MonkeHacks #02

100-Hour Challenge Updates

Here are this week’s statistics:

⌛️ Hours This Week: 6
⏳️ Hours Left: 83
🗞️ Total Reports (All-Time): 1
✅ Total Triages (All-Time): 1
✨ New Triages (This Week): 0
💸 Bounties: $500

A slow week. I dug into some of the more complex features, and spent most of the time reading about them. My first finding is now in Resolved state. I’ll disclose it at the end of this challenge. No new bugs this week, sadly.

Bug Bounty Updates

  • I found an IDOR with Jayesh25 (again). Hackers need to be consistent to be successful and Jayesh is one of the most consistent hackers I know.

  • I read about WebSockets on HackTricks. I tested a few attacks too, but I was blocked by origin validation on my target. I wonder if WebSockets are susceptible to frame smuggling attacks? Is it the same type of connection?

  • I made a plan to visit my good friend Mikey96 next week in Scotland to do some hacking in-person.

  • I fixed some bugs in my recon automation.

  • I’ve been testing a lot of secondary context path traversals. While I’m finding the behaviour a lot, it’s not often exploitable. Often, the backend proxy limits the scope of the traversal to the user’s own session, so it’s impossible to retrieve the data of other users. If I keep trying, I’ll get a neat bug out of this stuff soon.
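
The origin validation mentioned in the WebSockets bullet is what separates a cross-site WebSocket hijacking (CSWSH) attempt from a dead end. The following is an added example, not code from this post or from any target it describes: a strict Origin check on the upgrade request next to the loose substring check that an attacker-controlled origin slips past. The allowlist, the header values and the `handshake_decision` helper are all constructed for the demo.

```python
"""Added example (not from the MonkeHacks post): strict vs. loose WebSocket
Origin validation on the HTTP upgrade request."""
from typing import Callable, Optional
from urllib.parse import urlsplit

# Assumed allowlist for the demo. An Origin is exactly scheme://host[:port],
# so the entries never carry a path.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com:8443"}


def origin_allowed_weak(origin: Optional[str]) -> bool:
    """The loose check: 'does our domain appear somewhere in the header?'.

    Passes https://app.example.com.attacker.net and https://attacker.net/?x=example.com,
    which is exactly what a CSWSH page on another origin needs.
    """
    return origin is not None and "example.com" in origin


def origin_allowed_strict(origin: Optional[str]) -> bool:
    """Exact match against the allowlist.

    The browser sets Origin on the handshake and page script cannot forge it,
    so an exact match is what stops another site from opening an authenticated
    socket with the victim's cookies.
    """
    if origin is None or origin == "null":
        # No header: a non-browser client. 'null': sandboxed iframe, file:// page,
        # or a redirect chain. Neither is a page we trust; reject both.
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc:
        return False
    # A well-formed Origin has no path, query, fragment or userinfo.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return False
    return f"{parts.scheme}://{parts.netloc.lower()}" in ALLOWED_ORIGINS


def handshake_decision(headers: dict, checker: Callable[[Optional[str]], bool]) -> int:
    """HTTP status the server should answer the upgrade request with."""
    return 101 if checker(headers.get("Origin")) else 403


if __name__ == "__main__":
    # Constructed handshake headers: a legitimate page and an attacker's page,
    # both carrying the victim's session cookie because the browser attaches it.
    good = {"Origin": "https://app.example.com", "Cookie": "session=abc"}
    evil = {"Origin": "https://app.example.com.attacker.net", "Cookie": "session=abc"}
    for name, hdrs in (("good", good), ("evil", evil)):
        print(name, "weak:", handshake_decision(hdrs, origin_allowed_weak),
              "strict:", handshake_decision(hdrs, origin_allowed_strict))
```

When probing a target, the interesting cases are the ones the weak check accepts: a registered domain as a suffix of the attacker's host, the domain inside the path or query, a scheme downgrade, and the literal `null` origin. If the handshake still returns 101 for any of those, origin validation is not doing its job.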
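
To make the secondary context path traversal bullet concrete, here is an added example that is not code from this post or from any target it describes. A toy API gateway builds an internal URL from a client-controlled segment, so `..%2F` moves the request to a different internal route (the behaviour the bullet says is easy to find). Two versions of the internal service then show why that is only a bug when the service trusts the user id in the path, and why it stays within the caller's own data when the service takes the user from the forwarded session instead. Hostnames, routes, the decode-once-then-normalize behaviour of the gateway, and all records are assumptions constructed for the demo.

```python
"""Added example (not from the MonkeHacks post): secondary context path
traversal through a gateway, with a path-trusting and a session-scoped backend."""
import posixpath
from urllib.parse import unquote

# Constructed data held by the pretend internal users service.
RECORDS = {
    "42": {"items": {"doc1": "alice-doc"}, "export": "alice-full-export"},
    "99": {"items": {"doc9": "bob-doc"}, "export": "bob-full-export"},
}


def normalize(path: str) -> str:
    """Decode once and collapse '..' segments, as most HTTP clients and frameworks do."""
    p = posixpath.normpath(unquote(path))
    return p if p.startswith("/") else "/" + p


def gateway_path(session_user: str, item: str) -> str:
    """The gateway pins the session user into the path, then appends the client segment."""
    return normalize(f"/internal/users/{session_user}/items/{item}")


def escapes_scope(session_user: str, item: str) -> bool:
    """The check the gateway should make before forwarding: did the client
    segment move the request out of the one subtree it is allowed to reach?"""
    expected_prefix = f"/internal/users/{session_user}/items/"
    return not gateway_path(session_user, item).startswith(expected_prefix)


def _route(path: str):
    """Split /internal/users/<uid>/<resource>[/<name>] into its parts."""
    parts = path.strip("/").split("/")
    if len(parts) < 4 or parts[:2] != ["internal", "users"]:
        return None
    return parts[2], parts[3], parts[4:]


def _lookup(uid: str, resource: str, rest: list):
    value = RECORDS.get(uid, {}).get(resource)
    if isinstance(value, dict):
        value = value.get(rest[0]) if rest else None
    return value


def internal_trusts_path(path: str, forwarded_user: str):
    """Internal service that trusts the user id in the path: traversal reaches other users."""
    r = _route(path)
    if r is None:
        return None
    uid, resource, rest = r
    return _lookup(uid, resource, rest)


def internal_scoped_to_session(path: str, forwarded_user: str):
    """Internal service that ignores the path's user id and serves only the
    forwarded session user: traversal reaches other routes, but only the
    caller's own data."""
    r = _route(path)
    if r is None:
        return None
    _, resource, rest = r
    return _lookup(forwarded_user, resource, rest)


if __name__ == "__main__":
    for item in ("doc1", "..%2Fexport", "..%2F..%2F99%2Fexport"):
        path = gateway_path("42", item)
        print(f"{item!r:28} -> {path:32} escapes={escapes_scope('42', item)} "
              f"trusts_path={internal_trusts_path(path, '42')!r} "
              f"scoped={internal_scoped_to_session(path, '42')!r}")
```

The traversal is real in both cases: `..%2Fexport` reaches an internal route the gateway never exposed, which is the signal worth hunting for. Against the session-scoped backend it only ever returns the caller's own records, which matches the frustration in the bullet above; the impact comes when the backend resolves the user from the path, as in `internal_trusts_path`.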

Weekly Ideas / Notes 

  • ChatGPT Voice on the mobile apps is a brilliant way to practice speaking languages. This overcomes the biggest obstacle of learning a language - having a practice partner.

  • SQL injections often have blacklists for certain characters. pmnh, a friend of mine and a very experienced hacker, just launched SQLi Dojo (linked in Resources). This training ground allows you to test different blacklists and SQLi scenarios. Highly recommended.

  • Caido has launched Passive Workflows. It’s still too basic for most use-cases but it’s a huge step towards a good plugin system. You can still use it in its current state to change the colour of HTTP requests that meet certain conditions - for example, if the cache hit response header exists.

  • When you open an HTTP proxy like Burp Suite or Caido, are you overwhelmed? Is the volume of requests too much? There are two solutions to this problem. The first solution is to use Caido’s “No Styling” and “No Images” custom presets, in the Advanced section of HTTP History, to filter out the useless traffic. The second solution, to be combined with the first, is to proxy everything. There was a video from Stok at some point (I forget which one) that stated (paraphrasing) “proxy everything you do daily and stare at the requests until your eyes bleed”. Your brain excels at pattern recognition, so you need to define what a “normal” request is in your brain first. Then you can start looking for the weirdness that leads to bugs. But having this “normal request” context first is essential.
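
On the SQL injection note above: a character blacklist is a filter on the input, not on the query, so it only covers the contexts whose syntax needs the blacklisted characters. The following is an added example, not code from this post or from SQLi Dojo: a typical blacklist in front of a query that concatenates a numeric id, beside the parameterized version that makes the blacklist unnecessary. The table, rows and blacklist tokens are constructed for the demo in an in-memory SQLite database.

```python
"""Added example (not from the MonkeHacks post): why a character blacklist
does not stop injection in a numeric context, and what does."""
import sqlite3

# A typical blacklist: quotes, comment markers and the statement separator.
BLACKLIST = ("'", '"', "--", ";", "/*", "*/")


def passes_blacklist(value: str) -> bool:
    """True when none of the blacklisted tokens appear in the input."""
    return not any(token in value for token in BLACKLIST)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two invoices for owner 7, one for owner 8."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER, owner INTEGER, total INTEGER)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(1, 7, 100), (2, 7, 250), (3, 8, 999)])
    return conn


def invoice_blacklisted_concat(conn: sqlite3.Connection, owner: int, invoice_id: str):
    """Blacklist plus string concatenation: the 'protected' but still injectable version.

    The id is numeric, so an injection needs no quote or comment marker:
    '1 OR 1=1' passes the blacklist and turns the WHERE clause into
    (owner = 7 AND id = 1) OR 1=1, which returns every owner's rows.
    """
    if not passes_blacklist(invoice_id):
        raise ValueError("blocked by blacklist")
    sql = f"SELECT id, total FROM invoices WHERE owner = {owner} AND id = {invoice_id}"
    return conn.execute(sql).fetchall()


def invoice_parameterized(conn: sqlite3.Connection, owner: int, invoice_id: str):
    """Type the input and bind it; the database never sees it as SQL."""
    try:
        iid = int(invoice_id)
    except ValueError:
        raise ValueError("invoice id must be an integer") from None
    return conn.execute("SELECT id, total FROM invoices WHERE owner = ? AND id = ?",
                        (owner, iid)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"
    print("blacklist passes:", passes_blacklist(payload))
    print("concat result   :", invoice_blacklisted_concat(db, 7, payload))
    try:
        invoice_parameterized(db, 7, payload)
    except ValueError as exc:
        print("parameterized   :", exc)
```

The blacklist does its job against `1' OR '1'='1`, but the numeric context never needed a quote in the first place. That is the kind of scenario a blacklist playground lets you rehearse: work out which context you are in, then which of the blacklisted tokens that context actually requires.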

Resources