May 23, 2024

Episode 72: Research TLDRs & Smuggling Payloads in Well Known Data Types

Critical Thinking - Bug Bounty Podcast

Episode 72: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss some hot research from the past couple months. This includes ways to smuggle payloads in phone numbers and IPv6 Addresses, the NextJS SSRF, the PDF.JS PoC drop, and a GitHub Enterprise Indirect Method Information bug. Also, we have an attack vector featured from Monke!

Follow us on twitter at: @ctbbpodcast

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Resources:

PDF.JS Bypass to XSS

https://github.com/advisories/GHSA-wgrm-67xf-hhpq

https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/

PDFium

NextJS SSRF by AssetNote

Better Bounty Transparency for hackers

Slonser IPV6 Research

Smuggling payloads in phone numbers

Automatic Plugin SQLi

DomPurify Bypass

Bug Bounty JP Podcast

Github Enterprise send() bug

https://x.com/creastery/status/1787327890943873055

https://x.com/Rhynorater/status/1788598984572813549

Timestamps:

(00:00:09) Introduction

(00:03:20) PDF.JS XSS and NextJS SSRF

(00:12:52) Better Bounty Transparency

(00:20:01) IPV6 Research and Phone Number Payloads

(00:28:20) Community Highlight and Automatic Plugin CVE-2024-27956

(00:33:26) DomPurify Bypass and Github Enterprise send() bug

(00:46:12) Caido cookie and header extension updates

Transcript

Justin Gardner (@rhynorater) (00:00.138)
roll from there. Let's see. So mine is sitting at, mine is 0% uploaded. But I'm, you're coming, you're coming through alright. Say, say, yeah. I mean mine just jumped to 100.

Joel (teknogeek) (00:02.755)
How's it doing?

So is mine.

Joel (teknogeek) (00:11.939)
Something something one two three nine ten sixteen twenty.

Justin Gardner (@rhynorater) (00:18.25)
You're at 30% uploaded. There's a little bit of a lag. Yeah, it could be Riverside, because mine is also jumping back and forth between 30 and 100. So.

Joel (teknogeek) (00:20.291)
Yeah, mine seems to chill around 30.

Justin Gardner (@rhynorater) (00:32.586)
Yeah, just make sure you leave it open when you, yeah, so then it'll be fine, yeah?

Joel (teknogeek) (00:35.044)
Yeah, yeah.

Joel (teknogeek) (00:40.1)
I'm gonna try to look down because I'm seeing that there's a lovely reflection.

Justin Gardner (@rhynorater) (00:46.282)
A lovely glare right there. Very good.

Joel (teknogeek) (00:50.755)
Look up like this.

Justin Gardner (@rhynorater) (00:52.478)
my gosh. All right, this is actually gonna be our starting frame right there. So, no. All right, Mr. Margot, what is that face? What is that face you're doing, man? All right, well, somehow you still have energy after a 14 hour flight. So props to you on that. Where are you at and why are you out there right now, Joel?

Joel (teknogeek) (01:00.323)
That's a reflection of my glasses. I gotta keep it either up here or down here.

Joel (teknogeek) (01:14.851)
Yeah, man. Yeah, I'm in Johannesburg, South Africa for a Meta Bug Bounty Research Conference. So they're doing a little bit of a conference slash live hacking that type of thing out here. They do one, I think, every year. Last year was in Seoul, South Korea. And this year it's in Johannesburg, South Africa. So that's pretty, pretty exciting. I've never been anywhere in Africa before, let alone South Africa. So I'm super, super excited and awesome opportunity to get to come.

Justin Gardner (@rhynorater) (01:22.218)
Nice, dude.

Justin Gardner (@rhynorater) (01:37.93)
Yeah.

Justin Gardner (@rhynorater) (01:44.202)
Is it Johannesburg or is it Johannesburg?

Joel (teknogeek) (01:46.724)
jeez, I don't know. I'm gonna say Johannesburg, cause that is...

I'm white.

Justin Gardner (@rhynorater) (01:55.914)
Alright, gotcha. Well, we'll leave it at that. I'm sure we're gonna get roasted in the comments for that. But, Joel, I've got something for you, man. While you were on this flight, flight to something Hannisburg, the POC dropped for the PDF.js XSS. The PDF.js XSS. You saw, you, we,

Joel (teknogeek) (02:19.716)
The what?

Joel (teknogeek) (02:24.132)
man. I go to sleep for five seconds and then this is what happens. They just start dropping zero days on me.

Justin Gardner (@rhynorater) (02:25.162)
We talked about that I think a little while back.

Yeah, man. Well, you know, this is what happens when you get a business class flight, when you get upgraded to business class and then you fall asleep. So poor, poor Joel, poor Joel and his full full reclining seat.

Joel (teknogeek) (02:40.549)
Poor me.

The full iFlatlight is very difficult.

Justin Gardner (@rhynorater) (02:49.066)
Yeah, yeah, I believe it. Yeah, so this one was an interesting one, man. And I know the WiFi was kind of shit on the plane, and I know you probably didn't get a bunch of time to prep this time, so I'll take this one, and we'll keep this a little bit more Q&A-y for this episode. But yeah, I wanted to talk about this one anyway. This was on the list even without the POC, because I was like, wow, the advisory actually has some good information in it. It's like...

Essentially the XSS occurs in the font processing JavaScript code that the PDF.js generates and then it proceeds to eval. So it's been on my to-do list to go and like find the POC for this because it should be pretty easy to look through the code and figure out where they're evaling and then just kind of work back from there. But they beat me to it today. Codean Labs dropped the POC for CVE-2024-4367,

the XSS in PDF.js. And what I didn't realize, dude, is this actually affects every single Firefox user because it uses it by default.

Joel (teknogeek) (03:56.261)
Yeah, it's really crazy. I mean, so we've talked about this a little bit before, right? But browser market share for Firefox is less than 3%. So there are a decent amount of Firefox users. But I think as hackers, we're probably a little more biased towards thinking that a lot more people use Firefox than they do. That being said, that's pretty bad.

Justin Gardner (@rhynorater) (04:03.978)
Mm. Yeah. Yeah.

