July 4, 2024

Episode 78: Less Writing, More Hacking - Reporting Efficiency Techniques

Critical Thinking - Bug Bounty Podcast

Episode 78: In this episode of Critical Thinking - Bug Bounty Podcast we’re talking about writing reports. We share some tips that we’ve learned, and discuss ways that AI can (and can’t) help with that process. We also talk about the benefit of using tools like Fabric, Loom, and ShareX.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Resources:

XSS WAF Bypass by multi-char HTML entities

Shazzer

Next.js and cache poisoning

Nagli's Nuclei Template

hey why can't you fix this one bug

Justin's reporting templating software

Fabric

BB Report Formatter

2to3 Automated Python Converter

ShareX

Skitch

Timestamps:

(00:00:00) Introduction

(00:04:00) XSS WAF Bypass by Multi-char HTML Entities

(00:11:59) Next.js and Cache Poisoning

(00:18:03) Nagli's Nuclei Template and Sean Yeoh's Blog

(00:27:34) Report Writing and AI

(00:50:02) Reporting tips

Transcript

Joel Margolis (teknogeek) (00:00.154)
Man, if only the audience did the blooper that we just had.

Justin Gardner (@rhynorater) (00:02.025)
man, that blooper. We're gonna have to send that one to the critical thinkers, I think. So, anyway, let me get back to the subject matter. I'm prepping for this Defcon talk right now, and essentially it is a summary of all of the crazy bugs I've found within the past couple years. And dude, that memory of me and you popping that router, that was the best fan. That was such a fun bug.

Joel Margolis (teknogeek) (00:06.458)
Ugh.

Joel Margolis (teknogeek) (00:28.154)
Yeah, I'm really excited to see what you're able to, well, maybe not what you're able to, but what you're going to say about that.

Justin Gardner (@rhynorater) (00:35.657)
Yeah, dude, I have like this meme of you and you know, like I want to say it was probably when like, man, I think it was when HackerOne did like a, like a photo shoot in like the streets of New York back in the day. And you've got your like hood up and your glasses on and you just look so bad ass. And I've just.

Joel Margolis (teknogeek) (00:48.986)
Yeah.

Joel Margolis (teknogeek) (00:55.322)
There's a picture of Andre from that same photo shoot. We posed next to like the same sign. Yeah, yeah, somewhere. There's a there's a X ACB photo as well.

Justin Gardner (@rhynorater) (00:59.689)
Yeah, really?

Justin Gardner (@rhynorater) (01:05.353)
I have to say that that photo shoot that HackerOne did with y'all was like one of my like core motivation features. You know, like I saw that and I was like, I have to become a live hacking event hacker. Like it is, it is my fate and voila, here we are. Indeed, indeed. All right, man. All right. So, we got a couple of things to hit today before we talk about our primary topic, which is

Joel Margolis (teknogeek) (01:20.602)
That's awesome.

Here you are, manifest. That's awesome.

Justin Gardner (@rhynorater) (01:35.273)
less writing, more hacking, essentially how to write reports quickly and well for bug bounty programs. And I've got a tool I'm gonna release with this. So should be pretty fun. Yeah, I normally drop these things first to the critical thinkers, but this one I was like, you know what, I'm gonna just drop this one for everyone this time.

Joel Margolis (teknogeek) (01:43.066)
Ooh, this is awesome. Yeah.

Joel Margolis (teknogeek) (01:51.29)
Yeah, I saw these links in the, in the doc and I was like, these, is this like new? Like, what is this?

Justin Gardner (@rhynorater) (01:56.981)
Yeah, yeah it is man. I just got it PR'd into the project, but we'll talk about that in a second. News. Really cool thing happened this week. I saw a post on Twitter from the RCE man and then I saw Gareth Heyes comment on it with one or with two chilling words. Nice research exclamation point.

Joel Margolis (teknogeek) (02:02.49)
Awesome.

Joel Margolis (teknogeek) (02:21.562)
Underrated reply.

Justin Gardner (@rhynorater) (02:23.753)
Seriously. And when Gareth, you know, when that's coming from Gareth, it's like, okay, we done something right. You know? And this was the tweet regarding essentially XSS WAF bypasses by using multi-character HTML entities. And from what I can tell, there's just like a bunch of entities that I didn't know existed, like the ampersand, and then you do some, you know, ASCII string and then the, the semicolon.

And if that is being interpreted by the server and getting HTML decoded, even if it's checking for less than or something like that, there are some weird attributes like ampersand NVGT or ampersand NVLT, which will convert into the less than and greater than signs plus some other Unicode character. And I thought this was rad.

Joel Margolis (teknogeek) (03:17.754)
Yeah, I'd never heard of these by the way. And I don't know if you saw, there was actually a second reply that Gareth sent to this tweet as well, which was a link to Shazzer, which is a tool that we talked about last week. And well, actually the initial reply is broken, but he followed up with, with a new fuzz on it. But Gareth added a fuzz to Shazzer that tests for this specifically.

Justin Gardner (@rhynorater) (03:24.713)
Mm-hmm, mm-hmm.

Justin Gardner (@rhynorater) (03:29.801)
Mm-hmm.

Justin Gardner (@rhynorater) (03:38.089)
Mm-hmm.

Joel Margolis (teknogeek) (03:43.93)
and finds all of the ASCII or URL encoded values that'll work in JavaScript URLs, which is great. So now you know what things you can put in there that will actually work and bypass there. So.

Justin Gardner (@rhynorater) (03:48.969)
super fascinating.

Justin Gardner (@rhynorater) (03:57.257)
Yeah, yeah, no it seems really rad and and essentially it looks like he just kind of hit it with I'm not actually sure where he's getting the the source for all this but There's a bunch of different Strings you can put in between those the ampersand and the semicolon sign and it's interesting though because that if you use the one that they mentioned in the tweet it becomes a less than and

a string, like a Unicode string, right? So it's like, I'm not sure if this is actually gonna, because it's not a valid tag, right? So the less than one is a little bit like, I mean, maybe it would work in those scenarios where HTML, like you're able to trigger an XSS using any HTML attribute, like there's some stuff in the Portswigger XSS cheat sheets that's like, you know, this onClick handler or whatever will work with any element and they always just use the XSS element or whatever.

Joel Margolis (teknogeek) (04:33.754)
Yeah.

Justin Gardner (@rhynorater) (04:55.912)
So it might work in that scenario, but the one that I'm more excited about is the ampersand NVGT semicolon entity. And that one will do the greater than sign, which will allow you to close off tags, which could be really, really helpful.

Joel Margolis (teknogeek) (05:13.434)
That's awesome. That's awesome. Yeah, so this is super, super cool. I love this kind of research. I'm sure that there are probably some other instances of this as well. And the Shazzer thing from Gareth is actually specifically for URLs. So one example that he showed is that if you do like an a href with JavaScript colon one and hat, semicolon alert one,

Justin Gardner (@rhynorater) (05:24.233)
Mm.

Justin Gardner (@rhynorater) (05:32.649)
Mm-hmm.

Justin Gardner (@rhynorater) (05:41.865)
Mm-hmm. Mm-hmm.

Joel Margolis (teknogeek) (05:43.13)
then that will work, I guess. So that's just a very interesting bypass. There's a lot of these characters in HTML encodings that seem to work. So I definitely recommend taking a look at the fuzz that he put through. Yeah.

Justin Gardner (@rhynorater) (05:55.401)
Yeah, that one was kind of interesting. I wasn't sure, I'm not sure about that one. I wanna go and actually check and see if that works, because that doesn't make a lot of sense to me, that it would work with that, you're talking about the one with the JavaScript URL? Yeah, that one, I don't know about that one. I see that he put that in there just to kind of smuggle in the J character or whatever, but I think that might only be in some niche scenarios where it cuts off the first string. But if it actually does work, that would be nuts.

Joel Margolis (teknogeek) (06:07.418)
Yeah, yeah.

Joel Margolis (teknogeek) (06:22.778)
Yeah, yeah, I don't know. It's super weird.

