Critical Thinking - Bug Bounty Podcast

Episode 86: The X-Correlation between Frans & RCE - Research Drop

Aug 29, 2024

Frans Rosen, a cybersecurity expert, shares groundbreaking insights from his latest presentation. He discusses X-correlation injections and their effects on server-side vulnerabilities, emphasizing the role of request IDs. Frans delves into fuzz testing techniques, revealing how to uncover hidden software weaknesses, and highlights the complexities of managing cross-origin APIs. Additionally, he explores security challenges related to JSON Web Tokens and logging pipelines, providing practical solutions for developers and security professionals.

42:09

Creator website

Episode guests

Frans

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Manipulating x-correlation IDs in HTTP requests can expose significant vulnerabilities, necessitating rigorous validation to ensure system integrity.

Fuzzing techniques reveal how unexpected inputs in request identifiers can uncover critical vulnerabilities and improve error handling processes.

Deep dives

X-Correlation Injection Vulnerabilities

X-correlation IDs, frequently used in HTTP requests, can open up significant vulnerabilities in server-side architectures. These identifiers, which help trace requests across microservices, are often customizable and can be manipulated during their lifecycle in an application's backend. By exploiting these request headers, attackers can gain in-depth access to sensitive system processes, potentially allowing for injection attacks that lead to severe data breaches. The discussion emphasizes the need for rigorous validation of these identifiers to prevent unauthorized access and to ensure system integrity.

Intro

6min

Understanding X-Request and X-Correlation IDs in Microservices

2min

Exploring Vulnerabilities in Cross-Origin APIs

2min

Exploring Fuzz Testing Techniques for Software Security

1min

Navigating Web Security Vulnerabilities

18min

Exploring JWTs and Security Vulnerabilities

10min

Unpacking Logging Pipeline Vulnerabilities and Injection Attacks

3min

Episode 86: In this episode of Critical Thinking - Bug Bounty Podcast Frans blows Justin’s mind with a sneak peak of his new presentation. Note: This is a little different from our normal episode, and video is recommended. So head over to ctbb.show/yt if you feel like you’re missing something.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Shop our new swag store at ctbb.show/swag

Watch this Episode on Youtube - ctbb.show/yt

Today’s Guest: Frans Rosen - https://x.com/fransrosen

View the slides of this presentation at https://speakerdeck.com/fransrosen/x-correlation-injections-or-how-to-break-server-side-contexts

Timestamps

(00:00:00) Introduction

(00:04:09) x-correlation injection

(00:21:10) Server-side JSON-Injection

(00:32:10) Fuzz Blindly and Optimizing Blind RCE

Get the Snipd
podcast app

Unlock the knowledge in podcasts with the podcast player of the future.

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Save any
moment

Hear something you like? Tap your headphones to save it with AI-generated key takeaways

Share
& Export

Send highlights to Twitter, WhatsApp or export them to Notion, Readwise & more

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Critical Thinking - Bug Bounty Podcast

Episode 86: The X-Correlation between Frans & RCE - Research Drop

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

X-Correlation Injection Vulnerabilities

Understanding Request ID Manipulation

Fuzzing Techniques for Server-Side Testing

JSON Injection and Its Implications

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights

Critical Thinking - Bug Bounty Podcast

Episode 86: The X-Correlation between Frans & RCE - Research Drop

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

X-Correlation Injection Vulnerabilities

Understanding Request ID Manipulation

Fuzzing Techniques for Server-Side Testing

JSON Injection and Its Implications

Get the Snipdpodcast app

AI-poweredpodcast player

Discoverhighlights

Save anymoment

Share& Export

AI-poweredpodcast player

Discoverhighlights

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights