Episode 79: In this episode of Critical Thinking - Bug Bounty Podcast we deep dive into CSS injection, and explore topics like sequential import chaining, font ligatures, and attribute exfiltration.
Follow us on Twitter at: https://twitter.com/ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to https://twitter.com/realytcracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater & Teknogeek on Twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Resources:
SpaceRaccoon's Universal Code Execution Extensions
https://spaceraccoon.dev/universal-code-execution-browser-extensions/
Escalating Client Side Path Traversal
https://x.com/isira_adithya/status/1809228815002136719
Full-time Bug Bounty Blueprint:
https://www.criticalthinkingpodcast.io/p/how-to-go-full-time-bug-bounty/
Sequential Import Chaining
https://d0nut.medium.com/better-exfiltration-via-html-injection-31c72a2dae8b
CSS Exfiltation
https://github.com/PortSwigger/css-exfiltration/blob/main/steal-attribute-values/styles.css
Link that Justin was talking about
https://github.com/PortSwigger/css-exfiltration/blob/main/steal-attribute-values/styles.css#L5
Font Ligatures
https://x.com/kinugawamasato/status/1808887754090295805
Lava Dome bypass
https://github.com/LavaMoat/LavaDome/issues/40
Stealing Data in Great style
https://research.securitum.com/stealing-data-in-great-style-how-to-use-css-to-attack-web-application/
Steal Script Contents
https://github.com/PortSwigger/css-exfiltration/tree/main/steal-script-contents
Masato Kinugawa’s Tweet
https://x.com/kinugawamasato/status/1808910589135368687
CSS Injection: Attacking with Just CSS
https://aszx87410.github.io/beyond-xss/en/ch3/css-injection-2/
CSS Injection Primitives
https://x-c3ll.github.io/posts/CSS-Injection-Primitives/
Timestamps:
(00:00:00) Introduction
(00:02:32) Universal Code Execution
(00:11:32) Escalating Client Side Path Traversal
(00:16:56) Justin's Defcon talk & Bug Bounty Blueprint
(00:23:32) CSS Injection
(00:39:23) Font Ligatures
(00:54:30) Descent Override and display:block
(01:02:10) Some Final Research