Nov. 9, 2023

Episode 44: URL Parsing & Auth Bypass Magic

Critical Thinking - Bug Bounty Podcast

Episode 44: In this episode of Critical Thinking - Bug Bounty Podcast, the topic is URL structure. Justin and Joel break down the elements that make up a URL and some common tips and tricks surrounding them which allow for all sorts of bypasses. We also round out the episode with some new tools, ATO stories, and some controversial current events in the hacker scene.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

"XnlReveal" XNL h4ck3r

OAuth article by Salt Labs

H1 controversy recap

ATO through Facebook Login

https://twitter.com/Jayesh25_/status/1718543152296939861

https://twitter.com/itscachemoney/status/1721658450613346557

When URL Parsers disagree

Golden techniques to bypass host validations in Android apps

Mozilla article on HTTP Authentication

Breaking Parser Logic talk by Orange Tsai

URL Detector

SSRF Bible

Timestamps:

(00:00:00) Introduction

(00:04:10) “Xnl-Reveal”

(00:07:22) OAuth vulnerabilities

(00:13:17) Recap of controversy surrounding the handling of a vulnerability report on H1

(00:18:55) Hacker Success Manager Program

(00:22:30) Facebook login ATO

(00:27:45) When URL parsers disagree

(00:34:34) URL Structures

(01:02:22) Shared secrets across environments

(01:09:40) Social Media Logins

Transcript
Justin Gardner (@rhynorater) (00:00.746)
Sup my dude? Dude, I know man, it's just me and you again. No more guests. We've been doing guest palooza these past couple episodes. Yeah. Dude, this might be... I'm at the standing desk right now. This might be a sitting episode, not gonna lie, because it's just been so freaking crazy lately. Hold on, let me go grab...

Joel Margolis (teknogeek) (00:02.55)
Yo yo yo, man what a day.

Joel Margolis (teknogeek) (00:10.982)
I know, holy cow, I feel like it's been messed up.

Joel Margolis (teknogeek) (00:19.328)
Yeah?

Should we even go into my standing desk chaos? So basically I have an Uplift desk. I love my Uplift desk. It's huge, it was like the biggest sit-stand desk I could find. It's like 90 inches long or something. I don't know how many feet or meters that is. Uh, it's big, it's huge. And, uh, it's been great for like a couple of years. And then yesterday we were doing some recording and, uh,

Justin Gardner (@rhynorater) (00:25.222)
Oh my god dude, tell the people about that while I go get my chair.

Justin Gardner (@rhynorater) (00:43.79)
Thanks for watching!

Joel Margolis (teknogeek) (00:51.582)
I was like noticing that my camera was like slanted. And I was like, I don't know what's causing this. And I had like rotated my monitor so it looks straight. And I was like, that's definitely crooked. And so I just like ignored it and figured it was like maybe my house is not level or something. And so then I just like sat down while my desk was up. And I was like sitting in my chair and I just look over at my desk and I see it's like visibly like slight like...

Justin Gardner (@rhynorater) (00:54.702)
Dude, it was so off.

Joel Margolis (teknogeek) (01:17.782)
very noticeably at a different height. And it turns out the legs are at different heights. So then I tried to fix it and I like lowered the whole thing down and then it started throwing this error code and I like looked up the error code and they were like, you should try and reset your system. And I like did the, I did everything.

Justin Gardner (@rhynorater) (01:20.258)
Dude.

Justin Gardner (@rhynorater) (01:30.994)
Yeah, and then, and then, no, no. Don't skip the part where Joel was angrily filling out like a warranty agreement, you know? Joel's like, ah, this stupid piece of garbage. Like I gotta, I gotta like submit a warranty claim on this bloody, I'm like, Joel, did you try like holding the down arrow for a little while? Ha, ha, ha.

Joel Margolis (teknogeek) (01:39.662)
No, that's true.

Joel Margolis (teknogeek) (01:50.03)
Okay, here's the thing, here's the thing, here's the thing. I reset it by holding, like the way you're supposed to do it is you hold the down arrow and then it like, it's supposed to bring both legs all the way down if they're at different levels and I did that, but then it threw this error code and so it was like, if you see this error code and like it wouldn't do anything with here, like I couldn't move it, I couldn't, like I unplugged it, I plugged it back in. Okay, so I'm getting there, I'm getting there, okay. So I fill out, I like do the reset instructions, nothing changes, I'm like, okay.

Justin Gardner (@rhynorater) (01:58.646)
Okay?

Justin Gardner (@rhynorater) (02:06.658)
Oh man. Well then why did it start working whenever I said to...

Joel Margolis (teknogeek) (02:18.626)
this is like broken, I need to have them fix this I guess. And also my desk is now slanted and stuck in the down position. Yeah. So I like, I fill out this form, I like take pictures and stuff, I send it all off. And then you're like, have you tried like, just holding down and like, usually that's how you're supposed to like recalibrate it. But I figured it wouldn't do anything because it was in the air mode. So I like try it and sure enough, it goes into like ASR or whatever. And then I'm able to hold down and the...

Justin Gardner (@rhynorater) (02:21.36)
Uh-huh.

Justin Gardner (@rhynorater) (02:24.688)
stuck on a slanted, yeah, that was so bad.

Justin Gardner (@rhynorater) (02:39.04)
Yeah.

Joel Margolis (teknogeek) (02:46.91)
Other leg like went all the way down finally, and then I like recalibrated it and everything's working fine now. So I don't even know. I feel like an idiot because I like sent them an email or whatever, I like filled out their form, and then like 20 minutes later I sent a follow-up. I was like, yeah, actually never mind, I fixed it. So anyways, very anticlimactic.

Justin Gardner (@rhynorater) (02:52.842)
Go. You gotta go cancel your, you gotta go cancel your warranty claim, bro.

Justin Gardner (@rhynorater) (03:09.135)
Well, that's another episode of Joel's office problems. We've talked about chairs, we've talked about cameras and mics, and now we've got a slanted desk story.

Joel Margolis (teknogeek) (03:17.11)
Ha!

Joel Margolis (teknogeek) (03:20.534)
Don't get me started on cameras. Don't get me started on cameras. You saw the white balance problems with my camera yesterday too.

Justin Gardner (@rhynorater) (03:25.15)
I did, dude. You had to fight with those. That was a challenge.

All right, let's give the people what they're looking for here, Joel. Let's give them some talk about security, about critical vulnerabilities, or in this case, our boy XNL Hacker dropping a pretty awesome Chrome extension inspired by the pod and inspired by some tweets from the podcast account. After the episode with Renny Pak, he was thinking, actually, he does a nice write up of his sort of thought process or inspiration.

in the GitHub repo, but he releases this Chrome extension called xnl-reveal, which shows alerts for any query parameters that are reflected, shows any hidden elements, and enables any disabled elements. And Joel, I don't know if you saw it, because I was running the Twitter at the time. Did you see that whole tweet storm about like, you know, enabling hidden elements via a Chrome extension versus, you know, using Burp's enable thing?

Joel Margolis (teknogeek) (04:26.79)
I didn't see any of this, and one interesting thing I will note as well on that feature specifically is that in like the latest, I think it's the latest version or whatever, version point three, he made a change where now it's like a context menu, so if you right click, there'll be a little button to show hidden elements so it doesn't show it by default on everything, which I think is probably for the better, just for usability, but no, I didn't see that thread.

Justin Gardner (@rhynorater) (04:32.555)
Yeah.

Justin Gardner (@rhynorater) (04:36.662)
Cough.

Justin Gardner (@rhynorater) (04:45.568)
Oh, that's nice.

Justin Gardner (@rhynorater) (04:50.514)
Yeah, yeah, so essentially the whole concept of that tweet was like, you know...

Burp has this feature where it will modify the HTML response to remove any disabled equals true or some of the hidden features, right? To unhide an HTML element so you can access stuff, like buttons that shouldn't be clickable, that sort of thing. But the majority of the apps nowadays are being generated by a JavaScript single page thing, right? So when HTML elements are being generated on the client side,

passing that whole thing with Burp. So you're missing a bunch of hidden elements. So in order to solve this, I actually have a JavaScript bookmarklet that I use where I click this bookmarklet and then it automatically goes through and removes anything with display none or removes the disabled attributes. But XNL Hacker combined that piece of advice, or that sort of conversation that we had on Twitter, with the stuff that...

Renny Pax was talking about on the episode we did live from Portugal and created this awesome extension that does it all. So really nice, really nice work there, man. I really like that XNL Hacker.

Joel Margolis (teknogeek) (06:02.498)
Super awesome. Yeah, yeah, that's awesome. It was really cool to see and it looks like it really popped off on Twitter. It's got a ton of views and a ton of stars on GitHub. So it's really cool to see the community hearing us talk about these types of things and then going and just spinning up a tool in a day or two. It's really awesome.

Justin Gardner (@rhynorater) (06:15.679)
Yeah.

Justin Gardner (@rhynorater) (06:21.254)
I know man, whenever anybody does that I'm so excited and happy, because it's like I feel like I contributed to that. But I didn't, you know, like I get to sort of be like, yeah. It's like that meme, you know, like "I made this." "You made this?" Yeah, like I love that. That's great. Yeah, all right, cool. Did you get a chance to read this next one?

Joel Margolis (teknogeek) (06:29.754)
Hehehe

Joel Margolis (teknogeek) (06:35.162)
I made this. Yeah. Yeah, that's awesome.

Joel Margolis (teknogeek) (06:44.742)
I didn't, but we have a couple things about email and OAuth account takeovers and stuff, so why don't you break this down because we have one following up that's...

