Episode 65: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with Sam Curry to discuss the ethical considerations and effectiveness of hacking, the importance of good intent, and the enjoyment Sam derives from pushing the boundaries to find bugs. He shares stories of his experiences, including hacking Tesla, online casinos, Starbucks, his own ISP router, and even getting detained at the airport.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Guest:
Resources:
Don’t Force Yourself to Become a Bug Bounty Hunter
Timestamps:
(00:00:00) Introduction
(00:02:25) Hacking Journey and the limits of Ethical Hacking
(00:28:28) Selecting companies to hack
(00:33:22) Fostering passion vs. Forcing performance
(00:54:06) Collaboration and Hackcompute
(01:00:40) The Efficacy of Bug Bounty
(01:09:20) Secondary Context Bugs
(01:25:01) Mindmaps, note-taking, and Intuition.
(01:46:56) Back-end traversals and Unicode
(01:56:16) Hacking ISP
(02:06:58) Next.js and Crypto
(02:22:24) Dev vs. Prod JWT
Justin Gardner (@rhynorater) (00:01.864)
Alrighty, Mr. Sam Curry, we have been prepping and we have so many stories in the queue here. Welcome to the podcast, man.
Sam Curry (00:09.978)
Hello, hello. Yeah, thank you for having me.
Justin Gardner (@rhynorater) (00:11.68)
Of course, man, this is exciting. Sam, you are just kind of like a legendary Bug Bounty storyteller. So I'm anticipating this podcast being largely me saying, all right, Sam, tell us about the time you got arrested at the airport, or tell us about the time you broke every car in existence. And then sort of hearing those stories, and then picking apart some technical details, I think that's how we're going to go today. But let's start with a story.
Sam Curry (00:38.914)
Easy.
Justin Gardner (@rhynorater) (00:41.684)
that is not super technical. Tell us about the time you got detained at the airport.
Sam Curry (00:49.218)
Yeah, sure. So I was just finishing up a trip from like, us to Japan, I was flying back from Japan and the like Washington Dulles airport. So I was like, getting to the airport, like I'm exhausted 15 hour flight, I'm going through the line like normal check in, you know, the immigration's process. But at the very end of the line, they like pull me aside for secondary, they're like, hey, you know, we just need to talk to you ask a couple questions. And I haven't traveled like too much internationally at that point. So I was like, you know, it's a normal thing, whatever will go. And I realized I'm like the only person and the secondary inspection and
The cop who walks me over there is like super nice. The process is just super, very easy. And they're being super nice to me. We're unloading all my luggage and going through everything. They're asking about my trip. I'm explaining everything about my trip. And then finally they asked me for my device. They say like, hey, can we just see your phone and can you unlock it? And you know, it's part of a normal immigration process. They asked for that. I didn't really think anything of it. So I gave the agent my unlocked phone. And then afterwards I did that. They're like, okay, cool. Now just come over into this room. There's some people who want to talk to you.
And that point, like kind of alarm bells. Yeah, and it turns out that there was a IRS CI, which is like their criminal investigation and the Department of Homeland Security officer in the room. And they're both sitting across from me and they said like, hey, you know, Sam, you work here, here's this. And I kind of was like...
Justin Gardner (@rhynorater) (01:48.98)
Oh my gosh.
Justin Gardner (@rhynorater) (02:04.8)
So they had planned this. They had knew that you were flying back into the country. And they're like, all right, we're going to snag them at the border. Wow, dude.
Sam Curry (02:11.242)
Yeah, it was really interesting because everything was planned and coordinated before too. When we arrived in Japan, everybody in our group had these little bag notices. I'd never seen them before. I've seen the normal TSA inspection things, but these were different notices. I was like, oh, I guess they changed the thing. When I went back and they pulled me into that room, what I realized is that I was under suspicion for wire fraud and I was being summoned to a grand jury in New York.
Justin Gardner (@rhynorater) (02:26.034)
Mm-hmm.
Sam Curry (02:41.002)
I immediately asked them, I said, like, hey, like, can I have my device back? Because I didn't realize this was like a, you know, targeted thing. And they say like, no, we're actually allowed to keep that because it's a like normal immigration process. So at that point, like I just have to sit there. It's super tricky too, because even if you're like the most clear, conscious person in the world or clear conscience, sorry, your friend could have said something that's like, you know, incriminating what they'll do is like parallel investigations. So like.
Justin Gardner (@rhynorater) (02:47.008)
Yeah.
Justin Gardner (@rhynorater) (02:53.696)
Dude, that's tricky as heck.
Justin Gardner (@rhynorater) (02:59.816)
Yeah.
Justin Gardner (@rhynorater) (03:04.692)
Yeah.
Sam Curry (03:08.234)
even though it was just me under suspicion and it was like a weird narrative, and I felt fine about it, it's still like a tricky thing where it's like, something on your phone is incriminating, right?
Justin Gardner (@rhynorater) (03:18.336)
So Sam, what did you do? Why were they pulling you over at the border?
Sam Curry (03:23.478)
Yeah, so what turned out happening, immediately after that, they let me have my device back and stuff and they let me through, I contacted my work and my work lawyers got involved. The company I worked for is like Yuga Labs, which is like a cryptocurrency company and what ended up happening is through my security work at Yuga Labs, where we were investigating like a phishing website, I had found a scammers private key leaked in the JavaScript file and I'd taken that scammers private key and I'd plugged into my MetaMask to see like, are there any recoverable funds?
Justin Gardner (@rhynorater) (03:42.348)
Mm-hmm.
Sam Curry (03:53.494)
And by doing that, they thought that I was the scammer. Yeah. It was really tricky too, because it allowed them to do a full subpoena of my network. So for instance, they had, you know, my ISP logs, like in a paper thing. Yeah, they read my name, like, or they read my mom's name because my internet was like still in her name. So the whole thing was like very, yeah, you feel like you're, you know, you've like killed somebody or something, but.
Justin Gardner (@rhynorater) (03:56.618)
Oh no, oh no.
Justin Gardner (@rhynorater) (04:06.996)
Are you kidding me? Oh my gosh.
Joel Margolis (teknogeek) (04:13.56)
Thank you.
Joel Margolis (teknogeek) (04:20.406)
It really shows you how the sausage is made too, because now you have some insight into what lengths they can go to and what information they can get about you just without you even knowing. The first that you're hearing of it, they're sitting down with a stack of paper, hey, here's everything you've been doing for the last few months, and you're like, oh, cool. What have I been doing for the last couple months?
Sam Curry (04:40.395)
Yeah.
Justin Gardner (@rhynorater) (04:43.289)
Hahaha!
Sam Curry (04:44.418)
Well, exactly. Yeah, it's very, it feels, it's one of those things you read about. Like I've always had the stance that like, I'll never be important enough for them to like, look at my thing. But then you realize it could happen to anybody. So.
Justin Gardner (@rhynorater) (04:55.072)
Wow, dude, that's crazy. And just to think that, like, how much of the coordinated effort had to happen too, because they're like, you know, they were definitely contacting TSA and saying like, okay, here's this guy's picture. He's coming in on this flight, like, we need you to snag him and we need you to get his phone and then like shove him in this room. And it's like, oh my gosh. And like people are going there and it's like, oh man.
Joel Margolis (teknogeek) (05:19.87)
I do wonder if it was because it was international and they had your passport number but they knew it was you not to some other Sam Curry and that's why they knew for sure. Okay, let's take a look on the way in and on the way out.
Justin Gardner (@rhynorater) (05:26.952)
Yeah, I'm sure.
Sam Curry (05:33.046)
Oh yeah, 100%.
Justin Gardner (@rhynorater) (05:33.192)
Yeah. So I guess this is a good transition into a different topic, which is a topic that you and I have debated many, many times, which is, Sam, you do some, you know, for those of you that are listening on the actual audio medium of this podcast, I'm shaking my hand in kind of like a iffy sort of way. You do some borderline things, you know? And you don't.
really do it for the bounties. And this is a bug bounty podcast, so we normally talk about bug bounty, but I'm kind of wondering what your motivation is behind all this and why you're doing that. Ha.
Sam Curry (06:15.202)
Yeah, sure. And for those of you who are listening, who Justin just made it seem like I'm, you know, killed somebody or something, to clarify a little bit, the hacking, the sort of, I think what Justin's talking about is like, a lot of the hacking I do is like, not necessarily in bounty programs. And it's not necessarily scoped in like a specific like targeted way where it's like, you know, they're inviting you to come look at their stuff, right? I like a lot of the hacking I do and when I originally got into like web security and hacking
Justin Gardner (@rhynorater) (06:20.868)
No. Yeah.
Justin Gardner (@rhynorater) (06:32.181)
Mm.
Sam Curry (06:44.298)
It was a lot of like really like fun kind of curiosity, right? So a lot of the research we've been doing like recently, um, to, to kind of give context to that topic. When I started bug bounty, like eight years ago, right? I was like fresh out of high school and I really wanted to make as much money as I could, right? Yeah. I grew up like super like, I'm really hungry for, for money. Right. So I'm like, hell yeah. Like.
500 dollar bounty there, 1000 dollar bounty there, and it's just like feeding, like it's going perfect, right? And I did that for a while and I got a job in security and I'm like, you know, the amounts keep getting higher and like it doesn't like hit the same way. And then eventually I kind of realized like, you know, like I was, I'm not a really huge spender. I'm very comfortable. Like I think in terms of like, my, I think like,
Justin Gardner (@rhynorater) (07:22.099)
Mm.
Sam Curry (07:34.962)
I'm trying to find a good way to describe it, but I think what I'm trying to say... Oh, sorry, go ahead.
Justin Gardner (@rhynorater) (07:37.804)
I know that this is more of a, you know, this strays a little bit more into life philosophy as well because it's like, you know, it's about this interest that you have now and less about this financial motivation that you had in the beginning, right?
Sam Curry (07:43.386)
Sure.
Sam Curry (07:51.838)
Exactly. Yeah, not to kind of wrap it down a little bit. The hacking we do that we've done recently is like, you have a smaller group of people that I've been working with like Shubham Shah, like Ian Carroll. And I think like, as a group, we kind of have like this love for life for like hacking stuff. Like it's this deep, like childlike curiosity of like seeing something and like, again, like the example of like a subway card, you're like, I don't want to pay for the subway. Can I get a million dollar subway card to like go, you know, things like that.
Justin Gardner (@rhynorater) (07:54.304)
Yeah.
Justin Gardner (@rhynorater) (08:01.132)
Hmm.
Justin Gardner (@rhynorater) (08:07.073)
Mm.
Justin Gardner (@rhynorater) (08:17.83)
Oh my gosh.
Sam Curry (08:20.902)
We do it in good faith. And that's when people say like, I'm doing a great line or a great area where maybe they're not explicitly inviting us to hack them, but, you know, I report them through a security program or security team. The reason I've been able to do that so successfully for like so long where it's like, I'm not getting in trouble and I'm like helping these organizations is because I think I have like very, very good intent, like never once have I wanted to exploit something like maliciously it's always been kind of like. Found it. It's hilarious. We had a really good time. It's a good story.
Justin Gardner (@rhynorater) (08:25.717)
Mm-hmm.
Sam Curry (08:49.282)
But it's fixed now and that's good. Right. So to talk about like that hacking, like I've kind of fallen. That's, that's how originally gotten security. And that's kind of how I like keep my flame lit. Right. It's like that sort of.
Justin Gardner (@rhynorater) (08:51.152)
Mm-hmm. Yeah.
Justin Gardner (@rhynorater) (09:00.476)
Yeah, is this sort of interest-based hacking rather than like, you know, money-oriented or even, you know, and I guess some of this has to do with, you know, these are good stories as well and it's fun story to tell and to share that light, that invigoration, that passion for hacking with others. And so I guess the reason you're doing this is just because of that curiosity, is that accurate?
Justin Gardner (@rhynorater) (09:35.69)
Mm.
Sam Curry (09:53.587)
Yeah, I
Sam Curry (09:57.802)
the introduction song of this podcast, like YTCracker. Like as a kid, like I grew up listening to YT. I'm 13 years old, 14 years old. And I'm like, you know, he's like deep in the matrix. It's crazy. Like that world is just like exciting, right? And I like, as I grew up, that's like my, I still have that world, right? Like it's three in the morning. I'm like deep in something. Like there's like that really, really deep passion where it's like you wanna do it because you love it, right? Yeah.
Justin Gardner (@rhynorater) (10:00.33)
Yeah.
Justin Gardner (@rhynorater) (10:20.14)
Mm.
Well, that's cool, Sam. I have to say, a lot of people in this industry are green hats, to reference back to YT, and looking for the money in it. And I mean, I'll say, I do bug bounty full-time, and I'm not financially independent yet. So that is definitely a motivation for me. But it's definitely cool to see someone a little bit more motivated by the passion for the, and letting that be the leading
factor, right? Like I think for me it's more of like, I look at a target that has good bounties on it, and then my passion for hacking comes out against that target because I love the day to day, and I love getting in the weeds with it, and I love reading the JavaScript files and figuring out how stuff's working, but it's still pointed at the top level by that financial incentive. And then also for me by the Safe Harbor incentive as well, which doesn't seem to be as big of a thing for you, like...
And we've debated this to the end that we can debate this in our little group chats or whatever, but talk to me a little bit about why you feel safe hacking all of these targets. And yeah, let's start there.
Sam Curry (11:38.938)
Sure. I think it's maybe the safety is kind of a, I think there's a lack, there's a small lack of safety where as I get older and I think I'm mature and I kind of settle into like this lifestyle of like less risk that I'm kind of like slowly like concising down. But like for me, I see like hacking, you know, if there's a company that doesn't have a security program, for instance, we looked at casinos recently, I'll give you an example where it was a really bad interaction.
Justin Gardner (@rhynorater) (11:52.012)
Mm-hmm.
Justin Gardner (@rhynorater) (12:04.266)
Hmm.
Sam Curry (12:06.87)
So we were investigating like online gambling and online casinos. We found this one online casino and there was a specific game in the casino where you're able to replay the requests and generate like an unlimited balance. And we were like, this is hilarious. We didn't try to withdraw it or anything. We just reported it immediately. We're like, Hey guys, like we found this bug and what, well, I think I end up with a balance of, I end up with a balance of $3 million in my account, right? A little excessive. However.
Justin Gardner (@rhynorater) (12:17.428)
Ha ha ha!
Justin Gardner (@rhynorater) (12:23.872)
How many times did you do it, Sam? Ha ha ha!
Sam Curry (12:34.954)
What ended up happening that I didn't realize is that the game providers on the online casinos, like let's say you're a slot company and you make the slot, they're like a sub company that sells the slot machine to the gambling website. And what ended up happening? Yeah, the gambling website saw the slot machine had generated $3 million and they just cut them off completely. And they said, we don't want to do business with you anymore because of this vulnerability. So I got on the phone with this guy in the UK who runs the slot company and I'm like, hey, I just want to report this vulnerability.
Joel Margolis (teknogeek) (12:34.966)
Thanks for watching.
Justin Gardner (@rhynorater) (12:46.596)
Oh, interesting. Okay.
Sam Curry (13:03.798)
And he says, so you're the guy who's committing fraud on our slot machine. And I'm like, so yeah, at that point it's like, you know, everything in your head's like, this wasn't my intent, blah, but they could still see you financially and it's like a tricky situation that you have to navigate. Right. And of course the complexities of like UK law versus US and like, whether or not you have permission, like it's very complicated, but like, I think the leading thing is like good intent, but it can in this case, like stray because it does and did cause like damage.
Justin Gardner (@rhynorater) (13:07.379)
Uh oh.
Justin Gardner (@rhynorater) (13:31.456)
So you can't leave us there, Sam. What happened, dude? How did you weasel your way out of this one?
Sam Curry (13:36.426)
Yeah, so I weaseled my way out by, I, we had like a continued effort to like report, we reported the bug, we worked on the fix, I communicated with the casino, I said, Hey, I'm a researcher who found this, we've talked to the company, and we kind of meshed it together and things were like, good. But it was
Justin Gardner (@rhynorater) (13:53.753)
And I'm sure you can convey to that company as well, like hey, the companies that are having their products assessed are the ones you want to work with, not the ones that you don't want to work with, right? Because the ones that don't have their product assessed, the bugs are just sitting there waiting for a malicious hacker to hack them. Mm.
Sam Curry (14:12.174)
Yeah, exactly. Right. Like, would you rather have like one example where someone, you know, it's $3 million, but it's never exploited or like, thousands of users that are just adding in $100, $200 and then slowly withdrawing money. It's a really interesting conversation. I did a training one time I was, I worked for a consultancy and during the training at the end of the training, we, my people who I was working with the web application security training we did.
Justin Gardner (@rhynorater) (14:22.858)
Right.
Sam Curry (14:38.614)
He said, let's just like go to this website here to kind of assess the, you know, like look at the security of it. And it wasn't like a full like test where he was like sending malicious traffic, but so when the audience was like, hey, you aren't really allowed to test random websites, right? And then he responds, well, it's like, it's like, it's a personal risk thing where it's like, if you're not doing enough damage or not causing enough noise, like, are you going to get sued? Probably not, but it's kind of like your risk profile, right?
Justin Gardner (@rhynorater) (14:59.52)
Mm.
Justin Gardner (@rhynorater) (15:03.084)
Mm-hmm. Yeah. I mean, is there, especially for you now, established, you know, very publicly as a, you know, white hat ethical security researcher, I bet that risk is probably minimized even more for you than somebody who doesn't have a track record of ethical security research because of the caveats in the, you know, Computer Fraud and Abuse Act, specifically for good faith security research.
Sam Curry (15:32.91)
Yeah, it reminds me of a skit actually. There's a TV show called Nathan for You. And in the show, he says, he's like, hey, I wanna do this like big public thing that it's a great show, it's fantastic. He says like, hey, I wanna do this thing which is like totally a joke. I wanna make this parody restaurant. And then he talks to the lawyer and he's like, to make this parody restaurant, what do I have to do? And the lawyer says, you need to establish yourself as like a comedian or a guy who does like pranks. So he quickly goes and does like a performance art thing.
Joel Margolis (teknogeek) (15:37.55)
You
Great show.
Justin Gardner (@rhynorater) (15:48.618)
Yeah.
Sam Curry (16:01.218)
tries to build a name for himself, right? But I think as a security researcher, you can Google Sam Curry, and it comes up with the past work, it's a legitimate person, right? Versus a lot of people I see who try to reach out over email, they'll use their alias since hacker447, and they're like, I'm not gonna give you my real name, but here's, and it's like, I get it, being anonymous, whatever, it's great, but you do come off a little more malicious like that, right?
Justin Gardner (@rhynorater) (16:09.312)
Hmm.
Justin Gardner (@rhynorater) (16:15.909)
Yeah.
Justin Gardner (@rhynorater) (16:20.042)
Yeah.
Justin Gardner (@rhynorater) (16:24.468)
Absolutely. Yeah, I think there's definitely something to be said for that established track record.
