Interested in going full-time bug bounty? Check out our blueprint!
Jan. 18, 2024

Episode 54: White Box Formulas - Vulnerable Coding Patterns

The player is loading ...
Critical Thinking - Bug Bounty Podcast

Episode 54: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with news items and new projects. Joel shares about his personal scraping project to gather data on bug bounty programs and distribution Next, they announce the launch of HackerNotes, a podcast companion that will summarize the main technical points of each episode. They also discuss a recent GitLab CVE and an invisible prompt injection, before diving into a discussion (or debate) about vulnerable code patterns.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Gitlab CVE

https://github.com/Vozec/CVE-2023-7028

https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/

Fix commit: https://gitlab.com/gitlab-org/gitlab/-/commit/abe79e4ec437988cf16534a9dbba81b98a2e7f18

Invisible Prompt Injection

https://x.com/goodside/status/1745511940351287394?s=20

Regex 101

https://regex101.com

Regex to Strings

https://www.wimpyprogrammer.com/regex-to-strings/

Timestamps

(00:00:00) Introduction

(00:01:54) Joel’s H1 Data Scraping Research

(00:19:23) HackerNotes launch

(00:21:29) Gitlab CVE

(00:27:45) Invisible Prompt Injection

(00:33:52) Vulnerable Code Patterns

(00:37:51) Sanitization, but then modification of data afterward

(00:45:39) Auth check inside body of if statement

(00:48:15) sCheck for bad patterns with if, but then don't do any control flow

(00:50:21) Bad Regex

(01:00:36) Replace statements for sanitization

(01:04:32) Anything that allows you to call functions or control code flow in uncommon ways

Transcript

Justin Gardner (@rhynorater) (00:00.687)
Boom, boom, we're rolling. Pretty good, dude. Lots of, lots of busy-ness lately. Prepping for this live hacking event coming up. Trying to knock some critical thinking stuff out of the way. Get some, you know, long-term projects finished up so I can get in the zone and do the hackity-hackity.

Joel Margolis (teknogeek) (00:02.826)
Yo yo yo, how's it going?

Joel Margolis (teknogeek) (00:18.634)
Yeah, same dude, same. I've been trying to block out some time and get prepared. And it's, everything's been coming at me sideways lately. So hopefully, hopefully it's all coming down now.

Justin Gardner (@rhynorater) (00:27.691)
Yeah Hopefully so hopefully so um Tell me a little bit about The scraping project you were doing dude. Sorry. I just like Didn't get my breath straight there for a second Tell me a little bit about this the scraping project you were doing dude because you post about it on Twitter looked pretty cool I want more data man. It seems like a really good a good place to do some bug bounty analytics

Joel Margolis (teknogeek) (00:52.894)
Yeah, yeah. So I was talking with Nagley. I'm trying to pull up the data on my other computer here really quick. I was talking with Nagley about, you know, it's just sort of different program statistics that we could look at. And one of the things that he mentioned was that we should take a look at 90 day total bounty speed. And I think one of the areas where HackerOne doesn't do a great job of data, like visibility is sort of like program data visibility for hackers.

Justin Gardner (@rhynorater) (00:59.353)
Yeah.

Justin Gardner (@rhynorater) (01:07.127)
Mm-hmm.

Justin Gardner (@rhynorater) (01:22.743)
Yeah.

Joel Margolis (teknogeek) (01:23.33)
Um, so like there's no real way to sort of search or view this sort of data across all programs as a hacker. Um, I don't really think they have a good way, a good incentive to reveal that data, to be honest. Um, so that's probably why. Um, but, uh, so I wrote a quick little script that basically just like pulls all of my private programs and my public programs that I'm on, and it pulls down all the ones that have exposed their total 90 day bounties, some of them haven't. Um, and then basically just.

Justin Gardner (@rhynorater) (01:34.85)
Mm-hmm.

Joel Margolis (teknogeek) (01:52.854)
shows me them. It was really, really interesting actually, the data that popped up, because it wasn't quite what I was expecting. I don't really know what I was expecting, to be honest. But when I started to look at it, I mean, there's some really big discrepancies right off the bat. I can't really name too many of these, because I also don't know which ones off the top of my head are public or private. But what I will say is kind of similar to what I found on the tweet, which is that, you know, I'm on a

Justin Gardner (@rhynorater) (02:14.711)
Right, right.

Joel Margolis (teknogeek) (02:22.07)
about 600 total public and private programs. It's not all of them, it's a pretty decent cohort, but based on what Yobert was saying in the replies, it's probably about half of them, or maybe even less than half. And so from the data that I have, about give or take, 560 of them show their total bounties.

Justin Gardner (@rhynorater) (02:26.404)
Okay.

Justin Gardner (@rhynorater) (02:36.375)
Wow.

Joel Margolis (teknogeek) (02:51.102)
Uh, so, you know, 40 or 50 of them don't reveal it. Some of them, I think one of the ones off the top of my head that doesn't do it, that's public, let me just double check. Is.

Justin Gardner (@rhynorater) (02:55.304)
Mm-mm.

Joel Margolis (teknogeek) (03:07.102)
Not that. Okay, I'm glad I didn't say it. It's not public. It's not public. Okay.

Justin Gardner (@rhynorater) (03:09.711)
It's not public. That's funny. So there are a couple of them that don't reveal their 90-day bounty statistics, which I feel like that's kind of like, I don't know, that's kind of a sketchy move to be honest. Like if you're not revealing your 90-day statistics then I'm kind of a little bit like, eh, like, why? Why are you doing that? Why are you hiding that?

Joel Margolis (teknogeek) (03:17.663)
Yeah.

Joel Margolis (teknogeek) (03:28.89)
Yeah, it is a little bit weird. I'm not really sure what the motivation would be to hide that stat. Like.

Justin Gardner (@rhynorater) (03:35.323)
Mmm.

Joel Margolis (teknogeek) (03:38.574)
I don't know. I think one important thing to say is that like, I don't want to put too much weight on this stat. Because we've talked about this before, like, I don't think programs really should be paying a lot of money. Like, I think that's kind of a bad signal, if anything. So paying a lot of money is like kind of a pro and a con. But I think from the hacker perspective, this is one of the things we care about, because we want to see where programs are active and, you know, who's paying a lot right now. And

Justin Gardner (@rhynorater) (03:47.059)
Yeah, yeah.

Joel Margolis (teknogeek) (04:04.694)
You know, maybe why are they paying a lot? Is there something that somebody's exploiting, all that kind of stuff? I think there's a lot of interesting, um, sort of data points that you can pull out of it.

Justin Gardner (@rhynorater) (04:13.195)
Yeah, what do you think about doing with that data? Are you gonna, you know, I know there was some talk of putting it into a bot or something like that, but I don't know, would you do like a daily report or something like that of like, oh, there's been a bounty spike over on this program or, you know, something like that? Or what kind of ideas did you have for that?

Joel Margolis (teknogeek) (04:31.762)
Yeah, that might be what I'd do. Like maybe the right way to do this is to monitor for programs that have large spikes relative to their current or large payouts that are relative percentages to their overall bounties and notify like, hey, this program just paid out like proportionally a large bounty.

Justin Gardner (@rhynorater) (04:48.835)
Mm-hmm. That could be interesting.

Joel Margolis (teknogeek) (04:56.102)
Compared to what they have been paying or something like that and then maybe that's an interesting place to take a look Maybe they rolled out some features somebody found something and you could jump on that bandwagon

Justin Gardner (@rhynorater) (05:04.139)
Yeah, I wish it was more like the Hacker One live hacking event leaderboard, dude, where it's like as soon as the bounty hits, the total goes up and stuff like that, because then you could do some stuff like, okay, they just paid out, we know right now that they just paid out a 50k bounty or something like that. Let's go check out this program because they're paying a lot of money. So yeah, that could definitely be interesting. I'm definitely looking forward to see what you do with it. I hope you put it in the CTV Discord, man.

Joel Margolis (teknogeek) (05:25.29)
Right. Yeah.

Justin Gardner (@rhynorater) (05:34.013)
I think, I mean, you know I've got some bots in there that I haven't fully released yet that I'm thinking about releasing. We'll see, we'll see if they keep on churning out bugs. I don't know, I need some incentivization. But I've got some bots that I would like to integrate, you know, into the community. And I think the statistic piece, the data scraping and analytics of HackerOne programs could be really cool. Obviously you're gonna have to find, you know, the ones that are just public and just do those. Or you can hash the name or something.

like that, insulted in some way or I don't know. It could be a little tricky but.

Joel Margolis (teknogeek) (06:06.004)
Yeah.

Joel Margolis (teknogeek) (06:09.534)
Yeah, yeah, for sure. So the other thing I wanted to mention was, when we were looking at overall numbers and stuff, like who's paying what and how much and all that kind of stuff, one of the really interesting thing is, when we were looking at the total bounties paid by programs under a certain threshold, first we were looking at who's paid less than 10K or who's paid more than 10K. And when you look at who's paid less than 10K, it's 60 to 70.

Justin Gardner (@rhynorater) (06:12.792)
Mm.

Justin Gardner (@rhynorater) (06:17.022)
Mm.

Joel Margolis (teknogeek) (06:39.542)
5% of programs, which you'd think like, wow, okay, that's not a lot. And even if you add up the totals, it isn't a lot. All the programs that I'm on, again, this is a smaller subset of all the programs, but of the programs that I'm on, the ones who are paying less than 10K total about 12% of the total bounties over the last 90 days, again, out of my data that I have.

Justin Gardner (@rhynorater) (06:42.191)
That's nuts, man.

