Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
For me, 20,000 is a lot of money.
(00:02):
But to get, I remember all the guys made a hundred thousand dollars, probably all
my free time when I'm not at the gym or playing tennis or stay with my girlfriend.
It's for a big bounty.
Yeah.
So still today, a lot of SQL injections on, on HackerOne.
So a lot of.
Problems with all, with WAF too, I was able to bypass some WAFs in some cases.
(00:24):
My automation is only for recon, not to exploit anything, because
probably, uh, the exploit thing with nuclei or something, there are
guys doing this faster than me.
so much for joining me for the podcast this time.
Uh, for the viewers who don't know you yet, can you please
introduce yourself a little bit and tell us about your background?
(00:46):
Okay.
So thank you again for inviting me.
I'm really excited about this pod questions and the question.
So yeah.
So about my background, so I'm a bug hunter and pen
tester on HackerOne with four.
I think I have four or five years on HackerOne I, and, and after that,
(01:06):
uh, I, I work, I work uh, as uh, cybersecurity tech lead, uh, uh,
cybersecurity consultancy in Brazil.
And I'm pen test leader in HackerOne too.
So I work with both and, uh, this is me.
I think and I was invited, um, five times to live hack events and
HackerOne and I really like it, sent a lot of bugs on bug bounty.
(01:30):
Yeah.
So are you not the full time
bug bounty hunter now?
Yeah, not, not.
Have you considered it?
Yeah.
Um, I think maybe it's a possibility to me because probably my income
from bug bounty, it's pretty low.
It's really, it's more than I receive from my, my work, really more, but I
really like at work at, uh, this Brazilian cybersecurity, it's, it's good work there.
(01:55):
I have some friends and I really, I really like at work there.
So it's, it's, it's a good job.
I can do really good things there.
The vulnerability, uh, I showed to you was there.
Using the, the serial kilobyte pass, get, get his collection.
So I have good opportunities.
That's to test Brazilian, Brazilian companies.
So, yeah, I like work there.
(02:17):
Yeah, that's, I think that's, that's the common theme among all of the
bug hunters that we like, like bounty.
But also being alone is a little bit problematic.
Yes.
Yeah,
you are really true.
Very impressive. That's still only work part time.
You've got to almost 22,000 reputation on HackerOne.
Yeah
So I I'm very excited to
(02:39):
to speak with you.
Awesome.
Awesome.
I probably owe my friends. Free time when I'm not at the gym or
playing tennis or stay with my girlfriend, it's for a big bounty.
Yeah.
So yeah, all my free time is for a big bounty and probably maybe this is
the reason why I have this reputation.
Well done one way or another.
So uh, are you more of an automation based hunter?
(03:01):
Are you a manual hunter?
Are you something, something in between?
So, uh, yeah, maybe I'm in between these, the, these two options
because I have automation, but only to, my automation is only
for recon, not to exploit anything.
Yeah, because probably, uh, the, the exploit thing with nuclei or
something, there is more, there are, there are guys doing these more fast.
(03:23):
Yeah.
It's a race.
Yeah.
So it looked like a race.
So I didn't, it's like this, this.
So probably my, my, my automation is only for recon.
What I have, it's, I have a huge, my MySQL database, it's all my,
yeah, with all my, all my, yeah.
My scope from bug bounty programs and all, all the time my script
is running and does the recon.
(03:43):
And if I have some updates for HackerOne, uh, uh, these updates notify me and
I have the assets on my, my Telegram chat.
So I received that and maybe this is a good target.
Oh, maybe this program, uh, this program has now with the car
scope so I can look there and yes.
So my, my automation, it's only for recon and receive the updates from the
(04:05):
programs and my, but my, my hunting, it's only manual testing, looking
at application and that's things.
Yeah.
How, how technically do you have connected HackerOne updates to a Telegram chat?
So, uh,
maybe in, uh, at the first time was.
Really hard because we need, we need to, your scripts need to be hitting
(04:28):
the HackerOne API a lot of times to, to get the updates in the time.
But I think it's OK now because, because I, I, I'm writing the script a lot of time.
So maybe the script is stable.
Now and I did have some problems, but maybe at first time I had a lot
of, a lot of bugs and description.
No, the script is not working well and I was losing scope.
(04:51):
An example.
Some I remember to see some time.
My script is not looking all the scope, is only looking the first page.
Not all the scope.
So I fixed them, uh, making a for loop, uh, uh, looking all the pages of this
scope from API, because I didn't know the API only shows a page of scope, not
(05:13):
all the scope, there are some programs with huge scopes, with a lot of domains and
these, and probably I was missing that.
So this, this is what, uh, this is one of the mistakes I have in the,
in the way, but I think probably now it's more stable, but, but my
automation is only for HackerOne.
Yeah.
Because probably implementing other APIs or others, uh, platforms will
(05:34):
be more, I will be more work that.
Yeah.
And
it's always when you write something, it's like, it's a, it's a cool idea and
you think it's going to be quick and then it takes time and more time and bugs.
Yeah.
Yeah.
Yeah.
A lot of
bugs.
Sometimes I, I didn't receive the notifications on Telegram and I think, oh,
probably there is something not working well, I need to check on the server.
(05:56):
Yeah.
What other alerts do you have?
For some, I don't know, do you monitor JavaScript, for example?
No, I didn't monitor any JavaScript.
Uh, but what I, what I monitor with, with this, with my automation is,
uh, every, every day I do the recon.
And.
I have the responses for the same domain in, in a time and in, uh, an example.
(06:22):
I run the recon yesterday, today, and there are going to be tomorrow.
