Episode 128: New Research in Blind SSRF and Self-XSS, and How to Architect Source-code Review AI Bots

Episode 128: In this episode of Critical Thinking - Bug Bounty Podcast we're talking Blind SSRF and Self-XSS, as well as reversing massive minified JS with AI and a wild Google Logo Ligature Bug.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today's Sponsor: ThreatLocker - Patch Management
====== This Week in Bug Bounty ======
BitK's "Payload plz" challenge at LeHack
====== Resources ======
Novel SSRF Technique Involving HTTP Redirect Loops
Surf - Escalate your SSRF vulnerabilities on Modern Cloud Environments
Gecko: Intent to prototype: Framebusting Intervention
Conducting smarter intelligences than me: new orchestras
====== Timestamps ======
(00:00:00) Introduction
(00:03:55) Self-XSS and credentialless iframe
(00:16:50) Novel SSRF Technique Involving HTTP Redirect Loops
(00:25:02) Framebusting
(00:29:13) Reversing massive minified JS with AI
(00:53:12) Google Logo Ligature Bug
Title: Transcript - Thu, 26 Jun 2025 11:26:27 GMT
Date: Thu, 26 Jun 2025 11:26:27 GMT, Duration: [00:58:07.03]
[00:00:01.12] - Joseph Thacker
COOP is the freaking bane of my existence, man. I freaking hate COOP.
[00:00:05.28] - Joseph Thacker
Stops all your bugs.
[00:00:06.20] - Justin Gardner
COOP is like one of the worst things for an attacker that has ever happened to browser security. Best part of hacking when you can just, you know, critical thing, right? Yeah, dude. So when you're running an enterprise security program, there are quite a few things you need to nail before you even consider doing something like running a bug bounty program, right? These are kind of like the ABCs of enterprise security. Obviously you need some sort of phishing prevention system, you need an EDR, you need some introspection into your environment with logging. And of course you need some sort of patch management system to make sure that your software is constantly up to date and not going to lie. Guys, that last one is a little bit of a pain in the butt, right? I know you guys know what I'm talking about with that. It's a lot. And whenever there is something that's a pain in the butt in security, what happens? Well, ThreatLocker always comes up with an innovative solution. And that's exactly what they've done with ThreatLocker patch management. Their team is working constantly to ensure that the software updates for software in your ecosystem are audited, categorized. So if there's like a super severe zero day, you'll definitely know about it. And then check for conflicts with other software on your system before enabling the enterprise admin to automatically update or schedule an update in the future. And I'll just read this little snippet from their website really quick, which I loved. It says we'll even dare to say install ThreatLocker patch management and forget about patch management. We've got it covered. That is what you love to hear. That is what you love to hear, right? Okay, so definitely check it out guys. ThreatLocker.com Platform Patch Management or just go to ThreatLocker.com and look for the patch management software. All right, that's a wrap. Let's go back to the show. Sup hackers, really quick.
This Week in Bug Bounty segment for you and for those of you that don't remember, the This Week in Bug Bounty segment is where we give you updates from the platforms and other parts of the bug bounty community. Just sort of rapid fire news section. And so this one we've got, YesWeHack is going to LeHack 2025 and they're running a cool competition I thought I'd shout out, called Payload Please. And this is going to be essentially a polyglot competition where you create a payload that exploits XSS, SQLi, command injection, deserialization bugs and a couple other things. This is run by our boy BitK, who we love, who did an amazing masterclass for us in the Critical Thinkers Discord. Definitely want to get him on the pod at some point, but the output of his research is unbelievable. I have so many pages bookmarked from his research and tooling, so definitely shout out to our boy BitK. And if you guys want to compete in this, go for it. June 27th 9:00am CST to June 28th 6:00pm CST and if you don't participate in it, it's going to be really good to read the write ups anyway because knowing all the tips and tricks you can use to craft a payload in a really restricted character set environment or whatever, really restrictive environment is a super helpful skill for hackers to have. So check it out. Payload Please competition at LeHack 2025 and virtual. All right, let's go back to the show. Dude, let me tell you, man, today is one of those days where I just didn't really want to come record a podcast. And I'm excited because we've got good content. I was like right in the middle of hacking something when we scheduled this.
[00:03:50.12] - Joseph Thacker
Episode, but you got derailed into something else where you learned something pretty cool that we'll talk about in this episode.
[00:03:55.68] - Justin Gardner
Yeah. All right, well, let's jump right into that. Okay. So yeah, thanks. Let me restore my hype for this as well. Switch context a little bit. So earlier today when we were prepping for this episode, I was going through the research, as I do, by Slonser, who recently released an article called Make Self-XSS Great Again. And there was. Yeah, right. And there was a ton of really useful takeaways. We talked about credentialless iframes on the, on the pod before, in here. But those, those are definitely a big deal in this environment. And the way that he. You know, the main takeaway from the credentialless iframe piece was that credentialless iframes and iframes, just normal iframes, are same origin. So what that means is that you can have two iframes embedded on the page and you see him doing this right here where one is logged in as your victim. This is just a normal iframe and one has no credentials on it, yet these two iframes are same origin. So this guy, this unauthenticated dude, can reach into the authenticated iframe and grab data out, which is super whack.
[00:05:11.11] - Joseph Thacker
Yeah, super weird. It almost feels like it's a browser bug.
[00:05:14.14] - Justin Gardner
Yeah, it really does. And it says here, looking at the RFC, we can see that credentialless iframes are same origin as regular iframes. And let's see what he says here. I haven't actually read it's mentioned that implementing opaque origin similar to sandbox domains wasn't implemented due to implementation difficulties. Right. So they weren't able to make it not same origin or have some sort of tweak on same origin. So they just made it same origin, which is really helpful. And what this essentially does, Joseph, is it eliminates the need for a logout CSRF in these sort of environments because we can just drop our login CSRF inside of a credentialless iframe and we get a whole new cookie jar in that iframe.
[00:05:56.25] - Joseph Thacker
That's right. Does that make sense? You just reach in there and then use it? Yep, yep.
[00:05:59.77] - Justin Gardner
So you reach across and then grab. So the credentialless thing is, is super cool. And there's a couple other tips in this one that I wanted to highlight as well. This one was just super cool. Right here. This is self-XSS plus CSRF with login with captcha. On login with captcha. Okay. And this is kind of a pain in the butt thing where sometimes they've got a captcha. Right. But I love that his solution here is just so elegant, which is it just opens up a websocket to the attacker's page and just pipes through the captcha. So you just wait, you wait for the victim to open the page and then when they do, you solve it, a captcha, you solve it really quick and then it triggers the CSRF. Right.
[00:06:44.87] - Joseph Thacker
It's almost like in the same way you can do pass through when you're phishing for like SMS.
[00:06:50.06] - Justin Gardner
Yeah, yeah, exactly so and like conceptually I knew that this was possible, right. But then if you see his like 10 lines of code here that do it, I'm like, ah, this is good. This is exactly what we want.
