Episode 149: DEFCON Debrief: AI Vulns, Unicode Weirdness, and Wild Vulnerability Chains
Episode 149: In this episode of Critical Thinking - Bug Bounty Podcast The DEFCON videos are up, and Justin and Joseph talk through some of their favorites.
Follow us on X
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
====== Resources ======
Breaking into thousands of cloud based VPNs with 1 bug
Examining Access Control Vulnerabilities in GraphQL
Bypassing Intent Destination Checks
Gemini Agents in Google Calendar
Exploitation of DOM Clobbering Vuln at Scale
====== Timestamps ======
(00:00:00) Introduction
(00:10:10) Prompt. Scan. Exploit
(00:23:52) Breaking into thousands of cloud based VPNs with 1 bug
(00:33:25) Access Control Vulns in GraphQL, Smart Bus Hacking, & Passkeys Pwned
(00:44:10) Bypassing Intent Destination Checks & Invoking Gemini Agents
(00:57:08) DOM Clobbering, Mac PRT Cookie Theft, & Smart Devices, Dumb Resets
Title: Transcript - Thu, 20 Nov 2025 14:36:42 GMT
Date: Thu, 20 Nov 2025 14:36:42 GMT, Duration: [01:02:34.47]
[00:00:01.04] - Justin Gardner
Summarize my day, summarize my week. What are my calendar events like that phrase. Exactly. And that is a better PoC if you compare that versus the user saying hello, hi, whatever.
[00:00:12.32] - Justin Gardner
You know what I mean? That is such a good call out, rez0. It is a really good call out.
[00:00:21.19] - Joseph Thacker
Best part of hacking when you can just, you know, critical things. Yeah.
[00:00:40.71] - Justin Gardner
All right, hackers, look, we got a lot. I don't know if you guys know this, but there's a lot more to CTBB than just the podcast. Okay, I'm just going to list a couple things you guys might be interested in real quick. Okay, we got the Discord. That's where a lot of awesome conversations are happening. This cool research channel in particular is amazing. On the Discord, we've got the full time Hunters Guild. For those of you making over 100k a year in Bug Bounty. If you're looking to be around other elite hackers, that's the place to do it. We've got the Critical Thinkers tier on the Discord. That's where we, that's like our inner circle. That's where we share all of our scripts, do exclusive AMAs, masterclasses, that sort of thing. And we've got the research lab over at Lab CTBB show where if you've got a piece of research you'd like to submit, you can submit it there and we may take it hosted on the blog and cover it on the pod for you. Also underappreciated, but we also have the swag store guys. So hit the swag link over at CTBB show and you guys can buy some cool T shirts with critical thinking, you know, slogan and stuff like that on it. All right, with that, let's go back to the show, check out some of those things. All right, we're going to go back to the show, but check out those things for me. All right, let's go. All right. Sup hackers? Welcome to the This Week in Bug Bounty segment. We got a couple of news items that did not make it into the episode that I wanted to make sure got in front of you guys. The first one warms the heart. It is our boy Roni Carta, Lupin, who was featured in a HackerOne blog by Maggie Miller. So definitely go check this out if you want to hear more about Roni's story. If you guys have been listening to the pod, you probably know a good amount about Roni's story. But Depi, his supply chain product, is amazing. One of the best supply chain products out there. Really doing a lot of unique research in that arena as well.
So if you want to learn more, you can check out the link. We'll put it in the description. It's on the HackerOne blog under Roni Carta Bug Bounty. Next, Caido actually released a new plugin called Auth Swap. This is by bevix. And this one, I just wanted to show you guys this for those of you that are watching on YouTube. It's just a really awesome plugin that allows you to swap your sessions super easily. So you define these user profiles. You say, okay, set this cookie for this user, set this cookie for that user, right? And then it just puts these buttons in your replay where you've got User A, User B and you can just press them and it applies that transformation to your open replay request, right? So it makes it really easy for you to swap sessions and go after those auth vulnerabilities which are just everywhere. We're releasing a lot of stuff like this with Caido right now. We've got like I know some, some people have been doing Authlify. There's Authorizers, Auth Matrix, there's Auth Swap. So there's a lot of auth based plugins for whatever you are going after in Caido. And we've also got some Shift stuff coming there too. So be on the lookout there. But this is a very manual approach, right? And I know that aligns with some of the bug bounty hunters that really like to do everything themselves to ensure full coverage. So check out Auth Swap if you're interested in that. Okay, last is something a little interesting I wanted to tell you guys about: Takumi, okay? Takumi is GMO Flatt Security's continuous source code review AI. Okay? So there are a lot of people building AI products right now. But I know, I know the guys that are building this and I know that Takumi is amazing, okay? The way that it's implemented, it does an excellent job and it's very affordable. If you go to the website, Flatt Tech Takumi, T A K U M I, then you can check it out. It's very affordable. It's free for open source products, right?
0 yen per month and the basic plan is 7 man, which is 70,000 yen, which is about $450 USD. And this contains, I think what it says here is that it contains about one month's worth of credits where you can do source code review, okay? Using the AI. Very good stuff. Very good results out of here from what I've seen under the hood. Wanted to make you guys aware of that. This is, like, really the S tier stuff in Japan. So if you're wanting to try to understand, you know, take advantage of what. What companies are ahead in other markets, then you should definitely check out Takumi, because they are ahead, in my opinion. All right, that's all I had for this week. Let's get back to the show. All right, man, I feel like I gotta be real with the audience on this one, like, right before. I'm, like, squeezing this little stressful thing so hard right now, because right before we got on the air, I have been fighting with a CSS issue in this plugin that I'm coding for, like, an hour, an hour and a half, and I just.
[00:05:16.02] - Joseph Thacker
It's totally not even worth your time.
[00:05:18.38] - Justin Gardner
I'm about to lose it, dude. CSS. I freaking love CSS, but I hate CSS, dude. I really do.
[00:05:26.31] - Joseph Thacker
Why is it so complicated? It feels like it's like a stack of layered complexity on top of a million other things. And I know you specifically are complaining about Tailwind as, like, another.
[00:05:35.75] - Justin Gardner
You know, I love. I love the kind of team. I love them. I love them to death, but they. They're on this whole Tailwind kick, and I just can't get behind it, and I just don't like the added complexity of, like, classes and. Oh, did it. Did it, like, generate the correct class? I don't know. There's just. There's all sorts of stuff with it.
[00:05:55.73] - Joseph Thacker
But has Jan given you his bull case for it?
[00:05:58.76] - Justin Gardner
He has, he has, and he's right, of course, you know, but. But for me, like, I. I, you know, I'm just a simple hacker, you know, man. I'm not a dev, you know, I just. All I want to do is just, like, pop open dev panels, tweak it to how I want it to look, copy the CSS, put it in there, you know, like, put it in inline screen, like, whatever. But, yeah, okay. All right. Just breathing. Just breathing through this.
[00:06:25.48] - Joseph Thacker
So what you're actually saying for the listener is if they hear any rage behind your voice about anything, it's not intended at the content.
[00:06:31.63] - Justin Gardner
It's just.
[00:06:32.12] - Joseph Thacker
You've got this.
[00:06:32.68] - Justin Gardner
It's Ian's fault is what it is.
[00:06:34.07] - Joseph Thacker
Yeah, it's Ian's fault.
[00:06:35.07] - Justin Gardner
Yeah. No. All right, dude, let's get to it. Well, actually, okay, before we jump into the DEF CON fun, I do want to talk to the listeners about a new research piece that popped up through the lab. So let me go ahead and get that up. I thought I had it up before, but I don't. But this is just a cool. Once again, we are trying to incentivize people with the research lab to do little micro blogs with cool, you know, two paragraph. This one's a little longer, but the TLDR is pretty short. Like, hey, this is what I found. This is how it worked. Maybe you can use this little gadget. Right. I just think that's so valuable.
