WEBVTT Kind: captions Language: en 00:00:01.400 --> 00:00:03.629 align:start position:0% all<00:00:01.560> righty<00:00:01.959> just<00:00:02.120> knocked<00:00:02.480> out<00:00:02.720> my<00:00:03.159> uh 00:00:03.629 --> 00:00:03.639 align:start position:0% all righty just knocked out my uh 00:00:03.639 --> 00:00:05.630 align:start position:0% all righty just knocked out my uh headphones<00:00:04.120> of<00:00:04.279> course<00:00:05.160> going<00:00:05.279> to<00:00:05.400> go<00:00:05.480> ahead 00:00:05.630 --> 00:00:05.640 align:start position:0% headphones of course going to go ahead 00:00:05.640 --> 00:00:07.429 align:start position:0% headphones of course going to go ahead and<00:00:05.759> get<00:00:05.920> started<00:00:06.319> here<00:00:06.839> um<00:00:06.960> let<00:00:07.040> me<00:00:07.200> go<00:00:07.279> ahead 00:00:07.429 --> 00:00:07.439 align:start position:0% and get started here um let me go ahead 00:00:07.439 --> 00:00:28.950 align:start position:0% and get started here um let me go ahead and<00:00:07.520> get<00:00:07.640> the<00:00:07.759> link<00:00:08.639> and<00:00:08.920> get<00:00:09.040> it<00:00:09.200> over<00:00:09.360> to 00:00:28.950 --> 00:00:28.960 align:start position:0% 00:00:28.960 --> 00:00:37.950 align:start position:0% people 00:00:37.950 --> 00:00:37.960 align:start position:0% 00:00:37.960 --> 00:00:43.950 align:start position:0% see<00:00:38.040> if<00:00:38.120> we<00:00:38.200> can<00:00:38.320> get<00:00:38.440> the 00:00:43.950 --> 00:00:43.960 align:start position:0% 00:00:43.960 --> 00:00:46.630 align:start position:0% message<00:00:44.960> all<00:00:45.239> righty<00:00:45.520> messages<00:00:46.000> working<00:00:46.440> hey 00:00:46.630 --> 00:00:46.640 align:start position:0% message all righty messages working hey 00:00:46.640 --> 00:00:54.750 align:start position:0% message all righty messages working hey tedex<00:00:47.039> how's<00:00:47.160> it<00:00:47.280> going 00:00:54.750 --> 00:00:54.760 align:start position:0% 00:00:54.760 --> 00:00:56.470 align:start position:0% man 00:00:56.470 --> 00:00:56.480 align:start position:0% man 00:00:56.480 --> 00:00:59.869 align:start position:0% man righty<00:00:57.480> pretty<00:00:57.800> good<00:00:58.039> pretty<00:00:58.600> good<00:00:59.600> excited 00:00:59.869 --> 00:00:59.879 align:start position:0% righty pretty good pretty good excited 00:00:59.879 --> 00:01:02.150 align:start position:0% righty pretty good pretty good excited Ed<00:01:00.120> to<00:01:00.199> do<00:01:00.399> the<00:01:00.600> first 00:01:02.150 --> 00:01:02.160 align:start position:0% Ed to do the first 00:01:02.160 --> 00:01:05.270 align:start position:0% Ed to do the first uh<00:01:03.160> master<00:01:03.519> class<00:01:03.879> on<00:01:04.119> my<00:01:04.320> side<00:01:04.559> Joel<00:01:04.839> has<00:01:05.000> been 00:01:05.270 --> 00:01:05.280 align:start position:0% uh master class on my side Joel has been 00:01:05.280 --> 00:01:06.710 align:start position:0% uh master class on my side Joel has been having<00:01:05.479> all<00:01:05.600> the<00:01:05.720> fun<00:01:06.000> I<00:01:06.080> guess<00:01:06.240> you<00:01:06.320> can<00:01:06.479> count 00:01:06.710 --> 00:01:06.720 align:start position:0% having all the fun I guess you can count 00:01:06.720 --> 00:01:08.789 align:start position:0% having all the fun I guess you can count that<00:01:06.880> other<00:01:07.119> little<00:01:07.880> post<00:01:08.080> message<00:01:08.439> thing<00:01:08.640> as 00:01:08.789 --> 00:01:08.799 align:start position:0% that other little post message thing as 00:01:08.799 --> 00:01:12.670 align:start position:0% that other little post message thing as a<00:01:09.560> little<00:01:09.759> mini<00:01:10.040> Master<00:01:10.400> Class<00:01:10.600> of<00:01:10.680> sworts<00:01:11.680> but 00:01:12.670 --> 00:01:12.680 align:start position:0% a little mini Master Class of sworts but 00:01:12.680 --> 00:01:14.910 align:start position:0% a little mini Master Class of sworts but yo<00:01:12.920> yo<00:01:13.119> yo<00:01:13.400> what<00:01:13.560> Su 00:01:14.910 --> 00:01:14.920 align:start position:0% yo yo yo what Su 00:01:14.920 --> 00:01:16.950 align:start position:0% yo yo yo what Su guys<00:01:15.920> we'll<00:01:16.119> give<00:01:16.320> people<00:01:16.520> a<00:01:16.640> second<00:01:16.840> to 00:01:16.950 --> 00:01:16.960 align:start position:0% guys we'll give people a second to 00:01:16.960 --> 00:01:18.030 align:start position:0% guys we'll give people a second to trickle 00:01:18.030 --> 00:01:18.040 align:start position:0% trickle 00:01:18.040 --> 00:01:20.630 align:start position:0% trickle in<00:01:19.040> I<00:01:19.119> need<00:01:19.240> to<00:01:19.360> grab<00:01:19.560> some<00:01:19.720> water<00:01:19.960> too<00:01:20.280> I'll<00:01:20.439> be 00:01:20.630 --> 00:01:20.640 align:start position:0% in I need to grab some water too I'll be 00:01:20.640 --> 00:01:22.950 align:start position:0% in I need to grab some water too I'll be I'll<00:01:20.799> be<00:01:20.960> right<00:01:21.159> back<00:01:21.720> we'll<00:01:21.920> start<00:01:22.119> in<00:01:22.280> about 00:01:22.950 --> 00:01:22.960 align:start position:0% I'll be right back we'll start in about 00:01:22.960 --> 00:01:28.830 align:start position:0% I'll be right back we'll start in about probably<00:01:23.119> start<00:01:23.320> in<00:01:23.439> two 00:01:28.830 --> 00:01:28.840 align:start position:0% 00:01:28.840 --> 00:01:57.029 align:start position:0% minutes 00:01:57.029 --> 00:01:57.039 align:start position:0% 00:01:57.039 --> 00:01:59.630 align:start position:0% I<00:01:57.240> see<00:01:57.399> you<00:01:57.560> xss<00:01:58.159> Doctor<00:01:58.560> all<00:01:58.680> right<00:01:58.960> all<00:01:59.119> right 00:01:59.630 --> 00:01:59.640 align:start position:0% I see you xss Doctor all right all right 00:01:59.640 --> 00:02:01.990 align:start position:0% I see you xss Doctor all right all right got<00:01:59.840> got<00:01:59.920> to<00:02:00.000> stay<00:02:00.439> hydrated<00:02:01.439> got<00:02:01.520> to<00:02:01.719> stay 00:02:01.990 --> 00:02:02.000 align:start position:0% got got to stay hydrated got to stay 00:02:02.000 --> 00:02:06.350 align:start position:0% got got to stay hydrated got to stay hydrated 00:02:06.350 --> 00:02:06.360 align:start position:0% 00:02:06.360 --> 00:02:08.510 align:start position:0% essential<00:02:07.360> yep<00:02:07.640> you're<00:02:07.799> a<00:02:07.960> doctor<00:02:08.200> you<00:02:08.319> know 00:02:08.510 --> 00:02:08.520 align:start position:0% essential yep you're a doctor you know 00:02:08.520 --> 00:02:14.390 align:start position:0% essential yep you're a doctor you know this 00:02:14.390 --> 00:02:14.400 align:start position:0% 00:02:14.400 --> 00:02:18.070 align:start position:0% stuff<00:02:15.400> yeah<00:02:15.599> we<00:02:15.800> got<00:02:15.920> a<00:02:16.560> really<00:02:17.560> we've<00:02:17.760> got<00:02:17.879> a 00:02:18.070 --> 00:02:18.080 align:start position:0% stuff yeah we got a really we've got a 00:02:18.080 --> 00:02:20.589 align:start position:0% stuff yeah we got a really we've got a good<00:02:18.640> freaking<00:02:19.560> master<00:02:19.920> class<00:02:20.120> today<00:02:20.440> I'm 00:02:20.589 --> 00:02:20.599 align:start position:0% good freaking master class today I'm 00:02:20.599 --> 00:02:22.430 align:start position:0% good freaking master class today I'm excited<00:02:21.080> I<00:02:21.200> freaking 00:02:22.430 --> 00:02:22.440 align:start position:0% excited I freaking 00:02:22.440 --> 00:02:27.470 align:start position:0% excited I freaking love<00:02:23.440> cide<00:02:24.000> patch<00:02:24.160> ofers<00:02:24.519> Soul<00:02:24.920> such<00:02:25.080> a<00:02:25.200> cool 00:02:27.470 --> 00:02:27.480 align:start position:0% 00:02:27.480 --> 00:02:31.910 align:start position:0% bug<00:02:28.480> yo<00:02:28.800> sup<00:02:29.040> type 00:02:31.910 --> 00:02:31.920 align:start position:0% 00:02:31.920 --> 00:02:33.949 align:start position:0% yeah<00:02:32.120> dude<00:02:32.400> I<00:02:32.519> do<00:02:32.800> is<00:02:32.920> that<00:02:33.080> not<00:02:33.200> a<00:02:33.360> thing<00:02:33.840> well 00:02:33.949 --> 00:02:33.959 align:start position:0% yeah dude I do is that not a thing well 00:02:33.959 --> 00:02:35.110 align:start position:0% yeah dude I do is that not a thing well I<00:02:34.040> guess<00:02:34.160> that<00:02:34.239> wasn't<00:02:34.440> a<00:02:34.560> thing<00:02:34.680> in<00:02:34.840> Japan 00:02:35.110 --> 00:02:35.120 align:start position:0% I guess that wasn't a thing in Japan 00:02:35.120 --> 00:02:37.190 align:start position:0% I guess that wasn't a thing in Japan when<00:02:35.239> I<00:02:35.360> lived<00:02:35.720> there<00:02:36.360> but<00:02:36.560> yeah<00:02:36.760> we<00:02:36.920> just<00:02:37.080> kind 00:02:37.190 --> 00:02:37.200 align:start position:0% when I lived there but yeah we just kind 00:02:37.200 --> 00:02:38.910 align:start position:0% when I lived there but yeah we just kind of<00:02:37.319> walk<00:02:37.560> up<00:02:37.680> to<00:02:37.800> the<00:02:37.920> fridge<00:02:38.200> and<00:02:38.360> then<00:02:38.680> press 00:02:38.910 --> 00:02:38.920 align:start position:0% of walk up to the fridge and then press 00:02:38.920 --> 00:02:40.869 align:start position:0% of walk up to the fridge and then press the<00:02:39.040> glass<00:02:39.319> up<00:02:39.480> against<00:02:39.720> the<00:02:39.840> fridge<00:02:40.080> and<00:02:40.319> the 00:02:40.869 --> 00:02:40.879 align:start position:0% the glass up against the fridge and the 00:02:40.879 --> 00:02:42.750 align:start position:0% the glass up against the fridge and the ice<00:02:41.159> just<00:02:41.319> comes<00:02:41.640> right 00:02:42.750 --> 00:02:42.760 align:start position:0% ice just comes right 00:02:42.760 --> 00:02:48.100 align:start position:0% ice just comes right out<00:02:43.760> yo<00:02:44.000> what's<00:02:44.159> up 00:02:48.100 --> 00:02:48.110 align:start position:0% 00:02:48.110 --> 00:02:55.710 align:start position:0% [Music] 00:02:55.710 --> 00:02:55.720 align:start position:0% 00:02:55.720 --> 00:02:57.790 align:start position:0% ape<00:02:56.720> all<00:02:56.840> right<00:02:57.080> let's<00:02:57.239> go<00:02:57.360> ahead<00:02:57.519> and<00:02:57.640> get 00:02:57.790 --> 00:02:57.800 align:start position:0% ape all right let's go ahead and get 00:02:57.800 --> 00:03:01.030 align:start position:0% ape all right let's go ahead and get some<00:02:58.040> screen<00:02:58.360> sharing<00:02:58.920> stuff 00:03:01.030 --> 00:03:01.040 align:start position:0% some screen sharing stuff 00:03:01.040 --> 00:03:10.710 align:start position:0% some screen sharing stuff going 00:03:10.710 --> 00:03:10.720 align:start position:0% 00:03:10.720 --> 00:03:16.149 align:start position:0% uh<00:03:11.720> going<00:03:11.840> to<00:03:12.159> close<00:03:13.120> pretty<00:03:13.440> much 00:03:16.149 --> 00:03:16.159 align:start position:0% 00:03:16.159 --> 00:03:27.750 align:start position:0% everything 00:03:27.750 --> 00:03:27.760 align:start position:0% 00:03:27.760 --> 00:03:37.030 align:start position:0% here<00:03:28.760> okay 00:03:37.030 --> 00:03:37.040 align:start position:0% 00:03:37.040 --> 00:03:39.429 align:start position:0% yeah<00:03:37.239> what's<00:03:37.360> up 00:03:39.429 --> 00:03:39.439 align:start position:0% yeah what's up 00:03:39.439 --> 00:03:42.309 align:start position:0% yeah what's up eug<00:03:40.439> that's<00:03:40.640> true<00:03:40.879> the<00:03:41.000> toilets<00:03:41.360> in<00:03:41.519> Japan<00:03:41.959> are 00:03:42.309 --> 00:03:42.319 align:start position:0% eug that's true the toilets in Japan are 00:03:42.319 --> 00:03:45.869 align:start position:0% eug that's true the toilets in Japan are sick<00:03:43.319> I<00:03:43.439> can<00:03:43.680> totally<00:03:44.480> vouch<00:03:44.760> for<00:03:45.040> that<00:03:45.720> it's 00:03:45.869 --> 00:03:45.879 align:start position:0% sick I can totally vouch for that it's 00:03:45.879 --> 00:03:50.990 align:start position:0% sick I can totally vouch for that it's hard<00:03:46.120> trans<00:03:46.480> transitioning<00:03:47.040> back<00:03:47.319> sup 00:03:50.990 --> 00:03:51.000 align:start position:0% 00:03:51.000 --> 00:03:53.589 align:start position:0% Pete<00:03:52.000> man<00:03:52.239> you<00:03:52.360> guys<00:03:52.480> in<00:03:52.640> Australia<00:03:53.239> this<00:03:53.319> is 00:03:53.589 --> 00:03:53.599 align:start position:0% Pete man you guys in Australia this is 00:03:53.599 --> 00:03:56.429 align:start position:0% Pete man you guys in Australia this is uh<00:03:54.319> what<00:03:54.480> time<00:03:54.640> is<00:03:54.720> it<00:03:54.879> in 00:03:56.429 --> 00:03:56.439 align:start position:0% uh what time is it in 00:03:56.439 --> 00:03:59.190 align:start position:0% uh what time is it in Australia<00:03:57.439> goodness<00:03:57.840> gracious<00:03:58.599> 6:00<00:03:58.879> a.m.<00:03:59.159> I 00:03:59.190 --> 00:03:59.200 align:start position:0% Australia goodness gracious 6:00 a.m. I 00:03:59.200 --> 00:04:00.869 align:start position:0% Australia goodness gracious 6:00 a.m. I hope<00:03:59.319> you<00:03:59.400> guys<00:03:59.519> have<00:03:59.680> have<00:03:59.799> gone<00:03:59.920> to<00:04:00.079> sleep 00:04:00.869 --> 00:04:00.879 align:start position:0% hope you guys have have gone to sleep 00:04:00.879 --> 00:04:07.830 align:start position:0% hope you guys have have gone to sleep instead<00:04:01.239> of<00:04:02.159> uh<00:04:03.159> uh<00:04:03.480> just<00:04:03.640> staying 00:04:07.830 --> 00:04:07.840 align:start position:0% 00:04:07.840 --> 00:04:10.949 align:start position:0% up<00:04:08.840> look<00:04:09.000> at<00:04:09.120> my<00:04:09.280> boy<00:04:09.560> techno<00:04:10.040> up<00:04:10.159> in<00:04:10.360> here<00:04:10.840> what 00:04:10.949 --> 00:04:10.959 align:start position:0% up look at my boy techno up in here what 00:04:10.959 --> 00:04:15.550 align:start position:0% up look at my boy techno up in here what up 00:04:15.550 --> 00:04:15.560 align:start position:0% 00:04:15.560 --> 00:04:18.629 align:start position:0% Joel<00:04:16.560> you<00:04:16.720> know<00:04:16.880> you<00:04:17.000> could<00:04:17.199> hop<00:04:17.400> in<00:04:17.600> the<00:04:18.000> uh<00:04:18.479> in 00:04:18.629 --> 00:04:18.639 align:start position:0% Joel you know you could hop in the uh in 00:04:18.639 --> 00:04:20.509 align:start position:0% Joel you know you could hop in the uh in the<00:04:18.759> master<00:04:19.120> class<00:04:19.400> recording 00:04:20.509 --> 00:04:20.519 align:start position:0% the master class recording 00:04:20.519 --> 00:04:22.310 align:start position:0% the master class recording man<00:04:21.519> all<00:04:21.639> right<00:04:21.759> well<00:04:21.840> let's<00:04:22.000> go<00:04:22.079> ahead<00:04:22.240> and 00:04:22.310 --> 00:04:22.320 align:start position:0% man all right well let's go ahead and 00:04:22.320 --> 00:04:23.110 align:start position:0% man all right well let's go ahead and get 00:04:23.110 --> 00:04:23.120 align:start position:0% get 00:04:23.120 --> 00:04:25.909 align:start position:0% get rolling<00:04:24.120> um<00:04:24.600> yeah<00:04:24.840> with<00:04:25.000> that<00:04:25.120> we'll<00:04:25.280> start<00:04:25.680> up 00:04:25.909 --> 00:04:25.919 align:start position:0% rolling um yeah with that we'll start up 00:04:25.919 --> 00:04:28.150 align:start position:0% rolling um yeah with that we'll start up everyone<00:04:26.639> um<00:04:26.759> we're<00:04:26.919> talking<00:04:27.199> about<00:04:27.800> client 00:04:28.150 --> 00:04:28.160 align:start position:0% everyone um we're talking about client 00:04:28.160 --> 00:04:30.150 align:start position:0% everyone um we're talking about client side<00:04:28.280> path<00:04:28.479> traversal<00:04:28.919> today<00:04:29.720> uh<00:04:29.880> this<00:04:29.960> is<00:04:30.039> one 00:04:30.150 --> 00:04:30.160 align:start position:0% side path traversal today uh this is one 00:04:30.160 --> 00:04:32.189 align:start position:0% side path traversal today uh this is one of<00:04:30.240> my<00:04:30.360> favorite<00:04:30.639> types<00:04:30.840> of<00:04:30.960> vones<00:04:31.880> uh<00:04:31.960> it's<00:04:32.120> G 00:04:32.189 --> 00:04:32.199 align:start position:0% of my favorite types of vones uh it's G 00:04:32.199 --> 00:04:34.150 align:start position:0% of my favorite types of vones uh it's G to<00:04:32.360> be<00:04:32.720> freaking<00:04:33.120> awesome<00:04:33.759> I've<00:04:33.960> actually 00:04:34.150 --> 00:04:34.160 align:start position:0% to be freaking awesome I've actually 00:04:34.160 --> 00:04:38.029 align:start position:0% to be freaking awesome I've actually went<00:04:34.360> ahead<00:04:34.680> and<00:04:35.240> prepared<00:04:36.240> 3:00<00:04:36.479> a.m.