Critical Thinking - Bug Bounty Podcast

Episode 61: A Hacker on Wall Street - JR0ch17

Mar 7, 2024

Guest Jasmin Landry shares stories about startup security, bug bounties, discovering OAuth-related bugs, and differences between structured learning and self-teaching. They walk through arbitrary ATO's, SSTI to RCE bugs, and emphasize the challenges and surprises in bug hunting.

01:27:00

Creator website

Episode guests

Jasmin Landry

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Exploring OAuth vulnerabilities through callback manipulation can lead to obtaining user tokens without authorization tokens.

Deepening understanding of OAuth intricacies and attack vectors enhances bug-hunting success.

Thorough testing and exploitation of SSTI vulnerabilities can unveil critical security issues and potential data leakage.

Deep dives

Exploring OAuth Weaknesses

Through experience and research, I gained an appreciation for OAuth vulnerabilities, particularly related to authentication token handling. By exploiting callback manipulation vulnerabilities in OAuth flows, I could control redirect flows to obtain user tokens. Utilizing techniques like open redirects, subdomain takeovers, and other basic OAuth vulnerabilities, I was able to extract OAuth tokens without requiring authorization or refresh tokens.

Introduction

3min

Exploring Vulnerabilities in Dom Purify and Path Traversal in OAuth Flow

8min

Journey from Networking to Pen Testing in Cybersecurity

7min

Journey in Bug Bounty and Pen Testing

19min

Transitioning to Head of Security Role and Managing Challenges

4min

Implementation of ESG SaaS Tool and Cloud Security Measures

2min

Evolution from Startup Security to Senior Director at Nasdaq

3min

Navigating Between Technical Expertise and Managerial Roles

3min

Exploring Server-Side Bugs & Unique Vulnerabilities in Bug Bounty Hunting

15min

10.

Uncovering Vulnerabilities through Social Engineering and Document Analysis

10min

11.

Exploring Security Vulnerabilities in Application Documentation

14min

Episode 61: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Jasmin Landry to share some stories about startup security, bug bounty, and the challenges of balancing both. He also shares his methodology for discovering OAuth-related bugs, highlights some differences between structured learning and self-teaching, and then walks us through a couple arbitrary ATO’s and SSTI to RCE bugs he’s found lately.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Guest: Jasmin Landry

https://twitter.com/JR0ch17

Resources:

Dirty Dancing blog post

https://labs.detectify.com/writeups/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/

OAuth 2.0 Threat Model and Security Considerations

https://datatracker.ietf.org/doc/html/rfc6819

OAuth 2.0 Security Best Current Practice

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics

Timestamps:

(00:00:00) Introduction

(00:02:20) Meta Tag + DomPurify Bug