Episode 36: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel take a break from LHE prep to answer questions about the ethics of bug bounty and share their recent bug finds. We talk Iframes, mobile intercept proxies, open redirects, and that time Justin got shot at…
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Timeshifter:
Tweet about Google Open Redirect
https://twitter.com/Rhynorater/status/1697357773690818844
Tweet about XSS Exploitation
https://twitter.com/Rhynorater/status/1698059391700701424
Request Minimizer
https://portswigger.net/bappstore/cc16f37549ff416b990d4312490f5fd1
Timestamps:
(00:00:00) Introduction
(00:02:45) Hacker One LHE Preview
(00:05:40) Is Bug Bounty Inherently Ethical
(00:19:25) Ethics of Going out of scope
(00:27:56) Justin’s story of getting shot at
(00:30:22) Setting up a mobile intercept proxy
(00:33:40) How to approach a new target
(00:40:30) Google Open Redirect
(00:43:35) Recent XSS Exploitation
(00:46:28) ATO Trick
(00:50:25) Joel’s Bug Report
(00:55:40) Justin’s Bug Report
Joel Margolis (00:01.098)
Yo yo, on the go recording.
Justin Gardner (@rhynorater) (00:01.887)
Alrighty man, you ready? Here we go. Crack the neck. Gonna do the stand back, the little shimmy before we get into the podcast episode. Yup. Well, I don't know, man. I feel like I'm more tired than you and it's only 5 p.m. where I am.
Joel Margolis (00:09.572)
Ugh, get the blood flowing.
Joel Margolis (00:18.114)
I don't know. Well, yeah, so I've been actually using this really interesting app. It's called Time Shifter and it's supposed to help with jet lag adjustment. And so basically you tell it like what flights you're gonna be taking and what your sleep schedule normally is, and then it will tell you like a couple days before, like, oh, go to bed like two hours later, don't see sunlight, don't drink coffee, and then like when you get there... Yeah.
Justin Gardner (@rhynorater) (00:33.001)
Oh, dang.
Justin Gardner (@rhynorater) (00:36.931)
Dude, it's too late, man. Like, you should have told me this, for the record, to clear up this conversation. Joel is currently in Tokyo for the Hacker One Live hacking event. I will be leaving in about 12 hours to go to Tokyo. So dude, so this app, like, it tells you how to beat jet lag. Is that the vibe?
Joel Margolis (00:59.954)
Yeah, I mean that's the goal. They actually have like a partnership with United, so if you have a 1k membership you get like a free year of it or something. But even still it's like 25 bucks a year. It's like really not that bad. And yeah, it's been pretty interesting. It's, you know, if you've traveled a lot it's not anything you're probably not, you know, already aware of in terms of like try to go to bed at a normal time. Like just try and like stay up and take melatonin before you go to bed and the light I think is a really big important thing.
Justin Gardner (@rhynorater) (01:05.259)
Mmm. Oh, cool.
Justin Gardner (@rhynorater) (01:12.527)
Yeah.
Justin Gardner (@rhynorater) (01:22.531)
Yeah.
Joel Margolis (01:28.502)
because when you take light into your retinas, it helps your circadian rhythm adjust. You're supposed to have light in the morning and in the evening. And that's one of the things that they recommend. And I noticed that helped quite a bit of just like getting light into my eyes and helping sort of just reset my sleep.
Justin Gardner (@rhynorater) (01:28.928)
Yeah, it is for sure.
Justin Gardner (@rhynorater) (01:33.995)
Mm-hmm.
Yeah.
Justin Gardner (@rhynorater) (01:44.475)
When you talk about light in the morning, it makes me think of that little meme of the eagle, you know, like going on the stupid mental, the stupid little walk for my stupid mental and physical, you know what I'm talking about? Like, okay. Yeah, we need to, we need to, I guess we need to get somebody to overlay that on the screen, we should note that down, little eagle meme, okay.
Joel Margolis (01:50.414)
Hehehehe
Joel Margolis (01:56.502)
Very relatable, yeah. I'm like, I have to see light. Uh...
Joel Margolis (02:08.056)
Yeah.
Justin Gardner (@rhynorater) (02:08.691)
Nice man. Well, how's the live hacking event going for you? We're not team critical thinking this time, so I haven't caught up with you at all. How's it going?
Joel Margolis (02:17.022)
Yeah, yeah, it's been pretty good. It's been a pretty hard target, I'm not gonna lie. I've found a couple things, did some collaborations with Shubz. So yeah, we found one really interesting thing together, but it's been a pretty tough target, I'm not gonna lie. I think a lot of people, I don't know, are we allowed to say who it is? I know it's kind of public.
Justin Gardner (@rhynorater) (02:28.749)
Nice.
Justin Gardner (@rhynorater) (02:34.904)
Yeah.
Justin Gardner (@rhynorater) (02:38.503)
I think we're allowed to say the, yes, we are allowed to say the primary target. Yeah.
Joel Margolis (02:44.03)
Okay, yeah, so it's PayPal. So yeah, I know a lot of people, there's a special scope, I'm not gonna say what it is, but there's a special scope and then there's the PayPal scope, and I know a decent amount of people have actually been focusing on the PayPal scope. I know I was speaking with Nagley and Nagley had some really interesting stuff on the main scope for PayPal. So yeah, it's been a really interesting event. I'm excited to see what people are finding. I haven't even checked the leaderboard, so I wonder how many bugs are in and stuff, but I think it's gonna be a cool event.
Justin Gardner (@rhynorater) (02:50.6)
Mm-hmm.
Justin Gardner (@rhynorater) (02:56.413)
Oh really, wow.
Justin Gardner (@rhynorater) (03:12.143)
Yeah. I think it's, I think it's, it's been a little bit of a tricky one for me too. I've, I've got a, I think I've got a good number of reports that I'm comfortable with and happy with, but it's just dupe Palooza because the, the special scope that they added for this one is like just very, very narrow and not
extremely featureful. So, you know, you really have to dig deep and you got to find everything. And yeah, it's just I think I out of my 23 reports, I think like 18 or 19 are duplicates, including all of my bugs above a high and above. So I have no well, maybe I might have one I might have one solo high.
Joel Margolis (03:49.192)
Wow.
Joel Margolis (03:54.594)
Oof.
Justin Gardner (@rhynorater) (04:02.389)
We'll see. But the two crits that I have are all dupes. And so it just like stabbed to the heart. Yeah.
Joel Margolis (04:07.294)
Oh, damn. Well, if it's a crit, we'll have to see. I was speaking with Naglian apparently because of the way that this whole account set up works, and I think you know what I'm talking about. They might be doing privilege required low at minimum for everything. So that's kind of annoying, kind of frustrating. I don't think personally, personally I don't think that it, yeah, I know they had some special stuff in the backend, I think when we were signing up to make it so we didn't get flagged as spam.
Justin Gardner (@rhynorater) (04:14.252)
Mm-hmm.
Yeah.
Justin Gardner (@rhynorater) (04:21.599)
Yeah.
Justin Gardner (@rhynorater) (04:26.559)
Yep, it's kinda meh, it's kinda meh.
Joel Margolis (04:36.53)
So maybe that's why you actually do need a little bit of privileges required. It's not as simple as just signing up for your own account. But yeah.
Justin Gardner (@rhynorater) (04:37.493)
Mmm.
Justin Gardner (@rhynorater) (04:44.255)
Yeah, maybe we'll see. We'll see at the event, man. You know, not trying to, you know, toot my own horn or anything here, but your boy has some persuasive skills and, you know, put me, put me in front of the team and I'll, yeah, that'd be clutch. That'd be clutch. Alrighty, man. Yeah.
Joel Margolis (04:53.33)
Yeah, okay. Hey, if you could swing it for the whole team...
Joel Margolis (05:01.09)
Cool. So we got a bunch of questions, I think, that we were gonna go over, yeah?
Justin Gardner (@rhynorater) (05:07.691)
Yeah, let's take a peep at these. We're trying to keep this episode pretty chill today since Joel and I are both in the middle, in the throes of a live hacking event. So we went back and looked at a Twitter post from a while back when we were giving away the Kaido Pro subscription and kind of grabbed some questions off there for us to kind of discuss. Let's do, let's go ahead and start with our boy, Jewbobz.
And let's talk about does bug bounty hunting unconditionally qualify as ethical hacking? Do you think, Joel?
Joel Margolis (05:38.754)
Awesome.
Joel Margolis (05:46.982)
So I think, I think, okay. So the thing is when you call it bug bounty hunting, I think that kind of implies, at least the way that I understand it, that kind of implies that you're hacking on a bug bounty program. And to me, when I think about it that way, that implies also that you are complying with a program policy. And so,
Justin Gardner (@rhynorater) (05:49.623)
Jubeb's coming in with the hard-hitting questions, man. Like, these are some serious questions.
