Episode 74: Supply Chain Attack Primer - Popping RCE Without an HTTP Request (feat 0xLupin)
Critical Thinking - Bug Bounty Podcast6 Kesä 2024

Episode 74: Supply Chain Attack Primer - Popping RCE Without an HTTP Request (feat 0xLupin)

Episode 74: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Roni "Lupin" Carta for a deep dive into supply chain attacks and dependency confusion. We explore the supply chain attacks, the ethical considerations surrounding maintainers and hosting packages on public registries, and chat about the vision and uses of his new tool Depi.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today's Sponsor - Project Discovery: https://nux.gg/podcast

Today’s Guest: https://x.com/0xLupin

Resources:

Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

git-dump

https://github.com/tomnomnom/dotfiles/blob/master/scripts/git-dump

Depi

https://www.landh.tech/depi

Weak links of Supply Chain

https://arxiv.org/pdf/2112.10165

Timestamps:

(00:00:00) Introduction

(00:07:13) Overveiw of Supply Chain Flow

(00:15:14) Getting our Scope

(00:23:46) Depi

(00:29:12) Types of attacks and finding the 80/20

(00:45:06) Maintainer attacks

(01:10:40) Regestries, artifactories, and an npm bug

(01:31:51) Grafana NPX Confusion

Jaksot(162)

Episode 58: Youssef Sammouda - Client-Side & ATO War Stories

Episode 58: Youssef Sammouda - Client-Side & ATO War Stories

Episode 58: In this episode of Critical Thinking - Bug Bounty Podcast we finally sit down with Youssef Samouda and grill him on his various techniques for finding and exploiting client-side bugs and p...

15 Helmi 20241h 54min

Episode 57: Technical breakdown from Miami Hacking Event - H1-305

Episode 57: Technical breakdown from Miami Hacking Event - H1-305

Episode 57: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are live from Miami, and recap their experience and share takeaways from the live hacking event. They highlight t...

8 Helmi 202432min

Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston)

Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston)

Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston)Episode 56: In this episode of Critical Thinking - Bug Bounty Podcast, Justin sits down with Jon Colston to discuss how hi...

1 Helmi 20241h 47min

Episode 55: Popping WordPress Plugins - Methodology Braindump

Episode 55: Popping WordPress Plugins - Methodology Braindump

Episode 55: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by Wordpress Security Researcher Ram Gall to discuss both functionality and vulnerabilities within Wordpress Plu...

25 Tammi 20241h 44min

Episode 54: White Box Formulas - Vulnerable Coding Patterns

Episode 54: White Box Formulas - Vulnerable Coding Patterns

Episode 54: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with news items and new projects. Joel shares about his personal scraping project to gather data on bug b...

18 Tammi 20241h 12min

Episode 53: 500k/yr as Full-Time Bug Hunter & Content Creator - Nahamsec

Episode 53: 500k/yr as Full-Time Bug Hunter & Content Creator - Nahamsec

Episode 53: In this episode of Critical Thinking - Bug Bounty Podcast,we’re joined by none other than NahamSec. We start by discusses the challenges he faced on his journey in bug bounty hunting and c...

11 Tammi 20241h 40min

Episode 52: Best Technical Content from Year 1 of CTBB Podcast

Episode 52: Best Technical Content from Year 1 of CTBB Podcast

Episode 52: In this episode of Critical Thinking - Bug Bounty Podcast we're going back and highlighting some of the best technical moments from the past year! Hope you enjoy this best of 2023 Supercut...

4 Tammi 20243h

Episode 51: Hacker Stats 2023 & 2024 Goals

Episode 51: Hacker Stats 2023 & 2024 Goals

Episode 51: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are back for the last episode of 2023. We discuss some noteworthy news items including a Hacker One Crit, Caido u...

28 Joulu 20231h 21min