Oct. 3, 2024

Episode 91: Zero to LHE in 9 Months (feat gr3pme)

Critical Thinking - Bug Bounty Podcast

Episode 91: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner sits down with Critical Thinking’s own HackerNotes writer Brandyn Murtagh (gr3pme) to talk about his journey with Bug Bounty. We cover mentorship, networking and LHEs, ecosystem hacking, emotional regulation, and the need for self-care. Then we wrap up with some fun bugs.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Shop our new swag store at ctbb.show/swag

Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder

Today’s guest: https://x.com/gr3pme

Resources:

Lessons Learned for LHEs

https://x.com/Rhynorater/status/1579499221954473984

Timestamps:

(00:00:00) Introduction

(00:07:02) Mentorship in Bug Bounty

(00:16:30) LHE lessons, takeaways, and the benefit of feedback and networking

(00:41:28) Choosing Targets

(00:49:03) Vuln Classes

(00:58:54) Bug Reports

Transcript

Justin Gardner (@rhynorater) (00:00.331)
Yeah, man, I wish my jumper, my jumper was here. Sweater, it's not, why do you say it with an American accent? Can you say sweater? Do you not say sweater at all? Sweater, that's it, got it, got it, sup man. All right, man, all right, cool. Well, today everybody, we have Critical Thinking's own Brandyn right here, our writer for the Hacker Notes.

Brandyn (00:03.342)
My sweater Sweat Sweater

Every time, every time.

Justin Gardner (@rhynorater) (00:26.809)
And I'm excited for this episode because I've wanted to have Brandyn on for a while because I think his story is really good. And it's amazing to me to see how much progress has been made in 10 months as of today, actually, of working, working together and yeah, having a mentorship type thing. But to be honest, most of the time it's just me being like, yeah, that's, that's right. Continue doing that. Yeah. That sounds great to me.

Brandyn (00:51.47)
You

Justin Gardner (@rhynorater) (00:55.329)
So Brandyn, I'll give you an opportunity here to give us a little bit of self-history. And then also, as I'm reading over this document, I'm realizing that I think we have a little bit of a different story on how we met originally. So I'm interested to hear your take and then tell mine.

Brandyn (01:11.714)
Okay.

Sure. So in terms of background and experience, I started in cyber when I was 16, so 10 years now, which has been a very wild and long career so far. If I start going racing, that's probably why, if I'm being honest. But it's been good. I started off very much in the blue team and system administration stuff, always with the goal of wanting to be a pen tester and wanting to go into pen testing. So

Throughout that progress and throughout that career, I've grinded out certs because that's what I believe was the only way to get there, but more on that later. And I've been testing for the past six years now and started bug hunting 10 months ago. So it's been an interesting journey and lots to talk about, but you can't fit 10 years into 10 minutes really.

Justin Gardner (@rhynorater) (02:05.305)
No, no, can't, man. And actually I was kind of surprised to hear that it was, it was, you know, 10 years that you've been, you've been at it now. And I was like, man, he's been, he's been at this for quite a while. And then I'm realizing, yeah, I've also been, I've been doing this for, 16 years. I started like hacking stuff when I was like 12, dude. and, and so it's crazy how, how much, how much time it takes, but it makes a lot of it. It makes sense to me that it, that you progressed.

Brandyn (02:19.12)
I'm turning it into like a cake.

That's insane.

Justin Gardner (@rhynorater) (02:34.677)
so much faster than a lot of the other people in the bug bounty industry that I've seen, given how focused you've been on pen testing. And I think also you were a pen tester even before we started training and stuff together. But yeah, that makes a lot more sense. And then, okay, so it says here in the notes that, did you suggest that you be a writer for critical thinking or did I suggest that?

Brandyn (02:37.84)
Mm.

Brandyn (02:59.73)
So I suggested it. So I'll give you my context and how I thought this started. So the Hacker Notes originally from my context started off in my iPhone and I have a lot of nonsensical scribbles, voice notes, memos, all of it, which basically highlighted the key takeaways from each episode which I found useful and which I thought other.

Justin Gardner (@rhynorater) (03:02.712)
Really? Okay.

Justin Gardner (@rhynorater) (03:08.931)
Okay.

Justin Gardner (@rhynorater) (03:13.389)
Mmm. Yeah.

Justin Gardner (@rhynorater) (03:19.971)
Ha

Brandyn (03:28.615)
hackers would find useful as well. And it got to a point where I was like, I'm doing this for myself, but other people might like benefit from this. And then this is sort of tied into the whole me messaging you and reaching out and going, hey, I'm doing this thing called the hacker notes. I'm looking for mentorship. If I'd done this for the pods, would you provide mentorship? See how it goes.

And I was expecting to be ignored, I'm not gonna lie. I was not expecting a response at all. And you responded a couple of days later. And this was over Christmas, I think, when I reached out. And I was like, wow, okay. And then me, you and Joel jumped on the call. And then off it went, really. We gave the Hacker Notes a go and it went quite well.

Justin Gardner (@rhynorater) (04:01.687)
Yeah, yeah.

Justin Gardner (@rhynorater) (04:12.151)
Yeah, yeah, dude. Okay. So that it must've just been perfect timing because I remember also getting some advice from a respected podcaster, you know, saying, Hey, you, have to get somebody to, write notes for your, for your podcast. Like there has to be a text version because, you know, you're doing the video thing, you're doing the audio thing. It just makes sense to also have text, right? And because some people, you know, there's various different ways for people to consume media.

So I was thinking about it, I think at the time, our writer had moved along, and I was like, I really gotta find someone else. So I think you just kind of hit the nail on the head when you asked. I was like, yeah, that's exactly what we need. I accept.

Brandyn (04:56.579)
It's funny because the actual message sat in my notes for a while because I was like, how do I position this? I'm not like some creep from the internet, but it also has to sound good enough that you would respond back. So it sat in my notes for like a good couple of days of, like, various iterations, and then I got to the point where I thought, no, I'm just gonna send it and see how it goes.

Justin Gardner (@rhynorater) (05:05.528)
Yeah.

Justin Gardner (@rhynorater) (05:09.154)
Yes.

Justin Gardner (@rhynorater) (05:17.229)
Well, clearly it worked, man. Clearly it worked. And since there has been one other individual who has successfully pulled off this "I'll provide services for mentorship" sort of thing, I'm just gonna go ahead and put it out there. I am not open to that arrangement right now. I'm so sorry. I just can't do... Brandyn's too much of a handful. I can't take on any more mentees. No. But yeah, I think it's been really fun too. We, you know...

in our meetings we've kind of been talking recently, the way we have it structured for the listeners is, you know, once a week we'll meet up and we'll kind of do a sync for like, you know, 30 minutes to an hour on what's going on in the bug bounty stuff for this past, you know, week or whatever, what kind of strategies we're using, you know, if we've got any technical questions, that sort of thing.

And yeah, I mean, it's, it's gone incredibly well and it's been really exciting to see how you've grown and also, you know, just kind of debrief along the way, because a lot of this has just been a, like a straight upward trajectory. There hasn't been a lot of, you know, Hills and Hills and stuff. So, yeah. What do you, what do you think about that whole experience? what are, what are some, some takeaways or some thoughts you've had from that mentorship?

Brandyn (06:21.874)
Hmm.

Justin Gardner (@rhynorater) (06:36.003)
process that, just give a brother a grade here. What kind of stuff was helpful and what kind of stuff wasn't helpful?

Brandyn (06:36.04)
Mm.

Brandyn (06:40.594)
I

Brandyn (06:44.455)
Well, what's funny now, looking back with the context I have on you now, which I didn't have before, when I used to report stuff and either it get downgraded by triage or not understood or anything like that, I just be raging in our Discord like, what's going on? It's been downgraded. And just being so fiery and angry. And you guiding me through the emotional side of Bug Bounty was very valuable because my default was to just get.

Justin Gardner (@rhynorater) (06:49.229)
Yeah.

Justin Gardner (@rhynorater) (06:55.63)
Yeah.

Justin Gardner (@rhynorater) (07:03.715)
Yeah.

Brandyn (07:14.713)
really annoyed for not much reason actually, and now I realize how busy you are and how structured everything is. You must have just been looking at your Discord thinking, no, why have I taken him on?

Justin Gardner (@rhynorater) (07:15.299)
Get mad, yeah. Yup.

Justin Gardner (@rhynorater) (07:25.145)
Dude, no, no, dude, I've been there, man. I've been there and it's really frustrating. I think there aren't really a lot of industries that I can think of that are results, money for results, like Bug Bounty is. So if you are delivering something that you perceive to be a high quality result and expecting to get paid for it and then it doesn't happen, that's extremely demoralizing and infuriating, right? Especially when you...

Brandyn (07:52.221)
Mm-hmm.

Justin Gardner (@rhynorater) (07:54.445)
have put so much time and effort into our POCs, into our reports like we do, right? So I think that that's an interesting thing that you pointed out as one of the top pieces of information you pulled away from our mentorship is that whole emotional regulation and I guess there's also that aspect of knowing what kind of things you can say back to triagers and that it's not like nail in the coffin, I just lost my bounty, it's let's have a conversation, right?

Brandyn (08:23.987)
That's it. That, and it's funny because even though I've been on the other side of the fence with bug bounty, in the triage position managing quite small programs, until you've actually reported stuff as a hunter you can't recreate that emotional, like, rollercoaster, that context or anything like that. You have to really go do it, experience it, fail, go again. But yeah, the mentorship, that was probably the most valuable thing for me because I think if

Justin Gardner (@rhynorater) (08:30.868)
Mm. Yeah.