Joel Margolis (teknogeek) (16:29.482)
So when you're picking targets, I know a lot of it is just the interest, the love for hacking. Do you ever choose not to hack things or to go after certain things? I think there's lots of different levels that you can hack stuff at. You can go to the smallest level where it's an individual using a specific instance of a product, or you can go to the product itself, or the parent company who owns that product. You can step up the chain to larger and larger scopes.
where do you like to draw that line? Because I know a lot of people, like we have mutual friends who really love hacking small local businesses. And it's just like, they feel, you know, they get a really large amount of impact out of that. They feel, you know, like that they're creating a lot of good in their community. Like they have these really great relationships with those small businesses and stuff. But I would say you probably aren't hacking mostly small businesses. You're hacking mostly large businesses. So what sort of draws you in that direction versus the small business route?
Sam Curry (17:26.678)
Yeah, so I think like picking targets is really fun because like, mostly what I've been looking for recently is like choke points where it's like, for instance, like a single point of failure that has like this cascading effect where it's just like millions of people, right? I think like hacking small businesses is super fun. Like it's the every high schoolers dream is like hack their high school and like change their grades, whatever, or like people know, you know. But like...
Justin Gardner (@rhynorater) (17:47.04)
We do not endorse this behavior.
Joel Margolis (teknogeek) (17:49.178)
That's so true. I totally didn't do that when I was in high school.
Justin Gardner (@rhynorater) (17:52.756)
Yeah.
Sam Curry (17:53.706)
you know, to not endorse the behavior, good quality stuff. But like, the reason I think people want to hack their high school is because like, you can be the person like sitting in the classroom, and maybe the alarm bell goes off and you're kind of like sitting there smug, like I did that and nobody knows, right. So there's like this, there's this like kind of you can kind of do that with like small businesses or bigger things, like I tend to focus on like, big points of failure, like interesting things to me. So for instance, the research we did with like, Neiko,
Justin Gardner (@rhynorater) (18:08.39)
Hahaha
Sam Curry (18:22.946)
Specters with like car security stuff where it's like Something I didn't know up until like a few months ago is that You can scan a license plate and it'll give you the VIN number of the car, right? And basically what that means is for every car in the United States you go from Sorry, sorry not to
Justin Gardner (@rhynorater) (18:38.3)
Wait, wait, I'm gonna pause you there. How did you, how did you, how?
Sam Curry (18:44.242)
Oh yeah. So it's public. You can pay for an API that will basically do this because that, yeah, the DMV will sell these records to these like small companies or these like contractors that provide them to like, maybe you're a traffic enforcement camera company or something. Yeah. So for about like, you know, one and a half cents per API call, you can resolve someone's license plate to the VIN number, right? So if you think about it, like if, if I want to have fun, like hacking stuff, and it's like an interesting thing, and I'm not.
Justin Gardner (@rhynorater) (18:49.096)
No way, really.
Justin Gardner (@rhynorater) (18:59.514)
Interesting, okay.
Sam Curry (19:14.498)
These companies do have safe harbors, a lot of them. It's like hilarious to me, like being in line at Starbucks and like the idea, just the idea of it, not actually doing it, but scanning someone's license plate and making their car honk. Like it's just hilarious because it's like really fun, right? And that's kind of how picking targets.
Justin Gardner (@rhynorater) (19:29.14)
Dude, you get the person in front of you, you know, you see them pull up a little bit before you. On the way in, you know, they're ahead of you, they're walking through the door, you just take a quick picture of their license plate. And then when they get in line in front of you, make the alarm go off, they leave line, and you just keep going ahead. Sam, this is evil, man.
Sam Curry (19:46.73)
It's so good. It's a little, yeah, I mean, like, there's, there's kind of a, as like, it really is like, uh, something I describe it right is like, as an ethical hacker, you do have to kind of like put away the idea of like, you're never actually going to exploit it, right? And like your intent is always good. But like, to exchange that, like, I think you do kind of have to like, enjoy getting to that point and like, kind of dwell on that just a tiny bit, like.
Justin Gardner (@rhynorater) (19:52.005)
uh... but hilarious, I have to say.
Justin Gardner (@rhynorater) (20:05.568)
Mm-hmm.
Sam Curry (20:15.73)
What I'm trying to say is that like, since you never actually crossed that line, I think you kind of have to extract as much fun as possible from like, dancing around it a little bit, if that makes sense.
Justin Gardner (@rhynorater) (20:24.412)
Yeah, well, it's very interesting too, because the attack things, the attack scenarios, the attack things, the attack scenario that you're going after is really, they're what, if I were a malicious hacker, this is what I would wanna do. I would want the power to make somebody's alarm go off in their car, in my Starbucks line, and I would want the power to unlock locks at a hotel or something like that. And, and.
Sam Curry (20:38.914)
Yeah.
Sam Curry (20:51.31)
Yeah.
Justin Gardner (@rhynorater) (20:52.388)
So all of these targets that you're going after are very like tangible black hat stuff. Whereas, you know, like my little CSRF or whatever that I submitted to this company is not something that most black hats are like, you know, chomping at the bit to find.
Sam Curry (21:00.418)
Yeah, I'm sorry.
Sam Curry (21:11.17)
Yeah, sure. There is that big difference, right? Where like, I think finding the CSRF can be just as fun and like getting paid for it. It's like still, it's still really valuable to the team, but like, you know, as like an individual, like let's say you're a homeowner and you have a security system, you kind of want to have a clear conscience that like nobody's like looking at you through your camera. Right? So maybe it's a fun thing to do is like hack your home security system, right? There's a good, there's a guy named netspooky, who's one of the most talented, like low level engineer people. It's just fantastic, like genuinely great.
Justin Gardner (@rhynorater) (21:18.453)
Mmm.
Justin Gardner (@rhynorater) (21:30.186)
Yeah.
Justin Gardner (@rhynorater) (21:37.952)
Great dude.
Sam Curry (21:41.186)
But I was having a conversation one day and he told me something that I didn't know. I'd never really thought about it. He's like, he's like, you know, you can like change your world. Like if you see something in the world that like you don't like or it's like you have impact on the world and like you can affect things. Like it's a really low level point. That's very cliche, but like very deep, you know, but he, he's like, you know, like if you don't like something in the world, you can change it. So like the idea of like, you know, I.
Justin Gardner (@rhynorater) (21:55.692)
deep.
Sam Curry (22:06.838)
I'm curious about the security of iPhones because I don't want to get like my iPhone hack or whatever. So it's like research iPhone security and then maybe you find something.
Justin Gardner (@rhynorater) (22:12.032)
Mm. But clearly this isn't coming from a place of privacy concerns for you, because you're a pretty public figure.
Sam Curry (22:20.394)
Yeah, I think it's like a lot of it. So like, very like, straightforward. There's like, I kind of dwell on I think that chaos and the fun and like the kind of the pandemonium of like creating like situations right where it obviously get kind of a rush from like, Oh, a journalist did a story about a bug you found and like, you know, there's people talking about like this, for instance,
Justin Gardner (@rhynorater) (22:41.228)
Sure, sure.
Sam Curry (22:45.942)
Recently there was a vulnerability. It was a huge effort by Ian Carroll and Lennert Wouters and their most like talented hardware people. But like they found this vulnerability where you could unlock any hotel room, right? Or from a company called Saflok whose parent company is Dormakaba. But to talk about that, it's kind of funny because it's like, you know, every American's like nightmare for nighttime television is like, someone's getting in my hotel room. So it's hilarious to see like.
Justin Gardner (@rhynorater) (22:50.944)
Mm.
Justin Gardner (@rhynorater) (23:12.841)
Yeah.
Sam Curry (23:14.662)
Oh, CBS did a story about this bug and like, you know, you're the person who helped with it. So it's, it's just fun.
Justin Gardner (@rhynorater) (23:19.66)
That is really cool, I have to say. That is pretty rad. And just jumping back to the online casino thing as well, this has been a pretty good entrance for you to do like pen testing or security consulting for these companies as well, right?
Sam Curry (23:37.462)
Yeah, absolutely. It's a really good like, it's a sales, it's a salesperson's kind of like dream, right? Like if I wanted to sell a product to a company, say like a pen test or something, when you report a vulnerability, you're immediately providing value to this company, right? So you say, Hey, I found this bug. Here's what it is. Here's how you can fix it. And they say, thanks, you know, great to meet you. You provided value, right? So you have this good relationship with this random company. It's a really good like pipeline if you did want to sell pen test, right? Which is like kind of an interesting thing because
Justin Gardner (@rhynorater) (23:43.276)
Mm-hmm.
Justin Gardner (@rhynorater) (23:51.433)
Mm-hmm.
Justin Gardner (@rhynorater) (23:58.01)
Mm-hmm.
Sam Curry (24:07.758)
There's a topic I've been really like always curious about where it's like, um,
inadvertently, I think I end up in a lot of situations where I'll report a vulnerability to a company, and they'll offer me money like not to disclose it, right. And even though I never it's very sketchy, because it's like, I never asked this company for money. I never wanted to like extract money from this company. But I plan on like blogging about it. And they're saying like, hey, you know, maybe you don't blog about this. And maybe we give you like five grand or something. And it's like to accept that feels it. Yeah, exactly. Like it feels like so
Justin Gardner (@rhynorater) (24:23.323)
Mmm, that's sketchy.
Justin Gardner (@rhynorater) (24:39.302)
No.
Sam Curry (24:43.678)
So like, I think there's a lot of situations that I think is a really interesting topic of like, you know, maybe you claim you're like a good faith researcher, but you're hacking all these companies and then you like publicly humiliate the companies and it builds up your reputation. Um, I think that's like, it, yeah, it's a tricky kind of world.
Justin Gardner (@rhynorater) (24:58.155)
Yeah.
Justin Gardner (@rhynorater) (25:02.3)
Yeah, no, it is for sure. And there's definitely a lot of positive attributes to public disclosure. But it does, I mean, I could understand the company's position as well in that scenario of like, yeah, we really don't want this coming out under our name. But it also makes that sort of.
Justin Gardner (@rhynorater) (25:24.94)
It helps shift the culture a little bit more towards something that makes security look like a good thing rather than a bad thing, which I think is good, you know. So if at the end of the day a company comes out and says, hey, we were hacked by an ethical hacker, here's how we dealt with it, here's the disclosure process, that sort of thing, at the end of the day if they have a good PR team that should be spun positively, you know, we were able to secure our devices, you know, in this specific scenario or something like that. And I think what most people just don't understand about that is that
Sam Curry (25:43.471)
I agree.
Justin Gardner (@rhynorater) (25:53.052)
every company has security vulnerabilities. So the fact that somebody's fixing a security vulnerability doesn't mean that it's bad that they had a security vulnerability in the first place. It means that there's one less of them. So I guess I'm sure you have to do some coaching with these companies too on how exactly to portray that to the public.
Sam Curry (26:11.254)
Yeah, it's super funny because I think a good parallel there is the power of marketing to make a company look so big and so secure, like the mythos of Apple. You now have this great big company of Apple, but then you have this security researcher who's able to hack Apple. Instead of, hey, maybe Apple as a company is like any other company and it has security vulnerabilities, the media story then becomes like, oh, this hacker is just so smart that they've hacked Apple. But it's like, well, no.
It's just any other company, right? Like if that makes sense, basically what I'm trying to say is like, you know, like, yeah.
Justin Gardner (@rhynorater) (26:41.388)
Mm-hmm.
Justin Gardner (@rhynorater) (26:45.728)
does.
Joel Margolis (teknogeek) (26:48.878)
Do you find that a lot of companies are, like is there any correlation between like size or revenue or anything with like how good their security is or is it pretty much, because I noticed like when you're picking targets, you really don't, like it never even seems to cross your mind like, oh, this might be difficult to hack. You're kind of just like, I want to do this thing on the, like I want to honk the horn, right? Whatever it is. And then you're just like.
Justin Gardner (@rhynorater) (27:09.673)
Mm-hmm. Ha ha.
Joel Margolis (teknogeek) (27:12.162)
fixated on that and figuring out how to get there. It doesn't really matter what the company is or what their infrastructure is. It's really just one step towards the goal. Does it ever get in your head, oh man, this company is so secure, I don't think I'm gonna be able to hack it or anything like that.
Sam Curry (27:27.566)
Yeah, sometimes to give an example, there's like, funny enough, I was going through like the San Francisco airport and there was a coffee machine that had like a robot arm and it was like a scan on your phone to order a coffee and the robot will make it for you. And I was like, that's hilarious, right? And it turns out that they deployed this machine inside like Tesla, like so Tesla has one inside their office and it's remotely connected to the internet and you can push commands to it through some website, right? And I tried super hard to hack this like coffee robot and I couldn't find a single vulnerability.
But then like as we're going along the airport, I see like, you know, Delta or like an airline and no sooner did I find like a critical vulnerability and like an actual airline than like a coffee company, right? And it's like, how do you tell like what's secure, what's not, it's really impossible, right?
Justin Gardner (@rhynorater) (28:06.196)
Yeah, yeah.
Justin Gardner (@rhynorater) (28:11.22)
Mm, yeah. I've thought a little bit about that. I was about to ask the same question, Joel, and it's like, one of the things that I do like about bug bounty in particular though, is that you do get some of the more hardened AppSec targets, right? Most of the very hardened AppSec targets are gonna have a bug bounty program, because otherwise how are you, you know, getting this hardened, I'd imagine. And so, where does that?
Joel Margolis (teknogeek) (28:13.346)
It's interesting.
Justin Gardner (@rhynorater) (28:37.748)
Where does the actual technical challenge come in for you versus these goals that you set up for what you want to accomplish?
Sam Curry (28:45.858)
Yeah, so I think that the technical challenge comes in when like, the technical challenge for me and like where I really delve into the world of like the technical challenge is like if I have a goal and I can't quite seem to get to the goal and I have to accomplish some hurdle to get there. Sometimes it's like, I'll discover some new attack method or I'll find like some interesting research because I want some you know end goal. But other times it's like very simple where there's like no research involved. Everything is very simple. So for instance, right, like
Justin Gardner (@rhynorater) (29:10.485)
Thank you.
Sam Curry (29:14.442)
One of the car vulnerabilities we found was like a company called Spireon and there's millions of connected devices that are behind this admin panel. And to get access to every single one of the devices, it was literally just SQL injection, like admin quote space pound dash or whatever. And then you're, and yeah, and it's like, you feel like one thing that's kind of frustrating for me is like, uh, I've done like, we've, we've done like a lot of really cool blog posts, right? Where it's cool research. It's interesting. And then like,
Justin Gardner (@rhynorater) (29:30.265)
No.
Justin Gardner (@rhynorater) (29:40.178)
Mm.
Sam Curry (29:43.326)
Maybe I wanted to blog about like car skater or something, but like to actually get there, like the actual method is like very simple and you kind of feel like you're cheating people a little bit. You're like, here's how we did this big thing. It's very simple. And you're like, well,
Justin Gardner (@rhynorater) (29:55.637)
Yeah.
Joel Margolis (teknogeek) (29:57.994)
Like you do wish it's, I know exactly what you mean, because you do wish it's like more of a challenge. Like some of these things are like, oh, this is gonna be so hard. Like I'm gonna have to go through all these layers of security and all these things. And it's literally just like one unauthenticated endpoint. And you're like, oh, that was really, I mean like, yeah, that's bad, but like that's so lame. Like I wish it was more fun than that to have to get to here.
Sam Curry (30:14.137)
Yeah.
Justin Gardner (@rhynorater) (30:14.198)
Yeah.
Sam Curry (30:18.634)
Exactly. Yeah, there's like no story to it. It just feels kind of like you're cheaping it out a little bit, but yeah, that's kind of thriving in that technicality bit.
Justin Gardner (@rhynorater) (30:27.02)
But that's the scary bit, though, too, is you have these goals, very realistic goals, very black hat-y goals that any black hat would like to have. And then they're like textbook SQL injection. And it's like, oh, no. So on one hand, it makes for less of a technically interesting story for us that are often in the weeds and hacking stuff that's really hardened and go in there and figure out, OK, it's just like a...
textbook SQL injection, but from the story perspective, it actually even makes it a little scarier, because it's like, oh, this was a textbook SQL injection. Somebody two months into their hacking journey could have found this, and it does make you understand, because we know the vast amount of people that have, there's a very big difference between the really, really pro security researchers and the amount of people that get.
far enough to do a textbook SQL injection, right? Like there's a way bigger group of people that can do that. So there's, by extension, there's a way bigger group of people that could do this from a black hat perspective. So it's definitely a little bit scary to see that sort of thing. I wanna take a turn here and talk about this don't force yourself to become a Bug Bounty Hunter blog that you put out, I don't even know what, this was probably like what, five years ago maybe?
Sam Curry (31:26.37)
Yeah.
Justin Gardner (@rhynorater) (31:55.452)
But this is a very interesting blog, yeah, four years ago. Very interesting blog because essentially this is something that you and I kinda discuss on a regular basis, just because our personality types are very different and how we approach things. And essentially what you talked about in this blog was this whole concept of like, trying to foster the passion for bug bounty versus forcing yourself to be able to do bug bounty.
And I think you can kind of see this come through in your hacking as well, because you're spending your time focusing and hacking on things that you're passionate about. And when you became less passionate about making money, you know, your focus shifts from Bug Bounty to this more, I don't know, mercenary hacking or whatever you want to call this thing, right? And so, like, what advice do you have for people that are getting into Bug Bounty?
and are putting themselves through the challenge of listening to this podcast, in fostering that passion and using that as a motivator for their bug bounty experience.
Sam Curry (33:03.574)
Yeah, so to talk about that blog a little bit and kind of just like the advice is like when I wrote that blog, it was at a time where like a lot of people were reaching out to me like, hey, I really want to get in security. Can you give me tips? Can you mentor me? Can you give me these examples? Like how do I get started? What do I read? What do I do? And like you have like kind of this textbook person who they're sitting at their desk, it's five o'clock, they just got home from work or school or whatever. And they're really stressed out because they want to, you know, they see these people like finding bugs and like how do I get there? And they're trying to read through and like flip through these books and maybe it's not working super well where
they feel like you've, you're kind of in this mindset where you feel like you've got this end goal and you have to like really grind to get there. Maybe some like, there's something in your ethos where it's like, I need to be like military about my study and like my work routine and like commit to get there. But when I write about like, hey, it's like, don't force yourself to be a bounty hunter. It's kind of a, a preach to people, I think, like with the same mentality as me. There are people, for instance, Peter, Pete Yaworski, who
worked at Shopify, I don't know if he's still there, but when he got into bug bounty, he was someone who I think was able to do it really, really like military kind of style where he got himself started really quickly, did courses, did trainings and it worked super well. Like Pete became one of the smartest people like in bug bounty and like in security that I knew. And he did it through like this kind of military training where it was just like a lot of like intensity. Um, but me on the other hand, it was never like that. Right. So when people came to me and were like,
How do I like grind like you grinded, you know, like you have this workout thing. It's like, well, no, I don't like what, what I did to get like bug bounty is like, I kind of just like, instead of like trying to pick the books to read, you know, I was playing video games and I like wanted to get rich in the video game. And like, that's, you know, like fostering that like flame for me was like so much better, right. Um, and it depends like per personality. Um,
I'm not comparing anybody in Bug Bounty whatsoever to like, Magnus Carlsen, but there's a really funny thing in the chess documentary about like, the world's greatest chess player, like total genius, like fantastic guy. But when he got into chess, like his parents realized he loved chess and they immediately got him this coach. And the coach guy, the first one was like, you need to read these books and do this. And it didn't work out. Like he immediately became, you know, but the second coach he got, he looks at Magnus Carlsen and he's like, let's just step away from it and like, let him play chess and like have a good time with it.
