The player is loading ...
Sign up to get updates from us
Episode 66: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the recent YesWeHack Louis Vuitton LHE, the importance of failure as growth in bug bounty, and Justin shares his research on CDN CGI.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Project Discovery Conference: https://nux.gg/hss24
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Resources:
YesWeHack Luis Vuitton LHE
https://twitter.com/yeswehack/status/1776280653744554287
https://event.yeswehack.com/events/hack-me-im-famous-2
Caido Workflows
https://github.com/caido/workflows
Oauth Redirects
https://twitter.com/Akshanshjaiswl/status/1724143813088940192
Bagipro Golden URL techniques
https://hackerone.com/reports/431002
Monke Hacks Blog
https://monkehacks.beehiiv.com/
PortSwigger post
https://x.com/PortSwiggerRes/status/1766087129908576760
post from Masato Kinugawa
https://x.com/kinugawamasato/status/916393484147290113
Timestamps:
(00:00:00) Introduction
(00:04:19) Louis Vuitton LHE
(00:13:57) Browser Market share
(00:21:13) Justin's Bug of the Week
(00:24:49) Caido Workflows
(00:27:24) Oauth Redirects
(00:32:24) Bug Bounty learning Methodology
(00:41:03) 'Intent To Ship'
(00:48:08) CDN-CGI Research
Justin Gardner (@rhynorater) (00:01.126)
Dude, I am so freaking cold right now. Like, I don't, it's not that man, it's the cold showers. Do you do the cold showers? Dude.
Joel (teknogeek) (00:05.334)
Man, you gotta turn your heat up.
Joel (teknogeek) (00:11.454)
No, I don't do that. I know a bunch of you do that and I think you're crazy for it.
Justin Gardner (@rhynorater) (00:17.006)
Dude, like I don't normally do it very often, but like I was, I've like, I stopped lifting for a couple of weeks and then I'm getting back into it and I've been pretty sore. So I was like, all right, you know, let me see if I can do like a cold shower. And now I'm just like, like core cold, you know, like I'm not cold. Like I've got like plenty of clothes on and like got even the heater is on the feet right now, but like something deep in my core is just freezing.
Joel (teknogeek) (00:42.882)
Freezing interesting that's interesting. Yeah, I'm up in I'm in upstate New York. I'm in Buffalo for the eclipse
Justin Gardner (@rhynorater) (00:44.7)
Yeah, where you at man? You're in a hotel today, yeah?
Justin Gardner (@rhynorater) (00:51.63)
Oh really? Oh you went up there to see the eclipse huh?
Joel (teknogeek) (00:54.266)
yeah i've got some friends appears uh... i thought it would be a fun little trip and uh... gets it's exciting the local area but i'm hoping that it was up
Justin Gardner (@rhynorater) (01:00.627)
I saw this... Hopefully so, that would suck if you went there for that. It's just straight clouds for the whole eclipse. I saw this crazy graph of like Airbnb bookings right on that little band and it's like everything is booked in that entire band.
Joel (teknogeek) (01:07.847)
I know. I know, I know.
Joel (teknogeek) (01:16.958)
It's so interesting. Yeah. I mean, the hotels were like ridiculously expensive. Because I've stayed here in this area before. It's like usually very, you know, normal hotel prices. And then it was like two or three times minimum as much per night. Just to like stay here.
Justin Gardner (@rhynorater) (01:21.782)
Really.
Justin Gardner (@rhynorater) (01:34.623)
lost you.
Justin Gardner (@rhynorater) (01:38.658)
Hello?
Joel (teknogeek) (01:39.436)
Hello.
Joel (teknogeek) (01:43.082)
You can't hear me?
Justin Gardner (@rhynorater) (01:44.654)
I lost you for a second. It seems like you're back now. We can cut it, but how did you end your sentence so I can just flow off of it?
Joel (teknogeek) (01:54.272)
I said that it was two to three times as expensive right now.
Justin Gardner (@rhynorater) (01:59.194)
Ouch dude, that sucks man. That is not a normal thing to pay. RIP.
Joel (teknogeek) (02:04.878)
Yeah, it's a little bit ridiculous, but I was able to find a pretty good deal, so all things considered. I think it's worth it, you know. I do have the special glasses, you know, I've got these special glasses so you can look at the sun and stuff. They're basically like paper welding goggles, you know?
Justin Gardner (@rhynorater) (02:11.69)
You got like the goggles or whatever, the glasses that you need for it?
Justin Gardner (@rhynorater) (02:18.29)
Nice. Cool. I have a vested interest in you being able to see, so please protect your eyes.
Joel (teknogeek) (02:28.407)
Me too, me too. I would, yeah, I'm not gonna stare directly at the sun. Don't stare directly at the sun.
Justin Gardner (@rhynorater) (02:35.324)
Great. Well, what if you stare directly at the moon?
Joel (teknogeek) (02:39.25)
Okay, well, uh... I am... I am... Yeah, don't stare... well maybe you can stare directly at me, I don't know.
Justin Gardner (@rhynorater) (02:42.896)
Haha, gotcha on that one, didn't see that one coming, did ya? Oh my gosh dude, okay. Alright, alright, well we'll leave that up to the experts in, you know, astrology and we'll get back to our lane, which is Bug Bounty. Where do we want to start out today?
Joel (teknogeek) (02:55.69)
Yeah, exactly.
Joel (teknogeek) (03:02.994)
Yeah, so there was this really cool event that I saw. YesWeHack is running. We're in. It's over now, I think. They ran a live hacking event with Louis Vuitton, which is super cool. Where was this event?
Justin Gardner (@rhynorater) (03:11.382)
Dude, I saw that.
Justin Gardner (@rhynorater) (03:22.966)
You know, I imagine it was, I believe it was Paris. Yes, it was in Paris. And I saw, you know, I talked to a couple people that went to the event and saw the pictures online and it looks pretty freaking well done, you know?
Joel (teknogeek) (03:26.561)
Okay.
Joel (teknogeek) (03:37.034)
Yeah, it's pretty exciting. I don't know if YesWeHack has run an event before. Have they run live hacking events or is this their first one?
Justin Gardner (@rhynorater) (03:43.786)
I think they have done a couple, but I think this is the one that like, for me, this is the one that put them on the map with regards to like live hacking events. Cause it's like, there've been some small ones here or there, but Louis Vuitton is a pretty cool target and you know, it's in Paris and the, the pictures are really good. The swag looked really good. It looked like an awesome time.
Joel (teknogeek) (04:00.417)
Yeah.
Joel (teknogeek) (04:08.39)
Yeah, I mean it looks really sick, so I'm hoping to see more events from the team, but it's cool to see such a large like Non-traditional brand doing an event like that. You know I'm sure That other fashion brands and stuff are gonna see that and maybe hopefully get interested in doing security events would be super cool I know there's so many luxury brand lovers in the bug bounty hacker scene
Justin Gardner (@rhynorater) (04:30.914)
Dude, the swag, the swag for that, for that like event, just, ah, imagine having like a custom Louis Vuitton, like freaking jacket that they've got there. I don't even know. So I haven't even gotten confirmation. I imagine that this is the case, but I haven't gotten confirmation that those are actually Louis Vuitton jackets. Like, but.
Joel (teknogeek) (04:42.026)
So sick.
Joel (teknogeek) (04:54.282)
Yeah, I don't know.
