Episode 88: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel tackle a whole slate of new research including a new cheat sheet for URL validation bypass from Portswigger, the introduction of Sanic DNS as a high-speed DNS resolver, xsstools, and the Dockerization of Orange Confusion Attacks.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Find the Hackernotes: https://blog.criticalthinkingpodcast.io/
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Shop our new swag store at ctbb.show/swag
Resources
URL Validation Bypass cheat sheet
Bypassing browser tracking protection
DOM Clobbering
And
https://domclob.xyz/domc_payload_generator/
Timestamps:
(00:00:00) Introduction
(00:02:00) URL validation bypass
(00:07:41) SanicDNS and Orange confusion attacks
(00:20:06) WordPress GiveWP POP to RCE
(00:31:29) Xsstools
(00:43:56) Bypassing browser tracking protection
(00:52:06) DOM Clobbering and mixing up your approach
Justin Gardner (@rhynorater) (00:00.672)
Alrighty, Joel, let me ask you this to start this one out, okay? Have you ever been to the Golden Corral?
Really? You've never been to Golden Corral?
Joel Margolis (00:09.399)
I don't think so. No, I think I've only seen their TV commercials. It's like one of those like 3M commercials. You're like, what?
Justin Gardner (@rhynorater) (00:16.086)
Dude.
Justin Gardner (@rhynorater) (00:20.0)
Dude, so recently, I hadn't been to the Golden Corral maybe like, you know, three or four times in my life. And then we recently started going a little bit. That place rocks, man. You roll up in there and there's like a whole buffet, anything you want, you know, just classic American mentality here, you know? And that, Joel, is kind of like what we got today on the pod. 'Cause we have a smorgasbord, a buffet of different research and news to talk about today.
Joel Margolis (00:49.87)
That was the wildest transition you've done ever. No, no, that was great. That was great. That was crazy. I had no idea where that was going.
Justin Gardner (@rhynorater) (00:51.51)
Not digging my intro, not digging it. Okay.
Justin Gardner (@rhynorater) (01:01.43)
Hey man, the golden corral. That's takeaway number one from the podcast today. All right, man, dude, we got a ton of, I mean, we probably have 12 different things we got on the list today. So I don't know if we'll get through all this, but tell you what, let's not go in the order we have in the doc. Let's talk about this Portswigger Research release first, because whenever Portswigger Research comes out with something new,
Joel Margolis (01:03.372)
We started Golden Corral and we ended that podcast.
Justin Gardner (@rhynorater) (01:30.388)
Gosh darn it, it's gonna be a banger.
Joel Margolis (01:32.014)
Bro, this is actually the best timing ever because I was testing something and specifically I needed a URL validation bypass. And I was like, hey, this is extremely topical. And I just plugged it. So for those who don't know, before I get ahead of myself, Portswigger came out with a new cheat sheet. So they have all these cheat sheets where basically like, you know,
Justin Gardner (@rhynorater) (01:44.33)
Yep, yep.
Joel Margolis (02:02.114)
I think calling it a cheat sheet is a bit of not really doing it justice because it's more like an interactive payload generator, I guess, where basically, you know, they have these for various other scenarios. I think the, yeah, the XSS one is phenomenal. I think that's probably the biggest one that I'm aware of other than this one. I'm sure there's other ones, but the XSS one is great. You basically just say like, I'm on this browser and I'm in this element type.
Justin Gardner (@rhynorater) (02:11.274)
Yeah. Yeah.
Justin Gardner (@rhynorater) (02:16.33)
Yeah, the XSS one is phenomenal.
Justin Gardner (@rhynorater) (02:22.767)
Mm. Mm. Mm.
Justin Gardner (@rhynorater) (02:32.032)
Mm
Joel Margolis (02:32.29)
Give me every payload and it'll say, okay, you can do onkeydown, onkeyup, onload, on hover, on whatever. Right. So that's really awesome. They also made one now for URL validation. So essentially you can put in the target domain that, you know, passes validation. You can put in the attacker domain that you're trying to get to. And then you can set different things like URL encoding, Unicode escapes, whether or not to use special characters. There's, there's IPv6, IPv4, like all these different things. And.
It just spits out a list and you just copy it to your clipboard and you can paste that in Caido. You can paste that in wherever, Burp. I guess I should say since it's for it.
Justin Gardner (@rhynorater) (03:09.046)
Yeah, I guess we should say, so sorry for Twitter team. Well, it's your product. We should lead with Burp this time, paste it into Burp. Yeah, no, but I, yeah, but as far as I know, yeah, can you, can you paste into Burp or do you have to, okay? Yeah, okay. Okay.
Joel Margolis (03:25.942)
I think you can. I'm pretty sure you can paste from clipboard. But anyways, yeah, so basically you get a list of possible options and you can just paste this into your proxy of choice and test all of the different bypass options. It's really, really awesome.
Justin Gardner (@rhynorater) (03:38.162)
It's so nice too. It's really good. It's nice because it allows you to specify an allowed domain name and an attacker domain name as well. So you don't have to like do these like, you know, sed commands to like pop in your domain. And then sometimes they're like encoded a little weird. So it doesn't do it. Like it automatically does all of it, which is super awesome. And then there's various advanced settings as well, including like various IPv4 to IPv6 transformations.
Joel Margolis (04:06.754)
Right, you can have it automatically. Yeah, exactly. Yeah, yeah. Yeah, so very, very cool. Very awesome tool. It also has built into this.
Justin Gardner (@rhynorater) (04:07.07)
Cloud metadata endpoints, just tons of stuff.
Joel Margolis (04:17.91)
it's not just for absolute URLs, right? So like maybe it's for an open redirect or something like that, but it's also for host headers. So maybe you're trying to get access to an internal tool. You're trying to do some vhost bypass. They have host header generation for the same type of stuff. So basically you put in the allowed domain, the target domain that you're trying to hit, and it'll generate you a list of host header options. It also has CORS options. So very, very awesome tool. They made a little blog post about it as well, if you're curious about sort of the background behind it, but
Justin Gardner (@rhynorater) (04:22.399)
Mm-hmm.
Justin Gardner (@rhynorater) (04:30.005)
Mm-hmm.
Joel Margolis (04:48.265)
I'm sure if you haven't seen it on Twitter already you can find the link down below, but very, very helpful tool, especially if you're trying to bypass some URL validation parsing, open redirects, SSRFs, you name it.
Justin Gardner (@rhynorater) (04:53.077)
Yeah.
Justin Gardner (@rhynorater) (05:00.867)
This is so pretty too, dude, because you hover over each one of the URLs, right? Just hover over those and you'll see a name or a bypass categorization for this specific one, why this works.
Joel Margolis (05:16.552)
I didn't even know that. That might be new. I don't think that was there when I first tried this, but this is awesome. Safari allows left parentheses as subdomain: HTTP colon slash allowed dot sub dot left parentheses dot attacker slash. Yeah, these are awesome. It's like, it's like the marriage of Shazzer and, and like, I don't know, cheat sheets. I don't know, like
Justin Gardner (@rhynorater) (05:32.448)
This is really cool.
Justin Gardner (@rhynorater) (05:36.821)
Yeah.
I don't think this is... Shazzer and cheat sheets. Yeah.
Joel Margolis (05:43.884)
Like the fuzz, like the fuzzing side of like Shazzer where it's like, you know, browser specific stuff and all these weird quirks and whatever combined with just like, I have this thing and this thing, get me there. And yeah, it's...
Justin Gardner (@rhynorater) (05:53.524)
Yeah. Well, I was looking at it though, and it's, it's, you know, obviously released by Portswigger Research, but it's created by D4D and it's linked down at the bottom of the, of the cheat sheet. But so it's not even Gareth, and there is like shout outs to Gareth. Like it says in the, the, the, the big thanks to section. The first one on the list is Gareth Heyes.
Joel Margolis (06:15.166)
There's a lot of names on here. I think next time I make a tool I'm just gonna shout out all the people that I like and just hope that they're like, thanks. Big thanks to Frans Rosén, Orange.
Justin Gardner (@rhynorater) (06:20.34)
Yeah, yeah. Yeah, I don't, I've... Anybody who's ever inspired me? No, this is great though. Really, really high quality, quality thing here. Definitely gonna be using that. And man, it saves us so much time too, because there's so much like encoding that you have to do to really like thoroughly bypass things. And you just need that one anomaly, you know? You just need that one anomaly to start seeing some, some weird stuff there.
Joel Margolis (06:49.836)
Yep, yep, absolutely.
