Interested in going full-time bug bounty? Check out our blueprint!
May 9, 2024

Episode 70: NahamCon and CSP Bypasses Everywhere

The player is loading ...
Critical Thinking - Bug Bounty Podcast

Episode 70: In this episode of Critical Thinking - Bug Bounty Podcast we’re once again joined by Ben Sadeghipour to talk about some Nahamcon news, as well as discuss a couple other LHE’s taking place. Then they cover CI/CD and drop some cool CSP Bypasses.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Guest: https://twitter.com/NahamSec

https://www.nahamcon.com/

flag{y0ur_fav0r1te_p0d}

Resources:

Depi

https://www.landh.tech/depi

Youtube CSP:

https://www.youtube.com/oembed?callback=alert()

Maps CSP:

https://maps.googleapis.com/maps/api/js?callback=alert()-print

Google APIs CSP

https://www.googleapis.com/customsearch/v1?callback=alert(1)

Google CSP

https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//

CSP Bypass for opener.child.child.child.click()

https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/

Timestamps:

(00:00:00) Introduction

(00:02:55) BSides Takeaways and hacking on Meta

(00:12:12) NahamCon News

(00:23:45) CI/CD and the launch of Depi

(00:33:29) CSP Bypasses

Transcript

Justin Gardner (@rhynorater) (00:01.381)
Alrighty guys, I am feeling the podcast energy today, man. We just got off like a awesome brainstorming session on how to make the Critical Thinker's Discord tier super valuable. And now we got our boy Ben back on the pod. Welcome, Ben.

Ben (00:15.828)
Second time, hopefully it's better than last time, so.

Justin Gardner (@rhynorater) (00:18.341)
Nah, dude, that's actually, you're looking at the podcast analytics and you just see this big boom, this big peak that goes, and I was like, what is that? What did we do right there? And it's like, ah, we had been on the podcast.

Ben (00:32.564)
I'm assuming it's probably the YouTube algorithm loving the user and probably, yeah, it makes sense. That was a fun podcast too though. There's a lot of Blinix and stuff and I know I'm looking at the notes for this episode and I feel like we're gonna talk more about cross -site scripting anyway. So here we are.

Justin Gardner (@rhynorater) (00:38.053)
It absolutely...

Justin Gardner (@rhynorater) (00:47.749)
Nothing wrong with a good cross -site scripting, man. You gotta love it, you gotta love it. But you just came back from B -sides, right?

Ben (00:55.41)
Yeah, B -Size was really, really fun. This is our second year going to B -Size. Me and Justin Haddix, we host the Bugbondi Village there and we went back again. We did an event with Adobe. We did some like live hacking events, not live hacking events, but like live recon more than anything with Adobe. And then yeah, I did some workshops and went to some talks and lots of hackers were in town. I don't know if you saw Nagley, Sam and Ian were out there.

Justin Gardner (@rhynorater) (01:02.725)
Nice.

Justin Gardner (@rhynorater) (01:09.509)
Mm, mm.

Justin Gardner (@rhynorater) (01:19.077)
I saw the pictures, man.

Ben (01:20.946)
Meta's team was there, lots of cool people to see and hang out with.

Justin Gardner (@rhynorater) (01:25.893)
Dude, I feel like B -Sides is just not really on my radar as much as it, I mean obviously you hear about like Defcon and Nomcon and lots of these other, you know, cons pretty often, but for some reason I always forget about B -Side San Francisco. So I think that actually is one of the more, maybe it's just me forgetting about it, but I think that is a stealth really, really good conference. Because I went, I want to say in like 2018, and they had some great, great talks.

Ben (01:34.865)
Yeah.

Ben (01:52.24)
Yeah. Yeah, I think it's.

Joel Margolis (teknogeek) (01:54.314)
Yeah, a lot of the B -side stuff depends on where you are, right?

Justin Gardner (@rhynorater) (01:57.285)
Mmm. Mmm.

Ben (01:58.352)
But B -Side San Francisco, it's like right before RSA happens. I'm not really like, I'm not big on RSA because it's enterprise. I don't have really a lot of stake in that game, right? But it's cool to go and everyone comes in for RSA. They go to B -Side San Francisco. And then it's like some of the more community stuff happens there. But you also have these like big sponsors that are out there too. The cool thing is a lot of these quote unquote, I want to say quote unquote content creators come out. So, you know, like you see people that are going to RSA for that same specific reason and you just run into them at the same time. It's a very exciting game.

It's not as exciting as DEFCON, the summer camp that we have every year, but it makes you like, okay, I'm almost ready for DEFCON.

Justin Gardner (@rhynorater) (02:31.493)
Mmm.

Justin Gardner (@rhynorater) (02:38.117)
Yeah, what kind of, so you said you went to some, you did the Bug Bounty Workshop, which I wanna hear more about, but you also went to some cool talks, including one by the meta team, right? And you said you were pretty impressed with that program, right?

Ben (02:43.054)
Yep.

Ben (02:50.221)
Yeah, actually, so I've known Farah for years and she was at Bug Crowd previously and then she just left and went to Meta, I think, and not recently, but she's been at Meta for a while now. But I just went in to her, I was like, what are you up to? And one of the Bug Crowd folks that was there was like, hey, let's go see this Meta talk. It's supposed to be about the Bug Bounty program. And it is mind blowing to see what Meta is doing with their program, dude. I think they're top -bound right now, it's like 300k if you are seeing some of their big production sites.

Justin Gardner (@rhynorater) (02:53.349)
Mm.