Justin Gardner (@rhynorater) (04:56.822)
I don't know, the concept is still pretty cool. If it was actually a Louis Vuitton jacket, I would absolutely fly out just for that. You know, like.
Joel (teknogeek) (05:04.25)
For sure, for sure. Yeah, I mean, super cool, right? Like once, like one time, super epic swag like that is that's super cool. It's such an enticing, enticing opportunity.
Justin Gardner (@rhynorater) (05:15.106)
Yeah, so dude, I'm not normally the one to do stuff like that too. I normally look at this like pretty from like a business perspective, like, okay, you know, I'm going to have to spend.
whatever, however much on flying Mariah out and gonna go out to the event, that sort of thing. The opportunity cost of hacking on other programs when the boundings aren't quite as high, that sort of thing. But I feel like there's a special niche of swag that's pretty different, which is something that holds mainstream sway, like Louis Vuitton, right? But I feel like if it was like, all right, we'll give you like a...
Joel (teknogeek) (05:41.772)
Yeah.
Justin Gardner (@rhynorater) (05:50.302)
I feel like I might do it for a custom laptop or something like that, but also Louis Vuitton jacket, that would be really rad. I didn't really put myself in the category of hackers that would go to a live hacking event just for the swag, not considering the bounties and that sort of thing. I probably wouldn't spend a bunch of time on the program if the bounties weren't great, but I would definitely go and hack for at least a couple days for that.
Joel (teknogeek) (05:59.816)
Yeah, yeah, exactly.
Joel (teknogeek) (06:17.586)
Yeah, for sure. I mean, absolutely. You know, hey, if Louis Vuitton wants to send us invites next time, that'd be... I'll for sure say yes.
Justin Gardner (@rhynorater) (06:23.934)
Yeah, well, I need to go make a YesWeHack account, because I don't even have a YesWeHack account.
Joel (teknogeek) (06:28.914)
Mmm. Yeah, that's true. I don't think I have any there. That's probably not really helping my chances
Justin Gardner (@rhynorater) (06:33.414)
Yeah, yeah, I think we gotta, you know, do something here to get to get on the board. But yeah, I was looking at the results. I dropped that tweet in the in the doc Joel, but the results for that live hacking event are up and man dude, Team Spain, they are just crushing it with almost all of the all of the awards at this event went to Team Spain.
Joel (teknogeek) (06:39.05)
I'm kidding.
Joel (teknogeek) (06:51.939)
Krishna.
Joel (teknogeek) (06:58.11)
Yeah, it looks like they work together, the three of them, because they all have the same number of reports. But yeah, they really crush it. And our boy Nagli, of course, right, not far behind them. It's interesting that they won first, second, third, because their points are different, even though they all have the same number of reports and stuff. I'm not really sure. Maybe it's just the severity. I'm not really sure how the reporting structure works over there. But.
Justin Gardner (@rhynorater) (07:06.657)
Yep.
Justin Gardner (@rhynorater) (07:14.438)
Oh yeah? Oh, check that out. Yeah, just buy a couple.
Joel (teknogeek) (07:24.394)
I would have expected that they would have been tied for first. I think technically now they actually got second if you're ignoring the points.
Justin Gardner (@rhynorater) (07:29.83)
Exactly. Yeah, yeah, I don't know. What do you think about this? What do you think about like a points-based leaderboard? Because I think that was something that Hacker One did away with really quickly.
early on in the live hacking event game as they were kind of figuring that whole thing out. And I think pretty much every other bug bounty platform makes that, in my opinion, mistake of doing it based off of points in the beginning rather than doing it based off of money. But then we've seen the other, we've seen bug crowd and integrity both come around on that and sort it by money now. So I'm kind of curious as to why YesWeHack isn't doing that.
Joel (teknogeek) (08:08.222)
Yeah, I don't know. I'm not sure why they did it, but it's an interesting approach. I think HackerOne didn't like the gamification aspect of it, where a lot of people were just finding ways to gamify that to get on the top of the leaderboard, where bounty amount is usually a direct correlation with impact. So higher bounties, higher impact, that's a pretty good way of measuring and having a scoring mechanism.
Justin Gardner (@rhynorater) (08:16.713)
Mm-hmm.
Justin Gardner (@rhynorater) (08:29.159)
Mm-hmm.
Joel (teknogeek) (08:38.314)
But even on the Hacker 1 leaderboard, you see that there's other ways of sorting it too. Like they have sorting by like number of reports and number of results and like that kind of stuff too. So it's not all exclusively just money, but I think that money is a pretty good way of measuring it. Maybe the points are their same sort of thing.
Justin Gardner (@rhynorater) (08:56.21)
Yeah, yeah, maybe so. It definitely depends. I mostly just pay attention to the bounty amount ones, but then there's also that aspect of like, okay, well, when you've got a tallying bounty amount total, and you have...
sorting by bounties and you know there are those people that are like Nagli that write the scripts and are like alright Justin just got a 15k bounty alright note that down in my little notebook. Like I don't know why he does this but he is like freaking bounty intelligence agency because you can be like alright Nagli how much did you know Justin make at
Joel (teknogeek) (09:22.208)
Yeah, yeah.
Justin Gardner (@rhynorater) (09:36.118)
the PayPal event in 2023 and he'll give you like the number within a 10% plus or minus somehow every time. I was like, how do you know that?
Joel (teknogeek) (09:43.274)
It's pretty crazy. Like he really is like tracking it somewhere somehow because he definitely like has a lot of data on that stuff. Like I remember one time we were in our Discord and we were chatting. We were like, he was like, oh, I know how much everybody's made, you know, like with their total bounty amounts. So I was like, what's mine? He's like 10K off. I was like, whoa.
Justin Gardner (@rhynorater) (09:55.001)
Mm.
Justin Gardner (@rhynorater) (10:05.394)
Oh wow, okay. Geez, Natalie, man. He's definitely got some data. And you know, that's one of his things, you know, his data. So it's on brand, but creepy nonetheless, I must say. Yeah. But yeah, I did, so shout out to Team Spain. They did awesome. Shout out to Piku Haku or Haku Piku, depending on where you are in the, you know, if you're on Discord or on...
Joel (teknogeek) (10:16.022)
Yeah, a little bit, a little bit. The Nagley Intelligence Network, you know.
Justin Gardner (@rhynorater) (10:35.126)
Twitter. They got best dressed bug, biggest impact, that's pretty awesome. And yeah, looked like an awesome event for sure. Very cool.
Joel (teknogeek) (10:46.09)
Yeah. What's so what is this? What is a little this little note underneath? What you have some insider? You have some insider information?
Justin Gardner (@rhynorater) (10:51.542)
Oh, okay. Yeah, so I do have some insider information. So I will, you know, normally if it's Nogli, I'll throw Nogli under the bus. This one was not Nogli, but I did talk to a couple other people from that event. And one con that I can say about that event is the top earners were not actually earning very much. The bounties were not awesome for that event. So I can say roughly,
it assuming the data is accurate and I probably should double check with Nogli because he's got good data on all this stuff too. But it seems like quite a bit off. Like it could be somewhere between one fifth to one tenth of what a top earner at any given live hacking event is making or any given hacker one live hacking event is making. So that's a little bit.
Joel (teknogeek) (11:23.714)
Hehehehehehehehe
Joel (teknogeek) (11:38.522)
Interesting. Do you know why that was? Was it Bounty Table or...?
