Youssef Sammouda - Client-Side & ATO War Stories (Ep. 58)


Episode 58: In this episode of Critical Thinking - Bug Bounty Podcast we finally sit down with Youssef Sammouda and grill him on his various techniques for finding and exploiting client-side bugs and postMessage vulnerabilities. He shares some crazy stories about race conditions, exploiting hash change events, and leveraging scroll to text fragments.

Follow us on Twitter at:   / ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to   / realytcracker   for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater & Teknogeek on Twitter:
  / 0xteknogeek  
  / rhynorater  

====== Ways to Support CTBBPodcast ======
Sign up for https://caido.io/ using the referral code CTBBPODCAST for a 10% discount.

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Guest:
https://twitter.com/samm0uda?lang=en
https://ysamm.com/

Resources:
Client-side race conditions with postMessage:
https://ysamm.com/?p=742

Transferable Objects:
https://developer.mozilla.org/en-US/d...

Every known way to get references to windows, in JavaScript:
  / every-known-way-to-get-references-to-windo...  

Timestamps:
(00:00:00) Introduction
(00:04:27) Client-side race conditions with postMessage
(00:18:12) On Hash Change Events and Scroll To Text Fragments
(00:32:00) Finding, documenting, and reporting complex bugs
(00:37:32) PostMessage Methodology
(00:45:05) Youssef's Vuln Story
(00:53:42) Where and how to look for ATO vulns
(01:05:21) MessagePort
(01:14:37) Window frame relationships
(01:20:24) Recon and JS monitoring
(01:37:03) Client-side routing
(01:48:05) MITMProxy