Joel Margolis (teknogeek) (07:08.158)
and then the top 10 programs are accounting for like 50% of those boundaries. So the top 10 are doing 50% of the bounties and everybody under 10k is doing 10% of the bounties and everybody under 10k is 75% of the total programs. So the top 25 are doing 90% of the bounties, sorry, the top 25% are doing 90% of the bounties and the top 10 programs individually are doing 50%.

Justin Gardner (@rhynorater) (07:13.72)
Wow.

Justin Gardner (@rhynorater) (07:26.084)
Wow.

Justin Gardner (@rhynorater) (07:37.727)
Dude, sounds like a chart of the wealth distribution in America or something like that. You know, like, it's pretty gnarly. But I mean, I guess we see those sort of systems in pretty much every environment where, you know, it's pretty much classic 80-20 rule here of like, you know, the top 20% or in this case, maybe the top, not even 5%, probably 2%, have 50% of the bounties paid. It's pretty crazy.

Joel Margolis (teknogeek) (07:42.647)
Hehehehe

Joel Margolis (teknogeek) (07:58.346)
Yeah, absolutely.

Joel Margolis (teknogeek) (08:05.354)
Yeah, absolutely. And so, Yobert followed up on my tweet and said that it was pretty interesting data and that the data that I had scraped was actually about half of the full data. So, I said I was curious how close my percentages were to real world, you know, if you scale it up sort of to the other.

Justin Gardner (@rhynorater) (08:17.546)
Mm.

Justin Gardner (@rhynorater) (08:23.832)
Yeah.

Joel Margolis (teknogeek) (08:27.594)
half that I'm missing. He said directionally it seemed correct. So I thought that was quite interesting. But he also mentioned this chart. I'm not good with chart names as I know, like the basic ones, but he mentioned it was a power law distribution. And I had looked at this up and it definitely seems like a pretty close representation where essentially it's very, very high, sort of 80-20 basically, like what you mentioned, I think it's the same thing.

Justin Gardner (@rhynorater) (08:34.039)
Hmm.

Justin Gardner (@rhynorater) (08:38.281)
Mm.

Hmm.

Justin Gardner (@rhynorater) (08:51.042)
Ah yeah, yeah.

Joel Margolis (teknogeek) (08:55.806)
the 80-20 rule power log graph type, you know. Exactly. Yeah, in the very beginning it's very high and then it steeply drops off. Yeah.

Justin Gardner (@rhynorater) (08:59.615)
Yeah. So the ones where it does that like steep, steep drop. Interesting. Yeah. Wow. That that's definitely, that definitely represents the situation. So what kind of, what kind of takeaways do you think, you know, hunters can, can have from this? I mean, is the takeaway to focus on a big program if you really want to get a lot of money out of it? I don't know.

Joel Margolis (teknogeek) (09:23.142)
Yeah, so I think there's a couple of really interesting things. One thing to remember is that, you know, like I said, 75% of programs right now are accounting for about 10% of the bounties, which means that there's probably actually a lot more juice to be pulled from that area. Yeah, those top 10 programs. Right, like the top 10 programs are paying 50% of bounties, sure. But like.

Justin Gardner (@rhynorater) (09:44.148)
Mm, mm, okay, so the opposite intuition there, okay.

Joel Margolis (teknogeek) (09:52.306)
You could hack on those and you could get it. It really just shows that they have money. But I think what I'm more interested in is the fact that all of those programs that are paying 10K or less, one, they are paying 10K or less, right? So that's still pretty significant bounties. Maybe it's only a couple of reports, but they have that kind of budget and they're paying it out. And secondly, there's a lot more programs in that cohort. So we're talking about hundreds of programs

Justin Gardner (@rhynorater) (09:56.362)
Mm-hmm.

Justin Gardner (@rhynorater) (10:14.139)
Mm-mm.

Joel Margolis (teknogeek) (10:20.878)
who are paying 10K or less and 10 programs who are paying hundreds of thousands in the top 10.

Justin Gardner (@rhynorater) (10:29.184)
Yeah.

Yeah.

Yeah. So I guess there is, there's a decent, a decent takeaway there as well as like, you can focus on these smaller programs. They're not even paying out that much right now. There's not a lot of competition on these guys. And so, you know, lower chance of dupes for sure, but it's a little bit, you know, there isn't as much of a track record of bounties being paid there. And so for me, that's a little bit more of the indicator. Like I'm less scared of dupes because my methodology is not as dupe-centric, you know, dupe, dupable bug centric. Um, and, you know, that's,

Obviously I'm looking for bugs that can be duped, you know, anyone can dupe my eye doors or anything like that. But like, um, I guess for me, I kind of look for a program that has a set track record of paying money because I know that they are more likely to.

pay versus programs that don't have a track record, but maybe the competition isn't as severe. But I think that's also a function of being sort of towards the top of the game. And if you're a newer hacker, it might be better for you to focus on those smaller programs. Make that program your niche. Make that program your thing. And then develop a sense of presence of like, okay, I can make three or $4,000 a month off this program.

Joel Margolis (teknogeek) (11:21.503)
Yeah.

Justin Gardner (@rhynorater) (11:49.977)
And from there, you can expand.

Joel Margolis (teknogeek) (11:52.138)
Yeah, and it makes me think, I'll probably expand on this script a little bit and I'll start to look at some of the other data points as well that are available from programs. So like maybe what's their average bounty over the last 90 days instead of just the total as well. Because if it's like, let's say they paid a million dollars with the average bounties 500, well, that says a lot. Maybe they're just paying a lot of bounties and they're just a large program, but most of what people are finding are.

Justin Gardner (@rhynorater) (12:00.342)
Mm.

Justin Gardner (@rhynorater) (12:06.7)
Mm.

Justin Gardner (@rhynorater) (12:12.072)
Mm.

Mm, that's true.

Justin Gardner (@rhynorater) (12:18.783)
everything's low yeah

Joel Margolis (teknogeek) (12:21.386)
Right, right. And from like a hacker perspective, like, I'm not really sure what the right conclusion to pull away from that is. It's like, should I, should you just hack on that and farm lows and mediums or, you know, and you know, that they have a lot of scope or should you, you know, look for the programs that, you know, paid 15 K in the last 90 days and they're just above sort of that threshold and they've got some decent bounties, maybe they have some new scope or something. I don't know yet. I haven't really figured out the right

Justin Gardner (@rhynorater) (12:50.811)
Hmm. Yeah, I-

Joel Margolis (teknogeek) (12:51.898)
useful from a hacker's perspective, but the data is there. And I think just generally speaking, like when I look at these lists of programs, especially like the top 30, you know, they're big programs that most people have heard of that maybe, I mean, a lot of them have run live hacking events, that's for sure. I can read off some of them, like number 17, Uber, *Redacted* number 15, GitLab. Sorry, I might have to leave that out. I don't know if that one's public. The one that I, that I,

Justin Gardner (@rhynorater) (13:00.232)
Mm.

Justin Gardner (@rhynorater) (13:08.715)
Yeah, yeah.

Justin Gardner (@rhynorater) (13:16.815)
Hmm. That's fine, we'll bleep that. Heh. Heh heh heh. Heh hah hah.

Joel Margolis (teknogeek) (13:21.958)
Yeah, that'll be easy to figure out. Number nine, Airbnb. Number 12, Yahoo. So yeah, I mean, like a lot of these are like pretty big programs in sort of the top like 15, either like past live hacking event runners or like current live hacking event runners. Some of them are private. Like I think the number one program is a private one.

Justin Gardner (@rhynorater) (13:38.228)
Mm, mm.

Justin Gardner (@rhynorater) (13:43.723)
You know what I'd kind of like to see, man, is maybe if we could find some way to show the distribution.

of vulnerabilities, a specific vulnerability delegations that a program is paying out. So I wanna know which program pays the most crits and which program pays the most highs, you know? And which program plays the most mediums. I think that would be really valuable data. And pretty much the only way I can think of to do that is to try to correlate reputation increases on that program's leaderboard to severities.

Does that make sense? You think so?

Joel Margolis (teknogeek) (14:22.294)
You could definitely do that. Yeah, so I think, yeah, so the right way to do that is basically, I mean, it's tricky because you would miss certain, you would miss some things, but I think depending on how many programs you're on, you could definitely do it at scale. So the model would basically be like this. You have all your programs that you're on. You pull all those programs, and when you pull the programs, you pull their leaderboards with their top 10 hackers.

Justin Gardner (@rhynorater) (14:37.479)
Mm.

Justin Gardner (@rhynorater) (14:50.072)
Mm.

Joel Margolis (teknogeek) (14:50.166)
You take those 10 hackers, you pull their profiles with their stats. And then when the program gets, uh,

Justin Gardner (@rhynorater) (14:54.294)
Mm.

Joel Margolis (teknogeek) (15:00.158)
a new bounty or yeah, you'd have to monitor everything. Correct, correct. So when the program gets a new bounty, like when they pay out a new bounty, you check the leaderboard and you see who bumped on the leaderboard. If nobody bumped on the leaderboard, somebody who's not on the leaderboard, but maybe you could do it with the thanks tab or something.

Justin Gardner (@rhynorater) (15:01.188)
Well, you'd have to monitor the whole leaderboard. Yeah, geez.

Justin Gardner (@rhynorater) (15:13.262)
Mmm.

Justin Gardner (@rhynorater) (15:20.235)
Something like that. So we need to, or here's an idea. We could hit up Yobert and be like, hey, we want this. Could you please do this? That's another possibility because he's been cranking out stuff, you know? So that's one option. I think that would be much more telling, right? Like I wanna hack on the program that pays the most crits.

Joel Margolis (teknogeek) (15:33.678)
That's true.

