Episode 143: New Cohost + Client-Side Gadgets, LHE Meta — Instant Global Admin in Entra!
Episode 143: In this episode of Critical Thinking - Bug Bounty Podcast, Justin brings Brandyn back to announce him as our newest co-host. We chat about recent LHE experiences, and then break down some news.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
====== This Week in Bug Bounty ======
YesWeHack won the European Commission tender: https://www.yeswehack.com/news/european-commission-tender-won-yeswehack
YesWeHack is now an authorised CVE Numbering Authority: https://www.yeswehack.com/news/yeswehack-authorised-cve-numbering-authority
A wide range of widely used open source bug bounty programs such as Log4j, systemd, GNOME and many more:
https://event.yeswehack.com/events/open-the-code-source-the-bounty
====== Resources ======
Attributes reference inside HTML
Explaining XSS without parentheses and semi-colons
Beyond Sandbox Domains: Rendering Untrusted Web Content with SafeContentFrame
====== Timestamps ======
(00:00:00) Introduction
(00:03:16) LHE approaches and accomplishments
(00:30:54) Attributes reference inside HTML & Explaining XSS without parentheses and semi-colons
(00:44:33) One Token to rule them all
(00:57:13) Flareprox & Caido 101
Title: Transcript - Thu, 09 Oct 2025 15:57:36 GMT
Date: Thu, 09 Oct 2025 15:57:36 GMT, Duration: [01:04:24.52]
[00:00:00.96] - Brandyn Murtagh
Yeah, man. I'm just finishing up my 18th report and then I've got to submit six more and I'm like, shut the frick up, Brandyn.
[00:00:11.83] - Brandyn Murtagh
Was it the accent or the bug count that annoyed you? When I said it was, you know.
[00:00:15.24] - Justin Gardner
A little bit of both, you know, makes me feel like I'm in the bin, you know. Best part of hacking when you can just, you know, critical things.
[00:00:33.82] - Brandyn Murtagh
Yeah, dude.
[00:00:42.21] - Justin Gardner
Alrighty, hackers, fun little announcement before we jump into the episode this week. Brandyn, gr3tmi, you know, you guys know him and love him from the pod, has been working with us for a long time. He's been running our hacker notes and he's done an excellent job at that. But after probably two years of working with the podcast, we have decided to graduate him to a co-host. In light of his massive success in the bug bounty world lately in the live hacking events and just going as a full time hunter, I think we'd like to have him a little bit more in the spotlight and sharing his experiences. So Rez0 isn't going anywhere. Don't worry, I'm not going anywhere. We will have three hosts of the podcast, yours truly, Rez0 and gr3tmi, and we will kind of hand off from week to week. But I just, I just. It's just been amazing to see his growth as a hacker and I think he brings really good insights to the pod. So we just wanted to welcome him on as a co-host. So, yeah, shoot him a DM, tell him you love him, he's doing a great job and I'm excited to chat with him each week. Actually, I think this episode that we're running right now should have him on it. So enjoy and yeah, definitely send him some love. Let's go. All right, hackers, we got a quick This Week in Bug Bounty segment for you this time around. It's kind of actually been a big week for YesWeHack. They just landed an $8 million contract with the European Commission, becoming the new preferred bug bounty services provider in the EU. And I think these sort of things, in addition to what's going on in Iceland with their program, the European Union, we're seeing they're making moves in the bug bounty world and I really want that to be successful because then other parts of the world will learn from it and do the same. So very interesting stuff here. YesWeHack also recently became a CNA, which is cool, so they can issue CVEs and they launched. This is the opportunity I wanted to tell you guys about. 
They launched this open source bug bounty leaderboard here, there are already quite a few people rocking it on here, but if you're really into the open source scene, this could be a great place to look, find other hackers to collaborate with and programs to work on. All right, let's go back to the show. Dude, these are the weeks that we live for, man. Am I right? Like these live hacking events, I just leave these live hacking events just brimming with energy and passion for bug bounty.
[00:03:04.37] - Brandyn Murtagh
Oh man, it's so good. It's so good. You get to see your friends, you get to hopefully completely crush the target and have some good war stories from it. It is top tier stuff. You just can't. You can't top it.
[00:03:17.75] - Justin Gardner
Yeah, dude. Okay, so let's set the scene a little bit here. I just got back from Sweden with the HackerOne live hacking event. Awesome. You are currently crushing it in an IPC with. Is the target public for those or no?
[00:03:31.27] - Brandyn Murtagh
I don't know. I'm not sure.
[00:03:33.43] - Justin Gardner
How many reports? Dude, it's like 20 something reports. Right?
[00:03:36.06] - Brandyn Murtagh
So I checked the stats this morning. I spoke with Jrock and he was like, man, you're responsible for half of the reporters reports.
[00:03:44.61] - Justin Gardner
That's my boy. Yes. Well done, man. Yeah, yeah, I, I, I. Because we had our little, you know, I don't even. We, we used to call it our mentorship meeting. Now you've kind of graduated from this. But we had our little sync meeting and, and you were like, yeah, you know, and I started one day. One, one freaking day late on this competition, man. And you're like, yeah, man, I'm just finishing up my 18th report and. And then I, I've got to submit six more. And I'm like, shut the frick up, Brandyn.
[00:04:14.22] - Brandyn Murtagh
Was it the accent or the bug count that annoyed you when I said.
[00:04:17.26] - Justin Gardner
You know, a little bit of both, you know, makes me feel like I'm in the bin, you know? No, dude, but that's exciting, right? And so, I mean, what, how, how, how, bro?
[00:04:29.91] - Brandyn Murtagh
Yeah, I done a little bit of prep before the event to help myself out because it's been a while since I have actually committed some time to hunting. So a week before I really the event Headspace, I sort of done what I could do around getting my information about some of the services that could have been in scope. I didn't know at the time. And I started looking around at the scope when it drops and I really, I have this, I don't know, theory of like, know your target is what I refer to it as when I'm trying to explain it and I try and summarize what would hurt and where would hurt and based on what scope is available, what I can do with that. So essentially what. Oh, man, I'm really trying hard not to like, give any details.
[00:05:21.56] - Justin Gardner
Come on, man, like, give us a little juice. Just a tiny little bit of juice.
[00:05:25.48] - Brandyn Murtagh
Well, I was fortunate enough to use a bug to gain some information from another part of the app. And although the bugs aren't chained, the information was quite useful because I could deduct a lot from what I had. Say no more. That is it. My lips are sealed.
[00:05:54.44] - Justin Gardner
Okay, so this is a little bit more. This is a little shout to the bug bounty metagaming here, which is like when you are finding vulnerabilities and gadgets as well, you know, gadgets that can leak information. But you got to keep a big picture mentality here, right? It's not necessarily like you are always just going to, I find the bug, report the bug and then it's finished and you move to the next one. Right. Sometimes you can use what you learned from those bugs or use some of the information revealed via those bugs to inform other vulnerabilities. And in fact, you should if you're looking to optimize your earnings, right? Is that what you're saying?
