XSS is still the most common vulnerability class, so there are a lot of bounties to be earned here, especially if, like today's guest, you're so good at it that you can get bounties like 50,000. We'll talk about this bug and about many other things, for example how you can speed up your workflow by, instead of copying things from your browser to your terminal to run some tools, doing things with one click from your browser. Enjoy my interview with renniepak.
So hello, René. Thank you so much for joining me here. We're recording this in Prague, just as we finish the Elite 8 round of the Ambassador World Cup. It's great meeting you here, and thank you for being my guest today. Likewise, thank you for having me. For those who don't know you yet, can you please tell us a little bit about your background? Sure. I'm René, renniepak on most platforms. I'm from the Netherlands, I'm 40 years old.
Yeah, and my background: I studied at the conservatory actually, a professional school for music. Oh, yeah. So to become a musician, a percussionist. Yeah. And while I liked my studies, I quickly realized that it wasn't really for me to be a professional musician. As a hobby it was fine, but I did finish it. So then I got my diplomas and the great journey started of discovering what I did and didn't want to do with my professional career.
So I did all kinds of jobs, like starting in a call center doing support, tech support stuff. Yeah. And then slowly but surely I moved towards IT a bit more. I think my first real IT job was as a tester, and at the time that really meant working through big Excel sheets: click here and check that, and then check mark, it's done. Sounds very boring to me, to be honest. It was, but then I moved to test automation and later to development. Yeah. And then I think my last real job was at bol.com,
which is a big retailer in the Netherlands and Belgium, a bit like amazon.com, but more localized. There I worked also as a tester in the beginning, then as a developer. And then I became a developer in the security team of bol.com because they have some applications that are more sensitive in nature. So I worked there, and then I had the opportunity to make the switch to become an ethical hacker in the security team, still within the same company.
Yeah. And I was also responsible for the bug bounty program there, actually. And then, almost three years ago, I decided to become a full-time bug bounty hunter. So it's been three years already? Yeah, in May it's three years. So not there yet, but it's getting there. How is it going? How do you like it after two years? Ups and downs. Ups and downs. Anyone that knows me and talks to me knows that it's a bit of a rollercoaster for me all the time.
So I really liked having the freedom. Yeah. That's still one of the best parts. Oh yeah. Also the freedom to choose what's interesting to you. I really like that. But I struggle with seasonal depressions; winter is not great for me, being alone in my workspace and typing away. Yeah, and sometimes I dislike the frustration and the drama around bug bounty reports getting downgraded or decisions you don't agree with.
So that's a bit harsh sometimes. But on the other hand, I'm also not prepared to go back to office life. And yeah, so that's still a bit, yeah, I'm still not sure what's next for me. But so far so good. I understand. I also have some moments where, oh, it's bug bounty.
It's annoying and you're getting frustrated or something, but then I really could imagine myself going back to a nine to five, and it would be really hard at this point. But I think we all have times where it would be really nice to just have a job, not care about anything, get the same salary every month. Yeah, exactly. Yeah. Same for me.
I was just telling someone that I made the mistake of looking; I filtered all my duplicate reports from the past years, and it was like two or 300 of them. Wow. I really got frustrated with all the time that I lost spending there. But yeah, that's part of the game. Yeah. On the other hand, what are the best sides of bug bounty? Yeah. Like I said, I really like doing stuff that I like.
Yeah, it sounds obvious when you put it like that, but obviously in a job you need to fulfill some tasks. Yeah. And in bug bounty you can really spend time on just the parts that you're good at or that you like. Yeah, that's the best part for me. Also, I didn't say it in the intro, but you're the only person I know that has the payload tattooed on your... you can show it to the camera for the podcast viewers. We're sorry. He has the SVG onload XSS payload on the forearm.
And I think this is something every hacker thought about having at some point. But you're the only one that I know that actually did it. So well done. So over the three years, how does your routine look now, and how did it change during this time?
I guess my routine is pretty nine to five still, actually. I'm a dad and a husband, so I have a daughter to take to school, and daily life is just going as it's supposed to go for me. I'm not really a nighttime hacker in that sense. I try to stick to my nine to five and then it's okay for me. I guess in the beginning I was more, how do you call it?