[00:07:02.14] - Joseph Thacker
Why is that? I feel like not to take us down a tiny rabbit hole here, but I feel like there are so many times when hacking and also when doing development work when for some reason our brains are like, oh, this is just like some difficult opaque blob of a problem that I need to solve, but it's just too big for me to currently solve or something. Or maybe you don't even think that deep. It's just you just think of this as an unsolved problem when really it's like very often whenever you go to do it, it's easy or it only takes 10 minutes. Kind of the same way you let to dos hang over your life that you could just knock out in five minutes instead of just knocking them out, you know?
[00:07:35.76] - Justin Gardner
Absolutely. And this is especially true with AI now because you can just say, hey, build a websocket server that works like this. And it just goes. You don't even have to type out all the lines right. So it was cool to see him implement that here to get around captchas. I would love to see somebody go and take this research and build a framework for this for reCAPTCHA, because reCAPTCHA is not this simple. So I think that it would be really cool to have some framework where it connects back to the attacker's server or whatever. The attacker solves the captcha and then it gets all of those sub requests and stuff like that that are necessary for reCAPTCHA to go ahead and push the request through. That'd be sick. Okay, now I'm going to skip the clickjacking one because I didn't love that one. And we're going to move on to this new piece that he mentions, which utilizes this function called fetchLater. This is a new function that got added to Chrome, I believe, very recently. And essentially what this allows it to do is issue a fetch request with a certain timeout on it. And that will what Slonser was saying in this write up, and there was a little bit of controversy about this on the, on the CTBB Discord of like, does this work? Does this not work? Yeah, but what it does is later, after that timeout, it will send the request with your current authenticated session. And so Slonser was like, okay, well after we leave the page, you can still do this. And it's not exactly that simple, unfortunately, because when you leave the page, according to the MDN docs, it actually sends all of your fetchLaters at the same time, which is kind of a pain in the butt. But this.
[00:09:27.20] - Joseph Thacker
Does that include even if you kill the tab?
[00:09:29.60] - Justin Gardner
Yeah, if you close. I tested that. So if you close all of Chrome completely, then it shoots it out real quick.
[00:09:38.00] - Joseph Thacker
It just shoots all the fetchLaters at the last second. Weird.
[00:09:42.46] - Justin Gardner
It is kind of weird. But here's the crazier piece of this was like, okay, well, how Slonser wanted to use it in this specific write up was he wanted to say, okay, you know, register these fetchLaters and then wait, you know, log the attacker out and then wait for the victim to log in later.
[00:09:57.37] - Joseph Thacker
Yep.
[00:09:57.77] - Justin Gardner
And then when it does, these fetchLaters will trigger and then, you know, it'll run the attacker's request that they wanted to run. Like, you know, give whatever person admin rights or whatever. Um, however, it doesn't do that because if you close the tab, it. It just runs them all right away. So I was like, ah, how can we get around this? And the solution that I came up with was actually what you do is you make a request to your own server and you set the timeout super long and you stall the HTTP response from your own server for the maximum amount of time that Chrome can handle it, which is like 300 seconds.
[00:10:32.76] - Joseph Thacker
Okay.
[00:10:33.16] - Justin Gardner
And then you do that in a redirect loop 20 times. So you can get. You can get up to an hour and a half.
[00:10:39.50] - Joseph Thacker
Okay, so wait, we're going to clarify this. One, this isn't in the blog post. You found this and thought of this.
[00:10:44.22] - Justin Gardner
This is my research right now.
[00:10:45.89] - Joseph Thacker
And two, this feels novel. Like, this feels like something no one's really thought about. It's like a massive feature to combine with fetchLater to enable an entire attack.
[00:10:57.01] - Justin Gardner
I tried doing it with fetch too. I was like, maybe this isn't a fetchLater thing in particular. Maybe fetch can do it too. But fetch will just stop if the page has already been closed. fetchLater has some background async properties that are going on with it where it's not. It caches whatever origin this was supposed to be living on when the fetchLater request was issued.
[00:11:17.26] - Joseph Thacker
Wow.
[00:11:17.87] - Justin Gardner
And it continues. You can continue doing redirect after redirect after redirect after redirect with these maximum Chrome timeouts. And you can extend that request all the way up to an hour and a half.
[00:11:33.25] - Joseph Thacker
Is it 30 redirects at 300 seconds each?
[00:11:35.89] - Justin Gardner
20 redirects at 300 seconds each? Yeah. So it's like a little over an hour and a half that you can do with that, which is like, not forever, but.
[00:11:44.46] - Joseph Thacker
No, but that's pretty cool.
[00:11:45.74] - Justin Gardner
Yeah, yeah, yeah. And so I think that there's still some viability to this sort of delay piece of that attack. And I guess also it's worth mentioning that, you know, you need to like, 307 probably with this, because if you're going to be using a post request or whatever.
[00:12:03.65] - Joseph Thacker
Yeah.
[00:12:04.01] - Justin Gardner
Then you'll need to 307. But yeah, so I thought that was an interesting piece that you can continue to trigger these.
[00:12:10.94] - Joseph Thacker
That's super cool. Yeah, that's amazing. So it makes me wonder, like, anytime that I hear anything about this my mind immediately jumps to what are the other implications of this? Right. Like I wonder what other things this enables. Like one thing that jumped to my mind is attack. Like a user would often probably log back in and want to re-auth pretty quickly if they're actively in their browser, which they're often going to be in their browser if they get CSRFed because they're going to end up on either a water hole attack or something like that. Right. So for the initial thing to occur, they're probably in their browser and then I think an hour and a half is totally actually reasonable for the attack to occur because they might hop back to the other tab, see they're logged out, log back in, you know what I mean? Actually feel unrealistic at all.
[00:12:54.97] - Justin Gardner
No. Yeah. And I think a lot of people will just, you know, you could even just trigger a redirect to that page and be like, oh no, you're logged out. What happened?
[00:13:03.45] - Joseph Thacker
Yeah, that's a good point. Yeah.
[00:13:04.88] - Justin Gardner
Yeah. So it's tricky though because you've only got, I guess you've only. Well, you could register a lot of. Yeah, you could register a lot of fetchLater requests and so you could do it at certain increments as well, just like you said in the blog post. Okay. And then it works, man, it works.
[00:13:23.37] - Joseph Thacker
It does. Yeah, it's neat.
[00:13:24.91] - Justin Gardner
I'm excited. I've only PoC'd it out a little bit, but I think this fetchLater thing is super weird and definitely should be the subject of more research.
[00:13:34.51] - Joseph Thacker
So just as like a super applicable way to wrap this up with a bow, one for people like me who aren't doing a lot of front end stuff. So this is basically when you have self-XSS and you have a login CSRF. And is that it? Or do you also need a credentialless iframe?
[00:13:55.26] - Justin Gardner
No. So you can self-XSS. Right. So you get the self-XSS, you login-CSRF your attacker into this. You can do this either via the credentialless iframe, or you can find some way to get rid of the current person's session. Sometimes login CSRF itself gets rid of the current victim session. However way you do that, you could do it cookie jar overflow, you could do it with credentialless iframes, whatever, and then trigger the self-XSS and then register these fetchLater handlers. Right. And then log the attacker out and then these fetchLaters will keep churning, churning, churning, churning at all.