Justin Gardner (@rhynorater) (03:18.437)
Gosh, dude, imagine popping a 300k bug.

Ben (03:21.804)
That's a you know, that's a 300k sometimes used to be what Hacker One paid at about an event in the early days of like the live hacking events, right? Yeah, and then like met us over here like hey we pay 300k for an RCE and the other cool thing is that I don't know if you guys know that loyalty program too, you know about that?

Joel Margolis (teknogeek) (03:28.362)
Yeah, they're kidding.

Justin Gardner (@rhynorater) (03:28.549)
Entire event, yeah.

Justin Gardner (@rhynorater) (03:37.221)
Hmm. Oh, oh, like (REDACTED), we're gonna have to bleep that, but yeah.

Ben (03:42.444)
Like a bleep program we just talked about. Yeah.

Justin Gardner (@rhynorater) (03:44.197)
Yeah, exactly. I was like, I think it came out of my mouth and I was like, oh, wait, I probably shouldn't say that. Yeah. No, that's really cool though.

Joel Margolis (teknogeek) (03:48.554)
Like that one, yeah.

Ben (03:52.843)
So yeah, like the Bleep program that you just mentioned, but you know, they pay you like, they tier you in like different tiers and then depending on what tier you're on, you get a bonus. So they were saying like, you could probably get another 20k of bonuses depending on what tier you are, what kind of bugs you find and things like that. Yeah, and they're doing the promotion for a new Bugbonding Hunter. They gave me a coupon thing. I've never submitted to the meta program, but right now if you submit to them, you get up to X percent on top of your vulnerabilities, which is really cool.

Justin Gardner (@rhynorater) (03:59.461)
Mm.

Justin Gardner (@rhynorater) (04:06.949)
Jeez, dude.

Justin Gardner (@rhynorater) (04:19.653)
Dude, I don't know, Joel, you've done a little hacking on meta, right? It's an intimidating target, but the payouts are freaking good.

Ben (04:27.274)
Not a little, you just had a sick XSS, didn't you?

Justin Gardner (@rhynorater) (04:29.765)
Yeah, yeah, well...

Joel Margolis (teknogeek) (04:30.602)
I yeah, okay. So yeah, we did find an exercise on Facebook or With some caveats and there is a space vacuum blog post about that. However, I will say it is a really cool You know group of products and platforms to hack on it's very very dense I think a lot of the people that hack on that are like Specialized sort of hackers like that is what they focus on a lot of what they do is just

hacking on meta products. So they're very familiar with the ecosystem and everything and how it works and how stuff communicates with each other and the common types of bugs and they have their own gadgets and all sorts of stuff. So yeah.

Justin Gardner (@rhynorater) (05:07.173)
Yeah, I think they've got a cool IoT ecosystem as well, right? With like the portals and the glasses, yeah, those. And then I think they also have a lot of really loyal client -side hackers because they really care about ATO, I think, on Meta. Yeah.

Ben (05:13.353)
What'd you like to Oculus and stuff? Yeah.

Joel Margolis (teknogeek) (05:13.61)
Absolutely.

Ben (05:24.775)
Yeah, the ATO stuff is insane, dude. One of the things that they were saying with their vulnerabilities also is that if you tell them, like, hey, I have this vulnerability and I think I can do X, Y, and Z with it, they will give you an authorization from this time to this time to try it out. And if you can actually prove it to them, they'll do it. And then on top of that, they go and...

do their own investigation. So if they find more systems that are vulnerable to that vulnerability or that technique, they give you the max payout for that bug. This was just all that stuff that Farah was talking about during her talk. And it's a very interesting program. Do you imagine you're getting an SSRF on Facebook and Facebook says, cool, go out and show us what you can actually do with this, right?

Justin Gardner (@rhynorater) (06:07.589)
Wow, that's cool that they give you a time frame where they're actively monitoring and figuring out what exactly you can do. I think that's really awesome.

Joel Margolis (teknogeek) (06:08.124)
Cool. Yeah.

Ben (06:11.814)
Yeah.

Ben (06:17.733)
Yeah, shout outs to Jason Grace on their team. He's like on the purple team and he's like in between some of the bookbinding stuff he was talking about. I think it's the way he explained it was very, very cool. It's like, Hey, I was on a pen test myself and I found the blind access, but I asked him to let me explore it more. And he said, I went from blind access to X, Z to RCE. And he's like, that's like something that you don't see most programs that you do that we stop at blind access. Like we get critical payouts for it, but I want to pop a shot on this admin panel. If I can, like that'd be really, really cool. Right.

Justin Gardner (@rhynorater) (06:36.709)
Oh my gosh.

Justin Gardner (@rhynorater) (06:42.021)
Mm -hmm.

Justin Gardner (@rhynorater) (06:47.813)
Oh my gosh, yeah, if you can pivot on that, that'd be really awesome. Get access to the admin panel and then now you're attacking stuff that was never meant to be external. That's pretty rad that they let them do that. I really dig that. Yeah, I know that there have been a couple hackers recently, particularly hackers that are talented in client -side stuff, sort of pivoting over to meta to try to try them out as a long -term program because it's not something you really, I mean, I say it's not something you do.

Joel Margolis (teknogeek) (06:48.906)
Yeah, absolutely.

Ben (07:07.652)
Yeah.

Justin Gardner (@rhynorater) (07:16.453)
sort of for a short -term thing, but we've also had some success, I mean Joel had some success doing it for an LHE and I've had some success doing an LHE with them in the past, but I definitely think it's better as a long -term, like this is my home base sort of program where they'll, you know, you learn the team, they treat you well, you get good bounties, you learn the ecosystem.

