1
00:00:00,200 --> 00:00:04,270
So when interviewing Johan two years
ago for the podcast, we spoke about

2
00:00:04,300 --> 00:00:09,599
making 100,000 in one year and it
was impressive, but since then he's

3
00:00:09,599 --> 00:00:13,629
been really killing it, hacking not
only on GitLab, but also programs

4
00:00:13,629 --> 00:00:16,169
like Apple, Google, or Yahoo.

5
00:00:16,759 --> 00:00:20,120
And in this interview, I'll
try to uncover all his secrets.

6
00:00:20,419 --> 00:00:23,440
So enjoy my interview with Johan Carlsson.

7
00:00:24,460 --> 00:00:25,080
Hello, Johan.

8
00:00:25,080 --> 00:00:26,480
How are you doing?

9
00:00:26,520 --> 00:00:28,649
How have these two years been for you?

10
00:00:29,039 --> 00:00:31,329
Oh, thanks for having me again.

11
00:00:31,850 --> 00:00:32,439
Yeah, you're

12
00:00:32,450 --> 00:00:35,900
the first, the first guest
that makes a second appearance.

13
00:00:35,900 --> 00:00:41,229
Yeah, no, I'm, uh, I'm
having a great time.

14
00:00:42,619 --> 00:00:45,480
It's been, uh, so has it been two years?

15
00:00:46,040 --> 00:00:46,310
Yes.

16
00:00:46,340 --> 00:00:50,710
The previous episode was in
January, 2023 for the record.

17
00:00:50,710 --> 00:00:56,969
We were recording this in December, 2024
and you also in, in person in Sweden.

18
00:00:56,969 --> 00:00:59,680
Uh, so, um, it's almost two years.

19
00:00:59,859 --> 00:01:00,189
Yeah.

20
00:01:00,529 --> 00:01:00,739
Yeah.

21
00:01:00,739 --> 00:01:03,530
That's a crazy in a lot, in many ways.

22
00:01:03,629 --> 00:01:04,299
Yeah.

23
00:01:04,450 --> 00:01:11,635
And yeah, it's been, uh, it's been a ride,
uh, and, uh, a lot of things are the same,

24
00:01:11,925 --> 00:01:13,845
uh, and, uh, some things have changed.

25
00:01:15,425 --> 00:01:22,655
I'm still, uh, on GitLab, uh, and, uh,
uh, but I also hunt on other programs and,

26
00:01:22,655 --> 00:01:27,965
uh, but I think the, the big thing, of
course, is that I've gone, uh, full time.

27
00:01:28,345 --> 00:01:28,585
Yes.

28
00:01:28,975 --> 00:01:29,525
That's a big thing.

29
00:01:29,575 --> 00:01:32,005
Uh, from what I did previously.

30
00:01:32,675 --> 00:01:39,214
Um, so I'm from this from August, so
it's almost, I guess it's like four

31
00:01:39,214 --> 00:01:43,555
months or something, but I also did
three months, uh, before the summer

32
00:01:44,135 --> 00:01:49,295
where I just tried it out, like taking
a break from my regular job and, uh,

33
00:01:49,585 --> 00:01:51,615
testing it to see if it could fly.

34
00:01:51,895 --> 00:01:53,785
What pushed you to quit your job?

35
00:01:54,200 --> 00:02:00,370
It was a combination of, I really, it
was not a problem with the job per se.

36
00:02:00,410 --> 00:02:03,789
I was working as a developer,
like front end developer.

37
00:02:04,479 --> 00:02:11,019
It was a combination of being
able to be more free with my time.

38
00:02:11,510 --> 00:02:15,080
Uh, having a big family and being able
to like do whatever I want with my

39
00:02:15,080 --> 00:02:20,790
time, uh, and also with my interest in,
uh, like security and that I, I didn't

40
00:02:20,870 --> 00:02:25,959
really get to like fulfill that, uh,
doing, uh, regular development work.

41
00:02:26,189 --> 00:02:26,509
Yeah.

42
00:02:27,129 --> 00:02:27,699
So.

43
00:02:29,259 --> 00:02:31,869
How has the, the life
changed since you quit?

44
00:02:32,579 --> 00:02:34,460
What did you expect it to be?

45
00:02:34,990 --> 00:02:37,820
Uh, yeah, I mean, I guess so.

46
00:02:38,060 --> 00:02:44,335
Uh, I've had a lot of, it
has changed in many ways.

47
00:02:45,480 --> 00:02:46,930
It's not related to bug bounties.

48
00:02:46,930 --> 00:02:50,460
Like I got my fourth, uh,
child, uh, during this time.

49
00:02:50,540 --> 00:02:54,220
Uh, so it's, I mean, I've, I've
been doing it full time, but I

50
00:02:54,300 --> 00:02:56,030
have not been working full time.

51
00:02:57,510 --> 00:03:01,519
I've been a full time hunter, but
my time has been, uh, a bit, uh,

52
00:03:02,219 --> 00:03:07,239
scattered between the different things,
but it has given me like the feeling

53
00:03:07,239 --> 00:03:11,900
of like, I can control what I do
myself, which has been, uh, amazing.

54
00:03:12,580 --> 00:03:14,700
And when we spoke two years ago.

55
00:03:15,505 --> 00:03:20,705
I felt like I'm saying the same things,
but then it seemed incredible that you

56
00:03:20,745 --> 00:03:22,895
climbed the GitLab leaderboard so quickly.

57
00:03:22,895 --> 00:03:25,535
I don't remember which place
you were at two years ago.

58
00:03:25,794 --> 00:03:26,161
No, I

59
00:03:26,161 --> 00:03:26,374
don't remember.

60
00:03:26,374 --> 00:03:27,805
I was top 10 at least.

61
00:03:27,805 --> 00:03:27,835
Top

62
00:03:28,084 --> 00:03:28,795
10 something.

63
00:03:28,815 --> 00:03:31,715
And I was like, wow, he made
top 10 in GitLab in one year.

64
00:03:32,390 --> 00:03:38,647
But, uh, it seems like the bugs have to
stop somewhere yet, you know, not, not

65
00:03:38,647 --> 00:03:43,050
two years have passed and you're now
top one, huge congratulations on that.

66
00:03:43,490 --> 00:03:47,293
And how on earth is it
possible there's still so

67
00:03:47,293 --> 00:03:48,599
many bugs?

68
00:03:48,600 --> 00:03:53,040
I mean, that was definitely one of my
big milestones, uh, that I wanted to

69
00:03:53,040 --> 00:03:54,950
reach because when I got at the top 10.

70
00:03:55,660 --> 00:03:58,080
That I think you could get into top 10.

71
00:03:58,140 --> 00:04:03,710
I don't remember the numbers now, but
you can be at least like around one K in

72
00:04:03,710 --> 00:04:05,189
reputation points or something like that.

73
00:04:05,700 --> 00:04:09,350
And the people at the top at
that time had like three K.

74
00:04:10,039 --> 00:04:13,349
So it still felt like
there's a long way to go.

75
00:04:13,349 --> 00:04:14,100
Yeah, exactly.

76
00:04:15,450 --> 00:04:23,470
And, uh, I think I almost
made one K reputation points,

77
00:04:23,950 --> 00:04:25,310
uh, this year or something.

78
00:04:25,310 --> 00:04:32,740
It's like, so in the end I've, I did,
uh, uh, a huge, uh, uh, rush, uh, but

79
00:04:33,450 --> 00:04:37,130
I mean, so that's also the strange
thing with this reputation scoreboards

80
00:04:37,149 --> 00:04:41,490
that they keep this, a lot of the
people at the top 10 are not really

81
00:04:41,490 --> 00:04:43,830
active hunters on GitLab anymore.

82
00:04:44,169 --> 00:04:44,639
Yeah.

83
00:04:44,669 --> 00:04:44,989
So.

84
00:04:45,859 --> 00:04:50,499
Uh, I think I'm definitely one of,
um, they've added this new feature

85
00:04:50,499 --> 00:04:53,679
on HackerOne where you can actually
see scoreboards for each year

86
00:04:53,759 --> 00:04:56,789
instead, so you can pick a year
and they will like rearrange it.

87
00:04:57,739 --> 00:05:02,349
And uh, I've been number one all
of these years, except one for some

88
00:05:02,349 --> 00:05:07,489
reason, some guy beat me one year,
like two years ago, uh, but uh, yeah,

89
00:05:07,839 --> 00:05:09,519
uh, yeah, I'm really happy with that.

90
00:05:09,939 --> 00:05:10,109
Are you

91
00:05:10,109 --> 00:05:12,499
planning to stay with
GitLab for the future?

92
00:05:12,500 --> 00:05:12,509
Yeah.

93
00:05:12,509 --> 00:05:12,519
Yeah.

94
00:05:13,629 --> 00:05:20,579
I will definitely hang around there
as long as it, uh, I'm still amazed

95
00:05:20,709 --> 00:05:25,159
that I find it's not, I don't even
feel like I'm doing the same thing.

96
00:05:25,189 --> 00:05:30,549
I find new ways of like learning new
skills and learning new techniques

97
00:05:30,830 --> 00:05:32,289
while staying at this target.

98
00:05:32,289 --> 00:05:37,669
So, and they are very fair to me
and to other people as well, like

99
00:05:37,669 --> 00:05:39,159
they're a really good program.

100
00:05:39,599 --> 00:05:44,259
So it's hard to change, yes, for the like.

101
00:05:44,684 --> 00:05:50,854
For whatever reason, uh, if they decide
to stop paying or rewarding or doing

102
00:05:50,854 --> 00:05:53,104
another change, maybe I will move on.

103
00:05:53,694 --> 00:05:59,764
Is it more after so much time, more
like just auditing the new codes

104
00:06:00,384 --> 00:06:03,784
or is it still after so much time,
you still haven't explored all

105
00:06:03,784 --> 00:06:06,314
functionalities that have been there?

106
00:06:06,824 --> 00:06:13,844
It's still definitely a mix, even if I
think it's a bit more, uh, leaning towards

107
00:06:14,864 --> 00:06:19,174
Code, but people are definitely not only
me, but other ones are definitely finding

108
00:06:19,184 --> 00:06:23,544
things deep inside the old code as well.

109
00:06:24,184 --> 00:06:26,554
So there's a lot of things to find there.

110
00:06:27,274 --> 00:06:32,164
I imagine I haven't, haven't looked at
the source code, but I imagine there's

111
00:06:32,164 --> 00:06:37,594
just so many pieces of code that are just
hard to trigger that, you know, you just.

112
00:06:38,009 --> 00:06:41,309
Don't know this feature exists,
or you don't know there was this

113
00:06:41,309 --> 00:06:45,849
particular case that and all of a
sudden new code does a similar thing.

114
00:06:45,849 --> 00:06:49,179
And I imagine, you know, you
just randomly discover this.

115
00:06:49,619 --> 00:06:49,999
Yeah.

116
00:06:49,999 --> 00:06:51,839
And that's actually one thing that.

117
00:06:52,334 --> 00:06:59,284
I have, uh, uh, changed or that I've
forced myself to actually finally do is

118
00:06:59,294 --> 00:07:05,164
to start using their, like the GitLab
development kit, which is like the

119
00:07:05,174 --> 00:07:10,084
development, uh, um, environment that they
are using when you're developing things

120
00:07:10,224 --> 00:07:13,304
in GitLab and as it's, uh, Ruby based.

121
00:07:14,364 --> 00:07:17,544
You actually have access to,
it's like an interpreted.

122
00:07:17,574 --> 00:07:20,094
So it's like running the code as you

123
00:07:20,464 --> 00:07:22,354
can have like debug breakpoints.

124
00:07:22,384 --> 00:07:23,214
Yeah, exactly.

125
00:07:23,234 --> 00:07:24,214
And you can also, you

126
00:07:24,214 --> 00:07:28,894
can also start a console where you have
access to the code so you can trigger.

127
00:07:29,179 --> 00:07:33,779
Functions and you can call functions
using things from the database, for

128
00:07:33,779 --> 00:07:39,439
example, so you can say like, give
me the first project in the database

129
00:07:39,469 --> 00:07:45,259
and then throw it into this function
here that takes a project or whatever.

130
00:07:45,849 --> 00:07:46,409
So you

131
00:07:46,409 --> 00:07:48,179
can speed up the testing a lot.

132
00:07:48,199 --> 00:07:48,449
No,

133
00:07:48,549 --> 00:07:49,409
yeah, definitely.

134
00:07:49,669 --> 00:07:54,369
Uh, so you can, uh, when you get
a hang of it, you can start like.

135
00:07:54,859 --> 00:07:58,049
Poking at things that you don't
really know how to get to yet.

136
00:07:58,799 --> 00:08:04,429
Yeah, and, uh, it's really useful and
I don't have no idea why I didn't, uh,

137
00:08:04,729 --> 00:08:07,229
transition to it earlier than I did.

138
00:08:07,929 --> 00:08:10,439
Well, last time we were
recording the podcast, you were

139
00:08:10,449 --> 00:08:11,959
just after stopping talking.

140
00:08:12,244 --> 00:08:14,154
Uh, looking at the code
through the website.

141
00:08:14,294 --> 00:08:14,814
Yeah,

142
00:08:14,815 --> 00:08:15,715
yeah, yeah.

143
00:08:15,715 --> 00:08:16,164
Exactly.

144
00:08:16,164 --> 00:08:19,844
Because I watched it and I
was like, oh, just recently I

145
00:08:19,844 --> 00:08:21,984
pulled GitLab to my local disk.

146
00:08:22,674 --> 00:08:23,064
Yeah.

147
00:08:24,774 --> 00:08:29,774
Yeah, so there's definitely things
that I'm doing a bit more structured.

148
00:08:30,004 --> 00:08:30,374
Yeah.

149
00:08:31,894 --> 00:08:32,754
At the moment, yeah.

150
00:08:33,414 --> 00:08:36,074
And now I think about it,
for a lot of projects.

151
00:08:36,474 --> 00:08:40,734
Probably you can speed up the testing
when you have the source code,

152
00:08:40,734 --> 00:08:45,444
obviously, and especially when you
have the debugging access, you can,

153
00:08:45,684 --> 00:08:49,434
instead of like running the intruder
attack or something like this.

154
00:08:49,884 --> 00:08:53,314
You can just do a for loop and
run a function in the for with

155
00:08:53,324 --> 00:08:55,014
different inputs and stuff like this.

156
00:08:55,314 --> 00:08:55,674
Yeah.

157
00:08:56,214 --> 00:09:00,394
And actually something that really
inspired me as well was, uh, I don't

158
00:09:00,394 --> 00:09:06,624
know if you saw this, uh, this SAML
bypass, uh, bug that was also like

159
00:09:06,644 --> 00:09:10,884
really impressive, uh, in the, on its
own, like the bug was really impressive.

160
00:09:10,934 --> 00:09:11,194
Yeah.

161
00:09:11,214 --> 00:09:15,364
And also like really old
code, uh, and super critical.

162
00:09:15,384 --> 00:09:19,564
But, uh, I saw some write up
like when some other people like

163
00:09:19,604 --> 00:09:23,294
tried a similar thing, they were
like recreating it or whatever.

164
00:09:23,604 --> 00:09:28,374
And they sort of like broke out a
piece of the code and built their

165
00:09:28,374 --> 00:09:33,094
own little like in isolation and
they could remove the things that

166
00:09:33,094 --> 00:09:34,854
they knew didn't really impact.