Justin Gardner (@rhynorater) (06:50.866)
Yeah, yeah, so this one's an OAuth one. Yeah, this one's a cool one, okay? So this is a writeup by Salt Labs, okay? And this is discussing an OAuth problem that affected a lot of websites, it looks like. They were able to exploit three websites with this vulnerability.

And whenever anything OAuth pops up, I'm listening because it's widely used everywhere. And it's so complicated. And I know that there's some stuff I don't understand about this, right? Because you know dang well, you probably know the people I'm talking about, but there are some people that are at the live hacking events that like OAuth is their thing and they're just like so, you know, mysterious about it. And I, you know, I've gone up to them a couple of times. I've been like, yo.

Joel Margolis (teknogeek) (07:35.778)
Yeah.

Joel Margolis (teknogeek) (07:39.767)
Ha ha.

Justin Gardner (@rhynorater) (07:42.406)
So tell me what the deal is, and they're like, can't tell you man. And I'm just like, what the heck? So I'm on this like never-ending search to understand OAuth as well as these people. So this one definitely caught my attention, but it's a little bit...

Joel Margolis (teknogeek) (07:46.374)
Hahaha

Justin Gardner (@rhynorater) (07:56.606)
It's a little bit different from like a normal OAuth configuration thing. It's actually specific to Facebook. And I imagine that there are other providers that might have similar vulnerabilities, but the concept here was that whenever using Facebook to log in, you know, a user, right? So this is a vulnerability affecting applications that allow sign on via Facebook, log in with Facebook. There's a little caveat down the, you know, line in the instructions

on how to build this out that says when you get a token back from the user, you need to make an introspection call to make sure that this token is for your own app rather than for a different app, right? Normally, you know, you'd think that they would do this. But in the beginning I was thinking like, oh okay, so shouldn't they have to swap the code for an access token? But that's actually a different OAuth flow that's...

Joel Margolis (teknogeek) (08:40.202)
It's such a weird thing to call out.

Justin Gardner (@rhynorater) (08:56.298)
Actually, I shouldn't speak to it off the top of my head because I believe that this one is called the explicit grant type.

But essentially, the big thing that changes here in the end is that the response type is different, right? They give you a token at the end rather than a code, which the user needs to give to the server side and then thus have swapped for an access token. Instead, they just give the access token directly to the website, right? So when you see this in these sort of situations, what they're supposed to do is take this access token and hit a debug endpoint to be like, okay, is this access token for my app?

Or is it for a different app? And if it's for a different app, and they don't do this check, then they can just continue reaching out to /me or whatever, grab the email down from /me, and then just auth that user in.

Joel Margolis (teknogeek) (09:44.074)
Yeah. Which is so weird because you'd think that from the, like, from the backend side, they would basically just check if you're authorized to be making calls with a token for another app, and, but I guess there's no delineation.

Justin Gardner (@rhynorater) (09:55.574)
Well, but see, here's the thing. That's the auth token, though. That's what I thought, too, when I was thinking, because when you swap the code, normally, you would be using your server secret, plus the code, to get the token. But in this scenario, you're actually just giving the server side the token, and that's the token that they use to contact Facebook on your behalf.

Joel Margolis (teknogeek) (10:14.102)
Which is a really sus like setup, honestly.

Justin Gardner (@rhynorater) (10:17.087)
It is a little sus, but I think it's a really cool bug that they understood OAuth well enough to piece all this together. So this allows you to do account takeover with the one caveat that you have to have that user be...

the user whose account you want to take over, they have to be a customer of your Facebook app so that you can generate a token for that user, right?

Joel Margolis (teknogeek) (10:47.679)
Okay.

Justin Gardner (@rhynorater) (10:49.01)
And so that is limiting, for sure. But let's say, you know, there are so many stupid Facebook apps, man, right? Like, you know, Facebook-adjacent things, right? And how easy would it be to go pop those and then use those to sign into something like Grammarly, which is, you know, one of the ones that was vulnerable to this attack. So...

Joel Margolis (teknogeek) (10:50.67)
Kind of limiting.

Joel Margolis (teknogeek) (11:01.634)
Yep. That's true.

Mm-hmm.

Justin Gardner (@rhynorater) (11:11.538)
Really, really cool bug here with a technique that I hadn't seen before, and definitely going to be keeping an eye out for this in the future.

Joel Margolis (teknogeek) (11:18.986)
Yeah, I mean, I know Grammarly has a 100k bounty for what is it? It has to be zero click though, right?

Justin Gardner (@rhynorater) (11:25.846)
Yeah, it has to be zero click, man. They were so close.

Joel Margolis (teknogeek) (11:29.406)
I have heard a lot of cases where people have been like one click or like basically like you click on a link or like you load a link or something and like kind of zero click but nothing's ever qualified as far as I know.

Justin Gardner (@rhynorater) (11:42.731)
Yeah.

Yeah, man, this one was super close. You know, like this is, for me, for me, this is like, I think this would land on the user interaction not required side of, you know, if I had to pick between not required or required, I would actually put this in not required, personally. You can make an argument for attack complexity high, for sure, but I wouldn't put this as user interaction required.

Joel Margolis (teknogeek) (12:09.674)
Yeah, I would agree because the attack complexity is really that they have to, for one, you have to basically pop an app that they already have authorized, which may or may not be difficult depending on what they sign in with, but there is definitely some extra interaction they're required to... Whether it's directly, I think user interaction, I would usually count as part of the bug. It has to be that the user has to interact. They don't have to interact for this to be exploited, but they have to have done something else for it to be exploitable.

Justin Gardner (@rhynorater) (12:18.283)
Yeah.

Justin Gardner (@rhynorater) (12:31.661)
Yeah.

Justin Gardner (@rhynorater) (12:35.894)
Hmm. Dude, speaking of that, should we talk about this crazy drama that's going on right now with the HackerOne hacktivity thing where that guy got robbed based off of a CVSS? Did you see that? It's not in the doc.

Joel Margolis (teknogeek) (12:55.279)
I saw a bunch of chatter about it and being like, this is not how this should have been handled and all that kind of stuff, but I didn't actually read the report.

Justin Gardner (@rhynorater) (12:58.794)
Alright dude, I'm gonna, I'm gonna...

Justin Gardner (@rhynorater) (13:04.375)
I just DM'd it to you on Discord. Let's take a pause from our normal programming. Yeah.

Joel Margolis (teknogeek) (13:11.094)
Bebix, I know Bebix, which is funny because Bebix actually replied to this last tweet that we were just talking about.

Justin Gardner (@rhynorater) (13:17.246)
Yeah, so yeah, this is a pretty interesting situation. And at the end of the day, like you can't, is this, this is the one with Bevex, right? Yeah, yeah, I see it right here, okay. At the end of the day, people make mistakes.

and stuff, right? And I fully expect that HackerOne will fix this mistake, personally. It hasn't happened yet, but I fully expect they will. This user reported they were doing something cool, right? Which I've talked about in the pod before, which is monitoring the JS files of an application for changes, right? And they noticed that a new Google Doc link appeared, right? And when they went to that Google Doc link, they found that the attacker has the ability to edit anything and see some confidential data about other users.

emails and survey responses and stuff like this, right? So it's a pretty decent leak. And then check out this comment halfway down by, yeah, ChrisZoe111.

Joel Margolis (teknogeek) (14:09.102)
Mm-hmm.

Joel Margolis (teknogeek) (14:16.462)
I can see this. Yeah. They recategorized it saying that the attack complexity was high because the attacker is monitoring the code base and the associated Google form had to be published to the code base by internal staff.

Justin Gardner (@rhynorater) (14:26.314)
Oof. Yeah. Yep. That is, that, yep.

Joel Margolis (teknogeek) (14:30.858)
Wrong, but okay. User interaction required: a staff member owns the form, configured permissions, which led to being able to access the confidential data when in possession of the link. Okay. Here's what I'm gonna say. I understand where he's coming from. I'm sorry, you're wrong. The user interaction and the attack complexity does not matter

Justin Gardner (@rhynorater) (14:44.806)
How does that, yeah. So.

Justin Gardner (@rhynorater) (14:53.937)
Yeah.

Joel Margolis (teknogeek) (14:59.03)
when you're the one who created the vulnerability. The attack complexity is not that you created a vulnerability, it's how hard is it to exploit.

Justin Gardner (@rhynorater) (15:01.431)
Yeah.

Justin Gardner (@rhynorater) (15:06.054)
Exactly. So these sort of things, they happen. They happen to, you know, triagers working at HackerOne, they happen on the program level. If this doesn't get fixed, I'm gonna holler more, you know, but...

If they wanted to, if they didn't want to pay out higher than this, they could say that it was, you know, confidentiality low, right, rather than high. I would say that it is high, personally, but I would say, you know, you could say confidentiality low and that would drop the impact. But attack complexity high, user interaction required, not a chance for this one.

Joel Margolis (teknogeek) (15:42.174)
Yeah, no, I totally agree. That's pretty interesting. I'll be interested to see if they decide to reevaluate that. Hopefully they do. I think it deserves a reevaluation. I think it's kind of, I mean, if nothing else, I don't think it aligns with how they've handled things in the past and how they view severity as a whole. So.

Justin Gardner (@rhynorater) (16:04.576)
Yeah.

Joel Margolis (teknogeek) (16:08.214)
We'll see. We'll see what happens. It looks like it was disclosed four days ago. So the storm is still building.

Justin Gardner (@rhynorater) (16:11.896)
Yeah.

And it was over the weekend a little bit too. So, and I've reached out to HackerOne, whenever this sort of thing happens, I'll reach out and be like, hey, justify, you're getting roasted on Twitter here. But hopefully we'll see a change here. And to the person that made a mistake on this one, happens, we just gotta make it right. There's no ill will here, at least from the critical thinking side. We understand that these sort of mistakes happen, but when they do happen,

Joel Margolis (teknogeek) (16:25.61)
Yeah, yeah.