[00:07:16.16] - Joseph Thacker
Super valuable.
[00:07:16.72] - Justin Gardner
Yeah. And so this one was awesome. This one was actually relating to Unicode surrogates and how I didn't really think about how they would affect the specific databases and them being converted via Unicode normalization or not knowing how to represent these things into the question mark character. Right. So here's the. Here's the write up right here. And the TLDR of it is, you know, there are some scenarios in which these Unicode surrogates in particular, you know, other Unicodes may not. But these surrogates that are often used in emojis will get normalized into a question mark character. And the question mark character. Obviously we know. You know, I thought about it in the context of URLs. Okay. You know, it's going to truncate the URL, whatever.
[00:08:05.52] - Joseph Thacker
That's basically like two separate conversions. Like one thing is falling back into a question mark like character and then it's being translated to the question mark later.
[00:08:16.07] - Justin Gardner
I'm not sure. That's a great point. It could be like that conversion between Unicode into the Unicode question mark and then the Unicode question mark into the actual normal question mark.
[00:08:26.80] - Joseph Thacker
That's how I understood.
[00:08:27.92] - Justin Gardner
Yeah, yeah, it certainly could be. But however it worked out, it panned out. This character and other Unicode characters, this specific one is Unicode code point U+DC2A, was being converted into a question mark, and that question mark was then being converted into a wildcard character in Solr or Elasticsearch. He's not sure which one because of the situation, but he looked into it and found two databases that use it as a wildcard character. So that is clutch. And I totally didn't think about it in like the. The SQL or like the database perspective. Right. Versus like the URL query parameter perspective.
[00:09:11.92] - Joseph Thacker
Yeah. So is this basically like when you're fuzzing, like when you're looking for interesting things and you're looking for characters that might bypass specific like parsing or things like that. People just need to be aware of potentially testing for surrogate pairs.
[00:09:26.04] - Justin Gardner
Yeah, exactly. And seeing if those are normalizing into question marks and whether those question marks, the big thing for me is that. Oh, of course, those question marks can. Can be converted into, you know, wildcard characters. That was. That was the big thing because I knew, you know, I know Unicode normalization sometimes through the pipes or whatever ends up with a. With a question mark at some point. Right. But specifically, this surrogate is. It does this and then results in a question mark which can be used as a wildcard in a database. Wasn't something I'd really, really thought through.
[00:09:57.88] - Joseph Thacker
Yeah, I feel like it always gets normalized to the question mark inside the little square icon. So I bet then that's getting converted to a real question mark, which is being interpreted as the wildcard.
[00:10:06.28] - Justin Gardner
And if it. Even if it wasn't in his scenario, I'm sure that does exist. That scenario does exist. So. Yeah. All right, dude. So for this episode, we kind of went back through a bunch of different DEF CON videos that. That finally got posted, and we finally got around to actually watching them and tried to pull out some juicy goodness for you guys. Listener. I've got. Let's see, 1, 2, 3, 4, 5. Five talks that I can talk about. I don't know how many you grabbed.
[00:10:36.11] - Joseph Thacker
But I've got 1, 2, 3, 4, 5. But mine's more like 3 and then like, 2 that are so deeply technical on things that I'm not an expert in, but I still pulled out some, like, things that I thought were worth mentioning.
[00:10:49.54] - Justin Gardner
Yeah, dude. And then you've got, like, some mega list over here as well.
[00:10:52.90] - Joseph Thacker
Oh, I just put the whole list of the bug Bounty Village talks in case we wanted to, like, comment on those. I mean, obviously, so many people that we know well, and so I didn't know if there were any of these that you had heard good things about, had heard mentioned. So, yeah, put the full list in here.
[00:11:05.88] - Justin Gardner
Dude, I was. I was a little salty to not be able to make it to a lot of the talks this year. Like, I. I had to, like, in and out DEFCON this year. And do you know if those were.
[00:11:15.09] - Joseph Thacker
Recorded or if they'll be put up anywhere? I feel like I heard or something.
[00:11:19.21] - Justin Gardner
Sort of recorded, I think. So I'm. I. I messaged Harley, and I'm trying to get, like, you know, I'm trying to see if he'll just give me the recording so that I can, you know, condense some of the information down. But, yeah, I think they'll be up eventually, I think. Okay, but let's dive into it. The first one that I. Okay, well, first, we can't talk about DEF CON talks without mentioning the HTTP/1.1 Must Die talk from James Kettle and the PortSwigger research team. We're not going to talk about that because we did a whole episode on that already. So go listen to that episode if you, if you haven't already. The one that I wanted to start off with is actually Prompt. Scan. Exploit: AI's Journey Through Zero Days by the XBOW team. And this one was interesting because they didn't actually get to give the talk at DEF CON. They had to record it afterwards and post it on the website. So this video I think only has like a thousand something views.
[00:12:14.82] - Joseph Thacker
Very few people are bleeding. I haven't seen it. I need to go watch it.
[00:12:18.65] - Justin Gardner
It's, it's good man. There's a lot of good content in there. So let me, let me pick out a couple of the things. You should definitely go watch it yourself. But let me pick out a couple of the key points for me. So the first one is they kind of, you know, about halfway through the talk, you know, they cover all like the, how XBOW works and like the output things that they do. The blog posts off of, they covered those. But then later on they covered the challenges that they faced while building XBOW that bug bounty hunters should be aware of if they're building their own AI systems, which I happen to be doing right now. So I was like, oh, this is very interesting. But the first challenge that they came up against was that they noted was AI costs are high versus traditional costs. But they really did map this out and we've seen this time and time again AI costs are going to continue to drop. We saw a 76% cut. What is this between Gemini Pro 1.5 at launch and. And Gemini 1.5 Pro in 2024 and half two of 2024. So and we're going to see and we saw another 86% drop after that. So like the costs are just continuing to just tank for these things.
[00:13:33.64] - Joseph Thacker
And so even if, like, let's say I do think a lot of people might be skeptical about that. There are many people I know, which I don't necessarily agree with, that think that the bubble is going to pop and that this is basically companies burning subsidiary investor funds, right? Like yeah, they're just trying to mass adopt users. But I think that what's really crazy and really cool is that so many of these models are like, they get distilled, they get reused, they get fine tuned, they like. It seems like even when like, let's say even if the latest and greatest models went up in price, which I don't actually know that I believe they will. The previous models, which are just still insanely good, like Gemini 2.0 Flash. And like, even, even this. It's like in this screenshot, it's 1.5, right? They're already at 2.5. And I think three just recently came out or is at least in testing already on like some of the battle arena sites. And so I think, like, even if price, the prices don't like, stay low forever, these older models are still really capable for things like this.
[00:14:28.45] - Justin Gardner
Yeah, yeah. So essentially their takeaway here was like, don't worry about cost of AI right now.
[00:14:32.64] - Joseph Thacker
Exactly.
[00:14:33.09] - Justin Gardner
You know, just build it. And then eventually, you know, the older models are going to be so cheap, it's like, who gives a lily? You know? Exactly. And I do agree with that. And I also think models that are open source are also getting pretty good. And so then you kind of just have to pay for energy, which is not. Which. Which by the way, is not inconsequential. You know, like, like, it does cost money, real money, guys. Your energy bill will feel it if you're running like AI stuff constantly. I once was like calculating out. Oh, you know, I got this big server from the store, you know, and I was like, oh, I'm going to run it in my basement and kill my VPS costs. And I'm like calculating out. I'm like, oh, shit, this is going to cost me like $15 a month in electricity. I should just spin up a vps, you know.
[00:15:18.71] - Joseph Thacker
Exactly. Yep, exactly.
