June 27, 2024

Episode 77: Bug Bounty Mental - Practical Tips for Staying Sharp & Motivated

Critical Thinking - Bug Bounty Podcast

Episode 77: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin discuss some fresh writeups including some MongoDB injections, ORMs, and exploits in Kakao and iOS before pivoting into a conversation about staying motivated and avoiding burnout while hunting.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Resources:

MongoDB NoSQL Injection

https://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/

Mongo DB Is Web Scale

https://www.youtube.com/watch?v=b2F-DItXtZs

1-click Exploit in Kakao

https://stulle123.github.io/posts/kakaotalk-account-takeover/

Unsecure time-based secret and Sandwich Attack

https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html

Reset Tolkien

https://github.com/AethliosIK/reset-tolkien

iOS URL Scheme Hijacking Revamped

https://evanconnelly.github.io/post/ios-oauth/

PLORMBING YOUR DJANGO ORM

https://www.elttam.com/blog/plormbing-your-django-orm/#content

Timestamps:

(00:00:00) Introduction

(00:02:07) MongoDB NoSQL Injection

(00:12:42) 1-click Exploit in Kakao

(00:33:21) Time-based secrets and Reset Tolkien

(00:39:26) iOS URL Scheme Hijacking Revamped

(00:51:42) ORMs

(00:58:57) Community Bug Submission

(01:07:45) Motivation, Mental Sharpness, and Burnout avoidance

Transcript

Joel Margolis (teknogeek) (00:00.318)
All right. I've had a thought while I was sitting on the toilet. So, you know, I was just thinking like the bathroom, definitely one of the most.

Justin Gardner (@rhynorater) (00:04.59)
Great, thank you. Thank you for starting the episode that way. That's lovely.

Joel Margolis (teknogeek) (00:17.214)
like

Justin Gardner (@rhynorater) (00:21.07)
Hahaha

Joel Margolis (teknogeek) (00:21.278)
What's the word I'm looking for? Looked under a microscope? Like scrutinized? Yeah, most scrutinized part of the house, you know? Because you're just sitting there, you're just looking at it. There's this tile's missing grout. There's this wall, you know? You're just staring.

Justin Gardner (@rhynorater) (00:25.038)
You're diced?

Justin Gardner (@rhynorater) (00:35.502)
Yeah. If there's a place for perfection in the house, it's the bathroom, I think. Just for perfectionism. No.

Joel Margolis (teknogeek) (00:42.046)
True. Anyways, that was just, that was the thought I had.

Justin Gardner (@rhynorater) (00:47.438)
Well, thank you for starting this podcast on information security and hacking out with an analysis of what parts of the house are most scrutinized. Love that.

Joel Margolis (teknogeek) (00:56.926)
Listen, I'm just saying with our backgrounds, we could very easily do at least one whole episode about construction.

Justin Gardner (@rhynorater) (01:04.526)
Dude, we absolutely could, we absolutely could. That's gonna have to be a Critical Thinkers exclusive, I think, episode of me and you just yapping about real estate and construction. All right, man, we don't have time to play today. There is an absolute onslaught of awesome research that got published in the news for this week, so let's hit the ground running with that. And of course, we have to start with our man, Soroush.

Joel Margolis (teknogeek) (01:10.654)
Yeah. Yeah. Renovation and all that. Yeah, absolutely.

Joel Margolis (teknogeek) (01:31.486)
course.

Justin Gardner (@rhynorater) (01:31.95)
Yeah, I think there was some thread too that he's like, man, I've got this like thing that I need to write up and like, I just don't really want to do it. And then it was like a comment under something and then that comment like ratioed and blew up. It was like, Soroush, write it up, please, please write it up. And I think this is the result of that. So way to go, Soroush, for actually getting the blog posted. I know how difficult that is to stay on top of all that stuff. Yeah, we have, we all have been there.

Joel Margolis (teknogeek) (01:56.606)
Absolutely, we've all been there.

Justin Gardner (@rhynorater) (02:01.326)
And okay, so you've got the next one, so I'll go ahead and take this one. This one is a blog by Soroush, and it is a MongoDB NoSQL injection sort of technique that he's releasing. And essentially, it's describing a scenario where you have a NoSQL injection into a collection, which is like a table in NoSQL, that is not really...

Joel Margolis (teknogeek) (02:24.862)
I appreciate you translating this for us normies, because even I am not like a MongoDB aficionado. I've used it maybe like two or three times in the last 10 years from a development perspective, and I rarely ever hack on it. So it's just one of those things that having it in.

Justin Gardner (@rhynorater) (02:28.046)
Yeah.

Justin Gardner (@rhynorater) (02:40.622)
Yeah.

Justin Gardner (@rhynorater) (02:44.59)
It's an edge case, you know, technology. And I did actually use MongoDB for my recon system as my core database, which was like really not the right choice. And I discussed that for all of you.

Joel Margolis (teknogeek) (02:55.102)
interesting.

I will say every time I've used it, I have somewhat regretted it. NoSQL is one of those things that it's really good for certain things. I would say, I think, if you're doing O(1) type stuff where you know the key, then it's really quick for that. For storing documents where you're not trying to really filter, where SQL and MySQL and

Justin Gardner (@rhynorater) (03:04.942)
Dude.

Justin Gardner (@rhynorater) (03:15.982)
Mm-hmm.

Justin Gardner (@rhynorater) (03:20.654)
Mm. Mm.

Joel Margolis (teknogeek) (03:27.582)
that whole type of, yeah, relational, right? Like those are much better for like querying select star from blank where X is Y and Z, you know, like that type of querying is so much better in relational database than it is in a NoSQL database.

Justin Gardner (@rhynorater) (03:27.726)
Relational databases, yeah.

Justin Gardner (@rhynorater) (03:34.67)
Mm. Yeah.

Justin Gardner (@rhynorater) (03:42.769)
Would you say that relational databases are better at relationships?

Joel Margolis (teknogeek) (03:50.014)
They also have that advantage, right? There is that whole implicit thing with linked foreign keys and all that kind of stuff that I don't think that exists at all in NoSQL. And that does like, it's not necessary, right? You can build those relationships out yourself. You can store the same value in two fields or whatever. But again, it has to go through every single document because it's not stored in that way.

Justin Gardner (@rhynorater) (03:55.374)
Yeah.

Justin Gardner (@rhynorater) (04:14.669)
Yeah, it's definitely, it's definitely a different, a different approach. And it definitely was not the right choice for me from a. Yeah. Well, yeah, because at the end of the day, you're, you're, when you're doing like mass guilt recon, you're going to be doing a ton of writes and, and not a lot of reads, right? You're just going to be writing, writing, writing, writing, writing constantly. Right.

Joel Margolis (teknogeek) (04:20.222)
Was that the same reason why you regret? Yeah.

Justin Gardner (@rhynorater) (04:41.454)
because you're gonna be updating all these rows every second, you know? And so that was one of the things. It's just, Mongo doesn't scale super... Despite MongoDB being web scale, it doesn't do a bunch of writes like that super well in my experience. And there's lots of other stuff. We discussed it on the episode with Sean, Sean Yeo from Assetnote. I hope I'm pronouncing his name right.

Joel Margolis (teknogeek) (04:57.854)
The

Joel Margolis (teknogeek) (05:09.214)
I wonder if people know what we're talking about when we say MongoDB is web scale.

Justin Gardner (@rhynorater) (05:12.558)
Dude, we've definitely talked about it on the podcast before, but, all right, did we? I believe we did. Yeah.

Joel Margolis (teknogeek) (05:16.51)
I think we actually talked about it in the Sean Yeo episode. I think so. I'm gonna put a link. I'm copying it right now. I'm putting a link. Here's the video. It's in the description if you wanna watch it.

Justin Gardner (@rhynorater) (05:28.686)
Yeah, it will actually be in the description. So go check that out. Or maybe just like put the graphic up on the screen. Dude, it like opened up a little card in the dock and I just see that character's face and it just makes me laugh so much. Okay, Joel, let me explain the freaking write up, okay? So anyway, Soroush, no.

Joel Margolis (teknogeek) (05:38.366)
You just clicked it.

Joel Margolis (teknogeek) (05:50.686)
And now it's playing in the background. Okay. I did conclude. So I'm sorry.

Justin Gardner (@rhynorater) (05:54.798)
So Soroush mentions this way to deal with NoSQL injection. And essentially the scenario is you have a NoSQL injection in a public collection. So let's say for example, a products collection or something like that, I think was the one he used in the writeup. How can you pivot this to affect other collections when the collection is like sort of statically defined? And the way that he did this,

is he uses this whole feature of MongoDB called aggregates. Aggregates are ways to process these multiple documents and run various computations on them, get them into a specific format, filter them, that sort of thing. There's two ways to do this. You can use aggregate pipelines or you can use single purpose methods in MongoDB. Single purpose methods are pretty single purpose and not very useful for this. Aggregate pipelines are kind of

the way to go. And essentially what that allows you to do is use a bunch of different functionality to perform what would be the equivalent of like a union of sorts with other collections in the database. And.

Joel Margolis (teknogeek) (07:04.19)
Okay.

Joel Margolis (teknogeek) (07:10.27)
I'm scrolling through this blog as well and it looks like there also is like an actual union thing that you can do as well. Is that that separate from this or so these are all. OK.

Justin Gardner (@rhynorater) (07:15.566)
Yes. Yeah, no, no, no, that's the same thing. Yeah, so there's multiple, I don't actually know the technical term for these. They are...

essentially dollar sign operations. I don't know the technical term for them, but I'm going to call them functions for lack of a better term here. But there's $lookup, $unionWith, $replaceWith, and $merge. And those are the ones he highlights in the write up, which essentially allow you to do various operations within that aggregate pipeline. And that pipeline is an array of various operations that you want to perform.

on the given data set. So for example, if you use $lookup, it'll allow you to look up an object in a different collection and attach that to a specific field in the object that you're querying. And you can combine that with limit so that you only get one object back so you can query things very specifically.

Joel Margolis (teknogeek) (08:19.55)
Okay, so really quick. So I did a little Google search here. So the aggregation thing basically just takes a list of operations that it's expecting to do in order. And yeah, and so they're called aggregation operations. And there's a variety of them like $match, $group, you know, what was it? $lookup, et cetera, $unionWith, right.

Justin Gardner (@rhynorater) (08:26.414)
Mm-hmm. Maybe operations. Okay.

Justin Gardner (@rhynorater) (08:32.782)
That's right.

Mm-hmm.

Justin Gardner (@rhynorater) (08:40.942)
$unionWith, yeah, all those. Okay, that's right. I knew I had the name in there somewhere, aggregate operations, that's the one. And so essentially the whole concept here, the takeaway, if you didn't listen to all that rambling and Joel and I's back and forth, is that if you have a NoSQL injection, then you should absolutely be looking for ways to, even if the collection is limited, you should be looking for ways to use these aggregate pipelines to be able to,

reach into other collections and pull data out. And he includes a really helpful section in the blog post called how to identify if it's an aggregate in black box testing. So essentially if your NoSQL injection includes the ability to have aggregates. And essentially what he mentions here is that you should always look for anything that has like $match or $lookup in it or that sort of thing.

built into the application because that sort of indicates the use of these aggregate functionality. And I've absolutely seen these before in applications. So I had definitely missed something here. So be on the lookout for those and then also be on the lookout for an array that seems to be providing some sort of filtering because this would be pretty much where you would define an aggregate pipeline. So if an API request is taking in like a JSON array and there's some various

defining fields that are being pulled back or like operations, aggregate operations, like, like Joel mentioned, then that's kind of the indicator of like, okay, maybe I've got an aggregate and NoSQL injection that supports aggregates here.

Joel Margolis (teknogeek) (10:18.686)
Yeah, and it's one of those things that now that you know it, like you said, like you're thinking back and you're like, I've definitely seen some like dollar sign weird stuff in those requests. Like I probably missed some stuff. Make sure this is in your word list too, right? So that you can, you know, either hit some errors. Maybe you can, you know, as an exercise to the listener, go ahead and figure out some sort of query or some sort of parameter combination that will trigger an error with these aggregate.

Justin Gardner (@rhynorater) (10:23.918)
Mm-hmm.

Yeah.

Justin Gardner (@rhynorater) (10:32.974)
Yeah.

Justin Gardner (@rhynorater) (10:46.445)
Mm. Mm.

Joel Margolis (teknogeek) (10:47.166)
You know, call so that you can put that in your word list and you'll get a hit on your your fuzzes when you're going through and you'll know, OK, I need to poke at that further. That's probably, you know, a NoSQL injection.

Justin Gardner (@rhynorater) (10:56.782)
Yeah, that's a great point. Maybe there's some endpoints that sort of aren't using this function in the front end, but may have it in the back end and by fuzzing for parameters inside the JSON body or that sort of thing, you might be able to identify these. I know that that NoSQL is pretty JSON heavy, so I imagine you'll find this mostly in a JSON environment. Not to say that you won't find it outside of that, but you know, this is probably something that you're going to be brute forcing for in a JSON.

Joel Margolis (teknogeek) (11:06.75)
Yeah, yeah, like maybe an operation that doesn't exist or something. I don't know. Yeah.

Joel Margolis (teknogeek) (11:20.958)
That's good to know.

Justin Gardner (@rhynorater) (11:25.87)
environment.

Joel Margolis (teknogeek) (11:27.23)
Although I am thinking about all those grown bugs, like the show and tells type stuff where it's gonna be some NoSQL injection through a URL-form-encoded that nobody was anticipating.

Justin Gardner (@rhynorater) (11:32.814)
man.