[00:06:26.58] - Brandyn Murtagh
Yeah, absolutely. And I just really dug deep, tried to understand the threat model, tried to understand all of the apps, and sort of got a. Got a bit of a feel for what I would perform well on. And that's another thing as well. When you're looking at scope and you're trying to get a feel for it, try and look for your flavors of hunting on that scope. And see, because I doubled down, I was okay. Probably would do okay here. And I was right this time. And dude, I also done a collab with the, with the, with the big dogs as well.
[00:07:01.54] - Justin Gardner
Oh, did you really?
[00:07:02.66] - Brandyn Murtagh
Okay, yeah, with the big dog. So that's, that's going to be a fun one if it comes through, but.
[00:07:07.81] - Justin Gardner
Well, I think you messaged me, right? I don't know if I can dox your DMs here, but like you messaged me and you're like, hey, man, I've got this cool thing. And then like I see like two hours later I did it was it at my phone. You're like, shit. You know, Franz popped it. It's like, ah, dang it.
[00:07:23.23] - Brandyn Murtagh
You know, like what was interesting, I kept that conversation going. Or we kept that conversation going and we actually figured out we could do Some other things on another endpoint, so we got a really nice bug out of that as well. So yeah, it's good, but that's. Sorry.
[00:07:40.79] - Justin Gardner
Yeah, I just, I wanted to say, just going back to before we moved along from your principle that you shared just a second ago, I totally think that's true in trying to align the scope to your like, capabilities and stuff like that and figure out which app in Scope is like, you know, you have an advantage on as a hunter. But one of the things that I've, you know, just consistently come back to lately is, you know, I am intimidated by a good amount of scope, like desktop applications, binaries, some mobile stuff, you know, like just there's a good amount of that that I am afraid of and then sometimes I try to go after that because that's where the impact is and I can see that clearly and I always am happy that I did that, you know, Like, I have never not been happy that I've done that. And I just think that's really odd because I feel like I should fail at that sometimes, you know, and I feel like I should come out with like, ah, this is a little bit of a hit or miss, you know, like. But really every single time I've done it, it's been like, wow, that was great, you know.
[00:08:44.14] - Brandyn Murtagh
Yeah, I remember you saying that about a few events actually. I feel like there's two things that come into play though, is really understanding the threat model and also having a good foundation to rely on in terms of technical ability because there are a lot of principles and concepts which will be cross applicable regardless of what you're looking at. And I feel like you obviously have very, very strong foundations to tap into. So just look at whatever, man, you'll find bugs, you'll be fine.
[00:09:13.08] - Justin Gardner
It could be, it could be, it could be that. Yeah. But I also think a lot of other hackers are intimidated by the same things you're likely intimidated by.
[00:09:19.87] - Brandyn Murtagh
Sure.
[00:09:20.36] - Justin Gardner
And you know, they probably haven't had eyes on it. And actually this is something that I was thinking about recently and I was on a run and I was thinking of actually about your conversation about starting your, your pen test company or whatever because you've had a lot of inbound and I was thinking, you know, one of the really cool things that I would like to see some people market in a pen test company is a pen test company that only looks at the intimidating part of your scope. Right. So this is not your first pen test company. This is the company that is going to go deep and get the things that other people shied away from because they have a responsibility to do coverage on other parts of the apps. Right? Um, and, and so like, let's talk about a, a normal pen test situation. You know, you hire the company, they come in, you've got 80 hours through the pen test, 60 hours, 70 hours is, oh, I need to cover all of the web endpoints and I need to like check them for all of the normal stuff and, you know, some logic bugs or whatever, right? That takes up the bulk of your time. And then, you know, you have maybe 10, 15 hours to look for these crazy deep bugs, right? Not enough. Not enough, Right. And so they don't do it. And then, okay, you're like, okay, I fixed some of those things. Well, guess what? The next guys that are going to do the next pen test, they've got to go through and they've got to do their due diligence on the same applications, the same endpoints, right? And maybe they'll find something different because they've got a different set of eyes and a different way of perceiving those pieces of functionality. But it's unlikely that anybody is going through all of the hoops to configure all of the stuff like we see in Bug Bounty. Right? Like, that's what, why we find crazy stuff in Bug Bounty is because we are digging deeper, deeper, and we're not confined by this, by a need to cover everything because we can cover whatever the heck we want. Right? 
And I think it would be a really interesting differentiator for a pen test company to say, hey, listen, we're going to ignore all of the basic scope, some give it to the other pen test companies. Okay? We are just going to go for the stuff that's very deep and very technical in your app and spend time there. We may not find anything, but we may find something that breaks the whole world for sure.
[00:11:28.67] - Brandyn Murtagh
So sort of like a flavor of red teaming. But for web apps and that sort of hardcore, like in the weeds type research, I think it could be very good.
[00:11:40.75] - Justin Gardner
And we see some of this stuff with like Cure53 and stuff like that, right? Where they're going super deep on stuff. But I, I don't know that they're putting it in their marketing material that it's like, hey, listen, we're not going to find your access control bugs, you know, like, it's not going to happen. We're going to focus on this.
[00:11:57.95] - Brandyn Murtagh
Yeah, no, that's an interesting thought. I feel like there would be a lot of Appetite as well for some of the biggest security companies that want that to go through their budget to improve, and also for actual bug bounty companies as well, before adding new scope to in program. That's exactly what they'd want to do. Let's talk about that after.
[00:12:21.95] - Justin Gardner
Yeah, yeah. Like, why. Why are we doing this on air? Shit. Yeah, okay. All right, anyway, let's get to the actual content of the. Oh, wait, no, no, no. I didn't even get to talk about my live hacking.
[00:12:31.78] - Brandyn Murtagh
Yeah. So how. How did your stuff go? I heard from somewhere you might have done very well from this event.
[00:12:37.71] - Justin Gardner
Frick. Let me check right now, because I think they're still paying out some of this stuff. I'm still, as of recording this in first place, just barely sliding above the. The team baguette, which is amazing. But yeah, man, it was a great event. This one was in Sweden, which is actually one of my top places in the world to go. And I. I found a couple good bugs that I was actually able to get escalated to criticals because of some nuances in their threat model that would not traditionally be criticals. And so that was good. And then, yeah, man, just sat down and pumped it out on a very difficult piece of scope and found, you know, the super crit that you need to like seal a good event. Right. Because I feel like, you know, just going back to the live hacking event strategy thing, I feel like if you want to crush it at an event, you've got to have like, good performance across the board. You know, get your mediums in there, get your highs in there. Get, get, you know, one crit, two crits and then one mega crit. Right. That kind of seals the deal at least, you know, if you get one mega crit, that's like, oh, no, like this is the end of the world, then that. That really solidifies the event for you. So that's what I was going for.
[00:13:57.29] - Brandyn Murtagh
So I want to talk to you about that because there's this. I've had it in a few of the other events and I'm really digging deep to try and find something obscure. It's taken me a bunch of time. I enter. Panic's not the right word, but like this mindset of, oh, no, I'm not reporting something. Do I. Do I go for volume or do I go deep in this? Do you experience that at all? And how do you combat that? Because it almost blocks my ability to go really deep in the weeds sometimes, and it's very frustrating.
