Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Making it to a live hacking event is already a big accomplishment, but my guest today, Doomer Hunter, not only made it, but on all three events that he attended, he achieved a top 10 finish. So clearly he has some good methodology to find crits on well-hardened targets. So we'll dive into this in this interview. Hello, Victor.
(00:21):
How are you doing? Can you please introduce yourself to those viewers who don't know you yet?
Hi Greg. Well, first, thanks for having me. It's so cool to be here in Poland, in Krakow. So I really enjoy it. And thanks again for the tour yesterday. Uh, yeah, I have quite some of a specific background. So basically I was not into IT or into cyber. I was into the pharmacological industry.
(00:42):
I have even a master's degree in marketing.
Oh,
and, uh, it all switched when, um, well, COVID hit. Thanks. And, uh, the job I should have had in North America and Canada was frozen. So I was left with no other options. And I was wondering to myself, Hey, this bug bounty thing seems a bit cool. And I'm starting to make a bit of money with it.
(01:03):
Could I make a living out of it? And so, yeah, I decided to switch full time into cyber, uh, offensive security, and I got a small first pen testing job at a local firm and met the guy who became my future partner. So we started our own business, uh, and it was a pen test writing in company.
(01:23):
We did work together for three years, brought the company to 1.2 million euros, I think, in turnover. So really nice, uh, stuff, had good clients, did physical intrusion, you know, physical pen testing. It's awesome. And, uh, on the side, we did also bug bounty hunting because as a small business, it was like a cool, you know, um, front. For you to say, okay, I'm performing in the real world on hardened targets.
(01:47):
And so that's how we started getting to, you know, more competitive events, such as the first AWC, the world cup that we won with the French team in 2022. And, uh, then we're all starting to get into live hacking events. I sold my shares of the company to my partner this year. So I'm back into full time bug hunting entrepreneurship.
(02:07):
That's pretty much what I do now. Bug hunting, I do a bit of AI on the side. Uh, I do corporate talks also. I'm invited by various companies to give cybersecurity talks across Europe. That's pretty much it.
So how much time did it take for you to get into cybersecurity from the marketing or from the pharmacy background or whatever it is?
That's why I lied a bit because, you know, hacking was always the
(02:31):
thing that I really wanted to do. Yeah. But I come from a family that is into, you know, health. They are mostly health practitioners. And so I was more, you know, inclined to do that as a real job. And I didn't think that it was possible to get into the cyber route. And I thought that pentesting was reserved to kind of elites, you know, some few people. And, um, so I did a bit of hacking on the side.
(02:52):
I remember buying an old book called The Art of Exploitation by Jon Erickson. Yeah. So it's a really old book, but it still gives, you know, a first hands-on approach with a live CD. It was so good at the time. And so I practiced a bit during, well, my university years, because I'd enjoy doing some CTF on the side and so on. And one day I had a friend, I was maybe in my third year of uni.
(03:14):
And, uh, well, so she had a loan, you know, to pay her studies, her private school. And well, sadly she started like, um, buying stuff with the money from the loan. So when September came, it was like maybe June, she didn't have enough money to pay for the next year. So what do you do at that point when you don't get much money, you want to help
(03:37):
your friend and don't have like an actual job that makes that amount of money? Well, you take a look at your skill sets. Say, okay, I can do Hassam hacking. Can I make money hacking? Can I make legal money hacking? What's the boundary? Oh, Oh, that was a nice amount I can make. So yeah, that's where I landed my first crit.
(03:58):
I think maybe you did some free Kon, uh, on SEMrush at the time. And so he managed to cover the costs and get back into it. Then once again, I put it back into the closet because I thought that no, man, I'm in a health career and must not, like, ruin my future health career by doing cybersecurity.
(04:18):
And then when I decided to really make the switch, I had like a little background, you know, a couple of skills. I knew I could land some small bounties, but I decided to really prep. And when I took the decision, maybe in, in May 2020, I thought to myself, okay, in September, I've got my job. So I've got five months to get ready.
(04:39):
So I just took everything that, that, uh, that I've already had and sought what I would call quality content to really grow. And so I first went to, uh, Louis', uh, PentesterLab because, uh, I really love the approach, the hands-on approach. And he's one of the few guys that really teaches you to, um, actually deep dive into the source code with such an accessible
(05:00):
platform and high quality contents. And also forces you to, like, understand how it's going, um, dissect the CVE, write the exploit code. And I did like maybe five or six badges that he had at the time. Just to feel comfortable and, you know, proud of myself, and also set up the certification on my LinkedIn profile because I did not have
(05:20):
enough money to pay for the certs.
Yeah, that's a good way.
And then I did the thing, the full, um, OWASP Juice Shop, which is also, I think, a cool, um, you know, way to, uh, go into like, so the real world web applications, and then I got into a small bug bounty platform in France, which is called Yogosha because I didn't know any better at the time. And so I'm making some, uh, some, uh, some more active bug bounty.
(05:43):
And that allowed me to transition, you know, correctly.
Now let's skip to, to the present time after quitting the business, what made you choose the life of a full time bug bounty hunter?
Freedom. Um, once you're used to entrepreneurship, you're used to producing value for yourself directly.
(06:04):
Yeah. And you're used to, well, valuing your time and your efforts based on your skill sets and how you bring added value to the real world and to the companies. And so once you have tasted that and you feel confident enough to be alone and stay by yourself, honestly, it's very hard to go back to a classic job.
(06:25):
It's a one way ticket.
Exactly. But it comes with a lot of costs and a lot of responsibilities. But, uh, I had like the money from my shares, money from my personal and professional bank accounts. So I could finance, you know, taking the risk of going back to full time bug hunting. And also, let's be honest, uh, when you start to perform a bit well on
(06:46):
bug hunting, you do make a lot of money and that allows you to open more opportunities for yourself in the future.
So I was in a position where I had, like, I think a good network flowing from my, my business here, had a bit of money in the bank, could make more with the, the bug bounty parts. And if you take all that by itself, you've got potential, then you've got
(07:08):
to make this potential grow by building new things, keep building your network and then keep making money. Yeah. So freedom and all the opportunities that it brought was like why I chose to, to go along this path.
And also, if I understand correctly, you do use bug bounty as sort of the, the way to grow your personal brand and to, to also, it also sort of fuels
(07:32):
the, the trainings that you give and, and other things that you do. So, you know, whenever you find a bug, you're not only getting the bounty from this bug directly, but also it builds your personal brand, which, you know, grows and grows forever. You know?
Yeah.
Back in the days we used that as, of, kind of a front for our business because as a small company, it was really helpful, you know, to legitimize yourself as, Hey, I was able to
(07:53):
find a bug on X, Y, Z big company. It gives you like, you know, this legitimacy and, uh, yeah, now that it's all just by myself. Yeah. It's still a pretty way because I still have like a small audience in France. Um, and it still shows that you're active, that you are indeed, you know, a real hacker. And I think it doesn't only like, it's not only useful for the audience.
(08:16):
It's also used to comfort yourself. Think, okay, I'm still a hacker. You know, you still can force your, your imposter syndrome or your ego, whatever you want to, you, you want to call it. And yes, it's also a way to, um, grow a bit, um, the business part, because when you, when you, for example, when I give, um, cybersecurity talks to companies and corporate, when they are looking for speakers, they
(08:39):
are looking for what they consider, you know, special people. So often there will be like high level athletes, you know, people from the government, ex special forces and so on.
Yeah. So you're here, you know, and so it, it helps you legitimate, you know, your, your presence even though, uh, I feel, I still feel uncomfortable presenting myself, you know, in
(09:01):
front of people, but sometimes you gotta do it just so that people, Hey, he knows what he's talking about.
He seems to know what he's talking about.
Yeah. And it's a good way because a lot of bug bounty you can speak publicly about. So, you know, you can be the best pen tester ever. All your reports are confidential. You cannot, you know, share the findings from the pen test. Even if you try to write it on the blog, you have to redact the company name.
(09:25):
And, you know, it doesn't sound as well when you find a good bug in bug bounty. You know, Oh, I hacked Microsoft. I hacked Google. I hacked, it just sounds nice.
So when you hunt, what is your hunting style? What are your favorite bug classes?
That's a, that's honestly, it's even a, what I consider a weakness on myself that,
(09:45):
um, I remember, I think it's Justin from Critical Thinking who, um, shared, you know, his, um, his roadmap to, okay, if I had one year to make a hundred K in bug bounty, how I would, like, you know, uh, invest my time during the different steps. And I think one of those first steps is getting, um, comfortable with access control bugs.
(10:07):
And when you get inside the, when you, when you start your own business, of course, you have to be someone technical because you have to run the business and technical part of it. But then you start to, well, not be that much hands on the technical and offensive part of it, but more on quality management, control, sales, marketing, and so on. Everything on the side. And I felt that I
(10:28):
was kind of trapped inside that, you know, comfort zone of being okay. I'm pretty good with access control. Yeah. I think, uh, like I'm made a lot of money with access controls because it's easy to find, it's repeatable. And I love hunting for them because often you get like very high impactful bugs. And that's where, where I stayed for a long, long, long, long time.
