heck does that mean? Because nine times out of 10, that domain is resolving to an IP that's a load balancer, and that load balancer serves many different applications. So if you're saying, OK, this IP is in scope, well, then I can modify the Host header on that specific request to get routed to all sorts of different applications from those in scope. You know, and so it's cool to see a program, you know, like you said, take responsibility as the first party and do that.

The other big takeaway for me from this event was, I guess, very thoroughly auditing JavaScript files that are not necessarily on the main asset. You know, and for me, one of the things that I knew before this event and I actually did, but didn't thoroughly assess, was lazy loaded Webpack files. Right.

Interesting.
(00:07:04) And so, you know, going that extra mile to open up the core main file, dump all of the, you know, dynamically loaded JavaScript files that are also in that same folder, grabbing all those down and then making sure you're thoroughly auditing all those to get the API, all the API resources you need, you know, that would have made a big difference for me during this.

Definitely. Yeah. And like, it's very counterintuitive because if you're hacking on that app and you look at it in Burp, say you just go to a login page, you're not going to see all of the other modules being loaded because they're lazy loaded. It's only going to load the things that are necessary. And so if you just see, oh, there's this JS file and you just see only a couple little endpoints or whatever and that's it, you have to go. You have to explicitly pull apart those JavaScript files and you're going to find the other functionality because it's in there. You just have to go and get it. And if you don't log in or something, say it's an admin portal, right? You can't log in. Well, you might not see those, but they're there. And if you go deeper, you may actually be able to access things within those files and you'll see the other functionality, but it'll take more time.
(00:08:11) And something like JSWZL, I think, you know, we've talked about this before. You know, tools like that are designed for analyzing JavaScript functionality. Those are really going to come into play as more and more like React apps and that kind of stuff that are doing this type of behavior come into play.

Yeah, I think I found so many bugs that were so easy, but just like hidden in some JavaScript calls that were made by the front end because I didn't have the privilege or anything. And also what's really interesting about the JS files is that there is a lot of calls that hasn't been released in production yet. So it's been A-B testing. And so if you manage to detect those A-B tests, you might end up with a new scope to play with, like a wider attack surface. And especially for companies that do continuous development, this is super true. So if you manage to change the A-B testing and look at all the JS files, you might end up with really simple vulnerabilities like the basic IDOR, but just because it was so hidden inside the scope, no one found it.

So yeah, definitely interesting. Monitoring those endpoints has always been the JS files.
(00:09:19) And then, like I said, taking that extra layer, that's always been on my to-do list for automation, soft core automation, I guess, is like, OK, I'm really interested in this one program. I'm going to set up an automation system specifically designed around their cycle, their software development cycle, and have that pushed out. But yeah, I was going to ask as well regarding... You mentioned when we were walking down the street to the freaking shrine earlier today to meet up with friends, you mentioned that there was this VS Code plug-in that you've been using. And I imagine it actually would work well in conjunction with JSWZL.

Exactly. Yeah.

Could you talk a little bit about that? Because that was a really interesting product.

Yeah. So I saw the tweet of Corbin that basically used JSWZL with Cursor. And Cursor is like a wrapper around VS Code, since VS Code is mostly open source. And basically, they're embedding GPT-4 inside the VS Code. And you can directly ask questions about your code base. What's really interesting is that you can pay the subscription, but you can also directly, natively use your GPT-4 API key. So you directly pay OpenAI and no need to go through their servers.
(00:10:33) And it's so amazing. Like right now, I'm using it to do JavaScript analysis on Google. They use a lot of weird RPC calls. It's horrible. Proprietary protocol. And basically, I'm going like, OK, that's the endpoint of the request. So what are the parameters? Because they are so embedded in one function to another function to another function. And basically, I'm just asking the AI, tell me which other function you want context to so I can provide it to you. And we can reconstruct the request. And I did that maybe five, six times. And at one point, I just got the request that I needed to send. And then the protobuf request. And I was like, oh, that's amazing.

And it just built it automatically?

Yeah. And so I use JSWZL to detect which other endpoints.

You did some automation also to get the ideas right. And then you just ask Cursor, OK, explain to me this code.

And this is the job. Instead of having six to seven hours of code review, do it maybe in two hours. It's so great. I love it.

Wow. It's really interesting.
(00:11:44) I think this is something before AI or like GPT was really more... Before it was as fleshed out as it is, this would be something that you might have like CodeQL or maybe some more of a technical tool we're doing. But the approach is basically just feeding it into AI and saying, hey, what do I need to know about this? It's so much more powerful because it can do everything just like in an instant where it just analyzes this huge chunk of data and is able to just parse it and tell you, oh, yeah, here's what you need to know.

I'm a little confused about how that works, though, because I feel like the code base would extend past the context window. Any... Do either of you guys know how that works or is it with GPT-4 like 8K or something? I don't know.

So basically, when I use it, I select the lines of code I wanted to interpret, but they natively use a way to compress the file. And basically, they have like some kind of, if I understood correctly, a search engine on the client side that, depending on the question, will go look for the code before and then give the context to OpenAI. So you do not have to give everything.

I see.
(00:12:54) It's like Bing search is doing, like the search engine does the first request and then gives the data back to OpenAI and OpenAI will put context.

I see. Yeah, that's really interesting because like what you meant, we were talking earlier about like tokens and sort of how like AI looks at input as tokens and it splits it up into different segments that it can understand better and sort of looks at those pieces individually and then we'll build like the context together. And I think that's like what you said, like the way that it parses that is kind of counterintuitive because you might think like, oh, you know, I can't feed a giant file. But you can because it can do some more processing magic on it than before.

I mean, like LLMs are trained on so many data points that actually they can complete contexts. So if you say this function parses something, they can guess. It's not like the more accurate way to do it. But I think the Cursor team did a great job about knowing what to feed to the AI and knowing like what they already know so you can like compress as much as possible the tokens to not pay the 8K subscription.

Right, right, right. Yeah. And I think combining those two tools together, JSWZL and what was it? Cursor.
(00:14:14) Cursor. OK. Like mouse cursor. Yeah. OK. Gotcha. Gotcha.

Yeah. Combining those two tools together is a really powerful combo. So shout out to Corbin for that one. Yeah, I'm definitely interested to see where all that goes. And JSWZL, I think we'll probably cover in a little bit more detail on a different episode. But I booted it up for the first time during this live hacking event. And I've been using it. And it's really cool to see it do automatically what we talked about, breaking out those Webpacked JS files and having it drop all of the things there. But I'm wondering, I don't know if you've used it, Joel, but for you, Lupin, I'm wondering how you've been using the tool, because for me, I've been having a little bit of a difficulty with it and I talked to Charlie about this and I think he's fixing it. But I've been having a little bit of difficulty with identifying the portions of the JS code that I really want to analyze because there's not a search function presently. Yeah. And so, I mean, do you have that same struggle? Have you worked around it? How are you using the tool currently?

Yeah, the tool misses like a search function.
(00:15:23) That's definitely something that needs to be implemented. The way I use it is more about like knowing the attack surface and then constructing word lists out of it. So basically, I had this GraphQL API that was behind authentication. And so it was just for admins. Right. But you could with a low privileged user, just because, you know, cookies are well, I can get that. You could make a simple request to it, but without authorization, of course. And the introspection wasn't turned on. So how do you know which queries you do? You go to the JS files. Right. And what I did with JSWZL, that was awesome. It listed all the queries. I just copied all the queries and generated a word list that I gave to Clairvoyance and basically Clairvoyance would try to brute force the schema, the GraphQL schema, and give it back to you. And so then I fed the 70 MB, like it was a big schema, to GraphQL Voyager. And I had like everything, every call that was being made, because when there is a GraphQL, everything is always documented in the front end. I don't know why there is some libraries that even have introspection inside the JS.
(00:16:50) Like if it's not turned on, go check the JS and you can copy the introspection and paste it just because they forgot to turn on a flag.

I've never seen that.

Yeah, I've seen it like a lot of times and it's so interesting.

So it's so funny you mention that because I literally did the exact same thing. Except I didn't use JSWZL for it. I used my own parsing script to expand the Webpack files. And then I did exactly that. I took a regex. I pulled every string that was compliant with GraphQL naming standards essentially for queries and for field names and that sort of thing. I put it all in a word list and I fed it to Clairvoyance. And for those of you that are listening that aren't familiar, we'll link it down below. But Clairvoyance is a tool that I guess sort of plays on the problem with GraphQL, where they will recommend you fields if you have the improperly defined fields. So, you know, let's say there's a field called store. And, you know, sometimes it's even like pretty far. You might even get away with like sport. And it may be like, did you mean store? And it'll tell you.

It really depends on the back end.
(00:18:03) So depending on the language, you can set up the amount of tokens that needs to be the same. So really, it's interesting. So sometimes it's like two tokens apart, so two letters. Sometimes it's three, four. And they can set that up on the back end side. And depending on the framework, they will have a different kind of far away or not. You know, yeah.

Well, I mean, it's really interesting that you mentioned that that started with GraphQL because I was going to say the same thing about not even just GraphQL, but same thing with API requests. Like, yes, if you're pulling apart those Webpack files and the lazy loaded files, not only will you see the endpoints, but you also see how they're being used. Where is that data coming from? And one of the really powerful things about having all of that just right in front of you in JavaScript, it's just like Android apps where you can decompile it. You can see how everything is working like right in front of you. You can do the same thing with the JavaScript. All you have to do is pull it apart. You can see, oh, it's making a POST request and it builds the body with these fields that are named this and that data comes from here.
(00:19:01) It's a parameter and that's fed in through here. And you can track it all and you can see sort of how that data flows through the application to get to that request. And you can piece it together without ever having used the application at all. You can do it completely from static analysis.

Yeah. Yeah. Cool. All right. Well, we went on a little bit of a tangent there.

I told you so.

It's true. It's true. Right before we started, you're like, we're definitely going to go on.

I feel like we should at least have you introduce yourself.

But it's a good one.

OK, listen, listen, listen, listen. I turned it on, you know, at the time that I did on purpose. Well, we'll give you a little bit of a pre-introduction on this episode. But yeah, let's hear the self-introduction or the jiko shokai for you, Lupin. So what does she want to do this?

