logo
episode-header-image
Jan 2024
1h 12m

Episode 54: White Box Formulas - Vulnera...

Justin Gardner (Rhynorater) & Joseph Thacker (Rez0)
About this episode

Episode 54: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with news items and new projects. Joel shares about his personal scraping project to gather data on bug bounty programs and distribution Next, they announce the launch of HackerNotes, a podcast companion that will summarize the main technical points of each episode. They also discuss a recent GitLab CVE and an invisible prompt injection, before diving into a discussion (or debate) about vulnerable code patterns.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Gitlab CVE

https://github.com/Vozec/CVE-2023-7028

https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/

Fix commit: https://gitlab.com/gitlab-org/gitlab/-/commit/abe79e4ec437988cf16534a9dbba81b98a2e7f18

Invisible Prompt Injection

https://x.com/goodside/status/1745511940351287394?s=20

Regex 101

https://regex101.com

Regex to Strings

https://www.wimpyprogrammer.com/regex-to-strings/

Timestamps

(00:00:00) Introduction

(00:01:54) Joel’s H1 Data Scraping Research

(00:19:23) HackerNotes launch

(00:21:29) Gitlab CVE

(00:27:45) Invisible Prompt Injection

(00:33:52) Vulnerable Code Patterns

(00:37:51) Sanitization, but then modification of data afterward

(00:45:39) Auth check inside body of if statement

(00:48:15) sCheck for bad patterns with if, but then don't do any control flow

(00:50:21) Bad Regex

(01:00:36) Replace statements for sanitization

(01:04:32) Anything that allows you to call functions or control code flow in uncommon ways

Up next
Jul 3
Episode 129: Is this how Bug Bounty Ends?
Episode 129: In this episode of Critical Thinking - Bug Bounty Podcast we chat about the future of hack bots and human-AI collaboration, the challenges posed by tokenization, and the need for cybersecurity professionals to adapt to the evolving landscape of hacking in the age of ... Show More
36m 14s
Jun 26
Episode 128: New Research in Blind SSRF and Self-XSS, and How to Architect Source-code Review AI Bots
Episode 128: In this episode of Critical Thinking - Bug Bounty Podcast we talking Blind SSRF and Self-XSS, as well as Reversing massive minified JS with AI and a wild Google Logo Ligature BugFollow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel fre ... Show More
58m 6s
Jun 19
Episode 127: Drama, PDF as JS Chaos, Bounty Profile Apps, And More
Episode 127: In this episode of Critical Thinking - Bug Bounty Podcast we address some recent bug bounty controversy before jumping into a slew of news itemsFollow us on XShoutout to YTCracker for the awesome intro music!Today's Sponsor: Adobe====== This Week In Bug Bounty ====== ... Show More
1h 7m
Recommended Episodes
Mar 2024
AI vs software devs
Daniel and Chris are out this week, so we’re bringing you conversations all about AI’s complicated relationship to software developers from other Changelog pods: JS Party, Go Time & The Changelog.Join the discussionChangelog++ members save 2 minutes on this episode because they m ... Show More
57 m
Mar 2024
Linux Kernel Scheduler Developer | David Vernet
The linux kernel is something we all use but have you ever thought about what goes into it, well today we've got David Vernet on the show who has spent quite a bit of time focusing on one aspect, that being the scheduler. =========Guest Links========== Twitch: https://www.twi ... Show More
1h 55m
May 2024
763: Web Scraping + Reverse Engineering APIs
Web scraping 101! Dive into the world of web scraping with Scott and Wes as they explore everything from tooling setup and navigating protected routes to effective data management. In this Tasty Treat episode, you’ll gain invaluable insights and techniques to scrape (almost) any ... Show More
52m 33s
May 2024
SN 976: The 50 Gigabyte Privacy Bomb - Google AI Workarounds, Microsoft Recall
The bigger problem with AI Overview https://udm14.com/ -and- https://tenbluelinks.org/ The horses have left the barn VPNs and Firewalls Email @ GRC Extension to fix Google search Passwords and SPAM Fixing motherboard components Vertical tabs in Firefox FritzBox routers Too many P ... Show More
2h 13m
May 2024
Microsoft is all-in on AI: Part 1 (Interview)
Scott Guthrie joins the show this week from Microsoft Build 2024 to discuss Microsoft being all-in on AI. From Copilot, to Azure AI and Prompty, to their developer first focus, leading GitHub, VS Code being the long bet that paid off, to the future of a doctor’s bedside manner as ... Show More
1h 4m
May 2024
Is it too late to opt out of AI? (Friends)
Tech lawyer Luis Villa returns to answer our most pressing questions: what’s up with all these new content deals? How did Google think it was a good idea to ship AI Summaries in its current state? Is it too late to opt out of AI? We also discuss AI in Hollywood (spoilers!), posit ... Show More
1h 39m
Jun 2024
Apple finally gets Siri-ous (News)
Apple announces its “new” style of AI, piku gives you “git push” deployment on your own servers, Dabo Chen rebuilds nanoGPT in a spreadsheet, Mark Seemann thinks you’ll regret using natural keys in your database design & Glyph Lefkowitz describes his grand unified theory of the A ... Show More
7m 49s
Jun 2024
.NET Unwrapped: From Workflow Engines to Identity, A Developer's Journey with Dustin Metzgar
Avalonia XPF This episode of The Modern .NET Show is supported, in part, by Avalonia XPF, a binary-compatible cross-platform fork of WPF, enables WPF apps to run on new platforms with minimal effort and maximum compatibility. Show Notes I want it to be like one of those books tha ... Show More
1h 22m
Dec 2023
Cracking the Enigma Code
During the Second World War, the Germans used what they thought to be an uncrackable encryption system. It was a really good encryption system, and for the longest time, the Allies had a difficult time cracking the code. However, thanks to brilliant code breakers, a powerful comp ... Show More
13m 42s
Feb 2024
736: CJ Reynolds is Joining Syntax
Scott and Wes introduce Syntax’s new Senior Content Producer, CJ Reynolds, who will be creating video deep-dives and companion content for topics covered on the podcast. CJ, also known as the host of Coding Garden, shares his passions for web development, teaching and experimenti ... Show More
56m 49s
Listen to millions of songs and podcasts on Anghami