Justin Gardner (@rhynorater) (16:43.604)
Resolved. This report actually, I guess, was submitted on September 25th. So it's been over a month in this state. If I was, you know, I don't know how to pronounce this person, Bevitt...

Joel Margolis (teknogeek) (16:56.59)
Thanks for watching.

Justin Gardner (@rhynorater) (16:57.306)
Bebics? See man, I don't know why, when it's not a word, I just have such a hard time pronouncing it. Yeah. Well, you know, if I were Bebics, I'd be pretty salty at this point. But it seems like they've been taking it in stride, and even asking to disclose the report. So we'll see if the community gets their voice heard on this one.

Joel Margolis (teknogeek) (17:16.298)
Yeah, absolutely. And based on some discussions in the Hacker Success manager, the server on Discord, it looks like this was brought up by some other hackers who said, hey, you know, this isn't really my business, but I don't think this is right. And somebody from H1 followed up and said, hey, just so you know, we're aware and we're talking about this internally. So it's awesome to see some swift action on it.

Justin Gardner (@rhynorater) (17:24.287)
Yeah, yeah.

Justin Gardner (@rhynorater) (17:31.083)
Yeah. Yep.

Justin Gardner (@rhynorater) (17:40.418)
That's good.

Joel Margolis (teknogeek) (17:42.878)
I hope it wasn't that it had to be disclosed to get to that point. It doesn't, based on the report, context within the report, it doesn't seem like there was any pushback or mediation or anything like that. Just seems like Bevix was like, thanks for the bounty. I would like this disclosed so I can have it at my flex sheet or whatever, my brag sheet. And then other people saw it and were like, hey, hang on a second, that's not right. So yeah, absolutely. So cool.

Justin Gardner (@rhynorater) (18:01.17)
Yeah, right. Yeah, it's a great bug.

You should be flexing harder. Those muscles should be bigger, you know? Yeah, have we talked, so you mentioned the HSM, you know, chat on here. Have we talked about that concept before on the pod? I don't remember.

Joel Margolis (teknogeek) (18:21.774)
I don't know if we have, I don't think it's anything like secret for what it's worth.

Justin Gardner (@rhynorater) (18:25.438)
Yeah, no, there's a blog, I just pulled it up right now on it. So the Hacker Success Manager program, or I guess the Hacker Success program, is something that HackerOne sort of launched, was it 2022, I think, probably? Yeah, maybe 2021. But essentially, I'm not sure what the requirements are to enter the program, but...

Joel Margolis (teknogeek) (18:40.424)
Yeah, a couple years ago.

Justin Gardner (@rhynorater) (18:52.614)
There's a couple hundred, maybe three, 400 hackers that have Hacker Success Managers, and essentially it's a person that works at HackerOne. I'm Team Steve, freaking love Steve. And they're a point of contact for the top hackers at HackerOne to have a conversation with them, and just kind of have the voice heard, have a point of contact for any issues that could pop up, help setting goals for what kind of,

Joel Margolis (teknogeek) (19:03.842)
Same.

Justin Gardner (@rhynorater) (19:21.988)
you want to get or what kind of stats you want to do in a given year. And I've had a really good experience with that program. It's increased my ability to deal with issues faster on the platform. It's increased my ability to stay goal-oriented and focused on the platform. So big fan of that program. I'm not sure if Bugcrowd and Intigriti are running similar programs, but I would hope that they are.

Joel Margolis (teknogeek) (19:44.362)
Yeah, absolutely. Yeah, I have the same HSM. Steve, he's awesome. And yeah, nothing but good things to say about it. Honestly, I wish it were more easily scalable, is the only thing. Like, I don't even see a potential solution there where you could scale it better and keep the effectiveness of it. It's really just one of those things where, you know, they really value the top hackers and it shows, especially through the HSM program. I think it's

Justin Gardner (@rhynorater) (19:47.405)
Yeah.

Justin Gardner (@rhynorater) (19:57.355)
Yeah.

Justin Gardner (@rhynorater) (20:01.528)
Yeah.

Justin Gardner (@rhynorater) (20:10.294)
Yeah.

Joel Margolis (teknogeek) (20:13.854)
amazing that like if I have a problem with something, I can always just like reach out to a person and they, you know, not just like sending a ticket into the void or having to do mediation or something. I have an actual human that I can talk to about it and get candid, you know, feedback or, you know, if I am wrong on this or whatever, you know, Steve has no problem telling me that so.

Justin Gardner (@rhynorater) (20:18.763)
Yeah.

Justin Gardner (@rhynorater) (20:32.555)
Yeah.

Yeah, Steve definitely does not have any problem telling you that. I definitely have, you know, I don't know. The thing about Steve too is he's such a great guy, you know, like, and so I'll call him and I'll be like, man, I'm just like really frustrated about this specific vulnerability and you know, all of this stuff is like semi-confidential stuff, right? So, you know, you can't be, you know, talking about all of the details, but it's good to be able to talk to Steve and be like, I'm really frustrated with this. He's like, Justin, take a breath, man. Like we're going to get it fixed.

out, we're gonna work on it, it's gonna get resolved. And so I don't have to send these angry messages to the teams, because it's an emotional process sometimes when you put in so much hard work to find a vulnerability, you found something you're really proud of, and then sometimes programs don't see its worth. So it's definitely improved my quality of experience with HackerOne since I've been on the HSM in that program.

Joel Margolis (teknogeek) (21:16.107)
Yeah.

Joel Margolis (teknogeek) (21:32.886)
Yeah, absolutely. It reminds me of the type of communications that you get to have at live hacking events, where if you have a problem, you can talk to a triager or a HackerOne employee or something, and just that level of transparency and willingness to communicate and stuff is really, really nice to see. So anyways, we got very sidetracked there. I wanted to bring this up because it was in the sheet and we were just talking about Facebook.

Justin Gardner (@rhynorater) (21:50.258)
It is indeed. Yeah, let's get back to the news section.

Justin Gardner (@rhynorater) (21:59.5)
Mm. Yeah.

Joel Margolis (teknogeek) (22:01.474)
blogging stuff. There was this thread, Jayesh Madnani, I think is the name, Jayesh25. Yeah, Jayesh25_ on Twitter or X or whatever. He's been doing a bunch of different Twitter threads recently, which is nice to see, lots of good tips and stuff in there. And one that particularly popped off was this one talking about an ATO through Facebook login. So essentially, he

Justin Gardner (@rhynorater) (22:05.602)
You're so much better at pronouncing names than me. Yeah, that's it, yeah.

Justin Gardner (@rhynorater) (22:13.407)
Yeah.

Justin Gardner (@rhynorater) (22:17.846)
Yeah.

Joel Margolis (teknogeek) (22:29.258)
found this weird mechanism where if you log in with Facebook, one of the things that you can choose is to not share your email from your Facebook profile. So if you log in with Facebook, you can log in without Facebook telling the service what your email address is. When you do that, the service would then ask, what is your email? You know, new account or whatever, give us your email. So you put in a victim email and it would send an email confirmation link to the victim email.

Justin Gardner (@rhynorater) (22:40.962)
Mmm.

Joel Margolis (teknogeek) (22:59.318)
Then, if you log in a second time with the same Facebook account, and you do share your email, what ends up happening is that it ties the account on the service to your Facebook account, but this time, if you share your own email that's linked to your Facebook account, it just sends the same email activation link to the new email. And so, instead of like you filling in your email or whatever, you basically just say, you know, this is my email from Facebook this time.

Justin Gardner (@rhynorater) (23:21.943)
Ah!

Joel Margolis (teknogeek) (23:28.766)
It sends the same link to the new email and then you can, you know, log in as the victim. Well, I think you actually, he repeated the steps again. Yeah. So you redirect it back to the victim email. You use the old link that you got to then verify the account, and now you have access to a victim account. And he said he got 16K for, uh, for that account takeover, which is really, really hilarious. I thought it was even funnier because Tanner, uh, Cache Money...

Justin Gardner (@rhynorater) (23:34.474)
Oh, so then you go back and resend it to the victim, right? Ah.

Justin Gardner (@rhynorater) (23:50.294)
Wow.

Dude.

Joel Margolis (teknogeek) (23:59.054)
He retweeted this tweet and he, you know, understandably, he retweeted this tweet and was like, oh, it finally happened. And attached to the tweet was this bug bounty tip from Intigriti from 2019. Okay, so this is four years ago, more than four years ago, August 2019. And it's a picture

Justin Gardner (@rhynorater) (23:59.086)
Cache Money! Sorry, had to.

Justin Gardner (@rhynorater) (24:13.77)
Dude, what the heck?

Justin Gardner (@rhynorater) (24:18.575)
Oh my gosh, dude.

Joel Margolis (teknogeek) (24:22.934)
that says, signing up with Facebook, remove the email scope from the OAuth prompt and see what happens. @itscachemoney. So it's really hilarious that, you know, that four-year-old tweet or tip or whatever was basically the same exact thing that was happening here. And sure enough, it led to a nice big bounty.

Justin Gardner (@rhynorater) (24:30.126)
Dude.

Justin Gardner (@rhynorater) (24:42.278)
That's sick, man. You know, we've got some content coming out soon on authentication related stuff, and we're gonna talk about that a little bit later today. But Tanner is like the king of that stuff, man. Every time I talk to Tanner about auth flows or weird shit, like race conditions in the auth, he always has some crazy bug. And this is such an...

great example of thinking outside of the box in those scenarios. The whole point of contacting Facebook in the first place is to share the email. What happens if I just don't share the email? That's such an edge case that I wouldn't even...

