Episode 51: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are back for the last episode of 2023. We discuss some noteworthy news items including a HackerOne Crit, Caido updates, and some Blind CSS. Then we dive into our own personal ‘Hackers Wrapped’ recap of the year, before laying out some goals for 2024.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Resources
Timestamps
(00:00:00) Introduction
(00:08:43) Keyboard Shortcut Utility Systems
(00:21:28) CTF Challenge By Franz
(00:32:40) HackerOne 25K Crit Disclosure
(00:36:31) Caido Searchbar Rework
(00:40:51) Blind CSS Exfiltration
(00:44:10) 2023 Personal Bug Bounty Stats
(01:01:15) 2024 Personal Bug Bounty Goals
Justin Gardner (@rhynorater) (00:00.47)
Alright, we're rolling. So you were saying 10, you have 10 gig now in your house?
Joel Margolis (teknogeek) (00:05.266)
Yeah. So I mean, technically I'm only getting like 7.8 gig down and like four gig up, but I mean, it could be worse. Yes. Yeah. Per second.
Justin Gardner (@rhynorater) (00:10.726)
Set. Oh.
Justin Gardner (@rhynorater) (00:16.197)
7.8 gig down, is that what you said? Per second?
Holy crap, dude. What'd you have to do to get that?
Joel Margolis (teknogeek) (00:27.222)
They wanted me to sign up. Honestly, they sent me a letter in the mail. They were like, hey, we're rolling out 10. They sent out all these things in the mail and they were like, you know, speeds up to 10 gigs. And I was like, okay, you know, we'll see about that. It's a local one to the Bay Area called Sonic.
Justin Gardner (@rhynorater) (00:32.314)
They said, all right, this guy's a sucker.
Justin Gardner (@rhynorater) (00:39.374)
Holy crap, what ISP is this?
Justin Gardner (@rhynorater) (00:45.562)
Wow. That's crazy, man. I guess that's some Bay Area shit.
Joel Margolis (teknogeek) (00:47.134)
Yeah, so they, um, yeah, it's crazy. So it's, it's dude, it's $50 a month. Yeah.
Justin Gardner (@rhynorater) (00:53.822)
No way! Oh, I thought they were at least priced? That's cheaper than mine, dude!
Joel Margolis (teknogeek) (00:59.298)
That's what cheap, it's cheaper than what, so I used to pay for a different ISP. I used to get 1000 down and I paid for higher upload speed for 35 megabits up. And I paid $85 a month for that. And then I got this letter in the mail and they were like, speeds up to 10 gig. I was like, okay, yeah, sure, whatever. I look it up and they're like, oh yeah, it's available in your area, 50 bucks a month, three months free. I was like, okay.
Justin Gardner (@rhynorater) (01:12.718)
That's what mine is, yeah.
Justin Gardner (@rhynorater) (01:25.276)
He says, yeah, okay, whatever, as he types it into the search bar, as he clicks the sign up button. Oh my gosh.
Joel Margolis (teknogeek) (01:29.018)
Yeah, I'm like, yeah, we'll see. We'll see. Yeah, because I'm always, I always look for, you know, a better deal if there's one there, so, um, and sure enough, they had it and they were like, you know, here's the status, we're laying lines and, uh, you know, I signed up and sure enough, they, they came and they, they installed like a fiber termination box and stuff and yeah.
Justin Gardner (@rhynorater) (01:35.607)
Yeah, dude.
Justin Gardner (@rhynorater) (01:39.334)
I can't believe that's real.
Justin Gardner (@rhynorater) (01:47.574)
I was gonna say, did they have to like dig through your whole front yard or something like that?
Joel Margolis (teknogeek) (01:51.198)
No, so they run the fiber on the poles here, because we don't have like snow or anything like that. And they basically just teed it off from the pole up to the like the roof of my house. And then they ran it through my attic and down into my office. And they terminated it with an ONT just like on the wall. There's like, there's a fiber line like coming through my ceiling.
Justin Gardner (@rhynorater) (01:53.898)
Okay. Sure.
Justin Gardner (@rhynorater) (02:01.318)
Wow.
Justin Gardner (@rhynorater) (02:09.23)
Did you have to cut, did you have to cut like a bunch of holes in your wall?
Joel Margolis (teknogeek) (02:13.822)
No, there's a single drill hole that they put like a little flange around and the fiber line just like runs along my ceiling, along the wall, terminates here, because I don't have ethernet throughout my house, otherwise I would have done it somewhere else. And then it just connects to my server and my server pushes everything out. It's crazy.
Justin Gardner (@rhynorater) (02:18.063)
Wow.
Justin Gardner (@rhynorater) (02:24.887)
Right, right.
Justin Gardner (@rhynorater) (02:31.65)
Wow, dude, that's crazy. Your server rack behind you there has better internet connection than in some freaking data centers now.
Joel Margolis (teknogeek) (02:39.802)
Yeah, dude, yeah, you could probably see it. So I've got, I've got some really fancy, schmancy stuff here. This is, this is a 24 port 10 gig switch. Okay. So it's got 24 ethernet ports and each ethernet port puts out 10 gigs. It does like 300 gig per second throughput. It can do 25 gig service. It's like
Justin Gardner (@rhynorater) (02:51.166)
Oh my gosh.
Justin Gardner (@rhynorater) (02:58.642)
Oh my goodness. Did you buy all of this recently? So it cost you $50 to upgrade, but then he spent an extra $1000 in hardware in the first week.
Joel Margolis (teknogeek) (03:04.286)
These two, yes.
Joel Margolis (teknogeek) (03:10.434)
Yeah, yeah, no, these two, these two are new. These are, these are new fancy upgrades that I, yeah. So no, yeah. So, so both of my computers, the best adapters that I have do two and a half gig. So I can saturate those for sure. Like I've done speed tests on my laptop at like two and a half gig. The speeds that I can get that I'm getting right now are coming directly from the gateway. But
Justin Gardner (@rhynorater) (03:13.83)
Can your computer even deal with it? Like...
Joel Margolis (teknogeek) (03:36.742)
Yeah, I have cards, adapters coming in the mail that will give me 10 gig on my devices.
Justin Gardner (@rhynorater) (03:40.77)
Alright, so real talk though, how much did you spend on all of the crap surrounding your new 10 gig upgrade? Also you're moving, you're gonna be moving in the next, right? So why are you... You ain't gonna get those speeds in East Coast man, it's not gonna happen.
Joel Margolis (teknogeek) (03:49.026)
Yeah.
Joel Margolis (teknogeek) (03:53.13)
Yeah, yeah, okay, so here's the thing. Yeah, I probably won't get those speeds from my ISP. What this does do is it gives me internal 10 gig, so my whole internal network has 10 gig speeds now. So I can transfer files between my NAS at 10 gig speeds, I can transfer things between devices, all that kind of stuff at 10 gig speeds, which is a nice perk.
Justin Gardner (@rhynorater) (04:03.386)
Yeah.
Justin Gardner (@rhynorater) (04:08.527)
Alright, well...
Justin Gardner (@rhynorater) (04:16.414)
Yeah, I guess that's cool if you have like a media server or something like that. Okay, nice.
Joel Margolis (teknogeek) (04:20.278)
Which I do, yeah, yeah. That's what that is. And then the hardware was about $2,000 for the upgrade. Dude, 10 gig stuff is expensive.
Justin Gardner (@rhynorater) (04:24.311)
Nice.
Justin Gardner (@rhynorater) (04:31.526)
Oh my god, Joel! That was, that's more expensive than I was thinking, man. What the heck? I was getting ready to cringe at you saying $500. Oh no.
Joel Margolis (teknogeek) (04:39.027)
It's expensive.
No, no, no. So so the gateway like the gateway, if it was just the gateway, that would have been 500 bucks. The real expensive stuff is when you start to have like multiple terminations of 10 gig. So just for some context here, and I know we're rambling a little bit, but. If like a like a USB slash Thunderbolt adapter for like a laptop, so like a Mac, right, it has all USB-C Thunderbolt four ports or something. An adapter for that does 10 gig is $250. Yeah. And
Justin Gardner (@rhynorater) (04:54.734)
We are, but hey, it's Christmas time.
Mm-hmm.
Justin Gardner (@rhynorater) (05:04.165)
Yeah.
Justin Gardner (@rhynorater) (05:09.214)
Oh my gosh.
Joel Margolis (teknogeek) (05:11.818)
like all the switching, honestly, like the switches and stuff are cheaper than it is to buy the adapters for the actual end points. Like my PC is gonna use a PCI Express 10 gig adapter. That's like $70. That's not like too bad, right? Like that's doable. $250 for like, you know, it's crazy. Some of these things are like really, really expensive just because it's not a widely used, like most people, right? Like you can buy a two and a half gig adapter readily. Most people
Justin Gardner (@rhynorater) (05:26.327)
Right, right.
Justin Gardner (@rhynorater) (05:30.042)
That's nuts, dude.
Justin Gardner (@rhynorater) (05:40.259)
Yeah.
Joel Margolis (teknogeek) (05:41.078)
don't need more than two and a half gig. I contacted my ISP because I was like, hey, I got like all my, I got my equipment set up and I did test it. I'm not getting my full 10 gig speeds. I'm only getting like seven and a half down and like four up. And they were like, okay, well like, on our end it looks like we're, it looks like we're delivering that full 10 to you, but like, I don't think anybody in your area is gonna have anything close to that, but let me look. And like he looked at, he was like, all right, well, nobody has anything close to that, but like,
Justin Gardner (@rhynorater) (05:44.9)
Joel, you've got problems, man.
Justin Gardner (@rhynorater) (05:55.246)
That's still pretty good. Ha ha ha.
Justin Gardner (@rhynorater) (06:04.641)
Hahaha!
Joel Margolis (teknogeek) (06:09.014)
The closest I could find is somebody has an Eero that's got like two and a half gigs symmetric and they're not having any problems. So you know, let me know like if you find what the problem is. I was like, okay, whatever.
Justin Gardner (@rhynorater) (06:14.908)
Oh my gosh.
Justin Gardner (@rhynorater) (06:18.798)
That's crazy. Yeah, they didn't expect you to go drop, you know, freaking two grand on all the equipment you needed to like call them out on their bullshit on their 10 gigs up and down. That's crazy, man.
Joel Margolis (teknogeek) (06:29.558)
Yeah, for sure. Like, I don't think most people have this level of equipment, but, you know, I like fancy toys, so...
Justin Gardner (@rhynorater) (06:36.074)
Yeah. Your home setup is pretty badass, and your automation setup and that sort of thing, it's pretty great, so, definitely makes sense that you would invest in that. And since we're already off topic, I might as well take us a little bit further. Well, this one's tangentially on topic that I was just gonna talk about a little later. I'm gonna go ahead and share my screen for anyone who is following along on YouTube. But, dude, check this out. So I recently, can you see my screen yet?