<00:04:37.199> ouch 00:04:38.029 --> 00:04:38.039 align:start position:0% went ahead and prepared 3:00 a.m. ouch 00:04:38.039 --> 00:04:40.070 align:start position:0% went ahead and prepared 3:00 a.m. ouch I've<00:04:38.160> went<00:04:38.320> ahead<00:04:38.479> and<00:04:38.759> prepared<00:04:39.199> some<00:04:39.759> um 00:04:40.070 --> 00:04:40.080 align:start position:0% I've went ahead and prepared some um 00:04:40.080 --> 00:04:42.550 align:start position:0% I've went ahead and prepared some um Labs<00:04:40.520> even<00:04:40.759> for<00:04:40.880> us<00:04:41.000> to<00:04:41.120> play<00:04:41.320> around<00:04:41.639> with<00:04:42.360> uh 00:04:42.550 --> 00:04:42.560 align:start position:0% Labs even for us to play around with uh 00:04:42.560 --> 00:04:44.310 align:start position:0% Labs even for us to play around with uh just<00:04:42.720> some<00:04:43.000> little<00:04:43.280> things<00:04:43.639> that<00:04:43.840> I<00:04:44.080> have<00:04:44.199> on 00:04:44.310 --> 00:04:44.320 align:start position:0% just some little things that I have on 00:04:44.320 --> 00:04:46.590 align:start position:0% just some little things that I have on my<00:04:44.440> server<00:04:44.880> so<00:04:45.720> should<00:04:45.919> be<00:04:46.039> pretty<00:04:46.280> fun<00:04:46.479> there 00:04:46.590 --> 00:04:46.600 align:start position:0% my server so should be pretty fun there 00:04:46.600 --> 00:04:48.189 align:start position:0% my server so should be pretty fun there should<00:04:46.720> be<00:04:46.840> a<00:04:46.960> decent<00:04:47.240> interactive<00:04:47.759> component 00:04:48.189 --> 00:04:48.199 align:start position:0% should be a decent interactive component 00:04:48.199 --> 00:04:49.749 align:start position:0% should be a decent interactive component as<00:04:48.360> well<00:04:48.919> for<00:04:49.080> those<00:04:49.199> of<00:04:49.320> you<00:04:49.400> guys<00:04:49.520> that<00:04:49.639> are 00:04:49.749 --> 00:04:49.759 align:start position:0% as well for those of you guys that are 00:04:49.759 --> 00:04:52.469 align:start position:0% as well for those of you guys that are interested<00:04:50.199> in<00:04:50.400> that<00:04:51.120> so<00:04:51.560> uh<00:04:51.720> first<00:04:51.960> thing<00:04:52.160> up 00:04:52.469 --> 00:04:52.479 align:start position:0% interested in that so uh first thing up 00:04:52.479 --> 00:04:54.749 align:start position:0% interested in that so uh first thing up is<00:04:52.840> what<00:04:52.960> is<00:04:53.120> client<00:04:53.440> side<00:04:53.600> past<00:04:53.759> rsal<00:04:54.280> and<00:04:54.639> let 00:04:54.749 --> 00:04:54.759 align:start position:0% is what is client side past rsal and let 00:04:54.759 --> 00:04:56.590 align:start position:0% is what is client side past rsal and let me<00:04:54.919> tell<00:04:55.120> you<00:04:55.479> with<00:04:55.639> this<00:04:55.800> you<00:04:55.919> will<00:04:56.120> realize 00:04:56.590 --> 00:04:56.600 align:start position:0% me tell you with this you will realize 00:04:56.600 --> 00:05:00.029 align:start position:0% me tell you with this you will realize that<00:04:56.840> I<00:04:57.039> am<00:04:58.000> a<00:04:58.680> uh<00:04:58.840> no<00:04:59.000> it's<00:04:59.120> recording<00:04:59.840> it's 00:05:00.029 --> 00:05:00.039 align:start position:0% that I am a uh no it's recording it's 00:05:00.039 --> 00:05:01.270 align:start position:0% that I am a uh no it's recording it's recording<00:05:00.520> you<00:05:00.680> can<00:05:00.800> you<00:05:00.880> can<00:05:01.000> definitely 00:05:01.270 --> 00:05:01.280 align:start position:0% recording you can you can definitely 00:05:01.280 --> 00:05:03.950 align:start position:0% recording you can you can definitely rewatch<00:05:01.600> it<00:05:02.520> um<00:05:03.240> you'll<00:05:03.479> definitely<00:05:03.720> be<00:05:03.800> able 00:05:03.950 --> 00:05:03.960 align:start position:0% rewatch it um you'll definitely be able 00:05:03.960 --> 00:05:06.390 align:start position:0% rewatch it um you'll definitely be able to<00:05:04.080> tell<00:05:04.680> that<00:05:04.840> I<00:05:04.919> am<00:05:05.039> a<00:05:05.199> hacker<00:05:05.720> not<00:05:05.880> a<00:05:06.000> graphic 00:05:06.390 --> 00:05:06.400 align:start position:0% to tell that I am a hacker not a graphic 00:05:06.400 --> 00:05:11.270 align:start position:0% to tell that I am a hacker not a graphic designer<00:05:07.400> um<00:05:07.600> so<00:05:07.800> these<00:05:08.560> these<00:05:09.240> uh<00:05:10.240> uh<00:05:10.440> this 00:05:11.270 --> 00:05:11.280 align:start position:0% designer um so these these uh uh this 00:05:11.280 --> 00:05:13.150 align:start position:0% designer um so these these uh uh this picture<00:05:11.560> I'm<00:05:11.680> going<00:05:11.800> to<00:05:11.919> show<00:05:12.120> you<00:05:12.400> is<00:05:12.680> not 00:05:13.150 --> 00:05:13.160 align:start position:0% picture I'm going to show you is not 00:05:13.160 --> 00:05:18.270 align:start position:0% picture I'm going to show you is not super<00:05:13.880> welld<00:05:14.160> designed<00:05:15.240> but<00:05:16.240> uh 00:05:18.270 --> 00:05:18.280 align:start position:0% super welld designed but uh 00:05:18.280 --> 00:05:21.749 align:start position:0% super welld designed but uh yeah<00:05:19.280> I<00:05:19.400> think<00:05:20.000> it'll<00:05:20.319> get<00:05:20.440> the<00:05:20.560> point<00:05:20.759> across 00:05:21.749 --> 00:05:21.759 align:start position:0% yeah I think it'll get the point across 00:05:21.759 --> 00:05:25.029 align:start position:0% yeah I think it'll get the point across okay<00:05:22.680> so<00:05:23.280> here<00:05:23.520> is<00:05:23.840> the<00:05:24.400> uh<00:05:24.560> graphic<00:05:24.880> that<00:05:24.960> I 00:05:25.029 --> 00:05:25.039 align:start position:0% okay so here is the uh graphic that I 00:05:25.039 --> 00:05:27.510 align:start position:0% okay so here is the uh graphic that I was<00:05:25.160> going<00:05:25.240> to<00:05:25.440> use<00:05:25.919> to<00:05:26.680> explain<00:05:27.080> CLI<00:05:27.400> side 00:05:27.510 --> 00:05:27.520 align:start position:0% was going to use to explain CLI side 00:05:27.520 --> 00:05:30.029 align:start position:0% was going to use to explain CLI side PSAL<00:05:28.000> to<00:05:28.120> you<00:05:28.280> guys<00:05:28.520> so 00:05:30.029 --> 00:05:30.039 align:start position:0% PSAL to you guys so 00:05:30.039 --> 00:05:31.909 align:start position:0% PSAL to you guys so in<00:05:30.160> my<00:05:30.319> opinion<00:05:30.639> client<00:05:30.960> side<00:05:31.080> path<00:05:31.240> reversal 00:05:31.909 --> 00:05:31.919 align:start position:0% in my opinion client side path reversal 00:05:31.919 --> 00:05:34.870 align:start position:0% in my opinion client side path reversal is<00:05:32.319> kind<00:05:32.479> of<00:05:32.720> like<00:05:33.199> the<00:05:33.440> new<00:05:33.840> SE<00:05:34.240> surf<00:05:34.560> the<00:05:34.680> new 00:05:34.870 --> 00:05:34.880 align:start position:0% is kind of like the new SE surf the new 00:05:34.880 --> 00:05:37.830 align:start position:0% is kind of like the new SE surf the new csrf<00:05:35.720> attack<00:05:36.680> okay<00:05:36.960> and<00:05:37.120> essentially<00:05:37.639> why 00:05:37.830 --> 00:05:37.840 align:start position:0% csrf attack okay and essentially why 00:05:37.840 --> 00:05:41.070 align:start position:0% csrf attack okay and essentially why this<00:05:38.039> is<00:05:38.639> the<00:05:38.800> case<00:05:39.039> is<00:05:39.280> because<00:05:40.000> um<00:05:40.440> you<00:05:40.600> know 00:05:41.070 --> 00:05:41.080 align:start position:0% this is the case is because um you know 00:05:41.080 --> 00:05:44.070 align:start position:0% this is the case is because um you know back<00:05:41.880> I<00:05:41.960> want<00:05:42.080> to<00:05:42.199> say<00:05:42.479> maybe<00:05:43.120> in<00:05:43.319> 2020<00:05:43.960> or 00:05:44.070 --> 00:05:44.080 align:start position:0% back I want to say maybe in 2020 or 00:05:44.080 --> 00:05:47.110 align:start position:0% back I want to say maybe in 2020 or maybe<00:05:44.400> 2021<00:05:45.400> uh<00:05:45.759> Google<00:05:46.039> Chrome<00:05:46.319> started 00:05:47.110 --> 00:05:47.120 align:start position:0% maybe 2021 uh Google Chrome started 00:05:47.120 --> 00:05:49.909 align:start position:0% maybe 2021 uh Google Chrome started defaulting<00:05:48.120> Sam<00:05:48.400> site<00:05:48.639> cookies<00:05:49.240> to<00:05:49.759> uh 00:05:49.909 --> 00:05:49.919 align:start position:0% defaulting Sam site cookies to uh 00:05:49.919 --> 00:05:51.909 align:start position:0% defaulting Sam site cookies to uh cookies<00:05:50.240> to<00:05:50.440> same<00:05:50.680> site<00:05:50.880> lacks<00:05:51.600> which<00:05:51.720> is<00:05:51.800> a 00:05:51.909 --> 00:05:51.919 align:start position:0% cookies to same site lacks which is a 00:05:51.919 --> 00:05:53.230 align:start position:0% cookies to same site lacks which is a pain<00:05:52.080> in<00:05:52.160> the<00:05:52.280> ass<00:05:52.440> for<00:05:52.560> everything<00:05:52.759> sea<00:05:53.039> surf 00:05:53.230 --> 00:05:53.240 align:start position:0% pain in the ass for everything sea surf 00:05:53.240 --> 00:05:56.029 align:start position:0% pain in the ass for everything sea surf related<00:05:54.080> because<00:05:54.680> um<00:05:55.039> they<00:05:55.120> are<00:05:55.319> not<00:05:55.479> sent 00:05:56.029 --> 00:05:56.039 align:start position:0% related because um they are not sent 00:05:56.039 --> 00:05:58.230 align:start position:0% related because um they are not sent cross<00:05:56.360> origin<00:05:57.000> except<00:05:57.280> in<00:05:57.400> a<00:05:57.520> couple<00:05:57.840> cases 00:05:58.230 --> 00:05:58.240 align:start position:0% cross origin except in a couple cases 00:05:58.240 --> 00:06:01.749 align:start position:0% cross origin except in a couple cases with<00:05:58.400> top<00:05:58.639> level<00:05:58.840> navigations 00:06:01.749 --> 00:06:01.759 align:start position:0% 00:06:01.759 --> 00:06:03.830 align:start position:0% um<00:06:02.360> so<00:06:02.639> as<00:06:02.720> a<00:06:02.880> result<00:06:03.160> we<00:06:03.240> need<00:06:03.400> to<00:06:03.479> figure<00:06:03.720> out 00:06:03.830 --> 00:06:03.840 align:start position:0% um so as a result we need to figure out 00:06:03.840 --> 00:06:05.710 align:start position:0% um so as a result we need to figure out a<00:06:03.960> way<00:06:04.120> to<00:06:04.360> have<00:06:04.639> these<00:06:04.919> sort<00:06:05.120> of<00:06:05.240> sees<00:06:05.479> surf 00:06:05.710 --> 00:06:05.720 align:start position:0% a way to have these sort of sees surf 00:06:05.720 --> 00:06:11.230 align:start position:0% a way to have these sort of sees surf like<00:06:06.120> requests<00:06:07.199> originate<00:06:08.199> from<00:06:08.880> um<00:06:09.680> the<00:06:10.680> from 00:06:11.230 --> 00:06:11.240 align:start position:0% like requests originate from um the from 00:06:11.240 --> 00:06:13.150 align:start position:0% like requests originate from um the from the<00:06:11.479> origin<00:06:11.960> that<00:06:12.039> we<00:06:12.160> want<00:06:12.280> to<00:06:12.520> attack<00:06:13.039> right 00:06:13.150 --> 00:06:13.160 align:start position:0% the origin that we want to attack right 00:06:13.160 --> 00:06:15.589 align:start position:0% the origin that we want to attack right so<00:06:13.280> it's<00:06:13.440> not<00:06:13.639> cross<00:06:14.160> origin<00:06:15.160> and<00:06:15.280> the<00:06:15.440> best 00:06:15.589 --> 00:06:15.599 align:start position:0% so it's not cross origin and the best 00:06:15.599 --> 00:06:18.270 align:start position:0% so it's not cross origin and the best way<00:06:15.720> to<00:06:15.840> do<00:06:16.039> that<00:06:16.919> that<00:06:17.039> I've<00:06:17.240> identified<00:06:18.120> is 00:06:18.270 --> 00:06:18.280 align:start position:0% way to do that that I've identified is 00:06:18.280 --> 00:06:20.390 align:start position:0% way to do that that I've identified is these<00:06:18.440> client<00:06:18.800> side<00:06:18.960> path<00:06:19.160> rals<00:06:19.759> okay<00:06:20.199> so 00:06:20.390 --> 00:06:20.400 align:start position:0% these client side path rals okay so 00:06:20.400 --> 00:06:21.309 align:start position:0% these client side path rals okay so here's<00:06:20.639> the 00:06:21.309 --> 00:06:21.319 align:start position:0% here's the 00:06:21.319 --> 00:06:24.909 align:start position:0% here's the concept<00:06:22.319> um<00:06:22.560> you<00:06:22.720> send<00:06:23.000> a<00:06:23.120> victim<00:06:23.720> to<00:06:23.919> a<00:06:24.080> URL 00:06:24.909 --> 00:06:24.919 align:start position:0% concept um you send a victim to a URL 00:06:24.919 --> 00:06:27.670 align:start position:0% concept um you send a victim to a URL that<00:06:25.080> looks<00:06:25.639> like<00:06:26.160> this<00:06:26.319> one<00:06:26.720> right<00:06:26.960> here 00:06:27.670 --> 00:06:27.680 align:start position:0% that looks like this one right here 00:06:27.680 --> 00:06:30.589 align:start position:0% that looks like this one right here maybe<00:06:27.880> I<00:06:27.960> can<00:06:28.080> zoom<00:06:28.280> in<00:06:28.400> a<00:06:28.479> little<00:06:28.680> bit<00:06:29.880> um<00:06:30.479> that 00:06:30.589 --> 00:06:30.599 align:start position:0% maybe I can zoom in a little bit um that 00:06:30.599 --> 00:06:32.909 align:start position:0% maybe I can zoom in a little bit um that we've<00:06:30.840> got<00:06:31.080> in<00:06:31.319> here<00:06:31.919> um<00:06:32.120> where<00:06:32.360> there<00:06:32.479> is<00:06:32.680> a 00:06:32.909 --> 00:06:32.919 align:start position:0% we've got in here um where there is a 00:06:32.919 --> 00:06:35.909 align:start position:0% we've got in here um where there is a parameter<00:06:33.560> either<00:06:33.880> in<00:06:34.280> the<00:06:35.000> um<00:06:35.479> and<00:06:35.680> I<00:06:35.800> have 00:06:35.909 --> 00:06:35.919 align:start position:0% parameter either in the um and I have 00:06:35.919 --> 00:06:37.950 align:start position:0% parameter either in the um and I have this<00:06:36.080> currently<00:06:36.440> in<00:06:36.560> the<00:06:36.680> query<00:06:37.039> parameter 00:06:37.950 --> 00:06:37.960 align:start position:0% this currently in the query parameter 00:06:37.960 --> 00:06:40.309 align:start position:0% this currently in the query parameter but<00:06:38.080> it<00:06:38.240> could<00:06:38.479> also<00:06:38.720> be<00:06:38.880> in<00:06:39.000> the<00:06:39.240> path<00:06:39.880> okay<00:06:40.240> it 00:06:40.309 --> 00:06:40.319 align:start position:0% but it could also be in the path okay it 00:06:40.319 --> 00:06:41.749 align:start position:0% but it could also be in the path okay it could<00:06:40.520> also<00:06:40.680> be<00:06:40.840> in<00:06:40.919> the<00:06:41.080> path<00:06:41.319> it<00:06:41.400> could<00:06:41.560> be<00:06:41.680> in 00:06:41.749 --> 00:06:41.759 align:start position:0% could also be in the path it could be in 00:06:41.759 --> 00:06:43.710 align:start position:0% could also be in the path it could be in the<00:06:41.919> hash<00:06:42.560> it<00:06:42.680> could<00:06:42.800> be<00:06:42.960> any<00:06:43.160> way<00:06:43.319> for<00:06:43.440> you<00:06:43.520> to 00:06:43.710 --> 00:06:43.720 align:start position:0% the hash it could be any way for you to 00:06:43.720 --> 00:06:47.309 align:start position:0% the hash it could be any way for you to pass<00:06:44.000> information<00:06:44.400> in<00:06:44.639> via<00:06:44.840> the<00:06:44.960> URL<00:06:45.880> so<00:06:46.240> path 00:06:47.309 --> 00:06:47.319 align:start position:0% pass information in via the URL so path 00:06:47.319 --> 00:06:50.909 align:start position:0% pass information in via the URL so path hash<00:06:48.319> uh<00:06:48.599> you<00:06:48.720> know<00:06:49.520> uh<00:06:49.639> quer<00:06:49.960> parameter<00:06:50.800> and 00:06:50.909 --> 00:06:50.919 align:start position:0% hash uh you know uh quer parameter and 00:06:50.919 --> 00:06:52.309 align:start position:0% hash uh you know uh quer parameter and it<00:06:51.039> could<00:06:51.199> technically<00:06:51.520> be<00:06:51.639> a<00:06:51.759> path<00:06:51.919> parameter 00:06:52.309 --> 00:06:52.319 align:start position:0% it could technically be a path parameter 00:06:52.319 --> 00:06:55.469 align:start position:0% it could technically be a path parameter as<00:06:52.400> well<00:06:52.520> but<00:06:52.639> I've<00:06:52.759> never<00:06:52.880> seen<00:06:53.160> that<00:06:54.319> um<00:06:55.319> so 00:06:55.469 --> 00:06:55.479 align:start position:0% as well but I've never seen that um so 00:06:55.479 --> 00:06:56.589 align:start position:0% as well but I've never seen that um so in<00:06:55.560> this<00:06:55.720> scenario<00:06:56.080> I've<00:06:56.199> just<00:06:56.280> kind<00:06:56.400> of<00:06:56.479> put 00:06:56.589 --> 00:06:56.599 align:start position:0% in this scenario I've just kind of put 00:06:56.599 --> 00:06:58.070 align:start position:0% in this scenario I've just kind of put it<00:06:56.680> in<00:06:56.759> the<00:06:56.879> query<00:06:57.160> parameter<00:06:57.680> most<00:06:57.840> of<00:06:57.960> the 00:06:58.070 --> 00:06:58.080 align:start position:0% it in the query parameter most of the 00:06:58.080 --> 00:07:00.629 align:start position:0% it in the query parameter most of the time<00:06:58.280> I<00:06:58.360> will<00:06:58.479> tell<00:06:58.680> you<00:06:59.080> you<00:06:59.400> we'll<00:06:59.560> see<00:06:59.759> it<00:07:00.039> in 00:07:00.629 --> 00:07:00.639 align:start position:0% time I will tell you you we'll see it in 00:07:00.639 --> 00:07:02.589 align:start position:0% time I will tell you you we'll see it in well<00:07:01.240> I<00:07:01.319> guess<00:07:01.440> it's<00:07:01.560> a<00:07:01.720> tossup<00:07:02.319> a<00:07:02.400> lot<00:07:02.520> of 00:07:02.589 --> 00:07:02.599 align:start position:0% well I guess it's a tossup a lot of 00:07:02.599 --> 00:07:03.990 align:start position:0% well I guess it's a tossup a lot of times<00:07:02.759> you'll<00:07:02.919> see<00:07:03.080> it<00:07:03.160> in<00:07:03.240> the<00:07:03.479> path<00:07:03.800> and<00:07:03.919> a 00:07:03.990 --> 00:07:04.000 align:start position:0% times you'll see it in the path and a 00:07:04.000 --> 00:07:06.589 align:start position:0% times you'll see it in the path and a lot<00:07:04.120> of<00:07:04.199> times<00:07:04.400> you'll<00:07:04.560> see<00:07:04.720> it<00:07:04.919> in<00:07:05.240> the<00:07:06.240> quer 00:07:06.589 --> 00:07:06.599 align:start position:0% lot of times you'll see it in the quer 00:07:06.599 --> 00:07:07.869 align:start position:0% lot of times you'll see it in the quer parameter<00:07:07.000> these<00:07:07.120> sort<00:07:07.240> of<00:07:07.400> IDs<00:07:07.680> that<00:07:07.759> are 00:07:07.869 --> 00:07:07.879 align:start position:0% parameter these sort of IDs that are 00:07:07.879 --> 00:07:10.430 align:start position:0% parameter these sort of IDs that are getting<00:07:08.120> passed<00:07:08.520> in<00:07:09.520> and<00:07:10.039> this<00:07:10.160> type<00:07:10.319> of 00:07:10.430 --> 00:07:10.440 align:start position:0% getting passed in and this type of 00:07:10.440 --> 00:07:12.469 align:start position:0% getting passed in and this type of vulnerability<00:07:11.080> is<00:07:11.280> particularly<00:07:11.879> present<00:07:12.280> in 00:07:12.469 --> 00:07:12.479 align:start position:0% vulnerability is particularly present in 00:07:12.479 --> 00:07:15.029 align:start position:0% vulnerability is particularly present in single<00:07:12.879> page<00:07:13.160> applications<00:07:13.919> so<00:07:14.120> Pages<00:07:14.599> where 00:07:15.029 --> 00:07:15.039 align:start position:0% single page applications so Pages where 00:07:15.039 --> 00:07:16.629 align:start position:0% single page applications so Pages where you<00:07:15.160> know<00:07:15.360> you<00:07:15.520> request<00:07:15.919> any<00:07:16.199> path<00:07:16.400> and<00:07:16.520> it 00:07:16.629 --> 00:07:16.639 align:start position:0% you know you request any path and it 00:07:16.639 --> 00:07:18.270 align:start position:0% you know you request any path and it still<00:07:16.800> shows<00:07:17.120> the<00:07:17.240> same<00:07:17.479> like<00:07:17.639> JS<00:07:18.000> in<00:07:18.120> the 00:07:18.270 --> 00:07:18.280 align:start position:0% still shows the same like JS in the 00:07:18.280 --> 00:07:20.150 align:start position:0% still shows the same like JS in the response<00:07:18.800> right<00:07:19.360> um<00:07:19.520> and<00:07:19.599> then<00:07:19.720> it's<00:07:19.840> loading 00:07:20.150 --> 00:07:20.160 align:start position:0% response right um and then it's loading 00:07:20.160 --> 00:07:22.469 align:start position:0% response right um and then it's loading the<00:07:20.280> whole<00:07:20.520> app<00:07:20.840> via<00:07:21.400> VIA<00:07:21.680> JavaScript<00:07:22.240> which 00:07:22.469 --> 00:07:22.479 align:start position:0% the whole app via VIA JavaScript which 00:07:22.479 --> 00:07:24.710 align:start position:0% the whole app via VIA