Brandyn (08:54.087)
this whole thing didn't happen and we weren't here talking right now, I probably would have gotten so annoyed at the time and I would have just went, nope, not for me.

Justin Gardner (@rhynorater) (09:02.819)
Yeah, well, I think, and I think there was just from like a technical perspective, I think there we've worked through a couple like quality vulnerability things and stuff like that. But, to be honest, a lot of, because I think you've been focused on being a pen tester for so long, I think you had a really good base of like technical knowledge and ability to approach these targets. So a lot of it was more like.

Brandyn (09:13.579)
man.

Justin Gardner (@rhynorater) (09:26.807)
Yeah, you're on the right track, stick at it, keep at it, keep at it, spend more time on this target, dive deeper here, this isn't a real lead, this is a real lead, you know, that sort of thing. So I think it's a lot easier just from a mentor perspective with you to point people in the right direction because, or to point you in the right direction because, you know, you already had a sense for what an attack vector looks like and that sort of thing. Yeah.

Brandyn (09:28.43)
Hmm. Hmm.

Brandyn (09:34.609)
Mm.

Brandyn (09:49.427)
Yeah, yeah, I think the other side of it, putting the mental and like softer skills away, the technical piece was quite valuable because the client side stuff that is very much your jam, like everyone knows that everyone who listens knows that and that isn't an area for me where I ever deep dived in and spent the time to craft and learn because I think there's a lot of intricacies and it's very much an alive.

Justin Gardner (@rhynorater) (09:56.931)
Yeah.

Justin Gardner (@rhynorater) (10:04.471)
My jam. Yep.

Brandyn (10:17.331)
and living ecosystem, changes a lot as browsers change and so on. And I just sort of abandoned that. And I think we'll touch upon this later, I think, but traditional pen testing, and bearing in mind I started 10 years ago and all the advice I got was very, like, network hard and traditional pen test experience, it goes against that style of bug hunting, I think, in my opinion, because there's a lot of focus around

Justin Gardner (@rhynorater) (10:19.139)
Mm.

Justin Gardner (@rhynorater) (10:34.285)
Mm-hmm.

Brandyn (10:45.307)
traditional attack vectors more from a network perspective, and I'm speaking from experience when I tried to break in. But equally with web app there's more around the traditional, like, web app hardcore stuff rather than more client side focus. And I think Jason, I think it might have been Jason, had extended upon this before, and I think it's because a lot of the material, I mean it's getting better now, but a lot of the material traditionally that was built around this

Justin Gardner (@rhynorater) (10:50.937)
Mm-hmm.

Justin Gardner (@rhynorater) (10:58.259)
Yeah.

Brandyn (11:10.139)
was around that traditional like web app hacking stuff and not much focus on JavaScript analysis or anything like that. So I think that's been really, for me, incredibly valuable to like balance my attributes in all areas of hacking if you see what I mean.

Justin Gardner (@rhynorater) (11:23.737)
Mmm.

Yeah, yeah. And it's, it's, it's all too easy to go one, one direction or the other. Right. And I think to become a balanced hacker, you really have to often intentionally balance rebalance yourself. Right. and I, I often find myself moving too much in the client side direction and being like, you know, yeah. And, and, and because at the end of the day, I mean, unless your application has a specifically, intense, threat model, most of the time, what you're going to achieve with client side stuff is, is a high.

right, you know, at max. And while a high feels great and keeps the pockets loaded, you know, it isn't as fun as popping like a critical where you're you know, dumping everyone's PII and it's like, you know, you got access to everything, right? So I know for me, you know, just, and it's funny because these mentorship sessions have also turned into like, I don't know, like group therapy, like bug hunter group therapy where I'm like.

Hey, Brandon, guess what I learned about myself this past week, you know? And so it's good to sit down and talk about stuff, right? Because I also get to regurgitate these lessons that I'm realizing for myself as well. But it's far too easy to leverage in one direction or the other, right? And so I think one of the things that I wanna try to work on in Q4 of this year and going into 2025 is like...

Brandyn (12:24.071)
Okay.

Brandyn (12:30.833)
Hmm.

Justin Gardner (@rhynorater) (12:48.873)
Swinging back onto that server-side realm and using the client-side stuff to inform the way that I attack the server side more directly, rather than getting caught up in the weeds of, like, that looks like a weird sanitization or that looks like a weird little, you know, code flow that they've got there. So, yeah.

Brandyn (12:53.843)
Hmm.

Brandyn (13:05.075)
Yeah, I would say we've done a few hackalongs as well, for people that aren't aware, and it has been interesting because, like, when I blink you've got DevTools open straight away and you start going down that flow of getting familiar with an app, which I never used to really follow or have much knowledge on. And that for me was really interesting to see, because if you're not predominantly

Justin Gardner (@rhynorater) (13:11.63)
Yeah.

Justin Gardner (@rhynorater) (13:20.537)
you

Justin Gardner (@rhynorater) (13:27.289)
Mmm.

Brandyn (13:34.705)
doing much client side hacking or having much client side bugs. That isn't intuitive at first, but then as you start to use like the dev tools and doing some like dynamic analysis to inform your hunt and inform your testing going forward, that's where it starts to get quite interesting. But that's one thing that definitely stood out to me when we done our first hack along was I blinked and like dev tools open, you're like break point, break point, break point, I was like, what's going on?

Justin Gardner (@rhynorater) (13:44.013)
Mm-hmm.

Justin Gardner (@rhynorater) (13:49.113)
Mm-hmm.

Justin Gardner (@rhynorater) (13:56.889)
Yeah, dude, I love it, man. It is great and it really does inform a lot. Yeah, I think that's a takeaway and we'll go to takeaways from this past Live Hacking event as well because Brandyn, dude, Brandyn, I have to say, man, you had me sweating there for a little bit at this last Live Hacking event because, you know, I was like, okay, you know, this is cool. My mentee, you know, is going to a Live Hacking event. Like, this is fun. And then...

Brandyn (14:14.451)
you

Justin Gardner (@rhynorater) (14:23.607)
Like you messaged me like one hour into the event, and you're like, dude, I just popped a crit. And I'm like, shit, is this how we're gonna start? am I gonna, I gotta hustle. So I, you know, for a little while I was sweating there about whether my mentee was gonna outperform me. And if I was gonna need to write something for you to become the mentee now, but it turned out quite great. So we'll come back to some of the LHE.

Brandyn (14:27.411)
Hahaha.

Brandyn (14:31.507)
Yeah.

Brandyn (14:39.739)
Peace.

Brandyn (14:44.731)
that's what that

Justin Gardner (@rhynorater) (14:49.793)
takeaways, but definitely this time around one of the big ones for me that's relevant to this was, that whole aspect of, and I think this might be like a nice axiom, like something that we should have, like one of the takeaways from previous pods that I've always held with me is Jason Haddix's quote on Recon. The purpose of Recon is to find more apps to hack, right? And I think one of the axioms that I would like to sort of propose out there is that the client side can really, really be useful in

in determining, informing the way that you make assumptions about the server side. And I missed that, this event, man. And it hurts me because another hacker just found some really crazy stuff with that. And after I sat down and reviewed some of the material, some of the vulns with them, something really, really clear to me stuck out and I was like, what have I done? Yeah.

Brandyn (15:44.258)
But man, that feedback that is, and we keep saying that we'll go back to it, but we keep talking about it. But that feedback, shall we just do it? But that feedback that you get in the LHE context where you're able to see what other people are hacking and get that immediate, I missed that or, okay, I maybe didn't spot that, is just so like, you don't get that really anywhere else in Bug Bounty unless you collab.

Justin Gardner (@rhynorater) (15:51.225)
Alright, let's just do it, man. Let's just do it. I don't know. Yeah, let's do it. Okay, continue. Go ahead.

Justin Gardner (@rhynorater) (16:00.249)
crazy.

Justin Gardner (@rhynorater) (16:10.862)
Mm-hmm.

Brandyn (16:11.872)
And even if you do collab, you don't get it to that extent because people have literally spent three weeks on the same sort of areas as you have in the same weird contexts. And then you can talk about it and see what they found. And that for me, it just felt like another piece of the puzzle falling into place. And I was like, this is great. Why wasn't I here before?

Justin Gardner (@rhynorater) (16:33.603)
Yeah, it's such high feedback, Like you think about the way we are traditionally educated, right? You you go, you study, you take an exam. Imagine if you just never got a grade. You never got, no one ever told you if you had the answers right or if you had the answers wrong, right? And so I think, you know, live hacking events sort of is the closest we can get as hackers to getting a grade on our work. Because if you look at all the other hackers around you that are extremely talented,

and you look at their work and you say, okay, well probably between the combination of the 50 of us, know, somebody, you know, somebody found pretty much everything there is to find, but then you do it again the next time and then there's still more things to find, which is just the sort of mind boggling thing that happens with these live hacking events, so.

Brandyn (17:18.947)
Mm-hmm.

Brandyn (17:25.474)
And man, just Frans Rosén, by the way, like every time, every time, it just doesn't seem, it just doesn't, whatever he's stacking in his head fundamentally does not stack in mine. Cause I don't, how does he extrapolate the, he done some really cool stuff for this LHE and done a show and tell, but that's all we can say. And it was great.

Justin Gardner (@rhynorater) (17:28.435)
my god, dude.

Justin Gardner (@rhynorater) (17:40.717)
Yeah.