[00:15:20.78] - Justin Gardner
So, yeah, there are some gotchas there. Okay. Challenge three, skipping over a couple too many assets, right? They were saying, okay, this is a problem. We've got too many URLs, too many things to scan. So they did a couple of things. One, they, they used. They parse the scope EZPs. We're not going to talk about that. I'm going to talk about the two other things, scoring and deduplication. Okay. Scoring and deduplication. Scoring is essentially the way they approached identifying which targets are interesting. They created like this massive 80. It looked like 80 or so attribute list for these targets. It says, does it have GraphQL? Does it have forms? Does it have an API? Does it have a password reset? You know, those sort of things. Yes or no. And then it asked the AI those questions and rated each one of the hosts, Right? And then it would focus on the host that has the highest scoring rating.
[00:16:14.84] - Joseph Thacker
Like it's almost like a likelihood to be vulnerable. Type scoring.
[00:16:18.51] - Justin Gardner
Yeah.
[00:16:18.79] - Joseph Thacker
Like, if It's a, like if it's a plain hello world page with nothing on it, it would just rank it as zero because there's no functionality there.
[00:16:23.63] - Justin Gardner
Right? Yeah, yeah, exactly. And, and, and so, and you know, obviously there are situations where, oh, it's like, you know, there's some hidden path or whatever. But I mean this is, this is a good start. And I think that cut down about 45% of their targets. You know, they're able to focus more on the top, you know, 45%.
[00:16:41.12] - Joseph Thacker
Well, the reason why I love this, I've obviously talked to a lot of hackbot companies. The vast majority are not approaching hackbot in this way. Like the thing that I love about XBOW all the way since the beginning relative to other hackbot companies is like, it felt like they wanted to be a full black box. Like here you're given this bug bounty program, now go like attack it. Yeah, the majority of other companies, they just take input as URL and so they're not even worried about the problem of like which domain do I look at. So I think it's just kind of cool that they even wanted to solve this problem in the first place. Totally like that. It was a part of their desire was to actually decide which subdomains to look at.
[00:17:18.08] - Justin Gardner
It's a part of the bug bounty design, man. You know, it really is. You know, these guys are bringing a bunch of bug bounty automation experience into this whole thing, which is invaluable to XBOW, I'm sure. So the next one was deduplication. I think this one was interesting because we've, I've seen a bunch of people try to address this problem. Right. We've seen the top hackers, you know, in the automation world try to address this. Sometimes you do visual distance based off of screenshots, sometimes you do like DOM hashing. You part, you, you know, parse the DOM and you try to like you SimHash and like, you know, keep.
[00:17:49.30] - Joseph Thacker
Up the dynamic content. Exactly, yeah.
[00:17:51.78] - Justin Gardner
And you try to figure out what's dynamic and what's not. The one that they mentioned here that was very interesting was they used text content and embeddings.
[00:18:02.30] - Joseph Thacker
Yeah, really. And then created AI back into it.
[00:18:06.23] - Justin Gardner
Exactly. So I'm like, okay, this is a very interesting thing here. We're not necessarily going to be using AI here, but we are doing this embedding process. Right. Or we're not going to be using LLMs, like hey, take this and tell me what it is. But instead you are using some of the core technology behind it that allows you to take meaning and assign it to like a vector, you know, a series of numbers and then you know, use that to identify. Okay, you know, are these, you know, what is the cosine difference between this one and this one? And say, okay, wow, these are really similar. Like we should. These are probably dupes, right? So then you dedupe much more efficiently there based off of meaning, you know, versus off of like whatever visual display or, or you know, whatever hashing the techniques we have. So I just thought that was a really unique way of solving that problem.
[00:19:01.73] - Joseph Thacker
It's super cool. And my thing like immediately my brain jumps to. I want to see it in visual space. I want to see a three dimensional like node graph of. Oh, which I mean, I guess they actually do have that for image based already, don't they? But anyways, yeah, for vector based I feel like it's like actually the representation of really what you're, what the vectors are. You know, of course you're condensing down some sort of like 1 million dimension space down to like 3D. But it would be cool to see like little clusters of domains based on that.
[00:19:26.21] - Justin Gardner
Dude, that would be sick. That would be totally sick. I totally. That was not where my brain went at all. My brain was like, oh really? My brain was like great deduplication.
[00:19:35.49] - Joseph Thacker
Yeah, well anytime I think of vector space, that's how I visualize it. It's just like a big 3D space. And you know by vectorizing you're taking that content and you're putting it at a single point. And so whenever you say cosine, similarity, distance, I think, oh, those points are really close in that 3D space. And so what do I want to see for uniqueness for like anomalies is like what's not close to the other ones. So I imagine if you map it onto 3D space, you would see a whole bunch of domains that are all together and then you would see some like that are like kind of off on their own and it'd be cool to be able to just click those to go to them.
[00:20:04.96] - Justin Gardner
Yeah, that would be cool. That'd be super cool. Yeah, so yeah, I thought that was really unique. The next challenge that they represented was boundaries, you know, setting scope, staying and scope, that sort of thing. And they, one of the ways that they did this was they implemented dynamic DNS for this whole thing. So they're just not resolving some of the domains that are not in their scope. And I think that that is a good solution to solve it at the DNS level. You know, some of the LLM stuff can.
[00:20:31.53] - Joseph Thacker
It's going to break so many sites, though.
[00:20:33.09] - Justin Gardner
Yeah, yeah, it could. But I think you can also do some contextual awareness on it, right? Like, let's say it's loading a third party script or whatever. Um, and that third party script, you know, you need to respond with like, you know, you sandbag it to your server and respond it with like a 200 and an empty js file or something like that. You know, I feel like it's better.
[00:20:52.39] - Joseph Thacker
Just to like, not let it modify requests to sites that aren't in scope. Just still let it load or maybe.
[00:20:56.86] - Justin Gardner
Like let it load stuff but like, don't let it target it. Focus on.
[00:21:01.58] - Joseph Thacker
Exactly. Don't let it send requests to that.
[00:21:03.26] - Justin Gardner
Yeah, yeah, I thought that was interesting. And then. Oh. So challenge number seven, number eight was essentially this whole concept of how do we get the most out of the models? And what they were saying is they actually saw a really big increase in efficacy when switching back and forth between different models. Essentially, like every rotation of the agent, flip a coin, pick a model and just distribute it, going for this statistical approach. Because what'll happen is one model will get stuck and it'll get stuck and it'll rotate, it'll rotate, it'll rotate. But somewhere in that rotation, a different model's getting added in to the mix. And then that model will bring its own perspective and then that'll get handed back to the other model. And that's the breakthrough needed to continue going further. Right. So just like by subbing in and out different models, you get differences in approach and, and they said that that increased efficacy a lot, which I was kind of surprised because I feel like it would be kind of a scattered brained, like, oh, let me try this. Oh, let me try this. No, I'm gonna go this way. But really it seemed to. To work well from what they said.
[00:22:10.43] - Joseph Thacker
Yeah, I remember. I think we covered that on like a podcast episode a little bit ago when they kind of first published that paper. Or maybe when we were talking to Diego, we mentioned that. But. Yeah, I agree. I. I think that models today all feel so similar. They all are. Like, as long as you're getting ones in the same class. Right. Like, if you're comparing GPT-5 to Gemini 2.5 Pro to Claude 4 or whatever, it feels like they're all like kind of the same intelligence. But yeah, I mean, I guess that the internal structures are like very different. And so you're going to get like, different approaches, different attempts.
[00:22:35.68] - Justin Gardner
Yeah, yeah. And then the last thing that they mentioned was there are diminishing returns on number of rotations per vulnerability type. So you know what they're saying is, okay, you know, typically only on average, it's only going to take me eight times or whatever to get this XSS and then it produces diminishing returns. Right. So like for per vulnerability class, understand where the optimal point of ROI is on number of rotations versus output of valid vulnerabilities and then limit your agent to that to maximize like your, your output of vulnerabilities. Because instead you can allocate those computing resources to another endpoint which is going to produce more vulnerabilities.
