frans (00:00.966)
I'm still uploading to you, right? It's just, it's breaking for you while, okay. Yeah. Okay.

Justin Gardner (@rhynorater) (00:05.059)
Yeah, I'm not really sure why that's happening, but you know, we'll see. All right, dude, Frans, we're rolling. Welcome to the podcast, man.

frans (00:12.258)
Thank you so much. Thanks for inviting me.

Justin Gardner (@rhynorater) (00:14.343)
Of course. And so actually before we jump into this episode, I've got to highlight what the heck this thing is behind you. There's like a, it looks like it's like a framed poster of you with a shell on Google. Is that exactly what that is?

frans (00:20.196)
Yeah.

frans (00:27.498)
Yeah, yeah it is. It's from 2014 I think. It's uh... Yeah, no, yeah, it's 2014. Yeah, yeah. Were you born then? No. Yeah, just kidding.

Justin Gardner (@rhynorater) (00:31.493)
2014? Are you kidding me? Holy crap.

Dude, shut up. I was, I was, I, that's the year I graduated high school, actually. That's.

Joel Margolis (teknogeek) (00:37.006)
Ha ha

frans (00:42.25)
Okay, yeah, yeah. No, it's, I think it was from an XXE, if I recall it correctly.

Justin Gardner (@rhynorater) (00:48.523)
Wow, dude, that's nuts. So he just got like /etc/passwd from a Google box on the wall behind him. That's pretty fricking neat. All right guys, so as we often do when we start off the Critical Thinking Podcast, I'm gonna have to go into Justin's story time a little bit, okay? So Justin's story time is this. I was at my, the setting was this. Justin was a new bug bounty hunter, and I had just...

Joel Margolis (teknogeek) (00:48.567)
That's awesome.

frans (00:52.472)
Yeah.

Joel Margolis (teknogeek) (00:55.726)
That's amazing.

Justin Gardner (@rhynorater) (01:17.167)
weaseled my way into my first live hacking event, okay? And I had, I was very nervous. I was the plus one of a plus one. And it was amazing to get to see all of these hackers that I have respected for so long. But there was one guy in particular, you may be able to guess who, that I had not gone and talked to because I was just too nervous. I was too nervous, man. I was like, there's no way I can go up and talk to Frans Rosén.

And I was talking to my wife, Mariah, and I was like, listen, Frans is like a legend. Like, I can't go up and talk to him. And she's like, Justin, you're at this live hacking event. You have to go up and talk to him. And at that event, you had found a crazy bug with an S3 bucket, pulling stuff in and stuff like that. And so I went up and talked to you, and you were so kind to explain the whole bug to me and just chat. And that was my first fanboy moment where I was like, wait a second.

frans (02:15.13)
I'm gonna go to bed.

Justin Gardner (@rhynorater) (02:17.003)
Frans is a real human, what's up with that? So, yeah, yeah dude, you know normally they say don't meet your heroes, but I must say Frans, you did not disappoint, so. That, yeah, so there's your little flattering intro. For those of you that don't know Frans, Frans is a legend, a hacker, a bug bounty OG, and.

frans (02:20.148)
Yeah, wow, that's amazing. That's an awesome start.

frans (02:29.594)
That's awesome. Thank you.

Justin Gardner (@rhynorater) (02:44.627)
Dude, I'm looking at this plan that we have for this episode and it's so long. I'm not even sure we're going to be able to get through all of this because there's just so much good content that you've put out. So thank you for that. But before we get into all that, let's go ahead and talk about how you got into bug bounty in the first place, because you got in when it was really early on the scene, and give us a little career walkthrough that brought you to the point where you could do bug bounty.

frans (02:57.242)
Thank you.

frans (03:08.974)
Sure. I think, I mean, initially everything started off as hiring two young people to my company as developers. And these two young guys, Mattias Karlsson and Fredrik Almroth, they were lurking always inside in the corner in the office doing stuff together always. And you didn't figure, like you couldn't really understand what they were doing. But when you started talking with them, you realized like they were...

Probably like ARP spoofing the whole office and laughing, laughing. This was like, yeah.

Justin Gardner (@rhynorater) (03:40.971)
Oh my gosh, that's hilarious. Okay, so wait, I'm gonna pause you really quickly there. So you were, at this point, you were already an entrepreneur. So you started, you had already started your company.

frans (03:49.162)
Yeah. So I, yeah. Yeah. So I can start when, when I was born. No, just kidding. No, no. So I, yeah, exactly. No. So I started as a developer like super early on, and then, uh, I, I built the company together with, uh, with a business partner of mine. And we hired Fredrik and, and Mattias. And at that time I wasn't into hacking. I, I knew that like sanitize your inputs. That was, that was basically the.

Justin Gardner (@rhynorater) (03:54.695)
No, no, shh, shh.

Joel Margolis (teknogeek) (03:56.667)
Take us back.

Justin Gardner (@rhynorater) (04:10.656)
Hmm.

Justin Gardner (@rhynorater) (04:18.132)
Sure, sure.

frans (04:19.494)
the idea that I knew was something in regards to security. But this was very timed also because like this was 2010 I think 10 or 11 or something. And I got curious on what they were doing and at some point they told us that they were planning on building like a security company, automating security issues. So we were pretty interested in that and we started talking more deep.

Justin Gardner (@rhynorater) (04:41.536)
Wow.

frans (04:47.67)
around like, what would you do? What, like, what is the product? And we kind of realized early on that we could do this together, especially because we saw a need for it in terms of what we were building. We were building like e-commerce websites and CMS websites and so we, we then created Detectify. And, and at that point, just when we got started, the bug bounty scene basically was initiated.

Justin Gardner (@rhynorater) (04:55.2)
Hmm

frans (05:18.41)
So it started with like Mozilla and I think it was PayPal and Google and I think Facebook was early on as well and then you had you had like Russian things as well and some what was it there was something else also that was like super early on I think eBay was early on as well like there was a few of those that started and you basically had like a way to do like research on

Justin Gardner (@rhynorater) (05:19.051)
Wow.

Justin Gardner (@rhynorater) (05:30.199)
Pssss.

Justin Gardner (@rhynorater) (05:38.973)
Mm-mm.

frans (05:46.846)
a huge amount of surface. Like you could test a bunch of things on this attack surface. And so that was very helpful in like getting to understand what they were looking for. But because now you didn't have to like hide or simulate fake things, you could literally like focus on looking for real bugs. So that got me curious on like what should I start with. And I think they basically showed me a bunch of XSS things. And that's where I like started off. And...

and played like XSS was my, you know, where I was born and then, and then it grew from there. So I think that was, I think it was very helpful for me to have people next to me that I could ask and also to, you know, whenever I didn't know anything, I could just ask them and then I could play myself and then I could come back and like get that feedback.

Justin Gardner (@rhynorater) (06:20.669)
Sure, sure.

Justin Gardner (@rhynorater) (06:38.475)
Dude, this is so awesome because you were in a position of owning this company or whatever, and you hire Mattias. I didn't know that was actually how you met Mattias in the first place. And then you're willing and engaged at a level where you can say like, hey, what are you doing? And then you start this company with them and it just shows this really learner mentality. And Mattias is young at this point, right?

frans (07:02.391)
Absolutely.

frans (07:05.994)
Yeah, I think they were they were drop-offs from university. I think it was like they were like 18 or 19 if even that. Yeah, so they yeah, absolutely. And they came basically in and like they were they were OK developers, but they were much better when it comes to like security and security related things. That's when they were like shining in terms of skills. So we felt that like it's much better for you to like focus on those things than,

Justin Gardner (@rhynorater) (07:12.167)
No way, wow, so they were real young.

Justin Gardner (@rhynorater) (07:23.221)
Hahaha

Justin Gardner (@rhynorater) (07:30.676)
Yeah, dude.

frans (07:35.57)
making an integration with an invoice provider. Like, yeah, no, not really. Like write other code that it's like much more fun to like run. Yeah.

Justin Gardner (@rhynorater) (07:38.807)
Yeah, please stop writing code. Ha ha ha. Right. You know, that's great. I've been meaning to get Mattias on the pod as well, so I think I'm gonna send him a message right after this episode, because I'd love to hear his origin story as well and his side of this situation where he's like, so there's this guy and he hired me onto this company and then he's like, why are you ARP spoofing the whole office? You know, like.

frans (07:54.154)
Yeah. Yeah, exactly.

Joel Margolis (teknogeek) (07:59.421)
Oh

frans (08:02.054)
I love that he's like, he probably has a totally different story. He's like, no, I wasn't hired. I just came there. Yeah. I didn't get paid. Yeah.

Justin Gardner (@rhynorater) (08:07.303)
Yeah, I hacked into this company and then. Yeah. Right. Exactly. Okay. So, yeah.

Joel Margolis (teknogeek) (08:09.079)
I just showed up one day, yeah.

Joel Margolis (teknogeek) (08:14.586)
So that's really interesting to hear that shift. So you were basically just doing entirely software development. When you learned about the security side of it, what sort of piqued your interest to make that pivot that really drew you towards security? Because I imagine if you're doing a lot of software development stuff, you probably could have just kept doing that and not made a switch into security. So what was that draw?

frans (08:38.162)
I think, I think, so I've been like, I was building, you know, systems, like you, you say you're building a system, but like, what is a system in, in reality? But I was always like, as a developer, I always try to like, Oh, I can reuse this. I need to build this like modular and, and all these things. So I was always curious on how others were doing it. And this was like, I've realized this.

probably now after like 14 years, but I kind of know that like through the whole time, but like I'm super curious on how other people thought about problems and issues. And I've always like I've almost made it a challenge to myself to write like pseudo code of how something is implemented so I can make a black box a white box.

Justin Gardner (@rhynorater) (09:31.113)
Right, right.

frans (09:32.13)
just because that's the way I understand how they thought about things. And also that's how you find that specific little if statement that they forgot about. And I think, I think that was, that was the point where I realized that I could do this on other companies and nobody will like get me into trouble and I can just, you know, start poking at them and see what's, what, what will happen. And I think that was.

Justin Gardner (@rhynorater) (09:41.879)
Sure, sure.

frans (09:57.002)
That was something that I'd like, I can do this and also get paid. Like this was something I was poking at before, you know, just figuring out how stuff worked, and now I could do it, help other companies and also, you know, get paid for it. So I think that was, that was the trigger to like, okay, I can actually gain knowledge by doing this. And also I have like a side effect of I can actually, you know, make, make money for it.

Justin Gardner (@rhynorater) (10:12.054)
Yeah.

Justin Gardner (@rhynorater) (10:22.663)
Yeah, absolutely. And I think, go ahead.

frans (10:25.546)
No, and I think what happened in the beginning also, when we started with the bug bounty was like those, those money came in to our company so we could fund, you know, this company, like start these other companies. So it kind of, it was like a very, like a beautiful environment of like, we get to poke on other companies and that creates other companies. And it was like, it was a very nice, you know, circling effect of.

Justin Gardner (@rhynorater) (10:42.987)
Yeah.

frans (10:54.403)
of hunting for bugs and yeah.

Justin Gardner (@rhynorater) (10:56.159)
Yeah, you see this a lot with Bug Bounty origin companies. Like in the beginning when you're trying to like make ends meet and stuff like that, you can even use Bug Bounty to fund your own company, as income into the company. So I think that provides a really nice launching place for Bug Bounty hunters to become entrepreneurs in that context.

frans (11:09.239)
Absolutely.

frans (11:18.55)
Yeah, for sure. There are many that has popped up from, yeah.

Justin Gardner (@rhynorater) (11:22.099)
Yeah, yeah, and I've got, I actually was just speaking to another one this morning who will have on the pod. So there's definitely some, that's one of the things I'm really interested in is bug bounty plus entrepreneurship. So we'll definitely cover more of that later. And I've actually got a section on this doc if we get through all of it to pick your brain a little bit more about that. But I think you said a really interesting thing relating to how you think about hacking, which was that you try to write pseudo code so that you can kind of understand how the developers, you know,

would have written this code and turn it from a black box into a white box. And I kind of saw this when we were collaborating at the last live hacking event we were at. And you did a great job with that. Yeah.

frans (11:59.382)
Hmm. Yes. You can get like small indicators and that like this indicator confirms that they've done something like this because if this doesn't happen then, and, and it turns almost into a, like a game where you can like, I'm going to guess what happens if I do this, I'm going to get an error and then like, yes, I'm getting an error. Okay. Then I know that they've done this and that. Yeah, exactly. Like that.

Justin Gardner (@rhynorater) (12:08.096)
Yeah.

Justin Gardner (@rhynorater) (12:22.451)
Yeah, that's, and I think that's probably one of the things that makes you such a good exploit, exploiter, exploitationist, you know, like, I don't know the, I don't know the actual word, but, you know, someone who's really able to take an issue and just poke, until you turn it into a crazy vulnerability. So that's definitely a cool tip for anybody who has that sort of developer-like brain to kind of, you know, really.

frans (12:30.562)
I don't know. Yeah. Poker. Yeah.

Justin Gardner (@rhynorater) (12:50.255)
Be intentional about theorizing because I think to some degree we're all doing this a little bit when we're when we're hacking But I think if you take it that extra step and really start thinking in the forefront of your brain Hey, how did they write this? How is this? How can I confirm this? You know what little errors might tell me whether it's this or that You can flesh it out a lot

frans (12:54.051)
Absolutely, absolutely.

frans (13:02.855)
Mm. Yeah.

Exactly. And it's the same thing. Like when, when you've done it with one place and they have done, you know, a similar thing somewhere else, then you can like start comparing them and like, okay, but it behaves differently there. Like you can, so as soon as you've done that for like one code block, you can see other implementations in the same company. If they done like done a mistake on one, like that, that happens a lot. Like there's one single thing that, that makes everything break.

Joel Margolis (teknogeek) (13:09.59)
Yeah, I feel like.

Justin Gardner (@rhynorater) (13:16.425)
Yeah.

Justin Gardner (@rhynorater) (13:21.664)
Yeah.

Justin Gardner (@rhynorater) (13:25.16)
Yeah.

Mm.

Justin Gardner (@rhynorater) (13:32.406)
Oh yeah.

Justin Gardner (@rhynorater) (13:36.277)
Yeah.

frans (13:36.342)
Sorry, Joel.

Joel Margolis (teknogeek) (13:36.502)
Yeah. No, no, absolutely. I mean, there's almost like two different buckets of this type of stuff when you're doing testing where like the cat, sorry, he's part of the show too. Yeah. But there's almost like two buckets where like you can, there's like lots of like almost totally like out-of-left-field

frans (13:45.337)
Yeah.

Joel Margolis (teknogeek) (13:55.766)
type of stuff where you'll test, you'll be like, maybe they did this, maybe they did that, like you never know, maybe they made this weird mistake, like I saw this somewhere else. And then there's the very logical approach where you think about it sort of basically as if you're one of the developers or you're coming from the developer's perspective, which is you know some of the technologies that they're using, you know some of the common mistakes that happen within those languages and those technologies. And so you can sort of piece things together. You can try things that are a little more targeted towards like, say you're testing,

frans (13:58.039)
Yeah.

Joel Margolis (teknogeek) (14:21.718)
you know, a Java application, right? You're going to test stuff that's similar to Spring, or you know, you're going to be testing for like Java specific things instead of like Ruby issues or JavaScript issues. And that type of testing, like it's not to say that if you test a Ruby issue on a Java stack, that like maybe there's something further down the line that might pop and the, you know, but oftentimes having that context as like a developer is really, really useful because you have that like that background of like, oh, maybe they, you know, this is something weird that they might've done.

frans (14:23.498)
Absolutely, absolutely. Yeah.

Absolutely.

frans (14:38.723)
Yes.

frans (14:44.49)
Absolutely. Yeah. And I would say, yeah. And I would say one, one of the things you're mentioning there is like, I don't know why I think people are talking about it in a different context, but like typing is like one of the most, one of the best things and one of the worst things in combination that you can use. Like that's one of our biggest tools that we have is, is when, like, for example, when you have PHP, you don't have typing.

Justin Gardner (@rhynorater) (15:12.882)
Mm-hmm.

frans (15:12.95)
So that's what you have there is like, then you can start figuring out where they screwed up and thought it was an int, but it's a string. And in other languages, it's like, just because you have the typing errors, you can start fuzzing, you know, variables that didn't exist because you're getting a typing error. And so like, when you think about it, like that's one of my best clues that there's, you know, that I can hunt for things. It's like typing issues or typing errors, basically.

Justin Gardner (@rhynorater) (15:29.305)
Mm-mm.

Joel Margolis (teknogeek) (15:40.298)
Yeah, yeah, absolutely. And I feel like that's a really good transition into one of the tools that you wrote. When was this, like 2017 or something? This like, this S3 decloaking tool or whatever, this bucket disclosure tool. Yeah, do you wanna like talk about that a little bit? Cause there's, you did a whole blog post and stuff, but I feel like, yeah, I've got you right here, so.

frans (15:48.226)
Yeah

frans (15:52.063)
Oh yeah, oh yes.

frans (15:58.106)
Sure. Yeah, the blog post is... So what happened with that blog post was like I had fun bugs that I wanted to explain, but then I realized, okay, I need to take one step back. Like, do people know what this is? And like, do people know why this bug happens? And do people know what S3 is? And then like, do people know what the internet is? And like that the blog post just grew up. No. Did I lose you? I saw that.

Justin Gardner (@rhynorater) (16:22.599)
Yeah, yeah, so it's looking right now, it says you're 1% uploaded. Do you have any, do you have, so normally, yeah, so do you have a way to make your internet stronger? Like are you etherneted in right now or are you?

Joel Margolis (teknogeek) (16:23.53)
little bit.

frans (16:29.194)
Yeah, I see. One percent uploading.

But it goes from 1 to 0 always.

frans (16:41.946)
Hmm. I can try. I wonder what I have for...

what I have on my phone instead. It's weird because it says... Oh wow, maybe... could I have been the stupid person in the room.

Justin Gardner (@rhynorater) (16:56.627)
Yeah, so.

Justin Gardner (@rhynorater) (17:03.801)
What did you do?

frans (17:05.707)
I don't want to say.

Justin Gardner (@rhynorater) (17:08.41)
Is he, he's got proxy on right now.

frans (17:12.491)
I turn it off.

I think it works.

Justin Gardner (@rhynorater) (17:15.488)
Oh, now he's at 9% uploaded, that was definitely it. Alright, so, alright, we're... What do you mean it goes to S3?

frans (17:20.59)
It goes to S3! Wait, wait. I need to check my... Oh, fuck yeah, sorry. It was my mistake. So, yeah, everything went through burp, man.

Justin Gardner (@rhynorater) (17:34.227)
You had proxy on?

Dude, that's hilarious. Okay, so we've been dealing with some issues with Frans cutting in and out for this past like 20 minutes. And you know what it was? He left freaking Burp proxy on. So classic hacker mistake here. So I'm not really sure where it cut out, but we'll bring it back around in. Yeah, dude, your Burp file just blew up.

frans (17:51.33)
That's embarrassing. Yeah.

frans (17:58.261)
Rest in peace, BurpState!

Joel Margolis (teknogeek) (18:00.471)
Hehehehe

Justin Gardner (@rhynorater) (18:04.927)
But yeah, okay, so you talked a little bit about the testing methodology where you're thinking about the code structures, you're thinking about things like variable typing. And I will say, when you said typing for the first time, I was like, yeah, man, everybody types when they're hacking. You know, I was like, what the heck are you talking about? Typing is one of our greatest tools. Oh my gosh, that's really funny.

frans (18:05.422)
Oh man, that sucks.

frans (18:22.356)
Ah, okay, yeah, yeah. Yeah.

Joel Margolis (teknogeek) (18:25.09)
I also thought you were talking about typing as well.

frans (18:27.086)
Sorry, sorry. Yeah.

Justin Gardner (@rhynorater) (18:29.451)
But so I guess I wanted to dive a little bit into that. So we've seen the side already, or at least we've talked a little bit about the side of like exploitationist Frans. Once you see a weird issue, you poke at it, you model out the code, you're thinking about how the developer would have implemented it, and you're thinking about how you can validate those assumptions by triggering different edge cases throughout the code base. I'm curious about fleshing a little bit more out about your hack.

hacker methodology because one of the things we've seen in the past with hackers that have come on here is that you have a couple of extremes, right? You have people that are, you know, that go really hard on the recon stuff and you've got people that go really hard on the, you know, on the manual hacking stuff, right? And so there's definitely different types of hackers but I've seen you do

frans (19:18.316)
Mm-hmm. Yeah.

Justin Gardner (@rhynorater) (19:25.247)
do both and I think when you've got someone that can do both it creates a crazy result. But I did want to ask you if you identify a little bit more as one or the other. Do you identify a little bit more as a manual hacker or as a wide hacker focusing on recon to find weird stuff or do you see yourself as a mix of the two?

frans (19:30.97)
Mm.

frans (19:46.874)
So I began mostly, so I think it's a matter of difference in terms of like where I'm at. So I would say I started off of course manual because everybody does that. You need to figure out what to do before you can automate it. I then went into like full on automation. But there was always, like I always had the argument on like, you can't automate if you don't know what you're looking for.