167
00:09:35,469 --> 00:09:38,049
And then they could like iterate,
uh, looking at this piece

168
00:09:38,049 --> 00:09:39,339
of code, uh, really quickly.

169
00:09:39,569 --> 00:09:41,339
And that's a really inspired me.

170
00:09:41,339 --> 00:09:45,589
I will try to do more of that as
well during code review.

171
00:09:45,769 --> 00:09:46,959
Can you, can you specify this?

172
00:09:46,959 --> 00:09:49,379
I don't think I fully got the,

173
00:09:49,379 --> 00:09:53,970
so they, I think in that blog post,
they wanted to see how GitHub in

174
00:09:53,989 --> 00:09:56,969
that case were handling the SAML.

175
00:09:57,374 --> 00:10:03,754
Uh, their SAML implementation, so they
took the code, uh, that you can extract

176
00:10:03,774 --> 00:10:09,604
from GitHub if you, uh, figure it out
and they just took that piece of the

177
00:10:09,604 --> 00:10:12,914
library and they, uh, recreated like.

178
00:10:13,339 --> 00:10:14,749
Almost like building a test case.

179
00:10:14,789 --> 00:10:18,589
If you're a developer, like mocking
some parts and just like making

180
00:10:18,629 --> 00:10:20,749
sure that it works good enough.

181
00:10:21,149 --> 00:10:24,779
And then they could run like a lot of
tests on it quickly because they don't

182
00:10:24,779 --> 00:10:26,389
have to go through the whole application.

183
00:10:26,689 --> 00:10:28,379
They just break out that piece of code.

184
00:10:28,964 --> 00:10:33,014
Like try to break it and then try to
fit it into the application again.

185
00:10:33,374 --> 00:10:36,274
Oh, because there were two blog
posts about the SAML bypass,

186
00:10:36,274 --> 00:10:38,034
one was GitLab and one GitHub, right?

187
00:10:38,084 --> 00:10:39,764
And I think I only read the GitLab one.

188
00:10:39,774 --> 00:10:40,354
Oh, yeah.

189
00:10:40,574 --> 00:10:42,044
And the one you're saying is GitHub.

190
00:10:42,054 --> 00:10:42,724
Yeah I think it was

191
00:10:42,724 --> 00:10:45,724
from the so they discovered
this bug through like fuzzing

192
00:10:45,725 --> 00:10:47,934
the, the SAML.

193
00:10:48,104 --> 00:10:48,264
Yeah.

194
00:10:48,264 --> 00:10:52,004
I don't know if they fuzzed it, but at
least they broke it out to test it very

195
00:10:52,004 --> 00:10:55,624
quickly with like automation to just like
send a bunch of, because then they could

196
00:10:55,624 --> 00:10:59,924
remove some of the, the things that would
make it slow, that you would have like

197
00:10:59,964 --> 00:11:02,114
certain timestamp checks or whatever.

198
00:11:02,364 --> 00:11:04,154
That doesn't really matter
for the final exploit.

199
00:11:04,304 --> 00:11:04,574
Yeah.

200
00:11:04,624 --> 00:11:05,284
That's nice.

201
00:11:05,944 --> 00:11:10,844
I also wanted to, to, to, uh, understand
SAML a bit after this, because

202
00:11:10,874 --> 00:11:19,314
still I spend a lot of time on the
SSO, but SAML's, SAML's like, it's

203
00:11:19,324 --> 00:11:23,774
there and there's SAML Raider and I
may try the attack from, from this.

204
00:11:24,374 --> 00:11:26,944
And then it's pretty much
end of my knowledge about it.

205
00:11:29,654 --> 00:11:34,924
If you were to approach a new system that
is GitLab, how would you start doing this?

206
00:11:35,514 --> 00:11:41,084
It's been on my to do list since like
going full time to, to expand, to

207
00:11:41,294 --> 00:11:46,804
have like, uh, one or two more targets
to be like my main go to targets.

208
00:11:47,344 --> 00:11:49,214
Uh, I haven't really managed to do it yet.

209
00:11:49,884 --> 00:11:58,364
Um, I think one of the reasons that I've
managed to stay for so long at GitLab

210
00:11:58,364 --> 00:12:03,500
is, uh, because I, I found it like
interesting as well, like the application,

211
00:12:03,600 --> 00:12:10,909
the functionality connected to my job as
a developer, like it's resonated with me.

212
00:12:11,680 --> 00:12:17,859
Um, so I would approach it sort of
like I approach this, I guess, like.

213
00:12:18,360 --> 00:12:23,430
Trying to find the functionality that I
want to test that I have a like a hunch

214
00:12:23,430 --> 00:12:26,460
that something could break and then I
test that and then like move around in

215
00:12:26,470 --> 00:12:32,340
the application is to try to find and
that's sort of like what's the luxury,

216
00:12:32,579 --> 00:12:37,479
I guess, with doing bug bounties is
that no one is checking on you, like how

217
00:12:37,530 --> 00:12:41,470
thorough you go through the application or
wherever you can just like, Browse around.

218
00:12:42,310 --> 00:12:42,510
Yeah.

219
00:12:42,510 --> 00:12:45,090
There's no, no, no consequences
from missing a bug.

220
00:12:45,160 --> 00:12:46,090
No, exactly.

221
00:12:46,160 --> 00:12:47,540
Uh, except like mental.

222
00:12:48,170 --> 00:12:48,420
Yeah.

223
00:12:48,730 --> 00:12:49,030
Yeah.

224
00:12:49,580 --> 00:12:57,660
Uh, but, and also, I mean, you have
to, so one of the big changes for, from

225
00:12:57,660 --> 00:13:04,060
going full time, uh, is that I now have
to rely on the income from bug bounties.

226
00:13:05,450 --> 00:13:11,090
To actually pay my bills and my
own salary and all of that so that

227
00:13:11,680 --> 00:13:16,900
that sort of Shift did happen like
from day one that you at least you

228
00:13:16,900 --> 00:13:18,890
sort of have to find things, right?

229
00:13:19,550 --> 00:13:26,330
Uh, and that there is like a mental
shift there that, uh, uh, if you don't

230
00:13:26,360 --> 00:13:31,740
like constantly find something that is
like bringing income, it starts to be.

231
00:13:31,869 --> 00:13:34,730
So even if you're like free to do
whatever you want, at least you have

232
00:13:34,730 --> 00:13:37,600
to like, it has to be bring something.

233
00:13:37,850 --> 00:13:38,190
Yeah.

234
00:13:38,190 --> 00:13:39,350
You're not, you don't

235
00:13:39,460 --> 00:13:40,560
feel completely free.

236
00:13:40,790 --> 00:13:41,170
No.

237
00:13:41,610 --> 00:13:43,550
And I'm, I'm, but I'm still.

238
00:13:44,200 --> 00:13:51,500
in the camp of, uh, uh, my big, uh, like
inspiration when, before I went full

239
00:13:51,530 --> 00:13:56,899
time, I listened a lot to like interviews
with Alex Chapman and he's like ideas

240
00:13:56,899 --> 00:14:00,650
of like finding fewer, but bigger bugs.

241
00:14:01,189 --> 00:14:08,430
And also like not really doing it
like to maximize, uh, income, but like

242
00:14:09,320 --> 00:14:14,710
a sufficient income and like enough
and also enough to be able to keep it

243
00:14:15,029 --> 00:14:20,690
interesting and, uh, and doing it for
the fun of like learning and exploiting.

244
00:14:20,980 --> 00:14:21,420
Yes.

245
00:14:21,700 --> 00:14:24,570
But at the same time, I actually,
it's funny because I thought about him

246
00:14:24,579 --> 00:14:29,820
before you mentioned his name because
he had the exchange, um, or just a post

247
00:14:29,820 --> 00:14:31,759
on, on Bluesky recently about, yeah,

248
00:14:32,480 --> 00:14:37,790
Escalating some bugs, some as
always, probably a Chromium RCE

249
00:14:38,500 --> 00:14:42,840
and also even though he keeps it
fun, he also as a full time hunter

250
00:14:43,050 --> 00:14:44,700
looks at the return on investment.

251
00:14:45,200 --> 00:14:50,880
And he was saying, you know, um, on a
low paying program, perhaps you can be,

252
00:14:50,930 --> 00:14:54,170
if the program, let's say, downgrades
your bug to a medium. In his

253
00:14:54,170 --> 00:15:01,030
case, it's an RCE where he can, uh,
access the, um, the AWS access keys.

254
00:15:02,039 --> 00:15:02,489
So.

255
00:15:02,965 --> 00:15:05,265
He can't really prove the impact.

256
00:15:05,525 --> 00:15:08,335
He has to rely on the team
and the team says it's medium.

257
00:15:08,745 --> 00:15:14,435
And the whole post was about escalating
this to a more, a bigger severity bug.

258
00:15:15,175 --> 00:15:18,895
But then he was like, if this program
doesn't play that well, there's no.

259
00:15:19,140 --> 00:15:23,375
I actually had a similar thought.

260
00:15:23,375 --> 00:15:27,315
I had, as I told you before, I was
spending some time on the program that has

261
00:15:27,615 --> 00:15:30,525
like the typical hacker one, uh, payouts.

262
00:15:30,555 --> 00:15:33,395
So the medium is 500, the high is 1000.

263
00:15:33,875 --> 00:15:40,325
So I thought if I have the, let's say
the SSRF and I would like to approach.

264
00:15:40,635 --> 00:15:42,625
to escalate from medium to high.

265
00:15:43,125 --> 00:15:45,459
I'm still getting the same 500.

266
00:15:46,135 --> 00:15:51,565
So, and also there's some, somebody
else, um, puts in their time and

267
00:15:51,625 --> 00:15:53,045
effort and maybe they are rewarded.

268
00:15:53,075 --> 00:15:57,865
So in the end it's, it's plus EV, but
there's, it's not like a no brainer if

269
00:15:57,884 --> 00:15:59,545
you think about it from the full time.

270
00:15:59,545 --> 00:16:03,990
It's actually something that I've
been thinking about, like, pros and

271
00:16:03,990 --> 00:16:05,880
cons of different programs lately.

272
00:16:05,880 --> 00:16:10,200
And one another thing that I'm
really happy about at the the

273
00:16:10,200 --> 00:16:15,040
GitLab program is that they don't
have like a, a linear bounty table.

274
00:16:15,130 --> 00:16:15,370
Yeah.

275
00:16:15,550 --> 00:16:18,075
It's like, I don't know, it's exponential.

276
00:16:18,080 --> 00:16:18,750
Exponential.

277
00:16:18,780 --> 00:16:20,190
I don't think it's exponential.

278
00:16:20,190 --> 00:16:20,370
Yeah.

279
00:16:20,370 --> 00:16:20,700
But we

280
00:16:20,700 --> 00:16:21,390
know that the, yeah.

281
00:16:21,675 --> 00:16:21,755
Yeah.

282
00:16:21,785 --> 00:16:23,115
That graph, if you have the curve that

283
00:16:23,655 --> 00:16:23,875
if.

284
00:16:24,210 --> 00:16:28,560
If you move from medium
that tops at like 2.4k

285
00:16:29,560 --> 00:16:33,580
or something, and you end up
at high, which starts at like

286
00:16:33,620 --> 00:16:37,650
five and ends at 15 or something.

287
00:16:38,090 --> 00:16:40,820
And then the critical starts at like 20.

288
00:16:41,119 --> 00:16:46,060
So there's a real incentive to
at least try to escalate to high.

289
00:16:46,140 --> 00:16:48,460
Like that jump is really important.

290
00:16:48,785 --> 00:16:49,055
Yeah.

291
00:16:49,115 --> 00:16:53,735
And other companies like say, for example,
GitHub, where I haven't hunted as much,

292
00:16:53,755 --> 00:16:58,965
but they really like, they pay like 4k
for mediums, which is, uh, impressive.

293
00:16:59,555 --> 00:17:02,615
And I think you can get even more,
you can get up to like 10k for

294
00:17:02,624 --> 00:17:07,954
medium, but the criticals are still
end at 30, like the same as GitLab.

295
00:17:07,985 --> 00:17:15,355
So it's much more linear and helping out,
as you say, in that scenario makes less.

296
00:17:16,575 --> 00:17:21,585
So I really like the, the exponential
thing because it's incentivized, like

297
00:17:21,585 --> 00:17:27,244
working together and like pushing bugs
to, uh, their limits sort of, so to speak.

298
00:17:27,944 --> 00:17:28,274
Yeah.

299
00:17:29,165 --> 00:17:30,895
Also makes sense.

300
00:17:30,895 --> 00:17:35,495
If you have a lot of, I imagine you have
loads of gadgets hidden somewhere, so

301
00:17:35,784 --> 00:17:40,755
all of a sudden you can chain them and
then instead of 500 plus 500, you have.

302
00:17:41,090 --> 00:17:43,580
You know, much more than one plus one.

303
00:17:43,580 --> 00:17:44,780
So yeah.

304
00:17:44,800 --> 00:17:45,210
Interesting.

305
00:17:45,250 --> 00:17:50,040
Although when I look at the program, I
think I prefer the linear one because I

306
00:17:50,070 --> 00:17:53,930
think in the, at the end of the day, you
end up reporting highs, maybe, maybe the

307
00:17:53,930 --> 00:17:58,379
one you said where the high is also higher
than it makes sense because there are.

308
00:17:58,905 --> 00:18:02,365
quite a lot of programs that
are sort of flat up until

309
00:18:02,425 --> 00:18:06,535
the high and then exponential
critical, which they never pay.

310
00:18:06,635 --> 00:18:07,445
No, exactly.

311
00:18:07,445 --> 00:18:07,755
Yeah.

312
00:18:07,795 --> 00:18:09,405
So I

313
00:18:09,435 --> 00:18:12,675
definitely agree that you want to
have those high mediums as well.

314
00:18:12,764 --> 00:18:18,735
Uh, and in a way you kind of get
spoiled with like these big programs.

315
00:18:18,975 --> 00:18:23,495
And I don't know, maybe that's at
least for me, that my way of working

316
00:18:23,505 --> 00:18:25,265
is that I spend a lot of time.

317
00:18:25,660 --> 00:18:32,660
pretty slowly on this one program, uh,
finding like one, two, three issues,

318
00:18:32,930 --> 00:18:39,420
uh, and then like nothing and then
something more and like doing that

319
00:18:39,649 --> 00:18:44,245
sort of work on a program that's like
tops out at like three K wouldn't

320
00:18:44,275 --> 00:18:46,595
be, it's just not worth it for me.

321
00:18:46,595 --> 00:18:52,675
So I skip all of those, uh,
invitations or whatever to, uh, I

322
00:18:52,675 --> 00:18:56,944
think there's enough bugs on the,
the big, the big targets out there.

323
00:18:57,884 --> 00:19:02,694
So that's why I, If I'm not looking at
GitLab, I'm usually just like looking

324
00:19:02,694 --> 00:19:07,194
at, well, like Chrome or whatever
else, like big, big applications.

325
00:19:07,494 --> 00:19:09,154
Yeah, we can maybe jump to this.

326
00:19:09,184 --> 00:19:12,254
Last time you said you were
planning to do some browser hacking.

327
00:19:12,764 --> 00:19:13,614
How has this gone?

328
00:19:14,624 --> 00:19:19,260
Yeah, it hasn't really
gone as planned, I guess.

329
00:19:19,494 --> 00:19:23,214
I still have it on my, I report things.

