March 13, 2025

Episode 114: Single Page Application Hacking Playbook

Critical Thinking - Bug Bounty Podcast

Episode 114: In this episode of Critical Thinking - Bug Bounty Podcast we’re diving into SPAs and how to attack them. We also cover a host of news items, including some bug write-ups, AI updates, and a new tool called Hackadvisor.

Follow us on twitter at: https://x.com/ctbbpodcast

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor: ThreatLocker Cloud Control

====== Resources ======

Hacking High-Profile Bug Bounty Targets: Deep Dive into a Client-Side Chain

Research finds 12,000 ‘Live’ API Keys and Passwords in DeepSeek's Training Data

Hackadvisor

WP Extensions

Notebook LM

Pressing Buttons with Popups

Response to @RenwaX23

Prompt Injection Attacks for Dummies

Shadow Repeater

parallel-prettier

====== Timestamps ======

(00:00:00) Introduction

(00:02:15) Bug Write-up from @busf4ctor

(00:09:44) Scanning Common Crawl

(00:16:30) Hackadvisor and WP/Chrome Extension News

(00:24:15) Notebook LM, and Recent AI Updates

(00:31:58) Write-up from @J0R1AN and Related POC from @RenwaX23

(00:38:10) Prompt Injection Attacks for Dummies

(00:42:29) ShadowRepeater

(00:47:04) Single-page applications

Transcript

Justin Gardner (00:00.16)
We haven't squatted in a long time, and we did for the first time in a while, and I just can't even move. I'm just stuck in this chair.

Joseph Thacker (00:08.171)
By we, are you lifting with Mariah or did you go, you made the gym? Okay, cool.

Justin Gardner (00:10.934)
No, I'm actually lifting with So. So he's in town right now. We're going to do an episode with him like next week, hopefully. But yeah, he's been pushing me to get back in the gym and stay consistent with it because sometimes he has to drag me out of bed in the morning, like 6.15, I'm not wanting to get up. But it happens. And it does feel good. It does feel good to get back lifting heavy stuff.

Joseph Thacker (00:23.074)
Nice.

Joseph Thacker (00:28.632)
Yeah, yeah.

Joseph Thacker (00:32.866)
Yeah, that's fair. I've been off the train for the last week or two, so. Slightly back into action.

Justin Gardner (00:38.006)
Nice man. All right. Well, we have quite a list of news today. Let's kind of let's kind of go through it. I guess I'll take the first one. This write up really do this. The write-up is just like my jam right here right now. Like BusFactor, member of the CTBB community, you know, part of the Bug Bounty community in general, becoming a big name, did a great write-up with XSS Doctor on a series of vulnerabilities they found in. And I don't know if they named the target. I know the target. So

I guess I can't say what Target is, but I looked at this environment pretty extensively in the past and I was not able to exploit this, so I'm impressed that they actually found the full exploitation path.

Joseph Thacker (01:18.126)
Mm-hmm.

Joseph Thacker (01:24.322)
How far deep down this rabbit hole did you go?

Justin Gardner (01:26.356)
Dude, I was far. I was far. I had all but one of the components that they had to make it work. Actually, I'm sorry, two. There were two of the components that they had to make it work. So let me double-click into those real quick. This is an excellent write-up on client-side path traversal, which, of course, if you listen to the pod, you've heard me talk about. I love client-side path traversal. And BusFactor does some really great graphs in this write-up that show how this whole thing works, so definitely check those out if you're a

Joseph Thacker (01:31.616)
well.

Justin Gardner (01:56.152)
fuzzy on how CSPT works. Yeah, thank you. I will go ahead and share my screen. Yeah, the diagrams are great.

Joseph Thacker (01:58.05)
You wanna share your screen for the viewers? Yeah. They're mermaid diagrams.

Justin Gardner (02:06.646)
So it starts off with, you know, a client-side path traversal, and he is able to figure out a way to manipulate the path, right? Excellent. That's what we want with a client-side path traversal. And the problem is we need one of two things really to exploit a client-side path traversal. Maybe three. Let's call it three things. One, you need an open redirect, right? So if you can get it to then send the fetch request to your domain, right, then you can respond with stuff, and that typically has impact.

Two, if you have the ability to upload a JSON file or something like that, that the code that is doing the CSPT will parse and then do something with, that's one way to go. And then the third way is actually just to hit an endpoint.

with it if you're dealing with a POST request or a PATCH request that does something. Like I recently had one that just deletes the user's account. So they would click a link and it would just delete their whole account. And the one they opted for here was number two, where they uploaded a file onto the server. And that is how far I got to, Joseph. That is where I went. I was literally at this exact same point. But the only thing that I missed here was that when you go to this URL to download

Joseph Thacker (02:59.138)
Yeah.

nice.

Justin Gardner (03:22.088)
the file right here, you can see they have it as API marketplace files and then file number. It would just return a JSON blob saying here's the link to the URL or here's the link to the file, right? And it wouldn't actually return the file. But what they found was that if you add the redirect, yeah dude, well, I think, yeah, there's a typo in the screenshot. So sorry.

Joseph Thacker (03:38.616)
T redirect. No, just the redirect. Is there a typo?

Okay.

Justin Gardner (03:46.87)
And yeah, XSS Doctor's like, do tedirect.

Joseph Thacker (03:49.187)
Tedirect.

And BusFactor somehow still figures it out within the same minute. Because he changed the T to R. Okay, got it. That's funny.

Justin Gardner (03:54.95)
Yeah, yeah.

Yeah, yeah. So he figured it out. But this redirect true parameter was the thing that I missed, right? And essentially what that would do was make the file actually, make the server respond with a redirect to where the file was stored, which is awesome. And they popped it. I was a little bit salty, not gonna lie.

Joseph Thacker (04:20.718)
Little salty

Justin Gardner (04:21.94)
Well, a little salty. But then what I sort of also wouldn't have probably found or maybe

would have had a difficult time exploiting is this next section dude with the CORS issues. Because what happens here is, okay, now they're redirecting to their file stored in like an S3 bucket, right? But now they've got issues with CORS because CORS wasn't returning an access control allow origin star header so that the fetch request couldn't read the JSON from that cross-site origin.

And so what they actually ended up doing was manipulating a caching issue on CloudFlare, or I'm sorry, CloudFront, that would allow them to get the access control, allow origin star header cached in the response and then trigger the full flow, reading the JS file and then causing the XSS.

Joseph Thacker (05:02.402)
Wow.

Joseph Thacker (05:15.022)
That's insane.

Justin Gardner (05:16.128)
Pretty beautiful exploit chain here from BusFactor and XSS Doctor. And then they proceeded, of course, to explain how they fully exploited it with a... Yeah.

Joseph Thacker (05:23.922)
Well, that last gadget, just to be clear for our listeners who are trying to exploit something similar, is this a misconfig in the CloudFront that the customer set up?

Justin Gardner (05:33.428)
You know, that's a good question, man. To be honest, I think, I mean, it has to be, right? Because otherwise, if it was caching it that way, it would be causing problems any time you tried to access it. But I guess the signatures would be different. So, I'm not sure.

Joseph Thacker (05:38.136)
Okay.

Joseph Thacker (05:52.023)
It says right here, when we click it, the request doesn't include an origin header, so maybe that's the fix. It says this causes CloudFront to cache the response.

Justin Gardner (05:57.271)
Mm, mm, well.

Yeah.

Yeah, so what it says, to solve this we needed to avoid clicking the download button and instead let the CSP execute naturally, which would add the origin header automatically. When this happened, Cloudflare would respond with an access control, allow origin header. OK, so because they did a top, so I got it. So what they were doing before is they would upload the file and they'd the file, the button to grab the file link or whatever, and that would open it up as a top level navigation in their browser, which would cache not having

the origin header in place, right? But instead of doing that, they fed it directly into the CSPT, and the CSPT would set the origin header that it was sending from, you know, whatever site, and then it would work seamlessly. That makes sense. That's beautiful. That's a beautiful bug. I love that.

Joseph Thacker (06:49.528)
Yeah, yeah, really cool. XSS Doctor's everywhere these days.

Justin Gardner (06:53.374)
Yeah, dude, he's popping a lot of stuff. Yeah, and then the rest of this article, we won't dive into it too in depth, but they talk about how to exploit this by using scoped self-XSS. So they set a cookie to make sure that they are logged in for this file, accessing this file, just for their account on that endpoint.

which is something we talk about with Matan. We've talked about plenty of times on the podcast. If you don't fully get it, this is a good article for you to fully get it. But this technique is absolutely essential to exploiting self-XSS in modern environments. So good to see someone taking it, using it, and landing, I think, a 22K bounty for this one.

Joseph Thacker (07:35.95)
That's awesome. So this is all one finding or was there a multiplier?

Justin Gardner (07:38.39)
Yeah, this is all one finding. And look at this, dude. We even get a little shout out here at the end. So, yeah.

Joseph Thacker (07:44.43)
That's exactly right.

Also, it says awarded 7500 at the bottom.

Justin Gardner (07:50.87)
Yeah, guess it says 7500 but then or While okay. This approach worked on another target in same program earning me and my collab 22,000 this target was much better protected. Okay, gotcha Very cool. So this one's 7500

Joseph Thacker (08:00.46)
Got it. I see it now.

Joseph Thacker (08:04.44)
Got it. Cool dude.

Yeah, I will say most of my news is AI related, but we'll start with one that is not. I'm sure you saw this and everyone else did because it kind of blew up on X, but Truffle Security used their, you know, their very famous secret scanner to scan all of Common Crawl. So if you're not familiar with what Common Crawl is, it's a massive download of basically the entire internet and it's sort of cleaned up, but it's not really. And it includes like

Justin Gardner (08:11.548)
Mm. Okay.

Justin Gardner (08:25.078)
Mm.

Joseph Thacker (08:37.366)
like it's in like this kind of interesting, actually has like the raw request and response. So it includes, like it's, it's deeper than actually, I want to go through Common Crawl and look for stuff, but it's huge. I think it's, it's like, yeah, I'm sure someone has an index of it out there. That's like easier to look through on like Elastic or Kibana or something. But basically this is like the, the main training set for a lot, a lot of AI models.

Justin Gardner (08:47.894)
Mm, mm, 400 terabytes it looks like. Oh my gosh.

Justin Gardner (08:56.118)
Hmm.

Joseph Thacker (09:02.092)
because it has so much internet data on it. And they do a lot of cleaning it up, cleaning it up and removing special characters. And I'm sure they drop out HTML tags and all kinds of stuff. Like they do a lot of really unique things. The kind of nuance here with this post is when they tweeted it, they basically said in DeepSeek's training data, I think they were doing that just to like get it click baited and kind of go to go a little bit viral because Common Crawl is used for many more things than just DeepSeek. Like every company uses it as a base. And a little bit of their findings kind of imply that this is like dangerous because you can tease out.

Justin Gardner (09:04.149)
Wow.

Justin Gardner (09:20.394)
Mm-hmm. Mm-hmm.

Justin Gardner (09:25.375)
yeah.

Joseph Thacker (09:32.108)
these secrets that they found from the training data. And you can't do that with current models unless it's like really overfit. And what overfit means is just that when you're talking to the model, it'll output the training data and yeah. And like no models really do that today. I'm unless I guess it's possible that Common Crawl is used so frequently that there are some companies that are really poorly training their models and releasing them open source. Cause there's like, there's tens of thousands of maybe hundreds of thousands of models now on Hugging Face anyways.