Joel Margolis (teknogeek) (15:40.204)
Yeah.

Justin Gardner (@rhynorater) (15:43.147)
You know, like that would be really cool. And we can tell from that there's systemic issues that they consider to be highs or crits or mediums or whatever that continue to make themselves present. And so I think that would be a really valuable piece of information. And you may be even able to correlate it with, yeah.

Joel Margolis (teknogeek) (15:43.927)
Yeah.

Joel Margolis (teknogeek) (15:55.308)
Yeah.

Joel Margolis (teknogeek) (16:06.786)
Bridge Bounty Range? Yep.

Justin Gardner (@rhynorater) (16:07.895)
Yeah, because you're just piecing together all these pieces of information because the average bounty range, you know, it gives you a specific percentile and then you might be able to use like a model to extrapolate that data out to the rest of the bell curve or whatever and then, and then court map that onto the amount of bounties paid over the past 90 days. Tricky.

Joel Margolis (teknogeek) (16:20.907)
Yeah.

Joel Margolis (teknogeek) (16:28.002)
Yeah, so like for example, for example, number three in my list is PayPal, public program. So PayPal has paid 474K in the last 90 days. Their average bounty range. Now the interesting thing is, I don't know, I don't think average bounty range is actually 90 days. It's overall, right?

Justin Gardner (@rhynorater) (16:36.3)
Yeah, I believe that.

Justin Gardner (@rhynorater) (16:41.816)
Oof.

Justin Gardner (@rhynorater) (16:51.791)
Ah yeah, so that's even trickier because you're not getting data on your main number.

Joel Margolis (teknogeek) (16:57.827)
Yeah, because it says that their average boundary range is 1.9 to 4.1, which is probably right in the middle of medium for them, for the current table.

Justin Gardner (@rhynorater) (17:06.191)
Mm-hmm

Justin Gardner (@rhynorater) (17:09.751)
Hmm, interesting. We'll have to think through it, see if we can figure out a way to extrapolate that data. If any of you guys in the listenership here have any ideas on what we could do with this data or ways to get that piece of data that I wanted to tell how many programs, you know, how many.

Joel Margolis (teknogeek) (17:10.754)
But yeah.

Justin Gardner (@rhynorater) (17:27.895)
crits or highs or mediums or whatever a program is paying, definitely hop into the Critical Thinking Discord and drop us a note in the pod talk channel about that because that would definitely be something that I think would be interested in releasing for the public.

Joel Margolis (teknogeek) (17:41.622)
Yeah, yeah, I think there's definitely some other data points that we could, you know, pull from. I'm not sure, but I'll have to look. I'll have to keep looking, you know, because there's nothing. This is itching my brain now.

Justin Gardner (@rhynorater) (17:49.023)
Joel is it We we nerd sniped Joel live on the pod and now he's just staring mindlessly into his computer screen No, that's great, man. Um, alright Well, let's pivot away from that topic before you get in too deep and I can't pull you out Next thing that I wanted to talk about was the hacker notes launch. There's a little bit of an announcement

Joel Margolis (teknogeek) (17:55.81)
Oh.

Joel Margolis (teknogeek) (17:58.926)
Ha!

Joel Margolis (teknogeek) (18:05.534)
Yeah.

Justin Gardner (@rhynorater) (18:13.219)
We recently brought on grepme, a hacker by the name of grepme, onto the critical thinking team, he'll be our writer. And he is going to be essentially listening to the podcast episode before it releases and then providing you all with a hacker TLDR of sorts. And it's designed to be a little bit like Tim Ferriss's Five Bullet Friday. So it's just going to be five bullet points limited at the top of the blog post.

and it's just gonna note the most important things from that episode. And then it's gonna take those most important things, elaborate on them a little bit, and then you can just take those and run. You'll get a lot of the value out of the episode if you just read those five bullet points. And then beneath that, he'll elaborate a little bit more on the content for those of you that prefer text-based mediums versus audio or maybe just can't get your, and maybe your headphones are dead or something like that. I don't know. And you still wanna get access to the information.

So that should be really good. I'm looking forward to seeing how he continues to push that out. And I think particularly just the five bullet points will be helpful for people that don't have time to listen to the full episode.

Joel Margolis (teknogeek) (19:24.162)
Yeah, absolutely. I'm super excited to see where this is gonna go. We did a little bit of this with the blog cast, but I don't think it was really targeted towards the right technical audience. So hopefully this is a little bit more of a technical approach, sort of by hackers for hackers. And yeah, we definitely wanna hear the feedback about this. So as you're reading through it, if you have any things you'd like to see more of, less of, anything you'd like changed,

Justin Gardner (@rhynorater) (19:29.669)
Mm-hmm.

Justin Gardner (@rhynorater) (19:32.923)
Mm-hmm. Yeah.

Mm.

Justin Gardner (@rhynorater) (19:41.181)
Mm.

Joel Margolis (teknogeek) (19:53.014)
Give us a shout in the Discord and we love to hear that sort of feedback.

Justin Gardner (@rhynorater) (19:56.107)
Yeah, yeah, for sure. And if you're interested in getting this as a newsletter, you can sign up for that at ctvb.show or on blog All right, with that, let's move on to the next news item. Technically, that was the news section. We didn't say that was the news section. We just kind of jumped right into it. But yeah, Joel, GitLab CVE man popped this past week. What's going on with that?

Joel Margolis (teknogeek) (20:21.598)
Yeah. So there was a really interesting, uh, I think it came out on Twitter originally first. Um, I saw it like pop up in somebody just like in a hacker chat was just like code block, like GitLab ATO it's zero day. I was like, Oh, wow. Okay. Um, so yeah, there, there was a, there's a little bit of buzz about this. I did some digging as well. Um, cause there was, um, uh, there was the, it was announced in there like.

Justin Gardner (@rhynorater) (20:27.523)
Yeah, someone dropped a POC, yeah.

Justin Gardner (@rhynorater) (20:36.392)
So bad.

Joel Margolis (teknogeek) (20:48.522)
release that there was a security patch, and then obviously there was some buzz and whatever. There's a repo created for it eventually. And I mentioned to find the PR, but the TLDR for this is essentially when you go to reset someone's, like you do a password reset or like a forgot password flow, in the parameters, you know how in parameters you can like array them by putting like square brackets?

Justin Gardner (@rhynorater) (21:13.687)
Yeah, in XW reform you were all encoded, you can kind of like do square bracket and then like square bracket or something like that in order to indicate an array, right? Hmm, maps, yeah.

Joel Margolis (teknogeek) (21:20.618)
Right. Yeah, either arrays or key indexes, basically. Like you can do both of them. So you can do that, basically, if you do like user, like the parameter user and then the subkey email, and then you make it an array. And the first value is like your target user email. And the second value is your hacker email. And that's it. And it was really, really interesting. I was actually looking through the code to try and understand how this works. And it's a lot simpler.

Justin Gardner (@rhynorater) (21:32.866)
Mm.

Hmm.

Justin Gardner (@rhynorater) (21:45.106)
Oh my gosh.

Joel Margolis (teknogeek) (21:50.862)
than it seems. Basically what happened is they were taking this parameter and they were sending the password reset option, they were sending the password reset to this email parameter. The problem is it worked with an array by default. So what's happening here is you're actually giving an array of two emails. The first email is the valid email, the second email is your attacker email. And what it's doing is in the code, it goes through this whole flow and then it goes in it.

Justin Gardner (@rhynorater) (22:03.375)
Mm.

Justin Gardner (@rhynorater) (22:11.437)
Mm.

Joel Margolis (teknogeek) (22:18.046)
it calls this function send password reset instructions to email. And when it passes an email, it's actually sending it to an array of two emails. So it sends the same email to two emails. Right. Exactly. And so the first one, like, you know, it's going to check, like, is this a valid account? Blah, blah, yes, it is. Because that's the first email. But the second email, when it sends out the email and it sends it to both addresses, now the attacker receives the password reset link for the victim.

Justin Gardner (@rhynorater) (22:20.769)
Mm.

Justin Gardner (@rhynorater) (22:26.755)
Mm. Multiple, yeah, multiple two directives or whatever, yeah.

Joel Margolis (teknogeek) (22:45.886)
as well as the victim receiving the password reset link for the victim.

Justin Gardner (@rhynorater) (22:49.059)
One, I cannot believe that this existed in GitLab for so long and that this was like, because I've seen this technique before, you know? I've seen people do this before in the past. And one thing that's always kind of crazy to me is like, how does it know, oh, maybe the specific token is, or the specific user specified is different. I don't know, but like, how does it look at that array of emails or whatever and say, okay, the first one is the user that we're gonna.

you know, take over the account for. And then the second one is the, you know, and then we're gonna send the email to both. Like, I feel like it should fail when it says, look up the user whose email is, insert a ray here with two emails in it, you know? Like, I don't know.

Joel Margolis (teknogeek) (23:32.71)
Yeah, it's super weird. I was trying to find like, I didn't get to like dig deep, deep into how this works because like when it sends a notification, it has this like type that it passes in like password reset instructions and then it does some stuff. So I think it has some sort of like additional flow where it might've gone wrong here, but the commit that they actually like changed to fix this initially, it's very, very minimal. It literally just makes sure.

Justin Gardner (@rhynorater) (23:39.802)
Mm-hmm.

Justin Gardner (@rhynorater) (23:45.935)
Yeah.

Justin Gardner (@rhynorater) (23:52.464)
Oh.

Joel Margolis (teknogeek) (24:00.066)
that it's explicitly pulling out, like it's verifying the email, right, yeah. And like, you know, before it sends it, it's, yeah.