Motivated to jump on new programs, pick up the low-hanging fruits, et cetera, and race to get the first bounties. Nowadays, like I just said, I'm working more towards what I'm actually interested in rather than joining the rat race for the first bounties. So I guess that changed a lot. Also in the beginning, I was really heavy on working on Intigriti, climbing the leaderboard, staying in the top 10. And currently I don't really care about leaderboards anymore.
Yeah. What is your main platform these days? I think at this point it's even between Bugcrowd, HackerOne and Intigriti. All three? Yeah. How would you compare the differences between hacking on each of them? Honestly? Yeah. Not a huge difference anymore nowadays. No? Because I've heard from multiple people that Intigriti has better triage. I don't have a single bug on Intigriti, unfortunately, so I cannot.
I don't want to say anything bad about Intigriti because I really love them and I've done a lot on them. But you do notice that they also are growing. Like when I started back then, I was really in the beginning working on Intigriti, and at that time you could literally send the CEO a question about your report on a Sunday morning and he would respond. Of course, that's not something that's feasible when your company grows.
So it's only logical that they're becoming more standardized with their support, et cetera. But it's still fine. And I actually enjoy working on all the platforms, and I also have frustrations with all the platforms. Yeah. So these days you just choose by who has the program that you want to hack. Yeah. Definitely. Yeah. How about events?
Do you attend a lot of them? I did attend a lot of Intigriti events, and then it's been quiet for like the past one and a half years or something. And this is actually the first one for HackerOne for me. Let's hope it's not the last. No, let's hope. Let's hope we meet in the final. Yeah. Because the background, for you at home, is that now we are at the quarterfinal stage. If we advance through this stage, we'll meet again in the final round in Dubai.
Even if we lose the semifinal, we'll play the match for third place. So yeah, if we pass this round, we'll meet in Dubai in what, two months or something like that? I think so. In May, I think. Yeah, in May. Correct. So what was your main motivation to actually quit Avanti? Because I assume for some time you were hunting for bugs after hours and working at the same time, and at some point you decided to quit. What was the thing that actually motivated you?
Okay, this is the time to quit. It was right after Covid. Okay. I was already working at my previous employer for like five, six years. Yeah, it was like a natural time for me to look for something else. Okay. I had grown there, had new experiences, and I needed to make a next step, and I was always wanting to try bug bounty full time, but of course it's a scary step. So I first saved a lot of bounties to have a financial buffer. Yeah. That's important.
Yeah. And then I just tried it, and I'm still trying it actually. What do you say to people that are considering quitting their job for full-time bug bounty or are just about to quit? I think the financial part is really important, to have a buffer to be able to fail not only for a week but actually, yeah, I had a buffer. I think I could fail for six months. I could survive six months at a time.
Luckily, it's a bit bigger now, but yeah, I think that really helps for bug bounty, because otherwise you'll get frustrated, and if you need the money, in my experience, it becomes even harder to find something good. I can't even imagine having to rely on bug bounty for, let's say, next month's rent. I cannot imagine myself in this situation. I think I would be just stressed. Yeah. And in my experience that lowers your creativity as well.
So then it all becomes harder and harder actually. Yeah. Let's now jump into a little more technical topics. A year ago, or I guess now it would be closer to two years ago, you published a blog post with your top vulnerability types. The top one was XSS, the second one was IDORs, and the third one was access control bugs. Would you still put them in the same order today? I think so, yes. So XSS is your favorite bug class?
Yes. It's a blessing and a curse in that sense. Why is it a curse? Like, my last year wasn't as successful as the year before, and that's mainly because I followed my interests. I did a lot of postMessage XSS. Yeah. Which I find very interesting and also very abundant. It's everywhere. Even at this event, I found some.
The only problem is that it's often caused by third parties, because the technology of postMessages really links to the relation between third parties and the main scope, because if you're in the same origin, you don't need the postMessage. Exactly. So often these types of bugs are, partly correctly, blamed on the third party. And then you'll lose some money. So it's hard to get paid for them, is what you mean?
Yeah. When you look for these bugs, do you only look at what postMessages are being sent? Or do you also manually look at the source code to see what listeners are there as well? Yeah, both actually. I think I mentioned this before in another podcast, but I use Frans Rosén's PostMessageTracker. Yeah. And I actually made a lot of enhancements since then, also to actively alert me if some XSS sinks are already present in the listener.
Okay. So then I'll get a pop-up saying, check this out. This sounds like it's more than just a source code scan. It sounds like you're actually parsing, interpreting the functions. No, it's much more basic than that. It's really looking for whether there's a href equals in there, and then it's probably something. So it's really rudimentary in that sense. But in any of my bug hunting, I prefer false positives over false negatives.
