Justin Gardner (@rhynorater) (00:00.65)
So before we started this episode, I was like, all right, man, tell me how to pronounce your name. And give it to me now, because I'm not gonna get it right.

avlid (00:10.104)
You mean my handle? Yeah, avlid i brunn.

Justin Gardner (@rhynorater) (00:11.07)
Yeah, avlid i brunn, and that means what?

avlid (00:15.222)
It means like you want someone to fall down a well and die.

Justin Gardner (@rhynorater) (00:19.426)
Dude, I don't know. Why do we have the weirdest handles man? Mine is like some freaking like Video-game gun from when I was like 12 and you're telling people to fall down a well. That's well, that's lovely, man

avlid (00:30.62)
Yeah, but there's a little story to that. It's like, that was like something that a friend of mine or an ex-colleague of mine used to say as a...

as like an insult, because he's from up north, apparently they say it there. And so I was signing up for some service, I forget which one it was, it might have been Gmail, but it could have been something else too, and it was like, no that's... yeah, but it's like, oh that's taken, oh that's taken, oh that's taken, so I just put that in and I was like, you know what, this is never gonna be taken anywhere, I'm sticking to it.

Justin Gardner (@rhynorater) (00:52.26)
Might have been Gmail.

Justin Gardner (@rhynorater) (01:03.95)
Dude, that's freaking great, man. And so you named yourself, yeah, in English, there's like, you know, go jump in a lake is what people, or jump off a cliff or something like that people will say. That's hilarious that you put that as your name. Well, dude, welcome to the pod with that lovely start. Welcome to the pod and thanks for coming on. It's, you know, one of the things that I love about podcasting is that you kind of get to catch up with people a little bit, like.

avlid (01:14.533)
Yeah.

avlid (01:21.78)
Thank you.

Justin Gardner (@rhynorater) (01:30.57)
I'm kind of bad at keeping up with all my bug bounty friends and I haven't, I mean, we haven't spoken in like, man, it's probably been almost five years, maybe four years. So how have you been, man? What have you been up to? Why haven't you been at the live hacking events?

avlid (01:39.284)
Yeah.

Justin Gardner (@rhynorater) (01:47.694)
I'm sorry.

avlid (01:49.085)
I don't know, it's a long story. I got kind of burnt out, I guess, around 2020 or around when corona hit and the live hacking events stopped. And then I was at home, other issues in my life, my relationship wasn't going anywhere and we broke up, and then instead of handling it I started playing World of Warcraft, so yeah.

Justin Gardner (@rhynorater) (01:56.542)
Yeah, yeah 2020. Yeah.

Justin Gardner (@rhynorater) (02:05.356)
Mm. Mm-mm.

Justin Gardner (@rhynorater) (02:10.667)
Ah, classic. Classic move right there. Oh man.

avlid (02:14.664)
So I found some interesting stuff in the World of Warcraft. Yeah, well, they didn't let me do some stuff in like an add-on that I wanted to do, but you could do it.

Justin Gardner (@rhynorater) (02:20.202)
Hacking World of Warcraft?

Justin Gardner (@rhynorater) (02:28.678)
Nice. That's great, man. Well, you know, I will say the burnout thing is something that's real, you know, like pretty much everyone who's on the live hacking event circuit deals with it. And especially if you're, you know, you're doing every event for a little while, like you were, it becomes a lot. But you did actually come to Vegas this year, and you guys won, right? Freaking

avlid (02:40.927)
Yeah.

avlid (02:56.252)
Yeah, yeah, that's a good comeback.

Justin Gardner (@rhynorater) (02:58.418)
Yeah, now, oh, dang it, move your head a little bit to the side. Is that two? Is that two belts I see up there? Dang it, man. Freaking people, you know, for a little while, it was me and Frans with the two belts, and I was like, all right, you know, I can be happy with this, and now the number has grown substantially, and now I gotta, like, get my shit together and get another belt, so.

avlid (03:01.724)
Oh, that is two. So I need a new shelf.

avlid (03:11.101)
Yeah.

Justin Gardner (@rhynorater) (03:22.422)
Bummer man. Well, yeah, I would have loved to have been in Vegas this year and seen you, but you know, such is life and now we get to catch up here. So that works well. Um, yeah. So I guess 2020 burnout a little bit stopped doing bug bounty period for a while or what?

avlid (03:29.248)
Indeed.

avlid (03:35.568)
Yeah.

avlid (03:39.984)
Yeah, basically. The only thing I did in 2021 and 2022 was like helping some people who asked me questions. So I got like a couple of collaboration reports. But other than that, nothing.

Justin Gardner (@rhynorater) (03:58.57)
Yeah, dude, that, uh, that, that was a underrated revenue stream for me as a, uh, as a podcaster, because what'll happen is, you know, people will message me. And, and like, let me just also put this out there for the people that are listening. I will definitely help with bugs, but they need to be actual bugs, you know, they need to be actually good leads. Right? So people will message me sometime. They'll be like, Hey, I.

avlid (04:05.96)
Yeah.

Justin Gardner (@rhynorater) (04:24.418)
I've got this, uh, you know, XSS I can't quite figure out, but clearly, you know, we're escaping the XSS context and there's a valid, you know, XSS here. We just got to like get around this WAF or we've got to like, you know, code golf in some, some exploit. Um, and I love that. And it's been a great, it's been, you know, people, I think on average I've made like two or three K a month from like people reaching out to me since I've launched the podcast being like, Hey, exploit this. So it definitely does help when you're, you know, well known for your exploitation capabilities.

avlid (04:53.348)
Yeah, I want to give a tip actually about collaboration and also what I've been doing this past week with some friends. I think that another thing that's super underestimated is to try to become maybe expert in this is the wrong word, but really knowledgeable about a specific technology or like development stack or some area. And then you can talk to people who specialize in like a couple of different.

Justin Gardner (@rhynorater) (04:56.184)
Mm. Yeah.

Justin Gardner (@rhynorater) (05:01.633)
Yeah.

Justin Gardner (@rhynorater) (05:12.79)
Yeah, 100%.

avlid (05:22.964)
programs and maybe they can just search their verbs and like, yeah, they use a blah thing here and you can get paid for that research extra if that doesn't.

Justin Gardner (@rhynorater) (05:31.978)
across all of the programs too. Yeah, and this is something that, you know, we've had Nagli on the podcast a couple of times, or well, I guess we've had him at least once, but there's more to come. And he, you know, he does a great job with this. He's like, he's got an automation setup that's, you know, pretty much one of the best around. And, you know, people will hit him up and be like, hey, I've got the zero day. And he'll just, you know, help everyone.

exploit it across all the programs and help everyone, you know, sort of tie up those loose ends and get a cut of it. So, you know, it's great on the distributor side and it's also great on the researcher side too. And definitely, yeah, that's a great tip and underestimated way to make a good chunk in bug bounty, I think.

avlid (06:21.744)
Yeah, for sure.

Justin Gardner (@rhynorater) (06:25.509)
Yeah. And on top of that, you know, you get, if you're doing quality research, you know, you get access to the research as well. You know, you're doing quality research that you can release and it's good for, you know, publicity and that sort of thing. But the catch there is you've gotta find something that's widely used. So it's a little bit tricky because, you know, if you go down this rabbit hole and you research something and then it's not widely used.

You know, you'll be like, oh, I found this crazy bug, and then there's like three companies that use it or something like that.

avlid (06:55.024)
Yeah, it's pretty funny. I've had a lot of those too. Like I found a pre-auth RCE in an open source project that a company put out which had a bug bounty program. But I couldn't find an instance that they were using it themselves. Yeah, so it was probably some internal system.

Justin Gardner (@rhynorater) (06:58.614)
Yeah.

Justin Gardner (@rhynorater) (07:08.059)
Oh my gosh.

Justin Gardner (@rhynorater) (07:17.204)
What?

avlid (07:21.86)
or behind VPN or whatever, somewhere. So I reported it to them and they were like, ah, we don't think this is such a big deal. And I got like, not that much. It was still a valid report, but, hey man, don't touch me. But I put in like a signature in my automation there. But I found a couple of them, but since it's patched now, like every time I see that pop up, I'm like, damn. So.

Justin Gardner (@rhynorater) (07:30.498)
How do you think a pre-auth RCE is not a big deal?

Justin Gardner (@rhynorater) (07:48.206)
Dude, that sucks man. You know, when I did the, it is, and when I did the Grafana bug in 2020, I had a pre-auth full read SSRF on Grafana that like popped me like 70 companies or something ridiculous like that. It was like, and it was just always straight to the AWS metadata too, cause everyone always spins it up in AWS, right?

avlid (07:50.824)
It's like a double-edged sword there with open source.

avlid (08:01.736)
Oh.

Justin Gardner (@rhynorater) (08:12.186)
And I was like, okay, you know, I've kind of sprayed this around and then I finally released it. And, and, um, you know, before I did, I really, like, somebody told me like, Hey, I think it was Naffy. I think Naffy hit me up and was like, Hey man, um, I'm pretty sure GitLab has like an embedded version of Grafana in it. Right. And I was like,

oh my gosh, you know? And it was vulnerable to that too. So you could like hit up, you know, any GitLab instance that was publicly facing was also vulnerable. So it's also, I think another good tip for that is like, if you can take a piece of software and see if other pieces of software are actually utilizing that as a part of their stack, even if it's full applications, like Grafana being embedded inside a GitLab.

then sometimes you can pop an additional set of vulns there.

avlid (09:02.712)
Yeah, and it does, like, the even better point, or if you can manage to find it, is to find, like, insecure defaults or ways of setting it up in an insecure way, because then it won't, it probably won't be even patched. And so now you're sitting on something that will not, like, have an end of life, I guess.

Justin Gardner (@rhynorater) (09:07.455)
Yeah.

Justin Gardner (@rhynorater) (09:13.553)
Mm.

Justin Gardner (@rhynorater) (09:19.839)
Yeah.

Justin Gardner (@rhynorater) (09:25.662)
Yeah, dude, insecure defaults is huge, man. That would be, yeah, looking into that and then spraying it wide is a great idea. You mentioned a second ago, your automation setup. And so I've got it here on our little doc, our doc that all of a sudden became very, very long as I've stalked you over the past five years to consolidate all of the content that you've produced down into one podcast.

avlid (09:37.672)
Yeah.

Justin Gardner (@rhynorater) (09:53.878)
But so I know you have a little bit of a origin with AssetNote, right? When AssetNote was just a baby, you were kind of sort of involved in that. So I'd like to hear about that. And then I'd also like to hear about what your automation setup looks like nowadays.

avlid (10:00.014)
Yeah.

avlid (10:10.864)
Yeah, so when it comes to AssetNote, and I guess the same is true for Detectify later, like, I don't think that anything is left of my contributions. Like, it evolved to like an actual product and everything. But back in the day, let's say, what happened was that Shubs made the first, like, jank version of AssetNote.

Justin Gardner (@rhynorater) (10:16.257)
Yeah.

Justin Gardner (@rhynorater) (10:22.515)
Yeah, yeah, of course.

avlid (10:37.368)
and put it open source, and then that project kind of died and I was interested in building something similar. So I found this project and I asked him just straight up, hey, is there any like pull request that you didn't merge or like code that you didn't commit? Can you, can you do it? Because I'm gonna fork it and do something with this. And he's like, yeah, but I mean, like, if there were bugs and you had to fix them, can I come on, just git push.

Justin Gardner (@rhynorater) (10:54.19)
Heck yeah. Yeah, can I have any free code please? Yeah.

Justin Gardner (@rhynorater) (11:02.954)
Exactly. No, this is a great. I love this question.

avlid (11:07.576)
But anyway, it was like really excited that someone took an interest to it, I suppose, and we started building it together. Until I guess he or we realized that it became an effective enough solution, I guess, that could actually be turned into a real...

valuable product. And so then we forked again and I chose to keep my version, which is like, I rewrote almost all of it too. So now it's like we converged and we did whatever, it's the opposite word of that.

Justin Gardner (@rhynorater) (11:31.627)
Yeah.

Justin Gardner (@rhynorater) (11:41.502)
Oh yeah.

Justin Gardner (@rhynorater) (11:44.95)
Gotcha. Well, I know that he credits you a lot with, you know, some of the momentum that he had with AssetNote in the beginning, I'm sure with that, you know, initial interest sort of reviving the project. And then also, like, something about project man... you know, he was on the episode, like, there's some sort of like project management help they needed or something like that. And then you guys helped them out with that. I don't know what that was, but it must feel great to be.

avlid (12:08.636)
Ciao.

Justin Gardner (@rhynorater) (12:13.89)
a part of such a big thing. Because I don't know if you feel the same way, but I have so much respect for the people at AssetNote, what they've built technically. And also just to see Shubs and the whole team really, Sean as well and all them, being in our hacker groups and then going and building this massive product that is used by so many companies nowadays and just kind of taking that entrepreneurial route. So that's gotta be pretty cool.

avlid (12:42.268)
Yeah, for sure. It's awesome. I love Shubs and those guys. They're great people and hackers.

Justin Gardner (@rhynorater) (12:46.922)
Yeah, yeah, for sure. So your automation, you said you've mostly rewritten it. What language are you using? What kind of stuff are you doing now in there that you're excited about?

avlid (12:51.828)
Yeah.

avlid (12:57.596)
It's still Python and Postgres. And yeah, no, it's just simple. I like simple code. So like the less complex it is, the more beautiful it is. And it goes for systems and code or networks or whatever. That's like my point of view of anything technical. So it has no...

Justin Gardner (@rhynorater) (13:00.626)
My man. Ha ha ha.

Justin Gardner (@rhynorater) (13:19.266)
Dude.

avlid (13:23.824)
No auto-scalability, no weird shit. It just collects data and that's about it.

Justin Gardner (@rhynorater) (13:26.062)
Thanks for watching!

Justin Gardner (@rhynorater) (13:31.27)
and does its job and sticks it in a database. I love that, man. You know, that's really underrated. You know, I've talked about it on the pod a couple times before, but I have, I was in the recon game for a long time. And like here and there, nowadays, I'll kind of think about like, oh, you know, maybe I'll go back to that real quick and like just kind of see if I can at least get my instance sort of spun up again and get some host monitoring in place and that sort of thing.

avlid (13:52.456)
Yeah.

Justin Gardner (@rhynorater) (13:59.65)
And then I go back and I look at the code and I'm like, this is so freaking complex. And even one of the guys in the Golden, actually in the CTBB Discord, he was asking me, hey, how do we deal with wildcards, wildcard subdomains, and how do we filter out the stuff that's not a wildcard inside the wildcard definition, right? And I gave him.

avlid (14:16.138)
Yeah.

Justin Gardner (@rhynorater) (14:23.222)
I gave him this whole piece of code, which works. In my defense, it does work really well, and it does filter out the wild cards quite well. But it was like 500, 600 lines of code just to filter out a wild card. And so, yeah, I think it's a struggle to keep your code that simple. And if you can, it's so beautiful and helpful for automation.

avlid (14:37.053)
Yeah.

avlid (14:46.012)
Yeah, no, for sure. And like another tip there, maybe I'm not up to date with the recon game because people are building such advanced awesome stuff. But one thing that I think might be underrated, and this is only based on that I found them and I've been surprised that like, why don't people do this? It's just that...

Justin Gardner (@rhynorater) (14:58.125)
Mmm.

avlid (15:10.68)
If you're gonna do headless browser stuff, like for screenshots for example, anyway, then you might as well audit the network logs or the DNS logs, because I've seen a lot of places where people have... Like maybe it's not on getslash and maybe it's on some other page, but they will...

Justin Gardner (@rhynorater) (15:14.924)
Mm.

avlid (15:34.02)
make some kind of external resource request, whether it's an image or like a script or something else to a domain that either has a takeover or that's just like, you can just buy the domain. And there you've got a bug.

Justin Gardner (@rhynorater) (15:48.494)
Dude, what the heck man? Freaking Mathias coming up on the pod being like, okay guys, you know, I don't know if this is up to par for the pod, but like, and I've been doing this, I have been talking about this shit for like four years and I have not once ever thought to do that when you've already got it loaded up in the browser anyway. All of the resources are already resolving. Mathias, dude, that's genius. What the heck? Guys.

avlid (16:12.212)
Yeah.

Justin Gardner (@rhynorater) (16:16.93)
Go do this, all of you. See, this is the problem with you. You're about to learn after this episode because you say stuff on the pod, right? And then people actually listen to it, and then they go do stuff, and now your secrets are gone too. So I should have warned you before this episode, but I appreciate you dropping that awesome tip because I'm sure that will lead to many, many takeovers and many, many vulns for lots of targets. So that's a freaking great tip, man.

avlid (16:27.048)
Yeah.

avlid (16:42.832)
Yeah, I want to give tips. Like, it's a good challenge to just put stuff out there. I think Frans noted it too, but like, it's good to get your secrets out there, because then you need to get new ones. And that motivates you to do research, I guess.

Justin Gardner (@rhynorater) (16:50.956)
Yeah.

It is.

