Episode 93: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Dr. Jonathan Bouman to discuss his unique journey as both a Hacker and a Healthcare Professional. We talk through how he balances his dual careers, some ethical considerations of hacking in the context of healthcare, and highlight some experiences he’s had with Amazon's bug bounty program.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Find the Hackernotes: https://blog.criticalthinkingpodcast.io/
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Sponsor - ThreatLocker. Check out their ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect
Today’s Guest - https://x.com/jonathanbouman?lang=en
Resources
Anyone can Access Deleted and Private Repository Data on GitHub
Remote Code execution at ws1.aholdusa .com
Hacking Dutch healthcare system
Fitness Youtube Channels
https://www.youtube.com/channel/UCpQ34afVgk8cRQBjSJ1xuJQ
https://www.youtube.com/@BullyJuice
Timestamps
(00:00:00) Introduction
(00:07:28) Medicine and Hacking
(00:19:36) Hacking on Amazon
(00:34:33) Collaboration and consistency
(00:44:13) SSTI Methodology
(01:06:10) iOS Hacking Methodology
(01:13:23) Hacking Healthcare
(01:32:19) Health tips for hacking
Justin Gardner (@rhynorater) (00:00.242)
Keep the energy up. Alrighty, Dr. Bouman, the time has come. Thank you for coming back on the pod, man.
Jonathan Bouman (00:06.508)
Thanks, thanks for the invite.
Justin Gardner (@rhynorater) (00:08.542)
Yeah, I was thinking, you know, I gotta have Bouman on. I realized we actually did have you on in an episode back in the beginning of the podcast, episode 17, with all those hackers just kind of sitting in a hotel room, chatting about all the bug stories. So that was definitely a great memory of mine.
Jonathan Bouman (00:27.264)
It's a good memory. Yeah, it was just some smallish hotel room, on the bed, because there was not more space there. And yeah, I think I described some bug that had me create a music song and get it released, and all the hassle to get through to get it actually there where I wanted it to pop. Yeah, that was a good time. And I'm so honored that you guys still use it in the podcast at the end.
Justin Gardner (@rhynorater) (00:34.752)
Yeah.
Justin Gardner (@rhynorater) (00:43.399)
Yeah.
Justin Gardner (@rhynorater) (00:54.378)
Yeah, dude, we use it every episode. I think people really like it at the end, you know, it's, you know, cause you go through the full podcast, the intro music is really like, all right, let's hype it up, let's hype it up. And then at the end, it's like, okay, now we're just gonna mellow it out, right? At the end, right?
Jonathan Bouman (01:08.333)
To be one of the two, like YTCracker and me, wow, standing in the credits next to YTCracker, come on. Such an honor. Yeah.
Justin Gardner (@rhynorater) (01:12.262)
Yeah, dude.
It just adds to your list of achievements, man, which is where I wanted to start today. Cause it's like, I think you're probably one of the most unique hackers in our space. You know, obviously bug bounty has a lot of variance in the people that are participating in it, by nature of what it is, you know, anybody can participate. There's no limits on that, but to see someone be a medical doctor and also do bug bounty is pretty mind blowing.
Jonathan Bouman (01:22.349)
Thanks
Justin Gardner (@rhynorater) (01:45.11)
So I'm wondering, you know, which one of those did you have interest in first, and how did you, you know, hop? How did you simultaneously become very good at both of these things?
Jonathan Bouman (01:56.653)
Thanks, you make me a little bit shy there. So to start with, I think most hackers start when they're young. It's the state of mind of like, how does this work? How to find the boundaries of this thing that I'm using, if it's a computer game or some software at school. So yeah, it all started when I was real young, say 12 years old, 13 years old, when you start building
Justin Gardner (@rhynorater) (01:58.698)
Mm-hmm.
Justin Gardner (@rhynorater) (02:05.846)
Mm-hmm.
Jonathan Bouman (02:25.718)
websites or stuff, figuring out how the internet works. So I can't say I was first a doctor and then a hacker. No, I think I was starting real young there, and I was developing websites and trying to understand how search engine optimization works. But if you ask me now, guys, what am I, I will tell you I'm a doctor. And the hacking thing, that is something that came into my life
about six years ago. So before that time, I did med school, and during med school you have to earn some money because it's expensive and you have to live on your own in some big cities. That's when I started to build up websites, e-commerce things, startups. So I was responsible for some big auctioning website in the Netherlands, some big crowdfunding website.
Jonathan Bouman (03:22.06)
So I learned from the full stack developer perspective how to handle a lot of data, PII data, and how to do it a little bit securely. It was all PHP at the time. So that's a challenge, but still you learn a lot. After that, I went to work as a street doctor, three days a week, two days a week startups. And then at one moment I became a GP and like,
it's a special training of three years, just like a surgeon, you need six years, as a GP three years in their life. And they forbid me to do any side gigs, any external jobs, because they say, we pay your training, so we want you to focus on it, which is okay. But a hacker never stops thinking as a hacker. At one moment, in the middle of my training, I went to do this
Justin Gardner (@rhynorater) (03:59.678)
Mm. Mm.
Justin Gardner (@rhynorater) (04:11.52)
Hahaha
Jonathan Bouman (04:19.62)
I can say this group where all the doctors come together that are in the training, and my supervisor was there as well. And I asked him like, hey, is there a possibility that I could do some variation of chess matches online? And if I win them, then I might earn a prize. It's not like a guaranteed income. Is that an option? Can I do sports?
Justin Gardner (@rhynorater) (04:39.199)
Ha
Jonathan Bouman (04:43.422)
actually. And they were like, yeah, yeah, internet sports, that's all that exists, and some sort of chess, some sort of chess. So they gave me permission to do that. And that was actually bug bounty. So since I saw on the national TV some young guy, Herben is his name. Shout out to Herben. If you listen to the podcast, I'm not sure, I've never met him in person. Herben was a bug bounty hunter, and on the national television he mentioned like, yeah, yeah, some people say,
Justin Gardner (@rhynorater) (04:44.374)
Mm.
Justin Gardner (@rhynorater) (04:54.167)
I see, I see.
Jonathan Bouman (05:11.133)
bug bounty is hard, but I earned 10K a weekend for finding bugs. And I was like, this guy, so young, how does he do that? So that was the moment for me to introduce this to my supervisors. And they said, yeah, let's give it a ride. So that's when it all started.
Justin Gardner (@rhynorater) (05:18.613)
Right.
Justin Gardner (@rhynorater) (05:27.715)
So, you know, at this time you're in training for being a GP and you're not allowed to do side gigs, but you figure out a way to make this side gig, you know, a game, a gamble, you know, a risk maybe that has some monetary incentive. All right. Think of it like a hacker. I love it, dude. And I just wonder this.
Jonathan Bouman (05:45.769)
Yeah. Yeah. Yeah.
Justin Gardner (@rhynorater) (05:54.238)
I wonder why you decided to go down the route of medicine when you were clearly passionate about hacking and tinkering and computer stuff for this whole duration as well, right? Like typically what most people will do, most people have a hard enough time coming up with one thing that they're passionate about and really going ham at that. But you identified, you went the medical route and the hacking route. So what made you do that instead of just picking IT and sticking with it,
or picking medicine and sticking with that?
Jonathan Bouman (06:25.532)
Yeah, so the honest answer is I was 17 years old and I was almost done with the last year in high school. So that's the moment where you go to different universities to have a look around. So I went to this introduction course on artificial intelligence actually. And I went there with one of my best friends who later on ended up at OpenAI as one of their first employees. Super proud of him, super proud of him.
Justin Gardner (@rhynorater) (06:34.39)
Mm.
Justin Gardner (@rhynorater) (06:51.776)
Wow.
Jonathan Bouman (06:55.367)
But I went with him there and I sat down in this big, big theater where all the students come together. And then the person in front of the theater started the introduction and said, I'm so happy this year, of the 400 interested people, four females signed up. And this was a moment of crisis to me. It was like, okay, wait, John, you're quite good in computers. You're not really interested in girls, but now might sign up for a world with
which are only males. And that was a problem at the time. These days it's less of a thing, and that's super good. But I'm an old guy, I'm 37. So back in the day, say 18 years ago, this was a problem. So this was when I went back to the drawing board and I was like, okay, if I want to live in a world with only guys, they will become my best friends and I will have a great time. But I might prefer a more dispersed world to work in for the less.
Justin Gardner (@rhynorater) (07:27.145)
Yeah, yeah.
Justin Gardner (@rhynorater) (07:31.285)
Yeah.
Justin Gardner (@rhynorater) (07:35.277)
wow, I didn't know that.
Justin Gardner (@rhynorater) (07:39.542)
Mm, mm.
Justin Gardner (@rhynorater) (07:48.277)
Mmm.
Justin Gardner (@rhynorater) (07:54.976)
Yeah.
Jonathan Bouman (07:55.469)
for the upcoming 40 years. And so I started thinking about what was the most interesting thing in high school, stuff that I can't really understand and I would love to learn more about, because this is the moment in life that I can do that. And besides computers and hacking and AI and that sort of stuff, I figured out biology is the thing. I had such a good teacher at the time that it was so inspiring. It was one of
those people you meet in life, everyone got a few of them, but this biology teacher made me decide to do med school. And I was quite lucky, since you have to sign up for med school and do some interviews. And there was a lottery at the time, so I had to be lucky. But I was placed in some university in Amsterdam and started doing that. It wasn't the best choice, maybe,
Justin Gardner (@rhynorater) (08:42.484)
Mm, mm.
Jonathan Bouman (08:52.165)
in my young youth, because you learn so much, not only about biology, but also about ethics, about communication, about what matters in life. And still to this day, I'm super grateful that I can do this work because it shows you how short life is, how important it is to enjoy every good minute of it, but also help others out and share your luck, share your insights, and just try to make the best of it.
Justin Gardner (@rhynorater) (08:53.812)
Mm.
Justin Gardner (@rhynorater) (08:58.934)
Mm. Mm.
Justin Gardner (@rhynorater) (09:09.846)
Hmm.
Jonathan Bouman (09:21.233)
So yeah, that's a little bit of the background of that.
Justin Gardner (@rhynorater) (09:24.854)
That makes sense. I definitely felt that draw as well. I don't know that I've talked about this on the pod before, but you know, back when I was in college, up until, I guess, two years past when you start college in the U.S., you can still sort of change and go a different route. And even though I was really into like computer science and hacking stuff in college, I was a part of a leadership program, and most of the other people in the leadership program were med students.
And so they were talking to me, and my grades were really good, particularly in chemistry. And they were like, Justin, a very programmatic thinking computer science guy with really good grades in chemistry would make a really killer med school application. And I sat there for a second and I was like, man, I would love to help people. I would love to be able to be a part of saving people's lives or
Jonathan Bouman (10:18.303)
Yeah.
Justin Gardner (@rhynorater) (10:24.229)
giving people their health back. And I was close, man. I was very close to going down that route. So I definitely, when I see you on the scene, I'm like, this is what could have been, potentially.
Jonathan Bouman (10:37.397)
Don't, you can still become one maybe, I'm not sure in your country how it works, but in med school when I was there, there were also people of 30 plus, 40 plus even there. It cost a little bit, they were more money, but it's a possibility. And I'm sure you will be a great doctor. And with you, there are plenty of bug bounty hunters actually that think like doctors, but they're not aware that they do. Since what would you guys do, what we do as bug bounty hunters, we do recon. Well, this doctor,
Justin Gardner (@rhynorater) (10:41.309)
Mm-hmm. Yeah.
Justin Gardner (@rhynorater) (10:46.293)
Yeah.
Justin Gardner (@rhynorater) (10:54.016)
Thanks, man.
Justin Gardner (@rhynorater) (10:58.246)
Mm. Mm.
Jonathan Bouman (11:05.908)
where you're sitting in front of is also doing a recon on you. And it's not going to pull a fuss on you on a thousand threads and draw all your blood and check it for everything. No, because you will end up with too many false positives or collapsing patients, just like a server that is crashing because of doing so much recon. And so you pinpoint, you do the specific nuclei templates on this human body, and then you get some signal back and then you start figuring out what's going on.
Justin Gardner (@rhynorater) (11:09.238)
Mm.
