Episode 60: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel review the Portswigger Research list of top 10 web hacking techniques of 2023.
Follow us on twitter at: @ctbbpodcast
Send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord
We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
Resources:
Top 10 web hacking techniques of 2023
5: HTTP Parsers Inconsistencies
7: How I Hacked Microsoft Teams
10: Hacking root EPP servers to take control of zones
Timestamps:
(00:00:00) Introduction
(00:04:26) 1: Smashing the state machine
(00:11:56) 8: From Akamai to F5 to NTLM... with love
(00:17:11) 3: SMTP Smuggling
(00:26:27) 4: PHP filter chains
(00:36:40) 5: HTTP Parsers Inconsistencies
(00:44:56) 6: HTTP Request Splitting
(00:53:43) 7: How I Hacked Microsoft Teams
(01:02:25) 9: Cookie Crumbles
(01:11:36) 10: EPP Server Takeover
Justin Gardner (@rhynorater) (00:00.644)
So I think I'm going to start this one off with a song, Joel. It's the most wonderful time of the year. It's the top 10 web hacking techniques of 2023 by PortSwigger Research episode. It's going to be lit.
Joel (teknogeek) (00:06.489)
uh... no or get a copy of straight to the first fifteen seconds on our deathly in copyright strikes
Joel (teknogeek) (00:20.406)
Oh yeah, this is gonna be a good one. I'm really excited.
Justin Gardner (@rhynorater) (00:23.824)
Yeah, dude, it is gonna be a good one, but let me say, I am, well, before I talk about myself, where are you right now, Mitchell? Cause you look like you're in a dungeon. Ha ha ha.
Joel (teknogeek) (00:33.298)
I am. I basically am. I'm in my parents basement. Yeah. Unfinished basement. This house is like 250 years old. So it's a it's like old school basement. But yeah, I drove from California to the East Coast to I guess I'll sshh I say which state I'll say East Coast. Yeah. But.
Justin Gardner (@rhynorater) (00:40.089)
unfinished basement.
Justin Gardner (@rhynorater) (00:45.189)
Oh my gosh.
Justin Gardner (@rhynorater) (00:48.82)
Wow, dude.
Justin Gardner (@rhynorater) (00:57.797)
No, just, you can leave that out for now.
Joel (teknogeek) (01:01.75)
yeah, I'm moving into a new house for clothing soon. And yeah, it's pretty exciting. Super pumped.
Justin Gardner (@rhynorater) (01:06.792)
Nice, man. Well, I saw the Zillow listing for your house. It looks awesome. And soon you'll be not in a dungeon, but in a mansion.
Joel (teknogeek) (01:15.706)
yes yeah well mention is that that's dot uh...
Justin Gardner (@rhynorater) (01:18.344)
Yeah, maybe a little, you know, just like contrast, contrastarily.
Joel (teknogeek) (01:23.662)
They're gonna think I'm loaded with batteries.
Justin Gardner (@rhynorater) (01:26.756)
It's all from that, you know, critical thinking money is what it is. Yeah. We're just, we're just loaded from doing this podcast. Oh man. Well, yeah, like you said, dude, it's going to be one heck of an episode. Essentially what we tried to do last year and what we're going to attempt to do again this year is cover all of the top 10 web hacking techniques of 2023, um, which PortSwigger releases. They do sort of like a competition every year.
Joel (teknogeek) (01:29.81)
Oh yeah, oh yeah, I got mansion money now. Ha ha ha.
Justin Gardner (@rhynorater) (01:56.952)
and the community votes on the top hacking techniques. And all of these are amazing pieces of research and are extremely technically dense. And so for the past, I don't know, it's probably taken me 10 hours or so to read through everything and fully understand and prepare a document and that sort of thing. Yeah, and so we're gonna try to condense it down to pretty much what you need to know, the tricks and tips and...
Joel (teknogeek) (02:07.389)
Yeah
Justin Gardner (@rhynorater) (02:25.828)
you know, assuming a base level knowledge of hacking techniques, what are the things about these specific pieces of research that stand out? And we'll try to condense that into one episode. Do you think we can do it, Joel? I don't know.
Joel (teknogeek) (02:40.274)
Uh... we're gonna, we're gonna try, you know. This, uh... yeah, I was reading through some of these, and they are really deep reads, uh... so yeah, even if we explain it well, I think, uh... the britches, so probably go read them all individually.
Justin Gardner (@rhynorater) (02:55.812)
Yeah, yeah. Disclaimer, we are going to skip number two, .NET serialization. What is it called? Exploiting Hardened .NET Deserialization, because it is a 124-page white paper that
Joel (teknogeek) (03:08.006)
Justin sent me this document, he was like, hey, can you just like read through these and make sure that they're like summarized? And so I picked the first one that's assigned to me and I opened it up and it's a GitHub link to a PDF. And I was like, oh, you know, this looks good. And I downloaded and I opened it up and it's page one of 124. And I was like, I sent him a picture. I was like, did you know that this is 124 page white paper? And he was like, wait, seriously?
Justin Gardner (@rhynorater) (03:12.02)
Hahaha!
Justin Gardner (@rhynorater) (03:25.46)
Ha ha
Justin Gardner (@rhynorater) (03:34.568)
I did not know that. So, you know, we're going to skip that one, but I think, you know, the rest of them we should be able to speak to fairly well. So let's get into it, man. First up is number one. We're going to start from number one this year. I don't know. Did we start from number 10 last year? I feel like we did.
Joel (teknogeek) (03:42.61)
Yeah, yeah, absolutely.
Joel (teknogeek) (03:51.314)
I don't know, but I'm gonna do it in whatever order it's in the doc, which I think is the same order that's on the post on PortSwigger, right?
Justin Gardner (@rhynorater) (03:58.)
Yeah, yeah, they are. This is the placing order. So number one, and it was kind of funny if you actually click the link to go and look at the actual
PortSwigger Research, you know, the top 10 web hacking techniques of 2023 research. There's like a description for each one of them. And number one, obviously, James is the one that kind of puts this on, James Kettle. And then he's, you know, he won number one, as it should, because it's amazing research. And so he says, in the beginning of the description for that, he says, "Well, this is awkward. I always knew that there was a risk of rating research when I also published it myself. And after seven years, it finally happened. I now have to declare that my own research is the best."
James, we all knew your research was the best. Your research has always been the best. No, really. Kind of crazy. But yeah, so he released some research this year. James did. James Kettle. And he releases research every year. And I always make a habit of trying to read it as soon as possible, because oftentimes he's highlighting systemic issues that can be exploited in lots of different environments.
Joel (teknogeek) (04:39.038)
It wasn't really a question.
Justin Gardner (@rhynorater) (05:03.292)
And so I was being a habit of reading this right off the bat. So I've read through this multiple times before now. This is my third or fourth time through it. And this is a particularly simple, to be perfectly honest, exploit that James kind of came out with this year. It takes some.
pieces of research from two different researchers and some of his own research from the past, combines it together with some features of HTTP2 and creates this super awesome technique which is like now the go-to technique for race conditioning testing in web applications. Have you seen it? Joel, have you read through this whole thing?
Joel (teknogeek) (05:46.314)
Well, yes, interestingly, this research is actually used in another one of the top 10 vulnerabilities. Yeah, so I'll let you cover it. I think it'll make the other bug make a little more sense.
Justin Gardner (@rhynorater) (05:52.571)
Oh really?
Justin Gardner (@rhynorater) (05:58.62)
Cool, I didn't get the chance to read through all of the ones that we assigned to you, so I'm interested in hearing about it too. But essentially, to summarize this research, James figured out a way to abuse Nagel's algorithm, which is sort of like a TCP algorithm that is used to optimize TCP packets being sent.
so that there isn't a bunch of TCP metadata and then one byte of data. In conjunction with HTTP2, in conjunction with the last byte sync sort of idea that he had from a couple years back on getting race conditions to align. And essentially, the new thing is he utilizes HTTP2, which can send multiple sort of HTTP requests.
streamed together in a single TCP packet. And then essentially he only, he used, in one TCP packet he puts the last byte and sometimes the last byte and the end stream frame for the HTTP2 sort of structure in the same TCP packets for a bunch of different HTTP requests. So stream most of the body for all the HTTP requests, save the last byte and the end stream frame.
and then send those all at once, and that will complete all of those HTTP requests all at once and essentially get your hit times for these requests down to sub one millisecond, allowing for very effective race conditions to be achieved. Amazing technique, absolutely mind-boggling.
Joel (teknogeek) (07:40.138)
Super interesting. I misspoke, this is a different piece of albinowax research. Yeah, no, so yeah, well, I'll explain my other one when I get there. But yeah, no, this is a, I mean, one of the things that I really love about James's research is that he approaches things from like a fundamental level, right? He's like, for a long time he was looking at like, you know, HTTP smuggling and
Justin Gardner (@rhynorater) (07:46.128)
Oh really?
Justin Gardner (@rhynorater) (08:01.596)
Mm-hmm.
Justin Gardner (@rhynorater) (08:05.803)
Mm-hmm.
Joel (teknogeek) (08:05.954)
desyncing and all that kind of stuff, and like attacking like the layer, layer 3, layer 4, that, you know, level, you know, HTTP servers and all that kind of stuff. And then now he's at like the TCP layer, which is like so close to, like, I mean, the next albinowax, you know, research is gonna be plugging in an ethernet cable and like
Justin Gardner (@rhynorater) (08:21.203)
Yeah.
