Critical Thinking - Bug Bounty Podcast

Episode 68: 0-days & HTMX-SS with Mathias

Apr 25, 2024

Security researcher Mathias discusses HTMX vulnerabilities and bug bounty challenges like CSP bypass, XSS conversions, and HTMX disable bypasses. They also explore CDN-CGI functionality, CTF Challenge results, and the use of HTMX in larger applications with performance trade-offs.

01:03:53

Creator website

Episode guests

Mathias

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Discovering Cloudflare Images' semi-open redirect for subdomain redirection and client-side path traversal.

Praising HTMX framework's simplicity and efficiency despite insecure defaults.

Exploring legacy techniques like bin rec HTTP endpoint and subdomain-bound 307 redirect in Cloudflare's CDN-CGI functionality.

Deep dives

CDN-CGI Image Proxy Usage and Benefits

Through investigating CDN-CGI image proxy functionality, a feature known as Cloudflare Images was discovered, allowing for local domain-only image proxy settings. This feature includes image optimization, caching, and the ability to specify on-error redirecting URLs. With the power to issue a 307 redirect, this semi-open redirect, restricted at the top domain level, proves invaluable for scenarios requiring subdomain redirection, client-side path traversal, and potential CSRF exploitation.

Intro

2min

Exploring HTMX-SS for Simplified Web Development and Security Vulnerabilities

18min

Discussion on Server-Side Requests and Bandwidth Efficiency

4min

HTML Syntax and Security Measures

16min

Exploring a Share Link Vulnerability in a Random Image Viewer Application

2min

Security Vulnerabilities and HTML Targeting in Web Development

2min

Navigating CTF Challenges and Bug Bounty Work

9min

Bug Hunting Frustrations and CDN CGI Work

12min

Episode 68: In this episode of Critical Thinking - Bug Bounty Podcast Mathias is back with some fresh HTMX research, including CSP bypass using HTMX triggers, converting client-side response header injection to XSS, bypassing HTMX disable, and the challenges of using HTMX in larger applications and the potential performance trade-offs. We also talk about the results of his recent CTF Challenge, and explore some more facets of CDN-CGI functionality.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Project Discovery Conference: https://nux.gg/hss24

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Guest:

https://twitter.com/avlidienbrunn

Resources:

Masato Kinugawa's research on Teams

https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=33

subdomain-only 307 open redirect

https://avlidienbrunn.se/cdn-cgi/image/onerror=redirect/http://anything.avlidienbrunn.se

Timestamps

(00:00:00) Introduction

(00:05:18) CSP Bypass using HTML

(00:14:00) Converting client-side response header injection to XSS

(00:23:10) Bypassing hx-disable

(00:32:37) XSS-ing impossible elements

(00:38:22) CTF challenge Recap and knowing there's a bug

(00:51:53) hx-on (depreciated)

(00:54:30) CDN-CGI Research discussion

Remember Everything You Learn from Podcasts

Save insights instantly, chat with episodes, and build lasting knowledge - all powered by AI.

Critical Thinking - Bug Bounty Podcast

Episode 68: 0-days & HTMX-SS with Mathias

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

CDN-CGI Image Proxy Usage and Benefits

HTMX Framework Exploration and Evaluation

Legacy Techniques in Cloudflare CDN-CGI

Cross-Domain Post Requests and CSRF Scenarios

Innovation and Exploration in Vulnerability Research

Remember Everything You Learn from Podcasts