Jonathan Bouman (11:33.758)
You're connecting the dots. That's what bug bounty hunters do, connecting dots and finding risk groups. In other words, certain types of surfaces that are running, trying to figure out systemic problems that exist in all different humans. Yeah, that's what we do as well as doctors, systemic issues. As bug bounty hunters, we look for sandboxed Chrome instances making screenshots.
Justin Gardner (@rhynorater) (11:37.052)
Mmm. Mmm.
Justin Gardner (@rhynorater) (11:48.086)
Mmm.
Jonathan Bouman (12:02.382)
and then breaking out of that. Doctors do the same. We are thinking like, wait a minute, this disease looks like that disease, and it exists everywhere. So we need to poke into those sandboxes of the human body and see what's going on. So there's so many similarities. I'm sure if we conferred a lot of the opinions tomorrow into doctors, that will be great. It will be a really interesting thing.
Justin Gardner (@rhynorater) (12:02.636)
Hahaha
Justin Gardner (@rhynorater) (12:11.995)
Mmm, mmm.
Justin Gardner (@rhynorater) (12:21.942)
That would be pretty cool. That'd be pretty cool. And I think there's a lot about bug bounty that can feel pretty like, I don't know, like green hat, right? Like you're just in it for the money. And in some scenarios, bug bounty hunters are notoriously like that. And I think it's refreshing to see your take on bug bounty combined with this whole ethics piece as well. Because I know that plays a big part with you in your perception of the situation
from a doctor's perspective, right? You have taken an oath to try to care for these patients, and in a similar way, I know you're applying a lot of that technical stuff to the medicine space, trying to protect the patients, trying to protect the doctors and that sort of thing. And I think, you know, there's power in the bug bounty world as well, you know, being able to find and exploit these vulnerabilities, and you want to use that for positive means to try to make the world safer
and care for the people in it.
Jonathan Bouman (13:18.717)
Yeah, it's a part I forgot during the training of becoming a GP. One of the main reasons for also trying the bug bounty thing is the thing you actually just described. I'm trained as a doctor to see if some treatment or some tablets or some injection has more benefits than risks. So I only want to give you good treatments and don't cause you harm.
Justin Gardner (@rhynorater) (13:24.917)
Mm.
Justin Gardner (@rhynorater) (13:41.034)
Mm. Mm.
Jonathan Bouman (13:48.669)
And I'm not trained to assess computer systems as a doctor, but I prescribe them nonstop. I give you learning sites and forms, I invite you to my portal site, connected systems. So I'm not trained for that. And I have to trust the blue eyes of all those people doing a great job on putting certificates on all those applications and infrastructure. But the proof is in the pudding, and I want to see myself if it's really working.
Justin Gardner (@rhynorater) (13:54.518)
Hmm.
Justin Gardner (@rhynorater) (13:59.316)
Wow, yeah.
Jonathan Bouman (14:16.509)
And the best school to go to is bug bounty, since there is the place where you learn actually what happens, what are the bugs of tomorrow, what are the bugs of today and what to look for. So I don't say certificates and ISOs and whatever is not good. No, it's part of your way to defend yourself, but
Justin Gardner (@rhynorater) (14:36.918)
Mm.
Jonathan Bouman (14:44.433)
the last resort is bug bounties, and you need to be able to think out of the box, poke from different directions.
I think pen testing is limited often by scope, and bug bounty is still a little bit limited by scope, but more and more the scopes are widening up, and that is perfect because then you can connect the dots again, think like a real hacker and see how this patient or a doctor is vulnerable actually, or the other weak groups we have.
Justin Gardner (@rhynorater) (15:05.375)
Hmm.
Justin Gardner (@rhynorater) (15:21.927)
Mm. Yeah.
Jonathan Bouman (15:23.037)
And there's good money. So my disclosure, I'm always honest about that. I earned 95 % of my money with bug bounty. So only 5 % is with being a doctor and stuff like that. And it's not a number I tell people to show off. No, it's just my conflict of interest. So I've got a big interest in also pushing bug bounty. But I think for a good cause, in healthcare it's almost non-existent.
Justin Gardner (@rhynorater) (15:30.229)
Yeah.
Justin Gardner (@rhynorater) (15:36.854)
Mmm.
Justin Gardner (@rhynorater) (15:48.192)
Well, enlighten me a little bit about how this works in European countries, because in the US, like, doctors normally make a pretty good amount of money. It's one of the higher paying things. And I think that's probably a lot because of the stupid, stupid system we have over here where everything in healthcare is ridiculously inflated, right? And not to say that doctors shouldn't make a lot of money. I think they should, because they're doing a big service. But I think there's also this aspect where I believe in European countries it's a little bit different, where
Jonathan Bouman (15:55.783)
Mm-hmm. Yeah.
Jonathan Bouman (16:03.1)
Yeah.
Jonathan Bouman (16:07.068)
Yeah.
Justin Gardner (@rhynorater) (16:17.546)
being like a doctor is perceived more as a public service sort of thing.
Jonathan Bouman (16:23.037)
Yeah, yeah, sort of. Most doctors in the Netherlands work for the public health, as we say. You're forced to pay for insurance, health care insurance. That's by law a thing you need to do. And then you can also access this health care. And doctors earn good in the Netherlands. No misunderstandings about that. But to give a figure, it's like if you're a well-earning doctor, it's 100k max.
Justin Gardner (@rhynorater) (16:29.802)
Mm.
Justin Gardner (@rhynorater) (16:34.772)
Mm.
Mm.
Jonathan Bouman (16:51.809)
And maybe there are exceptions there, but it's still a lot of money. But for working five days a week, being vulnerable to all different types of losses and having to be always on top of stuff and not make mistakes, that's a lot of work.
Justin Gardner (@rhynorater) (16:52.072)
Mm, mm.
Yeah.
Justin Gardner (@rhynorater) (17:10.26)
Putting yourself at risk too, you know, you're dealing with a lot of sick people, you know, you can get sick. Like, yeah, I imagine so. That must have been terrifying. So yeah, that definitely makes sense. And yeah, it makes sense that you would be out-earning that in bug bounty a lot, because the way that I've seen it, you've been really crushing it. And let's go ahead and pivot into that arena now. And I want to pick your brain on
Jonathan Bouman (17:14.265)
COVID was so scary. Yeah.
Justin Gardner (@rhynorater) (17:37.658)
you know, your approach to bug bounty programs and that sort of thing. And I also want to swing back around to some of the way that you approach some of this health related stuff in bug bounty as well, you know, making sure you're keeping your body energized and how you've been able to continue for such a long amount of time in bug bounty with high performance. But let's jump over to the hacking stuff real quick. And I'm actually going to pause it
right here real quick, Jonathan, because I meant to ask you this beforehand: are we able to talk about Amazon as your program?
Jonathan Bouman (18:15.995)
Yeah, it's no secret that Amazon is my main program. I can't really disclose any docs on them because they're still uncomfortable. I'm trying to get them more comfortable. And I think even AWS recently started doing disclosures. So I hope to do that soon as well with Amazon retail. But I can tell roughly stuff like, hey, what sort of stuff I find, yes, OWASP Top 10. It's nothing special. It's all the PortSwigger labs. Yeah.
Justin Gardner (@rhynorater) (18:27.67)
Mm-hmm.
Justin Gardner (@rhynorater) (18:32.278)
Hmm.
Justin Gardner (@rhynorater) (18:43.092)
Okay. Really? Okay. Solid. All right. All right. Cool. So now we kind of got that sussed. Getting back into the pod here. We got that dealt with. Yes. Okay. So we can talk about the fact that Amazon is your primary program, and you've been pretty much exclusively hacking on Amazon for the past, what? Five, six years? Really?
Jonathan Bouman (18:45.224)
Just do this first, yeah, so.
Jonathan Bouman (19:03.261)
Six years, I think. Yeah, my initial idea was to get rich quickly on Amazon from scroll.am. You can still go to this website. I think it's still online. I hope my SSL is working. And if you go there, you see an animating gif of how the site used to work. And what I did is I created some front end, some Lambda backend services that misused, in the end,
the API of the Amazon app and created some Pinterest look on Amazon. So no UI distractions, just you can enter something, boom, you saw the products. So that's when I thought like, okay, if I do this, put referral links on them, I get rich easily because I get this affiliate thing of 10 % of everything that is bought in the next days. This failed miserably, because after four days I was banned from the affiliate program on Amazon. But during this, yeah, because yeah.
Justin Gardner (@rhynorater) (19:56.618)
Why?
Jonathan Bouman (19:59.539)
You should embed their content on your website and not create content that is solely their content. That was one of the rules, I think. Okay, can happen. I learned a lot. I learned a lot about JavaScript frameworks and about Lambda and microservices and stuff like that. And to scale it up in such a way that it does not burn a lot of money. But during that time, I had to dissect the Android app of Amazon. And while doing that, I...
Justin Gardner (@rhynorater) (20:26.74)
Mmm, mmm.
Jonathan Bouman (20:28.647)
found some endpoint that was vulnerable to reflected XSS. And by today, that's still the only Amazon report that is disclosed on Medium, I think. So if you Google it, you can find it. There's some really, really fancy payload with JSFuck, which is I think the name of the payload generator. But I found some bugs. I emailed them, like, hey, there's an XSS there. You banned me. So you might
Justin Gardner (@rhynorater) (20:40.16)
Haha
Justin Gardner (@rhynorater) (20:48.756)
Yeah. Yep.
Jonathan Bouman (20:57.395)
be able to unban me, but okay, I understand it's in your terms and conditions, so fair game, but you need to fix this bug. So they replied back, thank you and bye. And then it was silent for one year, and then suddenly some guy emailed me from the Amazon security department, how why, he was one of the founders of the Bug Bounty Program of Amazon, and he was like, Jonathan, do you want to become part of some experiment of us as experiments?
Justin Gardner (@rhynorater) (21:25.809)
snap.
Jonathan Bouman (21:26.611)
Tell me what type of experience. Yeah. We want to create a group, the Knights in the Trust. You could be one of them. And that means? Yeah. And the logo is brilliant. And a lot of Knights and stuff. It's like, yeah, this makes sense. If I go to a bar and I tell a girl, hey, I'm Jonathan. I'm part of Knights in the Trust. I'm a Knight for finding bugs on a website.
Justin Gardner (@rhynorater) (21:35.129)
I love that name by the way, like it's so dramatic. It's like, okay, sure.
Jonathan Bouman (21:56.403)
So I said yes, and that was the moment that I started reporting bugs and earning points, and with those points gift cards.
Justin Gardner (@rhynorater) (22:02.912)
So you were, I guess, I didn't know this, you were actually one of the preliminary people, one of the first people to be a part of Amazon's bug bounty program. And was that something they were just running privately at that point? Were they running it through HackerOne? How is that working? Bugcrowd. Nice.
Jonathan Bouman (22:14.587)
Yeah, the Bugcrowd days, Bugcrowd. Yeah, yeah. So that's where I started, and yeah, trying to find more XSS and all the OWASP Top 10 bugs, learning a lot of stuff. And that's the moment where at some point I had 100 points, and with 100 points you earned the certificate. The certificate, there's something really important. I received it. I was really proud. I opened up the box and let me
Justin Gardner (@rhynorater) (22:26.07)
Mmm.
Justin Gardner (@rhynorater) (22:35.291)
snap, okay, here we go.
Jonathan Bouman (22:43.933)
try to find it. I got it somewhere behind me. Yeah, because there's something fun there. I should have prepared this though. Where is it?
Justin Gardner (@rhynorater) (22:45.76)
Go see if you can find it, yeah.
Justin Gardner (@rhynorater) (22:53.512)
No, you're good. You're good. That's the great thing about doing a podcast, you know, not live, is we can just cut this stuff together and it works.
Jonathan Bouman (22:59.827)
Yeah, that's good. So where is this thing? Because there is something really funny. And the funny part is that...
Jonathan Bouman (23:17.991)
Yeah, I found it.
Justin Gardner (@rhynorater) (23:19.87)
Nice.
Jonathan Bouman (23:21.971)
So.
Jonathan Bouman (23:27.133)
There was a moment I put it in some plastic when I received this thing, and have a look at the logo. But if you look closely, it's number two. It's not number one. So I was like, who's this number one guy? Someone beat me there. And that was the moment I started doing some OSINT on the internet, having a look
Justin Gardner (@rhynorater) (23:27.808)
Dude, check this out.