[00:23:19.74] - Joseph Thacker
Yeah, it's so cool that you can basically gamify anything these days. Like you can create an evaluation. And so I'm sure that's what they did, right? They were like, oh, let's create an evaluation and, and figure out if it hasn't figured out by four steps, it's never going to figure it out. So just don't waste any cycles after that and just stop right at four steps, you know?
[00:23:34.08] - Justin Gardner
Yeah, yeah. Pretty solid. So overall, a really good talk. Definitely underrated. Uh, I'm going to link it in the description. You guys should check it out. Um, anybody who's even remotely thinking about using AI or integrating AI or creating an AI hacking product should check that out because there's a lot of lessons learned and they're sharing very freely. So. So, all right, you want to take the next one?
[00:23:56.46] - Joseph Thacker
Yes. And you had a different opinion on this one, so I think it's going to be kind of exciting for us to talk about it. Yeah, I even went back and like parsed through it before we recorded and I still, I think you're wrong. So here we'll talk about it.
[00:24:05.14] - Justin Gardner
All right, we'll debate it.
[00:24:07.33] - Joseph Thacker
So it's called Breaking into Thousands of Cloud Based VPNs with One Bug. And this is a talk by David Cash and Rich Warren. I'm sure these guys are legends outside of the bug bounty industry. I'm sure they're like amazing hackers. Um, I think that they're from the UK, but anyways, they basically found a bunch of bugs in Zscaler and Netskope. I think presumably it seemed like it was because they, they run into them so often on their pen tests and so they wanted to kind of like, you know, be able to really compromise them. I personally thought that one of the coolest things they did and in their slide deck, like every few slides once they found vulnerabilities, they would like check it off. They basically created a wish list of bugs. And in general, I think that like achievement or like, you know, a task based hacking is really valuable. We've talked about a little bit on the pod. I think you specifically do this kind of a lot, right. When you're going to live hacking events, like, oh, I want RCE on this feature or I want to be able to like listen to anybody's conversation in this device. Right. It's like you set up a goal and then you go and get it and usually somehow it's just like the stars align to make it possible. It's probably because everything is vulnerable if you work hard enough. Yeah, but, but I think that's just really cool as like a takeaway for bug hunters, as like a wish list. I did think that it was neat they had multiple items on their wish list. Right. Like, I feel like as hackers sometimes we go to events saying like, oh, RCE on this thing is just like one. Having the wish list is pretty neat because you can probably pivot between them.
[00:25:28.67] - Justin Gardner
Yeah, I think there's, you know, point of diminishing returns with that as well. Right. Like you're like, sure, you need to stay focused, but maybe, you know, be open to the possibilities of how the system is implemented, you know, where the vulnerabilities might be. But I definitely like that concept as well and I think it's especially applicable to appliances and IoT devices or whatever. Right. Because, you know, oftentimes there are just very specific things you want to do, like phone to own, all about shelling the device. Right. And so you've got a very narrow focus there and it makes it a lot more intense. For sure.
[00:26:00.86] - Joseph Thacker
Yeah. So I personally was surprised by how much AppSec there was in this. You may disagree, but I mean, there was like so many slides they had that were basically like, here's the HTTP request and here's the HTTP response and like kind of we're breaking it down. Which I was delightfully pleased by because they were often looking at like, you know, the desktop installs of these apps. But anyways, they. The one thing that I thought was like a really great takeaway was they found pre auth configs for both Zscaler and Netskope and I'm pretty sure that still existed today. That wasn't like some vulnerability. I think that what was in there was a little bit too much data. Whenever I was at AppOmni and did SaaS security, I also found this on Workday for example, a lot of SaaS based Workday apps that are like multi tenant will for some reason have like some sort of like externally available config. It'll usually include things like the org name or some other stuff and you can, you can like garner a little bit of information about it. Sometimes it's not, it's usually not a vulnerability, but it gives you a lot of information about the target. In this case, a couple of them were actually vulnerabilities, but I thought that it was, I thought that it was pretty neat. You can see actually. Well, I won't share, but for the audience there's a, there's an endpoint for Netskope that's like get mobile user pack and then org key. And so as long as you have the org key which is able to be found in a couple different ways they talk about in the talk. So you should go watch that. But you can return a bunch of information about that org and it very often included sensitive things like routes, internal host, external host and in some cases it would even include keys and stuff. But I thought that that was one thing that is neat.
I like meta concepts and I think in SAS having like a pre auth config as like a meta concept to know, to look for or to like Google force, like if you're trying to target a specific desktop thing or SaaS thing and you're like hey, what's the pre auth config URL for this app? Right? And then that gives you more information about it and sometimes might be leaking things that shouldn't.
[00:27:58.43] - Justin Gardner
Dude, those meta ideas are just going to become more and more and more valuable though as you know as well as we move into a bunch of AI stuff supplemented hacking over the next couple of years because those meta concepts are going to be able to be pulled out and applied specifically. Um, yeah, totally. Uh, and, and I think I've definitely seen this as well. You know, with these appliances you've got to look for. I mean it's a, this is kind of what it boiled down to. You know, I kind of covered this in a talk a while back when I was talking about my approach to hacking Grafana back in like 2020. But essentially it's like you just got to look at the, the routes, you know, look at the routes, look at the unauthenticated routes and then that is your, what you can work with. You know, you've got, if you want an unauthenticated bug, you've got two options. You bypass auth or you work with the unauthenticated routes, you know, like so, you know, you just kind of break it down into the steps and you work through them. But yeah, I thought that that talk was really interesting. I think that there's certainly a lot of. There's certainly a lot of AppSec in there, like you were saying, right? A lot of. A lot of, you know, web hacking. And I think a lot of the IoT hacking that you actually do with these apps is to get to the AppSec stuff, right? It is to get to the web hacking. So I think that makes a lot of sense to me. You just got to try to keep pushing at the IoT side until you get the source code or you're able to proxy the traffic and understand what's actually happening in the realm of communication.
[00:29:24.25] - Joseph Thacker
Yeah, they blast right by in the talk. I don't have it in my notes here, but one of the things they very quickly did was there was some sort of client side encryption or something that was signed by an AES key. And then by figuring that out then you were able to actually see what was actually going on, what was in the request and all that. I think that's something that when I often run into something complicated like that client side, I usually just move on. But I think that figuring that sort of stuff out is obviously the birth of all bugs. That's where the real bugs are from.
[00:29:53.45] - Justin Gardner
Yeah. Big, big breakthrough moments there for sure. I remember in my very limited experience of hacking routers, like this has happened twice and you know, where we needed to push some, you know, public key by some endpoint, and then that opens up just like a ton of different, you know, RPC calls or whatever we can do over a different protocol. Very.
[00:30:13.04] - Joseph Thacker
You mentioned like, hardware a couple of times. This was all cloud-based VPN, so I think that it was all just software related.
[00:30:17.76] - Justin Gardner
Yeah, yeah. I'm talking more about like appliances. Right. You know, I'm thinking about it from an IoT perspective because that's where a lot of my experience is, I haven't like done a bunch of like, appliance hacking, but, like, the principles are somewhat cross, you know, cross applicable. The nice thing about appliances, though, is that oftentimes you can just, you know, jump right into the software realm. Whereas, like, you know, with hardware, okay, first I've got to like, you know, either pull the chip off, get the firmware, or I've got to figure out how to get a shell on it so that I can like, then get access to the software layer. Right, right. Yeah, yeah.
