
Bug bounty tools that actually land bugs with Arthur Aires

Jun 10, 2025 | 55 min | Season 1 | Ep. 22

Episode description

In this podcast, my guest is Arthur Aires, a part-time bug bounty hunter and cybersecurity professional from Brazil. He has an impressive approach that combines manual hacking with heavy use of tooling for recon and fuzzing.

Some links mentioned in the video:
https://github.com/pwntester/SerialKillerBypassGadgetCollection
https://book.hacktricks.wiki/en/index.html
https://portswigger.net/bappstore/e4e0f6c4f0274754917dcb5f4937bb9e
https://portswigger.net/bappstore/594a49bb233748f2bc80a9eb18a2e08f
https://portswigger.net/bappstore/0e61c786db0c4ac787a08c4516d52ccf
https://github.com/PortSwigger/403-bypasser
https://github.com/projectdiscovery/nuclei
https://github.com/SeifElsallamy/Blind-XSS-Manager/tree/main
https://github.com/trufflesecurity/xsshunter
https://infosecwriteups.com/easy-xsshunter-discord-alerts-33fcff24a8f7
https://github.com/elkokc/reflector
https://portswigger.net/burp/documentation/desktop/tools/dom-invader
https://urlscan.io/

Timestamps:
00:00 Intro
01:30 Balancing part-time bug bounty with full-time job
02:56 Mixing manual bug bounty hunting with automation
22:04 The most useful Burp extensions
33:25 Fuzzing in bug bounty
46:34 Live Hacking Events

Transcript

Intro

For me, $20,000 is a lot of money. But I remember all the guys made a hundred thousand dollars. Probably all my free time, when I'm not at the gym or playing tennis or staying with my girlfriend, is for bug bounty. Yeah. So still today, a lot of SQL injections on HackerOne. So a lot of problems with WAFs too; I was able to bypass some WAFs in some cases.

My automation is only for recon, not to exploit anything, because probably the exploit thing with nuclei or something, there are guys doing this faster than me. Thank you so much for joining me for the podcast this time. For the viewers who don't know you yet, can you please introduce yourself a little bit and tell us about your background? Okay. So thank you again for inviting me. I'm really excited about this podcast and the questions. So yeah.

So about my background: I'm a bug hunter and pentester on HackerOne, with four, I think four or five years on HackerOne. And after that, I work as a cybersecurity tech lead at a cybersecurity consultancy in Brazil. And I'm a pentest leader on HackerOne too. So I work with both, and this is me, I think. And I was invited five times to live hacking events on HackerOne, and I really like it. I send a lot of bugs on bug bounty.

Balancing part-time bug bounty with full-time job

Yeah. So you're not a full-time bug bounty hunter now? Yeah, no. Have you considered it? Yeah. I think maybe it's a possibility for me, because probably my income from bug bounty, it's pretty... it's really more than I receive from my work, really more, but I really like working at this Brazilian cybersecurity company. It's good work there, I have some friends and I really like working there. So it's a good job. I can do really good things there.

The vulnerability I showed to you was there, using the SerialKillerBypassGadgetCollection. So I have good opportunities there to test Brazilian companies. So yeah, I like working there. Yeah, I think that's the common theme among all of the bug hunters: we like bounties, but also being alone is a little bit problematic. Yes, you are really right. Very impressive that you still only work part time.

You've got almost 22,000 reputation on HackerOne. Yeah. So I'm very excited to speak with you. Awesome. Awesome. I probably owe my friends... All my free time, when I'm not at the gym or playing tennis or staying with my girlfriend, is for bug bounty. So yeah, all my free time is for bug bounty, and probably this is the reason why I have this reputation. Well done, one way or another.

Mixing manual bug bounty hunting with automation

So are you more of an automation-based hunter, a manual hunter, or something in between? So, yeah, maybe I'm in between these two options, because I have automation, but my automation is only for recon, not to exploit anything. Yeah, because probably the exploit thing with nuclei or something, there are guys doing this faster. Yeah, it's a race. Yeah, it looks like a race.

So I don't do that. So my automation is only for recon. What I have is a huge MySQL database with all my scope from bug bounty programs, and all the time my script is running and doing the recon. And if there are some updates on HackerOne, these updates notify me and I have the assets in my Telegram chat. So I receive that, and maybe this is a good target.