Justin Gardner (@rhynorater) (04:16.394)
Yeah.

Justin Gardner (@rhynorater) (04:21.194)
Yeah, it's pretty bad. It's pretty bad. And I think there's a lot of, there's a lot of application as well in just other areas, you know, applications using PDF.js to display PDF. So it was definitely one that I was kind of looking into and being like, okay, this is actually one to keep in the, in the, in your mind, you know, because it's one of those like JavaScript libraries where, or vulns in a JavaScript library where it's like, if the library is actually doing the thing that it's supposed to do, then it should be vulnerable.

And so whenever, like it might even be worthwhile to put up some sort of alerting in Caido or in Burp. I know that Burp does like the vulnerable JS libraries either in extension or by default. This could definitely be a good one to keep an eye out for. And with regards to the technical details for this one, it was super simple, dude. Essentially what was happening is the code that was being, they were doing glyph rendering via JavaScript in.

inside of this PDF.js and essentially what it would do is would take a part of the PDF file and it would integrate it just like place it directly into a JavaScript code and then eval that JavaScript code. So in the end, yeah, you could just, you could specify a string in the specific section of the font and then that would actually just get placed directly into the code. You just close off the function call and run whatever code you want and that just gets executed. So.

Joel (teknogeek) (05:30.597)
Hmm. Interesting.

Justin Gardner (@rhynorater) (05:48.33)
really, really clean POC too, and they actually dropped a proof of concept PDF file, so you don't even have to generate the PDF file yourself.

Joel (teknogeek) (05:48.901)
So interesting.

Joel (teknogeek) (05:55.942)
That's awesome. That's awesome. Look at that. That's super interesting. You know what it makes me wonder is if there's a similar type of vulnerability in PDFium, which is the Chrome one, right? PDFium, is that what it's called? Yeah, like Chromium, PDFium. Yeah, I do wonder. I think it's a totally separate thing, but I would be curious if there's been any research into it from that side, because I'm very surprised that something so...

Justin Gardner (@rhynorater) (06:04.01)
Mm-hmm.

really? PDFium, okay.

Joel (teknogeek) (06:25.158)
fundamental as PDF.js would have been exploitable. And I'm looking at the payload here, and this is super, super simple too.

Justin Gardner (@rhynorater) (06:27.722)
Yeah.

Justin Gardner (@rhynorater) (06:34.09)
Yeah, yeah, it'll be interesting, man. You know, I think it's definitely worthwhile to take a look at any sort of JS rendering of complex file types. I recently had a vulnerability with my mentee. Actually, my mentee had a vulnerability to give him full credit. Like, he really took it the full way. I just kind of advised along the way. But he had a vulnerability in a JS library that was parsing a complex file type and displaying it in the browser.

as a part of some rendering. And it's just hard to do securely, I think. There's lots of nuances to it. So that should definitely be... On this pod, we like to talk about attack vectors in areas where you can attack stuff that are probably gonna be less discussed by the traditional security environment. And I think this is one of them. If you're really willing to take the deep dive and audit a library for displaying specific types of files, I think there's often problems there.

Joel (teknogeek) (07:33.575)
Yeah, so did Codean find this or was this a vulnerability that existed and they just got a POC for it?

Justin Gardner (@rhynorater) (07:37.834)
Yeah.

Justin Gardner (@rhynorater) (07:41.738)
No, they found it. They didn't leak the POC or anything. They found it themselves. They reported it to PDF.js and then Mozilla and then they disclosed the POC. So, you know, definitely respect for Codean Labs here dropping the POC for us, which is nice. You know, it saves us the time to go back and reverse it. I'm sure plenty of people reversed it, though. So, yeah, I think that's the right call anyway to just expose it and once the patch is in place.

Joel (teknogeek) (07:45.383)
Cool.

Joel (teknogeek) (08:06.022)
Yeah.

Joel (teknogeek) (08:11.462)
Absolutely. I mean, I think it's also really fascinating when I'm looking at the POC. Like, I can very clearly see how it exploits. But then when I read through this whole writeup, it's significantly more confusing coming from, like, the white box approach, where it's like, how does this code actually, like, exploit this? Like, what do you need to do to match all this criteria and stuff? Versus if you were just approaching this from a black box perspective, I think it actually would have been a lot easier.

Justin Gardner (@rhynorater) (08:29.322)
Mm-hmm.

Justin Gardner (@rhynorater) (08:37.85)
really? Wow. That, yeah.

Joel (teknogeek) (08:38.79)
I think so. I mean, maybe if you just fuzz all the fields, right? Like, versus trying to find some sink and then going backwards.

Justin Gardner (@rhynorater) (08:42.858)
You have to see the flow of the data, you know? And I think that is a little bit of a tricky part, but it does make me think of another thing that was kind of on the to-do list for today, which is the Next.js SSRF that AssetNote released, which is just another great example of sitting down and auditing some source code, resulting in a really crazy set of bugs. Did you get the chance to read through this one before?

Joel (teknogeek) (09:09.414)
Yeah, I saw that they had talked about this a little bit. I'm glad to see that it's out now. I think I knew about this a little bit ahead of time. But this is really, really cool. Yeah, did we talk about this? I feel like we might have mentioned this or something, right? Or no?

Justin Gardner (@rhynorater) (09:16.906)
Yeah. really? Okay, gotcha. You got the inside scoop?

Justin Gardner (@rhynorater) (09:24.778)
Yeah.

Justin Gardner (@rhynorater) (09:29.642)
We may have, I don't know. You know, our apologies to the audience if it had, if we have already, because we've had this on, on the list for a little while, as also some of the other items here. But we've been so, we've had the opportunity to interview such great guests the past couple weeks, where it's like, you know, there's just been a lot going on. So, but I just wanted to point out a couple, a couple things here. One, just amazing write-up, but I really liked how they won that, that there, if you look at the code flow

There seems to be a lot of inhibiting factors, right? There's a head request that's sent beforehand and there's a specific content type that has to come back and if you look at it, you know, sort of at a glance, you might think, okay, well, they've got protections in place that would make this SSRF like not even possible. But they don't give up there. They continue to push through it and, you know, find a way to bypass the content type limitation and use a redirect to get past that. So I just think it's a really...

a really high quality piece of research and just an example of the stuff that the AssetNote team has been pushing out.

