Exploring WAFs and Their Attack Surfaces

Episode 135: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Ryan Barnett for a deep dive on WAFs. We also recap his Exploiting Unicode Normalization talk from DEFCON, and get his perspective on bug hunting from his time at Akamai.

Follow us on twitter at: https://x.com/ctbbpodcast

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor - ThreatLocker. Checkout ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect

Today’s Guest: https://x.com/ryancbarnett

====== Resources ======

Accidental Stored XSS Flaw in Zemanta 'Related Posts' Plugin for TypePad

https://webappdefender.blogspot.com/2013/04/accidental-stored-xss-flaw-in-zemanta.html

XSS Street-Fight

https://media.blackhat.com/bh-dc-11/Barnett/BlackHat_DC_2011_Barnett_XSS%20Streetfight-Slides.pdf

Blackhat USA 2025 - Lost in Translation: Exploiting Unicode Normalization

https://www.blackhat.com/us-25/briefings/schedule/#lost-in-translation-exploiting-unicode-normalization-44923

====== Timestamps ======

(00:00:00) Introduction

(00:02:49) Accidental Stored XSS in Typepad Plugin

(00:06:34) Chatscatter & Abusing third party Analytics

(00:11:42) Ryan Barnett Introduction

(00:21:11) Virtual Patching & WAF Challenges

(00:40:39) AWS API Gateways & Whitelisting Bug Hunter Traffic

(00:49:59) Lost in Translation: Exploiting Unicode Normalization

(01:11:29) CSPs at the WAF level & 'Bounties for Bypass'