Joel Margolis (teknogeek) (25:15.03)
Yeah. I love that functionality exists. It just throws a wrench into everything. It's so awesome.

Justin Gardner (@rhynorater) (25:20.106)
Yeah, no, it's great. And he definitely called this shot. And good on Jayesh for either remembering what Tanner said or thinking of it himself in trying this complex flow. Because I feel like if I had done this and then it said provide an email, and I was like, okay, and it sent a link, I'd be like, this is probably just like the normal email validation flow. But then he, you know.

continues to press deeper and he says, all right, well, what if I, you know, don't complete this whole flow, go back, try it again. Is that the same email? You know, and boom, it is, you know, it's the same code in the email. So what a, what a, what a baller, and you know, it's a 16K bounty too. So that, that is like, you know, you know, he found that on a high end program.

Joel Margolis (teknogeek) (26:03.318)
Yeah, and he said it was an old report. What did he say? I think he said, cause Tanner replied to it and was like, hey, congrats. And he said, thanks. It's an old finding, just sharing some tips and tricks with the community. So 16K on an old finding, either they were already a high paying program or that was a crazy bounty for whoever it was. So that's a super cool write up and a super simple concept. So I'm gonna put that in my little.

Justin Gardner (@rhynorater) (26:24.875)
Yeah.

Joel Margolis (teknogeek) (26:32.367)
shovel that into my little notebook of tips to try out when I run testing. Yeah, yeah, yeah. I'm like a restaurant worker.

Justin Gardner (@rhynorater) (26:36.679)
You're just gonna shove it into the notebook of tips? Is that what you're gonna do? Solid, all right. All right, oh yeah, okay, I see that. Now I'm starting to see the imagery. Whew, man, for those of you that are watching on YouTube rather than listening, I've got a little bit of a cough right now and I just like.

I was on mute during that last rant, Joel was on there, so sorry about that for any of you on YouTube. But yeah, with that, let's move to the last news item that we wanted to talk about, which is.

a write-up from Canva, actually, from the security team at Canva, talking about when URL parsers disagree. So we're going to talk about this a little bit more later today too, but I read this write-up and I was like, man, this is such a cool thing. I love it when this... So let me get a little bit more conceptual here. One of the things we talk about all the time on this podcast...

is trying to seed attack vectors, right? Trying to seed ideas in your brain of what kind of vulnerabilities are possible and what kind of things you can try when you're attacking these applications, right? And once these ideas, excuse me, once these ideas get into your head,

when you're looking at applications, you have the opportunity or not to go and try them. And the people that do try them, and they go through the effort to, you know, learn whatever additional details they need.

Justin Gardner (@rhynorater) (28:18.966)
Those are the people that are gonna go far and that are gonna find a lot of crazy bugs, okay? So it's just, it's a little bit of a rant. People have been asking me lately, how do we find high impact bugs? You gotta try high impact attack vectors, okay? So rant over, let's talk about the actual technical details of this one. We've spent a lot of time on the news section, so I'm not gonna go too deep into this one, but the TLDR of this writeup is that

There is a disagreement, as the title says, between two URL parsers in use in the specific application. And the disagreement occurs when parsing a file URL, and the disagreement happens over the role of the question mark character.

So, yeah, as we know from URLs, the question mark normally delineates the start of the query, right? And is no longer a part of the path. Well, one of the parsers in question did not respect that, right? It said, hey, the query parameter.

Or the question mark is just another character in the path because it's a file scheme rather than an actual, rather than like an HTTP scheme or something like this, right? So because it's a file scheme, yeah.

Joel Margolis (teknogeek) (29:37.902)
Okay. Which I would technically say is more accurate.

Like I'm not sure if it should be the same. Like I think context is kind of appropriate here, where like if it is a file scheme, then like technically the only thing there should be a path. So like query parameters and stuff shouldn't, it should never like be part of that. Like if you're just generically parsing a scheme, then like, okay, I can see why you might, I'd almost say mistakenly parse it that way, but context is kind of important.

Justin Gardner (@rhynorater) (29:48.907)
Yeah.

Justin Gardner (@rhynorater) (30:00.503)
Yeah.

Justin Gardner (@rhynorater) (30:07.511)
Yeah.

Justin Gardner (@rhynorater) (30:11.602)
It is, it is, and you're actually, I didn't have that in my notes, but you're right, dude, actually, you know, I can go in here in my Linux file system, create a file with a question mark in it, right? I'm not sure if you can do that on Windows or not, but so in that scenario, the question mark should be respected as a actual valid character, right? And so...

Joel Margolis (teknogeek) (30:22.604)
Yeah.

Justin Gardner (@rhynorater) (30:36.918)
But one of the parsers in this situation was mistakenly using the question mark and actually truncating the path, right? So when a malicious, or when the checks were occurring of a certain URL to say, hey, is this, you know, trying to path traverse out, it would, you know, they just had one dot and then the question mark and it says, nope, this is just referring to the current directory, we're truncating everything after the question mark, all good here. And then after that, after that question mark,

a series of path traversals that would go back up and hit, you know, etc password or whatever and include it in the SVG file.

And that's because the second parser was looking at that question mark not as a truncating character, as something that will end the path, but actually as a part of the path, and then allowing that part of the path to be deleted by a path traversal sequence to go back out and grab that file from, you know, another directory. So yeah, it's such a great, it's such a great attack vector here. Whenever you're dealing with file URLs, this can definitely be something to check and something that's gonna be on my list for sure. Or what did you say before?

this take this tip and stick it in my tip book.

Joel Margolis (teknogeek) (31:44.866)
But this is, put it in my tips folder. Yeah. This is reminding me, I don't know why, but this reminded me of a story. And honestly, I was trying to find a source for this. I don't know if this is true, but I can't remember where I heard it either. But allegedly, it goes that the creator, do you know what glob is? Like in Linux, like the concept that you can do like star and like star, slash, and that kind of stuff. And it basically does like matching of files.

Justin Gardner (@rhynorater) (31:49.294)
cat.

Justin Gardner (@rhynorater) (32:04.782)
Bob?

Justin Gardner (@rhynorater) (32:09.69)
Oh yeah, yeah. Yeah. Yup.

Joel Margolis (teknogeek) (32:14.21)
So that whole system is called glob. And the guy who created it, yeah, it's like glob or globbing basically. So the guy who created that, initially when he created it, he called it like asterisk, like star.c. And after he finished writing it, he was like, you know, he was trying to test it. And he was like, you know, rm star.c, and it deleted the actual.

Justin Gardner (@rhynorater) (32:16.326)
Oh, interesting. I didn't know the technical term for that.

Justin Gardner (@rhynorater) (32:21.666)
Yeah.

Justin Gardner (@rhynorater) (32:35.12)
Oh no.

Joel Margolis (teknogeek) (32:42.586)
star dot C file instead of like all the files that ended dot C. And so it deleted the source code and he had to rewrite the entire thing from memory.

Justin Gardner (@rhynorater) (32:45.546)
Oh no, dude, like what the heck? Yeah, well, oh gosh dude, that's terrible. What a terrible idea to name it, Stardots. He deserved that, you know, for sure. But I know there are some, you know, there are some weird files, right, where like.

Joel Margolis (teknogeek) (32:58.702)
Ha ha ha ha.

Justin Gardner (@rhynorater) (33:05.322)
I think this is like a TryHackMe or like some, you know, this is really reaching far back in the, to my CTF days when I was in college, but there was some, you know, trivial little thing, was like, okay, this, this file has a bunch of like weird characters in it. And like, if you try to delete it, just using like tab completion, it's like deletes everything, you know, or like does a bunch of crazy stuff and you can't remove this file. So there's definitely some weird stuff with Linux like that where you've got to like add two dashes.

Joel Margolis (teknogeek) (33:11.851)
Yeah, yeah.

Joel Margolis (teknogeek) (33:25.986)
Wow.

Justin Gardner (@rhynorater) (33:35.056)
You know, it's like rm dash r, or, rm dash and then the file name will like prevent it from having other flags in the name or something like that. Pretty weird stuff, yeah. Dude, we're too, you know, it hasn't been just me and you in a while, so, you know, we're just, we're shaking off the dust, we're going down our little tangents. Yeah.

Joel Margolis (teknogeek) (33:44.482)
Yeah, yeah, super crazy. Anyways, another little tangent there, but I know, I'm sorry.

Joel Margolis (teknogeek) (33:56.791)
All right. You want to jump into the main content of URL structures here?

Justin Gardner (@rhynorater) (34:02.694)
I do, I do. Throat is giving me a little problems here, but we'll push through it. Okay, so today's topic, a little bit past the new section, is on URL structuring and then a bunch of other cool shit. This one's, not gonna lie, this one's a little bit scattered, so we'll see where we land. But this episode was sort of...

inspired by a conversation that I had at a live hacking event where one of the people at the live hacking event had found an open redirect and was challenging another person in this open redirect resulted in an account takeover and was challenging another person at the live hacking event to see if they could split it as well. Excuse me. Yeah, I think you were there.

Joel Margolis (teknogeek) (34:55.806)
I recall this happening. I was watching this happen in real time. Yeah.

Justin Gardner (@rhynorater) (34:59.946)
Yeah, and so it made me realize that not everyone is familiar with all the different parts of the URL. And so I kind of have this little graph here that we'll put up on the screen. And it's missing one piece, which is the path parameters, but this is a pretty good breakdown of all the different parts of a URL. Yeah. Sorry, my throat is killing me. I'm gonna have to grab a water for a second. You wanna pause or?