330
00:19:24,739 --> 00:19:31,789
Once in a while, like smaller issues that
I find when I still tinker a lot with

331
00:19:32,259 --> 00:19:39,829
Chrome and web standards and web features
and things like that, even if I'm maybe

332
00:19:39,829 --> 00:19:45,179
in my main hunting, trying to move a
bit more to the back end bugs and stuff

333
00:19:45,179 --> 00:19:47,169
like that as well to increase impact.

334
00:19:47,889 --> 00:19:51,959
But, uh, I definitely, I find some
like quirks and strange things

335
00:19:52,319 --> 00:19:56,019
once in a while, and then I report
them, but I haven't done it in the

336
00:19:56,049 --> 00:19:57,709
consistent way that I would have hoped.

337
00:19:58,279 --> 00:19:58,559
So,

338
00:19:58,729 --> 00:20:00,509
so it's more like you're
working on something and you

339
00:20:00,519 --> 00:20:04,309
have the idea of something that
could be a bug in the browser

340
00:20:05,169 --> 00:20:05,349
and

341
00:20:05,349 --> 00:20:08,949
then you're more reported rather
than actually spend time researching.

342
00:20:09,189 --> 00:20:09,599
Yeah.

343
00:20:09,959 --> 00:20:16,479
Uh, and I mean, I, I guess it's
a big, it's quite a big hurdle to

344
00:20:16,479 --> 00:20:21,199
spend all that time to actually start
finding things, uh, in the browsers.

345
00:20:21,649 --> 00:20:26,509
Uh, like consistently, but, uh, it's still
a dream to be able to do that as well.

346
00:20:26,509 --> 00:20:30,939
Uh, it's like one of the biggest like
open source projects that you can attack.

347
00:20:31,949 --> 00:20:37,669
Would you like to learn like
the memory related bugs to find

348
00:20:37,849 --> 00:20:40,809
actual RCEs and stuff in browsers?

349
00:20:40,809 --> 00:20:46,099
Or are you still trying to stick to To
this kind of bug that sort of requires

350
00:20:46,099 --> 00:20:47,849
only the web web based knowledge.

351
00:20:48,169 --> 00:20:53,899
Yeah, it hasn't really caught
my interest, uh, that much.

352
00:20:54,209 --> 00:20:59,229
So maybe because I, I think
it looks really hard, but, uh,

353
00:20:59,309 --> 00:21:01,069
uh, yeah, maybe eventually.

354
00:21:01,149 --> 00:21:06,544
I mean, I, I've been trying to move to the
back end and like more proper code review

355
00:21:06,564 --> 00:21:10,384
on GitLab during the last year at least.

356
00:21:11,154 --> 00:21:15,204
Uh, and it's been, uh, very interesting.

357
00:21:15,274 --> 00:21:19,184
So I'm like moving in that direction,
but not at that like low level

358
00:21:19,274 --> 00:21:24,294
as when you are finding those
kind of memory corruption things.

359
00:21:24,444 --> 00:21:24,694
Yeah.

360
00:21:24,694 --> 00:21:26,154
It's for me, it's, it's crazy.

361
00:21:26,844 --> 00:21:32,014
Can you give us an example of the, of a
bug from the browser that you reported?

362
00:21:32,509 --> 00:21:36,799
I imagine if they are in Chromium, I
guess the issue tracker is public, no?

363
00:21:36,949 --> 00:21:37,549
Yeah.

364
00:21:38,149 --> 00:21:42,649
Yeah, I guess, uh, I think I actually
saw, maybe you mentioned something

365
00:21:42,649 --> 00:21:46,759
about it, and I was supposed to write
a blog post and then I found a bypass

366
00:21:46,759 --> 00:21:48,549
to it, but now that speaks as well.

367
00:21:48,979 --> 00:21:56,899
So, uh, that was, um, like a funny, uh,
I hadn't really thought much about it,

368
00:21:56,899 --> 00:22:01,379
that you could like, serve HTML in XML?

369
00:22:01,789 --> 00:22:01,969
Yeah.

370
00:22:02,059 --> 00:22:04,369
Or like XHTML.

371
00:22:04,809 --> 00:22:04,959
Yeah.

372
00:22:04,989 --> 00:22:11,629
Uh, and also in SVG, like all of
these, like XML based, uh, like

373
00:22:11,629 --> 00:22:14,599
languages that are baked into browsers.

374
00:22:15,169 --> 00:22:20,189
And then I remember like, so this was,
uh, maybe at the time where we had our

375
00:22:20,199 --> 00:22:24,979
last interview, like two years ago or
something, I think Ren Reinepack, uh,

376
00:22:24,979 --> 00:22:32,089
he posted some tweet about like someone
had stolen his, uh, POC, like bragged

377
00:22:32,099 --> 00:22:39,579
about it on Twitter about just like how
to build like an XML, HTML attack and

378
00:22:39,629 --> 00:22:41,809
like getting execution through like.

379
00:22:42,139 --> 00:22:47,984
XML, HTML, and I started to
play with that because I hadn't

380
00:22:47,984 --> 00:22:49,654
really thought too much about it.

381
00:22:49,974 --> 00:22:56,154
So I played around with it and tested
it and then all of a sudden, I,

382
00:22:57,564 --> 00:23:02,109
because I knew that you could get
something so uploaded on GitLab,

383
00:23:02,109 --> 00:23:04,149
which I always test my things on.

384
00:23:04,889 --> 00:23:11,169
And I put some HTML in an, I don't
remember if it was in an, uh,

385
00:23:11,169 --> 00:23:14,349
SVG or, uh, some other XML file.

386
00:23:15,499 --> 00:23:22,059
I was on my bus from work and I, I was
doing this on my phone, like hacking, uh,

387
00:23:22,954 --> 00:23:28,949
And uh, all of a sudden, like I saw my
iframe that I have made, like on GitLab's

388
00:23:29,529 --> 00:23:33,829
web page in this XML
document that I have created.

389
00:23:34,379 --> 00:23:35,589
And I got like really hyped.

390
00:23:35,739 --> 00:23:38,569
This was during like a 20
minutes transit from work.

391
00:23:39,019 --> 00:23:42,589
And I was like, ran home and like,
shit, this is like, probably like

392
00:23:42,589 --> 00:23:47,049
the biggest thing that I've ever
found, like some sort of like bypass.

393
00:23:47,834 --> 00:23:51,724
On there, like, because it was
on the, when you can look at

394
00:23:51,724 --> 00:23:53,704
like raw content of a file.

395
00:23:53,884 --> 00:23:56,039
Yeah, you can do that on GitHub
and the GitLab and whatever.

396
00:23:56,039 --> 00:23:59,644
You can click the raw and you just
see it as text/plain I guess.

397
00:24:00,144 --> 00:24:02,724
And I, I got home and I opened
my computer and I looked at

398
00:24:02,724 --> 00:24:04,254
it and it was just text again.

399
00:24:05,194 --> 00:24:06,634
Uh, so that was really disappointing.

400
00:24:06,634 --> 00:24:11,664
But I looked at my phone and it was
rendering at HTML and, uh, at that

401
00:24:11,784 --> 00:24:15,684
time it, it took a while for me to
figure out what's actually going on,

402
00:24:15,684 --> 00:24:17,934
but I had stumbled on a bug where.

403
00:24:19,759 --> 00:24:26,459
WebKit was actually like MIME
sniffing, which is an old concept when

404
00:24:26,469 --> 00:24:29,989
the browsers try to figure out what
sort of content you are providing.

405
00:24:30,029 --> 00:24:30,379
Yeah.

406
00:24:30,419 --> 00:24:32,819
So which usually happens when
there is no content type.

407
00:24:32,929 --> 00:24:33,519
Exactly.

408
00:24:34,179 --> 00:24:35,899
But the issue here with WebKit.

409
00:24:36,579 --> 00:24:37,509
On iOS.

410
00:24:37,749 --> 00:24:41,499
So like they have, uh, two different
branches for one, for uh, uh,

411
00:24:41,529 --> 00:24:43,299
the desktop and one for iOS.

412
00:24:43,899 --> 00:24:45,809
And, um, yeah.

413
00:24:45,809 --> 00:24:47,969
So for some reason they
were MIME sniffing.

414
00:24:47,969 --> 00:24:55,279
Even if you served text/plain, if you
had like an a dot, like an extension

415
00:24:55,279 --> 00:24:59,509
of XML or SVG or whatever, or JPG
or like, yeah, you could serve

416
00:24:59,599 --> 00:25:01,129
whatever sort of content you wanted.

417
00:25:01,489 --> 00:25:01,579
Oh,

418
00:25:01,579 --> 00:25:02,899
it worked for an extension?

419
00:25:02,899 --> 00:25:03,291
Yeah, yeah, yeah.

420
00:25:03,349 --> 00:25:05,059
Oh, so you could serve just x remote.

421
00:25:05,249 --> 00:25:09,229
No, you could serve anything as long,
so it will, it would first look at

422
00:25:09,229 --> 00:25:12,829
the extension of the name or the path.

423
00:25:13,584 --> 00:25:18,254
And then it would look at the name
in the content disposition, I think.

424
00:25:18,634 --> 00:25:24,784
So even if that was like XML,
and then it would look at the

425
00:25:25,014 --> 00:25:27,664
content or something like that.

426
00:25:27,944 --> 00:25:29,184
It was really messed up.

427
00:25:31,404 --> 00:25:36,539
And I had some fun with it because,
Apparently, it worked on GitLab.

428
00:25:36,539 --> 00:25:41,419
I didn't really manage to bypass CSP fully
because you're still restricted by CSP,

429
00:25:42,769 --> 00:25:48,219
but on the self hosted one, you could
get access and on GitLab, I could manage

430
00:25:48,219 --> 00:25:50,329
to do some like click jacking, yeah.

431
00:25:50,799 --> 00:25:55,509
Uh, CSRF thing to actually do things
because you could render and also you

432
00:25:55,509 --> 00:25:57,269
could render like a login screen and

433
00:25:57,499 --> 00:25:59,319
yeah, I think that that was in the report.

434
00:25:59,409 --> 00:26:00,249
Yeah, exactly.

435
00:26:00,539 --> 00:26:04,449
You, that was form SRC and HTTPS URL.

436
00:26:04,689 --> 00:26:08,499
So I think you created the login
form to your website Exactly,

437
00:26:08,499 --> 00:26:09,459
which would be auto-filled.

438
00:26:09,459 --> 00:26:13,659
So if the user clicks the button
or is, is somehow click jacked,

439
00:26:15,299 --> 00:26:18,749
it also, actually also send it
back to get the 2FA code as well.

440
00:26:18,809 --> 00:26:20,484
I built this whole, okay, nice.

441
00:26:20,724 --> 00:26:24,209
PoC so you have like two SVG
files, one for the getting the

442
00:26:24,209 --> 00:26:26,884
passwords and one for the code.

443
00:26:27,129 --> 00:26:29,679
And everything was like
loaded on the GitLab page.

444
00:26:29,764 --> 00:26:33,159
I, I had a lot of fun with it, but
uh, in the end it didn't really.

445
00:26:33,609 --> 00:26:36,899
Uh, pay that much, but, uh, it was,

446
00:26:37,599 --> 00:26:40,009
so you reported it both to
GitLab and to Apple as well.

447
00:26:40,209 --> 00:26:41,429
Yeah, exactly.

448
00:26:41,589 --> 00:26:47,279
Uh, and, uh, actually I also
reported it to Chrome because

449
00:26:47,299 --> 00:26:49,259
it worked on Chrome on iOS.

450
00:26:49,709 --> 00:26:50,059
Okay.

451
00:26:50,079 --> 00:26:57,769
Which is sort of a bug bounty hack, uh,
that they sometimes, uh, uh, step in and

452
00:26:57,789 --> 00:27:03,269
like push for changes, uh, because they
are forced to use WebKit on iOS, but,

453
00:27:03,349 --> 00:27:08,899
uh, you can, uh, because Apple, they don't
really pay for those kinds of issues.

454
00:27:08,899 --> 00:27:09,239
Yeah.

455
00:27:09,799 --> 00:27:11,019
So you didn't get paid from Apple?

456
00:27:11,049 --> 00:27:11,369
No.

457
00:27:11,939 --> 00:27:13,589
Uh, but Chrome paid me some.

458
00:27:13,590 --> 00:27:15,314
That's

459
00:27:15,314 --> 00:27:17,039
good.

460
00:27:17,039 --> 00:27:17,369
That's weird.

461
00:27:17,799 --> 00:27:18,179
Yeah.

462
00:27:18,179 --> 00:27:18,819
That's strange.

463
00:27:19,034 --> 00:27:23,594
And then I was like a year ago or
something, I was actually gonna write to

464
00:27:23,614 --> 00:27:25,864
like a blog post about this whole thing.

465
00:27:26,164 --> 00:27:30,134
And then when I was like testing
my payloads, I found a bypass to

466
00:27:30,134 --> 00:27:34,389
it because they had only fixed like
some of these extensions, but, and I

467
00:27:34,419 --> 00:27:40,079
think that I had left, for example,
XHTML for some reason, they were

468
00:27:40,079 --> 00:27:41,799
still like MIME sniffing that bug.

469
00:27:42,949 --> 00:27:48,469
So today, is XHTML at all helpful in
terms of not looking for browser

470
00:27:48,469 --> 00:27:50,569
bugs, but bugs in websites?

471
00:27:52,379 --> 00:27:53,509
Not really.

472
00:27:53,509 --> 00:27:59,069
I guess there are like lists
out there of type of files that

473
00:27:59,099 --> 00:28:01,179
will allow you to render HTML.

474
00:28:01,419 --> 00:28:01,729
Yeah.

475
00:28:01,789 --> 00:28:03,049
And that's one of them.

476
00:28:03,149 --> 00:28:04,309
And SVG is another one.

477
00:28:04,309 --> 00:28:06,029
And there are

478
00:28:06,029 --> 00:28:11,939
some. So it's useful if there
is a block list of extensions.

479
00:28:11,999 --> 00:28:12,849
Yeah, sort of.

480
00:28:12,850 --> 00:28:14,849
If they look like HTML files

481
00:28:15,099 --> 00:28:18,034
or whatever and you can get HTML in there.

482
00:28:18,424 --> 00:28:18,724
Yeah.

483
00:28:18,814 --> 00:28:23,614
Uh, otherwise it's just, uh, uh,
harder to work with HTML because

484
00:28:23,614 --> 00:28:25,114
you have to be strict to the

485
00:28:26,144 --> 00:28:26,444
Yeah.

486
00:28:26,444 --> 00:28:26,474
Uh,

487
00:28:27,314 --> 00:28:28,244
XML standards.

488
00:28:28,544 --> 00:28:29,054
Yeah.

489
00:28:29,564 --> 00:28:34,064
I had the, the case recently, which
makes less sense than your example.

490
00:28:34,504 --> 00:28:39,334
'cause I was testing a website,
um, and I could go through

491
00:28:39,334 --> 00:28:41,914
the re and I, I wanted to.

492
00:28:42,609 --> 00:28:45,969
Connect my TikTok account with
like the real account, which has

493
00:28:45,979 --> 00:28:49,319
followers because I needed to pass some
thresholds for some stuff, something.

494
00:28:50,619 --> 00:28:56,119
And as the testing browser, I use any
Chromium based browsers as my personal

495
00:28:56,159 --> 00:29:01,289
browser, I use Safari, uh, which I know is
insecure and I shouldn't do it, but I like

496
00:29:01,290 --> 00:29:02,489
it.

497
00:29:02,709 --> 00:29:07,969
And I realized that I can go through
the flow, uh, like register on the

498
00:29:07,969 --> 00:29:12,059
website without confirming the email
if I go through the particular flow.