Joel (teknogeek) (10:35.462)
Yeah, I mean, per usual, AssetNote, everything that they publish is going to be super high quality and super in depth and super well researched. So I always love to see the stuff that they're pushing out and I just can't, I wish I could like subscribe somehow, you know?

Justin Gardner (@rhynorater) (10:52.202)
Yeah, yeah, I don't know. I feel like maybe they have like a, we might be able to like find a, like email subscription. Yeah, yeah, they have updates on the research down at the bottom. I don't know, I'm not a huge newsletter guy. I only read like two newsletters. But I think this is one of the ones where I would like create a filter for it and have it like automatically starred in my Gmail or whatever. So I think, yeah, maybe we should do that. I'm gonna add that right now actually.

Boom, there we go. Can't believe I wasn't subscribed to that before. I guess, you know, we see it so quickly though, and we often get the inside scoop even before it happens, because of the group chats and stuff. So, yeah, I think there's lots to be gotten there. All right, dude, I got a couple of things that I wanna talk about with regards to smuggling payloads through sort of obscure data types that have, I guess, some caveats in the RFCs.

Joel (teknogeek) (11:37.443)
Yeah, for sure.

Justin Gardner (@rhynorater) (11:51.786)
But before we get into that, let's talk a little bit about this announcement by Mikheil from HackerOne about better bounty transparency for hackers by showing you what percentage of vulnerabilities are paid at what tier. What are your thoughts on that?

Joel (teknogeek) (12:08.069)
I've thoughts. I think it was, I think generally this was coming from a good, a good place. I think it needs some tweaking for sure. So I think probably the biggest complaint that I have with it is that it's not really representative of the current picture, meaning that when you see these percentages in these average bounties, I'm almost certain, I don't

Justin Gardner (@rhynorater) (12:10.122)
I know you have thoughts, that's why I just opened up the room to you, man.

Joel (teknogeek) (12:37.892)
see anywhere that it's mentioned, but I'm almost certain that this is basically all time stats. That's what it appears to be anyways. And so I think the tricky part is that a lot of programs change bounties. Programs don't have a lot of reports or a lot of resolved reports. And those two things combined can really skew these stats pretty badly. All right, so say your program, you're paying 50... Sure.

Justin Gardner (@rhynorater) (12:43.338)
Mm. Mm, yeah, I think so too.

Justin Gardner (@rhynorater) (13:00.426)
Okay, let me just add something really quick. For those of you that haven't actually seen this yet, what happened, HackerOne updated their sort of built-in bounty table that's a part of the platform built into the policy page to reflect how much, how many, how much, the average amount of bounty paid for a specific type of vulnerability, so if you've got a medium and the medium range is like, you know, 1,000 to 3,000, they'll say, okay, the average medium paid is 1,000.

So why are they never paying that 3,000, essentially, right? You've got that and then you've also got what percentage of vulnerabilities lie in what severity in this program. So it does help because you can look at a specific program and be like, okay, well, this specific program is inclined to pay highs and crits. But like you said, that data might be a little bit skewed.

Joel (teknogeek) (13:50.148)
Yeah, so I think I would like a little bit of clarity on some of the things like percent of submissions, for example, when it says like 2% of submissions are criticals. Does that mean post-triage in general or like on submission? Like what counts as a critical when it's paid out? Like, I don't know. So that's just one thing. But I think going back to what I was speaking on originally, my biggest complaint here is that it doesn't really account for changes within the program, right? So let's say...

Justin Gardner (@rhynorater) (13:55.466)
Mm-hmm.

Justin Gardner (@rhynorater) (14:01.77)
Mm, mm, mm.

I... Mmm.

Justin Gardner (@rhynorater) (14:13.13)
Mm.

Joel (teknogeek) (14:18.467)
As an example, a program is paying very low crits, let's say they're 1,500 for a critical. And then they decide to double their bounties, triple their bounties. They're now paying 5k crits. If they never pay a critical, their average bounty for a critical is never going to reflect that range. Let's say between when they updated it to now.

Justin Gardner (@rhynorater) (14:38.282)
Mmm.

Joel (teknogeek) (14:43.109)
They've never paid a critical bug. They never received one. They never paid one out. So there's nothing to represent that they do pay 3K criticals in reality. It's just that the average bounty that they paid for a critical is somewhere between zero and 1,500 because that's what they used to pay for criticals. So I think that it's not super representative of that. I would like to see it be maybe like since the last time the bounty table was updated or something like that.

Justin Gardner (@rhynorater) (14:58.538)
Mmm.

Justin Gardner (@rhynorater) (15:05.834)
Yeah, that could be gamified from the program side too though then if they're getting some stats they'll be like, all right, you know, it's not 5K for a high, it's, you know, 5K to 10K, you know, like just making it clear but also resetting your bounty stats. Yeah, so it is interesting I have to say. I love the concept. Shout out to HackerOne for that in general. I think this sort of transparency is really helpful.

Joel (teknogeek) (15:10.82)
Right.

Joel (teknogeek) (15:16.612)
5001 Yeah

Joel (teknogeek) (15:24.516)
Yeah.

Justin Gardner (@rhynorater) (15:35.338)
And I think it solves one problem that hackers, like I mentioned before, it solves one thing that hackers would really want to look for, which is programs that routinely pay highs and crits, right? And it's not necessarily that their severity assessment is off or whatever, but it's like that there are highs and crits to be found, and those highs and crits are getting paid out. It is the biggest indicator that there are highs and crits on that program. And I know a specific hacker,

who told me that this program that he hacks on, it's just everything is a high or a crit. And he has a specific way of showing data leakage and it just always ends up being a high or crit. And so I bet if we looked at that program, maybe, maybe, or maybe they're happy about it. And the...

Joel (teknogeek) (16:22.02)
I'm sure for the program side, they're super annoyed about that, by the way.

Joel (teknogeek) (16:29.028)
I mean, on one hand you're getting value, on the other hand you've got this one guy who just...