Justin Gardner (@rhynorater) (06:25.033)
Yeah, so actually, you know what? Let's just check it out right now.
All right. Let's go ahead and move along. I'm still a little bit stunned, honestly. That's really, really interesting. Let's, let's go ahead and move along to the next one though. This was some research that came out this week, Next.js cache poisoning, and you can read through it and it's, I mean, there's definitely a good technical write-up in here. But here are some of the takeaways I had from this. Okay. One, I think cache poisoning might be the new like,

subdomain takeover. Yeah, I think like, you know, subdomain takeover is super duper competitive nowadays. And the recon boys, so to speak, are having to pivot into different attacks, different attack vectors to, you know, spray across a mass scale. And I think that the best way, that this might be one of the best ways to make money.

Joel Margolis (teknogeek) (12:55.482)
Yeah.

Justin Gardner (@rhynorater) (13:22.185)
through mass automation at this point is mass scanning for cache poisoning. And I'm looking at, cause I'm looking at this write up this guy did and he made a chunk. I mean, there, there are probably 20 something reports here at least, that he associated with this one bug all, all paid out and accepted and triaged, just from this one, this one thing. So I think cache poisoning could be the way to go.

Joel Margolis (teknogeek) (13:45.914)
Yeah, that's pretty good. Yeah, I mean, so I think we're definitely seeing sort of the pivot. I mean, automation has always been like a very fluid sort of thing where it depends on like what's exploitable in mass and what's what there's a lot of and like where the competition is and like how to get that edge and stuff. And so you've definitely seen like subdomain takeovers sort of being starting to be solved as a systemic problem where all the providers

Justin Gardner (@rhynorater) (14:13.673)
Hmm.

Joel Margolis (teknogeek) (14:15.482)
who are vulnerable to subdomain takeover are implementing methods where like they're no longer vulnerable to it because I think their customers are complaining about it and what I like they're getting lots of reports and stuff. So right like so you know because when you get a subdomain takeover for a third party product you're going to reach out to a third party and say hey like we have this issue like how do we fix it right. So you know it makes sense. But yeah you're definitely seeing this shift where now like subdomain takeovers are starting to get harder and harder and more competitive and it's like a super

Justin Gardner (@rhynorater) (14:21.417)
Yeah, I would be too.

Justin Gardner (@rhynorater) (14:43.465)
Mm-hmm.

Joel Margolis (teknogeek) (14:44.89)
fast race to claim it first and all that kind of stuff. So, you know, when you pivot to a more complex vulnerability or something that's a little more technical, you get that edge and it's a much better payout.

Justin Gardner (@rhynorater) (14:52.873)
You do, and I think the cache poisoning, the beauty of the cache poisoning thing is it's something you can validate pretty easily automatically, right? Like, if I add this header, does the response drastically change, you know? I think that's pretty validatable, and I know that there are a lot of people doing cache poisoning at scale already. I've had some good conversations with people about that and building out automation and making quite a bit off of it, so definitely something to look at.

Joel Margolis (teknogeek) (15:17.786)
Yeah.

Justin Gardner (@rhynorater) (15:21.385)
there for anybody who's big into the recon space. Other takeaways I had from this was just get the code base for whatever technology you're trying to look at and just grep for headers, grep for x dash or whatever, right? And any mention of customized headers within these sort of frameworks and something like that, there's a lot of possibility. I think that's a really interesting attack surface that's kind of underestimated because

A lot of times we're looking for parameters and trying to trace the data as it flows through query parameters or body parameters or whatever, or JSON blobs, but we're not necessarily thinking about, okay, wait, I can also trace my input from custom HTTP headers. So that's definitely another attack surface to keep your eye on. And then the next one was, I just love this quote from this writeup. It says, quote,

the application was cache poisoning itself. And so the devs added this cache buster. And I think that that's a really good takeaway from this, right? If you see a cache buster anywhere, the application was likely cache poisoning itself and the dev is like, how do I fix this? cache buster, right? And so I think that's always a good place to look for those vulnerabilities.

Joel Margolis (teknogeek) (16:46.778)
Well, and it's also like, again, pull down the source code and look through some of that stuff. Go back. One thing I love to do is if there's something like a cache buster, for example, and you notice there's a cache buster on GitHub, click blame. There's a little button for it. Okay. And, and it's, it's a git blame. It, you know, it's, it's sounds a little more mean than it is, but really what it is, is it's a log of every line in the code who committed that line. And.

Justin Gardner (@rhynorater) (16:51.017)
Mm-hmm.

Justin Gardner (@rhynorater) (16:59.465)
Mm-hmm.

Justin Gardner (@rhynorater) (17:03.977)
Hahaha

Joel Margolis (teknogeek) (17:16.698)
And you can go and you can view the commit so you can see, okay, the line that added this cache buster was from this commit. You go to that commit, you see what PR it came from. It was probably the commit that went and fixed that original cache poisoning. Now you go and you look and see, okay, where was this affecting? Where did they fix this? How did they fix this? Is there a bypass? Yeah.

Justin Gardner (@rhynorater) (17:29.449)
Mm-hmm.

Justin Gardner (@rhynorater) (17:34.96)
Yeah. Yeah. Or you, what I thought you were going to say was you run a git blame, you find the developer that did that shit, and then you look at everything else that they've ever written in that code base and be like, all right, let's just pick on this guy. That's hilarious. No.

Joel Margolis (teknogeek) (17:43.13)
You shame them? Wow.

Goddamn Justin. Justin's a savage. Justin's like, I want to take this person and make their life horrible. I want to find every mistake they ever did.

Justin Gardner (@rhynorater) (17:58.025)
Yeah. Could you imagine if it's like, if it's like, if you just did that to one developer and like, you just submit like 15 bugs and they're all from this guy's code base.

Joel Margolis (teknogeek) (18:06.298)
You

Joel Margolis (teknogeek) (18:11.962)
That's so mean. He's like, I just noticed that John Smith committed this.

Justin Gardner (@rhynorater) (18:18.185)
Yeah, your arch enemy is like a dev on an open source project or something like that and you're just like, you, you're going down.

Joel Margolis (teknogeek) (18:24.186)
You're just like tagging him on every issue you file. So speaking of things at scale, you saw this tweet from Nagli, right?

Justin Gardner (@rhynorater) (18:32.777)
Yeah, dude, okay, so that was kind of a weird situation. I want to get your take on this as an AppSec guy, okay? So, Nagli tweeted out this nuclei template about how exactly to scan for this sort of polyfill.io domain takeover that occurred. And it's crazy because I've seen polyfill.io everywhere, man. And essentially the situation with this was that domain got sold to...

bad people essentially, and now they have like a back door on every website that's ever used polyfill.io. Which I feel like there needs to be some sort of like regulation surrounding this at the domain level, you know? My American is screaming right now saying, freedom, blah, blah, but like, man, if you have a domain that is so widely used in so many ways, there needs to be some sort of transfer.

system or surrounding that applied at the domain level because, man, just transferring that away to rogue actors gave a back door into a ton of websites.

Joel Margolis (teknogeek) (19:41.69)
Yeah, yeah, it's super, super wild. It's really interesting. So one thing I was thinking about recently is that there's a new PCI requirement for anybody who deals with PCI and stuff. But one of the PCI requirements is that you have to have change and tamper detection on payment and checkout pages. And not in the sense of monitoring for code changes, but monitoring for dynamic changes, like scripts that are loaded that are

not expected or that they have changed signature and stuff. And I think that's a very interesting call out in retrospect on like this sort of vulnerability, because if any company that has that sort of monitoring would probably have noticed this. So it's just something, you know, very interesting that I was just thinking about the connections between the two of those and, and, you know, how it would have played out from sort of like an AppSec perspective.

But yeah, as a whole, I mean, these types of things are like very difficult to find and detect. Like even what I just like mentioned of like monitoring for dynamic script execution on a website, it's a very difficult thing to do. Like you basically have to, you know, use like some headless browser or something like that to, you know, load the page and then somehow you have to hash it and like, yeah, it's, you know, it's a very, yeah.

Justin Gardner (@rhynorater) (21:02.345)
Mm.

Justin Gardner (@rhynorater) (21:06.729)
Dude, that's a pretty interesting sort of business idea, isn't it? Monitor the upcoming changes to PCI-compliant specs and say, okay, they're gonna make this requirement for us to have this headless browser that does change monitoring or whatever. Here's your solution.

Joel Margolis (teknogeek) (21:17.946)
I promise it exists, don't worry.

