Critical Thinking - Bug Bounty Podcast

Episode 112: Interview with Ciarán Cotter (MonkeHack) - Critical Lab Researcher and Full-time Hunter

Feb 27, 2025
Ciarán Cotter, known as MonkeHack, is a dedicated bug bounty hunter and Critical Lab Researcher. He shares his insights on navigating complex vulnerabilities, particularly in WebSockets and Angular applications, revealing advanced exploitation techniques. The conversation touches on the rise of AI-related threats like prompt injection and the use of AI tools to enhance hacking strategies. Ciarán also emphasizes the importance of community collaboration in cybersecurity, making it a captivating dive into the ever-evolving world of ethical hacking.
ANECDOTE

Complex Client-Side Account Takeover

  • Ciarán Cotter shared a complex account takeover bug involving an XSS in a chat widget on a page with multiple iframes.
  • He detailed leveraging postMessage, frame hopping, and OAuth state fixation to leak OAuth codes and exploit the bug chain.
ANECDOTE

Unusual Client-Side Template Injection Bug

  • Ciarán discovered an unauthenticated client-side template injection that allowed account takeover by manipulating iframes and purging the DOM to bypass redirects.
  • He used frame-ancestors whitelisting and postMessage listeners to exfiltrate credentials across distinct but related domains.
ANECDOTE

Server-Side Classpath Enumeration Bug

  • Ciarán found a server-side information disclosure bug during a 100-hour challenge involving Spring's classpath resource loading.
  • By analyzing error messages, he could infer the existence of files inside Java jars, but he could not execute code or exploit the bug beyond enumeration.