Live Recon on Rockstar Games With @zseano

Captions
All right, we are doing another episode of Live Recon. Today's guest is zseano, also the founder and creator behind bugbountyhunter.com, a great bug bounty platform for people that want to get hands-on experience with web hacking. The way it works, as I understand it, is you find a bug, you report it, zseano himself triages it and teaches you the way. So the current format of the Live Recon show is: we bring on a guest, chat picks a target, we put up a poll. If you're watching this on YouTube, you can come join me every Sunday at 11:30 a.m. Pacific time. The chat picks a target, we do some recon, and the guest shows us how they do it. So we're going to switch over to our guest, but before I bring him on, chat, do me a favor: I need you all to drop a "zseano" in the chat so I can switch over and bring our guest up on the stream. I'm going to switch over here in a minute, but I need you guys to get it hyped, and then we'll bring him on.

Hey man, how you doing? Hey, what's up man, how's it going? Do you happen to have your camera, by any chance? Not at the moment, do I need it? I mean, it would be nice to have, but it doesn't matter if you can't. I don't have it set up at the moment, if I'm honest. I'd need to move my other screen, because I'm on a smaller desk at the moment, to get it set up. Sorry. Are you cool with sharing? Yeah, let me just close down pretty much what we're doing at the HackerOne event so I don't give anything away. Maybe create a new profile in your Google Chrome. All right, well, you do that, I'm going to talk to the chat really quickly. Chat, we talked about this earlier: if you want to give us a target, I'm going to create a poll in the next few minutes. Give me the company you want to see, give me a suggestion for the target, I'm going to create a poll and we're going to do some hacking. And my headphones are about to freaking die. My headphones died? No, not yet. All right, let's see if I can fix this. Tesla, Twitter, TikTok. I don't know what TikTok... chat, I think this died. One second, you guys put these up. One sec, chat. The beauty of doing live streams is that things could go wrong and will go wrong. Top Dog, three months, thank you so much, I appreciate you so much for that. Three months, thank you, thank you, thank you. Bear with me, chat, trying to figure it out. Maybe this one. Yeah, buddy. All right, I think I made it work. Yo, my bad, accidentally closed all my stuff. All right, zseano is closing things out. Chat, let us know what other targets you want to hack on. I think everything's good. Let me make sure my Skype isn't... setting this USB into the USB port... All right, let's see. So we have Spotify, Facebook, Pornhub (get out of here), hold on, the internet, SpaceX, Snapchat, Rockstar Games. I think that's a good one, Rockstar Games could be fun. Let's copy Rockstar Games, the Boring Company, Apple. How do you feel about Apple, dude? I heard you've been hacking on them a lot. Can people hear me now, by the way? Oh yeah, they can hear you. Oh, cool.

I mean, yeah, I'm down for Apple, because I should probably get chat open on Twitch, but for the BugBountyHunter hack event things we were actually targeting Apple recently, and believe it or not, it's funny that you wanted me to do this recon thing with you, because, as you know, I don't do a lot of recon. Last night I was thinking, what can I do on stream, because I don't really run anything as such. For me, recon is about understanding when to use these tools and what to do with this information. You can run as many subdomain scanners as you want, but it's about what you actually then do with this information, and that's what I was teaching people with the first hack event, with how we used your information and Sam's blog post with the bugs that you found. We basically took certain information from your blog posts, parameters, endpoints, and ended up finding more, and we've actually got seven bugs now triaged at Apple just from your research. I've run no subdomain scanners, I've not tested any of their main web app type things in depth, I've literally just been following on from what you guys shared. So to me, that's my recon: understanding how things work. Yeah, I mean, the thing is, man, you still do recon, because I've seen you pull up the JavaScript for each application and go through that. You focus more on content discovery, while a lot of folks do asset discovery and then go to content discovery. Yeah, exactly.

So let's put up the poll. This is such a weird poll. Does TikTok have a bug bounty program? They want to do TikTok for some reason. TikTok does, but we're going to have to open up a mobile-only app, isn't it? No, they have a web stack. Hey, someone says, "I want you to do TripAdvisor." How do you feel about that? I don't think I'm legally allowed, if I'm honest. They removed me from their program and told me I can't do anything, so I don't think we can. It's all good man, I'm just trolling, I know the background story to it, that's why I asked. It depends what people want to do, recon as such. Do people want to just run all these subdomain scanner type things and look for stuff, or shall we do recon in the sense of picking a target where somebody's got a lot of write-ups? For example, Google could be an interesting target. We could digest some Google VRP write-ups and go ahead and see what we can find on Google, potentially. So for now, the targets that I put up are Rockstar Games, Apple, Tesla, DoD and TikTok. Those are the ones that are really popular. I would love to see Rockstar Games, just because it's a single app. I've hacked a lot on their apps, but they have so many micro apps within Rockstar Games that it is incredibly hard to distinguish what app is what without it being a supplement, if that makes sense. They're not subdomains, but it's just a gold mine of reading JavaScript. And by the looks of it, 68% have voted for Rockstar Games. Okay, interesting.

So let me put this screen right here. Let's see what's been disclosed, and there's a lot, because I think they're good at disclosing too. What I like when I'm looking at new targets, and I've never looked at Rockstar Games, is I create a lead for myself. Even before I've opened Rockstar Games or run any subdomain scanners, I'm interested to know what other people have found or if they've shared anything interesting. So what I'm looking at right now is there was an open redirect 23 days ago; no information on the report, sadly. We'll give it a second, let's finish the poll, it has a few more minutes. Okay, I'm jumping ahead, sorry. I mean, you're doing your recon already, but let's give it a sec, and once this is done I'm going to have you share your screen, if you don't mind, and we'll take it from there. I'm trying to get my chat to pop out, but I can't. What happens if I find a bug accidentally? Hopefully you don't. You're going to do your best to not find a bug accidentally, and if you do, we're going to take the screen down and go cry in a corner together. Okay. I'm going to try and ignore some stuff that I would test, as such. Yeah, that's a good idea. All right chat, how is this poll doing? It looks like it's an easy decision, 63% have said Rockstar Games. Do we wait, chat, do we wait for the poll to be over, or do we just get started?
What do you want to do? You know what my biggest fear is? If you find a bug on stream, people are going to report it, and it's going to be 20 duplicates of the same bug within 20 minutes from this stream. At least I can claim that I found it first, right? Right, we'll send them a clip. All right chat, I need you to get hyped. I'm going to have Sean, a.k.a. zseano, share his screen here in one sec and we're going to get started. Dude, my Apple Watch is throwing jabs, telling me it's time to get up and stand. All right chat, ready? All right Sean, it's time for you to share your screen, if you don't mind. All right, cool, do I just press present now? Are we good? Okay. Can we hack the Apple Watch now, please? Make it stop throwing jabs, dude. All right, cool, can you see my screen? I can see you. All right.

Normally I don't hack in Firefox, but I don't want to change a load of stuff on Chrome with what I've got and give away targets and such. So, like I say, basically, if I'm picking a new target (I did this with Apple; admittedly, I didn't do it with TripAdvisor) the way you hack is something you pick up, your own flow, over time, do you know what I mean? When I was first hacking on HackerOne back in 2015, 2016, I was reporting stuff that I didn't have any clue about, and you pick things up over time, don't you? So for me personally, I like to understand what other people have found, because it can give me, before I've even looked at anything, a feel for how the company is, do you know what I mean? So right, I've already read some write-ups from Rockstar Games from previous times, so I know that they're vulnerable to a lot of XSS things, open redirects, so basically the basics of basics. That says to me, well, let's just go check out how the main web app works and log some requests, because that's my second thing. Instantly, before we've even clicked anything, can anyone else see that in the corner, where we've actually got returnUrl at the bottom? Yeah. Instantly I'm like, okay, potentially what can I do here? Well, I need to sign up. But that's when you kind of work... I watched a really great film, Escape from Pretoria, or however you pronounce it, with Daniel Radcliffe, where he escapes from prison, based on a true story, and I can't remember the exact quote, but he was saying that you basically work your way from the inside out. So I've seen that there's a returnUrl, and I also saw this redirect here, it happened very quickly. I have got Burp running, so there was also this request, so there's the returnUrl. I want to see what happens with that, but I want to basically see how the site works normally when I actually log in. So I can see here that we've got connect/authorize and returnUrl. If I actually log in, is there going to be any sort of token exchange and what have you, and then I work my way back from there, do you know what I mean?

So is that usually your first go-to thing, to look at the sign-in and sign-up flow when you approach a target? Yeah, literally. A lot of people will say they look for just one bug type and they do their subdomain scanners and things like that, but for me, this is their main public-facing web application in production, lots of people use it, and I want to literally get to know how their actual website works: parameters, how basic common vulnerabilities are potentially present, and things like that. Because then, when I do my subdomain scanning and things like that, I know what that data is used for and where this comes from, etc. I can make more sense of the data, basically. So yeah, okay, let's sign up, I guess. I won't actually test, I guess. I mean, that gives a good idea though, right? You see a returnUrl at the top, what are you going to do? You're going to look for an open redirect and put JavaScript in there and see if it gives you JavaScript, or XSS, or if not, it's going to redirect you to another website, and that itself is valuable. It's actually this bug here that was found. Yeah, it was already. Wow, we missed it by three weeks. So this here, returnUrl. Yeah, but then that says to me as a hacker, well, how was it fixed, you know what I mean? That could be a bug. That's why I don't want to test it live, because there could be a way to bypass their patch here.

So how about this, let's do this: why don't we push this to Repeater, and instead of sending the actual request, let's say there is a whitelist going on where you have to have rockstargames in that returnUrl. What things would you try? And do me a favor... Okay, I'll walk through what I was going to test for, what would I test for basically, one second. Do you know how to zoom in on Burp? No, how do you do that? Can you go to your User Options tab and then go to Display, yeah, and then make the font size at the top 16 or 18... that's way too big. 20 maybe, yeah, there you go, and then go to Change Font right there, and make that also 20 if you don't mind, and then let's pop back into Repeater. That should do it. There we go, can everyone see that? So my thought process is: one, do they care about it being www.? So can I put literally whatever I want there, and are they going to accept that? Because that says to me, first of all, if I did find an open redirect it wouldn't have to be on their main production server, www.rockstargames... I don't think they reflect it back. See, I'm literally just instantly going... But yeah, do me a favor, don't press OK next time, or Go next time. All right. Yeah, so I would test the subdomain and see basically how that's being reflected and if they're trusting it. I would test certain characters, so hashtags, question marks, backslashes, and I would try that in various different encodings. I mean, I'd try, was it %5c, I think it is, from my head, and then you could try that and also double encoding and things like that. I would try to see how their parser works, so are they looking for a complete domain there, or can I use a relative URL? So if I type /nahamsec, would they literally say, okay, I'm going to redirect to nahamsec, because by default the browser's going to have the domain as rockstargames, isn't it, you know what I mean? So in that case, how does their parser work? So if I had a forward slash, and then I encoded it with %2f, and then another slash, that's one of my payloads that I always find seems to bypass open redirect filters when they're only accepting relative redirects, and it ended up redirecting to your domain, so you'll be able to detect that. Did you get me? Okay, yeah, it absolutely makes sense. I'll then also see how they're handling after, so can I put a period, can I put encoding and things like that, can I use the trick, I believe it only works on mobile phones, where you can use the weird, what is that character, the backtick character, in subdomains, can't you? Somebody used it in a CORS bug, I remember. I've personally never found it as a redirect as such. Okay, so yeah, that would be my thought process for that, to see how it works basically and work out how they're filtering that, but obviously I'm not going to test it right here. So you're pretty much testing things before and after the subdomain while double encoding or encoding special characters, and understanding the logic behind whatever is in place for this. Okay. Do they care about it being https or http, or can I put literally zseano and then, you know what I mean? Because a lot of companies don't care what it starts with, sort of thing, and then, based on how the redirect happens, potentially you'll be able to get some sort of... maybe be redirected to
some JavaScript and get XSS, etc. Are there a lot of times when you look for these returnUrls that you can actually break the logic, from a previous bug for example, or is there a high chance of you being able to break it again even though it's been reported before? It can be 50/50 really, it can honestly depend. Sometimes it can be really easy, sometimes not. I mean, I've had some times where I've reported open redirects and they've only just fixed the hashtag value, so then I literally use a question mark and then it works again. So in some cases it can depend on the team and who's fixing it. Okay, so you think it's a good investment, doing this, but my question is, have you automated this? Do you have a list of these that you can throw into Intruder and just look for the response code? Not personally, I don't like automating anything really, because I like to really understand how it's working. I mean, for example, the HackerOne event: a lot of people have said that they're struggling to find some bugs, it's a hardened target, and that's because if you go and run some tools at it you really won't find anything, but once you actually understand how the web app works, you will realize it's very, very vulnerable. That's kind of why I don't like just chucking and spamming around trying to look for... I will look for returnUrl elsewhere, but that's after I've got a complete feel for how the site's working, and I can look at my lists and my parameter notes and I can see, for example, they're using returnUrl, cancelUrl, returnUri. I've got a big list of all the common ones that have been used. Then I will chuck them in Intruder and start looking around to see if they're used elsewhere and things like that. That's only after I've got a complete feel for how the site's working, because at the moment my knowledge of how Rockstar Games works is, I don't have any knowledge, and that's also why I don't look for one bug type. Because the chance of finding an XSS here is probably slim, but the chance of finding some sort of OAuth token leak is quite high, you know what I mean? You're going to miss it if you're just looking for one bug type, basically. Fair enough, okay.

So let's see what's next. We talked about open redirects, which is really valuable, because I see those returnUrl parameters on almost every site, it's just a matter of knowing how to fuzz for it. Yeah, basically. So I'll sign up. We'll use a securely generated password, if anyone wants to hack me. I'm not sure, stealing that from Nafi. Yeah, I'm going to take you off the screen if you need to go to your email; let me know, I can just take you off the screen for a sec. Yeah, cool, no worries. So usually I kind of just pause things and see what happens, because they're asking me to do a captcha, right, but how do I know the request to make the account hasn't actually already been sent, you know what I mean? It might just be... and it might actually be nothing. So I can see they've sent my date of birth off, they're checking I'm not a minor, really good check there, but apart from that, nothing interesting. Obviously we've got the GraphQL thing, so again instantly as a hacker you start thinking... I don't know if this is just Burp 1.7, but you can see here it sent the OPTIONS request, right? I haven't cleared my HTTP history, actually, I've just thought, so I'm not going to click it, but if I go in there I'll see the POST request here, but it doesn't ever appear here and it really annoys me. I think it's just a 1.7 problem. I think Burp has had a lot of great feedback given to them with the recent updates, I think I need to probably update. But yeah, so I'm going to sign up, because nothing's happened. So which ones are the correct way... this is a fun captcha, isn't it, they're getting very creative with the captchas. Dude, I've already got an account, apparently. 1337... why is it going to be 1237, dude? They're telling me it's not valid. All right, so do you know what we do here? Because they're obviously telling me it's not valid client-side, so what we're going to do, I'm going to check and see if we can do it through Burp. Yeah, I'm just going to move this to my screen so I can see it, turning off... forward. I can't take over your own account, hey. But while you do that, big shout out to, I think Rob was the person that just made us... thank you so much for that, incoming, I appreciate you so much.

This one. So what they seem to be doing is just a client-side check, so I'm actually going to modify it on the fly here in a minute. So in Burp you're going to modify the request and make it zseano@hackerone.com? Yes, I'm going to encode it and see what happens. So as you can see, yes. So again, as a hacker, that says to me that a lot of Rockstar Games is potentially just doing client-side checks and not server-side checks. So yeah, I mean, that's not a vulnerability, but I'm already getting a feel for how they're basically handling things and what I'm going to find on here, do you know what I mean? Yeah, it's a good indication that they're probably doing stuff client-side, not server-side, in a lot of cases, right? Yeah. So, just checking what's happening here. So at this point, and this is a bug on barker, I would revisit the sign-in forms, because as you can see here you've got returnUrl when I'm logging in, but I visited these when I didn't have an account. Now you have to think about user experience: if somebody who's logged in revisits the register form, you don't want them to be able to re-register, so you want to send them elsewhere. That's usually why you'll see a lot of developers have returnUrl, because it's for user experience, to control where the user can be redirected to, etc. So at this point, like I say, I'd simply try revisiting the URL. I'd also probably clear this one and we'll see what happens. So you can actually see it simply just redirected me. So if I put /nahamsec there, you can see, when I'm actually logged in, revisiting that does something, whereas if you visit it when you're not logged in, it wants you to log in, etc. And so this is where I'd start hunting. I don't want to, but it's a good indication, right, it shows you that something's happening here. I mean, look, you can see here there's my code and there's the returnUrl. Is there any way I can potentially leak this code to nahamsec? So this is again where I'd start testing around. I'm not going to, but I would. Chat, if you want to go for it, go for it, but that's a really good place to start. It's muscle memory: okay, I see this thing, I've seen it vulnerable a million times before, chances are it might be vulnerable, let's go. I mean, all websites pretty much work the same. You'll either log in and they'll simply trust your username, email and password and log you in, job done, or a lot of times they have some sort of token exchange, which is then used for, let's say they've got some sort of other domain and they don't want you to have to re-login. That's why they have these SSO tokens and OAuth tokens, so you can simply press log in and the token is exchanged and you're logged in; you haven't had to re-enter any of your information. It's all for user experience, but you can take advantage of that and chain an open redirect to leak that, basically. Would you report an open redirect right away, or would you sit on it? In my opinion, it depends on your situation. Fifty dollars or a hundred dollars to some bug hunters is a lot of money, and if it's a lot of money to you and you need that
money, then by all means go ahead and report it. Whereas if you understand things like server-side request forgery or leaking OAuth tokens, and you want to go for it, then by all means go try for that and try to get the bigger bounty. But if you feel completely out of your depth and you accidentally found this open redirect and you can't get it to do anything and you need the money, then yeah, in my opinion. Fair enough, okay. So yeah, that's literally our test to see, basically. And also, I believe somebody actually found an OAuth leak. There's another open redirect right there for Facebook OAuth token theft, you've got a DOM-based XSS via the returnUrl parameter, which we actually just found, so that would say to me I actually need to go back and see how they're actually handling returnUrl. And this is also where I'd start doing basically what I do a lot of, Google dorking. I've seen the returnUrl parameter a few times now on Rockstar Games, I can see a report here that is vulnerable, so I would literally just want to ask Google, well, what do you have indexed for this, basically, right, because Google is always crawling around. So here we go, we've got the logout form linked to... yeah, this is basically where I would now go into... there's a chance one of these here you're going to be able to leak some sort of token, do whatever, and literally I might now be busy for the next day working out how things work, do you know what I mean? But let's say I'm finding a lot of the same, like the tpa thing, so you just type -tpa to get some unique ones. So LifeInvader, I don't know what that is. And also, one thing: always scroll to the bottom and tick this to repeat the search with omitted results included. So yeah, you've got create... I'll just basically see what happens here. Yeah, for people asking in the chat, the -tpa that he just typed, if you missed it, means it's going to exclude anything that has that tpa endpoint in it, without further whatever it was. So he's excluding it because it's repeating and repeating and we don't want to see it anymore. Yes, I've gone down to nine unique results, whereas if I go... big shout out to 916 Jungles for one year, thank you so much man, I appreciate it. Yeah, so, okay, oh nice, because I haven't omitted the results, you've got 3,380, and you can see if you go over the pages most of them are literally the same, the tpa coming in. Yeah, they're literally just changing the client_id and the return URLs, undefined, and yeah, to me it's nothing interesting. I know what the tpa thing is, so I don't want to see it anymore, do you know what I mean? Yeah, and you just got it excluded to make your life easier. Yeah, basically. So yeah, I would spend time basically seeing how that works, and if anyone finds a bug, well done. If you do find a bug, give zseano a shout out on Twitter, let us know you found something because of the stream. At least my hacker senses are telling me that there's something in here, that's what I'll tell you.

So another thing as well that I would note down is they've obviously got this privacy thing here, your profile visibility. I would go ahead and test to see if these actually do work, so if you set it to "me only", can you access it somehow, do you know what I mean? Because with another account, maybe it's an issue. Yeah, exactly, make a second account and try and interact with it. But for now I'm just going to leave everything public. Do you use... is Burp a big part of your testing? Yeah, I literally just use Burp altogether. So this is probably potentially vulnerable to cross-site request forgery. I mean, if they're not validating the Content-Type and that can be anything like text/plain, then it'll be vulnerable. I'll take that off screen and we'll have a little test. Okay, so you might be able to update everyone's privacy. Nice. So if you do text/plain it says unsupported resource, so try text/html, no, and then if you have no Content-Type whatsoever, then it just tells you there's an error. So yeah, that's not vulnerable, but that would also then signal to me: have they done that for every single JSON endpoint POST request that they're sending, or have they only done this because somebody's reported this bug and they're like, oh, we'd better validate this, do you know what I mean? So you're literally going through every single endpoint and trying the Content-Type with different things? Well, no, the reason why I saw this is I'm literally just looking at requests, so I can see this is the request when I updated my privacy, and there is no mention of any cross-site request forgery token anywhere, is there? So that says to me, because as a developer I'd be like, well, how are they validating this request, how are they going to prevent somebody else from submitting this request for somebody? And a lot of times you'll find, I mean, I found this on the UK government's websites, where it should validate that there's an application/json but they don't, and you could submit it in an HTML form. For example, if you go to Send to Repeater and then go on Generate CSRF PoC, you can see here it sets the input name to your JSON payload, and that's how it managed to get through. And the fix is to basically validate that it's actually a JSON content type coming your way. But like I say, have they only done that because somebody's reported that to them? Because there's no cross-site request forgery token anywhere, like I say, somebody's seen that as well and reported it, and they've only added that because it's been reported to them, and it could be vulnerable elsewhere, you know what I mean? Right, right, okay. I've actually... I don't test... I mean, I've always just generated it and seen if it worked, but I've never just... I think it's easier to change the Content-Type than just creating the PoC and seeing if it works, so yeah,
so that's a very valid point you should always test for uh what is it application um yes application wwe so you should always test for an application for wwx form encoded and also text plain because i won't mention the target but a target you know we actually found some bug where if you actually add on your form so you'd have form action whatever methods equals post or you could have a get and then if you type enc and then you can just what is it text planes yeah something like that and then it will set the content type to text plane so for example when you're testing this content type it might not allow the application one but it might allow tech playing and in that case then you can get it free and then you have yourself a bug interesting okay very good cool um so what's next so we talked about csrf and how you do different things we look for we talked about the privacy things but now let's talk about rockstar games itself um first my first point of call would be to how are they handling when i update my user information um so when i update my password and email and things what what are because that's where there should be the most protection right there should be crosstalk request forgery there should be some sort of tow consent there should be something happening right that should have protection i shouldn't be able to just edit my email and i was vulnerable to crosstalk press forgery so i kind of want to go to the most secure place first to work out okay well what actual security have they got here are they making some sort of request elsewhere to grab the cross-site request forgery token before it's updated in which case potentially i can use that later on for some sort of xss chain etc etc okay um so in this case so first of all we're not on rockstargames.com we're on social club so we're on a completely different domain now um so we have again this code seems to change so i've not even tested how their login flow works and how this code is handled as such 
but what I noticed, just from using the site, is when you logged in on here and it redirected, this was the code for Rockstar Games, okay, but when you visited the Social Club there was the whole announced login thing and then there's a completely different code. So it would say to me that potentially, even if you were able to leak this code, it potentially wouldn't be able to do anything. That's just without testing, that's just from my initial thought process, that because this code is different every time as such, you know what I mean, because it was different here and then I've logged into Social Club. So even if I was able to leak this, potentially it wouldn't be able to do anything. So that's just me getting a feel for the site. I mean, it might be fully vulnerable, but at this point in time I'm just wanting to get a feel for how the site works. So let's update our information so we can actually see that it actually hasn't had... let me add a plus there. Actually, it just added it like this. Interesting, yeah. Does it let you... oh damn, CAPTCHA [Music] [Laughter]. Yeah, I'm just like, especially coming from a developer background, I just always want to get a feel. So yeah, they did let me update it. Let me go check my email. I'm always wanting to get a feel for just how it's set up, how it works as such. It's not potentially the right thing to do, it's just how I hack, I guess. All right, somebody in the chat wanted me to ask you: when do you try to test for XSS? Like, what areas do you look for XSS, and I'm not in a really good position... Any time. So first of all, obviously you've got lots of URLs here with parameters, seeing if any of these are reflected. So let's find... so we've got this profile, we've got email cookie. What does this email cookie do? Because every single website will take some sort of GET parameter or POST parameter in whatever format, right, and then they're going to do something with that parameter and that value. So are they simply taking this email cookie
value and doing something server side? Are they setting it in a cookie here, or are they reflecting it here? And I mean, so if you... I literally always just do it manually. So you look for things like the parameter within the source. Yeah, I mean, you can see here that it's reflected here, and it's reflected in JavaScript code with a single apostrophe. So for me, I would start testing: is that vulnerable to XSS? Because it's reflected my output. With XSS you're looking for anything that's reflected, your output, your domain reflected, because that's what XSS is, isn't it? It's just your output reflected. So I'm not going to do it, just in case it's vulnerable. All right, question for you. Well, let's do this, I have a solution for us. Go back to that real quick if you don't mind. Yeah. So here's my question. So let's say you put an apostrophe in there and the apostrophe turns out to be... it gets translated to... it gets escaped, slash apostrophe, right? Slash apostrophe, yeah. So what would you do in that case? I'm just trying to show different ways of, like, okay, you put an apostrophe, the apostrophe returns as slash apostrophe, what do you do to see if it's still vulnerable? So I would see if they're literally escaping any sort of quote, so I'd try another quote, or I would try to end the script tag, or any sort of tag, because you'd be expecting them... Yeah, just imagine, like, everything you played, yeah, it all gets escaped. Do you give up at that point, or do you... Yeah, yeah, if I literally tried the usual common script things, comment, whatever, if I tried common things, yeah, I would give up at that point, be like, it's not vulnerable. Yeah. Big shout out to MB Krump for the raid, thank you so much for raiding us today, welcome to the show. For people joining right now, I have zseano, the founder of Bug Bounty Hunter and also one of the top hackers that I know; I have the pleasure of calling him a friend. He's showing us how he would approach a target and how he would look for
vulnerabilities, and we're looking at Rockstar Games. Before you say this is illegal: we're not actually exploiting any vulnerabilities, we're throwing out theories and things that we may or may not do. So before you, you know, come out and tell me this is illegal, we're not doing anything. Carry on, Sean. No worries, no problem. So yeah, we can see here that they were actually only caring about the plus sign in your email client side when registering, because it seems to have not cared. I haven't received an email to say that it's been updated, but it tells me it's been updated. I mean, usually you receive some sort of email to tell you, don't you? You should, yeah. I mean, I don't know, some people would actually potentially report that, wouldn't they, and people have actually received bounties for that, but yeah, I mean, it's kind of expected in my opinion. Yeah, it's just one of those things that you want to... you shoot your shot, right? If it works you get paid, if you don't then you get an N/A. It's just a risk. So that's where I kind of just click around as such, I know it sounds weird, but, like, I want to get a feel. So if I sign up, how are they handling my sign up? Am I via a user ID? So I've just signed up, I send the request to mailing list subscription, subscribe true, and we can see here that this time there is a request verification token. So this time it's still a JSON request, but there's a request verification token, which was completely different to wherever it is here. But at the same time, sign in on Rockstar Games is completely different to Social Club on Rockstar Games. So, and I know, and a lot of hackers should know, that request verification token is a commonly used header, and trying to think what it is used for, I don't know, it's usually... it's not Laravel, ASP, ASP I believe. It would say to you, okay, Social Club and sign in are using two different code bases, so vulnerabilities found on Social Club are probably not going to work on sign in. Do you know what I mean? So that's
again me getting a feel for how things work, because again you can see here exactly a JSON request which has an actual cross-site request forgery token, but on the other request it doesn't. So then to me I would check: are they actually caring about this, do they actually validate it? So I'll take it off screen, but I would basically delete the request verification token, and I can see here you get forbidden and that. But to me, any time I see request verification token I would basically assume it's always going to give me forbidden, so it kind of speeds up my hacking and what's going on as such, you know what I mean? Right. I don't know what to look at as such. Somebody in chat is asking, do you take notes? Yeah, 100%. So, and this is something I was teaching people the other day of the week or whatever. So my notes are absolutely crap. I was going to open my notes, but I just realised I shouldn't, in case there's something good. But yeah, what I write down is, so I would write down at this moment in time... I'd have wrote down the return URL, I would have wrote down the two different subdomains, I would have wrote down big question marks over some sort of OAuth token exchange because we've seen the code value, and that's what I'd have wrote down at the moment, basically. Okay. What do you use for note taking? Sublime Text editor, just listen... Okay, yeah, nice, nice, okay, fair enough. And then I literally just have folders on my computer which just store text files of everything and wordlists and screenshots and, yeah, basically. Okay, so we have a little bit more time, we have 15-20 more minutes. What's next? Yes, we looked at a few of these settings, you walked us through the program and how you do your initial recon to see what kind of rules they have. What's next? So next is, well, this is where I tell people to hack for features. So when you're updating your information and things like that, you're looking for, like,
cross-site request forgery, IDOR potentially, XSS, etc. But this is where then you want to test, well, how are they handling file uploads? Because by default when you're developing, you have to actually develop the code to tell it to not accept certain file types, because by default your code, obviously if you're using some sort of framework, but, well, believe it or not, Laravel, they by default will trust SVG file types because they're classed as an image, and Laravel out of the box will happily let you upload that. Hence why it's actually a bug on BARKER, because the code works, it says trust images only, but SVG leads to XSS. So that's where I would then... you can get a feel for a site very quickly by finding certain features. So say for example you want to test how they're handling uploads, so find somewhere where you can upload your profile image, or upload whatever. In this case I know Rockstar Games, you can create your own emblem and upload things, so I would test for how they're handling this. If you wanted to easily go test for some sort of server-side request forgery, instantly go for, like, their developer panel, like for example people always find SSRF with webhooks on developer things and things like that, whereas you're not likely to find SSRF when editing your profile, for example. Do you know what I mean? Yeah, absolutely. One second, so we have 424 people in the chat watching. Wow, that's a lot of people. Do you mind dropping us a hello or an emote so we know you're not bots? Just to keep zseano and I going, I want to make sure we're not getting... I know this is not bots, but I've got to make sure people are... I've got to give them their toes, you know? What's up everyone, how real is everyone here? Pretty real, man, pretty real. It's crazy. Let's keep going, man, we have a little bit more time. So this is where you start looking, you said you call this looking for functionality, you hunt for function... Yeah, I wanted to get a feel for how the site works before I want to, like, really
invest my time and get to know how the site works. I mean, I want to know what parameters are being used. Like for example the target we're now hacking on, I've got so much research... I had no research whatsoever two years ago, three, four years ago, whenever they started, but over time it builds up, so then when they run events or open new scope you know instantly what to try for, do you know what I mean? So I'm getting a feel for how it works here. And yeah, when do you... so, like, we're testing this functionality with, like, the emblem editor, right? When do you decide to give up on this functionality and move on to the next thing? It depends on how the functionality is behaving with me. I mean, I'm pretty sure I've read a bug on this emblem thing, and if I'm right, if I save this it's going to be XML data. So again, as a hacker you'd start thinking, okay, well, what can I try to do with XML here? And I would move on when I feel like I've tried absolutely everything. But if I'm getting interesting behaviour, so some sort of internal error, some sort of error code coming out, or something interesting happening where I'm like, hmm, something is here, that's where usually potentially I'll ping somebody and be like, hey man, potentially something's here, what do you think? Or I'll just simply note it down for myself, and then when I'm feeling burnt out or I feel like I've tested absolutely every single feature, I can revisit my notes and things I've struggled on, and I can be like, right, okay, actually I didn't think about trying this, do you know what I mean, and I go at it again as such. There's lots of bugs I've completely given up on because they're just simply not vulnerable. Yeah, okay, so let's say this is not vulnerable, you found a vulnerability, whatever. What are we going to look at next? Are you just going to go down pretty much every functionality? Do you have a way you organise that? Every single functionality, I want to know how every single thing works, and that's why it can take
months and months and months to actually make it work, like, and understand how things work, because there's so much, isn't there? Do you know what I mean? And yeah, it takes me ages. Like, how do I flip this? I'm not sad... yeah, I go down there, you found one. Yeah, this literally... it doesn't really look like a face, does it? It kind of looks like a face [Music]. I am... this, like I said, I don't care in my opinion too much about what Rockstar Games has got out there, I want to know how their site works. I know it sounds weird, but I'm not necessarily looking for a bug right now. I might stumble across one, but I'm wanting to get a feel, because if there's lots to play with, if there's lots of parameters and there's things that are interesting, and as me as a hacker I'm like, this is interesting, I'm motivated and I want to keep going, do you know what I mean? And I want to enjoy the process as such. But yeah, that's where I get a feel for how things work, note things down, and in all honesty it's not let me down at all. Yeah, I mean, I'm finding bugs now on Apple thanks to your research, and that's literally... I've ran no tools whatsoever, I've literally just been following your research and what you guys told us you were playing with, and yeah, it's awesome. I mean, I have friends saying the same thing, saying that the thing that zseano touches on which is gold is going through the program's old activity thoroughly. Oh yeah, 100%, and that's a really good place of getting... yeah, it's a really good place of getting, like, a sense of what they have. Yeah, three years ago there was a blind SSRF. How do we know that they haven't rolled back that code? Or maybe they've reintroduced it. Maybe the person who fixed that then actually left that company, somebody else has come along and they've made some updates and reintroduced it. You don't know. I mean, there was another SSRF... sorry, I mean the other thing is, like, not even getting rolled back, but also how do we know it
was fully fixed and it wasn't, like, one of those band-aid fixes, right? Yeah, exactly. Like, jump in. And to see someone's question: how does your methodology differ on production sites when compared to test? It's fairly uncommon to have test environments available for bug bounties, but I think that's where I'm quite lucky to be a bug bounty hunter, because I don't have to worry about any of that, I get to just hack on whatever they let me hack on. I mean, the thing is, like, I think the rule of thumb is, like, if you think you're going to bring down the site, maybe don't do it. Yeah, you've got to be responsible. I mean, I even have that on BARKER, like, what you're testing on, like, the payload you're sending, you can test safely. So if you're testing some sort of blind SQL you don't have to cause their server to sleep for like 15-20 minutes, you can just do a 30-second sleep. When you're testing RCE you don't have to start touching internal code or, I mean, going in places that you shouldn't, you can just touch certain things to prove, hey look, I have access to this. It's just be professional, do you know what I mean? Don't bring things down. And another thing as well, very common, is clearing up your XSS payloads. A lot of people will use alert, I do it myself as well, but you should actually go ahead and remove your payload after, especially if your stored XSS is somewhere public, just in case somebody finds it. And if you want to leave it for the analyst to see then you should use a console.log and tell the analyst, hey look, check your console because it's logged something in there. Because I stumble upon XSS on some sites that people have left and it's like... Yeah, I mean, I think it's a good thing to always remember, you want to also clean up, because that page is going to be broken for you, it's going to just have alerts all over it when you revisit that page, it's going to be annoying for you and everybody else. Exactly. So let's look at this emblem thing really quick if you
don't mind. Let's just send the request and let's just save it, maybe. Can you save that at all? How do you un-save that? No idea. I press on create new, but this is going to create me a new one, isn't it? Oh, right there, so the bottom corner says download. I think if you press download it's going to give you the generated file for it somewhere, on the bottom left corner, that panel that you were doing. Oh, here we go. All right, if somebody's watching from Rockstar Games, how is that, like, obvious to us? Like, what is this? Where's the big save button you're supposed to... It's a scavenger hunt, dude. Ah, yeah, so you push that, it's going to generate something for us. It's sent it to save, it looks like, and it's an SVG. To me as a hacker, my first thought is, one, you've got emblem ID is one, can I modify anyone else's emblems? And same with parent ID and crew ID, can I potentially chuck my emblem in someone else's crew? Do you know what I mean? That's literally just from the first thought. Uploading malicious SVG data, which I would presume they made some sort of proof of concept with SVG where you can load internal images if you know where it's linked at, I believe. Yeah, I'd go from there really. And let's see what it responded with, so let's actually base64 decode that and see what it is. So for this one in particular, now that you see it's sending something in POST and it's a base64 SVG data, what would you test for? So, well, I know it's SVG data, well, first of all to see where they're storing that SVG, because if they're storing it on a Rockstar Games domain then I mean you can get stored XSS. But yeah, I'd basically see how they're handling the SVG, because, I wouldn't say it's XML code as such, but I'll potentially chuck some XML in there and see if there is an XML parser behind it, because you never know what might happen behind the scenes with that. Tell me why you wanted... tell me why you want to know if it's an XML parser, for people that don't know
why you're... sorry, why? So I'm asking the question, like, why do you care to see if there's an XML parser in the back? Because if there's an XML parser in the back then we'll be able to get XXE. And SVG files will execute XML code, like, their application type is always an image for SVG plus XML, it's something like that, so you can have XML code in the SVG. So when their parser thing says, okay, hey, here's your SVG image, when it gets to your XML code it might say, this is SVG code, this is XML code, and something else executes, and if you've got some sort of XML code in there to tell it to send a ping back to your server, that's where you'd get the ping back. Let's look at... let's throw this in the Decoder in Burp Suite if you don't mind, just look at what the SVG looks like, just, you know, to kind of talk about next steps. Yeah, sure, potentially. So I don't actually use Burp Decoder. Click on the decode... no, it's all good. Oh, there you go. Yeah, we just click on the decode as, on the top, in the top right it says decode as, and then do base64.
Oh yeah, yeah, it makes it look like that. Yeah, there we go. Yeah, I was using an online decoder because it's just handy for me, it's where I hack, it's just me. Dude, trust me, I forget that Burp has it sometimes too, you're not alone. Yeah. But yes, so as you can see here they literally just send in SVG. So again, this is where somebody who's mentioned XSS... what are they doing with this? Are they storing it, are they then reflecting it, are they parsing it, where is it? So this is where we then go check our emblem, and we can publish our emblem, so if we publish it, I want to see basically where it goes, what happens, where is this, what have they done with this, because we've given it to them for some reason, do you know what I mean? Right, absolutely. So we can see here as well, by the way, just from checking my requests, we've got feed m md token and potentially there could be a CORS bug here, because you've got allow origin and allow credentials. But not only that, if you had XSS you could potentially use this to chain in to do something else. Not only that, but we also have a websocket URL here, so you've got wss and then we also have a subdomain. Again, I'm just thinking out loud here, but they've got the word prod in there, which is short for production, and when companies always say that it's always, like, to you as a hacker, like, oh, what is on here? What's here? If you change that to dev, do you manage to interact with their dev server? And yeah, I always... I mean, it's also, like, extending your attack surface too. When you see a prod you turn it to dev, staging, QA, UAT, whatever, right? That gives you more to poke at. Yeah, exactly. And that's also then when, with me, dorking... where did that request just go? So I'd literally go ask Google, well, what do you know about this domain? Because, okay, they might know something about this. I've done a bunch of subdomain scanner things, so I don't think that... Google doesn't appear to have indexed it at all. But this is also then when I would
go to GitHub. I'm obviously not... I don't think you can search on GitHub without being logged in. This is where people always push code to GitHub, so you search for certain subdomains on GitHub, because some developer may have pushed some code for it, and you never know. And then also don't forget to go check Wayback Machine, because you never know what Wayback Machine might have on this URL as well. This domain might have been published a couple of years ago and there might be something on there, and they queried it and they stored it and they've got a copy of it. And yeah. Let's do this for the last thing, let's... I want to kind of, because I know you're really a big fan of doing Wayback Machine and looking for old assets. Yeah, massively. Let's look at Rockstar Games on Wayback Machine if you don't mind, and just kind of do that as a last bit for today's stream if you don't mind. Yeah, sure. Just so I would understand what goes through your mind. This would be where I would run the tool waybackurls. I believe, on a funny story, why I actually have used waybackurls is because of TripAdvisor, kudos to them. So if you look in their robots file, look at all these lovely animals. Wow. Yeah, lovely, isn't it? So I was like, I've got a genius idea, let's go on Wayback Machine and grab the last seven years' worth of data for their robots.txt files, and using that I found 7,000 endpoints. Then, using all of the vulnerable parameters that I knew were vulnerable, I managed to find like 30 XSS, easy peasy, just because there's probably just some old stuff still out there. But yeah, look, they've been logging since 2001. 2001, and there's a lot of data in there, and keys to the kingdom in my opinion. We're doing your recon discovery on TripAdvisor, 2001, hardly anything, we look now, lots. Yeah. Before we dig into this real quick, Sean, before we move on to the Wayback Machine, someone wants to know about the SVG thing. I think we
answered this already, but Sefedeen says: ask him if an attacker can encode the XSS code with base64 and inject it into the SVG script, is it possible? Like I say, it depends on what they're doing with it. So XSS will only be possible if they're storing that SVG somewhere on a Rockstar Games domain and then you visit the SVG file and it executes, or when you publish your emblem and somebody visits it and your SVG code has been reflected there, do you know what I mean? Because if you actually take the SVG code, wherever it is, so if you actually take this and you go somewhere like JSFiddle, when you press run it will actually then render your image. But then let's say you wanted to add some XSS there. If I add... just get some XSS here. So we've got that SVG there, but let's say we had this SVG, so it's still SVG but we've got our HTML in here, and if you were to run that... I mean, it's still HTML. So imagine if we supplied it with this. So let's say for example we get rid of this, so you can see here you've still got... let's give it a path, we've got... put it in here. So if we put it in here, so you've got the rectangle, let's say we want to add some script code in here, HTML. If we were to then re-encode that to base64 and then send that, let's say for example when you then visited my emblem on Rockstar Games they might reflect all of this, because like I say, there's my emblem and they want to show it to people, but there's also my XSS payload and that would execute as well. So if we actually press run, there's the XSS and there's the emblem. So just to, like, wrap this up, because I know people asked for this, this would only work, and Sean said this a few times, but I just want to make sure I get this across: if this saves on the server and you can actually link to the emblem directly, like an SVG file, or find a way to share it with other people, then you can exploit against other users, that's when it's becoming a vulnerability, right? So you have to make sure it's stored and presented to users
in some way, and not, like, being downloaded, for example. Because you can upload this and it could be an XSS, but they may just allow you to download it and it's going to just execute on their computer, which is not really something a bug bounty program would accept. And also visiting blobs: so when you upload your SVG, sometimes when you right click and click copy image address they'll give you it in a blob. That's not actually executing on their site as such, that's, like, from the browser to display you the image, the code as such, I mean, because you can also have a data URI to display images, and that's not actually... do you know, if you went to data, was it text/html, there's something, I think it's... off the top of my head. Yeah, so if you then put script, believe it or not, if you used to redirect to this a couple of years ago in Firefox then it would be vulnerable on that website, but it's not anymore. And even though you've got this XSS executing here, it's not executing on any website, you know what I mean? It's just going to wait here. But yeah. Okay, let's go back to Wayback Machine. People asking what is Wayback Machine: so the Wayback Machine, archive.org, they index versions of the website from years and years ago, so you can see for Rockstar's case right there it starts from 2001. You can actually look at what the site looked like, what endpoints they had, and you can get... and sometimes some of these endpoints may not be visible on their current website but they're still there, and you can explore them, because they were there, you know, five years ago, six years ago, and they were vulnerable [Music]. Yeah, and the example, like with me doing my Wayback stuff, is: are old parameters still used now? Like legacy code, because things move quick in the tech industry, and updates and teams and things like that, and even though, let's say for example, Facebook has had a complete revamp for their user interface and things like that, old code that's been indexed might
still be laying around. So some endpoint that is referenced in some sort of JavaScript code or whatever, or parameter, might still be used, and that's why I always have a little look as to what is going on. It's really lagging at the moment though. So yeah, I mean, it's really valuable if you go and look for these old things, because a lot of people don't realise, like you were mentioning earlier, people come and go out of these companies and people forget these endpoints were created for some god-awful reason and they're just left behind. Yeah, exactly. Like Wayback Machine, I mean, as well, if people do find bugs from this, I highly recommend you donate to them. I've donated a few times to them, because they've had a few bugs and without them it wouldn't have been possible. So if you can and you're in a position to, make sure to help them out, because they do it all not-for-profit. What's your go-to tool for Wayback, like, getting old data? Do you go to waybackurls by tomnomnom, do you use getallurls by cdl, both? Do you have your... No, I actually use the original one by... let me pull it up. I use this one still. So he actually saw my post with using TripAdvisor and that, and then he came out with the waybackurls, and he's also got waybackrobots. I still honestly use his scripts because, well, they absolutely work perfectly for me, really. waybackrobots. That's not the person that wrote dirsearch, right? The username looks like the same, almost. I feel like... maybe, no, I mean, I could be wrong. Okay, I am wrong. Okay, it looks the same username, almost, but it's not. No, I don't think so. He's made a few tools. But yeah, like I say, he saw me talking about the TripAdvisor robots thing and then he came out with the waybackrobots and I've used it ever since, and waybackurls, really. Yeah, do you mind dropping that in the chat since you have the chat open for us? Yeah, sure. Thank you, man. All right, so let's do one last thing, let's go to waybackurls and just walk me
through what do you do when you have, you know, you see all these different years and years of data from these websites. Where do you go? How do you... Well, it can depend on why I've used Wayback Machine as such, because sometimes I won't use it as such, because, well, I don't know, I don't know how to answer as such, because I don't know why I'd be using it on Rockstar Games, you know what I mean? Because when I use my tools or I'm going hunting on Wayback Machine I know why I'm doing it, like, what I'm specifically looking for. I mean, there might be a certain domain on Rockstar Games, so obviously I haven't done any scanning, but I would see what Rockstar Games used to look like back in the day. What did their login form used to look like? So what actually was it, it was Social Club or something, wasn't it? Let me log out. Yeah, so what does their... you know, sign in Rockstar Games, so let's go use a form. So what did this page used to look like? Because maybe a small parameter, things like that on there. So you guys actually, back in 2020.
So you look for specific pages, not the entire website? Or you do both sometimes? Well, that's what waybackurls will do for you. So you can run waybackurls, either the one I linked or tomnomnom's, and you get a list of URLs, and then run them typically through Intruder. And I run XAMPP locally and you run a PHP script which literally... open Notepad. I do, actually, I think I have a post on my site about this, but basically, let's say you had... so you'd run XAMPP locally and get all your Wayback URLs, so you'd have a list of URLs that potentially have been found on Rockstar Games and things like that. And it worked a lot better on TripAdvisor because obviously I had their robots file. But I'd run it through Intruder and see which ones still work, and literally if you run it, so if you run XAMPP locally and you literally just had something like this, I'm writing this literally raw right now, but then let's say you run XAMPP locally and you literally just visit redirect URL and send that to Intruder, and then run the list of URLs, and it will visit your local endpoint which will then simply redirect onto it, and then you can start mass grepping and seeing what's what. A few people asking me about this, let me just get a script set up or make sure I've got one set up. Yeah, I'm going to take you off the screen just so you can be comfortable. So what we're going to do right now is Sean is going to show us how he uses his redirect script to determine if these... to understand if these endpoints are still available, which is great, because you want to know what's still up and what's taken down so you can kind of shift your focus on the things that matter, pretty much. Did you say my screen's not showing anymore? Yeah, you're not being shown. Ah, cool. Yeah, I'm not sure you're comfortable... bank account, steal your money, I need you to go to hackerone.com/reports really quick. I'm kidding [Laughter]. All right, so people that are saying this is no
recon this is actually recon recon doesn't have to always be asset discovery doesn't have to always be finding sub domains finding a ton of substances just recon is such a big thing we kind of just understanding your target understanding what they have what they don't have and like where you want to focus so stop thinking about i think that's partially my fault a little bit too but stop thinking of recon as asset discovery the reason why i focus on asset discovery on my recon is just because i want to avoid finding vulnerabilities and it's easier to do asset discovery than content discovery because i won't get in trouble especially when i do it weekly but it's different when i have a one-off guest who's okay with doing this with me and we push the boundaries a little bit but we're still playing against uh we're playing within those rules um that we have uh are you ready or do you want to i'm just getting a list um i've accidentally just crashed burp loading a very quickly let's not crash anything on your own um but yeah this is like this it's a completely different recon and it it with with what zijano has done so far it shows that you don't have to always do the same thing as other people he's created his own way of recon and his reconnaissance are going to the main app because while everybody else is busy looking at subdomains and different environments he's busy looking at the main app that probably most people are ignoring because quote on code this has been looked at before right and that's not that exactly [Laughter] um let me just get i need to connect to my server to get some sort of like i'm going to get a list that i've already got so it's easier yeah and while we do i'm going to someone's asking about your methodology if you are interested in z shawn's methodology do me a favor go to bugbountyhunter.com and he can actually enroll in his website and he's teaching you all these things one uh different ways you can actually find vulnerable abilities report 
it to him, and he's personally triaging and giving you feedback. Right now, because he's doing the live hacking event with HackerOne, he will not be able to triage them, but he has a backlog I'm sure he's gonna get to, from what I've heard. But yeah, you can actually go, I highly recommend it, go to bugbountyhunter.com, sign up. I think it's like, you said, 20 bucks to sign up?

No, it's not 20 bucks to sign up.

I'm sorry.

So hang on, I was just getting a list. I don't have a very good list without giving away a target, and the list that I have that's really good for showing this is actually going to show a bug as well.

Just do like five or ten, just to show how the script works.

Yeah, I'll just do some really old endpoints of some stuff I found. But yeah, so with bugbountyhunter it's not 20 bucks, it's actually 250 for lifetime. I do have some different packages and some things coming, because obviously I understand for people it can be a bit pricey. But the way I priced it is, it's not just a case of watch some videos, do whatever. As you level up I kind of try to take people under my wing, and the whole idea is to enter my zseano machine, go round and round the washing machine in a circle, and I hope to kind of spit people out being like a full-time bug hunter and understanding the process as to what they need to do. And that's why I've made it lifetime, because I feel like if they want to be able to come back whenever they want and practice, because I plan on adding lots more bugs and things, they can, and there's no pressure, they can just use it to help themselves. But not only that, I want to create like a community of hackers. And yeah, I've got lots of plans.

Yeah, I thought it was twenty dollars a month. I think early on when you launched it was like a monthly thing...

Yeah, it was, yeah.

That's why I was like, for the lifetime? But I think you've changed your pricing since.

I've got a lot of plans. I mean, I'm no business expert when it comes to things, I'm still working out some stuff, but yeah, I'm gonna be having some more packages and more accessibility for people really. Yeah, I'll work some stuff out.

Very cool, man, that's awesome. But yeah, go ahead and go to bugbountyhunter.com, very good resource, I highly recommend it, and you guys are actually seeing this, you know, hands-on on the stream, how zseano does it, and it's very similar to his website as well.

Yeah, I mean, I know a lot of people as well will be like, well, this is no recon, you've not run any tools. But I've run zero tools for the live event on HackerOne and I've got four criticals triaged, like they say it's a valid bug. I've run no tools, I've done no recon, nothing at all. There's nothing wrong with doing recon, but if every single person is doing recon and running the same tools, they're using the same services and everyone's looking for the exact same stuff, you're gonna miss stuff. And I actually see this evident as well with people testing on BARKER, because I can tell the people who are just running tools to look for things, and I can tell those who are actually understanding how the web application works, and they're finding things and stuff like that. And yeah, that's just me, it's how I hack. People might think it's bad, but it's me and it finds me bugs.

But the thing with hacking, man, it's not like everyone has to do it the same way, right? You have to find out what works for you and you just gotta get better at that, right? And you found this is what works for you: you don't like tools. Surprisingly enough, when I tell people, it's like, I'm the same as you, I have a better time hacking on a single web app that's huge versus a big-ass company like Yahoo, Verizon Media, where there's a ton of subdomains. But it just comes down to, you have to understand what works for you and then just
keep on pushing that forward, you know, getting your methodology better and better and better as you go.

Exactly. And not only that, but you'll find that, like, the trend is your friend, like I say. A lot of websites work exactly the same, and one bug that you found on a website is probably going to be found on a completely different website, because all developers are using the same thought process, code libraries, et cetera, et cetera. And yeah.

All right, let's, do you want to try and run your script one last time?

Yeah, well, yeah, I'm just going to run it on the TripAdvisor robots thing, but typically I wouldn't run this on the same domain. So at the moment this is literally just going to hit tripadvisor/whatever I scraped, et cetera, and then I grep through Burp. But typically with waybackurls, for example, you'll see there's lots of different URLs and things like that, different TLDs and things like that. So the whole idea of the redirect script is it just redirects for you, you know what I mean? So if I share my screen I'll show you literally how it works. So basically, I've got tripadvisor.com put in there, but you would literally set your position here, and you would have all of your URLs that you're wanting to hit basically here, and you tell it to follow the redirects.

Yeah, follow redirects.

Yeah, make sure you always do the follow redirects here, because obviously it's got to hit your script first, and then it'll literally send it off.

And just to make it clear, zseano is running a local URL on his end. That script is on his end. All it does is it takes these and redirects them.

So he's made a redirect script, so it's literally nothing special. It just literally takes the parameter and redirects to it. But, like I say, I've not looked at TripAdvisor for a very long time, but I'm able to work out, from my old data, let's say TripAdvisor said, hey, Sean, come back and hack on us, let's say I wanted to use my old data, I'm instantly able to find which endpoints still work on TripAdvisor. So we've got saved flights, search ajax, and, you know what I mean, I'm getting a feel for what's been removed, what hasn't been removed, what's working, what's not working. And so when it's done, that's when, let's say, if I was hunting for URLs, and you can do this with subdomains and things like that, when you start grepping, I look for common keywords, for example like login, return url, and things like that. Because if I find it on here, let's say I'm scanning subdomains or I'm scanning some endpoints, and on one of the endpoints there's a login found on there, it's like, okay, well, why is there a login found here? Is it just a normal login? What's going on? And yeah, it's always just going down the rabbit hole for me.

People are asking, why don't you use ffuf? Again, if you think about it, guys, he's saying that he doesn't like using a lot of tools. Everything you guys are mentioning, using ffuf, using whatever to get the response header, those are all valid, but his way of doing this, it's just, again, there's no right or wrong way of doing this. What works for him: he likes to stay in Burp, he doesn't want to use multiple tools, so he's doing it through Burp Suite, because he already has a setup for him and the false positives are less and he doesn't have to rely on a third-party tool. It's just, this is how he likes to do it, and again, there's no right or wrong way of doing these things. You just have to find what works best for you, and you're just gonna improve and improvise as you go, right?

Not only that, but there's nothing wrong with tools, don't get me wrong, but a lot of times it won't just be a simple redirect. Sometimes, I've got, on Apple, I'll be honest, on Apple I've got a custom curl script, because when you run the most common tools and a lot of HTTP screenshot tools and things like that, think about your target, right? I'm going to use Apple as an example, and why a lot of my tools... because the idea with these, with ffuf, is literally just sending a request to it, isn't it, right? And you can make a tool, like, you can make some code send a request yourself, and curl as well, but the thing is you have so much more control over it, because you can add your own cookie values, headers and things like that. I know you can do that in ffuf, but straight out of the box most people will just run ffuf without customizing too much, et cetera. So for example on Apple, when you actually go do a lot of their subdomain scanning and you hit a lot of their endpoints, most tools are hitting them with a desktop user agent, and believe it or not, they will actually reply if you change your user agent, but not only to just a mobile user agent: you have to change it to a specific user agent, which you can only actually find if you actually test Apple. So you can go ahead and run all your tools against Apple, whatever, and they're going to come back saying there's nothing here. But what my tool would do, and what people should realize, is understand this certain domain: for example on Apple, if you add this header as the user agent, if you add this certain user agent, all the endpoints you find are going to respond to it, whereas if you hit it with just a desktop user agent it's not going to reply, it's not going to do nothing. And that's why I feel like a lot of people get lost with a lot of their data, because they don't know what to actually do with it, you know what I mean?

Yeah.

But that's why, personally, I like to just use custom redirect tools, custom requests and things like that, because again, I know you can add, I believe you can add cookies and things in ffuf and that, but for me, I just like using Burp. I like seeing this list, I like seeing what it's doing, the requests, seeing the response. I can easily mass grep through everything. I've not had to use something external. It's here. This is my hacking kit, that's me, that's my rhythm.

Yeah, and I mean, honestly,
man, like, again, you have found a way to, you found what works for you, man. Like, the point that I'm trying to get across to people is, stop getting lost in what other people are doing and find the things that work for you, and that's all I can say about that, man, right? We don't have to all do the same thing the same way. Whoa, let's not get that up. [Laughter] Here, let me switch your screen so you can close whatever you want out of the screen. You're not on anymore, if you want to close things out. But yeah, so again, like, you can use... all right, we're all right. The only code that I accidentally showed was BARKER code.

That's so good, you have your secret key right there.

But if you want to close it out, on the screen, you're not on the screen yet. But yeah, panic. All right, let's do a few minutes of Q&A, chat. Just quickly, we've been live, I've been live for two and a half hours and I think Sean's been live with me for like an hour and a half for this, almost.

Yeah, it's crazy.

Yeah, very, very valuable. This is one of my ultimate favorite streams so far, man. I'm so grateful that you have been so open to sharing your knowledge with us. But drop some questions, I'm gonna bring you back on again, Sean. There we go. Yeah, drop us some questions, what would you like to know? Did you guys get all the answers you wanted? What did you guys think of this session, was it helpful? What are the note-taking tools you're using? And he just says, you use Sublime, right?

Yeah, I just use a text editor, Sublime.

Okay, someone subscribed. What you did with Burp and your open redirect, one more time, just for people to understand what happened there?

Yes, so, let's say for example I've got lots of endpoints and I want to mass test parameters on them, or lots of different domains that I want to test, so let's say there's lots of different subdomains, then literally all my redirect script does is, you can see if I go on the Intruder position, so I've got literally my PHP script set up to take the url parameter and simply redirect to it. And yeah, it just redirects to it in Burp, and it enables me to easily see the response, see what's going on, I can grep for it. It enables me to mass test parameters across different endpoints and things like that, subdomains.

Yeah, there is a guide, I believe, on bugbountyhunter.

Yeah, there is, I did write one. Sorry, I wrote this a while ago for everyone. So this literally just sums up what I do. You see here how I'm testing all of Yahoo's different domains. Like I say, there's probably tools out there to do it, but for me I just like hacking in Burp, I like keeping everything in Burp. It's just how I hack.

Okay, somebody says, I don't understand this question, but someone says: what do you do when you put in a payload in a cookie, you get a 200 OK, but you're still doing a desired response and the vulnerability is not revealed yet? Example: you know there's a vulnerability but you can't put your finger on it.

Wait, say that again, sorry.

Yeah, I don't understand the question now. What do you do when you know there's a vulnerability there but you can't fully exploit it? I think that's what they're asking.

Well, it can depend on what it is they think is there, as such, like what are they trying for? I'd need more context really on what that is, the test, like what they're testing on, as such.

We want to know if we can get zseano again tomorrow and the day after that. So since this is a big request, I'll work with Sean to see if we can bring him back on again when I come back from my break, because again, this was really, really cool, this was awesome to have him on here. You're doing also a talk at NahamCon, right?

Yeah, I am. I need to get that recorded for you. But yeah, I'm going to kind of teach people and kind of, not give them homework as such, but kind of give them something to do for the next 12 months. And I want people to kind of hopefully use the information I give in this talk to go away for the next 12 months and do it, and come back and tell me how many bugs and what you've done, really. That's the kind of, to help people. Yeah, that's the plan.

Fair enough. Well, hey man, I wanted to really thank you so much for being on here, thank you so much for taking the time to come on here. This was very, very cool. Thank you so much for sharing your knowledge with us and being so open, and most importantly, thank you for everything you've done for the community, whether it's with bugbountyhunter.com or your tweets, mentoring folks. But yeah, everybody, if you see on the screen, bugbountyhunter.com, head over there and show them some support, sign up and you will learn a ton. I vouch for it myself.

And yeah, Ben, feel free, however you see fit, to give like free memberships away, like three free accounts away to whoever you want. Literally just get them to send you their email. Whoever you choose, however you choose them, is entirely up to you, and I'll send them an invite, free of charge, for lifetime. And I'm also going to be giving away lots of them at your conference.

So cool. Well, how about this, I'm going to drop a thank you tweet after we get offline. In that tweet I will mention how we're going to do the giveaway. We'll do three giveaways, thanks to Sean offering them. I'll throw them in it on Twitter, I'll tag Sean himself, so if you don't follow him you can go follow him as well. So just head over to twitter.com right after this stream, I will drop it for everybody to enjoy. And last but not least, before I let Sean go, he's also speaking at NahamCon. NahamCon is going to happen exactly a week from today on this channel, tons of good speakers, tons of good CTFs, tons of Discord villages and so on. Let's say thank you to Sean for being here, man. Thank you so much for being here, I appreciate you so much, I can't say that enough. Thank you
My pleasure. And we'll talk soon, take care.

Thank you for having me. See you, man, have a good one. Peace.

All right, that was it. I just want to say quickly, thank you guys so much for being here. This was an insane stream, there was a lot of people watching, I think we almost had 500 people, which is freaking insane. I'm going to go ahead and go offline. I did the math wrong, I think I was going to raid into the Ultimate Hacking Championship. If you're not familiar with esports hacking, or hacking esports, I'm going to drop a link in here, you guys should definitely give them a follow, go check them out, go follow them, show them some love. What they do is incredibly fun. They are actually showing everybody how to hack, like you can watch people approach a live target in the form of a competition. I highly recommend it if you want to get some more of these, so you can actually watch people hack live as they go. If you want to go check them out, I highly recommend it. I wish I could raid them earlier, I wish I were going live earlier so we could raid into their channel, but unfortunately they're not going live for another hour or so. But I do see someone is doing OSCP training, they're a brand new streamer, I think the channel is, yup, the channel is English, we're gonna go raid him. Listen, there's 300, don't leave, if you want to leave, leave after we raid, but do me a favor, we're going to go into this channel, he has five viewers, and we're the number one channel on Twitch Science and Technology right now. We're gonna go raid in and push him to the top of the list. I want you guys to get loud, I want you guys to support, say what's up to him. I will see you all here maybe tomorrow, depends on how my work goes. If I get a chance I'm going to be here tomorrow, but otherwise I will be live on Sunday for NahamCon. If you want to come hang out on Discord I'll be around. If you want to purchase the course, here's my course, you're more than welcome to grab it, it's going to be 60% off for now. Other than that, I love you, thank you so much for being here, thank you for all the new followers, thank you to everybody that raided me today, thank you for all the new subs. I appreciate you guys so much, I can't say that enough. Thank you, thank you so much. I'm out. I love you, take care, I'll see you all soon. Peace.
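The redirect-script workflow zseano describes in the stream above (a PHP script served locally that takes a url parameter and redirects to it, fed a list of old waybackurls output from Burp Intruder with follow-redirects switched on, so each response that comes back is the target's and can be grepped) is shown below as an added example. It is not his script and not code from the stream. The file name redirect.php, the loopback port, and the loopback-only and scheme checks are this example's own assumptions; the parameter name url and the Intruder setup are as described in the transcript.

```php
<?php
// redirect.php: local helper for re-testing a saved URL list from Burp Intruder.
// Added example, not zseano's script. Serve it ONLY on loopback, e.g.
//   php -S 127.0.0.1:8000
// and point Intruder at  GET /redirect.php?url=§https://example.com/old/path§
// with redirections set to "Always", so Burp follows the 302 onto the target.

declare(strict_types=1);

// Refuse to serve anything unless the caller is on loopback. An unauthenticated
// redirector reachable from the network is an open redirect on your own box.
$client = $_SERVER['REMOTE_ADDR'] ?? '';
if (!in_array($client, ['127.0.0.1', '::1'], true)) {
    http_response_code(403);
    exit('loopback only');
}

// Intruder URL-encodes the payload by default, and PHP decodes it into $_GET,
// so a target such as https://host/p?a=1&b=2 arrives intact in $_GET['url'].
$target = $_GET['url'] ?? '';

// Only absolute http(s) URLs are forwarded. PHP's header() already refuses a
// value containing CR/LF, but checking the scheme also stops javascript:,
// data: and relative junk from ever becoming a Location header.
$parts = parse_url($target);
if ($parts === false
    || !isset($parts['scheme'], $parts['host'])
    || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
    http_response_code(400);
    exit('bad url');
}

// 302 so Burp's follow-redirects takes the request on to the real endpoint;
// the response shown in the Intruder results table is then the target's.
header('Location: ' . $target, true, 302);
exit;
```

Usage: run the built-in server from the directory holding redirect.php, send a request to http://127.0.0.1:8000/redirect.php?url=x to Intruder, mark the value of url as the single payload position, load your waybackurls output as a simple list, and under Intruder options set Redirections to "Always" (127.0.0.1 is not in scope, so "In-scope only" would stop at the 302). Leave the default payload URL-encoding on so an ampersand or hash inside a target URL does not split the url parameter. Once the attack finishes, sort by status code and response length to see which old endpoints still answer, then grep the responses for the keywords he mentions (login, return url and similar) to pick the ones worth a closer look.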
Info
Channel: Nahamsec
Views: 14,231
Keywords: bug bounty, recon, hacking, ctf, oscp, STOKfredrik, thecybermentor, defcon, tryhackme, metasploit, zseano, bug bounty methodology, bug bounty hunting, pentest, red team, nahamsec, nahamcon, bug hunter, hacker, hackerone, bugcrowd, synack, owasp, owasp top 10
Id: 8Sqp_kryB4E
Length: 89min 33sec (5373 seconds)
Published: Wed Jun 30 2021