[00:14:33.45] - Joseph Thacker
Then it becomes a stored XSS.
[00:14:35.21] - Justin Gardner
Exactly. Then you can trigger a fetch to a specific and it's interesting because it doesn't necessarily trigger, it doesn't trigger a stored XSS. It allows you to send a fetch request. So you also need one more gadget here. I'm glad you clarified this, Joseph. You also need, you know, a one shot fetch request that you can issue that will, you know, affect the victim's account in some negative way. You know, change their password, change their email, something like that. Right.
[00:15:04.64] - Joseph Thacker
But you're making it with their credentials so you're making it with. And it can be a POST request. It doesn't have to be. It's not like a GET-based and.
[00:15:10.69] - Justin Gardner
It's same origin and everything and it.
[00:15:12.25] - Joseph Thacker
Could actually be JSON. It doesn't even have to be. It's not like a POST-based CSRF. It's literally any, any fetch request you can make with their creds on their origin. So it's probably not that difficult. But you do have to have something that doesn't require 2FA or something unique.
[00:15:26.16] - Justin Gardner
Yeah, or the, or like a CSRF token or something. Right? Like, well even the CSRF token. No, because it would be coming from the attacker's account. So yeah, you need to not have anything in the request body that you can't predict. So everything would have to be done completely via cookies which you know, it's not that rare. I think it's still a great gadget. Still.
[00:15:46.25] - Joseph Thacker
Yeah. Oh, so it can't actually, it can't use a bearer token either.
[00:15:51.16] - Justin Gardner
No, it can't because the authentication that's happening here, the auth boundary is like, oh, it's coming from this same site. Right. Which is what we did from the attackers attacker session. So if it was using, you know, anything besides cookies, then that auth boundary is going to be different on the victim session. Okay, so it has to be cookies.
[00:16:11.03] - Joseph Thacker
Cool. See this is why we need a new here to ask questions to clarify the exact parameters by which it's actually vulnerable.
[00:16:18.20] - Justin Gardner
Yeah, it's good either way, man. I mean like a lot of times we get fixated on these little pieces of gadgets. You know, we're like, oh, you know, I just found a way to get persistence in the browser, which is what this is. Right. This is a persistence in the browser mechanism. And, and then you kind of, you know, until you build out the full PoC, until you try to use it in exploitation scenario, you're like oh, oh.
[00:16:36.33] - Joseph Thacker
I don't have delivery or oh, I don't have impact, you know, or whatever.
[00:16:38.76] - Justin Gardner
Yeah, functions a little bit weirder. So yeah. All right. Man, that's, that's all I had on this. Shout out to Slonser. Great research, man. Thanks for bringing in fetchLater and credentialless iframes, shedding a little bit more light on those.
[00:16:51.04] - Joseph Thacker
Speaking of redirects, we have some awesome research from Shubs and Assetnote/now Searchlight Cyber as they did another sweet blog post.
[00:17:01.62] - Justin Gardner
Yeah, dude, this thing is awesome. I can't believe that they actually found some research that affects blind SSRFs here because for a while everyone was like, ah, that's of course that's an amazing piece of research to go after, but there's just never going to be any way to do it. Right. Like it's probably so different.
[00:17:20.91] - Joseph Thacker
There probably is some impact for some companies where they have like some sort of internal intranet site that has like a GET-based, you know, endpoint or you could do something state changing but without like white box testing there, there's just nothing you can usually find.
[00:17:34.25] - Justin Gardner
Yeah, yeah, but this is, this turns the blind SSRF into a full SSRF in some scenarios and it's super whack the way that they've dealt with this. So do you want to, you want to give it the rundown on it or should I. Yeah, sure.
[00:17:48.80] - Joseph Thacker
I think you got two more up. So. Yeah, I'll do it.
[00:17:51.13] - Justin Gardner
Okay.
[00:17:51.56] - Joseph Thacker
Basically they found a. Wow. An app. Couldn't think of a good word for it. An app where if they, where they found a blind SSRF and if they did one or more or just one or a few redirects, it would give an exception for invalid JSON. So presumably it was trying to parse that and respond with it, or it was trying to respond with JSON or maybe there was like a secondary hop in there that expected JSON, but because it got an error message or something, it didn't actually properly validate it. But then they noticed that if they gave it 30 redirects or more, it would actually fail with a network exception. And there were. The invalid JSON error went away. And so this triggered in their mind like the idea that, oh wow, there's like, this isn't a single endpoint, it's actually something deeper. There's like a secondary context or maybe a third context. Right. And so they tested all the different status codes and stuff and they realized that if there was a 500 error HTTP status code, then it would be a full HTTP response. The sad thing is the majority of the endpoints that are going to have like good impacts for like file found or you know, if you're hitting the AWS metadata, it's not going to be a 500, it's going to be a 200. And so they actually, I don't know if he, if he makes it clear in this blog post, if they had found this before now and it triggered that in their brain or since finding this, they went and found it other places. Did you get a vibe of either way?
[00:19:15.16] - Justin Gardner
I think, I think they've noticed this behavior that we'll describe a little bit later in a couple, maybe one or two in the past. And then when it started becoming a trend, they're like, okay, what's going on here? And they double clicked into it.
[00:19:27.85] - Joseph Thacker
Yes. And they do speculate on what causes it, but they're still not a definitive answer. So maybe future research there would be kind of interesting from our community. But basically the way they solved this is they wrote a little bit of Python code that's shown here, where each time that the redirect occurs, they increment the redirect response code. So it's kind of interesting. So their server responds with a 301, then a 302, then a 303. I actually think they skipped past 302 because they come back to that for the final redirect. And in their output here it looks like they start with 305, but that maybe just they're showcasing that 305 and above are what actually worked.
[00:20:07.74] - Justin Gardner
That's what it was. There was something weird with that where they wrote this code that iterates across all of them to try all the three, you know, the 300 status codes. And then somehow at the end they found that the response that was coming back was it was showing the response for all of the status codes. So past 305.
[00:20:28.05] - Joseph Thacker
Oh yeah. It was like storing them up.
[00:20:29.33] - Justin Gardner
Yep, yep, yep, exactly. So it was like you're seeing almost like an HTTP pipelining sort of type response here that was happening. And then so, and this is the line that kind of did it for me on this one. It's like this drove us nuts. Was there something special about the 305 status code? Even though we performed a redirect from 301 to 310, why did we only get the HTTP responses from the status code 305 and above? And they, they went on to just kind of going, going through the rest of this. They went on to say that they don't think that it was anything special about 305 or anything like that. It was just the fact that there was some difference in handling of the error conditions between the number of redirects that were occurring. One is being handled by libcurl and one's being handled by the application layer. And that's what caused the mismatch.
[00:21:18.70] - Joseph Thacker
Yeah. So if there any time there was more than 5. So basically if instead of iterating through them, you just did 301 five times and then switched to 307 or something, it would start at 307. Anything after the fifth attempt it would start, or after the fourth attempt it would start. Kind of logging is the weird word to use there, but it would kind of start logging it and then respond with it.
