Episode 135: Akamai's Ryan Barnett on WAFs, Unicode Confusables, and Triage Stories
Aug 14, 2025
Ryan Barnett, Principal Researcher at Akamai, brings his web application security expertise to the table. He discusses the intricacies of Web Application Firewalls (WAFs), including the two different jobs customers ask them to do. The conversation delves into Unicode vulnerabilities, particularly the challenges of encoding, and real-world examples like the Nimda worm. Ryan also shares insights on the importance of collaboration between bug bounty hunters and web security platforms, enhancing the discourse around ethical hacking's evolving landscape.
Accidental Stored XSS From Related-Posts
- Ryan accidentally triggered a stored XSS while typing in TypePad when a related-posts plugin rendered third-party JSON as HTML.
- He converted exploit text to images afterwards because crawlers and APIs may re-render or execute text unexpectedly.
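The related-posts failure described above, as an added example that is not code from the episode, from TypePad, or from any plugin named there: a widget takes a JSON feed of post titles and links and interpolates the fields straight into HTML, so a post whose title contains a payload executes on every page that lists it. The feed, field names and hostnames are constructed for the example; the hardened renderer beside it applies HTML entity encoding and a scheme allow-list on links.

```javascript
// Added example (not the episode's or TypePad's code). Constructed feed: the
// second entry is what a post *about* XSS looks like once the payload text is
// in its title; the third shows a link-valued field abused the same way.
const FEED = [
  { title: "Unicode confusables in WAF rules", url: "https://blog.example/p/1" },
  { title: 'Test: <img src=x onerror="alert(document.domain)">', url: "https://blog.example/p/2" },
  { title: "Old post", url: "javascript:alert(1)" },
];

// Vulnerable renderer: trusts the JSON because it came from "our own" API
// and builds markup by string concatenation. Anything in the title or url
// becomes HTML on the page that embeds the widget (stored XSS).
function renderRelatedVulnerable(posts) {
  return posts.map((p) => `<li><a href="${p.url}">${p.title}</a></li>`).join("");
}

// Entity-encode the five characters that can break out of text or attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encoding alone does not make an href safe: javascript: and data: URLs survive
// entity encoding intact, so allow-list the scheme and fall back to "#".
function safeHref(u) {
  try {
    const parsed = new URL(u);
    return ["http:", "https:"].includes(parsed.protocol) ? escapeHtml(parsed.href) : "#";
  } catch {
    return "#"; // relative or malformed value; not a link this widget should emit
  }
}

// Hardened renderer: same markup, but every untrusted field is encoded for the
// context it lands in (text node or quoted attribute).
function renderRelatedSafe(posts) {
  return posts
    .map((p) => `<li><a href="${safeHref(p.url)}">${escapeHtml(p.title)}</a></li>`)
    .join("");
}

console.log("vulnerable:", renderRelatedVulnerable(FEED));
console.log("safe:      ", renderRelatedSafe(FEED));
```

In a browser the equivalent of the safe path is to build the list with `document.createElement` and set `textContent` and `href` as properties rather than touching `innerHTML`; the string version above is used so the two outputs can be compared directly.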
Chat Widget Backscatter Confuses Triage
- Ryan triaged DOM XSS telemetry that came from a chat widget beaconing full request URIs to a customer.
- The attacker's payloads reflected via third-party widgets produced 'chat scatter' telemetry that looked like attacks against the customer.
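A triage check for the backscatter pattern above, as an added example rather than anything from Akamai's tooling or the episode: a widget embedded on other people's pages beacons the full URI of the page it is sitting on to its vendor, so an attacker probing those pages shows up in the vendor's telemetry as if the payload were aimed at the vendor. The request lines, the `/widget/beacon` path, the `page` parameter name and the hostnames are all constructed for the example; the logic decides whether a payload hit the customer's own application or only arrived inside a URL-valued parameter that points at a foreign origin.

```javascript
// Added example (not Akamai's code). Hostname, beacon path and parameter
// names are assumptions made for the illustration.
const CUSTOMER_ORIGIN = "https://chat-vendor.example"; // hypothetical customer
const XSS_MARKERS = [/<script/i, /onerror\s*=/i, /javascript:/i];

// Constructed request lines as the customer's edge would log them.
const EVENTS = [
  // Attacker probes blog.example; the chat widget there reports the page URL.
  "GET /widget/beacon?page=https%3A%2F%2Fblog.example%2Fsearch%3Fq%3D%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1",
  // Genuine probe against the customer's own search endpoint.
  "GET /api/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1",
  // Benign beacon from a normal page view.
  "GET /widget/beacon?page=https%3A%2F%2Fblog.example%2Fpost%2F42 HTTP/1.1",
];

function hasPayload(s) {
  return XSS_MARKERS.some((re) => re.test(s));
}

// decodeURIComponent throws on malformed escapes; keep the raw text in that case.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

function parseRequestLine(line) {
  const [method, target] = line.split(" ");
  return { method, url: new URL(target, CUSTOMER_ORIGIN) };
}

// Verdicts: "clean" (no payload), "direct" (payload in the customer's own
// path/params), "backscatter" (payload only inside a URL parameter that
// names a page on some other origin).
function classify(line) {
  const { url } = parseRequestLine(line);
  if (!hasPayload(safeDecode(url.pathname + url.search))) return { verdict: "clean" };

  for (const [name, value] of url.searchParams) {
    let embedded;
    try { embedded = new URL(value); } catch { continue; } // not a URL-valued param
    const foreign = embedded.origin !== url.origin;
    if (foreign && hasPayload(safeDecode(embedded.pathname + embedded.search))) {
      return {
        verdict: "backscatter",
        param: name,
        reportedPage: embedded.origin + embedded.pathname,
      };
    }
  }
  return { verdict: "direct", path: url.pathname };
}

// Summarise a batch so the direct hits surface and backscatter is grouped by
// the page that actually received the probe.
function triage(lines) {
  const summary = { direct: [], backscatter: {}, clean: 0 };
  for (const line of lines) {
    const r = classify(line);
    if (r.verdict === "direct") summary.direct.push(r.path);
    else if (r.verdict === "backscatter") summary.backscatter[r.reportedPage] = (summary.backscatter[r.reportedPage] || 0) + 1;
    else summary.clean += 1;
  }
  return summary;
}

console.log(JSON.stringify(triage(EVENTS), null, 2));
```

The foreign-origin test is what separates the two cases: a payload that arrived in a parameter whose value is the customer's own URL still counts as direct, since an open-redirect or self-referencing beacon on the customer's site would be the customer's problem. Whether backscatter is then dropped or forwarded to the site that was actually probed is a policy decision, not something the classifier should make.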
WAF Behavior Mirrors Customer Goals
- Customers use WAFs for different goals: enumerating vulnerabilities in their own applications, or simulating what a realistic attacker would get through.
- That choice determines whether a WAF should let bug-hunter traffic through or treat it like real attacks, so that a reported finding is proven exploitable behind the WAF rather than only in theory.