Justin Gardner (@rhynorater) (00:01.222)
Yo, what's up dude?

Joel (teknogeek) (00:02.742)
Yo yo, how's it going?

Justin Gardner (@rhynorater) (00:04.349)
Good, just got done with my nice little pre-podcast, little bounce, little warmup, ready to.

Joel (teknogeek) (00:10.302)
Yeah, you know, you seem to always forget that you're three hours ahead of me.

Justin Gardner (@rhynorater) (00:13.837)
Yeah, it's like 7:15 in the morning for you right now.

Joel (teknogeek) (00:16.862)
Yeah, yeah, something like that.

Justin Gardner (@rhynorater) (00:18.849)
Well, thanks for getting up early to record the pod. I wanted to start today off with a little Bug Bounty struggle story. You know? Because I feel like a lot of the people that listen to this pod, you know, I hear a lot of, or at least what we see on the Discord often is people saying there's a lot of struggles to Bug Bounty and that's true.

but it seems like everyone's just sort of at the top, winning, posting in there, I just got awarded whatever bounty on whatever on Twitter. But I wanted to flip it around a little bit today and give you guys a little bit of an insight into the actual hacking struggles. So this goes back to, I guess, the past two live hacking events that I've been a part of, the one in Tokyo and the one in Portugal.

So I just barely scraped into the top 10 in Tokyo, which is great, that was my goal. But I think I placed like fourth or fifth in Portugal. But both of those events, for me, were like a little bit subpar as far as like bounties go, right, as far as like actual earnings go. And even though, you know, I was ranking pretty well on them, it was a little bit rough. And so...

And around this time, you know, I'm traveling all around Japan, I'm traveling all around Portugal and I get back to my home and I'm like, man, I feel so disconnected from the hacking, you know, like I haven't had like a normal schedule where I've deep dived something in a long time. Um, and I just feel like that. Start, you know, that difficulty getting restarted again. Do you know what I'm talking about? I mean, you're, you're pretty like, I feel like you do hunting in spurts, right?

Do you also feel that sort of like stress when you haven't been hacking in a while and you have to restart?

Joel (teknogeek) (02:14.942)
Yeah, I mean, I feel that a lot. Like I don't hack nearly as much as you do. Um, and so like that is kind of like an all the time struggle for me where like, if I have stopped hacking for awhile and I need to get back into it, it's very difficult for me to like get that ball rolling again. Usually I'd either need, um, somebody who I'm like hacking with, who like has the energy going already, like you're usually a good source of that. Um, or I'll have to.

Justin Gardner (@rhynorater) (02:26.267)
Mm-hmm.

Justin Gardner (@rhynorater) (02:38.095)
Mm-mm.

Joel (teknogeek) (02:40.202)
Like just, you know, kind of like anything else, that's really difficult. You just have to like start on it. Like how do you eat an elephant one bite at a time? So it's the same thing with like any other hard task that's like difficult to start. You just have to start it and eventually like, you'll get into it. And usually like, especially cause it's something that we enjoy, like we'll fall into flow state or something, but you really just have to start. And that's always like the hardest thing is just like starting with no sort of like, you know.

Justin Gardner (@rhynorater) (02:57.881)
Yeah. In a-

Yeah, exactly. And that's, that's kind of where I was at this time, man. And like, this one actually really was hard for me to push through. Like normally it's not very hard for me to push through. And normally I'll just be like, you know, all right, time to just get back at it. But this time I was like, man, I just, I don't know what targets to go after. I don't know what, like, I was just kind of lost, you know? Um, but just like you said, you know, you just kind of, you pick a target and you, and you deep dive it. And then here's the thing, man. Here's the thing that was crazy. I went four days, which is like.

super irregular for me, but I was feeling it a little, you know, I was feeling the pressure a little bit. I went four days without finding a bug, right? Zero bugs for four days. And that, like, you know, when you're already feeling down in the dumps and you're already feeling that the ambition is not there, that the motivation is not there, that just, you know, it's like a knife in the chest and twist it, you know.

Joel (teknogeek) (03:56.266)
Yeah, I will say this is like normal for me because like oftentimes when I look at programs, I'll be looking at like a lot of times mobile stuff and for lots of programs there's not mobile bugs. Like it's just like either a very small app or it's just like, you know, the small attack surface, whatever. And like I'll spend like a day, like a whole day just like digging, looking at all the different things like.

Justin Gardner (@rhynorater) (04:04.656)
Yeah.

Joel (teknogeek) (04:18.626)
following paths down rabbit holes that don't lead anywhere and then just like by the end of it, I'm like, okay, well, I know a little bit more than I did earlier, but that's about it.

Justin Gardner (@rhynorater) (04:24.55)
That's it.

Yeah, and, but you know, that's, that's the way you got to start, right? Like that's the way you got to get into it because yeah.

And I don't know, so after those four days, I was like, man, I feel like shit, but it's Friday and I'm gonna give it, because this is a full hacking week. Like I did nine to five for this week, trying to get back into the schedule of things and stuff like that. And then on the last day, I popped three bugs and a crit. They paid out right before this call, so I'm very, very hyped about that.

Joel (teknogeek) (04:53.258)
Nice. Nice, nice. That's awesome.

Justin Gardner (@rhynorater) (04:58.886)
But it takes a little while to get back into your groove. And that's one of the things that I see people that are beginners, I mean, obviously even pros struggle with it, right? Because we're having this conversation right now. But this is one of the things I see almost all hackers struggle with actually is this whole concept of like, okay.

how much time do I devote into this? How do I get restarted when I'm not already in the zone? How do I get back in that flow state? And dude, I mean, I'm gonna come back and listen to this next time I'm in this same situation so I can give myself a little pep talk. Just start and just start doing it and start hacking and start gaining expertise on an application and dude, the vulns will come. So now I'm back on my groove and I think one of the things, I think.

Joel (teknogeek) (05:42.826)
Yeah. Awesome.

Justin Gardner (@rhynorater) (05:47.397)
For me, one of the pros that I haven't really talked about much on the podcast about being a full-time bug bounty hunter is that you actually don't have to deal with this very often because you, you know, you often have a pipeline of bugs, you're hacking on a really regular basis and you know, unless you're taking massive amounts of time off, you very rarely have to like redo that whole process again. So that's, that's something I'm really grateful for.

Joel (teknogeek) (06:11.99)
Yeah, I was gonna say, like, notes are also one of the biggest things that you can use to help yourself, because oftentimes, if you think about it, like when you're hacking nine to five, like every day a week, every day of the week, you know, you come back, you know what you were doing yesterday. Like, it's fresh in your mind, you know, at most it's maybe ten hours, twelve hours old, and

Justin Gardner (@rhynorater) (06:16.006)
Mm.

Justin Gardner (@rhynorater) (06:23.782)
Mm.

Justin Gardner (@rhynorater) (06:28.827)
Mm.

Yeah.

Joel (teknogeek) (06:32.266)
You know, if you come back to that, you know what you're working on. But if you go away for like a week, a lot of times like your memory then gets filled with other things that you were doing. Like you kind of start to forget about the like recency of the specifics of the details of things that you were looking into. So if you take notes of those things, like everything that you're working on, like all the things that you were looking down, all the things that you like wanted to still investigate. And then you come back to it. Like that can help offset that, um, that like delay of like not knowing where to start and what things to look at. Cause you have a list of things that

Justin Gardner (@rhynorater) (06:58.736)
Mm.

Joel (teknogeek) (07:01.566)
you were already looking at, and you can kickstart that. The other thing is, you just have to remember that anytime you start a new program, it's always gonna be like this. So we have the same problem when we start any new program. There's always that discovery period in the beginning. And it just takes time to get familiar with the program, spend time testing it out, understanding the ins and outs. If you've taken time off and switched programs, then that's double whammy, right? So you have no context on this new program.

Justin Gardner (@rhynorater) (07:10.693)
Yeah.

Justin Gardner (@rhynorater) (07:28.391)
Mm.

Joel (teknogeek) (07:29.474)
you still have to do discovery phase and you're trying to kickstart yourself with no notes, no starting point, no nothing. Like, yeah, it's definitely gonna be a little bit of a slow roll, but once you can get there, you know, take notes on everything that's like looks interesting. So that way when you come back, like even if you take two days off, you can come back again, you have notes, stuff to look at.

Justin Gardner (@rhynorater) (07:47.065)
Yeah, no, that's a great insight, dude. And I actually, it's funny you mentioned that without even knowing it because I actually had been tuning up my notes game, because we talk about it on the pod a decent bit and we've seen an overwhelming representation of the no notes sort of people, right? But ever since that happened, I was like, man, there's gotta be people that take notes on a pretty regular basis. So I've been finding them and I'm gonna have them on the pod.

Joel (teknogeek) (08:05.778)
Yeah.

Justin Gardner (@rhynorater) (08:15.489)
and we're going to be able to interview them about their note taking things. But one of the things that I've noticed that's pretty consistent across the note takers is they are very consistent top performers on one program.

Right? You don't see a lot of people that switch programs on a regular basis taking very detailed notes. But the people that do take notes, they stick to one program and they absolutely crush it. And they know the insides and outs of that program. Like they are the person for that program. Right? So that was really inspiring to me. And I started to, so I'm going to look at my notes right here. I've got a section that says almost vulns slash gadgets. OK. Those are the things that are sort of like, you know, almost there that maybe I might be able to use in a chain.

Joel (teknogeek) (08:46.369)
Yeah.

Justin Gardner (@rhynorater) (09:00.647)
I've got app segments, which is actually like on the target that I'm talking about, it's one big domain, but there's lots of different like sub apps under different paths, right? That have different JS files, are clearly different, you know, segments of the app. And knowing about each one of those, you know, you can try to chain together pieces from all the different ones to build gadgets. And then I've just kind of got interesting functionality and notes on the actual deep dive and then specific target, specific notes.

Joel (teknogeek) (09:08.762)
Mm.

Joel (teknogeek) (09:14.05)
Mm-hmm.

Joel (teknogeek) (09:29.214)
Yeah, well, and I can tell that you've already like done some of that discovery phase too, because those things that you mentioned even just like that sub app concept, it shows that like you spend time looking at this, you realize that there was some sort of a pattern here. And eventually, like you sort of cracked it in a sense that makes sense, at least for now, like a lot of a lot of time, like while we're doing this stuff. I think it's kind of like running theories. We're like, you don't really know 100% what's going on. But like, you can take a pretty good guess based on the behavior that you see. And so a lot of times, it's good to make those

Justin Gardner (@rhynorater) (09:30.548)
I don't know, we're getting there.

Justin Gardner (@rhynorater) (09:37.66)
Yeah.

Justin Gardner (@rhynorater) (09:46.374)
Mm.

Justin Gardner (@rhynorater) (09:53.702)
Mm.

Joel (teknogeek) (09:58.418)
sort of assumptions where you say, okay, I'm pretty sure this is how this is working. I'm going to run with this theory until I run into some data that, you know, contradicts my theory and then I can rework my theory if I need to. And that can let you, you know, find vulnerabilities because if you, if you have a good idea of how it's working in the backend or like what it's actually doing, then you can, you know, make more educated guesses towards the type of bugs that you're targeting or the types of techniques that you're trying. Um, and so I, I like that sort of like running theory type stuff where basically you have, you know, Oh, there's sub apps here. Okay.

Justin Gardner (@rhynorater) (10:03.323)
Mm-hmm.

Justin Gardner (@rhynorater) (10:21.927)
Mm.

Joel (teknogeek) (10:28.342)
You know, I'm going to run with that theory until I see something that contradicts it. Or maybe there's like two different systems here and that leads you down. And it also helps you like identify like anomalies within those patterns. So that if something does contradict your theory, you're like, huh, that's weird. Like why, what is that? Like, why does that behave differently?