Justin Gardner (@rhynorater) (17:47.405)
Yeah. Yeah. Yeah, dude. It's always amazing, man. I'm so glad you got to go and experience it because it is really, it is really amazing. And I think for me, to see you go through it and to see you be amazed by it, it renews it a little bit for me because it's become a little bit of like a normal thing for me. And then now when I hear you talking about it, like, my gosh, you know, it really is amazing. So it does, it does make me,

Brandyn (18:04.259)
you

Justin Gardner (@rhynorater) (18:16.397)
made me realize that, yeah, if anybody has the opportunity to go to a live hacking event, I would really take it regardless of the cost or whether it's how much work it takes or if you have to pay your own flight or pay your own hotel or whatever, because the opportunity to be around other hackers and see how they think about the same application, it's pretty rare, because in a pen test context as well, like,

Oftentimes the most you get is a pen test report from another company, or maybe, if you're lucky, you get paired with one other pen tester to, like, pair work on a project, right? So it's, it's so crazy to see more than two hackers hacking on one thing.

Brandyn (18:47.173)
Mm-hmm.

Brandyn (18:53.029)
Hmm.

Brandyn (18:57.36)
Well, this is it. Like the time constraints as well, I haven't ever looked at. So for the past 10 months, my bug bounty hunting has been incredibly broken up, maybe two hours a day here, there, whenever I can fit it in around my schedule. And I managed to negotiate some time off work to focus on this LHE this time around. So I got a somewhat unexpected invite through and I was like, I have to try and make this work,

Justin Gardner (@rhynorater) (19:02.009)
Mm.

Justin Gardner (@rhynorater) (19:21.305)
Mm-hmm.

Brandyn (19:27.079)
because you don't get this every day. And being able to spend that much time on the target and also have that feedback from other hackers, I feel like it levels you up so much more and quite quickly in some ways because of that immediate feedback and being able to have three weeks worth of context on the target.

Justin Gardner (@rhynorater) (19:27.257)
Mm-hmm.

Justin Gardner (@rhynorater) (19:47.181)
Yeah, yeah. So, so what do you think about, let me ask you this for the people that haven't experienced what it's like to be a full-time hacker. What was that transition like the, the, the two to three hours? Like, were you experiencing a lot of two to three hours to a full day, right? Or maybe, you know, a 12 hour day or whatever, right? So were you experiencing a lot of mental fatigue? How is your focus? You know, where, where, where was the burnout? That's a leading question because I know where that's going. But, but yeah, hit me with that.

Brandyn (20:13.543)
It was interesting because where it was for such a long period, that is like a roller coaster in a way, and I think it started off very, like, energized, really great, like, yeah, that's bang bang bang, getting all these things. But then there are points, when you're trying to hack something, where you get stuck, and usually when I get stuck

Justin Gardner (@rhynorater) (20:23.214)
Mm-hmm.

Brandyn (20:42.534)
I would have like a day or two in between of doing other stuff then coming back to it and being refreshed and going, how didn't I see that before? This time, however, when you're going at it and you're looking at one target, having to like coach yourself through that mentally, because it's very easy to fall into a hole and be like, I'm so bad. I should be able to get this. Why aren't I getting this? And you can sort of fall into this like pit of just despair.

Justin Gardner (@rhynorater) (21:01.838)
Right?

Brandyn (21:09.761)
and you really need to try and avoid that or just get yourself out of it. So that was very interesting for me because I hadn't ever really had that at all, spending that long on one target.

Justin Gardner (@rhynorater) (21:18.147)
Yeah. Dude, it's crazy how much of this podcast, which we really do try to orient towards actionable bug bounty tips, that we actually spend talking about mental, because I think bug bounty is a particularly tasking mental thing, right? Like you, tasking, taxing, that's what I'm trying to say. Like, what am I trying to say here? It's very taxing, right? Like it takes a lot of energy. There's a lot of little, like,

Brandyn (21:35.048)
Hmm.

Taxing.

Justin Gardner (@rhynorater) (21:46.435)
pits around there that you can fall into and make a mistake. And it's at every turn too. It's not just when you're a beginner, right? It's as you're even, you know, as you're getting more advanced, are you burning yourself out? If you're at the live hacking events, how do you deal with the competition aspect? Yeah, it is really odd. But yeah, so I mean, there's definitely that mental aspect of it, right? How were the...

Brandyn (22:02.715)
Mmm.

Justin Gardner (@rhynorater) (22:15.565)
the energy levels and how hard did you push yourself for this LHE?

Brandyn (22:20.189)
Yeah, so I originally basically tried to burn all fuel in the tank and just go for it, and I put, like, every aspect, or tried to put every human aspect of my life on hold, and then I would, like, forget to go to the gym because I was halfway through a chain of doing something incredible. But long term that really did work against me, because just because you're in an LHE you still need to, like, do stuff and refresh yourself.

Justin Gardner (@rhynorater) (22:34.809)
Mm-hmm.

Justin Gardner (@rhynorater) (22:38.606)
Mm.

Brandyn (22:47.891)
And I messaged you and I was like, how's everything going? And you were like, well, I'm sort of being less productive now, so I'm going to take like half a day off. And for me, I was trying to brute force through that period and I was like, no, we, we're going to keep finding more bugs. We've got to keep pushing. And then when I spoke to you, I realized that it probably wasn't the right approach because with hindsight, looking back, that really didn't work with me. It worked against me and I should have just taken the break time to refresh and go for it.

And I feel like I was spending between minimum seven, between seven to 12 hours a day, some days on the target, trying to really peel it back and understand the context, which was great. But again, you need breaks, man. Like just because you're in an LHE, you don't turn into Superman. I mean, some people do, but I certainly didn't.

Justin Gardner (@rhynorater) (23:26.894)
Mmm.

Justin Gardner (@rhynorater) (23:39.267)
Yeah. Yeah, I feel that man. Yeah. And I think, you know, in retrospect, when we had our conversation about the intensity and what my advice was, you know, for you going into the live hacking event, a lot of what we spent our time on was like, you know, make sure you're trying to get other aspects of your life unlocked, right? Like, you know, get all your tasks

Brandyn (24:02.761)
Mm-hmm.

Justin Gardner (@rhynorater) (24:05.377)
around the house, done, get your house clean, take your girlfriend out for a couple dates, that sort of thing. Communicate with loved ones, try to reduce your task load as much as you can for the live hacking event and then sort of lock in and focus. But then there's also this reverse aspect of like, as you're pushing, as you're going hard, you have to do that self-care piece. And it's also really inspiring for me to hear you say, like, I forgot about all these human aspects.

Like, I think this is a quote from you, from our chats. I forgot about all these human aspects, like eating and going to the gym. And I often forget about eating, but I often don't think about going to the gym as like a human aspect, but it really is. And it's funny, you you use that specific piece because I think the gym is one of those first things that goes for me. And like, if I don't do it first thing in the morning,

Brandyn (24:41.74)
Mm.

Mm-hmm.

Brandyn (24:48.89)
man.

Justin Gardner (@rhynorater) (25:00.343)
Right? It's not getting done that day for sure. Like if I even sit down at my computer, I'm going to blink and it's going to be five o'clock and you're six o'clock, seven o'clock, I'm going to be exhausted. And then I'm not going to do it. You know?

Brandyn (25:01.643)
Mmm.

Brandyn (25:07.518)
Yeah.

I feel like it's one of them things as well, like once you get it done, you get so much of an ROI on it. Just get it done because you feel good. It sets the tone for the rest of the day. You can smash this target, whatever you're looking at. And it just works. Whereas when you're, or where I found myself in the LHE, I was very much in the mindset of, if I'm not hacking, there's someone else globally that is, which might mean we do. And it just fell into this like horrible like.

Justin Gardner (@rhynorater) (25:21.795)
Mmm.

Brandyn (25:40.428)
tsunami of cascading thoughts of, if I'm not hacking, someone else is. And once I got myself out of it and just focused on hacking, like doing good hacking but also doing other things as well, I felt a lot more comfortable and just had a lot more fun as well.

Justin Gardner (@rhynorater) (25:44.601)
Mmm.

Justin Gardner (@rhynorater) (25:53.262)
Hmm.

Justin Gardner (@rhynorater) (25:57.869)
Yeah, yeah, absolutely. Wow, okay, so there's a, it's a lot, man. What did you think about my, what did you think about the results of my advice for you to stick to a specific portion of the application for the whole duration of the event? Because I know that there are some people that jump around and try to attack every little piece of scope. I don't know how Franz consistently finds crits on both targets in multi-target events. I just don't get it.

Brandyn (26:15.148)
Mm.

Justin Gardner (@rhynorater) (26:27.801)
But what is your thought on that methodology?

Brandyn (26:28.109)
Mm.

Brandyn (26:32.77)
Yeah, so for me, it most definitely works. And I feel like with LHEs and targets in general, there is somewhat of a meta approach depending on the target. And for this one, instead of focusing on an individual application, I'm more focused on the ecosystem that the application resided in because there's a lot of interconnected components and different APIs, different applications, which had like their own.

Justin Gardner (@rhynorater) (26:43.417)
Mm-hmm.

Justin Gardner (@rhynorater) (26:54.489)
Mmm.

Yeah.

Brandyn (27:00.719)
authorization, their own permissions, but yet they depended on each other and depended on these permissions which were set in other applications. And for me, I focused a lot on the ecosystem of my specific area, which I focus on, which done really, really well because on a target like this, you can unlock a lot. And I feel like that lent itself really well to a target like this. But that approach

Justin Gardner (@rhynorater) (27:22.713)
Hmm.

Mm.

Brandyn (27:29.093)
definitely worked because I was able to peel back the layers and get into places where people would either not think to go to or they would have gotten bored and not have even bothered trying to go that deep. So there was a lot of attack surface which felt relatively unseen which was quite nice in my context.

