Audio Overview: https://notebooklm.google.com/notebook/a23f952b-4776-4d2c-85a1-9f17e0cfa213/audio
The first ever live hacker mentoring with zseano - YouTube
<https://www.youtube.com/watch?v=-6tv1kvBZDQ>
Transcript:
(00:12) There we go. Yo, I don't know if anyone can... people hear me? Hmm, let's see. Yo, can people hear me? Why can't I see chat? Alright, cool. Atomic says yeah. I've used chat over computer for some reason. I'm here. We'll just wait a little while for people to get on and whatnot. I was gonna come on like 10 minutes early, but for some reason my computer decided to freeze up and reset. Can everyone hear me? Absolutely, okay. And my lag... is everything fine? I'm not
(01:21) quite sure how delayed this is to the chat and that. So cool, people can hear me. And yeah, Yogesh, if I'm pronouncing your name okay, this is for beginners, this is literally... so I'll wait a few minutes just to let everyone get on and what-have-you, but basically this talk is gonna be around how anyone can be a hacker. Like, I believe everyone has a hacker inside them, and all of the information is out there for finding bugs and doing this; it's just about getting your head around it all, and that's kind of what this first session is gonna be
(02:07) about. If things go really well, I think people enjoy it, etc., I'll try to make this a weekly thing, but we'll see how this goes. So okay, I'll give it till five past, and it's two minutes past two at the moment. We'll give people a couple of minutes to get on, etc. If anyone has any random... like, there's going to be a question and answer thing at the end, but if anyone has any questions right now you want me to answer, feel free to chuck it. Either you can DM me, my DMs are open, let me just make sure, yeah. Again, yeah, so if you ever have any
(02:45) questions, either use the Google chat or DM me or tweet me, anything, and at the end I'm basically gonna be doing live hacking, help and mentoring, etc., after I've done a bit of talking and rambled on a fair bit. So you've got two minutes and I say we'll get going. No, it's actually two o'clock here in the UK, it's not one o'clock. I don't know what time calculator thing you're using, but it's two o'clock here, 2:00 p.m.
(03:19) GMT. Hopefully no one else has got caught out by that, but if it works for you, it works for you. Alright, we've got one minute and then literally we'll get going, we'll just jump straight into it. I mean, people want to listen to me talk and talk hacking; everyone who wants to be here wants to be here, basically. You never trust Google for time zones, that's what I've learned. I've done the exact same: people have said hey, we'll have a meeting at this certain time, and for the time zone I go to Google and type in the time difference to whatever, it tells me a time, and I'll
(04:05) even turn up an hour late or an hour early. Don't trust Google's time zones, there's a lesson out there, bear in mind. Alright, cool, let's begin. Literally everyone should be here. A lot of people will miss this because they don't know about the wintertime clocks moving. Well, I mean, this talk is gonna be hours long. I say it's gonna be two hours long, but it's probably gonna go on a lot longer, so even if they are an hour late, this video is recorded, so they can always go back and they're not gonna
(04:40) miss the opportunity to ask me questions and things like that, because that comes at the end. So yeah, hopefully people don't miss it. Okay, note it for future reference. Okay, so well, let's begin. There's enough people here, let's do this. So let me share my screen and let me get this up. Oh, that's the wrong slide, we don't want to show you that. Okay, the subject of this live session is literally just live mentoring with zseano. So like I say, the agenda is gonna be like, literally, ah, where do I
(05:35) begin? You know, I mean, you've heard of bug bounties, you've seen people tweet that they're earning lots of money, your friends have heard, etc. So I'm gonna let you start with what bug bounties are and how you can literally get straight involved, because we are gifted in the way that bug bounties are around, that you can sit in the comfort of your own home and poke at the majority of big websites out there, there's so much out there, and not get in trouble and make a lot of money. So after that I'm gonna talk about basically understanding what hacking is, and I get
(06:07) a lot of people message me like, hey, what does this key do? I've got this, what does it mean, what does this do? I've got a thought, or I can't bypass... Like I said at the beginning, I believe everyone has a hacker inside them. It's just about asking yourself the right questions and being curious and just understanding what is going on. The more you understand it, the more you're gonna become a better hacker, and like I say, people will be asking you one day, how do you do that? And it's literally, it's all in front of you. So
(06:35) I've explained what bounties are, where it is, etc., and cool key places to find some bugs, understanding what hacking actually is, and then I'm literally gonna say, like, literally let's go find some bugs, and I'm gonna take from the chat, like you guys pick a random program, preferably a wide scope, and I'll do some live... I'm not gonna say live hacking, because I'm not quite sure how legal it is to do live hacking, you know what I mean, I don't wanna get in trouble, but I'll do like a live walk through and give you my opinion as to what I would look out for
(07:06) on this website and what I think might be vulnerable, and we'll do some hacking together. And then after that it's gonna be the Q&A chat and live helping, literally. If you have any issues with bugs you don't know, you want something explaining, something clearing up, it's up to you to ask me absolutely anything you want and I'll do my best to answer it. So yeah, before I begin, if everyone can hear me fine, everyone can understand me okay and we're good to go, just somebody give me a 1 in chat, just so I know things are going
(07:39) well and we're all up to speed, and then we can go. Alright, cool, I got a 1 in chat. Okay, cool, so literally let's begin. So let's begin: fresh mindset, give me bugs. I can imagine the majority of people viewing the stream have got interested in bug bounties because of money. Let's face it, there's a lot of money on the table, people want to find bugs. You kind of, in my opinion, put that on the back burner and get in the mindset of "I can poke at any website out there". Like, I mean, Netflix, Verizon Media, all these
(08:28) companies are saying, hey look, here's all our stuff, you can poke it from the comfort of your own home. So forget about them paying you as such; think about it as, okay, I can have fun, I'm limitless right now. Like, this is a huge opportunity, in my opinion, for so many people to make something good. So, picking a target. Now I understand it can be tough, really tough. I've been there, everyone, everywhere, every single person, every single hacker in this industry has been in the same shoes of, well, where should I go hack? And
(08:57) you see loads of other people tweeting out there about loads of money on a certain program and they've done this, they found certain bugs. We've all been there. It's something you just have to accept. So how can you choose the right programs, in my opinion? So for people who are new to this industry, you see there is HackerOne, Bugcrowd, Synack, Intigriti, a few more like HackenProof (they're mainly blockchain stuff, they did a few web app things), but they're the main bug bounty sites. However, there
(09:35) are so many companies out there with responsible disclosure pages which aren't advertised to the world like, hey, come on hackers, but they are saying if you find an issue, we'll work with you to get this fixed and potentially pay you. They don't advertise how much they're gonna pay you and this and that because, you know, I get it, not all companies want to advertise on a marketplace as such to search for bugs on their website, and they don't want everyone going absolutely crazy. So don't just focus on HackerOne, Bugcrowd
(10:03) and all the other platforms, because there's so much out there. You can go onto Google and do Google dorking for responsible disclosure. Do not just stick to the dot-com websites, and I've retweeted lots of things to find these programs. Basically, I don't want to give out exact dorking things to find these, because then everyone's gonna go do the same thing and everyone's going to dupe each other, and the idea behind this talk is you're your own boss, you know, with bounties. You can pick anything you want to do, and if they have a responsible
(10:35) disclosure program or bug bounty program, they're gonna pay you, basically. So when you are picking a program, this is my methodology: I will only send a few low hanging fruit, silly little bugs really. Now those sort of bugs, while they're low hanging fruit, they can give you the bigger mindset, like a bigger view as to how a website works, based on you poking just a little bit, if that makes sense. So you don't want to go crazy on the target, and I mean, they take months and months to pay you and fix things and you're left pending and it's just crazy. That's
(11:13) gonna really frustrate you and you're gonna burn out, basically, and I think that's what happens to a lot of people: they see people tweeting "I earned 10k for this" and then they go focus just on that program and get a bit frustrated. So you need to kind of tickle the program as such, like understand, okay, so what basic defences does this program have? Now this all will make sense. This is kind of gonna be a talk that when you get to the end you're gonna be like, okay, Sean actually makes sense as to why you should only test
(11:47) programs with little bugs before going in major, sort of thing, and I will get to all that eventually. Yeah, so first you send in test bugs to basically test their response. So to restate, the reason why you're sending test bugs is to, one, test basic defences: are they filtering against basic things? Have they got any cross-origin misconfigurations, so can you set your origin and read any data, things like that? You're just getting a feel for what is there. You're also testing the response time, because I could say, actually, this
(12:20) is more aimed at people who want to do this as a job. If you want to get paid consistently then you obviously want to spend time on the programs which are going to pay you consistently, in my opinion. You can't trust HackerOne or Bugcrowd stats or anything like that, because I've submitted bugs to Bugcrowd programs which say they take like a month to pay and I get paid in three days, whereas other people don't get paid for two weeks, and then I've got programs on HackerOne where people are getting paid quickly and I'm not. It doesn't mean... you have
(12:51) to make it your thing. This is the whole beauty of bounties, it's your thing. If you stick at this long enough, you should be able to come onto your computer and have a list of companies who have a lot on the internet, who are constantly updating their code, who are gonna pay you consistently and fairly and nicely, and you can make consistent money from constantly poking. So that's what I'm saying to people who are new: if you're new and you want to find a new target, you've got to get a feel for things. If I'm brutally honest, I like
(13:22) being honest, honesty is the best policy, I have the best success on Bugcrowd programs, less dupes and really finding bugs. I don't know, that might just be me, like I say this is just my opinion, but I have more success on Bugcrowd. I feel like not many people spend time on Bugcrowd programs. I look at some stats, look at some programs, and there's hardly anything. Whatever, that's because they haven't invited enough researchers, I don't know. So yeah, carrying on, because I do ramble a lot, so
(13:57) you've picked your target. Let's say, for argument's sake, Verizon Media, okay, it's off the top of my head, a massive wide scope program with lots to play with, and you've run your... this isn't a talk about a certain subject, this is a wide talk. So you've run all of your recon scripts which are available out there. What do you do with all that data? Because I find a lot of people are like, occasionally, I've got all these subdomains, what do I do with it? If I visit some of them there's just a blank page, if I visit other ones it's a 404, some
(14:31) of them just don't load, like what do I do now? This is, again, going back to being your own boss, and this is your job: come up with your own techniques and what you do, because you want it to flow easily in your head so there's less confusion. So, my opinion, this is what I do, because I'm gonna give you two comparisons. You've got a genius hacker like Naffy, Nathaniel Wakelam, who is an absolute god at scanning these subdomains and finding random files, old forgotten files, and poking, and, you know what I mean, he has come up with this himself as
(15:11) finding certain keywords, what to look for, and that's his method, he's come up with that, and I mean he's released so many slides where he gives this information out. And if you think about it, what he does is not hard to replicate: he's simply scanning for subdomains and trying for files, and listen, that's brilliant, that works for him. For me, on the other side, I like to scan for the subdomains and I like to instantly go for the targets where there's somewhere for me to sign up and register and actually interact with the web
(15:41) application. That's what I like. So I'll have my subdomains, I'll scan for like sign up, register, login, I'll always check robots.txt files to then see if those files exist and see, you know what I mean, what is actually on there. So it's about what you want to achieve from this set of data, and because there's literally so much you can do, and all the information on what you can do against these subdomains is out there. One thing I don't think a lot of people do is setting up monitors with SSLMate for when new subdomains come out with a
(16:17) new HTTPS SSL certificate. You see when it comes online, you see the DNS, you can just start instantly poking and seeing what's there before other hackers, and a lot of the top people are doing this, so you might get dupes, but it's something that I don't think enough new hackers explore. They run their recon scripts and follow the path of other hackers, because, in my opinion, people are kind of just following everyone's tutorials word for word and tip for tip type thing, and it's about taking bits and pieces from
(16:52) everyone's tutorials and write-ups and coming up with your own twist on these things. So like I say, when I've done my recon script I want to find instantly places where I can interact, because if there's places for me to interact, chances are I can upload a photo, chances are I can store some information, there's something for me to poke around. And the reason I like poking around at live web applications is because there is another human that has sat at a computer to create this code, and he's potentially sat there and thought about somebody
(17:24) breaking it and poking it. You're reverse engineering his thoughts basically with how he created this and what it should do, and you're pushing this to his limits, and I find that fun. So again, it's finding what works for you. So you've found your target, you've run your recon and you've got a feel for what's out there. Now it's about understanding your target. Now again, going back to Naffy, he understands the Verizon Media scope and what is out there down to a tee. You know what I mean, he's focused on this program for god knows how long, it works for him. I've
(18:03) personally focused on two programs on Bugcrowd, one of them is public now, which was TripAdvisor. You just learn how these developers are thinking, and the more you learn how a website is working, the more bugs are gonna pop out, because you're like, okay, hang on, if they made the mistake here, chances are they're gonna make the mistake there. You see a new feature come out (go follow them on Twitter, sign up to newsletters), you can instantly look at it and think, I'm gonna try this, because they made that same mistake. And you might sit
(18:35) there and think, well Sean, if I report one XSS, chances are they're gonna fix XSS altogether on there and no new features are going to have XSS. No, developers still introduce XSS for some reason, and if they're not fixing against basic XSS, what else is there gonna be? So again, to basically sum up this entire page, it's about how badly you want to kind of work for yourself, being a hacker and breaking these companies' code, and coming up with it yourself, not... coming up with it yourself, because like I say there's so
(19:11) many tutorials and everything out there to help you, but it's taking information from each of those and coming up with your own way of doing it. Because, I mean, you're not, we're not malicious hackers, we're good hackers, but you have to put your mindset as a malicious hacker. A malicious hacker would be at home on his computer trying ways to break into this company, except when we break in we tell this company and get paid. You know what I mean, you have to look at this company and think, okay, where are they gonna put some protection, what are they
(19:41) trying to protect, what's going on? You understand, then you can reverse engineer as such the developer's thought and what they basically tried to achieve. So yeah, before I skip on from this, does anyone have any real quick questions, basically anything to do with what I've just said there? Because like I said, I don't want to mention recon tools and all this and that, because I will get to it in this talk. I say this talk will make sense towards the end, but all the information is out there. "How can I think like a developer when I'm not a
(20:18) developer and have no idea of programming?" Okay, that's a very good question, yeah, very good question. So a lot of people message me and say, hey, do I need to be a programmer to be a hacker? And my answer is no. You just have to understand what the site has tried to create as such. So like I say, a fun example is the login page, because I always find bugs there. When they're logging in, even if you don't see any redirect URL, try brute forcing parameters on there, because your way of thinking should be, well, other developers did it,
(20:53) and most developers share code and libraries, and most developers think the same, so try it, you never know what's gonna happen. I've had it work before. Then when you see the login, see, like I say, token exchanges, what actually happens, and you don't have to be a developer to understand the flow that a developer had when coding this, if that makes sense. You just have to get your head around, like, okay, this is what's actually happening, well, what happens if I was to do this and do that? And, you know what I mean, you can't be wrong with hacking, you're
(21:25) limitless. "How much time do you focus on recon?" I never stop doing recon really, in my opinion. Like I say, I'll spend hours doing Google dorking sometimes, because Google will give you different results if you do certain characters and certain... I mean, if you just change it to a mobile device you get different results, so there's an example. I'm always doing recon, because websites are always bringing out new code, you should always be hunting. That's why I say have a list of targets you love, and you can be bored on a Sunday
(21:59) afternoon and just go do some hunting and see what's out there. "Can you explain low hanging fruit bugs?" So XSS, open URL redirects, cross-site request forgery: these days, in my opinion, they're the low-hanging fruit and shouldn't exist. Clickjacking, in my opinion, is kind of not common, but sometimes you can clickjack sensitive actions, especially if you chain it with cross-site request forgery, and if you check out BugBountyNotes there is a tutorial on sending an example where you send a blank cross-site request forgery token
(22:36) and it would reflect back the change you wanted to make in the error, and you could clickjack, force the user to update it. There is a challenge on it as well. "Best recon tools?" I'd recommend checking out NahamSec, Ben's recon post. I did a stream with him not so long ago, he literally did his exact recon steps and found a critical bug. I recommend checking that out. All key information is there really for scanning JS files, etc. "How to start analysing a huge subdomain list?" Like I say, check out Ben's post and start coming up with your
(23:13) own list for enumerating subdomains, and yeah, there are so many recon tutorials out there, and it's about, like I say... I'll give you another example: Random Robbie, his recon is off the charts for finding these random bugs which just appear. I'm not gonna say where he does his recon, because I respect that, and if he wants to tell people he will, but he scans in certain places for certain keywords and finds stuff. So to answer your question, you can never be done with recon and there is no best recon tool,
(23:44) really. It's about seeing what other people are using and go from there. "Is a whole course in networking as such needed?" I mean, it depends what kind of... I mean, I focus mainly on web app bugs, so yeah, I mean, networking is... I mean, I've never taken a course as such, so I'm not quite sure how to answer that one. It depends on how people learn. I'm gonna answer two more questions and then carry on. The last question, I'm gonna add, I think chat's delayed, is "how much time do you spend per day hunting?", and the first
(24:19) question before that, from Marcroy, is "how do hackers like you find critical IDORs, or do you just have to look in the right places?" It's not really much more than that. I find IDORs all the time on mobile apps, all the time. You simply install Burp, install the Burp HTTP cert, set it all up on your computer and just install the app; most mobile apps are vulnerable to IDOR. And finally, the last question before carrying on (we'll get to the other questions after): "how much time do you spend per day hunting?" It can depend. Sometimes, typically, five, six hours a
(24:57) day hunting, when I really... sometimes I have spent up to eight, maybe ten hours, depending on if I find a lot of bugs early on in the day, then I'm kind of motivated to want to keep going and find even more. I've started to learn that if I'm looking for bugs and I'm feeling a bit burnt out, to take a step back before getting really burnt out, and try to understand: why am I burnt out? Why am I looking at this website and not finding anything? Are they just that secure? Am I not trying the right things? Have I reported too many bugs to them? At this
(25:29) point, learn to understand why you're getting burnt out, and you need to try something new and work through it yourself, basically. So I'm gonna carry on and come back to these questions in a little bit. So basically we found that target, we've done our recon, we understand that target, and now you're hacking. You found an endpoint that basically you don't know what it does. So in my opinion it's "why spray-and-pray when you can spend time and make a dime?" But I mean, a dime is only ten cents, so times that dime by a hundred
(26:10) odd with how much bug bounties pay. So let me just... so I was just reading the question there. So the more you hack on a target and the more you understand what it's doing, the more bugs you're gonna find. So don't just chuck a ton of payloads out there on the Verizon Media scope, for example; understand what's going on, because if you understand... I'm gonna repeat myself in this [ __ ], but if you understand what's going on you're gonna be able to come up with an exploit or proof of concept. So for example, you've done your
(26:54) subdomain scans on Verizon Media. If you want to go down the same route as me and find tons of places where you can sign up, register, interact with things, I'm not just gonna chuck a ton of payloads everywhere, because they might have some defences against normal XSS payloads or whatever. So I'm not gonna sit there and think "that won't find anything". You have to understand first of all what is this, what is actually going on, what is this website actually about, what can I
(27:23) do, and then try little things. So just try the less than sign to see if it is unfiltered. Never just chuck random payloads at it, because you need to understand what payload it is that you're sending, because if you understand the payload you can come up with so many bypasses to other bugs on their website potentially. So the reason for doing this, as well as focusing on certain things, is because there's lots and lots and lots of bug types out there, you know, you've got IDOR, open URL redirects, SSRF, RCE, SQL injection, and some people can
(28:04) get a bit overwhelmed with "oh my god, what do I try, I've got so much here". Now set yourself a challenge: what is it you want to find on a certain scope, what is it you want to try and test the defences of on this website, and go from there, basically. So I get a lot of people messaging me, like, hey, I found this key on GitHub, I found this in a JavaScript file, it's a random API key, what does it do? Google literally is your friend. Well, not with our day apparently, given this information, but Google is our friend: Google for this, whatever. Example:
(28:47) somebody asked me about some map key type thing the other day. Google for this key, "map key", and see if there's any docs about it, see if there's any Stack Overflow posts, see if there's any GitHub issues, see if anyone else has mentioned anything about this, and understand what this token is actually doing, basically. Because not all keys exposed are a leak; they are, come on, their public keys. But there are some keys out there which you could potentially cost the company money with. Whether they would, I mean, whether they're gonna accept that as an
(29:20) issue or not, I can't tell you, because some map services charge them based on how many queries are made, so if you're using that, yeah, that's questionable. So this goes back to understanding your target. So the longer you spend on a target, and the more you want to find a bug and push it over, and the more you want this, basically, and you're writing notes (writing notes is key in this), when you find a key you're gonna be more prone to actually know what this does. So I'm gonna give you an example: I found a key leaked after a login.