Justin Gardner (@rhynorater) (24:05.395)
one email. Yeah. Dude, it's crazy to look at this Ruby code, man. I don't know, Ruby just always throws me for a loop. And I guess they're using like it and then some string and then do and then to like almost comment blocks on what it specifically does, which is like one really cool for the impact of like or for the purpose of like documenting

what the code is doing, but it just makes it really weird to look at. You know, you're like, is this an if statement? Is this an it statement? It do statement? Like, why is this so grammatically weird? Like so many questions.

Joel Margolis (teknogeek) (24:43.991)
Yeah

Joel Margolis (teknogeek) (24:47.69)
Yeah, there's a lot of weird Ruby-isms that are like, you'll read a piece of code and it's very, like you said, it's very difficult to figure out what is a variable or where a class or a reference is coming from and all that kind of stuff. So yeah, I was actually, I was looking at this file to see sort of where it came from. And it seems that...

Justin Gardner (@rhynorater) (25:06.883)
Hmm. Yeah.

Joel Margolis (teknogeek) (25:11.814)
This was some sort of new functionality that was added within the last year to support password resets from any verified email. So if you have multiple verified emails, then you can password reset your account from any of those verified emails instead of just a single one. And yeah.

Justin Gardner (@rhynorater) (25:15.965)
Okay.

Justin Gardner (@rhynorater) (25:23.451)
Ah, that might be what it is, because it might be like, okay, here's the account, and then here is the email I wanna send the interesting. Okay, very interesting. Well, that's a pretty gnarly bug, man, and I can't believe how simple the POC was. It like...

Joel Margolis (teknogeek) (25:33.546)
Yeah. Super, super interesting. Yeah.

Justin Gardner (@rhynorater) (25:41.951)
fit in a short tweet, not like a long tweet, like a very short tweet. So that was cool to see. And I spoke with a couple of my recon buddies, and it seems like not a lot of things are popping with it actually, because you have to have a valid email associated with it, which shouldn't be that much of a problem, I don't think. But...

Joel Margolis (teknogeek) (25:44.292)
I...

Justin Gardner (@rhynorater) (26:03.427)
From what I've heard, people are getting on top of patching it, and there haven't been a lot of public instances of it exploited, which is good to hear and sad to hear. You know, I don't know. Got that sort of pull of the heart in either way when you're a bug bounty hunter or offensive researcher. So it is what it is.

Joel Margolis (teknogeek) (26:19.734)
Yeah, absolutely.

Justin Gardner (@rhynorater) (26:22.443)
All right, so with that, let's go to the last news item of the day. This one was really exciting. This is from Riley Goodside. He is a researcher on some AI stuff at Scale AI. And so, you know, we don't cover a lot of AI-related stuff here on the pod because

It's just not a lot of technical content, to be honest. A lot of it is like, hey, let me convince this semi-sentient thing to do what I want it to do, or render some markdown text or something, which is cool. But it's not crazy until this came up, which I think was a really technical solution to a LLM.

related vulnerability called prompt injection, which we've talked about in the past. And essentially what it does is Riley outlined the fact that LLMs are able to perceive Unicode tag characters, which are actually invisible characters that represent all of the normal English characters you would use. And so these are typically only used, these tag characters are typically used

following a flag emoji in order to create the flag for a specific country. So if you were going to do the flag for the US, it would be flag and then the tag character U and the tag character S. But since the LLM is parsing it from a text perspective, it's looking at the actual characters, not how they're actually displayed, it's actually able to read those and respond to those. So you're able to smuggle invisible pieces of text into any LLM prompt.

Joel Margolis (teknogeek) (27:44.29)
Yeah.

Joel Margolis (teknogeek) (28:01.07)
super interesting. The other place where I know that these are used are for the skin tone modifiers on emojis. Yep, same thing.

Justin Gardner (@rhynorater) (28:07.495)
Oh, really? Interesting. Huh, I hadn't seen that. So these seem like sort of like a, well, I mean, maybe like a tag or like a label, you know, for another emoji often used with other Unicode characters alongside other Unicode characters. And Riley actually figured out a way that we can actually just take over any prompt using these. So I think there's, this is a pretty technical solution, which I was really impressed by. And then of course our boy Rezo jumped right on it and did a write up on it.

Joel Margolis (teknogeek) (28:17.966)
Correct.

Justin Gardner (@rhynorater) (28:36.459)
did a video on it that was really good explaining it, and also released a Python script, a very short Python script that'll allow you to take any input and convert it into tag characters with just a simple char conversion. What is it, like 0XE0000 plus whatever the ordinal number is for that specific character point. So very cool approach here. I think the biggest attacks that we'll see with this

will be embedding those invisible characters into text that will be placed into a prompt and will bypass sort of the user being able to see that they're actually pasting that text into the prompt and result in prompt injection or indirect prompt injection.

Joel Margolis (teknogeek) (29:25.078)
Yeah, it's really, this kind of reminds me of like the early days of like sandbox escapes, because this is like, you know, it's kind of a lot of what this is, which is right now, I don't think, it feels like a lot of the AI companies haven't quite figured out the right way to like systemically deal with this stuff. So it's a lot of like, oh shit, there's a hole here, there's a hole here, there's a hole here, and they're just running around sort of duct taping holes and like, you know, putting temporary stuff in place and fixing things wherever they come up. And eventually, you know,

Justin Gardner (@rhynorater) (29:42.536)
Mmm.

Justin Gardner (@rhynorater) (29:48.931)
Mm-mm-mm.

Joel Margolis (teknogeek) (29:54.034)
a little bit down the line, they're gonna figure out the right way to sort of deal with all the... Because this seems to be a pattern where it's like, you know, stuff that's... To the human is like, oh, this is crazy, because I can't see this visibly. But I think it's a little bit weird, because what's going on here is like, those characters are there. They're just not visible because they're not rendered by your browser, they don't have a text representation, or one way or another. And so I think there's a variety of different...

Justin Gardner (@rhynorater) (30:14.139)
Mm-hmm. Right.

Joel Margolis (teknogeek) (30:21.41)
possible solutions that could go in place. You know, like you could make the browser render invisible characters, or you could have your site not support invisible characters, or the LM rewrites your input message to show the invisible characters, or who knows? I think there's a lot of different things, but none of them are super great. But eventually we'll get to some more systemic fixes, I think.

Justin Gardner (@rhynorater) (30:31.46)
Yeah.

Justin Gardner (@rhynorater) (30:41.451)
Yeah. It's.

Justin Gardner (@rhynorater) (30:45.979)
It's a little bit tricky, you know, to fix this sort of thing at an LLM level, I believe. We had some debates in the comments with some random dude that.

was being very obstinate, excuse me. But essentially saying like, Rezo mentioned in here that it's very difficult to fix this because sure, you can fix it at the API level, but fixing it at the LLM level is gonna be tricky because of how it perceives characters and that sort of thing. And some of the good features of LLMs, which is they inherently understand Unicode, they inherently understand these characters that have circles in them, or circles around them, and that sort of thing. So how do you discard some

or the other besides doing it at the API level. So that'll definitely be an interesting problem for those people to fix, but for the time being, I think there's a lot of cool applications here from an AI perspective. And I'm sort of wondering if there's anything else that this could be used with. I imagine these characters will have Unicode normalization happen to the actual characters in some scenarios. So maybe there could be a situation where like,

you submit an email, you apply to be in an organization or something, and the admin looks at your name or your email address and says, okay, this is clearly justin at safe.com, but it's actually safe.

you know, invisiblecharacter, invi And then when they add me to the organization, that Unicode gets normalized and it sends it to my evil domain or something like that. Could be some interesting applications there from just a web app perspective as well.

Joel Margolis (teknogeek) (32:26.818)
Yeah, super interesting.

Justin Gardner (@rhynorater) (32:28.503)
Yeah, so very, very good stuff there. That's all I had from the news section. With that, let us get into the topic of today's pod, which is vulnerable code patterns. So, sort of, I'm not sure the order that these episodes are gonna, I think the order is that this one will come first. So, in the future, there will be an episode where we're talking about WordPress plugins and a bunch of like,

crazy bugs and stuff like that I've been finding and that the Wordfence team has been finding and lots of discussions surrounding that. It's a very nuanced ecosystem and we provide you with a really great summary of how to look at that ecosystem quickly and find bugs that will affect your targets. So that's coming up. But with all of that knowledge that I had to get in order to do that episode, I did a shit ton of code review in PHP. And so...

And I've been teaching this code review to a couple of my mentees and friends. And I realized that there are some code patterns that are just really common that we kind of need to talk about and get out there and get sort of frameworkized of sorts before we actually in order to...

be able to see them more easily when we look at code at a glance. Because for the experienced eye, you look at a piece of code and almost in an instant, you can say, okay, this is the structure, this is the flow, these are the conditions that need to be met. And I think the more we can frameworkize that thought, that intuition, the better code reviewers we're going to be. So that's kind of what I'm thinking we got. How many of these do we have, Joel? Let's see. One, two, three, four, five. Yeah, seven or eight.

Joel Margolis (teknogeek) (34:13.026)
Six, seven.

Justin Gardner (@rhynorater) (34:16.259)
various different code patterns that I wanted to go through and just kind of discuss and talk about vulnerabilities surrounding those. So, hmm.

Joel Margolis (teknogeek) (34:22.102)
Yeah, so the one, really quick, I wanted to preface this because when you brought this up to me, I thought it was an interesting concept and I think there's some important nuance to, there's some important nuance here, okay. And I think like, I do wanna encourage people to be like reading code and like looking for code patterns and like be able to identify that stuff, but I also want to encourage the,

Justin Gardner (@rhynorater) (34:33.379)
Uh oh, uh oh, Joel's got his fighting gloves on here. Hold on, let's go.

