
May 14, 2025 72 mins
Interview with Jasmin “JR0ch17” Landry, a former triager and security manager, now a full-time bug bounty hunter. We discuss bug bounty strategy, mindset, and finding high and critical vulnerabilities.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
And I got a bounty for it.
Got a $1,000 bounty on my first bug, first bounty.
So I was like, oh, this is easy.
I found with time that showing impact will result in better bounties, and also better bounties means higher impact.
While still working full-time, I decided to apply as a triager at HackerOne.

(00:20):
And fortunately, I got the job.
I think I was always good technically, but OSCP gave me that mindset, like that hacker mindset that I did not have.
Sometimes you won't get any error messages, but you'll see that the application reacts differently depending on your input.
Hello JR0ch.
Thank you so much for joining me today for the podcast.

(00:42):
For those listeners who don't know you yet, can you please introduce yourself and tell us a little bit about your background?
Sure.
So my name is Jasmin Landry.
It's a French Canadian name.
I'm known as JR0ch17 on the internet, currently a full-time bug bounty hunter, but I started my career in IT in 2012, so almost 15 years now.

(01:04):
Yeah, that's a lot.
My first couple of years in my career I worked as a system administrator, so I worked a lot with Linux, networking for routing and switching, using products like Cisco, Windows as well, middle servers.
I did lots of certifications as well.
I was certified with Cisco, Microsoft, VMware as well,

(01:27):
which was big 10 years ago.
Not as much now.
And I did that for roughly four or five years.
And after a while I was, I wouldn't say bored, but I wanted more challenges.
I wanted like something more challenging.
And security was also something that I was interested in.
At school I had classes on security, but it was like really basics.

(01:53):
And I wanted to, I guess, work in security, but I wanted to do more than just basic stuff.
And obviously hacking or pentesting was something that I always wanted to do.
When I learned that we could do it as an adult, I was like, I wanna do that one day.
It was my career goal.
Yeah, I think so.
I think a lot were like this.

(02:14):
Yes, that's true.
So I worked my way to get there.
So while I was working full-time as a sysadmin, I spent my evenings learning, reading as much as I could.
I read many books on hacking, and did a few certifications such as OSCP, which to

(02:35):
me was like the game changer personally.
I think I was always good technically, but OSCP gave me that mindset, like that hacker mindset that I did not have.
Yeah.
Because as a regular person you would just do what the app tells you to do.
But the OSCP helped me get the hacker mindset of, can I do

(02:56):
something else that I should not be able to do?
Yeah.
And yeah, so I did the OSCP.
And then roughly six months after, I got my first job in information security or cybersecurity. I did stuff that was considered junior.
But I got my foot in, so I was like, okay, yeah, now I can focus on.

(03:19):
Was it more towards the networking since you've already had the experience with this?
It did help, like landing a job in security, and I did also like it, but I found that it was not a passion.
Yeah.
While cybersecurity, it was more of a passion.

(03:40):
Yeah.
Like I remember when I was studying, I had to, like, okay, go to bed late.
While I was studying networking, I did not have that passion.
Yeah, I see.
It was fun, but not like cybersecurity or hacking in general.
And I got my job.
I had colleagues who were pen testers.

(04:02):
I was not yet, I was just like a junior analyst.
I did help them on some automation tasks, or not automation, but like running ES scans and stuff like that.
And around that time, one of my colleagues did a bit of bug bounty.
He wasn't really good, but he was talking to me about it.

(04:23):
He was like, oh, you should try it.
Yeah, you should try it.
Yeah.
I was like, okay, I'll try it.
I registered on both Bugcrowd and HackerOne.
Tried, did not really succeed.
So what year was that?
2017. 2017. Okay.
Yeah.
I did find one bug, which was like luck.

(04:47):
On the Microsoft application, I just put in like a payload, and months later I noticed that it worked.
It was like a reflected XSS.
Yeah.
And I got a bounty for it, like a one K bounty on my first bug, first bounty.
So I was like, oh, this is easy.
You learn through this scam as well.
Yeah.
Yeah.
So this was like in February, 2017.

(05:09):
Yeah.
So I literally got my first job, I took it in January, so a month earlier.
So I started doing bug bounty one month later.
And then for the next couple of months, no bugs, no bounties, absolutely nothing.
So I was like, okay, I need to take a step back, improve my skills and get more knowledge on the topics.

(05:31):
So I did continue learning.
I remember having the HackerOne activity page open on my browser every day.
So every day I looked at what was reported, what was disclosed.
Yeah,
read it.
I looked at Twitter, back then, X now, what people were talking about, whether they were maybe disclosing bugs, or making public their research or writeups.

(05:58):
So I read a lot.
I read some more books on web application.
Do you remember the names of the books?
Yes.
It was the Web Application Hacker's Handbook.
Yeah, that,
I think I read that one.
Yeah.
Like a 900 page book.
Yeah.
Yeah.
It's a big one.
I think I read that one twice actually.
Because I think the first time I read it was like, okay, I understand.

(06:20):
The second time was, okay, now I get it.
You only have that.
Okay, I get it.
Now it's, this is the thing, this is like the time when you think you're ready.
So fast forward from February to August, in August I found my second bug, second bounty, another XSS. This one was a bit more complicated, so I was

(06:40):
happy that I was the first one on it.
'Cause I put in the effort.
So if it would've been a dupe, I probably would've been discouraged. Yeah.
So I was first one on it and got a bounty, and then the month after, started finding more bugs, and I was not really, I wouldn't say like a good bug bounty hunter, but I started finding stuff, had some dupes obviously.

(07:06):
So I was like getting confidence, but I still felt I was not where I wanted to be.
I felt like I could improve myself even more if I had the chance to learn more.
Yeah.
While still working full time, I decided to apply as a triager at HackerOne.

(07:27):
Fortunately, I got the job back then.
Yes.
I think this was December, 2017.
I worked at HackerOne as a triager for about a year, working 10 to 15 hours a week on top of my full-time.
Oh, so it was like a part-time?
Yeah, part-time.
Okay.
Interesting.
Yeah.

(07:47):
By triaging reports I learned that HackerOne does get lots of reports, not always good.
Some really good, yeah, a lot of bad.
We all know that.
But I was able to, I guess, learn, I would say learn how others work.
'Cause when we write a report, we don't always write like

(08:11):
how we got to that point.
We just explain the bug.
Yeah.
But it still showed me like, okay, I didn't know, I dunno, postMessage, that existed.
So now I knew that existed, that it was vulnerable in some cases.
So I was able to look into it, learn more about it.
Yeah.
And then learn how to exploit it.
After a year of triaging, obviously it's a job that's not easy.
So I figured, okay, I wanna spend those 10, 15 hours of

(08:33):
triaging and do hunting instead.
So I started doing a bit more bug bounty in 2018.
Had a good year.
Like again, also having a full-time job.
Full-time job.
So I probably did 20 hours a week back then.
I was like in my early to mid twenties, had lots of energy and

(08:54):
I was able to hack late evenings.
So I had a good year.
I had met Jobert, founder of HackerOne, and Peter Yaworski, who worked at Shopify back then.
So I had attended my first LHE, live hacking event, with Shopify, which was actually

(09:14):
in Montreal, ironically.
Oh yeah.
So I got my first LHE experience over there.
I remember finding a few bugs, but they were all closed as, I think, informative, because Shopify is not an easy target.
Oh yeah.
Especially as a beginner, it'll be even harder.
But again, I learned a lot while working with others,

(09:38):
collaborating with other people.
The show and tell obviously was insane.
I remember those.
Yeah, it's magical.
Yeah.
The show and tells were, like, critical to my learning anyways.
Yeah.
Yeah.
And then, with time, got invited to more LHEs and stuff, and while I was working at HackerOne, obviously had access to a lot of programs.