Justin Gardner (09:43.294)
It'll just spit out the training data.

Justin Gardner (09:54.485)
Yeah.

Joseph Thacker (09:58.946)
All that to say, I thought that the idea of going through Common Crawl for Secrets was genius. Maybe people didn't do this because it was like, because it was so much data to go through, but they found like 12,000 live API keys and passwords, and I'm sure a lot of those were for bug bounty targets.

Justin Gardner (10:12.916)
Yeah, man, I mean, definitely if I was an attacker, this would be easy mode. You know, like if you were a malicious actor, that would be like, okay, just grab the whole internet and just grab the whole internet.

Joseph Thacker (10:19.042)
Yeah.

It wouldn't surprise me if nation states have already done that. Common Crawl has been out there and accessible for a ton of people for a long time. And being able to just write a singular regular expression, you know, I think they were struggling with the scale as well. And they're, they're like the forefront people in secret scanning, but they were probably scanning for a lot of different secrets. Like if you were a nation state actor looking for a specific type of API key for a specific service, you could just grep for that one thing and it would probably be pretty easy. And obviously, you know, nation states.

Justin Gardner (10:25.92)
Mm-hmm. 100%.

Joseph Thacker (10:49.26)
have the computing power to pull something like this off. I just thought it was a really genius idea and a really cool post. We'll put the link in the show notes.

Justin Gardner (10:56.842)
Yeah, dude. Yeah, I mean.

To be honest, Common Crawl, we've been using Common Crawl for a while as like just, I think it hooks into gau. gau uses Common Crawl and I think waymore does too, if I'm not mistaken. So we use it for like path enumeration and that sort of thing. But yeah, I hadn't really thought of doing the wide scale security research for that with regards to scanning for secrets and stuff like that. So pretty cool finding there.

Joseph Thacker (11:13.934)
Mm-hmm.

Joseph Thacker (11:26.038)
Also, I'm really glad that I didn't have to set up the modules for verifying if those keys were working. It feels like verifying if a bunch of keys that you're, that you're pulling are working for hundreds of different services is like a pretty big project, but it's also really cool to have going forward. Like if you could just drop a key in there and it would just check it for all the services and do whatever the auth checks are there to verify them as a really cool piece of technology to have that it sounds like they now have.

Justin Gardner (11:38.102)
Mm.

Justin Gardner (11:47.156)
Yeah, it's like KeyHacks, like automated. Yeah, I a little bit of a tangent, but.

Joseph Thacker (11:50.476)
Yeah, but automated, exactly.

Justin Gardner (11:55.102)
I was hacking on Google earlier this week and so and I, my buddy, were looking at Google's Chrome Web Store and I had this crazy idea for security research and like I kind of went down the path for it and it kind of dead ended a little bit because of the way that it is implemented but all of the organizations with all of the like extensions in the Chrome Web Store, if you're not a single developer, so if it's not tied to a single

Google account, right? Imagine if Grammarly or something like that was tied to a single Google account, right? It's tied to a Google group. So you actually go into groups.google.com and you create a Google group and then you like sort of slurp that Google group into Chrome Web Store. Then, yeah, and that Google group owns the extension, right? So, and here's the thing, in the documentation like 15 times they say, do not leave this Google group open.

Joseph Thacker (12:29.784)
Sure, all right.

Joseph Thacker (12:35.374)
Mm-hmm.

Joseph Thacker (12:43.52)
As like an owner? Interesting.

Justin Gardner (12:55.416)
Do not. Do not leave it open. Don't do it. You know, like, and I was like, some people are gonna have done that.

Joseph Thacker (12:55.458)
Right.

Joseph Thacker (12:59.138)
Yeah, yeah. There's some that are definitely open, yeah.

Justin Gardner (13:02.558)
And so I was like, my gosh, I got to go and check and see if there's any way for me to find the Google Group associated with a given extension. And I was like, surely this is possible. Dude, I know. And I spent so much time looking through the Chrome Web Store, and maybe it gets put inside the CRX files. But I couldn't find it anywhere. So if anybody wants to go after that, that would be really cool. Because if you could take a Chrome extension, identify what Google Group is associated with it, then you can check the permissions on

Joseph Thacker (13:09.41)
Yeah. Yes. it feels totally possible.

Joseph Thacker (13:19.608)
The files, yeah.

Justin Gardner (13:32.472)
that Google group and some of these Google groups are just anyone can join. So then you could.

Joseph Thacker (13:37.302)
Yeah, dude, we need we need a channel on the discord that's called like close the loop because we say this all the time. It's like if you if you use what we said here for this thing, come back and close the loop on it. And I want to have a close the loop section on episodes where if anybody found something that we mentioned, then we close the loop on it. And so yes, if someone does this, please go close the loop.

Justin Gardner (13:41.493)
Yeah.

Justin Gardner (13:45.919)
Yeah.

Justin Gardner (13:52.278)
That's a great idea. Oh, oh, speaking of that, let me, dude, I don't even know if I put it in the notes, man, I'm sorry, our news section is gonna be super long.

Joseph Thacker (14:00.717)
It's gonna be long today.

Justin Gardner (14:01.622)
Yeah, so here's what we'll do, y'all. just, you know, if you're interested in the actual topic of this episode, which was single page application hacking, just jump to the timestamp, because this is gonna take a second, okay? Somebody messaged me and said, what is it called? Hackadvisor.io, that's what it's called. Because we talked about essentially providing ratings for bug bounty platforms, right? And we said, hey, we don't wanna do that, that's gonna be tricky, you know, like managing all the data, private programs, blah-dee-blah. And somebody

besides us did it, so I'm like great. I don't have to do that shit, that's wonderful. And it's hackadvisor.io. Yeah, I mean, I don't know how it's gonna go. They have Intigriti, YesWeHack, Standoff365, which is the first time I've heard of that, Bugcrowd and HackerOne on there as platforms, and they've got, looks like quite a decent amount of actual programs.

Joseph Thacker (14:56.684)
It's not overly intuitive. So if you scroll down on the main page, I thought they would like have it all sorted. You have to scroll down to see the platforms and then in each table is the program.

Justin Gardner (15:06.804)
Yeah, yeah, so the UI could definitely use some work, but you click on each individual program and, yeah, yeah, the UI looks great, it's just not super intuitive, and then it says, you you can leave feedback if you've logged in, they load in some of the metadata about the program. But yeah, I mean, to be honest, it's something the community really needed, so yeah, I'm glad somebody did it. Mm-hmm, yeah, rating system.

Joseph Thacker (15:12.394)
it's a pretty UI though. I like that.

Joseph Thacker (15:24.59)
This is cool.

Joseph Thacker (15:29.262)
So there's ratings, it looks like. So if you click into one, let me see what the rating looks like. yeah, so no comments. I wonder how you write.

Justin Gardner (15:35.926)
The rating is like between 1 to 10. So right now, Grafana Labs is the top one on Intigriti.

Joseph Thacker (15:42.06)
No, no, it's not. No, it's not. Well, if you click more, maybe, okay, I got you. It goes beyond ten, but you're saying, yeah, yeah, it's like an order. So it's like the best program on that platform. That's cool.

Justin Gardner (15:52.934)
Yeah, exactly. So according to this right now, Intigriti's best program is Grafana Labs.

Joseph Thacker (15:59.766)
It shows HackerOne's best program is AT&T.

Justin Gardner (16:02.77)
Yeah, I don't know about that. I think it needs data, you know?

Joseph Thacker (16:04.514)
But, well, okay, sorry, the bounty average here is $350 on AT&T, so it shouldn't be rated number one. But I think it might be ranking it by reports or reports times rewards or something. Yeah, but it's cool that they have like, it looks like green and red bubbles, like you're gonna be able to upvote and downvote.

Justin Gardner (16:16.021)
Yeah.

Justin Gardner (16:22.014)
Yeah, it's kind of like Rate My Professor, but for a program. Did you ever use Rate My Professor in college?

Joseph Thacker (16:27.008)
I did. Yeah. I mean, it was so helpful to know who you cause like whenever you're trying to make a, when you're trying to make your schedule for the next year, knowing which, which one's good and which one's bad is huge.

Justin Gardner (16:29.615)
yeah.

Justin Gardner (16:35.876)
my gosh, yeah, and you know what's crazy too is like my schedule was kind of tight in college so I had to like, sometimes I had to take a professor that wasn't great and you get into that class and it's like totally accurate, right? It's like, you're right, this guy sucks. So it's wonderful. Hopefully this will turn into that for programs.

Joseph Thacker (16:46.732)
Mm-hmm. Yes.

Joseph Thacker (16:54.416)
Okay, cool. So I set up an account. I'm just gonna see if I can now vote

Justin Gardner (16:58.496)
Yeah, let me, and I'm gonna go ahead and go ahead and add this to the links for the episode. Richard, I'm gonna put it under news. I love how we just do like, yeah, logistic stuff in the middle of podcast. All right, let me know how you go. Let me cover this next one really quick while you're doing that.

Joseph Thacker (17:06.21)
We're finding news, this news discovery.

Joseph Thacker (17:15.418)
this is cool. Before you can actually feedback, have to verify, have to log into your profile and complete the verification process for your, for like your, what's it called? Your pro, yeah, your platform account.

Justin Gardner (17:26.036)
your platform account? dude, that's exactly what we wanted to do. What's the process like? Do you have to put a hash in your bio or something?

Joseph Thacker (17:34.254)
to verify the profile and gainability, click the add button and select what you're listed. Yeah, let's see what happens. Intigriti, Rez0, maybe it might just trust you anyways.

Justin Gardner (17:39.36)
Wow. All right, Rez0, you take a second, figure that out, and then come back and deliver it to the people. Let me tell them about this next thing really quick, okay? Not a big thing, it's not gonna take very long. There's a tweet from somebody I follow, Yosuke Zan.

Joseph Thacker (17:48.738)
Yep. Perfect.

Justin Gardner (17:59.158)
And it was in Japanese, but the tweet was a POC for CVE 2025-2475. I'm sorry, 24752. And that was an XSS.

as on admin of a WordPress site for a plugin that has two million installs. And I think this kind of just slid under the recon radar. here's a little freebie for those of you guys that do recon. Fingerprint this shit and at least try to submit it to Bug Bounty. I know that sometimes it's a little bit difficult to get admin facing XSS in WordPress accepted, but this one has two million installs. So I imagine there'd

Joseph Thacker (18:21.046)
Wow.

Justin Gardner (18:44.542)
quite a few and I definitely think that they could walk away with some bounties if they if they went ahead and sprayed this so give it a shot let me know how it goes and and this is a little tidbit for the listeners that do it early enough listen to Critical Thinking podcast as soon as it comes out and then take action right away so okay what'd you find Rez0

Joseph Thacker (19:01.75)
Yeah. I, well, I'm actually, well, I'm sorry. I've got two things and neither one of these are on the news. The first, the first on our news list. The first one is they manually review it. It looks like when I submitted my username, it said like, it says, we'll review this. So I kind of liked that at first, you know, integration with the platform can come later, let them manually review stuff. And then the second thing is I'm circling back to your Chrome extension thing really quickly.

Justin Gardner (19:15.145)
interesting. OK.

Justin Gardner (19:27.006)
Mm-hmm.