Ben (07:36.194)
Yeah. I mean, if you're spending three months on like a program like that and you get like a 50K bounty, that's a good return for three months of work, right? Because I feel like with a lot of like the regular bug bounty programs, you have to do quantity to make up because the bounty amounts aren't as high as you would expect them to be. But I think with a big program like that, I agree, dude.

Justin Gardner (@rhynorater) (07:44.613)
Absolutely.

Justin Gardner (@rhynorater) (07:56.453)
Mm, mm, yeah, I agree. So you mentioned before you did the bug bounty workshop, man. Can you give me like, can you give me the TLDR of that? I wish I had been able to make it out there this year, but.

Ben (08:05.506)
Yeah, well, unfortunately, we had labs ready and DigitalOcean had an incident. I think Adam caused an incident maybe, but he tweeted about it saying, I caused an incident. Yeah, I think two other nameservers were up and we just couldn't spin up new things anymore. So like last minute we had to change it. And I look at Jason, I go, so what do we do? He goes, we do what we do best, recon. I'm like, all right. So we're going back and forth talking about like different methods of finding domains and different things we can do. We actually talked about like some of the CSP stuff that he talked with you guys about at B -Sides.

Justin Gardner (@rhynorater) (08:13.125)
I saw him tweet about that.

Justin Gardner (@rhynorater) (08:32.069)
Mm -mm.

Ben (08:35.409)
and then we just did a little recon and some tooling and things like that and good turnaround. And then shout out to the Adobe team for letting us use them as a target for some of our recon stuff.

Justin Gardner (@rhynorater) (08:46.501)
Was the Adobe team out there?

Ben (08:48.479)
Yeah, they were out there, they were doing a lot of, they wanted a, I think they're including Firefly on their Bug Bounty program. It's like, from what I remember, it used to be like a note taking thing, and I think now it does more. So they wanted to get that tested, took AI meets meetings, and I think it's supposed to have, eventually I saw in the comments, like Twitter, that they're supposed to be like video editing too.

Justin Gardner (@rhynorater) (09:01.413)
Mmm.

Justin Gardner (@rhynorater) (09:09.797)
Very nice, very nice. That sounds like a good workshop.

Joel Margolis (teknogeek) (09:11.69)
super interesting. There was a new Google product that launched that sounds kind of similar to that too. There was Google Google video, I think they call it it's it's like a new Google Docs, Google Drive type offering where it's like sheets and, and slides and stuff, but you it's a video editor that's based in your browser.

Ben (09:14.207)
Yeah.

Ben (09:23.838)
Interesting.

Ben (09:28.99)
I wonder if it's like replay where you can like live comment on videos like, you know, for editing and things like that. Or if you can like just take it out.

Joel Margolis (teknogeek) (09:34.634)
Yeah, they showed a lot of that kind of stuff where it's very AI driven and collaboration driven. So you can be like, let's put this in here. And in the same way that you could collaborate in Google Docs and stuff, but sounds like an interesting hacking target, it sounds like to me.

Ben (09:43.421)
Yeah.

Justin Gardner (@rhynorater) (09:49.573)
Yeah, for sure. And Google, another one of those good, all of my devices in front of me just bled up when I said that. Stop, stop, I'm not talking to you, Google. Yeah, exactly. Don't steal that. All right, man, so it's been announced, it's out there. Ya boys are hosting NahomCon. We are super excited for this and.

Ben (09:49.628)
Ha ha ha.

Ben (09:53.436)
The Homebuses.

Ben (09:58.076)
I wish you had you didn't have headphones okay Google turn the lights on

Justin Gardner (@rhynorater) (10:17.541)
We've got some announcements for this week, right?

Ben (10:19.963)
Yeah, it's a it's an exciting time. So people watching may 24 may 25 is the conference we have may 20 30s with CTF kicks up 24th. We have workshops And then on the 25th, we have all our main talks and I just announced on Twitter that Shubs is actually the keynote Speaker and he's got there's some like WAF bypasses originally was like smaller WAF bypasses that he was gonna talk about I'm actually like looking at his CFP right now to see what it was, but he's doing large attack surfaces

Justin Gardner (@rhynorater) (10:37.125)
Frick yeah, dude.

Ben (10:49.869)
is more than anything else. Like, he's like, if you have a large attack surface, this is what you do. So some of the things to talk about is like also using tooling, using some custom templates. He's gonna talk about like FUF on a single host, then some bird plugins. And then he also has some bypasses for smuggling that he's gonna talk about too.

Justin Gardner (@rhynorater) (11:07.493)
Jeez, man, that guy has an endless source of content, I swear.

Joel Margolis (teknogeek) (11:12.362)
I'm super excited for this.

Ben (11:12.378)
And if that wasn't enough, there's also a workshop for two hours on Friday on just WAF bypasses with labs and things like that. So, no, it's within, so yes, we hack, it's one of our sponsors and they wanted to do a talk on it and it was like, it took an hour and a half and I'm like, dude, I can't do an hour and a half talk, this is a workshop. And they're like, yes. So I know, I don't know about you guys, but I get like a shit ton of tweets that are like, hey, how do I do WAF bypasses? How do I do WAF things?

Justin Gardner (@rhynorater) (11:18.629)
Well, with him or with somebody else?

Justin Gardner (@rhynorater) (11:29.669)
Sweet.