Justin Gardner (@rhynorater) (16:31.658)
All right, so we're not gonna start this again, okay? You're not ever gonna, no, we're not gonna go down the whole like, program should play less bounties to the hackers, no, no, no. But yeah, I think also from a data perspective, this is really interesting. Like you were doing a scraping project, you know, a while back that sort of correlated a bunch of data points. And this is another set of data points you can use for that.

Joel (teknogeek) (17:00.26)
Yeah, yeah, absolutely. Yeah, I'm curious if that was spun off from that or anything. I like to think that maybe we had a piece of that. But yeah, it is pretty interesting to see this data being more visible from the HackerOne side. So I'm always in favor of program improvements from the HackerOne side more than hacker improvements.

Justin Gardner (@rhynorater) (17:06.058)
Mm, mm, yeah.

Justin Gardner (@rhynorater) (17:24.202)
Yeah, yeah, absolutely. Yeah, it's definitely cool. I do think that caveat that you mentioned does need to be addressed though. Like, what is this representing? If we slide our bounty table, you know, does everything paid in a certain range get reallocated? So if our crits go from 2K to 10K and our mediums go to 2K, is there like, all of our bugs are in the medium bucket now? Like, that would kinda suck. Yeah.

Joel (teknogeek) (17:49.315)
Yeah, that is interesting. Yeah. Yeah.

Justin Gardner (@rhynorater) (17:53.514)
And then, yeah, but it's a step in the right direction. So I think they'll get there. And the Hacker One folks, I'm sure, are thinking about some of these edge cases as well. So I imagine it's engineered close to correct, but I am seeing a couple of scenarios where it's like they don't have an average bounty in some and like the numbers are a little bit off. So I don't know. I guess we'll see what they do with it over the long term.

Joel (teknogeek) (18:18.115)
Yeah, yeah, it seems like they're rolling it out slowly. So I think it's only on the HackerOne program and a couple others right now, but eventually it'll probably roll it. Did they? Okay. All right, so in the time, and they all, it's been about a month since this was, too. Wow, we're really behind on news.

Justin Gardner (@rhynorater) (18:25.834)
No, actually they pushed it out. They pushed it out to everything. Yeah.

Justin Gardner (@rhynorater) (18:32.33)
Yep. Yeah, dude, that's the thing. Like I'm really glad that you were feeling up to recording today, even though you just got off a long flight because we have had this stuff sitting in the doc for a while and we need to get it out there. So yeah, thanks for hanging in there, dude. The next two, so like I said before, the next two things that I kind of wanted to talk about are sort of together, but not really. One is a piece of IPv6 related research by Slonser, which is essentially...

how to smuggle data into IPv6 IP addresses. And then the other one is smuggling payloads in phone numbers, which I found from a tweet from Zedshano. And both of these have similar concepts, which is there are these data types, phone numbers, IPv6 addresses, IP addresses in general. Go ahead, go ahead. Slonser.

Joel (teknogeek) (19:19.365)
Can I just... What was his name?

No.

The other one.

Justin Gardner (@rhynorater) (19:27.434)
Zed-Shan, no, okay. So, hey, let me, let me, let me, hold up, hold up. I am an American, where's my passport, hold on. No, no, no, I'm sorry, I'm sorry, I'm sorry. But, you know, out of respect for their culture of mispronouncing the last letter of the alphabet, I figured I would show some respect. So, thank you for...

Joel (teknogeek) (19:33.574)
Yeah!

Joel (teknogeek) (19:38.246)
Where's your passport?

Joel (teknogeek) (19:46.982)
I like that.

Joel (teknogeek) (19:51.846)
In that case, continue.

Justin Gardner (@rhynorater) (19:56.746)
Yeah, so thank you, thank you for that. Now, you could have just let me slide by as a respectful person, but now I had to throw the.

Joel (teknogeek) (20:04.903)
It almost it almost slipped through I was like said what the hell?

Justin Gardner (@rhynorater) (20:09.802)
I don't know, like now I think from like a, from like a hearing perspective, I owe it, when I read it I see, I read Zshono in my head, but when I'm talking about it, I've heard so many people say Zshono out loud. Have you not, is that not a thing that you?

Joel (teknogeek) (20:19.879)
Yeah.

Joel (teknogeek) (20:26.151)
I only ever say Zshano. I'm different. Yeah, potato, tomato.

Justin Gardner (@rhynorater) (20:29.642)
Alright, well, potato, tomato, you know, whatever it is, man. Exactly, yeah.

Joel (teknogeek) (20:40.103)
Sorry dude, you're gonna be late. My brain's all over.

Justin Gardner (@rhynorater) (20:42.634)
You're good. Dude, Joel, you're doing great, man. You're doing great. I appreciate you. So let me talk about this research, okay? Just shut up and let me talk about the research real quick. So the research shows that, and I like the bigger principle associated with this too, which is we have these data types that we see on a regular basis, these IPv6, IPv6 IP addresses, I almost said domains, but we'll get to that. IPv6 IP addresses and,

Joel (teknogeek) (20:51.527)
Okay.

Justin Gardner (@rhynorater) (21:12.681)
phone numbers, and we think we know about these, these, what these data types are supposed to contain and how they're supposed to be represented, but there's often caveats to these that live in the RFCs. So I really appreciate the people that have taken the deep dive and uncovered some of these caveats. So the TLDR of this research on IPv6, which we'll link down in the description as well, is that there is a zone delegation that you can, a zone ID and a zone delegation that you can

include in an IPv6 address, which is delimited by the percent sign or sometimes percent 25, if it's double URL encoded in the, or URL encoded in the scenario. And what this allows you to do is just kind of add arbitrary strings after an IPv6 address. So it goes open square bracket, colon, colon, one, and then your percent sign, and then the zone that you are associating with this specific.

the zone identifier. So what you can do then is you can say, okay, square bracket, colon, colon, 1%, 25, dot example, dot com, or something like that, right? And when some of these host name parsing tools are looking at this, they will consider this IPv6 address to be a part of that domain. So in the write up, he,

described some caveats in Golang and Python. I think he mentioned some stuff in C sharp. The browser does not have any sort of misconfigurations with regards to this, which is cool and doesn't really even support the syntax. But some of the parsing that happens for server-side requests, right? Like if you're doing like a SSRF, will allow you to include data like this. So you may be able to bypass some origin checks on the server-side for those.

