Orel Gispan

Small Winds - No. 06

A personal mini blog about infosec and life

One day, about two weeks ago, my partner was talking to me, and I felt the urge to pay closer attention as he spoke. I focused on his body language, facial expressions, and other nonverbal cues, knowing that by doing so, I could better understand his feelings and what he was really trying to tell me, and connect with him on a deeper level. I'm not sure what made me do this, but I believe that many times people speak to me (and I'm sure I'm not the only one), and although I'm usually attentive to their words and emotions, placing even more focus on the person I'm communicating with can yield much more from the conversation. A while ago I started reading a certain book (maybe I'll review it once I've finished reading it) that touches on this topic in one way or another. Years ago, I got familiar with the concept of active listening, so this subject wasn't new to me. Still, I want to be more conscious of it as it truly enriches relationships, and I really encourage others to get familiar with it as it can enrich yours as well.


A heartwarming picture I took of two companion or mate parrots - they're always together!

Recent Thoughts and Experiences


(🤩) My last CTF writeup was shared in two different blogs, wow! That really surprised me.

I also won the 'Most Detailed Writeup' competition for the World Wide CTF! It was for this writeup. I didn't even know about this competition when I wrote it.

The announcement of my winning

(🔬) Someone (I believe it was James Kettle) mentioned in the past something about how a person could start research. More specifically, he mentioned an article that I want to find. He talked about people sometimes asking which subject they should research and whether their research ideas are good enough. I remember him saying that if you have an idea for research, just go for it, there are no bad ideas for research (I hope I'm not misquoting him 😬). Either way, I believe in that approach, and I've been waiting for interesting ideas for things I'd like to research. Recently, in one of my tests, I encountered two strange behaviors related to servers or reverse proxies. One of them involves a discrepancy related to encoding, and the other is related to a certain malformed HTTP request structure and how servers and reverse proxies respond to it.


(🚩) Last weekend I participated in a certain CTF and tried a certain challenge that taught me a few things, but overall it was a guessy challenge. A guessy challenge refers to one that lacks clear direction, includes red herrings, and requires guessing unrelated to logical reasoning.

Generally, I believe these kinds of challenges are considered less favorable because they waste the solvers' time on parts that might be irrelevant to their solving attempts.

For example, you can see the following comments from people about such challenges:

Low ratings for different CTFs because "guessy" challenges

Here are a few points that can be problematic in challenges:

  • Participants have to guess things unrelated to logic (for example, a username, or even worse - one that isn't found in common wordlists).

  • No source code is provided, the web application has many functionalities, and nothing appears suspicious or everything returns 500 errors.

  • A challenge that provides source code, which is not the real source code, with parts of it removed.

  • Suspicious behaviors or even vulnerabilities in the web application that are unrelated to the solution.

There are more aspects that can decrease the quality of a challenge, such as copied challenges from other CTFs, wrong flags, etc., but this section is about something else.


(🔎🐛) I haven't invested enough time in bug bounty lately because of the many tasks I have, and since I sometimes feel very tired after work, I’ll try to lower my weekly goals to 5 hours a week and see how it goes from there. I’ll update each time on how my goal progresses, and I’ll start with one month.

Week | No. of Hours | Notes
 | 0/5 | Current week
I haven't mentioned it, but my main goal in bug bounty is to get better at application security. Sometimes, I encounter the belief that after a certain amount of time—let's say one to three years—a person has reached a level beyond which there isn't much more to learn. However, when I encounter bugs, ideas, exploitation methods, a deep understanding of certain technologies, programming skills, and more, I see how much more room there is for improvement and learning.

My second goal is to hopefully earn money from this.


(🚩) This year, I've reached the goal I set for myself two and a half years ago regarding CTFs. I find CTFs to be another way for improvement. Whereas previously I focused on getting the highest score, currently I invest a certain amount of hours each weekend on a specific challenge or challenges, and focus on learning and research. This means that I still try to solve the challenge, but I delve deeper into things like documentation, deeply understanding the source code, researching topics, and trying to comprehend and learn, even if it comes at the cost of not solving the challenge in time. Actually, a lot of times the opposite is true - focusing and investing time on understanding the system and researching helps with solving the challenge.


(🤖) XBOW - In the past months, there have been talks about XBOW, which is supposed to be an AI-based tool that helps with penetration testing and bug bounty. The company claims that the tool's capabilities are very powerful; for example, you can see some of them here. Since September, they've reached #11 in the USA on HackerOne and found 20 critical bugs. Although some of the programs may have been VDPs, it still raises questions such as: How will this tool or other ones in the future affect bug bounty hunters and programs? How will it affect penetration testers' job positions? Is it really as good as they claim? Which bug types can it find?

People say various things, and I agree with some of them. If it's as good as they claim, it may be beneficial to the security research field as it will give penetration testers and bug bounty hunters more time for research instead of investing time in finding basic vulnerabilities.

It may also drive people to get even better and search for even more complex bugs.

Time will tell.


(📄) As time passes, my belief that Mirantis will help me with the voucher problem for the DCA exam disappears. I believe I've studied enough to pass it, but I'm not planning on paying another ~$200 for a voucher :)

I'll try contacting them a few more times, but maybe I'll leave it in the near future. I've gained the knowledge and experience I wanted.

Now I'm thinking about my next certification, and it will probably be one of the AWS ones as I want to study cloud security.


Regarding my studies for the DCA exam, in the last few months I've noticed how my control and understanding of Docker have increased. I've used Docker for creating images that helped me with tasks at work and when Dockerfiles were provided in CTFs. Now I've also started using it for personal labs and mini-projects or PoCs I need.


(🐛🐛🐛) This week I participated in an online Hack-Along event for a certain bug bounty program. I participated partially, but my main goal was also to see how others hack while Rhynorater was streaming. Although there were some similarities to things I do, I learned a few things and got some new ideas. I need to strengthen my client-side hacking, and I might give Caido a try in the future. Two people even found vulnerabilities; one of them found a few critical ones.


Interesting Resources




