July 25, 2024

Episode 81: Crushing Client-Side on Any Scope with MatanBer

Critical Thinking - Bug Bounty Podcast

Episode 81: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by MatanBer to go over some recent bug reports, as well as share some tips and tricks on client-side hacking and using DevTools effectively.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Guest: https://x.com/MtnBer

Resources:

Beyond XSS

https://aszx87410.github.io/beyond-xss/en/

Web VSCode XSS

https://gitlab.com/gitlab-org/gitlab/-/issues/461328

Timestamps

(00:00:00) Introduction

(00:05:24) Learning and Labs

(00:17:29) DevTools tips and tricks

(00:49:49) General Client-Side hacking tips

(01:09:59) Self-XSS Storytime

(01:32:16) Bug Reports

(01:46:37) Brainstorming a Client-side HUD

Transcript

Justin Gardner (@rhynorater) (00:00.844)
Alrighty dude, we are recording. MatanBer, welcome to the pod man, it's been a long time coming.

Matanber (00:06.814)
Yeah, it's great being here, I'm super excited.

Justin Gardner (@rhynorater) (00:09.762)
Yeah, me too, man. So, man, this doc is looking super gorgeous. We were just, we actually, you know, jumped into the studio here and we started chatting about all this stuff and then we forgot to hit record. So we're gonna have

Matanber (00:21.952)
Yeah, I couldn't help myself. I was like, recapping it before we even started, yeah.

Justin Gardner (@rhynorater) (00:28.964)
We're gonna have to go back and redo some of that conversation for the listeners. Okay, whew, where to start? Let's start a little bit with the elephant in the room here, Matan, which is the fact that you are 16 years old. Exactly, the baby elephant in the room. Yeah,

Matanber (00:44.276)
Yeah, the baby elephant in the room. I am gonna be 17 in like a few weeks, so I am getting old.

Justin Gardner (@rhynorater) (00:55.972)
Okay, getting up there, getting up there, but you are competing at the live hacking events. You've already been to like what, three live hacking events or

Matanber (01:03.292)
Yeah, the AWC, which is like kind of a live hacking event. Then we had Miami and Singapore. Yeah. And now Vegas.

Justin Gardner (@rhynorater) (01:06.424)
Yeah.

Justin Gardner (@rhynorater) (01:12.836)
Yeah. And now this next one. All right, dude, that's amazing. What a crazy career already at 16 years old. That's insane. Can you, can you tell us a little bit about how that came about? Because to be honest, most people at your age are just starting to, you know, if they're lucky, they're starting to think, oh, maybe I would like hacking and then starting their journey. Whereas you're already competing at the

Matanber (01:21.898)
Yeah

Justin Gardner (@rhynorater) (01:42.468)
stage level for this at 16. So how did you how did you originally get into this stuff and what kind of path did you take to ingest all of this so

Matanber (01:51.23)
Yeah, so it's a great question. I'm naturally kind of, you know, curious. So, and I used to and I still do watch like a lot of YouTube and the algorithm knows that I'm pretty, you know, nerd snipable. So it kind of throws a lot of stuff at me trying to see if I can go down some rabbit hole. And one day when I was like, I'm not sure when but like...

when I was like 14 or something like that, it threw like a Hacker101 video at me or something like that. And then I tried to see, tried to, started to watch like NahamSec and LiveOverflow and all of that, you know, classic channels. And I set myself a goal of like, I wanna find a bug by the end of the summer or something unrealistic like that. And...

Justin Gardner (@rhynorater) (02:23.756)
my gosh.

Justin Gardner (@rhynorater) (02:34.744)
Mm-hmm.

Justin Gardner (@rhynorater) (02:45.507)
Wow.

Matanber (02:48.352)
Maybe it is realistic if you like getting into it and, you know, investing a lot of time, but like for a kid it's not really realistic. And then I like started to do some labs, and I think it was like still when I was 14 or maybe 15, I'm not sure. Like I don't really have great memory of the details, but yeah, I

Justin Gardner (@rhynorater) (02:56.536)
Right, right.

Justin Gardner (@rhynorater) (03:10.04)
Your timeline is not developed yet. That's hilarious. So when you say labs, were you working on like the Portswigger labs or what kind of stuff were you?

Matanber (03:17.81)
Yeah, yeah, the Portswigger labs on the Web Academy is still a great resource, the first thing I recommend, and actually I see a lot of people like

Not a lot of people, but when I hear Portswigger labs mentioned, it's usually more like the XSS labs and the SQL injection labs or whatever, but they actually have a really good set of DOM XSS labs, which is what I specifically recommend. And I haven't heard as much about that, so maybe it's a bit underrated. I'm not sure, but anyways, yeah.

Justin Gardner (@rhynorater) (03:39.789)
Mm-hmm.

Justin Gardner (@rhynorater) (03:52.898)
Yeah, you don't hear about that too often, but they are pretty developed because I know the team at Portswigger put a lot of time into the DOM Invader tool as well.

Matanber (03:57.938)
Yeah, yeah, they have like, they have some great people on their team making those labs, definitely experts in their fields. Yeah, so it's really worth it if you haven't checked out the DOM XSS labs specifically, as a great like list of things and stuff. So I was going through those labs, the SQL injection ones,

the more popular ones, and I was like looking at the site of Portswigger and I tried to put like a quote in the search field or whatever and it threw an error, so I got excited. I thought I had like an SQL injection or something and I submitted a bug to

Justin Gardner (@rhynorater) (04:44.333)
my gosh.

Matanber (04:47.872)
actually to Portswigger on HackerOne and of course it was N/A, but the person who triaged it was actually albinowax, James Kettle, and...

Justin Gardner (@rhynorater) (04:50.168)
Hahaha!

Justin Gardner (@rhynorater) (04:57.3)
No way.

Matanber (04:59.388)
And he was like, he was super nice about it, he understood that I was like a beginner and he actually recommended like, I think you would love our XSS labs, whatever. Like he gave me, I don't know if it was like something that he pasted in there, but it was super nice. Like instead of getting frustrated with it, like why am I getting spammed by like these trash reports, putting quotes in search fields and calling it an SQL

But he was actually super nice about it and that sort of sent me down the XSS path and all of that so...

Justin Gardner (@rhynorater) (05:37.304)
Wow, dude, that's crazy. It's insane to me how many origin stories sort of start from some hacker, some more developed hacker, some pro hacker just being kind and doing something out of the ordinary for some random person, right? I mean, that's the same story with me, is dawgyg showed up to my college cybersecurity club and then here we

Matanber (06:02.12)
Lecture and stuff, yeah

Justin Gardner (@rhynorater) (06:07.256)
what, seven, eight years, nine years later, and it's, you know, I'm just so grateful. So yeah, it's definitely, that's something that we need to be paying forward in the community, I think, is helping others that are earlier on in their career.

Matanber (06:20.616)
Yeah, it can have a lot of impact on someone, Like...

Justin Gardner (@rhynorater) (06:25.476)
Yeah, and a lot of impact on a lot of programs apparently, because here we are. No, that's amazing, man. Okay, wow, so a lot of that was originally those Portswigger Labs and then like, was that it? Then you just did the Portswigger Labs and then you were like full beast mode and then you just roll up and pwn every program.

Matanber (06:45.66)
No, so... Actually, I remember I had a really hard time like jumping from the labs that were like, you know, a single page or something and you try to put an HTML injection in the comments and it works, to like a full-blown application where nothing works basically and you have to go through a lot of different payloads and stuff.

I'm not sure how I got there eventually, a lot of practice, I guess. I'm really not sure how I managed to find the bug. But actually what I do remember is...

Justin Gardner (@rhynorater) (07:21.422)
Well, that's...

Matanber (07:27.802)
I submitted like some very shit bugs to Reddit, like some stuff that I would close as N/A in like the blink of an eye, but actually they were super nice and they accepted it and they paid, like some even as mediums and stuff. Yeah, so that really like gave me the motivation and from there it was kind of steadier.

Justin Gardner (@rhynorater) (07:53.134)
Very cool, man. Yeah, I think you had an interesting point, which is there is this sort of disconnect between the labs and reality. And I think that disconnect is largely in the area of how many times you have to fail and how many times you have to, you know, how much time you have to spend just going from page to page and finding functionality that is interesting.

Matanber (08:16.444)
Yeah, and it's, yeah, yeah, definitely. It's not just like how many times you have to spam a payload for it to work. It's like you don't have the same complexity and, you know, you don't have to get intimate with the application like you say on the pod. Yeah, so you don't, you know, I've been listening to the podcast for a very long time, like from that same place on the timeline, basically.

Justin Gardner (@rhynorater) (08:31.466)
Exactly. My man listens to the podcast. That's great.

Justin Gardner (@rhynorater) (08:44.447)
Mmm. That's amazing.

Matanber (08:45.566)
that I'll be in the wax era. But yeah, there was definitely...

Justin Gardner (@rhynorater) (08:49.976)
Yeah, well, that's great, man. And I appreciate you listening. And I just kind of want to say, I think there's a gap in that area that you said with regards to having people having to search for a vulnerability inside of a lab system. So I wonder if there would be any ways to improve this with like, hey,

you've got to, here's an application, there is a bug somewhere in this application, go find it. And when you do, this is the, you know, sequence to attack it. Like I feel like those sort of labs would be a little bit more impactful.

Matanber (09:26.086)
Yeah, but I mean, still, it would be, it would be definitely a step in the right direction, but you can't make a lab that's as complex as like a real world target. It would definitely be, there's a hole there in the sort of ecosystem or whatever of training for bug bounty. There's definitely a need for something there.

Justin Gardner (@rhynorater) (09:51.744)
Yeah. Yeah, I agree. But I think that's, I mean, we preach it all the time on the pod, but like, I think getting out there and failing is the, you know, lab that you need in a lot of ways. But man, that takes out a lot of smart people, is getting out there and how much, how many times you have to fail before you start seeing success.

Matanber (10:11.712)
Yeah, but I mean, once you understand that, once you understand that that isn't really failure, because you can't logically expect for like more than, say, 10% of 10%, it's like, yeah, 1%. You can't expect like a payload that you put in to work.

Justin Gardner (@rhynorater) (10:27.204)
Yeah, 1% to be honest. Yeah.

Matanber (10:34.792)
Like, if you just put a payload in and it works, you should get worried. Like, for the program, yeah. I wouldn't use the app if I were you.

Justin Gardner (@rhynorater) (10:34.996)
Mm. Yeah.

Justin Gardner (@rhynorater) (10:40.612)
Yeah, exactly, exactly. Yeah, absolutely. And I think that's an interesting statistic to throw out there. It really is more like the 1% number, listeners out there. Like, if you look at the amount of replay tabs I have and how many requests I've inspected and how much code I've read, 1% or less of attack vectors are actually resulting in a bug.

So one of the first things I told to one of the people I'm mentoring right now was, you know, go and look at 500 HTTP requests and try to understand, write down what each one is doing. And after you get through those 500 reps, you're going to be at a much better spot. Yeah. All right. So that's a little bit about the history.

Matanber (11:24.368)
That's a great tip, yeah.

Justin Gardner (@rhynorater) (11:30.018)
You started doing labs, you started getting out there, you started failing until you got a couple nice little wins on Reddit that kept the momentum going.

Matanber (11:35.742)
Yeah, though I will mention that this isn't like what I would recommend for a beginner to do now. There are some great resources that you could like supplement the Portswigger Labs with, because there is some stuff that's missing. Yeah, there's one, I don't really remember what it's called. I think Beyond XSS. It's a series by, I think, Huli, right? Beyond...

Justin Gardner (@rhynorater) (11:41.246)
Mm. Mm.

Justin Gardner (@rhynorater) (11:51.64)
Hit us.

Justin Gardner (@rhynorater) (11:59.736)
Yeah.

Yeah, that is an amazing series.

Matanber (12:04.082)
Yeah, it's a great series. I love that. I love that list of write-ups and I actually, I've used one of those pages like a few days ago on a real world target, a hardened real world target. So it's useful.

Justin Gardner (@rhynorater) (12:21.176)
Yeah, absolutely. We shouted out that resource a couple of weeks ago on the pod and that was the first time I'd ever seen it, like a couple of weeks ago. And I was like, this is amazing. And so definitely check that out if anybody is looking for additional information on XSS stuff, because I think the fact that MatanBer says this is an amazing resource on client-side stuff should be more than enough for you to check that

Matanber (12:28.469)
really?

Matanber (12:41.153)
Hahaha

Matanber (12:46.364)
Yeah, there's like, it's not only about XSS there, of course, like, that's kind of the point of the series. There are some, yeah, there are some like,

Justin Gardner (@rhynorater) (12:51.532)
Mm-hmm. It's beyond XSS.

Matanber (13:00.35)
Here you start to get into more like, puzzly territory, because with XSS it's sort of the more straightforward of the client-side bugs, where you have like JavaScript execution and then it's kind of game over. But you start to get into the more like gadgety stuff, like I have a CSPT, what can I do with it? Yeah. So it's a great introduction to that aspect of client-side hacking, which is I think the most fun aspect and it's the most unique. You tend to get less

doing that sort of hacking.