Justin Gardner (@rhynorater) (06:09.623)
Mm-hmm.
Joel Margolis (06:14.702)
Theoretically, most of the time it's ethical hacking. But I think we both know that safe harbor isn't foolproof and there are certainly edge cases, well not even edge cases, there are cases where you will be going out of safe harbor if you do certain things, right? So if you do bug bounty hunting and you extort the team, that's not ethical hacking, right? Like asking for, do this or I'm gonna release the data or I'm gonna keep the data, like.
Justin Gardner (@rhynorater) (06:15.929)
Mm-hmm.
Justin Gardner (@rhynorater) (06:28.331)
Mm, for sure.
Justin Gardner (@rhynorater) (06:36.968)
Mm-hmm, right.
Justin Gardner (@rhynorater) (06:40.831)
Yeah, yeah, absolutely.
Joel Margolis (06:41.186)
Anything like that, I don't consider that ethical. So I think there are certainly lines that you can cross to make it non-ethical. But from like a baseline standpoint, just reporting a bug to a bug bounty program, that's absolutely ethical.
Justin Gardner (@rhynorater) (06:54.435)
So I have a little bit of a differing opinion on this, and it's gonna be interesting because it also kinda toes the boundary of what I was talking about last week, which was it's not our responsibility to define a company's threat model for them, but I would feel a little bit yucky about reporting something that is, that the company wanted to receive, that I know full and well is technically impossible to exploit.
Joel Margolis (06:58.357)
Okay, let's do it.
Justin Gardner (@rhynorater) (07:23.135)
So I've got a good example of this, okay? So let's say I got a bunch of, I don't know why lately, but I get a bunch of DMs and lately a lot of people have been asking about access control origin star header, right, you know, access with, you know, asterisk origin, plus the access control credentials, exactly, plus the access control allow credentials true header.
Joel Margolis (07:43.094)
Right, allow anything to call it.
Justin Gardner (@rhynorater) (07:51.355)
those two things together. Theoretically, what should happen with this is that you're allowed to send cookies, and then any origin is allowed to read the response, right? But the people that defined, yeah, the people that defined the spec thought, hey, this is dumb, we shouldn't allow this to happen. And they said, hey, this is not gonna be exploitable.
Joel Margolis (08:00.758)
Yeah, goals, Bug Bunny goals.
Justin Gardner (@rhynorater) (08:16.723)
we're not gonna make this, you can't use the access control credentials true with the asterisk origin. And so, you know, people are messaging me like, hey, how do I exploit this? And I'm telling them, hey, this is not exploitable, even though it's clearly a misconfiguration. Like those headers cannot be working together, you know, well, they just don't work together. It causes an error. So, you know, if you were to report that, right,
Joel Margolis (08:38.695)
Yeah.
Justin Gardner (@rhynorater) (08:42.379)
and the team were to accept it. And you know that the team accepts that. Let's say you reported it when you didn't know whether it was a bug or not, and the team accepted it and paid it out. Then you found another one, but now you know that it is not an exploitable bug. Is that ethical hacking or not? Because you're deceiving the company into paying you money. What do you think?
Joel Margolis (09:01.754)
Um, so from the, from like a programmer perspective, the way that I would view this is that, well, for one, it would be hard to pay that out except for like a low or maybe a low end of medium. And the reason for that is that it's essentially, well, yeah, I mean, so, well, here's why I might consider paying it. And the reason is that it's a security misconfiguration, right? And so the reality is that like, is something wrong? Yes.
Justin Gardner (@rhynorater) (09:07.413)
Mm-hmm.
Justin Gardner (@rhynorater) (09:17.189)
You shouldn't pay it out at all.
Justin Gardner (@rhynorater) (09:25.279)
Interesting, okay.
Joel Margolis (09:30.526)
Is it exploitable right now? No. Would it be exploitable in certain edge cases? Potentially, right? Like maybe you could exploit it in an older browser or like certain browser, I don't know, right? Like there might be certain edge cases where it's possible. And I think the fact that it's there and written and show like all it takes is one slip up for that to go wrong, but it's not exploitable, right? Like you said. And so I think that is a huge mitigating factor that like,
Justin Gardner (@rhynorater) (09:44.46)
Mm-hmm.
Mm-hmm.
Joel Margolis (10:00.442)
almost nullifies your bounty essentially because what's the security impact? Nothing, but what's the security issue? Something. And so I think it's kind of toning the line between a bug and not a bug. I could see like 50, whether or not the program wants to accept it.
Justin Gardner (@rhynorater) (10:03.394)
Yeah.
Right.
Justin Gardner (@rhynorater) (10:15.455)
Yeah, yeah, I mean, I would encourage, you think it's ethical, even though you know that there is no possible way for it to be exploited.
Joel Margolis (10:17.162)
But I think it's ethical.
Joel Margolis (10:26.654)
I think the ethics are the same for the program as it is for the reporter, whether or not they want to accept it and pay it out. Or, like, if the program says, I'm not going to accept this, that's kind of the same ethical decision in my mind as the reporter reporting it again, even though it's not exploitable.
Because the program is accepting, well, the program is accepting something that's not valid, and ever researchers submit something that's not valid.
Justin Gardner (@rhynorater) (10:43.817)
I'm not following you.
Justin Gardner (@rhynorater) (10:49.763)
Yeah, but the program in this scenario, the program doesn't know that. The program doesn't know that this is not an exploitable vulnerability.
Joel Margolis (10:54.486)
Oh, okay. That's a big caveat. If the program doesn't know that it's not exploitable, well, first of all, this should stop a triage, right? Like triage should see this and be like, I can't exploit this, and it probably should never even make it to the team. If the team either doesn't have triage or they decide to accept it anyways, that, if they don't mention it, like I feel like somebody should mention it, right? They're like...
Justin Gardner (@rhynorater) (10:59.851)
Yeah, that's a problem. Yeah, it should for sure. Yeah.
Justin Gardner (@rhynorater) (11:19.223)
Here's another fringe case, right? Let's say you have an injection of a URL, of a JavaScript URL into an A tag with the target blank attribute set, right? And somebody clicks that link, it won't trigger in the browser because you cannot trigger JavaScript URLs on underscore blank, target blank.
Justin Gardner (@rhynorater) (11:43.488)
a HTML tags, couldn't get that out. And so, you know, that's not exploitable, but like you said, they're deleting one attribute away from an XSS, but you know that that's not, you know, exploitable, so is it ethical for you to report that or not?
Joel Margolis (11:43.678)
Yeah, yeah. Yeah.
Joel Margolis (12:01.026)
So I think that is a little more of a clear cut case in my mind than the headers, because the headers are very explicitly like, you're setting a header in your response, this is configured incorrectly. The fact that...
Justin Gardner (@rhynorater) (12:05.837)
Mm-hmm.
Justin Gardner (@rhynorater) (12:09.391)
Mm-hmm
Justin Gardner (@rhynorater) (12:14.005)
Mm-hmm.
Joel Margolis (12:17.686)
just like being able to put a URL in an element but that's not exploitable. I don't know. Yeah, I don't know. I'm going back and forth on it.
Justin Gardner (@rhynorater) (12:24.335)
I don't know, it's tricky man. Well, I guess in order to devil's advocate my own point, I guess I would say that there's nothing really, there's nothing unethical about seeing whether something meets the criteria that a company has for their threat model for their organization. And I guess it definitely has to be, I think the rub,
Joel Margolis (12:45.516)
Yeah.
Justin Gardner (@rhynorater) (12:50.639)
is how you describe the issue in your report. Are you saying, hey, click this link and you'll get an XSS and then you actually don't. And you're like, oh, some browser restriction, blah-de-blah-de-blah, should work in other browsers, blah-de-blah-de-blah. Or are you saying, hey, this isn't exploitable in any active browsers, but I thought you might wanna know because you guys are very close to making a bad mistake.
Joel Margolis (13:12.306)
Right, and I think transparency is like the biggest thing here from both sides, right? And so, like, as a researcher, if this is something you're going to report, be ready for the program to not accept it. Like just, you know, test the waters though. I think that like what you suggested there is a good idea. Submit it, see how they react, see if this is something they care about. Some security teams care about misconfigurations like this a lot, and they'll accept it and they'll pay it. And like a security issue is a security issue even if it's not fully exploitable.
Justin Gardner (@rhynorater) (13:16.953)
Mm-hmm. Yeah.
Justin Gardner (@rhynorater) (13:24.885)
Mm-hmm.
Justin Gardner (@rhynorater) (13:35.435)
Mm-hmm. Yeah.
Joel Margolis (13:41.502)
I respect that, but I think it's really up to each program to decide how they want to handle that. And if it's something they want to say, sorry, this is informative, and then they fix it. I also don't really have a problem with that because in most cases, if you report something to a bug bounty program, I could understand you getting frustrated if they close it and then they fix it anyways. But this is not exploitable. And so...
