Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
XSS is still the most common vulnerability class, so there's a lot of bounties to be earned here, especially if, like my today's guest, you're so good at it that you can get bounties like 50,000.
(00:24):
We'll talk about this bug, about many other things, for example, how you can speed up your workflow by, instead of copying things from your browser to your terminal to run some tools, you can do things with one click from your browser.
Enjoy my interview with renniepak.
So hello, René.
Thank you so much for joining me here.
We're recording this in Prague, just as we finish the Elite 8 round of the Ambassador World Cup.
(00:45):
And it's great meeting you here, and thank you for being my guest today.
Likewise, thank you for having me.
For those who don't know you yet, can you please tell us a little bit about your background?
Sure.
I'm René, renniepak on most platforms, I'm from the Netherlands, I'm 40 years old.
(01:07):
Yeah, and I, my background, I studied at the conservatory actually, to become... like a professional school for music.
Oh, yeah.
So to become a musician, percussionist.
Yeah.
And while I liked my studies, I quickly realized that it wasn't really for me to be a professional musician.
(01:30):
Hobbies were fine.
But I did finish it.
So then, yeah.
Then I got my diplomas and the great journey started off, discovering what I do and did want to do with my professional career.
So I did all kinds of jobs, like starting in a call center doing support, tech support stuff.
Yeah.
And then slowly but surely I moved towards IT a bit more.
I think my first real IT job was like a tester, and at that time really working through big Excels, like click here and check that and then check mark, it's done.
(02:11):
Sounds very boring to me, to be honest.
It was, but then I moved to test automation and later to development.
Yeah.
And then.
I think my last real job was at bol.com, which is a big, like a retailer in the Netherlands and Belgium, a bit like amazon.com, but more localized. There I worked also as a tester in the beginning, then as a developer.
(02:35):
And then I became a developer in the security team of bol.com because they have some applications that are more sensitive in nature.
So I worked there and then I had the opportunity to make the switch to become an ethical hacker.
Yeah.
In the security team because...
Still within the same company.
(02:56):
Yeah.
Yeah.
And I was also responsible for the bug bounty program actually there.
And then, three years ago almost, I decided to become a full time bug bounty hunter.
And that's... So it's been three years already?
Yeah, in May it's three years.
So not there yet,
but it's coming there.
(03:16):
How is it going?
How do you like it after two years?
Ups and downs.
Ups and downs.
No, I still... I'm... Anyone that knows me and talks to me knows that it's a bit of a rollercoaster for me all the time.
So I like, I really liked having the freedom.
Yeah.
That's still one of the best parts still.
(03:37):
Oh yeah.
Also the freedom to choose what's interesting to you.
I really like that.
But I struggle with season, seasonal depressions, winter is not great for me for being alone in my workspace and typing away.
(03:57):
Yeah, and I, sometimes, sometimes I'll, I dislike the frustration and the drama around bug bounty reports getting downgraded or decisions you don't agree with.
So that's a bit harsh sometimes, but.
On the other hand, I'm also not prepared to go back to like office life.
And yeah, so that's still a bit, yeah, I'm still not sure what's next for me.
(04:22):
But so far so good.
I understand.
I also have some moments where, oh, it's bug bounty. It's annoying and you're getting frustrated or something, but then I really could imagine myself going back to a nine to five and it would be really hard at this point, but I think we all have times where it would be really nice to just have a job, don't care about anything, get the same pay, salary every month.
(04:44):
Yeah, exactly.
Yeah.
Same for me.
I was just telling someone that I made a mistake of looking, I filtered all my duplicate reports from the past years, and it was like two or 300 of them.
So, wow.
I really got frustrated with all the time that I lost spending there.
(05:05):
But yeah, that's part of the game.
Yeah.
On the other side, what there, on the other hand, what are the best sides about bug bounty?
Yeah.
Like I said, I really like doing stuff that I like.
Yeah, it sounds obvious when you put it like that, but obviously in a job you need to fulfill some task.
Yeah.
And in bug bounty you can really spend time on the parts, on just the parts that you're good at or that you like.
(05:28):
Yeah, that's the best part for me.
Also didn't say it in the intro, but you're the only person I know that has the payload tattooed on your, you can show it to the camera for the podcast viewers.
We're sorry.
He has the SVG onload XSS payload on the forearm.
And I think this is something every hacker thought about having it through like this at some point.
(05:51):
But you're the only one that I know that actually did it.
So well done.
So the three years, what, how does your routine look like now? And how did it change during this time?
I guess my routine is pretty nine to five still, actually, I'm a dad and a husband, so I just have a daughter to take to school and daily life is, yeah, it's just going as it's supposed to go for me.
(06:17):
I'm not really a nighttime hacker in that sense.
I try to stick to my nine to five and then it's okay for me.
(06:39):
I guess in the beginning I was more, how do you call it? Motivated to jump on new programs, pick up the low hanging fruits, et cetera, and race to get the first bounties. Nowadays, yeah, like I guess I just said, I'm working more towards what I'm actually interested in rather than joining the rat race for the first bounties.
(07:02):
So I guess that changed a lot.
