Critical Thinking - Bug Bounty Podcast
[HackerNotes Ep. 156] Cross-Site ETag Leaks, AI Agents from WhatsApp, and Bug Bounty AMA
In this episode, Rhynorater and Rez0 did an AMA based on questions asked on the new bugbounty.forum.
Hacker TL;DR
ETag length leaks response size. By CSRF-padding the victim’s data, attackers can flip the ETag across a hex boundary. The ETag is reflected into If-None-Match, where longer values hit Node’s 16KB header limit and return 431 (req header too large), while shorter ones stay under the limit and return 200. The browser’s history behaviour turns this difference into a cross-origin oracle, enabling character-by-character exfiltration.
Claude Code can now be controlled from WhatsApp using Clawdis.ai for voice-driven hacking workflows.
BugBounty.forum provides anonymous discussions for hunters, with verified earnings for credibility. This week we answered some of the questions asked in this post by Rhyno: https://bugbounty.forum/post/0198fcf1-d3c6-4a79-a377-1fb90b28c21c
We do subs at $25, $10, and $5; premium subscribers get access to:
– Hackalongs: live bug bounty hacking on real programs, VODs available
– Live data streams
– Exploits, tools & scripts
– Un-redacted bug reports
– A collaborative hacking environment
The News
Cross-Site ETag Length Leak
This week's technical highlight comes from ArcArc, a Japanese security researcher who created an insane CTF challenge for SECCON. The technique demonstrates how a single byte difference can leak the entire flag cross-site.
The Attack Chain
Step 1: ETag Header Behavior
The ETag header often encodes response size in hexadecimal. When the response size crosses certain boundaries (e.g., 0xFF → 0x100), the ETag length changes by one character.
Response size: 255 bytes → ETag: "ff" (2 chars)
Response size: 256 bytes → ETag: "100" (3 chars)
Step 2: Manipulating Response Size
By abusing CSRF to create notes in the victim's session, attackers can manipulate the total response size. A search hit versus a miss produces different response sizes, crossing that hex boundary.
Step 3: The 431 Status Code Oracle
Here's where it gets clever. The ETag value from the response gets reflected into the If-None-Match request header on subsequent requests. By padding the request right up to Node.js's 16KB header limit:
Search hit → Longer ETag → Exceeds limit → 431 Request Header Fields Too Large
Search miss → Shorter ETag → Within limit → 200 OK
Step 4: Browser History as the Oracle
The final piece uses the browser's shouldReplaceCurrentEntry behavior:
431 responses replace the current history entry
200 responses push a new entry
By checking history.length cross-origin, attackers can determine if the search hit or missed, enabling binary search to brute-force the flag character by character.
Clawd: AI Hacking from Your Pocket
Rez0 highlighted an interesting project: https://clawd.bot/ that enables Claude Code control via WhatsApp.
Why is it cool?
Send voice messages to trigger hacking workflows
Control a VPS-based Claude Code instance while on the go
No more typing on tiny Termux keyboards
Use Cases
Quick POC modifications from your phone
Managing development servers without SSH clients
BugBounty.forum: Anonymous Discussions for Bug Hunters
There is this new forum called BugBounty.forum, a community platform for bug hunters with nice features like:
UUID-based authentication - No credentials to store, just a UUID for login, so it's anonymous
Optional earnings verification - Upload earnings to prove credibility
Upvotes - You can control the quality of the posts
Mobile - Works well on mobile devices
That’s great for bug hunters. We now have a proper place to discuss anonymously about different topics.
BugBounty.forum AMA
Will bug hunting become obsolete due to AI agents in 5-10 years?
No, not really.
AI is just another layer of automation, like cloud and Kubernetes were before
AI lowers the barrier to entry, making it more competitive but not obsolete
AI-written code ("vibe coding") creates MORE vulnerabilities to find
If bug bounty disappears, almost every industry disappears; it's a societal shift, not something industry-specific
Bug bounty still offers: real skills, resume building, money potential, flexibility, no sales required
Advice for beginners: Go into it knowing you'll want to use AI to supercharge yourself, build your own tools.
How do you get invited to a live hacking event if you're not a top tier hacker?