Joseph Thacker (19:27.31)
So I'm sure you noticed this, you didn't, I'm sure have noticed, my uBlock Origin got removed. And that is one of like, let me actually look up how many extensions it is. I think hundreds of thousands of extensions did not update their manifest file. So they're getting, yep, sorry, 84,504 Chrome extensions are disabled in the next few months. That was posted in August of last year, they just got disabled. What this means is there is a huge,

Justin Gardner (19:31.926)
Mmm.

Justin Gardner (19:40.149)
Yeah.

Justin Gardner (19:50.496)
Wow.

Joseph Thacker (19:56.822)
market for builders. Like if you had an extension that you love that went away, go use AI to rebuild it and just put it on the store and you can, you can easily make some money. You can make it easily blow up. You could do that for hackers specifically. Like, I don't know if like.

Justin Gardner (19:58.199)
Mm-hmm.

Justin Gardner (20:03.222)
Mm-hmm.

Justin Gardner (20:08.094)
Yeah, the thing is Chrome extensions are kind of hard to monetize, man. They are a little bit difficult. I mean, Grammarly does this successfully, so there's a nice use case for you. From what I've seen, they're pretty hard to monetize per install, and they're pretty cheap to buy, too.

Joseph Thacker (20:12.396)
Really?

Joseph Thacker (20:16.824)
Mm-hmm.

Joseph Thacker (20:23.502)
Yeah, that's what I was gonna say. I feel like I've seen people exit for 50 or 100K on Chrome extensions though, which I mean, if you can get one going and just drop it off, kind of neat. But I did want to mention that because it's kind of cool. It probably affects all of our listeners because we all have a bunch of Chrome extensions we use. If anyone has like a really recommended uBlock Origin alternative, there's probably just a way to reinstall it if I wanted to, but.

Justin Gardner (20:27.358)
Yeah. Yeah.

Yeah, not bad.

Justin Gardner (20:42.974)
Yeah, I just force reinstalled all the ones. I said, no, just ignore the Manifest V3, just install again.

Joseph Thacker (20:45.118)
Yeah.

Justin Gardner (20:48.79)
Dude, Manifest 3.3 is such a shit show too. Like I've been creating an extension recently and it doesn't allow you to like mess with, grab the data from the response of an HTTP request. And I'm like, what? Like that's so pivotal, you know? To doing an extension. So what I ended up having to do, and you have this extension, I don't know if you've installed it yet, but what it's supposed to do, or what I had to do was hook in

Joseph Thacker (20:54.146)
Mm-hmm.

Joseph Thacker (21:06.582)
Yeah, yeah.

Justin Gardner (21:18.744)
into DevTools with the extension because there's like a debugger permission that you can give the extension and then it can hook into DevTools protocol and then.

Joseph Thacker (21:20.078)
Hmm

Joseph Thacker (21:28.078)
You're telling all of the scammers and malicious Chrome extension developers who listen to our podcast how to get the functionality back they want.

Justin Gardner (21:32.45)
Yeah.

Justin Gardner (21:36.982)
Well, dude, no. But the thing is with that is the functionality's there, but what happens then is whenever it attaches the debugger to any tab, it pops up a little bar underneath your bookmark bar that says, this plugin is debugging your shit. So it is very in your face about it.

Joseph Thacker (21:52.863)
okay, that's nice. That's good.

More secure. Yeah.

Justin Gardner (21:58.312)
Yeah, but then, I don't want that, and I use this thing all the time, so what did I do? I disable it at the flags level, right? And so now I just think it like, wow, they just really shot themselves in the foot here with this, because now I've just disabled Chrome extensions hooking into my tabs via debugger because I don't want to be bothered by this little bar every time. So I don't know, man. Maybe it's a good security posture decision for Chrome in general, but it's a pain in my ass as a hacker. Yeah.

Joseph Thacker (22:09.047)
Right.

Joseph Thacker (22:16.76)
All right.

Joseph Thacker (22:24.45)
Yeah. Sweet. Exactly, exactly, exactly. That even was on your list, right? That was just your riff in there.

Justin Gardner (22:26.582)
Which is probably what they want to be fair, but

No, that was just me ranting. We're just doing our thing today,

Joseph Thacker (22:37.312)
Okay, sweet. I think it's my turn. No, yeah, it is. Yeah, you talked about Hackadvisor. So this is just gonna be even quicker, I hope and think. I know a lot of our listeners like take really great notes. I saw that and also know that a lot of our hackers are sometimes wanting to ask questions about code bases that are longer, like larger than 2 million tokens. And you know, like Cursor and Windsurf like have ways to do that. I've heard Windsurf is quite good about it.

Justin Gardner (22:41.268)
Yeah, go for it. Yeah.

Mm-hmm. Mm-hmm.

Mm.

Justin Gardner (22:57.494)
Mm-hmm.

Joseph Thacker (23:05.046)
I've never really used Cursor to chat with code bases. I thought that was a good idea though. Could you imagine like, let's say you're hacking open source project, like you're doing code review on GitHub for a program. If you clone it and then open Cursor and then ask questions about the code base, about things that might be insecure, it might actually flag things for you that are pretty cool because it's good at code base search. But anyways, the thing that I wanted to actually bring up is that Notebook LM is still underrated. I know people we've mentioned it or people have probably seen Notebook LM for like the podcasting stuff you can do.

Justin Gardner (23:09.718)
Mm-hmm.

Justin Gardner (23:23.028)
Yeah.

Joseph Thacker (23:32.898)
where you can make a podcast and it sounds very natural. But like the whole purpose of Notebook LM, the way it was originally designed was basically you put a bunch of notes in there and then you can chat with your notes. And so you can do that with entire code bases. You can do that with all of your bug bounty notes and it like will contextually pull in the right data. And Google DeepMind is really good at what they're building. So I would imagine it's quite good. I don't have like significantly strong notes. I was also thinking about what would you think about?

Justin Gardner (23:35.102)
yeah, I love that.

Justin Gardner (23:42.464)
Mm-hmm.

Justin Gardner (23:50.485)
Wow.

Joseph Thacker (23:57.836)
basically using in Caido or Burp like exporting a bunch of requests and then throwing it in there and then just seeing if you could ask it about the request. It'd be kind of neat. So people should do that.

Justin Gardner (24:04.842)
Wow, that would be pretty neat, dude. Yeah, I...

I know that recently there's a hacker that I really respect, definitely like top three hacker that I know for as far as source code review goes. And they recently said that they're a little bit, you know, thinking that that Claude 3.7 is is gonna like really be a lot, you know, like, and so I think that that is pretty sick. And that hackers really need to be leaning into using LLM stuff, which is also just one of the reasons I'm so grateful that

Joseph Thacker (24:14.764)
Wow. Wow.

Joseph Thacker (24:23.064)
worried.

eat their job. Yeah, yeah.

Justin Gardner (24:38.614)
that you decided to come onto the pod as a co-host because I think you do have a lot of that AI angle that's really necessary to the growth of our industry. I'm definitely, like within the past week or two, I've become a little bit more convinced that I need to be leaning into this a little bit more than I am. Because there is, I mean, the game is about to change, for sure.

Joseph Thacker (24:59.37)
Yeah, I think so. And, you know, my advice to your buddy would be like, if three seven is going to eat everything, like you be, you be the person that's holding three seven as it eats all the bounties. Like you be the, the hand that it's feeding. Right. Like, I mean, yeah, lean into it and use that. I'm sure that, you know, eventually some tools will come out that company or that companies will, especially enterprises will deploy that will find vulnerabilities on the way out the door via code review. But in the short term, it's like for all of the code review, bug bounty programs, like use three seven to go through that code and find vulnerabilities for you. Right.

Justin Gardner (25:07.186)
Exactly. Yeah. Mm-mm.

Justin Gardner (25:21.427)
Hmm.

Justin Gardner (25:28.138)
Yeah, Grafana, I mean, according to Hackadvisor, Grafana is a top program and they are open source, so you can go and grep that whole thing. Dude, I will say though that I've been like pretty blown away with Cursor's ability to consume code recently and give like a contextual thing. Like, I don't know what they did with between the past couple updates, but I'll ask it about something and it'll be like, okay, first I need to like identify how this piece of code works. And then I need to like grep for this. And I see all the uses of XYZ here. And then, and like, and then,

Joseph Thacker (25:33.03)
that's cool.

Joseph Thacker (25:52.846)
Mm-hmm.

Joseph Thacker (25:56.631)
Yeah, yeah.

Justin Gardner (25:58.064)
and it very systematically goes through the whole code base and can apply mass changes very consistently across the whole code base. So, very impressed. go for it, yeah.

Joseph Thacker (26:07.212)
Yeah, I, yeah. So that was like my next thing. So I can just roll into it real quick and then we can go back to, yeah, it was basically the fact that within the last few weeks, we haven't had a lot of times in the news. Grok 3 has come out. Sonnet 3.7 has come out and GPT-4.5 has come out. And with all the AI people that I follow, like there are people using each of those in unique and cool ways that are totally state of the art. Like I've been using Grok 3. It's definitely the smartest at like, like I was asking about the content for this week's show notes and it's like,

Justin Gardner (26:15.744)
Mm-hmm.

Justin Gardner (26:34.55)
Mm-mm.

Joseph Thacker (26:35.66)
Yeah, like, you know, make sure using LinkFinder and like, like stuff like, like it's like referencing and it was, it was saying like, you know, make sure you use match replace rules in Burp's match and replace section and other models didn't get like, and in the weeds or as technical and you know, I'm holding that masterclass on Tuesday where I'm talking about how to hack AI agents. When I put the context of my, of my, huge blog posts, like, you know, 5,500 words in there about AI security. I did that for all the top models. Cause I just wanted advice for like, Hey, what am I missing here?

Justin Gardner (26:38.294)
Mm-mm.

Joseph Thacker (27:04.812)
What, what things have I not talked about? What examples did I not have? What scenarios was I not thinking about? None of them gave me anything useful besides Grok 3. And he gave me two things that I added immediately. So I think that Grok 3, even though it doesn't do well with long context, it's not going to do well if you incorporate a Cursor in my opinion, cause it's not as like excellent on tool calling, but I think that it has a deeper technical understanding of app sec and AI security than any other model. So if you're using, yeah. And it's free. If you have like a premium thing to use, I think you get limited per day, but like,

Justin Gardner (27:12.532)
Wow.

Justin Gardner (27:27.712)
That's really interesting.

Joseph Thacker (27:34.232)
But some of the other ones are like 20 bucks a month or 40 or whatever. And I think Grok Super is 40. But if you just have like the $8 a month, you know, Twitter premium or X premium, you can still use it a bunch in the UI. And that's what I've been using and it, you know, I haven't run out of requests.

Justin Gardner (27:47.488)
Wow, that's pretty sick dude. Yeah, I heard Grok 3 was doing really well. And what surprises me, and I've heard a ruckus about Sonnet 3.7 as well, but I haven't heard much about GPT 4.5. So I guess that's, yeah.

Joseph Thacker (27:58.476)
Yeah, let me tell you real quick. One, to circle back what you said about 3.7, it's definitely the best at coding. And now Cursor defaults to that agent mode. That's why you were able to see that stuff it's doing. And then it does more pulling of like, it does more pulling of code that's not full files. You probably saw that like when it searches for like a function name and it goes and looks it up, then it'll say like, getting file or lines like 100 to 150, like around that function name. So that's probably what you saw. Sonnet 3.7 is fantastic, much better at coding it, you know,

Justin Gardner (28:05.642)
Mm-hmm. Mm-hmm.