Justin Gardner (@rhynorater) (13:32.152)
Yeah, absolutely. So you said your favorite is client-side stuff. Why do you think that is? What is it about client-side stuff that draws you to it?

Matanber (13:41.215)
I think it's just the flexibility there. The things you can do with client side hacking are crazy like

I get some chains sometimes with like, I sent you one a few days ago because I was so excited about it, or maybe a few weeks, but with like 13 steps of what the attacker site does, and opening the windows and stuff and setting cookies and clearing them, and you can't do that same, you can't play the same way with the application when you're looking at server-side stuff. It's way more fun for me.

Justin Gardner (@rhynorater) (13:53.686)
Yeah, dude.

Justin Gardner (@rhynorater) (14:17.35)
It is, there's a lot more capabilities and I think because of that it's a lot more chainable. But I think also the nature of it being, you know, white box, that you have the source code, that you can see everything that's going on. I think that that does a lot more than I realized in the beginning of my career because, you know, when you look at some of these more complex exploits, I'm just thinking particularly of a couple bugs that Shubs has shared with me.

Matanber (14:42.278)
Yeah, yeah, I was gonna mention Shubs, yeah.

Justin Gardner (@rhynorater) (14:44.448)
It's just like, you know, he can do the same thing on the server side. Yeah. Yeah. It's, it's, it's stunning. And so I think, in situations like that, having white box, having, having the code and being able to introspect into it is, is massive as well. But man, that chainable aspect of it is just, it's, it's so

Matanber (14:47.494)
and his whole team in general.

Matanber (15:03.828)
And it's so easy to debug and it's super interactive. That's the aspect I love. It's like you have the debugger and the UI all in the same place and you can, like, in real time input a line and see how it changes things. It's great.

Justin Gardner (@rhynorater) (15:07.062)
Mm-hmm. Yeah.

Justin Gardner (@rhynorater) (15:19.564)
It is, it is. And with that, actually, one of the top requested things for this episode was talking about DevTools and general client-side hacking tips. And I'm looking right now at two sections that I have mega highlighted for the things that I'm most excited about. And those two sections, the whole section is just highlighted, which is great. So talk to us a little bit about DevTools and what kind of stuff you use in there

Matanber (15:33.385)
Hahaha

Justin Gardner (@rhynorater) (15:47.093)
you think most hackers should know about when approaching a client-side target.

Matanber (15:51.112)
Yeah, so DevTools is definitely way more robust than you initially think. It does have a few limitations, especially if you try to use it as an HTTP proxy, I wouldn't recommend that. Talking from experience, because sometimes I don't want to wait for Burp to load. But it does have some...

Justin Gardner (@rhynorater) (16:04.228)
Yup.

Justin Gardner (@rhynorater) (16:11.373)
Yep.

Matanber (16:17.052)
some great features that I'd recommend checking out. So if you're not entirely familiar with DevTools, the first thing I'd recommend you to do is go into the settings. There's a little gearbox there under the three dots or whatever. And it has a ton of different checkboxes and stuff and you can enable like beta features and it's very, very useful. You have like CSP violation stuff, a whole bunch of stuff that you don't see

like out of the box. And once you're done like messing around with those settings and stuff, there are some tricks, like some very quick and dirty tricks that I like to use while testing with DevTools. So if I'm trying to like modify some piece of code in order to test something or whatever,

I usually don't want to start setting up a match and replace rule for it, and also don't want to use the override feature because it tends to be a little hard and it messes up. Yeah. And it's like, it has a few issues because sometimes

Justin Gardner (@rhynorater) (17:26.05)
Yeah, that's been my experience as

Matanber (17:35.92)
you know the integrity attribute, yeah, so you can have on a script, you can have an integrity attribute that checks the checksum or the hash of the script. You could also have that in like a CSP or something. And if you change it, like change the actual file with DevTools override, then...

Justin Gardner (@rhynorater) (17:39.468)
Yeah. Mm-hmm.

Matanber (17:59.506)
it's gonna change the checksum of it and the app will misbehave because it's not gonna be valid anymore. So what I do is I set a breakpoint, and with DevTools there's actually a few different types of breakpoints, which is interesting. There's the regular like blue breakpoint that will just break whenever

it gets executed, but there's also one that's orange, a conditional breakpoint, and you can put just like a statement there or a piece of code in the breakpoint when you sort of edit it, and it will execute that code. If that code returns true, then it's gonna break there. If it returns false, it's not gonna break. So if I want to like override something for like a quick check or something, I...

I set like a breakpoint there and I edit it and I just write out the code that I want to inject there and I do like a semicolon and write false at the end so it doesn't use it as a breakpoint, and it's super quick. It's like, and because you, yeah, because I wanted to save your reaction for the pod. We're farming content, yeah.

Justin Gardner (@rhynorater) (18:58.262)
Really?

Justin Gardner (@rhynorater) (19:05.954)
Wow, what the heck? That's a genius technique. What the heck, Matan? Why didn't you tell me about this before, dude? Holy crap. What? Dude, that is nuts. I thought, okay, so I was reading over this and I was like, yeah, conditional breakpoints, that's something that people need to know about. We should definitely talk about that. Of course, I'm just using it like a normal human and just setting conditional breakpoints.

Matanber (19:30.56)
Yeah, not like a crazy person would, yeah.

Justin Gardner (@rhynorater) (19:33.802)
Yeah, and you're like actually writing scripts inside conditional breakpoint. Wow. That's a super cool

Matanber (19:37.536)
And you never have to leave like your environment and it's way like, it removes friction, like you talked about, I think maybe less tweak or something on the pod, about removing friction when you're testing. And it's super valuable for that, this trick.

Justin Gardner (@rhynorater) (19:55.416)
Wow, dude, that's nuts. That is so exciting actually, because what I'm often doing is I'm using match and replace to actually overwrite parts of the JavaScript, right? And so I'm thinking of a target that I'm working on right now, and there's a JavaScript function that says, is this feature turned on? And I'm like, okay, well, what if you just always returned true? That would be really helpful, then every feature would be turned on instead of me having to

Matanber (20:16.98)
Yeah

Justin Gardner (@rhynorater) (20:25.314)
match and replace this whole long list of feature flags. So I do that, but then you're absolutely right. You know, sometimes there's integrity checks and that sort of

Matanber (20:30.803)
Yeah, but I mean that.

for that specific use case, I would still use a match and replace because the log points and stuff, the, I'm getting ahead of myself, the conditional breakpoints are only executed if the DevTools is open. It's the same with the overrides and stuff. So if you just wanna test the app, like the features and stuff, match and replace is the way to go. But if you're looking at the JavaScript and you want to quickly change something,

Justin Gardner (@rhynorater) (20:47.785)
okay.

Matanber (21:03.078)
It's way quicker and way easier to do it by misusing a conditional breakpoint. Yeah.

Justin Gardner (@rhynorater) (21:06.616)
Very cool, very cool. But I think it's also important to shout out the conditional breakpoint, actual functionality Matan, which is that you can do a conditional breakpoint, right? You can write a JavaScript statement, which will, if it evaluates to true, it will trigger. And if it doesn't, then it will not trigger. So this is really helpful.

Matanber (21:14.844)
Yeah.

Matanber (21:25.16)
Yeah, definitely. What I sometimes do with it when I'm trying to look at like some message listener,

I put like a breakpoint on the message listener and sometimes, like usually, you would get a ton of different messages from like browser extensions or from like the regular app and stuff. So I just like put a conditional breakpoint and I will do like E or whatever the name of the event variable is, dot like ASDF or something. And then only if it has a truthy ASDF property, it will

Justin Gardner (@rhynorater) (21:43.276)
Yeah. Yeah.

Matanber (22:03.89)
So and then in all of my testing messages and look like ASDF.

Justin Gardner (@rhynorater) (22:08.792)
And then you don't have to keep pressing that like little play button, play button, play button over and over again. That's great, man. Yeah, that definitely reduces friction and increases the efficiency of your testing, which like, like we said before, I mean, it just has very, it has cascading effects. You know, it continues. You think it's just a little small thing. I just got to press, you know, play a couple of times here, but it allows your brain to not think about that anymore. and.

Matanber (22:11.336)
Yeah, yeah, yeah.

Matanber (22:32.224)
Yeah, and even more importantly, you will feel less resistance before you do the action. So if I'm like trying to test something and I know that I'm gonna have to press like forward 10 times, I'm gonna be less likely to actually do it. So it's not only in the moment. It also affects like the way you think about what you will do.

Justin Gardner (@rhynorater) (22:39.523)
Mm.

Justin Gardner (@rhynorater) (22:52.43)
That's a great point.

Justin Gardner (@rhynorater) (23:00.194)
Yeah, so that's a great point because it allows you to go further in your testing because you're not getting tired as quickly like, okay. You know, I've already tried three things. I'm not going to like go through this flow, you know, five more times. I'm just going to skip it versus if you just have lower friction, you still are able to just go, go, go. So that's a great point.

Matanber (23:21.502)
We have a lot of different points to go through here so... Yeah.

Justin Gardner (@rhynorater) (23:24.55)
We do, we gotta keep moving. I'm sorry, what's the next one? Hit

Matanber (23:26.738)
So I'm going to go through the next one very quickly. We mentioned regular breakpoints and conditional breakpoints. There's also what's called log points. So you put in some code there and it parses that code like it's a list of arguments to console.log. So if you put like a string and then a comma and some variable, it will log the string and the variable. And actually using commas in console.log and stuff is very useful.

And what I usually do with this sort of breakpoint, I have a very specific use case for it. A lot of the time the app...

the web app is gonna have some function that's like a conditional log of something or something. So they will have some like logging library and they will check, like sometimes they do it with local storage or whatever, they will check if debug mode is enabled. So instead of going in and like...

checking how they're checking whether debug is enabled and then overriding it or something, I just set a log point in the function that logs stuff. And that log point will just log the arguments of the function. So if they have like a function called debug or whatever that's checking whether debug mode is enabled, and if it is it's gonna log something, my log point is just gonna log it anyways. So then you get a bit more visibility into what's going

Justin Gardner (@rhynorater) (25:03.342)
Dude, I did not know this existed. And let me tell you,

Matanber (25:06.144)
It might be a new feature because I didn't know about it too until recently.

Justin Gardner (@rhynorater) (25:12.034)
Yeah, so I'm looking at this and what's odd about this, so here's how you do this, guys. In the DevTools, they've got the little line row or whatever on the left-hand side. I think it's called the gutter, technically. And you click over there and it adds a breakpoint, right? Well, don't left-click, right-click instead, and you'll see Add Log Point. Here's the, wait, what have you been doing?

Matanber (25:32.722)
You can right click, wait. I've been clicking on it, then clicking on the side panel, edit condition, and then you can change the type of it. But right click is way more useful, yeah.

Justin Gardner (@rhynorater) (25:46.558)
and then a log point, conditional breakpoint, breakpoint. Very interesting. So the reason I never knew that this existed is what I always do is I click to add the breakpoint, right? And then I right click on the breakpoint to hit edit breakpoint and then set conditional breakpoint. But actually if you right click after a breakpoint's already set, it won't show you the option for a log point. It'll only show you the option for breakpoint. So instead of left clicking the first

Matanber (26:13.738)
Don't you have a little drop down there? Yeah.

Justin Gardner (@rhynorater) (26:16.182)
I do, I do, but up at the top, yeah, I do have that, but I never saw that before. So what I'm gonna do now though is instead of right clicking or left click, I'm gonna right click and hit add log point. And that will just add the log point on there. Wow, I did not even.

Matanber (26:30.516)
Yeah, it's hard to teach me stuff about DevTools because I kind of live there, but yeah, I just learned a new trick.

Justin Gardner (@rhynorater) (26:35.992)
That's crazy, man. This is super helpful. So we can just do, and then you said this input here is just essentially console.log at that specific point in the code,

Matanber (26:48.306)
Yeah, and it's not just console.log for a specific object, it like passes a list of objects. So you can put like commas there or something.

Justin Gardner (@rhynorater) (26:57.452)
That's great. That is helpful. That is super helpful. And then I don't have to like, I don't have to do the breakpoint and then go to console and then type console.log. I can just log it. That's super helpful, man. Wow. Very cool. All right, what else we got on

Matanber (27:01.886)
Yeah.

Matanber (27:08.232)
Yeah.

Matanber (27:14.378)
Alright, so yeah, another one that is like very useful. I've actually done this pretty recently. You can, sometimes it's very useful when the app opens a new window or a pop-up or something to know what specifically it's doing, like what...

arguments it's passing to window.open, because there is some stuff, you actually talked about it, I don't remember when, but if the name of the window is guessable there are some tricks you can do with that, and if you're within the same tab group as that window you could like hijack it. I haven't done it but like

Justin Gardner (@rhynorater) (28:01.87)
Dude, I've done it, I'll show you a report afterwards. It feels so good, man. Like when the user clicks a button or whatever and there's just no popup and then it's like in your other window in the iframe, it's just, I love it. Window hijacking is such a cool, mm.

Matanber (28:16.97)
Yeah. I see what you mean. So you make it like open, because they're doing like window.open and then passing like the target or the name. And if there's already such a window in like an iframe on your page in the same tab group, it's gonna open it there. I thought what you were doing is, yeah.