Oh, maybe this program now has a wildcard scope, so I can look there. So my automation is only for recon and receiving the updates from the programs, but my hunting is only manual testing, looking at the application and those things. Yeah. How, technically, do you have HackerOne updates connected to a Telegram chat? So, maybe at first it was

really hard, because your scripts need to be hitting the HackerOne API a lot of times to get the updates in time. But I think it's OK now, because I've been writing the script for a long time, so maybe the script is stable now. I did have some problems, but at first I had a lot of bugs in the script; the script was not working well and I was losing scope. An example: I remember seeing, some time ago,

my script was not looking at all the scope, only looking at the first page, not all the scope. So I fixed that by making a for loop looking at all the pages of the scope from the API, because I didn't know the API only shows one page of the scope, not all the scope. Some programs have huge scopes with a lot of domains, and probably I was missing that.

So this is one of the mistakes I made along the way, but I think probably now it's more stable. But my automation is only for HackerOne, because implementing other APIs or other platforms would be more work. Yeah. And it's always like that: when you write something, it's a cool idea and you think it's going to be quick, and then it takes time and more time and bugs. Yeah, a lot of bugs.

Sometimes I didn't receive the notifications on Telegram and I think, oh, probably there is something not working well, I need to check on the server. Yeah. What other alerts do you have? For example, do you monitor JavaScript? No, I don't monitor any JavaScript. But what I monitor with my automation is: every day I do the recon, and I have the responses for the same domain over time. An example:

I ran the recon yesterday, today, and there are going to be runs tomorrow. I have all the httpx parameters in the MySQL database and I can compare, for example, if the status code yesterday was 401 and today was 200, or yesterday was 200. So I have a history in my automation. So you store the httpx parameters, so it's like the status code, number of words, number of lines, something like this.

Yeah, you don't actually... Oh, yeah, because httpx has a parameter: you can get the hash of the body, so I did it. I have this, but I need to work to improve maybe the way to view these things. But I was capable, if I search some domain, an example from a bug bounty program, I was capable of seeing if the page was changing over time. If the hash... I think it's the body hash, yeah, that's the name of the hash.

If this hash changed, probably the application changed; probably the application was updated or something, or the body changed. Yeah, that's very interesting. Doesn't it cause too many false positives, because the hash is very strict? Yeah, we have many false positives, but sometimes I have good examples. So I will show an example to you. I really like PHP pages, because

when you see PHP, probably we will find some bugs there. So I was monitoring this page, and for this page the hash was the same, same hash, same hash, same hash. And some day I looked and the hash changed. Oh, probably there is an update here. And I was capable of finding a new endpoint and accessing it. So it's fine, because if you look at the right domains, the right subdomains, you can find good things there.

Yeah, but it's hard to limit this, because do you monitor this just for the main page, like the slash? Yes, it's only the main page. Only the main page? Yeah, the main page, because all the pages would be more complex to do. And, I don't know, maybe MySQL is not the best database to do that, because imagine we store all these things. Yeah, that's what I'm afraid of.

Like sometimes when I think of writing something like this, first of all, I don't want to spend all the time on the development, but I can accept it. But then I want to somehow limit the amount of noise, so it actually gives me leads but doesn't give me everything every day.

Yeah. So it's a very nice balance that you seem to have. I think probably in my automation, what I really use is this scope update, because it's fun. It's really cool, because sometimes the program updates the scope but didn't send emails to people, or the subscription didn't work well. So this functionality to update the scope is really awesome, because it gives me visibility of all the scope updates from the programs.

I didn't have that before. My Telegram chat has a lot of messages all day, because all these programs update and change things and so on. I will show an example to you here. So today I have 10 a.m., yesterday, yesterday. So yeah, a lot of updates from these programs.

Yeah, even in the beginning when you said it, I imagined the way it may be done is you have some webhook on the email, a mail hook, but now I realize, okay, there's not always an email sent on a scope update. Not until just now did I realize this. Yeah. So what I really do is get the scope from HackerOne all the time, and after that compare it with my scope in my MySQL database, and comparing that, oh, there is something new here, send it to Telegram and start storing it. Yeah, that's very smart.

Yeah. And every day, do you hunt on whatever your automation shows you? Yeah, when I have good targets. An example: I saw that maybe here there are some good things. What I was thinking of doing to improve my automation is to use httpx on these new domains to check the technologies, because if I have some good technology like PHP or something, probably this is really good and maybe it's good to

take some time here, because probably there will be good stuff here. Yeah, that's cool. You motivate me to start doing something similar as well. I have some JavaScript monitoring which I use, but I use it on programs I don't even handle anymore, and I get updates every few days. And I never actually created the automation where I would really stick to it and use it properly.

Yeah. But I think it's incredibly useful. So the texts from the updates, it's useful, I really use that. Yeah, that's really awesome, that's very smart. And that's weird, there's no native functionality to do it. Not until just now did I realize. Yeah. So I was talking with Omi, I don't know...