Justin Gardner (@rhynorater) (27:47.475)
Mm. Yeah. I think with some of these bigger programs too, obviously there's a lot of hackers on the bigger programs and in bigger scope on the bigger programs, right? But if you can weasel your way into, you know, just one or two layers deeper than the normal hacker goes, there's really a lot of results to be found there. So spending some time unlocking scope, I think is really important. And I think...

I like your term ecosystem hacking, where you're not necessarily focusing on one app, but an ecosystem of apps that sort of integrate together and trying to get it in such a configured state where those apps unlock different pieces of each other and give you access to deeper, deeper, deeper scope.

I think that's probably pretty widely applicable, but it's definitely pretty applicable for Amazon. The target is public, so we can be public about that. But yeah, I think that's definitely the case.

Brandyn (28:45.284)
Mmm.

Brandyn (28:50.862)
Yeah.

Brandyn (28:54.195)
Yeah, the ecosystem approach did work well, and I feel like when you start looking at a target you get a feel for the different integrations, and if they offer documentation, read the documentation. And I just feel like when there's so many different apps and APIs that depend so heavily on each other but implement completely different access controls built on completely different technologies, there's going to be a lot of different contexts which reside in each.

and discrepancies across them and I massively tried to profit off that and it worked.

Justin Gardner (@rhynorater) (29:29.498)
Yeah, yeah. So I want to take a turn here and go back to your LHE experience. Just spending time with you in Vegas when you weren't competing at the Live Hacking events, I saw how powerful of a networker you are. And one of the reasons you got invited to this Live Hacking event, I imagine, was you were plus-oned not only by me, but

by several other hackers that you've met in Vegas and talked to about the Bug Bounty ecosystem. And so, I mean, I don't even know how to phrase this question. Do you have advice relating to that, or is it just like something that you do instinctually that has paid off really well for you across these couple of interactions?

Brandyn (30:18.548)
Yeah, that's interesting. I think for me it feels very natural and instinctual. It doesn't require effort as such. I genuinely enjoy speaking to people, and a lot of the connections I made in Vegas, which I attended as a guest, not as a hacker, I made some really good friends and Greg Sunday, NahamSec, loads and loads of people. I just would literally go up to someone and be like,

Justin Gardner (@rhynorater) (30:27.523)
Yeah.

Justin Gardner (@rhynorater) (30:33.049)
Mm.

Justin Gardner (@rhynorater) (30:38.153)
Mm. Mm.

Brandyn (30:45.617)
What bugs did you find? Or can you show me some bugs? Stuff like that.

Justin Gardner (@rhynorater) (30:48.087)
That's exactly what I was gonna say, man. I was gonna say, like, do you ask the technical questions? Because I think people, despite what you would think, 99% of the people in this industry love to talk about their bugs, right? That's like a flattering question, right? And so have people responded well to that? Yeah.

Brandyn (31:00.51)
Hmm. Yeah, they do. They do. Very well. Very well. And I think when the LHE environment, what I find very interesting about it is that it's quite competitive in the sense that there's a leaderboard and then when someone gets a palp, there's a ding and everyone just like turned around like they're programmed. I was definitely programmed by the end of the LHE. But the sense of community and like

Justin Gardner (@rhynorater) (31:19.437)
Yeah.

Justin Gardner (@rhynorater) (31:23.31)
Yeah.

Brandyn (31:26.9)
Collaboration and helping people out, that is like a very, very good piece of the whole scene that you don't really get much of anywhere else when you're hunting, I don't think. And just going up to people and asking about their bugs or like what they're hacking on, I literally didn't get a single person be like, no, stop talking to me, who are you? Everyone's very welcoming, very, very nice, and

Justin Gardner (@rhynorater) (31:48.643)
Yeah.

Brandyn (31:52.382)
For me, that's what made my Vegas experience, I think, or one of the things that made the Vegas experience. And I feel like that's what made me want to get onto the LHE scene so much more than I already did because it just felt so welcoming. And so it just, it was good.

Justin Gardner (@rhynorater) (32:02.783)
Mmm. Mmm.

Yeah. It's crazy, man. I think over the course of my entire Bug Bounty career, I've been doing this since 2017, right? So seven years. I think I've only had somebody say like, no, I don't want to talk about my bugs. Like maybe three times over that whole course of time. And so it's definitely very rare. And it's also something that made me...

Brandyn (32:24.798)
Really?

Justin Gardner (@rhynorater) (32:32.669)
you know, feel very comfortable starting this podcast because I was like, you know what? People love to talk about this, you know, they love to talk about their bugs because it's something we're all passionate about in general. Right. And I definitely have had people say like, okay, well it's different that, you know, going on a podcast where thousands and thousands of people listen every week and, you know, talk about my bugs rather than, you know, just, Hey Justin, yeah, check this out. You know, cause it's a difference in distribution. Right. But,

I think in general, I think that's absolutely the case. All right, let me look here back at our doc real quick. Yeah, I think we're good on the live hacking event stuff. Did you have anything else you wanted to add to that whole flow?

Brandyn (33:05.456)
Absolutely.

Brandyn (33:16.88)
No, I'm off. That-

Justin Gardner (@rhynorater) (33:18.765)
How was organization for you? I don't know what is wrong with me today. Organizing, how was organizing all of the data that you got? Because you spent a very long time on one target for this event, right? This was actually kind of a long event. So yeah, what was that like and did you use your notes slash different burp files or whatever?

Brandyn (33:23.316)
Peruvian suit.

Brandyn (33:33.704)
Mm-hmm. Mm-hmm.

Brandyn (33:43.836)
Yeah, absolutely. So for people that don't know me, but Justin knows this very well, if I'm not taking notes, and I mean really good notes, I am as close to useless as one could get. I need to, I just have to take notes, otherwise it doesn't get done or it gets forgotten about. And for me, throughout the whole LHE, I made a lot of notes and a lot of context-based notes and even voice notes as well. So I could just jump back into it when I was...

going the next day or if there was something that I really needed to stick that I didn't want to forget. And for the entire time I was hacking remote, fantastic. Notes were going well, I was using them, I was ticking things off, attack vectors, bang, bang. In person, I was just, the mental energy it took me to like focus and just get on and try and do that.

Justin Gardner (@rhynorater) (34:16.483)
Mm.

Justin Gardner (@rhynorater) (34:25.241)
Mm.

Justin Gardner (@rhynorater) (34:32.985)
Hmm.

Brandyn (34:37.33)
I don't know why it just wasn't working. I think it might be like quite ADHD because there's so much stuff going on, so many hackers and like collabs and like other people's bugs. That just went straight out the window.

Justin Gardner (@rhynorater) (34:45.107)
Mmm.

Justin Gardner (@rhynorater) (34:48.889)
That's a great point, man. It is actually a very different skill set to hack with people in person than at home, right? I think it's very distracting. It's very hard to actually sit down at the live hacking event itself and hack because there is such social, there's that social presence where you'd be like, I so rarely get to see XYZ. I wanna go talk to them. But also so many distractions around.

Brandyn (34:57.908)
Hmm.

Brandyn (35:02.895)
Mm. Mm-hmm.

Justin Gardner (@rhynorater) (35:16.761)
And I think that's why a lot of times there's that extra aspect of they put in this bonus of best bug on the event day, right? Because they want hackers to continue trying to collaborate and hack together rather than just kind of, you know, screwing around while they're there, you know, on event. I think the inverse is also true. There are some hackers, some hackers, XSEB, that...

Brandyn (35:26.089)
Mm.

Justin Gardner (@rhynorater) (35:44.589)
goes to the live hack event and just somehow enters cosmic mode and just like, when they're around their people, they just become this hacking god and always find a critical at the event, on the event day somehow, or the night before in the hotel at 3 a.m. or something like that. So it's weird how different hackers respond differently to that pressure.

Brandyn (36:06.332)
Yeah, man, that's... I don't think that's ever gonna be me. I hate to call it out now, but I don't think that's me. I'm very much notes, tick it off, attack vectors. Very much, I need silence just to properly get into things and to get into my workflow. But with that being said, when you're with other hackers at the LHE, it brings an entirely different set of opportunities to collab on.

Justin Gardner (@rhynorater) (36:21.433)
Mmm.

Brandyn (36:35.836)
which are equally as powerful because you have many different skill sets, people with their own niches, lots of different contexts as well and understandings and that can come together and do some really, really cool collabs and really cool bugs.

Justin Gardner (@rhynorater) (36:36.025)
Mm.

Justin Gardner (@rhynorater) (36:49.653)
Yeah, yeah, I agree with that, man. There's definitely both sides of that. I think it does take practice as well. I know Nagli is another guy that often finds something at the event, day of the event, and I would not really think that he would be one of those guys. Nagli, I know you're listening, but he often goes to these events and is like, let's party, man. But then also he somehow rolls up to the hotel and opens up his laptop and is like,

look at this SSRF that's like one little tidbit away from being exploitable. And somebody's like, just do this. And then it's like, crit, crit, you know? And so it's great, it's great. So that collaboration piece definitely, I don't know that it fully counteracts the ability to sit down and like focus and get deep and have your notes, but it definitely is a stroke in the other direction. Yeah.

Brandyn (37:45.684)
For sure. And I think it definitely depends on what type of hacker you are and what personality as well. I think that's another big thing as well on Bug Bounty and LHEs. You get to see how people's personalities and how they interact and how they hack really has a massive play because, as you said, some people can just lock in and find some intense things, where me for example, I was just, it was more effort trying to put my laptop password in

in and itself than just trying to open up and hack something on the day. So it's interesting to see, really interesting.