[00:14:31.03] - Justin Gardner
Yeah, I think I do. And I think that was, that was something I struggled with more earlier in my life, hacking event career, but still struggle with. And that is why, you know, in the beginning I spent a lot of time and just like you did this event, I was so hyped when I heard you say this. Cause I'm like, that's, that's my guy. Um, but, you know, going for volume, trying to get a feel of these applications. Right. Getting a decent amount of base reports in, and then you've already done, you know, a good amount of like looking into a specific app. Right. And I would say volume in a specific app. Like, I would really not endorse jumping from app to app to app to app. I would say volume and a specific app. And then, you know, after the dupe window closes or after you feel like you've got a good base of reports or understandings, then kind of shooting your shot for those deeper. Those deeper bugs. Right. But yeah, I think often I've done that post dupe window. The con of this approach is that sometimes the megacrits that people find right off the bat will get fixed and you'll miss them.
[00:15:37.73] - Brandyn Murtagh
Yeah. I mean, it's again, finding a strategy that works for you fundamentally, because different people, like there's a few LHE hackers that run their game in a way which would just give me a meltdown. I can't do this. So again, I think it just comes back to, as you said, that experience and finding your flow. Because everyone looks for different bug classes. Different bug classes require varying content, context of the application, varying understanding. It's all unique, I guess is my point.
[00:16:08.54] - Justin Gardner
It is, it is, man. It's a, it's a very unique ecosystem. It's a good, It's a good thing that we've got variety too. And, and I think some hackers just don't give a lily and they show up and they hack whatever they want to hack. And I think that's cool, you know, but I think, yeah. And to some degree I aspire to that, but I also aspire to really consistently performing at these live hacking events. And I think that my methodology and the methodology you implemented here, I think is one of the most reliable ways to reliably perform. Right. And. Yeah. And whereas you'll see some people that knock, knock mega crits on day two at some events and then don't find anything at other events.
[00:16:47.92] - Brandyn Murtagh
Yeah, 100%. I feel like we might have to edit that out because that's a very valuable meta strategy.
[00:16:53.61] - Justin Gardner
Yeah.
[00:16:54.16] - Brandyn Murtagh
That people are going to use against us.
[00:16:56.49] - Justin Gardner
Yeah, well, you know, hey, that's. That's the give and take of the pod, man. Like, I, I especially lately, I've been realizing, like, dang, like, some of the stuff that I. That we distribute on the pod stings sometimes when it comes back to, like, be used against you in a competition, dude.
[00:17:14.15] - Brandyn Murtagh
The one of my most prized gadgets that I use in so many chains that I mentioned on my first POD episode has been patched since that went out. And I only noticed this, like, two weeks ago.
[00:17:26.23] - Justin Gardner
What is it?
[00:17:26.78] - Brandyn Murtagh
Maybe three weeks ago? It was the. On the target that I look at quite often in a certain part of the ecosystem, the OAuth flow, where you can force a redirect.
[00:17:38.51] - Justin Gardner
Yeah.
[00:17:39.31] - Brandyn Murtagh
Just without sort of like, it's just by design. But they patched it and it completely. I was getting so excited. I was like, I've got something just for this. And then nothing. I was like, I shouldn't have said it on the pod. I just should have just left it.
[00:17:55.23] - Justin Gardner
Yeah, yeah. And sometimes. And like we discussed before this episode, you know, you do have to kind of watch the things you say because these companies do, like, especially the companies that we're talking about under, you know, I guess, behind the scenes a little bit right now, they all listen to the podcast, you know, and so it's like, all right, but it's part of it.
[00:18:15.63] - Brandyn Murtagh
It's part of it.
[00:18:16.67] - Justin Gardner
It is. And it. And it's a part of the give and take of the industry as well. We are standing on the shoulders of giants in so many ways, you know, and so, yeah, I guess it's part of the game.
[00:18:27.59] - Brandyn Murtagh
Before we move on, I did want to talk about some of your takeaways because you have some very unconventional pieces of wisdom in here, which I'd like you to double, double click on.
[00:18:41.27] - Justin Gardner
So I want to. I want to be clear about this. These takeaways are a mix of experiences from this last live hacking event and from talking to other hackers at the live hacking event about their experiences at LHEs and in hacking over the past, like, couple. Couple weeks now or a couple months. I want to disclaim here. I always get people's permission before I share these things. So don't do frickers come up to me and be like, oh, can't tell Justin anything because he's gonna yap about it on the pod. I always get permission before I talk about something on the podcast. So anyway, with that being said, here are a couple fun takeaways. Okay. One, sometimes you fight with a WAF. Okay. And that is a very unpleasant experience. And most of the time we win our battles with WAFs. It's just persistence. It's encoding, it's understanding quirks of the system, it's, you know, stripping or sanitization that occurs on the backside of the WAF. Right. All of those things can lead you to bypassing WAFs or contextually aware WAFs as well, you know, trying to abuse that. Yeah. The problem is sometimes they've just got like an includes rule and they just auto deny and it's like there's nothing you can do, you know. And so one of the hackers I was speaking with, I had a situation like this recently and they were saying that the way that they actually ended up exploiting it was internal employees for this company are not routing through the WAF. Their DNS internally resolves directly to the host. So while all of the users of the company were hitting Cloudflare or Akamai or whatever it was, when an employee clicked the link, there was no WAF in front of it and the bug would pop. Right. And in the specific context the guy was telling me about, the internal employees were one of the prime targets for this bug and they had a delivery mechanism through the business logic. Right. So it was just like a perfect storm. 
But I hadn't really thought about that before, so I wanted to shout that out. And I also just don't have really any good ideas on how to test whether this is possible without actually like having a contact at the company.
[00:21:10.98] - Brandyn Murtagh
Yeah, it's tough because those sort of context, which is what you'll only really see when you're looking at, say, like blind XSS bugs typically, isn't it because they're being detonated from a different context in terms of how, man, you'd need some serious threat modeling and guessing, I think, in order to get to that. And you'd also need the bugs to line up in the sense that you actually can deliver a canary of some description to even test it. So I'd say it's definitely rarer from what I can think.
[00:21:43.52] - Justin Gardner
Yeah, I'm thinking as well, like blind XSS is an interesting point. You know, you could definitely test it with a blind XSS if you're just looking for. If you have a blind XSS and you are trying to do what you were saying, like use the bug to gain more information about your target, which is a little bit red teamy, a little bit pivoty, but, you know, ask forgiveness rather than permission there sometimes. But I was also thinking when you said that actually maybe this could be a good use for blind SSRFs is if you've got like a, like an only status code blind SSRF. What you could do is try to hit an asset from that blind SSRF that's a public facing asset from within the company and put a malicious string. Let's just do your normal script alert in the query params and if it hits that server and doesn't give a 403 then you're not getting blocked by the WAF. Right, but if it does, then you know that you are routing through the WAF.