So I recently set up, so sort of inspired by your Python-based sort of encoding, decoding systems, you know, the various modules you've set up over the years, I told you I was working on my own sort of keyboard shortcut oriented.
sort of utility system, let's call it that, right? Where you can do URL encoding, decoding, base64 encoding, decoding, and that sort of thing. And then I thought, man, this would be really cool if it had a sort of a UI-based portion of it, right? And so I found this tool right here. This is called Flow. And it's like a little launcher, and you can program it with Python modules. And so I wrote a bunch of Python, I just installed it last night, but I wrote a bunch of Python modules for it, and one of them is like this,
And then I can paste in a JWT and it will go ahead and open it right away in like JWT.io or something like that. Let me see if I can get it to show. Yeah, like this. And then it will inject it right into JWT.io to make it easy to see. And I've got it doing various hex parsing and URL encoding and decoding really quickly. And one of the ones that I found the most useful is this one. Check this one out. So I pop this open and I type MRR, right? Match and replace regex.
Joel Margolis (teknogeek) (07:55.371)
Mm-hmm.
Joel Margolis (teknogeek) (07:59.096)
Mm.
Joel Margolis (teknogeek) (08:08.503)
Okay.
Joel Margolis (teknogeek) (08:21.454)
Okay. Yeah.
Justin Gardner (@rhynorater) (08:24.104)
is it'll allow me to specify, in the first parameter of this, I'll specify a, and for those of you listening, it's just a small box on my screen that's popping up, and I type a little command into it, and it will show me the output in that same little box, or copy it to my clipboard. So what this one does is it does match and replace regex on what is in my clipboard. So I can say like, okay, let me go ahead and replace every, you know, A character.
with a B character, right? And if I go ahead and just copy this command and run it, now the contents of my clipboard is MRRBB instead of MRRAB, right? So all of the time when I'm trying to work on stuff, I'm wanting to strip out new line characters or I'm wanting to remove every character that's not a number or something like that, and then I've gotta either do it manually, I've gotta write a little Python script for it, and now I've just kinda got this really easy
launcher system that will go ahead and run all those match and replace regexes for me and that sort of thing and remove various, you know, like for example, the scenarios where you need to remove a backslash, right, because you're copying escaped JSON into normal JSON. So you can do that sort of thing. And then some of the other things I've got on my list that I haven't fully built out yet is I wanna have it like quick query, quick query ChatGPT 3.5.
and be able to do that. And I also want to be able to have it do OCR automatically, where I'll have a picture in my clipboard and then I'll just hit OCR and it will take all the text out of that picture and copy it into my clipboard. I just feel like that'd be super bad ass.
Joel Margolis (teknogeek) (10:06.19)
All right, so for OCR, I have a thing for you. There's a tool called PowerToys. It's actually written, I think, by Microsoft. Yeah, the guy who, yeah, so he has, there's like an OCR utility built into that. That's open source. OCR. Yeah, I have it. Yeah. Yeah, the other thing, Joe Finney's Text Grab. Here it is.
Justin Gardner (@rhynorater) (10:11.406)
This is, yeah, I saw this, yeah. PowerToys Run.
Justin Gardner (@rhynorater) (10:21.15)
Oh really? So have you set up this PowerToys Run thing? Oh nice.
Justin Gardner (@rhynorater) (10:31.438)
So why aren't you using this, like PowerToys or Flow or anything like that, for your encoding modules?
Joel Margolis (teknogeek) (10:39.982)
So there's a couple reasons. The main thing is it's extra overhead. So for Mac, this reminds me a lot of this. There's a tool called Alfred. Yeah, Alfred, which is a, it's kind of like, it basically just looks like your spotlight, but it has a bunch of different tools and you can do all the same kind of stuff. You can have it run scripts and custom handling and all that kind of stuff. It's very, very similar. So I imagine you could probably do the same thing with Alfred on Mac.
Justin Gardner (@rhynorater) (10:51.083)
Yeah, yeah.
Justin Gardner (@rhynorater) (11:06.397)
Mm.
Yeah.
Joel Margolis (teknogeek) (11:09.746)
Um, for me, I like being able to like chain them together and like have sort of the flexibility that I have because it's a programming language. So because I'm doing it in Python, I have all the manipulation factors of like strings and indexes and lists and like the subtypes, like the primitive types and stuff that you have access to in Python that make it easy to sort of manipulate data in more ways than, um, like you could technically do it with like the setup that you have.
Justin Gardner (@rhynorater) (11:18.394)
Mm-hmm.
Justin Gardner (@rhynorater) (11:29.111)
Yeah, yeah, yeah.
Joel Margolis (teknogeek) (11:38.71)
For me, I could basically, just because they're functions, I could just easily like, you know, scrap something together and it's a little less, you know, yeah.
Justin Gardner (@rhynorater) (11:41.304)
Mm.
Justin Gardner (@rhynorater) (11:45.378)
And I guess, yeah, and I guess in a Python context as well, you can press the up button or whatever and it'll show you the previous command and you can redo the same command over and over again rather than having to like save it and then paste it and that sort of thing. I'll have to see if my flow has like a history thing. But what I was thinking was like, you could actually just define a query in flow launcher. Dude, bagel is running around. Yeah.
Joel Margolis (teknogeek) (11:57.919)
Right.
Joel Margolis (teknogeek) (12:10.666)
This cat. Yeah. I don't know if we told people. I got another cat. Her name's Bagel. She's a kitten and she's just like the most curious little. She looks like she's hunting something right now, which is. Interesting. Yeah. She's very, very cute.
Justin Gardner (@rhynorater) (12:21.39)
She's so cute, I can't even deal with it, man.
Justin Gardner (@rhynorater) (12:28.332)
But what I was thinking was you could use the flow plugin system to actually just be able to write all of your stuff in the flow. In the flow.
little box that pops up, right? And then you have it just copy it back to you. I don't know, there's something really cool to me about having something in your clipboard and then modifying it, and then being able to paste it again. Or even maybe having it selected and then you hit something and it does it because it just makes everything a lot more seamless, I think. So I don't know, that's something I really like. So,
Joel Margolis (teknogeek) (12:42.254)
Mm-hmm.
Joel Margolis (teknogeek) (12:52.65)
Yeah, for sure.
Joel Margolis (teknogeek) (12:59.51)
Yeah, I was just talking about this. I was talking about this with somebody else, but I use my clipboard as like a buffer, basically like a temporary buffer, like all the time. And I use, especially in Python, there's this module called pyperclip, P-Y. Yeah, like it's basically paperclip, but P-Y. And it's cross-platform clipboard reading and writing. And it's so, so useful because you know, you just from pyperclip import copy, paste, and then you have two functions, copy and paste, and they copy and paste from your clipboard.
Justin Gardner (@rhynorater) (13:06.931)
Mm-hmm. Yeah.
Justin Gardner (@rhynorater) (13:12.854)
Yeah, pyperclip, yeah. That's what I'm using.
Justin Gardner (@rhynorater) (13:20.888)
Yeah.
Joel Margolis (teknogeek) (13:29.714)
you know, yeah, it's really, really awesome. Because you can change stuff together, like you said, you can basically, you know, copy, wrap it around something that reads from your paste and it just transforms your clipboard and, you know, makes everything super, super easy. So I love that kind of the little flows makes the little helper functions, all that kind of stuff makes it so much easier.
Justin Gardner (@rhynorater) (13:44.014)
Yeah, I love that.
Justin Gardner (@rhynorater) (13:49.538)
It really does. And I guess just one last question on this note. Do you know if PowerToys has the capability to do Python-based plugins?
Joel Margolis (teknogeek) (14:00.354)
I don't know about that, but the reason I brought up PowerToys was because PowerToys uses this OCR project, and I think I sent it to you. It's called Text Grab. But you can probably use that because you're on Windows. You can probably use that for the OCR stuff. On Mac, I think there's built-in libraries like the Preview and stuff, you know, like on Mac, the OCR is like really, really good. I don't know what they're what like.
Justin Gardner (@rhynorater) (14:08.337)
Mm. Okay.
Justin Gardner (@rhynorater) (14:15.738)
Yeah.
Joel Margolis (teknogeek) (14:29.506)
thing that Apple does, but it works really, really well. You can just take a picture and you can just select text from it. Oh, like everywhere. Yeah, you could just open. If you open a PNG, yeah, on your phone, on your Mac, it works the same on all of them. And basically, if there's text in an image, it will just let you highlight it and copy it out. And yeah, oh, yeah.
Justin Gardner (@rhynorater) (14:31.834)
Hmm. When do you when do you use it? Oh, just like on your phone or?
Justin Gardner (@rhynorater) (14:47.262)
No way. Oh my gosh dude, frick. You know, I'm pretty-
firmly anti-Mac, but you've been kinda winning me over the past year of talking to you every week for at least an hour and a half, you know? There is a lot of stuff that it just comes built in and is simple and easy to use that I probably would have to go and set up and think I'm so cool for setting up, but like then I realize everyone's got this if you're just using a Mac, so.
Joel Margolis (teknogeek) (14:59.44)
It's really good, dude.
Joel Margolis (teknogeek) (15:17.702)
Yeah, and like the thing is I, you know, my powerful computer is mainly my Windows desktop, but I really hate hacking on it because it's like, it's not that you can't set everything up. I think like for almost everything, there is a parallel or even just you can install it in one way or another using WSL or some Windows wrapper of the same tool or whatever. But like, it's really just having to do that extra stuff of like, does this work on Windows? Is this a Windows problem?
Justin Gardner (@rhynorater) (15:23.639)
Yeah.
Justin Gardner (@rhynorater) (15:38.226)
Mm-hmm. Yeah.
Joel Margolis (teknogeek) (15:46.366)
okay, what do I need to install to make this work on Windows? And now what do I have to do to like make it work within those bounds? Instead of on Mac, I just feel like most of the time, if it's a, some sort of Unix based tool, there's probably a Mac port for it. Uh, if not, I could probably install it from source and I'm going to be good to go like, you know, just like I would be on a Linux box. Um, and that's like, that just makes things a lot easier to work with, but it's expensive. It's expensive and like,
Justin Gardner (@rhynorater) (16:11.33)
Yeah.
Joel Margolis (teknogeek) (16:13.41)
they tend to have sort of planned obsolescence, where after five, six years, your Mac is not gonna be as good as the ones that are coming out now and you're gonna wanna upgrade.
Justin Gardner (@rhynorater) (16:18.862)
Sure, sure.
Justin Gardner (@rhynorater) (16:25.434)
But I mean, that's the same case for everything, man. I bought a laptop in 2020, like mega powerful, three and a half K laptop. And I was like, this thing's gonna last me forever and I can really use it now. It's just thing, when we're using it every single day and we're traveling with it to the live hacking events and that sort of thing, you put some miles on the thing and you just gotta replace them every couple of years. I've kind of come to grips with that.
Joel Margolis (teknogeek) (16:51.758)
Yeah, for sure. It's definitely like one of the more unfortunate costs of doing business within like bug bounty is that like we use expensive, high power hardware and we use the shit out of it. And it, we burn it into the ground basically.
Justin Gardner (@rhynorater) (16:58.815)
Yeah.
Justin Gardner (@rhynorater) (17:04.63)
Yeah. But, you know, with Caido, now we may not even need to use that high expensive, highly expensive hardware. Seriously, man, there's no reason I need to have 128 gigs of RAM in this computer that I'm on right now. It's like, this is ridiculous. This is overkill for almost everything except for opening just the smallest Burp project.