(10:49):
So yeah, it's still my pet peeve. I know that if I'm going on a new program, first thing I'm going to look for is access control bugs and logic bugs, because I love that. But then you start going outside of this comfort zone. I started to go more into business logic bugs, which are often, you know, more hidden and less covered by modern security tools, such as SAST and DAST. When you know that, let's say that you have an IDOR.
(11:11):
Okay. You just increment a number. Well, once the issue is known, if the developers take some time to make unit testing, you can pretty easily test the fact that, okay, if I increment the number, then the result of the test should be 403 Forbidden. Yeah, but then business logic bugs are way more hidden because it's nested inside like multi-step workflows and you cannot test all of the
(11:31):
possibilities of these workflows. And so you still find these issues. And I think it's all still easy for me to find. And it's also hard to come up with a source code scanning rule to detect business logic because there is, there's no template for it. It's just, you know, every single code can have different logic, different rules, different bugs in it. So, um, so that's why I think these bugs will be with us for, for longer
(11:57):
because, you know, obviously scanners are getting better and better. Frameworks are doing stuff like automatically sanitizing the HTML. So there's less XSS, but bugs like this, they're not so easy to, to, to fix or to detect at scale, I think are the ones that will be with us for a long, long time.
Yeah, they will. They will. You cannot have a bug free, like, 20 step workflow.
(12:18):
It doesn't happen in real life. And, and even there, we are just scratching the surface. Like, I don't know who made the talk a couple of years ago about, you know, everything second order on the server side. It was a really great talk and even if you take like your five step workflow of buying something and start to mix up some parameters, add some parameters
(12:38):
that shouldn't be there, add some IDs that are not matching, et cetera. This is like only the top levels of this bug. And we often miss like the second order bugs. Like, I don't know, if you start to buy a TV and you put the insurance of a phone on it, will it work? But will it work if you, like, create a custom insurance policy? Like what happens deep down, you know, further steps beyond, that's
(13:01):
what really scratches my mind. But bug hunting, black box testing, we don't have access to the source code. And there are so many issues, hidden surface, not being covered in it. And I think that's why we should spend more time fuzzing.
Yeah. And also that's, you know, we are never sure how many different flows we didn't test. Cause you know, I had a talk with, with Jonathan in Edinburgh that, you know,
(13:24):
if you have, let's say Amazon, probably shipping from one country has a different code to handle the shipping to another country. Who has tested 200 countries in the world? Probably not even him and Zeeshan on Amazon in their six years. So on many programs, we just have a lot of code that we never touched, but I think GripMe has an interesting approach.
(13:47):
So GripMe is the one doing the notes for the Critical Thinking bug bounty podcast. And he's also Rhino's mentee, a very cool guy. Yeah. Very crazy story. Uh, got into bug bounty like nine months ago, did the two LHEs here at Vegas and Edinburgh. Very cool guy. He, by the way, he, he quit the work this month to be a full time hunter. And he has been very successful.
(14:09):
And when talking with him, he told me that his own methodology was trying to be more comprehensive, building his checklist of what could be the most impactful for the company, and then really try to assess all of these vectors. And so he is indeed trying to be more methodological and trying to build a comprehensive way to like really test the application, but through the lens, if I
(14:31):
understood correctly, of his perspective of security model and what can impact it. And I think that's a good way, you know, to ensure that you have more coverage.
Yeah. Yeah. That's a good way. And there's pretty much, there's no, no border to it. There's no boundary to that, because there's just so much different possibilities everywhere. And that's the, uh, the overall answer to, well, new hunters like don't,
(14:53):
that don't want to hack on public programs and each year there are thousands of bugs, millions of dollars being paid to different hunters. I think once you are new to bug hunting, you have something that is called being naive. And being naive allows you to explore with a fresh view of the program.
(15:14):
When you start to hunt, you have your spider sense, you know, you've got your instinct, you trust your guts and say, okay, this smells bad, I'm going to hack it. And you're hacking it and you find issues. That's, that's cool. You're starting to get trapped into your own routine, in your own way of things, seeing things. Whereas a newbie, who is very naive, doesn't know that this is not going to work.
(15:35):
This is not going to work because he's going to test it. And by testing it, he's going to find these issues in the spots that you, your blind spot that you never tried. That's why it's very cool to hunt with, like, very new hunters because they are going to test everything, they are going to find those little tracks that you would have missed.
What are your, your top tips to, like, uncover parts of the application that nobody looked at?
(15:56):
Well, when I, um, start hunting on the, on a program, the, you know, I, I told you that my pet peeve was using, uh, was working on access controls. So when you want to uncover more access controls, you've got to unlock more features. And what I think to myself is even when I think that I've covered
(16:16):
the whole application, I always consider that I've missed something. And by keeping, and keeping the grind on it, like trying to test all the damn features everywhere, everywhere, everywhere. That's how you start to understand the, Oh, I missed that workflow. And then you start to understand like, okay, there's way more hidden features because nowadays UIs are, you know, very, um, like styled down, you know,
(16:42):
you don't see many buttons anymore. So you have to really, like, test all the flows all around. Um, and so by. It's a bit stupid, but I keep brute forcing kind of the application. You want to cover most of this. Of course, the good old JavaScript mining is very important. And that's why tools like JS Weasel by Steelman are very damn useful because, um, it gives a really, like, really one place to have everything stored, all
(17:05):
JS files, even that hidden JS file that only is loaded on a, on a weird route. You will have it. And it processes, you, you know, the potential paths. So that's a pretty, a pretty nice one.
And the thing, uh, the last thing is being, um, logging. So you have your Burp history or Caido history. What I like to do is to try to, you know, store that into a database.
(17:26):
When I, I'm strict enough with myself to take the time to set that up. Uh, and sometimes when you look into your Burp history or you look on to some, on some parameters, you will find like the hidden route or the hidden params that you needed to unlock that stuff.
How exactly do you look for this? You have your database with all the requests logged. What do you do to find it?
(17:46):
Initially, what I used was the, um, with Logger++, you have a feature to export the requests to Elasticsearch. Yeah. And using Elasticsearch, you can then use the, um, the, uh, well, the full Elasticsearch, Logstash and Kibana. And so Kibana acts as a kind of front end. So we can type like SQL-like requests, you know, to find the specific stuff.
(18:11):
But the issue is that in Elasticsearch, uh, to find like specific words inside the requests or so, or the response, it goes through a tokenizer. And so you have a limit on the length of the contents, for example, a very large JS file of 5 or 10 megabytes, it will not really work properly, except if you fine tune it.
But that's, for example, a cool way to improve your coverage when you're
(18:35):
testing for access control or business logic errors, because you're able to find, like, very hidden parameters, parameters that you missed, or parameters that have a similar name, but that you needed to craft, like, the good right request for that newly uncovered route that you understood, that you found in the, in the JS.
Yeah. So we just, like, have a regex to look for the, to find all the parameters in all the
(18:57):
JS files and history, something like this.
No, because I am not disciplined enough to actually build that. And that's why I love SteelMan's JS Weasel tool, because it does that for you and it removes you the heavy lifting on that part.
Yeah. Yeah. It's really nice. How about some bug classes you never look for, or do you think are there, like, present?
Honestly, I suck at client side. I'm very bad at it.
(19:17):
Because, you know, I used to do the classical, you know, HTML injection to popping an XSS and so on. And, like, being in the live hacking event and seeing the bugs shown on the show and tells clearly shows me that I'm years behind all those top hackers doing, like, crazy postMessage stuff, finding gadgets all over the source code. They're all there.
(19:37):
Yeah. They are found at each event and very impactful bugs are found with that. I just never took the time to actually, well, do all the CTF, do all the training. And it's, it's kind of been the new hype, you know, since solutions like DOMPurify have been more implemented a bit everywhere. Sanitization is now a real standard in most of the web applications.
(19:58):
Well, yeah. All the postMessage tricks, you know, and the CSPT, the traversals, have been like the new craze. And so the top hunters have quickly adapted and learned these techniques. And I think the wider community would gain a lot to start working on those kinds of techniques, but it is additional work.
Yeah. And it's also, you can see the shift, I think, from like more server side
(20:22):
processing, moving to the client side, JavaScript also, you know, brings bugs with it and, and all the postMessage stuff and the things that they find, the things that they know about the client stuff, it's crazy. All the, like, cookie, even yesterday in the newsletter, I shared like two different articles about sharing about.
And there was like one article that compared parsing in browsers,
(20:43):
in frameworks, uh, and then it was already so inconsistent. And then there was another article from PortSwigger. I don't remember the name unfortunately, where you had like a version cookie, which changes the way cookies are parsed. So you get another layer of it. And to be honest, I never think I played with cookies, uh, like the cookie parsing,
(21:04):
I don't think I've had a bug which would, like, require me to mess with this.
Yeah, during a live hacking event in France. I had another hunter called Brumance, who developed his own tool to start fuzzing, you know, other parts of HTTP requests that you don't really fuzz into. And he was fuzzing cookies at that time. I started to uncover some, like, beginning of an SQL injection just inside a cookie.
(21:27):
No, that's stuff that you have to test for, you know, or you just won't do it. It's just like sometimes, um, I think it's on PentesterLab or something like that. When you start learning about SQL injection, you focus on the parameters and then, well, the challenge is actually to, well, inject that into your User-Agent header.