(10:01):
So like, I was not able to hack on those programs, 'cause obviously you would be cheating, so I hacked a lot on Bugcrowd.
My first couple of years, made my way into the top, I think 40 at one point all time on Bugcrowd.
And then switched to HackerOne.
'Cause I think they were doing a bit more events and my friends were attending

(10:22):
a lot of them, so I figured out,
yeah,
I want to attend those too.
So I did a lot of live hacking events, bug bounty part-time as well.
And then a couple of years ago, during the covid,
I was a bit tired of my job.
I wouldn't say tired, but I eventually scaled up.

(10:44):
I was not a junior analyst.
I became a pen tester, a senior pen tester as a matter of fact.
So I was hacking 40 hours a week and then doing bug bounty 20 hours roughly a week.
Yeah.
So it was a lot.
Yeah.
So I was like, okay.
Oh, my brain is tired.
So I took another job, which was not related to pen testing,

(11:07):
just like an AppSec job as a consultant for a six month contract.
Okay.
I could calm down my hacking stuff.
Take a breather and then still do bug bounty.
But like after a while, when I did pen testing 40 hours and bug bounty on the evenings, I was like, I'm not, I wasn't motivated.
Yeah.
So I wanted that motivation back, because I really enjoyed doing

(11:30):
bug bounty like in the past few years.
So I took that job, I did it for six months, and then after the contract I was like, okay, should I do bug bounty full time?
Should I take another job?
I was like, really debating.
And it was roughly a year after I had my, my, my son, and as a father, like

(11:51):
doing bug bounty full time is a risk.
'Cause we all know that.
Yeah.
It's not like stable income. Yeah.
We don't decide when we get paid.
With a regular job, you get paid every two weeks no matter what.
So okay.
I won't take the risk, but it wasn't online, so I

(12:11):
took a job in a startup in Montreal, as head of IT security.
So I was leading the whole IT department and security department, and the department was me.
I was alone.
I was the very first employee in security over there, in IT.
It was a startup that was founded like 10 years earlier.

(12:32):
So it was like a SaaS. It was a long startup.
Yeah, it was like a SaaS product, which had barely any security.
So even the employee side of things, like there were no like basic stuff, like antivirus on their laptops and EDR, there's nothing.
Yeah.
So I was like, okay, this is not what I was thinking of doing, but like the challenge is so interesting that I think I'll take the job.

(12:54):
So I took the job, and eventually hired more people, eventually put in like the basics in place, just to get like the regulars, because like, a regular company would have, as security products or whatnot.
And then a year later, we got acquired by Nasdaq, which was quite interesting.

(13:19):
'Cause I learned that the acquisition would not have happened, because of my work.
If it had happened like a year earlier, security would've been like an F on the audit for due diligence.
But when Nasdaq did the audit on the startup, we got an A plus on security.
I was like, man, this is really cool.

(13:39):
Yeah.
So I felt like really cool.
Yeah.
Like even when you had like the meeting internally where the founders were saying that we're gonna get acquired by Nasdaq.
I got a shout out saying, look, you can thank Jasmin, without him this won't be happening.
Yeah.
So that was pretty cool.
And then while joining Nasdaq, with the title that I had at the previous

(14:02):
company, with the work that I was doing, I got, I guess, hired as a senior director at Nasdaq in information security.
So obviously Nasdaq was way bigger than what I was doing, it had lots more departments, lots more people in security.
So I stayed at Nasdaq for roughly two years.

(14:26):
And then, again, still doing bug bounty as a hobby, part-time.
Now as a family, I could even do less bug bounty, but still did like maybe 10 hours a week on average, sometimes more, sometimes less.
And then, back in Vegas this past summer, for the live HackerOne

(14:46):
event, live hacking event with HackerOne, I took two weeks off to just focus on the event itself.
So that came, just took some time for myself and then hack.
Just have fun.
Yeah.
Yeah.
And had a time in my life, I really enjoyed it.
So I was like, okay, should I leave now?
Actually do bug bounty full time?
I was like, I can't think about it.

(15:06):
And this is like in August, right?
The live hacking in Vegas. In September I gave my resignation.
So I was like, okay, man, I think it's time.
I'll give it a shot.
Yeah.
Yeah, so I left Nasdaq at the end of September. First week of October, I was full-time bug bounty.
Obviously I took some time off for myself.

(15:28):
So 2024, the rest of 2024 was a bit quiet.
Did a bit of hacking, did a bit like recon building, just to get some passive income going.
'Cause I am like a deep dive hacker.
So recon is like not my thing at all.
Yeah.
So I did a bit of building, a bit of hacking, a bit of HackerOne pen testing

(15:49):
as well, just to get back into it.
And then starting in 2025, I'm really doing like full-time hunting.
And it's been going really well.
Yeah.
I saw your profile.
Yeah, I'm happy about that decision.
Yeah.
I get to work, work for me.

(16:10):
It's not work.
I'm just having fun hacking, but I do work a lot less than I did.
Yeah.
I've been playing, obviously as a Canadian I play hockey, I've been playing hockey a lot more, even during the work days.
Yeah.
I've been playing golf a lot more as well.
Golf is also another passion that I've been building in the past year or so.

(16:30):
So in the end, I work less and make more money and have like more free time for myself.
Yeah, that's great.
For my family.
So my son just goes to school now, so let's say he has a day off of school.
While it's not a panic at home, I can just stay with him, and we can go out, we can go to the park and do anything we want.
Yeah.
That's awesome.
It's not a big, yeah.
So if I need to take some time off, I just take it.

(16:51):
I don't need to ask for approval or whatnot, so I find that it's a lot less stress.
Yeah.
Even though we get, even though we don't get a stable income, in the end the income is bigger, right?
Yeah.
With bug bounty, for me personally, so I'm really less stressed.
And I've been really enjoying it.
Yeah.
So I don't regret it one bit.

(17:12):
Yeah, unfortunately for Nasdaq, but yeah.
Yeah.
No, that's great because, and also there's a thing that, 'cause obviously it's a podcast about bug bounty.
It's a podcast about making money, but I really like these bits where somebody says something about the work-life balance, spending time with the family.
'Cause I think this,

(17:32):
at the end of the day, this is more important in your life than an additional $2,000, additional five, $10,000.
And yeah, it's just invaluable.
It is.
Yeah.
And the time we will never get back, so.
I'm really happy to, I, sometimes I try to smuggle this into the podcast, but it's really hard, so I'm really glad to hear this from you.

(17:53):
Awesome.
Yeah.
And like stuff like really basic, like taking naps.
Yeah.
Like with a full-time job, nine to five, you can't really take naps.
Yeah.
And like when I feel tired,
I'll take a one hour nap, I'm getting old, have rest, because I feel like sleep is really something that I lacked in the past couple of years.
'Cause yeah, I was working full-time, doing my bounty on

(18:13):
evenings once in a while, so I feel like I need to catch up a bit.
Yeah.
I think maybe the way I have a few white hairs in my beard now.
Maybe I lack sleep.
So I'm trying to like, really work on my, my, my health.
Yeah.
Work-life balance, make sure like I'm really happy and healthy.
And for now I think bug bounty is perfect for me right now.
Yeah.
Yeah.
So you've mentioned a few different ways of learning.