(29:57) So after you logged in a key was leaked, and I had no idea what it did. I tried, it wasn't in the cookie files, it wasn't anywhere. I was like, okay, this is interesting. So I googled for just part of the token, because I re-logged in over like five times and noticed that part of the token did not change, so I googled for this part of the token. The first result was a link to their wiki page, which told me this token acted as an auth token in a header for their API. Boom, I can now query for this user's information. So it's about
(30:32) stepping back and realising, understanding: why is this token here, what does it do? Now you're not always gonna get that lucky, and I mean there are some tokens out there where you're like, what does this do? I have no idea. That's just being a hacker. Like, don't sit there and feel like, okay, I may be a bad hacker, maybe it does do something, what should I do? That's just being a hacker. You sometimes might have to sit on that bug for a few hours, a few days. I'd say ask people, or even reach out to the
(31:07) company, make a report and just say, hey, tell me if it's some silly type of token like a Google Analytics code or something. I mean, I'm talking like a reset password token, I don't know, yeah, it's just an example, basically. There's so many edge cases with hacking, and you know what I mean, when people tell me I'm mentoring people, I can't answer every single thing because everything is an edge case. And so if people do have any queries with tokens, like I say, feel free to reach out at the end of this and I'll be sure to
(31:41) help you. But yeah, carrying on. Just to answer one question real quickly: "Google is your friend, but without basic knowledge it's tough to learn from Google." So okay, maybe I should do a story on Google dorking, but literally you can go onto Google and type in site: anything, yahoo.com, and then inurl: and search for characters, search for certain words. This gives you your first start for hunting on Google, basically. Okay, you can start searching for certain keywords and going in-depth. A lot of people don't realise this on Google: so when you're
(32:24) hunting on Google, especially on a website which will index a lot of pages, if you actually go to the very last page there'll be a link saying "some results have been omitted", blah blah blah. Click that link and you'll get a ton more results. I honestly think a lot of people miss that. That's my first go-to when I'm Google dorking: go right to the end page, get all the results. And yeah, just to answer a random question real quick in the chat: "do you really write your tools in VB6?" So that was a very long time ago, that
(32:59) video in Vegas, probably four years ago. Yeah, I did write tools in VB6 back in the day. I don't anymore, but yeah, I made what worked for me, because that's what I do. I mean, let's take this talk for example: I've not got any fancy equipment, I'm sat in the comfort of my own home in front of my basic laptop, I've made a slideshow and I'm making do with what I've got and trying to give people lots of cool information. It's not cost anyone any money to be here, it's not cost me any money to do this, and it works. So yeah, carrying on,
(33:34) so it's started to make sense, hopefully, for some people, with being your own boss as a bug hunter and understanding your target and understanding what is going on. So when you come onto your computer and go to work, you can pick a target, pick up from your notes and get to work: interesting endpoints, note them down, come back to them. You know what I mean, it's the beauty of being our own bosses in bug bounties. So hold on, I think I may have just missed something, two seconds. So I have gone through everything, so I'll carry on. So
(34:20) basically, hang on, we'll check this one, test them. So like I've just been explaining, I'm literally passing my knowledge to you guys with what I do. I said I'm probably gonna get loads of dupes now, aren't I? But I literally scan for subdomains and look for places that I can interact. My checklist is I want to find places I can sign up, because I know if I can sign up I can interact. I've suddenly got all these tick tick tick tick tick going off in my head for things to test for: stored XSS, open URL redirects, is there any token leaks, can I
(34:54) upload a photo, what can I do? So I carry on. Don't just, like I say, don't just chuck payloads; understand what is happening. Once I've found somewhere to sign up I won't suddenly test for the bug straight away. I know it sounds weird, but I mentioned this in my live stream the other week: I want to get a feel for how a site is working. Like, I watch Burp, I look for interesting parameters, I see what is going on, because then the hacker inside me, I mean, a light bulb goes off in my head and instantly I know where to start, I know what to
(35:31) try, let's start here. And you suddenly, you know what I mean, the longer you do this the easier you'll pick this up. So here's an example: I have found so many bypasses to XSS filters on public programs that people have missed, maybe developers just made it, I don't know. So to step through my methodology for testing XSS (this applies to every bug type there is: open URL redirects, RCE, command injection, SQL injection), so let's say for example you've listened to this talk and you're testing for XSS. I always,
(36:19) always start with an h2 tag if I'm testing for XSS, because most developers will not tell me if they've created some sort of filter, which they shouldn't do, I mean they should just encode the response, but some developers create some sort of filter. So if they have created a filter, h2 is probably going to be ignored, and you can quickly verify this by chucking a script tag or an iframe at it and seeing if it disappears or what happens to it. So if h2 isn't accepted, try just the less than sign and basically just
(37:01) try to understand, okay, is there any filter in here? The website might not be vulnerable, but you're trying to understand, is it vulnerable? So you can try other things, like null tags in front of it, a break, a new line, encoding, /aa, there are so many variants. It's about, literally, again, reverse engineering how this developer has thought about it. So I'll give you an example as to potentially a web application firewall bypass I found, but I think it was just for this site, that they created. So if you chucked an image source tag at it, so
(37:36) image source equals x onerror alert, it wouldn't reflect back at all, but it would reflect back with it being encoded, so it wasn't valid HTML. However, if you give it ', so the single quote character around the source, then it reflected it back. If you give it a normal quote sign it was encoded, encrypted, etc., I mean not reflected back normally, but giving it a single apostrophe made this filter basically just give it back to me as HTML, because I found that it led on to 17 more XSS. Now yeah, some people, I mean, you could argue this
(38:18) company just has to update their protection filter, etc., but the XSS is still there, fix the actual problem, you know what I mean. So yeah, it's understanding. I mean, I'm honest, it took me about two months to realise this with this company, because I was one day just bored and I was seeing this weird behaviour with h2 characters: I could get my h2 but I couldn't get any XSS, and I just knew there was XSS there. So again, I just simply chucked whatever I possibly could and reverse-engineered, essentially, how this developer who
(38:52) created this rule was thinking and payload, and it worked, and it still works now. So yeah, it's about being your own boss. That's why I've put it in big green letters: you are your own boss with bug bounties. HackerOne, Bugcrowd, Synack have done the hard work and got these companies to agree to let us poke at all of their stuff, so let's do it, let's break their stuff. So I was just having a drink, so I do apologise if I'm talking real quick. I hope everyone is keeping up with me and I hope this is making sense. I'm just gonna
(39:32) have a little pause before I go to the next slide, because the idea behind this talk, I brainstormed like, what can I, how can I mentor people, basically, how can I help them be successful in bug bounties? I didn't want to just do a talk on RCE or XSS; I wanted to do it on a wider reach to people, basically, where it's about understanding that all of this information to learn hacking is out there, there's so many tutorials, write-ups, challenges, CTFs. It's about getting your head around hacking and, okay, this website's doing this, so what
(40:15) happens if I do this and then do, d'you know what I mean? Creating the hacker inside yourself, questioning anything you see on the Internet and seeing how it works. So carrying on, I will get to these questions. So yeah, like I say, what's filtered, what are they looking for, understand a site's filter for maximum gain. It works, trust me, that's honestly why I found so... I'll give you an example on TripAdvisor. People ask me how did you find so many bugs. So I'm not gonna say the exact method live here; I mean, I don't want to get in trouble for helping
(40:55) people hack a site, like, I'm not quite sure how legal it is. But basically I scanned for what they had on the internet, there are tutorials out there for what I do, it's scanning things, and I checked every file that I could find and scraped input fields and tried these parameters everywhere I could find, and they reused the same parameters throughout because they obviously copy-and-pasted code throughout. So take advantage of this: d'you know what I mean, developers share and copy and paste code, one bug is gonna be elsewhere,
(41:28) trust me. I'm just going to answer a question real quick about this, quick question from Anders: if you find multiple XSS on the same domain and you see it's the same name, same mistake, do you make multiple tickets for the bug or one with them all in? So yeah, I just talked about this. I found key parameters vulnerable on TripAdvisor, XSS throughout their entire site. I made a single report for each one because that's what they asked me to do. Some companies will say it's a site-wide fix, some companies want to track it
(42:08) internally. That goes back to the very beginning: we're testing the program and seeing how they handle things and what's what, d'you know what I mean? Because I think this is another problem with bug hunters in this industry: we all expect the same from every bug bounty company. I think we all need to realise that every company handles things very differently to each other, especially with how they write bugs and things like that etc. And just gonna answer Tech Chief's question real quick as well: parameters where we can give and test
(42:40) different inputs. So what you mean by that, like, how you can guess for parameters. So let's really quickly talk about that. There's tools out there where you can brute force parameters. I also highly, highly recommend just scraping, like, d'you know what I mean, send a spider tool off to go through all of their website and grab all of their JavaScript variables from JavaScript files, look for input names, IDs, look for anything like that and just go and try it. But not only that, try the most common. I mean, if you're trying for redirects, try
(43:14) redirect, url, redirectUrl, redirect_url, there's so many variants. You can't go wrong. What's the worst that's gonna happen? They're not gonna accept that parameter and nothing's gonna happen, or the chances are they might accept that parameter. The same goes for headers: chuck a header at it, chuck your site as a referrer, and who knows, they might ping it back. A lot of sites do that, trust me. If you visit a website with Burp Collaborator as your referrer, or your website or your server, you get a lot of pingbacks. What you do with that
(43:47) information, d'you know what I mean, that's being a hacker, understanding what's going on. So carrying on. So we understand what bounties are, we understand that we have to test these programs, response times etc., and becoming our own boss. So we want to go hack, right? So the bugs are literally right in front of me, but where are these bugs? Who knows. Read, read, read. Follow people on Twitter, always look at HackerOne disclosed, look at Open Bug Bounty, check out tutorials from people, write-ups that are shared, and test what they've disclosed. They've
(44:33) presented all the information out there for you. Go see what happens if you simply do their repro steps and then work your way through, see how developers fixed it. You never know, you might find a bypass. There was a researcher who got a bypass, was it GitLab, GitHub... I think GitLab, and he got like 10k or something like that. I write about it in my latest blog post, Turning Time Into Bugs. But yeah, the researchers who disclose information, there's my tutorials on open URL redirects for hijacking tokens, that's a real bug, it is
(45:07) out there, it's just about finding where to test that bug. So if you want to go test open URL redirects (that's a mouthful), hunt for nothing but login endpoints on domains, sure, I mean, understand what's going on, and don't forget to check the mobile app, because some mobile apps allow you to login with third-party websites. So I'm actually gonna give a tip that I used. It doesn't work anymore because of things that have changed, but basically back in the day Facebook would allow, so if you set up a Facebook
(45:44) application and you set your domain that you could redirect to, let's say for example example.com, back in the day if you set it to that, Facebook would basically allow any subdomain and endpoint on that domain. So if you found an open URL redirect on your target domain and they allowed logging in via Facebook, you could hijack that Facebook token and then log in to them on the website, d'you know what I mean, log in with Facebook, that's how it works. Key place I found this, that so many people missed back in the day before Facebook
(46:18) made lots of changes, is you go log in, you get the mobile app, or you just set a mobile user agent, and because they want to make it convenient for people on their mobile to sign up to the website, they had login with Facebook, login with Google, login with Twitter, but it was only on their mobile app. You go on their desktop, it wasn't there. So it's only on their mobile app, you didn't find anything about it on the desktop at all. So it's about understanding developers want convenience; developers want
(46:47) convenience for users. So bear that in mind when testing: think about what convenient features they may have created that potentially you can abuse. So carrying on, like I've been saying throughout this entire talk, there are so many tutorials, write-ups, information, payloads out on the internet for every single bug type, you name it, it is out there. So this goes back to understanding hacking, and once you're understanding a target and you've spent time on it and you're seeing certain errors, you'll see certain behaviour, that's where the
(47:27) longer you do this, the hacker light bulb goes off in your head: oh, I think, okay, I'm gonna try this. An example: I had someone message me telling me that he had a JSON endpoint and if he chucked certain characters at it, it replied back with an XML error. This says to me, the hacker, first of all my first thought is, I've seen so many reports and I've seen so many people give the advice of, when you see Content-Type application/json, change it to text/xml and see what happens. There's HackerOne-disclosed reports as
(48:01) information. So that's maybe my first thought: okay, I'm gonna go understand what's going on here, why did it reply back with XML, what's going on? And when you see what another hacker has achieved from it, you can then understand, okay, so it's probably parsed as XML behind the scenes, but let's try this and see what, d'you know what I mean, you work through. And there's PayloadsAllTheThings on GitHub which has a list of payloads for every bug type out there. See what happens, see what's being filtered, see what it's doing. It's about
(48:32) recognising and understanding and then stepping back and then making a lead for it, basically. That's, d'you know what I mean, you're kind of chucking yourself at it. So we're gonna do something cool now. I'm gonna answer some questions, but I want you guys to pick around a bug bounty program, wide scope, and like I say I'll give you my... I'll do some live talking, because there were some questions in the chat to do some talking, help, some talking. You guys pick a program and, d'you know what I mean, I'll pick a random... we'll pick whoever
(49:06) chooses one and we'll do it. I'll ask some questions while we wait for that. So Hijack: do you have any advice on how to test sites behind Cloudflare? In the past I got permabanned. So yes, try find their IP address. Somebody did give me a tip for finding IPs behind Cloudflare; he actually found the IP by... I don't know if he wants the method public so I don't particularly want to say it out loud, but yeah, find their IP and then, d'you know what I mean, you bypass Cloudflare. So look for IP leaks, because they might even pay you if
(49:41) you can leak their IP. So, d'you know what I mean, there's a hacker in you, think about that: a site behind Cloudflare, find out their IP, see what's what, see what's there, see what they're up to. Okay, another question: it just stays and the script part disappears, what can I do? So Hacker Cracker, I would let you go through what I've just tried: try an h2 tag, see, try, d'you know what I mean, try the h2 without the ending tag, see what they're actually filtering. Don't just chuck a script alert, that's generic, that's common, that's what everyone's trying. Try h2; if they're
(50:17) not filtering that, you know there's gonna be XSS there and there's a certain filter, and that's where the hacker in you comes out and you understand, okay, what are they filtering and why are they filtering it? If you need help with that, because I love breaking XSS filters, feel free to DM me on Twitter, my DMs are public. Okay, Facili Kaiser did answer the question there. Tech guy: how can I turn header-based XSS, due to X-Forwarded-Host, into a good XSS? Hmm, that's a good question. So I found some interesting XSS as well in X-Forwarded-Host. I believe James Kettle
(50:53) did something with caching, did he not, on HackerOne recently with that. I would look into seeing if you can cache the XSS with the X-Forwarded-Host, you might be able to do something with that. Caesar asks, um, I think it's recorded, I presume after I'm done here it's just gonna be available, I hope so. Okay, I'm gonna ask two more questions and then we're gonna do it. Steve: Verizon Media, why not, I've looked at that program before and I found some bugs, yeah. Is there a trick to try to find Facebook OAuth redirects? Mmm, so Facebook
(51:32) made changes where they make the developer lock down the redirect URL so it has to be hard-coded, so chances of doing that are kind of slim now. There are potentially other services vulnerable to it, OpenID services for example. What about on the form, input is limited like 15 chars maximum? Yeah, that's one of those cases where you just want to punch your head basically, right, damn it, like damn, I've got a bug but I haven't got a bug. I'm afraid that's just one of those cases, d'you know what I mean, if you're limited by your characters there's
(52:10) nothing you can do really, in my opinion. Okay so cool, shall we do some talking then? On Google, before we do, is there anything... we'll do some [__], sorry, pardon my language, decent talking. Oh cool, let's get Verizon Media up. I'm not gonna do like live hacking because, d'you know what I mean, I don't know if that's legal, but I'm gonna do some talking, we're gonna do some hunting, I'm gonna give you my opinion. So for Verizon Media, the big Verizon Media who have paid out four million in bug bounties, four million. So the first point of call
(52:53) in my opinion that you guys need to know and understand: Nathaniel is a boss at this program, and you know what he does. So it's always kind of... I'm not saying copy what he does, but you know where he's getting success. So what does that say to you as a hacker? Verizon Media, potentially sloppy with old files on their servers, potentially sloppy with subdomain takeovers. I like, d'you know what I mean, I don't know what exact bugs he's finding, but based on his talks and hacking I've seen, he knows what's up. So that's our first point of call: we
(53:28) know our hackers are having success. So let's have a look at the scope. So we first of all see an API. Me looking at it as a hacker, your first thought is when you visit this here, it's probably gonna be nothing there, nothing at all, d'you know what I mean, yeah exactly, d'you know what I mean, it's an API, it's secure. So you know, your first point of call is to brute force that domain in my opinion, to see what's on that domain, see what API calls there are, find what it is, go onto GitHub, go onto... d'you know what I mean, let's do it, let's just find out what this API domain