499
00:29:12,709 --> 00:29:16,129
So then I was trying to reproduce
this in a Chromium based browser.

500
00:29:16,149 --> 00:29:16,919
It didn't work.

501
00:29:17,279 --> 00:29:19,109
Of course, it took me
a while to figure out.

502
00:29:19,589 --> 00:29:23,679
And for some reason, in Uh, I don't
think it's a client side thing.

503
00:29:23,679 --> 00:29:25,629
It's like a server side profiling.

504
00:29:25,899 --> 00:29:28,419
It allows me to go through
the registration without

505
00:29:28,539 --> 00:29:30,249
confirming the email on Safari.

506
00:29:30,919 --> 00:29:32,069
Not on other browsers.

507
00:29:32,849 --> 00:29:37,519
I like limited all the other variables
and I guess they just have, you

508
00:29:37,519 --> 00:29:39,634
know, different flows for different.

509
00:29:39,939 --> 00:29:41,660
Yeah.

510
00:29:42,394 --> 00:29:43,424
It was, it was fun.

511
00:29:43,904 --> 00:29:47,914
I mean, that's one of the fun things
with the browser, looking for browser

512
00:29:47,954 --> 00:29:52,794
quirks and bugs is that you have, at
least you have three big targets and

513
00:29:52,804 --> 00:29:54,744
they behave differently sometimes.

514
00:29:54,794 --> 00:29:56,464
And so you always have this like.

515
00:29:57,240 --> 00:30:00,710
Uh, yeah, you can test it and it's
pretty fun trying to find these

516
00:30:00,710 --> 00:30:02,160
like discrepancies between them.

517
00:30:02,770 --> 00:30:09,680
And I don't know, uh, so one thing that
actually came out of this, I made a small

518
00:30:09,750 --> 00:30:16,249
challenge, uh, a web challenge thing
that I sometimes post on my social media.

519
00:30:16,700 --> 00:30:19,350
Uh, I'm moving a bit more to Bluesky.

520
00:30:19,780 --> 00:30:26,810
Uh, then, uh, Twitter at the moment,
but I made one that was, uh, it was

521
00:30:26,850 --> 00:30:30,509
related to this XML XHTML thing.

522
00:30:31,109 --> 00:30:33,930
Uh, I don't remember, really
remember what I was trying to do.

523
00:30:33,930 --> 00:30:34,789
I think it was.

524
00:30:35,215 --> 00:30:39,855
It's like filtering a lot of things
that you could then in HTML, you could

525
00:30:40,285 --> 00:30:43,015
like bypass it by using like namespaces.

526
00:30:43,015 --> 00:30:50,205
So you could like prepend all of the
HTML tags with like X colon and then the

527
00:30:50,275 --> 00:30:54,705
release and you can like create this like
fake HTML that could bypass something.

528
00:30:55,085 --> 00:30:59,855
And then a lot of people sent in
solutions where you can use this.

529
00:30:59,870 --> 00:31:05,920
It's in XML, uh, which is also connecting
to SAML because SAML is also XML.

530
00:31:05,920 --> 00:31:11,860
So they also have this, uh, idea of
like some sort of like transformers.

531
00:31:11,870 --> 00:31:15,939
So like tags that transform
the own, the document.

532
00:31:16,805 --> 00:31:22,625
Um, maybe connected to like XXE
things as well, but you can like

533
00:31:22,635 --> 00:31:24,665
transform the document in place.

534
00:31:24,715 --> 00:31:30,225
Like when it's rendering, some people
like managed to bypass my sanitation by

535
00:31:30,225 --> 00:31:32,915
like transforming the document in place.

536
00:31:33,604 --> 00:31:35,935
And there's definitely
something that you could.

537
00:31:36,875 --> 00:31:41,095
There's things to learn there that
could potentially do something.

538
00:31:42,315 --> 00:31:45,145
So that was, uh, yeah, so maybe
there is something to them,

539
00:31:45,375 --> 00:31:46,814
uh, that you can still use.

540
00:31:47,534 --> 00:31:47,984
Yeah.

541
00:31:48,034 --> 00:31:48,294
Yeah.

542
00:31:48,755 --> 00:31:52,595
I feel like a lot of the browser
challenges, even though they are

543
00:31:52,595 --> 00:31:56,884
made by people like you, who know a
lot about the client side security,

544
00:31:57,274 --> 00:32:00,715
still, they often have unintended
solutions because of things like this.

545
00:32:00,735 --> 00:32:03,675
So it just shows you how
complex the client side is.

546
00:32:04,305 --> 00:32:04,605
Yeah.

547
00:32:05,755 --> 00:32:08,115
Speaking of these challenges, how often.

548
00:32:08,915 --> 00:32:12,945
Or maybe, which features of these
challenges, where you have like limited

549
00:32:12,975 --> 00:32:18,065
charsets or strange CSP, which of these
things you use in those challenges

550
00:32:18,405 --> 00:32:21,774
are the most useful in real life bugs?

551
00:32:22,575 --> 00:32:29,510
So, I have actually, this year, I
think I've used like three or four,

552
00:32:29,790 --> 00:32:37,310
like really strange browser quirks in,
uh, like escalations of, uh, client

553
00:32:37,320 --> 00:32:43,189
side bugs that some things that I've,
I thought like I would never probably

554
00:32:43,190 --> 00:32:48,390
be like be able to use this or like,
why, why would I ever have to use this?

555
00:32:48,430 --> 00:32:52,550
But then I found myself in like a corner
where the only way to get out was like

556
00:32:52,560 --> 00:32:54,200
using one of these like strange gadgets.

557
00:32:55,170 --> 00:32:57,010
And that's what I find.

558
00:32:57,825 --> 00:33:03,335
So a lot of time when I do my small
challenges things, it's one way to get,

559
00:33:03,345 --> 00:33:06,704
like, I like the interaction between
these, like, really smart people.

560
00:33:06,705 --> 00:33:10,465
They're always like, it's
sort of like a fishing thing.

561
00:33:10,504 --> 00:33:14,975
They send you like really smart payloads
so you can learn a lot from these

562
00:33:14,995 --> 00:33:17,185
really like super talented people.

563
00:33:17,645 --> 00:33:22,320
But um, it's also often they are
like based in something that I have

564
00:33:22,370 --> 00:33:24,840
encountered on the real target.

565
00:33:25,260 --> 00:33:30,249
And then I just tweak it to
like fit whatever I, either

566
00:33:30,249 --> 00:33:31,659
what I found interesting.

567
00:33:31,659 --> 00:33:34,980
So instead of like doing a blog
post or whatever, I do a small

568
00:33:34,980 --> 00:33:38,250
challenge so that people can like
get the experience of finding.

569
00:33:38,400 --> 00:33:42,250
Um, something themself, which is
sometimes like more useful than

570
00:33:42,640 --> 00:33:45,110
reading about what someone has done.

571
00:33:45,700 --> 00:33:49,980
Uh, but then also some, I made a
challenge recently that was more

572
00:33:49,980 --> 00:33:52,239
like an open ended research thing.

573
00:33:52,250 --> 00:33:55,600
I don't know if you saw it, but like
you, you were supposed to like try

574
00:33:55,600 --> 00:33:57,239
to get like the smallest payload.

575
00:33:57,400 --> 00:33:57,680
Yeah.

576
00:33:57,680 --> 00:33:58,750
So I could like fetch.

577
00:33:59,475 --> 00:34:00,775
A script and execute it.

578
00:34:01,525 --> 00:34:05,655
And that was more like a research
question, like I didn't really have

579
00:34:05,695 --> 00:34:10,215
time to do too much on it myself.

580
00:34:10,295 --> 00:34:15,454
I did enough to use it on a real target,
but then it was like this thought,

581
00:34:15,454 --> 00:34:17,294
like, how small could you make this?

582
00:34:18,025 --> 00:34:21,685
And it was really fun to see all
these people, uh, come together

583
00:34:21,685 --> 00:34:23,565
and try to like break it down.

584
00:34:23,565 --> 00:34:28,044
And then they also found like,
uh, mistakes by me in my actual

585
00:34:28,044 --> 00:34:32,175
challenge, abused it to make it
even smaller and stuff like that.

586
00:34:32,815 --> 00:34:33,414
It's really fun.

587
00:34:33,494 --> 00:34:33,734
Yeah.

588
00:34:33,755 --> 00:34:37,644
So what were the other gadgets that you
used in your life that you didn't expect?

589
00:34:38,614 --> 00:34:43,184
So I guess some of them I still keep as.

590
00:34:43,660 --> 00:34:44,230
Yeah, of course.

591
00:34:45,420 --> 00:34:48,550
There's also like one change from
becoming like full time hunter.

592
00:34:48,580 --> 00:34:54,540
You kind of have to start to build
your own toolbox of things that

593
00:34:54,580 --> 00:34:59,549
you, uh, that you can become like
good at and that you can bring

594
00:35:00,610 --> 00:35:02,560
forward when you need it, I guess.

595
00:35:03,800 --> 00:35:11,439
But I had one really fun one that
I got to use together with Matan.

596
00:35:11,440 --> 00:35:11,820
That's a good

597
00:35:11,910 --> 00:35:12,320
call up story.

598
00:35:14,600 --> 00:35:18,889
We have had some good, he found
some fun things on GitLab that we

599
00:35:18,889 --> 00:35:23,130
have then collaborated on, like
taking them a bit further and doing

600
00:35:23,130 --> 00:35:25,510
some bypasses and things like that.

601
00:35:26,155 --> 00:35:31,495
Uh, but we had one situation when we, and
that's like, and then this is really a

602
00:35:32,735 --> 00:35:41,095
quirk and a niche, but we could, we were
stuck in a web worker, which is a, like

603
00:35:41,095 --> 00:35:48,415
a thread in, uh, like an execution thread
of JavaScript, but we needed to get to

604
00:35:48,415 --> 00:35:53,055
a service worker, which is another sort
of web worker, but the service worker

605
00:35:53,055 --> 00:35:55,595
is more like in control of navigation.

606
00:35:55,605 --> 00:35:55,635
And.

607
00:35:56,385 --> 00:36:00,205
You can use a service worker to
like control what sort of content is

608
00:36:00,215 --> 00:36:02,315
served to the application and so on.

609
00:36:02,645 --> 00:36:06,575
And then you usually you
cannot really make that switch.

610
00:36:07,195 --> 00:36:12,914
But for some reason, if you go to MDN
and look at the description of web

611
00:36:12,914 --> 00:36:20,375
workers, you can actually see that
like there's one green box on like that

612
00:36:20,375 --> 00:36:27,395
you can access the service worker, um,
functionality or API from a web worker.

613
00:36:27,705 --> 00:36:31,345
And then it's just like green on
Safari, which is like super strange.

614
00:36:31,434 --> 00:36:35,914
All of the other browsers have like,
uh, close this off, like for a long time

615
00:36:35,914 --> 00:36:39,955
ago, like you cannot touch or create a
service worker from a web worker.

616
00:36:40,445 --> 00:36:43,295
But, uh, for some reason,
Safari allows this.

617
00:36:43,655 --> 00:36:43,935
Yeah.

618
00:36:43,945 --> 00:36:48,295
So we were, and when, so yeah, we
found that and we managed to like.

619
00:36:48,740 --> 00:36:49,580
make the jump.

620
00:36:49,990 --> 00:36:53,120
If someone was using Safari, you
could make this jump and that could

621
00:36:53,340 --> 00:36:58,229
finish our chain that would, it was
like a big chain of like random stuff.

622
00:36:58,270 --> 00:37:01,509
But I was really, really happy
that we managed to use this like

623
00:37:01,779 --> 00:37:06,519
forgotten, I guess, uh, feature
that I don't see any use for it.

624
00:37:06,520 --> 00:37:07,920
I have no idea why it's still there.

625
00:37:08,805 --> 00:37:13,245
And it's also like documented, so
it's not a bug or whatever, it's a

626
00:37:14,325 --> 00:37:16,055
That's why I'm saying
I shouldn't use Safari.

627
00:37:16,055 --> 00:37:17,680
Yeah.

628
00:37:18,835 --> 00:37:20,645
But it is well integrated, what can I do?

629
00:37:20,674 --> 00:37:21,745
I can't help myself.

630
00:37:24,325 --> 00:37:26,235
How about content security policy?

631
00:37:26,354 --> 00:37:30,215
What do you do when you have
the XSS or HTML injection?

632
00:37:30,695 --> 00:37:34,985
And there is CSP, what's your
first What do you first look at?

633
00:37:35,395 --> 00:37:40,925
Yeah, I don't remember if I, when we
spoke two years ago, if I was already,

634
00:37:41,755 --> 00:37:46,045
uh, deeply invested in, uh, CSP bypasses,

635
00:37:46,495 --> 00:37:47,105
I don't think

636
00:37:47,555 --> 00:37:50,185
so, but it's, it's become
one of those things.

637
00:37:50,215 --> 00:37:54,475
I really enjoy it just as I
enjoy cross site scripting,

638
00:37:54,605 --> 00:37:57,695
which I find to be like a puzzle.

639
00:37:57,765 --> 00:38:03,255
Like I, I enjoy it in the same way as
like solving Sudokus or puzzles or

640
00:38:03,255 --> 00:38:09,345
crosswords. Uh, and the CSP bypasses
a lot of times can be like, it's like

641
00:38:09,345 --> 00:38:14,645
an extension of cross site scripting
and something that you can, uh, prove.

642
00:38:15,275 --> 00:38:21,075
I like it way more than WAF bypasses
like web application firewalls.

643
00:38:21,325 --> 00:38:27,955
Those to me feel very random and
strange and you cannot really use them.

644
00:38:28,390 --> 00:38:33,010
I mean, you can use logic against them,
but they don't really interest me because

645
00:38:33,010 --> 00:38:38,620
they're very like, they're specific
for the application and they are like,

646
00:38:39,850 --> 00:38:46,809
you, you have to throw like ugly things
at it while a CSP bypass is often more

647
00:38:46,810 --> 00:38:50,909
beautiful because you're bending the
rules and you're like finding these

648
00:38:50,929 --> 00:38:53,850
gadgets and things to, to get passive.

649
00:38:55,580 --> 00:38:56,569
So yeah, I don't know.

650
00:38:56,569 --> 00:38:56,839
I don't know.

651
00:38:57,180 --> 00:39:01,910
And the only, the way to do it
is of course, just like the, the

652
00:39:01,920 --> 00:39:04,450
holy grail is to get a full XSS.

653
00:39:05,340 --> 00:39:09,739
So you have to first go to like script
source and see whatever they allow there.

654
00:39:09,800 --> 00:39:12,799
And if it's too hard, maybe
you cannot do anything.

655
00:39:13,100 --> 00:39:15,575
And then you can start looking at,
so like what sort of like loose,

656
00:39:15,575 --> 00:39:19,360
you know, like, um, uh, HTML things.

657
00:39:19,390 --> 00:39:23,660
Can you do, can you do like form
injections and, uh, form actions

658
00:39:23,660 --> 00:39:27,020
or base tag, uh, take over the
base tag and stuff like that.

659
00:39:27,760 --> 00:39:31,490
So we covered, you can do the form
to your website if it's possible.

660
00:39:31,499 --> 00:39:32,260
Yeah, exactly.

661
00:39:32,400 --> 00:39:35,449
You need the, the, the
form SRC or form action.

662
00:39:35,469 --> 00:39:36,939
Is that what controls this?