Justin Gardner (@rhynorater) (11:36.325)
Dude, so many people, and I swear, because once you get into content creation in this industry, people will message you and they'll be like, hey, I've got this XSS and I can't get past this WAF. And I'm like, okay, I can do this. And then I always sit down for a couple minutes and I'm like, let me bypass this thing, and then I just get tilted. And I'm like, this is so annoying. But there are some techniques that can help with it. So I'm excited to learn a little bit more about that. And I think there's a good ROI.

Ben (11:56.953)
It's hard, man.

Justin Gardner (@rhynorater) (12:04.421)
for us in particular with that sort of thing too, because we can help all these people DMing us.

Ben (12:05.689)
Yeah.

Yeah, I know you guys did some stuff with WordPress recently, different sponsor, but we have a different sponsor coming in doing a workshop on WordPress hacking actually, and like finding vulns on WordPress plugins, how do you do it and things like that. And also that has a CTF around it too, so I know you guys is critical thinking people that you have on your Discord, we're really active on that. So if they wanna come and do some CTFs, you also have that too.

Justin Gardner (@rhynorater) (12:12.837)
Mm -hmm. Yeah.

Justin Gardner (@rhynorater) (12:22.309)
Hell yeah.

Justin Gardner (@rhynorater) (12:32.901)
Very good, man. Very good. Yeah, we just actually, I wanna say Joel, earlier today is when we moved my WordPress automation script into the, I just, so I had some private automation that I built when I was really into WordPress plugin stuff in the beginning of this year. And essentially it monitors for any plugins entering a certain threshold of uses. And it also monitors for common code patterns for vulnerabilities in.

Joel Margolis (teknogeek) (12:33.418)
That's awesome.

Justin Gardner (@rhynorater) (13:01.733)
various Ajax register functions within the WordPress code, that plugin code, and then it pushes to a Discord webhook whenever that gets in place. So essentially over the past couple months, I'll just randomly drop a WordPress plugin zero day into the critical thinkers chat and be like, here you go guys, just go ahead and report this. Yeah, so that's been pretty fun. Yeah.

Ben (13:04.983)
Yeah.

Ben (13:18.615)
Nice. That's cool, that's amazing dude.

Joel Margolis (teknogeek) (13:22.186)
Whoever wants this, yeah.

Justin Gardner (@rhynorater) (13:28.869)
But that's not all with NahumCon, right? I'm just excited for this last bit, man. We try to keep the opportunities pretty clean here on Critical Thinking. We try to keep the things that we talk about pretty relevant and add a lot of value to the listeners. And nothing adds value like $50 ,000. Am I right?

Joel Margolis (teknogeek) (13:33.354)
But wait, there's more!

Ben (13:34.839)
But wait, there is more.

Ben (13:52.692)
Financial value. Yeah a little bit of value So so that we was just gonna jump into yeah, so the another sponsor was like Yahoo and the pan or specifically and you know You guys have I think probably one of your first bug bounties was Yahoo Same

Joel Margolis (teknogeek) (13:52.842)
little bit of value.

Justin Gardner (@rhynorater) (13:54.117)
Yeah!

Justin Gardner (@rhynorater) (14:06.565)
It was, man, it was.

Joel Margolis (teknogeek) (14:08.65)
My NVH bell was from a Yahoo event.

Ben (14:11.284)
or the New York event. So yeah, they're a sponsor and with a lot of our sponsors, what we want to do is like.

Justin Gardner (@rhynorater) (14:11.397)
Woo!

Ben (14:19.348)
I wanna think of like, how do they get value? And then we do this thing with no harm come for community. I can talk about that later too, but how do we make it more fun for the community? Well, also this like sponsors also happy, right? So I got on a call with them. They're like, hey, we have 50 ,000. I go 15. They go, no, no, no, five zero in bonuses. And I go, okay, like that's like, that's insane. All right, like we're doing something big. And like, yeah, like.

Justin Gardner (@rhynorater) (14:34.917)
Dude.

Ben (14:42.548)
Obviously we can't give more, but we want to get people to get active. What can we do? And I'm like, okay, that's just like a brainstorm. So we brainstorm a lot with them. Shout out to the Paranoids team. They were very, very good to go back and forth. Yeah, they're doing some amazing stuff. So yeah, $50 ,000 in bounties and there is a, not bounties, bonuses, and there's pretty much a bonus for everybody, dude. Like anyone that wants to try out this program, they can get a bonus.

Justin Gardner (@rhynorater) (14:50.853)
Mmm, they rock.

Justin Gardner (@rhynorater) (15:04.965)
You dropped a list here in the chat. Let me see if I can pull it up. Dude, there's a critical thinkers bonus, isn't there?

Ben (15:12.5)
So there's one called the critical thinker. There is one for, there is multiple. We don't want to mention everything, but if you have, you know, if you find something that's critical, it's probably going to get a bonus. Something with high, it's, you know, depending on the numbers, but I find it, it might get a bonus. Medium might get, may get a bonus, but there's also like cool stuff. Like I don't know how long it's been since you guys have hacked on the Bug Bounty program. So if you're returning, you're returning hacker, you know, you get, you're ignited with the program, you may get a bonus. There is a lot of cool stuff in there. So.

Justin Gardner (@rhynorater) (15:18.981)
Okay.

Justin Gardner (@rhynorater) (15:33.477)
It's been a little while for me.