Sam Curry (35:26.894)
So like he's reading like, you know, like Donald Duck novels and playing chess at the same time. And it's like, he becomes like the greatest like chess player of all time, right? Where someone else like, there are other chess players who are like world champions here who have like different regiments, right? Maybe they're born into, you know, very routine oriented, like normal stuff. But I guess what I was trying to get from the blog post is basically like.
If you feel like it's not working well, and you feel like there's all this pressure, I've never once found the bug like in that pressure. I've always like when I find good bugs, it's like relaxed and good, you know, so maybe don't force yourself. So.
Justin Gardner (@rhynorater) (36:07.656)
Yeah. Wow. Yeah, no, that's, I'm sorry, go ahead, Joel.
Joel Margolis (teknogeek) (36:12.494)
Well, I was just gonna say, like, I definitely felt a lot of this as I progressed throughout my career, both through Bug Bounty and like professionally, especially with like the lack as I've had both. There's a lack of financial dependence for me for Bug Bounty. And that's also changed my mindset on it significantly where when I was first starting Bug Bounty, I was like, you know, a lot of other people who are just starting Bug Bounty, they don't have a lot of money. There it's like a really good way to earn money and like put your skills to use. And it's like engaging, but then it shifts.
just like any other job where it becomes work and it becomes like a thing that you feel like you start to have to do. And like, especially when they take it full time, like, you know, I'm sure there are some days you wake up and you don't want to hack Justin, but you have to, right? Like you need to submit a bug to get, you know, some money today or in three weeks or whatever. But, you know, and so I think one of the things I really like about how you hack Sam is that like, you, it's not like, it's almost never about the money.
Justin Gardner (@rhynorater) (36:56.413)
Mm-hmm. Yep.
Joel Margolis (teknogeek) (37:10.866)
It's about like, oh, this seems really interesting. Like, I wanna just follow this and this is so engaging. And that's when I find, just like what you said, for me, that's how I feel engaged when I'm hacking. It's not when I'm stressed, not when I'm like, oh, I need to hack, oh, I need to be doing, I feel like I have to hack, no, it's I want to hack. Oh, that's really interesting, I wonder how that works. Oh, that's a super interesting thing. It's not about the bounty, it's not, oh, do they have a bounty program? It's like, oh, that'd be really cool if I could do XYZ. I wonder if that's possible.
Justin Gardner (@rhynorater) (37:30.036)
Mm.
Joel Margolis (teknogeek) (37:40.918)
And I think like that natural curiosity is so much better of a driving factor than like chasing after money because the money will like facilitate things in life, but it's not gonna really necessarily make you happy and I would like to know sort of how you balance that because I know you didn't always have a full-time job and so Hacking a lot of time was a source of money for you Did you have to do like sort of dual like hacking where you're like hacking for money and then also hacking for fun? Or like how did you manage that?
Justin Gardner (@rhynorater) (37:46.732)
Mm.
Sam Curry (38:10.562)
Yeah, sure. So I can actually share my full kind of progression, right? So my first job I worked at a fast food restaurant. So it was very like, at that time, it's like in the high school, I'm trying to balance paying certain bills or whatever. And then I got into Bug Bounty where I'm earning, let's say, an extra $1,500 a month. And for me, that was huge. That was enough to quit my job. I'm still living with my parents this time. And then after that, I started doing Bug Bounty full-time where I was maybe earning, I think like...
In a year or two, I earned like 100,000 USD a year, which is great for like Bug Bounty. And at that point, I was like really enthusiastic about it, but I wanted more stability because I felt kind of stressed. I was in college and I was like still earning money from Bug Bounty, but I was like, this is really unstable. What if it all falls apart? So then I got a job at HackerOne where I worked as a security analyst or triager. So when I was in college, I worked as doing triage for HackerOne and I had that kind of consistent income.
I wasn't doing enough bug bounty on the side. So I was actually making, I think less, but it was like stable air quotes, you know? And then I transitioned, sorry, this is like the full recap, but maybe it'll help somebody. Okay.
Justin Gardner (@rhynorater) (39:17.696)
No, no, this is good. Keep going.
Joel Margolis (teknogeek) (39:18.178)
No, this is good because I think this is, I mean, I took a very similar approach. I think a lot of people do, especially when they're going back and forth between like full-time work and bug bounty work and all that. So yeah, this is awesome.
Sam Curry (39:28.098)
Yeah, right. Yeah, like the transition part's really good. But after kind of college, I did like a year of college and I stepped away. And at that point, I wanted to transition to more like a real security role. So I worked at a security consultancy where I was doing 40 hours of pen testing. It was like, you know, a pen test grind, you know, that was a, that was definitely a grind. It's probably more than 40 hours, but it's very routine, like hacking the same thing, but it's very, it's good money and it's a good salary.
And I didn't feel like content at that point because I felt like I was losing potential because you know, I, there's like Tommy DeVoss, who's making like, you know, it's like my SSRF was like 50 K and like, geez, like what is going on? Like, uh, and that was like the yacht, the peak of the Yahoo program, right? And at that time with the Yahoo program, like going off, I was like, I need to step away from consulting. So I kind of like put my two weeks. I was like, Hey, I really appreciate the opportunity, but I want to do full-time bug bounty. So then I transitioned to like maybe.
Joel Margolis (teknogeek) (40:09.654)
Yeah.
Sam Curry (40:25.538)
three or four years of like full time hard like bug bounty, which was like, your income goes up a lot and like it's you learn a lot, but it's really stressful. And at the end of that, at the end of that four or five years was when cryptocurrency stuff started to kind of take off. And I thought like, there were so many. Oh, yeah, go ahead. Yeah.
Justin Gardner (@rhynorater) (40:42.672)
Can I pause you here for a second? I'm wondering why that was stressful and what kind of, is it because the income was inconsistent? Because for me, one of the things that's been really interesting with full-time Bug Bounty is you get a big, you know, windfall essentially from, you know, a great event or, you know, popping a target or whatever. And then, you know, the next month comes around and sometimes you still feel like, oh, I need to hack again to pay my bills, but my bills are paid for the next year, you know? Like, so...
Sam Curry (41:10.338)
Yeah.
Justin Gardner (@rhynorater) (41:12.)
Can you talk a little bit about how that was stressful for you?
Sam Curry (41:15.446)
Yeah, sure. I think one big thing for me at the time, it's like, I think when I'm hacking or when I'm involved in something, I'm either like zero or a hundred, right? And one thing that's for me that is like, I didn't really address until like later in my life is I'm a type one diabetic, right? I take like insulin every day for like meals and stuff. And I like neglected like caring for myself pretty much up until I was like 20, 22 or something, you know? So basically, my blood sugar.
Justin Gardner (@rhynorater) (41:24.36)
Mmm.
Sam Curry (41:44.278)
it was like four times the normal level was supposed to be from when I was like 12 to like 20, right? And that like took like, yeah, it was really, really bad. There's probably gonna be some, you know, like I have like nerve damage and stuff and things like that. But like, when I was like doing full-time bug bounty, there were other things too that kind of came up where every morning, like, it was kind of funny. I think the other day I was like, I was like, am I allowed to call myself like a bug bounty person? And I realized that like,
Justin Gardner (@rhynorater) (41:51.276)
Wow.
Sam Curry (42:14.318)
Pretty much every day for the last seven years, I've consistently just woken up, immediately gone to my computer, the whole day is at my computer doing security related stuff, every single day. And a lot of the people I know are the same, right? But it doesn't really help go towards a balanced lifestyle. The version of me in high school, I wanted to make a ton of money, I wanted to do these really cool things, and I really committed to that one bit, right? But now I have a girlfriend.
responsibilities, like duties, and I'm doing full-time bug bounty and I can't like let that go where it's like very stressful because like, I'm committed to like, you know, if I don't out earn myself the month before, I just kind of blow up a little bit. So yeah, sorry.
Justin Gardner (@rhynorater) (42:55.548)
Yeah, so that's a really tricky piece, right? Because it's like, why do we feel like shit if we have a down trending month after we just had us, you know, yeah. Go for it, Joel, let me hear your opinion.
Sam Curry (43:07.563)
Yeah.
Joel Margolis (teknogeek) (43:09.607)
answer this. It's because your performance is directly based on your personal, you know, like how good did you do, right? Did you find the bug? Did you break through the really hard wall? And if you don't, then you see it as a personal failure, even though you're dealing in a world where you can be hacking on the coffee machine for three hours and find nothing and you can hack on Delta for 30 minutes and find a critical, right? And the world's just weird and unfair like
Sam Curry (43:37.722)
I totally agree. Yeah, like the unfairness I totally agree with. It's like, you know, you're looking for like, ideally, you know, if you like lift weight, you're slightly increased your whatever over time, it's a very consistent good word. But like, you know, like some people like Shubs, like one of the best hackers ever has like a blog where he's like, I wasn't able to find bugs for months and it like burned me out. But it's like people have down months, like you say, but like, mentally being able to separate that is like, for a lot of us, it's really hard.
Justin Gardner (@rhynorater) (44:07.686)
Yeah.
Joel Margolis (teknogeek) (44:07.786)
Yeah. So what was your mental during that time, those like four or five years when you were doing Bug Bounty full time? Was it because now, again, like now it seems very much like goal oriented hacking. Back then, was it just money, like just focusing on paying bills and finances and all that kind of stuff and just doing hacking as a job more than anything? Or like, did you find any fun in it?
Sam Curry (44:29.538)
Yeah, I think it was a mix of like bills, but also the community at that time. That was when I was like most involved, I think in the bug bounty community. That was like live hacking event after live hacking event. Everybody I know was doing full-time bug bounty and like my whole world was like bug bounty, right? Like everybody I kind of talked to bug bounty, bug bounty, bug bounty. Where now it's like, you know, I have friends in security who are doing consulting or like EDR or like these things and there's all these different worlds. Right. But at that time, the only thing I cared about is like, am I going to get MVH, like I gotta go for these awards?
Justin Gardner (@rhynorater) (44:58.144)
Hahaha, I definitely feel that. Yeah, no that-
Sam Curry (44:59.159)
Yeah, I mean.
Joel Margolis (teknogeek) (45:00.59)
Gotcha, gotcha. It's a different type of goal, you know?
Sam Curry (45:01.75)
Yeah.
Justin Gardner (@rhynorater) (45:05.224)
It definitely is, yeah. And there's a lot of aspects to it, because the, and I know for me, just sort of on the flip side, going back to the motivation conversation is like, for me, my passion, I have a strong passion for hacking, obviously, but for me, I think the dopamine payout or whatever, is oriented a little bit more towards success as a generic entity, rather than hacking in general.
You know, like I love the process of hacking, but my payoff comes from succeeding in some way, right? So that's why, like for bug bounty, that's why I can pick a target, and I can say, okay, my goal is to hack this target or whatever and make this money or whatever. And it's not, and goal-oriented hacking is really helpful. We've talked about that on the pod. It's super invigorating when you actually pop the goal of what you wanna do.
But I think for me, it's more of a success-oriented thing. And that's why I have a little bit more, I think, sustainability than most people in Bug Bounty, because it's like, OK, let me just set these arbitrary little goal posts. OK, I want to get this extra gadget. And we've talked about this as well. It's like, you got to.
recognize little pieces of success on the way with hacking because sometimes you are gonna slam your head against the wall and you're not gonna get anywhere. But if you recognize, oh, hey, there's a gadget that allows me to, you know, do a path traversal in an OAuth flow, even though I don't know how to leak the code, I can land it on any page in the domain, right? That gadget alone should be a little bit of a payoff for you, you know, from a motivation perspective. And keeping those up, I think, really...
that's kind of where my motivation comes from in these sort of scenarios, which is pretty different. And the long time bug bounty flow is really tricky to stay healthy throughout that whole thing. And you mentioned, I think in that blog post that we were talking about, that don't force yourself to be a bug bounty hunter, that you have dealt with burnout along the way. And I'm wondering how you deal with that and how, because four years as a full-time bug bounty hunter is a long stint.
Justin Gardner (@rhynorater) (47:26.12)
So how did you get over those and how did you return to hacking when you were kind of burnt?
Joel Margolis (teknogeek) (47:31.19)
Yeah, and also maybe that'll cycle back in, because I know we kind of paused your story as you were going through sort of how you got to where you were, so I'm also curious how that played in.
Justin Gardner (@rhynorater) (47:37.805)
Mm. Yeah.
Sam Curry (47:42.106)
Oh yeah, absolutely. I think like four years is a long stent for like anything I think too. And like one big part of that is like you're learning like the whole rest of your life. Like, you know, like I'm talking to people who are having kids are getting married. There's like so much like you're trying to. So maybe like you've got your I mean, it's just so much to try to process. Right. But to go to the bug bounty part where it's like burnout can be really tough where I mean, some of seriously like maybe.
Justin Gardner (@rhynorater) (47:54.974)
Hmm.
Sam Curry (48:10.778)
I think a year and a half ago, I probably had like the worst year of my life because I was removed from, I kind of removed myself from Bug Bounty. I'll talk more about that. And I didn't really have any metric to kind of feel successful or like anything to tie my success to or happiness to. And I just felt very stagnant. And the reason for Bing was to go all the way back, the four years of Bug Bounty, it had its highs and lows, like its rollercoaster, like everything else, you know.
Events like I know like working with like Doggy G, we got like first and second place is really, I was really happy with. And that's like a really high moment for me is like being able to get the awards and like going out on stage. And it's like, you've done a really good job. You feel great. But then the other months where it's like, you don't find anything and it's, you know, but like dealing with that is super tricky. And it's like a life thing, I think, where you're trying to learn how to deal with that. But.
What ended up helping me was transitioning to starting a consultancy, which is what kind of I did after that, where instead of doing bug bounty, I wanted to get kind of more involved in the pen test world. And I kind of started the story a little bit, but at that time we were auditing a lot of like cryptocurrency stuff, because there's all these crypto bug bounty programs and they, we realized that they didn't really have a lot of web security. So we started doing web consulting for like, you know, these big exchanges like Bitfinex or Coinbase or like, uh, OpenSea, things like that. Right. And we.
Me, Brett Buerhaus, Mike Robert, we had this small team of people who built this company out over a little bit over a year, right? And it was really, really fun where you started this big process where you've got your statement of work, these documents, everything's signed up and you're getting clients and stuff and you have that growth, right? So it was a year of building something great and like you're really happy about it. But what ended up happening was like we, one of our customers that we worked really closely with, they actually acquired the company and we went over to work as employees.
And at that point in time, like it was really great and we're doing a lot of work, but it slowly kind of the less work and less work. And, uh, I wasn't really, I was working like private company now, and there wasn't a lot of security people. And the work we were doing, like, wasn't, I didn't really feel like I was like, maybe doing the same level of work I was doing before. And it kind of turned into just not really having any positive feedback. Right. And that year of my life, I think was like really not knowing how to like manage that was really, really hard.
Sam Curry (50:36.289)
Um, but yeah.
Joel Margolis (teknogeek) (50:38.818)
Yeah, I mean, it sounds like you were kind of in a bit of a flux where it's like, you know, you just come off this sort of high intensity push for the last couple years of just like nonstop grind. And then you suddenly fell into this very stable situation. Um, but almost like too stable where it's like, oh, there's no, like, where's the excitement? Like there's nothing really like it's so. Day in, day out, just like come to work, leave work, come to work, leave work. Like, you know,
Justin Gardner (@rhynorater) (50:38.869)
Yeah.
Joel Margolis (teknogeek) (51:08.938)
And there's it's just like not very fulfilling. And is that sort of the point where you started doing the big target hacking or like were you already kind of doing a little bit of that and you were like, let's get back to that.
Sam Curry (51:22.414)
Yeah, so I think I was doing a little bit of that, but I kind of transitioned to it a lot harder at the end of it because it really does suck because bug bounty specifically too is like, you work, you put in the hours, you get a bounty. Like it's a very, the cycle is there, right? But with a salary, it's just so disconnected of like, do you do extra work this month, no work this month, and shifts a lot. Like realistically, like it's gonna shift a lot, right? But you still get that consistent paycheck every month. And then your brain kind of stops, it like removes that association you had before of like,
time, effort, money, right? So like, yeah, it really sucks. And at that point, yeah, I kind of was like, I wanna do more of what I love that has like results and stuff, right? Like working, the Shubs, I think too, kind of felt the same way and I had a long conversation about it where he has done like so much security work and like provided like so much value and done bug bounty so much, but like he, at the end of the day, he wanted to do.
Joel Margolis (teknogeek) (51:54.594)
so true.
Sam Curry (52:21.078)
like high impact vulnerability research. So we kind of worked together on that and that changed a lot. Right.
Joel Margolis (teknogeek) (52:26.366)
Yeah, so I will say I noticed that you do a lot of collaboration and stuff with other hackers. Oftentimes a lot of the same hackers, but what has sort of led you to like what I know a lot of this stuff, like what you'll just like be in one of our group chats and it'll be like four in the morning and just suppose I just found some crazy vulnerability like exercise and just like, okay, I'm going to go to sleep now. And you're like, Oh, okay, that's pretty wild.
Sam Curry (52:50.382)
Hahaha
Joel Margolis (teknogeek) (52:54.602)
But that's not all the time. I know sometimes you do sort of fall off into your little hacking cave, and you're there secluded doing your own thing. But other times, there's this secret sort of huge force of hackers behind a lot of the work that's being done of really, really talented people working together to sort of exploit large systems at scale. I like to think of it sort of as putting together like an A-Team, where you're like, you know.
all these action movies are always like, you got the hacker and the tech guy and the driver and the gun guy. And it's kind of like that when you're building together this team, but you know so many people, we all know so many people that are really, really good at these things. How do you pull your team together? How are you deciding who you want to work on stuff? Like when to reach out for help and not just do something yourself? Because it's not like there's a bounty here. It's not like you're at risk
Justin Gardner (@rhynorater) (53:26.106)
Hahaha
Sam Curry (53:26.755)
Hahaha
Justin Gardner (@rhynorater) (53:29.785)
That's great.
Sam Curry (53:37.678)
Ahem.
Joel Margolis (teknogeek) (53:53.814)
you know, duping or anything like that. Like you're very deep into these systems most times to the point that nobody else is. So it's not really like there's a pressure thing. What sort of, what's the thought process when you start to reach out and build, like pull more people into these projects?
Sam Curry (54:10.006)
A lot of times, the initial thing for me is a specific question. For instance, Joel, you're one of the greatest mobile hackers. I know nothing compared to you, for instance. Whenever something mobile related that's confusing or is really difficult to approach, I'll often just reach out to you and hit you up. At that point, you're in Corellium making a script and it's this collaborative process where now you're involved because you've done the thing and you're invested. You're like, okay, what's going on? Then maybe you want to keep working on it.