[00:21:37.33] - Justin Gardner
It's our handling it in a different way. Yeah, right. And I'll read this snippet from the write up so that there isn't any confusion about what they said. Instead, we believe that the application was happy to follow a few redirects and then failing on the JSON parsing and was not happy about following more than the max redirects configured by libcurl. However, there was an error state when it followed more than five redirects not handled by libcurl but rather handled by the application itself. This technique may sound obscure to you, but it has now worked for us in several situations where we would not have been able to see the full HTTP response from 200 OK requests, but could see the full HTTP response for 500 status codes. So I think that's the key right there, the 500 status code. That's your indicator that this is going to actually that you should try this, right?
[00:22:23.92] - Joseph Thacker
Yep. Yeah. And I. I mean this may be a little bit of showing our cards a little bit, but you and I were talking before the podcast episode where I honestly think that the community needs some sort of tool, whether it's built into Caido or whether it's a standalone tool where you give it like a blind SSRF, like a request that will trigger a blind SSRF. And then because it's going to be on different targets and whatnot, you should maybe give it like some internal IP or internal host names for that target, because those are going to be some of the checks or some of the tests and basically make a blind SSRF escalation app where it does like this technique and lots of others. Like maybe it's looking for some sort of specific DOS or some sort of specific internal host like Jenkins Dot or Jira Dot or something. You know, any known things from that SSRF bible, as I sometimes allude to it, the old Assetnote post that has like all of the ways to increase the impact of SSRF. Maybe somebody includes a bunch of different checks that could be done in that case. And if, maybe if a list isn't passed for known Internet based host names, then maybe it takes a guess at someone's like internal root or whatever else.
[00:23:34.79] - Justin Gardner
Yeah, there definitely should be something surrounding this. And I just DM'd you on Discord. There's this one, Surf, that the Assetnote team released that sort of hits different sort of candidates for SSRF and tries to enumerate hosts within a specific environment for it.
[00:23:54.30] - Joseph Thacker
Someone should just fork this and add more checks to it. Right? It's great.
[00:23:57.50] - Justin Gardner
Yeah, exactly. So I think that this would be a good base for that. And then we try some of those escalation techniques from the blind SSRF. And the flow just like you said, should be like, all right, let me just point this at some host. It could even be a hosted tool that someone would use. Point it at some host and then essentially in automate just give it a numeric iterator and say, all right, give me 1,000 payloads or whatever. And then it just hits it, hits it, hits it, hits it, hits it. And then each time it says, all right, we're going to chain a redirect 30 times. We're going to chain a redirect 20 times. 301, 302, 303.
[00:24:35.46] - Joseph Thacker
Yeah, this 5 and 30 threshold might have, might have, might be the most common misconfig, but I guarantee you there's some where it's like greater than 10, less than 50, whatever, you know, and it's probably somewhere it's like it only works for 302 somewhere, it only works for 307s, et cetera, et cetera. Right. And there's probably some permutations there where there are ways to get full read SSRF that people haven't found yet.
[00:24:56.97] - Justin Gardner
Yeah, totally, man. I'm excited for that. Hopefully someone will build that out. That'd be really cool.
[00:25:00.97] - Joseph Thacker
Yep.
[00:25:03.04] - Justin Gardner
All right, I'm going to do this frame busting one real quick.
[00:25:05.41] - Joseph Thacker
Yes, please do.
[00:25:06.76] - Justin Gardner
So there was something that hit the intent to prototype list that I just kind of thought was interesting and kind of gives me a reason.
[00:25:15.41] - Joseph Thacker
Can you refresh listeners what intent ship is?
[00:25:18.04] - Justin Gardner
Yeah, yeah, yeah, sure. So there are these Google groups that the, I'm trying to think the Blink team, which is the team behind Chrome for a lot of The HTML and JavaScript progressions that happen, new features. And one of the posts that were put in that Google group was the intent to prototype, which is they're going to build this out. They're going to build out this feature for frame busting intervention. And essentially this is some way for them to prevent cross origin iframes from navigating the top level browsing context. When I saw this, I was like, crap, that sucks, because I like doing that. But I also thought, you know, this, this is something that maybe the community might not be super aware of because it is a little bit counterintuitive that if you have an iframe inside of a page and you control that iframe, then you can navigate the top level page. Just the fact, by the fact that you have, you know that you're iframed in on that page. This is not true for sandboxed iframes without a specific, I think allow top level navigations permission to be attached to it. But just a normal straight iframe, even if it's cross origin, you can navigate the top, you know, top dot location. Right. And you can set that. So I just wanted to remind the listeners of that because it may be going away soon and if you have exploits that you need to kind of finish off that, utilize that, then now would be the time to do it.
[00:26:46.69] - Joseph Thacker
It's cool to see like there's only 90 views on that right now on this request for comments or whatever.
[00:26:51.61] - Justin Gardner
Yeah, yeah, man. You know, we, we have a little bot for the critical thinkers that watches this and, and tells us whenever stuff is going to be released. It's been very helpful in finding stuff.
[00:27:01.85] - Joseph Thacker
Yeah, great. Little like just preview of what you know, either potential future vulnerabilities or like you said, old stuff that's going away, that's now going to be more secure, which is just cool to stay on top of, even if there's nothing to be done about it necessarily.
[00:27:13.46] - Justin Gardner
Yeah, yeah. It is a little bit sad though. Every time like something really like annoying comes out, everybody in the critical thinkers chat responds to it like, no, yeah, like oh no, they're doing. They're fixing this or moving that pain.
[00:27:27.01] - Joseph Thacker
Yeah. But it's also just the progression of humanity moving forward.
[00:27:30.61] - Justin Gardner
So let me add one more thing to that piece about like top level navigations from within the iframe. Some, you know, it is. There are situations where that's helpful. But I want to remind you that if you have a tab open and you opened up a new website, then you can always redirect that tab unless COOP has severed the connection. So that's something that I kind of wanted to make sure the listener understands, is that just because you're able to navigate the top level page from within your iframe, that doesn't mean that you're gaining anything extra if you already have an established frame reference from an attacker controlled page. So here's the attacker controlled page, here's the page, you know, here's the little frame reference right here or the iframe. If you already have a relationship in these top two, then this doesn't, you know, have controlling. This iframe doesn't give you anything on this top page. It's only when this relationship is severed and you've just got the window and then iframe inside of it where. Okay, now I can use top location to navigate the top level frame. When that results in something impactful, what.
[00:28:37.06] - Joseph Thacker
Causes the connection to other tab to be severed?
[00:28:39.98] - Justin Gardner
That can happen for a couple reasons, but the most common one would be COOP. Right? Which is a cross origin opener policy saying, okay, there can't be an opener relationship between attacker.com and google.com, right. And COOP is the freaking bane of my existence, man. I freaking hate stops all your bugs. COOP is like one of the worst things for an attacker that has ever happened to browser security. So yeah, and I've done an episode on it, you know, covering how to. How to get around it as best you can, but sometimes there's just not much you can do about it.
[00:29:11.66] - Joseph Thacker
Right, Sweet. One other thing. Yeah. Actually I'll jump to the Hrishi stuff and then we can go. Then we can go down to the ligature next. So this is I posted in the Critical Thinkers chat. Let me share my screen and I will do my very best to articulate this well to listeners.
