Critical Thinking - Bug Bounty Podcast
A 'by Hackers for Hackers' podcast focused on technical content ranging from bug bounty tips, to write-up explanations, to the latest exploitation techniques.
Mar 25 5 tweets 1 min read
A Google iframe component used across multiple products had weak origin validation. We used postMessages, CSPT, and Google’s RPC API to exfiltrate data. The iframe’s flexibility made origin validation difficult (for them). ↓

Google’s requests via this iframe included an Authorization header by default.
The iframe made two requests:

1. Domain validation where the malicious postMessage's origin is passed into a request via query param ?domain=attacker..com
2. The actual request/returned data
Dec 3, 2024 7 tweets 2 min read
Last year, @joaxcar found a way to hide payloads in URL creds.

Inspired by this, @garethheyes pushed the research further, revealing new attack vectors and WAF-blind spots.

Here’s a quick breakdown of what they discovered 👇

1️⃣ Understanding the URL Credential Discrepancy

Did you know document.URL includes credentials, while location doesn’t? This opens a way to test hidden payloads in the credentials part of a URL.

🧵 1/6
Aug 20, 2024 9 tweets 2 min read
Team Critical Thinking (@0xLupin & @Rhynorater) hit up Vegas last week for the Google BugSwat!

Here are their 8 key takeaways from the event:

1. Focus on the main app

Target the primary application of your target. It’s often under active development, meaning new features and frequent updates—prime conditions for new bugs to appear.

New functionality means new gadgets, and often, new vulnerabilities.

1/8
Jun 25, 2024 8 tweets 3 min read
.@H4R3L's "Cookie XSS" affecting almost every Zoom page and subdomain demonstrates the effectiveness of experimenting with escape characters in cookie values.

Details in thread.

It all started when @H4R3L discovered a CSP Nonce cookie that was being used in every page with a CSP policy.

Because Zoom takes their security seriously, there was a CSP policy on almost every page!
Aug 7, 2023 6 tweets 2 min read
IIS Hacking tips from the latest episode with the master himself @infosec_au:
1. NEVER leave that blue IIS page untouched
"You see that blue page that comes up when you hit an IIS server? That should be your point where you think, I'm gonna find criticals on this bad boy."

2. Use shortscan or other shortname scanners to enumerate directory and file shortnames
IIS is vulnerable to short name file enumeration. This allows you to determine the first 6 chars of the name and 3 chars of extension.
github.com/bitquark/short…