Justin Gardner (@rhynorater) (23:34.804)
Yeah, yeah.
Justin Gardner (@rhynorater) (23:43.547)
Number two, what is this?
Jonathan Bouman (23:53.041)
around, putting it up on Twitter, looked on LinkedIn, and I found out there's a guy named Zshano. And Zshano got the number one. And I was like, holy shit, who is this guy? And what did he do? So I got in touch with him and we had really great fun. Like, no, you found this bug. I also found, I duped you there. But what we discovered is that only maybe
Justin Gardner (@rhynorater) (23:58.688)
snap, no way!
Thanks.
Jonathan Bouman (24:20.435)
1 % of the bugs we found we duped each other, but the 99 % we did not. So somehow we did different things there. So we had some, say, six, seven months where we raced each other in the charts, and then he topped me and then I topped him and then he topped me and then he him. And at one moment we figured out it might be more fun if we collab here and just join forces, since
Justin Gardner (@rhynorater) (24:27.051)
Yeah.
Justin Gardner (@rhynorater) (24:45.909)
Mmm.
Jonathan Bouman (24:49.255)
we both do a different thing, but we might add an unfinished bug that we can finish for each other, and so that's how it all started and we.
Justin Gardner (@rhynorater) (25:01.91)
And so at this point, I mean, you've connected with Zshano. That's great. Right. And so I'm wondering here, like, you've only had your experience with just the Amazon program, right? Like you haven't been poking around on other bug bounty programs. So, I mean, did you, once you started getting money out of it, like were you like, okay, maybe I should look around at this other bug bounty thing and start going to these other programs? Or were you always just so locked into Amazon?
Jonathan Bouman (25:30.375)
At the time I was more busy with discovering new techniques, and Amazon was helping me with that, but there was also more. So if you look on my Medium blog, you'll see disclosures about IKEA, Philips, all different sorts, and that was not about money. It was probably about learning new stuff and also just discovering how it all works,
Justin Gardner (@rhynorater) (25:37.142)
Mm, mm.
Justin Gardner (@rhynorater) (25:46.014)
Mm. Yeah, IKEA, that's right. Mm-hmm.
Jonathan Bouman (25:59.162)
the responsible disclosure. The Amazon in the beginning, that was all earning points. So say the first six months, that was, yeah, it was fun, but I got gift boxes with Kindles. And at one point I got invited to DEF CON. So that was the first big prize I got there. So yeah, I went there with my brother. I booked a hotel room, got an email back from the Amazon team. Please
Justin Gardner (@rhynorater) (26:07.963)
so you just doing it for fun.
Justin Gardner (@rhynorater) (26:14.475)
Sure.
Justin Gardner (@rhynorater) (26:17.867)
Mmm.
Jonathan Bouman (26:29.072)
book a better hotel room and send the employees again. So I booked a better hotel room. So I got the upgrades there, and yeah, it felt like a celebrity. So I went to Las Vegas with my little brother there and had a great time at DEF CON and hung around with the Amazon team, which was super small. It was how, why, and some other people we bunker. And yeah, that's when I also started doing more and also looked around a little bit. So I hacked on Netflix, maybe a few bucks.
Justin Gardner (@rhynorater) (26:30.966)
snap dude that feels nice
Jonathan Bouman (26:58.746)
But my focus was Amazon all the time because the scope is so big and so complex.
Justin Gardner (@rhynorater) (27:03.203)
Yeah, so that's kind of what I want to double click into a little bit more as well. Like, I think there are very few programs on which it's feasible for you to spend six years and still be finding bugs out the wazoo. I mean, you guys found around a hundred bugs together, you and Zshano, at this last event, which is unbelievable. And so, I mean, do you think that the biggest thing that Amazon has going in its favor for that sort of engagement is the fact that the scope is just so
massive and you're constantly finding new applications? Or is it the speed at which they're putting out code, or the interactions with the researchers? What is Amazon doing that has been able to keep your attention for six years?
Jonathan Bouman (27:45.903)
They have a realistic scope in my opinion, so their attack surface is quite big. They understand that their attack surface is quite big. One of their goals is to be aware of the new bugs as soon as possible. So that's why they have good interactions with me as a researcher. I know their weak spots, so I monitor for the weak spots. I know what they find important,
Justin Gardner (@rhynorater) (27:48.402)
Mm. Mm.
Jonathan Bouman (28:15.331)
the stuff they don't find important. And yeah, it's a good program to me because it's so complex. We're in one of the biggest companies in the world, all digital with tons of employees, tons of talented people trying new innovations. And with every innovation, there are some risks of something going wrong. And that's where we jump in as bug bounty hunters to make them aware of the risks. And yeah.
Justin Gardner (@rhynorater) (28:26.486)
Mm.
Jonathan Bouman (28:45.325)
There's, it never stops.
Justin Gardner (@rhynorater) (28:45.846)
How are you aware of this innovation? Are you monitoring for, like, are you watching them in the news? Do you have, like, monitoring set up at the specific application level for new code being pushed? Or does it just make itself apparent to you because you're living in that ecosystem?
Jonathan Bouman (28:59.885)
Yeah, yeah. You just need to be in the ecosystem and sometimes order a product. It's just like, if you want to hack on Netflix, you should watch Netflix movies. And if you want to hack on Amazon, you should order every once in a while some products. Yeah, yeah, sometimes. Yeah, yeah. I bought a lot of stupid stuff.
Justin Gardner (@rhynorater) (29:11.558)
Ha ha ha!
So do you use Amazon? I mean, like, is that something that you use often? Okay, nice. It's important to use the product. Yeah. Do you deal with fatigue on the same target? Like where you just don't really want to look at these types of requests anymore or anything like that? Or is it pretty fresh?
Jonathan Bouman (29:38.373)
Long term, no, because I take pauses. So for example, after the last live hack event, I took a pause now, I think for a week and some more days. So that's really important to me because I also have a lot of other responsibilities. And so that's just recovery time. If you run a marathon, you should recover from this marathon. There are only a few that can keep running those marathons, but I'm not part of that.
Justin Gardner (@rhynorater) (29:44.629)
Mm.
Justin Gardner (@rhynorater) (29:50.805)
Mm-hmm.
Justin Gardner (@rhynorater) (29:54.208)
Mm.
Justin Gardner (@rhynorater) (30:02.23)
Mm.
Jonathan Bouman (30:06.693)
I call that the loss. So it's not money I chase. It's not the points I chase. It's the fun I chase and the excitement of finding new types of bugs or learning stuff. So you don't get fatigued if you learn something new, even though you don't find, yeah. And if you don't find bugs, but you learned something new, then you still have some achievement there. Yes. That's maybe an
Justin Gardner (@rhynorater) (30:19.382)
Mm.
Justin Gardner (@rhynorater) (30:23.058)
if you're focusing on the right things.
Justin Gardner (@rhynorater) (30:30.57)
Mm.
Jonathan Bouman (30:34.509)
One of the take-homes I want to share on your podcast: don't depend too much on that money. There are some people who do it full time, which I'm looking up to. That's amazing that you can do that. But from my perspective, I got three different, four different other jobs. And that's also part of my personality income as the yeah.
Justin Gardner (@rhynorater) (30:37.29)
Mm, mm.
Justin Gardner (@rhynorater) (30:58.998)
Three or four different other jobs. Oh my gosh, Jonathan.
Jonathan Bouman (31:02.883)
But that also makes it easier that if one thing collapses or you get too much fatigue from it, then you slow down on that one and try to figure it out with the other jobs or the other stuff you do. It could be a sport, could be some sidekick you do, developing stuff. A lot of bug bounty hunters are starting their own startups at one point or their own products. I think that's really smart to do because if you do bug bounty for six years full-time, I'm not sure if I could do that. I don't think I could.
Justin Gardner (@rhynorater) (31:23.766)
Mm-mm.
Justin Gardner (@rhynorater) (31:32.31)
Hmm. So, so for you, the reason you've been able to do this so long in a performant way is because you are not focusing on the nitty gritty pieces, aspects of it. And when you get tired, you're taking breaks and you're not putting stress on yourself to perform in the bug bounty world. You're just chasing the fun aspect of it. Right. Is that, is that accurate?
Jonathan Bouman (31:33.509)
So.
Jonathan Bouman (31:49.305)
Yeah.
Yeah, yeah, that's accurate. And I was super lucky though that I had some wild card for the first Amazon live hack event, which was a virtual one during COVID. And I managed to win that one. So yeah, then out of nothing, your first event, you win this MVH thing and then you're like, this was the top prize I could win. Okay, that's good. So I don't have to stress anymore. So that was luck.
Justin Gardner (@rhynorater) (31:58.687)
Mm.
Justin Gardner (@rhynorater) (32:02.262)
Mm.
Mm.
Justin Gardner (@rhynorater) (32:14.878)
Yeah, you feel a little bit more secure in your position in that world as well. That's good. zseano got the first little certificate, but Jonathan Bouman got the MVH.
Jonathan Bouman (32:20.069)
Somehow.
Jonathan Bouman (32:25.887)
With all the prizes also, I think this one is also zseano's one. So during the OcFans, we collected fully. I think I might just have some more points on the first live hack event because I found some chain that we popped and he helped me out to do it, but I had some more points. Yeah, I can say, if you look at that.
Justin Gardner (@rhynorater) (32:35.111)
Mm-mm.
Justin Gardner (@rhynorater) (32:41.746)
Mm. Sure.
Jonathan Bouman (32:51.048)
From that perspective, I might be more MVH, but from my perspective, he is like similar.
Justin Gardner (@rhynorater) (32:54.379)
Mm.
Yeah. Well, you guys, you guys have a very legendary collaboration set up in place. And that's kind of what I want to stick to next is like, you know, how transparently are you guys sharing all of the techniques and stuff? Because at the end of the day, there's a lot of money on the line here. And I know for sure that you have come up with a technique that, you know, didn't take any input from him and vice versa. And then you guys have to decide, okay, you know, if I give this to
Jonathan Bouman (33:14.076)
Yeah.
Justin Gardner (@rhynorater) (33:26.868)
zseano or if I give this to Bouman, Dr. Bouman, then, you know, there's gonna be some vulnerabilities that they find that I won't be able to just get and report myself. So, I mean, what does that trade off look like for you and how have you managed that over the past six years of collaboration?
Jonathan Bouman (33:45.426)
Yeah, well, we do a lot of research together. So there's no, there's no problem there if you share stuff. And it's also not super fancy what we do. So it's not like super high technical complex things. No, I sometimes go a little bit deeper in some new techniques. And at the same time, he also goes deeper every once in a while. If I tell him, I will pause for a month.
Justin Gardner (@rhynorater) (33:49.248)
Mm.
Jonathan Bouman (34:15.294)
I'm very happy if he reports back finding some chain I created together with him. And sometimes we shared a little bit. It's just checking in with each other like, hey, how does that feel? Yeah, it feels well. Okay, you got hands on this thing. I'll focus on this other live hack event. Have a good one. And then by the end of the week, he made a shit ton of good money. And I'm at his live hack event, super proud of some high CVSS bug.
Justin Gardner (@rhynorater) (34:26.038)
Mm.
Justin Gardner (@rhynorater) (34:35.402)
Yeah.
Jonathan Bouman (34:41.916)
That took me 10 days to develop and not for the money, just for the fun. And it's also okay. You should not chase money. I think that is the thing. And if you're checking in enough with each other and both are on the same page on that, you... Yeah, that stuff is not complicated. Yeah.
Justin Gardner (@rhynorater) (34:46.976)
Well, I think...
You need both.
Justin Gardner (@rhynorater) (35:02.698)
Then the money will come too. I mean, at the end of the day, you're performing better together and you're collaborating and you are sharing that knowledge. You know, I think you said in an interview with HackerOne that I watched in prep for this podcast that a lot of the advancements that have been made in the medical industry have been made because of relentless sharing of information and trying to get that information out to everyone so that people can save lives and help people live more quality lives. And I think,
You know, you've applied something similar here with this collaboration where you guys share and that just continues to compound and compound and compound.