Oh, man. Yeah. So Ronnie, also known as Lupin on the Internet. I've been doing security since I was 13 years old. Because I wanted to become like Arsène Lupin. I knew a bit of programming and I read the book of Arsène Lupin. I was like, how can I become that guy? At the moment, I read the book and I made the association with programming.
363 00:20:08,080 --> 00:20:10,440 I thought I created hacking. 364 00:20:10,440 --> 00:20:15,600 But then I learned about all the history, all the culture from the fifties and everything. 365 00:20:15,800 --> 00:20:17,560 And I love it so much. 366 00:20:17,560 --> 00:20:19,280 I started to say, how's that? 367 00:20:19,280 --> 00:20:21,320 I mean, are you Lupin? I feel like you're Lupin. 368 00:20:21,320 --> 00:20:26,120 I feel like you've done that, you know, like I mean, Lupin is a gentleman thief. 369 00:20:26,120 --> 00:20:28,160 I'm not stealing from anyone. 370 00:20:29,600 --> 00:20:33,120 Maybe stealing from companies because they're giving booty. 371 00:20:33,120 --> 00:20:34,360 I don't know. That's a stretch. 372 00:20:34,360 --> 00:20:36,800 You're the top Lupin that I'm aware of. 373 00:20:36,800 --> 00:20:39,080 When I think Lupin, I think you, not anyone else. 374 00:20:39,520 --> 00:20:40,600 Thanks a lot. 375 00:20:40,600 --> 00:20:45,840 And yeah, so and I started bug bounty hunting like three years and a half ago. 376 00:20:46,400 --> 00:20:48,680 Four years, maybe I don't remember correctly, but 377 00:20:49,520 --> 00:20:51,960 and it has been a wild ride. 378 00:20:51,960 --> 00:20:57,920 I started the live hacking scenes one year ago in Vegas. 379 00:20:57,920 --> 00:21:02,640 And it's just amazing experience. It's awesome. 380 00:21:02,640 --> 00:21:05,560 How did you how did you get on the live hacking scene? 381 00:21:05,560 --> 00:21:06,560 Did you just get it? 382 00:21:06,560 --> 00:21:08,880 You just open your mail one day and there was an invite or? 383 00:21:09,560 --> 00:21:12,280 I think it was like the first ambassador woke up 384 00:21:12,560 --> 00:21:17,480 because since I'm an ambassador for France and apparently I did well, 385 00:21:17,480 --> 00:21:22,120 I don't think so, but they gave me an invite to Vegas. 
386 00:21:22,400 --> 00:21:25,600 We actually won the first World Cup, even though the second one, 387 00:21:25,600 --> 00:21:26,800 we didn't get the first. 388 00:21:26,800 --> 00:21:28,360 I think I did well. They won. 389 00:21:31,400 --> 00:21:33,520 I didn't get out of the first round of the World Cup. 390 00:21:33,520 --> 00:21:35,520 And it's just, I don't know, man, sometimes it's just, 391 00:21:36,600 --> 00:21:39,920 you know, I'm not even going to throw any salt, but it happens. 392 00:21:39,920 --> 00:21:43,040 Yeah, it happens. No comment. 393 00:21:43,040 --> 00:21:46,400 And yeah, live hacking are way different. 394 00:21:46,400 --> 00:21:49,720 And the bug bounty is so tiresome. 395 00:21:49,720 --> 00:21:55,920 You get like one month straight of, you know, no social interaction anymore. 396 00:21:55,920 --> 00:21:59,800 You know, going to bed at five a.m., starting your day at ten a.m. 397 00:21:59,800 --> 00:22:03,680 and you're like, oh, it's so interesting seeing how how things have shifted 398 00:22:03,680 --> 00:22:05,160 in the very early days of live hacking events. 399 00:22:05,160 --> 00:22:07,280 It used to be, I mean, sometimes you wouldn't even know the scope 400 00:22:07,280 --> 00:22:08,480 until you got there. 401 00:22:08,480 --> 00:22:11,240 And and it would just be like hack fest. 402 00:22:11,240 --> 00:22:13,600 Everybody's just like finding really cool bugs on the same day. 403 00:22:13,600 --> 00:22:16,920 And now it's evolved so that there's like a pre hacking window. 404 00:22:16,920 --> 00:22:18,320 There's a duplication window. 405 00:22:18,320 --> 00:22:22,160 People are basically, you know, work 12 hours a day, sometimes more 406 00:22:22,760 --> 00:22:25,520 just every single day leading up to the event, finding all these really, 407 00:22:25,520 --> 00:22:28,200 really crazy bugs. And then they convened together. 
408 00:22:28,200 --> 00:22:31,400 And even more crazy bugs get found because of the minds connecting together 409 00:22:31,400 --> 00:22:33,280 and having these awesome discussions between hackers. 410 00:22:33,280 --> 00:22:37,680 Amazing. Something that Jonathan said, Jonathan Bouman, Dr. 411 00:22:37,680 --> 00:22:41,600 Bouman, Dr. Bouman that I really liked is he said 412 00:22:41,600 --> 00:22:46,200 that he wanted to have the show and tells before the event starts on site 413 00:22:46,400 --> 00:22:49,680 to inspire other people to find stuff. 414 00:22:50,080 --> 00:22:52,520 And I think it's an amazing idea. 415 00:22:52,520 --> 00:22:55,920 So imagine you two weeks you're down the rabbit hole. 416 00:22:55,920 --> 00:22:56,800 You didn't find anything. 417 00:22:56,800 --> 00:22:58,840 And you have like people showing you verbatim. 418 00:22:58,840 --> 00:23:01,400 It's like, this is how we've done it. 419 00:23:01,640 --> 00:23:04,440 And like inspiring you to find new stuff on site. 420 00:23:04,440 --> 00:23:07,240 That could be so awesome. Oh, yeah, that would be that would be amazing. 421 00:23:07,240 --> 00:23:10,040 And we always walk away from those show and tells like, you know, 422 00:23:10,040 --> 00:23:13,560 your brains are just buzzing, you know, and you're like, oh, man, 423 00:23:14,080 --> 00:23:15,600 maybe I could apply that here or there. 424 00:23:15,600 --> 00:23:18,640 And then and then, you know, you go out and, you know, hit the bar or whatever. 425 00:23:18,640 --> 00:23:20,600 And then the next day you don't even check it. 426 00:23:20,600 --> 00:23:24,280 But yeah, that would be that would be a really good idea. 427 00:23:24,280 --> 00:23:28,120 The last show and tells in Vegas, there was Frans Rosén that had two show 428 00:23:28,120 --> 00:23:30,680 and tells back to back. So salty. I missed this. 429 00:23:30,680 --> 00:23:36,640 Yeah. 
And and then like I went out of the show and tell with an addict 430 00:23:36,640 --> 00:23:41,480 like because of him, it was just so many stuff going on. 431 00:23:41,480 --> 00:23:44,120 And I was like, what the heck is he talking about? 432 00:23:44,280 --> 00:23:48,920 And I want to go back again, reading his reports, get better at it. 433 00:23:48,920 --> 00:23:51,200 Right. Because show and tell are like this. 434 00:23:51,200 --> 00:23:56,080 You get creativity from other people and you don't need to do what they did, 435 00:23:56,080 --> 00:24:00,000 but you need to apply what you learn for your own creativity. 436 00:24:00,000 --> 00:24:02,880 And I really like this format because of that. 437 00:24:03,520 --> 00:24:06,200 Yeah. I mean, oftentimes I'd say it's like 438 00:24:06,200 --> 00:24:10,680 maybe twenty five seventy five, like, you know, one third, like two thirds 439 00:24:10,680 --> 00:24:13,320 kind of split or whatever, where I'll see a bug and I'll be like, oh, 440 00:24:13,320 --> 00:24:15,880 I was looking at that thing. I almost thought about trying that. 441 00:24:15,880 --> 00:24:19,120 Or maybe I did try it and I just didn't really push far enough. 442 00:24:19,120 --> 00:24:20,280 And I was like, I just tried it. 443 00:24:20,280 --> 00:24:21,800 I was like, OK, this isn't going to work. 444 00:24:21,800 --> 00:24:23,960 I just moved on. And that ended up being a bug. 445 00:24:23,960 --> 00:24:27,640 But so many other times there'll be something completely out of left field. 446 00:24:27,640 --> 00:24:32,200 I'm like, I never would have like never ever would have tried anything like that. 447 00:24:32,200 --> 00:24:35,960 And I sort of have to take mental notes and be like, OK, that's something that I need to 448 00:24:35,960 --> 00:24:38,360 see if that's going to work. Why did that work? 449 00:24:38,360 --> 00:24:41,080 Was it like a specific system? Was it how it was set up? 
450 00:24:41,080 --> 00:24:43,320 What went wrong in the back end to make that happen? 451 00:24:43,320 --> 00:24:46,600 There was like my first event in Vegas. 452 00:24:46,600 --> 00:24:53,560 It was a great show and tell from Tom Anthony and the one in London. 453 00:24:53,560 --> 00:24:55,640 There was a customer that was the same one. 454 00:24:55,640 --> 00:25:00,040 And I remember like this feature, I had never hacked on that customer, 455 00:25:00,040 --> 00:25:03,320 like on the other event I hacked on the other customer. 456 00:25:03,320 --> 00:25:06,520 But I remember he mentioned a really interesting feature. 457 00:25:06,520 --> 00:25:11,480 And so I went looking for that feature and I was like, that's interesting. 458 00:25:11,480 --> 00:25:12,920 Remember what it did? 459 00:25:12,920 --> 00:25:16,360 And like I was remembering like the bug and everything. 460 00:25:16,360 --> 00:25:22,760 And I found a bypass, like a simpler version, but complex because like it was a lot of parsing 461 00:25:22,760 --> 00:25:24,280 requirements and stuff like that. 462 00:25:24,280 --> 00:25:28,920 So the payload was simpler, but it was like so hard to find. 463 00:25:28,920 --> 00:25:34,040 And basically because of your show and tell, I got like a bypass of one of his vulnerability 464 00:25:34,040 --> 00:25:35,320 for one year ago. 465 00:25:35,320 --> 00:25:41,560 And it was like, that's the purpose of trying to like getting new visibility and new creativity. 466 00:25:41,560 --> 00:25:45,160 Yeah, I think that's something that we could think about implementing in the ambassador 467 00:25:45,160 --> 00:25:45,960 program as well. 468 00:25:45,960 --> 00:25:49,000 The HackerOne ambassador program is like if we... 469 00:25:49,000 --> 00:25:51,480 You're the ambassador for France. 470 00:25:51,480 --> 00:25:53,480 I'm the ambassador for Virginia. 
471 00:25:53,480 --> 00:25:59,640 And I think it would be really cool after we go do a spree of hacking to have a little 472 00:25:59,640 --> 00:26:02,440 show and tell for our locality or whatever. 473 00:26:02,440 --> 00:26:03,080 That'd be really good. 474 00:26:03,080 --> 00:26:06,760 And we'd learn a little bit more from all the other hackers and stuff like that. 475 00:26:06,760 --> 00:26:09,800 Yeah, we'll have to think about implementing that one. 476 00:26:09,800 --> 00:26:11,400 Brainstorming session. 477 00:26:11,400 --> 00:26:11,960 Okay. 478 00:26:11,960 --> 00:26:18,440 So I guess bringing it back, Lupin, you recently started a company called Lupin and Holmes. 479 00:26:18,440 --> 00:26:19,000 Yeah. 480 00:26:19,000 --> 00:26:21,960 Beautiful website, LNH.tech. 481 00:26:21,960 --> 00:26:23,480 LNH.tech. 482 00:26:23,480 --> 00:26:23,960 Is that what it is? 483 00:26:23,960 --> 00:26:25,160 LNH.tech, yeah. 484 00:26:25,160 --> 00:26:26,040 Beautiful website. 485 00:26:26,040 --> 00:26:30,840 Everything Lupin designs or has designed is super gorgeous. 486 00:26:31,720 --> 00:26:35,240 Talk to me a little bit about that company, what your goals are for the company, how it 487 00:26:35,240 --> 00:26:36,680 correlates to Bug Bounty, that sort of thing. 488 00:26:37,720 --> 00:26:42,280 So it really started before founding this company. 489 00:26:42,280 --> 00:26:49,400 I was a senior security engineer at ManoMano, so a European company like marketplace online. 490 00:26:49,400 --> 00:26:52,920 And I entered that company when I was 18 years old. 491 00:26:54,280 --> 00:26:57,240 I did two years there and I learned so much. 492 00:26:57,240 --> 00:27:05,320 And I learned also the purpose of research in security and how it can be applied to companies. 493 00:27:05,320 --> 00:27:10,120 And from that learning, I was like, I need to do more research in security. 494 00:27:10,120 --> 00:27:10,360 Right? 495 00:27:10,360 --> 00:27:12,680 Okay. 