Justin Gardner (@rhynorater) (19:54.986)
Yeah.

Justin Gardner (@rhynorater) (20:01.225)
Yeah.

Justin Gardner (@rhynorater) (20:04.52)
Sure.

Justin Gardner (@rhynorater) (20:07.965)
Yeah.

Justin Gardner (@rhynorater) (20:16.596)
Yeah.

frans (20:16.618)
And if your whole idea is to find something you don't know of, you can't really automate it all. So I was never, I was never a full on automationist, if that's a word. I was more on like, I automated a bunch of things. I knew what I was looking for, but then I always kept this thing where I'm like, I'm going to save it all and I'm going to look through it. Then I'm going to see the oddities myself because I don't know what, what I will find.

Justin Gardner (@rhynorater) (20:27.771)
Yeah. Yeah, yeah, yeah.

Justin Gardner (@rhynorater) (20:42.06)
Sure.

frans (20:45.518)
things will happen much faster than my knowledge about what it is basically. But then it came, I think it happened, I took a break from bug hunting or like break, it was probably like one and a half year or something, like probably during COVID mostly, where I didn't want to do any live hacking events. I wasn't really looking for bugs in any way during almost two years, I think. And when I came back, I kind of realized that.

Justin Gardner (@rhynorater) (21:00.032)
Mmm. Yeah.

Justin Gardner (@rhynorater) (21:10.857)
Yeah.

frans (21:15.698)
similar to I think what other bug hunters that like want to start off realize is that there's so many people that are doing automation that is like ridiculous like seriously like they do things so fast I tend to I spoke a lot about my automation back in the day and I told them like yeah I'm doing like every eight hours I'm looking and they're like every eight hours I'm doing it every 20 minutes and I'm like okay yeah exactly and I'm like

Justin Gardner (@rhynorater) (21:26.408)
Yeah, absolutely.

Justin Gardner (@rhynorater) (21:36.727)
Mm.

every eight seconds, you know, like, yeah.

Joel Margolis (teknogeek) (21:41.314)
Yeah.

frans (21:43.258)
They're like, you're missing out on so many things. I'm like, I can imagine. And I'm like, do I want to invest the time to like speed up my, my automation just for those bugs? And I came to the conclusion that like, no, I don't. I, I rather, I rather spend, you know, manual time trying to figure out really cool bugs than trying to like, like reach to the point where I'm like at level with other automationists.

Justin Gardner (@rhynorater) (21:46.569)
Yeah.

Justin Gardner (@rhynorater) (22:04.128)
Mm.

Justin Gardner (@rhynorater) (22:11.411)
Yeah, no. Yeah, no, I think we're gonna coin that term. Automationist, you know, yeah. And it's actually funny, you know, I actually had that exact same path, you know, except I sort of skipped to the part where I was doing manual hacking in the beginning, like, because there were so many resources by the time I started, you know, when I started, I guess in 2017, 2018, you know, you had already put out talks, you know, people were putting out talks on how to do stuff, so I had a pretty decent flow of like,

frans (22:11.87)
Automationists, I love that word. Like it's an awesome work. It's like art, arts and automationists. Yeah.

Justin Gardner (@rhynorater) (22:40.671)
bug bounty write-ups and stuff like that to read. And then I leveraged into automation. But then I came to the same conclusion you did, which is like, well, maybe a little bit different of one, but essentially in order to compete at this game at the top level, you have to be constantly refactoring your code and it's a grind, right? And it's gonna make it more of a pro, you're gonna become more of a programmer than you are of a hacker because, you know, you're constantly having to refactor code.

frans (22:58.326)
Yeah. Sure.

Justin Gardner (@rhynorater) (23:09.976)
And so I also sort of leveraged a little bit more or switched over into manual hacking a little bit more. And it's been fun to see the results of that as well.

frans (23:18.986)
Yeah, I think like, when I also, when I think about it, like when I mentally think about like, what do I want to like, end up with or like, what do I want to succeed with? It's not that I like, oh, I dream of finding an unclaimed S3 bucket. Like that's, that's really not the bug that I'm like, I will go home and be happy about.

Justin Gardner (@rhynorater) (23:38.235)
Yeah.

Justin Gardner (@rhynorater) (23:42.588)
Exactly.

frans (23:44.822)
The, the bug I will go home, be happy about is the one where I'm like, I did this thing over there and that gave me a little piece of the puzzle. And then I went over there and did that. And now I can access the server. Like with an RCE, like those are the kinds of bugs that I'm like, oh, I'm going to feel so proud and it's like, it's gonna, it's going to hold up for, you know, more than a week, probably sometimes a year that bug has the value of like.

Justin Gardner (@rhynorater) (23:52.779)
Right.

Justin Gardner (@rhynorater) (24:09.032)
Mmm. Yeah.

frans (24:11.474)
And I will not find that by writing automation and finding an unclaimed bucket or a, you know, environment variable file laying somewhere that might be helpful into doing other things. But you know, it's the fun, the fun things happen when, when I go deep. So I absolutely shifted over to like go deep, full on, you know, go. You know, so deep that, that people are like, but move on, man, like stop looking at that thing.

Justin Gardner (@rhynorater) (24:40.504)
Yeah.

Joel Margolis (teknogeek) (24:41.396)
Yeah.

frans (24:41.574)
But I'm like, keep digging and like sometimes there's something falling out from it. And like you realize, you know, and I have all these examples of, you know, running on the private program, but still, you know, grinding it for months and even collaborating with Mattias in this case. And like, we couldn't figure one thing out. And it was like, how does this work? And why is it happening?

Justin Gardner (@rhynorater) (25:02.869)
Mm-mm.

frans (25:11.538)
He was he was at a concert. I think it was I don't know if it was like Iron Maiden or something But he was at a concert and I was writing him messages because we often chat without the other one responding like that's how we communicate like asynchronous very much asynchronous and I was writing to him like okay, but this worked Like I don't know and like it took probably two or three hours and that chat message history is like is a beauty of itself Because it's like this happened. I think this

Justin Gardner (@rhynorater) (25:15.927)
Thank you.

Joel Margolis (teknogeek) (25:16.968)
Yeah.

Justin Gardner (@rhynorater) (25:22.347)
Sure, sure. Async, yeah.

frans (25:40.894)
Oh my God. Oh, like it ended up being like being like total disaster. And, and it was like, you know, ring the bells and it was like one of the most beautiful bugs I've ever seen. And it was just, just that grind of like, we've been having this for, for months, knowing that there's something there, but we couldn't figure it out. And then came to that conclusion. It's like, it's so beautiful. And it's, and it's like, that's the kind of bugs I want to come like.

Justin Gardner (@rhynorater) (25:51.648)
Mmm.

Justin Gardner (@rhynorater) (26:03.071)
Hmm.

frans (26:07.294)
like continue to, you know, bring home or, you know, talk about in the future.

Justin Gardner (@rhynorater) (26:10.679)
Mm, mm.

Joel Margolis (teknogeek) (26:13.374)
Absolutely. I feel like for a long time, there was this, like there was a lot of manual hacking that went on. And then there was like a few years, kind of like right before COVID, like around COVID, and then like during COVID, where like a lot of people realized that there's so much scope and there's so much stuff out there that you can make a lot of money just by doing automation. And like automation isn't a particularly difficult thing. There's a lot of tools out there, stuff like nuclei and all these like frameworks and things that exist that let you kind of just like.

Justin Gardner (@rhynorater) (26:24.311)
Hmm.

frans (26:28.267)
Yes. Yeah.

Justin Gardner (@rhynorater) (26:32.843)
Mm.

frans (26:32.983)
Absolutely.

Justin Gardner (@rhynorater) (26:35.796)
Mm.

Joel Margolis (teknogeek) (26:41.046)
duct tape and bootstrap stuff together and just like build these little pipelines that do like a lot of like really efficient work. And so a lot of people just really like dove headfirst into that and just started like scanning for stuff, finding subdomain takeovers, finding bucket takeovers, finding like, you know, CVEs that you could just like automate into, you know, easily reproducible reports and bugs. And like, that's a, it's almost like a separate bug bounty space, right? Because it's like, you're basically at this point, you're not really like...

Justin Gardner (@rhynorater) (26:51.069)
Mm.

frans (27:05.451)
Absolutely.

Joel Margolis (teknogeek) (27:09.206)
fighting over like complexity of bugs or like how this app like interacts with other parts of the app or how this service or this website might like, you know, be leveraged by another part of the application or another part of the company. It's more just like how fast is your tooling and like how good can you beat the other person? Is your internet better? Is you know, are you are you're scanning faster? You looking at the right things? And I really love this manual hacking.

frans (27:12.31)
Yeah.

frans (27:32.898)
Yes, I agree.

Joel Margolis (teknogeek) (27:36.322)
type of mentality. Like me and Justin have discussed this a little bit because as a full-time hunter I think it's a lot easier to either fall more towards automation or at least towards like less complex findings because you need that cash flow, you need to be having reports going in all the time. But I also like, I love not feeling obligated to have reports in because that gives you that opportunity to do what you're talking about. Like go deep with the application, get intimate as we like to say, and just like really like...

Justin Gardner (@rhynorater) (27:45.946)
Mmm.

Justin Gardner (@rhynorater) (27:50.175)
Yeah.

frans (27:57.414)
Mm. Yeah.

Justin Gardner (@rhynorater) (28:02.667)
Get intimate with the application.

frans (28:03.958)
Absolutely. Yeah.

Joel Margolis (teknogeek) (28:04.086)
learn the ins and outs of this application, become like almost a developer, essentially, at the company, where you understand more about how stuff is going on in the back end than even somebody who works at the company does, because that really gives you all those insights into where stuff is like faltering or where there might be weird mechanisms or the systemic patterns like you talked about, where you realize, oh, this is like a common mistake or pitfall that they made. Maybe they made this here and here and here and so on. And I just love that mentality of just like, you know.

frans (28:12.782)
Yes.

Joel Margolis (teknogeek) (28:32.734)
Ignore the sort of the flash and the glamour and stuff, which is like bug after bug after bug, and find that really, really cool deep shit.

frans (28:35.315)
Yeah. But it.

Yeah. And I agree. I think, I think one of the, so I went full bug hunting mode last, I would say in beginning of September, October, kind of, and, and the decision I made was happening during that summer. And I, because I had those kind of, you know, anxious things also, like, will I be able to like, pay my own salary or like, how, how can I figure out the economics around?

doing this full time. And at that point, I had luck because I did a few bugs on Zoom and they paid me out that summer and they paid really well for those bugs. So at that point I'm like, okay, this is my buffer. So I have a buffer now of like, if I would take like my normal salary, I would last these amount of months.

Okay, so these months I can figure out if I should, you know, go automation or continue doing, because those bugs I found was like no automation, it was just like trying to figure out how everything worked. And I used that time to like figure out first, like where should I hunt? Like what program takes care of me? What program, you know, treats my bugs in a way that I feel appreciated or like they value my time?

And then also like economical wise, like where should I spend my time to like align the return on investment in a way that makes me not stressed, you know, going forward. And when I figured those things out, like where to look, I still trying to figure out like what programs I should focus on, but when I figured out some of it, at least that helped me a lot in into like deciding that going deep was actually, you know,

frans (30:29.835)
monetary wise a good decision for me to like don't be afraid that I won't be able to pay myself a salary basically.

Justin Gardner (@rhynorater) (30:37.811)
Yeah, yeah, I think you definitely see, if you look at the numbers, I think you'll see a higher return on investment of time, right, and a higher hourly rate if you do deep bugs. But the thing with automation is you get to have this, and I experienced this when I was in the automation game, if you take time off, you still get bugs, right? Which is just huge for like relief.

frans (31:00.842)
Yeah, yeah, yeah. Yeah. That's like, yeah. That's true.

Justin Gardner (@rhynorater) (31:05.799)
Right? You know, like, because I don't know what it is for me, but like, even if I have a ton of money sitting in the bank, if I see that trending downward while I'm taking a break, or if I know like, hey, I'm not finding bugs right now, that just bothers me, you know? And it's kind of like a, it's definitely a psychological problem, you know, for sure. But, because I think you should be able to rest in both states, whether you just popped, you know, 100K in bugs and now you take, you know, a couple of weeks off and you've got that 100K sitting in the bank and you're like, all right, I'm fine.

frans (31:14.34)
Mm.

frans (31:19.67)
Yeah, I can imagine, yeah.

Justin Gardner (@rhynorater) (31:35.547)
or whether you've got 20K in the bank and you see it going up and up and up and up with the bugs, you know, those are the same things. But psychologically, it's very different, I think.

Joel Margolis (teknogeek) (31:48.418)
We also have a whole episode about picking the right program. And I think you covered this a little bit, but it's really important, especially when you're doing full-time hacking, to have the right program. Like you mentioned, once you find a program who really respects you as a researcher in your reports and handles the things that you're submitting and takes it very seriously and is responsive and all these types of things, it makes a really big difference to... I almost want to say that it increases the quality of the bugs that you find later on.

Justin Gardner (@rhynorater) (31:58.037)
Yeah.

frans (31:58.198)
Yeah, for sure.

frans (32:10.616)
Yes.

Justin Gardner (@rhynorater) (32:17.092)
Mm.

Joel Margolis (teknogeek) (32:17.27)
because you have this relationship with the company where you wanna show them, hey, I found this really cool thing on your app. Let me show you, let me take it one step further. Let me, I bet you thought that last bug was cool, but how about this one? And it's almost like a challenge. And if you find a company that not only treats you right, but pays correctly, if you have a program, say they pay like 5K crits and their mediums are like 750,

frans (32:29.01)
Yeah, yeah, exactly. 100%. Yes.

Justin Gardner (@rhynorater) (32:29.411)
Mm, mm, yeah.

Joel Margolis (teknogeek) (32:44.286)
a couple of media, like, you know, you're like five mediums, you're almost there, right? And so it's like, if you have automation that's finding a bunch of mediums versus it takes you a week or two to find like a really bad crit, but it's only gonna get paid 5K, then that trade-off isn't always worth it. But if you have a program that's paying like 30K crits, and maybe their mediums are like one or 2K, well, that makes a big difference. And then your time is really, really worth like spending that time finding that critical and not spending it doing automation or like trying to find a subdomain takeover.

Justin Gardner (@rhynorater) (32:45.619)
Yeah.

frans (32:59.07)
No, that's true. Yes. No, that's true.

Justin Gardner (@rhynorater) (33:05.832)
Mm.

Justin Gardner (@rhynorater) (33:12.743)
Yeah, let me jump in here and say, you know, I think we've made it clear enough, but I wanna clarify, we have tremendous respect for people on both sides of the game. You know, and, you know, there's definitely so many challenges of recon and so many challenges of deep diving stuff. So hopefully this has given a little bit of insight into the thought, because I think all of us, Joel more so than me,

frans (33:21.23)
Sure, 100%.

Justin Gardner (@rhynorater) (33:38.655)
but have leveraged a little bit more into the whole finding very high impact bugs with the majority of your time and fronds as well. And so, okay, but we've already been talking for a while and I have two bullet points down on my little list. So let me, let me, let me, let me.

frans (33:43.694)
Yeah.

Joel Margolis (teknogeek) (33:53.902)
Oh yeah.

Justin started the episode, he's like, we got so much to cover for like 30 minutes, we've talked about two topics.

frans (33:57.337)
Okay. Yeah. Okay. Yeah.

Justin Gardner (@rhynorater) (33:59.223)
I'm like, yeah, I'm like super stressed over here because we're not gonna yeah, let me get back to my list. Okay. No. Okay. So I do want to ask a couple things. We'll keep these pretty, pretty rapid fire, I think. So you know, you said you identify more now as sort of a deep dive hacker, which I think is on point. And so, and I think I know the answer to this, because you already alluded to it, but I'm wondering how much time it takes you to

frans (34:03.764)
Yeah. Bam, bam, next, next. That's good. Yeah.

Joel Margolis (teknogeek) (34:07.19)
Ha ha ha!

Justin Gardner (@rhynorater) (34:27.527)
how much time you normally spend on a program on average, and how much time it normally takes you to find some bugs that you're proud of.

frans (34:34.274)
I would say, so I haven't jumped between programs that much since I started with this methodology, but the times I've done it during these two years, I would say, I think, and this is like where the imposter syndrome also hits hard every time. It's because whenever you change or switch program, you basically have these, you know, sometimes for me it can take up to like three days.

Justin Gardner (@rhynorater) (34:39.029)
Yeah.

Justin Gardner (@rhynorater) (34:54.251)
Right.

Justin Gardner (@rhynorater) (35:02.059)
Hmm.

frans (35:02.238)
until I actually find something that I think is relevant or valuable. And I train myself to not... You feel shit during that time. You hate yourself and you think you're a fraud and all these kind of thoughts come up. But at some point you're like, okay, but no, I know this time is there. You need to invest the time.

Justin Gardner (@rhynorater) (35:06.791)
Yeah.

Justin Gardner (@rhynorater) (35:15.247)
Oh yeah, yep, yep.

frans (35:28.742)
And you know, because it's interesting also, because if you compare the first day, you see a bunch of, you know, variable names or like parameter names and like, what, what is this? What is this? I have no idea. I just want to find a bug, like ignore what they are like. And the third day you're like, Oh, I know exactly what that parameter does. And like, what it does. Okay. So that's why, so you need to like spend those three days to like, get that, you know, mindset of like.

Justin Gardner (@rhynorater) (35:37.197)
Mm.

Justin Gardner (@rhynorater) (35:47.241)
Yeah.

frans (35:55.85)
Like the taxonomy, for example, taxonomy is a huge thing. Like what do they call, you know, this kind of object and model? Like as soon as, so I tend to like write down taxonomy for myself just to like understand what is referencing what then at some point, like that's also a really good receipt for, okay, they're calling it a little bit different here. Like they use, they use, you know, a Pascal case over here, but there's snake case over there and like.

Justin Gardner (@rhynorater) (36:02.987)
Yeah.

Justin Gardner (@rhynorater) (36:18.645)
Mmm, yeah.

Justin Gardner (@rhynorater) (36:24.243)
Yeah, yeah.

frans (36:25.026)
Those kind of things is like indicators that there are multiple people doing things here and they've named it differently, like that's an indicator. And those things takes probably like three days to realize that this is an outlier, for example.

Justin Gardner (@rhynorater) (36:39.307)
So let me just highlight that just for the listeners, okay? Do you guys hear the level of depth that he's describing here? He's describing the case of parameters and he's taking notes on the verbiage, the wording, the taxonomy of the various parameters and endpoints and this is the kind of stuff that you would think is getting to.

frans (36:44.846)
Hahaha

Justin Gardner (@rhynorater) (37:08.335)
minute to detailed, but it's totally not. No, because every single thing, every time you go that deep, you get a further and further, a little bit, just a little tiny bit closer to understanding what it's looking like for this whole application. And that little step by step there makes all the difference in the world when it comes to sort of black box texting, when at the end of the day, you're totally, you know.

frans (37:12.319)
No.

frans (37:20.218)
Sure. Yeah.

frans (37:29.482)
Yeah, absolutely.

Justin Gardner (@rhynorater) (37:38.019)
you're totally looking at a black box. You have no idea what you're working with. So I will say as well, the three day number, I'm with you man. Like I, yeah.

frans (37:39.838)
Yeah, absolutely. Yeah. And there's some, there's some good tricks there. There's some good tricks you can. Yeah. I mean, there's some good tricks you can do. Like sometimes I just take the full scope and I, I search for the host in Burp search, and then I copy everything into an XML file, and I have like an unpack, unpack Burp state or unpack Burp list. And then I take the body of the request and then I take all the words I have.

Justin Gardner (@rhynorater) (37:54.592)
Yeah.

Justin Gardner (@rhynorater) (38:05.623)
Sure.

frans (38:09.634)
And then I sort them and make them unique. And then I can see like, okay, there's like intent ID, but there's intent underscore ID. And then suddenly I can like go that way to like find oddities in parameters as well.

Justin Gardner (@rhynorater) (38:24.647)
Yeah, and those are, those, you know, if you've got intent ID snake case and intent underscore ID, you know, those are parameters that were clearly implemented by different developers, right? Or different, you know, lifecycle flows right there, right? And so, you know, there's definitely a good chance that if every single intent uppercase ID is secure, that sometimes the intent underscore ID will not be secure.

frans (38:40.43)
Yes.

Justin Gardner (@rhynorater) (38:54.567)
Right, so having that sort of frameworks in place can really help you understand the app from a holistic perspective. And just take, you know, also I just wanna shout out that ability to take notes to, or not necessarily take notes, but like to process the data that you've got there. Exporting to Burp, taking the time to write the XML unpacked script, which is something I've never done by the way because it's just such a pain in the ass. Yeah, that would be great.

frans (39:19.242)
I can share it. I can share it. It's awesome.

