Feb. 8, 2024

Episode 57: Live Hacking Event Inside Scoop - H1-305

Critical Thinking - Bug Bounty Podcast

Episode 57: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are live from Miami, and recap their experience and share takeaways from the live hacking event. They highlight the importance of paying attention to client-side routing and the growing bug class of client-side path traversal. They also discuss the challenges of knowing when to cut your losses and the value of tracking time and setting goals. 

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. 

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. 

Timestamps:

(00:00:00) Introduction

(00:03:50) Miami LHE Recap and Takeaways

(00:05:57) Keeping time and cutting losses.

(00:19:07) Roles and Goals

(00:23:33) OAuth

(00:28:52) HTML5 image to img Tip

Transcript

Joel (00:01.746)
Whoo! Wow. This has been a whirlwind, man. Cannot slow down, can it? No, it can't, dude. We, here we are, we are in Miami for the recording the second episode. I think this one's gonna air first though. Yeah, we recorded an episode a day before yesterday with Youssef Sammouda.

And man, is that a good episode. You guys are in for a good one next week. Oh man, it was funny because I was joking with some people that were like, oh, were you on Youssef's podcast yesterday? I was like, yeah, I was. I was the guest, actually. Dude, seriously, it was so good. And just a lot of really high technical bugs, a lot of great discussion surrounding client-side constraints in the browser.

and that sort of thing. So really looking forward to airing that episode and I gotta re-listen to it myself. Yeah dude, I mean it's so awesome seeing somebody who has, I mean, it feels like a niche, right? But it's just like web hacking, right? Like he has managed to corner this niche of ATOs and post message and deep JavaScript bugs and you do that too, man, don't get me wrong. Yeah, so I guess some of the things that I kinda wanna talk about is takeaways from this live hacking event.

The target is public, it is Capital One. And it's been a really fun event. A lot of client side bugs have rolled out, especially for me. So there's a couple good takeaways there, and one of those is that I wasn't paying enough attention to client side routing, I don't think, before this specific event. And like I've been predicting over the past couple months, or even maybe a year at this point since we started the podcast,

Client-side path traversal is just gonna continue to grow and grow and grow as a bug class. And we've seen that at this event, we've seen it at past events. Paying attention to client-side routing is going to be the new CSRF in the near future. Yeah, absolutely, because there are so many levels of complexity now with just browsers. How the browser is handling requests that you are gonna have to rely on client-side path traversal at a certain point. Like CSRF

Joel (02:11.138)
within the next 10 years could not even exist anymore. Yeah, it's going to be real tricky. When the browsers remove the SameSite Lax default caveat that they have, the top level navigation with a POST request within two minutes of the cookie being set, when that goes away, it's going to be very hard to implement CSRFs. By default, it's going to be safe, which is great for the community, but a little bit sad for us. Yeah.

And so definitely those client-side path traversals are gonna continue to be a thing. And I've seen this event, and in past events as well, a lot of really interesting stuff surrounding chaining those client-side path traversals with open redirects, and then actually being able to control content that's being placed into the application that the application expects to be secure. Right. They're trusting their API response, you know, requests.

and you're gonna get stuff back and sometimes it's HTML and a JSON blob and then they literally just dump it right into the DOM and you've just got XSS. So especially when it can be chained with an open redirect, lot of impact there. Yeah, absolutely. So where did you spend most of your time on the event? Man, I jumped all over the place. There was a couple things in scope that went out of scope by a certain time. So I went and focused on the things that were time sensitive first.

And then for the rest of the event, man, I was just kind of chugging away on, on client side stuff. I've got 40 bless my heart. I've got 40 bugs right now. 40. And I was up till 3am last night, um, finding another high, uh, and getting it submitted and getting it fully exploited. That's awesome. I am toasty right now, but I'm expecting some good results. I'm a little bit nervous right now though, man, cause it's like, let's the event has officially closed and they've only paid.

150k I think last time we looked at it and they might be paying them out right now as we're recording. Yeah. Yeah 150k Yeah, so I think that they're lagging a little bit behind on this I'm interested to see how it turns out tonight. Yeah, I have a feeling it'll probably end at least Three or four hundred K total bound. I think at least yeah I think a lot of it is there was so many dupes especially on those time-sensitive areas like you said like I remember I checked on the first day and there was like

Joel (04:33.142)
five or 10 people who had 25 reports in. And I was like, oh, okay, I need a new time zone. Like, wow, this is crazy. For those of you that aren't familiar with the live hacking event, I sort of set up how it works in these competition is there's a dupe period for the first week of hacking. So you've got all these top hackers hacking on one target and then the bounties are inflated and then...