Justin Gardner (@rhynorater) (06:50.334)
So, all right, let's see. So, okay, I said on the pod, we can do that. You wanna go down to this one right here? All right, let's do it.
Joel Margolis (06:54.456)
You want to keep the tool chain rolling?
Joel Margolis (07:02.87)
Yeah, yeah, yeah, yeah, yeah, let's talk about this. Okay, so this is really interesting because, geez, I mean, this had to have been before COVID even. I was working with Smeagols on some like random tool and I think there was a tool called like fast.
Justin Gardner (@rhynorater) (07:12.388)
Mm.
Mmm.
Joel Margolis (07:21.474)
dot JS or something, or like fast.sh I think is what it was called. It was like a really old tool and basically it was just like designed to do like DNS lookups in bulk and like detect good DNS servers and whatever. I was like, this is like really slow. Let's, let's make it faster. And so I wrote this tool called fast.py. I think I actually released it on my GitHub. No. Fresh.py.
Justin Gardner (@rhynorater) (07:24.628)
Hmm.
Justin Gardner (@rhynorater) (07:45.664)
Let's see. Fresh.py?
Joel Margolis (07:50.604)
That's what it is. Yeah, fresh.py is, yeah, so it was a remix of fresh.sh. Yeah, fresh, not fast. So fresh.sh basically just fetches a bunch of DNS resolvers, tests them, tries to find a list of good resolvers so that you can do big mass DNS lookups. I was like, this is slow. So I wrote fresh.py, which did it way faster. And then I also have a private version of it, fresh.go. And then I just, thank you.
Justin Gardner (@rhynorater) (08:04.437)
Mm.
Justin Gardner (@rhynorater) (08:17.29)
Very creative naming, Joel, I love that.
Joel Margolis (08:20.332)
I try to be original. Yeah. So I completely forgot about that project. And then, I don't know, like a month ago, somebody tweets out that the company that he founded, co-founder of Hadrian, has this new tool called Sanic DNS. It does. I mean, it definitely blows my tool like way out of the water.
Justin Gardner (@rhynorater) (08:35.764)
Mm
Justin Gardner (@rhynorater) (08:40.128)
you
Well, this is also, this does full resolutions as well. This is like a MassDNS alternative. Yeah.
Joel Margolis (08:46.154)
Right, right. It's not just like, exactly. It's not just like clean resolver finding. It's very like, I mean like, okay, five million lookups per second.
Justin Gardner (@rhynorater) (09:00.448)
Dude, that's insane, man. I feel like the resolvers, I feel like at five million, like, resolves per second, you're just gonna, like, the resolvers are gonna be like, okay, that guy is actually becoming a problem now. Like.
Joel Margolis (09:11.694)
Yeah, it's one of those things where like, so I think the only time I really hit this crux was when I got 10 gig service at my house in California. And when, when you get, here's the thing, here's the thing, when you get internet that fast you realize, yeah, most things actually aren't designed to like work with networks this fast. And I think
Justin Gardner (@rhynorater) (09:19.67)
my god, dude. Here we go again with the 10 gig service.
Justin Gardner (@rhynorater) (09:34.314)
Mm.
Joel Margolis (09:35.95)
you're probably going to find a very similar thing with Sanic DNS, which is that like most DNS resolvers and infrastructure is not designed to do 5 million requests per second. So that's going to, that's definitely going to be something you're going to have to probably work around a little bit. But you know, if you really want to see those types of speeds, that being said, even if it works at like a fraction of that, like 1 million DNS requests per second.
Justin Gardner (@rhynorater) (09:44.708)
Mm.
Justin Gardner (@rhynorater) (09:49.429)
Yeah.
Justin Gardner (@rhynorater) (09:59.688)
Yeah, totally crazy. And I love how the first step, if you go to the GitHub repo for this, the first step of getting started is you're going to need more memory. So go ahead and like allocate yourself another extra gigabyte of memory with like DPDK hugepages. So that's, that's pretty, that's pretty hilarious. Also, I love, can I just say I love the artwork for this? Like they just got Sonic, like, gotta go fast.
Joel Margolis (10:09.666)
Yeah.
Joel Margolis (10:27.702)
They just took the Sanic, the Sanic meme in there, just like, yeah, yeah, that's the Sanic meme. Yeah, Justin becomes a dad and now he's like full boomer. He is like completely disconnected from internet culture.
Justin Gardner (@rhynorater) (10:30.718)
So is that meme actually Sanic? Like is that what they... Okay, see, I was just disconnected from now on. I thought they were just being silly with Sonic, but... Yeah, you know, hey man.
From internet memes, great, great, thanks for that. But yeah, dude, this is, I think this is, you know, every couple years we see a core tool that I think is used by a lot of people get unseated or whatever, right? Somebody takes the crown. And I think this one might take it from MassDNS. I've used MassDNS for the past long time.
And it looks like this might be the move now. And I actually, actually passed this off to donut as well because, you know, donut's kind of like my go-to guy when I'm talking about high performance tools. I'm like, because he knows what's up with that, right? He wrote a really high performance port scanner and stuff like that. And he just sort of skimmed the code and took a look at it and he said that it seems like they're doing all these things right. They're using something that I had never even heard of called XDP sockets, which apparently stands for express data
path sockets, which I guess is just express sockets. I don't know, like sockets but faster, you know?
Joel Margolis (11:47.958)
Yeah, I think it's like basically like kernel level sockets. It's sort of the idea. I mean, like there's a certain point, right, where you start to get capped by userland stuff, and you need, you need things to be like lower level, or higher, low, I guess lower level, whatever you want to, to, to be, you know, optimally fast. So like one of the things that's in the, in the README that talks, that it talks about is like it has this i40e driver support so it can hook directly, bind directly onto the NIC, like
Justin Gardner (@rhynorater) (11:51.997)
yeah?
Justin Gardner (@rhynorater) (12:02.004)
Yeah, lower level.
Justin Gardner (@rhynorater) (12:17.555)
really? Okay.
Joel Margolis (12:17.71)
It works with like 10 gig and up, right? So it's like 10, 25 and 40 gig cards, like Intel NIC cards. And then it can do, you know, they said on a 40 gig line they were able to do, for, seven and a half million requests per second. So that's like, you know, with, with their own resolver, but even still, like, that's just like ridonkulous. So very, very cool. I, I feel like this is one of those tools that you develop out of necessity, which
Justin Gardner (@rhynorater) (12:24.849)
my gosh, dude.
Justin Gardner (@rhynorater) (12:32.749)
my gosh. That's insane.
Justin Gardner (@rhynorater) (12:39.988)
Yeah.
Justin Gardner (@rhynorater) (12:45.397)
Mm.
Joel Margolis (12:47.052)
is pretty awesome. So it just kinda shows you like what sort of like the end game version of like DNS lookups and stuff looks like when you're like really trying to do it at scale and do it efficiently.
Justin Gardner (@rhynorater) (12:48.107)
Yeah.
Justin Gardner (@rhynorater) (12:56.34)
Yeah, I wonder what Assetnote is doing with DNS lookups, like whether they're wrapping MassDNS or whether they've got a custom solution.
Joel Margolis (13:05.822)
I was about to say, I've had some really in-depth conversations with the folks over there about how they do stuff. I don't think I'm gonna say anything specific, but they definitely do some really cool stuff. And, you know, similar to this, you have to push sort of the boundaries of how you're like, you have to really rethink how you do stuff in order to break through, you know, these sort of limit caps.
Justin Gardner (@rhynorater) (13:09.908)
Yeah.
Justin Gardner (@rhynorater) (13:13.607)
Yeah.
Justin Gardner (@rhynorater) (13:22.056)
Mmm.
Justin Gardner (@rhynorater) (13:29.524)
Yeah, yeah, I agree. Very cool. So, normally we don't really cover, you know, big recon stuff super much on here, but I think a tool unseating MassDNS as the go-to DNS resolver is probably a good one to mention. So that's why I bring that up. Okay, so let me go back to what I was saying before, which was, on the podcast a couple of weeks ago, probably now, I talked about the write-ups from Orange, from this.
Joel Margolis (13:50.039)
Okay.