Justin Gardner (@rhynorater) (39:24.259)
is something that will differentiate you from other hackers. You don't even have to know that it's the right thing to do. So many people are like, man, should I spend my time doing this? Doesn't matter. It's gonna make you unique as a hacker. Let's say you do that, nothing comes of it. You still saw more of the application than someone else who hasn't done that. You looked at those parameters a little bit differently because you unpacked everything. So it's the things that make us unique hackers like that really allow

different people to find different crazy bugs.

frans (39:53.814)
Yeah, yeah, absolutely.

Joel Margolis (teknogeek) (39:54.678)
Yeah, I also think that there's like a whole aspect, like the whole becoming almost like a developer within that environment, where if you learn the terminology and you learn what things mean, so many developers use abbreviations and stuff to like represent things. Like they might take something that represents some system, right? And they might abbreviate it as three characters and just start using that as an acronym, like throughout their application, throughout different like, you know, endpoints or parameter calls and stuff.

Justin Gardner (@rhynorater) (40:00.874)
Mm.

Justin Gardner (@rhynorater) (40:08.037)
Unh.

Justin Gardner (@rhynorater) (40:18.176)
Yeah.

Joel Margolis (teknogeek) (40:23.818)
A lot of times I'll look at something like that and I'll say like, what, like, what is, what is this? Like, what is this? These three letters, what is this supposed to mean? Like, what, what does this represent to the developer? And once you identify at a lower level, like what does this actually mean? What are they referencing when they're saying, you know, these three characters or whatever, you can really start to unpack hidden functionality. And this type of stuff that may even exist that, you know, you'll start to stretch to different ideas, like, oh, maybe if they're calling.

frans (40:44.505)
Yes.

frans (40:50.074)
for sure.

Joel Margolis (teknogeek) (40:52.074)
an endpoint with a different three-letter acronym. Maybe I can toss my three-letter acronym and then I know what this means. Maybe I can hit a different service or something, right? And I think getting to that level of just being like, what does that mean? Or what is this parameter doing? Or what does this represent? Can let you get that much deeper understanding and be able to dive deeper within the application so much easier.

Justin Gardner (@rhynorater) (40:56.788)
Mmm.

frans (40:57.27)
Yeah, sure.

frans (41:10.778)
For sure. Yeah.

Justin Gardner (@rhynorater) (41:11.423)
Hmm. Yeah. 100%. Um, so let me, let me ask this then. Um, I, I have seen, I'm thinking specifically at the last live hack event we were both at when we were sitting at this table and we were like slamming our heads into a wall, um, on this one specific bug for a while. Um, how, how often do you find yourself sitting in front of a request and trying things sort of incessantly versus sitting back?

frans (41:22.65)
It's-

frans (41:38.38)
Mm-mm.

Justin Gardner (@rhynorater) (41:40.539)
staring at the ceiling and thinking about the bug. Like, and I know that this is kind of a hard question because it's very, you know, abstract, but just give me your gut feelings on how much time you spend actually hands-on iterating versus just sort of thinking and ideating.

frans (41:58.594)
Yeah, so I have a bunch of things I tend to do when I get to the point where I can't figure it out. Like it's all everything from, you know, collecting my own kind of word list from that asset, just to like find, you know, things in there that like can make me understand what this is, up to the point where, as you said, like I take a walk and I'm like thinking about it and like how...

Justin Gardner (@rhynorater) (42:06.932)
Yeah.

Justin Gardner (@rhynorater) (42:11.56)
Yeah.

Justin Gardner (@rhynorater) (42:19.041)
Sure.

frans (42:28.054)
Why does it behave like it does or what is it trying to, you know, what data is it trying to fetch or, or similar. So sometimes I would say both work sometimes, you know, complete brute together with very context related information. Like for example, generic word lists for me is not really helping that much. I wouldn't say that, you know, word lists found on, you know, a really large word list works that well.

Justin Gardner (@rhynorater) (42:45.337)
Mm. Yeah.

frans (42:57.118)
I would, the ones that work are, are when, when you can like apply the context to what you're actually looking at. That's when you're getting the nice, nice hits. And, and, but, but in, in the other aspect also is like, sometimes you just need to think about it and you know, Google error messages is like an awesome thing as well. As soon as you see an error message that is like, this is not a generic error message. Like then you can start digging down, like maybe it's this and maybe.

Justin Gardner (@rhynorater) (43:03.624)
Yeah.

Justin Gardner (@rhynorater) (43:15.819)
Sure. Yeah.

frans (43:25.058)
This is the database I'm injecting into or whatever.

Justin Gardner (@rhynorater) (43:27.931)
Yeah, or even maybe an error message that kind of looks like a generic error message, but is worded specifically, you know Yeah

frans (43:32.246)
But it's not, yes. Or it has a format that is very different from. Also, if error messages look the same on a target, and suddenly one error message doesn't, that is also like, okay, all the other ones have square brackets around the error code, but this one does not. Those could be also indicators that, okay, there's another thing causing this error message.

Justin Gardner (@rhynorater) (43:57.831)
Yeah, no, absolutely.

Joel Margolis (teknogeek) (43:59.054)
Absolutely. I think one of the really underutilized things is Googling stuff with quotes around it. This is something I use all the time. It's just like if I see an error, if you Google something with quotes around it, it does the exact, yeah, exactly. We did that at the last event, the thing that we're talking about right now, we're just like, what is this? What is this system? What is this using? What is this technology? And just search the error message and immediately there's 100 Google results all mentioning the same exact thing and you're like, oh, okay, it's that.

frans (44:04.21)
Yeah, yeah, absolutely. 100%. Absolutely. Yeah. And minus this minus that. Yeah.

Justin Gardner (@rhynorater) (44:04.235)
Yeah, yeah.

Pro Tips.

Justin Gardner (@rhynorater) (44:12.411)
Yeah.

Justin Gardner (@rhynorater) (44:15.829)
Yeah.

frans (44:17.018)
Yeah.

frans (44:22.68)
Yes.

frans (44:26.743)
Yeah, okay, that's it.

Justin Gardner (@rhynorater) (44:27.423)
Yeah, so last question about the hacker methodology piece. So it seems like you spend a good amount of time on your targets. Give me just sort of like a gut feeling on like how much time you spend on the average target.

frans (44:46.303)
I would say three days is an investment first. You might not get anything from it. So I've done these short assessments kind of thing where I'm like, okay, I'm going to focus on this program. And what has happened for me is like one and a half week is a time for me where I know I'm going to find something good. I don't know how bad it will be, but I know I will find something that will be good. So

Justin Gardner (@rhynorater) (44:51.829)
Yeah.

Justin Gardner (@rhynorater) (44:55.658)
Yeah.

Justin Gardner (@rhynorater) (45:01.066)
Yeah.

Justin Gardner (@rhynorater) (45:06.983)
Yes, yeah. Yeah.

frans (45:12.454)
One and a half week has been a really good way for me, but also like you have kids. So it's like, you don't know where you're going to spend that one and a half week. Are you going to spend it on the night? Are you going to spend it, you know, in the office times or are you going to spend it like at all? Like there could be, you know, and often like when you submit, you know, a bunch of bugs at the same time, or like in the, in the matter of, of days, you always have this triage, you know.

Justin Gardner (@rhynorater) (45:18.495)
Right.

Justin Gardner (@rhynorater) (45:26.239)
Sure.

Hehehehehehe

Joel Margolis (teknogeek) (45:30.155)
haha

frans (45:42.642)
Massage, that is, like it can be, especially like my reports are like sometimes two to four thousand words. My, my reports are insane, man. Like they are, they are, my blog posts are sometimes small compared to my blog, like, and I'm writing them manually. It's not like copy pasting a boilerplate of like how it's actually, like step-by-step showing, you know, sometimes I'm showing even how I came to the

Justin Gardner (@rhynorater) (45:43.579)
Yeah.

Justin Gardner (@rhynorater) (45:55.019)
Holy moly.

Justin Gardner (@rhynorater) (46:01.089)
Oh my gosh.

frans (46:12.842)
conclusion that there's a bug and I have like a very long impact explanation and you know, everything is like typed from the frontal cortex or like, I don't know. But then you have, so that half week afterwards is like triage massage basically. Just to get it through. Yeah, it's...

Justin Gardner (@rhynorater) (46:15.223)
Sure.

Justin Gardner (@rhynorater) (46:24.327)
Yeah, right. 100%. Yeah.

Joel Margolis (teknogeek) (46:26.754)
That's so true.

Justin Gardner (@rhynorater) (46:34.003)
Mm, yeah, yeah.

Joel Margolis (teknogeek) (46:35.21)
Yeah. There's always that like getting through. Yeah. You get it through. They find out it's not a dupe and then it's another week of yes, this is how you reproduce it. Have you tried this?

frans (46:43.391)
Yeah. But that's a good side effect also of going deep into a program. Like live hacking events are an exception to the rule, but I haven't duped once in this full time since August last year. Except for live hacking events. Except for live hacking events. Absolutely. Yeah, yeah, yeah. Yes. Oh yeah. Yeah, you got duped.

Justin Gardner (@rhynorater) (46:52.341)
Yeah.

Justin Gardner (@rhynorater) (47:01.291)
But you've duped me, you stupid fricker, on Whole Foods. I was like, and we'll bleep that if we need to. So let's say, for example, that program, right? That was a challenge. And so how long would you spend on something like that?

frans (47:18.746)
That one I spent... To be honest, that one was new for me, so I didn't know what to expect. So I submitted that bug only. And it was two hours or something. I mean, I didn't spend shit on that. But the funny thing was that it was... I think it was very valuable for me not to spend more time, because I had a hunch that they might not be as, you know, receptive to the report as I thought.

Justin Gardner (@rhynorater) (47:24.693)
Yeah.

Justin Gardner (@rhynorater) (47:28.207)
And of course, that was the one.

Justin Gardner (@rhynorater) (47:32.599)
Everything.

Justin Gardner (@rhynorater) (47:41.907)
receptive to that vulnerability type.

frans (47:45.378)
So in that sense, I think I did a good investment not to spend more time. And that's also a thing where you like, especially when it comes to new programs, I'm like very, very restrictive on like, like the worst thing you can do is like, you spend much time, you find a really bad bug and then you continue and you submit bugs and you have no response yet. And you're like investing so much time and then suddenly they respond and they don't treat you in a good way. And you're like, why did I?

Justin Gardner (@rhynorater) (47:49.834)
Yeah.

Justin Gardner (@rhynorater) (48:05.931)
Hmm.

Justin Gardner (@rhynorater) (48:11.827)
Yeah.

frans (48:14.786)
continue. And I've heard that before from other people in the in the in the podcast also is like, do don't invest too much in the beginning, like you won't you won't gain anything from submitting, you know, 50 bugs in the beginning, you're only gambling with your own time, like don't do that. You can gamble with that time when you know, the receiver and you know what to expect from them. That's that's when you

Justin Gardner (@rhynorater) (48:15.795)
Yeah, you spoke really wisely.

Justin Gardner (@rhynorater) (48:25.623)
Mmm.

Justin Gardner (@rhynorater) (48:32.808)
Absolutely. Yeah.

Justin Gardner (@rhynorater) (48:39.487)
You have to validate the program and validate your threat model. Because on one hand, you know, you could be, it could be the program just being shit, right? That's one possibility. You know, they could just be a bad program.

frans (48:44.023)
Yes.

frans (48:50.87)
Yeah, or you have misaligned your exe exactly what they think is a threat or not. Yeah

Justin Gardner (@rhynorater) (48:54.307)
Exactly. Or you could have misaligned your threat model. And that's not anybody's fault, except maybe one could argue that the team should have provided more insight into their threat model in their policy, which I would love to see more of in general. But like you said, it's a gamble if you're not validating that threat model in advance, because it's very easy for issues to come out of

frans (49:07.098)
Sure. Yeah.

Justin Gardner (@rhynorater) (49:24.175)
All right, first section of my notes are done here. So here's where I'm thinking we're gonna go from here, okay? I have compiled together, let's see, one, two, three, four, five, six articles, some of the best hacking articles I've ever read.

frans (49:29.13)
Yes! Awesome.

Justin Gardner (@rhynorater) (49:49.679)
written by Frans over the years, starting in 2017, spanning all the way up to, I think, 2022 or 2023, the latest one. And I just want to kind of walk through these and talk about mentality. I want to talk about the technical details of them. So I hope you reviewed them, because I don't know about you, but if I, if I wrote something, you know, six months ago and then somebody asked me about it, you know, six months later, then I'm screwed because I don't remember anything. But we'll see.

frans (49:50.094)
Thank you. Wow.

frans (50:03.42)
Sure. Yeah.

frans (50:11.773)
Yeah, yeah, we'll see.

Justin Gardner (@rhynorater) (50:17.967)
Okay, so the first one, and I will link all these in the description as well, I would, it's not even something that I would recommend. It is mandatory reading for any listener of critical thinking to go and read all of these. So please keep that in mind. The first one that I wanted to talk about was this whole AWS S3 thing. So if any, you know, for the listeners here.

S3 bucket takeovers and S3 bucket issues now are one, it's one of the most hottest, it's one of the hottest topics in cloud security. And all of this originates with this man right here, Franz, who sort of coined the S3 bucket, yeah, the S3 bucket takeover. And so I wanna kinda flash back to 2017 here.

frans (50:53.946)
Thanks for watching!

frans (50:58.277)
Thanks for the credit.

Justin Gardner (@rhynorater) (51:07.099)
You're seeing this new technology sort of coming on the scene and you're seeing it implemented in lots of different places on all these different programs. How do you, how do you identify this issue of S3 buckets? Yeah. Wow.

frans (51:19.514)
So it was actually earlier, it was actually 2014. The first blog post about it was in 2014, October I think. And back then, it was basically, every time you saw a 404, you just like moved on because it's like nothing is there, right? So I think we came to the conclusion, I think it was...

Justin Gardner (@rhynorater) (51:26.204)
Okay. Yeah.

Justin Gardner (@rhynorater) (51:35.869)
Yeah, exactly.

frans (51:45.858)
both S3 and there was something else that was also like, I think Heroku was, and GitHub, GitHub Pages was one of those. So I think we just came to the realization because we were looking at, like Detectify was getting built at the same time. And a lot of things we were doing was around, finding subdomains and trying to identify what they were running. And at some point, I think we figured out that like, okay, so,

Justin Gardner (@rhynorater) (51:51.623)
Yeah. Yep.

frans (52:16.186)
We started signing up on these, I think it was Shopify as well, like these SaaS services, and suddenly realized that you could just like, there was no verification at all. We were under the assumption in the beginning that you need to validate that you own the domain because that's how you do everything else when it comes to Gmail or when you want to run Gmail, for example.

Justin Gardner (@rhynorater) (52:20.275)
Providers, yeah.

Justin Gardner (@rhynorater) (52:33.908)
Sure.

frans (52:42.238)
and realized that, okay, nobody's actually doing this because it's like a convenience thing to, to like not to use that validation part. And we started reaching out to all these companies and writing like, okay, somebody can just hijack all these, these companies, because they're pointing to you. And some of these, some of the providers were just like, yeah, but they're not our customer anymore. So why?

Justin Gardner (@rhynorater) (52:47.039)
Yeah.

Justin Gardner (@rhynorater) (53:05.975)
Yes! Oh my gosh.

frans (53:06.91)
Like, like reading between the lines, that was what they were saying. Like it's not our fault that, you know, they're not paying us anymore. Or, you know, uh, so exactly, exactly. Yeah. Go for it. No, but so, so I think, and, and a lot of them were like, we already know about this, this is no, no big deal. And, and we were, we were screaming loud, like, please do something about it. Like add the validation do, you know,

Justin Gardner (@rhynorater) (53:15.691)
You mean somebody's gonna have to pay us to hack them? I like that. To hack someone that's not our customer? Yeah.

Joel Margolis (teknogeek) (53:18.51)
Hehehehehehe

Justin Gardner (@rhynorater) (53:28.423)
Yeah, sure.

Ha ha.

frans (53:35.722)
whatever, like something you need to do something. And, and when everybody responded, like not a single company responded with like, yeah, you're right. We, we realized like, we need to get it, get it out there. And then it was just a matter of like, how many more are there? And I think the first blog post we had, we had like 14, maybe providers, like big providers that we decided to, to announce. Uh, but at the same time, there were, you know, a huge amount.

Justin Gardner (@rhynorater) (53:45.404)
Oh my gosh.

Justin Gardner (@rhynorater) (53:58.162)
Yeah.

frans (54:04.974)
popping up since then of course, still popping up to this day. And S3 is one of those that keeps on lingering. I know that there are some changes happening. Like you can't change S3, but you can do implementations above it that are safe. So there's something called S3 Access Points, which is their addition to it. And access points...

Justin Gardner (@rhynorater) (54:24.713)
Mmm.

Mm, yeah.

frans (54:31.106)
always get like a unique hash in it, so you can't reclaim an access point. So that's AWS's solution to the problem, to make access points the way to actually access a bucket. But yeah, I think one of the big challenges in the beginning also when it comes to S3 was to figure out what the bucket name was. It wasn't always clear, even though you have it in the error message, it wasn't always clear

what the bucket was. And especially sometimes you do want to know the bucket name even if it exists, and I think that was the whole idea with the bucket disclose: to figure out what the bucket was named, because if you knew what the bucket was named you can make additional API calls on the side to that bucket to see access level errors and stuff.

Justin Gardner (@rhynorater) (55:09.663)
Mmm.

Justin Gardner (@rhynorater) (55:21.031)
Yeah, that's such an amazing little script there. And we'll link it down below. Yeah, we'll link it down below. And it does still work to allow you to identify what the name of a bucket is. And there's lots of really cool error-based stuff you can do with that too, where you're creating invalid signed URLs that fail in such a specific way that it leaks the bucket name. So cool.

frans (55:24.47)
Yeah, yeah, still works. Yeah.

frans (55:35.734)
Yes. Yeah.

frans (55:41.93)
Yes. We have the same one. Me and Mattias built the same one in the beginning of this year for Google Cloud Storage. So we have seven decloaking methods for Cloud Storage. And it's kind of helpful in Cloud Storage as well, because sometimes you really want to know the name, and it's very important depending on what your setup looks like. So...

Joel Margolis (teknogeek) (55:44.758)
Yeah, I love this.

Justin Gardner (@rhynorater) (55:51.516)
Nice, yeah.

Joel Margolis (teknogeek) (56:00.098)
That's awesome.

Justin Gardner (@rhynorater) (56:04.416)
Yeah.

frans (56:08.626)
I think I will talk with Mattias to get it out as well. I think it's very fun to have.

Joel Margolis (teknogeek) (56:14.734)
That's awesome. De-cloaking. I love that terminology because I think this applies to more than just S3 buckets. It's very similar to origin server detection where if you're trying to bypass a WAF, for example, if you find what the origin server is, is there a way to talk to the origin server directly and mimic as if your requests are going through the WAF, then oftentimes you can just bypass the WAF directly. It's very similar to S3 where you might have some subdomain that maybe it's talking to a backend service instead of actually just being a CNAME.

frans (56:17.995)
Yes, me too.

frans (56:24.306)
Yeah, for sure. Yes.

Justin Gardner (@rhynorater) (56:24.844)
Mm-hmm.

frans (56:41.699)
Yes.

Joel Margolis (teknogeek) (56:44.406)
to the bucket directly and if you can figure out some way to error it or get it to basically oracle what the bucket is, then you can maybe read some data that you shouldn't have access to, maybe you can list the bucket, maybe you can do whatever, it really depends on the context, but I love that methodology.

frans (56:54.743)
Absolutely.

Justin Gardner (@rhynorater) (56:58.003)
Yeah. The decloaking is applicable in so many aspects, like you mentioned as well, like with a reverse proxy or an origin structure. You know, if you can leak that backend URL, there's a decent chance that you might be able to use that in a vhost, you know, somewhere else at a load balancer level and hit that backend server directly and just bypass all of the middleware authentication that they've got in place. So we've seen that time and time again, and it's an awesome technique. And that's another one of the things that kind of comes out of

frans (56:58.423)
Yes.

frans (57:11.832)
Absolutely.

frans (57:18.859)
Yes.

Justin Gardner (@rhynorater) (57:26.175)
the security research is the impact, the conceptual impact is very wide reaching. It's applicable to lots of different areas, which is really cool. So there's lots of other stuff you can dive into with this blog post that we'll link. And actually I didn't even have the one, I'm looking back now because you said there's one in 2014, and then there's also another one which I missed in 2016, where you're talking about CloudFront stuff.

frans (57:52.122)
Oh yeah, that was fun. Yeah, that was good memories.