Also in the beginning, I was really heavy on working on Intigriti, climbing the leaderboard, staying in the top 10.
And currently I don't really care about leaderboards anymore.
(07:23):
Yeah.
What is your main platform these days?
I think I don't, at this point, it's even with like Bugcrowd, HackerOne and Intigriti.
All three?
Yeah.
What is, how would you compare the differences between hacking on each of them?
(07:45):
Honestly?
Yeah.
Not a huge difference anymore nowadays.
No,
Because I've heard from multiple people that Intigriti has better triage.
I don't have a single bug on Intigriti, unfortunately, so I cannot.
I don't want to say anything bad about Intigriti because I really love them and I've done a lot on them.
But you can also, you do notice that they also are growing.
But you can also, you can, you donotice that they also are growing.
(08:06):
Like when I started back then, I was really in the beginning working on Intigriti and at that time you could literally send the CEO a question about your report on a Sunday morning and he would respond.
Of course, that's not something that's feasible when your company grows.
So it's only logical that they're becoming more standardized with their support, et cetera.
(08:32):
But it's still fine.
And I actually enjoy working all the platforms and I have also frustrations of all the platforms. Yeah.
So these days you just choose by who has the program that you want to hack.
Yeah.
Yeah.
Definitely.
Yeah.
How about events?
Do you attend a lot of them, this...
(08:52):
I did attend a lot of Intigriti events and then it's been like quiet for like the past one and a half year or something.
And this is the first one actually for HackerOne for me.
Let's hope it's not the last.
No, let's hope.
Let's hope we meet in the final.
Yeah.
Because the background is, for you at home, is that now we are at the quarterfinal stage.
(09:14):
If we advance through this stage, we'll meet again in the final round in Dubai.
Even if we lose the semifinal, we'll play the match for the third place.
So yeah, if we pass this round, we'll meet in Dubai in what, two months or something like that?
I think so.
In May.
I think.
Yeah, in May.
Yeah.
Correct.
(09:36):
So what was the, your main motivation to actually quit Avanti?
Because I assume for some time you were hunting for bugs after hours and working at the same time, and at some point you decided to quit.
What was the thing that actually motivated you?
Okay, this is the time to quit.
What was... right after Covid, okay.
(09:59):
I was already working at my previous employer like five, six years.
Yeah, it was like a natural time for me to look for something else.
Okay.
I had grown there, new experiences and I was, yeah, I needed to make a next step and I was always wanting to try bug bounty, like full time, but of course it's a scary step.
(10:22):
So I first saved a lot of bounties to have a financial buffer to make...
Yeah.
That's important.
Yeah.
Yeah.
Yeah.
And, yeah.
Yeah, and then I just tried it and still trying it actually.
What do you say to people that are considering quitting their job for full time bug bounty or are just about to quit?
(10:45):
I think the financial part is really important, to have a buffer to be able to fail not only for a week, but actually, yeah, I had a buffer.
I think I could fail for six months.
I could survive six months at a time.
Luckily, it's a bit bigger now, but yeah, I think that really helps for bug bounty because otherwise you'll get frustrated and, if you need the money, in my experience, it becomes even harder to find something. Something good.
(11:07):
I don't even imagine like having to rely on bug bounty for, let's say, next month's rent.
(11:28):
I cannot imagine myself in this situation.
I would be,
I think I would be just stressed.
Yeah.
Yeah.
And that, yeah.
In my experience that lowers your creativity as well.
So then, yeah, it all becomes harder and harder actually.
Yeah.
Let's now jump into a little more technical topics.
A year ago, or I guess now it would be closer to two years ago, you published a blog post with like your top vulnerability types.
(11:51):
The top one was XSS, the second one was IDORs, and the third one was access control bugs.
Would you still put them in the same order today?
I think so, yes.
So XSS is your favorite bug class?
Yes.
Yeah, it's a blessing and a curse in that sense.
(12:12):
Why is it a curse?
Like my last year wasn't as successful as the year before.
And that's mainly because I followed my interests.
It was, I did a lot of postMessage XSS.
Yeah.
Which I find very interesting and also very abundant.
Like it's everywhere.
(12:34):
Even this event, I found some.
The only problem is that it's often caused by third parties, because the technology of postMessages really links to like the relation between third parties and like main scope, because if you're in the same origin, you don't need the postMessage.
(12:54):
Exactly.
So often these type of bugs are like, partly correctly, blamed on the third party.
And yeah, and then you'll lose some money.
So it's hard to get paid for them, is what you mean?
Yeah.
Do you, when you look for these bugs, do you only look at what postMessages are being sent? Or do you also like manually see the source code to see what listeners are there as well?
(13:16):
Yeah, both actually.
Actually, yeah, I think I mentioned this before in another podcast, but I use Frans Rosén's PostMessageTracker.
Yeah.
And I actually made a lot of enhancements since then.
(13:38):
Also to actively alert me if some XSS sinks are already present in the listener.
Okay.
So then I'll get a pop up saying, check this out.
This sounds like it's more than just a source code scan.
It sounds like you're actually parsing, interpreting the functions.
(13:59):
No, it's much more basic than that.
