Sept. 26, 2024

Episode 90: 5k Clickjacking, Encryption Oracles, and Cursor for PoCs

Critical Thinking - Bug Bounty Podcast

Episode 90: In this episode of Critical Thinking - Bug Bounty Podcast, Joel and Justin recap some of their recent hacking ups and downs and have a lively chat about Cursor. Then they cover some research about SQL injections, clickjacking in Google Docs, and how to steal your Telegram account in 10 seconds.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Shop our new swag store at ctbb.show/swag

Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder

Resources:

Breaking Down Barriers: Exploiting Pre-Auth SQL Injection in WhatsUp Gold

Content-Type that can be used for XSS

Clickjacking Bug in Google Docs

Justin's Gadget Link

https://www.youtube.com/signin?next=https%3A%2F%2Faccounts.youtube.com%2Faccounts%2FSetSID%3Fcontinue%3Dhttps%3A%2F%2Fwww.google.com%252Famp%252fpoc.rhynorater.com

Stealing your Telegram account in 10 seconds flat

Timestamps

(00:00:00) Introduction

(00:08:28) Recent Hacks and Dupes

(00:14:00) Cursor

(00:25:02) Exploiting Pre-Auth SQL Injection in WhatsUp Gold

(00:34:17) Content-Type that can be used for XSS

(00:40:25) Caido updates

(00:43:14) Clickjacking in Google Docs, and Stealing Telegram account

Transcript

Joel (teknogeek) (00:01.175)
Listen, I'm getting roasted.

Justin Gardner (@rhynorater) (00:01.372)
Dude, we're just... Dude, you're just rolling up to Twitter like, "Alright guys, I'm freaking expensing these Genshin Impact pies, dude." What a tweet, man. What a tweet.

Joel (teknogeek) (00:10.244)
Listen, listen, it's in policy, okay? I get a per diem for dinner. I chose to eat it at McDonald's, okay? I open the McDonald's app and there's Genshin Impact Apple Pies for sale. Like, I ordered them and I was like, damn, I just realized I'm gonna have to file an itemized expense report for the Genshin Impact Apple Pies.

Justin Gardner (@rhynorater) (00:17.756)
huh.

Justin Gardner (@rhynorater) (00:26.006)
How do you say no to that? How do you say no to that?

Justin Gardner (@rhynorater) (00:38.296)
Oh my gosh, dude, that's amazing. I'm looking at this little side picture here in Riverside where it shows your, I think the thumbnail, the first frame that happens when you loaded up your camera, dude, and it looks like you just rolled out of bed in your hair. Okay, alright guys, sorry about all that. Joel, where you at, man?

Joel (teknogeek) (00:52.335)
I

Joel (teknogeek) (00:55.958)
Thanks

Joel (teknogeek) (01:01.625)
I'm in LA. Yeah, I'm in LA for a couple of days. I'm here for a conference. So I'm just popping in and out. But yeah, we're back on that East Coast, West Coast time difference.

Justin Gardner (@rhynorater) (01:02.571)
You're in LA.

Justin Gardner (@rhynorater) (01:07.404)
Nice.

Justin Gardner (@rhynorater) (01:14.208)
Yeah, yeah, it's, mean, it works out well, to be honest, because you're an early bird, yeah.

Joel (teknogeek) (01:21.253)
Yeah, yeah, it's not too bad, but it was a little bit difficult getting myself out of bed this morning, I will say. You're like, 8 a.m., I'm like, 5 a.m.

Justin Gardner (@rhynorater) (01:26.018)
I'll say it works out well for me. No. 5 a.m., my gosh, that's great, dude. Well, yeah, just to give Joel an out here, there was a little bit of miscommunication this week and Joel did not know that he was gonna be on the pod this week. Joel, thanks for showing up, man.

Joel (teknogeek) (01:45.944)
So it was like, you ready to record tomorrow? And I was like, no.

Justin Gardner (@rhynorater) (01:50.026)
Yeah, so thanks for showing up, dude. Thanks for doing the homework, and you got the air... rocking the AirPods today. If this is your first episode, whoever is listening, I'm sorry. This is not our normal audio quality, but you know, we show up. We show up every week. That's what we do.

Joel (teknogeek) (02:05.67)
Dude, one thing I will say, one thing I will say, there was a rumor, there was a rumor, I don't know if this is true or like when it's gonna happen, but apparently Apple's gonna be rolling out a change at some point where the AirPods are no longer gonna switch into handset mode when you're using the microphone and they'll stay on like the 48 kilohertz or whatever. And I think it's gonna happen like over thread or something instead.

Justin Gardner (@rhynorater) (02:27.66)
What is,

What does that mean?

Joel (teknogeek) (02:32.581)
So when you're so normally like your headphones, like, you know how like there's an audio quality difference when you hop onto a call? It's cause it's using both the microphone and it's using both input and output. So it runs at a lower bit rate. And, and so that's like why it sounds like shit where if you set the, like if I set it to only use the audio and to use the microphone from my laptop, it'll switch back to sounding good. So Apple's apparently making a change where they're gonna

Justin Gardner (@rhynorater) (02:38.474)
Yeah. Yeah.

Joel (teknogeek) (03:01.634)
make it so the AirPods can do both without needing to switch quality. But I don't know. We'll see. We'll see. I saw a tweet about that a couple of weeks ago.

Justin Gardner (@rhynorater) (03:01.856)
Wow.

Justin Gardner (@rhynorater) (03:07.047)
That's pretty baller. We'll see, man. I said yes, but I've never used AirPods in my life. So I have no idea what you were talking about. Yeah, I've heard that they're pretty decent.

Joel (teknogeek) (03:15.676)
They're pretty good, man. I like my AirPods. Yeah, I'm a pretty big fan. I actually just bought, well, I have mixed experiences. My Maxes, I just had them break. And thankfully they were under AppleCare and they fixed them very quickly. But during that process, I then had to buy a new pair of Pros, the little tiny ones. And I've had a pair of Pros for a while and...

Justin Gardner (@rhynorater) (03:38.06)
Mmm.

Joel (teknogeek) (03:43.428)
I'm quite happy with them because I like to store them in my pocket.

Justin Gardner (@rhynorater) (03:44.77)
Dude, it's just like, I lose headphones so fast too. I don't know what it is. Like, I'm not a particularly irresponsible person when it comes to like keeping things. Like I never lose my wallet, my phone, my keys. But for some reason, headphones are just not important to me. Like, and I just, and it's so, I just always get these like same $40 pair, you know, cause you get a good enough quality where it's like, okay, this is good quality. But if I lose it, it's not like, ugh, this hurts, you know?

Joel (teknogeek) (03:55.313)
Bose headphones?

Joel (teknogeek) (03:59.633)
And so...