Joel Margolis (teknogeek) (35:27.866)
Yeah, we can buzz. Yeah.

Justin Gardner (@rhynorater) (35:28.607)
Okay, I'll be right back.

Justin Gardner (@rhynorater) (35:39.022)
Jeez, man.

Joel Margolis (teknogeek) (35:40.482)
Yeah, you look rough.

Justin Gardner (@rhynorater) (35:42.71)
Cough cough

Justin Gardner (@rhynorater) (35:48.402)
It's like, it's like, um... Yeah.

It's like I'm at that stage of COVID where I feel totally fine, you know, but if it like triggers this little tickle, then you're just like totally screwed. So I need to grab water. I'll be right back.

Joel Margolis (teknogeek) (36:03.987)
Yeah.

Justin Gardner (@rhynorater) (36:55.018)
Cough cough

Justin Gardner (@rhynorater) (37:02.018)
cough

Joel Margolis (teknogeek) (37:08.482)
Damn, homie.

Justin Gardner (@rhynorater) (37:09.226)
Cough cough

Justin Gardner (@rhynorater) (37:22.862)
cheese dude. One more episode, we'll be done for a while.

Joel Margolis (teknogeek) (37:26.846)
Yeah, yeah, yeah. Yeah, it's a lot of talking for a rough throat.

Justin Gardner (@rhynorater) (37:33.483)
Yeah it is.

Justin Gardner (@rhynorater) (37:42.978)
I'm gonna give my eyes a second to settle cause they're looking kinda red. If you, if you, can you see it or no? Okay. Well maybe it's not a big deal. But.

Justin Gardner (@rhynorater) (38:02.09)
Alrighty, we back. I got some water, feeling better now. So let's talk about this URL structure. You know, at times like this, man, I'm really grateful for the casualness of podcasts. You know, like we don't have to like, you know, take another cut or anything like that. We can just keep rolling. I love it. All right, so Joel, look at this graph. Look at this graph. Are you, are you?

Joel Margolis (teknogeek) (38:20.043)
Absolutely.

Joel Margolis (teknogeek) (38:26.006)
I'm trying to and I...

Justin Gardner (@rhynorater) (38:29.294)
Is this okay? So I thought that this was like a pretty, a thing that most people were super familiar with. Would you say that you are super familiar with every single one of these or no?

Joel Margolis (teknogeek) (38:38.318)
I definitely know what all of these are and what they're called. I'm confused at how to read this graph. But yes, I knew about every single part of this.

Justin Gardner (@rhynorater) (38:42.016)
Okay.

Justin Gardner (@rhynorater) (38:46.858)
Okay, so for those of you listening, the average URL has one, two, three, four, five, six, seven, eight, I would say nine parts, okay? So the first part at the very left-hand side is the scheme, right? Okay, this is going to be your HTTP, HTTPS sort of thing, right?

This could be file, this could be, you know, FTP, could be all sorts of things. There's a great resource called the SSRF Bible that was floating around years ago that would talk about if you have an SSRF, here are some cool things you can do with alternative schemes like FTP and Gopher and that sort of thing. So the scheme is really important, okay? But most people know about the scheme. Most people don't know about the next part, apparently.

which is the username and password fields, which you can put in the URL. But you were familiar with this, Joel.

Joel Margolis (teknogeek) (39:41.802)
Yeah, I mean, these are, a username and password is something that I use like, all the time if it's like an open redirect bypass because usually there's like a starts with or ends with or maybe they're parsing it incorrectly. I mean, this happens on Android too, where there's like different bypasses depending on how it's formatted, if they're special characters or if it's, you know, yeah.

Justin Gardner (@rhynorater) (39:47.762)
Yeah. Exactly.

Justin Gardner (@rhynorater) (40:02.566)
Oh really? In like a deep link scheme?

Joel Margolis (teknogeek) (40:09.15)
Yeah, I mean just with like the default URI.parse, there's a great report, like self-disclosure report or whatever from bagipro called, yeah, the golden techniques for bypassing URL parsing. And he talks a little bit about that. And there's some very big nuance between like android.net.Uri and java.net.URI. I think they're the two classes. But yeah, definitely go check that out. We'll put a link down below.

Justin Gardner (@rhynorater) (40:17.863)
Oh yeah, by bagipro, right?

Justin Gardner (@rhynorater) (40:23.048)
Nice, yeah I remember that.

Justin Gardner (@rhynorater) (40:34.29)
Yeah, definitely drop that in the doc. We want to get that on the description. But the next thing that comes in a possible URL is the user and pass field. So the user is, you can type anything after the colon slash slash, right? So scheme colon slash slash. Then you've got user colon password.

Now I think that this is sort of like a... or, and when I say at I mean the at sign, right? So this is sort of a legacy thing, sort of left over, I believe, from when they used to specify basic auth this way, so you could actually craft really...

Joel Margolis (teknogeek) (41:10.858)
Yep, and actually a lot of stuff still does this. Yeah, yeah, so if you go to a website and you get a Realm response, like it'll say like Realm, what's the specific verbiage? I actually stumbled on one of these. Bearer Realm equals or whatever. It'll basically pop up a box on your, it looks like an alert box and it has a username and a password. Yeah, no, that's.

Justin Gardner (@rhynorater) (41:16.575)
Huh.

Justin Gardner (@rhynorater) (41:25.066)
Yeah.

Justin Gardner (@rhynorater) (41:30.518)
No, but it doesn't use this though. It uses Basic Auth, doesn't it? It creates an authorization header with Basic and then it has a B64 encoded username and password in that, doesn't it?

Joel Margolis (teknogeek) (41:41.866)
Yep. Yeah, but it's equivalent.

Justin Gardner (@rhynorater) (41:44.202)
Yeah, yeah, it absolutely is equivalent, that's true. And it'd be really cool if you could kind of smuggle these sort of things in there. Like for example, if you could have someone click a link and force their browser to do authorization with basic, but I believe it's been disabled in all modern browsers. But you can fact check me on that while I'm explaining this next section, Joel, if you would.

Joel Margolis (teknogeek) (41:52.622)
I think you can.

Justin Gardner (@rhynorater) (42:13.034)
Yeah, so the main reason I want to mention this is this user and pass section is super helpful for bypassing restrictions on a domain, right? Because for example, because you can go HTTP colon slash Google dot com. Right. And then put the at sign.

and it gets parsed differently at test.com. And that URL is gonna go to test.com. And you could say, all right, you could just prepend it to a, in a subdomain of test.com, and sure, you could do that. But there are a lot of scenarios where, if it treats this user and, what the URL parsing library will treat this username and password field differently. And then a subdomain attached to the domain.

even seen them treat the username and password field differently from each other, even though they're separate entities that are a part of that same prior-to-the-at-symbol structure that comes in the URL. So very important for us to be aware of the existence of this user and password thing if you're looking to bypass any sort of open redirect restrictions.

Joel Margolis (teknogeek) (43:29.198)
Okay, so I've done a little reading and from what I can tell, I'm on a Stack Overflow post from 2011 or 2012. And basically it starts out, the original answer says that yes, you can indeed put username, colon, password at host.com and it will send those credentials in a standard authorization header. Then if you look through the comments, people say, oh, this functionality doesn't work anymore and they linked to a ticket from 2011.

Justin Gardner (@rhynorater) (43:40.603)
What the heck bro?

Justin Gardner (@rhynorater) (43:45.64)
Mm-mm.

Joel Margolis (teknogeek) (43:56.722)
on a chromium like bug ticket that's like, oh, this doesn't work anymore. Okay, a couple comments down. Oh, actually this does work. It's just IE where this doesn't work. Oh, this doesn't work. As of 2019, it works in Chrome, doesn't work in Safari. May 2020, doesn't work in Firefox, Chrome or Safari. November 2022, doesn't work in Chrome, works in Curl and Postman. May of this year, works in Chromium. So I don't actually know.

Justin Gardner (@rhynorater) (44:13.59)
Dang it.

Justin Gardner (@rhynorater) (44:23.21)
What? Are you kidding me?

Joel Margolis (teknogeek) (44:26.714)
Um, I can't seem to find a solid answer and I'm not getting enough info just by requesting it in, in my URL.

Justin Gardner (@rhynorater) (44:33.57)
Works in Chromium? Well then it should work in Chrome, right? test at test.com

Joel Margolis (teknogeek) (44:38.994)
I mean, you know, maybe it's something that maybe it's like a dev only feature or something. But yeah, I was almost certain that you could put username, colon, password, and it would rewrite the URL to put it in an auth header because that allows you to visit sites that would require realm auth. Normally, normally you can just rewrite it. Yeah, I thought I was pretty sure this was the thing. So we might have to test this or maybe if somebody from the audience.

Justin Gardner (@rhynorater) (44:56.522)
Like it was a legacy thing?

Justin Gardner (@rhynorater) (45:07.03)
Yeah, no, I tried it in Chromium, or not Chromium, in Chrome, and it doesn't work in Chrome, as far as I can tell, just from looking at the inspector real quick. Would be very interested to know if that was the case, because it would be really interesting if you could have someone go to a link, auth them into the link.

Joel Margolis (teknogeek) (45:07.326)
knows or wants to test it.

Justin Gardner (@rhynorater) (45:29.222)
Let's say you have an API that's doing authorization via, that isn't looking to see whether the.

They laugh, we're grasping now, I think, but let's say they're not looking at whether it says authorization bearer or authorization basic, right? And then it just takes the token afterward and parses it. You could actually potentially smuggle that in via the URL if it's a base64 encoded token. Let's say it's like a JWT or something like that, right? You might be able to actually smuggle that in there and force the victim to auth as you. And sometimes API requests have like, you know, cookies that they will set on the response

Maybe you could trigger an XSS if the response content type is not specified or whether it's text to HTML or something. So there's a lot of exploitation scenarios there that could be reached if this was actually working. Very interesting that it says it's working in Chromium though.