(54:02) does, potentially is it listed anywhere. So yeah, we're going on URLScan here, d'you know what I mean, you just simply find out what it is. So we know it's related to sports, yeah, yahoo.com, d'you know what I mean, it's pretty obvious with the sports in there, but, d'you know what I mean, just make sure, see what is out there, just make sure it is owned by Yahoo, simply understand it. So second point of call is, well okay, where have hackers been looking? Because you don't want to dupe, do you, we don't want to duplicate people. So most people struggle with mobile apps, don't they, so
(54:42) um, I found bugs on their mobile apps, yeah, they're fixed now, I mean, but my thought a couple of months ago was, hardly anyone's looking at their mobile apps. So I downloaded their mobile apps, simply installed it, and there were some requests which were basically vulnerable to XSS. I think because I'm from the UK it helped, because there were some certain requests, GDPR stuff, so I think that helped me. And that's another thing: change your language. There is a certain website on Verizon Media which no one pokes at really because you
(55:21) have to have a certain IP in country, it's Taiwan, Hong Kong, things like this. Think where other hackers are potentially looking, because for those who are watching this here, a lot of hackers in this industry are just interested in money, d'you know what I mean, they just want to find some simple bugs, XSS, they just want to get paid. Whereas if you actually take this seriously, you actually put in the time and effort, understand what you're poking at, understand what is going on, you will find bugs, you will find big-paying bugs,
(55:52) and you will feel like a million dollars. You'll feel like a hero and you'll want to keep at it. Don't, d'you know what I mean, don't just go for money, money, money. Understand what's going on, treat it like a job and understand. So let's... oh, what's going on, I didn't mean to do that. Okay, so let's see some live talking, let's pick something. Okay, in fact, yeah, let's do the Hong Kong stuff. I mean, I don't know if I can access it, I'm pretty sure I can't. Oh, there's the GDPR page. No, see, I can't view it. But chances are,
(56:31) let's see what Google has found out about it. I mean, oops, wrong URL. I mean, I'm literally just doing random live stuff here. This is because I literally do this: I spend hours just randomly on Google hunting for stuff, because it's fun, why not? See what Google's told us, you know, they scrape everything, always start with that. Now look at this, all the way to the end page. There might be a lot, I mean, but, okay, there might be a lot of pages here. No, I've done the wrong character. We'll get there. Now look at this, see, I want to see all the results,
(57:18) and then you simply, d'you know what I mean, a lot of these are probably not gonna be anything interesting, but you get a feel for what is on the site. D'you know what I mean, you see Google's... because a lot of people say to me, "Sean, how do you do recon, what is this, what is that?" Google's done the work for you. So okay, can you see down here in the bottom corner where I'm hovering over the URL? category is being found everywhere, isn't it, and there's not many interesting parameters, not a lot is probably gonna be interesting, so we want to get rid of that from
(57:52) the results. I don't care, go away, we don't want that. Are you kidding me, it's a storefront? I don't know. And suddenly we start, okay, so now we know that on the auction we can see, just from this URL, yeah, that there's a user ID. Now I can't access this site; if I get a proxy or VPN then I might be able to, but you can instantly see just from gawking at this URL there's a user ID. So the chances are we can sign up and there's gonna be interesting things to play with there. So boof, boof is really popular apparently, so we've seen that, I don't want to see
(58:32) boof anymore. Why did they just get rid of my search? boof, okay, we got nothing, nothing else interesting, get rid of this. So we can see that they've got potentially a mobile app there. Oh, on earth, mr. smart, assess the item, my bad. Okay so we don't want to see item, there's nothing interesting, d'you know what I mean, just so much instantly to start playing with, in my opinion. You can probably post your own auctions on this website; if you post your own auction, you can upload your own photo, chances are. So I hope this is making sense to people,
(59:14) like literally I would spend hours doing this, searching certain things. Yes, time-consuming, but that's being a hacker. I've spent hours hunting for bugs, hours poking at things. I'll potentially get something that looks interesting and be like, d'you know what I mean, I'll come back to it. Being a hacker you have the entire Internet at your disposal to look for bugs and poke at things, and you're limitless to what you can try. Like I say, there is a mountain of information on the Internet, a mountain of information with hacking, so many tutorials, so many
(59:52) scripts, tools, videos, Burp extensions. You just have to get your head around what your task is, and that's understanding what these developers created and trying to break it. Now before I go through some questions, one final thing I want to say is: if you're ever sat there with a bug, now this might be self-XSS, this might be an API key leak, it could be anything that you're questioning, you're like, I don't really know... put yourself in that company's shoes, put yourself in a malicious hacker's shoes and think: can I impact
(1:00:32) anyone with this? What can I really, really do with this? Can I leak any serious data? Like, d'you know what I mean, if it's API keys it might be worth potentially talking to the company and, d'you know what I mean, as long as it's not something like Google Analytics code, something silly. But if it's self-XSS, so it's just a pop-up appearing... lots for transport they're completely from a pop up... damn, um, wow, mind gone completely blank, I'm gonna take a drink. Andrey, yeah, okay, see ya. Carry on. So you've got self-XSS, it's under... think about if you're a company and somebody
(1:01:16) reports to you, are you gonna care? What can happen? Now, not all self-XSS is just self-XSS. Now, just because it's in your profile that only you can view, uh, some researchers have got banned from platforms, from bug bounty programs, for doing this, but sometimes if someone at this company views your profile it might execute. I say I'm not recommending you do that, because it could be classed as social engineering and they might ban you, but don't always write off self-XSS, don't always write that off. Now I'm gonna do some asking
(1:01:52) some questions, where do I get to other questions? Okay: how to ask a question from you past this live session? You can always reach out to me on Twitter, DM, my DMs are open, you can always tweet me. Naffy is mostly awesome at SSRF? Yeah, he's an insane hacker, Naffy. I had the privilege of hacking with him back in 2015 at a HackerOne live event. Now I started bug bounties around 2015. Now, d'you know what I mean, I'd understood what hacking is, and I don't mean I've been a developer, but bug bounties was new to me back in 2015, and HackerOne, I'm really grateful for it,
(1:02:35) they invited me to their live event in Vegas and I was hacking, Benefits, that was the target, and at the end Naffy was talking about the bugs he found and I was like, oh wow, how did you find all of this? And, d'you know what I mean, he explained, well I'm just simply scanning for this and doing this, and then I was like, okay, this makes so much sense. It's about this understanding though. I don't think everyone realises that there's no secrets in bug bounties of how people find these bugs. All the information that people are using is out there, every single piece of information,
(1:03:09) including payloads and things like that. It's out there for the taking. You just have to get your head around it and understand, okay, how can I find these bugs then, d'you know what I mean, that's where you then start understanding recon and getting your head around it. So I'm gonna actually get my... if I know how to, not that page, this page, all right cool, I'm back, yo what's up. Okay so I'm gonna carry on with these questions. How do you know if the endpoint is vulnerable to SSRF? Okay, so simply put, first of all you're gonna check the parameters, d'you know what I mean,
(1:03:54) if there's something really common like url or there's something that looks like a URL, or even just an endpoint, so it'll be forward slash and then an endpoint, it's potentially making a request somewhere, doing something. So if you can put your URL there, your server IP, or you can even put an open URL redirect. So for example there's an endpoint where it will take another endpoint and send a request to it internally and give you the contents, and if you try to change it to a website it doesn't work and it can only be an
(1:04:24) endpoint. Now if you found an open URL redirect, what about if you force the server to visit that? Does it follow the redirect, which might follow it to something internal, which they might show you the response of, and it's all staying internal, which, I mean, you're bypassing a lot of defences using the chained bug. So it's about, with SSRF, seeing what is in front of you and seeing the behaviour and understanding. And like I say, the more you do this and the more you understand what is going on, the more the light bulb is gonna go off in your head basically, and
(1:04:54) you're gonna see like, oh okay, I see something interesting is happening, and then try and understand why did the developer do this, what is this actually doing, am I wasting my time poking at this, is this nothing, or is there something really interesting going on here? It's about, d'you know what I mean, put yourself in the shoes of a malicious hacker: you want to really break into this company, but you're gonna tell them how you did it. But, d'you know what I mean, a malicious hacker really wants to find their way in, so you have to put yourself in
(1:05:20) their mindset, but you're the good hacker. If you change to Hong Kong, her cleaner fit here? I'm getting to these questions. About Jackie's move, and that's annoying. ng a long is more on uber and logical bugs, and File Descriptor mostly on Twitter, and he's XSS god. Yes, so I hack sometimes with File Descriptor, like, he helps me, he's a god at XSS honestly, but he does get burnout as well. Don't think that, d'you know what I mean, everyone who is on leaderboards and the list and that find bugs all the time. We get burnt out, we
(1:05:55) get tired, we go through months with not finding anything. It's normal, so don't always think that if you're not finding anything that you're not doing well, because it's normal, honestly. A question about blind XSS or blind SQL injection: I've seen hackers reporting them on HTTP headers, what type of payloads would you use, just a normal script payload, or also fuzz a script? So for blind XSS you don't want to just chuck like a script alert, do you? You want to chuck payloads where it's gonna ping back your server, so script
(1:06:27) src, iframe, embed, img src, anything that when the HTML executes it's gonna hit your server and be like, hello, something happened here. For blind SQL injection, sleep. I mentioned this in my other live Twitter feed: whenever you're testing for SQL injection, even if you're testing it on a wide scale, but especially for blind SQL injection, always use sleep commands and try and make it sleep, d'you know what I mean, because then you're not really having to guess. If you can force the site to sleep
(1:06:58) for an extra thirty seconds and you can prove it reliably, and if you change it to ten it actually sleeps for ten, d'you know what I mean, you've proven it's blind SQL injection there very, very easily, and you've not got very frustrated, really, you're able to see the results without... can't see the results. How much time would you say you spent Google dorking compared to recon stuff? It can depend on the target and how many... I mean, what the target is, basically, but there is no time limit. A lot of people have asked me how long have
(1:07:32) you spent on recon, how long have you spent on this. There's no time limit, there is no time limit for us. Verizon Media aren't gonna shut down their bounty program as far as I'm aware, Google is not gonna stop scraping, there's always gonna be new data coming up every single day. There's no time limit, carry on, keep going. I just think you dropped a drink. No rate limit on an admin page, is it a valid bug? So, what can you do, what do you mean, brute-force the admin page? I mean, what do you think's behind the admin page, does it look like there might be
(1:08:03) something sensitive? How do you know there's no rate limit? And like, d'you know what I mean, that's a tough one. I mean, I'd check the program policy scope and see what they write about rate limiting, because yeah. What do you use for taking notes about sites and subs, with the mathematics? I use Sublime Text editor, however you pronounce it. I would open it now on my computer but I'm not quite sure the files wouldn't reveal anything, but yeah, I use a text editor, each file, I have a folder for each company, and anything interesting where there's been
(1:08:37) some interesting behaviour, d'you know what I mean, I've got an XSS payload potentially in there but can't fully get it to work, anything interesting I just note down to come back to it. I mean yeah, nothing special. From Chris: hey Sean, so I recently found an SQL injection and XSS and many more serious vulnerabilities in a content management system, but I got rewarded 50 US dollars. These kind of things upset people like me, what can we do to overcome these? I'm afraid I don't have the answer to that. How much a
(1:09:10) company pays and when they want to pay and all that, that's completely out of my hands. If you check out my blog post Turning Time Into Bugs, I reiterate that doing bug bounties is a risk as to when you'll get paid, how much you'll get paid and all this and that. That's the risk that comes with the reward, I'm afraid. That comes back to the start of this talk: we're not spending too much time on a program to begin with, especially if you're new, and finding what works for you. So I mean, d'you know what I mean, it's not only finding
(1:09:40) what works for you but, d'you know what I mean, there's so many people out there, community, who will tell you who are the good programs. We know Verizon Media do pay fairly quickly, there is a lot in scope, so you know you're gonna be treated very well there. It's when you get invited to the new programs, that's where you just want to test it a little bit, see what's what, to not waste your time. So let's carry on with some questions here. Well okay, Sean is the mass of Idol and pretty cool. Becca says yo. Brute Logic's here, hey man. How much time should
(1:10:13) someone spend reading, and when he knows how much time for hacking, and should he practice on labs? Okay so, okay, well, I'll tell you how I hack, well, how I learnt to hack basically. So when I first started in bug bounties, I'll be honest, I used to look up to Frans Rosén, see him sharing these cool bugs, top leaderboards. I think even smiegles was at the top at some point, don't think he is up there anymore, I don't believe so. Mark Litchfield as well, he was massively key when I very first started, because I
(1:10:46) saw their write-ups. So in terms of spending time reading, I read Mark Litchfield's old write-ups on Yahoo on his bugbountyhq.net or something like that, and I don't think it's online anymore, and maybe someone has all of his old bugs disclosed saved somewhere, hopefully. I believe Shawn Meals was on there, but I spent probably a day going through their bugs and understanding what they had found. Okay, Mark Litchfield managed to execute this XSS, this XXE here, it was passing this, and, d'you know what I mean, so again, it's spending time. It's about what works for you, but I read
(1:11:24) for a day and then just jumped straight into it, because I learn better by having it happen in front of me. So I wanted to see this: it's all fair seeing Mark Litchfield do this, but I want to feel that euphoric freedom that he felt when this worked. So that's then when you go test on set-up places for people, you know, I mean, Damn Vulnerable Web App, the HackerOne CTF, Bugcrowd University, YesWeHack, I've also got a CTF. It's about what works for you and how you learn. I don't read as much as I used to now, d'you know what I mean, when
(1:12:02) write-ups come out I do read them, but I don't spend as much time reading as I did when I first begun, because you are the hacker light bulb, you just know, d'you know what I mean, just know what's going on. You absorb that information, you process it and then you execute it. Really, d'you know what I mean, lately I read the write-ups, but when I read the write-ups to begin with, with Mark Litchfield, I really, really tried to understand what is going on here. And when you get your head around that, hacking is simply: you're here with your payload, there's a server in the
(1:12:37) middle and it executes it. You chuck your payload, it executes it, gives it back. You're limitless to what you can try, limitless, chuck anything you want, just understand what it is doing and what is executing and why it's executing it. How did you start learning about security, just curious? Simple answer is I just like to poke at things and break things. I reported a bug not realising that it wasn't in scope, it was self-XSS, as a result I lost reputation. I won't worry about reputation if I'm honest. I mean, Jobert even said on Twitter that they
(1:13:16) only created rep wasn't it for vdps to have some sort of incentive rep doesn't really mean like shouldn't focus on it don't don't worry about it honestly and like I say don't rely on platforms to get invoice to programs there's lots of programs out there who want hacker help and you just have to find them trust me how sure my bro I would like to tell you as your pinion on the future of bug bounties and InfoSec in general also based on that do you have any advice to newcomers great session keep going that's brute logic okay the future of
(1:13:50) bug bounties, I mean that's an interesting question, because, you know what I mean, I'm just the hunter. I don't know how these companies are liking bug bounties or if it's working for them on a wider scale. I mean if bug bounties is working so well, why above ground, and how can one now start in all these pen testings; I mean, you know what I mean, are we now gonna be out of a job, are they? I mean I don't know if this is happening, but maybe HackerOne or Bugcrowd are creating some sort of target team that looks at programs before they go live, or
(1:14:29) writing programs so there's not so many XSS everywhere on that. I don't know. But the future of bug bounties: it works, you know what I mean, bug bounties works if it's executed correctly, because a website should have so many different layers of defence, I mean, and bug bounties in my opinion should be last. Because if somebody reports XSS to you via bug bounty there shouldn't then be another 50-odd XSS on your website; you should be able to instantly know who to send this bug report to and understand why this bug was introduced
(1:15:05) and be like okay, we made a mistake here, and then you prevent that mistake. I think in the current state a lot of companies with bug bounties are setting them up, wow, I mean, if I'm honest I can't get my head around how multi-million dollar companies can open bug bounty programs and researchers like me can find hundreds of bugs just like that, just like today, have no previous tests. Where was their pen test? What I don't understand: why bug bounties is out there basically showing the world that the Internet is completely broke. Good, I've
(1:15:38) no idea. Just to finish answering that question from Brute Logic, wherever it's just gone: based on that, my advice for newcomers, like I say, don't rely on platforms, you are your own boss, bug bounties isn't gonna go anywhere, and companies understand that there are researchers across the entire world with talent and they want our help. So don't give up, don't let the bad times stop your future, you know what I mean. Do you use amass for recon? Yeah, I actually, I use Ben's tutorials, simple as that. I had a "last hour hacker" with Ben a long
(1:16:15) time ago and he found a bug. I go through all the scripts and tools that everyone else uses, so Sublist3r, still Aquatone, I've updated my InputScanner, Burp, pardon, I use all the usual tools everyone else does. We're all using the same tools; it's about what you do with that data. I mean a lot of people get all these subdomains and they're like well I've got loads of subdomains and I visited a few and there's not a lot on there, and then they sort of give up, they get a bit demoralised, and look, see, I mean, you set a goal, see what you want to do for the
(1:16:46) afternoon. And what is your experience when you use HTTP response data to inject it into a request; what do you mean by that, use the response data to inject into the request? How to make your own wordlist, is there any methodology? As you're hacking on a domain, yes, you're focusing on certain programs and you're noting down your notes, certain parameters, you build the wordlist yourself and then go with different variants. Do you know what I mean, if there's a parameter for example where it says value1 equals, try value2 equals, value