Joel (teknogeek) (04:09.832)
That's interesting. That's interesting. No, I love them because I just throw them in my pocket and I have them with me like everywhere I go. So, I digress.

Justin Gardner (@rhynorater) (04:13.94)
Yeah. Yeah. Yeah. Well, shout out to Ben for all the AirPods that he's lost. We know that that's a legacy of his. But all right. So I meant to start out this episode a little bit differently, Joel, but I'll do a little story time real quick.

Joel (teknogeek) (04:21.202)
Thanks.

Joel (teknogeek) (04:29.71)
Dude, I saw this story. I got some questions, but I'm gonna let you go ahead.

Justin Gardner (@rhynorater) (04:32.866)
Okay, dude, this is this is just the hacker mentality. Okay, I think this is the I just wanted to do I just wanted to share this story so that we can talk about the struggle that hackers feel internally ethical hackers, right? Because I'm driving down actually, I'm not driving. I'm sitting in the passenger seat I almost always drive our car when Mariah and I are together, right? But for some reason this time Mariah's driving and this asshole cuts her off completely and like she has to slam on the brakes and

Joel (teknogeek) (04:44.497)
Thank you.

Justin Gardner (@rhynorater) (05:01.843)
and I'm looking at this person, I was like, I can see this license plate very clearly, right? I'm like, man, wouldn't it be cool if I, like, if I could just pick a couple black hat things to do, how sick would it be to just be able to hand out like road retribution for all of these like terrible sins that people commit while driving, right? So I could just say like, that guy is gonna get like a ton of toll fines or something like that, right? And just like go in,

Joel (teknogeek) (05:28.138)
Justin, you need to work for the Department of Transportation.

Justin Gardner (@rhynorater) (05:32.75)
I'll do it. I'd never do it. I'm purely on the white hat side, but how cool would that be to just be able to be like, I got your license plate number. You're done for, buddy. You're done for, bucko. You know, like, yeah. You know, and I know I'm not gonna shout out any hackers in particular, but I know a couple of hackers that have like some automation framework surrounding license plate numbers and stuff like that. And so, yeah.

Joel (teknogeek) (05:42.89)
You're done bud. You're done bud. Alright, you're not that guy pal. That's fucking crazy dude.

Joel (teknogeek) (05:58.771)
Yeah, I know the same one you're talking about. I'm glad you phrased it that way because I was going to call them out by name.

Justin Gardner (@rhynorater) (06:03.658)
Yeah, yeah, but, but, you know, it would be cool if there was some way to, you know, if it wasn't just read, if it was write, you know, if we could, if we could just be like, you, you deserve a fine. You're going to get fined. So.

Joel (teknogeek) (06:16.815)
Maybe it's time to do an ethical hacking endeavor on the DMV.

Justin Gardner (@rhynorater) (06:19.826)
Yeah, I don't know, man. It's not, and the thing is, man, I'm not a particularly road rage-y person. So I figured I'd share this on the pod because it surprised me a little bit. I'm like, why do I wanna do that? And I think it's cause they cut off Mariah. Yeah.

Joel (teknogeek) (06:37.238)
Every once in a while it happens to me. I get a I get a road rage incident. Well, incident, maybe that's not the right way to phrase it. I'm not like getting out of my car and yelling at someone. Usually it's the other way around. But it's not because I've caused anything. It's because like I'll flip them off and then they'll flip me back off and then it just escalates.

Justin Gardner (@rhynorater) (06:41.942)
Yeah.

Yeah. Oh my gosh.

Justin Gardner (@rhynorater) (06:57.338)
Dude, whenever anybody flips me off, I just, I do, I do this, I do a little, I do a little heart sign. I do the heart back at them. That just, that just gets them. That gets them, that pisses... So if you flip them off, like, they're like, well, screw that guy, you know, he flipped me off, I flipped him off. But if you give him the heart, you know, if you hit him with a little Korean drama heart, then they're like, what is this? What is wrong with, you know, it gets in their head a little bit more, right? You know, am I wrong? I'm not wrong.

Joel (teknogeek) (07:02.367)
You do a heart? That's crazy. That's crazy, bro.

Joel (teknogeek) (07:20.501)
Thank

Joel (teknogeek) (07:24.493)
yeah man, that's super intimidating, you're right. I feel threatened.

Justin Gardner (@rhynorater) (07:27.296)
Yeah, thanks. Yeah, you're welcome for that. All right, dude, yeah, well, we'll leave that at that. But, so, let's hit some of these topics. We got a pretty lean episode today, guys. I'm just coming off a live hacking event. The show and tells were just like an hour ago. So, I am feeling a little bit high from those, because it's always amazing to see what the other hackers come up with.

And I will also give a shout out to, to Cosmin, inhibitor181, because he and I were both there in this live hacking event that we're working on. There's a massive scope, massive. And he and I both happened to coincidentally choose the same little minimal application. That was just a small part of a small part of the scope, right? And just went ham on that for the whole live hacking event. And, we both found 15 plus bugs.

Cosmin's were substantially more critical than mine, but we didn't dupe at all. Isn't that, isn't that amazing? Yeah. And, and it just blows the mind a little bit because like Cosmin, Cosmin and I, you know, we, we've had vuln overlap before, but it just, cause I remember getting to the end of this event just a couple of days ago and just being like, wow, I think I found everything that could be possibly found on this app, you know?

Joel (teknogeek) (08:30.251)
No, I was gonna say, I was gonna ask. Wow, that's crazy.

Joel (teknogeek) (08:50.516)
This is this is

Justin Gardner (@rhynorater) (08:50.656)
Like I know everything about this app. Like ain't nobody can teach me nothing about this app. And then Cosmin comes in there with like six crits, you know? Seriously. I'm like, and he just found some way to get around a core protection and it just unlocked a bunch of new scope. So yeah, it just goes to show, man. Even if you, you know, I preach a lot on the pod about going deep and becoming the world expert on an application, right? And, and you know, I'm going to say I thought I did it.

Joel (teknogeek) (08:58.732)
Yeah, then the professor walks in.

Joel (teknogeek) (09:06.901)
Nice. That's cool. That's super cool.

Justin Gardner (@rhynorater) (09:20.33)
you know, at this event. But there's always more to learn about it, man. There's always more to learn about it.

Joel (teknogeek) (09:24.547)
Dude, I've been pair hacking on a couple of different random like public programs and, and we've been duping like crazy. It's, I'm like the, I like stuff that like we shouldn't be duping on either. And it's like, we're duping by like two days and it's like super annoying. And like, I've never had this many dupes before. Like I never dupe at live hacking events ever. And like, this time around I am just like.

Justin Gardner (@rhynorater) (09:28.544)
Yeah.

Justin Gardner (@rhynorater) (09:33.669)
Oh no.

Justin Gardner (@rhynorater) (09:46.518)
Yeah, yeah.