The other one from our boy Z or Zed Shano is a similar type of thing and it also makes me think of the email, the double quotes and the plus in the email. But it's a similar thing but for phone numbers. You can add a semicolon extension equals or phone dash context equals at the end of a phone number and that is supposed to, by the RFC that has to be

Joel (teknogeek) (23:24.421)
Mm-hmm.

Justin Gardner (@rhynorater) (23:39.946)
accept it as a valid phone number. So if you're using any library to like parse a phone number and then you're like echoing it straight into the, you know, the HTML response, then that's a great way for you to include XSS related characters there and break out of the context. So.

Joel (teknogeek) (23:55.941)
Yeah, so one of the interesting things that Zeeshanah called out here is that, you know, he sort of asked a rhetorical question of why aren't these things sanitized? And it really just comes down to that a lot of developers go, I need to validate an email. Let me get the email validation regex from Stack Overflow, copy paste, done. And it matches the RFC. The problem is that using an RFC blindly, I think, is kind of a mistake, right?

Justin Gardner (@rhynorater) (24:03.722)
Mm. Mm.

Justin Gardner (@rhynorater) (24:13.578)
Mm-hmm. Yeah.

Justin Gardner (@rhynorater) (24:24.786)
Or even libraries that do this.

Joel (teknogeek) (24:24.965)
because you should really be using, right, like you should be using it within the context of how you need it, right? Like you need a phone number. That means you need a certain number of digits. It doesn't need to follow the RFC spec. It just needs to be digits, right? Like, you know, it's not that complicated, but I think it tends to get to a point where things get a little bit overcomplicated or you try to have so much of like a...

Justin Gardner (@rhynorater) (24:36.394)
Mm-hmm.

Joel (teknogeek) (24:49.861)
like a catch-all or like a, you know, adherence to the RFC where you use some regex, it's like, you know, ridiculously long, right? And at the end of the day, you should have just looked for like word up to an at symbol and then everything, not a space after the at symbol, right? Like, yeah, pretty simple.

Justin Gardner (@rhynorater) (24:56.458)
You shoot yourself in the foot. Mm-hmm.

Justin Gardner (@rhynorater) (25:07.05)
So what you're talking about, Joel, is kiss. Mwah. Keeping it simple. Keeping it simple because as things get more and more complicated, as you start using libraries to parse phone numbers or email addresses and stuff like that, things, yeah, there's lots of edge cases that aren't. And to give the developers a break here, you can't just go read the RFC for every single thing that you're dealing with. And so it's kind of...

Joel (teknogeek) (25:11.716)
Yeah, keep it simple. Exactly. Yeah.

Justin Gardner (@rhynorater) (25:37.482)
It's kind of just a function of the complexity of modern day applications and the building blocks for all of this. But I think for us as hackers, it presents a great opportunity to dive a little bit deeper and see where we can smuggle specific data types into traditionally trusted data types, like an email address, like a phone number, like an IPv6 address.

Joel (teknogeek) (26:00.803)
Yeah, well, right. And if you think about the phone number thing, for example, why does every developer who works with phone numbers need to know that this is a valid part of the RFC? They don't, because most of the time they're not even using it. I'm sure it was added to the RFC for some random, there's some reason for it, right? So you're sort of left with these options of, okay, as a developer, do I go read the RFC, find out this edge case, code around it, because I don't need it, but I also want to comply with the RFC? Or...

do you use this library blindly because you know that the library complies with RFC and then you have these edge cases that you didn't even know about or you just write your own solution that just works for your use case and probably doesn't comply with RFC but works really good for however you're using it. So I think that there's yeah.

Justin Gardner (@rhynorater) (26:34.634)
Mm, mm.

Justin Gardner (@rhynorater) (26:45.418)
Yeah, and at the end of the day, it's only gonna add a little bit more friction to the end user to be like, okay, I gotta rewrite my phone number with the area code in like dashes versus like parentheses or whatever. So yeah, complexity there gets tricky and, but you know, that's where we live. That's where we live. We live in the details, man. So it's a good thing for the hackers. All right, Joel, we got a couple.

Joel (teknogeek) (26:54.562)
Yeah.

Joel (teknogeek) (27:03.746)
Yeah, absolutely.

Justin Gardner (@rhynorater) (27:09.994)
places we can go here. I want to spend more time on the GitHub Enterprise Send bug and the DomPurify bypass. So I'm just going to mention this bug really quickly that I saw. MrTuxRacer is definitely a follow on Twitter that you should be following if you're not already. And essentially, he doesn't tweet super often despite being a super badass hacker. But he did drop the POC, the full POC for CVE-2024-27956,

which is an unauthenticated arbitrary SQL injection in one of the most popular WordPress plugins, Automatic, WP Automatic. And it's pretty nasty. And so, you know, we're getting to this a little bit late. You know, I think he tweeted this end of April, so it's probably not too much out there anymore, plus WordPress has a decent auto-updating system, so hopefully everyone's using that.

But I love how this POC was literally just, they took the q parameter and just stuck it directly into like an SQL call. Like you literally just write whatever SQL that you want in this q parameter and that's it. And so he dropped the POC to just essentially add a new user to the WP admin and get RCE from that. So classic move there.

And these WordPress bugs, we gotta keep an eye on them, man, because WordPress is all over the place.

Joel (teknogeek) (28:40.963)
Yeah, man, I mean, I love this. Or talks like, MrTuxRacer is one of those, you know, you said he doesn't really tweet much. I like to think of myself as one of those people, mostly just because I don't use Twitter. It's not because I'm stoic or anything. It's just cuz I don't... I... I don't say anything.

Justin Gardner (@rhynorater) (28:52.202)
Yeah.

Justin Gardner (@rhynorater) (28:58.922)
It's not because I don't have things to say. It's just... Right. Well, you know, essentially you're tweeting for an hour every week with me on the pod, so it's just coming out on the fly. You're... geez. You get like a chat GPT bot to go through and parse it and then just shoot it on Twitter. Justin, shut up. I'm trying to explain something.

