MonkeHacks #18

Preparations, Javascript Sandboxes and CTFs

MonkeHacks #18

This week was quite busy on the personal side - mostly in applying for apartment viewings in Edinburgh. I’m flying to Scotland on Tuesday and spending a week in a hostel there (I’ve been to Edinburgh many times, so I know the good spots for this stuff). I did quite a bit of manual hacking this week, but it wasn’t as fruitful as I would’ve liked. I did some work on automation and finished a particular kind of automation I was working on, so I’m hopeful that that’ll reap rewards soon. I added a generalised system to my UI that I can copy and paste if I want to add new features so that should be very efficient. I also ironed out some plans for automating parts of my unique methodology. I’ll explain more about that in the future.

I’m definitely struggling a bit with motivation at the moment.

100-Hour Challenge Updates

Here are this week’s statistics:

⌛️ Hours This Week


⏳️ Hours Left


🗞️ Total Reports (All-Time)


✅ Total Triages (All-Time)


✨ New Triages (This Week)


💸 Bounties 


I noted some interesting behaviours from playing with various pieces of functionality, but nothing solidified into a concrete lead yet. What I did test, was reasonably well secured, so the fight for another interesting area of attack surface continues.

Weekly Ideas / Notes 

  • I published my first technical blog post of the year - Exfiltrating Data from Sandboxed Documents. It details how I approached and built a POC for a vulnerability in a limited Javascript environment. I have more writeups on the way, I just need approval from the parties involved first.

    • On this note, learn, learn, learn! This was my first ever postMessage bug. Yes, it was complex, but ultimately, postMessage is just a gadget. With a solid intuitive understanding, chaining new concepts becomes a lot easier.

  • Joaxcar posted this recently, and I thought it was really cool - a CSP challenge in a CTF with some ingenious techniques required to solve it. There’s a very good reason why some of the world’s top CTF players are also crazy good bug bounty hunters (I’m looking at you, my friend DrBrix). My take on the whole “CTF vs bug bounty” argument is that CTFs can teach you some really good problem-solving skills. I’ve been involved in the CTF scene for several years now so I’d like to think that my view is relatively balanced. It’s also helpful to go into the bug bounty scene without any preconceived notions of what is and is not “hackable”, as some CTF players do.

  • Without sounding too much like a conspiracy nut - “the matrix” is real in the sense that the world that we are taught, and the world that we live in, are two very different places. Bug bounty is one such escape from the world we’re taught - it’s such an unconventional career path. Don’t limit yourself to just the options that you’re told about. Carve your own way. This applies to bug bounty as well. There are so many bugs out there that don’t exist within the framework or technical format of what’s taught in courses and such. I’ll try and scrape together a few examples this week to illustrate what I mean.

  • As always, when I have a slow week, the following week is always a bit better. My “developer” phase over the past two weeks has concluded, so back to the “hacking” phase for the next two weeks at least.

This’ll be me for the next week.


  • Situational Awareness: The Decade Ahead - what is, in my opinion, a pessimistic but not entirely implausible prediction of the next decade. Personally I’m sceptical that we’ll reach AGI or “superintelligence” anytime soon. The leap between “can predict the next likely word” and “can perform reasoning” is significant. We’re also constrained by hardware resources. This article is LONG. Don’t bother reading all of it.

  • Story of a RCE on Apple through hot jar swapping - this talk didn’t get a proper writeup from the legendary Frans Rosen, so it flew under the radar when it was published a few years ago. Regardless, this type of stuff is the gold standard and I can only hope that I’ll reach Frans’ level someday.

    • YouTube video of the talk: here.

    • Slides here.