Justin Gardner (@rhynorater) (28:30.328)
The name, yeah.

Justin Gardner (@rhynorater) (28:38.082)
Right, and then you can control that iframe then, right? So you can redirect the source of it and if it's like implicitly trusting that relationship with a post message or if it's like, hmm.

Matanber (28:47.134)
Yeah, what I thought you were doing was like, letting it open it normally and then on your tab running window.open with some attacker controlled URL and then the name. But I'm gonna let you finish up what you're starting to say,

Justin Gardner (@rhynorater) (29:01.794)
Yeah, that's also possible. No, no, no, that's also possible, but it's better when they don't even see the pop-up, right? It just goes into your iframe and then you can redirect it. And so, you know, one of the bugs that I've seen before is it'll like, the user will click a button for auth and it'll like, you know, you can hijack that window and put it into your iframe and then you can respond with your auth in there.

and then maybe it'll do some action with your auth code, right? So then you can snag information that's now attached to your account instead of attached to the victim's account. It's super fun, man.

Matanber (29:39.592)
Yeah, that's very cool. You're login CSRFing them with a... yeah, that's fun.

Justin Gardner (@rhynorater) (29:45.194)
Exactly. And so that's a fun one. And then also sometimes they just trust the response and just embed it into the page or whatever, or give you access to some post message listener, which is really...

Matanber (29:56.766)
It's definitely very fun when you start to get into those areas where the dev doesn't expect any malicious input to be like even in the equation. Like they think that they already verified it and all of that. So when you start having the, and sometimes like,

post message protocols or like the communication can be very complicated. Like they're building a whole protocol on top of post messages. And when the developer doesn't expect an attacker to be there, that can be like very fun to exploit.

Justin Gardner (@rhynorater) (30:35.97)
Very, very impactful indeed. I wonder what you're talking about right now, Matan. I wonder... Yeah, sounds like a very similar situation to one that I'm kind of familiar with right now.

Matanber (30:39.744)
Maybe you'll see a show and tell, maybe you'll see a show and tell in a few weeks, yeah. Wait... Did you find one recently? I really hope... Yeah. I really hope we're not gonna dupe each other because I was actually, I mentioned it to Nagli specifically, if someone is gonna dupe me on this it's gonna be Justin.

Justin Gardner (@rhynorater) (30:52.33)
Who knows? Who knows? We might be doing this show until together.

Justin Gardner (@rhynorater) (30:58.66)
Ha ha!

Justin Gardner (@rhynorater) (31:05.058)
I found the Open Reader Act, so there's some... We'll save that for the post-Vegas episode.

Matanber (31:13.632)
But mine, my like post message stuff is on the other target. So we're not duping each other, okay. Yeah.

Justin Gardner (@rhynorater) (31:18.824)
Is it really? Okay, that's good. That's good. That's good. Okay, awesome. So essentially just to TLDR this tip, because we kind of got carried away here, was that you're essentially, so what you've got in the doc here is you're saying you're overriding window.open with a call to debugger,

Matanber (31:29.81)
Yeah, yeah, let's move to the other ones quickly.

Matanber (31:42.53)
Yeah, I forgot to actually mention what the trick was.

Justin Gardner (@rhynorater) (31:45.77)
Yeah, yeah, I got you though, I got you. So, and this is actually something that I think is really, really interesting for people to know about is, is you can trigger a debugger. You can trigger a breakpoint by using the, I don't know, is it a keyword, debugger? It's not a function call, right? So that will trigger a breakpoint if you just type debugger, that's it, which I think is really helpful.

Matanber (32:03.122)
Yeah, it is,

Matanber (32:11.878)
Yeah, and it's very useful because it will trigger. If you have like a weird context where your code is running, like maybe on a CSTI or something like that, if you manage to make it run debugger, then you can like look at that and see, understand the context way better. Yeah.

Justin Gardner (@rhynorater) (32:23.693)
Yeah,

Justin Gardner (@rhynorater) (32:36.856)
Hmm, hmm, very cool. Yeah, I think that debugger tip is really helpful. I forgot to tell you before this episode to get some water too, and I'm hearing you coughing, so get some water while I'm yapping for a second. Yeah, you have some? Good, good, Yeah, so debugger tip, super helpful. I think that one's good. And we moved past this one that I'm highlighting right now in the doc, and I wanna go back to

Matanber (32:46.908)
Haha

Matanber (32:52.382)
No, I have some, yeah.

Matanber (33:04.22)
Yeah.

Justin Gardner (@rhynorater) (33:05.358)
Talk to me about onbeforeunload breakpoints.

Matanber (33:08.35)
So it's very similar to what we just talked about with window.open. If you're trying to figure out some, there's actually a few different use cases for it. One is if the app is moving very quickly, if you're getting redirected.

Justin Gardner (@rhynorater) (33:12.671)
Mm. Mm.

Matanber (33:34.088)
a lot of times like during an overflow or something like that, and you want to understand like what's going on at every like stage of the way. You can set a breakpoint. The way it's actually done, it's a bit complicated. You go to the DevTools and it's like in the Sources panel, you have in the...

Justin Gardner (@rhynorater) (33:58.212)
Okay.

Matanber (34:03.11)
menu on the left, you have, right above CSP violation breakpoints, you have event listener breakpoints, and you can go there and you can expand the Load category, and you click on, check beforeunload, yeah, beforeunload, and then once the page redirects itself, like with setting location or something like that, before that happens, it's gonna breakpoint.

It's gonna like break in DevTools and then you can see like, how are they reacting, what's happening like on the page, and it slows down and it's like, you can actually understand what's going on.

Justin Gardner (@rhynorater) (34:47.82)
Yeah, that's one of the worst things is like when you try to go to this page and it's got some weird functionality on it, but it just keeps freaking redirecting away and you can't actually get DevTools to like open properly and do stuff. So this will, this will be super helpful for that. I, I go

Matanber (35:04.097)
Sometimes, yeah, sometimes it's even more annoying. It has like a timeout of like five seconds or something, and then you try to like really quickly go through the code in like five seconds and save it or something.

Justin Gardner (@rhynorater) (35:18.284)
Right, have you, so I told a friend about this recently and he didn't know and he was freaking out, but did you know that you can spam Escape on a page that is redirecting and it will cancel the redirect? Yeah.

Matanber (35:31.962)
Really? Because it's like clicking the X on the URL bar.

Justin Gardner (@rhynorater) (35:39.784)
I don't know. I've never clicked the X on the URL bar. I just hit Escape, Escape, Escape, Escape, Escape, it like

Matanber (35:42.11)
Yeah, so while it's loading the page, you're like canceling the request or whatever it's doing. Yeah.

Justin Gardner (@rhynorater) (35:49.05)
Yeah, yeah, it is like that. Okay, I'm clicking it right now and it, yeah. Huh, very interesting.

Matanber (35:54.75)
Yeah, that's nice. I haven't actually thought about using that. Yeah.

Justin Gardner (@rhynorater) (35:58.466)
Yeah, so that helps sometimes when you're like stuck in a flow.

Matanber (36:00.72)
Wait, I, it's not related at all, but I just remembered some trick that I actually found. No, it's not related to DevTools at all. I have no idea how I just remembered it, but it was actually a trick. It was, the origin story of the trick is I was helping someone download photos from Google Drive to their phone. And the way I did it is like I,

Justin Gardner (@rhynorater) (36:08.29)
Hit me, man, that's what we're talking about here. Hit

Matanber (36:30.086)
I click on download and then Safari on mobile has like a little pop-up and it asks you whether you want to download the file or view it. And I've seen that pop-up many times, but for some reason in that like moment I stopped and I thought about it for a second, and a common problem you have is if you can like upload a file or something.

Justin Gardner (@rhynorater) (36:54.142)
No way Matan, are you kidding me? Can you do this with an SVG?

Matanber (36:56.384)
Wait, it's not as crazy as you might think, but if you can upload a file somewhere, but that file has like a Content-Disposition header, if you try to make a user navigate to it to trigger like an XSS or something, it will not work, it will download it.

Justin Gardner (@rhynorater) (37:08.76)
Mm-hmm.

Matanber (37:16.828)
What I realized is like, if Safari asks you whether you want to view or download it, will it ask you if you like have an HTML file or something? So apparently what happened is, Safari thought about that, like the developers have thought about that scenario, and for most content types, it will ask you whether you want to view it or download it, but.

There's a blacklist of which ones it doesn't allow you to click on view, but there is one specific content type that I did find. I don't remember which it is. I have it on like my... wait, wait, I have it. I have it on my, on my chat with, I have it on my chat with Johan. I sent it to him, and with Johan, I will check it real quick, but

Justin Gardner (@rhynorater) (37:53.656)
What do you mean you don't remember which it is? Matan!

Justin Gardner (@rhynorater) (38:01.742)
Okay, go get that right now because I need that.

Matanber (38:05.744)
That it doesn't trigger XSS, it doesn't trigger XSS, it will let you inject HTML, but for some reason it doesn't run JavaScript. It's super weird. But still, that HTML injection is like, it will be in the, I think the URL bar will show the vulnerable site. So you have impact out of a bug that usually has no impact.

Justin Gardner (@rhynorater) (38:15.418)
That sounds super

Justin Gardner (@rhynorater) (38:29.028)
Dude, are you seriously dropping a Safari Zero Day on the pod right now? Like, what are you doing?

Matanber (38:33.504)
Maybe, I don't know. I mean, there's plenty of Safari zero days to go around, yeah. We don't have to get cheap about those.

Justin Gardner (@rhynorater) (38:38.221)
There's a blacklist. Man. So did you try the image/svg+xml content type? Did that

Matanber (38:48.594)
Yeah, I tried a few. There's a list of content types that let you XSS. I don't remember. It's on some GitHub repo. It's a super useful list. I used it on a Shopify bug once.

Justin Gardner (@rhynorater) (39:00.044)
Hmm. Yeah.

Justin Gardner (@rhynorater) (39:05.844)
Really? Nice, that's great, man. Yeah, I'm very interested to know what the content type is for that. So go dig it up. No, you're good, you're good. We have to...

Matanber (39:13.17)
Yeah, I'm trying to find it. Sorry for leaving you hanging. Yeah. Yeah, it's, so it's interesting because I'm not sure. Yeah, it's text/xsl, I think. So yeah.

Justin Gardner (@rhynorater) (39:27.838)
XSL. The... Is that the transformation language for... Yeah, that's XSLT.

Matanber (39:33.64)
Yeah, yeah, it is. So you can make the server respond with that if you upload an XSL file, I think. I'm not sure because I haven't actually tested it, but I think if you would upload a .xsl file, it would respond with that. The weirdest thing about that whole functionality is if you don't specify the Content-Disposition header and you put

an XSS payload in there, it will trigger and it will XSS. But if you specify the Content-Disposition header and then pick view, it won't run the JavaScript. And it won't even let you iframe stuff or anything.

Justin Gardner (@rhynorater) (40:11.16)
Really?

Justin Gardner (@rhynorater) (40:15.182)
But it will run some sort of sandboxed HTML in there.

Matanber (40:19.176)
Yeah, it will let you like embed images and stuff. I haven't checked forms, which is interesting. Iframes don't work, yeah. But it's definitely like noteworthy. CSS, maybe, I don't know. But like, you don't have anything to leak, yeah. Maybe it would help you phish someone though if you had forms.

Justin Gardner (@rhynorater) (40:25.164)
Forms would be interesting. Iframes would be interesting and like objects or embeds would be interesting. CSS. Yeah, not really interesting, but yeah. Yeah, that's interesting.

Justin Gardner (@rhynorater) (40:45.388)
Maybe if it gets concatenated with a document, like maybe you have like a, yeah, maybe there's data.

Matanber (40:50.048)
Yeah, maybe if you have like an injection into, but then you wouldn't be able to specify the extension of that file and you wouldn't, yeah. But I wonder if password managers would autofill it. I wonder if it's like considered same-origin. That would be a sick attack scenario. And I mean, it's a.

Justin Gardner (@rhynorater) (41:00.137)
That's true. That's true.

Justin Gardner (@rhynorater) (41:11.904)
Dude, password manager autofills it and then you leak it with CSS injection. My gosh.

Matanber (41:19.832)
Or a form or a CSS injection. Hell yeah. Yeah, wow. So we just took, like, on live, we just took a bug class that's like completely ignored, nobody talks about it, and yeah. And I mean, the funny thing is Johan, he was like, he found a bug like this and usually, like, auto ignore.

Justin Gardner (@rhynorater) (41:22.936)
Yeah, that would be crazy. My gosh.

Justin Gardner (@rhynorater) (41:30.189)
Yeah?

Justin Gardner (@rhynorater) (41:35.626)
Man, yeah, that's great.

Matanber (41:47.636)
But for some reason he asked me like, do you have any crazy trick for it? And I was like, I was downloading images one day. Yeah. Yeah. Also, I don't know why I didn't add that to the doc, but I'm glad I remembered it, yeah.

Justin Gardner (@rhynorater) (41:56.9)
As you do, as you do, as every good story starts.