So it's like really looking for if there's a href equals in there and it's probably something with, so it's really rudimentary in that sense.
But I really like, in any of my bug hunting, to have, I prefer false positives over false negatives.
(14:19):
False negatives.
Yeah.
So I'd rather check something out and it's nothing than the other way around.
Yeah.
Yeah, of course.
Yeah.
Is your version of the PostMessageTracker public or is it your private?
Okay, that's a shame.
Yes.
Have you tried other tools for postMessages, like DOM Invader has something?
(14:39):
Yes, yes, I have tried it and I occasionally use DOM Invader for if you need to spoof an origin.
Okay.
Because they can do just out of, it works out of the box.
Yeah.
But I typically just use Chrome DevTools, set breakpoints and, if I need to, change, edit data on the fly, yeah.
(15:04):
So you just write the postMessage in JavaScript consoles or stuff like that?
Yeah.
Yeah.
I see.
What other tools do you use apart from the PostMessageTracker?
Burp, of course.
I'm not that great with command line.
(15:25):
I use ffuf occasionally, but I'm like, my attention span is too short to keep waiting for the end result.
So typically halfway through, I'm like, ah, it's probably not going to find something.
Yeah.
And I have some other browser tools.
Like I guess people also know me for JavaScript bookmarklets.
(15:46):
Let's say I do a lot of browser stuff.
Also building small tools to help myself within the browser.
So yeah,
So you just write some JavaScript and put it as a bookmark to click it and do something.
Yeah, I remember, I don't know who mentioned this, that they learned this trick from you.
Could be, yeah, I have, yeah, I have one that is fairly known, that finds endpoints in JavaScript sources.
(16:09):
Yeah.
It tries to pull all the... yeah, that's the one.
I don't know who mentioned it, but I saw it, yeah.
Yeah.
I use this trick as well for, I don't remember the context now, but I had some mobile browser or maybe some other device.
And I wanted for some reason to execute JavaScript, but there is no JavaScript console there.
And I remember I used the, I saw this tip and I was like, oh yeah, I can do the bookmark with JavaScript.
(16:33):
And I don't remember what was I doing, but it's nice.
Yeah, I really like it.
I like it because it's quick.
I don't need an external tool.
I don't need to move away from my focus.
I can just click the button and move along.
Yeah.
I generally, I think I underestimate the bookmark button.
(16:53):
Sometimes, for example, I'm testing the OAuth flow.
And instead of going to Repeater or copying the URL, pasting it again, I just do the bookmark and I just go through the flow instantly.
It just feels so nice for some reason.
And I only started doing it recently.
I don't know why, but it's nice.
So would you say you're a manual hacker?
Yes, definitely.
(17:14):
Yeah.
So it's just Burp, browser and some fuzzing occasionally.
Yeah.
Yeah.
I think my main Burp tools are like Intruder and Repeater.
Yeah.
And that's it.
Yeah.
So I'm mainly a manual hacker, yeah.
Do you use any checklist?
(17:34):
It's, how do you call it in English?
I try to do it.
And then, after a while I forget about the checklists and I'm back to gut feeling again.
Yeah.
So yeah,
I didn't find myself so much with what you're saying.
I have created a checklist.
And sometimes I look at it, but it's like the last thing if I've already run out of ideas.
(17:56):
Let's look at that checklist and make sure it's everything, but I really would like to do it more.
I feel you will identify it as well that I would like to fuzz more because I do very much manual hacking and I struggle to fuzz things where I know the probability of it working is low, but if I do it like often enough, the probability probably will be higher, but I'm in the sense of, okay, I want to see the motivation for the payload I'm trying.
(18:17):
And if it's like blind, I'll just fuzz every input.
I'm not doing it.
And I think I should.
Yeah.
Would you say the same?
Yeah.
Yes, okay.
But I, like I just said, it was partly a joke and partly the truth.
(18:39):
My attention span is not good.
If I don't know if it's ever going to work, I tend to really quit ahead of time.
Yeah.
Yeah.
But it is a consideration, especially since last year wasn't great.
So I'm trying to move more again towards the IDORs and the access control stuff.
(19:02):
Which is also stuff that you can find in JavaScript sources, like endpoints, et cetera, that we just mentioned.
Yeah.
Do you actually use some productivity tricks to help with your short attention span?
No. You just power through it.
Except for putting on the noise cancelling headset with some focus music and try...
(19:25):
Do you still work from co-working?
No.
From home?
I don't.
That's changed since the last podcast.
Yeah.
Yeah.
So I had a co-working space.
It was mainly also to get out of the house, meet some people, et cetera, et cetera.
Yeah.
But in reality, there were like all self employed people on that floor, meaning that there was no one there all the time because most of the people working there had it like a backup place.
(19:48):
If they weren't at a customer, they would go there for a few hours and then not be there for the rest of the week.
So it wasn't really worth my money, so I moved back home.
(20:08):
Yeah.
Okay.
This is going to be a hard question because I sense you're very much an intuition based hacker, and it's always hard to ask questions about it, but what are some things that you do? And maybe when working with younger hackers or less experienced hackers, I want to say, they do not do the things that you do, or things they struggle with that for you...