Joel Margolis (teknogeek) (46:27.534)
Okay, so more info. Mozilla docs say under HTTP authentication, at the very, very bottom it says, access using credentials in the URL. Many clients allow you to avoid the login prompt by using an encoded URL containing the username and password like this, username colon password at www.example.com. The use of these URLs is deprecated. In Chrome, the username colon password at part of a URL

Justin Gardner (@rhynorater) (46:33.07)
This is live research here on critical thinking. Let's go.

Justin Gardner (@rhynorater) (46:47.457)
Yeah.

Justin Gardner (@rhynorater) (46:51.755)
Yes, sir.

Joel Margolis (teknogeek) (46:56.186)
is even stripped out for security reasons, and they actually link to that same Chrome bug from 2011. And it says, in Firefox, it is checked if the site actually requires authentication, and if not, Firefox will warn the user with a prompt saying you're about to log into the site whatever with username whatever, but it doesn't require authentication. They may be trying to trick you. So that's really interesting. I'm gonna send you a link to this, and we'll put a link to this in the docs, or down below on the...

Justin Gardner (@rhynorater) (47:00.93)
Do they really?

Justin Gardner (@rhynorater) (47:16.883)
Interesting.

Joel Margolis (teknogeek) (47:26.506)
in the notes as well, but yeah, super interesting.

Justin Gardner (@rhynorater) (47:27.17)
Yeah, this is really, I wonder if it's, yeah. Firefox is doing something weird with it, so I wonder how they check, yeah.

Joel Margolis (teknogeek) (47:34.838)
But that being said, I don't know about Safari. I don't know about IE slash edge.

Justin Gardner (@rhynorater) (47:39.634)
or any of these other edge browsers, I say edge browsers, all of these browsers that are on the periphery of the primary browser scene that use Chromium as a base.

Joel Margolis (teknogeek) (47:49.63)
Yeah. And let's I mean, let's not forget, right? Safari and Edge together make up 25% of the browser market. So it's pretty significant if, you know, they're vulnerable to this and they're not following the same standards as Chrome, which I think historically they haven't been great. I think it might now. Yeah. Which then makes me wonder. Yeah. Yeah, absolutely.

Justin Gardner (@rhynorater) (48:06.922)
Yeah, Edge uses Chromium, right?

Justin Gardner (@rhynorater) (48:12.382)
Yeah, we should suss that after this episode. All right, well, we came here to teach and look, we are being taught. So moral of the story there, definitely some interesting stuff surrounding the username and password field in the URL. One quick tip that I will add here is that one of the most common bypasses that I see to domain validation here is when you add,

something to the URL, right? Add a username that contains a backslash, okay? So oftentimes that will be reflected. So you'll see something like HTTPS colon slash test.com backslash colon at victim.com, right? And that backslash will actually break the at.

Joel Margolis (teknogeek) (49:00.662)
Yep.

Justin Gardner (@rhynorater) (49:06.346)
the username and password field there, and will be actually rendered by the browser as test.com rather than example.com, or victim.com or whatever. So that is a very useful escape to sort of find open redirects or bypass URL validation in an application. Yeah, yeah.

Joel Margolis (teknogeek) (49:28.278)
Yeah, somebody just putting a backslash in there. Yeah.

Justin Gardner (@rhynorater) (49:32.842)
Very cool stuff there. Next section, everyone knows, it's the domain, the subdomain, the domain, that sort of part. And then there's one extra part after that, right Joel? One part that isn't always visible, and that is the port. No, no Joel, come on, look at the graph, man. Look at the graph. It's the port. It's the purple part, okay? So, so, so.

Joel Margolis (teknogeek) (49:46.967)
Fragment.

Joel Margolis (teknogeek) (49:54.698)
the port. Okay. Sure.

Justin Gardner (@rhynorater) (50:00.206)
So, so, after the domain you put a colon, right? And then you're able to specify a port. We see this all the time, you know, if you're trying to hit port 8080 or whatever, you got to go to localhost colon 8080 to specify the port you're trying to hit. Sometimes when you're trying to bypass, you know, URL validation, it is also helpful to inject illegal characters here because, you know, even just putting an a or something like that in there, and if it gets passed through...

happen here. So definitely check that out as well.

Joel Margolis (teknogeek) (50:33.558)
Yeah, another thing that's interesting that we've actually done in security interviews is TLDs. So something common, like a big mistake that you see all the time, is that whoever invented regex came up with the brilliant idea that the dot is a wild card character, which is amazing minus the fact that so much of internet infrastructure uses dots as a separator character. And so...

Justin Gardner (@rhynorater) (50:41.766)
Mmm. Ah yeah.

Justin Gardner (@rhynorater) (50:52.042)
Yeah, love that.

Joel Margolis (teknogeek) (51:02.25)
This often leads to bad regexes where they put a dot in, but they should have put a backslash dot for a literal dot, not just any character. And this leads to all sorts of different vulnerabilities and things that can pop up as a result of being able to manipulate either the TLD or the root domain or the root domain and the TLD or something to that effect to get it to parse incorrectly.

Justin Gardner (@rhynorater) (51:08.376)
Mmm.

Justin Gardner (@rhynorater) (51:26.428)
Mm.

Yeah, yeah, no, especially if you're hacking sites like...

you know, for, when I lived in Japan, you know, we're looking at some co.jp sites, right? So whatever.co.jp, right? You've got an extra dot in there that they don't always escape. And if you can, you know, inject a, um, for example, if they, they don't escape the dot that comes before co, whatever, whatever.jp is likely a valid domain, right? Because dot jp is also a, a valid domain. So, um, you know, there's lots of ways that you can kind of tweak that. You also see that for, uh,

Joel Margolis (teknogeek) (51:38.796)
Mm-hmm.

Joel Margolis (teknogeek) (51:55.416)
Yes.

Correct.

Joel Margolis (teknogeek) (52:04.65)
Yep. And .us as well. .us, but there's no .co.us, which is weird. It's one of those, like the country ones that, like, there's .co.uk and .uk and .co.jp and .jp, and I think there's a couple other that are like that, but then the US is just .us.

Justin Gardner (@rhynorater) (52:04.77)
with these sort of edge domains.

Justin Gardner (@rhynorater) (52:09.566)
Yeah.

Justin Gardner (@rhynorater) (52:14.687)
Yeah.

Justin Gardner (@rhynorater) (52:20.498)
Yeah, I don't know why. Maybe we just have .com? I don't know, is that a US, you know, is that originate from like a, yeah, I mean, you know, whatever. Merica. Ha ha ha. Ha ha.

Joel Margolis (teknogeek) (52:27.406)
Yeah. Hahaha. Sure, let's claim it man. Fuck it, right? It's ours now.

Joel Margolis (teknogeek) (52:33.674)
That's a peak American mentality.

Joel Margolis (teknogeek) (52:39.991)
I made this? Yeah, I made this. This is mine now.

Justin Gardner (@rhynorater) (52:41.466)
Dang it Joel, you're making me cough because you're making me laugh man. Um, alright, so...

The port section, definitely try to inject some stuff there. Then we get into the path, the query, and the fragment, which I think most people know about. You got the path, you're breaking down, slash, asset, slash JS, whatever, dot JS. And you got the query parameters, question mark, X equals one, and then you've got the fragment, the hash. The hash is not ever sent to the server side, so when you're interacting with server side things, sometimes you send the hash, and it truncates stuff,

This is a great way to truncate the right side of your injection if you're able to do an SSRF vulnerability where something is getting tacked on the end, right? Like a file extension or something like that.

Joel Margolis (teknogeek) (53:29.174)
Yep, it's basically like a comment in a URL, right? Like in the sense that it makes everything after it just not like do anything, right? Like kind of like SQL injection.

Justin Gardner (@rhynorater) (53:39.265)
Dude.

Justin Gardner (@rhynorater) (53:43.022)
Joel, I love this way of thinking that you have. It's like, this is a comment in the URL. No, dude, this is great. I mean, I'd never thought about it that way, man. I'm just...

Joel Margolis (teknogeek) (53:50.286)
It's...

Justin Gardner (@rhynorater) (53:54.254)
looking at you in awe when you say stuff like that. So yeah, it's like a comment for the URL, sure. And the browser is the only piece that's actually really supposed to be able to access that sort of thing. But if you send a fragment as a part of a request, say you send a raw get request, weird stuff can happen. Most of the time it's pulled out before it even reaches, before it's processed by the server.

So the last thing that I wanted to mention that is not actually present in this diagram that we have is this thing called the path parameter. You've seen these before, right?

Joel Margolis (teknogeek) (54:35.539)
Uh, yeah, yeah. Uh, Orange did a talk about this at DEF CON a couple years ago, right?

Justin Gardner (@rhynorater) (54:39.206)
Yeah, yeah. So the famous, you know, dot semicolon thing, that's utilizing this sort of path parameter notation. So, you know, let's say you've got a path. It's like...

whatever.com slash test and you put a semicolon, right? Then you can start adding parameters there. X equals one, you know, and those will, and I believe it's another semicolon delimiter. So semicolon X equals, you know, two or Y equals two. You can start adding parameters there. This is only parsed by some types of servers in some languages. Because of that, it can cause interoperability problems, right, which is what we saw

with Orange's dot-semicolon thing, because does that get parsed as a path that is dot semicolon, or does that get parsed as dot, the path traversal sequence, plus an empty, you know, path parameter string? So there's definitely some weird shit that happens there. It's important to know all of these different pieces of the URL, I think, so you can come up with weird attack vectors like Orange did.