Justin Gardner (@rhynorater) (11:42.626)
Bounty table. I mean, I think it's got to be a combination of bounty table and scope, but I know that there were some exclusive crits that were paid out, you know, one person crits or whatever, but I believe that the bounty table for that event was not very high, and that's why, you know, it's a little bit discrepancy between Hacker One's life hacking events and something like this.
Joel (teknogeek) (12:08.709)
Super interesting.
Justin Gardner (@rhynorater) (12:09.726)
Yeah, so that, but I mean, they're making it, like we said, they're making up for it with the crazy, you know, target and the crazy swag. Cause like, how sick would it be to be like, I just was spent the weekend hacking Louis Vuitton. It was pretty rad.
Joel (teknogeek) (12:21.226)
I know right it's super cool. It's super cool. I love I mean there's that's always like one of the really cool aspects of the Lot to LA cheese is like the name aspect and like getting to hack these big companies and stuff. Yeah
Justin Gardner (@rhynorater) (12:30.402)
Hmm. Yeah. All right, dude, let's jump over to the browser market share stuff because this is a really interesting topic that we were having a discussion around in the Discord recently. And so I went and like double clicked on it a little bit and figured out some details. And I highlighted the interesting ones there in the doc, Joel. So I feel like a lot of people throw around this number of like Safari having a decent amount of market share.
in the browser space, because if you look it up, it says like 18 point, yeah, second most used browser, 18.5%. And they still have not adopted same site, lacks default, so this really affects, you know, C-SERVs. But if you look into it a little bit more, and you look at the breakdown for this.
Joel (teknogeek) (13:00.426)
Yep. Yeah. It's like the second most used browser, right? Yeah.
Justin Gardner (@rhynorater) (13:22.994)
you know, there's desktop users and there's mobile users. And maybe I'm just thinking about this wrong, but desktop users only have, Safari only has 8% of desktop users. And they have 24% of mobile users, right? Which makes sense because iOS is kind of a bigger platform on mobile for sure. But I feel like a lot of the apps that we hack are like not something that you casually log into on your phone.
Joel (teknogeek) (13:35.106)
That makes sense.
Justin Gardner (@rhynorater) (13:53.384)
Maybe I'm off with that, because I know that the statistics are pretty high on like...
70% of web traffic is mobile or something like that. But I feel like when we're reporting stuff to this business analytics platform or something like that, I feel like people aren't gonna be logging in on their phone and being like, all right, let me run this report, and that sort of thing. So I feel like knowing what kind of target demographic your website that you're hacking has, and then being able to give them browser-specific exploits and numbers on that could be a helpful thing. What do you think about that?
Joel (teknogeek) (14:14.433)
Mm-hmm.
Joel (teknogeek) (14:27.538)
Yeah, that's a good call out. I mean, I think it is good to sort of break it down into the desktop and the mobile stuff because the total stats, it always catches people off guard when you tell them, oh, why don't you tell me in order, what are the top three browsers? And most people are gonna say, oh, Chrome, Firefox, Safari or Edge. And you're like, nope, Chrome, Safari, Edge. And they're like, what? You know?
Justin Gardner (@rhynorater) (14:37.135)
Mm-hmm.
Justin Gardner (@rhynorater) (14:42.236)
Mm-hmm.
Justin Gardner (@rhynorater) (14:45.383)
Mm-hmm.
Justin Gardner (@rhynorater) (14:48.854)
Mm-hmm.
Joel (teknogeek) (14:54.67)
I mean Safari as a whole almost has 20% of the market, but the reality is that it's mostly mobile people Using iPhones because there's so many iPhones and they don't use an alternative browser. They just use Safari That they have that large share whereas Android, you know The default browser is Chrome and the browser most people use on it on Android is Chrome, which is why they have such a high Mobile share plus I mean I use iOS but I use Chrome on my phone As my browser. Yeah. Yeah, I think a lot of people do
Justin Gardner (@rhynorater) (15:03.561)
Mm-hmm.
Justin Gardner (@rhynorater) (15:20.23)
Oh really? Hmm.
Joel (teknogeek) (15:24.598)
So it is really interesting and I think that's a good idea. You should always be framing your write-ups and your POCs and your bugs and stuff to try and show the most impact for whatever company you're hacking on. So I think also targeting more people, if this is a mobile specific website, then more people are gonna be likely to be using Safari than they would on desktop. And if there's a Safari specific vulnerability that you can take advantage of, same site lacks, no default same site.
Justin Gardner (@rhynorater) (15:34.946)
Mm.
Justin Gardner (@rhynorater) (15:53.058)
Mm.
Joel (teknogeek) (15:54.102)
you know, setting then, yeah.
Justin Gardner (@rhynorater) (15:55.506)
Yeah, yeah, I think that makes a lot of sense. And 25%, that's a pretty decent chunk of mobile traffic. So if you are focusing on a site, like you said, that has mobile presence, then that's very significant. And not something that I was super...
well acquainted with before. But one thing that I wanted to shout out as well from looking at the statistics was like, Firefox, if you look at the total market share, has only a 2.8% presence. And it's.5% in mobile, right? So nobody is using Firefox on mobile. Yeah.
Joel (teknogeek) (16:32.414)
Yeah, I don't know anybody who uses Firefox mobile browser and I will say like I think a lot of more people used Firefox back in the day It was a lot more popular of a browser but then chrome like rocketed past it after a while after it sort of like gained popularity and gained a lot of features and stuff and then Firefox surged a little bit when they did the quantum or whatever like the they rewrote their
Justin Gardner (@rhynorater) (16:47.199)
Yeah.
Justin Gardner (@rhynorater) (16:58.687)
What?
Joel (teknogeek) (16:59.894)
Firefox rewrote their engine to be super fast and optimized. And that gave it a performance edge on Chrome. And I think that surged their popularity. But now there's so many browsers. You see Opera, right? Opera is now, I would say, a marketing heavy browser, where they're on social media a lot. They sponsor lots of YouTube channels and stuff. And you can see they have almost the same market share as Firefox does now.
Justin Gardner (@rhynorater) (17:03.34)
Really.
Justin Gardner (@rhynorater) (17:13.323)
Yeah.
Justin Gardner (@rhynorater) (17:23.01)
2.5 percent.
Justin Gardner (@rhynorater) (17:27.759)
I would have never thought that. That was why this is crazy to me. It was like, opera has the same presence and more presence on mobile than Firefox does. But Firefox still has 6% of desktop.
Joel (teknogeek) (17:35.467)
Mm-hmm.
Justin Gardner (@rhynorater) (17:42.69)
users, which I thought was a little bit higher than expected. So there is, you know, it's still a little bit hard to sell that because, you know, Firefox isn't doing same set lacks either despite, if you Google it, it says they are, but they rolled it back apparently, I found out recently. And it's...
Joel (teknogeek) (17:57.707)
Interesting.
Justin Gardner (@rhynorater) (18:02.086)
So 6% of users, I feel like that might be a little bit of a tricky sell if you're trying to talk about it in a report, but if you can combine it with 8% from Safari and the 25% on mobile, there's a decent amount of users that potentially could get affected by a same site.
Let me see if I can say this properly. A cross-site attack, right? A CSURF attack without, you know, these same site lacks default protections in place. So I don't know, it's just helpful to have the numbers and be aware of these sort of things. You know, 15% on desktop, 24% on mobile. Not insignificant numbers. But I think this is also a really good statistic for the people on the program side as well, because as much as I hate to put, you know,
Justin Gardner (@rhynorater) (18:48.84)
hands.