Justin Gardner (@rhynorater) (10:43.845)
Yeah, no, 100%. And the same sort of thing, you know, Franz was talking about on the episode, you know, with him about mapping out what's gonna be happening in your head, and I think taking notes on that is a really big, yeah, it's a really big benefit. And actually, so taking the notes thing a little bit further, I need to get a couple of these people on, but one of the things that I've noticed in particular that people who really crush it on one program have been taking notes on is OAuth stuff.

enumerating different client IDs, enumerating different scopes associated with different apps, trying to get client secrets, that sort of thing, right? And very, very cool because using those things, we can start to really map out and really understand at a deep level, and man, do they understand it at a deep level, how the permissioning works for a given app. And so I just started diving that a little bit deeper, and I already found a crit,

less than a week in with it. And as we're recording this episode, I'm seeing notifications pop on my phone like, okay, yep, we're dealing with it, we're dealing with it now. So that's always good to see. And so yeah, especially OAuth notes, I think really, really important.

Joel (teknogeek) (11:45.663)
Yeah.

Joel (teknogeek) (12:01.45)
Yeah, I mean, auth stuff is always like really weird. Um, because the more complex that an organization is, oftentimes there's multiple spots where you'll log in and, uh, the, the behaviors of those auth systems, either they have to be centralized, which means that they have some sort of like OAuth mechanism or like a centralized auth system, or they're implemented separately, which means that there needs to be consistency across multiple implementations. And so in both cases, there's room for error and there's room for

Justin Gardner (@rhynorater) (12:17.737)
Mm-mm-mm.

Joel (teknogeek) (12:28.162)
for holes and stuff. So we actually have some running notes in a separate document. So I think we're gonna have an OAuth episode soon. I don't know if it'll be today though. I don't think it's today.

Justin Gardner (@rhynorater) (12:29.235)
Mm.

Justin Gardner (@rhynorater) (12:32.776)
Yeah.

Justin Gardner (@rhynorater) (12:35.991)
Yeah.

I... it's on the episode for today, dude. We have so much stuff to cover and we're already, you know, as far in as we have, and we haven't even covered the first bullet point. So, um, yeah, no, we'll definitely have an episode on that. I feel like I need to deep dive it a little bit more before we get the episode on it, though. But I will say, Joel, I don't know if you went back and listened to the SAML episode that I released last week. Um, I know you've been all over the place. I think you're recording in a hotel right now, but, um, yeah, that, that sort of thing, um, you know, it will also apply.

Joel (teknogeek) (12:43.182)
Hehehehe

Joel (teknogeek) (12:56.788)
I did.

Joel (teknogeek) (13:01.351)
Yeah.

Justin Gardner (@rhynorater) (13:06.963)
a lot to the OAuth and OpenID stuff. So definitely excited to keep deep diving that. All right. Dude, we launched the Discord, man. It's out there. What are your thoughts? Yeah.

Joel (teknogeek) (13:13.888)
Yeah, absolutely.

Joel (teknogeek) (13:19.382)
We did launch the Discord and it's been crazy. It's been really crazy. We're up to almost a thousand members now. I just checked this morning, it's like, almost a thousand. And yeah, it's really awesome to see, just like all the people coming in, having conversations, like every day, there's just hacking conversations, just random things, people posting research and tools, and hey, I found this thing, hey, anybody got an idea about this? It's really awesome to see.

Justin Gardner (@rhynorater) (13:28.817)
Yeah.

Joel (teknogeek) (13:49.454)
community like, you know, communicating and working on bugs together and just like, you know, enjoying this space. So yeah, already, just one week in. It's really amazing. Or two weeks, one week, two weeks in. Yeah.

Justin Gardner (@rhynorater) (13:58.601)
100%.

Yeah, I was so excited and encouraged by how much of a response we've had from the community and how active all the channels are. And yeah, and also just big shout out to anyone who got in on the subscriptions, the Discord subscription memberships early on. That is so exciting for us to see and very exciting for our wallets as well because we've been running Critical Thinking at what? Like $500, $600 burn rate per month

ever since the beginning, pretty much. So getting some income to offset that is really helpful. So for those of you that want to support the pod, definitely go check out the Discord subs, and we're dropping a bunch of really cool stuff in the exclusive subscribers channel, mostly in the Critical Thinkers channel. So yeah.

Joel (teknogeek) (14:45.814)
Yeah.

Joel (teknogeek) (14:50.218)
Yeah, definitely. Like it's not just like for supporting the pod. Like obviously we appreciate the support, but it's also for you guys. You know, it's really for sharing exclusive information and stuff. We posted a bunch of different exclusive techniques and tips and links and tools and all sorts of things in the critical thinkers chat. We're working on setting up our first masterclass. You've got some AMA questions coming in. So yeah, there's a lot of really awesome things that are available in the paid tiers that are more exclusive benefits.

Justin Gardner (@rhynorater) (14:57.533)
Yeah.

Justin Gardner (@rhynorater) (15:04.442)
Mm-hmm.

Justin Gardner (@rhynorater) (15:09.808)
Mm.

Joel (teknogeek) (15:19.362)
But just in general, there's tons of people who just come in, chat in the general chat, chat in the hacking chat. It's really awesome.

Justin Gardner (@rhynorater) (15:23.741)
Yeah.

Yeah, I mean, we've definitely had some more. I think the discussions that happen in the supporter chats, you know, they're...

A lot of them are tailored to specific vulnerabilities and stuff you wanna keep in the more exclusive channels, but there's been a lot of great high quality stuff, like you mentioned, in the general and hacking channels as well. And so I just grabbed a couple of the things that I wanted to kinda just give you guys a taste of what we're seeing in the Discord. The first thing was we're seeing a lot of conversation and really helpful conversation, actually, surrounding JS monitoring. And I'm a little, I'm not gonna lie, Joel,

I'm a little sad actually to see so many people do this because like I feel like you know

Joel (teknogeek) (16:05.13)
Hehe.

Justin Gardner (@rhynorater) (16:10.437)
content creation in the bug bounty realm is a little bit tricky, because it's like, okay, what do I share, and how much do I share, right? And then when I share, how much competition am I creating for myself, right? And I will say, I have noticed an increase in dupes since we started doing critical thinking, I really have. And stuff that you wouldn't really think is a dupe either. And it could just be my bias or whatever, but,

Joel (teknogeek) (16:26.515)
Oh yeah.

That's interesting.

Justin Gardner (@rhynorater) (16:42.131)
when there are people actually taking the advice, it's a little bit, you know, and people talking about it in the chat, like, oh, you know, I set up this script, you know, I'm monitoring this endpoint, and I already found these bugs, I'm like, all right, well, there goes one of my, you know, top.

Joel (teknogeek) (16:55.566)
Yeah, no, it's true, because like literally just the other day somebody in the Critical Thinkers chat, they pinged us and they were like, yeah, you know, like I was stuck on this bug and like, then I was listening to the episode and you guys mentioned this thing and I tried it and it worked, and like, you know, I wouldn't even have thought about that. It's like, oh man, like, you got competition.

Justin Gardner (@rhynorater) (17:09.917)
Yeah.

Yeah, yeah, I mean, and it's great. It's great to see, but also, you know, it does. It's that, it's that dichotomy, you know, it's that, it's that battle, uh, that you have as a content creator in bug bounty, but needless to say, we're glad to see it, we're going to keep them coming for y'all, um, because, you know, when the community continues to perform, the bug bounty industry continues to perform and, you know, a rising tide lifts all boats. Is that it? Is that the.

Joel (teknogeek) (17:39.786)
That is the saying, yeah. Yeah. There's a whole psychology thing behind this between there's two mentalities where it's finite mentality and I don't know what the other one is, but it's basically like, is it one piece? Yeah, it's basically like, if you think of it all as one pie, when somebody gets added, does everybody get a smaller slice of the pie? Or does the pie increase? And usually people...

Justin Gardner (@rhynorater) (17:41.041)
That is the expression, man. I got it.

Justin Gardner (@rhynorater) (17:48.091)
Yeah.

Justin Gardner (@rhynorater) (17:55.786)
Mm. Infinite game mentality? Is that the Simon Sinek thing? Yeah.

Justin Gardner (@rhynorater) (18:07.227)
Mm.

Joel (teknogeek) (18:09.074)
individually, like, have like a sort of a set, like, view on this about like how they think about things just in general, and it's like the same thing with bug bounty, where it's like, you know, if I share data, like, am I taking away from my bounties, or am I just like increasing the overall research and then everybody gets more bounties, etc.

Justin Gardner (@rhynorater) (18:15.933)
Yeah.

Justin Gardner (@rhynorater) (18:23.449)
Yeah. Yeah, and to be honest, man, everyone's got such unique.

perspective when it comes to what kind of bugs they're going to find as well. It's very unlikely that, that I am actually causing dupes for myself, but I will, you know, I, I think we mentioned the one time when we had Alex Chapman on the pod, there was one, one occasion when, uh, a blog that Alex wrote really helped me in exploiting a bug that he duped on, uh, and, and I, that just, uh, in that moment, I was like, man, I feel for you brother. So.

Joel (teknogeek) (18:34.682)
I don't know.

Joel (teknogeek) (18:48.707)
That's true.

Joel (teknogeek) (18:54.499)
That's so funny

Justin Gardner (@rhynorater) (18:55.457)
Yeah, the things I wanted to shout out in particular were a couple of the people on the Discord. Xnlhacker, who you guys probably know, we've shouted him out lots for the tools he's making, is using a modified version of a tool called jsmon, which is exactly what it sounds like, a sort of JavaScript change monitor for Bug Bounty. We got another person in there, Abby, who's using a custom script and using the Scrapy Python library

which is actually very close to what I do, and he writes a custom script for each individual company that he's monitoring, tailored to that company's JS files, and running regexes that will produce results on that company's JS files. And then there's a couple other people, I'm not even gonna try to pronounce E-A-T-I-M-I-S, and then Static Flow as well, also might be building something for the people. I don't know if Static Flow is ready to announce that yet,

Joel (teknogeek) (19:46.599)
Lea- Lea-Timerz? Yes.

Joel (teknogeek) (19:52.091)
I don't know.

Justin Gardner (@rhynorater) (19:55.211)
having some exciting chats on a secret channel in the discord. So Tanner, whenever you're ready to drop that thing, man, you know, the world might be ready for it. So.

Joel (teknogeek) (20:05.658)
Yeah, absolutely. No, we've been, we've been working behind the scenes with Tanner on static flow on some, some cool stuff. So we're hoping again, more, some exclusive stuff. So if you're interested, you know, go check out the discord, but yeah, we're, we're hoping to have some more exclusive critical thinking tooling and all sorts of fun things coming out very soon.

Justin Gardner (@rhynorater) (20:19.157)
Mm.

Justin Gardner (@rhynorater) (20:26.597)
Yeah, dude, the swag game should be fun too, coming up. We're working on that. I don't know what the timeline is that gonna be because I was like, yeah, I was talking to our person who's kinda helping with that and I was like, hey, you think we could roll this out by Christmas? And they're like, no. Yeah, they're like, not a chance. So yeah, no, that makes sense.

Joel (teknogeek) (20:32.138)
Yes. Unknown timeline.

Joel (teknogeek) (20:42.433)
It's like late November. It's like yeah, can we do this in a month during the busiest season?

Justin Gardner (@rhynorater) (20:53.241)
Yeah, okay, so obviously a couple more things I mentioned in the Discord was secondary context bugs, which we've talked about on the pod a decent bit. I'll mostly skip over this now, but I am glad to see people saying, hey, I'm actually finding secondary context bugs out here that have high impact. And actually, I know of a couple people that haven't even posted in the Discord publicly, but have DMed me privately saying, hey, found some cool secondary context bugs and scored massive, massive bounties from it.

Joel (teknogeek) (21:21.226)
Yeah, secondary context bugs are really, really interesting. We talked about it a bunch, so if you're interested, you can check out a good example, Sam Curry's Starbucks blog. Yeah, yeah.

Justin Gardner (@rhynorater) (21:30.149)
Yeah, Sam Curry and Rhynorater, featuring Rhynorater. Goodness Joel, what the heck man? I mean, dude, well it's Sam Curry shit, you know? It really is. There's a specific brand of stuff and that's Sam Curry shit right there. But yeah, sorry, I need to get some water. But the last thing was like, there's been some really good automationist.

Joel (teknogeek) (21:34.294)
Oh yeah, oh that guy, who's that? It's on samcurry.net, I don't know what to tell you

Joel (teknogeek) (22:00.19)
Automationist. Yeah, this is a new term that we come up with.

