Jan. 16, 2025

Episode 106: Announcing our new cohost...

Critical Thinking - Bug Bounty Podcast

Episode 106: In this episode of Critical Thinking - Bug Bounty Podcast we are pleased to announce our new co-host of the podcast: Joseph Thacker, aka Rez0! We discuss Joseph's transition to full-time bug bounty hunting, his goals, and what he's looking forward to bringing to the pod. We also cover some news items including DoubleClickjacking, character set attacks, SVG XSS, and more.

Follow us on Twitter at: @ctbbpodcast

Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Check out our new SWAG store at https://ctbb.show/swag!

Resources

DoubleClickjacking: A New Era of UI Redressing

https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html

XBOW Validation Benchmarks

https://github.com/xbow-engineering/validation-benchmarks

Jorian tweet

https://x.com/J0R1AN/status/1871586792455163975

Simplified Payload

https://portswigger-labs.net/xss/charset.php?x=%1b$B%1b(B%3Ca%20href=javas%1B(Jcript:alert(1)%3Etest%3C/a%3E&charset=

SVG XSS Payload

https://x.com/garethheyes/status/1876953751245783534

curl-cffi

https://pypi.org/project/curl-cffi/

Bypassing File Upload Restrictions To Exploit CSPT

https://blog.doyensec.com/2025/01/09/cspt-file-upload.html

AI-Crash-Course

https://github.com/henrythe9th/AI-Crash-Course?tab=readme-ov-file

Timestamps

(00:00:00) Introduction

(00:02:15) Rez0's journey to Full-time hunter, Tool developer, and new Co-host

(00:21:04) DoubleClickjacking

(00:31:48) XBOW Validation Benchmarks, Charset Thoughts, and SVG XSS

(00:42:28) curl-cffi, CSPT, and AI Crash Course

Transcript

Justin Gardner (00:00.725)
Alrighty, Critical Thinking community, the time, the much awaited time has come where we announce who the next co-host is, who's gonna be my partner in crime on this podcast. And as you may have guessed, it is none other than Rez0 himself. So dude, I'm so excited to have you on the team. Thank you so much for taking the position. I guess I just wanted to give you a little bit of a platform right now to talk about why you're such a great fit for this role as the co-host and also,

you're going full-time bug bounty in like what, seven days or something, so just talk about that plan and that transition.

Joseph Thacker (00:37.324)
Yeah, when this podcast comes out, it will have been yesterday. So I went full time yesterday to the listeners. No. Yeah. I appreciate it. I mean, I think that it's a good fit for me because I'm a massive fan of CTBB and I think that it's another good fit. 'Cause like you said, I'm going full time bug bounty. I've been passionate about it for five or six years trying to go, but work kept reeling me back in. And so now it's the right time for me. And it's also, you know, potentially a great time for Critical Thinking.

Justin Gardner (00:40.32)
exciting.

Joseph Thacker (01:05.454)
Yeah, I guess to the platforms: send me all your invites and live hacking invites to the events. But now in general, if listeners do want to reach out, super open to collaboration, super open to learning or to mentoring, you know, like just reach out to me and chat with me. I'll be active in the Critical Thinking Discord. So

Justin Gardner (01:24.877)
Yeah, I'm excited to have another full-time hunter as the co-host as well because it's a different world, I think, when you're in it all day, every day. And so I'm excited to have you there. We met at the live hacking events. Can you tell the listenership a little bit about your journey from where you started in Bug Bounty and how you ended up at the live hacking events where we met and how we landed where we are today?

Joseph Thacker (01:49.71)
Yeah, credibility is a huge thing. I want the listeners to know that I'm in the trenches with them, have been dealing with the dupes, dealing with the N/As and the informationals for a long time now. So yeah, when I initially got started, honestly, I was seeing like tweets and stuff from Doggy G and Nahamsec and people like that. And I was like, man, this feels like it could be something that's like fun and lucrative and career building. And I honestly think that, you know, that'd be my pitch to people who are listening that aren't doing bug bounty yet. It's like

Justin Gardner (01:54.265)
Heck yeah.

Justin Gardner (02:06.777)
Classic, yeah.

Joseph Thacker (02:18.506)
Even if you make no money, you're building an awesome skillset. You're having a ton of fun. You're basically, in my opinion, getting like the privilege of doing something that people in the past risked their skin for, right? Like people had to go to jail, like were like scared they would go to jail because they would be hacking things, but it was just like such an intense passion in them and like a curiosity that they wanted to sate. And now you can actually kind of quench that desire and get paid to do it. So I think that's really cool. But when I first got started,

I was like, I'm in security. I was doing blue team stuff and I was like, I already know how to write code. So I feel like I have like two kind of small advantages there. And I want to pivot that into, into like being fast, like acquiring bug bounty skill and profit like kind of quicker. So I, you know, I would like hack along with Ben when he was doing those live streams, he would do like the live recon streams and stuff. And

Justin Gardner (03:09.305)
Dude, so many amazing hackers came out of those live streams, man. Ben is, what an amazing service to the community he does with his live streams and his hackalongs.

Joseph Thacker (03:12.288)
Really?

Joseph Thacker (03:20.46)
Yeah, we should do some of those sometime, but yeah, kind of quickly thereafter, I found some good vulnerabilities. I knew that I would need an edge at the beginning when I was lacking the skill. So I would try to go after brand new targets. And so I did that through new public launches and then through like, you know, my first few private invites, which, you know, I valued so highly, I would get it and just like drop everything and sprint to it. My first live event was actually the Yahoo.

Justin Gardner (03:22.668)
Yeah. Yeah.

Justin Gardner (03:39.288)
yeah.

Joseph Thacker (03:45.13)
Open scope, the kind of open to anyone, which was perfect for me because I had never been invited to one. Right. So there was, there was like 3000 people that hacked in it. I was fortunate enough to get an early invite to the Bug Bounty Forum Slack, which, you know, some listeners will definitely know about, and had partnered up with Douglas Day, Hussain, Jesse Hogarth, and then Eric, with code, code, code can care. Of course today is new. And we ended up winning best team in that event, across every round.

Justin Gardner (03:49.059)
Nice.

Joseph Thacker (04:15.126)
And so it was highly beneficial. Yeah.

Justin Gardner (04:15.981)
Wow, dude. Dang. That is quite a team, I have to say. I understand why that turned out the way that it did.

Joseph Thacker (04:22.99)
Yeah, and what's crazy is I was a little worried about pulling my weight, but in the first round, my fuzzing and automation found a sick crit that like resulted in like a "please stop" bonus, if anybody knows what that is from Yahoo back in the day. And it was like, it paid out like 18,000, I think, but it was really cool because it was a web.zip in like another directory, but it was hosted on their infrastructure where it was only landing one in 12 times. So once I found it, I was like, how did no one find this? So then I kept fuzzing it and checking it.

Justin Gardner (04:32.621)
Dude... Yes!

Justin Gardner (04:50.676)
It was round robin or something like that.

Joseph Thacker (04:52.216)
There was a round robin, there was only one proxy that it would actually like let you download the content from. And so anyways, that was just like a dream come true. And then of course, once I think once we got best team in that, it guaranteed another invite. And then, you know, I was like, I've been on a lot of Douglas Day, the Archangels, you know, collaboration teams through the years, through the events. And so that snowballed into some other invites. And so, yeah, I think I'm at like 11,000 reputation points, but.