Joel Margolis (teknogeek) (17:12.777)
Maybe I'll downgrade my RAM amount perhaps.
Joel Margolis (teknogeek) (17:22.528)
It's so crazy.
Joel Margolis (teknogeek) (17:26.73)
It's so crazy. Honestly, if I could install, if I could have like a Hackintosh easier. Like in an easier way, I would probably like strongly consider doing that. I really only use Windows for like gaming and like. You know.
Justin Gardner (@rhynorater) (17:31.909)
Yeah.
Justin Gardner (@rhynorater) (17:42.596)
Yeah.
Makes sense. Well, I, uh, I just want to bring that back, that conversation back around to bug bounty, um, about the launcher thing, because I've used it already today and yesterday and a little bit yesterday when doing bug bounty related stuff. And it's so handy for getting, you know, if you have a system in place to be able to write plugins quickly to transform data in your clipboard, uh, or transform data that you're highlighting, or maybe even like Joel does, transform data that you're sort of pasting into a, you know, Python module or whatever.
It really helps reduce the friction of ideation during exploitation and also you just feel leet as heck when you're doing it. So I would encourage any of you guys when you're like, you know, you're too brain fried or you're too, you know.
Joel Margolis (teknogeek) (18:24.556)
Yeah.
Justin Gardner (@rhynorater) (18:31.062)
in the weeds and you got to step out and do something else for a little bit. Maybe you might set up, you know, work on setting up your launcher or your automation setup when it comes to this sort of thing. I think it'll, I think they get value for that.
Joel Margolis (teknogeek) (18:41.374)
Yeah. Yeah, I will say also like because of the way that you've set it up where it's running Python, that means that it's extensible. So like you could take the stuff that I'm doing all the functions and stuff that I've already written. You could just wrap them in like a, you know, a script that runs that function specifically. Yeah, no, for sure. Yeah, I'll send you. I'll actually send you it because I'll send you whatever I have.
Justin Gardner (@rhynorater) (18:47.182)
Mm-hmm. Yeah.
so extensible.
Justin Gardner (@rhynorater) (18:59.084)
Yeah, could you send that to me?
Justin Gardner (@rhynorater) (19:03.859)
That'd be good. I would like that. Yeah.
Joel Margolis (teknogeek) (19:06.366)
And you can, you know, you can basically just do that where then if you want to use them sort of in a, in like a IPython or whatever in the console, you can do that, but you can also run them sort of from anywhere.
Justin Gardner (@rhynorater) (19:11.98)
Yeah.
Justin Gardner (@rhynorater) (19:16.11)
We should clean it up actually and release it to the critical thinkers tier on Discord. I think they'd probably really like that. Yeah, that'd be good.
Joel Margolis (teknogeek) (19:21.422)
sure. I'm super down. Yep, I have a module called pie hack, so I'll send it over to you.
Justin Gardner (@rhynorater) (19:27.054)
Sweet, that sounds good. All right, well, we're already 20 minutes in and we haven't even covered any of the things that we were gonna talk about. So let's get to the news. Nice old-fashioned Justin and Joel style episode this time around. We've been doing a lot of guest and master class and all sorts of special stuff lately. So good to get back to the good old Justin and Joel structure.
Joel Margolis (teknogeek) (19:51.424)
Yeah, absolutely.
Justin Gardner (@rhynorater) (19:52.574)
The thing that I had first on the news for today was the CTF by Franz Rosen that went out December 15th. There's been a revival of CTF, particularly XSS CTF on Twitter. We see a lot of releases from...
Joel Margolis (teknogeek) (20:05.088)
Yeah.
Justin Gardner (@rhynorater) (20:12.086)
Joaxcar and Franz and Matias and I did one or two. So it's really cool to see those come back. And this one that Franz did was definitely something I've never seen before. I actually didn't have the chance to solve it before he released the solution because I had a really busy week. But this is definitely a really cool payload. Did you see it? It's in the doc.
Joel Margolis (teknogeek) (20:36.894)
Yeah, I did. I did. So I spent a bunch of time looking at this and I was, I was going down that route down like the right path actually, because I noticed, um, like I, I noticed right away that in the escape for regex function, and this will make more sense if you've actually looked at the challenge, but there there's essentially two parts, right? There's escape for regex, escape for HTML and the escape for regex takes in like the regex parameter name and then
Justin Gardner (@rhynorater) (20:40.966)
Hahaha Yeah, yeah
Justin Gardner (@rhynorater) (20:52.984)
Yeah.
Justin Gardner (@rhynorater) (20:59.6)
Mm-hmm.
Joel Margolis (teknogeek) (21:05.058)
escapes it so it can be used as a regex and then the escape for HTML takes the value escapes it so it can be used in HTML puts it in the HTML does like a match and replace and I had noticed pretty early on that there was some really weird replace they were using a very strange syntax okay they were using backslash dollar sign ampersand and I was like what the fuck is that like that's like super weird and so I actually I looked into it and I found oh you know it references like
Justin Gardner (@rhynorater) (21:07.311)
Mm-hmm.
Justin Gardner (@rhynorater) (21:12.251)
Mm-hmm.
Justin Gardner (@rhynorater) (21:22.679)
Yeah.
Justin Gardner (@rhynorater) (21:27.864)
Yeah.
Justin Gardner (@rhynorater) (21:31.789)
Mm.
Joel Margolis (teknogeek) (21:35.486)
It references some like, what was it, like the last?
Justin Gardner (@rhynorater) (21:39.178)
It's like a, it's a syntax language for replacing things with exactly.
Joel Margolis (teknogeek) (21:43.318)
Yeah, the match substring. Yeah, yeah. So if you're familiar with regex, you probably know that like dollar sign number is very common for replace groups. Like if you have select groups, dollar sign zero is the whole match, dollar sign one is the first group, dollar sign two is the second group, dollar sign three is the third group, so on. But I had never seen dollar sign ampersand or any of these other ones. I only knew about the indexes. And for named groups, you can also do like dollar sign with like a name.
Justin Gardner (@rhynorater) (21:51.211)
Mm-hmm.
Justin Gardner (@rhynorater) (22:06.84)
Yeah.
Joel Margolis (teknogeek) (22:12.886)
if you have a name on it's assigned with the group, but that's also a less common syntax. And that was kind of as far as I got, like I'd spent a bunch of time looking at, you know, possible like how it was escaping and all that kind of stuff. I had a suspicion that potentially there was something with the regex, but I didn't really go down that. And then I got sidetracked and never really got to finish it. And so when I saw that he tweeted out the hint and was like dollar sign, I was like, okay, for sure, this is something with the regex. I just don't have time to do this.
Justin Gardner (@rhynorater) (22:17.518)
Yeah, yeah.
Justin Gardner (@rhynorater) (22:40.059)
Mm-hmm.
Joel Margolis (teknogeek) (22:41.494)
but that kind of confirms my suspicion. And then he came out with the hint. And when I saw what the intended solution was, it caught me off guard again, because it was not just the dollar sign, but also like another nuance. And so it was very cool. He linked out to the Mozilla JavaScript reference docs. Yeah, and there's this section called specifying a string as the replacement. And this is on the string.
Justin Gardner (@rhynorater) (23:00.878)
Yeah, the MDN.
Joel Margolis (teknogeek) (23:09.366)
dot replace like prototype function docs. And it says that there's these different patterns, dollar sign, dollar sign for a dollar sign literal dollar sign ampersand for the match substring dollar sign back tick for the portion of the string that precedes the match substring dollar sign apostrophe for the portion of this the string that follows the matched substring and then dollar sign N for the numbers like we talked about in dollar sign.
Justin Gardner (@rhynorater) (23:11.532)
Mm-hmm.
Joel Margolis (teknogeek) (23:39.266)
name for named groups. And I was just like.
Justin Gardner (@rhynorater) (23:41.614)
Yeah, it's kind of crazy, man. There's so much functionality here. It's like, what the heck?
Joel Margolis (teknogeek) (23:46.586)
Yeah, so I really I haven't gotten to mess with this yet, but did you did you mess with it?
Justin Gardner (@rhynorater) (23:51.93)
I messed with it a ton, and well, after he released the solution I was like, wow, this is super cool. And whenever I see this sort of thing, it makes me think like, how can I look at this exploit, this specific scenario where this worked, and try to apply this to a bigger concept or idea? And the thing that kind of came to mind was this is like input modification or input expansion, right? Like how can you take your user input?
and get it to do something different or do something, what am I trying to say, or to modify the content of that. And we see this all the time when you're bypassing sanitization. We see this when there's modifications being done or functions being called on your input after a certain check is being done, something like that. Those are common patterns. And this as well, anytime your input is being placed into a scenario where it's being used as,
Yeah, as a modifier, whereas like, almost like code, right? It's like a pseudo code. It's not really code, but it's like a, could be interpreted as string, or it could be interpreted as code. You need to look at those situations very closely because there's almost always some weird shit that can go on.
Joel Margolis (teknogeek) (24:51.137)
Yeah.
Joel Margolis (teknogeek) (25:08.158)
Yeah, because I think if you look at this challenge, in retrospect, obviously, I knew from the very beginning this isn't gonna require me to find a zero day in Google Tag Manager. Like, for sure, he's not hinting at a zero day, this is using the latest version, it's gotta be something about the implementation. That's one of the advantages about CTFs and challenges like this in general, that you know there's a solution. So the question is, what are you missing? And that gives you more opportunities to sort of think creatively.
Justin Gardner (@rhynorater) (25:11.791)
Mm-hmm.
Justin Gardner (@rhynorater) (25:17.515)
Mm-hmm. Yeah.
Justin Gardner (@rhynorater) (25:23.288)
Mm-hmm.
Justin Gardner (@rhynorater) (25:29.978)
Mm-hmm.
Justin Gardner (@rhynorater) (25:34.274)
Mm-hmm.
Joel Margolis (teknogeek) (25:38.066)
which is what I really like about these types of things. Yeah, think critically even. But I will say like, definitely your Spidey Sense probably should have been triggered a little bit if when you were looking at like how this is working and seeing that it was taking your input and making a regex out of it, right? Because
Justin Gardner (@rhynorater) (25:38.35)
Think critically.
Justin Gardner (@rhynorater) (25:56.454)
Mm-hmm. Yeah. Well, it's pretty much the only functionality on the page. The script is only like what?
35 lines long, and when you look at it, everything else is pretty standard. There's like 10 lines that go to like parsing out a query string and that sort of thing. So pretty much the only weird part of this situation is the replace function. And I guess we kind of dove into the details and we didn't give quite as good of an explanation for those of you that haven't seen the XSS challenge. So if you're still hanging in there with us at this point, thank you. But the scenario was that there was
Joel Margolis (teknogeek) (26:07.926)
Right.
Justin Gardner (@rhynorater) (26:34.324)
a script tag that was being dynamically created. What ended up happening, and they were using string replace in JavaScript for it. What ended up being the problem with this is this whole concept of being able to inject these group modifiers into the replace portion of the replace call, which will allow you
to take the preceding bit of what actually was being matched. So in this scenario, that was a script tag that had access to the double quote character. So when you put that in, that same double quote that was preceding your user input would get put into the replace text. And then that would break out of the HTML attribute context and give you the ability to insert an arbitrary HTML attribute, which led to XSS.