Joel Margolis (teknogeek) (34:51.754)
mindset of context is key. Okay. And I think like that's really, really important because you can take all these snippets of code and you can put them in some random context that is not exposed to the internet or is not exposed to the world or just happens in a box in a silo and it's completely, yeah, it's like not great coding practice, but it's not an issue.

Justin Gardner (@rhynorater) (34:54.104)
Hmm.

Justin Gardner (@rhynorater) (35:13.325)
Mmm.

Joel Margolis (teknogeek) (35:13.586)
And so I think being able to identify whether or not something's an issue is the real challenge here. Like, yeah, start the starting point is also tricky. But I think like, you know, this is sort of, it's not it's not the equivalent, but it's close to the equivalent of just like Ctrl F, like eval, and then just like anywhere you see eval and like, yeah, eval is bad, but not always, you know, there are there can be use cases or safe ways to use it or whatever. So

Justin Gardner (@rhynorater) (35:18.264)
Yeah.

Joel Margolis (teknogeek) (35:41.23)
Yeah, these patterns oftentimes can lead to things, but the context is really important. Like, you know, if this is in a plugin, like, is that flow exposed or is this just something that happens in the background? Like, you know, how is this being used? Is it, you know, one thing that you mentioned was HTML decoding, right? And like you see HTML decoding and that's like a really scary thing.

Justin Gardner (@rhynorater) (35:55.66)
Yeah.

Justin Gardner (@rhynorater) (35:59.555)
Right. Was that before or after you called me a human semgrep instance, Joel, in our pre-call? Ha ha ha!

Joel Margolis (teknogeek) (36:05.998)
That was before that I said this is some grab because yeah, HTML decoding can be bad, but like how's it being used, right? Are they HTML decoding to log it in the console or are they HTML decoding it to put it in the HTML?

Justin Gardner (@rhynorater) (36:15.937)
No, no-

Justin Gardner (@rhynorater) (36:20.611)
Yeah, I mean 100%, but like what I'm trying to highlight here is that

There are some things that actively undo whatever you've just done. For example, let's just go ahead and jump to number two first. Sorry, editor, that has to maybe put up the little graphics or something like that. But we're going to jump to sanitization and then modification of data afterwards. The scenario that I had for this was you have an input parameter that you take from a query parameter or something like that. You run some sort of sanitization function on it. This is something that strips out HTML elements and that sort of thing.

pass it to URL decode. That sanitization HTML function has done effectively nothing in that scenario. Because you can take everything that function does and undo it by putting that in an encoded format that then gets decoded on the next line. So, like, whenever you have these sort of tradeoffs, it shows that the developer is not understanding something. And I think that's always a good indicator.

of where vulnerability might be, or at least a place to look a little bit closer. Wouldn't you agree?

Joel Margolis (teknogeek) (37:29.694)
Yeah, I mean, they're good starting points, I think. This is my big problem with sem-grep-like searching is that compared to something like CodeQL, which is more AST-based, it's looking for something that looks wrong, right? But it's not actually smart enough to tell whether it is wrong, and so it leaves a lot of that manual effort up to you, and it can be time-consuming. I don't think it's bad, I just think it's not the most efficient way to do stuff.

Justin Gardner (@rhynorater) (37:34.03)
Yeah.

Justin Gardner (@rhynorater) (37:42.754)
Mmm.

Justin Gardner (@rhynorater) (37:54.365)
Mmm.

Joel Margolis (teknogeek) (37:58.55)
just kind of depends on what is available for what you're doing. Like PHP, for example, there's no CodeQL support for PHP. So you can't use CodeQL for that. So either you need to write your own tool or you just don't get me started. Don't look at me like that. Or use semgrip it. Yeah, but you know, sanitizing HTML and then you're all decoding.

Justin Gardner (@rhynorater) (38:04.943)
Mm-hmm. Unfortunately.

Justin Gardner (@rhynorater) (38:11.707)
Hahaha! Nerdsnipe him, let's go!

Justin Gardner (@rhynorater) (38:21.016)
Yeah.

Joel Margolis (teknogeek) (38:27.222)
I'm inclined to say that there are probably cases where that's not an issue, but I...

Justin Gardner (@rhynorater) (38:33.191)
No, Joel, how could this not be an issue? If there's a scenario where either the sanitized HTML call shouldn't be there in the first place because it's not doing anything and it's wasting CPU cycles, or it's a problem. I mean, not to say that it will result in an issue, they could URL decode it and then say, compare it to a string or something like that and then make some decision based off of that, right? You're not gonna be able to inject it or whatever, but in the first place,

They shouldn't be HTML sanitizing it in that scenario because with, they're just going to compare it to a string anyway, and then do some action. It doesn't actually, there's no reason to decode it or to sanitize it in the first place.

Joel Margolis (teknogeek) (39:14.782)
What if they decode it and then sanitize the HTML?

Justin Gardner (@rhynorater) (39:18.411)
No, of course, that's the opposite way, right? That's the right way to do it. You decode it and then you sanitize so that you can't just un-

Joel Margolis (teknogeek) (39:24.47)
Well what if there's another standardized call after this?

Justin Gardner (@rhynorater) (39:27.923)
Oh, yeah, I mean, well, you know, there is that possibility, but then that doesn't really fit the pattern. You know, the pattern is that it you see some sanitization that occurs and then afterwards you modify that data. And that's just a dangerous place to be because like even with and we'll talk about another one later with replace statements. But, you know, you can you can affect the result of what you thought you accomplished with the sanitization call if you modify that afterwards. You know?

Joel Margolis (teknogeek) (39:58.474)
Yeah, I think the big thing that, I think modification's the wrong word. I think what you're trying to get at is like a reuse of attacker controlled data, right? So you're sanitizing it and then you're decoding that data again and it's still attacker controlled, right? If you're modifying it with something that's not attacker controlled, simply modification of data that's been sanitized, not necessarily an issue. If it's modification with attacker controlled data of attacker controlled data, right?

Justin Gardner (@rhynorater) (40:18.456)
That's true.

Joel Margolis (teknogeek) (40:28.138)
sort of like the chain of custody of the data, right? Like you still need to be, right? Yeah.

Justin Gardner (@rhynorater) (40:28.959)
Yeah. Chain of custody of the data. I like that chain of custody of the data. That's good.

Joel Margolis (teknogeek) (40:36.874)
Right. Yeah, you want to be ensuring that you're actually still in control here, right? Because at a certain point, it might pass through a function, maybe it passes through sanitized HTML and it gets converted into an arbitrary PHP object that's totally custom and it's not actually a string. And then when a URL decodes it, it handles it separately or something. I don't know. I think there are potentially some instances, but that's a really important thing to be looking for is where do I still actually control this data?

Justin Gardner (@rhynorater) (40:58.882)
Yeah.

Joel Margolis (teknogeek) (41:06.442)
like throughout these steps, like chain of custody.

Justin Gardner (@rhynorater) (41:07.179)
Mm, mm, yeah, I agree. And there's definitely nuance to the situation, right? Like you said in the beginning, and I think your main point here is context is king, and that you need to be able to, at the end of the day, POC or GTFO, what does it actually do to affect the application? What I'm trying to get the, train my mentees to do, and also to, this is an important part too, what I'm trying to formula, formule.

formula eyes, I don't know it's turn into a formula Is that is that the word? I don't dang it. I've got two second languages man. I swear but What I'm trying to turn into a formula in my brain is When I turn these into formulas it makes my brain see them better And it makes if you'd be less intuition based and more principle based and so that's what I'm trying to bring to the peeps here and then also you know to

Joel Margolis (teknogeek) (41:34.766)
formulate.

Joel Margolis (teknogeek) (41:40.322)
Formulate. That is a real word, yeah.

Justin Gardner (@rhynorater) (42:04.907)
have these trigger you to take a second look. Because when you're looking at a code base, you're scrolling through a ton of code, your eyes are just, you know, like reading everything. You need to know when to say, oh, that's something interesting. And that's a very valuable skill in code review, I think. So.

Joel Margolis (teknogeek) (42:20.95)
Yeah, and I think like this is kind of like the nuclei or the HTTP X or whatever of like code review. I'm just saying, no, let me, let me, let me explain because like basically those tools are really good at taking large inputs and helping you narrow down by like signal by like pointing out signals, right? Like, Hey, this host is online or this is running Apache or, um, you know, this is spring boot and

Justin Gardner (@rhynorater) (42:28.323)
Why do you keep comparing me to tools, dude? Ahaha!

Justin Gardner (@rhynorater) (42:46.598)
Mm. Yeah.

Joel Margolis (teknogeek) (42:49.598)
here's the version and so, you know, like whatever, like, and I think this is kind of similar because you have too much to look at. Like realistically, you could read through every single line of every single plugin on WordPress and you could audit them all like that.

Justin Gardner (@rhynorater) (42:56.366)
Mm.

Joel Margolis (teknogeek) (43:07.714)
That's fine. I'll see you in 50 years. Like, you know, like it's never going to end. Like, and so you really need a better way to sort of narrow it down, which is kind of what we're talking about, which is like, you know, okay, I have this massive code base, where do I even look? Uh, you know, here's like a couple of interesting spots and these aren't guaranteed, uh, to be findings, but they are good starting spots and maybe you'll find something else like, you know, along the way when you're looking at that, but they're, they're good sort of entry points to, you know,

Justin Gardner (@rhynorater) (43:09.788)
Yeah, yeah.

Justin Gardner (@rhynorater) (43:13.518)
Yeah.