Justin Gardner (@rhynorater) (11:38.414)
Yeah, it's like, man, yeah, I always hesitate even say stuff like that on the pod sometimes because it's like, okay, clearly this is true because of the way that things work. But also there's going to be some caveat and I don't know, maybe I shouldn't even say it, but no, at the end of the day, it's better for us to do sort of detection based hunting. Yeah. All right. What's this next one we got here?

Joel Margolis (teknogeek) (11:56.222)
Yeah, but generally speaking, yeah. Yeah, yeah.

Okay, so this is a really cool blog post that I don't know what the researcher's name is other than Stulle, S-T-U-L-L-E, 123. Did they link any socials anywhere? They did actually. D Schmid, Schmid. S-C-H-I-D-T, even not, I'm sorry. D Schmid,

Justin Gardner (@rhynorater) (12:17.454)
Not that I saw, but I'll try to hunt it down. did they? Nice.

Joel Margolis (teknogeek) (12:31.87)
815

has like 75 followers, make that 76, because I just followed them. Anyways, so they did a really cool blog post about a one click account takeover in a very large chat app in South Korea called Kakao Chat. So if anybody's ever been to Korea or knows anybody in Korea or friends in Korea or anything like that, you definitely know about this app. Kakao is like massive.

Justin Gardner (@rhynorater) (12:38.926)
Nice.

Joel Margolis (teknogeek) (13:03.486)
in Korea. They're like one of the largest sort of like technology companies, I'd say, but they're definitely more than just technology. They are in a lot of sectors. I think one thing that was really interesting when I went to Korea was two things. One, like the emphasis of local companies and local businesses. So like Google Maps barely works in Korea, but Kakao Maps made by the same company works great. Right. And so

Justin Gardner (@rhynorater) (13:09.006)
Mm.

Joel Margolis (teknogeek) (13:32.894)
You know, most of the cars that people drive, South Korean manufacturers, Hyundai, Kia, that kind of stuff. You don't see that to the same level at all in the US. Like people aren't like exclusively driving American cars. We drive tons of import cars. So you see Toyotas and Nissans everywhere. So it's very interesting. The emphasis that I noticed in Korea on like local companies.

Justin Gardner (@rhynorater) (13:42.766)
Hmm.

Justin Gardner (@rhynorater) (13:46.734)
Mm.

Justin Gardner (@rhynorater) (13:54.574)
So I've been waiting for my moment to now derail you, good sir, since you derailed me during the NoSQL. I got kinda nerd sniped by this, because this is, I pulled the Joel moment here, okay? So I was reading about this, and I didn't actually get but like, you know, a little bit into the blog, so I'm gonna rely on you to explain most of everything that happened here. But I got like two seconds into it, and it was like,

Joel Margolis (teknogeek) (14:02.59)
Okay. Okay.

Justin Gardner (@rhynorater) (14:23.982)
KakaoTalk, the biggest app in Korea. And I was like, wait a second, isn't Line Korean? Because I lived in Japan and everyone in Japan uses Line. It seems like, yeah. And so I was like, wait, okay, let me suss this out. And it actually looks like Line is actually gaining popularity in Korea now. But KakaoTalk is by far the leader there, which is pretty cool.

Joel Margolis (teknogeek) (14:35.454)
Line is also pretty big over there.

Joel Margolis (teknogeek) (14:45.118)
interesting.

Joel Margolis (teknogeek) (14:48.798)
Yeah. Like I have KakaoTalk on my phone because I have a friend who lives in Korea and that's how I talk with them. Yeah.

Justin Gardner (@rhynorater) (14:53.55)
Really? Wow, that's that's pretty rad. Yeah insane for Line, you know, I use that for all my Japanese friends but it made me also sort of think like As far as like all these different countries go they all have their all-in-one app, right Line does payments KakaoTalk does payments You said maps, you know, there's the all-in-one app for that country, right? China has like what is it like WeChat or something like that? Yeah, and so the US doesn't have one of those and I think Europe kind of does

Joel Margolis (teknogeek) (15:16.99)
WeChat, yep.

Justin Gardner (@rhynorater) (15:23.502)
like WeChat or something or what is it? WhatsApp, that's it.

Joel Margolis (teknogeek) (15:26.782)
WhatsApp. Yeah, primarily WhatsApp. So I think it's mostly a cultural thing, a cultural thing combined with

Justin Gardner (@rhynorater) (15:32.43)
Yeah.

Joel Margolis (teknogeek) (15:38.622)
probably a lot of like smaller factors like, you know, economic factors and stuff. But in the US you see primarily people either text, right? It's either text or it's iMessage. And then if it's not, it's one of the apps that the rest of the world also uses. Telegram, Signal, WhatsApp, or maybe one of the more niche ones. There are a couple like uses, so like Line.

Justin Gardner (@rhynorater) (15:49.326)
It's SMS. Yeah.

Mm-hmm.

Justin Gardner (@rhynorater) (16:04.942)
Messenger, Facebook Messenger.

Joel Margolis (teknogeek) (16:06.846)
Right, like Facebook Messenger, so like Line, like you almost never see somebody in the US using it unless they're talking to somebody in Asia, right? So it's kind of interesting that the US never like really adopted like a single chat app, but I think that's primarily because iMessage is very, very popular here. And one of the things that was pushed, at least in my memory, is that iMessage works over data. So it doesn't take

Justin Gardner (@rhynorater) (16:09.038)
Mm-hmm.

No. Right.

Justin Gardner (@rhynorater) (16:23.598)
Mm-mm.

Joel Margolis (teknogeek) (16:33.758)
international charges or anything like that. It works over Wi-Fi. So if you're on Wi-Fi or you have, you know, internet connectivity, it's not using like your SMM, like, you know, you used to pay per message and all that kind of stuff. And yeah, right. So I think that was a big reason why people were using WhatsApp in other countries was so that they could chat, you know, cross country without international texting fees and all that kind of stuff, especially with SMS. But

Justin Gardner (@rhynorater) (16:34.51)
Mm-hmm.

Justin Gardner (@rhynorater) (16:44.462)
Usage, yeah.

Justin Gardner (@rhynorater) (16:57.966)
Yeah. And with the US just being as huge as it is, I think the issue isn't there quite as much, but I also made me think like, this is something that I've heard Elon Musk talk about a little bit with X is that he kind of wants it to be the all-in-one app for the US you know, have payments, have chatting, have social media, that sort of thing. And, you know, I don't know if he's going to pull it off. It doesn't seem like it, at least they haven't moved.

towards that direction very substantially in the time that he's been running it. But the vision is there, right? That model is validated in lots of other countries. So it just kind of made me think like, hmm, X seems to be the only one that is actually really aggressively going after that. So maybe it'll happen.

Joel Margolis (teknogeek) (17:31.87)
Yeah.

Joel Margolis (teknogeek) (17:42.91)
Yeah, yeah, maybe it will happen. I don't know. It's interesting. I still find myself feeling that Twitter is like an extremely niche and becoming more niche social network where like the people who do use it are already like at a certain point in terms of like social connectivity, like, you know, random, you know, boomer is probably not like going and signing up for

Justin Gardner (@rhynorater) (17:56.718)
Mm.

Joel Margolis (teknogeek) (18:11.262)
Twitter today, you know what I mean? Like maybe they are, but I think it's more like younger people who are like hooked into social media already who are signing up as like Twitter users, more than like people who are like, let's see what's on Twitter today, you know what I mean? Like, but maybe I'm wrong about that, I don't know.

Justin Gardner (@rhynorater) (18:15.918)
Mm.

Justin Gardner (@rhynorater) (18:24.014)
Yeah, I don't know. That would definitely take more research. But I think just the fact that X has that vision is pretty cool. So I don't know. We'll see where it takes. I'm a big fan of X. I use it pretty regularly. It's my top social media. I get a lot of the stuff that we talk about on the podcast from X. So yeah, I don't know. Could be cool. All right, sorry. Back to your bug.

Joel Margolis (teknogeek) (18:46.142)
Yeah. Yes. Anyways, anyways. Okay. So Kakao. Kakao is a very large software company, company in general in Korea. Kakao Chat, very large, probably the most popular chat app in South Korea. So there was a really interesting chain of bugs that this researcher found. So essentially it started out with the fact that

there was a deep link that could be used to open somewhat arbitrary URLs and it had JavaScript enabled. So that's always interesting because JavaScript enabled means that you can potentially do an XSS. You have an XSS. So there are a couple different attack vectors, mainly JavaScript interfaces or potentially redirecting the user to an arbitrary URL. But even then you kind of need to chain that with something else.

And there were a couple other interesting things that they had noticed that you could use intent URIs, which I don't think is enabled by default. So that is a little odd. And I don't actually think that they ended up using that. So it was interesting. They called it out, but I don't think it was part of the final exploit. But it is pretty interesting thing to check for just to see if it's possible because as they noted, it would allow you to interact with non-exported

parts of the app via JavaScript through redirecting them to a URL. So it's an interesting attack vector. But basically what they found is that if you hit this specific URL scheme, it would open a set URL with something following the path. And so they tested a bunch of things. And one other thing that they noticed was that you could leak the auth

Justin Gardner (@rhynorater) (20:17.198)
Hmm, interesting, okay.

Joel Margolis (teknogeek) (20:42.846)
token to basically any URL.

Justin Gardner (@rhynorater) (20:43.726)
Okay, a set URL with something, so it's like one of those short URLs or one of those deep links.

Joel Margolis (teknogeek) (20:49.854)
Yeah, so like example://host. And then that would take you to like example.com/host/blank.

Justin Gardner (@rhynorater) (20:58.574)
Okay, okay, so it's allowing you to open up in the web views. It's allowing you to control somewhat what is being opened up in the web view. Okay.

Joel Margolis (teknogeek) (21:05.662)
Right, right, somewhat, yeah. So pretty interesting. And so they were like, all right, well, we have JavaScript functionality and we have this somewhat controllable URL. Like, let's see if we can do this. And there was a check function that they looked through and basically it was strict enough that they couldn't really find some way to bypass the parsing. So they would have to do...

essentially a secondary vulnerability like an open redirect or something like that. So sure enough, they find an open redirect on this subdomain specifically. So the way that this worked was it would actually take them to a subdomain with like a clean path. So the path wasn't set on the URL, it was just taking them to a specific subdomain with like arbitrary path. So they found a path underneath this host.

that would allow them to do an open redirect to any other host within that root domain. So, yeah, I don't need to talk so obfuscated here because it's all in the blog post. So let me try and clear it up. So basically, kakaotalk://buy takes you to buy.kakao.com/path, right? And then they found an open redirect under buy.kakao.com that would

Justin Gardner (@rhynorater) (22:08.846)
Okay, so this is like the semi -closed redirect that we were talking about with.

Justin Gardner (@rhynorater) (22:19.438)
Mm-hmm.

Mm-hmm. Mm-hmm.

Joel Margolis (teknogeek) (22:29.47)
take them to any kakao.com URL, allow them to redirect to any subdomain under kakao.com. So then they search even further. They're like, okay, so we can hit this deep link, we can use the open redirect on that subdomain to now go to any URL within the root domain. How do we escalate this? And one thing I mentioned, I don't know if I fully got through it, but

Justin Gardner (@rhynorater) (22:36.686)
of kakao.com. Okay.

Justin Gardner (@rhynorater) (22:52.526)
Mm.

Joel Margolis (teknogeek) (22:59.55)
they've noticed that the auth token gets set on every request. So it doesn't matter if they're specifically going to a Kakao domain, in that web view, if they request to any host, including an attacker control URL, that auth token gets sent as a header. So.

Justin Gardner (@rhynorater) (23:16.814)
Dude, this is something that I see fairly often in a mobile environment. I wonder why that is. Do you know why they, like, it's just some, when I think about it from like a web perspective, I'm like, okay, there's like some sort of service worker sitting in place there just adding the auth header to every single request. Is that something you see pretty often in mobile?

Joel Margolis (teknogeek) (23:35.902)
Yeah, so one of the things I actually covered this a little bit in the recent SSL unpinning master class that I did, but Retrofit is a very popular Android like request library. And I think it's a good example for this because it has this concept of interceptors and basically an interceptor runs on every single request that goes through the request factory and it'll add headers, check various things, whatever, add auth, all that kind of stuff. So what's

Justin Gardner (@rhynorater) (23:42.35)
Mm-mm.

Joel Margolis (teknogeek) (24:03.87)
My guess is what is happening is that they just have a generic interceptor that adds auth to every single request because the assumption is it's never gonna be possible to hit any URL that's attacker controlled. So it's not even like on their radar, but all it takes is some crafty work here and now you can figure out how to get, right? Because they weren't expecting, there's an open redirect somewhere else on this subdomain, right?

Justin Gardner (@rhynorater) (24:27.214)
Mm.

Justin Gardner (@rhynorater) (24:30.702)
limited domain.

Joel Margolis (teknogeek) (24:33.694)
So with that open redirect, they can get to any root domain. They keep digging. They do some Google dorking and they find, I found this very interesting. They found a DOM invader canary that was like cached by Google. And they were like, that looks like, that looks like a DOM invader canary. So they, it ended up being an XSS. It's like a DOM XSS or like a stored XSS.

Justin Gardner (@rhynorater) (25:00.398)
man.

Joel Margolis (teknogeek) (25:00.574)
that like popped an alert and they're like, okay, actually I think it might, well, I guess it's a DOM XSS, I don't know, they call this, they call it a stored, but I think it's DOM XSS. Anyways, so they keep digging, they keep digging. They find another endpoint where this search parameter or whatever is getting passed in and they get another DOM XSS basically. So they find a bypass on a different endpoint and get a functional,

Justin Gardner (@rhynorater) (25:05.422)
Yeah, I think it's a DOM XSS, yeah.