Yeah. So I'd rather check something out and find it's nothing than the other way around. Yeah, of course. Is your version of the PostMessageTracker public or is it private? Okay, that's a shame. Yes. Have you tried other tools for postMessages? DOM Invader has something. Yes, I have tried it, and I occasionally use DOM Invader if I need to spoof an origin. Okay. Because it works out of the box for that. Yeah.
But I typically just use Chrome DevTools, set breakpoints and, if I need to, edit data on the fly. So you just write the postMessage in the JavaScript console or stuff like that? Yeah. I see. What other tools do you use apart from the PostMessageTracker? Burp, of course. I'm not that great with the command line. I use ffuf occasionally, but my attention span is too short to keep waiting for the end result.
So typically halfway through, I'm like, ah, it's probably not going to find something. Yeah. And I have some other browser tools. I guess people also know me for JavaScript bookmarklets. Let's say I do a lot of browser stuff, also building small tools to help myself within the browser. So you just write some JavaScript and put it as a bookmark to click it and do something. Yeah, I remember, I don't know who mentioned this, that they learned this trick from you.
Could be, yeah. I have one that is fairly known, that finds endpoints in JavaScript sources. Yeah. It tries to pull all the... yeah, that's the one. I don't know who mentioned it, but I saw it. I use this trick as well. I don't remember the context now, but I had some mobile browser or maybe some other device, and I wanted for some reason to execute JavaScript, but there is no JavaScript console there.
And I remember I saw this tip and I was like, oh yeah, I can do the bookmark with JavaScript. I don't remember what I was doing, but it's nice. Yeah, I really like it. I like it because it's quick. I don't need an external tool. I don't need to move away from my focus. I can just click the button and move along. Yeah. I think I generally underestimate the bookmark button. Sometimes, for example, I'm testing the overflow.
And instead of going to Repeater or copying the URL and pasting it again, I just do the bookmark and go through the flow instantly. It just feels so nice for some reason. And I only started doing it recently. I don't know why, but it's nice. So would you say you're a manual hacker? Yes, definitely. So it's just Burp, browser and some fuzzing occasionally. Yeah. I think my main Burp tools are Intruder and Repeater. And that's it. So I'm mainly a manual hacker, yeah.
Do you use any checklist? How do you call it in English? I try to do it. And then, after a while, I forget about the checklists and I'm back to gut feeling again. Yeah. So yeah, I didn't find myself so much in what you're saying. I have created a checklist, and sometimes I look at it, but it's the last thing, if I've already run out of ideas. Let's look at that checklist and make sure it's everything. But I really would like to do it more.
I feel you will identify with it as well, that I would like to fuzz more, because I do very much manual hacking and I struggle to fuzz things where I know the probability of it working is low, but if I do it often enough, the probability will probably be higher. But I'm in the sense of, okay, I want to see the motivation for the payload I'm trying. And if it's like blind, I'll just fuzz every input. I'm not doing it. And I think I should. Would you say the same?
Yes. But, like I just said, it was partly a joke and partly the truth. My attention span is not good. If I don't know if it's ever going to work, I tend to quit ahead of time. Yeah. But it is a consideration, especially since last year wasn't great. So I'm trying to move more again towards the IDORs and the access control stuff, which is also stuff that you can find in JavaScript sources, like endpoints, et cetera, that we just mentioned. Yeah.
Do you actually use some productivity tricks to help with your short attention span? No. You just power through it. Except for putting on the noise-cancelling headset with some focus music and trying. Do you still work from a co-working space? No. From home? I don't. That's changed since the last podcast. Yeah. So I had a co-working space. It was mainly also to get out of the house, meet some people, et cetera. But in reality,
there were all self-employed people on that floor, meaning that there was no one there all the time, because most of the people working there had it as a backup place. If they weren't at a customer, they would go there for a few hours and then not be there for the rest of the week. So it wasn't really worth my money, so I moved back home. Yeah. Okay. This is going to be a hard question, because I sense you're very much an intuition-based hacker,
and it's always hard to ask questions about it, but what are some things that you do? And maybe when working with younger hackers or less experienced hackers, I want to say, they do not do the things that you do, or things they struggle with that, for you, are "oh, that's easy". Cool. That's a really hard question. It is. It is really hard to ask about the intuition, and I'm trying hard. Yeah. I guess it sounds like such a cliché, but follow something that you're really interested in.