Justin Gardner (@rhynorater) (22:00.197)
you know, the automation is shit. Yeah, in the Discord, we've talked a good bit about DNS wildcard filter, and I'll just kind of give the TLDR of that here.

A lot of people have a lot of different approaches. Some tools do it automatically. I think dnsx does some stuff. But really, it's kind of a hard problem to nail down. And one of the approaches that seems to have worked best for me, and I've kind of discussed a little bit with the community, is this concept of wildcard profiles. And what you'll do is when you detect a wildcard, when you're doing subdomain enumeration, you will take that wildcard and put it through a process to create a profile for what this

specific wildcard looks like. So.

you're generating multiple iterations, you're resolving it multiple times, you're querying different resolvers, you're adding and prepending things, trying to figure out exactly where the wildcard break is in the definition, where it is at in the subdomain structure, that sort of thing. And then you're also resolving it multiple times with multiple resolvers to try to get an idea of what IPs are being round-robin returned in that.

creating a profile of sorts for what that wildcard should look like. And then when you resolve things which match that wildcard in the subdomain level but do not match that response, then you know you've got a diamond in the rough, something that most other people won't find because they're just going to be saying, all right, everything under dot whatever is a wildcard, and I'm just going to ignore it. But this one isn't. And so there's a lot of really good scope living in those sort of caveats.

Justin Gardner (@rhynorater) (23:47.802)
if you can read between the lines for the DNS.

Joel (teknogeek) (23:50.23)
Yeah, for sure. And an interesting thing about wildcards, so I'm pretty sure this is like all the time, but basically like the way that you configure a wildcard on DNS is that your A record essentially, the record itself is an asterisk, it's a star. And so you can do a lookup on that. If you think something's a wildcard and you want to verify, you can actually just dig star.whatever.com. Yes, you can. Yep. And it'll actually, yeah, totally.

Justin Gardner (@rhynorater) (23:57.862)
Mm.

Justin Gardner (@rhynorater) (24:06.415)
Mm-hmm. Yeah.

Justin Gardner (@rhynorater) (24:14.781)
No you cannot. No. What the frick Joel?

Hold up, hold up, hold up. No.

Justin Gardner (@rhynorater) (24:31.601)
Hold on, hold on just a sec. I gotta, I gotta. What?

Joel (teknogeek) (24:32.974)
for the end quotes.

Justin Gardner (@rhynorater) (24:38.245)
Well, I mean, OK, I guess that sort of makes sense because anything there, I mean, what can I do a slash there? Like, oh, yeah, OK, but any character is going to return that, though, right?

Joel (teknogeek) (24:49.454)
Right, but typically, like a DNS, because that's the way that it's being configured, like yes, the wildcard is probably wildcarding itself, maybe, but that's also a really easy way that you can concretely check if you're not sure that something is a wildcard.

Justin Gardner (@rhynorater) (24:58.683)
Yeah.

Justin Gardner (@rhynorater) (25:03.213)
Interesting, interesting. I wonder if some authoritative name servers will actually give you more information if you actually hit star.whatever.com rather than, you know, bladieblah.whatever.com. That's very interesting. I didn't know that.

Joel (teknogeek) (25:18.047)
Yeah.

Joel (teknogeek) (25:22.73)
Right. It's super interesting behavior. Yeah, because I have some wildcards configured on my own domain, and it's configured like that. Like, you do an asterisk dot whatever, and you can look it up. And I'm not sure if it's that the wildcard is wildcarding itself or if that's just that it's wildcarding everything else and it's giving you the literal lookup. But either way, that's a really good way that you can get basically the wildcard response and then you can use that to filter it. So if you're not sure that something's a wildcard, you can literally just start out.

Justin Gardner (@rhynorater) (25:28.346)
Mm-hmm.

Yeah.

Justin Gardner (@rhynorater) (25:36.485)
It could be.

Joel (teknogeek) (25:51.95)
Yeah.

Justin Gardner (@rhynorater) (25:52.977)
Very nice, dude. I didn't know that. That's definitely something to keep in mind. And we've been kind of scheming with some of the guys in there, with Gould and them, about how exactly to get this stuff to work. And you have to put together so many different pieces of the puzzle when trying to do this effectively. And we've been seeing some experts hop in there, like Sean, SY, will hop in there, from Assetnote, and give some good stuff.

Joel (teknogeek) (26:18.09)
Yeah, from Assetnote.

Justin Gardner (@rhynorater) (26:22.931)
appreciate the guests also being active in the Discord. That's really encouraging to see.

Joel (teknogeek) (26:29.61)
Yeah, it was hilarious. On the first day he was like, what's happening? I just woke up and my phone is exploding. I have like a million notifications from this Discord. I went to sleep. There was 15 people in here. I woke up. There's 500 people in here.

Justin Gardner (@rhynorater) (26:36.504)
Yeah, yeah because...

Justin Gardner (@rhynorater) (26:41.661)
Yeah, dude, we probably should have let them know, but we had all the guests join the Discord in advance because we were using it for like logistic stuff with planning and that sort of thing. And then, you know, we didn't really tell anyone we were gonna launch it, and then all of a sudden, ding ding, you know, like the welcome channel is like blowing up. So if you're listening, sorry about that, Sean. Hope you get some sleep. Sorry for anyone on the Asia time zone when we launched that, but yeah.

Joel (teknogeek) (27:09.662)
Yeah. Cool, there was another tool that I saw posted in there. It's called "Thank U Next". And this seems specifically for Next.js. So I believe Next.js is mostly used for web3 applications, but it might be used for other things. But it's called "Thank U Next", letter U, like "Thank U Next.js". And basically all it does is it just parses, it looks for a Next.js build manifest, and then it will parse out all of the...

Justin Gardner (@rhynorater) (27:16.246)
Mm. Yeah.

Justin Gardner (@rhynorater) (27:24.465)
Mm.

Justin Gardner (@rhynorater) (27:32.685)
Ah, yeah, yeah.

Joel (teknogeek) (27:39.23)
all of the routes that are available through that, through the Next.js build manifest and it'll just print them out for you. Super easy. So if you're looking at Next.js applications, you see it's using Next.js. You can just run it through this tool, it'll give you all the routes. Super easy, nice, cool piece of research.

Justin Gardner (@rhynorater) (27:54.513)
dude, I love this. I really, I love this a lot. And actually this is something very sort of related to something that I wanted to talk about on the pod today, which was this concept of client side paths. And when we think about JS, when we think about JS file.

Recon, reading the JS files, trying to extract the endpoints, that sort of thing. We kind of think about this grit your teeth process of staring at the JS until your eyes bleed and trying to trace back all these functions to get the correct parameters for a request that's going to be sent to the server-side API. But in reality, something that I've been sleeping on is this whole concept of...

Joel (teknogeek) (28:26.614)
Yeah.

Justin Gardner (@rhynorater) (28:42.369)
looking at how the client side routing actually works, because like nine times out of 10, the application that you're dealing with nowadays are gonna all return the same, you're gonna hit slash blah-de-blah and it's still gonna return the same response. And then the JS on the client side, Angular, React, Next.js or whatever, is gonna look at the path and show you a page based off of that, right?

And so looking at these client side paths as well within the JS files is massively helpful because not only can you trigger various functions that are bound to these routes and maybe even get XSS, I've popped several XSS over the past week because of this trick, but you can also not have to go through this terrible process of trying to figure out

Justin Gardner (@rhynorater) (29:33.695)
in a request and actually just have that app generated for you by forcing a specific state in the application by navigating to that route. And I just, I don't know why I haven't been doing this more often and it's just, it's a great trick.

Joel (teknogeek) (29:39.126)
Yeah.

Joel (teknogeek) (29:45.526)
Well, and another thing that I've noticed is that, especially with Webpack stuff, so a lot of times you'll still have the Webpack map files and you can un-map it, you can view it in your browser, or you can un-map it locally. And oftentimes what you'll see is that the pages, there's usually a folder called like pages, and it has like the JSX or whatever, is that the right terminology? The like JS templating thing?

Justin Gardner (@rhynorater) (30:04.914)
Mm-hmm.

Justin Gardner (@rhynorater) (30:12.285)
Uh, like, no, like, like the .ts, .tsx files, like for TypeScript, and then JSX, I think, probably for just straight JavaScript stuff. Yeah.

Joel (teknogeek) (30:16.694)
TSX. Yeah, yeah, TSX. Yeah, yeah, exactly.

Joel (teknogeek) (30:21.726)
Right, right. So basically those like HTML-esque JavaScript templating type of stuff that's used in React, typically. And you'll see that it'll only return like one page. And a lot of the time that's because it's using either lazy-loaded JavaScript or because it's explicitly like checking whether or not it should load other parts of the app, even though it's in the code, so you just have to do a little bit more digging, and the page IDs and stuff are in there. So just like what you're talking about where

Justin Gardner (@rhynorater) (30:25.718)
Mm-hmm. Yeah.

Joel (teknogeek) (30:51.146)
Essentially, all this stuff is on the client side already. Like the front end pages, there might be back end API endpoints that it's hitting, and those will also be in the JavaScript. But really, the available pages for you to browse are all within that file right there. And so you can look through and you can find them and you can pull them out. And then usually, you can also go one step further and you can either get the lazy loaded file for that page or you can find maybe there's a specific JS file just loaded on that page and that has extra functions, extra API endpoints, all that kind of.

You know, juicy, juicy info. And, uh, a lot of time, just at first glance, you wouldn't really see it. Cause you might see the pages folder and see like, you know, two things in there and not nothing's there that you haven't already seen, but if you, you know, go just one step further.

Justin Gardner (@rhynorater) (31:21.597)
Yeah.

Justin Gardner (@rhynorater) (31:35.129)
Yeah, 100%, and I think JS Weasel is doing a lot of this stuff, right? Like doing the lazy loading, you know, unpacking. It's an expensive tool, but I have seen a couple people give testimonials recently saying like, hey, this is really worth it, finding a lot more bugs with this. And I like it, and it's on my to-do list for this week to go and try it again and work on it a little bit and, you know, see if I can integrate it into my workflow a little bit more effectively.

One problem with that is it doesn't have Caido integration, and Caido is my main tool that I'm using now for proxying. I switched over a couple weeks back, and I've put probably 80 to 120 hours in Caido over the past three or four weeks. Yeah.

Joel (teknogeek) (32:13.422)
Dude, I gotta say, I love everything about Caido except for there's one thing, and this has always irked me, and it's the scope control. Like the way that they handle scopes is like it has to be, basically like you have to know what the domain is, like the root domain to some extent, because it like, in Burp you can literally just put like a word and it'll just regex, like, and I love that.

Justin Gardner (@rhynorater) (32:22.278)
Yeah.

Justin Gardner (@rhynorater) (32:29.893)
Yeah.

Justin Gardner (@rhynorater) (32:36.025)
Okay, I literally, I literally, there's an open ticket, they're gonna push it in, I think probably the next patch or maybe the patch after that, but I've told them like, dude, 90% of the time, I just wanna give it a keyword. And I wanna see, you know, S3 buckets that have Facebook in it, I wanna see, you know, tangential domains that have, you know, the word Facebook in it or whatever, like that's the way to do it. And it'll get there, it'll get there. And then in the meantime, it's a little bit of a pain, but yeah.

Joel (teknogeek) (32:41.537)
Okay.

Joel (teknogeek) (32:47.638)
Same. Yeah.

Joel (teknogeek) (32:55.891)
Yeah, absolutely.

Joel (teknogeek) (33:02.298)
Yeah, yeah, because I found like, for example, I was, I've also been trying to use Caido significantly more as like my main tool, mainly just because the projects, like honestly, like I wish it was more than this. But the project switching is just like a huge hassle in Burp. And the fact that you can just like make a new project, you can just switch through it in the same window and all that. It's so nice. Yeah.

Justin Gardner (@rhynorater) (33:07.964)
Yeah.

Justin Gardner (@rhynorater) (33:11.517)
Dude, it's so nice.

Justin Gardner (@rhynorater) (33:16.367)
It is.

Justin Gardner (@rhynorater) (33:20.945)
It's like a two minute time. I have like a crazy, crazy strong server that I use as my main computer here. 128 gigs of RAM, top processor I could get at the time. It still takes me like two minutes to switch into Burp projects, right? In Caido, it's literally three seconds.