Two realistic paths:
Specialize in one program that runs LHEs on HackerOne (one that can afford live events) and become the expert on its scope
Be a plus one by developing relationships with invited hackers:
Send them high-quality leads (not "is this vulnerable?" messages)
Collaborate on actual bugs you're stuck on
Many top hackers started as plus-ones who performed well and got more invites
Is it better to do bug bounty full-time or treat it like a 9-to-5?
It depends on your phase:
Learning phase: Go all in. Fall asleep at your computer. It requires that passion to succeed initially.
Sustainability phase: Time-box to 8-5, maintain healthy boundaries. This is non-negotiable for longevity.
Pro Tip from Franz Rosen: "Close the laptop right when you're about to find something." You'll be clawing at your desk to get back the next day; this builds sustainable momentum.
From my perspective, I'm more into scheduling things and having a healthy balance between work and chill stuff.
What's better, 10 bugs at $5K total or 1 bug at $5K?
It depends on context:
| Scenario | Better Choice |
|---|---|
| Building momentum as a beginner | 10 bugs (confidence + intel) |
| New target at LHE | 10 bugs (profile of what's vulnerable) |
| Established anchor program | 1 crit (prestige + invites) |
| HackerOne events | Volume often wins MVH |
| Google AI events | Criticality wins MVH |
Finding 10 bugs gives you intel on what the program is vulnerable to. But companies care more about crits for invites and respect.
What's the background behind starting CTBB? How profitable has it been?
Justin and Joel loved the conversations at live events with top tier hunters and wanted that energy available every week.
The goal: Bring top-tier hackers at least one actionable methodology takeaway per episode.
Long-term view: Still up in the air. The weekly commitment takes away from 100% hunting freedom, but they're bringing on co-hosts like Rez0 and Gr3pme to share the load.
How do you conquer a vulnerability class?
Learning must be goal-oriented for the specific target you're attacking
If you see something you don't understand on a real target, go learn about it
Keep failing, do that for a month and you'll start finding stuff
Consider lower-paying programs to build frontend skills if hardened targets are blocking you
Do you actually use all the techniques from the podcast in your workflows?
Definitely not all of them.
Having the tools in your mental toolkit means when you see something, it triggers: "I need to look up that thing" or "That was from the Franz episode" or "DM that researcher."
Now you can tell your AI assistant to try techniques X, Y, Z without manually implementing each one.
Following methodology step-by-step actually does help when starting out, it gives you something to do and teaches you why things don't work.
Generalism or specific vulnerability type when starting a new target?
If the question is "starting a NEW target": Generalism, always. You need to understand what the target is vulnerable to, not every target has XSS.
If the question is "making money": Could be different. Just checking IDOR on every program works for some hunters (cf: Zwink/iDORminator).
Want to own a specific target? → Generalist
Want to print money? → Specialist in high-ROI vuln classes
Want to be a beast who can destroy any target? → Generalist
Tips for making $500K in a year from bug bounty?
$500K/year = $1,400/day average (including weekends). That's either:
One medium/high bug per day, OR
Crazy crits every few days, OR
High five-figure to six-figure bugs to compensate for off days
Some advice:
Hack programs that pay decent money
Go deep on those programs
Focus on assets with obvious impact
Be effective, don't waste time on low-probability attacks
Follow opportunities for bigger bugs when you see them
Write excellent reports (this alone can 10x payouts)
Put in the hours OR find mega-crits
Do AI and vibe coding introduce a new era with more bugs?
Yes, we're in the "AI Slop" era:
Nearly everyone at big companies uses AI to write code
AI is bad at thinking about business logic and IDOR
In 1-2 years, AI will write fewer bugs, but right now it's a goldmine
New AI apps actually introduce new vulnerability types
Crazy researchers like ArcArc are finding insane new vectors
Human-in-the-loop vs. AI will solve web security, which camp?
Both, but human-in-the-loop dominates for now:
The example from Justin in the Nahamcon presentation: He found a bug quickly because he pointed the AI at something his intuition said was vulnerable. How many headers were in that request? How many requests did the app make? Human intuition directed it.
When it's cheaper to run a hackbot than the bug bounty payouts from its findings, companies will scale it infinitely. But that keeps resetting as bugs get fixed.