[00:29:29.14] - Justin Gardner
This is a hard one, dude. This is a hard one to articulate.
[00:29:31.38] - Joseph Thacker
I think it is. Yeah. I'm honestly just going to hit the high points and if people want to dig into this, they can. So Hrishi is a buddy of mine that is a founder of a company called Southbridge AI and they're doing some cool stuff, but it's all in stealth right now and they can't talk about it. So one thing that he did that I thought was really incredible, we'll actually talk about a few different tools that he's written that could be relevant to bug hunters here in a second. But this project that he did is extremely relevant to bug hunters. So basically he wanted to reverse engineer and fully understand how Claude Code works. And Claude Code is a tool from Anthropic that's kind of similar to Cursor. Lets you write code and stuff. I'm sure most people have heard of it, but it's all obfuscated, minified JavaScript. And you know, he wanted to understand it and he's not like, like an offensive security hacker or anything. You know, he's a hacker in the developer sense. And so he wanted to understand this and he was curious how far he could get with current AI models. So he wrote a report, we'll link both these things about a breakdown all about how Claude Code works and how he got there is actually the second post he put out. I think he was worried about them coming at him for some sort of copyright infringement or something. But he eventually posted it. And that's the, that's the thing that I'm sharing right now and that's the thing that we'll cover for those who are only listening because there's a lot of really cool takeaways. I actually thought that there would be more kind of like hacker or tool related takeaways where, you know, it's like, and as a result of doing this, I wrote this script that works really well to do this, but there's no scripts in here. 
This is actually fully just AI models and like the current AI chat apps, basically processing and understanding the JavaScript and then like breaking it down in natural language for humans to understand how it works. Because that was his whole goal.
[00:31:07.75] - Justin Gardner
So the relevant piece for us as you know, hackers or engineers here is that what he does here is essentially taking an app, right, Cursor code and, or Claude Code and you know, breaking it down into this minified JavaScript pieces and then getting the AI to actually ingest this massive amount of obfuscated minified code and actually provide you with reasonable deductions about the architecture, the flow of data through the application and that sort of thing. And this is the technique of how we did that.
[00:31:39.74] - Joseph Thacker
With that we care much more about how it works, whereas we would care much more about how to break it or what the security of it is. So you could imagine like this exact same blog post being done by somebody in our community where the questions they ask of the app of the AI model is like, hey, describe to me, you know, what are the sources and sinks here for user input? What, what are the potential areas for security vulnerabilities? Are there any hard coded keys? You know, like these types of questions. And so like, you know, even though he's doing this through the frame of understanding how it's built in a developer frame, we would definitely do this through a hacker Frame. But one really key thing about this that is like just so sweet, especially for you because I know you love POC or gtfo and I love like getting into the mind of other hackers and is like he talks about all his failed attempts to do it, right? Just like we love seeing a blog post. It's like, I tried this, it didn't work. I tried this, it didn't work. Because you understand and you can begin to understand how the mind of a top level person works, right? A top level hacker in our example, but a top level AI engineer in this example. So I think, you know, just as a random aside here at the top, he has a video of him actually like sped up at like you know, a thousand percent or something of him writing this entire blog post.
[00:32:47.61] - Justin Gardner
Oh my gosh.
[00:32:48.50] - Joseph Thacker
I think in this day and age people are so skeptical that everything's AI written. So I think he wanted to prove like, hey, this is me manually typing out this like 5,000 words or whatever it is.
[00:32:57.31] - Justin Gardner
That's crazy, dude. That's amazing that he did that.
[00:33:00.35] - Joseph Thacker
Yeah. So he's got some really cool architectures. The takeaways here, I'm just going to touch on a few of them. It's way too much to cover in full, but are the architecture that he settled on for how he is using agents and sub agents to break it down with a lot of human input here. I'll say this is not like a foolproof one shot way for, you know, one of our listeners to just turn, you know, immediately take this blog post and turn it a system that can then reverse engineer JavaScript, minified obfuscated JavaScript. But I do think it gives a lot of very strong tips and clues where it could be that eventually. So he talks about it kind of in two different ways. My favorite is the process notes. So if you jump down to the process notes in here, he actually talks about his like kind of. I think this is maybe his raw paste of like what he attempted. So the first thing he did was he was trying to use Opus 4 because it's so smart and break it into 20 different parts and have Opus analyze the 20 different parts and kind of communicate with it itself and break it down. But that's just too much disparate context because as we all know in code you can't just look at 1/20 of it and understand what's going on because it's often calling functions from other places, it's inheriting classes from other places, it's inheriting libraries from other places. And so what he ended up settling on and actually I think this would give us a hard limit because I think it was about 3 million tokens in context. So he was able to get it into 3 chunks with Gemini 2.5 Pro instead of 20 chunks with Opus 4. And so the 3 chunks is much more manageable to kind of sync across. But you could imagine, let's say this app was actually 20 million tokens. He would have to use 20 chunks even for Gemini 2.5 Pro with the 1 billion token context. And again, it would probably be unfeasible to kind of break it down in a way that was ingestible by these AI models. 
And so maybe the hard limit here is like, you know, 5 million tokens of context or something. But Claude Code is very big. And so my takeaway here was for users is that most apps you see today would probably be usable by this structure.
[00:34:56.92] - Justin Gardner
Yeah. Okay, so here's what I'm thinking for this, Joseph. Here's what we're going to do. You're going to go through this and describe the process that he had there.
[00:35:06.36] - Joseph Thacker
Perfect.
[00:35:06.73] - Justin Gardner
And I'm going to try to repeat back to you, what are the takeaways for hackers that are architecting their own versions of this for hacking purposes? The orchestration piece with all the sub agents and that sort of thing. So what I've got so far is that it's great, it's very tempting to try to use some of these models that are just massive big brain models, but at the end of the day, context is king in a lot of these code related scenarios. And because of that we're forced to use Gemini, which is not that bad.
[00:35:37.61] - Joseph Thacker
No, it's great. It's still ranked number one on some of the rankings.
[00:35:40.96] - Justin Gardner
Yeah. But it also has a 1 million token context window. So that's what they're using for actually the raw processing of the data. Right?
[00:35:48.03] - Joseph Thacker
That's right, yeah. For these specifically. Yep. So the, the. Yeah, that's great. I like the process here. He tried to just have it used. So whenever I say the sub agents, we're talking about Gemini 2.5 Pro because they're the only ones that can hold enough context in them. But what he eventually set, so he tried just using sub agents, so Gemini 2.5 Pro subagents to process it. And then he kind of worked as the, as the orchestrator himself to try to like copy and paste and understand, you know, and kind of like keep the thread going as he, as he was asking it deeper and deeper questions. But what he, what he converged on eventually was actually some sort of agent coordination with like a super agent. Number one didn't work, so I'm just going to kind of skip that. But his second. His second and third attempt worked much better. So he was using Opus 4 as basically an orchestrator agent.
[00:36:34.03] - Justin Gardner
I'm not familiar with. Is that an Anthropic model? Is that.