Joel (teknogeek) (29:02.57)
Yeah, totally. That's... it's not... yeah.

Joel (teknogeek) (29:13.858)
True, true. Maybe I'll start tweeting a transcript of everything I say.

Joel (teknogeek) (29:23.778)
Fake big tweets.

Justin Gardner (@rhynorater) (29:27.978)
That's the only tweet that goes out. So good, man. These next two ones are interesting, super interesting. The GitHub Enterprise Send bug and the DomPurify bypass. And I've actually got a little something to add to the DomPurify bypass that is not mass consumed. I don't have the POC, but I do have a little bit more information. So where do you wanna go? You wanna do the GitHub Enterprise bug first or the DomPurify stuff?

Joel (teknogeek) (29:28.322)
hahahaha

Joel (teknogeek) (29:54.37)
Wherever your heart desires.

Justin Gardner (@rhynorater) (29:56.234)
All right, my heart's feeling DomPurify. So I haven't seen the POC out, if it's out yet. I did spend some time looking at it, because I expected it to be pretty simple to reproduce because of how the patch looked. But I think it's using a lot of different stuff. And I did have a conversation with RyotaK about this. That's RyotaK on Twitter and on Discord. And...

He definitely has done a little bit more research into it and has a semi-viable POC that he shared with me, but it only affects a certain segment of the market. So it's not super relevant. But I also did listen to a podcast in Japanese about this. And I'll shout them out. Let me see, I think I wanna get the name right. I think it's JP Bug Bounty Podcast.

Let me see if I can find it. Well, I'll link it down in the description. It's Bug Bounty JP Podcast. And it's a podcast that's put on by Nokuso, which is my, it's fully in Japanese. So for those of you that speak Japanese, great. And I think the content of that was a little bit tricky for me to get. My Japanese is meh, and especially when it's.

Joel (teknogeek) (30:57.378)
JP.

Joel (teknogeek) (31:07.2)
And it's fully in Japanese.

Joel (teknogeek) (31:22.976)
He says as he just spits some crazy Japanese, like...

Justin Gardner (@rhynorater) (31:24.542)
My Japanese is, I can speak all right, but the listening to native speakers talk about high level hacking concepts is a little bit tricky. But they did talk on that podcast a little bit about RyotaK's experience trying to reverse some of this stuff. And obviously if you look at the patch, there's something to do with depth of nodes. With regards to this

DomPurify bypass, so there's definitely, you're gonna need to stack various amounts of divs and tags together. And then the piece that I sort of got out of that, which I hadn't seen before, was then it also results in a namespace confusion. So at some point, DomPurify is thinking that it's parsing SVG namespace or...

or MathML namespace, and it's actually parsing HTML or vice versa. And the overflow of that nesting, that's the word I was looking for, nesting of those elements, and then also that sort of namespace confusion together leads to some variance of the DomPurify bypasses that have been affecting that library recently.

So that's all I've got. I wish I could give more, but RyotaK is also, I trolled him a little bit on Twitter about this too. He's very sensitive about disclosing information that he could be even remotely related to a vulnerability that he doesn't have permission to speak about. So even that was, so my mentee was like pulling teeth to get it out of him. So we work with what we can get.

Joel (teknogeek) (33:09.632)
Yeah, so I will say, when it first came out I... I did take a look at the patch myself as well, and it's not very difficult to figure out how it works. You know, if you're... if you're curious, go look. There's a single commit that has everything you need to know in it.

Justin Gardner (@rhynorater) (33:27.146)
Yeah, but okay, let me say though Joel, I also thought the same thing, but you can't get the POC out of that. Like you can get the concepts, but it is not very easy to get the POC out of that.

Joel (teknogeek) (33:37.631)
Yeah, but it gives you a really good starting point. So.

Justin Gardner (@rhynorater) (33:39.69)
It does, it does. So that one's that. All right, two things and then we can wrap it and you can get some sleep, Joel. The GitHub Enterprise bug, dude, what a masterpiece. So cool, did you get the chance to read through that whole thing?

Joel (teknogeek) (33:50.079)
Okay.

Joel (teknogeek) (33:55.295)
Yeah.

Joel (teknogeek) (33:59.487)
Yeah, man. So I think I actually put this in the doc last week. And it was so in-depth that I was trying to figure out how to even summarize it. It's just one of those super technical, really interesting bugs that has a lot of context and a lot of code in it. You know what I mean? So if you're a Ruby nerd, or you like auditing GitLab or GitHub or...

Justin Gardner (@rhynorater) (34:03.562)
Mm. Mm.

Justin Gardner (@rhynorater) (34:09.642)
Mmm.

Justin Gardner (@rhynorater) (34:18.346)
Mmm. Mmm.

Joel (teknogeek) (34:28.159)
HackerOne, which I think are the only three services left on the internet using Ruby. No, no, no, everything uses Next.js now, come on.

Justin Gardner (@rhynorater) (34:31.978)
No, no, everything uses Ruby, man.

Justin Gardner (@rhynorater) (34:39.434)
Okay, that's true, you're not wrong about that. Yeah, no, absolutely, I totally agree. Very well done write up. Technically in depth, intriguing, long, but worth the read for sure.

Joel (teknogeek) (34:52.766)
Yeah. And not only that, it took, geez, six months between when it was disclosed and when it got published. Yeah, I think so. Yeah. So they disclosed this initially like end of December, man. Can you imagine POV? It's December 26th.

Justin Gardner (@rhynorater) (35:01.962)
Really? Wow.

Justin Gardner (@rhynorater) (35:11.466)
This dude, that's so bad. He drops this on like...

Joel (teknogeek) (35:13.95)
December 26th, that you just get an RCE reported to your bug bounty.

Justin Gardner (@rhynorater) (35:18.634)
Yeah, literally in the backstory section: back in early December 2023, I was performing some research on GHES. On the day I went on vacation, I located a potentially minor bug. Fast forward to the day after Christmas. You're right, dude. December 26th. What the frick? My gosh. Dude, did we learn nothing from the whole Tanner/Pete Yaworski situation? Like we talked about that on the pod before, right? Tanner dropped a

Joel (teknogeek) (35:35.038)
Ugh.