Justin Gardner (@rhynorater) (08:29.58)
he's gonna be like, and at the MAC address level, no. I do like that, how he approaches it from a holistic perspective. And I also think that this specific writeup, so the concept is pretty simple, group the last byte for a bunch of HTTP requests into one TCP packet with all this data being sent over HTTP2. So that's really cool. And in the writeup, he does a really good
job of making the algorithm seem really simple. And he actually condenses it down to just a couple bullet points. So I'm just going to read it word for word here. He says, excuse me, first, presend the bulk of each request. If the request has no body, send all the headers and don't set the end stream flag. Sorry, flag. I said frame, but it's a flag. And withhold an empty data frame with end stream set. If the request has a body, so that was what there was no body.
then send the headers and all the body except the final byte, withhold a data frame containing the final byte, okay? So that's all you've got to do. It's really easy to implement in various different libraries as well. So this is something that I would really, really like Caido to implement. Or once we get a sort of plugin extensibility piece of Caido, I will really be looking forward to using this because I know Burp has a feature now where you can group a bunch of tabs in Repeater
into a group and then you can right click and hit send in parallel and it will actually use the single packet methodology to send all of those together and synchronize them and I just think that's such a beautiful simple way to do race conditioning.
Joel (teknogeek) (10:08.446)
Yeah, yeah, exactly. Maybe this is somewhat related then, because the, I'll talk about this bug now. Are you, was that your?
Justin Gardner (@rhynorater) (10:18.409)
Yeah, that's about it for this one. The takeaways for this one I just want to highlight again is understanding how it works with the HTTP2 and including only that last byte as well as the end stream flag as well. And then also just being able to do this in burp with the send in parallel. Those are the main takeaways for this one and allow you to also getting down to one millisecond.
time which would really, really make, and this is also, no network jitter affects this because it's all hitting the server at the same time, which is just revolutionary. So, yeah, that's my, I've said my piece now. Where did you want to go with that next, Joel?
Joel (teknogeek) (10:59.182)
Okay, so what I was going to say is, you know, so this next bug also, this is a number two, sorry, because number two was a, I know, number, well, number two was the 124-page white paper about .NET serialization. So I will jump around. I'm going to jump to number eight, which is the, From Akamai to F5 to H2, to NTLM with love. Now this is a really, really cool bug.
Justin Gardner (@rhynorater) (11:05.562)
Oh my gosh, Joe, we're gonna jump around. Okay, what number is this?
Justin Gardner (@rhynorater) (11:11.619)
Okay, okay, okay.
Joel (teknogeek) (11:28.25)
It's one of those bugs that you read through and you're like, wow, this sounds almost too simple to be true. Because essentially it is like textbook HTTP request smuggling. They were just doing a normal pen test. They were looking at this target. At the end of their test, they ran an HTTP smuggler, scanned through burp, and it came back with a bunch of findings. And like, oh, that's kind of weird. You know, it looks like the trace method is being processed by this backend server.
Justin Gardner (@rhynorater) (11:32.264)
Mm.
Joel (teknogeek) (11:57.85)
And there were a lot of references to Akamai and Akamai Edge servers. And so he did a bunch more testing and he noticed that indeed there was a specific gadget that he was able to put together that you could put HTTP request smuggling through the Akamai Edge, directly attacking the Akamai Edge itself instead of the customer servers underneath, but you would have the ability to attack other proxies and stuff. Right? And so...
Justin Gardner (@rhynorater) (12:02.6)
Mm.
Joel (teknogeek) (12:26.518)
Because there are so many different possibilities, he initially found like right away, 25% of the global caches could be poisoned through cache poisoning directly through the HTTP smuggling. So HTTP request smuggling into the Akamai edge servers, and then from there, you can smuggle whatever you want. You can poison the cache of internal servers, the Akamai cache, all that kind of stuff. But then he also realized like, oh, I mean, big IP by F5, this is vulnerable to...
Justin Gardner (@rhynorater) (12:36.222)
Oh my gosh.
Joel (teknogeek) (12:55.958)
you know, cache poisoning as well. A lot of people use big IP, especially behind Akamai. So he started scanning through Akamai using his vulnerability to find other big IP servers. And sure enough, like, you know, three quarters of the big IP servers were also vulnerable to cache poisoning. So he's going through, he's farming, he's submitting a bunch of reports, he's getting three, 4,000, you know, per report. He's got like 20, 30 of these reports. And...
Justin Gardner (@rhynorater) (13:13.1)
Oh my gosh, dude.
Justin Gardner (@rhynorater) (13:23.548)
Holy moly, look at this.
Joel (teknogeek) (13:25.27)
Then he's looking through his callbacks, and he's like, huh, what is this weird auth callback? And he realizes that there's this NTLM auth over HTTP thing that exists for Office 365 and a bunch of other things. And as it turns out, you can also use that to steal NTLM hashes. So he was able to, through the Akamai Edge into F5 BigIP,
Justin Gardner (@rhynorater) (13:38.44)
Yeah.
Joel (teknogeek) (13:53.422)
poison the NTLM cache to get NTLM tokens back and, you know, full auth takeover, you know, full arbitrary redirects through cache poisoning. I mean, absolutely insane. Absolutely insane.
Justin Gardner (@rhynorater) (14:05.344)
Oh my gosh, yeah, I'm looking at this at the end here. They just got like a bunch of NTLM hashes just pouring in via Responder, which he's using to catch them, it looks like. Wow, I wonder why... Oh, this is interesting here. So why were they reaching out to Auth in the first place? Something super weird is going on here with Microsoft stuff.
Joel (teknogeek) (14:12.938)
Yeah. Yeah, exactly.
Joel (teknogeek) (14:28.07)
Yeah, I have a feeling it's because of the like weird redirect stuff that he was testing out, where he realized that, because he could cache poison, he could basically arbitrarily redirect people from whatever to wherever. So bank SSO or, you know, customer logins or like anything, you could put them anywhere. And so I think he was just redirecting a bunch of stuff and started to notice that, you know, that he was getting these Microsoft
Justin Gardner (@rhynorater) (14:56.04)
Wow.
Joel (teknogeek) (14:58.243)
uh... logins
Justin Gardner (@rhynorater) (14:59.336)
Dude, request smuggling is such a crazy vulnerability because you just start seeing traffic from other people's sessions and stuff like that. And yeah, I hadn't even thought about putting that together with any sort of NTLM-based auth because yeah, there are mechanisms for that in Microsoft environment. That is really cool, man. What a cool write-up. Right?
Joel (teknogeek) (15:20.138)
Yeah, yeah. And it really depends on the org and how they set it up. But yeah, I mean, this was such a cool, and I liked how he was able to scale it. I find that's kind of challenging for me. When I find something, I usually rely on somebody else to help scale it, but being able to identify that this is a widespread issue and scale it yourself is pretty awesome.
Justin Gardner (@rhynorater) (15:33.126)
Mm.
Justin Gardner (@rhynorater) (15:41.812)
Yeah, dude, that's sick. I'm definitely gonna go back and redo this one a little bit more. I feel like HTTP request smuggling is like one of those things that there are a couple people that are really good at it, and it shows up almost every live hacking event still too. You know, somebody gets like some massive crit from HTTP request smuggling. And it's not like the normal, the normal like big crit players normally. It's like these people that are really good specifically at request smuggling. So I think that's one of the things that I need to sit down and sort of deep dive over the next.
Joel (teknogeek) (15:55.276)
Yeah.
Justin Gardner (@rhynorater) (16:12.046)
I don't know, a couple months, and try to understand that a little bit better. I've found it a couple times, but mostly just relying on Burp and its scanner to tell me when, hey, there might be something funky going on here.
Joel (teknogeek) (16:22.31)
Yeah, same. I feel like it's one of those things I've exploited maybe like a handful of times, but I'd like to get a lot better at it.
Justin Gardner (@rhynorater) (16:26.512)
Mm.
Yeah. All righty. Let's jump to number, I guess, so that was number eight. All right, Joel. Thanks. Thanks for that, Joel. Now I'm going to have to go ahead and I'm going to have to go in here and, what it was, straight. Okay. I'm going to talk. You strike through number eight and number one on our list so that I know which ones we've actually done.
Joel (teknogeek) (16:34.974)
Yeah, sorry. Sorry.
Joel (teknogeek) (16:40.29)
We'll go back into order a little bit. You wanna do three?
Justin Gardner (@rhynorater) (16:50.576)
And I'll jump down. So like we mentioned, we're skipping number two, .NET serialization, because it's very long and we didn't have time to prep it. And we're gonna jump right to SMTP smuggling, okay? And I thought this write-up was very funny. It's number three in top web hacking techniques of 2023. And there's a quote from this write-up that says, literally, quote, "Since this blog post is about SMTP smuggling..."
I'm like, why is this in the 2023 top web hacking techniques if it doesn't even have anything to do with web applications? Which is true, it doesn't. So the rest of the writeup proceeded to explain a bunch of SMTP security mechanisms and it does a really good job of...
Joel (teknogeek) (17:22.99)
Hehehehe
Joel (teknogeek) (17:26.946)
Ha ha
Justin Gardner (@rhynorater) (17:39.644)
like starting from zero, because a lot of people that are reading this, or at least for me as a web hacker, aren't familiar with the SMTP protocol super in depth. So they give a nice summary of SPF, which is essentially in place to validate what IP addresses and domains are allowed to send mail for a certain domain. They talk about DKIM, which is providing a signature for the body so it isn't tampered with, also validated over a TXT record by DNS.
And also DMARC, and DMARC is the one that's really doing a lot of the heavy lifting here because SMTP protocol has two sort of from fields, right? There's the mail from field, which is sort of a part of the SMTP metadata or the commands that are being sent to the SMTP server when data is being transmitted. And then there's like the message data from field, which is...
like a different from field. So often something that, a technique that's used to spoof is having the mail from be different from the actual message data from. And DMARC sort of solves that issue by comparing SPF, DKIM and the from in the actual body of the message to ensure alignment and that sort of thing. And in this technique, so it's called SMTP smuggling. And the reason for that is the guy sort of took
Joel (teknogeek) (18:42.613)
Mm.
Justin Gardner (@rhynorater) (19:01.036)
inspiration from James Kettle's HTTP smuggling research and said, hey, how can I apply some of these things to SMTP? And the sort of data end indicator in SMTP is normally `\r\n.\r\n`, right? So, he's like, okay, I wonder what we can do to kind of work around that. And so, eventually, what he ends up doing is finding that some servers will accept `\n.\n`
Joel (teknogeek) (19:19.384)
Mm-hmm.