I have all the httpx, uh, parameters in the MySQL database and I can
compare if, an example, if the status code yesterday was 401
and today was 200 and yesterday will be 200.
So I have historical in my, in my automation.
(06:45):
So you store the httpx parameters.
So there's like the status code, number of words, number
of lines, something like this.
Yeah,
you don't actually,
you don't actually, oh, yeah, because, because, um, httpx,
uh, has a, uh, a parameter.
You can get the hash of the body so you can, I did it.
I have these, but I need to work to improve maybe the
(07:07):
way to view these things.
But I was capable, uh, if I search some, some domain example from a bug
bounty program, I was capable to see if the page was changing in the time.
If the, the hash gen bo, I think it's gen body.
Yeah.
The name of the hash.
If, if this has changed, probably the application changed and probably
the application will, probably the application was updated or
(07:29):
something, or have the body change.
Yeah, that's very interesting.
Yeah.
Doesn't it cause too many false positives because the hash is very,
very strict?
Yeah.
Yeah.
Yeah.
We have a lot of many false positives, but sometimes I have
good, I have good, good examples.
So I will show an example to you.
I really like PHP page because.
(07:52):
When you saw PHP, probably we will find some bugs there.
So I was monitoring this page and for this page, the page was the same, the same
hash, same hash, same hash, same hash.
And someday I will look and the hash change.
Oh, probably is there an update here.
And I was capable to find a new endpoint and access there.
(08:12):
So it's, it's fine because if you look for the right, the right
domains, the right subdomains, you can find good things there.
Yeah, but it's hard to, to, to limit this because do you have like
just, um, you monitor this just for the main page, like the slash?
No, it's only the main
page.
Only the main page?
Yeah, the main page.
(08:32):
Because, uh, probably, uh, all the pages will be more complex to do.
And yeah.
I don't know, maybe MySQL is not the best database to do that.
Because imagine we store all these things.
Yeah, that's what I'm afraid of.
Like sometimes when I think of writing something like this, I want
to, well, first of all, I don't want to spend all the time on the
(08:53):
development, but I can accept it.
But then I want to, uh, somehow limit the amount of noise.
Yeah.
To, to actually, so it gives me leads, but doesn't give me everything every day.
Yeah.
Yeah.
So it's a very nice balance that you, that you seem to have, I think
probably in my automations, uh, what I really, really use is this, this
scope update because it's, it's fun.
(09:15):
This, it's really cool because, um, uh, sometimes.
The program update the scope, but didn't send emails to other people
or, or the subscribe didn't work well.
So this functionality to update scope, it's really awesome because
it gives me the visibility of all the scope updates from the programs.
(09:36):
I didn't have that because my, my, my Telegram chat has a lot of
messages all the day because all these programs that update, changing, as yeah.
As more things, I will show an example to you here.
So today I have 10 a.m. Yesterday, yesterday.
So yeah, a lot of updates from these programs.
Yeah, even
in the beginning when you said it, I imagined that, uh, the way I thought
(10:01):
it may be done is you have some webhook on the email, mail hook, but
now you realize, okay, there's not always an email sent on scope update.
Not just now.
I realize this.
Yeah.
So what I do really is get all the time the scope from HackerOne and after
that compare it with my scope in my MySQL database and comparing that, oh, there
(10:22):
is some new here, send to Telegram and start storing in. Yeah, that's very smart.
Yeah.
And do you, every day, do you hunt like on whatever your automation shows you?
Yeah, when, when I have good targets, an example, I saw that, uh, I saw
maybe here there's some good things.
What I was thinking to do to improve my automation is, uh, use httpx in these
(10:44):
new domains to check the technologies.
Because if I have some good technology like PHP or something, probably this is
really good and I can, maybe it's good.
Take some, some, take some time here because probably will be good stuff here.
Yeah,
yeah, that's cool.
You make, you motivate me to start doing something similar as well.
(11:04):
Yeah, I have some kind of, I have some JavaScript monitoring which I use and, but
I use it on programs I don't even handle anymore and I get updates every few days.
And I never actually like created the automation.
The automation where I would really stick to it and I would
actually use it properly.
Yeah.
But I think it's, I think it's incredibly useful.
(11:24):
So I have to,
yeah, the texts from the updates were, it's useful.
I really use that.
Yeah.
Yeah.
That's really awesome.
Yeah, that's very, that's very smart.
And that's weird.
There's no native functionality to do it.
Not just now I realize.
Yeah.
So, uh, I, I was talking with Omi.
I dunno.
I, I'm.
Talking about years, love me in the past, we're talking about maybe it's better
(11:47):
for the HackerOne API if they use webhooks to send to us, because imagine all, all
the day my script is running and it's running and hits the HackerOne API, gets
all the programs and does this every, okay,
Minutes.
Do, do, do, do.
So maybe, maybe this, uh, uh, maybe this consumes a lot of
resource on HackerOne API.
(12:08):
So maybe webhooks can finish with this, this, consume enough resources.
That would be easy.
And also not only on the HackerOne API, but then you have to pull it yourself.
You have to diff it yourself.
Yeah.
So it's, it's a lot of code.
It's a lot of resources and the webhook would be easier.
Yeah.
Yeah.
Although for bug bounty, the thing is, if something is hard,
it's, it is the reason. Yeah.
(12:30):
Yeah.
Yeah, it's true.
Okay.
So you have the automation.
You, you start handing on some new domain that automation gave you.
What's, where do you start?
What do you hack?
A lot of fuzzing.
Probably.
I really like to do fuzzing.
Yeah.
I really like to use waymore.
And these, these tools would give me the historical things from this, this domain.