Justin Gardner (@rhynorater) (38:16.961)
Yeah. Yeah. I'll throw this out there for the listener base as well. And it's something that I think I've mentioned to you in the past, but one of the things I've learned over years of going to the live hacking events is in order to be a good collaborator, you really have to take your co-collaborator, you know, the person you're collaborating with, their attack vectors or their ideas or their things that they think are sketchy really seriously, more seriously than you would probably think you should.

Because for me, somebody will come up to me be like, hey Justin, this is sketchy. And I'm like, I'll look at it and I'll be like, you know, for whatever reason, this just doesn't hit me as sketchy. Or like, it's not something that I would normally spend a bunch of time on, right? And then, and so I'm like, in the beginning I was like, okay, cool, you know? And I'd look at it for a second and as soon as my brain said, this is not really sketchy, I would put it away, right? And I'd be like, okay, I don't really think that's worth anything, right? But then.

As I had the experience time and time again of those people actually popping the thing that I didn't think was sketchy, I'm starting to realize, you know, Justin's sketchiness radar is not completely, you know, locked in, right? I am not thinking everything is sketchy that is sketchy and I'm missing things that are there, right? And so I think even if you don't think it's a good finding, if you respect the hacker that you are

Brandyn (39:26.644)
Hmm.

Mm.

Brandyn (39:36.628)
Mm.

Justin Gardner (@rhynorater) (39:42.859)
are working with and you believe them to have a skill set that you don't, then it's very important to take those leads seriously and really throw everything you've got at them because that difference in exploitation experience or difference in your spidey senses, so to speak, for that endpoint might be exactly the combination that's needed to get that bug to pop as long as you give it a chance. Does that make sense? Yeah.

Brandyn (39:52.637)
Hmm.

Brandyn (40:05.908)
Absolutely, yeah, for sure.

Justin Gardner (@rhynorater) (40:10.039)
I know I went into full mentor mode there for a second, but I think that's a valuable takeaway.

Brandyn (40:15.954)
No, you're right. I think that's a valuable one as well. Yeah, it absolutely is because, as we said earlier, everyone has their own skill set. Everyone. I mean, a lot of people specialize in very niche things as well. So if something comes to your plate, it's probably good to look at it and try and peel it back and see what they're seeing.

Justin Gardner (@rhynorater) (40:29.945)
Mmm.

Justin Gardner (@rhynorater) (40:35.871)
Mm-mm, for sure. So let's, we've covered the live hacking event stuff a little bit where, yeah, so Richard, I'm so sorry, because he's gonna have to go in here and timestamp this video, and he's gonna be like, mentorship, LHE, mentorship, LHE. But let's swing back around to what has made you go from essentially zero successful experience in Bug Bounty at the beginning of this year to,

Brandyn (40:41.396)
We've done it backwards.

Justin Gardner (@rhynorater) (41:04.723)
what are you in like 13th or something out of like 100 at this last live hacking event. So a really remarkable performance. And a couple of the things we had on here was how you choose targets and what you choose to do with those targets. So can you talk a little bit about what your experience has been with that and how you pick the targets you go for and how you approach them?

Brandyn (41:08.852)
Mm.

Brandyn (41:28.788)
Sure. So when I'm looking at a target, I try and pick things which, and I have a list really, if I need to like buy something or if I need something new or a subscription, I will look to see if there's a bug bounty program for the thing I'm trying to buy, or if there's a competitor I can use which has a bug bounty program, and I'll purposely buy it from them so I can walk through their flow in its entirety and buy something.

Justin Gardner (@rhynorater) (41:37.549)
Mm-hmm.

Mm-hmm.

Justin Gardner (@rhynorater) (41:47.417)
Mm.

Brandyn (41:56.676)
and almost get like a 2.4 and maybe even a 3B because it just makes so much sense to do. I'm going to buy it anyway so I might as well try and get some like additional experience or exposure to it if I can hack it so why not. And that's been pretty good and has unlocked a lot of attack surface for me. And the other thing as well is what services do you currently use or can you start using similar to the first point which

Justin Gardner (@rhynorater) (42:02.787)
Yeah.

Justin Gardner (@rhynorater) (42:08.857)
Mm.

Brandyn (42:25.556)
gives you one, an edge on a target or two has a bug bounty program in itself. So do you already pay for something which is an integration for a target which you have been looking at, for example, is quite powerful and can unlock a lot of attack surface. And the reason why I start with these two things is because it almost like flows into your day to day life. You don't need to go out of the way to buy something else or

Justin Gardner (@rhynorater) (42:37.027)
Hmm.

Brandyn (42:50.916)
learn something else, you're already familiar with it or you need to do it anyway. So it sort of makes sense and there's less resistance there. And the other thing as well is in terms of region and where you reside, what can you, are you from the UK, are you from the US? What services can you unlock or what attack surface is unique and geographically exclusive to you? Because I guess we'll touch upon it shortly, but I've had a lot of success in unlocking a lot of

Justin Gardner (@rhynorater) (42:57.689)
Hmm.

Justin Gardner (@rhynorater) (43:14.477)
Hmm.

Brandyn (43:20.286)
hard to unlock areas purely because of the attack, well, the unlock complexity to get there in the first place.

Justin Gardner (@rhynorater) (43:29.282)
Yeah, I kind of mentioned this a little bit yesterday in the talk that I gave for the critical thinkers, but I have this theory on bug bounty that we should try to maximize what I call the attack vector value, which is a function of the impact of this specific attack vector. So what would you achieve if you were able to pull off this attack times the

probability of that attack actually succeeding. Okay, is this really a long shot? Am I dropping a command injection prompt into a logging endpoint or something like that, Franz? Divided by the friction to actually try that attack vector. And so I think that that friction component is really the most interesting variable in that equation.

Brandyn (44:10.482)
Yes.

Brandyn (44:25.396)
Mm.

Justin Gardner (@rhynorater) (44:26.679)
because the friction piece can really save you from dupes. It can get you exclusive scope. It can get you access to things that pen testers don't even get access to because anybody who's been a pen test consultant knows that when you roll up to a pen test, they're not handing you a fully seeded account. They're not handing you a credit card you can use to buy the stuff behind the paywall, right? You're pretty much having the same thing that you have access to as a bug bounty hunter.

Brandyn (44:52.02)
Mm-hmm.

Justin Gardner (@rhynorater) (44:55.519)
If you don't have access to it, then the pen tester probably didn't as well. So there might be code living behind these little paywalls or location gates or whatever that nobody has ever assessed. And so that definitely unlocks some exclusive scope. And I think you found that, or at least what I've observed, is that sometimes you can go really hard on the parts of the scope that are

more accessible and then when you move into those regionally locked things or paywall locked things, all of a sudden everything just seems to work and it just gets easier. Which I think is really encouraging as well, right? Because it's like you're not going up against this really hardened thing anymore. You've kind of found the hack to getting access to the sweet spot.

Brandyn (45:33.192)
Mm-hmm. Yeah.

Mmm.

Brandyn (45:44.852)
And I think that's one piece of advice I'll give to part-time hunters as well, which, in hindsight, I'm quite happy it didn't bother me, but if you aren't full-time hunting and you don't have much time to hunt, or as much as you would like, putting in an hour, two hours to go through that flow and go through the very annoying process of signing up to something or configuring your account to support five different types of, putting that investment in

Justin Gardner (@rhynorater) (45:49.241)
Hmm.

Brandyn (46:14.354)
will probably pay off around 90% of the time at some point and you will dig something up. You just have to put that investment in initially, which is what puts a lot of people off from doing it in the first place.

Justin Gardner (@rhynorater) (46:17.593)
Mm.

Justin Gardner (@rhynorater) (46:26.47)
Yeah, it's hard. I like your tip though of actually intentionally unlocking scope for yourself with the products you buy. So it's not like I'm a hacker, I'm sitting here thinking, okay, what do I hack? And then I see a product and I'm like, all right, I'll just pay the money and buy that product and do the hacking, right? That's great. That's the, you know, we've got that little, Christian, I'm gonna ask my video editor to try to put this up on the screen.

Brandyn (46:42.962)
Yes.

Justin Gardner (@rhynorater) (46:52.153)
There's like the galaxy brain meme, right? The small brain is like, you know, public scope stuff. The middle brain is like, you know, I'm paying for services, right? You know, cause I'm a hacker. And then the galaxy brain is like, really, I'm gonna, you know, go in and use the services that I have and intentionally buy a service that has a bug bounty program for personal use and make that a part of my product selection. I don't know how he's going to fit that into a little thing, but.

Brandyn (46:54.632)
The drink.

Brandyn (47:16.55)
Mm.

Brandyn (47:20.2)
Yeah, sorry mate.

Justin Gardner (@rhynorater) (47:21.561)
Yeah, sorry, sorry Christian. But I really like that idea. I've actually heard, I think it was Ben, NahamSec, say this one time where he was like, yeah, I use this credit card. I was like, you know, like, just talking about credit card point hacking. I was like, this one really gives, you know, more flexible points and is really, you know, helpful. And he's like, yeah, but that one doesn't have a bug bounty program. And I'm like, damn, that's true, man. If you find like one bug.

Right, that is way better than all these points that I'm talking about, right? So intentionally making a product selection for your personal use surrounding whether something has a bug bounty program or not, not only pays dividends from a security perspective, but also can pay actual dividends, like for you to get bounties. That's great, man. I really like that. Let me ask you this. So I guess you've had experience as a pen tester before going into bug bounty, but...

Brandyn (47:54.344)
Hmm.

Brandyn (48:06.094)
Literally. Yeah, absolutely.

Justin Gardner (@rhynorater) (48:20.595)
What vulnerability classes have you found to be most fruitful for you, going from beginner to LHE? And then what vulnerability classes have you recently said, wow, this is something that I wasn't looking for quite as much that I really should have been investing in?

