episode-header-image

Oct 2023

1h 21m

Episode 39: The Art of Architectures

Justin Gardner (Rhynorater) & Joseph Thacker (Rez0)

About this episode

Episode 39: In this episode of Critical Thinking - Bug Bounty Podcast, We're catching up on news, including new override updates from Chrome, GPT-4, SAML presentations, and even a shoutout from Live Overflow! Then we get busy laying the groundwork on a discussion of web architecture. better get started on this one, cause we're going to need a part two!

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

CT shoutout from Live Overflow

https://www.youtube.com/watch?v=3zShGLEqDn8

Chrome Override updates

https://developer.chrome.com/blog/new-in-devtools-117/#overrides

GPT-4/AI Prompt Injection

https://x.com/rez0__/status/1706334160569213343?s=20 & https://x.com/evrnyalcin/status/1707298475216425400?s=20

Caido Releases Pro free for students

https://twitter.com/CaidoIO/status/1707099640846250433

Or, use code ctbbpodcast for 10% of the subscription price

Aleksei Tiurin on SAML hacking

https://twitter.com/antyurin/status/1704906212913951187

Account Takeover on Tesla

https://medium.com/@evan.connelly/post-account-takeover-account-takeover-of-internal-tesla-accounts-bc720603e67d

Joseph

https://portswigger.net/bappstore/82d6c60490b540369d6d5d01822bdf61

Cookie Monster

https://github.com/iangcarroll/cookiemonster

HTMX

https://htmx.org/

Timestamps:

(00:00:00) Introduction

(00:04:40) Shoutout from Live Overflow

(00:06:40) Chrome Overrides update

(00:08:48) GPT-4V and AI Prompt Injection

(00:14:35) Caido Promos

(00:15:40) SAML Vulns

(00:17:55) Account takeover on Tesla, and auth token from one context in a different context

(00:24:30) Testing for vulnerabilities in JWT-based authentication

(00:28:07) Web Architectures

(00:32:49) Single page apps + a rest API

(00:45:20) XSS vulnerabilities in single page apps

(00:49:00) Direct endpoint architecture

(00:55:50) Content Enumeration

(01:02:23) gRPC & Protobuf

(01:06:08) Microservices and Reverse Proxy

(01:12:10) Request Smuggling/Parameter Injections

Up next

Episode 143: New Cohost + Client-Side Gadgets, LHE Meta — Instant Global Admin in Entra!

Episode 143: In this episode of Critical Thinking - Bug Bounty Podcast Justin brings Brandyn back to announce him as our newest co-host. We chat about recent LHE experiences, and then break down some news. Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and sugges ... Show More

Episode 142: Gr3pme's Full-Time Hunting Journey Update, Insane AI research, And Some Light News

Episode 142: In this episode of Critical Thinking - Bug Bounty Podcast Rez0 and Gr3pme join forces to discuss Websocket research, Meta’s $111750 Bug, PROMISQROUTE, and the opportunities afforded by going full time in Bug Bounty.Follow us on twitter at: https://x.com/ctbbpodcastGo ... Show More

Episode 141: Hacking the Pod - Google Docs 0-day & React CreateElement Exploits with Nick Copi (7urb0)

Episode 141: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Nick Copi to talk about CSPT, React, CSS Injections and how Nick hacked the pod.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any f ... Show More

Recommended Episodes

Were We Wrong? 2022 Predictions Revisited

In this episode of Syntax, Wes and Scott revisit their 2022 predictions and see which ones they got right, and which they got wrong. Sentry - Sponsor If you want to know what’s happening with your code, track errors and monitor performance with Sentry. Sentry’s Application Monito ... Show More

E167: Nvidia smashes earnings (again), Google's Woke AI disaster, Groq's LPU breakthrough & more

(0:00) Bestie intros: Banana boat! (2:34) Nvidia smashes expectations again: understanding its terminal value and bull/bear cases in the context of the history of the internet (27:26) Groq's big week, training vs. inference, LPUs vs. GPUs, how to succeed in deep tech (49:37) Goog ... Show More

Some 40 Series Getting Discontinued

► Thanks to ProtoArc for sponsoring today’s video! Use code UFD10 to get 10% off! Check out their HUB Mouse & XK01 Folding Keyboard here: https://geni.us/MGmAY & https://geni.us/lZnRV ► Check out today's hottest tech deals here: https://www.ufd.deals/ https://howl.me/ck1lO9QW ... Show More

Empowering Innovation: Oxolo's €13M Funding Boosts AI-Driven Video Platform

Explore the transformative potential of Oxolo's €13M funding round, fueling innovation and pushing the boundaries of AI-driven video technology. Get on the AI Box Waitlist: https://AIBox.ai/ Join our ChatGPT Community: ⁠https://www.facebook.com/groups/739308654562189/⁠ Follow ... Show More

Oxolo's €13M Funding for AI-Driven Video Platform

In this episode, we delve into Oxolo's recent €13 million funding success for their revolutionary AI-driven video platform, designed to optimize viewer engagement in real-time. I'll explore the platform's features, potential impact on content creators, and the broader ... Show More

Episode 108 - Diving into Amazon Q Builder with Clare Liguori

🚀 Dive into the world of AI with Morgan Willis, Principal Cloud Technologist for AWS, as she interviews Clare Liguori, a Senior Principal Software Engineer at AWS and one of the visionaries behind Amazon Q. Discover the secrets behind this groundbreaking Generative AI conversati ... Show More

ROLLUP: $ETH 3k! | TradFi Stonks ATHs | $STRK Now Live | Yuga Acquires PROOF

Last Week of February 2024 ------ 🏹 USE PODCAST24 FOR 10% OFF https://bankless.cc/Citizen2024 ------ 📣SUI | Register for Sui Basecamp https://bankless.cc/sui-basecamp ------ 🎧Listen On Your Favorite Podcast Player: https://bankless.cc/podcast ------ BANKLESS SPONSOR TOO ... Show More

730: Own Your Own PaaS

Scott and Wes talk about the benefits of owning your own PaaS (platform as a service), the main alternatives in the space, and ways to make passion projects more financially viable. Show Notes 00:00 Welcome to Syntax! 01:12 Brought to you by Sentry.io. 01:56 What is a PaaS? NGINX ... Show More

Reddit’s IPO, Consumer vs. Enterprise AI, and Sam Altman’s New Fund and more! | E1903

This Week in Startups is brought to you by… Northwest Registered Agent. When starting your business, it's important to use a service that will actually help you. Northwest Registered Agent is that service. They'll form your company fast, give you the documents you need to ... Show More

Listen to millions of songs and podcasts on Anghami