(20:29):
Oh, that's easy.
Cool.
That's a really hard question.
It is.
It is.
It is really hard to ask about the intuition and I'm trying hard.
Yeah.
I guess it sounds like such a cliche, but follow something that you're really interested in.
(20:55):
Yeah.
I... Okay.
I often am amazed by people that claim on their social media that they have a certain methodology, that they always go step by step and doing this and that.
Yeah, I don't have that.
I think people ask about it, but nobody who actually hacks has such a strict methodology.
No, and I think some starting bug bounty hunters get blindsided by the methodology rather than getting to know the technology that they're hacking.
(21:20):
I think that's maybe something that can be a takeaway, yeah, that's good to know the technology that you're trying to hack rather than following a methodology to hack.
It's...
(21:40):
Yeah, I must confess. I use ChatGPT all the time.
And even when I worked in the office and ChatGPT didn't exist, I was asking colleagues questions all the time.
And now I have a colleague that always answers my questions happily for me, but often it's just about how does this work, the happy flow, not even trying to hack anything.
(22:05):
I'm just interested in how things work.
And then, when you have a good feeling about that, then you can start thinking about, okay, how can I abuse this. Yeah,
that's true.
And the word methodology is also something I noticed from the creator perspective, people ask about it all the time.
(22:26):
And sometimes my answer is like, each article or each video that I produce about how do I hack, you can call it part of my methodology.
So we can say I disclose part of my methodology every week when doing some part of content, but people ask about it like it was some kind of magic process or magic checklist.
(22:46):
And I think they do expect it to be something crazy, but the reality is what you say, the ability to use the app properly, the ability to be in a good place, do the happy flow, have the account, have the like KYC, whatever.
This is the part that actually, the part that sort of gets the bugs and not actually some magic payloads.
(23:06):
True.
And I think the only thing that I might do that a beginner doesn't do is I try, like with the JavaScript bookmarklets, if I notice, and I think that's really typical for IT people in general, but if I notice I'm doing the same thing over and over again manually, then I'll start automating stuff like with a JavaScript bookmarklet or whatever.
(23:30):
So I guess that helps in some cases to get to know your target, et cetera.
But yeah.
But sometimes we do use the more advanced tricks.
I saw your tool about, or maybe not a tool, the website where you've gathered all the CSP bypasses.
(23:50):
I really like it.
It's really good.
Thank you.
How often do you actually, you also sometimes do some challenges with a short XSS payload, something like that. How often would you say you actually need those things like CSP bypasses, short payloads, weird charsets to exploit an XSS in the real world?
(24:10):
Very rarely, actually.
Yeah.
Yeah.
The CSP bypass really came out of frustration of not being able to find a bypass, basically.
Because that's also the thing with XSS, you often have to show impact and you often have to find a bypass for a CSP.
(24:31):
And I got frustrated that probably every hacker that reports XSS to a specific program has to bypass the same CSP, and probably uses the same endpoint or the same library that's hosted somewhere in a whitelisted domain.
So I got a bit frustrated with that.
And of course you have the Google CSP Evaluator that works great and it has some domains somewhere in the code.
(24:53):
But it just tells you the domain.
That's hard.
Yeah, I was like, that would be a great idea.
Yeah.
To do it.
How did you gather all of these?
The first batch, I was basically like, I checked the Google ones.
(25:13):
Then somebody quickly told me to open source it so people could contribute actively.
So I did that.
So a lot of new ones came from that.
And also a lot came from just GitHub regex searches, just search for plausible JSONP endpoints.
(25:36):
Oh, I see.
Searched for Angular stuff.
So yeah.
How many sort of bypasses are there now in the tool? Do you know?
Don't know.
No, I'm not a hundred percent sure, but I think over a hundred at least.
That is great.
Yeah, there are many more, but I try to keep the list to ones that are actually useful.
(25:59):
I guess one guy was really actively contributing and he contributed some great stuff, but he also once got a list of a few thousand, they were all blogs, all WordPress blogs that had like a JSONP endpoint or something.
(26:21):
Technically, yeah, technically they could be used for a CSP bypass, but it was very unlikely that anyone would have it in their CSP headers.
So especially as I think every WordPress website has the JSONP.
Yeah, exactly.
So I typically, if I get a new one, I try to just do like a GitHub search for the domain name.
(26:42):
And if it's more than a thousand times in there in different repositories, then it's probably something that's, yeah.
Yeah.
Cool.
How about some xxxxx xx cross site scripting techniques like DOM clobbering? Have you ever exploited this in the wild?
No, no. Interesting, not intelligent enough to do that.
(27:03):
But I was speaking with Johan Carlsson in the last podcast and he was like, oh, this is actually more useful than you think, and I'm like, sure, cause I think it's not useful.
Johan is in a league of his own, yeah, he is crazy. No, I think the most advanced XSS I did was like prototype pollution, but also mainly from the public repository of BlackFan.
(27:28):
He has a few gadgets and, yeah, so that's still fairly easy and fairly...
Do you always look for these, for the proto pollution?
No.
What happened that time that you looked for them?