Justin Gardner (28:16.374)
Mm-hmm.

Justin Gardner (28:20.918)
Mm-hmm.

Joseph Thacker (28:27.534)
the scores from software engineering benchmarks. As far as 4.5, initially when it launched, it did not have great benchmarks, but everyone who used it said it had like the big model smell more than any other model. And so like it's much more human-like when you interact with it. It's not as prone to give you like these gigantic pair, like Wikipedia articles for your questions. It's going to give you a much more contextualized, shorter, smaller, better answer.

Justin Gardner (28:46.262)
Mmm, okay.

Joseph Thacker (28:51.744)
And I have heard from some people that even though it's not as good at coding as like Sonnet 3.7, if you're trying to one shot like an entire application, that it can sometimes solve one shot requests for like a big app, complex app that Grok or 3.7 failed to do. So I think it's basically on par with them, maybe not as good as 3.7 if you're like having it interact with your entire code base. Like I think clearly 3.7 is the best thing in Cursor and then Windsurf and all of these things.

But I think as far as like, you just have like one big app and you're just wanting to generate your initial POC, 4.5, it might be the thing to go to. So yeah.

Justin Gardner (29:22.912)
Wow, interesting. And I think that's often what we do as hackers is there are some moments where we are trying to just write a whole application. But most of time, we're just writing a little POC script. And it's like, just write this thing that does this thing, just like this.

Joseph Thacker (29:39.788)
Yep, it can be a little slower than the other, so that might be frustrating for that, but if you have the time to wait for it.

Justin Gardner (29:43.968)
Yeah, yeah, and the denials are kind of a pain too. So I would like to see less of those moving forward. And I know that's gonna be a pain for some of the stuff that we're trying to integrate into Caido, to Shift, in this upcoming section, so development cycle. I think that'll be a challenge moving forward for security researchers. Really, that's sick.

Joseph Thacker (30:06.776)
Grok will deny nothing, so Grok is basically a jail bro.

Justin Gardner (30:10.878)
That's awesome, Yeah, I have seen that it's pretty unhinged. Like, yeah.

Joseph Thacker (30:13.854)
It is, it can be unhinged. Yeah, there's like an NSFW like voice mode and stuff on the app. It's like, it's kind of crazy. Yeah.

Justin Gardner (30:19.362)
My gosh, that's hilarious. All right, so moving into the next one, there was a write up by Jorian, another valued member of the CTBB community. And this one was sort of building upon the work that we covered, I guess when this launches probably two weeks back with Paulos on the double click hijacking and some of the pop under stuff that he's done. And so I read through this article and there's some

very interesting things in here with hijacking, essentially using another frame in hijacking the details about how our clicks and our spacing are hitting our space bar works. Very interesting stuff, but the two main takeaways that I'd like to distill it down to for you guys, for me, were these two sections right here. The pop under is what he mentions this as.

Joseph Thacker (31:13.502)
another great trick for scammers who are listening. We should just, we should rename this episode, Tricks for Scammers. New browser tricks for scammers.

Justin Gardner (31:16.278)
Yeah, sorry guys, I'm like... New browser tricks for scammers.

Joseph Thacker (31:29.422)
He would probably do the rounds on YouTube if we did.

Justin Gardner (31:31.166)
My gosh dude, that's hilarious. Well, you know, now I gotta deliver, so here's how you do the pop under guys. One of the things that's been tricky with window.focus, and I love that somebody else said this because this sums up my experience with window.focus completely. Quote, there is the intuitive window.focus method that should allow you to focus any window reference. In reality, this method very rarely works and you should definitely not rely on it from my experience. I totally agree. It's just very weird how that, I don't know why that

just so rarely works. But he said there's another more secure way of focusing a window, and that's using the target argument of window.open. And I use the target argument of window.open all the time. And for some reason, I never considered this as a possibility for focusing windows as well. So definitely a cool approach here is that you can perform a window.open and set just the hash on that page, and it will not really

load the page, but it will focus that window if you provide the correct target, which is the name of that window. And it's in the shared browsing context. So that will be really helpful for causing pop-unders.

Joseph Thacker (32:43.18)
Is that something that they could remove for security purposes down the line? It's useful.

Justin Gardner (32:46.632)
not really, there's too much legacy, there's gonna be too much stuff that's depending on that functionality to work. So I think that's one really cool takeaway is using that for a pop under, which can be really helpful for these sort of attacks. And then the...

Joseph Thacker (33:01.646)
Did that remind you of anything that you could have potentially exploited in past that you weren't able to? Not really.

Justin Gardner (33:07.444)
Yeah, you know, it's a useful piece of functionality for crafting some really obscure out there exploits. But to be honest, if my exploits are getting to the point where I'm needing a pop under and stuff, I start to question, is this exactly what I should be doing with my hacking time? I'm not sure. So it's cool. It's something to have in your pocket. There's a scenario in which it could be helpful for an exploit, especially if you're in a live hacking event or something and you just really want to make

something work, but you know it's probably not gonna land you a crit. So, alright, and this other one was this, this other one was this right here, which is using the window.moveTo function. I'm a big fan of like knowing what functions you can call on a cross origin window, and there is this moveTo method that you can call on a pop-up window, and that will move the, the,

Joseph Thacker (33:41.464)
Sure, cool. The second thing.

Joseph Thacker (33:54.926)
Hmm.

Justin Gardner (34:02.812)
the window to a specific spot. And I've seen people do really funny stuff with this sometimes, like you'll try to go close a tab and it'll like move out of the way, you know, and stuff like that. So there's some weird stuff you can do with that. Yeah, there you go guys. But all of these can be useful, you know, and in this scenario he just provides an improvement to the double click jacking techniques where, you know, you needed to align the button with the

Joseph Thacker (34:10.088)
Mm-hmm. I hate that so much.

Joseph Thacker (34:16.376)
That's the Scammer Trick number three.

Justin Gardner (34:32.054)
button on the window that you're trying to click jack on. And this move to functionality makes it much more simple. Yep. All right, so that's that one. Let's see, where are we at? Okay, I'm sorry. Let me take the next one. This one is gonna be real quick, but it's in the same vein since we're talking about pop-unders. There was a tweet that was...

Joseph Thacker (34:39.224)
Yep. Sweet dude.

Justin Gardner (34:56.542)
responding to the article that we just covered by RenwaX23 and he drops a POC right here. I'm just gonna show it on my screen. He said I reported this to Chrome, but they're not gonna patch it. And so he drops like this POC and it's so interesting. Let me see if I can actually get it to share what the POC actually does. But essentially the TLDR of it is you click on the screen and it pops up a new window. I'm not sure it's gonna show in my environment. No, it's not.

Joseph Thacker (34:58.616)
Hmm.

Joseph Thacker (35:02.584)
You

You

Joseph Thacker (35:24.652)
Yeah, the pop-up didn't show, yeah.

Justin Gardner (35:25.908)
the pop-up didn't show, but it pops up a window and then it triggers like this sign in with Google auth, which has some connection to Chrome and it will pop up this little side panel, which you also can't see on my screen share, so sorry about that. But it pops up another little screen at the top right that says sign in with Google, you know, and it's like a part of Chrome. But when that piece pops up, it triggers a DOM event on the page and it moves that window that you just opened back.

and brings your window forward. So it's effectively a pop under. You can pop up a window and then move it under your current window by utilizing this focusing mechanism that comes along with the sign in with Chrome functionality.

Joseph Thacker (36:08.61)
Sorry I started laughing so hard when you started saying that, it just feels like the same exact vein, so.

Justin Gardner (36:12.694)
It is, dude. I mean, there's lots of ways to accomplish it. But this one, I think, is particularly creative because it utilizes Chrome's own sign-in with Google features to cause the pop-under.

Joseph Thacker (36:26.126)
Yeah, that's cool. Yeah. Very cool. I don't know how much of this we want to keep going through or if we want to pivot.

Justin Gardner (36:36.374)
We'll tell you what, let's do this. Okay.

Joseph Thacker (36:37.664)
Let me at least cover this last thing, just real quick. The very last link here in our notes, and I'll share my screen to show everyone, is a person named Devanch, or Devanch. Their hacker handle looks like it's it's Asmodeus in Leetspeak. Let me share.

Justin Gardner (36:47.926)
Mm-hmm.

Justin Gardner (36:52.181)
Mm.

Joseph Thacker (36:58.766)
Also, the name's great, right? Like I love the everything I learned or everything I'll forget type post, but they tweeted this, everything I learned about prompt injection attacks in the last two years in this guide. This should be your stepping stone into the routine of, into the field of AI red teaming. So I'm going to switch to that tab. Basically it is an extremely comprehensive guide for a bunch of ways to do prompt injection and jailbreaking. Like extremely comprehensive. I actually, it's so comprehensive.

that I was scared I would lose it. And so I just saved it off to a different place in case they take it down, because I want access to this. And I think it is similar to my mega post I just released on how to hack agents. This is something I think you can copy and paste into a model. And as long as it doesn't get derailed by all of the prompt injection payloads in here, it would be extremely beneficial for generating more prompt injection payloads or more jailbreaking payloads. Yeah, I was just really excited to see this. So this link will be in the show notes.

Justin Gardner (37:31.178)
Hahaha!

Justin Gardner (37:37.718)
Mm-hmm.

Justin Gardner (37:53.524)
So this is like a source for what you would feed into AI to generate AI jailbreaking payloads.

Joseph Thacker (38:00.526)
Well, I'm saying you could do it for that. In general, this should just be a reference for when you're looking at jailbreaking and prompt injecting. It's like similar to my mega post. I think you want to look in here for both ideas and for payloads that you can copy and paste and then just adapt to your usage.

Justin Gardner (38:13.504)
Dude, I don't know, man. I just don't love jailbreaking models. It's just so like annoyingly non-deterministic, you know? my God, okay, fine, go.

Joseph Thacker (38:22.486)
Okay, well, I'm gonna have to jump to my other news note then, because I think you're gonna love this. Haddix, as a part of his Attacking AI course he just did, built a tool that allows you to just give it the thing you're trying to do, like a tactic or a technique, and then a bunch of obfuscation things, and it just generates all the payloads.

Justin Gardner (38:29.909)
Yeah.

Justin Gardner (38:35.88)
Yeah.

Justin Gardner (38:40.02)
Wow, and then you just need to try them over and over until you get the result.

Joseph Thacker (38:43.84)
Yeah, yeah, I assume you just use them in Automate or in FFUF or whatever and just get the outcome you want. But you could imagine that you want to do data exfiltration by image markdown rendering with every obfuscation technique. Then you would just generate all this payload. You would choose chat history or system prompt exfiltration. Then you would choose image markdown rendering. Then you would choose select all. Then you click download. And then all of a sudden it gives you a text file or whatever of all of the payloads to do that.

Justin Gardner (38:48.267)
Wow.

Justin Gardner (38:56.79)
Hmm.

Joseph Thacker (39:12.886)
I hope that there's a feature where you can give it an abstract goal and then it uses an LLM to generate the payloads for you on the backend. I think that that would probably be a product he could even sell. So anyways, yeah, free shot out there. Yeah, cause I agree with you. It's tough. Like the non-determinism makes it like less fun to hack than just like traditional vulnerabilities.