Jonathan Bouman (35:39.698)
Yeah, I think that that's a good summary. And the best thing is that relationships should go over any virtual internet points or money or whatever. And that's just like a relationship with a partner in real life. Although I speak with Sean maybe as much as with Renee, my girlfriend. That's always a funny thing.
Justin Gardner (@rhynorater) (35:50.278)
Mm. Mm.
Justin Gardner (@rhynorater) (35:54.91)
Mm. Yeah.
Justin Gardner (@rhynorater) (36:01.418)
Yeah.
Jonathan Bouman (36:03.902)
Sometimes it's the first person I speak to and by the end of the day, the last person I speak to. Renee is already sleeping. And yeah, you share a lot of stuff in life and I don't have to worry. And that's maybe another good take-home thing: try to find a bug bounty partner. A lot of people have them. And try to build up a trust relationship with the other person. Sync in.
Justin Gardner (@rhynorater) (36:10.165)
Yeah.
Justin Gardner (@rhynorater) (36:23.658)
Mm, mm, mm.
Justin Gardner (@rhynorater) (36:30.133)
Mm.
Jonathan Bouman (36:31.568)
If you feel like, this feels uncomfortable, just bring it up and say, hey, what do you think about that? Or should we change this? Yes, communication. And also in my work as a doctor, that's the main thing, is communication about if you do stuff wrong. If I did something wrong, yeah, I tell people I messed up. I did it with a good reason, but it was not good. Yeah, let's fix it. So, yeah.
Justin Gardner (@rhynorater) (36:36.694)
Yeah, communication.
Justin Gardner (@rhynorater) (36:53.706)
Hmm. Have there been, you know, in this commitment to communication where you say, hey, does this feel good with you? Does this feel good with you? Have there been times where you guys have said, no, that doesn't feel good and no, that doesn't feel good, and you know, you guys have a disagreement that you have to resolve more at length? Really? It's been pretty smooth.
Jonathan Bouman (37:10.11)
No. Yeah, yeah. But that is some luck in life that you run into people that are not complicated or not in the game for fame or money. No, of course, it pays the bills. Yeah, of course, that's a thing. But by the end of the day, as you said, you're more together if you...
Justin Gardner (@rhynorater) (37:26.058)
Hmm. Yeah.
Jonathan Bouman (37:39.024)
look for the long perspectives. And it also does not burn you out. Yeah, there's a lot of benefits there.
Justin Gardner (@rhynorater) (37:41.334)
Mm.
Justin Gardner (@rhynorater) (37:47.156)
Lots of, lots of pros to that. So, swinging back around to the Amazon program itself, one of the things you had here in the list, in the doc, is that one of the things that makes Amazon a great program is they have consistent payouts for certain bugs, bug types. Can you talk a little bit about why you really like that and how that makes Amazon an amazing program?
Jonathan Bouman (38:10.718)
So for all the people who work for a program listening to your podcast, one of the key things you need to try to achieve is consistency. And that's also a hard part, like how do you apply CVSS? How do you rate certain bugs? How do you deal with some XSS that someone already reported but you
got a new report where there's a payload that does different stuff there, or account takeovers or stuff like that? And that's something that you can do as a program where you give the same answer multiple times in a row about certain bug types and be predictable. Take feedback from researchers like, this might be odd that this payout is so much lower, or
how do you feel about that? Or would it make sense if we change this? Would that be more interesting to you? That conversation, if it keeps going and the leadership is there, also continuing the previous leaderships, that makes a program consistent and less stressful as a researcher. Because the last thing we like to see is that one day you get
say 1K, then 3K, then 4K, then 1K, and then you start asking yourself, like, what's the difference? Is it the weather?
Justin Gardner (@rhynorater) (39:37.866)
Yeah.
And it feels like our work is discredited as well. Like sometimes you can be really proud of a bug and then you're like, wow, you really don't see that. And that's disappointing.
Jonathan Bouman (39:50.515)
Yeah, so that is the perspective indeed from a bug bounty hunter. You feel some, yeah, you want that reward and you want it to be a consistent reward because otherwise you might doubt like, hey, is it less good or? Yeah, that's really important.
Justin Gardner (@rhynorater) (39:54.315)
Mm.
Justin Gardner (@rhynorater) (40:05.754)
Yeah, I think that's, I have to say, I think that's probably one of the reasons that Amazon has been able to keep so many anchor hackers like you and zseano is that they have their thing and they stick to it and they pay the bugs and that sort of thing. And you can become very consistent then and you can really understand the threat model of an organization and of an application very thoroughly. And that just feels, it just clicks, right? You know, when you finally,
when you get these bugs paid and they're paid the same way time and time again, you can really feel like you've got mastery of a specific set of a program or a set of applications.
Jonathan Bouman (40:43.605)
Yeah, you understand way better what they find important to them. And also you understand more and more how to report certain stuff or what is necessary for them to see in a report that makes them like, okay, this needs to get priority, because by the end of the day, we want the proper CVSS or rating for a bug because that helps also in getting stuff fixed. Well, that's more an ethical perspective, but I think it's an important one.
Justin Gardner (@rhynorater) (40:47.766)
Hmm.
Justin Gardner (@rhynorater) (41:05.514)
Mm-hmm.
Jonathan Bouman (41:13.769)
So sometimes I'm fighting some downgrading of a bug, not only because it earns maybe a little bit more money, but to be sure it's on the top of their list to get fixed and that everyone got a true understanding of the real impact. And the last thing about that is that it's super important with big companies like Amazon, but also all the other big companies on stock markets,
Justin Gardner (@rhynorater) (41:19.563)
Mm-hmm.
Justin Gardner (@rhynorater) (41:26.23)
Hmm.
Justin Gardner (@rhynorater) (41:31.606)
Mm.
Jonathan Bouman (41:43.677)
is that you tend to have people moving around the company after three, four years. So there's a thing that if you work for a certain big company, you need to have some career path. And that's a hard thing because we as bug bounty hunters have to deal with different phases, different teams, new leadership, et cetera. And that's something that Amazon achieved quite well, to keep the mindset the same as it was six years ago.
Justin Gardner (@rhynorater) (41:49.206)
Mm-hmm. Yeah.
Jonathan Bouman (42:11.327)
The same sort of people are working in their leadership positions. And what I observe now, doing bug bounties for a while, is that you see programs changing so fast, great programs turning into programs with a lot of problems. And it might be money because of less budget, might be changing of people working for the teams. So try to get some permanent positions, seniors,
Justin Gardner (@rhynorater) (42:24.982)
Mm.
Justin Gardner (@rhynorater) (42:40.096)
Yeah.
Jonathan Bouman (42:40.799)
people who understand our position as a researcher, but also understand the internal problems and then you have a great program.
Justin Gardner (@rhynorater) (42:48.18)
Yeah, I think that's super important. Even in just the, you know, year and some change that I've been running this podcast, year and a half, I've said some great stuff about programs and then, you know, come back a year later and it's like a completely different experience because of turnover and because of changes within the organization. So that consistency I think is huge from a people level as well. And it's something that I think extends beyond just the realm of security as well.
I think it's sort of a problem with tech in general right now is that there's so much turnover and so much job hopping to climb the ladder and that sort of thing, where people just need to pay more money and have a consistent schedule to go up so that these people don't have to jump around from job to job to job and relearn a new system every like two or three years. Yeah, it's intense, man. I think with that, I think we'll move into some of the more
technical aspects. I'm very excited that you have agreed to release some of the information about this server-side template injection vulnerability on FileSender with us on the pod today. So thanks for doing that. Can you talk a little bit about that bug and how you found it and how it can be exploited?
Jonathan Bouman (44:03.277)
So FileSender is a quite interesting piece of software. It's been used for the last, well, maybe 15 years, I think. It's really old. When I was in university doing med school, I used it. And it's used in the Netherlands in all universities and other colleges to send around files because we did not have WeTransfer and the other
Justin Gardner (@rhynorater) (44:07.744)
Mm-hmm.
Justin Gardner (@rhynorater) (44:13.302)
cheese.
Jonathan Bouman (44:32.044)
solutions at the time. So the universities figured out, let's open source the tool ourselves, and they called it FileSender, so you can find it on GitHub. It's a quite interesting tool since, well, you can connect some SSO, some login thing, so students can log in and then people can upload stuff and you can send someone else a link or an email with the contents and it works quite well.
But in recent years they also added some extra services behind it. So S3 is supported now, so that's good for storage. AWS S3. Yeah, yeah, through that. And I have good contacts within the cyber, the InfoSec community of the universities in the Netherlands,
Justin Gardner (@rhynorater) (45:10.806)
Mm. Mm. Additional layers of complexity as well, though.
Jonathan Bouman (45:29.406)
sort of one internet service provider called SURF, amazing people working there. And they reached out to me like, hey John, we are thinking of rolling out a full new version of FileSender, FileSender 3. And we did a lot of pen tests already. We think it's quite secure, but can you have a final look at it? And being quite busy with the live hack events, I had it somewhere on my list, but I,
to be honest, forgot about it. I got a reminder from one of the people working there, like, John, you should have a look. Really, do it. So I was like, okay, let's do that. So I asked them like, hey, do you have any
Justin Gardner (@rhynorater) (45:59.606)
Mm-mm.
Justin Gardner (@rhynorater) (46:06.998)
you
Amazing that you fit this in dude. Amazing that you make this happen. I don't understand. Continue. Sorry.
Jonathan Bouman (46:14.088)
Yeah, so I was like, can you spin up a machine where it's running so I can first do some black box testing before I dive deep into the source code. And what we do as bug bounty hunters, we look for an offset first because that has the highest impact. So what types of stuff can we find? And quite quickly I figured out there were certain error messages and those error messages came up within the URL, some Base64 encoding.
Justin Gardner (@rhynorater) (46:20.402)
Mm. Mm.
Jonathan Bouman (46:43.53)
And I decoded that and I figured out, there's some templating stuff going on there. I saw some template codes. Then I tried to think like, why did they do that? And the reason for that was they have different universities, different logos, different designs. So in emails, they want to get different logos, for example, and also to
expose like where's the actual base URL and what's the base URL and stuff like that.
And I could see that I could manipulate the error message enough. And then I just started looking in the code. In one of your previous podcasts, it's like, where's the request? That was one of the main changing things of math. Yeah, here it was, where did the error come from? And so that was the thing I tried to do. So I just literally downloaded the zip file from GitHub, unpacked it, opened it up in VS Code, and just did Ctrl Shift S
Justin Gardner (@rhynorater) (47:30.578)
Mm. Yeah, the Where's the Request game. Yeah, yeah, I love that. Yeah.
Right.
Justin Gardner (@rhynorater) (47:46.123)
Mm.
Jonathan Bouman (47:51.249)
and searched all the files for the error message. That was the theory. So after a few clicks, I figured out where's the loop that tries to replace those templates, tags in error messages, figured out where it was. So no complex debuggers with PhpStorm or something. No, just looking in the code.
And I saw there was also a config, a config template variable that was used for the paths, the server paths actually. So where could I download, where should it write temporary files or something like that?
Justin Gardner (@rhynorater) (48:35.84)
Mm-mm.
Jonathan Bouman (48:37.79)
The next thing you do, when you find that, you immediately look for what other config variables exist. And then you figure out, wait a minute, MySQL database user and password. So I tried to do that and I saw the username and password and I was like, oops, that isn't good. And then I looked more and...
Justin Gardner (@rhynorater) (48:49.151)
No.
Justin Gardner (@rhynorater) (48:55.206)
That's not good. Dude, how far are you into this assessment? Like, is this like, you just checked it out for, my God, Thelman, please.
Jonathan Bouman (49:00.697)
Seven minutes. So yeah, yeah, yeah. So it's just getting an error and I'm like, hey, Base64. As soon as we see Base64, it's like eczema on the skin. We understand like there is something off going on there and we need to get you a cream. And in this situation, we need to look into this, go, why should you use Base64 there? So that was the first thing. And then, yeah, it was quite easy to figure out.
Justin Gardner (@rhynorater) (49:10.644)
Yeah. Yeah.
Justin Gardner (@rhynorater) (49:21.385)
Right.