(18:36):
You've mentioned books, you've mentioned just hunting, you've been employed as a pen tester.
You've mentioned some certificates.
Which of these things, these methods of learning, would you say are the most efficient in the context of strictly bug bounty?
I think it's really having your,
like deep diving and working with it.

(18:59):
I'm like a learner where having someone teach me, I won't learn as much as reading.
Yeah.
For some reason when I read, I learn, yeah, faster and easier.
But having like really testing stuff is, I think, the way to go.
Yeah.
Along with reading, for example, when at one point you will get stuck on something,

(19:21):
so you will have to look it up, which is equivalent to reading in the end.
Yeah.
So that's how I work in terms of learning.
Let's say I wanna learn something new, I will try to do it, or whatever it is, manually and then read a bit on it and go back to it. So for me personally,

(19:43):
that's my way of learning.
Yeah.
Yeah.
I see.
And I think it's easy to get lost in different methods.
'Cause they are very satisfying.
Getting a certificate, having a task done is very satisfying.
But I think just getting your hands dirty, right?
It's the thing.
I think so

(20:03):
too.
Yeah,
for sure.
So as mentioned, I saw your HackerOne profile recently.
It looks really good, with a reputation of, with an impact of over 37 in the last 90 days.
Yes.
Which is huge.
It basically means you have only crits,
almost.
Yeah.
Almost.
So what's the secret?
What happened recently?

(20:26):
I don't know.
I remember like setting a goal for myself, I think, for a long time.
If you look at my overall impact all time,
it used to be like around 20 something.
I was like, I want to increase that.
Yeah.
'Cause it's always fun.
Half really and a half.
Yeah.
So I think now my impact, what is it all time?

(20:49):
25.95 all time.
That's good.
It used to be like 20 ish.
Yeah.
So it's I want to get, Iwant to increase that to 25.
So like my average would belike equivalent of a high.
Yeah,
so in the past year or so, Ifocused mainly on highs and credits.
if I found a low, I would try to changeit with something else instead of
reporting it as is something for mediums.

(21:10):
I did submit a few mediums, but I think mostly highs and crits.
And even like for mediums, let's say reflected XSS.
I don't think I reported one XSS which was medium.
I've always increased it to high, and even in some cases it's critical.
Yeah,
yeah.
By basically taking over the account.
Yes, exactly.

(21:30):
And I found, I won't say it's a new technique, but like it's just thinking of how to use the XSS to show impact.
So I won't say I've submitted only XSS, obviously not, and actually barely any XSS, maybe like 10 maximum throughout the year.
But I did focus on highs, criticals, I did focus on

(21:55):
how to maybe better show impact.
For example, again, XSS as an example.
I used to just do an alert.
Yeah.
But I found with time that showing impact will result in better bounties, and also better bounties means higher impact.
Yeah.
So in the end,

(22:16):
showing impact on all of my reports, showing, I would say focusing on certain stuff.
'Cause I focus on everything.
But lots of server side issues.
And I try to chain issues, show impact, look for stuff that is a bit hidden.

(22:37):
Yeah.
And in the end, I reported lots of bugs that were high and critical, which increased my impact.
Yeah.
And now it's just like habit.
So let's say in the 90 days, it's 37, but now it's like the way I work, I look for stuff that everybody looks for, I think.
But I try to

(23:00):
show impact a bit more than I used to.
Yeah.
So what are your most commonly reported bug classes?
Probably SSRF, as you guys saw, or not yet.
I have,
I reported an interesting one.
So we,
we published it on YouTube two weeks ago.
The writeup with it together.
So if you haven't watched it, make sure you do.

(23:22):
'Cause it's an amazing SSRF with a huge impact.
And it's also
some techniques of both the exploitation and detection that are probably universal across more targets.
So definitely worth that.
Yes.
Sorry.
For sure.
One of my go-to ones, one of the bug classes I like to look for personally, on all kinds of applications.

(23:44):
But I will not ignore other stuff, either server side or client side, whether it's XSS or CSRF.
Yeah.
Path traversal, both client and server side.
SQL injection, XSS.
I'll look for everything.
Yeah.
Depending on what I see.
I'll look at it, but I tend to find more server side stuff.

(24:06):
My client side skills are limited a bit.
So I will rarely find anything related to the DOM.
DOM XSS.
I probably won't even look for it.
Yeah.
But I use like the JavaScript to find endpoints to look for server side stuff, for example.
Yeah.
So
I tend to find more server side bugs, a bit client side.

(24:30):
So yeah, a bit of a generalist I'd say.
Yeah.
When I was preparing for the interview I saw a big variety of different bugs you report, and also bugs that I ignore and I never look for them, so that's, oh yeah.
That's why I wanted to interview, for example, server-side template injection.
'Cause for me the problem of it is that in theory it can be everywhere.

(24:57):
I dunno, and I don't like putting the payloads everywhere if I don't have some clue that the bug can be there.
So what is your approach?
Do you just put the SSTI payloads everywhere, or do you look for some kind of clues that it can be there?
A mix of both.
So I used to be like you were, I would not necessarily put payloads everywhere.
At one point I was working on an app.

(25:17):
I had found absolutely nothing.
Yeah.
And at one point I put my payload everywhere and eventually it worked.
Yeah.
Okay.
Maybe I should put it everywhere.
So I started doing that.
But the, so sorry to interrupt.
Which SSTI payload do you put, do you have, that's the thing, a polyglot for all languages?
Not really.
It depends on the app.
Okay.
Because certain applications, depending on the language that is used, the template

(25:39):
engine will have its own syntax.
Yeah.
So let's say, a Python engine will be different than on Java.
Yeah.
From PHP, Ruby, it looks all different.
So I try to focus on what could be used in the backend.
Yeah.
For client side, I do have like more of a polyglot, 'cause I have AngularJS, Vue, which have a similar syntax in terms of templates.

(26:05):
But for server side, I try to be more specific.
Yeah.
Also to bypass the WAF.
'Cause in a lot of cases they block like curly brackets and whatnot.
If you're a bit more specific, sometimes you can work around it.
Yeah.
So yeah.
Technique now, specific, but I've put it everywhere.

(26:26):
'Cause I've had cases where it worked and I was not expecting it.
Does everything also mean like default headers, like user agent, I don't know, host header, or is it just inputs?
Just inputs, yeah.
Yeah.
And maybe you should try headers, as you're bringing up a good point, but yeah, just inputs.

(26:48):
Yeah.
For me, I dunno, I feel stupid for not testing so many things, but,
one thing I noticed is a lot of the applications, the way that they're built these days is your input is like on the application, but it will be brought elsewhere.
Yeah.

(27:08):
And sometimes those elsewheres will be vulnerable.
So your payload may trigger on that one.
Yeah.
So like a second order injection in this case. Yeah.
I had a few cases like that, with Ansible, where I put in my payload, like in my, my, in my email address.

(27:31):
Yeah.
And it eventually worked like in a totally different application.
I put my, in my payload, like I think seven times seven, like the typical, yeah,
testing thing.
And then my email address, it was like JR0 plus 49.
I was like, whoa.
And it was like totally different code, different everything.
It's yeah, something's happening on the way there or over there.

