Youssef Sammouda - Client-Side & ATO War Stories (Ep. 58)
- Published: 5 Aug 2024
- Episode 58: In this episode of Critical Thinking - Bug Bounty Podcast we finally sit down with Youssef Sammouda and grill him on his various techniques for finding and exploiting client-side bugs and postMessage vulnerabilities. He shares some crazy stories about race conditions, exploiting hash change events, and leveraging scroll-to-text fragments.
Follow us on twitter at: / ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to / realytcracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater & Teknogeek on twitter:
/ 0xteknogeek
/ rhynorater
====== Ways to Support CTBBPodcast ======
Sign up for caido.io/ using the referral code CTBBPODCAST for a 10% discount.
Hop on the CTBB Discord at ctbb.show/discord!
We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Guest:
samm0uda?lang=en
ysamm.com/
Resources:
Client-side race conditions with postMessage:
ysamm.com/?p=742
Transferable Objects:
developer.mozilla.org/en-US/d...
Every known way to get references to windows, in JavaScript:
/ every-known-way-to-get...
Timestamps:
(00:00:00) Introduction
(00:04:27) Client-side race conditions with postMessage
(00:18:12) On Hash Change Events and Scroll To Text Fragments
(00:32:00) Finding, documenting, and reporting complex bugs
(00:37:32) PostMessage Methodology
(00:45:05) Youssef's Vuln Story
(00:53:42) Where and how to look for ATO vulns
(01:05:21) MessagePort
(01:14:37) Window frame relationships
(01:20:24) Recon and JS monitoring
(01:37:03) Client-side routing
(01:48:05) MITMProxy
00:02 Youssef's passion lies in client-side stuff with a focus on bounty hunting and OAuth.
02:34 Focus on achieving maximum impact through account takeover on client-side
07:09 Client-side postMessage: origin changes after trust is established
09:15 Client-side attack that redirects tabs and tunes timing for the exploit
13:44 postMessage communication and race conditions
16:22 Client-side attack techniques such as pop-unders and brute forcing via postMessage
20:09 Detecting and exploiting cross-site leaks
22:27 Encouraging deep exploration of programs for bug bounty success
26:49 Discussion on potential risks and vulnerabilities related to client-side page routing and redirection
28:59 Using JavaScript to control and change page elements
33:15 Understand security threats and strategies
35:16 Client-side code usage and note-keeping
39:25 Exploiting s for ATO and high pay targets is worth the extra effort.
41:21 Account takeover detection triggers
45:47 Facebook's JavaScript SDK, used by its client-side chat plugin, and its security vulnerabilities
48:18 Leaking Math.random values from a page to predict or reverse-engineer IDs
52:47 The vulnerability of using Math.random and the availability of a cryptographically secure random API in JavaScript
54:36 Focus on identifying XSS sources and sinks.
58:39 Client-Side Attacks in Account Takeover (ATO)
1:00:41 Exploring the manipulation of SameSite cookie policies to create separate browser sessions
1:04:10 Understanding domain bridging for vulnerabilities
1:06:26 Message ports and their security measures in cross-origin communication
1:10:57 Using an object for the 'Target origin' can bypass string checks.
1:12:55 Client-side transferable objects and memory ownership
1:16:38 Discussion on referencing open windows in a same-origin scenario.
1:18:30 Understanding the window name and the opener property in JavaScript
1:22:42 Managing JavaScript packages and modules
1:24:48 Hashing used for code structure and function references
1:29:18 Programmatic parsing of code for function definitions and object retrieval.
1:30:59 Custom scripts need to be tailored for each target.
1:34:25 Discussion on lazy loading JavaScript
1:36:11 Creating a function to dynamically generate and extract data
1:39:49 Research on mobile app security and vulnerabilities
1:42:27 Unauthorized access risk in Instagram application
1:46:52 Attacker page's slow response leads to failure in checking page change
1:48:33 Using mitmproxy for browser navigation and web scraping
1:52:29 Using a simpler approach for requesting and responding to client-side interactions
1:54:06 Impressed with technical knowledge and bug stories
My brain exploded like 5 times, listening to this talk 😂 Love the depth of client side bugs explained. Really appreciate pushing quality content like this to the community!
Awesome talk enjoying
I love the passion
yay 🤩
Dzaaaaamn...the facebook hacker guy🔥🔥🔥
Ou my goooooooooooooood
Yousuf is really a great hacker masha Allah
wow wow wow
Mic name please?
2x Shure SM58 microphones plugged into a Zoom H4n pro as the interface/recorder!
sammouda you are my idol 🪬 🇹🇳
you do a great job with the channel. thank you! that being said, for the love of god, would you let the man speak?
ROY KENT is now a hacker ??