Talking about... in the past, we were talking about maybe it's better for the HackerOne API if they use webhooks to send to us, because imagine all day my script is running and hitting the HackerOne API, getting all the programs, and doing this every few minutes. So maybe this consumes a lot of resources on the HackerOne API. So maybe webhooks could finish with this resource consumption. That would be easy.

And also not only on the HackerOne API, but then you have to pull it yourself, you have to diff it yourself. So it's a lot of code, it's a lot of resources, and the webhook would be easier. Yeah. Although for bug bounty, the thing is, if something is hard, it is the reason... Yeah, it's true. Okay. So you have the automation, you start hunting on some new domain that the automation gave you. Where do you start? What do you hack? A lot of fuzzing,

probably. I really like to do fuzzing. I really like to use waymore, and these tools give me the historical things for this domain. So fuzzing, historical things for this; I might use waymore or other tools. So I really like to search on Google, Bing, DuckDuckGo and other search engines. I really like site, two dots... not two dots, a colon, colon,

I think, yeah, `site:` and domain.com. So it's really awesome, because when you do that, a lot of these search engines give you a lot of good endpoints. So I really do that, waymore and a lot of fuzzing, and fuzzing over fuzzing. For example, you find a new path; oh, probably I need to do ffuf more here.

I need to do recursive fuzzing, because sometimes this can be a problem for the customer, because maybe you can turn it all off or maybe stop the server. This is normal, so you need to... for me, the normal now is to use low threads: a big wordlist, first fuzzing the paths, looking for good things, and after that fuzzing again and again. And look at what bug classes to fuzz for. I really like access, yes, improper access control,

insecure deserialization, SQL injection. I have a lot for me. So you have like one large wordlist with everything? Yeah. What I can see on the application, probably I will test. An example: a few months ago I saw a PDF reader, and in this PDF reader I was capable of attaching files. I don't know if you saw this kind of vulnerability, and I was able to get local file inclusion.

So yeah, probably for me, when I find an application, I try to test all these things on the application: XSS, misconfiguration, information disclosure, SQL injection, XXE. All these things I try on the application, and if I have some specifics, like with this PDF reader, this is interesting and I want to test SSRF on this PDF reader, LFI on this PDF reader. So everything I can see on the application,

I try. I really like the HackTricks book. I don't know if you know this. Yeah, of course. This domain is really, really good. Didn't it disappear recently? Yeah, I don't know, because the URL, the domain is working, but Google is not showing it anymore. I don't know why. Okay, interesting. I don't know why, but Google is not showing it anymore. But if you have the URL of HackTricks, it's working.

Okay. I don't know what happened. Yeah, so your wordlist, how many entries does it have? Oh, I have some huge wordlists. The one that you use, just when you open an endpoint, parameters by default? No, the wordlist for fuzzing paths in a web application probably has one million entries. Okay. And for fuzzing parameters, maybe 300 entries, I think.

An example: I have an endpoint, I try to see if in this endpoint there is some interesting GET parameter, and I fuzz again. I really like x8; this tool for fuzzing parameters is really nice. I don't know if you know this. No, I don't. It's really nice, because for me Param Miner is really slow. I don't know, because I didn't have good experience with Param Miner. So this tool... do you mean Param Miner? Sorry, my English is very good.

So I really like, in my Burp Suite setup, I have another extension called Send To. And I use this extension to pipe the request to tools like x8, SQLMap and other custom tools. An example: I have a custom tool for SSRF on an application. So I pipe the request to these tools, and it's really good to work with that. Yeah, but do you fuzz... you said there is a wordlist of what size? My main wordlist, yeah. An example: I have the normal wordlist.

Yeah. If I use the normal wordlist and the wordlist didn't work, probably I use this wordlist that has one or two million entries. And you always fuzz with one or two million entries? No, no. Probably it takes a few days of work. So yeah, I do a lot of waiting, do my work and leave it where it is. So you just leave it in the background, don't you?

Yeah, sometimes. Sometimes I'm looking, but I'm afraid to, how can I say, I'm afraid of turning off the servers of the customers. I'm really afraid of that. So what I do is look at the policy of the program. If the program allows you to only do 20 requests per second, I use these metrics to configure the fuzzer. Okay. So, yeah. Interesting.

Yeah, I know about fuzzing, but I had no idea someone fuzzes with such a large wordlist. Yeah, I think I'm patient. So I start the ffuf, put it on another monitor and see it working while I'm doing my work. Sometimes I minimize and look there, because sometimes the program has a policy, you are within the policy, but the application goes down and you need to turn it off. Yes, and stop.

