Episode 73: Sandboxed IFrames and WAF Bypasses

Episode 73: In this episode of Critical Thinking - Bug Bounty Podcast we give a brief recap of Nahamcon and then touch on some topics like WAF bypass tools, sandboxed iframes, and programs redacting your reports.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today's Sponsor - Project Discovery: https://nux.gg/podcast

Resources:

?. Tweet

https://x.com/garethheyes/status/1786836956032176215

NoWafPls

https://github.com/assetnote/nowafpls

Redacted Reports

https://x.com/deadvolvo/status/1790397012468199651

Breaking CORS

https://x.com/MtnBer/status/1794657827115696181

Sandbox-iframe XSS challenge solution

https://joaxcar.com/blog/2024/05/16/sandbox-iframe-xss-challenge-solution/

iframe and window.open magic

https://blog.huli.tw/2022/04/07/en/iframe-and-window-open/#detecting-when-a-new-window-has-finished-loading

domloggerpp

https://github.com/kevin-mizu/domloggerpp

Timestamps

(00:00:00) Introduction

(00:03:29) ?. Operator in JS and NoWafPls

(00:07:22) Redacting our own reports

(00:11:13) Breaking CORS

(00:17:07) Sandbox-iframes

(00:24:11) Dom hook plugins