Joel Margolis (teknogeek) (21:28.762)
I promise if you search PCI 11.6.1, you'll get there's like at least five or six companies that are doing exactly that.

Justin Gardner (@rhynorater) (21:32.969)
Yeah.

Justin Gardner (@rhynorater) (21:38.793)
Yeah, my gosh. Yeah, look at that. Wow. Crazy. Yeah, well, I mean, like in the future, it's kind of an interesting thing. Like, like, I'm sure there will be changes to the PCI spec in the future. And I think that they goes through like a review process first where in that those reviews are public. So as soon as that gets released and there's a new a new requirement in place that requires some sort of technical solution.

Joel Margolis (teknogeek) (21:48.346)
Yeah. absolutely. Yeah.

Justin Gardner (@rhynorater) (22:03.977)
getting a head start on deving that, deving that, deving that, and reaching out to organizations that are gonna need it. I think that's a really great business model. Anyway, so it was interesting to see that Nagli released a nuclei template for that. That definitely helps. I don't know that, I mean, and he's kind of doing it related to Shockwave. I don't know that that would result in bounties. What do you think about that, Joel?

Joel Margolis (teknogeek) (22:11.706)
Yep. Yeah, absolutely.

Joel Margolis (teknogeek) (22:28.57)
Yeah, so I don't like just simply pointing it out is one of those things that I guess it depends on the program. Like some programs will probably like maybe as a thank you if they didn't know or something. I have a feeling it's probably also maybe one of those things where the platforms would like potentially argue that it's like a zero day or something like that. I don't know. I think it's definitely like a nice thing to do, but you probably shouldn't expect a bounty like.

Justin Gardner (@rhynorater) (22:39.497)
Mm-hmm.

Joel Margolis (teknogeek) (22:57.626)
You know, if you have the automation set up, like I can see for somebody like Nagli that it's a good business proposition to be like, hey, I'm not expecting a bounty. Just want to let you know I have this software called Shockwave. It detected, you know, this vulnerable software on your website. You may want to fix that also. If you want to sign a contract, here's my email. Like, you know, and like do something like that. But that's kind of a unique angle, right?

Justin Gardner (@rhynorater) (23:02.953)
Mm.

Justin Gardner (@rhynorater) (23:16.073)
Yeah. Yeah.

It adds value and man, he's on top of all these things, dude. He pinged me a couple days before the Magento thing hit the public and was like, hey, this is going to be crazy. And he's got a good, a good feed on that. So yeah, it's pretty good for shockwave. What's this other thing you got on here, man?

Joel Margolis (teknogeek) (23:35.002)
He's got his finger on the pulse. Yeah, nice.

Joel Margolis (teknogeek) (23:41.562)
Okay, yeah, so okay, so Sean Yeoh, you know, friend of the pod. He tweeted out this amazing blog that he wrote, I guess, and it's titled, Hey, why can't I get, what was the title again? I can't, my mouse. Yeah, hey, why can't you fix this one bug? And it basically chronicles a researcher being like,

Justin Gardner (@rhynorater) (23:59.081)
Hey, why can't you fix this one bug?

Joel Margolis (teknogeek) (24:09.338)
You know, imagine your security research, you scan the internet, you find this endpoint on some company, you submit the bug hoping for, you know, easy, easy, you know, easy money. And then you're like, well, I can't develop or just remove the route. And it's a walkthrough of like the other side of the conversation. And it's such a great blog. you know, we've definitely had this conversation, multiple different times, but I think this does a great way of illustrating it in more depth on sort of a generic level.

Justin Gardner (@rhynorater) (24:17.001)
Easy money.

Joel Margolis (teknogeek) (24:38.906)
of what it's like being a security engineer and like the process that you go through and the days turned to weeks, turn to, you know, whatever, as you're just trying to like figure out how to fix this and who owns it and where it is and what the issue is. And meanwhile, all the researchers sees is like, Hey, where's my bounty bro? Like, they're like, why can't you just remove the route and the researcher, I think a lot of the time researchers like, they think that.

Justin Gardner (@rhynorater) (25:01.833)
Could you just remove the route, please?

Joel Margolis (teknogeek) (25:08.826)
every website is just like a, like a, you know, 30 lines of flask code and like a Python file. And they're just like, what do you mean? There's like, there's just a route handler. You just like highlight 15 lines of code, you press delete, and then you save and you rerun the Python file. Like, what's the big, this shouldn't be that hard.

Justin Gardner (@rhynorater) (25:17.161)
Yeah man, that's how my apps are.

Justin Gardner (@rhynorater) (25:25.801)
Exactly.

Justin Gardner (@rhynorater) (25:29.449)
I was reading through this and I was like, man, this is absolutely me. Like I am, I'm going through here and you know, every step along the way, he's like talking about all this like L7 load balancing and like Lambda this and blahdy, blahdy, blah that. And I'm like, I have no idea what you're talking about. Like I consider myself pretty like familiar with, I guess application architecture and stuff, but like.

Joel Margolis (teknogeek) (25:33.114)
Ha ha!

Joel Margolis (teknogeek) (25:42.458)
Hahaha.

Justin Gardner (@rhynorater) (25:55.945)
Nah, like, like I only know it from the outside, man. I only know it from the outside. And it seems like this is a really interesting read for me because there's there's so much more to it than I than I anticipated. And, you know, the at one point somewhere in here, he says, like, you know, I figured out sort of roughly where it is. But wait.

Joel Margolis (teknogeek) (25:57.53)
It's different, man.

Justin Gardner (@rhynorater) (26:19.465)
I can't touch that. I don't have privileges to touch that. And can I get a dev to touch it? Not a chance. It's Q2, you know, like nothing happens in Q2. And I'm like, what? How does this, what?

Joel Margolis (teknogeek) (26:26.49)
Yeah. Yeah. Yeah. Yeah. It's so real. It's so real. Yeah. So I would recommend anybody who's just, I'm sure everybody's had this thought at one point that's like, why can't they just remove this? Like what's, like what's taking so long, whatever. Read through this blog post. It's a very, it's a short read. It's very easy to read. It's a good read.

It will definitely put you in the mindset of like what it's like to be a security engineer. And then I would recommend that anytime you're like, what is taking this team so long? Just pull this up, read through it and be like, yeah, that's why.

Justin Gardner (@rhynorater) (27:04.841)
Yeah, I love this line at the end too. He says, as a bonus, you get to spend another week after all of this figuring out how to do regression testing so all future deployments don't have it again and no one accidentally reintroduces the bug. If you're lucky, you'll have someone report that one edge case later that you forgot to consider and then bundle it with a free consultation about how an ASM product can solve this problem for you.

Joel Margolis (teknogeek) (27:26.106)
I did not even play that. I didn't read that end part. That's so funny.

Justin Gardner (@rhynorater) (27:32.777)
Which is like, which is like has Nagli. I love how we put that right after our segment on Nagli too. That's great. Well.

Joel Margolis (teknogeek) (27:38.682)
Wow, that's amazing. Anyways, this is this is a great blog from Sean. So go check it out on his blog I think this is a new blog for him you mui .pw and me w y But yeah, we love Sean

Justin Gardner (@rhynorater) (27:44.457)
Mm-hmm.

Justin Gardner (@rhynorater) (27:48.425)
Mm.

Justin Gardner (@rhynorater) (27:54.089)
Yeah, Sean is great, dude. Yeah. Wow. That's that's hilarious, man. All right. So let's let's get to the topic matter for this week. And I guess I'm going to go ahead and start with what's down towards the bottom of the dock, Joel, which is lately I've been thinking, OK, AI, right? How can it how can it help? Lately, I've been thinking, how's Justin's just kind of sitting there in the hot tub. Hmm. AI.

Joel Margolis (teknogeek) (28:08.762)
Sure.

Joel Margolis (teknogeek) (28:14.426)
Hey, lately I've been thinking AI. Who hasn't? I told Justin yesterday that if he had any ideas for how to do something related to the podcast, that he should write it down and he's out here thinking about AI instead.

Justin Gardner (@rhynorater) (28:26.281)
you

Yeah.