Joel Margolis (teknogeek) (25:29.822)
DOM XSS on this separate subdomain. It's, what is it, shoppinghow.kakao.com. So now, they have an XSS on a different subdomain, and they have a way to redirect to that subdomain, and they have a way to open that redirect through a deep link. So, what you would do is, as an attacker, or the victim or whatever, you send them a link through the chat, and they click on that link, and

that link.

is a deep link that opens the buy, you know, kakaotalk://buy that redirects everything after that to the open redirect, which then triggers the open redirect goes to a different subdomain, which pops the XSS, which then open uses that JavaScript execution to send them to an attacker controlled URL, which then loads the attacker controlled page with your auth token being sent automatically.

Justin Gardner (@rhynorater) (26:10.606)
Mm-hmm.

Joel Margolis (teknogeek) (26:34.334)
And now the attacker has your, your auth and it's one click ATO.

Justin Gardner (@rhynorater) (26:37.454)
wow, dude, that is quite a flow. So deep link to open redirect to XSS, which is essentially just a client-side open redirect in this scenario. And then, which is fine because JavaScript is set to enabled in the web view. And then it redirects to an attacker-controlled domain, which is where that piece you mentioned where the auth header gets added to every request comes in and you just snag the victim's auth token.

Joel Margolis (teknogeek) (27:05.374)
Right. It's basically like a limited redirect to an open redirect to an ATO because the first one only lets you go to domains within kakao.com, but then by pivoting that to an XSS, you use the XSS to actually just set the target URL. Like they're literally just setting, you know, like document.location. Yeah, exactly. So it's not like anything crazy. They're just sending them to the attacker-controlled URL because the

Justin Gardner (@rhynorater) (27:22.894)
Hmm. document.location.

Joel Margolis (teknogeek) (27:33.438)
attack vector is that the token gets set as like a header automatically. So all they need to do is load the URL.

Justin Gardner (@rhynorater) (27:35.73)
Wow.

Wow. Dude, that's pretty freaking sick. This is a great example of a mobile attack chain that...

Joel Margolis (teknogeek) (27:45.726)
Yeah, well, I was going to say like, you know, a lot of the times like, you know, you get very caught up in like the weeds on like, you know, trying to find a JavaScript interface or something. But sometimes it's the very simple behavior like this, like setting the auth token on every request. And one thing that I liked is that they included a way for you to test this where well, most of the way to test this, I have a, I have a little Frida gadget that I love that I use all the time that globally sets all web views to be debuggable.

Justin Gardner (@rhynorater) (28:10.702)
Mm.

Joel Margolis (teknogeek) (28:15.838)
And if I notice that something has a web view, one of the first things I do is I run that script so that I can use the Chrome inspect tool to attach to it and check stuff like this. One of the things you can do is you can literally just open the console in the Chrome inspect on the device and you do document.location equals attacker-url.com and then you check the request and you see, did it send a token anywhere? And if it did, then you go, okay, now

Justin Gardner (@rhynorater) (28:23.758)
Mm, mm.

Joel Margolis (teknogeek) (28:43.613)
You're looking for open redirects. You're looking for arbitrary URL, like arbitrary URL opens, like that kind of stuff, because all you need to do is load one attacker-controlled page and it's ATO.

Justin Gardner (@rhynorater) (28:54.734)
Hmm. The, the, another takeaway for me here is that any deep link that results that interacts with a web view or controls the destination that web view will be sent to is extremely interesting and should be very thoroughly vetted because anytime you can control that sort of thing. Once again, we're just weaponizing redirects and we're getting gadgets in our pocket that we can use in full attack chains. And, and I think, I think we mentioned this last episode or the episode before, but I think there's a lot to be said for.

going and finding the gadget that you need. Like, I think oftentimes as we start looking for gadgets, there's like a couple levels of that and it's like, yeah, identify a gadget, great, I'll have it in my pocket and I'll use it whenever I find, you know, just happen to stumble upon the other piece that I need. But then the next level is like, okay, I've got this gadget, how can I force this gadget to work, right? And you go and you find the open redirect. You don't just give up on the closed redirect or whatever, or semi-open redirect.

Joel Margolis (teknogeek) (29:45.63)
Yeah.

Justin Gardner (@rhynorater) (29:52.91)
that they found that allowed them to get to a different domain, a subdomain within the same top level domain. And you push it further and further and further until you find the XSS and pop the full attack chain. Really, really good write-up. I like this a lot.

Joel Margolis (teknogeek) (30:06.654)
Yeah, yeah, absolutely. I totally agree. I think it's one of those really good cases that shows that you don't necessarily, you don't need like full mobile skills like to find like a really impactful mobile bug. Like a lot of the times it relies on stuff like this, like open redirects and just like standard XSS to get that full attack vector. And it doesn't need to be anything crazy like, like all the stars have to align to open a.

Justin Gardner (@rhynorater) (30:17.39)
Mm.

Justin Gardner (@rhynorater) (30:26.638)
Mm.

Justin Gardner (@rhynorater) (30:31.406)
Mm.

Joel Margolis (teknogeek) (30:34.398)
arbitrary URL, like all you need is some web view that has JavaScript execution in some way to even get like partial control of that URL or get JavaScript execution within there, like, you know, opening it to like a product page that has an XSS payload or something like, you know, there's a lot of different ways where this can manifest. So, you know, just thinking creatively and outside of the box and having those gadgets in your brain will let you get there.

Justin Gardner (@rhynorater) (30:53.678)
Hmm. Yeah.

Justin Gardner (@rhynorater) (30:59.918)
It's another, it's another thing as well. It's another reason that you should try to expand your abilities as a hacker. You shouldn't just stay in your lane, right? Because marginal mobile skills, like, like I'm very confident that I could have found this bug if I was looking at this app, right? Because all it takes is knowledge of deep links. And with that, something we covered in our mobile episodes back on like episode eight or something like that. And, it stuck in my head ever since. And.

then everything after that is essentially just web hacking. So just a little bit of knowledge in your target area combined with your current expertise can really allow you to pop some very impactful bugs. So I will say one last comment that I had on this as you were talking through it, I was reading through the blog. It says, we reported this vulnerability in December 2023 to Kakao's bug bounty program. However, we didn't receive any reward as only Koreans are eligible to receive a bounty.

Which is like so messed up, dude

Joel Margolis (teknogeek) (32:02.078)
It's very interesting. I have a feeling there's some weird financial regulations or who knows what. Yeah, that is kind of unfortunate, but maybe you can find a friend in Korea who...

Justin Gardner (@rhynorater) (32:06.446)
tax thing or yeah.

Justin Gardner (@rhynorater) (32:12.462)
Bummer.

Justin Gardner (@rhynorater) (32:16.974)
Yeah, exactly. Just DM it to your Korean friend. Hey man, you want 500 bucks? It's funny, man. Exactly, exactly. And I think actually we were trying to find someone mentioned in the Critical Thinking Discord who's like, hey, is anyone here Korean? Because it's like, I need someone from Korea to do something. And really, okay, that's great. No, I dig it. All right, dude, once again, we are 30 minutes in and still on the second news item. So I'm gonna breeze through this next one pretty quickly.

Joel Margolis (teknogeek) (32:20.638)
Yeah, it's a good time to make friends in Korea.

Joel Margolis (teknogeek) (32:37.15)
Yeah.

Justin Gardner (@rhynorater) (32:46.862)
This next one is a writeup on essentially secret-based or time-based secrets being used for various different things like password resets and that sort of thing. It's called Reset Tolkien, which is just an absolutely amazing name. One token to rule them all, a play on JR Tolkien. JR, no, I'm kind of...

Joel Margolis (teknogeek) (33:16.35)
Jay, yes.

Justin Gardner (@rhynorater) (33:17.23)
Yeah, JRR Tolkien. I forgot an R. I was like, wait a second. Do I know things about literature? Do I know things about anything besides hacking? Yeah, so cool name, cool write-up. I dig it. I'm intrigued. I'll click. You know, I'll click. And essentially, I read through it. It's pretty long. The author does a really good job of sort of addressing the methodology used throughout this whole research.

Joel Margolis (teknogeek) (33:20.03)
Yes, Lord of the Rings.

Justin Gardner (@rhynorater) (33:45.134)
So I'm going to condense it down to top tips and TLDRs for you here. And essentially, those are that you should be on the lookout for anything that uses PHP's uniqid function. I think we mentioned this in the PHP episodes as well. That is not secure and generated based off of the current time and date. And also MongoDB's ObjectId is also not secure and is based off of a timestamp, a process ID, and a counter.

So that can also be guessed with a decent amount of accuracy. And the other tip that I had in here that was just kind of in this nice little blue tip box, which was awesome, which is anytime you're doing any sort of time-based attacks against a server, there is this mandatory header that must be returned with every single request called Date. And that is the current server time.

And so that is really helpful if you're trying to figure out, okay, what time does the server think it is? If they're generating these sort of time-based tokens. And so you can use that Date header to perform various operations. And that's exactly what the author does. They create this tool called, I think it's called Reset Tolkien. Yeah, it is. It's called Reset Tolkien. And essentially it does something that I've actually had success with in the past, which is it takes...

the current date from the server, which is awesome, using that Date header, you just copy and paste the Date header into the tool. And you give it a token and you give it some data about your account, like your email, that sort of thing. And it will try six different formats with a bunch of different hashes, a bunch of different flows to see if they can get a collision with the hash that you provided. So let's say you do a password reset.

You get the date on that, you pass it to the thing, you give it the password reset token, you give it your email, and it's just gonna brute force, you know, milliseconds backwards, milliseconds forwards, you know, SHA-1, SHA-256, you know, timestamp plus your email, SHA-256, concatenate, you know, and then shortened, you know, all these different combinations to see if you can get a collision. And I just wanted to shout out.

Justin Gardner (@rhynorater) (36:05.358)
that because I think that's awesome and I would love to see some more community contributions to the structures that they have in there because there's only six currently and I think they're pretty good but there's only six. And I also wanted to say that I've talked about this on the podcast before but I have found this bug. This was one of the first bugs that I ever or one of the first criticals I ever submitted was a password reset token that was being generated by MD5 of the user's email plus the current Unix timestamp.

And I just guessed that shit, dude. I guessed it. I looked at that. I did. I guessed it. And I was like, and I was like, man, I feel like that's an MD5 hash. And I feel like they're just doing email plus it is just like one of those scenarios of just crazy. No, it was like some serious psychic shit happening here. Like they're very kind of crazy. And on that one time I wrote the Python script to generate it and somehow it actually worked on that same target.

Joel Margolis (teknogeek) (36:35.518)
Very secure. You guessed it. Bro.

Joel Margolis (teknogeek) (36:47.998)
That is not normal.

Justin Gardner (@rhynorater) (37:03.15)
And so they are out there. They are out there for sure. So I was excited to see this actually put into practice. And I think this could make a really good Caido extension or a Burp extension where you're able to select a tool or like a specific token and pass it to the tool and see if there are any results that come back. I think that'd be pretty awesome.

Joel Margolis (teknogeek) (37:23.55)
Yeah, yeah, absolutely. That's really crazy. That's such a good tip.

Justin Gardner (@rhynorater) (37:26.126)
Yeah.

Yeah. And I think, I think also just regarding this, James Kettle will also be, James Kettle retweeted this, which is why it kind of popped into my feed. And I think he's doing some timing based stuff, and I wouldn't be surprised if he also uses this really cool tip with the Date being in the response header and using that to do some other time based attacks.

Joel Margolis (teknogeek) (37:41.022)
Hmm.

Joel Margolis (teknogeek) (37:51.486)
Yeah, I will say like, I feel like there's a bunch of attacks that probably 10 years ago, 15 years ago would have been like, theoretically this is possible, but we don't really at scale, it would take too long. Now we have very powerful computers and AI and all sorts of fancy things that can optimize these problems and make them more solvable. And we're starting to see like actual POCs for these things coming out now.

Justin Gardner (@rhynorater) (38:00.462)
Mm-hmm.

Justin Gardner (@rhynorater) (38:08.174)
Mm-hmm. Yeah.

Justin Gardner (@rhynorater) (38:18.83)
Mm-hmm.

Joel Margolis (teknogeek) (38:19.902)
And so all the old systems that are stuck around that are like, that'll never be exploited. What is it? It's RSA. It'll be fine. And so now here we are. So it's really interesting to see this type of research. And I'm excited to see more of this kind of stuff.

Justin Gardner (@rhynorater) (38:28.302)
Mm-hmm. Yeah.

Justin Gardner (@rhynorater) (38:38.574)
Yeah, yeah, same, man. It's definitely, yeah, scary to see where all that stuff will go. All right, you want to do the iOS, the next iOS one, or should I talk about the Django one?

Joel Margolis (teknogeek) (38:51.07)
Yeah, so I'm gonna try this iOS one because it's kind of complicated to understand. And I've sat here reading through it a couple times and I'm just like, you know, I don't know. It's still a little bit confusing to me. So I'd recommend that you go and read through it. But my understanding is that essentially, you've probably seen it, well, you don't have an iPhone, but if you have an iPhone, you've probably seen this thing where you go to sign in to

Justin Gardner (@rhynorater) (38:55.95)
Mm-hmm.

Justin Gardner (@rhynorater) (38:59.854)
Mm-hmm.

Justin Gardner (@rhynorater) (39:13.518)
Thank you for that. Thank you.

