Episode 183: PortSwigger Research Impossible XSS SOLVED
Episode 183: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Brandyn talk about looking at AI features like tech features, Using AI to leak private repos, and solving PortSwigger’s Unexploitable XSS labs
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
Critical Research Lab:
Need a Pentest? We just launched CTBB Pentests!
Hack full time? Check out the Full-Time Hunter’s Guild!
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today's Sponsor: Check out Zero Trust Network Access:
https://www.criticalthinkingpodcast.io/tl-ztna
====== This Week in Bug Bounty ======
How LLMs are changing Bug Bounty Interview series
https://www.yeswehack.com/fr/community/llms-bug-bounty-interview-aituglo
https://www.yeswehack.com/fr/community/llms-bug-bounty-interview-rhynorater
https://www.yeswehack.com/fr/community/llms-bug-bounty-interview-icare
====== Resources ======
$15k - CSPT to full account takeover, then 2FA bypass via the prototype chain
https://whoareme.com/blog/cspt-account-takeover-2fa-bypass/
Two Bypasses for Chrome’s Sanitizer API
https://slcyber.io/research-center/two-bypasses-for-chromes-sanitizer-api/
Documenting the impossible: Unexploitable XSS labs
https://portswigger.net/research/documenting-the-impossible-unexploitable-xss-labs
GitLost: How We Tricked GitHub’s AI Agent into Leaking Private Repos
https://noma.security/blog/gitlost-how-we-tricked-githubs-ai-agent-into-leaking-private-repos/
Chaining Razor SSTI into RCE via Reflection and Runtime Strings
https://phsi.se/posts/chaining-razor-ssti-into-rce-via-reflection-and-runtime-strings/
====== Timestamps ======
(00:00:00) Introduction
(00:06:07) AI Features Are Just Tech Features
(00:20:02) CSPT to full Account Takeover & Other Chains
(00:35:27) Sanitizer API for Chrome and Firefox
(00:46:57) Solving PortSwigger's Impossible Lab & GitLost
(01:01:19) SSTI into RCE via Reflection