Justin Gardner (@rhynorater) (42:09.38)
Me too, me too. Okay, dude, we are only four bullets in. We gotta move. Okay, what's this next one? I have a hard stop in an hour, an hour 30. So I think we're, yeah, I think we're good. But yeah, let's keep moving. What is this next one here? Oh, this is a good one.

Matanber (42:14.686)
How much time have you already recorded?

Matanber (42:20.953)
Wow, we don't have any time.

Matanber (42:30.353)
Yeah, so, yeah, it's just, it's a section of the DevTools side panel that you have to know. I use it all the time. It's the Call Stack section. So if you know VS Code, it has this very useful feature where if you like control-click on something and you jump somewhere, you can use Alt and the arrows or...

like you go forward and backwards in history on the browser, you can use it to go back to where you jumped from. But in the DevTools, which is actually a feature that I really miss, you can't do that. So you tend to get lost if you like, you're reading some part of the code and you have a breakpoint somewhere and it triggers and

like try to look for a string somewhere and you start to jump around the code to different sections, it's very easy to get lost. So if you just expand the Call Stack section and you click on the uppermost entry, it will just jump to where your current breakpoint is.

Justin Gardner (@rhynorater) (43:44.034)
Yeah, that is super helpful. I use that all the time. And actually while you were saying it, I was thinking, man, I think there was a way to jump back and forth in DevTools. Yeah, I'm looking at it right now. I found it at one point, I thought. Where was it?

Matanber (43:55.612)
is the... I would love to know that,

Matanber (44:06.429)
There's so much obscure functionality in their tools.

Justin Gardner (@rhynorater) (44:09.058)
There is, I'm looking, I'm scrolling through the Shortcuts tab right now. I can't find it right now, but I wanna see that they're actually, yeah, there is, yeah. So if you go to the settings, the little, and then all the way down at the bottom on the left-hand side, there's like Preferences, Workspace, Experiments, whatever, and then Shortcuts. So I think there's some stuff in there that allows you to navigate through.

Matanber (44:16.204)
Is there a shortcut stop?

Matanber (44:22.624)
Immortals.

Matanber (44:28.997)
Yeah.

Justin Gardner (@rhynorater) (44:39.352)
But I can't figure out which one it is now. So we'll have to go back to that afterwards and see if we can, yeah, there it is right there. It's, I think, Control, that might not be it. Control, like, open square bracket and Control, close square bracket. But we'll go back and we'll figure that out afterwards. But I'm pretty sure there is a way to do that. And if there's not, holy moly, someone needs to do

Matanber (45:00.318)
Yeah, so it says "jump to next editing location" and "jump to previous editing location". It's Alt, Alt-minus and Alt-plus. I'm not sure if plus means holding Shift, but yeah.

Justin Gardner (@rhynorater) (45:04.862)
Mm-hmm. Yeah, what is it?

That's right, Alt-minus, Alt-plus.

Justin Gardner (@rhynorater) (45:15.384)
Yeah, let's see. Let me see if it, editing location though? I'm not really editing things. Does, check that

Matanber (45:21.31)
Yeah, it does work. Wow. Yeah, that's super useful. Man, I hope you would have told me that earlier,

Justin Gardner (@rhynorater) (45:28.608)
Yeah, these sort of things are super nice and allow you to feel a lot more comfortable in your tools.

Matanber (45:35.816)
Yeah, maybe if you can rebind it I can maybe just use the VS Code rebinds,

Justin Gardner (@rhynorater) (45:39.608)
Yeah, yeah, yeah, I think that'll be really good. While you were talking about all these things, I wanted to shout out one more breakpoint that's kind of interesting, which is the XHR and fetch breakpoints. Have you seen those before or no?

Matanber (45:55.434)
Hmm. I mean, I've seen that it exists. I haven't looked into it. Like I haven't tried to use it.

Justin Gardner (@rhynorater) (46:04.59)
This is helpful when you're trying to figure out what piece of JS code originated a request. You can set that breakpoint and essentially it's in that same panel on the right-hand side. The Initiators, is that what you're talking about in the Network tab? Yeah. I think that is helpful and it's very nice to see the call stack when you have a specific initiator for a specific request or whatever.

Matanber (46:11.604)
Hmm. There's an easier way to do that though. You could go to the... Yeah, yeah. Yeah.

Justin Gardner (@rhynorater) (46:33.282)
I think the breakpoint is also really helpful because then you get to jump back and forth between that call stack like you were just mentioning and you can go through.

Matanber (46:41.47)
Yeah, I've definitely had times where I like went to the Initiators and then set a breakpoint. So this is just an easier way to do it. Yeah.

Justin Gardner (@rhynorater) (46:48.424)
Exactly, just like that. But that Initiators thing is really helpful. Okay, okay, I'm sorry. One more thing before I bulldoze your podcast, Matan. But I wanted to shout out a technique that you actually taught me, which was that I didn't know that you could go to the Application tab in DevTools and click on Frames down at the very bottom and it'll show you the various frames that you have.

Matanber (46:50.516)
We have to move on though, from this section, yeah.

Matanber (46:58.571)
Hahaha

Matanber (47:12.692)
Yeah.

Justin Gardner (@rhynorater) (47:17.334)
And on that page, there's the CSP, which is super helpful. And you don't have to like copy it. You don't have to like copy it into CSP Evaluator or anything. It's just like they're highlighted, broken out, nice and easy to read.

Matanber (47:17.95)
The CSP.

Matanber (47:22.546)
Yeah, syntax highlighted and everything,

Matanber (47:31.304)
Yeah, I forgot to mention it. It's good that you remember that,

Justin Gardner (@rhynorater) (47:34.116)
Yeah, no, that's really good. Yes, let's do it. Okay, DevTools and general testing tricks, done. Now we've got general client-side hacking tips. Hit us with the goodness, not done.

Matanber (47:36.552)
So should we move on to this section?

Matanber (47:48.91)
Yeah, so these are just like some very general tips. I usually don't like very general tips because they can feel less actionable, but with my style of hacking, it's very, what I do is very target specific.

So kind of the only tips I can give are pretty general, except for like tricks and shout-outs like we just did with the content type little piece there. But some of these tips are more applicable to beginners and some are just like general good tips. So what I would recommend is, and this is a pitfall that is for people that are kind of newer to...

to client-side hacking, I think that this would be a pretty common pitfall. Don't just like dive into the JS. Minified JavaScript for a big application can be so huge. It's so, yeah, it's super overwhelming and you can't, maybe some people can do it, but you can't just start reading it and actually understand what it does. What

Justin Gardner (@rhynorater) (48:50.552)
super intimidating.

Matanber (49:06.26)
you can do, and this is way more productive and it's a way to only read the code that is interesting, what you have to do is utilize as much dynamic analysis as you can. So this means like whether it's installing DomLogger++, which is a way to do dynamic analysis, or using breakpoints, or like all of the, I think all of the,

most of the tips we just gave are like applicable to dynamic analysis. Like if there's a window.open and you're trying to understand that functionality, instead of trying to read the whole JS code like you would with the source code or something and trying to figure out where they're opening that window, set a breakpoint on window.open or something like that. So utilize as much dynamic analysis as you can. And also,

you have to get to know the application. A lot of client-side hacking is just hacking. You have to get intimate with the application. So a lot of, a lot of client-side hacking is just hacking. And I think for me, it's like, maybe a lot of my time is spent looking at the JS code, but

Justin Gardner (@rhynorater) (50:10.756)
I'm sorry, what did you say Matan? Did you say get to know the application? That's right, you have to get intimate with the application. That's correct, okay, go ahead, sorry.

Matanber (50:35.806)
A lot of it is just like spent looking through menus, trying to see which functionality seems like interesting to me out of instinct or something like that. So don't just like dive into the JS and try to find like sources and things and all of that just from reading the JS or yeah, try to get to know the application and it also what it allows you to do if you actually know the application well.

you need to have less, you can have less powerful primitives and keep the same impact. So what I'm trying to say is say you have some application and you've studied the overflow of it very well. And you know that you can somehow get the code to land on any page in a specific domain, right? Now, if you find an XSS in the domain,

That's great, like you have ATO and stuff. But now you can have, with a less powerful primitive, like leaking the referrer or the location or whatever, you could achieve the same impact. And now by just getting to know the application and looking into that flow, which is, there was no reading JavaScript involved in that. You just saved yourself a lot of time and.

you made your life way easier for getting ATOs. Yeah.

Justin Gardner (@rhynorater) (52:06.562)
Yeah. And your eyes aren't bleeding because you've been staring at minified JavaScript for hours. There is one hacker that I know that just reads JavaScript like a book. And, and I just like the most insane thing I've ever seen in my life. But I really, I really liked that tip. I'm going to, I'm going to wrap that up for the listeners. Taking dynamic analysis and using that to inform your static analysis, right? Like to understanding what pieces of code are running via, via dynamic analysis.

Matanber (52:15.986)
I can't do it.

Justin Gardner (@rhynorater) (52:36.268)
And then going back and looking at the surrounding code in the call stack and that sort of thing can really help you understand, help you narrow down what pieces of code are interesting and what is just the endless fluff that gets thrown into all of these like web packed monstrosities that we have nowadays. That's really key.

Matanber (52:47.68)
Yeah. Yeah. I think I'm way more, um, leaning towards dynamic analysis than you might expect. Like 99% of my time reading JavaScript is just like looking into setting breakpoints, looking at the values of the different variables and all of that. Just like pure dynamic.

Justin Gardner (@rhynorater) (53:14.66)
You mentioned DomLogger++. We just recently did a master class on DomLogger++ in the Critical Thinkers exclusive tier on Discord. You've been using that tool for a little while,

Matanber (53:25.906)
Yeah, I watched the recording of that master class because I couldn't make it to the actual class, but it was great. Yeah, it's very useful.

Justin Gardner (@rhynorater) (53:37.912)
So how are you using that tool and what kind of sources and sinks are you detecting on?

Matanber (53:42.354)
Yeah, so I'm actually, I'm not using it to the full potential at all. Like, yeah, I'm, I have been using, I haven't known about all of the different stuff you can do with it, with like, especially events and stuff. There's some very interesting stuff you can do surrounding events. But what I've been using it for is just like query parameters.

Justin Gardner (@rhynorater) (53:47.25)
Me neither.

Matanber (54:11.937)
For analysis of messages and stuff, I use PostMessage Logger, and for analysis of like which, which URL parameters or hash parameters I can use, I use DomLogger++, and that kind of covers like all of your, like globally applicable sources. So, yeah.

Justin Gardner (@rhynorater) (54:38.007)
So are you hooking like that, like what are you doing for hash related stuff? Are you hooking anything for that?

Matanber (54:44.36)
So hash-related stuff I do the exact same thing I do for search. I just hook URLSearchParams.prototype.get and .has. So it catches like, I wanna say most of the cases, definitely not all, which is why I want to improve that config, like to catch cases where parameters are being

passed with regexes or with splits and stuff like that. And what I actually want to do is catch cases when there's a string that gets split on ampersands.

Justin Gardner (@rhynorater) (55:25.664)
Ampersand? Dude, I was literally just about to say that. That is like, I haven't seen anyone do that. I think that should be pretty doable, right? Because if we can just, with DomLogger, we can override that function, right? DomLogger++, we can override that function. If it's got the ampersand character, return something that we can get a little bit more introspection into, and then essentially log all of the parameters that are being parsed out of any string that contains the ampersand.

Matanber (55:53.822)
Yeah, and it will be like pretty high signal, which is like a problem that I had with other configs that I've tried, is that there's a lot of code running on a page and it can get very noisy if you hook too much stuff. But I mean, which strings get split on ampersands other than parameters? Yeah.

Justin Gardner (@rhynorater) (56:11.778)
Yeah, it can.

Justin Gardner (@rhynorater) (56:17.476)
Exactly, it's pretty much just that. I think there also needs to, I need to do some analysis of JS files to understand like what the common flow is because they might be like trying to detect the question mark or something like that, or trying to detect the hashtag before they do the split. So maybe we need to hook that too to just check and see what potential stuff there could have been.

Matanber (56:30.952)
Yeah,

Matanber (56:36.746)
Yeah.

Matanber (56:40.744)
Yeah, in my experience also, the weirdest parsing behaviors are those of all their functionality. And that's definitely functionality that you don't want to miss. So it's gonna be valuable to try to catch those as best as you can.

Justin Gardner (@rhynorater) (57:01.856)
And did you see in the masterclass, there's a way that he has it set up where it can like pop up a little alert box when something happens. So what I'm thinking about doing is, I've just got a long flight coming up here, so I'm going to try to do this on the flight, is building a DomLogger++ config where it will essentially just pop up on the screen any, any calls to URLSearchParams.prototype.get, .has, or any of those splits. Right.

Matanber (57:26.474)
Yeah.

Justin Gardner (@rhynorater) (57:30.688)
Any page I navigate to, it just automatically says, hey, these are all the possible query parameters for this page that are being parsed by the client side. Wouldn't that just like, that would be amazing.

Matanber (57:37.52)
I think alerts would be a bit too spammy. I do it with like a number that says how many it found, sort of like with PostMessage Logger, and then I check the DevTools to see which they found. So.