[00:22:46.14] - Brandyn Murtagh
Yeah, that's good.
[00:22:47.66] - Justin Gardner
Interesting thing. You could potentially use a blind SSRF to kind of give you some intel about the company for.
[00:22:52.05] - Brandyn Murtagh
That's good, that's good. But that comes with its own caveats of you don't actually know the segment you are calling out from internally and what that looks like, but it's still a potential gadget nonetheless.
[00:23:03.22] - Justin Gardner
Yeah, it doesn't say that it's not the case, but if it works then you do know that it is the case.
[00:23:08.14] - Brandyn Murtagh
Exactly. Yeah, it's like a. Yeah, that's some big brain stuff.
[00:23:12.40] - Justin Gardner
That's like some. I know there's some like logical like if A is B and B is C, then A is C or whatever like thing that I can do there, but I can't wrap my head around it.
[00:23:24.07] - Brandyn Murtagh
Yeah, don't look at me, mate. I can't do that on the spot either. Give me 10 minutes and I might be able to.
[00:23:30.48] - Justin Gardner
Okay, so that's takeaway number one. Can circumvent WAFs sometimes with, for internal employees not routing through, you know, external DNS. Number two, secondary context bugs. I've always struggled with exploiting and I've done it, you know, a dozen, couple dozen times probably. But I just, whenever I look at them, unless it's really verbose and it's really just dumping back exactly what's happening on the back end API. Sometimes I really struggle with it because it's like, you know, they're expecting a certain format in the JSON structure of the response and sometimes you're getting partial fields back and sometimes you're not getting anything back. And it's like one tip that I did get from a hacker at this live hacking event and they actually showed me the bug from a couple months ago that they exploited was that secondary context bugs can also be exploited to bypass access controls within a like RBAC environment, which is very interesting. Like sometimes what you'll see in apps is that you know they've got maybe like your organization ID or your account ID or whatever in the URL, right? And if you try to mess with that at all, you're done, you're hooked. Right? Like it just has to be there as a part of the path for the API and that's where all their access controls are done. But sometimes that's done by a front end service. So if you have a secondary context path traversal, you may be able to provide an organization or an account ID in the path that you own so that you're an admin on, but then you're also in a different organization where you're just a lower privilege user and then overwrite that on the secondary context, traverse back up and then, and then go build out the whole path again. I hope that makes sense. But I just almost always thought about this from the context of like cross-org attacks and I think obviously that's where you should go first. 
But if you're really stumped on cross-org attacks, definitely try to exploit same org RBAC implementation and see make sure that extends past the first proxy into the secondary API as well.
[00:25:55.15] - Brandyn Murtagh
This is so painful because there's so much I want to talk about but I can't from this event. But that exact scenario is. I'm working with something now and I've been testing this theory all morning. Hopefully I can talk about it next time. But it's a very good way to look at things because once you start getting those sort of gadgets, it can turn something which was weird behavior into a really, really nice bug just by thinking about architecturally where are those access controls implemented and if you can get verbose errors or something like that to disclose that as well, which I may or may not have done somewhere, just I'm going to stop talking.
[00:26:37.34] - Justin Gardner
Dude. Yeah, it's crazy because I mean the bug that the guy showed me, it's, it's on a different target than the one you're working on. And it's interesting that we're seeing this, this one. You know, you're giving good tips. Guys, this is, you know, this is what's so exciting to me about Critical Thinking though is I love it when we get to talk about stuff like this and I know that many top tier hackers are listening to this being like, ah, I'm gonna change my methodology because of this. You know, that's our North Star with Critical Thinking is. And even with you coming on as the, as the co-host, which by the way, after we started I decided I'm going to record a preempt to this episode and explain that. So they already know about that.
[00:27:15.56] - Brandyn Murtagh
Okay, good.
[00:27:17.17] - Justin Gardner
But, yeah, I mean, it's, you know, one of the north stars that, for the podcast, is making sure that elite hackers, you know, intermediate to advanced level hackers, are getting a takeaway every single week that modifies their methodology that makes them be a better hacker. Right. If we're doing just one of those every week, then we're winning, right?
[00:27:36.86] - Brandyn Murtagh
Absolutely.
[00:27:38.10] - Justin Gardner
And so, yeah, absolutely.
[00:27:39.63] - Brandyn Murtagh
Let's just hope we don't dupe on any of these bugs now.
[00:27:41.95] - Justin Gardner
Yeah, dude. Shucks. Yeah. Okay. All right, last one. Keep this one brief. I don't know. This is something that I. I mean, I was in Sweden, so I was hanging out with. With Franz and Matthias, and these guys are just legendary. And. And I always leave conversations with them thinking like, man, I do not theorize what's happening in the back end. Pipeline. Pipelines nearly as much as I should, you know, and especially in an environment when you're working with an amazing team and you can have a conversation with them about, like, hey, is this what's going on in your back end? Or, you know, whatever. Like, it just opens my eyes to like, oh, yeah, that is a very logical deduction that I could have made from a black box perspective. And I just need to start flexing those muscles a little bit more.
[00:28:29.58] - Brandyn Murtagh
That is exactly it. I recall there was a time at some point last year when I messaged you after Franz dropped a crazy bug, and I was like, what have you done this week to think more like Franz when you're approaching a target? And I remember besting you like, four times. But, yeah, I think he's the best example of it. When the research on the. Do you remember the headers when he, like, shelled through the I idem, through.
[00:28:54.73] - Justin Gardner
The request id, the, like, logging headers?
[00:28:57.73] - Brandyn Murtagh
Yeah, that is like the perfect research if you haven't seen it. Go and check out the old hacker notes, because that is like, the perfect highlight of using that. What can we deduct from a black box scenario perfect of exactly that. And it's just insane.
[00:29:12.91] - Justin Gardner
One of the. One of the things I've realized from this too, from. From talking to Franz and Matthias, though, is that, like, Matthias is. I mean, we. We. I've highlighted Matthias many times on this podcast because of the amazing hacker that he is, but he continues to be underrated, man. Like, Matthias is. Is every bit like, as. As good at that as Franz is. And. And you just don't hear about it quite as much.
[00:29:35.36] - Brandyn Murtagh
I feel like he doesn't make as much content though, compared. I might be wrong on that.
[00:29:39.45] - Justin Gardner
We're fixing that though.
[00:29:40.41] - Brandyn Murtagh
Okay?
[00:29:40.80] - Justin Gardner
We are. Like, I sent him a mic for the pod and to be honest, man, I've used his Archive Alchemist tool a bunch we talked about on the pod. He covered it in an episode. Super good tool and really, really excellent for finding critical vulnerabilities. And guys like, if you haven't watched that episode, go back and watch that episode whenever you actually have the opportunity to test an archive upload. Okay. Because I did that recently when I was testing some stuff and I had such a blast with it and I got some really impactful stuff out of it. And now I feel, excuse me, so much more comfortable with that tool, you know, And I've got muscle memory for it. I know exactly what it can do. And now that I've done it at least once, testing the whole methodology that he outlined in that episode, I just feel like I've got a grip on it now and I will not shy away at all from archive related vulnerabilities moving forward. I will run to them because I've got the tool and the methodology to exploit them.