Justin Gardner (@rhynorater) (57:56.738)
And the trailing dot, dude, like...

frans (57:58.538)
Yeah, oh, yeah. There was a bug, there was a bug like in a live hacking event, right? Just like two years ago or something that one of the bugs, the best bugs in that live hacking event was a trailing dot. So it still happened.

Joel Margolis (teknogeek) (58:00.924)
That's a throwback.

Justin Gardner (@rhynorater) (58:11.283)
Yeah, so for those of you, excuse me, for those of you that don't know about that, actually, you know, Franz, why don't you tell them a little bit about trailing dot and what that does conceptually?

frans (58:19.81)
Sure. Yeah. So I think the blog post mentioned specifically CloudFront. So what happened with CloudFront was that when you went to, in this case, it was like PayPal.com, it wasn't PayPal.com. I think it was car.com. So you went to car.com and you would be served a page through Cloudflare. But the whole idea with like how the internet works or like the web works was that

Justin Gardner (@rhynorater) (58:32.767)
Sure.

frans (58:47.49)
You can always add a trailing dot to a domain. CloudFront. CloudFront, yeah. You can always add like a trailing dot to a domain because that's the, it's called like FQDN, like a fully qualified domain name. It's actually ending with a dot. They've just removed it for like, I think for like simplicity or something. So a trailing dot should always, you know, serve similar things or just give an error or whatever. And in CloudFront, it gave an error, but it gave the error.

Justin Gardner (@rhynorater) (58:48.319)
Now was this Cloudflare or CloudFront? CloudFront, okay, yes, yeah.

Justin Gardner (@rhynorater) (58:56.309)
Yeah.

Justin Gardner (@rhynorater) (59:01.918)
Mm.

Justin Gardner (@rhynorater) (59:06.538)
Yeah.

frans (59:16.686)
that looked like nobody has claimed that domain. So I went into CloudFront. Now you can't do this anymore because CloudFront wants you to validate that you own the domain, but back then you could just add it as a CNAME to your CloudFront and it had like a client side validation. So you couldn't add a trailing dot. It would say you can't, but if you'd like capture the proxy, if you take the like, it was like a gRPC request and you modify that little thing in the request with a dot.

Justin Gardner (@rhynorater) (59:20.268)
Mmm.

Justin Gardner (@rhynorater) (59:41.815)
Mmm.

frans (59:44.994)
You would add that to your, to your own host and then you could serve whatever you want on the, on the trailing dot. And the funny thing was that CloudFront has cookie logging, so it will log your cookies also, and cookies are working both on the FQDN and the regular domain. So if you had cookies signed into PayPal or car.com and then went to "car.com." you would, I would get your cookies. Um, and I started getting those logs and I saw like.

Justin Gardner (@rhynorater) (01:00:03.239)
Holy crap.

frans (01:00:13.154)
people were clicking on emails. And then I realized why are they getting this from clicking on emails? Because they write, please, hello, my dear friend, go to car.com dot. And then the dot would be included in the link because I mean, it's a link, right? So that was the reason why so many came to the dot domain because it was like in the end of a sentence.

Justin Gardner (@rhynorater) (01:00:18.833)
Ah, period.

Justin Gardner (@rhynorater) (01:00:35.191)
Dude. Wow, so this doesn't even really require user interaction at that point, because people are just going to that domain natively. Wow, dude.

frans (01:00:42.73)
Yeah, yeah. Yeah, yeah, absolutely. Yeah. So that was, that was the scary part. And, and it was a long process from that part. Like PayPal obviously fixed it by, by reclaiming it themselves. But then it was a long discussion with AWS also getting them to like, you know, you need to normalize this. And so they also treated this as a, as a bug themselves.

Justin Gardner (@rhynorater) (01:00:54.517)
Yeah.

Joel Margolis (teknogeek) (01:01:05.998)
Do you feel like a lot of the bugs that you found have led to those sweeping sort of AWS changes? Like, uh, the, yeah.

Justin Gardner (@rhynorater) (01:01:11.274)
Hahaha

frans (01:01:11.346)
Yeah, yes, I do. Like one of the, one of the, one of the things that I talked a lot on, I had an OWASP event talking about the DNS and Route 53. Uh, and, and suddenly they took a, took a couple of years, but they fixed it. And that is one of the most impressive patches I've ever seen. Like I have no, I like, I dream of the day.

Justin Gardner (@rhynorater) (01:01:22.196)
Mmm.

frans (01:01:37.974)
somebody tells me how that mitigation was done. It's like, seriously, like it's impressive as hell. Like they do something out of the box thinking there, to be honest.

Justin Gardner (@rhynorater) (01:01:42.9)
Yeah.

Yeah.

Justin Gardner (@rhynorater) (01:01:51.559)
They really do and I've tried, me and Shubs and plenty of other hackers have spent so much time trying to bypass that mitigation. Because if you can, there's a treasure trove of bugs there, being able to reclaim these domains. But yeah, dude, that was a sad day for me, man, whenever they fixed that bug, because that was my cash cow when I was in recon automation.

Joel Margolis (teknogeek) (01:01:56.161)
Yeah.

frans (01:01:57.686)
Yes. Yeah.

For sure.

frans (01:02:11.334)
Yeah. But there you see automation also has these, you know, oh shit, now the curve going down, right? It happens in automation as well. It, I think it punches you harder when those things happen in automation. I forgot to say that, but when automation gets, when something happens with your automation and goes like that, that's a panic you don't want to end up with. Like that panic is worse.

Justin Gardner (@rhynorater) (01:02:21.729)
Exactly. Especially, yeah.

Justin Gardner (@rhynorater) (01:02:36.768)
Yeah.

frans (01:02:38.898)
worse than having a vacation and you see it go down. So... Yes.

Justin Gardner (@rhynorater) (01:02:41.939)
Absolutely, 100%, especially when you've dumped so much time into a technique. I spent weeks, months of actual time, hands on the keyboard time, refining my Route 53 flow. And just to be clear, Route 53 takeovers are still possible in some capacity. But it's... Yeah, yeah. And so...

frans (01:03:00.202)
Yeah, very limited compared to before.

Joel Margolis (teknogeek) (01:03:02.678)
Very, very limited.

Justin Gardner (@rhynorater) (01:03:05.855)
definitely changed a lot and that was the day the music died for me. That was the day that I was like, you know what, I think I'm done with this shit. And so, yeah. Alright, so man, I missed so many articles. You know, when I was just going back, I just kind of cherry picked some of my friends' favorite moments, but now I'm starting to remember.

frans (01:03:13.447)
Yeah.

frans (01:03:22.846)
No worries. You know why I post things? Because the bugs turn boring after a while, right? So this is my outlet to eliminate me from looking at them anymore because I hope that someone else will look for them. That sounds pretty cocky, but it's my way of moving forward. If I out myself in a way that...

Justin Gardner (@rhynorater) (01:03:30.012)
Yeah, yeah.

Justin Gardner (@rhynorater) (01:03:38.228)
Yeah.

Joel Margolis (teknogeek) (01:03:38.843)
I was going to ask if you take notes, but...

frans (01:03:50.378)
like my secret tricks, if I just get them out there, I can move on in finding new things. It pushes me forward.

Justin Gardner (@rhynorater) (01:03:55.603)
Yeah, that's amazing for the community too. What a benefit. And friends, can I ask, I mean, do you like writing in particular? Like, would you say that you enjoy writing?

frans (01:04:07.55)
Yeah, I think, I think it's a necessity almost since I spend so much time on like writing reports. However, like it's hard for me to like sit down and say, no, I'm going to skip hacking and now I'm going to write the, you know, a blog post about something because. What often happens is like, I'm not writing a short little blog post of what I did yesterday. It's like, it's going to be like a huge article and I need like, I have one here.

Justin Gardner (@rhynorater) (01:04:13.224)
Yeah.

Justin Gardner (@rhynorater) (01:04:27.978)
No.

frans (01:04:35.67)
That I'm still cooking on. It's been cooking since January, and I know for a fact that I, like, I can't start, you know, directly going at it. I need, I need to explain a lot of shit before I can come to the, to the conclusion of what I found. And it's gonna take, it's gonna take a week, two weeks maybe, and it's gonna be painful. Like a lot, a big part of writing blog posts for me is like painful, painful, you know, going back and realizing how hard everything was or

Justin Gardner (@rhynorater) (01:04:54.741)
Yeah.

Justin Gardner (@rhynorater) (01:05:04.329)
Yeah.

frans (01:05:04.526)
how long it took and like, I really want to emphasize that also in the latest blog post I have, it's like, it's a big focus on how much pain goes into like, spending that time.

Justin Gardner (@rhynorater) (01:05:13.473)
Yeah.

And it's great that you mentioned that because I will, and I'm not sure if you're talking, because you mentioned just a second ago, you had a blog post you were working on, I think yesterday, so I'm very interested to pick your brain on that. But I'm talking about the account hijacking using dirty dancing one. One of my notes for that one, and it's on the list that we'll talk about later, but that blog post is so beautiful because it talks about the ups and downs of doing security research, right?

frans (01:05:42.506)
Yeah.

Justin Gardner (@rhynorater) (01:05:43.783)
And it talks about this whole concept of, well, these gadgets needed to leak these tokens and stuff like that. The stars have to align in so many ways for these to be there. And when you go out there and you're like, man, I feel like this might be a systemic issue. You're challenging something and you're betting against the odds there and you're really putting yourself out there by spending a shit ton of time to assess so many different things. And I think it was great that you represented it that way in the article.

frans (01:05:53.498)
Sure, absolutely.

frans (01:06:07.518)
Yes. Yeah. I mean, yeah. And I think not to not to destroy the discussion later about it, but I one big thing with that, the whole the whole idea about like my whole theory was not based on finding that bug. Like I had zero bugs such for such a long time during that. I didn't even have one, you know, I had zero bugs. I just had a theory that

Justin Gardner (@rhynorater) (01:06:26.567)
Yeah. No way! Wow.

frans (01:06:35.706)
Oh, this would be so beautiful if, if you could get this working. Like I had a discussion in the office here. I came here and like, yeah, I'm, I'm having a, like a theory I'm working on, but I don't know if it's going to work. Like this is my idea. And if this works, then maybe like crazy. Right. And then, and then like, I had nothing. So, so that was, it was such a gamble. It was, it was a hundred percent the gamble on like, let's then go look for it. Like how, like I had no idea how to do it. So.

That was very painful also in the way of like, oh, I'm really trying to, as you said, like getting the stars to align. But then suddenly like one of my favorite programs turned out to have that thing. That was the trigger that, okay, I'm right. Like there is something here. Can I come up with other gadgets or whatever? So everything came out of ideas, not from like real life.

Justin Gardner (@rhynorater) (01:07:13.666)
Mmm.

Justin Gardner (@rhynorater) (01:07:18.932)
Mmm.

Justin Gardner (@rhynorater) (01:07:24.021)
Hmm.

frans (01:07:35.138)
That was the big difference with that blog post. All other blog posts are based on reality first, and then I'm moving backwards, trying to like see a systemic issue about it. This was a hundred percent idea trying to squeeze it in like very fitted into 10 years since the blog post I learned from, like everything was aligned. Like, can I, can I write a good OAuth blog post 10 years after my idols wrote one? That would be, that would be so.

Justin Gardner (@rhynorater) (01:07:59.659)
Wow.

Justin Gardner (@rhynorater) (01:08:02.975)
Wow.

frans (01:08:04.818)
It was very much like, I really need to find a way for this to work.

Justin Gardner (@rhynorater) (01:08:09.736)
Hmm.

Joel Margolis (teknogeek) (01:08:10.154)
Yeah. So when you're like approaching stuff, like we've talked a little bit about this of sort of like the really out of the box type of thinking versus the like more like data driven context driven developer driven type of methodology, do you, do you like going down that route of more just like maybe this is happening or do you find that it doesn't really pay off most of the time?

frans (01:08:31.534)
So it doesn't pay off a lot of the times. So I mentioned the Google Cloud Storage decloak. Like that was the whole idea with that research, to find systemic issues around that. Like we found some of them, but they weren't, you know, I wouldn't say you could execute them in bug bounty programs. You could maybe execute them, you know, if you want to report things to Google. But, but.

For Google, in Google's aspect, they wouldn't be like really bad bugs. They would be like coincidental misconfigurations together with like all the, you know, like all the configurations for Google, but also for the customer using them and stuff. But so that turned out to be like, we don't really have anything. We have a decloak tool. Maybe that could be fun to blog about. Maybe we can do like a decloak blog post talking about the ways we found these decloaking mechanisms.

And maybe that could be interesting. Like now I'm, like now I'm forcing myself to write these, but it would be weird talking about the blog post that I, I'm with Rick.

Justin Gardner (@rhynorater) (01:09:35.931)
Yeah, so do you, I mean, you mentioned before one motivation for writing the blog posts is, you know, it gets it out of your head and allows you to move on to something different. So I think that's a really great takeaway. I wanted to ask about because you're releasing all of these on Detectify, you know, on the Detectify blog. And so is that an intentional decision? Is that to help, you know, Detectify build brand recognition? Because let me just provide some context from my perspective as a hacker.

frans (01:09:45.131)
Yes.

frans (01:10:03.19)
Yeah. Mm.

Justin Gardner (@rhynorater) (01:10:07.423)
I don't use Detectify, I'm not an organization where I could use Detectify. But my respect for Detectify is very high because of all this super high quality research. Same sort of thing you see with Assetnote, where they're constantly putting out high quality research. So besides the motivation of getting it out of your head, what are some other motivations that you have for doing the blog posts and hosting them on Detectify?

frans (01:10:14.498)
Yeah.

frans (01:10:34.674)
I think one important aspect is like, I've been a part of it for so long. So it's important for me to like, I respect the whole team so much that I want to show them that it's like very important part of who I am and where I'm at. As well as like, sometimes I actually, like me and Fredrik sometimes collaborate on blog posts and he's, you know, working here from day to day as well. So I think.

Justin Gardner (@rhynorater) (01:10:46.312)
Yeah.

Justin Gardner (@rhynorater) (01:10:50.891)
Yeah.

frans (01:11:03.73)
It's like this office for me is a very good way of doing, you know, what's it called? Like brainstorming and things like trying to figure out things. So most often I tend to present to them first what I'm thinking about. And then because of the knowledge here, I can get like feedback on like, maybe you should do this. Maybe you should do that. Or maybe you should call it dirty dancing, which was like, it was like.

Justin Gardner (@rhynorater) (01:11:13.48)
Mmm, yeah.

Justin Gardner (@rhynorater) (01:11:22.231)
Sure.

Justin Gardner (@rhynorater) (01:11:30.963)
Yeah, yeah, that's great.

frans (01:11:32.894)
Emily in the office, like you should call it. It's like, sounds like dirty dancing to me. Like, yeah, that's, that's a, that's a good name. So I think it's very helpful having a context nearby where, where a lot of people know exactly what you're talking about and, and you know, the technology. So I think that's, that's very helpful. Also, like, I'm, I'm obviously still a part of the text by not, not that I'm writing any code and I shouldn't, but, but it's, and I think also like.

Joel Margolis (teknogeek) (01:11:33.214)
Mm-hmm

Justin Gardner (@rhynorater) (01:11:37.268)
Yeah, that's great.

Justin Gardner (@rhynorater) (01:11:46.817)
Mmm.

Justin Gardner (@rhynorater) (01:11:57.119)
Right.

frans (01:12:02.106)
I don't have a big gain, I think, on making my own personal blog and creating a name out of that. I'm more than happy to attach myself to a company that I value and am a part of, much more than doing it privately trying to build a brand.

Justin Gardner (@rhynorater) (01:12:14.047)
Yeah.

Justin Gardner (@rhynorater) (01:12:22.487)
Well, and you kind of get a two for one when you do it because I mean, I don't know, maybe it's just the fact that your brand is already established in the community, right? But when we look at this blog post and we say, okay, Detectify is releasing this, but Franz is writing it, you kind of get, it's almost like, to put it in SEO terms, it's almost like you get domain authority on Detectify and you get, you know,

frans (01:12:25.592)
Sure.

Justin Gardner (@rhynorater) (01:12:49.707)
community authority from Frans. So it's a good thing. And man, when I'm thinking about where to go next here, there's so many, you know, we could go down the route of like, let's talk about Dirty Dancing. We could talk about, you know, hacking plus entrepreneurship. And I think that is where I wanna go with this next one, which is like, so you come into this company, you know, you started Detectify with, you know.

frans (01:12:49.898)
Yeah, yeah, yeah.

Justin Gardner (@rhynorater) (01:13:14.943)
years ago with Mattias and them all based off of that security research. What role do you play in this company? To me it seems like you just run around and you're like, hey guys, what if we did this blog post? Have you seen this cool technical idea? Who the heck are you to this company?

frans (01:13:31.658)
Yes, no.

Yeah. So it's good that you say that because like one of the things happening with the companies that I have built, when they are growing up, there is like a big discussion on like how do we squeeze Frans into the regular, you know, day-to-day basis? Like what can we do? So I was, I was a scrum, what was that called? I was like a scrum breaker. No, scrum breaker.

Justin Gardner (@rhynorater) (01:13:59.539)
Scrum Master? Scum break.

Joel Margolis (teknogeek) (01:13:59.714)
Crumb Master.

Okay.

frans (01:14:03.874)
So I went in and like, we should do this. And like the whole scrum team is like, we hate you. So I was the, I was the scrum breaker. And, and, and so, and every time when, when it gets like more than 40, 50 people, it's like, how do we fit this weird person, individual into this organization? And it's like, yeah, it's.

Justin Gardner (@rhynorater) (01:14:09.028)
I hear ya!

Joel Margolis (teknogeek) (01:14:09.838)
Ha ha ha.

Justin Gardner (@rhynorater) (01:14:23.799)
So, but how did you, how did you, so one of the things that I find really difficult and even just the small entrepreneurial endeavors that I've been a part of is delegating. Like, and so when you've started these companies, have you had other players that are, you know, the executive players from the very beginning? Or how do you, how, was it hard for you to give up control or delegate, you know, jobs to different people? And how did you move out of that?

frans (01:14:42.455)
Yes.

frans (01:14:49.518)
So, okay, so I can say like this. One of the benefits I had was to have a business partner early on that was very much into sales and also into managing. I think that was the helpful part. So I always had to take the technical jacket on and be the one in both in charge of the team doing the technical things, but also together with the team trying to figure out how to solve certain things. Like in the beginning, it was me building, you know.

Justin Gardner (@rhynorater) (01:15:00.676)
That's awesome.

frans (01:15:18.53)
building everything. And then we got like our first employee that was a developer and we worked really well together so we could start building it also. Like this was an e-commerce platform. It's still alive. It's called Centra. It was smaller then, it's bigger now. But so when we started building Centra, I was always down on the floor, so to say.

Justin Gardner (@rhynorater) (01:15:30.188)
Hmm.

Justin Gardner (@rhynorater) (01:15:43.732)
Mm.

frans (01:15:44.702)
I was always a part of the team. That was like my whole concept of like, my way of managing in the technical team was to be just one of the guys. Like I was never, you know, doing any salary talks. That was never my job. I was not doing any one-on-ones. So one-on-ones were done by someone else. I was the, you know, CTO in the way that like, I'm going to play with new technologies, I'm going to try to execute them if I find something and I'm

Justin Gardner (@rhynorater) (01:15:55.287)
Mm.

Justin Gardner (@rhynorater) (01:16:13.469)
I love that.

frans (01:16:14.514)
I'm gonna, I'm gonna together with the team, like sometimes make a smaller team out of the bigger team, just to make something in reality as fast as possible. But that thing only works when you go up to like, when we, we turn into 50 or 60 people, that's when it's like really hard to like take some people out of the dev team and get to do some fun new thing. And then trying to move them, put them back again and like, everybody's happy. Like that's not how it works. So.

It became really hard for me to like be squeezed in and like get to play with the fun toys. So I've come to the realization that like I can build, I'm really good at like starting from zero. And then when we get up to 40, 50 people, I'm like...

Justin Gardner (@rhynorater) (01:16:57.705)
Yeah.

Justin Gardner (@rhynorater) (01:17:04.347)
Yeah, just roll it out of the picture.

frans (01:17:04.366)
going this. It's like, yeah, exactly. That's basically, yeah. And I think it's good for everyone if I do that, because else it's just so much politics around focus on like, else. If else then that. Yeah. Throw exception on it. Yeah, exactly.

Justin Gardner (@rhynorater) (01:17:16.819)
I love how he says that. Else, else it's this, you know, like he, he's literally the programming is, is making into the verbiage. That's, that's amazing. Yeah.

Joel Margolis (teknogeek) (01:17:20.078)
Uh... uh... uh...

frans (01:17:30.154)
Yeah, so I think that's the aspect of it. I don't know if that was an answer to the question.