You are right, because you are within the policy, but the application is not good enough, is not capable of dealing with those requests. So I stopped and didn't do fuzzing there anymore, because probably the application will be down and a lot of problems will happen. Yeah. So this is for fuzzing the paths. So then how do you fuzz parameters? Do you also use a big wordlist to fuzz all the parameters? I really like to use a tool called GAP.

I don't know if you know this tool. I really like the dev of these extensions; I use waymore from this guy too, to get more information for recon. And this extension is really good, the GAP Burp extension, because with that extension you can use your Burp history, for example all your navigation history with all the paths, endpoints and parameters, and the responses containing parameters and endpoints. You can use the extension to get all these things and generate wordlists. This is very nice.

Yeah. So sometimes when I'm spending a lot of time on some program, I use that wordlist, add it to my wordlist and do fuzzing with that. So yeah, the results in this case, with this extension and waymore, are really good. Yeah. Can you send this to me so I can put it in the description for the viewers? Sure, sure. Let me send this and another one; I really like waymore. Yeah, waymore is very good as well. It's really, really good.

I really like the tools from this guy. I give a lot of... because this guy has a Buy Me a Coffee. I give a lot of coffee to this guy, because the tools are really good. That's very nice, to give back to the tool creators. Yeah, it's awesome. So when you fuzz these parameters, do you fuzz for all bug classes at once? Yeah, I really like to use Burp Bounty Pro.

I don't know if you know it; some people don't like this Burp Bounty. I like it because the tests of Burp Bounty are more... because, for example, the Burp Suite Scanner, I have the feeling it's huge and does a lot of things. I really like Burp Bounty because you can create custom templates and custom rules, and the rules and templates there are really nice. So I use it a lot.

I use these templates when I have the parameters, to find if I have some SQL injection or XSS. Yeah. But I really like to use Burp Pro. But sometimes I use the Burp Scanner. It's not the best option, because the scanner for me is really heavy. So, but sometimes I use it too.

The most useful Burp extensions

Yeah. You seem to rely a lot on Burp and different extensions. Yeah, I have a lot of extensions. I really like to automate my process of hunting, to, how can I say, make my life easier. Yeah, to be efficient. Yeah, to be efficient. An example with x8: in the past, when I didn't know Send To (I will send the link to Send To to you too), in the past I copied the request, saved it to a file, ran the command.

So this is really slow, but with this extension, Send To, and the command pipe, you can send it to a Mac terminal, send it to x8, send it to SQLMap. So yeah, for me it's really productive. Yeah. I use Piper for a similar thing. Are you familiar with it? Yeah, I think Piper does the same as Send To, right? Okay. Yeah. A few options as well.

Oh, it has... sometimes you can also have, inside Burp, commentators, which means for each request that matches particular criteria, you run some command and then the output of this command is in the comment of the request in Burp. You can also have the message viewer, so when you have pretty, raw, I don't know, GraphQL, hex view in the request, you can also have some output of a command. And you can also just do what you say, send it.

And it's very efficient when something just automatically gets run in the background. It's so nice, because you don't have this time copying and pasting. You do what you need to do and the things are working automatically. So yeah, it's awesome. I need to test Piper. I think I remember it today... I don't remember who it was, but it's very powerful. It's very open and you can do so many things with it.

Yeah. I'm using Send To because I remember seeing the extension: yo, this is awesome, I need to use that. And now it's the normal for me to use that. Yeah. What other extensions do you use? Let me check here. I have a lot. This is my work. I really like this extension, Wsdler. I don't know how to pronounce it. It's WSDL, it's some type of format, isn't it? Yeah, it looks like an API format.

Yeah, and you can send the WSDL to the extension and it will give the request to you, create the request, and you can just send it to Burp to test. Because some XML APIs are really hard to create the request for. It's more difficult than Swagger, for example. So I really like this extension. I really like the Flow extension. I don't know why, but I really like this extension, because... What does Flow do? I'm not familiar.

Flow is the same as... let me open a new Burp Suite here. I really like Flow because there is Logger, but I'm not familiar with Logger, so I use Flow to get the requests from an extension. So, an example, I really like the extension Reflector. This extension is really good for getting some XSS. But sometimes it's doing a lot of requests, I didn't know what was happening, and with the Flow extension I can see the extension's requests. So I really like it.