[00:30:50.06] - Joseph Thacker
Cool. Yeah. So in general I think that that's neat. They said actually this is at the bottom of my notes. But there are still Netskope installs without secure enrollment enabled. And so in those you can basically still either bypass auth or get access to some of this like sensitive information. So people should look for that. And there are CVEs and I'm pretty sure there are PoCs and stuff from their talk. The other main thing I wanted to mention, and this is something that me and Monkey Kieran found when we were hacking a few different SaaS applications slash companies when we were at AppOmni, was just like bad SAML implementations are everywhere. It's so hard to like deploy SAML properly because it's just complicated, right. And devs really struggle to do it. And yeah, they cracked both Netskope and Zscaler SAML implementations. And there are like, there's like recurring things that are possible that I've seen in my research and in stuff like this. One is that very often it's making sure that there like is a valid signature and not that the signature is like good for you. So if you have a cross org, like if you can go create an instance of this org or a tenant of the org and like create your own like signed SAML requests, it often just works for all, for all tenants. And then the other thing you can do is a lot of times they won't validate some of the fields in there. So as long as it's a good signature, the fields inside of the SAML request can be anything. So you can, you can test for other users, you can test for other orgs. There are lots of things to test for when it comes to SAML and I think that doesn't get tested much either because it is kind of complicated. But with AI these days, all the top models can write Python scripts that'll sign SAML stuff for you. It's like it's not a big deal at all anymore.
And I think the best way to test is actually just to create your own org and then you can just proxy your own traffic in your own tenant and then just change it to other users' values or other org values.
[00:32:39.74] - Justin Gardner
Yeah, yeah, it is a little bit more challenging when you don't have the ability to do that. Right. You're just kind of black box testing the SAML implementation. But there are some really good articles out there still. I remember there's one from Uber a while back where somebody like totally pwned the SAML implementations of Uber. Definitely a ton of good bugs there. And I know. I've been meaning to get a hacker on, the guy that keeps doing a bunch of, like, crazy SAML stuff on here, so we could talk about that. But we do have a pretty solid episode on SAML. Like, I forget which one it is, but it's way back. Yeah, and. But like, that episode, I've gone back and listened to myself talk about SAML in that episode. Yeah, yeah. So I think that one I hit pretty often. All right, man, let's see. Next one that I want to talk about. I'll just. This one's nice and quick. The title is Examining Access Control Vulnerabilities in GraphQL. It's like a field study. Right. And he's talking about finding a bunch of vulnerabilities in a target with GraphQL. And I just wanted to shout this one out because I think this is a good example of, like, good GraphQL testing. And he does. He breaks it down quite a bit. And one of the ones that I kind of walked away with, like, oh, yeah, that's something I didn't really think about before is the difference between broken object property level authorization and broken object level authorization. So, you know, you sometimes will see scenarios, especially in GraphQL, where, you know, oh, you are supposed to be able to access this object, but you're not supposed to be able to access the sub property of the object. Right. And. And that is where a lot of the vulnerabilities lie in GraphQL.
[00:34:22.46] - Joseph Thacker
That's interesting. Yeah, you're right. Because, like, very often I should be able to like, view like, user just an email, but not user just in anything else. Right.
[00:34:29.71] - Justin Gardner
It's like password. Because of password.
[00:34:31.07] - Joseph Thacker
Because if I go to your profile or whatever, it'll pull the user object of yours and so that'll be like. It'll have some of those properties, but I won't be able to see all of them.
[00:34:38.57] - Justin Gardner
Exactly, exactly. So just a quick shout out. If anybody's interested in doing some GraphQL stuff and wanted to brush up, that is a good place.
[00:34:45.53] - Joseph Thacker
Were there any crazy bugs in there that you remember that you. There were.
[00:34:48.53] - Justin Gardner
There were a lot of crazy ones, dude. It was. It was a dating app that.
[00:34:51.09] - Joseph Thacker
They were nice. What was this? What was his tool of choice for testing it? Did he mention it?
[00:34:58.65] - Justin Gardner
You know, I didn't even pay attention to that. I was just looking at the. I was just looking at the data.
[00:35:03.82] - Joseph Thacker
Yeah, sure.
[00:35:04.63] - Justin Gardner
So, yeah. All right, next up for you.
[00:35:08.55] - Joseph Thacker
Yeah, sure, I'll do. I'll do a quick one from lower down in my list. I've got at least two quick ones, but one was, so DEFCON 33. Smart bus or. Yeah, Smart Bus, Smart Hacking: Free Wi-Fi to Total Control. This guy is insane. Well, there's maybe two of them, but it was mostly just one guy. Basically he, he like lives in China, I think Shanghai. But anyways, he's on a bus and he gets into a traffic jam and just like a, like, just like a classic hacker, he's like, ah, let's just see if I can take over this bus. Before he arrived at his destination, he literally had taken the free Wi-Fi, gotten access to like an admin panel, pivoted to another admin panel. There was like two, two of them had the, had the username password admin/admin, got full access to like all the recordings and all the controls for every bus in his city.
[00:35:58.01] - Justin Gardner
So one.
[00:35:58.32] - Joseph Thacker
It's just, it's just, it's like just a cool talk, right? But the thing that I thought that was just interesting about it was it felt very much like those old, those old Hussein write-ups that were like you just get in via some way and it's like, and then this happened, and then this happened, and then this happened. You know, it felt like easy mode bug bounty targets where you get pre, you get post auth and everything's just so easy and lined up for you. It's like. And then admin/admin worked and then I just found this route where it dumped everything and then that, you know, that led to a domain over here where I could log in with admin again.
[00:36:29.67] - Justin Gardner
It's so good, man. It's so good. I love those scenarios. I like my pulse is high right now just thinking about it, you know?
[00:36:36.30] - Joseph Thacker
Yeah.
[00:36:36.75] - Justin Gardner
Oh my gosh. Yeah, dude. I mean definitely, you know, things that aren't pen tested. I always forget because I spend so much time, you know, in the bug bounty world, but like how much of a palooza it is when you just like attack something that isn't, you know, intentionally being hardened. Oh my God.
[00:36:53.42] - Joseph Thacker
Exactly.
[00:36:54.23] - Justin Gardner
It's crazy, man. Um, all right, so next one that I had here was passkeys. That was it on that one, right? Yep. Okay. Uh, next one I had here is called Passkeys Pwned: Turning WebAuthn Against Itself. And this was very timely because I see passkeys everywhere all of a sudden and, and I was like, I should kind of understand this a little bit better. So watched this, this talk and it was a very good explanation essentially for those of you guys that haven't, you know, looked into it very much at all. The situation is this. You're just doing a public key, private key sort of thing here. So you give the server, you know, your public key or whatever, they're going to go ahead and correlate that public key to your account once you've done the registration. And then whenever you want to log in, they'll give you a challenge. You prove that you have the private key and then they just let you into your account. Right.
[00:37:47.32] - Joseph Thacker
And do they sometimes feel too easy to you?
[00:37:50.86] - Justin Gardner
What do you mean? Oh, the. Yeah, oh, totally. A hundred percent.
[00:37:55.50] - Joseph Thacker
Like sometimes I'm like, is this, this feels too easy. Yeah, like I feel like 2FA is supposed to feel like a little bit difficult, but it just feels like it feels almost too easy.
[00:38:04.82] - Justin Gardner
Totally.
[00:38:05.26] - Joseph Thacker
It feels like it just like works without adding any difficulty. Yeah, but maybe it's just like you're just I guess confirming that like, you know, that is your device. Right. Because basically if your device is pwned, then you do lose it.
[00:38:18.38] - Justin Gardner
Yeah. And. Well, I mean, I've got it hooked into 1Password or whatever.
[00:38:22.42] - Joseph Thacker
Same.
[00:38:22.73] - Justin Gardner
Yeah, yeah. And it just, you know, it pops up, I hit automatically and then boom. You know, it's like, I'm in.
[00:38:27.50] - Joseph Thacker
I'm like, it doesn't feel like true 2FA, you know, but if they've.