[00:30:41.49] - Brandyn Murtagh
Yeah, man, I've been waiting. I really have been waiting, but nothing as of yet. So I'll keep an eye out and hope something cool comes up.
[00:30:48.52] - Justin Gardner
Keep an eye out, man. All right. That's what I had for my live hacking events, chats and takeaways. So let's get into some news content, shall we? First up on the news, actually, we've got Gareth Heyes dropping stuff, as always, and this one was particularly interesting, I thought y'all, because he's using this attributes. For those of you that are on YouTube, you can, you can check it out. But he's using the attributes reference inside of an HTML on-event handler. So he's got input onfocus and then attributes zero value. So he's reassigning the first attribute of the specific HTML element, which is in fact the onfocus that he's presently in, and then reassigning what JavaScript should be run upon execution of this function here. And then he uses that to smuggle data in from the hash which is contained in the URL reference and redefine what the actual JavaScript is being run when that on-event handler occurs. So I know that that's a little bit, a little bit dense there, but the main takeaways here that I think the hunter should have is that if you need to smuggle data. Maybe you've got like a specific character set that you can't get past. Because this is pretty character set liberal. You can reassign attributes inside of your HTML element. So input onfocus or whatever using the data from the URL reference, which is only valid inside of an HTML tag. Very brilliant approach here by Gareth. And I did have a little demo. Do you understand what I'm saying? Grab me or is this just like.
[00:32:42.41] - Brandyn Murtagh
Yep. So for me, like I'm looking at you saying these words and I get like one fifth of the context before my brain goes, nope. And then I get the other one fifth. Nope.
[00:32:54.36] - Justin Gardner
Okay, look at this, look at this lab really quickly because he linked this lab as well. Okay, so the on click for this input is attributes 0. So the first attribute.value equals backtick plus URL plus backtick. Okay? So essentially it's saying, hey, take the current URL, stick it inside of the first attribute, which is the on click and put it inside of template literals. The backticks, right? So then what you do is when you click it, look what, look what happens now. It takes the current URL, sticks it inside of backticks, right? And then from the hash you grab the dollar sign, curly brackets, alert one, which allows you to execute code inside of the template literal, right? And then when you click it again, you get the pop, right? So it's priming the data in the hash with dollar sign curly brackets, alert one, right? And then it's using the attributes zero dot value to take the data from the URL, stick it inside of the the on event handler, and then when you trigger it, it triggers the, the actual code that's in the URL to be run.
[00:34:04.53] - Brandyn Murtagh
Does he just sit at his desk and goes, you know what, I think this might work. And then he just writes that and it works.
[00:34:11.98] - Justin Gardner
I think he does, dude. I think he actually does do that.
[00:34:16.30] - Brandyn Murtagh
I see some of these things on a scrolling on Twitter and I actually, I laugh out loud because I just think, how has someone just concocted that? And everything he posts is just so good.
[00:34:28.76] - Justin Gardner
It's freaking good, man. And I will say for those of you that are not like client side, like loving client side stuff, if you are, you should definitely be investigating this. But if you don't, your major takeaways here are using the attributes reference to redefine attributes on your current HTML tag. And then knowing that URL, the string URL, all caps, is a way to reference essentially the document URI. Only when you are inside of an on-event handler.
[00:34:58.25] - Brandyn Murtagh
Doesn't it reference something else when you're outside of an on-event handler?
[00:35:02.61] - Justin Gardner
Exactly. If you just type URL. It doesn't typically, it's like a type, right? It's a constructor. But if you're actually doing it inside of the function inside of like an onclick event or something like that, then. Okay, well it didn't update. Update it now. But yeah, you can see right here. That's the document URI.
[00:35:23.65] - Brandyn Murtagh
Nice, right? Nice. Yeah, he is. His brain needs to be preserved and studied. It's just like one of those things. Crazy, crazy content continuously as well.
[00:35:36.98] - Justin Gardner
I'm with you. I'm with you. Definitely PortSwigger Research. They've got some amazing stuff coming out.
[00:35:41.78] - Brandyn Murtagh
They do. On that note, Huli, he's had a lot of love on the pod. They, I should say, on the pod before, is back with some more research which will help you digest some of that Gareth Heyes magic. Really, really good write up. Good blog. And what I love about this and really warms the heart upon opening: if you have any thoughts on my blog and articles you want to let me know, you can either post a comment or tell me via this feedback form. They are actively looking for feedback from the community. Is that not like such a nice thing?
[00:36:18.46] - Justin Gardner
Has a feedback form on their free blog?
[00:36:21.17] - Brandyn Murtagh
Dude, that's just crazy. That is so nice of them.
[00:36:25.57] - Justin Gardner
That is such a commitment to quality.
[00:36:27.42] - Brandyn Murtagh
Yeah, yeah, so good. Anyway, the actual blog itself does a really nice job of breaking down some of these more exotic payloads that you might see and exactly how some of these tag template literals work.
[00:36:42.21] - Justin Gardner
Yeah, yeah, exactly. Just like we were talking about just a second ago.
[00:36:45.05] - Brandyn Murtagh
Exactly why they work and some of the context that would be useful for them to actually work, in. Which I thought was really good. I know again, we've mentioned so much of their research on the blog before, but I really, really like the way they break down every single subject, give you every single topic and give you some of the applicable use cases as well. Just a really nice writing style which I've grown an appreciation for since the hacker notes, I must admit.
[00:37:12.17] - Justin Gardner
Yeah, well, dude, I mean I love this one that you've got on the screen right here which is, you know, onerror equals eval and then throw equals alert one. Like that's so fun. Like just being able to use those error handlers and then the throw keyword. It really allows you to get around some character restrictions.
[00:37:31.34] - Brandyn Murtagh
Yeah, it's like using your error message as a payload but then they just keep breaking down these payloads and how you can further eliminate syntaxes that might be giving you a problem. Really nice. Useful if you have. If you're being blocked by a WAF, for example. Very useful if you're not as comfortable with client-side stuff like me. Like, this is the perfect content and it probably builds upon some of Gareth Heyes's content in this JavaScript for Hackers book, which I have committed to myself to read end to end. I always get part of the way through and I'm like, this is some heavy stuff and never commit to it. I will commit to it. I will do it.
[00:38:12.05] - Justin Gardner
Yeah, that is definitely one of the seminal works in making you a good client side hacker 100%.
[00:38:20.05] - Brandyn Murtagh
And then the thing I did want to give a shout out is they give the MOTHER payload at the end. This absolute. I want to call it a monstrosity, but it isn't. It's like art. Just look at that. And it only works in Chrome. And again, such a good job of breaking it down exactly how it's working.
[00:38:39.98] - Justin Gardner
And yeah, they've got. This is without quotes. It looks like. Wow. Yeah, yeah, They've abstracted away the quotes with decimal representation of strings and then forcing a conversion with a. Looks like with a regex there. That's pretty sick, bro.