Justin Gardner (@rhynorater) (13:57.191)
Mm.
Justin Gardner (@rhynorater) (14:06.381)
Yeah.
Joel Margolis (14:08.138)
it's really more just you're letting them know that this is a thing. And if they wanna like toss you some points or like, you know, a small bonus bounty or swag or something like that, I think that's more than reasonable depending on, again, depending on the program, but there's not really a great clear cut case for it.
Justin Gardner (@rhynorater) (14:17.057)
Mm.
Justin Gardner (@rhynorater) (14:20.523)
Yeah, I was gonna say, Jill, I'm a little bit, it's a little bit interesting to hear you talk about maybe potentially maybe paying bounties for things that are not fully exploitable. I might have to give your program a try sometime. No, you're good, man. Yeah, JuBobbs, thanks for the question, man. I think that's a good one. And...
Joel Margolis (14:38.742)
Now I'm gonna have to go look at all the security misconfigurations.
Justin Gardner (@rhynorater) (14:48.387)
The only other scenario that kind of pops into my head about whether or not it's ethical for us to participate in a Bug Bounty program in all scenarios is this case of lying about severity as well. We have a friend, I think you know what friend I'm talking about, that always just.
goes very, I'm not saying he's lying about the, I'm sorry, they're lying about the severity of the bug. But like, it's definitely strongly worded, right? And I have a little bit of an ethical thing about this because at the end of the day, like, the people on, the triagers on the security teams and stuff like that, they're seeing a lot of reports. You know, oftentimes they're not.
Joel Margolis (15:23.194)
Uh oh.
Justin Gardner (@rhynorater) (15:43.895)
the ones that are also doing the offensive hacking, right? So they're not as intimately familiar with the details of the boundaries of all of these bugs. And so, you know, pulling a fast one on these guys to gain a buck or two is, I think, unethical. So unethical, yeah.
Joel Margolis (16:00.618)
Yeah, I'll agree with you on that. Yeah, unethical. Yeah, I think everybody, especially people who hack a lot and like full-time and that kind of stuff, this is a really tricky and easy hole to fall into because when you're submitting stuff, like you don't really wanna toot your own horn too much, but at the same time, you also want to like, critical information being leaked, like, you know, like.
Justin Gardner (@rhynorater) (16:09.685)
Mm-hmm.
Justin Gardner (@rhynorater) (16:16.62)
Mm-hmm.
Justin Gardner (@rhynorater) (16:29.511)
You want to sell it. I mean, you want to get your report attention, you know? Yeah.
Joel Margolis (16:30.997)
Yeah.
Exactly. So like I think there's a line between, like, you want it to be like, this is like to demonstrate that there's impact here so the team doesn't underplay it, but also, you know, you don't really want to be like... You know, I don't like lying to programs, right? I don't think, like, I think if you have to lie and you're being dishonest, like that's kind of where I draw my personal ethical boundary of like, where is this ethical hacking and like, where's this not ethical hacking?
Justin Gardner (@rhynorater) (16:44.472)
Mm-hmm.
Justin Gardner (@rhynorater) (16:51.8)
Mm-hmm.
Justin Gardner (@rhynorater) (16:59.779)
Yeah.
Justin Gardner (@rhynorater) (17:03.383)
Mm.
Joel Margolis (17:05.342)
And the reality is that if the like triage is in the programs and everybody is doing their job properly and they read through the report properly, they should see through that still and they should pay it appropriately. And if you as a hacker have a problem with that, that's not really the program's fault.
Justin Gardner (@rhynorater) (17:13.208)
Mm-hmm.
Justin Gardner (@rhynorater) (17:19.439)
Yeah. Well, I also think here's another scenario that I've kind of felt a little ethical quandary on before is like, I don't know, man, like, clearly this is not an ethical problem, but I feel really bad about sometimes, not all the time.
But sometimes I feel bad about reporting bugs that will just clearly never, ever, ever be exploited. Like, and they are bugs and they're valid, you know, let's say access control bypasses or whatever, but like I cannot even fathom a world in which some attacker would be like, I'm gonna like unsubscribe you from these email notifications, you know, like, you know, like I...
Joel Margolis (18:00.458)
I'm not gonna try to get too doomer about this because you can, I mean, you can really extend this to like every small program and be like, who's even using this thing? But, you know, but I think, like, you know, a bug's a bug. You know, bug bounty is kind of a game. We've talked about this. There's a lot of meta aspect to how you report stuff and all that kind of stuff. So I don't know. It's a, it's a very tricky
Justin Gardner (@rhynorater) (18:09.284)
Oh, well, that's true. Yeah.
Justin Gardner (@rhynorater) (18:26.476)
Mm.
It is tricky.
Joel Margolis (18:30.102)
It's a very tricky line to figure out where that is and how you should be reporting stuff and what's ethical and what's not ethical and all that kind of stuff. So yeah, I don't know.
Justin Gardner (@rhynorater) (18:36.374)
Mm.
Yeah, yeah, okay, so scope, right? That's the other thing that you've mentioned in their comment. Is it ethical to go out of scope to attack an in scope asset?
Joel Margolis (18:53.084)
Ugh, okay.
Justin Gardner (@rhynorater) (18:53.203)
Yeah, okay. So actually, I'll take first take on that one while you think. I'm gonna say no. And the reason for that is that it's technically illegal. And so even though you have goodwill and you have good intent and you know you're not gonna weaponize these vulnerabilities to attack anyone else,
The fact that you are hacking a system that you are not authorized to hack, that crosses an ethical boundary. It's kind of like, to me, it's kind of like trespassing. You're not going to break anybody's house or cut down somebody's trees or something, but if you're walking through their property for a period of time, that's...
It's not hurting anybody, so to speak, but it is technically illegal. And that's why I would say going out of scope is not a good practice. And I think there are some scenarios where, I will say, I've seen programs do this sometimes, where they'll say, hey, star.site.com is in scope but not eligible for bounties. And then, but, you know, www.site.com is eligible for bounties.
Joel Margolis (19:53.812)
Yeah.
Justin Gardner (@rhynorater) (20:19.519)
And in those scenarios, since it's technically in scope, you can hack on that all you want and then try to use that to affect www. I think that's a really good configuration.
Joel Margolis (20:29.65)
Yeah, this is one of those really tricky cases. And again, this is going to be program by program. It's just, you know.
Justin Gardner (@rhynorater) (20:44.003)
I have to say, I'm pretty proud of that trespassing analogy too. You know, like, that was pretty good, right?
Joel Margolis (20:46.942)
Yes, that's a great analogy. Like, yes, yeah, like I think that's a great analogy. Like, man, it's so hard because like, I think all programs should be paying for impact, right? And that means that going out of scope to provide impact on the main scope is still impact on the main scope. However, just like you said, it's going out of scope. And that by definition is like violating the program terms and like doing things that you shouldn't be doing.
Justin Gardner (@rhynorater) (21:13.815)
Mm-hmm. Yep.
Joel Margolis (21:17.41)
You know, it's again, it's kind of one of those cases where if you submit something like this, don't be surprised that the program's like, hell no, this is absolutely not, we're not gonna accept this, like, you know, and you shouldn't have done that, and you're lucky we're not banning you, right? Like I think that the program has every right to be frustrated and mad if you do that. On the other hand, impact is impact, and if you can show some really solid, like if it's a critical, I think as a security team I would have a hard time being mad if it was a third party, because it's a critical.
Justin Gardner (@rhynorater) (21:24.256)
Yeah.
Justin Gardner (@rhynorater) (21:28.889)
Mm-hmm.
Joel Margolis (21:45.322)
Like, if you can provide critical impact to my program, even if it's a third party, one of the things you have to realize as a security program is that the relationships that you have with your third parties and the way that you handle accounts and data and all that kind of stuff sharing with third parties is your responsibility as a security team. It's not just like, oh, that's the third party now. Like, we're, you know, totally wiped clean of our liability here. No, like, your, you know, data and whatever is still involved there, so.
Justin Gardner (@rhynorater) (21:45.75)
Mm, yeah.
Justin Gardner (@rhynorater) (21:57.259)
your responsibility.
Justin Gardner (@rhynorater) (22:11.768)
Mm-hmm.
Joel Margolis (22:12.478)
you should still own that to some extent. But this, I think, goes back a little bit to the whole zero day, should you report a zero day to a program and that kind of stuff, and where does the responsibility lie for bounty, and should they pay for it, and all that kind of stuff. It's a very tricky scenario. I think at the end of the day, the security team is still probably gonna reach out to that third party, and they're gonna get it fixed, and they're gonna figure out how to fix it from their side so that it's not creating that impact on the main program or on the main scope. But...