Justin Gardner (@rhynorater) (28:32.553)
Yeah, no, no, I was sitting in the hot tub thinking about AI, not those things. So as I was sitting in the hot tub thinking, hmm, AI, as I do, you know, I'm thinking what are the ways that this can apply to bug bounty hunting and hacking? And there's a lot of applications that kind of pop into the brain. But what large language models are best at is dealing with text and human parsable text, really. They do great work with code and stuff like that too, but

Joel Margolis (teknogeek) (29:02.074)
can.

Justin Gardner (@rhynorater) (29:02.185)
Mainly writing and generating text is what it's great at. When do we have to generate text in the bug bounty flow? For the report.

Joel Margolis (teknogeek) (29:09.978)
The worst part, I'm not, dude, I'm not gonna lie. I literally like writing reports is, it pushes me over the edge sometimes. Like I will literally, I'll find something and I'll be like, is it really worth my time to write this report? No. Even if I find something critical, I'll be like, ugh, now I have to write this up? I have to try and explain this.

Justin Gardner (@rhynorater) (29:20.201)
It's Batman.

Justin Gardner (@rhynorater) (29:26.729)
Is it worth writing the rep - well, see, and then -

Okay, so I do not have that problem. If it's a critical, I'm normally like super hyped to write the report. I'm like, let me show them how I like did this and I like bypassed that and I went, whew, whew, whew, like, you know, like, that's what's happening in my brain. But yeah, and so, but what I don't love writing is the stupid, like, reflected XSS reports. I'm like, okay.

Joel Margolis (teknogeek) (29:43.418)
That was like a little snapshot of St. Joseph's brain for a second.

Justin Gardner (@rhynorater) (30:01.353)
Here's a quick little reflected XSS. Obviously, you can just grab the token and get account takeover or whatever. There's not this whole technical thing. Normally, if there's some cool flow where I do this OAuth thing and grab the code and get ATO, then it feels a little bit more fulfilling. But when it's super basic, it's just really annoying. So, mm.

Joel Margolis (teknogeek) (30:03.93)
Yeah.

Yeah.

Yeah.

Joel Margolis (teknogeek) (30:20.346)
Yeah. So, so let's start with that, right? Like the first, the first tip and the thing that I always like, and I know you have something for this is report templates, right? I know HackerOne has this natively. I assume Bugcrowd and the other platforms probably do to some extent. If not, just keep a folder on your, on your computer and probably put it on GitHub, which, cue Justin talking about this repo.

Justin Gardner (@rhynorater) (30:44.009)
Yes, thank you. Yeah, I get it. Which, yeah, so listen, here's the thing about the report templating thing, okay? I do have a repo, github.com slash rhynorater slash reports, that is essentially a report templating software that I used back in the day when I was doing a bunch of automation stuff and I was just submitting the same bones over and over and over again. Subdomain takeover, blah de blah de blah. Then, you know, take the domain, run a dig plus trace on it.

take the output, put it in the report, that sort of thing, right? And it's written in Python 2.7. It's not very long. I didn't even know because I'm well.

Joel Margolis (teknogeek) (31:19.898)
Wow. I'm not, listen, I'm not gonna roast you. It's okay, it's old.

Justin Gardner (@rhynorater) (31:25.353)
Dude, here's the thing though. Like I started writing Python when I was 12, you know, and, and I, in around that same time was when they made the transition to Python three, right. And, and.

Joel Margolis (teknogeek) (31:33.498)
That's when, yeah, people don't realize like how well both how old and how young Python is like, yeah.

Justin Gardner (@rhynorater) (31:40.073)
Yeah. And, and I, at that point, you know, I was, I was a young, I was a young guy and I was like, I kind of got my, my head into the Python 2.7 ecosystem. I was more of a programmer at that point than I was a hacker. I was just left programming with Python and, and I was very against the Python. I mean, there was a whole sort of resistance movement against Python 3. Like it was so bad. Exactly. It was so infuriating. Like, why would you make that, that change? Like it's ridiculous.

Joel Margolis (teknogeek) (31:59.482)
Me too, man. I was like, you mean I gotta put parentheses around my print statements now?

In hindsight though, I was like, yeah, that was such an outlier. Like why wasn't there parentheses around the parentheses?

Justin Gardner (@rhynorater) (32:13.129)
Yeah. We don't need that. All we need is our youthful rage, Joel, at the system. Anyway, so I held off on switching to Python 3 for years, and then I finally have. And now I'm thinking, OK, now I need to learn how to write Rust or Go or whatever. So that's going to be on my... What did you say the other day that I didn't know the H2? Yeah.

Joel Margolis (teknogeek) (32:34.81)
H2, yeah, yesterday I was like, it's the start of H2 and you were like, what's H2? And I was like, it's the second half of the year.

Justin Gardner (@rhynorater) (32:38.473)
It's like, it's, it's like corporate speak, man. I don't know that. I mean, I barely know what quarter are we in right now? Like, right. Exactly. Thank you. so anyway, that's on my 2025 H H one. There we go. goals, learning to write rust or go one of the two, but, okay, let me just finish this segment. No, no, you're good.

Joel Margolis (teknogeek) (32:46.842)
Three, Q3 just started.

Joel Margolis (teknogeek) (33:05.274)
Yeah, sorry, I'm derailing you really hard.

Justin Gardner (@rhynorater) (33:08.361)
So essentially we have this github.com slash rhynorater slash reports repo. It's written in Python 2.7. Literally just hand it to ChatGPT and convert it to Python 3. I didn't get the chance to do it before this episode. It's very simple. All it does is just takes your markdown, parses out the templates, allows you to run, to provide like variables into the templates and also run commands on the command line. So you can automatically insert stuff like, you know, dig commands and then the output from

the dig commands into the report, super helpful. That really helps. But here's what I was gonna say before, which was, I have a tool now to write the reports using AI. So essentially what it does is it uses this really cool framework called Fabric from Daniel Miessler, okay? And I actually in the doc, I've got my own fork of it listed here, but it actually got merged into main

yesterday. So essentially what Fabric is, is it's a way, the way he describes it is it's a way to augment humans with AI. Essentially it's a framework around collecting prompts or they call patterns in this specific environment and allowing you to very easily send data to that via standard in typically and get

the results passed to AI. So you can pass it to ChatGPT, you can pass it to Claude, you can pass it to your own Ollama server. There's lots of cool stuff that's built into there. You can have it have context about you as a person. Is there really?

Joel Margolis (teknogeek) (34:45.114)
Just a CVE in Ollama, by the way, so don't, don't expose, don't, don't expose your Ollama to the network. But I make sure it's up to date. But yeah, there was, there was just a CVE in Ollama recently.

Justin Gardner (@rhynorater) (34:51.177)
Really? Interesting. I think that's really, I think Ollama would be a really interesting thing to go after because they've got like role-based permissions and stuff like that too. You can have like users and admins and that sort of thing. But I wrote this pattern called write underscore hackerone underscore report. And essentially what it does is you can provide it with an input that contains requests, responses, and then comments. And it will take that

and take into consideration your comments, look at the requests and the response, and write a report for you based off of that, that fits the HackerOne sort of model, right? You've got like the summary, the details, the steps to reproduce, and the impact, and like, you know, various supporting resources and that sort of thing. And so in order to get everything in the right format for all that, I wrote this other tool called BB bug bounty

report formatter, that's on github.com slash rhynorater slash bbreportformatter. And essentially what that does is it allows you to just very easily send in requests, send in responses, send in comments, and it'll store them on your local system. And then whenever you tell it to, you can just use dash dash print dash report, and it will dump out the report structure. And then you can just pipe that right into Fabric, write HackerOne report, and it will

generate the AI based report. Now here's the question I know you're, it's in your head Joel, it might be in your head, might not be in your head, does it actually freaking work? And the answer to that...

Joel Margolis (teknogeek) (36:31.61)
What? The only thing that's been in my head... Okay, it doesn't work. We'll finish. I'll let you finish. I'll let you finish.

Justin Gardner (@rhynorater) (36:38.217)
The answer to that is sort of. So it works really well with ChatGPT 4o or 4 Omega, whatever. Yeah. Yeah. The new one, it gets great results. It, I gave it a, a vuln that I had from before that's already closed and it wrote an awesome report for it. Easy peasy. I just gave it the request, the response and some description of the vuln and it took it away.

Joel Margolis (teknogeek) (36:41.274)
no.

Joel Margolis (teknogeek) (36:51.098)
4o. The new one.