JavaScript which very<00:07:22.639> common<00:07:22.919> structure<00:07:23.360> for<00:07:23.599> modern<00:07:23.919> web 00:07:24.710 --> 00:07:24.720 align:start position:0% very common structure for modern web 00:07:24.720 --> 00:07:27.830 align:start position:0% very common structure for modern web applications<00:07:25.720> so<00:07:26.319> looking<00:07:26.599> at<00:07:26.800> this<00:07:27.160> um 00:07:27.830 --> 00:07:27.840 align:start position:0% applications so looking at this um 00:07:27.840 --> 00:07:29.469 align:start position:0% applications so looking at this um looking<00:07:28.080> at<00:07:28.280> this<00:07:28.440> over<00:07:28.599> here<00:07:28.720> on<00:07:28.840> the<00:07:28.919> left 00:07:29.469 --> 00:07:29.479 align:start position:0% looking at this over here on the left 00:07:29.479 --> 00:07:31.469 align:start position:0% looking at this over here on the left side<00:07:29.960> um<00:07:30.319> we<00:07:30.440> can<00:07:30.560> see<00:07:30.840> that<00:07:30.960> we've<00:07:31.160> passed<00:07:31.400> in 00:07:31.469 --> 00:07:31.479 align:start position:0% side um we can see that we've passed in 00:07:31.479 --> 00:07:33.749 align:start position:0% side um we can see that we've passed in the<00:07:31.599> ID<00:07:31.919> 1<00:07:32.080> 2<00:07:32.319> 3<00:07:32.879> and<00:07:32.960> then<00:07:33.080> there's<00:07:33.240> a<00:07:33.440> script 00:07:33.749 --> 00:07:33.759 align:start position:0% the ID 1 2 3 and then there's a script 00:07:33.759 --> 00:07:35.070 align:start position:0% the ID 1 2 3 and then there's a script in<00:07:33.840> the<00:07:34.000> body<00:07:34.360> this<00:07:34.440> is<00:07:34.560> supposed<00:07:34.759> to<00:07:34.840> be<00:07:34.960> the 00:07:35.070 --> 00:07:35.080 align:start position:0% in the body this is supposed to be the 00:07:35.080 --> 00:07:37.110 align:start position:0% in the body this is supposed to be the body<00:07:35.520> of<00:07:35.720> the<00:07:35.879> of<00:07:36.000> the<00:07:36.160> page<00:07:36.440> for<00:07:36.599> those<00:07:36.720> of<00:07:36.879> you 00:07:37.110 --> 00:07:37.120 align:start position:0% body of the of the page for those of you 00:07:37.120 --> 00:07:39.230 align:start position:0% body of the of the page for those of you guys<00:07:37.520> I<00:07:37.560> can<00:07:37.720> hear<00:07:37.919> you<00:07:38.080> guys<00:07:38.319> laughing<00:07:38.720> I<00:07:39.120> I'm 00:07:39.230 --> 00:07:39.240 align:start position:0% guys I can hear you guys laughing I I'm 00:07:39.240 --> 00:07:41.790 align:start position:0% guys I can hear you guys laughing I I'm sure<00:07:39.599> I'm<00:07:39.759> sure<00:07:40.560> but<00:07:40.840> um<00:07:41.039> you<00:07:41.120> can<00:07:41.280> see<00:07:41.639> in 00:07:41.790 --> 00:07:41.800 align:start position:0% sure I'm sure but um you can see in 00:07:41.800 --> 00:07:43.869 align:start position:0% sure I'm sure but um you can see in there<00:07:42.039> that<00:07:42.199> there's<00:07:42.520> a<00:07:42.840> a<00:07:43.039> fetch<00:07:43.479> request 00:07:43.869 --> 00:07:43.879 align:start position:0% there that there's a a fetch request 00:07:43.879 --> 00:07:46.550 align:start position:0% there that there's a a fetch request that<00:07:44.039> occurs<00:07:44.720> and<00:07:44.840> it<00:07:44.960> can<00:07:45.199> catenates<00:07:45.800> the<00:07:45.919> ID 00:07:46.550 --> 00:07:46.560 align:start position:0% that occurs and it can catenates the ID 00:07:46.560 --> 00:07:49.749 align:start position:0% that occurs and it can catenates the ID into<00:07:47.560> the<00:07:47.800> path<00:07:48.319> right<00:07:48.639> so<00:07:48.800> we<00:07:48.879> can 00:07:49.749 --> 00:07:49.759 align:start position:0% into the path right so we can 00:07:49.759 --> 00:07:53.029 align:start position:0% into the path right so we can see<00:07:50.759> uh<00:07:51.440> that<00:07:52.039> 1<00:07:52.240> two<00:07:52.479> 3<00:07:52.680> is<00:07:52.800> getting 00:07:53.029 --> 00:07:53.039 align:start position:0% see uh that 1 two 3 is getting 00:07:53.039 --> 00:07:55.550 align:start position:0% see uh that 1 two 3 is getting concatenated<00:07:53.800> with<00:07:54.400> object<00:07:55.039> and<00:07:55.159> then 00:07:55.550 --> 00:07:55.560 align:start position:0% concatenated with object and then 00:07:55.560 --> 00:07:58.149 align:start position:0% concatenated with object and then eventually<00:07:56.000> a<00:07:56.199> get<00:07:56.400> request<00:07:56.759> is<00:07:56.879> sent<00:07:57.120> to<00:07:58.000> um 00:07:58.149 --> 00:07:58.159 align:start position:0% eventually a get request is sent to um 00:07:58.159 --> 00:08:01.230 align:start position:0% eventually a get request is sent to um slob<00:07:58.800> sl12<00:07:59.280> 2<00:07:59.440> three<00:07:59.720> and<00:07:59.800> it<00:07:59.919> loads<00:08:00.240> some<00:08:00.440> data 00:08:01.230 --> 00:08:01.240 align:start position:0% slob sl12 2 three and it loads some data 00:08:01.240 --> 00:08:03.790 align:start position:0% slob sl12 2 three and it loads some data okay<00:08:02.240> so<00:08:02.639> this<00:08:02.720> is<00:08:02.840> a<00:08:02.960> normal<00:08:03.400> you<00:08:03.520> know<00:08:03.639> sort 00:08:03.790 --> 00:08:03.800 align:start position:0% okay so this is a normal you know sort 00:08:03.800 --> 00:08:06.189 align:start position:0% okay so this is a normal you know sort of<00:08:03.960> get<00:08:04.159> based<00:08:04.560> situation<00:08:05.080> here<00:08:05.840> um<00:08:06.000> and 00:08:06.189 --> 00:08:06.199 align:start position:0% of get based situation here um and 00:08:06.199 --> 00:08:08.830 align:start position:0% of get based situation here um and actually<00:08:06.680> that<00:08:07.039> the<00:08:07.560> on<00:08:07.680> the<00:08:07.800> right<00:08:08.039> hand<00:08:08.280> side 00:08:08.830 --> 00:08:08.840 align:start position:0% actually that the on the right hand side 00:08:08.840 --> 00:08:10.710 align:start position:0% actually that the on the right hand side there<00:08:08.960> should<00:08:09.159> be<00:08:09.400> a<00:08:09.639> uh<00:08:09.759> a<00:08:09.840> SEF<00:08:10.319> token<00:08:10.560> being 00:08:10.710 --> 00:08:10.720 align:start position:0% there should be a uh a SEF token being 00:08:10.720 --> 00:08:12.070 align:start position:0% there should be a uh a SEF token being passed<00:08:10.960> here<00:08:11.159> like<00:08:11.280> the<00:08:11.360> ones<00:08:11.560> down<00:08:11.759> here<00:08:12.000> I 00:08:12.070 --> 00:08:12.080 align:start position:0% passed here like the ones down here I 00:08:12.080 --> 00:08:14.990 align:start position:0% passed here like the ones down here I just<00:08:12.280> forgot<00:08:12.479> to<00:08:12.599> update<00:08:12.960> that<00:08:13.840> um<00:08:14.319> so<00:08:14.759> that's 00:08:14.990 --> 00:08:15.000 align:start position:0% just forgot to update that um so that's 00:08:15.000 --> 00:08:17.749 align:start position:0% just forgot to update that um so that's cool<00:08:15.639> because<00:08:16.199> one<00:08:16.479> we<00:08:16.720> get<00:08:16.960> to<00:08:17.159> control<00:08:17.520> the 00:08:17.749 --> 00:08:17.759 align:start position:0% cool because one we get to control the 00:08:17.759 --> 00:08:22.710 align:start position:0% cool because one we get to control the request<00:08:18.759> that<00:08:19.319> uh<00:08:19.840> you<00:08:20.000> know<00:08:21.120> Has<00:08:22.120> A<00:08:22.280> Cerf 00:08:22.710 --> 00:08:22.720 align:start position:0% request that uh you know Has A Cerf 00:08:22.720 --> 00:08:25.350 align:start position:0% request that uh you know Has A Cerf token<00:08:22.919> attached<00:08:23.199> to<00:08:23.360> it<00:08:24.080> so<00:08:24.360> the<00:08:24.520> idea<00:08:24.879> behind 00:08:25.350 --> 00:08:25.360 align:start position:0% token attached to it so the idea behind 00:08:25.360 --> 00:08:28.350 align:start position:0% token attached to it so the idea behind client<00:08:25.720> side<00:08:25.879> path<00:08:26.400> uh<00:08:26.560> path<00:08:26.720> traversal<00:08:27.360> then 00:08:28.350 --> 00:08:28.360 align:start position:0% client side path uh path traversal then 00:08:28.360 --> 00:08:30.390 align:start position:0% client side path uh path traversal then uh<00:08:28.479> sort<00:08:28.599> of<00:08:28.720> graduates<00:08:29.440> this<00:08:29.759> the<00:08:29.919> second<00:08:30.159> one 00:08:30.390 --> 00:08:30.400 align:start position:0% uh sort of graduates this the second one 00:08:30.400 --> 00:08:32.469 align:start position:0% uh sort of graduates this the second one that<00:08:30.520> we've<00:08:30.680> got<00:08:30.840> down<00:08:31.039> here<00:08:31.599> we<00:08:31.720> can<00:08:31.919> use<00:08:32.240> that 00:08:32.469 --> 00:08:32.479 align:start position:0% that we've got down here we can use that 00:08:32.479 --> 00:08:34.350 align:start position:0% that we've got down here we can use that ability<00:08:32.839> to<00:08:33.039> inject<00:08:33.360> into<00:08:33.599> the<00:08:33.760> path<00:08:34.120> to 00:08:34.350 --> 00:08:34.360 align:start position:0% ability to inject into the path to 00:08:34.360 --> 00:08:36.909 align:start position:0% ability to inject into the path to inject<00:08:34.959> a<00:08:35.279> you<00:08:35.399> know<00:08:35.599> a<00:08:35.760> DOT<00:08:36.000> do<00:08:36.200> slash<00:08:36.800> some 00:08:36.909 --> 00:08:36.919 align:start position:0% inject a you know a DOT do slash some 00:08:36.919 --> 00:08:38.909 align:start position:0% inject a you know a DOT do slash some sort<00:08:37.080> of<00:08:37.320> path<00:08:37.479> traversal<00:08:38.279> and<00:08:38.519> hit<00:08:38.760> a 00:08:38.909 --> 00:08:38.919 align:start position:0% sort of path traversal and hit a 00:08:38.919 --> 00:08:41.630 align:start position:0% sort of path traversal and hit a different<00:08:39.200> endpoint<00:08:39.719> in<00:08:39.880> this<00:08:40.360> example<00:08:41.360> I've 00:08:41.630 --> 00:08:41.640 align:start position:0% different endpoint in this example I've 00:08:41.640 --> 00:08:44.790 align:start position:0% different endpoint in this example I've supplied<00:08:42.640> um<00:08:42.880> the<00:08:43.360> do/<00:08:44.039> delete<00:08:44.440> product 00:08:44.790 --> 00:08:44.800 align:start position:0% supplied um the do/ delete product 00:08:44.800 --> 00:08:46.389 align:start position:0% supplied um the do/ delete product endpoint<00:08:45.519> and<00:08:45.600> then<00:08:45.720> I'm<00:08:45.839> able<00:08:46.040> to<00:08:46.160> add<00:08:46.279> a 00:08:46.389 --> 00:08:46.399 align:start position:0% endpoint and then I'm able to add a 00:08:46.399 --> 00:08:47.790 align:start position:0% endpoint and then I'm able to add a question<00:08:46.600> mark<00:08:46.880> again<00:08:47.200> because<00:08:47.480> after<00:08:47.680> the 00:08:47.790 --> 00:08:47.800 align:start position:0% question mark again because after the 00:08:47.800 --> 00:08:49.590 align:start position:0% question mark again because after the first<00:08:48.040> question<00:08:48.279> mark<00:08:48.839> the<00:08:49.040> question<00:08:49.279> mark<00:08:49.480> is 00:08:49.590 --> 00:08:49.600 align:start position:0% first question mark the question mark is 00:08:49.600 --> 00:08:52.870 align:start position:0% first question mark the question mark is just<00:08:49.680> a<00:08:49.839> normal<00:08:50.160> character<00:08:51.080> in<00:08:51.600> um<00:08:51.760> in<00:08:51.880> the<00:08:52.000> URL 00:08:52.870 --> 00:08:52.880 align:start position:0% just a normal character in um in the URL 00:08:52.880 --> 00:08:55.150 align:start position:0% just a normal character in um in the URL so<00:08:53.600> the<00:08:54.000> the<00:08:54.279> the<00:08:54.440> request<00:08:54.760> that<00:08:54.920> actually 00:08:55.150 --> 00:08:55.160 align:start position:0% so the the the request that actually 00:08:55.160 --> 00:08:57.389 align:start position:0% so the the the request that actually gets<00:08:55.399> created<00:08:56.120> is<00:08:56.480> get 00:08:57.389 --> 00:08:57.399 align:start position:0% gets created is get 00:08:57.399 --> 00:08:59.870 align:start position:0% gets created is get slob<00:08:58.399> do<00:08:58.600> do<00:08:59.079> which<00:08:59.200> which<00:08:59.320> deletes<00:08:59.720> the 00:08:59.870 --> 00:08:59.880 align:start position:0% slob do do which which deletes the 00:08:59.880 --> 00:09:02.430 align:start position:0% slob do do which which deletes the object<00:09:00.279> thing<00:09:00.560> part<00:09:00.880> right<00:09:01.320> delete<00:09:01.720> product 00:09:02.430 --> 00:09:02.440 align:start position:0% object thing part right delete product 00:09:02.440 --> 00:09:04.389 align:start position:0% object thing part right delete product question<00:09:02.680> mark<00:09:02.880> ID<00:09:03.120> equals<00:09:03.399> 1<00:09:03.959> and<00:09:04.200> that 00:09:04.389 --> 00:09:04.399 align:start position:0% question mark ID equals 1 and that 00:09:04.399 --> 00:09:07.389 align:start position:0% question mark ID equals 1 and that request<00:09:04.920> Has<00:09:05.160> A<00:09:05.279> Cerf<00:09:05.800> token<00:09:06.120> attached<00:09:06.480> to<00:09:06.640> it 00:09:07.389 --> 00:09:07.399 align:start position:0% request Has A Cerf token attached to it 00:09:07.399 --> 00:09:09.310 align:start position:0% request Has A Cerf token attached to it um<00:09:07.640> now<00:09:07.760> you<00:09:07.839> might<00:09:08.000> be<00:09:08.120> saying<00:09:08.480> probably<00:09:09.079> a 00:09:09.310 --> 00:09:09.320 align:start position:0% um now you might be saying probably a 00:09:09.320 --> 00:09:12.069 align:start position:0% um now you might be saying probably a get<00:09:09.600> request<00:09:10.519> that<00:09:10.800> deletes<00:09:11.279> something<00:09:11.880> even 00:09:12.069 --> 00:09:12.079 align:start position:0% get request that deletes something even 00:09:12.079 --> 00:09:14.310 align:start position:0% get request that deletes something even if<00:09:12.160> the<00:09:12.279> cerve<00:09:12.720> token<00:09:13.000> is<00:09:13.120> required<00:09:13.880> is<00:09:14.040> pretty 00:09:14.310 --> 00:09:14.320 align:start position:0% if the cerve token is required is pretty 00:09:14.320 --> 00:09:15.990 align:start position:0% if the cerve token is required is pretty rare<00:09:14.600> it's<00:09:14.720> a<00:09:14.839> pretty<00:09:15.040> rare<00:09:15.760> uh 00:09:15.990 --> 00:09:16.000 align:start position:0% rare it's a pretty rare uh 00:09:16.000 --> 00:09:17.829 align:start position:0% rare it's a pretty rare uh implementation<00:09:16.920> and<00:09:17.160> yeah<00:09:17.320> that's<00:09:17.519> true 00:09:17.829 --> 00:09:17.839 align:start position:0% implementation and yeah that's true 00:09:17.839 --> 00:09:19.790 align:start position:0% implementation and yeah that's true absolutely<00:09:18.560> and<00:09:18.920> these<00:09:19.079> things<00:09:19.279> are<00:09:19.519> not 00:09:19.790 --> 00:09:19.800 align:start position:0% absolutely and these things are not 00:09:19.800 --> 00:09:22.069 align:start position:0% absolutely and these things are not super<00:09:20.240> trivial<00:09:20.640> to<00:09:20.800> exploit<00:09:21.519> but<00:09:21.640> when<00:09:21.760> you<00:09:21.880> do 00:09:22.069 --> 00:09:22.079 align:start position:0% super trivial to exploit but when you do 00:09:22.079 --> 00:09:24.550 align:start position:0% super trivial to exploit but when you do pull<00:09:22.320> them<00:09:22.480> off<00:09:22.880> one<00:09:23.279> it's<00:09:23.519> so<00:09:23.920> gratifying 00:09:24.550 --> 00:09:24.560 align:start position:0% pull them off one it's so gratifying 00:09:24.560 --> 00:09:25.870 align:start position:0% pull them off one it's so gratifying like<00:09:24.839> the<00:09:24.959> bug<00:09:25.160> that<00:09:25.240> I'm<00:09:25.320> going<00:09:25.440> to<00:09:25.519> show<00:09:25.680> you 00:09:25.870 --> 00:09:25.880 align:start position:0% like the bug that I'm going to show you 00:09:25.880 --> 00:09:27.870 align:start position:0% like the bug that I'm going to show you guys<00:09:26.040> later<00:09:26.399> in<00:09:26.560> this<00:09:27.000> in<00:09:27.120> this<00:09:27.399> uh<00:09:27.560> master 00:09:27.870 --> 00:09:27.880 align:start position:0% guys later in this in this uh master 00:09:27.880 --> 00:09:30.269 align:start position:0% guys later in this in this uh master class<00:09:28.680> is<00:09:28.839> like<00:09:29.240> one<00:09:29.360> of<00:09:29.480> my<00:09:29.640> favorite<00:09:29.959> bugs 00:09:30.269 --> 00:09:30.279 align:start position:0% class is like one of my favorite bugs 00:09:30.279 --> 00:09:32.269 align:start position:0% class is like one of my favorite bugs that<00:09:30.440> I've<00:09:30.640> ever<00:09:30.839> found<00:09:31.279> just<00:09:31.680> and<00:09:31.800> the<00:09:31.920> impact 00:09:32.269 --> 00:09:32.279 align:start position:0% that I've ever found just and the impact 00:09:32.279 --> 00:09:34.910 align:start position:0% that I've ever found just and the impact is<00:09:32.440> not<00:09:32.600> even<00:09:32.839> that<00:09:33.040> great<00:09:33.839> but<00:09:34.160> it's<00:09:34.440> like 00:09:34.910 --> 00:09:34.920 align:start position:0% is not even that great but it's like 00:09:34.920 --> 00:09:38.110 align:start position:0% is not even that great but it's like just<00:09:35.279> when<00:09:35.480> you<00:09:36.240> see<00:09:36.480> it<00:09:36.720> go<00:09:36.920> through<00:09:37.360> you<00:09:37.600> just 00:09:38.110 --> 00:09:38.120 align:start position:0% just when you see it go through you just 00:09:38.120 --> 00:09:42.150 align:start position:0% just when you see it go through you just H<00:09:38.320> you're<00:09:38.480> just<00:09:38.640> so<00:09:38.880> happy<00:09:39.680> okay<00:09:40.440> so<00:09:41.040> um<00:09:42.040> it 00:09:42.150 --> 00:09:42.160 align:start position:0% H you're just so happy okay so um it 00:09:42.160 --> 00:09:43.550 align:start position:0% H you're just so happy okay so um it definitely<00:09:42.480> takes<00:09:42.680> some<00:09:42.920> gadgets<00:09:43.399> that<00:09:43.480> you 00:09:43.550 --> 00:09:43.560 align:start position:0% definitely takes some gadgets that you 00:09:43.560 --> 00:09:46.350 align:start position:0% definitely takes some gadgets that you need<00:09:43.720> to<00:09:43.880> find<00:09:44.320> you<00:09:44.440> know<00:09:44.640> in<00:09:44.880> the<00:09:45.200> uh<00:09:45.800> in<00:09:46.200> the 00:09:46.350 --> 00:09:46.360 align:start position:0% need to find you know in the uh in the 00:09:46.360 --> 00:09:47.870 align:start position:0% need to find you know in the uh in the application<00:09:46.800> to<00:09:46.959> get<00:09:47.120> everything<00:09:47.360> to<00:09:47.480> trigger 00:09:47.870 --> 00:09:47.880 align:start position:0% application to get everything to trigger 00:09:47.880 --> 00:09:50.949 align:start position:0% application to get everything to