But obviously there's gonna be a lot of dupes because a lot of the top hackers are gonna find similar bugs. So within that first week, all of the bounties that are dupes are all split evenly between all the reporters. So it's very important within that first week to find all of the things that you can find that you think are not specifically, you know, Rhynorater bugs or Teknogeek bugs, right? And get those submitted, get those in before the dupe period ends, and then you can kind of focus on the bigger brain stuff, right? Yeah, yeah, and I did a similar approach. So there was...

There was a flag that they had set out in the mobile apps. I was like, well, that's my jam, so let me go. All right, here we go. So I went in on that. I got that super quick. I think I got it. It hasn't been paid out yet. You got it first. I'm pretty sure I got it. And then I kind of made a, well, it was a mistake, but I didn't know it at the time, where I spent most of my time on the mobile apps. And again, because my niche, right? So I was talking with Rezo. He was like, you know what, dude, just do it. Like focusing, going, it'll be worth it. I was like, okay, I'll do it.

And so I started tracking my time this time. This was the first event I tracked my time. No way, really? I hacked up. Oh man, you were going seriously. I was going serious. Honestly, it really helped with like, I don't know, maybe it's just my ADHD, but like having a timer where like, if I feel like I've been doing something for a bit and just being able to like look up and see, oh, like I'm two hours in or three hours in or whatever, like it's good to feel like I'm making progress and not just like I'm sitting still. There's something about putting hours in that that's gratifying in and of itself. Right, right.

But unfortunately, I didn't I didn't find anything else than that. I felt like one load got close and the whole app was tight It was very tight and we in even across the other mobile hackers I think there were only like one or two other accepted reports on the mobile apps. Yep. So that's that was definitely Sad to see yeah, they had a ton of obfuscation on it. I spent a bunch of time getting around Oh, yeah, was that what you know? Oh for sure like once I get past this obfuscation

Joel (06:52.034)
Good like I'm gonna find all the bugs as soon as I get past this I got past it at like hour six and oh my gosh, it's just like Testing endpoints looking for other entry points like looking for anything and it just nothing panned out I even pulled out the full list of endpoints. I sent him over to rezo. He was like, alright, let me fuzz these nothing So wow, dude. Yeah, that's just how the cards lies and I know we were gonna do a What did you put in the chair a hacker therapy? therapy session man, so like

How did that make you feel, Joel, in that moment? I'm not gonna lie. I was like, in the heat of the moment, I was like, you know what? Maybe I'm done with Bug Bounty. I know, man, I always feel that way. And then it's like, it pulls you back in to when you find something that, and we've got a bug, we've got an ATO on a specific site that we need to go finish up. So maybe after this event, we'll go do that and that'll kind of swing us back around into the proper mindset. Gotta get that momentum going. Oh man. Mindset grindset.

Yeah, dudes, but I will say the nice thing about tracking the time I felt like because I knew how many hours I put in, I felt less bad when I decided it was time to cut my losses. And so when I was like, okay, I'm at 25 hours on this mobile app. I'm done on the mobile app. I'm not there. I'm not spending more time on this. If I'm going to hack more on the, on this target, I'm going to look at

other scope assets because this is no longer worth my time. If I'm going to find anything, it's not going to be on these apps. I've got a cool story about learning how to cut your losses. This event, I found what should have been a bug but was not a bug. There was a specific spot in one of the applications where it was taking a parameter via the hash and it was taking that parameter. It was actually doing...

Domain validation on a different parameter and then using this parameter as the API host. Okay, for like their fetch stuff that they would do like this in the past I did really and But here's the thing with that. So typically this would be an easy dub be but There was a there's a CSP in place, a connect-src CSP. Okay. So that means I can't connect to any website that is not what they had defined. They've got one website in scope, they've got self

Joel (09:09.182)
and then they had *.googleapis.com. Okay, that's pretty broad. That is. So I was looking into that, I was like, okay, what can I do with that? And lo and behold, the storage API for, or the way you access Google Storage Buckets, the S3 buckets of Google Cloud, is on stor I was like, great, I'll just upload a JSON file to a bucket. And then...