Flow. This is why I like it. Yeah. So an example of GAP, as I showed to you, with all the really good things we can do there. Burp Bounty Pro, I have the license, I paid for the license, to support Eduardo; I think Eduardo is a great guy too. He created this, it's great too. I really like this extension, Burp JS Link Finder. I don't know if you know this extension. LinkFinder, yes. But the one in Burp, is it some kind of wrapper around it?

I don't know. Does it call the LinkFinder CLI under the hood, or is it something... let me see. Yeah, JS Link Finder. Okay. It's really cool, because you are testing the web page and loading other pages, and this extension is using regexes to get some endpoints and some good stuff from the JS files. So it's really awesome. I use the extension. I sent to you Reflector, GAP, Burp Bounty, Flow, the Deserialization Scanner, which I use a lot.

Logger++ I use because it's necessary on a HackerOne pentest, because you need to auto-save your pentest log. It's important to have this installed because of the testing. And this one worked one or two times with me. So I have this extension too, to test; maybe sometimes it works, maybe sometimes not. It's curious, because my first bug was with this extension.

It was a remote code execution, but it was fun, because it's a program with a large scope, and I used this extension on the main page, because the main page was a blank page. When I used this extension, you see the headers here. Which extension are we talking about? Sorry? Which extension? 403 Bypasser? Yeah, 403 Bypasser. So it worked only one time, but that time I was so happy I had the extension here.

Because with this specific header, I was capable of accessing the application. Before, the application was only a white page; with this header I was capable of accessing the application, and all the application with the CVE for remote code execution. So I have the extension too. That's cool. You seem to have... some people, for example, the last podcast that was published was with RemyPack.

He seems to have his center of hacking in the browser. He has JavaScript bookmarklets and tries to be able to do everything from the browser. And you, on the other hand, have Burp and all the extensions too. So this is your center of hacking. Yeah. But I really like hacking in Google Chrome, because, for example, I have this Chrome for my personal stuff and this other Chrome to only use with work.

And I really like this version because I really like using Chrome to hack, because the dev tools are really good. I really like these options, because sometimes when you have some apps, you can debug the app using the dev tools and you can override... Chrome gives it this name, overrides: you can change the JS, and changing there, you have a different response in the single-page application. And with that, sometimes you can bypass

the auth in the front end and access all the application, and understand how the API is used by the application. So yeah, I use it a lot. How about browser extensions? Do you also have as many browser extensions in Chrome as Burp extensions? Oh, let me see. So I don't have a lot of browser extensions. I have this extension because it's good. What's the name? gitch. It's only to find

when you have /.git/. Yeah, because sometimes I... I just use nuclei a lot, because nuclei probably will show that. Yeah. So this is really good; you can find some good stuff here, get source code and tokens and so on, when you have a look at .git. I use this extension for my blind XSS. Yeah, this is a really good extension. I don't know if you know that. No, what's the name? I have all my blind XSS payloads here.

I didn't know the name; it's Blind XSS Manager. Okay, interesting. Yeah, because I have my blind XSS payloads here, my domain; it gives you the history with the page where I used the payload. Oh, that's very nice. Yeah, it's really good, because when you see the blind XSS fire, you don't know where you sent it. So this extension is really good for managing my blind XSS. Yes. For blind XSS, what do you use as the... I use, I think, let me see. Is it XSS Hunter?

Yeah, XSS Hunter. Let me see, self-hosted. I only self-host this. Let me see if it's... yeah, this one, but I use this one. It's really good, I didn't have any problem. The only problem I had with this was sometimes the web pages are so huge, and when the request is trying to upload the screenshot to the server, we have this problem. So I needed to change the Node.js size limit for the file.

Yeah, maybe I lost some blind XSS in the past for that. I don't remember if... So Truffle Security took over, bought this extension. So now I think they maintain it, because I think the original maintainer sort of stopped supporting it. Oh, okay. So this is the new extension. Yeah, but the version that's hosted by them is still a little bit limited.

Okay. So if you want to have full functionality, you have to self-host it. Okay. Maybe I use this express... I don't know. Yeah, I use that, because I remember, I think it's the same. I remember because there is this Docker config. Yeah, I remember changing here, because I changed from email to Discord notification. There is a pull request here; change here at this Discord and Slack integration.

Yeah. So this guy did all the work for me. So yeah, thank you, Adam G. Yeah, very nice. You're amazing in terms of how many tools you use. Especially now, I'm in the moment where I always feel I don't fuzz enough, I don't use enough tools. I mostly hack manually, and I only sort of fuzz something if I have a really big suspicion something is there. And I think it's my big problem that I don't blindly fuzz so much.