Joel (teknogeek) (18:49.79)
Yeah, that's exactly what I was gonna say. You know, like, the reality is that when programs come back with these, you know, if anybody reports something that's like, oh, this only works on Edge, or this only works on Firefox, then.
Justin Gardner (@rhynorater) (18:52.116)
Yeah.
Joel (teknogeek) (19:04.242)
You know, you can't really be surprised when they're gonna put a damper on the severity or they're gonna lower your bounty or whatever because if you look at the raw numbers, if it's not affecting Chrome, like, well, we'll start there. If it's not affecting Chrome, then it's already like missing almost half of the market. And then if it's not affecting, yeah, right. And then if it's not affecting, you know, Safari or Edge, then that's...
Justin Gardner (@rhynorater) (19:19.71)
in the minority.
Justin Gardner (@rhynorater) (19:24.256)
More than half, yeah.
Joel (teknogeek) (19:32.054)
the other like third. And that, yeah, I mean, you're basically at, you know, 10% or less of the market. So it's a very, very difficult case to make, but you can still report it nonetheless. I think programs will still fix it. It's just gonna be way lower.
Justin Gardner (@rhynorater) (19:33.711)
Yeah!
Justin Gardner (@rhynorater) (19:46.718)
Yeah, yeah, I think so too. All right, dude, I'm gonna tell you a story from this week of bug bounty hunting, because I was, let's see, how vague do I wanna make this? I wanna make this pretty vague, I think. I was signing up for a service that I will use, that I am using on a regular basis, that has a bug bounty program that I'm aware of, and that, let's say within the past year and a half, there has been a live hacking event.
Joel (teknogeek) (19:56.173)
Okay.
Justin Gardner (@rhynorater) (20:14.734)
on this target and they're they got a lot of reports and a lot of eyes it was a pretty big one you know um and I found a bug uh while I was signing up for this service that was just like
Joel (teknogeek) (20:16.183)
Okay.
Justin Gardner (@rhynorater) (20:30.674)
right in front of me. You know? So one, and I looked back in my logs and I looked at this endpoint before and I missed it. I missed this exploit. And what it was is this, it was a part of the OAuth flow. And it was just a classic example of being able to use the at sign to bypass host restrictions on the redirect URI. And it...
Joel (teknogeek) (20:32.032)
Hmm.
Justin Gardner (@rhynorater) (20:57.158)
They weren't allowing slash in that username password section on the left side of the app. They weren't allowing backslash. They weren't allowing hashtag. They weren't allowing a bunch of stuff. But they made the mistake of allowing a question mark in there, which makes it a part of the query. And they were still parsing it as if that part that was following the ad sign was the domain rather than the part before. So that allowed me to just completely hijack the account.
and it had to be sent to the root of my domain, which is a little tricky, but I had to go in there and edit my index.php page or whatever. But yeah, making sure, being thorough with these sort of things when you're testing these, trying the at sign, trying the question mark, the hashtag, the forward slash, the back slash, all of the terminating characters, really important because sometimes you get that one that just works.
Joel (teknogeek) (21:37.026)
That's super interesting.
Joel (teknogeek) (21:55.982)
So this was in a username and it would allow you to like do like basically like to do like a forgot password, but it would send it to the wrong place.
Justin Gardner (@rhynorater) (22:02.656)
No, no, totally different, sorry. So it was an OAuth flow, right, with the redirect URI, so, you know, where it sends the code to you afterwards. And it's using the username and password.
Joel (teknogeek) (22:06.954)
Yeah.
Justin Gardner (@rhynorater) (22:15.358)
part for basic auth of the URL. So you can do like, you know, you can do like HTTPS colon slash test at Google.com and it'll still send it to Google.com. But if you do test question mark at Google.com, then it'll send it to test. Right? And so that was how I sort of broke that auth flow. And they still said, okay, this host is...
Joel (teknogeek) (22:18.591)
Oh.
Joel (teknogeek) (22:25.066)
Yep.
Joel (teknogeek) (22:31.786)
Yeah. Yep.
Justin Gardner (@rhynorater) (22:39.734)
whatever host it was, but actually my domain was before the at sign, terminated by a question mark there, and so the actual browser navigated to my domain with the valuable code that can be used as the session token. Yeah. I'll tell you afterwards. Yeah. It's kind of annoying that I missed it before, but I was like, oh, someone must have found this, and they just
Joel (teknogeek) (22:53.794)
Gotcha. That's super cool. That's a cool bug, man. You'll have to tell me who was on after we finished recording.
Joel (teknogeek) (23:06.498)
Do you think it was there the whole time? Okay. Oh wow.
Justin Gardner (@rhynorater) (23:08.742)
Oh yeah, it was there for sure. I have validation that it was there. But yeah, it just somebody, we all missed it. And it's like, oh my gosh, I can't believe that happened. So yeah, kind of a crazy, crazy one from this week.
Joel (teknogeek) (23:19.982)
Wow. That's freaky. Cool. I saw that you made a tweet about Kaido workflows. Finally.
Justin Gardner (@rhynorater) (23:30.162)
Yeah, dude. Okay, so check this out. Kaido is dropping global workflows this week. Probably by the time this airs, but if not, shortly after.
And what this means is that you will be able to build workflows and then reuse them across different projects, which is something that I feel like should have been there from the very beginning, but is something that the community has been asking for a little while. And it's really helpful because you can build out these automations that make your hacking workflows much more efficient. And so I'm really looking forward to that release. Plus, they're easy to share now too.
thanks to even better from Bebex. And I wanted to shout out as well that I, in conjunction with the announcement that this is gonna be in the next release, we saw a bunch of pull requests go into the Kaido slash Workflows repo on GitHub for a bunch of really awesome things like generating a CSRF POC, like doing something that should have been in birth since forever, which is
to form data and form data back to JSON encoding for the request body. And these are all done by Ryota. And so definitely very high quality code. And it's good to see another top hacker investing into the Kaido environment.
Joel (teknogeek) (24:46.561)
Yeah.
Joel (teknogeek) (24:53.454)
Cool.
Joel (teknogeek) (25:03.986)
Yeah, this is really awesome. It's cool to see that there's a community, sort of like a way to contribute these and share these with other people and create a really awesome base of different workflows and show what's possible, et cetera. So yeah, this is really, really cool.
Justin Gardner (@rhynorater) (25:17.338)
Mm.
Justin Gardner (@rhynorater) (25:22.59)
Yeah, previously you could export them and stuff like that and then reimport them into different projects, but it was kind of a pain. So having these be global, I think will be really helpful.
Joel (teknogeek) (25:29.11)
Yeah.
Joel (teknogeek) (25:33.226)
Super awesome.
Justin Gardner (@rhynorater) (25:34.054)
So yeah, and we've been seeing a lot of it more investment into the Kaido environment lately, which is cool. I'm definitely excited about that and excited about building some stuff out. I've got a, I've got a topic next week for the pod that I'm going to talk about. Some ideas for a Kaido plugin that I want to develop slash maybe someone in the community will develop, who knows that I'm going to talk about. So we'll, we'll save that one for next week though. Um, dude, so.
Joel (teknogeek) (25:54.347)
Mmm.
Joel (teknogeek) (25:58.126)
Cool. That's awesome.