(12:54):
So fuzzing.
Historic, uh, historic things for this.
I might use waymore or other, other, others tools.
So I really like, uh, I really like to search on Google, Bing, that, the Google and
others search to, I really like site, uh, two points, I think two points, two points
(13:39):
In example, you find a new path.
Oh, probably I need to do fuzz more here.
I, I need, I need to do rec, recursive fuzz because sometimes this can be, uh, can
be a problem to the customer because you, maybe you can turn, turn it all
or off or maybe, uh, stop the server.
This, this is normal, so you need to, uh, for me, uh, the
(14:02):
normal, now it's use low threads.
Big wordlist, fuzzing all the paths, looks for, for good things and after
find a path, fuzz again and again.
And look what bug classes to fuzz for.
I really like access.
Yes, improper access control.
Insecure deserialization, SQL injection.
(14:23):
I have a lot of. For me.
So you have like a one large wordlist with everything?
Yeah.
What, what I can, what I can see on the application, probably I will
test an example, uh, a few months ago I, I saw in PDF reader, in
this PDF reader, I was capable to.
(14:43):
Attach files.
I don't know if you saw this kind of vulnerabilities and I
was able to local file inclusion.
So yeah, maybe probably for me when I found an application, I try, I try to
test all these things on the application.
XSS, misconfiguration, information disclosure, SQL injection,
(15:05):
XSS, XXE.
So all these things I try.
Application and if I have some specifications and
with, and this PDF reader.
So this is interesting and I test all, I, I want to test this, uh, uh, SSRF on
this PDF reader, LFI on this PDF reader.
So what I, I, everything I, I, I, I can see on the application.
(15:30):
I try, I really like it, the HackTricks book.
I don't know if you know this.
Yeah, of course.
This domain, this is really, really good.
Didn't it disappear recently?
Yeah, I don't know because the, the, the URL, the domain is working, but
the Google is not showing anymore.
I don't know why.
Okay.
Interesting.
I don't know why.
Maybe.
I don't know, but the Google is not, is not showing anymore.
(15:52):
But if you have the, the URL, the URL of HackTricks, it's working.
Okay.
Yeah.
Okay.
I don't know what's happened.
Yeah, so your, your wordlist, how many, how many positions does it have?
Oh, probably, I have, I have some huge, uh, wordlists.
The one that you use, just you open an endpoint parameters by default?
(16:15):
Uh, no, uh, the, the wordlist to fuzzing a path in a web application
probably one to two million entries.
Okay.
And to fuzzing parameters, maybe, uh, 300, I think, entries to fuzzing parameters.
An example, I have an endpoint, I, I try to see if it gets, um, if in this
(16:35):
endpoint there is some get parameter interesting and I, I fuzzing again.
I really like it.
x8, this tool, to fuzz parameters is really nice.
I don't know if you know this.
No, I don't.
It's really nice because, uh, for me, the Param, Param Miner is, it's really slow.
I don't know because I didn't have good experience with Param Miner.
So this tool, do you mean Param Miner?
(16:58):
Sorry, my English is very good.
So I really like in my Burp Suite, my setup, I have another
extension called Send To.
Yeah.
And I use it, this extension, to pipe the request.
Just these tools like x8, SQLmap and other custom tools.
I have an example.
I have a custom tool to say as far as application.
(17:19):
So I pipe the request to these tools and it's really good
work with that.
Yeah, but do you fuzz?
You said there is a wordlist of how big?
My, my main wordlist.
Yeah.
An example.
I have the normal wordlist.
Yeah.
If, if I use the normal, the normal wordlist and the wordlist didn't
(17:41):
work, uh, probably, uh, this wordlist has one or two million entries.
And you always fuzz with one or two million entries.
No, no.
Probably give a few days working.
So yeah, I do a lot.
And waiting, do my, do my work and stay where it is.
So you just leave it in the background, don't you?
Yeah, sometimes, yeah, sometimes I'm looking, but I'm afraid to, to, how
(18:07):
can I say, I'm afraid to turn off, it's not turning off the servers of the
customers, but I'm really afraid of that.
So, uh, what I do is look at the policy of the program.
If, if the program allows, you can only do.
20 requests per second.
I, I, I use these metrics to, to configure the fuzzer.
(18:30):
Okay.
So, yeah.
Interesting.
Yeah.
I, I, I know I'm, but it's fuzzing, but, but I had no idea, like someone
fuzzes with such a large wordlist.
Yeah.
I think he, I'm a, I'm, I'm patient.
So I get, yeah, I start the ffuf, putting another monitor and see
(18:52):
working what I'm due to working.
Sometimes I minimize and look there.
Because sometimes you, sometimes, uh, the, the, the program has a policy, you
are in the policy, but the application down and you need to turn off.
Yes, and stop.
You are, you are right because you are in the policy, but the application is
not, uh, good enough to, to, is not capable to deal with, with that request.
(19:15):
So I stopped and didn't test, didn't do fuzz in there anymore because
probably the application will be down and a lot of problems will be happen.
Yeah, yeah.
So this is for fuzzing the paths.
Uh, so then how do you fuzz parameters?
Do you also use a big wordlist to fuzz all the parameters?
I
really like to use a tool called GAP.
(19:35):
I don't know if you know this tool.
I really like the dev from these extensions.
I use it waymore from this guy to get.
More information about to recon and these extensions really good, gap
Burp extension, because with that extension, you can use your Burp history,
uh, an example, all your navigation history with all the path and points,
(19:57):
parameter and the response containing parameters, uh, containing endpoints.
You can use the extension to get all these things and generate wordlists.
This is very nice.
Yeah.