I don't brute-force paths so much. So it's really nice for me to see you, speak with you, to see how many you can actually use, that you can have a brute force that's running for a few days in the background. Yeah, because you turn it on and use low threads, because the memory use of ffuf is increasing when you have a huge wordlist and use the -e flag, because you have more extensions. And I think probably ffuf adds it to the memory.

Fuzzing in bug bounty

And the wordlist with your extensions, this is the real memory usage. So I try not to use a lot of... Yeah. And you can test that: when you have a lot of instances running, you don't use a lot of memory. So yeah, it's a really good tool. Yeah, do you run it from your local computer or from the cloud?

In the past I had a Raspberry Pi and I used that for that, but today, now, because in the past I had my home address blocked on Akamai, I think. An example: I wasn't able to open TikTok, because TikTok uses Akamai, and I was able to see TikTok on some other web page. I needed to call the provider to change my IP address. So, yeah. So now I really like these guys.

I always recommend it to all because they have dedicated servers with a cheap price. Yeah. Can you send me the link as well? Yeah. So, I really like these guys. Let me send it to you. It's not only Amsterdam servers, but the other servers are good too. So, an example: I have my server running. My server has, I think, 64 of memory. It's really cheap for the price and the config I have.

So I have a lot of memory. And for a cheap price, maybe $20, $30, yes, for that. Good, nice, and unlimited traffic and a one-gigabit connection. So, yeah, it's really good. So I really like it. These guys, they are really cheap with good servers. Yeah. Okay. So you have your automation, you have your tools. So what bugs do you find most commonly? Probably I find a lot of bugs, but probably a lot of improper access control bugs.

Yes, when I have the opportunity, because when you have access to scope with legacy scope and scope without WAF... Yeah, probably SQL injection. I remember seeing a lot of SQL injection. Yeah, still today. Yes, still today, a lot of SQL injection on HackerOne. So a lot of problems with WAF too; I was able to bypass some WAFs in some cases. I remember seeing one case, it was really, really strange, because these guys use a different

type of database. There is no support in sqlmap, and this database, it's IBM mainframe. So yeah, it was really insane. sqlmap was not working there. I needed to write a custom Python script to make those blind queries. And with these blind queries to the database, I was capable to get the database name. Okay. Nice. So yeah, it's awesome.

You need to probably spend time; that's the thing with bug bounty. You need to spend a lot of time and be patient with the fuzzing, for example, because the fuzzing is running for days, a few days, because you can't turn off the rate limits, but probably this will generate problems with the customers and probably the server will be down. So slow fuzzing, fuzzing with a low

rate of requests, fuzzing a lot of different hosts, and be patient and have... constancy, is that right? Yeah. Consistency. Consistency. So have consistency every day when you have free time; do it and probably you will get good results. Yeah. But how do you... because you said broken access control, which I think of as the bug which is quite hard to, like, fuzz. It is more, at least in my head, like manual testing. So how do you?

I really like to use Autorize. Okay. Because I'm doing fuzzing, and you asked about fuzzing and broken access control, right? Yeah. I do fuzzing to get more paths and more applications, and when I get access to more applications, because the application is probably not visible to all the other people, you have access to old login systems and old systems, and there, in this application, you are capable to find a lot of improper access control.

Yes, basically just manually for them. Yeah, yeah. Because, an example: you have this domain, the path, and in the path, this strange path, you have access, you have a system with a login. But if you fuzz it again, you have access to other paths of the application. And you can find a lot of broken access control there, XSS, SQL injections. So yeah, you need to spend time doing fuzzing. So how would you describe your normal day?

How much time do you spend running tools versus manual hacking? Because running tools is so fast. I only see the endpoint, get the URL, or get the endpoint, create the command, use the command on the cloud, and wait, and spend time testing the app. Because I was testing what I can see on the app. An example: I was testing the app and I saw a lot of functions, a lot of possibilities in this application. I will test everything.

Every single part of the application, every piece of this application, to understand how this works and what I can see. And the fuzzing, it's running too, and I was looking in the fuzzing and maybe there is something interesting here. I do fuzzing in APIs too, because sometimes you are capable to get Swaggers and other important things. If you fuzz and get a Swagger, you can't stop, because you have all the API endpoints. So, yeah, I do a lot of fuzzing.

Yeah, so just then, how do you send requests directly from Burp to your cloud instance? Yeah, in this case I need to work on a way to... I was thinking to create a Python script to send the request directly to my cloud. But today I copy the URL, an example, generate a ffuf command, and put it in my cloud. I use screen to... I don't know if you know the screen software. No. It's a software on Linux and you can... there is a lot of servers here. So I use this screen a lot. Let me see.