We definitely should get through this way faster, we're spending a ton of time on each one. I don't think we're gonna get to the extension hacking stuff.

Justin Gardner (@rhynorater) (58:01.833)
My gosh, dang it. We're going to have to come back and do another episode.

Justin Gardner (@rhynorater) (58:09.873)
I don't think so either. We're gonna, we'll do another one. Maybe we can record one live in Vegas. That would be fun.

Matanber (58:14.936)
Yeah, that would be very fun, yeah. So, let's move on in this section,

Justin Gardner (@rhynorater) (58:21.282)
Okay, yeah, let's do

This was a great one. Okay, so this is exactly what I'm talking about when it comes to chaining stuff, right? Like trying to weave your way into these like situations where you have these super mangled payloads and you gotta get it past a WAF and there's a bunch of tricks. So drop these tricks on the listeners. This is great.

Matanber (58:43.89)
Yeah, so this one is very fresh in my mind because I've exploited it on one of the programs which I really like. I've like used it in an exploit. In many situations, when you're trying to like escalate an XSS or maybe to exploit an XSS,

you have to get like, at the end of the day, you have to get the app to execute like a big script. So the way I do it is I just, on my server, host like a big script that I can write like with an IDE or something easily. And then you have to get that app to execute that big script. So it's kind of a big step to go from alert(origin) or something like that to executing that huge script.

The easiest way that works like 90% of the time to do that is using the import function. It's not really a function, it's a keyword, but you can just treat it as a function. JavaScript has...

a function that just basically, it's just XSS as a service. You just like, yeah, you call import, you put in like your URL or something inside of that import statement, with quotes, like with a string, and it just fetches that

Justin Gardner (@rhynorater) (01:00:01.463)
Yeah, I love

Matanber (01:00:16.896)
file and just executes it. So you've gone from like fetch().text().something and eval-ing it to just like a single line, which is very useful. So what I usually do in like 90% of the cases, I like find an XSS with alert(origin), then I change it to do like import and then the path to my file, and then I have like a nice way of editing the JS file in an

Justin Gardner (@rhynorater) (01:00:23.907)
Yeah.

Justin Gardner (@rhynorater) (01:00:27.981)
I love that tip.

Matanber (01:00:47.01)
IDE and having the page execute it. But there are some cases where this won't work. Number one is like when you're dealing with a WAF or maybe with an input that is limited in characters or maybe in character set. In those cases, maybe the import won't work because either the WAF will block it or maybe...

Justin Gardner (@rhynorater) (01:01:18.724)
I wanna say there's some weird context as well where import just doesn't work. Yeah. What is that? Do you know about that? No, no, it's like, I've gotten a weird error when I'm trying to execute import from like, within a script that isn't a mod, yeah, like a module or something like that. And I haven't fully assessed what that means, but like 95% of the time it works for

Matanber (01:01:23.838)
Yeah, so, do you mean like with CSP?

Matanber (01:01:36.893)
and module.

Matanber (01:01:40.818)
Hmm. So there are two types of imports. One is like an import where you just write import and then a space, and that only works for modules. And that import statement is very useful because that import statement automatically gets hoisted to the top of the file.

Justin Gardner (@rhynorater) (01:02:03.991)
Mmm.

Matanber (01:02:04.636)
So when you could get your script to execute before any other script in that file, if it's in the context of like an injection into a script or something like that, but the import statement that I'm talking about is the more like a generally applicable one. I think it's called the dynamic import or something like that, where you just treat import as a function. So just call it with brackets and I think that should work in.

Justin Gardner (@rhynorater) (01:02:32.88)
I've been using import as a function call for a couple years now. And there are some scenarios for some reason where it won't work. So maybe I'll see if I can find them.

Matanber (01:02:39.466)
Hmm. Yeah. I haven't encountered it, but maybe it's just because it's niche.

Justin Gardner (@rhynorater) (01:02:46.38)
Yeah, it could be an issue or there could be some script delegation type delegations or something like that where it doesn't work because it is for these sort of modularized environments. Yeah, I mean that function is absolutely pivotal to getting arbitrary JavaScript execution in most scenarios.

Matanber (01:03:07.24)
Yeah, so in the cases where it doesn't work, like say a CSP or a WAF or something, what you have to do is you have to think about like how you manage to get a script to run in the first place. So for example, recently I had on some target, yeah, I had an XSS.

Justin Gardner (@rhynorater) (01:03:31.061)
Such a good tip, dude. This is such a good tip.

Matanber (01:03:37.202)
and they had, I had like an HTML injection and they had CSP. And the CSP had like, in the script source, it allowed data URIs. So I inject my script, I inject like script source data and then I put my script there. But then I was trying to think and I was also, if that's not enough, I was also like limited in characters.

Justin Gardner (@rhynorater) (01:04:02.924)
my gosh.

Matanber (01:04:03.976)
Which I love those scenarios. There's one really good one on my blog about CS, yeah. Yeah, the four characters, yes, yeah. It's amazing, yeah. But anyways, I was limited in character, both in character set and in payload length. So that was kind of tricky, but.

Justin Gardner (@rhynorater) (01:04:06.092)
Yeah, you gotta code golf it.

Justin Gardner (@rhynorater) (01:04:12.777)
my gosh, the four character... Is that the one you're talking about? Ridiculous.

Matanber (01:04:33.266)
what I sort of try to think like, okay, how can I make arbitrary JavaScript under? So the first payload I was kind of thinking about was maybe creating a script element. So script or maybe S equals document create element script, and then assigning a source to it and then injecting it into the page.

but that was too long, and I tried to think about it, and then I eventually realized that what my primitive was, was basically just an HTML injection, right? So what I could do is just like reintroduce that primitive or like re-exploit it somehow. So.

What I eventually did was just like get some variable that has like malicious, that can have malicious content. I'm gonna go through the list of like these sources in a second. But in this case, I used the window name, which as an attacker, you can have control over. So I used the window name and then I just passed it to document.write.

Justin Gardner (@rhynorater) (01:05:49.036)
Mmm, yep.

Matanber (01:05:49.656)
And then what happens is like I reintroduce the HTML injection, and with document.write you can put script tags. It's not like innerHTML where those don't work. So I just write to the document and then I basically have the exact same vulnerability that I had a second ago, but now I'm not limited in character set or in character length or anything. So.

when you're trying to get those exploits to work, it's really important to think how you manage to get it in the first place. So for example, if you...

Justin Gardner (@rhynorater) (01:06:27.251)
Mm, mm.

Matanber (01:06:31.826)
maybe got it through a JavaScript URI, then you can do like open and then put the JavaScript URI in there. Like you should think on a low level, like how you manage to get XSS to work there. And in terms of like the sources for where you could get malicious input from, there are a few options. Like I mentioned, you can use the name of the current window, and the way you set it as an attacker, you either

in your malicious site, either change the window.name and then redirect the window, and the window.name will stay constant after the redirect. Or you can open the vulnerable page and in the window.open call, the second argument, you can put payload there and it will be its window name. So, yeah.

Justin Gardner (@rhynorater) (01:07:26.136)
That's something else I want to hook in DOMLogger++ by the way, is any window.open that has a name property attached to

Matanber (01:07:32.778)
That's a great idea for a config. But anyways, what I did there was, in that case, I couldn't get the window.name to be a malicious value. I won't get into the details, but I had to use another, yeah. So.

Justin Gardner (@rhynorater) (01:07:52.878)
Come on Matan, give us the details.

Matanber (01:07:58.416)
The chain was very complicated. I had like a self-XSS, alright? And that self-XSS was the one that I said was limited in characters and stuff. And that self-XSS I was trying to get it to trigger on the victim's account. So... I have no idea how I'm gonna put it into like a podcast format.

Justin Gardner (@rhynorater) (01:08:20.464)
Shut

Justin Gardner (@rhynorater) (01:08:25.24)
Welcome to my world, dude. It is so hard. I'm a year and a half into this, more even, into running this podcast, and I still have such a hard time taking these complex convoluted chains and exploits and just talking through them, even though it's what I live and breathe every single day.

Matanber (01:08:43.398)
Yeah, I'm gonna try it though because it's very interesting.

Justin Gardner (@rhynorater) (01:08:47.554)
Okay, okay, hold on. Let me go get my chair.

Justin Gardner (@rhynorater) (01:10:16.322)
Alright, we're back. Storytime with Matan here. I'm excited. yeah, give it a shot, man. It is hard to put some of these things into words,

Matanber (01:10:23.776)
I'm gonna open the list of steps I sent you about that specific bug. You know which one I'm talking about, Yeah.

Justin Gardner (@rhynorater) (01:10:28.238)
Okay.

Well, okay, I do know the one you're talking about. I'll mention this though. Here is the tip that he had in the doc on this while you're pulling that up, Matan. He's listing here a bunch of ways to smuggle your payloads into this XSS environment. You've got window.name, you've got opener.name, you've got opener.opener.name, right? There's a chain of all these things you can do.

Matanber (01:10:55.052)
Yeah, so I'm actually gonna go through them real quick so we don't have to like come back from a tangent. So each one of those different ways to smuggle input has like its pros and cons. So the classic one is like name, which is a super short payload like four characters and

Justin Gardner (@rhynorater) (01:11:00.172)
Okay, go for it. Yeah. Yeah.

Justin Gardner (@rhynorater) (01:11:18.222)
Mm

Justin Gardner (@rhynorater) (01:11:22.563)
Yeah.

Matanber (01:11:24.996)
The window.name has basically no length limit and you can put any character in there. But it does require you to have like an attacker's page. The victim has to navigate to an attacker's page. You can't like put

the URL of the vulnerable page directly and have the victim navigate to that. So that's the con that that specific way has. And you could also, if you need more inputs, you could do opener.name and opener.opener.name, which the attacker would have control over.

The other one, which I listed here, there are a few, you can add, with a very short payload, a message listener to the page that you have code execution in. So you can just write onmessage equals and then some...

variable name like E and then do an arrow, so like an equals greater than, and then the code that you put there will have access to like an E variable, the data of which has like malicious input. There are two cons to that payload. While it doesn't have a length limit or character limit, a charset limit to the input you can inject,

it does require you to have a greater sign symbol and you need to have an attacker's page to exploit it. And the other one, which is useful, is location. So if you have control over the location, which you do in most cases,

Justin Gardner (@rhynorater) (01:12:57.982)
Mm. Mm.

Matanber (01:13:11.57)
you can just use location. You don't even have to use location.hash or anything, just location, because it contains the hash obviously. And that will not have a length limit because the hash of the URL has absolutely no length limit. You can put as much stuff there as you want. But it does have a charset limit. If you've ever, like me, tried to exploit some piece of code that does like

Justin Gardner (@rhynorater) (01:13:30.328)
That's crazy.

Matanber (01:13:40.582)
document.write location.href, you'll know that the browser automatically encodes any, yeah, any like greater sign symbols. It encodes it. So if you want to use the location

Justin Gardner (@rhynorater) (01:13:46.944)
So annoying dude. Absolutely infuriating.

Matanber (01:13:58.992)
as a source of malicious input, you'll have to pass it into decodeURIComponent if you want no charset limitation, or you could use unescape, which is a deprecated function that does basically the same thing and is way shorter. That's what I ended up using on the exploit, which we're gonna talk about in a second. And the last one, which is like a lengthy payload,

Justin Gardner (@rhynorater) (01:14:16.844)
Really, it's shorter, interesting. Huh.

Matanber (01:14:29.946)
I'm not sure in which cases you'd use it though I did in one case talk to someone which had to use that specific payload because all of the other stuff didn't work for him. You can fetch an attacker controlled script or something and then you have to either await that fetch or do a dot then.

and then you have to get the text from that request, and then you have to do a dot then on that text call because it reads it asynchronously, and then you're gonna have malicious input. I'm not sure in which cases you have to use it, but it definitely does exist in cases where you have to use that specifically. So let's get into our story time.

Justin Gardner (@rhynorater) (01:15:09.444)
It's long, dude.

Justin Gardner (@rhynorater) (01:15:18.532)
Let's do that. I want to add one more thing about this fetch thing though. I actually did end up using a payload very similar to this the other day. And the situation was that the CSP had a script source on it that included unsafe-eval or whatever. So I was able to get XSS, but it did not allow me to import scripts from other domains.

Matanber (01:15:23.167)
Yeah.

Justin Gardner (@rhynorater) (01:15:43.566)
but it didn't have a default source or a connect source or anything like that. So I was able to just like do a fetch and then get the response and then eval it.

Matanber (01:15:51.006)
Yeah, though in that case you could have used the eval(name) or something like that. Yeah.

Justin Gardner (@rhynorater) (01:15:57.501)
Mm, yeah, that also would have done it and it would have been much shorter.

Matanber (01:16:01.32)
Yeah, but sometimes you just don't need it to be short and using fetch or something like that is well more comfortable and easier because you can just like edit the script that you're hosting on your page. Yeah.

