Learning

Taking notes always a good idea.

Episode 1:

Episode 2:

Episode 3:

Episode 4:

Episode 5:

Episode 6:

Episode 7:

Episode 8:

Episode 9:

Episode 10: The Life of a Full-Time Bug Bounty Hunter + BB News + Reports from Mentees

Episode 11:

Episode 12:

Episode 13:

Episode 14:

Episode 15:

Episode 16:

Episode 17: LA Live Chat with Five Legendary Hackers

  1. Host your own blind xss payloads with a dashboard:

    ezXSS: https://github.com/ssl/ezXSS

  2. SSTI via SSRF:

    Frans Rosen shared s story about how he had a ssrf which retrived HTML content , but most he could do was a XSS. Then with some help he tested SSTI payloads and response rendered the payload. It was nodeJS engine and eval() was being used to render.

Episode 18:

Episode 19:

Episode 20:

Episode 86: The X-Correlation between Frans & RCE - Research Drop

Youtube Link.

Slides Link

You might have seen certains headers like x-correlation-id or x-request-id , trace and look-alike with a long UUID values in request and response while doing pentest. Stop and think what are those? why they are being used?

Well it is a technique used to link multiple related requests of user/session/transaction together. his is particularly useful for tracking the flow of a user's session, understanding the relationship between various API calls, or debugging complex interactions in distributed systems.

e.g from chatgpt 

Imagine a user makes a purchase on an e-commerce website. This action might trigger several HTTP requests: one to check inventory, another to process payment, and another to confirm the order. By using a correlation ID, you can trace all these related requests across different services, making it easier to debug if something goes wrong.

You can supply your custom values as request ids and if they reflect it's a good indicator to dig in.

Even if they don't reflect there is still a blind vector. test it if you have time.

Now this could be a command injection, sql injection , ssrf, log4shell anything and moreover everything is 99% blind so test for that. because we don't know how server processed it.

Now some requests are more important and they are treated differently than others. So what fran recommended is to put a match and replace rule in background with special charcaters for fuzzing and do your testing. 

' " % & > [ ${ $( ` ; \

Now review logs to see if something went wrong.

There are gonna be false positives so manually review.

~Tip: In JSON multiple from multiple same values generally last one is chosen~

Watch the slides and video for understanding how frans found numerous blind attack vectors.

Platform Tip: Zapier for automating email notification.

Episode 87: 'Hacker Wife' Mariah Gardner

In This episode Justin Gardner was talking with his wife Mariah Gardner

Youtube Link

Learning 1: UUID v1 is inseucre and suffers predictibility attack. Hacktricks has good explanation.

Burp Plugin to detect UUID: https://portswigger.net/bappstore/65f32f209a72480ea5f1a0dac4f38248

UUID exploitation tool: https://github.com/Lupin-Holmes/sandwich

Learning 2: They mentioned a bug from samcurry

Null byte buffer overflow.

Well idea was to re-register as victim username with some null characters victim%00 first server could think it is unique and will pass this to other servers but null characters could be trimmed or ignored further down in line. And you might get logged in as victim or something but what end up happening was even more interesting.

Sneak-peak from blog:

I had attempted to register an account with the following characters with the idea I could possibly overwrite the registration of the victim's email address if the null byte was ever removed at some point with the flow of the application.

victim%00@domain.com

The request went through, but the strange thing was when it reflected my registered email address it showed up as follows...

victimL@domain.com

The server had replaced the "%00" with "L" for some unknown reason.

Read more here

PreviousCritical Thinking - Bug Bounty PodcastNextMalware Development

Last updated