So sometimes when I'm spending a lot of time in some programs, I use
that wordlist to add to my wordlist and do fuzzing with that.
(20:17):
So yeah, the result with this case is, with this case and this extension
and waymore are really good.
Yeah.
Can you send this to me so I can put it in the description for the viewers?
Sure, sure, sure.
Really, uh, let me send this and another, I really like this waymore.
Yeah, waymore.
Very good as well.
It's really, really good.
(20:39):
I really like the tools from this guy.
I give a lot of, because this guy has, uh, Coffee.
Yeah.
Yeah.
Uh, oh, yeah.
Buy me a coffee.
I do a lot of coffee.
Yeah, I give a lot of coffee to this guy because the tools are really, really good.
That's very nice to get to give back to
the tool creators.
Yeah.
(20:59):
Yeah, it's awesome.
Yeah.
So, um, when you fuzz these parameters, do you fuzz for all bug classes at once?
Yeah, I really like to
use Burp Bounty Pro.
I don't know if you know, some people don't, don't, some people
don't like this, this Burp Bounty.
I like because the, the tests of Burp Bounty are more. Because, an example,
(21:24):
the Burp Suite Scanner, it's, I have the feeling it's huge and do a lot of things.
I really like the Burp Bounty because you can create custom templates
and you can create custom rules.
And the rules there and the templates there are really, are really nice.
So, I use a lot.
(21:44):
Uh, this template when I have the parameters to, to find if I
have some SQL injection or XSS.
Yeah.
But I really like to use Burp Bounty Pro.
But sometimes I use the Burp Scanner.
It's not the best option because the scanner for me, it's really heavy.
Yeah.
So, but sometimes I use them too.
Yeah.
You seem to, to rely a lot on Burp and different extensions.
(22:07):
Yeah.
I, I have a lot of extensions and yeah.
Yeah.
I really like to automate my process to hunting, to be, to, to, how can I
say, to have to, to make my life easier.
Yeah.
To be efficient.
Yeah.
To be, yeah.
To be efficient.
An example with x8 in the past when, when I didn't know Send To, I will
send the link to Send To to you.
(22:29):
To you too.
Oops.
Because, uh, in the past.
I copy the request, saving a file, run the command.
So this is really, uh, really slow, but with this, this extension Send
To and the command pipe, you can send it to a Mac terminal and
(22:50):
send to x8, send to SQLmap.
So yeah, it's really, for me, it's really productive.
Yeah.
I use Piper for the similar thing.
So Piper, have you, are you familiar with it?
Yeah.
I think Piper do the same as Send To, right.
Okay.
Yeah.
Yeah.
A few options as well.
Oh, it has, uh, sometimes you can also have like inside the Burp, you can like
(23:12):
have commentators or, uh, which means for each request that matches particular,
uh, criteria, you run some command and then the output of this command is in
the comment of the request in Burp.
You can also have the message viewer.
So when you have like pretty, raw, uh, I don't know, GraphQL
hex view in the request.
You can also have some output of a command.
And you can also just do, do, do what you say, send it.
(23:35):
And it's very efficient when, yeah, it's when something just automatically
gets run in the background.
It's so nice because you don't have this time, copy, paste.
Yeah, you do what you need to do and the things are working automatically.
So, yeah, yeah, it's awesome.
I need to test Piper.
I think I remember today.
I don't know, I didn't remember who was, who was it, but it's very powerful.
(23:58):
It's very open
and you can do so many things with it.
Yeah.
Uh, I'm, I'm using, uh, Send To because I, I
remember to see the extension.
Yo, this is, this is awesome.
I need to use that.
And now it's.
It's the normal to me is use that.
Yeah.
What other extensions do you use?
Uh, let me check here.
I have a lot of, this is my, my work.
(24:21):
I really like this extension.
Wsdler, this extension.
I don't know if he,
Oh, the, I dunno how, how to. It's WSDL, is, is some type of format, isn't it?
Yeah.
It looks like, looks like an API format.
Yeah, and you can, and you can send the, uh, the, the WSDL to the extension
(24:46):
and they will give the request to you and for create the request and
you can only send to Burp to test.
Yeah.
Because some.
Some XML, uh, API are really hard to create the request.
It's more difficult than Swagger, for example.
So I really like this extension.
I really like the Flow extension.
(25:06):
I don't know why, but I really like this extension because. What does Flow do?
I'm not familiar.
Flow is the same as, let me, let me open a new Burp Suite here.
I really like Flow because it's, uh, there is Logger but I didn't, um, I'm
not familiar with Logger. So I use Flow to get the request for an extension.
(25:28):
So, an example, I really like the extension Reflector.
This extension is really good to get some XSS.
So, but sometimes it doing a lot of requests.
I didn't know what is happen and with Flow extension, I can
see the extension requests.
So I really like it.
Flow.
This is, this is why I like it.
Flow.
(25:48):
Yeah.
So an example of gap I showed to you.
With all this really good in what we can do there.
The Burp Bounty Pro, I have the license, I paid for the license.
They support Eduardo, I think Eduardo is a great guy too.
Created this, this great tool.
Uh, I really like this extension, Burp.
(26:08):
JS Link Finder.
Because when you are, I don't know if you know this extension.
Uh,
link finder, yes.
But yeah, but the one in burp, isit some kind of wrapper around it?
Uh, uh.
I don't know.
Does it call link finder CLI to under the hood or is it something you
let me?
Yeah.
JS link finder.
Yeah.
Okay.
Okay.
Yeah.
It's, it's really cool because you are, uh, testing the web
(26:32):
page and loading other page.
