logo
episode-header-image
Jan 2024
1h 12m

Episode 54: White Box Formulas - Vulnera...

Justin Gardner (Rhynorater) & Joseph Thacker (Rez0)
About this episode

Episode 54: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with news items and new projects. Joel shares about his personal scraping project to gather data on bug bounty programs and distribution Next, they announce the launch of HackerNotes, a podcast companion that will summarize the main technical points of each episode. They also discuss a recent GitLab CVE and an invisible prompt injection, before diving into a discussion (or debate) about vulnerable code patterns.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Gitlab CVE

https://github.com/Vozec/CVE-2023-7028

https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/

Fix commit: https://gitlab.com/gitlab-org/gitlab/-/commit/abe79e4ec437988cf16534a9dbba81b98a2e7f18

Invisible Prompt Injection

https://x.com/goodside/status/1745511940351287394?s=20

Regex 101

https://regex101.com

Regex to Strings

https://www.wimpyprogrammer.com/regex-to-strings/

Timestamps

(00:00:00) Introduction

(00:01:54) Joel’s H1 Data Scraping Research

(00:19:23) HackerNotes launch

(00:21:29) Gitlab CVE

(00:27:45) Invisible Prompt Injection

(00:33:52) Vulnerable Code Patterns

(00:37:51) Sanitization, but then modification of data afterward

(00:45:39) Auth check inside body of if statement

(00:48:15) sCheck for bad patterns with if, but then don't do any control flow

(00:50:21) Bad Regex

(01:00:36) Replace statements for sanitization

(01:04:32) Anything that allows you to call functions or control code flow in uncommon ways

Up next
Nov 20
Episode 149: DEFCON Debrief: AI Vulns, Unicode Weirdness, and Wild Vulnerability Chains
<p>Episode 149: In this episode of Critical Thinking - Bug Bounty Podcast The DEFCON videos are up, and Justin and Joseph talk through some of their favorites.</p><p>Follow us on <a target="_blank" rel="noopener noreferrer nofollow" href="https://x.com/ctbbpodcast">X</a></p><p>Go ... Show More
1h 2m
Nov 13
Episode 148: MCP Hacking Guide
Episode 148: In this episode of Critical Thinking - Bug Bounty Podcast Justin gives us a crash course on Model Context Protocol.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io ... Show More
32m 26s
Nov 6
Episode 147: Stupid Simple Hacking Workflow Tips
Episode 147: In this episode of Critical Thinking - Bug Bounty Podcast we're talking tips and tricks that help us in hacking that we really should’ve learned sooner.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback ... Show More
58m 48s
Recommended Episodes
Feb 2024
730: Own Your Own PaaS
Scott and Wes talk about the benefits of owning your own PaaS (platform as a service), the main alternatives in the space, and ways to make passion projects more financially viable. Show Notes 00:00 Welcome to Syntax! 01:12 Brought to you by Sentry.io. 01:56 What is a PaaS ... Show More
57m 57s
Jan 2024
716: JS Perf Wins & New Node.js Features with Yagiz Nizipli
Yagiz Nizipli talks about his involvement with Node.js, implementing .env, how he finds areas to improve in performance, the happy path vs the hot path, and new features coming to Node.js. Show Notes 00:32 Welcome 01:01 Introducing Yagiz Nizipli 02:21 What is your involvem ... Show More
1h 1m
Feb 2024
Episode 108 - Diving into Amazon Q Builder with Clare Liguori
🚀 Dive into the world of AI with Morgan Willis, Principal Cloud Technologist for AWS, as she interviews Clare Liguori, a Senior Principal Software Engineer at AWS and one of the visionaries behind Amazon Q. Discover the secrets behind this groundbreaking Generative AI conversati ... Show More
48m 6s
Jan 2024
How to build a role-playing video game in 24 hours
<p>Now you know: The human body can serve as a resonance chamber for <a href="https://physics.stackexchange.com/questions/101913/why-does-a-remote-car-key-work-when-held-to-your-head-body" target="_blank">remote car keys</a>, effectively extending their range.</p><p>A hackathon t ... Show More
14m 14s
Feb 2024
Episode 119 - Dart Squad (Ft. 1Dime)
<p>You are listening to this episode 1 week after it was released. To get episodes on time check out our Patreon!  <a href='https://www.patreon.com/posts/episode-103-ft-91756638'>Episode 1</a>20 is already available there: https://www.patreon.com/TheDeprogram<br/><br/>Check out h ... Show More
1h 16m
Nov 2023
65. FIS highlights 1 - SNAP trial, AMR musical, S. aureus update, IPC in LMIC
<p>Join Jame, Callum and Pals for a discussion on some highlights from FIS 2023: <a href='https://microbiologysociety.org/event/full-events-listing/federation-of-infection-societies-fis-conference.html'>https://microbiologysociety.org/event/full-events-listing/federation-of-infec ... Show More
28m 37s
Feb 2024
Microsoft's New Direction with Copilot, Data Management & Retention, Tech Skills Shortage
<p style="font-weight: 400;">The Transformation Ground Control podcast covers a number of topics important to digital and business transformation. This episode covers the following topics and interviews:</p> <ol><li>Microsoft’s New Direction with Copilot, Q&amp;A (Darian Chwialko ... Show More
1h 54m
Feb 2024
E167: Nvidia smashes earnings (again), Google's Woke AI disaster, Groq's LPU breakthrough & more
(0:00) Bestie intros: Banana boat! (2:34) Nvidia smashes expectations again: understanding its terminal value and bull/bear cases in the context of the history of the internet (27:26) Groq's big week, training vs. inference, LPUs vs. GPUs, how to succeed in deep tech (49:37) Goog ... Show More
1h 20m
Jun 2021
Inner Experience: Psychoanalysis, Schizoanalysis, and Dreams
<p>&quot;The Stranger&quot;, as they are known, visits Craig, Adam, and Will on this episode of Inner Experience. A psycho/schizoanalyst that some may know by the name DC Barker (tic) shares his approach and tools he implements in his practice. The discussion ranges from self-hel ... Show More
1h 18m
Listen to millions of songs and podcasts on Anghami