[00:38:59.34] - Brandyn Murtagh
Honestly, it's just insane. So hats off to them because every piece of content they put out is just so in depth. So in the weeds. And overall, really good read. And then they give you a few key points at the end. Commas can chain multiple expressions, returning the last one. Replacing the onerror with eval allows you to execute the error message's code. Errors thrown will become part of the error message and as long as you can turn the error message into valid code, you succeed. Succeeded.
[00:39:28.86] - Justin Gardner
Dude, that. I love that. Those four at the end there, that's. That's really good. Okay, I'm gonna say them again. Commas can chain multiple expressions, returning the last one. That's pivotal because you often will want to control the return value while getting something done. Right. Replacing onerror with eval allows you to execute the error message's code. That's a really good one. Errors thrown will be a part of the error message itself. So converting the error message into valid code and then as long as you can do that, you are avoiding syntax errors in getting your. Your payload through.
[00:40:02.80] - Brandyn Murtagh
Yeah, dude, I feel like you should get that as like a tattoo, like the quote on your arm for being a client-side.
[00:40:11.11] - Justin Gardner
That's beautiful, man. You know syntax or character set, restricted environments. This is like the new go to.
[00:40:22.25] - Brandyn Murtagh
Yeah. And they give you a lot of that context throughout the blog post as well. I can't see where it is, but exactly where it would be useful might be useful. So worth the read for you guys which aren't as handy on the client side as like me really.
[00:40:39.44] - Justin Gardner
Yeah, good, good stuff man. Pivoting a little bit from. Well actually you know what, tell you what, we'll. We'll stick with the client side stuff for just a second longer and I'm not going to spend too much time and dwell on this one because it's not strictly relevant to hacking. But there is an amazing, amazing write up here of Google's SafeContentFrame and if you are at all interested, if any of the listeners here, I know a lot of you guys have AppSec jobs, if your requirements for your company require you to render an arbitrary HTML file, that is very hard to do in a safe way and preserve isolation of code, isolation of your domain, because we can set cookies to the top level domain. Very difficult problem to solve. I have spent a lot of time trying to crack SafeContentFrame that Google has produced to fix this problem. And it's bulletproof, man. Like it is really bulletproof. And so if you're interested in understanding how exactly all that works, you can see how it works here. They combine an isolated domain and a public suffix list registration with delivery via iframe that checks event source and blobs. And this is the key part right here, the hashing of the content and the parent origin to create a unique subdomain of these domains which makes it impossible for you to even like, you can't affect the code because the parent origin changes and if the code changes at all inside of it then it changes the hash. So it's like this is painful but really, really well done by the Google team. And this is I think the go-to solution if you have to render untrusted HTML inside of your app.
[00:42:38.32] - Brandyn Murtagh
Is this a new thing or has this been around for a while and they've just improved upon it?
[00:42:43.36] - Justin Gardner
It's, it's been around for a while. This is the first write up I've seen that like fully explains it from the engineering side, but there have been a lot of CTFs run on it because the Google team is like, hey, hack this, you know. And yeah, it's pretty freaking bulletproof and I know that terjanq, who was mentioned in the last article you, you had up, was one of the main engineers for this and it's just, it's freaking good, dude. It's really, really good.
[00:43:10.90] - Brandyn Murtagh
Well, have the client side guys got their hands on it? Jorian and Co on the channel? I'm sure they have, yeah.
[00:43:16.38] - Justin Gardner
Yeah. I mean, I, I, we've talked about it before and I mean, it's just, there's just not much. There's like, it painfully uses the right structure. I mean, that hashing that creates the unique domain and, you know, having the public suffix list, there's nothing you can do like that just completely isolates everything.
[00:43:40.36] - Brandyn Murtagh
One of those normal ones. Will it pain you as much as the COOP headers did?
[00:43:45.80] - Justin Gardner
I don't know, man. COOP is the worst. COOP is like really a pain in my butt. The thing is, even, even if you can get a frame reference to this thing, dude. Which is a problem in and of itself. Yeah. There's just nothing. There's no attack surface. So, yeah, yeah, I, I spent so much time, I was like, you know what, guys, I'm gonna, I'm gonna assess this. terjanq was over there laughing like, all right, bro, like, take a stab at it. I'm like, nothing. Yeah. Oh, man.
[00:44:15.11] - Brandyn Murtagh
Yeah.
[00:44:15.92] - Justin Gardner
Actually, I will say I did find a problem with the implementation of it somewhere though, in Google's infrastructure.
[00:44:22.86] - Brandyn Murtagh
Well, that's something.
[00:44:24.05] - Justin Gardner
Yeah. There's nothing wrong with this itself, but the way that they took this and implemented it was not spec. And so I was able to use something there.
[00:44:32.69] - Brandyn Murtagh
Oh, there you go. You're fine then. Good stuff. I think the next one I'd want to jump in on is a very, very good write up on Microsoft Entra. Let me just share my screen. And there's a reason why I did want to cover it, because the depth that this thing goes into is just insane.
[00:44:57.36] - Justin Gardner
And yeah, one token to rule them all. Obtaining global admin in every Entra ID tenant via actor tokens.
[00:45:06.63] - Brandyn Murtagh
Honestly, the reason I wanted to cover this is because we've used the term megacrit on the pod before. And this is literally an unstoppable, unstoppable megacrit that they could have done nothing about because there's no detection for it. So if people aren't familiar, Microsoft Entra is essentially Azure AD, but the newer version rehashed, and it's pretty much their cloud identity service. So it can be quite the target for a lot of red team assessments. And the whole crux of the problem is essentially you have. I'll dive into the impact in a minute. I just want to give some context. You have these things called actor tokens, which are used by some services to essentially imitate a user or service and do so with God-like permissions in the sense that you can use the service but not actually be the user that initiated it. So it also uses the Microsoft Graph API and Azure AD Graph API, which is somewhat applicable to bug bounty because bug bounty programs are run on both of them as well. And this is the sort of content that will help you attack those APIs perfectly. So the overview of the actor tokens is that they were essentially tokens issued by the Access Control Service. And this guy didn't know what this service was, but he guessed that it was a legacy thing used by SharePoint applications. And if you've ever had an encounter with SharePoint, you know, it's. It's pretty awful. It's pretty bad.
[00:46:50.44] - Justin Gardner
Always, always a bad time.
[00:46:51.96] - Brandyn Murtagh
Exactly.
[00:46:52.67] - Justin Gardner
I was a SharePoint admin for. That was my first like real job in IT, was being a SharePoint admin, and I did not stay in that job very long.
[00:47:01.07] - Brandyn Murtagh
Yeah, no wonder you went to bug bounty so quickly, mate. Exactly, dude, that's tough. Anyway, the whole way this finding came about is that he was examining an Exchange flow. And in this Exchange flow, in a hybrid setup, essentially Exchange would request an actor token when it wants to communicate with another service. Now, as I said earlier, the actor token allows it to imitate that service or user that it's using. And this is the overview of the token for listeners. It is a JWT, but a lot of the claims are GUIDs, so they look like absolute nonsense. And unless you were really deeply rooted into the ecosystem, you probably wouldn't have any idea what any of these crypto correspond to. But luckily this guy is so far embedded into this ecosystem he knew everything.