(27:52):
So yeah, I've been just trying to put it everywhere if I can.
'Cause you never know where your input will end up.
Yeah.
Do you have some kind, I dunno, a word list that you always put in the payload?
Do you manually type it into each input?
What's the, like, how exactly do you do it?
Just like a match and replace rule.

(28:13):
Okay.
So I have a, interesting, let's say I would put SSTI and in the payload it would be like my polyglot for client side, or, that's smart.
Or another keyword.
Yeah.
For server side stuff, I use lots of match and replace rules.
Just bypass like client side restrictions and whatnot.

(28:33):
Yeah.
That's super nice.
I never thought about this.
I use uman, it's called, okay.
But I don't use it enough, I think, and it does not always work.
Especially if you have some kind of weird input or whatever.
Okay.
Yeah.
So that's, yeah, I'm definitely going to use this from now on.

(28:53):
Awesome.
Another bug class I never find, 'cause I never test for it, is SQL injection.
Yeah.
You have, I saw a Twitter picture from last year, from 2024.
Yeah, you had some.
So it's still around.
I
found four more in 2025.
So
centuries.
Yes,
it still exists for sure.

(29:15):
I think like in the end,
for SQL injection,
yeah,
even if you have your database like in AWS, like I've forgotten the name,
but anyways, or like in Azure, it's still in the end the code that is vulnerable.
Yeah.
So the developers still code vulnerable code.
You'll still find some.

(29:36):
And so yeah, so the ones that I found this year were really simple.
Like I just added like a single quote and saw how it reacted.
It gave me an error message showing that it's probably vulnerable.
And indeed it was, and it's nothing really complicated.
Yeah, sometimes they are complicated, but the ones that

(29:57):
I found this year, 2025, it's just like single quote, send it to sqlmap and the rest is done.
Yeah, I think so.
It's literally minutes of testing. And yeah.
Yeah.
I think the exploitation part is the more doable one, I think.
Detection is the more difficult one.

(30:19):
Detecting it.
So I have a few methods of like testing, but something that is hard is identifying the database that is used.
Yeah.
Sometimes you won't get any error messages, but you'll see that the application reacts differently depending on your input.
So that is usually hard to identify.

(30:39):
In some cases, like the application is built on Ruby on Rails.
A lot of times it works best with Postgres.
So you can guess that it's Postgres, or PHP, it'll probably be MySQL, but you never know.
It can be anything.
Same thing for apps built on C# or Microsoft products, it will most likely be MSSQL.
Yeah.
But again, you never know, it can be anything.

(31:01):
Right?
Yeah.
So this is usually something that's quite hard.
We had a technique, it doesn't always work, but sometimes it does, for identifying what is used in the backend.
And it's really simple, just looking at like job applications or job offers.
Sometimes they list, oh, we're looking for a database administrator.

(31:22):
Yeah, this is what we're using, so okay, they use that.
So maybe that's what is used in the backend.
So sometimes that's just a simple thing that can work.
But, so yeah, they still exist in 2025.
Yeah.
I saw, I
saw in one of your, I think it was an article on Bugcrowd, that sometimes for recon you browse job applications.

(31:44):
And I was like, yeah, what information do you find in job applications? And yeah, that makes sense.
Yes.
I find that it's interesting 'cause,
and when you look at the application itself, you'll see like the language, like with plugins like BuiltWith, and with error messages.
You can see a bit what's used in the backend, but it won't go in detail

(32:05):
as much as like a job application.
Yeah.
I find that some companies have started like hiding that a bit, but some others, like they'll show like, oh, Elasticsearch, MongoDB.
So everything developers need to know, and this is a good indicator of what is potentially used in the background around that product.
Yeah.
Like I said, like your input can go from one app to the other.

(32:28):
Let's say it can go from the app to Elasticsearch, or maybe your data is stored in MongoDB, and then a job fetches the data from MongoDB and puts it in an admin dashboard.
Like you never know, right?
Yeah.
So knowing what is used in the product or around it, I think it's like an indicator, or not an indicator, but like it helps in terms of recon, for me personally.

(32:49):
Yeah.
Of what it could, test for.
Also, one thing I saw in one of the interviews, in the same blog post on Bugcrowd, was that you think about what infrastructure as code tools are used.
And my question is, first, how do we even determine this?
And the second is, if you know what tools are used, how do you use this information?
Yeah.
So this is like really context dependent.

(33:13):
So in.
When I wrote that article with Bugcrowd, it's 'cause I recently found an SSTI with Terraform, where my input landed in a Terraform file.
Okay.
So Terraform evaluated my input.
Okay.
It's a very specific functionality, isn't it?
Yeah,
it was, and in the end I could see that it evaluated because it

(33:35):
rendered it back to the application.
Yeah.
And with testing at the time I had no idea it was Terraform.
Yeah.
So I knew something was happening, but not sure what.
So with testing and all, I figured, okay, maybe it's Terraform, 'cause I worked with it in the past while I was working in AppSec.
Yeah.
I was like, is it that?
So I tested it and indeed it was,
yeah.
Was this some kind of functionality, which was it like testing a cloud

(34:00):
provider, which allowed you to deploy somehow something like this?
Yes.
Okay.
Not a cloud provider, but you could deploy like products, like you could deploy like WordPress and stuff like that.
Yeah.
Yeah.
I see.
So it's so context dependent.
Yeah.
So you probably won't see that like in regular applications.
But again, if it's something that you can deploy stuff, or maybe

(34:20):
sometimes not, it really depends.
Yeah.
But something that I only found once, with, yeah.
I see.
I found this, so it exists.
So maybe other targets.
Yeah.
And these targets are very interesting, right?
Anything built for developers is very interesting, at least from my experience.
Exactly.
Yeah.
Because the functionality is very complex.
What happens under the hood often, like, executes commands, creates clusters.

(34:45):
Exactly.
True.
This is very complex.
This is very hard to get.
True.
And they may not think about the security impact, or maybe you have some kind of separation, so they don't, we don't need security.
'Cause you have your own instance and then you have a client side bug.
Which allows us to do anything, and exactly, from my, yeah.
These targets are very interesting.

(35:06):
That's true.
One other bug class that I saw in your reports, and I also sometimes test for it, but rarely, probably not often enough, is XXE.
Because this is very specific, I guess this is not a case where you spam the payloads, 'cause you need like the XML parser to do it.

(35:27):
But do you have some experience of maybe cases where it wasn't so
obvious XML is parsed, but through some trick you made it parse XML?
not really, when I test for XXE it's 'cause I saw something XML related.
Yeah.
But what I did have luck with is look at features that people

(35:50):
did not think XML was used.
Yeah.
Yeah.
I
had one case, two years ago, I think, where.
what was it again?
I'm trying to remember here.
but yeah, you could convert, like a doc file or a PDF to, another file type.

(36:12):
Yeah.
And one of the options was, XLIFF file.
What, yeah, what exactly?
It proves a point.
So I looked at what is an XLIFF file, so X-L-I-F-F.
Okay.
And by looking into it, it was XML.
Okay.
So I just put a regular existing payload and it worked.

(36:34):
how did you get to, to, how did you discover a file like this exists?
type,
I mean,
in the options on the UI itself.
On application, you could do like a doc Excel.
Yeah.
PowerPoint, regular TXT, HTML.
And in the bottom there was XLIFF.
Yeah.
So probably people tested for DOC and PowerPoint, Excel.

