Discussion this week around Chrome's Sanitizer API, and bypassing firewalls with webhooks and 0days (ModSecurity bypass), and a pre-auth BitBucket RCE.
Links and summaries are available at https://dayzerosec.com/podcast/153.html
[00:00:00] Introduction
[00:00:31] Exploiting Web3’s Hidden Attack Surface: Universal XSS on Netlify’s Next.js Library
[00:10:31] Breaking Bitbucket: Pre Auth Remote Command Execution [CVE-2022-36804]
[00:16:25] [Chrome] Sanitizer API bypass via prototype pollution
[00:23:02] How we Abused Repository Webhooks to Access Internal CI Systems at Scale
[00:35:03] WAF bypasses via 0days
[00:42:40] Cloning internal Google repos for fun and… info?
[00:43:19] How to turn security research into profit: a CL.0 case study
A Kernel Race, SuDump, and a Chrome Garbage Collector Bug [Exploit Dev/VR]
A Slack Attack and a MySQL Scientific Notation Bug [Bug Hunting]
WebKit Bugs, a Windows Race, and House of IO Improved [Exploit Dev/VR]
WebSocket Hijacking, GitHub review bypass and SQLi to RCE [Bug Hunting]
HyperKit Bugs & an Open5GS Stack Overflow [Binary Exploitation]
SharePoint RCE & an Apache Path Traversal [Bug Hunting]
Chrome Exploits and a Firefox Update Bug [Binary Exploitation]
Gatekeeper Bypass, Opera RCE, and Prototype Pollution [Bounty Hunting]
Kernel UAFs and a Parallels VM Escape [Binary Exploitation]
iOS 0days, Apache Dubbo RCEs, and NPM bugs [Bounty Hunting]
A Curl UAF, iPhone FORCEDENTRY, and a Crazy HP OMEN Driver [Binary Exploitation]
A Flickr CSRF, GitLab, & OMIGOD, Azure again? [Bounty Hunting]
NETGEAR smart switches, SpookJS, & Parallels Desktop [Binary Exploitation]
Reused VMWare exploits & Escaping Azure Container Instances [Bounty Hunting]
Escaping the Bhyve, WhatsApp, & BrakTooth [Binary Exploitation]
Takeover A Facebook, SnapChat or JetBrains Account [Bounty Hunting]
NoSQL Injection, Mobile Misconfigurations and a Wormable Windows Bug
Cross-Browser Tracking, Frag Attacks, and Malicious Rust Macros
Fake Vulns, More Valve, and an AWS Cognito issue
Defcon Quals, Dead μops, BadAllocs, Wordpress XXE
Create your
podcast in
minutes
It is Free
Insight Story: Tech Trends Unpacked
Zero-Shot
Fast Forward by Tomorrow Unlocked: Tech past, tech future
The Unbelivable Truth - Series 1 - 26 including specials and pilot
A Prairie Home Companion: News from Lake Wobegon