Ben (15:42.454)
Don't you know first of all like go find bugs there's assets that are in scope that are gonna get bonuses too So don't worry about like hey, am I gonna qualify? There's so much in there that I feel like everyone could qualify I feel like up to 50 people maybe not 50 people but there's a good 20 30 people that could get bonuses

Justin Gardner (@rhynorater) (15:57.669)
Wow, dude. I'm looking at these numbers. It may be close to that, man, because you've got these broken out pretty well. So.

Ben (16:03.408)
10, 20, 30, yeah 37 bonuses right now and it goes up to $10 ,000 for some and then up to 500 for some of the other ones.

Justin Gardner (@rhynorater) (16:07.397)
Oh my gosh.

Mm.

So here's a little double -click into the live hacking event life for you guys, really, with this. Because one of the more advanced strategies when you become in the live hacking event circuit is how do you optimize these bonuses? How do you hack on these targets, not only that are going to be getting you bounties and getting you enough bounties.

but are also going to land you these bonuses that companies just kind of throw money at these specific assets. So this is a cool opportunity to kind of feel what it feels like to have these bonuses tacked on like we get at the live hacking events all the time.

Ben (16:53.294)
funny you say that that's literally when I sat down I was like how do I come up with 50k bonuses you know like how do we do this so it's like more fun for everyone like how do we do that life -like events you know how do we do it where

Justin Gardner (@rhynorater) (16:59.685)
Mm.

You just ask.

Ben (17:03.694)
And you just pretty much think of like what are some of the cool bonuses that we had at these events and there it is. So there's gonna be more information on this coming out soon. I think by the time this podcast comes out, a lot of it's gonna be announced. But yeah, if you're watching this, if you're a critical thinker, you're someone on their Discord, if you're watching this, not even on Discord at all, you can hack and it doesn't have to be on one platform either. It could be on either platform that the Yahoo program is hosted on to.

Justin Gardner (@rhynorater) (17:07.813)
Mm.

Justin Gardner (@rhynorater) (17:29.349)
Pretty sick, dude. Pretty sick opportunity. LHE stuff brought to the public here. Very good, dude. I really do also like the Reigniter thing. People that used to be engaged with the Yahoo program and want to come back, because they hold a lot of knowledge in their heads and in their inbox about the Yahoo program. And you can kind of bring that back in and reignite your engagement with that program.

Joel Margolis (teknogeek) (17:34.602)
Super cool.

Ben (17:44.013)
Yeah.

Ben (17:48.717)
Absolutely, man.

Ben (17:54.412)
It's the same thing with the hacking event. So you invite some of your top hackers because they have value and then they get invited to the program for the events, right? So that's kind of the same idea. But Joel, do you want to give us one more? But wait, there's more? There's one more thing, more value, I think. And also, I think with education and content creation, I think going to Vegas,

Justin Gardner (@rhynorater) (17:57.829)
Mm.

Justin Gardner (@rhynorater) (18:07.877)
Oh, oh, oh, oh.

Joel Margolis (teknogeek) (18:09.034)
But wait, there's more!

Ben (18:22.059)
I had a friend of mine that I will keep anonymous, but this person didn't want to stay for DEFCON one year at H1702 and he was like, hey, you should just stay, we'll get you a room, just stay and hang out. And he went to H1702 and so he went to DEFCON and he was like, oh my God, this is so cool. Like, I wonder why they would have done this. Like, I met so many different people that kind of like energized me and I'm like super excited about it. And I never expected any of that. I just, I want this person to just stay and hang out more. And...

This year we thought about like, okay, if this person calls me and tells me like, hey, that was really valuable for me. And they're already in the industry. They've done Vegas every year because of their job or whatever it is. What do we do for someone that has never had the chance to go to DEF CON? So as a part of the partnership with Yahoo, also one person is going to get a full ride scholarship to go to DEF CON. So which is your flight and hotel being paid for. I don't think there's going to be like food and stuff like that, unfortunately, but the big lift is on us. We're going to book you a flight. We're going to book you a room. Hopefully get you a bath.

Justin Gardner (@rhynorater) (19:04.901)
No way, dude.

Ben (19:17.243)
and you get to go and enjoy Defqon from Thursday through Sunday and have a blast. Hopefully make some friends.

Justin Gardner (@rhynorater) (19:24.709)
Do you think we can sneak him into H1702 as well?

Ben (19:28.521)
That is a really good idea. I'm working on maybe also getting that other half of the week. I think it's a really cool thing to go to H1702, dude. Especially if you're bug bounty hunter already, right?

Justin Gardner (@rhynorater) (19:37.413)
Yeah.

100 % man, that adds so much value. I think if me and you both pull out the puppy dog eyes on Caitlin or Jessica, we might be able to make it happen.

Ben (19:49.352)
So I know they watch these podcasts. So Caitlin, Jessica, Ari, and Harley, you guys are watching this. We are gonna beg you, please let us make this happen. But honestly, but yeah, I mean, I haven't thought about it that far. There's a little bit of logistic nightmare with bringing someone to H1702 because it's somebody else's event, the customer, the client, and then also our...

Justin Gardner (@rhynorater) (19:54.949)
Harley.

Justin Gardner (@rhynorater) (19:59.333)
One, two, please.

Justin Gardner (@rhynorater) (20:05.669)
Mm.

Yeah, they're gonna have to leave for the NDA stuff and stuff like that, so.

Ben (20:15.303)
And then the community parts of it also, like people are very entitled to some opinion sometimes, but we'll see. To be determined, we'll learn like a week or two. Maybe we'll announce that in the Hong Kong, who knows.

