MonkeHacks #01

A collection of notes and ideas from Monke/Ciarán

Introduction

Welcome to MonkeHacks! I’m Ciarán, a.k.a. Monke. Briefly about me - I work as a SaaS security researcher at AppOmni alongside rez0, and this is my fourth year doing bug bounty as a hobby. The goal of this newsletter is to provide some useful notes, ideas, and other resources. There will be minimal structure - this is just an assembly of my thoughts for the week. So, stay tuned!

100-Hour Challenge Updates

As some of you know, I’m currently doing a challenge to hack for 100 hours on a public program. This week, I picked a hardened public program, after considering a variety of factors such as payouts, response times and report volume. I conducted a complete assessment of the obvious attack surface and identified the priority surfaces that I wanted to attack first. I spent the remainder of my time investigating how those features worked and established what limitations I had with the feature I was actively attacking.

Here are this week’s statistics:

  • ⌛️ Hours This Week: 11

  • ⏳️ Hours Left: 89

  • 🗞️ Total Reports (All-Time): 1

  • ✅ Total Triages (All-Time): 1

  • ✨ New Triages (This Week): 1

  • 💸 Bounties: $500

The bug was very weird, so I’ll definitely write a post about it if I can get permission to do so.

Bug Bounty Updates

  • I found a bug on my 100-hour target after 2-3 days of looking at it. It’s a good start.

  • This week, I found an XSS with Jayesh25. He’s a machine!

  • I educated myself on more GraphQL attack vectors.

  • I worked on Go code to optimise some recon flows. My automation doesn’t fully work yet, but the completed body of work is very fast.

  • I’m nearly at 3,000 reputation points on HackerOne. I hope I’ll reach that milestone before the next issue.

Weekly Ideas/Notes

  • I started putting hacking ebooks into GPT-4 using the Create GPT functionality. It was able to propose attack vectors for my HTTP requests by applying the book’s methods to it. If you’re a beginner and you have access to GPT-4 and you’re a bit lost, this is a great way to learn.

  • I’ve been following Kei0x’s work on Aiko, their hackbot, closely on Twitter/X. I’ll probably give this a shot myself. Last year, I built the foundation of an automated API hacking system with my college friend. We were several months ahead of the rest at the time, but since then everyone’s caught up, so give it a shot! I’d like to see how people tackle the challenges around different API contexts.

  • Do you farm medium bugs on mediocre programs? Are you making decent money, but long for those Highs and Crits? Well, I guarantee that if you dig into a program with much better payouts, such as Epic Games or Airbnb, you’ll find stuff. Give the 100-hour challenge a go. If you can find Mediums, you can find Highs.

  • Do you run a program? The best way for you to get better reports is to treat your reports like a conversation rather than a task or ticket. I’m a lot more motivated to hack on programs with nice people behind them and fast response times than on programs that are slow to respond and don’t care about their hackers.

  • Hacking in other languages - consider dorking for useful information in languages other than English. These can be overlooked easily in places like GitHub or in source code.

  • PortSwigger’s Top 10 Web Hacking Techniques nominations: I highly recommend going through every nominated technique on PortSwigger’s blog. It’s an incredibly informative resource.

Resources

Have a great week!

— Monke / Ciarán