Justin Gardner (@rhynorater) (09:51.148)
Are you duping with your pair, like with the person you're working on it with or?

Joel (teknogeek) (09:55.108)
Yeah, we're collabing, so we're duping on like random people. Yeah, somebody else.

Justin Gardner (@rhynorater) (09:56.512)
Yeah. Oh, you're duping on somebody else. Dude, that's super annoying. And it's close too. It's not like something did the program like, let's hit for damn.

Joel (teknogeek) (10:05.504)
Yeah, yeah, like there was one, there was one, I was talking about this in the Discord, that like originally it was duped by like two years and I was like, okay, that's super annoying. Like that this was open for two years and then like they reopened it and were like, actually now that this isn't a dupe, and then like a couple of days later they duped it again on a different bug that was two days before ours. I was like, dang, I can't win here.

Justin Gardner (@rhynorater) (10:14.167)
Yeah.

Justin Gardner (@rhynorater) (10:25.698)
Oh my gosh. Dude. So demotivating. I don't understand, you know, like I understand that they have to do that, right? I understand that it's a part of their job to go in and be like, actually this is a dupe. But like if you do something like that where you open up and you undupe it and then you redupe it again a couple days later, like you gotta understand, if you have any empathy, you gotta understand what that does to the hacker, right? Like why, like, yeah. Yeah, so.

Joel (teknogeek) (10:49.218)
Yeah, yeah, I mean it's terribly demotivating.

Justin Gardner (@rhynorater) (10:54.464)
I don't know, man. I did get a little bit of a shot in the gut though when I thought I had really like wrecked this application and then Cosmin comes in there with like six crits that I missed.

Joel (teknogeek) (10:59.813)
haha

Joel (teknogeek) (11:04.312)
Do you feel like the bypass that he found was something you would have found?

Justin Gardner (@rhynorater) (11:08.084)
No, I mean, I was, so I think I would have found it eventually, but the thing is I specifically decided to ignore a certain part of the application because I thought that the impact was not gonna be, I'll just be a little bit more clear about it. I decided to ignore (REDACTED), right? Because I'm like, you know what? The impact here is a little bit low. I kinda wanna go for the juicy juice, right? And yeah.

Joel (teknogeek) (11:33.829)
Yeah, yeah, ATO.

Justin Gardner (@rhynorater) (11:36.674)
And so I ignored that part and there was an additional piece of impact that could be achieved by using a different component within that environment. So I might have to bleep some of that. We'll see, we'll see. Sorry if I do, guys. But yeah, it was a very creative approach. I think at the end of the day, he just knew more about that part of the application than I did. And that's because I didn't go as deep as I could have.

Joel (teknogeek) (11:49.573)
Hmm. I see.

I see.

Justin Gardner (@rhynorater) (12:05.834)
And that's the thing that I love about these live hacking events, is you always get to see how the other hackers' minds work, and you get to fine tune your own hacker intuition and your own brain radar there. And then next time, I'm gonna be a little bit more thorough about this for sure. Yeah. All right, so we got a couple things. We got a couple write-ups. We got a couple gadgets. We got some cool research that I stumbled upon. But first,

Joel (teknogeek) (12:22.962)
yeah, that's awesome.

Justin Gardner (@rhynorater) (12:33.346)
I wanted to go ahead and handle a community request here from NBK underscore 2000 on Twitter saying, tell us about some of the stuff you're doing with Cursor, after I tweeted about Cursor. Dude, have you played around with Cursor?

Joel (teknogeek) (12:47.482)
I've been using Cursor to write an app.

Justin Gardner (@rhynorater) (12:49.356)
Dude, it is unreal, is it not?

Joel (teknogeek) (12:52.41)
It's pretty interesting. So.

Justin Gardner (@rhynorater) (12:57.299)
Dude, why do you guys say it like that right as I take a sip of my coffee? Oh man.

Joel (teknogeek) (13:00.434)
Yeah, so I've, I've, I've been, I used it quite a bit over the last couple of weeks. The thing is it can be really good for certain things. I think a lot of the hype around it was very misleading, you know.

Justin Gardner (@rhynorater) (13:15.606)
Wow, okay, we're gonna have different takes on this. Go for it. You're an actual dev, so maybe.

Joel (teknogeek) (13:18.652)
Yes. So, and for what it's worth, I've been using it to write a complicated iOS app for the last couple of weeks. So it's not like I'm not experienced with it. I've gone back and forth with it quite a bit and I'm now at the point where I'm like fully not using it. I actually uninstalled it the other day because I'm now like, I'm just on manual development and I'll explain it a little bit why, but.

Justin Gardner (@rhynorater) (13:26.764)
Okay.

Justin Gardner (@rhynorater) (13:40.278)
Really?

Joel (teknogeek) (13:48.339)
Early on when I, when I first saw it, like a lot of the hype being drummed up, they were like, check this thing out. There's Cursor Composer. You just give it this MD file. Like you, you know, describe like how you want your backend app to work and whatever. And then you just feed it into this and it'll go and create it. And I was like, wow, that's pretty cool. So I went and I was testing with it and I was like, you know, you can, you can actually do this, but I was having trouble like replicating those results to the same extent until I started taking a closer look at those demo videos.

And when you look at the demo videos, the markdown file that they provided to Cursor in the demo was "create a file called server.ts with the following content." And it's literally just a code block. And like they wrote the code for it. That's not like, so that, you know, so, so that aside, right? Like taking that with a grain of salt, like the fact that it can actually get close, pretty cool. You know, like it's very interesting technology.

Justin Gardner (@rhynorater) (14:34.05)
That doesn't make any sense at all.

Mmm.

Joel (teknogeek) (14:46.448)
You know, I think like the context stuff is probably where the biggest hurdle is. Like there's just so much context where you get to a point, and this is why I've switched to manual development, where there's too much context for a GPT, especially a free one, to be able to do anything meaningful with. And you'll get to a point where it starts to clobber itself, where it'll, you know, change things or doesn't have enough context to.

to keep things the way they are, to keep functionality the same. And like as a human, like, you know, like I don't want to change this. I just want to add this one thing, but it will like change other parts of the application just to do this one thing, or it'll, you know, re-add a class that already exists, even though it should know that it exists, just for like, you know, to get rid of an error message. So, so it'll do like a lot of that kind of stuff, which is a little bit tricky. But.

Justin Gardner (@rhynorater) (15:34.454)
Yeah.

Joel (teknogeek) (15:42.006)
You know, as a whole, it's a very, very cool piece of software.

Justin Gardner (@rhynorater) (15:46.656)
Yeah. So, so I think you're coming, I think our difference in perspective here is coming from the fact that you're using it to actually code a large application, right? The project you're working on is a lot more advanced than anything I'm working on, right? And it's also in a language, I think, that probably, I theorize, the AI has less experience with. For me, I'm writing mostly HTML, CSS, JavaScript, Python, right? Those are, those are the ones that I'm using it for.