I'm going to interrupt and then we're going to come back to that. 496 00:27:12,680 --> 00:27:16,280 So actually, you said you were at ManoMano. 497 00:27:16,280 --> 00:27:17,400 You joined when you were 18. 498 00:27:17,400 --> 00:27:17,880 Yeah. 499 00:27:17,880 --> 00:27:19,880 And then you left like when? 500 00:27:20,520 --> 00:27:22,280 When I was 21. 501 00:27:22,280 --> 00:27:22,680 21. 502 00:27:22,680 --> 00:27:23,080 Yeah. 503 00:27:23,080 --> 00:27:23,800 Which is now. 504 00:27:23,800 --> 00:27:24,120 Yeah. 505 00:27:24,120 --> 00:27:25,160 Okay. Gotcha. 506 00:27:25,160 --> 00:27:28,120 And what was your title at ManoMano? 507 00:27:28,120 --> 00:27:29,320 Senior security engineer. 508 00:27:29,320 --> 00:27:30,360 Okay. Gotcha. Wow. 509 00:27:30,360 --> 00:27:37,160 So how the heck did an 18 year old just jump right into big marketplace and get to be a 510 00:27:37,160 --> 00:27:38,360 security... How did that work? 511 00:27:38,360 --> 00:27:39,240 What was that process? 512 00:27:39,880 --> 00:27:43,720 So basically, I was never good at school. 513 00:27:43,720 --> 00:27:45,160 I always hated it. 514 00:27:45,160 --> 00:27:47,160 That's a good sign. 515 00:27:47,160 --> 00:27:49,080 Yeah. It's a good sign. 516 00:27:49,080 --> 00:27:54,600 Yeah. But I always wanted to do a creative job. 517 00:27:54,600 --> 00:27:55,000 Right? 518 00:27:55,000 --> 00:28:00,680 And I was hacking and someone introduced me to Bug Bounty. 519 00:28:00,680 --> 00:28:01,160 Right? 520 00:28:01,160 --> 00:28:05,880 Actually, it was like my teacher that told me, hey, there's this CTF. 521 00:28:05,880 --> 00:28:07,000 Do you want to participate? 522 00:28:07,000 --> 00:28:08,200 In high school? 523 00:28:08,200 --> 00:28:08,840 Yeah. 524 00:28:08,840 --> 00:28:09,480 In high school? 525 00:28:09,480 --> 00:28:16,840 Yeah. It was like a European CTF, the CISO for high schoolers from all around Europe. 
526 00:28:16,840 --> 00:28:22,120 And I brought like two friends with me and I told them, you do not have to play the CTF. 527 00:28:22,120 --> 00:28:27,560 I just need people from my team to go there, like to put someone on the list. 528 00:28:27,560 --> 00:28:34,040 And we qualified to the finals and there was all the conferences and stuff. 529 00:28:34,040 --> 00:28:35,960 And it was a conference from YesWeHack. 530 00:28:35,960 --> 00:28:36,280 Right? 531 00:28:36,280 --> 00:28:41,080 And they were telling, hey, you can actually get paid for finding security vulnerabilities. 532 00:28:41,080 --> 00:28:42,520 And I was like, that's legal. 533 00:28:42,520 --> 00:28:43,240 That's awesome. 534 00:28:43,240 --> 00:28:43,480 Yeah. 535 00:28:43,480 --> 00:28:44,920 I have a mind block. 536 00:28:44,920 --> 00:28:45,480 Yeah. 537 00:28:45,480 --> 00:28:49,880 And so I got back at home and I was like, okay, what is Bug Bounty? 538 00:28:49,880 --> 00:28:54,680 And somebody across HackerOne and you call disclose vulnerabilities. 539 00:28:54,680 --> 00:28:57,320 And that's the only reason I went on HackerOne. 540 00:28:57,320 --> 00:29:02,200 So ironically, YesWeHack gave me the idea to go on HackerOne. 541 00:29:02,200 --> 00:29:02,520 Yes. 542 00:29:02,520 --> 00:29:11,720 But yeah, I really like the disclosure because actually you could share vulnerabilities and 543 00:29:11,720 --> 00:29:15,240 you could prove your experience. 544 00:29:15,240 --> 00:29:15,720 Right? 545 00:29:15,720 --> 00:29:17,640 And so I started Bug Bounty hunting. 546 00:29:17,640 --> 00:29:21,800 It was hard at the beginning, but because of the reputation and the fact that you have 547 00:29:21,800 --> 00:29:26,200 a public profile, I use that as my CV, my resume. 548 00:29:26,200 --> 00:29:31,320 And I showed companies that, hey, I actually managed to hack those big companies. 549 00:29:31,320 --> 00:29:33,480 And I have the technical skills. 550 00:29:33,480 --> 00:29:34,360 Right? 
551 00:29:34,360 --> 00:29:36,920 And I did some research. 552 00:29:36,920 --> 00:29:39,160 There was stuff published in the media. 553 00:29:39,160 --> 00:29:41,480 I did some interviews and television. 554 00:29:42,120 --> 00:29:43,480 Visibility also helps. 555 00:29:44,040 --> 00:29:52,680 And all of that, one day a friend of mine, Zach, told me, hey, there is this company that 556 00:29:52,680 --> 00:29:54,840 will hire a security engineer. 557 00:29:55,560 --> 00:29:59,480 They didn't open the job yet, but I recommended you. 558 00:29:59,480 --> 00:30:06,360 And two days afterward, I got a ping and they actually hired me before the job was opened. 559 00:30:07,320 --> 00:30:08,040 Wow. 560 00:30:08,040 --> 00:30:12,520 And actually based only off of a recommendation or did you do an interview? 561 00:30:12,520 --> 00:30:14,520 I did an interview. 562 00:30:14,520 --> 00:30:16,200 I did several interviews with the team. 563 00:30:16,200 --> 00:30:19,000 I was going to say they saw his work and they were like, we need to hire this guy. 564 00:30:19,720 --> 00:30:21,160 I did several interviews. 565 00:30:21,160 --> 00:30:22,040 They were great. 566 00:30:22,040 --> 00:30:24,040 Really funny interviews, actually. 567 00:30:24,040 --> 00:30:27,640 And Jules, that was my manager, not the one that you know, but 568 00:30:27,640 --> 00:30:31,880 he was so great with me. 569 00:30:31,880 --> 00:30:33,640 He's also really young at the time. 570 00:30:33,640 --> 00:30:38,920 I think he was 24 and he was my manager and I was his first employee. 571 00:30:39,640 --> 00:30:41,720 And we had like a great relationship. 572 00:30:41,720 --> 00:30:43,480 He helped me grow. 573 00:30:43,480 --> 00:30:49,800 And that led to research and to creating my own company. 574 00:30:49,800 --> 00:30:53,640 So basically my brother has like a similar story with studies. 575 00:30:53,640 --> 00:30:58,760 He did seven years of first years of college. 
576 00:30:58,760 --> 00:31:01,320 Seven times? 577 00:31:01,320 --> 00:31:05,160 Yeah, because he was bored of it. 578 00:31:05,160 --> 00:31:13,880 And so he did actually the first years of my other brothers in law stuff and in philosophy. 579 00:31:13,880 --> 00:31:15,800 And he never liked anything. 580 00:31:15,800 --> 00:31:20,760 But my father one day said, hey, you don't know anything about programming, about development. 581 00:31:20,760 --> 00:31:27,080 You barely know how to use a computer, but there is like the 42 school network that opened. 582 00:31:27,080 --> 00:31:30,920 It was like really new at the time, 2017, I think. 583 00:31:30,920 --> 00:31:35,000 And he said to him, go do that school. 584 00:31:35,000 --> 00:31:36,920 And basically it's a school without teachers. 585 00:31:37,720 --> 00:31:39,640 And there is no courses. 586 00:31:39,640 --> 00:31:42,760 You just have exercises of programming. 587 00:31:42,760 --> 00:31:45,880 And you do not need to know programming to get into that school. 588 00:31:45,880 --> 00:31:49,000 It's 100% free and the school is open 24-7. 589 00:31:49,000 --> 00:31:49,480 Wow. 590 00:31:49,480 --> 00:31:53,320 So to get into that school, you need to pass a logical test. 591 00:31:53,320 --> 00:31:56,040 And then you have something called the piscine, which is the pool. 592 00:31:56,680 --> 00:32:02,120 And the pool, basically you have one month of intensive programming where you need to 593 00:32:02,120 --> 00:32:05,880 learn from scratch to become like an expert in C and C++. 594 00:32:05,880 --> 00:32:06,440 Oh, wow. 595 00:32:06,440 --> 00:32:06,920 Okay. 596 00:32:06,920 --> 00:32:08,040 Which is horrible. 597 00:32:09,240 --> 00:32:12,440 And if you pass all the tests, you get in the school. 598 00:32:13,080 --> 00:32:14,840 So it's hardcore mode. 599 00:32:14,840 --> 00:32:15,800 You need to try it out. 600 00:32:15,800 --> 00:32:19,800 And what's the incentive to pass that test? 
601 00:32:19,800 --> 00:32:22,280 Is there some sort of like, is it very exclusive? 602 00:32:22,280 --> 00:32:26,040 Is there a certain like, once you're there, it helps you get a better job? 603 00:32:26,840 --> 00:32:31,720 Why would people want to push through that and learn C and C++ and stuff in order to get there? 604 00:32:31,720 --> 00:32:35,880 You learn so much in a condensed time. 605 00:32:36,520 --> 00:32:43,240 So in one month, you actually know how to program fully in C and C++, which is astonishing, 606 00:32:43,240 --> 00:32:44,440 what they managed to do. 607 00:32:44,440 --> 00:32:51,240 And in one year, you can get a job for the better students, or otherwise in two, three years. 608 00:32:51,240 --> 00:32:55,960 But you do not need any degrees and you will get hired by companies. 609 00:32:55,960 --> 00:32:57,400 So that's the incentive. 610 00:32:57,400 --> 00:32:59,000 You do not know what to do with your life. 611 00:32:59,000 --> 00:33:01,560 Go to that school if you're remotely computer-s. 612 00:33:02,120 --> 00:33:03,720 And he actually did. 613 00:33:03,720 --> 00:33:08,040 And he became like a good back-end developer, but like really good. 614 00:33:08,600 --> 00:33:13,000 And he worked for many different startups. 615 00:33:13,000 --> 00:33:19,080 And we were talking and sharing knowledge about our jobs. 616 00:33:19,080 --> 00:33:24,040 And one time we're like, I do research in security, you do development. 617 00:33:24,040 --> 00:33:25,080 We need to do something. 618 00:33:25,080 --> 00:33:25,400 Yeah. 619 00:33:25,400 --> 00:33:26,360 We need to do something. 620 00:33:26,360 --> 00:33:27,240 Together. 621 00:33:27,240 --> 00:33:30,440 And so we wanted to create that R&D company. 622 00:33:30,440 --> 00:33:34,360 And because my nickname was Lupin, we needed to find a nickname for him. 623 00:33:34,360 --> 00:33:36,520 And like, Holmes was the perfect one. 624 00:33:36,520 --> 00:33:37,160 Like Sherlock. 
