Episode 116: In this episode of Critical Thinking - Bug Bounty Podcast Justin gives a quick rundown of Portswigger’s SAML Roulette writeup, as well as some Google VRP reports, and a Next.js middleware exploit.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today’s Sponsor: ThreatLocker Cloud Control - https://www.threatlocker.com/platform/cloud-control
====== Resources ======
SAML roulette: the hacker always wins
https://portswigger.net/research/saml-roulette-the-hacker-always-wins
Loophole of getting Google Form associated with Google Spreadsheet with no editor/owner access
https://bughunters.google.com/reports/vrp/yBeFmSrJi
Loophole to see the editors of a Google Document with no granted access(owner/editor) with just the fileid (can be obtained from publicly shared links with 0 access)
https://bughunters.google.com/reports/vrp/7EhAw2hur
Cloud Tools for Eclipse - Chaining misconfigured OAuth callback redirection with open redirect vulnerability to leak Google OAuth Tokens with full GCP Permissions
https://bughunters.google.com/reports/vrp/F8GFYGv4g
Next.js, cache, and chains: the stale elixir
https://zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixir
Next.js and the corrupt middleware: the authorizing artifact
https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware
====== Timestamps ======
(00:00:00) Introduction
(00:02:59) SAML roulette
(00:13:08) Google bugs
(00:20:16) Next.js and the corrupt middleware