Brutal.

Justin Gardner (@rhynorater) (35:48.33)
cash money dropped a mega crit on Pete on like Christmas Day one time and Pete had to like leave his family on Christmas Day to go deal with this like really bad bug. So, security researchers, man. Seriously, man, seriously, no, no, man. Yeah, very cool one. I did have a couple takeaways from this one.

Joel (teknogeek) (36:04.671)
Listen, bug bounty stops for no sleep, okay?

Justin Gardner (@rhynorater) (36:14.73)
One, just read it, because we're not gonna talk about it. It's too technical to actually try to talk through on the pod. But there is a takeaway from this, which I tweeted about, and the tweet didn't do as well as I hoped it would for the sole purpose of people understanding how this works. So I'm gonna sort of reiterate a little bit of what I talked about in the tweet here on the pod.

I outlined a couple things you should pay extra attention to when doing source code review. And one of them was indirect method invocation. And I sort of nested it down a little bit further on purpose for the people that dig a little bit deeper and are gonna just not read between the first fold of my tweet and kind of like click in a little bit. So for those of you that spend the time reading my tweets, thank you. But I also want to reward our listeners here. So I did want to call out.

This is something that I've seen. This is a trend that I've seen where vulnerabilities occur due to this whole indirect method invocation thing. And there are lots of ways to do this in different languages. In Ruby, as we saw in this write up, it's object.send. In PHP, you can actually just call a string and it will execute that function. In Python, you can access the globals.

You can do a call to globals and then provide a string name and then call that string and it will run that. In Java, there's lots of ways to do it. In JS, there's lots of ways to do it. So this whole concept of taking input from the user and allowing some function to be called, whether it be on an object or whether it's just, you know, sort of eval'd and you can just kind of, you know, run an OS system or whatever and run a command and

It's not normally that simple. And so looking, looking for scenarios where it's limited, but you can call things on various objects or like parent classes and that sort of thing is really powerful and has resulted in a lot of bugs.

Joel (teknogeek) (38:21.087)
Yeah, I will say, one interesting thing I've noticed when I look for stuff like this, typically if I find something like this, I'll go and I'll look for other instances of it and it almost never exists. I don't know if you find this too, but like, it's so weird. Like if I find something super complex and like crazy like this, I'll go and be like, maybe they're doing the same mistake elsewhere. And it's like, I've literally stumbled on like the only instance in the entire code base where this happens.

Justin Gardner (@rhynorater) (38:34.502)
Really?

Justin Gardner (@rhynorater) (38:39.402)
Mm-hmm.

Justin Gardner (@rhynorater) (38:46.698)
Yeah, yeah, it happens, man. I mean, we ran into a couple things like that in a live hacking event a while back, but I will say, the time that you and I went ham on some source code review at a live hacking event last year, there were multiple instances of things. So I think it depends on the situation. I think it depends on the situation. But definitely, I'm gonna just read out some of these really quickly. Templating is like really big when it comes to getting RCE on a service when you're actually looking at the source code.

If you can figure out a way to get your input to be interpreted as templates, that's massive. And of course, any sort of interaction with files, any sort of interactions with external services, whether it be APIs, whether it be like a Redis, something like that, all of those are really big. Deserialization of binary formats, of YAML, of JSON, all of these things can result in unintended stuff.

whether sometimes you can get prototype pollution, sometimes you can just get straight RCE if it's arbitrary deserialization. So I think sometimes I get, just speaking from personal experience, when I look at these massive applications and I finally have access to the source code, I'm like, all right, let's go. Like, let's get it. And then I open it up in VS Code and VS Code takes like an hour to open up because it's so freaking massive. And then I'm just like a little bit intimidated. I'm like, how am I ever gonna find this?

Joel (teknogeek) (40:10.91)
Even start, yeah.

Justin Gardner (@rhynorater) (40:12.382)
But having a sort of a list of, all right, let me look at this, this, this, and this, and work back from the sinks. And I know, Joel, I know that you're gonna give me that stupid face that you're giving me right now because of what I've said in the past about sources and sinks and like preferring sources. But you gotta go sinks.

Joel (teknogeek) (40:26.91)
What? What face?

Joel (teknogeek) (40:33.726)
Listen, I think that everybody has their own. Some people, listen, everybody's a little bit different. Some people go sinks, some people go sources. I think there's arguments to be made for either one.

Justin Gardner (@rhynorater) (40:46.314)
Yeah, and I think there are, and I think for me, it's largely a function of app size. If your app is not that huge, I think it makes sense to go after sources. And I think going after sources is a really good investment of time for you in a lot of ways, because you can understand the app, how it's architected much better. But at the end of the day, if you're trying to take that and you're trying to turn, if you have a very specific goal, I want unauthenticated RCE on this. I want, you know, SQL injection, whatever it be. You gotta work, you gotta work backwards.

from the sinks. Because a lot of times these apps are too big and you're just going to burn too much time.

Joel (teknogeek) (41:23.518)
Yeah, like trying to find potential, you know, entry points is like, anything can be an entry point, right? Like I agree with that, right? Like I think depending on the size of the app, like certain things you might end up falling down rabbit holes or you're like, there's an eval call here. And then it's like, you spend four hours looking at every single eval call. It turns out it's like a systemic way that they've safely done it, right? That's fine. Like I think that's also a good use of time. That being said.

Justin Gardner (@rhynorater) (41:26.026)
Mm.

Justin Gardner (@rhynorater) (41:38.378)
Mm-hmm.

Justin Gardner (@rhynorater) (41:48.33)
I see you speaking from experience here Joel. We did...

Joel (teknogeek) (41:50.078)
I don't know what you're talking about. That was a random example I pulled out of my head.

Justin Gardner (@rhynorater) (41:55.146)
Dude, I love how you just like straight up read our chat from that event, man. They're like, there's eval everywhere. This is gonna be a shell. And then, you know, eight hours later, we're like, not a single freaking use of eval. It's actually so funny, dude. Screw that, man. Well, at least we shelled it, man. So that helps. All right, cool. So I've said my piece on that. Last thing before I let you go, Joel, is I wanted to give a shout out to my boy Riddle.

