MonkeHacks #01
A collection of notes and ideas from Monke/Ciarán
Introduction
Welcome to MonkeHacks! I’m Ciarán, a.k.a monke. Briefly about me - I work as a SaaS security researcher at AppOmni alongside rez0, and this is my fourth year doing bug bounty as a hobby. The goal of this newsletter is to provide some useful notes, ideas, and other resources. There will be minimal structure - this is just an assembly of my thoughts for the week. So, stay tuned!
100-Hour Challenge Updates
As some of you know, I’m currently doing a challenge to hack for 100 hours on a public program. This week, I picked a hardened public program, after considering a variety of factors such as payouts, response times and report volume. I conducted a complete assessment of the obvious attack surface and identified the priority surfaces that I wanted to attack first. I spent the remainder of my time investigating how those features worked and established what limitations I had with the feature I was actively attacking.
Here are this week’s statistics:
| Statistic | Value |
| ⌛️ Hours This Week | 11 |
| ⏳️ Hours Left | 89 |
| 🗞️ Total Reports (All-Time) | 1 |
| ✅ Total Triages (All-Time) | 1 |
| ✨ New Triages (This Week) | 1 |
| 💸 Bounties | $500 |
The bug was very weird, so I’ll definitely write a post about it if I can get permission to do so.
Bug Bounty Updates
I found a bug on my 100-hour target after 2-3 days of looking at it. It’s a good start.
This week, I found an XSS with Jayesh25. He’s a machine!
I educated myself on more GraphQL attack vectors.
I worked on Go code to optimise some recon flows. My automation doesn’t fully work yet, but the completed body of work is very fast.
I’m nearly at 3,000 reputation points on HackerOne. I hope I’ll reach that milestone before the next issue.
Weekly Ideas/Notes
I started putting hacking ebooks into GPT-4 using the Create GPT functionality. It was able to propose attack vectors for my HTTP requests by applying the book’s methods to it. If you’re a beginner and you have access to GPT-4 and you’re a bit lost, this is a great way to learn.
I’ve been following Kei0x’s work on Aiko, their hackbot, closely on Twitter/X. I’ll probably give this a shot myself. Last year, I built the foundation of an automated API hacking system with my college friend. We were several months ahead of the rest at the time, but since everyone’s caught up - give it a shot! I’d like to see how people tackle the challenges around different API contexts.
Do you farm medium bugs on mediocre programs? Are you making decent money, but long for those highs and crits? Well, I guarantee that if you dig into a program with much better payouts such as Epic Games or AirBnB, you’ll find stuff. Give the 100-hour challenge a go. If you can find Mediums you can find Highs.
Do you run a program? The best way for you to get better reports is to treat your reports like a conversation rather than a task or ticket. I’m a lot more motivated to hack on programs with nice people behind them and fast response times than on programs that are slow to respond and don’t care about their hackers.
Hacking in other languages - consider dorking for useful information in languages other than English. Non-English identifiers and comments are easily overlooked in places like GitHub or in source code, because most secret-hunting wordlists and regexes only know the English spellings.
PortSwigger’s Top 10 Web Hacking Techniques, Nominations: I highly recommend going through every nominated technique on PortSwigger’s blog. It’s an incredibly informative resource.
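To make the "hacking in other languages" note above concrete, here is an added example (my own illustration, not code from the newsletter or from any tool it mentions) of a small multilingual secret scanner. It runs the same hard-coded-credential regex you would normally build around "password"/"api_key", but with the keyword translated into several languages, and shows what an English-only pass misses. The keyword table and the sample source snippet are assumptions I constructed for the demo; extend the table for the locales of the target's developers.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed keyword list (constructed for this example): common spellings of
# "password", "secret" and "key" in identifiers across a few languages.
SECRET_WORDS: Dict[str, List[str]] = {
    "en": ["password", "passwd", "secret", "api_key", "apikey", "token"],
    "es": ["contraseña", "contrasena", "clave", "secreto"],
    "fr": ["mot_de_passe", "motdepasse", "mdp", "clé", "cle"],
    "de": ["passwort", "kennwort", "geheimnis", "schlüssel", "schluessel"],
    "pt": ["senha", "segredo", "chave"],
    "ru": ["пароль", "секрет", "ключ"],
    "ja": ["パスワード", "秘密鍵", "合言葉"],
    "zh": ["密码", "密钥", "口令"],
}

# (line number, language, identifier, quoted literal)
Finding = Tuple[int, str, str, str]


def build_pattern(words: Iterable[str]) -> "re.Pattern":
    """Match `<identifier containing a keyword> [=:] "<literal>"` on one line.

    \\w is Unicode-aware for str patterns, so identifiers written in
    Cyrillic or kana are handled. The optional quote after the name covers
    JSON/YAML keys such as "senha": "...".
    """
    alts = "|".join(re.escape(w) for w in words)
    quote = "['\"]"
    literal = "[^'\"]{4,}"  # ignore very short literals like "" or "app"
    return re.compile(
        rf"(?P<name>\w*(?:{alts})\w*){quote}?\s*[:=]\s*{quote}(?P<value>{literal}){quote}",
        re.IGNORECASE,
    )


def scan(source: str, languages: Optional[Iterable[str]] = None) -> List[Finding]:
    """Return every credential-looking assignment in `source`.

    languages=("en",) is the usual English-only grep; the default scans every
    language in SECRET_WORDS, which is what surfaces the rest.
    """
    langs = list(languages) if languages is not None else list(SECRET_WORDS)
    patterns = [(lang, build_pattern(SECRET_WORDS[lang])) for lang in langs]
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for lang, pat in patterns:
            for m in pat.finditer(line):
                findings.append((lineno, lang, m.group("name"), m.group("value")))
    return findings


# Constructed sample "source tree" for the demo; none of these are real secrets.
SAMPLE = """\
# constructed sample, not real code
db_user = "app"
contraseña_bd = "Ver4no-2023!"
String mdp = "changeme123";
api_key = "AKIA0000000000000000"
kennwort = 'Sommer2019'
"senha": "segredo-forte-99"
пароль_бд = "qwerty12345"
パスワード: "hunter2hunter"
"""


if __name__ == "__main__":
    english_only = scan(SAMPLE, languages=("en",))
    everything = scan(SAMPLE)
    print(f"English-only pass: {len(english_only)} hit(s)")
    print(f"Multilingual pass: {len(everything)} hit(s)")
    for lineno, lang, name, value in everything:
        print(f"  line {lineno} [{lang}] {name} = {value!r}")
```

Running it on the constructed sample, the English-only pass finds only the `api_key` line, while the multilingual pass finds all seven. The same keyword table doubles as a dork list: search GitHub for the non-English spellings scoped to the target's organisation, since those are the terms their own secret-scanning rules most often lack.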
Resources
Have a great week!
— Monke / Ciarán