Justin Gardner (@rhynorater) (22:19.349)
Yeah.
Justin Gardner (@rhynorater) (22:39.544)
Mm-hmm. Yeah.
Joel Margolis (22:42.162)
as a hacker, you are definitely crossing some lines there and you're opening yourself up to some risk by going out of scope and reporting something that's out of scope and explicitly kind of violating some boundaries and some rules in order to get that critical.
Justin Gardner (@rhynorater) (22:50.433)
Mmm.
Justin Gardner (@rhynorater) (22:56.851)
Okay, so yes, I hear that. And it actually makes me think of a better analogy for the trespassing, okay? So this time, this time we're trespassing, right? But we're doing it, we're doing it to save a cat.
Joel Margolis (23:02.818)
Oh, okay. Okay. I'll take my notice trespassing sign down. Oh, I put it back up.
Joel Margolis (23:13.318)
Oh, I mean, well, say less.
Justin Gardner (@rhynorater) (23:14.699)
Right? Like, like, I'm sorry, not a cat, a dog. No, no, I just, actually, I told you that I'm no longer allergic to cats, right? Dude, I am free of my lifelong allergy to cats and I pet a cat for the first time in my life the other day. And it was like, it was lit, man. Anyway, so I'm gonna put it back to a cat. We're trespassing on the property, but we're doing so to save a cat, right? How does that feel?
Joel Margolis (23:20.709)
What's wrong with cats?
Joel Margolis (23:26.786)
Uh, yes, apparently.
Joel Margolis (23:34.53)
It's so crazy.
Joel Margolis (23:42.369)
Okay.
Justin Gardner (@rhynorater) (23:44.179)
Right? Like that feels, that feels... Okay, maybe even more accurate would be we're trespassing on a property looking for a person's lost cat. Right? Because at the end of the day, when we're bug hunting, we don't know that we're gonna find a bug. But if we do find a bug, we are helping that program. We are finding that person's cat. And so... Ha ha ha!
Joel Margolis (24:03.382)
Sure, I'm gonna use an America analogy here, okay? So in America, if you were to do this, you also have, yes, exactly, that's exactly where I was going. 50-50 chance, right? Like that homeowner has every right, you're on their property, you're on private property, you're trespassing, like you didn't ask permission, they have every right.
Justin Gardner (@rhynorater) (24:10.878)
You're gonna get shot.
Justin Gardner (@rhynorater) (24:16.087)
Right.
Justin Gardner (@rhynorater) (24:21.123)
For all of you that don't live in America, it's not actually a 50-50 chance, but there is definitely a non-zero chance that you'll be shot at. I have been shot at multiple times in my life for trespassing, yes. Yes. Yeah.
Joel Margolis (24:25.695)
Yeah.
Joel Margolis (24:31.23)
What? Okay, that's crazy. We need to talk about that on air. Holy cow. What? Okay, that's some Virginia stuff right there. But yeah, no, I think like, okay, in the same way that like the homeowner or whatever has the right to defend their property and like tell you to get the hell out of there, same thing for the program, right? Like they have the right to say, this is not in scope,
Justin Gardner (@rhynorater) (24:41.351)
Yeah, that's some Virginia shit right there for sure.
Joel Margolis (24:59.326)
we're not gonna accept this, get the hell off my property. Right? Like, you know, and, you know, as a researcher, don't be surprised if that happens. That's kind of the risk that you're accepting by submitting that stuff. So, yeah, I don't know. I think you can't play stupid in these situations as a researcher. Like, you definitely know what you're doing. Like, if you're going out of scope and you're writing up that report, you know, like, there's a risk that they're gonna say no, or they're gonna get mad about that. And, you know.
Justin Gardner (@rhynorater) (25:02.253)
Mm-hmm, right, exactly, yeah.
Justin Gardner (@rhynorater) (25:11.683)
Yeah.
Justin Gardner (@rhynorater) (25:25.027)
There is, for sure. That's the chance you take.
Joel Margolis (25:27.762)
Hopefully you have a good relationship with the program or hopefully it's a it's a program that is willing to look past that but you know, there's always going to be the chance of mitigating factors or Not accepting it or marking it as NA or informative and still fixing it on the back end, you know Those are things that might happen. So
Justin Gardner (@rhynorater) (25:33.655)
Yeah.
Justin Gardner (@rhynorater) (25:41.771)
Yeah, I will say as well that there are some, I guess, caveats being made in Computer Fraud and Abuse Act laws for good faith security research. And so I haven't really gone down the rabbit hole lately of what that
actually looks like, and especially for people like us who have an established record of ethical hacking. I'm not sure if going out of scope would technically be illegal. And if it is, then that ethical boundary's still there, but if it's not, then yeah, that's not, yeah. Good faith security research, yeah.
Joel Margolis (26:24.042)
Yeah, I forget what the exact wording is. It's either best intent or good faith security research or something like that. I think in terms of legality, now the reality, let's get into the weeds a little bit, they didn't actually change the CFA. The Justice Department made a statement that said this is how you should prosecute the CFA. And so if you're adhering to, you know, best intent and good faith ethical hacking, then that shouldn't be illegal according to the CFA and it shouldn't be charged.
Justin Gardner (@rhynorater) (26:36.086)
Mm.
Okay.
Justin Gardner (@rhynorater) (26:44.212)
Oh really, okay.
Justin Gardner (@rhynorater) (26:52.612)
Mmm, sweet.
Joel Margolis (26:54.606)
But, I think that's separate from bug bounty, right? Like, in terms of ethics, I don't know, like everybody's ethics are different. In terms of legality, it's probably legal, at least in the US. And in terms of validity for eligibility for a bounty, that's basically what we've been talking about. Well, that's a personal choice.
Justin Gardner (@rhynorater) (27:13.079)
Well, what if it's against my ethics to do something illegal?
Justin Gardner (@rhynorater) (27:19.795)
Right, right. Cool, well today we're kind of just screwing around, so I'm going to tell you the story about me getting shot at. Because it's a pretty great story, okay? So I grew up in Virginia and like a couple hundred yards, no it was probably like a mile actually, behind my house there was this really awesome waterfall, like 20 foot waterfall.
Joel Margolis (27:22.42)
Go.
Joel Margolis (27:29.869)
Okay.
Joel Margolis (27:46.559)
Okay.
Justin Gardner (@rhynorater) (27:47.027)
massive waterfall built by slaves in the Civil War. And so it was had like, you know, it was flowing water, very beautiful area, but it was on somebody else's property. And so, but it was very far from their house, right? Like, you know, like you could barely see their house in the distance, right? So it is definitely on their property, yeah. So, you know, being the kid that I am, I've been...
Joel Margolis (27:50.32)
Oh, pretty cool.
Joel Margolis (28:01.805)
Okay.
Joel Margolis (28:05.73)
Okay, but it's on their property line.
Justin Gardner (@rhynorater) (28:14.955)
snuck out there a couple times and enjoyed the beautiful view. Well, okay, hold on. Let's hold off on that one. When I was a kid, I used to go out there often, right? But this time that I'm talking about that I got shot at, I was a teenager. Let's just say, not a young teenager. And I was
Joel Margolis (28:17.75)
How old were you at this point?
Joel Margolis (28:25.922)
Ha ha!
I'm gonna get Justin arrested.
Joel Margolis (28:42.37)
Okay.
Justin Gardner (@rhynorater) (28:44.591)
going to go on a picnic with my girlfriend. And so my girlfriend and I were walking, you know, through the woods. I had made like this little like basket and it was all cute and everything. And we're like, you know, walking to the waterfall. It's going to be so fun. And then all of a sudden I just hear shots ringing out over our head, right? And I look across the lake and I see like very, very far away. I mean, the person is like this small at this point but they're standing on their deck.
Joel Margolis (28:47.466)
Ah.
Joel Margolis (28:54.475)
Hehehe
Joel Margolis (29:03.75)
Holy shit.
Justin Gardner (@rhynorater) (29:14.179)
with a gun and we just like book it back the other way and move our picnic to the middle of the woods that was on my property. But I was, oh yeah, we did the picnic. We're not about to let a good ham sandwich go to waste. No sir, no sir. No, no, I still was hungry, man. So, yeah.
Joel Margolis (29:23.158)
Holy cow. You still did the picnic?
Joel Margolis (29:31.413)
A little bullet doesn't stop my ham sandwich.
Joel Margolis (29:37.314)
That's awesome. Wow, that's crazy.
Justin Gardner (@rhynorater) (29:40.239)
Yeah, this is a little bit of an off-brand critical thinking episode, but you know, such as life. Yeah, man, this is kind of crazy. All right, let's see if there's any other questions on here that looked good.
Joel Margolis (29:45.04)
What a wild little childhood experience there, holy cow.