Justin Gardner (@rhynorater) (20:25.477)
Very cool, man. Well, I am super excited either way. It's going to be a blast. And really looking forward to all that. Whoever lands the, and this scholarship, this is for people that performed well in the Yahoo challenge, right? Mm. Mm, OK.

Ben (20:39.174)
It's gonna be at random. We're not gonna say, you know, it's not just performance based. So you don't have to be the top of the tier hackers. It's just, we want someone that's gonna put in the effort. So there is a little bit of effort there. So you have to get some sort of a valid submission. And then at random, we're gonna pick somebody that's gonna wanna go to this event. And then the first person says no, we go to the next one, the next one until someone says yes.

Justin Gardner (@rhynorater) (20:58.277)
very solid man, it's gonna be like the real LH experience. You got bonuses, you got free flights, free hotels, a bunch of community, that's awesome.

Ben (21:05.284)
We just don't have a belt. Maybe I'll make my own Nahumsec belt and just ship it off. But yeah, so that's all of it. So if people that wanna get involved, even if you don't wanna go to Defqon, there's a lot of money for grabs. Please, like go and hack on Yahoo and make some money. And that's addition to what you would get on those bounties too.

Justin Gardner (@rhynorater) (21:09.061)
Naham belt. Just take one of the belts and like just paste your face over it. That's good, man.

Justin Gardner (@rhynorater) (21:24.325)
Yeah, for sure man.

I'm super excited for Naham Khan this year. It's gonna be a record -setting one, man, I think, in the history of Naham Khans. All right, cool. Gotta go hard. So let's go ahead and shift the conversation. Let's go talk about some technical stuff. We got some cool CSP stuff and we got some CI, CD stuff. Where do we wanna go?

Ben (21:36.355)
It's our fifth year, so we gotta go out with a bang, dude, for our fifth year.

Ben (21:52.067)
We can start with, I think Serious City would be cool because we can also talk about a little bit of a launch on some stuff that you guys have on your notes, but yeah.

Justin Gardner (@rhynorater) (21:57.029)
Yeah, oh yeah, that'll be real fun. So, all right, let me start with that then, just to give Lupin his due here. So, our boy Lupin came in the pod, we did an episode with him in Japan, and that was one of my favorite episodes to record, to be honest, because one, he's got so much passion, and his accent's sexy, and the backdrop of that episode was really good. So, one, go check out that episode. Two,

Ben (22:19.233)
Ha ha ha ha.

Justin Gardner (@rhynorater) (22:26.341)
our boy is launching a product. And it is a freaking amazing thing that has sort of stemmed from this whole CI, CD research that, man, I guess this whole dependency confusion thing stemmed from a live hacking event where AJ Chapman and, not Chapman, I'm sorry, Alex Beerson and I were working on, Beerson did have a, or Chapman did have a part of that event, but it was a different thing.

Ben (22:43.521)
Alex.

Justin Gardner (@rhynorater) (22:52.389)
Alex Pearson and I were sort of working on PayPal related bugs and this whole dependency confusion thing came out. And then Lupin sees this and he's like, this is a crazy industry, a crazy scope surrounding CI, CD stuff. And he's built this tool called Depi that he's gonna be releasing and this is an enterprise product to help secure the CI, CD chain. And I've seen this thing. All right, dude, hold on. Let me send you this link. This link is not public yet.

But you gotta go to this link and tell me that this is not the most... Did you see it? Okay.

Ben (23:24.897)
I saw the website dude, I clicked on it. Yeah, it's a pretty interesting design. It's a very cool design, it's very unique. And I know he's worked really hard on this, because him and I chat once in a while. He was one of the people that reached out to me when I went to my burnout and would just go back and forth a lot. It's like, I'm so slammed with making this happen. And then when I saw this, I'm like, holy crap, this is gorgeous.

Justin Gardner (@rhynorater) (23:31.525)
It's crazy, right?

Justin Gardner (@rhynorater) (23:44.357)
Yeah, dude, it's an amazing product and it's also just technically really interesting because he's been kind of keeping me in the loop while he's doing the research that powers this thing and he's got so many like zero days in all of these package management softwares that he uses to get this sort of dependency confusion. And so I'm really excited for that to launch. And I just wanted to give it a shout out here because it's a product that I really, really believe in. So if you haven't checked out CIACD stuff, definitely check out...

It's at www .lnh .tech .deppie. It will be live by the time this podcast is live. So we can go ahead and shout it out.

Ben (24:23.841)
Yeah, very cool stuff. I'm excited to see what he does with it and I'm sure he's gonna have a lot of like research come out of it too with this being released.

Justin Gardner (@rhynorater) (24:31.141)
Yeah, we're going to have him on for an episode in a couple weeks to talk about the technical details of that, which I'm super hyped for. But you've also been doing some CI CD stuff, right?

Ben (24:34.465)
Nice, nice, nice.

Ben (24:39.329)
Mine isn't so much like the dependency confusion stuff. Mine is just mostly on these couple of pentest that I've been on.

it's always like, hey, we want you to do a pen test, but we're not gonna give you credentials to start with. And it's like, great, love it. Like it's a phase one, right? But what do you do? Like there's so much you can do with JavaScript files. And if it's like, if they're using some like framework, like Django or something, right? Then your chances are gonna be a lot less. You know, Django is just an example, but like whatever PHP framework or whatever language they use. So like you gotta just really think about it. But I just, it all started with just like a .getignore file with me. There was like four assets in scope and it just started with like a .getignore file that leaked a lot of like

Joel Margolis (teknogeek) (24:52.938)
Love them.

Justin Gardner (@rhynorater) (25:06.213)
Mm, mm.