So of course I never saw it or almost never saw it in real life in pen testing,
(21:49):
but it still reminds you that once again, you have coverage that is not being done properly client side or server side. There's a lot of things that we don't test for.
Yeah. And I also think it's the problem. You have relatively few bugs you found in your career because you have like a few bug classes and then a few input sources. So it's easy to, like, fall into the, into testing the same, same things
(22:14):
all the time because they work. And then you have a thing like SQL injection in the User-Agent header. I've never found this, so I don't test for it. So in the future, I also won't find it. So it's sort of the, the negative feedback loop where you don't find something, so we don't test it. So we don't test for it. And I struggle with, like, motivating myself to, like, fuzz more things
(22:35):
and test more things that I think won't be successful, because probably some of them will be successful at some point.
Another bug class, um, it's very, it's pretty wide. It's, uh, all the timing attacks were reported. So either you go for the James Kettle route, which is in my opinion, of course, the way that you will, you know, uncover like very, very, very, very impactful
(22:57):
bugs, but everything related, you know, to also timing attacks and sandwich attacks and also time based secrets. So there is a talk on Reset Tolkien where basically he's shown that even on some bug bounty targets, he still finds like IDs that are generated, derived from a secret that is derived from time.
(23:18):
And even if we know that it's insecure, or sometimes you have a gut feeling that this smells bad and you know that it's not secure, but you cannot prove it. It's cool that he and, and all the researchers have started like building comprehensive solutions to test all variations of, for example, is it like your email plus underscore plus a timestamp passing to a SHA
(23:40):
-1 or MD5 or unique ID and so on, and all of these variations. And so I think, okay, like we discussed yesterday, like, um, having more and more toolkits and more and more use cases being ready to be tested automatically will greatly help us for all these timing attacks and time based secrets.
Yeah. There's so many things to be, to
(24:00):
be found. Yeah. And it's a good, good way to think about it, to try to automate this stuff. So, you know, okay, I may not believe it will work, but if it just means pressing a button and, you know, generating something automatically, it's less of a hurdle. If I were to manually inject, let's stick to the example, SQL injection payload in the User-Agent header, in the cookie, in the parameter, in the body everywhere.
(24:21):
Yeah. If it's just one button, then, then it's easier. So I think it's a good way to think about it, to try to automate this stuff. And you know, then it's, if it doesn't work, doesn't work, not a problem.
The issue is that we end up with the philosophical question, are we in the end, rebuilding some kind of vulnerability scanner to automate ourselves? That's the issue that we, we, there's so many things to be tested and I
(24:43):
got to develop, like, your instinct, your spider, your spider sense, but. Well, then you just have to avoid being stuck into your routine and, and the issue with bug bounty, and especially if you do it for money, uh, is that you need profitability.
And so when you're stuck into that eternal cycle of, I need to make money, then you're less likely to be doing research and then going
(25:04):
outside of your comfort zone. So you gotta find the right balance. And that's why, uh, that's what I strive for. So is to just have hacking as a passion that can really research rather than say, okay, this makes money and I should keep doing it because, you know, it supports my, my lifestyle, my family.
Yeah, it would be, would be fun to have this, this way I try to,
(25:26):
this video won't be published, so maybe I can, I can say about it. I tried to hack some software that I use. I tried to make a video. I had the idea to make the video of, like, hacking different software that I used that does not have a bug bounty program. It ended up with like me finding a full read SSRF in 19 minutes, because I... But then I was like, and I plan to spend the whole week doing this,
(25:49):
but then I just lost the motivation. It was like a week is too, too a lot. And then, you know, it's fairly easy to find bugs and would be, would be cool to, to feel allowed to just, okay, let's spend a week hacking on whatever I want.
Well, yesterday we talked about, you know, um, the, the way that your brain processes happiness and, you know, everything related to your dopamine levels and the
(26:13):
way we are also kind of victims of that because now that there is a financial reward, we are often bound to, um, consider yourself and your ego as hackers as somehow correlated to the bounty that you make and also the value of the bug that you find being correlated to the amount of money that you make. Which is not a, which is of course good in a way because it stimulates
(26:36):
you, you've got that dopamine, that adrenaline rush and you want to, you want, you want to go forward. You cannot stay in that loop forever because at any time though you will find less bugs or sometimes there are underrated value programs. You cannot devalue yourself. Cause then you just go into a very bad spiral cycle of self deprecating, you know, thoughts.
Yeah.
(26:56):
That's bad. I do it. I try to not do it, but still, even though it's financially, it's easy to, like, manage a time with no, with no bounty, mentally, this is the hard part for me to, like, okay. Cause I, I feel it's more of a sort of reward that the bounty itself is, of course it pays the bills, but it's more
(27:18):
a way to, to, you know, as you say, to express the, how well your, your, how good your bug was. And yeah, it's hard when you have a worse period, worse bugs, downgraded severity and stuff like this. And sorry, I keep going off road with you on this one.
That's something that is not talked about, I think. I don't know if I, I think it affects all the people, but not a
(27:40):
lot is like the blues or the small depression after a live hacking event. Yeah. Like the, the high and the personal investment of this cool live hacking events is crazy. Yeah. It ends up, like, at the top, you know, of the climax, when you're all inside of the, the live
(28:02):
hacking event, you see all the people, you see money flowing, you see crazy bugs, you see show and tells, and like, it's so much excite, excitement that, and I think when you go back home after, like everything feels less stimulating. And I kind of feel like a little bit depressed for a week after. Yeah. Because there are way less stimuli. I think, okay, well, back to daily life, I guess.
(28:24):
To be fair, I didn't have this. I was surprised. I know some people have it. Yeah. And I spoke with Johan and he was like, Oh, how was the LHE? I can even argue depressed after. I'm like, no, I'm pumped up. I met so many people. I had so many ideas. I just want to hack, man. I had, like, the complete opposite. And also the, the live hacking event is, like, more stressful because you want to find the bugs. You feel the pressure.
(28:44):
After I came back from Edinburgh, I slept so well because before, each night, if I, if I, if I wake up and the bounties and updates, and then I came back and I slept so well, for me, it's like, Oh, so the opposite. Cool, let's go back to access control bugs. So what exactly is this? What, what is it that you test?
(29:05):
Well, it ranges from the classic IDOR. So add one, decrease by one. That's a classical one. But you know, um, depending on the tech stack and the type of IDs that are used, you have like various, um, uh, sneaky ways to get those access control issues. One thing that I liked, um, uh, I spent a month on LinkedIn, that
(29:27):
program, made, I think, 30K, something like that in bounties overall. Crazy, not that crazy, but still, I think a good amount to express that I spent and invested time in that. And so I was reading the activity and they have a few disclosed programs, um, sorry, reports on it. And LinkedIn uses a lot of URNs.
(29:48):
So you have, for example, uh, URN, uh, colon, some, uh, prefix, for example, user ID colon and some, and some alphanumeric string after it. And the guy found a, a very cool, uh, second level bug, where he filled inside of his profile a value being an, uh, a new URN.
(30:09):
So it was, the key was a URN and the value was also a URN. And this value was later sourced by the application at a different location. And so it retrieved the value of this, like, injected URN and this process didn't actually, uh, provide good access controls. It was able, for example, to access other people's, uh, data through it.
(30:32):
It's like a second order injection where you put, uh, instead of a string, like, uh, like, uh, a URN. That's, for example, in my opinion, a cool bug. Yeah. So it's like second order processing.
And then it's pretty much anythingranges from either to testing, uh,
authenticate, not authenticated.
And if I'm really, really trying to go into finding all the little
(30:55):
scrap bugs that I can find, then it's like, take your time on the
matrix of rights of an application.
Do you have, yeah, okay, five levels for the authentication? Like, are you sure that all of
these five levels on the 200 like actions are properly implemented?
And sometimes I do that, but I find it a bit boring.
(31:16):
Yeah, that was supposed to be my question, because 200 endpoints
times five rows, it's 1000 tries.
That's a lot.
Yeah.
And honestly, there's one guy that's way better than me at that.
It's Frisek.
He's a French hunter.
And I remember in Edinburgh, I said, hey, you should take a look at this application,
because it has maybe like 10 levels of privilege with almost all of that.
So enjoy. This crazy guy, like, pushed maybe 16 reports in the next hours, the next
(31:42):
couple of hours, because, you know, you've got to feel, you've got to get organized,
and then you just got to be efficient and compare it to the documentation.
That honestly tires me too much to do it properly.
Automate this process? No way.
No, I know a lot of people use AuthMatrix or Autorize and so on.
Yeah.
I can't get my head around to using them.
(32:02):
Even if they look like very great solutions.
Most of the time when I use them, it's just to test
authenticated, not authenticated.
Just to have a quick replay, but not that much.
And it's also an issue for me because it doesn't work on complex workflows.
So if you use, for example, a three-step workflow and you want to test
the last step of the workflow.
(32:23):
If you use something that replaces your cookies, it won't work, because
sometimes you need like the correct IDs for step one, step two, step
three, and then at step four you have to modify and get the right ID.
And so investing time in those multi-step workflows will allow you to find the
bugs that other people do not find, but mostly, well, you cannot automate them
(32:44):
because it just breaks the whole chain.
Yeah.