Joel (teknogeek) (33:28.524)
Yeah.

Joel (teknogeek) (33:36.67)
Yeah, well, and the crazy thing is that I used to do this, this like really janky setup where I would run multiple instances of Burp, because it's got so much, this got on my nerves so badly that I would run multiple instances of Burp and I would only like, I would have the proxy tab open and I would just check, uncheck the listener on the other instances that I wasn't using. And then when I'd switch projects, I would like uncheck, minimize, bring up the other instance, turn the proxy on and just like do it like that and just ignore all the warnings and whatever, when you launch with the temporary files and like

Justin Gardner (@rhynorater) (33:54.554)
Yeah.

Justin Gardner (@rhynorater) (34:01.862)
Yeah.

Joel (teknogeek) (34:06.154)
It's just a pain. So I've been switching more to Caido. And that's like the one thing that really, that I miss is that I was hacking on a scope, for example, and I had their domain in there. And usually what I'll do is I'll do percent.domain.com as well as domain.com, because that's another thing that like you have to explicitly, anyways. And I was like doing a bunch of hunting. And sure enough, I see in the DNS logs, like there's some completely separate root domain that like had the keyword in it, but I didn't know it existed.

Justin Gardner (@rhynorater) (34:15.865)
Mm-hmm. Sure. Yeah, yeah, yeah.

You do.

Justin Gardner (@rhynorater) (34:33.818)
Yep.

Joel (teknogeek) (34:35.606)
And I was like, oh shit, like maybe I've been, you know, who knows, maybe I've been missing stuff on this. So, you know, once they get that added, that'll be really awesome. I do like the idea of the scope control that they have, but I think for bug bounty hunting, often it needs to be like just very broad and generic. Yeah, exactly, like just make it regex. Like regex, default to regex, please.

Justin Gardner (@rhynorater) (34:52.385)
or just do a full regex. We can all write regex. If you can't write, yeah, if you can't write regex, you need to go fix that. There's so many bugs that happen because of regex. Hackers, 90% of the time, should be able to write regex. Oh, geez. Yeah.

Joel (teknogeek) (35:07.982)
All right, crazy side tangent here. I, when I first started hacking, I used to write in Burp full regex statements with like conditional ORs and like every subdomain, every, everything in one entry in my, in my host, in my like target config in Burp. And one time I was at a live hacking event and Shubs saw me doing that. And he was like, what are you doing? And I was like.

Justin Gardner (@rhynorater) (35:20.285)
Holy moly.

Justin Gardner (@rhynorater) (35:26.212)
No!

Joel (teknogeek) (35:34.958)
I was like, I'm adding this to the scope. He was like, dude, just put like what just put like Facebook. I was like

Justin Gardner (@rhynorater) (35:35.467)
Classic.

Justin Gardner (@rhynorater) (35:41.652)
We've always had, we've all had that moment with Shubs. Anyone who's met Shubs has been, and you know, he's kind as can be about it. He's like, hey man, just wanna let you know, that's fucking stupid, you know? Like, you know?

Joel (teknogeek) (35:49.13)
He like called Naffy over, he's like, Naffy, come look at this. I was like, he's like, dude, can you believe this guy's writing full regexes for all his hosts? I was like, wait, doesn't everybody do this?

Justin Gardner (@rhynorater) (35:57.209)
Oh man. No, no, Joel. Only, and it's the same sort of thing, you know?

Joel (teknogeek) (36:01.374)
Yeah, but from that day I realized the easiest way is just keyword and yeah, absolutely

Justin Gardner (@rhynorater) (36:07.573)
Same sort of thing when I first learned that you could rename tabs. By the way, on that note, another thing about Kaido is that I've really been... Okay, here we go. I'm going on a tangent. Let's do it though. It's that kind of day on the pod. Going back to what we were talking about before with notes, I had the opportunity to...

Joel (teknogeek) (36:17.666)
We're going on a tangent here, let's just do it.

Justin Gardner (@rhynorater) (36:31.157)
screen share with some hackers that I really respect recently and that take very deep notes. And these hackers that I'm talking about, they're not using Burp or Caido or ZAP. They're using Postman. And it's because they're coming from a dev background, right? And it works for them. It's part of... Yeah, yeah. And they're using like...

Joel (teknogeek) (36:49.695)
Okay.

Well, Postman keeps your histories, right?

Justin Gardner (@rhynorater) (36:58.173)
They're using, what are they using? It's like Fiddler maybe, I think, to get like as a proxy, and then they'll recreate it in Postman. And I was like, okay, that's ridiculous. Why would you do that? It takes so much time. But here's the thing, man. The guy that I'm talking, I'm thinking of, has like a whole collection of like, essentially built out API docs for his target with sample requests and knows everything about it.

Joel (teknogeek) (37:06.431)
Okay.

Justin Gardner (@rhynorater) (37:27.081)
and he's a master of it, you know? And it's all organized, all the tabs have GET, and then whatever path you're doing, it's very easy to navigate through and get the request you need. And so, big fan of that. I definitely don't think that you need to go as far as to use Postman with it, but I've mentioned to Caido, like, hey, it would be really cool.

Joel (teknogeek) (37:30.508)
Yeah.

Justin Gardner (@rhynorater) (37:48.089)
if we could provide some sort of like, either even like an LLM prompt or like a some sort of configuration to auto name our tabs.

and have them put into a certain collection or something like that, based off of where they are in the application and that sort of thing, and just get a little bit more organized and be able to use the collections a little better. And I'm actually getting to the point now where I am using the collections better in Kaido, where I'm creating certain collections for gadgets, for vulns, for interesting requests I need to come back to, for specific chains that I'll need to do, like, oh, I'm gonna chain this request and this request and this request together in that order, so then I just create a collection, drop them all in there, boom,

So definitely some value in being a little bit more organized with your collections, which I'm really appreciative that Kaido has in place.

Joel (teknogeek) (38:36.854)
Yeah, for sure. So I used to do a very similar thing. I use, I don't use Postman. I like Postman, but I use a tool called Paw. Or, well, what's it called now?

Joel (teknogeek) (38:50.786)
RapidAPI, paw.cloud, but it's Mac only. So maybe that's why, Postman, but it's basically the same thing. It lets you structure sort of like a developer really, like you can group your requests, you can set up different HTTP requests, they all have like parameterized inputs. It's made for like testing APIs really, as a developer. But the really nice use case that I like to use it for is when I have very complex.

Justin Gardner (@rhynorater) (38:52.265)
Ah, okay.

Justin Gardner (@rhynorater) (39:03.544)
Mm-hmm

Justin Gardner (@rhynorater) (39:10.972)
Yeah.

Joel (teknogeek) (39:18.926)
HTTP requests that often require some sort of crypto. Good example of this is OAuth HMAC. I believe Twitter uses this. I think there's a couple other things that use it that I'm blanking on, but sometimes they will use OAuth HMAC in their authentication flow, and it requires that you have to generate a signature for every single request, and that it has to have a token that's based on your current request and has to be included in the request, and it's like...

Justin Gardner (@rhynorater) (39:25.206)
Mmm.

Justin Gardner (@rhynorater) (39:39.953)
Ugh. Dude.

Joel (teknogeek) (39:46.698)
You can't do it in Burp like in any easy way whatsoever. You could maybe script it in Python, but these tools often have extensions that are designed exactly for this. So you say, oh, my auth is OAuth, here's my key, here's my secret, done, that's it. Like you just send your request, it automatically signs it, it automatically puts the token in, it automatically does all that kind of stuff. And in addition to that, because it's designed for APIs, you can often structure it. So for example, you can use variables. I assume you can probably do this in Postman. I'm not.

Justin Gardner (@rhynorater) (39:48.829)
That would be the worst.

Joel (teknogeek) (40:15.662)
100% familiar, but you can in RapidAPI, where you say, you know, within this project I have a variable called, let's say, hostname, right? And then in all of your requests you just reference the variable hostname, and then if you need to change that or you want to, maybe there's a staging environment you want to test instead, you just change it in one place and it changes it everywhere. And so there's some really nice things that you can do with the sort of like structured side of that, the like developer side of those testing tools, that make it really nice to test APIs.

Justin Gardner (@rhynorater) (40:15.75)
Mm-mm.

Justin Gardner (@rhynorater) (40:23.353)
Mm-hmm.

Justin Gardner (@rhynorater) (40:29.353)
Dude, that's so nice for IDs.

Justin Gardner (@rhynorater) (40:45.171)
Yeah.

Joel (teknogeek) (40:45.238)
Honestly, the only hassle with it is that you have to kind of like rewrite it, right? So like, it's not as easy as just sending it to your repeater tab and just like editing the path and sending it. You have to basically like clone it in. There are importers, I think, in most of these tools. So like you can paste it from like curl or you can paste it from a raw HTTP request and it'll like parse it out. But, you know, it's a little bit of hassle, but again, for those cases where it's like, you know, signing or HMAC and that kind of stuff, it's really, really good for those.

Justin Gardner (@rhynorater) (41:07.721)
Dude. Yeah.

Justin Gardner (@rhynorater) (41:14.237)
That would be huge in Burp or Caido, having the ability to set a variable and say like, okay, this is going to be my org ID always, you know, and, and just be able to reference that in all of the requests and then have it replace it. Yeah, it is.

Joel (teknogeek) (41:23.348)
Yeah.

Joel (teknogeek) (41:26.866)
Yeah, like it's almost Hackvertor-esque, right? Where like it's kind of, it's like Hackvertor as a whole application, where like it's really designed around, like you can have gadgets, you can, like in Paw, for example, like you can, you can wrap variables in different functions and gadgets that like modify that. So you can like hex encode, or you can, you know, base64 encode or decode, or like you can do all sorts of different modifications on stuff like on the fly. That makes it really.

Justin Gardner (@rhynorater) (41:45.149)
Mm-hmm.

Joel (teknogeek) (41:51.85)
you know, really useful for those things. Things that you could probably do to some extent with Hackvertor, but without an extension, there's just no way to do it.

Justin Gardner (@rhynorater) (42:00.197)
Yeah, and in Caido you can do it with convert workflows. If you just select the whole request and then send it to a convert workflow, shell out and then do it in Python and then replace it back or whatever, you could definitely make that work. So that's interesting. Once Caido actually implements the whole keep-your-workflows-across-multiple-projects thing, I think I'm gonna do that, because that's the other big pain point right now is that I have to redefine my convert stuff for every single project.

But once they do that, I think I'll start doing a little bit more tooling surrounding that sort of thing. That would definitely be, that would definitely be huge, and I would love to see that also integrated with a built-in sort of request minimizer like they have in Burp. It's a Burp extension, but something that just breaks the request down to the bare bones, you know, okay, I know I need this cookie. What? What? It always works for me, what do you mean it doesn't work for you?

Joel (teknogeek) (42:49.602)
That thing never works for me. I wanted to like it so bad, but it never works for me. Whenever I use it, it always like gives me like, it takes a long time and then it gives me like a weird output that like doesn't, that doesn't work. And so I ended up just doing it myself. Yeah, I don't know. Maybe I'm doing it wrong, but yeah.

Justin Gardner (@rhynorater) (43:04.229)
What? No way. It definitely takes a long time, I'll give you that. And there's no feedback because of how Burp plugins are designed, you know? But it always gives me a good result. And yeah.

Joel (teknogeek) (43:14.411)
Yeah.

Joel (teknogeek) (43:17.758)
Okay, maybe I'm doing it wrong.

Justin Gardner (@rhynorater) (43:21.189)
I guess you need to make sure you're giving it the base request, right? With the expected output as the response. Because the first thing it's going to do is it's going to send the request with the output. And then it's going to remove everything that still, that results in anything different than that output, right? And so, yeah, that's, that's...

That's a cool tool. I would love to see that integrated into Caido as well. Really looking forward to when we get to plugins and I'm able to just sit down and like, you know, code out all these plugins that I need.

Joel (teknogeek) (43:44.606)
plugins soon.

Joel (teknogeek) (43:49.918)
This is our chance, Justin. We could, we could be ahead of the market. All they have to do is monetize plugins and we're, we're billionaires.