I nagged a lot, like for the Apple research, like Brett, when I first started it, it was just me and I was doing it and I was sending everything to Brett. He must have gotten like, he's got kids, he's got a wife, it's dinner time, his phone's probably blown up. I'm like, Zaya dude, like please, like, please hop on this, like. And he eventually did, right? And then he's like, what's all the fuss about? He joins in, he's like, oh, this is actually interesting. So I think like, I don't know, I don't have like, there's no elitist, like, there's like this concept of like...
a hacker group or whatever, where like you used to have like this hacker name and like this big, you know, be like TeaMp0isoN or something. You've got like the eight members and it's like this kind of elite organization or something. But for bug bounty stuff, it's just like, hey, I'm gonna spam you with stuff and if you can help if you want to, and then maybe you like add one thing and add another thing and then like we build the full picture and then like people get credited and stuff, right? So yeah.
Joel Margolis (teknogeek) (55:32.81)
Yeah, that's good. No, that's good. I mean, I think what I see especially is everybody has these skillsets. It's just like you said, like I'm good at mobile. So if somebody needs to unpin an app instead of spending four hours like trying to break their head through their computer screens to like figure out how that works, they just send me a message. I'm like in 30 minutes, I'm like, OK, here you go. All done. And like that sort of outsourcing of work can be so useful when you're attacking these big targets, because.
Justin Gardner (@rhynorater) (55:52.246)
Mm.
Joel Margolis (teknogeek) (56:00.182)
the it's just like lots of different skill sets, right? I think that's one of the one of the really awesome things I've noticed as you attack targets across all spectrums of things, whether it's airlines, whether it's hotel key cards, whether it's ISPs, TLDs, Starbucks, whatever it is, right? Like they're all using different technologies. They're all using different, you know, setups and configurations and the method of attack can be different a lot of the time, but you have a really good way of identifying
like, hey, you're good at this thing, like help me with this. And then not only that, but you like pick up that skill yourself really well, and then you're able to sort of like foster it and use it later. And I think it's really amazing to just sort of see the research as it goes. I did want you to talk a little bit about Hackcompute actually, because as we're talking about sort of these like big hacking projects and stuff, I know that this is something that you and Shubs and a couple other people have been working on sort of maybe quietly-ish behind the scenes.
But yeah, can you just tell a little bit about what that is and everything?
Sam Curry (57:03.458)
Yeah, sure. So Hackcompute is kind of like this fun group we put together where it's like, we wanted to have like this idea of like old school style zine publication where it's like fun hacking research that's maybe not, you know, either bug bounty that it doesn't end in like, oh, and then we got 20,000 to it's mostly just kind of fun research, right. And the idea for it originally is that it would kind of exist as like this kind of like nameless, each blog post would have a different group of collaborators. And each post is just, you know,
Um, and then we would do cool, like high impact research or things that were interesting to the people who wanted to contribute to it. Um, and the way it came about was because, uh, when we did the car hacking research a few years ago, um, I like, it was kind of like me and a few people originally who were pushing towards like, let's do car hacking. And it had this big group chat and there's a lot of people involved, but the blog actually got, ended up getting published on samcurry.net, my domain. And even though like the names were listed as collaborators, I still like
there's this like kind of small tension of like, hey, like we all did this work, but it's hosted on samcurry.net. And also like, I just feel super guilty about it because it's like, when people go to see the blog posts, it's on samcurry.net. Like it, you know, it's like the Facebook, like a Mark Zuckerberg production, whatever for, and I just like, it doesn't feel good because you feel like you're stealing people's credit, right? And the idea for Hackcompute is like this idea where it's like intentionally collaborative, where it's behind a name. And that's kind of like the origin of it, right?
Joel Margolis (teknogeek) (58:35.095)
That's awesome.
Justin Gardner (@rhynorater) (58:35.164)
Yeah, that makes a lot of sense. And that way, you know, it can be, and that way lots of different hackers can contribute it to, and it can sort of just be a hub for really awesome hacking achievements. Definitely excited to see where that goes. And if I ever pop anything not bounty related, I'll let you know, and we can see if we can put it up there. Yeah.
Sam Curry (58:36.014)
Cheers.
Sam Curry (58:56.52)
Oh, please. Yeah, we love that.
Joel Margolis (teknogeek) (59:00.558)
Okay, I did want to talk about some technical stuff too.
Justin Gardner (@rhynorater) (59:03.292)
Okay, okay, hold on, Joel, I'm sorry. Just before we get, because I do as well, but I actually wanted to hit one more non-technical topic before we transition, is that fine? Okay, so last one, and then we'll transition into some hacking stories and getting the technical content.
Joel Margolis (teknogeek) (59:11.214)
Okay. Yeah, yeah, go for it.
Justin Gardner (@rhynorater) (59:21.524)
We have our little doc over here and it says, one of the things you wrote down here, are we really even solving problems here with Bug Bounty? And I think this is a really interesting question and one that I kind of wanna flesh out a little bit with you, like, what are your thoughts on the efficacy of Bug Bounty with regards to security as a whole? Yeah, let's leave it at that.
Joel Margolis (teknogeek) (59:29.166)
It's so real.
Sam Curry (59:29.23)
Hahaha
Sam Curry (59:46.274)
Yeah, absolutely. So the conversation around like, is bug bounty solving the issues? Like, I think you could approach it at every angle and pick the supporting evidence and prove every point. So, for instance, I could say like, bug bounty isn't solving any problems because your CSRF isn't fixing any real bug that a nation state and someone's always going to social engineer and blah, blah. And it's like, but on the other hand, it's like, bug bounty has like created this like culture of like.
Justin Gardner (@rhynorater) (59:57.907)
Mm.
Sam Curry (01:00:13.634)
AppSec focus, like web security, like heavy, like it's, it's kind of brought itself. Like there's these old school hackers who are doing like internals and windows. And like they saw web security is like this kind of lame, like cross-site scripting, it's like, who cares? But like nowadays, like everything is web. Like if you wanted to pick a single category of research to get into where you have the most impact and most, you know, expandability, it's like web security. Right. And I think bug bounty has like, have I, everybody having
Justin Gardner (@rhynorater) (01:00:27.402)
Mm.
Sam Curry (01:00:42.07)
Bug bounty programs, like pretty much every company has a bug bounty program now or at least a security contact, right?
Justin Gardner (@rhynorater) (01:00:47.808)
Well, okay, all right, with that caveat, I'll let you off, but there's still so many programs that don't pay for bounties, which is really crazy to me. But yeah, there's definitely been a big expansion of like security.txt and that sort of thing in the past couple of years.
Sam Curry (01:00:50.947)
Caviar.
Sam Curry (01:01:05.302)
Yeah, I'll even name drop like cloudflare, like 5k max like you run the internet dude, like you've got like 80% of every website. It's like, please, you know, like, increase your bounties because nobody's like hacking on it for money because you're Yeah. Exactly. Right. Like, I totally agree that like some companies like 100% but like the difference between like, you know,
Justin Gardner (@rhynorater) (01:01:07.679)
Yeah.
Justin Gardner (@rhynorater) (01:01:12.762)
Come on.
Justin Gardner (@rhynorater) (01:01:18.888)
Nobody's interested in a 5K bounty with that big of a target.
Sam Curry (01:01:29.994)
And it's such a, I'm not that old, but even like five years ago or six years ago is like, you've got like Yahoo and like the big companies and like, but like companies, like a big, big companies are being brought in, like doing bug bounty. Right. So with the question of like, are we even solving stuff? Um, I think that like AppSec and like patching out these like single issues is contributing to this big kind of security culture and knowledge base that is like really, really affecting change and like security stuff.
Justin Gardner (@rhynorater) (01:01:36.266)
Mm-hmm.
Justin Gardner (@rhynorater) (01:01:42.728)
Mm.
Sam Curry (01:01:58.218)
And you're seeing a lot of pushes now from, for instance, like a Jack Cable was a very prolific bug bounty hunter and he got involved in like CISA and like us government stuff and he's helping with this push towards like secure code by design, right, which is a, a huge, really great effort of like, you know, can we fix, can we, can we take what we've made, adjust it a little bit and fix it like fundamentally. And I think that's like a really great push, but that's kind of my conversation about that and how I feel.
Justin Gardner (@rhynorater) (01:02:24.904)
Yeah, so go ahead, Joel.
Joel Margolis (teknogeek) (01:02:26.122)
Yeah. Well, I would say definitely like from a program side and like a security team side. You know, I think most companies should have some sort of at least a security contact, but maybe a bug bounty program as well. Like all the bug bounty program really does is like offer people an incentive as well, right? Like if you want people to come and hack on your company and find vulnerabilities externally, then you can offer money for that and you can put money where your
Joel Margolis (teknogeek) (01:02:55.978)
You can do that without a cause. I think it's important that no product is going to be free of vulnerabilities. Eventually, there's going to be some hacker who's going to want something from your company and they're going to try and find some way to do that. If you have some ethical way for them to reach out, that's fine. It's not an end all be all solution. It's not a silver bullet. It doesn't actually create security in a sense.
It's just part of the, it's like what you said, it's like it all flows into like what is security as a whole, like what's your security posture and like having some way for external researchers, ethical or bug bounty or whatever to reach out is just part of that posture, but it's not like, oh, we have bug bounty program now, like, thankfully all the hackers are now going to submit their vulnerabilities to us and we'll never, like fire all those app sec engineers. We just need one guy to triage. Like that's.
I think that's a really common misconception that a lot of companies think is like, oh, once they spin up a bug bounty program, now they're secured on all fronts. And it's like, all you've done is created a doorway or a mailbox for people to insert letters, but people could just ignore that and just walk past it and not give you the letter or post it on a blog or reach out via email or all these other ways. So I think it's a good...
Justin Gardner (@rhynorater) (01:04:09.376)
Mm.
Justin Gardner (@rhynorater) (01:04:15.008)
posted on a blog. Ha ha ha. Exactly. Ha ha ha.
Sam Curry (01:04:16.969)
Haha
Joel Margolis (teknogeek) (01:04:17.038)
Yeah, maybe like hackcompute.com or something, I don't know. Yeah, but no, I totally agree. I think it's definitely just a little piece. And it does solve some things for sure. There are absolutely things that get caught through bug bounty that wouldn't get caught otherwise. But it's such a niche almost, right? It's not pen testing. It's not internal security. It's bug. It's like its own little part of the pie chart.
Sam Curry (01:04:20.054)
Oh.
Justin Gardner (@rhynorater) (01:04:37.896)
Mm.
Justin Gardner (@rhynorater) (01:04:44.212)
Well, there's definitely an order of operations there too. Like, I feel like you should not have a bug bounty program if you don't have 2FA enabled, you know? Or if you don't have like a hardware key or something like that, because at the end of the day, most of the attacks are occurring from phishing and stuff like that. But one other thing, and I've been kind of toying around with this in my head for the past couple years of like, okay, you know, if an attacker's really gonna go in, they're gonna go in via this pathway, right? But at the end of the day,
If you have a bug that is just gonna let you, let's just say theoretically, you had a zero day RC on Nginx, right? Like, you're always gonna use that. Like, you're not gonna go fish somebody if you've got a way in where you have no interaction with any other people, especially when these hackers are spending, especially the highly technical ones, are spending a lot of time with the computer, you know? And less time, you know.
deceiving people and building those skills required to do that. So I definitely think there's two sides of the coin, and I definitely think there is a lot of risk from an AppSec perspective. And I think the biggest risk, though, that I think bug bounty really helps absolve is getting users very, very deep into your application, where actually you're getting hackers really deep in the application where the users are, and then getting trained security eyes on that, incentivized trained security eyes on that.
Because all it takes is one user that says, oh, in this weird, obscure functionality, we're up at the deep, deep in the application where the URL says, oh, user ID equals 123. What happens if I change that to a four? And then now your database is gone. And so getting deep into that and getting hackers that deep will help prevent those very obvious vulnerabilities as well as secure some of those more APT type threats. I mean.
Are you with me on that? I mean.
Sam Curry (01:06:40.446)
Yeah, 100%. I mean, like the idea of like, an exploitable CVE that comes out and then like, you have like 20,000 researchers who immediately spray it on every organization. Like that has, it reduces the time to fix, I think significantly. Yeah.
Justin Gardner (@rhynorater) (01:06:47.35)
Mm.
Justin Gardner (@rhynorater) (01:06:53.162)
Oh yeah.
Joel Margolis (teknogeek) (01:06:54.294)
Yeah, yeah, absolutely. I love that it, how it highlights like key areas that need fixing, right? Like systemic things, like if you see researchers, like every time an XSS comes in, like they're getting an ATO because your cookies are not properly secured or your auth token is stored in a bad place. Like that's a really easy business justification to be like, hey, we have external security researchers who are finding this problem, we need to fix this like ASAP, right? And like there's like a one-to-one correlation there, but...
Sam Curry (01:07:19.747)
Right.
Joel Margolis (teknogeek) (01:07:23.082)
It's not always that like it's like sometimes it'll be like a broken social media link and you're like, how do I bring this to my engineering team and be like, Hey guys, the Twitter link is broken. They're like what is what security? Oh god. Yeah.
Sam Curry (01:07:27.812)
Haha.
Sam Curry (01:07:36.91)
Haha.
Justin Gardner (@rhynorater) (01:07:38.432)
Yeah, no, that is a pain. All right, so with that, let's set those stories and more philosophical stuff aside and let's go deep into some technical stuff. Sound good? All right, cool. So Sam, you have so much research online, so many stories, so many cool things that we need to unpack here. But one of the things you are most...
well-known for is secondary context bugs. I don't know, did you, like my first exposure to secondary context was you. Did you coin that term? Dude, so badass. Ha ha.
Sam Curry (01:08:18.922)
I did, yeah. It was funny, I appreciate it. It's funny seeing that term used, because I'm like, oh my God, someone's actually using that word. I just put those two things together. That's like a talk title.
Justin Gardner (@rhynorater) (01:08:30.024)
Dude, that's clutch, man. But I mean, obviously I'm sure some OG on some blog back in like, you know, 28, well, you know, 2028, 2008. Yeah, in the future. No, you know, way back, wrote something about it. But you know, that blog or that talk that you did on secondary context stuff was my first exposure to that. And I think it really made it more.
Joel Margolis (teknogeek) (01:08:41.55)
2008. There you go.
Sam Curry (01:08:42.489)
Yeah.
Justin Gardner (@rhynorater) (01:08:59.06)
widely recognized in the industry. And we have a cool bug we can talk about that with, the Starbucks bug, and that's on samcurry.net as well, that you guys can go read about. But talk to me about when you started realizing secondary context bugs were a thing, and how you started working through that whole concept.
Sam Curry (01:09:17.05)
Right. Yeah. So my initial exposure to like secondary context bugs was on a Yahoo's Luminate, which was like Yahoo's small business platform for like deploying websites and stuff. And what I realized was that I originally thought it was like path, like file path traversal, right? Because I was like able to traverse and like add directories. And I'd been spending so long on this one app and I was just like getting, and I eventually started testing for it. And I'm like, oh my God, there's file path traversal.
Justin Gardner (@rhynorater) (01:09:39.058)
Mm-hmm.
Sam Curry (01:09:44.022)
And even then it's funny too, because I blogged about it. And even in the blog post, I refer to it as like, you know, local file inclusion. Yeah. It was not. Yeah. It was actually HTTP path traversal. But even at the time, like, I'm like, I guess the /etc/passwd files didn't exist and it's like, no, that's just not, that's not what was happening. Um, so with that kind of exposure to it, uh, I started looking for similar stuff in more and more places and I eventually realized that like,
Justin Gardner (@rhynorater) (01:09:49.372)
I remember this, I remember this. So this was not a file path traversal.
Justin Gardner (@rhynorater) (01:10:01.832)
Hahaha
Sam Curry (01:10:12.482)
The internet was slowly being built towards this like interesting like network model where like, Oh, you want to serve a CDN from like www.yahoo.com where like you want to serve images, but you don't have to like, you've got this very complicated configuration of like proxy rules and different passes. So maybe that, you know, slash images, instead of being like a folder on like one box because of like load balance, how crazy that would be if it was just all served from the same box now the slash images route is being proxied to like some internal server for a CDN, right?
Justin Gardner (@rhynorater) (01:10:42.124)
Hmm. That's interesting. Do you think this is a function of needing to do load balancing more effectively?
Sam Curry (01:10:42.934)
And at that point...
Sam Curry (01:10:49.154)
I think it's a mix of things, right? I think that if you're a team who you have like, maybe a static blog, but at the same time, like you have authentication functionality on your static blog and the team who deploys, you've got like DevOps team one, DevOps team two, and then like you have to kind of merge them together. Sometimes the easiest way to like differentiate routes and folders and things, I think, is by adding that reverse proxy and then separating the services into two. So like...
Justin Gardner (@rhynorater) (01:11:13.428)
Hmm.
Joel Margolis (teknogeek) (01:11:16.214)
Yeah, that's probably the biggest thing that I've seen from the engineering side is it's the service, that service aspect. A lot of people don't think about this because they're not in engineering org, but for engineering orgs, they split up functionality into services, right? And services are separately deployed. And in order for these things to interact with each other, instead of having just one giant application that's handling everything from one place that can interact internally with everything itself, it has to make some sort of call, whether that's like gRPC or
Kafka or whatever, and a lot of times it's just HTTP. They build an HTTP client for that service that just calls internal endpoints on that other service on their internal network, and it passes data back and forth. And it's a lot more simple than people would think where they're like, oh, they must have.
their load balance, it's like, no, there's two separate services and they have to talk to each other somehow and they just did that with an HTTP request and they did it really, really quickly and effectively in an insecure way and that's where things are starting to fall apart.
Sam Curry (01:12:22.91)
Yeah, exactly. And like even external services too, like APIs, like maybe you've got like a maps plugin and like, you want to serve that data and you pass on a path that goes like Google Maps API. And like it's very, very interesting how like complicated it goes. I think one of the reasons like this kind of research kind of came about, there's different people who had worked on like similar things in the past. There's really excellent blog posts, like Frans Rosén. He should have been like
he should be the originator. His work with like Mathias and others like I think probably even a few years before that talk and I even messaged him when I gave the talk I said like I feel like this is similar to a lot of work that you've done in the past and I was like if there's anything here like I'm going to make sure to credit you for a lot of this I want to make sure I'm not like stepping on your toes a little bit but I wanted to say like the way that the way that I totally lost my train of thought but oh sorry.
Justin Gardner (@rhynorater) (01:13:19.408)
So maybe I can redirect you then if that's fine. So as you're starting to develop this understanding of essentially modern web architecture where these reverse proxies are in place like that, and the tricky part for me still lies in where does the authentication live? Because there's a lot of secondary context path traversals all over the place. But...
Sam Curry (01:13:20.386)
Go ahead, yeah.
Justin Gardner (@rhynorater) (01:13:46.4)
the backend server is also using auth, and it's just like, okay, well, I can hit a different endpoint, you know? And sometimes you can do weird stuff with that, like, like CSRF, or like, you know, some sort of method confusion and that sort of thing. But the majority of the time that, understanding that auth piece is really pivotal, right?