From my tries, it's like you can automate the GET endpoints
most of the time, but then when it's POSTs of update of resources or
deleting resources, it's hard to modify them, because either you will struggle
to determine by the response if it was successful or not, because if you're
(33:04):
creating something with a POST, you
don't usually know from the response if it was created on your account or
the victim's account. Deleting, as well, might be problematic because
you cannot directly replay the request.
So I also just do the manual thing.
I think, in the near future, like even right now, carefully crafted
(33:26):
AI engines could help you for that, because if you really decompose the problem
and you have like an AI agent that does one small thing,
but that does it really well,
you can have like more reliable results.
I mean, if you first, I don't know, add a product to your basket,
then add the customization option.
(33:48):
Then, you know, try something else, like put that item into
the basket of another user.
Like having just a very small AI agent that verifies, okay, is
the answer plausibly correct?
Yes or no.
Given that input, that input and that expected output, only doing
that real small task might be easier to apprehend or to understand the
(34:09):
potential vulnerabilities that you have.
And I think that it's a really underlooked way to craft
really, really small agents to do that.
Yeah.
That's a good one.
It's way more powerful.
Like, if people want to dive a bit into that, just take a look
at Daniel Miessler's Fabric tool.
It has a lot of prompts that are premade and really allows you to show, to
(34:34):
understand how to customize those prompts.
And I really like that.
I have small agents that were perfectly unreliable.
So do you use an agent like this, or do you think
it's possible to create it?
No, I don't use them right now because I'm working on other AI projects.
But I think, yeah, it could be useful, but I
think that's a couple months of, you know, fine-tuning all this stuff, and
(34:56):
it's almost a project of a company
by itself.
Yeah.
But I do see the potential in it.
I think by the time we get like a full-blown hacking agent,
it's going to be a long time, because it's a lot of vulnerability classes, a
lot of things to understand to create something that, you know, takes the 200
routes and the permission matrix and goes through the different resources.
Yeah, it should be
(35:17):
fairly easy.
The thing is that if you want to build that, as I said, you have
to have like very small agents that do one task and one task perfectly,
then chain those very small agents.
And each agent will take an input, provide an output to the next agent.
And so you have this famous chain of thought between unit agents that
(35:37):
do one thing, and then one thing well. Then you have to preserve the context, and the context
window is like limited.
So maybe you have 200,000 tokens on the cloud LLM, something like that.
But the more context you provide, the less pertinent your result will
be, and so your challenge will be to provide just enough relevant context
while maintaining, you know, the understanding of the application and
(35:59):
of what you're doing, but that's possible.
And it's a couple of months of work, I think.
So we said you hacked on LinkedIn for a little bit.
What is your usual bug bounty program?
Because I will tell you one thing I noticed when preparing for the interview: in
many of the profiles of top hunters, the top program is like a private
one that I don't even have access to.
(36:19):
And they have
often thousands of reputation in a single program.
Your profile looks different.
On your profile, there are many more well-paying public programs.
So you're like taking the programs with a lot of competition and you still succeed.
So what is your usual target?
You know, it hasn't been a long time since I got back into full-time
(36:41):
bug hunting, maybe the end of March of this year, of 2024.
So maybe it makes like nine months in the year.
And out of those nine months, I think it might have taken three or four
months just for me, like seeing people that I never saw before, going to see
family, relatives, taking a bit of holidays, working on other side projects.
(37:02):
So I wasn't hacking for that much time.
That's why the data set is a bit more limited.
But, yeah, I did a full month on LinkedIn.
I did a full month on some private program that had like 100K
in the potential reward. It was like an infrastructure-related bug.
So it prepared me a bit, actually, for AWS.
And then, yeah, there was Amazon that I wanted
(37:26):
to look into, and AWS, and no, it's like, you've got to get
invited to the AWS program.
So I was really happy getting into it after the LHE, and mostly,
I think this is going to be my next program for the foreseeable future.
But, you know, when you see a lot of top hunters, in the end
there's not that much of very big paying programs that do also live hacking events.
(37:50):
So in the end you still have like this small club of maybe, I
don't know, there's Uber, PayPal, Capital One, Salesforce, AWS, Amazon,
Epic Games.
Yeah.
Now TikTok. You've got a pretty small subset of programs.
So in the end, well, you're running around the clock, hunting all
(38:12):
of these programs, but you're right when
you're talking about people specializing in one program, because the more time you
spend there, of course, you know the bugs, you know the team, you know
how they handle things, you know how to maximize your output, how to keep
the good relationship with the program.
So, yeah, I think I'm going to stick with AWS. Like, a very large
(38:32):
scope allows you to be very creative,
both doing like classic web bugs to more infrastructure-related bugs to
like exploring in depth some features.
And I think it's a great all-around
program.
I love it.
Yeah, it's nice.
And the attack surface is absolutely massive as well.
How about YesWeHack?
Because you also hack there.
(38:53):
There, I do not have as much visibility into the stats.
How would you sort of compare hacking on HackerOne and YesWeHack?
It's a bit different,
because YesWeHack is a European platform, French-based.
I've followed them and I've been friends with them for years,
and it's a great company and people in there are really, really, really
awesome, really great people.
(39:14):
And it's a bit different.
Basically, when you're in Europe, you don't necessarily have that
many large companies like in the U.S.
So, of course, the size of the programs and the payouts will not be as big
as it goes on H1.
You can't expect from a company that's not an Amazon to pay a hundred K bucks.
That's just not realistic.
(39:35):
But it's a small platform.
And from when I was very active on the platform, at that time, I felt
like the triage quality was higher, you know. I'm less active there,
so I cannot, you know, give factual feedback on how it is nowadays.
But, you know, it feels like a bit more humanizing than, you know,
(39:57):
when you're on a big platform, where you feel that sometimes people don't
read your report and so on.
So I really enjoyed that more, you know, closer, more human,
more family-like concept.
The thing is, if you take a look at the bug bounty market, in
the end, like how many areas in the world are there where you can sell bug bounty?
(40:18):
North America, which is of course one of the richest countries. South
America, which is emerging, but there are still not a lot of companies.
Europe, that does have money, and in Europe you have mostly these western parts.
It's like starting to have enough companies with strong enough,
you know, arms to bear the load of the bug bounty.
(40:39):
And then you've got SEA, so Southeast Asia. HackerOne has the
American market, YesWeHack is mostly predominant on the European market
and fights with Intigriti on the rest.
And so the next battlefield is Southeast Asia.
So YesWeHack is implemented in SEA, and now the CEO, Kevin, who's an
(41:00):
awesome guy, is in SEA, I know. Well, Intigriti is also starting to get clients.
I don't know.
I know less about Intigriti, but then it just shows you that,
you know, the quality and the type of programs and the evolution of the bug
bounty platform will be directly bound to the clients that they are able to get.
Yeah.
And so you've got those big juicy programs on H1.
You've got those European and start-of-SEA programs on YesWeHack, and it gives you
(41:24):
overall different targets and different ways to interact with the programs.
It can be cool, I think, to change and rotate platforms,
if you feel burned out with working with certain types of companies,
because the culture is different.
Yeah.
Working with European companies is different from working with American-based
companies or SEA companies.
Like, it's a different way to interact with people.
Yeah.
Also, like, the LHEs, the live hacking events, how are they different
on YesWeHack compared to the HackerOne events?
HackerOne events are pretty large-scale.
You often get like 100 users all flown out to some very cool
location, like in Vegas or wherever.
YesWeHack has two types of live hacking events.
(42:06):
The first one being a small punctual event associated to like a
larger event, let's say cybersecurity conferences or cybersecurity,
you know, general public events.
And they will often hold a small competition, like 24 to 48 hours,
with a reduced prize pool, because often, well, these are just the people
(42:27):
that are going by or people that are specifically going to the LHE.
So the wallet size is obviously lower.
If you only hack for a day, you're not going to find as
many bugs as you would.
And then there are some dedicated live hacking events that are
bigger, larger-scale, which are, for example, the last one being
(42:47):
in Italy with, no, in France, in France with the Louis Vuitton
luxury brand.
And so they were flown out to Paris, into like the real headquarters, and they
invited way more hunters, including North American hunters as well.
But it's still a smaller scale, where you cannot compare, I think,
the behemoth that is HackerOne to European companies, not yet.
(43:10):
How did you get involved with
the HackerOne live hacking events?
In 2022 with the AWC, so the Ambassador World Cup, I was
with... Maybe for those who don't know what the Ambassador World
Cup is, could you maybe explain?
Yeah, of course.
The Ambassador World Cup is an annual event
that started in 2022.
It's a bit like a football, or soccer for your US friends.
(43:32):
It's football.
So it's like a football competition where you have like teams per country.
Sometimes, if there are too many people, there can be like
multiple teams per country.
Then you've got the selection phase,
which will eliminate some teams.
Then you go into a classical World Cup style of football, where you've got like
16 teams, then eight, four, two, one, until, well, the final one stands.
(43:59):
And so each country has an ambassador that represents, well,
the country with his team, and that is directly in relationship
with HackerOne and with the programs to coordinate both the hackers
and the relationship with the platform.
And the rules have evolved a bit.
Nowadays, it's like you've got a set of programs per round.
(44:21):
So all teams hunt on a specific set of programs, usually two to three programs.
But 2022 was wild, man.
Very wild.
Like now it's, yeah, yeah, no, it's like properly set up, you know,
you've got your three programs and they take time between. In 2022
it was so wild.