Justin Gardner (@rhynorater) (43:57.577)
True, man, true. Yeah, how the heck are we gonna do that? Hackers are gonna be like, just go into the code and be like, okay, like isLicensed, replace function, return true, you know? That'd be terrible. Yeah.

Joel (teknogeek) (44:11.475)
One thing I did want to mention before we get too lost on this tangent: Charlie from JS Weasel is in the Discord, and he's posted a couple really useful like tips, feature updates, things that people didn't really know. I saw he posted something about being able to combine the files that I found, and everybody was like, wait, what, you could do that? I didn't know there was a thing. So

Justin Gardner (@rhynorater) (44:18.698)
Yeah.

Justin Gardner (@rhynorater) (44:22.022)
Hmm

Justin Gardner (@rhynorater) (44:29.127)
Yeah.

That's super cool.

Joel (teknogeek) (44:34.082)
Don't go in there and pester him about problems, he said. I think he even dropped an email that, like I think it's support at jsweasel.io, I wanna say. But if you have problems, just send an email because that's the best way for them to track it. But he's posting really awesome stuff in there. He's letting people know about really cool things. So it's an awesome way to interact with Charlie from JS Weasel if that's something you're interested in.

Justin Gardner (@rhynorater) (44:41.981)
Yeah.

Justin Gardner (@rhynorater) (44:55.737)
Yeah, I know the, I know the Kaido guys as well are in there. And XNL Hacker, yeah.

Joel (teknogeek) (45:00.106)
Yeah, and they also have their own Discord, which is super like, you know, a great place to, they're very responsive in there. If you file support tickets, it's all like, you know, they make it super easy. So yeah, you should check out their Discord too, the Caido Discord.

Justin Gardner (@rhynorater) (45:12.453)
Yeah, 100%, yeah. I've been pleased with, like I mentioned, XNL Hacker is in there, Bebiks is in there. Speaking of Bebiks, dude, awesome tool that will, let's just jump.

Joel (teknogeek) (45:27.466)
Yeah, there were so many cool researches, research things. Yeah, yeah.

Justin Gardner (@rhynorater) (45:30.025)
It's down a little bit in the notes. I don't remember, to be honest, he released it quite a while ago, but I don't think we've talked about it yet, because we had a couple episodes queued to get us through the holidays, but he released this ssrf.cvssadvisor.com thing, and I saw it before, and if I shouted it out, it was in passing. I've used this extensively now, and it rocks. This is a great Collaborator, replacement for Collaborator, yeah.

Joel (teknogeek) (45:40.407)
Yeah.

Joel (teknogeek) (45:53.994)
Yeah, so it's basically Burp Collab, right? Yeah, yeah. Yeah, I was gonna say, more and more, dude, I run into the problem where my Burp Collab is blocked because I just use the default one. And it's such a hassle to set up your own Burp Collab server unless you do it in the cloud where there's no IP restrictions. And even then, you often want a domain. It's a whole thing. And why, why can't...

Justin Gardner (@rhynorater) (46:06.149)
Yeah. Yep.

Justin Gardner (@rhynorater) (46:20.774)
Hmm

Joel (teknogeek) (46:23.23)
Why is this so hard? Like, yeah, it's a real pain.

Justin Gardner (@rhynorater) (46:24.925)
Yeah.

Justin Gardner (@rhynorater) (46:28.557)
100%, and this solves a lot of it, and I kind of talked about this before. Actually, I think I said on a tweet about it, which is like, for any people building Burp plugins right now, like, stop and make it, make it something a little bit more generic, make it, make it something that can be used

you know, in Caido, something that can be used in Burp, something that can be used in Postman or whatever, right? I really like the trend of having this, you know, go in a different direction. That's why I really appreciate what Bebiks did there. And it's got more features and it's a, you can define your response and that sort of thing, which is really cool. One of the things that just came to mind, because of what you just said, is I wonder if you would be open to coding it in such a way that you can define your own domain and then just point it at it,

Joel (teknogeek) (46:52.66)
Yeah.

Joel (teknogeek) (47:16.926)
Yeah. I just don't know how it does the, like, the routing. Maybe it's all vhost or something. Um, but yeah, I was going to, I was going to say this kind of reminds me of like way back when bug bounty first started popping off in like 2017, 2018, there was a big influx of tool development where like, DirBuster, Gobuster, uh, dirb, um, ffuf, like, uh, you know,

Justin Gardner (@rhynorater) (47:18.171)
right?

Justin Gardner (@rhynorater) (47:23.269)
Yeah, but it seems pretty doable, right?

Justin Gardner (@rhynorater) (47:39.773)
Yeah.

Yeah.

Yeah.

Joel (teknogeek) (47:45.802)
All these crazy, crazy tools just popped out of the woodwork, got created out of necessity, and then things kind of died down. A lot of stuff got consolidated into the proxy tools and whatever. But now we're seeing, we're kind of returning back to fundamentals. It's nice to see that the community is sort of surging back and being like, hey, you could probably do this with Burp Collaborator, but if you want to do it not with Burp Collaborator because of need, I go back into all the problems that people have with Burp Collaborator.

Justin Gardner (@rhynorater) (48:12.094)
Sure.

Joel (teknogeek) (48:14.142)
You know, you can do this, and I, it reminds me, like back in the day there were a lot of tools that were like this: PingBin, HTTPBin, there were a couple other ones, yeah, DNSBin. Like they were always like separate tools for like the different protocols and stuff that were all just like online tools. You just like open it up, it would give you a random URL and you could just use it as your payload. Yeah, but a lot of them are like dead now, unfortunately, so it's nice that like we're kind of reviving it, to some extent, I don't know.

Justin Gardner (@rhynorater) (48:19.749)
Mm-hmm. Yeah. DNSBin.

Justin Gardner (@rhynorater) (48:32.793)
It's pretty functional, you know?

Justin Gardner (@rhynorater) (48:37.906)
Yeah.

Joel (teknogeek) (48:41.162)
If this SSRF testing tool is only for HTTP and HTTPS. But, okay.

Justin Gardner (@rhynorater) (48:46.725)
Yeah, it is. And I'm not even sure, I'm not even sure it's for, I haven't used it for HTTP yet, so I'm not even sure that it supports HTTP. But I'm really excited about the fact that, yeah, I need to hit Bebiks up after this pod and tell him, hey man, it would be great if you could just like.

Joel (teknogeek) (48:51.804)
HTTPS. Ah.

Justin Gardner (@rhynorater) (49:04.981)
we could provide our own domain pointing at that IP address and have your own version without any setup necessary, right? That should be totally doable. And then the other thing is like, I would love, the one thing that this doesn't do, that Collaborator does do, couldn't get that out, is that it doesn't do DNS, right? And DNS is huge, and it's a pain in the butt to get it set up sometimes. I've talked before about how easy it is to get it set up with DNSChef, but it's not as simple as HTTP for sure.

Joel (teknogeek) (49:21.344)
DNS.

Joel (teknogeek) (49:29.152)
Yeah.

Justin Gardner (@rhynorater) (49:35.435)
But I would love to see that also sort of integrated into this. I could definitely see the community really starting to get behind this project as a primary replacement for Collaborator if we could define our own domains and then also get DNS callbacks. That would be huge.

Joel (teknogeek) (49:51.838)
Yeah, yeah, yeah. I mean, this is basically like all those tools that I was talking about earlier, like all this HTTP-based PingBin, DNSBin, HTTPBin, whatever-bin, all in one, you know, but while this is really just HTTP right now, hopefully we can, you know, get to that, all those other protocols and everything too. Um, and then maybe provide it in a way that, uh, other people can mess with it too.

Justin Gardner (@rhynorater) (50:00.07)
Mm-hmm.

Justin Gardner (@rhynorater) (50:14.917)
Yeah, 100%. Dude, we are not even halfway done with the pre-episode. So we're not going to get to the full episode today. Do you have time?

Joel (teknogeek) (50:22.754)
Oh boy. Alright.

Have a little bit of time.

Justin Gardner (@rhynorater) (50:28.665)
Okay, all right, all right. I'm gonna keep going down, talking about this cool stuff though. One thing that I wanted to share that we mentioned on the Discord, and I realized wasn't really sort of common knowledge for people is this sort of concept of an iframe sandwich. And it's not really an iframe sandwich, but it's sort of like an open iframe sandwich, okay? And so this is something that you can do, because I've mentioned before on the pod and other mediums that if you have a target, the iframe's in a subdomain, okay?

So let's say, one of the first times I actually fully exploited this, the scenario was: my target domain iframed in a marketing subdomain where you could control your email preferences or whatever, right? Not a huge impact in that scenario, but I did something cool with it with a lot of stuff and got ATO.

Joel (teknogeek) (51:11.583)
Okay.

Joel (teknogeek) (51:17.682)
Okay. No big deal.

Justin Gardner (@rhynorater) (51:19.953)
Yeah, but in that scenario, the iframe domain, which is a different domain from the primary domain, if you can pop an XSS on that iframed domain, you can do some cool shit, okay? So what you can do is from an attacker, and keep in mind this domain is iframed, so normally it has iframe allow configurations. So what you can do from your attacker-controlled page, you can iframe in, do an invisible iframe

have the XSS, pop the XSS, get JS control. Okay? Then from the attacker controlled page, pop open a new tab to the victim.

domain that you would like to attack, and that victim domain has the XSS-vulnerable subdomain iframed in, right? And then what you can do is you can reach from the iframe on the attacker-controlled page, up to the attacker page, over to the victim domain, and then down into the XSS domain on that page by using different frames. And because you control JS on the iframe on your page, you can modify the content of the iframe.

on the victim domain's page, right? That's iframed into the victim domain's page. And you can affect that content. So let's say in that scenario, you can rewrite that content with, like, you know, something that could leak tokens, something that could, you know, you could put even a, you know, sort of a phishing thing in there. And that sort of thing is normally accepted in my experience because you're affecting the integrity of the in-scope application by modifying the contents of a domain that they are iframing

into their website. And so I kind of call this an iframe sandwich. It's not really, you know, when iframes used to be a little bit more permissive, you could do some cooler stuff with that. But just making sure you understand how frames work and what kind of stuff you can access using parent, using opener, using the frames array. Yeah, yeah. Yeah. Right.

Joel (teknogeek) (53:20.566)
So just to make sure I understand this, let's say victim.com. You have one tab open, victim.com. Inside it, they have vulnerable.com. Vulnerable.

Justin Gardner (@rhynorater) (53:28.805)
Yes, yeah, vulnerable.com or you know, vulnerable.victim.com or something like that.

Joel (teknogeek) (53:34.866)
Okay, sure. And vulnerable.victim.com is vulnerable to an XSS. So now you get an XSS, you have an XSS inside an iframe on victim.com.

Justin Gardner (@rhynorater) (53:38.514)
Yes.

Justin Gardner (@rhynorater) (53:45.805)
On the, well, not exactly. Okay, so let me break it down a little bit better. You've got two frames, or two pages, two tabs with iframes in them, okay? One is an attacker page, and one of them is the victim page. Both of them have an iframe to XSS vulnerable domain, right? Using the X, you can't control the path that is iframed into the victim's

Joel (teknogeek) (53:57.952)
Okay.

Joel (teknogeek) (54:09.186)
Okay.

Justin Gardner (@rhynorater) (54:15.333)
domain, so that's always gonna be iframed to wherever the victim says it should go, right? But on the attacker-controlled page, you can control it. So you pop XSS through that, reach back up through the attacker-controlled page, reach over to the tab that's opened up the other iframed page, reach into the iframe and modify the content. Does that make sense?

Joel (teknogeek) (54:19.566)
Okay.

Joel (teknogeek) (54:36.066)
Ah, okay. Yeah, so it's almost backwards instead. Like you're modifying the victim page from the attacker page, like, because it's the same iframe in both of them, because it's, yeah, right, same origin. So you can communicate with iframes of the same origin in a different tab.

Justin Gardner (@rhynorater) (54:41.986)
Exactly.

Justin Gardner (@rhynorater) (54:45.521)
because it's the same origin.

Justin Gardner (@rhynorater) (54:52.845)
Is there a better way to explain this? Because I had the same trouble explaining it.