663
00:39:36,940 --> 00:39:37,489
Yeah.

664
00:39:37,490 --> 00:39:38,140
Form action.

665
00:39:38,520 --> 00:39:42,170
Um, and it's, so the, the, the
thing with that one is that it's

666
00:39:42,180 --> 00:39:44,659
not covered by default source.

667
00:39:44,660 --> 00:39:44,689
Yeah.

668
00:39:44,690 --> 00:39:44,919
Yeah.

669
00:39:44,919 --> 00:39:45,369
That's important.

670
00:39:45,400 --> 00:39:47,010
And the same with the base.

671
00:39:47,715 --> 00:39:47,955
Yeah.

672
00:39:48,495 --> 00:39:52,615
So base and form are like outside of that
default, because the default is usually

673
00:39:52,615 --> 00:39:55,305
set to something like none or self.

674
00:39:56,355 --> 00:40:01,375
So if you cannot execute JS, these are
the sort of two things that you look at.

675
00:40:01,925 --> 00:40:02,375
Yeah.

676
00:40:02,555 --> 00:40:08,055
Uh, but then also for the JavaScript, like
if they have a white list, you of course

677
00:40:08,055 --> 00:40:11,085
go and look for like script gadget things.

678
00:40:11,655 --> 00:40:17,025
And, uh, speaking of like gadgets that
I've been able to use, like just this

679
00:40:17,025 --> 00:40:22,295
past year, I've been able to use the,
this trick where you, you have a white

680
00:40:22,295 --> 00:40:28,135
listed domain with a path, but then if
you hit like a redirect on that path.

681
00:40:28,840 --> 00:40:34,970
Then you're allowed to hit, uh, or like
load code that is like from the base.

682
00:40:35,230 --> 00:40:35,540
Oh,

683
00:40:36,220 --> 00:40:36,690
okay.

684
00:40:36,710 --> 00:40:40,240
So after the redirect, any path
will be ignored and they will

685
00:40:40,250 --> 00:40:45,539
only look at the base URL of
each of your whitelisted objects.

686
00:40:46,420 --> 00:40:47,290
So wait again.

687
00:40:47,349 --> 00:40:48,650
So you have some, some path.

688
00:40:49,305 --> 00:40:54,245
In the CSP and the resource should
start with this path, but then if under

689
00:40:54,245 --> 00:40:59,395
this part, there's a redirect, you are
allowed to do anything on the same host.

690
00:40:59,555 --> 00:41:00,235
Yeah, exactly.

691
00:41:00,305 --> 00:41:00,695
Okay,

692
00:41:00,935 --> 00:41:04,455
that's interesting that there is a
validation but only to the host, no?

693
00:41:04,545 --> 00:41:10,334
Yeah, and I think one thing that a
lot of might miss there is that you

694
00:41:10,334 --> 00:41:16,115
can also like, After the redirect,
the path requirement is removed

695
00:41:16,115 --> 00:41:20,295
from like everything on the CSP.

696
00:41:20,325 --> 00:41:24,225
I guess you can actually start to look
again on like these other ones as well.

697
00:41:24,874 --> 00:41:25,384
Okay.

698
00:41:25,824 --> 00:41:28,815
Like whatever, what, so
for example, the frame.

699
00:41:29,765 --> 00:41:34,495
Source, like whatever you can frame,
uh, you might find something there

700
00:41:34,495 --> 00:41:40,555
that they are allowing you to frame
like slash, uh, assets slash whatever.

701
00:41:40,905 --> 00:41:45,194
But if you can redirect that, you can all
of a sudden frame things from the base.

702
00:41:45,410 --> 00:41:50,630
Uh, so that I've been able to use in
like these sort of like click jacking

703
00:41:50,630 --> 00:41:55,939
scenarios where they maybe allow you to
frame something, but then you can frame

704
00:41:55,940 --> 00:42:00,350
something that is, uh, much more dangerous
because it's like on the default.

705
00:42:00,940 --> 00:42:01,290
Yeah.

706
00:42:01,320 --> 00:42:05,250
And I believe still the Chrome
password manager autofills

707
00:42:06,010 --> 00:42:08,900
the password inside the iframe,
even if it's different origin?

708
00:42:10,440 --> 00:42:13,700
I don't think it's, if it's different
origin, I don't think it does it anymore.

709
00:42:13,760 --> 00:42:14,020
Okay.

710
00:42:14,060 --> 00:42:16,130
I think it does it if it's sandboxed then.

711
00:42:16,660 --> 00:42:17,060
Maybe.

712
00:42:17,120 --> 00:42:18,730
Because I think we had this case.

713
00:42:19,050 --> 00:42:21,100
Um, okay.

714
00:42:21,199 --> 00:42:21,479
Yeah.

715
00:42:21,910 --> 00:42:22,990
There's something with this.

716
00:42:23,640 --> 00:42:24,180
It's a flip.

717
00:42:24,660 --> 00:42:30,185
I've seen things like that as well,
but uh, I think that's really, it's

718
00:42:30,185 --> 00:42:33,755
important to keep in mind that there
are more parts to the CSP as well.

719
00:42:33,955 --> 00:42:34,215
Yeah.

720
00:42:34,235 --> 00:42:37,815
So it's like the script is one thing, but
you can do other fun things like framing

721
00:42:37,815 --> 00:42:39,375
and things that could be dangerous.

722
00:42:40,154 --> 00:42:45,694
How to, let's say you have some custom
JavaScript that's whitelisted as a

723
00:42:45,695 --> 00:42:51,745
script SRC, and it has, I don't know,
thousands of lines after beautifying.

724
00:42:52,285 --> 00:42:57,254
How would you start even looking for
a, for a gadget to exploit to, to,

725
00:42:57,255 --> 00:43:02,285
to be able to escalate your, your
access to, to execute JS through this.

726
00:43:02,760 --> 00:43:03,779
Yeah,

727
00:43:04,285 --> 00:43:05,135
I don't know.

728
00:43:05,135 --> 00:43:08,484
I haven't really been in that
situation too many times, I guess.

729
00:43:08,514 --> 00:43:14,265
Like a lot of the, for some reason,
the big companies actually have

730
00:43:14,275 --> 00:43:16,815
their like source maps out there.

731
00:43:16,905 --> 00:43:22,235
So you can see it, uh, where I've
been hunting GitHub and you can

732
00:43:22,235 --> 00:43:23,265
actually see what's going on.

733
00:43:23,555 --> 00:43:29,020
But otherwise, I mean, that's one of
the things that you get, uh, not for

734
00:43:29,020 --> 00:43:31,180
free, but what that, uh, like a bonus.

735
00:43:31,635 --> 00:43:37,115
For spending a lot of time on, um, one
target or like a couple of targets is that

736
00:43:37,135 --> 00:43:42,965
you, you find these things and then you
can keep them in your notes, for example,

737
00:43:46,415 --> 00:43:50,355
because I think you use the same
GitLab CSP bypass a few times at least.

738
00:43:50,485 --> 00:43:53,875
No, because I think there was the
same bypass that kind of everyone knew

739
00:43:53,875 --> 00:43:56,625
about and people used it for years.

740
00:43:56,945 --> 00:43:57,345
Yeah.

741
00:43:57,695 --> 00:44:01,954
Uh, there's been a few of
them, uh, they've been starting

742
00:44:01,955 --> 00:44:03,595
to close off more and more

743
00:44:04,195 --> 00:44:05,185
it's not good for you, is it

744
00:44:06,655 --> 00:44:10,795
but there's still, there's still ways to,
to get around it and depending on what

745
00:44:10,795 --> 00:44:13,635
you can, uh, what you can inject or not.

746
00:44:13,845 --> 00:44:20,755
So, and I mean, it also adds,
even if it's boring, that when

747
00:44:20,755 --> 00:44:23,785
they remove them, it also adds to
the game that you have to find.

748
00:44:24,860 --> 00:44:25,160
Yeah.

749
00:44:25,270 --> 00:44:30,319
And when you find a new one, you're,
you get really happy about that as well.

750
00:44:30,320 --> 00:44:34,299
What other client side bugs are
you, are you finding apart from XSS?

751
00:44:35,159 --> 00:44:42,210
Something that I've been, uh, also have
had quite like a surprising amount of,

752
00:44:42,239 --> 00:44:46,250
uh, success with is, uh, DOM clobbering.

753
00:44:46,710 --> 00:44:47,250
Okay.

754
00:44:47,520 --> 00:44:48,710
As, uh, I'm not.

755
00:44:49,155 --> 00:44:56,805
On its own, but like as a part of a
chain or a gadget or whatever, um, it's

756
00:44:56,855 --> 00:45:03,174
actually way more useful than you like
initially think just to be able to,

757
00:45:03,975 --> 00:45:10,465
for example, on, I had one bug on, uh,
Gmail, it was sort of a combination.

758
00:45:11,350 --> 00:45:16,970
The worst kind of in bug bounties
when you mix programs, which ends up

759
00:45:17,030 --> 00:45:19,340
that no one really wants to award you.

760
00:45:20,910 --> 00:45:26,720
So it was a combination of like, you can
in emails, of course, you can send HTML.

761
00:45:26,750 --> 00:45:30,450
That's why it looks so beautiful
and you can send forms.

762
00:45:31,105 --> 00:45:37,305
If you want to, and some email
clients will actually render

763
00:45:37,315 --> 00:45:38,685
these forms in different ways.

764
00:45:39,545 --> 00:45:42,965
And they will do some
sanitation and stuff like that.

765
00:45:43,685 --> 00:45:48,614
But Gmail, for example, will actually
render the complete form with form.

766
00:45:48,654 --> 00:45:53,505
It will change the password
fields to text fields.

767
00:45:54,825 --> 00:45:58,705
So they will be of type text, but it
will have the whole form and everything.

768
00:45:59,215 --> 00:46:03,715
Uh, and if you click submit, it will
pop up a warning saying like, you're

769
00:46:03,715 --> 00:46:06,635
submitting things to an external page.

770
00:46:06,645 --> 00:46:07,795
Do you really want to do this?

771
00:46:08,145 --> 00:46:09,335
And you click no.

772
00:46:10,035 --> 00:46:14,585
Uh, so I, I found a bug, uh, using.

773
00:46:14,985 --> 00:46:18,884
There was a couple of, uh, password
managers that could do like auto

774
00:46:18,884 --> 00:46:24,215
filling and they don't really care about
whether it's a password field or not.

775
00:46:24,705 --> 00:46:25,645
They're really like.

776
00:46:26,310 --> 00:46:30,470
Uh, happy to fill whatever, like
if you give it a name, a password

777
00:46:30,840 --> 00:46:34,669
and not the type password, a lot of
them will fill it anyway in plain

778
00:46:34,669 --> 00:46:35,970
text, which is really strange.

779
00:46:36,440 --> 00:46:38,700
Uh, but they will do it.

780
00:46:38,749 --> 00:46:43,630
And I also found a way to trick
some of these password managers

781
00:46:43,660 --> 00:46:45,259
to actually auto submit it.

782
00:46:45,660 --> 00:46:50,160
If you put the text field inside
of the submit button, because they

783
00:46:50,160 --> 00:46:54,590
will actually to, because they want
to pretend that they are human.

784
00:46:55,230 --> 00:46:58,889
So they will actually send like
a click action to the form field.

785
00:46:59,849 --> 00:47:04,530
And if that is inside of the submit
button, the button will, the event

786
00:47:04,550 --> 00:47:07,700
will propagate up to the button
and it will click it and submit it.

787
00:47:08,330 --> 00:47:09,070
So you have like.

788
00:47:09,515 --> 00:47:12,755
Login field, a normal password
field, and another password

789
00:47:12,755 --> 00:47:13,955
field inside of the button.

790
00:47:14,305 --> 00:47:17,045
Yeah, or the password field that
they want, because they will fill

791
00:47:17,045 --> 00:47:19,725
it first, and then they will trigger
the Oh yeah, yeah, okay, so you're

792
00:47:19,725 --> 00:47:20,864
saying the key to react, correct.

793
00:47:20,865 --> 00:47:28,325
Uh, and I tried to submit that, but the,
the, the, the password, uh, uh, storage

794
00:47:28,355 --> 00:47:31,845
companies are like, I don't know their
threat models, it's really strange,

795
00:47:31,845 --> 00:47:33,275
they don't care about things like that.

796
00:47:33,445 --> 00:47:35,995
Yeah, I'm not having a good time with

797
00:47:36,390 --> 00:47:41,600
But so I, so that was like one sort of
a bug that I, I felt like it was a bit

798
00:47:41,620 --> 00:47:46,630
strange that this one password manager
did actually allow you to autofill.

799
00:47:47,010 --> 00:47:50,750
When you open an email, you had a
form in Gmail and it would autofill

800
00:47:50,750 --> 00:47:54,819
your Gmail credentials because as
you said, they will look at just

801
00:47:54,830 --> 00:47:57,930
like Google, uh, or whatever, like,

802
00:47:58,170 --> 00:47:58,490
yeah,

803
00:47:59,800 --> 00:48:00,130
Yeah.

804
00:48:00,280 --> 00:48:01,420
And, uh, and top,

805
00:48:01,840 --> 00:48:02,350
top window.

806
00:48:02,410 --> 00:48:02,830
Exactly.

807
00:48:02,830 --> 00:48:03,400
And so some

808
00:48:03,400 --> 00:48:08,140
people might have like the password saved
then on the Gmail, so it'll fill there and

809
00:48:08,140 --> 00:48:13,470
it'll click, but then you will get blocked
by this, uh, uh, Google protection thing.

810
00:48:13,560 --> 00:48:13,830
Yeah.

811
00:48:14,210 --> 00:48:17,840
And then I went into the source
code and, and found that this check

812
00:48:17,840 --> 00:48:21,890
they were doing was like, they found
the form element or like, they,

813
00:48:21,980 --> 00:48:24,290
they caught the, the submission.

814
00:48:24,700 --> 00:48:27,400
Uh, and then they looked at
the element and they did like.

815
00:48:27,770 --> 00:48:34,190
Element dot target, uh, equals
blank, like question mark.

816
00:48:34,760 --> 00:48:38,280
And one thing that they did was if you
put the form in there, they would put

817
00:48:38,329 --> 00:48:42,850
like target blank because they wanted this
thing to trigger Google when they rendered

818
00:48:42,850 --> 00:48:44,109
the form, they wanted it to trigger.

819
00:48:44,770 --> 00:48:51,980
Uh, but then I could use DOM
clobbering them to put, uh, to

820
00:48:51,990 --> 00:48:54,590
name one of these fields to target.

821
00:48:55,240 --> 00:48:57,880
So you have a form and inside
of the form you have an input

822
00:48:57,880 --> 00:48:59,360
field with the name target.

823
00:48:59,360 --> 00:48:59,429
That's it.

824
00:49:00,180 --> 00:49:04,790
And then if you have the element of the
form and you do dot target, you will

825
00:49:04,830 --> 00:49:09,280
get the input field and you will not get
the value of the target thing and the

826
00:49:09,409 --> 00:49:11,559
input field will not equal equal blank.

827
00:49:13,020 --> 00:49:20,480
So then you would skip the, so the
final, uh, POC was actually like, if

828
00:49:20,490 --> 00:49:24,740
you opened an email, your password
thing would autofill and submit it

829
00:49:24,770 --> 00:49:26,420
and you would lose your credentials.

830
00:49:26,759 --> 00:49:27,099
Yeah.

831
00:49:27,400 --> 00:49:28,110
That's a cool bug.

