episode-header-image

Oct 2023

1h 21m

Episode 39: The Art of Architectures

Justin Gardner (Rhynorater) & Joseph Thacker (Rez0)

About this episode

Episode 39: In this episode of Critical Thinking - Bug Bounty Podcast, We're catching up on news, including new override updates from Chrome, GPT-4, SAML presentations, and even a shoutout from Live Overflow! Then we get busy laying the groundwork on a discussion of web architecture. better get started on this one, cause we're going to need a part two!

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

CT shoutout from Live Overflow

https://www.youtube.com/watch?v=3zShGLEqDn8

Chrome Override updates

https://developer.chrome.com/blog/new-in-devtools-117/#overrides

GPT-4/AI Prompt Injection

https://x.com/rez0__/status/1706334160569213343?s=20 & https://x.com/evrnyalcin/status/1707298475216425400?s=20

Caido Releases Pro free for students

https://twitter.com/CaidoIO/status/1707099640846250433

Or, use code ctbbpodcast for 10% of the subscription price

Aleksei Tiurin on SAML hacking

https://twitter.com/antyurin/status/1704906212913951187

Account Takeover on Tesla

https://medium.com/@evan.connelly/post-account-takeover-account-takeover-of-internal-tesla-accounts-bc720603e67d

Joseph

https://portswigger.net/bappstore/82d6c60490b540369d6d5d01822bdf61

Cookie Monster

https://github.com/iangcarroll/cookiemonster

HTMX

https://htmx.org/

Timestamps:

(00:00:00) Introduction

(00:04:40) Shoutout from Live Overflow

(00:06:40) Chrome Overrides update

(00:08:48) GPT-4V and AI Prompt Injection

(00:14:35) Caido Promos

(00:15:40) SAML Vulns

(00:17:55) Account takeover on Tesla, and auth token from one context in a different context

(00:24:30) Testing for vulnerabilities in JWT-based authentication

(00:28:07) Web Architectures

(00:32:49) Single page apps + a rest API

(00:45:20) XSS vulnerabilities in single page apps

(00:49:00) Direct endpoint architecture

(00:55:50) Content Enumeration

(01:02:23) gRPC & Protobuf

(01:06:08) Microservices and Reverse Proxy

(01:12:10) Request Smuggling/Parameter Injections

Up next

Episode 129: Is this how Bug Bounty Ends?

Episode 129: In this episode of Critical Thinking - Bug Bounty Podcast we chat about the future of hack bots and human-AI collaboration, the challenges posed by tokenization, and the need for cybersecurity professionals to adapt to the evolving landscape of hacking in the age of ... Show More

Episode 128: New Research in Blind SSRF and Self-XSS, and How to Architect Source-code Review AI Bots

Episode 128: In this episode of Critical Thinking - Bug Bounty Podcast we talking Blind SSRF and Self-XSS, as well as Reversing massive minified JS with AI and a wild Google Logo Ligature BugFollow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel fre ... Show More

Episode 127: Drama, PDF as JS Chaos, Bounty Profile Apps, And More

Episode 127: In this episode of Critical Thinking - Bug Bounty Podcast we address some recent bug bounty controversy before jumping into a slew of news itemsFollow us on XShoutout to YTCracker for the awesome intro music!Today's Sponsor: Adobe====== This Week In Bug Bounty ====== ... Show More

Recommended Episodes

Linux Kernel Scheduler Developer | David Vernet

The linux kernel is something we all use but have you ever thought about what goes into it, well today we've got David Vernet on the show who has spent quite a bit of time focusing on one aspect, that being the scheduler. =========Guest Links========== Twitch: https://www.twi ... Show More

Were We Wrong? 2022 Predictions Revisited

In this episode of Syntax, Wes and Scott revisit their 2022 predictions and see which ones they got right, and which they got wrong. Sentry - Sponsor If you want to know what’s happening with your code, track errors and monitor performance with Sentry. Sentry’s Application Monito ... Show More

763: Web Scraping + Reverse Engineering APIs

Web scraping 101! Dive into the world of web scraping with Scott and Wes as they explore everything from tooling setup and navigating protected routes to effective data management. In this Tasty Treat episode, you’ll gain invaluable insights and techniques to scrape (almost) any ... Show More

E167: Nvidia smashes earnings (again), Google's Woke AI disaster, Groq's LPU breakthrough & more

(0:00) Bestie intros: Banana boat! (2:34) Nvidia smashes expectations again: understanding its terminal value and bull/bear cases in the context of the history of the internet (27:26) Groq's big week, training vs. inference, LPUs vs. GPUs, how to succeed in deep tech (49:37) Goog ... Show More

The Linux Distro No One Talks About | René Rebe

Today we have the one and only René Rebe on the show, the developer of T2 SDE one of the very few standalone distros that is severely under represented in the media alongside running 2 youtube channels, Code Therapy and Bits inside ==========Support The Channel========== ► Patreo ... Show More

Is it too late to opt out of AI? (Friends)

Tech lawyer Luis Villa returns to answer our most pressing questions: what’s up with all these new content deals? How did Google think it was a good idea to ship AI Summaries in its current state? Is it too late to opt out of AI? We also discuss AI in Hollywood (spoilers!), posit ... Show More

GPT-4o launches, Glue demo, Ohalo breakthrough, Druck's Argentina bet, did Google kill Perplexity?

(0:00) Bestie Intros: Recapping Phil Hellmuth's birthday weekend (7:38) OpenAI launches GPT-4o: better, faster, cheaper (29:40) Sacks demos Glue: How AI unlocked his Slack killer (40:12) Friedberg walks through his major breakthrough at Ohalo (1:01:35) Stanley Druckenmiller bets ... Show More

#431 – Roman Yampolskiy: Dangers of Superintelligent AI

Roman Yampolskiy is an AI safety researcher and author of a new book titled AI: Unexplainable, Unpredictable, Uncontrollable. Please support this podcast by checking out our sponsors: – Yahoo Finance: https://yahoofinance.com – MasterClass: https://masterclass.com/lexpod to get 1 ... Show More

#434 – Aravind Srinivas: Perplexity CEO on Future of AI, Search & the Internet

Arvind Srinivas is CEO of Perplexity, a company that aims to revolutionize how we humans find answers to questions on the Internet. Please support this podcast by checking out our sponsors: – Cloaked: https://cloaked.com/lex and use code LexPod to get 25% off – ShipStation: https ... Show More

AI vs software devs

Daniel and Chris are out this week, so we’re bringing you conversations all about AI’s complicated relationship to software developers from other Changelog pods: JS Party, Go Time & The Changelog.Join the discussionChangelog++ members save 2 minutes on this episode because they m ... Show More

Listen to millions of songs and podcasts on Anghami