And most of the time what I'm coding are proof of concept exploits, right? So I'll essentially say to it, and I'll have cool ideas for, this is the cool part, right? Because for a hacker, I often have these cool ideas for my proof of concept bugs, especially my web stuff, that kind of utilizes common flows of the web and a user's tendency to be able to wait on a page.

you know, for a certain amount of time, right? Without realizing anything's happening. So I can say like, hey, generate a loading bar that takes, you know, 20 seconds for it to load. And if I had to code that myself, I'd be like, I'm not gonna do that. But because I can just tell Cursor, hey, generate that, and it does it, it makes my proof of concepts much more beautiful and much more realistic to the program, where they can come to this page and be like, yeah, I didn't even realize I was sitting on this page for 20 seconds. And something's happening in the back.

Joel (teknogeek) (16:48.607)
Yeah. Yeah.

Joel (teknogeek) (17:15.231)
Yeah, exactly. So before I was actually having it write an iOS app, a lot of the experimentation I was doing with it was around web apps and stuff and just having like, I won't go into the rabbit hole. It's a very dumb rabbit hole, but we were trying to have it write a very silly web app. I can't even go into the details, I guess it's too much. The point is,

Justin Gardner (@rhynorater) (17:18.871)
Mm

Justin Gardner (@rhynorater) (17:34.504)
Oh my gosh.

Joel (teknogeek) (17:43.083)
It can do a lot of really impressive stuff. I think one of the more impressive things is how it can integrate with libraries. So you'll be like, you know, I want, I want to do this thing. And instead of like expecting that it's going to home roll, like, image recognition or something, it'll just pull some JavaScript library that actually does it really well. And it'll just implement it and it just works. So, you know, there were definitely like, for, for more basic web apps, it's really good at that kind of stuff. And like, you know, a couple files, like you said, like.

Justin Gardner (@rhynorater) (17:50.007)
Mmm.

Justin Gardner (@rhynorater) (17:57.32)
Yeah.

Justin Gardner (@rhynorater) (18:01.004)
Mm.

Justin Gardner (@rhynorater) (18:09.59)
Mmm.

Joel (teknogeek) (18:12.378)
You know, maybe you need a backend server that does some specific flow and you just want like a little front end, like an HTML thing that, you know, and could you do it yourself? Sure. But can you do it in 10 seconds? No. So, you know, Cursor is kind of nice for that.

Justin Gardner (@rhynorater) (18:23.808)
Yeah, exactly, exactly. So here's the thing that I'll shout out about Cursor to the hackers out there. Like for us, the end goal is not to create some majestic code that is running very high efficiency, very optimized, you know. Okay, well, most of the time when we're coding our proof of concepts, hey, no, I mean, you're a dev. I'm talking about us as hackers, right? Most of the time our goal is to just

Joel (teknogeek) (18:38.433)
Well, speak for yourself.

Joel (teknogeek) (18:44.025)
I'm trying to make a million bucks with my iOS app, all right?

Justin Gardner (@rhynorater) (18:53.622)
build POCs. This thing is very good for getting a rough solution to a problem. And also adding some of those nice to haves that make it a lot more clear. For example, I'll just share this little tidbit. One of the things that is really negative about GDPR and all of this cookie stuff, like you gotta accept the cookies, is that everybody has just tuned that out completely. So it is extremely easy to harvest a click.

by just popping up a little box saying like, do you like cookies? You don't even need to say anything else, just say cookies. They're just like, accept, accept, accept, right? So it's extremely easy to harvest a click in that scenario. And so, you know, in order to make your proof of concepts more reasonable, more beautiful, more convincing to the team, which we've already talked about, you know, really increase your bounty. I think my experience has been up to 1.5 times your bounty if you do a really good POC.

Joel (teknogeek) (19:27.93)
cookies.

Joel (teknogeek) (19:51.324)
But let me just throw a little anecdote in here. I woke up this morning and I checked my email inbox and I had a beautiful POC, okay, for the record. Like I said, I've been going deep on some applications. We went through the effort of writing an entire backend server to handle and proxy your class, all this stuff, okay? I get a notification this morning. Treyendr has updated severity from critical 9.0 to none.

Justin Gardner (@rhynorater) (19:53.14)
What?

Justin Gardner (@rhynorater) (19:58.972)
Oh no, Joel.

Justin Gardner (@rhynorater) (20:08.575)
You

Justin Gardner (@rhynorater) (20:17.658)
No, Joel, please. Okay. Dude, you know, we do have a little bit of like good cop, bad cop thing going on here with bug bounty, because I feel like I'm relentlessly optimistic about bug bounty. I'm like, this is the great shit about bug bounty.

Joel (teknogeek) (20:19.26)
Report has transitioned to pending program review.

Joel (teknogeek) (20:32.068)
Just like I love getting duped so I can see where I messed up and I'm like when I get a dupe I want to quit hacking.

Justin Gardner (@rhynorater) (20:35.294)
Hahaha!

Justin Gardner (@rhynorater) (20:40.066)
Oh my God, dude, I love it, man. Yeah, not to say it's always the case, but using Cursor AI to, TLDR it, for anybody who didn't follow us through that monstrosity of a conversation, Cursor is really good for building POCs that have nice-to-haves, especially in the web world, and also just making quick modifications to your code so you don't have to go look up all these things. Because us as hackers, we're not necessarily writing the code every day. We're reading the code. We're playing around with it.

And we can get it there, it just takes more time. I think Cursor is an excellent tool for hackers because it takes away that need to know all the syntax, all the flows, and it does a lot of it if you can describe the general concept.

Joel (teknogeek) (21:21.726)
Right. For sure. It definitely, and like I said, it doesn't have to be, I think, you know, unfortunately when there's hype, clearly that video that I was talking about, like, you know, they want it to work perfectly. So that's why it was done in the way that it does. So they can say, you know, write the backend for this app using this file. And it just, just works, right. Quote unquote just works. But, but like, it just works because you did all the heavy lifting. That being said, you can also get it to do.

Justin Gardner (@rhynorater) (21:32.757)
Mm

Justin Gardner (@rhynorater) (21:43.19)
Hahaha

Joel (teknogeek) (21:50.047)
that stuff, right? And, and it can do a good amount of work and pull in a lot of context just out of the box, like free using Claude 3.5, like, you know, very, very, you know, it's very cool, very, very interesting stuff. Honestly, the biggest thing that I like struggle with is I pay for ChatGPT Premium Plus or whatever, and I have like access to o1-preview and stuff.

Justin Gardner (@rhynorater) (22:19.018)
Mm-hmm.