trigger properly<00:09:48.839> um<00:09:49.079> but<00:09:49.240> once<00:09:49.399> you<00:09:49.600> do<00:09:50.600> it's<00:09:50.800> it's 00:09:50.949 --> 00:09:50.959 align:start position:0% properly um but once you do it's it's 00:09:50.959 --> 00:09:53.150 align:start position:0% properly um but once you do it's it's really<00:09:51.160> clutch<00:09:51.880> so<00:09:52.480> that's<00:09:52.640> the<00:09:52.800> basic 00:09:53.150 --> 00:09:53.160 align:start position:0% really clutch so that's the basic 00:09:53.160 --> 00:09:56.509 align:start position:0% really clutch so that's the basic concept<00:09:53.720> of<00:09:54.279> um<00:09:55.279> client<00:09:55.640> side<00:09:55.800> path<00:09:56.000> reversal 00:09:56.509 --> 00:09:56.519 align:start position:0% concept of um client side path reversal 00:09:56.519 --> 00:09:59.829 align:start position:0% concept of um client side path reversal you<00:09:56.680> have<00:09:56.920> some<00:09:57.320> way<00:09:57.560> to<00:09:57.839> affect<00:09:58.760> the 00:09:59.829 --> 00:09:59.839 align:start position:0% you have some way to affect the 00:09:59.839 --> 00:10:02.550 align:start position:0% you have some way to affect the uh<00:10:00.839> the<00:10:01.079> path<00:10:01.399> of<00:10:01.560> a<00:10:01.720> fetch<00:10:02.040> request<00:10:02.360> that<00:10:02.440> is 00:10:02.550 --> 00:10:02.560 align:start position:0% uh the path of a fetch request that is 00:10:02.560 --> 00:10:04.550 align:start position:0% uh the path of a fetch request that is being<00:10:02.760> made<00:10:03.000> or<00:10:03.399> you<00:10:03.480> know<00:10:03.680> Ajax<00:10:04.160> request<00:10:04.440> or 00:10:04.550 --> 00:10:04.560 align:start position:0% being made or you know Ajax request or 00:10:04.560 --> 00:10:08.470 align:start position:0% being made or you know Ajax request or XML<00:10:05.160> you<00:10:05.279> know<00:10:05.480> whatever<00:10:06.480> um<00:10:07.279> and<00:10:08.000> then<00:10:08.320> and 00:10:08.470 --> 00:10:08.480 align:start position:0% XML you know whatever um and then and 00:10:08.480 --> 00:10:09.990 align:start position:0% XML you know whatever um and then and that<00:10:08.640> request<00:10:08.920> has<00:10:09.040> a<00:10:09.120> cerve<00:10:09.519> token<00:10:09.720> attached 00:10:09.990 --> 00:10:10.000 align:start position:0% that request has a cerve token attached 00:10:10.000 --> 00:10:11.590 align:start position:0% that request has a cerve token attached to<00:10:10.120> it<00:10:10.200> or<00:10:10.320> some<00:10:10.600> other<00:10:10.800> sort<00:10:11.000> of<00:10:11.200> additional 00:10:11.590 --> 00:10:11.600 align:start position:0% to it or some other sort of additional 00:10:11.600 --> 00:10:15.110 align:start position:0% to it or some other sort of additional Authority<00:10:12.040> attached<00:10:12.360> to<00:10:12.480> it<00:10:13.240> and<00:10:13.839> um<00:10:14.839> and<00:10:15.000> then 00:10:15.110 --> 00:10:15.120 align:start position:0% Authority attached to it and um and then 00:10:15.120 --> 00:10:16.870 align:start position:0% Authority attached to it and um and then you're<00:10:15.279> able<00:10:15.440> to<00:10:15.600> leverage<00:10:16.079> that<00:10:16.399> to<00:10:16.600> hit<00:10:16.720> a 00:10:16.870 --> 00:10:16.880 align:start position:0% you're able to leverage that to hit a 00:10:16.880 --> 00:10:19.509 align:start position:0% you're able to leverage that to hit a different<00:10:17.279> endpoint<00:10:18.279> and<00:10:18.800> cause<00:10:19.120> some 00:10:19.509 --> 00:10:19.519 align:start position:0% different endpoint and cause some 00:10:19.519 --> 00:10:22.190 align:start position:0% different endpoint and cause some negative<00:10:19.959> effect<00:10:20.480> that's<00:10:20.640> the<00:10:20.959> concept<00:10:21.959> um 00:10:22.190 --> 00:10:22.200 align:start position:0% negative effect that's the concept um 00:10:22.200 --> 00:10:24.710 align:start position:0% negative effect that's the concept um and<00:10:22.320> I<00:10:22.399> will<00:10:22.680> note<00:10:22.920> as<00:10:23.120> well<00:10:23.360> that<00:10:23.600> when<00:10:24.000> the<00:10:24.200> ID 00:10:24.710 --> 00:10:24.720 align:start position:0% and I will note as well that when the ID 00:10:24.720 --> 00:10:25.990 align:start position:0% and I will note as well that when the ID you<00:10:24.800> know<00:10:24.959> in<00:10:25.079> this<00:10:25.200> scenario<00:10:25.600> we've<00:10:25.760> got<00:10:25.880> it 00:10:25.990 --> 00:10:26.000 align:start position:0% you know in this scenario we've got it 00:10:26.000 --> 00:10:28.150 align:start position:0% you know in this scenario we've got it in<00:10:26.079> the<00:10:26.200> query<00:10:26.519> parameter<00:10:27.360> when<00:10:27.519> it's<00:10:27.760> in<00:10:27.920> the 00:10:28.150 --> 00:10:28.160 align:start position:0% in the query parameter when it's in the 00:10:28.160 --> 00:10:30.630 align:start position:0% in the query parameter when it's in the path<00:10:28.480> the<00:10:28.600> actual<00:10:28.839> path<00:10:29.320> itself<00:10:30.200> in<00:10:30.279> order<00:10:30.519> to 00:10:30.630 --> 00:10:30.640 align:start position:0% path the actual path itself in order to 00:10:30.640 --> 00:10:32.870 align:start position:0% path the actual path itself in order to do<00:10:30.800> a<00:10:30.920> path<00:10:31.079> traval<00:10:31.560> you<00:10:31.720> may<00:10:31.880> need<00:10:32.040> to 00:10:32.870 --> 00:10:32.880 align:start position:0% do a path traval you may need to 00:10:32.880 --> 00:10:35.710 align:start position:0% do a path traval you may need to encode<00:10:33.880> the<00:10:34.320> uh<00:10:34.440> percent<00:10:34.720> 2f<00:10:35.200> or<00:10:35.320> maybe<00:10:35.560> even 00:10:35.710 --> 00:10:35.720 align:start position:0% encode the uh percent 2f or maybe even 00:10:35.720 --> 00:10:37.590 align:start position:0% encode the uh percent 2f or maybe even use<00:10:35.839> a<00:10:36.040> backslash<00:10:36.480> or<00:10:36.639> something<00:10:36.920> like<00:10:37.120> that 00:10:37.590 --> 00:10:37.600 align:start position:0% use a backslash or something like that 00:10:37.600 --> 00:10:39.350 align:start position:0% use a backslash or something like that so<00:10:37.839> that<00:10:38.040> the<00:10:38.200> actual<00:10:38.519> path<00:10:38.760> is<00:10:38.880> not<00:10:39.000> perceived 00:10:39.350 --> 00:10:39.360 align:start position:0% so that the actual path is not perceived 00:10:39.360 --> 00:10:42.350 align:start position:0% so that the actual path is not perceived to<00:10:39.440> be<00:10:39.680> different<00:10:40.680> uh<00:10:40.959> by<00:10:41.399> by<00:10:41.639> the<00:10:42.079> the<00:10:42.240> back 00:10:42.350 --> 00:10:42.360 align:start position:0% to be different uh by by the the back 00:10:42.360 --> 00:10:44.389 align:start position:0% to be different uh by by the the back end<00:10:42.560> of<00:10:42.680> the<00:10:42.760> server<00:10:43.120> that<00:10:43.240> you're<00:10:43.839> actually 00:10:44.389 --> 00:10:44.399 align:start position:0% end of the server that you're actually 00:10:44.399 --> 00:10:47.230 align:start position:0% end of the server that you're actually interacting<00:10:44.880> with<00:10:45.839> um<00:10:46.480> but<00:10:46.680> when<00:10:46.839> the<00:10:46.959> time<00:10:47.120> it 00:10:47.230 --> 00:10:47.240 align:start position:0% interacting with um but when the time it 00:10:47.240 --> 00:10:49.230 align:start position:0% interacting with um but when the time it reaches<00:10:47.560> the<00:10:47.680> sync<00:10:47.920> of<00:10:48.040> the<00:10:48.120> fetch<00:10:48.480> request<00:10:49.120> it 00:10:49.230 --> 00:10:49.240 align:start position:0% reaches the sync of the fetch request it 00:10:49.240 --> 00:10:51.949 align:start position:0% reaches the sync of the fetch request it will<00:10:49.399> be<00:10:49.600> perceived<00:10:50.079> as<00:10:50.279> something<00:10:50.680> that<00:10:51.360> um 00:10:51.949 --> 00:10:51.959 align:start position:0% will be perceived as something that um 00:10:51.959 --> 00:10:54.110 align:start position:0% will be perceived as something that um can<00:10:52.360> cause<00:10:52.560> a<00:10:52.680> path<00:10:52.839> to<00:10:53.000> veral<00:10:53.760> inside<00:10:54.000> the 00:10:54.110 --> 00:10:54.120 align:start position:0% can cause a path to veral inside the 00:10:54.120 --> 00:10:56.910 align:start position:0% can cause a path to veral inside the fetch<00:10:54.839> request<00:10:55.839> hope<00:10:56.000> that's<00:10:56.200> clear<00:10:56.680> if<00:10:56.800> not 00:10:56.910 --> 00:10:56.920 align:start position:0% fetch request hope that's clear if not 00:10:56.920 --> 00:10:58.910 align:start position:0% fetch request hope that's clear if not we'll<00:10:57.079> cover<00:10:57.320> it<00:10:57.440> a<00:10:57.560> little<00:10:57.680> bit<00:10:57.839> more<00:10:58.040> later 00:10:58.910 --> 00:10:58.920 align:start position:0% we'll cover it a little bit more later 00:10:58.920 --> 00:11:01.030 align:start position:0% we'll cover it a little bit more later um<00:10:59.120> um<00:10:59.320> any<00:10:59.519> questions<00:10:59.839> so<00:11:00.079> far<00:11:00.519> you<00:11:00.680> guys<00:11:00.839> can 00:11:01.030 --> 00:11:01.040 align:start position:0% um um any questions so far you guys can 00:11:01.040 --> 00:11:02.629 align:start position:0% um um any questions so far you guys can either<00:11:01.440> you<00:11:01.839> you<00:11:01.959> guys<00:11:02.079> can<00:11:02.200> just<00:11:02.320> drop<00:11:02.519> them 00:11:02.629 --> 00:11:02.639 align:start position:0% either you you guys can just drop them 00:11:02.639 --> 00:11:16.949 align:start position:0% either you you guys can just drop them in<00:11:02.760> the<00:11:02.880> chat<00:11:03.079> if<00:11:03.160> you've<00:11:03.320> got<00:11:03.480> any 00:11:16.949 --> 00:11:16.959 align:start position:0% 00:11:16.959 --> 00:11:18.629 align:start position:0% questions<00:11:17.959> okay<00:11:18.079> we've<00:11:18.240> got<00:11:18.360> a<00:11:18.440> great 00:11:18.629 --> 00:11:18.639 align:start position:0% questions okay we've got a great 00:11:18.639 --> 00:11:20.230 align:start position:0% questions okay we've got a great question<00:11:18.880> from<00:11:19.040> xss<00:11:19.600> doctor<00:11:19.880> as<00:11:20.000> far<00:11:20.120> as 00:11:20.230 --> 00:11:20.240 align:start position:0% question from xss doctor as far as 00:11:20.240 --> 00:11:21.910 align:start position:0% question from xss doctor as far as encoding<00:11:20.720> what<00:11:20.880> other<00:11:21.079> things<00:11:21.360> do<00:11:21.480> you<00:11:21.639> try 00:11:21.910 --> 00:11:21.920 align:start position:0% encoding what other things do you try 00:11:21.920 --> 00:11:24.069 align:start position:0% encoding what other things do you try other<00:11:22.120> than<00:11:22.279> percent<00:11:22.560> 2f<00:11:23.160> in<00:11:23.360> double<00:11:23.600> encoding 00:11:24.069 --> 00:11:24.079 align:start position:0% other than percent 2f in double encoding 00:11:24.079 --> 00:11:28.670 align:start position:0% other than percent 2f in double encoding dou<00:11:24.600> encoding<00:11:25.519> uh<00:11:25.680> yeah<00:11:25.839> percent<00:11:26.160> 2f<00:11:27.519> um<00:11:28.519> uh 00:11:28.670 --> 00:11:28.680 align:start position:0% dou encoding uh yeah percent 2f um uh 00:11:28.680 --> 00:11:30.470 align:start position:0% dou encoding uh yeah percent 2f um uh you<00:11:28.800> know<00:11:29.079> percent<00:11:29.320> 252f<00:11:30.079> right<00:11:30.240> like<00:11:30.360> you 00:11:30.470 --> 00:11:30.480 align:start position:0% you know percent 252f right like you 00:11:30.480 --> 00:11:33.310 align:start position:0% you know percent 252f right like you said<00:11:30.959> uh<00:11:31.120> percent<00:11:31.399> 5c<00:11:31.880> or<00:11:32.000> the<00:11:32.120> backslash<00:11:33.120> uh 00:11:33.310 --> 00:11:33.320 align:start position:0% said uh percent 5c or the backslash uh 00:11:33.320 --> 00:11:35.670 align:start position:0% said uh percent 5c or the backslash uh that's<00:11:33.560> that's<00:11:33.720> another<00:11:33.959> great<00:11:34.120> one<00:11:34.279> to<00:11:34.680> try 00:11:35.670 --> 00:11:35.680 align:start position:0% that's that's another great one to try 00:11:35.680 --> 00:11:38.430 align:start position:0% that's that's another great one to try um<00:11:36.040> I<00:11:36.120> will<00:11:36.360> also<00:11:36.639> note<00:11:37.000> that<00:11:37.600> using<00:11:38.040> things 00:11:38.430 --> 00:11:38.440 align:start position:0% um I will also note that using things 00:11:38.440 --> 00:11:41.990 align:start position:0% um I will also note that using things like<00:11:38.760> the<00:11:39.480> hashtag<00:11:40.480> um<00:11:40.920> you<00:11:41.040> know<00:11:41.240> for<00:11:41.839> for 00:11:41.990 --> 00:11:42.000 align:start position:0% like the hashtag um you know for for 00:11:42.000 --> 00:11:43.870 align:start position:0% like the hashtag um you know for for truncating<00:11:42.839> the<00:11:43.040> request<00:11:43.360> and<00:11:43.519> that<00:11:43.639> sort<00:11:43.760> of 00:11:43.870 --> 00:11:43.880 align:start position:0% truncating the request and that sort of 00:11:43.880 --> 00:11:45.190 align:start position:0% truncating the request and that sort of thing<00:11:44.000> is<00:11:44.160> extremely<00:11:44.560> helpful<00:11:44.839> as<00:11:45.000> well<00:11:45.120> as 00:11:45.190 --> 00:11:45.200 align:start position:0% thing is extremely helpful as well as 00:11:45.200 --> 00:11:46.430 align:start position:0% thing is extremely helpful as well as the<00:11:45.320> question<00:11:45.519> mark<00:11:45.760> can<00:11:45.880> also<00:11:46.000> be<00:11:46.079> used<00:11:46.279> for 00:11:46.430 --> 00:11:46.440 align:start position:0% the question mark can also be used for 00:11:46.440 --> 00:11:47.430 align:start position:0% the question mark can also be used for that<00:11:46.560> purpose<00:11:46.839> if<00:11:46.920> you're<00:11:47.079> not<00:11:47.240> already 00:11:47.430 --> 00:11:47.440 align:start position:0% that purpose if you're not already 00:11:47.440 --> 00:11:50.590 align:start position:0% that purpose if you're not already smuggling<00:11:47.880> in<00:11:48.040> parameters<00:11:48.639> so<00:11:49.560> um<00:11:50.279> that<00:11:50.480> those 00:11:50.590 --> 00:11:50.600 align:start position:0% smuggling in parameters so um that those 00:11:50.600 --> 00:11:53.509 align:start position:0% smuggling in parameters so um that those are<00:11:51.160> interesting<00:11:51.560> things<00:11:51.720> to<00:11:52.160> try<00:11:53.160> um<00:11:53.320> as<00:11:53.399> far 00:11:53.509 --> 00:11:53.519 align:start position:0% are interesting things to try um as far 00:11:53.519 --> 00:11:55.629 align:start position:0% are interesting things to try um as far as<00:11:53.680> encoding<00:11:54.160> goes<00:11:54.720> besides<00:11:55.160> that<00:11:55.360> the<00:11:55.480> only 00:11:55.629 --> 00:11:55.639 align:start position:0% as encoding goes besides that the only 00:11:55.639 --> 00:11:57.590 align:start position:0% as encoding goes besides that the only other<00:11:55.839> thing<00:11:56.000> that<00:11:56.120> I<00:11:56.240> can<00:11:56.519> think<00:11:56.760> of 00:11:57.590 --> 00:11:57.600 align:start position:0% other thing that I can think of 00:11:57.600 --> 00:12:00.430 align:start position:0% other thing that I can think of conceivably<00:11:58.200> happening<00:11:58.800> is 00:12:00.430 --> 00:12:00.440 align:start position:0% conceivably happening is 00:12:00.440 --> 00:12:02.470 align:start position:0% conceivably happening is is 00:12:02.470 --> 00:12:02.480 align:start position:0% is 00:12:02.480 --> 00:12:05.910 align:start position:0% is if<00:12:03.720> yeah<00:12:04.720> that<00:12:04.959> that<00:12:05.040> would<00:12:05.160> be<00:12:05.279> a<00:12:05.399> really<00:12:05.639> rare 00:12:05.910 --> 00:12:05.920 align:start position:0% if yeah that that would be a really rare 00:12:05.920 --> 00:12:07.470 align:start position:0% if yeah that that would be a really rare situation<00:12:06.480> though<00:12:06.760> um<00:12:07.000> there<00:12:07.120> are<00:12:07.279> some 00:12:07.470 --> 00:12:07.480 align:start position:0% situation though um there are some 00:12:07.480 --> 00:12:09.230 align:start position:0% situation though um there are some situations<00:12:07.959> in<00:12:08.120> which<00:12:08.279> Unicode<00:12:08.760> code<00:12:09.079> Point 00:12:09.230 --> 00:12:09.240 align:start position:0% situations in which Unicode code Point 00:12:09.240 --> 00:12:12.069 align:start position:0% situations in which Unicode code Point encoding<00:12:10.240> may<00:12:10.560> work 00:12:12.069 --> 00:12:12.079 align:start position:0% encoding may work 00:12:12.079 --> 00:12:14.750 align:start position:0% encoding may work um<00:12:13.079> and<00:12:13.399> and<00:12:13.639> that<00:12:14.000> that<00:12:14.120> could<00:12:14.279> be<00:12:14.399> something 00:12:14.750 --> 00:12:14.760 align:start position:0% um and and that that could be something 00:12:14.760 --> 00:12:16.310 align:start position:0% um and and that that could be something that<00:12:15.000> could<00:12:15.120> be<00:12:15.240> interesting<00:12:15.639> so<00:12:15.959> you<00:12:16.040> know 00:12:16.310 --> 00:12:16.320 align:start position:0% that could be interesting so you know 00:12:16.320 --> 00:12:19.430 align:start position:0% that could be interesting so you know back<00:12:16.760> back<00:12:17.000> slash<00:12:17.680> U<00:12:18.680> you<00:12:18.800> know<00:12:18.959> and<00:12:19.079> then<00:12:19.320> a 00:12:19.430 --> 00:12:19.440 align:start position:0% back back slash U you know and then a 00:12:19.440 --> 00:12:25.230 align:start position:0% back back slash U you know and then a four<00:12:20.440> integer<00:12:20.920> or<00:12:21.120> four<00:12:21.639> um<00:12:22.880> U<00:12:23.880> uh<00:12:24.240> character 00:12:25.230 --> 00:12:25.240 align:start position:0% four integer or four um U uh character 00:12:25.240 --> 00:12:27.150 align:start position:0% four integer or four um U uh character string<00:12:25.680> after<00:12:25.920> that<00:12:26.079> to<00:12:26.240> represent<00:12:26.920> what 00:12:27.150 --> 00:12:27.160 align:start position:0% string after that to represent what 00:12:27.160 --> 00:12:28.509 align:start position:0% string after that to represent what character<00:12:27.480> you're<00:12:27.639> looking<00:12:27.839> for<00:12:28.279> uh<00:12:28.360> I've 00:12:28.509 --> 00:12:28.519 align:start position:0% character you're looking for uh I've 00:12:28.519 --> 00:12:30.590 align:start position:0% character you're looking for uh I've also<00:12:28.680> seen<00:12:29.000> that<00:12:29.160> work<00:12:29.360> in<00:12:29.480> some<00:12:29.680> scenarios 00:12:30.590 --> 00:12:30.600 align:start position:0% also seen that work in some