832
00:49:28,795 --> 00:49:29,615
For which nobody has paid.

833
00:49:29,615 --> 00:49:31,885
No, no, no.

834
00:49:32,065 --> 00:49:33,695
Google actually paid me for it.

835
00:49:33,705 --> 00:49:35,015
They paid me for the DOM clobbering.

836
00:49:35,015 --> 00:49:38,685
So that was like 1337 or whatever it is.

837
00:49:38,735 --> 00:49:39,724
They're like, yeah, that's cool.

838
00:49:41,344 --> 00:49:42,125
So that was really good.

839
00:49:42,235 --> 00:49:47,085
And I think that to be fair, I
think I got like 500 or something

840
00:49:47,085 --> 00:49:49,610
for the, from the password manager.

841
00:49:49,620 --> 00:49:49,990
Okay.

842
00:49:50,340 --> 00:49:51,850
So they did something.

843
00:49:52,220 --> 00:49:55,260
I don't really know what they
fixed, but they did something.

844
00:49:56,530 --> 00:50:00,160
But I thought it was, I mean,
the book, the bug, it looks

845
00:50:00,460 --> 00:50:02,560
much cooler than the payout.

846
00:50:02,560 --> 00:50:02,789
Yeah.

847
00:50:02,790 --> 00:50:03,170
Yeah.

848
00:50:03,319 --> 00:50:05,039
And it's a cool idea as well.

849
00:50:05,450 --> 00:50:08,439
I don't think I ever used DOM
clobbering on the reward targets.

850
00:50:08,960 --> 00:50:11,390
I feel like I see your bugs.

851
00:50:11,390 --> 00:50:12,520
I see Martin's bugs.

852
00:50:12,520 --> 00:50:16,531
I see all the client and I'm like,
Oh, I should spend more time on

853
00:50:16,531 --> 00:50:17,179
the client.

854
00:50:19,480 --> 00:50:22,090
Um, how about post message related bugs?

855
00:50:22,460 --> 00:50:22,900
Do you?

856
00:50:23,635 --> 00:50:26,835
Do you find a lot of stuff that,
that starts with a post message?

857
00:50:27,895 --> 00:50:31,015
I, I haven't actually
looked too much into it.

858
00:50:31,115 --> 00:50:38,255
Uh, I know that it's one of those fields
that are still like ripe with bugs.

859
00:50:38,744 --> 00:50:42,874
Uh, so like one of those like
untouched areas where there are, it

860
00:50:42,874 --> 00:50:44,625
seems at least to be bugs everywhere.

861
00:50:44,715 --> 00:50:48,725
But, uh, I haven't really spent
too much time on it, actually.

862
00:50:49,745 --> 00:50:51,485
Probably I should, but I

863
00:50:51,485 --> 00:50:51,755
feel the same

864
00:50:51,755 --> 00:50:53,779
way.

865
00:50:54,615 --> 00:50:58,545
Um, maybe client side prototype
pollution is the next one that

866
00:50:58,545 --> 00:51:00,305
I don't spend too much time on.

867
00:51:00,575 --> 00:51:01,674
Uh, yeah, yeah.

868
00:51:01,675 --> 00:51:05,075
So, so when you, when you asked
me, like, what sort of client side

869
00:51:05,085 --> 00:51:09,765
bugs I found, find these days, uh,
that was one that I thought about,

870
00:51:09,765 --> 00:51:11,925
but I have actually never found it.

871
00:51:12,670 --> 00:51:17,320
And it feels very strange and
niche to me that it should exist.

872
00:51:17,760 --> 00:51:22,910
I know that people sometimes
find them, um, but it's, yeah,

873
00:51:23,040 --> 00:51:26,849
it's, to me, it doesn't feel like
something that is like super common.

874
00:51:27,630 --> 00:51:32,459
So it's definitely more common to find as
something else that you mentioned, these

875
00:51:32,479 --> 00:51:34,700
like client side path traversal things.

876
00:51:34,910 --> 00:51:35,130
Yeah.

877
00:51:35,930 --> 00:51:39,100
Which was actually something
that I, I think I, I think you

878
00:51:39,110 --> 00:51:40,740
made a video of one of those.

879
00:51:40,800 --> 00:51:46,600
Yeah, my, my video was about your client
side path traversal in GitLab because I

880
00:51:46,600 --> 00:51:48,520
didn't see a real world example of this.

881
00:51:48,520 --> 00:51:52,100
And then we had the interview
and they told me you had, so

882
00:51:52,100 --> 00:51:53,600
then I covered it in the video.

883
00:51:53,900 --> 00:51:56,519
And I don't think there is
many public write ups about

884
00:51:56,519 --> 00:51:57,650
client side path traversals.

885
00:51:58,319 --> 00:52:01,580
No, I mean, there's been a
lot of discussions with it.

886
00:52:01,580 --> 00:52:05,759
And I think there's also been
a lot of tooling made recently.

887
00:52:05,770 --> 00:52:08,330
I haven't really used anything,
but I think that people have

888
00:52:08,340 --> 00:52:12,105
both, uh, like Caido plugins and

889
00:52:14,375 --> 00:52:16,515
extensions to Chrome and stuff like that.

890
00:52:16,655 --> 00:52:21,165
Yeah, I think the critical thinking guys
created the browser extension for it.

891
00:52:21,905 --> 00:52:26,875
For me, it's more, it's
more of a hierarchy.

892
00:52:27,575 --> 00:52:31,475
Like I think that the reason why I
haven't felt like I need to use it,

893
00:52:31,805 --> 00:52:35,485
it's the way I'm looking for these
kinds of bugs is usually on GitLab.

894
00:52:36,455 --> 00:52:42,154
Maybe I find a way, like a new way
of getting content into the app.

895
00:52:42,515 --> 00:52:47,295
So that's like where I start like,
okay, if I connect this piece here,

896
00:52:47,924 --> 00:52:50,814
it will render data over here.

897
00:52:51,554 --> 00:52:55,179
And then, so then I start from the
top, like, okay, I want it to set.

898
00:52:55,840 --> 00:52:57,470
And then like, okay, it doesn't work.

899
00:52:57,510 --> 00:53:00,350
Okay, then I want DOM
clobbering or whatever.

900
00:53:00,380 --> 00:53:03,180
I want to HTML injection
and then that doesn't work.

901
00:53:03,530 --> 00:53:08,070
And then I try like, Oh, maybe I can do a
client side path traversal or whatever.

902
00:53:08,119 --> 00:53:08,449
Yeah.

903
00:53:08,539 --> 00:53:13,959
And so it's more of a, I just go
through different bugs depending on the

904
00:53:13,969 --> 00:53:18,220
injection I have, like going from, I
found like a source and I tried to like.

905
00:53:18,705 --> 00:53:19,425
Do something with it.

906
00:53:19,725 --> 00:53:24,375
So I've, I've actually found a
few CSPT, uh, client side path

907
00:53:24,375 --> 00:53:27,305
traversals, uh, this year as well.

908
00:53:28,084 --> 00:53:32,965
Uh, they're a bit hard sometimes to,
if they only make, I found some that

909
00:53:32,975 --> 00:53:38,765
just made like a get, uh, request and
that makes it quite hard to exploit.

910
00:53:39,630 --> 00:53:47,210
Uh, I managed to show some impact
by again, like chaining it with, uh,

911
00:53:48,370 --> 00:53:53,720
as you hear, like there's a lot of
chaining of small things, but I managed

912
00:53:53,740 --> 00:54:01,249
to chain it with a redirect and yeah,
so, and so the, the get request.

913
00:54:01,735 --> 00:54:08,245
It was a GET request made by Fetch, so
it contained a CSRF token in a header.

914
00:54:08,515 --> 00:54:08,855
Yeah.

915
00:54:09,265 --> 00:54:13,874
And then if you redirect that
request, you would actually leak

916
00:54:13,935 --> 00:54:17,745
the CSRF token to your page.

917
00:54:17,875 --> 00:54:18,085
Yeah.

918
00:54:18,085 --> 00:54:20,035
And then you could redirect that again.

919
00:54:20,455 --> 00:54:26,855
Using the CSRF, so it kind of turns
into a CSRF, uh, all the way to

920
00:54:26,855 --> 00:54:30,345
run, or you can just wait for it
to like land on your domain and,

921
00:54:30,715 --> 00:54:34,835
Oh yeah, cause from your website
you can directly issue a redirect,

922
00:54:34,854 --> 00:54:36,684
which is already the CSRF request.

923
00:54:36,835 --> 00:54:37,644
Yeah, exactly.

924
00:54:37,695 --> 00:54:37,814
So

925
00:54:37,814 --> 00:54:40,104
there's never like top level
navigation to your website.

926
00:54:40,195 --> 00:54:44,885
No, or you could actually like leak it
and then make sure that the user ends up

927
00:54:44,905 --> 00:54:51,015
on your Domain somehow and you can see
it's a bit convoluted and it doesn't,

928
00:54:51,565 --> 00:54:56,705
uh, work all the time, but it was like
the best I could using a get request.

929
00:54:57,084 --> 00:55:00,595
Yeah, the best, but in, um,
many targets that would use not

930
00:55:00,635 --> 00:55:04,375
cookies, but some custom header
for authorization, the header would

931
00:55:04,385 --> 00:55:05,584
just be leaked to your website.

932
00:55:05,585 --> 00:55:10,680
Then you don't have to do anything.

933
00:55:11,965 --> 00:55:15,255
Have you had much success outside GitLab
with the client side path traversals?

934
00:55:15,660 --> 00:55:17,150
No, not really.

935
00:55:17,400 --> 00:55:22,310
Uh, I think it's a, it's a
bug to me at least how I work.

936
00:55:22,320 --> 00:55:26,500
It would be a bug that requires me
to like know the application deeply

937
00:55:26,700 --> 00:55:31,330
to know where to put it, to see where
like IDs are rendered or whatever.

938
00:55:31,880 --> 00:55:36,950
Uh, so I, I haven't really, the other work
I've done has not been related to that.

939
00:55:37,380 --> 00:55:37,650
Yeah.

940
00:55:37,670 --> 00:55:40,740
I have found a few, but
never a gadget to exploit.

941
00:55:41,580 --> 00:55:45,660
Once I had, uh, uh, I had the
client side path traversal and

942
00:55:45,760 --> 00:55:46,970
it was an open source stuff.

943
00:55:46,970 --> 00:55:50,260
So I was looking through all the,
all the get routes because it was

944
00:55:50,260 --> 00:55:53,930
a get based, all the get routes
that would make sense to chain it.

945
00:55:54,650 --> 00:55:57,950
And I found one that was actually
making changes and I was happy

946
00:55:57,950 --> 00:56:00,330
because I found the gadget for
client side path traversal and then

947
00:56:00,330 --> 00:56:03,870
I realized that I don't need the
client side path traversal because

948
00:56:03,870 --> 00:56:05,490
top level navigation is good enough.

949
00:56:06,209 --> 00:56:10,680
So I, I got, uh, I reported this as
a CSRF and never used the client side

950
00:56:10,680 --> 00:56:13,579
path traversal, so that's my experience.

951
00:56:15,559 --> 00:56:23,455
Um, Another bug that I also saw for
the first time publicly exploited in

952
00:56:23,455 --> 00:56:25,855
your bug is a cross window forgery.

953
00:56:26,325 --> 00:56:26,355
Can

954
00:56:26,365 --> 00:56:26,655
you

955
00:56:26,724 --> 00:56:29,484
tell us what cross window forgery is?

956
00:56:29,485 --> 00:56:33,814
So this is actually, it's a
research from a guy that I

957
00:56:33,814 --> 00:56:35,185
don't really remember his name.

958
00:56:38,745 --> 00:56:44,114
It was sort of at the same time when I was
going to try to do full time bug bounties.

959
00:56:45,500 --> 00:56:47,230
It's my first three months, I guess.

960
00:56:47,800 --> 00:56:50,910
Uh, there was this blog post
about something that he had

961
00:56:50,970 --> 00:56:52,880
named then cross window forgery.

962
00:56:53,200 --> 00:56:57,499
I have his name, but I, I'm
worried I will misspell it

963
00:56:57,500 --> 00:56:59,009
badly, but now I think I have to.

964
00:56:59,350 --> 00:56:59,710
Yeah.

965
00:56:59,710 --> 00:57:00,429
Paulos.

966
00:57:02,359 --> 00:57:08,639
I mean,

967
00:57:08,640 --> 00:57:15,040
he found this strange quirk in
browsers where you essentially

968
00:57:15,060 --> 00:57:16,710
on if you are on the page.

969
00:57:17,165 --> 00:57:21,815
And you, for example, start
pressing enter and that triggers

970
00:57:22,115 --> 00:57:25,955
a new window to open your click.

971
00:57:25,975 --> 00:57:30,184
If you keep pressing enter, the
click will transfer to the new

972
00:57:30,185 --> 00:57:34,885
window and click on maybe something.

973
00:57:35,275 --> 00:57:35,735
Yeah.

974
00:57:35,735 --> 00:57:40,675
And then you can chain that with,
uh, uh, you can use the, the

975
00:57:40,675 --> 00:57:42,895
hash or the fragment in the URL.

976
00:57:43,300 --> 00:57:46,930
To actually like point to something
dangerous, like a button that will

977
00:57:47,250 --> 00:57:49,150
accept something or do something.

978
00:57:49,550 --> 00:57:52,940
And the click will like transfer to this
new window and click on that button.

979
00:57:54,129 --> 00:57:54,489
Yeah,

980
00:57:55,240 --> 00:57:58,509
because when you press the
space or the enter, it will

981
00:57:58,510 --> 00:57:59,989
click the button that's focused.

982
00:58:00,029 --> 00:58:04,980
And one way I usually use this is
probably when I do the tab on the

983
00:58:05,050 --> 00:58:08,040
input field and then I do the tab for
the button and then I press the space.

984
00:58:08,660 --> 00:58:09,640
So you can also do it.

985
00:58:10,305 --> 00:58:13,695
If there's a hash with the ID
of the button, then it's sort

986
00:58:13,695 --> 00:58:15,055
of automatically focused, right?

987
00:58:15,205 --> 00:58:16,680
Yeah, exactly, exactly.

988
00:58:17,095 --> 00:58:21,469
Uh, and I mean, the, the,
the, the, the write up is.

989
00:58:22,300 --> 00:58:28,240
It's fun and fine and great in a lot
of ways, but it's also like a, a pretty

990
00:58:28,260 --> 00:58:35,020
strange bug to like, it's, it's hard
to see if it's like, if it's good or

991
00:58:35,040 --> 00:58:39,559
bad, like if it requires like really
strange behavior in a way like pressing

992
00:58:39,560 --> 00:58:41,834
enter, but I had some fun with it.

993
00:58:42,115 --> 00:58:49,455
Uh, this year, because I, I took it as
like an, an exercise to, to build, uh,

994
00:58:49,535 --> 00:58:55,365
POCs or like to convince companies,
like, because the worst scenario that I

995
00:58:55,365 --> 00:59:00,064
could think of was this, like you shame
this with this sort of like, Oh, uh,

996
00:59:02,675 --> 00:59:05,285
requirement, uh, what
do you call those pages?

997
00:59:05,505 --> 00:59:10,205
The consent consent screens, uh,
because the consent screen will ask

998
00:59:10,205 --> 00:59:12,065
you, like, are you allowing this?

999
00:59:12,890 --> 00:59:15,430
application to see
everything and access you.

1000
00:59:15,670 --> 00:59:18,650
And you have one button
that says like, yeah, okay.