Justin Gardner (@rhynorater) (01:17:35.815)
Yeah, no, it is man, it's a great, I mean what a great position to be in, what a dream of a position, and I think so many people that have the entrepreneurial itch that are also technical people, dream of positions like that, of like, okay, I'm C-suite, I have influence on this organization, but all the crappy stuff, like sales and management.

frans (01:17:47.126)
Yeah, absolutely.

frans (01:17:56.458)
Yeah. Yes. Not do that. Yeah.

Justin Gardner (@rhynorater) (01:17:57.823)
I'm gonna just not do that and I'm gonna do, I'm gonna, we all know that this is how it works best too when you're operating in your area of expertise, when you're operating in your passion. So that just highlights the importance of trying to find someone who, you know, that's a partner that's very passionate about sales and management and that sort of thing so that you each can operate in your own sort of, you know, expertise, yeah.

frans (01:18:05.899)
Absolutely, yeah.

frans (01:18:22.479)
genre. Yeah, exactly. Yeah, expertise.

Joel Margolis (teknogeek) (01:18:24.106)
Yeah, I also love that like co-founder model where like it's really hard to be good at everything. And I think it's much more of an anomaly to be good at like both aspects of the business, like both the technical and like the, the really refined, like fine point, like how does the product or feature service or whatever actually work versus like getting it sold and like getting customers and getting it marketed and that kind of stuff and trying to balance both of those things as one person is really, really difficult.

Justin Gardner (@rhynorater) (01:18:29.428)
Yeah.

Joel Margolis (teknogeek) (01:18:53.862)
subsidize that temporarily by like either taking debt or using your own personal money to like pay people to do that, or you get just like drowned in doing everything by yourself and every single day is like a 12 to 16 hour day of just like doing sales and also writing the product and also sending emails and yeah, doing like everything at once. And so if you can start out by having that balance, it's just like really, really huge.

frans (01:19:00.25)
for sure.

Justin Gardner (@rhynorater) (01:19:04.096)
Yeah.

frans (01:19:06.955)
Yeah.

frans (01:19:10.716)
everything else yes yeah

Justin Gardner (@rhynorater) (01:19:14.145)
That's.

frans (01:19:16.978)
Yeah. But it's not that I, it's not that we realized that to begin with, like I had salary talks, but the only thing happening was that I raised everybody's salary, like way too much. So it's like, we, we came, like we, we had a gift, like, no, and I had, we had like a Christmas gift thing and we're like giving away iPhones. And it's like, we had so little money on the first day of the year afterwards. And it was like, maybe I shouldn't do this.

Justin Gardner (@rhynorater) (01:19:30.643)
No more salary talks for Frans.

Justin Gardner (@rhynorater) (01:19:37.445)
Oh my gosh.

frans (01:19:45.084)
I should not be the one in charge of like because I wanted everybody happy like that was my because yeah, so it's

Justin Gardner (@rhynorater) (01:19:51.443)
So I came into this podcast thinking Frans is like some hacker entrepreneurial genius, and now I'm leaving thinking Frans is running around annoying people until he doesn't have to do the parts of the job that he doesn't want to. That's great, man.

frans (01:20:04.986)
Probably, yeah. That's the truth, I guess. But it's like, yeah, I mean, there's some truth also to like, we, we kind of realized like, where is my execution the best? Like the best place to be? And then like, that was the, there was the way to like grow very fast. Yeah.

Justin Gardner (@rhynorater) (01:20:14.003)
Well, yeah.

Justin Gardner (@rhynorater) (01:20:19.951)
Exactly. Yeah. Yeah, no, I make a joke about that. But but really, you know, it that's the wisest thing to do, truly. And and so, yeah, there's, I guess one, this is more of a personal question for from my perspective, one of the things I've struggled with is, you know, releasing that and being like, all right, you know, I actually just need to delegate this job to someone else.

And the reason why I struggle with that is because it's like, okay, well, a lot of times in the beginning, that means giving up equity, right? And because you don't have the money or if you do have the money, you don't want to, you know, I don't know, just sink all of your life savings into a thing, which actually you hear about entrepreneurs doing all the time, which is just, you know, awesome and inspiring. I mean, is that what you had to do? I mean, is that what you need to do is you just need to give the equity so that you don't have to do this part of the job. And that's the...

frans (01:20:53.09)
Mm-hmm. Yeah.

frans (01:21:00.182)
Yeah. Sure.

frans (01:21:15.838)
Yeah, I think I wouldn't say we had to do that from the get go at all to begin with, but we came, I think our perspective of it has changed because of experience. Like in the beginning, we could actually, you know, with a salary, get people engaged and get people to actually do things and build and have fun. Like we had a lot of fun building these companies because

Justin Gardner (@rhynorater) (01:21:15.883)
the right decision from your perspective?

Justin Gardner (@rhynorater) (01:21:23.611)
Mm.

Justin Gardner (@rhynorater) (01:21:43.147)
Sure.

frans (01:21:43.762)
It was so much hands on. We were like out there. We were, you know, I was developing things next to the customers, you know, like there was a big like spectacle around, you know, how we, how we did business in the beginning. But, but then I think, um, I lost the thread. Uh, what was the question?

Justin Gardner (@rhynorater) (01:21:54.676)
Yeah.

Justin Gardner (@rhynorater) (01:22:02.067)
Yeah, yeah, well, the question is, I guess at the end of the day, what I need you to tell me is that it's worth it to delegate these jobs, right?

frans (01:22:09.322)
Oh yeah, capital white, yeah. Yeah. So what happened then was that I, when it comes to, oh, I had it. It came and then I lost it. Yeah. Yeah, I had so much to explain there, but it's like, I lost it. I think it's, yeah, so what happened was that we got people

Justin Gardner (@rhynorater) (01:22:22.075)
Yeah, dude, and it's funny, I get those same sort of things when I'm in these situations on a podcast in particular, because it's so hard to keep the thread of it. Dude, yeah.

frans (01:22:36.758)
employed without like giving away actual equity because we both had a really fun place to be at because of the spectacle, but also because they like we were paying a fair kind of salary. But then we like during all these years, and I think also it's like, like how the society works, like there's a much more talk now about, you know, getting equity when you're building a startup and stuff.

Justin Gardner (@rhynorater) (01:22:47.915)
Yeah.

Justin Gardner (@rhynorater) (01:22:59.261)
Mm-hmm.

frans (01:23:01.77)
And we never really called ourselves a startup because we made money from day one. So we never had a problem with money-wise. But I think, yeah, so...

Justin Gardner (@rhynorater) (01:23:13.863)
That's important. That's an important factor there because if you're making money from day one, if you build your MVP and you actually have that validated by receiving money, then all of these issues of like start to disappear. Because at the end of the day, you can just hire someone and pay them.

frans (01:23:22.359)
Yes.

frans (01:23:29.13)
Yes, exactly. Because you do have the money. But then, I mean, a lot of the money I made in Bug Bounties have been invested into these companies. So we had that all, we didn't have that from the beginning because that wasn't how it worked in the beginning. But during all these years, we had that as a kind of a way to solve a bunch of problems with money, obviously. But then we also realized that a lot of people that...

Justin Gardner (@rhynorater) (01:23:52.535)
Mmm. Yeah.

frans (01:23:57.57)
that stayed for a really long time. It was much more valuable for them and for us to give them equity and a part of the company. So that happened after a longer while, but now it's like almost, you know, standard thing. Like if you join a startup, you're getting a part of the equity in some form of, you know, like pool similar, equity pool.

Justin Gardner (@rhynorater) (01:24:05.706)
Yeah.

frans (01:24:23.29)
And, but, but back then it wasn't. And I think that was helpful also into like, you know, coming, getting into that. But, but I would say like what, what happened now later on with, you know, getting a CEO, for example, like we, we didn't want to be the CEO of this company. So we, you know, found or the CEO found us in those cases, it's always, you know, you need to give up equity, obviously, because you, you want them to be like, you know,

Justin Gardner (@rhynorater) (01:24:48.755)
Yeah, of course.

They have to be, yeah.

frans (01:24:53.018)
fully on, you know, active on getting the company to where everybody else wants it. But so I would say it depends on what kind of position you want to fill or what kind of things you like. You don't need to give away equity for every single, you know, person that joins unless you like you can find some good, you know, yeah, that's true. But I mean, you can find some nice equity pooling.

Justin Gardner (@rhynorater) (01:25:13.139)
Yeah. Unless you have zero money. Ha ha.

frans (01:25:21.114)
kind of things where you get like a, you know, a vesting time and stuff. So, you know, that people stay at least that time, like, but, but it all matters if you, if you have like very key positions, like then, then that discussion is relevant.

Justin Gardner (@rhynorater) (01:25:24.887)
Sure, sure.

Justin Gardner (@rhynorater) (01:25:36.043)
So I wanted to ask one more thing, and I think Critical Thinking is a podcast focused specifically on bug bounty hunting. So the entrepreneurial piece of this, while is absolutely fascinating to me, and I think many of our listeners share that interest, I think I may move a lot more of my entrepreneurial questions into a different segment that maybe we'll release under the premium Discord channel or something like that. But one last thing that I wanted to ask about this was, when you were taking bug bounty money,

and putting it into the companies, how were you thinking about that mentally? Were you thinking about that as this is Franz's money that he's investing into the company? Or were you thinking, I'm working for the company and I'm generating this income that is just getting directly put right into the company?

frans (01:26:22.494)
Yeah. So what happened was we, me and my business partner, we're 50/50. And, uh, this was my way of, uh, providing, uh, so what I did was providing quick capital and like monetary-wise, the capital, but he was building, like he, he was in charge of being the CEO and everything in the beginning. So, so he was in charge of building the company, you know, making the company more valuable.

Justin Gardner (@rhynorater) (01:26:36.043)
Sure.

Yeah.

Justin Gardner (@rhynorater) (01:26:43.828)
Sure.

frans (01:26:50.338)
But I was bringing in the quick bucks to actually make it, you know, much more, uh, easy to solve problems. Uh, yeah, it's a scale easier. So, so we, we both agreed that like we're putting in different things, but we need to align somewhere here where like it's fine for me and still fine for him. And like, I think it's a weird balance also, especially when, when the bug bounty is like, you can go from one month, you're getting, you know,

Justin Gardner (@rhynorater) (01:26:56.934)
And to scale easier, yeah.

frans (01:27:18.722)
this amount and a live hacking event you get this amount and it turned really complex in the end and it turns into a lot of money if you're good at what you're doing. So I think in the end it was probably like we don't have this setup anymore and I think that's probably for the best because it can clearly like misalign interests over time especially when it's...

Justin Gardner (@rhynorater) (01:27:22.44)
Yeah, yeah.

Justin Gardner (@rhynorater) (01:27:29.941)
Yeah.

Justin Gardner (@rhynorater) (01:27:45.651)
100%. Now you've got a bug bounty company where Franz does hacking and then we pay employees, you know, like, primary income stream is Franz's bugs. No, that's great.

frans (01:27:48.186)
when it, you know...

frans (01:27:55.87)
Yeah, no, it's complex. Yeah. Yeah, exactly. It's like, like bug hunting as a, I don't know what to call it. Even it's like funding by bug bounty hunting. I guess. Yeah.

Justin Gardner (@rhynorater) (01:28:07.892)
Yeah, for sure. Okay, so I'm gonna go ahead and cross off my hacking plus entrepreneurial section here. Thank you for those awesome insights, Franz. That's awesome. And I know you and I have had some personal chats from time to time about entrepreneurship plus, what was it, automationist entrepreneurship? No, you know.

frans (01:28:28.022)
That's a good one. Entrepreneurial shit.

Justin Gardner (@rhynorater) (01:28:35.275)
plus hacking, so definitely a lot of wisdom to be received there. Bringing us back on track to the hacking stuff, I did want to talk about one of my favorite talks that you've ever done, which just essentially looked like prophecy to me looking back in the past, which is your Attacking Modern Web Technologies talk that you did in 2018, almost exactly five years ago.

frans (01:28:54.226)
Oh yeah.

Justin Gardner (@rhynorater) (01:29:02.339)
and attacking modern web technologies. There were so many awesome pieces to this. There was app caches and service workers. You know, there was post-message stuff. There was, I mean, yeah, the policies, the S3 policies, all sorts of stuff all over the place. So once again, mandatory reading for anybody who's listening. The crazy thing to me about this talk is like, this is still the stuff that we're talking about today. Like, and this was five years ago, right? And,

frans (01:29:11.827)
Upload policies.

frans (01:29:27.562)
Absolutely. Yes, it's still applicable. Yes, it's still applicable. Yeah, like I find bugs, like, like sometimes I need to go back to those slides because I find bugs for those things. They have an extremely long lifespan, those blog posts. I'm surprised myself that it's like still working.

Justin Gardner (@rhynorater) (01:29:32.405)
Yeah.

Justin Gardner (@rhynorater) (01:29:38.023)
Yeah, exactly.

Justin Gardner (@rhynorater) (01:29:44.167)
Yeah, and this is something that's really, I think, a key listen and also helps for your brand as well, Franz, is that Franz was talking about this stuff, not only doing this stuff, but talking about it publicly in 2018, five years ago, and we talk about PostMessage still being an underserved technology even to this day. So keep an eye on anything Franz releases because it will very likely be applicable for the future. So talk to me a little bit about

frans (01:30:03.738)
100%.

Justin Gardner (@rhynorater) (01:30:14.196)
App cache and service worker stuff and then in conjunction with that the beauty of the synergies between cookie stuffing and these technologies

frans (01:30:24.646)
Yeah. So I think the interesting part with the AppCache that happened there, there were many, many fun things with it. But my aspect of it was that I had a really old Dropbox account and the old Dropbox account were like grandfathered into a place where you could actually host websites on dropboxusercontent.com.

And if you created a new Dropbox account back then, you couldn't really run your own, like you couldn't render HTML pages and stuff. But if you had a legacy Dropbox account, you could, but it was very limited into what you could actually trigger with it or like get it to, to render. And I came to the conclusion that like, what can I do with an XSS or running an XSS on, on Dropbox user content?

Justin Gardner (@rhynorater) (01:31:02.923)
Hmm.

frans (01:31:21.522)
And I remember I was talking with Matthias then and like, what can we do? Like, can we do something? And we came to the conclusion like, okay, cookie stuffing we can do. So you can make it like unable to actually load because you're filling up the cookie jar so much. So when you're making a request later on, it will fail. Um, yeah.

Justin Gardner (@rhynorater) (01:31:31.339)
Mm.

Justin Gardner (@rhynorater) (01:31:38.711)
So question here, so essentially what was happening is you were able to host your attacker-controlled content on a domain with other victim content on that same domain, right?

frans (01:31:52.754)
Yeah, so yeah, exactly. What happened was you've got like a user directory on Dropbox user content that you could host the data on and then you could, I think it was that whenever you should. Yeah.

Justin Gardner (@rhynorater) (01:32:04.743)
Oh, I can see it now and I'll reference it. It's slide 15 for any of those of you that are following along here. You know, he's got dl.dropboxusercontent.com slash u and then the user ID and then wherever you would update stuff and you got the XSS, not by uploading an HTML file but by using, well, I think it was an XML. Yeah, yep.

frans (01:32:22.59)
SVG. No, XML, you're right, you're right. Yes, XML. Yeah, so that was the thing. Everything else was like, you know, getting downloaded and content disposition attachment. But that was the way. But if you had a new Dropbox account, you would never get the URL to Dropbox user content. It was only the legacy Dropbox account that had that feature enabled. So that was the, you know, the weird part first with

Justin Gardner (@rhynorater) (01:32:32.681)
Sure, sure, sure.

Justin Gardner (@rhynorater) (01:32:44.555)
That's really cool.

frans (01:32:49.998)
with having that. So we knew that we could do cookie stuffing and what would happen then if somebody else sent a link that would like 404 and, or the 405 or something. Or 550 something. Yeah, yeah, exactly.

Justin Gardner (@rhynorater) (01:33:01.611)
Yeah, 400 or, 411, I think maybe actually, yeah. So that concept of cookie stuffing, I learned that from you and from File Descriptor. And so I'm wondering, it was from, I was gonna ask, where did you get that knowledge? And of course it goes back to another legend, File Descriptor.

frans (01:33:16.15)
I think it was file descriptor that I learned it from as well. Yeah. So, yeah, file descriptor, man. And the funny thing with this bug was that I think Mattias was the one mentioning, we're coming back to file descriptor, so he mentioned AppCache. And I started reading up on what AppCache was doing and Mattias as well. And we started like playing with that and realized that we could, you know, host a reference, a manifest in the XML file.

Justin Gardner (@rhynorater) (01:33:34.048)
Yeah.

frans (01:33:45.838)
That manifest would then be loaded, and that manifest could be like a regular text or whatever, and that text could contain and say that if you're unable to reach this website, you should have a fallback page of this and that. Because the whole AppCache thing was based on you running an app and you're going offline with your cell phone, so if you reload the page, you can still visit it.

Justin Gardner (@rhynorater) (01:33:51.574)
Sure.

Justin Gardner (@rhynorater) (01:34:02.476)
Sure.

Justin Gardner (@rhynorater) (01:34:11.279)
This is crazy.

frans (01:34:12.558)
And it's absolutely crazy. And what happened was that we realized that in our user path, we could put an HTML file or an XML file. And we could say that this is the one that should be loaded if you can't reach the website. And then we realized, okay, does the cookie stuffing result in this thing? And it turns out that yes. So we cookie stuffed and made sure that if you clicked on any other link, we would just steal the URL and then steal the page of that signed URL ourselves. But the weird part was that when we did this.

Justin Gardner (@rhynorater) (01:34:38.798)
Wow, that's amazing.

frans (01:34:42.266)
Blog post. I don't know exactly, date-wise. So our bug to Dropbox was here and then here, and then file descriptor comes out with a talk explaining this bug, and we were like, but we, what, we what? So that was when we wanted, we got the Dropbox bug published so we could show that we also figured this out. And, and so he actually did a talk on, I think on the OS

Justin Gardner (@rhynorater) (01:34:50.548)
Yeah.

Justin Gardner (@rhynorater) (01:35:05.247)
That's crazy.

frans (01:35:10.95)
OS talk or something else. But, and so we like, we came to the same kind of conclusion, which was great. So I wanted to like highlight that, that like, sometimes people can like figure out the same kind of things at the same time. And as you mentioned, like, there's like the new thing, I think I mentioned it as well, like service workers was a, was a like a replacement for AppCache.

Justin Gardner (@rhynorater) (01:35:11.899)
No way. Same conference. Yeah.

frans (01:35:35.554)
But back then, I think it was very hard to get a service worker to work, because you needed to have a specific header on the service worker file to allow it to run as a service worker. And there were a lot of if this and that's that had to work to make it actually exploitable.

Justin Gardner (@rhynorater) (01:35:35.701)
Yeah.

Justin Gardner (@rhynorater) (01:35:41)
Yeah.

Justin Gardner (@rhynorater) (01:35:55.239)
Yeah, it seems like there's definitely been some change in that area now. And so, you know, I've definitely seen service workers used in lots of different contexts. I believe you... And I always have to, you know, go back and look at it, but I'm not 100% sure, but I'm 99% sure that service workers can be installed without a header now. The header that... If you do supply an HTTP response header, what that will allow you to do is reassign

frans (01:36:08.928)
Yeah.

frans (01:36:18.062)
I won't.

Justin Gardner (@rhynorater) (01:36:25.195)
the root path, the authority for that service worker. So if you, you know, even though you're installing the service worker at like /js/sj.js or whatever, or sw.js, then you know, you would normally just have authority for the /js directory. But if you're able to serve that Service-Worker-Allowed, I think, header, then you can get and say, hey, give it permission to slash, then you can now affect all the resources inside of slash.

frans (01:36:25.439)
existing. Okay.

frans (01:36:30.266)
Mmm. Yeah.

frans (01:36:52.748)
Mmm... run everywhere. Nice.

Justin Gardner (@rhynorater) (01:36:54.271)
And it's such an interesting technology, especially when you pair it with something like subdomain takeover or file upload, because you can gain sort of a persistence in the browser as well using service workers. And we've seen this also with Truffle Security released a tool called Of-CORS. I'm not sure if you've seen it, Franz.

frans (01:37:00.491)
Yes, yeah, for sure.

frans (01:37:20.373)
Hmm? Yeah.

Justin Gardner (@rhynorater) (01:37:20.863)
But it uses a service worker in the background to gain more time to be able to attack different websites that have vulnerable CORS configurations, even if you just visit the page for just an instant. So there's so many, I think, applicable exploitation scenarios for service workers that we gotta keep our eye on because they have tremendous impact.

frans (01:37:31.063)
Mmm, yeah.

Interesting.

frans (01:37:47.454)
Yeah, no. And I agree. But like, I guess the core concept first is like, you need to have an XSS to begin with and, and then you probably need to have arguments on why that XSS wasn't important in the beginning. And I guess like storage, like a bucket storage is a, is a, is a good argument on like an XSS there doesn't do anything, but if you have persistence, you can like show. And I think that was what the, the bug showed was like.