Justin Gardner (@rhynorater) (01:16:14.577)
It's easier to read too for the devs. All right, dude, let's do story time now. What bugs you got to share with

Matanber (01:16:24.862)
Yeah, that exploit was definitely not easy to read. Actually, the triage team specifically mentioned that it took them a while to figure out what I was doing, which is super funny. And also I think that report got like NMI'd at least like five times by h1-triage. But I had a self-XSS that had

Justin Gardner (@rhynorater) (01:16:28.738)
Yeah.

Justin Gardner (@rhynorater) (01:16:35.096)
Hahaha

That is funny.

Justin Gardner (@rhynorater) (01:16:43.179)
Yeah. Yeah.

Matanber (01:16:53.394)
a charset limit, though most characters were allowed, and a length limit. And what I was trying to do was both get it to eval like a big script, like we just talked about, and get it to trigger on a victim's page, on the victim's like session, whatever. So

Justin Gardner (@rhynorater) (01:17:15.8)
Mm. Mm.

Matanber (01:17:18.688)
The way I ended up doing it was very complicated, but we're gonna go through like the thought process so I had the HTML injection working on my account

So the first step to have the victim see that page is to have them log into my account. So that's like a must have. So what I ended up using on that specific target, they had SSO functionality, which is awesome. You love to see it. Yeah. It's very interesting, not only from like a client side hacking perspective, just generally, there are a lot of different attack scenarios with that.

Justin Gardner (@rhynorater) (01:17:48.461)
You'd love to see

Matanber (01:18:00.176)
and you can use it just like as a login CSRF by design. Like I've used that on a few targets, just like using the SSO as a login CSRF, and you could also use it in some cases as an open redirect. But anyways, so the first step of the attack was to use the...

SSO to log in the victim to your account, and then you redirect them to the page where we have XSS, and then the XSS would trigger. Which is already great, but we don't like have access to their session because it triggers on the attacker session. And usually what you will do in this case, in those sort of situations,

And I think you talked about it on your episode with Youssef Sammouda, which is a great hacker. Yeah, but what you usually do is like you open a window to the vulnerable site before you log them out and then

Justin Gardner (@rhynorater) (01:18:57.407)
Amazing.

Matanber (01:19:11.014)
do the whole attack, you open, you log them out of their account into your account, then you access it and everything. And then once you have code execution in the vulnerable origin, you take over the page that you opened in advance and you leak sensitive stuff from it like access tokens, et cetera. That does have some limitations though. In this case, what I was trying to do, the XSS was in a

Justin Gardner (@rhynorater) (01:19:34.861)
Right, right.

Matanber (01:19:41.938)
And I didn't have any super sensitive data in the subdomain. It did have sensitive data, but I didn't have a way to impact integrity from that subdomain. The only thing I had was like, it had a CORS policy that trusted that subdomain. So if the XSS were to run in the victim session,

I could use it to like send fetch requests to sensitive APIs and stuff and as the victim in their session. So I had to make it execute in the victim session. Like I couldn't use any weird trick of like.

on the attacker session, but you have a window and stuff, I had to have it actually in the victim session, which forced me to get a bit more creative. And I'm actually very glad that that happened, because the trick which I ended up using was kind of like pretty globally applicable. There wasn't a ton of target-specific stuff. Yeah, I'm getting there. Okay, so what I did, once the victim is logged into the attacker's account,

Justin Gardner (@rhynorater) (01:20:29.036)
Oof. This is tricky.

Justin Gardner (@rhynorater) (01:20:43.172)
Tell it to me then Matan, come on.

Matanber (01:20:53.744)
first thing I did was wipe all of the cookies using a cookie jar overflow, which by the way, I was trying to use your little page that counts how many cookies you have and it doesn't work on Firefox. It completely like loops indefinitely. Anyways,

Justin Gardner (@rhynorater) (01:21:14.242)
What? Are you kidding me?

Matanber (01:21:20.306)
And I was checking it on Firefox because the triager was using Firefox for some reason. Anyways, once I wiped the cookies, the victim is now logged out of all of the accounts. But I still have a JS execution because it's still running the script that I have provided. So now...

the situation that we have is like we have JavaScript execution in a subdomain and the victim is logged out of all of the accounts. So then what I did, before all of the attack, as the attacker I would take note of the session token value that I have. And then,

during the attack, after I log the victim out of all of the accounts, I then set the cookie and set it with like a specific path. So it takes precedence, precedent, precedence, I don't know. So it takes precedence, and I provide, I fixate like the session to the session that I have taken in advance. Yeah, so

Justin Gardner (@rhynorater) (01:22:18.157)
Either one.

Justin Gardner (@rhynorater) (01:22:29.944)
Wait, but how do you have access to the session token? Is that HTTP, it's not an HttpOnly variable? Or a

Matanber (01:22:37.001)
No, it's like, it is, but what I did is I cleared all of the cookies, right? And then I just put my own cookie that isn't like HttpOnly. The server doesn't know it's not HttpOnly. It looks the same to them, right? And what I did is I take that session, the attacker session, and I put it.

Justin Gardner (@rhynorater) (01:22:57.348)
That's hilarious.

Matanber (01:23:03.964)
on the like specific part of the vulnerable page and I fixated on the victim's browser. So now what happens is every time the victim navigates to that specific page, the session that the server is actually gonna pay attention to is gonna be the attacker session. So now it doesn't matter what's actually going on in the browser though. For that specific endpoint, the victim is logged into my account.

So now the next step was to make sure that the victim was logged into their account for every other endpoint. And this is where it gets actually pretty crazy. I made sure that the exploit can work only with like, with,

Matanber (01:23:55.056)
a malicious like the payload in the location. So I didn't have to make them navigate to an attacker's page or anything just in the location, which is why I had to investigate like all of the different ways to get malicious input. And then once I got it to work only with location information, what I did once the session was fixated on everything, I found the session, I found the cookie on the application that

Once every time the victim logs into the account, the server checks that cookie and uses it to figure out where the victim should be redirected. It was actually happening on the client, but anyways, that was like the idea. So the functionality there was like if you try to navigate to some page, but you're unauthenticated, so it redirects you, saves it in the cookie, and then once you log in, it redirects you back.

Justin Gardner (@rhynorater) (01:24:40.76)
This is insane.

Matanber (01:24:54.652)
So, how I abused this cookie? It didn't allow any origin, but it allowed like origins of the... it allowed like redirection to...

to pages of the application. It didn't allow me to redirect to an attacker's page. But what I did that I fixated in the victim's browser, also with a specific path so it gets precedence. I fixated the cookie that makes the server redirect them. The next time they log in, it makes the server redirect them to the vulnerable page.

and it also puts the payload in the hash of the page. So now, the whole attack flow, I'm gonna go through it from the beginning because it's hard to keep it all in mind. The victim is peacefully using the application with their account. Now they navigate to the malicious page.

Justin Gardner (@rhynorater) (01:25:52.12)
Hahaha!

Matanber (01:26:01.42)
the malicious page, actually in an iframe, I didn't even have to do a window.open or anything, logs them into the attacker's account. Now it redirects them to the vulnerable page where they get XSSed. That vulnerable page logs them out of the attacker's account by clearing all of the cookies with a cookie jar overflow, and then it fixates the attacker's session for this specific vulnerable page, and it also fixates the redirect cookie.

And then the page just redirects the victim to example.com or anything. Now the victim forgets that the attack even happened after like a few days or something. I made sure that the cookies would last up to like five years or something. In case the victim wants to like go on vacation in the meantime or something.

Justin Gardner (@rhynorater) (01:26:43.694)
Hahaha

Matanber (01:26:52.14)
The next time the victim tries to use the application, they don't have any session cookies, and this is actually the reason why I made sure to clear all the cookies, so they won't like be logged into an attacker's account all of a sudden. So now they get redirected to the login page and then they log into their account. But now, instead of getting redirected back to where they came from, the cookie that we have set takes precedence and the server actually tells them that

Justin Gardner (@rhynorater) (01:27:04.994)
Right, right.

Matanber (01:27:21.68)
they should now be redirected after logging in to the vulnerable page with a payload in the URL. So now they get redirected back to the vulnerable page and that page, specifically in that page, they are logged in as the attacker because in that page we have fixated the cookie. So for that specific page and that specific page only, the cookie that will take precedence is the attacker's session cookie. So now,

the situation that we have, we have a little bubble, the vulnerable page, where the victim is logged into the attacker's account and can see the self-XSS and everything, and in every other page they are logged into their account, and now I can fully exploit the CORS misconfiguration and interact with the APIs as the victim. That's it.

Justin Gardner (@rhynorater) (01:28:14.686)
Matan, that is disgusting. That is an amazing vulnerability, dude. Holy crap. That's like a brand new way. So, hold up for a second.

Matanber (01:28:18.342)
Yeah, and I mean

Matanber (01:28:25.982)
They gave me like a 4k bonus which was really great.

Justin Gardner (@rhynorater) (01:28:28.97)
Yeah, I imagine they would. So that's like a whole new way to exploit login CSRF. my gosh, or self XSS. Okay, so you need a couple of gadgets. You need the ability to redirect somebody after they log

Matanber (01:28:36.429)
And I found that whole chain in like a few days. Yeah.

Matanber (01:28:47.934)
with the cookies.

Justin Gardner (@rhynorater) (01:28:49.881)
And then that's

Matanber (01:28:51.86)
Yeah, and a way to login CSRF, a way to login CSRF, but that you already have to exploit the self-XSS. So yeah, the only additional gadget.

Justin Gardner (@rhynorater) (01:28:53.442)
Wow, that's very common.

Yes.

Justin Gardner (@rhynorater) (01:29:01.144)
Wow dude, that's really creative. Okay, let me just repeat it back to you one more time so I can make sure I got it. Okay, so you got the login CSRF to self-XSS. You use the self-XSS to clear all the cookies and set a redirect cookie that has the payload in it. The user then goes to login with their browser primed for this whole thing. It automatically redirects them. no, you fixate the attacker session also.

with the path variable that takes precedence. And then when they go to log in, they get redirected to that page because of the redirect cookie. On that page, they are only that page. They are logged in as the attacker because of the path limitations. And now you just have regular XSS. Holy crap, dude, that's amazing.

Matanber (01:29:39.808)
Yeah, and now you have just regular XSS.

Matanber (01:29:49.633)
Yeah, and I mean that gadget is super common like you see all the time like putting a path or even like some session code or something in the redirect cookie so the server knows where to redirect you. Yeah, and local storage is also something that you as the attacker but only if it's like same origin but anyways as the attacker you could like set like set and forget basically

Justin Gardner (@rhynorater) (01:30:02.54)
Or even like a local storage variable oftentimes is used as well.

Justin Gardner (@rhynorater) (01:30:09.791)
Mm -hmm. Mm. Yeah.

Justin Gardner (@rhynorater) (01:30:16.29)
Yeah, or if you can find a gadget to inject it into the local storage situation, that would be really cool too. Wow, dude, that's an amazing technique. I'm really glad you shared that. That is a very high value share. That, path? Yeah. The path attribute, man, on cookies is so powerful. That is...

Matanber (01:30:30.75)
I'm not sure I'm glad I shared that but yeah.

Matanber (01:30:38.676)
Yeah, it's clutch. And also the domain, the fact that you could set like cookies for domains that you shouldn't have access to. Like, yeah.

Justin Gardner (@rhynorater) (01:30:47.488)
Super, super powerful. Wow, dude, yeah, you're absolutely right. We are not gonna get through anything in this doc today. Okay, so we're gonna move all of the browser extension hacking stuff to a different day, I think. And we're just gonna focus on, for this episode, we're gonna focus on the rest of your reports that you've got here, and then maybe we'll do some brainstorming about, yeah, okay. So that was sick.

Matanber (01:31:11.464)
Yeah, there's some very interesting stuff there.

Justin Gardner (@rhynorater) (01:31:18.069)
What, what other ones you got, man? Like, keep on, give me, give me another one. Do it again.

Matanber (01:31:22.912)
Yeah, so I'm already running out of breath, but yeah, do you want to do this one or maybe another one? Yeah, it's not simple, but we can do it. Yeah. Alright, so what I had there, this is a bug that sort of combines OAuth with

Justin Gardner (@rhynorater) (01:31:32.652)
Yeah, do that one. That one's great.

Matanber (01:31:52.18)
cache deception, which is something that you don't really see together very often. This was actually in a live hacking event, so it was very fun to find, and I didn't actually get a show and tell for that one. I got a show and tell for a more boring bug. But what happened there, there was an OAuth flow that let you, in the redirect URI, you could put

it checked whether the redirect URI had a certain prefix, but which is like the domain that they trust and then a specific path where they expect the callback to happen. But it only checks if it starts with that prefix and you could put like path traversal payloads in the rest of the redirect URI.

So then what I had is like the ability to in the domain where the callback URL should be, like make the code landing every page on that domain, whatever path I wanted. And then I noticed that domain.

If you hit the root like URL, like just slash, it would redirect you to some legitimate domain, like to some domain that had some UI and stuff. This domain was like more of an internal API.

So it would redirect you to the main page and it had some cache in front of it. And I noticed that if I kept hitting that URL, I would get cache hits. So if I went to like slash and I sent a request, the first request would be like a miss. And then if I kept sending them, I would get hits. And then I tried like going to slash A equals B and I send it and I keep getting hits after

Matanber (01:33:49.792)
send it. And then what I realized, that was actually very interesting, is that in the cache key the URL parameters weren't actually included. So what happened is if I like went to slash a equals b and then I hit it once and then I changed it to like a equals c, or even just removed the parameters completely, I would get the same response.