Sam Curry (01:14:08.034)
Right. Yeah, a hundred percent. I mean, the auth component is so important to everything because like, if you're a, like a lot of structures, for instance, we saw this a lot in the car hacking where as an example, like you have SiriusXM at the top or there's all these different vehicle brands beneath it, like Ford, you know, whatever, but the SiriusXM service is like the authenticated one. So each of those car companies has like an API key that they use globally. So it's like, once you, if you can leak that key, change the context between like
one user with access to one thing. And then like you leave the key and then you can talk to that service and you get access. Yeah, exactly. Right. So one example there is like, you know, maybe you're fuzzing for, you know, secondary context stuff and you throw in like a new line character for a URI parameter instead of like your account ID, maybe you do one, two, three percent zero D and then you get a stack trace back where it's like the API call to internal.com.com question mark API key equals, and you're like, aha, I see the API key. You take that.
Justin Gardner (@rhynorater) (01:14:42.188)
directly to that backend service.
Sam Curry (01:15:07.33)
and then you're like, hey team, this is allowing me to access anybody's stuff. So you give it to them, right? But like you said, the auth, yeah, it's tricky to figure out.
Justin Gardner (@rhynorater) (01:15:12.629)
Wow.
This sounds like a very real example, Sam. Hahaha.
Sam Curry (01:15:18.762)
Maybe, yeah, maybe it is, but, you know, doing some hacking on the (REDACTED) program recently, and I don't know if you can disclose their bugs, but there's a lot of similar stuff like there, right?
Justin Gardner (@rhynorater) (01:15:28.224)
Mm.
Justin Gardner (@rhynorater) (01:15:31.397)
with the secondary context stuff? I've heard that.
Sam Curry (01:15:33.59)
Yeah, it's like, yeah, there's tons of a lot of the, for instance, like a lot of people hunt for actuators, like really heavily. And like, when you start exploring, like actuator secondary context stuff, it's really fun because it's like, you know, in some JavaScript file somewhere, there's like this route, which is reverse proxied. Maybe it's like API GW dash, you know, internal slash or something. Then you hit that route and then that's where you append your actuator/env or like dot-semicolon-slash actuator/env. And then like,
It lets you kind of hunt more thoroughly, I guess.
Justin Gardner (@rhynorater) (01:16:05.432)
So you're hitting, I guess in this scenario, you're hitting API dev endpoints using this secondary context sort of path traversal. So going through the front end, then traversing on the back end, hitting these actuator endpoints, which wouldn't be exposed publicly because of probably path limitations through the reverse proxy. And then, are you normally hunting for things where it's going to dump the full response back to you without any modification?
Or are you trying to hit these things blind? Because a lot of times there's a parsing of the response from that back-end API. And then that kind of hex up your visibility into the back-end, right?
Sam Curry (01:16:46.498)
Right, yeah, having a response is beautiful. It makes you so happy when you see that HTTP response leaked back to you, you feel amazing. But a lot of times it is blind, right? And I was with another researcher, Nathaniel. It really is. It's like a, I would say too, to finish up a bit, like Nathaniel Latimer, or d0nut, I was with him on a trip and I stormed into his hotel room, like manically with my laptop.
Justin Gardner (@rhynorater) (01:16:57.684)
That scares me, man. Yeah.
Justin Gardner (@rhynorater) (01:17:07.241)
Yeah.
Sam Curry (01:17:12.47)
I'm like, if I do dot slash ABC, it doesn't do anything. But if you do data slash XYZ, it does this thing. But like, I can't reproduce it on this one. And like, he's looking at me. I've sat there for six hours trying to figure it out. And he's like, this guy, like, what is he talking about? Like, it's absurd because there are so many conditionals that relate to like the, uh, you know, like you're trying to explain to your friend, you're like, if I do a pound sign, it does this behavior. And if I do an ampersand, it's this behavior. And like, you have to like.
really build out this like brain map for each individual case. Right. I think the most complicated, like secondary context bug I had was like this. Stored, uh, you would add a value to a database with like an and sign and like change the print, you change the format from XML to JSON. Yeah. And then like on another end point, you call it and it would get retrieved. Like, and it was just like. To P.
Justin Gardner (@rhynorater) (01:17:56.064)
Oh.
Justin Gardner (@rhynorater) (01:18:02.764)
How did you identify? So it's like a stored secondary context. I've never even thought about a stored secondary context.
Sam Curry (01:18:08.086)
Yeah, logically, a lot of times it can be some things I think you can look for there. If it's like external services, like external APIs that you know, for instance, are they leveraging some third party API that has an API key or like, is there one you've already identified that's like, you can kind of add onto. But they're so case by case, right? Like one service has like one behavior and you have to build those mind maps, I guess.
Justin Gardner (@rhynorater) (01:18:09.92)
Yeah.
Justin Gardner (@rhynorater) (01:18:24.155)
Mm-mm.
Justin Gardner (@rhynorater) (01:18:35.536)
Mm, yeah. When you're talking about the external services, it reminds me of the Starbucks bug. And just to give a quick overview of this, like essentially, in this scenario, we actually had access to the full response, right, that was coming back. And we were able to, on that one, we were able to path traverse back on this Starbucks API and hit, it was a third party, right? It was Microsoft, was it Graph?
Sam Curry (01:19:04.29)
Yeah, it was a Microsoft Graph Search, I think. It was like a, they had like a, I don't know if it was a third party service or it was a utility they had, but it was connected to their core, their core Starbucks, 100 million user records was it was connected to, but.
Justin Gardner (@rhynorater) (01:19:19.336)
Yeah, and so essentially, like, we were working on this together, and what amazed me when we were working on this together was, one, that you identified one that leaked the full response, which allowed us to get so much more artistic data back. But for two, you were able to brute force these paths along the way. And I just, I don't know, man, I don't know, maybe it's just because I don't do a lot of brute forcing as a part of my methodology.
But it's just, that's just some, and Frans, Frans does it even weirder. I mean, Frans brute forces it as well, but Frans also just has like this sick sense of like, you know what? I bet customer is before this. And it's like, and then he'll guess because we were working on this target. And it was like, and it was, we weren't allowed to brute force. They said explicitly, literally no brute force. Please do not brute force it. Okay. And so we're like, we need to brute force it because how are we going to figure out the paths, you know, that we're traversing.
Sam Curry (01:19:58.958)
Hahaha
Joel Margolis (teknogeek) (01:20:03.303)
Yeah.
Justin Gardner (@rhynorater) (01:20:15.164)
And Frans just guessed four paths deep. And I was like, you've got to be kidding me, man. So I guess for this, in your experience with the brute forcing, what is your approach to that? What word lists are you using? Are you generating custom things? Is it just something I've got to start doing that I'm not doing?
Sam Curry (01:20:19.034)
That's so good.
Joel Margolis (teknogeek) (01:20:19.767)
So funny.
Sam Curry (01:20:35.106)
Yeah, I mean, a really, a really simple list. So I like to use, um, it's in Burp by default, but it's like server side variable names and it's just like, you know, path parameter. Yeah. Actually, uh, Mike Robert showed me this, like he uses it from time to time for like parameters and stuff. But I think if you go to the simple list, it's like server side variable names. But, uh, the thought process for trying to brute force the paths or guess the paths is like. One that lets you confirm that like, you're not just.
Justin Gardner (@rhynorater) (01:20:43.658)
Never heard that.
Sam Curry (01:21:03.918)
traversing to like the same request you're on. Cause a lot of the times what will happen is like, you think you're traversing, but in reality it's like a normal side, like API request where it's been condensed down to the normal request. So you're actually just calling yourself. Um, but yeah, it's very, you're like, oh, I'm just, you know, you like spam someone about it and you're like, delete our messages. You're like, nevermind, ignore me. Um, but the, uh, but brute forcing the paths is really fun because like.
Justin Gardner (@rhynorater) (01:21:17.836)
So annoying.
Sam Curry (01:21:32.094)
You know, you can kind of guess like Frans, since Frans, if it's Frans, I've mispronounced his name for 10 years, you know, so I apologize. Um, but he, he would doing customer like makes a lot of sense where. You can kind of guess the format ish like V1, you know, V2, V3, whatever, but building it out. Um, I wish there was more general tips, but it really is case by case basis. You know, are they using camel case lowercase upper, are they separating with underscores, you know?
Justin Gardner (@rhynorater) (01:21:58.46)
And are you looking at the front end like paths for that to determine that information or you, because I guess at some point it's getting proxied back through, so maybe they're using similar name conventions on the back end as well.
Sam Curry (01:22:11.926)
Yeah, that's one thing that you can kind of pick up on is like on the front end, if they refer to your account as like account underscore ID or something like you know, those variable names that are like normal, you can kind of like interplace those. Um, most of the time I'll just send it through. If there's no rate limiting, I have like a massive word list that Shubz gave me that is like 500,000 or something like absurd. They're really good. Yeah. Um,
Justin Gardner (@rhynorater) (01:22:19.115)
Mm-hmm.
Justin Gardner (@rhynorater) (01:22:25.248)
Mm.
Justin Gardner (@rhynorater) (01:22:34.036)
Yeah, the Assetnote word lists are really good.
Joel Margolis (teknogeek) (01:22:39.57)
So I did want to ask, you mentioned that you have these mind maps that you do. Can you maybe talk a little bit about what that means to you and sort of like how that plays into any note taking you do and like, because again, like you typically are hacking on very large scale targets and these are ongoing engagements for weeks, months at a time.
And so there's a lot of information, a lot of data, a lot of connecting parts together. And even on single, like small scope programs that exists, and that can be hard to track. We've talked a lot about note taking and all that kind of stuff. How do you keep track of everything? How are you remembering these guys? Is it all just like a bulletin board in your mind that is very, just like fragile or is, or are you writing stuff down? Like, can you talk a little bit about that?
Sam Curry (01:23:29.182)
I wish I can hardly remember what I had for breakfast yesterday. Um, mostly it's a discord channel with people, like mostly if I find something interesting, anything interesting whatsoever, I'll post like the JavaScript file I found it in, if it was a JavaScript file and then like the route, and then maybe talk a little bit about it because I'm normally trying to communicate it to somebody else in the group chat, like, Hey, this is interesting for this reason. So I kind of like catalog that and I can go back to it. Um, and then like 10 messages, things like that, but for building out like.
you know, on like the longer engagements, like building out an understanding. It's a lot of like, uh, you know, maybe you go to developer.com.com. You register for an API key and you kind of look through their API requests. So for instance, uh, we can kind of transition this if you wanted to, but we found a vulnerability. I think it was on, uh, Vercel. Um, yeah, but Vercel is a really good example because for Vercel, Vercel has this API where they talk about like all of their
Justin Gardner (@rhynorater) (01:24:14.757)
Mm, mm.
Sam Curry (01:24:24.126)
API requests that you can make yourself as a developer. And there's a custom endpoint on the Vercel website that takes in a parameter of your account ID and it basically generates a screenshot of your website. So it was like slash account ID slash. Yeah, it was super fun. Um, but what was really interesting is that when you give it the parameter for the website, so it's like your slash account ID slash website ID, maybe like one, two, three slash one, two, three, four or something.
Justin Gardner (@rhynorater) (01:24:38.26)
Very fun functionality there, yeah.
Sam Curry (01:24:55.442)
you could actually traverse the 1234 and overwrite the full API call. And what I realized is that from reading the normal documentation for Vercel, it was actually making an API request to itself. That was a normal documented process that you could read as a person. Right. So we reproduced it and we realized that what it was doing is it was fetching a JSON response from a particular endpoint and it was parsing out the URL parameter. So this API request is make a screenshot.
it would pull the URL from the website ID and then it took a screenshot of that specified URL. But what it was doing.
Justin Gardner (@rhynorater) (01:25:28.948)
How did you suss that out? How did you know that it was pulling that from the JSON response? You had to have seen the response somehow, right?
Sam Curry (01:25:34.798)
So I never, I never felt so the response, but what I did is I figured out the request by I did the thing that you know, Frans said where you're backtracking every single request until you rebuild the full request. And then, uh, in that response, I was like, it has to be hitting this specific endpoint and the only thing from this response that makes sense is the real parameter. So yeah, it's.
Justin Gardner (@rhynorater) (01:25:54.924)
What? Sam, this is the kind of shit I'm talking about, dude. Like, how? So you traverse back, you look at the path, and then you just say, okay, guess. There is going to be, in the JSON response, at the root level, no like data, you know, data colon this or whatever. There's gonna be a URL attribute. And then they're gonna read that. And that's the only thing they're reading from the response. Are you kidding me?
Sam Curry (01:26:18.754)
Yes.
Sam Curry (01:26:22.506)
Yeah, it's a bit of like, you know, there's you use the website enough a little bit. I don't know. There's just something like you slowly build it up, I think from like hacking on the same target for a while, right? And then like, you can leverage that. Like, and I think the, I think the final exploit for that was like, uh, you could upload your own data to Vercel and then you could backtrack the API to load your own data and then you would load your uploaded JSON and it would sign that URL and then you could basically load anybody's staging domains or bypass.
because what it was doing was like, you know, signing that URL using your own token. So like, or signing the URL using a master token from Vercel that had access to everybody's stuff. Right. Um, yeah, I mean, yeah.
Justin Gardner (@rhynorater) (01:27:04.916)
Wow, okay, hold on, so let me get this straight. This is nuts. So what you did is you find a secondary context path traversal, you identify by using whatever the heck that was a second ago, big brain nonsense, that you need to put a URL.
Sam I really actually can't even wrap my head around this so because you're not even getting a hit You're not even hitting an external server. What you're guessing is that You went all the way through This this whole thing and then you uploaded a JSON file to the account and then traversed and hit that and then you were Deciding okay. I need to put a URL parameter in there like a URL JSON value in there Sam that's ridiculous. That doesn't make any freaking sense Sam
Sam Curry (01:27:25.358)
Ha ha.
Joel Margolis (teknogeek) (01:27:27.054)
This is
Sam Curry (01:27:47.49)
Yeah, exactly. Well, it's a lot of a, I don't know, it made sense to me that day.
Joel Margolis (teknogeek) (01:27:50.446)
Hehehehe
Justin Gardner (@rhynorater) (01:27:55.912)
It's a lot of guessing is what it sounds like, man. It's a lot of guessing and intuition, which is very, for me, that is definitely not my strong suit in bounties. Most of my stuff is very much, I think, logically oriented and logical flows, but this was a lot of guessing and a lot of intuition. I mean, is it just something that you feel when you're doing this? Because that, and I can understand that in some scenarios, the Frans thing with traversing back and then guessing the path, like.
Sam Curry (01:28:01.294)
Yeah.
Joel Margolis (teknogeek) (01:28:05.451)
Yeah.
Justin Gardner (@rhynorater) (01:28:24.916)
That amazes me for sure, but I can understand it a little bit because it's like, OK, you understand the architecture of APIs. But something like this where you're guessing the structure of the response and you don't even have it hitting your own server, but you have to upload a JSON file and then traverse to that and then.
Sam Curry (01:28:42.85)
Yeah.
Justin Gardner (@rhynorater) (01:28:42.965)
Help.
Joel Margolis (teknogeek) (01:28:44.658)
Yeah, so I'd like to say, you mentioned intuition here, and I was listening yesterday to a really interesting podcast about intuition and when you can and cannot trust your intuition, okay? And intuition is one of those things that's really built up over time as a skill, where like, back to chess, right? You see this all the time with chess. Where chess grandmasters, they have played chess for so long that they have a mental intuition of what moves.
make the most sense, even if they can't really explain why it makes sense, because they've done it so many times for so long, they've thought about so many different hands and scenarios and moves and everything that they're like, you know, this makes the most sense. I can't really explain why, but it does, and they're right. And I think a lot of that is the same with bug bounty, where it's like this intuition that you hone in over time, both on individual targets, but also like as a whole, right? So I think, I was looking back through our messages,
Uh, like a month ago, you, you'd said this thing that really stuck with me. And you're like, there's a five day hump on any program, quote Frans Rosén on this. And if you brute force, brute path, brute force past this, you become an unstoppable force. And I love that because I think that is like your intuition being like, hang on a second. I'm a, I'm a dull right now. You got to sharpen me up a little bit. And after five days, then you've got this specific intuition for the target you're looking at, right? Like.
Justin Gardner (@rhynorater) (01:30:05.164)
priming it.
Joel Margolis (teknogeek) (01:30:11.434)
When you're testing stuff and you're like, you know, it's got to be a URL parameter in the response in this JSON body. It's because you've got five plus days of like banging your head against the wall, basically going back and forth with like, what is this developer doing? Like, why, why did they make this choice? Oh, they do things like that. Oh, okay. That's weird. But all right. I guess that's just how they do things. And you just sort of build this, this like understanding of how a specific company does things internally.
And back to the intuition part, right? When you can trust your intuition is when you're in an environment that is like slow to change. And so especially when you've honed your intuition on a target, that target is not going to be like yesterday we were doing things this day, this way, but tomorrow we're going to do it completely differently. Right? And so you can actually hone your intuition on a target like really, really well because you do understand.
Sam Curry (01:30:55.211)
Hahaha, yeah.
Joel Margolis (teknogeek) (01:31:03.214)
how they do things. You can build up an understanding, like implicitly internally, like, okay, this is probably how they're actually doing this. And I think like that's something you do a really good job of capitalizing on.
Sam Curry (01:31:13.454)
Right, I totally agree with that. That happened too with Tesla. This is sort of a similar bug where it's like, I'm sorry. Ha ha ha. Hey. Ha ha ha.
Justin Gardner (@rhynorater) (01:31:19.396)
No, no, Sam, don't, no, hold on. I'm not letting you weasel your way out of that last one, okay, don't even start with me right now, okay? So, so, okay, we're gonna go to that one, and I wanna hear that one, but let's just, you know, rewind a little bit here, and finish this one up, okay? So you do some big brain shit, and you figure out, okay, there's a URL parameter. What do you put in the URL, the URL parameter in the, parameter, JSON attribute in the response?
Joel Margolis (teknogeek) (01:31:26.958)
Yes.
Sam Curry (01:31:33.857)
Yep, yep.
Justin Gardner (@rhynorater) (01:31:48.808)
of this traversed backend API request. Are you putting in your own host? Are you putting in initially or?
Sam Curry (01:31:56.43)
Yeah, so originally what I did is I put in my own host and I saw that there's a like signed header, which is like a session. It's like, this is the URL signed that way the server can like access it, you know, because Vercel's God key is being signed here and it loads the website. But.
Justin Gardner (@rhynorater) (01:32:08.268)
Hmm. Dude, I wish it would just send you the God key, man.
Sam Curry (01:32:12.926)
I agree, I was kind of annoyed by it. And funny enough, one of the reasons that we ended up going so deep on this bug is, I think Ian Carroll knows how to psychologically manipulate me, because whenever we hack together, he just tells me, I was sitting next to him at a hotel, and we were trying to hack on Vercel, and he's like, there's no bug there, he can't find anything. I'm like, I'm gonna show you, I will pull a bug out if it's through a tiny little fishing wire, you know what I mean? Yeah.