Jonathan Bouman (49:28.189)
This new version also has S3 support. So I saw that I could dump the secret and the access key of the S3 bucket, giving full access to the file system. So I reported back to them, like, hey, there's a problem with your version 3. You might need to have a double extra look at that. And then a few hours later, I was like, but if it's in the latest version, why is it not
in the currently used version? So I looked into the source code and you got this thing Git blame, where you can see how old the commit is. And this commit was 10 years old. And I was like, shit, shit. This thing is already hanging around for 10 years. So I looked into the production version of the one used by my university and I figured out that they were vulnerable. I could just see the S3 key and access token.
Justin Gardner (@rhynorater) (50:05.045)
I love that.
Justin Gardner (@rhynorater) (50:15.033)
man.
Justin Gardner (@rhynorater) (50:24.336)
no. geez.
Jonathan Bouman (50:25.897)
All the stuff. I tried to log in on the bucket just to prove impact. Yes, I could access it. So that was quite a complex problem since this software is used in a lot of places, especially in education, but also some healthcare organizations are using it. Some big governmental organizations are using it. Yeah. And then you have to start to do the responsible disclosure and they did an amazing job since it's all
open source things, so it's all like people doing this as volunteers.
Justin Gardner (@rhynorater) (50:59.924)
Are you working with the FileSender team directly at this point? Are you working with that collective of, okay, nice, okay.
Jonathan Bouman (51:03.272)
Yeah.
Yeah. And luckily enough, they were together at some conference in Paris. So they set up a call quite quickly. I got them to understand where the bugs exist. Then they tried to figure out how to hot patch this. That was quite hard because it's a templating thing, so it might break a lot. So they started creating patches. They started monitoring if the bugs were
Justin Gardner (@rhynorater) (51:10.694)
nice.
Jonathan Bouman (51:31.771)
abused, because it might be a zero day already discovered by someone else. And then part two of the fun, of the fun. Yeah, it's fun for me as a bug bounty hunter. No, no, no, no, no, no. That's also the hardest part of being a doctor. Sometimes you feel so excited finding this rare disease that you have to understand at the same time, there's someone in front of you not happy.
Justin Gardner (@rhynorater) (51:35.968)
Sure.
Justin Gardner (@rhynorater) (51:45.291)
Hahaha, yeah, I don't think they would describe that day as fun.
Justin Gardner (@rhynorater) (51:56.767)
Right. This is... Right, right.
Jonathan Bouman (52:00.723)
So you learn how to cope with excitement on moments where that's difficult. But here part two of the excitement came at the moment they started developing the fix. This GitHub commits bug was published, super interesting. Exactly. Yeah, so long story short, every fork in a repo is,
Justin Gardner (@rhynorater) (52:07.478)
Mm.
Justin Gardner (@rhynorater) (52:12.8)
Mm.
Mmm, yeah.
from Truffle Security,
Jonathan Bouman (52:29.513)
even if the fork is hidden, the commits might be also hidden, but if you know the hash of the commits, some piece of it that is unique, then you can still view it. Somehow it is security through obscurity. So I figured out like, hey, it'd be fun if they start trying to patch this back and commit on the public repo. And
Justin Gardner (@rhynorater) (52:58.068)
Lo and behold, that's what happened.
Jonathan Bouman (52:59.273)
And so that's what I did. So I reached out to Lupin and to Truffle themselves like, hey, I want to try this tool, how to do that. And Lupin, being a great talented hacker, already figured out pipelines and stuff. So he helped me a little bit there. And I ran this script on some little Linux box for, I think, two hours or three hours in total. And I found the commits they made to patch this thing.
Justin Gardner (@rhynorater) (53:05.686)
Mm.
Justin Gardner (@rhynorater) (53:24.308)
Hmm.
Justin Gardner (@rhynorater) (53:28.478)
No way, dude.
Jonathan Bouman (53:28.723)
So I had to reach out back to them again, like, hey, dudes, be aware that at this moment, a lot of Git commits, of GitHub commits are being scraped. And if this patch is not known, there is a risk that this patch is found by someone. And also the zero day is exposed, or one day, whatever you call it.
Justin Gardner (@rhynorater) (53:48.704)
Mm.
Jonathan Bouman (53:50.537)
So then they're like, no, you again, no, no, what technique can you show us? But the way they handle it is also that this is academics. That's why I work one day a week in academics, is there are also scientists and they're also like, shit, this is cool. How does that work?
Justin Gardner (@rhynorater) (53:52.63)
Jonathan, no, get out of here. That's great.
Justin Gardner (@rhynorater) (54:09.332)
Yeah, well that's good. I'm glad that they appreciate it because it is pretty cool stuff. And I was looking at, when you sent me over this 10 year old commit or whatever, I was kind of looking at the way that they patched it and stuff. And it's a little bit of an odd thing that they're doing it looks like here, right? Because essentially the way that this vulnerability was working, if I understand correctly, was there would be an exception page that would be generated and then you would pass a base64 encoded,
you know, exception string or something like that into that page. And then that would get concatenated with a template and then that template would be rendered, right? But they're still doing, it looks like, it seems like they've moved that user controlled portion of that input into something different. So it's not getting concatenated into the template there. They've associated it with the session, but it still looks like they're dynamically rendering templates themselves, right? Like, it's different
from actually taking a template and rendering it; it's dynamically creating a template that you will then render, which I think is just a little bit of a weird way of doing things. So I wonder if there are more server-side template injection bugs on this software. Like you said, it's pretty widely used, I believe. So I think there could be more things there. Do you have any plans to continue looking at it further?
Jonathan Bouman (55:33.112)
Yeah, for sure. Yeah. Yeah. Yeah. Yeah. I tried to break it. I was not able to break the patch. If one of your listeners is, please reach out to their teams and to SURF behind FileSender. And I think it's also on the main repos. If you open it up there, there are ways to get in touch with the owners. And if you got struggles, always feel free also to reach out to me, but
Justin Gardner (@rhynorater) (55:50.198)
Mm-hmm.
Jonathan Bouman (56:01.511)
FileSender.org, it is, I think, FileSender.org. Yeah, that's the way you should go, and then contacts. So yeah, if someone finds something there, there might be still a way to do this, but I'm not experienced enough, I think, to do that. So, help the research world, help academics, find your bug. Yeah, and you don't earn big money.
Justin Gardner (@rhynorater) (56:16.086)
Hmm.
Justin Gardner (@rhynorater) (56:21.493)
Yeah.
Justin Gardner (@rhynorater) (56:26.294)
It's a little funky.
Jonathan Bouman (56:30.107)
That's the thing, but you earn some, you know, the thing of doing good for humankind and maybe some stickers, some t-shirts, whatever. Yeah.
Justin Gardner (@rhynorater) (56:30.496)
Yeah.
Justin Gardner (@rhynorater) (56:38.475)
Maybe some stickers or t-shirts. That's good. You're planning on doing the blog post as well in conjunction with this pod, right? You're gonna drop that or is it gonna be, okay, solid. So we'll have a blog post down in the description. I'll call that out now when we release this episode. And then we'll probably put the POC somewhere up here on the screen or something like that as well so that you guys can understand exactly what's happening.
Jonathan Bouman (56:46.353)
Yeah. Yeah.
Jonathan Bouman (57:03.943)
Yeah.
Justin Gardner (@rhynorater) (57:05.172)
I was reading through some of your other bugs as well, Jonathan, and I actually see a trend of server-side template injection, which is just really a weak bug for me. I've only ever found server-side template injection once or twice. And so what are you doing that is making you find these server-side template injections? I know that in one of your articles you mentioned a custom Burp scanning profile that helps with that.
But are you just spraying the payloads around or thinking about it from a templating perspective? What's going on there?
Jonathan Bouman (57:42.109)
I try to use the active scanner in such a way that it only scans for useful stuff. I think you can, there's a lot of trainings around on how to use burp and how to use all the different options. But I think the most important part is how to use the active scanner in such a way that is useful. And there are a few steps I always take.
First, I look at the target. I try to figure out what coding language is behind it. Sometimes there are multiple ones. It's like a reverse proxy somewhere on an endpoint, and sometimes it's one. And especially with the old coding languages like Perl and the ancient ones, there you want to be sure that it's part of your active scan. And often, bug bounty hunters turn them off, the active scanner, because they get banned on Akamai or whatever is too noisy.
Justin Gardner (@rhynorater) (58:31.392)
Mm.
Justin Gardner (@rhynorater) (58:37.642)
Yeah.
Jonathan Bouman (58:39.933)
And they forget to turn it on or if they turn it on, they only turn on the XSS or server interaction types of stuff. But if you toggle on the template injections, the Perl code injection, and that's what it's called in the active scan, then you might end up with bugs that other people miss. And so there's an interesting bug, an RCE I found on Ahold,
one of the biggest food companies in the world nowadays. And the only way I could find that was because I had my Burp configured to also scan for Perl code injections. And they get some payload that does some sleep or proof there is code injection. And to show impact, you need to start coding Perl, which I can't do myself. So you need to...
Justin Gardner (@rhynorater) (59:09.137)
Mm, mm.
Justin Gardner (@rhynorater) (59:29.888)
Dude, so, so terrible. So terrible.
Jonathan Bouman (59:33.331)
So, you need to figure out with ChatGPT or old friends how to get something useful out of that. Then you end up with good stuff. But that is a way. Another way is try to understand how the templates are rendered.
Justin Gardner (@rhynorater) (59:39.572)
Yeah, our old friends.
Justin Gardner (@rhynorater) (59:45.156)
Savage.
Jonathan Bouman (01:00:01.016)
For certain targets, Amazon, for example, I know exactly what types of strings they use for templates. For a lot of other targets, I also know. And you can discover by looking at not properly rendered pages, for example. you need to be lucky there. So look in your site map. Look for the generic template types of.
Justin Gardner (@rhynorater) (01:00:07.263)
Mm-mm.
Justin Gardner (@rhynorater) (01:00:20.331)
Mm.
Jonathan Bouman (01:00:28.96)
how you write the template code, the angle brackets. Yeah, and then figure out, those are the angle brackets they use. OK, this is an example of what actually also renders a proper variable. And then you might put that in your word list for your own custom scans. So that's the way to go.
Justin Gardner (@rhynorater) (01:00:30.004)
Yeah, like angle brackets and that sort of thing. Yeah.
Justin Gardner (@rhynorater) (01:00:46.336)
Mm.
Justin Gardner (@rhynorater) (01:00:49.898)
Hmm. Well, I know, I noticed also in this writeup that you did with Ahold USA that you first brute forced for parameters on this specific endpoint. And then you did the scan and that scan uncovered the Perl injection. Is that, I mean, is that something that you have as a part of your flow pretty often, identifying each individual endpoint and then brute forcing parameters on those endpoints? Yeah.
Jonathan Bouman (01:01:16.694)
Correct. Yeah. Yeah. The challenge for us as bug bounty hunters is to discover untouched functionality and query string parameters, form parameters that are not mentioned in the JavaScript, not mentioned anywhere, but are doing something in the code. That's where, that's where you want to look because other people miss that out. So yeah, you need to have some flow where you
Justin Gardner (@rhynorater) (01:01:23.243)
Mm.
Justin Gardner (@rhynorater) (01:01:41.43)
Mm.
Are you using param miner for that or are you mostly just using intruder like you are in this article?
Jonathan Bouman (01:01:49.522)
I've got a hate relationship with Param Miner, hate, laughing. So I turn it on as everyone and then I turn it off after 20 seconds. And then I turn it on again and then I turn it off because it never stops. If someone can fix a version of Param Miner that actually behaves and doesn't go rogue and everything, that will be super helpful. Or my...
Justin Gardner (@rhynorater) (01:01:54.554)
Haha
Justin Gardner (@rhynorater) (01:02:07.382)
Mm.
Justin Gardner (@rhynorater) (01:02:11.082)
What do you mean by go rogue? Are you talking about how like it adds like cache, cache poisoning or like canaries or whatever to all the different requests or what are you talking about?
Jonathan Bouman (01:02:17.782)
then
I might need to read the manual. Yes, I might tick the wrong boxes there. Often for me, it slows down, it hangs. So that's maybe the thing. On Amazon, I would not recommend you to use Param Miner, for example, it will give you a lot of headaches. So.
Justin Gardner (@rhynorater) (01:02:23.712)
Yeah.
Justin Gardner (@rhynorater) (01:02:27.264)
But, mm.