And that response was a redirect to https://legitimatedomain.com slash a equals b. So now what I could do, and what I actually did, I just made the victim navigate to the...

Justin Gardner (@rhynorater) (01:34:24.849)
my gosh.

Matanber (01:34:36.436)
to the OAuth URL with the redirect URI as legitimate path slash callback and then a lot of like path traversal sequences. And then what happened is the victim navigated to that URL, got redirected to internal API domain slash and then all of the parameters. And then if, right after he got the redirect response, I would, from the same like region or whatever, I would send

a request to just internal API path slash, I would get the cached response that included the redirect and included the actual URL parameters. Now I could just leak the code and ATO them.

Justin Gardner (@rhynorater) (01:35:21.806)
Dude, that is such an uncommon situation. I have never seen a scenario where the cache key doesn't include the query parameter, but the response contains the query parameter that you put in the, what, that's so weird.

Matanber (01:35:28.946)
Yeah. Yeah, and I mean, it's...

Matanber (01:35:35.346)
Yeah, and I mean the cache should always include the search. If you were to put like a cache buster on some specific endpoint, you would put it in like the location search, like the search parameters. I have no idea why the cache didn't include that, but I mean, yeah.

Justin Gardner (@rhynorater) (01:35:50.274)
Right, right.

Justin Gardner (@rhynorater) (01:35:56.558)
So what you would do is you'd craft a scenario where it would launch an OAuth flow, hit the path traversal, hit this internal, or this like, you know, API domain where it has the weird caching, and then maybe hit a path that's like a unique ID or something like that, and then have the user's authorization code or whatever attached to that, and then you as the attacker would hit that endpoint afterwards and grab the code and log in. my gosh, dude.

Matanber (01:36:21.693)
Just leak it. Yeah, and I mean, the bug class is called cache deception, but I didn't have to do any deception in this case, you just cached it for me.

Justin Gardner (@rhynorater) (01:36:30.454)
Yeah. Hey man, would you mind caching this? Don't include the query parameters. It's fine. Just how it is. That's great, man. That's so funny. Wow, dude. I think this is a really good example of how you use chains really effectively, right? Is because you're noticing all of these little niche caveats in these various primitives that you have across the scope.

And then you say, okay, you this primitive allows me to leak query parameters. And then you find a way to, to, you know, land those query parameters on the actually, so let me ask you this. Did, which one of those did you find first? Did you find the path traversal or the query param caching?

Matanber (01:37:09.652)
Yeah, yeah, I was gonna say, I found the path traversal first, and then I tried to look for ways to leak it from that domain. And that domain, it didn't have any functionality like except, or barely any functionality except that callback URL, but I mean, sometimes the functionality that you forget even exists, like a cache and the redirect.

Justin Gardner (@rhynorater) (01:37:38.316)
Yeah. Any, any functionality except for this over-eager cache. Like I can cache that. I can cache, you want me to cache that for you? That's hilarious. Wow, dude. Okay. Very cool. And I'm wondering, I'm wondering, did you, did you find this path traversal and then end up on this domain? And then did you search, search, search until you found this primitive to allow you to leak the, the query parameters, or did you like move on to other things and that sort of thing?

Matanber (01:37:42.493)
Yeah.

Matanber (01:38:05.156)
I kind of stumbled upon it pretty quickly, which was like pretty lucky. And I never like run...

Justin Gardner (@rhynorater) (01:38:10.238)
Mm. Mm.

Matanber (01:38:19.752)
I didn't run like any cache deception tools or I don't even know if those tools exist, but like I didn't run any tools on it. I was just trying to check if there was any weird behavior there. And I stumbled upon it pretty quickly because it was like other than the callback URL, it was the only other URL I found that actually did something.

Justin Gardner (@rhynorater) (01:38:44.063)
Wow, dude, that's nuts. What a crazy one. Let's move from there. Let's go to this 673 one, and then we can talk a little bit about Dumblogger.

Matanber (01:38:55.996)
Yeah, I'm glad you skipped the... I'm glad you skipped the other one because that one is complicated. Yeah, though, it... yeah, it is... it was just disclosed. It's a bug on GitLab that has to do with VS Code. I'm gonna try to make it sound as boring as possible so you don't... so you don't get sorry that we missed it, but...

Justin Gardner (@rhynorater) (01:39:01.6)
Yeah, well, I'll mark that one for next time. I'm not gonna let you get off the hook without that,

Matanber (01:39:23.644)
It has been disclosed on GitLab now, so if you have to check it out as soon as possible, you can do that. In the issue tracker.

Justin Gardner (@rhynorater) (01:39:30.284)
Okay, there's two report numbers. Which report number is it?

Matanber (01:39:37.28)
And the one that got disclosed is the one that I wrote the CVE for. But the report isn't actually disclosed on HackerOne. I asked them to disclose it, but they didn't do it yet. But you can just, the Web VSCode XSS is a link. I linked it to the GitLab issue, so you can put it in the description or something. Yeah.

Justin Gardner (@rhynorater) (01:39:42.208)
Okay, gotcha.

Justin Gardner (@rhynorater) (01:39:56.128)
Okay. We'll put that in the notes, the one that the bug explanation that we're skipping so that you can go and read that. All right. Tell me about this. So this is exactly what we were talking about earlier actually with DOMLogger++ hooking the URLSearchParams prototype .get, right?

Matanber (01:40:03.048)
Yeah.

Matanber (01:40:13.972)
Yeah. So it was an issue in like a big company. We chose you like the, the mistakes that some companies can make. it was, and I'm actually surprised that nobody else found it, but I was just looking through some, and it wasn't even a very weird,

endpoint. It was like an endpoint that gets visited all the time, like one of the main endpoints of the main app. And I just looked through the DOMLogger

Justin Gardner (@rhynorater) (01:40:39.064)
Mm -hmm.

Matanber (01:40:46.236)
logs, and I hooked like the exact same thing we talked about, like the URLSearchParams prototype get and has, just to see which parameters they're trying to see. And there was just a parameter named dev, so of course I tried to look into that and what, yeah, and what that parameter was doing. It accepted a URL to some JSON config file

Justin Gardner (@rhynorater) (01:41:04.606)
Very interesting.

Matanber (01:41:16.404)
that config file had... Yeah, yeah, and that config file had the property of a JS file, and that JS file was loaded not in the same origin, in like some sandbox origin.

Justin Gardner (@rhynorater) (01:41:18.872)
Your heart is beating fast at this point. When you see it like loads of JSON config file, you're like, yes, yes, yes.

Matanber (01:41:35.494)
in, but in a worker and then they communicated with that worker and stuff and I managed to get some target specific impact out of that communication. but yeah, that was interesting and it was like a free bug.

Justin Gardner (@rhynorater) (01:41:46.19)
Very cool.

Justin Gardner (@rhynorater) (01:41:50.828)
Yeah, dude, I can't believe I can see here where you found that in the doc. We won't disclose it, but that's crazy because that's got to be one of the most assessed pieces of code out there. So, wow. That really just speaks to the power as well of DOM logger++ and how little introspection...

Matanber (01:42:00.926)
Yeah,

Justin Gardner (@rhynorater) (01:42:15.394)
the majority of hackers have into what's happening in their browser. And I think that's one of the things that I really wanna work with the community to change. Kevin, dude, Kevin is carrying us all on this front.

Matanber (01:42:24.508)
yeah because yeah and because just so much stuff happens like so much stuff and you couldn't go through all of that manually if you wanted to and like it changes all the time and stuff you couldn't go through that manually yeah

Justin Gardner (@rhynorater) (01:42:45.698)
Yeah, so it's so important then to have a built-in, I mean, this is literally an essential tool, I think. And the master class that we did in the pod, in the Critical Thinkers channel, it totally changed my perspective on how to use DOMLogger++. And I went that same day, even though I was in the middle of a live hacking event, and I wrote some config files for it because it's that impactful. And what I'd really like to see happen in the

Matanber (01:43:07.482)
Yeah.

Justin Gardner (@rhynorater) (01:43:10.948)
term in this sort of client side arena is to have a tool that's similar to like Caido or Burp, right? Something, a proxy of sorts that allows us to see what's happening at essential areas of our browser as far as security assessment goes.

Matanber (01:43:23.86)
Yeah, and I think that would require like, at a certain point you start to run into limitations of the browser. Kevin already managed to do that with his extension. I think that would require like a fork of Chromium or whatever, which can be hard to maintain. But it may be worth it. Yeah.

Justin Gardner (@rhynorater) (01:43:40.996)
Yeah, super hard. It might be an enterprise-grade product, to be perfectly honest, and I would pay for it gladly. I think that there's definitely some... And DOM Invader does this to some degree, but I'd much rather have something that just lets me know what's going on rather than alert on some things.

Matanber (01:43:56.2)
Yeah.

Matanber (01:44:00.498)
independent and that's yeah and that's like more independent like I don't like it when tools are too like monolithic like yeah

Justin Gardner (@rhynorater) (01:44:13.816)
Mm, yeah, locked into their environment.

Matanber (01:44:15.334)
So having to open up Burp to open the browser to do client side testing. And you can't turn on and off the proxy for that browser. And the Burp browser that has the, what's it called, the DOM Invader extension, yeah.

Justin Gardner (@rhynorater) (01:44:31.576)
Yeah, built into it, yeah. Yeah, I agree. So I think we need an outside product and it would be really cool if Google would just give us like a, you know, a setting or something like that, a flag, yeah, where we could go in and just, because we were discussing with Kevin in the master class, like.

Matanber (01:44:43.004)
A flag or something.

Justin Gardner (@rhynorater) (01:44:49.124)
there's not really a way for us to overwrite document.location.href and proxy that using the Reflection API. So I think a feature flag for that would be really, really helpful and allow extensions or whatever to hook into that and gain introspection there. So what I wanted to do with this last little segment that we'll do here is just kind of discuss what kind of things we would want to see.

Matanber (01:44:55.39)
Yeah, the like, setter for that,

Justin Gardner (@rhynorater) (01:45:18.358)
in that client side heads up display. I'm sort of in-pictioning, I'm kind of envisioning a, that's not a word, envisioning a separate application that's linked into the browser via an extension, right? And that's giving us introspection into everything that's going on in the page. And you can sort of do this with DevTools already, but I think it'd be helpful to have it be an external application. Yeah.

Matanber (01:45:40.746)
But even DevTools is limited. I think DevTools also needs a Chromium fork. Sometimes, yeah, sometimes, especially like I mentioned earlier in the network tab, it has requests that it just tells you, I can't find that. When you try to look at the response, tells, it says, I can't find the response to that request.

Justin Gardner (@rhynorater) (01:45:46.658)
Yeah, seriously.

Justin Gardner (@rhynorater) (01:46:04.94)
Like why? Like I see it here. Like what, where did it go? Did you lose it? Like, yeah. So it's, that's definitely a tricky part there. here's, here.

Matanber (01:46:10.094)
Yeah.

Matanber (01:46:17.064)
Yeah, and I actually, really liked that section. I think it's like very creative. And it's actually, it would be very useful to see, definitely.

Justin Gardner (@rhynorater) (01:46:22.637)
Yeah, so.

Let's kind of talk about what we'd like to see there. A couple things that came to mind, of course, is gonna be changes in registered handlers. Like, for example, a, we'll often run into a scenario, and this is actually the sort of scenario where I'm finding a lot of post-message vulnerabilities nowadays as it's becoming a little bit more mainstream, is it's dynamically generated, you know, and you've got either a user clicks on something and then it opens up a post-message listener or it's a temporal.

Matanber (01:46:43.722)
Well, it's like temporary.

Yeah.

Justin Gardner (@rhynorater) (01:46:55.352)
post-message listener that just gets registered for a short period of time and then gets closed.

Matanber (01:47:00.382)
Yeah, and there are some weird conditions sometimes, like, only if the window has a parent or only if, yeah.

Justin Gardner (@rhynorater) (01:47:09.516)
Yeah, exactly. And so those sort of things, you know, any registration of post-message listeners or new hash event, hash change events is also really interesting because those are ways that you can kind of get, weasel your way in there. What other handlers do we have?

Matanber (01:47:24.249)
Yeah, and that that kind of ties into

what I call like universal sources, which is something you have like in client side hacking, it's like sources of input that exist at like the browser level and exist for every target, almost every target unless they're using Cross-Origin-Opener-Policy, unfortunately. But anyways, yeah, so all of those are like essential to see.

Justin Gardner (@rhynorater) (01:47:48.802)
Right. Yeah.

Matanber (01:47:57.092)
in any type of client side heads up displays, heads up display. So like a hash change event or a post message event, or even, and this sort of references some research done by Spaceraccoon, a paste event.

That might require some more exotic user interaction, but you could make a user like paste attacker controlled input somewhere or maybe, and I didn't write it in the doc, but it's also applicable, a drop event like for a drag and drop. Yeah, you could like make user drag something and then open up a new window and make them drop it there.