Justin Gardner (@rhynorater) (13:58.87)
this past DEF CON, Black Hat, and I mentioned that I had, you know, when I went to go reproduce it, I was like, shit, my Apache is actually patched, and I didn't actually even like intentionally patch it. It was, it was just patched already. And so I was like, dang, I don't really feel like spinning up this whole thing or whatever, and so I just didn't, didn't continue with the, with the reproducing of it. But then I saw on Twitter that
Hari Sek released a GitHub recall, GitHub recall, GitHub repo, man, it's the morning, man. I gotta take my sip of my coffee. A GitHub repo called Orange Confusion Attacks. And essentially he Dockerized all of these attacks that Orange released in that presentation, which is super duper helpful. So you can play with them and like fine tune your tools if you're trying to get some detection going for it.
So we'll drop that link down in the description, dude, I just, so appreciate when people do this sort of thing where they minimize that friction piece to like playing around with something new. And I would love to see more people integrate that into their research flow and say like, Hey, you know, I've been releasing some new research on XYZ. Here is a Docker container that you can use to reproduce this like boom, like no problem, you know?
Joel Margolis (15:18.22)
Yeah. Yeah. That's exactly what I was going to say. I think like creating a Docker container, I mean, as you're doing research, it's probably not your first thought, because I catch myself doing this all the time where I start to overcomplicate things. And if I were to think about like, I want to do research on this web server, like let me Dockerize the whole process, like before I even, like, that's basically the definition of overcomplicating things. So I would probably have stopped myself there. That being said,
Justin Gardner (@rhynorater) (15:43.509)
Yeah.
Joel Margolis (15:47.98)
If you're gonna release it, make it easy for people to do that sort of research and just go that extra mile and it'll make it so much better so that, you know. I love HariSeg, I love Orange, but the fact that one of them had to do the extra mile for the other is, you know, yeah, so.
Justin Gardner (@rhynorater) (15:57.856)
Yeah.
Justin Gardner (@rhynorater) (16:02.09)
Yeah, yeah, it's great. And so I think, if you want to be a member of the community that does something like this and that's like your thing, I think that would be super cool. I think you would get really popular if you just started tweeting out like, hey, exactly, here's the research, here's the Docker file so you can reproduce it. I mean, super helpful. And then to any of you guys out there that are actually producing like,
Joel Margolis (16:16.952)
ChatGPT is pretty good at generating Docker files, I've heard.
Justin Gardner (@rhynorater) (16:31.774)
your own security research that that would also I think is, it would be, would be massive. And I did, also feel like, I feel like Docker is just kind of like a high value skill for security researchers to just understand, you know, even if you're not doing Docker container security or anything like that, but like, I think if you just understand how it works and, and are able to spin up Docker containers easily and create Docker containers pretty easily, I think that that is a very high value skill. It will save you a lot of time and effort.
Joel Margolis (17:01.59)
Yeah, for sure. I mean, it's one of those technologies where it's like, it's like, for me, like I would view it almost as like Linux, right? Or like knowing how to use a shell, where it's like, it's sort of one of those fundamental technologies that at minimum you should, you should be like familiar with and understand like the core concepts of, even if you don't like understand it at a super low level. Like just knowing like, okay, there's containers and these containers are like templated and you can have like commands and this Dockerfile like sets up like a container in like a specific way.
Justin Gardner (@rhynorater) (17:09.286)
Mm. Mm.
Joel Margolis (17:31.504)
It's like reproducible, just like knowing the basics of what Docker is, how to use it, have some experience with it. If you don't have that, take a day, like this weekend. Yeah, seriously, take a day out of your weekend, just sit down for a couple hours, install Docker, create some basic containers, fiddle around with it, read through some docs. It'll be worth your while for sure.
Justin Gardner (@rhynorater) (17:31.627)
Mmm.
Justin Gardner (@rhynorater) (17:41.524)
Yeah, it's worth it. I mean, it really is.
Justin Gardner (@rhynorater) (17:51.348)
Yeah. And I, and I feel like I like I'm sitting here preaching this, right. And I've done this multiple times, but I also am not really to the level where I'm like, yeah, you know, I, I, I'm a Docker guy. You know, I can use Docker, you know, like, yeah.
Joel Margolis (18:05.294)
But that's fine, right? You've hit the minimum. It's one of those things where...
Justin Gardner (@rhynorater) (18:10.058)
I'm not scared of it, but also I'm not like, that's easy, you know? And I feel like, hmm.
Joel Margolis (18:13.034)
Yeah, but I also think like you don't need to necessarily know like, you know, it's not, it's not like so mandatory that you should like everybody should know everything about Docker. Like if you're doing a project that involves Docker, like a great example, you want to reverse engineer some software and there's a Docker container for it.
Justin Gardner (@rhynorater) (18:19.669)
Mmm.
Justin Gardner (@rhynorater) (18:28.456)
Mm-hmm. Mm-hmm.
Joel Margolis (18:31.628)
Most people aren't gonna know how to do that, like how to do what, like pull files out of a Docker container. I only know how to do it because I wanted to do that specifically and I looked up how to do it, and if I wanted to do it again, I would have to look it up again. So like it's just one of those things that like, you know, you get familiar with it out of necessity and, you know what, you know, learn it as you need it, right?
Justin Gardner (@rhynorater) (18:32.33)
That's the move.
Justin Gardner (@rhynorater) (18:40.117)
Yeah.
Justin Gardner (@rhynorater) (18:45.248)
Yeah.
Justin Gardner (@rhynorater) (18:53.342)
Yeah, yeah, I feel that man. Yeah, I think for me, it's not something that I use super duper often because I'm not doing a lot of this like patch reverse engineering or like even really going after enterprise software that often. But whenever I sit down and I actually am like, let me just like build a Docker container for this or spin up this Docker container. It's like.
I'm like, that was much easier than I expected it to be and maybe I shouldn't let these inhibitions hold me back in a lot of scenarios. All right, so next one, actually, I do have a transition for this one. You ready for this? So, actually this is super way out there. Because I was gonna say, you know what a Docker container that I have built is? Which is the WordPress testing environment Docker container.
Joel Margolis (19:36.024)
Okay, well...
Joel Margolis (19:44.586)
you
Joel Margolis (19:48.066)
It's
Justin Gardner (@rhynorater) (19:49.167)
and also related to
No, no, no, Joel, we don't do cuts on this podcast, man. We don't do cuts. All right. No. So I did want to shout this, this write-up out though, because it's, it's super good. So the write-up of course, the one that I'm talking about is the WordPress GiveWP POP chain to RCE write-up done by Mr. Talks Eraser. And when Mr. Talks Eraser drops anything, specifically WordPress stuff, like he's just quite good with WordPress stuff. It's always worth a read.
Joel Margolis (19:55.0)
Cut! Cut!
Joel Margolis (20:22.232)
I feel like his tweets have a minimum bar of being like RCE or worse.
Justin Gardner (@rhynorater) (20:26.146)
Yeah, like RCE or global, universal RCE. Yeah, so I think this was a really good write-up. I think he does a good job of, I mean, clearly he went in there and reproduced it thoroughly himself. And I love the little details that he added in here. So for example, let me read you this. He's talking about the situation or the specific location where the deserialization is happening.
Joel Margolis (20:30.56)
Yeah
Justin Gardner (@rhynorater) (20:55.858)
in this chain, and he says PHP object injection exploits usually reference class names using their namespaces, which might contain slashes. stripslashes_deep tries to get rid of these by calling stripslashes on every value. However, this can be easily bypassed by using four backslashes in the namespace names. And I just like this. This sort of detail might be something that a lot of write-up people would just sort of solve themselves and then skip over and not include,
you know, in the actual write-up itself. But I find stuff like this extremely useful and also kind of counterintuitive. Like why does stripslashes allow a backslash in the actual final result? Like that shouldn't be how that works. And so I literally sat down and I was like, all right, I gotta play with this. So I spun up a little PHP thing and I was playing with it. And essentially I think the reason why it works is because it will...
it will escape, if you have four backslashes, it will convert the two backslashes, it'll remove one of the backslashes, because one of them is an escape character and one of them is a backslash. It'll remove that, so it's just a backslash. And then it'll do the same one for the next one, and now you've got two backslashes right next to each other, which is an escaped backslash again, so it produces a backslash. And it's just not something that I would have really likely
intuitively tried in this situation. So it's just great to be aware of the fact that those, that stripslashes can be bypassed in PHP.
Joel Margolis (22:30.178)
Yeah, so dude, this is one of those like mental gadgets, right? It's it's like the little nugget.
Justin Gardner (@rhynorater) (22:34.869)
Yeah, yeah.
