Episode 50: Mathias "Fall in a well" Karlsson - Bug Bounty Prophet
Dec 21, 2023
Hacking master Mathias Karlsson discusses burnout, collaboration, and specialization in bug bounty. They dive into technical details of MXSS and XSLT, character encoding, and predict the future of bug bounty. They also talk about the importance of finding insecure defaults, the beauty of simple code, and the benefits of sharing research. The evolution of bug bounty programs and the rise of bug bounty budgets are explored. Techniques for bypassing Web Application Firewalls and the importance of persistence in bug bounty programs are discussed.
Bug bounty programs may face more competition and require program marketing to attract talented hackers.
Legislative measures could pose risks to the bug bounty industry.
Full-time bug bounty hunting can lead to burnout, so finding a balance is important.
Manual testing and talent remain crucial in bug bounty hunting despite advancements in automation.
Mathias Karlsson focuses on finding high-level vulnerabilities, including confusion and code injection issues.
Deep dives
Bug bounty industry expected to continue growing with increased competition
Bug bounty programs are likely to see more competition as the industry continues to grow. This can result in higher average bounty amounts and a greater emphasis on program marketing to attract talented hackers.
Possible legislative risks
There is a potential risk of legislative measures that could impact the bug bounty industry. Examples include restrictions on exporting cyber weapons or regulations that may affect the ability to hack on certain entities.
Challenges with full-time bug bounty
Full-time bug bounty hunting can pose challenges such as lack of structure and potential burnout. Maintaining a balance between bug bounty hunting and other employment opportunities can help prevent these challenges.
Predictions for the future
Bug bounty hunting may see a continued rise as more programs seek out talented hackers. However, potential risks, such as legislative measures, could impact the industry. The importance of talent and manual testing is likely to remain crucial, despite advancements in automation and AI technologies.
Main focus: High-level vulnerabilities
Mathias focuses on finding high-level vulnerabilities in bug bounties. He starts by understanding what the organization values and what it is protecting, and then identifies the vulnerabilities in that context. Among his favorite vulnerability types to find are confusion and code injection issues, including reverse proxy bugs and traversal vulnerabilities.
Secondary context bugs and tips
Mathias enjoys exploring secondary context bugs, which involve traversing through hidden paths or exploiting uncommon character encoding behaviors in server-side HTML parsers or browser rendering engines. He suggests fuzzing different fragments, such as the question mark, and using verbose errors to determine the right injection points. Mathias also recommends exploring potential vulnerabilities by throwing Hail Mary requests or looking for SSRF by altering paths and analyzing logs.
Cheating with server-side rules
In some scenarios, Mathias suggests trying to bypass backend routing rules and reach different areas of the application by altering the path or tricking the server-side firewall. For example, he mentions exploiting bad rules by manipulating static paths or altering path segments to reuse certain backend functionality. This approach can help identify vulnerabilities that are not directly reachable from the front-end.
Exploring the Complexity of GraphQL Queries and Subscriptions
GraphQL queries and mutations are relatively straightforward, resembling REST APIs with some additional features like input arguments and improved payload flexibility. However, the real complexity lies in working with GraphQL subscriptions. Subscriptions offer the ability to perform asynchronous queries or mutations, leveraging websockets or multipart mixed requests. With subscriptions, you can establish an open socket and receive updates whenever specific data is added or modified. This introduces a new level of interactivity and real-time data retrieval within the GraphQL framework.
Uncovering the Power of Multipart Mixed Requests in GraphQL
One intriguing aspect of GraphQL subscriptions is the use of multipart mixed requests, which allow for streaming data over time within a single HTTP response. This functionality resembles WebSockets but operates within the HTTP protocol. Multipart mixed requests enable developers to include multiple content documents within a single response, making it possible to stream and process data continuously. This feature has implications not only in real-time data retrieval but also in areas such as HTTP request smuggling and server confusion. Further research and exploration are warranted to fully understand the potential impact and possible vulnerabilities associated with multipart mixed requests in GraphQL.
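As an added illustration (not code from the podcast or its guests), here is a small Python parser for the multipart/mixed stream described above: it splits the response into its parts, decodes each JSON payload, skips the empty keep-alive objects, caps the size of any single part, and rejects a stream that ends without the closing delimiter. The Apollo-style part layout and the sample response are constructed for this example.

```python
import json
import re
# Constructed sample: a GraphQL subscription streamed as one multipart/mixed
# response (Apollo-style parts, boundary "graphql"); not from a real server.
SAMPLE_CONTENT_TYPE = 'multipart/mixed; boundary="graphql"; subscriptionSpec=1.0'
SAMPLE_BODY = (
    b"--graphql\r\ncontent-type: application/json\r\n\r\n{}\r\n"  # heartbeat
    b"--graphql\r\ncontent-type: application/json\r\n\r\n"
    b'{"payload":{"data":{"ticker":{"price":101.5}}}}\r\n'
    b"--graphql\r\ncontent-type: application/json\r\n\r\n"
    b'{"payload":{"data":{"ticker":{"price":102.0}}}}\r\n'
    b"--graphql--\r\n"
)

def parse_boundary(content_type: str) -> str:
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("no boundary parameter in Content-Type")
    return m.group(1)

def iter_parts(body: bytes, boundary: str, max_part_bytes: int = 1 << 20):
    delim = b"\r\n--" + boundary.encode()  # yields (headers, payload) per part
    segments = (b"\r\n" + body).split(delim)  # leading CRLF normalises part 1
    for seg in segments[1:]:                  # segments[0] is the preamble
        if seg.startswith(b"--"):             # "--boundary--" ends the stream
            return
        if not seg.startswith(b"\r\n"):
            raise ValueError("malformed delimiter line")
        if len(seg) > max_part_bytes:         # bound memory held per part
            raise ValueError("part exceeds size limit")
        head, sep, payload = seg[2:].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part has no header/body separator")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        yield headers, payload
    raise ValueError("stream ended without closing delimiter (truncated?)")

def subscription_events(body: bytes, content_type: str) -> list:
    events = []  # decoded JSON data parts; {} keep-alive heartbeats dropped
    for headers, payload in iter_parts(body, parse_boundary(content_type)):
        ctype = headers.get("content-type", "").split(";")[0].strip()
        if ctype != "application/json":
            raise ValueError("unexpected part content type: " + ctype)
        obj = json.loads(payload)
        if obj:
            events.append(obj)
    return events
```

A real client would feed bytes into this incrementally as they arrive on the socket; the same checks (per-part size cap, required closing delimiter) are what keep a misbehaving or confused upstream from holding a consumer open indefinitely.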
Episode 50: In this episode of Critical Thinking - Bug Bounty Podcast, Justin catches up with hacking master Mathias Karlsson, and talks about burnout, collaboration, and the importance of specialization. Then we dive into the technical details of MXSS and XSLT, character encoding, and give some predictions of what Bug Bounty might look like in the future…
We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.