625 00:33:37,160 --> 00:33:37,560 Yeah. 626 00:33:37,560 --> 00:33:43,560 And it goes really good with him because I guess Holmes used deduction. 627 00:33:43,560 --> 00:33:49,400 Like when you are programming, you need to find the best path to create something. 628 00:33:49,400 --> 00:33:51,080 And Holmes really liked that. 629 00:33:51,080 --> 00:33:54,600 And also my brother did not like to talk in the media. 630 00:33:54,600 --> 00:33:55,640 Does not like the fame. 631 00:33:55,640 --> 00:33:58,200 He's exactly like Sherlock Holmes. 632 00:33:58,200 --> 00:34:00,760 And we're like, this is like the great persona for him. 633 00:34:00,760 --> 00:34:01,480 Right? 634 00:34:01,480 --> 00:34:06,840 And so Lupin and Holmes is really about trying to complete one another. 635 00:34:06,840 --> 00:34:11,160 We are opposite sides, but like the opposite of a coin. 636 00:34:11,160 --> 00:34:11,720 Right? 637 00:34:11,720 --> 00:34:13,400 We just, yeah. 638 00:34:13,400 --> 00:34:13,640 Yeah. 639 00:34:13,640 --> 00:34:14,280 A coin is like. 640 00:34:14,280 --> 00:34:16,840 They must be together, but never at the same time. 641 00:34:16,840 --> 00:34:17,480 Exactly. 642 00:34:17,480 --> 00:34:21,800 And so I use Bug Bounty as a way to do research. 643 00:34:21,800 --> 00:34:26,280 And then everything that I learned from Bug Bounty about maybe fixing vulnerabilities 644 00:34:26,280 --> 00:34:31,240 or finding the vulnerabilities, I then asked my brother to code tools. 645 00:34:31,240 --> 00:34:36,760 And then those tools are going to be on products that we are going to sell to companies. 646 00:34:36,760 --> 00:34:39,080 Maybe to bug hunters, but mostly for companies. 647 00:34:41,080 --> 00:34:46,200 On that line, you've got a secret product that we won't talk about on this episode, 648 00:34:46,200 --> 00:34:47,960 but we will be talking about on a future episode. 649 00:34:49,080 --> 00:34:52,840 And your brother is primarily doing the coding for that? 
650 00:34:52,840 --> 00:34:53,320 Yeah. 651 00:34:53,320 --> 00:34:53,800 Oh, wow. 652 00:34:53,800 --> 00:34:56,120 He's doing the entire backend. 653 00:34:57,720 --> 00:35:05,400 And it's pretty good because sometimes I ask him to do something security related. 654 00:35:05,400 --> 00:35:07,000 And he's like, why? 655 00:35:08,280 --> 00:35:10,120 Why would anyone try that? 656 00:35:10,120 --> 00:35:12,440 And I'm like, that's the whole purpose of the research. 657 00:35:12,440 --> 00:35:12,920 Exactly. 658 00:35:12,920 --> 00:35:13,480 Yeah. 659 00:35:13,480 --> 00:35:14,760 Yeah. That's great. 660 00:35:16,120 --> 00:35:20,840 And so I guess, how is it with you then working with somebody else's code? 661 00:35:20,840 --> 00:35:24,680 Because for me, especially within my automation framework, 662 00:35:24,680 --> 00:35:26,760 I feel like I need to know the ins and outs of it. 663 00:35:26,760 --> 00:35:30,840 And even sometimes when I look at a piece of code that I wrote three years ago, 664 00:35:30,840 --> 00:35:33,640 four years ago, it's like, who the frick wrote this? 665 00:35:33,640 --> 00:35:34,140 Yeah. 666 00:35:35,000 --> 00:35:37,480 Before Joel started influencing my Python programming. 667 00:35:38,120 --> 00:35:41,240 So has that worked all right for you? 668 00:35:41,240 --> 00:35:42,760 Have you written any of the code yourself? 669 00:35:43,320 --> 00:35:48,360 I've written some of the code, mostly for the clients, but not for the backends. 670 00:35:49,160 --> 00:35:51,800 I think it's better if I do not touch the code. 671 00:35:55,240 --> 00:35:56,440 That's what he tells you, at least. 672 00:35:58,280 --> 00:35:58,760 Definitely. 673 00:35:58,760 --> 00:36:07,160 It's more like we need to separate our jobs. 674 00:36:07,160 --> 00:36:13,080 My job is to actually find new ways to do research and his job is to develop. 
675 00:36:13,080 --> 00:36:16,360 And it's actually good that I do not touch the code because 676 00:36:16,360 --> 00:36:18,840 I'm doing a bit of the product manager. 677 00:36:19,720 --> 00:36:24,360 I ask things that are not possible and he needs to find a way to do them. 678 00:36:24,360 --> 00:36:29,080 Yeah, I actually love that separation of roles where normally you would say research and 679 00:36:29,080 --> 00:36:33,160 development is sort of like gloved into one thing where you're doing research and you're 680 00:36:33,160 --> 00:36:38,040 developing, but research and development, one of you is doing research, one of you is 681 00:36:38,040 --> 00:36:43,640 doing development, and it sort of allows you to have a singular focus and really hone in on that. 682 00:36:43,640 --> 00:36:48,920 Because one of the things that we've talked about is there's the XKCD, where it's about 683 00:36:48,920 --> 00:36:53,560 automation and over time, all of your time starts to get taken up by having to maintain 684 00:36:53,560 --> 00:36:57,480 and manage the system. And that is going to take away from the amount of time that you have to do 685 00:36:57,480 --> 00:37:01,640 research and actually learn new things, learn new techniques, and explore and find new bugs 686 00:37:01,640 --> 00:37:05,480 and that kind of stuff. And so if you can separate that out and say, here, you managed with the 687 00:37:05,480 --> 00:37:10,920 development, I'll manage with the research, that really allows each of you to sort of hone in that 688 00:37:10,920 --> 00:37:16,600 craft to 100%. I would take an example of a proof of concept that we're doing right now. 689 00:37:17,480 --> 00:37:22,040 Basically, there was like this target that is renowned for blind XSS. 
690 00:37:22,040 --> 00:37:27,720 And I was like, we need to find a way to automate blind XSS, but not in the way that 691 00:37:27,720 --> 00:37:34,440 do dumb automation about just putting everything out there and just see what will happen. But, 692 00:37:35,960 --> 00:37:41,160 try to find the right payload for the right context. And this is hard, but I know that some 693 00:37:41,160 --> 00:37:49,160 hunters are really good at understanding how the panel, admin panel side works, right? And they 694 00:37:49,160 --> 00:37:55,400 know the right payload to it. And I was like, we can do some detection out of it, right? And so 695 00:37:56,040 --> 00:38:03,960 I asked him to create a semi automation tool. So, I don't like to automate everything. I like to 696 00:38:03,960 --> 00:38:09,880 understand what I'm doing and to have hands on everything happening on the process. But there 697 00:38:09,880 --> 00:38:15,560 are things that, like finding the right payload and putting it, writing it again, or copy pasting, 698 00:38:15,560 --> 00:38:21,080 it takes so much time. And so we created like this blind XSS framework where basically you can put 699 00:38:21,080 --> 00:38:27,640 templates and you have your own config files and you can actually put in the request templates. 700 00:38:27,640 --> 00:38:33,400 It would do some smart match and replace to actually put the right payload. And so you 701 00:38:33,400 --> 00:38:38,920 do not need to know the payload by heart. Just create your templates and you go for it. And 702 00:38:38,920 --> 00:38:50,040 this tool is highly modular. And right now we are giving it to a few bug hunters to test it and 703 00:38:50,040 --> 00:38:57,880 see like what people need out of it. One feature that I really would like to do is that creating 704 00:38:57,880 --> 00:39:04,760 data flows, like request flows, better said. Where for instance, there is blind XSS that may happen 705 00:39:04,760 --> 00:39:09,880 in the checkout. 
And that's something it's really hard to automate. And what I want to do is like 706 00:39:09,880 --> 00:39:18,120 from the login up to the checkout, you could record all the requests. And so replay all the requests. 707 00:39:18,120 --> 00:39:22,360 Yeah. Like logging in, adding a product, going to checkout and then... 708 00:39:22,360 --> 00:39:33,720 But you modify one request at a time. And if the request is not, like since you record the request 709 00:39:33,720 --> 00:39:38,920 and response, if the response is not expected, you drop the entire flow and you start from the 710 00:39:38,920 --> 00:39:41,000 beginning with a new request. Almost like fuzzing. 711 00:39:42,040 --> 00:39:49,400 Almost like fuzzing, but in a way that you keep the logic of adding a product in your cart and 712 00:39:49,400 --> 00:39:53,160 then from the cart you are paying... I should have said more like symbolic execution, 713 00:39:53,160 --> 00:39:57,400 where it's like you have a certain flow and you say it has to meet all of this specific criteria. 714 00:39:57,400 --> 00:39:59,720 And if so, this is a success case. Exactly. 715 00:39:59,720 --> 00:40:06,520 So I'm a little bit curious. How does that flow correlate to blind XSS? Are you trying to get 716 00:40:06,520 --> 00:40:11,320 the application into different states where you think that it may trigger some sort of 717 00:40:11,320 --> 00:40:14,680 appearance in a log on an admin panel or something like that? 718 00:40:14,680 --> 00:40:20,440 Exactly. There was a research from someone that was really interesting about using log4j, 719 00:40:20,440 --> 00:40:30,040 like trying to trigger log4j payloads, but in a real situation. And basically, the research was 720 00:40:30,040 --> 00:40:37,400 about doing error-based requests. So you will trigger a lot of requests. 
You will try to, 721 00:40:37,400 --> 00:40:43,000 you know, get banned, your IP banned, stuff like that, and put beacons in the headers, stuff like 722 00:40:43,000 --> 00:40:49,080 that. Everything that the app shouldn't do, you try to do it in order to generate a log. 723 00:40:49,080 --> 00:40:53,880 And those kind of flows, I'm saying like... Like an incident or something like that. 724 00:40:53,880 --> 00:40:56,920 Yeah. Like someone look at this guy, he's doing something weird. And then that... 725 00:40:56,920 --> 00:41:02,440 Exactly. And that will trigger the flow. For instance, you have a checkout page and you put 726 00:41:02,440 --> 00:41:08,920 a product. Imagine, maybe imagine that the API, you can change the product name or the cart name. 727 00:41:08,920 --> 00:41:13,720 And that's, you know, you need to test those kind of things. But it takes so much time to test all 728 00:41:13,720 --> 00:41:17,400 the different possibilities that my dream will be to have those data flow. 729 00:41:17,400 --> 00:41:21,320 And when you say possibilities, do you mean... Because this is going back to what you were 730 00:41:21,320 --> 00:41:27,480 saying earlier about a payload. Are you talking about like using a polyglot payload for like 731 00:41:27,480 --> 00:41:29,720 where it will trigger on the admin side? Or are you talking about... 732 00:41:29,720 --> 00:41:32,440 At the entry point, like the parameter that you are changing. 733 00:41:32,440 --> 00:41:38,040 Okay. So you're saying, okay, you know, log in, add a product, go to the cart, change the cart 734 00:41:38,040 --> 00:41:42,840 name, submit the order. And then the payload's in the cart name. And then go back to it again. 735 00:41:42,840 --> 00:41:45,080 And then change the shipping. 736 00:41:45,080 --> 00:41:48,200 Do it in the notes. The order notes. The shipping. Exactly. 737 00:41:48,200 --> 00:41:50,680 Gotcha. Very cool. Yeah. That would be a really cool automated flow. 
