In this episode of Critical Thinking - Bug Bounty Podcast, we're catching up on news, including new override updates from Chrome, GPT-4, SAML presentations, and even a shoutout from Live Overflow! Then we get busy laying the groundwork for a discussion of web architecture. Better get started on this one, 'cause we're going to need a part two!
Follow us on Twitter at: https://twitter.com/ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater & Teknogeek on Twitter:
- https://twitter.com/rhynorater
- https://twitter.com/0xteknogeek
CT shoutout from Live Overflow: https://www.youtube.com/watch?v=3zShGLEqDn8
Chrome Override updates: https://developer.chrome.com/blog/new-in-devtools-117/#overrides
GPT-4/AI Prompt Injection
- https://x.com/rez0__/status/1706334160569213343
- https://x.com/evrnyalcin/status/1707298475216425400
Caido Releases Pro free for students: https://twitter.com/CaidoIO/status/1707099640846250433
...or, use code "ctbbpodcast" for 10% off the subscription price 😁
Aleksei Tiurin on SAML hacking: https://twitter.com/antyurin/status/1704906212913951187
Account Takeover on Tesla: https://medium.com/@evan.connelly/post-account-takeover-account-takeover-of-internal-tesla-accounts-bc720603e67d
Joseph: https://portswigger.net/bappstore/82d6c60490b540369d6d5d01822bdf61
Cookie Monster: https://github.com/iangcarroll/cookiemonster
HTMX: https://htmx.org/
====== Timestamps ======
(00:00:00) Introduction
(00:04:40) Shoutout from Live Overflow
(00:06:40) Chrome Overrides update
(00:08:48) GPT-4V and AI Prompt Injection
(00:14:35) Caido Promos
(00:15:40) SAML Vulns
(00:17:55) Account takeover on Tesla, and auth token from one context in a different context
(00:24:30) Testing for vulnerabilities in JWT-based authentication
(00:28:07) Web Architectures
(00:32:49) Single page apps + a REST API
(00:45:20) XSS vulnerabilities in single page apps
(00:49:00) Direct endpoint architecture
(00:55:50) Content Enumeration
(01:02:23) gRPC & Protobuf
(01:06:08) Microservices and Reverse Proxy
(01:12:10) Request Smuggling/Parameter Injections