It was one of my failed attempts of automation.
(27:51):
I had some automation running for a while, but, like a true amateur, I did it on my home computer.
Just leave it overnight, et cetera.
It worked quite well and got some leads and I even got some nice bounties from it.
But, yeah.
Again, the attention span, once it breaks and I have to fix it like five times, I get bored of it.
(28:14):
Oh, so your automation found the proto pollution?
Yeah, I found some stuff.
Okay, that's good.
Yeah.
And now you don't look for it manually.
No, not enough.
Not enough.
I have a JavaScript bookmarklet for it, but I don't click on it as much.
Okay.
I should.
Is it for putting things in the URL bar?
Yeah, basically.
(28:35):
So basically, it just puts all of them in the URL bar and then checks in the console if it can find a polluted object, basically.
Okay.
And then, yeah, then you still have to find the gadget to make XSS out of it, but, yeah.
How do you do it? If you have seen the proto pollution and you need the gadget, what's the first thing you look at?
(28:57):
I think the same repository I just mentioned has like a short script to check for these gadgets, like just by looking at the important JavaScript files and determine if it's jQuery and stuff like that.
And again, I made a JavaScript bookmarklet out of it to just show me an alert, like, you can try these few.
(29:19):
So you took, created the JavaScript bookmarklets from it?
Yeah.
Oh, nice.
How many of these bookmarklets do you have?
Too many.
You have a full, yeah, bar.
Yeah.
My home bar is like full width and then, yeah, two more I guess.
That's nice.
I don't have a single one.
I think I should.
(29:40):
Yeah.
It's really nice again.
Yeah.
I use it for all kinds of stuff, like I have one for making a quick word list of all the words that are on the present page.
So once I had like a Swagger doc file and I wanted to use that as a word list for fuzzing further, I can now just click the button and I get all the words in the Swagger doc.
(30:01):
Wow.
So yeah.
So useful.
Yeah.
What are the other ones that you think are, what is the one you use the most?
The endpoint one.
Yeah, I think so.
Yeah.
And it's also a public one, because the rest, one I assume is your private one and that one is, yeah, I think I will share the word list one.
But yeah, that's it, because it makes the workflow very quick because you don't have to copy something from the browser.
No, exactly.
Even if you're proficient with bash or whatever tool you use, if you can do something with one click, it's just...
(30:43):
No, and that's what I really like, because every time I share one of these bookmarklets, people comment, oh, you have a command line tool that does exactly this, and I know, and it works, and that's... This is so much quicker and easier for me at least.
Yeah.
And that's going to be my resolution for 2025, to move my workload in this direction a little bit.
Yeah.
Have you tried some of the sort of client side hacking techniques that were new, at least for me, in 2024, like we had the cross window hijacking. We had the DoubleClickjacking, which, two days ago, I think, PortSwigger published the top 10 list and the DoubleClickjacking was I think number six.
(31:24):
Have you tried this?
Not really, actually.
I must confess.
I don't know both.
I don't know either of them.
I have some reading up to do.
They are interesting.
They are.
Yeah, it's something new, that there is impact of very creative techniques for sure.
(31:44):
I'm yet to know how well companies respond to cross window hijacking.
I already know that companies do accept that sometimes and they can pay really well.
The DoubleClickjacking, I don't think we've seen a public report that was rewarded, but we'll see.
I'll look into it.
Yeah.
I also saw you hacking a little bit on MetaMask, on the browser extension.
Do you spend a lot of time in general on browser extensions?
No, I would like to though, also because they also use their own kind of postMessages to communicate.
Yeah, it is crazy what happens there.
And also because I'm into the crypto thingies.
(32:28):
Of course all have their own wallet in their own extension.
So that's how I got into it basically.
It's not that I specifically look for browser extensions to hack.
It's more of like a side quest.
Yeah, yeah, yeah.
I think they are very interesting.
And the impact of the browser extensions is so big.
(32:50):
Because a lot of them just ask you for all the permissions on all the websites.
So if you can get something there, it is really serious.
I still have a lot of learning to do in that area.
Yeah, you probably listened to the Critical Thinking episodes with Matan about the extensions.
It is crazy what happens there.
I wasn't even aware that you have this so many different contexts, this post messaging from the page to one thing and then another postMessage.
(33:13):
It is crazy, but especially for you looking for a lot of XSS, it should be a very good area because the impact is so high with these things.
Yeah, definitely.
Similarly, like Web3, where XSS all of a sudden is so severe.
(33:37):
Yeah, so that's why, that's also why I'm moving, sometimes moving towards Web3 stuff. Typically, an XSS, a stored XSS in a Web3 program is like a critical, plus the bounties in Web3 programs are typically higher.
(33:57):
So yeah, from an XSS point of view, it's a good decision to do stuff in the crypto scene.
Your 50k bounty, was it on one of these sort of Web3 websites?
Yes.
Can you tell us what it was or is it not?
It's undisclosed.
I think people know what program it was, but I won't mention it.
(34:18):
But it was a, since you have multiple, it was an NFT marketplace.
Yeah.
And I had a stored XSS there that I got there because I deployed a smart contract, an NFT smart contract.