[00:36:37.11] - Joseph Thacker
Yeah, yeah, yeah. So Sonnet and Opus are the two bigger, you know, Sonnet's medium and Opus is large, and Haiku is the smallest of the Anthropic models.
[00:36:43.67] - Justin Gardner
Sure. Okay.
[00:36:44.51] - Joseph Thacker
And so Opus 4 is, like, really smart and particularly it's the best at writing prompts. So he says that in here, but that's a really great takeaway for the listeners. If you ever, like, are setting up an agentic system or you're just about to use AI to process your bug bounty report or whatever, and you want to write a good system prompt, just pop in and ask Opus 4 to write the prompt for you, and you give it the rough outline. It's so good at writing prompts for other models.
[00:37:10.21] - Justin Gardner
That's. That's what. What a useful skill. That's great. Okay.
[00:37:13.38] - Joseph Thacker
Yeah, exactly. So it's like a super prompt writer.
[00:37:15.17] - Justin Gardner
All right, so how does he apply that here?
[00:37:17.09] - Joseph Thacker
Yeah, so he basically says, I'm trying to understand this thing. So this is the prompt Orchestra agent. I've got three sub agents working together to understand each of the three parts because it's too big to fit in one. Here's their analysis. And he kind of copied and pasted and stuff from his previous attempts to kind of get it going on the right track. And then the questions he wanted answered were like, so because this is a AI tool calling thing, how are the tools called, how are the tool outputs inserted back into the context? What tools and functions exist for managing the length of the context, et cetera, et cetera. Right. Whereas if we were building this, we would say something like, what are the sources in the sinks? You know, for any potentially dangerous sinks? What, you know, how many steps does that have to flow through? Are there any protections? Is there any mitigating? Exactly. What are the mitigating factors there? And are they bypassable based on your opinion or. Well, that sort of thing. Right. And then is he put down here, provide your analysis as a long, detailed, well, contextualized markdown document. Right. And then he would pass these kind of. He would then basically he would have the orchestrator, Opus 4, the super agent, tell the sub agents, hey, these are the answers we're trying to get or these are the questions we're trying to get an answer for. You kind of have answered these three, but you didn't answer these other three. And here's how I ranked them in priority and you know, here's how you should look for those answers. And so then they would communicate back and forth. And so the final set of data, like the final answer from the super agent, once it was done, kind of talking to the sub agents, the Gemini subagents, and they continued to give context back. 
Then he used that and that source document, which was like 300,000 tokens, to then create the report which you can read, which is that second link that I was talking about, which is like the full understanding of the whole app. But when it comes to, when it comes to actually understanding the architecture, this is like a key piece, I think, for the listeners. He wanted three main markdown artifacts, the architecture of the system in a high detail. Because then that lets the AI models as they're iterating, know what to go look at. Right. It's almost like a checklist if you think about it, or when you're coding with AI, it's like the plan it makes first. If you, if you don't have, if you don't ask it about what the architecture is, it's probably going to like, not cover or not discuss lots of things that are in there just by, I don't know, by some sort of random mistake or, you know, just overlooking it. Whereas if you ask it what the full architecture is, including all the classes or all the function calls or all of the tabs or all the pages in the app, then now you can have the AI make sure that it answers questions about each of those areas of the code.
[00:39:46.17] - Justin Gardner
Dude. Yeah, that is, that is a lot, man. That is a freaking lot. It's cool to see how he architected this and I'm wondering how. And I don't know that he covered it. I was just kind of curse, cursorily, cursor, cursorly, like, like looking at a cursor, cursorily. I don't know. I don't know what the word is for that. It's freaking English, man. But I was just taking a glance at the, the, at the write up here, trying to figure out how he glued all this together. And I'm wondering if he actually just like copied and pasted the results from one chat to another. But I feel like the best way to do that would be LangChain, right? Of like getting all these together so that they can like coordinate together or.
[00:40:24.76] - Joseph Thacker
There are a lot of agent frameworks these days. I do think LangChain is probably the most mature, but it's going to have the steepest learning curve. I would actually probably write from scratch. These models are pretty good at doing traditional algorithms, and so I would probably just ask Opus 4, Gemini 2.5 Pro or whatever to architect out an application where it has sub agents that then return this.
[00:40:50.69] - Justin Gardner
Just using the REST APIs directly. For those. For those. For those various.
[00:40:57.26] - Joseph Thacker
Yes. Yep, yep, exactly. Yeah, Okay. I would just. Yeah, because it's just so. It's like, it's not that complex and I think the complexity of learning a new like, basically hackers are just so adept with, like, scripts and hacky. Yeah, exactly. We're good with scripts and we're good with REST APIs. And so it just makes so much more sense to, like, just like, be able to see how it fully works without anything hidden in the background. LangChain has a bunch of, like, system prompts and stuff that are called whenever you're like, calling agents and stuff that very likely are going to affect the output of some of these tools in a way that you might not expect. And getting back to them in the library code is kind of annoying. I'm not great at, like, debugging deep in, like, SDKs or library code. And so I would imagine other hackers are the same way. You know, like, they just want to see the full code and the full prompt that's going to it. And so I would actually just say, like, just build it yourself and just a script and doesn't have to be anything super fancy.
[00:41:47.21] - Justin Gardner
Nice.
[00:41:47.53] - Joseph Thacker
Okay. Yeah, go ahead. No, no, if you had a question.
[00:41:51.78] - Justin Gardner
I was just going to say, like, so, you know, takeaways so far. You know, Opus is really good for writing prompts for other things. The result of his research here is that the best way to do this is to use a massive context model to answer specific questions generated by a more intelligent orchestrator model. Right. Or orchestrator agent, so to speak. Right. And then have that bubble back up to the orchestrator, and then the orchestrator can actually ask clarifying questions of each of the different sub agents to get the data it needs to make the correct deductions. And that's how we are effectively bubbling up that context from the subagents to the smart model without having to use a massive amount of context in the smarter model.
[00:42:38.05] - Joseph Thacker
Yep, yeah, exactly. And I actually. So one thing that he emphasizes a few times in this is that summarization is like, hard or impossible. And I would have never really about that because, I mean, AI is pretty good at summarization in my opinion. But I think when you're trying to understand a code base, it's just too lossy and so you end up doing that. But yeah, I loved the way that. The way the super agent, the Opus super agent was like always asking Gemini 2.5 Pro about, like you said, extra context. So here's just like a really great sample example. Whenever it's in communication with the Gemini sub agents, it says, excellent progress. Your analysis has revealed these core insights, but critical implementation details are needed for these things. And it's a list and it says like, you know, hyper priority here, high priority for this one, medium priority for this one. And for anyone just listening alone, these sections are just things that, that the models that the super agent needed answers for that the sub agents hadn't given it answers for. And so it's asking for clarification, just like Justin just said, it's asking clarifying questions.
[00:43:37.44] - Justin Gardner
Yeah, that's. That's really cool because then, yeah, you're not really surrendering the context at all because that chat is still open where that context is there and you can just pluck out the data that you need from all of these different pieces.