Justin Gardner (@rhynorater) (01:32:22.86)
Hahaha
Justin Gardner (@rhynorater) (01:32:38.604)
Ah, this is starting to make sense now. Ian was trolling you into this bug. Okay, I see.
Sam Curry (01:32:44.694)
He did this at the (REDACTED). He did this at the recently, yeah. But yeah, like there, I tested my own URL. I saw it was sending a request. I saw it was signed. And then I was like, well, I can't really sign anything arbitrarily because I tried all the bypasses. I did like backslash at, you know, at credentials, basic auth, you know, to try to get it to sign a URL that like try to parse out part one of the URL where it's like
Sam Curry (01:33:13.478)
HTTPS, sorry, victim.com backslash at attacker.com where like it would sign the URL for the victim website, but give me the signed credentials. And then I could take those credentials and authenticate. But what ended up happening, that was a lot easier is we could just pass in the victim URL directly. So there's no bypass needed because it would just screenshot the website. Right.
Justin Gardner (@rhynorater) (01:33:33.364)
Okay, okay, so what you were trying to do there was somehow leak to yourself the signed headers, but the request has to be sent to you, so it isn't gonna work that way, right? Because you can only sign things that are gonna be pointing towards your own domain. So then you just put in the victim's website directly and use the functionality on the website.
Sam Curry (01:33:56.234)
Exactly right. Cause I was annoyed. I was like, there has to be some like differentiation between the HTTP requests actually firing and then like the security parsing for the URL. So I was looking for any difference between the two, right? Because if the security parsing was slightly different, yeah, exactly. But yeah, that was kind of the process for that.
Justin Gardner (@rhynorater) (01:34:09.608)
Yeah, that makes sense.
Justin Gardner (@rhynorater) (01:34:16.02)
But then how did you, no, Sam. But then how did you know, I mean, did you just pass in, was it just like, HTTPS victim.com, whatever? Oh, really?
Sam Curry (01:34:18.71)
Yeah.
Sam Curry (01:34:27.154)
Exactly. Yeah. Yeah, yeah. It was very simple for that part.
Justin Gardner (@rhynorater) (01:34:31.376)
Okay, so you didn't have to guess some sort of path or anything like that with the IDs for the victim. It was literally just, you give them the victim website and it just returns you an image of the victim's website. Nice. That is solid. Very clean. Okay, solid. Very cool, man. Okay, all right, let's go. Let's go, next story.
Sam Curry (01:34:41.898)
Exactly, yeah, and I was really happy with that. Very simple, so that part was simple. Yeah.
Joel Margolis (teknogeek) (01:34:48.386)
Okay, so now talk about Tesla. So yes, intuition, you honed your intuition and you said this happened on Tesla as well.
Sam Curry (01:34:50.263)
Sure, sure.
Sam Curry (01:35:20.372)
Yeah, sure.
at email.com and then in the URL, they'll pass in like email, email.com. And then to validate that you're authed, they just compare the two, right? For Tesla in particular, I noticed they had an account ID or a vehicle ID. And I was like in the JWT. So or jot, however you want to say it, don't correct me podcast listeners. But but uh, anyway, the good stuff. But for Tesla is really cool because there's this endpoint where you pass in the vehicle ID and it was like signing the JWT.
Justin Gardner (@rhynorater) (01:35:39.62)
No, no.
Joel Margolis (teknogeek) (01:35:41.55)
No, nobody's right on that one.
Sam Curry (01:35:53.014)
What you could actually do is it was using a particular integer parsing where if you appended like ABC at the end of the integer, it would run parseInt on it, which would only retrieve the number. So in the actual logic check for authorization, it would pull out, you know, parse, parseInt, whatever you provided, check if it's valid and that you're authorized to access it and it would take the raw value that you originally sent and it would send it in a second request, right.
So what you could actually do that was really neat is you could do like your ID, a percent two F dot percent two F victim ID. And then it would basically, it would bypass the check via the parseInt and then it would take your raw request, but it actually on the backend and traverse to the victim account and then you get access to victims vehicle. So
Justin Gardner (@rhynorater) (01:36:44.972)
Wow, dude. Okay, so I'm looking at this. So the reason that works is parseInt in JavaScript. If you pass it a string that says 1234 slash test, it will return 1234.
Sam Curry (01:36:59.158)
Yeah, exactly right. Yeah.
Justin Gardner (@rhynorater) (01:37:00.58)
Okay, that's hecked up. That is some JS shit if I've ever seen it. But that's really helpful to know, especially on node targets, because it's like they might be using parseInt to get the integer value for this thing, and then if they're using that, so then they don't use the parsed value, they use the original value again in the second backend API request.
Sam Curry (01:37:05.451)
Yeah!
Sam Curry (01:37:23.574)
Exactly. And that's the fun part because you can just provide them like the victim ID. It's really neat. And there's a similar thing too with PHP. This is the kind of one some people like I said, no, is that there's a dollar sign underscore request. There's dollar sign underscore get and dollar sign underscore post and put and whatever. Right. But what's really interesting is that if you do dollar sign request and you do a logic check with dollar sign request, like let's say the ID parameter, and then you validate that parameter.
Um, you can actually do if, if for any reason it switches to get a post after that, uh, requests could be like the one from the get and then post could just be the one from the post. Uh, what I'm trying to say is that request is indifferent to or, or request is like.
specific to one of those, it's either get or post. And the logic switches up once you switch to like either get or post, where you can basically provide like question mark ID equals one to three in the URL. And then in the post body, you provide one to four and request pulls the top one and then post is the second one. And yeah, it's led to like a lot of, yeah.
Justin Gardner (@rhynorater) (01:38:31.568)
Ah, interesting. Wait, so you've seen that in the back end, in the same back end API call. So like, where you'll put the victim's ID, or let's say your ID in the URL. And then, wait, is this a part of the normal functionality of this application where they have the ID in two spots, or are you specifically adding? No way, dude. That's freaking weird. That's super weird.
Sam Curry (01:38:55.274)
I, yeah, specifically adding. And it was really, yeah dude, it was funny. Yeah, it was really funny too, because it was a four, I was playing like a Korean MMO, which was like super grindy and like, you had to pay like a hundred dollars if you wanted to like level your character up or get a special item or something. And I ended up reporting the bug, so don't get mad at me yet. But what you could do is, it would have like your package value. So it's like a $400 package and I'd pass that in.
and then it would sign the whole request and pass it off to the payment provider. But what you could do is like, in the get request you're like, okay, fine, I'll pay $500. And then the post request you do, let's actually change it to a penny. And then it gives you the sign checkout URL that's passed to like the payment provider. And you complete the checkout process and you can only buy it for a penny. So then you get your $500 package. And I think I got a really funny email from the game developer. It says, we noticed some erratic activity in your account. You spent $3 million in end game items.
Justin Gardner (@rhynorater) (01:39:52.672)
See, this is what I'm talking about. Like, why do you do this shit? Like, I understand the hacking things that don't, you don't have like, you know.
Sam Curry (01:39:53.059)
So, yeah.
Joel Margolis (teknogeek) (01:40:00.718)
I'd love to know the thought process actually. Like when you receive an email like that, are you excited or are you like, oh shit, like uh oh.
Sam Curry (01:40:07.818)
It's a little, it's a little bit of both. I hope they understand that like, my thing is like, I like to like walk the line between both, it's like, I hope you're not gonna like, fool out like Sue me and get me in trouble. And I hope that me doing it isn't like too terrible for you to deal with. I think it's similar to like maybe if I did $100 or $1,000 or whatever, but like, I don't know, that line is like interesting to walk, I think. Yeah, exactly, right? Like.
Joel Margolis (teknogeek) (01:40:31.718)
ask for forgiveness than permission.
Justin Gardner (@rhynorater) (01:40:34.664)
except when you're gonna go to jail.
Joel Margolis (teknogeek) (01:40:37.54)
It's fine
Sam Curry (01:40:38.39)
You know, like, I think like, it's a very particular thing because like, you try, I try my best not to like actually, I'm not like going out and impacting the game economy. I'm immediately contacting them to report it. And like, they're aware of my account and stuff, you know. But for this case, exactly right. Like, well, it's funny too, because my buddy, a long time ago, when I was like 11 or 12 years old, even, I played video games for this guy named Buzz Man. And Buzz Man
Justin Gardner (@rhynorater) (01:40:54.848)
but you still have the coolest tape in the game, for sure.
Sam Curry (01:41:07.758)
did video game hacking and he did tons of video game hacking and I looked up to him a lot and he was like this Belgian researcher and then when I was 17 I checked his Facebook and he runs like one of the biggest game security companies and he actually had these people as a client and I like passed it to him and he got good PR because he's like, hello, we found a bug from, you know, and this researcher reported it. So really funny story, but Buzz Man is a genius, yeah, very smart guy.
Justin Gardner (@rhynorater) (01:41:20.48)
No way.
Justin Gardner (@rhynorater) (01:41:34.956)
Wow, so okay, so just to bring that back to the technical takeaway there, which was sometimes you can add parameters to the, see, and this is a very common IDOR tactic as well, where you'll see an ID in the URL parameter and in the post body, and what it'll do is the auth check for the URL and then not auth check the post body. So that one's a well-established IDOR mentality. But this is also applying.
Joel Margolis (teknogeek) (01:41:35.692)
awesome.
Justin Gardner (@rhynorater) (01:42:01.772)
in this sort of scenario where you can add it specifically to one or the other. And I kind of am curious how that actually would work on the backend, because it's like, okay, I can see how they would do path level authorization in those other scenarios, but I can't really see how they'd be like, all right, let's just say it's PHP here. $_GET, you know?
that and then check, but maybe it's request, but then it's overriding it, you know, but you know what I'm saying? Like, how does this work?
Sam Curry (01:42:34.314)
Yeah. So I think what originally happened was it was a put request and the auth check was using underscore request, right? And when it was a put request, I think PHP was like, Oh, cool. It's a request. It's a put request. It's coming from the body. Right. But then in the actual logic of the application, it did underscore get, right. So all check requests, actual functionality was get. Yeah, exactly. Right.
Justin Gardner (@rhynorater) (01:42:42.41)
Mm-hmm.
Justin Gardner (@rhynorater) (01:42:53.889)
weird.
Justin Gardner (@rhynorater) (01:42:59.556)
Or maybe there's like a, if there's a get parameter that has this specific, you know, like user ID or whatever, then perform the auth check and then auth check equals true or whatever, you know, after that, that could be it too. Wow, very interesting Sam. I hadn't, I had never thought of that. That's, that's a, that's a pretty cool one to, to take away. And that's mostly regarding authorization stuff for these, or I guess like you said, it could override values, application level values as well. And it makes me think of a...
Sam Curry (01:43:08.836)
Yeah.
Justin Gardner (@rhynorater) (01:43:26.956)
client-side path traversal that I recently found, which is my shit right now. I just love client-side path traversal vulnerabilities, but essentially what it was is, you know, the target would send an empty post request to a given endpoint once I've done the client-side path traversal in the URL. And I needed to send parameters in that request. And to manipulate the application-level logic add an admin user to the organization.
And what I did instead was just added them to the query parameter with the path traversal. So I just did, you know, question mark, yeah, user ID equals one, two, three, you know, and, you know, at type equals admin, yeah.
Joel Margolis (teknogeek) (01:44:00.811)
Same type of thing, yeah.
Joel Margolis (teknogeek) (01:44:06.122)
Yeah, and you see this a lot actually where modern web frameworks, they've made it significantly easier to use one thing to reference parameters, right? Whether that's get or post or it's like, I just want I don't really care how it comes in. If it's post request or get request, I just want the parameter called ID. Right. It makes my web application more flexible for what for an attacker. It's like, OK, well, what if I provide both like what is what is request up parameters ID now?
Justin Gardner (@rhynorater) (01:44:25.364)
Mm.
Mm-hmm.
Yeah, I really like that. That's pretty rad. Very, very cool tip. I'm trying to look through here and see some of the other things we have associated with secondary context path traversals before we move on to some of your research-oriented stuff. The other thing that I see here is, so we covered fuzzing for endpoints. We've kind of mentioned this on the pod before, but figuring out where you are in that sort of backend API.
is something you're really good at. And also, actually, I want to come back, because we didn't finish the Starbucks thing. One of the other things that I realized was really awesome about your Starbucks path traversal was that the traversal was backslash dot backslash dot backslash. That was the traversal sequence, where normally it's just dot slash or dot backslash. But in this one, you had to space it out with dots in between.
Why were you doing that and what kind of similar methodologies do you have with that may help?
Sam Curry (01:45:31.534)
Yeah, at the time I think that was an Akamai WAF bypass, which is really funny because Akamai's grown so much since then. Yeah, so if you did like dot slash dot slash, it's like stop, that's too many backward slashes, but you're like dot slash dot slash dot slash. And I'm like, all right, you know, like that checks out. And I think maybe Akamai even like, in the blog post it was like kind of a call out because I was like, yeah, WAFs are bad, this is why this worked. So I think maybe they're like, damn, we gotta fix, not saying Akamai, I'm the reason Akamai fixed their thing, but.
Justin Gardner (@rhynorater) (01:45:35.752)
Are you kidding me? Oh my gosh.
Justin Gardner (@rhynorater) (01:45:42.464)
Hahaha
Justin Gardner (@rhynorater) (01:45:58.197)
Mm, mm.
Sam Curry (01:46:00.17)
It was a little call out to Akamai, like, damn, this was kind of embarrassing. You guys need to get yourself together. Maybe pay better bounties.
Justin Gardner (@rhynorater) (01:46:06.58)
Yeah, so I mean, when you're doing this, I've seen you do like even spaces and new line character. What kind of stuff are you trying in order to achieve these back end traversals? And what kind of stuff have you seen work with any consistency?
Sam Curry (01:46:19.99)
Yeah. So one person who really kind of helped and like kind of give my methodology good to this is Andre or sorry, Andre (0xacb). Um, Andre Baptista, I think is how you say his last name, but he is, uh, one of the best, like has one of the best methodologies. He made a tool for this where it's like, if you're trying to traverse directories, there are certain areas where you should be fuzzing. So for instance, you could do dot percent zero to FF slash. So then instead of.
Justin Gardner (@rhynorater) (01:46:29.263)
Mm.
Sam Curry (01:46:50.026)
You would basically add before the slash a character there, and then you enumerate through all the hex codes. And then, you know, maybe percent zero D gets removed when it gets like transacted in the next API. And then it turns into. Yeah. Recollapse. Yeah. Uh, Recollapse is great. Um, so my methodology for like trying to figure out if structure traversal works is like try the normal stuff, you know, dot backslash dot percent zero D slash dot whatever.
Joel Margolis (teknogeek) (01:47:03.123)
This is Recollapse, is that right?
Sam Curry (01:47:17.582)
But then if I can't figure it out, I'll just send it to Intruder and then do zero to FF and I've had like really. Yeah. I've had some good luck just like with random stuff, like percent zero nine, like a tab or something sometimes for like .NET applications would work. And yeah, it's really fun. Um,
Justin Gardner (@rhynorater) (01:47:23.401)
Okay.
Justin Gardner (@rhynorater) (01:47:30.557)
Oh yeah.
No, I like that whole brute force the URL decoding space, essentially, percent zero to percent FF. That's quite good. And I use that often as well. And sometimes there's some weird unicode bypasses that won't hit, but those are pretty rare edge cases. And I kind of, that's something that I would like to put a little bit more thought into is how can we apply
Like, I essentially, I mean, there's too many Unicode characters, so we can just brute force the whole Unicode space. But it would be really interesting to categorize, like, okay, these are like white space-ish Unicode characters or something like that, that might get converted and make those into a list for brute forcing as well, because that would be really helpful to have in that list as well.
Sam Curry (01:48:22.326)
And there was a good blog post too. I think it was like Unicode S's for GitHub to bypass email OAuth flows. I could maybe Google it really quick. It was a GitHub, Unicode, bug bounty. We'll see. Find it.
Justin Gardner (@rhynorater) (01:48:31.133)
Yeah.
Sam Curry (01:48:46.154)
is the Google part. Turkish, yeah, Turkish dotless I. Yeah.
Justin Gardner (@rhynorater) (01:48:46.637)
You said it was GitHub?
Justin Gardner (@rhynorater) (01:48:50.848)
Turkish time.
Joel Margolis (teknogeek) (01:48:58.638)
This is one of my favorites. Andre has another thing for this. I'm not gonna give the exact URL, but it's somewhere on his website. He has a normalization table that I use all the time. And it's very similar to this, where it's just like, you know, all the standard characters, and then under every single one, it's just a list of all the normalization possibilities, like different varieties and stuff of that character. And you can just go through and you can try them, you know, on your...
Sam Curry (01:48:58.713)
Yeah.
Justin Gardner (@rhynorater) (01:48:59.057)
Oh wow.
Joel Margolis (teknogeek) (01:49:27.122)
your target and I use that all the time when I'm trying to bypass filters. Yeah, I'll send you a link to it. We'll keep arriving, but yeah.
Justin Gardner (@rhynorater) (01:49:28.956)
Oh dude, I need that. I'm gonna DM you right now. Send me Unicode list. That's great. Okay, so Sam, just why don't you talk us through this. So hacking GitHub's OAuth with Unicode Turkish dotless i, how does this work?
Sam Curry (01:49:30.754)
Yeah, it's super useful.
Sam Curry (01:49:51.83)
Yeah, so I think it was a email issue where basically like GitHub supported a bunch of different workflows. So I think that when you did a scroll through really quick, you do.
Justin Gardner (@rhynorater) (01:50:03.224)
Ah, so they would put the Turkish dotless i after the g in GitHub at github.com.
Sam Curry (01:50:12.926)
Right. Yeah, exactly. And then, uh, yeah, it emails the original one and actually showed us up as the second one. So you could just basically steal people's. So I think what happened was like the email client or the authorization was like, Oh, that's, you know, uh, a different domain. That's not a GitHub.com. But yeah, there's an issue there somewhere where it confused both.
Justin Gardner (@rhynorater) (01:50:14.566)
Oh. And.
Justin Gardner (@rhynorater) (01:50:35.072)
Wow. Yeah, dude, these Unicode normalization bugs are, every time I see this, I think of Andre, because of his just legendary bugs he's pulled off. At almost every live hack event he's been to, he's done something crazy with these Unicode normalization bugs.
Sam Curry (01:50:41.337)
Yes.
Joel Margolis (teknogeek) (01:50:50.686)
There's a lot of stuff. I mean, Andre is one of those people, I think, that especially us three have pulled a lot of... We've done a lot of hacking with him and we pulled a lot of inspiration off him as well. Even just the leaking header stuff that we were talking about earlier, that was Andre's first LHE MVH, was leaking a token through an external request to his server from an internal thing that was a master token. Same...
Sam Curry (01:50:50.766)
Yeah.
Justin Gardner (@rhynorater) (01:50:59.67)
Mm.
Joel Margolis (teknogeek) (01:51:16.278)
very, very similar type stuff. And that was five plus years ago. So here we are full circle. Yep.