Justin Gardner (@rhynorater) (01:48:35.23)
Mmm, a drag drop event.

Justin Gardner (@rhynorater) (01:48:43.864)
Yeah, I think that's really easy to actually have happen to be perfectly honest, you know, and maybe there's a specific set of people that you couldn't target, you know, but like there's so many browser games where it's like, you know, drag this thing or like, do you know, and I think it's really, I think it's likely that you could get someone to do

Matanber (01:49:04.296)
Yeah, it's all about like the way you present it. There are like a lot of cases like maybe upload the file or I don't know. I'm sure you could somehow convince me to drag and drop something.

Justin Gardner (@rhynorater) (01:49:19.34)
Yeah, yeah, it should be pretty simple. It does make me wonder then, when does it cross the line of, if you have a compliant user, then you can just sort of make them enter their creds into your site or whatever, right?

Matanber (01:49:33.114)
Yeah, that's what I don't like about CVSS. One of the things I don't like, are many, but like the fact that user interaction is binary. for me as a hacker, once I get like, once my exploit needs a victim to navigate to my site and I already have like user interaction required, I've already paid that cost. I can just like go crazy with it. Like click here five times, like

Justin Gardner (@rhynorater) (01:49:44.03)
Mmm, yeah.

Justin Gardner (@rhynorater) (01:50:01.636)
Stand up, do a dance, you know, like do the hokey pokey. Exactly, exactly. Yeah, I think I record a pod with the victim.

Matanber (01:50:03.068)
this and drop it here like yeah yeah open up your webcam and give me permission yeah record the pod with the victim

Justin Gardner (@rhynorater) (01:50:21.508)
That's hilarious. Dude, if Riverside had a program, that would definitely be like a good one. It was like, you have to get the victim on your podcast and then you can... man, just a couple more minutes. My exploit takes two hours to work, so we're gonna have to... Right, leaking all your sensitive techniques character by character.

Matanber (01:50:30.704)
Haha

Also, that's the reason I'm here, yeah. Yeah. Yeah, your exploit was leaking... XS-Leaks all the time. I'm already leaking it in my Discord chat with you, yeah. It's fine.

Justin Gardner (@rhynorater) (01:50:50.955)
No, that's good, man.

Right, exactly. All right, so yeah, the other thing obviously is like post-message conversations. That one's pretty great. Have that with, yeah, absolutely need to have that. And I think that would be, it would be cool to have a nice user interface for that too. To be honest, I would totally pay for this product. Like if this was, you know, I would pay $50, 100, I mean, I don't pay for much, but I would pay $50 a month for a product that really nailed this.

Matanber (01:51:02.75)
Yeah, that one's essential, yeah.

Matanber (01:51:18.888)
Yeah, definitely.

Justin Gardner (@rhynorater) (01:51:21.282)
you know, something that makes post-message conversations really easy to follow and easy to track. New frames that are popping up on the page. Like, mm.

Matanber (01:51:30.13)
Yeah, and that one I actually really liked because I personally have found myself like, catch myself missing that a lot of the time. The way I like check which frames are available, just like after the page is finished loading, I just go through the elements and see which iframes there are. But in many cases, an iframe just like pops up and

Justin Gardner (@rhynorater) (01:51:57.913)
Mm -hmm.

Matanber (01:51:58.874)
gets removed and that sort of stuff and then I just notice like in the post message tracker which sort of like logs post message listeners and keeps them logged in after you like

close them or remove them, I noticed like some frames that I didn't even see in the page. And that is something that a person I am currently missing all the time, I'm sure. So even, yeah.

Justin Gardner (@rhynorater) (01:52:28.226)
Yeah, I'm sure there's ephemeral bugs like that, especially in reauthorization flows. When you get to a page, you know, it's very common for them to like, let me just pop up in this iframe and do some like OAuth magic in here to like get my, session token back out and then delete the

Matanber (01:52:40.162)
Yeah,

Justin Gardner (@rhynorater) (01:52:44.866)
So I think that that could be pretty common. And I think also a great way to see the frames is just sources and then on the left-hand side, you know, where in the page tab, you know, you have like all

Matanber (01:52:54.782)
it logs also the frames that are removed.

Justin Gardner (@rhynorater) (01:52:57.693)
It doesn't log the ones that are removed, but it does allow you to show the ones. So if you have that open when you navigate to the page, you'll see it sort of like blip open.

Matanber (01:52:59.688)
Hmm. Yeah. like we just said, in the application tab. Yeah.

Justin Gardner (@rhynorater) (01:53:07.862)
in the application, will it, will it do it in the application tab too? Yeah, it will. But it, doesn't, that doesn't include ones that were ephemerally. I'm talking about in the sources tab, dude. So click, click dev tools, go to sources. And then you see on the left-hand side where it says top. So it will show the other frames over there as well. If you have an iframe on that page.

Matanber (01:53:15.548)
Mmm. Yeah.

Matanber (01:53:28.753)
And even ones that were like popped up and removed?

Justin Gardner (@rhynorater) (01:53:32.746)
No, not that. Yeah. So just normal ones. Just ones that are currently in the page. Yeah. So if you click this link.

Matanber (01:53:39.346)
Yeah. So I just like control F for iframe.

Justin Gardner (@rhynorater) (01:53:43.734)
Yeah, yeah. That'll do it too. So new frames. What do you think about local storage slash session storage read and writes? I feel like that's a little bit niche, but.

Matanber (01:53:54.012)
It's definitely, yeah, it's more niche. It's pretty rare to have gadgets that let you control it. A bit lesser to have gadgets that let you control some part of it. I actually have one I can show it to you in the LHC scope, a certain like local storage.

Justin Gardner (@rhynorater) (01:54:20.356)
pollution.

Matanber (01:54:22.228)
Yeah, like a specific setting, a specific key that holds like a JSON object with some settings. There's a listener that lets you set it. But I have been actually, it's pretty tough to see like where they're using it. So maybe this could also be implemented with maybe a DOM logger config, but it would be very noisy, like logging.

Justin Gardner (@rhynorater) (01:54:30.355)
Ooh.

Justin Gardner (@rhynorater) (01:54:48.715)
Mm. Mm.

Matanber (01:54:51.048)
which also might be a problem with like a heads up display like that, that local storage gets used all the time with all sorts of different keys and it's gonna be pretty noisy, but if you grep for like a certain key, it will be fine.

Justin Gardner (@rhynorater) (01:55:09.624)
Yeah, and I think also CSPT, like Tracker, the tool that we have in the Critical Thinkers Discord, what that does is it looks at the path, the query parameters, the hash or whatever, and then it traces those values into fetch requests or XHR requests or iframes that are happening as sub-resources. And I think something similar could be implemented here. Unfortunately, there are some frameworks that just literally put the current page

in a local storage, you know, cell or whatever. So that would be super noisy. But like being able to trace values from like, okay, you know, this was in the hash and now it's in the local storage. That should be pretty high signal, right? From the hash or from the query parameters.

Matanber (01:55:43.454)
Yeah.

Matanber (01:55:51.132)
Yeah, and I mean, I think, I think actually, yeah, I think actually the CSPT extension is maybe like...

one specific use case of that technique. And once you have it built out like you have it in your CSPT extension, I think it's gonna be very valuable to generalize it a bit, add iframe source, setters, location, things, basically the universal things because browsers, they have the universal sources, which is what we talked about.

location search, location in general, and post messages and all of that good stuff that we want to have visibility into. But they also have like global sinks.

So if you already have the ability to trace some of the sources, maybe not all of them, because something like post messages will be very hard to trace. But if you have it built out like you have it with the extension, I think it's gonna be very interesting to start adding some other things into that.

Justin Gardner (@rhynorater) (01:57:04.354)
Yeah, it gets a little bit less high signal though when we do that. That's really tricky part for this heads up display. If someone were to take on this project, the biggest challenge would be figuring out what is high signal and then also making sure that your users can customize the extension in the app thoroughly to their preference.

Matanber (01:57:08.018)
Yeah, it definitely does,

It's a balance.

Matanber (01:57:23.24)
Yeah. So it doesn't end up like, Burp issues, basically. Like... Yeah. This page doesn't have a secure, whatever.

Justin Gardner (@rhynorater) (01:57:27.212)
Yeah, exactly. Exactly. You said it, not me. You know, like, exactly. But yeah, so I

But you know, it's interesting though, because James had a point, James Kettle had a point when we were discussing something recently about the new character set, yeah, the char set thing, research that came out recently.

Matanber (01:57:49.44)
Charset, yeah. Yeah, I did see that logged in the, the Burp issues. That's actually useful.

Justin Gardner (@rhynorater) (01:57:56.674)
Yeah, what was that? Yeah, Sonar Research came out with that research on essentially being able to dynamically change the character set and convert backslashes into yen symbols. Amazing, but not as common as you would think it is because almost all pages are actually specifying the character set that's being used. But James, when we were discussing it, James kind of popped in and said, hey,

Matanber (01:58:02.856)
Yeah, it's a banger blog post.

Justin Gardner (@rhynorater) (01:58:22.66)
Um, you know, Burp has been alerting on the fact that there is not a specified character set, uh, by default for like 10 years. And I was like, okay, well that's really interesting. And that is a cool call

Matanber (01:58:30.257)
Yeah.

But it got lost in all of the other... Logged issues. Yeah.

Justin Gardner (@rhynorater) (01:58:37.356)
Yeah. But it makes you wonder, you know, how many of these little issues like can be chained together and can be furthered a little bit more and applied.

Matanber (01:58:45.616)
Yeah, I mean, I'm sure it's not as easy as I make it sound. And I'm sure if I was a developer of Burp, I would have done a worse job. Because it's a very hard issue. I, I don't judge them for

Justin Gardner (@rhynorater) (01:58:55.256)
Mmm,

Matanber (01:59:02.928)
it being a bit noisy and I mean, for what it's worth, they do have some feature that lets you like sort by, they have severity for every issue and they also have confidence, which I really like, I think it's good design, so yeah. So you might have like, I don't know, the scanner thinks that there's an SQLi in there, which you would like be very interested in, but it has different levels

Justin Gardner (@rhynorater) (01:59:15.881)
I like that too.

Matanber (01:59:32.802)
like how confident it is. So if it only saw like an error message that looks similar, well I don't know how it does it, but like, then you might have it be like a critical issue, but have it be like low confidence, which is a good design.

Justin Gardner (@rhynorater) (01:59:52.066)
Yeah, I totally agree. I really like that design from Burp. All right, so yeah, and I think just going back to the conversation of like, this kind of needs its own Chrome fork. I really do think that if someone was to build this, it would be, there needs to be some way to grab introspection into, you know, window.location.href or whatever. Because I think that would be extremely valuable and would further the product.

And sort of the reason for that is we really just want to know what inputs we have to a specific client side path, right? And, you know, hooking URLSearchParams is great, but URLSearchParams hasn't been around forever. So we really need, you know, access to window.location.href custom parsing, which should be able to be done if we can override, if you can apply, you know, the proxy to that actual attribute, which you can't by default in Chromium.

Matanber (02:00:34.558)
Yeah.

Justin Gardner (@rhynorater) (02:00:49.528)
I don't know, maybe we need to hit up the guys at Google and be like, hey, look, can you just make this happen, please? Like, this would be huge.

Matanber (02:00:49.866)
So... So I'm currently...

You sort of reminded me of this with the encoding differentials research from Sonar. I saw there was one Wikipedia article, which I'm currently trying to find. We're gonna add it to the description later, but that has sort of a list. I don't think it's a comprehensive list. There weren't a lot of different char sets in there, but it's just a list of a few different char sets and the escape sequence that you can use

change into those char sets and for my testing, all of the ones that I've tested from that article have worked. So it's definitely because the article only lists a few, like maybe two, but the research can be generalized to a few more char sets if you need them for some reason.

Justin Gardner (@rhynorater) (02:01:52.75)
Wow, dude, that's pretty sick. Like if the certain application supports it or something like that, that's pretty rad. All right, dude, I just realized that I miscalculated the time that I needed to end this podcast at, and I am late to the airport. So I've got to go. Yeah, I think we will come back to all of this. I think we'll come back to this one next time too. So I'm gonna highlight this one for next time.

Matanber (02:02:07.954)
Oof. Yikes.

Matanber (02:02:17.286)
Mmm. Yeah.

Justin Gardner (@rhynorater) (02:02:22.41)
And Richard, if you can move this to a doc, that would be great. I just, I love, I love Critical Thinking Podcast, man. I'm just like talking to my, to my editor, like right on the pod live. Man. All right. Well, Matan dude, thanks so much for coming on, man. It's been a blast. I could talk to you for hours.

Matanber (02:02:29.44)
To your minions, yeah. Yeah, it's been great. Yeah, definitely. Me too. Yeah, thanks so much for inviting me on the pod, it's been really fun.

Justin Gardner (@rhynorater) (02:02:42.5)
I will see you in Vegas in a couple weeks, right?

Justin Gardner (@rhynorater) (02:02:49.538)
Oh man, it's always a blast. Alright, talk to you soon. Peace brother.

Matanber (02:02:52.114)
See ya.