Justin Gardner (@rhynorater) (26:01.95)
I was going back through my bookmark tweets in prep for this episode and I saw this tweet from November 2023 and it was when we were talking about like doing like OAuth app redirects or OAuth redirects to app schemes and this dude comments on it and he says, at TechnicGeek here instead of a malicious app installed a user could directly steal the token to their
is allowed. Okay, so it's a little bit, a little bit, I haven't read it out loud yet. But essentially what he's saying here is that if you can control any scheme for an app, then you could just trigger Google Chrome and then Google Chrome has this Google Chrome colon slash navigate question mark URL equals. That will navigate Google Chrome to that specific URL. And
So, I don't know, what do you think about this? Do you think this is something useful to use in a chain from a mobile perspective?
Joel (teknogeek) (27:05.738)
Yeah, so like I said, I think Chrome is the default browser on Android now. So this does kind of assume that Chrome is installed, but it probably is, I think, in most cases. That's not to say people haven't downloaded Firefox or some other opera or whatever on their phone, but I think probably in most cases. I'd really like to see the breakdown actually by OS for mobile for what the browsers are, because I'd imagine like Android is probably very, very high percent using Chrome. That being said.
Justin Gardner (@rhynorater) (27:11.7)
Yeah.
Justin Gardner (@rhynorater) (27:33.415)
Oh yeah.
Joel (teknogeek) (27:36.91)
There are definitely some good cases to use this. So if you were to just open HTTPS, by default the system is gonna use your browser or it's gonna prompt you to use any app that can open browser links. So it does almost the same thing, but I think if there's some sort of check, for example, like say the app is checking where a link, any link that gets opened, what's the scheme on it?
Justin Gardner (@rhynorater) (28:03.124)
Mm-hmm.
Joel (teknogeek) (28:03.686)
And if it's checking for HTTP and HTTPS and doing some extra logic there, you could bypass that with Google Chrome. If you instead just link out directly to the Google Chrome app and then have that open the URL for you, you don't have to worry about the app logic trying to prevent you from going to a certain URL or parsing the host or something like that if it's looking at the HTTP schemes. But yeah, I think this is a really creative way of sort of implicit.
Justin Gardner (@rhynorater) (28:10.01)
Mmm.
Justin Gardner (@rhynorater) (28:15.71)
Ah.
Joel (teknogeek) (28:32.498)
It's not really open reader. It's like an implicit open redirect kind of thing. You know what I mean? Yeah, it's a gadget. It's a good gadget
Justin Gardner (@rhynorater) (28:36.207)
It's a gadget, you know? It's a gadget for mobile stuff for sure. Yeah, I hadn't really.
Of course, you know, you could just use the HGP, HTTPS scheme. That, that makes sense too, if any scheme is being permitted. Um, but yeah, like you said, if there's restrictions around those, then that, that could be interesting. I wish there was some way in mobile for you to do something like what we just talked about for the other awa thing, where it's like, you know, I could do. Whatever at Google Chrome colon slash navigate question mark, URL equals blah, blah. You know, that would be really cool if there was some way to like, essentially
Joel (teknogeek) (29:05.961)
Mm-hmm.
Justin Gardner (@rhynorater) (29:12.096)
trash some text.
Joel (teknogeek) (29:14.446)
So there are some ways. One of the ways not pre, yeah, so basically you would have to start with the same scheme. Like you would have to be like Google Chrome colon slash and then the parsing problem. But there are some ways to do it. I believe Baggy Pro's golden URL tricks report that's published. Yeah, we talk about this one all the time. But I'm fairly certain there's some tricks in there that still work for this type of host like.
Justin Gardner (@rhynorater) (29:19.242)
but not prefix text, right?
Justin Gardner (@rhynorater) (29:27.318)
Yeah.
Justin Gardner (@rhynorater) (29:32.99)
Mm, mm, we talk about this all the time. Ha ha.
Joel (teknogeek) (29:43.03)
parsing problems with backslashes and ads and stuff.
Justin Gardner (@rhynorater) (29:46.142)
Hmm. Yeah, that will have to have to double check that. I feel like I can't read this, you know, write up by Baggy Pro enough times, like every time I come back to this, like the gift that keeps on giving or something like that.
Joel (teknogeek) (29:54.082)
Yeah, we'll leave a link for it.
Justin Gardner (@rhynorater) (30:02.99)
But yeah, I think that could also be another really interesting area of research is like, let's look into the Android scheme parsing. I mean, we have the source code, so we could just look at source code and see how that works specifically if there's any way for us to.
and put some text in there, get it parsed as a different part of the scheme or something like that, that would allow us to do something with a starts with. Because I feel like a lot of these redirects for mobile are like, okay, starts with Google Chrome, if that was what it was redirecting to, or starts with Snap or whatever. And then if it does, then they're like, all right, whatever.
So if you could find a way to redirect to a different scheme, like the Google Chrome scheme, then you could exfiltrate out pretty much anything you want via those OAuth flows, which would break a ton of websites. Yeah.
Joel (teknogeek) (30:55.178)
Yeah, no kidding. Yeah, absolutely I saw this really cool thing on Twitter while we're talking about Twitter I think a lot of this stuff today is from Twitter, but You mentioned that there was this guy who's been doing a really awesome self documentation self blog type of thing of Your bug bounty method all this is the methodology that you tweeted a long time ago, right?
Justin Gardner (@rhynorater) (31:02.36)
Mm.
Yeah.
Justin Gardner (@rhynorater) (31:15.653)
Yeah
Justin Gardner (@rhynorater) (31:21.129)
So.
Yeah, sort of. So I won't take full credit for this. As far as like, oh, you know, this guy and I'm, I'm sorry, dude, I'm going to butcher your name, but it's Shreyas Shraeshavan. And essentially what they did is they did one of these really cool detailed write ups that we talk about from time to time on the pod. But essentially, he's saying the roadmap I followed to make 15k in bounties in my first eight months.
Joel (teknogeek) (31:32.654)
Shre- Shreyas? Yeah.
Justin Gardner (@rhynorater) (31:51.346)
starting from zero. And if you look at the Notion site that he links out to, very detailed, you know, he's got exactly how many hours he spent each month, how many days he worked, how much bounty he's got, how many reports he submitted, number of programs, et cetera. And just very, very detailed stuff. And you know, I won't say that this is like the best.
pathway that someone could have taken. You know, in my opinion, if you read through his actual roadmap, I think there's a lot of things in there, there's a couple things in there that I wouldn't necessarily agree with. But one of the things that he does,
Mention and he doesn't give me credit for this specifically. So I'm not trying to steal credit for this just to be clear Although he does shout us out at the in one of the tweets at the bottom of the of the readup Is this whole concept of making sure you're doing enough hacking? While you're learning so he talks about this concepts of 60% hunting 40% learning 80% You know hunting 20% learning, you know making that shift as you're continuing to grow and this is something that I'm telling people in this
Joel (teknogeek) (32:51.022)
Mm-hmm. Yeah.
Justin Gardner (@rhynorater) (33:04.696)
ctpb discord all the time that are new that message me and are like, Hey, what do I do? You hack you get out there and you fail and you fail and you fail and you fail. And you look at that as a part of your training because it is. And eventually you can only bang your head into a wall for so long and before the wall breaks down. So yeah.
Joel (teknogeek) (33:23.762)
Yeah. Yeah, I mean, being failure-averse is like good, but you also have to learn when it's productive, right? Like to fail. And so, you know, getting that hands-on experience is really important and like trying stuff.