Justin Gardner (@rhynorater) (01:51:22.101)
I'll never forget that bug. That was crazy.
Sam Curry (01:51:22.218)
Yeah. And I, yeah, I have to call it out too. Cause like, Andre's one of those people where it's not just computers. Like when he's hacking, he's like, this is the galaxy. Like this is the matrix. Like we're in space right now, like going through like portals and like, it's so much larger than just like an API for him. It's like, yeah, it's, I love the energy is so good. Love Andre so much. Yeah.
Joel Margolis (teknogeek) (01:51:32.662)
Yeah.
Joel Margolis (teknogeek) (01:51:36.49)
Ha ha
Joel Margolis (teknogeek) (01:51:44.106)
Love Andre's energy. Yeah. So actually on the topic of energy and we'll circle, we can, we can circle back to technical stuff, but this was something on the philosophy thing that I did want to highlight with you. Um, you have this really intense energy, um, in a good way, like when it, when it comes to hacking, like when you are focused on a target, Justin always describes me as like a laser beam that he can, uh, he can nerd snipe to point at the right direction.
Justin Gardner (@rhynorater) (01:51:45.429)
That's that.
Joel Margolis (teknogeek) (01:52:09.97)
And I, I view Sam as like, uh, the Death Star ray in that same sense. Right. So like, it's like a hundred X where when you're really fixated on something, when you're focused on like, I want to get this thing, like there's nothing that's going to really stop you from doing that. Um, and you have like this, like industrial sized fan on your flame. Right. So how do you like, how are you?
Justin Gardner (@rhynorater) (01:52:14.231)
Hahaha
Joel Margolis (teknogeek) (01:52:36.882)
able to like do you does it just come naturally all the time like you just find yourself in these situations or do you find that you fall out of that headspace and that you have to do certain things to get yourself back in there?
Sam Curry (01:52:48.366)
Yeah, I don't know. I think honestly, a lot of it stems from like, uh, hacking was like one of the original things where it's like, I felt like a, this is going to sound so like convoluted psychologists, whatever, but like, the, uh, original, like a sense of, uh, I don't know, appreciation was like finding something cool. So like I have this really deep down thing where it's like, if I want to like prove a point and like find the bug, that's how I feel like a sense of validation from my peers and stuff or whatever. So like, if I, if I have a goal, which I feel like is like,
Justin Gardner (@rhynorater) (01:53:06.316)
Mm.
Justin Gardner (@rhynorater) (01:53:14.688)
Mm-mm, mm.
Sam Curry (01:53:18.278)
Interesting to me and like I prove a point to somebody or something like that, you know, like it's like I want to I'm gonna do it so like it transitions and it comes up pretty naturally where like I'm like, yo like that thing looks interesting and I bet I could do it And it's like a fun. I don't know how to describe it, but it comes very naturally where it's like, you know, for instance like
Joel Margolis (teknogeek) (01:53:39.598)
something just gets under your skin a little bit. Like Ian being like, there's nothing here, or like whatever it is, or you just being like, that's really interesting, I wonder if that's possible, or whatever it is, and just sort of like following that dopamine or whatever that interest.
Sam Curry (01:53:48.908)
Exactly.
Sam Curry (01:53:53.954)
Yes. A perfect example of that, like recently too, is like, uh, is it okay if I transition to the ISP hacking a little bit? Okay. Yeah. So, uh, yeah, like I had a call with my ISP technician because like I moved into a new house and like, I couldn't get it set up and like, it was just kind of frustrating. They're like, I'm going to remotely change your password. I'm like, you can do that? Like you can remotely change my router's password? I was like, I had no idea that was possible. And I was like, I wonder what they have access to do that because I have a. Yeah. It was.
Justin Gardner (@rhynorater) (01:54:00.532)
Go for it, man. Go for it.
Joel Margolis (teknogeek) (01:54:01.342)
Yeah, absolutely.
Justin Gardner (@rhynorater) (01:54:21.564)
Oh my gosh, dude.
Sam Curry (01:54:23.518)
It was fascinating because I'm like, this is really cool. So like I spent a while investigating my own ISP and I eventually found this vulnerability because like deep down at the core of the ISP, they had built this internal API called sale and what sale was used for was customer support agents and normal people to manage their router, to push commands, to update their router, view router settings. And it was called sale and it would basically bypass the authorization layer to do things like update DNS or.
fetch device password or things like that. And I was like, if that's possible, you can do everything. I mean, you can do, this is a modem and this is the modem they issued. It's not just their ISP modem. It's any compatible modem. It's fascinating, right? Because to even go back two years ago, to give a little even more context is like.
Justin Gardner (@rhynorater) (01:54:56.446)
device password, not just reset to fetch it as well.
Joel Margolis (teknogeek) (01:55:02.954)
This is the modem, right?
Joel Margolis (teknogeek) (01:55:07.607)
Yeah.
orange.
Sam Curry (01:55:19.978)
I was hacked, I got hacked, I was on my laptop and I curled a box and what I realized was that a third party DigitalOcean IP was resending my exact same HTTP request. So I thought originally my computer was owned and then I opened the URL on my iPhone and I saw the exact same DigitalOcean IP was resending that same traffic. So somebody somewhere was like intercepting my traffic and I researched it and it was an IP that was related to like a phishing campaign and basically,
what I think happened was someone had compromised my modem, right? And, uh, sorry for so much background to this, but, um, it got me really interested in like hacking ISPs. But anyway, I found a way to remotely, uh, you can remotely take over anybody's router. Um, you can update their DNS, update their password settings, things like that. Um, via just their serial number, which is.
Justin Gardner (@rhynorater) (01:56:15.598)
So how did you find that API in the first place?
Sam Curry (01:56:19.658)
Yeah. So what it was, uh, there's a (REDACTED), uh, is the ISP that was affected. Um, there's a business management website. So for business customers and they have access to like a little bit more functionality. So if you're a business customer and you want to manage your, uh, router modem, um, to like update stuff remotely or see the connected devices remotely, it would take in your request and like pass it down. And what I realized is that there was a bypass to traverse down and access the swagger.
files for the API routes. Yep. Sorry, yeah.
Justin Gardner (@rhynorater) (01:56:49.804)
So I'm sorry, I'm gonna pause you and back up a little bit there. Why were you looking at the business? I mean, do you have access to that business panel yourself? Or were you just looking at this as like, oh, this looks like something related?
Sam Curry (01:57:01.974)
Yeah, that's what I was doing originally. Well, what I originally assumed is that there isn't any segmentation between (REDACTED) and (REDACTED). I thought that at the protocol level, from a support level, it's using the same like sale protocol. I assumed it was based on like a little bit of research.
Justin Gardner (@rhynorater) (01:57:16.46)
Okay, but this you know about the sale protocol beforehand or no? I'm just trying to get into the head space a little bit here.
Sam Curry (01:57:20.339)
Uh, a little bit. Yeah. Sorry.
Sam Curry (01:57:25.75)
I think at the time I didn't know that it was specifically called sale, but I realized that there's a tool set internally and there was like a little documentation that was like scattered across like GitHub or whatever where it had like reset device, whatever. But to clarify, like I knew it was possible and then I kind of thought about it and there's the customer facing website, which is very restricted, locked down. And then there's like the business website, which has, you know, if you're
Justin Gardner (@rhynorater) (01:57:34.976)
Mm-hmm.
Sam Curry (01:57:53.354)
like a business, you can manage more stuff. You have multiple devices. It's like an easier interface, right? So that was the thought process, but I dug at the business website and, uh, I eventually found an API which let you do those sale commands. And I found the second vulnerability where there was a leaked secret, which was used to encrypt the router serial number in the pipe and the flow. Um, so I could basically decrypt and encrypt any router serial number that was passed in that protocol.
to do like anything. So you could like it.
Justin Gardner (@rhynorater) (01:58:25.9)
Was this an unauthed API or were you authed into the business website?
Sam Curry (01:58:29.402)
Well, it was fully unauthed. Yeah. It was unauthed. Everything was, uh, it was in JavaScript. It was basically the flow was website to JavaScript to directory traversal to the swagger files to API call, uh, from a traversal. So it was like a secondary context thing where you traverse to another internal routing thing. And then, uh, in the JavaScript, it has the encrypt functionality because I saw the router value and I was like, that's like not a normal string. It's not.
Justin Gardner (@rhynorater) (01:58:33.352)
And you just found it in the JS files? Were you brute forcing it?
Sam Curry (01:58:59.138)
So I realized it's encrypted so you could decrypt it. And then, uh, through that you could, it's absurd to think about to me because. It's if you're the FBI, you have an office building that uses this ISP for your internet, right? And if someone was like man in the middle of your network, they'd have to like go in your network and do the whatever. But like, you can just update DNS via this, via the serial number. And it's like a new rule.
And it's just, we could also search by customers by name or a business name. So it's like, you could target like, it's just, you know, like it's a, yeah. Yeah.
Justin Gardner (@rhynorater) (01:59:27.604)
No.
Justin Gardner (@rhynorater) (01:59:34.548)
Wow, dude, that's crazy. So, go ahead, Joel, sorry.
Joel Margolis (teknogeek) (01:59:39.63)
Well, and this is on your ISP, who's like, you know, one of the largest, I mean, they also have a monopoly where I live. They're like one of two ISPs in my area. I think most people use them. And, um, you know, they're, they're a huge, huge massive mega corp. Did they even have a security contact? Like I'm almost certain they don't have a bug bounty program, right?
Sam Curry (01:59:57.61)
No, they had like a, they maybe had a security page, like a responsible, they did have a responsible disclosure page, but you had to like go through a couple of people that actually get to somebody. Um, yeah, they didn't really seem to have like a super sophisticated, I couldn't find the security contacts. Um, they maybe had a CISO, but they weren't reachable. They didn't have an email or LinkedIn that accepted the invite or anything like that. Um, yeah, no way to contact it. Yeah.
Justin Gardner (@rhynorater) (02:00:19.712)
Wow, so let me just, I'm gonna try to concisely do this because Sam, this is really something special. Like the way that you have found this whole path. And it's something a little bit more foreign to me because for me, a lot of what hacking looks like is get the main application, figure out all of the functionality, figure out all of the logic, you know, find all the requests, start correlating information, deep dive the stack, you know, that sort of thing.
Sam Curry (02:00:24.802)
Okay.
Justin Gardner (@rhynorater) (02:00:49.184)
But this whole thinking about it from an architectural level is very different. So you had a call with a support agent. The support agent said the wrong thing to Mr. Sam Curry and said, I'm gonna reset your.
Sam Curry (02:00:59.47)
Ha ha.
Joel Margolis (teknogeek) (02:01:00.734)
Same here as like mental note. Very interesting. Oh, thanks. Uh, okay. Bye. Immediately starts hacking.
Justin Gardner (@rhynorater) (02:01:03.908)
Yes. So, exactly. That lit the fire in you thinking, okay, so they have some way to remotely reset my router. I bet that it's easier to access that through the business portal than it is through the customer portal. Maybe you went to the customer portal first or whatever, but then you decided to go to the business portal. Go to the business portal, no auth, no nothing. That doesn't scare you off. You're just looking at the JS files. You find unauthed API access that you can have.
You path traverse and hit the swagger. Then using the swagger, you find, I mean, I imagine the swagger, did it have documentation in it for all the, yeah, okay. So at that point, you're like, all right, I'm good to go. Then from the swagger file, are you hitting, is it a reverse proxy or is it a secondary context thing on that API or was it a secondary context thing before that to hit the swagger file?
Sam Curry (02:01:44.18)
Yeah.
Sam Curry (02:01:55.426)
It was a secondary context to hit the swagger file and that opened the door. Everything was connected at that point in the secondary context. Yeah.
Justin Gardner (@rhynorater) (02:02:00.296)
Okay. And then now you've got the keys to the kingdom with the swagger file and the unauthed API, and you can just encrypt and decrypt IDs because of that secret. And then you can take over any, any freaking router in your whole ISP.
Sam Curry (02:02:13.474)
Yeah. It's crazy to think about because it's like, and shout out to Zayat for helping me with the JavaScript too, because the encrypt function was at a certain point. So it's had a break point in the JavaScript to actually call that JavaScript. Zayat is the master at this. He's done like a lot of really cool research. Jads to him.
Justin Gardner (@rhynorater) (02:02:25.024)
Mm-hmm.
Justin Gardner (@rhynorater) (02:02:30.816)
So, but if you're setting an encrypt, or if you're setting a breakpoint, then that JS would have to be triggering, which I imagine would only happen after auth, right? So did he have to like somehow hijack that flow and trigger that function or?
Sam Curry (02:02:45.262)
So there was a submit registration endpoint that you could hit and it would encrypt your PIN code. So you didn't actually get approved or anything, but you could encrypt your like, you know, once before it would send, encrypt the value. That's how I found it. Yeah.
Justin Gardner (@rhynorater) (02:02:58.06)
Gotcha. And so, and so.
Joel Margolis (teknogeek) (02:02:59.97)
This is such a cool little like pocket of research too, because I've thought a lot about this, like modems are such a weird spot. A lot of modems, especially like the provided ones, they don't give you any way to interface with them, right? Like my modem, for example, has like a fiber line going into it, it's an ONT I guess, but, and then it just outputs ethernet to my network, right? But how do I talk to the box that like gets fiber, right? Like that.
is that's talking to the ISP that does some theoretically some negotiation or communication back with the ISP so that some random person can just plug a fiber in and get internet for free. Right? Like, you know, it's like, how, how does all that work? It's such a, such a weird, like, yeah, I love just like peering into that. I think there's a lot more interesting research you could do there.
Justin Gardner (@rhynorater) (02:03:38.732)
Hmm. Dude.
Sam Curry (02:03:51.866)
The ONT boxes too are super proprietary. Like I had the guys at my house and I was like, could I buy one of those? And he's like, nope, they gotta come from the ISP. And you go to the ONT website, yeah, you can't buy them yourself. Like you can maybe get them off eBay, but yeah, very proprietary.
Joel Margolis (teknogeek) (02:03:59.806)
Uh, yeah.
Justin Gardner (@rhynorater) (02:04:05.664)
Wow, dude, that would be such a fun live hacking event if some Verizon or Cox or whatever is just like, all right, here's your house. They give us a little router, hack us. That would be so much freaking fun. All right, dude, so that was a great vulnerable story. Thank you for getting into the technical details with that. That really helps me understand from a bigger perspective what your methodology is for finding these sort of fringe assets.
Joel Margolis (teknogeek) (02:04:17.176)
Yeah
That'd be awesome.
Sam Curry (02:04:22.286)
I'd love it, yeah.
Justin Gardner (@rhynorater) (02:04:35.448)
and going after these goals that you've got. The next one that I kind of want to talk about is your Next.js research that you did in 2022, I think. And if I understand correctly, this was something that came from the fact that a lot of companies are using this framework now, specifically in the crypto space, and that motivated you to look into it, right?
Sam Curry (02:05:00.762)
Right, exactly. Like one big thing for me was like, with crypto, it's always been kind of crazy to me because like the huge thing for crypto is integrity, right? If you look at the CIA triad, confidentiality is like, the only thing you need to really worry about is like leaking your keys. The like availability, it's like, if it goes down, it's like whatever, you still have the chain access. It's like a static website, who cares, right? But the integrity is like super important, right? So like.
Justin Gardner (@rhynorater) (02:05:11.584)
Mm-hmm.
Sam Curry (02:05:27.658)
If I'm a normal person and I want to go to Uniswap to like trade a million dollars for this over a million dollars of that, I trust Uniswap.org and I'm not really going to do too much additional verification. Like, you know, nobody's doing like hash verifications of the JavaScript or whatever they're in. It's all very like Metamask, swap, I trust the domain name. Right. So the idea for me is like, if you can get XSS on Next.js, which is what all the crypto
then you have this like huge, huge integrity issue where it's like, you know, there's nonstop phishing domains. And this was the first case that I'd personally seen someone leverage subdomain takeover for a phishing domain because I saw on Twitter, someone had taken over like some and then hosted like an NFT giveaway or something. Right. And it's like, yeah, it was really cool to see. Cause I'm like, hey, subdomain takeover. Like someone's actually exploiting that for like a malicious purpose. Right. Yeah, exactly. And.
Justin Gardner (@rhynorater) (02:06:12.894)
Oh really, wow.
Justin Gardner (@rhynorater) (02:06:19.12)
Oh cool, oh wait, that's not good. Yeah.
Joel Margolis (teknogeek) (02:06:22.99)
The one actual instance of it being exploited in the wild.
Sam Curry (02:06:25.982)
Exactly. Like so that was always fascinating to me. So like Next.js, like every single website you proxy it, you see underscore next and you're like, oh my God, same thing over and over and over. So for me, it's like let's investigate this and maybe there's like a core issue because personally like Vercel and Netlify and all these companies, they're like great. They're great companies, but like the bloat associated with it. There's a really funny quote actually from like YTCracker on a blog he wrote a long time ago.
And he says, if any one of these, like all it takes is like one of these like French JavaScript framework developers to die of like Adderall overdose and like a quarter of the internet goes down. Nobody can ever fix it again because like it's such a particular library. So.
Joel Margolis (teknogeek) (02:07:12.194)
Like the XZ thing that's happening right now, like live XZ, we came like so close, just like graze the sun with, uh, with how that could have been. And it's the same thing, right? It's like all it takes is one really widely used library or framework or something to get popped in a fundamental way. And everybody's like, Oh shit, that, that affects everything. Yeah.
Justin Gardner (@rhynorater) (02:07:13.195)
Yeah.
Justin Gardner (@rhynorater) (02:07:19.004)
Oh my gosh.
Sam Curry (02:07:19.114)
Yeah.
Justin Gardner (@rhynorater) (02:07:31.816)
Everyone's screwed.
Sam Curry (02:07:33.506)
Yeah. Yeah, exactly. And for Next.js, especially too, it's like, at the time, I was so focused on crypto, I was like, let's try to target all the crypto websites. So I worked with Shubs on this one. And we went deep on the source code for the actual like image proxy functionality. Basically, what they've done is they've baked down this like image optimization feature where, you know, maybe in the past, you've had like an external image that has to load each time but like
Justin Gardner (@rhynorater) (02:07:51.349)
Yeah.
Sam Curry (02:08:01.79)
instead of reaching out to the other website, it does the closer server and it optimizes it and caches it. So you don't have to like waste the network traffic. So what that actually does is like the server itself is originally making that request to fetch the image. Right. So if you loaded like, uh, I think it was underscore IPX slash external URL, it would, uh, or underscore IPX slash trusted URL, like percent two F image.png.
What you could actually do through investigating the source code is you could add a header to overwrite the external URL that it reaches out to and then it would cache it. And what we realized is that you could do, yeah, SVG files and by doing an external SVG file and caching it on that URL, you could save like %2f test.html or test.svg and then it would cache that because that's payload and you could send it to somebody else. And since it was at like a library level.
Justin Gardner (@rhynorater) (02:08:40.008)
Ah.
Sam Curry (02:09:00.094)
You could do it like on any website, right? Yeah.
Justin Gardner (@rhynorater) (02:09:01.94)
Wow. And so did you get that from reading the source code? For that, I imagine that wasn't just experimentation.