Joel Margolis (teknogeek) (39:20.99)
I don't know, like with Google or something. It's a some app. And you click that and it opens up a web view and it says, you know,

X would like to use Google.com to sign in. And it will open this URL and it'll do this whole sign in process. And so there's some mischecks on the backend when there's multiple apps that register the same auth URL redirect scheme, basically, with the authenticated web view pop-up thing. And so you can use an attacker domain

Justin Gardner (@rhynorater) (39:52.43)
Mm.

Joel Margolis (teknogeek) (40:00.67)
to redirect to that URL, it will go through the normal auth flow. Like if they have a session there, it'll like say, yep. And then you can also use prompt equals none, which was, I guess, the big key to make this work to allow it to essentially skip through any sort of user confirmation or verification or anything like that. So it just like opens, verifies, skips right through, sends the code to the attacker domain, and then continues on.

Justin Gardner (@rhynorater) (40:10.382)
Mm-hmm.

Joel Margolis (teknogeek) (40:26.558)
so it's a, it was super, super interesting. I don't actually know what the fix was because they said that in the mitigation, they go app store reviews, not a mitigation here. so I don't know if there is an actual mitigation that has been implemented.

Justin Gardner (@rhynorater) (40:33.39)
Mm.

Justin Gardner (@rhynorater) (40:40.206)
Yeah, the mitigation that they mentioned was instead of using some of these other links, I forget what the other ones are called that are just the domain name reversed, instead use universal links. So the quote here would be, Apple offers universal links that are not hijackable, meaning an attacker would not be able to retrieve the redirect with the authentication code. So that's the redirect. I will add.

Joel Margolis (teknogeek) (41:03.71)
There you go. Which sounds a little bit more like the Android flow.

Justin Gardner (@rhynorater) (41:07.598)
Yeah, and I will add a couple things to this, because I did get the chance to go through this one. So custom URL schemes, that's the thing that you're not supposed to use for this, that are hijackable. Like you said, multiple different apps can register these. And I think there was a fix put into place for that. But essentially what they did now is using this ASWebAuthenticationSession feature to authenticate.

using the cookies that are active inside of the Safari app inside of your app, instead of your malicious app, is what I think triggered this whole thing. And essentially when you use that ASWebAuthenticationSession thing, it will pop open that little prompt that you mentioned that I have never seen because I never use an iPhone. And then, but it'll say like, hey, you know, we're trying to authenticate with like, this is Evan Connelly's write-up in conjunction with Julien, MrTuxRacer.

And so the screenshot that he has there is like, you know, Oauthie wants to use evanconnelly.com to sign in and the user would say, okay, sure. But then as soon as you open evanconnelly.com, you can just redirect. Since you control that domain, you can just redirect to like google.com and do the prompt none, like you said. And when the callback happens, it'll automatically go back to your app that triggered that start. So it requires you to have a malicious app on the device.

Joel Margolis (teknogeek) (42:32.094)
Yeah. Right.

Justin Gardner (@rhynorater) (42:35.278)
And then it requires you to set up this sort of redirect inside of this web view that is defined via this ASWebAuthenticationSession functionality. And that allows you to hijack the code when it comes back, which can be used to do account takeover in a ton of different environments. So I think they said like 30 apps or something were vulnerable to this because they're not using the universal links. Instead, they're using the custom URL scheme.

Joel Margolis (teknogeek) (43:01.342)
Yeah, and I want to say there was an interesting discussion I saw on Twitter somewhere, either it was from Evan Connelly or Evan had chimed in or something that was discussing the severity evaluations of mobile app bugs, especially ones that require an app to be on the device. And that's always definitely like a tricky scenario because, and again, we've talked about this, we talked about this a couple of episodes actually, or last episode or so, where it'd be really interesting to see some data.

Justin Gardner (@rhynorater) (43:03.822)
Mm-hmm.

Justin Gardner (@rhynorater) (43:07.789)
Mm.

Justin Gardner (@rhynorater) (43:13.614)
Mm.

Justin Gardner (@rhynorater) (43:17.646)
Mm-hmm.

Justin Gardner (@rhynorater) (43:22.926)
Yeah.

Justin Gardner (@rhynorater) (43:28.078)
Mm-hmm.

Joel Margolis (teknogeek) (43:30.718)
from people like Google and Apple about, did they? No, did they find the data?

Justin Gardner (@rhynorater) (43:30.958)
Well, somebody posted it. Did you see that? Yeah, I think it was in the Critical Thinking Discord or maybe it was Twitter or something. I don't remember exactly where it was, but someone heard you say that in the past episodes and tracked down some data on that that somebody had released. I should have saved it and sent it to you. I thought you would have seen it. But essentially, it's pretty common. Essentially, the TLDR that was attached to that comment was...

Yeah, it happens all the time that a malicious app is actually on a user's device. So I think that, yeah.

Joel Margolis (teknogeek) (44:04.538)
yeah, here it is from Evan. And it's a link from Facebook. On the latest pod, you all said you were interested in research on the frequency of malicious mobile apps making it through App Store review. This is something I came across and used to make our case when we needed with the iOS OAuth account takeover attack. In short, it seems to happen fairly often. And then there's a quote from this. This is a post from Meta's own blog.

in October of 2022 that says, our security researchers have found more than 400 malicious Android and iOS apps this year in 2022 that were designed to steal Facebook login information and compromise people's accounts. These apps were listed on the Play Store and Apple's App Store and disguised as photo editors, games, VPN services, business apps, and other utilities to trick other people into downloading them. So 400 malicious, did I say 400 million? I meant 400 malicious. Okay, yeah, 400 malicious Android. So that's across Android and iOS, 400.

Justin Gardner (@rhynorater) (44:51.502)
No, you said 400. Yeah. Yeah.

Joel Margolis (teknogeek) (44:59.806)
It sounds like a lot, but when you think about how many apps there are, it's like, you know, there's probably actually millions of apps, right? So,

Justin Gardner (@rhynorater) (45:00.814)
Yeah, it's a lot.

Justin Gardner (@rhynorater) (45:07.886)
But that's only focused towards attacking meta. So that's kind of interesting. And I think if you...

Joel Margolis (teknogeek) (45:13.182)
Yeah, which is like one of the top five largest companies in the world. But yeah, like I will say like it for sure happens, right? Like, and if there's going to be a target, it's going to be Facebook, Google, Twitter, like probably, right? Like those are like, at least Facebook and Google are going to be, and Apple probably are going to be like your top three, like target Microsoft, right? Like, but that being said, I think I'd like to see what that means. Like 400 again, like it sounds like a lot.

Justin Gardner (@rhynorater) (45:17.71)
Yes, so you know.

Justin Gardner (@rhynorater) (45:25.07)
Mm-hmm.

Justin Gardner (@rhynorater) (45:34.126)
I totally agree.

Joel Margolis (teknogeek) (45:42.238)
I'm not saying 400 is not a lot, but I would be really curious to know like, okay, you're right. Like how many, like, okay, like how many, yeah, what's the install count for that? Now compare that to the total install counts of all the apps during 2022. What percentage of installs were malicious apps? Is it like 0.1% or, yeah, right, sure. Right, yeah, exactly. And like, I know these are really hard things to quantify, so I'm not.

Justin Gardner (@rhynorater) (45:47.406)
get like an install count or something like that.

Justin Gardner (@rhynorater) (45:57.326)
Mm.

Yeah, what percentage of devices have had a malicious app installed on them in the past three years or something like that?

Joel Margolis (teknogeek) (46:10.654)
expecting anybody to have an answer. But that's, I think what I, especially from like a program perspective, like if that article works and that numbers, like if that's what you need to prove it, like rock on. But I, from like the program side would be really interested for like the threat evaluation to see some like in perspective statistics again on like what that means and what that looks like in like the overall picture and like what the risk is as a whole.

Justin Gardner (@rhynorater) (46:22.382)
Mm-hmm. Yeah.

Justin Gardner (@rhynorater) (46:38.958)
Yeah, I totally agree. I think that'd be really interesting area. One last thing I wanted to mention on this super cool iOS OAuth thing. One, of course, the prompt none, super helpful. Please keep that in your brains. Prompt none works on so many different OAuth implementations. Of course, the prerequisite of that is that the user has to already have authorized a certain application or whatever. But...

Joel Margolis (teknogeek) (47:05.086)
Was it prompt none in the thing that we talked about last week as well or was that separate?

Justin Gardner (@rhynorater) (47:10.318)
I don't remember. We'll have to go back and check. But the last thing that I wanted to mention was that this, so you mentioned being able to, multiple apps being able to register the same scheme. And in Android, if I understand, if I remember correctly, like if it's trying to redirect back, it'll prompt you to select the app that has precedence to have the callback for this specific custom scheme or whatever. And it mentions in here that

with the ASWebAuthenticationSession piece. The reason why it doesn't do that is because whichever app originated that auth flow inside of the WebView will get the callback if they have that scheme registered without any sort of prompting or any sort of other reprioritization. So that's another one of the problems with that whole flow is like.

That's not great. So hopefully Apple will go ahead and get this fixed. If not, in the meantime, I imagine MrTuxRacer and Evan Connelly have kind of cleaned this up across various bug bounty programs. And I think they were discussing it in the Critical Thinking Discord. I think they said that this was most of the time accepted as a high.

And there were some scenarios where it was dropped to a medium or a low, but of those 30, probably at least 20 accepted it as a high, which I think is pretty rad. And it kind of speaks to the impact of doing this sort of larger scale research on applications that can be applied across the board. So very, very cool work there.

Joel Margolis (teknogeek) (48:36.542)
Cool.

Joel Margolis (teknogeek) (48:46.91)
Yeah, for sure. For sure. Yeah. So real quick, I did go find the link from last episode. It was specifically, it was the Zoom account takeover bug. And it was not the same thing. It was the fact that you could set response type to code, comma ID token, to multiple values. So I think I would love to see some research on this. But even if you don't decide to publish it, I think

Justin Gardner (@rhynorater) (48:51.118)
Mm. Mm.

Justin Gardner (@rhynorater) (48:59.054)
Mmm. Yep.

Joel Margolis (teknogeek) (49:16.926)
it would be a very worthwhile time investment to go take a look at OAuth, take a look at the OpenID OAuth implementation, available parameters, take a look at the spec, take a look at where it's possible to send multiple values, where it's possible to send values that are optional.

Justin Gardner (@rhynorater) (49:22.093)
Mm-hmm.

Joel Margolis (teknogeek) (49:36.094)
either write some tooling or add into your testing flow to be testing for these things like prompt none, sending multiple things to response type, sending, you know, what is it, client, the,

Justin Gardner (@rhynorater) (49:50.734)
The response token, is that what you're talking about?

Joel Margolis (teknogeek) (49:52.862)
Yeah, ID credentials as the token type or whatever. You know, there's a lot of different things that you can test here. And I think it seems to be a really ripe area for research.

Justin Gardner (@rhynorater) (49:57.806)
Mm.

Justin Gardner (@rhynorater) (50:04.878)
Yeah, yeah, I agree. And I will say, now that you mentioned that, I did go back and look at the Zoom write-up. And they actually do say that, just not very explicitly. They say, quote, meanwhile, in window B, the OAuth flow takes place as we have modified the prompt parameter to no longer ask the user to select an account. Everything will happen automatically. And if you look at the exploit code, they're using prompt none for that. At the very end of the window B's location sort of piece there.

Yeah, I think that is a killer tip, the prompt none, and then this additional piece about understanding the mechanics surrounding how OAuth is implemented inside of an iOS application. I think iOS applications are a little bit tricky too. A lot of people can do more Android stuff than iOS, so props to them for going after iOS stuff. All right, so I'm gonna hop over to another writeup that

Joel Margolis (teknogeek) (50:58.206)
Yeah, yeah, totally.

Justin Gardner (@rhynorater) (51:03.918)
will be the last one for our news section today. And that is some research that just came out, I wanna say yesterday or day before yesterday, on ORMs. And this research is done by elttam, more specifically Alex Brown. I've seen a lot of cool stuff come out of elttam, so that's pretty rad. And this whole concept of object relational mappers or ORMs are often found in CRMs.

such as Django and that sort of thing. And essentially they are layers of abstraction on top of the database so that you can connect your various types of database. Yeah, yeah.

Joel Margolis (teknogeek) (51:41.054)
I love ORMs, by the way. Like from the developer side, yeah, like anytime I'm doing any work with the database, I'm always using an ORM. You know, it's basically just like you create a class and you say like, here's the fields, here's the type of those fields. And then through magic ORMs, it does all that in the database and it creates those relationships between classes and objects. So you can just be like, get me 50 of this. And it'll be like, here's a class with all the

Justin Gardner (@rhynorater) (51:47.31)
Wow.

Justin Gardner (@rhynorater) (51:50.87)
Mm. Mm-hmm.

Joel Margolis (teknogeek) (52:08.574)
attributes and everything that are set to these field values that are and it's all stored in the database and it all there's for the foreign keys work and all that kind of stuff. So it just makes working with databases really nice.

Justin Gardner (@rhynorater) (52:15.918)
Wow, it's beautiful. It does, but it also adds another layer of abstraction. And abstraction is dangerous because you don't exactly understand what's happening at the lower level sometimes, especially if you're a more junior developer or something like that. So the TLDR of this writeup, and you should absolutely go read it because I think this applies to a lot of different frameworks and structures. ORMs, as Joel mentioned, are a pretty popular sort of abstraction on top of the database.

Joel Margolis (teknogeek) (52:22.59)
Of course.