Joel Margolis (22:38.348)
That you get from reading this. Like you read through this cool research. Does it apply? How many times are you gonna see GiveWP? Probably not that often. How many times are you gonna see an outdated GiveWP? Almost never. However, that's not really the important part, right? The important part is how does this work, like understanding that, and then separately the little nuggets like the stripslashes and how that works. Because the next time you see something, you know, maybe you know it's PHP, maybe you don't know it's PHP, maybe you do some
Justin Gardner (@rhynorater) (23:01.824)
Mm.
Joel Margolis (23:08.272)
fingerprinting and find out it's PHP. Now you have something to add in your payload specifically targeted towards PHP, because maybe they're using stripslashes and you can exploit it in this way. So it's just, you know, those little, those little mental gadgets. You know, you don't even have to remember it specifically. You just, you're like, man, what was that, that, that tux racer blog? And yeah?
Justin Gardner (@rhynorater) (23:21.642)
Yeah.
Justin Gardner (@rhynorater) (23:25.792)
But your brain will, it'll notice it, right? You see stripslashes and you'll start staring at it, you're like, why am I staring at stripslashes? Like, why do I feel like there's something weird about that? And then you'll look it up and you'll...
Joel Margolis (23:36.428)
Yep. You'll start searching like stripslashes, bug bounty, RCE, write-up.
Justin Gardner (@rhynorater) (23:41.726)
Yeah, exactly. RCE will get you there. Yeah, no, that's great, man. A couple other takeaways that I had for this one was the entry point for this attack, and we talked about this a little bit way back in episode, I don't know, whatever number it was, where we started, we talked about WordPress security a lot. But one of the main ways to do WordPress security in a lot of the API flows is to have
these nonces in place. And sometimes these nonces will only be accessible from pages where admins can access or something like that, right? But technically the endpoint where you utilize the nonce doesn't actually require that privilege, right? Anybody can hit that endpoint, but if you don't have the nonce, it's gonna freak out, right? So it's like, yeah.
Joel Margolis (24:28.578)
Yeah. Dude, as I was reading through this, I was like, man, the stars just keep, another one just aligns.
Justin Gardner (@rhynorater) (24:36.174)
Yeah, no, it's beautiful. But I think that's a really good call out for anybody who is looking at WordPress stuff is like, if you have the, where they're doing the add_action and it's wp_ajax, right? That can be triggered by even a subscriber level user, right? And if there's not an actual permission check on that, there's just a nonce verification check, then you may be able to leak that nonce and actually call that function still.
And even more so if it's like wp_ajax_nopriv and you can just hit it from an unauthenticated perspective, or like admin_init or something like that. And I've got some, we've got some automation actually set up in the Critical Thinkers channel for the data streams section where we automatically scan every new commit done to WordPress plugins above 50,000 installs and we use it
AST tree to go through, AST tree? Tree tree? Syntax tree? Yeah, abstract syntax tree to go through and look for where these verification nonces are and lack of ways for checking various roles within the WordPress APIs. So we catch a lot of those bugs when those come through. I think that that script probably pops out a couple of CVEs a month at least.
Joel Margolis (25:37.762)
Yeah. Abstract syntax tree tree.
Justin Gardner (@rhynorater) (26:02.418)
that just get handed off to the critical thinkers community and they make a couple bucks on it here and there. But I think this sort of situation where you have a nonce and the nonce is in place, but the nonce is actually leakable is a more complicated situation that would be a little bit more if you're doing intentional research on a plugin.
Joel Margolis (26:08.919)
Yeah.
Joel Margolis (26:23.852)
Yeah, yeah, absolutely. And on top of that, yesterday I got an email. I'll give a little free shout out here.
Justin Gardner (@rhynorater) (26:25.876)
Mmm. Yeah.
Justin Gardner (@rhynorater) (26:30.718)
Okay, Alright.
Joel Margolis (26:31.032)
from the Wordfence folks who are now running a couple different bug bounty promotions on their thing. They've added XSS vulnerabilities on anything over a thousand plus installs into scope. They have increased bounties. They have a new install tier for plugins with over five million active installs with bounties up to 30K. So, I mean.
Justin Gardner (@rhynorater) (26:43.851)
Really?
Joel Margolis (26:56.812)
We have alerts for plugins. There's some new research on plugins. There's some higher bounties for plugins. So maybe this weekend, if you want to go check out some of the WordPress plugins and go get some 30K bounties on that higher install tier. And yeah, that's legit legit. So very, cool stuff. And I don't think WordPress is going anywhere anytime soon. So it's everywhere.
Justin Gardner (@rhynorater) (26:58.528)
Yeah?
Justin Gardner (@rhynorater) (27:10.026)
Wow, 30K is a serious bounty, dude.
Justin Gardner (@rhynorater) (27:20.138)
Yeah, it's used everywhere, man. So it is really a high value thing to know the ins and outs of. So yeah.
Joel Margolis (27:26.754)
The weird thing is like it'll be used on like sites that you would never expect to be WordPress. Like you'll just run recon and like my nuclei will say, hey, by the way, this is running WordPress, and I'm like, heck, this is running WordPress? And then I'd run a WPScan and, you know, it's got like all these different plugins. So definitely, definitely not going anywhere.
Justin Gardner (@rhynorater) (27:31.712)
Yeah.
Justin Gardner (@rhynorater) (27:48.278)
Yeah, I'm gonna look up the episode really quick. Yeah, popping WordPress plugins methodology brain dump. Episode 55 is the one where we are joined by that Wordfence researcher and we kind of talk about what the approach is to hack WordPress bugs or find WordPress vulnerabilities, because at the end of the day it's PHP, right? So of course if somebody's just putting a PHP file out there and they're just like echoing $_GET whatever,
then you're gonna get XSS, but there's also a lot of custom PHP, WordPress synergies that happen. Yeah.
Joel Margolis (28:24.546)
Bro, the only thing I'll say is, okay, the only times I've ever used PHP ever is in the most hacky of situations. Like, I never write a PHP POC when I'm like, ha, I just need something normal. It's like when I need some really weird, like I need to add a header in the response in real time, like some like, I'm running eval and like the head.
Justin Gardner (@rhynorater) (28:33.386)
you
Justin Gardner (@rhynorater) (28:40.852)
guys, chill.
Justin Gardner (@rhynorater) (28:45.563)
No, Joel, that's a you problem,
Dude, actually have you seen the whole, and we won't, we won't rabbit trail down this for too long, but have you seen the like movement lately surrounding like reverting to PHP and jQuery and just shipping really fast for like, it's the, the Levels.io like.
Joel Margolis (29:03.832)
Dude, let's go. I'm so here for it. Dude, okay. I know you said we weren't gonna rabbit hole on this, a week or two ago, I was just like, just for fun, I went down the cursor rabbit hole with like AI code writing and projects and stuff. And I literally got to the point where I was like, okay, I don't want any React. I want basic HTML. I want this to look like 90s website, like straight HTML and JavaScript. And it actually worked way better.
Justin Gardner (@rhynorater) (29:15.648)
Yes.
Justin Gardner (@rhynorater) (29:24.927)
Yeah.
Justin Gardner (@rhynorater) (29:31.2)
Dude, it's a real thing, man. I think there's something to be said about just using the minimum required technology to do it. Okay, all right, Joel, I'm writing this back in. Last comment that I want to have on this one is if you're not familiar with POP chains, I think that's a pretty cool vuln class to at least understand if you like to geek out over stuff. And it's a deserialization technique, but...
Joel Margolis (29:36.41)
Take me back, bro. Take me back.
Joel Margolis (29:43.084)
All right, all right
Justin Gardner (@rhynorater) (30:00.52)
Man, those things are fun to research. And when we were going down the WordPress rabbit hole back earlier this year, it's just, I had so much fun hunting for POP chain gadgets to allow, allow you to pivot from class to class and actually get arbitrary code execution. And this example here in the, in the blog post by, by Mr. TuxRacer is, is pretty awesome. I think he pulled this graphic from the, yeah, he did. He pulled it from the Wordfence team's blog.
But I appreciate when they break down all that and allow us to see the beauty of what a POP chain looks like in its full glory. Cause like this is what, five steps before it even gets to the code execution? So you're, you're in deep, deep by the time you actually pop something.
Joel Margolis (30:43.96)
Yeah, very much so. I mean, it's one of those scenarios where you're like, is this actually gonna pop? And when it does, man, it feels so good. Awesome. Another tool? Another tool? Dude, it's Tool Tuesday. Okay. It really is.
Justin Gardner (@rhynorater) (30:48.574)
Yeah, it does. Feels so good, All right, where you wanna go? All right, hit me.