Is it like backgrounding a terminal or something like this? Sorry? Putting one terminal in the background and the other in the foreground? Yeah. Oh, there's a lot of fuzzing right here. Yeah, I see. Yeah, so with screen, I was capable to enable a new screen, and here I run ffuf. After that, I press this and a new screen is running. So I do that. It's manual work, but I was working to automate that with Python too. Yeah, yeah. Okay, that's cool. Yeah, that's nice.

So many things I would like to do. Yeah, I really like it. There are other tools like nohup. I think... nohup. That's the way I usually use, nohup. I didn't like nohup because it's making it run in the background and you can see the screen running. I think... Oh, I don't know how to put it to a file. So you have to, like, tail -f the file. Yeah, yeah. But that's what I use when I use something.

So maybe screen works well for me because, an example, nohup, it's running and you can stop... you only stop nohup if you use ps and kill the task, but in screen you can access the screen, and if it's running I can press Enter, and if it is paused... Yeah, that's nice. I should probably switch. Yeah. So it's a more advanced version, basically. Yeah. So I really like using screen to generate all my terminals on the server. Yeah. How about, because XSS, it's

also that much problematic that it's, I think, harder to detect with a tool, because yeah, you can just look at the response, but the only, like, proper way to detect something is to have, like, a tool with a headless Chrome. And this is heavy. So do you use headless Chrome, or do you just use some kind of... For DOM XSS, are you talking about, right? For XSS. Yeah. For XSS, I really like this guy. Okay. But always... So, the Reflector extension. Reflector is really good.

But always I'm looking at Flow, because Flow has this thing here, reflecting. Yeah. And with this you can see the parameters that are reflected in the page. So with that, probably there's some good things here. But every time Reflector is working in the scope and sending requests, I'm looking at that and looking at the issues. The issues have the vector created. And for doing XSS, I really like to use the Burp browser.

I really... I didn't use the Burp browser a lot, because sometimes browsing in these browsers is somewhat problematic, I think, but I really like DOM Invader. So it's really, really awesome to do XSS because I grab this canary, the canary, yeah, put it in the URL and look at DOM Invader. If DOM Invader gives an alert, oh, probably there is a DOM XSS here. But I really like to look at the JS and look if I have some possibilities in the JS to get some DOM XSS.

Yeah. So I use Reflector. I do a lot of fuzzing of parameters, use the Send To, or I have these extensions, Send To. I select my programs here: XO, XH, sqlmap, SeriousForce. So, yeah. I also saw you have a repository on GitHub with Tampermonkey scripts. Do you still use it a lot these days? That repo wasn't too fresh, I have to say.

So, yeah, I really liked to use Tampermonkey in the past, but it's because I didn't know about the DevTools and how this works on Chrome. So now you just use overrides in DevTools. I didn't use it a lot today, but yes, the Tampermonkey scripts are good because you can change the app at runtime. And with that, maybe you can access other pages of the application. So I really like that.

But now, using the developer tools in Chrome, it's better. Yeah. So another thing I really like to do is... because when I started doing hacking and some things, I really liked to see how these PHP apps work.

And it's really fun when, an example, I have a local file inclusion in PHP apps, because with that you can find the source code of the app and you can look: oh, probably here there is a way to get remote code execution, or upload a PHP file, or deserialization in PHP. So I really like code review. But what I do sometimes in some scopes is, an example: I have this program with a large scope, I find some apps of this program.

I search the paths of these apps using urlscan, because there you can search only for the paths, and you can find other applications with the same path. So probably this application is hosted by this client, but the code is not this client's. And sometimes you are capable to get the source code on the internet and review the source code. So I really do that a lot. And it's really good.

Yeah, yeah, it's nice. I don't know if it was you the other day here telling me about it or somebody else, but yeah, I didn't use it, and it's the second time somebody mentions it here. Yeah. I really like to do that, because sometimes you are finding zero-days, but not in the really popular software; you are looking in that software used by some company. Yeah. That's nice. Yeah.

Live Hacking Events

Okay. We'll now talk a little bit about LHEs. Okay. Did you attend... you said you attended four LHEs in the past? I think five, five times. Yeah, I remember LHEs from Amazon, AWS, PayPal, Zoom. So I think probably the live hacking events are really hard because you have a lot of good hackers together testing the same scope.

So there are a lot of dupes, but for me, probably live hacking events are best because I have some friends together with me, so I have F6X, Amstrad (I say Amstrad, but it's A-M-S-D-A), so Manuel, T. Herrera, Caio, Amir. So these guys together with me, working together, we can do a lot of things. That report with the remote code execution, that scenario, it was together: a lot of guys working together to get that. So do you work as one big group with so many people?

