Craig’s Newsletter April 6, 2020 Edition
Here’s a little update on what I’ve been doing since we last spoke.
What I’ve Been Writing
Since the last update I’ve published my 5th in a series of bug bounty hunting tips:
Bug Bounty Hunting Tips #5 — Aim to Become World-Class in Your Niche. You can read it for free on craighays.com or if you’re a medium.com member you can support me by reading it there.
What I’ve Been Watching
Things are pretty stressful for everyone right now. We can’t go outside, we can’t see family and friends, and everything’s a little bit tense. While unusual for me, I’ve been enjoying watching jacksepticeye playing Half-Life Alyx in virtual reality from start to finish. I haven’t owned a gaming PC for a very long time and I can’t justify building one just for this game. I’ve found that watching someone else play it is good enough for some well-needed escapism without investing in all the kit needed to play it.
What I’ve Been Doing
It feels like the entire world has changed since I last emailed out a couple of weeks ago. All over the world, anyone who can do it is now working from home. The safety net of the corporate firewall is gone. People are working permanently behind home routers with default passwords, firewalls turned off, and… who knows what else is happening. Therefore, I’ve spent the last couple of weeks at work making sure everything is as it was designed to be, for when things like this happen. I suspect many of you will have been in the same situation.
That said, I’ve started learning more about gRPC at a very low level as I’m really interested in bug bounty targets using this method of data transfer. It isn’t as easy to work with as text encoded HTTP requests so there might not be so many people testing this in this bug bounty space. I did, however, find this Burp Suite Protobuf plugin from NCC Group which looks really useful. Hopefully, I’ll get a chance to try it soon.
What I’m Doing Next
I’m planning on publishing an article on my work analysing external inbound and outbound email through Exchange 365 as there doesn’t seem to be any way to do it in detail in the native reports. My PowerShell scripts need a bit of polishing to make them publishable, but once done I’ll host them up on Github and link to them from the article.
As always, if you’ve got feedback, questions, or something to add, please get in touch.
Stay home, stay safe, and take care.