Critical Thinking - Bug Bounty Podcast

Episode 73: Sandboxed IFrames and WAF Bypasses

May 30, 2024

Discussion on WAF bypass tools, sandboxed iframes, programs redacting bug reports, optional chaining operator in JS, Chrome cache exploit, hacker team shoutout, and innovative iframe hijacking techniques.

31:13

Creator website

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Authenticating scanning in Nuclei v3.2 improves fuzzing capabilities.

Exploiting frame hijacking exposes browser security threats.

Deep dives

New Features in Nuclei 3.2: Authenticated Scanning and Advanced Fuzzing Support

Nuclei version 3.2 introduces significant updates including authenticated scanning and enhanced fuzzing capabilities. Authenticated scanning now allows for automatic login using existing templates, eliminating manual cookie addition. Additionally, advanced fuzzing support extends to headers, cookies, and specific data parts like JSON and XML, enhancing scanning coverage.

Intro

2min

Discussion about Nuclei release, pink headphones, Hong Kong weekend, and Twitter syntax call-out

2min

Exploring the Optional Chaining Operator in JavaScript and WAF Bypasses

2min

Bypassing Web Application Firewalls and Redacting Reports

8min

Exploring Web Exploitation Techniques and Shoutout to Hacker Content Team

2min

Exploring Techniques with Sandbox IFrames and Frame Communication

16min

Episode 73: In this episode of Critical Thinking - Bug Bounty Podcast we give a brief recap of Nahamcon and then touch on some topics like WAF bypass tools, sandboxed iframes, and programs redacting your reports.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today's Sponsor - Project Discovery: https://nux.gg/podcast

Resources:

?. Tweet

https://x.com/garethheyes/status/1786836956032176215

NoWafPls

https://github.com/assetnote/nowafpls

Redacted Reports

https://x.com/deadvolvo/status/1790397012468199651

Breaking CORS

https://x.com/MtnBer/status/1794657827115696181

Sandbox-iframe XSS challenge solution

https://joaxcar.com/blog/2024/05/16/sandbox-iframe-xss-challenge-solution/