1001
00:59:18,790 --> 00:59:19,780
And if you click it, it's done.

1002
00:59:20,290 --> 00:59:22,210
And then you have like
an account to take over.

1003
00:59:22,730 --> 00:59:29,919
So if that button has an ID, uh, then you
could focus that button and you can abuse

1004
00:59:29,919 --> 00:59:32,039
this to take over accounts essentially.

1005
00:59:32,210 --> 00:59:32,560
Yeah.

1006
00:59:32,700 --> 00:59:38,720
So my idea was that the impact
here is big, even if the, the,

1007
00:59:38,730 --> 00:59:42,220
like how you get there is kind
of like goofy and not really.

1008
00:59:42,675 --> 00:59:46,425
I don't know if it's realistic or not,
but I've sort of spent the time to

1009
00:59:46,435 --> 00:59:54,135
build this case that we have, or like
companies as a community has moved to

1010
00:59:55,100 --> 00:59:59,580
make people just like the cookie bar
has made people click on all the pages.

1011
00:59:59,680 --> 01:00:00,000
Yeah.

1012
01:00:00,280 --> 01:00:06,460
Um, you have, we have these like
reCAPTCHA or CAPTCHA things that when

1013
01:00:06,460 --> 01:00:10,660
you go to a page that you sort of
trust, like maybe you don't even trust

1014
01:00:10,660 --> 01:00:14,440
it, but you do something and they
say like, yeah, here's a Capcha game.

1015
01:00:15,170 --> 01:00:19,040
Uh, a lot of people will just do
whatever it says, like, yeah, five

1016
01:00:19,040 --> 01:00:23,750
clicks, type something and drag
and drop and like do whatever.

1017
01:00:23,960 --> 01:00:24,200
Yeah.

1018
01:00:24,230 --> 01:00:29,210
So I, I built a case that like, it's
not that hard to convince someone like.

1019
01:00:29,530 --> 01:00:32,790
Yeah, press enter three times and
then you have like a progress bar that

1020
01:00:32,800 --> 01:00:36,820
is like filling up and if you drop
enter, it will like go down again.

1021
01:00:36,860 --> 01:00:39,390
So you have to press it for
like three seconds to prove

1022
01:00:39,390 --> 01:00:40,400
you're a human or whatever.

1023
01:00:41,220 --> 01:00:46,600
Uh, so I did that POC and then I did like
a, a built like a Flappy Bird game or I

1024
01:00:46,610 --> 01:00:49,500
cloned the game from, uh, from GitHub.

1025
01:00:49,790 --> 01:00:51,670
And I, I just, I edit the code.

1026
01:00:51,700 --> 01:00:57,200
So like when you play it with the
enter and then like during a period

1027
01:00:57,220 --> 01:01:01,080
where you're supposed to like go
a lot of like up with the bird.

1028
01:01:01,820 --> 01:01:02,780
Find the space.

1029
01:01:02,780 --> 01:01:05,990
You have to, yeah, you have to like
enter for like you have to keep it in.

1030
01:01:06,110 --> 01:01:06,320
Yeah.

1031
01:01:06,320 --> 01:01:07,820
To get the bird up.

1032
01:01:08,270 --> 01:01:12,440
And during that time, I opened
this window as like a small popup

1033
01:01:12,500 --> 01:01:14,090
and it'll do the, the thing.

1034
01:01:14,090 --> 01:01:14,240
Yeah.

1035
01:01:14,980 --> 01:01:18,485
Uh, and to you using those two POCs.

1036
01:01:19,485 --> 01:01:23,965
Uh, it actually became quite easy to
convince at least these big companies

1037
01:01:24,005 --> 01:01:29,885
that are like hosting these sort of like
consent wealth things, uh, that this is

1038
01:01:29,885 --> 01:01:33,934
actually an issue because it's really,
again, it's also really easy to fix.

1039
01:01:34,335 --> 01:01:35,494
So the impact is high.

1040
01:01:35,775 --> 01:01:36,634
The fix is easy.

1041
01:01:36,634 --> 01:01:39,135
You just remove the ID
and, uh, you're done.

1042
01:01:39,295 --> 01:01:40,865
You cannot exploit it anymore.

1043
01:01:41,485 --> 01:01:46,525
Uh, and, uh, but still like, it's
not really maybe realistic, but.

1044
01:01:46,660 --> 01:01:51,200
It's, it's dangerous enough that you
could, uh, it could be worth fixing.

1045
01:01:51,660 --> 01:01:51,910
Yeah.

1046
01:01:51,910 --> 01:01:56,750
And also, it was also one of the reasons
I wanted to talk about this because I

1047
01:01:56,760 --> 01:02:00,310
even said it in one of the recent videos
that sometimes it's hard to get through

1048
01:02:00,310 --> 01:02:02,389
the triage with non standard things.

1049
01:02:03,029 --> 01:02:03,429
Yeah.

1050
01:02:03,470 --> 01:02:08,940
And because this, and I would like
this to be more standardized, so

1051
01:02:08,940 --> 01:02:10,810
maybe it's like widely accepted.

1052
01:02:11,630 --> 01:02:15,770
That, you know, okay, this is
not the, the interaction is

1053
01:02:15,770 --> 01:02:18,320
kind of complex, but it's likely.

1054
01:02:18,320 --> 01:02:21,320
So, you know, it's, it's,
maybe it's not, uh, critical.

1055
01:02:21,320 --> 01:02:25,160
Maybe not a high, but it's, it's, in
my opinion, it's definitely a bug.

1056
01:02:25,670 --> 01:02:26,090
Yeah.

1057
01:02:26,150 --> 01:02:32,480
I, and I mean, uh, I, I must admit that
these are maybe the bugs where I found

1058
01:02:32,780 --> 01:02:36,260
I felt most, uh, like scammy in a way.

1059
01:02:36,260 --> 01:02:39,620
Like doing, uh, like
I, it's not like I was.

1060
01:02:40,295 --> 01:02:43,865
super proud of what I created. Okay.

1061
01:02:44,615 --> 01:02:45,510
When, well, you created the

1062
01:02:45,510 --> 01:02:46,950
flowy, but it's cool episode.

1063
01:02:46,950 --> 01:02:49,865
Yeah, I, I thought it was fun to send
a game and stuff like that because I've

1064
01:02:49,865 --> 01:02:54,305
been really inspired by, there's been one
guy that I've seen some bugs on Chrome.

1065
01:02:54,725 --> 01:02:54,845
Yeah.

1066
01:02:54,845 --> 01:02:55,325
A lot of like.

1067
01:02:55,910 --> 01:03:00,950
things when, uh, you kind of like click
on these different consent things in

1068
01:03:00,950 --> 01:03:04,289
Chrome that they pop like, are you
allowed to use the microphone or whatever?

1069
01:03:04,999 --> 01:03:10,810
And there's one guy who has sent like
tens or 20 reports, like abusing this.

1070
01:03:10,870 --> 01:03:16,300
And it's all, he always has like a Dino
game, like a dinosaur that runs and jumps

1071
01:03:16,630 --> 01:03:18,040
and you have to do like different things.

1072
01:03:18,540 --> 01:03:21,810
And I, I thought it was
really fun to have like.

1073
01:03:22,160 --> 01:03:27,450
This aspect of like building a
small game as the POC, like a bit

1074
01:03:27,450 --> 01:03:30,150
goofy and a bit like light touch.

1075
01:03:30,520 --> 01:03:30,909
Yeah, it's

1076
01:03:30,909 --> 01:03:31,169
nice.

1077
01:03:31,760 --> 01:03:32,749
It was fun in that way.

1078
01:03:32,750 --> 01:03:32,949
And I

1079
01:03:32,949 --> 01:03:33,710
mean, it's worked out.

1080
01:03:33,710 --> 01:03:36,040
So it's, uh, it's good.

1081
01:03:36,400 --> 01:03:36,680
Yeah.

1082
01:03:36,680 --> 01:03:40,749
And it's also, I think the, as
I said, I like it because it's

1083
01:03:40,750 --> 01:03:44,560
something I didn't know about and I
think it's applicable fairly widely.

1084
01:03:44,980 --> 01:03:45,300
Yeah.

1085
01:03:45,610 --> 01:03:49,260
Let's now talk a little bit
about the server side bugs.

1086
01:03:50,240 --> 01:03:55,590
When browsing through your recent bugs on
GitLab, at least from the issue tracker,

1087
01:03:55,840 --> 01:03:57,680
there was a lot of denial of service bugs.

1088
01:03:58,200 --> 01:03:58,410
Yeah.

1089
01:03:58,760 --> 01:04:01,250
Especially the regular
expression based ones.

1090
01:04:01,710 --> 01:04:04,990
Can you talk to us more about this?

1091
01:04:05,589 --> 01:04:05,969
Yeah.

1092
01:04:09,020 --> 01:04:16,700
I was turning into the denial of
service guy, uh, in the beginning of this

1093
01:04:16,700 --> 01:04:19,410
year, I, I think I counted them as well.

1094
01:04:19,410 --> 01:04:27,610
I think I had the 20 accepted reports
on GitLab that are like denial of

1095
01:04:27,610 --> 01:04:30,049
service, uh, the two different kinds.

1096
01:04:30,599 --> 01:04:34,310
And I've also seen that there's
been a lot of other people

1097
01:04:34,310 --> 01:04:36,190
reporting that I was at the moment.

1098
01:04:36,900 --> 01:04:37,660
Uh, yeah.

1099
01:04:38,400 --> 01:04:39,070
Kind of one of those.

1100
01:04:39,680 --> 01:04:44,390
things that happens with one of those
old programs that you see bug types like

1101
01:04:44,430 --> 01:04:50,540
come and go and they fix and then they
like fix the root cause uh eventually

1102
01:04:50,540 --> 01:04:55,029
and then people move on to something new
and at the moment like there's still a

1103
01:04:55,029 --> 01:04:59,950
lot of like different sending bad content
to a GitLab server and trying to crash.

1104
01:05:00,390 --> 01:05:00,720
Yeah.

1105
01:05:01,020 --> 01:05:05,170
Uh, I, I was moving it.

1106
01:05:05,540 --> 01:05:13,670
I had been on a break during like December
and January and I was moving into my like

1107
01:05:13,790 --> 01:05:16,800
three month trying out full time in March.

1108
01:05:17,075 --> 01:05:21,795
So in February, I felt like I had
to like start finding something

1109
01:05:21,795 --> 01:05:26,735
or like get something going prior
to getting into it for full time.

1110
01:05:27,375 --> 01:05:32,894
And then I decided, I don't
remember how, but I had this hunch

1111
01:05:32,894 --> 01:05:35,534
that, okay, like we DOS bugs.

1112
01:05:36,475 --> 01:05:37,755
People have found them.

1113
01:05:37,885 --> 01:05:39,195
I have found some of them.

1114
01:05:39,755 --> 01:05:41,555
Regular expression denial of service.

1115
01:05:42,095 --> 01:05:48,605
And I decided to like, trying to actually
like, root out all of the last ones.

1116
01:05:48,605 --> 01:05:50,484
In GitLab.

1117
01:05:50,485 --> 01:05:53,794
Like why do people find
them like, once in a while.

1118
01:05:54,005 --> 01:05:56,085
And always like in old code.

1119
01:05:56,085 --> 01:06:00,730
Like why doesn't, hasn't anyone just
found all of them, like, what's my idea?

1120
01:06:00,960 --> 01:06:07,189
So I started to grep through the code
base, uh, using regular expressions,

1121
01:06:07,600 --> 01:06:09,800
trying to find regular expressions.

1122
01:06:09,895 --> 01:06:12,044
Yeah.

1123
01:06:12,045 --> 01:06:17,745
So it was actually one of my maybe most,
uh, structural, structural attacks ever.

1124
01:06:17,785 --> 01:06:25,195
Like I, I got this like list of like
200, uh, potential, I think I grepped for

1125
01:06:26,335 --> 01:06:33,104
a couple of patterns, like anything that
contained more than one star or plus.

1126
01:06:34,190 --> 01:06:37,060
So that's the indicator
that's sort of like

1127
01:06:37,300 --> 01:06:43,320
the main goal of a regular expression,
denial of service is to get the regular

1128
01:06:43,320 --> 01:06:49,499
expression to go into a really, really
deep nested search for something.

1129
01:06:49,840 --> 01:06:55,110
You have something called like
backtracking, so it tries to go as far

1130
01:06:55,630 --> 01:07:00,729
forward as it can, and then it goes back,
and then it goes forward again, and back

1131
01:07:00,869 --> 01:07:07,785
and forward, and it creates this like
exponential, uh, amount of paths through

1132
01:07:07,845 --> 01:07:10,395
this, uh, whatever you're trying to hit.

1133
01:07:11,665 --> 01:07:17,395
And when this happens are usually
when you have like multiple asterisks

1134
01:07:17,395 --> 01:07:22,335
or plus it can happen in other
scenarios as well, but that's like the

1135
01:07:22,525 --> 01:07:23,765
sort of simple example is.

1136
01:07:24,405 --> 01:07:29,935
If you have wildcards one or more
times and wildcard one or more times,

1137
01:07:30,315 --> 01:07:35,175
and I have this string three A's,
it can be the first group can be two

1138
01:07:35,205 --> 01:07:39,795
A's and the second can be one, and
then it can be one, two or two, one.

1139
01:07:40,484 --> 01:07:44,665
And then with this simple example,
it's two different sort of, uh, I don't

1140
01:07:44,665 --> 01:07:49,135
know, it's the tree that's being thrown
somewhere, but, but it's two combinations.

1141
01:07:49,870 --> 01:07:54,690
And I assume your inputs are not, are
not three characters long, more like 3,

1142
01:07:55,220 --> 01:07:55,290
000.

1143
01:07:55,500 --> 01:07:59,530
And actually something that I had to
learn, because the theory is quite

1144
01:07:59,530 --> 01:08:05,090
easy, but then you actually had to
learn to break, uh, using your payload.

1145
01:08:05,480 --> 01:08:09,440
So after all the A's you have to
put like a B or whatever, because

1146
01:08:09,450 --> 01:08:13,700
it has to fail and then go back and
try again, like different paths.

1147
01:08:13,750 --> 01:08:14,060
Yeah.

1148
01:08:14,470 --> 01:08:18,160
Uh, and that can be a bit more like,
that's a super simple example, but in

1149
01:08:18,170 --> 01:08:24,409
different cases, it could be like, uh,
quite like convoluted, but there are like,

1150
01:08:24,660 --> 01:08:26,859
so you want the sandwich to be like.

1151
01:08:27,765 --> 01:08:29,125
almost your whole input.

1152
01:08:29,285 --> 01:08:29,625
Yeah.

1153
01:08:29,665 --> 01:08:31,145
But not sort of the last character.

1154
01:08:31,145 --> 01:08:33,314
At

1155
01:08:33,315 --> 01:08:36,525
least like there are some different
ones and that's, I actually

1156
01:08:36,545 --> 01:08:40,865
learned like there are some, it's
a classic like research topic.

1157
01:08:41,074 --> 01:08:45,804
Like there are university
people like doing like heavy

1158
01:08:45,805 --> 01:08:48,385
research into ReDoS bugs.

1159
01:08:48,985 --> 01:08:55,595
Uh, and I actually tried some
like Java based Chinese research

1160
01:08:56,015 --> 01:08:57,739
things that I put out on this.

1161
01:08:57,900 --> 01:08:58,310
GitHub.

