episode-header-image

Oct 2023

1h 21m

Episode 39: The Art of Architectures

Justin Gardner (Rhynorater) & Joseph Thacker (Rez0)

About this episode

Episode 39: In this episode of Critical Thinking - Bug Bounty Podcast, We're catching up on news, including new override updates from Chrome, GPT-4, SAML presentations, and even a shoutout from Live Overflow! Then we get busy laying the groundwork on a discussion of web architecture. better get started on this one, cause we're going to need a part two!

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

CT shoutout from Live Overflow

https://www.youtube.com/watch?v=3zShGLEqDn8

Chrome Override updates

https://developer.chrome.com/blog/new-in-devtools-117/#overrides

GPT-4/AI Prompt Injection

https://x.com/rez0__/status/1706334160569213343?s=20 & https://x.com/evrnyalcin/status/1707298475216425400?s=20

Caido Releases Pro free for students

https://twitter.com/CaidoIO/status/1707099640846250433

Or, use code ctbbpodcast for 10% of the subscription price

Aleksei Tiurin on SAML hacking

https://twitter.com/antyurin/status/1704906212913951187

Account Takeover on Tesla

https://medium.com/@evan.connelly/post-account-takeover-account-takeover-of-internal-tesla-accounts-bc720603e67d

Joseph

https://portswigger.net/bappstore/82d6c60490b540369d6d5d01822bdf61

Cookie Monster

https://github.com/iangcarroll/cookiemonster

HTMX

https://htmx.org/

Timestamps:

(00:00:00) Introduction

(00:04:40) Shoutout from Live Overflow

(00:06:40) Chrome Overrides update

(00:08:48) GPT-4V and AI Prompt Injection

(00:14:35) Caido Promos

(00:15:40) SAML Vulns

(00:17:55) Account takeover on Tesla, and auth token from one context in a different context

(00:24:30) Testing for vulnerabilities in JWT-based authentication

(00:28:07) Web Architectures

(00:32:49) Single page apps + a rest API

(00:45:20) XSS vulnerabilities in single page apps

(00:49:00) Direct endpoint architecture

(00:55:50) Content Enumeration

(01:02:23) gRPC & Protobuf

(01:06:08) Microservices and Reverse Proxy

(01:12:10) Request Smuggling/Parameter Injections

Up next

Episode 149: DEFCON Debrief: AI Vulns, Unicode Weirdness, and Wild Vulnerability Chains

<p>Episode 149: In this episode of Critical Thinking - Bug Bounty Podcast The DEFCON videos are up, and Justin and Joseph talk through some of their favorites.</p><p>Follow us on <a target="_blank" rel="noopener noreferrer nofollow" href="https://x.com/ctbbpodcast">X</a></p><p>Go ... Show More

Episode 148: MCP Hacking Guide

Episode 148: In this episode of Critical Thinking - Bug Bounty Podcast Justin gives us a crash course on Model Context Protocol.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io ... Show More

Episode 147: Stupid Simple Hacking Workflow Tips

Episode 147: In this episode of Critical Thinking - Bug Bounty Podcast we're talking tips and tricks that help us in hacking that we really should’ve learned sooner.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback ... Show More

Recommended Episodes

Were We Wrong? 2022 Predictions Revisited

In this episode of Syntax, Wes and Scott revisit their 2022 predictions and see which ones they got right, and which they got wrong. Sentry - Sponsor If you want to know what’s happening with your code, track errors and monitor performance with Sentry. Sentry’s Application Monit ... Show More

E167: Nvidia smashes earnings (again), Google's Woke AI disaster, Groq's LPU breakthrough & more

(0:00) Bestie intros: Banana boat! (2:34) Nvidia smashes expectations again: understanding its terminal value and bull/bear cases in the context of the history of the internet (27:26) Groq's big week, training vs. inference, LPUs vs. GPUs, how to succeed in deep tech (49:37) Goog ... Show More

Some 40 Series Getting Discontinued

<p>► Thanks to ProtoArc for sponsoring today’s video! Use code UFD10 to get 10% off! Check out their HUB Mouse & XK01 Folding Keyboard here: https://geni.us/MGmAY & https://geni.us/lZnRV ► Check out today's hottest tech deals here: https://www.ufd.deals/ https://ho ... Show More

Empowering Innovation: Oxolo's €13M Funding Boosts AI-Driven Video Platform

<p>Explore the transformative potential of Oxolo's €13M funding round, fueling innovation and pushing the boundaries of AI-driven video technology.</p> <p> Get on the AI Box Waitlist: <a href="https://aibox.ai/" target="_blank">https://AIBox.ai/</a> Join our ChatGPT Community: ⁠h ... Show More

Oxolo's €13M Funding for AI-Driven Video Platform

<p>In this episode, we delve into Oxolo's recent €13 million funding success for their revolutionary AI-driven video platform, designed to optimize viewer engagement in real-time. I'll explore the platform's features, potential impact on content creators, and the broader implicat ... Show More

Episode 108 - Diving into Amazon Q Builder with Clare Liguori

🚀 Dive into the world of AI with Morgan Willis, Principal Cloud Technologist for AWS, as she interviews Clare Liguori, a Senior Principal Software Engineer at AWS and one of the visionaries behind Amazon Q. Discover the secrets behind this groundbreaking Generative AI conversati ... Show More

ROLLUP: $ETH 3k! | TradFi Stonks ATHs | $STRK Now Live | Yuga Acquires PROOF

<p>Last Week of February 2024</p> <p>------<br /> 🏹 USE PODCAST24 FOR 10% OFF<br /> <a href= "https://bankless.cc/Citizen2024">https://bankless.cc/Citizen2024</a> </p> <p>------<br /> 📣SUI | Register for Sui Basecamp<br /> <a href= "https://bankless.cc/sui-basecamp">https://ba ... Show More

730: Own Your Own PaaS

Scott and Wes talk about the benefits of owning your own PaaS (platform as a service), the main alternatives in the space, and ways to make passion projects more financially viable. Show Notes 00:00 Welcome to Syntax! 01:12 Brought to you by Sentry.io. 01:56 What is a PaaS ... Show More

Reddit’s IPO, Consumer vs. Enterprise AI, and Sam Altman’s New Fund and more! | E1903

<p>This Week in Startups is brought to you by…</p> <p>Northwest Registered Agent. When starting your business, it's important to use a service that will actually help you. Northwest Registered Agent is that service. They'll form your company fast, give you the documents y ... Show More

Listen to millions of songs and podcasts on Anghami