Go offline with the Player FM app!
Episode 28: Surfin' with CSRFs
Manage episode 371761298 series 3435922
Episode 28: In this episode of Critical Thinking - Bug Bounty Podcast, the CSRF’s up, dude! We kick off with a debate about whether or not deep link vulns in mobile apps can be considered CSRF. We also talk browser extensions and tools like Hackbar, PwnFox, and JS Weasel, and Justin tries to invent a whole new vuln term. There’s plenty of good stuff here, so what are you waiting for? Jump on in!
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
rez0's latest tip
https://twitter.com/rez0__/status/168134822190014466019
Hackbar
https://addons.mozilla.org/en-US/firefox/addon/hackbartool/
PwnFox
https://twitter.com/adrien_jeanneau/status/1681364665354289152
JS Weasel
Charlie Eriksen
https://twitter.com/CharlieEriksen
Link to talk by Rojan
https://twitter.com/uraniumhacker/status/1681381857383030785
Bypassing GitHub's OAuth flow
https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html
Great SameSite Confusion
https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/
Check out Nahamsec's Channel
https://www.youtube.com/c/nahamsec
Timestamps:
(0:01:45) The deep link debate
(00:08:00) LHE and in-person interviews
(00:09:25) SQLMAP and raw requests
(00:11:11) Hackbar, PwnFox, and browser extensions
(00:16:45) JS Weasel tool and its features
(00:25:28) Rojan's Research and Public Talks
(Start of main content)
(00:28:36) Cross-Site Request Forgery (CSRF)
(00:35:00) Bypassing GitHub's OAuth flow
(00:45:00) A Small SameSite Story
(00:48:50) CSRF Exploitation Techniques
(01:07:15) CSRF Bug Stories
(01:15:30) NahamSec and DEFCON
78 episodes
Manage episode 371761298 series 3435922
Episode 28: In this episode of Critical Thinking - Bug Bounty Podcast, the CSRF’s up, dude! We kick off with a debate about whether or not deep link vulns in mobile apps can be considered CSRF. We also talk browser extensions and tools like Hackbar, PwnFox, and JS Weasel, and Justin tries to invent a whole new vuln term. There’s plenty of good stuff here, so what are you waiting for? Jump on in!
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
rez0's latest tip
https://twitter.com/rez0__/status/168134822190014466019
Hackbar
https://addons.mozilla.org/en-US/firefox/addon/hackbartool/
PwnFox
https://twitter.com/adrien_jeanneau/status/1681364665354289152
JS Weasel
Charlie Eriksen
https://twitter.com/CharlieEriksen
Link to talk by Rojan
https://twitter.com/uraniumhacker/status/1681381857383030785
Bypassing GitHub's OAuth flow
https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html
Great SameSite Confusion
https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/
Check out Nahamsec's Channel
https://www.youtube.com/c/nahamsec
Timestamps:
(0:01:45) The deep link debate
(00:08:00) LHE and in-person interviews
(00:09:25) SQLMAP and raw requests
(00:11:11) Hackbar, PwnFox, and browser extensions
(00:16:45) JS Weasel tool and its features
(00:25:28) Rojan's Research and Public Talks
(Start of main content)
(00:28:36) Cross-Site Request Forgery (CSRF)
(00:35:00) Bypassing GitHub's OAuth flow
(00:45:00) A Small SameSite Story
(00:48:50) CSRF Exploitation Techniques
(01:07:15) CSRF Bug Stories
(01:15:30) NahamSec and DEFCON
78 episodes
All episodes
×Welcome to Player FM!
Player FM is scanning the web for high-quality podcasts for you to enjoy right now. It's the best podcast app and works on Android, iPhone, and the web. Signup to sync subscriptions across devices.