Joel (teknogeek) (19:29.586)
Mmm.
Justin Gardner (@rhynorater) (19:30.516)
or `\r.\r` as the terminator for a specific message, right? Piece of message data. And he can use that difference along with some, I guess, binary data encoding stuff on some servers to essentially create a mismatch between the relaying SMTP server, the one that's sending the message, the one that the SPF record points to, and the SMTP server that receives the message.
Joel (teknogeek) (19:37.247)
Interesting.
Joel (teknogeek) (19:55.799)
Mm-hmm.
Justin Gardner (@rhynorater) (19:59.684)
And because, you know, all of this authentication is happening on the other side of this, you know, you're essentially taking advantage of a mismatch between the relaying server, which is allowed to send mail for like something like outlook.com, right? Some big domain. You know, that input is trusted. So when I was looking at it, it kind of reminded me of sort of a mix of SSRF.
because it's taking advantage of what that server's authority is, right? And that server's position as a trusted entity to send mail and HTTP request smuggling to send mail from pretty much any domain, which was totally badass, but not necessarily related to web hacking in the most clear way, right?
Joel (teknogeek) (20:48.334)
Yeah, not quite web hacking, but I mean, now I'm thinking like, you know, here we are leaking NTLM hashes over HTTP, so, or, you know, maybe it is possible somehow, in some way, maybe there's some proxy server that will allow you to send to SMTP or something.
Justin Gardner (@rhynorater) (20:56.856)
Yeah, yeah, that's true.
Justin Gardner (@rhynorater) (21:03.133)
Mm.
Yeah. So, sort of big takeaways for this one, kind of understanding and applying HTTP smuggling methodology, where does the data part of the transmission stop? And how can I get a mismatch between two different entities on that? That's one big thing. And I also just really like the concept of applying HTTP vulnerabilities to different protocols that might have similar functionality.
So I'm sure that there's other protocols out there that could benefit from HTTP smuggling-esque sort of vulnerabilities. And I think we could definitely see some cool research coming out like that in the future.
Joel (teknogeek) (21:48.606)
Yeah, you know, it makes me think especially like how, what this looks like on like code analysis side, cause that's, I feel like that's one aspect that I haven't really seen covered. Like a lot of this seems to be very, very black box approach. Like almost like there's some weird magic that goes on when I send all these requests in a certain way and it just kind of works this way. But I'm more curious, like why, like why does it work that like where, you know, and is this like a pattern?
Justin Gardner (@rhynorater) (22:10.918)
Mm-hmm.
Justin Gardner (@rhynorater) (22:14.376)
Yeah.
Joel (teknogeek) (22:16.918)
because to some extent, this sort of behavior is a pattern where you can basically trigger it. I mean, we've seen it as well. We can sort of tangentially talk about this, but the bug that we found in LA, which uses line termination stuff, or how it's basically parsing where the end of things happen.
Justin Gardner (@rhynorater) (22:35.244)
Okay. Oh yeah, yeah.
Joel (teknogeek) (22:46.562)
you know, weirdness with the inconsistencies between like one way of parsing it and another way of parsing it. So I'm really, really curious how this kind of stuff looks from source code and if there's some way that we could maybe scan for that.
Justin Gardner (@rhynorater) (22:58.056)
For sure, it's just kind of crazy to me as well that, you know, all these protocols have to be able to.
convey arbitrary data, right? Like I need to be able to send an email to you saying, hey, SMTP ends with, you know, newline.newline, right? And then that newline.newline has to be included in the SMTP message that's sent, but also is the terminator, you know? And so there's sort of like that data inception of sorts that happens. And when delimiters like that are used, I think there's room for problems. I have a zero-day
in a CSS-via-JS library right now that essentially dynamically creates CSS rules and inserts them into the DOM. And when it does that, it breaks on a specific character sequence. And if you take that character sequence and you stick it in a content attribute, it's
inside CSS, which allows for strings, right, by nature, then it will split on that instead and allow you to get arbitrary CSS injection and will even allow for you to do like, what is it, cyclical input chaining where you can import other CSS style sheets from a different server. And that uses the same thing as like, there's some delimiter, can we inject that delimiter
delimiter that some parsers will recognize as the delimiter itself.
Joel (teknogeek) (24:33.002)
Right. Any sort of normalization, anything like that. Yeah. Super cool. That's a super, super cool bug.
Justin Gardner (@rhynorater) (24:36.512)
Exactly. You know, this is one of the things that that's really nice about doing a podcast. Joel is like, you know, we often have to look at all this stuff and think what, what sort of high level principles, what kind of overarching things can we draw out from this research and apply to other areas when we're talking about it on the pod? Um, and I think just having the ability to.
or having to develop the ability by reading it over and over and over again to talk about it and then pull out those principles is definitely making me a better hacker every day. I can feel it.
Joel (teknogeek) (25:12.746)
Yeah, yeah, I mean, same, dude. It's, I mean, because it requires some level of stepping back. I mean, we could have gone through and read these line by line, but it wouldn't, you know, then the reader, listener has to do what we're doing there. And so, you know, it's nice to sort of get those brain juices flowing, and you're making me think, you know, on a Monday.
Justin Gardner (@rhynorater) (25:18.033)
Mm.
Justin Gardner (@rhynorater) (25:23.952)
Yeah, exactly.
Justin Gardner (@rhynorater) (25:33.653)
Yeah man, it definitely is tricky. And you know what they say, if you can't teach it, you probably don't understand it thoroughly. So hopefully we can understand all this stuff thoroughly. Oh my gosh, this one is such a beast too. Oh my gosh. Good luck Joel.
Joel (teknogeek) (25:41.982)
Yes sir, yes sir.
Joel (teknogeek) (25:45.854)
Alright, well on that note, let me try and thoroughly explain this, uh, this... Oof, okay, yeah, I... Yeah, I don't... I don't know if I fully understand this one, to be honest. It's... it's... Heh heh heh!
Justin Gardner (@rhynorater) (25:57.376)
We should have taken bets in advance. Like, all right, how many out of, so we each have five, right? How many out of five are we gonna be able to successfully get a passing grade on? But, all right.
Joel (teknogeek) (26:07.526)
Yeah, they're getting... Okay, so this one was really, really cool. This one, what was the title? It was titled PHP Filter Chains: File Read from Error-Based Oracle. Okay. So to start with, an error-based oracle is essentially, you know, similar to a SQL injection, where, you know, an error-based injection, basically you're triggering some sort of error and using that as a way to identify that something is happening or not happening.
Justin Gardner (@rhynorater) (26:16.38)
Mm.
Joel (teknogeek) (26:37.09)
There's this concept in PHP where there's the PHP protocol, like `php://`, and then there's all these different attributes that you can put after it. And one of them is filter. And you can actually chain these things together. So there's all these different filters that are built into PHP that you can combine in sequence to do all sorts of really, really interesting things. There's rot13 for shifting characters, there's UTF-8 encoding, Unicode encoding.
and the encodings are really a big part of this. You can do base64 encode, decode, tons and tons of things. Now there's a few key different filter attributes basically that this researcher used, and it mainly relies on this UCS-4 encoding. Now, when you do this UCS-4 encoding, it basically pads out each byte into
multiple bytes, because there's more bytes needed for each encoding of every single character. And by doing that over and over and over again, you can essentially grow the input to such a large output that it creates a memory overflow and throws an error. All right, so there's our error oracle. Yeah, so that's what is at the end of the chain, right? And then the goal is, how do I make this thing exit early in a predictable way, so that if it exits early, I know it's one thing.
Justin Gardner (@rhynorater) (27:48.456)
No way. You're kidding me, man.
Joel (teknogeek) (28:00.618)
If it throws an error, I know it's another thing. And that is the oracle itself. So you can use this filter, dechunk, which is really designed to parse chunks of, chunked-encoded data, right? CRLF-ended data. And the first character is intended to be the length of that chunk. And so it will parse it as a hex character. And so if the first character is a hex,
Justin Gardner (@rhynorater) (28:14.44)
share.
Joel (teknogeek) (28:27.394)
then it says, okay, that's the length, and then it looks for a CRLF after it. If it doesn't find a CRLF, it bails out, so it doesn't throw an error. So now you know whether or not it's a hex character, but you don't know which hex character. So then there's another encoding that you can do, this IBM930, or it's CP930 encoding, and every time you encode it, the way that this encoding works is that it actually shifts...
Justin Gardner (@rhynorater) (28:31.412)
Ha ha ha!
Justin Gardner (@rhynorater) (28:36.261)
No way, dude.
Joel (teknogeek) (28:55.178)
the alphabet over by like 1. So like an A would be hex 61, but in this encoding it's actually hex 62. And so it, you can do this over and over again. So say you shift it one time and nothing happens, then you shift it two times, nothing happens, shift it three times, nothing happens, shift it four times, it crashes. Well now you know what the shift is so that you can go backwards and you can figure out what each character is, and then you can do stuff like rot 13 to...
rotate them to get them into a known range, or you can do the byte order mark encoding so that it goes backwards instead of forwards, so you can read from the end instead of the beginning. I mean, it's such a, such a cool attack. And you can, as I said, you can chain these things together. So he has this code that basically generates this massive long chain of all these different PHP filters in order that...
Justin Gardner (@rhynorater) (29:28.68)
Holy moly man.
Joel (teknogeek) (29:50.126)
do all sorts of different shifting and byte offsetting and encoding and decoding and all this stuff to leak one character at a time, an arbitrary file. And there's so much impact. There's a ton of different PHP attributes that are affected by this. You can use it for a ton of different functions. fgets, fgetsc, fopen, parse_ini_file, hash_file.
Justin Gardner (@rhynorater) (30:15.992)
Oh my gosh.