Joel Margolis (teknogeek) (27:31.182)
Right, yeah, it's super interesting. Yeah, like when I write a regex, I've definitely come across an instance where I understand why this exists, you know, because oftentimes you'll try and match something before a group or whatever, and like maybe you need to know what that is, so you'll put it in a separate group and then you just reference it by its index or whatever. But instead, this essentially takes the default behavior that you can have a regex that matches a whole string but also has groups within it,
Justin Gardner (@rhynorater) (27:31.5)
So, really crazy bug.
Justin Gardner (@rhynorater) (27:40.484)
Mm-hmm.
Justin Gardner (@rhynorater) (27:43.715)
Mm-hmm.
Justin Gardner (@rhynorater) (27:48.363)
Mm-hmm.
Justin Gardner (@rhynorater) (27:57.808)
Mm-hmm.
Joel Margolis (teknogeek) (28:01.91)
you know, a portion before that, like before that match. It's a very niche use case, but I can understand why it exists. And I'm definitely gonna have to look at some of the bugs I submitted because I think that, yeah.
Justin Gardner (@rhynorater) (28:17.846)
Yeah, well, it underlies, you know, it emphasizes one of the things that we've talked about here often, which is regex. They're used all the time for security.
and they're very hard to make properly secure. So really knowing your regex stuff inside, outside, upside down in PHP, in JavaScript, in Python, in all of these various languages, all of them have different quirks. And this whole concept of getting control or being able to inject the pre-match.
string and the post match string and that match string in the result of a replacement is something that you'll also see in other languages and is something that is more widely applicable to regex in general. So whenever these sort of techniques come out you got to go back and look at, okay, what reports have I submitted that have anything to do with regex and how can I go back and re-break it again?
Joel Margolis (teknogeek) (29:14.562)
Yeah, exactly. And there's always like, you know, it's good to know about these things because some of these things are changes within like how the default functionality works. These are improvements or things that, you know, maybe this didn't exist. I don't know when this was introduced, but I'm sure this didn't exist for a period of time. And so now it's been introduced. And now it's just something that you have to sort of keep an eye out for and be like, okay, this I know, I know now that like you can do this, you know,
Justin Gardner (@rhynorater) (29:20.005)
Mm.
Justin Gardner (@rhynorater) (29:25.039)
Mm-hmm.
Joel Margolis (teknogeek) (29:43.978)
put that in my notebook for later.
Justin Gardner (@rhynorater) (29:44.088)
Mm-hmm. And it's so.
It's so common to like this sort of templating thing where you're taking user input and you're using it to replace a placeholder in a template, right? Like that happens all the time. It's not like some weird scenario where, oh, you know, the user's input is almost never placed in the actual, you know, replace portion of the of the regex match and replace. So anytime there's templating, this is something I'm going to keep in mind because the context is so important in those scenarios.
Joel Margolis (teknogeek) (30:04.299)
In the regex itself, yeah.
Justin Gardner (@rhynorater) (30:15.536)
able to inject everything before your match. And it's not even that pre-pended string is a part of the match. It's not. It's just before the match. So it's very odd and I think it will break a lot of stuff. So shout out to Franz for an amazing challenge. This one really superb. It's the only word I can come up with for it. It's amazing.
Joel Margolis (teknogeek) (30:36.086)
Yeah, yeah, absolutely. Yeah, this is a very, very cool one. I liked it a lot.
Justin Gardner (@rhynorater) (30:41.122)
Alright, let's take a look at the next one here. Yeah, oh man, this was nuts. This is the HackerOne disclosed 25k crit, which is kind of nuts. This is one of the things you think you'll probably never see and then you see it. But what day was this that they released this? December 8th, HackerOne disclosed a critical SSRF.
Joel Margolis (teknogeek) (30:58.828)
Yeah.
Justin Gardner (@rhynorater) (31:08.474)
on the analytics report functionality in HackerOne. And essentially this was, I mean, not to underscore, or not to undermine the coolness of this vulnerability because it was very cool.
But it was pretty much a textbook PDF render injection and he was able to inject an iframe in a PDF renderer and that iframe was able to point to the AWS metadata and pull AWS credentials and just get access to everything. And I just, I don't know, man, I feel like I would've, I would've probably not looked for this as much on HackerOne because of how crazy
a bug this is and you would assume that they'd have their bases covered but I guess that's not the case.
Joel Margolis (teknogeek) (31:56.79)
Yeah, I mean, if you it's kind of wild because if you look at I don't know if you expanded like the full submission, all the activity to look at what the actual report was, but like you literally just.
You know, you create a new report, you choose some filters. And then in the template, uh, or yeah, you go to the analytics and you go to create a new report and then in the, in the template thing.
you just, you know, you put, you just HTML injected. It's, it's GG, you know, like, yeah, it's a, it's super, super crazy. I actually, this is really interesting because I was looking at this functionality not long ago. Uh, definitely after the, no, definitely after this was reported though, they, it wasn't, it wasn't, uh, it wasn't before November 23rd when this was first submitted, but I was looking at this function. I was like, that's kind of weird. Why does it do that?
Justin Gardner (@rhynorater) (32:28.487)
Oh my gosh.
Justin Gardner (@rhynorater) (32:39.755)
No way. Oh, I hate that.
Mm.
Justin Gardner (@rhynorater) (32:49.564)
Mm.
Joel Margolis (teknogeek) (32:53.694)
Um, that makes a lot of sense. This is really interesting.
Justin Gardner (@rhynorater) (32:56.746)
Yeah, yeah, dude. The fact that he was able to get an iframe in there is kind of crazy. And you look at the exploit and it's like, he's like, all right, /etc/passwd, we're going to hit, you know, 169.254.169.254. He's just like going at it. And then the funny thing, too, is if you look at the comment.
He says, I sent a message 10 minutes ago to all of these triagers and he just pings all of the triagers that he can think of, which is amazing. Um, but I mean, I would, I would too, man, I'd be pinging people right off the bat if I submitted something like this. So it just goes to show, man, like even, even crazy security oriented companies that have had this type of bug reported multiple times on their own platform. Um, you know, can make these sort of mistakes as well, because not all the developers are tied into this. And what kind of becomes.
Joel Margolis (teknogeek) (33:18)
Yeah.
Joel Margolis (teknogeek) (33:22.33)
Yeah.
Justin Gardner (@rhynorater) (33:43.649)
Everyday stuff for us doesn't necessarily become that sort of thing for all the developers, even in a security-oriented organization. It's encouraging to see, and it makes you, it kind of refreshes the knowledge that everything's vulnerable, it just takes time.
Joel Margolis (teknogeek) (33:59.414)
Yeah, yeah, for sure, for sure. Cool. Yeah, it's always nice. And I love that they disclose all that kind of stuff too. So definitely go check out that report.
Justin Gardner (@rhynorater) (34:02.029)
So, cool.
Justin Gardner (@rhynorater) (34:06.554)
Yeah, that one must have been a hard one for HackerOne to disclose. I don't know if they like to disclose that sort of thing. It seems to me that they try to put forth that precedent for the rest of the programs and stuff like that. But I'm sure Yobert, when he saw that report, kind of cringed a little bit, thinking, all right, got to send that one to the rest of the folks. But, no, it is good that they do that.
Joel Margolis (teknogeek) (34:25.194)
Well, yeah, exactly. Cool.
Justin Gardner (@rhynorater) (34:32.394)
Next I had on the list here, and I'm really excited about this one, Caido has finally finished the issue that I submitted months ago, and I guess I sort of cheated the system a little bit on this one. I submitted an issue to Caido saying, hey, I'd really like the search tab to be reworked, and they're like, okay, well, you know, we prioritize the issues by upvotes, so.
we'll get to it if it gets upvoted. I'm like, hmm, I think I know some people that would like to upvote this. And so I ended up like tweeting out and calling on some of the Critical Thinking listeners to go upvote it. And all of a sudden it like skyrocketed to the top of the upvoted list to get a cool search functionality included into Caido, which is a very needed functionality, I think. And they did it, they did it. They prioritized it. So.
Joel Margolis (teknogeek) (35:19.774)
Yeah. Yeah, that's awesome, dude.
Justin Gardner (@rhynorater) (35:23.702)
Caido now has this really awesome easy to use just search bar and it's got also a Wireshark-esque query language associated with it where you can query specific parts of the request.
in this URL bar and this sort of search bar inside of Caido. So I was really hyped about that. I've been using it a lot and it's been mega helpful. And man, the only thing they need now is plugins and then I'll be sated for a little while. I won't be knocking on their door every day being like, hey, where's my feature? Where's my feature? So and
Joel Margolis (teknogeek) (35:55.958)
Yeah, dude, I just need better scope management. That's like scope management and plugins like.
Justin Gardner (@rhynorater) (36:01.118)
Okay, let me add a caveat to that, man. They messaged me after we talked about that on the pod. I don't know if we've released that episode yet or not. And they said, dude, you can do that. It's just star, the word that you want, star. And I tried it and it works. It doesn't say it in the little documentation. No, apparently it's been like that for a while. And they don't say it in the little documentation if you click the little question mark next to that section in the preset scope.
Joel Margolis (teknogeek) (36:21.258)
they updated it?
Joel Margolis (teknogeek) (36:25.228)
Okay.
Justin Gardner (@rhynorater) (36:30.651)
area but um
Joel Margolis (teknogeek) (36:31.534)
OK, because I tested that and it wasn't like that. So I think that might be a bit of a change. But it used to be that, like, because I have a habit of when I add a domain, I do like, say it's example.com. I add example.com just by itself, and then I add star.example.com. And that catches both root domain and then any of the subdomains under it, because sometimes they'll go to example.com and it'll send you to www.example.com.
Justin Gardner (@rhynorater) (36:44.728)
Mm-hmm.
Mm-hmm.
Justin Gardner (@rhynorater) (36:55.412)
I thought you were doing just example star, you know, just... Yeah.
Joel Margolis (teknogeek) (36:59.442)
No, I mean, now I will. Now I'm gonna do it just like I do in burp cause now that's...
Justin Gardner (@rhynorater) (37:04.97)
Oh, that's what you were doing in Caido. Gotcha, gotcha, yeah, yeah. Yeah, no, that makes sense. Yeah, you should be able to do the same thing that you're doing in Burp now in Caido with just star word star, and that will give you anything that has the word in the host name. So that's a big improvement. I'm happy to see that. So it looks like the wishlist for both of us now is kinda down to those plugins. So it will be great to have some Python plugins though. I love a good extensibility.
Joel Margolis (teknogeek) (37:07.864)
Yeah.
Joel Margolis (teknogeek) (37:34.658)
Yeah, for sure. And I'm looking and yeah, definitely it works. It works.
Justin Gardner (@rhynorater) (37:37.205)
Joel is distracted. He's... Okay, great. That's good.
Joel Margolis (teknogeek) (37:41.166)
That's good. I like to see it. Awesome, awesome stuff from the Caido team. I like to see when stuff works. So yes, that's definitely awesome. Cool.