Justin Gardner (@rhynorater) (30:00.556)
You could run them through real quick how to set up a mobile intercept proxy. Just talk them through that real quick while I figure out some other stuff.
Joel Margolis (30:04.97)
Yeah.
Joel Margolis (30:08.298)
Sure. Yeah, so typically what I do, regardless of whether or not it's an emulator or a physical device, if it's a physical device, plug it in, but either way you just want it to show up on ADB and have debugging enabled. And then from there you just do adb reverse tcp:8080 tcp:8080. And what that will do is it creates a tunnel between your host and the device on port 8080. And so that means that
Justin Gardner (@rhynorater) (30:21.248)
Mm-hmm.
Joel Margolis (30:38.098)
Any traffic that's going to port 8080 on the device will get tunneled to port 8080 on your host machine. And that's seriously the easiest, like most straightforward, foolproof way that I've found to proxy. You don't have to worry about network conditions. You don't have to proxy to an IP address. You literally proxy to 127.0.0.1, port 8080. It goes over ADB. It tunnels and there's no connectivity concerns or anything like that. It's great.
Justin Gardner (@rhynorater) (30:44.867)
Mm-hmm.
Justin Gardner (@rhynorater) (30:58.251)
Yeah, I love it.
Justin Gardner (@rhynorater) (31:07.747)
So then you just go into the mobile app or the mobile device's wifi settings and then set up the proxy to point at localhost 8080.
Joel Margolis (31:13.642)
Yeah, the Wi-Fi settings.
Yep. Yeah, just edit your network proxy: manual, host 127.0.0.1, port 8080. And yeah, it should work that easy. You should be able to, you know, just navigate to like Burp in your browser. If you want to get the CA cert, all that stuff should just work. So.
Justin Gardner (@rhynorater) (31:28.703)
Mm-hmm. Yeah. And then the easiest way to download the CA cert, like you said, is just hit localhost:8080. You'll see a little CA cert button up at the top right hand corner in Burp. Click that, download the cert. Sometimes you have to rename it to .cer. Yeah, or .crt.
Joel Margolis (31:44.574)
Yeah, to .crt. Yeah, yeah, either of those from .der and then you just go into your security settings, trusted credentials, CA certificates, install one, and you just select it from your SD card and it's good to go.
Justin Gardner (@rhynorater) (31:54.879)
CA certificates, yep. And then boom, done. That's the easy part though, because most applications are implementing cert pinning. So for that you're gonna need some Frida SSL pinning, bypassing secret sauce. Which we talked about, I believe, on, what was that episode? That was an early one, I think. 14? 12? I'm gonna pull it up right now.
Joel Margolis (32:04.29)
True.
Joel Margolis (32:08.69)
Yeah. Secret sauce. Yeah. We did.
Joel Margolis (32:18.6)
Uh, yeah, I think it was like 12, 14, 12 or 14.
Justin Gardner (@rhynorater) (32:25.348)
Yeah, 14. Yeah, boy remembers numbers, man. 14. 12 was JHaddix's. Yeah, you're off. LA live hacking was 17.
Joel Margolis (32:28.678)
Yeah, Twa was LA live hacking? Is that? Oh man, okay. You got this better than I do. Oh, okay. Wow, I'm way off. Cool. But yeah, no, it's that easy. You know, very straightforward and I think during the mobile episode we actually talked about the Frida unpinning. I have a universal, quote unquote, universal unpinning script that is linked there and that works like 98% of the time for me.
Justin Gardner (@rhynorater) (32:42.834)
Uh huh.
Justin Gardner (@rhynorater) (32:51.636)
Mm-hmm. Yeah, always works for me.
Justin Gardner (@rhynorater) (32:57.007)
Yeah, we can link that in the description as well. Let me write that down. Eagle meme and then cert pinning script. OK, so next topic that I, so I kind of scrolled through these. Not gonna lie, dude, there wasn't a lot of great questions. So come on, critical thinking listeners. Give us something deep. Like there's a bunch of people saying, like, could you just think, like, think critical, OK?
Joel Margolis (33:00.142)
Cool.
Joel Margolis (33:20.354)
Could you think critically, God?
Justin Gardner (@rhynorater) (33:27.235)
So one of the ones that kept on popping up was how do you approach a new target? What's the first stuff you look at? What's your process? And what kind of steps do you do before you start hacking? And I wish that we could give you a recipe, but there's not really a recipe. So it really depends on the target. For me, a lot of the time, I try to figure out what the app is and how to use it like a human.
And so for me that often means logging into the application, navigating around, reading documentation, kind of keeping a general eye on the architecture of the application, trying to understand whether it's like a single page app, whether you know you've got, they're using a front end framework like React or Vue, what their backend looks like, are there a bunch of different APIs, are there microservices, is there GraphQL, that sort of thing.
I also look at auth a decent bit, so at OAuth, at the two factor authentication flow, any sort of alternative authentication paths like one time password being sent to your email, and you just click that link and it logs you in like Slack does. Those sort of things are pretty pivotal to my methodology, but it very much varies with every single target.
Joel Margolis (34:49.354)
Yeah, for me, so I think there's a couple of core steps that I like to follow, and it generally depends on where I'm at within the process of looking at that target. So when I'm starting out, from the very beginning, a lot of it is like what you said, it's figuring out what is this app, what is it supposed to do, where are the natural boundaries in terms of what functionality should be, where are their access controls, kind of identifying those no's, like Archangel.
was speaking about in the last episode. And then from there, if they have a mobile app, a lot of times I'll be looking at that and just see what activities do they have exposed? What are the intent filters? What kind of functionality exists from like an external attack surface perspective on this app? Is there any like weird JavaScript interfaces, any web views, any content providers, any of that kind of stuff? And I'll usually do a bit of a deep dive on the mobile app and just like see if there's any
Justin Gardner (@rhynorater) (35:18.159)
Mm-hmm. Yeah.
Joel Margolis (35:47.97)
funky stuff that I should be poking at and trying to exploit. If I don't really find anything there, one of the things I do like to do is look for API endpoints within the mobile app and just see, is it different from the, if there's like a web app, assuming that is it different from that, what is the auth structure look like? How do you log in through the mobile app? All that kind of stuff. And then if I'm kind of hitting like a wall, I'd like to split and sort of
Justin Gardner (@rhynorater) (35:51.237)
Mm.
Justin Gardner (@rhynorater) (36:07.276)
Mm-hmm.
Joel Margolis (36:17.422)
do recon or do like more breadth searching where I'm trying to find new, yeah. Yeah, like what services exist, subdomains, things that are in scope that I haven't looked at that I might not know about. Are there any weird URLs or things that are provided in API responses from the mobile app or from the web app that I haven't looked at? Those are the types of things that I wanna take, a little bit of a closer look at and see if there's some bugs that I haven't found or that I, might be easy wins.
Justin Gardner (@rhynorater) (36:20.323)
Hmm. What other apps? Yeah.
Justin Gardner (@rhynorater) (36:33.525)
Mm-hmm.
Justin Gardner (@rhynorater) (36:46.614)
Mm.
Joel Margolis (36:47.358)
And then I kind of just repeat that, like, you know, look for something, find something, figure out what the functionality is, dig. If you run out of things to dig at, try and move laterally and find some other, you know, or horizontally or whatever, and try and find new things to look at and, you know, rinse and repeat.
Justin Gardner (@rhynorater) (36:49.679)
Mm-hmm. Iterate on it.
Justin Gardner (@rhynorater) (37:02.903)
Yeah, kind of grasping for straws right now, man, with this application that we're hacking, because it's like the scope is so small and I've exhausted all of it, you know, all of the attack vectors that I can think of over the past week. You know, I've tried them. And so I'm really kind of going back over, reiterating. I'm reaching for some really crazy bugs and like tangentially related.
Joel Margolis (37:19.661)
Yeah.
Justin Gardner (@rhynorater) (37:30.691)
third party libraries that could result in vulnerabilities. So it's definitely, that's definitely a part of the grind is learning how to push through those scenarios when you're like, I'm out of attack vectors. But oftentimes that's when the good stuff pops up.
Joel Margolis (37:34.637)
Yeah.
Joel Margolis (37:42.93)
Yeah, it's a really tricky scope. I mean, for me, especially for this event, the way that they have the scope structured has made it very difficult for me to want to submit everything, you know what I mean? I'll find something, I'll be like, oh, that's kind of interesting, but I don't even wanna dig into it because it'll be on a domain that's either explicitly listed as ineligible for bounty or it's not in scope. The way that they have this scope structure,
Justin Gardner (@rhynorater) (37:58.24)
Mm-hmm.
Joel Margolis (38:11.502)
I don't know if you're looking at it, but it's very particular. And so that has really limited the hacking that I've chosen to do for this event. And I think I'm kind of holding myself back here a little bit because of that, but...