Justin Gardner (@rhynorater) (01:02:36.15)
Mm.
Gotcha. And so what you're looking for in those scenarios is just something maybe that has a little bit more feedback so you can see whether it's slowing down or whether it's not slowing down or that sort of thing. And then you are hoping to be able to stop it and start it pretty easily. Is that the main problem? Do you see what that's right now?
Jonathan Bouman (01:02:47.094)
Yeah.
Jonathan Bouman (01:02:58.058)
Yeah, yeah, yeah. See what are the tasks. But that's the same with the active scanner of Burp. You should rule out any path with JPEG, with images, for example, or fonts or CSS. There's not much there. So, and if you don't do that, it will try to do a Perl code injection on a CSS file, which makes no sense. So yeah, you need to limit it heavily to be effective. And this blog post on Ahold,
I showed that you can also use the Intruder. If you got a feeling this page must be vulnerable, just go manually. I almost automate nothing of what I do. I just look carefully about what's going on, what's happening, I read code.
Justin Gardner (@rhynorater) (01:03:35.318)
Mm.
Justin Gardner (@rhynorater) (01:03:41.558)
So let's say you identify a cool, funky-looking request. You send it to a repeater or whatever. You're playing around with it. Do you pretty much instantly send it to Intruder as well and launch off a, and then let that run for a little while, look at the responses that are different, and then keep playing with it? That's the flow.
Jonathan Bouman (01:04:02.89)
Yeah, and then you have at one moment six different Intruders and you keep refreshing them and you keep looking at them and then yeah, you're lost on your screen and then you think like, I've got 20 Repeater tabs and now four, five, six, seven, eight windows of Intruder, help.
Justin Gardner (@rhynorater) (01:04:17.828)
man. Yeah. There definitely needs to be some organization stuff that is a little bit different in that area. That's pretty cool though. Yeah. So I think server-side template injection is definitely a tricky one for me. definitely want to grow in that area. I don't have a good flow right now for using a scanner that would alert to that sort of thing. Mostly the way that I should be doing it, but I'm not, is just putting these, you know,
Jonathan Bouman (01:04:22.879)
Yeah. Yeah.
Justin Gardner (@rhynorater) (01:04:46.816)
curly brackets or angle brackets or whatever into a part of the like XSS payloads that I'm using and spraying across the website. Is that something you're doing as well or are you mostly relying on the scanner to detect that? Solid.
Jonathan Bouman (01:04:55.968)
Yep. No, that totally makes sense. Yeah. Yeah. Yeah. And, and, and then you still have the challenge of a lot of template engines are custom stuff like FileSender, a great example where you need to know the specific way they write their template tags. And if you, if you don't use it in a proper way or with a variable that's not existing, then you might miss a, miss the, the, the injection. So yeah.
Justin Gardner (@rhynorater) (01:05:10.058)
Mm-hmm.
Jonathan Bouman (01:05:25.738)
But if you're able to try to figure out some real working templates, template code blocks. Yeah.
Justin Gardner (@rhynorater) (01:05:32.234)
Hmm. That makes sense. So, so pivoting a little bit, you know, you mentioned before that one of the early things you did earlier with Amazon was breaking apart the Android mobile app and kind of diving into that a little bit, understanding how the APIs work to build this, website or whatever that was going to make you a millionaire. and, and, and I think you've, you've done a pretty good job as well. Just looking, like talking to you at the live hack events and seeing the kind of bugs you're finding.
of looking at that peripheral scope of Android and iOS. And I think a lot of people go down the Android route, but not as many people go down the iOS route. So can you talk about your methodology with iOS apps and how you're approaching that to attack these bigger organizations?
Jonathan Bouman (01:06:20.916)
Yeah, so it's really important, I think, as a bug bounty hunter to have an iPad that is jailbroken and to have an Android that you can use to easily man in the middle. Because if it's too big of a hassle to man in the middle all those apps, you don't do it or you lose too much time. If it's super easy to do, then you
Justin Gardner (@rhynorater) (01:06:29.088)
Mmm.
Justin Gardner (@rhynorater) (01:06:43.413)
Mm, yeah.
Jonathan Bouman (01:06:47.894)
For example, in the live hack event you get a new scope. You see, OK, we've got six apps there. We've got some websites. OK, let's install those apps right now on my iPad and on my Android. Wait for five minutes and then come back and then just start trying to man in the middle then and see what traffic. So my methodology is I got an iPad that I jailbreak with palera1n. palera1n is one of those jailbreak tools and there's still an iPad available that you can
Justin Gardner (@rhynorater) (01:07:10.282)
Mmm.
Jonathan Bouman (01:07:16.845)
jailbreak with that tool that also updates to some of the latest iOS versions. I think it's the tablet, iPad 7. So have a good look on the palera1n website and see which models are still supported and if the model supports one of the latest iOS versions, because that's a problem. You need to have recent versions. But the last time I checked was three, four months ago and it was still working well.
Justin Gardner (@rhynorater) (01:07:34.581)
Yeah.
Jonathan Bouman (01:07:42.796)
So that's the thing. And I got a spare Android phone, a Pixel thing that I rooted, but also with Android, you can easily use apk-mitm, APK man in the middle. It's on GitHub. So sometimes I just patch the APK and then I install it. But I also think here it's important to have those devices separately.
Justin Gardner (@rhynorater) (01:07:56.496)
Mm. Mm.
Jonathan Bouman (01:08:10.688)
from your own device because otherwise you end up with your personal phones full with strange apps or keep up your own security. So have those different devices there also really helps to open them up and update just all those apps and see which apps can be updated. So you get some signal back from the gate or something new.
Justin Gardner (@rhynorater) (01:08:16.744)
Yeah. Yeah.
Justin Gardner (@rhynorater) (01:08:30.058)
Yeah.
This is really interesting, this APK MITM tool that you mentioned here. I hadn't actually seen this before. I'd seen something similar called Objection, which allows you to patch APKs and then hook in via Frida scripts and stuff like that. But this actually seems like it's oriented specifically more towards getting rid of cert pinning and that sort of thing. And it just goes for that. So it's like a one shot, let me see if this works. If it does, great.
Jonathan Bouman (01:08:47.52)
Yeah. Yeah.
Jonathan Bouman (01:08:57.824)
Exactly.
Yeah.
Justin Gardner (@rhynorater) (01:09:02.43)
And then if not, obviously I'm going have to go down the custom route.
Jonathan Bouman (01:09:05.228)
Yeah, and that's also sometimes what I do. So then I go give it a try with Frida or Objection and try to patch it myself. There's only one time I was not able to disable the man in the middle and there was some heavily obfuscated app from some government somewhere on this planet that had that if I had to patch it, I had to patch it on system call level in iOS and my.
Justin Gardner (@rhynorater) (01:09:11.605)
Mm-hmm.
Justin Gardner (@rhynorater) (01:09:21.868)
So annoying, man.
Jonathan Bouman (01:09:31.276)
good old friend ChatGPT was hallucinating too much to help me out there. So I got stuck in a lot of rabbit holes and then I figured out, okay, I might need to wait for other people to figure out how to do this properly. But most of the time, apk-mitm, I mean, the man in the middle thing works or Objection. And then the fun starts, then you need to use the app and just see what's going on. And is there any hidden functionality? You need to, are you able to...
Justin Gardner (@rhynorater) (01:09:34.897)
no.
Justin Gardner (@rhynorater) (01:09:48.79)
Mm.
Jonathan Bouman (01:09:59.66)
to get some perks if you are an artist or if you sell stuff or whatever you can think of. Yeah, that's most of my time I spend on is understanding how an application works or where are the edge cases.
Justin Gardner (@rhynorater) (01:10:06.57)
get the app configured in general. Yeah, that makes sense.
Justin Gardner (@rhynorater) (01:10:16.022)
I really like what you said here is get some framework in your brain for both Android and iOS where it reduces friction to get to the man in the middle point, right? Because a lot of the value for us as web hackers is looking at these APIs and what kind of different APIs the mobile app is using as compared to the web, right?
Jonathan Bouman (01:10:27.659)
Yeah.
Justin Gardner (@rhynorater) (01:10:41.202)
And so if you have a system in place, okay, you know, we download the APK on the device, we pull it off with ADB, we run MITM APK or whatever the name of the thing is to patch it. And then we send it along and if it works, great. If it doesn't, fine. You know, just having that in place and not having to think about that whole thing and the same flow for iOS opens up scope for you when it's easy. And when it's not, you...
you can go a different route or you can choose to double click in.
Jonathan Bouman (01:11:11.84)
Exactly, one other important advice is have two of those tablets because one day one will brick and you will have a lot of stress. So I got two iPads, I got two Pixels and that removes all the stress for me that if something is bricked because it's all jailbreaks, all, that's, you try to update them and then see if the palera1n still works.
Justin Gardner (@rhynorater) (01:11:19.318)
Mmm.
Hahaha
Jonathan Bouman (01:11:39.348)
And you don't want to endure these moments of truth. No, you want to say like, OK, I got my backup here. It's working. If I break this one, I still got my backup there. So this was an important lesson I learned.
Justin Gardner (@rhynorater) (01:11:42.806)
Mmm.
Justin Gardner (@rhynorater) (01:11:48.692)
Yeah. I imagine that helps as well for like cross user testing. Like you don't have to go log out of the app on this one and log into it on that one. like, all right, now I'm just trying to use two sessions on one iPad. You know, it's like, geez. Hmm. Yeah. I think that's worth the investment.
Jonathan Bouman (01:12:02.719)
Yeah, exactly. You spent $200 on a refurbished iPad. It's all refurbished. Those models. It costs nothing. You can buy them on amazon.com. This was not sponsored by amazon.com. Please click my affiliate link below. Scroll.am.
Justin Gardner (@rhynorater) (01:12:16.92)
You buy them on Amazon?
Justin Gardner (@rhynorater) (01:12:22.903)
That's great. my gosh. Give up your dream, Jonathan. You're never gonna become an Amazon affiliate. my gosh. That's hilarious, man.
Jonathan Bouman (01:12:33.687)
Make me wish quick. But you can, yeah, it costs nothing and it saves you, if it saves you two hours of headaches or stress, then you get your money back. Yeah. Yeah.
Justin Gardner (@rhynorater) (01:12:44.916)
Very much worth it, very much worth it. I'm looking through some of these other things here on the list and I think next place, you've got two more cool bugs that I wanna go through. This chain of three bugs in the health care, Dutch health care system stuff. And that also sort of leads us down the path of why the threat model changes with the different industries that you're in, right? And I think...
A lot of times in the bug bounty world, are very much used to POC or GTFO sort of things. And, but I think this, this medium article that you wrote up on people being able to send executable files through a portal that was meant for sending patient information can have tremendous amount of impact. So can you talk to us a little bit about that assessment and the vulnerabilities you chained together for that one?
Jonathan Bouman (01:13:40.545)
Yeah, so I try to bring back everything I learned from bug bounty into health care just to improve and make the industry more mature on the infosec thing. And one day I decided to see how feasible a ransomware attack would look like in health care. So being a GP myself, I'm quite vulnerable. I've got a lot of patient data. I've got a lot of colleagues running around.
Justin Gardner (@rhynorater) (01:14:00.927)
Mm. Mm.
Jonathan Bouman (01:14:09.527)
a lot of clients. And so I started with having a look at one of the biggest insurance companies in the Netherlands. I'm also insured by them for my legal problems. And at the time they did not have any responsible disclosure policies, but they are like, yeah, an organization founded by doctors. So I expected them to be doctor friendly, ethical doctor friendly.
Justin Gardner (@rhynorater) (01:14:23.402)
Hahaha
Justin Gardner (@rhynorater) (01:14:34.646)
Mm.
Jonathan Bouman (01:14:39.299)
And so there's one problem there is that they also sell insurances for cyber risk and ransomware attacks where they give a guaranteed payout for ransomware attacks of 100k plus. So if you insure yourself or if you own the bucks, then if you got ransomware, then they will pay the ransomware group, which is a problem because in my industry there's
So if you rent a room you get a box of candies with not tasteful candies because that's all we have in our practice. There's no big money floating around there.
Justin Gardner (@rhynorater) (01:15:10.902)
Hahaha
Justin Gardner (@rhynorater) (01:15:15.967)
You've brought those Netherlands candies to the live hacking events before. It's like, what is it, like the black licorice or something like that? I don't like that. Yucky.