Justin Gardner (@rhynorater) (31:02.848)
So, hey man, hey, thank you for evening the score because I did a crappy transition earlier. So, all right. You're done talking now. Okay, go, go.
Joel Margolis (31:11.15)
Still Tuesday, alright so yeah. No, no, wait, that was the best transition of all time. Alright, so YesWeHack, YesWeHack has released a tool called xsstools. What a fitting name. They released it three years ago. Yeah, no, it's crazy. I have literally never heard of this thing. You linked this; up until five seconds ago, I thought this was brand new.
Justin Gardner (@rhynorater) (31:23.821)
This has been around for a while though, dude. Just FYI.
Hahaha
Joel Margolis (31:39.608)
Brand new release. I linked it to one of my friends who's like, what? This is cool. So this is awesome. So the best way I can analogize this, I can make an analogy for this is, this is a terrible analogy. Anybody, I'm sorry, this is maybe the worst way I can make an analogy for it. Anybody who's used pwntools before for like native.
Justin Gardner (@rhynorater) (31:39.633)
Hahaha!
Justin Gardner (@rhynorater) (31:56.179)
my god.
Justin Gardner (@rhynorater) (32:02.954)
Hound tools?
Joel Margolis (32:05.814)
native exploitation, binary exploitation. Yeah, so pwntools is like this Python library that you can import and you just do like from pwn import *. And then you just have all these functions that are like awesome, like helper functions. You can like decode stuff, you can set breakpoints, whatever. So this like is kind of like that, but for XSS. So it's like this library, you just import.
Justin Gardner (@rhynorater) (32:23.0)
this is actually pretty rad, dude.
Joel Margolis (32:32.172)
this .js file, and then it gives you all these functions that you can call. You, you know, you just do like payload.new and then you do .add exfiltrator and you give it a function to exfiltrate and you do .eval and then it like runs some code and you .exfiltrate and it exfiltrates it to your exfiltrator and it .fetch dom and it like gets a page from the, right? So it does like all these, like, it's just a lot of helper functions that like, if you were to write an XSS payload, like you were, you have an XSS,
Justin Gardner (@rhynorater) (32:46.762)
Yeah.
Justin Gardner (@rhynorater) (32:52.958)
What? Yeah.
Joel Margolis (33:02.096)
want to exploit it and like build out a POC, building out the POC is a big pain. Sorry, big cheese. Choked on my air.
Justin Gardner (@rhynorater) (33:06.804)
Yeah. It is a big pain, dude, much like your throat is experiencing right now. But, but yeah, no, no, no, no. The, the exfiltrators piece I think is really, is really cool too, right? Cause listen to this, listen to these exfiltrators: postMessage exfiltration, GET based exfiltration, sendBeacon based exfiltration, image exfiltration, iframe exfiltration. So like it's, it's got a bunch of scenarios for ways when you have limited
Joel Margolis (33:15.294)
So yeah, it's really awesome
Justin Gardner (@rhynorater) (33:36.874)
exfiltration methodologies and you don't have to like go and write all this custom code for it. You just import the library and boom, boom, boom. Yeah, dude, BitK dropped this on me when he was doing the, the, the prototype pollution masterclass in the, in the Critical Thinkers Discord. And, I was like, wow, how have I not heard of this? Because I feel like this would save a bunch of time, but, but, but also let me just say this kind of gets like this. I think this was way cooler before AI because like now
Joel Margolis (34:05.292)
Ha
Justin Gardner (@rhynorater) (34:06.29)
I can just, literally just go to ChatGPT or whatever and I'm like, all right, write this to do this. And then it just does it and it works so well. Yeah.
Joel Margolis (34:11.25)
the one thing i will say that
I think there are probably some areas where you can improve this a little bit because like ChatGPT is good for like basic stuff. When it gets like more complicated, a little, it can maybe, it's okay sometimes. But like when you're talking about exfiltrators, I'm thinking, okay, let's add the PortSwigger CSS blind exfiltration technique as an exfiltrator. And let's like update this because this is, you know, three years out of date now. So there's probably some other exfiltration methods that have come up since then.
Justin Gardner (@rhynorater) (34:37.45)
Mmm, yeah.
Justin Gardner (@rhynorater) (34:42.389)
Yeah.
Joel Margolis (34:45.648)
That's the first one that came to mind. then, you know, in those really weird scenarios, I think this still has a really good use case where you want to write a really high quality POC that just works and you can just do this and it just works.
Justin Gardner (@rhynorater) (34:59.316)
Yeah, yeah, dude, but also check this out. There's a payload here within here that says start keylogger. That's the kind of stuff that it's nice to have like, modularized, right? Because it's like, I know it's possible. Yeah, I know that it's possible for me to do a keylogger, but then I gotta write all the JavaScript and exfiltrate it out. But this thing will just automatically do it, so.
Joel Margolis (35:11.82)
Like, yeah, my impact is in the read me. It's awesome.
Joel Margolis (35:24.769)
Okay.
Justin Gardner (@rhynorater) (35:26.153)
Okay, also, I'm sorry, Joel, the other thing that I was really excited about, which is kind of ironic, because it's clickjacking, but is the clickjacking functionality here, okay? So listen up, Critical Thinking listeners here, okay? I'm not warranting, I'm not saying that clickjacking is a valid bug in most of the situations, okay? Please, no. Joel, please stop, no. But.
Joel Margolis (35:44.482)
You heard it here first. At the bottom of your reports, Rhynorater told me that clickjacking is a valid report. Please accept. Bounty please.
Justin Gardner (@rhynorater) (35:53.92)
There are scenarios, I have had a clickjacking accepted as a high when you have a clickjacking, for example, on an OAuth approval page, where you can just force the, they click one button and now their account is pwned, right? Valid. The thing is, these things are a pain in the ass to write because you've gotta align all the things and where's the button, who knows? It's a whole step, but this...
this library has a clickjacker functionality. And all you have to do, I'm just gonna read from the readme here, writing clickjacking code can be tedious. With xsstools, you only need to supply the position of the target element on the target page, and then you're good to go. And I'm just like, yes, this is what I need, this is what I need.
Joel Margolis (36:41.334)
It's so good. I mean, this is awesome. I love little helper tools like this. And OK, bad transition number two. Are you ready? Are you done with this one? Are you ready? OK, OK, finish, finish.
Justin Gardner (@rhynorater) (36:43.459)
Mm.
Justin Gardner (@rhynorater) (36:52.08)
Oh my God. No, no, no, I'm not done. Also, okay, let me just say, let me add one more thing about the clickjacker, okay? Not only did they build that into it, right? But they also gave us this little one-liner down at the bottom that says, hey, you can find the bounding box interactively using this code. So they just give you like a JavaScript one-liner that you can just toss into your script console and it'll, dude, it's clutch.
Joel Margolis (37:15.37)
Dude, I'm telling you, it's these little snippets, man. It's the little nuggets.
Justin Gardner (@rhynorater) (37:20.808)
It's so clutch, so yeah. I'm sorry. That's all I wanted to say. It's just really helpful for XSS exfiltration and clickjacking POCs. Okay, take it away. Go ahead.
Joel Margolis (37:30.594)
I mean, well the impact is right here. They give you the impact in the readme. And you know what else reminds me of impact? Somebody in our Discord, in the hacking channel. Balint. Okay, this guy.
Justin Gardner (@rhynorater) (37:44.588)
my god Joel that...
Justin Gardner (@rhynorater) (37:49.77)
This was nuts. This was actually nuts. Yeah.
Joel Margolis (37:50.602)
This is crazy. I'm not gonna lie. Like normally I'm like, skeptical of injection, text injection, HTML injection, whatever. Okay, this is pretty big brain. I will not lie. So this guy found, I guess it's just HTML injection, right?
Justin Gardner (@rhynorater) (38:08.074)
Dude, it's actually not even HTML injection. This is text injection, This is not even HTML. There is not a bug here, right?
Joel Margolis (38:12.802)
Text injection, just text injection. Yeah, it's like bug question mark. So what they did is they realized, hang on a second, you ever seen those ASCII art? Those big like, the man's dancing in the chat, you know, on like Twitch chat and it's all ASCII art. Yeah, so he was like, hang on a second, big brain moment. And then.
Justin Gardner (@rhynorater) (38:33.14)
Mm -hmm, mm -hmm.