Justin Gardner (@rhynorater) (38:11.776)
Mm. Yeah. Yeah, it is.
Mm.
Justin Gardner (@rhynorater) (38:22.327)
We should compare notes on that after this because I think there are some ways around a lot of that because of what you kind of mentioned before about having impact to the main domain and PayPal is really good about that. If you can show impact to the primary application to the primary target, then I think you've got some good bones there. Yeah, for sure. Sweet.
Joel Margolis (38:43.71)
Okay, cool. Yeah, let's compare notes after.
Justin Gardner (@rhynorater) (38:50.943)
Yeah, so this next one was what kind of steps did you take before you started hacking? I think the only other thing I wanted to add to this one was...
Justin Gardner (@rhynorater) (39:02.483)
Like really, we talk about this all the time, but like I get so much out of reading documentation. And it's gonna be dry at first, and you're gonna sit there and you're gonna be like, why am I reading this? But read the main apps documentation and read the developer portal documentation, because that's gonna give you so much insight into the application. And actually I missed multiple very critical bugs at this live hacking event.
Joel Margolis (39:20.716)
Yeah.
Justin Gardner (@rhynorater) (39:28.203)
because I didn't read literally every single page of the developer section. And had I read it, I would have absolutely found them, but I missed it, so, sucks man, sucks, it sucks. All right, so before we bounce, I've got three little things, three little cool things, and then I guess we can also, we were also gonna go over the reports, weren't we?
Joel Margolis (39:33.27)
soon.
Joel Margolis (39:44.879)
It happens.
Joel Margolis (39:55.637)
Yeah, yeah.
Justin Gardner (@rhynorater) (39:56.435)
Okay, so I'll make these quick. Alright, number one, two tweets from ya boi Rhynorater. I just wanted to shout these out because these are kind of surprising to me that some of these, that one of these...
Joel Margolis (40:08.118)
The way you introduced that was like as if it was a guest, but it's just you.
Justin Gardner (@rhynorater) (40:11.327)
No, it's me. Ha ha ha. From, from the man, the myth, the legend, me. Ha ha. No, no, um, you know, so here's the thing, man. Like, and I'm sure you get this all the time as well, but like I get tagged in like five to 10 Twitter posts a day and I get saying like, hey.
Joel Margolis (40:15.814)
Like from this awesome unheard of hacker before. Me.
Justin Gardner (@rhynorater) (40:37.951)
Rhynorater and then spam a bunch of other popular bug bounty hackers, how do I exploit this thing? And I try to respond to them if I can. And so, last, I guess two weeks ago and almost now, somebody was like, hey, I found an open redirect, but it only allows Google and target.com, not other websites. What should I do? How can I exploit this? And so I commented on it because I knew the answer, and the answer is, Google has a built-in open redirect.
that they don't patch that is just a part of functionality for Google. That is google.com/amp/s/ and then your target domain. If you go to that, it will redirect you to the target domain. Yep. And so it's just funny because it, I believe it does, yes.
Joel Margolis (41:15.887)
Mm. For the AMP page reloads. Yeah.
Joel Margolis (41:20.994)
Does that work on mobile?
OK, because normally AMP pages, that behavior is typically restricted to mobile. So I'm curious if it behaves a little bit differently if you have a mobile user agent and stuff.
Justin Gardner (@rhynorater) (41:31.96)
Oh, really?
Let's see, we can simulate that real quick.
Joel Margolis (41:41.418)
Yeah, for those who don't know, AMP pages are essentially, they're supposed to be like mobile, okay, yeah, there you go. So, yeah, so mobile, typically the way that this works is that there's these AMP pages. I forget what it stands for, but it's meant to be basically mobile-friendly versions of pages. You see it a lot with news websites, especially, like, yeah. Yeah, so it's really meant to be like a simplified, mobile-friendly version of whatever page you're looking at.
Justin Gardner (@rhynorater) (41:44.275)
No, it does not work for mobile. For mobile, it doesn't do that.
Justin Gardner (@rhynorater) (42:00.931)
Accelerated mobile pages.
Joel Margolis (42:09.79)
Again, I see it a lot with journalism and news websites, like news articles and stuff. But typically, if you try and visit an AMP URL on desktop, it does what you said, it redirects you. So that's probably why that's happening, is that it detects you on mobile and it goes, oh, let me try and render an actual AMP page. And if you're on desktop, it goes, go back to the main page.
Justin Gardner (@rhynorater) (42:13.354)
Mm-hmm.
Justin Gardner (@rhynorater) (42:30.031)
just go to the main page. Wow, very interesting, Joel. I didn't know that. That's helpful to know why that actually works. Yeah, so if you're looking for a chain for your open redirects, that's the one. It was really funny because this guy tagged me in this post, I commented on it, and then that comment got more retweets and likes than my normal Twitter post, so I was like, wait a second, what the heck is going on here? Yeah. Mm-hmm.
Joel Margolis (42:53.229)
Yeah, that's a good one though. That's a really clever attack scenario, especially for like desktop clients. Yeah, yeah, very cool.
Justin Gardner (@rhynorater) (43:00.223)
Yeah, if you're gonna chain it. Yeah. The other thing was, I was exploiting an XSS the other day, tweeted about it, so if you guys haven't seen that, you can go check it out, but I just wanted to mention it on the pod as well, because it's a nice little tidbit. I was getting sort of stopped by the X-Content-Type-Options: nosniff header when I was trying to change a CRLF into an XSS.
So you're adding the break, then you're adding the content body, you're providing content length, that sort of thing. But for some reason I couldn't, in the scenario, the content type header had to be blank, or else it would break it. And if you try to do, if you do content type blank, it's gonna try to sniff it normally, but in the scenario they had the no sniff header. So...
Joel Margolis (43:43.877)
Mm.
Joel Margolis (43:53.282)
Mm-hmm.
Justin Gardner (@rhynorater) (43:54.943)
I actually added another nosniff header with an invalid value. If you have two X-Content-Type-Options headers, one of them with an invalid value, one of them with a valid value, Chrome just throws the whole thing out the window. Yeah.
Joel Margolis (43:59.479)
Hmm
Joel Margolis (44:09.526)
Yeah, I was gonna say, like, potentially for the... Even just for the content type, providing two values of it, one should... I mean, that leads to some kind of unanticipated behavior with how it's gonna behave, so...
Justin Gardner (@rhynorater) (44:14.445)
Mm-hmm.
Justin Gardner (@rhynorater) (44:21.739)
Yeah, yeah, it definitely does. And the reason we couldn't override the content type was because the CRLF was in the path and you couldn't put a slash in it. So you can't do HTML, you know, text slash HTML, right? So we couldn't override the content type to be a text, an HTML content type. We tried everything we could think of for that. You have to have a slash. So we said, all right, what about a blank content type and then HTML sniffing, and that's how we got.
Joel Margolis (44:31.407)
Oh. Dang.
Joel Margolis (44:36.93)
Hmm.
Joel Margolis (44:47.755)
Yeah, that's what I thought.
Justin Gardner (@rhynorater) (44:49.979)
how we popped it. But I was just really surprised to see the X-Content-Type-Options header. If you provide two of them, it's just like, you know what? Actually we just give up. We don't know what to do. And then it just sniffs the HTML. Yeah.
Joel Margolis (44:51.266)
Okay.
Joel Margolis (44:59.19)
Yeah, I'm also surprised that that's from a client side. Like you'd think that would be more of just like a server side control that would, you know, do that if it didn't detect something or, you know, whatever, like.
Justin Gardner (@rhynorater) (45:09.579)
Yeah, well it's the browser's, you know, the response header is for the browsers. You know, it tells the browsers whether to sniff or not to sniff. And so, Chrome just said, screw it. This is in a response header.
Joel Margolis (45:17.486)
Mm.
Joel Margolis (45:20.655)
Oh, so this is in a response header from an API. Not, okay, I thought you meant in like an outbound request that you were changing the request content.
Justin Gardner (@rhynorater) (45:26.335)
No, no, no. So this is a CRLF. We're injecting another X-Content-Type-Options header in the response and trying to trigger the XSS. And the browser says, all right, I'll sniff that. If you give them... I'll sniff that. So I thought that was a good one to know. We're getting silly, man. This is what happens when you stare at a screen for 12 hours a day for the past week.
Joel Margolis (45:41.832)
I'll get that a sniff.
Joel Margolis (45:46.414)
I was like... Cool.
Joel Margolis (45:53.262)
Ha ha
Justin Gardner (@rhynorater) (45:55.675)
Okay, last little one. This is actually a trick I used to get an ATO at, let's just say recently, and at recently. Shut up, Joel. So essentially, this scenario was a scenario.
Joel Margolis (46:07.554)
You at recently, right?