Joel (teknogeek) (54:55.07)
It was a, well, you explained it from the other way around. It was a little confusing because it was kind of like, you get an XSS within this iframe and then you set up your own page. I think the way you just described it now is better, where basically you have two pages, they both iframe the same URL. You have an XSS in both of them, but you can easily pop it from your attacker page, which then you can use that context to communicate with the context of the iframe in the other page.

Justin Gardner (@rhynorater) (55:17.14)
They both iframe the same domain, but probably a different URL if it's a reflected XSS or whatever, right? Yeah.

Joel (teknogeek) (55:21.798)
Yeah, like, you know, like there's no saying that, like, maybe on victim.com, right, like that you'd be able to actually pop it through the URL or something. Maybe it's an attack... complex attacks in here. It doesn't really matter because all you need is control over that iframe context with the same origin, right? Yeah, cool.

Justin Gardner (@rhynorater) (55:28.925)
Right.

Yeah.

Justin Gardner (@rhynorater) (55:35.245)
Yeah, exactly, exactly. And as long as you control, you're running JS execution, right, on that origin, and you have a path to reach the other frame, right, in this scenario, it would be parent name of the other tab, iframe.

Joel (teknogeek) (55:52.166)
Oh, that's why you open it up from the...

Is that why you open it from victim.com? Why you have to open it from victim.com?

Justin Gardner (@rhynorater) (55:56.85)
Does that?

Justin Gardner (@rhynorater) (56:01.977)
No, no, well, you have a attacker-controlled page with the XSS embedded into it.

Joel (teknogeek) (56:05.906)
Yeah. Oh, would you just open the victim page from your attacker page? Got it.

Justin Gardner (@rhynorater) (56:09.845)
Exactly, that one. Yeah, and then you hop over there and modify it. Man, maybe I should, maybe, let me make a note here. What, I'll write, I'll draw a little, draw a diagram for iframe sandwich. I'll draw a little diagram and put it on the screen for those of you watching on YouTube. Yeah. Yep.

Joel (teknogeek) (56:19.228)
We need a cardboard box diagram from...

Joel (teknogeek) (56:30.07)
Yeah, I think I got it. So basically you open attacker.com, attacker.com opens a new tab with victim.com. They both iframe the same URL. You pop the XSS from your attacker.com in the iframe, which can then communicate with the iframe in the other tab on victim.com, and then you can either control the content, you can do whatever you want within that iframe. Got it.

Justin Gardner (@rhynorater) (56:47.905)
Exactly. Yeah, and you know, depending on the referrer policy and stuff like that, you might be able to leak, you know, OAuth parameters and that sort of thing. So all sorts of cool stuff you can do with that. It's a good way to take an XSS in a subdomain that's, you know, maybe not even in scope or less important and make it affect the primary domain and increase your impact.

Joel (teknogeek) (56:57.934)
Mm-hmm.

Joel (teknogeek) (57:12.526)
Mm-mm. Very cool.

Justin Gardner (@rhynorater) (57:14.053)
So these are the kind of things we're discussing in the CTP podcast Discord. So check it out, ctpb.show slash Discord. Hop on in and join that conversation. All right, so now we're done with the pre-show and now we're in. And now we can go into the news section.

Joel (teknogeek) (57:30.226)
Ha.

Justin Gardner (@rhynorater) (57:35.982)
So let's go ahead and let's pop open these links and we'll start. We already covered Bevec's, his little, his thing on the SSRF tool. So that's good. We got some work done. First thing on the list.

Johan Carlsen sort of retweeted a tweet that you guys really liked from the Critical Thinking account talking about a good open redirect sort of bypass to get open redirect. And he added a really insightful piece of information. Let me read that for you. There are some good and common ways to gain redirects like at and dot, but I've also had a lot of success with...

double slash, so slash slash. A lot of simple filters check if the URL is relative by checking if it starts with a slash.

forgetting that slash slash attacker.com is not a relative domain, but is actually an absolute URL. And then he posts some examples down in the bottom of sort of deviations on this attack that use backslashes, that use whitespace, that sort of thing. And just really good to be aware of these because sometimes if you can bypass, people make fun of open redirect as a vulnerability, but sometimes if you can bypass redirect logic,

it's a real problem. So knowing these tricks is really helpful.

Joel (teknogeek) (58:59.634)
I mean it's like, SSRF 101 is like, yeah, like check if it's in the same domain. Okay, well if you have an open redirect and a lot of times it follows redirects, then game over.

Justin Gardner (@rhynorater) (59:03.847)
Yeah.

Justin Gardner (@rhynorater) (59:12.057)
Yeah, and not even just SSRF, but also it's OAuth 101, is like, you know, if you can affect that redirect URI, yeah, in some scenarios, SAML as well, if you can affect that redirect URI, then you're golden. So definitely, definitely something to keep in mind. Appreciate Johan hopping in there, joining the conversation and adding something really relevant there that I've used a ton of times and just forgot to include in that tweet.

Joel (teknogeek) (59:16.115)
Oh, off, yep.

Maybe even SAML.

Joel (teknogeek) (59:40.61)
Yeah, yeah, totally. Yeah, the double slash thing is a classic. I mean, you see this a lot in browsers legitimately too, like script URLs often use double slash, because I think double slash is used to default to the same protocol that the page uses, right? Right. Yeah.

Justin Gardner (@rhynorater) (59:46.143)
Mm. Yeah.

Justin Gardner (@rhynorater) (59:52.793)
Exactly. Yep. So if it's using HTTP, it'll use HTTP. If it's using HTTPS, it'll use HTTPS. Yeah.

Joel (teknogeek) (59:57.386)
Yeah, yeah, so really good, really good tip there. There was a, there was another tweet. Well, actually, yeah, it was a tweet, but also it was posted somewhere within our hacker circles, but the Google bug bounty program, VRP program, vulnerability rewards program, whatever you want to call it, they released a Burp Suite plugin written in part by one of our buddies or B Sam.

Justin Gardner (@rhynorater) (01:00:01.477)
Yeah, nice one.

Justin Gardner (@rhynorater) (01:00:09.598)
Yep.

Justin Gardner (@rhynorater) (01:00:15.441)
Mm. Yep, that's it.

Justin Gardner (@rhynorater) (01:00:23.365)
Yeah.

Joel (teknogeek) (01:00:24.846)
And yeah, it's specifically for protobuf testing. I think it's meant for Google, but you could probably use it for other things. It's a little bit narrow in terms of how it works if you look into it, because I installed it and I was like, why isn't this working? It looks for application slash proto, I think in the response header, but then it will basically decode it and it will make it easy so that you can manipulate protobuf requests without having to have the protocols. And yeah, it's really awesome.

Justin Gardner (@rhynorater) (01:00:32.565)
Mmm.

Justin Gardner (@rhynorater) (01:00:42.006)
Mm.

Justin Gardner (@rhynorater) (01:00:51.749)
Mm.

Joel (teknogeek) (01:00:54.242)
I think there's been a lot of different tools that do similar stuff to this, but not very well or not completely. This is really nice to see. I have a solo episode about protobuf stuff that I still need to record. I'll probably include this in there as well, but there's a lot of really interesting stuff that you can do with protobuf and that you can use to figure out how protobuf is working.

Justin Gardner (@rhynorater) (01:01:10.234)
Mm-hmm. Yeah, looking forward to that one, man.

Justin Gardner (@rhynorater) (01:01:19.237)
Yeah, I was, I was...

Once again, the moat is disappearing here. I was excited, but also a little sad to see them release this because Lupin and I, mostly Lupin really, coded up an extension to do this exact same thing, probably with less good results because Google actually has a bunch of resources to allocate to it. Three engineers were working on it, including Sam, rather than just what Lupin did late at night, one night. But, you know.

We used this when we were hacking Bard, and we found a bunch of great bugs with it. And so, definitely increases the accessibility of the...

Google VRP because one of the biggest problems with hacking on Google is you got to be a protobuf G to figure all that out. So really great. And furthermore, I think this is a great example of how to be a good program. If you build tools specifically to help hackers hack your program, this takes a lot of work because you have to be aware of how hackers see your program. You have to be aware of the problems they're running into.

Justin Gardner (@rhynorater) (01:02:33.015)
right, which is something that so many companies aren't even actually doing. And then you have to take the initiative to get some engineering done, build out an extension, and then give it to the community. I'm 100% sure that Google will see a ton of ROI on their time for building out this tool because it makes it so much more approachable, and I would love to see companies that have insight into their own architecture do similar things to help promote their program.

Joel (teknogeek) (01:03:01.194)
Yeah, absolutely. It's really cool. Yes. Yeah. So no, I see like, I think another good example of this is like SSRF Sheriff, for example, like stuff like, stuff like that just makes it easier to hack on your program, especially, you know, Google has, like, for a very long time, it felt like Google had created a very complicated stack that was hard to hack on. And they didn't really care about that.

Justin Gardner (@rhynorater) (01:03:02.778)
at Joel Margolis with the...

Justin Gardner (@rhynorater) (01:03:11.929)
Yeah, exactly.

Justin Gardner (@rhynorater) (01:03:27.429)
Mm. Yeah. Which is not bad for their overall security, but you know.

Joel (teknogeek) (01:03:30.138)
and it was just what it is. Right, but it's really security through obscurity and it basically just raised the bar for hacking. It didn't make it more secure, right? And so I think by doing this, this helps bring the bar back down a little bit so that it's easier to start hacking on Google stuff and they can still get the security benefit of having people look at their program and being able to hack on it without doing...

Justin Gardner (@rhynorater) (01:03:35.643)
Yeah.

Justin Gardner (@rhynorater) (01:03:41.702)
Mm-hmm.

Joel (teknogeek) (01:03:58.382)
If you imagine a new person comes and starts to hack on some Google product that uses protobuf, they're going to see this and be like, I have no idea what this is. It's just binary data. I don't know what a protobuf is. They go and look up protobuf. It's some weird format. They don't understand the use case. They don't understand why it is or how it is. And they just give up. They move on. They go to a different program. They find something that doesn't use it.

Justin Gardner (@rhynorater) (01:04:05.39)
literally exactly what I did.

Justin Gardner (@rhynorater) (01:04:16.338)
Mm-hmm.

Joel (teknogeek) (01:04:23.742)
And so you need to do stuff like this. If you're gonna be using it so extensively and have such a large program, if you want people to be able to hack on your program, you gotta do stuff like this.

Justin Gardner (@rhynorater) (01:04:32.389)
Yeah, yeah, no, I totally agree. Creating those means to do that, very, very important. Let's see, okay, so I guess I'll go ahead and pivot from here into some JS hoisting stuff. You good with that?

Joel (teknogeek) (01:04:53.838)
Sure, go for it.

Justin Gardner (@rhynorater) (01:04:54.701)
I feel like I had something else on that last topic that I wanted to say, but it escaped me. So maybe it'll come back later and I'll kind of go from there. So I tweeted out something. It's funny to see my own name in the doc here, under the news section. But I tweeted something out, which I thought was worthy to talk about on the podcast because it's a pretty cool exploitation scenario. And we've been having some chats like this a good bit on Twitter.

Joel (teknogeek) (01:05:03.105)
Okay.

Joel (teknogeek) (01:05:09.599)
Hmm.

Justin Gardner (@rhynorater) (01:05:21.405)
just sort of surrounding various XSS scenarios we run into. And a lot of them have been brought to me by the community, the critical thinking community, just DMing me and being like, hey, I have a bug here, but I can't fully exploit it, you know? And sometimes I'll take a look, sometimes I won't. No promises, no promises, but this time I did decide to take a look. And the scenario was this. We had an injection.

So I'm going down a path of trying to represent things from an audio perspective. It's gonna be tricky. But let's say we had an injection at a place in the JS where it was x.y, where neither x nor y were defined. Okay? And.

Joel (teknogeek) (01:05:53.727)
Okay.

Joel (teknogeek) (01:06:02.734)
Can you control them? Oh, okay.