scenarios 00:12:30.600 --> 00:12:31.670 align:start position:0% also seen that work in some scenarios where<00:12:30.760> they're<00:12:30.920> doing<00:12:31.120> something<00:12:31.360> weird<00:12:31.560> with 00:12:31.670 --> 00:12:31.680 align:start position:0% where they're doing something weird with 00:12:31.680 --> 00:12:33.550 align:start position:0% where they're doing something weird with the<00:12:31.800> JavaScript<00:12:32.360> and<00:12:32.480> it<00:12:32.600> ends<00:12:32.800> up<00:12:32.959> rendering 00:12:33.550 --> 00:12:33.560 align:start position:0% the JavaScript and it ends up rendering 00:12:33.560 --> 00:12:37.150 align:start position:0% the JavaScript and it ends up rendering that<00:12:34.120> that<00:12:34.320> Unicode<00:12:35.320> thing<00:12:36.320> um<00:12:36.880> Matrix 00:12:37.150 --> 00:12:37.160 align:start position:0% that that Unicode thing um Matrix 00:12:37.160 --> 00:12:39.590 align:start position:0% that that Unicode thing um Matrix parameters<00:12:37.600> in<00:12:37.800> strings 00:12:39.590 --> 00:12:39.600 align:start position:0% parameters in strings 00:12:39.600 --> 00:12:42.230 align:start position:0% parameters in strings to<00:12:40.600> uh<00:12:40.800> y<00:12:41.040> absolutely<00:12:41.519> Matrix<00:12:41.839> parameters 00:12:42.230 --> 00:12:42.240 align:start position:0% to uh y absolutely Matrix parameters 00:12:42.240 --> 00:12:43.910 align:start position:0% to uh y absolutely Matrix parameters that's<00:12:42.360> what<00:12:42.440> I<00:12:42.519> meant<00:12:42.720> by<00:12:42.880> path<00:12:43.079> parameters 00:12:43.910 --> 00:12:43.920 align:start position:0% that's what I meant by path parameters 00:12:43.920 --> 00:12:46.389 align:start position:0% that's what I meant by path parameters um<00:12:44.320> Matrix<00:12:44.680> parameters<00:12:45.160> another<00:12:45.360> name<00:12:45.519> for 00:12:46.389 --> 00:12:46.399 align:start position:0% um Matrix parameters another name for 00:12:46.399 --> 00:12:50.829 align:start position:0% um Matrix parameters another name for those 00:12:50.829 --> 00:12:50.839 align:start position:0% 00:12:50.839 --> 00:12:53.189 align:start position:0% um<00:12:51.839> yeah<00:12:52.040> and<00:12:52.199> absolutely<00:12:52.680> of<00:12:52.800> course<00:12:53.000> you<00:12:53.079> can 00:12:53.189 --> 00:12:53.199 align:start position:0% um yeah and absolutely of course you can 00:12:53.199 --> 00:12:54.590 align:start position:0% um yeah and absolutely of course you can mess<00:12:53.399> around<00:12:53.600> with<00:12:53.720> the<00:12:53.839> encoding<00:12:54.240> for<00:12:54.440> the 00:12:54.590 --> 00:12:54.600 align:start position:0% mess around with the encoding for the 00:12:54.600 --> 00:12:56.949 align:start position:0% mess around with the encoding for the dot<00:12:54.920> as<00:12:55.040> well<00:12:55.399> that's<00:12:55.519> a<00:12:55.720> that's<00:12:55.839> a<00:12:55.959> good<00:12:56.120> idea 00:12:56.949 --> 00:12:56.959 align:start position:0% dot as well that's a that's a good idea 00:12:56.959 --> 00:12:58.350 align:start position:0% dot as well that's a that's a good idea um<00:12:57.120> and<00:12:57.240> then<00:12:57.399> also<00:12:57.680> you<00:12:57.800> know<00:12:58.000> of<00:12:58.120> course 00:12:58.350 --> 00:12:58.360 align:start position:0% um and then also you know of course 00:12:58.360 --> 00:13:02.150 align:start position:0% um and then also you know of course we've<00:12:58.560> got<00:12:59.000> um<00:12:59.880> what<00:13:00.000> is<00:13:00.120> it<00:13:00.440> uh<00:13:00.839> oranges<00:13:01.839> dot 00:13:02.150 --> 00:13:02.160 align:start position:0% we've got um what is it uh oranges dot 00:13:02.160 --> 00:13:04.350 align:start position:0% we've got um what is it uh oranges dot dot<00:13:02.360> semicolon<00:13:03.240> thing<00:13:03.600> yeah<00:13:03.880> I<00:13:03.959> think<00:13:04.160> that's 00:13:04.350 --> 00:13:04.360 align:start position:0% dot semicolon thing yeah I think that's 00:13:04.360 --> 00:13:05.750 align:start position:0% dot semicolon thing yeah I think that's probably<00:13:04.680> what<00:13:04.760> you're<00:13:04.920> talking<00:13:05.120> about<00:13:05.320> raic 00:13:05.750 --> 00:13:05.760 align:start position:0% probably what you're talking about raic 00:13:05.760 --> 00:13:11.110 align:start position:0% probably what you're talking about raic now<00:13:05.880> that<00:13:06.040> I'm<00:13:06.600> now<00:13:06.880> that<00:13:07.079> I'm<00:13:07.399> uh<00:13:07.680> coming<00:13:07.920> to 00:13:11.110 --> 00:13:11.120 align:start position:0% 00:13:11.120 --> 00:13:14.710 align:start position:0% it<00:13:12.120> cool<00:13:13.079> any<00:13:13.279> other<00:13:13.519> questions<00:13:14.440> before<00:13:14.639> we 00:13:14.710 --> 00:13:14.720 align:start position:0% it cool any other questions before we 00:13:14.720 --> 00:13:18.230 align:start position:0% it cool any other questions before we move<00:13:14.880> on<00:13:15.000> to<00:13:15.079> the<00:13:15.199> next 00:13:18.230 --> 00:13:18.240 align:start position:0% 00:13:18.240 --> 00:13:20.069 align:start position:0% section<00:13:19.240> all<00:13:19.360> righty<00:13:19.600> you<00:13:19.680> guys<00:13:19.800> are<00:13:19.880> going<00:13:19.959> to 00:13:20.069 --> 00:13:20.079 align:start position:0% section all righty you guys are going to 00:13:20.079 --> 00:13:21.629 align:start position:0% section all righty you guys are going to get<00:13:20.160> to<00:13:20.240> see<00:13:20.440> my<00:13:20.720> super 00:13:21.629 --> 00:13:21.639 align:start position:0% get to see my super 00:13:21.639 --> 00:13:25.550 align:start position:0% get to see my super secret<00:13:22.639> uh<00:13:22.839> planning<00:13:23.279> document<00:13:23.680> here<00:13:24.000> okay<00:13:24.959> so 00:13:25.550 --> 00:13:25.560 align:start position:0% secret uh planning document here okay so 00:13:25.560 --> 00:13:26.829 align:start position:0% secret uh planning document here okay so uh<00:13:25.839> the<00:13:25.959> next<00:13:26.160> section<00:13:26.399> that<00:13:26.519> we're<00:13:26.639> going<00:13:26.720> to 00:13:26.829 --> 00:13:26.839 align:start position:0% uh the next section that we're going to 00:13:26.839 --> 00:13:28.430 align:start position:0% uh the next section that we're going to talk<00:13:27.000> about<00:13:27.320> then<00:13:27.600> is<00:13:27.800> how<00:13:28.000> exactly<00:13:28.279> to 00:13:28.430 --> 00:13:28.440 align:start position:0% talk about then is how exactly to 00:13:28.440 --> 00:13:31.269 align:start position:0% talk about then is how exactly to identify<00:13:29.000> these<00:13:29.079> vulnerabilities<00:13:30.120> um<00:13:31.120> and 00:13:31.269 --> 00:13:31.279 align:start position:0% identify these vulnerabilities um and 00:13:31.279 --> 00:13:34.509 align:start position:0% identify these vulnerabilities um and we're<00:13:31.399> going<00:13:31.480> to<00:13:31.639> do<00:13:31.800> that<00:13:32.079> via<00:13:32.639> some 00:13:34.509 --> 00:13:34.519 align:start position:0% we're going to do that via some 00:13:34.519 --> 00:13:37.590 align:start position:0% we're going to do that via some exercises<00:13:35.519> so<00:13:36.279> uh<00:13:36.560> I'm<00:13:36.880> going<00:13:37.040> to<00:13:37.279> go<00:13:37.399> ahead 00:13:37.590 --> 00:13:37.600 align:start position:0% exercises so uh I'm going to go ahead 00:13:37.600 --> 00:13:39.310 align:start position:0% exercises so uh I'm going to go ahead and<00:13:37.800> give<00:13:37.959> you 00:13:39.310 --> 00:13:39.320 align:start position:0% and give you 00:13:39.320 --> 00:13:45.990 align:start position:0% and give you guys<00:13:40.320> this 00:13:45.990 --> 00:13:46.000 align:start position:0% 00:13:46.000 --> 00:13:47.990 align:start position:0% URL<00:13:47.000> this 00:13:47.990 --> 00:13:48.000 align:start position:0% URL this 00:13:48.000 --> 00:13:50.269 align:start position:0% URL this URL<00:13:49.000> actually<00:13:49.279> I'm<00:13:49.360> going<00:13:49.480> to<00:13:49.639> stop<00:13:49.800> sharing 00:13:50.269 --> 00:13:50.279 align:start position:0% URL actually I'm going to stop sharing 00:13:50.279 --> 00:13:53.470 align:start position:0% URL actually I'm going to stop sharing because<00:13:50.600> this<00:13:50.800> has<00:13:51.079> the<00:13:51.639> the<00:13:51.800> solution<00:13:52.240> on<00:13:52.480> it 00:13:53.470 --> 00:13:53.480 align:start position:0% because this has the the solution on it 00:13:53.480 --> 00:13:55.150 align:start position:0% because this has the the solution on it uh<00:13:53.639> so<00:13:53.839> you<00:13:54.000> guys<00:13:54.160> can<00:13:54.360> go<00:13:54.480> ahead<00:13:54.680> and<00:13:54.880> take<00:13:55.000> a 00:13:55.150 --> 00:13:55.160 align:start position:0% uh so you guys can go ahead and take a 00:13:55.160 --> 00:13:58.069 align:start position:0% uh so you guys can go ahead and take a look<00:13:55.279> at<00:13:55.519> those<00:13:56.160> those<00:13:56.279> are<00:13:56.519> two<00:13:57.040> little<00:13:57.600> um 00:13:58.069 --> 00:13:58.079 align:start position:0% look at those those are two little um 00:13:58.079 --> 00:13:59.870 align:start position:0% look at those those are two little um exercises<00:13:58.800> that<00:13:59.000> I<00:13:59.160> have<00:13:59.440> kind<00:13:59.519> of<00:13:59.639> put 00:13:59.870 --> 00:13:59.880 align:start position:0% exercises that I have kind of put 00:13:59.880 --> 00:14:02.470 align:start position:0% exercises that I have kind of put together<00:14:00.079> for<00:14:00.279> you<00:14:00.480> guys<00:14:01.480> um<00:14:01.759> so<00:14:02.000> the<00:14:02.160> first 00:14:02.470 --> 00:14:02.480 align:start position:0% together for you guys um so the first 00:14:02.480 --> 00:14:05.509 align:start position:0% together for you guys um so the first one<00:14:03.480> let<00:14:03.600> me<00:14:03.800> go<00:14:03.920> ahead<00:14:04.279> and 00:14:05.509 --> 00:14:05.519 align:start position:0% one let me go ahead and 00:14:05.519 --> 00:14:14.550 align:start position:0% one let me go ahead and get<00:14:06.519> a<00:14:07.160> browser<00:14:07.720> tab<00:14:08.160> open 00:14:14.550 --> 00:14:14.560 align:start position:0% 00:14:14.560 --> 00:14:17.710 align:start position:0% here 00:14:17.710 --> 00:14:17.720 align:start position:0% 00:14:17.720 --> 00:14:23.030 align:start position:0% um<00:14:18.720> is<00:14:18.839> that<00:14:18.959> 404ing<00:14:19.560> for<00:14:19.720> you 00:14:23.030 --> 00:14:23.040 align:start position:0% 00:14:23.040 --> 00:14:26.790 align:start position:0% guys<00:14:24.040> ah<00:14:24.639> I<00:14:24.720> wonder<00:14:25.040> if<00:14:25.240> I 00:14:26.790 --> 00:14:26.800 align:start position:0% guys ah I wonder if I 00:14:26.800 --> 00:14:30.629 align:start position:0% guys ah I wonder if I um<00:14:27.800> you<00:14:28.000> know 00:14:30.629 --> 00:14:30.639 align:start position:0% um you know 00:14:30.639 --> 00:14:33.590 align:start position:0% um you know I<00:14:30.759> think<00:14:31.040> I 00:14:33.590 --> 00:14:33.600 align:start position:0% 00:14:33.600 --> 00:14:38.069 align:start position:0% used<00:14:34.600> move<00:14:35.120> instead<00:14:35.399> of<00:14:35.600> copy<00:14:36.240> which<00:14:36.480> is<00:14:37.480> an<00:14:37.680> L 00:14:38.069 --> 00:14:38.079 align:start position:0% used move instead of copy which is an L 00:14:38.079 --> 00:14:41.030 align:start position:0% used move instead of copy which is an L for 00:14:41.030 --> 00:14:41.040 align:start position:0% 00:14:41.040 --> 00:14:43.189 align:start position:0% sure 00:14:43.189 --> 00:14:43.199 align:start position:0% sure 00:14:43.199 --> 00:14:47.269 align:start position:0% sure um<00:14:44.199> yeah<00:14:44.360> I<00:14:44.480> did<00:14:45.160> Heck<00:14:46.160> so<00:14:46.440> give<00:14:46.519> me<00:14:46.720> just<00:14:46.839> a<00:14:47.000> sec 00:14:47.269 --> 00:14:47.279 align:start position:0% um yeah I did Heck so give me just a sec 00:14:47.279 --> 00:14:57.670 align:start position:0% um yeah I did Heck so give me just a sec and<00:14:47.399> I'll<00:14:48.079> uh<00:14:49.079> get<00:14:49.279> that<00:14:49.480> back 00:14:57.670 --> 00:14:57.680 align:start position:0% 00:14:57.680 --> 00:15:05.629 align:start position:0% up 00:15:05.629 --> 00:15:05.639 align:start position:0% 00:15:05.639 --> 00:15:08.269 align:start position:0% so<00:15:06.240> uh<00:15:06.399> I<00:15:06.480> want<00:15:06.720> ahead<00:15:07.199> I<00:15:07.360> fixed<00:15:07.720> it<00:15:07.920> already 00:15:08.269 --> 00:15:08.279 align:start position:0% so uh I want ahead I fixed it already 00:15:08.279 --> 00:15:10.509 align:start position:0% so uh I want ahead I fixed it already but<00:15:08.399> you're<00:15:08.519> going<00:15:08.639> to<00:15:08.720> need<00:15:08.839> to<00:15:09.079> refresh<00:15:09.560> it 00:15:10.509 --> 00:15:10.519 align:start position:0% but you're going to need to refresh it 00:15:10.519 --> 00:15:14.470 align:start position:0% but you're going to need to refresh it so<00:15:11.519> yeah<00:15:12.040> that<00:15:12.240> one<00:15:13.079> should<00:15:13.399> work<00:15:14.079> so<00:15:14.279> yeah<00:15:14.399> you 00:15:14.470 --> 00:15:14.480 align:start position:0% so yeah that one should work so yeah you 00:15:14.480 --> 00:15:15.990 align:start position:0% so yeah that one should work so yeah you should<00:15:14.680> be<00:15:14.759> able<00:15:14.920> to<00:15:15.040> go<00:15:15.160> ahead<00:15:15.399> and<00:15:15.680> uh<00:15:15.839> and 00:15:15.990 --> 00:15:16.000 align:start position:0% should be able to go ahead and uh and 00:15:16.000 --> 00:15:18.230 align:start position:0% should be able to go ahead and uh and hit 00:15:18.230 --> 00:15:18.240 align:start position:0% 00:15:18.240 --> 00:15:20.870 align:start position:0% it<00:15:19.240> yeah<00:15:19.480> so<00:15:19.680> the<00:15:19.800> second<00:15:20.079> one<00:15:20.480> second<00:15:20.720> one 00:15:20.870 --> 00:15:20.880 align:start position:0% it yeah so the second one second one 00:15:20.880 --> 00:15:22.269 align:start position:0% it yeah so the second one second one should<00:15:21.079> work<00:15:21.320> fine<00:15:21.560> the<00:15:21.680> first<00:15:21.880> one<00:15:22.120> I 00:15:22.269 --> 00:15:22.279 align:start position:0% should work fine the first one I 00:15:22.279 --> 00:15:23.790 align:start position:0% should work fine the first one I accidentally<00:15:22.800> hit 00:15:23.790 --> 00:15:23.800 align:start position:0% accidentally hit 00:15:23.800 --> 00:15:28.189 align:start position:0% accidentally hit uh<00:15:24.800> accidentally<00:15:25.279> hit<00:15:26.000> uh<00:15:27.000> move<00:15:27.440> instead<00:15:27.759> of 00:15:28.189 --> 00:15:28.199 align:start position:0% uh accidentally hit uh move instead of 00:15:28.199 --> 00:15:31.189 align:start position:0% uh accidentally hit uh move instead of uh<00:15:28.800> copy<00:15:29.120> on<00:15:29.319> that<00:15:29.440> one<00:15:29.759> so<00:15:30.040> it<00:15:30.279> it<00:15:30.519> it<00:15:31.079> it 00:15:31.189 --> 00:15:31.199 align:start position:0% uh copy on that one so it it it it 00:15:31.199 --> 00:15:33.110 align:start position:0% uh copy on that one so it it it it wasn't<00:15:31.440> working<00:15:31.639> for<00:15:31.800> a<00:15:31.920> second<00:15:32.279> but<00:15:32.560> um<00:15:33.040> it 00:15:33.110 --> 00:15:33.120 align:start position:0% wasn't working for a second but um it 00:15:33.120 --> 00:15:35.629 align:start position:0% wasn't working for a second but um it was<00:15:33.240> pretty<00:15:33.440> simple<00:15:33.680> to<00:15:33.920> refix<00:15:34.440> again<00:15:34.759> so<00:15:35.399> okay 00:15:35.629 --> 00:15:35.639 align:start position:0% was pretty simple to refix again so okay 00:15:35.639 --> 00:15:39.189 align:start position:0% was pretty simple to refix again so okay so<00:15:35.839> the<00:15:35.959> situation<00:15:36.360> with<00:15:36.720> these<00:15:37.720> is<00:15:38.079> that<00:15:39.079> let 00:15:39.189 --> 00:15:39.199 align:start position:0% so the situation with these is that let 00:15:39.199 --> 00:15:41.309 align:start position:0% so the situation with these is that let me<00:15:39.319> go<00:15:39.440> ahead<00:15:39.600> and<00:15:39.720> get<00:15:39.880> this<00:15:40.000> one<00:15:40.360> in<00:15:40.560> my 00:15:41.309 --> 00:15:41.319 align:start position:0% me go ahead and get this one in my 00:15:41.319 --> 00:15:43.749 align:start position:0% me go ahead and get this one in my browser<00:15:42.319> so<00:15:42.519> the<00:15:42.680> goal<00:15:42.959> here<00:15:43.120> is<00:15:43.240> to<00:15:43.480> actually 00:15:43.749 --> 00:15:43.759 align:start position:0% browser so the goal here is to actually 00:15:43.759 --> 00:15:45.670 align:start position:0% browser so the goal here is to actually Implement<00:15:44.240> some<00:15:44.399> sort<00:15:44.800> of<00:15:45.000> client<00:15:45.360> side<00:15:45.519> path 00:15:45.670 --> 00:15:45.680 align:start position:0% Implement some sort of client side path 00:15:45.680 --> 00:15:47.269 align:start position:0% Implement some sort of client side path rsal<00:15:46.240> so<00:15:46.360> let's<00:15:46.560> go<00:15:46.680> ahead<00:15:46.839> and<00:15:46.959> take<00:15:47.040> a<00:15:47.160> look 00:15:47.269 --> 00:15:47.279 align:start position:0% rsal so let's go ahead and take a look 00:15:47.279 --> 00:15:50.470 align:start position:0% rsal so let's go ahead and take a look at<00:15:47.360> the<00:15:47.480> code<00:15:47.800> for<00:15:48.800> um<00:15:48.959> the<00:15:49.120> first<00:15:50.040> uh<00:15:50.319> yeah 00:15:50.470 --> 00:15:50.480 align:start position:0% at the code for um the first uh yeah 00:15:50.480 --> 00:15:53.629 align:start position:0% at the code for um the first uh yeah let's<00:15:50.639> go<00:15:50.720> ahead<00:15:50.880> and<00:15:50.959> do<00:15:51.079> the<00:15:51.240> first<00:15:51.800> one<00:15:52.800> um 00:15:53.629 --> 00:15:53.639 align:start position:0% let's go ahead and do the first one um 00:15:53.639 --> 00:15:54.550 align:start position:0% let's go ahead and do the first one um who<00:15:53.800> knows<00:15:53.959> I<00:15:54.040> might<00:15:54.199> have<00:15:54.279> to<00:15:54.360> make<00:15:54.440> some 00:15:54.550 --> 00:15:54.560 align:start position:0% who knows I might have to make some 00:15:54.560 --> 00:15:55.710 align:start position:0% who knows I might have to make some modifications<00:15:55.040> along<00:15:55.279> the<00:15:55.360> way<00:15:55.480> but<00:15:55.600> we'll 00:15:55.710 --> 00:15:55.720 align:start position:0% modifications along the way but we'll 00:15:55.720 --> 00:15:58.150 align:start position:0% modifications along the way but we'll figure<00:15:55.920> it<00:15:56.120> out<00:15:57.120> um<00:15:57.639> let's<00:15:57.800> go<00:15:57.920> ahead<00:15:58.040> and 00:15:58.150 --> 00:15:58.160 align:start position:0% figure