Justin Gardner (@rhynorater) (46:21.707)
we really often see, which is you've got an application that is using like Axios JS library on the front end to communicate with an API, and they're authenticating into that API by an authorization bearer header. And that header is just sort of stored in the JavaScript state and not stored in local storage or in a cookie. So if we get an XSS normally, you're going to try to pull your session token out of...
Joel Margolis (46:44.206)
Okay.
Justin Gardner (@rhynorater) (46:50.311)
at local storage or out of a cookie. But in this scenario, you can't because it's not stored there. So your option is you can go through the OAuth flow, which in this scenario had a bunch of like crazy intricacies with crypto stuff to it. Like you had to generate like a certain length nonce or whatever and then it had to get passed. It was kind of a pain in the butt. So what I actually did was I created an iframe.
to the same origin page. And then that iframe, when it loaded up, it was gonna try to reach out to the API to load data. And I just reached into that iframe and overwrote the fetch function, the window.fetch. And I just put my own function in there. I shimmed it, is what it's called. And essentially said, okay, anytime they call fetch, call my function and then call fetch.
And if that function call has the authorization bearer header in it, then exfil it to the attacker server. So it's not a crazy hack, but it is something to know that is useful. If you are trying to, you know, if you have XSS, you have the opportunity to overwrite functions like fetch or other properties within the window. Not all properties can be overwritten, but most of them can. And you can use that to save yourself some time and...
when proving an exploit or in some cases, like JavaScript sandboxes, you can actually use these to escape the sandbox and get arbitrary JS execution.
Joel Margolis (48:27.47)
That's super interesting. I'm curious how it's stored in a place where it's not in local storage and not in cookies, but shouldn't it always be accessible from JavaScript if it's being set?
Justin Gardner (@rhynorater) (48:40.031)
I'm sure it is. I'm sure I could hit like window.reactstate, you know, bloody, blah. Yeah, yeah, it is. And it's from within their minified hell that is whatever JavaScript library they were using in the front end. And so I just didn't feel like freaking traversing the whole.
Joel Margolis (48:46.402)
Because somehow it's setting it in Axios.
Joel Margolis (48:55.636)
Yeah.
Justin Gardner (@rhynorater) (49:03.615)
you know, JavaScript window object to find that. And it took literally like two minutes to write the exploit and pulled it out really easy rather than having to do like an OAuth, you know, hijack this like OAuth flow and like generate a cryptographically accurate, you know, nonce or whatever. So figured I'd mention it cause it's a cool little trick. It's actually, unfortunately, like the coolest thing I've done this live hacking event because all of the bugs have been mega boring.
Joel Margolis (49:03.71)
Yeah, it's just easier to set your own function.
Justin Gardner (@rhynorater) (49:33.059)
They've been like, you know, well actually I won't say what kind of bugs they are, but you know, they have not been very interesting bugs. So congrats to the PayPal team. You don't have a lot of, you know, crazy interesting bugs, just boring ones. Yeah.
Joel Margolis (49:33.19)
Yeah.
Joel Margolis (49:36.622)
Hahaha
Joel Margolis (49:52.394)
Congrats for having boring bugs. Yeah, cool. Um, is it do I should I talk about my the bug that I had?
Justin Gardner (@rhynorater) (49:58.215)
Oh yeah, let's go ahead and go over some bugs. That's always a dub.
Joel Margolis (50:00.354)
Cool. Yeah, so I had a really interesting bug a couple weeks ago, and I had talked to you about this because I think we're both on this program. It's a private program, so I won't say who it is. But the mobile app was primarily in scope, and I was looking at the mobile app, and there was some interesting functionality in one of the API endpoint responses. And there was like a JSON object that had a bunch of different configurations, URLs and stuff in it. And one of them was
Justin Gardner (@rhynorater) (50:07.847)
Mm-hmm. Yeah.
Justin Gardner (@rhynorater) (50:27.691)
Mm.
Joel Margolis (50:30.146)
a .html file, which kind of caught my eye, because a lot of times in modern web app infrastructure, you really don't see raw .html like that. And it just seemed like a kind of a weird endpoint. And I was like, huh, I wonder what that is. And so I went to it, and it rendered some very strange stuff. And there was this login functionality. You're supposed to log in so it can get your account. And then you can do app functionality to
Justin Gardner (@rhynorater) (50:40.845)
Mm-hmm.
Joel Margolis (50:59.174)
schedule something, is what I'll say. And so I was poking at it, and I was like, huh, this is really weird, but I wonder if this is actually being used, because every time I would try and exploit it, I would click login, and it would send me to a different page. I was like, huh, this is kind of weird. Maybe this is just a dev environment or something. So I go, I log in, and it takes me to the main page, and I notice very, very similar to the .html that I was looking at embedded within the page.
Justin Gardner (@rhynorater) (51:01.42)
Mm-hmm.
Justin Gardner (@rhynorater) (51:19.225)
Legacy thing or something. Yeah
Joel Margolis (51:28.906)
Okay, so I look and it's an iframe. And it's an iframe from a different URL, but it's rendering essentially the same thing as that .html. And so as I kept digging, I realized that it does postMessage communications to talk back and forth, because it's embedded within an iframe and it has to pass authentication from the main site into this iframe. And so I was like, huh, I wonder how that works. Like, how is it, like what's actually triggering that to, you know, send over the auth? Like, is it...
Justin Gardner (@rhynorater) (51:47.692)
Mm-hmm.
Joel Margolis (51:58.102)
a certain event, like what are the restrictions on that? Could I put my own frame in there, like whatever. So I start digging and sure enough, there's, I mean, the stars really aligned on this one because there's this functionality for different environments within this iframe. And essentially it has a URL parameter called override URL. And essentially it checks for, you know, it's supposed to be that if you set it to local, then it like uses 127.0.0.1 or something, right? But they had,
Justin Gardner (@rhynorater) (52:02.988)
Mm-hmm.
Justin Gardner (@rhynorater) (52:19.082)
What?
Justin Gardner (@rhynorater) (52:24.609)
Ah, sure.
Joel Margolis (52:27.658)
you know, they essentially didn't check if it was, you know, you could put whatever you wanted in there. Like if it was just like, you know, if it's not in the URL, then it just defaults to whatever you've set it to. And so I could just set it to my own iframe, and then it would embed my iframe in the page. And so then I could send a post message to the parent.
Justin Gardner (@rhynorater) (52:40.675)
Dude.
Justin Gardner (@rhynorater) (52:46.163)
And is this inside a web view in the mobile app or is this in, like on web?
Joel Margolis (52:50.718)
No, so that's the weird thing is like it started out from the mobile app and then it ended up just being a complete web bug. Like I only found that URL and the fact that it was iframe and all that from the config endpoint within that mobile app. And then all and then I realized, oh, this is like on the main site. It's like a different URL, but the functionality is all the same. So, yeah, I could set this parameter to my own URL. It would then set the iframe source to that URL, put it in the page.
Justin Gardner (@rhynorater) (53:09.414)
Interesting.
Joel Margolis (53:18.474)
and then you could send post messages to the parent and there was all these different commands and stuff. So initially I just, you know, I sent the one that it sends me the auth token. I was like, okay, that's pretty cool. And then I kept poking and I was like, oh, there's actually like a lot more functionality in here. And so you could do all sorts of things. Like you could, you could, there was actually one action called go to, and it would just do window.location equals whatever. So you could just, you know, a second, yeah, basically a second XSS.
Justin Gardner (@rhynorater) (53:24.099)
Wow.
Justin Gardner (@rhynorater) (53:37.071)
This is ridiculous.
Justin Gardner (@rhynorater) (53:42.731)
Lovely. There's your XSS. Yep.
Joel Margolis (53:47.314)
You could get geolocation through one of the other actions. There was like a lot of really interesting functionality, but it all just stemmed from this random, you know, URL that I was like, huh, I wonder what that is. And then when I was trying to log in with it, I realized that it was sending me back to the main page and it was, you know, doing very similar functionality but from a different URL. And the team actually accepted it, which is, which is amazing. Technically, I think it probably would have been out of scope according to the explicit scope that was written down, but it's
Justin Gardner (@rhynorater) (54:07.907)
That is cool.
Joel Margolis (54:16.518)
on the main website and it's account takeover. So, yeah.
Justin Gardner (@rhynorater) (54:18.743)
Hmm. It's used by the, the in-scope asset as well. So, yeah.
Joel Margolis (54:24.298)
Right, yeah, so that was a, oh, and I'm looking right now and it seems that they actually added, they added the main site to the scope, so that's good. It wasn't, yeah, yes, so that's dope. But yeah, that was a really fun one. I've actually been enjoying hacking on this program. You know the one I'm talking about, but yeah, they have a pretty cool scope and it's something that I use personally, so.
