Critical Thinking - Bug Bounty Podcast

Episode 66: CDN-CGI Research, Intent To Ship, and Louis Vuitton

Apr 11, 2024

In this podcast, they discuss YesWeHack Louis Vuitton LHE, importance of failure in bug bounty, CDN CGI research, benefits of cold showers, Louis Vuitton live hacking event, bug bounty dominance, browser market share insights, OAuth flow vulnerabilities, Kaido workflows, Blink's features, DOM secrets, data attributes in frameworks.

58:20

Creator website

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Exploiting data attributes in HTML for XSS attacks, Chrome's XSS auditor bypass revealed by Masatoshi Tzukinoagawa.

Capitalizing on new event handlers in Chromium's rendering engine, insights from Blink Dev Google Group.

Uncovering potential vulnerabilities in CDNCGI framework through exhaustive analysis using Google Big Query.

Deep dives

Using Unique Tricks to Bypass XSS Auditor in Cloudflare Email Hiding Feature

A tweet by Masatoshi Tzukinoagawa unveiled an original bypass of Chrome's XSS auditor using SVG and data-CFE-email attribute, abused by Cloudflare email hiding. This technique is ideal for obfuscating payloads. Additionally, HTML parser peculiarities can further exploit data attributes for payload smuggling.

Introduction

2min

Cold Showers, Soreness, and Eclipse Trip Discussion

2min

Paris Live Hacking Event with Louis Vuitton Target

4min

Bug Bounty Dominance and Browser Market Share Insights

16min

Exploring Security Vulnerabilities in OAuth Flows and Excitement for Global Workflows in Kaido

20min

Exploring Blink's Upcoming Features and DOM Secrets

13min

Exploration of Data Attributes in Frameworks and Surprising Research Findings

2min

Episode 66: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the recent YesWeHack Louis Vuitton LHE, the importance of failure as growth in bug bounty, and Justin shares his research on CDN CGI.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Project Discovery Conference: https://nux.gg/hss24

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Resources:

YesWeHack Luis Vuitton LHE

https://twitter.com/yeswehack/status/1776280653744554287

https://event.yeswehack.com/events/hack-me-im-famous-2

Caido Workflows

https://github.com/caido/workflows

Oauth Redirects

https://twitter.com/Akshanshjaiswl/status/1724143813088940192

Bagipro Golden URL techniques

https://hackerone.com/reports/431002

Roadmap I followed to make 15,000+$ Bounties in my first 8 months https://shreyaschavhan.notion.site/Roadmap-I-followed-to-make-15-000-Bounties-in-my-first-8-months-of-starting-out-and-my-journey-98b1b9ff621645c0b97d1e774992f300

Monke Hacks Blog