Justin Gardner (@rhynorater) (37:09.065)
But the goal with this whole thing was to be able to do this with private AI, to be able to do it with Ollama on my local system so that it doesn't leak the, yeah, so that it doesn't leak the report contents, yeah, to OpenAI. And that does not work quite as well. It works pretty poorly, actually. So I don't know. I think, I think...

Joel Margolis (teknogeek) (37:17.338)
Yeah, which is not.

Joel Margolis (teknogeek) (37:25.69)
data too. Yeah.

Justin Gardner (@rhynorater) (37:38.537)
It's an interesting edge. I'm still going to release the tool because some people will use it with ChatGPT and that's fine. I, I'm definitely looking forward to seeing progress in private AI, because this really highlighted for me the difference between a, a system that like, like ChatGPT stuff and something like Ollama using like, a Llama 3 or Llama 2 model.

I mean, the results were just drastically different.

Joel Margolis (teknogeek) (38:11.162)
Yeah, yeah, super interesting. One thing I did when I mentioned, and this is completely, this is like the totally wrong takeaway. I'm so sorry. Okay. You said you, let's see. Okay. I'm just sorry. You said that to convert Python 2 to Python 3, you should just throw it in ChatGPT. Okay. There's a built-in tool. Okay. If you don't know this, there's a built-in tool in Python. It's called 2to3, number two, number two, word two, number three, two, two, three.

Justin Gardner (@rhynorater) (38:18.857)
Joel, come on, what is going on today, man?

Justin Gardner (@rhynorater) (38:24.713)
my gosh, what are you talking about?

Justin Gardner (@rhynorater) (38:39.433)
What?

Joel Margolis (teknogeek) (38:40.73)
and it converts Python 2 scripts to Python 3 built in. It does. That's what it does. Search it up. 2 to 3. Anyways, I'm just leaving that there.

Justin Gardner (@rhynorater) (38:44.585)
No it does not.

Joel Margolis (teknogeek) (38:53.658)
It exists. It's pretty cool. I think it's getting removed in like version 3.13 or something. But like if you haven't converted your Python stuff by now, you know, whatever. But yes.

Justin Gardner (@rhynorater) (38:54.345)
Wow, check that out.

Alright, you know what, I wanna be mad at you, cause that... really?

Justin Gardner (@rhynorater) (39:07.177)
Wow, very cool. I was gonna be mad at you, but that's actually really cool.

Joel Margolis (teknogeek) (39:12.09)
Yes, that is like the one case where I'll say you don't need to use GPT for this. You can use something much less AI that will probably not get it, start hallucinating halfway through your script.

Justin Gardner (@rhynorater) (39:25.417)
Yeah, no, that makes sense. Very cool. Someone should do that. Maybe I'll do it afterwards. Maybe I'll do it before this podcast airs, who knows? I got a lot of stuff on my plate this upcoming week, but it would be interesting. The takeaway there though is really worthwhile to have some sort of templating system in place, and I just kind of use the HackerOne templates and use some of the AI stuff that I've built in now, but I think...

Joel Margolis (teknogeek) (39:34.042)
Mmm, who knows?

Me too.

Justin Gardner (@rhynorater) (39:53.033)
You know, before, when I had this more advanced templating system, especially if you're reporting very similar bugs time and time and time again, it's very helpful. And I recently had a scenario where I had to report 25 very, very similar bugs and I used report templating and it just saved so much freaking time.

Joel Margolis (teknogeek) (40:10.618)
Yeah, I will say like if you're not doing full-time bug bounty, and you don't need to be submitting a lot of reports en masse like that, or if it's not something that you've farmed, like if you're submitting 25 of the same report, template is a great solution for that. But if you're not a full-time bug bounty hunter, I don't think necessarily that trying to shortcut the whole report writing process is a great idea per se. I think it is kind of, I mean,

Justin Gardner (@rhynorater) (40:36.969)
Even with AI?

Joel Margolis (teknogeek) (40:40.474)
To some extent, right? So like, say you're not like a native English speaker and you're like, I want to make sure like this is readable. I think that's a good use case for like, I know for example, HackerOne has like rewrite with Hai thing or whatever. You could maybe do that with ChatGPT or maybe Ollama just to rewrite it and to make it more readable. But like having it generate and like write the report itself, at the end of the day, you're going to have to reread through it to make sure that it's actually right and that it actually got everything correct. And if you're doing that, then you're like,

Justin Gardner (@rhynorater) (40:49.865)
Mm. Mm.

Joel Margolis (teknogeek) (41:10.298)
halfway there pretty much to just writing the thing yourself. And like, it is kind of part of the process. I don't know. I think it depends on what it is. like the, there should be sort of a line, I think, where like, it makes sense to have the AI be writing a report for you versus just writing it yourself. because like, at what point do you like need the AI to write? Like how much time is it saving you to like collect all this stuff?

Justin Gardner (@rhynorater) (41:11.657)
Mm. Yeah, I don't know, I feel like this... Mm.

Joel Margolis (teknogeek) (41:38.842)
Just put it into the AI, read through what it writes, format that. Again, you're probably 50% of the way there.

Justin Gardner (@rhynorater) (41:44.265)
Nah, dude, nah, it helps, man. It helps. And I think for me, just seeing the way that it worked for my sample stuff that I wrote associated with this, I literally took one request, one response, one, two sentence thing about how to access this thing. And it extrapolated a bunch of the correct details. It was an IDOR, and there was another one for Reflected XSS, worked great.

Joel Margolis (teknogeek) (41:49.658)
It does help, right?

Joel Margolis (teknogeek) (42:08.89)
What type of bug was it? Okay.

Justin Gardner (@rhynorater) (42:14.121)
and, yeah, yeah, no, absolutely. Yeah. And that's the, that's the use case where we're right now, I just don't feel like writing up these super annoying bugs, you know? And I just like, okay, just send it off. All you have to do is just tell the triage or like log into the application, go get this ID from here and, and then do this, do that. And it did actually did a really good job. This is the part that was surprising to me.

Joel Margolis (teknogeek) (42:14.554)
Okay, that's pretty straightforward though, right? Yeah.

Joel Margolis (teknogeek) (42:24.09)
Yeah. Right.

Joel Margolis (teknogeek) (42:32.218)
Yeah.

Justin Gardner (@rhynorater) (42:39.752)
the application that I gave it the test data from, it knew about that application. It's a pretty popular application. And it was like, you know, this is the functionality in this application. You can get, you log in, go to this spot and then do this thing. And I was like, wow, that's like, I didn't tell you about that. You just kind of knew that. That's kind of funky, you know, like, yeah. So I'm sure there will be problems with it, but I think for me having to actually get out of my hacker brain and into my writer brain,

Joel Margolis (teknogeek) (42:56.058)
Freaky it's kind of weird that I do that

Justin Gardner (@rhynorater) (43:08.809)
and start doing that, I think this will be a big time saver for me. So I've only used it a couple times, but I think it'll be helpful.

Joel Margolis (teknogeek) (43:19.226)
Yeah, right? It's like, yeah, for sure. I agree with you. I think it depends on the use case. And if you find that use case for yourself where it makes sense and it's something simple like that, or it's just a big time saver where you don't have a template that fits it nicely or whatever, you can't just copy paste the company name and it's not something in mass and it needs to be a little more custom, then AI is great for that. Or having something rewrite it for you with just a little bit of info is great for that.

Justin Gardner (@rhynorater) (43:22.313)
Mm.

Justin Gardner (@rhynorater) (43:44.073)
Mm-hmm. Yeah, I agree. And I wanted to shout out while we're at this segment, I wanted to talk a little bit more about Fabric as well, because Fabric is pretty rad. There's a couple other patterns that I use pretty regularly that come in here as well. The create command one in particular is great. So you can just say like echo, write me a command to, you know, a sed command to like remove this or that or the other thing and just

Joel Margolis (teknogeek) (44:04.794)
Okay.

Justin Gardner (@rhynorater) (44:13.193)
pipe that into Fabric Create Command and it will write that whole command for you. And I'm like, yeah, yeah, and like get it all built out, yeah. And it knows, I mean, you can give it more context too. You can give it more like the man pages or whatever and that sort of thing and it will be able to tie stuff together. But for stuff where you're constantly trying to like, what was that syntax or whatever, I think this is really handy.