So Human-in-the-loop + AI will be massive for at least the next 5-10 years.
What questions do you ask yourself to mentally map attack surface on a new program?
What kind of stuff would the end user be doing?
What goals might they have?
What features are the most used on the app?
What mental anti-patterns look smart but waste time?
Eternal learning vs eternal recon - Recon feels like panning for gold (easy dopamine), but manual hacking is the real work. Get on the main app.
Over-documentation - Writing everything down can slow you down. Trust your intuition.
Poor impact alignment - Ask: "Even if this works, what would the impact be?" Don't spend hours on a post-auth thing that'll be a medium at best.
Rabbit hole - If a chain isn't working, simulate the bypass (match & replace) to verify the full chain is viable before going deeper. "I didn't tell them to click here before they clicked here."
Closing eyes on attack vectors - Being dishonest with yourself about impact. "All they have to do is click 47 things..."
What belief about bug bounty turned out wrong, and dropping it changed your results?
Rez0: Imposter syndrome. Sitting at LHEs with top hackers, he realized they think in the exact same terms; one person says "try this" and the other is already typing it. It's achievable.
Justin: "I needed to be successful in bug bounty to respect myself as a hacker." Bug bounty is too volatile for self-worth. Put it somewhere more stable: relationships, faith, something that doesn't fluctuate with dupe rates.
How do you tackle small scope targets with limited functionality?
Grasp at every little oddity or quirk
Try things you don't normally try
Think outside the box
Put yourself in the developer's shoes
Sometimes banging your head until you pwn it feels good as skill-building
The reality is that if the functionality isn't there, the crits may not be there either.
How long do you stay on one program before moving?
New program: As short as a couple of hours, as long as a couple of days.
But don't lock yourself into a new program for a long time, companies can have weird duping policies or skirt around bugs.
Better approach:
Spend a few hours
Submit a couple bugs if you find some
Go back to an anchor program
If they treat you well, come back
Do you recommend proxies besides Burp and Caido?
The main proxies are already pretty good and useful for almost everything.
Exception: RepPlus (Chrome extension) for quick and dirty browser-only testing when you don't have a full proxy setup. But it can't write arbitrary HTTP requests due to fetch stack limitations.
For system-level proxying: Some specialized proxies exist for mobile or whole-system proxying, but for web hacking, use Burp or Caido.
How many programs do you recommend focusing on at once?
One or a few.
Mixing traffic and context is counterproductive
Even switching Caido projects mid-session is annoying
Goal for 2026: Develop anchor programs rather than bouncing around
Exception: Spraying a one-day/CVE across programs is different.
How do you pick up bug bounty after a long break?
Get curious, get hyped, trigger your love for it.
You want some boredom BEFORE you sit down; if you've been scrolling TikTok, technical content won't seem interesting
Go for a walk without your phone for 30 minutes
The HTTP requests will feel exciting when you're dopamine-starved
When should you give up on a bug ignored by triagers?
If triagers are eternally ignoring your bug, it's probably not a valid bug.
Two likely causes:
You did a poor job articulating it
You over-inflated the severity in your mind, it's actually a low, so they're prioritizing more important reports
What invisible elements make the difference between a $2K and $20K payout?
#1: Reproduce via your own steps before submitting
Follow your reproduction steps exactly as a triager would. If you have to respond to even ONE "need more information" request, it subconsciously degrades how they view your report, even if it's the exact same bug.
#2: Automate complex exploits
Make exploitation look trivially simple. A script that outputs PII when run feels much more impactful than manual curl commands.
#3: Deep impact assessment
Don't just pop a token, explain:
What the token grants access to
How to use it (exact browser steps)
Business impact in dollars when possible
#4: Video + POC for critical bugs
If it's critical enough to be worth your time, add a video walkthrough and automated POC script.
Resources
BugBounty.forum - Anonymous bug bounty community made by Pomme
Critical Thinking Research Lab - Crowdsourced security research
ClawdBot - WhatsApp interface for Claude Code
ArcArc's CTF Writeup - Cross-Site ETag Length Leak challenge
That's it for the week, keep hacking!