And what these marketplaces typically do, they'll just monitor the blockchain, and every smart contract that fits the format of an NFT, they'll just import and show in their marketplace basically. So I just, yeah, I actually found a few of those bugs on different marketplaces, and all have their own kind of problems, because for the one it's in a title, for another one it's like in a metadata URL.
(35:06):
Yeah.
So there are some different flavors in that, but the basics are all the same.
Like I deploy a smart contract and they fail to sanitize it or to encode it.
Yeah.
So pretty straightforward, right?
Yeah, basically.
(35:26):
But I guess for a lot of people, it's a really big hurdle to do like a smart contract deployment, et cetera.
Yeah.
Half of the audience now wouldn't have an idea.
Like, how do you send a smart contract?
Exactly.
So I did do some deep dive there, but basically, deep dive is relative because it's like a smart contract deployment 101.
(35:47):
Everyone can do this who is a blockchain developer, yeah.
And it's way easier than most people think.
So you need to have a crypto wallet and for the rest, it's like a few clicks and you deploy a smart contract.
(36:12):
Congrats on that.
It is a big impact.
Did you also, look for some webfree sort of server side stuff in
the smart contracts themselves?
Yes, I
have.
But I like, what I dislike about reallylike smart contract vulnerability.
(36:33):
hunting is that it's mostly code review.
It is, which sounds to me like a heaven.
Yeah, but I like, I also do a lot ofcode review and I found a lot of stuff
on like open source projects, etc. Butwhat I really like is like the, how would
you call it, is the gray box approachthat you can On the one hand, click an
(36:55):
application, intercept stuff, et cetera,and then use the code to determine,
what code paths to take, et cetera.
Yeah.
While with smart contracts,it's only codes, Really?
Can you Is it not possible to attacha debugger if you have Yeah, but
then you can only trigger stuff bywriting your own code, interacting
(37:15):
with a smart contract, basically.
Yeah, I see.
It's not really You won't have a UIto press buttons or whatever, and it's
not that I need it, but I noticed thatit's, yeah, not really my cup of tea,
But have you, learned it or are youat the level where you just thought
about it and decided it's not for you?
(37:36):
I've learned some stuff, but I'venever successfully found anything, no.
Okay.
I'm, in the, same boat.
I had a period maybe two or three years ago when I was learning a little bit.
I, I, at least then I knew about some bug classes in smart contracts, but I never
spent a minute hunting for them in the, in
the reward.
No, and it's hard because in, in some sense, they are so completely
(37:59):
different than the bug types.
You are used to like.
If I don't know if you like to lose a few cents somewhere in a smart contract,
then it's considered a high or a critical and in the real world you would like me.
Oh, okay.
Maybe they'll accept it as a low or something.
Yeah.
How about let's go back to, to web2.
(38:22):
you said IDORs and access control bugs are, still at
the sort of top of your list.
Yeah.
And.
For me, it is crazy.
How does it happen that these bugs often when they are found, they look like really
simple bugs, but still people like you, people at the, top find them all the time.
So how does it happen?
How, do you all still find all of these
(38:44):
bugs?
I don't know, In my case, again, it really boils down to, the manual hacking,
So I'm not looking for fuzzing, lots of endpoints, but typically, especially
with nowadays with these huge, JavaScript client side frameworks where like
(39:05):
basically all the endpoints are in there.
Also the admin endpoints are in there because the admin probably
use the same UI as you do.
But it has a lot of different accounts,but all the stuff is typically in there.
that's how I find that stuff.
and, where, actually where I did start to do some fuzzing is, recently it's like a
(39:27):
GraphQL, endpoints, especially the ones that don't have introspection, but will
say did you mean, if you put something in there, they will give you a response
with a suggestion that is correct.
did you mean this?
yes, I did mean this.
And then you can start enumerating all the stuff by yourself.
(39:48):
So I did find some stuff like that.
I also think you have some tools for it, but, I made my own scripts for it.
but yeah, is it a JavaScript book?
No,
yeah, I was about to ask you if you use the tool for this, but no, I did.
did you try the Clairvoyance?
Yeah, that's it.
(40:08):
Yeah.
It didn't work for me.
So for some reason, so yeah, I built my own.
Okay.
So what's, your workflow with, with GraphQL?
You see the GraphQL endpoint, you see there's no introspection, you run the
tool and then you manually go from there?
Yes.
Yeah.
And then I'll, just, so I'll try to have a tool to.
(40:31):
resemble like the typical GraphQL introspection schema that you
will
get.
Yeah.
It's not complete, but it does highlight, some keywords that
are potentially interesting.
So I'll try to manually reconstruct a query that, that uses those keywords.
Okay.
and go from there,
Do you just send it from Burp Repeater?
(40:52):
Yes.
Okay.
And do you switch, cause there are two or three GraphQL extensions?
Which one do you use?
Remember, don't
use them.
You don't use them?
No.
I think Burp has their own GraphQL tab.
Okay.
Nowadays.
Okay.
So I
use that. Okay.
Yeah.
Yeah, maybe.
Yeah.