Joel (teknogeek) (22:19.548)
I just want to hook it into that and I don't want to pay for like the API stuff, which is like a totally different cause it's like tokens and stuff.

Justin Gardner (@rhynorater) (22:23.83)
Okay.

Hmm. Yeah. I do. I mean, do you think it's better? Do you think like the OpenAI stuff is

Joel (teknogeek) (22:31.198)
I don't know, I mean, here's the thing, here's the thing, whether or not it's better, I'm unsure. The fact that I'm paying for it is really all it is. So like, I'm paying for a version that should be better than Claude 3.5 out of the box.

Justin Gardner (@rhynorater) (22:39.153)
Oh, man.

Justin Gardner (@rhynorater) (22:43.04)
You know, I think that the Claude products are probably better for code stuff. That's what I've heard from people that know more about AI than me. So.

Joel (teknogeek) (22:52.167)
Yeah.

Joel (teknogeek) (22:57.152)
That's what I've heard as well, but I've gone back and forth with the two of them. I think the biggest, well, to be fair, I put it up on very, very difficult, unfair challenges where I'll be like, generate a Frida script, and it'll just start to hallucinate. And I'm like, man, this stuff is garbage. And then I'll be like, generate a Python script that like opens a web server, and it'll do that perfectly. So obviously, you know, so I think it depends on, you know, set your expectations accordingly, but it's still, it's still quite cool.

Justin Gardner (@rhynorater) (23:06.359)
Yeah.

Oh snap, yeah.

Justin Gardner (@rhynorater) (23:19.754)
Hmm. Yeah.

Justin Gardner (@rhynorater) (23:26.42)
Yeah, okay, so I've got this next item here on the doc, Joel, and I'm gonna talk through it really quick, but I'm also gonna go off on a little bit of a tangent, okay, from a recent hacking experience. I'm just cautioning you, you know, so you're not taken by surprise. You know, given our normal strict adherence to the doc. Yeah, okay, so we got a write-up here from SinCynology from Summoning Team. He was on the pod a couple months ago.

Joel (teknogeek) (23:36.103)
You never do that. So, and neither do I, so.

Joel (teknogeek) (23:42.033)
It's true.

Joel (teknogeek) (23:46.15)
Right,

Justin Gardner (@rhynorater) (23:56.122)
And it's a great write-up on WhatsUp Gold SQLi. The thing that I wanted to highlight from this, and we'll link it down below, I'm not gonna walk you through the whole thing once again, because like Sina does, it's an amazing detailed write-up of all the different code blocks and all the different techniques and thought patterns that he went through. So definitely a recommended read. I just wanna pull a couple things out of this, okay? So he gets a vanilla SQLi.

And I want to just say, there's like this really bad ass quote.

Joel (teknogeek) (24:25.505)
of vanilla SQL. First of all, I haven't found a SQL injection since 2015, but keep going.

Justin Gardner (@rhynorater) (24:31.552)
I know, right? This is crazy, dude. Like, they exist, they can find them, there's been a couple.

Joel (teknogeek) (24:36.034)
It's been literally almost 10 years since I've had a SQL injection. I don't like... However, how are we not using prepared statements, folks? Come on.

Justin Gardner (@rhynorater) (24:39.096)
I know man, they're deep in there but

Dude, and this is what he said, I'm just gonna quote this thing, he says, and this leads to a vanilla SQL injection as one would expect from such a sophisticated application. So one, one burned, two, great bug, so not very good, and yeah.

Joel (teknogeek) (24:55.239)
Yeah, yeah.

Joel (teknogeek) (25:01.557)
Wait, real quick, real quick, real quick. I need to pivot back to the cursor stuff because this reminded me of something. That video I was talking about, I quote tweeted it when I first saw it and I was like, security engineers or security researchers rubbing their heads together. The dev develops an entire backend service without knowing how it works. This is exactly how I feel, dude.

Justin Gardner (@rhynorater) (25:06.188)
Joel! What are you doing?

Joel (teknogeek) (25:22.977)
You know, it's like you got this awesome sophisticated application secretly behind the scenes Cursor, Claude 3.5 wrote this whole thing and it did it in a way because it's like, I want to do this fast and quick and it's just going to work. And it accidentally created like 15 security vulnerabilities behind the scenes, but it works.

Justin Gardner (@rhynorater) (25:34.528)
Mm.

Justin Gardner (@rhynorater) (25:39.104)
Yeah, no, no, no, I think it's great job security for us. As long as there isn't a, you know, Cursor equivalent of the security researcher. Right. Yeah, absolutely. Okay, so now that you've gone off on your little tangent, we're going back to the thing. We got an SQLi, here's what he does with this, okay? What he ends up doing is a common SQLi exploitation technique, which is let me overwrite the master password.

Joel (teknogeek) (25:46.85)
Well, we need to land some AI sponsors here. Job security. I'm seeing it now.

Justin Gardner (@rhynorater) (26:08.962)
for this application, right? So I can just log in as the admin and get into the app, right? But in this specific application, this master password is encrypted, okay? And so it's not as easy as just overriding the password. And you can't register an account or anything, this is an unauth bug. So what does he do? He dives deep into the encryption, figures out exactly how it works and...

You can't reproduce it. You know, it's unique to a random thing on that machine, right? But what he does instead is he finds an encryption oracle, okay? And he uses the SQLi to read an encrypted piece of text from somewhere else in the application that's in the database, extract that out and set it as the master password for the actual user and then proceeds to log in, right? So I just wanna, yeah.

Joel (teknogeek) (27:03.083)
One thing I will say is like, this is one of those, like you get to this point and you're like, okay, how bad do I want to destroy this application? Because, we're going to test some things that are probably going to break everything.

Justin Gardner (@rhynorater) (27:12.39)
Yeah, exactly.

Justin Gardner (@rhynorater) (27:17.664)
Yes. Yeah. No, no. And, you know, this is important to notice, note here that, that he's, he's targeting an application that is offline, right? This is a, this is not a cloud instance. This is a, you know, this is him on his machine with his thing, you know, don't go overriding all this stuff with SQL injections. It's extremely dangerous and I've been burned by it. Tons of people have been burned by it. So please don't do that in production. But, I think that this was a really unique,

Joel (teknogeek) (27:31.136)
Okay, okay.

Justin Gardner (@rhynorater) (27:46.946)
cool thing to do. And I wanted to sort of pivot off of the topic a little bit because this whole concept of encryption oracles, it's very interesting and it's very applicable, I think. So there's an app that I've been testing a couple months ago where there's a big piece of their security was built off of this encryption aspect that they had. If you were able to get around that encryption, you could really reliably attack the application.

And so this concept, yeah.

Joel (teknogeek) (28:18.381)
Which I think is pretty common by the way. just like, you know, JWTs, for example, I think like a great example where like a JWT is one key leak or one generation Oracle or one arbitrary input in like JSON injection, like anything like from being really catastrophic, right?

