Episode 44: In this episode of Critical Thinking - Bug Bounty Podcast, the topic is URL structure, and Justin and Joel break down the elements that make up a URL and some common tips and tricks surrounding them which allow for all sorts of bypasses. We also round out the episode with some new tools, ato stories, and some controversial current events in the hacker scene.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
How a URL is structured:
https://engineering.linkedin.com/blog/2016/06/open-sourcing-url-detector--a-java-library-to-detect-and-normali
====== Ways to Support CTBBPodcast ======
Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
"XnlReveal" XNL h4ck3r
OAuth article by Salt Labs
Hacker1 controversy recap
ATO through Facebook Login
https://twitter.com/Jayesh25_/status/1718543152296939861
https://twitter.com/itscachemoney/status/1721658450613346557
When URL Parsers disagree
Golden techniques to bypass host validations in Android apps
Mozilla article on HTTP Authentication
Breaking Parser Logic talk by Orange Tsai
URL Detector
SSRF Bible
Timestamps:
(00:00:00) Introduction
(00:04:10) “Xnl-Reveal”
(00:07:22) OAuth vulnerabilities
(00:13:17) Recap of controversy surrounding the handling of a vulnerability report on H1
(00:18:55) Hacker Success Manager Program
(00:22:30) Facebook login ATO
(00:27:45) When URL parsers disagree
(00:34:34) URL Structures
(01:02:22) Shared secrets across environments
(01:09:40) Social Media Logins