Justin Gardner (@rhynorater) (01:37:53.557)
Yes.

Justin Gardner (@rhynorater) (01:38:02.539)
Sure.

frans (01:38:14.974)
It's a sandbox domain. It doesn't have any impact, but you have persistence. And that's the way to like gain access to other URLs and stuff.

Justin Gardner (@rhynorater) (01:38:23.071)
I just thought about something, Franz. One of the things we're gonna talk about a little bit later, assuming we don't have to cut for time, is this middleware misconfigurations that you talked about. So what if we changed that, right? Like we changed the middleware misconfiguration, and so now we can use that to hit a different bucket on the, so just to be, I'm gonna give the TLDR of the middleware misconfiguration thing. If you essentially,

frans (01:38:31.946)
Yes, yeah, that's a good, that's a great aspect. Yeah.

frans (01:38:43.598)
Sure. Yeah, yeah.

Justin Gardner (@rhynorater) (01:38:50.323)
with some NGINX configurations, if you put a bunch of escape characters, new lines and stuff like that in the URL and they have some specific proxy_pass rules, then you will be able to rewrite the rest of the request and hit other S3 buckets or other backend entities. Exactly, so what if we chained that with service workers, where you could then hit your own S3 bucket and issue, but I'm wondering,

frans (01:39:06.614)
Yeah, and host your own content, basically. Yeah.

frans (01:39:18.722)
I mean, you still have stored XSS, I guess. Like somebody needs to visit your URL still. And that one would still make you host whatever content you want on that website. So, but the thing you're gaining is the persistent thing that you can actually make it load, but they still need to visit it once.

Justin Gardner (@rhynorater) (01:39:19.228)
Do you know if you can sit? Yeah, you do.

Justin Gardner (@rhynorater) (01:39:37.803)
Can you, can you, I'm wondering though, can you set response headers in S3?

frans (01:39:45.386)
Yeah, it depends if it's S3 website you can, some of them. But I mean, you could also, if it's S3 website, you can still redirect it to whenever. Like, and depending on like the CSP, for example, you can still redirect it elsewhere. I don't know if that helps you though. No.

Justin Gardner (@rhynorater) (01:40:04.795)
No, no, because what I'm thinking is like, wouldn't it be cool if we could insert some new line characters, overwrite the backend bucket, right? Have the bucket serve a service worker and then insert the service worker header to slash so that we gain that service worker authority and get XSS, stored XSS on every single page that the user visits within their browser. I think that could be really cool.

frans (01:40:20.575)
Oh yeah.

frans (01:40:30.838)
Yeah, I mean S3 website would allow you to do this. If it's proxying you to S3 website and you can inject something to modify what bucket it's going to serve as a website, you can inject whatever header you want, I think.

Justin Gardner (@rhynorater) (01:40:43.433)
Yeah.

I guess it depends on the host, because I wonder if we are hitting, so let's say they're sending a request to, you know, whatever.s3.amazonaws.com, and then we overwrite the host header on that, I wonder if it uses that same load balancer, origin IP, for you to insert a header to hit S3 websites. Like if you put in, it doesn't, okay. Bummer.

frans (01:41:07.914)
No, no, no. S3 website is also quirky because it only responds on HTTP and not HTTPS. I have no idea why. I think it has something to do with like, you're supposed to put it behind something else kind of cloud front or whatever, but so they don't have the same load balancer and you can't really get to S3 website from S3, as far as I know. At least. Yeah.

Justin Gardner (@rhynorater) (01:41:16.069)
Oh, what?

Joel Margolis (teknogeek) (01:41:18.862)
Mm.

Justin Gardner (@rhynorater) (01:41:34.015)
Weird. Yeah, that's definitely an area.

frans (01:41:35.582)
It's very isolated. It's like a totally, it's like an overlay over S3. It's like S3 website is like its own thing that renders whatever you want basically.

Justin Gardner (@rhynorater) (01:41:44.403)
Yeah, we'll definitely have to research that a little bit more in depth. The other area that I was thinking that this could be interesting is with CRLF injection into the response headers, right? If you can do response splitting, assign the Service-Worker-Allowed header.

frans (01:41:47.623)
Yeah, sure.

frans (01:41:59.458)
Then you can make a service worker out of the response splitting. Yeah, sure. But do you need something to load it? I mean, you could probably make two CRLF, one CRLF to load a fake document and one CRLF that loads a fake service worker with the header to install it. Absolutely. That should work. Yeah, sure. Yeah, nice. Yeah. Yeah, that's fun. Then you get persistence.

Justin Gardner (@rhynorater) (01:42:03.647)
That would be pretty lit, right?

Justin Gardner (@rhynorater) (01:42:21.346)
That's some good shit right there.

Justin Gardner (@rhynorater) (01:42:25.607)
Yeah. Huh. I'm just, I'm thinking about all the possibilities of that. Shh. Huh. Gotta just note that down really quick.

frans (01:42:28.338)
Interesting. Play with it. Yeah, it's like...

Joel Margolis (teknogeek) (01:42:30.606)
I can see the gears turning and Justin's as soon as he hangs up. He's gonna he's got three programs. He's got to go look at

frans (01:42:35.938)
But then you can probably escalate it to steal access tokens and stuff. Yeah, I mean, you can probably do things with that, I guess.

Justin Gardner (@rhynorater) (01:42:47.219)
And it makes it a lot more, it makes it, I mean, it's a little bit interesting, right? Because technically what that could result in then is we could get plain, we could leak the user's plaintext password without user interaction, right? Because like you said, what are we actually, what do we actually gain from this? Because at that point, if we have stored XSS, right, then we can just open up whatever pages we want in an iframe and then do whatever we want, right?

frans (01:43:05.782)
At first, I guess. Yeah.

frans (01:43:14.658)
and do whatever.

Justin Gardner (@rhynorater) (01:43:15.559)
Yeah, but one of the things that we can't do is, without more intra-user interaction, is leak the user's plain text password, assuming they don't have any crazy thing. But...

frans (01:43:25.438)
Yeah, yeah, but due to the persistence you can you can get them to yeah sure

Justin Gardner (@rhynorater) (01:43:31.164)
which really escalates pretty much any... And then if you...

frans (01:43:35.21)
I guess it's a reflected more than stored, but you turn it into more of a stored. Yeah. Client-side. Yeah.

Justin Gardner (@rhynorater) (01:43:41.703)
A client-side stored, a client-side stored XSS. That's really interesting. And then this is a really good ATO mechanism because especially if you then proceed to cookie bomb, like a specific path.

that issues an auth token or something like that, it forces the user to clear their cookies and re-auth the next time that they go into the application. And at that point, if you've got the service worker, you can hijack the plaintext password. We get, this is some good, I didn't get you on this podcast more often. This is great. No, no, this is really good. Okay, so, wow, as much as I would like to sit there and just think on that for the next little while.

frans (01:44:05.915)
Yeah, to log in.

frans (01:44:15.026)
Interesting. Yeah. Yeah, yeah, yeah. That's fun.

frans (01:44:26.534)
I'm sorry.

Justin Gardner (@rhynorater) (01:44:27.675)
Let's try to keep rolling. It's probably a sin, but I'm gonna skip this whole section on S3 policies and cloud policy uploads, which is a really awesome part of the Attacking Modern Web Technologies talk. And I'm gonna jump to something that we've talked a little bit more about on the podcast often, which is the post-message stuff.

Justin Gardner (@rhynorater) (01:44:54.807)
How did you, because once again, you're one of the first people that sort of introduced me to post message stuff. How did you come up with this and then what was it like seeing this? Did somebody else's research spur this thought in you or was it just how does this work? Sort of vibes. Do you remember, I guess is the first question.

frans (01:45:12.934)
No, that's a really good question actually. No, I actually don't 100% remember where... I think like this, I think there were examples of vulnerable cases already post... Like I wasn't the one showing that you can exploit it. But I started to... So I think I did a lot of focus back then on... I think it was Dropbox maybe?

Justin Gardner (@rhynorater) (01:45:20.757)
Yeah.

Justin Gardner (@rhynorater) (01:45:41.815)
Sure. Yeah.

frans (01:45:42.99)
And I think it was, so it was also like payment providers. There was something because payment providers tend to do a lot of, and you had to talk yourself about it. Yeah. And what happened was that there was a huge amount of payment providers that started moving over to post message. And you always had a really hard part finding all the post message listeners. So as I did back then, I was discussing with Mattias.

Justin Gardner (@rhynorater) (01:45:52.531)
Yep. Yeah.

frans (01:46:12.522)
Like, how, how do we figure these things out? And, and we came to the conclusion that like, okay, probably an extension. And then I sat down and wrote a bunch of like, you know, inside iframes deep, you know, a post message that, that get listeners that get triggers by actions and, and a lot of different, I think it's still in the repository. There's like an example of HTML with a bunch of listeners and, and just to like.

Justin Gardner (@rhynorater) (01:46:16.64)
Mmm.

Justin Gardner (@rhynorater) (01:46:38.152)
Yeah.

frans (01:46:41.37)
try to figure out what we can do about it. And I made my first version of the extension and like, okay, this will be usable. Like, oh, just the number, even though you have like five iframes deep, a listener, the number counter on the post-message listener Chrome extension would still increase versus looking at the source events, global events, and you only see the iframe you've currently selected.

Justin Gardner (@rhynorater) (01:47:01.047)
Mmm.

Justin Gardner (@rhynorater) (01:47:09.238)
Yeah.

frans (01:47:09.45)
I was like, this is a terrible functionality. Uh, so I made my first version of this and I talked with the Google team because I told them like, why can't you just like, I don't want to start building an extension, like, can't you just fix it so you can see all the listeners in all iframes? And they were like, no, this is how it's supposed to be and blah, blah. And like, okay. Yeah.

Justin Gardner (@rhynorater) (01:47:26.196)
Yeah.

Justin Gardner (@rhynorater) (01:47:29.915)
It's terrible and it's something that I talked about in my talk as well but like, yeah, you gotta do your, you still even have to do your due diligence to go and show where all of the, you know, to go sus all of the listeners because something may not be utilizing that listener, right? So in that case it won't show up in PostMessageTracker. So you've still gotta go through and do it. One of the, you know, it's my fault as well because I haven't contributed to that nice private repo you put me on for.

frans (01:47:46.647)
Yes.

Yeah.

frans (01:47:58.239)
Yeah, no worries.

Justin Gardner (@rhynorater) (01:47:58.559)
for PostMessageTracker, but I think it would be really cool to add a line that shows every time a PostMessageTracker is registered and where it's registered. So, you know, just like you get a request where, you know, you get a log in your console when it gets sent through, when a PostMessage is sent through, you can also get a log when one is registered, so you can know, okay, well, the, you know, my child windows,

frans (01:48:08.695)
Yep.

frans (01:48:15.03)
Yes. Yeah.

Justin Gardner (@rhynorater) (01:48:27.211)
This third iframe has registered a listener. That could be really cool because that attack surface is all over the place, like you mentioned.

frans (01:48:28.598)
Yes, launched. Yeah, yeah, yeah. And

frans (01:48:35.026)
Absolutely. And I would say the most common ones I found nowadays are the ones not initiated from start, but by action. So they just because you so I have an example in one talk I did in Amsterdam for like a live hacking event. Basically, what happened was that when you clicked on upload document, there was a listener started at that action. And then you could do whatever you could basically read whatever document you uploaded, you could read it from the sandbox.

Justin Gardner (@rhynorater) (01:48:42.111)
Yeah.

Justin Gardner (@rhynorater) (01:48:56.573)
Huh?

frans (01:49:05.182)
But, but so there's a bunch of those, like, action-based listeners that get triggered by things. And what I've seen lately, like lately also, I think one of the biggest tricks up my sleeve with the post message listener was the unpacking of the wrappers. So basically everything is wrapped through New Relic or Rollbar or, there's a bunch of those, but, and jQuery also has its own wrapper, but the way of

Justin Gardner (@rhynorater) (01:49:22.215)
Yeah.

Justin Gardner (@rhynorater) (01:49:27.109)
Yeah.

frans (01:49:32.782)
figuring out how to bypass the wrapper and then go directly to the function. So you can get like the real function that is actually being triggered. That was, I think the golden nugget in the extension that is that, that was really helpful. And what I've seen lately now is like people using message ports, which is like an addition to, to post message where you send an initial post message with the port. And that port can then be, you know,

Justin Gardner (@rhynorater) (01:49:52.832)
Yeah.

frans (01:50:01.27)
You can shuffle that port between iframes, but the one having the port is the one getting the messages.

Justin Gardner (@rhynorater) (01:50:07.347)
Yeah, dude, I'm so glad you mentioned that because I just found my first bug using message ports in a live hacking event, maybe, well, I won't say exactly when because that'll give it away, but within the past year, right? And it was very interesting. And I think one of the things that was crazy there is it sometimes people will just get a port and then they'll just shove data into it without doing origin checks or anything like that too. And so,

frans (01:50:19.158)
Nah, yeah. Yeah.

frans (01:50:36.154)
No, no, exactly.

Justin Gardner (@rhynorater) (01:50:37.063)
you know it actually even creates more complexity and more room for vulnerabilities when you when you're utilizing the message port stuff

frans (01:50:43.582)
Yeah. And it's fun because you can, you can have a message port from one little iframe and if you get hold of that message port, you can take it into a different iframe and then the, the window thinking it sends, sends it to the iframe, it's actually sending it across the main somewhere else. So that message port can be, you can juggle that message port wherever you want, which is kind of funny that it's like just a connection. It's basically like a socket that you can, that shuffles data.

Justin Gardner (@rhynorater) (01:50:59.805)
Yeah.

Justin Gardner (@rhynorater) (01:51:10.259)
Yeah, I'm also kind of surprised that we haven't seen more post-message based tooling out there. Like maybe I'm just naive, but your post-message tracker is pretty much the only extension that I've seen that does anything like this. So one, thanks for doing that, because otherwise we would have no introspection into this. Yeah.

frans (01:51:28.778)
Yeah, yeah, I use it. I use it every day myself. It's my, probably the only extension I use myself, and every, every day I'm looking at it. So it's like I'm, it's a good example of like writing something that you would use yourself. And it's 100% like that, like it doesn't go a day without me looking at it.

Justin Gardner (@rhynorater) (01:51:44.607)
Yeah.

Justin Gardner (@rhynorater) (01:51:49.143)
I'd kind of like also to just to highlight the importance of understanding browser mechanics and stuff like that. So let's say for example, post-message stuff was just coming out or something like that, right? You go to a page and you see an iframe open up, or not an iframe, a pop-up open up, and it does something. That change somehow seems to appear back on the original window.

frans (01:52:16.986)
Mm-hmm. Yeah.

Justin Gardner (@rhynorater) (01:52:17.875)
Right? And you don't see any HTTP requests, so it's not pushing it out to the server and not coming back, right? So you're like, wait a second, how the heck is this working? Because if you have an understanding of browser mechanics, you need some sort of reference to pass it and that sort of thing. So yeah, same origin is fine for that. Yeah, so it's important to understand, if it's happening cross origin like that, you can't just say parent.

frans (01:52:22.008)
Yes.

frans (01:52:33.642)
Yeah, same origin kind of works still. So yeah, yeah.

Justin Gardner (@rhynorater) (01:52:46.243)
or opener.window, whatever, and just define variables or trigger callbacks in the parent window if it's cross origin. So having a strong understanding of same origin policy, having a strong understanding of window references, those sort of things are essential to be able to identify these sort of issues as the technology evolves. So.

frans (01:53:02.476)
Yes. Yeah.

frans (01:53:08.086)
Yeah, for sure. Yeah, absolutely. And I think one thing that I did some talks on it, but I think there will be a lot more bugs on it. It's client side race conditions with post message. I think I was early on with it, but I think that there are much more places to investigate that might be similarly vulnerable to it still.

Justin Gardner (@rhynorater) (01:53:35.443)
I don't have, so I've got a couple of client side race conditions in place, bugs that I've found. And I'm actually doing some research on them right now, which I'll share with you after this chat. And maybe we can collab on it because the implications of it are pretty gnarly, but I need to do what you did with a lot 30 dancing and just like, work through all the pathways.

frans (01:53:38.285)
Hmm?

frans (01:53:44.6)
Nice.

frans (01:53:58.934)
Yeah. Iterated. Yeah.

Justin Gardner (@rhynorater) (01:54:02.883)
work with all the pathways to it. But yeah, I mean, there's so many things that can be said about that. One piece that is not super relevant to the bug, or to the research that I'm talking about, is the concept of client-side race conditions via post message when one of the parties is using JSON.parse. So the thing about JSON.parse is that when you're parsing that JSON data from a string back into a JSON object,

frans (01:54:23.405)
Hmm?

Justin Gardner (@rhynorater) (01:54:31.103)
that takes computational power to load up all those objects. So I had a scenario when I was getting a post message at two different windows at the same time. And I needed to be, so this window was relaying, the first window that would receive the post message was relaying it to me, the attacker. But then that first window would respond to the post message and set some configuration settings. So I had to receive it. Yeah.

frans (01:54:33.994)
Yeah? Hmm?

frans (01:54:47.896)
Ah yeah.

frans (01:54:55.114)
You needed the message to be first, but you also needed to read it faster than the other one. Yeah, string matching, I guess.

Justin Gardner (@rhynorater) (01:55:00.123)
Exactly. So the first window that received it was using JSON parse. And instead, exactly, I used just substring, right, to extract this variable that I needed to send the message and was able to win the race back to the first window. And so that's a cool little tip for the listeners there. JSON parse is a little bit computationally intense there.

frans (01:55:09.098)
Yeah. I.D. Yeah. Nice.

frans (01:55:16.179)
That's awesome.

frans (01:55:20.398)
I love those, those things are beautiful. Yeah. Also, I think like the whole concept of sending object, like arbitrary objects. I know FilerScript made one of those using blob, but there are a bunch, like you can send the regex object. And so there's a bunch of these like, "if this is not a string" kind of bugs that you can find just because you're sending

Justin Gardner (@rhynorater) (01:55:35.924)
Yeah.

Justin Gardner (@rhynorater) (01:55:40.564)
Yeah.

frans (01:55:48.646)
a completely different object with post message. I think it's like file, blob, regex. There's a bunch more that you can send over. Yeah.

Justin Gardner (@rhynorater) (01:55:57.875)
Wow, I didn't know that actually. I gotta look into that. And I know that some providers have implemented frameworks where like serialization and deserialization frameworks that just make my life terrible. Yeah.

frans (01:56:06.514)
Oh yeah, yeah. Yeah. They are crazy. I know, I know exactly what you mean. I've seen those as well. It takes a lot of time, but sometimes in those cases, I'd rather look for the sinks first, or like, is it even, you know, can I actually do something fun? Yeah, exactly. Yeah, those are tricky.

Justin Gardner (@rhynorater) (01:56:13.641)
Yeah.

Justin Gardner (@rhynorater) (01:56:20.936)
Exactly.

Justin Gardner (@rhynorater) (01:56:25.363)
worth my time to go down this path. Yeah, no, totally. I agree, wow. All right, moving along, I'm gonna hit this next one pretty quickly, but I will say for any of you that are aspiring to be live hacking event participants, this talk by Franz, Live Hacking Like an MVH, A Walkthrough on Methodology and Strategies to Win Big, is an amazing talk that talks about the live hacking event experience.

and how to do well at live hacking events. So we talk about a lot of this stuff as well. Also, let me just say, as of this past Vegas, I have been, what is it, de-seeded, un-seeded as tied for the most MVHs, and now Franz has taken back his rightful title as, you know, MVH master of sorts. So I will get that back, Franz. Give me some time.

Joel Margolis (teknogeek) (01:57:12.514)
That's true.

frans (01:57:19.414)
Yeah, at some point. At some point, I guess.

Justin Gardner (@rhynorater) (01:57:24.968)
This talk goes through essentially the live hacking event flow and actually some of the OG live hacking event flow where you would have to use Bounty Please, which is a tool that Franz wrote to automatically submit all your bugs in the beginning. What a crazy time, man, where you would just not, where you would get, if you didn't get your bug in fast enough, it was just, there was no bounty. What the heck?

frans (01:57:36.595)
Oh yeah, the speeder? Yeah.

frans (01:57:50.77)
No, exactly. I think it was also you got duped because if someone posted it before, you didn't have a dupe window basically. So yeah, it was kind of weird. It like incentivized building those toolings. But I know people, I think there have been live hacking events lately also needed, that needed to get in things quick. So I've gotten requests to like, reignite that project man because

Justin Gardner (@rhynorater) (01:57:55.124)
Yeah.

Justin Gardner (@rhynorater) (01:57:59.655)
Yeah, it's crazy.

Justin Gardner (@rhynorater) (01:58:06.4)
for sure.

Justin Gardner (@rhynorater) (01:58:14.88)
Yeah.