Joel Margolis (teknogeek) (43:37.266)
Easy sort of things to take a look at.

Justin Gardner (@rhynorater) (43:39.127)
Yeah, and especially when code reuse is a part of it too, you know, like if this, these flaws that I'm, we're getting ready to describe here are in a function that is reused in multiple spots throughout the application, then you can say, hey, okay, this will result in a vulnerability in XYZ scenario. Let's go see if.

this is ever used in that scenario. And then you can kind of work backwards from that code reuse starting point. But yeah, I definitely agree with what you said about using this sort of as a way to filter, as an aqua tone of sorts. Now we got screenshots, now we got is the host alive sort of scenario rather than, all right, let me go knock on the door of every single port.

So with that, all right, let's go back up to the first one. The first one is a auth check inside the body of an if statement. So this is something that I've seen like a stupid amount. It's kind of funny. But like if there's an if statement and then your auth check is inside of that if statement, obviously you can.

if you can control the condition of the if statement, you can absolutely run whatever is outside of that if statement or in the else statement. And so whenever I see an auth check inside of an if statement where the condition is user controllable, I'm always like, wait a second, why, what's going on there? And I always look a little bit deeper.

Joel Margolis (teknogeek) (44:52.926)
Yeah. And so from like a developer's perspective, I think, like there's a couple of different instances. It's not always bad thing. Like sometimes it's, you know, you want it to happen only in a certain case, and you want everything else to still happen. So like maybe it's normal. Yeah. And it also could be that there's this coding practice called dedenting, where basically instead of, you know, if you imagine this statement, if you flip it and you do if not get and then you call do something else and then otherwise you're calling.

Justin Gardner (@rhynorater) (44:59.501)
Mm-hmm.

Justin Gardner (@rhynorater) (45:04.555)
Yeah. Intentional functionality, yeah.

Justin Gardner (@rhynorater) (45:21.004)
interesting.

Joel Margolis (teknogeek) (45:21.698)
you know, check off, you can sort of flip your if statement and you can do certain logic inside the if statement and then just, you know, after the if statement, you just do everything else. Inside a check off, you know, theoretically, there's a return statement here somewhere or an exception or something that's supposed to cause the outer function to break out in a bad case. Realistically, maybe probably not doing that. I mean, looking at this code.

Justin Gardner (@rhynorater) (45:39.891)
Mm-hmm. Yeah.

Justin Gardner (@rhynorater) (45:46.059)
Mm-mm.

Joel Margolis (teknogeek) (45:49.994)
It certainly doesn't seem like it's being caught anywhere.

Justin Gardner (@rhynorater) (45:50.57)
Yeah, okay.

This is just a little bit of code I wrote so that I can help you visualize what we're talking about. But actually, I've got an idea, Joel. Here's what we're gonna do for the rest of this episode, okay? We're gonna turn this into another versus episode. We're gonna turn this into a hacker versus developer episode. Yeah, and we're gonna say, okay, Justin says this is a vulnerable code pattern, and Joel says, well, there's a little bit of nuance to that situation. And it's called dedenting, you know? And so.

Joel Margolis (teknogeek) (45:55.199)
Yes.

Joel Margolis (teknogeek) (46:02.876)
I dunno, okay.

Joel Margolis (teknogeek) (46:07.606)
the right way in the wrong way? Okay.

Joel Margolis (teknogeek) (46:16.802)
There is a way to do this. Yeah. D dending.

Justin Gardner (@rhynorater) (46:21.961)
No, that is an interesting practice though, and it definitely does make your code more readable and shorter when you have, you say, okay, is this just a massive if statement, should I just invert this, put everything else on the outside, and then make a short if statement that catches the scenario and exits if it needs to.

Joel Margolis (teknogeek) (46:35.403)
Yeah.

Joel Margolis (teknogeek) (46:41.322)
Right. But that exit is like the key, right? Like in order for you to be able to dedone successfully, it has to essentially exit, it has to bail out. And so if that bailout behavior is not done properly or if it's like supposed to be handled in a different function, it's not being handled in a different function, then it's not gonna bail out, right? And it's just gonna keep going, so.

Justin Gardner (@rhynorater) (46:44.094)
Mm.

Justin Gardner (@rhynorater) (46:49.213)
Mm.

Justin Gardner (@rhynorater) (46:53.773)
Mm.

Justin Gardner (@rhynorater) (46:57.335)
Well, it's funny if you look at number four now, check for bad patterns with an if statement, but then don't do anything to the control flow. That's exactly what we're talking about there. This is a scenario where essentially you look, there's an if statement that's clearly used for security purposes. And then inside the if statement, they're supposed to be handling that bail, that bail out, that error.

But sometimes they just set a variable to true or something like that and then never do anything else with it later and the code continues on anyway. That's another bad pattern that I've seen and that's exactly what you're talking about, Rachel.

Joel Margolis (teknogeek) (47:33.278)
Yeah, I mean, I don't have a justification for that one other than like, you know, humans, like developers are humans too. And the reality is that just like everybody else, they started something and forgot to finish it or, you know, they had a plan and one way or another, the code still worked and it was inconsequential the way they were testing it, but ended up being something later. Yeah.

Justin Gardner (@rhynorater) (47:38.816)
Yeah.

Justin Gardner (@rhynorater) (47:46.703)
Yeah.

Justin Gardner (@rhynorater) (47:52.735)
Yeah, the test case passed, you know? Yeah, so that's another one to take a look for, you know, whenever they're bailing or whenever there's an exiting strategy in place, making sure that that's actually killing the control flow of the application will result in. And.

some valid code versus if it's not killing it, if it's setting a variable, then you still gotta continue to trace that flow, even though they've detected something bad and they're onto us, there still could be things that you could do, especially if there's a sync in between you and the death that inevitably occurs due to your bad input. So.

Joel Margolis (teknogeek) (48:30.762)
Yeah. Or maybe they have that check and they set bad equals true and then they do something with it. But what they do with it isn't right or it's not meaningful. Right? Like, yeah. Or yeah, exactly. Like maybe they do something else with your vulnerable data and it's, you know, the bad check is already, you know, hasn't happened yet. Yeah.

Justin Gardner (@rhynorater) (48:40.324)
Or it's too late.

Justin Gardner (@rhynorater) (48:49.407)
Exactly. All right. Do you want to pick up any of these or? No, no, no. We'll do it this way and I'll say it and then you can comment on it. So next one on the list is badrejects. I'm interested to see how you can... I...

Joel Margolis (teknogeek) (48:58.798)
Okay.

Joel Margolis (teknogeek) (49:04.422)
This is a losing battle. How am I supposed to defend someone not escaping a dot in a rejigs?

Justin Gardner (@rhynorater) (49:09.255)
I set you up for failure here. But yeah, so this next one is sort of a regex-based one, which is, you know, anytime you see regex, to be honest, for any of you that are scared of regex and that have not taken the dive to understand regex fully, you will get such an ROI on this if you just deep dive regex and understand it thoroughly, because so many people try to use regex for sanitization and for security, and man, is it tricky to do right. So definitely, hmm.

Joel Margolis (teknogeek) (49:36.266)
And not only that, I use regex for a lot of things. I mean, I use regex all the time for just developer flows or pulling data out of a pipe, like piping data through bash and stuff and just pulling different data points out and stuff or manipulating data and all that kind of stuff. I use regex all the time. Regex is such a valuable tool and the syntax is not difficult. It's a little bit daunting at first. We've talked about this before probably, regex101.com.

Justin Gardner (@rhynorater) (49:39.885)
Mm-hmm.

Justin Gardner (@rhynorater) (49:43.383)
Oh yeah.

Justin Gardner (@rhynorater) (49:48.664)
Mm-hmm.

Justin Gardner (@rhynorater) (49:59.211)
No, it's not.

Justin Gardner (@rhynorater) (50:04.719)
Dude, I freaking love that website, yeah.

Joel Margolis (teknogeek) (50:05.454)
amazing site, like literally just take a regex, put it in the website and then look on the right side. There's a section called explanation and it literally walks you through every single part of the regex and says, here, this does this. It's looking and it in layman's English terms explains exactly what that part of the regex is doing. And then it goes to the next part and says, this is looking for this and this character does this modifier and it's looking for this, this and this. Amazing tool, great.

very useful for learning regex and understanding like, what is this thing I'm looking at actually doing? The other side of that is, you can use this, start writing your own regex and in the test string, just like put your own data in there and just start writing a regex and be like, how do I select this data? I wanna select this text. Yeah, yeah, it shows you visually. Yeah, definitely I'd recommend taking some time, learn about regex, there's a lot of tools out there.

Justin Gardner (@rhynorater) (50:46.104)
Mm-hmm.

Justin Gardner (@rhynorater) (50:49.855)
I love it. Because it highlights the data you've selected too. And it's like, ah, this is so easy. Ugh.

Justin Gardner (@rhynorater) (51:00.442)
Mm.

Joel Margolis (teknogeek) (51:01.902)
There's another tool, we'll link it. I don't, I'll have to find it.

Regex two strings. Yeah. Yes.

Justin Gardner (@rhynorater) (51:08.843)
This is your regex to strings tool. Yeah, we talked about this I think once before on the pod. That's a great tool too. I haven't used it quite as much. I did put the regex 101 in the link section by the way. But yeah, so you can drop that down there as well. Regex to strings is also really cool. It'll give you strings that match your regex. Very helpful. With regards to what actually things you should be on the lookout for when you look at a regex.

Joel Margolis (teknogeek) (51:19.147)
Cool. Awesome.

