How to think out of the box with @gwendallecoguic


Hey hackers! This is another AMA on the topic of: How to think out of the box?

If you haven’t checked out the other ones, they’re at https://pentester.land/ama.
And the podcast episode that started this whole series is The Bug Hunter Podcast 4: Bypassing email filters & Thinking out of the box.
While preparing it, I wanted to include advice from different bug hunters. So I asked several hackers these 3 specific questions:

  • How to find bugs that are not duplicates?
  • How to find new areas of research (like in @securinti’s last blog post or what James Kettle does)?
  • How to find logic bugs or bugs that don’t fall under any category, can’t be found with tools or require real thinking?

@gwendallecoguic was one of the awesome hackers who responded. Here is his advice:

Some weeks ago, someone on Twitter asked what tools we use the most for hunting.

My reply was (the initial answer was in French, but here is the English translation):

Imagination. In #bugbounty technical knowledge is not so important, you just need to do what other people don’t, because they didn’t think about it or because they were lazy. Success guaranteed.

Being honest, it’s hard for me to think out of the box because I have been a developer for a very long time now, so I always think like a developer, it’s in my blood. A hunter who doesn’t have any technical background will be able to think differently. For me it’s hard. What I try to do is to read (technical) security resources as much as possible, and I usually get new ideas from there.

For that reason, my advice will not be exactly about thinking out of the box; it’s more a general point I was able to notice several times while hunting. It’s the second point of my answer, about laziness.

Whenever you feel that a task is boring, be sure that other hunters feel the same. So if you can get past that feeling, then you will find what others missed because they gave up. I remember a program where I was successful. Using directory brute force, I first found a .git directory. Many hunters would immediately report an information disclosure. But after grabbing and studying the code, I found an RCE. Another example is from JavaScript files. It can be very tedious to extract endpoints, find parameters, good values, etc., but again, if you persist it will pay off for sure. I will finish with my best success; it’s also a nice example of obstinacy, of not giving up when things become hard: http://10degres.net/aws-takeover-ssrf-javascript/

That’s it :)

This is great advice. I’ve noticed that what makes some writeups/findings amazing and valuable is that they go way beyond the first obvious bug found, like you recommend. Or they show impact with elaborate PoCs. So it’s nice to hear your philosophy on what to focus on.

What I wanted to add is, you will often hear something like “root is a state of mind”. For me it’s really relevant. Hunting is like every sport: 50% about skills, 50% about spirit and 10% luck :)

Thank you @gwendallecoguic. I love what you say about laziness and mindset! Also grateful for your time.

If you want to be notified when new articles, our newsletter and podcasts are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…