1162
01:08:58,320 --> 01:09:04,640
It didn't really catch more than my, like,
maybe it could do, but in the end, what

1163
01:09:04,640 --> 01:09:09,950
you have to do is like, you have to first
find the bad regex and then you have to

1164
01:09:10,070 --> 01:09:12,240
figure out if you can actually get there.

1165
01:09:13,000 --> 01:09:17,289
You have to figure out if it's bad
and that you can do with like a free,

1166
01:09:17,289 --> 01:09:21,080
there are web pages where you can
just paste regex and it will tell

1167
01:09:21,080 --> 01:09:25,160
you if it's, uh, like if you could,
if it could be a problem or not.

1168
01:09:25,410 --> 01:09:25,790
Okay.

1169
01:09:25,910 --> 01:09:28,300
But then you also have
to find a way to get

1170
01:09:28,910 --> 01:09:32,150
the payload to that place
in the application, right?

1171
01:09:32,970 --> 01:09:37,570
And most of the times, as you kind
of mentioned, is that most of the

1172
01:09:37,580 --> 01:09:42,259
bad RegExps are not that bad, but
they are bad if you give it like

1173
01:09:42,979 --> 01:09:47,035
500,000 Ks or whatever, like, yeah.

1174
01:09:47,035 --> 01:09:52,305
You give it like a lot of data, then
it will break because the computers are

1175
01:09:52,315 --> 01:09:56,135
like, if it would be a computer like 20
years ago, it will probably break easier.

1176
01:09:56,145 --> 01:10:00,545
But nowadays, like they are
really, they can do a lot of work.

1177
01:10:01,635 --> 01:10:05,225
So, but there's a lot of those
places in, for example, GitLab

1178
01:10:05,245 --> 01:10:07,595
where you can get like huge data.

1179
01:10:08,505 --> 01:10:15,065
into like, that you control, into one of
these like semi-bad, uh, regex things.

1180
01:10:15,295 --> 01:10:15,545
Yeah.

1181
01:10:15,745 --> 01:10:18,395
How do they usually, what
severity do they assign?

1182
01:10:19,215 --> 01:10:20,595
You have two levels.

1183
01:10:21,705 --> 01:10:28,245
Uh, I, I can also like stay, say now
that I think ReDoS is in scope again.

1184
01:10:28,535 --> 01:10:32,705
But they have actually fixed it at
like a language level now at GitLab.

1185
01:10:32,815 --> 01:10:35,345
So it's sort of a dead bug.

1186
01:10:35,495 --> 01:10:38,095
But that's also why you see
people transitioning into this

1187
01:10:38,104 --> 01:10:40,464
other sort of like DoS bugs.

1188
01:10:41,265 --> 01:10:47,005
But they, I mean, it's a medium if you
have to be, if you have to have a user.

1189
01:10:47,585 --> 01:10:51,115
But what you really want to do is
you want to have, be able to send

1190
01:10:51,205 --> 01:10:53,495
like an unauthenticated request.

1191
01:10:54,615 --> 01:10:59,125
And then you get like the full, they
have some metric that you have to, you

1192
01:10:59,125 --> 01:11:06,994
have to, uh, trigger like a 10 second
delay on like a specific like setup with

1193
01:11:06,995 --> 01:11:09,235
a set of cores and stuff like that.

1194
01:11:09,334 --> 01:11:10,605
Oh, that's, that's cool.

1195
01:11:10,674 --> 01:11:10,934
Yeah.

1196
01:11:10,935 --> 01:11:14,965
So they have it in the policy, like
how bad you have to make it for it to

1197
01:11:14,975 --> 01:11:17,505
become high instead of low or whatever.

1198
01:11:18,585 --> 01:11:23,295
So, and I actually like, I found, I guess
I found like 18 of these bugs or whatever.

1199
01:11:23,605 --> 01:11:28,855
And every bug I found, I found it
like one at a time and exploited them.

1200
01:11:28,875 --> 01:11:30,925
And I thought like, okay,
yeah, that was the last one.

1201
01:11:30,945 --> 01:11:34,324
Like, uh, it cannot be better than this.

1202
01:11:34,945 --> 01:11:39,095
And then in the end, uh, like, I
think it was like the last two I

1203
01:11:39,095 --> 01:11:43,374
found because I, then I had like an
epiphany, like I was taking a shower or

1204
01:11:43,375 --> 01:11:45,005
whatever, like a classic shower moment.

1205
01:11:45,535 --> 01:11:48,915
And I had, I thought like, I saw
something strange in the code.

1206
01:11:48,915 --> 01:11:52,234
Like, I remember that I saw
something really strange and

1207
01:11:52,494 --> 01:11:53,685
I went back and found it.

1208
01:11:54,135 --> 01:11:58,345
And it was actually in the
main, uh, speaking of old bugs,

1209
01:11:58,415 --> 01:11:59,935
like in the main search bar.

1210
01:11:59,935 --> 01:11:59,985
Yeah.

1211
01:12:00,290 --> 01:12:06,550
When you search for code in GitLab, you
can actually put like stars, asterisks in

1212
01:12:06,550 --> 01:12:11,009
your search, search for wildcard matches.

1213
01:12:11,610 --> 01:12:14,330
And for some reason, I haven't
really thought about like how this is

1214
01:12:14,340 --> 01:12:16,200
implemented, but if you look at the code.

1215
01:12:16,785 --> 01:12:21,215
At that time, at least it, it would parse
out because it's not regex, but it's just

1216
01:12:21,215 --> 01:12:25,145
like a star and it acts like dot star.

1217
01:12:25,665 --> 01:12:29,355
And if you looked at the code, they will
actually like match and replace in your

1218
01:12:29,355 --> 01:12:32,935
string, all the stars with dot star.

1219
01:12:33,364 --> 01:12:34,725
Oh, and then create the regex from it.

1220
01:12:34,934 --> 01:12:35,825
And create a regex from it.

1221
01:12:37,385 --> 01:12:39,435
And so then I could actually create this.

1222
01:12:39,575 --> 01:12:46,405
Uh, the, the schoolbook example of
like searching for, and you would, so

1223
01:12:46,405 --> 01:12:50,645
you could do it unauthenticated and
something that almost always exists

1224
01:12:50,665 --> 01:12:53,885
in all repos is the README file.

1225
01:12:54,504 --> 01:12:57,724
So I could do like a, a big R
star, star, star, star, star,

1226
01:12:57,724 --> 01:13:03,045
star, star, star, and end it with
something that is not MD, right?

1227
01:13:03,215 --> 01:13:05,755
So like markdowns, it has
to end with something else.

1228
01:13:05,995 --> 01:13:06,095
Yeah.

1229
01:13:06,115 --> 01:13:06,145
Okay.

1230
01:13:06,145 --> 01:13:06,205
Thank you.

1231
01:13:06,565 --> 01:13:11,195
Uh, and then you could like break it
with, uh, it's like, and usually these

1232
01:13:11,195 --> 01:13:15,665
ReDoS things, you send like a bunch
of requests to like kill all the cores.

1233
01:13:15,695 --> 01:13:20,605
So they like end up at a hundred
percent usage, but it was really fun.

1234
01:13:20,615 --> 01:13:23,225
That's how I found like two
different of those in the end.

1235
01:13:23,414 --> 01:13:25,525
Uh, and they got rewarded as high.

1236
01:13:26,270 --> 01:13:30,980
So even when I thought like I had
found like the last remaining one,

1237
01:13:31,060 --> 01:13:35,140
I found these two and that was the
right before they put it out of scope.

1238
01:13:35,140 --> 01:13:36,500
So it was great.

1239
01:13:37,010 --> 01:13:37,340
Yeah.

1240
01:13:37,979 --> 01:13:38,809
You were the reason.

1241
01:13:38,810 --> 01:13:40,989
I

1242
01:13:40,990 --> 01:13:44,220
mean, they were actually really,
really nice with this because

1243
01:13:44,229 --> 01:13:47,530
they had in the pipeline to
actually upgrade and kill ReDoS.

1244
01:13:48,710 --> 01:13:54,754
Uh, for good using like, uh,
updating the, the Ruby to 3.

1245
01:13:54,754 --> 01:13:55,405
2 or whatever it is.

1246
01:13:55,835 --> 01:14:00,275
But as they hadn't, the roadmap was like
in six months or something like that.

1247
01:14:00,745 --> 01:14:04,315
So they said like, yeah, if you
have reported it before now, it

1248
01:14:04,315 --> 01:14:08,284
will still be dangerous in like
six months, a six month period.

1249
01:14:08,604 --> 01:14:10,425
So we will still reward it and then,

1250
01:14:11,210 --> 01:14:11,865
okay.

1251
01:14:12,495 --> 01:14:16,335
Uh, we'll be heading to the
end of the, of the interview.

1252
01:14:16,485 --> 01:14:18,515
I think it's actually
getting quite dark here.

1253
01:14:18,605 --> 01:14:20,035
It is getting quite dark and we don't

1254
01:14:20,035 --> 01:14:21,145
have lights here, but

1255
01:14:21,145 --> 01:14:22,415
if

1256
01:14:22,415 --> 01:14:25,145
you cannot see us, we're still here.

1257
01:14:25,695 --> 01:14:26,295
Listen to us.

1258
01:14:26,295 --> 01:14:27,664
We're, we're still continuing.

1259
01:14:28,645 --> 01:14:34,215
Um, after just one, one more
question after so much time and

1260
01:14:34,215 --> 01:14:37,665
so many things learned, how do
you still learn new stuff today?

1261
01:14:39,375 --> 01:14:39,695
Yeah.

1262
01:14:40,154 --> 01:14:43,315
I, I definitely, I have not.

1263
01:14:44,280 --> 01:14:51,010
I will still, I think I only will still
do this as long as I am learning things.

1264
01:14:51,400 --> 01:14:55,710
I think that's one of the, I
can't really see myself just

1265
01:14:55,839 --> 01:14:58,420
doing it, the grind or whatever.

1266
01:14:58,429 --> 01:15:03,159
Like, uh, even if I find it really
interesting to be able to live off of it,

1267
01:15:03,310 --> 01:15:06,430
finding bugs and like being in
control of my time and everything.

1268
01:15:07,040 --> 01:15:12,889
I, one of the reasons why I also, when I,
I quit my job was that I felt like I could

1269
01:15:12,890 --> 01:15:18,810
learn more and quicker if I would do this
on my own, like if I can control my time.

1270
01:15:19,130 --> 01:15:24,535
But that also includes that I, I want
to and need to learn things and how

1271
01:15:24,535 --> 01:15:30,305
I do it is, uh, to remind myself to
like go to the correct sources, like

1272
01:15:30,305 --> 01:15:35,995
reading documentation, uh, trying
to become better at using like the

1273
01:15:35,995 --> 01:15:38,635
right tools and like learn tools.

1274
01:15:39,154 --> 01:15:43,685
Uh, so with all of this, like
debugging and setting up environments

1275
01:15:43,685 --> 01:15:45,525
and like taking a small step.

1276
01:15:45,585 --> 01:15:45,925
Yeah.

1277
01:15:46,170 --> 01:15:49,810
Uh, each day and then we'd like
the bug types and stuff like that.

1278
01:15:50,070 --> 01:15:57,469
It's more of a, if you put yourself
out there and like you try, you, you

1279
01:15:57,470 --> 01:16:02,030
cannot just try to find whatever you
have found before you have to like act.

1280
01:16:02,785 --> 01:16:07,785
be, I don't know, you cannot really call
it brave, but you have to put yourself in

1281
01:16:07,785 --> 01:16:09,925
a position where you think you will fail.

1282
01:16:10,275 --> 01:16:10,505
Yeah.

1283
01:16:10,555 --> 01:16:13,575
And then sometimes you will
actually succeed and you

1284
01:16:13,575 --> 01:16:15,324
will make a new step forward.

1285
01:16:15,495 --> 01:16:22,014
And so, for example, I found my first
RCE this year as well, which I really

1286
01:16:22,015 --> 01:16:27,615
didn't think I could check more
boxes after becoming a number one

1287
01:16:27,615 --> 01:16:31,935
at GitLab this year, but yeah. And
that's just the step when you finally

1288
01:16:31,935 --> 01:16:34,125
do it, it also feels quite easy.

1289
01:16:34,155 --> 01:16:37,954
And now maybe I only found one so far.

1290
01:16:40,005 --> 01:16:41,915
I have still a lot to learn.

1291
01:16:42,485 --> 01:16:42,705
Yeah.

1292
01:16:42,705 --> 01:16:44,305
Well, I think we, we all do.

1293
01:16:45,005 --> 01:16:47,534
Um, what are your plans for 2025?

1294
01:16:48,305 --> 01:16:52,185
In a way, funny that I think that my
answer is really similar to when we last

1295
01:16:52,790 --> 01:17:00,480
spoke, becoming more structured, uh,
structured, uh, creating some automation.

1296
01:17:01,820 --> 01:17:03,240
I've actually started taking notes.

1297
01:17:03,440 --> 01:17:04,560
It's always been my thing.

1298
01:17:04,560 --> 01:17:10,719
I don't take notes, but I actually,
I've been using Obsidian now and I

1299
01:17:10,730 --> 01:17:15,420
really, really enjoy it and, uh, I'm,
I need to get better at it, but at

1300
01:17:15,420 --> 01:17:19,970
least I throw things in there and I've
found myself searching for my own.

1301
01:17:20,325 --> 01:17:21,085
No, it's a lot.

1302
01:17:21,265 --> 01:17:21,605
Yeah.

1303
01:17:21,765 --> 01:17:23,105
Uh, so it, it definitely helps.

1304
01:17:23,895 --> 01:17:28,135
Uh, but yeah, and I'm browser
hacking on the list as well.

1305
01:17:28,884 --> 01:17:29,574
Uh, yeah.

1306
01:17:30,625 --> 01:17:31,334
Uh, yeah.

1307
01:17:31,355 --> 01:17:38,445
I mean, the to do list is always like
move to a new program, uh, expand, but I

1308
01:17:38,464 --> 01:17:44,165
don't really have any super big, uh, I'm
looking forward to, I've had quite a good

1309
01:17:44,225 --> 01:17:49,825
success. This year it's been intense and
there's been a lot, a lot of happening.

1310
01:17:50,035 --> 01:17:53,455
So I, I want, my big goal
is to survive a year.

1311
01:17:53,995 --> 01:17:56,425
survive, not, but like mentally.

1312
01:17:56,425 --> 01:17:56,485
Yeah.

1313
01:17:56,905 --> 01:17:59,095
Feel like it's still interesting and fun.

1314
01:17:59,095 --> 01:18:01,495
I don't burn out and, uh.

1315
01:18:02,825 --> 01:18:07,735
Maybe like settle in this new situation
of, of being in control of my own time.

1316
01:18:09,055 --> 01:18:09,335
Cool.

1317
01:18:09,505 --> 01:18:10,285
Good luck with this.

1318
01:18:10,475 --> 01:18:13,274
Uh, thank you so much
for, for the interview.

1319
01:18:13,895 --> 01:18:18,355
If you enjoyed it, uh, also you can
check out our interview from before two

1320
01:18:18,355 --> 01:18:22,194
years, which we mentioned a few times
there, we spoke a little bit more about

1321
01:18:22,214 --> 01:18:27,055
the university, about the thesis, about
getting into the, the security, so if you

1322
01:18:27,065 --> 01:18:31,815
enjoyed this one, you will definitely
like that one as well. For now, thank

1323
01:18:31,815 --> 01:18:33,955
you so much for listening and goodbye.

