Episode 135: Akamai's Ryan Barnett on WAFs, Unicode Confusables, and Triage Stories
Podcast: Critical Thinking - Bug Bounty PodcastPublished On: Thu Aug 14 2025
Description: Episode 135: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Ryan Barnett for a deep dive on WAFs. We also recap his Exploiting Unicode Normalization talk from DEFCON, and get his perspective on bug hunting from his time at Akamai. Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today’s Sponsor - ThreatLocker. Checkout ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detectToday’s Guest: https://x.com/ryancbarnett====== Resources ======Accidental Stored XSS Flaw in Zemanta 'Related Posts' Plugin for TypePadhttps://webappdefender.blogspot.com/2013/04/accidental-stored-xss-flaw-in-zemanta.htmlXSS Street-Fighthttps://media.blackhat.com/bh-dc-11/Barnett/BlackHat_DC_2011_Barnett_XSS%20Streetfight-Slides.pdfBlackhat USA 2025 - Lost in Translation: Exploiting Unicode Normalizationhttps://www.blackhat.com/us-25/briefings/schedule/#lost-in-translation-exploiting-unicode-normalization-44923====== Timestamps ======(00:00:00) Introduction(00:02:49) Accidental Stored XSS in Typepad Plugin (00:06:34) Chatscatter & Abusing third party Analytics(00:11:42) Ryan Barnett Introduction(00:21:11) Virtual Patching & WAF Challenges(00:40:39) AWS API Gateways & Whitelisting Bug Hunter Traffic(00:49:59) Lost in Translation: Exploiting Unicode Normalization(01:11:29) CSPs at the WAF level & 'Bounties for Bypass'
The note was deleted
The note was saved
Your message was sent