Justin Gardner (@rhynorater) (33:36.726)
What do you mean by that? What do you mean by being failure averse is good?
Joel (teknogeek) (33:41.59)
Well, I think there are lots of areas in life where being failure-averse is even life or death, right? For example, driving a car. If you take the wrong turn or you turn at the wrong time, that could be potentially fatal. In bug bounty, if you take the wrong turn, it's not fatal. That's a learning experience, and that's something that could be useful, but it can also be a really big time sink. So...
Justin Gardner (@rhynorater) (33:48.674)
Mm-mm.
Justin Gardner (@rhynorater) (34:02.433)
Mm.
Joel (teknogeek) (34:10.03)
Training yourself to be able to identify those situations and spend time failing so that you can better identify when something is not necessarily a failure or when you can trust your gut or not trust your gut like we talked about last week. You know, there's a lot of aspects of bug bounty where failing can be good or can lead you to find other things that, you know, maybe gadgets or things that are just like, you know, useful to know. But it's important to push yourself to go into those areas, even if it might not feel comfortable, even if you think that you are gonna fail.
Justin Gardner (@rhynorater) (34:22.949)
Mm-hmm.
Joel (teknogeek) (34:39.618)
just because there might be more there than you realize.
Justin Gardner (@rhynorater) (34:43.378)
Yeah, I thought I disagreed with you on that, but I think I do agree. You know, there are areas where it's do or do, you know? But I think bug bounty is an area where, and I think most skills that you're trying to learn rather than actions you're trying to perform like driving a car or something like that, should be, failure should be looked at as almost a celebration of having
done the thing in the first place, you know? And as a part of the process, 100%. And so I think that for people like me who are essentially success obsessed, I am very driven by success and the feeling of achievement.
I think it's really hard to reframe that, but if you can, then it will help you push through those beginner stages, which I think is what deters almost everyone. Because those beginner stages can be really difficult when you're failing and failing and failing and failing.
Joel (teknogeek) (35:48.886)
Yeah, for sure. And I'm the same way, you know, I don't think anybody really likes to fail. But you can learn to, you know, sort of fail elegantly or, you know, take it not as a failure, but as a learning process.
Justin Gardner (@rhynorater) (35:53.057)
Yeah.
Justin Gardner (@rhynorater) (35:58.105)
Mm.
Justin Gardner (@rhynorater) (36:02.014)
Yeah, for sure. A couple more things I wanted to shout out on this write-up. One, I just appreciate the commitment to it, you know, how much detail went into recording all this stuff and then putting it on a public page where people can benefit from seeing your consistency and to achieve your goals. And I also want to highlight that around nine months in, he started in July, he did this in...
wrote this up in March, he's starting to actually see some good traction. Last month he made 14 grand from Bug Bounty. And this is very, it's not.
Consistent with that write-up that I that I did on my that's pinned to my Twitter profile In that he should have been seeing sort of increasing amounts of bounties as he continues to go over the past couple months, but He is seeing his first five figure month About nine months in you know eight to nine months in which I think is About accurate. I think you could get to the point where you're making
Joel (teknogeek) (37:03.638)
Right? Yeah.
Justin Gardner (@rhynorater) (37:13.382)
you know, five figures a month in Bug Bounty after really, really working your ass off for nine months. Yeah.
Joel (teknogeek) (37:19.914)
Yeah, which is a really good reality check too. I think a lot of people don't really, they think like, okay, I'm gonna read some stuff for a month and then I get bounties next month, right? It's like, nah, not really.
Justin Gardner (@rhynorater) (37:28.692)
Mm-hmm.
Justin Gardner (@rhynorater) (37:32.422)
Yeah, yeah, there's definitely going to be, you know, small bounties and failures along the way. But
Seeing these sort of write-ups are, with transparent details, really, really encouraging, especially when it's been such a long process for this, I mean this is 600 hours put into this thing. So, definitely applaud this person's commitment. And yeah, man, if I could long a person, you know, if I could invest into a person, I would be willing to bet that this person's gonna make a chunk in Bug Bounty in the future. And, and, and.
Joel (teknogeek) (38:03.283)
That's awesome. That's high praise from you. That's awesome.
Justin Gardner (@rhynorater) (38:07.066)
Yeah, yeah, man, I can see the writing on the wall for sure. And another piece of that was that he said, Hey, I'd write, you know, a step nine of his process, I'd recommend reading at least 1000 of the hacker one reports. Yeah, I don't even know how many hacker one reports are there, you know, I don't even know. But he said that he went through and read a bunch of them. And I think that takes a lot of commitment to go through and read a lot of those.
Joel (teknogeek) (38:31.254)
I will say Disclosed Hacker One reports are like free blog posts. You know, it's a really good resource for just understanding how other hackers think and what stuff leads to vulnerabilities and why it's impactful. Especially when there's good communication between the program and the researcher and stuff. It's really nice to see those kinds of examples that you can think about in your own communications and on your own reports.
Justin Gardner (@rhynorater) (38:34.708)
Yeah.
Justin Gardner (@rhynorater) (38:47.859)
Mm.
Justin Gardner (@rhynorater) (38:54.303)
Yeah, 100%.
And, and sort of in line with that, I kind of also want to recommend one other blog, uh, monkey hacks. Um, this is by Kieran. Um, and he's every, I read these every single week. He's, or every single time he sends them out, uh, sort of an update on his, uh, his a hundred hour bounty challenge. He's at 13 and a half K. Um, and he's got 63 hours left. So he's only, you know, 37 hours in. So he's doing pretty well. Um, but this is another person that's kind of doing, uh, an
update on a pretty regular basis. We mentioned Alex Chapman doing an update on a pretty regular basis of their bounty progress. So I really like this trend. I think it's encouraging for the community. Sweet. All right. Let's see what else we got on the list for today. Okay. So I'm going to jump to the last one real quick and then we'll come back. So.
Joel (teknogeek) (39:34.89)
Yeah. Yeah, I totally agree.
Justin Gardner (@rhynorater) (39:50.086)
Once again, going through the bookmarks on Twitter, super valuable. And I noticed this, yeah, it's helpful, man. You know, it's hard to go back through and, like, look at those on a fairly regular basis.
Joel (teknogeek) (39:55.414)
Yeah, I checked mine today by the way.
Justin Gardner (@rhynorater) (40:03.982)
Just because you forget but when you for me, you know when I'm in an environment where I'm like, oh let me try to You know deliver the most high-quality bug bounty content I can I that's a place for me to get data So it's nice. I really like that about prepping for these podcasts that I get to go back and sort of review that stuff
Joel (teknogeek) (40:20.086)
Yeah, for sure.
Justin Gardner (@rhynorater) (40:21.662)
And one of the nuggets that I found was a post from Portswigger Research just probably about a month ago. Yeah, a month ago. Announcing that they had a high quality contribution to the XSS cheat sheet by someone named Hans Machine or Hans Machine. And this is the use of the onFormData sort of event handler. And the payload is form tag, onFormData equals alert one,
tag, there's a button, and if you click it, it triggers on form data. Not something really super revolutionary, but cool nonetheless, might definitely get you past some laughs. But more so, Joel, I kind of wanted to talk about the process for this, because it's like, how do new event handlers get added into Chromium, or why are we just figuring out about this now? So I went on this tangent of like...
let me see how this happens. And here, well, Joel, do you know where it happens? Just to test your hacker knowledge. Okay, well, one of the, yeah, thank you for actually reading my document then. Um, um, uh, essentially what I discovered was one of the best places to see where this is happening is the Blink, uh, Blink Dev Google group. And Blink,
Joel (teknogeek) (41:26.27)
Well, I do now, but I didn't before.