Joel Margolis (teknogeek) (44:19.738)
pipe it together and stuff and you just copy paste that's pretty nice

Justin Gardner (@rhynorater) (44:42.793)
And the other ones, so there's clean text, which I think is a really interesting one. You can kind of tell it, give it some text and it will try to pull out like all of these weird formatting things and try to get it in a very consistent format. And I think this is something that, you know, we've all become pretty adept with using like sed, grep, awk, you know, all these things to try to get the text in the right format. But for the beginner that is just trying to get stuff to...

Joel Margolis (teknogeek) (45:03.482)
Yeah.

Justin Gardner (@rhynorater) (45:09.705)
be in the right format for like an intruder list or something like that. I think this could be really helpful.

Joel Margolis (teknogeek) (45:12.57)
Yeah.

Dude, you know, I'm really conflicted about this whole thing because this, this reminds me of the conversation that we had with, was it, yeah, with Keith about, like, the Google effect of this on memory and learning, where it's like, I do think it's worthwhile to like know how to use sed or know how to use, or know how to like use these fundamental Linux commands to modify and chain data and not just be like,

Justin Gardner (@rhynorater) (45:18.729)
Mm-hmm.

With Keith.

Justin Gardner (@rhynorater) (45:37.065)
Absolutely.

Justin Gardner (@rhynorater) (45:40.841)
Mm-hmm.

Joel Margolis (teknogeek) (45:44.57)
Let me ask the AI how to do this thing and just have like copy, blindly copy pasting. It's like the equivalent of like, you know, stack overflow or whatever, like just like, you know, copy pasting code snippets and just not really knowing what you're doing. And I think like, this is something like I, I absolutely, I want like things to be easier for people, but I also don't want to encourage like the wrong type of learning and behavior around this where like, this should be something that you should be learning or using like as a utility to make your life easier, not to like do something you don't know how to do.

Justin Gardner (@rhynorater) (46:04.873)
Mm.

Justin Gardner (@rhynorater) (46:13.513)
Yeah, well, I think...

Joel Margolis (teknogeek) (46:14.234)
necessarily like, and there's like a line, right? Where like, you know, something's not worth your time. And then, okay, you probably shouldn't be wasting your time like learning this, but like learning how to use sed, like, again, like I think like the fundamental Linux knowledge and stuff that you're going to gain off that is like so much more valuable and more applicable than like, for example, using it to write a report, like you don't need to like go learn how to like write like a PhD student

In order to write a report right, you can just have like that AI do that for you, but you should learn what the Linux commands that you're using are doing.

Justin Gardner (@rhynorater) (46:49.52)
Hmm. But there's, there's, there's a limit to that, right? Like we all have limits to our knowledge. I know how to use sed and awk and cut and all these things very, very fluently, but I don't know all of these super abstract edge cases for jq or like, you know, some of these other applications, right? Yeah, but I, yeah, but I don't, you know, and I've got other things to do besides like, especially when you're ha, this is a really important takeaway, I think.

Joel Margolis (teknogeek) (47:09.114)
But imagine if you did.

Yeah.

Justin Gardner (@rhynorater) (47:18.697)
Especially when you're hacking, you want to try to remove as much friction as possible to you being able to get to your goal in the hacking scenario, right? So for things like this, yes, it's helpful to have that knowledge about sed and awk, and if you want to take the time to learn that outside of being in the zone from a hacking perspective, then that's great. But at the end of the day, when you're hacking, you need to stay in your flow and you need to remove as much friction as possible. So that's where I think stuff like Fabric and integrating these clean text or create command patterns

could be really helpful because it removes that, that, huh, now I gotta go look at the docs, blah, blah, blah. And now I can just, okay, here's what I need to write, copy paste it and go. Your cat's tail is like right in front of this.

Joel Margolis (teknogeek) (47:53.21)
Yeah.

Joel Margolis (teknogeek) (47:58.138)
Yeah, don't mind this. I was gonna say, yeah, I think...

You know, there is right. There's like a line. I forgot what I was gonna say now. yeah. Yeah, I remember. Yeah. So like definitely. I would recommend setting aside some time to be able to learn these things, right? Like don't always just say that like, in the in the effort of like going fast and like not getting out of flow, I'm not going to bother learning this thing. And then you'll like never learn it. I do think it's important to like set aside some time for yourself to learn these types of things. So if it's something that you

Justin Gardner (@rhynorater) (48:12.681)
I'm sorry, the cat.

Joel Margolis (teknogeek) (48:38.874)
don't want to learn now, but you think that you should learn later, put it in like a note file or something, and then like set aside like one day a week or something if you're a full-time hacker or a couple hours per week or certain times a day where you can go and you can research those things and not feel the pressure to be hacking, but instead be learning to improve your hacking and hone it, you know?

Justin Gardner (@rhynorater) (48:46.537)
Hmm.

Justin Gardner (@rhynorater) (48:59.753)
Yeah. What I recommend to my mentees as well is doing that sort of supplemental learning during times when you can't deep focus on hacking. So let's say you've got an hour at this cafe while your kids at their swim lesson or whatever, right? Take that hour and instead of trying to like get into a target and in an hour and like find a bug, which you could, you know, it's possible, especially if you, you structure your time properly. but, but instead of that, maybe take some time, go learn all these commands, go learn about, go set up some environment that's going to save you some time.

and reduce your friction when you do have focus time, like four hours or something like that, where you can really be in the zone. That's sort of my recommendation.

Joel Margolis (teknogeek) (49:39.706)
Yeah, I also love doing that when I'm in constrained environments, like on a plane, on a train, traveling in an Uber. Like when you're in constrained environments and you're just like, what do I do? Instead of scrolling Twitter, go find an article and read through that article because you're much more likely to actually read through it and occupy yourself than you are to like do that when you're at your computer and you have a million other things that you can be doing.

Justin Gardner (@rhynorater) (49:43.113)
Mm. Mm-hmm.

Justin Gardner (@rhynorater) (49:53.033)
Mm-hmm.

Justin Gardner (@rhynorater) (50:01.833)
Yeah, and it doesn't make a difference just that one time, but if you get in the habit of doing it, like, and you keep on getting in this habit of like, let me read this article instead of scrolling Twitter or let me like, figure out how to use this, this Linux command while I'm, you know, waiting in line at the grocery store or something like that, then that knowledge will compound, compound, compound. And you're just going to be mega elite at the end. You're going to be the next Tomnomnom. Yeah. So.

Joel Margolis (teknogeek) (50:24.09)
Yep, absolutely. Absolutely, absolutely.

Justin Gardner (@rhynorater) (50:28.329)
All right, well, I guess on the note of like taking some time, biting the bullet and setting some stuff up, I do have a couple of recommendations in addition to what we've mentioned here already. I always record a POC video. That's the first one. Like, unless it's literally click the link, see the pop-up, and even then, if it's gonna be a bounty above like 500 bucks or something like that, I'm gonna...

Joel Margolis (teknogeek) (50:37.594)
Yeah, lay him down.

Justin Gardner (@rhynorater) (50:57.768)
If it's a bounty that I'm going to be upset to lose, if like the endpoint goes down or something like that, I'm always going to record a POC video because it's so, it takes so little time. It shows proof that the thing happened and it just makes it easier for these triagers that are skimming reports more and more nowadays. So one, that's one tip, always record a POC video and two, remove friction to recording that POC video on yourself and make it a nice setup, you know?

What I'm using nowadays is OBS, and I've sort of, I really like the way that Loom has their setup in place, right? And I wish I could use Loom, but it sends the video out to Loom automatically, right, which is kind of like, kind of meh. So I kind of set up my OBS to mimic Loom, and I've got like a little circle of my face down at the bottom and I've got, you know, the screen recording on there. And for some reason my default setting on OBS, I don't know if you have this as well, Joel,

but it didn't have a pause button by default. It was like something about the way that it's encoded. Yeah, go check it because it didn't have a pause button. And I was like, why does this not have a pause button? Because it's super helpful when you're recording a video to be like, okay, now I'm gonna brute force this for 20 seconds. Be right back. And you just press the pause button and then you come back when it's done brute forcing and then you can show the result or whatever. Do you have it?