Justin Gardner (@rhynorater) (51:33.891)
Obviously, there's this concept of dots in regex meaning any character. And man, did the stars align when people decided to make that the dot any character and make dots the separator in domains. One of the things that I just relish in my life, like that sort of good luck for attackers. So anytime you see an unescaped dot in a URL-based regex or in a domain-based regex, you can pretty much guarantee that there's something you need to look into there.

He's, you like that Joel? Did you like, I didn't say, I didn't say that there's any, you know, that there's guaranteed there's a vuln there. There's definitely something that you need to look into there.

Joel Margolis (teknogeek) (52:05.264)
Yeah. No, that sounds good.

Joel Margolis (teknogeek) (52:11.422)
Yes, absolutely. Look into that. And the other thing that's mentioned here is like the missing of the carat and the dollar sign, which indicate the start and end of line. Depending on the context of the data that's being passed in for the match, it might be doing a regex search on, you know, everything, the whole input or whatever non-filtered part. And so if it's not specifically saying, I want the whole match to start here and end here, then you can match data within other pieces of

Justin Gardner (@rhynorater) (52:28.067)
Mm.

Justin Gardner (@rhynorater) (52:37.018)
Hmm.

Joel Margolis (teknogeek) (52:41.25)
be completely irrelevant. So you can, you know, a good example is, you know, www. right? And it's only looking for www.example.com, or we have github.com on here. But, you know, if it's only searching for that and it's not checking for the end of the line, then you can have stuff after it and before it that can change the context of that data and be used in different ways.

Justin Gardner (@rhynorater) (53:04.311)
Yeah, 100%. So that's a big one to look at, the start and the ending. Another one is that a lot of times people just won't think about all of the possibilities from a character perspective. So we talked in the past about...

what parts of the URL have what impact on what host the request will be routed to. In the end, we've got the at sign that allows us to add characters before the actual domain is specified. That can be really helpful. And then we've also got, in the context of URLs, we've got slashes. You can use backslashes instead of slashes. And a lot of time, the browser will natively convert those or any request sending tool.

and that sort of thing will convert them as well a lot of times. So you really wanna think about the edge cases, the breadth of possibilities you have from a character set perspective. And then also, this is sort of only tangentially related, but I ran into a situation where this was helpful the other day. Some servers will just accept the full path in URL encoded format. So you could just, you know, percent 2f, abc, percent 2f, you know, 123, you know, blah-de-blah-de-blah like that, you don't even have to have slashes in there.

That's another thing is even if their code isn't doing URL decoding, you may be able to affect the backend by sending those URL encoded characters directly to the backend if you're in sort of like an SSRF or secondary context sort of situation.

Joel Margolis (teknogeek) (54:33.314)
Yeah, yeah, for sure. And one thing I was thinking about as you were describing that, well, two things. One, with the, you know, their regex may be a little too broad in terms of what they're expecting. So maybe they use dot star, right? Or something like as just like a filler, right? That's pretty common. People use dot star meaning any number of any character, but you know, infinite, from zero to infinite. And

Justin Gardner (@rhynorater) (54:38.043)
Mm. Yeah.

Justin Gardner (@rhynorater) (54:49.238)
Mm. Yeah.

Joel Margolis (teknogeek) (55:01.73)
The regex to string tool that I, that we'll link down below is a great tool for that because you can take a regex and you can put it in there and you can see all the different possibilities and that will really easily identify like, hey, here's like a weird spot where you can put a bunch of different characters or here's a spot where there can be sort of infinite possibilities of things in between. And that makes it really useful. What was I gonna say? I had it.

Justin Gardner (@rhynorater) (55:27.319)
Well, I think...

Well, I don't know where you were gonna go, but where I was gonna go after you were done going with where you were gonna Go was and there's nuance to the star and the plus sign, right? You know in that scenario, you know if you're using dot star then you can just ignore that whole part if you want to because zero it matches the thing zero times And a lot of times people will also use Star when they should be using plus to make sure that there's at least one instance of the thing one to infinite

Joel Margolis (teknogeek) (55:46.346)
Yeah, nothing. Yeah.

Justin Gardner (@rhynorater) (55:59.138)
versus zero to infinite instances. So that's another sort of gotcha in that scenario. Does that trigger what you were gonna talk about or is it gone? Okay, great.

Joel Margolis (teknogeek) (56:04.906)
Yes, I remember now. Yeah, well, it wasn't related to that, but one thing that we talked about in a recent episode was the Franz Rosen XSS challenge. And this was very related to Regex specifically and specifically JavaScript, like Regex replacement group name, like special naming things. So that's another thing to keep in mind with Regex, specifically in the context of JavaScript. I don't know about other languages that have support for it.

Justin Gardner (@rhynorater) (56:19.063)
Yeah.

Justin Gardner (@rhynorater) (56:24.313)
Mm-hmm.

Joel Margolis (teknogeek) (56:34.006)
it to that full extent, like those different replacement groups. But I know that the JavaScript regex replacement has all these special capture groups that Franz pointed out is XSS challenge that can be super useful.

Justin Gardner (@rhynorater) (56:47.375)
That's, that's a great point, dude, man. Like this was just so cool to see that you could actually insert these strings in the, in the response. So you can say, you know, things that match before things before the match that we have things after the match. So freaking cool. Um, I cannot wait to exploit this more. And I'm glad you brought it up again, because it sort of refreshes that neural pathway a little bit and it makes it sure it's in the forefront of your head rather than.

Joel Margolis (teknogeek) (57:02.798)
Mm-hmm.

Justin Gardner (@rhynorater) (57:16.127)
you know, being further back. Because that's such a cool thing. I'm gonna add it to the list here, capture groups. Let's see. Capture groups. Last one on the regex list was multi-line stuff. Sometimes, depending on the regex configuration, and actually I should add capitalization here.

Joel Margolis (teknogeek) (57:17.311)
Yeah.

Joel Margolis (teknogeek) (57:22.174)
Yeah, absolutely.

Justin Gardner (@rhynorater) (57:36.203)
capitalization and multi-line, both of those are things that are sort of flags in most languages that you can kind of turn on, like do I ignore case, do I do this on a multi-line match. And so if there is an opportunity for multi-line input and they're running something that just goes through the first line, then you may be able to smuggle in a payload there. Or if there's something that they're expecting to be a certain capitalization and you can

Justin Gardner (@rhynorater) (58:06.257)
result in you being able to do some cool stuff. So those are some other things to keep in mind from the Redgex perspective. Anything else to add there, Joel?

Joel Margolis (teknogeek) (58:11.01)
Yep. No, I mean, I was just gonna say, regex 101 supports the flags in your regex thing. There's a little, you click the little, I think it's by default, it says GM, G for global, M for multi-line, but it has a dropdown of all the different flags that you can use and you can check them and it gives an explanation of how they work. You know, we won't go too deep into all of the nuances of regex, but again, I'd really encourage, go to regex 101 and check out regex if you haven't.

Justin Gardner (@rhynorater) (58:33.772)
Mm.

Joel Margolis (teknogeek) (58:39.47)
taking a deep dive into how that works and it's definitely worth learning.

Justin Gardner (@rhynorater) (58:43.039)
Yeah, one more piece there, you know, since we're fanboying over Regex 101 right now. It's definitely the best idea to select as granularly as you can the language on the left-hand side in the flavor section, especially when you're looking for exploitation, because there are specific nuances to various different languages that you may be able to, you know, pull out of there if you're actually using the correct playground for your regular expression evaluation and toying. So definitely don't forget to do that as well.

Joel Margolis (teknogeek) (58:46.178)
haha

Justin Gardner (@rhynorater) (59:13.003)
All right, next one on the list. We already did the bad pattern one, so we're gonna jump down to the next one. Oh, I love this one. This is replace statements for sanitization. Replace statements for sanitization are helpful only in a scenario where you are replacing one character. When you're replacing a sequence of characters.

Obviously you can just sort of sandwich the thing in the middle, get something replaced, and then if it's not recursive, you won't, you know, you can get the same flow of characters in there. So the classic example is dot dot, so four dots, slash whatever, right? And when they do a dot slash replacement on that, it'll remove the dot slash in the middle, and the two dots on the left-hand side and the slash on the right-hand side will then become.

And so since it's not recursive, you will just get that result in your resulting payload and be able to easily bypass any replace-based.

stuff. And one of the things I've seen some things do, like for example the sanitization functions in WordPress core, I was auditing those recently, they will put annoying characters there instead of just replacing it to nothing. You know, they'll put an underscore, like a squiggly sign or something like that, and it's like, well that hacks up the whole situation. So if you see any sanitization where the thing that they're replacing with is nothing,

Then you might be able to do and the thing that they're replacing is more than one character Then you may be able to do something funky there

Joel Margolis (teknogeek) (01:00:56.938)
Yeah, for sure. I was gonna say like the recursive aspect that you mentioned is a pretty big caveat there. Like definitely like if, I think almost all of these, if you just put it in a, you know, while loop that checks if it had any replacements and then, you know, exits out whenever it's done replacing, that would fix it, right? Like if you did a dot slash and just kept replacing until it didn't replace anymore, problem solved. But you know, it can be very difficult.

Justin Gardner (@rhynorater) (01:01:14.151)
Mmm.

Justin Gardner (@rhynorater) (01:01:17.925)
Mm-hmm.

Justin Gardner (@rhynorater) (01:01:22.448)
True.

Joel Margolis (teknogeek) (01:01:25.518)
And the context, I think, this is something that's not context aware, right? So the big issue of replacing a dot slash is that it's not context aware. It doesn't know what's around it. It doesn't know how it's being used. And so trying to do that generically is kind of difficult. If you say, I don't want a dot slash anywhere, then you can recursively replace it. Easy. But that's not always easy. So I like that one. That's a good one. Another nuance, what I'm thinking of it is that by default in JavaScript,

Justin Gardner (@rhynorater) (01:01:33.314)
Mm.

