Small Winds - No. 07

A personal mini blog about infosec and life

It's been a long time since I posted. I had to deal with a lot of things that put my writing on hold.

Lately, I've been thinking about mentioning in the blog that I lacked motivation for a couple of days with bug bounty, and then I felt a bit scared. I was scared of the thought that people would criticize me for making a mistake or not "being perfect" even for a brief moment.

But my mentality and mindset are different from that. I've always known it's okay to make mistakes and to be open about difficulties, and obviously - it's okay to "not be perfect" all of the time (I'm putting the word 'perfect' in double quotes as lacking motivation isn't imperfection at all).

I believe that these feelings are related to recent trauma I went through. It originated from stalking and a major criticism (actually more of a humiliation or an attack) of making mistakes - even the smallest ones, and even if they actually weren't mistakes. It was a combination of manipulation and toxicity.

But actually, it might be quite insignificant for me because I have a strong belief that being open about making mistakes and imperfections is not only okay, but critical for a healthy mindset and self-development. So for anyone reading this - I encourage you not to be afraid of making mistakes and imperfections, even if this is hard. In addition to the advantages I already mentioned, this also helps with making deep connections with others.

One thing I recently learned is that when you encounter manipulative, emotionally unqualified (context below), and vengeful people, run away as if from a fire, because even if things don't affect you immediately, they can in the future. This is also a mindset I adopted a long time ago, but not to the fullest.

Although it might have been like this in the past, I believe these days, it's more prominent that people feel like they can say whatever lies they want and get away with that without any consequences, even if the lies have major effects. One possible reason for this is that in recent years, a lot of politicians or people in powerful positions allow themselves to make false statements and it seems there are no significant implications. But I believe things are like tsunami, in the beginning there's silence, but later, the time takes its course.

For instance, unlawful rules in the US - there was a quite time for a month or two, but then people started to defend and fight for justice and morality.

Usually this is how history acts - people do unethical things lacking accepted values, and later (might be days, months or even hundreds of years), the justice arrives in certain ways, and even if there's no justice, history remembers. Usually history remembers not only the criminals themselves, but the people who helped them, like Volkswagen in WW2, and even if they are not remembered as guilty, they are remembered as the ones who were part of these actions.

Actually, there are also groups and individuals who unfortunately will not be remembered, or at least their attackers will remain unknown. This is how life is - there is evil in this world, and I think it's needed to fight this where it's possible.

Why? There are many reasons for this question and this article is too small for discussing them.

It might be somewhat unrelated, but it reminds me of the domino effect in the context of hate, discrimination, or racism when originated from groups in power.

When there's an attempt to attack one marginalized group, it usually continues to other minorities and groups not in power. It might be because of emotional immaturity, vengefulness or any other relevant characteristics of people in power, but it could also be about preserving control. Being inclusive and respectful of marginalized groups and minorities leads to less control for people in power (when they are not part of these groups).

This is actually what currently happens in Trump's administration - the attack started with transgender individuals and people were surprised when it continued to other groups that seemed like they were harder to attack, like women, black people, etc. Here's an example:

Part of it reminded me of the attack on DEI.

Trump's administration attempted (and partially succeeded) to fearmonger about the idea that groups like LGBTQI+, women, black people, Muslims, etc. are hired at the expense of other people. There might be situations where positions that are preserved to marginalized groups, but I'll be focusing on generally being against the idea of DEI.

People who are against it actually mean they are against the diversity, equity, and inclusion of people in the organization. I believe when people are against being inclusive, being equitable, or including people from diverse groups, it will eventually negatively affect the organization or country.

How is someone supposed to feel when their basic needs aren’t acknowledged or when they’re treated unequally? It leads to resignations, less success to the organization or country, and creates a toxic atmosphere.

So when I hear that people are against equality, inclusion, or allowing diversity, it sounds to me at the very least strange, and in other cases, an extension of hatred, racism, and conscious or unconscious attempt to preserve power.

Lack of empathy and lack of emotional sensitivity can slow down the progress of a team, a society, or a country, and even lead to its downfall.

This is why it's problematic to put hateful and emotionally unqualified people in key positions. But sometimes they are intentionally placed in positions of power because it’s easier to control people through fear, division, and hatred, for example look at Hitler or Trump.

The collapse or delay of development of countries or companies can be prevented when there's an entity that protects against those hateful and emotionally unqualified people, and from their actions and decisions. It might be really problematic when this person was appointed because of a personal connection and friendship. I know there are significant advantages to this, and I might also work with people I trust or know in advance, but the problem begins when you protect their unethical or unprofessional actions, or when you appoint them when you already know they behave like this.