Justin Gardner (@rhynorater) (01:58:19.092)
Yeah.

frans (01:58:20.198)
And I think it's also, to be honest, because a lot of people tend to write markdown reports themselves first, and then trying to squeeze it into the bounty platforms.

Justin Gardner (@rhynorater) (01:58:29.194)
Yeah.

So for those of you that...

Joel Margolis (teknogeek) (01:58:33.27)
My favorite part about Bounty Please, by the way, is that it's all written in bash.

frans (01:58:36.734)
Yeah, yeah, I love bash. Damn, I write everything in bash, man. Yeah.

Justin Gardner (@rhynorater) (01:58:37.246)
Okay.

Justin Gardner (@rhynorater) (01:58:40.507)
Yeah, so I was gonna ask that same question Joel like dude, why do you write everything in bash like like?

frans (01:58:46.33)
Pipelines, man. You can, it's like a functional language because you can pipe everything through everything, like it's like, that's where Python and me doesn't... Sure, but now, like, your whole script is based on piping data through, you know, conversions and things. So I think, I think it's just, my mentality is not like "this is a script and this is a pipeline with the script", it's more like my script is my pipeline, or

Justin Gardner (@rhynorater) (01:58:54.347)
But you can pipe a Python script into some other Python. I mean like.

frans (01:59:16.018)
Often I think it's like an organic thing of like my script is becoming, it's becoming a script because I used a pipeline and now I'm like, so I think it's just my mentality of like that's and I think I tend to use it so much also because it's like it goes so fast on building it. And but to be honest.

Justin Gardner (@rhynorater) (01:59:17.003)
Wow.

Justin Gardner (@rhynorater) (01:59:46.883)
I do hear you now.

frans (01:59:47.192)
I do hear you now. Yes. Let me...

Joel Margolis (teknogeek) (01:59:47.383)
Yes.

Justin Gardner (@rhynorater) (01:59:50.711)
We had a little bit of a hiccup with the mic or AirPod setup here. Let me go ahead and ask about.

Joel Margolis (teknogeek) (02:00:00.782)
Wait, you hear that echo, right?

Justin Gardner (@rhynorater) (02:00:07.304)
You're good. We'll cut.

Justin Gardner (@rhynorater) (02:00:13.162)
You can if you need to, yeah. You should be able to change on the right hand side.

Joel Margolis (teknogeek) (02:00:14.259)
or you might've.

frans (02:00:15.644)
Yeah, it's like read only in... Yeah, I try that.

Justin Gardner (@rhynorater) (02:00:21.428)
Oh, is it?

Joel Margolis (teknogeek) (02:00:22.242)
We should probably stop the recording and start it again so it uploads.

Justin Gardner (@rhynorater) (02:00:24.435)
Well, maybe try to leave and then rejoin.

because he should get a prompt when he goes to join that says stuff like that.

Joel Margolis (teknogeek) (02:00:44.447)
I have a meeting in like 22 minutes

Justin Gardner (@rhynorater) (02:00:47.027)
Okay, yeah, I know this one's going mega long. Do I have a meeting in?

Justin Gardner (@rhynorater) (02:00:54.631)
No, I don't. I'm good. Yeah, dude, I'm feeling good enough. I think we can record the Hacker One video later today if you want.

Joel Margolis (teknogeek) (02:01:02.242)
Okay, all right, I haven't even opened my work laptop, so I need to deal with some of that, but yeah.

Justin Gardner (@rhynorater) (02:01:06.567)
Okay. Solid. That's fine. Dude. Um, sales stuff has been going really well the past couple of days. So.

Joel Margolis (teknogeek) (02:01:13.526)
Nice, that's awesome. Yeah, I saw that message this morning, so that's really good to see.

Justin Gardner (@rhynorater) (02:01:17.927)
Yeah. So I also got a message back from Ninja jobs, which is a, uh, a, a company that does penetration testing and security jobs, uh, about, uh, you know, that they'd be interested in talking about a sponsorship and that sort of thing. So I think we'll start rolling here soon.

Joel Margolis (teknogeek) (02:01:35.758)
Cool. Sweet.

Justin Gardner (@rhynorater) (02:01:43.359)
What were we talking about right before we left?

Joel Margolis (teknogeek) (02:01:48.477)
Uhhhhhh

Justin Gardner (@rhynorater) (02:01:53.611)
Bash, yeah.

Joel Margolis (teknogeek) (02:01:58.67)
Uh oh. The fact that he's not back here already is a little concerning.

Justin Gardner (@rhynorater) (02:02:01.363)
Little concerning, yeah, maybe he has to do a reset or something. I feel like we do have an unacceptable amount of technical difficulties at this current time. I think I need to work on that. Because I think largely...

Well, when I was recording off of my phone, things kept on cutting in and out, which is not great. And then, you know, we've got this, so maybe we need to figure that out. No problem.

frans (02:02:30.978)
Oh, okay. Yeah, sorry for that. And my we talked for so long, my AirPods died.

Joel Margolis (teknogeek) (02:02:32.874)
Yeah. No worries.

Joel Margolis (teknogeek) (02:02:40.942)
Ha ha ha.

Justin Gardner (@rhynorater) (02:02:41.155)
That's great. Now that's fine, man. So I guess just sort of bringing it back around, we were on the live hacking event, MVH, and I think we were giving you some shit about using bash all the time and Bounty Please and stuff like that. But, you know, we'll roll away. We'll let that fly. We'll let that slide. No worries. And I wanted to talk to you about collaboration in live hacking events. And I want to read a quote from...

frans (02:02:48.411)
Yes.

Yeah, yeah, yeah.

frans (02:02:59.939)
It's okay.

Justin Gardner (@rhynorater) (02:03:08.283)
this article and you give a lot of great advice in this article or in this slide deck about essentially doing the work that other people aren't willing to do, focusing on the boring stuff and configuring all the things that other hackers won't configure. That's the way to get the big bounties and the way to hit sort of untapped attack surface. And that's great, so I wanted to shout that out. But I also wanted to talk about this section where you said.

frans (02:03:18.011)
Oh yeah.

Justin Gardner (@rhynorater) (02:03:34.855)
when you're talking about teaming. Because teaming is something that we talk about on critical thinking a lot. Joel and I, Joel is one of the few people, actually one of the only people I think that I have ever done, in my opinion, successfully done a collaboration with over the past five years, where it was a full, from the beginning to the end, collaboration, right? And I think that's because I've been burned a little bit in the past on large teams. And that is what it is. Everyone needs to have that learning experience.

frans (02:03:52.07)
Yeah.

frans (02:04:00.455)
Yes.

Justin Gardner (@rhynorater) (02:04:04.107)
But I get a little bit of a bad rap for being anti-collaboration now. I'm not anti-collaboration by any stretch, but you give some really great advice here, so let me read that. With regards to teaming, team up with someone that, one, will put similar effort into as you, two, might know stuff you don't, three, helps you cover more attack surface, four, you can communicate with and brainstorm. And then you say, yeah, right, exactly.

Joel Margolis (teknogeek) (02:04:31.086)
I mean both, right?

Justin Gardner (@rhynorater) (02:04:33.487)
If you look at freaking Mattias's DMs, it might seem more of a brain stream than a brainstorm. Yeah, and then you say: keep teams small, two to four. If three or more, effort will differ, allow splitting differently. For two people, 50% is always the simplest. So that was sort of like the brain dump of collaboration wisdom you did back in the day. Do you still hold to all that?

Joel Margolis (teknogeek) (02:04:38.644)
Uh, heheheheh

frans (02:04:39.186)
I mean, it makes sense, Brainstream also.

frans (02:04:53.831)
Yeah, yeah.

Absolutely, 100%. I think it's very interesting also in terms of where... I do try to collaborate with new people all the time. Once or twice, sometimes maybe around one bug and sometimes maybe during an event or during just a target sometimes even. And I always come to the conclusion that it's a lot easier to do it

two people because then it's much easier to, you know, it's very simple then if both are collaborating then the full team is there but if you're three, maybe two of them are working together one night, the other one can't and like it's just after two it becomes like really hard to align that everybody's doing equal work because you do...

You don't want to end up in like me personally would not like to end up in the scenario where I get paid for doing nothing. And I hope that other people don't feel great about that either. It's like because I wouldn't I sometimes feel bad with one person when that person is providing much more than I do. But I at least try to put in the time trying to find things. But so I struggle a lot with.

you know, often with like, I'm like, I don't need to be collaborator on this thing, because I didn't do anything, that kind of mentality, myself, so I really like I enjoy people having the same kind of mentality themselves. And you quite quickly notice the ones that don't really care and like, almost gets to, you know,

frans (02:06:45.258)
ride on a sandwich, it's a Swedish proverb, but like, gets to do things, are getting paid for not doing anything. It's actually ride on the shrimp sandwich. Yeah, it's like, yeah, I don't know, I, yeah, it's weird. But yeah, so it's, and so that's why like, when you identify the people that like,

Justin Gardner (@rhynorater) (02:06:53.275)
What the frick kind of proverb is that? Ride on a sandwich?

Joel Margolis (teknogeek) (02:06:56.137)
riding on a sandwich

Justin Gardner (@rhynorater) (02:07:01.208)
What the frick?

Joel Margolis (teknogeek) (02:07:05.312)
That's awesome. Yeah.

frans (02:07:13.37)
kind of align with you on those things, it becomes so much easier to like collaborate and like just focus on the fun stuff, which is the hacking part and try to find the best way to escalate the bug.

Joel Margolis (teknogeek) (02:07:28.27)
I mean, that's one of the things I really love about live hacking events is that I find that more often than not, any random person at a live hacking event that I walk up to, I'm able to almost like jump the line and get to a communication level that like, it's very hard to establish with other people just out of the gate. And part of that I think is just that like, we all have a similar kind of technical background. We all have a very common like base of knowledge about like web security or just even just security in general.

and the types of bugs and stuff. And if you can get past that and just start talking immediately about technical problems and being on the same page, that helps so much with actually making progress with bugs. I see this all the time when me and Justin co-hack, essentially, where we'll sit down at a live hacking event and maybe one of us will drive and the other one's just really just sitting there looking, seeing. And the communication, we don't even speak in sentences. It's just like, he'll be like,

frans (02:08:22.734)
Yeah, yeah, exactly.

Joel Margolis (teknogeek) (02:08:26.562)
doing X, Y, like, and we don't even, like, we kind of just, like, we're looking at the same thing, we're consuming the same thing, we can kind of jump through communication, almost in shortcuts, and I really love being able to do that. When you get to, like, more and more people, that starts to fall apart and it becomes less scalable. I think probably the most you can do that with is maybe, like, four people, where you have four people, like, sort of huddled around, like, throwing ideas before you start to run into communication problems, not even just, like, the, like, barrier to...

frans (02:08:43.707)
I agree.

Joel Margolis (teknogeek) (02:08:55.106)
to communication, but just like too many people are talking at the same time or like there's too many ideas running around.

frans (02:08:58.583)
Yeah.

Justin Gardner (@rhynorater) (02:08:59.936)
Yeah, or there's too many perspectives where it's like we're not, you know, like we're never really going down a full path because somebody, you know, if three people think one thing and the other person's like, wow, but like, you know, what about this thing? And then you get sidetracked. So it definitely does work best with two, I think.

frans (02:09:03.162)
Yeah. We're not going... Yeah.

frans (02:09:12.306)
Hmm. Yeah.

Yeah, for sure. And the times we've been four, it has naturally become pairs. So you have two and two. That is very much aligned. And we have done some live hacking events for people. But sometimes also, you need to be prepared to have very tough discussions. If it goes well, you need to have tough discussions on, hey, guys.

Justin Gardner (@rhynorater) (02:09:28.864)
Yeah.

Justin Gardner (@rhynorater) (02:09:41.195)
Yeah.

frans (02:09:45.13)
me and X put in a little bit more time than you guys. Are you all fine with us getting a larger percentage of whatever it is? And those kinds of discussions. And if you can't have those, or if they turn ugly, then it's going to be a really hard time to collaborate in the future. But if you can have those great ones, then it doesn't hurt.

Justin Gardner (@rhynorater) (02:09:49.109)
Yeah.

Justin Gardner (@rhynorater) (02:09:54.58)
Yeah.

Justin Gardner (@rhynorater) (02:10:04.307)
Yeah. I just... You...

Justin Gardner (@rhynorater) (02:10:10.795)
The reason I bring this topic up often on the podcast is because I want people to be aware of the fact that there are some sticky situations you can get into with this, right? And so anyone going into collaboration needs to know that there's risk and there's reward. And you need to be ready to have these conversations. And here's the other thing. A lot of people will take the high road and say like, you know, it's just money, it's not a big deal. But I've found that those people will harbor resentment.

frans (02:10:17.678)
Absolutely, yeah.

frans (02:10:40.222)
Mm-hmm. Yeah.

Justin Gardner (@rhynorater) (02:10:40.751)
They'll leave that resentment in their heart, right? And that's not exactly, sometimes without knowing. And that's not helpful for the community, you know? And so, yeah.

frans (02:10:44.414)
Sure, yeah. Sometimes without knowing even.

frans (02:10:51.782)
No, no, I think it's absolutely important to like, if you can feel that you dare to have that discussions with the people you collaborate with, that's a really good situation to be in. Because if you feel that you can't take that up, then maybe you should, I don't know, then it becomes like, if you feel that like, I will put that back even personally, like I will avoid not saying anything, even though I feel bad. Like...

Justin Gardner (@rhynorater) (02:11:04.106)
Yeah.

Justin Gardner (@rhynorater) (02:11:11.755)
Totally agree.

frans (02:11:20.418)
As you said, you would feel bad going forward. It's much better to ease it up and say, hey guys, I put in a lot of time in this, and so did he or something. Can we do something about it? And let them see what they are suggesting, or maybe they are saying, yeah, we 100% agree. Then, okay, then you can align that, and then everybody's happy. You don't really have these problems when you don't find bugs, though.

Justin Gardner (@rhynorater) (02:11:39.467)
Mm.

Justin Gardner (@rhynorater) (02:11:50.003)
Yeah, that's true. These are good problems to have, yeah.

frans (02:11:51.363)
These are like the happy problems. Yeah, it's good problems to have and it's really good to train yourself to have those discussions because you might get stepped on if not and that's not a great feeling to have either. So I know some people are like trying to measure how much work they put in compared to each other and stuff but I don't think that's a good way either. It's just gonna get dirty. But...

Justin Gardner (@rhynorater) (02:12:14.452)
Yeah, I agree.

frans (02:12:17.386)
I think it's all around finding the people that you know are putting in the time. You need to try, right? You need to try with people and collaborate. Sometimes you find those matches. Me and Shubs hadn't collaborated, but we did last year for the first time. After that, we've been collaborating maybe once a month, sometimes more. It's so easy to do it together. And also him in Australia.

Justin Gardner (@rhynorater) (02:12:24.19)
Uh-uh.

Justin Gardner (@rhynorater) (02:12:34.451)
Mm.

Justin Gardner (@rhynorater) (02:12:38.482)
Mm. Yeah.

frans (02:12:45.306)
Like I have a bug, I go to bed, I write to him before I go to bed like this is what I found. I wake up and he's like, I found it. And it's like, this is magic. Like this is such a good collaboration. And turn the high into a crit just because like he found something I didn't. And that's just the power of collaboration. Me and Mattias do that every single day. So it's such a great thing to be able to utilize.

Justin Gardner (@rhynorater) (02:12:51.137)
Yeah.

Justin Gardner (@rhynorater) (02:13:01.599)
Yeah.

Joel Margolis (teknogeek) (02:13:14.39)
Yeah, yeah, I love that about collaborating. Like often when I find somebody who's who I collaborate with really well together, it's not like it's not so much like I don't really think about who's found what bug or like how should this be balanced? It's like usually if it's going really well, it's that we're both frustrated about like the same things and maybe like one person finds something that's really critical. But it's never like.

just like by themselves, like in a corner, like you two have both been putting in like a lot of the same amount of brain effort. And for me, that's what really matters is like, like what you said in your slide is like, find somebody who contributes like a similar amount of like effort and, you know, time and that kind of stuff, because it's not really like how many bugs they're finding. It's like, are you on the same page? Are you both engaged at the same level? Like, does it feel like we're both putting in the same amount of energy? Because that combined energy will get

frans (02:13:42.518)
Yeah, absolutely.

Justin Gardner (@rhynorater) (02:13:43.866)
Mm.

frans (02:13:50.254)
Yes. Yeah.

frans (02:14:00.605)
Yes.

Justin Gardner (@rhynorater) (02:14:03.261)
Yeah.

Joel Margolis (teknogeek) (02:14:06.538)
Satisfying outputs for both people even if you didn't like to find the exact payload or whatever like you were there the whole time

frans (02:14:08.218)
Yes, absolutely.

Yes, yeah, exactly. And that's exactly 100% that. And also, like, I think with the whole collaboration thing, I mean, sometimes it's like the wins you do together is it's like they last much longer than winning yourself, like they do. And it's not it's absolutely not only money mattering. Like it's actually like we did this together. We we

Justin Gardner (@rhynorater) (02:14:14.015)
100%.

Justin Gardner (@rhynorater) (02:14:28.68)
Yeah.

frans (02:14:38.938)
We spent this time to like we did all these things and that win is like so much bigger than doing it yourself

Justin Gardner (@rhynorater) (02:14:45.887)
Yeah, for sure. You know, Joel, one of the most foremost times that we collaborated together, that we did a full split collab, that is one of my favorite live hacking events I've ever done. And I think I was asked recently in an interview, what's your favorite hacking memory? The time that shell popped was my favorite hacking memory. So.

Joel Margolis (teknogeek) (02:15:07.796)
Absolutely.

frans (02:15:08.098)
I think I remember this event to be honest. You guys were similarly tired. Yeah, on that event.

Justin Gardner (@rhynorater) (02:15:09.851)
Yeah, it's amazing.

Joel Margolis (teknogeek) (02:15:10.987)
Yeah, yeah.

Justin Gardner (@rhynorater) (02:15:17.439)
Heck yeah we were. Okay, so the "Middleware everywhere and lots of misconfigurations to fix" blog post, phenomenal, I think we're gonna skip it for now. We talked a little bit about it when we were talking about the service worker stuff and we're gonna jump right to "Account hijacking using dirty dancing in sign-in OAuth flows". Wanna get in some technical details here. First, I just gotta say, I love this concept of

Joel Margolis (teknogeek) (02:15:18.071)
Yeah, yeah.

Justin Gardner (@rhynorater) (02:15:46.859)
breaking the state intentionally, right, in the OAuth flow. Could you give us, talk a little bit about that technique and why that's so helpful, because I freaking love it.

frans (02:15:49.164)
Mm, yeah.

frans (02:15:58.274)
Yeah, so to be honest, when I found that it was a technique, I kind of like, yeah, obviously it is. But I also realized like, there's not that many things other than postMessage that would be relevant for doing that or doing so, because there's not that much things other than postMessage today that might leak your full URL. So the whole thing with OAuth breaking the state intentionally is basically that

Justin Gardner (@rhynorater) (02:16:16.136)
Yeah.

frans (02:16:27.738)
you often have this state parameter where combined with the code that you're getting back. And the whole idea with the state parameter is that it's first initiated by the website that you're trying to sign into. And then the state parameter basically just gets sent through the OAuth dance and then comes back identical to what you send it, the website sent it as. And if it's matching, then it will go through the OAuth flow. So.

It's a fully, the whole mitigation factor here is that if the website itself decides on a state specifically for this user, it can set the cookie or whatever to make sure that it's the same state that comes back. It's actually a mitigation to prevent, you know, somebody to send you a link and get you to connect to their attacker account or, you know, a bunch of other CSRFish.

attacks with OAuth. But the funny thing is that the whole implementation of validating the state is happening before you acquire the code, which is like the best thing for the attacker. If you can leak through your URL, if you can get the victim to use your state instead, because then you can just take everything. The code will never be used because the validation of state is before and then you can take it and rerun the same code and it will work. So it's like

Justin Gardner (@rhynorater) (02:17:45.963)
It's gonna fail, yeah?

Justin Gardner (@rhynorater) (02:17:50.567)
And you know the original state because you generated the original state. Yeah. So, so the concept here is you've got an attacker. He's positioned in such a way that he can redirect a victim somewhere. So yeah, or send a link to them. Yeah. And, and, um, so they, they generate an OAuth flow URL that has a state that only the attacker knows, right? And he gives it a different state to the victim. When the victim goes through.

frans (02:17:53.306)
Yeah, yeah, yeah. I regenerated it and sent it to the victim. So...

frans (02:18:02.731)
Send a link to it and send a link to the victim. Yeah

Justin Gardner (@rhynorater) (02:18:18.435)
and tries to even maybe exchange that code plus the state for an auth token once it bounces back from the auth provider, that will fail because the state does not match the internal state. But, and then the code is just sitting in the fragment. And then you can go and get that code and exchange that code plus the state that you know for the, and I've actually seen some scenarios with this where when the auth flow fails, it will redirect to a different location, right?

frans (02:18:33.126)
Yes.

frans (02:18:38.566)
Yes.

frans (02:18:47.054)
Yes. Yeah. Well, start site, for example. Yeah.