(36:54):
'cause it's a known technique where you can, it's an XML document in the end.
Yeah.
That just compressed or zip whatever.
So people probably tested for that, but have they tested, I mean they also
probably tested from HTML to other stuff, but have they tested for XLIFF?
And you said what?
So yeah, you, yeah, exactly.
So have no idea.
I was like, probably not, Yeah.

(37:15):
So I tested it and it worked.
I was the first one and I got a bounty for it.
And yeah.
So I look for stuff where maybe people will not look or think XML is used.
Yeah.
I had another case on that same application, in regards to, sitemap
parsing, just a bit more of a known technique where sitemap is, an XML file.

(37:38):
Yeah.
So I had one case like that where you can give it like a remote,
sitemap file and it'll parse it.
and then XML XXE.
Yeah.
apart from that, like it's.
I won't necessarily put like XXE payloads blindly.
I'm just trying to find a function, that functionality or like
other, other XML related specs.

(38:01):
I've had luck with that as well, where it's like format that is
XML based and you can put XXE in there 'cause it doesn't expect it.
the parser won't expect it, but it'll still parse it in some, cases.
so yeah.
How, what do
you mean
other XML specs?
what does it mean?
So one that I found recently, I'm not sure if I can disclose, the

(38:24):
spec name, I guess it spec name.
It can be anything.
Yeah.
It's
called CXML.
Okay.
I forgot what cXML is.
We can look it up real quick.
commerce extensible markup language.
Okay.
And this is like one example, but there were others that I found in
the past, which, it was completely different, spec related to, I
think like translation stuff.

(38:45):
Okay.
and it was like, XML based spec.
so I just looked at the docs online, see how it worked.
and then in the end, maybe you can get an XXE with that.
'cause in the end it is XML.
So maybe the parser in the backend will parse it even though it doesn't look
like, not that look doesn't look like XXE.

(39:06):
It's maybe a feature that others don't think it.
There is XML parsing.
It's not as
obvious for not as obvious.
Yeah, exactly.
I see.
Yeah.
Yeah.
Although now I thought about this probably spamming the payload.
Once every hundred targets it will probably work as well.
Maybe.
Yeah.
Potentially.
Yes.
Yeah.
It's, crazy how many things we, probably miss as hunters in general,

(39:27):
right.
For like weird, things that happen that you can never guess blindly.
True.
yeah.
And
one thing as well that has, has happened in the past, recently is external
entities don't work, but internal ones do.
What's an internal entity?
internal DTD internal document.

(39:48):
Oh, yeah, I forgot what DTD stands for, document type definition, I think.
so internal DTD.
So instead of pointing to like your own DTD file Yeah.
You have to point to an internal one.
so I've had a few cases where external weren't allowed,
but internal ones did work.
So we have to test for both.
Yeah.
'cause I guess there's one that's default in Ubuntu.
That's like always Yeah.

(40:08):
Depending on the os.
Yeah.
You'll have always these files available.
Yeah.
Yeah.
'cause it sounds pretty, because the thing is you don't fetch
the DTD from your server.
You need to know a local DTD, which sounds like something that's really hard to know.
The black box test.
Right.
But there are a few that are.
In, I guess it was Debian that is always in the same directory.

(40:31):
And if you can use the file protocol, it's not like a guesswork, it's a
Exactly.
Yeah.
and there are, I have a GitHub repo, not, not mine, but like I starred
a GitHub repo that has a bunch of payloads containing, internal DTDs.
Yeah,
that's pretty interesting.
So I usually just use that list, test it out.
'cause in the end you're a black box.

(40:52):
So you don't know what OS is used in the backend.
Yeah, I think I, or not the
backend, yeah.
I think I remember using this repo once as well for, something.
Yeah.
So for XXE I keep in mind testing for internal DTDs as well.
'cause yeah, I found that not a lot of times, but sometimes, like I said, by
default, I think now more, nowadays, by default they disabled external DTDs.

(41:15):
But maybe forget about internal ones.
Yeah.
Yeah.
That's a good one.
Good.
These are, the bugs that were, that are painful for me.
'cause I, know I miss them because I just don't test for them.
I don't know why, but, yeah.
Another bug that I do actually test for, but I, I want to test more.

(41:37):
'cause I see the potential secondary path traversal.
Yes.
How, is your experience with them?
One of my favorite bugs, I test it for on every app that I, use.
Yeah.
If I see that it's probably happening,
I, it's not something that I found often, but I do look for it and then I
think, it can be like a really impactful bug if you're able to show impact.

(42:02):
Yeah.
it's funny 'cause when I was, when I started looking for that, it's roughly
the same time around, when Sam Curry published his research about it.
And I actually asked him, have you seen this before?
'cause I know this, it's his type of thing.
So he's oh, I'm actually doing a, research on it.
I published it like in the, week or something.
It was like really late.
Yeah.

(42:22):
Around the same time I say, oh, cool, I'll just look it up.
and yeah, like I said, it's, common.
It's not something that I've found too many times, but I think it's
sometimes, a lot of times it's hard to, I mean it won't be verbose, a lot.
It'll show that maybe it's happening, maybe not.
Yeah.
Depending on the error message.

(42:45):
and there's a lot, lots of guessing work as well needed if it's a bit blind.
Yeah.
Do you fuzz all the path parameters or all, the parameters or what?
I
go a bit logically.
Okay.
'cause some parameters, for example, let's say it's like a,
a JSON body of a, POST request.

(43:06):
If the parameter is like id, then let's say it's like a digit, then maybe in the
backend it, there will be like a call, let's say API v1 slash object name.
Then the ID.
Yeah.
So maybe this is a good parameter test.
Yeah.
If it's, let's say like a parameter just looks more like a metric related, for

(43:27):
example, it'll have like your Chrome version for example, then probably not.
Yeah.
I try to go a bit more logically.
but I, would test every, that I, let's say, I'm not sure.
It's like really specific to the application.
And I would test maybe all parameters to check.
'cause you never know, right?
Yeah.

(43:47):
so yeah, that would be my approach.
Yeah.
'cause yeah, it makes sense to basically test every parameter
that can be in the path later.
That test would make sense to test.
So most of the time it's gonna be IDs, Maybe a
type.
And, regarding to that, I discovered a new, I won't say new technique,
but something relates to secondary path traversal, with GraphQL.

(44:12):
I'm gonna.
Talk about it, at a future conference.
But, I think we need to keep in mind that it's not always just like
an API, a REST API in the backend.
Could be something else.
Yeah.
yeah, I think it'll be a fun, yeah, the,
the backends can be really, complex.
I wait for the full talk.
but yeah, we see many times that what happens on the backend can be crazy

(44:37):
and, that, we don't expect can happen.
yeah, it's nice when, you fuzz for the, secondary path.
'cause I guess for template injection, usually you need like one payload.
Maybe two or three, for different engines, depending on the
technology for secondary path traversal.
how many payloads do you test?
'cause I guess you need different depths.

(44:59):
I need, you need different, iterations of, your encoding.
So how long is your, wordlist for fuzzing?
I actually rarely fuzz.
I do it like.
Manually.
Okay.
Just see how it reacts.
Okay.
my typical go-to is like traverse back one path and comment out the rest.