All of this also makes people leave the organization or country. I've heard of people with formal education or professionals in critical fields leaving their countries. For instance (and without taking any political stance) in Israel, or in the US. A famous historical example for this is Albert Einstein who left Nazi Germany.

If I had to share a personal experience for this, it would be that I left two CTF teams where I was an important part of them, because of hateful speech which was allowed or originated by the team leaders.

As I said, it's about preserving power. Why would people want to preserve existing power structures?

By being against diversity, equity and inclusion of different people, they try to determine who gets access to wealth, jobs, and other opportunities. They are doing it for example by fearmongering fake issues.

They know that hierarchies create some kind of stability, so they are afraid of civil rights, feminism, LGBTQ+ rights, etc. which makes them feel like their control is being attacked.

All of this makes me think of the absurdity of when one marginalized group (or a group not in power) attacks other marginalized groups. For me, it's like shooting oneself in the foot.

ANYWAY... like everyone else, I tried the new OpenAI image generation and it looks great!

Thoughts and Experiences

(🐞) My bug bounty plans have been changed. Inspired by Ciarán, I made myself a challenge (60 hours challenge). I chose a target site and I'll see how things progress. My expectations are not very high because the scope of the program is quite small, but let's see how it goes! Oh, and actually this mini blog series is also inspired by his blog.

I'm already 5 hours in and mainly used it to set automations for this website. Specifically, monitoring changes in JS files. I'm not done with it and wonder if it's worth my time, since the JS files are very obfuscated, large (1-2 MB), and the obfuscation changes about every day. One thing I could do, is to monitor for changes, prettify the files, check for new or removed lines (while ignoring lines that were modified, as it modifies the obfuscated variable names - I take into account the possibility of missing stuff), and keep only the new lines.

This program isn't new to me and there are things I've already done. So here are the recent highlights including other stuff.

• (🗒️🗒️🗒️) Organized and gathered my notes and leads. I exported the relevant things from Burp Suite to Caido.

• (🪲) I found a bug in my target site that exposes PII, but it was a duplicate.

• (🔍) I started using Caido. Although it lacks some of the features Burp Suite provides, it has other nice features, like workflows, findings, files and other interesting sections. They make it better frequently. I also really like the UI and the fact that it works very fast. I'm really afraid it would be emotionally hard for me to get back to Burp Suite if I have to.

• (🪲) I tested a certain feature in a website I use, for personal reasons and it led to a bug. I reported it and it was considered informative. This will probably be my next target site for my next challenge, after I finish this one.

• (👩🏻‍💻👩🏾‍💻👨‍💻👨🏻‍💻👨🏾‍💻) Critical Thinking had another hackalong event which was fun and beneficial. I continued testing this target with the leads I gathered during the event.

• (👩🏻‍💻👩🏾‍💻👨‍💻👨🏻‍💻👨🏾‍💻) Critical Thinking also had a bug escalation event where people shared some unbaked bugs and we tried to exploit them together. It was funny and informative.

• (📱) There's a certain mobile app I use on a daily basis, and it motivated me to do some Android mobile hacking, so in my spare time I focus on this. I think this is one of the reasons I commonly encounter the advice of doing bug bounty of apps you already use, or apps that interest you. Personally, I have more motivation there.

• (📝🎫) A while ago, I spent a lot of time in doing threat modeling on the application I test, organizing everything and reading the documentation. Although it took a lot of time, it was beneficial and important. It made me understand the application much better and the testing much more efficient. Specifically, reading the documentation resulted in the discovery of new attack surfaces and ideas and also valid coupon/invitation codes, email addresses and usernames I can use for testing. It was kind of funny that they accidentally exposed an invitation link in a video when hovering over a link.

• (⚙️) I used gau for the target site, and it revealed a lot of useful URLs - some of them contain credentials and even valid coupons or invitation links. This is a very powerful tool.

• (🐞) Found a bug in BMW that got accepted: https://app.intigriti.com/profile/orelg

Interesting Resources:

• https://regexper.com/ - website that shows regex using a diagram.

• https://portswigger.net/research/top-10-web-hacking-techniques-of-2024-nominations-open - all the 2024 nominations for the top 10 web hacking techniques.

• https://medium.com/@illoyscizceneghposter/exposed-credentials-guide-not-just-in-client-javascripts-101-case-studies-131b765e07a2 - niche areas for exposed credentials.

• https://medium.com/@maxpasqua/type-confusion-dos-in-fb4a-747837d3a8e3 - Type Confusion in Facebook.