Joel (teknogeek) (42:03.582)
Ha ha ha ha!

Joel (teknogeek) (42:11.104)
Hmm.

Yeah. Yeah.

Justin Gardner (@rhynorater) (42:25.162)
Riddle has been doing some awesome dev on Caido and I just was in the Caido chat and I was like, man, wouldn't it be cool if there was a button in replay that would go through your HTTP request history, grab the latest request and extract a certain amount of headers and update your cookies for you. So like when your session dies, you don't have to go back to your HTTP history and like grab the latest, you know,

cross site request forgery header or like grab the latest cookie and like paste it in and update your session. And if you're like working over multiple sessions or whatever, and you've got like all these named tabs and it's all organized, but all the sessions are dead. So it doesn't work anymore. It's just, it's a pain. And so I put that in the chat and then I like looked back a couple hours later and Riddle's like, I got it. And he had pushed it, he had built it. It works awesome.

And he's actually got it pushed to the ever, or EvenBetter, extensions sort of manager as well for Caido. So essentially you install EvenBetter extensions and you just click the install button on Refresh Replay Headers. And now there's a button right next to the send button in your replay tab and you just press update headers. You can specify what headers you want in the little drop down menu.

And it will pull the latest header from HTTP history, update your current replay tab, and just get your session right back on track with one click. It's just so clutch, man. That sort of thing is, it just smooths over your whole experience and just.

Joel (teknogeek) (43:56.161)
Tweet.

Joel (teknogeek) (44:04.129)
I'm gonna throw some shade here. It's almost like, when you don't have to write your plugins in Jython and Java, it's so much easier to extend the application. I don't know any software that is architected like that. That was just a random thought I had.

Justin Gardner (@rhynorater) (44:11.114)
Ha ha ha ha!

Justin Gardner (@rhynorater) (44:15.274)
Yeah, yeah, I've...

Justin Gardner (@rhynorater) (44:20.65)
Yeah, just, I mean, I'm glad you shared that, you know, just out of the, as it bubbles up, you know? And to be honest, man, as a Python fanboy, I did critique Caido in the beginning for leaning towards JavaScript, but JavaScript is great, dude. JavaScript is in a lot of spots, you know, you're not really context switching between the front end and the back end so much. It's very versatile, it's pretty fast in this environment, so.

Joel (teknogeek) (44:26.305)
Yeah, just... just, you know.

Joel (teknogeek) (44:49.185)
Yeah, like 95% of hackers know how to read it and use it.

Justin Gardner (@rhynorater) (44:53.45)
That's a great point as well. It is mandatory for you to be, if you're using an HTTP proxy, you need to know some JavaScript. So I think it was a great decision and I think we can see dividends being paid from it because the Caido development community is really thriving right now and there's a lot of really good extensions being added into the flow and especially bebiks and Riddle have been really crushing it lately.

Joel (teknogeek) (45:22.433)
I'll be really curious to see if Caido decides to do any sort of like centralization or anything with the plugins, like, like Burp did, because I don't think it's necessarily a bad move, but it is kind of interesting to see them sort of like take over, so to speak, like the plugins and whatever.

Justin Gardner (@rhynorater) (45:28.522)
Mm. Yeah. Yeah.

Justin Gardner (@rhynorater) (45:38.634)
Yeah, we are gonna do that. Just for those of you that aren't aware, I'm an advisor for Caido, and so I do have a little bit of insight into that. That will be something that happens in the future. Whether it be something like this, like the EvenBetter extensions library, where it's controlled by the community, and then there's a pull request into a certain GitHub repo or whatever, or whether it's done at the Caido level in a similar format, there will be some sort of centralization of plugins. And even now with the

EvenBetter extensions library, it makes it really easy to just one-click install plugins and that sort of thing. So, really, really excited to see that progression.

Joel (teknogeek) (46:20.16)
Yeah, absolutely. That's super exciting. I like having a man on the inside. It's a... I got my finger on the pulse!

Justin Gardner (@rhynorater) (46:25.066)
Yeah, dude, you know, I'll try to provide as much context as, you know, I've gained a lot of value from it too, as well. You know, it's been cool to see, to have to help guide the vision of how people use the tool because I use the tool all the time, constantly. It's literally open every day, all day in my hand on my computer. So I think from the perspective of literally just using it 24 seven, I think there's a lot of value that can be added

from having that experience. It's been fun, it's been fun, and we're gonna continue trying to really serve the Power User community and get people really comfortable in there and remove that friction of, okay, I have to think about using this tool, and more, you're just focusing on the hack.

Joel (teknogeek) (47:11.872)
Yeah, yeah, absolutely. Yeah, and that's been my biggest thing about Caido is like, the less I have to focus on using the tool and the more I can just use the tool, the better, right? Yeah, of course.

Justin Gardner (@rhynorater) (47:20.682)
Mm-hmm. Well, and there's gonna be friction, man. It's, the problem is, I've even talked to them a little bit about like, wouldn't it be cool if there was some sort of like, not really, Burp compatibility mode or something like that. Like something that makes that transition a little bit easier, because when you're moving from Burp to Caido, for the first week, it sucks. I'm not even gonna lie. And there are a lot of great features, like that you're like, I really like this. But you're gonna have to think about how to use the tool for the first week. But then,

Once you get in there and you start using the tool and you start understanding the power of workflows and these extensions that are in place and the distributed architecture and you're just popping back and forth from your couch to your desktop, you know, with ease without having to move your files or anything like that. There's a lot of added value to that for me. But you've got to get over that hump in the beginning. So, yeah, it's tricky.

Joel (teknogeek) (48:10.911)
Yeah, absolutely.

Justin Gardner (@rhynorater) (48:12.618)
Alright man, you got anything else you want to add about, I mean, I guess you haven't really done anything at BountyCon yet, you just got off the plane, so we'll debrief from that next week. Alright man, sounds good, get some rest, have fun. Alright, peace.

Joel (teknogeek) (48:19.455)
I just got off the plane. Yeah. Yeah. Yeah, we'll see. We'll see.

Thank you. Peace.