Justin Gardner (@rhynorater) (16:58.782)
Yeah, I'm glad you both have that mentality. That's really beneficial for me. Yeah.

avlid (17:04.944)
Yeah, but on that point though, there's different ways to publish your research too, I guess. Because I'm not very good at writing blog posts, or maybe I'm good at it, but I don't do it. Yeah, no, he's a beast. The same with writing reports. He could be one of those people, whatever they call them, when you're in court and you have to type really fast.

Justin Gardner (@rhynorater) (17:10.508)
Yeah.

Justin Gardner (@rhynorater) (17:16.798)
Yeah. Fricking Frans just like pumps them out, man. Like, what the heck?

Justin Gardner (@rhynorater) (17:26.495)
Yeah.

Justin Gardner (@rhynorater) (17:31.846)
Oh the... yeah I don't know what those things are called.

avlid (17:34.488)
Yeah, I could be one of those if like this bug bounty thing isn't going well anymore.

Justin Gardner (@rhynorater) (17:38.37)
Is it a stenographer? Yeah, yeah, stenographer, that's it. That's the word, yeah, dude. But he, I mean, it's crazy. And I was looking at, in prep for the episode of him, I was looking at the history of research that he's kinda put out over the past forever. And I missed, I had a full list of eight or nine or 10. I was like, man, this guy puts out so much research. And then we get in the episode and he's like.

avlid (17:42.4)
Yeah, baby. Yeah.

avlid (18:02.78)
Yeah.

Justin Gardner (@rhynorater) (18:04.338)
Oh yeah, I wrote about this and that blog and this blog and that blog that I didn't have in the list and I was like, you are just like a freaking, you know, writing machine. So yeah, that's very impressive. And let me tell you, Mathias, man, podcasting is great. Can I highly recommend podcasting if you don't like writing reports? Because you can just get on the pod, you know, you don't have to do multiple takes or whatever, and you don't have to like refine your thing like you do on YouTube. And you get to just sit down, chat, you know, be authentic with the people.

and you get that information out there. So maybe we'll have to make you like a reoccurring guest on the podcast or something. That sounds great.

avlid (18:42.897)
Yeah, maybe. Another benefit of sharing is that if you're not very good at storing your information, I mean you have it in your brain obviously, but it's like you get an archive of your stuff so you don't forget it.

Justin Gardner (@rhynorater) (18:46.113)
Yeah.

Justin Gardner (@rhynorater) (18:52.862)
Yeah.

Justin Gardner (@rhynorater) (18:58.962)
Yeah, yeah, go back and if you can deal with listening to your own voice, right? Like I, um, I listened to the pod every single week, the, the Critical Thinking podcast every week, just for like quality assurance purposes and just to like make sure it's hitting, you know, the standards and that sort of thing that I want. And in the beginning, it was like nails on a chalkboard, man. It was like making me want to, uh, what is it? Avlid i brunn. It was like, we want to jump in a well, man.

avlid (19:05.15)
Yeah.

Justin Gardner (@rhynorater) (19:26.926)
And, and, and yeah, but after, you know, a couple episodes, I kind of, that kind of wore off a little bit and now it's not as, not as terrible unless I laugh, you know, and then I'm just like, what the heck is that laugh? Justin, what are you, what are you, what are you doing? But yeah, it does help. And also when you talk about it and you, and you teach it, you know, or you discuss it with somebody, it concretes it a little bit more in your head. And we were talking about this, you know, before we, we started the recording, but

avlid (19:27.252)
Yeah

avlid (19:52.978)
Yeah.

Justin Gardner (@rhynorater) (19:56.362)
We've all got that sort of technical context window of sorts, right? So like you deep dive a specific piece of content, you know, of research and then like you're super excited about it, you've got it all in your head. And then if somebody asks you a question about that three months later, it's like, oh man, I swear I knew the answer to this question, you know? So, but if you get out there and you talk about it, it sticks a little bit better.

avlid (20:14.353)
Yeah.

avlid (20:17.66)
Yeah, I had that just like yesterday, or if it was two days ago. Okay, so backstory. Frans and I have teamed up a little bit with Cicciano and Jonathan Bouman for some stuff. Yeah, we found good stuff. We started like last Friday or something. But anyway, we found something that...

Justin Gardner (@rhynorater) (20:27.256)
Mm-hmm.

Justin Gardner (@rhynorater) (20:31.866)
Oh man, oh gosh, that combination, man, holy crap.

Justin Gardner (@rhynorater) (20:40.837)
Mm.

avlid (20:46.32)
looked like a DynamoDB injection. And I was like, I should know this because this summer, so I'm helping out with running and building CTF challenges for a Swedish CTF called Midnight Sun CTF. And I made like a DynamoDB CTF challenge. So at the time I had like...

Justin Gardner (@rhynorater) (20:50.957)
Mmm. Yeah.

Justin Gardner (@rhynorater) (21:04.15)
Nice.

Oh, did you really?

avlid (21:10.384)
at least to me, novel research and stuff to do with DynamoDB. But now when it came up just a few months later, it was like... I have no idea what that was.

Justin Gardner (@rhynorater) (21:14.507)
Right, right.

Justin Gardner (@rhynorater) (21:23.367)
Yeah dude, that's so discouraging. And then you're like, you know, all right, I gotta like go back in my notes. And then you're like, oh shit, I don't have any notes. And then you're like, you're just trying to piece it all back together. But the good thing is at least, you know, that, that I think.

you do have those neural pathways sort of primed of sorts, right? And it does become easier to re-access those once you've done it, but it is disappointing when you feel like you should know something right off the top of your head and it's not there. Yeah. All right, let me get back to this.

avlid (21:55.252)
Yeah, for sure.

Justin Gardner (@rhynorater) (21:59.21)
Let me get back to this, this doc here. You mentioned something, you know, about, about collaboration a second ago, you know, when we were talking about collaboration and I think you did a great talk about this and I'm trying to see if I can find the link to the YouTube. I took like, uh, like six screenshots of this YouTube video and then I didn't actually, uh, save the video to my, uh, to my doc here. So we'll link it down in the description below, but you did a talk at, I

avlid (22:06.778)
Mm-hmm.

Justin Gardner (@rhynorater) (22:29.984)
conference a while back, talking about collaboration and mentioning this sort of concept of bounty effectiveness and how collaboration sort of affects that. You increase the number of bugs found, you decrease the risk of duplicates, you decrease the time taken because of how you're getting sort of double time.

avlid (22:56.617)
Yep.

Justin Gardner (@rhynorater) (22:57.066)
And I love this concept, man, of creating, and we were kinda talking about it last week on the pod with Joel and Sam, even though they were kinda shitting on my idea of trying to minimize bug bounty down to a function of how many attack vectors, or reasonable attack vectors is what I should have said, that you try on a target over time. But I just kinda wanted to brainstorm a little bit on this together, this concept of how can we

Justin Gardner (@rhynorater) (23:28.891)
formularize, turn into a formula that, you know, bug bounty, right? So I've got this concept around, like, optimizing for time spent actually trying reasonable attack vectors. And then you've got this concept of, like, calculating bugs found times risk of duplicate, slash time taken or, you know, divided by time taken, results in your effectiveness.

avlid (23:32.563)
Yeah.

Justin Gardner (@rhynorater) (23:56.758)
Have you had any sort of evolution in this formula or evolution in your bug bounty optimization journey over the past, you know, I think it was five years ago that you did this talk.

avlid (24:09.696)
I'm not sure, like on a high level I think that's still true because the end goal, at least for me with bug bounty, is the same. The only things that have changed is that there's been some additional factors added, I guess, to the time taken. So for example, I'm gonna take HackerOne for example.

Justin Gardner (@rhynorater) (24:24.355)
Mm-mm.

avlid (24:31.272)
But I'm sure the other platforms do too. They try to encourage you to use the CVSS system. That takes more of your time. And more programs are using triage services, which, unfortunately, sometimes takes more of your time. So those are two subparts of time taken that you can try to optimize too.

Justin Gardner (@rhynorater) (24:37.535)
Yeah.

Justin Gardner (@rhynorater) (24:44.44)
Mm-hmm.

Justin Gardner (@rhynorater) (24:49.055)
Yeah.

Justin Gardner (@rhynorater) (24:56.382)
Yeah, yeah, trying to identify programs that will triage efficiently and are capable with their own products, I think is definitely a big thing. I wanted to get your thoughts on this, okay? So, I hate to even bring this up again, man, because every single time I say anything negative about collaboration, people kind of like shit on me a little bit, but the risk of duplicates thing that you talked about here, you said that went down.

avlid (25:09.295)
Hmm?

avlid (25:24.724)
Yeah.

Justin Gardner (@rhynorater) (25:26.006)
when you were working with, you know, Frans or working with any other collaborator, right? My qualm with that piece of your formula is that I think there would be overlap, you know? Everybody's gonna find that basic IDOR, and instead of getting, you know, a one in X portion of the bounty, you're getting one of X divided by two now because you're, you're...

collaborating with your friend and you're only getting half of one portion of that bug. So I feel like your risk of duplicates as it pertains to your actual bounty amount issued, this is largely within a live hacking context obviously because we're talking about dupe windows, I feel like that kind of affects the output of your bounty. So how do you think about that and what is your response to that?

avlid (26:13.469)
Yeah.

avlid (26:26.312)
I mean, I guess I agree with you when it comes to things that you expect everyone else, or everyone to find. But for the most part it's still better to get 1% of something than 0% of something.

Justin Gardner (@rhynorater) (26:28.417)
Yeah.

Justin Gardner (@rhynorater) (26:34.891)
Yeah.

Justin Gardner (@rhynorater) (26:44.362)
Yeah, yeah, I suppose that's true. And I guess also, you and Frans and your collaboration teams, when they've been bigger in the past, you guys are less focusing on, I think, volume of reports and more focusing on like, okay, we found this thing that just blew up the whole program, right? And you find these crazy RCEs and then you're just splitting your, you know.

avlid (27:08.52)
Yeah.

Justin Gardner (@rhynorater) (27:13.122)
40k, 50k, you know, two ways or four ways or whatever, and that feels a little bit better.

avlid (27:19.324)
Yeah, for sure. I think that if you don't like duplicates then you should go deep. Because I started bountying again, like March I think, or if it was April this year, and I've had zero duplicates, and like around a hundred bugs. So yeah.

Justin Gardner (@rhynorater) (27:31.446)
Mm-hmm.

Mm.

Justin Gardner (@rhynorater) (27:37.335)
Yes.

Wow, dude. Man, you guys are tearing it up. I know I've been talking to Frans a little bit, you know, the program that you guys have been working on. Yeah, I assume it's that program. Is that the one you're? Yeah.

avlid (27:50.224)
Yeah, it's like 95% of the problem.

Justin Gardner (@rhynorater) (27:54.962)
I just, I cannot believe the volume of bounties you guys have pulled from that program this year. Like, unbelievable. It's the most amount of money I've ever seen anyone earn in Bug Bounty. And that is in one year. And that includes like these recon gods out there that are just automating everything. And you guys are doing it manual. So that's...

kind of nuts. You are doing it almost entirely manual, right?

avlid (28:25.584)
Yeah, I mean, we have some program specific stuff that we try to automate. Like, wow, okay, this type of pattern seemed to emerge at multiple places. We should try to keep a lookout for that automatically if we can, with like some Turbo Intruder or something.

Justin Gardner (@rhynorater) (28:43.333)
Can you elaborate any more on that or your lips sealed for now?

avlid (28:48.22)
on that end I was specifics. I'm not sure, but.

Justin Gardner (@rhynorater) (28:49.93)
Well, no, not to specifics, but like, you don't need to leak your secrets, but like, you know, are you looking for routes? Are you looking for, you know, is it an authorization problem? You know, give the people a little juice, I guess.

avlid (29:03.664)
Actually, there's another tip for automation. And I know some people do it, but it's a good idea to have program or category specific signatures, let's say, or what is that tool called? With a bunch of YAML files and people can run it.

Justin Gardner (@rhynorater) (29:18.603)
Yeah.

See, oh, why can't I think of it right now? It's contagious, whatever you, nuclei, right? Is that what you're talking about? Yeah.

avlid (29:30.3)
Yeah, yeah, yeah. Like think of it as, the nuclei template is custom to that program, let's say.

Justin Gardner (@rhynorater) (29:39.219)
100%. Yeah, that makes sense. So.

avlid (29:42.38)
Yeah. And I also think that this is something that...

I have a big problem with, like automatically repeating requests in burp. Can someone please make a good burp extension for that?

Justin Gardner (@rhynorater) (30:00.818)
Okay, so hold on, there are some extensions. What do you mean by automatically repeating it? With a specific modification?

avlid (30:05.848)
I mean like, yes, if the request contains this, then just like give me the whole request and I will rewrite it with my Python or whatever code and then send it and then if it contains this in the response, like give me a heads up.

Justin Gardner (@rhynorater) (30:13.55)
Alright dude.

Justin Gardner (@rhynorater) (30:21.866)
I'm about to change your life, man. There is a plugin called Autorize that does this. And there's also another... Oh, it doesn't? Okay, so you've played around with this before?

avlid (30:29.152)
No, it doesn't work for everything.

avlid (30:35.26)
Yes, I've tried that, and I've tried AutoRepeater, and I've tried... There were a couple more, and none of them can just, like, give me the whole raw request. Let me make changes to it, and then send it. But I know that Burp, what is called the Montoya API, has support for that. So, it's like, now I'm using... There was someone in the Bug Bounty Forum who posted, like, a Turbo Intruder hack.

Justin Gardner (@rhynorater) (30:45.91)
Yeah. Dude. Mmm.

Justin Gardner (@rhynorater) (30:50.878)
Yeah. Yeah, that's something.

Justin Gardner (@rhynorater) (30:59.371)
Yeah.

avlid (31:02.472)
to it, I guess, that can just monitor all the requests from proxy and then you can actually rewrite it. I can link to that. I forget his handle, but...

Justin Gardner (@rhynorater) (31:09.494)
Wow, yeah, definitely link to that. If you shoot that over to me afterwards, I'll, let me grab a notepad here.

avlid (31:15.48)
Yeah. But, but Turbo Intruder isn't perfect either because Turbo Intruder's output window is, like, not standard components. So, so I, you know, I spent the whole day just trying to make, like, a field red in the UI.

Justin Gardner (@rhynorater) (31:24.402)
No. Don't love that.

Justin Gardner (@rhynorater) (31:32.514)
Dude, we need freaking ChatGPT to, like, ingest the Montoya API docs so you can just do that. But also, I'm just gonna say, you know, and also, I wanna clarify on this pod. I love Burp, I really do. I talk about Caido all the time and I talk about the problems of Burp. PortSwigger in general, absolutely amazing company, the research they put out, the product is phenomenal. It's amazing. I also am a big fan of Caido.

Caido, one of the things that they're working on right now, I know, is pretty much the ability to do exactly what you just talked about. And it's just to have every request sort of shell out to a Python script or something like that. And I just think, wow, how beautiful is that? How simple and beautiful would that be? Because most of us can do basic coding anyway, right? If you're going to be using an HTTP proxy and stuff like that, sure, there are the exceptions of people that really just...

avlid (32:13.032)
Yeah.

Justin Gardner (@rhynorater) (32:26.026)
our business logic people and just focus primarily on HTTP and that sort of thing. But most of us can code in bash or code in Python or something like that. And the ability to just shell out to Python and modify the request and then send it through and then alert on anything that comes back, that's going to be golden and it's just going to be so easy to extend. So I'm really looking forward to that.

avlid (32:51.44)
Yeah, and to me, I agree about PortSwigger. But it's like, we have the kind of same issue that I guess the reversing community had with IDA and Hex-Rays, which is like, well, I guess they're the best. So they get to decide what you have. So I haven't tried Caido. But I like the concept of that

Justin Gardner (@rhynorater) (33:04.417)
Yeah.

Justin Gardner (@rhynorater) (33:11.05)
Yeah, exactly. Yeah.

avlid (33:20.02)
competition in this space.

Justin Gardner (@rhynorater) (33:21.61)
Yeah, me too. And I've got it open right now. I'm actually looking at it on my other monitor. And yeah, I've switched my workflow over entirely to Caido now. There are still a couple of things that I have to do manually and that are kind of bothersome, but they've made promises to me that they're fixing it, next version. And I've just found, I found well into the five figures range of.

avlid (33:38.153)
Yeah.

avlid (33:42.272)
Thanks.

Justin Gardner (@rhynorater) (33:48.638)
of bounties in the past month with Caido. So it's definitely working for me, which is good. And also they sent me a little, I don't know if I'm gonna get in trouble with them for leaking this, but they sent me a little video of the search functionality that they're implementing, which has like a very Wireshark-esque sort of query language that you can use.

And it's just very simple. You type it up in a search bar up at the top and it just, it works fast. It's clean and easy for you to write compound queries and that sort of thing. And I am just so freaking excited for that. So that should be great.

avlid (34:32.045)
So you can open like a search window and then it searches through everything with that. So it's like a Logger++, but if you...

