Mar 2024
1h 27m
Episode 61: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Jasmin Landry to share some stories about startup security, bug bounty, and the challenges of balancing both. He also shares his methodology for discovering OAuth-related bugs, highlights some differences between structured learning and self-teaching, and then walks us through a couple arbitrary ATO’s and SSTI to RCE bugs he’s found lately.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Guest: Jasmin Landry
Resources:
Dirty Dancing blog post
https://labs.detectify.com/writeups/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/
OAuth 2.0 Threat Model and Security Considerations
https://datatracker.ietf.org/doc/html/rfc6819
OAuth 2.0 Security Best Current Practice
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
Timestamps:
(00:00:00) Introduction
(00:02:20) Meta Tag + DomPurify Bug
(00:09:36) Jasmin's Origin story
(00:28:23) Full time Bug bounty challenges
(00:36:57) Career jumps in Security and current Role
(00:47:32) OAuth Bug methodology and cool bug stories
(01:02:35) Social Engineering and Bug Bounty
(01:13:41) Arbitrary ATO bug
(01:19:41) SSTI to RCE bug