738 00:41:50,680 --> 00:41:56,280 Yeah. We're still working on that. It's a lot of work and especially... 739 00:41:56,280 --> 00:42:02,600 Yeah. Yeah. Sessions make that very difficult. It's interesting because I'm a little ashamed 740 00:42:02,600 --> 00:42:07,480 to admit this, but I haven't, I didn't even use nuclei or like HTTPX or anything until like 741 00:42:07,480 --> 00:42:12,440 a couple of weeks ago. And I think one of the things that really pushed me over the edge to 742 00:42:12,440 --> 00:42:17,320 start doing that is that I, like you did basically entirely manual testing for a very long time. 743 00:42:17,320 --> 00:42:21,880 I would focus on specific things. I would see weird behavior and I would chase that down. 744 00:42:21,880 --> 00:42:28,120 And I came to a point where I realized like, I need to do more breadth, but it doesn't have 745 00:42:28,120 --> 00:42:32,920 to be necessarily in depth. If I just want to identify, oh, this host is online. I don't have 746 00:42:32,920 --> 00:42:37,480 to go open 15 tabs. I can just run a tool that does that automatically and make my life a little 747 00:42:37,480 --> 00:42:41,720 bit easier. And then maybe I can do some manual testing to figure it out. Or I can take a polyglot 748 00:42:41,720 --> 00:42:47,400 payload or a tool like what you're writing and use that to even go one step further and narrow 749 00:42:47,400 --> 00:42:53,960 down my scope even more. Yeah. Well, go ahead. Yeah. What's interesting about automation is that 750 00:42:54,680 --> 00:43:00,600 there is, in my opinion, three ways of doing background testing. You have full manual. So you 751 00:43:00,600 --> 00:43:03,640 just check the requests one by one. This is exactly what I was going to say. Good. Good. 752 00:43:03,640 --> 00:43:10,600 There is full automation where you basically trust your servers and computers to do everything. And 753 00:43:10,600 --> 00:43:18,360 there is where I kind of see semi-automation. 
So my problem with automation is that it's not becoming 754 00:43:19,320 --> 00:43:24,280 about getting creative with your ability and understanding your scope. It's about doing a race 755 00:43:25,080 --> 00:43:30,760 against all the people that does automation. You do not need to have the most accurate results. You 756 00:43:30,760 --> 00:43:37,720 need to be the first one. For instance, the subdomain takeover scene is really like that right 757 00:43:37,720 --> 00:43:43,960 now. So if someone has a specific automation and someone maybe knows how to code in Go or Rust, 758 00:43:44,600 --> 00:43:51,320 this person will get the subdomain first. Right. Right. And that's not in the way that I like to do 759 00:43:51,320 --> 00:43:56,760 hacking, but you can be really good at it. Right. Right. There is manual testing where it's really 760 00:43:56,760 --> 00:44:02,120 long. You need to go through. You made a tweet about knowing the application until you get sick 761 00:44:02,120 --> 00:44:07,960 of it. Yes. Yes. Yes. And I'm sick of getting sick of applications. Yes. Yes. 100%. Yeah. Because it's such a grind. 762 00:44:07,960 --> 00:44:11,720 Like I think exactly we've talked about this a lot. Like you have to get intimate with the application, 763 00:44:11,720 --> 00:44:17,320 right? Got to get intimate with it. But that I mean, some applications, the amount of features, 764 00:44:17,320 --> 00:44:22,600 the amount of depth there is to an application that can take weeks, maybe even months to fully 765 00:44:22,600 --> 00:44:28,680 understand every little piece. I mean, I'm thinking about like a great example where, I mean, such a 766 00:44:28,680 --> 00:44:34,120 huge complicated application where it can take so long to get a full grasp of how does this thing 767 00:44:34,120 --> 00:44:39,640 work? How do these systems connect together? 
And if you aren't using tools to your advantage to sort of 768 00:44:40,840 --> 00:44:45,640 take, you know, jump up five stairs up or whatever, right? Like you just have to kind of 769 00:44:45,640 --> 00:44:49,720 use some of the tools that are out there because even though it might feel like, you know, I really 770 00:44:49,720 --> 00:44:53,160 want to just do this manually. I don't want to, you know, let the tools tell me what to do. 771 00:44:54,040 --> 00:44:58,600 You know, it's really worth it. It's worth your time and it's worth the amount of effort and 772 00:44:58,600 --> 00:45:02,280 energy that you're going to spend, you know, days, weeks, whatever it would take to learn that 773 00:45:02,280 --> 00:45:08,040 application just to, you know, get one step ahead because, you know, the subdomain takeover is a 774 00:45:08,040 --> 00:45:12,840 great example. I know tons of people who do automation for that kind of stuff and that's 775 00:45:12,840 --> 00:45:17,080 not really what my focus is, right? Like I understand like, yeah, you could maybe code up 776 00:45:17,080 --> 00:45:21,320 a really fast example, but you're starting at the beginning compared to all these people who've been 777 00:45:21,320 --> 00:45:26,040 automating for a very long time. They're already multiple steps ahead. And instead you could focus 778 00:45:26,040 --> 00:45:31,480 on something that is deeper that the automation is not necessarily going to pick up, but you can get 779 00:45:31,480 --> 00:45:36,760 there by taking a couple shortcuts, right? You can learn some of the, you know, nuance to that 780 00:45:36,760 --> 00:45:41,720 application without having to go through the whole manual process. And from the very beginning, 781 00:45:42,280 --> 00:45:45,080 I think about it kind of like learning a language, right? This is a great example. 
782 00:45:45,880 --> 00:45:51,400 You've been learning Japanese and it's like, you know, it's instead of, you know, learning one word 783 00:45:51,400 --> 00:45:55,880 at a time and then we're learning 2,000 words and being like, okay, now I'm going to try and say, 784 00:45:55,880 --> 00:46:01,560 hello, my name is Joel. It's like, learn, hello, my name, right? Just hello, my name is. 785 00:46:01,560 --> 00:46:08,600 The pieces that actually help you in your daily life. That's like a really good example with 786 00:46:08,600 --> 00:46:15,640 Japanese is that instead of understanding like every word, what I'm trying to do is actually say 787 00:46:15,640 --> 00:46:22,760 sentences that I will use during my trip. Like for instance, I want this thing, kure wo kudasai. 788 00:46:22,760 --> 00:46:26,760 And that's it. Like I do not need to know everything, but. 789 00:46:26,760 --> 00:46:29,320 For the record, he's been learning Japanese for like four days. 790 00:46:30,760 --> 00:46:35,720 Very, very, very fast. He picked it up so fast. 791 00:46:35,720 --> 00:46:43,560 Oh yeah. I can't have a discussion here. That's my goal in two weeks, you know? But yeah, like 792 00:46:43,560 --> 00:46:49,880 this is a good example. For instance, you also like with semi-automation, you need to know what 793 00:46:49,880 --> 00:46:57,880 is worth automating. For instance, yesterday we were looking with Justin on Google and Google 794 00:46:58,520 --> 00:47:05,160 has a lot of proprietary protocols. And is it worth automating? At one point we were asking 795 00:47:05,160 --> 00:47:09,240 this question, this application we want. I asked you this exactly. I was like Lupin, 796 00:47:09,240 --> 00:47:14,200 is this, you know, we read a great write-up on essentially how it works, which we'll link. 
797 00:47:14,200 --> 00:47:20,200 And we're like, okay, so do we want to build a, you know, essentially a burp extension surrounding 798 00:47:20,840 --> 00:47:25,640 making this much easier to test? Or do we want to just look at, you know, take our knowledge of the 799 00:47:25,640 --> 00:47:32,600 protocol and essentially just every single time burn that additional mental cycles to, you know, 800 00:47:32,600 --> 00:47:37,000 translate in our brain to, you know, what we're seeing. And that was a discussion we had. And I 801 00:47:37,000 --> 00:47:41,640 think that's a really important discussion to have for automation. Yesterday we landed on building 802 00:47:41,640 --> 00:47:49,480 the automation because we, those mental cycles really inhibit creativity in hacking. And this 803 00:47:49,480 --> 00:47:55,160 is something we talk about on the podcast a lot, but anytime you can reduce friction to testing, 804 00:47:56,040 --> 00:48:00,440 you know, you want to be able to, ideally in an ideal world, you want to be able to have an idea, 805 00:48:00,440 --> 00:48:05,800 oh, what if I did this? And then test that immediately. Yeah. And that's what we're kind 806 00:48:05,800 --> 00:48:08,440 of shooting for with that. So yeah, it's exciting for sure. 807 00:48:08,440 --> 00:48:13,800 What's really interesting about this specific application and why we went on the automation 808 00:48:13,800 --> 00:48:21,080 route of it is because this application use this Google proprietary protocol called batch execute 809 00:48:21,080 --> 00:48:27,320 to doing RPCs call, but this is not the only application that use this protocol. And so 810 00:48:27,320 --> 00:48:34,040 basically if we build automation with that specific app in example, like for instance, you went like 811 00:48:34,040 --> 00:48:39,560 for manual testing and I went from automating what he learned from the manual testing. 
And so 812 00:48:39,560 --> 00:48:44,760 if we have a good proof of concept with that application, every other Google application 813 00:48:44,760 --> 00:48:51,080 using that protocol, we will be able to assess it faster and to understand it better. And so that's 814 00:48:52,040 --> 00:48:57,800 what was the reason why we're coming for you, Google. And that was the reason why the automation 815 00:48:57,800 --> 00:49:02,360 made sense. But at the same time, we didn't go down the route of, okay, we're going to get all the 816 00:49:02,360 --> 00:49:07,560 requests from the JavaScript and then play it and parse them. It's just like getting all the requests 817 00:49:07,560 --> 00:49:15,880 and having like a template of what to send. And then we can do manual testing. So we save hours 818 00:49:15,880 --> 00:49:22,040 of reverse engineering the JavaScript for concentrating only on the creativity part, 819 00:49:22,040 --> 00:49:29,880 not the searching, but on the, hey, is a pollution on that parameter. What if I put this ID here, 820 00:49:29,880 --> 00:49:34,600 you know, that kind of stuff. Yeah. And I want to say as well, it just before we jumped into 821 00:49:34,600 --> 00:49:42,280 something else, but the, it's very tempting to think about it like a math equation, like, okay, 822 00:49:43,560 --> 00:49:50,600 am I going to save brain sort of CPU cycles by spending, let's say three hours up front to build 823 00:49:50,600 --> 00:49:56,040 the automation, right? Is that going to save me three hours worth of time? 