Justin Gardner (@rhynorater) (34:35.518)
Yeah, yeah, well, it is, yeah. And, but actually I haven't used Logger++ in as much detail, but the thing that I'm really excited for is the query language, right? Where you being able to, you know, you can just put plain, you know, text in there and it'll search for it as well, you know, in the body or whatever, but also, which is very useful, but also, you know, having being able to do compound queries and be like, okay, when the host header looks like this, and this cookie is set in the response, you know, like, you know, that sort of thing, I think will be really useful.

avlid (35:04.392)
Yeah, I really missed that in Burp too. Like I really wish they at least had like a group by function in this Burp search. Yeah. Or you know what, what I would like in that, like an attacking proxy or whatever we should call the tools, give me an API or like a database connection, something. Let me query the data that is in there. Don't make me export it to some, you know, XML format.

Justin Gardner (@rhynorater) (35:10.226)
Oh yeah. Yeah, yeah, no.

Justin Gardner (@rhynorater) (35:17.987)
Mm, mm. Yeah.

Justin Gardner (@rhynorater) (35:26.026)
Yeah.

Justin Gardner (@rhynorater) (35:31.438)
crappy XML based format. And then, yeah dude, me too man. And actually I was fussing at Sytten, one of the developers for Caido, the other day. I was like, please implement this feature, and he's like, dude, that's such a pain, like just code it yourself. And he gave me, like, he said, all right, these are the GraphQL API requests that you need to do it, and just like, you do this in the meantime until I get around to implementing this. And I haven't gone and done it yet because I've been busy with some stuff this past week, but

once they release the docs for the GraphQL API as well, that powers Caido, whoo, that is gonna be big time helpful. So definitely looking forward to that. All right, man, well, we got down a little path there. Love talking about Caido. Let's see, where do I wanna go from here? So.

Before we get into some of the more technical stuff, because I want to ask you some questions about mutation XSS and some XSS challenges that you've been putting out recently. I want to hear about Detectify and your experience with that. Because essentially, the story as Franz told it was, this young whippersnapper comes into his whatever e-commerce company or whatever it was.

avlid (36:46.815)
Yeah.

Justin Gardner (@rhynorater) (36:54.99)
And he's sitting in the corner, ARP spoofing everybody in the office and doing hacking stuff. And then, you know, Franz walks up and he's like, wow, you know, this guy's a genius and we got to let him do what he's, you know, best at, which is security related stuff. And, you know, you guys started Detectify together. And I'm sure that's a little bit of a misrepresentation of the story, you know, from my memory and from Franz's memory. But I want to hear it.

avlid (37:21.775)
It's a little bit like golden edge on the story, but sure.

Justin Gardner (@rhynorater) (37:24.102)
Sure, sure. I want to hear your side of it and tell me how you and Franz originally met. Because you guys are like the, in my opinion, you guys are the most prolific, like the most well-known hacking duo that just like destroys everything they touch essentially when you guys hack together. And when you hack individually too. So, you know, obviously when you put it together, it's going to be better. So I want to hear about that origin story.

avlid (37:47.496)
Sure, so the origin of Detectify goes back to before that actually. So yeah, I can try to fast forward my origin story when it comes to hacking. So I met Almroth, Fredrik Almroth, when I was super young, like we were like 7 and 8 years old or something.

Justin Gardner (@rhynorater) (37:53.907)
Oh really? Mmm.

Justin Gardner (@rhynorater) (37:59.582)
Yeah. Yeah, please.

Justin Gardner (@rhynorater) (38:05.707)
Mm-hmm.

Justin Gardner (@rhynorater) (38:11.083)
Mm-hmm, yeah.

avlid (38:12.64)
When we were 12 and 13, we started programming or trying to understand programming. And we fell into analyzing Windows VBScript malware. So VBScript was, yeah, I don't know. I don't know where the idea came from, but we did. And so the first...

Justin Gardner (@rhynorater) (38:31.434)
Well, okay, as you do.

Justin Gardner (@rhynorater) (38:36.428)
Just for fun.

avlid (38:40.18)
programming language or, like, scripting language or whatever you should call it that I learned was VBScript actually. And I still remember to this day, that was like the first time I had this wow feeling that I still get today when hacking, because it took, I think it took three days or something of just staring at this VBScript, and like it was so foreign to me. It was just text.

Justin Gardner (@rhynorater) (38:54.882)
Hell yeah, man.

avlid (39:06.612)
But then suddenly I understood the concept of a variable. And that's when I was like, wow. That is when everything changed. But anyway, fast forward a couple of years, we started hacking IRC networks and game sites and forums and stuff like this and started learning IT security and web security. It was somewhat.

Justin Gardner (@rhynorater) (39:10.374)
Oh man, and that's when everything changed.

avlid (39:37.384)
How do you say? It did exist, but it was still kind of in its infancy if you compare it to today. And fast forward a little bit more, and the concept of defacements started to be popularized, I guess. Yeah, yeah, we're going way back, way back.

Justin Gardner (@rhynorater) (39:55.17)
Damn, we're getting a whole web security history right now, man. This is great. OK, so we're getting to defacements. People are overwriting websites and stuff. OK, all right, hit me.

avlid (40:06.864)
Yeah, and then there were these, like, sites that compiled the defacements, like Zone-H was one of them. And we kind of, during that time, we had some weird insight, or like it was from like the old, old school hacker community where it's like read the fucking manual and like do everything yourself in some kind of way. So we didn't use any, like, external

Justin Gardner (@rhynorater) (40:15.01)
Sure. Yeah.

avlid (40:35.12)
I mean, we used the operating system, of course, but we tried to build everything ourselves as much as we could. Because if I say we built everything ourselves, someone in the comments is going to be, oh yeah, did you solder that to the board?

Justin Gardner (@rhynorater) (40:39.43)
Dude, what the heck? Why are you having to specify that? He's like

Justin Gardner (@rhynorater) (40:46.738)
No, what operator? Yeah, no, you're 100% right. No, I just love that was how far down you went.

avlid (40:51.464)
Yeah.

Justin Gardner (@rhynorater) (40:54.422)
You're like, oh yeah, we used the operating system, of course, but everything else was manual. That's sick. So this is a great, now that's a great thing to highlight though, because that's one of the best ways to learn all of this stuff, is implementing it yourself. And then after that, if somebody's tool does it better, use their tool, but if you, having implemented it yourself, will really assure that you understand everything about it. And that's something that I've done many times, and why don't really...

avlid (41:12.254)
Yeah.

Justin Gardner (@rhynorater) (41:22.41)
why I tell people to write their own automation stuff rather than using all of, you know, some of these great tools out there, sometimes, you know, at least in the beginning, because it'll help you understand the core concepts and understand where optimizations can be made. So it's cool that you did that too.

avlid (41:37.404)
For sure, for sure. And I think that it's a good exercise for anyone to, like, take an RFC and try to build an implementation of it. And then you'll come to realize that, OK, this is just code like anything else. It's not magic. But in any case, we joked around about this.

Justin Gardner (@rhynorater) (41:54.047)
Yeah, 100%.

avlid (41:59.74)
compilation defacement sites, because a lot of people, what they did was they went to, like, milw0rm or similar places where public exploits were published, and they just took it and, like, copy-pasted it on a bunch of places. So we were like, yeah, well, that's not hacking, we can build a program that's better than that, what's kind of the... and then we did.

Justin Gardner (@rhynorater) (42:07.019)
Mm-hmm.

Justin Gardner (@rhynorater) (42:18.67)
classic script kiddie shit right there.

Yeah.

Justin Gardner (@rhynorater) (42:27.211)
Oh, and that's Detectify.

avlid (42:29.608)
Yeah, that was like their absolute first version of Detectify. And it didn't even... it wasn't called Detectify until later, I guess.

Justin Gardner (@rhynorater) (42:38.535)
So was this pre-you joining the company with Franz and how old were you?

avlid (42:43.095)
This was pre-Franz. At this point we were 17 and 18.

Justin Gardner (@rhynorater) (42:47.818)
17 and 18, okay, gotcha. But you've already been doing this for a while. When did you first start getting interested in IT security stuff?

avlid (42:55.028)
That was like 13 or 14.

Justin Gardner (@rhynorater) (42:57.258)
Yeah, same age here. So that's something you see pretty early. And I know you're like a timeless elf over there. You still look exactly the same. Everyone's like, oh, yeah, he's like 18 when we first met you, but it's different. And you've got a bunch of context on the early Bug Bounty sort of space and what it looked like when it first came out. And you remember being involved in that in the beginning.

avlid (43:05.245)
Yeah

avlid (43:23.614)
Yep.

Justin Gardner (@rhynorater) (43:24.222)
So I'm gonna ask you questions about that later, but first I want you to finish your story here. So you start building the early, early versions of Detectify because you're like, okay, we can make a better version of this, and code it ourselves where we implement our own exploits or whatever. And so how did that integrate with Franz and Franz's company or wherever you were at the time when you started working with him?

avlid (43:35.828)
Yeah.

avlid (43:50.364)
So we had a friend in the... ..arrow...

High school? I don't know how to translate that, but the school you go to when you're 18 and you graduate at 18 in Sweden. But we had a friend who had a job at Franz and his business partner's company as a programmer. So we were like, university? That sounds boring. You can get a job already if you know programming. We know programming. And so we talked.

Justin Gardner (@rhynorater) (43:56.035)
Mm. Yeah.

Justin Gardner (@rhynorater) (44:02.556)
Oh. Hmph.

Justin Gardner (@rhynorater) (44:08.86)
Oh cool.

Justin Gardner (@rhynorater) (44:14.975)
Love that.

Justin Gardner (@rhynorater) (44:18.975)
We can write VBScript.

avlid (44:20.728)
Yeah, actually we graduated through VB.NET during these times. Yeah, and maybe Hot Tape, I don't know, I'm not sure. I still think that Visual Studio, not Visual Studio, it's the best IDE that I've ever used. And the, what is it called? Visual Studio. Yeah, yeah.

Justin Gardner (@rhynorater) (44:24.374)
Ooh, nice.

Justin Gardner (@rhynorater) (44:36.063)
I'm sorry, what IDE?

Justin Gardner (@rhynorater) (44:39.69)
Ah, Visual Studio, yeah, no, 100%. I was a Vim boy for a long time, and obviously I still use Vim daily, but Joel sat me down one time when we were pair hacking, was like, all right, Justin, close everything, install Visual Code, VS Code right now, and we're gonna set some things up, and that changed my life. And even right now with the Wordfence sponsorship that we did last week,

you know, I've been using VS Code, and I've been, there's like a way that you can hook into Docker containers that are running, right? And so, and it's like one click, it's so easy. And so you install the Docker extension, you know, and then it just shows all the Docker instances you've got up and you just click attach to Visual Studio Code, and now you're inside that Docker container modifying the plugin, you know, code for WordPress inside that container. And it's like, oh man, this is so easy, I freaking love it.

avlid (45:38.62)
Yeah, no, for sure. Visual... Okay. So sorry I have to make the distinction, but I meant Visual Studio. That is different to Visual Studio Code. I love it.

Justin Gardner (@rhynorater) (45:42.645)
No, you're good.

Justin Gardner (@rhynorater) (45:46.482)
Oh dude, get out of here. Get out, no, you're off the pod now. What do you mean, Visual Studio? I can't even fathom that was what you meant. What?

avlid (45:50.78)
Okay, sorry. Sorry.

avlid (45:57.316)
But yeah, I use Visual Studio Code for, like, everything now. But when I was doing the coding in .NET Framework, of course, we used that. And it has an awesome, I haven't tried it for a long time now, but I really like the debugger, the IntelliTrace, I think it's called. And you could do like, you could just jump around in threads and you can, like, go into a thread and, like, drag and drop the program counter and, like, change stuff.

Justin Gardner (@rhynorater) (46:06.079)
Yeah.

Justin Gardner (@rhynorater) (46:14.492)
Ah, yeah.

Justin Gardner (@rhynorater) (46:26.658)
That's awesome, man. No, that's cool. All right, continue, continue your story, sorry.

avlid (46:26.956)
But anyway, yeah, so we started working as developers at Franz's company, I guess, and we also had discussions. I don't know how it came up. Let's just say that we were in a corner and doing ARP spoofing or something. And we presented the scanner. Actually we had...

Justin Gardner (@rhynorater) (46:42.614)
Yeah, exactly.

avlid (46:54.524)
It's pretty funny. The first time we were going to demo the scanner, Franz built an application and he, like, purposely planted a SQL injection somewhere. And we had made some, like, stupid change to the scanner, like a few, like a week before that. We're like, wouldn't it be funny if you could play videos inside of it? And then like, I don't know. It was, so we basically broke the whole thing.

Justin Gardner (@rhynorater) (47:20.81)
What? Did you like Rick Roll him or something like that?

avlid (47:25.688)
Now we broke it, so we were like, oh shit, we should have used version control. But we can rewrite this. And so we wrote the whole thing, and it didn't find the bug. But he is...

Justin Gardner (@rhynorater) (47:28.846)
Oh no.

Justin Gardner (@rhynorater) (47:32.936)
Oh my gosh.

Justin Gardner (@rhynorater) (47:37.906)
Yeah, well, the purpose of it was not to find bugs that, you know, exist in the, or at least as far as I understand it, it's not like crawling endpoints looking for SQL injection. It's like, Oh, it was that. Okay, cool. Interesting. That's cool. Yeah.

avlid (47:50.408)
Oh, it was done. So we were thinking of competing with these big, I think one of them was called IBM Rational AppScan, these super enterprise products, which were doing basically that. But there weren't any players that we could find, at least in the low to medium sized space. So that was the original pitch. But then it shifted.

Justin Gardner (@rhynorater) (48:02.54)
Okay.

Justin Gardner (@rhynorater) (48:13.372)
Mm.

avlid (48:18.66)
and through the years. So now they have this monitoring thing and not much going on. But back then it was. But then we talked with Franz and his business associate and it was like okay we'll found a company together.

Justin Gardner (@rhynorater) (48:37.098)
Wow. That's awesome. And so, so the, from there, you guys, you know, launch Detectify and, and are you still involved with that product or are you kind of hands-off-ish now?

avlid (48:49.612)
I'm super hands-off. If there's some research that I think can be implemented in the product, I submit it via the Crowdsource platform. Yeah, like every now and then I'll visit the office and stuff, but I'm just some guy now.

Justin Gardner (@rhynorater) (48:50.998)
Okay.

Justin Gardner (@rhynorater) (48:57.346)
Sure. Oh, so you just like use the product, you know, as a researcher, yeah?

Justin Gardner (@rhynorater) (49:10.014)
So, I mean, let me ask then, you know, did you exit that company, like, intentionally? Or is there some reason you don't want to work, you know, in an entrepreneurial role? Or are you in an entrepreneurial role now? You know, what are you doing for your primary income source?

avlid (49:34.772)
So there was two questions there. Like, okay, let's see if I can finish the story. Where was I?

Justin Gardner (@rhynorater) (49:36.62)
Yeah.

Justin Gardner (@rhynorater) (49:41.786)
Oh no, and I cut off your story too. Alright, I'm sorry, go ahead.

avlid (49:45.34)
Yeah, we started building Detectify.

We made some decisions to build it like a traditional startup at the time. Oh, and at some point, bug bounty as a concept in, like, the web space started popping up, like Google and, like, Facebook and PayPal and some others had programs which paid money, and a bunch of others had ones which paid, like, t-shirts or other weird stuff. And

Justin Gardner (@rhynorater) (49:58.284)
Right.

Justin Gardner (@rhynorater) (50:13.198)
Sure.

avlid (50:16.656)
Yeah, we saw that as an opportunity to get like a foothold on bigger clients. Because if we could have a blog post saying like, oh, we hacked Google, then maybe it's okay that we don't have Google as like a reference customer per se. And yeah, that actually did work.

Justin Gardner (@rhynorater) (50:34.71)
Yeah, we see that time and time again in the Bug Bounty world.

avlid (50:38.396)
Yeah, so that was kind of like a two-purpose thing with bug bounty. So me, Franz, me and Albert all started doing it back then. So yeah, that was a fun time. No platforms and it's the Wild West.

Justin Gardner (@rhynorater) (50:58.73)
Yeah, dude, I've got a bunch of questions about sort of OG bug bounty stuff. And you mentioned, you made some predictions about bug bounty, which I think were really accurate in a talk a couple of years back. So we'll swing back to that in a second. But yeah, so I guess, have you considered full time bug bounty or?

Do you want to be an entrepreneur? Do you want to work for a company? What does that decision look like for you as somebody who's clearly skilled enough in bug bounty to make it work full-time?

avlid (51:34.42)
So I did try full-time bug bounty actually for three months just as I left Detectify. And I left Detectify because I didn't like the way the company was going. It became too enterprise, too American startupy, and there were just some decisions that I didn't feel like were going right. So I decided, well, all right, I'm gonna work. I'm gonna do something else. Or actually I decided.

Justin Gardner (@rhynorater) (51:37.771)
Yeah.

Justin Gardner (@rhynorater) (51:40.972)
Yeah.

Justin Gardner (@rhynorater) (51:47.574)
Mm.

Justin Gardner (@rhynorater) (51:51.248)
Mm-mm.

Justin Gardner (@rhynorater) (52:01.794)
Sure.

avlid (52:03.548)
I'm gonna do bug bounty and stuff. And I did for, like, three months until I just found myself one day like, what day is it? Why don't I care? I need to get some structure in my life.

Justin Gardner (@rhynorater) (52:05.458)
Nice, okay.