Justin Gardner (@rhynorater) (52:45.678)
So I could definitely see this happening in other different areas. And the writer here, the author of this write up, describes a couple scenarios where it's like, okay, you know, now we need to be able to filter on various fields inside this thing and they keep on changing the fields. So now we're just gonna make it filterable on every field. And essentially what's happening here is if there is a situation, which there was in Django ORM, where you're able to supply a specific

a JSON blob, which then gets passed directly into the filter piece of this ORM, you may be able to specify filter chains of sorts, essentially supplying arbitrary parameters to this filter function. And as like, this is a common theme that I've seen across a lot of different exploits is like any scenario where you are able as the user to provide arbitrary parameters, like,

Keyword parameters, call arbitrary functions with no defined parameter, you know, that sort of thing like we saw with the indirect object invocation from the GitHub enterprise.

Joel Margolis (teknogeek) (53:55.71)
The name of the game nowadays is parameter testing, parameter fuzzing, like finding those things that the developers are using behind the scenes that are sent in internal API requests and weren't supposed to be seen by the public.

Justin Gardner (@rhynorater) (53:58.222)
Yeah.

Justin Gardner (@rhynorater) (54:03.502)
Mm.

Justin Gardner (@rhynorater) (54:07.95)
Yeah, absolutely. And this whole thing kind of reminds me of the reflection or indirect method invocation thing that we discussed with the GitHub Enterprise bug. But essentially what it's allowing you to do here is filter off of any field. And what it will allow you to do then is provide things like password, underscore underscore starts with where underscore underscore is a specific filter or selector on that field. And then the author also shows how, so.

Obviously using that if it provides any response, if you can get it to do like a true or false response. Even if it's not returning that password, you can determine what that character is. Line, you know, by just brute forcing all the possible character space line by line or character by character. And the exploit that they wrote is really, really beautiful. So definitely check out the write up and look at those GIFs on seeing a password hash just appear on your screen one character at a time. It's just super like.

you know, hacker porn essentially there. But the writeup was really good and it also shows how you can chain these. So how in Django ORM you're able to say like, okay, for every article, the article that was created by and that references to like the user object and then you can select the user's password and then underscore underscore contains or like underscore underscore starts with or whatever set of filters that they have.

can be applied to these fields, which can allow you to leak the output character by character. And then one last thing on this was that even if you don't have something that provides sort of a boolean output, whether you have a match or not, the author was able to utilize regex DoS, essentially, to tell you whether you have successfully selected a character. So...

You'll instead of defining, you know, underscore underscore contains, you have some sort of regex that's in place that when it matches, it will cause a regex DoS, which will stall the system until you have the correct character.

Joel Margolis (teknogeek) (56:13.982)
It's such a creative way of like basically doing like a sleep or like a sleep based or error based like injection or it's basically you're doing like a lookbehind or a lookahead. And then after that you're doing like a really intensive regex. That's going to take a lot of time or it's going to time out. And so if it matches and like proceeds then it's going to you know error and if it you know just

Justin Gardner (@rhynorater) (56:33.55)
Mm-hmm.

Joel Margolis (teknogeek) (56:43.102)
exits really quickly then it's not a match.

Justin Gardner (@rhynorater) (56:45.038)
Exactly, exactly. So I think this is a really cool technique that I've seen used by super elite hackers in a lot of contexts is this sort of character by character exfiltration and even usage of error-based implementations of this sort of thing. So definitely kind of have that in your brain as you're thinking about the structures of some of these APIs.

And if there is any functionality that allows you to search or provide specific characters or reject something, you often see these used in cross-site leaks as well. Definitely be on the lookout for these is the big takeaway for me.

Joel Margolis (teknogeek) (57:25.566)
Yeah, yeah, totally.

Justin Gardner (@rhynorater) (57:27.566)
All right, let me see. I'm gonna take a look at the notes really quickly here. Yeah, the only other thing that I had here is like this sort of makes me think of GraphQL related stuff on how they're hopping from object to object within the database. And this ORM mapping sort of allows you to do that. So any scenarios, we see that in GraphQL all the time where it's like, okay, I can't access this user object directly, but if I go through like the article and then created by and then author and then user, then I can access this.

Any type of times where you can do chains of various object relationships, I think that area is sort of ripe for vulnerabilities because the complexity goes way up on the development side and it's hard to sort of think of all those scenarios.

Joel Margolis (teknogeek) (58:13.15)
Yeah, yeah, totally, totally.

Justin Gardner (@rhynorater) (58:14.67)
All right, so that's the news and now we're in and and now we're gonna go ahead and move to a Community bug submission and for those of you that aren't aware of this essentially we offer to the critical thinkers tier on discord The ability to submit a bug that they might want to have featured on the podcast and if that bug is selected Then we're gonna go ahead and air it on the podcast and sort of discuss it as well

Joel Margolis (teknogeek) (58:19.646)
Ha!

Justin Gardner (@rhynorater) (58:42.19)
and very apt for today's podcast. This community bug submission is by Evan Connolly, the same guy that did the iOS OAuth write up. So, congrats for absolutely crushing it lately, Evan. You've been rocking it. and we'll go ahead and jump into that, that explanation of the bug by him now. Okay. So, that's like exactly at the 59 minute mark. So 59.

Justin Gardner (@rhynorater) (59:22.958)
Cool. Let's go ahead and listen to that so we can provide commentary on the back end. We've got 50 minutes until you have a hard stop.

Justin Gardner (@rhynorater) (59:36.046)
Are you listening to it now or?

Joel Margolis (teknogeek) (59:39.454)
started it.

Justin Gardner (@rhynorater) (01:04:10.19)
Got through it? Okay, great.

All right, so we'll hop back on air. Here in five, four, three, two, one. Dang, dude, what a freaking bug.

Joel Margolis (teknogeek) (01:04:27.806)
It was cool. The whole time I was listening, as soon as he was like, there's this physical ethernet port, I'm thinking, no. Like I know where this is going because it's such a hard, you know, like I think with something like a car, it's a little bit of a different attack vector because there's like, it's like a physical thing where like, you know, you can just like bust a window and the hot wire aspect is a really strong attack scenario. But if we're anything else,

Justin Gardner (@rhynorater) (01:04:34.734)
Yeah.

Justin Gardner (@rhynorater) (01:04:50.03)
Mm-hmm.

Joel Margolis (teknogeek) (01:04:56.638)
than like remote start or something like, you know, maliciously like, you know, intercept, like doing something during the software update or anything like that. Like for sure that would have been like now mitigating factor. And the other funny thing was when he was like, that, that it got closed as a dupe. I have only ever reported one bug to Tesla with Sam Curry and it was not the same bug, but it

Justin Gardner (@rhynorater) (01:05:19.342)
No.

Joel Margolis (teknogeek) (01:05:25.982)
was also a dupe and it ended up being that, you know, Sam like picked me up at the airport in his Tesla and I was just like fiddling with the back and like immediately like found something. And so we reported it and then like a little while later we're here back and they're like, hey, this is actually fixed in the latest update. Make sure that your car is up to date. But sure enough, we had to go out and update the car.

Justin Gardner (@rhynorater) (01:05:50.254)
Sam hadn't done a software update on his car.

Joel Margolis (teknogeek) (01:05:51.838)
Sam hadn't done a software update, which is good because he was avoiding a hot wire, I guess.

Justin Gardner (@rhynorater) (01:05:56.366)
Yeah, I guess so. No, that is really cool though. And I think it's awesome, the tip that he said about trying things in different states I think is really cool, especially for IoT related stuff. Things really do change during software updates on a pretty regular basis for IoT stuff. So really great, great takeaway there. Hacking Tesla cars, I don't know man, seems like there's a high due percentage there. Maybe it's just because people are...

very interested in the technology, so they spend more time looking at it, or maybe it's because their patch cycle is really slow, but definitely something to be aware of. The other thing I really liked from this write-up was his persistence, how motivated he was, he pored over diagrams, he spent hours, he was really just hobbying it, right? A lot of times, bug bounty, you kind of think about, well, you know, I'm not earning millions of dollars doing bug bounty, I'm not succeeding, it's not the case. Like, try to be a hobbyist about it.

Joel Margolis (teknogeek) (01:06:30.91)
Yeah, I don't know.

Justin Gardner (@rhynorater) (01:06:54.414)
You know, before Bug Bounty, people would just do this shit for fun, you know? And yeah, so like, try to be a little bit more hobbyist about it, I think is a good takeaway. And then also, he slows down and he shows full impact once he has a thing, a lead. And I think this is an interesting thing because my experience in the Bug Bounty arena has said, just go ahead and report it.

Joel Margolis (teknogeek) (01:06:57.95)
Yeah. Try not to get arrested.

Justin Gardner (@rhynorater) (01:07:19.95)
like just, I mean, especially with something like a car where they actually can't patch it, you know, without your permission, just go ahead and report it. And then add to the report when you had, when you flushed out more impact. And, but, but don't stop, right? Report it and then keep moving. Cause I think it's easy for once you've kind of lost your momentum a little bit when you went and wrote the report or whatever to kind of like just wait and then kind of get in that post report stall where you're like, I reported it. I want to see what they say before I spend more time on it.

Don't do that, just keep building out that impact if you think the possibility is there. And so props to Evan for doing that fully. I like that. All right. Yeah.

Joel Margolis (teknogeek) (01:07:57.566)
Yeah, totally. Well, speaking of that mental aspect, right? I think that's that's kind of our topic for today, right? Yeah.

Justin Gardner (@rhynorater) (01:08:04.686)
It is. Yeah. We've got a good little segment for that today. And actually we're already an hour in, so we should be on the lookout for that. But I kind of wanted to discuss staying sharp and motivated inside of Bug Bounty. Okay. So I think there's a couple, there's a couple little segments that I kind of broken this into. One, you know, staying sharp and motivated and two, avoiding the opposite of that.

avoiding burnout, avoiding getting stagnant or stale. So we'll kind of take that from two angles. But first I wanted to ask you something, okay? So I was writing this out and I was like, you know, what are some of the common mistakes people make, you know, that kind of get them disappointed and kind of get them in a rut with bug bounty. And I think one of them is sort of getting a really painful dupe or getting a really painful NAR informative, and then just kind of sitting in that valley.

of sorrow, you know? And I think maybe for people that are new to bug bounty, that don't have a lot of self-confidence in their abilities as a bug bounty hunter, then it could be good advice to say like, hey, don't get your hopes up until you see that report moved to triage or until you see that bounty report, you know, or bounty awarded in your email. But for me as a more experienced hacker, I don't know, maybe it's just kind of like, like,

Like I need to feel something, you know, like from Bug Bounty, you know, like I just, I just want to feel something, man. But I kind of like to ride the highs and lows. Like I kind of like to, as soon as I find something, freak out, run, tell my wife, jump up and down, scream. And then, you know, when it's a low, I kind of like to, you know, flop on the ground and like take some time, go sit in the hot tub, drink my coffee, be all sullen or whatever.

Justin Gardner (@rhynorater) (01:09:55.758)
And then move through it because I think it kind of keeps things emotionally charged for me, which I think is more helpful in the long term. So what do you think about all this?

Joel Margolis (teknogeek) (01:10:04.03)
Yeah, I mean, I guess it all just depends on like how you deal with and process emotions, right? Like some people it's better for them to just sort of like feel through it and let it pass. Other people, like I think generally trying to stay positive about it is always a good thing. Like I'm definitely not positive 100% of the time. I definitely like, like I almost quit Bug Bounty like a month ago. So like I've definitely been there, you know? But I think

Justin Gardner (@rhynorater) (01:10:10.638)
Mm-hmm.

Justin Gardner (@rhynorater) (01:10:16.302)
Mm-hmm.

Justin Gardner (@rhynorater) (01:10:29.806)
Yeah.

Joel Margolis (teknogeek) (01:10:33.534)
Especially around dupes. Just one thing I want to note is a lot of people see dupes as a failure. A dupe is literally like you literally found a valid bug. Like it's literally been accepted by the program. It's not a failure. The only thing I failed is that you didn't get paid for it. And the only thing that you lost was your time. So there's nothing really that you can do about that. But I would encourage you to just, you know, try and stay positive that like you found

Justin Gardner (@rhynorater) (01:10:44.814)
Mm-hmm.

Joel Margolis (teknogeek) (01:11:03.358)
You did find a valid bug that was accepted by the program is you just got you know screwed over by timing Maybe I don't know just as food for thought for some of the program people who are sorry the platform people who are listening like from hacker one and whatever it might be interesting to see some sort of root shift on like the framing of duplicate and The fact that there's no award no nothing like

Justin Gardner (@rhynorater) (01:11:26.606)
Mmm.

Joel Margolis (teknogeek) (01:11:31.422)
At minimum, listen, if we're giving freaking points for VDP, like why aren't we giving points to dupes? Come on. Wow.

Justin Gardner (@rhynorater) (01:11:37.742)
I mean, they give you like two reputation points or something like that, but I think they want to, you know, minimize gaming of the system, but it would be nice if there was some additional like, yeah, seriously, but I mean, like, it would be nice if there was some sort of additional like, yeah, framing around, surrounding that. And I don't have a great suggestion for it, but like you said, validating, showing that it's a valid bug, like.

Joel Margolis (teknogeek) (01:11:49.246)
system's already gamed.

Justin Gardner (@rhynorater) (01:12:06.286)
Affirming the hacker, that sort of thing. And I will say, you know, you mentioned you do lose your time, which is true. You know, if you're looking at it from a monetary perspective, you do lose your time. But, also as a hacker, you kind of grow more with each bug and you found a valid bug. You submitted the report. It got duped. That is what it is. But also that bug is a valid bug in your repertoire as a hacker. And you fully exploited that. You submitted a report, you outlined it in a report. You went through the steps to do that. So.

