Posts tagged 'Bounty Podcast'

Recovering data from a cropped image (thanks to an undocumented API change, bypassing an origin check with an emoji, and a trivial SSRF filter bypass all in this week's bug bounty podcast.

A few varied issues this week, exploiting an apparently unexploitable CRLF injection, organization secrets exposure in GitHub, and a Jenkins XSS.

This episode covers a lot of ground, from an insecure OAuth flow (Booking.com) to a crazy JSON injection and fail-open login system (DataHub) to hacking Bluetooth smart locks (Megafeis-palm). And even a new ImageMagick trick for a local file read.

Parameter pollution for an auth bypass, SQL injection in an ORM, CRLF injection for a WAF bypass...this episode has a great mix of issues.

A variety episode this week with some bad cryptography in PHP and Azure, information disclosure in suid binaries, request smuggling in HAProxy, and some research on testing for server-side prototype pollution.

Bit slow this week, so we talk about the Top Web-hacking techniques of 2022, and some TruffleSec/XSS Hunter drama before so we cover a blockchain verification bug, and a simple path traversal to SSTI and RCE chain.

Is it possible to escalate a self-XSS into an account takeover? Perhaps, we take a look at some potential options by abusing single-sign on. Then we take a look at a few Facebook/Meta authentication issues, and a deserialization trick to increase the usable classes in PHP.

Starting off the week strong we have a CSS injection turned full-read SSRF, and a MyBB exploit chain from XSS to server-side code injection. And we've got a couple auth token disclosures to end off the episode.

We've got a cloud focused episode this week, starting with a logging bypass in AWS CloudTrail, a SSH Key injection, and cross-tenant data access in Azure Cognitive Search.

This week kicks off with another look at client-side path traversal attacks, this time with some more case-studies. Then we get into some mobile issues, one a cool desync between DER processors resulting in an iOS privilege escalation. The other a Bundle processing issue in Android that provides an almost use-after-free like primitive but in Java.