My last 90 days looks pretty pitiful. I've been hacking on Google and then trying to wrap up stuff at the job. So I'm excited to get the stats pumping again.

Justin Gardner (05:26.659)
Yeah, I know you've been doing a great job with the Google stuff too. I've been kind of poking at them the past couple days and I'm gonna be going ham now for the next week on them and the scope that they have is really interesting. The changes they've made to their program are really attractive too so I definitely see them being one of my main targets in 2025. I can just like, I gotta break through that mentality because I found a couple bugs on Google before but like,

Joseph Thacker (05:40.119)
It is.

Justin Gardner (05:54.979)
Google is just such an intimidating target, right? It's just, it's, it's scary. And all this stupid protobuf stuff, like, ugh.

Joseph Thacker (05:57.504)
It is, but if you really think about it, if you really think about it though, GCP is so similar to AWS and people spend like their whole life hacking AWS and succeeding, you know? So this isn't in our docket, but I did want to talk to you about this specific thing now that you bring it up, because I was thinking about this in the shower actually. I know you're a good idea in the shower boy yourself, but.

Justin Gardner (06:11.979)
Mm. Mm.

Dude, hot water. What is it about hot water that makes us have amazing ideas?

Joseph Thacker (06:22.24)
Yeah, I don't know. I think it's just the only time our brain gets the rest because we like shove stuff in front of our face all the rest of the time. But what was dawning on me was like, there are definitely different applications which are more fun and less fun to hack. And actually the kind of obfuscated, you know, nature of protobuf actually does make it a less enjoyable experience. Like I was just thinking about on the spectrum of like, what's fun to hack, what's not. And I think that like,

Justin Gardner (06:26.553)
Yeah, that's a good point.

Justin Gardner (06:43.936)
yeah.

Joseph Thacker (06:47.722)
If a company does have like more obfuscation or more, whatever, less people hack on it, of course. And that makes it a good target from a bug bounty perspective. But I was just thinking about how that's kind of interesting. And I want to shift my mind in that regard too. It's like, just because it doesn't feel that enjoyable immediately, how could I make it enjoyable? Whether I write a plugin or whether I use AI automation to like kind of reverse the protobuf, or maybe I think about it in a different way, or I look for a different type of bugs. It's kind of interesting.

Justin Gardner (07:13.251)
Yeah, 100%. I mean, and that lack of fun, when you're first looking at it, that additional friction there makes your competition much less, too. So that's one of the reasons why I've been excited to kind of work on Google stuff is like, I know that if I can crack the egg, then it's gonna be really profitable. Especially with their increased bounties they've got recently. So I think that's pretty solid. And actually, I was a little bit surprised when you said that pathway.

Joseph Thacker (07:31.17)
Yep, yeah, I think so.

Justin Gardner (07:41.753)
you know, with the team that you had on the Yahoo event and how your automation found stuff, because I didn't really have you in my head as much of an automation guy. Like, are you looking to kind of dip back into the automation realm as you go full-time hunter? Are you gonna focus more on manual stuff? Or, you know, where do you kind of put yourself on the manual to recon hacker spectrum?

Joseph Thacker (07:57.645)
Yeah.

Joseph Thacker (08:00.952)
Yeah, fantastic question. I would say my inroad was definitely automation. Like I followed Jhaddix's, what's it called?

Justin Gardner (08:12.089)
How to Shot Web, or like Bug Bounty Hunter's Methodology.

Joseph Thacker (08:15.406)
Yes, the Bug Bounty Hunter's Methodology, I think it was version two when I was getting big. So version one was already down. I basically built that exact pipeline on a random VPS on DigitalOcean and used that for a long time. And I would say the vast majority, like over 50% of my bugs for the first probably three years came from big fuzzing and from that type of automation. You know, when I knew programs spun up, I would definitely go in and just immediately look for IDORs and all that regular stuff. But my bread and butter that I would come back to every night like...

Justin Gardner (08:18.649)
I don't know.

Joseph Thacker (08:44.942)
everyone goes to sleep in the house and I would hack for two hours, it would be like always fuzzing. You know, initially it was like DirBuster or something like that, but very quickly it became FFUF. I would venture to bet that I've sent more requests with FFUF than 99.9% of all bug bounty hunters. I have famously been warned for DoSing in like three or four different live hacking events. So sorry about that.

Justin Gardner (08:54.681)
Mm. Yeah.

Justin Gardner (08:59.545)
That's crazy.

Justin Gardner (09:09.899)
Yeah. Yeah.

Joseph Thacker (09:11.032)
I like to spin up fleets of Axiom hosts and then kind of fuzz from there. Yeah, I don't know. I think that if someone could give me, it just feels like panning for gold, right? It's like, if someone could give me a directory listing of every web server at a company, I would be able to show them so many vulnerabilities. And that's actually not that hard for the companies to do and no one's ever taken me up on it, but I think it'd be really interesting just to go to, yeah.

Justin Gardner (09:32.323)
Wow, that's a really interesting concept. Yeah. It's not necessarily as simple as that with modern architectures because it's not like, we're not dealing with as much of like, we talked about this on an episode, like art of the architectures way back there. But you know, we talked about how there's sort of more like this flat file architecture where you've got like, this is more something you see more in like a PHP sort of environment where you're exposing a file system

Joseph Thacker (09:40.13)
It's not.

Joseph Thacker (09:50.978)
Mm-hmm.

Justin Gardner (09:58.241)
to the web via a web server, right? But then now, you know, what's becoming more popular is like these single page applications backed by APIs and stuff like that. But I mean, you're right, even if companies would just give the directory listings for, you know, these sort of flat file based architectures that they have, that would be, I mean, you would just, because all that stuff's out there anyway, it's just security by obscurity, right?

Joseph Thacker (10:22.25)
And a lot of times, even in the new architectures, they'll still like mount full folders. Like, so like it'll still be at a specific path. Yeah, exactly. So anyways, that was the initial part of my journey. I would say the last two years, it's been a little bit more manual, you know, a lot of AI hacking, but then a lot more manual testing. I think that basically I haven't really used my server. I got it spun back up in the last two months, because obviously I'm about to go full time and I want to do a lot more recon in that regard, but

Justin Gardner (10:25.325)
Yeah. Yeah, yeah, /static.

Joseph Thacker (10:51.05)
Before that, I would say for the last two years, it's been a lot more manual hunting, manual hacking. And then that's also during the time when I transitioned from Burp to Caido because, you know, I'm not using the scanner, the active scanner, as much.

Justin Gardner (11:03.777)
Yeah, yeah, yeah, wow, okay, that all makes sense. I've seen you at the live hacking events and stuff, but I hadn't had you sort of categorized in either one of those arenas, but it seems like you kind of have a similar approach as Nagli, which is like, you know, there is some automation stuff going on, but like when you need to get down to it, you also get in there and you find the IDORs and you find the application level bugs beyond just the recon world. So that's really cool, man.

So you're going full-time bug bounty yesterday. So what's the plan for how you're gonna do that? I mean, obviously we've got the Full-Time Hunters Guild, I know you're gonna be an active participant in, but what's your plan moving forward on what kind of targets you're gonna hit, how often you're gonna try to hack, that sort of thing.

Joseph Thacker (11:35.426)
Yep. Yep.

