Episode 58: Youssef Sammouda - Client-Side & ATO War Stories
Critical Thinking - Bug Bounty Podcast15 Helmi 2024

Episode 58: Youssef Sammouda - Client-Side & ATO War Stories

Episode 58: In this episode of Critical Thinking - Bug Bounty Podcast we finally sit down with Youssef Samouda and grill him on his various techniques for finding and exploiting client-side bugs and postMessage vulnerabilities. He shares some crazy stories about race conditions, exploiting hash change events, and leveraging scroll to text fragments.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Guest: https://twitter.com/samm0uda?lang=en

https://ysamm.com/

Resources:

Client-side race conditions with postMessage:

https://ysamm.com/?p=742

Transferable Objects

https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Transferable_objects

Every known way to get references to windows, in javascript:

https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2d

Youssef’s interview with BBRE

https://www.youtube.com/watch?v=MXH1HqTFNm0

Timestamps:

(00:00:00) Introduction

(00:04:27) Client-side race conditions with postMessage

(00:18:12) On Hash Change Events and Scroll To Text Fragments

(00:32:00) Finding, documenting, and reporting complex bugs

(00:37:32) PostMessage Methodology

(00:45:05) Youssef's Vuln Story

(00:53:42) Where and how to look for ATO vulns

(01:05:21) MessagePort

(01:14:37) Window frame relationships

(01:20:24) Recon and JS monitoring

(01:37:03) Client-side routing

(01:48:05) MITMProxy

Jaksot(161)

Episode 9: Headless Browser SSRF & RebindMultiA Tool Release + Web3 Bug

Episode 9: Headless Browser SSRF & RebindMultiA Tool Release + Web3 Bug

Episode 9: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Headless Browser SSRF and drop a tool called RebindMultiA. Joel also walks us through a web3 bug and we cover some bu...

2 Maalis 20231h 8min

Episode 8: PostMessage Bugs, CSS Injection, and Bug Drops

Episode 8: PostMessage Bugs, CSS Injection, and Bug Drops

Episode 8: In this episode of Critical Thinking - Bug Bounty Podcast we drop some critical bugs which leak raw credit card info. We also discuss some CSS Injection & PostMessage related techniques. It...

22 Helmi 202335min

Episode 7: PortSwigger Top 10, TruffleSecurity Drama, and More!

Episode 7: PortSwigger Top 10, TruffleSecurity Drama, and More!

Episode 7: In this episode of Critical Thinking - Bug Bounty Podcast we talk about PortSwigger's Top 10 Web Hacking Techniques of 2022 (link below), some drama surrounding TruffleSecurity's XSS Hunter...

16 Helmi 202356min

Episode 6: Mobile Hacking Attack Vectors with Teknogeek (Joel Margolis)

Episode 6: Mobile Hacking Attack Vectors with Teknogeek (Joel Margolis)

Episode 6: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with mobile hacking legend Joel Margolis and get the scoop on his approach to popping bugs on Android.Follow us on twit...

9 Helmi 20231h 39min

Episode 4: H1-407 Event Madness & Takeaways Part 2 w/ Special Guest Spaceraccoon

Episode 4: H1-407 Event Madness & Takeaways Part 2 w/ Special Guest Spaceraccoon

Episode 4: In this episode of Critical Thinking - Bug Bounty Podcast we have part two of our series on the H1-407 HackerOne Live Hacking Event. This time, we have a special guest SpaceRaccoon (@spacer...

2 Helmi 202345min

Episode 5: AI Security, Hacking WiFi, the New XSS Hunter, and more

Episode 5: AI Security, Hacking WiFi, the New XSS Hunter, and more

Episode 5: In this episode of Critical Thinking - Bug Bounty Podcast we talk about the new XSS Hunter, MD5 collisions and using ChatGPT for security, and much more!Follow us on twitter at: @ctbbpodcas...

2 Helmi 202353min

Episode 3: H1-407 Event Madness & Takeaways Part 1

Episode 3: H1-407 Event Madness & Takeaways Part 1

Episode 3: In this episode of Critical Thinking - Bug Bounty Podcast we talk about some of the interesting things we’ve learned from participating in HackerOne's H1-407 Live Hacking event. We cover de...

26 Tammi 202345min

Episode 2: Exploit Writing & Automation / Do you need to know how to program to hack?

Episode 2: Exploit Writing & Automation / Do you need to know how to program to hack?

Episode 2: In this episode of Critical Thinking - Bug Bounty Podcast we talk about exploit writing/automation, some new tools released in the industry (Of-CORS), the age old question of "Do you have t...

18 Tammi 20231h 14min