(1:17:21) 3 equals, value4 equals, see what's what. You know what I mean, understand the target, understand the parameters, guess the parameters, brute-force them, see what is on the page. Sit, you know what I mean. Could not find mousetraps? Yeah, they got removed; I'll see if I've got them saved on my old computer somewhere. There is a psychological barrier that is telling you all the time that everything that you are actually trying has all been tried, there's no magic, any tips on this? Don't care what anyone else has tried; take it as this company wants to
(1:17:56) work with you, they've told you what's in scope, they've told you how much they're gonna pay you, you're doing the test, you know what I mean, you're doing the test. Somebody else might have tested it differently to you, somebody else might try a different set of payloads, somebody else might have done this and that. It's not what everyone else is trying; I don't care what anyone else is trying, I only care what people have shared and what's working for them and what you know. They do, do you know what I mean, you know. For XSS I search Wayback Machine,
(1:18:24) robots file, open URL redirect to hijack the token, you know. Naffy is really good at scanning for files and old files and subdomains when they come online. People like me and Naffy cannot give it any more clear-as-day for what we do to find bugs, honestly. So don't feel like it's not been tried, just try. When I tested WhatsApp I couldn't see anything editable in JSON, everything are generating, burped; did you try WhatsApp? No, I've never tested WhatsApp, to be honest. From sha sha rule: how to determine upload picture from URL as
(1:19:03) blind SSRF? Like so you're uploading the picture from your URL, and okay so that's an interesting one because that's kind of the intended functionality. If you look at Ben's recent tweet he actually did some DNS rebinding which enabled him to leak some information; I believe they're gonna do a tutorial write-up on that so I recommend keeping an eye out for that. But you're essentially doing that, see, so you're abusing their functionality basically. So well I'll give you two examples here. So let's say, for example's sake, it's looking for an image and it wants
(1:19:42) nothing but an image. See if, first of all, it will follow a redirect to an image that might be on their internal system, and there was a report for it, let me find, there was internal SSRF on Shopify or something like that where they could prove that there was an image on their internal system, to prove that something was running, that's using their feature sort of against them. I mean if it follows redirects and wants to check a photo and you check it as an internal photo, basically. I will try find that,
(1:20:16) send me a DM on Twitter for that question and I'll send you the report. Um, is it worth giving up a regular job for bug bounty? That can depend on what country you're in, where you live, how long you've been hacking, a lot of factors go into that, to be honest. I feel like if you've been in this industry the longest you'll do more successful on platforms, that's just because they do base it on rep and all this and that and activity; I mean even Bugcrowd say you have to submit a certain amount of bugs in a certain
(1:20:49) amount of time to be eligible for private invites. I mean it depends on a lot of things; that's why I say don't rely on them, because many people out there are scoring massive bounties with companies who are not using these platforms. And going back to Brute Logic's question, maybe we will see a decentralised, as such, bug bounty place, as such, like companies will be running it themselves, you know what I mean, maybe they'll ditch platforms. That's my thought, that's probably what will happen, maybe. So yeah, again, if you want to give up your
(1:21:22) regular job I can't recommend what to do, it can depend on all the things. What three bugs should I focus on finding when I'm just starting out? So I get you need to get your head around what hacking is, because there is no like, okay, just focus on this bug; but first understand what hacking is, because when you're doing your recon data and you're doing your recon and you found subdomains and you're like right, I'm gonna find all the login forms and I'm gonna log in, it's about, could you understand hacking, and you understand
(1:22:00) how things work, you just have to be able to look at the code for the light bulb to go off in your head basically. That's what I'm trying to help people understand here with this mentoring session: that while there is, okay, I want to focus on this certain type of bug when you're just starting out, like this is aimed at people just starting out, you need to be able to get into the mindset of, when you're looking at things, to twig in your head, light bulb moment, ah I get it, I see this happening, someone mentioned that you could probably try
(1:22:30) this and that, and, you know what I mean, understanding, because yeah, if I'm honest that's the best way. And because I don't want to just say, oh, focus on XSS, focus on just this, because then you might get burnt out looking for just that. You want to be able to learn to find these bugs as you're learning recon and learning how people like me and Naffy and all these other good hackers find stuff, basically; you're learning on the way. How to become a good hacker? I mean you, be actually curious, you actually want to ask things. Okay, I got
(1:22:59) a lot of questions. Any tips to find RCE issues, finding where they would probably be done? I mean file upload, can you upload your own file; the one thing for RCE for me is like command injection, you know what I mean, try pipe, that, try curl your URL. But with RCE, this is probably where you don't want to focus so much on the signup forms as such, like, you know what I mean, you're obviously trying for SQL injection there, but if you were looking for the RCE you want to try look for maybe any exposed services they've got where you
(1:23:37) can interact with it. I say any file upload type things, but you're looking for something like, thinking in your head, like where something might actually execute and work. I mean there is no like go-to point of RCE really, because it can be anywhere. Okay, there's some random parameters, we can inject a command into it and they will execute your code; why was that there? I don't know, anyway. It's more understanding: the more you understand, the more you're gonna get your head around it. From fail chase: how would you find a good program to hack on which is already vulnerable,
(1:24:13) like PHP app, Java-based, what makes you interested in a program? Good question, I like that. So what makes me interested in the program is wide scope and if I understand what the site is actually about and what they want to do. So say for example TripAdvisor again, and I mean they're a hotel booking website, [Music] they have a lot in scope, and I don't know, like, I don't know, it's, you just find a good program to hack on the more you test. Okay, you know what I mean, I've been doing this for five years and when I first started out I was in the same shoes as
(1:24:52) everyone: where do I start, there's so much to do, what do I do. The more you do it and the more you just focus on something, the more you actually pick it up basically. Like I spent, I was on holiday in Greece and my girlfriend went to sleep, wasn't meant to be going to sleep, and I was like screw this, I'm gonna get up, I had a hacking session till 5:00 in the morning and got up the next day and she's like what, you're tired? It's like yeah, I can't, I killed a Richard voice, that's a bit too much fun. So I could have gone the complete opposite way, I
(1:25:22) could have had a horrible time, not found hardly anything, so it's about what works for you, poking and seeing what's what basically. How do you approach the target, especially if the website is based on IIS, aspx, Joomla type? So if you find a target that has all of those on and you're like what's going on, go onto Google and research every single thing about it, every single thing about it, but understand what potential bug types have already been found. So search for Joomla exploits and then think to yourself okay, well if there's Joomla exploits out there,
(1:25:55) what's the first thing you want to do? See if their version's up-to-date. If their version isn't up to date then you want to consider okay, why is it not up to date, is this an old forgotten-about server, do they not care about it, is it attached to anything sensitive, what's going on. Same with aspx: there's a common payload for bypassing XSS if it was on aspx, so you know, part of me, you know to try that everywhere. There's the ghetto bypass, our monitor, as well; you know to try that for XSS everywhere if they're filtering, because, you know what I mean, it's about experience, all
(1:26:31) kinds of experience. For a lot of you, a lot of you obviously knew it comes with experience, it's so daunting, I get it, it comes with experience, you will pick it up honestly. I'm getting all these messages. Promise: I'm a beginner, started learning web pentesting and plan to learn and practise two years and then get into bug bounty and then some hall of fames, give me some advice. Watch this video if you haven't from the beginning, because I've just gone over everything, like, you've literally, you know what I mean, I explained two minutes ago everything is out there: tutorials,
(1:27:05) payloads, write-ups, challenges, videos, all the bug bounty programs are out there. It's about just getting your head around it and going at it, it's all out there. How do you look for bugs like RCE, SSRF, SQL injection as you said, what are the common endpoints which you have found that are most often prone to attacks like this? So with SQL injection you can pretty much test it anywhere, I mean, but if you look, you're looking for like numbers potentially, if it's interacting with the database, because you can easily test that if you have a
(1:27:33) number. I say for example 10, you can just put the payload 10-1 and see if it executes well; then you do 11-1 to get your, your idea is 10, work from there sort of thing. So let's say, SQL injection, you test it pretty much anywhere really, it's still very, very common. There is, for RCE and SSRF, again, again for any bug you can test it anywhere. Like I'll give you an example: [ __ ] messaged me finding RCE on a provider, so where, how, and it's just some random parameter, just some random parameter, you know what I mean, it's
(1:28:10) understand, you have to understand what's going on. But even I understand why that was there, and that taught me a lesson of once you feel lost on there, then probably good: spray a ton of random payloads and see if anything hits, you know, like, if you really feel like you've been fed up after this. How can we look for parameters, in this parameters where we can give and test different inputs, one place is talking, what others? I think I answered that one: so you can brute force parameters and
(1:28:43) you can look in the chat, like, you know what I mean, in JavaScript files, and check the source for input names and things like that, some of your own wordlists. There's no wrong answer to parameters; I mean you don't know, what parameter, debug=1 has worked for me before to display loads of random debug information, completely random, you know what I mean. Hacking is, that's the beauty of hacking, you can't be wrong, there's no one at you saying you must do this, you must do that; you have to find a bug, you try anything you want, you're only wrong if you give up, you know what I
(1:29:16) mean. I was doing a CTF and I got the hint from someone that the flag is in SQL injection; I tried it for three days straight, still nothing. So if you run sqlmap, I presume, it's probably filtering certain things, so that goes back to earlier in the talk and understanding what it is filtering and what it's doing, and, you know what I mean, that's the whole idea of a CTF, to get your head around it and to reverse engineer this developer's thoughts as to what filters, here, what's going on. You know what I mean, I'd say run sqlmap on it, but don't just chuck sqlmap on it as such, because you
(1:29:51) want to understand what it is filtering and what it's doing; try and work it out and then, I mean, try sqlmap. Um, I'm getting through these questions. Gobuster or dirsearch? I use dirsearch, to be honest; every time I use something Go-related there's always errors, I set it up every time, it infuriates me, annoys me, so I try, honestly, I don't use many tools with Go anymore really, no offence to Go fans out there. Do you think SQL injections are dead? No, but with SQL injections you're probably gonna want to look for old servers and things exposed, like new
(1:30:31) code normally isn't vulnerable to SQL injection, you are correct, with the latest frameworks and coding languages and that. So again, what does that say to your hacker light bulb moment? You want to start looking for old stuff, old things that have been forgotten about, you know what I mean. Any tips for command injection and local file inclusion, what area should I look for? So command injection, anywhere, there's no limits where you can try that; look for somewhere, potentially the parameter where it looks like they're doing their
(1:31:06) own code injection as such, I mean like it'll say action equals something, and obviously they've got some sort of code that's gonna execute this, call it to a function; try and just pipe, this sort of thing. I've gotta say GitHub PayloadsAllTheThings: if you simply just look at other people's payloads and understand what the payload is doing and why they came up with a payload, you've already skipped a massive step of the hard work somebody's done to create this payload, and why, you know what I mean, why somebody made that filter. Understand what's going on and get your
(1:31:40) head around it. That's really, honestly, as simple as hacking is: it's just understanding. For local file inclusion, I mean you're looking for somewhere potentially where you can upload a file, so download files, view files, looking at parameters, if they're rendering PDF files potentially, things like that. Could you please tell something about race condition bugs and where I should check it? So okay, interesting question, I'll give you an example. Let's say for example you can apply a coupon to your account, it's a fifteen dollar coupon; if there was a
(1:32:17) race condition which let you apply the coupon over a thousand times, you've created yourself a bug over there, you know what I mean. Like again, being a hacker you're limitless to what you can try, like I say. So what happens if you try to test for a race condition on a login form? Like, a lot of you people are asking me where shall I look for this, what should I do; there is no go here, go there, go do that, every site and every developer's coded everything completely different, you know what I mean, we don't know how everything is working and that's the job of you as a
(1:32:52) hacker, to poke at anything. What happens if you test a race condition when creating an account and it created two of the exact same accounts? You might have it spit out a ton of random errors which exposes something; you don't know, you don't know unless you try, honestly, don't know. Do you have a list of methods on hunting? Yeah, I believe I went through that; I may have started this talk early for some people, I do recommend going back to watch the beginning. But my, I mean, I compared myself to Naffy, and Naffy likes, what,
(1:33:26) tell me, I don't know his exact hacking things, but based on the talks he's done and the slide shows he's given out and actually meeting him, he likes to find everything that this website company has exposed to the Internet and see what's on there basically. Me personally, I like to find websites where I can interact, I can log in, I can sign up, I can do something, so I mean, because in my mindset somebody has potentially created some filters here and created some layers of defence and I want to break that, then that's it.
(1:33:56) [Music] Just coming in: how can we check or keep track if a new subdomain is being created by a particular company? It's very difficult to scan again and again to check for new subdomains, so you can, SSLMate Cert Spotter, you can see if they bring out new SSL certs for subdomains and things like that. But honestly some people will scrape subdomains every 60 seconds, I'm not even kidding; they will check a subdomain even if there's nothing on there, no files, nothing, they'll check it every 60 seconds just in case it does come on
(1:34:32) there. I'm not even exaggerating, every 60 secs, some people probably do even quicker. But, you know what I mean, don't feel like you're doing the same things over, because you kind of are, but you're learning as you go along, you know what I mean. And how long do you want to stick at this for, how long do you want to find a bug? Like I'd say some people do this just for money and they come in, they can't find nothing, so they get out: oh, you can't make money from bug bounties. You spend time at this, learn stuff, understand what's going on, you'll make
(1:34:59) money, honestly. Even though frameworks made it easier to fix SQL injection using ORMs or even parameterised queries, there are a few places like after phone calls, is, yeah, there are lots. Rah-rah-rah, I can't pronounce your name, Rahul, British accent; you know he's a genius at SQL injection, I always say if you have any queries with SQL injection, he even has a challenge on BugBountyNotes for practising injection, you should go to him for that. Random Robbie, for recon stuff what's your strategy? I mean, check any site, like I say, I understand
(1:35:38) what this site is about; I don't want to just go dive nose-deep into a program and not know what's going on and just be chucking random payloads at everything and thinking oh my god nothing's working, nothing's going on. I want to understand what this program's about, what's going on, why they thought we, and what's doing what. What if there's a program out of scope for DoS, but as you look the rate limits are shown and this is vulnerable to DoS, report it or not, out of scope for DoS? So yeah, I mean some programs will say DoS isn't allowed,
(1:36:14) you know what I mean, because if you're doing a denial of service and you're bringing down their website, I get it, I mean you cost them money. So that's a hard one to answer, because I don't test for that. There was one recently that James Kettle got seven and a half from Uber, but that was at the live event so I can imagine that was in a controlled environment. I don't test for DoS really with programs, in case you bring it down; they're gonna be annoyed at you probably. If you want, if you feel like there is some behaviour where you can DoS their
(1:36:44) site, like, you know what I mean, and cause their application to hog all the memory and come down, potentially reach out to them, be responsible and say hey, I've got this that I think potentially is gonna work, can I try it, see what they say; I mean the worst they can say is no, they might say yeah. Yeah, no, I get Go errors all the time, it really annoys me. Yeah, I very rarely use Go tools. SQL injection is still alive, yes. What was my recent SQL injection? It was just in a parameter, this is like a random, what was it, let me think, I found SQL injection of
(1:37:26) worth, honest, let me think, I'll have to get that one. I think of some random old site and you simply put in ' and it would chuck out the SQL that it was making. I remember running sqlmap on it and not being able to actually extract hardly any useful information, but I reported it anyway and they said yeah, it was valid, you could have been able to do something. But yeah, SQL injection is an interesting one. I'm getting these questions: in your experience are companies that use bug bounty programs getting any better at secure coding? That
(1:38:02) can vary from company to company, depends on why the company has set up a bug bounty program and what they hope to get out of it. In my opinion some companies get sent the bugs and don't know what to do, in my opinion, like there's certain bugs on certain companies I still work [Music] there. It can depend if you're asking whether we're basically helping companies get more secure and we're not gonna be able to find bugs: it's always gonna be bugs, always, always, always, always. How to find DOM XSS in a huge line of JavaScript? My
(1:38:38) filedescriptor, read and understand it. I mean if it's a bunch of random JavaScript code, obfuscated, you can de-obfuscate it; if they've beautified it, which I mean they've made it all on the same line to try and make it harder, just beautify the JavaScript code and it will make it neat so you can understand, and just go through the code, understand what's going on in the code, find endpoints, find developer comments. Hacking really is just understanding what's going on. Can we increase the severity, chaining any other vulnerability, with a self XSS?