Justin Gardner (39:22.942)
Hmm. Hmm. Very interesting. Yeah, that sounds...

Justin Gardner (39:32.008)
Yeah, and I don't know, I guess I'm just so used to that moment where I'm like, yes, I exploited it, you know? And then like, when I'm jailbreaking something, like press enter again and it's like, no, and I'm like, shit, you know? Like, it's so frustrating, you know? Yeah.

Joseph Thacker (39:42.807)
Yeah.

Joseph Thacker (39:47.242)
Yeah, I was speaking, I was speaking to all of HackerOne staff in Dallas this last week and Shlomi mentioned that same frustration and how that that affects him whenever he's hacking. And I think that, you know, one thing that I brought up that was really interesting is it can determine, it can be kind of affected by whether the model is quantized in that moment. And another really frustrating thing is that a lot of times these apps on HackerOne, you've probably hacked on some of them, like the AI challenges will have

Justin Gardner (40:10.357)
Yeah.

Joseph Thacker (40:17.198)
like built in history and no way to clear that history. So once they're in like this mode of rejecting you, then they just keep rejecting you. And so it's really frustrating as a tester, um, because you don't know what to do, right? It's like, I just send a million messages to kind of clear that out of the context or whatever? And so, yeah, you're right. It can be really frustrating to hack these applications. And if there's program managers listening, like that's like really good advice, like that you should set up some mechanism by which, cause a lot of these are like alpha features, right? Because companies want them tested before they like put them all the way to prod.

Justin Gardner (40:31.958)
That's, yeah.

Joseph Thacker (40:44.398)
you still want to give a way to kind of reset the context or the chat history in such a way that each attack can be fresh.

Justin Gardner (40:50.39)
Yeah, absolutely. think good insights there.

Moving to the last news topic, we do have to cover Shadow Repeater. I think that is a really cool project that Burp released. And I looked at the video that Gareth posted, and I love the concept of having sort of like an AI watch your testing technique and then try to implement it itself. And I wanted to get your thoughts on how that feels to you. Yeah, Shadow Repeater.

Joseph Thacker (41:21.559)
The repeater.

so I mean, in general, like my very first thoughts were this is exactly what I talked about on the pod like three weeks ago. You know, like we said that this would be like really cool to say, you know, to like right click or click somewhere and shift and basically be able to send a diff of all the things you've been trying and all the responses you've been trying and then output, you know, the next few payloads or let it continue to hack on your behalf. Yeah, that's my honest thoughts. I think what you were just implying that.

Justin Gardner (41:30.162)
Mm-hmm. Yeah.

Justin Gardner (41:46.847)
Mm.

Joseph Thacker (41:52.418)
Having it happen automatically is kind of interesting.

Justin Gardner (41:55.804)
You know, so I thought about that. When we first discussed this, my first thought was like, I don't love that it is automatically trying stuff without me giving it a goal. Right? That just feels a little bit like...

it might get a little carried away and be like, oh, okay, now I've got SQLi, let's drop the database. Like, ah, no. And hopefully, PortSwigger has put in some smart guardrails there, saying, hey, let's just make sure we're doing non-destructive testing in any way, that sort of thing. But then, the...

Joseph Thacker (42:16.664)
Sure, yeah.

Justin Gardner (42:33.11)
My my honest thoughts on it is I think it's super cool. I think it's awesome that it exists and I think that I Would be more comfortable using AI when I give it a direct goal and it is very goal oriented on that rather than it looks at my my actions tries to extract a goal and Then and then implements it right because it could misinterpret what I want. Does that make sense?

Joseph Thacker (42:46.414)
Mm-hmm.

Joseph Thacker (42:57.292)
Yeah, and I think they have a model where you pay for token usage too. So it would be maybe a little bit annoying to like always toggle it on and off because like we're sometimes testing a repeater and we would not want shadow repeater to like go spend my tokens. You know what I mean? And so then, and then sometimes you would want it to do it. Like you said, so I think maybe like a manual kickoff would be better.

Justin Gardner (43:00.863)
Mm-hmm.

Justin Gardner (43:08.852)
Mmm, yeah, yeah.

Justin Gardner (43:14.612)
Yeah, but dude, how sick would it be if you're testing something and then all of a sudden Shadow Repeater's like, yo sup, figured it out. Dude, that would be so sick. So I love the vision, I love where it's going. Here's something that I think could maybe even make it awesome. Would be just like, me give it some guardrails or maybe give it some limit of requests. That's the other thing, it's like, maybe I don't want you to spend, you know.

Joseph Thacker (43:20.622)
Here's the crit, I figured it out for you, I'd be so sick.

Justin Gardner (43:45.814)
200 requests brute-forcing through all of the ASCII characters one by one, you know, like That seems like it's gonna consume a lot of tokens. It's gonna consume a lot of bandwidth a lot of time If I could just provide some extra insight into it Like maybe there's just a box next to each request and it doesn't start hacking on stuff until I say hey I'm trying to figure out XSS here or something like that Then it kind of takes that my testing methodology and then goes with it The what? Oh, yeah

Joseph Thacker (43:50.39)
Yeah, yeah.

Joseph Thacker (44:06.412)
Yeah. Actually, you know, the clippy methodology. You might be trying to exploit path traversal here. Would you like me to do it? It really is. Yeah, because then it's like guessing what you're trying to do too, which is kind of neat.

Justin Gardner (44:15.69)
That's a great idea, I love that, yeah, yeah.

Yeah, and do you want help with that? like, am I right? Yes or no? You know, like that sort of thing. That would be really helpful.

Joseph Thacker (44:23.448)
Sure. Also, this is just like something that maybe everyone should be aware of with both Shift and Burp AI. Your requests are being sent to a third party, two third parties, right? It's like, it's going to PortSwigger or to us and then also to the model provider and also back, right? It's like, I don't think there's an issue there. I don't really like, I trust like we use mostly Gemini or Sonnet. I trust Anthropic and Google on our side. I don't know what Burp is using, but I also trust me and you. We're not going to do anything with anyone's data, but it's just like.

Justin Gardner (44:29.308)
Mm. Mm. Yes, they are.

Justin Gardner (44:44.79)
Yeah.

Joseph Thacker (44:51.47)
You should definitely be aware of this. Like if you're hacking a government agency or you've signed to like a super strict NDA, you should probably be careful where you submit that.

Justin Gardner (44:58.848)
Yeah, yeah, for sure. But yeah, overall, I'm excited to see AI features getting integrated more into the proxies. I'm excited to continue deving on Shift. I think this next iteration, what we've got coming up is gonna be sick. And we definitely are gonna have base improvements to the product as well. Just the core functionality of it. So thanks for all the listeners out there that are supporting that product and keeping us deving on that.

Joseph Thacker (45:19.33)
Yeah, it's definitely basically supporting an alpha or beta product and we're very appreciative.

Justin Gardner (45:24.074)
Yeah, definitely appreciate that. All right, so I think that's the end of the news section, 45 minutes in. Let's move to attacking SPAs. So the thought here was that a while back, I wanna say it was like episode 30 something, maybe 39, Joel and I did an episode on various application architectures, and I was gonna sort of make this episode a follow-up to that one, but I decided to focus more on single-page applications because almost everything we see nowadays is a single-page application.

Joseph Thacker (45:43.768)
Mm-hmm.

Joseph Thacker (45:52.461)
Yeah, so common.

Justin Gardner (45:53.942)
And I just want to make sure that we're sort of comparing notes with listeners on what the sort of best practices are for going after single page applications And you know what kind of stuff is not actually gonna help very much So okay When I see a single page application first thing this sort of comes to mind is I have everything that I need right like everything

Actually, nowadays, inversely, when I go up against something that's not a single page application, I'm like, shit, there is some JavaScript file that's on some weird page deep in this thing that I'm not seeing, and I'm worried about that. But with the single page application, you've got everything in the files. You may have to unwebpack it and get all the data out, but it's such a great place to start having all of the JS files for the whole application in one spot.

Joseph Thacker (46:29.55)
All right, yep.

Joseph Thacker (46:47.502)
Yeah, yeah, absolutely. I think for me, it almost always screams, and we'll talk about this a little bit later, but it just always screams like the ability to view all the features and know all the endpoints, which is like you said, very beneficial and makes it much more fun to hack, I think.

Justin Gardner (46:58.859)
Mm.

Justin Gardner (47:03.37)
Yeah, that's a great point. The features is a big thing, right? Because we've talked about in the past how feature flags get integrated into these environments too with a single page application. Those are much more likely to be just like a JavaScript blob. On the front end, you can just say, turn on advanced feature, true. Or yeah, I'm in this A-B test group, that sort of thing. And I think that's a part of the initial recon. Recon sort of has a...

Joseph Thacker (47:15.704)
sitting there. Yep.

Justin Gardner (47:32.096)
The term recon sort of makes you think about asset enumeration, that sort of thing. I really think about a recon as well in this sort of more application recon sense, where you're going through, you're downloading all the JS files, you're beautifying all the JS files, you're grepping for endpoints, you're identifying feature flags you can turn on and turn off. Doing that recon pays massive dividends and is a much more relevant skill to hackers that are in the weeds hacking on an application than...

You know running sub domain enumeration or something like that and trying to find some some asset if you're trying to go for core Impact on the main application Yeah So alright, let's see. Let's see what else we got on list here

Joseph Thacker (48:07.298)
Right, yeah.

Joseph Thacker (48:14.252)
Yeah. I mean, you mentioned it there. I want to whenever Justin says like turn on feature flags, what he means is either something in local storage or something that's like a client side, match replace, you know, it's very frequently a client side, match replace, which is really great. Almost all these single page apps just as like very technical or very practical way to look at this for any testers who aren't super familiar with it. Almost all single page apps will have like a slash me or a slash config or a slash features.

Justin Gardner (48:16.758)
Mm.

Justin Gardner (48:24.049)
Mm, yeah.

Joseph Thacker (48:40.396)
like requests that happens when you load the page. Like with single page apps, I find myself doing like a command shift R kind of frequently because I want to see those requests, right? I want to see what are those initial requests that makes. And then what's in those responses is often the feature flags, the privileges, the roles of your account, your username, your user ID. And so doing match replace on those can be super beneficial. You can either do it in intercept, you know, at runtime, just to like kind of mess with like a single thing. Like let's say you wanted to see what would happen like.

Justin Gardner (48:40.426)
Mm.

Justin Gardner (48:45.589)
Mm.

Joseph Thacker (49:05.526)
what all requests does it make for IDs and can I load Justin's ID just I'll go into intercept and change it real quick once, right? But if you're actually trying to view all the features in the app, maybe you do like a true to false, but it'll be like is admin equals true or false, or it'll be like a list of roles or features and you'll match and replace those for the ones you want, which you found in recon when you went through the JavaScript. And then, you know, sometimes they actually, I don't know if you've noticed this, Justin, I bet some people are missing this. Sometimes it'll like, they'll have negative based features.

Justin Gardner (49:10.613)
Mm-mm.

Justin Gardner (49:33.675)
Yeah.

Joseph Thacker (49:33.708)
Like it'll be like, is, you know, there'll be like an enabled for this feature or disabled for the feature. And if you put both those in there, you're not going to see the feature. You got to be smart about it.

