Episode 58: Youssef Sammouda - Client-Side & ATO War Stories
Critical Thinking - Bug Bounty Podcast15 Helmi 2024

Episode 58: Youssef Sammouda - Client-Side & ATO War Stories

Episode 58: In this episode of Critical Thinking - Bug Bounty Podcast we finally sit down with Youssef Samouda and grill him on his various techniques for finding and exploiting client-side bugs and postMessage vulnerabilities. He shares some crazy stories about race conditions, exploiting hash change events, and leveraging scroll to text fragments.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Guest: https://twitter.com/samm0uda?lang=en

https://ysamm.com/

Resources:

Client-side race conditions with postMessage:

https://ysamm.com/?p=742

Transferable Objects

https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Transferable_objects

Every known way to get references to windows, in javascript:

https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2d

Youssef’s interview with BBRE

https://www.youtube.com/watch?v=MXH1HqTFNm0

Timestamps:

(00:00:00) Introduction

(00:04:27) Client-side race conditions with postMessage

(00:18:12) On Hash Change Events and Scroll To Text Fragments

(00:32:00) Finding, documenting, and reporting complex bugs

(00:37:32) PostMessage Methodology

(00:45:05) Youssef's Vuln Story

(00:53:42) Where and how to look for ATO vulns

(01:05:21) MessagePort

(01:14:37) Window frame relationships

(01:20:24) Recon and JS monitoring

(01:37:03) Client-side routing

(01:48:05) MITMProxy

Jaksot(161)

Episode 129: Is this how Bug Bounty Ends?

Episode 129: Is this how Bug Bounty Ends?

Episode 129: In this episode of Critical Thinking - Bug Bounty Podcast we chat about the future of hack bots and human-AI collaboration, the challenges posed by tokenization, and the need for cybersec...

3 Heinä 202536min

Episode 128: New Research in Blind SSRF and Self-XSS, and How to Architect Source-code Review AI Bots

Episode 128: New Research in Blind SSRF and Self-XSS, and How to Architect Source-code Review AI Bots

Episode 128: In this episode of Critical Thinking - Bug Bounty Podcast we talking Blind SSRF and Self-XSS, as well as Reversing massive minified JS with AI and a wild Google Logo Ligature BugFollow us...

26 Kesä 202558min

Episode 127: Drama, PDF as JS Chaos, Bounty Profile Apps, And More

Episode 127: Drama, PDF as JS Chaos, Bounty Profile Apps, And More

Episode 127: In this episode of Critical Thinking - Bug Bounty Podcast we address some recent bug bounty controversy before jumping into a slew of news itemsFollow us on XShoutout to YTCracker for the...

19 Kesä 20251h 7min

Episode 126: Hacking AI Series: Vulnus ex Machina - Part 3

Episode 126: Hacking AI Series: Vulnus ex Machina - Part 3

Episode 126: In this episode of Critical Thinking - Bug Bounty Podcast we wrap up Rez0’s AI miniseries ‘Vulnus Ex Machina’. Part 3 includes a showcase of AI Vulns that Rez0 himself has found, and how ...

12 Kesä 202538min

Episode 125: How to Win Live Hacking Events

Episode 125: How to Win Live Hacking Events

Episode 125: In this episode of Critical Thinking - Bug Bounty Podcast Justin shares insights on how to succeed at live hacking events. We cover pre-event preparations, challenges of collaboration, on...

5 Kesä 202547min

Episode 124: Bug Bounty Lifestyle = Less Hacking Time?

Episode 124: Bug Bounty Lifestyle = Less Hacking Time?

Episode 124: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph cover some news from around the community, hitting on Joseph’s Anthropic safety testing, Justin’s guest appeara...

29 Touko 202545min

Episode 123: Hacking AI Series: Vulnus ex Machina - Part 2

Episode 123: Hacking AI Series: Vulnus ex Machina - Part 2

Episode 123: In this episode of Critical Thinking - Bug Bounty Podcast we’re back with part 2 of Rez0’s miniseries. Today we talk about mastering Prompt Injection, taxonomy of impact, and both trigger...

22 Touko 202544min

Episode 122: We Won Google's AI Hacking Event in Tokyo - Main Takeaways

Episode 122: We Won Google's AI Hacking Event in Tokyo - Main Takeaways

Episode 122: In this episode of Critical Thinking - Bug Bounty Podcast your boys are MVH winners! First we’re joined by Zak, to discuss the Google LHE as well as surprising us with a bug of his own! T...

15 Touko 20251h 45min