(1:39:14) Yeah, so if you can CSRF, there was a bug on Uber from Jack Whitton, fin1te, a few years back where he had a self XSS and he chained cross-site request forgery login to basically force the user to log into his account on a certain Uber domain to grab the cookies on the other domain; it was very interesting. You could also potentially have blind XSS, a self XSS, if it's in your user profile, potentially, that when someone at this company views your profile it might execute. I did speak about this earlier, but like I say I don't
(1:39:48) recommend going harassing customer support, same with your profile, because you might get in trouble. I'm new to hacking, please guide me, how am I to start with hacking, I'm going to have a field, please I need help, guide me. I mean what's your interest? Are you interested in hardware hacking, you like mobile hacking, you like web hacking, like, I mean if you're interested in bounties, you're interested in hacking, like, there are some answers for that: what are you interested in? I like web hacking personally, mobiles but no, felch a. So, do I not find
(1:40:32) SQL injection as common as I find IDOR, XSS and all that? I don't, if I'm honest. For new beginners, which type of program should one focus on, or how to select such programs? So again, I didn't mention this earlier, but with bug bounties, right, you can't, there's no do this, do that, look here, look there, because, you know what I mean, get involved in the community, look at what's being disclosed, look through the HackerOne activity, look at write-ups, see what everyone else has been poking at and follow in their shoes. So like I say, Verizon Media, now you're
(1:41:10) gonna be trapped well over there, they have a lot in scope; don't just go into Verizon Media and think right, I'm gonna find a bug and make loads of money, whoo. First, if you're brand spanking new, you're brand new, no bugs, no nothing on any platforms, the very first thing I would be doing is looking for what bugs have been found on Verizon Media already; look on Open Bug Bounty, look for any disclosed reports, look for information that people have been talking about, to get a feel for okay, this was found, then this was found, whenever, and you get an
(1:41:40) instant feel for what's going on, don't you, I mean. Okay, so, I've got some questions: why are layer seven DDoS attacks considered hard to detect by the company and even hard to mitigate? I don't know much about DDoS and nobody does; anyone, never be in DDoS. Please, no one DDoS me right now. DDoS
(1:42:08) is out of scope on bug bounty programs so don't focus on it, and I'm not the guy to talk to for that. How do I deal with burnouts? Good question, very good question. So if I'm burnt, I say the longer you do this the more companies you're gonna have that you want to poke at. So if I'm burnt out on a certain company and I'm not finding anything, my first thought is gonna be like, well, why: number one, is this company listening to me, are they actually fixing bugs and not introducing new bugs and actually doing something right, it's working; I mean, two, am I just trying the wrong
(1:42:41) thing, so I need to actually try something differently; three, to simply go look at a different program; or four, this is my checklist, bear in mind, four, I'll just simply take a step back, depending on how the last couple of weeks have gone with hunting. If it's been quite good I'll be like okay, I was gonna take some time off, you know what I mean, as you're then taking time off and reading things that people are seeing on disclosed bugs, or you're watching this live Twitter stream, now you're, it's, get re-motivated, oh wow, he found
(1:43:15) that, okay cool, I'm gonna go try to do this. That's also what this talk has been about, to try and help motivate people, get motivated here, to get pumped up to want to find these bugs, because I mean how much did you want it? I've got another question: how much time do you take to recon a site? There's no time limit, I'm still reconning the sites that I started as a new program I started hunting on, last year sometime, like that; I'm still doing recon every day, I'm still looking, because you don't know what's out there. I can
(1:43:46) never be done with recon, never be done; that's how I always get bugs, always doing recon. There's a lot of questions here. Dark porns a, I've, you keep repeating the same question; I've already answered your question, like, there's no right answer to, have you to start web hacking or go into another field. If you're forcing yourself to be a hacker I would like to know why; why are you interested in being a hacker, what's brought you to the stream? Because I'm a web hacker, everything I share is web-based stuff, I've got, me,
(1:44:23) I've got BugBountyNotes to help people with that; you're new to hacking and that, like, what brought you here, because I'm interested. Have you ever self-closed any program on HackerOne because they didn't approach or triage at all for a long time? Yeah, yeah, I have self-closed and complained to HackerOne about programs before; we've all been there, we all know the reasons why bug bounties are how they are. I mean I don't want to start drama, but the marketing, oh yeah, the marketing is aggressive in my opinion from platforms: you need a bug bounty
(1:44:58) program. But this is why I'm doing this talk and this is why I mentioned it at the start of this talk: we're in a huge, there's a huge opportunity here to sit in the comfort of your own home and hack these companies legally and get paid. So I thank HackerOne and Bugcrowd for doing their aggressive marketing really, but you just have that as well, there is risk with reward, because not all companies are going to play fair; that's why you have to test these companies. Is everything making sense as to how this industry works and how you
(1:45:26) can do this for a living and find out what's what? How much severity is an external SSRF, I mean external interaction to my site? Well, what can you do? Again, I said this, I mentioned this earlier: put yourself in this company's shoes, is this an intended feature to ping your website, like, why is it pinging your website, is it down, is it designed to download a photo? Understand why it's doing it. If you can give me more information as to that I can help you, but just saying hey, external SSRF, you know what I mean, yet again, with being a good hacker, understand the
(1:46:06) context, understand what is right in front of you, what bug have you got. Should I focus on only one program or try an attack on different programs? Loads of programs out there, and don't just focus on one program, but, you know what I mean, if I'm honest, writing this talk, I'm not finding this too hard at all really, but like, it's hard to talk to people very new and people who are also experienced, because if you're new, focus on one program, but as you go along you'll find you're not focusing on one program. But I feel like, I believe every
(1:46:41) hacker has their program that they've learned the most on. I have one, I'll be honest: Autotrader was a program that, you know what I mean, they had a vulnerability disclosure program, there's no money involved, but there was no one else looking at it, I knew they'd give me some cool swag, and there was just fun stuff to try on there, try new things, it was just fun, you know what I mean. So again, what works for you. How to bypass captcha? Change your IP address, try change cookie values, things like that; depends why you want to bypass the captcha. Captcha isn't really a defence
(1:47:15) these days because you can just pay services, like 20p, even 2p, to get rid of the captcha as such, so websites protecting themselves with captcha aren't really protecting themselves. So how do you keep a relationship with the triage people? I try to be professional, and I don't know, if I'm honest, how to answer that one; I get frustrated with triage people a lot, honest, especially on Bugcrowd, because, you know what I mean, I'm not going to start all of this, but the VRT: I submitted XSS that did nothing, P3; then I submit stored XSS, P3 as well,
(1:48:09) but the analyst, why are they the same, what's going on? Well, I'm just following VRT, nothing to do with me. And it's like, what, hang on a second, you're meant to be a hacker like me verifying the bug, we're meant to be on the same page here, and it felt like he was just going down a checklist and, you know what I mean, not actually doing his job properly, you know what I mean, no offence, sort of thing. But yeah, when I emailed the program and said hey, this bug's actually not just a medium, they turned around and changed the priority, but what a waste, a frustration, and I don't think
(1:48:40) triage people understand how much of the frustration they actually cause for some of the hackers with not understanding the bug not understanding the rapport and understand the true impact miss dupea but this goes back to a guest Brute Logic's question with the future of bug bounties and ask yourself why are other hackers triaging bugs and that's because of aggressive marketing and always companies don't want to deal with people like us they want somebody else to verify the bug first but if you've got these analysts who are verifying
(1:49:13) bugs for so many different companies how do they actually know the true impact of what's going on so yeah I know trying to get to attach these triage people try to build a relationship with the companies not the triage people companies are the people you want to build a relationship with they're the people that want you how to hunt for p1 bugs I mean I mean how do you in all honesty be Beck if that's how you pronounce your name how does a hacker like me answer that question because that's like saying I'm now gonna go hunt for just p1 bugs like
(1:49:50) I understand what a p1 buggy our CSS our f ing what you can do SQL injection etc but if you understand what those bugs out you're gonna know how to hunt for them John I mean so I mean you this is the gun this is how well this whole talk is about understanding what hacking is understanding that you've got all these payloads and things you just have to understand and you'll know where to hunt it's do you want to do this as a job or come in are you know for the quick money or you in this for the long game basically and yeah I'm honest I'm
(1:50:25) gonna be honest with everything about this any suggestions to find in XXE mobile apps a lot of mobile apps will actually do some XML parsing behind scenes on the API that people don't realize about just change content type chuck XML payloads at it you'll be surprised that's good price I've had some success with you're mainly looking for upload features OAuth XSS XXE gonna be an upload an XML file SVG file potentially as well things like that when you were new how long did you spend the program or top bug until you moved on I mean
(1:51:13) okay so okay okay I'll answer this one with my experience at the live hacker event with HackerOne in Vegas the very first one I found diddly squat nothing my first ever live event I felt the pressure of live hacking around all these people I was nervous I found one bug actually some rate-limiting bug that was crap yeah it took me a good four hours probably it says I'm low am I still live I think this is glitched out no I am still live yeah came outside I thought my thing had glitched out there I was watching myself
(1:52:07) don't know what happened there okay cariann uh yeah Carrie and I can now get just the one in chat if you guys can hear me just to make sure okay I'm getting a lot yes is cool let's go wait for a one in chat for a carry on rambling okay I got one that's good okay so how long okay back to my story sorry about that so yeah like I say I attacking in Def Con and I was frustrated I won't find anything I was burnt out after four hours before I felt like moving on oh so I'm going round round round round circles I'm just
(1:52:49) getting frustrated so I went back to a program that I knew I went straight back to the program that I felt familiar with and actually found a bug that night on that program so yeah it depends on you and sometimes I can I mean sometimes I wake up and be having a bad day and get burnt out within an hour it's depend a lot of factors in play can captcha prevent brute-force yeah it can but potentially not very well depends on other defenses they have I mean if you're thinking about reporting a bug where you can bypass now I mean what
(1:53:26) what is the feature for them let me ask him is there any way to escalate DNS-based SSRF of an important in so what you mean okay I'm loading against some reason I don't like he's doing this we closed shirts we're still good okay I think we're back I can see myself on here [Music] finishing that question so what you mean by DNS-based SSRF sir was it hitting your server making a DNS request I'd keep an eye for DNS rebinding or things like that I come in handy when did I start bug bounties back in 2015 something around there is it suitable to
(1:54:30) report outdated web servers without giving an exploit proof-of-concept uh no because think about it if he was a company and you received a bug like what okay this is outdated web server without any exploit they're gonna be like okay show them why they shouldn't be online if it's old and outdated I understood that one has to learn and keep an open eye to find bugs I found some but mostly not set for stuff of stuff is safe that's like sales job you get rejected how you deal with it it's the motivating what you mean like your
(1:55:05) bugs are getting rejected why your bugs getting rejected could you give me an example as to what bugs you're having rejected I've got five duplicates yesterday what depends on program you're looking at I mean don't treat a duplicate bug as I'll know I'll never go look at this program again take whatever this duplicate bug is and try elsewhere on this program it might be in another area if it's XSS try this parameter in another area I mean don't let but don't let dupes demoralize you trust me don't how to manage time like for hunting and
(1:55:46) learning well it depends I mean like yourself in a streamer who streams games she's if he's enjoying something he's gonna stream for a long time isn't he tell me constantly streaming on this video he's having fun same is for hacking there's no time limit every all these questions with time limit and listen that if you're having fun you're having fun if you're doing this is a nine-to-five full time then that's where you treat it as a job and you join in you understand you have to take breaks and managing your time is what works for
(1:56:26) you me Percy my my time management I will hack during the day and normally game at night sometimes I hack at night till 4:00 a.m. depending on depends on my mood I mean and what bugs I found if I found something that's really frustrate me that I've not got made to work it then I'll keep at it that's that's just me that's that's just being a hacker in a live event is the scope different yeah it's usually it's completely different product I'm new to hunting and which type of bug I should focus in the beginning so again this isn't about just
(1:57:08) focusing on certain bugs getting your head around what actually hacking is because you can find a bug anywhere if you understand that you can try anything do you know what I mean I'm repeating myself a lot of times I don't want to just say search for XSS do this do that because then you're just gonna focus on that and get burnt out the whole idea of this talk is you want to be able to take a site like Verizon Media and understand you can do anything you want all of the bug information is out there from talented hackers like Frans Rosén
(1:57:50) and Nathaniel Shaw meals me Brute Logic there's so many talented hackers out there who've shared so much key information just have to read it understand get your head around what they explained to you what they're trying to tell you is going on here and why it was vulnerable and then just get to it you are your own boss you come up with your own recon ways and all this and that it's what works for you captcha and login so what's the impact honestly right what is the impact because if you bypass the captcha and
(1:58:24) login they might have bad they might have IP rate-limiting if you want to brute force a password so think about the impacts is that it's their impact in that think about it what's your recon methodology I've been through this I highly recommend going to watch this video a few months ago I found a war fee 1 token leak then I report it but the program closes n/a because I can't reuse the token so what do you mean by you can't reuse the token so how does how does it work so is it a login flow so when you login the token
(1:59:03) is leaked where did you find this token because that's another key thing if you found a token that was set up in 2015 probably wasn't probably not gonna do a lot now John I mean what is highest impact on rate limit bugs can depend on the feature I say if there's some stuff I mean I don't know because I don't really smoke ever report brute force in passwords on admin pages some people do I get it you want to try common passwords now but that's not my power my methodology whether it's part of our peoples that's fair play but I don't
(1:59:47) know I don't like the idea just sat there brute-forcing testing rate limits really I have reported a few they've always got no impact so I've never really focused on them and how long did it take you for turn on the hacker bulb as your default mindset since I couldn't remember from honest hacking just comes natural I guess to some people because you're not I don't know how to explain it I'm just naturally curious I see websites it's not just website search anything in life I see anything in life and I'm just
(2:00:21) naturally curious to how it works I I don't know I get I can picture in my head a visual mind map as to how something might be were again I want to find out how that works and understand why it's working like that I don't know it's just match fly so just comes natural to some people I I guess that's why I'm here just talking free of charge and helping people now let me see if I got any questions on Twitter we got one about Google dorking one from Simon Smith which Ben is this sorry this is nahamsec Matt and hey nahamsec
(2:01:04) yeah I got that a person chat yeah yeah Ben may be posted a really good tutorial recon like I say people asked me for a recon methodology informations all out there honestly can you show me your Burp plugins I can on this computer I'm a my laptop but I can tell you right now I'm over computer what I've got I only have two Backslash Powered Scanner and Collaborator Everywhere it's all I have I do a lot of manual hacking I'm a hands-on try me like everyone some people might be sitting there saying my
(2:01:49) gosh when you miss not know two plugins you're not doing this properly and doing that but it's what works for you now he found that doing his scanning stuff works for him I found that I like to break things and treat and like not puzzle because I don't like puzzles but I like to understand people's thoughts I like to understand why somebody thought like that on why they did it like that and break it and try and help them not make that mistake again really yeah like I said I use a lot of Burp plugins and I got another question
(2:02:21) here it's a physician that's wrong we had a question from wolf droid about Google dorking I think I did mention of a lot about Google dorking but like I say I've spent hours even on GitHub there are a lot of Shodan a lot of ones but they're doing all the work for you really don't mean spidery and journalist or not you just piggybacking off of there is essentially as Naffy a blog to see write-ups and tips I don't think he has a blog there is a slideshow out there not shared out I'll have to find out more Twitter I find it now potentially
(2:03:00) but he basically shared information with Shubs I believe it was about how they were hacking on Yahoo and tons of really cool bugs they find and as you go through these slides and you compare to what he's doing now you just get that light bulb moment as search like if what you know Naffy's method I understand when he finds he's interested in points that Johnny he's doing hacking and that but you know Matthew cannot tell people any more than what he's doing he's taught even that Assetnote yeah everyone knows what Assetnote does so yeah I will find
(2:03:35) Naffy's thing and paste it in here it took me ages to find last time I tweeted it to him a tweener out I wish I could search tweets somehow I will find it any word list for other than set this with brute force and what are you brute forcing I have my own lists that come up with a lot of people have their own lists well he briefed awesome you brute forcing passwords I can't help you some program on Bugcrowd are telling they won't fix broken authentication and session and bugs can you give me an example what you mean by session
(2:04:15) management bugs a talking about like a say for example you close the browser and you're not logged out did you report something like that and like I need me some more context I will get Naffy's slideshow thing very soon define this I need to remember where I said waited it out to him like a while back though I was like people don't somebody was saying to Naffy like you don't share anything on this in the industry and I was like hey did you never ever see this this is this is everything you possibly need I am new in this bug hunting side and I
(2:04:55) didn't have any bachelors Computers and after bachelor field - what's your suggestion I mean I don't have any qualifications either at all I left school 16 did college for a year hated it because it was just learned about PowerPoint presentations and Here I am ten years later so in terms of changing jobs and maybe should mean like I'm probably the best person to ask advice on that because education is important apparently I don't know can the latest driver instances have older plugins which might be vulnerable yeah wasn't it
(2:05:39) orange that I found I think it was on driver he found some interesting bug hey they released a payload can't remember but yeah on driving instances yeah if it's a plug-in why not try it show me like with hacking you're never wrong you're literally never wrong cookies are not expiring so what you mean when you log out they're not expiring at all if you refresh the account page you're still logged in is that what you're trying to say or what do you mean I hope everyone by the way is enjoying this and getting what they
(2:06:16) wanted from this because I say this was first time doing this live mentoring thing and I didn't want to just do a talk on here's XSS here's how to do this is how to do that I wanted to do a wider reach of what bug bounties is how to find the programs what to do the information and how to get your head around hacking because that that's what it is that's what we have done people I keep mentioning Naffy probably gonna think I'm his favorite fanboy here but he's come off of his own methodology and so if I and so his Brute Logic so is
