Zero to Hero in bug bounty by ‘Vibe Coding’


Zaxie

About a year ago, I decided I wanted to embark on the bug bounty journey after discovering it through a learning path in HackTheBox academy. I immediately found the topic very interesting and have since spent hundreds of hours studying it. There is one issue however — there is a RIDICULOUS amount to learn.

Many of the top hackers in the bug bounty community develop this ‘6th sense’ for where companies tend to make the most mistakes when it comes to web applications. This comes from countless hours learning about networking fundamentals, endless protocols, endless frameworks, programming languages, common configurations, CVEs, and blah blah blah. I was lucky to already be a Cybersecurity professional, so I knew my fundamentals and had most likely at least heard about several of these topics, but it was still daunting for me. In particular, code analysis and web browsers were a major blind spot and still are for me. I have a trick though, and I hope to share that with you today.

If you’ve heard the constant chatter about AI in the past few months, you may have heard of ‘vibe coding’. Vibe coding is where you program an application by prompting AI until you get an end result that works. Combined with the fact that AI is great at breaking complex topics down into simple ones, vibe coding can end up as an excellent teaching tool. A simple prompt such as “Break down ___ in terms that a grade schooler can understand!” may actually lead my neurons to do the impossible! Actually learn!

To start, I follow a channel on YouTube called the Critical Thinking Bug Bounty Podcast (CTBB). If you are interested in bug bounty I implore you to dig into their content, as it is the real deal and very fun/educational. They have a Discord channel where some of the best hackers you can find across all bug bounty platforms discuss their findings, issues, and general musings.

When I started lurking around in the Discord, I could not understand a thing anybody was saying. Zilch. Again, I knew generally what people were talking about but their problems were complex! Their general thoughts seemed like hieroglyphics to me. So, I deployed my trusty tool — VIBE CODING!!!

Here’s a question somebody asked about a week ago that I deployed this method on:

With my knowledge I knew:

- What an iframe is.
- What an event handler is.
- What XSS is and how they got it using <object> or <embed>.

What I didn’t know:

- Why would you access the document.domain event handler?
- What is a Data URI? (“not iframe”, why would you confuse the two?)
- What is a Sandbox, and why don’t you know if it’s sandboxed?

So, I went to work by prompting ChatGPT the following:

I quite literally just said “IDK HELP!” and slammed the comment into ChatGPT. I got this lengthy response:

Since ChatGPT likes to talk a lot I cannot fit all the screenshots here. But next, I was still confused at what a Sandbox exactly was so I prompted again:

I then prompted:

“What is a data URI?”,

“Somebody said “data uris aren’t same origin” what does this mean?”,

“So an iframe can access stuff on the main page but since a data uri is in it, it can’t?”.

People who are into bug bounty are probably laughing at these prompts being amateur or absurdly obvious BUT I was unaware. ChatGPT will take the most bizarre, unintelligent, and redundant questions over and over again. SO USE IT! I then got to the meat and potatoes of what I want to show you today:

“Can you build me a demo setup so I can learn these concepts?”

Very simple, Very Demure. It spit out a basic HTML page that assigns you a cookie on page load and spawns two buttons: one that creates an iframe and one that creates a Data URI. I was a bit too general with my prompt by saying “these concepts”, so I only got a website that teaches the difference between how cookies are passed to an iframe compared to a Data URI.

The ‘Vibe-Coded’ site

Cool, but also, ChatGPT forgot to put the cookie on the page as shown in the screenshot above. Or so I thought!

Turns out, you have to serve the page from a web server rather than opening the HTML file directly in the browser!

Voila! The test cookie 12345 was there. I then proceeded to play around with the Data URI frame and the regular iframe and learned a great deal about terms in this context such as Data URI, same-origin, isolated, etc!

I then wanted ChatGPT to further teach me about sandboxes and it even gave me a method to bypass the sandbox (for learning purposes!)

To conclude, with almost no programming effort and with 0 research on the topic at hand I managed to:

- Get an entire lab propped up in a few sentences
- Edit the lab around my questions
- Build upon the lab as I learned more about the topic
- Learn about what these top level hunters are talking about!

This can apply to anything you want to learn. I’ve only used it in a bug bounty context but I’m sure this is applicable elsewhere. Keep prompting until all of your questions are answered. I always follow the words of my guitar professor Tomo Fujita: “Don’t worry. Don’t compare. Don’t expect too fast. Be kind to yourself!”