From a hacker development perspective, it's not a loss, even though it can feel like a loss because your wallet isn't thicker.

Joel Margolis (teknogeek) (01:12:42.494)
Yeah, yeah. And like being failure versus totally normal. Like I think that's a good instinct to have of like not wanting to get a dupe and not wanting to like have something fall through. Like that's totally normal. You know, loss aversion, failure aversion, all that kind of stuff. Like it's very, very normal. So, you know, it's...

Justin Gardner (@rhynorater) (01:12:45.134)
Mm-hmm.

Justin Gardner (@rhynorater) (01:13:01.006)
I don't know, Joel, you and I, we've debated this on the pod before, but whenever I hear you say failure aversion is a good thing, like...

Joel Margolis (teknogeek) (01:13:10.494)
No, I'm not necessarily saying it's a good thing, but it's a normal thing. And to some extent, it can be good. If you let it control you and you ignore, you need to be able to push through it in some cases.

Justin Gardner (@rhynorater) (01:13:14.797)
It is a normal thing.

Justin Gardner (@rhynorater) (01:13:19.47)
Mm-hmm.

Justin Gardner (@rhynorater) (01:13:24.718)
Mm, mm. In most cases, I would say.

Joel Margolis (teknogeek) (01:13:28.958)
Yeah, like it depends on the goal, right? Like it depends on what the outcome is. And, you know, probably in the cases that we're talking about for like bug bounty, where it's like more of a mental thing than it is any like actual loss or like failure, then it's like, yeah, like just, you know, the worst thing that happens is that your bug gets closed or lowered in severity. Does that suck? Yes. Is that worth not reporting it? Is that not worth like not following through on it? No, like because the financial incentive

Justin Gardner (@rhynorater) (01:13:31.662)
Mm-hmm.

Justin Gardner (@rhynorater) (01:13:40.75)
Mm.

Joel Margolis (teknogeek) (01:13:58.686)
is there is still like a potential large upside.

Justin Gardner (@rhynorater) (01:14:01.358)
Yeah, yeah, I agree. Yeah, it's a little bit tricky with the failure aversion thing because my experience with failure aversion is like, I think it's one of the things that most people do not have that muscle sort of developed and flexed. And essentially the first thing I tell all of my mentees is like, listen, you are gonna fail 98% of the time as an extremely talented hacker. Like as a top tier hacker, your success rate is gonna be like,

2% on the attack vectors that you implement, right? And you know, this varies with your, you know, if you're doing white box, then sure, you might be more, but you know, as a black box extra, you have to test everything. You're gonna fail all the time and it's gonna suck. So you have to build out that whole concept of like, a failure should be redefined as something where you...

can now affirmatively say this doesn't work and cross that off the list and feel like you've made progress. That reframing is absolutely essential, I think, for staying sharp and motivated and on top of bug bounty.

Joel Margolis (teknogeek) (01:15:10.462)
Yeah. Yeah. I mean, like we encounter quote unquote, like failures all the time, right? It just depends on how you view it. It's like is testing for RCE and command injection on like the ID on the cmd parameter. If that doesn't work, is that a failure? No, that's like, that's like extremely well, that's like roll. That's like gambling. You know what I mean? It's like, you know, don't get mad at yourself if you lose at the casino because like it's literally like everything is a gamble. Everything is a test.

Justin Gardner (@rhynorater) (01:15:14.062)
Mm-hmm.

Justin Gardner (@rhynorater) (01:15:24.462)
Yeah, that's.

Justin Gardner (@rhynorater) (01:15:29.774)
Yeah.

Justin Gardner (@rhynorater) (01:15:38.574)
Hmm.

Joel Margolis (teknogeek) (01:15:38.846)
But the difference between gambling and bug bounty is that you can actually learn from the signals that you see in response and you can actually influence those and change them. It's not completely pure chance.

Justin Gardner (@rhynorater) (01:15:43.31)
Mm-hmm.

Justin Gardner (@rhynorater) (01:15:48.494)
Yeah, yeah, I agree. All right, so let's move into the staying sharp and motivated section and then we'll kind of move over to the the burnout avoidance. Before we get into the things that are actually like sort of bug bounty related, do you know what a continuous glucose monitor is? Dude, is that what I mean? Yes, it is what I mean. So, so it's like, you know,

Joel Margolis (teknogeek) (01:16:05.79)
I do. And when I saw CGM, I was like...

That's like, what does he mean by this? I mean CGM might help with your staying sharp and motivated, to be honest with you.

Justin Gardner (@rhynorater) (01:16:16.846)
Well, that's what I'm saying. So I've got one sitting right over there, but I got one the other day. Yeah, yeah, I had one in my arm for two weeks, and I got it just as a way to monitor my blood glucose levels and see how I respond to various foods. So I can, no, I didn't, I didn't. I got one prescribed through my doctor. I just said, hey, can you prescribe me one? And he's like, sure. And so I got it hooked up to the app, and it was really interesting to see how

Joel Margolis (teknogeek) (01:16:22.75)
Wait, really?

Joel Margolis (teknogeek) (01:16:31.838)
Did you get the Huberman one? Okay. From the pharmacy? Okay, yeah.

Justin Gardner (@rhynorater) (01:16:46.67)
Fasting plus coffee gets me in this super like locked in, focused state for a while, but then it sort of tails off towards the end. And then what I found is, so I eat a lot of rice because we lived in Japan and we got used to that diet and we just kind of haven't shifted away from it. and, and so, when I eat a bowl of white rice, that just messes with me, dude. Like my, my blood glucose levels just skyrocket and then plummet. And I'm like,

Joel Margolis (teknogeek) (01:17:15.39)
You know why that is?

Justin Gardner (@rhynorater) (01:17:16.27)
Well, I mean, explain it to me. No, I don't know why it is. Yeah.

Joel Margolis (teknogeek) (01:17:20.51)
Well, it's all gluten. It's like, yeah, cause it's, it's grain, right? So it gets converted. It's from gets converted from gluten into glucose. And then, your body has like a massive sugar spike and then it has a massive sugar crash right after. cause there's no, like you're going from nothing to something to nothing.

Justin Gardner (@rhynorater) (01:17:24.494)
Mm-hmm.

Justin Gardner (@rhynorater) (01:17:35.182)
Mm. Mm.

Justin Gardner (@rhynorater) (01:17:40.11)
Yeah, and I know those carbs all sort of break down into that. And so I didn't do as much analysis on it as I should have because I got super busy in those two weeks. But I thought it was a really interesting sort of experiment to say like, okay, this is how various foods at certain timings affect my body and like keep me in a state of being focused or in a state where I can't focus and I'm just super exhausted and dying and falling over.

I really recommend it. I think mine, I think I got four weeks worth of continuous glucose monitors, which is two of them. And it was only like 70 bucks, which I think is a pretty good investment. So I recommend that to anyone who's interested in kind of getting, addressing this sort of sharpness and mental clarity from. So yes, sort of, I don't do it on purpose, but I,

Joel Margolis (teknogeek) (01:18:28.798)
So you do intermittent fasting.

Justin Gardner (@rhynorater) (01:18:36.238)
don't normally eat breakfast and I don't eat late at night after I don't eat after 8pm just as like a family thing. And so I end up doing roughly an 8 16 intermittent fast. And so yeah, I think it really helps. I do eat lunch, but I don't normally eat till like two or three.

Joel Margolis (teknogeek) (01:18:51.774)
Sweet lunch.

Joel Margolis (teknogeek) (01:18:56.382)
Okay, interesting. Okay, so we have probably about pretty similar. I eat once a day usually, but at like two or three. Yeah, so I don't eat breakfast, I don't eat lunch. I eat dinner at like three or four. And then usually what ends up happening though is I end up snacking a lot after that. So that probably isn't great either. But yeah, I've always wondered what my glucose levels would look like just monitoring them because I don't.

Justin Gardner (@rhynorater) (01:19:02.03)
What?

Justin Gardner (@rhynorater) (01:19:07.47)
Really?

Justin Gardner (@rhynorater) (01:19:13.07)
Mm-hmm.

Joel Margolis (teknogeek) (01:19:24.862)
eat anything until like the late afternoon. And I know that like I crash pretty hard, like, and the same thing happens to me where like I'll eat and I'll crash. And so like, I it doesn't like improve my energy levels at all. When I eat dinner, I just like get ready for bed.

Justin Gardner (@rhynorater) (01:19:33.646)
Mm-hmm.

Justin Gardner (@rhynorater) (01:19:39.97)
Yeah. I'm kind of putting off this eating a little bit because it's like, okay, I know as soon as I eat, I'm not going to be able to hack or I'm not going to be able to do anything. So it's like, it's very important, I think, for me to understand, okay, what kind of food should I eat that keeps me sharp and keeps me able to be engaged through the full workday. And to be honest, even if I didn't, the productivity trade-offs in the morning are pretty strong.

Like I feel like I get at least eight hours worth of work done, you know, by like two or three by the time I first eat. And so I think it's really helpful, but it'd be even more helpful if I could prevent that crash. And that definitely depends on what kind of foods I'm eating and then also whether I'm going for a walk or getting some exercise immediately following getting some food in me.

Joel Margolis (teknogeek) (01:20:30.494)
Yeah, yeah, and I think also just having the right things around for you to have available. For me, my ADHD makes it really hard for me to plan or food or want to make food and stuff, especially when I'm in the middle of stuff. I hate getting interrupted and task switching and stuff. So it's a...

Justin Gardner (@rhynorater) (01:20:36.27)
Mm-hmm.

Justin Gardner (@rhynorater) (01:20:42.094)
Mm-hmm.

Joel Margolis (teknogeek) (01:20:53.63)
If there's like nothing readily available for me to just like grab like a bag of like, you know, beef jerky or something like I'm just like, I just won't eat or I just like won't have anything until like I'm like starving. Yeah.

Justin Gardner (@rhynorater) (01:21:03.438)
Yeah, yeah, it's tricky. It's something you definitely ought to be aware of. And I've got a buddy actually that recently started a business here in Richmond. So if any of you guys are in Richmond and are interested in this, then DM me. But he does sort of a private chef. Yeah, like exactly. Have you really?

Joel Margolis (teknogeek) (01:21:18.494)
delivered meal prep. Yep. I've actually done this before. Yeah. Yeah. Yeah. I use somebody for that back in California. And the pricing, well, like wasn't bad at all. Honestly, the hardest thing for me was like the calories. Like a lot of these types of things are generally like designed for people who are like trying to monitor their caloric intake. So you're going to see like somewhere between 400 and 600, maybe 800 calories per meal. And unless you're eating like four of those a day,

Justin Gardner (@rhynorater) (01:21:28.078)
Mm-hmm.

Justin Gardner (@rhynorater) (01:21:36.046)
Mm-hmm.

Joel Margolis (teknogeek) (01:21:45.566)
You're not gonna hit like your normal consumption unless you're trying to cut calories So that can be a lot but like as little quick meals that you throw in the microwave like, you know It's up like either like have somebody, you know deliver it to your door or like do that on the weekend and like portion out like broccoli and bits of chicken and steak and whatever whatever you eat and then just like Throw it in little microwave food boxes and then stack them in the fridge and you're good to go

Justin Gardner (@rhynorater) (01:21:48.91)
Mm.

Justin Gardner (@rhynorater) (01:22:12.174)
Yeah, yeah, no, absolutely. And I think, you know, what my buddy does is he does it a little bit. It's more of a high end service. But still pretty, pretty well priced, I must say, where he will take into account all those things. If you say, okay, I want, you know, one meal that's 2000 calories, right? You know, right? Like if you're eating one meal a day or whatever, right? Then he can make that happen. Or if it's like, I want smaller meals of this amount. I want these macros. I prefer these meats, you know, that sort of thing.

Joel Margolis (teknogeek) (01:22:19.182)
cool.

Justin Gardner (@rhynorater) (01:22:39.63)
He can kind of make it happen to a certain degree, you know, it's still got to make sense for him from like an economies of scale perspective. Well, you know, that's me saying like, you know, because he does have some customers, he mentioned to me, that are like pretty serious, you know, bodybuilding types that need to consume a lot of calories. And so it all depends on what your individual diet looks like, but now, now we've kind of... There marks the end of our edition of Huberman Lab

Joel Margolis (teknogeek) (01:22:44.958)
Dang, I gotta get the recipe for the 2000 calorie meal.

Joel Margolis (teknogeek) (01:22:58.43)
Yeah.

Joel Margolis (teknogeek) (01:23:03.582)
Yeah. Yeah. Anyways, the point is, yeah, the, the point is like there are, there are like a couple of things that I feel very strongly about that. Like when I was younger, I used to, I didn't give a shit about what I ate and give a shit about when or how much I slept. and I didn't give a shit about when or how much caffeine I consumed. And those three things alone are like huge.

Justin Gardner (@rhynorater) (01:23:09.422)
Critical Thinking Edition.

Justin Gardner (@rhynorater) (01:23:14.414)
Mm.

Justin Gardner (@rhynorater) (01:23:19.79)
Mm-hmm.

Mm-hmm.

Justin Gardner (@rhynorater) (01:23:28.718)
Mm-hmm. Yeah.

Joel Margolis (teknogeek) (01:23:33.662)
modifiers to how you're going to feel every single day. Like when you choose to drink coffee, like you should wait like probably an hour to an hour and a half after you wake up before you have any caffeine. You shouldn't have any like at most or at minimum six hours before you go to bed, probably like eight to 12. You should be sleeping at least six hours, probably six to nine, depending on age, gender, et cetera.