(2:06:50) Random Robbie every hacker's got their methodology take the information we're giving you twist it up into a ball and do your own informated your own thing with it yeah you're your own boss [Music] think this chat's ending by the way I'm not done I'm still going I'm free to keep answering questions helping people [Music] yeah I like helping people and I hope hopefully I'm doing all right anyone have any questions I feel that she got through all this questions I'm calm well I'm very happy with this I was a bit nervous as to how nervous but I
(2:07:40) was a bit worried as to how I could train not train people but like mentor people and I want to get people motivated and get it the I mean click in your head as to what this is about like after this live session I can now go pick a program on HackerOne or Bugcrowd or something and start learning what it is the only reason you see people consistently sharing lots of bugs isn't seen them potentially months worth of work that they've actually already put into it you only ever see their success never their failure but I'm here to tell
(2:08:11) you that all good hackers have failures and they spend months sometimes looking at stuff it's about like I say I mentioned it lots of times but some people join bug bounties just for the quick cash they see big amounts being tweeted out and they think up what I want money I need money that seems easy I'm gonna get money and I don't like those kind of people in my opinion because that's not what hacking is about hacking these companies are trusting us to poke at their systems and potentially reveal sensitive information I mean that
(2:08:44) we shouldn't be seeing and that so you have to treat it like a job very professional in that don't think about the money so much bye Jamie oh I got some more messages here we go cool how to find juicy info of website by dorks any Google dorks for us so I did mention earlier I can sit here and give specific dorks don't mean that this if you've gone BugBountyNotes there are to talk that my tutorials I give examples for dorking for different bug types and what where to find them like this you all the information is there they take
(2:09:18) this talk take the information to something with it sort of thing but I don't want to life give talks here because everyone's just go go deep each other really do the same things it's about finding your own stuff and what works for you at Random Robbie will dork certain things and find exposed they've stepped systems and cash it in like it did on Snapchat he's made that work for himself Jeremy and he's made he's found that himself he's you one of the best guys bug bounty thank you Kennedy I'm Twitter yes DMs open
(2:09:48) feel free mark can I share a little about my setup ah yes sure I'll show my setup why not it's just simply three screens I'm using Windows 10 I have Burp professional license I have a droplet with DigitalOcean for running and connecting and giving tools based tools that's it hands-on hacker me that's I'm a hands-on hacker I like hands-on hacking not sure if this was asked for Oh missed a question sorry what when are you going to do next time we'll see try work out some new content for us do you have any prior coding experience
(2:10:36) yeah I learned to code before I learnt to hack and then I got hacked and I was interested that kind of sparks me a little bit and then got cheated people cheating on me on games watch cheat against them and yeah it's kind of went in together not sure if this was asked for just join a session do you manually test XSS yes and no so when I'm first targeting a program and trying to get my head around and understand what this program is about what they're potentially feeling about I do it all manually but then you can simply
(2:11:12) automate it we've try and mask this that parameter throughout the site certain payloads on certain all the parameters join me but you've got a feel for the site you can automate a lot and turn a lot of but less time into more bugs basically experience a soil comes to like Johnny take it take put hack in as a game example if you suddenly picked up a new game and you're not gonna be very good at it potentially are you because you don't understand how it works in that but if you enjoy this game and you keep playing this game
(2:11:43) you're gonna naturally get good at and you're not treat bug bounties like a game if you enjoy this which you should cuz hacking is fun I mean you get that euphoric feeling of oh my god like I've just broken into this site what's crazy what the hell that's fun that that makes you a natural hacker Jan I mean do you use a VPS or local VM no I say DigitalOcean droplet so I connect to do I follow a checklist yeah I do have a checklist I've been through a lot of times I would go back and watch this video I need to write a
(2:12:23) long long post this is my exact checklist the too long didn't read is once I've done my recon stuff I want to like do something with this information a search like I'm not gonna repeat myself I've done with to meet ours Liz she Nathaniel is gonna think that I'm massive fanboy what would she try if you came across a subdomain of generic Django admin login panel try find the version try default credentials if you can find the version then you can might be fine then gone to Google search if there's any past exploits and understand what that target
(2:13:01) is about basically I'm pretty sure there is some way you can execute code with that somewhere might be exposed was it Frans Rosén that found something with that might be mistaken what about an online course class 11 you of course not for free ads i don't know i'm really considered that like i'm top of guy where i don't like people to expect him for me i don't like to disappoint people and let people down really so I guess this is Weiss is free because no one can expect anything from me because it's free and so if it goes wrong no one can
(2:13:36) complain to me because it's not cost you any money I mean with people buy things from me really I mean if I'm honest you don't need to buy anything from me all the information to be a hacker is on BugBountyNotes on my blog posts on session icon my Medium and things I retweet all the informations there to be a hacker but if you are oh yeah okay maybe an online class course but other what are you to find an assets aside from dorking word lists big big word lists because you just simply just want to check about files on
(2:14:15) there don't ya Jonah me /login /admin /debug /reset-password and he's like anything so much you're just looking for a turned response Burp Intruder very very quickly you can even set it to not go very quickly sure I mean once Sunday afternoon massive word list you know one of course proms for this website so you set a massive word list going off to send a request every second half a second go out for the day and enjoy yourself come back you've got a ton of stuff to play with then send
(2:14:47) input scanner off on it and scan some inputs and maybe find some XSS and a said use back classic I know do you find yourself I use that when you know is something going on particular point if I'm honest I only use scanners when I feel like I'm at a dead end because sometimes it can help with burnout using tools last that's why I like manual hacking because with manual hacking I'm exhausting my own thoughts and what I know whereas a tool from other people has been created to do stuff automatically search as their thoughts
(2:15:21) what have you so sometimes I send the scanner off last and if it picks up any finish out well why didn't I find that because you wish to get Barris on you always want to be proved wrong and someone to be bet that is always someone better than you what's that saying if you're the loudest in the room then you're in the wrong room yeah yeah I had that show as you set up clearly is there any way to resolve the DNS got from out DNS because it's taken too much time why would we must take much time have you ever been banned for trying blind XSS
(2:15:57) against chat support no I've asked a permission they've told me no I know that one researcher has but he has been unbanned now that's why do I mean you shouldn't you shouldn't do it in my so if you send a blind XSS payload in your profile you probably then should go to some random customer support person who doesn't know about its bug bounty program and asin's check your profile out like I get it you're just verifying it but they might freak out you set alarms off and yeah you honor to say politely somehow talk to the company
(2:16:30) whether you reach out to a platform you I don't know that can this sort of thing can go in your favor if you're the long you've been in this industry and more companies want to work with you sort of thing but yeah it's so it's each case scenario really depends how you want to play what's the point you focused in your target things that I can touch and play with I know a developer has coded something they've spent their time writing code and I want to break that that's it so things that you can play with that's what I love doing
(2:17:06) any advice for balance and study from my CS degree and learning more about hacking not really if I'm honest and I'm really bad in exams I got really poor grades at school I I'm not yeah I'm not good at exams revising for things yeah the best guy to ask for that one I'm like your high school dropout in I really yeah once we have target this is from henna Coomer once we have target and got subdomains and what to do next take one burner Billy and try and target and how long period we have to try I thought like this is a question we've
(2:17:47) been asked they with ten times how long should we try there's no time limit people no time limit like I say as far as I'm aware these but many programs are not shutting down new codes release daily it's gentleman if your test this again this is Reva instance this talk Odyssey because when you're hacking on targets for long periods of time and you're writing notes there is no trying because if you see something interesting and you're burning out you wanna this iron that you note it down come back to it and when you come back to it
(2:18:27) you might have fresh mindset and fresh way of looking at it I think so there's no time limit I'm not done I mean I'm done on tackle vizor because they removed me from their program but I still have a text file with so many interesting things whether dummy has been probably every year now since they removed me but I was looking at all the time that I've been interested to pull that file up and see if there's anything still interested cause I say not touched for a year what's my checklist it can depend on the bug so this this answer is gonna be
(2:19:10) aimed at people who are not new to bug bounties so this is aimed at people who understand what bug bounties is understand what hacking is so my my checklist let's say okay I'm trying to think how to word this my checklist so probably reason why I'm strong to ask this is because my brains will be telling me I've answered this a lot of times but recon definer what's out there how many subdomains and then I instantly want to go find places to interact this is just my checklist if there's places to interact there's things for me to
(2:19:51) poke at I work from there as long as you have somewhere to work from you're gonna make your way through their site eventually are you not I like to instantly jump into their web app the live production that everyone is looking at everyone is using I want to poke at that some people go want to go behind the scenes and find whatever but I yeah sexist texts what for wordless than that the certain word list for certain like aspx PHP is common easy hits things like that why is it so hard to find bug for starters in bug bounty can you make in
(2:20:28) certain skill I mean probably are you set yourself a goal a challenge like what what's what our bug do you want to find what do you enjoy are you simply just testing everything anywhere and hoping for the best cuz I say you got to get your head around what hacking is like itchy from the top of my head yeah yahoo has a redirect after you login I've never tested how like strict that parameter is and whether it'll redirect anything on yahoo.
(2:21:07) com and that but if I was new I'd go poke at that oh I've seen loads of people talking about this I see what's what's had she happened in here understand why people like me are telling people do check these types of bugs because then drumming yeah if you understand why people are saying stuff then you can find the bugs really have you ever given up a program get Prime 5 get private invites and some of them seem totally secure using secure frameworks CSRF protection etc have you jumped into a program only to quit in the end and why bring a question from
(2:21:36) Phil chase and yep I've given up some programs for a variety of reasons one if they don't respond obviously and but if they just seem totally secure then I that's where I will try and avoid a bit of a burnout I mean it again it can also depend on your mood and I mean what how you feeling that day I guess but if I've looked at a site for a while I'm seeing that as a CSRF protection everywhere no it wasn't working then my first like literally if I haven't looked anywhere else I would then go see ok well is anyone else found a bug on this
(2:22:16) and I check Google I'd go look for open bug bounty for any XSS bugs I've been reported on it I'll just see if anyone else has found anything to give me any clues or indication to what has potentially been burnable on this site because then like I say you want to start in point to every site you're hacking on as long as you can find that starting point you can then essentially unpeel the rest do I mean if I make sense so yeah I have quit programs will I go back to them probably not because I try and replace a program that I don't
(2:22:52) enjoy with another program I always like to keep at least five programs that I enjoy and spin around them all I hunt them for Princeton at a time and then go on to number one and yeah most write-ups appear to use Burp Collaborator how important of a feature is it to find bugs so Burp Collaborator isn't a hundred percent needed depending on how you use it so if you're wanting to just use Burp Collaborator to check for pingbacks and things like that then you don't don't mean you don't need to use it you can just host using XAMPP local
(2:23:32) server on your computer and then run ngrok and then just send it to hit that address and you'll get the request for free of charge however you can really set up Burp Collaborator to do some crazy stuff for you so it is worth learning how to use Burp Collaborator right I'm still learning how to use it properly to its full potential in my opinion but yet were in my opinion it is worth that's that's worth the Burp license Burp library and is it possible to take over Amazon ELB instances I've no idea from honest no idea EdOverflow knows a lot
(2:24:15) about takeovers and that I mean sign up to Amazon and check it out why not see see what's what you might know more than I know any tips on API testing so what sort you looking for I only asked like because a lot of people ask me for tips and I always tell them go for mobile apps look for IDORs and things like that another key thing with APIs is they usually have different handling to the code that's being executed a search that makes sense so let's say for example on a desktop site I could sign up for a profile and if I put XSS in the name it
(2:24:57) stripped it however on the 8 mobile API app as a mobile app which had an API which it called to I could still inject my XSS payload but it didn't strip it so there's an example that an API is essentially like separate code running some bug hunting techniques would be bugbountynotes.com my good friend there is tutorial on recon open URL redirects to then chain and for token token leaks which can lead to big payouts XSS and even token cross-site request forgery and then once you're done reading there's other people's
(2:25:38) write-ups in tutorials and then you can go practice on challenges and find the live bugs that I have personally found that's that's all I see I'm not just plugging BugBountyNotes because it's my site it doesn't make me any money at all I made it free of charge I spent four months solid non-stop coding it to the community because you read practice at that and just keep going around John I mean that's that that's it little informations there you ever stuck just refer back to these payloads refer back to tutorials write-ups answers to a lot
(2:26:13) of things are out there how do you get J's files from a specific URL so there's tools out there JAAA scanner by me and I know Brett from Blizzard and been created a JavaScript URL if you visit bug bounty forum calm and click on tools there is a link to some JavaScript extracting tools on there see ya I recommend checking that out I mean there's so much GCM for my example going back to the how much time do you spend on things I've spent a week go in through a website looking for every reference to a JavaScript file to
(2:26:53) see what it does, to not only look for URLs and endpoints and developer comments but to understand what this page does, how this JavaScript interacts with this page, because then you can understand what's going on. The more you understand, the more you can be like, well, what happens if I try this? Oh, I've got myself a bug. Is it necessary to learn any language? Not really. Like, do you know what I mean, I don't know Java, I only know PHP, so when it comes to hacking Java sites, yeah, I mean, you always have... The thing with
(2:27:30) hackers, right: there's this many bugs to try for, it's overwhelming, I get it. You don't have to know everything and anything right there and then, as long as you have the references to it, and when you're looking at things and you're poking at things, as long as you can be like, hmm, this looks a bit interesting here, what happens if I try this, and one thing leads to another. It's not like hackers... I mean the top hackers don't look at things and ten minutes later a bug pops out and then they're happy, 10k. They've spent hours, days, weeks, months. It's
(2:28:04) normal, it really is normal. So no, you don't need to learn a language, as long as you have references to understand what is going on. What's your favourite feature to see on a website when testing, and why? Changing your photo is always a really fun one, because my checklist when testing file uploads is: so first of all upload a photo, a JPEG image, and I'll check what the response is, what it's actually saved as. Has it saved as a JPEG? And I'll instantly change it to .png. I know another photo is going to be uploaded and it's not going to do anything
(2:28:45) interesting, but I want to see if this site is just trusting the extension. So if I change it to .png, does it change to PNG? What about .gif, does it change to GIF? Okay, what about .txt? Because, going back to when I was talking about XSS and why you should try the h2 tag rather than just the script tag straight away, the reason we try .txt is because a lot of filters just forget about it: "well, we thought a text file can't do anything, so why should we filter against it? We don't really care if a text file comes onto
(2:29:16) our system." But that's your starting point to understanding how these developers are thinking, okay, do you know what I mean? Then I would try without any extension. If you give it just a dot, so "hello.", just a period, nothing else, do they append it automatically for me? Like, I've had some sites auto-append .url for me, which I was then able to get stored XSS from, because I didn't give it any file type. So it's about understanding. Like I say, there is a challenge on BugBountyNotes where it asks for a photo. I don't want to give the answer to the challenge away,
(2:29:56) but if you give it something else you get the answer, and that's it. That's how I try and teach people. It's not always about "chuck this payload at it, submit a report, bounty please". I'm happy if you can understand and get that starting point and really understand how these developers have thought with code and filtering things; you'll find a hell of a lot more bugs from outside and you're going to be a lot happier. So that's my favourite feature, file upload stuff, because developers have, in my opinion, been
(2:30:33) making it really easy. Any tips to bypass SSL pinning? Tried some different things but no luck. So, actually, I'd ask him what he's actually having problems with regarding SSL pinning. I've honestly never really had problems with SSL pinning, like I've never needed to bypass it. Most apps just don't have it, but if I was going to need to bypass it I'd just, again, simply follow tutorials and references for how they've been doing it on Android, and I think it's easier on Android, if I'm right. I'd go down that route. I mean, not everyone, again, not
(2:31:07) everyone can know everything, but the information is there. So people think I'm a good hacker. Like, yeah, I might be quite high on Bugcrowd and what have you, but I still don't know it all. I don't ever class myself as a good hacker or a talented hacker. I just know what I know and I stick at that. I'm always learning, do you know what I mean, always learning. "I love BugBountyNotes, it inspires me to make write-ups too." Oh, I appreciate that. "Check out Writeups 200"? I've never heard of this, let's check it out. Nice and interesting, maybe we can
(2:31:50) help each other out. I need to talk quickly, five minutes, about BugBountyNotes. So I do understand not a lot of updates have happened on the site. It doesn't mean I've given up on it, because of course it's my little baby, I love it, but there is a lot of information on there to make you a hacker: challenges, tutorials, write-ups. I have got some changes coming, not massive changes, I'm just changing a few things. I'm going to change the forum, make things... I'm trying other... okay, not going to give anything away yet. But yeah,
(2:32:27) like I'm not just plugging my own site; there are live challenges to help you understand, as well as tutorials and that, and hopefully with this talk as well something might click in a lot of people's heads. Burp or ZAP, which is better? Burp, in my opinion. Lots of tutorials on YouTube on how to use it, the Community version is free, the support is great, the team behind it is great. The one problem is it doesn't test WebSocket stuff; it's really annoying. There are alternative things out there for WebSockets which I have retweeted. If you need me to
(2:33:02) send you them I can, send me a DM. What should I check when testing mobile scopes? Okay, and at that question we have a new question. Okay, so for mobile scopes my first point of call, if I'm honest, because I'll look at desktop first before mobile, is I will go test all the XSS. If I found XSS, I will go test all of them on the mobile app or the mobile version of the website to see if it's different, do you know what I mean, and see if there's any different handling and what's what. So I will first of all test the mobile app on my computer by
(2:33:37) changing the user agent and going through that: is there any feature that's different, any new parameters, and just, again, get a feel for it, the same as on the desktop site. Then I'll install the mobile app on my phone. Always, always check for the different languages of the app. Now, you do need multiple iTunes accounts for this. Again, there's tutorials on Google for how to make an iTunes account, an Apple iTunes account, in different countries. There's... yeah, so I mean there's bugs in different countries, that's all I'm going to say.