And this extension, it's using regex to get some endpoints and
some good stuff from the JS file.
So it's really, it's really awesome.
Use the extension.
Um, I sent to you Reflector, gap.
Yeah.
The Burp Bounty, Flow, the Deserialization Scanner, I use a lot.
(26:52):
Logger++, I use because it's necessary on a HackerOne pen testing.
Because you need to have, you need to auto save your pen, your log.
Because it's important to have it installed this.
Okay.
Because of the testing.
And this guy works.
One or two times with me.
So I have this extension too, to test
(27:13):
It maybe sometimes work, maybe sometimes not.
It's curious because, uh, my first bug was with this extension different.
It was, uh, uh, it was a remote code execution, but it was fun because
it's a program with a large scope, and I use this extension in the.
The main page, because the main page are a blank page.
(27:36):
When I use this extension, you see the headers here.
Which extension are we talking about?
Uh, sorry?
Which extension?
403 Bypasser?
Yeah,
403 Bypasser.
So, it worked only one time, but this time we're so happy I have the extension here.
Because with this specified header, I was capable to access the application.
(27:56):
The application, before the application was only a white box
page with this header.
I was capable to access the application and all the application
with the CVE for remote code.
Yeah.
So, so I have the extension too.
Yeah.
That's cool.
Yeah.
It's a lot.
You seem to have like your, some people, for example, um, the
last, the last podcast that was published was with, uh, RemyPack.
(28:21):
He seems to have like his center of hacking in the browser.
He has like JavaScript bookmarklets and trying to be able to do
everything from the browser.
And you on the other hand, you have like your Burp, all the extensions too.
So this is like your center of, of hacking.
Yeah.
Yeah.
But I, but I really like hacking in Google Chrome because of an example,
(28:41):
I have this Chrome for my, my personal stuff and this Chrome better
Chrome to only use it with work.
And there I, I, I really like this version because, um, I really like
using work to hack because the dev tools are really good.
Uh, I really like the, these options because sometimes, uh, when you have some.
(29:04):
Uh, apps.
You can debug the app using the dev tools and you can override the books.
The Burp says, give this name overriding, can change the JS and changing there.
You have different response in the, in the single page application.
And with that, sometimes you can bypass.
Auth in the front end, auth, and access all the application and understand how
(29:27):
the API is used by the application.
So yeah, I use a lot.
How
about browser extensions?
Do you also have as many browser extensions as Chrome as Burp extensions?
Oh, let me.
So I didn't have a lot of browser extensions.
I have this extension because it's good.
What's the name?
(29:47):
gitch.
It's only to find.
Uh, when you have oh, slash .git slash. Yeah, because sometimes I, I,
I, I just use nuclei a lot because nuclei probably will show that.
Yeah.
So this is a, a really good, you can find some good stuff here to
get source code and tokens and something when you, when you have a, a look
at a look at dot git. I use this extension for my blind XSS.
(30:08):
Yeah.
This is a really good extension.
I dunno if you know that.
No.
What's the name?
I, I have all my.
Blind XSS payloads here.
I didn't know the name and it's, uh, blind XSS manager.
Okay.
Interesting.
Yeah.
Because I have my blind XSS payloads here.
My domain gives you in the history with the page and where I use the payload.
(30:29):
Oh, that's very nice.
Yeah.
It's really good because when you saw the blind XSS, yes, you
didn't know where you are sending.
So this extension really good to, to manage my blind XSS.
Yes.
For blind XSS, what do you use as the, I
use,
I
think, uh, let me see.
Is it XSS Hunter?
(30:51):
Yeah.
Yeah.
XSS Hunter.
Let me see, self hosted.
I only self hosted this.
Let me see if he's, yeah, this guy, the pre cut ad, but I use this guy.
It's really good.
I didn't have any problem.
The only problem I have with this guy was sometimes, uh, the webpage are so huge,
(31:13):
so huge, and when the, the request are trying to upload the, the, the screenshot
to the server, we have this problem.
So I need to change the Node.js limit size for the file.
Yeah.
Yeah, maybe, maybe I lose some, I lose in the past some, some blind XSS for that.
(31:33):
I don't know.
I didn't remember if
So Truffle Security, uh, took over, bought this extension.
So now they, I think they maintain it now because I think the original
maintainer sort of stopped supporting it.
Oh, okay.
So this is the, the new extension.
Yeah, yeah, but it's still the, the version that's hosted by
(31:56):
them is a little bit limited.
Okay.
So if you want to have full functionality, you have to self host it.
Okay.
Maybe I use this express.
I don't know.
Yeah.
I use that.
I use that because I remember.
I think it's
the same.
Yeah.
I remember because there is this Docker config.
Yeah.
I remember to, to.
Okay.
Yeah.
I remember to change here and because I changed from, uh,
(32:18):
email to discord notification.
There is a, there is a pull request here.
Uh, change here at these Discord and Slack integration.
Yeah.
So this guy made this all the work for me.
So yeah, thank you.
Adam G yesterday.
Yeah, very nice.
Yeah.
Yeah.
You're amazing in terms of how many tools you use.
(32:40):
You like, especially that now I'm now in the moment where I
feel always, I don't fuzz enough.
I don't use enough tools.
I mostly hack manually.
And I only sort of fuzz something.
If I have really big suspicion, something is there.
And I think it's my big problem that I don't, like, blindly fuzz so much.
I don't brute force paths so much.
So it's really nice for me to see, to see you, speak with you, to see, like,
(33:00):
how many, how many you can actually use, that you can have a brute force that's
running for a few days in the background.
Yeah, because you, you turn on and for using low, because
the use of memory of ffuf.