Joseph Thacker (11:52.174)
Sure. Yeah. I think that as far as the targets go, it's still a little bit up in the air. I definitely want to spend some time on Google. Like you mentioned, I plan to actually, basically I've always felt like new scope, like untouched scope, is the way to go. So this is maybe giving away my secret a little early, but my goal is going to be to pull the top, like the, you know, basically pull all the top programs that I trust or the other hunters trust and maybe, maybe out of a list of like 30 or 40.

Justin Gardner (11:59.929)
Mm-hmm.

Joseph Thacker (12:21.29)
Get the ones that are wild carded. Then from those, do some sort of recon that basically tells me, here are the assets that have been spun up in the last three months to kind of narrow it down to just those. And then work my way through that list. So I know the program's good. I know they pay well. I know they pay street research as well. I know they have open scope and then I know that these domains or these features, yeah, I might also just look at change logs for those companies as well. I do that a lot for Google. Yeah.

Justin Gardner (12:29.027)
Mm-hmm. Sure.

Justin Gardner (12:43.992)
Yeah, that's big, I think. I think that's some stuff that I'm gonna be setting up. I've already got a couple of them monitoring right now, but I think I'm gonna try to build that out this year. Every target that I hack on religiously, I'm gonna onboard into my change log monitoring or JS file monitoring to see when changes occur to the API endpoints on that specific app. I think it's kind of a waste not to. If you're already taking notes, you already have your whole brain in this app, you understand how it works.

Now you need to, one of the takeaways that I had from an episode with Sam Erb was taking notes with code, right? That's what I'm gonna do here is like take notes with code to automate my understanding of this app and make sure that I'm developing that understanding over time as that app continues to develop.

Joseph Thacker (13:31.19)
Yeah, exactly. And I mean, like not only can developers increase bugs at that level because these are new changes and new features, but also I think that as you learn the app, you can see where there's going to be regressions or whatever else. So yeah, so that's kind of the methodology for what I'm going to look at. And you know, obviously always pivoting to new invites and just like basically conventional wisdom in that regard. And by new invites, I mean, not new to me, but completely new programs. As far as time.

Justin Gardner (13:57.527)
Yeah, yeah, those would be huge.

Joseph Thacker (13:59.328)
As far as time spent, and I think this may have been what you were double clicking on because obviously we just launched Shift, but that, so that'll probably be 60 to 70% of my time as full-time bug bounty. And the other bits will be obviously recording and supporting Critical Thinking. But then outside of that, I would love to build more tools. So Shift is the first one. And so I'll be doing, you know, some maintenance and updates and features on that. But I would love to build other kind of AI apps specifically in the security space. So in fact, if people do have ideas, I think that.

the current AI models kind of unlock an entire new class and suite of tools that are possible. Some of those require a lot more work. Some of them don't require very much at all. You just kind of throw it together, and the ability to develop so fast now with things like Cursor, as I know you've mentioned many times, makes it so possible. So yeah, lots of building too.

Justin Gardner (14:44.921)
Unbelievable, man, yeah. The Shift thing, I've been amazed at how active you've been in that, man. I can say, we launched this thing and then guys, every person that subscribes, I see Rez0 just sending out an email being like, hey, how do you like the product? What do you think? Give me ideas. Dude, you're rocking it, man. And really, for anybody who's subscribing to it right now and getting access to it, we're really interested in

Joseph Thacker (15:05.88)
Customer attention, come on Justin.

Justin Gardner (15:14.601)
your use cases that aren't being fulfilled or anything, any future progression, we definitely want to hear about that. And actually, I was kind of thinking about this, it's in the notes to talk about on this episode. I've been working on this program recently where we have API specs. And they're just sort of free form in like a CSV or whatever. And I was like, man, how cool would it be to like, in sort of like a Cursor-like fashion,

just say like, hey, here's this document that contains API specs. Here's what I want you to do. With this row, do this column, do this, set this to the host, generate this token, put it here, that sort of thing. And then just have Shift sort of automatically parse out this API spec and then create it into a collection in Caido where each one of the requests is built out fully. And I think we can sort of do that lower scale right now.

With Shift, you could paste in one or two lines of that spec and it will actually create them and stick them in Replay. But I think being able to upload a full document and then break it out into certain sections and then create the requests for those as it goes along, as it parses through the whole document, would be another really cool feature we could integrate.

Joseph Thacker (16:31.95)
Yeah, yeah, that's a cool idea. I think that it's probably already possible with a few changes. So I like it as an idea. And I like that it basically would give you then a list of tabs to go through and replay where it's like, I'll test this one, then I'll test this one, then I'll test this one. And it's every end point.

Justin Gardner (16:38.552)
Yeah.

Justin Gardner (16:51.033)
The crazy thing, one of the craziest things about AI that I really just haven't put into words before is how much it enables you to deal with free form stuff. You never know what format you're gonna get documentation in. It could be a big Word doc, could be in CSV, could be in Swagger files, could be in this, but if you can just tell the AI, hey, this is what it looks like, this is where the information you need is, then you can really easily get that from a format, from any format, from, you know,

free format into a format that you can ingest and then put into a tool. And that sort of thing is just not possible without AI, without it smartly identifying.

Joseph Thacker (17:29.376)
Yeah. Yeah. I don't currently have automation that like takes bug bounty scope and then like transforms it into something that my automation uses or needs, but that's a great, that's a great place where that would exist. Like, as I'm sure, you know, anybody who tries to do that programmatically realizes that the scope fields across the different platforms are different and wildcards will sometimes look different or sometimes they'll put it in the description or whatever. But what's interesting is I could definitely abstract that out if you had it like set up with a specific schema that you wanted. So.

Justin Gardner (17:38.734)
Yeah.

Justin Gardner (17:46.062)
hard.

Justin Gardner (17:53.655)
Yeah.

Justin Gardner (17:58.819)
Geez, man, this is another reason I'm really excited to have you on the pod is it's really great to have a local AI expert and sort of be able to talk about how to take these applications of AI stuff and apply it to security, and I know that that's like your shit. Dude, I'm excited, man. Yeah.

Joseph Thacker (18:14.124)
Yeah, yeah. So I mean, I guess I can pre-apologize and pre-prep the listener that I'm sure I'll bring lots of AI content. Just even prepping for this episode, as Justin and I were coming up with resources, I had to kind of like control myself because I just wanted to keep putting in more AI stuff in there. So I think it'll help usher the listeners into a world where they're using AI and integrating it into their lives earlier than their peers, which is going to give them a huge level up. But I also think that they'll understand the way AI-

AI applications are being built and that's going to give them a huge leg up in actually hacking these applications later.

Justin Gardner (18:46.881)
Yeah, dude, massive value add there. And I think I'll always bring a bunch of web stuff as I do. So I think it's great to have a counterbalance there of like, all right, here's some AI, here's some tooling, and then also the web stuff. I mean, you've got web stuff in your list right here too. Yeah, dude, I'm excited, man. This is gonna be awesome. Thank you so much for joining the team, dude, and coming on this journey with me.

Joseph Thacker (19:08.65)
No, no, no. Thank you so much. Thanks for selecting me slash bringing me on as the co-host. It's a real pleasure and honor and I do not take it for granted. So thank you.