And I thought about it 824 00:49:56,040 --> 00:50:00,040 like that for a while, but then I realized this is really not the best way to think about it, 825 00:50:00,040 --> 00:50:05,720 because precisely we were not catching and quantifying that whole piece of like how much 826 00:50:05,720 --> 00:50:12,680 it's inhibiting our creativity or inhibiting our, our attack vector formulation to constantly be 827 00:50:12,680 --> 00:50:15,960 having to, all right, now I got to, you're on code this and I got to stick this in this little 828 00:50:15,960 --> 00:50:21,320 Jason blob and I got to fix the escaping and bloody, bloody blah. And so, you know, I think 829 00:50:21,320 --> 00:50:25,320 oftentimes like that, especially when you're committing to a target for a longer period of 830 00:50:25,320 --> 00:50:31,320 time, even if you think you won't necessarily get that time back, you will get ROI on that because 831 00:50:31,320 --> 00:50:35,720 your brain will work more efficiently in that environment. That's true. Yeah. 100%. I've also 832 00:50:35,720 --> 00:50:40,680 done some hacking on Google, maybe like a month ago. And I ran into a very, very similar situation 833 00:50:40,680 --> 00:50:47,160 where just like the entry point to hacking, it can be very difficult because of these specific 834 00:50:47,160 --> 00:50:51,960 protocols and these weird formats that they use. And so it's not so much that you're building out 835 00:50:51,960 --> 00:50:55,960 like a tool that's going to automate the entire thing, but it's really almost just like a helper 836 00:50:55,960 --> 00:51:01,320 script, right? It's like in the same way that burp has a pretty tab and a raw tab, right? 837 00:51:01,320 --> 00:51:05,720 You can just make it format it for you. 
You can make it decode that for you or make it readable 838 00:51:05,720 --> 00:51:09,800 for you so that when you hover over the request or when you're scrolling through, you can identify 839 00:51:09,800 --> 00:51:15,160 and you can pattern match manually significantly faster and easier than you would by doing it over 840 00:51:15,160 --> 00:51:19,000 and over again, manually and being like, hold on, where's that weird bite that I'm looking for? 841 00:51:19,000 --> 00:51:24,840 Okay, there's the type and that is very mentally draining. And it's just like having, you know, 842 00:51:24,840 --> 00:51:28,200 sometimes I'll do it with Python. I'll just write like a little function or a script or something 843 00:51:28,200 --> 00:51:31,560 and I'll have it in my terminal and I'll just have it like read from my clipboard or something 844 00:51:31,560 --> 00:51:36,040 to do it automatically. And that's so much easier than like writing an entire piece of tooling. 845 00:51:36,040 --> 00:51:39,880 Definitely. Yeah. Actually, Joel, I steal it from you because I actually want you to talk about 846 00:51:39,880 --> 00:51:43,000 that a little bit because that's like one of the coolest things that I've seen about your 847 00:51:43,000 --> 00:51:48,680 hacking methodology. So essentially, please expand, but he's got a set of functions that 848 00:51:48,680 --> 00:51:54,120 he's built over time. And then you essentially just open up the Python terminal. It reads from 849 00:51:54,120 --> 00:51:57,640 the clipboard and then you can kind of chain together these automations, right? 850 00:51:57,640 --> 00:52:02,600 Yeah, a hundred percent. I have a little module I call Pyhack. 
And basically whenever I use 851 00:52:02,600 --> 00:52:07,720 IPython as my terminal and essentially I'll just import this file and it has a bunch of little, 852 00:52:07,720 --> 00:52:11,560 they're like aliases, like bash aliases for me, but they're more complex and it's easier for me 853 00:52:11,560 --> 00:52:16,680 to write in Python than it is in bash. And it'll do stuff like URL decode or slash escape. Like a 854 00:52:16,680 --> 00:52:21,080 common scenario is I'll copy something that has slash ends in it, right? And I want to see it 855 00:52:21,080 --> 00:52:24,920 without, I want to see them literally as slash. And so I have a just a little helper function that 856 00:52:24,920 --> 00:52:29,080 takes them, decodes them and prints it out manually. And just to make it like so much easier. 857 00:52:29,800 --> 00:52:34,760 HTML decoding, hex encoding, hex decode, like, and just little tiny helper things, 858 00:52:34,760 --> 00:52:39,640 things to group stuff. These are the types of like very little, you know, nuance that makes it so 859 00:52:39,640 --> 00:52:45,320 much easier. And you have them for everything. Yeah. All sorts of things. Like every single time 860 00:52:45,320 --> 00:52:49,320 I'm like, okay, Joel's going to have to code something. Like, cause we, we pair hack, you know, 861 00:52:49,320 --> 00:52:53,880 from time to time. So like, you know, I see your screen, you know, when you do this and I'm like, 862 00:52:53,880 --> 00:52:57,480 all right, this time he's going to have to do like some like dot replace shit or something like that. 863 00:52:57,480 --> 00:53:01,000 No, every single time you've got a function for it. Yes. Yeah. Yeah. On that, on that note, 864 00:53:01,000 --> 00:53:09,800 on the pair hacking, I was sitting in front of them at the PayPal event. It's just the best thing 865 00:53:09,800 --> 00:53:17,720 ever to watch them, both of them all day on one single problem. 
I haven't seen that many use of 865 00:53:17,720 --> 00:53:27,960 muscular faces over the day. Like both of them were like, Oh, Oh, why? It's like, I think, I think I 866 00:53:27,960 --> 00:53:35,480 figured it out. Oh no. Yes. No. That was just so funny. But you guys really complete one another. 867 00:53:35,480 --> 00:53:40,760 And I think it really works well for you. Yeah. I think pair hacking works specifically well for, 868 00:53:40,760 --> 00:53:48,040 for Joel and I, like, I think, I think, I like to say it. I point Joel, you know, at the thing, 869 00:53:48,040 --> 00:53:55,800 like Joel, brain power that, you know, like, to be honest, I think that like every person's 870 00:53:55,800 --> 00:54:02,760 like doing bug bounty needs a pair hacker with them. And that's what we've seen in the top 871 00:54:02,760 --> 00:54:08,520 bug bounty hunter community. Like if you see Frans Rosén, Mathias Karlsson, if you see Jonathan, 872 00:54:08,520 --> 00:54:16,360 there's Sean. And like everyone is like, there is one hacker always with you. 100%. Yeah. I mean, 873 00:54:16,360 --> 00:54:20,040 it's like, so we've always said like two brains are better than one. And this doesn't have to be 874 00:54:20,040 --> 00:54:25,240 an in-person thing. I think one of the advantages of being in person is that you can feed off of 875 00:54:25,240 --> 00:54:29,160 each other. Like we don't even like, there'll be things that we just don't even like talk, like 876 00:54:29,160 --> 00:54:32,920 we'll just be like looking at the same thing and we'll be picking up things at the same pace. And 877 00:54:32,920 --> 00:54:35,480 I'll be like, oh, did you see that? And you'll be like, yeah, yeah, that's really interesting. 878 00:54:36,520 --> 00:54:40,440 It's like, what's that? Right. But it's like, we're, we're just sort of on that level where 879 00:54:40,440 --> 00:54:47,720 we're able to sort of go. 
And when you get to that point, your efficiency is literally two X or more 880 00:54:47,720 --> 00:54:53,800 because you have two people, two, two perspectives. Like he has seen things that I haven't seen. I've 881 00:54:53,800 --> 00:54:57,640 seen things that he hasn't seen. I know techniques that he doesn't know. He knows techniques that I 882 00:54:57,640 --> 00:55:02,040 don't know. You've got little scripts that can encode things faster. And I can't hear you. 883 00:55:02,040 --> 00:55:06,040 Right. And he knows like, he's like, oh, just here, do this. You know, I found it like, 884 00:55:06,040 --> 00:55:09,000 just run this thing. And I'm like, what? I don't even know how this works. Whatever. I'll just run 885 00:55:09,000 --> 00:55:15,960 it. Like last time in Vegas, I met Mathias Karlsson and we were talking about that. And he told me 886 00:55:15,960 --> 00:55:22,600 what you need to do is to find someone with the same technical skill as you. But at the same time, 887 00:55:22,600 --> 00:55:28,920 that can complete you. Like you do not need a mentor. You need someone to grow with you. 888 00:55:28,920 --> 00:55:33,960 And like that's something that a lot of beginners have trouble with is that, oh, 889 00:55:33,960 --> 00:55:39,880 I need someone to learn from. And that's not the fact. You need someone to learn with in order to 890 00:55:39,880 --> 00:55:45,560 grow up together. And I think that's the best part of hacking when you can just, you know, critical 891 00:55:45,560 --> 00:55:52,680 thing. Honestly, one of the most amazing things that I see, especially with like a mentor 892 00:55:52,680 --> 00:55:57,880 relationships, it's not always like mentors. So many times I'll be mentoring like someone who's 893 00:55:57,880 --> 00:56:02,920 new to Bug Bounty and they will ask what might seem as a simple question. But I'm like, why haven't 894 00:56:02,920 --> 00:56:07,800 I ever thought about that? Like why? 
Like I just made like some sort of assumption because I was, 896 00:56:07,800 --> 00:56:12,440 you know, I was, I'm more advanced and I just like, was like, oh, it's definitely going to behave 897 00:56:12,440 --> 00:56:16,600 this way. And the beginner will be like, is it going to behave that way? And I'm like, actually, 898 00:56:16,600 --> 00:56:22,600 is it? Like I should probably look and check. And that again, it's like you are learning with them. 899 00:56:22,600 --> 00:56:26,760 You're growing together. It's not just like, oh, let me teach you this. Right? Like some of it is 900 00:56:26,760 --> 00:56:30,680 that, but it's also, you have to feed off of each other and be willing to open and change your 901 00:56:30,680 --> 00:56:37,160 perspective and learn new techniques. Yeah. That's actually how I learned hacking. Like 902 00:56:37,160 --> 00:56:43,000 uh, I went on discourse, like beginner discourse, because I was a beginner at the time and all the 903 00:56:43,000 --> 00:56:48,360 questions that the beginners, I was trying to answer them, but not like I was doing the RTFM 904 00:56:48,840 --> 00:56:54,760 for them. And I was like, but I was like, all the questions that they have is a question that I will 905 00:56:54,760 --> 00:56:59,240 have. And if I can answer them right now, when I will confront it, it will be easier for me. 906 00:56:59,240 --> 00:57:06,200 That's great. Yeah. And I think that's like, if you do not have anyone to learn with, it's 907 00:57:06,200 --> 00:57:11,240 great to do it that way because you have like so much questions from all over the people, like, 908 00:57:12,040 --> 00:57:17,080 you know, getting access to attack surface that you do not have. Like for instance, hey, what is 909 00:57:17,080 --> 00:57:23,560 this protocol? Hey, what is this? Can you hack it? And like, I just went like grinding for like 910 00:57:23,560 --> 00:57:29,560 three, four months. 