Uh, it's increasing.
When you have huge wordlist and use the command minus E
(33:21):
because you have more extensions.
And I think, but probably ffuf, uh, added to the memory.
And your wordlist with your extension.
So this is the real, it's your memory.
So I try to use, I try to use not a lot of, yeah.
And, uh, when you, you can test that when you have a lot of instance of running,
(33:43):
you can, you didn't use a lot of memory.
So yeah, it's, it's a really good tool.
Yeah, do you, do you run it from your local computer or from a cloud?
In the past I have a history by and I use that for, for, for that, but today now
because in the past I have my, my home IP address blocked on, uh, Akamai, I think.
(34:10):
An example.
Yeah, I was capable.
I wasn't able to open TikTok.
Because TikTok uses Akamai and I was able to see TikTok on some other web page.
I need to call the provider to change my IP address.
So, yeah.
Uh, so now I, I really like these guys.
(34:31):
I, I always recommend it to, to all because they are, they have the
dedicated servers with a cheap price.
Yeah.
Can you send me the link as well?
Yeah.
Yeah.
So, uh, I really like these guys.
Um, let me send it to you.
It's not only Amsterdam, but it's not only Amsterdam servers.
But other servers are, are good.
(34:53):
So an example I have, I have my server running.
The, my SCO has, uh, I think it's 64 memory honey.
It's, it's really cheap for the price and, and the config I have.
So I have a lot of memory.
Memory.
And for a cheap price, maybe $20, $30, yes, for that.
(35:14):
Good, nice and unlimited, unlimited traffic key and
one, one gigabyte connection.
So, yeah.
Yeah,
it's really good.
So I really like it.
These guys, they are really cheap with good servers.
Yeah.
Yeah.
Okay.
So you have your automation, you have your tools.
So what bugs do you find most commonly?
(35:34):
Probably,
I find a lot of bugs, but probably, uh, a lot of improper
access control bugs.
Yes, when I have the opportunity, because when you have access to a scope with
legacy scope and scope without WAF. What?
Yeah, probably SQL injection has, has.
(35:55):
I remember seeing a lot of SQL injection.
Yeah, still today.
Yes, still today.
A lot of SQL injection.
SQL injection on HackerOne.
So a lot of problems with WAF too, I was able
to bypass some WAFs in some cases.
I remember seeing one case, it was really, really strange because
these guys used a different
(36:18):
type of database.
There is no support in SQLMap for this database, it's an IBM mainframe.
So what's, what's, yeah, what's really insane.
Yeah.
What's really insane is SQLMap was not working there.
I needed to write a custom Python script to, uh, make those blind queries.
(36:41):
And with these blind, blind queries to the database, I was
capable of getting the database name.
Okay.
Nice.
So, yeah.
It's awesome.
Uh, you need to, uh, probably spend time, that's the thing with bug bounty.
You need to spend a lot of time and be patient with the fuzzing,
(37:01):
for example, because the fuzzing is running for days, a few days, because you
can't, uh, turn off the rate limits, probably this will, uh,
generate problems with the customers and probably the server will go down.
So low fuzzing, fuzzing with a low rate of
requests, fuzzing a lot of different hosts, and be patient and
(37:23):
have, uh, have, uh, go constancy.
Is that right?
Yeah.
Consistency.
Consistency.
So have constancy, every day when you have free time, do it, and probably
you will get good results.
Yeah.
How do you, but because you said broken access control, which,
I think of access control as the bug which is quite hard to, like, fuzz.
(37:44):
It is more, at least in my head, like manual testing.
So how do you, do you?
I really like to use Autorize.
Okay.
When, when, because I'm doing fuzzing.
Uh, and, uh, you said about fuzzing and broken access control, right?
Yeah.
Uh, I do fuzzing to get more paths and more applications, and when
I get access to more applications, because the application is probably
(38:07):
not visible to all the other people, you have access to old login
systems and old systems, and there,
in this application, you are capable of finding a lot of improper access control.
Yes, basically just manually for them.
Yeah, yeah.
Because, an example, you have this domain, the path, and in the path,
this strange path, you have access, you have a system with the login.
(38:30):
But if you fuzz it again, you have
access to other paths of the application, other paths.
And you can find a lot of broken access control there.
XSS, SQL injections.
So yeah, you need to spend time doing fuzzing.
So how would you describe your normal day?
How much time do you spend running tools versus manual hacking?
(38:52):
Uh, because running tools is so fast.
I only see the endpoint, get, get, uh, the URL or send it with SendTo, or get
the endpoint, send it, create the command and, uh, use the command on the cloud and
wait, and spend time testing the app.
Because I was testing what I can see on the app.
(39:13):
An example, I was testing the app and I saw a lot of functions, a lot of, uh, a
lot of possibilities in this application.
I will test everything.
Every single part of the application, every piece of this application,
to understand how this works and what I can see, and the fuzzer,
it's running, and I was looking at the fuzzer and maybe
(39:34):
there is something interesting here.
I do fuzzing on APIs too, because sometimes you are capable of getting
Swaggers and other important things if you fuzz and get a Swagger.
Swagger, you can't stop because you have all the API endpoints.
So, yeah, I do a lot of fuzzing.
Yeah, so, how do you send requests directly from
(39:56):
Burp to your cloud instance?
Yeah, in this case I need to work on a way to, I was thinking to
create a Python script to send the request directly to my cloud.
But today I copy the URL, an example, generate a fuzz command
and put it in my cloud.
I use screen to, I don't know if you know the screen software.
(40:18):
No, it's a software on Linux and you can, uh, there are a lot of servers here.
So I use screen a lot.
