Episode 26: Client-side Quirks & Browser Hacks
Podcast: Critical Thinking - Bug Bounty PodcastPublished On: Thu Jul 06 2023
Description: In this episode of Critical Thinking - Bug Bounty Podcast, we're back with Joel, fresh (haha) off of back-to-back live hack events in London and Seoul. We compare the different vibes of each LHE, then we dive into the technical thick of it, and talk web browsers, XSS vectors, new tools, CVSS 4.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:______Hunting for NGINX alias traversals in the wildPortSwigger TweetSoroush's Follow-upTweet about magic math elementLupin’s follow-upPatch diffingChanges to CVSS 4.0Ask FIRSTdotORG what's going onJsluiseJS import() behavior'JavaScript for Hackers'CSP Evaluator:Dom ClobberingHTML Injection Cheat SheetGareth Heyes website/game______Timestamps:(00:00:00) Introduction(00:04:10) LHE Vibes(00:07:45) "Hunting for NGINX alias traversals in the wild"(00:12:30) Payouts in BB programs(00:16:05) New XSS vectors and popovers(00:24:15) The "magical math element" in Firefox(00:27:15) LiveOverflow on HTML parsing quirks(00:32:10) Mr. Tux Racer, Woocommerce, and WordPress(00:40:00) Changes in the CVSS 4 draft spec(00:45:00) TomNomNom's new tool Jsluise(00:51:15) JavaScript's import function & "JavaScript for Hackers"(01:09:15) Prototype pollution & DOM clobbering(01:18:10) Base tags and CSS Games
The note was deleted
The note was saved
Your message was sent