it out um let's go ahead and 00:15:58.160 --> 00:16:01.150 align:start position:0% figure it out um let's go ahead and share 00:16:01.150 --> 00:16:01.160 align:start position:0% 00:16:01.160 --> 00:16:03.509 align:start position:0% that 00:16:03.509 --> 00:16:03.519 align:start position:0% 00:16:03.519 --> 00:16:07.350 align:start position:0% window<00:16:04.519> okay<00:16:04.759> good<00:16:05.079> so<00:16:05.279> here<00:16:05.399> we<00:16:05.639> are<00:16:06.639> so<00:16:07.040> very 00:16:07.350 --> 00:16:07.360 align:start position:0% window okay good so here we are so very 00:16:07.360 --> 00:16:10.309 align:start position:0% window okay good so here we are so very very<00:16:07.519> simple<00:16:07.800> code<00:16:08.079> here<00:16:08.319> okay<00:16:09.000> so<00:16:09.639> the<00:16:10.079> this 00:16:10.309 --> 00:16:10.319 align:start position:0% very simple code here okay so the this 00:16:10.319 --> 00:16:12.309 align:start position:0% very simple code here okay so the this application<00:16:11.160> here<00:16:11.680> essentially<00:16:12.079> what<00:16:12.160> it 00:16:12.309 --> 00:16:12.319 align:start position:0% application here essentially what it 00:16:12.319 --> 00:16:14.309 align:start position:0% application here essentially what it does<00:16:12.519> is<00:16:12.639> it<00:16:12.759> takes<00:16:13.000> the<00:16:13.120> search<00:16:13.399> parameters 00:16:14.309 --> 00:16:14.319 align:start position:0% does is it takes the search parameters 00:16:14.319 --> 00:16:17.030 align:start position:0% does is it takes the search parameters it<00:16:14.560> gets<00:16:14.839> the<00:16:15.040> ID<00:16:15.480> parameter<00:16:16.360> creates<00:16:16.800> this 00:16:17.030 --> 00:16:17.040 align:start position:0% it gets the ID parameter creates this 00:16:17.040 --> 00:16:19.069 align:start position:0% it gets the ID parameter creates this Cerf<00:16:17.560> token<00:16:17.920> right<00:16:18.480> and<00:16:18.600> then<00:16:18.720> it<00:16:18.839> does<00:16:18.959> a 00:16:19.069 --> 00:16:19.079 align:start position:0% Cerf token right and then it does a 00:16:19.079 --> 00:16:21.509 align:start position:0% Cerf token right and then it does a fetch<00:16:19.399> request<00:16:20.000> like<00:16:20.199> these<00:16:20.480> guys<00:16:21.079> like<00:16:21.319> with 00:16:21.509 --> 00:16:21.519 align:start position:0% fetch request like these guys like with 00:16:21.519 --> 00:16:23.550 align:start position:0% fetch request like these guys like with this<00:16:21.720> right<00:16:21.880> here<00:16:22.079> where<00:16:22.199> it<00:16:22.360> embeds<00:16:22.800> the<00:16:22.920> ID 00:16:23.550 --> 00:16:23.560 align:start position:0% this right here where it embeds the ID 00:16:23.560 --> 00:16:26.790 align:start position:0% this right here where it embeds the ID into<00:16:23.880> the<00:16:24.079> request<00:16:24.839> okay<00:16:25.519> so<00:16:25.680> if<00:16:25.800> we<00:16:26.040> go<00:16:26.240> to 00:16:26.790 --> 00:16:26.800 align:start position:0% into the request okay so if we go to 00:16:26.800 --> 00:16:31.150 align:start position:0% into the request okay so if we go to this<00:16:27.519> page<00:16:28.680> and<00:16:28.839> we<00:16:29.120> say<00:16:30.120> we<00:16:30.279> open<00:16:30.519> up<00:16:30.680> our 00:16:31.150 --> 00:16:31.160 align:start position:0% this page and we say we open up our 00:16:31.160 --> 00:16:33.990 align:start position:0% this page and we say we open up our developer<00:16:31.560> console<00:16:32.040> here<00:16:33.000> and<00:16:33.120> we<00:16:33.240> do<00:16:33.639> ID 00:16:33.990 --> 00:16:34.000 align:start position:0% developer console here and we do ID 00:16:34.000 --> 00:16:36.790 align:start position:0% developer console here and we do ID equals 00:16:36.790 --> 00:16:36.800 align:start position:0% 00:16:36.800 --> 00:16:39.509 align:start position:0% 123<00:16:37.800> right<00:16:38.639> we<00:16:38.759> can<00:16:38.880> see<00:16:39.079> that<00:16:39.199> there's<00:16:39.360> a 00:16:39.509 --> 00:16:39.519 align:start position:0% 123 right we can see that there's a 00:16:39.519 --> 00:16:43.749 align:start position:0% 123 right we can see that there's a request<00:16:39.839> being<00:16:40.199> sent<00:16:41.199> to<00:16:41.480> apps.<00:16:41.920> rator<00:16:42.399> dodev 00:16:43.749 --> 00:16:43.759 align:start position:0% request being sent to apps. rator dodev 00:16:43.759 --> 00:16:49.509 align:start position:0% request being sent to apps. rator dodev slob<00:16:44.759> sl12<00:16:45.399> 3.x<00:16:45.920> YZ<00:16:46.880> okay<00:16:47.880> so<00:16:48.440> um<00:16:49.000> there 00:16:49.509 --> 00:16:49.519 align:start position:0% slob sl12 3.x YZ okay so um there 00:16:49.519 --> 00:16:50.829 align:start position:0% slob sl12 3.x YZ okay so um there there's<00:16:49.759> two<00:16:49.959> techniques<00:16:50.360> that<00:16:50.480> I'm<00:16:50.639> kind<00:16:50.720> of 00:16:50.829 --> 00:16:50.839 align:start position:0% there's two techniques that I'm kind of 00:16:50.839 --> 00:16:54.990 align:start position:0% there's two techniques that I'm kind of going<00:16:50.959> to<00:16:51.639> uh<00:16:51.880> yeah<00:16:52.639> is<00:16:52.759> it<00:16:53.079> is<00:16:53.160> it<00:16:53.759> too<00:16:54.759> is<00:16:54.880> it 00:16:54.990 --> 00:16:55.000 align:start position:0% going to uh yeah is it is it too is it 00:16:55.000 --> 00:16:58.230 align:start position:0% going to uh yeah is it is it too is it too<00:16:55.199> small<00:16:55.720> can<00:16:55.839> you<00:16:55.959> guys<00:16:56.079> see<00:16:56.240> it<00:16:56.680> now<00:16:57.680> or<00:16:58.040> was 00:16:58.230 --> 00:16:58.240 align:start position:0% too small can you guys see it now or was 00:16:58.240 --> 00:17:01.590 align:start position:0% too small can you guys see it now or was that<00:16:58.639> uh<00:16:58.800> before<00:16:59.160> when<00:16:59.319> you<00:16:59.560> when<00:16:59.680> I<00:16:59.880> was<00:17:00.600> uh 00:17:01.590 --> 00:17:01.600 align:start position:0% that uh before when you when I was uh 00:17:01.600 --> 00:17:04.189 align:start position:0% that uh before when you when I was uh looking<00:17:01.880> at<00:17:02.079> the<00:17:02.319> actual<00:17:02.600> source<00:17:02.959> code<00:17:03.959> here's 00:17:04.189 --> 00:17:04.199 align:start position:0% looking at the actual source code here's 00:17:04.199 --> 00:17:06.990 align:start position:0% looking at the actual source code here's the<00:17:04.360> actual<00:17:04.600> source<00:17:04.880> code<00:17:05.439> if<00:17:05.880> that's<00:17:06.880> I 00:17:06.990 --> 00:17:07.000 align:start position:0% the actual source code if that's I 00:17:07.000 --> 00:17:09.829 align:start position:0% the actual source code if that's I imagine<00:17:07.319> that<00:17:07.439> was<00:17:07.559> what<00:17:07.640> you're<00:17:07.839> looking<00:17:08.480> for 00:17:09.829 --> 00:17:09.839 align:start position:0% imagine that was what you're looking for 00:17:09.839 --> 00:17:12.270 align:start position:0% imagine that was what you're looking for um<00:17:10.839> so<00:17:11.079> we<00:17:11.199> can<00:17:11.319> see<00:17:11.520> that<00:17:11.640> there's<00:17:11.799> a<00:17:11.959> request 00:17:12.270 --> 00:17:12.280 align:start position:0% um so we can see that there's a request 00:17:12.280 --> 00:17:16.750 align:start position:0% um so we can see that there's a request being<00:17:12.480> sent<00:17:12.760> to<00:17:12.959> 1<00:17:13.120> 12<00:17:13.360> 34<00:17:14.360> orob<00:17:15.120> sl12<00:17:15.559> 34.<00:17:15.959> XYZ 00:17:16.750 --> 00:17:16.760 align:start position:0% being sent to 1 12 34 orob sl12 34. XYZ 00:17:16.760 --> 00:17:18.110 align:start position:0% being sent to 1 12 34 orob sl12 34. XYZ so<00:17:16.880> there's<00:17:17.079> two<00:17:17.240> types<00:17:17.480> of<00:17:17.640> attacks<00:17:17.919> that<00:17:18.039> I 00:17:18.110 --> 00:17:18.120 align:start position:0% so there's two types of attacks that I 00:17:18.120 --> 00:17:19.230 align:start position:0% so there's two types of attacks that I kind<00:17:18.199> of<00:17:18.319> want<00:17:18.400> to<00:17:18.520> walk<00:17:18.679> you<00:17:18.839> guys<00:17:19.000> through 00:17:19.230 --> 00:17:19.240 align:start position:0% kind of want to walk you guys through 00:17:19.240 --> 00:17:22.270 align:start position:0% kind of want to walk you guys through here<00:17:19.919> one<00:17:20.079> of<00:17:20.240> them<00:17:20.480> is<00:17:20.600> a<00:17:20.760> little<00:17:21.000> bit 00:17:22.270 --> 00:17:22.280 align:start position:0% here one of them is a little bit 00:17:22.280 --> 00:17:25.590 align:start position:0% here one of them is a little bit um<00:17:23.280> uh<00:17:24.280> a<00:17:24.400> little<00:17:24.640> bit<00:17:24.880> like<00:17:25.000> the<00:17:25.079> stars<00:17:25.439> need 00:17:25.590 --> 00:17:25.600 align:start position:0% um uh a little bit like the stars need 00:17:25.600 --> 00:17:30.110 align:start position:0% um uh a little bit like the stars need to<00:17:25.760> align<00:17:26.039> a<00:17:26.120> little<00:17:26.319> bit<00:17:27.280> um<00:17:27.839> roll 00:17:30.110 --> 00:17:30.120 align:start position:0% to align a little bit um roll 00:17:30.120 --> 00:17:38.029 align:start position:0% to align a little bit um roll yeah<00:17:31.120> click<00:17:31.480> the<00:17:31.600> link 00:17:38.029 --> 00:17:38.039 align:start position:0% 00:17:38.039 --> 00:17:40.470 align:start position:0% above<00:17:39.039> yeah<00:17:39.600> somebody<00:17:39.919> in<00:17:40.039> the<00:17:40.120> discord's 00:17:40.470 --> 00:17:40.480 align:start position:0% above yeah somebody in the discord's 00:17:40.480 --> 00:17:42.350 align:start position:0% above yeah somebody in the discord's having<00:17:40.640> a<00:17:40.760> problem<00:17:41.039> getting<00:17:41.240> in<00:17:41.400> here<00:17:42.080> um<00:17:42.240> so 00:17:42.350 --> 00:17:42.360 align:start position:0% having a problem getting in here um so 00:17:42.360 --> 00:17:44.110 align:start position:0% having a problem getting in here um so we<00:17:42.480> can<00:17:42.600> see<00:17:43.080> that<00:17:43.320> this<00:17:43.480> request<00:17:43.799> is<00:17:43.919> being 00:17:44.110 --> 00:17:44.120 align:start position:0% we can see that this request is being 00:17:44.120 --> 00:17:48.110 align:start position:0% we can see that this request is being sent<00:17:44.600> right<00:17:44.760> here<00:17:45.039> okay<00:17:46.039> um<00:17:46.600> so<00:17:46.880> now<00:17:47.559> our<00:17:47.799> goal 00:17:48.110 --> 00:17:48.120 align:start position:0% sent right here okay um so now our goal 00:17:48.120 --> 00:17:49.710 align:start position:0% sent right here okay um so now our goal is<00:17:48.240> going<00:17:48.360> to<00:17:48.520> be<00:17:48.720> to 00:17:49.710 --> 00:17:49.720 align:start position:0% is going to be to 00:17:49.720 --> 00:17:54.150 align:start position:0% is going to be to redirect<00:17:50.720> the<00:17:50.880> user<00:17:51.760> out<00:17:52.280> of<00:17:53.280> this<00:17:53.720> specific 00:17:54.150 --> 00:17:54.160 align:start position:0% redirect the user out of this specific 00:17:54.160 --> 00:17:56.950 align:start position:0% redirect the user out of this specific website<00:17:54.640> and<00:17:54.840> leak<00:17:55.200> the<00:17:55.320> Cerf<00:17:55.840> token<00:17:56.520> to<00:17:56.760> our 00:17:56.950 --> 00:17:56.960 align:start position:0% website and leak the Cerf token to our 00:17:56.960 --> 00:17:59.029 align:start position:0% website and leak the Cerf token to our website<00:17:57.520> okay<00:17:58.120> and<00:17:58.400> so<00:17:58.520> for<00:17:58.679> this<00:17:58.799> we're<00:17:58.960> going 00:17:59.029 --> 00:17:59.039 align:start position:0% website okay and so for this we're going 00:17:59.039 --> 00:18:00.310 align:start position:0% website okay and so for this we're going to<00:17:59.480> uh<00:17:59.600> I'm<00:17:59.640> going<00:17:59.760> to<00:17:59.840> show<00:17:59.960> you<00:18:00.080> guys<00:18:00.200> one 00:18:00.310 --> 00:18:00.320 align:start position:0% to uh I'm going to show you guys one 00:18:00.320 --> 00:18:03.350 align:start position:0% to uh I'm going to show you guys one other<00:18:00.480> endpoint<00:18:00.919> apps.<00:18:01.799> uh<00:18:01.960> rator<00:18:02.520> dodev<00:18:03.240> and 00:18:03.350 --> 00:18:03.360 align:start position:0% other endpoint apps. uh rator dodev and 00:18:03.360 --> 00:18:05.669 align:start position:0% other endpoint apps. uh rator dodev and we're<00:18:03.480> going<00:18:03.559> to<00:18:03.720> hit<00:18:04.039> the<00:18:04.640> redirect<00:18:05.320> PHP 00:18:05.669 --> 00:18:05.679 align:start position:0% we're going to hit the redirect PHP 00:18:05.679 --> 00:18:08.110 align:start position:0% we're going to hit the redirect PHP endpoint<00:18:06.360> okay<00:18:07.360> this 00:18:08.110 --> 00:18:08.120 align:start position:0% endpoint okay this 00:18:08.120 --> 00:18:12.149 align:start position:0% endpoint okay this endpoint<00:18:09.120> is<00:18:09.520> uh<00:18:09.919> is<00:18:10.679> takes<00:18:10.880> a<00:18:11.000> URL 00:18:12.149 --> 00:18:12.159 align:start position:0% endpoint is uh is takes a URL 00:18:12.159 --> 00:18:15.029 align:start position:0% endpoint is uh is takes a URL parameter<00:18:13.159> and<00:18:13.280> you<00:18:13.400> can<00:18:13.600> provide<00:18:13.880> it<00:18:14.039> with<00:18:14.200> a 00:18:15.029 --> 00:18:15.039 align:start position:0% parameter and you can provide it with a 00:18:15.039 --> 00:18:16.630 align:start position:0% parameter and you can provide it with a a 00:18:16.630 --> 00:18:16.640 align:start position:0% a 00:18:16.640 --> 00:18:19.350 align:start position:0% a um<00:18:17.640> a<00:18:17.840> domain<00:18:18.360> and<00:18:18.440> it<00:18:18.520> will<00:18:18.679> redirect<00:18:19.080> to<00:18:19.200> that 00:18:19.350 --> 00:18:19.360 align:start position:0% um a domain and it will redirect to that 00:18:19.360 --> 00:18:22.950 align:start position:0% um a domain and it will redirect to that domain<00:18:20.039> okay<00:18:20.960> so<00:18:21.520> this<00:18:21.720> will<00:18:22.080> redirect<00:18:22.640> to 00:18:22.950 --> 00:18:22.960 align:start position:0% domain okay so this will redirect to 00:18:22.960 --> 00:18:25.549 align:start position:0% domain okay so this will redirect to example.com<00:18:23.640> I'm<00:18:24.120> going<00:18:24.200> to<00:18:24.320> put<00:18:24.480> that<00:18:24.640> in<00:18:24.799> the 00:18:25.549 --> 00:18:25.559 align:start position:0% example.com I'm going to put that in the 00:18:25.559 --> 00:18:29.390 align:start position:0% example.com I'm going to put that in the in<00:18:25.720> the<00:18:26.200> uh<00:18:27.200> chat<00:18:27.480> right<00:18:27.600> there<00:18:27.720> for<00:18:27.919> you<00:18:28.799> okay 00:18:29.390 --> 00:18:29.400 align:start position:0% in the uh chat right there for you okay 00:18:29.400 --> 00:18:34.110 align:start position:0% in the uh chat right there for you okay so<00:18:29.679> the<00:18:30.039> the<00:18:30.240> idea<00:18:30.600> would<00:18:30.760> then<00:18:31.360> be<00:18:32.640> to<00:18:33.640> utilize 00:18:34.110 --> 00:18:34.120 align:start position:0% so the the idea would then be to utilize 00:18:34.120 --> 00:18:36.350 align:start position:0% so the the idea would then be to utilize this<00:18:34.280> client<00:18:34.600> side<00:18:34.760> path<00:18:35.039> reversal<00:18:36.039> to 00:18:36.350 --> 00:18:36.360 align:start position:0% this client side path reversal to 00:18:36.360 --> 00:18:40.270 align:start position:0% this client side path reversal to redirect<00:18:37.240> out<00:18:37.480> of<00:18:37.720> this<00:18:38.280> domain<00:18:39.280> and<00:18:39.480> leak<00:18:40.120> the 00:18:40.270 --> 00:18:40.280 align:start position:0% redirect out of this domain and leak the 00:18:40.280 --> 00:18:43.110 align:start position:0% redirect out of this domain and leak the curf<00:18:40.840> token<00:18:41.240> to<00:18:41.400> an<00:18:41.559> attacker<00:18:41.960> control<00:18:42.400> domain 00:18:43.110 --> 00:18:43.120 align:start position:0% curf token to an attacker control domain 00:18:43.120 --> 00:18:44.669 align:start position:0% curf token to an attacker control domain okay<00:18:43.440> this<00:18:43.520> is<00:18:43.720> one<00:18:43.840> of<00:18:43.960> the<00:18:44.080> two<00:18:44.360> ways<00:18:44.559> that 00:18:44.669 --> 00:18:44.679 align:start position:0% okay this is one of the two ways that 00:18:44.679 --> 00:18:46.669 align:start position:0% okay this is one of the two ways that you<00:18:44.760> can<00:18:44.960> exploit<00:18:45.600> um<00:18:45.919> client<00:18:46.280> side<00:18:46.440> path 00:18:46.669 --> 00:18:46.679 align:start position:0% you can exploit um client side path 00:18:46.679 --> 00:18:50.149 align:start position:0% you can exploit um client side path traversal<00:18:47.679> and<00:18:48.320> um<00:18:49.320> and<00:18:49.520> so<00:18:49.760> I<00:18:49.880> think<00:18:50.080> this 00:18:50.149 --> 00:18:50.159 align:start position:0% traversal and um and so I think this 00:18:50.159 --> 00:18:52.390 align:start position:0% traversal and um and so I think this will<00:18:50.320> be<00:18:50.559> a<00:18:51.039> a<00:18:51.280> good<00:18:51.559> a<00:18:51.679> good<00:18:51.840> little<00:18:52.039> challenge 00:18:52.390 --> 00:18:52.400 align:start position:0% will be a a good a good little challenge 00:18:52.400 --> 00:18:57.310 align:start position:0% will be a a good a good little challenge I'll<00:18:52.520> give<00:18:52.640> you<00:18:52.720> guys<00:18:52.840> a<00:18:52.919> sec<00:18:53.120> to<00:18:53.240> poke<00:18:53.440> at 00:18:57.310 --> 00:18:57.320 align:start position:0% 00:18:57.320 --> 00:19:00.470 align:start position:0% it 00:19:00.470 --> 00:19:00.480 align:start position:0% 00:19:00.480 --> 00:19:02.630 align:start position:0% yeah<00:19:00.679> so<00:19:00.880> obviously<00:19:01.320> this<00:19:01.400> is<00:19:01.720> um<00:19:02.120> and<00:19:02.280> I<00:19:02.559> I'll 00:19:02.630 --> 00:19:02.640 align:start position:0% yeah so obviously this is um and I I'll 00:19:02.640 --> 00:19:03.789 align:start position:0% yeah so obviously this is um and I I'll sort<00:19:02.799> of<00:19:02.919> talk<00:19:03.039> a<00:19:03.120> little<00:19:03.240> bit<00:19:03.400> about<00:19:03.559> it<00:19:03.679> while 00:19:03.789 --> 00:19:03.799 align:start position:0% sort of talk a little bit about it while 00:19:03.799 --> 00:19:05.669 align:start position:0% sort of talk a little bit about it while you<00:19:03.880> guys<00:19:04.000> are<00:19:04.159> taking<00:19:04.400> a<00:19:04.600> taking<00:19:04.799> a<00:19:04.919> stab<00:19:05.200> at 00:19:05.669 --> 00:19:05.679 align:start position:0% you guys are taking a taking a stab at 00:19:05.679 --> 00:19:09.230 align:start position:0% you guys are