I don't, I know there's InQL, there's GraphQL Explorer, a few
(41:14):
of them, but maybe they actually I'm using the, just GraphQL tab.
Whatever.
Yeah.
If it's just
in the Repeater tab, I think it's like Burp's own.
okay.
Okay.
Nice.
About the, and about the endpoints, 'cause the problem that I always
encounter when I find endpoints, I will send them to Intruder.
And then, if there's sometimes it's easy 'cause you have
(41:36):
variables error, or we need the
user parameter in this endpoint, but sometimes you just get the generic,
502, 500, 400, and how do you, first of all, how do you prioritize?
Because I imagine you will often have, I don't know, 100, 200 endpoints.
How do you prioritize which endpoints to, to focus on and then
(41:56):
how do you construct the request?
focus is really based on just what seems juicy, like I'll just scroll
to the list and if it's like a reset password or whatever, something
admin-y, then I'll, prioritize those.
and I either do what you just said, I hope that it will return
(42:19):
something like you missed this parameter, et cetera, et cetera.
That's the easy approach,
Yeah.
Another thing that I often do is like with these client side applications,
you can often trick it like just the front end into thinking you are an admin
while you're not an admin on the back end, but it will show you the UI, for
(42:40):
example, some sometimes it's as easy as, changing some JavaScript in the
response that says, isAdmin false, and then you move it to true and suddenly
you get a UI for an admin.
Yeah.
But what's
really, so sorry to interrupt.
Would you make this change in match and replace rules?
Yes.
(43:00):
Okay.
Typically, yeah.
Typically, yeah.
and other, yeah, other types that you'll see sometimes if you use an
endpoint and it will, give you a 401, then the JavaScript has some
parts that it will redirect you to the logout page or something like that.
Yeah.
then I'll just remove it completely and, Yeah.
I'll load it like that.
The part of the JavaScript.
(43:20):
Yeah.
The part of the redirection.
Yeah.
So you don't get to the logout screen anymore.
Yeah.
that's cool.
and what that really allows you to do is just click stuff that an admin would click
and then you don't need to minify or don't need to reconstruct the whole JavaScript,
et cetera, but it will just send a request through your Repeater or through your Burp.
And then you don't have to think about basically reconstructing the
(43:44):
endpoints and the parameters, etc.
Do you also, because I know Justin was saying about turning on some feature flags
and having success with this, which is like what you said about the admin panel,
but in a little bit different context.
Yeah.
Have you also had successwith this approach?
Yes.
Actually, yeah, I, think one fun finding I had once was like,
(44:09):
it was exactly that.
I think it was like, it had defined some user roles and I had the role user.
And I just, replaced it to the role admin and it showed the admin
UI
and basically nothing worked, except for, the password reset UI, which allowed
(44:30):
me to enter my, it was pre-filled with my own email address, but I could enter
any email address and it would show the password reset, yeah, to screen like.
So nice.
yeah, that was really nice.
Yeah.
How do you usually, like the feature flags, if they are in
(44:53):
the one request, it's easy.
But sometimes I think it's a little bit more hidden, maybe in the
JavaScript, do you sometimes get as deep to find these feature flags?
Personally, I've never spent time on finding the, feature flags or whatever.
Yeah, I'm
typically pretty deep into the JavaScript stuff.
Yeah.
Okay.
Sometimes even too deep that I get blindsided by, for example, like
(45:15):
if a backend request just returns the feature flags, it's much
easier to replace them there than to spend time in the JavaScript.
But yeah.
What other things are, cause yeah, we know you look for the postMessage listeners.
We know you look for feature flags.
What are the other sort of most important things you look for in JavaScript?
(45:37):
Because sometimes it's so much code, it's just hard to focus somewhere.
Yeah.
So like, roles, permission roles is always interesting, feature flags, endpoints.
And typically I think that's about it.
Typically if you have a juicy endpoint and then you try to dive
into that JavaScript and see what's happening around it, et cetera.
(45:59):
But yeah, I think that's mostly it actually.
And I guess it makes sense.
It's stuff that you won't have access to normally that, yeah.
It is.
It's
just, yeah, these, things that analyzing JavaScript is also something I would
really, like to ask you a smart question about it, but I know it's just impossible.
You just know how to do it and you know what to focus on.
(46:22):
But it's just called experience.
There's no question to ask
about it.
Yeah.
Yeah.
I, especially with the postMessages, I came to a point where I would just
recognize like the library based on the structure of the phy, JavaScript.
Oh.
Like the, it was a phy in a different way, but I was like, oh, that's the same.
(46:46):
No, not interesting.
Not interesting.
Yeah.
Yeah.
That's, but yeah, it's mostly experience.
Yeah.
Yeah.
And
experience with the, like the Chrome debugging tools is also really handy.
Yeah, it's really helpful.
Knowing where to set breakpoints and editing stuff on the fly is really useful
for getting to know the JavaScript.
(47:07):
Yeah.
Do you use the 'cause when you set the breakpoint, you can have the breakpoint,
logpoint and conditional breakpoints.
Do you use all three of them regularly or is it mostly
typical breakpoints?
Yeah,
basically it works.