Justin Gardner (@rhynorater) (37:43.03)
Well, validated right here on the pod.
Justin Gardner (@rhynorater) (37:51.534)
Good shit, man. All right, let's jump over to the last thing on the news. We had the blind, not blind, I almost said blind XSS. It's blind CSS exfiltration research released by PortSwigger. And once again, I just wanna say, just because I'm a Caido fanboy and I love Caido, doesn't mean I have anything against PortSwigger as a company. Their product, it's heavy, you know, it requires a lot of RAM, but it's amazing, and Burp is a phenomenal tool, and PortSwigger research is.
Joel Margolis (teknogeek) (38:00.514)
Almost.
Joel Margolis (teknogeek) (38:04.898)
So crazy.
Justin Gardner (@rhynorater) (38:21.146)
So great. And this time around, it was Gareth releasing a blind CSS injection tool, which is such an interesting concept and a relatively new, I guess, attack vector or vulnerability type. Not something that I've heard about before this writeup, where he releases a tool for essentially being able to do for, it's like what XSS Hunter is.
but for CSS and being able to exfiltrate the contents of various input fields and text areas and that sort of thing. And the writeup is really detailed and includes a lot of, I guess, sort of research mentality in there as well, which is something we really like to see, about how he figured out how many input fields there are by using the :has() and :not() selectors in CSS and then chaining that together with the, what is it, sick?
cyclical import chain, I want to say it's called, technique sort of coined in my mind by Donut, although there's another researcher, Pepe Vila, that also released something almost the exact same time as Donut about CSS exfiltration, and using the import sort of directive in CSS to, along with some delaying and responding to HTTP requests in order to create a chain where you can exfiltrate data.
Joel Margolis (teknogeek) (39:21.954)
Yeah.
Justin Gardner (@rhynorater) (39:45.23)
very quickly and effectively out of CSS, via CSS, out of input fields. So really cool research here. You love to see it. And I'm excited to give it a shot. I haven't used the blind CSS, I almost said blind CSS again, because it's just a habit. The blind CSS exfiltrator, yeah. And I'm sure the use cases are pretty niche, but I guarantee you will see this at a live hacking event sometimes, because people always come up with the craziest shit.
Joel Margolis (teknogeek) (40:09.614)
Yeah, yeah, no, dude. This is, I love this research. This is such interesting stuff. It's awesome. They actually shout out to Donut and Pepe Vila in the research, that this technique was based on that sort of work, the import chaining stuff. So it's very cool. I think CSS, I mean, you can kind of tell based on how Gareth has been doing CSS research for the past like
Justin Gardner (@rhynorater) (40:17.787)
They did.
Joel Margolis (teknogeek) (40:37.398)
years that CSS is definitely in unexplored territory. And there's a lot of really interesting stuff there. And they keep adding functionality, too, right? They keep making it easier. They're adding more selectors to do different things with CSS instead of having to use SCSS or what's the other one? SAS and S- yeah. But yeah, it's really, really cool stuff. I love this kind of research. So.
Justin Gardner (@rhynorater) (40:37.715)
Yeah.
Justin Gardner (@rhynorater) (40:42.367)
Yeah.
Justin Gardner (@rhynorater) (40:50.616)
Mm-hmm.
Yeah.
I don't know, you always see them in the web pack or whatever.
Justin Gardner (@rhynorater) (41:03.874)
Yeah, as on the note of CSS features expanding, I've got a couple areas in my pocket where, because I was doing some CSS-based stuff as well when I was doing the post-message-based CSS injection to credit card exfiltration exploits. And I've got a couple areas on high-impact programs where I can inject CSS in a credit card number.
context, but I don't have all the gadgets I need to fully exfiltrate the card data. So I'm just waiting and waiting and waiting. There are a couple key features that I need CSS to release before I can actually start to exfiltrate that data. So I've been keeping a close eye on the CSS change logs because I know they're going to come out with it. And some of the stuff, one of the keys I can think of in particular.
Joel Margolis (teknogeek) (41:50.222)
That's crazy.
Justin Gardner (@rhynorater) (41:54.926)
They say that they're gonna release it, and I'm just like, when, please release it for Christmas, please. So.
Joel Margolis (teknogeek) (42:01.858)
That's funny. There's some large companies out there who are sweating bullets right now, just knowing that their credit card flow is insecure, but Justin's waiting for the CSS release.
Justin Gardner (@rhynorater) (42:05.062)
know. Check out your credit card flow. Yep. Alright man, so that's it for the news this time and what I was thinking for the rest of the show is to talk a little bit about the past year in Bug Bounty for the both of us, how our stats kind of landed, if we're satisfied with...
our performance over the past year and also talk about some of the top earning bug classes that we were able to identify and then also sort of go after some goals for the new year. I'm a little bit of a, some people say you know you shouldn't talk about your goals and stuff like that in public before you accomplish them because you get that sort of adrenaline hit by saying alright I'm going to do this you know and that kind of takes away from the motivation. But I kind of get that.
opposite. I'm like, if I call my shot, then I gotta do that, you know? And so it's a little bit scary to come on a podcast, you know, with several thousand people listening every week and sort of talk about it, but we'll see how it goes. I've definitely got some stuff I've got my eye on and I think is the most effective way to accomplish my bug bounty goals, but we'll see if that changes as we get into the new year.
Joel Margolis (teknogeek) (43:05.045)
Yeah
Justin Gardner (@rhynorater) (43:27.886)
But first, let's do the year in review. Do you want to go first or should I?
Joel Margolis (teknogeek) (43:30.198)
Yeah. Yeah, sure. We'll we'll start small here because I'm not the full time hacker. Here you are. So yeah. So I my breakdown was I submitted just under 25 reports, 23 reports this year, which is pretty good. That's, you know, about one every two weeks, give or take. So you know, that's pretty solid considering I work full time job. So 30. Yeah, yeah, I
Justin Gardner (@rhynorater) (43:34.414)
Hahaha, right, no.
Justin Gardner (@rhynorater) (43:44.472)
Mmm.
Justin Gardner (@rhynorater) (43:48.312)
Mm-hmm. Yeah.
Justin Gardner (@rhynorater) (43:53.25)
Yeah. You've had a busy year too. Promotion and such. Yeah. So many weddings and stuff like that. Yeah.
Joel Margolis (teknogeek) (43:59.862)
cats and everything. Yeah. Two cats in under you. Yeah. So 30% crits, 17% high, 34% medium, 13% low, 4% none. So yeah, I'm about even between highs and crits or sorry, between mediums and crits, which kind of tells me that basically I either end up in the middle or I end up away at the top. So that's kind of interesting.
Justin Gardner (@rhynorater) (44:16.808)
Mmm.
Justin Gardner (@rhynorater) (44:21.248)
Exactly, yeah.
Joel Margolis (teknogeek) (44:24.53)
Maybe it would be good to spend some time trying to focus on seeing if I can get some more of those highs next year. Because I mean, high payouts are usually still quite good. So, you know, it's not all about focusing on that.
Justin Gardner (@rhynorater) (44:29.69)
Mm. Quite good, yeah. And I think this makes sense too, because a lot of times when you look for critical vulnerabilities, but there's some major...
precondition that's needed or mitigating factor, you land at a medium instead of a high, which is a little bit of a shame, but it is something that you see pretty often. So it makes, that makes sense to me that about, those would be about even, because about half the time they're gonna have some weird thing that you can't quite work around, or even, you know, when we work together, you know, there's some preconditions that were required for some exploits that we just really couldn't work around. And, because you can't really do anything if you don't have access to
Joel Margolis (teknogeek) (44:45.275)
Mitigating factor, yeah.
Justin Gardner (@rhynorater) (45:15.024)
functionality and sometimes that functionality is gated behind privileges or something like that.
Joel Margolis (teknogeek) (45:21.026)
Right, absolutely, yeah. So the breakdown for what type of engagements these are mostly on, it was basically 50-50 for me, I'm excluding some of the smaller stuff, but it was essentially 50% bounty programs and 50% challenge programs, which is gonna be like live hacking events, H1Cs, maybe, I don't know, pen tests are included in that, maybe, maybe not, I don't know.
Justin Gardner (@rhynorater) (45:37.687)
Mm, mm.
Justin Gardner (@rhynorater) (45:47.779)
I don't think so.
Joel Margolis (teknogeek) (45:50.378)
But yeah, about 50 between live hacking events and bounty programs, which is pretty much expected for me. That's basically all I do for bug bounty is that. And then pen test is the little bit of the portion that's on the side.
Justin Gardner (@rhynorater) (45:58.295)
Yeah.
Justin Gardner (@rhynorater) (46:02.978)
Yeah, yeah, so I guess that's true. Pentests are not probably included in these stats, which is interesting. I haven't done many pentests, but I know you do them on a pretty regular basis, right?
Joel Margolis (teknogeek) (46:12.746)
Yeah, I try and keep them going on somewhat of a regular cycle. It's just a good, you know, you can do them at the same time as you do bounty stuff, if you have the capacity for it. And I think it's a good source of income. Like even if you're just a pen tester and let's say you book them back to back every two weeks, uh, I want to say the pay is let's, you know, it's a couple thousand dollars per pen test, uh, per person. So if you, you know, multiply that twice a month.
Justin Gardner (@rhynorater) (46:19.902)
Mm-hmm.
Justin Gardner (@rhynorater) (46:37.446)
Mm.
Joel Margolis (teknogeek) (46:42.222)
24 a year, you know, even if it's, you know, $2,000 per pen test, right? That's almost 50 almost 50k a year, right? So It's it's a good amount of side income if you can do them all the time
Justin Gardner (@rhynorater) (46:42.403)
Yeah, it's pretty great.
Justin Gardner (@rhynorater) (46:49.282)
Yeah, that's awesome.
Justin Gardner (@rhynorater) (46:53.686)
Yeah, that's great, dude. I'm, yeah, I think...
The other thing that comes to mind on this sort of thing is that you've mentioned in the past that you feel like the areas that you research take a lot of upfront investment. So it's not as easy for you to just kind of hop in and say, all right, I've got three hours, let me go find a bug. You know, it's more like, all right, I'm gonna hack this target now. This is gonna be my thing for the next two weeks. And I'm only gonna think about that and that's gonna be my life, you know? Like...
Joel Margolis (teknogeek) (47:11.916)
Yeah.
Joel Margolis (teknogeek) (47:18.094)
Yeah.
Joel Margolis (teknogeek) (47:22.702)
Yeah, one of the interesting things I've noticed about my hacking style is that like, it's not, it's not so much like, like the bounty is cool and stuff, but I'm more enticed by the challenge. And so when I see something that's like been set up to be challenging, that's what really will get me like, I want to get around that. So a good example, and this is a public program, Hyatt. Hyatt is, they have a bug bounty program. They pay pretty well. It is. Yeah. Yeah. Hyatt hotels. They, they pay pretty well.
Justin Gardner (@rhynorater) (47:32.526)
Mm-mm.
Justin Gardner (@rhynorater) (47:40.183)
Mm.
Justin Gardner (@rhynorater) (47:44.651)
Is that a public program?
Justin Gardner (@rhynorater) (47:49.246)
Oh, it is a public program.
