MonkeHacks #29
Coworking, Comment Asymmetry, LHE Mental Prep
It was a productive and busy week this week. My mom visited me and had a great holiday here in Scotland. This weekend, my friends from university are visiting - I’m really looking forward to it.
I made significant progress in my research this week, which I’m excited to share in the next few weeks! I’ve got great momentum at the moment in bug bounty, so I’m pretty happy with how things are going.
I also signed up to a coworking membership at the WeWork in Edinburgh. Previously I was just hopping between cafés, so this should be much better suited to my needs. The coworking space in Edinburgh is really, really nice - it has a terrace with a full view of the castle and such, and they have an in-house barista.
St.Andrew’s Square, Edinburgh. The good weather has stayed, although the temperature is starting to drop.
Gadget of the Week
This week’s Gadget of the Week is JavaScript comment asymmetry! This is a useful technique in specific JavaScript context escapes. I’m going to outline a scenario that is actually surprisingly common. Let’s suppose that you have a JavaScript context escape with a URL parameter, but it’s impossible to fix the context of the JavaScript in such a way that’ll make your injected payload run without causing errors.
In these situations, if you have a second context escape at a different place in the page, you can try to abuse the fact that `/*`, `*/` and `//` are asymmetric to fix the context, by commenting out the problematic code snippets between the two injection points. This generally won’t work in cases where you’re unable to close a single or double quote, as there’s simply no way to retroactively comment out a line from the end of it. If someone does discover a way to close these types of dangling quotes, you could pop a LOT of bugs.
Weekly Ideas / Notes
Don’t be afraid to reach out when you need help! This week, I got very stuck on finishing the chain of a particular bug, but I reached out to Justin (Rhynorater) and he solved it in 15 minutes. If I hadn’t reached out, I’d still be bashing my head on that problem even now.
The latest optimisation I identified in my workflow was to switch from café-hopping to a WeWork. Yes, it’s more expensive, but I can already tell that this is going to be beneficial for me. If I find more bugs as a result of this change, then it’s a worthwhile investment.
If any of you are attending the LHE at the end of this month and are looking for recommendations for food and such - I got you. Just reach out!
This is a short update on mental state analysis in the run-up to the LHE.
I’m very eager to prove myself. I know that finding anything is an achievement on hardened targets, but I want to give a Show & Tell.
Edinburgh is dreary and dull in the winter-time. I want to perform well enough in this event to secure a place in the next one, which is usually Miami in January, to escape the Edinburgh wintertime…
I’ve internalised the idea that everything is vulnerable - so I’ve had no problems with motivation and such. I find that if I have something I can dig deep into, then that’s enough to keep any imposter syndrome at bay. Digging deep means I have something I can talk about at the in-person event, and that’s enough for me. My fear is having nothing interesting to say at all. Fortunately, I think I’ve already got enough cool stuff to discuss at this event.
Resources
The X-Correlation between Frans & RCE - Research Drop (Ep. 86): This is a must-watch episode from Critical Thinking. Frans Rosen yet again demonstrates why he’s so highly regarded in the bug bounty industry.
Bypassing airport security via SQL injection: Multiple vulnerabilities in the TSA backend systems that handle special lanes in airport security.