Justin Gardner (19:18.649)
Awesome. All right. Well, I'm trying to think if I had anything else that I wanted to run by you before we just kind of jump into the content for this episode. Yeah, I think that's a good intro, man. If the listeners don't know who you are at this point, you guys can find him on Twitter if you want to read more. He's pretty big on Twitter. You're like, what, 50-something thousand followers? So.

Joseph Thacker (19:41.55)
Yeah, I think I'm almost at 55, but honestly, I've been hearing from people who are in the social media realm that it's like almost, that it can be a hindrance because like if you have like a split audience, the low engagement rate ratio to your followers can be whatever, but it doesn't matter. Yeah, I definitely post a ton of stuff, AI, bug bounty. So I'm on Twitter at Rez0 underscore underscore, which by the way, if we have any listeners from Twitter, there's no one using R E Z zero, the account.

Justin Gardner (20:06.982)
no, dude.

Joseph Thacker (20:07.032)
So hook a boy up sometime, I want it. And it's unused and you can't register four character usernames anymore. So you can't, yeah. So I can't go steal it. And then I also blog a lot. So you all can check out josephthacker.com for that.

Justin Gardner (20:13.889)
No, really? Dang. Well.

Yeah, yeah, the newsletter is great too. So I love your writing style in the newsletter. Cool stuff there. All right, well let's go into the content for this week. We already talked a little bit about Shift and how I think that can be really useful for grabbing free form API docs and kind of getting them integrated into your requests and your Replay in Caido. But there was a cool piece of research that came out. I just, every single time

Paulos Yibelo releases something, it's very outside of the box thinking, weaponizing some things that a lot of people take for granted. And so I follow their research pretty closely. And this time, they released an article called DoubleClickjacking: A New Era of UI Redressing. And I've also seen some research. It might come out through the Critical Research Lab soon.

Joseph Thacker (20:58.094)
Mm-hmm.

Justin Gardner (21:18.893)
that just also really, really weaponizes well pages that can be framed. Previously, I wouldn't really consider a missing X-Frame-Options header as like a mega gadget, but after seeing this and after seeing some of the research from the lab, there is a lot of stuff you could do if you have no X-Frame-Options header and SameSite cookies are not an issue.

Joseph Thacker (21:34.168)
Yeah.

Justin Gardner (21:48.229)
And the way that this specific research addresses this scenario is it invites a user to double click on something. And with the first click, the mouse down event, it harvests that to close a window. And then the mouse up event happens. And when the mouse down event happens again, the user's cursor, right where it was on that button, will be aligned over a sort of

popped-under page that was done in preparation for this attack, and can harvest a single click on a button on a sensitive page. And I was like, okay, you know, that's kind of crafty, kind of cool, you know? And then I went and looked at these demo videos that he recorded for Salesforce, Slack, Shopify, and one-click account takeovers, and they're pretty freaking good, dude. Yeah, double click, exactly, double click. Technically, it's two-click.

Joseph Thacker (22:38.794)
Double-click account takeover. I mean, on the platform it's one, but then the vulnerability is also one, yeah.

Justin Gardner (22:46.987)
Right, right, but technically, yeah, I guess it's a two-click, you know, because you're going, but you know, you go in there, you click the captcha, especially, excuse me, especially with captchas and accept cookies stuff, priming users to just give a click without a second thought. I think this will result in some very impactful stuff if done correctly. I'm not sure I would report this as is, but maybe chain it with something else like the OAuth flow.

I think it's worthwhile. I think it's a valid bug.

Joseph Thacker (23:19.31)
Yeah. So, uh, before we jump to kind of the really cool kind of mitigations here, uh, which are really neat. So you all definitely want to listen to that. Uh, I just wanted to say clickjacking in general. I definitely have always kind of like, you know, like you said, looked down my nose at it from a bug bounty hunting perspective, but I don't know. But I think that, yeah, I think I'm underrating it a little bit. I remember Jesse, uh, Hogarth45 back

Justin Gardner (23:33.921)
Yeah, it's easy to do.

Joseph Thacker (23:41.582)
like three years ago showed me an amazing clickjacking vulnerability that resulted in like a kind of takeover. And then recently in the Google event in Malaga, Spain this fall, or I guess back in November, somebody had a really neat clickjacking demo that was like based around Gmail. So I don't know, I don't know all the details and I don't know if I could share them anyways, cause I think we were under NDA, but there was a vulnerability that paid out that was like extremely impactful.

Justin Gardner (23:59.757)
Mm, mm.

Joseph Thacker (24:09.292)
that did some clickjacking and some like kind of user trickery where like it had the user play a little game for the captcha that resulted in an extremely, like a severe impact. So it's worth considering. This blog is just well written and the POC is, like you said, our money. Do you wanna talk about these really cool mitigation things he brought up?

Justin Gardner (24:24.365)
Yeah.

Yeah, yeah, so definitely the mitigation things are, we'll get to those in just a second, but I just wanna echo that. The crazy thing about clickjacking is I think it gets a bad rap because people will report it without proving impact, right? But just think about this for a second. In a lot of scenarios that they're talking about there, where you're approving an OAuth application with one click that can do anything to your account, that's the highest amount of impact you can achieve on the client side, right? If you have a,

you know, one click account takeover, that is the highest amount of impact you can achieve on the client side period, right? So if you are in a clickjacking scenario where you come to the attacker's page, you click one button on that page, right, that is like one, and your account gets pwned, that is like one click away from the highest impact scenario that you can run into on the client side. So, I mean, it's really, this is one of the classes where it's really about weaponization, and if you can take it and take it the full mile,

and get the account takeover out of it. Or maybe if you can one click delete your account or one click do some other very sensitive action, then I think that will often result in some accepted bug.

Joseph Thacker (25:38.198)
Yeah, isn't reflected XSS basically the same thing? Like it's still a one click kind of account takeover. The thing with reflected XSS is you can like spray it because you can kind of put that payload anywhere. Whereas I think a lot of clickjacking you have to get them on your page. But in general, it's kind of the same, right? You just spray the link to your safe looking page that is malicious that has the framed page on it. And so it still looks legitimate. And so, yeah, I think they're very similar. Like you said, clickjacking as like a phrase maybe kind of...

Justin Gardner (25:41.453)
Yeah.

Justin Gardner (25:46.712)
Mm-hmm. Yeah.

Justin Gardner (25:54.551)
Yeah.

Joseph Thacker (26:08.024)
frowned upon, but in general, if you still have a weaponized payload, it should probably, it should probably be taken seriously. So.

Justin Gardner (26:09.315)
Yeah, bad rap.

Justin Gardner (26:13.719)
Yeah, for sure. Okay, what are these protections for the double-clickjacking stuff that they had here?

Joseph Thacker (26:19.382)
Yeah, I think I was pointing this out to you when we were talking about it before the pod. It's just like, it's so neat that there's both a JavaScript based protection here, a mitigation that anyone can implement on these super sensitive pages where a single click has like a lot of impact. And then, and then they also go into the details for how browsers could completely fix this, which I think, which I think you thought was neat, how that actually would be implemented.

Justin Gardner (26:40.59)
Yeah.

