MonkeHacks #11

Tokyo, JsTemplate and the 100-Hour Challenge

MonkeHacks #11

I’m now back in Tokyo. I’m going to spend about three weeks here, until May 12, and I’ll be leaving Japan on May 17 after a brief trip back up to Sendai to see my relatives again. On Tuesday, I’m going for beers with the very skilled bubby963 - we’ve been friends for several years. Also, I went bouldering this week for the first time in about a month - felt great but my arms are dead.

This week was a busy one, but very productive. I did about 25 hours of hacking this week. I’m collaborating with doomerhunter right now - we’ve been finding some really crazy stuff. Hats off to him, he’s pulling off miracles.

100-Hour Challenge Updates

Here are this week’s statistics:

⌛️ Hours This Week


⏳️ Hours Left


🗞️ Total Reports (All-Time)


✅ Total Triages (All-Time)


✨ New Triages (This Week)


💸 Bounties 


I reported the third finding of this challenge. This one should be a Medium, I think. Rest assured, I’ll try to publish everything at the end of the challenge.

Weekly Ideas / Notes 

  • I fell down a rabbit hole of investigating google-jstemplate. This provides an interesting way of executing JavaScript that may potentially bypass WAFs. I noted that Chrome uses this templating system for some of its error pages. I wonder if you could trigger an error to import the library this way to use it as a gadget?

  • Chrome extensions seem to be an exception for image-src CSP directives. Just something I noticed during testing.

  • I attended the Hack-Along event that took place this week on the Critical Thinking Discord server. It was really insightful - which is pretty much what you’d expect when 50 people are throwing vulnerability ideas around. I need to catch up on listening to some of the recent episodes.

  • I had a Hacker Success Manager assigned to me a few weeks ago, so I had a meeting this week to chat with them. They followed up on my open mediation ticket.