Justin Gardner (@rhynorater) (28:24.32)
Mm-hmm. Yeah.

Justin Gardner (@rhynorater) (28:32.224)
Yeah, JSON, yeah.

Justin Gardner (@rhynorater) (28:37.27)
Yeah, absolutely. And so I think a lot of hackers sort of shy away from this cryptography piece because it's very math heavy and it's very like complex and you've got to understand a lot of the various pieces of the system to be able to exploit it. But it's extremely impactful. And one of the attacks that I think is really consistently impactful if you can figure it out is this oracle thing, right? If you can provide some string,

and that string will get encrypted reliably and you can get that encrypted value out, there's a lot of weird stuff you can do with that because applications are not trusting or they're not expecting that you can get that encrypted value, right? And so they're trusting that. And so anytime you see something like that, like brainstorm a little bit in your brain, like how could I get this encrypted value? Where could I find this? And then actually what I did in this specific environment was I set up a...

A Caido workflow that took like, you know, maybe 15 minutes to write where I would inject at a specific spot. I'll keep it a little vague. I'll inject at a specific spot and then note, you know, where that I could tell in the response, whether or not my, my data had been encrypted and put in the response or not. And, and so I think that that sort of thing is, and then I navigated the application, navigate that, but it didn't end up panning out.

But I was proud of the methodology because I think there are very niche cases where you can get that encryption oracle and then apply it to the app. And it's really catastrophic.

Joel (teknogeek) (30:13.673)
Yeah, so I've got two tips on that. One is if you think that you have one, try to pad in your data with something like a super, super long string, like 1,000 A's or something. And one common thing that you'll see is the response length goes up significantly when you have that encryption oracle, the value's getting reflected in there. The other thing is with the length side of it, a lot of applications aren't expecting large,

Justin Gardner (@rhynorater) (30:15.415)
Yeah.

Justin Gardner (@rhynorater) (30:29.131)
Mm

Justin Gardner (@rhynorater) (30:33.708)
Mm-hmm.

Joel (teknogeek) (30:43.654)
very large JSON objects and stuff. So oftentimes that will either break at the web server level where it's like we're trying to return a content length that is far larger than expected, or it will break at like, you know, the library level where it might be trying to craft the JWT or trying to craft, you know, that response token back that it's generating for you, that encryption token. So yeah, large values is really useful.

Justin Gardner (@rhynorater) (30:46.668)
Yeah.

Justin Gardner (@rhynorater) (30:58.593)
Mmm.

Justin Gardner (@rhynorater) (31:06.614)
That length piece was exactly one of the techniques I used in that application. So, yeah, there's definitely inflating the size. If you theorize that you might be injecting into an encrypted context, then just inflate your input size. And if the output is also inflated, then there's a good chance that you're injecting somewhere in that. You might be able to, depending on what's being encrypted, you could do JSON injection, you could do path traversals, you could do all sorts of stuff.

Joel (teknogeek) (31:35.55)
Yeah, and this is one of my favorite things to do, you know, for like information gathering when I'm looking at an application. It's just like fuzzing inputs with different types and different things and what it's expecting. So if it's expecting a string, give it a list, if it's, or give it null, if it's like JSON, like give it, you know, the, the, the null type, not, not an empty string. Give it like extra parameters, give it invalid JSON, just try a bunch of different stuff because eventually one of those is going to raise an error.

Justin Gardner (@rhynorater) (31:38.869)
Mm

Justin Gardner (@rhynorater) (31:46.365)
Mm. Mm. Mm.

Joel (teknogeek) (32:02.834)
and it's going to give you something that's a bit revealing about the application, about how it's actually functioning.

Justin Gardner (@rhynorater) (32:07.338)
Yeah, dude, I, when you said that, it made me think of something. I don't know if you were asleep or not, cause I know the time zones didn't work super well for you, but there was a, there was a show and tell, let's just say, let's just say there was a show and tell given and let's just say Frans was wearing a CTBB t-shirt and there was a shout out given to CTBB podcast for something that has been said in the history of the podcast that may have had an application. That's all I'm gonna say. That's all I'm gonna say. Hmm.

Joel (teknogeek) (32:17.182)
I didn't see it.

Joel (teknogeek) (32:36.053)
Finished. Finished. Swoosh for thought.

Justin Gardner (@rhynorater) (32:37.506)
All right, let's move along here. One of the things that I've been hacking on lately, there was an ability for me to do a file upload. And inside of this file upload environment, there was essentially a regex for the content type of the file that you could upload. And it needed to start with image slash. There was a regex for

so that you couldn't do SVG plus XML, right? So it's not gonna allow you to do XSS via that. And so I started researching some of the different cool things you can do with content types if you have a lot of flexibility over it like there was in this scenario. And I stumbled upon this writeup called content-type-research by Blackfan. It's a GitHub repo on

on GitHub. It's a repo on GitHub. Yeah, you're welcome for that. And dude, whenever I see stuff like this, I just get happy. Because we talked about this before, content type research. That is so helpful, because people are going deep into these things that are components of various attacks. And it contains a really nice table of content types that can be used for XSS, and then

Joel (teknogeek) (33:39.948)
So get a repo on GitHub, yeah.

Justin Gardner (@rhynorater) (34:06.314)
Response content types tricks, which was the thing that helped me in this scenario. So click that link and scroll all the way down to the bottom. Dude, it blew my mind that this content type is valid. Okay, content dash type colon text slash HTML left parenthesis xxx. That will, that will trigger an XSS, that will, that will be parsed as text HTML even though there's no space. It's just a left parenthesis.

Joel (teknogeek) (34:12.8)
I'm looking at it, this is so weird.

Justin Gardner (@rhynorater) (34:35.734)
That is a valid delimiter in the content type header. Isn't that crazy?

Joel (teknogeek) (34:38.583)
Do you find that you have content type injection pretty frequently?

Justin Gardner (@rhynorater) (34:41.886)
in file uploads, yes, because what will happen is, is you, you upload a file, right? And they'll be like, right. Wrapping an S3 policy or whatever. And then they'll upload the thing to S3 and you can specify the content type that it should be served with when you upload it to S3. and so I often find that they're doing some sort of regex on the content type, but sometimes they just like statically say, all right, we're going to allow image JPEG, image PNG, that sort of thing. So yeah.

Joel (teknogeek) (34:44.461)
Okay.

Joel (teknogeek) (35:08.801)
Hmm. Hmm. Super cool. Yeah. No, this is, this is great. I mean, this is one of those like meta, you, you bookmark it and not like, you know, the next time you're, you realize that you have content type injection, you're gonna be like, shit. Where was that content type research repo?

Justin Gardner (@rhynorater) (35:13.399)
Mm.