[00:43:49.94] - Joseph Thacker
Right? That's 1000%. Exactly right. Because those sub agents, not only do they have like, let's say they have 800,000 tokens of context, but they have their own internal monologue there about reasoning through the pieces that it's already bubbled up. So when the super agent comes back and talks to it, it's still in its own context without overflowing the context of the super agent. Does that make sense?
[00:44:13.03] - Justin Gardner
Yeah, that makes sense because that's pretty. That's a smart way of architecting it. Yeah.
[00:44:16.40] - Joseph Thacker
Yeah. It actually makes me think a lot about like a hacking team. Like, I think this is actually one core reason why people who are collaborating with bug bounty and hacking thrive and I, and we never knew it. It's because, like when someone else has a creative idea and then they ask you about it, you actually still have the context because you were the one that found the initial lead or the initial bug. And so then you're very quickly able to be like, yeah, no, that won't work because of this. So you're tapping into their creativity, but you're still keeping all of your context. And that's what happening with the super agents.
[00:44:44.42] - Justin Gardner
They're all just LLMs, man. Oh my gosh.
[00:44:48.69] - Joseph Thacker
Yeah. So anyways, down here, one thing That I thought was really neat. I showed this to you and you also thought was pretty cool. He's written, he's where he's like. Honestly, he reminds me of is a guy named Arjun. The guy who. No, Arjun was his tool.
[00:45:02.94] - Justin Gardner
Yeah, yeah. Dev something.
[00:45:07.67] - Joseph Thacker
Arjun, GitHub, Dev, Python. Let's see. Yeah, Sumdev. Yeah, some dev S O M D ev. Yeah. So Hrishi kind of reminds me of that where he has written a bunch of different tools. One is called Mandark and it's kind of a Swiss Army knife, which I don't. You know, I'm very much of the Unix mindset probably like you. I want to tell you one thing really well, but Mandark specifically, I'll click into it one thing that he uses it for and you even show me.
[00:45:30.30] - Justin Gardner
You're not sharing it, by the way.
[00:45:31.59] - Joseph Thacker
Oh, share this tab instead. Yeah, so Mandark apparently can do a lot of different things. It sounds like it's just like an AI intern. I think he used this before the models got better to kind of make his models really good with like good system prompts and other things almost like fabric or LLM. But anyways, one of the things that it can do that he added features for is basically printing out the code base of a bunch of files wrapped in XML tags so that the LLM can see the beginning and end of the file as well as line tagged numbers. So you can imagine like in Vim or in your code editor, when you turn on line numbers you could see it on the left. It includes those in the output of the file. So then if you pass it to an LLM, it can reference the line number to the human or to the other sub agents without there being like a confusion there like oh, on line 200 whenever this line was there because as we know in code some line numbers are replicated like, you know, they're mentioned multiple times.
[00:46:23.07] - Justin Gardner
Yeah, that's, that's pretty rad, dude. I think that that's necessary for these AIs to be able to communicate correctly. Because if they don't, you know, if you're just giving them those, those pieces of code as context, then they can reference a specific line of code. But where is that in the code base? Right? Especially if you accompany it with some sort of prompt that says, hey, make sure you provide a specific file and line number L whatever for this. That'll definitely be helpful in getting it to provide more contextually aware and specific responses.
[00:46:55.25] - Joseph Thacker
Yeah, and another tool he uses later in this blog post that you all will find super useful. It's called Lumentus. Basically, you can pass in it any kind of text, transcript, document your bug bounty notes or what have you. This would actually, I think, probably be pretty cool for a lot of bug hunters that have notes on a specific program. Like, let's say you're an Amazon anchor hacker and you've got a bunch of notes. Like, you know, maybe Gretme does, like, Brandon. He could just throw all those in there. And I'm staying on this tab as I talk about this, but for our listeners, basically, you know how there are websites that have code documentation where there's like a really nice table of contents and you can click around and there's like nice headings and all that. It's like a prettified website based on markdown. That's kind of what this does. And so you could imagine having these.
[00:47:36.51] - Justin Gardner
It generates that from your. Your just freeform notes. Is that what you're saying?
[00:47:40.67] - Joseph Thacker
Yep. Yeah. So it could generate it from one of our conversations. If someone wants to take like a transcript of a CTBB episode and throw it in there, it would probably, you know, link to references. It would probably, you know, show it in nice bulleted lists and like table of contents that's clickable and stuff like that. So, yeah, that's another tool that he used in this whole process.
[00:48:00.75] - Justin Gardner
Wow, that's sick, man. Hold on, go back to that last tab really quick. Can you go back to that? Did it say trending GitHub tool of the day? GitHub. Trending number two repository of the day. Dang, dude. That's kind of crazy. Across all of GitHub.
[00:48:16.11] - Joseph Thacker
It's not now, but it was at some point.
[00:48:17.78] - Justin Gardner
It was at one point. Wow.
[00:48:19.03] - Joseph Thacker
Yeah, apparently you can.
[00:48:20.59] - Justin Gardner
Wow. I've never seen that before. That's pretty sick.
[00:48:22.98] - Joseph Thacker
Yeah, it has 1.6 K stars.
[00:48:25.78] - Justin Gardner
Not bad.
[00:48:26.34] - Joseph Thacker
Pretty popular repo.
[00:48:28.75] - Justin Gardner
All right. Did you have any other takeaways from the Conducting Smarter. Conducting Smarter Intelligences Than Me. I love that title. That's great.
[00:48:36.88] - Joseph Thacker
Yeah. There was just one thing that I wanted to cover. I thought this was really nice. In his final report, he had basically some model.
[00:48:45.61] - Justin Gardner
You're on Lumentus again. I'm not sure if you're trying to share your.
[00:48:47.84] - Joseph Thacker
Oh, sorry. Yeah. So he had the report written by Gemini 2.5 Pro, simply because of the context being greater than Opus 4 again. But it was just kind of, I think, probably too technical to. And so he regenerated the report with Opus 4. And he talks a lot about this strategy in here. Basically, models will often go down the wrong path. They'll start to describe something incorrectly or they'll include a lot of output you don't want, or they'll be too repetitive or they'll be in the wrong style you want. He talks about it a lot in this guide. Basically, when you start generating, if you start seeing output you don't like, just stop it. Edit your prompt, regenerate it, right? And so you save those tokens, you save your time, you save your effort. I think too many people are not doing that and they're just unhappy with the output of the AI and then they just move on to something else, right? They don't use it or they go run a different model when really all they need to do is just tweak the prompt a few different times and just kind of regenerate it. And so he talks about doing that here, but anyways, what he ended up converging on for his written report and I'm not going to read all of this, but there are a few things that I thought in here were cool. He's like, we want this report to be consumable by an audience of deeply technical learners. Don't reintroduce stuff, stick close to delivering value, don't introduce things or just talk about them. Like actually, you know, deliver actual value. The intent is to cover this, this and this, but be creative and, you know, unique or whatever. And then this bottom part says, expect a high level intelligence from the reader. Don't talk down to them. Think they're almost like a senior engineer who's looking to learn and implement.
[00:50:17.25] - Justin Gardner
You don't need to tell them that's.