You know, if I need to do multiple requests I can like get the timing right, you know. And I can change out the file and that sort of thing. So far, nothing has gone wrong. That's a problem, right, because I go all the way down this, you know, path and then it doesn't work at the end. I'll tell you, I'll tell you. So I plug it in there. Give it the host. It sends out the request, boop. Access control headers for

need to be in place. So you need Access-Control-Allow-Origin header. I'm like, okay, shit. On the bucket. So I was like, okay, you know, Google storage bucket, access control header, right? Oh no. Okay, well first actually, I had a different idea. First I was like, okay, maybe I can just use a data URL.

Oh, yeah, right, actually, yeah, right. And I was like, okay, great, and I opened up my browser, I said fetch data URL and it worked, and I was like, oh wow, I can, I didn't know that I could use a data URL with fetch and I can specify the content type and everything. I was like, this is really cool. Where do you specify content? In the data URI itself. It's like data, you know, colon, and then it says like JSON or whatever and then base64, it applies when it fetches it. Yeah, and it does, it's clean. CSP

doesn't like data, of course, I don't know what I was thinking. But I was really interested to that like, oh wow, I can use a data URI with fetch. So anyway, then I go to the bucket solution, right? Okay, I need to solve the Access-Control-Allow-Origin header problem. So I start Googling that and there's a way to set it for the bucket. I'm like, hell yeah. So I go ahead and upload the thing and I'm like, all right, got it set to star, whatever, no problem. And I set it up and it's boo-boo.

Joel (11:16.406)
This fetch request is with mode send credentials. So there needs to be an Access-Control-Allow-Credentials: true header in the response. And you can't set that for Google Storage buckets. But wait, Joel, it gets better, man. OK? Listen to this, dude. Then I'm like, shit, how do I fix this problem? So I start researching, researching. Also on stor is the JSON API for the storage.

Interface, so you can get like metadata on objects and stuff like that. Okay, that one does return, it echoes the origin into the Access-Control-Allow-Origin header. And it has Access-Control-Allow-Credentials: true. Okay, it's like, this is perfect. But how do I get my arbitrary data in there? Right? Because it's the metadata URL. It's not actually, or it's the metadata endpoint. It's not the actual content. Well, there's this one weird parameter that says instead of giving the metadata for this object

return the actual object content. And I'm like, yes, this is perfect, I got it. And there's a sink too. There's a window.location.href sink that's right after the call. So it literally, if it has a JSON attribute, then it just puts it right into window.location.href. I'm like, hell yeah, this is XSS, let's go. I mean, at this point so far, are you pranking me? It's ups and downs, no, it's ups and downs, it's ups and downs, man. And then guess what? I send it in, JavaScript URI, boop boop, CSP script-src.

can't execute anything, I don't know why I didn't see it, I went on this whole thing, there's no script source, and I just, it's a dead end, you can't do anything with it. There's no JavaScript you can execute, I've tried this and that and the other thing, oh, here's the other thing, it caches the API host in session storage, okay? And then it will use that for another request that has sensitive information in the URL, so I'm like, great, I can link that.

but when it sends the sensitive information via the URL, it clears session storage. So it's like, and session storage is supposed to be per tab, I figured out a way to get that to not work, right? To cache mine and then use it on the page. It's still freaking, they clear session storage so I can't leak the data, it's useless. Wow, okay, I was gonna ask a couple things if you had tried. I'm so salty, man. Before I found out about the CSP, I was gonna say, I was gonna wonder if you had tried redirects.

Joel (13:42.194)
For the storage bucket thing, to see if you could maybe redirect it to the URL you want it or at like wrap it or something. But now the connect-src is gonna block anything and there's no way for you to make that initial connection because you can't make CSP You know dot or a storage dot What about like CSS, like CSS exfiltration? Yeah, but we have no

Joel (14:10.018)
There's no way to inject. So then there's also sort of a way for you to get HTML injection, but it's in Angular's HTML injection thing. So it's just totally, it's impossible, man. I've had six people look at it at the event and all of them are extremely talented client-side hackers. Not a man, dang. So anyway, man. I'll be honest with you. I sunk probably eight hours into that endpoint. And that was a mistake. I got...

the full length that I made it in the end, three hours in probably, and I made that extra hop to, oh, okay, maybe I can leak data via poisoning the API host in session storage, maybe five or six in, you know? So maybe if that clear session storage thing wasn't there, then maybe I could have actually gotten the exploitation, but one of the hardest things in bug bounty for me, man, is knowing when to cut your losses.

