Critical Thinking - Bug Bounty Podcast
[HackerNotes Ep.99] Back to the Basics - Web Fundamental to 100k a Year in Bug Bounty
In this HackerNotes, we've got Roni and Justin dissecting an old thread of Justin's, breaking down how best to start bug bounty with the goal of making $100k in the first year.
Hacker TL;DR
A different kind of episode: this week, Justin and Roni talked about how they’d make their first $100K again in one year if they had to start over without any hacking knowledge.
The Hacker Mentality: Hacking demands continuous learning, and curiosity is important for anyone who’s getting started in hacking. Beginners and experts go through the same learning process every time they encounter something new; the only difference is that the expert has more reps going through that process, while the beginner has a lot more ground to cover.
Knowledge = Creativity?: Limited technical knowledge holds beginners back. Deep understanding of technologies helps with the hacker’s creativity even when applications seem simple on the surface. The deeper we dig into each component of an application, the more likely we are to find/create ways to break it. Do not neglect the simple stuff - that’s what most people would do, and that’s where the more experienced hackers find their craziest bugs.
Threat Modelling: This is a skill that helps prioritise and generate new attack vectors, as different businesses value risks differently. What’s critical for one company may be low-priority for another. People who are good at identifying what a company values the most have a better time hacking because they can hack with a purpose, something they want to actually achieve instead of aimlessly trying to “find a vuln”.
— $100K in 1 Year
This week’s episode is a little bit different from what we’re used to. This thread by Justin talks about what he’d do if he had to start from scratch without any hacking/tech knowledge, with the objective of making $100K in his first year as a bug bounty hunter.
If you missed it, it’s a thread filled to the brim of information as to how Justin would approach bug bounty if he was just starting, and needed to make $100k a year:
The thread is no doubt worth a bookmark and full of tips for newcomers, so check it out if you have time.
And this is exactly what this week’s pod is about.
- Getting Into Bug Bounty Hunting
It is really difficult for a beginner to get started in the security field: even though there is a lot of good content out there for people to learn from, most of it looks the same and doesn’t teach the really important stuff.
Roni says the content people put out there for beginners needs to be a little more hardcore. Getting into the security field is difficult, and it would be better for beginners if they understood that reality right from the start, not to discourage them, but to get them into the right mindset early.
— The Hacker Mentality
“Hacking” isn’t something you really learn and then you’re fine, because once you learn anything in this field, the next step is always to go deeper and deeper into understanding how whatever you’re testing works.
Hacking is an endless cycle of figuring things out, and every time we figure something out, we discover new things we had no idea existed. Curiosity is an incredibly important quality in a hacker.
- Learning How to Learn
We are all humans, and the person who created what we’re testing had to learn it at some point too. The main difference between an experienced hacker and a beginner is simply the amount of time and effort they’ve already invested in learning. We can’t teach hacking without teaching people how to learn.
Every time we examine an application, we’re essentially doing what a beginner would do. The key difference is that a beginner needs to learn the fundamentals like the HTTP protocol, or TCP/IP first, while experienced people can skip directly to what is new for them.
Though these two people are at different stages, they both go through the same learning process and will continue to do so with each new challenge. Getting used to being uncomfortable helps tremendously; there’s always so much more to learn.
— Understanding Vulns and Context
Another key point Roni and Justin discussed was how to visualize an application’s flow. There are many approaches to hacking, and here are some tips on how to make the thought process easier:
- Abstraction
When trying to understand an application, Roni likes to first get a general understanding of what the application is doing, and then he likes to think about what is happening (or should be happening) in each step of the process.
This way of looking at an application can help us see the bigger picture and think more creatively by understanding how everything fits together, instead of treating it as a bunch of separate features. Once we get a general idea of what is happening, then it’s time to investigate everything we find.
For example, if you focus solely on trying to find a reflection point to inject an XSS payload into, it can make it harder to spot other gadgets or vectors that could be abused to break the context you’re in. Cookie context breaks, for example, aren’t something you’d normally find if reflection is the only thing you’re looking for when hunting for XSS.
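To make the "context break" idea concrete from the defender's side, here is an added example (not code from the podcast or from any project it mentions). A hypothetical page renders a value taken from a cookie into an HTML attribute; the first renderer interpolates the value raw, the second escapes it for the attribute context. The cookie header, the `theme` cookie name and the `attributeIntact` check are all constructed for this illustration; the point is that the injected value never passes through a URL parameter, so a hunter (or a test suite) that only looks at reflected query strings would never see it.

```javascript
// Minimal Cookie-header parser. Assumes the "name=value; name2=value2" shape
// browsers send; malformed percent-encoding falls back to the raw value.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    try {
      cookies[name] = decodeURIComponent(raw);
    } catch (e) {
      cookies[name] = raw;
    }
  }
  return cookies;
}

// Vulnerable renderer: the cookie value lands inside a double-quoted attribute
// with no encoding, so a double quote in the value closes that attribute and
// whatever follows is parsed as new attributes.
function renderGreetingVulnerable(cookieHeader) {
  const { theme = "light" } = parseCookieHeader(cookieHeader);
  return `<body class="${theme}"><h1>Welcome</h1></body>`;
}

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened renderer: same template, value escaped for the attribute context.
function renderGreetingHardened(cookieHeader) {
  const { theme = "light" } = parseCookieHeader(cookieHeader);
  return `<body class="${escapeHtml(theme)}"><h1>Welcome</h1></body>`;
}

// Crude regression check: in the markup before <h1>, the only double quotes
// should be the two that delimit the class attribute. Any extra quote means
// the cookie value escaped its context.
function attributeIntact(html) {
  const head = html.slice(0, html.indexOf("<h1>"));
  return (head.match(/"/g) || []).length === 2;
}

// Constructed sample: a theme cookie carrying a double quote, the character
// that closes the attribute. No script is needed to demonstrate the break;
// an unexpected data-x attribute appearing is enough to show the context is gone.
const sampleCookie = 'session=abc123; theme=dark" data-x="';

console.log("vulnerable:", renderGreetingVulnerable(sampleCookie));
console.log("hardened:  ", renderGreetingHardened(sampleCookie));
```

Running it shows the vulnerable output growing a second attribute while the hardened output keeps the quote inside the class value as `&quot;`. The useful lesson for both sides is the same one the episode makes: the gadget was in the cookie handling, not in any reflected parameter, so you only find it (or defend it) if you trace where every input actually ends up in the document.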
There is a huge difference between understanding how a vulnerability works and understanding all the ways you can achieve it. Whenever we study a type of vulnerability, researching what can lead to it should be part of the learning process - this way we'll have a lot more tools in our belt when hunting.
It's important to read documentation and other people's research/reports if we want to keep up with what is happening in the tech and security industry. New techniques appear every day and we should be willing to learn them, even if they don't make sense right now, our brains will make these connections naturally as we gain more experience.
— Knowledge = Creativity?
A common challenge for beginners is not knowing enough about the technologies they’re working with or testing. The deeper we understand what we’re dealing with, the more creative we can be. Some technologies sure look simple at first, but there’s often a lot of hidden complexity, and that’s exactly where we should dig in.
Applications process information differently at different layers. For example, a reserved word in one programming language might be perfectly fine in another, or a random sequence of characters might unexpectedly break something on the back-end with no indication on the front-end.
Weird, right? That’s why exploring and hunting for bugs isn’t just about finding issues - it’s important to learn deeply about every part of the application. Over time, that knowledge builds up and makes us more creative. Even if we don’t use everything we’ve learned every day, this knowledge will be useful in the future and we’ll be glad we didn’t give up on studying it.
— Threat Modelling
Extremely important but just as difficult to teach, “Threat Modelling” means looking into an application and visualising what would affect it the most. What could a bad actor do to completely destroy their core feature, their business model, infrastructure, reputation, or anything else? That’s what we are looking for, impact.
The better we get at threat modelling, the better we will be at generating attack vectors and valuing each of them, because different businesses care about different things. It’s perfectly possible for one company to categorise a finding as critical and another company to categorise the same type of finding as informational or low.
- Private BBP vs. Big Techs
Roni made a funny comparison that actually kind of makes sense: a big tech company is like a giant cheese wheel full of holes for us to find. Sure, they’re generally more secure than smaller companies, but their massive infrastructure also makes it harder for them to keep everything secured.
Even if there are a lot of independent researchers looking into them, it’s still impossible to cover everything, especially because they deploy new code so many times a day.
There are pros and cons to hunting bugs in both big and small companies, but the key is to stay focused on what we’re doing. We’ll find a bug eventually.
The big takeaway from this episode: keep studying. Ignoring things, even if they seem unimportant, is a huge mistake. Like we’ve heard in past episodes, developers put things in the code for a reason. Find that reason, mess with it, and twist it until it breaks.
As always, keep hacking!