Yeah. Okay. I am often amazed by people that claim on their social media that they have a certain methodology, that they always go step by step, doing this and that. Yeah, I don't have that. I think people ask about it, but nobody who actually hacks has such a strict methodology. No, and I think some starting bug bounty hunters get blindsided by the methodology rather than getting to know the technology that they're hacking.
I think that's maybe something that can be a takeaway, yeah: get to know the technology that you're trying to hack rather than following a methodology to hack. Yeah, I must confess, I use ChatGPT all the time. And even when I worked in the office and ChatGPT didn't exist, I was asking colleagues questions all the time.
And now I have a colleague that always answers my questions happily for me, but often it's just about how does this work, the happy flow, not even trying to hack anything. I'm just interested in how things work. And then, when you have a good feeling about that, you can start thinking about, okay, how can I abuse this? Yeah, that's true. And the word methodology is also something I noticed from the creator perspective; people ask about it all the time.
And sometimes my answer is, each article or each video that I produce about how I hack, you can call it part of my methodology. So we can say I disclose part of my methodology every week when doing some piece of content, but people ask about it like it was some kind of magic process or magic checklist.
And I think they do expect it to be something crazy, but the reality is what you say: the ability to use the app properly, the ability to be in a good place, do the happy flow, have the account, have the KYC, whatever. This is the part that is actually hard, the part that sort of gets the bugs, and not some magic payloads. True. And I think the only thing that I might do that a beginner doesn't do is, like with the JavaScript bookmarklets,
if I notice, and I think that's really typical for IT people in general, but if I notice I'm doing the same thing over and over again manually, then I'll start automating stuff, like with a JavaScript bookmarklet or whatever. So I guess that helps in some cases to get to know your target, et cetera. But yeah. But sometimes we do use the more advanced tricks. I saw your tool, or maybe not a tool, the website where you've gathered all the CSP bypasses. I really like it.
It's really good. Thank you. How often do you actually... you also sometimes do some challenges with a short XSS payload, something like that. How often would you say you actually need those things, like CSP bypasses, short payloads, weird charsets, to exploit an XSS in the real world? Very rarely, actually. Yeah. The CSP bypass really came out of the frustration of not being able to find a bypass, basically.
Because that's also the thing with XSS, you often have to show impact, and you often have to find a bypass for a CSP. And I got frustrated that probably every hacker that reports XSS to a specific program has to bypass the same CSP, and probably uses the same endpoint or the same library that's hosted somewhere on a whitelisted domain. So I got a bit frustrated with that. And of course you have the Google CSP Evaluator that works great, and it has some domains somewhere in the code.
But it just tells you the domain. That's hard. Yeah, I was like, that would be a great idea to do. How did you gather all of these? For the first batch, I basically checked the Google ones. Then somebody quickly told me to open source it so people could contribute actively. So I did that, and lots of new ones came from that. And also a lot came from just GitHub regex searches, just searching for plausible JSONP endpoints. Oh, I see. Searched for Angular stuff.
So yeah. How many bypasses are there now in the tool? Do you know? I'm not a hundred percent sure, but I think over a hundred at least. That is great. Yeah, there are many more, but I try to keep the list to ones that are actually useful. One guy was really actively contributing and he contributed some great stuff, but he also once got a list of a few thousand, all WordPress blogs that had a JSONP endpoint or something.
Technically they could be used for a CSP bypass, but it was very unlikely that anyone would have them in their CSP headers. Especially as I think every WordPress website has the JSONP. Yeah, exactly. So typically, if I get a new one, I try to just do a GitHub search for the domain name. And if it's in there more than a thousand times in different repositories, then it's probably something that's, yeah. Cool. How about some
other cross-site scripting techniques like DOM clobbering? Have you ever exploited this in the wild? No, no. Interesting. Not intelligent enough to do that. But I was speaking with Johan Carlsson in the last podcast and he was like, oh, this is actually more useful than you think, and I'm like, sure, because I think it's not useful. Johan is in a league of his own. Yeah, he is crazy. No, I think the most
advanced XSS I did was prototype pollution, but also mainly from the public repository of Blackfan. He has a few gadgets, and yeah, so that's still fairly easy. Do you always look for these, for the prototype pollution? No. What happened that time that you looked for them? It was one of my failed attempts at automation. I had some automation running for a while, but, like a true amateur, I did it on my home computer. Just leave it overnight, et cetera.
