Supply Chain Attack Primer - Popping RCE Without an HTTP Request (feat 0xLupin) (Ep. 74)

Поделиться
HTML-код
  • Опубликовано: 5 авг 2024
  • Episode 74: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Roni "Lupin" Carta for a deep dive into supply chain attacks and dependency confusion. We explore the supply chain attacks, the ethical considerations surrounding maintainers and hosting packages on public registries, and chat about the vision and uses of his new tool Depi.
    Follow us on twitter at: / ctbbpodcast
    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
    Shoutout to / realytcracker for the awesome intro music!
    ====== Links ======
    Follow your hosts Rhynorater & Teknogeek on twitter:
    / 0xteknogeek
    / rhynorater
    ====== Ways to Support CTBBPodcast ======
    Hop on the CTBB Discord at ctbb.show/discord!
    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
    Today’s Guest: x.com/0xLupin
    Resources:
    Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
    / dependency-confusion
    git-dump
    github.com/tomnomnom/dotfiles...
    Depi
    www.landh.tech/depi
    Weak links of Supply Chain
    arxiv.org/pdf/2112.10165
    Timestamps:
    (00:00:00) Introduction
    (00:07:13) Overveiw of Supply Chain Flow
    (00:15:14) Getting our Scope
    (00:23:46) Depi
    (00:29:12) Types of attacks and finding the 80/20
    (00:45:06) Maintainer attacks
    (01:10:40) Regestries, artifactories, and an npm bug
    (01:31:51) Grafana NPX Confusion
  • НаукаНаука

Комментарии • 5

  • @user-mk3zz8zn9b
    @user-mk3zz8zn9b Месяц назад +2

    Okay, so who was explaining both of them were just chatting, 🤧 , guys you were supposed to explain, all of the pipelining and ci cd stuff, how are we supposed to know... you cant just assume that. 😵

    • @Mary-le5db
      @Mary-le5db Месяц назад

      no wonder I didn't understand half of it.

  • @0xdead4f
    @0xdead4f 2 месяца назад +1

    Am i the only one that does not understand a thing about what they said ?

    • @fnulnu5645
      @fnulnu5645 2 месяца назад +1

      All I heard was cache... or cash... I hope it was cash

    • @sebastianm8028
      @sebastianm8028 Месяц назад

      Me when they go deep on s and client side path traversal lol. Since I'm a dev this one was fine for me