[00:50:18.53] - Joseph Thacker
Good, you don't need to tell them why, but don't leave out any bit of useful context or implementation specifics that would be helpful. And so I thought that was just like a really cool thing just to throw in some prompts because, you know, like there's some. We've all spent way too many hours reading like filler text or just descriptions of things. When it's not being like practical. It's almost what we do on this podcast, right? Like our goal is to bring really practical tips, not just talk about the things, but talk about what you can do with the things or what you should invent to do with the things so that you can improve the industry or you can make more money or you can do better in bug bounty, right? So.
[00:50:51.01] - Justin Gardner
Right, dude. And I think looking at the output of this thing, I'll just sort of share my screen as well. Looking at the output of this thing, this is like a dream for a hacker who was going to go hack this. Oh, you know, like, like there's just. I mean, look at these sections. Dependencies, data structures, control flow tools, architecture, novel components, file editing, you know, like all of these are. This is exactly what we would want. This is like documentation for a tool that is closed source, you know, Exactly. Which is, I mean, what we do every single day. So it would be really amazing to see this methodology, especially the orchestration piece and that sort of thing copied into a tool that you could just point at a JavaScript file, a massive JavaScript file, or a folder of JavaScript files to have this, to have this happen. And I guess I can't fail to mention that what freaking XSS Doctor did at NahamCon, that was very similar to this, which is he took the web chunked pieces of the JavaScript files from a given web app and fed those into LLMs and provided summaries because those web chunked pieces are smaller and already compartmentalized for a specific set of functionality. So they should be autonomous. They should be not dependent on other pieces of the code in large way.
[00:52:10.11] - Joseph Thacker
In general, I just think that even if it's not 100% perfect, Hrishi is a little bit of a perfectionist. So I think that's why he wanted this to be very accurate with no hallucinations and very one shoddy and very whatever. But I think even doing stuff like XSS Doctor is a genius. I think that if somebody's not as smart as Hrishi or XSS Doctor, just like throwing code you don't understand into AI and being like, hey, tell me where some potential security issues. What should I test here? What should I do? Can be really valuable even if you're not going to build some huge robo system.
[00:52:42.28] - Justin Gardner
Yeah, absolutely, man. I'm trying to find real quickly here that piece. I want to say it's multi document, but maybe it's something else that he used for that talk. So I got to go get that favorited or something like that, but I'll see if I can. No, no, no, not multidock. The JSCollab. That's what it's called. Here it is right here. I'll link it down in the description. But that was that thing that I was talking about where it uses Gemini to take all of the different pieces of the JS and provide the analysis for them. So it's a great tool.
[00:53:13.46] - Joseph Thacker
And then we had one last thing, this weird Google logo ligature, which I cannot help but think this is going to result in some bugs.
[00:53:19.82] - Justin Gardner
Yeah, dude, this one is super whack. So this was just. This came. I saw this a while back and it just came up in conversation with me and Rez0 today. But the TLDR of this is that the font that was being used in the URL bar for Chrome had some ligatures defined in it that would allow you to do spoofing. So I'm sorry, for the listeners that are audio, this one's a little bit more of a visual one. But for you users that are watching on YouTube, you can see right here that the URL bar has just a fancy G O, O G L E on it. Right. But if you look at the actual error in the body, it says, Google logoligature.net was not found. Right. And so essentially what's happening here is this is actually requesting at the DNS level, a domain called googlelogoligature.net but what's being displayed in the URL bar is just google.net with a fancy style on it. So it allowed you to do really impactful URL spoofing for google.com, google.net, whatever in the browser. Very interesting discovery, I think.
[00:54:32.63] - Joseph Thacker
Yeah, we were talking about. And you can actually still go replicate this. So it's kind of fun to play with if you copy and paste one of these special strings into Google search on google.com. Yeah, let me actually show you.
[00:54:45.42] - Justin Gardner
What was it? Oh, Google. I had it and I have it in my history right here. Yeah, look at this. Look. This is crazy. Look at this. I select. Oh, Google logo ligature right here. And look, it's still. Oh, not just. It's crazy, dude. So it is crazy that this still works on the Google Search, you know, bar right here.
[00:55:05.69] - Joseph Thacker
Will you show the full list of strings?
[00:55:07.69] - Justin Gardner
Yeah, yeah, yeah. Hold on. So that's.
[00:55:10.17] - Joseph Thacker
It's like Glogo.
[00:55:13.05] - Justin Gardner
Yeah. So here's the. Here is the list right here. It's Google underscore logo, G underscore logo. And then you've got, you know, E logo ligature, G logoligature, L logo ligature. These individual characters that are styled in the specific way that Google wants them to be. And I'm sorry, we didn't really go back and explain font ligatures, but that's kind of what we do on this pod. Much like Opus Model is not supposed to go back and explain. So if you need to Google what a font ligature is, go Google what a font ligature is. But, yeah, so definitely a cool piece of research here. It puts something on my radar that I didn't have on my radar before, which is any place where spoofing can be actually really security impactful, like a URL bar. You should definitely be looking at the font that's being used to render the text and check for ligatures that may result in a mismatch between what's displayed and what's actually being held in the value for that given display of text.
[00:56:08.73] - Joseph Thacker
Yeah, and these Chromium changes are open source, so if you could find a bypass, it could result in a vulnerability.
[00:56:12.96] - Justin Gardner
Oh yeah, I'm glad you brought that up, dude. The fix for this was kind of whack, so. Hold on, let me share that too. So here's the code that was used to actually fix this vulnerability. And instead of addressing the fact that this font has ligatures that they're using in their URL bar, they actually just provide a deny list of like strings that will result in these ligatures occurring. So yeah, and then the code here is just like domain hostname, dot find, unsafe ligature. You know that that needs to not exist. It needs to not be in that, in the string or else it won't resolve. So seems like a little bit of a band-aid patch to me. Sort of. But. But I'm sure there's a good reason for the Google engineers to have done it this way. It just does not protect us if there are additional font ligatures being pushed into the font that is being used in the URL bar for Chrome. So that could be a good area to monitor if you're looking to get bounties in Google Chrome itself. And what did this pay? Dude, how much was this?
[00:57:20.21] - Joseph Thacker
$15,000.
[00:57:21.96] - Justin Gardner
It was $15,000 for this bug, which is crazy. So the team, the Google team is definitely taking URL bar spoofing very seriously.
[00:57:29.67] - Joseph Thacker
Yep. Sweet. I think that's all that I've got on our list. I think it's all you've got on our list.
[00:57:35.40] - Justin Gardner
Yeah, dude, let's wrap it. Good episode, man.
[00:57:37.76] - Joseph Thacker
Thanks guys. Peace.
[00:57:38.80] - Justin Gardner
Peace. And that's a wrap on this episode of Critical Thinking. Thanks so much for watching to the end, y'all. If you want more Critical Thinking content or if you want to support the show, head over to ctbb.show/discord. You can hop in the community. There's lots of great high-level hacking discussion happening there on top of the masterclasses, hack-alongs, exclusive content and a full-time hunters guild. If you're a full-time hunter, it's a great time. Trust me. I'll see you there.