(44:42):
We were like all the World Cup teams on all of the managed
public programs of HackerOne.
Do your thing.
And it was around, I think it took around one month.
And a sad story in the real world, but a kind of fun
(45:02):
joke here is that during that time, the war in Ukraine started getting worse and worse.
So they started banning, for example, well, because there were
bans, you know, for recreation purposes on some Russian programs.
So, for example, the mail.ru program was present at the time
and disappeared during the cup.
So, yeah, it was a bit chaotic, but very, very, very fun, because like people were
(45:23):
submitting all around the platform.
And yeah, that's why, where we got the first World Cup with the French team.
And in the end we spent a lot of time on Epic Games.
And so we specialized a bit more on that program, and we had like very
good hackers, Snorlax, who was very successful on Epic Games, to help a lot to
(45:43):
really understand the program, find the bugs.
And that's how basically we got the first, I think,
how I got the first invite.
I don't remember if I was a plus one or if I was invited.
I think I was invited as a customer sector program.
That was my first, yes, live hacking event.
Yeah,
I had to take the time to brag, because now the Ambassador World Cup
(46:06):
this year, I'm also playing as the ambassador of team Poland.
We are advancing to the final eight, France loses out.
So it's a payback for the football World Cup, because in the
football World Cup, you eliminated us.
Now we didn't directly compete, but, yeah.
But you guys deserve it.
Very talented people.
You're doing awesome work
and it's great to see you go forward.
(46:28):
So, yeah, I didn't expect it as well.
We didn't have so many hunters that would be so, so active.
So now I'm really proud of the team, because, yeah, and it's
also not that we just advanced, we actually scored a lot of points, so.
Awesome, man.
Congrats.
Yeah, congrats.
Congrats to the whole team.
How can somebody that would like to get involved in the AWC get in?
(46:50):
Because it's only 20 people.
In Poland, it's like fewer hundreds, so it's not as much of a problem.
But in France, I imagine there's
hundreds of people that would like to be part of the team.
So how can one get involved if they don't have as much reputation on the platform?
The thing is,
even if it's like a big event in the bug bounty world,
(47:12):
it's not as much publicized yet.
Yes, it's the third year.
So people are getting more and more known to it and might want to get into it.
But the first thing is also about fighting imposter syndrome.
So that you don't have to be okay with, I'm not able to get on board.
Like, I know that one of the French teams last
(47:33):
year was comprised of a lot of young hunters, and
they still performed pretty well.
So that's the first thing, being confident.
The second thing is, well, even if there are more and more bug
hunters, finally the people that really want to get involved go
fewer and fewer with like the level of dedication that you put into it.
(47:56):
And so once you really start to be active in those kinds of circles, we
are still kind of not that numerous.
There are not that many people who really want to go inside
and to get on the team.
And then the ambassador is the one person that is making
the final decision, the final call on who's going and who's not going.
Don't forget that the ambassador's role is also initially to promote
(48:20):
bug bounty in their own country.
So you're not just going to take like the old top-performing guys all the time.
You have to give the chance to your rising stars.
And that's why you are in the roster.
You will, I will have some new guys that are coming in, coming fresh.
That's a great way, you know, to have your, like, your own time
of glory, if you feel like it.
(48:41):
I would also say it's good to get involved in the community, because
now, as the ambassador, I also want... I've
heard tips from other ambassadors, you know, it's good to put somebody in the
team that maybe has a little bit less experience but is maybe more passionate,
more motivated, active in the community.
So I imagine it's also a good way to get involved.
(49:03):
Yeah.
Consistency.
Just being able to put in the work, and also keep in mind that
the World Cup takes almost a year, you know, and a year is very long.
People sometimes get burnouts, people have other issues,
have other stuff to deal with.
And so even your top hunters might, well, at some point
(49:25):
not be available at that time.
And so you've got to have people on the roster who are able to
take like the fight, keep going.
So, yeah, just get those young guys and girls and,
you know, those rising stars.
It's the moment.
Yeah.
Okay.
Once you already get the LHE invitation, you perform really well at all the events
(49:47):
you've attended, you get to go to the show and tell, you got the top 10.
So what's the key to performing well?
The thing is, I think my
only real capability is to deep dive, but mostly find the
knowledge that I need for something that I feel is going to be vulnerable.
(50:11):
I don't consider myself as a good hacker.
I suck at a lot of things.
I suck at client-side.
That's funny coming from you.
Yeah.
But you know, when I hang out with other guys, like, I don't know,
maybe I'm the worst guy in the room.
Like, you know, you hang out with CTF guys who are like complete
brutes on so many topics.
(50:33):
They, yeah, that's true.
Okay, well, I suck at everything.
Good.
You go with some good client-side guys, they're talking about, they're talking
about like stuff you don't understand.
You see the show and tell, say, you asked me as a second slide, but
I think I'm only good as much as the extent of my knowledge, and so I have like
my monkey brain processing a bit of knowledge, then you have to find
(50:58):
the right information at the right time to be able to find that bug.
And so even if you, when you start doing bug bounty a lot and pentesting
a lot, you have your instinct of what is going to be vulnerable or not.
And that's kind of your unique approach, but
having the gut feeling of something being vulnerable is not enough.
You gotta transform it, just like in rugby, you know, you place it with
(51:19):
the ball and then you gotta shoot it and transform it into a point.
And so that's where like being able to grasp and retrieve information
from different people, different sources, really makes a difference
on how well that feeling is going to be or not an actual vulnerability.
And then it's placing the cursor.
When to stop and when to keep investigating, because bug
(51:43):
bounty is kind of profitability.
So if you invest too much time on a single bug and it doesn't pay out,
well, definitely you have wasted a lot of time and you feel bad about yourself.
And then it's just being able to place like the right cursor on where
you should stop or where you should invest more time, or just simply keep that
in the back for later, for another friend who might be smarter than you, you know?
(52:06):
Yeah.
And
how they're going at the right time.
So yeah, it's feeling good with the program and being able to seek the
right information at the right time.
For example, I never did, you know, AWS infrastructure hacking before.
Yeah.
But you know, right people, right time, right information.
It's finding that sweet spot, which makes a difference.
So what were the things you
(52:28):
focused on at the hacking events?
I know in which event, for example, the
last one, you focused on infrastructure on AWS. The previous ones,
did you also get like one sort of goal that you wanted, or one area?
Oh yeah.
On Epic Games, I focused on a very classic web app, purely marketplace.
And I did my usual thing with access controls.
(52:50):
And the thing is, sometimes, well, people don't care about it,
because it's not impactful, or it's not impactful in their own security
model, and then you gotta accept it.
So after like spending two weeks of doing
everything like
that and getting like, well, yeah, no, you're gonna get a low-hanging, a low bug.
(53:11):
Then you feel doubt.
Damn, I spent really two weeks, like covering the whole platform
and covering secret features.
I even spent like 2,000 on the premium subscription on it.
It was worth it in the end.
Oh, nice.
But yeah.
And so, yeah, well, I was quite confused.
Kind of tired.
And so what I did in the end was to fall back to something that I really
(53:34):
never tested at scale before, which was trying to test denial of service issues.
And that's when I started to find some, you know, nice bugs.
And paradoxically, the two weeks of work that I did to uncover,
you know, hidden attack surface, accessing premium features, like
even broken features or things that were not implemented yet, accessing
(53:56):
them and so on and so on, didn't pay
much in the end.
And I've made almost all the money in the end with a couple of those bugs.
How about those bugs?
Aren't they out of scope usually?
Yeah, they, well, they are.
They always are, like almost all policies will have like those bugs.
I think it's really program-dependent.
(54:17):
It's
out of good sense, because they don't want people to spawn a thousand
VPSs and start doing some volumetric DoS, because it doesn't add any
added value and anyone can do it.
And you know, it's just going to bring some issues for the people in France,
(54:37):
but application-level DoS is sometimes
accepted.
And once again, it depends on which program you're working on and the
security maturity of that program and which parts of the application you're
able to crash, potentially stop.
Yeah.
And so in the end, there's still an availability metric.
(54:58):
And this availability metric is not related to
destroying information.
It's literally in the spec, making a system not available, not the data in it.
It's not making the system not available.
So let's say that in a couple of requests, you're able to crash,
I don't know, the shopping cart of all users in the marketplace.
(55:18):
Yeah.
Hell, that's impactful.
And then you've got to walk a fine line, because you can't
really test that in prod.
Most of the time, either you have a suspicion, a very hard suspicion, and live
hacking events are cool in the way that you can talk with the final program or
demand validation. That's a good thing.
(55:40):
Or, well, you just scale up properly and progressively and you just, I don't
know, create enough objects to slow the server response to three seconds,
five seconds, 10 seconds, 15 seconds.
And you cross-check with another user from another IP with another
account to ensure that you indeed have a cross-user, cross-account
(56:01):
impact.
So would you also test DoS on, let's say, a public program where you don't have
the direct connection to the customer?
How would you, and if you would, how would you watch out to not cross the line?
With those bugs that are kind of, you know,
on the fine line that you felt not really crossed.
There are two things.
The first being, don't look like a complete fool to the program.