And by the end of the day, you get actually like a good skills about what an 910 00:57:29,560 --> 00:57:34,760 attack surface is. And when you are going on bug bounty hunting, it's easier for you and you feel 911 00:57:34,760 --> 00:57:39,640 easier for you and you feel safer. Yeah. So much of this goes back to like, when I try and describe 912 00:57:39,640 --> 00:57:44,200 how you should be picking up hacking, it's really, you should be in the beginning, question 913 00:57:44,200 --> 00:57:50,280 everything, right? Like, what is HTTP? What is this get slash HTTP slash one point? What does this 914 00:57:50,280 --> 00:57:55,080 mean? Like, what is this structure? Why does it look this way? How does it behave? How does it get 915 00:57:55,080 --> 00:58:00,280 interpreted? When I, when I click a button, what's happening and like just breaking that down and 916 00:58:00,280 --> 00:58:06,040 understanding it at a, at a like fundamental level builds those core building blocks that you can then 917 00:58:06,040 --> 00:58:10,120 use forever, right? Just like what you said, like building out a tooling that will make your life 918 00:58:10,120 --> 00:58:15,640 easier when you're testing some specific protocol. It just sets the ground floors so that you can go 919 00:58:15,640 --> 00:58:22,840 up from there and you have a solid foundation. That happened to me when I was trying to use 920 00:58:22,840 --> 00:58:30,200 a bypass for SSRF. And basically I went, you know, on the cheat sheet and took like an 921 00:58:30,920 --> 00:58:37,080 octal bypass, like basically the IP is in octal format and you put it and I was like, 922 00:58:37,640 --> 00:58:45,560 what is this format? And so I went directly at the source, the corvid, the RFC of IP and it started 923 00:58:45,560 --> 00:58:53,160 at 6 PM and ended up at 5 AM. The freaking rabbit hole of what the heck is an IP. 
But by the end of 925 00:58:53,160 --> 00:59:00,280 the day, it helped me so much to bypass stuff because an IP can be so many things. It just needs 926 00:59:00,280 --> 00:59:08,120 to be a 32 bit integer, but they do not specify how, like if it's an extra decimal in octal, 927 00:59:08,120 --> 00:59:15,480 like the point that the four dots format is just, you know, a convention, but actually every 928 00:59:16,360 --> 00:59:23,720 caller needs to interpret all the different kinds of formats, which is insane. And when you know 929 00:59:23,720 --> 00:59:30,280 that, you know how to actually bypass those kinds of stuff. Absolutely. And those sort of tricks are 930 00:59:30,280 --> 00:59:35,480 the only, you know, you're going to find those tricks by diving deep and getting far into those. 931 00:59:35,480 --> 00:59:43,640 We had a thread really recently, like you went, you just gave me a domain and said, oh, there's 932 00:59:43,640 --> 00:59:49,640 an XSS on it. Just try to find it. And like one hour later, I was like, oh, that was a really cool 933 00:59:49,640 --> 00:59:57,240 challenge, but we didn't have the same answer to that challenge. And like we looked at it and like, 934 00:59:57,240 --> 01:00:03,400 why your payload works? And actually created a lot of debates on Twitter. 935 01:00:03,400 --> 01:00:07,640 Yeah. I actually saw something like this recently. Somebody made a great Twitter post. We'll have to 936 01:00:07,640 --> 01:00:12,120 find it. I don't remember who it was, but they showed an example of a command injection where 937 01:00:12,120 --> 01:00:17,000 you could encode the command in this really, really weird, it was like, there was like backslashes 938 01:00:17,000 --> 01:00:20,760 before each letter and it's like all sorts of weird things. I was like, I looked at it, I was like, 939 01:00:20,760 --> 01:00:25,320 how the heck does this even work? 
And I actually bookmarked it because I need to go back later 940 01:00:25,320 --> 01:00:27,640 and I need to figure out how it works. And it's one of those things where you're like, 941 01:00:27,640 --> 01:00:32,760 if you can figure out fundamentally how this works, the fundamental parts of why it's working 942 01:00:32,760 --> 01:00:37,320 and what's going on there apply in other scenarios. You don't have to do it exactly like the exact 943 01:00:37,320 --> 01:00:42,440 same way, but you can use those pieces together to build it. And I think this is a great transition 944 01:00:42,440 --> 01:00:47,160 because you made a video recently about UUID V1 and want to talk about like deep dive and like 945 01:00:47,160 --> 01:00:54,440 understanding like weird nuance in something that seems very typical. UUID V1 versus UUID V2, 946 01:00:54,440 --> 01:00:58,200 three, four, it's a lot of nuance in there. So can you talk a little bit about that? 947 01:00:58,200 --> 01:01:05,800 Yeah, definitely. So I was hacking with Snorlax, like the French team, we really hack a lot together 948 01:01:05,800 --> 01:01:14,680 and this target, we re-hammered it for months and months and we knew everything. And this target had 949 01:01:14,680 --> 01:01:20,600 everything in scope. So even third parties and acquisitions. And so we were on this new 950 01:01:20,600 --> 01:01:28,680 acquisition that wasn't explicit in scope. And he was like, oh, that's weird. Like the password 951 01:01:28,680 --> 01:01:34,920 reset is on another domain. And he just linked it to me. And I was like, wait a minute, that's UUID 952 01:01:34,920 --> 01:01:42,520 V1. And why did that trigger? It's because I don't know why. And I don't know how, but I think it was 953 01:01:42,520 --> 01:01:48,120 because I was programming something that needed UUID. I was like, what's the difference between V4 954 01:01:48,120 --> 01:01:54,360 and V1? Right? 
Actually, it's because at Mano Mano, we were fixing a third party stuff that had 954 01:01:54,360 --> 01:01:59,320 collision with V4. And I was like, what's the difference with UUID anyway? And I found this 955 01:01:59,320 --> 01:02:05,640 blog post from the VerSprite team, actually talking about UUID V1 being generated on 956 01:02:06,440 --> 01:02:13,800 timestamps. And I was like, that doesn't seem secure. And it doesn't just use timestamps, 957 01:02:13,800 --> 01:02:19,880 it also uses the MAC address and the clock ID of the machine. So the MAC address is basically the 958 01:02:19,880 --> 01:02:25,080 MAC address and it has a similar format. So if the same machine generates two UUIDs, it will stay 959 01:02:25,080 --> 01:02:30,280 the same. The clock ID is the same. It's a value that is set at the creation of a machine, like the 960 01:02:30,280 --> 01:02:36,040 first boot. And it will always stay the same. So you actually have like two chunks of the UUID that 961 01:02:36,040 --> 01:02:42,840 always stay the same. And the last chunks are the version. So if it's UUID V1, you will see that the 962 01:02:42,840 --> 01:02:48,120 first chunk, the first number will be the version. So it's one, two, three, four, five. 963 01:02:48,120 --> 01:02:53,480 It's the first thing I look at whenever I see UUID is like third octet, first character. And if it's 964 01:02:53,480 --> 01:02:59,800 a four, I go, and if it's a one, I go, oh. Yeah, exactly. And so when you see one, you know that 965 01:02:59,800 --> 01:03:07,800 it's generated on timestamps, right? And so then you see that the first chunk is actually the high, 966 01:03:07,800 --> 01:03:13,720 and then you have the mid and the low. And I don't know exactly why they are called like that, 967 01:03:13,720 --> 01:03:20,040 but when you are put together, like you just concatenate them, it's giving a hexadecimal 968 01:03:20,040 --> 01:03:27,480 value. 
And this hexadecimal value, when you put it in decimal, give you a timestamp in the Julian 969 01:03:27,480 --> 01:03:33,640 calendar. So I went on the internet searching why the Julian calendar, and I didn't find the reason. 970 01:03:33,640 --> 01:03:42,760 Like, why the heck would you use that calendar? Use epoch, like normal people. And then you can 971 01:03:42,760 --> 01:03:50,520 do some basic math. I'm really bad at math, so of course those have to be basic. And to put it in the 972 01:03:51,480 --> 01:03:57,960 epoch timestamp, and you get the date with a normal converter. And you can have some kind 973 01:03:57,960 --> 01:04:05,000 of disclosure of when this ID has been generated. And now they use UUID V1 for the password reset. 974 01:04:05,560 --> 01:04:11,640 And UUID V1, since you can know the time that have been generated, and you can reconstruct them really 975 01:04:11,640 --> 01:04:20,440 easily because it's just trying to do plus one in the hexadecimal values, you can actually do 976 01:04:20,440 --> 01:04:27,480 something called the sandwich attack. So basically you generate a password reset for the attacker. 977 01:04:27,480 --> 01:04:34,600 Then you generate one for your victim and again for the attacker. And the attacker power is the 978 01:04:34,600 --> 01:04:40,280 layer of bread, and the victim is like the ham, the garniture, everything. And you basically sandwiched 979 01:04:40,280 --> 01:04:47,560 the reset token of your victim between your two tokens. And someone asked me, why do you need the 980 01:04:47,560 --> 01:04:53,080 other layer? Like you can just put the first one and the victim one, and you can just brute force 981 01:04:53,080 --> 01:04:59,960 until you have the victim. It's just to give you a sense about if your script is working, if you 982 01:05:00,520 --> 01:05:08,040 go over that value, it means that you didn't find the ID. And so there is another thing going on. 
984 01:05:08,040 --> 01:05:11,960 So that's why it's better to sandwich. That's awesome. So much of this reminds me of 985 01:05:11,960 --> 01:05:20,200 CTFs. Security CTFs do such a good job with these weird things. Stuff like UIDV1 is a great example 986 01:05:20,200 --> 01:05:26,680 where there's weird nuance to how things that might seem intuitive work. And that makes it 987 01:05:26,680 --> 01:05:31,400 perfect for a CTF where it'll be like, hey, look at this piece of code. This looks completely normal, 988 01:05:31,400 --> 01:05:36,120 but what's wrong with it? And you have to go, wait a second. Yeah, what is wrong with this? Oh, 989 01:05:36,120 --> 01:05:41,400 it's UIDV1. And why is that vulnerable? Oh, because you can use timestamps and you can predict 990 01:05:41,400 --> 01:05:47,880 the next value and so forth. And having that type of training, even though it's not like a 991 01:05:47,880 --> 01:05:52,360 bug bounty, it's very, very related and it builds some of that fundamental knowledge and the 992 01:05:52,360 --> 01:05:56,920 understanding of those weird technologies, which honestly they're weird, but they're used in the 993 01:05:56,920 --> 01:06:02,120 real world so often that it's not like a useless thing to know. It's a very, very useful, powerful 994 01:06:02,120 --> 01:06:12,280 piece of thing to learn. So I was just going to ask about that. There was a really cool comment 995 01:06:12,280 --> 01:06:20,600 on the Twitter post for that. And essentially it was saying, using the new Smashing the State stuff. 996 01:06:22,120 --> 01:06:25,560 So, okay. Well, we'll say it for those that are listening. I haven't seen it. 997 01:06:26,120 --> 01:06:30,920 One of the comments on Twitter said, using the Smashing the State research that James Kettle 998 01:06:30,920 --> 01:06:38,520 recently released, you should be able to get sub one millisecond, almost collisions with your 999 01:06:38,520 --> 01:06:43,880 requests, right? 