Yeah. When the Brazilian guys are together, we work together, and we all agree to share the bounty. So, yeah. So it's a report like a six-way split? Yeah, sometimes six, five-way splits. So, yeah, I'm okay because, in most cases, we earn a lot of money and we stay okay.

I remember, an example: for me, $20,000 is a lot of money, but together, I remember all the guys made a hundred thousand dollars. So five guys made a hundred thousand dollars in the event. So yeah, for me it's good, probably because if I stayed alone, I would not perform like that. So for me, working together in live hacking events is really important.

I think you're the biggest team, because I think there were some teams in the past, but these days I feel like most people, if there are teams, there are teams of two, maybe three. I'm not aware of any other group that, like, sticks with so many people. Yeah. Cool. Yeah, so this case was five; last year was three, me, F6X, and Amzda, because only we were invited. So yeah, when all the guys are invited, we do it together. When not, it's okay, we do it with the guys we have.

I... probably the Brazilian guys like working together, and I really like it because they are really skilled guys, they are guys with really good skills, and probably we complement each other all together. So yeah, that's a nice strategy. Yeah. Did you ever have problems with managing such a big team? No, I don't remember having problems, only good bounties. So the guys are really nice to work with. They are really friendly.

Do you change your hacking methodology a little bit when working in the team, or is it exactly the same as when working alone? So when we are working in the team, probably I do a lot of fuzzing and recon and get all the good information about the scope and send it to the team so we work together. So I really like working on some good information, good information about the scope. An example: find some legacy application, some good applications to test.

An example: probably this application I find here is good. Maybe you can spend time here fuzzing here and testing here. So, yeah, I remember doing that with some guys in the past and we found a lot of zero-days in applications and sent them to the live hacking event. So I remember sending a vulnerability with a hater, maybe it's missing... maybe the submission will close, the submission will close in 30 minutes.

I think we found some good vulnerability leaking a lot of PII; we sent it and the team paid, I think the team paid $50,000. It was really awesome. So, yeah, it's really good to work with these guys and work together. We really find good vulnerabilities together. Yeah. Do you physically go to the same location to hack together, or is it mostly online? So, when you are... because live hacking events have two steps.

The first step is before the in-person part, and after the virtual one, you have these guys together. So sometimes we work together in a Discord call and hacking, but there are async moments when you send, oh, there is something good. We created Telegram groups to talk about that. But for the virtual phase, you did not try to, I don't know, rent a hacker house or something like this? Yeah, there is a problem, because we are far apart in Brazil. It's really huge. So I work in the north.

An example: I work in the north, I stay in the north of Brazil. F6X is in the south of Brazil, but now in the northeast of Brazil. So all are from a different place. Yeah. I saw a few maps of Brazil that really show the scale. For example, the most northern part is closer to any other country in North and South America than to the most southern part of Brazil. Or the other one:

the most eastern part of Brazil is closer to the other side of the ocean than to the most western part of Brazil. It's huge. Yeah. So imagine, from even the north of Brazil, really near the top of Brazil, and we didn't have direct flights from there. So I need to go to the south, and after that go. An example: we are going to Atlanta, so I need to go down to São Paulo and after that go to Atlanta.

Yeah. From my city to São Paulo I spent four, five hours in the plane, and after that nine hours to go to Atlanta. Yeah. Which of the four or five live hacking events was the best? I really liked the live hacking event with the five guys, because it was really, really good. The last year was really, really good because I saw a lot of good vulnerabilities with Manu, with Amazon, sorry, with Amish,

and F6X; we were capable to send good vulnerabilities. But I really liked the last one... I think it's 2023. Yeah, 2023, because it was five guys together and some good bugs were sent together. We sent a lot of bugs at that live hacking event. So it was really, really good. So I really like these two years. Yeah. Probably the first live hacking event I was at was not my best performance. So, together with these guys, I really increased my performance.

Nice. We're closing in on the end of the episode, as I have flights today. But before we go, what are your plans for the rest of 2025? So my plans are improving my recon automation and spending most of my free time doing bug bounties to save a lot of money and be in my house. This is what I'm doing: I'm building my house, building from the ground. Yeah. So I bought the land.

And I contracted some company to build the house. Yeah. So we are building the house and contracts... I try to draw the house, think out this thing. So, yeah, but it's cool because, if I think about that, HackerOne has paid for my house. It's true. It's true. I wish you good luck with this. Thank you so much for joining me for the podcast today. Thank you so much for inviting me. I'm really happy with that. Lovely.

Transcript source: Provided by creator in RSS feed