(56:25):
So if you're starting to, you know, cross that line, at least make sure
that you've got a really nice impact and not that you're crashing like some
small things that, no, the program doesn't really care about. Make sure
that you've got actual potential impact
on something that is really big, because, you know, if you are going to do
(56:49):
something, do it well, especially if you're, you know, crossing the line.
The second part is, if you have something like
you send one request and it's permanently crashed, yeah, don't do it.
But you're going to have a very hard time with triage and then the final program.
(57:11):
So it depends on who you are talking with during the triage
and how the program receives it.
Sometimes it's going to be a yes, sometimes it's going to be a no.
And if it's just a no, well, you know, you lost your bug, but at
least you didn't have any issue.
But sometimes it's something that can be like a bit smoother,
for example, you create a lot of objects in the database and then you
(57:35):
return all of these objects at once.
At least you control the amount of data that is returned.
So you can create them progressively, 1000, 2000, 3000 and so on and so on,
and just assess the response time of the server.
And so if you start seeing like response times of five to 10 seconds,
increasing linearly with the amount of objects or actions that you
(57:57):
perform, then logically you know that it's sufficient to make a first report.
And then often it's going to end up like, yeah, no, that's not enough.
So you ask, okay, should I go further?
Let's say go further.
You do show a significantly higher delay, or sometimes they would
(58:20):
just say, no, it's out of scope.
Yeah.
And then it's quite a weird situation, because they want you to show impact, but
they're not allowing you to show impact, but it's just the rules of the game that you
decided to play by trying to use this kind of, our books, but honestly
on more major programs it's less of an issue.
(58:40):
So would you send the report, let's say, when you have a response of 10 seconds,
or would you look for a higher delay?
What is sort of the ideal response time that you would think shows the impact
without actually impacting too much?
It depends also on how it impacts other users, because sometimes you
can augment, increase the response time for yourself, but this is going to
(59:06):
be, for example, a very short spike
at one set point in time, for example, that's epoch A, and so
when another user, user-side, if it's at epoch A plus one millisecond,
maybe he will not be impacted.
So the thing is, you gotta cross-check to ensure that it actually
(59:28):
works, and if you cross-check with another user and get a delay of 5,
10, 15 seconds, I think it's enough.
And consider that in a lot of DoS cases, the proof of concept that
you're going to push is not going to crash the platform instantly,
but rather provide like a sufficient delay at a fixed point in time.
(59:50):
And it's only if you really continue way past that point that
you might consider crashing the platform for a bit longer of a time.
So it's often scary, but you often have like a lot of room, you know, between
having an actual worst-case scenario
impact.
So do you actually, when sending the report, you also like test that
(01:00:10):
the delay is present for another user with another IP address
than the sort of attacker user.
Yeah.
For me, that's the gold standard.
Okay.
And that's what I was often asked on some programs.
And at least it really shows that you have no bias, and even though
it's like less cool to do, because it's actual additional work to have
like kind of a second computer or second IP, and so a second account.
(01:00:33):
Yeah.
At least it ensures it for yourself.
But by applying this methodology, you have real applicable reports and
not just like being, almost all of us hunters being very bound to your own
vulnerability, say, no, I know it's true.
I know it works.
Sometimes it doesn't.
And being a bit strict about that kind of methodology allows you
(01:00:54):
at least to be a hundred percent sure that you have an actual bug.
It still feels good, because even if that's rejected,
you found something
and you feel good about yourself.
Doesn't it feel, because when I think about it, the sort of problem in my
head is, let's say there's a single worker and let's say I have
a request that causes a 30-second delay.
(01:01:15):
I know that if I tested from another account, it may
get routed to a different worker.
So let's say there are four workers.
I would have to send four 30-second requests so that this user is affected.
So I would have to sort of brute-force how many workers there are by essentially
sending requests that I would prefer to avoid sending too many of.
(01:01:38):
So like, how do you manage this?
In my opinion, there's no good solution.
I was talking with Blacklist about another bug, the class, so not
another... By doing statistical work, he understood that his run only
worked like one out of four times.
So once again, possibly different workers on different code bases,
(01:02:00):
it just had to, well, repeat until he got the right worker.
And I think that's the same issue, but once again, it depends on how much
room you have until actually crashing the worker.
So sadly there's no good solution,
in my opinion.
Yeah.
It's a hard problem.
How much,
if you were to estimate the percentage of how many of your DoS reports
(01:02:23):
were accepted, is it like 50%?
Something like this?
More?
Less?
Well, I did most of them during LHEs, I think.
And so during LHEs, I'd say 70 percent of them.
And outside LHEs, well, what I found was way less impactful.
So it was still accepted, but it was like a low or medium bounty.
(01:02:45):
Okay.
So I think that the context and the impact make a difference,
but it's not to be generalized
to all programs.
Yeah.
It's also good to know at the LHE, you're one of the 100 hunters,
so you're kind of trusted.
Yeah, exactly.
It also helps if you have already accepted bugs
that show the team, oh, this guy.
Exactly.
Yeah.
He doesn't report only DoS bugs, he also reports good stuff, so.
(01:03:09):
But if you take DoS on a more general scale, for example, you know, CPDoS,
things like that, it's often pretty well accepted all around bug bounty
programs, or at least more major ones.
So things should not be too much of an issue if you have
something that's really impactful.
Yeah.
Coming back to the topic of LHEs, you've been to
(01:03:31):
three live hacking events.
So how has your approach changed from the first one, when everything
was new, to the third one, when you already know what to expect?
I think it grows with your own maturity.
You know, being a bit more organized, knowing the common
pitfalls, knowing your own issues, your own mental problems.
(01:03:52):
And so it's similar to being, I think, just a better bug bounty hunter overall.
Like, I don't know, when I was first doing that Epic Games LHE in 2023, it
was cool, but I was a bit more lost, you know, and yeah, the organization thing, I
think, makes a good difference.
Like for example, in Edinburgh, I worked with another
(01:04:15):
French hacker, Gerusha.
That's where we got the most impactful team.
Quite a nice award to have.
Yeah.
And, uh, right at the beginning, we created a dedicated Discord server
with different channels so that we can have, you know, stuff sorted out, but
that was not too much into organization.
Like if you have too many channels or too many, you know,
(01:04:36):
cases, you're not going to use it.
It still has to be a little chaotic.
And for example, the other thing I did on AWS was, um, I spent, uh,
just maybe one day before the event,
like a whole day of spending time reviewing all of the services.
Like I went to the catalog and clicked and read the description of
(01:04:56):
maybe 30 percent of the services, because there's a lot of services,
and just made small spreadsheets saying, oh yeah, that may be cool.
That may be cool.
That might be cool.
That might be cool.
And that's why I think it's cool.
And it allowed me, when we endured hardships or, you know, it was
hard not finding bugs, losing motivation, to have kind of a spreadsheet: hey,
(01:05:19):
that one, I didn't test it.
And so you can keep your motivation high by having fallback scopes
and avoid the eternal cycle of: I'm not finding bugs,
I need to find a new scope.
I'm not finding bugs.
I need to find a new scope.
I'm stuck finding a new scope.
I think it helps a lot with maintaining morale.
And morale is honestly, for me, that's the key, because if you
(01:05:43):
or your team is depressed, you're not going to find any bug, you're
not going to maintain your confidence, you're not going to maintain your inertia.
And it's like almost all esports.
If your guys are motivated, if your guys have high morale, high
confidence, they're going to be on a roller coaster of, you know...
As soon as morale drops, you think, no, this is not worth the time,
this is not worth the effort, and you feel less energetic, less motivated.
(01:06:06):
And of course you're going to miss bugs because you're less involved in
doing the actual work to find the bugs.
So yeah, that makes a good difference.
A little bit more organization and being able to better maintain
your mental health during the events.
How do you manage your focus during the event? Because the mistake I've made was,
(01:06:27):
I wanted to focus completely on the LHE and it was just too much, and it ended up
being worse than if I, you know, stuck to my routine, to my sports.
So how do you manage your time during the LHE?
Well,
I'm going to jump a little bit out of the box and, um, it all comes down to
how you handle your performance yourself as an entrepreneur, as a bug hunter.
(01:06:53):
Um, back in the days, and that's also, I think, what caused health degradation
for me, was I was all about the grind.
So,
if I'm on something important, I'm going to wake up early, I'm going
to grind very late, and I'm not going to stop until I've done what I've
got to do, for extended periods of time.
That was my first LHE and honestly I felt it on my health, because I
(01:07:15):
didn't sleep much, I smoked a lot of cigarettes, drank a lot of caffeine,
and it has an impact on your body.
And the grind works.
If you're able to maintain a certain amount of work, even though your performance
drops, if you're just putting in the raw brute hours, you will make a difference.
(01:07:38):
That's not something that you should do, in my opinion, in the long run.
And then when you gain more maturity, you understand that it's more akin
to a marathon and not a sprint.
So you gotta manage yourself properly.
And so if you manage yourself properly as an individual, you gotta take
advantage of your peak focus hours.
And you know the saying, like, people can work productively at most
(01:08:00):
four, five hours per day.
And then what is the rest?
I don't believe in purely being productive for four or five hours a day.
I feel the difference.
I think my top hours are maybe three hours of full focus.
And that's where most of the work gets done.
But for me, you've got to find the right balance between the
pure and dumb grind and only, you know, maximizing your peak focus.
