Getting ANSI about Unicode Normalization (Ep. 103)

Episode 103: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joseph delve into the vulnerabilities associated with ANSI codes and large language models (LLMs), and talk through research on _json Juggling, cookie handling quirks, and the value of micro-blogging in general.

Follow us on Twitter at: https://twitter.com/ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to https://twitter.com/realytcracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater & Teknogeek on Twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Check out our new SWAG store at https://ctbb.show/swag!

Join our Shift waitlist!
https://shiftwaitlist.com/

Today’s Sponsor - ThreatLocker. Check out their Elevation Control! https://www.criticalthinkingpodcast.io/tl-ec

Resources:
_json Juggling Attack
https://nastystereo.com/security/rails-_json-juggling-attack.html

Cross-Site POST Requests Without a Content-Type Header
https://nastystereo.com/security/cross-site-post-without-content-type.html

Worst Fit
https://worst.fit/#

Orange Tsai on Worst Fit
https://worst.fit/assets/EU-24-Tsai-WorstFit-Unveiling-Hidden-Transformers-in-Windows-ANSI.pdf

Handling Cookies is a Minefield
https://grayduck.mn/2024/11/21/handling-cookies-is-a-minefield/

Terminal DiLLMa
https://embracethered.com/blog/posts/2024/terminal-dillmas-prompt-injection-ansi-sequences/

XS-Leaking flags with CSS: A CTFd 0day
https://jorianwoltjer.com/blog/p/hacking/xs-leaking-flags-with-css-a-ctfd-0day

Hacking Back the AI-Hacker
https://arxiv.org/html/2410.20911v1?utm_source=danielmiessler.com&utm_medium=newsletter&utm_campaign=ul-no-458-ollama-vulnerabilities-rating-ai-using-ai-the-mantis-hack-back-framework

Johann Computer use demo
https://embracethered.com/blog/posts/2024/claude-computer-use-c2-the-zombais-are-coming/

How I Became The Most Valuable Hacker
https://douglas.day/2024/12/13/HowIBecameTheMostValuableHacker.html

Timestamps
(00:00:00) Introduction
(00:01:39) _json Juggling Attack and Cross-Site POST Requests Without a Content-Type Header
(00:10:55) Worst Fit and Unicode Mapping
(00:20:08) Handling Cookies is a Minefield
(00:28:11) Terminal DiLLMa
(00:34:41) CTFd 0day
(00:41:18) Hacking Back the AI-Hacker
(00:47:30) Becoming Most Valuable Hacker