Chandu
Chandu
8 min read

Categories

AMA with Brutelogic


Brutelogic aka Rodolfo Assis , is known for his awesome research in the field of Cross site Scripting (XSS) . He has been in the infosec industry for more than a decade .

About BruteLogic 😎 And His XSS work’s 💪

  • How do you stay awesome?

    • I think having great people and friends around me like you makes that possible! Thanks a lot!
  • How did you come up with the idea to focus on XSS, and master that?

    • I was in need to really understand XSS since I’ve seen some researchers and challenges but I couldn’t find basic information. So I’ve decided to apply my philosophy hack2learn to get good at it and challenged myself at XSSposed (now OBB) to get into 1 in their rankings


  • How do u get in with XSS

    • While looking for different ways to make my payloads work, bypassing filters and specially WAFs.


  • What caught your attention for learning and researching on xss?

    • It was some solution to a challenge using document.location.hash.slice with (1) and (2) to use chars filtered in the HTML payload. I’ve realized I had too little knowledge in XSS so that triggered me to understand common methods and properties of JS objects.


  • What will be your next/advanced level XSS attack process.

    • It started already, it’s a repo for CSRF (and other) exploits via XSS using our brand new project X55.is. You can contribute here:https://github.com/BruteLogic/X55


  • what is your next project?

    • To hack the planet! Via XSS.


  • @brutelogic Guruji U r great..

    • Thanks, appreciate it!


  • Just curious! Is there a story behind the name brute logic?

    • Sure! At that time I was convinced that a simple horizontal dictionary attack against a big company was enough to get into it (it was the easiest way I found to get into the one I’ve worked for). So I wanted something like Brute Force but at the same time just Force was really not enough, it should be smart. So I’ve changed to LOGIC but I’ve started in Portuguese as “logica bruta”. I’ve changed to Brute Logic and to English language 10 days after. It was also in line with that security guard which became my avatar.


  • @brutelogic hello. I only have one question regarding your amazing tool: do you update it constantly with every little xxs find/trick that you discover? Or did you stop working on the tool once you made it available? Thank you

    • I’m always updating it in the following way: 1. New major releases, always announced and usually w/ new features, improvements and/or new detection cases; 2. New minor releases, not always announced, w/ bug fixes, minor improvements etc + hot fixes for actual XSS covered cases. New tricks, research etc fall into one of these categories, depending on its purpose.


  • Tell us about the most hard xss you done fire

    • I think it was the bypass on Google Chrome v57 and up, shown below. I remember how hard I was trying to get another bypass after last fix and how happy I got when finally found it. https://www.buymeacoffee.com/p/80886


  • At what age did you started hacking and what were you doing before
    • At age of 32 (2010) but I had some interest on it several times before but never really got into it. I was just an IT technician. I’ve learned programming back in 90’s, really old stuff like Pascal, COBOL and Assembly.


Tips For Beginners 🔰

  • Guideline to hunt XSS on mobile applications

    • Mobile uses the same HTTP protocol and HTML/JS stack web sites do. Usually they just open an instance of WebView or something to do that which is pretty much like dealing with any major browser. So fundamentally it’s the same test methodology.


  • How much time he taken to go that level.. and how can we learn more about xss

    • It takes a lot of time but it depends on your efforts and availability. I’m still learning after 5 years dedicated almost exclusively to it. One can always learn more about #XSS by practicing and becoming a researcher him/herself in that field.


  • See, if someone asks me that he/she wants to learn XSS, @brutelogic’s site is the first one I recommend… Question : How will your methodology go step by step in finding Xss in websites right from the recon phase? It’s one of the many questions that newbies have in their minds

    • I have a blog post about it. It’s exactly the same methodology I’ve applied to @knoxss_me because I’ve tried to reproduce my thought process when approaching a target page. It gets improved constantly though. LINK


  • To understand xss attack completely what should I know before. From where to start about xss boss beginner

    • You need to understand HTTP (protocol), HTML and JavaScript basics first at least.


  • Tell me your best secret: How to be that awesome person? Thanks in advance!

    • I just try to CARE about things, people, animals, etc. I know world is not like that but if a simple rule of “doing for the others what you do expect to be done for you” could be followed by most people, there would be no awesome person, just regular ones. Thank you, my friend!