Joel (teknogeek) (41:46.086)
Which blink is the code word for Chrome, right? Is that my correct?
Justin Gardner (@rhynorater) (41:50.826)
You know, I think it is the code word for Chrome's HTML, maybe not just HTML, it's renderer, which is, I'm not really sure.
Joel (teknogeek) (42:00.055)
Okay.
Yeah, yeah, here we go. Blink is the rendering engine used by Chromium.
Justin Gardner (@rhynorater) (42:05.862)
Okay, yeah, I think it's Chromium's rendering engine. And they do this awesome thing in this Google group where they will put like a post up and get comments from the community on any feature that they intend to ship. So they'll prefix the subject of the message to the Google group with intend to ship, blah And I'm just like.
Joel (teknogeek) (42:31.342)
Cool. Booyah.
Justin Gardner (@rhynorater) (42:32.618)
Perfect, you know, like that is exactly what I want to see. So for the critical thinkers in the CTPB Discord, I went ahead and added a channel, exclusive channel, that will give us an alert anytime there's a new update to this feed. And so we can stay on top of what...
things Blink is intending to ship and stay on top of what features we may be able to exploit in those new functionalities.
Joel (teknogeek) (43:04.138)
Yeah, it's super awesome. I mean, this is one of those really unique things that we are trying to provide to the critical thinkers as extra value for subscribing and being part of that community. And so if you want to be on the front edge of all those new features that are being added into Google and the rendering engine and new event handlers and all that kind of stuff and get the XSS before anybody else does, definitely go head over to the ctpbdiscord.gg
Justin Gardner (@rhynorater) (43:09.431)
Mm.
Justin Gardner (@rhynorater) (43:27.224)
Mm.
Justin Gardner (@rhynorater) (43:34.122)
Yeah, we've got that one or we've got ctbb.show slash discord. That one works too.
Joel (teknogeek) (43:38.102)
Yep, so either of those links, they should take you right to the server. And yeah, we have a new channel in there, Intent to Ship, and it's monitoring for those changes, which is super awesome.
Justin Gardner (@rhynorater) (43:48.54)
Yeah, it wasn't like something super hard to implement. And obviously you could just like subscribe to the Google group if you want, but they're going to like bomb you with emails because it's a very active Google group. So maybe you could set something up where it's like.
some fancy filter or something like that that's, I don't even know how you would do that, but I've got it all coded up and pushed into the Discord bot now. So quick win for any of you that are critical thinkers or past guest speakers that have access to that channel. I'm definitely gonna keep an eye on it. Dude, there's some really cool ones in here. I didn't actually put this in the doc, sorry about that, but I'll put it in Discord right now. Here, go to that link. One of the ones that was kind of interesting
Joel (teknogeek) (44:19.542)
Yeah, absolutely.
Justin Gardner (@rhynorater) (44:33.804)
was these regex modifiers that they're intending to ship, that they announced late March that they were intending to ship, where as a part of the regex, it looks like you can add a flag for various things like the I, the M, the S flags inside the actual pattern, making something like...
case insensitive and that sort of thing, which I feel like is pretty useful for regular expression injection. You see that?
Joel (teknogeek) (45:05.154)
super interesting yet and what's even more interesting is it seems like there's people who are on this on this like mailing list or whatever or who are like reviewing the stuff who work at other companies
Justin Gardner (@rhynorater) (45:15.145)
Mm.
Justin Gardner (@rhynorater) (45:19.014)
Yeah, yeah, there is, there's like some Shopify people and that sort of thing. Yeah, so I don't know if they've got this like, looks good to me one, looks good to me two, looks good to me three, you know. I wonder what, because the group is open to anyone, so I could just respond and be like, looks good to me, like some random dude, you know, like. Yeah, like, looks great.
Joel (teknogeek) (45:21.202)
Yeah, yeah. Yeah, super interesting.
Joel (teknogeek) (45:30.378)
Yeah, yeah, multiple checks and balances.
Joel (teknogeek) (45:38.558)
Oh, here we go with XC, XC round two.
Justin Gardner (@rhynorater) (45:44.71)
So yeah, but definitely a cool place to look around and read through. I know there's some CSS stuff that's being pushed soon regarding transitions. There's some, I don't even, some of this stuff is like way, like this one, declarative shadow DOM serialization. Like what's a shadow DOM? Like that sounds like super.
Joel (teknogeek) (46:06.749)
I it's the that's the secret Dom that runs all the other Dom
Justin Gardner (@rhynorater) (46:10.95)
Yeah, well, either that or something else, but yeah, it's... There's definitely some deep browser knowledge that could be gained from reading through these and kind of understanding how this whole process flows, so I thought it'd be a cool shout out.
Joel (teknogeek) (46:26.454)
This is always something that's fascinated me, how this stuff is, like where it's defined and how it's defined. And so yeah, this is super cool. I'm definitely gonna be doing some deep dives into a bunch of these different issues and pull requests and stuff and just figuring out how this stuff works.
Justin Gardner (@rhynorater) (46:41.707)
Yeah.
Alrighty, man. Last topic that I had today for today was I was just going to give you sort of like a rundown of the CDN CGI research that I was talking about from before that I said that I would do and I have somewhat done at a rare turn of events. You know, so all right, you know what, before we get into that actually, let's talk about that because
Joel (teknogeek) (46:58.182)
Yeah, yeah, absolutely. Okay. Wow. The turnaround. I mean, this is execution. Incredible.
Justin Gardner (@rhynorater) (47:13.188)
I just flicked that cup over there. I don't like that I just said that in a rare turn of events, I have followed through on the research that I would like to be doing. But I feel like it's hard as a book bounty hunter and as a full-time book bounty hunter to justify spending a bunch of time researching for zero days or something like that on a specific target when you do not have an application for that. Do you feel that? I mean...
Joel (teknogeek) (47:41.75)
Yeah, I mean, we talked about this because one of the things that we wanted to look at is kind of like this. Like one of the things we wanted to look at was a piece of software that I mean, there are everybody, a lot of people use it. So I'm sure we'll be able to find instances of it. But that being said, it is a huge time investment and energy investment into something that may or may not pan out. It doesn't have like an immediate impact at the moment.
Justin Gardner (@rhynorater) (47:50.707)
Yeah.
Joel (teknogeek) (48:08.226)
And it's also like longer scale research, but I think it's still worth it. I think depending on what it is and depending on how much time you spend on it, it can be really worth it. And it can be one of those things that, depending on how widely it's used, I think we talked about this. Imagine you find an XSS here today in Google Ads or Google Tag Manager, Google Analytics. Any of those things that are used on such a large percentage of the internet, you can imagine the impacts of that
Justin Gardner (@rhynorater) (48:29.175)
Mmm.
Justin Gardner (@rhynorater) (48:33.066)
Holy moly dude.