Joel (teknogeek) (30:18.958)
PHP standard in, PHP standard out, PHP memory. It's really, really interesting. And it's one of those things, they highlighted a little bit in the research, but like these, many of these filters exist, but are not well documented on how they work. Like the dechunk filter, which is used to parse these, these content transfer encoding chunks. It's like written in C and it's like in the source code, but
there's not really very good, clear documentation on how this stuff actually works. So it's just such a really, really cool use of the technology. And one really fun thing is that at the very beginning of this blog post, it says this attack method was first disclosed during the DownUnderCTF 2022. So this all came from a CTF. And I don't think anybody actually solved it. Yeah, nobody solved it.
Justin Gardner (@rhynorater) (31:06.973)
Oh my god. Of course it did.
Justin Gardner (@rhynorater) (31:13.709)
No way, really? Oh wow.
Joel (teknogeek) (31:15.258)
Yeah, but basically the whole challenge was just a file call on a post parameter. So you can provide it an arbitrary input and it gets fed into the file function in PHP. That's it. It doesn't echo it. It doesn't do anything. It just calls it. And using this, right, as an error-based oracle, you could character by character have read through the whole file. Yeah.
Justin Gardner (@rhynorater) (31:29.716)
directly.
Justin Gardner (@rhynorater) (31:35.208)
No way, dude. That is like... So I just want to specify, Joel, I told you before this episode that I had read this. I did not read this. This was something very different from what I read. So Synacktiv, the people that did this, that wrote this up, also did another article called PHP Filter Chains and What It Is, or What It Is and How to Use It, okay? Yeah, it was. And...
Joel (teknogeek) (31:46.048)
hahahaha
Joel (teknogeek) (31:57.386)
Yes. Yeah, that was the precursor to this one.
Justin Gardner (@rhynorater) (32:01.888)
my mind was already blown at the precursor. And essentially what the precursor does is gives you a script essentially to generate arbitrary content for essentially include-based stuff, right? So if you needed to, you no longer need to actually, if you have a PHP include, you don't need a file upload anymore to get RCE from an LFI. You can just use this file or this PHP scheme with all these different filters to generate arbitrary data, which then gets
you know, read and generates PHP functions, which is nuts. And I thought that was crazy. And now they've got this other thing where they're like literally doing 16 different ways of leaking data, like by the byte, which is absolutely nuts, man. So this is so cool to see, but I don't know, man. I mean, I'm sure this has real world application where people will use this to actually leak files, but like.
Joel (teknogeek) (32:34.986)
It's so cool.
Justin Gardner (@rhynorater) (32:59.016)
This is just the most CTF thing I've ever seen in my life. So.
Joel (teknogeek) (33:04.018)
I love it. It's almost like the balance between like a CTF and Code Golf, where like it seems so simple and you're like, okay, there's got to be some weird functionality here. And I love thinking about problems in that way, even if it's not a CTF problem, because it really makes you think creatively about like, okay, let's imagine this is vulnerable. What are the mechanisms? What's every single lever I can pull,
Justin Gardner (@rhynorater) (33:08.561)
Yeah.
Joel (teknogeek) (33:31.707)
and let me go through every single one and figure out what I can exploit.
Justin Gardner (@rhynorater) (33:36.112)
Yeah, and I'm looking right now at this exploitation video. I just kinda got like nerds time, and it's fast too. It's not particularly slow. I thought it'd be like, try like 160 requests or whatever for one byte, but it's pretty fast too, which is very impressive. Wow.
Joel (teknogeek) (33:42.242)
I'm sorry.
Joel (teknogeek) (33:48.538)
It's really impressive.
Justin Gardner (@rhynorater) (34:01.612)
What a piece of research. Man, dude, you got so many of the, you got so many cool ones. Now I gotta, well, I'm sure they're all cool, you know, I gotta go and read them all. But that one's definitely, I'm gonna go back and reread that one. Although I probably, should probably go back and reread it next time I've got an LFI because I'm definitely not gonna remember any of that shit the next time that I, yeah. Yeah. I've had an LFI on-
Joel (teknogeek) (34:01.863)
Yeah, super, super cool.
What?
Joel (teknogeek) (34:21.924)
Well now I'm thinking about WordPress, especially, and the impact there.
Justin Gardner (@rhynorater) (34:28.628)
WordPress stuff in the past year for sure. Actually in the past three months. But I think actually something interesting is going on with PHP 8. I believe PHP 8 doesn't allow you to do the PHP scheme anymore for a certain number of calls. I wanna say like fstat-based calls, I think. So like file_exists and that sort of thing. Or stat-based calls. So that's something to look up as well.
Joel (teknogeek) (34:30.315)
Yeah.
Joel (teknogeek) (34:44.694)
oooo
Joel (teknogeek) (34:51.958)
Mm-mm. I see.
Justin Gardner (@rhynorater) (34:59.28)
All right, man, number four on the list done. We're making progress, we're pushing through. Next one on the list is HTTP parsing consistencies. And I actually super loved this research. I've tweeted about this research before, it got put on the list here. But this is such a great example of just like really quality, high quality, Lee conducted research. What am I trying to say?
The quality of this research is very high in the way that they've conducted it. And there's a bunch of different backends that essentially they've compared with how Nginx in particular parses routes. And they provided vulnerable configuration specifically based off of the trim or strip functionality associated with these languages. So essentially what kind of characters like a newline character like
you know, whitespace characters, non-displayed characters, that sort of thing, can you append at the end or at some spot in a route that will make it not match a nginx rule or match an nginx rule and still match a route on the backside? So let's say you've got sort of like a blacklist on the front end for, you know, nginx, and you wanna...
access an admin route on the back end. So that's the whole scenario they set up here. They set up like just like a slash admin route or whatever that just says admin. And it's a, they've got an Nginx route on the front end that just says deny admin. And then they get access to that by adding these various characters. So I'll just kind of read through these really quickly to give you guys an idea for the various languages. And hopefully you'll go and document these yourself so that you, you know, when you see the various
pertaining to these various technologies, you'll understand what kind of inconsistencies could be in place with NGINX in those backends. So, first up was Node.js, and there is a bypass, there are many bypasses for Node.js when it comes to NGINX reverse proxy sort of, I guess, blocking or blocking a specific route. The one that works in the most versions is the backslash xA0.
Justin Gardner (@rhynorater) (37:24.825)
So that code point. And that works in versions 1.16 through 1.22. But there's also other ones such as the hex 09 and 0C characters that get stripped out by Node's trim function. And they don't get stripped out by Nginx on the front end. So Nginx assumes it's a different route,
but the backend understands that once it's trimmed, this is actually just the slash admin route.
Joel (teknogeek) (37:57.406)
Yeah, and I'll interrupt for a second. I just love this aspect of hacking, where it's like, so often when you're testing these types of things, you're putting like dot slashes or percent zero A or backslash N, but you're not actually trying the character itself. And this is like the cool step, where it's like an actual, you know, like XA0, or like this weird hidden non-printable character that...
Justin Gardner (@rhynorater) (37:59.916)
Mm, sure.
Justin Gardner (@rhynorater) (38:21.004)
mm-hmm yeah
Joel (teknogeek) (38:26.15)
is getting sent through and parsed weirdly.
Justin Gardner (@rhynorater) (38:26.32)
Mm. Yeah. No, it is really good stuff, and it's odd to me, and I haven't taken the time to dive deep and understand why each one of these specific characters is a part of.
the various languages, trim or strip functionalities. But it's kind of odd that this is so hard. Why can't we just say, okay, white space is a space and a tab and a new line, you know? And the answer to that is because there's so much variance in the specs and stuff like that. But it's just something that seems like it shouldn't be that hard, but is actually very hard. And that margin is where we live, Joel. That margin is where we make our money.
Joel (teknogeek) (39:05.03)
Exactly, we live within the margins.
Justin Gardner (@rhynorater) (39:07.944)
Exactly. So cool takeaways for this one, you know, make sure you're trying all of these sort of hexadecimal code points, which obviously correlate to various ASCII characters. I guess maybe not be within the ASCII range. But these are all very cool to try out. And essentially what we need to be able to do is identify, hey, there's nginx plus some backend.
where the incompatibility is there. So the ones that they've talked about here are Node, specific Node versions, Flask, Spring Boot, PHP, and I think that was it. And they also talked about some stuff with AWS
WAF in particular, which was super weird, okay? So I'll deviate from that whole strip and trim functionality there to bypass various NGINX blocking rules. And actually talk about this other sort of like extra that they kind of threw into this writeup, which is essentially like apparently some backends parse line folding in headers.
as a thing, so essentially you have an HTTP header, right, so x colon, blah slash r, slash n, right? And then if the next line starts with a tab character, then it assumes that is a continuation of the previous line and is actually a part of the character that's above it. So in the writeup, they actually found a way to bypass the Amazon WAF.
Joel (teknogeek) (40:31.31)
Hmm.
Justin Gardner (@rhynorater) (40:42.676)
using this but I just thought that was a weird thing to actually have some languages parse like why are we line wrapping HTTP headers at the protocol level like what is going on here?
Joel (teknogeek) (40:52.942)
It's so weird. It's so weird. And, you know, I will say it sort of as an overall arching theme across these top ten. I don't recall if it was pulled out as sort of a conclusion within the article itself, but what I've noticed a lot is it's a lot of like parsing bugs lately, where these are like, these aren't anything like, it's not like we're even talking about new protocols here or anything, right? We're talking about HTTP, we're talking about
Justin Gardner (@rhynorater) (40:58.289)
Mm.
Justin Gardner (@rhynorater) (41:18.013)
Hmm.
Joel (teknogeek) (41:22.426)
SMTP, again, old protocol, but it's not like Protobuf or some new technology or anything that's causing this. These are all like existing protocols and technologies that are very widely used, but just have some fundamental issues depending on the implementation. And a lot of it also reminds me of the orange research that we talked about not too long ago about the, you know,
Justin Gardner (@rhynorater) (41:28.165)
Yeah.
Justin Gardner (@rhynorater) (41:47.868)
Hmm. Legendary stuff.