Justin Gardner (@rhynorater) (52:16.717)
Yeah.

100% man, yeah.

avlid (52:21.296)
So, and like, there's some people who can do it and like props to you, but ever since after those three months, I've been, I've had like a part-time employment. So I've been working as a traditional pen tester. I've been working with like security training. I've been working like blue team.

Justin Gardner (@rhynorater) (52:37.92)
Mm.

avlid (52:46.756)
also and also had done some freelance projects. But it's always been something to keep me at bay, I guess. Swap. So yeah.

Justin Gardner (@rhynorater) (52:47.572)
Oh wow.

Justin Gardner (@rhynorater) (52:57.066)
Yeah, no, that makes a lot of sense, man. I mean, the structure thing is one of the hardest things about full-time bug bounty. And like, especially for the people that have the skills to make it actually work from a financial perspective, like they almost all have the tendency, myself included, you know, to just dive into it head first, like no, you know, no restraint.

You know, and just, you know, wake up and be like, wait, what day is this? You know, you know, you know, all I can think about is X, Y, Z, you know? Um, and so that's definitely one of the most common pitfalls, uh, that you, that you see, and it's, as you pointed out, it's, it's really unhealthy. And it's one of the things you got to beat if you want to do it, you know, full time in the longterm and, you know, it's like you pointed out, it's something that you need to shut off.

avlid (53:29.417)
Yeah.

Justin Gardner (@rhynorater) (53:52.554)
you know, and you need to go back to part-time employment or full-time employment if you can't because it's just too destructive, you know? And so I'm glad you had that wisdom to go down that path.

avlid (53:59.133)
Yeah.

avlid (54:04.54)
Yeah, no, for sure. That's, I might try again at some point when I'm older and wiser, but yeah, that's kind of, like I really enjoy having it like that. So, and I can also like, if there's like a hacking event coming up or like a new program or something that I'm super interested in, I can just take time off and then, and be a degenerate for like a couple of weeks and then go back to being a person.

Justin Gardner (@rhynorater) (54:12.135)
Cough.

Justin Gardner (@rhynorater) (54:17.643)
Yeah.

Justin Gardner (@rhynorater) (54:29.878)
Yeah, exactly. No, no, that makes a lot of sense, man. And I think at some point, you know, maybe I'll brainstorm a little bit about this afterwards, but I know that there are a couple people that I know that are doing full-time bug bounty that are still struggling with this whole thing. And I am too, you know, I mentioned a couple weeks back on the pod how burnt I felt and like, you know, trying to restart that passion for hacking after going away from it for a little while to do some traveling and to do some other things.

So there's lots of struggles that full-time bug bounty hunters have. And I'm thinking maybe I should create like a, like a little support group or something like that in the CTBB podcast Discord for anybody who's thinking about doing full-time bug bounty, because it is definitely a challenging environment to be a part of. Yeah. Well, you know, that's something everyone's talked about for years. And actually, yeah, I would be interested to see if anybody actually tries to tackle that project as.

avlid (55:16.805)
Yeah, there's no bug bounty union.

Justin Gardner (@rhynorater) (55:29.11)
Bug Bounty continues to grow and it gets attention from non-Bug Bounty Hunter people. People like lawyers and business people are looking at the industry and there's opportunity there I think. So yeah, definitely be interested to see where that goes. Sort of on that note, I want to go to some thoughts on Bug Bounty and history of Bug Bounty and some predictions you made.

in the past about Bug Bounty. And then we're gonna dive into some technical shit. Okay, so first question I had, back seven years ago, I had to dive into the archives for this one, you said something along the lines of this in a Bugcrowd interview. You said, now I look for programs to hack on, but in the future, we will see that programs being the ones to search for hackers to hack on their program, right?

avlid (55:59.578)
Mm-hmm.

Justin Gardner (@rhynorater) (56:27.182)
because there's just so many programs now, and there's a, there is a, there's a lack of talent out there in the bug bounty industry still, and a lot of programs are sort of having to vie for attention. Which is why we get our inboxes blown up every single day with, like, you know, this company's offering a, you know, whatever promotion and, you know, that sort of thing. You nailed that prediction on the head, you know, years back, and I'm wondering if you have

avlid (56:49.514)
Yeah.

Justin Gardner (@rhynorater) (56:57.15)
And I know I'm putting you on the spot. So, you know, no is a perfectly valid answer to this. Do you have any thoughts on where the industry is headed in the future for bug bounty? Um, having seen it from the beginning, you know, 2012, you know, when the first, when the first sort of programs launched and that sort of thing up to today, where we've seen sort of a flip of the tables in this regard, um, yeah. Do you have any, any thoughts on, on where it'll go or any predictions you'd like to?

Put on the record right now.

avlid (57:30.364)
I think that...

I think there will be even more competition for bounty hunters. So I think that the average bounty amounts will probably increase and I think that more programs will attempt to make an effort to market themselves. Still it's like the same prediction but even more I think.

Justin Gardner (@rhynorater) (57:58.126)
Same, same position, so you're thinking it's gonna still gonna continue to grow.

avlid (58:01.828)
Yeah, because the thing is, whether the platforms like it or not, skilled manual labor is not scalable. So that's a big problem.

Justin Gardner (@rhynorater) (58:09.866)
Yeah, yeah. And that's what it takes at the end of the day. People can do automation stuff and you'll find bugs and that sort of thing. And that's great and we need that. But also at the end of the day, those are never gonna, you're never gonna find that weird little like, as Fran said in his episode, that weird little edge case if statement that I had to deduce from like three hours of playing with an endpoint that just destroys the whole company.

you know, via automation, that's just never gonna happen. And I also hold the position that I don't think that'll happen with AI either. And so, yeah, I think it will continue to grow, just like you said.

avlid (58:40.905)
Yeah.

avlid (58:52.62)
Yeah, but I think that there is some risk that is non-zero, that the bug bounty industry or concept as a whole can get into trouble due to some legislation. That's also a risk that I have thought about in the past when...

Justin Gardner (@rhynorater) (59:11.892)
What do you mean?

avlid (59:14.02)
like, oh, now this counts as exporting cyber weapons, you can't do that anymore, you can't do that from the EU to the US or whatever it may be, and all of a sudden, like, oh, that's legal now.

Justin Gardner (@rhynorater) (59:25.166)
Dude.

that is a big risk. That is something that I hadn't really thought of. And also, I was also kind of tossing around this idea a while back, and I guess I'll just kind of put it out there on the pod now because I think it would be challenging to get this through, but I thought about seeing if you could qualify individual vulnerabilities as intellectual property, and then have a vote, like a rate.

at which you can donate that intellectual property. The idea would be that bug hunters pay a lot of taxes, right? And how awesome would it be if we could hack on nonprofits that don't have the money to pay normal researchers anyway, donate intellectual property to that company in the form of a bug report, and then receive a tax write-off from that company for a standard vulnerability amount.

avlid (01:00:06.124)
Mm-hmm.

avlid (01:00:24.544)
Hmm.

Justin Gardner (@rhynorater) (01:00:26.954)
you know, for a critical 10K for a high, you know, 5K or whatever, and use that to offset some of this massive tax burden that we've got as, as hunters.

avlid (01:00:39.976)
Yeah, no, that was, it'd be awesome.

Justin Gardner (@rhynorater) (01:00:42.378)
Yeah, we gotta look into that. But that's an interesting point, man, about exporting cyber weapons. I need to go look into the risk of that because at the end of the day, we've already seen that with China, right? China already put a thing out that says, all right, researchers, you can't participate in Pwn2Own or something like that. You've gotta do the inside-of-China Pwn2Own, where all the bugs go to the government, right?

avlid (01:01:09.149)
Yeah.

Justin Gardner (@rhynorater) (01:01:12.554)
At least that's what I've heard. And so, yeah, there's definitely risk of that sort of propagating, I think.

avlid (01:01:19.068)
Yeah, and the same is true for researchers from those countries. I'm thinking about these Russian people who suddenly got kicked out of all platforms because of the sanctions. So that's the same thing, something happens in the geopolitical world that you had nothing to do with, but it can affect you.

Justin Gardner (@rhynorater) (01:01:32.226)
Sanctions, yeah. Now that was.

Justin Gardner (@rhynorater) (01:01:41.046)
Yeah, 100%. No, I hated the way that they dealt with that situation. And I don't know whether that actually got reversed or not because I meant to look into it and I don't remember off the top of my head. But I know at one point HackerOne was like, okay, no bounties for people in Russia and we're donating them, all of them. And I'm like, what? Like, you're just gonna donate that money? You know, like, no, that's not how that works.

You know, if the sanctions were in place, that's fine. You can't pay it out, but leave it in the HackerOne account at least, you know? And so I don't know if they went back and fixed that, but if not, that is very concerning. And so, yeah, definitely some risk there.

avlid (01:02:26.556)
Yeah, for sure. Yes. Unfortunate situation.

Justin Gardner (@rhynorater) (01:02:29.714)
Indeed. Okay, so I guess the other question that I had here was, what are some ways Bug Bounty has changed from the beginning of Bug Bounty? And obviously it's changed a ton with HackerOne and Bugcrowd and Intigriti sort of coming on the scene and creating that sort of middleman rather than just submitting it by email form to Facebook or Google or whatever. Even though we do see some programs sort of moving.

avlid (01:02:49.981)
Yeah.

Justin Gardner (@rhynorater) (01:02:59.07)
again away from that, you know, with I think Hack Force, Salesforce launching their own thing and, you know, obviously Facebook is running their own program in conjunction with some of the big, you know, middlemen. So that's cool. But are there any trends you can see across Bug Bounty history? Because we have few guests that have been involved with this from the very beginning like you, you know, over 10 years ago.

any trends you're seeing or any things you want to highlight in Bug Bounty history.

avlid (01:03:36.756)
I'm gonna try and make an effort not to be too negative. I think that's like a true stereotype of hackers too. Like we love finding problems. So it sounds like you are so negative, but I try to find the positives too. So the positives is...

Justin Gardner (@rhynorater) (01:03:50.207)
Yeah.

Justin Gardner (@rhynorater) (01:03:55.351)
Yeah.

avlid (01:03:59.58)
like the platforms introduced, like that's so much better. You don't need like weird Google alerts and trying to find out who has a program, who doesn't have a program. So that's awesome. And also like the standardized reporting too. Like, okay, everyone can upload files, it's on the platform, you have a markdown, great.

Justin Gardner (@rhynorater) (01:04:10.976)
Yeah.

avlid (01:04:26.824)
So most of the core functionality for hunters on the platform, so I think, has been an awesome change from the beginning. I also think that in general bounty amounts have gone up. So the first RCE I found, for example, which it was, I might be lying now, but I think it was one of the first, at least, RCEs found on Bugcrowd.

But that was like $500 and back then it was like damn nice. Yeah.

Justin Gardner (@rhynorater) (01:04:58.338)
$500. But this is 10 years ago too, so that you know, cost of living and inflation and that sort of thing has gone up. Is it your opinion that, well I mean, I guess it hasn't gone up, you know, 100 times and you know, you can see some huge payouts for RCE nowadays. So do you think it's outpaced it?

avlid (01:05:17.148)
Yeah, no, I don't think... Yeah, for sure. I don't think that it's just following inflation. I think that it has come down to... Not entirely due to things with platforms. We'll get to that. But... Yeah, exactly, like competition of... Of hunters, I guess. And also like... The whole concept of bug bounty becoming more...

Justin Gardner (@rhynorater) (01:05:33.322)
Yeah, supply and demand as well, you know?

avlid (01:05:45.636)
accepted I guess on like higher levels within organizations. So it's an easier sell today probably than it was back then. So maybe you'll get bigger budgets or like actually have a budget for it at all.

Justin Gardner (@rhynorater) (01:05:51.938)
Hmm. Yeah.

Justin Gardner (@rhynorater) (01:06:00.486)
Which is amazing too, I have to say, because like, and obviously, you know, people point this out all the time. If a program is paying $2 million a year, one of some of these big companies, $2 million a year is like, you know, junk change, you know, like find a penny, pick it up on the ground, you know, to some of these big, big companies. But, um, a lot of these companies, they're just writing a blank check for it. You know, they're saying like, all right, you know that pay what you need to pay to, you know, cause the researchers find stuff. And I think that's.

avlid (01:06:23.413)
Yeah.

Justin Gardner (@rhynorater) (01:06:29.634)
that would have been such a hard sell in the beginning. So I'm thankful to all the people that sort of paved the path for that in the past because I'm definitely seeing that become more normalized now and I think we'll see that even go further in the future. And that's a steep slope for sure.

avlid (01:06:43.648)
Yeah, for sure. I think that if you can manage the time needed for handling reports and like, try to change the stuff, like the value add is through the roof for a bug bounty adder too. If you get, if you find a way to get good people to have a look at it. But I want to say also, it's like, now I say something good about platforms, now I'm going to shit on that also.

Justin Gardner (@rhynorater) (01:06:59.884)
Yeah.

Justin Gardner (@rhynorater) (01:07:06.282)
Yeah.

Justin Gardner (@rhynorater) (01:07:10.654)
Okay. All right. All right. All right.

avlid (01:07:14.092)
One change that has been extremely negative, I think, is that platforms... I've never purchased a standard program, but I assume that the sales reps on the platforms say, okay, this is the standard program, and this is how much a medium is, this is so much for a high, this is so much for a crit, and that's freaking bullshit. Why are they telling...

Justin Gardner (@rhynorater) (01:07:34.1)
Yeah.

avlid (01:07:36.54)
clients, like maybe million or like billion dollar clients, like it's okay to pay $1,500 for a critical. And you can be, there's some like cop-out argument there where you're like, oh, but it starts at $1,500, but in reality, like most of them just pay the number that is there. So the fact that

Justin Gardner (@rhynorater) (01:07:40.886)
billion, yeah.

Justin Gardner (@rhynorater) (01:07:45.639)
No. That's ridiculous.

avlid (01:08:01.32)
Bounty Pattern suggests that to customers. It really annoys me. And it has annoyed me since they started doing that. I think that standard amounts per severity doesn't make sense for most critical bugs.

Justin Gardner (@rhynorater) (01:08:08.638)
Yeah, no, 100%.

Justin Gardner (@rhynorater) (01:08:20.742)
Especially like what we were talking about, you know, with the company size as well. You know, these are billion dollar companies sometimes, you know, and they're paying $1,500 for a crit. It's ridiculous. So definitely would like to see a little bit more of a push from there. And I think from the researcher side as well, I thought about, because, yeah, I should write this down. Because, you know, Critical Thinking has a position where we can talk with,

the people about things and try to influence change and try to guide the culture in a specific direction. And I think it would be interesting to have some standards, some like bug hunters standards essentially, right? And say like, okay, listen, if you've ever found an RCE, or if you've ever reached some certain standard, when you're in training, it's whatever.

avlid (01:09:04.475)
Yeah.

Justin Gardner (@rhynorater) (01:09:16.118)
But when you feel like you're actually serious about this and you're like, okay, I'm capable enough of a bug hunter where I'm gonna start holding some dignity or whatever, then these are our standards for bounties. I don't look at programs with a medium less than a thousand. I don't look at programs with crits less than 10K, or something like that, right? That's kind of where my standard kind of sits right now. And I would like to kind of get a, and this is sort of a union-ish thing of sorts.

But get some of the top hunters and say, okay, this is a summary of where our positions lie. And I wanna make sure that you all, in the other side of the bounty world, understand that. So that could be an interesting thing. What are your thoughts on that? And I also wanna hear your personal standards for where your low, medium, high crit should lie if you're gonna look at a program.

avlid (01:10:00.672)
Bye.

avlid (01:10:10.588)
Well, the thing is, I understand some like counter arguments, or like if I played devil's advocate, like a tenta or like a $50,000 budget is still $50,000, even if the whole company's crap you do is two billion. Um, so that's like one thing that I think that I can kind of understand. But the second thing is like.

Justin Gardner (@rhynorater) (01:10:31.242)
Yeah, that's true.

avlid (01:10:37.948)
It needs to be context dependent because if it's like a nonprofit, like you say, or some small business, then like, then that could make sense. But I think that.

Justin Gardner (@rhynorater) (01:10:41.592)
Mm-hmm.

Justin Gardner (@rhynorater) (01:10:50.111)
Mm.

avlid (01:10:56.592)
I think that they should make the best effort to put out what they feel like the low, medium, maybe highs could be worth to them. And I think that the critical should always be, will decide on the spot.

Justin Gardner (@rhynorater) (01:11:15.343)
And not to defining a minimum?

avlid (01:11:21.168)
Yeah, and especially not defining a maximum.

Justin Gardner (@rhynorater) (01:11:25.022)
That's tricky, man. I, hmm, that's a hot take, dude. I don't know that I would hack on a program that says we'll decide the critical unless they had sort of a track record of saying, okay, we've paid criticals 20 grand, 30 grand, 40 grand, 50, you know, like that sort of thing. Because if they say like, it's a critical and we're gonna give you, you know, three grand, then that would feel real bad.

avlid (01:11:53.14)
Yeah, but like, if you don't trust the program, then how can you take those numbers seriously anyway? And also it's like context dependent within the program too, you know, because it's like, oh, I got a shell here. Okay. So test box has no data, nothing of value here. But yes, technically, if you put the CVSS in, it is a crit. And then it's like bad the other way too. And I only think that standard amounts make sense for.