[00:48:00.76] - Justin Gardner
Love to see it, man, love to see that depth.
[00:48:03.07] - Brandyn Murtagh
This is why I had to give this a shout out because so many good pieces of information in this and the breakdown and essentially the audience and all the claims GUIDs for what you're requesting. And the main thing here which is actually readable is the trusted for delegation value, which is true. And that is what allows the actor token to be an actor token. Now in the next part of the flow of this Exchange functionality he was looking at, Exchange would embed the token that we just covered into an unsigned JWT which is then sent to the resource provider, which was Azure Graph. Now essentially they've taken a wraps token which was signed and then placed it in a completely unwrapped. Sorry, unsigned JWT. My bad. But they are using values from the unsigned JWT to make assumptions or decisions based on the authentication of that user. Now, don't know why they've done that, but we'll carry on.
[00:49:12.15] - Justin Gardner
Why did they do that? The world will never know.
[00:49:14.15] - Brandyn Murtagh
Yeah, why they've done that, who knows? Now, in the unsigned JWT, you have a name ID which originates from the Azure AD Graph API. And more importantly, you have the. Where is it? The UPN. No, that one doesn't matter now. Now, these impersonation tokens, especially all these claims, specify the service you want to impersonate, and none of them are signed. So once Exchange has that token, it can use it to impersonate anyone against the target service it requested for 24 hours, by the way. Now, this is hilarious because, and this is taken directly from the blog, it lacks almost every security control you would want. There's no logs when the apps.
[00:50:09.09] - Justin Gardner
Don't skip the line before that. In my personal opinion, this whole actor token design is something that should never have existed. Go ahead.
[00:50:16.76] - Brandyn Murtagh
It lacks almost every security control you'd want. There's no logs when actor tokens are issued. Since services can craft unsigned impersonation tokens without talking to Entra, there are no logs when they are created or used. They cannot be revoked. They completely bypass any restrictions configured in conditional access, and we have to rely on logging from the resource provider. Now, this is just absolutely insane that these sort of things are kicking about in the ecosystem. And this next screenshot really sums it up. So you have the signed actor token, but then the unsigned JWT is what's actually being used for some of the impersonation, and that is unsigned, which you can just put whatever in, send it off, providing you have that signed actor token.
[00:51:06.51] - Justin Gardner
Wow. Okay. So, yeah, that's really weird. It looks like we're, for the audio listeners, we're looking at the breakdown of a JWT. So you see the header right in the close parentheses, and then you're looking at the body and you see inside of that JWT a field called actor token, which contains a signed JWT. But then you also see, following that, a bunch of fields that you would expect to see in the. In the JWT, aud, iss, et cetera, and these. This is an unsigned token. And then I guess it's using those values from the unsigned JWT rather than the signed JWT inside of the unsigned JWT. Am I representing that right?
[00:51:44.94] - Brandyn Murtagh
Yeah, exactly that. So you've got two different checks being performed. You've got the first check which actually gives you the actor token to make sure it's valid and you're requesting something valid, but then they go ahead and wrap that in an unsigned JWT and make assumptions based off of what you want to assume on the unsigned JWT.
[00:52:05.13] - Justin Gardner
Okay, Brandyn, let me ask you this here. I'm sorry to interrupt because I know this is a complex bug, but I think what might be a good global takeaway here for us is that if we see a JWT that contains another JWT, look at the fields that are shared between the two, because I could totally see how this would happen. Right. Essentially they are looking at the top level JWT instead of the embedded one and all they needed to maybe to fix their code even was, scroll up a little bit. What's the name of that? Yeah, actortoken aud. Right. Rather than aud. If there's any embed and then overlap in the body of those JWT tokens, that could be a really good area for us to test.
[00:52:49.86] - Brandyn Murtagh
Absolutely. And I feel like as well, this blog for me summarizes perfectly when you're looking at a target with so many interconnected and interacting services that depends on another service to perform its authentication, for example, and completely trust that that is the absolute truth. There's so much gold in that, man. Especially when you have two different APIs kicking around. Like one of these APIs is actually only there and being phased out and it's there for backwards compatibility issues and there's been so many bugs come off the back of it. And yeah, like the whole write up, very, very good. It covers the practical abuse, this exact impact. It could basically use a token from its own tenant to go cross-tenant and impersonate anyone using publicly available IDs, which aren't, even though they are GUIDs, in some instances they're not secret, you can retrieve them. And if you've ever looked at any of the Azure or Microsoft bug bounty program, you will know that there are so many ways to disclose some of this information. I know quite a few hunters on that.
[00:53:57.80] - Justin Gardner
Okay, find the net ID of a regular user, craft the impersonation, use that impersonation to list all global admins on the tenant and get their net ID and then impersonate those and then do whatever the heck you want. That's nasty, man. That's super nasty. Crazy.
[00:54:13.13] - Brandyn Murtagh
And if you are thinking about attacking some of these services, start off with this blog because it gives you exactly where and how to find some of these net IDs and even some of the impacts of the threat model when you are looking at cross-tenant into tenant and also abusing the actual APIs. And we could talk about this write up for about an hour. So I will try and wrap it up because there is so much content packed into here. But the last thing I did want to cover, they've got detections and everything like that, is this last bit here, the very last part of the blog. I do not have access to any tenants in a national cloud deployment, so I was not able to test whether the vulnerability existed there. Since national cloud deployments use their own token signing keys, it's unlikely that it would have been possible to execute this attack from a tenant in the public cloud to one of these national clouds. I do consider it likely that this attack would have worked across tenants in the same national cloud deployment. That level of understanding and expertise on a service is like master level. And whenever this person now brings out a blog or any content about Entra, Azure Graph or, or anything related, I will trust them absolutely. Because you don't get this, this sort of information just by playing around with these things. You spend a serious amount of time to understand that.
[00:55:31.07] - Justin Gardner
Yeah, dude, I'm gonna just click on their X directly from this article and yeah, dang it, I'm not following them. I've been missing out. I'm gonna turn on notifications. That's pretty sick.
[00:55:41.96] - Brandyn Murtagh
Yeah, so good man, so good.
[00:55:44.59] - Justin Gardner
I love that you read that little, little line. This is like a grayed out line at the very bottom in the like sub notes as well, Brandyn. At the bottom. So props to you for, for being very thorough in your assessment of this write up. And I think that also is a, is a vote of confidence, you know, to hear this researcher say that. For me, in, in sort of nation segmented cloud environments, right, where you know, you'll have like, you know, US government AWS or whatever or you know, that sort of thing sort of segmented off. I was like, yeah, in the past I've been like, okay, that might be a little bit overboard, you know, bureaucracy saying okay, everything's gotta be segmented. But it's cool to see that such an impactful vulnerability like this actually, you know, it was limited by that sort of nation based cloud segmentation, if I'm understanding what he's saying correctly.