Joel Margolis (teknogeek) (52:02.906)
check my ideas.

Joel Margolis (teknogeek) (52:14.49)
I don't.

Joel Margolis (teknogeek) (52:23.898)
Yeah. No, I don't. I don't think so. Unless I have to start recording. But yeah, that's.

Justin Gardner (@rhynorater) (52:26.729)
Yeah, so.

Yeah, I think you might have to start recording with the like, start recording button down at the bottom before it to pop up. But I don't know if, because your camera and microphone are in use right now. I don't know if it can do it. Yeah, don't mess with it. Don't mess with it. But if you don't have a record button, here's the way to get a record button on, not a record button, what am I saying? A pause button on your recordings for OBS. Go to settings, good output, good recording, and then change your recording.

Joel Margolis (teknogeek) (52:40.186)
yeah, I'm not gonna, I'm not gonna break it.

Justin Gardner (@rhynorater) (52:59.657)
encoder to x264 and change the output type to mp4 and then save it. And if you just Google it, there's an article on it, you know, of course, I just am telling you from the article. But essentially that will give you the pause button, just something with the way it does encoding. You can't pause with the normal encoding. And then that pause button will pop up and you can easily pause, unpause.

and you've got a nice little setup and the triager can see you and it makes a connection and it's very easy to follow. So that's my tip there is like go ahead and set that up and then reduce as much, you know, set the auto output directory to be somewhere where you know exactly where it is and just reduce the friction as much as possible to doing these POC videos and then just do it every time and have a voiceover as well. Talk them through it, say, okay, now we're going over here, we're clicking this button. Then the attacker is like,

you know, doing this thing and just talking through the whole flow, it will really help to understand the full attack vector and it will get your reports to the triage faster and it will, even in scenarios, I've actually had triagers be like, hey, I can't reproduce this because of XYZ, but I see you have a video and I followed the video, so I'm gonna triage this. And it just saves you that extra time bump, you know?

Joel Margolis (teknogeek) (54:14.266)
Yeah.

Yeah, one thing I will say about the videos. So if you can't embed your video in your report, like don't, I wouldn't be kidding, like for real, because making, whether it's the program, whether it's the triage or whoever, have to download your MOV file and like run it on their, like that should give everyone an ick. And that's, yeah, please don't do like.

Justin Gardner (@rhynorater) (54:35.273)
Yeah, no.

Mm-mm.

Yeah, no, of course, just embed it.

Joel Margolis (teknogeek) (54:44.282)
Yeah, embed it in your report. Don't just attach it as a thing on the end and be like attached as a video record. Like that literally just feels like a malware email that you've sent me. Like, please see the attached PDF file and run it on your computer. Like bro.

Justin Gardner (@rhynorater) (54:57.304)
Dude, the report is like ability to social engineer a security analyst into, open up the video, proof of concept, you just opened this.

Joel Margolis (teknogeek) (55:05.466)
Yeah, right. Yeah, exactly. I'm like, hang on a second. Hang on a second. I think I've seen this one before. Yeah.

Justin Gardner (@rhynorater) (55:15.145)
Yeah. Yeah. But I mean, I can't imagine anybody doesn't know this, but on HackerOne and Bugcrowd, you can embed the videos directly in the report. So you have to do that.

Joel Margolis (teknogeek) (55:23.098)
yeah.

Joel Margolis (teknogeek) (55:27.29)
And not only that, at least on HackerOne, there's a built-in screen recorder. So if you don't use OBS, you don't have a screen recorder set up, there's a button you can click in the HackerOne webpage, like record my screen or whatever. You can record your screen, it automatically embeds it right in the thing. I don't know how well it works, I've never used it before, but it's there. And just give it a shot.

Justin Gardner (@rhynorater) (55:46.665)
I think it's a little funky.

Joel Margolis (teknogeek) (55:52.346)
If you don't like it, then you can go through the effort of setting up OBS or some recording software. Loom is super easy. Like you said, like Loom is great. Puts your face there, puts your mouse there. It's very user friendly. So yeah, there's definitely a lot of options.

Justin Gardner (@rhynorater) (56:04.329)
Yeah, Loom, I've been using a lot recently for sending messages to you, sending messages to the other members of our staff, and then.

Joel Margolis (teknogeek) (56:13.306)
Justin communicates to me with videos. He'll be like, hey man, are you around? I'm like, yeah, and then he'll just reply with like a video. I'm like, what the fuck?

Justin Gardner (@rhynorater) (56:23.689)
Very true, very true. Joel's like, hey man, what's your favorite color? And I just said to respond with a loom link.

Joel Margolis (teknogeek) (56:29.914)
It's like, hey, so as you can see, I'm a pretty big fan of this shade of red right here, but also this one's pretty good as well.

Justin Gardner (@rhynorater) (56:33.929)
Yeah

Justin Gardner (@rhynorater) (56:38.473)
my gosh, yeah. But so, dang it, we are silly today, Joel. So regarding Loom, I did want to definitely add this though, that one, it's very helpful for sending, like collaborating with other hackers. You can be like, hey, check out this request. It literally, you just press the record button, you record it, it gets your mic, gets your little face down in the corner, it's recording your screen.

follows your mouse, all those sort of things. And then literally the instant you press stop recording, it generates a link, then you can just drop that link into Discord chat or whatever, and your buddy can follow along with you exactly. So that's super helpful for collaboration. And here's what I've been doing with it recently that's been kind of a game changer, is when I've got to step away from work for the night or whatever, and I'm in my zone, and I'm like, man, I wish I didn't have to leave, I'm in my zone.

just recording a Loom video to myself and saying, hey, you think this request, I always do it in the second person. Currently you think that this is really, yeah, this is really weird and we should come back to this request. So yeah, that's been really helpful. And then I'll just kind of bookmark it and put it right in an annoying spot in my bookmark bar so I see it as soon as I open up my browser. And I watch that video and that helps me.

Joel Margolis (teknogeek) (57:46.97)
yelling at yourself.

Justin Gardner (@rhynorater) (58:04.745)
drop right back into the flow state that I was in the last time that I was hacking. So that's a big one, man. That one really helps.

Joel Margolis (teknogeek) (58:10.266)
awesome.

Yeah. Yeah. And I love that. I mean, that in combination with what Ron said he does, and I do this as well, where you try and leave yourself on like a cliffhanger the night before so that you really energized to go hack that the next day. You know, that's always good to sort of set yourself up for success the next day and have something to look at and have something to focus on instead of just sitting down and being like, hmm, what do I, what should I write? That momentum is like super important. So keeping the momentum going like across throughout the evening by sending notes to yourself and keeping

keeping notes of what you were working on and where you were in that momentum headspace is really, really important.

Justin Gardner (@rhynorater) (58:47.913)
Yeah, yeah, I agree, man. I agree. Yeah, that was such a great, a great tip from Franz. Like I had such an extreme response to that. I was like, no, that's the moment that you gotta like, that's when you, that's when you crush the app into the ground, you know? And no, it's, it makes a lot of sense. You just leave it, you leave it is, you let your brain sort of reflect on it for the rest of the night or whatever. And then the next morning when you need to get up at, you know, 5 a.m. to go hack before your kids wake up.

Joel Margolis (teknogeek) (58:57.69)
That's what you have to know.

Justin Gardner (@rhynorater) (59:17.321)
You wake up and your eyes are like this. You know, your eyes are kind of squinty and then, you know, they just go wide open and you remember and you're like, let's go. Exactly. Very real stuff there. Very real stuff. Yeah.

Joel Margolis (teknogeek) (59:23.45)
And you're like, and then you remember and you're like, yeah, I'm going to go hack that thing.

Some people like their coffee in the morning. I like my, my last night realization.

Justin Gardner (@rhynorater) (59:37.801)
What the frick dude? Okay, okay, couple more, couple more reporting tips and then we're just gonna wrap. Yeah, these poor listeners this week, man. Yeah, so if this is your first episode of Critical Thinking that you're listening to, I'm so sorry. This is not how we normally are. Okay, so couple more tips, dude. I only just found out, I've been writing reports on HackerOne for seven years at this point, I just found out recently

Joel Margolis (teknogeek) (59:42.298)
It's good we're putting this stuff at the end otherwise we might weird people out.

Joel Margolis (teknogeek) (59:54.266)
Ha ha ha.