Joel (teknogeek) (41:49.918)
Yep, the HTTP parser stuff and the nginx, you know, parser bugs with semicolons and dot slashes and all that kind of stuff.
Justin Gardner (@rhynorater) (41:58.384)
Yeah, there's always gonna be those sort of bugs. And it kind of goes back to what we were talking about last week, which is like context, understanding the context is king.
in all of these scenarios, really, because almost all of web vulnerabilities, I'm sure there's cut and dry access controls and stuff like that, but almost all web vulnerabilities originate from some sort of misunderstanding or misconstruing of context and what data is to be interpreted in what context. Yeah, or assumptions on that, exactly.
Joel (teknogeek) (42:28.426)
Yeah, or assumptions.
Justin Gardner (@rhynorater) (42:33.072)
And so let me see, I think, I thought there was one more little takeaway from this one that I wanted to mention. Oh yeah, the other cool thing that they kind of mentioned within this research as well was various backends have a different way of parsing the, so you know when you do an HTTP request, it's like get or post or whatever, and then the space, and then normally slash, and then it provides the path, right, some backends parse that,
Joel (teknogeek) (42:56.75)
Mm-hmm.
Justin Gardner (@rhynorater) (43:02.108)
path piece differently when the first character is not a slash. So some people will, some, some people, some backends will allow you to put an at sign there, which is super helpful for SSRF in some scenarios. Some will allow you to put a semicolon there. Some will allow you to put a, that's often in the, in sort of like the spring environments where matrix parameters are a thing.
And then some, I want to say the, was it PHP environment? For some reason, we'll just let you put an asterisk there, which is real weird. Like I don't even, I didn't even mention in there why they let you put an asterisk there, but this is something to fuzz for sure. Mm.
Joel (teknogeek) (43:37.206)
Hmm.
Joel (teknogeek) (43:42.954)
Well, this isn't mentioned either, but another thing that I've seen is you can put full HTTP URLs there as well. That's for proxy syntax, I think, by default. But...
Justin Gardner (@rhynorater) (43:49.36)
Yeah.
Justin Gardner (@rhynorater) (43:53.596)
HTTP 0.9, I think, syntax. Yeah.
Joel (teknogeek) (43:56.73)
Yeah, some yeah, something like that. But it also will work in like, you know, other HTTP versions. So it all depends on the implementation and what they choose to support. It's super, super weird. Yep.
Justin Gardner (@rhynorater) (44:06.312)
backwards compatibility, another thing that makes us our living. Alright, that's all I had for this one. You want to go ahead and take the next one or maybe we can tag team that one since we didn't get fully through that one.
Joel (teknogeek) (44:11.022)
Hehehehe
Joel (teknogeek) (44:20.698)
Yeah, so this one was from a Kaspersky researcher, Sergei Bobrov. He's a really talented researcher and he gave this presentation at OFFZONE 2023. And it's basically talking about these HTTP request splitting vulnerabilities, and it all stems from these NGINX misconfigurations, right? Just like Orange's research, just like
Justin Gardner (@rhynorater) (44:26.6)
Mm.
Justin Gardner (@rhynorater) (44:30.963)
Mm.
Justin Gardner (@rhynorater) (44:35.659)
Mm.
Joel (teknogeek) (44:49.898)
you know, many other pieces of research, it's very easy to misconfigure things without realizing it's a misconfiguration. Simply just by like trying to use, you know, oh, I'm gonna write this config out, and you put an extra character or something, or you copy paste it and you didn't really know what it did, so you just left it in to be safe. Yeah, exactly, and it's like, here you go, this will work in all cases. And so it's super, super interesting. There's...
Justin Gardner (@rhynorater) (45:07.348)
Mm. You make, you make ChatGPT write it. Hehehe.
Joel (teknogeek) (45:18.358)
You know, the root of it is basically this regex, right, that's looking for a slash instead of just allowing all characters to go through.
Justin Gardner (@rhynorater) (45:28.529)
Mm.
Justin Gardner (@rhynorater) (45:32.56)
So yeah, I broke a couple things out here into the doc, Joel, for this one. And that regex piece, I think, requires a little bit of nuance here. So essentially, what's crazy with this is, maybe we'll put this up on the screen for those of you that are on YouTube. Put on screen, please.
Justin Gardner (@rhynorater) (45:55.412)
But essentially, there's this regex when you're defining a location in Nginx reverse proxy configurations. And if you use... When I looked at this, it's just so weird. So if you use dot star, then that's the safe configuration, you know, for this. Because it's not going to allow you to inject... It does. It's not going to let you inject, like, apparently these line break characters that are going to make everything terrible. But if you use an...
Joel (teknogeek) (46:10.43)
Yeah, it feels so backwards.
Justin Gardner (@rhynorater) (46:24.868)
I guess an exclusive range. So if you say a square bracket and then the upward caret, slash, and then close brackets, you're saying, okay, allow every single character except for the slash. And in that scenario, that's a more permissive definition actually than the dot character, which is super weird and will allow you to inject new line characters and line breaks, which will allow you to just overwrite the whole request, which is nuts to me.
Joel (teknogeek) (46:33.343)
Yeah.
Joel (teknogeek) (46:43.373)
Yeah.
Joel (teknogeek) (46:50.986)
It's super interesting because I want to say that...
Joel (teknogeek) (46:56.93)
can't remember if in, if in regex by default the dot, it's supposed to include white space, but I don't know if it includes new lines unless you explicitly have the like multi-line flag on, right? But there's probably some weird implementation issue here, because like you said, one is like an exclude, like an exclusive range, where it's like any character that's not a slash, versus any character that's a dot, which then gets translated into
Justin Gardner (@rhynorater) (47:04.797)
That's interesting.
Yeah, that's a good point. Yeah, that could be what it was.
Justin Gardner (@rhynorater) (47:17.757)
Hmm.
Justin Gardner (@rhynorater) (47:23.817)
Mm.
Joel (teknogeek) (47:26.342)
A through Z, like any character, maybe except new lines or whatever. So it's just like, it's such a weird one. Like, I mean, I would have never expected that those two things would be backwards.
Justin Gardner (@rhynorater) (47:30.939)
Mm.
Justin Gardner (@rhynorater) (47:35.672)
It is. And just to be clear here, what we're talking about is matching the location on an nginx reverse proxy rule. So this is the definition for what route you can hit and it will trigger a certain block of code. And inside of that, there's regex to allow for things like IDs and that sort of thing to be included. So this is really...
some, some cool research, and it makes me wish that I had the nginx configuration files for so many of these targets that I work on that use nginx. So it's like, man, I'm sure there's so many like weird edge cases out there that, um, that this could, could cause. And, um, and, and the next one as well is, is a proxy pass based, um, uh, nginx problem, which was actually originating from some, some research Frans did, of course, you know, years before everyone else started thinking about
Joel (teknogeek) (48:14.432)
Yeah.
Justin Gardner (@rhynorater) (48:30.162)
Frans style, which most of you guys have seen likely where he was proxy, doing a proxy pass to, uh, Amazon AWS and was able to override the host header. And since the, the host is actually, um, you know, since the backend server is the same for all S3 buckets there, he could actually specify his own bucket as the host header, it would get virtual routed to his bucket and he was allowed to host any arbitrary content on a website. Um, so that, those are the two sort of main techniques that they mentioned in
this vulnerability could occur. And the other thing that I thought was cool here, Joel, was the detection methods for this that they sort of outlined. Because I think this sort of bug is a little bit tricky to understand and a little bit tricky to find without source code because you're not able to look at the configuration file and say, like, hey, oh, that's one of those commonly known patterns that could result in HTTP request splitting. And so they mentioned a couple detection methods that could be helpful for this. And the first
site.com slash and then the path to whatever your anticipated split. What am I trying to say there, Joel? The place where you believe the split may be occurring, right? Where they, exactly. And then actually just putting a space and an X there. So the actual backend HTTP request that gets generated is get or whatever, slash the path space X.
Joel (teknogeek) (49:42.838)
Right, right, the intended delimiter, yeah.
Justin Gardner (@rhynorater) (49:57.836)
space HTTP slash one dot one or whatever, right? And that will result in a 400 on the backend and hopefully that will bounce forward through the reverse proxy and show you a 400. The, I'm sorry, that will give you a different error code. That's the differentiator. That has to give you a different error code. So if you put the space X in there, it needs to give you some error code that's not a 400. Then if instead you put space H,
Justin Gardner (@rhynorater) (50:27.696)
at that and says, oh, that starts with an H, that's them specifying the HTTP protocol. So that's them saying, that's the beginning of HTTP slash 1.1. And then it will say, hey, we're parsing the protocol here now. Oh, H is the protocol? That's weird, that's not a valid protocol. Bam, 400. So this is a good way to tell whether you're actually injecting into this sort of backend.
Joel (teknogeek) (50:32.718)
That's so funny.
Justin Gardner (@rhynorater) (50:55.644)
Um, you're injecting into the actual syntax of the HTTP request, because space X should give you some other error code, and space H, because of that nginx sort of tendency, should give you a 400.
Joel (teknogeek) (51:08.49)
Yeah, and then there's the one step further, right? Where space HTTP, and then you give it a bad version, like one three dot three seven, and you finish the CRLF at the end, and it should say bad protocol or something, and that's for sure, for sure, then you've got CRLF injection.
Justin Gardner (@rhynorater) (51:23.424)
Mm.
Justin Gardner (@rhynorater) (51:26.81)
Exactly.
Justin Gardner (@rhynorater) (51:30.448)
Yeah. So, so the input there would be space HTTP slash one three dot three seven, of course, and then the new line character. So we're completing that first line of the HTTP request, right? And then we'll, you know, add like an X header or something like that to catch the remainder of the original HTTP request. And then when the reverse proxy tries to communicate with the backend server like that, the backend server is like, wait, what the heck? I can't use HTTP 13.37. I don't know that protocol.
takes back a 505 and 505 is a very rare error code. I've only, I don't think I've ever seen it actually. Yeah, and so if you're able to trigger a 505, then you've certainly got request splitting. So this could be great for any of you people out there that are doing mass scanning and want some high signal like scans to do for HTTP request smuggling. Just what I would do is actually, you know, run GAU or something like that. Take all of the paths that come out of GAU.