taking a taking a stab at it<00:19:06.679> um<00:19:07.679> so<00:19:07.919> yeah<00:19:08.200> this<00:19:08.320> is<00:19:08.559> this<00:19:08.679> is<00:19:08.799> one<00:19:08.919> of<00:19:09.039> two 00:19:09.230 --> 00:19:09.240 align:start position:0% it um so yeah this is this is one of two 00:19:09.240 --> 00:19:10.470 align:start position:0% it um so yeah this is this is one of two ways<00:19:09.400> to<00:19:09.559> exploit<00:19:09.880> a<00:19:09.919> client<00:19:10.200> side<00:19:10.320> path 00:19:10.470 --> 00:19:10.480 align:start position:0% ways to exploit a client side path 00:19:10.480 --> 00:19:13.470 align:start position:0% ways to exploit a client side path gersal<00:19:11.240> um<00:19:11.840> so<00:19:12.559> in<00:19:12.679> this<00:19:12.799> scenario<00:19:13.200> we<00:19:13.320> would 00:19:13.470 --> 00:19:13.480 align:start position:0% gersal um so in this scenario we would 00:19:13.480 --> 00:19:15.029 align:start position:0% gersal um so in this scenario we would be<00:19:13.559> using<00:19:13.760> the<00:19:13.840> client<00:19:14.120> side<00:19:14.280> Pat<00:19:14.440> reveral<00:19:14.840> to 00:19:15.029 --> 00:19:15.039 align:start position:0% be using the client side Pat reveral to 00:19:15.039 --> 00:19:17.190 align:start position:0% be using the client side Pat reveral to hit<00:19:15.200> an<00:19:15.360> open<00:19:15.679> redirect<00:19:16.679> and<00:19:16.840> that<00:19:16.960> open 00:19:17.190 --> 00:19:17.200 align:start position:0% hit an open redirect and that open 00:19:17.200 --> 00:19:19.710 align:start position:0% hit an open redirect and that open redirect<00:19:17.960> would<00:19:18.240> cause<00:19:18.559> the<00:19:18.679> fetch<00:19:19.039> request 00:19:19.710 --> 00:19:19.720 align:start position:0% redirect would cause the fetch request 00:19:19.720 --> 00:19:22.350 align:start position:0% redirect would cause the fetch request to<00:19:19.880> be<00:19:20.559> reissued<00:19:21.559> because<00:19:21.679> it<00:19:21.840> automatically 00:19:22.350 --> 00:19:22.360 align:start position:0% to be reissued because it automatically 00:19:22.360 --> 00:19:25.149 align:start position:0% to be reissued because it automatically retries<00:19:22.799> on<00:19:22.880> a<00:19:23.200> redirect<00:19:24.200> um<00:19:24.480> to<00:19:24.720> a<00:19:24.840> different 00:19:25.149 --> 00:19:25.159 align:start position:0% retries on a redirect um to a different 00:19:25.159 --> 00:19:27.590 align:start position:0% retries on a redirect um to a different domain<00:19:25.600> and<00:19:25.720> when<00:19:25.880> we<00:19:26.039> control<00:19:26.480> that<00:19:26.640> domain 00:19:27.590 --> 00:19:27.600 align:start position:0% domain and when we control that domain 00:19:27.600 --> 00:19:30.950 align:start position:0% domain and when we control that domain we<00:19:27.760> can<00:19:28.000> then<00:19:28.720> um<00:19:29.320> Harvest<00:19:30.240> that<00:19:30.400> sees<00:19:30.720> surf 00:19:30.950 --> 00:19:30.960 align:start position:0% we can then um Harvest that sees surf 00:19:30.960 --> 00:19:33.750 align:start position:0% we can then um Harvest that sees surf token<00:19:31.640> that<00:19:31.760> is<00:19:31.919> being<00:19:32.120> sent<00:19:33.000> and<00:19:33.200> then<00:19:33.480> we<00:19:33.600> can 00:19:33.750 --> 00:19:33.760 align:start position:0% token that is being sent and then we can 00:19:33.760 --> 00:19:35.590 align:start position:0% token that is being sent and then we can use<00:19:34.000> that<00:19:34.120> to<00:19:34.280> sees<00:19:34.559> surf<00:19:34.760> the<00:19:34.880> victim<00:19:35.360> so<00:19:35.520> the 00:19:35.590 --> 00:19:35.600 align:start position:0% use that to sees surf the victim so the 00:19:35.600 --> 00:19:38.510 align:start position:0% use that to sees surf the victim so the flow<00:19:35.880> would<00:19:36.000> then<00:19:36.159> be<00:19:36.880> to<00:19:37.880> force<00:19:38.159> the<00:19:38.280> victim 00:19:38.510 --> 00:19:38.520 align:start position:0% flow would then be to force the victim 00:19:38.520 --> 00:19:41.510 align:start position:0% flow would then be to force the victim to<00:19:38.640> come<00:19:38.760> to<00:19:38.880> a<00:19:39.039> page<00:19:39.880> catch<00:19:40.080> the<00:19:40.520> request 00:19:41.510 --> 00:19:41.520 align:start position:0% to come to a page catch the request 00:19:41.520 --> 00:19:43.750 align:start position:0% to come to a page catch the request excuse<00:19:41.799> me<00:19:42.760> catch<00:19:43.000> the<00:19:43.120> request<00:19:43.400> on<00:19:43.559> our 00:19:43.750 --> 00:19:43.760 align:start position:0% excuse me catch the request on our 00:19:43.760 --> 00:19:46.350 align:start position:0% excuse me catch the request on our server<00:19:44.480> par<00:19:44.760> the<00:19:44.840> se-<00:19:45.080> surf<00:19:45.320> token<00:19:46.000> pass<00:19:46.240> that 00:19:46.350 --> 00:19:46.360 align:start position:0% server par the se- surf token pass that 00:19:46.360 --> 00:19:50.270 align:start position:0% server par the se- surf token pass that sees<00:19:46.600> surf<00:19:46.840> token<00:19:47.360> to<00:19:48.120> um<00:19:48.640> the<00:19:49.600> the<00:19:49.799> page<00:19:50.120> that 00:19:50.270 --> 00:19:50.280 align:start position:0% sees surf token to um the the page that 00:19:50.280 --> 00:19:52.870 align:start position:0% sees surf token to um the the page that we<00:19:50.440> are<00:19:50.960> you<00:19:51.080> know<00:19:51.280> controlling<00:19:52.159> uh<00:19:52.679> from 00:19:52.870 --> 00:19:52.880 align:start position:0% we are you know controlling uh from 00:19:52.880 --> 00:19:55.029 align:start position:0% we are you know controlling uh from which<00:19:53.080> we<00:19:53.280> originally<00:19:54.120> triggered<00:19:54.679> this 00:19:55.029 --> 00:19:55.039 align:start position:0% which we originally triggered this 00:19:55.039 --> 00:19:57.070 align:start position:0% which we originally triggered this client<00:19:55.360> side<00:19:55.520> pth<00:19:55.679> reversal<00:19:56.520> and<00:19:56.640> then<00:19:56.799> sees 00:19:57.070 --> 00:19:57.080 align:start position:0% client side pth reversal and then sees 00:19:57.080 --> 00:19:59.230 align:start position:0% client side pth reversal and then sees surf<00:19:57.320> the<00:19:57.440> victim<00:19:57.799> again<00:19:58.280> but<00:19:58.440> this<00:19:58.640> time<00:19:59.080> we 00:19:59.230 --> 00:19:59.240 align:start position:0% surf the victim again but this time we 00:19:59.240 --> 00:20:01.430 align:start position:0% surf the victim again but this time we have<00:19:59.360> the<00:19:59.480> CES<00:19:59.720> serf<00:19:59.919> token<00:20:00.760> um<00:20:00.960> and<00:20:01.159> and 00:20:01.430 --> 00:20:01.440 align:start position:0% have the CES serf token um and and 00:20:01.440 --> 00:20:03.470 align:start position:0% have the CES serf token um and and sometimes<00:20:01.720> that<00:20:01.840> can<00:20:02.000> be<00:20:02.600> done<00:20:02.919> via<00:20:03.240> you<00:20:03.360> know 00:20:03.470 --> 00:20:03.480 align:start position:0% sometimes that can be done via you know 00:20:03.480 --> 00:20:04.789 align:start position:0% sometimes that can be done via you know sending<00:20:03.720> it<00:20:03.840> in<00:20:03.919> the<00:20:04.039> request<00:20:04.320> body<00:20:04.679> sometimes 00:20:04.789 --> 00:20:04.799 align:start position:0% sending it in the request body sometimes 00:20:04.799 --> 00:20:06.190 align:start position:0% sending it in the request body sometimes it<00:20:04.919> has<00:20:05.039> to<00:20:05.120> be<00:20:05.200> done<00:20:05.360> via<00:20:05.559> header<00:20:05.880> in<00:20:06.000> which 00:20:06.190 --> 00:20:06.200 align:start position:0% it has to be done via header in which 00:20:06.200 --> 00:20:08.470 align:start position:0% it has to be done via header in which case<00:20:06.360> you're<00:20:06.520> kind<00:20:06.640> of<00:20:07.120> kind<00:20:07.240> of<00:20:07.480> in<00:20:07.640> trouble 00:20:08.470 --> 00:20:08.480 align:start position:0% case you're kind of kind of in trouble 00:20:08.480 --> 00:20:10.149 align:start position:0% case you're kind of kind of in trouble um<00:20:08.760> but<00:20:08.919> either<00:20:09.120> way<00:20:09.280> leaking<00:20:09.600> that<00:20:09.720> Cerf 00:20:10.149 --> 00:20:10.159 align:start position:0% um but either way leaking that Cerf 00:20:10.159 --> 00:20:12.230 align:start position:0% um but either way leaking that Cerf token<00:20:10.440> is<00:20:10.640> not<00:20:11.120> is<00:20:11.240> not<00:20:11.360> a<00:20:11.520> good 00:20:12.230 --> 00:20:12.240 align:start position:0% token is not is not a good 00:20:12.240 --> 00:20:14.310 align:start position:0% token is not is not a good thing<00:20:13.240> uh<00:20:13.360> what's<00:20:13.600> the<00:20:13.799> parameter<00:20:14.200> that 00:20:14.310 --> 00:20:14.320 align:start position:0% thing uh what's the parameter that 00:20:14.320 --> 00:20:16.990 align:start position:0% thing uh what's the parameter that redirects<00:20:14.880> on<00:20:15.440> it's<00:20:15.600> URL<00:20:16.080> it's<00:20:16.280> right<00:20:16.440> above 00:20:16.990 --> 00:20:17.000 align:start position:0% redirects on it's URL it's right above 00:20:17.000 --> 00:20:21.710 align:start position:0% redirects on it's URL it's right above uh<00:20:17.840> it's<00:20:18.240> it's<00:20:18.440> right<00:20:18.640> above<00:20:19.200> your<00:20:19.880> uh<00:20:20.880> comment 00:20:21.710 --> 00:20:21.720 align:start position:0% uh it's it's right above your uh comment 00:20:21.720 --> 00:20:27.149 align:start position:0% uh it's it's right above your uh comment xss 00:20:27.149 --> 00:20:27.159 align:start position:0% 00:20:27.159 --> 00:20:32.710 align:start position:0% doctor 00:20:32.710 --> 00:20:32.720 align:start position:0% 00:20:32.720 --> 00:20:34.190 align:start position:0% all<00:20:32.840> right<00:20:32.960> so<00:20:33.080> I'm<00:20:33.159> going<00:20:33.280> to<00:20:33.400> start<00:20:33.679> slowly 00:20:34.190 --> 00:20:34.200 align:start position:0% all right so I'm going to start slowly 00:20:34.200 --> 00:20:36.830 align:start position:0% all right so I'm going to start slowly working<00:20:34.559> through<00:20:34.720> it<00:20:35.360> okay<00:20:36.360> okay<00:20:36.480> so<00:20:36.640> here<00:20:36.720> we 00:20:36.830 --> 00:20:36.840 align:start position:0% working through it okay okay so here we 00:20:36.840 --> 00:20:39.070 align:start position:0% working through it okay okay so here we are<00:20:37.039> we're<00:20:37.159> on<00:20:37.320> this<00:20:37.440> page<00:20:38.159> so<00:20:38.360> I<00:20:38.440> can<00:20:38.559> see<00:20:38.760> 1<00:20:38.919> 2 00:20:39.070 --> 00:20:39.080 align:start position:0% are we're on this page so I can see 1 2 00:20:39.080 --> 00:20:40.830 align:start position:0% are we're on this page so I can see 1 2 3<00:20:39.240> 4<00:20:39.440> is<00:20:39.559> being<00:20:39.760> embedded<00:20:40.200> into<00:20:40.440> the<00:20:40.559> fetch 00:20:40.830 --> 00:20:40.840 align:start position:0% 3 4 is being embedded into the fetch 00:20:40.840 --> 00:20:42.310 align:start position:0% 3 4 is being embedded into the fetch request<00:20:41.120> that's<00:20:41.280> being<00:20:41.440> sent<00:20:42.000> I'm<00:20:42.080> going<00:20:42.200> to 00:20:42.310 --> 00:20:42.320 align:start position:0% request that's being sent I'm going to 00:20:42.320 --> 00:20:45.230 align:start position:0% request that's being sent I'm going to go<00:20:42.440> ahead<00:20:42.640> and<00:20:42.919> add<00:20:43.520> um<00:20:43.679> another<00:20:44.000> slash<00:20:44.480> here 00:20:45.230 --> 00:20:45.240 align:start position:0% go ahead and add um another slash here 00:20:45.240 --> 00:20:47.310 align:start position:0% go ahead and add um another slash here and<00:20:45.400> see<00:20:45.640> what<00:20:45.799> happens<00:20:46.280> so<00:20:46.440> when<00:20:46.520> I<00:20:46.679> add<00:20:46.840> the 00:20:47.310 --> 00:20:47.320 align:start position:0% and see what happens so when I add the 00:20:47.320 --> 00:20:49.630 align:start position:0% and see what happens so when I add the slash<00:20:48.320> we<00:20:48.400> can<00:20:48.559> see<00:20:48.720> that<00:20:48.840> the<00:20:48.960> slash<00:20:49.280> is<00:20:49.400> being 00:20:49.630 --> 00:20:49.640 align:start position:0% slash we can see that the slash is being 00:20:49.640 --> 00:20:51.190 align:start position:0% slash we can see that the slash is being reflected<00:20:50.120> here<00:20:50.320> that<00:20:50.400> means<00:20:50.600> we're<00:20:50.760> breaking 00:20:51.190 --> 00:20:51.200 align:start position:0% reflected here that means we're breaking 00:20:51.200 --> 00:20:52.710 align:start position:0% reflected here that means we're breaking out<00:20:51.440> of<00:20:51.640> the<00:20:51.840> path<00:20:52.159> context<00:20:52.520> that<00:20:52.600> we're 00:20:52.710 --> 00:20:52.720 align:start position:0% out of the path context that we're 00:20:52.720 --> 00:20:57.390 align:start position:0% out of the path context that we're currently<00:20:53.159> in<00:20:54.320> um<00:20:55.320> and<00:20:55.559> when<00:20:55.919> I<00:20:56.440> send<00:20:56.919> a<00:20:57.120> dot 00:20:57.390 --> 00:20:57.400 align:start position:0% currently in um and when I send a dot 00:20:57.400 --> 00:20:58.630 align:start position:0% currently in um and when I send a dot dot<00:20:57.679> right<00:20:57.840> after 00:20:58.630 --> 00:20:58.640 align:start position:0% dot right after 00:20:58.640 --> 00:21:02.029 align:start position:0% dot right after it<00:20:59.640> we<00:20:59.760> can<00:20:59.880> see<00:21:00.080> that<00:21:00.200> the<00:21:00.360> request<00:21:01.039> now 00:21:02.029 --> 00:21:02.039 align:start position:0% it we can see that the request now 00:21:02.039 --> 00:21:05.029 align:start position:0% it we can see that the request now deletes<00:21:02.480> the<00:21:02.600> 1<00:21:02.760> 2<00:21:02.960> 3<00:21:03.159> 4<00:21:03.559> part<00:21:04.559> and<00:21:04.679> now<00:21:04.840> we're 00:21:05.029 --> 00:21:05.039 align:start position:0% deletes the 1 2 3 4 part and now we're 00:21:05.039 --> 00:21:10.669 align:start position:0% deletes the 1 2 3 4 part and now we're just<00:21:05.200> hitting<00:21:05.640> object<00:21:06.720> XYZ 00:21:10.669 --> 00:21:10.679 align:start position:0% 00:21:10.679 --> 00:21:13.149 align:start position:0% right<00:21:11.679> um 00:21:13.149 --> 00:21:13.159 align:start position:0% right um 00:21:13.159 --> 00:21:15.310 align:start position:0% right um now<00:21:14.159> we're<00:21:14.320> going<00:21:14.400> to<00:21:14.559> try<00:21:14.720> to<00:21:14.880> go<00:21:15.000> ahead<00:21:15.159> and 00:21:15.310 --> 00:21:15.320 align:start position:0% now we're going to try to go ahead and 00:21:15.320 --> 00:21:18.190 align:start position:0% now we're going to try to go ahead and Traverse<00:21:16.159> again<00:21:17.159> one<00:21:17.360> more 00:21:18.190 --> 00:21:18.200 align:start position:0% Traverse again one more 00:21:18.200 --> 00:21:21.430 align:start position:0% Traverse again one more time<00:21:19.200> and<00:21:19.320> we<00:21:19.400> can<00:21:19.559> see<00:21:19.840> right<00:21:20.200> here<00:21:21.200> that<00:21:21.320> we 00:21:21.430 --> 00:21:21.440 align:start position:0% time and we can see right here that we 00:21:21.440 --> 00:21:24.909 align:start position:0% time and we can see right here that we are<00:21:21.679> just<00:21:21.960> left<00:21:22.480> with/<00:21:23.440> XYZ<00:21:24.200> the<00:21:24.360> thing<00:21:24.520> on<00:21:24.679> the 00:21:24.909 --> 00:21:24.919 align:start position:0% are just left with/ XYZ the thing on the 00:21:24.919 --> 00:21:26.350 align:start position:0% are just left with/ XYZ the thing on the right<00:21:25.159> side<00:21:25.360> of<00:21:25.480> what<00:21:25.600> we're<00:21:25.760> injecting<00:21:26.200> right 00:21:26.350 --> 00:21:26.360 align:start position:0% right side of what we're injecting right 00:21:26.360 --> 00:21:27.870 align:start position:0% right side of what we're injecting right because<00:21:26.480> the<00:21:26.559> source<00:21:26.760> code<00:21:26.919> looks<00:21:27.120> like<00:21:27.320> this 00:21:27.870 --> 00:21:27.880 align:start position:0% because the source code looks like this 00:21:27.880 --> 00:21:29.549 align:start position:0% because the source code looks like this this<00:21:28.080> this<00:21:28.200> is<00:21:28.279> where<00:21:28.400> we're<00:21:28.559> injecting<00:21:29.400> so 00:21:29.549 --> 00:21:29.559 align:start position:0% this this is where we're injecting so 00:21:29.559 --> 00:21:31.230 align:start position:0% this this is where we're injecting so we've<00:21:29.799> gone<00:21:29.960> ahead<00:21:30.120> and<00:21:30.279> deleted<00:21:31.000> you<00:21:31.120> know 00:21:31.230 --> 00:21:31.240 align:start position:0% we've gone ahead and deleted you know 00:21:31.240 --> 00:21:32.669 align:start position:0% we've gone ahead and deleted you know our<00:21:31.400> own<00:21:31.559> input<00:21:31.919> which<00:21:32.039> we<00:21:32.120> could<00:21:32.240> have<00:21:32.400> just 00:21:32.669 --> 00:21:32.679 align:start position:0% our own input which we could have just 00:21:32.679 --> 00:21:35.470 align:start position:0% our own input which we could have just done<00:21:32.880> differently<00:21:33.240> if<00:21:33.320> we<00:21:33.440> wanted<00:21:33.640> to<00:21:33.919> but<00:21:34.880> uh 00:21:35.470 --> 00:21:35.480 align:start position:0% done differently if we wanted to but uh 00:21:35.480 --> 00:21:36.990 align:start position:0% done differently if we wanted to but uh and<00:21:35.679> just<00:21:35.799> done<00:21:35.919> it<00:21:36.080> with<00:21:36.200> one<00:21:36.360> path<00:21:36.520> to<00:21:36.679> veral 00:21:36.990 --> 00:21:37.000 align:start position:0% and just done it with one path to veral 00:21:37.000 --> 00:21:39.350 align:start position:0% and just done it with one path to veral but<00:21:37.159> you<00:21:37.279> know<00:21:37.520> such<00:21:37.720> as<00:21:37.919> life<00:21:38.679> and<00:21:38.840> then<00:21:39.200> um 00:21:39.350 --> 00:21:39.360 align:start position:0% but you know such as life and then um 00:21:39.360 --> 00:21:40.950 align:start position:0% but you know such as life and then um we've<00:21:39.559> just<00:21:39.720> got<00:21:39.960> this<00:21:40.120> part<00:21:40.480> remaining<00:21:40.760> so 00:21:40.950 --> 00:21:40.960 align:start position:0% we've just got this part remaining so 00:21:40.960 --> 00:21:43.149 align:start position:0% we've just got this part remaining so how<00:21:41.039> do<00:21:41.200> we<00:21:41.360> cut<00:21:41.720> this<00:21:41.880> part<00:21:42.159> off<00:21:42.440> to<00:21:42.640> get 00:21:43.149 --> 00:21:43.159 align:start position:0% how do we cut this part off to get 00:21:43.159 --> 00:21:47.149 