Small Winds - No. 07
- Orel Gispan

- Apr 7, 2025
- 3 min read
Updated: Mar 8
A personal mini blog about infosec and life
It's been a while since I posted. Here's what I've been up to.
Thoughts and Experiences
My bug bounty plans have changed. Inspired by Ciarán, I made myself a challenge (60 hours challenge). I chose a target site and I'll see how things progress. My expectations are not very high because the scope of the program is quite small, but let's see how it goes! Oh, and actually this mini blog series is also inspired by his blog.
I'm already 5 hours in and mainly used it to set up automations for this website. Specifically, monitoring changes in JS files. I'm not done with it and wonder if it's worth my time, since the JS files are very obfuscated, large (1-2 MB), and the obfuscation changes about every day. One thing I could do is to monitor for changes, prettify the files, check for new or removed lines (while ignoring lines that were modified, as it modifies the obfuscated variable names - I take into account the possibility of missing stuff), and keep only the new lines.
This program isn't new to me and there are things I've already done. So here are the recent highlights, including other stuff.
Organized and gathered my notes and leads. I exported the relevant things from Burp Suite to Caido.
I found a bug in my target site that exposes PII, but it was a duplicate.
I started using Caido. Although it lacks some of the features Burp Suite provides, it has other nice features, like workflows, findings, files and other interesting sections. They make it better frequently. I also really like the UI and the fact that it works very fast. I'm really afraid it would be emotionally hard for me to get back to Burp Suite if I have to.
I tested a certain feature in a website I use, for personal reasons, and it led to a bug. I reported it and it was considered informative. This will probably be my next target site for my next challenge, after I finish this one.
Critical Thinking had another hackalong event which was fun and beneficial. I continued testing this target with the leads I gathered during the event.
Critical Thinking also had a bug escalation event where people shared some unbaked bugs and we tried to exploit them together. It was funny and informative.
There's a certain mobile app I use on a daily basis, and it motivated me to do some Android mobile hacking, so in my spare time I focus on this. I think this is one of the reasons I commonly encounter the advice of doing bug bounty on apps you already use, or apps that interest you. Personally, I have more motivation there.
A while ago, I spent a lot of time doing threat modeling on the application I test, organizing everything and reading the documentation. Although it took a lot of time, it was beneficial and important. It made me understand the application much better and the testing much more efficient. Specifically, reading the documentation resulted in the discovery of new attack surfaces and ideas and also valid coupon/invitation codes, email addresses and usernames I can use for testing. It was kind of funny that they accidentally exposed an invitation link in a video when hovering over a link.
I used gau for the target site, and it revealed a lot of useful URLs - some of them contain credentials and even valid coupons or invitation links. This is a very powerful tool.
Found a bug in BMW that got accepted: https://app.intigriti.com/profile/orelg
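As an added illustration of the JS-monitoring idea above (example code written for this post, not the author's own tooling): rather than dropping every modified line, it first neutralises the short identifiers that minifiers rotate between builds, so a line that only changed because `a` became `q` is ignored, while genuinely new or removed lines (new endpoints, new string literals) still surface. The two JS snapshots are constructed samples; the one-to-two-character identifier rule is an assumption about the obfuscator.

```python
import re
from typing import Set, Tuple

# Constructed sample: two prettified snapshots of the same obfuscated bundle.
# Between them the minifier renamed a->q, b->w, c->e and one new call was added.
OLD_JS = """\
function a(b) {
  return fetch("/api/v1/profile", { credentials: "include" });
}
var c = a(1);
"""
NEW_JS = """\
function q(w) {
  return fetch("/api/v1/profile", { credentials: "include" });
}
var e = q(1);
var f = fetch("/api/v1/export", { method: "POST" });
"""

# Assumption: names of one or two characters are obfuscator output and get
# replaced by "_" before comparison; longer names and all string literals
# (URLs, keys, messages) are kept verbatim because those are what we track.
_SHORT_IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]?\b")
_STRING = re.compile(r'"[^"]*"' + r"|'[^']*'")

def normalize_line(line: str) -> str:
    """Strip whitespace and neutralise short identifiers outside string literals."""
    parts = []
    pos = 0
    for m in _STRING.finditer(line):
        parts.append(_SHORT_IDENT.sub("_", line[pos:m.start()]))
        parts.append(m.group(0))            # string literal kept as-is
        pos = m.end()
    parts.append(_SHORT_IDENT.sub("_", line[pos:]))
    return "".join(parts).strip()

def diff_snapshots(old: str, new: str) -> Tuple[Set[str], Set[str]]:
    """Return (added, removed) original lines, keyed by their normalized form,
    so lines that differ only by rotated obfuscated names are not reported."""
    old_map = {normalize_line(l): l.strip() for l in old.splitlines() if l.strip()}
    new_map = {normalize_line(l): l.strip() for l in new.splitlines() if l.strip()}
    added = {new_map[k] for k in new_map.keys() - old_map.keys()}
    removed = {old_map[k] for k in old_map.keys() - new_map.keys()}
    return added, removed

if __name__ == "__main__":
    added, removed = diff_snapshots(OLD_JS, NEW_JS)
    print("new lines:", added)
    print("removed lines:", removed)
```

Only the new `/api/v1/export` call is reported; the three renamed lines are treated as unchanged.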
Interesting Resources:
https://regexper.com/ - website that shows regex using a diagram.
https://portswigger.net/research/top-10-web-hacking-techniques-of-2024-nominations-open - all the 2024 nominations for the top 10 web hacking techniques.
https://medium.com/@illoyscizceneghposter/exposed-credentials-guide-not-just-in-client-javascripts-101-case-studies-131b765e07a2 - niche areas for exposed credentials.
https://medium.com/@maxpasqua/type-confusion-dos-in-fb4a-747837d3a8e3 - Type Confusion in Facebook.