(01:08:25):
You've got to find the right balance.
And then in between that, you gotta go
and enjoy, indeed, your rest, your hobbies, life, your wife, and so on.
And so you do see the difference when you start to find that right balance,
because you maintain your morale, you maintain your routine, you feel good
as an individual, and it just shows in the final work.
(01:08:49):
Yeah.
For me, the sort of problem that I have with this is, because
I do believe there are a few hours during the day that can be really productive,
but I agree with you, I feel
it's as important to have these, you know, really focused hours to solve a
problem, write a script, come up with a bypass, but also the hours you're just
(01:09:09):
at the computer using the app, triggering different flows, looking for the
one point where you can then spend this focused time bypassing.
So it's necessary to also just spend a lot of time.
You don't really have to be super focused and, uh, yeah, it's sort of,
you know, you can never plan for it.
(01:09:30):
And that's sort of why, where I struggle is, you know, just three hours
a day is not enough, because, you know, if two and a half hours are just browsing
the app and not actually finding a particular bug, it's too little.
And then, you know, that's where I find myself having very various
amounts of hours on different days.
(01:09:50):
That's it, you just got to find the right balance.
Yeah.
And if you get that sweet spot, you're going to have bugs, you just have to
work on all, you know, of your workhorses
to get the actual job done.
That's perfect.
How to not feel that, you know, especially in a group of
like 100 hackers with so many top guys, how to still stand out, how
(01:10:14):
to not feel the imposter syndrome?
Honestly, I still feel terrified.
Like, I know that I'm maybe likely, because of, you know, the rankings,
going to get a next LHE invite.
And I told you about that yesterday.
I'm damn terrified of the next LHE because I don't feel confident, or I don't
feel like I'm going to perform well, and I'm afraid of the scope that
(01:10:38):
is going to be, if there is one, and I'm afraid of, not of the people there,
because people are quite friendly, but I'm afraid of that competition.
So what I do is, uh, forget about that.
The thing is, even if you're kind of competing with other guys and girls,
(01:10:58):
actually you're just competing with yourself and you just run your own race.
The thing is, at an LHE, you got a lot of people working on the
same program right now, but you only know it because it's an LHE.
When you work on Amazon or other good programs,
do you see the people hacking at the same time, the same focus?
(01:11:21):
No, you don't see them.
No, I don't.
No, I don't.
And so what you do is simply, well, put in the work, stay in your bubble, enjoy the
ride, talk with other people, because it's cool, it's an emulation, people are having
fun together, finding cool bugs, etc, etc.
But disconnect yourself from the direct competition, or else you're
going to try to rush some things and get them badly and poorly done, because you
(01:11:45):
must keep in mind that in an LHE you have a duplicate window, which means that during
the first two weeks of remote hunting, every bug that is duplicated will be
split between all of the duplicates, so if you are duped you will still get paid.
Which means that if you have like a super cool bug chain, you don't
(01:12:06):
care about having your bug stolen by another one, you can just put
in the work to have quality
time and a quality bug chain.
And so when you start forgetting about the competition and just focusing on having a
nice bug, you will find cool bugs, because you invest two weeks of time and you
will find something that is very nice.
But in the end, isn't that just the advice that generally applies to bug bounty?
(01:12:28):
Forget about the other people, find cool bugs, get the reward.
In the end, that's the secret.
That's, in my opinion, the same thing.
Yeah.
Yeah.
For me, it works.
At the first event, I looked at the leaderboard and stuff like this.
The second event, you know, I'm sitting here, you made as a team
200k on AWS, I made like 18.
(01:12:50):
If I just compare myself, as always, he made five times as
much; for me, 18K for three weeks of work, it's still a lot.
So, you know, I'm happy with this and it's probably the only way to
keep the same mentality.
So yeah, it's really, really smart to, you know, look
at yourself, look at your bugs.
Also.
(01:13:10):
Being a duplicate of somebody at an LHE, it can be kind of an honor.
Oh, I duped this guy.
It's cool.
So you don't even see it as negative.
I don't get the exact quote, but if I remember correctly, it's from Miyamoto
Musashi, you know, The Book of Five Rings, and everything he
related to samurai fighting and the Bushido, the way of the samurai, is that
(01:13:35):
today's victory is to be greater than the person that you were yesterday.
Yeah.
And tomorrow's victory
is to be greater than what he calls the lesser man, which
includes, well, basically yourself.
That's the way that you should see it.
You're walking your own road and finding your own bugs.
In the end, competing with other people and pushing them, trying
(01:13:56):
to find the bugs before them, it's not going to work well for you.
That's what I wrote, you know, I wrote a small blog article about,
you know, performing in LHEs.
And the thing is, thousands of hackers made thousands, millions of
dollars per year on those events.
And it works because they are not fighting with each other, they just have
(01:14:17):
their own style, their own unique approach.
Yeah, that's really good, and honestly, the unique approach is not
like I have a super secret nested bug.
No, that's not the case.
It's based sometimes only, for example, on the way you
perceive the security model.
You also mentioned collaborating during the event.
So can you tell us a bit more, you know, how does it work?
(01:14:39):
How do you split the bounties?
How do you split the tasks?
The
gentleman's agreement for me is the standard 50/50.
Uh, obviously with bounties, complex situations can evolve.
People can stop.
Can
get more or less involved.
And of course, in a lot of cases, people might not feel comfortable
with, you know, doing the full 50/50.
(01:15:01):
I'd rather do it even if my teammate doesn't work, because at least I know
that I will always be fully clean.
Get your 50 percent cut.
If you like, we will stick together.
If you don't like, we'll split ways.
It was fun working with you, but at least that's a gentleman's agreement for me.
That's what I did, for example, with Noxious in, uh, in the, um,
(01:15:22):
in the Las Vegas event, where we finally collaborated on some
bugs and said, okay, don't worry.
We are collaborating on that type of bug class.
So I had a couple of reports before.
I'll put you at 50/50 because I trust you.
I want that to be fully fair.
And that's what we did with Gerusha again in Edinburgh, it was, okay, are
you willing to invest yourself fully?
(01:15:43):
Yes.
Are you willing to do a 50/50?
Yes.
That's the standard agreement.
He told me, okay, I have a day job, so maybe sometimes I will
not be as available as yourself.
Is it okay for you?
Yes, I don't care, because I trust you.
And then you just find the right people at the right time.
Gentleman's agreements go on, and then it's just trust, and being complementary
(01:16:06):
on your skillset helps a lot.
So what do you get out of the collaboration?
Um, three things: morale and confidence, because it's always cool to have
another hacker with you and not just be alone fighting the odds, the Kraken,
the Titans of bug bounty; it's cool to have like a teammate, uh,
just to hang out and grow with.
Don't mind, you just enjoy being around.
(01:16:29):
That's the first thing.
And as I said, morale is very important.
Uh, second part is indeed when you have a complementary skill set.
I'm terrible at client side.
Gerusha considers himself bad at server side, but that's a lie.
And so at least when I had something that I had
no idea about, he helped me.
He was doing some very cool code review, for example.
(01:16:52):
There are so many things where, you know, people get complementary, or even when
they both have the same skillset, at least you have a, you know, different
point of view, different perspective.
And so, you know, when I arrived here, I told you
about a potential bug that I had, and you started talking me away: maybe
you can do that, that, that, that.
Hey, wait, wait, wait, wait, wait, slow down.
(01:17:13):
Because I just told you about the bug.
I didn't even think about that.
We were just having a coffee and I couldn't resist.
And that's pretty crazy.
And I think that's still what's impressed me the most when I talk with other hunters
at LHEs or other events, is the way that they perceive the potential attack path
based on the single potential flaw.
(01:17:33):
Each time I'm like, oh, I never thought about that.
And so, yeah, it's morale,
a complementary skill set, and, you know, the way to perceive
the potential attack path.
Yeah,
that's nice.
Let's talk about tools a little bit.
Uh, are you using Burp or Caido?
I'm a Burp guy, but I have like a lot of tools.
(01:17:54):
I have a love-hate relationship with them.
Like, Burp is battle tested.
That's why I stick with it.
I know how it behaves.
I know
its limitations.
I know that it evolves quite quickly since Caido has been more competitive.
I love how they are implementing cool stuff like Bambdas, BChecks,
and so on, but I also hate the way they are implementing them.
(01:18:16):
I have a love-hate relationship with them.
Caido is the new cool kid in town.
A lot of top hunters are switching to Caido and I feel I understand why.
I don't know for now.
When I tested it, like, months ago, I felt like it had not yet all
the features that I wanted to have.
But at the same time, it has features that I wanted to see natively in Burp.
(01:18:37):
It just bothered me, so.
Burp Suite, extensions, custom extensions.
For now, it does the trick for me.
What extensions?
Top three, I would say, um, so when I need logging, it's Logger++ to send to
Elasticsearch, or Log Requests to SQLite, which logs the requests to SQLite.
(01:18:58):
Uh, Piper. Piper is super underrated.
It's crazy.
I have like a ton of scripts for Piper.
To do what?
Everything.
Um, first thing is I want to right-click and be able to save any number
of requests or responses to disk.
Okay.
Clear text.
Not that Burp
(01:19:20):
weird format.
I want the full clear text.
I want to be able to extract only the JSON request or response.