Justin Gardner (49:40.192)
Right, yeah, you have to go through each one and I think that's where we could also use an AI component of this too, like here, here's some feature flags, turn them on correctly, you know, like, cause you see that all the freaking time, you know, is not disabled or something like that, it's really crazy what people write in these applications. So you can't just do like, you know, flag.

Joseph Thacker (49:52.962)
Yes.

Right.

Joseph Thacker (49:59.16)
Yeah.

Justin Gardner (50:03.838)
Double quote, double quote, you know, false or to true. It won't work. You have to individually read each one of them for a lot of the cases out there. And I really liked what you said regarding the groups as well. That is one of the most common implementations that I see for these feature flags is like the API endpoint kicks back like a role, a list of roles. Yeah, and then deep in the code it'll say, okay, if they have the developer role, show them this, you know?

Joseph Thacker (50:07.118)
Mm-hmm.

Joseph Thacker (50:23.896)
Yeah, it'll say developer.

Joseph Thacker (50:30.178)
Yes. Yep.

Justin Gardner (50:30.94)
And so what you've got to do in those scenarios is you've got to either match and replace the JavaScript file to just always, if they have one function that they always do, I always like match and replace that function just say, you know, yeah, just turn it on, you know, for this specific role. You know, has role or something like that. Just always set it to true. But the other thing is you can do exactly what you said and just like match and replace all of the roles that you can find in the JS files into that array and then you're off to the races. And I think that's something,

Joseph Thacker (50:40.834)
Hmm. That's cool.

Justin Gardner (51:01.216)
I kinda talked about this a little bit before in the past, but it's something you don't wanna do too early on in your process, I think. I think it's something you wanna do after you're moderately familiar with the application. And the reason for that is because you wanna be able to spot the difference between, right? Yeah.

Joseph Thacker (51:14.082)
Yep. I find this, I have this issue all the time. I loaded the SPA and I'm like, yeah, I can rematch replace this. set it up. And then I like, but what's new? What, what, what? And so I'm like trying to refresh and swap it back and look and figure it out.

Justin Gardner (51:20.053)
Yeah.

Yeah.

Justin Gardner (51:26.238)
Yeah, yeah, that's huge. Let yourself get used to the application. Let your hacker eyes be like, okay, that's feature, this feature, that feature. And then when you turn on the match and replace, you'll be like, wait a second, that feature wasn't there before. That option wasn't like that. And then that's where you drill down, because that's where the competition is gonna be the least. Most users are not gonna have access to those features, so they're gonna be less tested.

Joseph Thacker (51:33.678)
Mm-hmm.

Joseph Thacker (51:37.911)
right.

Joseph Thacker (51:44.483)
Right.

Joseph Thacker (51:49.198)
Yeah, yeah, that's a great point. And as an aside there, this is like also a great way to test for like whenever there are like not only privilege escalation, but also like free features, which I know is not always the most impactful thing, but a lot of times if you match and replace for like a higher subscription level, like, you know, a business or a pro subscription, and then you're able to use some of those features or functionality. If the API calls work under the hood with it, actually, yeah, we should clarify this. We have a lot of new listeners too. Not all of our listeners are like super OP.

Justin Gardner (51:53.216)
Mm.

Justin Gardner (51:59.54)
Mm. Mm.

Justin Gardner (52:17.578)
Yeah.

Joseph Thacker (52:18.658)
Just because you can match and replace and see more features in single page apps is not a vulnerability. I'm sure a million people have fallen for this. I've fallen for this just because it like looks different and it says that you're an admin. If the API calls are 403-ing, you know, if they're showing forbidden, you, you aren't getting more actual real functionality that affects other users or that finds more vulnerabilities, it's not a bug. So that's worth clarifying.

Justin Gardner (52:38.74)
Yeah. Aw, come on, Joseph. Our boys know that. You know, our...

Joseph Thacker (52:43.03)
Yeah, I'm sure 90% of listeners know, maybe, but there are new people who listen, so... Yeah.

Justin Gardner (52:46.72)
For that there you go. All right, yeah, the other thing that I was gonna shout out here is something that we covered recently in the DevTools master class that we did in the Critical Thinkers Discord. It is, yeah, it's up, yeah, it's up in there. We did get it uploaded. But one of the things with that was with regards to webpack files, you know, it's really nice when you are looking at an application and the webpack map files are there.

Joseph Thacker (52:59.286)
Is that recorded? Are they able to go back and listen if they sign up? Okay, cool.

Justin Gardner (53:15.922)
and you can just kind of be like, okay, you know, now I'm clicking through the actual source code and looking at TypeScript rather than all this minified garbage, right? And sometimes these map files are there, but they're not linked to the JS files. So whenever you see these JS files loaded up, and actually this would be a great thing for somebody to embed into an extension, is just try that same JS file dot map. And if it does work, then you can match and replace that, or do a local override or whatever.

that map file into place and force the browser to unpack the webpack and now you've got a beautiful breakout of JS files and you're reading TypeScript rather than minified garbage.

Joseph Thacker (53:56.43)
Does the browser look at the last line of the file to know? Okay, yeah, that's where I always see it, but I didn't know that was actual spec for how it worked.

Justin Gardner (53:58.494)
It does, yeah. So if you look at any site, yeah. Yeah, that's the assumption I've made. So yeah, I think that that is the origin for it. And it's worked in the past when I've done it. Yeah, so that's a pretty sick one.

Joseph Thacker (54:08.92)
Okay. Cool. That's a great idea.

I wanted to just mention, I know you probably mentioned it on the podcast a hundred times, but if anyone doesn't know about P prettier, that's definitely the best, the best like command line tool and just best tool in general for cleaning up a prettified or I'm sorry, minified JavaScript.

Justin Gardner (54:30.27)
Yeah, dude, and it's crazy. If you search p prettier, it will not come up. Yeah, I'm search p prettier mixer, or p prettier, or parallel prettier is actually, I think, what it got renamed to after Mixer gave it to Microsoft. But yeah, dude, I mean, it's performant, it's multi-threaded, so it will like...

Joseph Thacker (54:35.352)
Does it still not come up? Yeah.

Justin Gardner (54:57.32)
it will very, very quickly beautify these files. Definitely the best one to use out there, definitely underrated. Let me actually, hold on, let me grab that link and I'll just drop it in the episode. Did you? Okay. You the man, you the man. All right. So what do we not wanna do with an SPA application? Brute forcing on the main domain is not gonna get you anywhere. It's likely just an S3 bucket. That should be pretty clear. You're gonna be getting essentially wildcard responses to

Joseph Thacker (55:00.088)
Yep. Yep.

Joseph Thacker (55:06.377)
I dropped it in there.

Justin Gardner (55:27.228)
you know, some S3 bucket if you try to hit a random path. So that's definitely, definitely not what you're looking for. Typically these apps are built off of a static HTML front end on the S3 bucket and then an API on the back end. So you may want to spend time, you know, brute forcing on that API or attack that API, but to be honest, brute forcing APIs is a little bit tricky because the whole premise of, like, traditional brute forcing is you manipulate the fact that if you hit a certain path, that folder does exist

you see a 301 to that name and then a slash most of the time. And that allows you to know that you've hit a folder that's correct. And you're not gonna find that on APIs. So typically, when you're attacking these APIs, you wanna be using something a little bit more complex like Kiterunner from the Assetnote team. I have had mixed experiences with Kiterunner.

Definitely the concept is great and it's there and I think it's one of those things that you kind of just need to deep dive and understand how it works and to be perfectly honest I haven't done that yet. But the concept of doing a little bit more smart, a little bit more intelligent, a little bit more oriented towards API based brute forcing is essential if you actually want to go the full distance on these APIs.

Joseph Thacker (56:44.878)
Yeah, they're not, it's not overly fruitful, but I definitely have found some stuff with just, um, if there are, there are sometimes JavaScript or sorry, some API endpoints that are not in the JavaScript. Um, but you definitely have to fuzz at the existing or known path that like you're already observing in the app. So you have to like be in the app, be manually hacking it. You notice that all the requests are to slash management slash API slash V1. I'll just fuzz right at that V1. I don't do like any kind of like deep recursive fuzzing. Cause like you said, it's completely fruitless.

Justin Gardner (56:54.517)
Mm.

Justin Gardner (57:00.725)
Yeah.

Justin Gardner (57:13.311)
Right.

Joseph Thacker (57:13.762)
But at that path, it's still worth doing some fuzzing just because, you know, if users, user slash user ID of user slash whatever, just because those exist doesn't mean there might not be some hidden paths like slash groups or slash admin or whatever. Also some sometimes find that stuff.

Justin Gardner (57:23.668)
Mm-hmm.

Justin Gardner (57:31.734)
Yeah, yeah, absolutely. And I think this is a good area for just kind of using your brain or maybe even using AI to like look at these paths. This would be a cool one, dude. This is what shadow repeater should do is like look at the paths, look at, okay, you know, there's a get here, there's a post here with this structure. Let me guess other paths, right? And that would be so easy to implement too, because you could just, all you have to do is have the LLM, take a look at it, and then just don't send a body.

I mean, unless it's like a delete request, and I might delete your resources or whatever. But like, you know. Yeah, yeah, or just be like, okay, if I'm deleting it, and it's a UUID, just rotate the number by one, or something like that. And then if it's a 404, then it's a 404, and if it's an application level 404, couldn't find this thing that you want me to delete, then you know that there's actually some functionality there. That's pretty cool.

Joseph Thacker (58:03.95)
Just don't have it use that verb.

Joseph Thacker (58:21.07)
All right.

Joseph Thacker (58:25.71)
Calling that an application level 404 is like a really neat word. I'm glad you just picked that. I've never thought about that before, but I see those and I've never known what to call them. And I feel like that's like a useful, sometimes having a word for a gadget or a functionality enables you to talk about it with other people in a way where, and it's a way, if you don't have a name for something, I feel like it's hard to hold in your mind. So like when you're showering and having shower thoughts, you don't think about it.

Justin Gardner (58:32.341)
Yeah.

Justin Gardner (58:38.678)
Hmm.

Justin Gardner (58:47.675)
Mmm. Mmm.

Joseph Thacker (58:49.004)
So an application level 404, an application level 200 or whatever, like I like the application level status codes or, you know, response codes is a concept that you just brought up. Cause now it's in my head and I'm going to like think about it more.

Justin Gardner (58:52.32)
Yeah.

Justin Gardner (58:56.33)
Mm.

Yeah, because it's like, okay, there's like an HTTP server level 404, right? Where it's like, I don't know where to route this, you know? But then there's also a 404 like, hey, I couldn't find something when I was looking through the database, you know, sort of situation, which is very different. Those are very different outcomes. So yeah, I think understanding that is, that sort of concept is really essential. What else do we have on APIs? I think one of the things that Frons does well here is just like, just uses that

Joseph Thacker (59:03.734)
Right. Right.

Joseph Thacker (59:10.89)
Right. Mm-hmm. Yep, that's right.

Justin Gardner (59:28.796)
hacker brain and says like, okay, all of these things are structured in this specific way. I think that there is an endpoint here and just kind of guesses these endpoints just from his brain. And so yeah, I think that's essential. Yeah. Yeah, it's awesome. And man, it's like, if you can just get good at that. And it's hard. It's a hard thing to get good at because you don't get a lot of feedback. Like, yes, that could have been a good guess, but the endpoint just doesn't exist. You know, like

Joseph Thacker (59:38.808)
That very few people have that skill, but some people do and it's really impressive.