Joel Margolis (teknogeek) (47:51.31)
I think they have 10K crits and I was spending a lot of time looking at their mobile app and it's very, very intensely obfuscated. And that just has got, it's really grinding my gears, you know, cause I'm like, I want to know, I want to know how this works. I want to dive into this. I want to find like what's the juice that they're hiding behind the, the, you know, the walls or whatever. So it's that kind of stuff where, but it's like huge upfront investment. Like you said, like I'm going to spend maybe more than a month.
Justin Gardner (@rhynorater) (48:00.768)
oof
Justin Gardner (@rhynorater) (48:04.041)
Hahaha
Justin Gardner (@rhynorater) (48:13.528)
Yeah.
Joel Margolis (teknogeek) (48:20.846)
just trying to figure out how this stuff is working and get the ins and outs. But once I'm there, I'm ahead of everybody else. So that's kind of the risk reward, is that once you spend that time and you get past that, you get the understanding, it takes everybody else the amount of time to get there too.
Justin Gardner (@rhynorater) (48:28.979)
Mm.
Justin Gardner (@rhynorater) (48:36.322)
I know that this is a little challenging for you, but when you do something like this, you should probably stick with that program for like a year, Joel. You should probably like not just throw that whole investment in the trash and move on to the next program the next time you see a shiny object.
Joel Margolis (teknogeek) (48:50.702)
I see how it works. I figured out I'm like, okay, that's cool. What what next?
Justin Gardner (@rhynorater) (48:54.486)
Oh, yeah. Finally, you know, Joel presses Enter. He sees the code. Sweet. OK, well, what's the hell? Oh, I got a private program invite. You know what I mean?
Joel Margolis (teknogeek) (49:01.422)
I'm not, dude, I wish I was lying because like that is honestly like that's how like the dopamine feels where I like I'll finally like I'll solve it and then I'll be like, oh, all right, well, that's not exciting anymore. Like what, what now? What, what do I go like figure out how this works now? So I do need to, I need to, need to work on that a little bit. I will talk a little bit more about this in the goals section, but I'll let you go ahead and why don't you give your year in review and then we can. Yeah.
Justin Gardner (@rhynorater) (49:08.622)
Oh no.
Justin Gardner (@rhynorater) (49:15.159)
Yeah.
Justin Gardner (@rhynorater) (49:26.486)
Okay, yeah, sure. I'll do mine and then we'll strategize together on how to solve your bug bounty ADHD, yeah. Okay, so for me, 2023, I actually didn't compare it with last year. I kind of wish I had done that. So let me see, can I actually just press this and change it? So yeah, it looks like
Joel Margolis (teknogeek) (49:33.486)
My ADHD.
Joel Margolis (teknogeek) (49:44.558)
Oh, I didn't either.
Justin Gardner (@rhynorater) (49:56.878)
my last year was actually slightly better than this year as far as performance goes. And I'm going to go ahead and reselect the correct...
items here because I don't have the whole thing up for what it looks like for last year. But just a quick look at the numbers suggests that last year was slightly higher performing than this year. But this year I had exactly 100 submissions, which makes me feel great. And I can't submit any more bugs in 2023 now because I'm locked into that. I have to stick with that, which is really cool.
Joel Margolis (teknogeek) (50:28.654)
Ha ha.
Justin Gardner (@rhynorater) (50:35.814)
I got 125 payments, which means that it's kind of weird. It's kind of odd that they say payments because it could be multiple bounties on the same report; that's happened to me quite a few times. It could be collabs that I've been paid out from, or they could be talking about payments as in like how many times it actually paid out to your bank account, in which case I know at the beginning of the year they were capping payouts at 10k, so that's a little bit odd, but yeah, any combination of those. And then my breakdown as far as severity was 18% critical, 26% high, 46% medium, 6% low, and 4% none. And I looked into the none and I was like, man, did I really not even care enough to assign a severity rating to this before I submitted it? And I believe those 4% none are reimbursement reports and stuff like that for purchasing hardware or getting bonuses for doing well at a specific thing, you know, they sometimes ask you to submit a report and they'll close it and they'll just pay you a bonus on top of that. So that's what those were.
I was really surprised to see I only have 6% low. But I went back and looked at it and it seems like it's accurate. There's not very many bugs that actually came through as low in the end. And I think another part of this is that there was a lot of dupes as well that might have been paid out as lows, but they didn't care to adjust the severity from medium to low because it was a dupe, so they just didn't bother to change it. So that could be where some of the thing is to where most of those are landing in medium rather than a low and that low number is looking artificially low. But yeah, I was pretty happy with 18% crits. I went back and looked at it and those are all like true crits, which I was happy about.
Justin Gardner (@rhynorater) (52:33.713)
And I feel like the crit to high ratio is pretty solid as well, and kind of expected for where this will lay out. So I was pleased with that distribution.
Joel Margolis (teknogeek) (52:44.11)
Yeah, dude. I mean, I was just comparing while you were, while you were giving your, your rundown. I was just comparing my mind to last year. And I think I must've had like a slump last year or something. Cause I, I mean, I didn't even submit a crit last year. And, and I, I 4x'd my bounties between last year and this year. So yeah. Yep. So definitely, uh, you know, don't, uh, don't let one bad year ruin your, uh,
Justin Gardner (@rhynorater) (52:46.617)
Mm-hmm.
Justin Gardner (@rhynorater) (52:51.044)
Yeah.
Justin Gardner (@rhynorater) (52:54.362)
Yeah.
No, I don't believe that.
Did you really? Wow, congrats dude.
Joel Margolis (teknogeek) (53:10.926)
You know, your, your mentality, because you can definitely get into little slumps and not have the best year, but next year, you know, look forward to next year, right? What did, what did you not do right this year? So actually let's, let's, let's go over that, because I think we both put some goals together here to kind of go over like maybe things that we could do better next year and things that we want to work on next year.
Justin Gardner (@rhynorater) (53:15.682)
Yeah. For sure.
Justin Gardner (@rhynorater) (53:25.625)
Yeah.
Well, one other thing before we hop into goals that I wanted to share was that the challenge to bug bounty ratio that you mentioned before was a lot higher for me. It was 73% challenges and 26% bug bounty. And so roughly 75% of my reports were being submitted to.
Joel Margolis (teknogeek) (53:31.886)
Oh yeah.
Justin Gardner (@rhynorater) (53:48.662)
Hacker One Live Hacking events or hacking challenges or campaigns or something like that, which I think is pretty telling because when you're doing the live hacking events every other month, you know, there's rarely enough energy for you to put more time into other programs. And I think probably this 26%, I wanna say this percentage would be even higher if we look earlier in the year before Q4, where the Bug Bounty Live Hacking events sort of slowed down a little bit. And I was focusing more on other programs.
So, really the predominant amount of my income is coming from the live hacking events, which is a little bit scary for me moving into 2024 because I'm hoping to start a family in 2024 and I know that that's going to be really busy and I might not make it out to the live hacking events quite as much. So we'll see how that manifests but there's always the opportunity to participate remotely too so I think I'll probably be taking advantage of that.
Joel Margolis (teknogeek) (54:34.862)
Yeah.
Joel Margolis (teknogeek) (54:42.83)
Yeah, dude, for sure. If you actually change your breakdown from like yearly or whatever to quarterly, you can see that over time. Like I see it in mine as well, where there are basically large spikes, where it's just like all challenge, like that whole quarter is just like all challenge submissions or maybe mostly challenge submissions. Um, so yeah, I have a lot of the same thing. I think it's just very difficult to balance it, right? Where it's like, you know, you want to take time off too, and like, not just be like hacking 24 seven. So after an event, that's a great time to take a little breather.
Justin Gardner (@rhynorater) (54:45.446)
Mm-hmm. Yeah.
Justin Gardner (@rhynorater) (54:49.815)
I'll check that out.
Justin Gardner (@rhynorater) (54:54.847)
Mmm. Yeah.
Justin Gardner (@rhynorater) (55:00.066)
Yeah, that's, it's very accurate.
Justin Gardner (@rhynorater) (55:04.843)
Mm-hmm.
Joel Margolis (teknogeek) (55:10.126)
And then usually the next event sort of starts to come up and then you're doing prep and here you go again, right? So yeah, yeah, it's really cool.
Justin Gardner (@rhynorater) (55:15.222)
Yeah, 100%. And just to be clear, for those of you listening, the graphs that we're looking at can be found at hackerone.com slash hacker underscore dashboard slash dashboards slash performance. So if you go to your hacker dashboard, there's a performance tab at the top that you can find. Mm-hmm.
Joel Margolis (teknogeek) (55:28.622)
Yeah. Yeah. Yeah. The easy way is just on that little sidebar or whatever in the menu, you click dashboard and then there's a tab at the top called performance. And that'll give you all the graphs, all the breakdowns. You can change the time ranges. You can add filters. You can see your overall numbers. So all the, all the everything that you can imagine, um, should be there. So definitely go check out.
Justin Gardner (@rhynorater) (55:48.986)
So the other stat that I wanted to talk about is the payouts by bugs for me.
And I'm curious to hear yours too, Joel, but for me I was looking at the bugs that I made the most money on this year, and it looks like IDOR is like a substantial amount of my income. Let me run the numbers roughly in my head. It's like a sixth, one sixth or one seventh of my, of my income comes from IDORs. I had one huge XSS payout, so XSS is my next one, but it would be a little bit less if I didn't have that one huge XSS payout.
Joel Margolis (teknogeek) (56:21.934)
Mm-hmm.
Justin Gardner (@rhynorater) (56:26.376)
And then the next one is improper authentication generic. And then I think beneath that as well is the broken access control stuff. And so those are the big categories for me, which kind of shows my testing style is largely oriented towards some client side, but also the other one on here was information disclosure is a huge one. And so my style is a little bit moved towards information disclosure and IDOR and access control stuff as well as authentication. And I think code injection came in at like fourth or fifth on the list. So that one makes a
Joel Margolis (teknogeek) (56:50.19)
Mmm.
Justin Gardner (@rhynorater) (57:07.674)
an appearance as well, but I'm mostly looking for authorization and authentication related issues along with client side stuff.
Joel Margolis (teknogeek) (57:14.894)
Yeah, so for me, my top one was a privilege escalation. I'm not really sure. I have some ideas as to why that probably is. I think a lot of things probably fall into that, but that's not really what I've been looking for. The next two, which are kind of what I would expect, excluding no weakness. I have a lot, like my third highest one is no weakness. So either I'm not setting it or H1's not setting it. I think I always said it though. I don't know.
Justin Gardner (@rhynorater) (57:25.43)
Yeah, it's a pretty wide category.
Justin Gardner (@rhynorater) (57:36.07)
Hahaha. He says, he says, yeah, it's broken, you know, I promise.
Joel Margolis (teknogeek) (57:44.654)
It's not me, okay. But the next two named ones are information disclosure and insecure storage of sensitive information. All right, so those are basically the same thing. Yeah, and I kind of view those as essentially PII, right? So it's user data, user PII, maybe a lack of access controls that's leading to PII disclosure or something like that. So those two kind of make sense.
Justin Gardner (@rhynorater) (57:52.046)
Mmm. Yeah, that one made an appearance on my list as well.