Ben (25:16.275)
paths and I'm like if they have this file on here like I wonder what else is on here too right like what else can I find on these other apps that they own so

Justin Gardner (@rhynorater) (25:23.749)
Huh, so wait, the .gitignore file, you were looking at that for things that they didn't want included in the GitHub repo, but might have been accessible via a web server somewhere? Ah.

Ben (25:29.313)
they're correct. Correct. Yeah, so if you could get it noticed like for tracking, like it tells you like, hey, ignore these files, you don't track them, right? And sometimes like they'll have like folders for like logs, they will have like the upload folders in there. And it's just, they don't want to change it or they don't want to track it. The upload one's like interesting if you can find some stuff, the logs one's interesting, but then look at the bottom, there's also like configuration files sometimes, right? This one specifically, one of the companies had a,

I don't know what the path was, but they had like their GitLab CI files in there. Like you can see all the different repositories they work with and you can look for dependency confusions in that way, right? But then it gets worse when they have like a config .json file in there and it has like credentials inside.

Justin Gardner (@rhynorater) (26:34.629)
Mm, mm, yeah, no, I could totally see that. That technique is not one that I've actually super thought about, and I wonder if you could take, if you could find some way to correlate GitHub repos to what you're seeing on a web server, like you create a tool that correlates that, either through the .git file being exposed or something like that, and then create very high signal alerts where you download the .gitignore file, you pull the paths down, hit the web server on those paths,

And then if any of those come back, you assume that that's going to be super interesting, which I imagine it would.

Justin Gardner (@rhynorater) (27:15.333)
Mm.

Justin Gardner (@rhynorater) (27:28.965)
Yeah.

Justin Gardner (@rhynorater) (27:46.469)
Mm.

Justin Gardner (@rhynorater) (28:05.445)
Yeah, I bet with the, I guess, popularity increase of nuclei, you're not seeing as many of these .git files being exposed and stuff like that in any meaningful way.

Justin Gardner (@rhynorater) (28:24.261)
Mm.

Justin Gardner (@rhynorater) (28:34.021)
It's hard to fingerprint, right? Ah. Yeah, that's true. I also think that whatever you do with mass recon, I think it's a whole nother sector, it's a whole nother distribution to do that one layer deeper, right? So like, let's say for example, you're scanning for .git everywhere, right? There's hundreds of people doing that. But there aren't hundreds of people hitting GAU, hitting way back, running a quick hits brute force list.

taking that first layer of paths and then running all those nuclei templates under those paths as well. And I think there's a lot of value there.

Justin Gardner (@rhynorater) (29:21.381)
Mm.

Justin Gardner (@rhynorater) (29:27.205)
Mm, mm, absolutely. Yeah, just as we continue to talk about recon stuff, what every time you're, oh, did we lose them? Okay. That's fine. As we continue to talk about recon stuff, I always sort of dream about building some scanner that can effectively check for path traversal.

problems essentially, where you can, and I'm sure stuff out there exists, I just haven't really figured it out yet, but I remember finding an RCE one time on www, right, and I just, all it was was, on a pretty well known site, too, like this is a household brand that's paying, you know, I think it was like 6K crits at the time, and it's go to www, do dot dot dot dot semicolon slash, and then you get access to this backend piece.

and you can just do a bunch of things underneath that.

No, it just went straight from there. And so I keep on thinking, like, there has to be a good way to fingerprint where these traversals are happening. Like, you should be able to do just a normal dot dot slash and then compare it to a dot dot slash 2f or a dot dot slash semicolon 2f.

Justin Gardner (@rhynorater) (30:47.685)
If it's normalizing correctly, like you take something that of course it's gonna normalize correctly and then you know try to do these permutations and if they aren't the same then you can say okay well these actually should be the same response so something sketchy is happening here. I don't know it's probably really hard to get to be high signal but I feel like there should be some way to do it.

Justin Gardner (@rhynorater) (31:23.493)
Yeah, yeah, for sure. All right, man. Last little topic we had, this is gonna be a quick little pod today, because we spent so much time brainstorming about content creation stuff and critical thinking, your stuff. But I did want to hit on CSP related stuff.

Joel Margolis (teknogeek) (31:42.154)
this. Yes. Yes. You mentioned in here you've got some CSP bypasses for for Google Maps and some other Google products actually. So why don't you talk a little bit about that because I love these. I love that these things exist. These are such good little gadgets to have. So yeah.

Justin Gardner (@rhynorater) (31:48.773)
Mm.

Justin Gardner (@rhynorater) (32:36.709)
Yeah. Well, I don't know. I feel like you can do, and this last episode that we discussed with Johan, he just gave such a beautiful deep dive into CSP -related stuff. And there are a lot of things you can do with it, like the form action -related thing can prevent you from doing. When you don't have specific, when you don't have XSS, but you can create these forms and sort of do a CSRF or a CSRF token leak,

That can definitely be helpful, and then obviously, of course, you've got anything that's relating to cross -site leaks. It can also be limited by CSP, but certainly the primary function of it is to prevent cross -site scripting, which is really tricky to do when all of these sites keep on having all these gadgets in place that allow us to pop stuff.

Justin Gardner (@rhynorater) (33:34.405)
for Maps. Yeah, so Maps, this one I have to give credit where credit was due. I meant to mention this on the pod with Johan and maybe we sort of shouted it out, but I want to say that that was actually a tweet coming from him. Joel, do you know if that's right?

Joel Margolis (teknogeek) (33:35.978)
Yeah.