Joel (teknogeek) (52:06.146)
Yeah, I'd like never see it.
Joel (teknogeek) (52:17.422)
Mm-hmm.
Justin Gardner (@rhynorater) (52:30.22)
And then at that sort of junction, at that each path level, then put this payload in there, and then look for, detect off of 505s. And you should have a pretty high signal response for anything that could be vulnerable to HTTP request smuggling.
Joel (teknogeek) (52:48.478)
Yeah, for sure. Super, super interesting. So I love those little detection methods, you know, those easy takeaways. And then if you see something that's working, go back to that paper and then start to read a little bit deeper and then see how to exploit it.
Justin Gardner (@rhynorater) (53:01.284)
Exactly man. Oh man the next one is so good. Kinugawa Masato-san thank you so much for this for this write-up.
Joel (teknogeek) (53:10.494)
I feel like nobody better could have gotten the summary for this one, so I'll let you go ahead.
Justin Gardner (@rhynorater) (53:15.425)
Dude, no, it's great. And so actually at the beginning of, so number seven, before I get ahead of myself, let me talk about this, what this actually is. Number seven is how I hacked Microsoft Teams and got 150K in Pwn2Own by Masato Kinugawa. And essentially this write up was great. And in the beginning of it, he's like, hey, if you're interested about the non-technical experience that I had with Pwn2Own.
Here's a couple podcasts in Japanese for you. So I've got those on my list. I'm gonna like put it on like 0.75 speed and try to keep up with these guys in Japanese. But I was able to fully parse through the amazing writeup that he did. And wow, there are some great takeaways from this one. So essentially what's happening here is they're in an electron environment hacking Microsoft Teams for Pwn2Own.
And essentially he gives us some cool takeaways on what to look for in an electron environment. Pretty basic stuff, stuff I've heard before, but still helpful to review. So whenever the browser window object is instantiated in an electron environment, there will be some parameters that can be passed into this. Three parameters of interest in particular. Node integration, context isolation, and sandbox, okay?
And so what this is gonna do, take those one by one. Node integration. If node integration is set to true, then if you get XSS on this target, this is the traditional thing you kinda always hear about when you get XSS in an Electron application, then you should just be able to get RCE. Well, that's only true if node integration is set to true, because then in that case, you could access the Node.js APIs directly and do something like require and just run whatever code and exec your calculator, whatever.
But if this is set to false, then you don't have access to the Node API, and you're not gonna be able to get RCE as easily. Unfortunately for Masato, then in this scenario, this was actually set to false, so he had to figure out some other way to get RCE, even if he had XSS. And the second one is, this is the second parameter that you should be looking into, and sort of the instantiation of the browser window object, which is core to the Electron applications.
Justin Gardner (@rhynorater) (55:32.08)
is the context isolation sort of argumentably in here. If this is set to false, then the context between the client-side JS and the JS that has access to node APIs is not actually segmented. And because of that, what you can do is do prototype pollution, and that's what he ended up doing later on in this writeup, is he...
overwrites the function.call definition prototype, and was able to snag access to, it's baller, I'm not gonna lie, and was able to detect when the correct function was being passed in and get access to some stuff that he needed, which is really cool. And the last one is sandbox, false or true. That one is pretty clear for anyone who has ever worked with Chrome; that's whether Chrome's going to be running in a sandbox.
Joel (teknogeek) (56:06.818)
pretty good one to overwrite.
Joel (teknogeek) (56:18.274)
So cool.
Justin Gardner (@rhynorater) (56:26.808)
If this is set to false, then you've got a much easier time exploiting Chrome-related bugs inside of an electron application. If it's set to true, then you've got to figure out how to escape the sandbox, even if you get a Chrome-based RCE. So there's that. But dude, this isn't even the craziest part, Joel. This is crazy, man. No, no, no. It's good stuff. It's good stuff. Thank you for the information.
Joel (teknogeek) (56:38.946)
So, so cool.
Joel (teknogeek) (56:44.302)
Oh, okay. I mean, here I was thinking it was crazy. I'm not even there yet.
Justin Gardner (@rhynorater) (56:53.66)
you've got to see the way he gets XSS on this thing, man. So, you know, he's participating in Pwn2Own. Pwn2Own is a no user interaction event. So you've got a Pwn without anyone interacting with it essentially. And essentially what he found was that he could send a message to a user over Microsoft Teams and he could specify some, you know, basic markdown tags, right? Like bolding and stuff like that.
And when you look at how that's implemented, you're able to implement a couple, you know, HTML tags that are helpful. And he found a whitelist for class names that can be specified on these, you know, like the strong tag or whatever, right? So now he's got like, okay, I can specify some, and one of those whitelists had a star with it. So it was like Swift.
Joel (teknogeek) (57:42.87)
So crazy.
Justin Gardner (@rhynorater) (57:50.972)
dash whatever, right? So now he can specify any class name that starts with Swift dash, which is like, how could this possibly be helpful, right? Like, and I just, I don't understand how. And Joel, using that, using not even arbitrary class name injection, he gets XSS, which is just absolutely, absolutely inspiring. And it's really a great reason to.
Joel (teknogeek) (58:12.69)
So it's...
Justin Gardner (@rhynorater) (58:20.12)
look deep and understand how this application, how these applications are working and every single bit of, every single inch you can take from the application might be able to be used in exploit.
Joel (teknogeek) (58:31.078)
It's so awesome, I mean, it's gotta be like the perfect stars aligning feeling where like he's looking through, he's like, oh no way, like, oh, this exists?
Justin Gardner (@rhynorater) (58:39.108)
Yeah. So exactly. So this is how he did it, Joel.
Angular is being used in this application, right, on the front end. And if you could specify an arbitrary attribute in Angular, you could specify the ng-init attribute, which would allow you to run some code. Pretty standard stuff with Angular if you're familiar with it at all. However, what I did not know is that the ng-init attribute can also be specified by a class attribute, which is super weird. Look at the screenshot in the doc, dude.
Joel (teknogeek) (59:12.782)
Hmm. Yeah, yeah, yeah.
Justin Gardner (@rhynorater) (59:15.144)
Look what he's got here. He says, any element ng-init equals expression, right? That's one we're familiar with. Any element class equals ng dash init colon expression also allows you to just run arbitrary JS code inside of the class attribute for any freaking HTML tag. What?
Joel (teknogeek) (59:25.614)
through... yeah.
Joel (teknogeek) (59:36.238)
It's so weird. Like, why? Like, why does that work? Of all things, makes no sense.
Justin Gardner (@rhynorater) (59:41.356)
I don't know, but it's more context in which you can get XSS, which is really cool. So then he's able to use constructor, whatever, one of the classic ways to call arbitrary JS code, and get XSS. So now he's got XSS from just sending a user a message, and now he's going to use the context
to get RCE via that, which was an absolutely crazy part of this writeup and not particularly generally applicable to most environments. So I won't go too deep into it, but essentially what he does is gets access to this object called ipcRenderer. And this is inter-process communication renderer. And this allows you to communicate between the main process in an Electron application, which is a little bit more privileged, and the renderer process.
Joel (teknogeek) (01:00:20.75)
Yeah.
Justin Gardner (@rhynorater) (01:00:41.792)
And essentially, using that inter-process communication renderer object, he's able to communicate with a listener on that side that's loaded up that has a vulnerability in it, and is able to pop RCE and land that sweet Pwn2Own money. But biggest takeaways for me on this one: make sure on the Electron application you're checking those three attributes, nodeIntegration, contextIsolation, sandbox.
And then also, what the heck, apparently you can get XSS via class name injection. Who knew?
Joel (teknogeek) (01:01:16.491)
Yeah, I mean, that is like the last thing I would have ever tried. Of all... like, maybe if I was just broadly scanning for payloads in every attribute available on an element, maybe, but like, that's so crazy. That's haunting.
Justin Gardner (@rhynorater) (01:01:30.192)
when you've truly given up. Yeah, the levels of desperation that we go to, to pop XSS, man. Okay, so Joel, you already covered Akamai to F5, which was number eight. Number nine, I'll just kind of breeze through really quickly. And essentially, this is Cookie Crumbles. This is a long academic paper written in academic style with a bunch of, like, you know, special notation where, like,
Joel (teknogeek) (01:01:37.067)
Yeah, no kidding.
Joel (teknogeek) (01:01:42.794)
Yes, correct. Yep.
Justin Gardner (@rhynorater) (01:01:58.74)
you know, why is this? And it's like, why are we making this so complicated? But I read it and it was good. And it had some cool, some cool techniques in it. Some things that weren't quite as applicable that they seem to be excited about, but I don't think has as much real world application. But I pulled the good bits out for you. And I'm going to go ahead and tell you about them right now. They tried to rename CSRF to CORF, which is a more accurate
Joel (teknogeek) (01:02:20.056)
Nice.
Joel (teknogeek) (01:02:24.751)
Uhhh... Hmm...
Justin Gardner (@rhynorater) (01:02:27.472)
sort of representation of most of the cross-site request forgeries. I know. Nothing against the people. I mean, they wrote a great piece of research, but that is the more specific name, cross-origin request forgery. So if you're one of those people that would like to be a little bit more specific with what they're talking about, I think you could use cross-site request forgery and cross-origin request forgery to...
Joel (teknogeek) (01:02:31.438)
Typical academics.
Joel (teknogeek) (01:02:55.662)
interchangeably.
Justin Gardner (@rhynorater) (01:02:57.168)
to be able to specify the various nuances of these specific situations where you may be same-site, but different origin. And so there's some nuances with regards to that regarding SameSite cookies. So that's one little thing. Couple other things they talked about, stuff we've talked about on the pod before: cookie tossing, which is essentially using the path attribute of a specific cookie to override the value of a cookie that's already in place.