Justin Gardner (@rhynorater) (57:59.009)
Mm-hmm.
Justin Gardner (@rhynorater) (58:04.747)
Mm-hmm.
Joel Margolis (teknogeek) (58:11.31)
And then everything else, you know, I've got some OS command injection, reflected XSS, couple, you know, functionality bypass, some, some more random things. Yeah.
Justin Gardner (@rhynorater) (58:19.522)
Yeah, who knows what that is. So this is a little bit challenging. I think this is an area that HackerOne could improve on as far as the classification of bugs go and kind of helping us sort of formula-ize or organize our hacking data to represent what kind of vulnerabilities we're finding. Because these vulnerability categories are so large, it's kind of hard to select the correct one. And then also, when you're writing the report, the last thing you really wanna do is spend time scrolling through this giant list of 200 different things you could select for the weaknesses when you're just trying to get the report in and you're excited and you're kinda on that high.
I think this is the best data we've got and it's definitely an improvement from last year, you know, the way that they were doing the dashboards and stuff like that over the past couple of years. I think there's definitely still room for improvement here.
Joel Margolis (teknogeek) (59:11.342)
Yeah, yeah, absolutely. It's nice to be able to see this breakdown in the granularity that we have it.
Justin Gardner (@rhynorater) (59:17.027)
Let's talk about the goals for 2024. I guess you started on the year in review, so I'll start on this one. And actually, I wanted to kind of talk through with you.
Joel Margolis (teknogeek) (59:19.374)
Okay.
Joel Margolis (teknogeek) (59:25.838)
Yeah, yeah, go for it.
Justin Gardner (@rhynorater) (59:30.698)
something sort of as a friend talking about goals for 2024. So obviously the podcast has become a big part of my life in, in 2023, cause we launched it early 2023 and we're coming up on the one year anniversary of launching it around this time last year, I was messaging Joel being like, Hey man, maybe we should start a podcast. Um, and so that's cool. Um, with that, I am trying to think about what is the best.
Joel Margolis (teknogeek) (59:44.782)
Yep.
Justin Gardner (@rhynorater) (59:58.626)
technique or the best approach to bug bounty for this year that will give me the best ROI for bug bounty and also for Critical Thinking, right? And so I want to be able to tell you guys about cool stuff every week, and I want to come in here pumped, you know, like I've just found a bug, and share some awesome technical shit with you guys and just kind of share that joy that comes along with bug bounty. And I think probably the best way for me to do that is to try to bring a little bit more into my flow. Because I could go in there and I could find a bunch of access control issues and IDORs and stuff like that. And sometimes those are really engaging bugs that are really exciting and very fun. But a lot of times those also just kind of pay the bills. And what's really more exciting is like, oh wow, if I'm replacing a string, I can actually insert the pre-match into the replacement by using this syntax and just being like, boom, my mind is blown, you know? And bringing these sort of cool tips.
We've talked a lot of stuff about client-side quirks and postMessage related stuff that's really exciting. So I think in 2024, the best way to add value to my own wallet as a bug bounty hunter and add value to Critical Thinking is probably to do more research oriented stuff. What do you think about that?
Joel Margolis (teknogeek) (01:01:19.822)
Yeah, for sure. I think doing like cool, unique, sort of like taking technologies and like finding the nuances, especially for like bug bounty. We've talked about this a little bit with like, there's some blog posts out there that are like, here's all the ways to do X, Y, like window and top and like all the ways to reference window, like that kind of stuff. Right. Like it's very difficult to find that kind of stuff unless you found it and bookmarked it. And so like,
Justin Gardner (@rhynorater) (01:01:27.462)
Mm-hmm. Yeah.
Justin Gardner (@rhynorater) (01:01:36.31)
Yeah, window references and character sets, yeah.
Justin Gardner (@rhynorater) (01:01:45.859)
Mm-hmm.
Joel Margolis (teknogeek) (01:01:48.494)
going the extra step and being like, there's no research on this, let's create research on that and let's give it to the community. I think that is a really powerful opportunity to share knowledge, unique knowledge and research and get cool opportunities and ideas and all that kind of stuff, plus find cool bugs.
Justin Gardner (@rhynorater) (01:01:52.898)
Mm-hmm.
Justin Gardner (@rhynorater) (01:02:03.194)
Yeah.
Justin Gardner (@rhynorater) (01:02:06.998)
I'm a little bit unsure how that, I mean obviously I could pick a specific area and then come up with like a sort of artificial scenario and then do, you know, exploit that scenario and have that be the research. But the kind of way I've done it up until this point is like, let me look at an actual target. Let me look at the way that people are actually implementing things, break that and then turn it into research. And so I'm wondering if I'm not doing enough on the turn it into research part or, and obviously we've had a lot of cool stuff to talk about this year, so I'm satisfied with that and it was a great year. But I'm wondering if I should approach it more from like an actual research perspective or if I should focus on really attacking what's in front of me, what I know is actually being implemented by these 20 to 30 companies we assess every single year.
Joel Margolis (teknogeek) (01:03:00.206)
Yeah, so I think, I mean, a lot of this, a lot of the research stuff comes like naturally, right? So what happens is you'll like spend some time exploring something, maybe it goes a little deeper than you might've expected, and then you kinda are like, you know, I've seen this on other apps, like let me spend some time like figuring out how this works and like finding this bug across other platforms, et cetera. So I think that is probably
Justin Gardner (@rhynorater) (01:03:05.221)
Yeah.
Justin Gardner (@rhynorater) (01:03:19.247)
Mm-hmm.
Joel Margolis (teknogeek) (01:03:29.23)
Like, I don't think you're like under doing it. You know what I mean? I think as a full-time researcher, it's difficult to find the balance between research you want to publish and research you want to keep to yourself. And also then doing that research while hacking all that kind of like it's difficult, right? Um, so yeah, I, but I feel like overall we're doing a pretty good job and we'll just spend a little more time on like some research.
Justin Gardner (@rhynorater) (01:03:31.088)
Mm, yeah.
Justin Gardner (@rhynorater) (01:03:37.579)
Yeah, that's another thing as well.
Justin Gardner (@rhynorater) (01:03:49.134)
Yeah. And I, I see it on your list as well for the goals for 2024 that you've got unique research on there. And I think also one of the things in the past is like, I'm not particularly a Twitter
you know, clout person or, you know, I don't have a lot of motivation to go and take these research things and write like a massive blog post about it and then post it, you know, to share it. And even though I would like to share it, it's just I don't see the most ROI for my time in doing that in the past. But now I think with Critical Thinking a little bit more established and the subscribers on the Discord and that sort of thing, there's a little bit more of an impetus for me to say, okay, well, let me take one day, you know, calendar day here and devote it to taking this research and like getting it into a document and then getting some people to review it and that sort of thing and getting it published. And so we'll see how that manifests itself in the new year. I think, I think we will see some more stuff come out, especially to the premium Discord and definitely to the world as well, since we have a little bit more of a focus on that now.
Joel Margolis (teknogeek) (01:04:57.39)
Yeah, yeah, absolutely. Yeah, I did have unique research in there for myself. I mean, it's kind of what we just talked about, which is basically, you know, I'd like to find some, you know, cool tools, or cool, you know, architectures, whatever, infrastructure. You know, I just wanna do some deep dives on stuff, figure out how stuff works. And some of that, I think, will be spurred by the ongoing hacking and research that I'm doing like outside, but also just...
Justin Gardner (@rhynorater) (01:05:14.639)
Mm.
Mm.
Justin Gardner (@rhynorater) (01:05:23.469)
Mm-hmm.
Joel Margolis (teknogeek) (01:05:27.118)
maybe from the community as well as friends as we discuss and see different things on the internet.
Justin Gardner (@rhynorater) (01:05:32.258)
Yeah. And I think the whole, just going back to the whole conversation surrounding research for research's sake rather than research for hacking a company's sake. I think the research for research's sake, sort of like a James Kettle style stuff is like, is super great. But then you've got that extra step of like, all right, now I've got to figure out how to scan for this across all of the bug bounty programs. And if you don't have like a very identifiable fingerprint for that.
Like for example, I'm thinking about doing some postMessage-based research. Sure, I can scrape all the JS files and find every message, you know, reference to postMessage or whatever, but it's not going to be every single reference to postMessage. It's going to be like a very specific subset of those. So it's a little bit harder to, you know, programize that sort of thing, which I'm a little bit intimidated by. But also, you know, you see some great results come out of that. So maybe it's something I should try. I don't know. I guess we'll see.
Joel Margolis (teknogeek) (01:06:26.414)
Yeah, yeah, absolutely. Did you?
Justin Gardner (@rhynorater) (01:06:28.974)
Let's see, what else we got on the list here? Yeah, I'll talk about this next one and then we'll kind of go back and forth because I've got a couple more than yours. So the next one I have on my list is non-traditional automation stuff that I'd like to do in 2024. And that includes JS monitoring, which is something we've talked about a lot here to kind of...
Joel Margolis (teknogeek) (01:06:32.782)
Yeah.
Justin Gardner (@rhynorater) (01:06:47.926)
alert when new features are being added to applications that you already have a large context for, and source code monitoring for things that you actually have the source code for, which I think will be really big for me. If I can identify some vulnerable patterns in open source software that's being either propagated to a bunch of companies or is actually having a bug bounty program themselves, then I think that could be a source of semi-passive income where it's like, hey, there's very likely a bug here.
and it takes maybe an hour to exploit it, and you can get a report out of it, but it's not the traditional subdomain takeover or whatever XSS that you see in automation.
Joel Margolis (teknogeek) (01:07:27.438)
Yeah.
Yeah, dude, I feel like that kind of pipeline is really, really useful for those who don't see the cat, Miss Bagel, is climbing on me right now. She's trying to nap. Yes, but no, I think that pipeline is very, very almost necessary for full-time hackers because the reality is, if you don't have something like that,
Justin Gardner (@rhynorater) (01:07:36.71)
See you.
Justin Gardner (@rhynorater) (01:07:45.658)
Very cute, very cute cat.
Justin Gardner (@rhynorater) (01:07:55.248)
Mm-hmm.
Joel Margolis (teknogeek) (01:07:59.63)
then you're going to be spending time looking for things to hack. And that takes time, which takes away from your money. Right. And so like, if, like, if you don't spend some time building an automation or some sort of monitoring or whatever, that's like constantly feeding you new things to look at, then you're going to have to take your own time out of your hacking or extra time, right? Where you could be making money to go then find those targets or spend time looking at those things and tracking down those signals.
Justin Gardner (@rhynorater) (01:08:04.924)
Mm-hmm. Away from the hacking, yeah. Ha ha ha.
Joel Margolis (teknogeek) (01:08:26.765)
And it just makes it a whole lot easier for you to have basically like a little assistant kind of who's just like, hey, take a look at this. Take a look at that.