Joel Margolis (teknogeek) (55:51.158)
Yeah, absolutely. And I love these talks. He's actually given two of them. I just realized I was confusing one with the other one, but he did two talks in 2017 and 2018, both about URL parsing, which just shows you the level that he goes to, which is always awesome to see. So we'll link both of those below. But definitely, if you haven't seen these or you haven't read them, or if you haven't read it in a while, read it, because it's...

Justin Gardner (@rhynorater) (55:55.778)
Mm.

Justin Gardner (@rhynorater) (55:59.224)
Mm.

Justin Gardner (@rhynorater) (56:09.313)
Yeah.

Justin Gardner (@rhynorater) (56:20.605)
Yeah.

Joel Margolis (teknogeek) (56:20.726)
You know, this is probably still a thing, you know, just like we talked about earlier with Tanner's tip from 2019, like these things, they persist. They don't just disappear because somebody made a poster or talk about it. They keep surfacing.

Justin Gardner (@rhynorater) (56:26.56)
Yeah.

Justin Gardner (@rhynorater) (56:34.859)
It's really cool to see people call stuff too. We recently recorded an episode with Franz, which I think will air after this episode. And he was calling stuff from way back there that's still hyper relevant, and I would say is still some of the peak parts of the industry. And so, yeah, definitely pay attention to these people that are dropping some research because...

Joel Margolis (teknogeek) (57:00.846)
This is why I have a tips folder, see? Ha.

Justin Gardner (@rhynorater) (57:02.346)
This is the, great, the tips, the notes.txt, the cat-everything-in-a-notes.txt thing, yeah. Exactly, exactly, all right. So cool, yeah, the last thing I really had on this list here was like, I was gonna ask you actually about how this looks for...

Joel Margolis (teknogeek) (57:09.002)
Exactly, the 10-year-long notes.txt.

Justin Gardner (@rhynorater) (57:25.59)
for Android and stuff like that, specifically in the context of OAuth-related stuff. Have you ever looked at OAuth flows that use a specific client ID? You know that client ID is associated with the app, right? So that it's redirecting, the redirect URI is configured to be the app. And then there being some sort of regex-related issues or domain-related issues with that.

Joel Margolis (teknogeek) (57:52.182)
So I'm sure it exists. I'm trying to think of a specific example with OAuth, but generally speaking, yeah, all the time you see URL parsing problems, which circles me back to the bagipro blog post about host validation parsing on Android and the different bypasses and the different pitfalls and gotchas and whatever is related to that, just even if you're using the wrong class to parse it.

Justin Gardner (@rhynorater) (58:19.295)
Yeah.

Joel Margolis (teknogeek) (58:19.658)
You can have pitfalls there. So that stuff definitely exists for sure, especially with regex. I can even think of personal bugs that I found that have been like, they did dot ends with or whatever, instead of, they forgot a dot at the beginning or something. But yeah, the Android, oftentimes, it is very similar to what you described where you'll log in and it'll redirect you to a URI schema that will then send the code back. It'll just launch the app directly and it'll get the code through some OAuth handler.

Justin Gardner (@rhynorater) (58:27.946)
Yeah.

Justin Gardner (@rhynorater) (58:45.172)
Yeah.

Joel Margolis (teknogeek) (58:49.834)
that can be a lot harder to exploit because typically it's the code flow. The auth code flow where basically you're just, you log in and then it generates a code for you and that just gets sent directly back to the app, and it just makes a claim and exchanges it for your auth token. So there's a lot less room for error in a setup like that, but that doesn't mean that you can't exploit it or use it for your own purposes. I think it would be really case by case.

Justin Gardner (@rhynorater) (59:00.142)
Sure, and then.

Justin Gardner (@rhynorater) (59:04.767)
Yeah.

Justin Gardner (@rhynorater) (59:16.41)
Yeah, I was kind of thinking like, you know.

it would be kind of interesting if, well, I don't know, because then you wouldn't have a scheme. And I guess it would kind of get parsed as a relative URL probably. But I was thinking it'd be interesting if there was an app that said, okay, we're just gonna allow it to redirect to testapp colon. That's like the custom scheme that they've registered in the app, right? And that was the whole regex, was testapp colon, right? And then you could actually do testapp colon,

and then the password at test.com, right? Utilizing that username and password, there's some synergies there, that piece in the URL. And then maybe get it redirected to your domain instead of to the actual Android app. But I imagine if it has to start with the actual character, I believe that the browser would probably try to treat that as a relative URL if there's no HTTP or recognized scheme.

in the beginning. So I'm not sure that there's much synergy that's possible there.

Joel Margolis (teknogeek) (01:00:20.384)
Yeah.

Yeah, now that being said, like the way that they get registered on Android is it's within the Android manifest. So you say like everything under this scheme, potentially with this host and this port and this path or whatever, should all go to my app. But you can also do that for HTTP and HTTPS. So you can register like a specific HTTP or HTTPS URL and host and say, I want this URL to be openable in my app and it should do something. You can,

Justin Gardner (@rhynorater) (01:00:43.81)
Well... Yeah.

Joel Margolis (teknogeek) (01:00:52.758)
But you can do what you said. I could make just a scheme with no host or anything after it be loaded in my app. And then those are the cases where you're gonna look and see are they parsing it correctly? Because it steps beyond the system into the app and then there's chance that they're handling something incorrectly.

Justin Gardner (@rhynorater) (01:01:03.86)
Yeah.

Justin Gardner (@rhynorater) (01:01:08.69)
I imagine that the colon character is not a valid character for you to have in your registered schemes, right?

Joel Margolis (teknogeek) (01:01:22.842)
Yeah, not direct. I mean, maybe it is. I don't know specifically what it checks. Yeah, you'd have to look at the spec.

Justin Gardner (@rhynorater) (01:01:27.606)
We'd have to look at the spec on that, yeah. Because here's what I'm thinking, right? You got like test app colon, that's what the OAuth redirect URI configuration is set to. So what if you, and then it takes anything after that, so you do test app colon one, two, three, without putting a slash in there, right? It would be interesting if you could do test app, you could register an app called test app colon hacked.

colon slash slash, right? You know, that would be your scheme. And then you could hijack that OAuth code coming into your malicious app. But I kind of highly doubt that Android's going to allow a colon into the actual name of the scheme.

Joel Margolis (teknogeek) (01:02:09.822)
Yeah, it's one of those things where even testing it is very difficult because there's probably multiple layers where it's being checked. Like a couple of live hacking events ago, I was looking at an Android app and we were trying to, well, it was actually a service that took Android app, like APK files, and then would like parse them and handle them. And so we thought, oh, why don't we just like put an XXE in the Android manifest. And then when it pulls the app name out, it'll

Justin Gardner (@rhynorater) (01:02:19.295)
Yeah.

Justin Gardner (@rhynorater) (01:02:28.458)
Mmm.

Justin Gardner (@rhynorater) (01:02:33.834)
Sure.

Joel Margolis (teknogeek) (01:02:37.29)
you know, pop the XXE on the server side. Well, the problem is that Android manifests are written in this Android XML, which is like a binary version of XML, and it's like custom encoded down. And so...

Justin Gardner (@rhynorater) (01:02:39.2)
Yeah.

Justin Gardner (@rhynorater) (01:02:44.446)
Oh, it's like a... Is that a... Do you know if it's inflated or deflated XML? Is that what it is? It's an Android thing? Oh, wow. Okay, lovely.

Joel Margolis (teknogeek) (01:02:51.15)
It's not like a, it's called AX, it's AXML. Yeah, and for Android. And so it like has like a specific subset of things that it supports and all this kind of stuff. And so we were doing a bunch of testing and all we ended up getting XXE on was like all of the local tooling that we were using, like to try and compile like, or decompile the APK. Like I would get like an XXE in apktool or something. Like it would never be like exactly where I wanted it to because all of the tooling and stuff that would be

Justin Gardner (@rhynorater) (01:03:00.099)
Mm-hmm.

Justin Gardner (@rhynorater) (01:03:07.691)
Ha ha.

Justin Gardner (@rhynorater) (01:03:14.362)
Oh my gosh dude, that's crazy.

Joel Margolis (teknogeek) (01:03:19.622)
used to expand it or re-sign it or whatever was getting vulnerable instead of the actual XML that would then get parsed and yeah.

Justin Gardner (@rhynorater) (01:03:25.91)
Dude, I'm not sure if you were using the name of that tool that we might have to bleep as a filler, but if you actually do have that, you might report that to like, Internet Project or something like that, because who knows, that could cause problems.

Joel Margolis (teknogeek) (01:03:41.198)
True, that's true, I actually... I do wonder.

Justin Gardner (@rhynorater) (01:03:45.442)
Critical critical thinking, man.

Joel Margolis (teknogeek) (01:03:47.29)
It might be a zero day. We might have to cut that out. Ha ha ha.

Justin Gardner (@rhynorater) (01:03:50.666)
Yep, well, we might have to bleep that. But yeah, no, I think there's some, going back to the OAuth flow, with the defined redirect URIs, I think there is some wiggle room there, but you'd have to have a really weird configuration. For example, if an identity provider was setting the redirect URI to have to include,

you know, the first part of it has to be test app, right, or whatever the name of their scheme is, and it doesn't have a colon afterwards. Then you could register a handler called test app hacked, colon slash slash, right, register that own scheme in your malicious app, and then redirect to that, which would give you access to that code that you need to take over the account. So you could still trigger some OAuth issues there via redirect on mobile as well.