[00:38:30.50] - Justin Gardner
Got my 1Password, I'm fucked anyway. You know, like, it's like, you know.
[00:38:33.26] - Joseph Thacker
What are you gonna do? Yeah, exactly.
[00:38:34.98] - Justin Gardner
So it's like, it's pretty bad, so I think it's fine. But, but I do think that like there's a lot of ways that the attacker can utilize this. Of course. Yeah. And so first, you know, I wanted to make sure you guys understand the private key, public key thing and how that, that works. It makes sense if you think about it. And then what the, the guy mentioned here is that there's actually a lot of attack surface here for, for attackers. And mostly what he spent the time talking about was a malicious extension. You know, people just yeeting extensions into their browser all the time and how easy it is for that extension to insert a content script. Shim the navigator.credentials calls, which is how you register and get your passkeys.
[00:39:22.98] - Joseph Thacker
That's what I was going to ask you was how does this. Because it does feel a little bit like voodoo magic because on my Mac, for example, the passkey is accessible if I use my fingerprint and on your phone or whatever. I think usually it's by Face ID or whatever. But there has to be some sort of, yeah, I guess interface between the 1Password or the desktop or whatever that is handing over the public key into the HTTP, into the browser, which is then going to pass it via HTTP. It feels weird. It feels like it's like going from like a physical desktop into HTTP land and they're like, I'm curious what that interface is like.
[00:39:56.21] - Justin Gardner
Yeah, that's handled by the browser. You know, the browser itself is exposing navigator.credentials, which is the interface for passkeys. And then you know, all of your various, you know, whether it be your desktop, 1Password or like your phone's fingerprint or whatever, those are all sort of interacting with the browser from there, which is pretty solid. But I think it's really interesting as well, is like you can definitely use this for ATO by shimming those, that navigator.credentials thing. If you can trigger somebody's like auth for that in the passkey and they approve it, then that authentication material that comes from them doing that passkey activation can then be used as authentication material to log into that user's account. And furthermore, if you shim it on registration, then you can just link your own malicious passkey to the victim's account. And I know that there's going to be a lot of scenarios where we're looking for ATO methodologies and it's going to require a password to change password, but it's not going to require, you know, any, any additional auth to add a passkey. So be on the lookout for that as a way to get ATO once you've established XSS.
[00:41:17.63] - Joseph Thacker
This makes me really curious. What are the protections in the browser to prevent like website A from, you know, basically requesting a passkey for website B? Because then you like basically have the shim, right? Like, because it's like it's your website, not the website they're logging into. Like, I'm really curious how that, like what the segmentation is there. Like if you have XSS, can you all of a sudden shim it? If you have a postMessage listener, can you shim it? Like, what does it take on the page to be able to shim it?
[00:41:46.92] - Justin Gardner
Definitely XSS. Yeah. I'm trying to think about how it would emulate a different website. I imagine that's handled at the browser level. Like once you call those navigator.credentials things, it's like, oh, this call is coming from rhynorater.com or whatever. But I think there's also obviously the cryptographic aspect of it where the server is giving you a challenge and then you're going to complete that. So, yeah, interesting stuff there. And I also think that, just going back to the XSS angle, that I think it would be really cool to see something. An exploitation framework for this that can be generalized and just kind of included as an XSS script where, okay, boom, I got XSS. Now I'm going to include this script which shims the. The calls to navigator.credentials and then, you know, registers my. My key maliciously or whatever. Yeah.
[00:42:50.21] - Joseph Thacker
Because that's what you want for your video PoC is once you get access, is some sort of easy way to prove that it's critical. Right. It's like, yeah, yeah, yeah. Here's a video of me showing that with users, I can actually, like, steal their, like, get full ATO, including the passkey bypass.
[00:43:04.61] - Justin Gardner
Yeah. And I'm actually going to pull this up really quick and see if I can find the. Yeah, the credentials here. Yeah, yeah. I just wanted to make sure I was. I was explaining this correctly. But yeah, the. The challenge is coming from. Okay, yeah, cool. We're good. I think we're good. It is complicated stuff, man. You know, I don't. I don't know if you've had the same vibe, but like, whenever, you know, I do the episode for, like the top 10 web hacking techniques or do like a DEFCON recap or something, I just have to ingest so much material very quickly and then be able to regurgitate it, you know, in a way that is, like, easy to explain and easy for the viewer to understand. It's tricky, dude. It's freaking tricky, man.
[00:43:43.44] - Joseph Thacker
I mean, I think there's a lot of grace there, but you are definitely a person who is hard on yourself and expects.
[00:43:49.40] - Justin Gardner
I want to make sure that people know how it works. You know, it's important because I think a lot of the neurons need to fire as a hacker. Right. You know, like, even if you don't fully understand something, if you heard Justin talk about it that one time, then you're like, oh, I kind of understand how that works. And that doesn't really align with how I understand it. So maybe I should look into that a little more, you know, it's important. It's important.
[00:44:09.32] - Joseph Thacker
Yeah, it is.
[00:44:11.25] - Justin Gardner
All right, what you got next?
[00:44:13.65] - Joseph Thacker
This is one of the ones that, yeah, I thought was pretty interesting. I am not a mobile guy, so you might actually think that this part that I have highlighted is, like, much more interesting. I will mention how I got it, but basically, this talk is called Bypassing Intent Destination Checks, Launch Anywhere, Privilege Escalation. And I mean, the person's obviously wildly intelligent. Their name is Qidan He, Q-I-D-A-N H-E. But I thought that like, so it was like there was like a focus on basically time-of-check to time-of-use vulnerabilities and how Android intents are like resolved and used. And yeah, while you're parsing that, if you want to explain to the user in a minute, that's great. But one of the main things that I thought was super cool was at the very end, he basically gave a prompt for, for how to find the bug using AI in like a code base. And I thought, man, what a cool thing to add to the end of your talk. And I just, yeah, I wish more people would do that. Right. Like, if you're looking for this and you're not, you know, like an expert in this exact type of vulnerability, here's the prompt you can use to ask AI, say, hey, here's the code. Like, here's the decompiled code or whatever. Here's. Here's the thing I'm looking for. Does this exist in this place? And it was like, not like a specific signature for a thing. It was like, when this function is called in this way with this context and doesn't have this protection, then it's vulnerable. And so of course like the top models today will be able to kind of understand that and then look for it in the code and then tell you if that type of thing is in the code. And I thought that was really neat that he did that.
[00:45:47.88] - Justin Gardner
Dude, that's super beautiful. Yeah, I love that. I mean, that's the new or maybe improved version of like, here's the PoC at the end, the PoC video, right? Giving you the script and showing you how to use it, that sort of thing. Giving a prompt to actually detect some of these code patterns. You know, I wish I could add more to what you were saying about this, but as I'm looking forward to it or looking through this little, you know, summary that you have here, I didn't get the chance to read this one, but it seems very interesting. So I'm going to read a couple of these very cool points here. It seems like what he's talking about is something that I've kind of played around a little bit with just in postMessages, which is in web, and it's essentially trying to use time-of-check, time-of-use race conditions to trick things going on. And we see this in postMessage, where, let's say, for example, we send a message and it does a fetch request and then it checks the origin. But in that meantime, you can do a very quick swap of the origin where the event source came from. And since it's pointing to a window reference, it says, oh, okay, that's coming from my place or whatever, my buddy over here, it says, okay, I'm going to do all the things. And then when it responds event source postMessage, then by that time you've already swapped it back to your cached HTML page and now you can snag the response. That's me thinking about it from a web world. I'm seeing some very interesting pieces of that here, where he's talking about identifying and extending the time windows between security check and intent launches, and then using large malformed Android manifests to slow down the resolution process and widen time-of-check, time-of-use windows. Dude, I am so excited to listen to this talk.
