Dear diary…
Ok, so I said that I wasn’t going to do that anymore because I realized it was unfunny, and yet here we are.
Well I’m writing a follow up post, so it can’t be a total disaster yeah? After I uploaded the original post, I felt hella embarrassed. Which is kind of funny considering probably at most a handful of people read it (if even that), and no one on the internet knows who I am or even gives an eff about me, so why the emotional reaction? and yet here we are.
I also felt trapped. Crap, I’ve outted myself and now I’m forced to find a bug for this stupid series and that’s impossible and I don’t want to and now I’ve cemented myself as failure! Ugh, why did I do this to myself? (Chill Winston, you have like 30 twitter followers, no one cares)
I figured I’d ease into it, give myself something simple to work on that would get me into the motions. I had written a script a while back that extracts the RSA public key from JWT signatures. So my plan was to just hop around and grab the public keys to some sites and see if they were insecurely generated, or if the implementation was vulnerable to something like the RSA or HMAC exploit. The odds of finding anything were extremely low but it was something no one else had likely tested and for some reason the fact it probably wouldn’t work made it easier to do it. Because like I’ve said when I feel trapped I end up in avoidance mode and so anything that makes it easier to do is helpful.
So now I had something to focus on, could put in a couple hours and feel like I was at least doing something and at this stage that is booking a win. Then ADHD did it’s thing. It’s honestly kind of amazing what will take over my attention and focus actually. How have I survived for so long with my phone screen in the condition it’s in. That must get fixed right now. Good lord, my keyboard is disgusting, I absolutely must pull all the keys and clean everything, right now. I literally never once in my life up to this point had thought I needed a massage gun, but there I was an hour and a half deep into research mode reading reviews about which one I should buy, because damnit I really need one of those…right now! Eventually I got around to doing some real work, and you’ll never guess what I found?!?!? yeah, nothing.
I logged on today and there was a new target that had only just been listed. Decided I’d give it a look. Right off the bat, boom, a bug! Had I done it, had I finally found my first bug? I can show my face in public now? Sadly no. Well I mean yes, I found a bug, You could hit an API endpoint and get the entire user list and their associated data for the site (lol) but it was such an easy find that when I looked at what had already been submitted it was in the queue. Then I found a persistent XSS using a SVG file through an insecure file upload. Nope, both those are dupes. After a while of trying to see if I could get RCE I gave up and moved on and found that you could change the data for other users, one of the fields being their password hash. Sweet, account take over! Nope, dupe.
In some sense it was encouraging, because finding something is nice, but it’s also kind of discouraging because it highlights a problem I’m going to have. I’m not going to be able to look for the low hanging fruit, there are too many more experienced, better testers, probably with automated tools, and who have experience writing bug reports, for me to ever beat everyone in the submission race. I need to find some kind of sweet spot, probably not a brand new target with lots of active testers, and I need to look for things that aren’t the superficial casual finds someone of my skill level looks for, because those will already be found. I should probably pick a specific aspect of the typical web flow and really focus on that. More depth, less breadth. I’m not sure what however, it has to be something interesting enough that I’m motivated to look, but also not so hard or complex that I never find anything. The smart thing to do would probably be to spend some time researching what the most common vulns are and what most people are actually looking for. Then use that knowledge to try and pinpoint something I could do either better than the average tester or something that is being undertested.
I think I’ll just spray and pray for a few more days to keep forming the habit of logging in and looking and feeling like I’m doing something (book them easy wins) but spend a bit of time looking deeper into the whole bug bounty process and see if I can identify a sweet spot for me.
Comments
Post comment