Joel Margolis (teknogeek) (01:04:43.127)
Yeah, yeah, definitely.

Justin Gardner (@rhynorater) (01:04:45.526)
Alright man, let's see what else we got on the list. Okay, so like I said, this one's all over the place, but that kind of covers the URL parsing stuff that I wanted to talk about.

I just also wanted to talk about some other concepts that have kind of been banging around in my head from the live hacking events that we've been to over the past couple months. And you know, there's just been lots of good discussions with hackers. And one of the ones that came into my brain was this concept of shared secrets across environments, you know, and specifically JWT related things.

Justin Gardner (@rhynorater) (01:05:27.172)
and you're giving people, you're allowing people to register on one environment with an email, and then you can use that same token because it passes validation on a different app, you know, and they just look at the email. What?

Joel Margolis (teknogeek) (01:05:36.622)
I have no idea what you're talking about right now. I've never seen that exact bug on a target.

Justin Gardner (@rhynorater) (01:05:42.83)
Oh really? Oh maybe you didn't... Well I was talking to someone specific about this sort of bug at a live hacking event. But yeah, essentially the bug was that there was a stage environment you could sign up for. You'd get a JWT. You could use that same JWT on the prod environment. So let's say you've got an account registered, joel at joel.com, right? I could go to the staging environment, register joel at joel.com, if there's not email validation there.

Joel Margolis (teknogeek) (01:06:08.566)
I am being sarcastic right now because there was a, I don't know if you're like playing in on this, but yes, there was this exact same thing on, it wasn't staging, but it was just that you could like log into certain apps and then any app within that same, like they use the same auth mechanism, like middleware or whatever across all of their things.

Justin Gardner (@rhynorater) (01:06:28.057)
Yeah, you see it at various targets. You know, I wasn't, I mean, what was that sarcasm? Was that, like, are you saying because it exists?

Joel Margolis (teknogeek) (01:06:37.874)
Cause that was almost the exact bug that I was just talking about as well with the APK upload stuff. It was the same target and it was utilizing that bug. Yeah. Oh, you didn't? Okay. Yeah. So there was an auth bypass to get into one of these tools. Yeah.

Justin Gardner (@rhynorater) (01:06:44.102)
Oh really? Oh what the heck, I did not hear about this. This is crazy. No, I didn't. Oh wow. Okay, so this is actually, this is more prevalent than expected I think, because this is multiple live hacking events over the past year that have had this issue

pop up on a hardened target like a live hacking target. So definitely something we see and was sort of on my radar because we talked about Cookie Monster in the past, right? That uses sort of, you know, that kind of has a similar situation where it's like, okay, you know, maybe you can forge this JWT, but the reuse of that JWT wasn't really on my radar until this past year, quite as much.

Joel Margolis (teknogeek) (01:07:26.474)
Yeah, and honestly, like from an engineering perspective, I totally see why it's happening because there's more and more push to centralize all these sorts of auth mechanisms into one place and have like a single mechanism that's doing all the authentication in a standardized way, which means that you have more risk for somebody to be able to issue an auth token that's just valid unless that single central auth mechanism is...

Justin Gardner (@rhynorater) (01:07:46.519)
Yeah.

Joel Margolis (teknogeek) (01:07:49.438)
really, really strictly properly checking like, where did this come from? Is it specifically authorized for this other application that they're trying to use it on? More than is it valid and is it like validly signed and all that kind of stuff? Because all that stuff could be true, but it could be for some other service and it could still pass.

Justin Gardner (@rhynorater) (01:07:52.482)
Yeah.

Justin Gardner (@rhynorater) (01:08:05.398)
It's actually similar to the thing we were just talking about before when you're reusing tokens across different providers too, right? Like the Facebook thing where they're not checking the app ID associated with it, right? Because it's actually a token for a different provider, but it kind of all checks out. So there's definitely recurring themes that we see across these authentication bugs, which the more and more you familiarize yourself with them, you'll start looking for those attack vectors,

Joel Margolis (teknogeek) (01:08:19.895)
Yeah, totally.

Justin Gardner (@rhynorater) (01:08:35.532)
That's been kind of a way I've grown as a hacker over the past couple years is like authentication-related bugs can be really scary and sometimes I feel like I'm forced down that route because the other scope is so shit, you know, it's like, alright, we might as well just look at auth, and then when you do, some crazy bugs can come out of that.

Joel Margolis (teknogeek) (01:08:54.058)
Yeah. And it's weird because like I almost never look at auth a lot of the time because it's such a weird, it's such a weird flow and you can end up sinking a lot of time there. And it's like a lot of times it's like a weird setup stage where there's very like limited restricted amount of data and the program, even if you submit it, they'll be like, oh, well, this is just during the registration flow. So unless the impact is like elsewhere within the application, oftentimes it doesn't even like really count or it's not a high enough impact.

Justin Gardner (@rhynorater) (01:08:58.826)
Yeah, it's such a mistake. Yeah.

Justin Gardner (@rhynorater) (01:09:03.576)
Yeah.

Joel Margolis (teknogeek) (01:09:25.27)
But yeah, like you said, when you get backed into those corners where it's a tight scope, I mean, we just saw at the last event lots of auth stuff that was just like, you know, small scope. Where do you look?

Justin Gardner (@rhynorater) (01:09:31.986)
Yeah. Yeah, it's true. But you know, you also look at the hackers that pop crits on a regular basis, right? You look at Sam, or if you look at 0xacb, you look at some of these guys that make a habit of looking at auth every single time.

They always pop stuff, man. They always pop weird shit. And so, yeah, that's something that I've sort of resolved to look into a little bit more. And on that note, I was gonna talk a little bit about...

Joel Margolis (teknogeek) (01:09:51.886)
They somehow manage, yeah. Yeah.

Justin Gardner (@rhynorater) (01:10:05.23)
one of the sort of successes I've had in this arena, which is finding, or I guess looking at Auth, which is multi-factor authentication bypasses. And there's lots of like, you know, super crappy multi-factor authentication bypasses where you can like just navigate to the page or like, you know, there's some, you know, other tricks you can do. But one of the things that I kind of wanted to highlight is like, especially when you've

you know, multi-factor devices like, hey, you know, do I want to send a text message to the phone or do I want to get an email or do I want to get a push? You know, these systems get really complex and these objects, these devices, they're just objects in the application and they're vulnerable to stuff like IDOR just like every other object in the application could be, right? So, you know, I remember taking a deep dive at a target one time and kind of looking at this flow

and IDOR in the multi-factor authentication flow, it just allowed me to use an attacker-controlled device to authenticate into the victim's account. And you could use that to get account takeover via the password reset flow. And it was like, I can't believe that this actually worked. So you'd think that I would learn my lesson after that, to like actually look at authentication more often, but sometimes it just doesn't sink in.

Joel Margolis (teknogeek) (01:11:20.342)
Yeah.

simplest things.

Joel Margolis (teknogeek) (01:11:29.314)
That's awesome, that's awesome. And you didn't even say the word rate limiting. I'm so proud of you. Ha ha ha. Ha ha ha.

Justin Gardner (@rhynorater) (01:11:33.146)
Oh yeah, that's true, rate limiting. Yeah, I said dumb multi-factor bypasses like just navigating through the thing. Anyway, nah.

Joel Margolis (teknogeek) (01:11:40.739)
I was waiting for you to say rate limiting because that's like the go-to MFA bypass, which is that you could brute force OTP codes.

Justin Gardner (@rhynorater) (01:11:43.584)
Yeah.

Yeah, it's screwed so many companies too, if you can figure out a way to, you know. Yeah, definitely breaking down. Yeah, yeah, they've paid multiple mid to high five figure crits, I believe, for that bug.

Joel Margolis (teknogeek) (01:11:50.764)
Yep.

Facebook pays a lot of money for that.

Joel Margolis (teknogeek) (01:12:03.336)
Yes. That specifically, yep.

Justin Gardner (@rhynorater) (01:12:06.058)
Ridiculous. All right, man. Um, let's see what else we got here. The last thing that I wanted to go over was also related to auth stuff, and it's... what else could it be? The only other thing that, you know, is left in the auth mechanism, which is, you know, social media login. It's kind of like we were talking about before. You know, if you're able to find, you know, some weird provider that you don't see on a regular basis...

Joel Margolis (teknogeek) (01:12:30.978)
such as login with Discord? No comment.

Justin Gardner (@rhynorater) (01:12:32.882)
Yeah, yeah, or maybe log in. You shouldn't say that, we're gonna have to bleep that. You know, log in with some weird provider, right? Let's just say.

It's always helpful to make sure that those emails are associated with, you know, that email is being validated. If you can get an account and auth into a certain, you know, service provider via the identity provider with an account that doesn't have a validated email, that is a huge problem and can often result in account takeover. So keep these, keep these things in your head as you're hacking. It can result in sort of crazy bugs. Yeah.

Joel Margolis (teknogeek) (01:13:10.402)
Yeah, the more login mechanisms, the more chaos there is. That's what I've learned. The more room for error because everybody does it a little bit differently.

Justin Gardner (@rhynorater) (01:13:17.866)
Yeah, for sure. All right, Joel, it's already turning into a good-length episode. Do you wanna talk about this report or do you wanna push it to the next time?

Joel Margolis (teknogeek) (01:13:26.479)
Uhhh... yeah, I'll make that your call.

Justin Gardner (@rhynorater) (01:13:29.726)
Alright, my voice is dying, let's call it a wrap.

Joel Margolis (teknogeek) (01:13:33.074)
Alright, alright, we'll have some good bugs to talk about next time. Alright. Peace.

Justin Gardner (@rhynorater) (01:13:35.495)
Sounds good. Peace everybody.