It worked quite well and got some leads, and I even got some nice bounties from it. But again, the attention span; once it breaks and I have to fix it like five times, I get bored of it. Oh, so your automation found the prototype pollution? Yeah, I found some stuff. Okay, that's good. And now you don't look for it manually? No, not enough. I have a JavaScript bookmarklet for it, but I don't click on it as much. I should. Is it for putting things in the URL bar?
Yeah, basically. It just puts all of them in the URL bar and then checks in the console if it can find a polluted object, basically. Okay. And then you still have to find the gadget to make XSS out of it. How do you do it? If you have seen the prototype pollution and you need the gadget, what's the first thing you look at?
I think the same repository I just mentioned has a short script to check for these gadgets, just by looking at the imported JavaScript files and determining if it's jQuery and stuff like that. And again, I made a JavaScript bookmarklet out of it to just show me an alert, like, you can try these few. So you created the JavaScript bookmarklets from it? Yeah. Oh, nice. How many of these bookmarklets do you have? Too many. You have a full, yeah,
bar. Yeah. My home bar is full, and then two more, I guess. That's nice. I don't have a single one. I think I should. Yeah. It's really nice. I use them for all kinds of stuff, like I have one for making a quick word list of all the words that are on the present page. So once I had a Swagger doc file and I wanted to use that as a word list for fuzzing further, and I can now just click the button and I get all the words in the Swagger doc.
Wow. So useful. What are the other ones? What is the one you use the most? The endpoint one. Yeah, I think so. And it's also a public one, because the rest I assume are your private ones. Yeah, I think I will share the word list one. But yeah, that's it, because it makes the workflow very quick, because you don't have to copy something from the browser. No, exactly.
Even if you're proficient with bash or whatever tool you use, if you can do something with one click, it's just... No, and that's what I really like, because every time I share one of these bookmarklets, people comment, oh, you have a command line tool that does exactly this, and I know, and it works, but this is so much quicker and easier for me at least. Yeah. And that's going to be my resolution for 2025, to move my workload in this direction a little bit.
Yeah. Have you tried some of the client-side hacking techniques that were new, at least for me, in 2024, like cross-window hijacking? We had DoubleClickjacking, which, I think two days ago, PortSwigger published the top 10 list and DoubleClickjacking was I think number six. Have you tried this? Not really, actually. I must confess, I don't know either of them. I have some reading up to do. They are interesting. They are.
Yeah, it's something new that has impact, very creative techniques for sure. I'm yet to know how well companies respond to cross-window hijacking. I already know that companies do accept that sometimes, and they can pay really well. DoubleClickjacking, I don't think we've seen a public report that was rewarded, but we'll see. I'll look into it. Yeah. I also saw you hacking a little bit on MetaMask, on the browser extension.
Do you spend a lot of time in general on browser extensions? No, I would like to though, also because they use their own kind of postMessages to communicate. Yeah, it is crazy what happens there. And also because I'm into the crypto thingies. Of course, all of them have their own wallet in their own extension. So that's how I got into it, basically. It's not that I specifically look for browser extensions to hack. It's more of a side quest. Yeah. I think they are very interesting.
And the impact of the browser extensions is so big, because a lot of them just ask you for all the permissions on all the websites. So if you can get something there, it is really serious. I still have a lot of learning to do in that area. Yeah, you probably listened to the Critical Thinking episodes with Matan about the extensions. It is crazy what happens there.
I wasn't even aware that you have so many different contexts, this postMessaging from the page to one thing and then another postMessage. It is crazy, but especially for you, looking for a lot of XSS, it should be a very good area, because the impact is so high with these things. Yeah, definitely. Similarly, Web3, where XSS all of a sudden is so severe.
Yeah, so that's also why I'm sometimes moving towards Web3 stuff. Typically, a stored XSS in a Web3 program is a critical, plus the bounties in Web3 programs are typically higher. So yeah, from an XSS point of view, it's a good decision to do stuff in the crypto scene. Your 50k bounty, was it on one of these Web3 websites? Yes. Can you tell us what it was, or is it not disclosed? It's undisclosed.