Yeah, no, this is great. I think there should be some addressing of this at the browser level, but I mean, especially for those programs that want to be very thorough with their, with the places in their application where one click can take over your account, right? Because that's a pretty stringent scenario already. And pretty much the only place you kind of see this is in OAuth authorization. And so if you just add this one little snippet of JavaScript, which, you know, removes the risk of double-clickjacking by disabling critical buttons,

Joseph Thacker (26:57.88)
Huge,

Justin Gardner (27:12.985)
unless a gesture is detected, then you save yourself from this sort of attack. Even if you have to allow the page to be framed. And actually in this scenario, it's not even framing because they're popping it up in a lot of ways. There's a bunch of scenarios where this can be exploited further, but just being able to add that one little snippet into your page.

to make sure that there's some movement of the mouse, that sort of thing, before that button becomes enabled. I think it's something that should be added to those high value OAuth pages where it can result in one click ATO. Those pages need special security concern anyway, so this is just one extra step.

Joseph Thacker (27:58.636)
Yeah, it does. It reminds me of the vulnerabilities you found with CSS injection and on those credit card pages. It's like when there's a highly sensitive page, things that might not typically be vulnerabilities can kind of become those. And honestly, another really key point about this blog is that like he gives you the mitigation. And I think.

Justin Gardner (28:02.169)
Mm.

Justin Gardner (28:14.521)
Ugh.

Joseph Thacker (28:15.424)
I think having mitigation in bug bounty reports is one of the best ways to get them accepted and to also get those kind of like well written report bonuses and stuff. And it makes, it makes teams take you seriously. It's like, hey, here's the vulnerability and here's how you fix it right now. You just put this JavaScript on the page and it removes this. And I think it really showcases the fact that there is a vulnerability and that there is a single fix in that single place. Yeah.

Justin Gardner (28:23.449)
Mmm, yeah.

Justin Gardner (28:37.241)
Yeah, yeah, for sure. And, you gotta remind me as we record future episodes, our editor has said that I really should be sharing my screen when I'm talking about these articles so we can get it up on YouTube. Sorry, folks on YouTube, I always forget to do that. But I did wanna add one more thing as we move away from the subject, which is that, I just wanna quote specifically from the article here. It says, "DoubleClickjacking adds a layer many defenses were never designed to handle. Methods like

Joseph Thacker (28:48.812)
I'll try to remind you.

Justin Gardner (29:05.737)
X-Frame-Options, SameSite cookies, and CSP cannot defend against this attack." So I know we sort of covered clickjacking as a specific attack while we were talking about double-clickjacking, but double-clickjacking is very different because it uses pop-up windows and stuff like that. And so it's gonna be a top level navigation, so SameSite cookies aren't gonna be a thing. Yeah.

Joseph Thacker (29:27.17)
Yeah, it passes all of your cookies. It's a completely legitimate click on the under page. Yeah, there's no protection for that part. Yeah.

Justin Gardner (29:32.503)
Yeah, there's nothing you can do with that. And it doesn't have anything to do with framing either, so it's not gonna happen. And a lot of these modern day attacks that utilize different windows and frames will be stopped by COOP, which is cross origin, I forget the actual, let me look up the actual acronym. Cross-Origin-Opener-Policy, yeah, that's it.

removes that opener relationship. But this one, I think, could also be implemented without, even though COOP was in place. So there's lots of ways that this attack sort of bypasses traditional defense mechanisms. So just wanted to make sure that was clear and we weren't getting confused with clickjacking and the prerequisites for that attack. All right, solid dude.

Joseph Thacker (30:23.662)
Yeah, testing in places where those protections still exist, because they are still vulnerable most of the time.

Justin Gardner (30:27.767)
Yeah, and I think you kind of have to feel out the teams as well, because some teams are going to be like, yeah, well, you know, what are we going to do? But if you're working with teams that are high quality and the POC is really clean, then it could get accepted, or it could not get accepted. And that's just kind of the risk you take with these sort of fringe attacks that require a little bit more user interaction.

Joseph Thacker (30:34.424)
We'll take the risk. Yeah.

Joseph Thacker (30:49.292)
Yeah, they say in here that the results were mixed, he says most have chosen to address it while some have chosen not to. So honestly, I would have expected the opposite, but it would not surprise me if the mitigation being a part of the report is one reason why they were like, yeah, we'll just accept this and throw this mitigation on the page, right?

Justin Gardner (30:54.051)
Mm-hmm.

Justin Gardner (31:01.048)
Yeah.

Justin Gardner (31:06.019)
You

Yeah, that's great. Okay, cool. So that was the double-clickjacking one. You want to hop down to the XBOW stuff?

Joseph Thacker (31:18.232)
Sure, yeah, so I actually am an advisor at Ethiack, which is one of the kind of automated hacking platforms out of Portugal started by our boy, Andre, 0xacb. Yeah, he's the man. And so as a part of that, they may or may not be working on a hackbot, but in my research for that and in my support of that,

Justin Gardner (31:28.921)
Shout out to our boy 0xacb!

Justin Gardner (31:36.814)
Mm-hmm.

Joseph Thacker (31:40.526)
I shared with them this validation benchmark. It's actually two top bug hunters, Jurado and, do you know who the other person is? Yeah, yeah, niemand_sec, are both on the XBOW team. And so XBOW is building a hackbot. It is. Yeah, it's, it's, yeah, it's amazing. And the founders are also like really brilliant. But so anyways, this link will be in the show notes. But if you, if you wanted to search for it yourself, if you just look up xbow-engineering validation benchmarks, they have

Justin Gardner (31:47.161)
Yeah, niemand_sec, right?

Justin Gardner (31:54.489)
Stacked dude, stacked team.

Joseph Thacker (32:10.476)
man, over 100 benchmarks, which are really cool. They include like a Docker Compose file that will help you spin up a little app that has a single vulnerability that you can then test your AI system at hacking. So like, let's say that you're a bug hunter and you want to start implementing AI to be able to solve your XSS or your IDOR or whatever, just to play with it, either to learn it or because legit it could pay off and make you money.

This is like a perfect place to go to test those systems against little micro exploits where they're very vulnerable. These are not like hard things to solve for the majority of them. And I think they increase in difficulty, but.

Justin Gardner (32:46.777)
Wow, yeah, so this is sort of a, this benchmarking is a lot of work, you know, putting together all of these GitHub repos and, or Docker containers and stuff like that. And they've kind of done that leg work and then released it for the community so that they can, so that people can use these to make sure their hack bots are achieving the goal. And I think that's really cool, because a lot of times when I'm building automation, I need a test case, you know, a vulnerable test case, right?

Joseph Thacker (32:54.506)
yeah.

Joseph Thacker (33:13.996)
Yes. Yes.

Justin Gardner (33:15.721)
And oftentimes I train them off the actual vulnerabilities that I find manually. But if you don't have those on hand, or if you'd like to train it on what you found manually, and then sort of apply it to a benchmark and say, hey, but does it figure out this scenario? This is a great way to validate that. And I guess, do they have it broken out into what specific types of bugs are each one of? Yeah, they do.

Joseph Thacker (33:19.79)
Mm-hmm.

Joseph Thacker (33:39.064)
They don't at like the top level, but if you click into them, they definitely do. Actually, I don't know that the titles do, even when you click in or not. Oh yeah. So vulnerability type and category. Yeah. It's in the README. So, and also difficulty too. I hadn't noticed that there's a difficulty field. So you could even like, you know, cherry pick the easy ones or cherry pick the hard ones or whatever.

Justin Gardner (33:43.297)
Yeah. Okay.

Justin Gardner (33:49.677)
Yeah, so like IDOR, broken access control, stuff like that.