Justin Gardner (@rhynorater) (35:18.848)
Yeah. Yeah. Yeah, exactly. And then here's the cool thing about this too, you know, if you can get it rendered, you don't have to necessarily control so much of the body, right? You can just control some arbitrary pieces of the body. But if you can get the content type to be something that will be rendered as HTML, then you'll still get XSS. Especially when you can control the character set as well, which you can in a content type header.

because even if there's some restrictions on what type of characters you can put in there, you can play around with the charset a little bit and get the browser to interpret it as HTML. So really cool research here. The other one I wanted to shout out, besides that weird delimiter of the left parenthesis, which I never would have thought, is this first one right here, which is a multiple content type header. And one of the things I love about this repo is there's just a link you can click to prove it.

You don't have to like just take their word for it. Like they've already prepared a link and everything, you can just click and see if it pops in your browser, and it does, man. So this is the content type header text slash plain semicolon x equals x comma text slash HTML, right?

Joel (teknogeek) (36:31.962)
Yeah. My other favorite thing is that they link for this one specifically, they link to the, the whatwg.org, like HTML spec that specifically says like, here's like, yes, you can put multiple values in and here's like the different formats that you can, you know, you can extract a MIME type. Like, you know, yeah, it's, it's super interesting.

Justin Gardner (@rhynorater) (36:40.342)
Hmm, yeah.

Justin Gardner (@rhynorater) (36:50.762)
actually use. Yeah, it's very nice. So even if you have a strict regex, like must start with text plain or something like that, and it's just not validating the charset or something like that, you can put in a comma and then add another content type header and validate the first one and then you're off to the races. So I think there's a lot of...

There's a lot of applications for this sort of thing, knowing the nuances. And sometimes it can even result in RCE if you are uploading to an actual environment that will do server-side rendering. For example, if you're able to get a PHP file uploaded or something like that. So these tricks can result in stored XSS, absolutely very common. But also you got to think about that bigger application as well.

Joel (teknogeek) (37:41.476)
Yeah, yeah, I mean, this is, this is some awesome research. So I'm definitely going to be starring this on GitHub and bookmarking it.

Justin Gardner (@rhynorater) (37:49.026)
Nice. Another quick thing, we'll hit the Caido stuff and then I'll jump into another piece of really awesome research. Caido released version 0.41 and this actually has a plugin store, which is awesome. So definitely looking forward to seeing how this helps some of the distribution in Caido plugins and I'm gonna be uploading Xpido, my Caido plugin and...

Maybe there's another Caido plugin in dev right now with another guest of the podcast. So we'll see when that gets released, because it's kind of a monster. It's going to be a big one to dev. But definitely be on the lookout for that.

Joel (teknogeek) (38:23.675)
Mmm. Mmm.

Joel (teknogeek) (38:29.105)
Yeah, I will say like, I will say as like a Caido user, like it's been very difficult for me to sort of like follow the...

Justin Gardner (@rhynorater) (38:33.303)
Yeah.

Joel (teknogeek) (38:39.826)
Yeah, I mean, like plugin stuff has shifted a lot, right? So like in the beginning there was nothing, right? And then there was EvenBetter, which added like a way to sort of like, you know, add stuff. And then they had like the plugin library, but also there's the workflow library, which I think is also from EvenBetter or no, that one's from Caido, right? And then like EvenBetter also has a way to install bundled

Justin Gardner (@rhynorater) (38:40.033)
development of the plugins.

Justin Gardner (@rhynorater) (38:48.769)
a library.

Justin Gardner (@rhynorater) (38:57.185)
Yeah.

Joel (teknogeek) (39:07.43)
plugins or something. And now there's like an official or something off the table. Don't worry about that. And now there's like an official plugin store. I, yeah, I think it might be good from the Caido side. I know you have, you've, you've got, you've got a direct line in there. But it might be good for them to sort of like walk people through like the right way to do this, or maybe a good way to migrate from all those solutions to the recommended one or something. Cause it does, I'm still a little bit confused about like

Justin Gardner (@rhynorater) (39:11.206)
You just like threw something off your desk. Yeah.

Justin Gardner (@rhynorater) (39:22.176)
Yeah, I've got the inside hookup.

Justin Gardner (@rhynorater) (39:30.881)
Yeah.

Joel (teknogeek) (39:37.296)
what things I should be leaving installed and what is EvenBetter providing me versus the community plugin store versus the workflows library versus, it's all a bit confusing.

Justin Gardner (@rhynorater) (39:44.854)
Yeah, it is a bit confusing, you're right. And that's something that we're working on with Caido. That's something that I've talked to the team about. And I think one of the ways we're gonna solve that soon, hopefully, is get a Caido GPT out there where you can ask it questions like, hey, here's what I wanna do. I wanna add this specific input and look for this encrypted response in the output, right? And then it'll say, okay, if that's what you wanna do, then...

know, XYZ, this workflow is your best bet or whatever, right? And so it should be able to provide suggestions for how you can implement various types of automation you wanna see in Caido. Like you said, Joel, I'll go ahead and add a disclaimer. I am a Caido advisor, I'm on the Caido team, just to shout that out there. But I will say, we do, and I just wanna make this as a general announcement to the CTBB listeners. We do not talk about things

and or advertise things on this podcast that we do not endorse. Like that we haven't had experience with. We have turned down multiple five figure deals to advertise products because we don't like the product. And so just, just saying if it's coming from us, even if it's an ad or if we're talking about it, like this is normally because we have hands on experience with it. We know the person that's releasing it. We know they release quality work. So when I talk about Caido.

I'm talking about Caido because I literally use it every single day. And so I'll just put that out there. Yeah, so I'm excited to see where that goes. There's definitely some improvements to be made, but Caido is moving very fast and they're getting a lot of stuff right, I think. And I'm excited to see, I'm excited to release this next plugin that I'm working on, man, because I think it is really gonna change the game for Caido stuff. All right, Joel, we got two write-ups here.

Let me go ahead and introduce this first one. The way I stumbled upon this writeup is Orange and James, James Kettle, two people that I have tweet notifications turned on for, both retweeted this writeup. So if you see James and Orange both retweet something, you need to go read that right now.

Joel (teknogeek) (42:11.136)
Yeah.

Justin Gardner (@rhynorater) (42:12.064)
Right? And so this is a write-up by a researcher that I hadn't really seen before, Rebane. And it is a super cool client side chain to get, exploit, to pretty impactfully exploit a clickjacking in Google Docs. Did you get a chance to read through this one? I know it's a little bit lengthy. Yeah.

Joel (teknogeek) (42:32.938)
No, but I have it already, I have it bookmarked on my Twitter. I had it liked and bookmarked already. I remember I'd seen it and I was like, whoa, that's pretty interesting. I read the little synopsis and I was like, that feels like it should have gotten probably more money. But that was my first reaction.