Justin Gardner (@rhynorater) (01:23:36.238)
Mmm. Yeah.

Justin Gardner (@rhynorater) (01:23:51.502)
Hmm. Hmm.

Joel Margolis (teknogeek) (01:24:03.774)
And you should be going to bed and waking up at the same exact time. When I was in college, I used to like go to bed at like, I don't know, like 3 a.m., wake up at like six, like, or like whatever. Like I was just like sleeping whenever, however much. I didn't like have alarms. Go to bed at the same time. Wake up at the same time, even on the weekends. Sleep enough. Respect your sleep. If you do not respect your sleep, your sleep will not respect you and it will fuck you up. Oh man. You want to, you want to, you want to like lower your life expectancy? Start sleeping four hours a night like.

Justin Gardner (@rhynorater) (01:24:27.342)
Bye!

Joel Margolis (teknogeek) (01:24:33.278)
My goodness, that is, yeah, straight up slash rant. Three.

Justin Gardner (@rhynorater) (01:24:35.374)
Well, I take my whiskey neat, my coffee black, and my bed at three, and I'm gonna die soon. No. No, no, I go to bed at like 10, so.

Joel Margolis (teknogeek) (01:24:47.454)
You can go to bed at 5 a.m. if you do it every night. I wouldn't necessarily recommend it because yeah, like, you know, there are still like circadian rhythm things that like, you know, going to bed, like when the sun comes out, like third shift, third shift work is classified as carcinogenic in the U.S. because it's so bad for you. Yeah, the hit to your circadian rhythm is so bad that it's shown to cause cancer. So, you know, like there are definitely like certain things that you might want to avoid, but

Justin Gardner (@rhynorater) (01:24:49.55)
Right, if it's consistent, right?

Justin Gardner (@rhynorater) (01:24:57.134)
Mm-hmm.

Justin Gardner (@rhynorater) (01:25:02.702)
Really? Wow.

Justin Gardner (@rhynorater) (01:25:09.902)
Wow, no way.

Joel Margolis (teknogeek) (01:25:15.71)
I think having schedules and standards for your sleep and routine is probably the bare minimum you should do for your body.

Justin Gardner (@rhynorater) (01:25:21.486)
Yeah, no, I totally agree. So keeping, I guess, bringing that all back around at the top of your hand, being aware, especially if you're doing this full time, being aware of what habits you're falling into place, are falling into place when you're eating, how much you're eating, what you're eating, causing various effects on your energy, I think is really helpful for staying sharp and motivated. The next one that I had sort of on the list here is competition and accountability when helpful. So I think...

Just pulling some of the top hackers that I've spoken with over the over the past couple years There are a lot of people that really thrive off of the competition of bug bounty Thrive off of the leaderboards thrive off of the live hacking events. It's it's something that keeps them really motivated and excited so I think that should

Joel Margolis (teknogeek) (01:26:11.55)
record I'm not one of those people, by the way. I kind of wish I was sometimes, but, and I think a lot of the really top people are. Maybe I used to be at some point, but I'm definitely not anymore.

Justin Gardner (@rhynorater) (01:26:23.661)
Yeah, you know, it can change with time too. I definitely used to be more, more competition oriented. And then I think, you know, as you start to understand more of the nuances of the system of like, wow, I actually didn't really try that hard at that live hacking event. And I placed really well. You start to realize that there's a certain degree of it that is just being at the right place at the right time, putting in the hours, that sort of thing. But, but I mean, there is absolutely results that

Joel Margolis (teknogeek) (01:26:35.55)
but

Joel Margolis (teknogeek) (01:26:45.182)
Yeah, for sure. Yeah, finding the right bug, like, absolutely.

Justin Gardner (@rhynorater) (01:26:52.942)
that suggests that people can do it on a regular basis as well. Pretty much every live hacking event that I've seen Franz really give it his all, he's at the top. So I think that there's definitely some aspects to this. So figure out if competition motivates you, set friendly competitions with your other hackers, and if accountability could be motivating for you.

Joel Margolis (teknogeek) (01:27:04.67)
Yeah, for sure.

Justin Gardner (@rhynorater) (01:27:18.925)
then maybe something that I've seen full-time bug bounty hunters do is set up an accountability schedule with other hunters to be like, okay, making sure I'm getting a certain number of hacking hours in per week and that sort of thing. And I've seen this be helpful, and it's been helpful for me in the past too when I've been trying to be, when I've been less motivated to hack and wanted to perform. So.

Joel Margolis (teknogeek) (01:27:43.038)
Yeah, you know, tweet out your weekly stats or whatever, like keep track of it in a spreadsheet, whatever you need to do to like help you stay on track or feel like you're, you know, hitting the goals that you want to hit. Like, I think it's always good to set goals so that you have some sort of objective measurable marker on whether or not you've hit that. And when you're setting those goals, make sure it is something that you can measure. So it, and don't like being fair to yourself. Don't be like, I want to make $500,000 this week.

Justin Gardner (@rhynorater) (01:27:45.262)
Mm-hmm.

Justin Gardner (@rhynorater) (01:27:55.182)
Mm.

Joel Margolis (teknogeek) (01:28:12.638)
because like one, maybe you will, but like the odds of you not are probably higher than the odds of you are. And while that's a good goal to set, it's kind of unrealistic. And if you make $10,000 and then you compare that to the fact that you wanted to make $500,000, you'd be like, wow, I really sucked and didn't hit my goal. And it's like, no, bro, you made $10,000 this week, you're fine. So I think setting goals, being realistic about them,

Justin Gardner (@rhynorater) (01:28:33.774)
Mm-hmm. Mm-hmm.

Joel Margolis (teknogeek) (01:28:39.678)
and having a good perspective for where your performance is and having measurable goals is really important.

Justin Gardner (@rhynorater) (01:28:46.638)
Yeah, absolutely. And that just goes to a lot of the whole self-help theory as well of like SMART goals or whatever. And so that's, that is definitely applicable here as well. The next one that I had is working on something interesting and, or something that you're interested in. And I kind of wanted to get your take on this as somebody who, you know, struggles with ADHD and weaponizes that, and also feels the consequences of that, in your life. So

I think for me, even as somebody that doesn't really super struggle with that, I think I perform much better when I'm super engaged in something. And if you have the flexibility to be like, okay, I'm going to go work on this thing and then I'm going to jump back to this thing and I'm going to, you know, as your sort of interest in certain tasks, ebb and flow, if you have the flexibility to work on something that you're interested in, I think your brain is in more high performance mode in those scenarios. And I've definitely heard of people that

that have ADHD being able to weaponize this pretty effectively.

Joel Margolis (teknogeek) (01:29:48.382)
Yeah. So I think like being able to focus in on something is important. Like I think generally it is possible even with ADHD to like find interest in something, but a lot of Bug Bounty and a lot of, I mean, a lot of everything that you do, but you know, Bug Bounty especially relies around the mental that you have like during that moment. Like you said, when Franz decides that he's going to give it his all in an event, he ends up in the top five, top 10, top three.

Justin Gardner (@rhynorater) (01:29:51.214)
Mm-hmm.

Justin Gardner (@rhynorater) (01:29:54.83)
Mm-hmm.

Justin Gardner (@rhynorater) (01:29:58.574)
Mm-hmm.

Justin Gardner (@rhynorater) (01:30:14.35)
Mm-hmm.

Mm-hmm. Mm-hmm.

Joel Margolis (teknogeek) (01:30:18.014)
because it's commitment, right? He's not, there's no like, let me do this other thing. He's committed. Like he is like head down committed and fully 100%, 150% giving everything he has to try and get finding the coolest, best bugs that he can. And he's working his brain in overtime to try and, you know, make that happen. So a lot of it is around how you're mentally framing the entire situation in your head. Are you taking this seriously?

Is this a target you want to hack or are you just trying to find an XSS? I think to some degree you do need that interest to be like, yeah, OK, I want to hack this target. I want to find a bug here. If you're somebody who does it full time, you're not going to find that for every target, I'm sure. So there is a whole other side to it, which is I want to find this XSS because I need to find this XSS for my stats. And that's a different, but regardless, you need to

Justin Gardner (@rhynorater) (01:31:11.726)
Mm. Mm.

Joel Margolis (teknogeek) (01:31:15.806)
have some sort of motivation that like pushes you to hack on that target. If you're like, I don't want to be here the whole time that you're hacking on that target, you're not going to be really looking, you're not going to find the gadgets and the, and the, the, you're not going to notice the things that you need to notice.

Justin Gardner (@rhynorater) (01:31:31.054)
So I'm going to jump one item down in the list here, Joel, and say something that's sort of contradictory to what I just said, which is I think there's also a lot of merit in staying on the same target longer than you feel like staying on the same target from a motivation perspective. Because what it forces you to do is it forces you to look at a target from a different angle. And once you've done that a couple of times and you sort of flexed that muscle,

Joel Margolis (teknogeek) (01:31:47.934)
Yeah.

Justin Gardner (@rhynorater) (01:32:00.078)
It's not gonna feel like you're sharp and motivated the first couple times you do it, right? But once you've sort of flexed that muscle a little bit, you start to realize that you miss stuff everywhere. Everywhere. All over the place. Everyone does. It's just a part of the breadth of the whole app ecosystem and just how Bug Bounty works in general is you're gonna miss stuff. And that's why there's always stuff to find. So I think forcing yourself to...

take a deep breath, sort of write down or quantify what sort of things you've actually tried on this application and what sort of things you haven't, and then coming at it at a different angle in the long term will give you motivation payoff because you'll start to realize, hey, even when I feel like I've hit a wall, there is more there. And I know that because there was more there this time and this time and this time and this time when I did it.

the evidence suggests that this case is no different. Yeah, what are your thoughts on that?

Joel Margolis (teknogeek) (01:33:02.622)
Yeah, yeah, absolutely. Well, and like this one thing that we talk about all the time is taking notes. And I think like taking notes in the beginning or just like throughout the whole process is really good for chasing down and like pushing yourself to whether it's a time minimum or just like taking really diligent notes and, you know, checking every single path or whatever. Like, you know, you want, like you said, you want to push yourself to actually feel like you're done.

Justin Gardner (@rhynorater) (01:33:08.206)
Mm-hmm.

Joel Margolis (teknogeek) (01:33:32.094)
before you move on with something. But you also don't need to be excessive with it. So part of that is gonna be a time thing as you hack more, you'll gain that sense and you'll be able to better judge when it's time to move on. But even still, both of us take notes, everybody takes notes and circles back and goes, okay, what didn't I look at here? And having a way to look at that is really important.

Justin Gardner (@rhynorater) (01:33:59.182)
Yeah, I'll often take retrospective notes too. Like I'll like just go, hey, I'm on a target for two hours. And then I'll say, all right, what have I learned about this target? And I'll write that down. And what I've actually started doing as I started having some more hard stop times, just as my life became a little bit less flexible, I've started taking Loom videos of myself talking about a target and, and just, I'll, I'll sort of just brain dump on myself, essentially try to give any information that will get future Justin back in the same

headspace as he was when he stopped hacking and watching those videos as soon as I start the next hacking session. And that really, really helps. And I think that one is specifically applicable for people that do part-time hunting and might not be able to hack every day and might have to stop for longer periods of time. Having that in place as a habit will allow you to reduce the amount of time that you spend sort of trying to reignite your...

Joel Margolis (teknogeek) (01:34:37.054)
Mm.

Joel Margolis (teknogeek) (01:34:55.902)
Yeah, catch up.

Justin Gardner (@rhynorater) (01:34:57.39)
your interest in a target and getting back in your flow state. So that's a great one as well. The next two that I wanted to talk about, gadgets and then goals and celebrations. Both of these sort of speak to motivation and controlling your motivation. One, recognizing when you found a gadget and celebrating that win I think is really good. It will keep your momentum going. It'll keep you feeling like you're making progress even if you don't have a report to send in. So we talked about that a lot. So I'm gonna leave that one there.

And then the other one is goals and celebrations. So my wife and I do this for every live hacking event that I do. We select some sort of thing I'm gonna do if I crush it at this live hacking event. Like, all right, I'm gonna, you know, my hot tub was one of them, you know, that I really had to, that was a stretch goal. I had to really hustle for that one. And, you know, sometimes it's as simple as going out to a super fancy dinner with me and her, you know, just.

going blocking off that time, not thinking about money or anything, just saying, okay, this is a reward for a job well done. But defining those goals and getting those in place and time-bounding those is really motivating for me to get done what I want to get done.

Joel Margolis (teknogeek) (01:36:06.59)
Yeah, for sure. And again, this goes back to setting good measurable goals for yourself that are realistic and that you can achieve. Dude, this is a strategy I do every single day. Like if I completed something and I haven't put it on my to-do list, I'll put it on my to-do list and check it off just to be like, yeah, I did something today. Like it's really important to feel completion and feel like you've accomplished things and done things and made progress, especially on those days where it feels like you aren't.

Justin Gardner (@rhynorater) (01:36:17.326)
Mm-hmm.

Justin Gardner (@rhynorater) (01:36:22.83)
Absolutely, I do that too.

Justin Gardner (@rhynorater) (01:36:33.486)
Mm-hmm.

Joel Margolis (teknogeek) (01:36:33.886)
Right, like if you feel like you haven't submitted anything or you haven't done X, Y, and Z, like make a list of the things that you did do today and just go and check them off and be like, yeah, actually I did do a bunch of stuff today. And you know, just put stuff in perspective because, especially with Bug Bounty, especially when you're working alone, it's really easy to just spend eight hours focusing on your computer screen and then be like, shit, it's three o'clock, like I have no idea what I did today but I didn't submit anything so it feels like I did nothing.