I think people know what program it was, but I won't mention it. But it was, since you have multiple, it was an NFT marketplace. Yeah. And I had a stored XSS there that I got because I deployed a smart contract, an NFT smart contract. And what these marketplaces typically do, they'll just monitor the blockchain, and every smart contract that fits the format of an NFT, they'll just import and show
in their marketplace, basically. So I actually found a few of those bugs on different marketplaces, and all have their own kind of problems, because for one it's in a title, for another one it's in a metadata URL. Yeah. So there are some different flavors in that, but the basics are all the same: I deploy a smart contract and they fail to sanitize it or to encode it. So pretty straightforward, right? Yeah, basically.
But I guess for a lot of people, it's a really big hurdle to do a smart contract deployment, et cetera. Yeah. Half of the audience now wouldn't have an idea, like, how do you send a smart contract? Exactly. So I did do some deep dive there, but basically, deep dive is relative because it's like smart contract deployment 101. Everyone who is a blockchain developer can do this. Yeah. And it's way easier than most people think.
So you need to have a crypto wallet, and for the rest it's a few clicks and you deploy a smart contract. Congrats on that. It is a big impact. Did you also look for some Web3 server-side stuff in the smart contracts themselves? Yes, I have. But what I dislike about smart contract vulnerability hunting is that it's mostly code review. It is, which sounds to me like heaven.
Yeah, but I also do a lot of code review and I found a lot of stuff on open source projects, et cetera. But what I really like is, how would you call it, the gray box approach, where you can on the one hand click through an application, intercept stuff, et cetera, and then use the code to determine what code paths to take, et cetera. Yeah. While with smart contracts, it's only code. Really?
Is it not possible to attach a debugger if you have... Yeah, but then you can only trigger stuff by writing your own code interacting with a smart contract, basically. Yeah, I see. You won't have a UI to press buttons or whatever, and it's not that I need it, but I noticed that it's not really my cup of tea. But have you learned it, or are you at the level where you just thought about it and decided it's not for you?
I've learned some stuff, but I've never successfully found anything, no. Okay. I'm in the same boat. I had a period maybe two or three years ago when I was learning a little bit. At least then I knew about some bug classes in smart contracts, but I never spent a minute hunting for them for a reward. No, and it's hard, because in some sense they are so completely different from the bug types you are used to. Like,
if you, I don't know, lose a few cents somewhere in a smart contract, then it's considered a high or a critical, and in the real world you would be like, oh, okay, maybe they'll accept it as a low or something. Yeah. Let's go back to Web2. You said IDORs and access control bugs are still at the top of your list. Yeah. And for me, it is crazy
How does it happen that these bugs, often when they are found, they look like really simple bugs, but still people like you, people at the top, find them all the time. So how does it happen? How do you all still find all of these bugs?
I don't know. In my case, again, it really boils down to the manual hacking. So I'm not fuzzing lots of endpoints, but typically, especially nowadays with these huge JavaScript client side frameworks, basically all the endpoints are in there. Also the admin endpoints are in there, because the admin probably uses the same UI as you do, but with different accounts; all the stuff is typically in there. That's how I find that stuff.
And where I actually did start to do some fuzzing recently is GraphQL endpoints, especially the ones that don't have introspection but will say "did you mean...". If you put something in there, they will give you a response with a suggestion that is correct: did you mean this? Yes, I did mean this. And then you can start enumerating all the stuff by yourself. So I did find some stuff like that. I also think you have some tools for it, but I made my own scripts for it.
But yeah, is it a JavaScript book? No. Yeah, I was about to ask you if you use a tool for this, but no, I did. Did you try Clairvoyance? Yeah, that's it. Yeah. It didn't work for me, for some reason, so yeah, I built my own. Okay. So what's your workflow with GraphQL? You see the GraphQL endpoint, you see there's no introspection, you run the tool, and then you manually go from there? Yes. Yeah. And then I'll just... so I'll try to have a tool to
resemble the typical GraphQL introspection schema that you would get. Yeah. It's not complete, but it does highlight some keywords that are potentially interesting. So I'll try to manually reconstruct a query that uses those keywords. Okay. And go from there. Do you just send it from Burp Repeater? Yes. Okay. And do you switch, 'cause there are two or three GraphQL extensions? Which one do you use? I don't remember, I don't use them. You don't use them?