Justin Gardner (33:59.905)
Nice, yeah, cross site scripting, injection, difficulty, hard, interesting. Cool, yeah, so these will definitely be helpful for anybody who's building a hack bot, which I think there are more and more researchers doing that now, so yeah, yeah.

Joseph Thacker (34:11.094)
Yeah, in the Full Time Hunters Guild, I won't leak their name, but one of the Full Time Hunters has already found a high vulnerability with their own personal hackbot that they trained themselves to write in like a week. Which, they're a talented developer, so.

Justin Gardner (34:18.797)
Badass, man. Yeah, dude, so. Yeah, we gotta definitely make sure we're staying on top of all that. I think it's gonna be helpful to have one of those on your team as you keep moving forward. Okay, any other comments on that one or is that one, do that one about justice, I think? Yeah, okay. Get some water. My throat is a little scratchy today. Yeah, so obviously, you know.

Joseph Thacker (34:36.492)
No, I was gonna ask you about this Jorian tweet.

Justin Gardner (34:47.339)
Let me just say what I say all the time. When Gareth Heyes tweets anything, you should pay attention to that tweet. And Gareth tweeted out on Christmas Eve, and we're just getting the chance to cover it now, that he found that you can use ISO-2022-JP charset escape sequences inside of JS URLs. So this is gonna break a lot of WAFs and hard-coded like.

scenarios where they're just looking for javascript colon, right? If they had like a hard-coded, no javascript colon, you know, taking in some accommodations for HTML encoding and stuff like that, then that's very hard to bypass when you're trying to do a URL or like an href-based attack. But this scenario that he outlines here allows you to do a payload, and I will share my screen on this one now so people can actually see the tweet.

Yeah, in this scenario he outlines a way to actually get it to pop with a bunch of whack characters in there. So this, and then there was another comment, so this is where Jorian comes in, a little bit further down on Twitter, where he says, Gareth was saying, hey, this doesn't work on Chrome, and Jorian noticed that if you just spam the escape sequence for this specific character set a bunch of times,

then Chrome successfully sniffs it if there's no character set defined on that page and will actually trigger it, even though it doesn't work right off the bat like it does in Firefox. So this works in both Firefox and Chrome if there's no character set defined, that you can send in this payload like javas, space, you know, escape sequence thing, cript colon alert one, and it will actually trigger that in the browser.

and they provided some example links on how this might work in that Twitter thread, so we'll have those linked in the description. Character set attacks have been amazing. No, did you reply?

Joseph Thacker (36:46.59)
Yeah, did you see my reply to that? Did you? Yeah, yeah. So in our doc here, click on my link. There's no spam and it still pops. So I don't know if it's just my browser locally that's behaving that way or if Jorian was incorrect and just figured out a different way to make it pop. So basically I was like, that spam doesn't feel that necessary. So I went and started removing some of those characters and it totally pops for me in Chrome if you remove a bunch of them. So.

Justin Gardner (36:52.921)
Hmm. Let me see here.

Justin Gardner (36:58.228)
really?

Justin Gardner (37:10.243)
you

Joseph Thacker (37:14.476)
Maybe more research required there.

Justin Gardner (37:14.734)
interesting.

Yeah, so I think you still have one or two of the escape sequences, so maybe you don't need to do that many. But there's like a smaller amount of escape sequences that you can use and create a more consolidated payload. Nice, I like that. Yeah, we'll drop that down in the description as well. Richard, the one that's highlighted in the doc, if you could add that to the description, that would be great. Okay, cool. So yeah, I kinda wanna keep the community up to date on these sort of character set related attacks that have been kinda popping up a ton lately.

Joseph Thacker (37:23.501)
Right.

Joseph Thacker (37:45.506)
Well, it's perfect for WAF bypasses and other things. Yeah.

Justin Gardner (37:48.345)
Oh yeah, yeah, it's great for those scenarios. And I think it's a little bit less common that the character set isn't defined, but just like scenarios that we were just talking about where X-Frame-Options headers might be missing, this is stuff that we weren't really paying attention to as much before, but now I think we should start really being like, ah, this is a gadget. If there's no character set defined, this is a gadget if there's some ability to inject any text

in the page, which is a pretty low bar to me, in my opinion.

Joseph Thacker (38:16.344)
Yeah.

Right. Yeah, I'm sure that you probably already geeked out about this, but what's funny about this character set specifically is it's for like a Japanese email. It's like a 2022 Japanese code point email thing. It's, yeah, it's hilarious.

Justin Gardner (38:32.479)
Yeah. Yeah, dude, I love it when my interests overlap like that. When you've got some stuff that's only available in Japanese. I love it when Kinugawa Masato releases some stuff in Japanese first, and I get to go read it and be like, hee hee hee hee hee. Like, I understand this. And then he does the English release a day later, and I'm like, shit. But I do love it when there's that aspect.

Joseph Thacker (38:51.458)
Yeah, that's funny.

Justin Gardner (39:01.785)
Yeah, yeah dude, so you dropped this one, this SVG related tweet in here as well, right?

Joseph Thacker (39:02.04)
So speaking of Gareth Heyes.

Joseph Thacker (39:10.092)
Yeah, yeah. So, obviously SVG XSS has been around a little while, and I do know and remember your rule about always paying attention to Gareth's tweets. So I actually wanted to, I wanted to ask you why specifically. Justin would not answer this offline, everyone, cause we thought it'd be great content for the podcast. What is special about this payload that made him tweet and share it?

Justin Gardner (39:20.419)
Hahaha.

Yeah.

Justin Gardner (39:31.479)
Yeah, so the payload that Gareth shared is an SVG XSS payload. And like you said, it's pretty common knowledge that we can get XSS from SVGs if the content type is image slash SVG plus XML. And then it's being loaded up in a frame in the browser, right? It doesn't work from an image tag, which is a common misconception. But what Gareth tweeted out here that's a little bit special is that you can actually use XML entities to sort of prime this attack,

which may help bypass some WAFs that are blocking your malicious SVG payload. Or it can also help in the scenario where your SVG is being sanitized when it's being uploaded. Because there is some SVG software that will look and say, okay, is there an href item in here that is being dynamically generated, or is there a script tag that's being created?

when I'm uploading this SVG file, and then stripping it out so it's non-malicious. Gareth is highlighting here that you can actually use XML entities, which is something we normally just associate with server-side attacks for XXE, to actually craft a malicious SVG that actually only becomes malicious at runtime when the XML is parsed by the browser. So very cool tweet here.

Joseph Thacker (40:50.018)
Yeah. Yeah, that's interesting. Like you said, even if you stripped out any script tags, this would still make it through that WAF or make it through that sanitization.

Justin Gardner (41:00.119)
Yeah, 100%. So this is another one that's kind of interesting to keep in your pocket. And I just want to shoot out a reminder, because there were a couple higher level hackers recently that I was talking to that seemed to be under the impression that you could get XSS from an SVG that was loaded into an image tag.

I'm happy to be proven wrong, but I've never seen that work. It's just when the browser is parsing the SVG in the frame directly, so you navigate directly to that SVG, that payload will actually pop, and that's because the browser is parsing XML as well with that SVG, not just considering it to be an image. So, yeah, that's a cool shout out as well there from Gareth.

Joseph Thacker (41:42.658)
Yeah. Right.

That's sweet.