(45:19):
So I put like a question mark or hashtag
Yeah.
with URL encoding or without, depending on, on what's going on.
'cause a lot of times if you're not giving it, what it's expecting,
it'll give you an error message.
Yeah.
so if you just comment out.
The rest of the, URL maybe there are hardcoded parameters that you're

(45:41):
not seeing, in the code and that in the error message it'll tell you,
oh, you're missing X parameter.
Yeah.
So that way you have an idea that, okay, maybe there is
like a path traversal here.
or just like the path itself, it's if by going back one it may say oh, object
X or whatever's going on is not there.
Yeah.
So it gives you an idea of something is happening in the backend.

(46:05):
Yeah.
Now you mentioned actually, 'cause I do have, I do use a longer, list,
but when I test manually, I would start with going back and going forward.
Right now, I think actually you, you say it maybe putting in a question mark.
Is more likely to give us a useful error rather than anything else.
Question mark.
Maybe the, full URL is like your input then another path in the end, right?

(46:30):
Yeah.
So
if you put a question mark, it'll remove everything else.
Yeah.
So it'll give an error message indicating what is happening.
if you just put like a, let's say double slash or whatever without removing the
rest, it'll just say maybe not found.
Yeah.
Compared to if you put a question mark, it may be more verbose.

(46:52):
Yeah.
Yeah.
Yeah.
That's interesting.
And also,
if there's some kind of filter for the dot slash, which I think is
rare, but probably can happen, you are not gonna have problems with this.
True.
Yeah.
Yeah.
Especially if the input is in the body.

(47:13):
obviously it depends on the WAF.
Let's say Akamai is really annoying with the dot slash
Yeah, but
other, but usually like you can get away with it just with the regular,
yeah.
Yeah.
It's the body.
It's not a problem,
but it, sometimes you need to encode it.
really depends on, the context of the, application.
Yeah.
Yeah.
So we mentioned GraphQL.

(47:34):
I know the research is coming later, but, in general, what's, your
methodology for, testing GraphQL?
I guess you.
So you, start by checking the introspection is enabled.
Yes.
That's usually my, first thing that I do.
I find that it's disabled most of the time, unfortunately.
Unfortunately.

(47:55):
so what I do typically first is try to find the queries
themselves in the JavaScript files.
a lot of times they'll be there, so just look for like query space
and Yeah.
Yeah.
It's easy to grep for.
Exactly.
or just like the operations name and try to, find, those, queries or mutation

(48:16):
that way I, let's say I do have a query, a valid query and it works.
I try to add more parameters to it, see if I can get those in response
or disclose more information that I would not be able to access.
secondary path
traversal's also, one that I've had success with in GraphQL queries or mutations.

(48:37):
Okay.
yeah, so, you would use the dot slash or whatever the character in
like a variable, as the variable?
Okay.
Yeah,
yeah,
typical stuff like DoS, like non-GraphQL techniques.
Yeah.
I call hacking techniques.
Yeah.

(48:57):
Yeah.
How successful are you with reporting the denial of service bugs?
Not successful.
When, they are mentioned
as in scope.
not successful 'cause everybody probably tests for it.
Yeah.
I actually started like not testing for it 'cause I found that the
impact's not always there either.
'cause a lot of times it'll just DoS GraphQL service.

(49:20):
Yeah.
Everything else works.
And then, sometimes impact's there, sometimes not.
Depends on, application, but I just started looking for other, stuff.
Yeah.
Yeah.
And also if you're testing the target, which you showed the writeup from LA
recently, which has separate instances.
Sometimes you, can only DoS if it's a post authentication, sometimes

(49:44):
you can only DoS your own instance.
Exactly.
Yeah.
If, that's a DoS and you have to be a user of the organization
which you're DoSing Yeah.
The impact is really
low.
Exactly.
Yeah.
And yeah, and I had this case recently, I reported the denial of service.
'cause the response time was really long.
And turned out that I could, even though my instance was, was,

(50:09):
having a long, response time, the other instance was unaffected.
Okay.
So even though it was like a very similar case to what it, what you described,
like the domain was similar, so I assumed some resources are shared as well.
it still was separated enough that the DoS just didn't affect the
users, so it was, pretty useless.

(50:30):
One thing as well that I just remembered, that I test for, a lot of times the
query or mutation will be in the body request, but if you put it as,
a GET request, sometimes it'll work.
So that can help in terms of CSRF or whatnot.
Yeah.
Yeah.
Sometimes it works and usually if it works, it also allows mutations, doesn't
it?
I don't, know.

(50:50):
Maybe I, I haven't, I think last time that I found it, it was only
queries, no, it was mutation.
'cause I reported it as a CSRF, so I did an action.
Yeah.
Yeah.
I said about the question, I realized it doesn't really make sense.
How about, on the Critical Thinking podcast, you mentioned,
a very interesting bug in DOMPurify.

(51:11):
Can you please remind, us or, tell the users that didn't listen?
what was the bug?
Yeah, sure.
so it was a case, where DOMPurify was used along with, obviously Chrome,
and DOMPurify did block the meta tag, but for some reason it still,

(51:31):
existed in the dom, I guess in Chrome.
Yeah.
Yeah.
The bug itself was, I was able to leak, an OAuth token by putting
the meta tag, which, what was it?
The referrer policy so that the token would be sent through, I think an image, I think

(51:54):
I put an image, payload image tag, yeah.
as part of my HTML injection payload.
so that way the cookies would be sent to the URL along with the token.
and from what I heard recently, just last month, that technique still works.
So it still applies, probably today.

(52:16):
I guess Chrome or DOMPurify has having not fixed it, so Yeah, because
the bug is the.
When your HTML on the client side is being parsed, maybe you have, a, very
restrictive, list of allowed tags and usually meta tag will not be allowed.
Usually.
Yeah.
But, still, after parsing it,it is applied to the website.

(52:38):
So even though.
DOMPurify, the HTML sanitizer, returns.
Strips it.
Yeah, strips it.
It's still in the website,
right?
Yeah.
Yeah.
That's a very cool bug.
I stumbled on it like a bit by chance because I was literally just trying any
payloads, thought of meta, of meta tag 'cause it did apply to my scenario.
Yeah.
and I later learned through Critical Thinking of how to look for the

(53:02):
allow listed tags in DOMPurify.
So I did not do that last time, which was literally just like
trying some, trying some stuff.
Yeah.
and yeah, like I said, ended up working and then still works to this day.
So even if DOMPurify blocks it.
Yeah.
It
still for some reason applies in the DOM yeah.
Yeah.
So if you have DOMPurify on the client side and you have something

(53:25):
sensitive, you can put in the URL, use this 'cause it still works.
So Yeah, it's a very interesting bug.
I'm trying to think if I have some target using it.
Maybe.
'cause DOMPurify is used often a lot more.
Yeah.
Than it used to be like just two or three years ago.
Feels like now it is everywhere.
Yeah.
I think it became the standard.
I
think so, yes.
Which we should be happy about.

(53:47):
At the end of the day, we wouldn't think to be success, but as
bug hunters, we, not, which means they do a good job of Right, exactly.
Of being hard to bypass.
That's true.
speaking of, of OAuth, so if we have, this bug which allows us to,
to leak the URL, but for, this to.

(54:10):
To be a valid attack, we have, we should put an unused code in the URL, right?
So what are some methods we, can do it with?
so when I test for OAuth, I find it like so many attack scenarios and techniques.
So I usually just open up, Frans Rosén's, like dirty
dancing article, which is great.
Yeah, it's awesome.
Just
trying to think of okay, I should maybe try this and that.