And I just suck at that and maybe sometimes that makes us better hackers and maybe that makes us pops bugs But I think a lot of time it makes us lose Lose a lot of time right and like it's a trade-off right because there's always like if you cut your losses too early Then you definitely could miss something. Well, there's guarantee the miss right like yeah I mean assuming something's there but yes, like the miss is significantly more but again it like Equally if you keep hacking

The miss also like the other scope and the other things that you haven't looked at like that miss is still there um, and I Dude, i've been thinking about this because I like I don't know If I should adjust anything and I don't think I should like Because I don't think I did anything wrong Maybe maybe I should have cut losses and maybe a little earlier Maybe I should have spent less time on like the nitty gritty of the obfuscation and stuff. What what I would say joel is

25 hours is, I mean you got a full-time job as well. So I wasn't really considering that. 25 hours is not where I cut my losses normally in these sort of situations, but I didn't really take into consideration the fact that you have limited time constraints with your full-time job. With full-time job I was doing about six hours a day. Yeah, that's, yeah. That's, yeah. So, you know, it is what it is.

Joel (16:31.222)
You know, you can't win them all. I think I've said that to like 10 people So, you know it happens and I think I'm just gonna apply the same, you know go deep right like that's what we always say Keep keep going keep going deep just keep going deep and notes, right? Like I was taking a ton of notes and by the end of it. I was looking through my notes. I was like

I have nothing else to look at you. We need to find that every time I say going deep in with the Bug Bounty context, I think of that tweet by TomNomNom. You know the one I'm talking about? No, no, no. So dude, somebody tweeted out a, I'll have to see if I can find it, but it's like one of the most legendary tweets I've ever seen. Someone was like, all right, Bug Bounty tips. You know, go deep, read the manual.

You know push hard something like that and then Tom comment in a bunch of other ones that are in line And then Tom comments. He's like, this is also my approach to sex And I'm like dude you're nuts such a that it ratioed hard, of course Wow, yeah, man getting intimate with the application as we say is pivotal to these sort of things

So yeah, and I will say man, I am I am I am intimate Yeah, many of the applications right now and I I'm really looking forward to not looking at a computer screen for a little while Yeah going out of the country right after this Which is which will be great a good time to relax and I'm just hoping these bugs pay out the way The way they should yeah, absolutely, dude. I heard what your total is right now versus what you were expecting, you know, yeah

It's gonna be a little tricky. I'm looking at my phone because I'm like, ah, you know, and then the thing is about these, the events too is, you know, it'll, they'll make like a ch-ching sound if you're downstairs, you know, in the hacking room and you'll get the, you know, the pings and stuff like that. So it's very like dopamine heavy, you know. Yeah, very anticipatory. Yeah, so any other cool takeaways from the event for you? The only other thing that.

Joel (18:42.69)
comes to my very tired brain right now is I was very impressed with a specific set of business logic bugs from Douglas Day Archangel at this event. He really took his methodology and he normally collabs we called you know we did an episode with him we called him the king of collaboration. He did a solo a solo event this time and I was talking to him about some of his bugs and they're just

Joel (19:12.926)
it exemplifies perfectly the idea of understanding what, it exemplifies two things. Understanding the business and hitting them at their pain points and really setting a goal for the application, the other one is setting a goal for the application and just brooding it into having that goal. Which is something that we talk about a good bit. So I think he did a really good job with this. I'm hoping he gets the payouts that he deserves at this specific one.

Yeah, but you know, we've got time to argue afterwards as well So if it doesn't happen event day, it's sad because you know, you don't make it on the on the you know podium or whatever but There's always time to debate afterwards. Yeah. Yeah, I will say so I also did this event basically solo And that was the first solo then I've done in a long time I usually lean pretty heavy on collaborations because I really like collaborations and I think they're good opportunities, but To be quite honest when you do a lot of collaboration

It's really just like sitting around waiting for somebody else to come up with something and being like hey I have this thing and you're like I can help with that I think for you, you know, one of the areas you shine is as an exploitationist, you know like there's a lot of things that there's a different skill set from you know Exploding a bug exploiting a weird functionality and finding that weird functionality finding the asset that's gonna give you weird function It's not necessarily recon right, you know recon could be

finding the asset and that sort of thing. Understanding what is weird in application really requires a more intimate knowledge of the application. And then you take that and you say, hey Joel, this is why it's weird. This is what it would be cool if it could do. And then, you know, when you have strong exploitationists like yourself that you can collaborate with, it works out really well. But when you spend a long time on collaboration,

some of those other skills get a little rusty too. Yep. Which is tricky and something you gotta go in and be like, okay, I'm self aware of that, I gotta shake that off and be a little bit more resilient in that regard, you know? Yeah, it's gonna take more time, it's gonna, yeah, absolutely, I dealt with a lot of that during this event and the goal thing, I think that's one area I probably could've done better, I didn't set as many goals this event, which. Yeah.