Следующие
Автовоспроизведение
Bug Bounty Mental - Practical Tips for Staying Sharp & Motivated (Ep.77)1:50:20Bug Bounty Mental - Practical Tips for Staying Sharp & Motivated (Ep.77)
Bug Bounty Mental - Practical Tips for Staying Sharp & Motivated (Ep.77)Critical Thinking - Bug Bounty Podcast
Просмотров 2,9 тыс.
Crushing Client-Side on Any Scope with MatanBer (Ep. 81)2:04:49Crushing Client-Side on Any Scope with MatanBer (Ep. 81)
Crushing Client-Side on Any Scope with MatanBer (Ep. 81)Critical Thinking - Bug Bounty Podcast
Просмотров 3,2 тыс.
Pwn2Own VS H1 Live Hacking Event (feat SinSinology) (Ep. 80)2:49:27Pwn2Own VS H1 Live Hacking Event (feat SinSinology) (Ep. 80)
Pwn2Own VS H1 Live Hacking Event (feat SinSinology) (Ep. 80)Critical Thinking - Bug Bounty Podcast
Просмотров 2,9 тыс.
I Built a River Table for Real Fish30:52I Built a River Table for Real Fish
I Built a River Table for Real FishJohn Malecki
Просмотров 287 тыс.
surviving a nuke by flipping a coin1:22:07surviving a nuke by flipping a coin
surviving a nuke by flipping a coinTheRussianBadger
Просмотров 2,6 млн
It's Clash Anime Season! Happy 12th Clashiversary!00:35It's Clash Anime Season! Happy 12th Clashiversary!
It's Clash Anime Season! Happy 12th Clashiversary!Clash of Clans
Просмотров 5 млн
MY BRAND NEW WIDE BODY LAMBORGHINI URUS13:23MY BRAND NEW WIDE BODY LAMBORGHINI URUS
MY BRAND NEW WIDE BODY LAMBORGHINI URUSDuke Dennis
Просмотров 1,4 млн
Schizophrenic Shark Tank14:23Schizophrenic Shark Tank
Schizophrenic Shark TankStoic Stick
Просмотров 32 тыс.
L'Oréal x YesWeHack: Live Bug Bounty event at leHACK 20243:27L'Oréal x YesWeHack: Live Bug Bounty event at leHACK 2024
L'Oréal x YesWeHack: Live Bug Bounty event at leHACK 2024YesWeHack
Просмотров 670
I Electroplated a 3D Printed C-3PO and it looks insane now10:41I Electroplated a 3D Printed C-3PO and it looks insane now
I Electroplated a 3D Printed C-3PO and it looks insane nowHEN3DRIK - Electroplating 3D Prints
Просмотров 27 тыс.
Match & Replace - HTTP Proxies' Most Underrated Feature (Ep. 76)1:34:43Match & Replace - HTTP Proxies' Most Underrated Feature (Ep. 76)
Match & Replace - HTTP Proxies' Most Underrated Feature (Ep. 76)Critical Thinking - Bug Bounty Podcast
Просмотров 2,1 тыс.
Sandboxed IFrames and WAF Bypasses (Ep. 73)31:14Sandboxed IFrames and WAF Bypasses (Ep. 73)
Sandboxed IFrames and WAF Bypasses (Ep. 73)Critical Thinking - Bug Bounty Podcast
Просмотров 1,3 тыс.
Research TLDRs & Smuggling Payloads in Well Known Data Types (Ep. 72)52:48Research TLDRs & Smuggling Payloads in Well Known Data Types (Ep. 72)
Research TLDRs & Smuggling Payloads in Well Known Data Types (Ep. 72)Critical Thinking - Bug Bounty Podcast
Просмотров 1,3 тыс.
Getting Started with Rust! | #1 | A Fun Rust Programming Tutorial5:13Getting Started with Rust! | #1 | A Fun Rust Programming Tutorial
Getting Started with Rust! | #1 | A Fun Rust Programming TutorialBandit
Просмотров 45
2024 Guide: Hacking APIs20:212024 Guide: Hacking APIs
2024 Guide: Hacking APIsNahamSec
Просмотров 17 тыс.
"The Life & Death of htmx" by Alexander Petros at Big Sky Dev Con 202423:01"The Life & Death of htmx" by Alexander Petros at Big Sky Dev Con 2024
"The Life & Death of htmx" by Alexander Petros at Big Sky Dev Con 2024Montana Programmers
Просмотров 43 тыс.
Секрет, как продлить жизнь аккумулятора iPhone📱 Сохрани и поделись с друзьями!🙌🏼00:43Секрет, как продлить жизнь аккумулятора iPhone📱 Сохрани и поделись с друзьями!🙌🏼
Секрет, как продлить жизнь аккумулятора iPhone📱 Сохрани и поделись с друзьями!🙌🏼Dimitri Lebed
Просмотров 2,1 млн
ЧТО ЭТО За Флешки Замурованные в СТЕНЕ? #shorts00:53ЧТО ЭТО За Флешки Замурованные в СТЕНЕ? #shorts
ЧТО ЭТО За Флешки Замурованные в СТЕНЕ? #shortsBubble™
Просмотров 7 млн
Ура!наконец-то куплю новый Samsung!#хочуврек#котики#футажи#shorts Автор звука:@GORA933800:10Ура!наконец-то куплю новый Samsung!#хочуврек#котики#футажи#shorts Автор звука:@GORA9338
Ура!наконец-то куплю новый Samsung!#хочуврек#котики#футажи#shorts Автор звука:@GORA9338lev89k
Просмотров 2,8 млн
📱магазин техники в 2014 vs 202400:41📱магазин техники в 2014 vs 2024
📱магазин техники в 2014 vs 2024djetics
Просмотров 646 тыс.
КУПИЛ САМЫЙ ПОПУЛЯРНЫЙ ПК ARDOR GAMING в DNS для CS225:51КУПИЛ САМЫЙ ПОПУЛЯРНЫЙ ПК ARDOR GAMING в DNS для CS2
КУПИЛ САМЫЙ ПОПУЛЯРНЫЙ ПК ARDOR GAMING в DNS для CS2JOSKIY
Просмотров 144 тыс.
Секрет, как продлить жизнь аккумулятора iPhone📱 Сохрани и поделись с друзьями!🙌🏼00:43Секрет, как продлить жизнь аккумулятора iPhone📱 Сохрани и поделись с друзьями!🙌🏼
Секрет, как продлить жизнь аккумулятора iPhone📱 Сохрани и поделись с друзьями!🙌🏼Dimitri Lebed
Просмотров 2,1 млн
ПРО БЛОКИРОВКУ YOUTUBE ❌ Ютуб заблокируют - как смотреть?08:17ПРО БЛОКИРОВКУ YOUTUBE ❌ Ютуб заблокируют - как смотреть?
ПРО БЛОКИРОВКУ YOUTUBE ❌ Ютуб заблокируют - как смотреть?«о том о сём»
Просмотров 79 тыс.
Looks very comfortable. #leddisplay #ledscreen #ledwall #eagerled00:19Looks very comfortable. #leddisplay #ledscreen #ledwall #eagerled
Looks very comfortable. #leddisplay #ledscreen #ledwall #eagerled LED Screen Factory-EagerLED
Просмотров 12 млн