Justin Gardner (@rhynorater) (01:01:45.313)
Mm.

Justin Gardner (@rhynorater) (01:01:48.44)
Yeah.

Joel Margolis (teknogeek) (01:01:55.63)
dot replace is the first match only. So if you take a string and you do string dot replace in JavaScript, it only replaces the first instance. The right way to replace every instance is that you're supposed to do string dot replace with a regex that global matches. It's very weird. Yep.

Justin Gardner (@rhynorater) (01:02:00.385)
Mmm.

Justin Gardner (@rhynorater) (01:02:13.312)
Really?

123 space 123 replace 123 with squiggly. Check that out. Huh. I know I've seen that before, but I don't know that I've done it. So there's actually a replace all function as well in JavaScript that will do all of them. But the.

Joel Margolis (teknogeek) (01:02:33.889)
Okay.

Justin Gardner (@rhynorater) (01:02:39.911)
Single replace, man, okay, anytime auditing JavaScript, let me just get this in my head, come on, I gotta turn it into a formula in my head. Anytime you see.replace in a JavaScript scenario, alert, alert in the brain, okay. I've...

Joel Margolis (teknogeek) (01:02:54.422)
Yes. Yeah, the first parameter has to be like a global regex for it to actually replace all the instances.

Justin Gardner (@rhynorater) (01:02:59.939)
Very interesting. I have now stored that in the hacker brain. It's gonna stay there forever now. Very good. All right, let's see. Oh, okay, so then we've got this super weird one, okay? So this next one is anything that allows you to call functions or control code flow in an abstract or uncommon way, okay? I know that that's really out there, but it should make sense after I'm done explaining it, okay? So PHP does this super whack thing.

where you can call strings. And it's so dangerous, it's so dangerous. And I've...

Joel Margolis (teknogeek) (01:03:36.215)
This is one of my favorite features of PHP, but keep going.

Justin Gardner (@rhynorater) (01:03:39.435)
Okay, well, you know, I'm very excited to hear about that afterwards. But this has resulted in multiple criticals for me over the past couple months. And essentially, this sort of functionality is just extremely dangerous. For example, one of the common code patterns I'll see is they'll say in PHP, this, you know, meaning the current class arrow, and then some string variable that you can control, and then call the function.

Joel Margolis (teknogeek) (01:03:42.754)
Yes.

Justin Gardner (@rhynorater) (01:04:08.419)
that's associated with that string variable, in pass in, something like the entire request, dollar sign underscore request, which contains all of your parameters, it's a map that contains all of your parameters that you've defined for the request.

directly into that function. And so there's just so many weird things you can do with this. I couldn't believe it when I saw this actually coming up a couple times. It was really weird. But in order to make this a more general statement, I'm trying, I wanna emphasize that any sort of functionality in the app that will allow you to arbitrarily call functions even in a limited context, pretty weird and should kind of set alarm off and make you investigate further.

Joel Margolis (teknogeek) (01:04:52.534)
Yeah, I think in standard languages, this would be like reflection. If you see like reflection somewhere that's like pulling a method by a name and then later calling it or, like that's kind of weird behavior. And this is what a lot of that is. This is one of my favorite PHP features cause it's from a developer side, it's great. Like, it adds a lot of flexibility into your code because normally like, well, it's like, like the real way that you do this,

Justin Gardner (@rhynorater) (01:05:02.212)
Yeah.

Justin Gardner (@rhynorater) (01:05:11.46)
Oh my gosh.

Justin Gardner (@rhynorater) (01:05:16.295)
Yeah, a lot of flexibility. That's one way to put it. Ha ha ha.

Joel Margolis (teknogeek) (01:05:22.534)
Otherwise is like you call eval and eval's grows, you know, so instead you get to do this without calling eval and it's Yeah, it's secret eval the method has to exist, you know, but it's like yeah, you can you it's nice cuz For like deterministic code basically you can have multiple functions and then you can just be like this variable equals You know this function name Otherwise this variable equals this other function name and then you call it and it you know, there's a use case But it's pretty limited

Justin Gardner (@rhynorater) (01:05:25.367)
Yeah, it's like secret eval.

Justin Gardner (@rhynorater) (01:05:32.146)
Uh...

Justin Gardner (@rhynorater) (01:05:51.179)
Yeah, flexible code for sure. Lots of wiggle room in there, lots of yummy wiggle room for the attackers. Now it is a cool feature though, and it is very convenient. And I've seen some very, I guess, efficiently written code flows within the plugins that I've audited because of that. All right, last one on the list is sort of a type confusion.

sort of scenario, and I couldn't really figure out a way to generalize this super-duper well. But if you're dealing with languages that are not doing static typing, then you should always constantly be thinking, hey, can I get another data type in here? What happens if I turn this thing that they're expecting to be a string into an array?

You know, or what happens if I try to make them access the index of a array versus an object or an object versus an array, right? There's just a lot of flexibility here with type confusion bugs, and we talked about this a lot with Matthias on the episode in December. And we can see sort of the GitLab bug that we discussed at the beginning of this episode very much resembles that, right? They're expecting that email to be a string. And the fact that it was an array caused mass havoc for the GitLab team.

So anytime you see non-static typing on user controlled stuff, that should set off a flag too to just investigate a little further.

Joel Margolis (teknogeek) (01:07:14.41)
Yeah, absolutely. I think not only is this good for debugging, from a non-coded auditing perspective, we talked about this a little bit, where you can fuzz different data types and parameters to get the server to talk back, essentially. And that's really useful. But also, like this, the type confusion type stuff, where a lot of languages that are not strictly typed,

Justin Gardner (@rhynorater) (01:07:25.29)
Mm.

Justin Gardner (@rhynorater) (01:07:32.222)
Mm-hmm. Yeah.

Joel Margolis (teknogeek) (01:07:43.994)
Or even if they are strictly typed, they have to convert the input, the inbound data into a strict data type. And so in order to do that, they have to manipulate the data one way or another. And that leaves some gaps for how that data is being interpreted between like when it's being sent and how the server is actually handling it. And so I think depending on, you know, the language, depending on whether or not it's typed, depending on how it's being, some languages deserialize some, you know, automatically convert everything to strings.

Justin Gardner (@rhynorater) (01:07:49.145)
Mm-hmm.

Justin Gardner (@rhynorater) (01:08:01.571)
Mm.

Joel Margolis (teknogeek) (01:08:12.138)
You know, it's definitely worth looking into seeing what it's expecting and trying to fiddle around with some other data types and see what it does.

Justin Gardner (@rhynorater) (01:08:19.511)
Yeah, yeah, I totally agree. And one of the scenarios that I think that this comes up the most in is an int sort of situation, an integer.

for an ID, right? The person has named the parameter record ID, right? And they use that, they assume that it's gonna be an ID in whatever context they're in. And that it's gonna be a number. And that they haven't done that int typing, forced typing. What am I trying to say here? Forced typing, what is? What is the number of times that a person

Joel Margolis (teknogeek) (01:08:53.037)
Casting. Yeah, typecasting.

Justin Gardner (@rhynorater) (01:08:53.631)
Yeah, casting, thank you. I couldn't get the word. They haven't done that casting, right? And then you provide a string, and if they inject it into a URL context on the back end, secondary context bugs, that's like the bread and butter for secondary context bugs. And then also this can cause problems in SQL context as well, traditionally. And then the last thing that I wanted to mention here is that there's a whole type of bug class surrounding this sort of thing.

that I think is not super really talked about that I've been finding a lot of stuff related to lately, which is you give it a type that it doesn't understand and they don't expect that and it causes an error somewhere in the code and it just breaks the whole thing. You know? And so, you know, you can turn, this is an example, literally like 10 minutes before we started recording.

Menchie came up to me and said, hey, I've got this C-Surf, I can affect this really sort of benign thing, doesn't really impact the application very much. And I looked at it and I was like, hey, what if we just give it some sort of, what if we just give it ASTF, you know? Like what happens then? And we did and it just like broke the whole page, which is the most important page on that whole app. And so, you know, you go from like having this very minimal impact vulnerability to a type confusion to...

Joel Margolis (teknogeek) (01:10:03.426)
Wow.

Justin Gardner (@rhynorater) (01:10:14.359)
Wow, everything panics and everything's broken and now the page does nothing.

Joel Margolis (teknogeek) (01:10:19.155)
That's super, super good. I love that sort of immediate impact of being able to show the type of confusion into something meaningful.

Justin Gardner (@rhynorater) (01:10:20.683)
Mm.

Justin Gardner (@rhynorater) (01:10:26.827)
Yeah. DOS is a really, really good playground for that. All right, man. That's all I had on my list. Any other ones come to mind from you from all these? Or I think I think we hit a pretty comprehensive list.

Joel Margolis (teknogeek) (01:10:38.622)
Yeah, I think we hit a pretty good list. You know, as we mentioned, these are like good starting points. They're not explicitly bugs, but they're a good way to sort of narrow down your focus. And, you know, as you were sort of doing during this episode, I think it's good, like as you read through code, identify those problems, formulate them, store them in your brain, figure out what like weird things look like, and then you'll start to see more weird things.

Justin Gardner (@rhynorater) (01:10:43.546)
Mm-hmm.

Justin Gardner (@rhynorater) (01:11:04.93)
Exactly. Well said, man. And with that, we'll go ahead and cut it. That's the pod.

Joel Margolis (teknogeek) (01:11:09.363)
Awesome. That's the button.