Justin Gardner (@rhynorater) (01:00:06.345)
that you can use syntax highlighting in your markdown blobs. Recently, maybe like being like two years ago or something like that. Yeah, this is a markdown thing. Yeah. Back tick, back tick, back tick, and then whatever language, right? So there's one for HTTP, JavaScript. Dude, that is amazing.

Joel Margolis (teknogeek) (01:00:12.346)
Yeah. This isn't just a HackerOne thing, by the way. This is like, yeah, yeah.

Joel Margolis (teknogeek) (01:00:23.866)
Yep, so you can use JS. There's one for like everything. Yeah, yeah. It's amazing. And one of my favorite ones is HTTP, which is a much less well-known one, but it basically is great for highlighting HTTP requests, the headers and the body and that kind of stuff. It works especially well on HackerOne. I think they have some extra stuff added to it that makes it work nicer than it does in other places. But you can use this on Discord as well. So if you're chatting with your friends on Discord,

Justin Gardner (@rhynorater) (01:00:50.505)
Amazing.

Joel Margolis (teknogeek) (01:00:51.706)
and you send them a block, a code block instead of just some block of text, but put the language there. Add some color to it. It's nice. It's like a paint, it's like, get some help, please. It's like a paint by numbers, you know, you can do it. All you have to do is just add the language.

Justin Gardner (@rhynorater) (01:01:00.393)
Stop it, get some help.

Justin Gardner (@rhynorater) (01:01:08.201)
my gosh dude. Okay, all right, all right. Yeah, okay, let me ask you this. Do you always, so just read the whole Markdown situation. Do you always forget how to do a link in Markdown or is that like not?

Joel Margolis (teknogeek) (01:01:23.61)
It's now burned into my brain. I don't know. I just know that it's, I just know.

Justin Gardner (@rhynorater) (01:01:25.513)
Is it?

I don't know what my problem is with that, but I like always get it mixed up. So.

Joel Margolis (teknogeek) (01:01:34.394)
Here's a good way to think about it. If you were to send someone, if you were to write someone like, hey, here's this really interesting thing. What you would normally do is you would put in parentheses after that, the link. Okay? You'd be like, hey, here's this thing, parentheses, link. So it's the same in Markdown. You just surround it and you're just telling it what the link should be.

Justin Gardner (@rhynorater) (01:01:47.273)
Right, right.

Justin Gardner (@rhynorater) (01:01:56.137)
No way. So it's like, it's square brackets and then parentheses adding the context sort of like that sort of thing.

Joel Margolis (teknogeek) (01:02:02.298)
Yeah, yeah, the link is like, parentheses, hidden. And the square brackets are like, link this thing.

Justin Gardner (@rhynorater) (01:02:08.393)
Okay, could you say that all again, but with a little ASMR? Like... PRETENCY

Joel Margolis (teknogeek) (01:02:12.162)
Okay, so the first

Justin Gardner (@rhynorater) (01:02:15.945)
my gosh, okay, all right. That's burned into my brain now. That is helpful though. I think having that parentheses around the, towards the end, I think that that is, that makes a lot of sense. Okay dude, we gotta wrap this episode because we're getting too loopy. The last one, let me just finish this out, okay? No dude, no, it's not just you man, it's not just you. Yeah, so last one that I wanted to.

Joel Margolis (teknogeek) (01:02:19.866)
You

Joel Margolis (teknogeek) (01:02:32.67)
How many times can I derail Justin this episode? I gotta get a counter going. I'm gonna get a world record.

Justin Gardner (@rhynorater) (01:02:42.121)
to say was screenshots are also very important in writing your reports. You should be including those on a really regular basis. And I know a lot of you are just using like the built-in, you know, Windows screenshot or whatever, or some like janky Linux one. I would recommend not doing that, even though I did that for a very long time, and still sometimes do it because of muscle memory. And instead get something like Greenshot.

where it's very simple, like you just, you activate it with a key binding, just like you do with, you know, the Windows Screenshotter. You can select very granularly, you know, it allows you to select down to the pixel. It's got a little magnifying thing that says, okay, from this pixel, you know, you drag your size for the screenshot. And then you can pop it up into like a little screenshot editor where you can really easily like draw arrows and add text and stuff like that. And you're not like trying to draw and paint like.

do this super jank looking circle and like this arrow that you drew with your mouse cursor and

Joel Margolis (teknogeek) (01:03:41.146)
If you're on Windows, the best screenshot tool that I can ever recommend is called ShareX. ShareX, share and the letter X. Dude, I gotta keep these things. These are top secret. Top secret tips, ShareX. Yeah, I think it's Windows only unfortunately, because it uses a lot of C sharp dot net stuff. I've tried to cross compile it for Mac before, because I liked it that much. But yeah, ShareX is really, really awesome.

Justin Gardner (@rhynorater) (01:03:46.217)
What? Joel, why don't you put these things in the doc?

Justin Gardner (@rhynorater) (01:03:56.489)
Wow, this looks awesome.

Justin Gardner (@rhynorater) (01:04:06.889)
Wow.

Joel Margolis (teknogeek) (01:04:10.906)
It allows you to add blur, arrows, rectangles, all sorts of really cool things. It has like bounding boxes and stuff. It just copies to your clipboard. You can do custom upload stuff. So like if you have an, if you wanted to just like send it to some API endpoint, if you have a custom image uploader, you can do that. Yeah, you can do that. You can just have it copied to your clipboard, which is what I usually do. But yeah, ShareX is really awesome. That's what I...

Justin Gardner (@rhynorater) (01:04:30.185)
No way.

Justin Gardner (@rhynorater) (01:04:36.361)
Yeah.

Joel Margolis (teknogeek) (01:04:39.738)
use on Windows for screenshots. On Mac, I just use the built-in screenshot thing. Preview is kinda okay, but if you want to add blurs and arrows, what I use is called Skitch. S K I T C H on Mac. Skitch.

Justin Gardner (@rhynorater) (01:04:53.993)
Interesting.

Justin Gardner (@rhynorater) (01:04:58.089)
Let's add that to the, I'll add it right now, sketch.

Joel Margolis (teknogeek) (01:04:59.77)
I don't, it looks like this software may or may not exist.

Justin Gardner (@rhynorater) (01:05:06.921)
Did it like discontinue or something like that? Does it have like a little? Yeah, yeah, yeah, it's here.

Joel Margolis (teknogeek) (01:05:11.546)
All I can find, all I can find are like the CNET download links.

Justin Gardner (@rhynorater) (01:05:15.721)
Hold on, I just put it in the section in the doc. Is that the one? It's got like a little arrow? Okay. You know, hacker skills, man. Google Dorker.

Joel Margolis (teknogeek) (01:05:19.066)
Did you? That is the one. Yeah, that's it. I don't know how you found that. That's it.

Yeah, this one's pretty good. Yeah, it's made by Evernote. Yeah. Yeah, yeah, yeah, yeah. That's one of the reasons I like it. So it's made by a pretty reputable company, so Evernote makes this image editor called Skitch. And you can add blurs, you can add little arrows to it. I think you could probably do it in Preview, just the Mac Preview app as well, but it's blurs, I don't know about that. But yeah, ShareX on Windows, Preview slash Skitch on Mac.

Justin Gardner (@rhynorater) (01:05:32.041)
Is it really?

Hmm.

Justin Gardner (@rhynorater) (01:05:55.497)
Okay, so that's your recommendation. My recommendation is Greenshot. I'm gonna go ahead, because you didn't tell me about this before the episode, Joel, I didn't get the chance to go and download it and install it and provide my official recommendation. But we can leave that up to the listener. Greenshot versus, what was the one for Windows that you recommended? ShareX, okay, cool. Yeah, we'll see which one of those gets the better review from the community. All right, is that a wrap? I think we're done, right?

Joel Margolis (teknogeek) (01:06:05.018)
You

Joel Margolis (teknogeek) (01:06:14.842)
ShareX.

Joel Margolis (teknogeek) (01:06:25.146)
I think that's a wrap. Good luck writing your reports everybody. You got this.

Justin Gardner (@rhynorater) (01:06:26.441)
Alright dude, yeah, go get it guys. Alright, peace.

Joel Margolis (teknogeek) (01:06:31.994)
Peace.