Brandyn (48:40.52)
Hmm, so originally I think a lot of defaults, and because of the amount of them there are, there's a lot of XSS, broken access control, so I focus on them as my bread and butter. And that was my plan originally, but as I started peeling back and getting more familiar with targets, a lot of logicky type bugs as well kept cropping up. But XSS, there's so many

Justin Gardner (@rhynorater) (48:49.017)
Mm.

Brandyn (49:08.494)
everywhere that I recommend everyone to at least have them on your checklist somewhere to look. But that's primarily where I started off, and then I went to Vegas and I attended NahamSec's talk, and he done a talk on SSRF, and the talk was really good, had some workshops in there as well, all good stuff. And not that the techniques were anything new to me, but I had the very, very harsh realization

of why aren't I looking for SSRF, the talk was on SSRF. And I sat there and I couldn't answer it and I felt a bit silly because I just thought there's no reason for me not to look for this. I have experience exploiting it in the past in a pen test context. I just never bothered looking for it. So I took that away and I was like, all right, okay, let's try and find some SSRF. And then for three weeks solid, I think it was, I chained, I escalated

SSRFs into RCEs with Alex Chapman for three weeks. I was like one a week, which was incredible, and all headless browser exploitation. Obviously that's Alex's jam. But yeah, it just occurred to me like if you have experience or some competitive edge around whether it be a target or a vuln class, don't disregard that because that's knowledge and experience you can very easily put to use with the right mindset when approaching a target.

Justin Gardner (@rhynorater) (50:10.554)
my gosh, dude.

Justin Gardner (@rhynorater) (50:17.721)
Mm.

Brandyn (50:36.732)
That was my biggest takeaway.

Justin Gardner (@rhynorater) (50:38.371)
This extends to industry as well, right? Like if you, before you were a hacker, have experience in whatever industry, the financing industry, the construction industry, you know, the pharmaceutical industry, right? There are almost certainly bug bounty programs out there that will utilize those terms or the requirements of that, you know, field, the specific knowledge of that field, which is really, really helpful for you and gives you a competitive edge.

Brandyn (50:47.398)
Hmm. Hmm.

Justin Gardner (@rhynorater) (51:06.697)
That's something that me, as somebody who's been forced to look at so many targets because of live hacking events, it became a little bit less important to me because I'm like, well, if HackerOne or Bugcrowd or wherever is gonna just point me at these targets, I gotta be able to hack it. In my off time, when I'm not hacking for these live hacking events, working on targets where I have industry specific knowledge could be fun. So I'm gonna...

Brandyn (51:22.726)
Mm. Mm.

Justin Gardner (@rhynorater) (51:35.609)
I'm gonna see man, maybe there's some real estate websites that I can go hack or something like that.

Brandyn (51:41.992)
I can tell you right now I have, I can list some off which are private but you most definitely have access to them. There's a few, I know there's a few.

Justin Gardner (@rhynorater) (51:47.671)
Yeah, that's interesting. Huh, huh, hadn't really thought about that. So, coming back to what you said though, you mentioned a checklist. And I know that you are very structured, and I don't know that we've actually talked about this, but I know that you're very structured, that you take really good notes. Do you actually use a vuln class checklist? Or is your checklist mostly like,

Brandyn (51:59.816)
Mm-hmm. Mm-hmm.

Justin Gardner (@rhynorater) (52:13.761)
attack vector ideation, then that goes on the checklist and then I'm checking those off one by one.

Brandyn (52:18.504)
Yeah, so when I approach a target where I've had previous experience pen testing and have like a base grounding on every, not every, but most vuln classes, I use a threat model approach on targets. So I go on the application, sign up, unlock everything I possibly can, every single flow.

Justin Gardner (@rhynorater) (52:25.367)
Mm.

Justin Gardner (@rhynorater) (52:30.201)
Mm.

Brandyn (52:41.884)
go through everything, and then once I have that context as a normal user, I'll start going through my Burp history and playing around with the app. And when I start peeling back the layers, I try and put down every single possible attack vector, no matter how stupid it might sound, put down the attack vector, whether that be because the functionality is sketchy, whether they're using a specific technology, whether the architecture lends itself to that, whatever it might be. And my whole aim

when I'm going through this process when I first approach a target is to come up with as many attack vectors as humanly possible. So when I'm then hacking the target, I have a massive list of inspiration I can actually look at and just get really creative with and tick off one by one. And the idea is that it is a living, breathing list document, which I can never finish because the more familiar you get with something, the more ideas you should have. That's my

Justin Gardner (@rhynorater) (53:29.261)
Mmm.

Justin Gardner (@rhynorater) (53:35.022)
Hmm.

Brandyn (53:42.418)
premise of why I do that and how I do it. And for me personally, with the way I work and needing notes just to do any basic function of life in general, it's been quite successful. And you can pick back up on the target, you can look at this list and go, okay, I didn't really try that last time, but it's on my list. And then you can start going down that route. And I feel like if you are in a part-time capacity and your time is quite sporadic,

Justin Gardner (@rhynorater) (53:44.441)
Hmm.

Justin Gardner (@rhynorater) (53:56.03)
Yeah.

Brandyn (54:11.834)
and you can't just hit a target for two, three days solid, that very much lends itself towards that. It's very, very useful.

Justin Gardner (@rhynorater) (54:18.647)
Hmm. Yeah. Wow. I think this, if I had to guess, obviously there's a lot of things going for you over the past 10 months that have worked out well. But if I had to guess, I think this is probably the number one thing that, that it has served you well is your, your dedication to attack vector ideation. And it's actually, it's starting to click with me a little bit now, cause I've heard you talk about this time and time again. And I've even put it in some of these presentations that I've been doing.

Brandyn (54:38.172)
Mm-hmm.

Justin Gardner (@rhynorater) (54:47.065)
At Defcon and just yesterday for the critical thinkers, the importance of attack vector ideation and how pivotal that is. I think it's probably the most underrated skill in bug bounty. And it seems like you have a good system for that: you start preloading this list, you get this massive list, right, and then you, you know, you start working on the items and you allow your creativity to trigger and you allow yourself to go down different paths, and then when you get to a dead end

A lot of people that aren't creating this massive list, they're just getting stuck and they're saying, okay, well, I'm kind of, you know, that didn't pan out. I don't know where to go next. But for you, you've got this document where you say, all right, I don't know where to go next, back to the next item on the list. And then you start from there. That's really powerful, dude. I really respect that approach. Is that something that you think evolved from more?

Brandyn (55:21.042)
Mm.

Brandyn (55:33.042)
Mm-hmm.

Justin Gardner (@rhynorater) (55:44.835)
from more structured hacking, in the beginning you wanted to make sure you were checking all the boxes with the vulnerable classes and stuff like that, or is that just something, is that a function of the way that you live your life with the note taking?

Brandyn (55:58.14)
So in the hacking context, I think that really started when I started doing more code review type stuff because to give everyone context, I don't have a developer background at all. I was very traditional blue team, network administration, SOC and then pen testing. So that development background, which a lot of hackers have, which is incredibly useful to have, I didn't have. So when I, it all started when I tried to go for my OSWE.

Justin Gardner (@rhynorater) (56:04.391)
Mmm. Interesting.

Brandyn (56:27.304)
and I found it, it wasn't intuitive at first when I was approaching these code bases and some of these code bases were enterprise, small enterprise level and I was just like well what have I been doing for the last three hours, like where am I, like I don't even, I don't get where I am, like what's been going on? And that's when I was like yeah and I

That's when I started coming out with the system. And when I tried to get into bug bounty, I realized under the context I was doing it and the constraints I was doing it, because in the mornings I'd say do stuff critical thinking and then I'll do my main job. And then in the evenings I'll do bug hunting or it might be completely different. And in the mornings I'll be bug hunting and whatever. I realized that that context switching is incredibly taxing mentally. It is incredibly taxing and it's exhausting as well.

and the idea of notes and applying that methodology when I'm approaching a target takes a bit of that mental tax away because you can see your notes, can almost, it helps you prime yourself to get back into that. Right, okay, this is what I'm going for next.

Justin Gardner (@rhynorater) (57:42.627)
Dude, I'm so glad I have you as a writer. Like, this is the perfect guy for the writer, the guy that like lives and breathes notes. That's awesome, dude. That is really great. Yeah, I think that is definitely one of the major components that contributed to your success for sure. All right, man, I think that is the end of what we've got on this list here. Do you have any, no, I almost forgot the bugs.

Brandyn (57:46.043)
the

Brandyn (57:51.73)
Hmm.

Brandyn (58:02.836)
That's real,

Justin Gardner (@rhynorater) (58:12.365)
We gotta go to the bugs. All right, dude, you actually plopped some three pretty solid ones on here. So let's start with this first one, ATO on FinTech Bank. Tell us how you pulled that off.

Brandyn (58:26.162)
Hmm. Yeah, so this one was one of my first bugs ever, paid bugs in bug bounty. It was my first one on HackerOne, and the first one was a crit, and after that I was very much like, I set the bar high for myself, but then I also knew I wanted to like keep that energy and keep going, which didn't pay me dividends.

Justin Gardner (@rhynorater) (58:47.351)
Yeah.

Brandyn (58:54.432)
The second time I didn't get a crit, but it was still good to get a crit first time anyway. So this one was good, it involved a lot of unlocking attack surface, and I was trying to basically peel back this target and understand what would hurt them and where some areas are which probably haven't been looked at as much. And in order to unlock this attack surface and really get to the bottom of it,

Justin Gardner (@rhynorater) (58:56.333)
Right.