Joel (teknogeek) (48:38.134)
very broad and sweeping so that's probably a place to spend you know where your time investment is gonna be worth it, but If it's some really abstract tool that it's only used by one company You should probably be looking at that one company's bounty table and deciding if a zero day and this piece of software is gonna pay Off and be worth it
Justin Gardner (@rhynorater) (48:55.23)
Yeah, yeah, and I mean, like, a zero day in Cloudflare, I mean, once again, it would have large reaching impact, but it is a one place fix as well. Like, and sort of the motivation for, because we talked about it at the beginning of this year, you know, wanting to do some more research this year, so I was kind of reviewing that goal and being like, all right, you know, maybe I should lean a little bit more research heavy for the next couple months. And, yeah, like,
The things that have one location fix are probably not that great for us as book bounty hunters. Like if I pop something on CDN CGI.
I'm gonna feel super cool and it's gonna be super badass. But then I'm gonna, you know, even if I report it to like everyone, then it's gonna be like, okay, you know, Cloudflare needs to fix it because you can't even really put a laugh in front of a laugh, you know? Like, and so then Cloudflare is gonna fix it, it's gonna fix it for everyone and I'd probably just get the one bounty from Cloudflare, you know, because everyone else doesn't really have an actionable remediation step.
Joel (teknogeek) (49:47.966)
Right.
Justin Gardner (@rhynorater) (50:01.218)
And so, I don't know, maybe there's cool research there, maybe there's not, but I'll talk about the methodology nonetheless. So I wanted to see what are all the files that are available via this CDN CGI endpoint. And so I did something scary, and I went to Google BigQuery, and I queried the HTTP archive dataset, man.
Joel (teknogeek) (50:28.502)
Hopefully you used a prepaid card.
Justin Gardner (@rhynorater) (50:30.762)
Dude, okay, so does that not freak you out? Have you ever done that before?
Joel (teknogeek) (50:35.106)
that you can click a button and accidentally cost yourself like $500?
Justin Gardner (@rhynorater) (50:39.366)
not even $500 dude I read an article on this that was like I accidentally charged myself 14 grand and I'm like oh no this is terrifying but the response from like the Google Smee or whatever was like dude I'm so sorry this happened to you know it was very emotionally mature response to he was like you know I can't imagine what it must be like to you know see that number or whatever but for you to do this
Joel (teknogeek) (50:49.673)
Oh my god.
Justin Gardner (@rhynorater) (51:08.318)
you had to be pretty dumb.
essentially was, and he's like, for example, this is the query that would cost $14,000. And essentially he's like, select star on star, you know, it's like, it's like, why would you run that? And, and, and so, I don't know, it was a good cautionary tale for me, but I was like sweating as I pressed the run button and like trying to figure out exactly like how to optimize all this. But at the end of the day, I queried the whole HTTP archive for every, um,
Joel (teknogeek) (51:10.05)
YEEE!
Joel (teknogeek) (51:20.461)
Oh man.
Ugh.
Justin Gardner (@rhynorater) (51:39.809)
CDN CGI.
URL that I could find and I've been kind of piecing through them. There's some really interesting looking JS files there That are kind of small so pretty able to be parsed and stuff like that and I might drop the that whole list of Files into the CTP discord one of them once I'm done with the research just if anybody else wants to do some follow-up research But one of the ones that was most interesting was this whole
concept surrounding the email hiding feature of Cloudflare. And I went and I found a tweet by Masato Kinugawa, which I think we mentioned before on the pod about a XSS auditor bypass. So you remember when Chrome had like, yeah, XSS auditor?
Joel (teknogeek) (52:18.318)
Mm-hmm.
Joel (teknogeek) (52:29.164)
Yeah.
Justin Gardner (@rhynorater) (52:33.098)
they were able to use this sort of chain to bypass XSS Auditor and run arbitrary JS code. But it still works. So if you look at this, we'll link the tweet in the description, and Masato's website is down. But...
The payload is this, SVG, and then he does a script tag, and then he does SVG, and then the data-cfe email, and then a hex encoded string.
Attribute, okay, and then a bunch of other stuff and then what ends up happening is the code for the email or hiding thing will go through and Decode hex decode whatever is in that data CFE email Attribute oh Yeah, CF email. I mean that makes sense cloudflare email It'll decode what's ever is in there and then just replace that whole tag with it
Joel (teknogeek) (53:21.418)
It's just a CF email.
Justin Gardner (@rhynorater) (53:32.738)
And I was like, and it uses inner HTML and everything, man. And I was like, I was poking at it for so long, trying to be like, there's gotta be like some way for me to escape this, but not that I can find. And so I don't think there's any like XSS or anything there, but it is a very cool way for you to use Cloudflare to obfuscate your payloads. And also, sort of like we learned from the Masato Kinugawa.
Joel (teknogeek) (53:43.639)
Okay.
Justin Gardner (@rhynorater) (54:00.414)
Teams research, sometimes various HTML parsers and stuff like that will allow you to specify, I think actually DOM purifies default, allows you to specify data dash attributes. And so that could allow you to smuggle some payloads through because there's some post processing that's being done with it via this Cloudflare script.
Joel (teknogeek) (54:18.794)
Mm.
Joel (teknogeek) (54:25.198)
Man, there's a lot of really interesting things with those data attributes. There's some other frameworks that use that type of stuff, like Angular. Is it Angular? Like ngData and ng... Yeah, all that kind of stuff. Super, super weird, funky behavior. And I bet there's probably more of this stuff. You said that you've done some research, so I imagine that there's... Yeah.
Justin Gardner (@rhynorater) (54:29.827)
Mm-hmm.
Justin Gardner (@rhynorater) (54:35.838)
Yeah.
Justin Gardner (@rhynorater) (54:49.39)
I, there is some additional stuff. I just mostly that one that just kind of blew my mind, uh, from that teams research that I mentioned a second ago of, of NG and it being able to be specified as a class attribute. So inside the HTML tag class equals NG dash init colon JavaScript. And that will just get run was like, what? Um, and you know, it's funny dude is I, I like somebody had some relevant, um, you know, quip about that on Twitter.
Joel (teknogeek) (55:00.831)
Mm-hmm.
Joel (teknogeek) (55:07.839)
Yep.
Joel (teknogeek) (55:12.055)
So crazy.
Justin Gardner (@rhynorater) (55:19.004)
And I was like, I posted a picture of that screenshot and it ratioed hard, you know, and it was like blowing up like, oh wow, this is, this is really interesting. I'm like, yeah, we talked about it on the pod and Masato released it months ago, you know, so I don't know, man, it's good, but it's good to get the distribution on that.
Joel (teknogeek) (55:23.234)
Hehehe
Joel (teknogeek) (55:33.294)
I'm sorry.
Joel (teknogeek) (55:37.886)
Yeah, it's super, super cool. Well, this is awesome. Yeah, I'm looking forward to seeing that list. Yeah.
Justin Gardner (@rhynorater) (55:44.19)
Yeah, yeah. So I'm gonna continue doing a little bit of research on it. The JS files are really interesting. Unfortunately, there hasn't been much that's panned out. It's actually a little bit less scope than I thought it was. It's just a lot of the same files. So I'm condensing it down a little bit, trying to find the outliers.
But I would say probably optimistically, I'm looking at like a CSP bypass rather than a, you know, a global Cloudflare XSS, just kind of looking at the writing on the wall there. So we'll see how that goes. All right, man, I think that's it. Is that a wrap? All right, sweet, peace.
Joel (teknogeek) (56:14.518)
Yeah. Yeah, absolutely.
Joel (teknogeek) (56:20.654)
I think that's a wrap.
See ya.