Justin Gardner (@rhynorater) (42:36.096)
Yeah.

Justin Gardner (@rhynorater) (42:39.69)
before I put it on the dock, nice.

Justin Gardner (@rhynorater) (42:48.898)
Yeah. Yeah. Well, it's really interesting and I'll present it for you as well then. It's a write-up on Avon that's a clickjacking bug, right? So this is an example. It was paid, I think, like $5,000 from Google VRP. So this is an example of a clickjacking bug that has impact. And the situation was this researcher was able to craft a Google Doc that looked like it had a Google Form in it. So pretty standard, embedding a Google Form in a Doc.

But when you clicked the button to submit the Google Form, it would give you access to, or give the attacker access to the victim's, all of their Google Drive, which was very impactful. And so yeah, right? And so there's a lot of really useful gadgets in this writeup, so that's why I wanted to cover it, because like,

Joel (teknogeek) (43:34.764)
Yeah, no big deal.

Justin Gardner (@rhynorater) (43:42.89)
It's great to see a really cool client side chain. There's like three redirects chained together and those redirects are not fixed by the way. So it's very helpful from a gadget perspective. But it's also really, really helpful to understand like some of these features about Google Drive as well. I did not know that Google Drive had a root directory. It's just called root and everybody's Google Drive has this. And you can grab it from like looking at your

your network request, explain how to do it in the writeup, but you can grab the ID for that folder, and if you share that folder, anything you put in Google Drive is now shared with that other person.

Joel (teknogeek) (44:22.009)
Yeah, it's super interesting that the Google Drive like sharing permission stuff because I mean, I know we've dealt with this a little bit from the CTBB side actually, yeah, like folder sharing permissions are, they like carry through, right? So like you said, like anything that gets added to a folder gets shared and anything below that folder, even like subfolders inherit the permissions from the parent. So it's like super

Justin Gardner (@rhynorater) (44:29.374)
Yeah, dude. Geez.

Justin Gardner (@rhynorater) (44:38.273)
Yeah.

Justin Gardner (@rhynorater) (44:42.686)
Mm

Yeah.

Joel (teknogeek) (44:47.074)
easy to kind of shoot yourself in the foot by accident by, you, you set like a parent folder so everybody can access it and then suddenly everybody can access everything.

Justin Gardner (@rhynorater) (44:54.304)
Yeah, yeah, absolutely. So here are some of the gadgets that I wanted to shout out from this, okay? You got that root folder thing, which is very interesting. And then you've also got a super useful gadget from YouTube. And this is a redirect chain that will allow you to go from www.youtube.com, which is often used for embedding YouTube videos. In the writeup, they do a path traversal on embedding YouTube videos. I could see this being very useful in other environments as well.

And you land on a Google Doc site, but you can also land on www.google.com, which we all know if we've listened to the podcast, has an open redirect via the slash amp endpoint to get you out. So I've got a URL that I'll put in the notes for this episode that starts with www.youtube.com and will end on my attacker controlled domain. And I can see this being extremely helpful for client side chains, very similar to the one in this report.

And also for anything that is trying to parse a YouTube video, you might even be able, if it's following redirects, you might even be able to get an SSRF out of this. So definitely, definitely some impact there. Just, I realized we got a little distracted. The actual, the, the exploit that this person comes up with in the end is, you know, they, they're sharing the whole, I did say that. Okay. That's good. The whole Google Drive. And so there's lots of really cool tips adjacent to that in this writeup as well.

And then let me go ahead and grab one more thing out of here that I had. Okay, yeah, I remember what it is, dude. Did you see, did you see at the end of this write-up? I'm just gonna read a quote from this: everything on this page is just HTML and CSS crafted with love, no images, no JavaScript or other resources, and it's all gzipped into 31 kilobytes. So this whole write-up, click on the link, dude. There's like, it looks like there's a bunch of

images from Google Drive in here. None of these are images. This is all, this lunatic of a person wrote all of this in HTML and CSS only. No JavaScript even. So there are pictures throughout this whole write-up and if you click on them, you can select all the text.

Joel (teknogeek) (46:58.556)
it.

Joel (teknogeek) (47:05.756)
Roll with it.

Wait, these are like, I can undo and redo the checkbox and type in.

Justin Gardner (@rhynorater) (47:16.918)
Right? It's crazy, right?

Joel (teknogeek) (47:18.62)
What is this? That's crazy.

Justin Gardner (@rhynorater) (47:21.09)
It's nuts. It's very, it's very, very cool. So kind of a shout out to them. Like lyra.horse is a really cool blog. And I went to go read a little bit more about this and they have another article called stealing your Telegram account in 10 seconds flat. And I was like, okay, what's going on here? And essentially it outlines an exploit that they weren't able to fully develop. But essentially when you send a message in Telegram that contains a specific domain in it,

it will attach the credentials of the person who is receiving that domain to the link. So you click on it and you're automatically authed into the domain for Telegram related short links and stuff like that. So one, if you're a Telegram hacker, because I know they have a bug bounty program, suss that very thoroughly, because that is super sketchy. And also, they outlined a very cool attack vector, which is like,

if you send a message to somebody and you have their phone, you can get persistent access on their phone by clicking that link and then just changing the URL up at the top of the browser very quickly to a URL that you control and it contains their auth token in it. And you're just very easily able to hijack their account in like sub 10 seconds. So I think that was, I thought that was a really cool write-up. I don't think they got a bounty for it. I don't know that they even submitted it, but I think that kind of attack vector is, I think that kind of functionality is not something you really want to have

in your application. You know, whether it be a low or a medium, I would have still reported that, I think.

Joel (teknogeek) (48:53.598)
Yeah, I mean, that's super crazy. That's a really interesting insight that I didn't actually realize.

Justin Gardner (@rhynorater) (48:56.096)
Mmm.

Justin Gardner (@rhynorater) (49:00.084)
Yeah, especially when it's an application like Telegram, which claims to be super secure and security oriented, right? To have something like that, I think, is really not a great idea. Definitely going to get yourself pwned somehow with that.

Joel (teknogeek) (49:11.827)
Yeah, yeah, exactly.

Justin Gardner (@rhynorater) (49:16.114)
All right man, Joel, that's all I had on the dock for today. You got anything else before we wrap it up or is that the pod?

Joel (teknogeek) (49:23.305)
Yeah, I think that's the pod. I got a lot of juicy notes. I got to make sure I'm getting all my plugins from the plugin store. I got to look at some content type injections. So hell yeah, man. This is good stuff.

Justin Gardner (@rhynorater) (49:30.849)
Yep.

Justin Gardner (@rhynorater) (49:34.56)
Yep. Good episode, dude. All right. That's the pod. Peace.

Joel (teknogeek) (49:38.653)
That's part. Peace.