Justin Gardner (@rhynorater) (01:06:04.469)
No, you can't control them. They're not defined. And then it's a function call, so it's calling the function x.y. The first parameter is a 1. There's a comma. And then you were injecting. OK, and you can inject anything you want, except for script text. You have to stay inside the script, right? How do you get this to resolve? Because as soon as it reads the line, it's going to say x is undefined, or y is undefined.

can't read a property on undefined error and then your code is never going to run. And so I was looking at this, I was like, I know that there's a way to exploit this. I can't figure out what it was. And I tried actually the solution that ended up working, but I was missing one stupid little piece. And the answer to this problem is something called JS hoisting. Have you heard of JS hoisting, Joel?

Joel (teknogeek) (01:06:53.011)
I don't know if I've heard of the term, but if you explain it to me, I might have heard of it.

Justin Gardner (@rhynorater) (01:06:57.005)
Yeah, so the term is JS hoisting, and it's essentially the concept that functions in JS defined using, and some other objects as well, but mostly for this case functions, defined using the function keyword, despite where they are in the flow, will be hoisted to the top of the script execution flow. So if you define a function at the very bottom using the function keyword of a script tag,

and you call that function above where that function is defined, it'll work. Because the function definition is getting moved up to the top of the script. So in this scenario, what we were able to do was define the function x.

Joel (teknogeek) (01:07:34.397)
Mm-hmm.

Justin Gardner (@rhynorater) (01:07:40.553)
And what that would do is it would hoist the definition up to the top. So now the variable x now contains a valid function. So when you try to access the property y on x, you don't get an error, but you get y is undefined. Then it will attempt to call the undefined y.

because of the function call. And when it does that, it will parse the parameters that are being passed into that function. And at that point, when it parses the parameters, you can do a function call in the parameters themselves. And that will get executed before it attempts to call y, which will inevitably fail because you can't call undefined. And in that way, we were able to get arbitrary script execution and pop it into an XSS because of this concept called JS hoisting. So I wanted to shout that out there because we're big fans of

that kind of crazy edge, fringe JavaScript shit here on the pod. Uh, and I know, I wasn't even sure. Yeah, I feel like most people haven't heard of it, so I would be surprised if you had heard of that.

Joel (teknogeek) (01:08:45.214)
Yeah, I was just testing some things around.

Justin Gardner (@rhynorater) (01:08:48.905)
He's got a handheld mic and he's trying to type and speak into the...

Joel (teknogeek) (01:08:53.331)
Yeah, I was testing some things around this to see if there's a better way, and I think there might be without having to break out of the whole thing.

Justin Gardner (@rhynorater) (01:09:05.827)
This is like classic Joel nerd sniped shit right here. Okay, alright Joel, rein it in, rein it in. Bring it back to the pod. He says okay, he's still freaking looking at it.

Joel (teknogeek) (01:09:11.435)
Okay, okay. What I was going to say is, though, I am still freaking looking at it. I was just going to... Okay. Yeah, so the JS hoisting thing, it seems that... So context is important, right? Basically, my thought was maybe you could do this without having to break out of the function. But even if you define X within the parameters, it doesn't work. Because

Justin Gardner (@rhynorater) (01:09:26.287)
Yeah.

Justin Gardner (@rhynorater) (01:09:36.953)
right. It never gets evaluated because it fails right in the beginning.

Joel (teknogeek) (01:09:38.527)
So you can do the...

Joel (teknogeek) (01:09:42.726)
Right, so like you tweeted out a similar, like an XSS challenge like a while ago and had to do with essentially in JavaScript, there's a behavior where you can use commas to provide multiple statements and you can assign variables to the last variable, the last thing that is returned in that comma sequence. And you can abuse that in a similar way here where you can use that for like, you know, one comma and you can just, within your parameters, you can do the same thing.

Justin Gardner (@rhynorater) (01:09:48.571)
Mm-hmm.

Justin Gardner (@rhynorater) (01:09:57.358)
Mm-hmm.

Yeah.

Joel (teknogeek) (01:10:12.614)
But because it's within that context of it's already trying to call it, it seems that it has to be like what you said, like you have to define it because it's gonna try and call it before it evaluates.

Justin Gardner (@rhynorater) (01:10:22.437)
Well, it's going to try to read the... It's going to try to...

Joel (teknogeek) (01:10:25.31)
Yeah, like the object itself. So it's gonna say, does the object exist? Then it gets the parameters, then it passes them into the function call.

Justin Gardner (@rhynorater) (01:10:31.297)
Exactly, and when it tries to say, hey, I need to get the X or the Y property of X, then, and X is undefined, then you can't get a property of undefined, and then that'll error.

Joel (teknogeek) (01:10:36.63)
Yeah, X doesn't exist yet.

Joel (teknogeek) (01:10:42.139)
Right.

Justin Gardner (@rhynorater) (01:10:43.181)
So shout out to BitK and to Johan and a couple of the other people that I think Carl, also Karel Origin also got it and was able to exploit this. So definitely appreciate the help there and I learned a lot about JavaScript that day because then I had to deep dive JS hoisting. So there's a bunch of, you can do it with variables, you can do it with classes, but

Justin Gardner (@rhynorater) (01:11:14.035)
The thing doesn't just get defined, it gets sort of initialized too, it's an actual object.

Joel (teknogeek) (01:11:18.822)
Yeah. Well, and like, I'm pretty sure the reasoning for this was that like, way back in the day, there was a, there was a historical problem with programming languages where if you define something after it was used, it couldn't be called. And I think this was most common with like C and C++ and stuff. But if you had a function that was like

Justin Gardner (@rhynorater) (01:11:30.897)
Mm-hmm.

Mm-hmm.

Joel (teknogeek) (01:11:36.542)
if your main function essentially wasn't at the end of your program, then you couldn't call anything else because it didn't know it existed. I think this is maybe why header files exist. I don't know. I'm not an expert on this. But essentially, that's part of what JS is trying to solve here, is that if you call something before it's defined, it should still be able to call it, even if, because it's defined, it's just that it does some restructuring and I don't know. But yeah, it's super interesting reworking that existing behavior to work in your favor.

Justin Gardner (@rhynorater) (01:11:39.215)
Mm-hmm.

Justin Gardner (@rhynorater) (01:11:43.41)
Sure.

Justin Gardner (@rhynorater) (01:11:58.425)
Yeah. Well, the other interesting thing.

Yeah, the other interesting thing with this is that it doesn't work for variables defined as a function. So for example, if you did var x equals function, bladdy blah, and defined it that way, like you were defining a variable pointing to a function, rather than using the function keyword, then it won't work.

But if you use the function keyword as the primary expression in that line of code, then it will hoist it. So lots of cool things there. I was just talking to my brother-in-law the other day, who's a programmer, and we were talking, he was saying he freaking hates JavaScript. And I was like, man, I love JavaScript. Because JavaScript, there's so many ways to get everything done, and there's so many quirks to the language, it's like a hacker's dream, it really is. So, yeah.

Joel (teknogeek) (01:12:51.614)
It really is. Yeah, it's super interesting that if you define it as a variable, it works but doesn't work.

Justin Gardner (@rhynorater) (01:13:00.265)
What do you mean?

Joel (teknogeek) (01:13:01.642)
So when you do, like if you do var x equals function afterwards, after the call, it'll say, cannot read properties of, oh no, it doesn't work, sorry, I misread it, I misread it, my bad, sorry.

Justin Gardner (@rhynorater) (01:13:07.078)
Yeah.

Justin Gardner (@rhynorater) (01:13:12.077)
Yeah, well sometimes it'll, so there is something you can do with var, because var will hoist the definition to the top, or the initialization, nope not that, the definition to the top, but not the initialization. There we go.

Or maybe it's the declaration. That's what I'm looking for. It'll, it'll hoist the declaration, but it will not hoist the initialization. And so that's a little bit of a, of a quirky thing there. All right, Joel, so before we get further nerd sniped on this, let's move to the next thing, because actually, as far as nerd sniping goes, I was just kind of researching this morning on a whim and I am just, I just love CSP bypass shit, dude. I don't know why, it just feels great and

Joel (teknogeek) (01:13:30.43)
Yeah.

Joel (teknogeek) (01:13:34.536)
Mm-hmm.

Joel (teknogeek) (01:13:38.742)
Yeah, so weird.

Hehehe

Justin Gardner (@rhynorater) (01:13:57.823)
So cool. Once again, our boy, Johan, is just dropping all sorts of amazing shit. This one was actually in the Cool Research channel on the Discord, which is a gold mine of Cool Research. I'm so glad we built that channel. I've been reading everything that comes through there, and I've seen so many things that I've missed somehow. So really appreciate everyone contributing to that. One of the things that was dropped in there was this crazy, yeah, it's the first one,

Joel (teknogeek) (01:14:14.771)
Yeah, for real.

Justin Gardner (@rhynorater) (01:14:27.303)
octagon.net, this crazy write-up on how to do some CSP bypassing using JSONP. Of course, everyone says, okay, using JSONP, that's the classic way to get past CSP. Uh-uh. This is different. Okay? This is real different. What's happening here is, in this specific example, it's using a WordPress endpoint that has JSONP compatibility, right? So you can bypass CSP on a WordPress site.

This one is so cool. What?

But the JSONP endpoint that's there, it doesn't allow you to use commas, it doesn't allow you to use things, so it's a secure JSONP endpoint. It doesn't allow you to write your own code, essentially, in the callback, right? It just allows you to use dots and letters, which is what you see with a lot of fixed JSONP endpoints. They don't want you to be able to write alert, you know, open bracket, close bracket, and then just be able to run arbitrary code there. But this guy figured out a way to actually use this still to bypass CSP, okay? So essentially, what he figured out how to do,

Joel (teknogeek) (01:15:09.559)
Mm-hmm.

Joel (teknogeek) (01:15:27.552)
interesting.

Justin Gardner (@rhynorater) (01:15:30.411)
was, so in a JSONP endpoint, obviously it's gonna call the function with its own contents at the end of the day. Here, Joel, let me actually send you, I can send you the actual endpoint really quickly here so you have an example of what I'm looking at. Hold on just a sec.

Justin Gardner (@rhynorater) (01:15:55.137)
I want you to be able to see this, because it's just so... Okay, so here's an example of the actual... I'm gonna send it to you on... I'm gonna put it in the Riverside chat, because it's... I've got Discord closed, so it doesn't blow up. Yeah. Do you see that? Okay, so go to that URL. So you see how it says attacker input, and then it's got the function call, and then the data inside of it, right? This is classic JSONP...

Joel (teknogeek) (01:16:05.174)
Okay.

I was gonna say I also did. I drew a roof in the thing. I do see that. Yep.

Joel (teknogeek) (01:16:18.55)
Yep.

Justin Gardner (@rhynorater) (01:16:23.701)
callback, okay? What he does here is instead he, so we can only inject characters and dots. He builds out this flow, okay? Let me see if I can find it. It says, so you can open, you can do window.opener.whatever and then select a button on the parent tab, right,

Joel (teknogeek) (01:16:23.79)
comic.

Justin Gardner (@rhynorater) (01:16:53.293)
and then call the click function with that, and it doesn't matter the context, right? And then what you're gonna have to do, you're gonna have to open this page up via a window.open from your attacker-controlled page, right? Now it's open, two separate frames. Redirect the attacker-controlled page to the target domain, where you have a button that you wanna get clicked, right? Like delete account, okay? So now the two pages, the two tabs that are open, are same origin, right?

Joel (teknogeek) (01:17:19.52)
Okay.

Justin Gardner (@rhynorater) (01:17:20.269)
And then what you do is you trigger the XSS, and it will go back to window.opener when it calls the XSS. This is the same origin now, so it can reach back up through window.opener and call the.click function on a specific button that you want, like delete account.

So you can actually weaponize this to reach back up to the different tab and trigger it with just the use of window.opener.body.firstElementsSibling. Define that whole flow out to select the button you want.

Joel (teknogeek) (01:17:39.625)
Okay.

Joel (teknogeek) (01:17:51.05)
Mm-hmm. So this is that same kind of, where from the attacker page you open the victim page and then you're going cross-tab, using the same origin to abuse behavior within the page.

Justin Gardner (@rhynorater) (01:18:01.297)
Similar concept to what we were talking about earlier, but a little bit different because after you open the tab with the attacker, you know, from the attacker controlled page, you remove the attacker controlled context from, you know, piece out of there. You redirect that opener to, or you redirect yourself to the victim page. Yeah, and then window.opener still points back to that frame, which is so cool, right?