Sam Curry (02:09:09.366)
No, yeah, it was a bit of both. Mostly it was source code because like you could trace everything is public, which is kind of, it's one of those like Silicon Valley, like open source, but sort of will like give you a trial or something.
Justin Gardner (@rhynorater) (02:09:17.824)
Yeah.
So, yeah, I actually want to ask about this, because I think I'm being a little, I don't fully understand the whole infrastructure for this. So, obviously we see a lot of Next.js stuff on the client side, but is this, you know, I'm having a little bit of trouble correlating this to what it is. I mean, obviously they've got some server-side functionality. We see a bunch of stuff with that on the client side. Is it like a full stack solution for that, or?
Sam Curry (02:09:39.755)
Yeah.
Sam Curry (02:09:48.194)
Yeah. So Next.js is, uh, it's a full stack solution or it's kind of like a framework. It's essentially what it is, is a JavaScript framework and it does both front end and backend. So, and what's it's, it's offered by, I think Vercel, Vercel's the originally they're the original builders, maybe of, of Next.js and Vercel is like, here's Next.js. And if you really want an easy way to deploy it, just come to our website. Right. So a lot of Next.js that you see is actually deployed through Vercel's website through a sort of like AWS setup, right. Um,
Justin Gardner (@rhynorater) (02:09:52.536)
Mm.
Justin Gardner (@rhynorater) (02:09:56.477)
Okay.
Justin Gardner (@rhynorater) (02:10:13.372)
Okay. Okay, so this is a full, so, and this is very interesting. So there's certain trade-offs between the server side and the client side that are baked right into it, just like this image optimization thing. I see why this sort of put off the alarms in your head, because I hadn't really looked at the structure before, but what I had seen is like, it does make me think a little bit of this Cloudflare stuff that we talked about on the pod maybe last week or a couple weeks ago.
of like these /cdn-cgi endpoints that are on literally every single website. There's got to be some weird stuff there, man. I swear. Yeah, any-
Sam Curry (02:10:51.95)
Right. I, yeah.
Joel Margolis (teknogeek) (02:10:53.15)
Yeah. I mean, there's a lot of things that are like this, right? Like imagine if somebody finds an XSS in Google Tag Manager, right? Like, right. It's like every website in the world, it's, you know, yeah.
Justin Gardner (@rhynorater) (02:10:59.244)
Oh my gosh, yeah.
Sam Curry (02:10:59.766)
Oh my God. Yeah.
Sam Curry (02:11:06.298)
I think I was hacking on like, that was one of those things where it's like, I was hacking on like some really hardened target and it was used by everybody. It was like something similar to like Venmo or something like that, right? And what I saw was that there was a JavaScript dependency and the source and I'd never seen that domain before. And it was like a tenant based JavaScript file. So like you could customize your JavaScript for your tenant on that third party SaaS product. And it was being added to this.
Justin Gardner (@rhynorater) (02:11:15.18)
Hmm.
Sam Curry (02:11:32.59)
So if somebody compromised that, you've now added the single point of failure. It's crazy, yeah, it's so interesting.
Justin Gardner (@rhynorater) (02:11:33.909)
That well.
Yeah, especially on these bigger hardened programs, this is something that I've talked a little bit about post a live hacking event that happened in the past year with some of the guys afterwards. It was just kind of discussing, when you've got these big targets that pay for impact that are very, very secure and locked down, many times the weakest link is gonna be these third party endpoints that they, or these third party providers that they pull in without doing too much of a security assessment on it. Because...
You know, they may have very solid security controls from, just like you were talking about before the episode with Donut, you know, and trying to build an authorization framework that just makes it impossible at compile time to do an authorization issue. You know, they may have protocols like that in place at their organization, but when the freaking marketing team says, I need this, you know, plugin or whatever for my front end, they're not gonna audit that whole source code base, you know?
Joel Margolis (teknogeek) (02:12:35.618)
Yeah. And they can't continuously audit it either, right? Maybe they audit it once and then in a year or two, you know, they never get to see what happens and a vuln gets accidentally snuck in there or committed by accident and you know, it's GG.
Justin Gardner (@rhynorater) (02:12:35.926)
and
Justin Gardner (@rhynorater) (02:12:49.492)
Yeah, such a risk. It's a huge risk and then, you know, like you guys were saying as well, all of the whole internet is built on these maintainer building blocks. Ah, it's depressing to see, to be honest, and it makes me wonder. Yeah, dude, I don't know. There needs to be some massive government grant or something like that for open source maintainers that are just like, please continue doing the thing you're doing so that we don't lose our whole internet infrastructure.
Joel Margolis (teknogeek) (02:13:02.491)
It's an open source awesome.
Sam Curry (02:13:04.372)
Yeah.
Sam Curry (02:13:17.73)
Yeah, it really is tricky.
Joel Margolis (teknogeek) (02:13:18.666)
Yeah, yeah, no kidding.
Justin Gardner (@rhynorater) (02:13:18.764)
That would be big. So yeah, I think it makes a lot of sense why you would target Next.js and that target or that IPX piece of how you're able to cache that. Pretty rad. The other vulnerability that I was looking at in here that seemed pretty interesting to me was the open redirect via /_next/image. And just to be clear for anybody listening to this, these vulnerabilities are long patched. If they're running,
I don't know, something super old and it's not hosted, then maybe you'll still find these, but these are long patched, so it's mostly just useful for the methodology. And having, man, having an open redirect on any website that has /_next would be so clutch, because it's so helpful to have these. And when you're looking for open redirects, I see the payload here was slash, backslash, slash, backslash, slash, right? So there's slashes in between.
And essentially what's happening here, or backslashes in between, is it's getting normalized to a slash redirect, right? Or a slash payload, and that's why it's redirecting, correct? Do you have any other cool tricks like that you look for when you're doing open redirect searching?
Sam Curry (02:14:23.652)
Yeah.
Sam Curry (02:14:28.237)
Yeah, and it's also...
Sam Curry (02:14:34.106)
Um, there's so many and they're so dependent on the actual like implementation. Uh, honestly sitting there and like my tips and tricks, like, I don't know. Um.
Justin Gardner (@rhynorater) (02:14:39.809)
Mm.
Justin Gardner (@rhynorater) (02:14:46.36)
See, this is why podcasting is tricky, right? Because I said what I said earlier about intuition, and I said I'm not much of an intuitive hunter, but that's more so from a top level architecture perspective. When you're trying to explain on a podcast why you test the things you test or what is your methodology, it's so hard when you don't have your hands on something.
Sam Curry (02:14:50.199)
Yeah.
Justin Gardner (@rhynorater) (02:15:13.556)
Like if you were just, if you had your hand, if I handed you a closed redirect, when I said, Sam, make this an open redirect, I'm sure you would be able to talk through the concepts of what you're doing as you're fiddling with it. But when I say, Sam, what's your methodology for open redirects, it's real tricky, right?
Sam Curry (02:15:32.878)
Right. Yeah, exactly. It's kind of funny, like trying to come up with like, condense like the knowledge into like a, you know, a sentence or whatever. So be it podcasting, that's like informative. Um, I totally agree. Like searching for this in particular was fun because like the goal for me was like, well, it essentially was allowing local images like explicitly. So like, for instance, if you wanted to proxy /_next/image?image=/image.png.
Justin Gardner (@rhynorater) (02:15:41.836)
Mm.
Sam Curry (02:16:00.718)
Totally fine. It loves it, says, well, we're going to try to find an image and if we can, we're going to proxy it for you and serve it. Right. And for me, that's kind of interesting because it's like, well, I know that slash slash will route to an internal, like a, uh, external domain and, uh, yeah, yeah. So I was trying to play with that for a while. And then when I realized that I was like, well, it doesn't like, uh, two slashes in a row, so like.
Justin Gardner (@rhynorater) (02:16:16.2)
Yeah, that's TLD, you know, or like a fully qualified domain name.
Sam Curry (02:16:29.834)
I could do like forward slash backslash and then to make it finish, you can do a forward slash backslash again, and then you've got the FQDN, right? And then, uh, what I realized after that too, is that I think if you ended the URL in a path that was not completed, or if I look back through it really quick, um, yeah, if you, if you ended it in a slash, so Next.js has this behavior, which is really funny. The reason this one really exists is because, uh, in Next.js, if you hit
Justin Gardner (@rhynorater) (02:16:36.853)
Mm.
Justin Gardner (@rhynorater) (02:16:49.682)
Hmm.
Sam Curry (02:17:00.726)
And if you hit a path and the path doesn't exist, that ends in a slash. For instance, if you hit /test/, and that's not a real thing, what it tries to do is take you back to /test to see if it's a real thing without the slash. Yeah. So what's cool about that though, is that at the time of reporting it, the, the /_next, uh, /image would actually send the image request to itself, and then you could abuse that functionality because it would return the redirect to the user.
Justin Gardner (@rhynorater) (02:17:13.26)
Mm-hmm. I've seen this before
Sam Curry (02:17:30.606)
So then basically you would get open redirect for any site because it would try to send that request to itself and then it would serve the response that it got from itself, which had the forward slash backslash, forward slash backslash attacker.com.
Justin Gardner (@rhynorater) (02:17:45.088)
Wow, so it was creating, you were sort of creating a loop of sorts there.
Sam Curry (02:17:50.359)
Exactly.
Justin Gardner (@rhynorater) (02:17:51.924)
Very cool, dude. Yeah, it's tricky to explain all of those different open redirect pieces, but one thing that's consistent with that is you have to have a very solid understanding of browser redirect mechanics and URLs and how URLs are parsed in order to find all these. And then you just got to try to figure out the places where, oh, the developer didn't consider the double slash being a top level redirect versus a
Joel Margolis (teknogeek) (02:18:17.664)
Yeah.
Justin Gardner (@rhynorater) (02:18:21.624)
a relative, so an absolute redirect versus a relative redirect. And so, yeah, no, I really like this one, and man, I wish this still existed, because what a gadget that would be, man, on so many websites.
Sam Curry (02:18:31.65)
Ha ha.
Sam Curry (02:18:34.923)
Yeah, and that's an interesting snippet. Oh, sorry, go ahead.
Joel Margolis (teknogeek) (02:18:35.579)
Yeah, and. Well, I was going to ask like, did you approach it at all from like the static analysis angle, or like the, just because you have like the JS right in front of you. So was it just easier to test it sort of black box, or was it to dig through a bunch of JavaScript code and figure out how that works?
Sam Curry (02:18:53.558)
Yeah, luckily for me, I'm a very non source code person. I'll do fine with source code and I enjoy it and I appreciate it. But for me, I like to just test the actual functionality versus trying to dig into the code. Because one thing that my philosophy a little bit is when the developers wrote that code, they wrote what they intended it and wanted it to do. And even though if you know the tricks around it, sometimes you'll trick yourself into thinking that something's working as intended. And if you take the approach of like an external person who's like, well,
I don't think it's working as intended. We'll try to figure it out. Then sometimes you can get better results, but it's cool to work with Shubs because Shubs is a fantastic like source code auditor. So we kind of merged a little bit where I was like smashing the keyboard and he's like analyzing stuff in the source. Yeah.
Justin Gardner (@rhynorater) (02:19:33.618)
Mm.
Joel Margolis (teknogeek) (02:19:40.258)
That's awesome. That's awesome.
Justin Gardner (@rhynorater) (02:19:40.496)
And you can bounce off of each other too, where you say, hey, I'm seeing something weird in dynamic analysis, go figure out why that's happening. And then they go figure out why that's happening and it leads you to a clearer picture of like, okay, that's why that's happening. And you can exploit it further because you now have introspection into the code surrounding the fringe weird functionality. I like that, I like that. All right, man, we are.
Sam Curry (02:20:02.158)
Right, yeah.
Justin Gardner (@rhynorater) (02:20:05.364)
two hours and 20 minutes in right now. So let's go ahead and wrap up. The last thing that I wanted to talk about here was you mentioned before that you have a lot of success with dev versus prod in the context of JWTs being used as a form of authentication. Can you talk a little bit about that and maybe, I don't know if you have a story about it, but you can feel free to share a story if you do.
Sam Curry (02:20:07.371)
Oh wow.
Sam Curry (02:20:32.29)
Yeah, sure. So the dev versus prod thing is really fun because if you're a developer and you're writing like a Next.js application and you have like, you know, if I'm a startup and I start a company and I use Next.js and I do all the things correctly, but let's say I accidentally reuse the same key and I store it in my source code and then I deploy a dev site and a prod site and I'm provisioning user IDs for each registered user. If I register in dev, I'll be user ID three or whatever, but in prod I'm like user ID 463.
Justin Gardner (@rhynorater) (02:20:54.666)
Mm.
Justin Gardner (@rhynorater) (02:20:59.765)
Mm-mm.
Sam Curry (02:21:00.046)
But a lot of times what I could do is just copy over the dev JWT to prod, and then I could access account number three. And then like some funny stories too, with that, um, it's just kind of part of my attack methodology now for like Next.js websites, because it's just one of the things I saw like a few times. Yeah. I think specifically for Next.js, because, uh, honestly with Next.js, it's getting a lot harder to test for bugs. I feel like, because like you've got everything in the JavaScript and like,
Justin Gardner (@rhynorater) (02:21:15.468)
specifically, Next.js. Interesting.
Sam Curry (02:21:28.566)
I don't know. It's all there, but like, it just gets boring. It's the same thing over and over again. So it's just not like entertaining to hack on. So I kind of, I've been trying to do this for Next.js websites because I know it's a common thing I've seen. Um, but yeah, copying the staging JWT to prod and then seeing if there's a difference for which account you get, if the secrets are the same.
Justin Gardner (@rhynorater) (02:21:49.352)
And you find that there's normally one piece of information they're basing their auth off of there, like an ID versus like an email or anything like that.
Sam Curry (02:21:58.786)
Yeah, a lot of times, a lot of times it's ID, but other times it's email. The ID ones are sometimes harder to exploit because it's like UUID based and then you can't really do anything unless you can control it. But the ones that are fun are the email ones that don't like require confirmation. Um, cause say you register like admin@company.com and like you do on one and the other, and the other one's not registered, then yeah, you generate it. Good access. Um.
Justin Gardner (@rhynorater) (02:22:13.631)
Mm-mm.
Justin Gardner (@rhynorater) (02:22:22.772)
You can just target whatever account you want and then just opt into it. That's pretty cool, man.
Sam Curry (02:22:26.658)
Exactly. Yeah. It's been a vuln for a long time, or like kind of a vuln class, but I've seen it kind of pop back up a tiny bit with Next.js.
Justin Gardner (@rhynorater) (02:22:35.696)
I think, I think Irby also mentioned that this is a part of his function or normal methodology for this sort of thing, and I know he's popped some cool bugs with that in the past. So there's definitely, there's definitely bugs to be found in that, in that area, and I'm kind of wondering as well what you were, what your recon looks like then, because you do have this whole thing where you're like, where you're going deep for sure,
Sam Curry (02:22:56.604)
Ahem.
Justin Gardner (@rhynorater) (02:23:00.992)
but you're also finding the fringe assets you need to find to get the impact. So to what degree do you spend time on recon versus focusing on hacking applications you've discovered?
Sam Curry (02:23:11.054)
Yeah, so recon, like I love recon for getting an understanding and feel of the app. For instance, finding like, you know, dev.ant.com versus prod or, and like kind of understanding the infrastructure. Um, I'm not a really big fringe asset hunter, so I'm not really somebody who goes at like, you know, some crazy subdomain that popped up for four seconds on crt.sh. Right? Like I can't do that. It's not my style. Um,
But what I'll do is I'll use recon data to kind of get an understanding, like whether or not there's Akamai hosts for everything. And one of them is a non-Akamai host and they can change the host header and do, you know, like that's how you gain info. But, um, what I'll do for targeting assets is like, try to pull together an understanding. Like maybe there's a domain that has like a Swagger file. Maybe there's a domain that has this. And then I'll try to use it to attack whatever has the most functionality, whether that's www, my account, the app.
Joel Margolis (teknogeek) (02:23:48.366)
Thank you.
Sam Curry (02:24:04.458)
Mostly those core ones I try to stick to. Yeah.
Justin Gardner (@rhynorater) (02:24:07.388)
Dude, that's one of the most balanced approaches I've heard of. The takes on the pod is like, use recon data to the extent that it gives you a picture of the organization and to explain the full architecture of the organization. And then from there, you attack the thing that has the most features and the most attractive features as well. Very, very cool.
Joel Margolis (teknogeek) (02:24:20.89)
Thank you.
Sam Curry (02:24:27.83)
Right, yeah, I love that because it's, yeah. There's another, yeah, there's a hacker, Cash Money, Tanner. He has a similar attacking style, like Jack Cable, maybe even Urby, but they all like swear to the fact they're like manual hackers who they'll employ stuff, like they'll script stuff, definitely. Like I've seen Tanner script like crazy stuff and he's done really well. But like mostly they seem like they're manual testers where it's like, it's like, why wouldn't you go after the part of the app with the most functionality?
Justin Gardner (@rhynorater) (02:24:34.17)
Mmm, tanner.
Justin Gardner (@rhynorater) (02:24:38.965)
Mm.
Sam Curry (02:24:57.858)
Like if I could, some random assets can have two API calls that are like integers and not versus the main app is like six years of like 400 developers rotating in and out of being fired or new ones and like, you know what I mean? But.
Justin Gardner (@rhynorater) (02:25:09.704)
Yeah, yeah, 100% dude. Wow, that's a great way to wrap up this pod, is that really balanced approach to recon and looking at an organization holistically rather than an individual web app. That's definitely something for me to chew on. Joel, did you have anything else you wanted to toss out there before we bounce?
Joel Margolis (teknogeek) (02:25:32.863)
No, I mean, I'll open it up to Sam because, you know, I know we've talked about a bunch of different things, but, you know, obviously, Hackcompute and some of the other stuff you're working on, your blog, just, you know, where can people find you and watch out for more of your awesome research?
Justin Gardner (@rhynorater) (02:25:35.498)
Mm.
Justin Gardner (@rhynorater) (02:25:44.94)
SamCurry.net.
Sam Curry (02:25:49.43)
Yeah. Uh, I think samcurry.net and then, uh, hackcompute.com. Uh, yeah, I'm trying to continue to publish like cool web stuff to samcurry.net, but I haven't done too, I've been doing a lot more, so I'm kind of happy to be able to publish some more stuff, but, uh, besides that, like hackcompute.com, I want to publish more AppSec stuff. Um, yeah, mostly thank you to Justin and Joel for putting this together. Like, I don't know if, to the listener, like behind the scenes is so much effort. Like there's a full Google doc of like
10 hours of like writing out, like, and then researching and figuring stuff out. Yeah, so it's a total honor. Really, really appreciate them. So that's it.
Justin Gardner (@rhynorater) (02:26:27.308)
Well, thanks for coming on, Sam. We loved having you on. And we'll definitely have you back on in the future to share some of this cool research that's coming out at samcurry.net. All right, that's the pod. Peace.
Sam Curry (02:26:36.413)
Cheers. Peace.