Justin Gardner (59:55.254)
So I think it takes a lot of experience and a lot of time messing around with web apps. But definitely worth trying when you're on one of those cash cow applications, right? Where you're like, if I find another API endpoint, there's gonna be another three IDORs there, you know? And so I think in those applications where it's cash cow, going this extra level of API level brute forcing, trying to just use your brain to guess, maybe even utilizing an LLM with the paths that are currently there,

Joseph Thacker (01:00:08.287)
Yep. Yeah.

Justin Gardner (01:00:23.744)
can land you a couple extra bounties for sure.

Joseph Thacker (01:00:25.91)
Yeah, you were mentioning what other things do we know about for single page apps? I think you put this in the doc, but yeah, you definitely don't see, I think just because they're newer and it's like a newer architecture, you don't see as much simple XSS. So like, I feel like you might see more like AngularJS or something like that, like kind of those, yeah, the DOM-based XSS or like kind of stored XSS, or you might be able to like submit something in the backend that renders in a different application later.

Justin Gardner (01:00:30.932)
Mm.

Justin Gardner (01:00:39.872)
Mm-hmm. Yeah.

Justin Gardner (01:00:45.083)
Mmm, mmm. Dom-based XSS, yeah.

Justin Gardner (01:00:55.338)
Mm.

Joseph Thacker (01:00:55.49)
but in general, just like simple XSS on the page, you don't see very often.

Justin Gardner (01:00:59.53)
Yeah, because the front end is all static, and those APIs are not often returning HTML content type. Yeah, and so it becomes a lot more of a DOM XSS game. But the trade-off for that is if you get good at exploiting DOM XSS in single-page applications by looking for your traditional sinks, your window.location, your innerHTML, your document.write, actually somebody...

Joseph Thacker (01:01:05.343)
Right, it's almost all JSON stuff.

Justin Gardner (01:01:25.43)
I think it was the PDF.js one from before. I was so impressed with the function constructor one. I love that. That's so fun. But if you get familiar with trying to hit those DOM XSS-based XSSs, then the trade-off in the single-page application is almost all of them use Authorization Bearer based auth, which means that if you do get an XSS and gain control of local storage or session storage, you're golden. You've got ATO.

Joseph Thacker (01:01:31.49)
Yeah, yeah.

Joseph Thacker (01:01:50.708)
Yeah, that's nice. I was actually going to bring up that as like a way to know when something is potentially more vulnerable. If you see the single page apps and they're not using bearer auth, they're using like just cookies only. Then I feel like it's such a ripe target for CSRF. And specifically what I would do is like, you know, use shifts or something else to modify those JSON API calls into URL form encoded.

Justin Gardner (01:01:57.503)
Mm.

Justin Gardner (01:02:06.358)
Mm-mm.

Justin Gardner (01:02:13.556)
Mm. Mm.

Joseph Thacker (01:02:15.51)
And a lot of them just work by default. If they haven't disabled it, a lot of the backends that are, that people write APIs in these days will just like support either, either form. And so it'll just work.

Justin Gardner (01:02:24.894)
Yeah, that's a great tip. Or the other thing is also sending text JSON or plain text. Sometimes text JSON works, I think. But if you send just text plain with JSON in the body and it parses the JSON, then you're good. You can also... Yeah, that's something that I built a Caido workflow for that just automatically just checks, like, just swap that out. And will let me know if...

Joseph Thacker (01:02:38.53)
Text plain.

No, I don't look for that much. I need to look for that more.

Joseph Thacker (01:02:48.31)
Okay, cool.

Justin Gardner (01:02:54.152)
if it accepts that, which is cool.

Joseph Thacker (01:02:56.342)
Yeah. The other thing I was going to say is I feel like when these single page apps are using bearer auth, it's often good to check for gadgets for manipulating the components of the, of the JWT. And specifically I'm thinking about like some of like Joe hash's findings, you know, where you can generate it for another user or like basically go look at how the JWT is generated and it may be possible to generate for another user or play with the JWT and see if you can do, if you can resign it with like no, no key and those sorts of things.

Justin Gardner (01:03:11.785)
Mm-mm.

Justin Gardner (01:03:25.556)
Yeah, so JWT level attacks, great point. But also just like understanding what the JWT is looking at as an authentication mechanism. So breaking apart the JWT, saying, okay, there's a subject field, but there's also an email field. Like I wonder if it is using my subject field or my email field, you know, as authentication here and trying to sort of piece that apart and how that differs.

Joseph Thacker (01:03:28.3)
Yep. For single-page apps.

Joseph Thacker (01:03:41.838)
Mm-hmm.

Joseph Thacker (01:03:48.438)
Right. Change your email and then don't confirm it and then try to make some calls. Right. And stuff like that. Yeah.

Justin Gardner (01:03:53.403)
Dude, that's such a good idea! Rez0, dude, yes, that's a great idea!

Joseph Thacker (01:03:59.352)
That's a great simple attack that you can pull off in so many apps.

Justin Gardner (01:04:01.876)
I was just thinking here, I mean it doesn't land you a bounty, but it does probably let you understand what is happening with regards to what, dude, what item it's using. Brilliant, okay, thank you, thank you. I need to, I'm gonna, that's great. Now it's just helpful because if you do know that the app is choosing something like email as the delimiter for what is the authentication piece of information.

Joseph Thacker (01:04:10.37)
which one it's using.

Joseph Thacker (01:04:14.198)
Yeah. When you start looking for that a lot of places, right?

Justin Gardner (01:04:31.782)
then it becomes a lot more doable to trick it if you have any control over the JWT at all.

Joseph Thacker (01:04:36.502)
Yep. Yeah, and that could be a small gadget to control that component of the JWT.

Justin Gardner (01:04:41.526)
Totally different topic, but one of my favorite vulnerabilities that I've ever found to this day is injecting into a JWT-like auth bearer that was semi-colon delimited. And I had control over one of the fields and I was able to inject a semi-colon and then add other fields into that auth bearer. It's the best, man. It's the best.

Joseph Thacker (01:04:50.274)
Hmm

That's cool.

Joseph Thacker (01:05:01.144)
So it wasn't a JWT, but it was like, like it, was like roll your own.

Justin Gardner (01:05:03.958)
Yeah, it was base64 encoded and it was semicolon delimited. And so if you could just put in a semicolon, you could create a new field. So it'd be value equals key semicolon. It was almost like x-www-form-urlencoded sort of format in there. And I was able to break out of those and add duplicate entries which overrode the auth mechanisms on certain endpoints.

Joseph Thacker (01:05:14.306)
That's cool.

Right.

Yeah.

Joseph Thacker (01:05:26.702)
That's cool. I don't know if there's a single page app specific. Maybe you tell me if it is or isn't, but I feel like, um, something to check for just in general is whether or not the, apps are like that, especially some older apps are using. So probably not single page, but are using certain cookie values that are not auth related for determining either things to draw on the page or even for auth when they shouldn't be like, I'm sure you've seen, I mean, it's like a classic example. Most everyone's probably seen like.

username equals your name as like a cookie, which obviously you can just change your own cookies. And then it uses that at some point on the server side to determine off when it really should.

Justin Gardner (01:05:56.796)
Mm, mm, mm. Right.

Justin Gardner (01:06:02.036)
Yeah, dude, that's, that is some area that I haven't seen hackers really like, like major in, you know, there, there are some hackers that are like, you know, yeah, I'm really good with API's, you know, I know the JSON in and out, you know, like everybody's kind of got their thing. Maybe JWT, right? We could be somebody's. but I haven't seen a really amazing web hacker that's like, yeah, cookies are my shit. Like I know everything about every single cookie in, in this application.

Joseph Thacker (01:06:10.104)
Right.

Joseph Thacker (01:06:27.714)
That's true. That's a great point. That's a great point. Yeah.

Justin Gardner (01:06:31.86)
And I think there's some really good opportunities for the HTTP proxy plugins to do something really cool here, where you can add notes for a specific cookie on a specific domain. So you can say, OK, this cookie is Cloudflare cookie. And this cookie is used for auth in this scenario or that scenario. And then just filter these cookies out when you're doing requests and say, OK, this one, this one, this one, this one's gone.

Joseph Thacker (01:06:44.558)
Hmm.

Joseph Thacker (01:06:52.706)
That's a great point.

Mm-hmm.

Justin Gardner (01:06:58.504)
and then have something that automatically reissues the request, maybe non-state changing requests or whatever, says, well, this cookie and this cookie and this cookie isn't necessary in this request. But one of those is necessary in this other request. So something weird's happening.

Joseph Thacker (01:07:02.702)
Sure.

Joseph Thacker (01:07:11.03)
Right, that's weird. Yeah, that's two different systems, right? Like there's two different secondary contexts there. And so now you can kind of, you know, start to figure that out. That's cool.

Justin Gardner (01:07:15.624)
Yeah. Yeah, or just like you said, the application logic is saying, I'm going to just use the shortcut because this cookie is always there as like a relic of the auth mechanism or something like that. And I'm going to rely on that as a piece of authentication information or application level information where you're accessing user data, even though that's not an auth-related cookie.

Joseph Thacker (01:07:25.186)
Right.

Joseph Thacker (01:07:37.998)
Yeah, I mean, someone should do that, right? I mean, people who become an expert in a specific thing, whether it's Chapman with headless browsers or whether it's, you know, people bringing me AI bugs or I know that like I would always reach out to HX01 with OAuth bugs. I'm sure people reach out to you for client side stuff. If somebody wants to be the, to be the cookie monster, they can, they can figure that out.

Justin Gardner (01:07:43.957)
Yeah.

Justin Gardner (01:07:49.457)
Mm. Mm.

all the time.

Justin Gardner (01:07:58.506)
Dude, we just popped a, me and one of the members of the critical thinking community just popped a super sick bug. I'm gonna talk about it in the full-time Hunters Guild meet and greet later today. But I'm gonna talk to him and see, hey, can we present it on the pod sometime? Because it's so simple, and the functionality is so, the functionality that this XSS had was like, my god, please, this has to be vulnerable.

But it was just very aggravatingly not vulnerable in the three or four ways that you would think that, I could just explode it like this. And then finally, there's a workaround at the end that we came up with, which is just like, you love it. Okay, so two things here, caching attacks and then client-side path enumeration. So let me talk for a second about caching attacks. Caching attacks.

Joseph Thacker (01:08:26.776)
Yeah.

yeah.

Joseph Thacker (01:08:37.182)
Nice. That's sick.

Justin Gardner (01:08:54.634)
Definitely do happen in both traditional applications and single page applications. But my experience has been that it is a little bit harder to get these caching based attacks on single page applications because the user level logic is sort of segmented out into these APIs. And these APIs probably don't have any caching on them. And so I spend a little bit less time looking for caching related issues on these APIs.

Joseph Thacker (01:09:11.544)
Mm-hmm.

Joseph Thacker (01:09:17.109)
Right. That's fair.

Justin Gardner (01:09:24.448)
That being said, I think the vulnerability, so let me say this. When there isn't a different API host, right, and there's just like a slash API that is being rerouted away from the S3 bucket or whatever for the single page application and being routed to a backend API, then you're serving static assets and API assets on the same host, right? And that is where you start seeing those caching attacks. If you, mm, mm.

Joseph Thacker (01:09:32.974)
Mm-hmm.

Mm-hmm.

Joseph Thacker (01:09:39.448)
Yes.