No. I think Burp has their own GraphQL tab nowadays. Okay. So I use that. Okay. Yeah. Yeah, maybe. Yeah. I know there's InQL, there's GraphQL Explorer, a few of them, but maybe they actually... I'm using the, just the GraphQL tab. Whatever. Yeah. If it's just in the Repeater tab, I think it's Burp's own. Okay. Okay. Nice. About the endpoints, 'cause the problem that I always encounter when I find endpoints, I will send them to Intruder.
And then, sometimes it's easy 'cause you have a validation error, like "we need the user parameter in this endpoint", but sometimes you just get the generic 502, 500, 400. And how do you, first of all, how do you prioritize? Because I imagine you will often have, I don't know, 100, 200 endpoints. How do you prioritize which endpoints to focus on, and then how do you construct the request?
Focus is really based on just what seems juicy. Like, I'll just scroll through the list and if it's a reset password or whatever, something admin-y, then I'll prioritize those. And I either do what you just said, I hope that it will return something like "you missed this parameter", et cetera, et cetera.
That's the easy approach. Yeah. Another thing that I often do is, with these client side applications, you can often trick just the front end into thinking you are an admin while you're not an admin on the back end, but it will show you the UI. For example, sometimes it's as easy as changing some JavaScript in the response that says isAdmin: false, and then you change it to true and suddenly you get the UI for an admin. Yeah. But what's really... so sorry to interrupt.
Would you make this change in match and replace rules? Yes. Typically, yeah. And other types that you'll see sometimes: if you use an endpoint and it gives you a 401, then the JavaScript has some parts that will redirect you to the logout page or something like that. Yeah. Then I'll just remove it completely and I'll load it like that. The part of the JavaScript. Yeah. The part of the redirection.
Yeah. So you don't get to the logout screen anymore. Yeah. That's cool. And what that really allows you to do is just click stuff that an admin would click, and then you don't need to deminify or reconstruct the whole JavaScript, et cetera, but it will just send a request through your Repeater or through your Burp.
And then you don't have to think about basically reconstructing the endpoints and the parameters, etc. Do you also, because I know Justin was saying about turning on some feature flags and having success with this, which is like what you said about the admin panel, but in a little bit different context. Yeah. Have you also had success with this approach? Yes. Actually, yeah, I think one fun finding I had once was exactly that.
I think it had defined some user roles and I had the role "user". And I just replaced it with the role "admin" and it showed the admin UI, and basically nothing worked, except for the password reset UI, which was pre-filled with my own email address, but I could enter any email address and it would show the password reset screen. So nice. Yeah, that was really nice.
Yeah. How do you usually, like the feature flags, if they are in one request, it's easy. But sometimes I think it's a little bit more hidden, maybe in the JavaScript. Do you sometimes get as deep as to find these feature flags? Personally, I've never spent time on finding the feature flags or whatever. Yeah, I'm typically pretty deep into the JavaScript stuff.
Yeah. Okay. Sometimes even too deep, so that I get blindsided by, for example, if a backend request just returns the feature flags, it's much easier to replace them there than to spend time in the JavaScript. But yeah. What other things are... 'cause yeah, we know you look for the postMessage listeners. We know you look for feature flags. What are the other sort of most important things you look for in JavaScript? Because sometimes it's so much code, it's just hard to focus somewhere.
Yeah. So like roles, permission roles is always interesting, feature flags, endpoints. And typically I think that's about it. Typically if you have a juicy endpoint, then you try to dive into that JavaScript and see what's happening around it, et cetera. But yeah, I think that's mostly it, actually. And I guess it makes sense. It's stuff that you won't have access to normally. Yeah. It is.
It's just, yeah, these things. Analyzing JavaScript is also something I would really like to ask you a smart question about, but I know it's just impossible. You just know how to do it and you know what to focus on. But it's just called experience. There's no question to ask about it. Yeah. Yeah. Especially with the postMessages, I came to a point where I would just recognize the library based on the structure of the minified JavaScript.
Oh. Like, it was minified in a different way, but I was like, oh, that's the same. No, not interesting. Not interesting. Yeah. Yeah. But yeah, it's mostly experience. Yeah. Yeah. And experience with the Chrome debugging tools is also really handy. Yeah, it's really helpful. Knowing where to set breakpoints and editing stuff on the fly is really useful for getting to know the JavaScript.