Justin Gardner (@rhynorater) (01:08:34.508)
And sort of refreshing your context too, because we kind of talked about that before as well of like, you kind of lose context for a specific program after a little while. But if you've written, if you've taken notes with code, that was one of the big takeaways that I had from Sam Erb's episode, was if you've taken notes with code and you've said, hey, there was a reason why I had thought that it was really important that this, I should alert on this specific string. And then those neural pathways refire a lot more quickly and you can get right back into where you were, uh, versus if you're coming in with no context. So that's, that's something I'm currently doing on, on a
programs but the pipeline isn't like fully built out and sometimes my scripts kind of flake out or whatever so that's something that I'll be doing more of in 2024 and getting a good pipeline in place for. All right what's the next one on your list?
Joel Margolis (teknogeek) (01:09:23.31)
I wanted to be more consistent with reports and hacking. I think we talked about that. I'm about, you know, one every two weeks right now. I think I'd like to get that more, just in general across the board. I'd like to be doing more hacking, submitting more reports, looking at more stuff. It's very difficult to find the time and the energy with all the million things I have going on to sit down and like spend some quality time hacking and finding bugs. I find that all
Justin Gardner (@rhynorater) (01:09:29.331)
Mm.
Justin Gardner (@rhynorater) (01:09:36.613)
Mm.
Justin Gardner (@rhynorater) (01:09:45.686)
Yeah.
Joel Margolis (teknogeek) (01:09:52.75)
I'm just kind of like looking at stuff and noticing interesting things, but it, it takes a little bit more to get it to sort of that endpoint. So I would like to be a little more consistent on that for sure.
Justin Gardner (@rhynorater) (01:10:00.344)
Yeah.
Justin Gardner (@rhynorater) (01:10:04.418)
Yeah, consistency as a part-time hunter is difficult because it ebbs and flows with your job, with your personal life, with all this other stuff. And the next one on my list is trying to accomplish all of this, like lofty goals stuff that I've got for the podcast and for bug bounty hunting, in normal business hours, in, you know, an eight hour day, because here's what I've come to realize, Joel, is like, you can accomplish really amazing stuff.
Joel Margolis (teknogeek) (01:10:22.094)
Yeah.
Justin Gardner (@rhynorater) (01:10:31.038)
if you work 80 hours a week, and it's not that hard. Besides the working 80 hours a week part, which is just physically and sort of mentally challenging, if you're working double the amount as other people, you're gonna have crazy oversized results, right? And that's just kind of to be expected and not that crazy. The crazy thing to me is when people work less than other people or less than expected,
and still get outsized results, right? So that's kind of something that, and that kind of shows that you've really got your system down or you're really looking at something differently, you know? Or you got really lucky, right? Which I feel like that's the case every single time I submit a bug. But the data would suggest otherwise, considering either that or I'm the luckiest human on Earth. And so for me, 2024, I want to...
Joel Margolis (teknogeek) (01:11:09.006)
Or you got really lucky.
Joel Margolis (teknogeek) (01:11:15.214)
Yeah.
Justin Gardner (@rhynorater) (01:11:27.782)
limit that and really just work within a certain period of time, whether it be a sliding 8-hour window or a flexible 8-hour window, whatever it is, and then just work more efficiently and still accomplish great results within that timeframe.
Joel Margolis (teknogeek) (01:11:44.366)
Yeah, yeah, absolutely. I think that's a really interesting takeaway is like, you know, what you mentioned is that like, being able to do the same thing that other people do in less amount of time means that you can do more than them or you can make more than them or whatever. Like, and that's a really, like, if you can figure out how to optimize what you're doing to do it in less time, that's huge, right? So I love that. I feel very similarly, which is like, I'm doing a ton of things.
Justin Gardner (@rhynorater) (01:11:48.344)
Mm.
Justin Gardner (@rhynorater) (01:11:55.455)
Mm. Mm-hmm.
Justin Gardner (@rhynorater) (01:12:06.714)
Mm-hmm.
Joel Margolis (teknogeek) (01:12:13.614)
And generally I'm pretty good about keeping it within work hours, but I also feel like the burden of doing all those things makes it very challenging to keep all of them going at the same time. So maybe it's rebalancing them to do them on certain days instead of everything every day or whatever it is. I'm not quite sure, but I think it's definitely something to be worked on.
Justin Gardner (@rhynorater) (01:12:15.534)
Mm-hmm. Mm.
Justin Gardner (@rhynorater) (01:12:26.135)
Yeah.
Justin Gardner (@rhynorater) (01:12:37.954)
Yeah, and just for those of you listening that might feel like you haven't achieved the sort of success that you're looking for, whether it be in Bug Bounty or career and stuff like that, one tip that kind of goes contrary to what we're talking about right now is that if really you just want the success, one of the best ways to get that is just put in more time.
You know, and you got to decide whether that's going to be healthy for you or whether you're in a position in life where you're going to benefit from that. Um, and whether that's actually what you want with your goals. Uh, but if you're really just looking for success, you can probably find that by doing it more. And I've noticed this in multiple areas of life, you know, um, not just bug bounty, but fitness as well was one of the other ones. I was like, I used to be doing a three by five program where I would do three sets of five reps. And when I, once a week.
But then I switched to twice a week, five by five, and I noticed the results dramatically changed, just because I'm pushing more weight and I'm spending more time doing it. And so I think that's another hack, but obviously comes at the cost of a bunch of time and effort. So the next thing I had on my list was, I want to hack more IoT stuff, or I want to do more hardcore source code review. And those are...
Joel Margolis (teknogeek) (01:13:46.926)
Yeah, yeah, totally.
Justin Gardner (@rhynorater) (01:13:57.906)
not entirely disjointed from each other, but...
I'll just say, Joel, that experience that we had of hacking on that live hacking event together earlier this year, and we just had this massive Python code base and we were just tearing it apart and finding all the sources and sinks. And even now with the Wordfence stuff we've done over the past couple weeks doing a lot of PHP source code review and that sort of thing, I just realized how much I love actually having source code. It's phenomenal. You know? And, uh-oh.
Joel Margolis (teknogeek) (01:14:27.438)
Okay dude, I have a program for us. I've been working on something, I'll DM you. I can, I don't know if we should, because I'd like to work on it with you. It's a public program, but yeah.
Justin Gardner (@rhynorater) (01:14:30.838)
What have you got? Can you say it? Okay, do you? No, no, don't say it, don't say it, it's fine. All right. Oh, all right, well, we'll see how it goes. I would definitely like to do more of that, and I love the concept of IoT stuff being where, like, you dump the firmware and then you get the source code and now you're doing source code review. That's the ideal situation, but this is going back to what we were talking about before. IoT stuff, the bounties aren't good enough relative to the time you have to invest. Really, IoT bounties need to be high, high five figures to make it worth the time if you're a decent web hunter. Because you can go to programs like PayPal and Shopify where they're paying massive bounties for web stuff and find stuff quicker than you would on an IoT based program, and it's easier and your eyes aren't bleeding and you're not having to fight with hardware and there's not a bunch of setup without the thought of return on investment. So I think the IoT space needs to expand its bounties and pay a little bit more into the five figure range and some even in the six figure range to see the real big sort of attraction from other hunters that have diverse skill sets as well. So one of those two will be good. And then this is the other thing that I wanted to talk about. And this is kind of a, I think probably something that you and I both have on our goals for 2024 would be
this concept of influencing tool creation or influencing the sort of development in the industry that we'd like to see that we don't necessarily have time to do, right? So I've just been really blown away by how awesome the critical thinking community is and how you guys have taken a lot of the ideas that we've presented here on the podcast and actually turned them into tools. And I think that that's something that could be scaled well.
You know, like we, us mentioning these sort of things, us having sort of the inside scoop from a lot of top hunters, taking it to the podcast, giving it to the public, and then the public turning this into actual actionable tools that can be used by all hackers and making it a little bit more accessible. Um, so that's something I definitely want to keep doing in 2024.
Joel Margolis (teknogeek) (01:16:41.934)
Yeah, for sure. Same here. You know, I want to keep working on that. All that kind of like influencing, influencer, you know, this is like a whole new, yeah, like there's a whole new space, I think for both of us. So it's definitely been interesting, all the stuff that we've learned in the last year. So it's really...
Justin Gardner (@rhynorater) (01:16:50.65)
positive change in the industry.
Justin Gardner (@rhynorater) (01:16:56.996)
Mm-hmm.
Justin Gardner (@rhynorater) (01:17:02.266)
Mm. And influencing kind of has a little bit of a negative connotation, but really, at the end of the day, it's educating. It's sharing knowledge, right? Which is what this whole content creation thing is about, is coming on here, giving that knowledge, giving that, okay, so there's the knowledge piece and there's also the energy piece, right? Because you can come in here and, man, sometimes I've been on this podcast and I'm freaking grabbing my mic so tight and I'm yelling into the microphone because I'm so hype about these sort of things, right?
And that's great to share with the community and the community has shared with me that is a source of a lot of energy for them and can lead to the development of some really awesome tools that I've seen. So, definitely excited for that.
Joel Margolis (teknogeek) (01:17:45.998)
Yeah, yeah, absolutely. And the last thing on mine was I want to hack more web stuff, honestly. You know, I hack some web stuff. Yeah, yeah, we are basically flipping, because I've done a lot of IoT stuff. I do source code review all the time. It's all mobile. It's just reading code. And I've done a lot of that kind of stuff. And it's not that I'm bored of it. It's just that I want to do new stuff. I want to learn new things. I want to get.
Justin Gardner (@rhynorater) (01:17:51.182)
Oh, okay, so we're flippin'. Yeah.
Justin Gardner (@rhynorater) (01:17:59.43)
A lot of mobile.
Justin Gardner (@rhynorater) (01:18:12.688)
Mm-hmm.
Joel Margolis (teknogeek) (01:18:14.574)
better at stuff, like I see, I feel like there's a part of, like there's a whole bunch of vulnerabilities that I am not good at, that I'd like to be better at, and I haven't been good at them because, yeah, and the web space, just because like, I don't do them as much, like I don't exploit them as often, I'm not looking at those technologies as often, so it's just something that I'm not as familiar with, and I definitely would like to get there with it, so, yeah.
Justin Gardner (@rhynorater) (01:18:26.896)
In the web space. Mmm. Yeah.
Justin Gardner (@rhynorater) (01:18:41.338)
Sweet, man. Well, we can trade a little bit. I feel comfortable with almost every web-based vulnerability that I'm aware of. And so we can trade off knowledge there, and you can teach me how to do some good source code review and IoT hacking. Should be great, man. Alrighty, dude, I think that's a wrap. You got anything else you wanna say before we kick it to 2024?
Joel Margolis (teknogeek) (01:18:43.854)
Yeah, we'll do some trading.
Joel Margolis (teknogeek) (01:18:55.598)
You got it.
Absolutely.
Joel Margolis (teknogeek) (01:19:05.486)
No, you know, honestly, this was a great year. Um, thanks to everybody for listening to the podcast, being with us on this, on this, uh, this first year, it's been really exciting and I'm looking forward to what happens next year.
Justin Gardner (@rhynorater) (01:19:08.194)
Mm.
Justin Gardner (@rhynorater) (01:19:12.835)
Yeah.
Justin Gardner (@rhynorater) (01:19:18.967)
Yep, same here. I really appreciate the community and thanks for a great year, Critical Thinking listeners. See you guys.
Joel Margolis (teknogeek) (01:19:24.878)
Yeah, absolutely. Peace.