Joel Margolis (teknogeek) (33:50.378)
remember.

Justin Gardner (@rhynorater) (33:51.141)
Yeah, I want to say he tweeted out a couple weeks ago a Google, like maps .googleapis .com bypass, a CSP bypass that is done via JSONP, right? Because one of the most common ways to bypass CSP is to find an endpoint where they're utilizing JSONP and then actually insert a full function call into the callback. And so we've...

I showed this one to Ben on the pre -recording and Ben's like, oh yeah, I got like a couple of these. And he pulls out one for www .youtube .com, www .googleapis .com, www .google .com.

Joel Margolis (teknogeek) (34:30.378)
Google .com, yeah.

Justin Gardner (@rhynorater) (34:41.701)
Yeah.

Justin Gardner (@rhynorater) (35:12.293)
Mm -mm.

Justin Gardner (@rhynorater) (35:17.957)
And these are pretty widely, I feel like when you see a CSP, they're often like, all right, start at Google .com or start at Google .APIs .com or something like that. So having these JSON callbacks on these really trusted domains is super clutch. So we'll put these in the description of the episode. We'll drop them in the hacker notes as well. We'll probably tweet them out. So you should see them in many places if you follow critical thinking in any way. But thanks for sharing these, man, because these are definitely high value gadgets to have in your back pocket.

Joel Margolis (teknogeek) (35:48.234)
Yeah, absolutely. And we're going to be for the critical thinkers soon. Soon we're going to be putting together some sort of potential reference or collection of these gadgets for these types of things so that, you know, as you're hacking, as you're going through and you're sitting there and you're one step away from an awesome bug and you're like, dang, if only I had a CSP bypass for blank. Well, now you're, you have a reference that you can come check and you can come see if somebody's already got one.

Justin Gardner (@rhynorater) (35:52.837)
Mm. Mm.

Justin Gardner (@rhynorater) (36:01.029)
Mm.

Joel Margolis (teknogeek) (36:17.77)
that they've shared with the community. So stay tuned for that because we're going to be working on that.

Justin Gardner (@rhynorater) (36:26.565)
Thanks, Ben's like, oh wait, I wrote this. That's great. Is this, yeah, no, that's great, man. That's really good. And I guess I just wanted to shout out, this isn't in the doc, so we're going off the thing there, but there was a really cool piece of research that I just can't get out of my head, which was essentially a scenario where you can't do this with the full CSP bypass, where you can't do like,

Joel Margolis (teknogeek) (36:26.666)
Yeah, absolutely.

Joel Margolis (teknogeek) (36:35.242)
Uh!

Justin Gardner (@rhynorater) (36:56.101)
a full function call in the callback, but you can do, you do have something that triggers JavaScript, so you're able to trigger some, it just doesn't allow you to do a function call. And so what this guy did with this research that I saw was he would include a script, right, like script dot, you know, whatever, and he would do, like, as his callback, he would do opener dot,

child element dot child element dot child element dot child element dot child element, right? So these are all just dots and ASCII characters, which are all allowed in the callback, even secure callbacks. And then obviously it's doing some sort of function call at the end, or else it wouldn't be a JSONP callback. So he ends it with dot click. And then in JavaScript, you can pass in any parameters to a function, even if it doesn't take it, and it'll just kind of like shove them away. So then what he would do was he could click arbitrary buttons on a page.

that was the opener of that page. So you do a window .open, you redirect your original page to like an OAuth flow, and then you include that CSP, which will do, go down on the parent page and click the approve button for an OAuth flow or something like that, and approve your OAuth application. And I'm like, this is such a genius technique to be able to weaponize just one single function call to execute .click on a parent page.

Justin Gardner (@rhynorater) (38:26.405)
I don't know man, but when I read that, I literally sat there with my jaw open for a while, because I'm like, wow, now you don't even really need a full CSP bypass in order to get some impact, because sometimes you see these JSON PN points and you can't introduce a function call or anything. So I'll see if I can track down that research and I'll put it in the show notes for this one, because I think I cannot give that, I've mentioned it on the pod before, but I cannot give that research enough shout outs how creative it is.

Justin Gardner (@rhynorater) (38:57.669)
Mm.

Justin Gardner (@rhynorater) (39:01.477)
Mm -hmm.

Justin Gardner (@rhynorater) (39:05.445)
Mm. Oh, the back ticks, yeah.

Justin Gardner (@rhynorater) (39:12.037)
Yeah.

Justin Gardner (@rhynorater) (39:15.461)
Seriously, and I think actually the cool thing about the research that he mentioned as well was I think by default every WordPress site has that gadget built in that you can't do the full function call on the callback, but you can do this thing that he's describing. So it's super easy to find a WordPress site on any of these victims, right? Most of them have them.

have them set to like slash blog or something like this and then it reverse proxies to a WordPress site. So lots of really awesome gadgets there as well.

Joel Margolis (teknogeek) (39:51.69)
Awesome.

Justin Gardner (@rhynorater) (39:52.901)
Alright man, Joel I know you got a hard stop right now. Ben, anything else you want to shout out?

Mm -hmm.

Justin Gardner (@rhynorater) (40:11.077)
Oh, dude, it's going to be freaking great. I'm sure of it. All right.

Joel Margolis (teknogeek) (40:20.202)
Awesome. And that's where can they check it out?

Justin Gardner (@rhynorater) (40:31.109)
Sweet, awesome. That's a wrap on this pod. I think. Peace everybody.

Joel Margolis (teknogeek) (40:35.594)
Peace.