  • What are the types of bugs that a beginner, with little technical knowledge, should learn first? Thanks sir!

    • Beginners with little technical knowledge should not learn about bugs at all. You should learn first how to use your computer, operating systems (Linux, Unix-like etc), network and specially PROGRAMMING. You can’t expect to learn about advanced topics lacking basic knowledge.


  • Done that for more than a year now, but how do i know when I’m ready to start finding bugs?what platform do you suggest practicing on?

    • Just started to look for it and see how it goes. The problem is not your ability to find bugs but in which environment you will look for it: if you do it on BBPs it will be harder and you will probably think you are not ready so do it elsewhere first.A platform called WORLD WIDE WEB.


Tips for XSS 🔍

  • How u find Vulnerable parameters for XSS

    • They are usually there, you just need to test them properly for reflection and also reading some HTML and JS code.


  • What was your biggest breakdown, and what would you suggest to overcome these things?

    • We all pass for these moments from time to time and it’s hard to point just 1. What I suggest is to try to find strength in your family, friends, community (on/offline) and whatever good things you have. Cause you have to keep it running, so the sooner you stand up, the better.
  • How do you find xss when the scope is everything would you rather do manually or any toll ( if so which one)

    • In that case I would probably start manually to sort the best entry points to try with a tool. And using manually again to exploit if there’s a good information from the tool when it can’t proceed properly


  • What is the most unexpected place where you found an xss and what is the weirdest xss payload you ever saw/crafted?

    • I think it was in Baidu website (Chinese Google), it was #4 in Alexa ranking at that time (2015). The weirdest payloads I see are always the latest ones I craft to bypass major #WAFs! Those who got to know them might agree with me I guess…


  • How common are DOM based xss these days ? Is reading javascript form dom vulnerabilities worth in this time ?

    • If you think about the whole web it’s a number so small that wouldn’t be worth to look for it, in scale. But it happens somewhat more frequently in big sites like the ones in BB programs due to their complexity and use of new technologies. Yes, sometimes reading JS pays off.


Advice’s 👍

  • predictions for the long term future? where do you think new vulnerability classes will come from? what do you think web app security will look like in 10 years?

    • I would bet in JavaScript stuff since things are moving more and more from server to client side.So client side vulnerabilities might become more and more important. Mobile is also obviously an import battlefield to keep an eye on. Hard to tell anything for 10 years from now.


  • Where you see bb in coming years?

    • Hard to predict. I think it will depend heavily on REGULATORY LAW if any to come. By now, it will stop growing and it will reach an equilibrium soon. World is changing too so it might affect how new #hacking generations will behave but I bet in power back to Community.


  • There are so many youngsters give their heart and soul for hacking .Aiming to get a career in #infosec .What will be ur advise to them ? Do you think they are right in choosing this path ?

    • i use to say in private chats to all those who get too anxious for results or are actually frustrated with their actual performance and/or level of understanding: achievement = time + effort.So keep going, don’t give up, be patient. Good things take time to happen.


  • what life means to you me - i hate my life, god don’t want anyone to stay with me. totally distracted not doing anything, not able to do bug hunting, i want to do but i can’t

    • Look, you seem to have DEPRESSION and that’s a serious condition. Look for help, medical or not. Come to talk to me in private here or in my personal account @rodoassis or join our Eternal Noobs Community, full of good guys there willing to help you. https://discord.com/invite/mRcNtVJ


  • is it possible for someone to get job in infosec industry who have completed college few years back but due to some issues didn’t have any corporate or job experience just farming experience but now want to work in infosec.. if yes can you please provide some guidelines. thanks

    • Sure, why not? Do some independent work in the field, contribute to community, do some social networking, get some certifications, send resumes, look for job offers and apply to them, try to give some talks, etc. So many possibilities, dedicate yourself to it and it will happen.


Admiration 🦸‍♂️

  • Whom did you admire when you were at the learning stage? How long did it take to be where you are now? Thanks.

    • In the learning stage of #HACKING it was guys like @hdmoore (all core Metasploit guys) @WeldPond @carnal0wnage & many others. When getting into #XSS it was guys like @RSnake @soaj1664ashar and the ones above me in XSSposed ranks. It took me 10 and 5yrs, respectively, til now!