They can be processed within the same millisecond. Assuming that that process is 1000 01:06:43,880 --> 01:06:52,280 generating a UUID V1, a UUID, do you know if they will collide or how will that work? Do you know? 1001 01:06:53,480 --> 01:07:03,320 So UUID V1s are on the nanoseconds. Okay. So no, never. James, do your shit. 1002 01:07:03,320 --> 01:07:10,120 Shit. And make it faster, James. It might collide, but I don't really know the 1003 01:07:10,120 --> 01:07:16,120 probability of that. But I think that was a really interesting comment because that's basically, 1004 01:07:16,120 --> 01:07:24,600 I've seen the article from James Kettle about, so you want to be a security researcher. And he says, 1005 01:07:24,600 --> 01:07:31,720 you need to go hunt for forgotten knowledge. So stuff that other people missed for many, 1006 01:07:31,720 --> 01:07:37,240 many years, for instance, DNS rebinding, 2005, everyone was using DNS rebinding. And then it 1007 01:07:37,240 --> 01:07:44,040 got lost. And someone was like, what if it works on the client side of browsers? 1008 01:07:44,040 --> 01:07:49,080 DNS rebinding, that makes me remember something. I've heard that name in years. 1009 01:07:49,720 --> 01:07:55,800 And try to create diversity from this forgotten knowledge. So basically, this applied the logic 1010 01:07:55,800 --> 01:08:00,520 of vulnerability to other types of technologies and stuff like that. DNS rebinding is a prime 1011 01:08:00,520 --> 01:08:07,960 example of that. And then you have to get outside of your comfort zone. Your own comfort zone is 1012 01:08:07,960 --> 01:08:12,680 the same as many other people. And so if you get outside of your comfort zone, you will be on 1013 01:08:12,680 --> 01:08:19,320 untouched territory. And this kind of comment about, hey, can we take this research and this 1014 01:08:19,320 --> 01:08:25,960 other research and smash them together? Go for it. No idea is stupid until proven wrong. 
And so 1015 01:08:25,960 --> 01:08:33,800 I thought that this comment was so great. And kudos to the person that thought about it. 1016 01:08:33,800 --> 01:08:38,280 Totally agree with that. Yeah. Always looking for those sort of opportunities to combine those two 1017 01:08:38,280 --> 01:08:44,760 pieces together and generate something new. So we're getting close to that. What time is it, 1018 01:08:44,760 --> 01:08:50,280 actually? 10.45. Okay. We need to wrap up soon. But I did want to ask one last thing regarding 1019 01:08:50,280 --> 01:08:57,240 your experiences at live hacking events. Like you said, we all have these people that we 1020 01:08:57,240 --> 01:09:05,160 collaborate with that help and that we kind of complete, right? And complete us. So you 1021 01:09:05,160 --> 01:09:09,800 collaborate often with the French team. Can you talk a little bit about the dynamics and what kind 1022 01:09:09,800 --> 01:09:15,880 of lessons you've learned from that collaboration? Yeah. The French team is super great. We didn't 1023 01:09:15,880 --> 01:09:23,560 have a better name than just the French team. The croissant team now. The croissant man. The baguette. 1024 01:09:25,400 --> 01:09:34,360 Yeah. The baguette. The baguette. Dude. That's it. That's it. Okay. I'm going to bring some with 1025 01:09:34,360 --> 01:09:40,920 them. That'll be great. Yeah. And yeah, we have an interesting... I'm actually really proud of that. 1026 01:09:40,920 --> 01:09:46,520 You should. You should be. Oh man. The royalties are going to be too expensive. 1027 01:09:48,360 --> 01:09:53,400 It's actually really great because on every live hacking event, we always managed to invite one of 1028 01:09:54,120 --> 01:10:01,160 the team. And what's interesting is that the team is composed of five people. So we have 1029 01:10:01,160 --> 01:10:09,720 Doomer, Zax, that they both work at the BZ Hunt. They created the company. 
We have Snorlax, who is 1030 01:10:09,720 --> 01:10:16,920 an amazing hunter. There is Bonsoir-D, who is an upcomer, but he did an amazing job with OpenSea 1031 01:10:16,920 --> 01:10:21,640 recently. Yeah. Yeah. Yeah. Crit after crit. And there is me. And... 1032 01:10:22,600 --> 01:10:29,800 Again. Which speaks for itself. And you know me, of course. Needless to say. 1033 01:10:29,800 --> 01:10:35,960 I'm saying that because we are so different in our ways to hunt. For instance, Zax is 1034 01:10:35,960 --> 01:10:41,880 really methodological about the way. He does everything on the checklist. I'm going to check 1035 01:10:41,880 --> 01:10:47,640 that, then that, then that. Doomer is really good at spreading and finding attack surfaces. 1036 01:10:47,640 --> 01:10:55,880 Snorlax is really good about finding specific vulnerabilities and also finding some weird stuff. 1037 01:10:56,440 --> 01:11:04,440 And I think I'm good about finding new research. And so what happened is that Snorlax and I, 1038 01:11:04,440 --> 01:11:11,800 it's like a counter-strike esports team. We are with Snorlax, the pivot. We are going on another 1039 01:11:11,800 --> 01:11:18,600 direction while they are hunting on the main scope. And we are doing some crazy, weird stuff. 1040 01:11:18,600 --> 01:11:25,160 And once we find something interesting, we give it to them to first to Doomer to find an attack 1041 01:11:25,160 --> 01:11:30,680 surface and to spread this vulnerability everywhere. And then to Zax to add to the 1042 01:11:30,680 --> 01:11:35,960 checklist of things to check and everything. This reminds me of, I mean, Shubz is especially 1043 01:11:35,960 --> 01:11:40,920 a great example because his recon game is insane. And he'll just find like 15 different weird things. 1044 01:11:40,920 --> 01:11:43,960 And he'll be like, hey, man, I have this weird thing. Do you want to go check it out? I'm like, 1045 01:11:43,960 --> 01:11:48,200 yeah. 
And just like how Justin was saying, oh, I'll point Joel in the right direction. 1046 01:11:48,200 --> 01:11:52,840 It's very much so like that where you'll find a lead and you'll be like, I think we can get this, 1047 01:11:52,840 --> 01:11:56,440 but let me let you take a crack at it because I know you can do it. Shubz is like, you get a 1048 01:11:56,440 --> 01:12:01,640 weird thing. You get a weird thing. You get a weird thing. He's the Oprah recon. I love it. 1049 01:12:02,440 --> 01:12:09,160 But yeah, like the way the dynamics works, we are, everyone, each one of us have their own role. 1050 01:12:09,160 --> 01:12:15,160 And the Counter-Strike team is amazing because it's like, it's a good example because you have 1051 01:12:15,160 --> 01:12:19,800 the guys doing the entry points. You have the other one doing the support and you have like 1052 01:12:19,800 --> 01:12:24,600 the lurkers that are going to another direction. And that's basically what we're trying to apply 1053 01:12:24,600 --> 01:12:29,640 within the team. We do not want to be on, you know, all looking at the same thing. 1054 01:12:29,640 --> 01:12:36,840 We want to slide overlapping. And for instance, at the Epic Games event at the beginning of the year, 1055 01:12:38,120 --> 01:12:45,320 we were all looking at different stuff. And there was like this moment where, hey, I got this thing 1056 01:12:45,320 --> 01:12:51,000 working. Do you think that on your scope it will work? And we spread it, that shit everywhere. 1057 01:12:51,000 --> 01:12:57,560 And it worked everywhere. And that's the dynamic like we want to do. And we do not 1058 01:12:57,560 --> 01:13:03,800 any overlap. So that works great. And also we are like really, really great friends. And we love to, 1059 01:13:03,800 --> 01:13:11,640 yeah, you know, when we're hunting 10 days in a row, not sleeping, the last day we have mental 1060 01:13:11,640 --> 01:13:18,120 breakdown and just at 2 a.m. 
not managing to write a report and like just someone breathing to the 1061 01:13:18,120 --> 01:13:24,040 microphone makes us laugh for hours and hours. And we're like, this is like the greatest thing 1062 01:13:24,040 --> 01:13:31,960 ever about like being with your friends and not just, you know, working. It's definitely an amazing 1063 01:13:31,960 --> 01:13:36,520 experience. And I want to talk, you know, because last time, maybe it was last episode or the episode 1064 01:13:36,520 --> 01:13:40,280 before, I talked a little bit about some of the difficulties of collaboration. Just to be clear, 1065 01:13:40,280 --> 01:13:45,080 I am not, you know, against, I'm not anti-collaboration. I just think that there 1066 01:13:45,080 --> 01:13:49,160 are some challenges and it seems like you and some of the other people that have, you know, 1067 01:13:49,160 --> 01:13:53,400 been doing collaboration successfully, consistently have really ironed out those details. And I think 1068 01:13:53,400 --> 01:13:58,280 that's awesome. And if you do it in a way that's intentional and aligns with everyone's goals, 1069 01:13:58,280 --> 01:14:02,440 then it rocks. And I experienced that as well. So it's great to see you doing that. 1070 01:14:02,440 --> 01:14:07,400 What I like with collaboration, like I like to do, for instance, when I'm not collaborating 1071 01:14:07,400 --> 01:14:14,040 with the French team, is that from the beginning I said, I say like, how do you want to collaboration? 1072 01:14:14,040 --> 01:14:19,080 How do you want to split? And before even finding vulnerabilities. So you say everything straight. 1073 01:14:19,080 --> 01:14:24,120 And what I like to do is even if the other person does not find anything, but I know that they're 1074 01:14:24,120 --> 01:14:32,360 actively searching, I want to still give them 50% of the report. 
Because I know that if I continue 1075 01:14:32,360 --> 01:14:39,080 collaborating with that person and that if I trust the person, they will do the same thing for me. 1076 01:14:39,080 --> 01:14:45,400 And we're going to balance out bounties over the time. And that's how you create real bond 1077 01:14:45,400 --> 01:14:50,040 and friendship. It's not about money. It's about having human interaction with one another. 1078 01:14:50,040 --> 01:14:55,160 It's trust. Exactly. Awesome. Well, I think that's like a perfect note to end it on. I mean, 1079 01:14:55,720 --> 01:14:59,640 was there anything you want to shout out? Obviously your company, what is it? L&H or LNH? 1080 01:14:59,640 --> 01:15:07,640 Lupin and Holmes. L-I-A-N-D-H.Tech for the website. I just want to say thank you guys for everything 1081 01:15:07,640 --> 01:15:12,360 you've been doing on the podcast. It's just amazing. All the debates that is created, 1082 01:15:12,360 --> 01:15:18,520 like the one about programs, I love it. That's what we needed in the community. So shout out 1083 01:15:18,520 --> 01:15:21,960 to you guys for everything you've been doing. Yeah. Well, thank you for being on. We really 1084 01:15:21,960 --> 01:15:38,360 appreciate it. And yeah, that's the pod, right?