Joel (teknogeek) (01:18:20.146)
Right, and just by the way it behaves, it... You know, yeah.

Joel (teknogeek) (01:18:27.97)
It makes sense, because it's the same, it's like the same tab instance or whatever. Yeah.

Justin Gardner (@rhynorater) (01:18:31.557)
Yeah, they're in the same sort of tab group and window.opener is pointing back to that frame, but now that frame is same origin. And so you're not gonna get an error if you try to execute window.opener.contentdocument.body.child.child.child.click. And then it'll just call that function with the CSP bypass, click on the button and cause essentially a CSRF to happen. Is that not absolutely breathtaking?

Joel (teknogeek) (01:18:38.221)
Hmm.

Joel (teknogeek) (01:18:43.543)
That's so interesting.

Joel (teknogeek) (01:18:54.695)
Yeah. Oh, that's so interesting.

Joel (teknogeek) (01:19:01.002)
It's a really interesting exploit. I love that kind of creativity where, we've talked about this before, but browsers are adding a lot of security features that make it very difficult to exploit. Even like if something is vulnerable, it's difficult to exploit it. Like you can see the vulnerability, but it's just difficult, like just due to security mechanisms in place. And these.

Justin Gardner (@rhynorater) (01:19:12.389)
Hmm

Justin Gardner (@rhynorater) (01:19:16.987)
Mm.

Joel (teknogeek) (01:19:24.626)
new types of attacks that are coming out now, a lot of them are utilizing, even within that secure environment, they're utilizing just like baseline behavior in order to abuse it, in order to make it do stuff that you want, like click buttons. Like it's almost like a whole new CSRF in a sense.

Justin Gardner (@rhynorater) (01:19:40.921)
Yeah, I mean, the same thing that's happening that I rant about all the time with client-side path traversals. These new categories. Yeah, these new sort of.

Joel (teknogeek) (01:19:46.646)
Yeah, stuff moves over to these single page applications.

Justin Gardner (@rhynorater) (01:19:53.205)
frontier of vulnerabilities are coming forth and it's really exciting. It's very hard for me, to be honest. I'm surprised you got it, Joel. It's very hard for me to do this vulnerability justice over the audio medium, because you really need to be able to kind of see what is happening. So I'm definitely gonna link this one. If you're gonna read anything that we did today, well, if you're gonna do anything that we have talked about today, join the CTP podcast

Justin Gardner (@rhynorater) (01:20:23.059)
The second thing should be the octagon.net write-up on bypassing CSP using WordPress by using same-origin method execution. It's the title of the research. Super rad about how they do this sort of frame origin manipulation, and then are able to weaponize just the calling of a function to actually trigger

that functionality within the confines of CSP. Super inspiring. Yeah, really love that. And those JSONP gadgets are actually everywhere. A JSONP gadget that allows you to actually run arbitrary code, those are still there, but they're disappearing. These are everywhere. And so really cool to see someone actually be able to exploit that.

Joel (teknogeek) (01:20:54.466)
Super cool.

Joel (teknogeek) (01:21:02.86)
Yeah.

Joel (teknogeek) (01:21:16.362)
Yeah, totally. I mean, the CSP bypass tool is always like, you know, JSONP, and there was just this discussion about this too, where people were like, I don't really see JSONP used very much. And you were like, actually, I see it all the time. I just used it recently. Yeah.

Justin Gardner (@rhynorater) (01:21:23.501)
Yeah.

Justin Gardner (@rhynorater) (01:21:29.217)
It's everywhere. So much legacy stuff in there. And especially if people will start their own domain in, if they have a blog, every company has a blog on their main domain that uses WordPress. There's WordPress endpoints that use JSONP, just like this, and you can't run arbitrary code, but using this you can actually get

a CSRF with your, you know, sort of half XSS. And this will also help prove that there's impact to XSSs that are blocked by CSP in a lot of cases as well. It just takes time and dedication to actually break through it. So on that note, another one of my favorite pieces of research, released in 2018 by Wallarm.

WALLARM, W-A-L-L-A-R-M. When I first saw this, I was like, wow, this is so genius, and I figured it'd be fitting here because we're already talking about CSP. This is a scenario where you have XSS and you're able to execute your alert because unsafe-inline is allowed on the CSP policy. But you can't run arbitrary code.

Joel (teknogeek) (01:22:16.278)
Wallarm? Yep.

Justin Gardner (@rhynorater) (01:22:40.457)
either because of a length limitation or because the CSP prevents you from reaching out to another domain in any way. And you can't really exfil anything besides maybe like a page redirection or something like that, which might mess up your flow of the attack. This is a really cool bypass that uses sort of proxying of sorts to bypass the CSP. And so the scenario is you've got a content security policy with unsafe-inline allowed,

data. And what you do is you write a script which will iframe in another page on that same domain. So once again, we're same origin. We're abusing origin related stuff here. You can reach into that iframe, control the content. And you look for a page like a CSS file or a JS file or a PNG file, any sort of file that does not have the content security policy header. And every time I've looked for that, I've found it.

use these reverse proxies nowadays where they're reaching into an S3 bucket to store their assets and that sort of thing. Everyone's doing this, and the CSP header is really not globally defined across the whole scope. And when it's not, you can use that non-CSP-header-having page as a proxy for communication out. So you iframe in that page, and then you can control the script execution on that iframed-in page, and that page does not have the CSP limitation.

And so then you can use that to arbitrarily grab content that you want to load from, you know, your website, pull it down and then execute it on the parent context as well, because once again, same origin, so we can, you know, load a script on that page.

Joel (teknogeek) (01:24:23.79)
Hmm. So in this scenario, you're basically using, let's say, reflected XSS inline on the victim domain to iframe a same-origin page on the victim that is missing CSP for something. And then you use your XSS to change the contents of that frame to load. Right. And because it has no CSP in the frame.

Justin Gardner (@rhynorater) (01:24:29.085)
Yeah.

Justin Gardner (@rhynorater) (01:24:38.981)
Yeah. Yep.

Justin Gardner (@rhynorater) (01:24:46.281)
to include a script from a different location, right? And then that.

Joel (teknogeek) (01:24:52.426)
then you can include an attacker script which has free access to do whatever it wants, and you can talk to the parent frame because of the same origin.

Justin Gardner (@rhynorater) (01:24:55.765)
Exactly. Yeah, and that can exfil data, it can load arbitrary scripts, that sort of thing. A lot of times when you're trying to show impact for an XSS, they say, hey, please prove arbitrary execution of JS, right? Not just alert. Show me that you can run any script, right? You'll see this.

Joel (teknogeek) (01:25:16.009)
Mm-hmm. How do you usually show that?

Justin Gardner (@rhynorater) (01:25:18.733)
So for me, you know, a lot of times if you can pull from a domain, that's great, but a lot of times when they're asking for this, it's in a length-limited context, right, where you would have a hard time fetching data and exfilling it, right? But in a scenario like this, if you have a length-limited...

Joel (teknogeek) (01:25:35.202)
You can sort of break out because you can include your, yeah.

Justin Gardner (@rhynorater) (01:25:37.741)
Exactly. And then as soon as you include that script inside the child tag, or the child iframe, then you're loading from a domain. And then you've got all the JS execution you need to do a multi-step attack and really exfil some important data. And you can also do it blindly, right? The victim doesn't need to know that that's happening. And so, really cool way to bypass the CSP from Wallarm. We'll link that technique down

Joel (teknogeek) (01:25:51.804)
Mm.

Justin Gardner (@rhynorater) (01:26:08.137)
in the show notes. Very helpful if you're.

Joel (teknogeek) (01:26:10.198)
Do you find that a lot of this iframe stuff is harder to do with the X-Frame-Options stuff nowadays?

Justin Gardner (@rhynorater) (01:26:15.889)
It most certainly is, yeah, but the cool thing about this though is that if it's missing the CSP header, it's probably also missing the X-Frame-Options header, because those are normally grouped in the same sort of reverse proxy header-appending rule. So I still see this from time to time, and actually a technique like this, not exactly like this, but similar to this, helped me score a 70K XSS one time. And it was...

Joel (teknogeek) (01:26:22.148)
Mm. Mm-hmm. Okay.

Justin Gardner (@rhynorater) (01:26:44.817)
a heck of a bug. It was. It's crazy to me that my highest bounty is an XSS, but it was affecting, I mean, it was a company where the client side is everything, you know, and where they really have to keep their client side tight. And if they make a problem, it affects a ton of people. So.

Joel (teknogeek) (01:26:47.65)
Quite next to this.

Joel (teknogeek) (01:26:52.726)
That's so wild.

Justin Gardner (@rhynorater) (01:27:08.177)
really, really excited to make sure people know about this technique as well, because it's near and dear to my heart.

Joel (teknogeek) (01:27:09.175)
Super cool.

Joel (teknogeek) (01:27:15.646)
Yeah, that's awesome. All right, we are, what are we, we're like an hour and a half in? An hour and a half in, we just made it through the news. So we should probably call it a day.

Justin Gardner (@rhynorater) (01:27:20.101)
Yeah, we're pushing it, man. Tell you what, yeah, we should call it here. I'm just gonna say this for those of you, and we'll cover a little bit more in the future as well on this, but OpenID and OAuth stuff, extremely interesting. Impact is everywhere. There's a lot of standardized endpoints from the OpenID standard that will allow you

to do a lot better recon on your targets and try to get access to areas of the applications that you may not have access to because of permissioning problems by knowing OpenID really well. So hopefully we'll deliver you some content in the future diving into that a little bit deeper but for now just know that is coming because we'll do some reading on it beforehand because some app.

Joel (teknogeek) (01:28:10.718)
I see what your cursor's on. I see what your cursor's on, and you just left them with quite a teaser.

Justin Gardner (@rhynorater) (01:28:16.417)
I did, man, I did. There's some great stuff there. And, you know, I will say, I'll be the first to say that doing a podcast on an extremely technical field is extremely challenging. And I think I'm probably subpar at

taking extremely technical content and condensing it into just words and conveying that picture to the listener in a way that is easily comprehensible. That's something that I'm working on. But, um, if you guys actually do the homework after the episodes, and maybe even before the episodes, when I give you a heads up like this, the stuff that I'm talking about will start making a lot more sense, um, and you'll get a lot more value out of the podcast.

Joel (teknogeek) (01:28:54.45)
Yeah, like if something's really not clear, what I'd recommend is go to the show notes, open the link that we're talking about, and either side by side or in your headphones, listen to us talk about it as you're reading through the article, and it'll probably make significantly more sense, because that's a lot of what we do, as well as we have them both open as we talk about it. So, sometimes we're talking about concepts that might not be clear, like verbally, we're not great at explaining it, but then if you just read through it, it'll make sense.

Justin Gardner (@rhynorater) (01:29:05.451)
Mm.

Justin Gardner (@rhynorater) (01:29:14.829)
Yeah, and I think Joel as well.

Yeah.

Justin Gardner (@rhynorater) (01:29:23.801)
Yeah, 100%. And I think, Joel, as well, you do a good job of sort of teasing it out and making me re-explain it and re-simplifying the words once I've kind of.

Joel (teknogeek) (01:29:32.982)
Also, part of it is because, like, you know, the way you approach things often is like from the hacker's perspective. And this is a common mistake as well, like report writing. This happens all the time, where hackers explain stuff from a hacker's perspective instead of from a fresh perspective, and you have a lot of side data in there that makes sense to you but doesn't make sense to anybody else. So you have to, like, it's difficult. It's a skill for sure.

Justin Gardner (@rhynorater) (01:29:38.085)
Mm.

Yeah.

Yep.

Justin Gardner (@rhynorater) (01:29:48.784)
Yeah.

Justin Gardner (@rhynorater) (01:29:54.877)
Yeah. Well, I'm glad I brought a program manager on as well to help me get this, you know, sort of context included. I'm, solid life choices getting you on this pod, Joel. I love it, man. All right, cool. Well, that's a wrap, yeah? All right, that's the pod.

Joel (teknogeek) (01:29:59.79)
hahahaha

Joel (teknogeek) (01:30:05.975)
Yeah, yeah, yeah. Awesome, awesome. All right. Yeah, that's the wrap.

Peace.