(2:34:12) Lots of accounts, so I'll get the apps in different countries. My very first thing I want to test is for IDOR, because again I'm going from past behaviour; I know what's worked in the past. I'll change my information, like my name, and see if there's any IDs in there, do you know what I mean. I'll create two accounts and try and interact with one another. That's my first point of call, and the second point of call after I've tested that is I want a file upload feature, because a lot of... not quite sure why, but a lot of mobile
(2:34:50) developers seem to put less protection in file upload features for mobile phones, so that's just on apps, because they feel like, well, someone hasn't got access to a HTML file on their phone, have they? They can only upload a photo. So they tend to put less protection. So that's an interesting one. Yeah, I found a lot of interesting stuff with mobile apps. Going through these questions, I need a drink. When you're testing an image upload form and you notice that it uploads the photo to Azure or S3, do you bother to continue?
(2:35:28) So yeah, I do. So if you can upload a HTML file to an S3 bucket or something like that, see if they point a subdomain to that S3 bucket, right, do you know what I mean. Some sites might have media.whatever pointing to this S3 bucket. Going through the subdomains you found, see if there is anything there; there might be a random staging or testing server, you don't know. If there's not, I still do report it, because if this website has got a feature that says you can only upload a photo and you can upload a HTML file to their S3 bucket, yeah, the impact might be quite
(2:36:05) low, but you've bypassed their protection and they didn't want that, so tell them about it. If a website doesn't use the English language and doesn't have a menu to change it, do you still test this website? Yeah, just right-click in Google Chrome and click "translate to English", or translate to whatever language you're in, and Google will do it. Or, you know, there's technology out there that'll translate anything. If it's a mobile app and you want to change the language there's normally some sort of feature to
(2:36:36) change the language. I mean, accessibility is quite good these days with the internet. I'm interested in both system and web hacking, please guide me to some resources. BugBountyNotes, HackerOne CTF, Bugcrowd University. YesWeHack has a CTF on at the moment as well. Do you use a phone or an emulator? The phone, iPhone. I've got an Android over there, it's a bit broken. I have an iPad as well. I have a lot of devices. And somebody has just tried to XSS the Google chat, the Google page chat. I think it didn't work, I'm afraid, none of
(2:37:21) you. Any tips for XXE and insecure deserialization? So tips for XXE: most sites are filtering against stuff, like they've disabled doctype declarations and things like that, so when you test for XXE assume there's going to be some sort of filtering, and bypassing that filtering... Now Tommy DeVoss, dawgyg, he's really good at XXE. To me, you need letters here, hey. He's really good at bypassing filters and things like that, but it goes back to, again, what this whole talk is about: he focuses on that and things like SQL
(2:38:03) injection, so he knows what he's looking for, he knows what it's doing. I love finding XSS, so I know where I'm finding it and things like that. Insecure deserialization, that's an interesting one. My tips for that are looking at cookies; that 20k bug on Pornhub where they found it, cookie values, whatever. None of you, I'm afraid, your XSS payloads still aren't working. I was just about to ask about WebSockets. Do you remember finding something called the WebSockets proxy? There are
(2:38:40) interesting bugs with WebSockets. The most common bug with WebSockets is they don't verify the origin as to who's connected to the WebSocket, and you can send commands to it and leak information, depending on how their site's working, if that makes sense. I'm going to do a write-up on that, actually. Yeah, I'll get a write-up on WebSockets and what I do, because that's an interesting one. I like that, because there's some cool bugs on there. My friend asked me this question: "bro, I have completed the HackerOne course and their labs
(2:39:13) but I'm stuck at finding bugs, especially in big companies, because everyone finds everything already. What would you suggest for me?" So, not to rely on platforms, like... could I say, like, I've got nothing bad against these platforms, I mean I'm grateful that they are around and helping the community and everything. However, it is quite hard to tell people what to do with hacking on platforms when they do base it around your rep, signal and things like that, because you could be an insanely talented hacker, but
(2:39:55) if you have no rep and nothing on Bugcrowd, HackerOne, good luck getting private invites, in my opinion. Like, yeah, there are the CTFs, but I don't think HackerOne are going to send out the best invites from that, if I'm brutally honest. I've checked it out. All right, yeah, so don't rely on platforms to get you started, do you know what I mean. And something else, like, I'm not saying go hack every single company out there, because that's irresponsible, and if you've not got permission you will get in trouble. However, most companies out there have a
(2:40:37) bug bounty program thanks to, do you know what I mean, these platforms' aggressive marketing. If you're a talented hacker and have an issue and you're being responsible about it and you're going to be telling them about it, chances are they're not going to tell you to go away and they're not going to call the police, and they're going to be very grateful you have helped them. Now, like I say, I'm not saying go and hack everyone out there, but don't just rely on platforms. Yeah, okay. "You speak so fast, please can you share some resources,
(2:41:12) brother?" Which resources would you like me to share? I do apologise for talking quickly. How to bypass a session ID? That's a pretty generic question, I'm afraid. What do you mean by this? What have you tried, what have you tested? Do you try to convert open URL redirects into XSS via JavaScript? Yeah. If you go onto BugBountyNotes, go on the XSS tutorial: if the redirect is done from JavaScript code then you can get XSS. If it's a 302 redirect you can... you used to be able to, back in the day, before Chrome and
(2:41:50) Firefox and other browsers made changes, but you can't any more. That's why a lot of people will see tutorials for, yeah, redirect to JavaScript, but it's like we have to have the right condition for it. I am getting an internal server error while testing XSS, can it be further exploited? Okay, well, step back to what's causing the internal server error. Is this parameter looking for something certain? Step back and understand, like I say, understand what's going on, why is it causing that. You're the hacker, what's
(2:42:24) happening? There's a server error, you've done something. "Sometimes when I use a payload in a site the payload loads too much and does not proceed to the request; I know something is happening, how do I proceed?" Well, what's your payload, Mr Robot? If your payload is sleeping and the page is taking a long time to load then maybe it's executing your code. If it's just an XSS payload and it's taking a while to load, maybe, I don't know, maybe there's some sort of WAF that it's going through. First of all, I don't know what's the... spoiler.
(2:42:54) "I have RFI which leads to local file enumeration, SSRF, as only the HTTP schema is allowed and the server doesn't print any output. Any idea how I can exploit this?" So if you have got local file enumeration but it doesn't print any output, how are you able to determine stuff? Feel free to DM me more details about that. I've got a lot of bugs coming in. Do you consider it a bug if a user changes the password in the web dashboard but the session does not expire in the mobile app for that account? Um, yeah, I mean, that sounds like such a simple
(2:43:40) bug, like, oh wait, what, you changed the password on the desktop and you're still logged in on the mobile app, but that's actually quite a serious issue, because an attacker can have persistent access to someone's account. Do you know what I mean, if you're changing your password the session should be destroyed everywhere. And yeah, yeah, that's a bug, simply put. "Have you never felt lazy while hacking?" Yeah, I'll tell you why I get lazy hacking: when I'm looking for the same stuff. If I'm literally just doing XSS over and over, and I do love XSS a lot, but if I
(2:44:17) look for just that, I'm kind of... I can't be bothered any more, I'm quite bored of this. So challenge yourself, set yourself a challenge. Do you know what I mean, I have spent so much time messing with login forms that I just look at a login form and can know instantly what to test for, and before I've even tested the login form I'm already looking for an open URL redirect. It's, yeah. How to stay motivated hacking, any movie or quotes? Um, I mean, people that know me quite well know that I like to play Overwatch a lot and play Lucio. I enjoy that the same way I enjoy
(2:44:58) hacking, and that's how I stay motivated. It's just fun, I enjoy it, I like it. Do you know what I mean, especially on new sites. That's probably why I get lazy as well, and burnout: the longer I've spent on a site, yeah, it's good, I'm getting lots of information, it's helping me, but potential burnout, I can get bored of a site, I'm like, oh my god, it's so boring. So it's really interesting sometimes when you get invites to a new program and it's like, okay, well, let's see how they're protecting their stuff,
(2:45:30) let's see what they're doing, and you've got this whole fresh new mindset. You still understand hacking and all these bugs, but you've got a whole new approach as to what they're doing. It might be really easy pickings, but it might not be. Have you tried waybackurls? Yeah, you're not seeing a lot of my tutorials; that's how I cleaned up big on TripAdvisor. I'll tell you the bug, why not. So, TripAdvisor's
(2:45:59) robots.txt exposes everything. I went onto the Wayback Machine and scraped seven years' worth of robots.txt data. I then ran a script to check which files were around and alive, and I found an endpoint which looked similar to a previous bug I'd found which led to email leakage: I could leak anyone's email via their user ID. And I found a similar endpoint discovered from the Wayback Machine, so I was like, hmm, what happens if I try the information from the other bug simply on this endpoint? I'll try my user ID, and when I did it I was logged into my account, no
(2:46:33) password needed. So I mean recon never ends. There are probably still bugs out there that are similar, like that, but it's about taking what you already know and just trying it. Nothing might happen, but how do you know unless you try? Um, so yeah, waybackurls and the Wayback Machine, and waybackrobots, that's Keenan, Keenan on H1. He won't like me for saying this because he's now going to be getting a load of dupes, but he messaged me not so long ago saying thank you so much for teaching me about the Wayback Machine, I found so much recently. There
(2:47:07) are bugs on there, bugs. "I think networking is very important, any best resource for mastering networking for free online?" I don't have any right now. If you have Twitter or something, send me a DM and I will go through; I'll try and find you something. I have a lot of things bookmarked and what have you. "The payload is an XSS file upload SVG; on any file upload it will show a preview of the image and SVG is supported." Okay, yeah, so there is a report... I'm just going to move my laptop down here, well, I just have my computer. So if you can upload an
(2:47:53) SVG file and control the contents, if you Google now "SVG server-side request forgery on Shopify" there you've got $500 forever, and it's an example as to how they load a remote image in an SVG file that's uploaded and they query for an internal image to determine what services are running. Now, in impact terms it's quite low, but it's to give you an idea as to what you can try, as such, like okay, you've got XSS in there, what about trying to query for internal stuff? "Your update is ready, your PC needs to restart." No, I don't think so,
(2:48:38) carrying on. "Sorry, I got confused by content length and response code on a valid file." Okay, interesting. Hmm, so you can do local file enumeration, right: SSRF, only the HTTPS schema is allowed and the server doesn't print any output. Hmm, that's a good question, because it doesn't print any output but you can do local file enumeration. Like, what's probably the worst file you can find on that server? Like, you can hit a search... and with the SSRF, is it literally just pinging your URL and no response at all for it? How did you get started, what are the guys' materials you
(2:49:26) follow? Now, re-watch the start of this talk. I say those: Mathias, Filedescriptor, Frans Rosén, they were all publishing loads of things. I thought, "they was up to it", was like, well, I understand roughly what they were finding, and then I was like, well, if they can do it, I can do it, and I just went at it. That really is it. I went into a lot more depth throughout this talk, I recommend you go check it out. Do you hunt full-time? Today, um, what's the time, it is three o'clock... oh, it's five o'clock almost. We've been
(2:50:03) live three hours, wow, time has flown. Wow, I do appreciate everyone staying on for three hours, wow. I probably won't do any hunting today after this. Whenever I'm done, I've no time limit, but I'm probably going to cook some food and go on Overwatch. Have you ever been faced with a web, sorry, app developed with an automatic code generator? What do you mean by a code generator? Let me Google those names you've just posted there. Ah, okay, interesting. I don't think I have. I mean, if it has been generated with those, how am I to know? Haha, I don't
(2:50:53) even get access to their code, but no, I haven't, if I'm honest, no. Can I DM you on Twitter? Yeah, you can DM me, my DMs are open. Let me just make sure there's no messages missed on there. "Have you found one on there... the newest bug you saw that blew your mind?" Ah, good question, good question indeed. Let me think, let me have a look. Every bug that I really enjoy reading I always retweet. I mean, maybe I missed some, I don't know. Oh, I'll get back to you now. Now there's... probably the reset-password one on Observe, that one, because now, yeah, that's a good
(2:51:40) question actually, I like that question. Now this is again, this is how I think with hacking. This is probably why I was a bit nervous about things not going well live, in case I didn't think of an answer as such, but it's about, yeah, going off that. So on Observe you can see that they were handling password resets, and if you simply had the square bracket, quote mark, email one, and then email two, it reset both passwords. Now Sam Curry, whatever, however you pronounce his name, let me just find his Twitter real quick,
(2:52:16) oh yes, Sam Curry, samwcyo, they're on Twitter. So he posted about an interesting XSS in JSON where he again nested it in these square brackets. Now me, as a hacker who has found lots of interesting endpoints with JSON and things like that, I'm going to probably go try that now for the next week and see what interesting behaviour there is, because again I have loads of endpoints and interesting things noted down from my years of hacking; I can just simply go try this there. I might find a bug, who knows. But yeah, if you find yourself needing
(2:52:57) externally hosted files like PHP files, what service do you use? Michael Blake, I recommend running XAMPP, so X-A-M-P-P, I'll type it in chat so it's easier. So I recommend running XAMPP because you can then run PHP and HTML code locally, and then if you run something called ngrok, so n-g-r-o-k, it then basically gives you a URL that, when you visit it, will run that PHP code from your computer, do you know what I mean. And there are some security concerns, like, do you know, don't have it running 24/7 and let anyone access these things, and don't... I mean, be a
(2:53:38) bit careful. So yeah, that's the answer there, Michael. You don't need any money to run that on your computer and get given a URL, no money. Why not make your own Discord server? My Twitter ID is zseano, I think that was given, it's zseano, that's where I am, zseano. I don't have a Discord server. I don't know, I don't really use chat services, I rarely use Slack, I don't know. Oh yeah, how to stay motivated: "I got two informatives and two dupes on HackerOne." So what? Okay, so ask yourself what were the dupes. Were your dupes you being
(2:54:29) aware of testing the program by finding, like, the low-hanging fruits that someone else was testing as well, do you know what I mean. So understand what the dupes were and then look back and think, well, if that was XSS in the search field, of course you were going to dupe, do you know what I mean, like look and think, well, why did I dupe? Then it's still your start. Dupes are still a great starting point, because it's a valid bug. Go try that parameter as well, go try it elsewhere, and you never know. For informative, it can depend on the bug, sure, I mean it means a
(2:55:00) company doesn't really necessarily say it's an issue. Yeah. "I have a session token and I can log in with only the token, but I can't get someone else's token." I mean, sounds like maybe they're not vulnerable. So no, so if you have it, and I'm assuming I'm understanding correctly, hackercracker, you have an endpoint where they take a token and it logs you in: look for ways to leak that token in the referrer. So I'll give you an example. I had a website where I could only insert an image, but I could link to my website. I bypassed their
(2:55:48) protection to link it to my website, and on the login they were pretty secure. I couldn't go to my URL, I could only go to a certain amount of endpoints; however, one of the endpoints that was allowed was where my image was. So after login you were redirected to this innocent-looking page which linked to my URL in the image, and in the referrer the user's token was leaked. Simple as that. That is using their features against them, apart from bypassing the filters for having your URL, but that's about just taking advantage of the referrer.