Mm-hmm.

Joseph Thacker (01:09:46.1)
on the same host. There you go.

Joseph Thacker (01:09:51.352)
Man, I love, that's such a great tip. Like if you see that, start looking deeper. Like those little, what are those called? It's like whenever, obviously we say like develop your sniffer and that sort of thing, but man, there's a word for that that I can't think of. But anyways, keep going. An indicator, there you go. It's an indicator, yeah.

Justin Gardner (01:09:55.912)
Yeah, yeah.

Justin Gardner (01:10:04.756)
Well, it's like an indicator that you should look deeper. Yeah. That there could be something interesting here. It's a trigger for you to sort of investigate more.

Joseph Thacker (01:10:11.8)
Right.

Yeah, and that's kind of what I meant by, we just need a word for that, because we're to use it on the pod all the time. Speaking of, it hit me earlier. We need the audience to help us come up with an Acme Corp name to use when we're talking about bugs for companies that we can't disclose, right? You told me we need to come up with this, right? This is actually on our to-do. We need to...

Justin Gardner (01:10:28.556)
My gosh, yeah, that's a great idea. Well, okay, let me ask you this. Do you think we should, it is on our to-do, but what I told Richard, our producer, is what we wanna do is we wanna use a consistent name for a given target. So we can talk about multiple anonymous targets and not conflate the two, right? So we gotta come up, I think one Yugi recommended was like,

Joseph Thacker (01:10:50.433)
interesting. Okay.

Justin Gardner (01:10:55.294)
George Foreman Grill or something like, you know, like, and just have some like over dramatized voice instead of just bleep, everything's bleep, you know? But yeah, so if you have any recommendations, chat, drop them in the pod talk channel on Discord and we'll take a look at those when we're trying to bleep out things in the future.

Joseph Thacker (01:10:57.742)
All right.

Joseph Thacker (01:11:01.672)
Right. Yeah, yeah.

Joseph Thacker (01:11:13.12)
Yeah, but to circle back. when I was saying earlier, if you see an API that's using cookie based auth, you should look for URL form encoded or text JSON instead of the regular application JSON content type, right? So that's like indicator and then thing to check for. And so like you're talking about that with indicator and thing to check for. So if someone has a specific word for that, also reach out to us. Or if you think of one right now, Justin, I would love like a word for like, that's your key to look for something else.

Justin Gardner (01:11:19.51)
Mm.

Justin Gardner (01:11:23.126)
Mm-hmm.

Justin Gardner (01:11:26.816)
Mmm.

Justin Gardner (01:11:31.349)
Yeah.

Justin Gardner (01:11:40.318)
Yeah, it's like a trigger, but the analogy that I used in my Defcon 2020 or Nahumcon 2020 talk where I was talking about source code review was smelling blood. When you see that, you're like, hmm, something's funky over there. Let me go check that out. And so I think that is a good way to think about it is you should have these triggers or you should be smelling something funky when you see these.

Joseph Thacker (01:11:55.096)
Something's fishy there, yeah.

Justin Gardner (01:12:08.81)
various pieces of functionality. Okay.

Joseph Thacker (01:12:11.254)
Yeah, perfect. So anyways, yeah, go on. So I think you were mostly talking about how with the, when the API points are shared, did you, did you have more to say there?

Justin Gardner (01:12:15.886)
Yeah. Yeah. So API endpoints, definitely. Going back to the APIs, there was another one that I wanted to highlight here, which is sometimes with these single page applications, you can swap out the API backend. You can just, sometimes it's as simple as like naming your page dev or something like that. Window.name is now dev, you know, or something like that. And it will trigger the backend to switch

to a different backend API. And then, you know, there's lots of attacks that actually can be triggered from that environment. can, one of the ones that Sam Erb does well and has exploited many times is the token swap. And you just, go to that staging environment, you generate a JWT or a session token that's using the same signing secret. So you put it in the main application. And even if it's like user ID equals, you know,

256, then now whoever user ID 256 is in the main application rather than in the staging application. Yeah, so that's something that you can definitely go after there. But swapping out the API backend can not only do that, but also give you access to staging features that aren't released on prod yet. And I've had a good hit rate with reporting vulnerabilities in staging features before they get to prod and saying, hey, you might want to fix this before prod.

Joseph Thacker (01:13:19.002)
Wow, yeah, I need to look for that so much more, that's genius.

Justin Gardner (01:13:42.58)
And even if staging isn't in scope, that typically gets accepted because it was going to get pushed to prod. Yeah.

Joseph Thacker (01:13:45.966)
It would have been in prod soon, right? Yeah, I think that that also is just like something that's kind of cool about being a hacker. It's like when you see a single page app and you can see like, oh, if it's, you know, dev it's in, it's on local host. If it's on staging, it's on this host. If it's on this, on this host. So it can also give you an indicator of like their naming schemes for things like their naming schemes for sub domains and stuff too. So it's like a kind of a nice little recon technique to go look and find, you know, staging domains when you're looking at single page apps.

Justin Gardner (01:14:05.748)
Mm.

Justin Gardner (01:14:10.838)
Yeah, absolutely. Okay. Two more things here. One that I can't believe we pushed off until the very end, which is client-side paths. This is such an essential part of attacking single-page applications, and I feel like a lot of hackers that I know that are really talented, even ones that are quite good at client-side, don't understand this concept of client-side paths and server-side paths. So in a single-page application-based architecture,

your path doesn't really matter most of the time in the browser. It's gonna be a static 200 that they're gonna be sending back that says, okay, here's the single page application, here you go. What does happen though is that in the JavaScript code, they are utilizing the path and the state, sometimes it's in the hash, sometimes it's in the actual path itself, to determine what page you're on in the application and show you different parts of the UI dynamically without refreshing the page, without causing a bunch of bandwidth.

Joseph Thacker (01:15:08.302)
So yeah, I'm gonna sound like a super noob here. So if I'm in a single-page app, I click like a new tab and in the URL bar, I get a slash to that tab name. I often won't get a request, I guess, right? That's interesting.

Justin Gardner (01:15:10.709)
No, you're good.

Mm-hmm.

Justin Gardner (01:15:16.938)
Mm-hmm. Mm-hmm.

Right, because what's happening there is when you click that navbar link or whatever, it's just simulating that you're navigating. It's just pushing, it's using history.pushState typically, I think, to change the path name in the URL. I want to say it's pushState, I have to double check on that. But it's changing the path in the URL without issuing another request. And with that, then it's gonna go into a client-side router.

Joseph Thacker (01:15:29.43)
Right.

Joseph Thacker (01:15:36.558)
Mm-hmm.

Justin Gardner (01:15:50.068)
And that router you have access to, it's in the code. And one of the things I always search for with client-side applications is I search for, excuse me, single page applications, is path colon. Because almost all of the client-side environments define the routers that way. You do path colon and then a double quote and then it'll say like, okay, slash users slash star, right? And when you see that star, you know, okay, that's an ID there, right? And,

Joseph Thacker (01:16:01.72)
Path colon.

Joseph Thacker (01:16:13.56)
Mm-hmm. Mm-hmm.

Justin Gardner (01:16:19.272)
And then you can kind of build out these pieces of client-side functionality. And this is how you land CSRFs in these applications is, or client-side path traversals is, you say, okay, wow, there's a client-side endpoint called like a callback after verification, you know, to change my email or whatever, right? You know, sometimes it's really long like that too on the callbacks. And you can just force a user to hit that endpoint directly. And it doesn't expect that you're navigating directly to that endpoint and it will cause the CSRF.

Joseph Thacker (01:16:48.462)
Hmm. Yeah, yeah, yeah, yeah, that's cool.

Justin Gardner (01:16:48.502)
Does that make sense, sort of, or am I... Yeah, okay. So yeah, so enumerating those client-side paths, really big. And then obviously that's also where client-side path traversal comes in, right, where a piece of that URL is being parsed, or a query parameter, and then it is then getting embedded in the, into a fetch request on the back end in the path portion. You can path traverse, you can truncate with a hashtag or a query, a question mark. And that's sort of how we landed on this amazing

technique called client-side path traversal.

Joseph Thacker (01:17:21.048)
Sorry, I think the place you were going was that there are paths that are parsed both client side and server side.

Justin Gardner (01:17:26.974)
Yeah, exactly. So you find those paths, you enumerate the functionality, sometimes you can trigger CSRF, sometimes you can trigger CSPT, but at the very least you understand all of the attack surface you're dealing with in a client-side application and you know all of the pages. And if you see a page that you haven't been to or you don't know how to navigate to with the UI, it's something that you can sort of make sure that you're getting full coverage on this client-side application because we have access to all the routes, which is awesome. Yeah.

Joseph Thacker (01:17:52.384)
Right. Yeah, sweet. That's interesting. So a lot of times I will go pull all the paths and then I'll kind of like fuzz for them, but that's also kind of silly to do sometimes.

Justin Gardner (01:17:58.482)
Mm. Mm-hmm. Mm. Yeah. Yeah, I mean, you don't fuzz really in the... I mean, you can manually put them in your browser, but you're not gonna get any response back if you hit it like, fuzz or something. Mm.

Joseph Thacker (01:18:14.54)
Right. Yeah. So that's interesting. Do you have any way that you like to, like, let's say it's a pretty large SPA. Do you have anything that like outputs you a list of links that you knew just like click them all in order to go to all the pages to see if there's any that you went to directly that you couldn't find in the app.

Justin Gardner (01:18:18.891)
Mm-hmm.

Justin Gardner (01:18:27.454)
Yeah, I mean, what I typically do is I'll just dump all the JS, beautify it, grep for all those endpoints, and then just sub in the IDs. So oftentimes I'll have like, you know, there'll be a placeholder, like user ID or whatever. Well, I just say user ID is my user ID, right? And then it like populates it across all of those plugins. And then I just manually, you know, one by one go through them because you can't throw it into Automate or Intruder or anything because it's like...

it's not a server-side thing. So you just manually gotta put them in the browser and you either click to open them or you just, typically I don't like to open them all at once because sometimes they'll redirect and stuff happens. So I typically, one by one, click and see what happens, trace the code, and that's how you really become intimate. That's how you get intimate with the application. And that's what we talk about here on the pod is how important it is to be very intimate with the application and you can do that by looking at these client-side paths.

Joseph Thacker (01:18:55.608)
Right, right.

Justin Gardner (01:19:20.158)
enumerating each one and then one by one going through and trying to exploit functionality associated with each. Yeah, okay. Dude, we're coming up on time. We're gonna call it a wrap here. Let me just shoot this last tip out there. Obviously, client-side applications, or single-page applications, JavaScript files are super important. Luckily, Wayback URLs caches JS files. So if you're really, really, really, really trying to do your due diligence,

Joseph Thacker (01:19:25.304)
Yep, sweet.

Justin Gardner (01:19:48.764)
you can hit those Wayback URLs, see what kind of, I mean the client-side paths are gonna be gone, right, but see what kind of API endpoints were still in those, and see what functionality used to be there and where they might have integrated it somewhere else, and with that diff, it can inform you more on how to attack the application.

Joseph Thacker (01:20:08.258)
Yep, yeah. I guess maybe they tune in next week to see if they will hear more browser-based scam tactics.

Justin Gardner (01:20:15.646)
No, browser is... please, Joseph. Whatever. That's the pod.

Joseph Thacker (01:20:20.526)
Thanks guys.