Brandyn (59:22.839)
I ended up creating seven, I might have been eight actually, real bank accounts under my name and with different payment providers, which has hurt me a little bit in the past 10 months. It has hurt me quite a lot, I'm not gonna lie. And there's at one point I was even getting messages from like bank fraud teams like, who are you? Why are you sending one penny with this nonsensical string?

Justin Gardner (@rhynorater) (59:34.653)
my god, dude.

Brandyn (59:50.039)
Who's Justin Gardner? Why has he sent you an international payment of £10? And yeah, it was an interesting experience, but that for me of unlocking the attack surface and going through all that pain did pay off quite well. And it all started with really, it started before the bug hunting, but there's a lot of newer UK banks which, when you get a payment, you can like...

Justin Gardner (@rhynorater) (59:53.297)
my gosh.

Brandyn (01:00:17.717)
respond back to someone with an emoji or a message, and I was thinking, okay, call functionality may be a little bit excessive, I don't know why that's necessary, but how's that actually working? And some of these banks have a web app portion, so how is that rendered and what are they letting through, because emojis and like that just had that little spidey sense tingling. And throughout me approaching this target and performing this research

Justin Gardner (@rhynorater) (01:00:20.057)
Mmm.

Brandyn (01:00:46.842)
I started, the reason why I set up with so many different payment providers, not just bank accounts, I wanted to understand what different providers allowed, what different character sets, and how much flexibility they're allowed to be sent with, say, a payment or a request or whatever it might be. And that's where the magic happened. Primarily for EU now, but a lot of EU based FinTech related

companies added something called the Open Banking API, and this is an open API spec that anyone can look at online, and you can check which banks are compliant with which areas of the API. And it's basically an API spec which is defined for if bank A wants to send money to bank B and you're both in the EU or you're both UK based, this is what the API looks like.

Justin Gardner (@rhynorater) (01:01:21.433)
Mm.

Justin Gardner (@rhynorater) (01:01:44.289)
So this is like a B2B, like a business to business or a bank to... well, bank to bank B2B API. That's pretty cool, and it's standardized across all these different banks.

Brandyn (01:01:50.667)
Mm-hmm.

Yeah, so my understanding is it's primarily for EU based banks, because there's a lot of functionality and OAuth flows now where when you send a payment you can log into your account and there's like this OAuth flow and all the banks know each other, they're pre-selected, so you can just click your bank and then it takes you to the proper login page and does a lot of the legwork for you. But the interesting part about this is there's a lot of functionality there, for one.

And two, in the open banking spec, it tells you like what data types to expect and how long the fields are and things like that. And compared to the open banking spec and what was implemented, I found there's a lot of discrepancies in terms of what was allowed and what wasn't. The one thing that was standardized across all of them, however, was a very strong and limited

reference in a payment, and that was hard set across all EU and UK providers. However, when I was looking at what I can send and what I can't send, this is where I roped you in and why I did get fraud ringing their alarm bells and everyone like that. I wanted to look at how international payments are handled, right, because open banking is more like EU to EU. What happens with international?

Justin Gardner (@rhynorater) (01:03:16.164)
Hahaha

Justin Gardner (@rhynorater) (01:03:22.233)
Mmm.

Brandyn (01:03:26.18)
And equally with international banking, each bank has to support their local character set, right? So like that could be anything, anything could end up in there really. And that is where I managed to figure out that one of these inputs was vulnerable. And I essentially used it to achieve account takeover through means of stored XSS by sending a payment of like a penny to gr3pme.

Justin Gardner (@rhynorater) (01:03:54.392)
Yeah.

Brandyn (01:03:54.538)
And when they open the payment, they go, who is this guy? Why is he sending me a penny? Open it and bang, account takeover.

Justin Gardner (@rhynorater) (01:04:01.849)
Wow, dude, that's really solid. I'm gonna be like a proud dad for a second here and just highlight all of these amazing things that led to this bug, okay? First thing that just stood out to me so clearly was how far you went on this target, right? And I think we talked about that, right? We were like, hey, you should really spend a lot of time on this target. And you opened up seven different bank accounts in order to...

Brandyn (01:04:06.333)
This is

Brandyn (01:04:19.901)
Hmm.

Justin Gardner (@rhynorater) (01:04:28.343)
to get access to all of this different scope, right? When we talk about scope expansion, we're not just talking about, swipe my card, pay five bucks, now I've got access to the premium product, woohoo, sort of thing. You went and you filled out forms and you dealt with fraud emails and you damaged, I don't know what the UK equivalent of your credit score is, but you opened up a bunch of stuff in order to achieve this, which is very dedicated.

Brandyn (01:04:49.288)
man, it's on the floor, it's on the floor, I don't even look.

Justin Gardner (@rhynorater) (01:04:58.265)
And then you're also, the emoji piece was really interesting. The emoji piece in these different character sets, because the way that you're looking at this situation, you have a spidey sense for what type of data needs to be where and what kind of character sets need to be supported. So I thought that was really a great example of actually thinking about

Brandyn (01:05:03.421)
Mmm.

Justin Gardner (@rhynorater) (01:05:24.673)
in processing how data flows through applications, right? And that's definitely a core skill that a lot of hackers need to understand is where that data is flowing and what type of data we're dealing with. And then diving deep into that open banking API and seeing, okay, well, for EU to EU, there's this, but then what happens internationally? And thinking about those edge cases in that scenario, it's just all of it comes together and culminates in an amazing bug with.

great impact too. If you can send somebody money and then take over their bank, that is bad. So I just love all the different components of that that came together and how they bounced off of each other. So, you know, I gave a disclaimer. I'm proud. I'm happy with that. Let me just give you a little round of applause, little round of applause there.

Brandyn (01:06:14.133)
Thank you very much. Thank you. It was, yeah, it was good. And I feel like FinTech targets, I've almost leaned into naturally from prior testing experience and also after approaching this target. And the amount of attack surface that was there, I started to realize. And then when I discovered the Open Banking API spec and all these discrepancies and things like that, it sort of was just, it just made sense for me that

Okay, there's a lot of weird things happening here, which probably weren't ever designed for an emoji to end up in, like, as a thank you back to the payment and things like that. And yeah, when you start seeing those sorts of things, it can be interesting to peel them back and figure out why they were implemented and how they were implemented.

Justin Gardner (@rhynorater) (01:06:50.169)
Mm. Yeah.

Justin Gardner (@rhynorater) (01:07:01.655)
Yeah, 100% man. Well done, well done. Obviously I knew that story because I played a little bit of a part in it, but I'm not sure that I've actually heard these other two. So hit me with this zero interaction ATO.

Brandyn (01:07:07.306)
Mm-hmm.

Mmm.

Yeah, so on one of the targets in the hackable cup, the (REDACTED), I found an inherent design flaw by complete accident at the time, but now it's being very much integrated into my methodology and something to think about on other targets. But it's this concept of understanding which endpoints expose properties of an object that you're looking at.

and you're attacking. And what I mean by this is, without trying to abstract it too much, if you have like a user object, for example, that you're attacking in one way or another, account takeover, XSS, noting down which endpoints throughout the application ecosystem, or entire ecosystem as a whole, which different endpoints expose which different properties of this same object,

Justin Gardner (@rhynorater) (01:07:55.065)
Mm-hmm.

Justin Gardner (@rhynorater) (01:08:11.641)
Mmm.

Brandyn (01:08:12.456)
and documenting them is very, powerful because objects can have different types, right? So when you look at a user object, for example, you can have active, inactive, deleted, invited, revoked, banned. Just one example, there's so many different states and objects can live in depending on its context and being able to identify these endpoints which expose these properties of the object and hitting

Justin Gardner (@rhynorater) (01:08:22.009)
Mmm.

Brandyn (01:08:41.214)
these same endpoints, but iterating the object through a different context every time, found some really, really creative bugs for me, because there's endpoints, for example, which were accessible to all users, which is completely normal behavior. They should be accessible. That's the way it's designed. But when an object is in a very specific state, hitting that same endpoint would expose like an invitation token, for example, which

Justin Gardner (@rhynorater) (01:09:07.656)
Mmm, yeah.

Brandyn (01:09:10.226)
Again, all users can see this endpoint, but on this specific property, on this specific object, if you hit it when it's in the right state, you might disclose something quite juicy, in this context an invitation token. And once I realized this on this target in particular, I realized that this was pretty much everywhere. And the impact of that was a lot of zero interaction ATO, because you could just

Justin Gardner (@rhynorater) (01:09:38.606)
Wow.

Brandyn (01:09:39.85)
take over other users' accounts if they were, say, invited or whatever state they're in, because there are specific endpoints, not all, but specific endpoints which would expose these additional properties of that object and let anyone read them, if that makes sense.

Justin Gardner (@rhynorater) (01:09:44.387)
Mmm.

Justin Gardner (@rhynorater) (01:09:56.281)
Yeah, no, that makes total sense. And I think you also see this often in the GraphQL world as well. Like that is one of the, I don't know if this app was GraphQL or not, you understanding what data types are on what specific, or what data types have what properties and using different queries and mutations and such to be able to grab those properties out of these specific objects that might be at different states.

Brandyn (01:10:02.41)
Yeah.

Justin Gardner (@rhynorater) (01:10:25.079)
Definitely, definitely a powerful thing and it can affect traditional APIs as well like REST APIs. And sometimes you'll even see, I don't know if you've seen this one before, but some of these traditional APIs will have sort of like GraphQL-esque functionality where you can add a query parameter that says like include or something like that and then name like a sub-object or a sub-property and that will also be included in the API response only if you put that in the query parameter, right?

