Praha, Working outside and filters
Hey! I'm currently in Praha. I really love this city; the architecture of all the buildings is crazy.
I was in Berlin last week, and I didn't know anything about this city. That was a very nice experience discovering it, and the Kebab was insane.
If you like architecture, you have to go to Berlin and Praha. But now, let's talk more about hacking stuff.
How I manage my work
It can be very hard when you work for yourself or remotely to be efficient. Especially in this field where you can't really have precise goals. You can set some financial goals, or in terms of the amount of bugs or severity, but it's not very precise.
And you have to be disciplined to stay in front of your computer every day looking for bugs without the certitude that you will find something.
It was very hard for me at the beginning, probably because I didn't have any confidence in my skills of finding something. And I found some tricks to manage my work.
It can be paradoxical as I have the freedom to work the time I want, but I like to count the time I'm working on something. Some people use Toggl to do it, I personally use Balance, a Mac app to manage that.
I know that when using it, I will stay consistent at work and not be distracted by something else. Some people prefer to work on workdays during a regular schedule. I personally work every morning until 12 (yes, I'm a morning hacker sleeping at 10, it's a shame), and then, during the afternoon, I chill, visit places if I'm not at home, or learn new stuff related to IT security.
I'm also not looking at the hours I'm working but more at how efficient I am when I'm working.
When I'm traveling, I also tend to work more. I stay in the same coffee shop for a long time and I don't see the time pass, and I love that compared to when I work at home, where I have a lot of distracting stuff around me.
Building filters for Hackyx
Last week I was also playing with JavaScript and CSS to create filters on Hackyx. That was painful because I hate CSS, centering stuff, and making something responsive. But I finally did it and you can now filter on almost everything.
My next step is to create an easy way to index content. I found that creating a PR each time someone wants to add content can be painful, even for me.
I think I will build a browser extension, like the Omnivore one, and each time I see or you see a good article, it will scan the content and ask you about tags and then it will be sent to Hackyx (not directly, because I will need to moderate what will be added to avoid junk stuff). As the Omnivore extension is already open-source, it can be easy to create one, but that's the first time I'm making one so we will see if it's easy or not.
JS analysis and client-side stuff
I'm still working on improving my skills on client-side vulnerabilities. I found them very interesting. The only problem I have is that a lot of programs don't really find them impactful, even if you manage to prove an ATO or steal PII data.
I found some good XSS on a program and they were duplicates from last year and they don't plan to fix them, even if I can do impactful stuff with them.
That's the same on Intigriti where a Reflected XSS will always be Medium.
But besides that, I still love to look at them. I use jswzl and it's quite powerful but I don't know if I need it at the moment. I'm waiting for the Caido version of it, because for the moment it's only for Burp, so I need to have Caido, Burp, and the jswzl server open, which is consuming all of my RAM.
I'm looking to develop my own tools for JavaScript analysis in the future to perfectly fit my workflow.
I also use the extension built by @Mizu called DomLogger++. It's very powerful as you can create your own config files. It's useful when looking for postMessage stuff or DOM vulnerabilities. I heard he will release a new version soon so stay tuned.
Ideas / Notes / Resources
- Very interesting article about secrets and sandwich attacks by @Aethlios
- @AjxChapman wrote a new article about his exploit on an old Browser