Joel Margolis (38:39.448)
He built a QR code out of these ASCII, Unicode block characters, whatever, like the solid white squares and then like the, like shaded square characters or whatever. I don't know how to describe this without a screenshot. But yeah, they basically built a QR code. Maybe our editors can put it up, but there's a screenshot in our Discord from this guy in the hacking channel.
Justin Gardner (@rhynorater) (38:45.118)
Ridiculous, dude.
Justin Gardner (@rhynorater) (38:52.989)
Mmm, mmm.
Justin Gardner (@rhynorater) (38:58.23)
They can put it up. Yeah, we'll put it up.
Joel Margolis (39:06.051)
And, it's just text injection, but it, it builds out a QR code and I don't know.
Justin Gardner (@rhynorater) (39:09.407)
Yeah.
Justin Gardner (@rhynorater) (39:12.85)
You scan the QR code and it takes over your account. This is amazing, dude. This is so good.
Joel Margolis (39:18.114)
I'm gonna scan it right now.
I will say, I will say, I will say, he went through a lot of effort here to redact the URL and like all the surrounding stuff and then the rock QR
Justin Gardner (@rhynorater) (39:33.898)
All of the surrounding stuff, yeah.
Justin Gardner (@rhynorater) (39:39.325)
the Rock QR code's there! Okay, shit, maybe we can't put it up on the screen. Dang it.
Joel Margolis (39:41.614)
I will say you probably could just open in Chrome
Justin Gardner (@rhynorater) (39:51.195)
my gosh, I'm trying to...
Joel Margolis (39:51.722)
It takes me to a thing. Hello from. I'm gonna guess that's probably the target.
Justin Gardner (@rhynorater) (39:56.992)
Dude, don't say it on air, now we gotta bleep it. Okay.
Joel Margolis (39:59.254)
I didn't say it, didn't say it, I just said hello from blank. Okay, so maybe we...
Justin Gardner (@rhynorater) (40:08.458)
Yeah, okay, so I don't know, maybe we'll put it up on the screen, maybe we won't. But what I wanted to bring to you, okay Joel, just you take a second because I think you're crying over there right now. This is such a beautiful exploit. I just wanted to bring this, bring this to the, to listeners because dude, isn't this such a beautiful representation of hacker mentality, right? Like, like text injection, classic N/A bug, right? Doesn't matter at all, but this guy figures out a way to use some technical prowess
Joel Margolis (40:11.8)
I'll leave that as an exercise to the listener.
Justin Gardner (@rhynorater) (40:36.948)
to use his knowledge of Unicode, and I think he also had some sort of tangential CSS injection on this page that allowed him to do some CSS realigning or whatever, but to make this QR code, and then he uses his knowledge of the app to take that, when that QR code actually gets scanned, it does something bad to their account. Presumably they're using like a
SameSite=Strict or something like that, which is why it needs to originate from, well, no, I'm not sure. That should just be a CSRF. So maybe it's just a part of the attack methodology. But he went the full way to build out this whole POC. And when you do that, man, doesn't your heart just swell with pride? Like.
Joel Margolis (41:22.936)
What it's well-loved is, I hope triage didn't just go, hello, we're having trouble reproducing this bug. Like, because like this is one of those things where I think, when like, if you can get it to the team, it's like a beautiful side of bug bounty that is so creative and so like
Justin Gardner (@rhynorater) (41:26.758)
N/A.
Justin Gardner (@rhynorater) (41:38.132)
Mmm. Yeah.
Joel Margolis (41:40.916)
Out of the box thinking that is so cool, where it's like you have, like ChatGPT couldn't come up with that shit in a million years. Okay, like straight up, you could feed that problem, you could click the regenerate button a thousand times, it'll never be like, you should generate a QR code with ASCII characters with your text injection, right? Like that is, it's such a cool, like, unique attack scenario and it's so creative. Like if I had received that I'd have been like, all right
Justin Gardner (@rhynorater) (41:48.18)
Yeah. Yeah.
Justin Gardner (@rhynorater) (41:57.547)
Right.
Joel Margolis (42:08.244)
At minimum low bounty just for creativity
Justin Gardner (@rhynorater) (42:09.652)
Yeah. Well, dude, like I think it also just kind of pays for itself a little bit too. You know, not to say that you don't need to pay for these super crazy bugs, because I think the company should, but like when you get to the end of that, I just finished a POC last night for a bug that I am super proud of. That's like, like, you know, it's funny. I call it like a Matanber bug now after that episode, because it's like, and then I do this and I grab this cookie and then overflow the cookie jar like this and that and the other thing.
And it comes together and it's so smooth and clean and you just, mmm, it feels so good, you know? So, yeah.
Joel Margolis (42:45.592)
And then the next morning triage goes, hey, do you own this domain?
Justin Gardner (@rhynorater) (42:50.942)
Yeah, exactly, lovely. Yeah. Well, that's the ups and downs of bug bounty, man. That's how it works. Let me just, thank you for that Joel. But yeah, I think, shout out to Balint here from the Discord. This is a very cool strategy of text injection and Unicode characters to build out a QR code. Very cool. Very cool indeed. All right, let's see what else we got on the list for today, dude.
Joel Margolis (42:55.042)
That's something that's never happened to me before.
Joel Margolis (43:01.678)
in the last week.
Joel Margolis (43:15.064)
Very good.
Justin Gardner (@rhynorater) (43:20.094)
Okay, let's jump back up to this browser tracking protection thing, okay? So, yeah, I got you, I got you. Yes, it was, it was very dense.
Joel Margolis (43:25.74)
Okay, I'm gonna let you take this one, because this was dense AF. I didn't even know this was a thing, by the way. And it took me a very... Like, more Google searches than it should've to even find out what this ITP thing is. I was like, what is ITP? And everyone was like, ITP is a mechanism for... And I was like, no, no, no, what is it? What does ITP stand for?
Justin Gardner (@rhynorater) (43:38.421)
Right?
Justin Gardner (@rhynorater) (43:44.714)
Yeah.
Yeah, exactly. And so essentially what this article is, and we'll link it down below, it's Bypassing Browser Tracking Protection for CORS Misconfiguration Abuse by the PT Security team. And essentially what this blog post does is it details Safari's and Firefox's answer of sorts to Chrome's SameSite Lax, okay? So what they've done in Firefox and Safari,
is they've implemented these tracking protections that happen by default, which prevent cookies from being sent to third party domains so that you're not getting tracked by like, you came to this website and there was like a pixel for whatever and it set a cookie and now we know who you are forever, right? And these have been kind of foiling exploits for a little while. Like I've heard some murmurs in the Critical Thinking Discord and
and in the community a little bit of like, man, this exploit works fine here, but it doesn't work over here. Like, why is that happening? And it's because Firefox and Safari have implemented these. So the TLDR of the situation is that you won't be able to send non top level requests, so like a fetch request or whatever, with credentials with it in Safari or Firefox, if you don't first do a window.open to
the vulnerable page, okay? And so what this means is that if you do see vulnerable CORS configurations nowadays, typically I've been kind of not paying attention to those very much because SameSite kind of screws with that if it's cookie-based authentication, which it has to be for that. But this is still very possible in Firefox and in Safari because you just need to harvest one click to open up a window. And when you do that, at least in Firefox, this is the case.
Justin Gardner (@rhynorater) (45:44.246)
there's a relationship between those two domains stored for 30 days. So let's say I do it from my poc.rhynorater.com to google.com. I do a window.open, right? So now, poc.rhynorater.com can send credentialed requests to google.com for 30 days, okay? And so all you gotta do is do that window.open and then you're good to go. I think Safari, you have to wait like two seconds or something like that because of something janky.
Yeah, it's kind of weird. You got to use like a setTimeout or whatever before you can send the request. But this attack still absolutely works. And the majority of this blog post was just explaining the setup and explaining what this thing is and the way that they went about building a test environment for it, which is cool and helpful if you want to play around with it a little bit more. But I was a little bit overwhelmed when I got to the end and I was like, it's just like.
window.open? OK, cool. You know, like, I'll do that.
Joel Margolis (46:43.342)
you
Joel Margolis (46:47.113)
That's really, really interesting. It kind of reminds me. So I don't know. I don't think I added. I added this and then I removed it because I knew you wouldn't have time to read it. I don't know if you saw there was this CTF write up from idekCTF 2024. And this... Yeah, yeah. Yeah, this...
Justin Gardner (@rhynorater) (46:56.17)
Hmm.
Justin Gardner (@rhynorater) (46:59.745)
my gosh, dude.