[00:56:34.40] - Brandyn Murtagh
Yeah, yeah, absolutely. And I feel like it sums up perfectly. Once you have so much context on some of these services, you can really dig deep into the threat model to the extent that you can understand whether deployment locations and these more segregated environments would be affected by knowing that they use their own token signing keys like Honestly, hats off to this guy. It's very commendable the depth and level of research that they've done on this one. Very, very good.
[00:57:03.46] - Justin Gardner
Totally, man, totally. That's dirkjanm.io, so definitely check that out if you guys want to add that to like your RSS list or whatever. Next up, a little bit lighter, we've got FlareProx. FireProx is actually one of the tools I use very often, despite that episode with Ryan from, you know, Akamai saying like, hey Justin, that's illegal, don't do that. That breaks the terms and, and services or whatever. So anyway, if you're looking to not do that, then do it through Cloudflare instead with FlareProx and get, you know, essentially for those of you that are familiar with it, essentially, this abuses sort of ephemeral cloud environments like Workers and I guess like API Gateway in the AWS one to get you new IPs for every single request. So if you're dealing with a strong amount of rate limiting and you really need to fuzz, then you're going to want to use FireProx or FlareProx to do that. And that is, this one has popped up that uses the Cloudflare IP space to avoid detections and blocks and the code looks pretty solid. I mean, I will say one thing that's a little bit weird with this. I know that FireProx gives you a unique domain for each host that you want to fuzz. It looks like this one actually just allows you to specify a url= in your query parameter of your target. Right. So it's like this one, there might be some weird encoding stuff with that or some weird gotchas there, so I would keep an eye out for that. And it certainly, I mean, it looks like it's passing through all your PUT and POST and all that sort of thing, but it does allow you to be a little bit more flexible as you can keep that Worker up and use it to scan multiple different hosts if you want.
[00:59:07.34] - Brandyn Murtagh
Yeah, more importantly, absolutely, do not host that on a very guessable domain or something you use a lot. Because if that's url= and it accepts anything, I'll dig into the code later. But that's ripe for abuse, so be careful on that front as well.
[00:59:23.92] - Justin Gardner
Yeah, I think this sort of a spin up, spin down as you do thing, but that's true. If you forget to spin it down, that could be. You could be paying for a lot of people's brute forces out there.
[00:59:36.25] - Brandyn Murtagh
Yeah, I feel like as well, now we're starting to get to the point where a lot of these ecosystems, like when FireProx got released, right, AWS was really, I think, off the top of my head, one of the only ecosystems that supported it, with the API gateways. We're now seeing a lot of other providers mature up into the point that they have like a competitor service offering. So now you've got these tools coming out and when you combine it with Assetnote's Newtowner, you go, right, okay, I'm accessible from Cloudflare's IP range or I'm accessible from AWS. I've got that test sorted. Let's just spin one up here and you can have a lot of fun with that, I think. So it's quite nice to see how it's all playing out over time now that we're just bypassing all these silly defenses that people are putting out there.
[01:00:18.46] - Justin Gardner
Yeah, and I mean there's definitely a little gray area with the agreements or terms of services with these, but hackers are going to hack, so we'll get our accounts banned.
[01:00:27.94] - Brandyn Murtagh
But yeah, and when that came up on the episode, I was like, okay, I guess you have to say that as an employee, but come on, man, I'm motivated. Attacker will not give an absolute hell about that.
[01:00:41.86] - Justin Gardner
Yeah, and that's what I told him too. I was like, look, man, we're all on the same side here, you know, like, as much as it feels like maybe sometimes we aren't, we are. You know, so, yeah, I think I, yeah, I agree.
[01:00:53.30] - Brandyn Murtagh
No, 100%. How are we doing on time? Are we okay?
[01:00:56.51] - Justin Gardner
Yeah, we're good. Let me, Let me just. I'll. I'll do this next one real quick and then we'll, we'll wrap it. That cool?
[01:01:03.00] - Brandyn Murtagh
Sure.
[01:01:03.55] - Justin Gardner
Okay, so just wanted to give a shout out because it, who is an excellent hacker, did a write up recently on Caido 101 and if you read his blog, which I do, and all of you guys should as well, he credits his shift to Caido, I think, with a lot of growth for him as a hacker, as somebody who was, you know, previously up and coming in the space and I think now is pretty confirmed top tier hacker. And so he was talking about his shift to Caido and he wrote this Caido 101, how to master it, write up and he breaks down, coming from Burp, some friction points you might see, CLI vs desktop, breaks down all the various sections of the Caido application, understanding concepts like HTTPQL, workflows, plugins, et cetera. So if any of you guys are looking to take the deep dive on Caido and are looking to be led to the light, so to speak, I'm looking at you, Brandyn, then this could be a good read for you guys to kind of understand exactly how to do that.
[01:02:12.26] - Brandyn Murtagh
Nice. Yeah. These sorts of resources, I feel like when you're very much stuck in your ways like I have been, in Burp forever, those are the sorts of resources you want to find just to understand the capabilities, what you can do. And on that note, the Caido scope, I messaged you about it during that event. But man, please can that get changed really fast?
[01:02:34.61] - Justin Gardner
So Caido has a public issue tracker and you can go to the roadmap and one of the items on the roadmap right now is to try to adjust the scope to be a little bit more compatible with hacker expectations.
[01:02:47.13] - Brandyn Murtagh
Oh man. I will fund my hard-earned British pound coins to get that implemented into the tool if I have to. I need it because it was giving me a few problems in this event, I guess because of the current transition over.
[01:03:01.30] - Justin Gardner
Yeah, man, to be honest, I get it, but I use filters and it just works. That's what I use and it works fine. So it is a little bit of a friction point. It's definitely not as intuitive, but there is a solution. You know, you can do path-based filtering and very granular filtering on what you want to see in HTTP history using filters rather than scope.
[01:03:23.23] - Brandyn Murtagh
But that right there is the key. What you just said, you can use HTTP filters. Now there's a lot of extensions which solely rely on the scope. So your extension is absolutely hammered with everything. I was seeing this mismatch because I did have a filter on, but then my extension was going haywire and I was thinking, what is going on? And it's because it uses the scope, so in scope.
[01:03:44.92] - Justin Gardner
Yeah, interesting. All right, good, good feedback, man. I'll bring that to the team right after this episode.
[01:03:49.15] - Brandyn Murtagh
Awesome. I'll fund it as well to get pushed out if you want.
[01:03:51.92] - Justin Gardner
I'll let them know. Thanks, man. All right, that's a wrap. That's the pod. Peace. And that's a wrap on this episode of Critical Thinking. Thanks so much for watching to the end, y'all. If you want more Critical Thinking content or if you want to support the show, head over to the CTBB Show Discord. You can hop in the community. There's lots of great high-level hacking discussion happening there on top of masterclasses, hack-alongs, exclusive content and a full-time Hunters Guild. If you're a full-time hunter, it's a great time. Trust me. I'll see you there.