I want to have it beautified.
I want to be able to compare it.
I want to be able, I don't know, to replace some stuff dynamically.
I want to be able, for example, sometimes to apply
specific jq features to some specific stuff.
And so a lot of things just to process data, to save data to disk
(01:19:43):
and, uh, yeah, to sometimes have like graphical interfaces to, well,
do dynamic diffs, or, um, I even have one that calls JSON Crack.
So for example, if I have a very big JSON, I do a right-click,
send to JSON Crack, and then I have a graphical explorer to show me the
visualization of the JSON file and some fuzzy finding to find the
(01:20:06):
right keys and how it's nested.
Yeah.
I use Piper a little bit.
I think it's underrated.
I think it can do a lot of things.
Although recently, since they introduced Bambdas, I also use some custom columns.
So things I used to do with Piper scripts, I now just have a custom column
with the Bambda and, uh, I don't know, extracting the GraphQL name of the operation,
(01:20:28):
for example.
I used to have a Piper script to do it; now it's
just, you know, another column.
So that was nice.
What,
what about them? It's a very cool feature, but they just like, and, uh,
I've been in an interview with them to give them some feedback, and they lack the
way to save, you know, your Bambda,
so you can quickly switch between, uh, code, you know, snippets.
(01:20:51):
Yeah.
For search.
Yeah.
For columns.
Yeah.
That's pretty cool.
Uh, what was the extension?
You mean?
Yeah.
Uh, at one point I used a bit of CSTC, I think it's, um, uh, it's
like an embedded CyberChef
inside Burp, and it can also do custom manipulations.
(01:21:12):
For example, all the operations that you're able to chain in CyberChef,
you can apply them to some incoming or outgoing requests.
And so, you know, when you're a dumb guy like me, who cannot learn Hackvertor, who
didn't take the time to learn Hackvertor, you have at least a graphical way to, you
know, move blocks with your monkey brain.
Decode base64.
So yeah, I like this one.
(01:21:34):
Uh, and then yeah, just mostly additional Bambdas.
Like for example, I know Ryan Ratter has, well, it was on his Discord,
I think, that I saw, you know, something with the HTTP header, just to
highlight, for example, the beginning of a sequence of requests; it's very
cool to have that Bambda to apply your specific coloring on the fly.
So you see the beginning of each sequence when you click
(01:21:54):
an action, something like that.
And that's pretty much it.
I started using Burp Bounty, but never really stuck with it.
Uh, and the JS result, to have the, you know, the JS stored
inside Visual Studio Code.
And outside Burp?
Outside Burp?
Um, depends.
When I need to do some fuzzing, it's good old ffuf.
(01:22:15):
Does the trick for me.
Really like it.
Uh, jq, of course, and JSON Crack to graphically explore it.
I really like the way you can quickly explore the stuff.
Let me think, because
I'm using many things.
Some extensions like Tampermonkey, you know, when you need to modify the
(01:22:36):
DOM quickly to remove some elements or do some quick actions, like, you know, to
remove the disabled part of something.
That's pretty nice.
Uh, I've got a self-hosted Interactsh server for
out-of-band interactions.
I've got a couple of DNS zones for, um, you know, um, DNS rebinding.
And, uh, various variations, uh, around that,
(01:23:00):
uh, man, I think that's pretty much it.
And of course you got to know some classic toolkit that once in a
while you go with, you know, some sqlmap or GW to track, but you
know, it's very specific to an issue.
Variations of DNS rebinding.
What did you mean?
If I'm correct, there are like three, four, five different methods, you know,
(01:23:21):
where the browser goes onto your website and then you hold it for a couple of
seconds and you change the DNS record.
There's one where you send two DNS records at the same time.
Uh, and, uh, I think it's Rhino who made a tool for that, which is DNS
rebind multi-A, something like that.
Okay.
There are other ways, also some variations to clear the cache by,
(01:23:44):
you know, saturating the number of DNS responses you send them.
So it's, uh, well, there were five or six variations, I think, in the tool
Singularity when you set it up properly.
And then you got other tools like DNS rebind multi-A and a
couple of other ones on GitHub.
Okay.
I didn't know all of them, so I have to check this.
Yeah.
It's cool to set up, but it's boring, because you
(01:24:07):
have to set up your DNS zone correctly and all the tools and so on.
And then you can just customize the JavaScript on the page and the tests.
It's cool.
Yeah.
How about AI?
I know you have some great ideas for using AI in the future, but today,
how does it help your hacking?
That's multiple levels.
Um, I don't know.
I love what Justin was saying regarding, you know, keeping
(01:24:32):
yourself in a good flow state.
And there's another French hunter called LaLuca who talks a lot
about that, about keeping yourself
in a good flow state and avoiding having
breaking interactions and so on.
So I love how, when AI is correctly integrated into your workflow, you
don't have to open Chrome, go to ChatGPT, create a new chat or something like that.
(01:24:55):
So I have a lot of bindings, you know, so I can interact quickly with AI.
I have a self-hosted LibreChat, which is, you know,
simply using the APIs of the most popular LLM providers.
And you can self-host it.
So you can have a nice graphical interface with all your
(01:25:16):
parameterized queries, your prompts, that are all correctly stored in one place.
Yeah.
So it's pretty cool.
And, uh, it also adds some other features.
For example, big-AGI, which is another application, allows you to do something
called Beam, which allows you to query multiple LLM providers with the same
prompt, so you can compare the answers that you like.
Uh, and sometimes there is also multi-step reasoning, for example, where you
(01:25:40):
take two or three different LLMs working on the same things, and then
make a diff and a unified response.
That's a lot of cool stuff.
Um, I started working with Daniel Miessler's Fabric.
So it's a CLI tool which has like a collection of prompts,
maybe a hundred, 200 prompts.
Very cool.
(01:26:00):
And so basically you can pipe anything into it.
So from your command line, you can say, for example, uh, sqlmap --help,
and then you pipe it into Fabric and specify the prompt that you want to use.
So for example, you provide, well, your inputs from your terminal into,
well, your AI agent and your pre-configured prompt, for
(01:26:22):
example, to ask it to, well, generate you the perfect sqlmap, I don't
know, command at some point in time.
And, um, it's very cool because it integrates natively, you know, into
your environment, but mostly, um, it has very high quality prompts,
and how to organize them and how to ensure that you get quality results.
(01:26:43):
So it's pretty nice as well.
Um, I was also starting to develop a Burp extension, you know, and I recently
saw Justin and his team sharing the integration that
they made into Caido, you know, you do a Shift+L and you got that.
And, uh, I was initially developing something like that for myself.
(01:27:04):
I got to check if I have the time and the strength to endure, you know,
coding in Java for that much time.
But yeah, that's the kind of thing
I do.
How do you see the future of AI in hacking?
Is AI going to replace bug bounty?
Not necessarily, but you know, as with all things, um, you know, and
the maturity level of different...
(01:27:28):
Sorry, the technical capabilities of the attackers also improve.
And so not necessarily, because for now we are pretty far from having the real, you
know, artificial general intelligence, um, and we are still stuck by context.
So context is pretty much everything.
It's the state machine, you know, and if you don't have, if you're
(01:27:51):
not able to maintain context for a long period of time, you're not able
to, you know, have a really meaningful in-depth assessment of something.
And that's why I talk so much about, you know, those little agents, this chain
of thought and the way to go around the limitations of not having enough context.
So yeah, maybe one day we'll be replaced, and that's not a bad thing, but
(01:28:14):
we will find other things to hack on.
AI is a black box.
No one really understands how it works.
Even like you've got machine learning engineers who work under the hood, but
it's a black box for a lot of people.
Once AI has replaced us, we will hack AI, and then we'll hack other things.
We'll hack quantum computers, I don't know.
(01:28:35):
Yeah, that's the good mindset, like, if the technology changes, we'll adapt.
There's always been a need for security somewhere.
Yeah, we can't be, um, like attached to a technology or to a specific time.
Like by nature, it's always evolving technologies, or rapidly, you know,
also deprecating, like how many weeks can you wait before there
(01:28:56):
is a new JavaScript framework?
Two weeks, maybe.
It's bound to evolve.
And, um, hacking is the art of learning, not necessarily the art of exploiting,
but it's mostly the art of learning and then applying those skills.
Yeah.
Good.
We'll come to an end.
Uh, tell me, what are you looking to achieve in the upcoming year, 2025?
(01:29:20):
Uh, basically, I'll try to keep around because of very cool events.
And of course we make big money with them.
And, uh, I need, I think, to keep building some wealth, very honestly.
Yeah.
And, uh, I'd like to also diversify myself outside of the cybersecurity world.
So for now I have side projects with AI, but I'd also like, for example,
(01:29:40):
to have, you know, some real-world businesses to ensure that, you know...
We are living in exciting times, but also very dangerous times.
And I think it's good to have like a little foot in the real world,
maybe a small restaurant, maybe a small house, something like that.
You know, something you can touch.
(01:30:00):
Great.
Thank you so much.
It was awesome.
Thanks for listening.
If you want to listen to another one, I recommend you, uh, this one
in the description and on the screen right now, with Louis from PentesterLab,
where we talked about getting into the field, learning about
cybersecurity and, uh, many other things.
For now, thank you so much for listening, and goodbye.