Justin Gardner (@rhynorater) (47:06.006)
Was this the iframe thing? Dude, read it, dude, my mentee sent it to me as soon as it, yeah, and I woke up and I looked at the message, I was like, what's this? I clicked on it and it was like six a in the morning, I was reading it groggy and I'm like, my gosh, this is insane, I can't even process any of this.
Joel Margolis (47:10.914)
Yeah, it came out like three days ago.
Joel Margolis (47:20.642)
Dude, it's insane. It's insane. But like, you know, there's a lot of this like sort of similar behavior where like if you like load a page first, then it like, allows, it sets like different CSP behavior or like, sorry, not CSP, cross origin or, yeah, yeah, CSP. Right, right, right. It inherits the CSP and then it like, yeah.
Justin Gardner (@rhynorater) (47:32.821)
Mm
Justin Gardner (@rhynorater) (47:39.434)
Yeah, CSP or sandboxing behavior depending on, yeah.
Joel Margolis (47:46.304)
I also need to reread because it was so dense, dude. I read through it, I was like, what the heck? Like there was like new attributes that I didn't even know, like iframe sandbox and iframe srcdoc, like it, I put it, I put it at the bottom, but, but yeah, well maybe we'll save that for next week.
Justin Gardner (@rhynorater) (47:56.938)
Yeah, now we're gonna have to find that link and put it in the description, dude. Did you? Okay.
Yeah, maybe we will because I actually would like to go back and reread that and get a more concrete grip on it because that iframe stuff and the attribute inheritance and like all of that is really tricky. But yeah, I just want to swing back around to this browser tracking protection thing for a second because I feel like this is one of those issues that kind of like slid under the radar and has been kind of foiling POCs, you know, and you're like, why is this working? I know that this should work.
This very well could be the reason if you're in Firefox or Safari. Just do a window.open to your target page anytime within the past 30 days from that origin and you're good to go. All right. Here's the other, dude. I had another, one more interesting takeaway from this. This setting is not a, I was kind of curious about how the setting gets stored, right? Let me take a sip of something real quick. Cause my throat is acting up.
Justin Gardner (@rhynorater) (49:06.505)
Okay. This is not stored. I was kind of wondering how this was stored, right? And so was like, I wonder if this could actually tell us whether we have been on a specific website or not within the past however many days by detecting whether we could send a cross origin request to that website, right? And it turns out you can. And even if you go and you clear your browser history.
If you go to that website and you send a request and it sends cookies, that setting is still there. Yeah.
Joel Margolis (49:42.082)
Okay, bro, hear me out, hear me out. There's a canary there. I don't know if you realized it, but in the same way that you can like CSS exfiltrate with like, you know, like the sort of like, true, like if it goes through, then that's an indicator. So, you know, you could brute force, like, you know, right, right, right. Like, you know, if the request goes through, then you know that path exists. So you brute force paths until you hit one that exists and, and then you can, but it won't be incremental, right?
Justin Gardner (@rhynorater) (49:56.853)
Yeah.
Cross -site leak of sorts, right? Yeah.
Justin Gardner (@rhynorater) (50:08.01)
Yeah, I mean, but here's the thing, you have to control JavaScript execution on the website of that origin. Yeah, so if they clicked on the link, then you should already be able to know that. But yeah, it's more interesting from like a just general overall security perspective where it's like, okay, well, I cleared my browser history, but also this, if I go to whatever website and say fetch,
Joel Margolis (50:19.894)
Okay, that's little trickier.
Justin Gardner (@rhynorater) (50:37.12)
has the user clicked on a link from this website and gone to another website and yes, that setting is still stored. So I just thought that was an interesting little tidbit. I don't think it's an actionable vulnerability or anything, but there definitely is some interesting nuance to it because you can, if you do get an XSS, you could even trigger this attack from the client side, right? And if it does go through, then,
you have a true or false on whether the user has logged into a specific, or clicked on a link from this website to a different website in the past 30 days, which gives you decent amount of time range on it. So yeah, I don't know, man. A little bit weird, a little bit fringe, but I figured I'd mention it just because generally security related. Okay. Let me see. Yeah.
This next one, all right, I'll take the dom clobbering one as well if you don't mind, because I have been playing around with this lately. I think it's so fun.
Joel Margolis (51:39.393)
Sure, I saw this tool and I was like, again, it's tool Tuesday, man. Tool Tuesday.
Justin Gardner (@rhynorater) (51:43.318)
Yeah, yeah. Well, so essentially how this conversation started is I think somebody in the Critical Thinkers tier was asking about DOM clobbering. I think it was like XSS doctor or something. And then Jhaddix hopped up in there and dropped this research on us. And we're like, whoa, what is this? And there's some really great research. I mean, I think this has been around, this was 2023. So it's actually pretty recent research from somebody named Soheil Khodayari.
Sorry about that, did my best. It's everything you wanted to know about DOM clobbering, but were afraid to ask. And I think this is a really cool presentation for anybody who wants to understand DOM clobbering at a basic level and understand how to start exploiting it. And there's lots of great information in there. But the real gem that came out of that was this domclob.xyz website that documents a bunch of DOM clobbering
functionality that you can use to essentially clobber certain variables inside of a DOM when you only have HTML injection versus XSS. And within that, there is this payload generator. Again, the week of the payload generator, where you can say, the variable I want to clobber is response.status_code.
Joel Margolis (53:00.568)
So many bookmarks to add, man.
Justin Gardner (@rhynorater) (53:10.576)
And then you just click generate and it will generate like five different ways for you to clobber that variable using an a tag, using a form, using like a textarea inside of a form and all of these things. And I just think once again, that makes our life much simpler because we know that that's possible, but now we got to go and research, where's, what elements should I use? Is it id or is it name? You know, that's one of the things that is kind of tricky about DOM clobbering. So this payload generator makes it much easier.
Joel Margolis (53:40.61)
Yeah, dude, you know, I love the, I think the way I love to think about this is like, like a contractor who has like those, like a really expensive tool, right? Like a, like a really, like it was an investment, but like, does something very specific, very well. And you're like, why do you have that? And it's like, because if I didn't have that, I would have to know how to do it the other way or manually or the old school way. And instead I have invested in this tool to do it better.
Justin Gardner (@rhynorater) (54:00.661)
Mm
Joel Margolis (54:08.234)
And that is exactly what this type of stuff is. Like, could you go through and like, you know, maybe there's something to be said about like the learning process of like, maybe you do that once, like the first time you do a DOM clobbering, just to understand like how it works and get all the background and whatever. But then like, use the tool, like make your life easier and like do it more efficiently because that's why it exists. Like having tools and using them effectively is like so, so important. Yeah.
Justin Gardner (@rhynorater) (54:27.284)
Mm.
Justin Gardner (@rhynorater) (54:32.414)
Yeah, especially for career hunters, right? Like if you're gonna be in, you know, security for the rest of your life, like I plan to be, like it makes sense to invest in these tools and build them out and know about them and document them for yourself because sometimes there are people out there whose thing is dom clobbering and they're like gonna maintain this website on dom clobbering for you and you just have to know where it is and how to use it.
Joel Margolis (54:56.61)
Yeah, totally.
Justin Gardner (@rhynorater) (54:58.154)
Yeah, so that was a great takeaway. I definitely have been thinking about that a lot. Okay, so we got a couple more things to go through here, but I kinda wanna take a pause real quick and just reflect on that episode that we did with Franz back in Vegas, okay, where he was talking about the X-Correlation-IDs and the request IDs and what kind of logging pipelines those get integrated into. And here's why I wanted to...
to pause about that because I was thinking like, so Franz found that thing, that's really cool, how can we take that concept that he used and expand it and apply it to other areas? Like what are the things like request ID that I was totally sleeping on? Right? And I definitely should have been sussing, but I just was like, it's just request ID, like that never does anything, right?
And so I started brainstorming on it a little bit. I'll give you some time to think, Joel, because I'm kind of throwing this on you last minute. But one of the things that popped up in my mind is Sentry and or client-side error logging that occurs via Sentry or via some other provider. And I know that there are some exploits out there. There's a Sentry SSRF I think HackerOne was vulnerable to at one point and that sort of thing. But I feel like that environment in general,
unless it's all going back to one dashboard, could have a similar effect to what Franz did with the request ID, right? Where you throw some payloads in there, and then that goes through the logging pipeline, and ends up in some custom dashboard they've built to show all of their JS errors or whatever, and then pops, and you get access to a bunch of logged session tokens or something like that from the client side. So, yeah, that's one of the things I was thinking of. Do you have anything in your brain that kind of like,
you definitely looked at and thought, that's sketchy, but I see it everywhere. No one's exploiting it. So I'm just going to move along.