Let me see.
Is it like backgrounding a terminal or something like this?
Uh, sorry?
Putting one terminal in the background and the other in the foreground?
(40:41):
Yeah.
Oh, there's a lot of fuzzing right here.
Yeah, I see.
Yeah, so with screen, I was capable of opening a new screen.
And here I run ffuf.
After that, I press this and a new screen is running.
So I do that.
It's manual work, but I was working to automate that with Python too.
Yeah, yeah.
(41:01):
Okay, that's cool.
Yeah, that's nice.
So much, so much I would like to do.
Yeah, I really like it.
There are other tools like nohup.
I think, uh, nohup.
That's the way I use, usually nohup.
I didn't like nohup because it makes it run in the background and
you can't see the screen running.
(41:23):
I think, oh, I don't know how to
put it to a file.
So you have to, like, tail -f the file.
Yeah, yeah, yeah.
But that's what I use when I use something.
So maybe screen works well for me because, an example, nohup, it's
running and you can stop, you only stop nohup if you use ps and kill the
(41:44):
task, but in screen you can access the screen and if it's running I can
press Enter and see if it is paused.
Yeah, that's nice.
I should probably switch.
Yeah.
So.
So it's a more advanced version basically.
Yeah.
Yeah.
So I really like using screen to generate all my terminals on the server.
Yeah.
Yeah.
How about, um, because XSS, it's
(42:06):
also that much problematic that it's, I think, harder to detect with a tool
because, yeah, you can just look at the response, but the only, like, proper,
proper way to detect something is to have, like, a tool with a headless Chrome.
And this is heavy.
So do you use headless Chrome or do you just use some kind of...
For DOM XSS you are talking about, right?
(42:28):
For XSS.
Yeah.
Yeah.
For XSS.
I really like this guy.
Okay.
But always, so, the Reflector extension.
Reflector is really good.
But always I'm looking at Flow, because Flow has this, this thing here, reflecting.
Yeah.
And with this you can see the parameters that are reflected in the page.
So with that, um, probably there are some good things here.
(42:49):
But every time Reflector is working in the scope and sending requests and I'm
looking at that and looking at the issues.
The issues have a vector created for doing XSS.
I really like using, uh, the Burp browser.
I didn't use the Burp browser a lot because sometimes
(43:12):
browsing in these browsers is somewhat problematic, I think, but I really like doing Intruder.
So it's really, really awesome to do XSS because I grab
this canary, this canary.
Yeah, put it in the URL and look and do Intruder.
If you're doing it, very good, alert. Oh, probably there is a DOM XSS here, but
(43:32):
I really like to look at the JS and look if I have some possibilities in the
JS to get, to get some DOM XSS.
Yeah.
Yeah.
So I use Reflector.
I do a lot of parameter fuzzing, use SendTo, or I have these
extensions and SendTo, SendTo.
(43:52):
I select my programs here, XO, XH, SQLMap, SeriousForce.
So,
yeah.
I also saw you have a repository on GitHub with Tampermonkey scripts.
Do you still use it a lot these days?
That repo wasn't too fresh, I have to say.
So, yeah, I really liked to use Tampermonkey in the past, but
(44:14):
it's because I didn't know about, I didn't know about the DevTools
and how this works on Chrome.
So now you just use overrides in the DevTools.
I don't use it a lot today, but yes, the Tampermonkey
scripts are good because you can change the app at runtime.
And with that, maybe you can access other pages of the application.
(44:34):
So I really like that.
But now using the developer tools in Chrome, it's more, it's better.
Yeah.
Uh,
so, another thing I really like to do, it's, uh, because, uh, when
I started doing
(44:57):
hacking and some things, I really liked to see how these PHP apps, uh,
work, and how the PHP apps work.
And it's really fun when, an example, when I have a local file inclusion
in PHP apps, because with that you can find the source code of the
app and you can look, oh, probably here there is a way to get remote
(45:17):
code execution or upload a PHP file.
Or deserialization in PHP.
So it's really, I really like code review.
But what I do sometimes in some scopes is, an example,
I have this program with a large scope, I find some apps in this program.
(45:38):
I search the paths of these apps using urlscan, because there
you can search only for the paths, and you can find
other applications with the same path.
So, probably this application is, uh, it's hosted by this client,
but the code is not from this client.
(45:59):
And sometimes you are capable of getting the source code on the internet
and you are capable of reviewing the source code.
So I really do that a lot.
And it's really good.
Yeah,
yeah, it's nice.
I don't know if it was you the other day here telling me about it or somebody
else, but yeah, I didn't use it.
And it's the second time somebody mentions it here.
(46:20):
Yeah.
Uh huh.
I really like to do that, because sometimes you
are finding zero days, but not in really popular software.
You are looking in that software, used by some company.
Yeah.
Yeah.
That's nice.
Yeah.
Okay.
We'll now talk a little bit about LHEs.
Okay.
Did you attend, you said, you said you attended four LHEs in the
past, I think five, five times.
(46:42):
Yeah, I remember LHEs from Amazon, AWS, PayPal, Zoom.
So I think probably live hacking events are
really hard because you have a lot of good hackers together,
uh, testing the same scope.
So there are a lot of dupes, but for me, probably live hacking events are best because
(47:06):
I have some friends together with me, so I have F6X, Amsda, I say Amsda, but
A M S D A, so Manuel, T, Herrera, Caio, uh, so Amir, so these guys
together with me, we work together, we can do a lot of things.
That report, uh, with the remote code execution,
(47:29):
that scenario, it was together.
A lot of guys working together to get that.
So
do you work as one big group with so many people?
Yeah.