Justin Gardner (@rhynorater) (01:11:59.543)
Yeah.

Justin Gardner (@rhynorater) (01:12:18.326)
Yeah.

avlid (01:12:24.168)
bugs that will have the same or the same ish impact. So an XSS, it can be the case like, okay, an XSS under blood.com will always have ish this impact. So, okay, we can put a standard on it. Doesn't matter if it's this subdomain or this subdomain or this API or this parameter, it's the same. But for crits is like almost always different. So that's just what, yeah. Yeah.

Justin Gardner (@rhynorater) (01:12:41.175)
Yeah.

Justin Gardner (@rhynorater) (01:12:48.65)
Yeah, how would you, if you were on the other side of the table, how would you?

decide how much a crit is worth to your organization.

I know that that's a tricky question. We like to ask the tricky questions here on the CTBB podcast. I should have given you a heads up. I've been asking you to prophesy about the bug bounty industry. I've been asking you to put yourself in other people's shoes. So I know this isn't the easiest thing, but yeah, give me your thoughts.

avlid (01:13:04.637)
Yeah.

Yeah, no.

avlid (01:13:18.388)
Bye bye.

avlid (01:13:22.584)
One thing you could do is, like it depends on if you're just starting out and have no data at all, then you can't really do it. But one thing you could do is like based on the previous year or whatever, like this is how many criticals we expect to get. And given that the budget is this, we can have a crit budget within that budget. So like 10% of that or something.

But you can also try to evaluate what the cost of an attacker exploiting it would be too, you know, in terms of like if you have SLAs or if you have, if there's some legislation, like GDPR fines, yeah, or some, some other stuff. But that's like, yeah, there are some hard costs you can calculate pretty good, like with GDPR. But when it comes to...

Justin Gardner (@rhynorater) (01:14:03.438)
GDPR fines.

avlid (01:14:17.648)
alternative costs it's so difficult. Got like okay what about brand damage? What's that worth you know?

Justin Gardner (@rhynorater) (01:14:24.642)
Mm-hmm. So much money, dude. Heh heh.

avlid (01:14:30.594)
And given how little companies seem to be affected when they get hacked, I guess not much, but it's still a topic.

Justin Gardner (@rhynorater) (01:14:36.938)
Well, you know, it's common though, you know, that's the problem is like, it's been, I guess normalized of sorts, and the average person isn't saying like, okay, well, clearly, I think also, there could be a problem with cybersecurity reporting representation. So, you know, we can hear, okay, you know, Facebook got hacked or whatever, and it could be like, you know, some freaking.

avlid (01:14:59.817)
Yeah.

Justin Gardner (@rhynorater) (01:15:03.794)
Matthias and Frans shit where you, like, you know, reverse this thing and it's like crazy RCE that like the best people in the world could have never found except for you guys, you know, and they got hacked that way, which is in my opinion pretty much unavoidable, right? Or it could be, there's a numeric IDOR on the home page that leaks password hashes, you know, like, you know, and the difference to the average, you know, cybersecurity

avlid (01:15:27.114)
Yeah.

Justin Gardner (@rhynorater) (01:15:34.122)
news listener is nothing. And so I wonder if there's a niche sort of reporting market for something like that would actually tell people like, hey, this is essentially negligence, right? The company didn't do what they were supposed to do, or this is like pretty much unavoidable because of how security works.

avlid (01:15:52.948)
Yeah.

avlid (01:15:57.948)
Yeah, and like, here's the kicker. Most of the time it's gonna be shit that isn't even in scope and bug bounty. Some person got phished, some person reused a password. Well.

Justin Gardner (@rhynorater) (01:16:05.079)
Yeah.

Justin Gardner (@rhynorater) (01:16:10.99)
That's true. Yeah, man, it's a scary world out there for this sort of thing, man. It really is. And there's so many, one of the things that I love about Bug Bounty is it's so tangible. You get what you pay for with Bug Bounty, you know? Like, you're never paying for a report where you're not making a change, which is great. And so unlike anything else in the security industry that's like, you know, pay us 15K a month to run this tool, you know?

avlid (01:16:28.362)
Yeah.

Justin Gardner (@rhynorater) (01:16:39.706)
or whatever and who knows what it actually does or like, you know, we tell you that this is the results or whatever, right? But Bug Bounty is exactly what you pay for. So I think a Bug Bounty program is the best way to shore up your technical environment, but there needs to be some serious investment made into securing your personal environment as well, you know, your human environment. And that's what I like that people are doing with the whole...

avlid (01:16:39.944)
Yeah.

Justin Gardner (@rhynorater) (01:17:08.226)
keys that you put into your computer. I can't remember the name of them right now. Yeah, yeah, and you've got that and it validates the website that you're on so you can't get evil-proxied, Evilginx, that sort of thing too. So I think there's definitely a big area there and I think programs that, people that have bug bounty programs should absolutely have already implemented that in their organization because we all know the easiest way into an organization is to phish someone. So.

avlid (01:17:10.632)
Yeah, you have the keys?

avlid (01:17:37.156)
Yeah, no, I know for sure. Like I wouldn't recommend to anyone to like take the entire security budget and put it on bug bounty. That's kind of a lot of stuff too.

Justin Gardner (@rhynorater) (01:17:44.074)
Yeah, that's very different. Matias, this has gone a little bit long already and we haven't even got into some of the good stuff. Do you have a hard end or are you free for a little bit?

avlid (01:17:57.872)
No, no, we can do it. I'm just more nervous like for the listeners and stuff. I don't want to take up people's time too much.

Justin Gardner (@rhynorater) (01:17:58.849)
Okay, awesome.

Justin Gardner (@rhynorater) (01:18:04.026)
No dude, you know the last response we got to the Frans episode was like, this is amazing, two and a half hours of, you know, ramblings, this is amazing. So, um, you know. Okay.

avlid (01:18:14.286)
Oh, okay, let me say that. Just put it on like 1.25 speed.

Justin Gardner (@rhynorater) (01:18:20.422)
Exactly, right? You know, that's, I listen to all of my podcasts on two or 2.3 speed and, you know, when I go back to normal speed, I'm like, why does this person's voice sound so weird, you know, like it's like this is... Yeah, exactly. Exactly. All right, man, so I think, all right. Well, we've gone down the whole path of almost all of the stuff that I wanted to cover from the non-technical side. But I will ask you one more thing. Okay?

avlid (01:18:34.109)
Where does Murph go?

Justin Gardner (@rhynorater) (01:18:48.658)
And Joel isn't here today, Joel has got a new cat. So he is dealing with some baby kitten craziness this morning. And I wanted to make fun of Joel a little bit. I've even got a note to myself in the document, make fun of Joel here on the topic of nerd snipability. Now Joel is a great partner for me in hacking and in the pod for so many reasons, but one of the primary reasons that I love him is he's nerd snipable as heck.

avlid (01:18:48.96)
Sure.

Justin Gardner (@rhynorater) (01:19:17.21)
You can tell, you can say like, hey Joel, I just really don't understand this thing. Like what, what does this mean Joel? And then he has like a obsessive like, oh, let me, I'm going to figure that out right now, you know, sort of response to that. It's this great concept of nerd snipability. And you mentioned that you got nerd sniped by a tweet that I did a while back on, on XSS stuff. And I'm wondering, do you consider yourself a particularly nerd snipable person?

avlid (01:19:17.971)
Yeah.

avlid (01:19:39.389)
Yeah.

Justin Gardner (@rhynorater) (01:19:43.77)
And do you think that is a weakness or a superpower in your own sort of above bounty journey, but also I guess knowledge journey in, in security.

avlid (01:19:54.544)
I think yes I am and I also think it's a net positive. But the thing is, nerd snipability doesn't always only apply to good stuff like learning A-C, IT security stuff. Like I have the same thing with, like I got nerd sniped into the World of Warcraft I guess. They were like, yeah I need to stay away from non-productive stuff that can get too interesting. So.

Justin Gardner (@rhynorater) (01:20:14.242)
World of Warcraft, yeah.

Justin Gardner (@rhynorater) (01:20:22.75)
Yeah, that's good to hear. I think at the end of the day, it is a net positive because you do get that hyper focus. But I also know that there are a lot of struggles that come with that too.

avlid (01:20:36.176)
Yeah, you know, it's strange. Like when I, it's same when I'm hacking, I love understanding how things work. It's awesome to go from, what the hell is this black box? Until I understand what it does. And I know exactly why you wrote the code like this. And I would do it too, if I didn't think about this. And that's why there is a bug here.

But the way there is sometimes like frustrating. And it's, yeah, no, it's strange. Like sometimes, like if my girlfriend's home or if I'm sitting somewhere, I keep like excusing myself because I'm like swearing and like, damn it. And they're like, I just copy and paste it. Like, why did you select that extra space? Like, I'm really like, yeah, yeah.

Justin Gardner (@rhynorater) (01:21:29.934)
Do you talk to yourself out loud? Oh yeah, yeah.

avlid (01:21:33.628)
So I'm always like, no, I'm not angry. I just, it's just this thing and it needs to, I need to bend it to my will, you know?

Justin Gardner (@rhynorater) (01:21:40.662)
Hey dude, yeah, and that that's such a great way of saying it to bending it to your will. And I think that is so much what happens with bug bounty. And I think that's another way to classify researchers is there are researchers who will bend the application to their will. And there are researchers that will look at the application and find problems that exist in it. Just, you know, authentically, by looking at the application, right? You know, it's not like I've got a goal and I'm going to make that goal happen.

it's I'm gonna find the problems with this application based off of threat assessment. Both of those researchers are incredibly needed and high value, right? But lately, I've been doing the bend it to your will thing. Like I went into a live hacking event, this is London actually, and I said, okay, I'm doing something a little bit different this event. I'm gonna pick one thing that I want to have happen and I'm gonna make it happen.

avlid (01:22:09.48)
Yeah.

avlid (01:22:18.821)
I agree.

avlid (01:22:22.889)
Yeah.

Justin Gardner (@rhynorater) (01:22:34.362)
And I sat down and it actually only took like three to three or five days out of the two week, you know, prep period. Right. Um, and I made it happen and it's just like, Oh, I love this, you know, like it's just so, it warms the heart. Right. Um, so when you're, when you're going deep and you're really bending the application to your will, I think there's a lot of really good, um,

avlid (01:22:46.548)
Nice.

Justin Gardner (@rhynorater) (01:22:57.95)
emotional payoff for that sort of thing.

avlid (01:23:01.18)
Yeah, no, for sure. For sure. And I agree. Like, one of the bad parts though is like, sometimes I get too much in a rush, I guess, to get to the goal. So I'm like, not documenting enough. My files name, one, two, three, four. Like, my burp tabs are everywhere. My Chrome tabs. And also, like, I'll catch myself.

Okay, I'm gonna go get coffee and then like, I don't walk to the coffee machine. I like skip and run and like, what am I doing? I don't, I'm not in a rush.

Justin Gardner (@rhynorater) (01:23:35.982)
Yeah, yeah. That's great, dude, I love that. Or, and then you run to the coffee machine, you pour the coffee, you get back as fast as you can without spilling it, you set it on the desk, don't even drink it, get back to the thing, right? And then it's freezing cold by the time you take the first sip. So no, I totally get that, and it's so funny, man. 123.txt, astiff.txt, I think it was Cosman, the first guy that said that on the pod, but.

avlid (01:23:49.864)
Yeah.

Justin Gardner (@rhynorater) (01:24:04.522)
It's really funny how so many of us are having that, you know, be a problem. And this is something that I'm actually really looking forward to in the AI space is like, can I have an AI assistant that will just organize stuff for me? Right? Like how helpful would it be if, you know, you were in Caido and you like send a click, you know, a request to repeater or something like that, and it like smart named it for you or something like that. Right. By looking at the request and.

avlid (01:24:20.296)
Yeah.

avlid (01:24:33.16)
Yeah.

Justin Gardner (@rhynorater) (01:24:33.67)
Or like, you create astiff.txt and it says, okay, astiff.txt and then in parentheses it says, notes on x, y, z target, right? You know, like, that sort of thing would be so helpful. And so that's something I'm really looking forward to in the AI space. I think that'll be here before long with the rate at which people are going after AI startups right now.

avlid (01:24:45.012)
Yeah.

avlid (01:24:50.676)
Thank you.

avlid (01:24:58.936)
Yeah, can I give another tip actually on that note? Okay, so one recommendation I have when it comes to documentation and knowing what the hell you did is...

Justin Gardner (@rhynorater) (01:25:00.65)
Yeah, dude, I love the, just, yes.

avlid (01:25:14.468)
Um, how should I phrase this? Okay, just... If you have some startup script or when you're opening Burp or your tool of choice, Caido, just... I recommend sending everything through there and then doing the filtering in the tool itself, instead of having like filters in the... in like your proxy extension, etc. Because then you...

you have everything. Nothing can just vanish and go missing. And yes, it will require like more RAM and resources, but it has helped me so many times.

by doing that. And also, the first thing I also do in my startup script is I SSH into one of my boxes, but you can also send a request through Burp. Maybe someone has talked about this already. Yes, so you know like this is what my IP was, my external IP was at the time in case you need it for later.

Justin Gardner (@rhynorater) (01:26:12.043)
Yeah.

Dude, that's great. And you mentioned that in the talk, and I did find the talk, by the way, it's how to differentiate yourself as a bug bounty hunter. And I will link that in the description. But you mentioned that in there as well, saying like, never, ever, ever let go of your data. Just, you know, storage is cheap, go to the store, get an eight terabyte, you know, external hard drive, drop those Burp files onto it, you know, after you're done.

avlid (01:26:33.64)
Yeah.

Justin Gardner (@rhynorater) (01:26:43.858)
And then someday when you're like, oh, I've got this zero day, you know, that affects everything that has the perimeter, you know, XYZ one, two, three. You just go to that, that whole folder, you set up like a ripgrep and you just say, all right, give me everything that has XYZ one, two, three in it. And now you've got years of data sort of piling up there. Um, it's awesome. I definitely do that. I've got an external hard drive right in front of me that has over a hundred gigabytes, probably, probably over 500 gigabytes of, of Burp and.

avlid (01:26:52.561)
Yeah.

Justin Gardner (@rhynorater) (01:27:14.068)
I don't know that I have all my Caido stuff on it yet because Caido is so efficient with it that I can grep through, which is really handy.

avlid (01:27:14.492)
Nice.

avlid (01:27:22.568)
That's actually something I'm curious about too. Like, do you have any Caido projects which are really big? Because I feel like around the 500,000 request mark, Burp is like really struggling, even opening and using it.

Justin Gardner (@rhynorater) (01:27:34.878)
Yeah, let me look at this right now. I have a Caido project, it's this one right here, that is 22 gigabytes. And it's the same thing that is the, let me tell you how many requests are on it. Yeah. 350,000 requests in the actual project and then I've probably got, I've got,

avlid (01:27:48.48)
Yeah, I was going to say, yes, roughly.

Justin Gardner (@rhynorater) (01:28:04.642)
over 200, probably close to 300 repeater tabs, and then like 20 automate sessions, which is the equivalent of Intruder, right? And the thing still works just like it did whenever I booted up Caido for the first time, with the exception of obviously searches are going to take a little bit longer. And who knows, maybe they'll have optimized that with the next search patch or whatever. But...

avlid (01:28:12.18)
this.

avlid (01:28:26.986)
Yeah.

avlid (01:28:31.804)
Yeah, I hope they did build something to make it searchable, like in memory. I think that's one of the differences, if I'm not mistaken, with like Logger++ versus general search. Like Logger++ will actually load everything into RAM and obviously that's why it's faster to search. Yeah, so.

Justin Gardner (@rhynorater) (01:28:42.008)
Yeah.

Oh my God. Yeah, that's not great. That is real bad. Yeah, and I also just want to shout out the fact that when you asked me that, it took me less than 10 seconds to switch into that project from the project that I had open and check their request count, which is just so beautiful. And my workspaces in Caido are so much cleaner because you can literally, it's like one click to change projects, no lag time. So really.

avlid (01:28:58.793)
Nice.

Justin Gardner (@rhynorater) (01:29:14.474)
love that. Okay, so yeah, technical shit. Yes, I'm sorry. We've been waiting, you know, it's an hour and a half in. I might actually add a little disclaimer at the beginning of this episode, you know, that a lot of the technical shit will be, you know, at the, you know, 1 hour 30 mark or whatever. Yeah, it's funny. Yeah, all the tips are great too. So you know, those are technical as well.

avlid (01:29:16.992)
Okay, should we technical check or? Okay.

avlid (01:29:36.724)
You should mark the tips. No.

Justin Gardner (@rhynorater) (01:29:44.074)
Yeah, dude, you can't leak my super secret titles for the document that we have on this side of the pod. I send him this document and there's two categories. It's like technical shit and personal shit. And we spent a little bit long in the personal shit section. I should have just introduced you and then went right into the technical shit. But here we are and we got some great tips along the way. So I'm happy with it. So a part of...

my research for the technical shit section is going through every tweet you've ever tweeted and finding all the interesting stuff and getting ready to talk about that. So you put out this tool, hack a planet tin.

avlid (01:30:20.117)
him.

avlid (01:30:32.54)
No, it's Hack the Planet in Swedish.