Joel Margolis (56:56.266)
Yeah, I mean, there are definitely things where I sort of draw the line. So like, think I used to be a lot more like permissive, I think, in terms of like things I would consider as like, ooh, maybe there's a bug here. And like, I think where I really have lately drawn the line is like anything to do with,
Justin Gardner (@rhynorater) (57:00.533)
Mm
Justin Gardner (@rhynorater) (57:07.829)
Mm-hmm.
Joel Margolis (57:14.68)
Well, yeah, I mean, most things to do with like new account creation, new setup, like initial setup, account setup, like that kind of stuff. Like maybe I'll put some payloads in there, but I'm not super concerned about like recording the traffic of like a new account setup, because maybe there is a bug in there. Like maybe there's some form of an ATO or something, but like most of the time, like this is a one time scenario that like happens where like you have very limited amount of configuration. It like probably won't ever pop up more than once. So if it's something
Justin Gardner (@rhynorater) (57:18.431)
Mmm.
Justin Gardner (@rhynorater) (57:25.141)
Yeah.
Justin Gardner (@rhynorater) (57:42.165)
Mmm.
Joel Margolis (57:44.654)
specifically like a user needs to like hit a certain URL during the setup phase or something like that's a very hard attack scenario to propose to the program. That being said, like I'm still gonna record it. I'm still gonna look like, you know, but but
Justin Gardner (@rhynorater) (57:51.904)
Yeah, it is.
Justin Gardner (@rhynorater) (57:56.798)
Hmm. Well, I think I think you can get caught up on that sometimes too. Like I've often spent many times or a lot of time before the many times man. I don't know what is wrong with me today, man. You know, I've spent a lot of time pre-auth just kind of playing with that flow and like trying to get it to do something funky or whatever. And I'm like, ninety nine point nine percent of the functionality of the application is on the other side of this process. Like maybe I should just.
But I also thought you were gonna go in a different direction with that because I've seen a lot of people pop crazy stuff on signup flows or like, one I think under discussed type of bug is signup hijacking. If there is some way for you to predict what kind of unique identifier the user will get before they actually have an account and then brute force that to take over active signups.
then I think that that is a really high value attack because then you can, sometimes you can get access to PII that's cached in the signup flow or maybe even affect that user's password, whatever. Or maybe even just automatically get logged into their account if you just put, like, yeah, I accept the terms and conditions and that's like the last step and then it says, okay, welcome to the website or whatever. So, yeah, think there's, I think this is kind of like what we talk about when we say,
everybody's got their own set of eyes for testing, right? You know, Franz looks at the request ID and says, hmm, I think that could be weird. You know, there's people that look at the signup flow and be like, that seems a little odd. And then the rest of us sort of skip over it. And that's why it's important to have a variety of hackers hacking on your program rather than just like one pen test company you use every year, year over year.
Joel Margolis (59:44.802)
Yep.
Justin Gardner (@rhynorater) (59:47.222)
Did you have anything else you wanted to add to that? Things that are like X-Correlation-ID that you think might be sketchy but you haven't taken the time to dive into?
Joel Margolis (59:56.254)
No, but I think like just generally speaking like it's a very healthy mindset to like not get so like
Justin Gardner (@rhynorater) (01:00:00.8)
Mm
Justin Gardner (@rhynorater) (01:00:06.728)
systematic about it all? Yeah. Yeah.
Joel Margolis (01:00:07.21)
Repet, yeah, like repetitive, like autopilot, right? Like you don't want to just be like, I've seen that header a million times. Like taking a step back and thinking, what is that header? Like have I ever thoroughly looked into that and, seen like, w w like, why did they send that header? Like there's some reason it's not just there for no reason. Like some technology is sending it or some, some, you know, tracing behind the scenes or like, you know, it's there for some reason. Like they don't, you don't put something in an application for no reason.
Justin Gardner (@rhynorater) (01:00:35.476)
Yeah. Yeah. And I think, this is another reason that I really advocate for spending a lot of time on an application, you know, spending more time than you are, you know, comfortable spending because you get to the point when you're out of ideas and then you sit there and you're forced to be creative. You're supposed to, you're forced to think, all right, well, what if there was a, you know, RCE in the request ID, you know, header, right? Or like that sort of thing. And you try those things out and you grow as a hacker.
Yeah, so spend time, spend time, go deep, guys. The last thing that I wanted to mention on that was I think those endpoints that return a one-pixel GIF I think are mostly just kind of used for logging or like... Yeah, tracking pixels and stuff like that. Those don't necessarily... Yeah, I've never seen anything weird with those, but I do wonder where all that data ends up and in what kind of ones there could be there. So just a couple, couple thoughts that I had surrounding all
Joel Margolis (01:01:08.706)
Yeah. Absolutely.
Joel Margolis (01:01:21.078)
Yeah, tracking pixels.
Joel Margolis (01:01:35.554)
Yeah, absolutely, okay. Last thing. Second last thing, you posted this link and I was very confused because it does nothing for me. So maybe you can. Yes. Wait. Now what? Now it even does even less of something. Actually. It wasn't doing that before.
Justin Gardner (@rhynorater) (01:01:43.094)
Mm
Justin Gardner (@rhynorater) (01:01:47.196)
Yeah, the one to my website? Okay, well, hold up. You... shoot, did I...
Justin Gardner (@rhynorater) (01:01:58.88)
Well, no, no, no, no, no, it works. Yeah, click at the beginning of the link. Don't click on the middle part. So this is just a, here, I'll send it to you in Discord. This is just a little quirk of HTML that I found out the other day that, you know, I wanna say I mentioned it on the pod, but maybe I didn't, so I just wanted to go ahead and mention it, which is that you can, if you have a,
Joel Margolis (01:02:01.259)
It works.
Justin Gardner (@rhynorater) (01:02:27.808)
tag injection, you can actually trigger a post request, which is something that I didn't know. Wait, it still doesn't do anything for you?
Joel Margolis (01:02:31.566)
This is nothing for me. So I'm clicking it and I'm looking at my network tab and there's nothing.
Justin Gardner (@rhynorater) (01:02:38.506)
What? No, no, no, it works, dude, you're trippin'. You're trippin', dude, it works. So essentially, let me just tell the people about this and we'll troubleshoot your janky Chrome instance afterwards. So essentially, if you have an A tag, which I feel like is one of the more common places where you can get an injection because A tags are allowed in Markdown, and sometimes you wanna try to trigger a post with that because you...
Joel Margolis (01:02:42.146)
I'm on the latest Chrome.
Joel Margolis (01:02:48.034)
Okay.
Okay.
Justin Gardner (@rhynorater) (01:03:06.266)
you want to trigger a CSRF on the website and maybe it's origin-based checks for CSRF or something like that. And if you are able to smuggle in the ping attribute, then when you click the link, it will execute the link, but also will send a post request to wherever you set the ping attribute to.
And in the post request, Joel, I don't know why you can't see it, dude. I don't know why. But it contains some interesting things. It contains a header, Ping-From, and Ping-To that contains the full location href of the page that you're on. I think, no, no, no, no, I'm on Chrome. Joel, you've got some filter on for sure, or something like that.
Joel Margolis (01:03:44.374)
What? Are you on Firefox?
Joel Margolis (01:03:49.838)
So weird. You think? I'll open it in Incognito.
Justin Gardner (@rhynorater) (01:03:55.252)
Yeah, just try that. But the ping attribute I thought was really interesting because I didn't know that you could trigger that post request specifically with an a tag. And I think this could be helpful for one, leaking location href via these Ping-From, Ping-To headers. And then for two, I think this could be applicable in sort of like a client-side path traversal slash text injection or HTML injection to CSRF environment.
Right, where you can sort of create this a tag dynamically and when the user clicks on it, you trigger some CSRF that happens on the website. And I think this would also be really helpful in an environment where there are same site strict cookies, where the request must originate from the same origin for the cookies to be sent. So if you can get an a tag injection and add the ping attribute, then you can trigger that post request. Joel, do you still not have it, man? My God, Joel.
Joel Margolis (01:04:50.508)
I'm gonna send you a video.
Justin Gardner (@rhynorater) (01:04:54.352)
All right. Well, all right. Let's end it here. Let's call it a wrap. And I'll go troubleshoot your instance. All right, let's go.
Joel Margolis (01:05:01.43)
Okay, alright dude, this is a good episode.