[00:47:38.44] - Joseph Thacker
Anytime there's like a gadget that slows something down to get a race condition through, it feels like that's just like peak hacking.
[00:47:44.59] - Justin Gardner
Ah, dude, yeah, I love race conditions. Race conditions are so cool. But yeah, dang, Joseph, come on, be more of a mobile guy so that.
[00:47:53.92] - Joseph Thacker
You can explain those. If I was, maybe I'd be able to explain this better.
[00:47:57.03] - Justin Gardner
Yeah.
[00:47:57.23] - Joseph Thacker
But yeah, basically, this little thing I did want to tell you, this little summary is just so good and clean. And I was. I used the ask button in YouTube and basically said like, hey, you know, just as like a practical bug bounty hunter, what are the big takeaways? Like the actual, like practical advice or things to look for when I'm like testing similar things. And this is what it came out with, which is really clean.
[00:48:19.03] - Justin Gardner
Okay, I'm going to read this one summary at the top. The Bad Resolve vulnerability highlights that even if an event or. I'm sorry, excuse me, an intent is checked and deemed safe at one point, its resolution might change by the time it's actually launched, creating a window for privilege escalation. Oh my gosh. I know what I'm doing right after this.
[00:48:37.32] - Joseph Thacker
What is so, Bad Resolve is an old vulnerability. His new one is called Launch Anywhere, I think. But what exactly does it mean by resolution here? What is the resolution of an intent?
[00:48:46.40] - Justin Gardner
Dude, I wish I knew. But you know, the, the way that I'm, the way that I'm thinking of it is, you know, they're. They're checking. How do, how do I explain the resolution? I mean, I'm almost thinking it like a promise, you know, in JavaScript. I don't know if that's getting too.
[00:49:02.57] - Joseph Thacker
Yeah, yeah, yeah.
[00:49:03.13] - Justin Gardner
No, but. But, you know, like. And then, you know, you check where it's from, you know what it's supposed to be doing, and then by the time it's actually used, it's swapped. So I think that's really cool. I'm going to go. I'm going to go check this out a little bit further after this. Cool. But, yeah, okay, sorry.
[00:49:17.90] - Joseph Thacker
This is one of those times when we really need Joel back. We need to bring in, like, guest appearance Joel here. Please come explain this to us, Joel.
[00:49:23.46] - Justin Gardner
Yeah, dude. But I mean, I totally feel you, though, man. Some of these times, you know, you listen to some of these talks and you're like, I know that this is really cool and I can express, you know, to the people that this is cool, but I cannot explain all of it. Okay. So one of the ones that I chose was Invoking Gemini Agents with Google Calendar Invite, which is, like, very similar to a lot of the research that we've done and talked about before. But there were a couple things here that were good takeaways. Essentially, the TLDR of it was, who gave this talk? Let me see. It's in the notes. I'll let you pull it up while I'm talking about it. But essentially, the TLDR of this was they'd invite you to a Google Calendar event and they'd say, hey, what's on my calendar? And then the prompt injection would just do a bunch of crazy stuff.
[00:50:09.84] - Joseph Thacker
You've reported this exact thing?
[00:50:11.09] - Justin Gardner
Yeah, yeah, we have. But in this scenario, controlled windows, you know, turned up the boiler, you know, turned up your heat in your house, all sorts of stuff. And I thought one that. That was really amazing. But one of the tips that they gave in here was specifically here was targeting this phrase, here are your events for this week. Right, right. And. And that is what they would be responding with constantly when it says, here are your events for this week, when you ask what's on my calendar. And so they targeted that phrase specifically and were able to override the response of the LLM because they could predict what it was going to say as a part of its system prompt or as a part of its training, and then get it to invoke all sorts of different tools.
[00:51:02.59] - Joseph Thacker
Yeah. I wanted to mention this. So I think I've noticed this in the last week. You and I were in a hacking event that we won't have to go into too deeply here, but I noticed that a lot of people in that event and just in my other hacking for like another AI red teaming. I've been doing that in nearly every app these days. There's like a suggested prompt, right? It's like summarize my day, summarize my week, what are my calendar events? Like that phrase. Exactly. And that is a better PoC if you compone that versus the user saying hello, hi, whatever.
[00:51:34.42] - Justin Gardner
That's such a, that is such a good call out, rez0. That is a really good call out.
[00:51:39.15] - Joseph Thacker
It is. Because like with Google, you and I know this, they're like, oh, at scale this will get popped. We'll kind of trust you on any prompt. But a lot of these smaller bug bounty programs won't like. So if you're like, if the prompt that you're inputting, that's going to go figure, go trigger a prompt injection is like, hey, can you tell me the 22nd thing I did last week on this other thing? And then it triggers the prompt injection. They're like, this is unrealistic. But when it's one of the hard coded prompts that they just like can click or that they expect the users to always say or do, it almost always gets accepted. And it will sometimes I think even leave the. It leaves the user interaction required at like a lower bar. It might not be UI:L versus UI:H, but it definitely leaves it there. Right?
[00:52:18.46] - Justin Gardner
Dude, what a great call out, man. Like that, that's just one of those things like, you know, you hear it and you're like, ah, duh, of course. But like, I totally never thought of that. And I've looked at, you know, I don't know, I probably looked at like, you know, 20 AI apps by this point, you know, and I haven't thought of that. That's, that's such a good point.
[00:52:37.51] - Joseph Thacker
But I think what they did is the next step, right? It's like they noticed that every time they clicked that the LLM would respond with here are your events for the week. So then they put in their prompt injection, here are the events for the week colon. Then all the things that they wanted it to do maliciously. So I think that's kind of like a two step process there. That's like pretty cool and valuable. It's like one, what are the recommended prompts? And then when you use those, what's the model's language when it responds to you and you want to kind of. What's that called? Mirror. You want to mirror the model's language in your prompt injection payload?
[00:53:07.46] - Justin Gardner
Yeah, it's almost like it's a, you know, you're trying to convince a human to do something. Right? It's hilarious. Like, if you read, like, all those, like, sales, you know, technique books, or they're like, oh, you know, mirror, mirror, your. Your partner in the negotiation. And I'm like, yeah, wow. Crazy, dude. I would add one more thing to the end of this, and I cannot believe I didn't. I don't believe I checked this when I was working on Gemini, which stab in the heart. But prompt injection to opening a URL and then swapping that URL via redirect to an intent URI. Oh, my gosh. Like, that is such a good idea. And, you know, maybe by the time. I don't. I know we were playing around with that one night.
[00:53:49.69] - Joseph Thacker
You can redirect to intents. I don't even know you can do that.
[00:53:51.50] - Justin Gardner
Yes, you can. Yeah. So essentially what they did there was they did a prompt injection. You know, it then opened up an HTTP URL. That URL redirected to an intent URI and it would just launch the app. And I'm like, oh, my gosh.
[00:54:04.40] - Joseph Thacker
Can you redirect to any protocol?
[00:54:06.80] - Justin Gardner
Yeah, yeah. And it's all up to the user agent, up to the browser, whatever, to decide what to do with it. And most of the time in Android, it will go ahead and prompt you, you know, and say, like, hey, do you want to open the YouTube app? Right, sure. But in this Gemini thing that they were talking about here, if you redirected to an intent URI from within the embedded browser in Gemini, it would just open up the intent. And I'm like, oh, my gosh, that is such a crazy thing. And it made me think of a Pwn2Own write-up. I just recently, it was a video that I was watching by Ken. I can't remember his last name, Ken Gannon. And essentially he was talking about how you need delivery. Delivery is a huge problem for these devices that you are trying to pwn and Pwn2Own these mobile apps. Right. How do I, without user interaction, trigger these attacks? And one of the ways that could potentially do that is using these AI apps. Normal usage. Hey, what's on my calendar? Right, but that. That calendar has been. Has been hijacked.