Justin Gardner (@rhynorater) (01:30:35.042)
Can you say it?

avlid (01:30:36.884)
hacka planeten.

Justin Gardner (@rhynorater) (01:30:39.058)
planeten. I don't know, man. That's great. You own that domain, the .se domain. And HTML parse in it. This is super awesome. So essentially what it does, you go to this thing here, you submit an HTML document, and then it runs DOMPurify on it, and it puts it through all of these different server-side HTML renderers and shows you the result. So...

avlid (01:30:40.572)
Yeah.

avlid (01:31:05.653)
Yeah.

Justin Gardner (@rhynorater) (01:31:07.714)
Tell me why you did this and can you, well first explain, you're looking for mutation XSS here, apparently. Why are you looking for mutation XSS and what is mutation XSS?

avlid (01:31:15.626)
Well...

avlid (01:31:20.168)
Okay, so mutation XSS is like, if you take a payload and just give it to the browser, no alert box will pop essentially. But if you put it through some...

parser first, like even one that's inside of the browser itself, which is mXSS, like innerHTML setting or like the DOMParser, etc. And then it will essentially try to fix errors in the markup. And while inserting those fixes, it actually turns it into XSS, let's say.

Justin Gardner (@rhynorater) (01:31:53.078)
Mm-hmm.

Justin Gardner (@rhynorater) (01:32:00.906)
So if I'm understanding correctly, the browser or the sort of, I guess, DOM rendering engine, whatever it is, it could be a server-side HTML parser, it could be a browser, it could be some other modification within the browser, when you give it some HTML document that is not spec-compliant typically, right? It will look at this thing and say, okay, can't render this because it's not spec-compliant, let me see what I can do to fix it. And when it does that,

avlid (01:32:08.818)
Mm-hmm.

avlid (01:32:14.857)
Yeah.

avlid (01:32:22.077)
Yeah.

avlid (01:32:29.448)
Yeah.

Justin Gardner (@rhynorater) (01:32:30.258)
it will inadvertently cause XSS, is that right?

avlid (01:32:34.012)
Yeah, that's exactly right. It's a bug in the "I'll fix your bad markup" functionality. Ha ha.

Justin Gardner (@rhynorater) (01:32:40.474)
Love that. Thank you for your help, browsers and DOM renderers all around. We love that we can rely on you for this sort of thing. So what was the motivation for this tool, man? Why did you build this? And what kind of stuff have you been finding with it?

avlid (01:32:50.697)
Yeah.

Well, the motivation was... It actually had nothing to do with XSS. But... Yeah. It was like an XML bug. But I knew they accepted... It was weird. Because you could send HTML to it instead of XML. And I was like, hmm, I wonder what parser they were using. Because there were certain tags they wouldn't allow me to use. And I needed them to exploit stuff.

Justin Gardner (@rhynorater) (01:33:01.194)
Love that.

Justin Gardner (@rhynorater) (01:33:19.726)
Mm. Yeah.

avlid (01:33:23.044)
And I had this idea like, I wonder if I can hide the tags from them somehow, but when it forwards it, it will actually be unhidden because some other parser, where it actually ends up after that,

treats it in a different way. So I was like, okay, how surely there's some tool you can just spin up all of these things and see like how does each parser parse it. And it's like, nope. And then standard moment in all its life. Man, someone should build this. I guess I'm someone. So

Justin Gardner (@rhynorater) (01:33:38.565)
Mm.

Justin Gardner (@rhynorater) (01:33:47.65)
Surely.

Justin Gardner (@rhynorater) (01:33:56.262)
I'm that someone. That's great, man. So you went and you built it. You took how many? Geez. I mean, you press parse in here and it just keeps on going. So you've got so many. 16 parsers. Wow, dude. How much of a pain in the butt was that to do?

avlid (01:34:09.504)
It's like 16 or a ton, yeah, a bunch of them. Yeah. And...

avlid (01:34:19.656)
I mean, the biggest problem was choosing whether I should implement like a whole web stack for it or if I should make like a hack, which I ended up doing. Like, do I need to have like a web server and a whole MVC framework just to call this parsing function and see what it does? But instead, do we build it with Apache and CGI actually? And then it will just run like a CLI version of it.

Justin Gardner (@rhynorater) (01:34:30.486)
Mm.

Justin Gardner (@rhynorater) (01:34:36.056)
Mm-hmm.

Justin Gardner (@rhynorater) (01:34:49.418)
Wow, very cool man.

avlid (01:34:50.488)
the parsers. Yeah, so that's it. I took the shortcuts about this actually, which way to do it in a practical way, because I'm like, it's gonna take a long time if I have to build an actual application with all of this. So that's what I did. And then I just put...

Justin Gardner (@rhynorater) (01:35:03.574)
Heck yeah it is dude. Oh I see you open sourced it too.

Justin Gardner (@rhynorater) (01:35:11.402)
Oh, it's got a Docker. It's got, dude, I did not see this when I did the research. This, this, uh.

avlid (01:35:15.132)
Yeah, each one of them is its own Docker container.

Justin Gardner (@rhynorater) (01:35:19.41)
No, dude, and then so, okay, so you've got it in a Docker container and then you can literally just do echo your DOM, pipe it into Docker exec and then give it the name of the parser you want and it'll just do it.

avlid (01:35:30.078)
Yeah. Yeah, you can. Yeah, that's correct. So you can like fuzz it through that if you like to, or you can use the beautiful web interface that I made.

Justin Gardner (@rhynorater) (01:35:35.31)
Dude, this is...

Justin Gardner (@rhynorater) (01:35:44.418)
This is really well architected, dude. I'm really impressed. Nice work with this. Do you have any, so did you pop the XML thing or no?

avlid (01:35:48.244)
Thank you. Yeah, so.

I did, I did. And like, because I managed to hide tags with it because it parsed HTML comments incorrectly. So it didn't recognize dash exclamation greater than (`--!>`) as an end of a comment. But you can also like...

Justin Gardner (@rhynorater) (01:36:08.904)
Ah!

Justin Gardner (@rhynorater) (01:36:16.73)
Ah, okay.

avlid (01:36:20.928)
If you saw some like, avlidinbrunn.se, that's like a, I have put in like a combination of those things that I found for different parsers that will like hide the content of the document. So...

Justin Gardner (@rhynorater) (01:36:35.546)
Oh, up at the top there? Or that? No, what are you, like, on just the homepage of avlidinbrunn.se?

avlid (01:36:44.832)
If you take, for example, a standard Beautiful Soup and html.parser and you try to scrape my site and take the links, you cannot do it. And it's the same with Floki, a couple of others. But that was the second interesting challenge I thought of when building that. It's just like, hmm.

Justin Gardner (@rhynorater) (01:36:50.336)
Yeah, yeah.

Justin Gardner (@rhynorater) (01:36:56.242)
No way. Really?

avlid (01:37:12.648)
I wonder if we can hide from scrapers, like what implications could have that for security.

Justin Gardner (@rhynorater) (01:37:19.318)
Man, can't beat the good old regex though.

avlid (01:37:23.783)
That's true. That is true.

Justin Gardner (@rhynorater) (01:37:25.846)
Yeah, no, that's really cool though. I love that you built that in. That's like some serious hacker, hacker shit right there. When you like make your own way, you implement this on your own website just for the kicks. Yeah. So that they can't, you know, pull your LinkedIn and your Twitter from avlidinbrunn.se. That's high value, high value links you've got there, only for human eyes.

avlid (01:37:41.48)
Yeah.

avlid (01:37:47.716)
Yeah, no, I did find some stuff and I have been thinking about implementing the same with XML parsers too, because that's something that I think could have specific bugs too. And if someone wants a research area, pick a bunch of different standardized XML parsers, see how they treat external entities or other types of XXE

Justin Gardner (@rhynorater) (01:38:01.282)
100%.

avlid (01:38:16.112)
issues and play around with it because there was someone in the Critical Thinking podcast Discord actually, I don't think they meant what I thought they meant, but they gave me an idea that like, okay, maybe there's a parser that doesn't require the DOCTYPE declaration to be at the start of the document, and I checked a couple and then they all did, but

Justin Gardner (@rhynorater) (01:38:24.494)
Mmm. Yeah.

Justin Gardner (@rhynorater) (01:38:40.82)
Oh, I saw that conversation. That looked interesting.

avlid (01:38:43.772)
But that would make XXE like a new type of XXE, I guess, which would be like external DOCTYPE injection. So when you're injecting into the body of the XML document, instead of controlling the whole thing.

Justin Gardner (@rhynorater) (01:38:58.358)
So I actually have a piece of research that I wanna say, I don't remember whether I actually put it into the SAML episode for Critical Thinking, but there is a Chrome browser exploit that was a couple weeks ago, not the one that dropped in the Critical Thinking research, the XXE one recently, where they were using XSLT transforms

avlid (01:39:15.401)
Yeah.

avlid (01:39:19.557)
Oh, okay.

avlid (01:39:27.423)
Yeah.

Justin Gardner (@rhynorater) (01:39:27.606)
to do some crazy stuff with the placement of that entity, you know, the DOCTYPE tag. And so essentially it was like, it was using the parser to stick it up at the top, and on the first parser it would,

it would not have it at the top, and on the next one it would, and trigger the XXE. So the other cool thing you can do with that is the XSLT transforms, which I am really excited to dive into more deeply. I hope some of the listeners go and do this research because I'm super swamped with stuff right now, but I would love to see any research on XSLT. Maybe I can nerd snipe you on it. Dude, the transforms are so cool. Have you learned at all about XSLT transforms?

avlid (01:40:00.861)
Nice set.

avlid (01:40:11.921)
Yeah, I found an XSLT bug one and a half weeks ago, actually.

Justin Gardner (@rhynorater) (01:40:16.238)
Oh my gosh, of course you have. All right, whatever, Mathias. All right, we're...

avlid (01:40:19.956)
But that means it was one and a half weeks ago, so it means I forgot everything.

Justin Gardner (@rhynorater) (01:40:22.458)
Yeah, your context window is gone. No, that's great, man. So, all right. Well then, so you've actually done some more hands-on stuff with it than I have because I've just done mostly reading and ideating on it. Um, what is your, yeah, share, share a little bit about that. Would you?

avlid (01:40:34.938)
But I want like that

I can share about that, but it was a really interesting point that you brought up with this XSLT, because XSLT is basically meant to transform the incoming XML document to something else.

Justin Gardner (@rhynorater) (01:40:54.186)
It's pre-parsed.

avlid (01:40:55.801)
you could transform it into something that now has an XXE in it. I guess that's what you meant, but I had to revisit that because it's awesome.

Justin Gardner (@rhynorater) (01:41:03.019)
It is.

That's great, man. I could see it. He's, for those of you that are listening, not watching on YouTube, there's like this far off look in his eyes that is the mark of a bug forming. I can see it. That's great, man. I love that.

avlid (01:41:15.484)
Yeah

avlid (01:41:21.232)
Yeah, but there's also a lot of stuff, or there are a couple of different XSLT libraries, but you can do file system stuff too, and get environment variables and stuff. So you can even do more stuff than with just normal XSLT.

Justin Gardner (@rhynorater) (01:41:28.844)
Yeah.

Justin Gardner (@rhynorater) (01:41:36.522)
Yeah, 100%. And so, yeah, I'd like to, normally before people come on the podcast, I message them and I say, hey, you know, check out this document, you know, that sort of thing, right? And then I also tell them, hey, bring a bug or two so that we can talk about it on the pod. And I totally forgot to do that for you for this episode. So I'm sorry about that. But yeah, can you give us some info on that? That'd be great.

avlid (01:41:57.175)
Yeah, we can talk about that one, I guess.

So that one was you could upload an XML through a bunch of different hoops you had to jump through, but it ended with like you could provide an XML and then in another place you could provide an XSLT document. And

Justin Gardner (@rhynorater) (01:42:06.975)
Okay.

Justin Gardner (@rhynorater) (01:42:17.962)
Mm.

avlid (01:42:20.564)
The funny thing is the XSLT document is also specified as XML. And that one was vulnerable to XXE, but I didn't find it. Because I tried it in the original document. That was not vulnerable. So then I was like, OK, XSLT, I'm going to learn it, XSLT-specific bugs. And then after I played with it and talked to Frans Wouda about it, he's like, but this is XXE. And I was, shut up, Frans.

Justin Gardner (@rhynorater) (01:42:44.334)
Frickin' Frans, dude. Shut up, Frans. Like, what? Get outta here. Who invited you to this anyway?

avlid (01:42:51.528)
But in another way, so one novel trick that I learned with that was that I forget exactly what the operation was called, but there's like a couple of ways you can read files, and you can read JSON files with one operation. I can try and write it later and we can link to this documentation. And you could write, or you can read XML documents.

Justin Gardner (@rhynorater) (01:43:12.046)
Yeah, that'd be super cool.

avlid (01:43:18.32)
but you can also read raw files. But the problem is, oh, this is connecting to the next part actually of this secret document. You could also, in the parser you weren't allowed to read null bytes into the resulting document. So you're like, oh damn, can't read like /proc/self/environ, because they're separated with nulls.

Justin Gardner (@rhynorater) (01:43:37.774)
Ah, interesting.

Justin Gardner (@rhynorater) (01:43:44.718)
Yeah.

avlid (01:43:47.332)
But what you could do is specify the encoding of the file. So what you could do is you could tell it, treat it as like UTF-16, for example, and it would spit out like a bunch of Chinese characters. And then you could like transform that back. And I knew that it was a Java application, so I could just use Hackvertor and know that it's like Java versus Java.

So I actually extracted the environment via reading the file as UTF-16 and then turned it back.

Justin Gardner (@rhynorater) (01:44:23.118)
Dude, you've been doing so much crazy charset stuff lately, man. That's really cool that you bypassed that with that, though. That's an amazing idea.

avlid (01:44:30.44)
Yeah, but they are.

avlid (01:44:34.428)
I like, I suppose, type confusion bugs. Like it's a broad area, but they are one of my favorites. And encoding is like, I'm still not entirely sure. There is a blog post actually, I can link to it too. It's like really old, like it doesn't, it's either or something. And it's called something like everything you need to know about encodings and charsets as a developer.

Justin Gardner (@rhynorater) (01:44:39.982)
Yeah. It is.

Justin Gardner (@rhynorater) (01:44:52.878)
Mm.

Justin Gardner (@rhynorater) (01:44:56.59)
Sure.

Justin Gardner (@rhynorater) (01:45:03.694)
Okay, I need that. Okay, so...

avlid (01:45:06.64)
Yeah, and it starts from the beginning. In the beginning there was EBCDIC, and within that there was ASCII. And then the high bytes were not used for anything. And so people started implementing whatever they wanted over 0x80.

That wasn't really standardized, but then IBM was like, okay, we take all of them and then we give them each a code page number. So now when you see like a charset, it's like CP1234, that's a code page number for it.

Justin Gardner (@rhynorater) (01:45:34.094)
Yeah.

Wow, dude, that's cool, man. I would love to read that document. I think a lot of our listeners would love to read that too. So I'll follow up with you after that and try to get that in the description.

avlid (01:45:48.712)
Yeah, and encoding bugs are really, really interesting. And also things like injecting like a byte order mark to confuse, like a byte order mark. So it tells, yeah, so you can use it in like UTF-16, for example, or like multi-byte encodings.

Justin Gardner (@rhynorater) (01:45:55.694)
Yeah.

Justin Gardner (@rhynorater) (01:46:02.414)
Injecting what?

Oh, byte order mark.

Justin Gardner (@rhynorater) (01:46:13.038)
Is this the like flip it around thing, like the left to right override?

avlid (01:46:18.28)
Yeah, exactly. It's like if it's little endian or big endian. So like, should the top byte come first or second.

Justin Gardner (@rhynorater) (01:46:24.142)
Oh, oh, yeah, yeah, yeah. So you're talking about like, like, UTF-16LE, UTF-16BE. Is that what you're talking about? Yeah. Right. Right.

avlid (01:46:32.248)
Exactly, exactly. So if you just say UTF-16, then it's ambiguous, but you can start the document or the string of strings with like this byte order mark, which is like FE FF, I think, for one of them. And then it's like, aha, you're telling it what the encoding is, basically.

Justin Gardner (@rhynorater) (01:46:41.134)
Yeah.

Justin Gardner (@rhynorater) (01:46:51.406)
Okay, so hold on, wait a second. So you can actually put that in the data.

avlid (01:46:55.954)
Yeah.

Justin Gardner (@rhynorater) (01:46:57.326)
What? Byte order mark, byte order mark. Dang dude, I need a bigger notepad for this episode. Byte order mark, and so you can put that in the data and it will define how the rest of that data string is read.

avlid (01:46:59.688)
Yeah, yeah, it's called, uh, byte...

Yeah.

avlid (01:47:18.7)
It should have to start with it, but I wouldn't be surprised if some people or some of our interpreters could have it in the middle.