(2:56:26) So see if there is anything out there, maybe, where you can leak their token. And yeah, I am on Slack, on the Bug Bounty Forum Slack, yeah, that's the only Slack I use. Um, yeah, which is the best public bug bounty program? I mean, they're all great, there are bugs everywhere. Like, tell me, if I now sit here and say okay, we're going to go hack on Verizon Media, we're all probably going to be, especially if people are new and listen to my advice, we're going to be looking at the same places. It's about now taking everything I've said in this talk and
(2:57:11) looking at what's out there. So I mean there are lots and lots and lots of programs out there, I can't recommend just one, I mean. Are you coming to DEF CON this year? Um, maybe. I don't really like coming to America, to be honest; the borders, they make you feel like a criminal before you've even come into the country, you get interrogated. Yeah, I mean, I just don't feel welcome, I feel uncomfortable, and yeah, I dunno, we'll see. I don't mean... I want to see my friends and that, but I... see, if I've been talking for three hours. I never got invited to that
(2:58:07) Slack, not sure why. I have a decent, um... if you reach out to Ben Sadeghipour, Brett: hey, why do you not invite me? I don't know how long, when they send out invites. "How long does it take to find a vulnerability that is worth a write-up?" There is no time limit, my good friend. No time limit, do you know what I mean. I can spend hours and hours looking for bugs and find nothing, or I can spend ten minutes and find a bug straight away. It all comes with experience, it really does. There's lots of bugs out there that I've missed, lots of bugs. And when
(2:58:52) am I next going to be live? Okay, so, um, I think probably not... I mean, we've been live for three hours, so I think in the next ten minutes I'll call this done, sort of thing. But before I end, have people enjoyed this, has this helped people? I didn't want to just rehash the same information over and over again, and I understand I've done more question-and-answers and mentoring than the other talk which was intended, but the first part of the talk was to help people basically get their head around, like, it's all there for you, you just
(2:59:26) have to really get your head around things and understand what's going on and put the time in. Oh, I accidentally unplugged it. Can you hear me now? No? Yes? Now yes, yes. Google chat's laggy. Oh, I'm getting spammed with lots of yeses.
(3:00:42) Yeah, I will tweet out my write-up, I'll probably do it this weekend or at some point. Yeah, honestly, I really do hope people have understood what this mentoring session was about. I understand there's a lot to take in with hacking, there are lots of bugs to try, there's so much; that's why, take it easy. Don't think about just, oh my god, I want to get rich from bug bounties, people are becoming millionaires. Understand, especially if you're new, but, okay, I'll do this talk, so for people that are new: get your head around what hacking is, get your head
(3:01:19) around, okay, these companies are letting us poke at things, and understand bug types and what's going on. For experienced hackers in this chat who want to succeed, well, how do I help you? Do you know what I mean, you're experienced now, and, joking, try and find a fine line, because you can't perfect anything, but try and work on new methodology. You've got your methodology if you're an experienced hunter as to what to go for and what to look for; try and start something new, plant a new seed for something, still obviously with
(3:01:53) hacking, but look for something different and try something different, because yeah, you're probably going to fail, because it's something new and different, but you learn it, and learning is key, and trying new things. Can you please share your best bug ever? I have lots of cool bugs. Okay, a really simple bug: so there was an app where you could pay for features, and if you connected the app to your computer and backed up your phone and extracted the plist file for this app, you could simply modify hasPaid from false to true, and then you'd
(3:02:43) apply the update to your phone, and that basically means the plist file that you modified for this app is now on your phone. When I then opened the app I had access to all the pages. Easy. That's probably not my best bug, but that's the easiest. Oh well, there's probably a lot of easier bugs, but that's there. "What the [ __ ] bug", pardon my language, people that don't like to swear, but WTF is the... how come... "Bugcrowd is too competitive"? That's, yeah, that goes back to what I said earlier. Do you know what I mean, it's, in my opinion, hard for
(3:03:20) newcomers to be very successful on Bugcrowd, HackerOne. That's why understand what hacking is and realise that not all companies who want our help are on Bugcrowd, HackerOne, and a lot of companies that are hacking on Bugcrowd will invite their researchers, and, you know, I mean, if they want your help then why don't you help? Do you know what I mean. Do you record this? Yeah, it should be recorded, and hopefully I'm talking loud enough for you to hear me. I do apologise if not; I'm trying to talk as slow and clear as possible with this British accent. My mic
(3:04:08) is still working, I think. How to escalate stored XSS to account takeover where JS code is being executed on behalf of the victim? So if you want an account takeover, check what cookies, session cookies, are or are not being saved properly. So if you can hijack that user's session cookies you can simply replay them in your browser and you're that user. If there's anything in the HTML, the DOM, see what protection there is on changing their account information, like, can you change their email? If XSS executes on the
(3:04:43) site it's not always game over is it I but if you can update their email without them having to change their like they don't have to input their password change it they can simply just change their email and that's it they've got account takeover and has two issues in my opinion because you've got XSS but then the second issue is to change your email sensitive information on your account there should be some second layer of defense so if there is no second layer of defense to issues in my opinion some companies will argue
(3:05:09) it's not and import but yeah that's good mark I have to get you some bug by no swag although now if just said that I'm waiting for the chat to just say I want nobody knows in which he starts hacking and what is a firm when you find your first bug I started hacking a long time ago but I started bug bounties in 2015 and feeling for my first bug that's it all right yeah I'm really happy like wow this is cool and I went on to find loads and loads more and yeah this is kind of where I am now it's it's addictive I
(3:05:50) mean like imagine if you're really being sown on a game it's fun it really addictive it's you just keep at it it's yeah treat this like a game it's not a game but it is you can do it from the comfort of your own home you don't have to go out to a gaming convention to play again you can log in at home same hack it yeah I'm gonna go to work you know go to the office to hack this load up your computer and go to hack have you tried trace to steal hate TTP Oh any cookies I haven't if you have any information on that as to what I should
(3:06:22) be knowing, please do tell me. How would you best prevent bad JavaScript other than CSP and SRI hashes, or connect-src, or iframe, as an attack? How would you attempt to bypass these? By the way, awesome, you guys, and the people that might ask questions, yeah, it's cool, man. So how would I prevent bad JavaScript? Like, how would you best prevent Magecart other than CSP and SRI hashes or connect-src or iframe? So are you talking about how to prevent some sort of XSS here, like, is this XSS posted in a script tag type
(3:06:59) thing? That's okay, I'll just wait for Mark. Oh, okay, I get it. So if a site gets hacked and somebody injects some malicious JavaScript, well, yeah, it's literally, CSP is there to stop that, really. I mean, CSP, Content Security Policy, is probably gonna be the go-to answer in that, in my opinion. If somebody's managed to get their own JavaScript to execute on your system by whatever means, you don't want that to execute for the user; you want the browser to be like, well, no, I've been told not to execute from this domain, so I'm not gonna
(3:07:57) execute that. I mean, that's if you're not protecting them from XSS; in that case that's probably the best way in my opinion, that's what it was built for, you know, I mean, that's what it's designed for, it's designed to tell the browser where to load those things from. I mean, really, websites setting up things to scan their DOM for malicious code, and really, Mr.
(3:08:38) Robot, yes, sir. Okay, so Mark, actually, okay, so CSP is good, but it can be bypassed, as long as you don't have something on your site, like, where they can, like, a callback, for example. A lot of websites have a random endpoint where the content type is text/javascript, for example, with just a callback, and you can add your own JavaScript in there; you can suddenly start executing the JavaScript from their site. So you add the script tag to their site and the CSP is like, well, I'm gonna execute, because this is from my site. And so that's down to good
(3:09:17) hygiene around your web application, really. I mean, the CSP isn't a hundred percent defense, because there are ways around it, but if the things around the CSP are not keeping it up, then yeah. Yeah, a firewall can work, depending, I mean, depending; if you're creating some sort of really bad web application firewall, though, to only look for, like, a script tag and then replace that with null, then yeah, that works. Versioning and things like that, most definitely, but CSP should still be the first protocol to stop it, really. But if
(3:10:02) I was a company and somebody had managed to inject their own JavaScript code into my site, depending on how, I'd be quite concerned. Like, I think websites should, especially on, I mean, that was on the Magecart, was it, the Magecart, the website that was vulnerable, that affected British Airways. As a hacker we'll focus on: they managed to get XSS on the credit card page, but how did they manage to get that there? Yeah, you've got bigger problems, exactly. "I am at TRACE, track request, get response with you", that's interesting, I probably
(3:10:43) need to learn more about that, Mark, if I'm honest. gov.uk getting hacked? I'm not at all surprised. The NCSC, whatever, the NCSC allow you to submit bugs to gov.uk, so naturally I decided to have a little poke: five minutes, bug. They're scary, really scary. "Would be interested if you say what to avoid, what not to do in this field, for not wasting time and energy, learning and bad, in a general sense." That's a good question, I like that. So what to avoid, I mean, if I tell you stuff to avoid then you might miss bugs, but I would avoid touching
(3:11:31) WordPress and things like that. Like, back in the day WordPress was easy pickings; four or five years ago you could submit some random XSS on a WordPress site and get five hundred dollars. Not so much anymore, and a few people message me like, ah, should I brute-force WordPress login and this and that? Like, I don't know, I don't really, I don't touch it. Okay, I'm probably, the general sense of that is avoid third-party stuff, like, even though you might be able to find bugs in that, they might not pay for it and things like that. And what not to do,
(3:12:06) there is no "what not to do", you should do everything, there's no limits to hacking. Try anything and everything, trust me, honestly, you'd be surprised. Honestly, visit some random websites and set your domain as the referrer and watch them ping back, watch them all start hitting your site; some of them even start crawling your website, which then gets interesting if you force it to visit your robots.
(3:12:33) txt file, and it never stops crawling. It might crash their system; I've never tested that, I did test for that, but... Last question from Mark: what is your best WAF bypass technique, what is your best origin IP detection? So my best WAF bypass technique is just understanding what they're actually filtering and then coming up with payloads on the fly. Any time I come up with a payload that's taken me a long time, I always tweet it out; I'm always free to tell people what it is. It goes back to part of my earlier talk, where giving it just a less-than sign or an h2 tag, and to stop,
(3:13:15) just don't close the tag. Work out, try to reverse engineer their thoughts as to why they created this WAF in the first place and what they're actually trying to prevent. Why do they not just go down the traditional route for preventing XSS, really? And my best origin IP detection, so you mean like for finding sites behind Cloudflare and things like that? Somebody did give me an interesting method; I don't want to mention it live in case he doesn't want anyone to know about it, sort of thing, but it basically involved, if a site was
(3:13:47) behind Cloudflare and had an SSL cert, you can work it out. What are the questions you ask before selecting a target? Is there anything for me to interact with? That's what I love. I mean, if there's lots for me to interact with, lots for me to try and poke at, that's what I love, because I know it's like, it lets me set my mind free, let my brain just go crazy and think about things. I'm gonna answer a few more questions and then I'm probably gonna call this stream, finish answering questions, because it's quarter past five,
(3:14:26) my stomach's starting to rumble and I've been live for like over three hours, I mean, without a break. So the last question I'm gonna get up to, because chat is quite delayed, is "are you a full-time bug hunter?" That's the last question I'm gonna answer, and that's one from my Twitter as well. Okay, it's not a question, okay: "If you find the website pinging the referrer, what would you try next? I find myself a little lost." Yes, so I've been in that situation as well, a little lost, and it's obviously an edge case depending on what it does. So
(3:14:59) if they literally just ping your website, you want to find out why. So if you then send the request again, do they repeatedly ping, hit your website, or do they do it only once? Because if they only do it once, why? Did they cache what was there? So set some random payloads on the site that they're hitting, see if it is stored anywhere for someone to ever hit later on, you never know. If they're constantly hitting it when you're browsing, then again you have to understand why. But what is this, what is the user agent? If you can work out what
(3:15:33) the user agent is and see what it is that hit you and see where it came from, you can try and retrace the steps and understand, like, what is running behind the scenes. Why would they be interested in checking out the domain that you came from? Are they looking for something specific? Is there any API docs for affiliate stuff? Maybe it's to do with affiliate stuff, you don't know. So yeah, again, edge case, but it's about stepping backwards. I hope that made sense. Do you try playing with X-Forwarded-For? Yes, I do, 100%, for bypassing filters, always try.
(3:16:07) How can I give an example of this? So let's say, for example, you've got, I'm trying to think of the best example, but I'm always trying for localhost and 127.0.0.1; I'm always trying that in X-Forwarded-For to see what happens, and 192.168, et cetera, going through, basically things like that, to see how it reflects. Also test X-Forwarded-For when you're resetting the password, because they might not rely on the Host header, they might rely on X-Forwarded-For and things like that. XFF, always play with that. If you see an extra request
(3:16:50) happening after, sort of thing, so let's say there's an endpoint which does some sort of, I mean, it grabs an endpoint, add XFF and give it the internal IP to see if there's anything different. I mean, when signing up, sending emails, resetting passwords, mess around there, because you don't know how it's gonna handle it. Are you a full-time bug hunter? Yeah, well, when I feel like doing it, I guess, but yeah, I'm jobless. I'm gonna answer these two more questions and then I am definitely done. Is it normal to feel frustrated when you do bug bounties? Yes,
(3:17:29) that is everything in life, Jen. I mean, compare it to a girl: if you're interested in the girl and she's not interested in you, yeah, you'll be frustrated. If you're trying to kill someone on a game and you can't, you get frustrated. When you're hacking and you can't find anything, you get frustrated. That's called being human and that is life, that's just life, I'm afraid. Yeah, how do you recon a Django site and how do you fuzz Python sites? [Music] Follow whatever people have been doing; I mean, for those sites, I mean, wordlists as such, probably, but for
(3:18:10) sites which are using a CMS and public things, find what other people have found. Unless it's, come on, new CMSs and third-party things don't come out that often anymore; most people are using Oracle or something, I mean, that everyone's using. Find whatever people have found and go from there. Remember starting points; it's what a lot of people don't do, they don't get their starting point, and if you can't find your starting point you can't start, and then they fall over before they can begin and they're burnt out and they're frustrated. So take it
(3:18:42) slow, take it easy, understand what it is that you're doing, basically. So yeah, literally the last two minutes to say I appreciate everyone for joining this live interview, live interview, you can tell I've been on this chat for three hours, this live mentoring session, and I really appreciate everyone that has come along. I honestly hope it's helped all of you. I can't believe I've just sat and talked, or spoke, for over three hours, and I honestly, I really hope you've all taken something away from this, and yeah, honestly appreciate you all being here.
(3:19:22) Thank you. Should I do another one? I have a feeling the answer's gonna be yes, but I don't want people to feel like I've just rambled on and gone on and on and on. So I think next time let's get hands-on, because if you remember, on my live Twitter thing, people wanted to get hands-on and learn hacking and that, which I did do a little bit with Verizon Media. But for the first talk I kind of wanted to give a general talk to everyone and help people out, and say, yeah, I think it went well, and I think for next time we can go hands-on and do
(3:19:57) some stuff, maybe. "Best BB live session", yeah, appreciate that, Alex. I really do appreciate everyone who has asked questions and got involved and made this what it is. "Next one hands-on, Google Docs", I like that, okay, maybe we should use a Google Doc, yeah. Honestly, live hacking together, I'm not sure how legal that is. I do have an idea I'm working on for that, it's just finding the time. Because, yeah, very quickly, I shouldn't keep rambling, but I'd only recommend people doing bug bounties read my Turning Time Into Bugs, because I go through
(3:20:39) everything as well that I've been through here with you. You can't always find bugs; you have to accept that there are going to be burnouts. It's demoralizing if people are finding bugs and you're not, it is what it is, how badly do you want to be a hacker? But yeah, honestly appreciate every single person being here, really, you've made this what it is and I'll be doing this again. Much love to the community, thank you, everyone. I'm sorry if I didn't get around to everyone's questions; I believe I did answer every question, though. If you have
(3:21:17) any questions, like I said, my DMs are open. You need help with a bug you're stuck on, anything, I am down to help; my knowledge is your knowledge. You want help, ask, I'll help. I do sleep, I'm not always on my computer or my phone, give me a chance to reply, but yeah, you need help, I'm here. I hope everyone has a great evening, afternoon, morning, day, whatever the time is for you. I'm gonna relax and give my voice a bit of a break. I appreciate everyone, thank you, thank you. Until next time, community of hackers; next time we hack, hopefully my chat is
(3:22:00) gonna be filled with "I found loads of bugs". "Thank you, Sean", thank you. I'm probably not gonna do any hacking this weekend, but if I was gonna do some hacking I'm gonna go for IDOR bugs. Yeah, I retweeted the latest bug from Intigriti about IDOR, quite interesting, it's got me intrigued, makes me want to try some, and I also want to try some more testing with the JSON endpoints. Remember, set yourself challenges and know what you want to do. Peace out, everyone, much love, much love. Oh, one before we go: "After reading your Turning Time Into Bugs I got stored XSS
(3:22:39) in the same night." No, I saw, what, that's epic, that's epic. You owe me a drink if we ever meet. Take care, everyone, and happy hacking. It's been a pleasure, much love, much love. "Bon appétit", yeah, you can tell I'm hungry, that's bon appétit, much love.
Notes:
- /login, /register, /upload, etc.
- robots.txt for hidden paths, and monitor new TLS certificates (via services like SSLMate) to catch freshly minted subdomains before others
- <script>alert(1)</script> to see how filters, CORS settings, and rate limits behave—this builds your "defense fingerprint."