Justin Gardner (@rhynorater) (02:18:47.567)
And that can expose you, exactly, that can expose that data to more risks, which is RAD.

frans (02:18:53.998)
attack surface. Yes. Yeah. And the funny part with the whole state thing is also like you don't oftentimes you don't because there's a difference between if you get a code back in the OAuth flow, you need to get the code to convert into an access token. And most often you need to provide what redirect URI that was being used. And if that redirect is differing from the redirect URI that was actually being used in the OAuth dance, you might not get the access token.

But breaking the state is like you're ending up on the correct redirect URI. It's there's like that validation is just like completely avoided because the same redirect URI, you will end up on the same correct place. And, and, but, but the state is the only thing that's breaking it. So it's, it's actually like one of the reasons why some of the parts are automatable when it comes to dirty dancing gadgets and things, because

Justin Gardner (@rhynorater) (02:19:27.008)
Yeah.

Justin Gardner (@rhynorater) (02:19:40.295)
It's awesome.

Justin Gardner (@rhynorater) (02:19:46.088)
Yeah.

frans (02:19:50.426)
What you can do is like, you can figure out if there are listeners when you're intentionally like changing the state in a login flow, if there are listeners somewhere in that, you know, coming back on the error page, you can like easily figure out that something is, is there for investigation.

Justin Gardner (@rhynorater) (02:19:57.748)
Yeah.

Justin Gardner (@rhynorater) (02:20:06.708)
That's awesome. So the only other thing I wanted to ask about this one, we already mentioned before how it really shows the ups and downs of research. Excuse me.

Joel Margolis (teknogeek) (02:20:23.124)
We almost avoided all the coughing for Justin

frans (02:20:23.259)
Godspeed. Yeah.

Justin Gardner (@rhynorater) (02:20:27.519)
Whew, man, got a little cold. Yeah, so we talked about the ups and downs of doing the research in this article, which is phenomenal. The other piece that I wanted to talk about was subbing the response type, to token slash ID token, or ID token, versus code, and how that affects how the redirect URI is used. Could you talk a little bit about that?

frans (02:20:50.718)
Sure, I mean, the concept I found was that there are certain transfer mechanisms that the OAuth specification tells you to use depending on what type of data the OAuth provider is sending back to the website. What that means is basically like, for example, if you want to get back an access token, the access token is never supposed to be sent as a query parameter. It's actually supposed to be sent as a fragment.

part of the URL. And the reason for that is basically that it doesn't show up in access logs on the website. You can still reach it with JavaScript. So the website can still get it, but it's not leaked to access logs or anything. The fragment stays on the client side and it's client side script that needs to fetch it. Same thing happens with ID token. ID token is like a little bit in between, but it tends to be more on the fragment side than

than on the query parameter side. But in addition to this, you have response modes. And some of the response modes will fail if you try, for example, to get like a token and you have a response mode query, sometimes response mode query is a thing, then you should be getting an error. You should, you couldn't get it through either through fragment or it's called web post or web message, I think.

which is like actually sending data over through postMessage. It all depends on the OAuth provider, what they've decided on being the response modes. Apple made up their own. There's also one called form post where it's submitting the access token as a post request to the website. And that one is, I think I mentioned it in the end as a potential exploitation factor because

Justin Gardner (@rhynorater) (02:22:38.58)
Wow.

Justin Gardner (@rhynorater) (02:22:46.016)
Yeah.

frans (02:22:47.134)
Google has, even though you have like really locked up redirect URIs on Google, you can still enable a mode with parameters that tells you that it should post the data as a post request. But then you can select whatever URL on the website you want, even subdomains.

Justin Gardner (@rhynorater) (02:23:10.143)
What?

frans (02:23:10.77)
So that one is ripe for exploitation, I think. I think that one is not supposed to work as it should. I mention it because I want it to be fixed and I do still think it's possible to utilize it. The thing I found with it though, it's like, it's really, there you can talk about stars being aligned because you need something that either reflects post data.

Justin Gardner (@rhynorater) (02:23:14.6)
Absolutely.

frans (02:23:37.082)
in a way that you can read it somewhere else through postMessage or whatever. So because post data you can't reach with JavaScript unless you reflect it. The other thing you might be able to do is like is there somewhere on this domain where you can get the post data to be read and I talked with one of the team in Google and he said on Google there is one. So you have scripts.google.com which is like a script gadget.

Justin Gardner (@rhynorater) (02:23:44.147)
Right, right.

Justin Gardner (@rhynorater) (02:24:03.088)
Oh, interesting.

frans (02:24:05.542)
There you can have a URL that can receive a post request and you can read the logs of it. That's basically it. But they don't have OAuth dance on their own website. So Google doesn't have it for Google. I haven't found an exploitable place that can be used to submit the post request where you can later on read it. But yes. Yeah.

Justin Gardner (@rhynorater) (02:24:10.175)
Wow.

Justin Gardner (@rhynorater) (02:24:25.847)
Dude, I gotta go reread that because that section seems so interesting. Joel, I know that this episode has gone long. Do you have to bounce right now? Okay, all right.

Joel Margolis (teknogeek) (02:24:35.17)
I do have to bounce. So I don't want to cut this short, but I'm going to let you, I'm going to have to hop on and listen to the rest of this because I have.

Justin Gardner (@rhynorater) (02:24:40.891)
Yeah, dude, you're gonna miss the rest of this, you know, a lot of stuff. But yeah, we'll definitely we'll talk about this more. And you can go back and review it afterwards because there's going to be some good stuff here I can tell already. So peace, Joel.

frans (02:24:43.782)
Wow.

Joel Margolis (teknogeek) (02:24:53.052)
Yeah, yeah, but yeah, it was awesome talking with you and hopefully you guys have a good rest of your conversation. All right.

frans (02:24:54.606)
Peace. Yeah, you too.

Justin Gardner (@rhynorater) (02:24:58.411)
Thanks, man. Yeah, no, that sounds nuts. And I think playing with those different types is really something that I haven't played around with too much and something that I wanna look into. Because the impact of that is massive too if you are able to leak those in any capacity. One thing that I was thinking about for the post-message thing is like, it's very rare, but if you could find a 307 open redirect as well, you could hit.

frans (02:24:59.549)
Thanks.

frans (02:25:11.707)
Yes.

frans (02:25:24.662)
Yeah, exactly. It's extremely rare. But it might be like misconfigurations in their load balancer kind of things. But 307s are hard. I'm collecting 307s, man. They're hard to find.

Justin Gardner (@rhynorater) (02:25:32.968)
Yeah.

Justin Gardner (@rhynorater) (02:25:37.807)
Yeah, if you could do that, or, you know, like, well, I guess most of the time, yeah, because you couldn't really do it with a, with a CRLF either. You'd really need, yeah, you really need a 307. It's tricky, man. It is. But that's, so, the redirect, so, you said sometimes different response types will have different places that they can redirect to. That's, like, is that accurate or no?

frans (02:25:50.734)
Yeah, yeah, it's super hard.

frans (02:26:07.49)
No, I mean, I would say that one is an exception, especially for Google. I would say that they are, in some sense, you're right. Because what happens with the web message or the postMessage response type or response mode is that then any page on that, because it needs to normalize the origin, right? So the origin turns into the domain.

Justin Gardner (@rhynorater) (02:26:32.331)
Sure.

frans (02:26:34.478)
And that means that any page on that origin can read the message sent by postMessage. So in a sense, yes, the redirect URI will change in that sense because it will just be any page on the origin getting that message. But there you also have an attack vector because there's a bunch of postMessage listeners that work as proxies.

Justin Gardner (@rhynorater) (02:26:51.813)
I'm not fully wrapping my head around that yet, I don't think so.

Justin Gardner (@rhynorater) (02:27:00.456)
Yeah.

frans (02:27:01.246)
What happens is that when they get a message, they will relay that message to an iframe, for example. So if you can chain the OAuth web message, posting a message to one of those relays, that just relays it to another iframe, and then you can find something on that origin of the iframe, then you can also find... like that's another sort of gadget, you could say.

Justin Gardner (@rhynorater) (02:27:27.711)
Wow.

frans (02:27:28.582)
But you still need to find something. Maybe it's a sound like the Reddit bug I had was quite similar. Yeah. So the Reddit bug was basically that they used the window name to transfer data over to their sandbox and the sandbox had a bunch of XSS. People knew about it like long before. You could literally run your own Google Analytics on it. So if I ran my Google, no, Google Tag Manager.

Justin Gardner (@rhynorater) (02:27:34.06)
Mm, I saw that one, yeah.

frans (02:27:56.49)
And if I ran my own Google Tag Manager, I could run script on their sandbox. But, but, but because they named the window with the payload, the payload was transferred down through window name, and then you can read the fragment through the window name.

Justin Gardner (@rhynorater) (02:28:09.959)
Wow, dude. Yeah, we mentioned a different one, a bug sort of similar to that. There was a report that came out on Pixiv's HackerOne program, which is essentially the vulnerability was the app allows you to specify your own Google Analytics token. And if you can do that, then you can leak all sorts of stuff. And with that, you could redirect the OAuth code to a page that was using that Google Analytics token, which would allow you to.

frans (02:28:26.85)
Yeah, yeah, I love that.

frans (02:28:31.314)
Yes.

frans (02:28:36.782)
Yes. Yeah. Through stats. Yeah. That's awesome.

Justin Gardner (@rhynorater) (02:28:38.835)
to leak the content. So there's all sorts of ways. Yeah, there's all sorts of ways that you can access that. Yeah, and I think this account, hijacking by dirty dancing one, it's a very long one, like you've mentioned. You like to do long write ups, but this is something I'm gonna go ahead and reread after this episode again, because there's so many pieces to this where, yeah.

frans (02:29:01.114)
Yeah, I mean the out of band things there, there are so many things that I've forgotten. Like that's not even, to be honest, it's not even postMessage. Like imagine just having a tracker service or something that you can leak that has some form of API somewhere else that you can leak data. So the out of band gadget is like, there's huge potential for research there because what happens if you...

Justin Gardner (@rhynorater) (02:29:12.543)
Mm.

frans (02:29:28.774)
Break the state, for example, you end up on the page, it sends it over to tracking service X and Y, but that tracking service has some form of, you know, history or whatever, not through postMessage or anything, but you can just utilize the same API key or whatever. Like there's so many things there that you might be able to exploit. Yes, just because that one could be sent so deep into something else somewhere, and you can pick it up. Those are the nice ones where you like,

Justin Gardner (@rhynorater) (02:29:45.683)
Yeah, lots of application level stuff as well that you can use.

frans (02:29:58.278)
You sent the victim over there. It does a bunch of things. And then you're sitting here polling an API and suddenly it shows up in an API, you know, a code or an access token and you can steal it from there. Those are the most beautiful ones.

Justin Gardner (@rhynorater) (02:30:09.959)
Yeah, this is the kind of, and the way you describe it as well, beautiful, that even shows a little bit more to the fact that, you know, these things, they take so much art, you know, and it kind of goes back to what we were talking about earlier of like, I want to find a bug that I'm proud of. And sometimes that takes time, you know, and so spending time looking at applications, like you said, sometimes it's three days, three or four days before you find a bug, and I think a lot of people newer to the industry would really stress out about that.

frans (02:30:22.65)
Yeah.

frans (02:30:28.966)
Yes.

Justin Gardner (@rhynorater) (02:30:39.551)
But if you put in the time and you really understand all of the fringe application logic, then you start to be able to chain together crazy stuff like leaking OAuth tokens via application functionality that, you know, logs stuff. So it's definitely cool to see. Last section that I wanted to talk about before I let you go, do you have time? I know we're over time. Okay, great. Was hacking plus parenthood.

frans (02:30:46.589)
Yes.

frans (02:30:51.334)
Yes.

frans (02:30:58.91)
Sure.

Justin Gardner (@rhynorater) (02:31:02.803)
So I wanted to, so you know, you mentioned before, sometimes you've got a week, a week and a half, and then you never know what that's gonna look like with kids. You know, I'm thinking about starting a family soon, and I'm a little bit worried about what it's gonna look like to do full-time bug bounty and have kids around. Do you normally hack from your home? Do you normally hack from the office? Do you have any general advice about bug bounty with kids? I know that that's a broad question.

frans (02:31:28.122)
Yeah, it's a broad question. It depends on the age of the kids, I guess. But I would say like this, I was lucky with my first kid being a really good sleeper. But so that helped me hacking a lot during nights. That was also in the time where I was like almost addicted to it. So I really had to, I wanted to put in that time.

Justin Gardner (@rhynorater) (02:31:40.671)
That's awesome.

Justin Gardner (@rhynorater) (02:31:50.732)
for sure.

Yeah.

frans (02:31:54.75)
And I invested almost like sleep hours just because I was like almost monomania kind of thing. But then I think with my second kid, which was not such a great sleeper, I kind of came to the point where I'm like, that was also when I was working, like working bug hunting and having two kids. And then I like I had to remove something.

Justin Gardner (@rhynorater) (02:31:57.718)
Yeah.

You had to, yeah. Yeah.

Justin Gardner (@rhynorater) (02:32:10.555)
Mm-hmm.

frans (02:32:25.054)
And it turned out to be work. No, the work went out the door actually. Because I felt that I really want to continue doing hacking and kids are going to stay. So I think one of the aspects of it was that it helped me. What happened then was that I replaced my working hours with hacking hours.

Justin Gardner (@rhynorater) (02:32:25.599)
So the kids went out the door. No.

Right, exactly.

Justin Gardner (@rhynorater) (02:32:38.345)
Right, right.

Justin Gardner (@rhynorater) (02:32:52.086)
Sure.

frans (02:32:52.57)
which has always been like, I've been scared about it because I felt like the funniest bugs I find is always 3 a.m. Like that has been a mantra to me that that's the way it is because my minds work in, you know, in a weird way during, during nights. Uh, so, but, but that has kind of shifted now when I'm going deep diving and because it's, you know, you're spending like five days on one specific functionality.

Justin Gardner (@rhynorater) (02:32:55.499)
Yeah.

Justin Gardner (@rhynorater) (02:32:59.657)
Yeah.

Justin Gardner (@rhynorater) (02:33:03.083)
Yeah.

Justin Gardner (@rhynorater) (02:33:08.479)
Yeah.

Justin Gardner (@rhynorater) (02:33:14.365)
Mmm.

frans (02:33:20.686)
It doesn't really matter if it's happening on night and day because you're getting into that zone regardless during those hours. Are you sure? Probably. Yeah, I guess. Yeah.

Justin Gardner (@rhynorater) (02:33:27.319)
seems like there's some maturing that's happening here. You know, like in the beginning, I very much had the same experience where I was like, wow, I'm very addicted to this. And I would easily say, okay, let me not go to bed and let me go and hack, you know? And I feel like that was pretty, and it did get great results, but I think it was unsustainable for me in some capacity.

frans (02:33:42.671)
Yeah, yeah, yeah.

frans (02:33:50.17)
Yes.

Justin Gardner (@rhynorater) (02:33:51.271)
And so I think as you kind of grow as a bug bounty hunter and you figure out, you know, hey, maybe there are different options for this, it becomes a little bit more sustainable. Would you agree with that?

frans (02:33:58.81)
Yes, yeah, I agree. And I think, to be honest, like I still have this thing where I'm like, oh, I need to continue this. But what I've realized also is like, the worst thing that can happen is that I stop hacking at the time where I don't have anything to continue with. That feeling is the worst because it makes it really hard to start doing it again because you're like, where should I go? Where should I go? So I realized like the best way, the best place I am

Justin Gardner (@rhynorater) (02:34:05.863)
Yeah, yeah, yeah.

Justin Gardner (@rhynorater) (02:34:18.773)
Mm-hmm.

Justin Gardner (@rhynorater) (02:34:22.227)
Ah!

That's a great, wow.

frans (02:34:28.714)
is where I'm like, oh my God, and then I'm like, closing down the computer. And I'm like, oh, like the day after, I will wake up the earliest, I will go like do all the chores, everything, and then I go back to it compared to like, I'm empty now. And it's like, yeah, yeah. Yeah. Of all the things you said, yeah, yeah.

Justin Gardner (@rhynorater) (02:34:30.791)
Yeah. Dude.

Justin Gardner (@rhynorater) (02:34:40.832)
What?

Dude, what an amazing tip. That is something that I've never, out of all the things you've said this time, I feel like this little tidbit is kinda crazy because that's so counterintuitive to me. No, I wouldn't wanna give up, right, as I'm, or stop right as I'm about to find something, but if you do, you're so motivated to come back. And everything else just kinda seems to, it becomes so much easier to do, like the chores or the waking up early, because as soon as your eyes open in the morning, you're like, wait.

frans (02:34:56.122)
Yes, exactly. Yeah, yeah.

frans (02:35:03.93)
Yes, yes, yes.

Yes. Yeah, yeah, exactly.

Justin Gardner (@rhynorater) (02:35:13.447)
I gotta try it, you know? And so that's amazing.

frans (02:35:13.754)
Yeah, yes. And then you get like, so I really wanna, I always wanna find the place where I'm like, I mean, I understand like if you're in the middle of like popping a shell, like you probably can't stop. But yeah, but suddenly like you see an error message that stands out or something like, ooh, like that's when I close my computer. That's when, because I'm like, okay, I have something for tomorrow.

Justin Gardner (@rhynorater) (02:35:26.619)
Oh yeah, plus there's dupes and stuff like that too, you know.

Justin Gardner (@rhynorater) (02:35:35.825)
Yeah.

frans (02:35:40.118)
It's almost like it's night here. I will focus on something else, but there is something here. And I have a huge attack surface tomorrow that I can, you know, squeeze and fiddle around with. But so it's a very short amount of time where I have the ability to like stop doing it because I can continue. And I will get to a point where I'm like, it's 5 a.m. and I'm going to, you know, take the kids to school and I'm going to be terrible tomorrow.

Justin Gardner (@rhynorater) (02:35:59.348)
Yeah, yeah.

Justin Gardner (@rhynorater) (02:36:05.684)
Yeah.

frans (02:36:08.366)
And I've been there a hundred times, but I've realized also like it takes time to realize that, okay, I have a short time spent here where I'm like, okay, I can get a good amount of sleep, but I will have some really fun days tomorrow or fun hours tomorrow to play with. But it takes practice, I would say. Yeah, for sure.

Justin Gardner (@rhynorater) (02:36:22.987)
Wow, dude, that's amazing.

It takes practice and it takes self-control and it takes discipline, you know? And like, the longer and longer I'm in this industry, you kind of see how all of this sort of becomes an art. Managing your creativity and your, you know, motivation. Yeah, and so any techniques like this which can allow you to maintain that creative...

frans (02:36:46.318)
Yeah, yeah, it's similar to painting, I guess. Yeah.

Justin Gardner (@rhynorater) (02:36:58.163)
That creative energy, that creative motivation, very important. I think, Frans, dude, this has been an amazing podcast. Thank you so much for coming on here and sharing all the wisdom which you've had over the years of doing bug bounty. Do you have anything you want to shout out or any socials you want us to advertise at the end of this?

frans (02:37:00.676)
Yeah.

frans (02:37:06.927)
Yeah, thank you.

frans (02:37:17.462)
No, I mean shout out to my collaborators that I often collaborate with. Kjöps, Avlid Inbrunn, Fredrik sitting in the office behind me. I'm having fun. Peter as well, a new collaborator. I haven't done anything. P4FG. That was a great collab. Zayat, we're always poking at each other as well, so shout out.

Justin Gardner (@rhynorater) (02:37:21.972)
Yeah.

Justin Gardner (@rhynorater) (02:37:25.268)
Mm.

Justin Gardner (@rhynorater) (02:37:29.236)
Sure.

Justin Gardner (@rhynorater) (02:37:33.768)
Yeah.

Justin Gardner (@rhynorater) (02:37:37.351)
Yeah, dude. Awesome.

Justin Gardner (@rhynorater) (02:37:42.219)
That's, yeah.

I'm gonna stop you there because I know the experience of like, you know, you're trying to think about like, ah, I gotta think of all these people. Yeah, but I'm sure there are many more you could list, but yeah, Franz Rosen everybody. You can find him on Twitter, pretty much everywhere as Franz Rosen, just write out the name. And then definitely, we're gonna link down into the description all the Detectify blogs and stuff like that which contain all the awesome content from.

frans (02:37:47.426)
Yeah, I have so many. I can continue. Yeah, I forgot about...

Justin Gardner (@rhynorater) (02:38:13.94)
this episode in more depth. So Frans, thank you so much, man. Bye.

frans (02:38:17.508)
Thank you. Bye.