Yeah.
Yeah.
Dev tools are very, powerful.
At some point I was not aware of how many features there are in the, in dev tools.
(47:32):
It was just all the, yeah.
It's super, super helpful apart from the discovering endpoints because also, okay.
One, one question for this.
So IDORs and access control bugs.
In your sort of, what are your definitions of these two bug classes?
Because for me, they are
(47:52):
Yeah, they're the same.
I guess access control in this sense is like an endpoint that you have
access to that you shouldn't have access to without an identifier,
Yeah.
That's the only difference in my mind, But
the sort of methodology is similar.
Find an endpoint that you shouldn't do and,
Yeah.
Okay.
Definitely.
Do you think that accessing these endpoints from JavaScript is the only
(48:17):
thing that make you find the access control bugs and IDORs, which other
people don't, that don't find, or do you think there's something else that
you also do that, could be the reason?
Not sure.
Not sure, honestly.
No, I don't know.
Yeah, it's, for me, it's crazy.
I don't have the, you say you have short attention span, but for these bugs,
(48:40):
from my perspective, you do, maybe not attention span, but you need a lot of
persistence to go through all of them.
Yeah,
that's true.
For me, I like, I check two or three, and I'll have a look for.
Yeah.
And I guess that's also tied to what you're interested in, Because I
have that, that, my attention span is short with five tools and such.
Yeah.
(49:00):
But for this, if I'm locked in, I'll, yeah, I'll forget to eat and drink
and such.
So yeah.
Good.
Awesome.
I also read you run something called Hacker Hideout.
Can you tell us what this is?
It's a bit stale at the moment, but, me and, Stefan, we have a, like a small
(49:23):
discord community with a bunch of hackers that we know, or that we get to know.
and we try to organize regular meetups.
So we had one last year, in May in Utrecht in the Netherlands, people
came from all over Europe, people from Poland, people from France.
And we did some hacking actually, where we arranged some private
(49:46):
invites for the afternoon.
We did some hacking, ate some pizza, hada few drinks and basically that was it.
Yeah.
and it's, It originated basically out of a need of doing like
these live hacking events.
Yeah, exactly.
But having the control of to do what you want to do basically.
(50:07):
And people don't need to hack when they come, but we like to offer
them the opportunity to hack.
yeah, it's basically just a fun side project where we get
to do fun events that we like.
Yeah.
Are you planning something for this year as well?
Yes, I'm actually, planning, I'm going to, we're going to make a plan next weekend.
(50:30):
Okay.
Hopefully
soon.
Any idea of the location or dates?
Probably the
Netherlands again.
Okay.
but, nothing is decided yet.
Okay.
I hope I get an invitation for it.
I've never been there and it would be cool.
Cool, cool.
Reason to go there.
I'll, I'll be sure to invite you And also for me, I, especially from the
(50:50):
interviewing the Critical Thinking podcast, I sense you also like struggle
with hacking, which is very, you do it alone and you don't talk to anyone.
Yeah.
And for me as well, I, I am a team player.
I like to talk with people.
That's why I like this.
this tournament as well.
And, yeah, so you surprised me with the, thing that you're
(51:12):
not no longer in the coworking.
but, yeah, for me, the, sort of shock connecting the, bug bounty, which
is very you go alone with the social aspects or the team competitions here.
I do really love it.
Yeah.
Yeah.
The,
origin of the Hacker Hideout idea was in fact, a bit broader
(51:32):
because I was struggling with it.
so my first idea actually was to have a, a flex working space, targeted towards bug
bounty hunters or hackers or IT persons.
And then, and then I was looking into, the logistics of it and looking into.
What, bug bounty hunters from the Netherlands would be interested
(51:56):
in an office space in Utrecht?
I could count like, 10 bug bounty hunters from the Netherlands who
were all over the Netherlands.
Probably not the best idea.
Yeah, this
is very, very, niche.
cool.
Soon head to the end of the interview because we have the show and tell soon.
(52:17):
Yeah.
But can you please tell me what are your goals for 2025 bug bounty wise?
focus more on
backend stuff,
Okay.
Are you planning to learn the web3 a little bit or you
completely let go of the idea?
No, I'm actually, I don't know if I can disclose the targets for this
(52:40):
round, but I actually looked into like blockchain node codes more.
Yeah, I think that thecustomers are public.
Okay, so I did that this round.
Yeah.
Wasn't really successful, but it did spark some interest to maybe do that.
on all the targets as well.
also, re-read some, blogs about other people finding stuff, by that approach.
(53:01):
So that's something I'm actually interested in.
And the funny part is that it's actually not specifically web3,
but it does, of course, have impact on these, these web3, programs.
So that's something I aim to do more.
Yeah.
Yeah.
Awesome.
Good luck with this.
Thank you very much.
Good luck in this round.
I hope Netherlands.
(53:23):
And Poland will advance to the next round and we'll meet, meet in Dubai.
Thank you so much for the interview.
Thanks for having me.
If you enjoyed this episode, also check out the one with Johan Carlsson.
That's on your screen right now and also linked in the description.
For now, thank you so much for listening and goodbye.