Justin Gardner (@rhynorater) (01:47:28.622)
Holy crap, that's amazing. That is super, I'm just kind of, yeah, now I've got the thing in my, I'm looking off into the distance and ideating on what could become of that. That's really, really interesting, dude. I'm definitely gonna have to look into that after this. Yeah, thanks so much for sharing that. I'm sure that'll result in a bunch of bugs.

avlid (01:47:48.98)
Yeah.

avlid (01:47:53.452)
There's also some encodings that have special, I don't think it's called byte order marks, but it's like a special sequence of characters that transforms it. So like in the middle of the document you can have byte blah and blah, and then it tells it to like, okay, now it's this other way of interpreting it, and it ends with something else.

Justin Gardner (@rhynorater) (01:48:15.726)
No way.

avlid (01:48:15.752)
So you can have, there is encodings, which is like, okay, now it's standard ASCII, everything's fine. It's like, no, now it is not. Now it's this other thing.

Justin Gardner (@rhynorater) (01:48:24.75)
Dude, that is so interesting. So if you could get them to parse it with that charset, then you could really use that to bypass some security controls because, you know, whatever parser will be looking at it and being like, okay, you know, this is just meaningless text. And then when the actual end, you know, program runs it, it's something completely different because it's actually parsing the charset differently.

avlid (01:48:50.352)
Yeah, yeah, exactly. So if they had like a string contains, for example, then it could be treated differently. Or if they do, this was a topic too, in the Discord I saw, like normalization, you can like transform it into some other charset.

Justin Gardner (@rhynorater) (01:48:57.23)
Dude, this has gotta be...

Justin Gardner (@rhynorater) (01:49:04.366)
Yeah, well, this is very, and of course my mind goes directly to web servers and reverse proxies and WAFs, and this is actually pretty much exactly what Sam Erb and I were talking about, and I don't know if you saw it in the document, but I did a talk on this at DEF CON on how you can define host headers for some HTTP servers, and you can define them in different encodings, right? So literally our exploit for this bug was

host, and this is a Host header, `Host: =?ISO-8859-1?Q?` and then a bunch of hex data. And that actually got converted into our exploit on the backend of that server that we were talking to, a bypass to an NGINX configuration that had some limits on the Host header characters being used, and allowed us to inject right into the NGINX config file

on the backend because of the way that we could smuggle characters like a space and stuff like that into the Host header. And so now I'm thinking like, man, there's got to be even more possibilities of this sort of thing with stuff that can change mid, you know, mid flow and change into something else, because maybe the NGINX proxy on the front end reads, decodes the character set, but the one on the backend doesn't, and it doesn't normalize it, and then it just treats it like normal text,

and then you can pop XSS or you can bypass any sort of filtering that there's in place.

avlid (01:50:33.299)
Yeah.

avlid (01:50:39.undefined)
Yeah, but you also need... When you're talking about the XSS, you need either, you need server-side normalization for it to transform, because when you're sending, like if you're using UTF-16, for example, what you are actually sending is just two bytes. And if you want like a less-than character, those two bytes will be a null byte and 3C. So if it filters 3C in...

like an 8-bit ASCII encoding, it would go like, okay, is this a 3C? Is this a 3C? No. Is this a 3C? Yes. And so you need normalization, or you need some kind of encoding put in the client that says like 003C or 0303F means less than.

Justin Gardner (@rhynorater) (01:51:09.934)
Sure, sure, sure, sure.

Justin Gardner (@rhynorater) (01:51:26.382)
Yeah, I'm wondering if there's other, there's gotta be other encodings besides, you know, UTF-8, UTF-16 that put those at different code points, right? Well, you know, and I linked actually, funny you mention that, Mathias, because I did my homework for this episode, and if you click the first link under the character sets heading in the secret document, I have a link directly to

avlid (01:51:39.452)
in browsers.

avlid (01:51:47.56)
Yeah.

Justin Gardner (@rhynorater) (01:51:55.438)
the Chromium source code and all of the different character encodings that can be used in here. And I see one of them is this ISO-8859-1 that I'm more familiar with from the DEF CON talk. And so I'm wondering if there's different ways any of these different encodings put a different, put the less-than sign or greater-than sign or whatever at a different code point,

avlid (01:51:57.664)
Yeah.

Justin Gardner (@rhynorater) (01:52:21.902)
so that if it bypasses the front end and says, okay, the front end says this is a question mark, but the back end says, okay, I'm actually not reading this as Windows-1252, and actually I'm interpreting this as UTF-8 or interpreting this as ASCII, and then you get the output as an actual script tag. Does that make sense, or am I thinking about this incorrectly?

avlid (01:52:37.44)
Yeah.

avlid (01:52:48.96)
I mean, it's a good idea, but ISO-8859 is no, it is ASCII-based, so that would be the same.

Justin Gardner (@rhynorater) (01:52:52.91)
Yeah, it's different.

No, I know, I know. It doesn't meet the standards of what we're looking at.

avlid (01:53:01.44)
But if there is something like that, then yes. Unfortunately, I don't think that there are any non-ASCII-based charsets supported for HTML and dangerous content types in browsers. But I could be wrong. Anyway, there used to be. Especially like Internet Explorer had some special cases. And like all of them at some point had UTF-7, which is just like a 7-bit encoding.

Justin Gardner (@rhynorater) (01:53:16.366)
Ah, so the overlap.

Justin Gardner (@rhynorater) (01:53:26.382)
So ASCII would be the base for all of these, is what you're saying. So the first 256 characters of every single one, that 3C is always gonna be the angle bracket for XSS. Yeah.

avlid (01:53:33.792)
Yeah, ASCII is actually...

avlid (01:53:40.672)
Yeah, but ASCII is all the characters you need, and punctuation, for the English language. So it starts at 0x20 and stops at 0x7-something, like small letter z. At least that's how I learned it, in my mind.

Justin Gardner (@rhynorater) (01:53:57.518)
Yeah.

Yeah, yeah, and.

avlid (01:54:01.92)
Oh, actually speaking of, I was going to say this in the start, but one of the best ways to learn, I believe, is to be wrong. So if I say something that is wrong, please tell me. And also, like, trust but verify when it comes to people teaching you. That's like a super free way to learn.

Justin Gardner (@rhynorater) (01:54:13.102)
Yeah.

Justin Gardner (@rhynorater) (01:54:17.87)
Yeah.

Justin Gardner (@rhynorater) (01:54:30.926)
Heck yeah, dude, I love this. And I also love that you're in the CTBB Discord. I appreciate that, by the way. People are asking questions in there all the time about stuff like XML and about character sets or some of these more advanced topics, right? And you're in there responding to questions and getting nerd sniped by the content, which I definitely appreciate. And I totally agree, man. Once again,

Mathias, I think you'd like podcasting, man, because I'm not trying to drum me up some bug bounty competition, bug bounty podcast competition, but you're out there every week, you're talking for an hour and a half, and you're making mistakes. And people are messaging you saying, hey, you messed this up, and then you just get free correction. And if you're not taking yourself too seriously, then it's great,

avlid (01:55:21.184)
Yeah.

Justin Gardner (@rhynorater) (01:55:26.83)
and you learn so much. So yeah, we might have to, you know, get the Mathias show started, or we might have to get you on here on a regular basis. Maybe you'll be the, Joel is having some cat problems, you know, sub host in the future. But yeah, definitely be interesting.

avlid (01:55:36.128)
Yeah.

avlid (01:55:46.752)
Yeah, actually it reminds me of this... There's some late night show, I think it's Conan or one of them, where they have like special episodes where like the viewers come on and like, "How you were wrong about this," because it's a night... Like, that's an idea for you. Like, I would love to see... No, like people can like point out like, actually... Yeah, yeah. If you could stomach that.

Justin Gardner (@rhynorater) (01:56:02.542)
Oh, just like a roast episode. Oh my gosh.

Justin Gardner (@rhynorater) (01:56:09.966)
Dude, that's a great idea. I gotta, I gotta, no, no, no, no, 100%. I've gotta, I'm gonna write that down. I'm gonna try to make a channel in the Discord, in the CTBB Podcast Discord, of like, corrections. Stuff Justin said that was wrong. And it's gonna make me feel so bad, but I'm gonna learn so much. That's a great idea, dude.

But yeah, I would be really interested to see, especially with some of these character sets that are oriented specifically towards other languages, like the Japanese, the ISO-2022-JP character set, or some of this other stuff, what is actually, if they're all ASCII-compliant, or whether there's ways to represent different code points in different ways that are outside of ASCII's definitions and still get an ASCII result back.

avlid (01:57:04.928)
Yeah.

Justin Gardner (@rhynorater) (01:57:05.23)
That would be really interesting. And then also, but of course you've got the sort of normalization piece, which is often in place. You know, I've got the Japanese keyboard set up on my computer and I always just switch it over to Japanese and drop in the, you know, the full-width less-than and greater-than, you know, for the XSS stuff. And I've definitely had that pop quite a few times.

avlid (01:57:26.944)
Yeah.

avlid (01:57:31.968)
Yeah, well, there can actually be an easy way to bypass WAFs too. Like if the server side supports UTF-7, but the WAF doesn't, just send it in that encoding and the WAF won't see it.

Justin Gardner (@rhynorater) (01:57:43.31)
Yeah, I want to say, was it, was it Soroush? WAF bypass, I think.

avlid (01:57:51.168)
Oh yeah, that's an umbrella to do.

Justin Gardner (@rhynorater) (01:57:54.734)
Yeah, yeah, a hundred percent. I would love to have him on the, on the, on the podcast sometime. I believe. Yeah. I'll link it in the, in the description as well, for those of you guys that are listening, but Soroush, um, uh, Dalili, sorry, or irsdl is, is, is his handle. I don't really know how to pronounce last names sometimes, or first names in that regard, but I will link it in the description below. He has an article from 2018 on using character sets to bypass WAFs. And this is incredibly,

incredibly applicable and often used to bypass WAFs. And I also saw a tweet going around the other day, I'm not sure if you saw this, from J.S. I think is his name, I don't know how to, I don't have it in front of me, so I'm not sure, but he's been dropping a bunch of cool tips lately, and we talked about a couple of them on the pod. And one of the ones he did was a WAF bypass that just says

Content-Encoding as the header, as the HTTP header, and then the content is just "WAF bypass". So essentially, if there's any Content-Encoding header, the WAF's like, ah, you know what, actually I don't know how to deal with that shit, I'm just gonna pass it through and hope you figure it out. And I just thought that was hilarious, like what kind of BS WAFs people are using.

avlid (01:58:59.36)
Yeah.

avlid (01:59:06.592)
Yeah, I mean, they have basically never been effective, except for maybe specific automated attacks.

Justin Gardner (@rhynorater) (01:59:07.534)
It's...

Justin Gardner (@rhynorater) (01:59:13.774)
Yeah, yeah, for sure. I think they ought to look at the, the WAF should look at, or maybe they shouldn't look at, but the PortSwigger cheat sheets on like impossible XSS scenarios, like, you know, if you can just block less-than bracket, or less-than bracket A through Z, then you're screwed, right? There's no way you can really get around that,

as far as HTML context injection goes, because that's just a part of the spec, you know? It has to be an alpha character, you know, coming right after it, so. It's a bummer, hopefully someone will crack that one someday, because if they do, there's gonna be a lot of XSS's popping left and right. All right, man, let's see. We are at two hours already. I, let's skip over some of this and talk about,

Justin Gardner (@rhynorater) (02:00:10.382)
your favorite go-to vulnerabilities and stuff that you find yourself finding often. You know, if you had to profile, so a while ago, let me add some context to this question while you think about that. A while ago, you released this dashboard with Frans, I believe, Bounty Dash, and you know, it would pull in, before the programs were doing this sort of thing, it would pull in all your reports and like categorize them and give you earnings, you know, per certain period of time, and you know, what kind of severity bugs they were and that sort of thing,

avlid (02:00:19.808)
Thank you.

Justin Gardner (@rhynorater) (02:00:40.398)
and vulnerability classes I think were included as well. If you were to profile Mathias as a bug bounty hunter, what kind of stuff would be your bread and butter? What would be your go-to vulnerabilities that you often find?

avlid (02:00:56.064)
I often look for

high or crit level stuff. So it's always context dependent, depending on the organization. I always always start with trying to understand what does the organization have that's worth protecting so that I can then follow up with, okay.

Justin Gardner (@rhynorater) (02:01:10.798)
Hmm

Justin Gardner (@rhynorater) (02:01:18.19)
What do they value? Yeah.

avlid (02:01:23.392)
What are they protecting it with? And how is it supposed to work? Okay, there's authentication, authorization. Okay, how is that supposed to be implemented? Just so you can have in the back of your head like, okay, these are the things that they probably care about. But the specific bugs, like I found a bunch of bugs on the way, like XSSes that just are obvious. But.

Justin Gardner (@rhynorater) (02:01:51.566)
So you don't ignore those lower/medium impact vulns in search of the highs or crits, but you, yeah.

avlid (02:01:56.096)
No, no, no. Why use Matthias in this field if I can just use a bunch of quotes and some stuff? It takes me the same amount of time.

Justin Gardner (@rhynorater) (02:02:03.022)
Yeah, yeah, yeah. Yep.

avlid (02:02:07.488)
But yeah, I don't know, I like type confusion and I like different kinds of injections. And I also like...

Like these reverse proxy type of bugs too.

Justin Gardner (@rhynorater) (02:02:20.174)
Mm-hmm, reverse proxy types of bugs. Let's talk a little bit about that. How do you, are you doing the host level fuzzing for that? Is that the sort of thing you're talking about? Are you talking about secondary context path traversals or?

avlid (02:02:33.792)
Yeah, yeah, exactly, secondary context stuff. But also like...

Justin Gardner (@rhynorater) (02:02:36.718)
One of the tips we've dropped before on the pod for that sort of thing is, you know, traversing all the way back past the document root and then cutting off everything after will result in a 400 getting dropped on the status code. So with that, you can determine the document root on the backend server that you're traversing with. Do you have any other cool tips or tricks you can drop on secondary context bugs, identifying them and exploiting them?

avlid (02:02:59.136)
Yeah.

Justin Gardner (@rhynorater) (02:03:07.246)
Or is it just mostly a fuzz game? Because that is part of it, I know for sure.

avlid (02:03:07.552)
I mean...

avlid (02:03:11.52)
I mean request smuggling is the same. That's also a thing where you can get like the different applications in the chain to treat the request differently. What else? Like one good.

Justin Gardner (@rhynorater) (02:03:22.51)
Mm.

Do you actively exploit request smuggling in these sort of scenarios on a, let's say, multiple times a year basis, you think?

avlid (02:03:32.384)
I don't automatically scan for it or anything, but I will look at it if I sporadic it. I guess. I don't know. If I feel like it, I guess. Bad answer, but that's just intuition I suppose. But also, one actual tip is, it's kind of fuzzy in the standard whether a hashtag or fragment character is allowed in a path or not.

Justin Gardner (@rhynorater) (02:03:37.262)
Yeah.

Justin Gardner (@rhynorater) (02:03:42.51)
Yeah.

Justin Gardner (@rhynorater) (02:04:01.134)
Yeah.

avlid (02:04:01.984)
So a lot of times what I see is that like the first load balancer or whatever is like okay that's just a part of the path but then when it forwards it to the back end the path is cut off so that's like another way if you can't if you need a way to truncate the rest of the path because maybe there's some reverse proxy match so you need to have a suffix so that's like a good tip.

Justin Gardner (@rhynorater) (02:04:27.822)
Yeah, yeah, using that, using the query parameter, you know, the question mark as well, will get you that sometimes for sure. And that truncation is so helpful, man. One of the things I've struggled with though, let's see if you've got any thoughts on this. I don't know if you've had this one, and I'm not sure there's a great solution to it, but there's this concept of like, okay, I'm injecting in the middle of a secondary context, you know.

situation, right? So I've got some text before and I've got some text after, right? The text before, you can brute force by, you know, path traversing, deleting it, and then brute forcing, and if it completes the request the way that you would anticipate that it should be completed, then you've identified the correct path there, right? But on the right side,

avlid (02:05:14.336)
Mm-hmm.

Justin Gardner (@rhynorater) (02:05:17.326)
How can we, without some sort of verbose error, I struggle to enumerate what is on the right side of our injection point? Yeah, are you tracking with me or no? Yeah, okay.

avlid (02:05:26.752)
without some kind of verbose error, that might be hard. But yeah, we're still talking about like the path part, like the first line of the request, yeah. Well, one thing you could do is like, try to make it extremely long. And then you can maybe see like path, ah, and then it just ends with that. That's one way to do it. Another way you could do it is,

Justin Gardner (@rhynorater) (02:05:37.166)
Yeah, yeah.

Justin Gardner (@rhynorater) (02:05:49.742)
Interesting.

Justin Gardner (@rhynorater) (02:05:55.118)
A size inflation, yeah. Interesting. Oh yeah, and then it would drop back, what is it, a 414? Like a 414 status code, I believe, which is like, yeah, URI too long response status code, right? So, and then you could use that to protect you, like potentially determine, if you know the full path to the left, and you don't know the path to the right,

you could at least get a character count at least probably on the how much is there by determining by inflating the size and then determining where you get the 414 status code.

avlid (02:06:23.36)
Yeah.

avlid (02:06:27.872)
Yeah, how much is left.

avlid (02:06:38.144)
Yes, that's not what I meant, but that's a good idea.