Yeah. Do you use the... 'cause when you set the breakpoint, you can have the breakpoint, logpoint and conditional breakpoints. Do you use all three of them regularly or is it mostly typical breakpoints? Yeah, basically it works. Yeah. Yeah. Dev tools are very powerful. At some point I was not aware of how many features there are in dev tools. Yeah. It's super, super helpful, apart from discovering endpoints. Okay. One question about this.
So IDORs and access control bugs. What are your definitions of these two bug classes? Because for me, they are... Yeah, they're the same. I guess access control in this sense is an endpoint that you have access to that you shouldn't have access to, without an identifier. Yeah. That's the only difference in my mind. But the sort of methodology is similar. Find an endpoint that you shouldn't be able to use, and... Yeah. Okay. Definitely.
Do you think that accessing these endpoints from JavaScript is the only thing that makes you find the access control bugs and IDORs which other people don't find, or do you think there's something else that you also do that could be the reason? Not sure. Not sure, honestly. No, I don't know. Yeah, for me, it's crazy.
I don't have the... you say you have a short attention span, but for these bugs, from my perspective, you do, maybe not attention span, but you need a lot of persistence to go through all of them. Yeah, that's true. For me, I check two or three, and I'll have a look for... Yeah. And I guess that's also tied to what you're interested in, because I have that, my attention span is short with five tools and such.
Yeah. But for this, if I'm locked in, yeah, I'll forget to eat and drink and such. So yeah. Good. Awesome. I also read you run something called Hacker Hideout. Can you tell us what this is? It's a bit stale at the moment, but me and Stefan, we have a small Discord community with a bunch of hackers that we know, or that we get to know, and we try to organize regular meetups.
So we had one last year, in May, in Utrecht in the Netherlands. People came from all over Europe, people from Poland, people from France. And we did some hacking actually, where we arranged some private invites for the afternoon. We did some hacking, ate some pizza, had a few drinks, and basically that was it. Yeah. And it originated basically out of a need for doing these live hacking events. Yeah, exactly. But having the control to do what you want to do, basically.
And people don't need to hack when they come, but we like to offer them the opportunity to hack. Yeah, it's basically just a fun side project where we get to do fun events that we like. Yeah. Are you planning something for this year as well? Yes, I'm actually planning. We're going to make a plan next weekend. Okay. Hopefully soon. Any idea of the location or dates? Probably the Netherlands again. Okay. But nothing is decided yet. Okay. I hope I get an invitation for it.
I've never been there and it would be cool. Cool, cool. A reason to go there. I'll be sure to invite you. And also for me, especially from the interview on the Critical Thinking podcast, I sense you also struggle with hacking, which is very... you do it alone and you don't talk to anyone. Yeah. And for me as well, I am a team player. I like to talk with people. That's why I like this tournament as well.
And yeah, so you surprised me with the thing that you're no longer in the coworking. But yeah, for me, the sort of shock of connecting bug bounty, which is very much you go alone, with the social aspects or the team competitions here. I do really love it. Yeah. Yeah. The origin of the Hacker Hideout idea was in fact a bit broader, because I was struggling with it. So my first idea actually was to have a flex working space targeted towards bug bounty hunters or hackers or IT persons.
And then I was looking into the logistics of it and looking into what bug bounty hunters from the Netherlands would be interested in an office space in Utrecht. I could count like 10 bug bounty hunters from the Netherlands, who were all over the Netherlands. Probably not the best idea. Yeah, this is very, very niche. Cool. We're heading to the end of the interview because we have the show and tell soon. Yeah. But can you please tell me what are your goals for 2025, bug bounty wise?
Focus more on backend stuff. Okay. Are you planning to learn web3 a little bit or have you completely let go of the idea? No, I'm actually... I don't know if I can disclose the targets for this round, but I actually looked into blockchain node code more. Yeah, I think the customers are public. Okay, so I did that this round. Yeah. Wasn't really successful, but it did spark some interest to maybe do that on all the targets as well.
Also, re-read some blogs about other people finding stuff by that approach. So that's something I'm actually interested in. And the funny part is that it's actually not specifically web3, but it does, of course, have impact on these web3 programs. So that's something I aim to do more. Yeah. Yeah. Awesome. Good luck with this. Thank you very much. Good luck in this round. I hope Netherlands and Poland will advance to the next round and we'll meet in Dubai.
Thank you so much for the interview. Thanks for having me. If you enjoyed this episode, also check out the one with Johan Carlsson. That's on your screen right now and also linked in the description. For now, thank you so much for listening, and goodbye.