Joel (21:30.078)
I wish I had, I set a couple soft goals. I definitely set more soft goals than I did hard goals, and I wish I would have gone for more hard goals, really go after, I wanna do this thing, I want an ATO, or I wanna bypass whatever, and just go, go at that. I think it might have helped a little bit with the focus and sort of the direction of my hacking. And the one soft goal that I did pursue, it didn't really pan out, it was just implemented securely.

So sometimes you run into and it just happens you did snag the flag. Yeah, which is good So you at least got something to show for it? But yeah that goal that goal oriented mentality is important And then you've also got some I don't know if you want to talk about the thing But you've also got something else going on right now selling a house buying a house Yeah, moving yeah moving across the country, so I'm getting them on the East Coast so we're going back to East Coast We're gonna record in the same time zone eventually it's gonna be clutch and actually there's direct flights between where I live and where Joel lives

Twice per day so we could hop down for an episode hop back and it only be like a hundred bucks Yep, so that would be super clutch. I'm very excited to have you back on these guys so I'm looking forward to like four to five months from now and hopefully Everything is a lot more chill. I moved in I Am NOT dealing with constant chaos this whole year has just been

crazy man, from plumbing problems to house sales to just nonstop. So I'm hoping this is the bad karma side of the year and then the rest, it can only go up from here, right? So another thing that comes to mind about this event is when you're working on a company that's very big and has a lot of different components and pieces to it, looking at auth is absolutely essential. Understanding the auth flow very intimately is super important. Yeah, it is.

Especially when you've got companies that are buying other companies and sort of duct taping them into their own infrastructure, that auth piece is really tricky to implement properly and there's also a lot of things you can do with open redirects and with client side stuff and can I leak this specific piece of information by any of six different ways? If you can, then you've really got a serious bug.

Joel (23:46.702)
Well, I know you, I mean, you said I'm a good exploitationist, you're at least as good as I am if not better, bro, because like to be honest, like in order to exploit those kind of bugs you have to have an intimate level of understanding of the application, gotta have gadgets, right, cuz like you might look at the author of intention be like, this, this is just standard OAuth, like I don't know what to make of this, right, but like

You have to try stuff. You have to know what to try. You have to have sort of that, that playbook of things to be testing, things that you've seen before, things that you've seen around the app as well, like other areas of login that you might be able to try and without that knowledge, like you're just going to walk up to be like, this looks like OAuth next. Yeah, absolutely. The, the knowledge of gadgets and, um, the whole process and where it might break down between all of these different third parties, vendors, you know, sister applications.

All of that sort of thing. One of the things that's very interesting from the OAuth perspective is first party OAuth applications where you don't have to approve consent and third party applications where somebody can sign up and say I wanna use xyz target for single sign on or whatever. That's something that I've been seeing a lot even outside of this event is like, look very granularly at those flows and see if you can make any of them overlap.

because the first party flows often don't require any sort of user interaction to release information. And the third parties do, and you can sign up for your own third party application. So that's another really cool area of interest that I've been kind of piquing my interest lately. And then also, and this is more relating to things before the event, but also things I've been hearing about the event, looking very closely at any...

third-party software that is being brought into a hyper secure environment if you're dealing with a target that really takes security seriously They may have a lot of their own shit on lock Yeah, you know and you may not be able to do much with that but um When they say okay, I'm gonna bring into you know my application this little weird feature this little analytics tool or this little You know thing, you know little widget

Joel (25:58.274)
then a lot of times they expose themselves to undue risk and they don't do enough security code review and threat modeling on those specific pieces of software. I'm talking to you, Joel. I'm talking to myself and I'm talking to the audience. I know you know this. Well, I mean, honestly, and just to highlight sort of like.

Whenever I see a company implement something from the ground up, that is like a big red flag for me. Especially if it's something that's common, right, if I see somebody reimplementing, that's true, the flip side of this is very true, right, SAML, SSO, like any of that. That's like weird to me. I'm like, why did, why didn't they just use some provider?