[00:55:18.78] - Joseph Thacker
Compromised.
[00:55:19.50] - Justin Gardner
Yep. And then it, you know, opens up an HTTP URL which redirects to an intent URI, which triggers a vulnerability in another mobile app that's, you know, embedded on the device by default, and that triggers RCE. Right. I just think that's a. That's like, that's a really good chain and could be something good for any of you guys that are looking at trying to attack like, like vanilla mobile devices, thinking about AI and then using those AIs to launch intents.
[00:55:44.55] - Joseph Thacker
Do you know if Google apps are like, more trusted in the Android ecosystem? Like, they're less likely to require, like, approval?
[00:55:56.71] - Justin Gardner
Oh, you mean like, you know, do you want to launch the YouTube app, that sort of thing?
[00:56:00.11] - Joseph Thacker
Yeah, it's like, it's like if you're on Android, it might automatically happen. I don't know where this takes my brain, which I think is going to be huge. It makes me want to go test it before this thing goes out. You know how I'm always thinking about delivery for AI vulnerabilities. And one thing is q parameters, right. Where, you know, if you can, you can basically have a one-click or a CSRF to a lot of delivery on these apps where the query is in, like, a specific GET parameter. And then I remembered that in testing some of the desktop AI apps from frontier labs, there is a specific protocol like app name, colon, slash, slash. And when you do that, it automatically invokes the prompt.
[00:56:41.69] - Justin Gardner
Yep.
[00:56:42.13] - Joseph Thacker
And so that makes me think that these custom handlers, especially on, on, like, mobile devices, like if you open up, like, a, you know, q parameter based link via intent, across Claude, across ChatGPT, across Gemini, will it auto-execute those prompts? Because if so, then you have automatic delivery.
[00:57:01.90] - Justin Gardner
Yeah, dude. Yeah, it's good. It's good, man.
[00:57:04.65] - Joseph Thacker
I want to go test it.
[00:57:05.57] - Justin Gardner
It's like a thing. It's a good thing to be thinking of. Yeah. Okay, dude, I gotta bounce here in like two minutes, so let me hit this last one and then if you want to do another one, you can, and if not, we'll cut it. But last one. This one's kind of crazy. I'm not gonna lie, man. Like, this one blew my mind a little bit. And I think. I think it was you that mentioned to me that Brandon went to a talk on DOM clobbering.
[00:57:32.84] - Joseph Thacker
I did?
[00:57:33.63] - Justin Gardner
Yeah.
[00:57:34.07] - Joseph Thacker
These young guys, they're like, oh, we're looking for internships. And it's like, you guys are super experts already. Tell me.
[00:57:38.32] - Justin Gardner
Yeah, dude, it was like, I mean, this. These were, you know, university. They were associated with a university or whatever. Holy moly, dude. Like, they hire them.
[00:57:50.00] - Joseph Thacker
Have you reached out to them yet?
[00:57:51.00] - Justin Gardner
They took. I don't know, man.
[00:57:52.32] - Joseph Thacker
We.
[00:57:52.84] - Justin Gardner
I got to. I got to talk to them or something. But they. They found a bunch of bugs relating to DOM clobbering in things like webpack's, like, bundler or runtime code, right? So every website uses webpack ever, you know, and the runtime code that comes along with that was vulnerable to, like, a DOM clobbering. And it's just like, holy moly, like. But anyway, essentially they took DOM clobbering super far because there are a lot of people that have kind of poked at DOM clobbering and tried to figure out how to do it, but essentially they formalized the whole thing and they, like, figured out, okay, we know exactly what things we can overwrite with DOM clobbering. Then we're going to hook those into a taint analysis and then build the AST tree and correlate those to the structure of the HTML that we would need to mimic that flow to get our source to hit the sink. And they just formalized the whole thing and made it. So essentially it would trace the code, you know, via taint analysis and then it would say, okay, according to this tree, this is the DOM clobbering payload we need to reach the sink. And then it would generate that payload automatically and then detect whether the attack hit the sink. And they like, they cleaned up with it. Like almost 500 zero-days and bugs on webpack, Rspack, Vite, I think, is how it's pronounced. I never had to say that out loud before. Google API client library, Astro.
[00:59:23.90] - Joseph Thacker
How many of these do you think were being exploited by bug hunters in the wild? 500 zero-days.
[00:59:28.94] - Justin Gardner
Yeah, dude. Well, it does require an HTML injection though, which is interesting. Right? And so, you know, you've got to find that base piece, but once you've got it, then you've got these gadgets. Right?
[00:59:39.01] - Joseph Thacker
But not anymore. Not if all these got fixed.
[00:59:40.73] - Justin Gardner
Well, yeah, a lot of them did get fixed, but a lot of them are not fixed still. So you can check out the GitHub link. It's DOM Clobbering Collection by Jack from East. And we'll link it in the description, but the tool that they built is called the Hulk that does this automatically. Holy moly, dude. It was crazy.
[01:00:00.84] - Joseph Thacker
All right, let me do my two super quick. It will take me literally one minute each.
[01:00:04.44] - Justin Gardner
Go for it.
[01:00:05.80] - Joseph Thacker
Because these were not long. First of all, there was one by Matte Jose or yeah, M A T E I. It's called Smart Devices, Dumb Resets: Testing Firmware Persistence in Commercial IoT Devices. Dude, this is one of those ones that I was like, we should have covered this on the spooky episode, basically. Really cool. Matt Brown got a shout out, shout out in it, but basically he would buy devices like routers, flash the firmware with OpenWrt, return them and then see if they, if they did anything or if they just shipped them to a new customer, totally backdoored, and they would just ship them out. He somehow set up some, like, thing where he could poll for it to make sure he bought it. And his PoC was something that would literally just make a GET request to a server. So it wasn't malicious. But he, he found out that there's basically zero validation on the market of returns. So if you're ever going to buy an IoT device or a router or something, the, the, like, it just scared me about that because now I just don't know whether the firmware is going to be backdoored.
[01:00:59.75] - Justin Gardner
Yeah, dude, that's crazy, crazy, crazy talk.
[01:01:02.15] - Joseph Thacker
So you should look that up if you're interested in that. The other thing was there was one called Mac PRT Cookie Theft and Entra ID Persistence, and yeah, I am. It was one of those that was, like, way over my head, basically a bunch of, like, low-level, like, macOS hacking and stuff, and anyways, the thing I wanted to bring up was they talk a lot about SSO, and I think that if there are any of our listeners who are, like, just SSO experts or want to understand SSO better, I think you should definitely check that out, because it got into, they had a bunch of really neat diagrams and a bunch of really neat explanations for how different forms of SSO work and how they're implemented from, like, a desktop perspective. And then a lot of it was clearly applicable to AppSec too. So that's it.
[01:01:45.01] - Justin Gardner
All right, man, very good. I do want to say on that last note that is also an IoT attack vector, by the way, is if you can persist through a factory reset on the device, that is a valid bug in my opinion and with some of the IoT people that I've dealt with. So it's just not, like, a threat vector thing I think of very often. But yeah, I mean. Is that a wrap?
[01:02:05.03] - Joseph Thacker
Yep, that's a wrap. Thanks.
[01:02:06.36] - Justin Gardner
Peace y'.
[01:02:06.84] - Joseph Thacker
All.
[01:02:07.92] - Justin Gardner
And that's a wrap on this episode of Critical Thinking. Thanks so much for watching to the end y'.
[01:02:11.71] - Joseph Thacker
All.
[01:02:12.00] - Justin Gardner
If you want more Critical Thinking content or if you want to support the show, head over to CTBB show slash Discord. You can hop in the community. There's lots of great high-level hacking discussion happening there on top of masterclasses, hack-alongs, exclusive content, and a full-time hunters guild if you're a full-time hunter. It's a great time. Trust me. All right, I'll see you there.