Justin Gardner (41:51.301)
Dude, my throat is dying, man. It's, you know, it's winter here, it's been snowing this whole week and my everything is just so dry. It's, you got snow as well, right?

Joseph Thacker (41:57.39)
Yeah.

Joseph Thacker (42:00.898)
Yeah, we got, I mean, I'm sure that this is true all across the U.S., across the Midwest. We're getting more snow than we've basically ever gotten. We got like eight inches here in Kentucky and like three, yeah, and three to six are coming in the next two days. So I'm enjoying the cold plunge my wife got me for Christmas.

Justin Gardner (42:10.541)
Dude, no way.

Justin Gardner (42:16.473)
That's not, the cold plunge, my gosh. That's gotta be legendary. Yeah, we got like four inches here in Virginia, but we've had worse before. So the kids are having fun with it though, for sure.

Joseph Thacker (42:26.646)
Yeah. Nice. Well, I mean, your throat will make it through the next two, I think, right? We've only got two left.

Justin Gardner (42:33.111)
Yeah, yeah, so let me jump back over. I'm gonna just do one quick shout out to a project called curl-cffi. So many of you as you're building automation will run into the scenario where these sites are running Cloudflare and they will not like your TLS handshake that you do from like Python requests or something like that. Someone created this awesome project in Python.

called curl-cffi, which essentially allows you to impersonate Chrome's TLS signature or fingerprint and use it in Python. And you can just literally import from it, like import from curl-cffi as requests. And then you just use it like you normally would use requests. So it makes the transition really simple.

Joseph Thacker (43:22.188)
You need to, you're obsessed with these matrices. Make sure you share your screen and show the matrix of the support on there. Cause, cause Justin himself is a big fan of these, of these matrices. And then on top of that, this, this tool is really cool. So.

Justin Gardner (43:25.771)
OK. OK, all right, hold on. Let me do it.

Justin Gardner (43:32.707)
Dude, I love these, man.

Yeah, this is great. So this is the tool right here, curl-cffi. And it's super easy to integrate into the project. You can literally, I'm showing it on the screen now, but you can just from curl underscore cffi import requests and then use requests just exactly like you would as your primary, you know, HTTP interface in Python. And it allows you to impersonate Chrome super simply, which has allowed me to get around a bunch of Cloudflare related stuff.

So I wanted to just shout that out there for anybody who might be dealing with similar issues there. And then I'll jump right into this CSPT thing, if that's cool with you, before my voice gives out. So we're recording this on the 9th, and this was released this morning, so sorry guys if I don't do it full justice to the homies over there at Doyensec. But they've been doing some really awesome work on one of my favorite bugs.

Joseph Thacker (44:15.906)
Yeah. Yeah. Yeah, please do.

Joseph Thacker (44:24.216)
today.

Justin Gardner (44:35.469)
bug types, client-side path traversal. And we've done a bunch of masterclasses and stuff like this on this actual vulnerability type in the Discord, so check those out if you're interested. But the research that came out was essentially how to use one of the ways to exploit CSPT, because CSPT by itself is not a vulnerability, it's a gadget. And that gadget has to be weaponized with another gadget. And one of the most common ways to do that, there's like open redirect,

there's like response poisoning or whatever, and then one of the most common ones is to get a file uploaded onto the server that has like a JSON in it, and then get the CSPT to traverse, hit that JSON file, the JavaScript that triggered that fetch request or whatever will parse that JSON and use your malicious values and integrate them into the DOM and cause XSS or some bad effect on the application. So what the people over at Doyensec

did was a little bit of research on how to get fetch to process JSON effectively and with different file types. And the one that they released here was PDF and how a lot of the libraries for uploading PDFs will use very liberal checking of the magic bytes at the beginning of the file. And what was it like in the first?

Joseph Thacker (45:45.922)
Yeah.

Justin Gardner (46:02.009)
Yeah, in the first like 1,024 characters, if there is percent PDF, then it will bypass the PDF upload check. The PDF uploader will still think this is a PDF, and you can actually integrate just normal JSON into that file, which can then be processed by the CSPT. So they provided a couple different libraries, pdf-lib, and what was the other one?

file type within a specific language. I can't find the other one here. But there's a couple libraries that were vulnerable to this.

Joseph Thacker (46:41.774)
It was a magic one and then pdf-lib. And then that one you just mentioned. Yeah. The crazy thing is like, to me, this is really cool because I'm always thinking about, you know, the highest impact possible. And I love that file uploads are so frequently considered RCE, you know, this, in this case, it may or may not be. I didn't have a chance. Like you said, you sent me this this morning. I didn't get to read it all, but in general, that's fine. In general, file uploads are often RCE, right? And so.

Justin Gardner (46:59.288)
Hmm.

Justin Gardner (47:05.273)
Yeah, I just threw it right in front of you.

Mm-hmm.

Joseph Thacker (47:10.764)
Like understanding the way that the backend server is deciding whether or not a file type is allowed was really cool to me. Like when I was reading that, I was like, wow, this is amazing. Like not only can I potentially trick the content type, you know, header or directive there, but then you can also, you know, like I've known about magic bytes and how to potentially modify those, but it's, it's, it's a really cool idea that.

Justin Gardner (47:27.769)
Mm-hmm.

Joseph Thacker (47:32.214)
And I guess it's more just a cool vulnerability that some of these libraries do something as simple as look for the magic byte of, you know, percent PDF or whatever within the first thousand bytes. So.

Justin Gardner (47:43.075)
Well, that's a great point. I mean, this research is cross applicable in lots of areas, right? If there's very permissive parsing of this file type, then you might end up being able to get files on the server that contain malicious content easier. And normally when I think about the magic bytes, I'm thinking, these have to be defined at the very beginning of the file. But apparently there are a lot of

Joseph Thacker (47:47.16)
Yes.

Joseph Thacker (48:06.862)
first byte.

Justin Gardner (48:11.135)
PDF parsing engines that will allow it to be anywhere in the first 1,024 bytes. So this gives us a lot of flexibility, not only with client-side path traversals, which would just normally result in XSS or some impact on the client-side, but also in file upload scenarios, like you mentioned. Yeah, pretty solid. Definitely a big shout out to their team. They've been really diving deep on this specific vulnerability type.

And I love to see the research come out. And check that out, dude. They shouted me out at the end. They did. They did. And yeah, that was the other thing. I'm glad I scrolled down to the bottom to flex on the people about my shout out in this blog. Because they also mentioned this CSPT Playground, which is a GitHub repo that they released that contains a Docker container and a bunch of little labs that you can do to strengthen your CSPT knowledge.

Joseph Thacker (48:43.982)
Did they give you a mention? Nice.

Justin Gardner (49:08.837)
And guys, let me tell you, this gadget is everywhere. CSPT is everywhere. Massive bug type that is underrated by the security community in general, I think. So definitely something you wanna kind of wrap your head around and be able to exploit if you're doing web application auditing with any frequency.

Joseph Thacker (49:29.998)
Yep, there you go.

Justin Gardner (49:32.055)
All right, what's the last one you got on your list here? AI crash course.

Joseph Thacker (49:36.406)
Yeah, so I mean, in general, everyone wants a quick, easy hack, right? And everyone loves those resource-based GitHubs where it's like, here's a list of all the resources you need to know about XSS. And I do think it's kind of easy to ignore them or not ever go through them. But if people are willing to buckle down and really learn, I think that you can learn a lot of stuff in under two weeks. And that's what this link is that got shared. Let me see if I can share it really quickly. Share.