We've talked about this before, but I'll just provide a little refresher. Cookies that are set, so let's say you've got a cookie-set gadget via an XSS or something like that. You can make your cookie prioritized in the user's browser, if there's a cookie of the same name, by specifying a more specific path. Otherwise, it will default to which one was created first. So really helpful thing there. It doesn't actually
depend on which domain was specified in the cookie at all, which probably it should, but you probably should go by more specific domain, but such is life. The path specificity piece is really helpful for, you know, overriding, for doing session fixation and that sort of thing, like when you need to get your cookie prioritized over a cookie that may already be set in the victim's browser.
Justin Gardner (@rhynorater) (01:04:20.492)
Take a breath and take a breather there. Next one is cookie jar over... Dude, I mean, our notes from this episode as well are like what, eight pages long? It's nuts, man. And then the next thing they talk about, cookie jar overflowing, we talked about that. I've got an app set up at apps.renderator.dev that you can check out to see how many cookies you need to overflow your specific browser.
Joel (teknogeek) (01:04:23.534)
That's 150 pages. Keep going. Ha ha ha.
Joel (teknogeek) (01:04:32.79)
Alright, yeah, I don't even know. I turned off the pages because I didn't want to know.
Justin Gardner (@rhynorater) (01:04:48.696)
Normally it's about 180. And another cool takeaway is you can push out HttpOnly cookies from the cookie jar with non-HttpOnly cookies. So good to know.
Joel (teknogeek) (01:04:59.522)
Hmm. Very interesting.
Justin Gardner (@rhynorater) (01:05:01.856)
The novel attacks from this research, there were two. And these have also been mentioned by Ankur Sundara, whose write-up we mentioned, and we'll link in the description, we mentioned in the past. But essentially, these attacks are surrounding nameless cookies, and how you can set a cookie that doesn't have a name. And so it's Set-Cookie colon equals something. And the way that browsers handle that is really,
really hacked up, and servers don't know how to parse it, and everybody's like screaming, and it's bad. And so if you think there's some sort of weird nuance you can do with that, that's a functionality that you should be aware of. Unfortunately, most of the applications of this from an attacking perspective are overriding the __Host- and __Secure- prefixes to cookies, which are essentially just like,
Joel (teknogeek) (01:05:37.858)
Mm-hmm
Justin Gardner (@rhynorater) (01:06:01.676)
more secure versions of the cookie attributes, Secure and setting the Domain attribute. So there's not a ton of application of these nameless cookies, but it's still some nice quirk to be aware of. And there's lots of sort of misconfigurations and misinterpretations of cookies when those cookies' names start with an equal sign that they sort of documented in this paper.
And I think that they also listed a bunch of CVEs that they found and got fixed in this paper, which cool, you know, because we, you know, you may be able to bypass those or use them in an environment that is like, when you're dealing with that sort of older technology, but they're patched now, so not a ton of super awesome takeaways from that, from like a sort of a methodology perspective.
Joel (teknogeek) (01:06:42.798)
Pretty neat.
Joel (teknogeek) (01:06:59.614)
Yeah, yeah. But I do love that little replacement. Like, you know, it's just one of those gadgets you tuck in your back pocket and later when you need it in that one-off chance, it'll be there when you need it.
Justin Gardner (@rhynorater) (01:07:01.445)
Mm.
Justin Gardner (@rhynorater) (01:07:13.112)
Exactly, exactly. All right, the next sort of novel attack that they sort of mentioned here is various bypasses for __Host-, like I mentioned before, in a bunch of different server-side parsing environments. PHP, we all know the thing, well, maybe we don't all know. It's pretty well known that PHP replaces dots with underscores, and a couple other characters, I think, as well, dashes included,
with underscores when they're populating their infamous $_GET, $_POST, $_COOKIE objects. So that caused some problems for essentially processing those cookies as well. So be on the lookout for those sort of discrepancies. The last piece of helpful information from this write-up, or from this research, that I was able to find was a pretty well documented
description of various CSRF protections. There's a couple far-fetched examples where they were like, you know, if you're able to set a cookie and there's pre-session fixation and the generator for the CSRF token is linked to the pre-session, not the actual session, it's like, there's some really odd stuff in there that didn't seem quite as applicable.
Then there were those, which was interesting, but the one that I thought was most helpful was they make a description of a common CSRF framework, which I'm not sure we've actually talked about here on the pod, which is called the double submit pattern of CSRF protection, okay? And essentially what this is, the application will set a cookie on the user session that says CSRF token equals XYZ, right? And then when you send a request,
Joel (teknogeek) (01:08:55.603)
Okay.
Justin Gardner (@rhynorater) (01:09:07.128)
you have to send in the body, CSRF token equals XYZ. And on the server side, it will compare the cookie that you sent and the cookie in the request body and make sure that those align. And if it is, then it passed the CSRF check. So this, I've seen this many times, I've bypassed this many times. If there's a way for you to fixate a session, a CSRF token, and get your CSRF token prioritized, right, using the path methodology that we mentioned before, you can
fixate that token, you know, maybe using a subdomain, an XSS in a subdomain or something like that, and get your token prioritized, and then send that value as a CSRF token parameter in your POST request or whatever request to CSRF, and that will result in a bypass of CSRF protection. So that was something that they documented really clearly that I don't think we've talked about before, so I figured I'd mention that as well as the last piece of information in this Cookie Crumbles academic research
analysis. Thank you very much.
Joel (teknogeek) (01:10:04.822)
That was a dense one. It's because it's such awesome research, but it's very difficult to, like, get through it, you know, and fully... figure out the great blocks.
Justin Gardner (@rhynorater) (01:10:12.07)
Yeah.
Mmm.
Justin Gardner (@rhynorater) (01:10:19.998)
Yeah.
I know man, I know. And you know, I hate to dislike it to be honest, because they're doing us a great service and finding a bunch of really cool things. But yeah, it's so different reading blogs versus reading academic write-ups. But maybe that's my own experience as well. Maybe I just need to read more academic papers.
Joel (teknogeek) (01:10:38.186)
Yeah, absolutely.
Joel (teknogeek) (01:10:43.546)
So he's written a couple like it. There is... it's definitely a little side that's... to, you know, the whole process, and they could be simplified, I think.
Justin Gardner (@rhynorater) (01:10:54.096)
Sure is, man. All right, last one on the list. EPP server takeover by our boy Sam Curry. Let's go ahead and give an analysis of this one. We'll talk about it and close it out for this episode. You wanna go ahead and take it? It's a pretty straightforward XXE, I think, but it's just the most crazy critical piece of environment ever.
Joel (teknogeek) (01:11:11.883)
Yeah, sure.
Joel (teknogeek) (01:11:17.93)
I'm in.
Yeah, right. It's like extremely, extremely simple, straightforward. So there's this whole protocol called EPP. It runs on port 700 and it's an XML-based protocol. And literally, like, the most like, open a socket on port 700, send the, like, a github.com textbook example of an XXE payload. It's like full read of /etc/passwd. You know what it's like?
Justin Gardner (@rhynorater) (01:11:26.672)
Mm.
Justin Gardner (@rhynorater) (01:11:41.681)
Hahaha!
Joel (teknogeek) (01:11:49.282)
It's really, really like the most simple XXE possible, which is kind of terrifying knowing that it, you know, was running some core part of Internet infrastructure for a very, very long time and was just widely vulnerable for a very, very long time. But it's just one of those great, great examples of, you know, don't take anything for granted. Right. Maybe that's the takeaway
Justin Gardner (@rhynorater) (01:12:15.048)
Hmm.
Joel (teknogeek) (01:12:15.874)
for this: even if it's a core technology, even if it's something that seems really straightforward, don't take that for granted. It's probably vulnerable and you should dig a little deeper, right? Because every single thing today is, you know, like fundamental HTTP, fundamental SMTP, fundamental EPP, all the Ps, like, yeah, everything. It's, I mean, it's mind-boggling to think how many things I probably have looked over
Justin Gardner (@rhynorater) (01:12:24.697)
Yeah, absolutely.
Joel (teknogeek) (01:12:43.074)
just because I'm like, there's no way that's vulnerable. I'm not gonna spend time on that.
Justin Gardner (@rhynorater) (01:12:45.2)
And I think the other really cool thing that they did here was actually step straight outside of the realm of web app security. And they went into this odd protocol that's running on port 700. And sometimes the dubs are there. And so that's really impressive, I think.
Joel (teknogeek) (01:13:02.038)
Yeah.
Justin Gardner (@rhynorater) (01:13:11.516)
And I just, this line cracks me up, man. He said, you know, like you said, it's the same, you know, leak /etc/passwd sort of default XXE payload that you see from GitHub. And he says, our proof of concept was extremely effective. And it's great. It was, dude, it was, it was amazing. And it just goes to show that
Joel (teknogeek) (01:13:30.293)
Oh
Joel (teknogeek) (01:13:34.946)
So awesome.
Justin Gardner (@rhynorater) (01:13:38.78)
there are weak spots, and those weak spots are going to be the best spot to get in, because they got control of how many, I mean, this is like 20 top-level domains from this. The other thing that I'll say here is that notice how they pivoted, right? They didn't just take this XXE, they used it to grab some source code and parse out
Joel (teknogeek) (01:13:48.234)
Yeah, seriously.
Justin Gardner (@rhynorater) (01:14:04.344)
some Java that was running in there, and then they found another LFI that allowed them to get access to /etc/shadow and somebody's private keys to actually log into the server, which is just so badass.
Joel (teknogeek) (01:14:07.861)
Mm-hmm.
Joel (teknogeek) (01:14:13.534)
Yeah. So awesome. Which had backups of all the root so this is so awesome.
Justin Gardner (@rhynorater) (01:14:21.652)
Yeah, dude, it's nuts too that how much of this, how much of this internet infrastructure that we all rely on every day is like, just taped together with, you know, stuff. Yeah, absolutely nuts, man.