Justin Gardner (@rhynorater) (02:06:38.766)
Huh. Ha ha ha ha. Well, that's what happens when we get on these pods. We just kinda ideate and bounce off, bounce off of each other. That's good though, I like that.

avlid (02:06:47.168)
Yeah.

Yeah, like the same thing with the query and stuff too. Like you can make a question mark and then put something you think is an invalid character and it might spit back, like query names cannot be named, blah, blah, blah. So that's like another thing you could try as well.

Justin Gardner (@rhynorater) (02:07:05.166)
Mmm.

Yeah, try it, so, so, fuzz the path, fuzz the query, fuzz the query parameters themselves that you might be able to identify are getting parsed, right? Cause those might throw a weird error. Inflate the request size, yeah, okay.

avlid (02:07:13.344)
Yeah.

avlid (02:07:23.104)
And you can also throw a Hail Mary and try an SSRF in it. Because sometimes there will be like... Hail Mary? Isn't that the name? But like slash static slash blah goes to...

Justin Gardner (@rhynorater) (02:07:31.918)
Throw a what?

Oh, Hail Mary. No, no, no, you're good. I didn't hear it. You're good. It cut out. Yeah.

avlid (02:07:44.064)
some other backend would say, but then instead of, they might have a bad rule. So you can do like slash static at example.com and then there will be like SSRF and you can look at the logs and you get the rest. But I understand I'm kind of cheating in your scenario.

Justin Gardner (@rhynorater) (02:07:45.134)
Yeah.

Justin Gardner (@rhynorater) (02:07:57.102)
interesting and you should be able, no, no, no, that's great because let's say for example, the backend is like slash API slash, you know, bloody blah.com or whatever, right? You traverse back, you do, or no, slash API and then whatever path. And instead you put, you can delete the API, right? Part and then write API again at whatever.

And that will, interesting, that's something I've always struggled with, because I was like, man, wouldn't it be great if we could traverse all the way back up and then make it a slash slash, right, and have it point to a different domain? It doesn't really make a lot of sense in a lot of scenarios, but in some normalization scenarios, I actually have popped that vulnerability before, which is insane, and I'll actually show you a very impactful one I've got after this episode. But.

avlid (02:08:26.88)
Yeah.

avlid (02:08:38.976)
Yeah.

Justin Gardner (@rhynorater) (02:08:51.95)
Yeah, no, that's another great way to get around it is if you can figure out what that mapping might be, you can find some NGINX style reverse proxy misconfigurations even on that backend and try to use those to hit different domains.

avlid (02:09:05.28)
Yeah, like here's another Hail Mary trick that probably should never work, but I've seen it once at least. So the host header.

Justin Gardner (@rhynorater) (02:09:08.43)
Yeah.

avlid (02:09:15.744)
I don't know if it's in the spec, but usually they allow to put port there. I think it's because you can have a port if you provide a full URI instead of like a relative in the like get space HTTP. So a lot of the parsers are lenient for the web service or whatever with the port part of the host and port. So one time at least I've seen you can do like host example.com colon 80 at.

Justin Gardner (@rhynorater) (02:09:23.406)
Yeah. Yeah.

avlid (02:09:45.056)
of Lillebrun.se and you'll have an SSRF. Yeah.

Justin Gardner (@rhynorater) (02:09:45.678)
No.

Dude, you know what that, I wanna say, who was it? It was James Kettle, HTTP, I can't remember the name. It's like hitting the.

avlid (02:10:01.504)
Practical HTTP, like host header injections or something like that. Is that what you mean?

Justin Gardner (@rhynorater) (02:10:04.814)
Yeah, it's like, what is the name of that research? It's like the untapped attack surface or like, ah, I can't remember, HTTP host header, no, no, no, no, no, it's, no, it's not just practical HTTP host header attacks, I don't think, there's just the first one that comes up when I Google it. But there is, there is,

avlid (02:10:12.96)
Oh my god, I'm not thinking of the same thing.

Justin Gardner (@rhynorater) (02:10:25.294)
There was, because now he's got all of this stuff on, exploiting HTTP's hidden attack surface, I think is the one that I was thinking of. A report, or a talk he did back in, I wanna say it was 2017, or maybe even before that, at Defcon, has this very similar thing. And I know at the time, you know, if you were in the live hacking event scene, which I'm sure this is why you thought of this as well, people were destroying stuff

avlid (02:10:32.736)
Hi.

Justin Gardner (@rhynorater) (02:10:55.248)
on Yahoo with this. It was like, like, Yahoo must have paid out hundreds of thousands, if not millions, of dollars in bounties from this specific vulnerability. So, hopefully you've got that fixed now, Yahoo. Sorry about that if I just, you know, called out your problems that are still active, but if you don't have it fixed by now, five years later, you're doing something wrong, so.

avlid (02:10:57.472)
Yeah.

avlid (02:11:08.48)
You want your app?

avlid (02:11:19.616)
I want to.

I want to give some motivation actually based on that. So Yahoo launched the program what, 2012, 13? 2019, I found an RCE on the root domain of Yahoo. So don't give up just because it's like, oh this shit is so hard and whatever. First up, 19, yeah.

Justin Gardner (@rhynorater) (02:11:24.654)
Yeah.

Justin Gardner (@rhynorater) (02:11:29.006)
Yeah, yeah.

Justin Gardner (@rhynorater) (02:11:43.31)
in 2019? Wow dude.

avlid (02:11:50.208)
Yeah, so there you go. The first point.

Justin Gardner (@rhynorater) (02:11:52.206)
That is many, many years later. You know, people fuss about this sort of thing all the time, like, ah, you know, this program's been around for three years, like, I got this private program invite, it's three years old, woe is me. Many years later, seven, eight years later.

avlid (02:12:04.512)
Yeah, but if you think like that, just go to any company or do your job for something that has like, put their stuff as open source. Look at the change log and scroll back to whatever and look how many changes there are. Of course there will be new stuff.

Justin Gardner (@rhynorater) (02:12:25.198)
Yeah, I'm gonna send you something after this as well. There's this host right now that I'm working on or that I've been working on and Nogli finally convinced me to give it up, I guess. But there's, the version number says that it has patched this severe vulnerability that's at that specific version. If you see the version number in the HTTP response, it says version whatever, and the vulnerability is patched at that version. But...

If you go into the GitHub history and you click the patch right before that, before they fix the vulnerability, the commit right before that, it's a change to the readme for this and it changes a lowercase h to an uppercase h. And I hit that readme file and it's still a lowercase h, which means I know that they haven't actually patched that specific vulnerability yet, even though the version number aligns with the patched.

version. And so I've been trying to build out this exploit. I had to rewrite it because of a HTTPS problem. And something isn't, something isn't, the attack complexity might be too much in this scenario because there's some mitigating factors. But I might pass it to you anyway and see if I can nerdsnipe you and get you to pop it. Because it'd be a 15K bug if we could. Yeah, man.

avlid (02:13:26.208)
Interesting.

avlid (02:13:46.752)
Give it a shot.

Justin Gardner (@rhynorater) (02:13:48.718)
But that sort of thing, looking at the change log, looking at the git commit history for open source software is super duper important. Yeah.

avlid (02:13:53.888)
Yeah. Oh, hey, one more tip. If the program you're targeting has like an SDK,

Justin Gardner (@rhynorater) (02:14:04.654)
Mmm. Oh my gosh.

avlid (02:14:07.264)
in your automation, pull git updates from the SDK and then you get a feed of like, here something changed. And then you don't need crawling, you don't need scraping, they will just tell you, here this changed. That's the thing.

Justin Gardner (@rhynorater) (02:14:22.798)
Yeah, dude, and the SDK is a very underestimated attack surface as well for a lot of companies as well. That's one thing that I didn't look at for years until freaking Ryotak, the guy that won Vegas two years back, like just started because his whole thing is like source code review. He's just like literally a source code monster. And he just, you know, just

avlid (02:14:44.896)
Hmm.

Justin Gardner (@rhynorater) (02:14:46.766)
He'll open up a page, right? This is how you know you're dealing with someone who's like a savant, right? Like he opens up a page and then he'll read the JavaScript from top to bottom. Like not jump around, not trace the functions. He'll read it from top to bottom and then tell you what's happening with it. And I'm like, what? Like, what are you, how? What are you doing? And he just destroys any SDK that he works on, you know, on these programs because it's open source stuff.

avlid (02:15:04.832)
there.

Justin Gardner (@rhynorater) (02:15:16.878)
and he loves open source stuff, so really amazing to see him work on that, really inspiring for me to go after SDK related vulns, and then I found a bunch after that, which is really exciting. So yeah, definitely a great tip there, as far as attack surface and as far as recon goes.

avlid (02:15:29.856)
Nice guys. Yeah, but also, like another tip I guess, is that modern development or if they have an SDK or something of the sort, it's usually built with like...

Is it called test-driven development? I don't know, but it has a bunch of tests, and a lot of times those have like security-related tests because they use the other bug. So that can be like a really good tip to like, oh, if you can just bypass one of these tests, you've got a free bug. That's like, they're giving you a tip on where to look.

Justin Gardner (@rhynorater) (02:15:54.03)
Yeah.

Justin Gardner (@rhynorater) (02:16:01.166)
Wow, that's an interesting. Yeah. They, they sort of say, okay, hey, this is what we've, this is how we've designed it to work, you know? And then you can look at, at the holes from that perspective and you know what not to try. That's that is helpful. Man, you know, Matias, you have probably done one of the best jobs of, of anyone on the podcast that we've had on of actually giving actionable hands on advice and tips to people.

avlid (02:16:10.72)
Yeah.

Justin Gardner (@rhynorater) (02:16:30.478)
I have it in my notes right now. I'm gonna have some of the viewers play a drinking game of how many times Mathias says, here's a tip, during this episode, people are gonna be like, wasted as heck after that. That's great.

avlid (02:16:45.728)
Yeah, but it's like I listen to the podcast too. So I will not contribute.

Justin Gardner (@rhynorater) (02:16:48.302)
Yeah.

That's great, man, I appreciate that. So we're getting to the point where it gets way too long. But I do wanna have a conversation real quick about GraphQL. I think we'll skip Docker escapes, which is the other thing that we were gonna talk about, even though that would be really, really interesting. GraphQL stuff, talk to me about GraphQL stuff. What kind of stuff have you been popping with that recently and what kind of stuff are you finding interesting?

avlid (02:16:59.456)
Yep.

avlid (02:17:05.632)
Yeah.

avlid (02:17:09.312)
So.

avlid (02:17:16.032)
So I had this notion of, or idea of graph QL is being like, it's the same thing to test like, by the way, background, I started, I just started learning like.

more about GraphQL, but my previous idea of it was like, it's the same thing as REST API, and if introspection is on, you get the documentation of the REST API. Basically, you get a bunch of input arguments that you can put payloads in them and such, and that's for traditional vulnerabilities. But it turns out there's a lot more to that, because you have a bunch of, not fields, what are they calling?

Justin Gardner (@rhynorater) (02:17:31.79)
Mm. Sure.

avlid (02:17:58.56)
not models, you have a bunch of whatever semantics, you have a bunch of operations, let's say, so they can be three types, they can be query, mutation or subscription. And the subscription one is also interesting. And we did, and there's a bunch of different like query names, for example, but those names can return an object.

Justin Gardner (@rhynorater) (02:17:59.15)
Attributes? What are you?

Justin Gardner (@rhynorater) (02:18:05.23)
Yeah, query mutation, yeah.

Justin Gardner (@rhynorater) (02:18:12.142)
I want to pick your brain about that actually, but continue.

avlid (02:18:25.439)
that has a subquery in it. And this, I didn't know. So it's like a really fun game of like, okay, I'm getting back this. It has a field contacts. And in the contacts field, it actually has a user contact type. And that one has a user. And now I can get the user's PII. Yeah.

Justin Gardner (@rhynorater) (02:18:29.005)
Yep.

Justin Gardner (@rhynorater) (02:18:44.046)
can I map all of these different types? How can I follow this sort of train of data to the actual data type that I wanna get access to?

avlid (02:18:54.656)
Exactly. So that's something I didn't know.

Justin Gardner (@rhynorater) (02:18:59.79)
Yeah, that's freaking amazing, man. I love embedding subqueries like that and trying to map it out. And when it has introspection enabled, it's so much easier because you can put it through stuff like, you know, what is it? GraphQL, I forget what it's called, but you can paste the schema in there. I've got it in my bookmark somewhere. And it will actually create like a graphical representation of it and you can say, okay, this type's linked to this type's, linked to this type, linked to this type. And actually I've...

avlid (02:19:00.896)
before.

avlid (02:19:27.168)
Yeah. But there's like... Sorry.

Justin Gardner (@rhynorater) (02:19:29.005)
Yeah, I've had it before where they'll actually link like password reset tokens and like literal password hashes if you chain it, you know, to a point and then you ask for that specific field, which is like nuts to me that they would just expose their whole database like that.

avlid (02:19:46.975)
Yeah, I know, it's a lot more complex than I thought it would be.

Justin Gardner (@rhynorater) (02:19:52.846)
So I'm more familiar with the query and the mutation thing. Talk to me about the last one. Subscribe, is it? Yeah, subscription.

avlid (02:19:56.352)
Yeah, subscriptions. Subscriptions are like, how should you call it? Asynchronous queries or mutations. So you create a subscription and then you have either a web socket or a multi-part mixed request. We didn't talk about like the XSS challenge, but it uses this. And then you just have like an open socket and whenever something...

Justin Gardner (@rhynorater) (02:20:06.51)
Okay.

avlid (02:20:23.68)
is answered or put into that subscription, whatever you ask for, you can get data back.

Justin Gardner (@rhynorater) (02:20:29.198)
Wow, that is very interesting. I did not know that it was using that multi-part thing that you had in your, I didn't solve your hard challenge by the way, that was challenging.

avlid (02:20:33.44)
So that's our subscription book. And take care.

avlid (02:20:41.792)
Okay, I don't think it's like, or I'm not sure if it's GraphQL standard, but like Apollo GraphQL, I think it's using that, which is like almost, or like a lot of new stuff.

Justin Gardner (@rhynorater) (02:20:46.958)
Yeah. Yeah, that's the one.

Justin Gardner (@rhynorater) (02:20:54.062)
Yeah, no, that's a lot. And I, yeah, we meant, I meant to kind of try to talk through actually that XSS challenge and it kind of got lost in the whole, um, content, content type, uh, description, but, or the, um, sorry, char set description or a conversation we had, but I'll leak it, link it below the writeup that you have, uh, to this, to this XSS challenge, you did a great job of actually.

writing up something at the end that explains all of the different techniques that you can use to do it. And there's one, the multi-part mix that you mentioned. I was on that trail, by the way, when I was trying to explain it, but I just didn't have the time to get all the way through it.

avlid (02:21:31.968)
Nice.

Justin Gardner (@rhynorater) (02:21:32.462)
very, very cool piece of functionality that essentially allows, if I understood it correctly, it allows them to almost sort of keep an, it's almost like WebSockets, but for HTTP, and you can kind of like continue to stream data over time that have individual content documents within one long streamed HTTP response, is that right?

avlid (02:21:43.424)
Yeah.

avlid (02:21:53.92)
That's exactly right, yeah.

Justin Gardner (@rhynorater) (02:21:55.534)
Wow, what an interesting piece of functionality there. And I have to imagine that the impact of that is substantial in the context of things like HTTP request smuggling and stuff like that too. So definitely some room for some cool research there for anybody who is into request smuggling and sort of server confusion, confusing servers.

avlid (02:22:10.848)
Yeah.

avlid (02:22:18.816)
Yeah, that's like if it's one way you can do something with a response header injection for example, or something like that for sure.

Justin Gardner (@rhynorater) (02:22:27.534)
Oh yeah, yeah, because then, huh, if you could redefine the content type, I wonder, but you have to control the content type header the first time anyway to get it multi-part mixed because there's a lot of times where you're injecting after the content type definition and that sort of thing and you can't override it. That's, huh, interesting. I gotta do some more research into that, man. There's, there's...

My notepad is full. Yeah, I have my to-do list today, and it's like record podcasts with Matthias and a couple other things. I was getting ready to check this one off the list, but when I check it off, I've gotta add seven additional items of go research this and document it and put it in things. Thank you very much for that, Matthias. Appreciate that, man. No, seriously though, it's been a great episode.

avlid (02:22:54.432)
So much stuff.

Justin Gardner (@rhynorater) (02:23:21.646)
Thank you so much for sharing all your knowledge about all these different areas. And I hereby give you permission in the future to invite yourself back onto the pod whenever you have something interesting in your technical context window so you can get it off your chest and give it to the world and that we can all benefit from that, including your own memory having had to put it into words. So that'll be helpful for everyone involved, I think.

avlid (02:23:32.576)
Okay.

Thanks for watching!

avlid (02:23:49.344)
I'll leave that for sure. Yeah, thanks for having me on.

Justin Gardner (@rhynorater) (02:23:50.062)
Awesome man, that sounds great. Of course, have a good one man.

avlid (02:23:54.304)
See ya.