Justin Gardner (@rhynorater) (54:31.903)
Oh, did they really? Oh dude, heck yeah. We need to go check that out.
Justin Gardner (@rhynorater) (54:42.935)
Yeah, I do. I do.
We'll check it out after the live hacking event in Japan. So that'll be fun, man. I love post message bugs. Post message bugs are so much fun. We talk about them all the time on the pod, but they're essentially APIs for your browser tabs, essentially. And why would you not want to remotely interact with a browser tab? So very, very cool stuff there.
Joel Margolis (54:50.251)
Yeah, yeah, for sure.
Joel Margolis (55:08.651)
Yeah, exactly.
Justin Gardner (@rhynorater) (55:12.799)
Alrighty, my report for the day is also a private program, so I can't really talk about it. But I can tell you the gist of it. And I will say that this chain starts with a XSS. And it came from none other than Mr. Today's new himself, Eric, so thanks for the assist there, Eric. And I found this whole chain.
Joel Margolis (55:33.89)
Awesome.
Justin Gardner (@rhynorater) (55:40.191)
And I had an XSS that had already been reported that I used to exploit the first time they were like, dupe, because you already use the XSS and you can't use it in another ATO chain. And I was like, guys, you're literally putting your users at so much risk right now by not fixing this. I guarantee you there's another XSS on your attack surface right now that could be used to exploit this. They didn't accept it.
There we go, couple weeks later, we do another run of it and find an XSS. Eric finds it in his automation, passes it over to me, and we exploit the bug. So here's how it works. Essentially what it is, is it's taking advantage of sort of a session fixation, but for the password reset. And so what you can do is you can...
use an XSS on star.anything, and you can take a specific session that you can generate, and stick it in a cookie, and set that cookie to a very specific scope, okay? To the specific path. So the way that cookies work in the browser, if you put a cookie at a more specific path than another cookie, even if the domain is wider, that cookie will be prioritized when it is sent to the server.
So let's say you have two cookies with the name session. If the path that you're on is slash login and one of the cookies is set to slash login and one of the cookies is set to slash, the slash login will be sent first and oftentimes prioritized.
Joel Margolis (57:20.814)
And you're saying even if the cookie that's scoped for slash login, even, even if it's like specific subdomain dot post comm, it'll still override? Okay.
Justin Gardner (@rhynorater) (57:25.467)
is set to the star scope.
Justin Gardner (@rhynorater) (57:32.523)
I believe so, yes. I'm actually wondering now whether both of them have to be set to the star scope, right? Or to like .site.com, or whether, that's interesting, I'll have to check that. But I know for a fact that if both of them are set to .site.com, then the one with the more specific path will be set first, or will be sent first. And so in that sort of way, we can get our cookie to be prioritized. So then,
Another trick that we can do is we cookie bomb the password reset flow, or the login flow, excuse me. And when they go to login, if you cookie bomb that specific path, then the request will fail because the header size is inflated because of all the cookies you send from the other subdomain. Then when the request fails, it just gives you an invalid password response.
And so what are they gonna do? They're gonna reset their password. So they go to the password reset flow, they start going through the flow, and when they get to the end of the flow, there's a screen where you can set a new password. This whole time they've been using our maliciously set password reset token. And at that point, we use that password reset session to go directly to that page, and then we set the password before they can set the password.
Joel Margolis (59:02.162)
Mmm.
Justin Gardner (@rhynorater) (59:02.379)
and then we take over the account. And that is the account takeover that uses a cookie prioritization trick, cookie bombing, and sort of a session fixation bug.
Joel Margolis (59:04.892)
super interesting.
Joel Margolis (59:18.498)
So how did the program in triage react to that? Because that's kind of like, did it automatically take them to the password reset flow if it failed when you cookie bombed it, or during login? OK.
Justin Gardner (@rhynorater) (59:29.791)
No, no, they accepted the attack scenario that if you could figure out a way to tell the user that their password is wrong every single time they try to log in, that the next logical step would be to reset their password. So I think.
Joel Margolis (59:43.402)
Okay, yeah, so it's essentially a DOS that leads them to, you know, reset their password so they can log in, because it's saying invalid password or whatever. Login failed. Nice.
Justin Gardner (@rhynorater) (59:50.867)
Exactly, exactly, because the login request fails every time because of the cookie bomb and then the password reset flow, they go down that path and then we fixated the session for that. So, yeah, pretty fun bug, right?
Joel Margolis (59:55.724)
The Cookie Bomb.
Joel Margolis (01:00:03.914)
Super cool. That's a super dope bug. Yeah, that's awesome. That's a really interesting one. I'm gonna have to look for stuff like that. I almost never look for like cookie bombing stuff because it's so case by case, but that's a really good instance of it.
Justin Gardner (@rhynorater) (01:00:14.123)
Yeah, it is. Yeah, cookie stuff, this is another thing that sort of came to mind when you were talking earlier about what kind of things you look for, particularly when you are starting assessing a program. For me, I always look at the cookies and I look at the authorization headers and any sort of cool codes that are being thrown around from an OAuth flow or anything like that.
It's very important, especially on those websites where you've got like 50 bajillion cookies that are being sent and you don't know which one's the session token, you don't know which one is like sort of your elevated session token, you don't know which one like tells whether you're not, you should remember the username, you know. There's just so many, so many cookies out there and they all just kind of get conglomerated together. And so I will give another shout out to something I gave a brief shout out to in the past on critical thinking. And that is...
Joel Margolis (01:00:53.911)
Yeah.
Justin Gardner (@rhynorater) (01:01:07.319)
the Burp Suite plugin called Request Minimizer. This has saved me so much time. Yeah.
Joel Margolis (01:01:11.306)
I was gonna say this is something that I actually do. I wasn't sure if other people do this. And I think, yeah, I think we've talked about this, but if I'm messing with a request and there's a ton of cookies like that, one of the first things I will do is I'll open the Request Inspector in Burp, and I'll do this manually. I'll just open the cookies, I'll select like 80% of them, and I'll just delete it. And then I'll just send the request, and if it succeeds, then I'll do it again. Exactly, and if it fails,
Justin Gardner (@rhynorater) (01:01:19.957)
Mm.
Justin Gardner (@rhynorater) (01:01:25.23)
Mm-hmm.
Justin Gardner (@rhynorater) (01:01:30.497)
Mm-hmm.
Justin Gardner (@rhynorater) (01:01:35.467)
Yep. It's almost like a binary search, right? Yeah.
Joel Margolis (01:01:40.634)
after the first time, then I know that the cookie that I need is in there, and so then I delete all the other ones. And then if it still fails, then I know that I need two cookies. So yeah, that, that's kind of what I do, but there's a, there's an extension for this. Is it a
Justin Gardner (@rhynorater) (01:01:45.15)
Yep, paste it, delete the other ones, yeah.
Exactly.
Justin Gardner (@rhynorater) (01:01:53.887)
Yeah, there's an extension for this called Request Minimizer, and essentially what it does is it just tries to remove everything it possibly can from the request and still get the same response. And I use this plugin all the time, really valuable for analyzing what exactly is important in an HTTP request. So I definitely recommend it.
Joel Margolis (01:02:05.035)
Nice.
Joel Margolis (01:02:14.51)
That's awesome. Yeah, I'm gonna have to grab this for my burp. Very cool. Awesome.
Justin Gardner (@rhynorater) (01:02:20.279)
I'm gonna go ahead and write this down. Dude, I think that's it. I think that's a wrap, yeah?
Joel Margolis (01:02:25.062)
Yeah, I think that's pretty much it. Good little chat. Get back to live hacking and all that kind of stuff. Try to get some sleep before your flight. Is it is it a direct for you from Virginia? Do you have to connect?
Justin Gardner (@rhynorater) (01:02:32.375)
Yep.
Justin Gardner (@rhynorater) (01:02:36.863)
Yeah, for sure, man. I, uh, no, it's a, it's a one little one, one hop up to DC and then a direct to Haneda. Um, so yeah, not too bad. I think it's like 15 hours or 16 hours total. Not, not too bad. So I'm excited, man. All right. I'll see you in, uh, in Tokyo in 15 hours. Um, yeah, I land today for you. So, yep.
Joel Margolis (01:02:46.954)
Nice. Okay.
Joel Margolis (01:02:53.166)
Cool. So do you land on the 13th or 14th?
Okay, fifteen hours.
Joel Margolis (01:03:03.826)
Okay, sweet. Alright, well, I'll see you tonight then I guess.
Justin Gardner (@rhynorater) (01:03:07.443)
Wait, wait, no, no. I land tomorrow for you. Because I lose time going to Japan. I'll see you tomorrow. All right, peace.
Joel Margolis (01:03:12.21)
Oh, I guess I'll see you tomorrow.
Joel Margolis (01:03:17.054)
Okay, I'll see you tomorrow. Peace out.