Jonathan Bouman (01:15:20.634)
Good! Yeah, yeah, dropmix. Yeah, yeah. Good that you remember that. You're more fond of the stroopwafels, I guess. Stroopwafels, yeah, yeah, yeah.
Justin Gardner (@rhynorater) (01:15:28.394)
Uh-huh.
I am. Those are very good. Those approved.
Jonathan Bouman (01:15:36.552)
Yeah, there you go. So I figured out like, hey, they're creating a big risk to my industry. And they obviously do it because people request them to sell those insurances. So it's a complicated problem. But from my perspective, that's not good. But also like they're the first main targets I would like to hack as a ransomware group, because if I hack them, I know exactly who's insured for which amount of money. And that will be, well, my dream come true because I can pinpoint my attacks.
Justin Gardner (@rhynorater) (01:15:43.606)
Mm.
Right.
Justin Gardner (@rhynorater) (01:16:01.002)
Mm-hmm.
Justin Gardner (@rhynorater) (01:16:05.654)
so you're hacking the insurance provider to understand, this company, this company, this company, this company, have insurance policies at a hundred grand. So I need to go pop that one and that one and that one and that one. Wow.
Jonathan Bouman (01:16:05.984)
So...
Exactly.
Jonathan Bouman (01:16:17.024)
There you go. So that was the moment when I had, when I discovered that like, wait, this might be a thing. Then I start poking more into their infrastructure as I'm a client, but I had to be super careful because I did not have permission, no responsible disclosure thing there. So I was more doing this to do good for society, being some sort of journalists, publishing about security issues. So I've got some protection in the Netherlands, but I need to be careful. So,
Justin Gardner (@rhynorater) (01:16:44.63)
Mm.
Jonathan Bouman (01:16:47.562)
And I rang up my mom, my mom is a psychologist. And I asked her, like, are you also insured with them? And she was like, yeah, I am. So at that moment, I had two accounts, on my left screen I have my mom active, on my right screen myself. So I was able to safely IDOR my own account from my mom's and if, well, shit hits the fan and whatever happens with lawyers and judges, I could at least say I did.
I did try to only impact myself and I did try to do it, et cetera. And in the Netherlands, you're quite safe if you do that. So that's when I opened up Burp, see how it all worked. And then I figured out, there's some inbox with all your PDF documents that request has some integer of your membership number. And I could replace my mom's membership number with mine. And that way I could view all the files that were part of my profile.
Justin Gardner (@rhynorater) (01:17:17.873)
Mm, mm.
Jonathan Bouman (01:17:45.199)
including the insurance policy term sheet. Yeah, so I reached out to them and they handled this really well. So they patched this within hours or a few days and they reached out to me to discuss how they can improve the overall security. At the end of a few weeks, they also published a responsible disclosure. Had to convince leadership there that it's a good idea to...
Justin Gardner (@rhynorater) (01:17:48.892)
If, if...
Jonathan Bouman (01:18:14.095)
get transparency. And I think Jobert once put that on Twitter, transparency is trust. And that is one of the most important parts, I think, in our society, in our bug bounty programs, but also from a customer perspective, I want to know if something went wrong and how you handled it. And if you learned something from it, it's all good. So I try to convince them also to let me share the story.
Justin Gardner (@rhynorater) (01:18:16.213)
Hmm.
Justin Gardner (@rhynorater) (01:18:20.692)
Yeah.
Jonathan Bouman (01:18:41.876)
And after some debate, they agreed on that. And so that's the proper route to go.
Justin Gardner (@rhynorater) (01:18:49.194)
Yeah, it's really good to enforce change, you know, via that, by bringing it to the public and that sort of thing. And I think especially in these very high data sensitivity industries, it's super important to have at minimum a responsible disclosure program. Otherwise, how are people gonna be able to report stuff? And dude, it's so common. I've actually found almost an identical bug to the one in your writeup here within the past month.
Jonathan Bouman (01:19:05.742)
Yeah.
Justin Gardner (@rhynorater) (01:19:18.386)
on a healthcare thing in the US where it's literally just up in the URL bar, member ID equals numeric IDOR and it's like, this is really not good. There's no way we're the only one seeing this, There are definitely other people that look up there and say, if I'm member ID one, two, three, then somebody else is gonna be member ID one, two, four, and that's not good.
Jonathan Bouman (01:19:23.79)
Yeah.
Jonathan Bouman (01:19:27.866)
Help! Yeah, yeah. did you, did, no.
Jonathan Bouman (01:19:44.538)
How did it go when you reported it? Was it part of a bug bounty program or responsible disclosure thing?
Justin Gardner (@rhynorater) (01:19:48.028)
No, it wasn't a part of a bug bounty program. It was something that I use. and so I went in there and I was, I was like, I opened up this PDF file. I have exported it so that I could do something with it. And, you know, in the PDF export, of course, there's like a, you know, they, they like slash PDF renderer, you know, whatever, and, and just put in the ID and it generates the output. And I looked at it I'm like, no. So I sent an email and I, I, to their support team, cause they didn't have any security contacts.
Jonathan Bouman (01:20:04.825)
Yeah
Justin Gardner (@rhynorater) (01:20:17.11)
And then I called the company and said, hey, I just sent it through an email. And they're like, we don't really know what to do with this. And I'm like, that's fine. It's not you. Just can you pass it to somebody in IT, please? they fixed it within 24 hours, which was amazing. But yeah, mean, no email back, no response, no nothing. Just fixing it.
Jonathan Bouman (01:20:31.7)
Yeah.
Jonathan Bouman (01:20:37.878)
Yeah, and that's super important thing. We need to push more for us as a society to do all the people creating like the laws, all the people in government working for governments, try to see what you can do to get every piece of infrastructure that holds data of citizens of your country, that they have some way, that there is some way to reach out to this infrastructure to report security bugs to.
But also try to see if you can enforce or support transparency because enforcing stuff is not good because people find ways around. if you share the reason why we need to be transparent about stuff, then you also create more awareness on all levels. Like, hey, we might need to bend this something every once in a while. Hey, we might need to check something for the risks before we deploy it.
And that will protect us from people who want to do harm. And in the healthcare industry, ransomware is our biggest threat at the moment. They're super smart. They've got really big budgets. I bet they already fixed my Param Miner bug and they were like, yeah, we have fixed that already because of their budgets. Yeah, we got so much.
Justin Gardner (@rhynorater) (01:21:46.014)
Mm. Mm.
Justin Gardner (@rhynorater) (01:21:51.424)
Yeah
Justin Gardner (@rhynorater) (01:21:55.286)
Mm.
Jonathan Bouman (01:22:00.446)
stuff exposed on the internet and if it's hard to reach out to companies like you had to go through all the hoops. That's work to do and maybe not our work but yeah, we need to ask people. Yeah.
Justin Gardner (@rhynorater) (01:22:14.9)
Yeah, somebody from the policy side. know, I think one of the things that I haven't seen a ton of is, and like pretty much only I've seen this from Jack Cable here in the US and you over there in the Netherlands as well, is trying to get involved with the policy creation and trying to influence that at a big scale. I think that's really important work and will make it easier for us to do these sort of things in the future and continue to move forward with, you know,
reporting these bugs and getting them addressed in a way that's good.
Jonathan Bouman (01:22:47.304)
And also get you rewarded for your assessment of time. Yeah, because by then...
Justin Gardner (@rhynorater) (01:22:50.846)
Yeah, because people aren't just gonna, know, people aren't gonna do it just for free forever, you know? And so there should actually be some additional monetary incentive, think, as well.
Jonathan Bouman (01:22:56.156)
No. No.
Jonathan Bouman (01:23:01.78)
Yeah, I fully agree on that. Yeah. So that was the first hit. So we now know in the Netherlands everyone was insured, we should have it for our people. The second bug I found was in the Netherlands as a doctor, you need to have some subscription with a person that will
handle all your complaints. So if you're not happy with me, you can file some complaint against me and then this independent person will try to mediate and try to figure out how could we learn from it. So it's not like a legal procedure, it's more like get stuff fixed and get stuff done in a proper, quicky way. But most doctors use their private details for that because they want to be aware of any problems as soon as possible. And we receive this stuff just with the ordinary old mail.
Justin Gardner (@rhynorater) (01:23:33.398)
Mm.
Mm.
Jonathan Bouman (01:23:53.533)
So that was my next target. It's a super small organization, two people working there, but they have a lot of sensitive data. All the doctors, but also the psychiatrists working in prisons and stuff like that. They hold all the data and they had a phone book that if you signed up for a new profile, everyone could sign up. You entered your registration number as a doctor. They call it BIG number, but it's.
Justin Gardner (@rhynorater) (01:24:07.274)
Wow.
Jonathan Bouman (01:24:19.771)
It's just an integer code that's public. You can find it everywhere. I need to share it also with you. If you ask me, it's the way you can check if I'm actually a doctor. You enter that in your new signup profile thing, they return an error like, sorry, you already have a profile, please log in. But if you look in Burp, you saw the response, the full account details. They also put it in the response. So.
Justin Gardner (@rhynorater) (01:24:40.347)
no, no.
Jonathan Bouman (01:24:44.241)
take home message here, always check your Burp for any responses. They might not render it on the website, but it's there in the response. So also they handled it pretty, pretty well and quickly and they patched it. But at that point we had all the private data of all the doctors. Also the doctors were having this really good insurance policy. We have coverage for a lot of money if you run somewhere. And third, we need to actually upload
malware to their systems. And the easiest way these days is just sending an email with an attachment. That's my homeless answer, but that's not fancy. So we had to look for something fancy. So there are like seven systems in the Netherlands, EHR systems like we use as GPs. And I got access to a few of them and one of my GP buddies is also sometimes hacking. So I reached out to Bart and I was like, hey dude.
Do you've got any, which systems could you test for me? He's like, yeah, I have access to two of them. It's OK, good. So we have coverage of about half of all the systems. So I explained him the thing and he was like, yeah, I can try that for you. So you want to upload an executable instead of a picture of the eczema thing. Yeah, makes sense. So all our clients can send messages through some portal web. I can upload a picture. So it's easy for me to answer like, it's nothing. Yeah, have this screen.
Justin Gardner (@rhynorater) (01:26:04.81)
Mm, mm.
Jonathan Bouman (01:26:06.374)
So that moment me and Bart start trying to upload executables and most of them got blocked because there are some man in the middle party that is doing a lot of those hurdles. But one of them did not block it. So then we discovered like, we could just upload an executable. And for me as a doctor, the executable is displayed in my inbox of a Windows desktop application or custom or Java, I think it's really ancient.
Justin Gardner (@rhynorater) (01:26:32.63)
Mmm.
Jonathan Bouman (01:26:35.873)
legacy software. And I could just click it and it opened up the executable. And we did a proof of concept with some setup.action, nothing fancy, no ransomware there. But we proved that we could just send those executables to specific doctors. You can sign up as a ransomware group to any doctor you want to. There's no user.
Justin Gardner (@rhynorater) (01:26:58.412)
No
Jonathan Bouman (01:27:02.062)
privilege required, that will be none or low maybe, but I would say none. And yeah, so that was RCE there. Yeah, user interaction required, but still good thing.
Justin Gardner (@rhynorater) (01:27:06.332)
my gosh.
Justin Gardner (@rhynorater) (01:27:14.4)
So I mean, essentially what you did is something that we talk about, you know, on the pod from time to time here is building out that full threat model vision, that full attack vector vision, right? You started with enumerating all of the, you know, doctors that have these insurance policies, and then you figure out a way to actually get that payload through to the doctor in a way that's reasonable. I mean, this is beautiful. This is really beautiful because at the end of the day, it makes it so much clearer for
the people that are not in this bug bounty world, or even people that are in the security world, but not in the full, let me poke out this whole thing world, how easy it is to put these pieces together and achieve some really crazy impact. And I mean, this is exactly how a malicious actor would go about this, right? If they were gonna do it programmatically.