Sweet, yeah, single Chrome tab, perfect. So this has been going around in a bunch of the AI engineering circles along with a subtext that's basically like, get a, you know, become an AI engineer in two weeks. So supposedly you could take this AI crash course in two weeks, but it's just a list of resources. If you had to go from zero understanding to full comprehension of how current AI engineering works, basically it starts with like,

how do neural networks work, like what exactly is a neural network. So you can kind of skip some of this stuff if you want, poke around. And then they even highlight with asterisks the most important ones to focus on. But yeah, there's a list of paper. Yeah, there's a list of papers, a list of the major applications, some of the benchmarks, and then the video lecture series. You know, this is probably, if I were spinning up, where I would spend my time. I don't know why, I just learn really well by watching and then doing.

Justin Gardner (50:45.453)
Love to see this, man.

Joseph Thacker (50:59.19)
And so I would probably follow these while building stuff on the side as I go. Specifically Andrej Karpathy's series is great. In general, I don't think that, especially the hacker community, needs to like be training their own models or doing anything crazy like that, but understanding the power of these models and understanding how to plug them up with like tools

Justin Gardner (50:59.321)
Mmm.

Joseph Thacker (51:21.25)
and hook them up to different capabilities and functionality is really going to give you a leg up when it comes to hacking or building your AI tooling or your own AI infrastructure for yourself. So I just wanted to share this with the community because I thought it was a really great resource. Pick and choose, click through, learn, kind of fill in some of your gaps if you're interested in it.

Justin Gardner (51:33.079)
Yeah, yeah.

Justin Gardner (51:41.591)
Yeah, and I think even just understanding the basics of like LangChain and getting all this stuff in your normal development environment in Python or in Node or whatever you go or whatever you're writing in is really, really helpful because then you can start using this tool, AI, just as another piece of your automation. And yeah, I think any time that you move forward and you utilize AI, you're kind of providing more

cushion for yourself if you're worried at all about AI really affecting the security industry because you are now weaponizing that thing. You're gonna be the one that pushes that industry a little bit further with your innovation using the AI. So definitely a worthwhile topic.

Joseph Thacker (52:22.882)
Yeah. And I don't think, yeah. And I don't think we're all going to be replaced or anything anytime soon, but let's say in five or 10 years, we were to like see actual impact on bug bounty from these types of automation because XBOW pops off or something, you know, I think in general kind of getting up to speed with AI is going to mean that you will be the cream of the crop when it comes to companies that are trying to utilize or build on top of AI or

Justin Gardner (52:32.311)
Mm-hmm.

Justin Gardner (52:37.294)
Yeah.

Justin Gardner (52:46.905)
Mmm.

Joseph Thacker (52:47.138)
you know, want to implement or learn like what products are out there. So in general, I think it's a really nice hedge because it's gonna level yourself up while increasing your productivity.

Justin Gardner (52:56.973)
Yeah, I mean XBOW was what, 11th in the US last year, that was crazy. So definitely something to keep an eye out for. I'm not gonna call out our homies that work at XBOW at all. I don't know how much of that is like XBOW's product, finding bugs and like fully exploiting them on bug bounty programs.

Joseph Thacker (53:00.76)
Yeah. Yeah.

Justin Gardner (53:19.129)
I literally honestly just don't know. But I know that it would not be very hard for the folks that work at XBOW to get in the 11th place in the US. Those guys are some of the most talented hunters out there, the team from Spain over there. So definitely excited to see that though, because I think there is a lot of progress being made in the industry there.

Joseph Thacker (53:25.41)
to paddlestat.

Joseph Thacker (53:40.226)
Yeah. Yeah. Sweet. I guess one other thing I was going to ask you about before we close here was, if there was anything on the top of your mind for the listeners as they go into 2025. Since we just had the kind of all-hands meeting with the CTBB team, was there anything from that that kind of floated over that you thought the listener needed to know?

Justin Gardner (53:43.412)
Mm, yeah.

Justin Gardner (53:53.069)
Mm-hmm.

Justin Gardner (53:58.585)
Yeah, I think just as far as the direction that CTBB is going in 2025, we're really gonna try to focus on the research lab, trying to get research from the research lab and present it on the pod, so it's gonna be original research. And I just sort of reiterated with the whole team the North Star for Critical Thinking, which is we wanna deliver high energy, motivational, very technically informative content every week to the community, with the goal of even the most skilled researchers coming away from each episode with like, oh, yeah, I hadn't really thought of that, or, you know, I have one actionable takeaway that will change their methodology as they approach a target. And that's kind of what the North Star has been and I think will continue to be throughout 2025. It is easy to lose track of that, but we do have the team keeping us accountable now, you know, focusing in on that and really trying to spend more time developing the plans for these episodes so that we can get that technical depth required to achieve that.

Joseph Thacker (55:00.098)
Yep, absolutely. I think that that's been why I've loved Critical Thinking so much. And I think that it is a perfect North Star, right? Because our audience base, all of the listeners, all of our friends that we talk to and hang out with all the time, are such practical people. Like we all just want the practical brass tacks advice. Let me go with this so I can, you know, succeed more and make more money or just do something really groundbreaking. And I think, you know, we care a lot about those really cool novel breakthroughs.

Justin Gardner (55:07.011)
Mm.

Justin Gardner (55:14.583)
Mm.

Justin Gardner (55:21.273)
Mmm.

Mm.

Joseph Thacker (55:28.878)
The hacker culture and hacker subculture has always gotten really excited about novel breakthroughs, new techniques, new strategies. And yeah, we want to bring that to you all.

Justin Gardner (55:38.445)
Yeah. Dude, it's crazy though to see, to be in this researcher chat with the Critical Thinking research team. Like, you know, we've got Franz, we've got Matan in there, we've got Mizu, we've got Monkey Hacks, we've got Hakupiku, Piku-Haku, wherever, in Discord versus Twitter. But I mean, that team is really stacked and they really already, just in the week we've launched this, have bounced off of each other a lot, being like, what if we did this? We could have weaponized this this way.

So I really expect to see some awesome stuff out of them in 2025 and I'm really going to be privileged to distribute that on the podcast, I think.

Joseph Thacker (56:14.934)
Yeah. And one thing I think I told you in the all-hands a minute ago, and I told the rest of the team, I think that everything we talk about here is extremely applicable to people out there who are web app testing or pen testing. And I want the leaders of those organizations to be thinking like, our employees, our hackers have to be listening to CTBB, because that's going to make them the best version of themselves. That's going to make them the best hackers on the planet. And so

Justin Gardner (56:26.617)
100%.

Joseph Thacker (56:40.086)
Yeah, if you listen, or if you work at a place where you've got, you know, friends who are doing pen testing or doing web app testing, like definitely refer them to the pod, recommend people to check it out.

Justin Gardner (56:50.103)
Yeah, yeah, definitely. All right, man, I think that's a wrap on this episode. I'm gonna go get some like snow and like put it on my throat. It's so raspy.

Joseph Thacker (56:55.394)
Hahaha.

Sweet dude, yeah, thanks again. I'm excited about this year. Can't wait to bring more awesome content to you all.

Justin Gardner (57:04.473)
Sweet. Peace.