Critical Thinking - Bug Bounty Podcast
Episode 65: Motivation and Methodology with Sam Curry (Zlz)
Episode guests
Podcast summary created with Snipd AI
Quick takeaways
- Ethical considerations in hacking and bug bounty hunting are crucial for success.
- Balancing financial stability, personal interests, and mental well-being is a constant process.
- Discovering vulnerabilities in well-known companies like Tesla and Starbucks requires innovative manipulation techniques.
- Exploiting directory traversal techniques and unconventional character sequences can lead to successful hacking.
- Maintaining alignment between work passion, challenges, and positive feedback loops sustains motivation.
- Secondary context bugs like path traversal vulnerabilities can be leveraged for unauthorized access to backend resources.
Deep dives
Transitioning Between Jobs and Focus
Initially, the speaker started working in bug bounty full time, driven by the financial benefits and passion for hacking. After recognizing the need for more stability, the speaker transitioned to a security consultancy role, seeking a consistent income. Subsequently, realizing the desire for more growth and impact, the speaker moved back to full-time bug bounty, focusing on targets aligned with personal interests and community engagement.
Challenges of Full-Time Bug Bounty
During the full-time bug bounty phase, the speaker faced challenges related to sustainability and burnout. The routine nature of the work, financial pressures, and the constant pursuit of success added to the stress. While goal-oriented hacking provided motivation, the pressure to consistently perform and earn income sometimes led to feelings of stress and stagnation.
Dealing with Burnout
Over a year and a half ago, the speaker experienced a significant burnout period, feeling removed from bug bounty and lacking metrics for success or happiness. This challenging time led to feelings of stagnation and dissatisfaction. Transitioning to starting a consultancy brought new challenges and growth opportunities, leading to a different focus on web security audits for crypto grants and exchanges.
Career Transition and Feedback Loop
The transition to a consultancy role involved building a business with a small team, focusing on web security audits for crypto entities. As the company grew, the speaker and the team dealt with fluctuations in work volume and shifted to being acquired by a client, leading to a shift in the feedback loop and work dynamics. The lack of positive feedback and the shift in work focus contributed to feelings of dissatisfaction.
Finding Balance and Satisfaction
Throughout the professional journey, the speaker faced challenges related to financial stability, burnout, and transitioning between different roles. Finding a balance between personal interests, financial goals, and mental well-being has been an ongoing process. The experiences highlighted the importance of aligning work with passion, seeking meaningful challenges, and maintaining a positive feedback loop to sustain motivation and satisfaction.
Identifying Secondary Context Path Traversal in Vercel
In a Vercel application, the discovery of a secondary context path traversal vulnerability revealed a manipulation technique where appending characters like ABC to an integer in a URL query parameter caused a parsing function to retrieve the numeric part only. By leveraging this flaw, unauthorized access to backend resources was achieved by manipulating the requested integer value to access user-specific content.
Exploiting Vehicle ID in Tesla's Authorization Logic
A vulnerability in Tesla's API authentication process involved manipulation of the vehicle ID and time values passed in a JWT token. By appending characters to the end of the vehicle ID before parsing, the logic check decoded the altered integer, leading to unauthorized access to the victim's vehicle data through a reverse engineered request.
Reverse Engineering ID Parameters in Payment Processing
A flaw in a gaming platform's payment processing system allowed for changing payment values post-authorization. By manipulating the integer parsing behavior, a decimal value in the URL and a different value in the post body led to checkout anomalies allowing items to be purchased at significantly reduced prices.
Technique for Parameter Confusion in Application Logic
By intentionally altering request parameters through a request that could access both query string and post body data, vulnerabilities in endpoint authorization checks were exploited. Leveraging inconsistencies in how data was accessed and validated in different request types allowed for bypassing controls.
Utilizing Client-Side Path Reversal for Administrative Access
Utilizing client-side path reversal, an attacker manipulated requests by injecting parameters into the query string to evade application logic designed to add admin users to an organization. Exploiting the flexibility of modern web frameworks handling parameters, parameter confusion was leveraged to impact application-level permissions.
Endpoint Fuzzing for Backend APIs in Starbucks Patch Reversal
Fuzzing endpoints for backend APIs, especially in the context of Starbucks patch reversal, revealed the unique traversal sequence needed for successful exploitation. Unconventional traversal patterns, with careful spacing like backslash dot dot backslash dot backslash, stood out as effective techniques for bypassing security measures.
Exploring Directory Traversal with Different Methodologies
Various methodologies, highlighted by the work of Andre, focus on directory traversal techniques using different character sequences like dot dot percent zero zero to ff slash. Experimenting with diverse hex codes and uncommon characters such as tabs or percent zero nine can lead to successful directory traversal, aiding in understanding and exploiting potential vulnerabilities.
Next.js Security Vulnerabilities and Exploitation Techniques
Discovering security vulnerabilities in Next.js applications, particularly in image optimization functionalities and open redirect issues, provided opportunities for exploitation. By manipulating URL structures and leveraging developer oversight, attackers can potentially access unauthorized accounts, evade security measures, and manipulate responses to gain sensitive information or unauthorized access.
Episode 65: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with Sam Curry to discuss the ethical considerations and effectiveness of hacking, the importance of good intent, and the enjoyment Sam derives from pushing the boundaries to find bugs. He shares stories of his experiences, including hacking Tesla, online casinos,Starbucks, his own is ISP router, and even getting detained at the airport.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Project Discovery Conference: https://nux.gg/hss24
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Guest:
Resources:
Don’t Force Yourself to Become a Bug Bounty Hunter
Timestamps:
(00:00:00) Introduction
(00:02:25) Hacking Journey and the limits of Ethical Hacking
(00:28:28) Selecting companies to hack
(00:33:22) Fostering passion vs. Forcing performance
(00:54:06) Collaboration and Hackcompute
(01:00:40) The Efficacy of Bug Bounty
(01:09:20) Secondary Context Bugs
(01:25:01) Mindmaps, note-taking, and Intuition.
(01:46:56) Back-end traversals and Unicode
(01:56:16) Hacking ISP
(02:06:58) Next.js and Crypto
(02:22:24) Dev vs. Prod JWT
Remember Everything You Learn from Podcasts
