MonkeHacks #14

I met up with my mom in Tokyo and spent a few days with my relatives in Sendai from Monday to Friday. I flew back to The Hague, Netherlands. I flew with Emirates, which meant an 11-hour flight to Dubai, then a 7-hour flight to Schiphol Airport in Amsterdam. I flew in Economy for the first leg of the trip (I didn’t sleep at all). As I checked in, I noticed a cheap upgrade to Business class from Dubai to Amsterdam (the second leg), so I allowed myself the upgrade as my birthday is coming up in about two weeks. And it was absolutely worth it - I had a few coffees during the flight to stay awake, and I used the in-flight wifi to get some work done. As you’d expect, the other business passengers were mostly old people. There was a lounge area at the back of the plane, so I sat there for a while and snacked on rhubarb desserts. The business class cabin was on the second floor of the plane (an Airbus A380) so that was a first for me! I absolutely would do this again if it were a cheap enough upgrade. I landed in Amsterdam feeling refreshed!

June is shaping up to be a hectic month. A few things that I can’t talk about yet are in limbo right now, and the outcome of those things will dictate the direction of my life in the next 1-3 months. At the very least, I’ll have more time to hack in June than in May, so that’s something. I’ll do my best to end Q2 on a high note.

100-Hour Challenge Updates

Here are this week’s statistics:

My third bug paid out at $2,983. No extra hours done this week on the challenge but I’ll be doing some hacking again this coming week on this target. I aim to finish this challenge by the end of June.

Weekly Ideas / Notes 

• Burp2Caido v1.0.1 - Sytten from the Caido team updated how they handled requests in the backend, so I patched Burp2Caido to accommodate for that. I made a start on some new plugin features, but I put it on pause as I made my way back to Europe.

  

  I’ve slacked off on Caido plugin work, so this is how I feel right now.

  • NahamCon is happening this week. If you don’t usually tune into it—well, here’s your heads-up! This is THE bug bounty conference of the year, excluding live hacking events. He’s also organised a fundraiser for the American Foundation for Suicide Prevention, so donate to that if you have some spare cash lying around.

  • All in all, this is shaping up to be a decent quarter for me. The amount of time I’m spending on finding bugs has been gradually increasing as I get back into the flow of bug bounty, so this should only go upward from here. I had my last day at AppOmni this week, so I am officially a full-time bug bounty hunter now.

  • Average bounty stats on HackerOne are now live. This makes it SO much easier to pick a program to hack on. Now, you can see if a program is lowballing hackers across all of its severity grades or intentionally lowering bugs into lower grades. For example, if a relatively normal-looking program has 50% Medium bugs but 5% High bugs, then you know something is probably fishy and that they’re lowering High bugs to pay less. Maybe someone could compile some data around this?

  • I wrote a short piece on maintaining core skills in the age of AI. Read it here if that interests you.

  • Here’s a reminder to hack what scares you. If it scares you, it scares everyone else, so the odds of finding something good are probably higher. It’s counterintuitive, but if you think the same way as everyone else, how the hell are you going to find anything unique? I implore you to give it a try. The worst thing that can happen is that you find nothing, but at least you’ve gotten more skilled. And that alone will pay off in the future.

Resources 

• XSS in PDF.js - XSS in a commonly used PDF library.

• Joaxcar tweeted about an excellent writeup on iframes he read recently. Well worth the read.