Hackyx news, Fucking XSS and Berlin


This week, I was chilling in Berlin. It's my second time here this year, and I really appreciate this city.

I also worked a lot, both on bug bounty and my project Hackyx, very nice to be back grinding.

Hackyx News

I just figured out that a lot of the indexed content was quite bad, and I discovered that, for HackerOne reports, I added nearly every report without much filtering besides the AI that tells if it's something interesting.

But for an AI, a guy saying that there is a Critical vulnerability in curl because you can send a request with a file in the request will look like a real proper vulnerability, even if it's bullshit. So I just put in a new filter to only take resolved reports and to delete N/A, Informative and Duplicate stuff. It will be much better now.

Also, I need to add a lot of new articles, and an RSS feed to have something way better.

As I added embeddings for each article, I can now use AI on them, and also find related articles and stuff, which is quite good. So I tried putting a chat on Hackyx for some tests, and it was interesting.

It can give you a real explanation about what you need and give you the related articles or write-ups to dig deeper. The best of the two worlds. It's like a ChatGPT with all the context of the latest cybersecurity research.

I'm still working on it, so it's not in production, but it will soon be, if Mizu lets me work on it instead of letting me make a 6-step JavaScript PoC for an XSS 🫠

Fucking XSS

Joking aside, we discovered a nice chain—a long chain with a lot of different little pieces to understand—but it's so interesting. Since I worked with him, I have learned so many new client-side techniques.

So, for this one, we needed to build a proper PoC. I'm not going into details, but there were around 5 different steps involved, and it took me like a few hours to build it and record a video for the triager.

And at the end, one part of the chain was going to be fixed, but we figured out another way to trigger it and after a long discussion, it's now triaged. The day was pretty long. And I was pretty upset, to be honest, but it's part of the game.

Finally, I learned a lot with this PoC, so it's still good, but still fucking XSS. And hopefully, I got a tonkatsu don to finish the day.

Berlin

I came here again for a Home Exchange, so someone is in my place in Paris. I love that concept, I came here for free, have a proper flat, and can live a few days somewhere else.

And as my place is well located in Paris, I'm getting a lot of demands for that, so next year, I will continue doing it.

Last week, I also bought an Oura ring which will track my health and sleep. I did it with my Coros before, but the sleep stages are not really accurate, which annoyed me. After digging a bit into the subject, I discovered that Oura was one of the best wearables to track sleep.

And I'm pretty happy with it now, the data looks way better, and I can now properly track everything. Coming back tonight to Paris and then in a month back in Asia.

Aituglo

Paris
The author of this blog, a bug bounty hunter and security researcher that shares his thoughts about the art of hacking.