Brandyn (01:10:51.72)
Mm-hmm. Mm-hmm. Exactly that.

Justin Gardner (@rhynorater) (01:10:54.583)
So those sorts of things, I think, can really, and I like the way that you mixed that with state changes as well, invited, blocked, removed, whatever. As that data type, as that user type evolves, you'll see different things in those different states.

Brandyn (01:11:03.52)
Mm.

Brandyn (01:11:13.704)
Yeah, absolutely. I feel like that's something, well, I think it was Art Gangel said that he finds a lot of like delete based broken access control and IDORs. And the reason for that is when someone's testing this and, say, you might have a typical flow of like using Autorize and just repeating requests, whatever, in those operations, that's a one time operation. Once that's complete, you can't run it again. So therefore it's not going to show up as vulnerable.

Justin Gardner (@rhynorater) (01:11:20.825)
Mmm.

Justin Gardner (@rhynorater) (01:11:37.209)
Mmm.

Brandyn (01:11:42.41)
But if you like, just drop that request entirely, then resend it when you're doing your testing. That's why a lot of these like weird delete based and maybe more context based things with these properties exist, because that's a hole in a lot of hunters' scope, I think I've noticed anyway.

Justin Gardner (@rhynorater) (01:12:02.169)
Hmm. Yeah, absolutely. That's really interesting, man. I hadn't really figured out the reason why that was the case, that a lot of delete IDORs made it through, but that makes a lot of sense in those frameworks that will automatically do the access control testing for you. And it reminds me of a bug that I found within the past couple months where there was an entity that you could modify explicitly, right?

And so, you know, the request just had that object's ID in it, right? And one of those properties of that object was the organization that the object belonged to, right? And if you tried to modify somebody else's object with their entity, their organization ID in there, right? Then it would fail and say you're not allowed to do that. But if you put your organization ID in the body,

and you referenced somebody else's object, right? Then not only would it allow you to modify it, but it would steal it over to your organization. So now the object is gone from their organization, it's in your organization, which affects integrity, right? And in some cases availability, depending on the services that might break their whole setup. But it also affects confidentiality, right? Because...

Brandyn (01:13:10.974)
Okay.

Brandyn (01:13:18.944)
Mm.

Brandyn (01:13:27.124)
Hmm.

Justin Gardner (@rhynorater) (01:13:27.433)
If you didn't modify all the properties of that object, you just modified a couple of them, the remaining properties are still at the values that they were when they were in this victim's organization. So you can leak data about that object as well. So it really hits the CIA triad really nicely. Yeah, exactly. So it turns into a really, really impactful vulnerability. So very good, man. All right.

Brandyn (01:13:43.088)
Yeah, take some more love.

Brandyn (01:13:49.76)
Mm.

Justin Gardner (@rhynorater) (01:13:52.249)
Let's jump to this next one. It's an SSRF and we know big things come from SSRF for you lately.

Brandyn (01:13:58.098)
Hmm. Yeah, so as I touched upon earlier, I like to, on the targets that lend themselves to it, and I've looked at a couple now, I'd like to look at the ecosystem as a whole rather than individual components or applications of it. And there's some

Justin Gardner (@rhynorater) (01:14:06.647)
Mm-hmm.

Justin Gardner (@rhynorater) (01:14:12.236)
Mm-hmm.

Brandyn (01:14:19.206)
ecosystems and targets which will offer something like a developer based service where you can test your own stuff and integrate into them, but in like a test context, in the test environment, completely separate. And equally, more specifically, I found that on one of these ecosystems they actually allow you to tie in and piggyback off the back of the OAuth configuration, so you can use them

to perform all of your like authentication and then you deal with the rest, sort of thing. And when I was looking at this ecosystem in particular, I realized that there's a lot of assumptions made in other controls on hosts and endpoints that if something comes from this host or something comes from this endpoint, it is safe, it is to be trusted, it is okay, without realizing in other parts of the ecosystem

there's ways that user input and developers can sign up and also host something on these same endpoints and also piggyback off of this same config which you offer. And it was quite interesting because I was originally looking for SSRFs in one area of the target and I couldn't quite get it because it was complaining about the host that was in use and I okay, fair enough, put it in my notes, come back to that later. Again, the notes come in useful.

I went on looking at the OAuth configuration, and it turns out there's an area where you could add your own redirect URI value to redirect to your own application at some point in their ecosystem and at some point in the flow. So I was thinking, okay, what host does this reside on? And it started to match up quite nicely and I thought, okay, so now I can satisfy some of these validations that they put in place on the host.

Justin Gardner (@rhynorater) (01:15:57.923)
Mm-hmm.

Brandyn (01:16:15.01)
based part, right, when I was looking for SSRF that needs to reside on this host. You can't look at any other hosts apart from this host, that is designed business functionality. That's all you can do. So I'm going to start playing around with OAuth. If you play around with the code parameter, and if you put in like a completely nonsensical value in this code parameter, like blah, blah, blah, critical thing and whatever it might be.

Justin Gardner (@rhynorater) (01:16:41.57)
Critical, critical, critical. Lovely.

Brandyn (01:16:43.949)
I did do that for my POC. You can actually abuse that to go straight to the redirect URI value and it just redirects you, providing that the redirect URI value has actually been whitelisted on the backend. So now I...

Justin Gardner (@rhynorater) (01:16:58.103)
Hmm. The, the risk... are we talking about the response type, or the... is that what you're talking about? The response mode or response type, one of those two. Nice. Yeah.

Brandyn (01:17:05.133)
Sorry, yes, it was the response type. Yeah, whichever one it is, you can put in a completely made up value and, providing that the redirect URI value has been whitelisted on the backend, it will just straight redirect you to that value. So I thought, okay, that's interesting. And at this time, the puzzle pieces weren't really formed in place. I was just pondering and thinking, that is interesting. And then we got on a call and I was like,

Justin Gardner (@rhynorater) (01:17:18.498)
Hmm.

Justin Gardner (@rhynorater) (01:17:21.817)
Mmm.

Brandyn (01:17:34.561)
There it is, and I tried it and it worked. So essentially what you could do is, in this ecosystem, you could sign up as a developer, host your own, or have some control over that OAuth flow on a host which they used heavily for their own input validation, and essentially abuse that whole flow to put a nonsensical value in and hit the redirect URI every time. And using that,

Justin Gardner (@rhynorater) (01:17:38.679)
Mmm.

Brandyn (01:18:03.445)
approach I managed to get quite a lot of SSRFs, and it was like an inherent design flaw, because I don't think the two teams really talked when that architectural decision was made. And that was when I realized that spending time on a wider ecosystem and understanding all the components of one can be incredibly useful, because otherwise that would have been a dead end and I wouldn't have popped it.

Justin Gardner (@rhynorater) (01:18:07.033)
Mmm.

Justin Gardner (@rhynorater) (01:18:26.968)
Mm.

Yeah, including the dev stuff, right? This is one of the areas that I think is the most fruitful for bug bounty stuff: going and registering with this specific platform as an integration partner, or like using their SDK, or like, you know, there's tons of mostly untouched stuff there because people don't want to go, you know, down the rabbit hole of like, all right, now I got to go like set up this website

that emulates this integration and set up this JS file and blah-de-blah-de-blah. And that used to be something that I would do, you know, just as like, okay, I'm gonna do this because I'm gonna get deeper and like attack this specific portion of the scope. But now, dude, it's so much easier with AI. You can just feed it the page and be like, hey, generate the, you know, the client-side request to trigger this flow, and it'll do it. And I'm like, my gosh, this is amazing. But I think that that's...

Brandyn (01:19:20.877)
Mm.

Absolutely.

Justin Gardner (@rhynorater) (01:19:26.007)
I think that's a really good takeaway for the listeners, of looking at the ecosystem as a whole, like you're talking about, looking at the dev-related stuff. And then I really like this trick that you mentioned of you weaponizing the OAuth flow to create an open redirect. Like you said, I think it's the response type, because it would be response type code, right?

Brandyn (01:19:49.435)
Mm-hmm.

Exactly.

Justin Gardner (@rhynorater) (01:19:52.833)
Yeah. So, so if you put some nonsensical value in the response type, it will often just redirect back to the redirect URL, because that's the way to inform the host that was initiating the OAuth flow that something failed. Right. So boom, you got an open redirect, and that's gotta be widely applicable in so many environments. Right.

Brandyn (01:20:11.729)
Yeah.

Yeah, absolutely. I feel like, especially now, all these integrations that exist, and when you start looking at more ecosystem based targets, and this is heavily used in fintech as well, there's a lot of test environments, test flows, test accounts, test data, all these sorts of things, which you can actually abuse to satisfy the requirements that some of their other defenses rely on in some cases, because the hosts might be the same,

and maybe even the endpoints match up if they're checking that. So it can be incredibly fruitful to go through and understand, okay, this is what I can set up, this is where my endpoints, my inputs are, and matching it up with production and the rest of the scope.

Justin Gardner (@rhynorater) (01:21:01.155)
Yeah dude, as I'm thinking about this, I'm thinking I need to go try some stuff right now actually, because I think there might be a way for me to exploit a bug that I've been wanting to exploit for a very long time. So I think we're gonna call that a pod, man. I think we're gonna call that a pod. You got anything else you wanna say at the end, or am I free to go?

Brandyn (01:21:14.491)
Yeah.

Brandyn (01:21:19.057)
you

That's okay. That's, that's okay. Go on, have fun.

Justin Gardner (@rhynorater) (01:21:26.01)
Did you see my eyes just expand there for a second? I'm like, I gotta go. I gotta go. Alright, that's the pod. Peace, everybody.