Jonathan Bouman (01:28:06.741)
So this is also the end game for programs, I think. If you want to be a great program, just say the scope is our customer data. Figure out a way to hit it and no phishing because that's too easy, but think out of the box. And to do that, the only way to do it is if we've got proper policies in countries where you are not limited by other companies suing you because you found a weapon or assistance. No, we need to create a way that we can create that change because
Justin Gardner (@rhynorater) (01:28:12.766)
Mm. Mm.
Justin Gardner (@rhynorater) (01:28:18.678)
Mm.
Justin Gardner (@rhynorater) (01:28:30.283)
Mm.
Jonathan Bouman (01:28:36.063)
It's not only amazing stories, but it is actually the way it works in real life with the models we have to work with.
Justin Gardner (@rhynorater) (01:28:40.886)
Yeah.
Justin Gardner (@rhynorater) (01:28:44.95)
I think this is really good. I think this is something that a lot of programs could really do better on. Some programs will put treasure maps out there and say, hey, we care about this, we care about that. But I think incentivizing full-fledged attack methodology is really cool. So saying, hey, if you can provide some way to show a vulnerability, show distribution and exploitation of this vulnerability en masse, then we'll award additional bounties for that, or we'll award bonuses for that,
or we'll have a tier or whatever that you reach if you're able to provide me with a reasonable attack vector that chains things together and makes this an attack that somebody could very easily implement.
Jonathan Bouman (01:29:26.566)
Exactly. And a mistake I see programs now making is to put third party code or stuff like that, or enterprise software out of scope. If you do that, you lose big talent because there are some researchers focused on that, finding your zero days in your enterprise software that holds all the sensitive data you can think of. So start doing that.
Justin Gardner (@rhynorater) (01:29:34.059)
Yeah.
Jonathan Bouman (01:29:51.614)
take responsibility for the stuff you implement in your company. It's your decision to use this enterprise software and be aware of any bugs. And if it's a zero day, you want to know. And if it's a one day, you might also want to know. And it's the change that will be the ones that impress leadership and in the end also protect your customers or your clients, whatever your employees. So.
Justin Gardner (@rhynorater) (01:30:04.502)
Mm.
Justin Gardner (@rhynorater) (01:30:13.664)
Yeah.
A lot of times these enterprise software packages, I think they were actually just discussing this last week on the Assetnote podcast, Surfacing Security, about how these third-party vendors are really becoming the shadow IT of this generation. And oftentimes the weakest links are not this code that is part of the main application, but these little vendors that they're like, we kind of need this tool, but we don't fully vet it. We just kind of plop it in on the system.
And then time and time again, you've seen Shubs and the whole Assetnote crew just destroy those pieces of software and it's absolutely detrimental.
Jonathan Bouman (01:30:53.124)
We need so many people like Shubs on this team. Shubs is one of the most impressive hackers I've met in my hacking career. Super grateful to work together sometimes with him. And what he taught me is that there are so many weak spots in software that is used everywhere, but you need to insist heavily on that. And you need to go deep, really deep. And if we...
Justin Gardner (@rhynorater) (01:30:56.266)
Mm-hmm.
Justin Gardner (@rhynorater) (01:31:03.488)
Mm.
Jonathan Bouman (01:31:19.311)
don't let that be part of the bug bounty game or our threat models because if it's enterprise or third party, then you lose out on the most important bugs you might have. And yeah, I'm super happy that he is investing in that and doing great research.
Justin Gardner (@rhynorater) (01:31:41.638)
It's very important, I think. All right. I want to be respectful of your time, Dr. Bouman, but I do have to ask a couple more questions about this. Okay. So moving away from the technical stuff and bringing it back around to something that I'm sort of tangentially passionate about with regards to Bug Bounty is how we as Bug Bounty hunters can take care of our bodies and take care of our minds as we're doing this very addictive, very, you know, hunched over at our desk for hours sort of thing. Right.
So as the official doctor of the Bug Bounty world, tell us what we need to know about how to maintain our posture, how to keep our brains functioning in these super long hacking sessions. What do you have for us there?
Jonathan Bouman (01:32:29.549)
Yeah, it all starts with fetch the balls.
Justin Gardner (@rhynorater) (01:32:32.118)
Why do you just pull out a carrot?
Jonathan Bouman (01:32:37.409)
As a bug bounty hunter, the most important part is to have a golden plate with carrots on it. It's the only way to have a constant way of finding bugs. Now, audio exercise has healthy habits. That's the most important thing. And habits, you create them by doing stuff periodically, a few times a week. And if you do that long enough, it becomes a habit. And if it's healthy, then it's good. So for myself, I've got the healthy habit of
Justin Gardner (@rhynorater) (01:32:42.093)
my gosh.
Jonathan Bouman (01:33:06.733)
working out every other day lifting weights. It's super boring. In the bug bounty scene, I see quite a few power lifters around us. I'm not a power lifter, I'm just a boring one who's looking at the power lifter like, how do you do that? I'm not dedicated enough to do this, yeah. But still, I create a healthy habit of going there and doing that. And doing this for a long while, I can't think of a situation where I'm not doing it.
Justin Gardner (@rhynorater) (01:33:14.304)
Yeah.
Justin Gardner (@rhynorater) (01:33:22.986)
Hahaha
Jonathan Bouman (01:33:33.825)
That's also a struggle with live hacking events. Then you're in other environments and you sometimes don't have the ability to do those healthy habits or you tend to not do that. So try to figure out how to do that. For me, for example, two YouTube channels I use often abroad are Med Fits and BullyJuice. Just easy home gym stuff, which you can do without any, any extras. You can just do it in a
Justin Gardner (@rhynorater) (01:33:42.795)
Yeah.
Jonathan Bouman (01:34:04.075)
hotel room. I discovered that during COVID because all the gyms closed down. I'm still using it today. Eating, yeah, obviously everything you put in your mouth can be harmful on the other end. Life is short, so you might enjoy it. So yeah, don't be super strict in everything. Find the right balance.
Justin Gardner (@rhynorater) (01:34:09.366)
Mm.
Jonathan Bouman (01:34:28.503)
People sometimes ask me like, do you drink alcohol? Well, most of the time I don't. I might drink once a month, maybe once every three, four months max. But that's one of the hacks I use to stay sharp and focused. I remember from the time I was a developer, if I had some alcohol, I thought I had the greatest ideas. And if I looked back at the code the next day, it was horrible. So that was a good objective observation
Justin Gardner (@rhynorater) (01:34:36.096)
Mm-hmm. Yeah.
Justin Gardner (@rhynorater) (01:34:53.27)
Bye!
Jonathan Bouman (01:34:57.934)
that it's not working well. Same with weed, I've never smoked weed in my life, even though I'm from Amsterdam. For some people it works and there's quite a high rate of ADD or ADHD in bug bounty people. So that's often the reason people use weed to get some focus or some mind state that works for them.
Justin Gardner (@rhynorater) (01:35:03.862)
Mm.
Justin Gardner (@rhynorater) (01:35:15.506)
Mm-hmm. Yeah, I think so too.
Jonathan Bouman (01:35:27.586)
But there are other ways that are more healthy to do. So yeah, I'm not telling you you're doing wrong, but there's different ways to cope with the problem.
Justin Gardner (@rhynorater) (01:35:32.597)
Mm.
Justin Gardner (@rhynorater) (01:35:36.884)
Hmm. What I, I'm not sure if this is your arena, because I know that like posture health and that sort of thing is something that's kind of different from, you know, general medicine stuff. It's more in the physical therapist realm. But I've recently had an injury in my shoulder. And as I went to go talk to a doctor about it, you know, he was saying that from working at a desk, you know, the shoulders are sort of slouched, slouched forward like this a little bit. And because of that,
the pectoral muscle is shortened and it's pulling the shoulder down, right? And so one of the things that he had me do that has been amazing for my posture and really helped with my ability to like reach and swing when I hit a volleyball is he's had me take like this ball, like a lacrosse ball or like a tennis ball, and like lean my chest up against a wall and push this ball into my chest muscle to loosen up
Jonathan Bouman (01:36:10.562)
OK.
Justin Gardner (@rhynorater) (01:36:35.978)
this muscle right here and that pushes, that allows for this muscle to be extended a little bit more and allows for my back muscles to pull those shoulders back into place. And I was like, I was like, man, this is like, this is the kind of stuff I need to know about, you know, like these hacks to keep, keep the posture, you know, up straight when you're hunched over the computer normally, because I think a lot of us get so in the zone with Bug Bounty where we're like not even thinking about.
Jonathan Bouman (01:36:45.76)
wow, that's amazing man.
Jonathan Bouman (01:36:51.735)
Yeah.
Justin Gardner (@rhynorater) (01:37:02.122)
You know, we're sitting like sideways and like, you know, exactly all the levels IO stuff. So.
Jonathan Bouman (01:37:04.864)
Yeah, yeah.
Yeah, test it yourself and also get a physiotherapist maybe once you've got some problems with posture. I try to sit in different positions all the time.
Justin Gardner (@rhynorater) (01:37:11.196)
Mm. Mm.
Justin Gardner (@rhynorater) (01:37:18.09)
I've heard that that's big, is changing the position that you're in, not just, not any given position, but just changing on a pretty regular basis.
Jonathan Bouman (01:37:21.324)
Yeah.
Jonathan Bouman (01:37:25.066)
Yeah, so that works for me, but it might not work for other people, but it works quite well for me. In a lot of my jobs, I've got to sit down and in my work as a doctor, I sit on some strange old chair that looks like if you sit on a horse. I'm not sure what the word for that is, yeah, like I said, and that also makes you like sit in all different ways. And that works for me
Justin Gardner (@rhynorater) (01:37:42.762)
Yeah. Yeah. Like a saddle.
Jonathan Bouman (01:37:54.998)
with all the complaints you have. The thing is with muscles, it starts with if you have a problem, you can go to physiotherapy, get some massage, and then the problem is gone for a few hours and then comes back. So you need to learn how to stretch the muscle. You need to learn after that how to train the muscle. And if you improve the condition of all your muscles, you are less prone to catch another pain or problem.
Justin Gardner (@rhynorater) (01:38:07.371)
Mm-hmm.
Jonathan Bouman (01:38:23.042)
So that's why you also should start doing sports, even though you don't have any problems at the moment. Just to stay in the safe zone. And then we're getting older and older and older. And when getting older, stuff gets worn out. And that's part of life. The only thing you can do is start training and keep training.
Justin Gardner (@rhynorater) (01:38:27.412)
Mm, mm.
Justin Gardner (@rhynorater) (01:38:42.57)
Yeah, it's important to be consistent about it too, like you said, because for a really long time I was doing, I was in the gym, you know, five days a week and lifting and that sort of thing. And then, you know, I've recently had a child in the family and when you have that, things get a little bit difficult. You don't get as much flexibility in life. And so I stopped going to the gym and stopped lifting as regularly. And, you know, it wasn't six months after that happened.
that I threw out this arm playing volleyball and dislocated my shoulder and had this whole problem start. That I've been clawing my way back from now for one month, you know, or longer than a month actually, just trying to get this shoulder back in a position where I can use it. It's, you know, it's a little bit of a tough lesson for me that even if you are, you know, lifting on a pretty regular basis, if you just stop for just six months, that's enough for the degradation to occur
and for some injury to happen.
Jonathan Bouman (01:39:43.34)
Yeah, yeah. So if your habits have, just like the iPads, have two of those iPads you can jailbreak. Also have just this thing as a backup plan, like the YouTube videos. And then you make the agreement with yourself, okay, if I can't go to the gym, I'll do this 30 minute workout just home. And so keep moving and yeah. Yeah.
Justin Gardner (@rhynorater) (01:39:47.402)
Mm. Yeah.
backup plan.
Justin Gardner (@rhynorater) (01:40:05.302)
That's a great idea. That's a great idea, Dr. Bouman. All right, thank you so much for joining us, man. I appreciate it. So many different areas of wisdom across collaboration, across hacking, across health. Really a pleasure. Thanks for coming on the pod, man.
Jonathan Bouman (01:40:19.244)
Thank you for the invite and yeah, if anyone finds good bugs, I hope to hear that on your podcast. If you find bugs on file center, let them know they need more eyes and yeah, happy to meet with people on the Discord, I think. I'm not sure if I joined already, but I'll have a look around. So feel free to reach out.
Justin Gardner (@rhynorater) (01:40:39.222)
Perfect. Thank you so much. That's the pod. Peace.