(54:33):
I also look at the, I think there's a guide for OAuth.
hacking, like created from OWASP, I believe.
sorry.
OWASP OAuth hacking guide.
yeah, so look at that for like ideas.
but a lot of time I just look for the basic stuff.
can I send the code to, an attacker server, attacker owned server

(54:56):
through the redirect URI parameter?
is the state validated?
what else am I, what am I missing in terms of, the, basic regular stuff?
Yeah.
Yeah.
I remember after the article from Frans, I started
testing it on every flow.
But I, got to a point where usually it's, if there's a, the OAuth flow,

(55:20):
it's fairly easy to break it.
And to, land with the code on the page.
the harder part is to leak the URL.
Yes.
Yeah.
usually it means needing an XSS or the one you mentioned, or the
one he described was some kind of XSS, but on the sandbox domain.

(55:40):
But it is allowed to, leak the, URL, but it's usually quite
difficult to do, unfortunately.
Yes.
Yeah.
And then like you said, so you need an XSS, but you already had an XSS, so
you don't often, you don't always need to exploit that part to do something bad,
Yeah, you can, you can probably use it as a gadget to show the impact of
the XSS if you cannot address it, change the email, stuff like this.

(56:03):
Yes.
actually reminded me of something.
One thing that did work recently is something that
Doyensec, published recently.
Yeah.
I think also Justin spoke about it in Critical Thinking.
I think they called it client side.
No, client application.
Fusion
Client application.
Oh, I know
what you mean.
Client id, yeah.
Confusion.
Something like that.
Yeah.

(56:23):
Yeah.
actually I think I pulled it up here.
I wanted, I remembered I wanna talk about it.
Yeah.
The blog post about it is very good.
Yeah.
I actually don't, so yeah.
you can create like your own, if you can, depending on the context.
Yeah.
Use like different client id.
Sometimes they won't validate the client ID.
But once it's time for the application to validate the token, it'll notice

(56:45):
that it's not, for the client.
And, so the token will not be consumed.
So you can try to steal it in another way or not.
But there are ways by manipulating the client ID where you can get
access to the token or, Yeah.
Lots of testing to be done with, with OAuth.

(57:06):
and also I remember one bug and I tracked the origin of why it was possible.
'cause it was possible to use, like my client to authenticate
to somebody's instance, right?
Yeah.
it was using Cognito.
Okay.
And I tracked back that in the AWS documentation there was, or still is,
I haven't checked, a code snippet to, to validate the, token in that case.

(57:29):
And this code did not have, because basically what you need to do in, in
that case, it's to validate the issuer.
If it's the one you are, you're trying to authenticate user against.
And basically the code in the docs didn't have this validation of the issuer.
But the docs said, this code does not have the validation of the
issuer, but for the production, code, you should do it yourself.

(57:53):
Oh really?
But of course, the developer would copy the code and use it as this.
So, it'd work like this.
I think they did fix this part in documentation, but it was very kind.
Yes.
I also remember one OAuth bug from, whoever it was, recently.
I remember it was, I wasn't answering that 'cause I had something that I had tested

(58:15):
for, in the OAuth flow, the product, the.
Application, there were like custom parameters that were added in the OAuth flow.
Yeah.
And I was like, it's probably just like metrics stuff, like for them
to know who connected from where.
it turns out that by manipulating those, parameters, you could just put
any redirect URI and the token would be redirected over there.

(58:40):
So since the custom parameter had like arbitrary data, it like did dirty
dancing and messed up everything.
Yeah.
so yeah, it was one case where I was like, oh, I should have thought about that.
Wait, so another parameter was used as the redirect, right?
No, like another parameter was part of the OAuth flow.
Yeah.
It contained, I forgot what it was.

(59:01):
but just like something that.
It's not necessarily part of the OAuth spec and the regular OAuth flow.
Just like an arbitrary like
yeah.
Parameter specific to the application.
Yeah.
I see.
And by manually manipulating it, you could put in any value as your redirect
URI parameter, you can redirect it.
It could redirect the code anywhere.

(59:22):
Yeah.
Yeah, That seems, yeah.
I always love to see the, custom parameters or when the state is like
a JSON and contains Yeah, true.
I love to see this, but when
there's like the, PKCE thing with a challenge
Yeah.
you just remove those parameters.
Sometimes it works,

(59:42):
Yeah, yeah,
how successful have you been recently with the typical redirect URI
takeovers where the redirect URI just isn't validated properly?
it's been a while.
I think last one was through like a path traversal in the redirect URI.
Yeah.
So it stays on the same application and same origin, but you need an XSS or something

(01:00:05):
or like a redirection with the meta tag, whatever, another technique to leak.
Yeah.
or redirect.
Or the redirect.
Yeah.
but it's been a while.
I found I think a few last year, but I don't think I found one yet in 2025.
In regards to OAuth or,
yeah, it's hard.
The programs are starting
to configure it a bit more properly, but I think there's always some,

(01:00:28):
weird bug thing around in OAuth, so
Yeah.
Yeah, of course there is.
And you have some hidden parameters that lead to that are just forgotten and
the validation is exactly not there.
You know what bug actually reminds, it reminds
me of one bug actually, and it's quite interesting.
and part of the OAuth flow, like I manipulated the scope part.

(01:00:49):
Yeah.
And I added myself a privilegethat I usually do not have.
Yeah.
And in the end it was redirected to.
Arbitrary host that I did not even know existed.
Yeah.
Because of a different scope.
And it gave me like, you're not allowed to access that permission.
Yeah.
But it was, the token was sent in the URL on the other host, so I

(01:01:11):
just found another XSS on that other host and then was able to
leak the token in the whole flow.
Flow.
Yeah.
That's interesting.
Yeah.
It was the one was weird.
Yeah,
because why would it redirect to a completely different host?
doesn't make sense.
Yeah.
What was the other host?
Was it like a server.
It was like server or something
like this.
Some kind of SSO server, but it was not used.

(01:01:32):
It was like used for another product.
Yeah, I see.
Completely.
Yeah.
That, that's cool.
and usually it was like in the login or like some kind of SSO, but
usually like in login application.
Yeah.
But that one was sent to completely different one, which was not even
used as like, what, for my application.
Yeah.
Yeah.
I see.

(01:01:53):
Do you often test for, let's say lower severity OAuth related
bug where, for example,
When you go through the authentication flow with some restricted set of
scopes, and then you want to redo the authentication flow, but with
more scopes, it should reprompt the user to confirm the new scopes.

(01:02:13):
So if, there's no reconfirmation, it's like a lower medium level bug.
there are a, few different ones as well.
I know Johan is sometimes looking for, bugs like this.
Do you also spend time on this or.
Because of your resolution to look for highs and criticals you ignore.
Yeah.
Not
really.
Maybe I should, maybe it could lead to like more, more bugs and

(01:02:34):
more interesting bugs that can maybe chain with other stuff.
but yeah, I usually just try to leak the code somehow.
Yeah.
Yeah.
Because it leads directly to an ATO which is my goal for OAuth.
Yeah, for highs and crits.
That's, the only goal.
Yeah.
Because the other, why do I have started recently to hunt?
'cause I, hunt on the target that paid really well for mediums.