When, when, uh, the Brazilian guys are together,
we work together, and we all agree to share the bounty.
So, yeah.
So it's a report like a six-way split.
(47:50):
Yeah, sometimes six, five, five-way splits.
So, yeah, I'm okay because, uh, in most of the cases, we
earn a lot of money and we stay okay.
I remember an example, for me, an example, for me, $20,000 is a lot of
money, but together, uh, together, I remember all the guys made, uh, a
(48:11):
hundred, a hundred thousand dollars.
So five guys made a hundred thousand dollars in the event.
So.
Yeah, for me, it's good, probably because if I stay alone,
I will not perform like that.
So for me, working together in live hacking events is really important.
I think you're the biggest team because I think there were some teams in
(48:34):
the past, but these days I feel like most people, if there are teams,
there are teams of two, maybe three.
I'm not aware of any other group that sticks with so many people.
Yeah.
Cool.
Yeah, so this case was five, last year was three, me, F6X, and Amsda,
because only we were invited.
(48:56):
So yeah, when all the guys are invited, we do it together.
When not, it's okay.
We do it with the guys we have.
Um, I, probably the Brazilian guys like to work together and I really like
it because they are really skilled guys, because they are guys with
(49:16):
really good skills and probably we complement, we complement each other.
So yeah, that's a nice strategy.
Yeah.
Did you ever have problems with managing such a big team?
No.
I don't remember having problems, only, only good bounties.
So the guys are really, are really nice to do.
(49:36):
A lot of, they, they are really friendly.
Do you change your hacking methodology a little bit when working in the team, or is it
exactly the same as when working alone?
So when we are working in the team, probably I do a lot
of fuzzing and recon and get all,
uh, the good information about the scope and send it to the team so we work together.
(50:00):
So, uh, I really like working to get some good information.
Good, good information about the scope.
Uh, an example, find some legacy application, some
good applications to test.
An example, probably this application I find here is good.
Maybe you can spend time here fuzzing, here and there.
So, yeah, I remember doing that with some guys in the past and we found a
(50:23):
lot of zero days in applications and sent them to the live hacking event.
So I remember sending a vulnerability in a hurry, uh,
maybe it's missing, maybe, uh, the submission will close.
The submission will close in 30 minutes.
The submission will close in 30 minutes.
(50:45):
I think we found some good vulnerability leaking
a lot of PII, we sent it and the team paid, I think the team paid 50,000.
It was really awesome.
It was really awesome.
So, yeah, it's really good working with these guys and working together.
We really find good, good vulnerabilities together.
Yeah.
Do you physically go to the same location to hack together or is it mostly online?
(51:09):
So,
uh, when you are, uh, because live hacking events have two steps.
The first step is, uh, before the presence here.
And after, after the virtual, you have these guys together.
So sometimes we work together in a Discord call and hack, but
there are async moments when you send, oh, there is something good.
(51:33):
We created Telegram groups to talk about that.
But for the virtual phase, you did not try to, I don't know, rent a
hacker house or something like this?
Yeah,
there is a problem because we are far apart in Brazil.
It's really huge.
So I work in the north.
An example, I work in the north.
I stay in the north of Brazil.
F6X, uh, in the south of Brazil.
(51:55):
But now in the northeast of Brazil.
So all are from a different place.
Yeah.
I saw a few maps of Brazil that really show the scale.
For example, the most northern part is closer to any other country in
North and South America than the southernmost part of Brazil, or the other one.
(52:17):
The easternmost part of Brazil is closer to the other side of the ocean than to the,
uh, westernmost part of Brazil.
It's huge.
Yeah.
So imagine, uh, from even the north of Brazil, really near the top of Brazil.
And we don't have direct flights from there.
So I need to go to the south.
(52:38):
And after that, go.
An example, we are going to Atlanta, so I need to go down to São Paulo
and after that go to Atlanta.
Yeah.
I spent, maybe, uh, from my city to São Paulo, I spent
four, five hours on the plane.
And after that, nine hours to go to Atlanta.
Yeah.
Yeah.
Yeah.
Which of the four or five live hacking events, which one was the best?
(53:01):
Um, um, I really liked the, um, the live hacking event with the five guys,
because it was really, really good.
Um, the last year was really, really good because I saw a lot of good
vulnerabilities with Manu, with Amazon.
(53:22):
Sorry, with Amsda.
And F6X, we were capable of sending good vulnerabilities, but I really liked the
last year, I think it's 2023.
Yeah, 2023, because it was five guys together and some
good bugs were sent together.
We sent a lot of bugs at that live hacking event.
So it was really, really good.
(53:44):
So I really liked these two years.
Yeah.
Probably the first live hacking event I was at
was not, was not my best performance.
So together with these guys, I really increased my performance.
Nice.
Uh, we'll, we'll, uh, we're closing in on the, on the end of the episode,
as I have flights today.
(54:07):
Um, but before we go, what are your plans for the, uh, rest of 2025?
Uh, so my plans are improving my recon automation and spending most of my
free time doing bug bounties to save, um, a lot of money and build my house.
This is what I'm doing.
This is what I'm doing.
(54:27):
I'm, I'm building my house, building from the ground.
Yeah.
So I bought the land, I bought the land.
And I contracted some company to build the house.
Yeah.
So we are building the house under contract.
I tried to draw, draw the house, think out this thing.
(54:50):
So, yeah, but it's cool because, uh, if I think about it,
HackerOne has paid for my house.
It's true.
It's true.
I wish you good luck with this.
Thank you so much for joining me for the podcast today.
Thank you so much for inviting me.
I really, I'm really happy with that.
Lovely.