Like, where did they mess up? Because did they read the RFC? Like, how deep did they go on this? That's true. And where can I find one little crack that I can exploit? Yeah, it's kind of like a catch-22, right? Because if you use a third party, maybe they're, let's say SAML, like you said, SAML is their shit, SAML's their thing, right? And you'd assume that their implementation would be better than your sort of off-the-cuff implementation. But on the other side,

you don't know, because you can't see the code. So it's like, okay, do I trust this or do I not trust this? That is one of those things that draws me in all the time. I get so distracted by things, because I'm like, we've talked about this, I'm a big dopamine hunter, so whatever's pulling my attention, I'll just follow that. And that caught me a couple times during this event. They were using a specific... Especially in a highly obfuscated environment. Yes, they were using a specific tool for obfuscation that...

really was piquing my interest and so I kept getting pulled off to the side like oh how is this working maybe I can find a way to like systemically figure out that and it was just like not really relevant but I kept it was like giving me so much dopamine that I was just like oh I just gotta figure out how this thing works like I don't care if there's a bug here I just want to know how it works like you know and this is why this is why when we work together it

Joel (27:53.43)
Works really well. If you're like, Joel, are you staring at that endpoint? Yeah, there's no, there's not even a hint of a bug there. He's like, I need to understand it, right, and so even if I see SAML, like say I see like somebody's using like, you know, Okta or whatever for SAML, I'm like, maybe I can, maybe I can break, maybe TCP is the issue here. There's a fundamental HTTP core problem

Joel (28:21.698)
Oh, this is such a great tip and I gotta shout out Matan Berson for this one, cause he showed it to me. And I went and read the HTML5 spec last night, because I was so intrigued by this. Did you know that image, I-M-A-G-E, is a separate element from IMG? No, well it is, for SVG, right? But, if you don't have it in an SVG context, the browser auto changes image to

IMG. Wait, what? Yeah, in the browser. So it's like, okay, you know, how many things can we bypass with that, because you know, there's so many things Image instead of image exactly and they're like, oh, this is an invalid HTML tag, you know, the outside of SVG or something like that, and it's literally, it's crazy. You go to your browser, you type in image and you can even put on, you know, src and onerror handlers and that sort of thing. It's no five thing

Yeah, it says specifically in the spec, and it's hilarious too. If you go to the spec, it says, change the token's tag to image, and then it says, this is in the, in the HTML body section, what you should do when you run into a specific thing, and it says,

Don't ask is what it's literally says. It quotes. No way. It says in quotes, don't ask. And then it was funny, you know, cause I was like, ah, man, I gotta find more of these. You know, if there's any of these other weird little things, nothing else. And, but I went through and it was funny. It says, if you encounter the sarcasm tag, take a deep breath and move along. Is what it says. Dude, I was just like, how is the HTML five specs actually an engaging read? Like it's like, this is great.

I mean it's a shout out to the HTML5 people that was it was I laughed I chuckled a couple times Oh funny, dude. Now. I kind of want to go read through it, too It's long reminding me of the time when we were looking into that What was it the body tag or something? There was like the weird thing with meta or a base tag in the body tag. Yeah, super weird Yeah, that should not work according to the spec but that's the thing man. I really wish Google Chrome early chromium

Joel (30:38.59)
would release a HTML5 as implemented by Chromium spec. So it's like, it's just a description, but it's how they've actually implemented it in Chromium. Because otherwise you've got to go and read this C code that's there. Dude, there are so many things on that aspect of stuff that I have to hold myself back from the dopamine hunting because like.

When we were talking with Youssef, we were talking about like, the browser will decide whether or not the user has clicked on something to determine whether or not an XSS should pop. And it's like, how does it determine that I've clicked on something? That I've done an action? How is it actually doing that? How does the browser determine that I clicked it instead of something else clicking? Dude, they're in for such a good episode, man. I can't even, it's gonna be so good, you guys. That's so good, so good. He drops Google Chrome.

bugs on the pod. It's like, it's amazing. It's just like, oh yeah, there's this bug I had Chrome. Like, you know this common feature that everybody uses? Yeah, it's such a great implementation. Awesome stuff. Alrighty, man, I'm exhausted. Yeah, me too. Let's go down and see if there, it seems like they've paid a couple more bugs. So let's go, let's cut it for now and go check in on that. Awesome, that's the pod, dude. All right, that's the pod. Thanks, y'all. Peace.