(01:02:57):
so I also hunted for these attack scenarios that are a little
bit more difficult to exploit.
'cause the attack scenarios, like the app is the attacker.
So it has more privileges than it should and it's clearly a bug.
Right.
But the attack scenario is not there.
But on a good target that pays, like for the, this target paid up to

(01:03:17):
1000 lows and up to 8,000 mediums.
Okay.
Yeah.
That's worth it.
That's, worth it.
Yeah.
Awesome.
And I think there's a lot of, bugs like this, but it's quite difficult
to test or it's a bit annoying.
Yeah.
But yeah, sometimes it is worth it.
Okay.
Last, question, 'cause you said that you are more like a deep dive

(01:03:39):
guy, more like a manual hacker.
But you did build some automation.
Yep.
So what does the automation do?
it's pretty, I wouldn't say simple.
Like I don't do like any nuclei hacking or, scanning.
'cause I feel like everybody's already doing it.
So it would be a waste of resources.
Yeah.
And time to do it.
So I have put like an infrastructure in place where.

(01:04:01):
I get alerted when a new app, has been put online
on, internet.
Okay.
By, from the DNS sources.
Yeah.
DNS.
Yeah.
So it sometimes it resolves actually a lot of time.
It doesn't resolve.
But at least I know when it's there.
Yeah.
And I put like a bot in place that would constantly test the resolution.

(01:04:22):
no, sorry, lemme start again.
So I have a, a tool in place where, it alerts me of new assets.
whether they're on internet or not.
Sometimes it resolves, sometimes it doesn't.
Yeah.
If it does resolve, I'll do httpx on it, see if HTTP is running, if it
doesn't, just store it in the file.

(01:04:43):
And then, the bot that I built will constantly do resolution, constantly.
Once I think every week that I did it.
Yeah.
To see if it does resolve and if it does.
Then do httpx.
Okay.
Interesting.
Yeah.
Do you some somehow note all the domains that resolve to internal
IP addresses to use it later for, I

(01:05:03):
do store it.
Yeah.
but I don't go back to it, much.
I go back to it when I do need it for SSRF. Okay.
Yeah,
yeah, 'cause I thought it's, it useful to, let's say we have,
loads of IP addresses resolved from a wildcard domain, let's say.

(01:05:24):
It's useful to just save all the internal ones.
Yeah.
And once you have the SSRF, that's, the ones that you use.
Exactly, yes.
So that's what you do.
Yeah.
Nice.
Yeah.
It's, I thought about it, didn't do it.
Yeah.
I think in the end, it's like I kinda changed my, technique a bit.
Yeah.
so I used to just like open burp.

(01:05:46):
Hack.
Yeah.
And that's it.
Now I've been like gathering a bit more data, taking a lot more notes.
My notes are, a lot more structured.
Oh, and I do note like internal domains and yeah, take note of everything that
I see that can be, can lead to a bug.
So I think I probably missed some bugs in the past where I was like,

(01:06:07):
oh, I remember that, but where was it?
I don't know.
But by taking notes, yeah, sometimes it's easier to, go back.
How do you organize the notes?
I have a, let's say a hack on, one application.
'cause I'm a deep dive, so I don't really do recon or not much.
Anyway.

(01:06:27):
I have like technologies used, like my recon in terms of hacking on an app.
I like, not like asset scanning, just like recon on the app system.
So I'll note that technologies used, I'll note the,
API endpoints, the reverse proxy APIs sometimes slash, I don't know, water will

(01:06:54):
have a different backend than another.
Another one.
Yeah.
So I know which one leads to another end, another, backend.
sometimes like slash water will have a Node JS app, but slash
glass will have, a Java app.
So I take note all of, this.
take note of GraphQL endpoints, things that I notice that are like interesting

(01:07:17):
or weird sometimes just something as simple as like a metrics, like
slash metrics endpoints, are pretty useful.
Usually we report them as a little bit like informative,
but it can help in other stuff.
So I take note of that.
I take note of like lows and mediums that I will not report.
Yeah.
Report, yeah.
But can be chained with something else.

(01:07:39):
I take note of what I see is interesting and what to test.
kinda like a bit of threat modeling.
okay, this app, this has this, a bit of, a bit of logic behind what to test.
and, actually could probably take a look here.
Forgetting something
so you, things for, that you save for later.

(01:08:02):
internal domains, right?
Obviously lows, mediums and
that, you can potentially chain with something.
Yes.
What else are like the typical things you save for later?
stuff that I find that are probably vulnerable but
have a hard time exploiting.
Okay.
or that they disclose information, which can probably help in another place.

(01:08:27):
For example, I had one case where, when I uploaded a file for some reason, once in a
while it said, ok, find file in this path.
This was the internal path.
Okay.
Yeah.
So I could,
know where it was being uploaded, and maybe I could do like a path traversal
and upload it elsewhere or whatnot.
So information like that.

(01:08:49):
I also store, custom headers.
I've had luck recently with like custom headers that the company uses,
success in what sense?
In the sense of putting one header in a different request that
normally did not have that header?
yeah, sometimes yes.
Okay.
I see.
I saw different behavior.

(01:09:11):
and one trick as well that I think Frans, obviously Frans knows everything, right?
it's looking at the access control allow headers, I think.
Yeah.
In response, yeah.
Sometimes you have like custom headers in there and putting them in the requests.
Will have an interesting behavior.
so I had a few cases like that, which like interesting.

(01:09:31):
I was not always able to exploit it, but like I know something is happening.
They're doing something with that header.
I didn't look at this part.
the headers that are disclosed in the access control allow headers.
Yeah.
Sometimes you have a bunch of them.
So if you put one by one or all of them in your request and put like any
value, sometimes the application will reply like with something interesting.

(01:09:55):
Okay.
Yeah.
Okay, I see.
Interesting.
and also cases where, the app used like, custom headers for admins
and by putting like that header.
In the request and putting like a, let's say it was like an X
dash user ID in the request.
I could put another id, it got me access to another user's.

(01:10:18):
Yeah.
So like that, yeah.
That's cool.
So that should not work, but works
after.
speaking of things that should not work, but they work or they worked,
after the recent Next.js bug.
Oh yeah.
I'm tempted to just take a look at the source code of each web framework.
Just grep for.

(01:10:38):
All the headers that I thought about that
too.
Yeah.
I actually thought about it.
About it too.
Yeah.
Because I'm sure something weird happens.
There must be something
else.
Yeah.
There must be something
else.
It's not the first time that guy in, in particular has found Next
JS bugs specific to, headers.
I think he had found two or three regarding cache poisoning.
Yeah.

(01:10:59):
And now an authorization bypass with headers.
And I think I found a feature where it led to some interesting stuff.
So I think headers are definitely, an interesting, attack surface.
Yeah.
Yeah, for sure.
we'll end our interview here, but before we do, tell me what are your plans

(01:11:19):
for 2025 as this is your first full year as a full-time bug bounty hunter,
what are your goals for this year?
I have my, financial goals and sort of, bug bounty.
I'm on pace to pass that.
Yeah.
I think by a lot, if I can continue hacking and finding more bugs.
Yeah.

(01:11:40):
I'm hoping to get invited to a few, more live hacking events.
'cause those usually like boost, a bit.
yeah.
And, hoping to take more vacation as well.
I actually go on vacation a couple of weeks.
I'm hoping, to be able to, schedule some, more, later this
summer, maybe in the fall as well.

(01:12:00):
We'll see.
just, have fun, play more golf, play more hockey, and, have fun doing bug bounty full
time or part-time, but like full-time,
part-time was full-time.
Yeah.
Awesome.
I wish you a lot of good luck with this and thank you so much for the interview.
Thanks
for having me.