Justin Gardner (@rhynorater) (01:36:57.486)
Mm-hmm.

Justin Gardner (@rhynorater) (01:37:01.806)
Yeah. Yeah. And I'll sort of share a vulnerable story about this. I mean, last night I texted you probably 10, 10 PM saying, hey man, I didn't get the notes fully prepped for this episode today like I normally do. I'm going to wake up early tomorrow morning and do it. And the reason for that was I got super fixated on a task yesterday and I was, and it was a big task and I performed super well on it. I got a ton of work done on it. And I'm really grateful that, that I did and that I was that motivated on that day.

but I did not prioritize the thing that I needed to get done for this morning. And that has effects on you and it has effects on other people too. Luckily I was able to get out of bed this morning and get another hour or so of prep in before the episode. But I think there's also something to be said about knowing what times you have flexibility and living in that flexibility, especially as a full-time hunter, that's a great benefit of our sort of life that we lead.

Joel Margolis (teknogeek) (01:37:35.518)
It happens.

Justin Gardner (@rhynorater) (01:37:57.966)
but then also knowing, Hey, there are times I need to write down my tasks and I need, I need to prioritize the thing that will, that are time sensitive, that will give me the most, you know, output for my, for my time and think about that really intentionally. And then just crank it all out, you know, and just hit it. Boom, boom, boom, boom, boom. And I think wisdom sort of should dictate what, what time is what.

Joel Margolis (teknogeek) (01:38:16.19)
Yeah.

Joel Margolis (teknogeek) (01:38:23.102)
Yeah, and I think you'd be really hard pressed to find anybody who like has never procrastinated or has never like spent time doing something that they shouldn't have done. Like it can be difficult. I salute the people who can just immediately be like, okay, I need to work on this thing. I'm going to go work on this thing regardless of what time or how I feel and go do that thing. I'm not one of those people either. Like I can.

Justin Gardner (@rhynorater) (01:38:27.662)
Mm-hmm, yeah.

Joel Margolis (teknogeek) (01:38:46.846)
depending on what it is. I've definitely sat down and been like, shit, I need to do this work thing for tomorrow and it's seven o'clock. I sit down, I open my laptop and I do it. Cause you know, that's life sometimes, right? Like you sleep in the bed that you make for yourself. So if that's something that's my fault and I put it off, like absolutely, you gotta own that. You gotta, you know, sometimes you have to bite the bullet and you gotta do tough things because you made a bad decision at a different time and that's the consequence.

Justin Gardner (@rhynorater) (01:38:58.638)
Mm-hmm.

Joel Margolis (teknogeek) (01:39:15.038)
But not always, right? And so, you know, just this goes a little bit into the burnout stuff, but like, I think one really big burnout philosophy I have is like, don't be, if you're your own boss, especially with like free time, don't be your own asshole boss. Don't be like the guy who's just like, get back to work. It's the weekend. Like you're allowed to have days off. Like it's...

Justin Gardner (@rhynorater) (01:39:41.214)
I'm gonna need this TPS report by Saturday. Could you come in?

Joel Margolis (teknogeek) (01:39:44.382)
Hey, yeah. Hey, yeah. So, I mean, yeah, a lot of, you know, like be fair to yourself, be fair to your time, be fair to your energy. Don't, you know, there's a line that you should draw for yourself in terms of where am I going to force myself and push myself to go beyond my limits? And it's OK to some days drop that line to a different level. And it's OK to have sick days and it's OK to take time off and

It's okay to give yourself some grace because it's hard to be self-employed. It's hard to work all the time. And with Bug Bounty, it can definitely feel like, especially full-time Bug Bounty, it can feel like a rat race where you're just constantly on the wheel. And if you're not on the wheel, you're not making money and you're not submitting bugs and everything comes to a halt. And getting out of that mindset can be really difficult.

Justin Gardner (@rhynorater) (01:40:37.358)
It is, it is, it's tricky. And yeah, I totally second everything you just said about that. And so I'm gonna jump through some of these other ones. We kind of touched on collaboration already, but of course, collaboration can really keep you sharp and motivated, working with other hackers, grabbing little tidbits. And one note I will add on collaborations. If you wanna be a really good collaborator, if that's something that you want to improve on as a hacker, take your partners,

bugs, gadgets, weird functionality, take that really seriously. Like if somebody sends you something and says, hey, look at this, this is kind of sketchy, right? Like, and you get to it and you don't see the sketchiness right away, don't just write it off. Like try to see the sketchiness and try to iterate on that. Try to get excited with them about it. Because we all have different lenses and especially if you're collaborating with someone you respect, which you should always do, I think.

then they might see something that you don't, and you gotta acknowledge that. In addition, so totally different angle, but also work with high quality teams, high quality programs, programs that are gonna give you fast communication, programs that are gonna validate your threat model, your understanding of their threat model quickly, because that will, there's nothing more motivating than a program coming back and saying, wow, that report was a banger, you know, like.

we're shaking in our boots over here, you know? And I think if there's anyone from the program side listening, of course, I mean, Joel is here, so he knows what's up, but, you know, providing that little bit of encouragement to the hackers saying, you know, and really playing into how the hacker wants to feel like, shit, you know, that one really got us, you know, scrambling or something like that can be a massive motivator for the hackers. And so working with teams that give you that and for teams,

Make sure you're giving that to the hacker because that's one way for sure to keep loyalty to your program.

Joel Margolis (teknogeek) (01:42:39.39)
Yeah, yeah, I totally agree. I mean, right. It's like a two way street, you know, from the researcher's perspective, like somebody has to extend their hand first in a handshake, you know, like, and both parties have to do it for it to happen. And so it does take some, some cooperation and some, you know, like, I don't know. I think a good analogy is like, if you've ever had a conversation with someone who like doesn't carry their side of the conversation, it's never fun.

Justin Gardner (@rhynorater) (01:42:43.118)
Mm-hmm.

Justin Gardner (@rhynorater) (01:42:48.622)
Mm-hmm.

Joel Margolis (teknogeek) (01:43:08.03)
and it doesn't feel like a fulfilling conversation, you're probably not gonna wanna have another conversation with that person. And that goes the same way for a report. Like if you provide like very minimal, like just like shortened to the point, unless you're consistently doing that type of research, the program is probably not gonna be like, wow, like great research. But like if you go out of your way, out from the gate to like demonstrate that you're like a quality researcher, there's a lot of like thought and time and effort and energy put into your hacking. Like the program will acknowledge that, should acknowledge that and respect.

Justin Gardner (@rhynorater) (01:43:38.158)
Yeah, first impressions in Bug Bounty are also important, you know, making sure that first report comes through with a real banger as much as you can.

Joel Margolis (teknogeek) (01:43:38.878)
appreciate that. And, you know, yeah, first impressions everywhere.

Joel Margolis (teknogeek) (01:43:47.166)
I really feel like a dad on this episode. I'm just giving life tips. Sleep at an appropriate time. Don't drink coffee.

Justin Gardner (@rhynorater) (01:43:51.086)
Hey man. Justin and Joel, you're bug bounty dads. That sounds like we're a gay couple. You're bug bounty dads. No. So we're both married. Not that there's anything wrong with that, but yeah. So anyway, the last thing that I had on the list here was routinely reducing the friction in your workflow, right? And...

Joel Margolis (teknogeek) (01:44:01.086)
Ha!

Justin Gardner (@rhynorater) (01:44:19.31)
I wanted to talk about this one because there's friction in everybody's workflow, right? There's areas where you are having to do something manually, you're testing something that just takes more time to go through the hoops to do it. And there's some way that you can automate it and make it better. And I think one of the things that really helps me from a motivation perspective is taking the time every couple weeks

whenever I see these sort of things popping up, just dropping them in my certain project in my to-do list and actually taking the time to actually implement those and then appreciate them as soon as you're actually using them, right? Like, wow, I just right clicked and selected this thing and automatically did it. This rocks.

Joel Margolis (teknogeek) (01:45:06.398)
Yeah, like I guarantee it's it's going to be one of those things that every time you use that tool, you're going to be like, wow, this is so much easier. I should have done that. Like, wow, this is so nice that I just run this one command or just give it these three arguments. Why didn't I do that earlier? And I think a lot of it for me, a lot of the time is, do I really want to spend that time writing this thing? Like I'll just do it. I just want to follow this bug. And like, again, like follow the energy, like ride the highs, ride the lows.

Justin Gardner (@rhynorater) (01:45:13.198)
Mm-hmm.

Justin Gardner (@rhynorater) (01:45:17.134)
Mm-hmm.

Mm-hmm.

Joel Margolis (teknogeek) (01:45:33.726)
but also know when to spend your time fixing a problem and like fix things that are annoying to you, right? It's like a squeaky door. You know, you get the hinge, you open, you open that one door in your house and every time you open it, it squeaks and you don't realize it bothers you. But now that I've said it, I guarantee you're going to go open a door and you're going to be like, fuck that hinge is, go get some oil and oil the hinge. It takes five seconds.

Justin Gardner (@rhynorater) (01:45:47.758)
Mm.

Justin Gardner (@rhynorater) (01:45:53.005)
Dude, dude, I went up.

I went on a vacation this past weekend and the house that I went to, the stairs were silent. Like you walk up the stairs and nothing, nothing, you hear no squeaks, right? And I was like, what is this? Like, no, it wasn't. And it was a beach property as well. So I'm like, no idea how they did that. But like, I get back to my house and I'm like, walk up the stairs. I'm hearing, crr, crr, crr, crr. I'm like, drat, you know? Like, and it -

Joel Margolis (teknogeek) (01:46:06.973)
SILENCE

Joel Margolis (teknogeek) (01:46:11.134)
Whoa. Was it just built?

Joel Margolis (teknogeek) (01:46:17.95)
Whoa.

Joel Margolis (teknogeek) (01:46:24.926)
Back on the construction combo, I have a feeling I know what they did here, okay? It's a three-part combo. Nails, screws, and glue. All three, it'll never squeak, but you also never get them off.

Justin Gardner (@rhynorater) (01:46:27.214)
my gosh.

Justin Gardner (@rhynorater) (01:46:32.974)
my gosh.

Yeah, yeah, well, you know, at this point, I'll take them off, do something to them at some point because it's driving me nuts. But, okay, so that's the end of the staying sharp and motivated section. Let's move into the burnout avoidance. I think I only have a couple little tips here and I've kind of talked about my ideology about this a couple times. I think the number one thing that helps me avoid burnout as a full-time hacker for nearly five years now is

not putting my self-worth into hacking. Okay, so if you are the kind of person that says, wow, I think less of myself if I haven't found a bug recently, or I think less of myself if, you know, I'm not ranking in the top, you know, whatever percent in a live hacking event. You should really try to minimize that as much as you can. I will say you might lose some competitive edge if you do that.

But my experience has actually been the opposite. When you sort of disconnect from that, you put your self-worth in something more consistent. I'll just say intrinsic, something that is not as unstable, something that you control internally. Then that will be a lot better for your mental health and your burnout. Yeah, and well absolutely, have sex. Right, okay.

Joel Margolis (teknogeek) (01:47:51.422)
Touch grass. Have a hobby. Make children.

Well, don't do it. You don't have to make children. Get children. Adopt children. Okay, this is getting out of hand.

Justin Gardner (@rhynorater) (01:48:03.534)
Thank you. Exactly. So, you know, there's lots of lots of ways to do that. But I think having an intrinsic self-worth indicator is really important. Taking breaks, like you said, having hobbies, doing something outside of bug bounty because and here's the tricky thing, dude, because when you go full time bug bounty, probably what happened is your hobby just became your job. And

When that happens, it's very hard to reallocate that time and mental space because, and it's great, because you love your job and you're doing your job that you love every day and it's wonderful. But also you have to make space for other things. So make sure you're doing that intentionally if you're a full-time hunter because it will bite you in the butt if you don't.

Joel Margolis (teknogeek) (01:48:45.182)
Yeah, yeah, the one little anecdote I'll leave with and I think we probably get in because close on time. But I do have a friend who he probably a year or two ago, he completely pivoted into a different job from one thing into something completely opposite. And he did it very diligently for a year and a half or two years. And then recently he was like, you know, this was a mistake actually. You know, I realized that after

Justin Gardner (@rhynorater) (01:48:47.47)
Mm-hmm. Yeah, you gotta bounce, yeah.

Justin Gardner (@rhynorater) (01:48:58.51)
Mm-hmm.

Joel Margolis (teknogeek) (01:49:11.838)
after doing this for a while, like it's a really big grind. The drawbacks where there are drawbacks are huge and the upsides are huge too, but it's not worth it. It's not giving me fulfillment and joy in the way that I wanted it to. And so he's going back. He's going back to doing what he was before. But yeah, so it's, yeah, it's, it's very interesting to just, you know, to see, you know, I would say like, it's important to, to be real with yourself about turning something that you enjoy into a job and what that means to the relationship you have with that thing. Whether that's a hobby, whether that's a side project, a part-time job, anything, like if you decide to,

If you decide to turn that into something that's going to be your source of income, it's going to change the way that you view it. And when you wake up and have to do it to make money, instead of waking up and getting to do it because it's fun, it's very different.

Justin Gardner (@rhynorater) (01:50:14.062)
Mm, yeah, totally agree, man. All right, I know you got to bounce. We got a hard stop. That's a wrap.

Joel Margolis (teknogeek) (01:50:20.222)
Yep, that's a wrap. See you.

Justin Gardner (@rhynorater) (01:50:21.23)
Peace.