Joel (teknogeek) (01:14:32.214)
Already owned. Well, on that lovely, optimistic note...
Justin Gardner (@rhynorater) (01:14:40.592)
Yeah, on that it's a wrap, right? Anything else we got on this one? I think that was about it. We actually moved through this pretty quickly, probably because we skipped the 124-page .NET deserialization white paper.
Joel (teknogeek) (01:14:52.071)
Yeah. Yeah, no kidding. Yeah. I mean, it's still a really, really interesting paper. There's a bunch of CVEs in that one as well. And I'm for sure going to go circle back on that one and read through it a little more closely, especially when I'm testing on .NET stuff. Yeah.
Justin Gardner (@rhynorater) (01:15:05.136)
Absolutely. Let me ask you this, Joel. Let's reorder them, okay? We'll pull the .NET deserialization one out because we haven't done our due diligence on that one. But if we were to go ahead and reorder this, where would you put it?
Joel (teknogeek) (01:15:10.486)
Oooooooh
Joel (teknogeek) (01:15:23.438)
Hmm. Okay. I think I would put I would leave the state machine at the top
Justin Gardner (@rhynorater) (01:15:30.204)
That one's the most widely impactful, I think, right? And elegant, I think.
Joel (teknogeek) (01:15:33.458)
Yeah, yeah, that is really cool fundamental, like, research in my opinion. I think I would put
the HTTP request splitting, the HTTP parser inconsistency, and the...
Akamai at five. Those are all very close to me. I think I'd bundle them together somewhere. Maybe not, maybe like third place. I think second, maybe second place, third place. Yeah, third through six. Second place, hacking Microsoft Teams, I think so, 'cause that's such, I mean, that's like so crazy. Our mint... no, sorry, second, EPP. I'm all out of order here now. Okay, first place, that is stacking, smashing the stack...
Justin Gardner (@rhynorater) (01:15:54.906)
Hmm.
Justin Gardner (@rhynorater) (01:16:01.768)
third through sixth place.
Justin Gardner (@rhynorater) (01:16:07.473)
Really?
Justin Gardner (@rhynorater) (01:16:20.496)
Okay, hold on, hold on, hold on. Wait, wait a second, wait a second. I'm gonna actually write down Joel's list here. Okay, so smashing the state machine. Not this, yep, there you go, that one. Okay.
Joel (teknogeek) (01:16:20.802)
Second place, EPP.
Joel (teknogeek) (01:16:25.868)
Okay.
Joel (teknogeek) (01:16:29.094)
Smashing the stack... statements, yeah, that's the state machine. EPP number two. Numbers three through six tied, or tied for third: the parser inconsistencies, request splitting, and Akamai to F5.
Justin Gardner (@rhynorater) (01:16:37.866)
EPP
Justin Gardner (@rhynorater) (01:16:44.984)
Okay, so we've got parser inconsistencies, okay.
Justin Gardner (@rhynorater) (01:16:52.34)
Request splitting, Akamai to F5.
Joel (teknogeek) (01:16:56.766)
and then hacking Microsoft Teams.
Justin Gardner (@rhynorater) (01:16:58.161)
Okay.
teams.
Joel (teknogeek) (01:17:04.162)
then.
Justin Gardner (@rhynorater) (01:17:06.792)
SMTP and Cookie Crumbles and... filter chains. Filter chains at seven.
Joel (teknogeek) (01:17:07.754)
filter chains.
Filter chains, I'm almost tempted to put that a little lower, but... And then Cookie Crumbles and SMTP.
Justin Gardner (@rhynorater) (01:17:21.936)
Alright dude, so you said smashing the state machine, EPP, parser inconsistencies, request splitting, Akamai to F5, Teams, filter chains, Cookie Crumbles, SMTP smuggling. This is a very different order than what I would do. The only one probably that's similar is smashing the state. So I think I'm going to put mine at...
Joel (teknogeek) (01:17:41.941)
Okay.
Joel (teknogeek) (01:17:45.58)
Okay.
Justin Gardner (@rhynorater) (01:17:49.944)
Smashing the state machine at the top. And the reason for that is that it's very elegant research. He explains it really well. The concept's fairly simple. The implementation is very clear. And the implications are giant for an underserved vulnerability class.
Justin Gardner (@rhynorater) (01:18:09.12)
Second for me, man, I don't know if the filter chain piece where you can just generate arbitrary content like generate like, you know, question mark PHP, you know, run PHP info or exec or whatever. If that's included, which I think is extremely applicable research, then I got to put I got to put filter chains at number two.
Joel (teknogeek) (01:18:34.258)
Yeah, filter chains is one of those, like, when I'm looking at my list, it doesn't feel like number seven. I think it's hard because...
Justin Gardner (@rhynorater) (01:18:40.369)
Yeah.
Joel (teknogeek) (01:18:43.982)
I mean, it's somewhere in like three through.
three through three or four, I think. Yeah, maybe I would put filter chains above the three parsing ones, after the EPP server. The EPP server for me is like such a cool, like, fundamental, like, Internet core infrastructure thing that is so crazy dangerous and, like, so simple that it falls at number two for me. But if it was, like, you needed admin perms or something, that would be higher on the list.
Justin Gardner (@rhynorater) (01:18:57.725)
Mm.
Justin Gardner (@rhynorater) (01:19:03.867)
Mm.
Justin Gardner (@rhynorater) (01:19:17.342)
Yeah.
Joel (teknogeek) (01:19:17.646)
I'm seeing you type your list out. So number one, you've got smashing the state machine. Number two, filter chains. Three, Teams. Four, request splitting. Five, parser inconsistencies. Six, Cookie Crumbles. Seven, Akamai, which is interesting. Why do you split the Akamai out from the other parser ones?
Justin Gardner (@rhynorater) (01:19:40.988)
So I'm kind of doing it based off of, dude, your laptop did the thing where it's like, where it did the thumbs up thing again. Did you see that?
Joel (teknogeek) (01:19:49.87)
What? Okay, no way, because I'm not even using the extra... oh, it's on. I turned it off.
Justin Gardner (@rhynorater) (01:19:55.52)
Oh my gosh. What is that thing, dude? It pops up every couple videos.
Joel (teknogeek) (01:19:57.906)
It is, it's this thing called reactions and it's built into Mac. I don't know.
Justin Gardner (@rhynorater) (01:20:05.844)
That's.
Joel (teknogeek) (01:20:06.094)
I thought it was only when I was using my phone as an external camera, but I now realizing...
Justin Gardner (@rhynorater) (01:20:08.992)
It's so weird. So essentially what happens is he'll, like, do a thumbs up on the screen or something like that, and then it'll parse it as a thumbs up, and then it'll do, like, the thumbs up emoji on the screen. I'm like, why are you doing that? All right. Let me explain my order here, okay? So smashing the state machine, obvious. Filter chains, I think there's a big amount of implications to this research
Joel (teknogeek) (01:20:15.186)
like holding the mic like this and it's like...
Joel (teknogeek) (01:20:21.259)
That's so weird. Okay, hopefully it's now off for good. Man, now I'm going to have to check that every single time.
Justin Gardner (@rhynorater) (01:20:36.736)
with turning LFI to RCE. Easy peasy. No, you just eliminated a very strong precondition, a very challenging precondition to go to RCE, which is awesome. Teams, I think the piece about just going from class name injection to XSS is just stunning. So I gave him credit for that. And then also,
the technical details, while we didn't really cover them here, of that inter-process communication technique that he used there was really, really engaging, and I think highlights a knowledge of Electron internals that I hadn't really seen showcased elsewhere. So I think that was why I placed that at three. Request smuggling and parsing inconsistencies, very practical and very reproducible
in action, you know, actual environments. Reverse proxies are used everywhere. Reverse proxies are used to block off endpoints everywhere. So I think, you know, these pieces of research are very applicable. Cookie Crumbles, I actually put this at six because I think that they're, the cookies are an underserved piece of, sort of, browser mechanics. They were very much focused on, you know, back in the days of, like, CSRF
Joel (teknogeek) (01:21:59.362)
Okay.
Justin Gardner (@rhynorater) (01:22:03.144)
coming out and that sort of thing. And even just in, like, DOM XSS environments, I feel like cookies are just kind of underserved in general. And so I've got some extra love for cookies lately. Akamai, I put that below to break it out, mostly because Cookie Crumbles didn't really seem right at seven. And the Akamai one is a little bit less, it's kind of like a vuln story, less of an applicable research that can be used in other environments.
And then I put the EPP stuff there as well, in eight, because once again, it's a vuln story, which is very engaging and fascinating, and I'm so glad I heard the story, but not necessarily reproducible for us in other environments. And then number nine, we both put SMTP smuggling there because it's not a web vulnerability. So I think, I think that's kind of where my top 10, or top 9 I guess,
lands on the list. Pretty different from what they actually came up with.
Joel (teknogeek) (01:23:09.054)
Yeah, I mean, it's super... reading through, I think, I think yours are, your ordering is probably a little more level-headed than mine. I'm just like, I'm like, these are cool bugs. The more complicated, the better. Like, or maybe the more dumb easy, the better. I don't know. I like, there's something about that, like, really easy exploitation aspect that really is so fun. It's that, like...
Justin Gardner (@rhynorater) (01:23:16.545)
You're gonna copy mine?
Justin Gardner (@rhynorater) (01:23:27.656)
Yeah.
Justin Gardner (@rhynorater) (01:23:34.461)
Mm.
Joel (teknogeek) (01:23:39.054)
It's like, oh wow, this really simple bug is, like, just out there. Yeah.
Justin Gardner (@rhynorater) (01:23:42.896)
Elegant exploits are very cool for sure. Alrighty man, is that it for you? We calling it a wrap there?
Joel (teknogeek) (01:23:48.878)
I think that's it, that's a wrap. That's a wrap, peace.
Justin Gardner (@rhynorater) (01:23:50.36)
Alright, that's the pod. Peace.