align:start position:0% how do we cut this part off to get arbitrary<00:21:43.840> access<00:21:44.440> to<00:21:45.440> uh<00:21:45.760> the<00:21:45.960> path<00:21:46.279> here 00:21:47.149 --> 00:21:47.159 align:start position:0% arbitrary access to uh the path here 00:21:47.159 --> 00:21:49.669 align:start position:0% arbitrary access to uh the path here well<00:21:47.360> the<00:21:47.440> way<00:21:47.559> to<00:21:47.679> do<00:21:47.880> that<00:21:48.039> would<00:21:48.200> be<00:21:48.400> to<00:21:49.240> um 00:21:49.669 --> 00:21:49.679 align:start position:0% well the way to do that would be to um 00:21:49.679 --> 00:21:51.789 align:start position:0% well the way to do that would be to um we<00:21:49.799> could<00:21:49.919> do<00:21:50.080> a<00:21:50.159> couple<00:21:50.440> things<00:21:51.159> but<00:21:51.520> percent 00:21:51.789 --> 00:21:51.799 align:start position:0% we could do a couple things but percent 00:21:51.799 --> 00:21:57.789 align:start position:0% we could do a couple things but percent 23<00:21:52.320> aut<00:21:52.520> to<00:21:52.640> do<00:21:52.799> the<00:21:53.400> trick<00:21:54.400> that<00:21:54.559> will<00:21:55.640> make<00:21:56.799> uh 00:21:57.789 --> 00:21:57.799 align:start position:0% 23 aut to do the trick that will make uh 00:21:57.799 --> 00:22:00.470 align:start position:0% 23 aut to do the trick that will make uh see<00:21:58.159> right<00:21:58.320> here<00:21:58.559> yeah<00:21:59.240> that<00:21:59.360> will<00:21:59.720> cut<00:22:00.320> a 00:22:00.470 --> 00:22:00.480 align:start position:0% see right here yeah that will cut a 00:22:00.480 --> 00:22:04.269 align:start position:0% see right here yeah that will cut a percent<00:22:00.760> 23<00:22:01.520> URL<00:22:01.960> decodes<00:22:02.440> to<00:22:02.840> a<00:22:03.080> hashtag<00:22:04.080> and 00:22:04.269 --> 00:22:04.279 align:start position:0% percent 23 URL decodes to a hashtag and 00:22:04.279 --> 00:22:06.510 align:start position:0% percent 23 URL decodes to a hashtag and as<00:22:04.400> we<00:22:04.559> know<00:22:04.960> um<00:22:05.120> the<00:22:05.279> hashtag<00:22:05.679> is<00:22:05.840> used<00:22:06.279> for 00:22:06.510 --> 00:22:06.520 align:start position:0% as we know um the hashtag is used for 00:22:06.520 --> 00:22:10.590 align:start position:0% as we know um the hashtag is used for the<00:22:06.720> hash<00:22:07.200> in<00:22:07.640> yep<00:22:07.919> you<00:22:08.039> guys<00:22:08.240> got<00:22:08.400> it<00:22:09.400> um<00:22:10.400> the 00:22:10.590 --> 00:22:10.600 align:start position:0% the hash in yep you guys got it um the 00:22:10.600 --> 00:22:14.390 align:start position:0% the hash in yep you guys got it um the hashtag<00:22:11.039> is<00:22:11.159> used<00:22:11.679> um<00:22:11.880> to<00:22:12.559> to<00:22:13.559> convey<00:22:14.039> the<00:22:14.159> hash 00:22:14.390 --> 00:22:14.400 align:start position:0% hashtag is used um to to convey the hash 00:22:14.400 --> 00:22:16.310 align:start position:0% hashtag is used um to to convey the hash fragment<00:22:15.279> um<00:22:15.400> and<00:22:15.559> is<00:22:15.720> not<00:22:15.880> sent<00:22:16.080> to<00:22:16.200> the 00:22:16.310 --> 00:22:16.320 align:start position:0% fragment um and is not sent to the 00:22:16.320 --> 00:22:18.029 align:start position:0% fragment um and is not sent to the server<00:22:16.640> side<00:22:16.840> so<00:22:16.960> we<00:22:17.080> were<00:22:17.200> able<00:22:17.360> to<00:22:17.520> truncate 00:22:18.029 --> 00:22:18.039 align:start position:0% server side so we were able to truncate 00:22:18.039 --> 00:22:20.269 align:start position:0% server side so we were able to truncate that<00:22:18.200> whole<00:22:18.559> side<00:22:18.720> of<00:22:18.799> the<00:22:18.960> request<00:22:19.400> okay<00:22:20.039> so 00:22:20.269 --> 00:22:20.279 align:start position:0% that whole side of the request okay so 00:22:20.279 --> 00:22:22.149 align:start position:0% that whole side of the request okay so now<00:22:20.520> let's<00:22:20.720> go<00:22:20.880> ahead<00:22:21.039> and<00:22:21.200> redirect<00:22:21.720> this 00:22:22.149 --> 00:22:22.159 align:start position:0% now let's go ahead and redirect this 00:22:22.159 --> 00:22:25.070 align:start position:0% now let's go ahead and redirect this towards<00:22:23.159> uh<00:22:23.400> our<00:22:24.000> our<00:22:24.240> server<00:22:24.640> in<00:22:24.760> order<00:22:24.919> to 00:22:25.070 --> 00:22:25.080 align:start position:0% towards uh our our server in order to 00:22:25.080 --> 00:22:27.230 align:start position:0% towards uh our our server in order to redirect<00:22:25.640> off<00:22:25.799> of<00:22:25.960> the<00:22:26.080> domain<00:22:26.799> so<00:22:26.960> for<00:22:27.120> that 00:22:27.230 --> 00:22:27.240 align:start position:0% redirect off of the domain so for that 00:22:27.240 --> 00:22:28.870 align:start position:0% redirect off of the domain so for that we'll<00:22:27.400> hit<00:22:27.559> redirect<00:22:28.159> . 00:22:28.870 --> 00:22:28.880 align:start position:0% we'll hit redirect . 00:22:28.880 --> 00:22:31.190 align:start position:0% we'll hit redirect . PHP<00:22:29.880> okay<00:22:30.400> and<00:22:30.520> we<00:22:30.600> can<00:22:30.760> see<00:22:30.919> that<00:22:31.039> it's 00:22:31.190 --> 00:22:31.200 align:start position:0% PHP okay and we can see that it's 00:22:31.200 --> 00:22:33.110 align:start position:0% PHP okay and we can see that it's hitting<00:22:31.440> redirect<00:22:32.000> PHP<00:22:32.559> and<00:22:32.679> we<00:22:32.760> are<00:22:32.919> getting 00:22:33.110 --> 00:22:33.120 align:start position:0% hitting redirect PHP and we are getting 00:22:33.120 --> 00:22:35.870 align:start position:0% hitting redirect PHP and we are getting a<00:22:33.240> 302<00:22:33.799> but<00:22:33.960> there's<00:22:34.240> no<00:22:34.919> location<00:22:35.320> header<00:22:35.559> to 00:22:35.870 --> 00:22:35.880 align:start position:0% a 302 but there's no location header to 00:22:35.880 --> 00:22:38.430 align:start position:0% a 302 but there's no location header to finded<00:22:36.880> so<00:22:37.200> then<00:22:37.360> we'll<00:22:37.559> go<00:22:37.679> ahead<00:22:38.039> and 00:22:38.430 --> 00:22:38.440 align:start position:0% finded so then we'll go ahead and 00:22:38.440 --> 00:22:42.149 align:start position:0% finded so then we'll go ahead and provide<00:22:39.000> a<00:22:39.640> query<00:22:39.960> parameter<00:22:40.480> URL<00:22:41.000> equals<00:22:42.000> and 00:22:42.149 --> 00:22:42.159 align:start position:0% provide a query parameter URL equals and 00:22:42.159 --> 00:22:44.390 align:start position:0% provide a query parameter URL equals and then<00:22:42.400> let's<00:22:42.559> just<00:22:42.720> go<00:22:42.840> ahead<00:22:43.039> and<00:22:43.200> say<00:22:43.480> htps 00:22:44.390 --> 00:22:44.400 align:start position:0% then let's just go ahead and say htps 00:22:44.400 --> 00:22:46.870 align:start position:0% then let's just go ahead and say htps po.<00:22:45.000> rat.com 00:22:46.870 --> 00:22:46.880 align:start position:0% po. rat.com 00:22:46.880 --> 00:22:50.990 align:start position:0% po. rat.com sl200<00:22:47.960> PHP<00:22:48.960> just<00:22:49.120> a<00:22:49.320> thing<00:22:49.440> that<00:22:49.679> returns<00:22:49.840> a 00:22:50.990 --> 00:22:51.000 align:start position:0% sl200 PHP just a thing that returns a 00:22:51.000 --> 00:22:52.909 align:start position:0% sl200 PHP just a thing that returns a 200<00:22:52.000> and<00:22:52.120> we<00:22:52.200> can<00:22:52.320> see<00:22:52.440> a<00:22:52.520> couple<00:22:52.760> things 00:22:52.909 --> 00:22:52.919 align:start position:0% 200 and we can see a couple things 00:22:52.919 --> 00:22:54.350 align:start position:0% 200 and we can see a couple things happen<00:22:53.159> here<00:22:53.320> a<00:22:53.400> couple<00:22:53.640> interesting<00:22:54.000> things 00:22:54.350 --> 00:22:54.360 align:start position:0% happen here a couple interesting things 00:22:54.360 --> 00:22:56.510 align:start position:0% happen here a couple interesting things okay<00:22:54.880> so<00:22:55.000> we<00:22:55.120> see<00:22:55.279> the<00:22:55.440> request<00:22:55.840> happen<00:22:56.320> right 00:22:56.510 --> 00:22:56.520 align:start position:0% okay so we see the request happen right 00:22:56.520 --> 00:22:58.990 align:start position:0% okay so we see the request happen right here<00:22:57.039> this<00:22:57.159> is<00:22:57.279> our<00:22:57.520> overd<00:22:58.080> in<00:22:58.240> request<00:22:58.720> right 00:22:58.990 --> 00:22:59.000 align:start position:0% here this is our overd in request right 00:22:59.000 --> 00:23:01.789 align:start position:0% here this is our overd in request right where<00:22:59.200> we've<00:22:59.640> path<00:22:59.880> traversed<00:23:00.559> back<00:23:01.320> and<00:23:01.559> and 00:23:01.789 --> 00:23:01.799 align:start position:0% where we've path traversed back and and 00:23:01.799 --> 00:23:03.789 align:start position:0% where we've path traversed back and and I<00:23:01.960> also<00:23:02.159> just<00:23:02.279> want<00:23:02.360> to<00:23:02.520> make<00:23:02.640> it<00:23:02.760> clear<00:23:03.600> that 00:23:03.789 --> 00:23:03.799 align:start position:0% I also just want to make it clear that 00:23:03.799 --> 00:23:05.110 align:start position:0% I also just want to make it clear that there's<00:23:04.039> some<00:23:04.240> really<00:23:04.440> cool<00:23:04.679> stuff<00:23:04.840> you<00:23:04.960> can 00:23:05.110 --> 00:23:05.120 align:start position:0% there's some really cool stuff you can 00:23:05.120 --> 00:23:08.430 align:start position:0% there's some really cool stuff you can do<00:23:05.320> here<00:23:05.640> okay<00:23:06.480> um<00:23:07.000> there<00:23:07.159> is<00:23:07.840> uh<00:23:08.080> let<00:23:08.159> me<00:23:08.320> go 00:23:08.430 --> 00:23:08.440 align:start position:0% do here okay um there is uh let me go 00:23:08.440 --> 00:23:09.630 align:start position:0% do here okay um there is uh let me go ahead 00:23:09.630 --> 00:23:09.640 align:start position:0% ahead 00:23:09.640 --> 00:23:12.990 align:start position:0% ahead and<00:23:10.640> so<00:23:11.039> the<00:23:11.240> path<00:23:11.440> traversal<00:23:11.919> notice<00:23:12.279> how<00:23:12.840> it 00:23:12.990 --> 00:23:13.000 align:start position:0% and so the path traversal notice how it 00:23:13.000 --> 00:23:17.310 align:start position:0% and so the path traversal notice how it doesn't<00:23:13.799> actually<00:23:14.799> show<00:23:15.520> this<00:23:15.760> part<00:23:16.480> the<00:23:16.799> um 00:23:17.310 --> 00:23:17.320 align:start position:0% doesn't actually show this part the um 00:23:17.320 --> 00:23:18.710 align:start position:0% doesn't actually show this part the um it<00:23:17.440> doesn't<00:23:17.720> actually<00:23:17.880> show<00:23:18.120> the<00:23:18.279> dot<00:23:18.520> dot 00:23:18.710 --> 00:23:18.720 align:start position:0% it doesn't actually show the dot dot 00:23:18.720 --> 00:23:21.630 align:start position:0% it doesn't actually show the dot dot slash<00:23:19.120> part<00:23:19.600> in<00:23:19.840> here<00:23:20.200> right<00:23:20.480> because<00:23:21.440> that's 00:23:21.630 --> 00:23:21.640 align:start position:0% slash part in here right because that's 00:23:21.640 --> 00:23:23.070 align:start position:0% slash part in here right because that's because<00:23:22.080> the<00:23:22.159> traversal<00:23:22.640> is<00:23:22.799> actually 00:23:23.070 --> 00:23:23.080 align:start position:0% because the traversal is actually 00:23:23.080 --> 00:23:24.669 align:start position:0% because the traversal is actually happening 00:23:24.669 --> 00:23:24.679 align:start position:0% happening 00:23:24.679 --> 00:23:27.750 align:start position:0% happening on<00:23:25.679> uh<00:23:25.880> yeah<00:23:26.039> quas<00:23:26.440> that'll<00:23:26.679> happen<00:23:27.039> yeah<00:23:27.520> um 00:23:27.750 --> 00:23:27.760 align:start position:0% on uh yeah quas that'll happen yeah um 00:23:27.760 --> 00:23:29.870 align:start position:0% on uh yeah quas that'll happen yeah um that<00:23:28.039> because<00:23:28.200> the<00:23:28.320> p<00:23:28.640> veral<00:23:28.919> is<00:23:29.200> actually 00:23:29.870 --> 00:23:29.880 align:start position:0% that because the p veral is actually 00:23:29.880 --> 00:23:32.149 align:start position:0% that because the p veral is actually happening<00:23:30.440> at<00:23:30.559> the<00:23:30.760> fetch<00:23:31.159> level<00:23:31.559> fetch<00:23:32.000> is 00:23:32.149 --> 00:23:32.159 align:start position:0% happening at the fetch level fetch is 00:23:32.159 --> 00:23:34.470 align:start position:0% happening at the fetch level fetch is normalizing<00:23:32.919> that<00:23:33.080> URL<00:23:33.440> for<00:23:33.600> you<00:23:33.840> okay<00:23:34.360> and 00:23:34.470 --> 00:23:34.480 align:start position:0% normalizing that URL for you okay and 00:23:34.480 --> 00:23:36.190 align:start position:0% normalizing that URL for you okay and then<00:23:34.640> in<00:23:34.840> addition<00:23:35.159> to<00:23:35.320> fetch<00:23:35.640> normalizing 00:23:36.190 --> 00:23:36.200 align:start position:0% then in addition to fetch normalizing 00:23:36.200 --> 00:23:39.430 align:start position:0% then in addition to fetch normalizing the<00:23:36.279> URL<00:23:37.039> you<00:23:37.320> also<00:23:37.600> can<00:23:37.760> weaponize<00:23:38.720> sort<00:23:38.960> of 00:23:39.430 --> 00:23:39.440 align:start position:0% the URL you also can weaponize sort of 00:23:39.440 --> 00:23:41.990 align:start position:0% the URL you also can weaponize sort of um<00:23:39.919> reverse<00:23:40.360> proxy<00:23:40.720> based<00:23:41.080> path<00:23:41.320> reversals<00:23:41.840> on 00:23:41.990 --> 00:23:42.000 align:start position:0% um reverse proxy based path reversals on 00:23:42.000 --> 00:23:44.909 align:start position:0% um reverse proxy based path reversals on the<00:23:42.240> server<00:23:43.240> um<00:23:43.760> and<00:23:44.240> actually<00:23:44.480> just<00:23:44.600> normal 00:23:44.909 --> 00:23:44.919 align:start position:0% the server um and actually just normal 00:23:44.919 --> 00:23:46.269 align:start position:0% the server um and actually just normal path<00:23:45.120> rals<00:23:45.480> on<00:23:45.600> the<00:23:45.679> server<00:23:45.960> right<00:23:46.080> because<00:23:46.200> if 00:23:46.269 --> 00:23:46.279 align:start position:0% path rals on the server right because if 00:23:46.279 --> 00:23:47.950 align:start position:0% path rals on the server right because if you<00:23:46.440> hit<00:23:46.559> a<00:23:46.679> server<00:23:47.240> you<00:23:47.360> know<00:23:47.480> with<00:23:47.640> dot<00:23:47.799> dot 00:23:47.950 --> 00:23:47.960 align:start position:0% you hit a server you know with dot dot 00:23:47.960 --> 00:23:49.470 align:start position:0% you hit a server you know with dot dot slash<00:23:48.320> it's<00:23:48.440> going<00:23:48.559> to<00:23:48.679> normalize<00:23:49.120> it<00:23:49.279> before 00:23:49.470 --> 00:23:49.480 align:start position:0% slash it's going to normalize it before 00:23:49.480 --> 00:23:51.350 align:start position:0% slash it's going to normalize it before it<00:23:49.640> actually<00:23:49.840> processes<00:23:50.240> it<00:23:50.360> normally<00:23:51.200> and 00:23:51.350 --> 00:23:51.360 align:start position:0% it actually processes it normally and 00:23:51.360 --> 00:23:52.909 align:start position:0% it actually processes it normally and then<00:23:51.600> also<00:23:52.080> sometimes<00:23:52.240> if<00:23:52.360> there's<00:23:52.480> a<00:23:52.600> reverse 00:23:52.909 --> 00:23:52.919 align:start position:0% then also sometimes if there's a reverse 00:23:52.919 --> 00:23:55.630 align:start position:0% then also sometimes if there's a reverse proxy<00:23:53.200> in<00:23:53.400> place<00:23:53.960> that<00:23:54.080> reverse<00:23:54.480> proxy<00:23:55.240> will 00:23:55.630 --> 00:23:55.640 align:start position:0% proxy in place that reverse proxy will 00:23:55.640 --> 00:23:57.350 align:start position:0% proxy in place that reverse proxy will you<00:23:55.760> know<00:23:55.960> decode<00:23:56.640> and<00:23:56.720> then<00:23:56.840> send<00:23:57.039> it<00:23:57.120> to<00:23:57.240> the 00:23:57.350 --> 00:23:57.360 align:start position:0% you know decode and then send it to the 00:23:57.360 --> 00:23:59.070 align:start position:0% you know decode and then send it to the back<00:23:57.480> end<00:23:57.840> so<00:23:57.960> there's<00:23:58.159> like<00:23:58.320> multiple<00:23:58.720> layers 00:23:59.070 --> 00:23:59.080 align:start position:0% back end so there's like multiple layers 00:23:59.080 --> 00:24:01.669 align:start position:0% back end so there's like multiple layers of<00:23:59.279> encoding<00:23:59.720> you<00:23:59.840> could<00:24:00.000> use<00:24:00.279> here<00:24:01.159> um<00:24:01.480> with 00:24:01.669 --> 00:24:01.679 align:start position:0% of encoding you could use here um with 00:24:01.679 --> 00:24:03.149 align:start position:0% of encoding you could use here um with URL<00:24:02.039> encoding<00:24:02.440> so<00:24:02.559> if<00:24:02.760> just<00:24:02.919> because 00:24:03.149 --> 00:24:03.159 align:start position:0% URL encoding so if just because 00:24:03.159 --> 00:24:04.909 align:start position:0% URL encoding so if just because something<00:24:03.400> doesn't<00:24:03.640> work<00:24:03.880> right<00:24:04.039> away<00:24:04.760> with 00:24:04.909 --> 00:24:04.919 align:start position:0% something doesn't work right away with 00:24:04.919 --> 00:24:07.149 align:start position:0% something doesn't work right away with the<00:24:05.080> fetch<00:24:05.880> not<00:24:06.039> normalizing<00:24:06.600> it<00:24:06.799> or<00:24:06.960> with<00:24:07.080> the 00:24:07.149 --> 00:24:07.159 align:start position:0% the fetch not normalizing it or with the 00:24:07.159 --> 00:24:09.430 align:start position:0% the fetch not normalizing it or with the server<00:24:07.440> not<00:24:07.600> normalizing<00:24:08.200> it<00:24:08.919> make<00:24:09.039> sure<00:24:09.240> you 00:24:09.430 --> 00:24:09.440 align:start position:0% server not normalizing it make sure you 00:24:09.440 --> 00:24:10.510 align:start position:0% server not normalizing it make sure you kind<00:24:09.559> of<00:24:09.679> play<00:24:09.880> around<00:24:10.120> with<00:24:10.279> all<00:24:10.400> your 00:24:10.510 --> 00:24:10.520 align:start position:0% kind of play around with all your 00:24:10.520 --> 00:24:11.789 align:start position:0% kind of play around with all your different<00:24:10.760> encodings<00:24:11.240> and<00:24:11.360> see<00:24:11.559> what<00:24:11.679> the 00:24:11.789 --> 00:24:11.799 align:start position:0% different encodings and see what the 00:24:11.799 --> 00:24:13.830 align:start position:0% different encodings and see what the server<00:24:12.120> does<00:24:12.520> because<00:24:13.120> a<00:24:13.240> lot<00:24:13.400> more<00:24:13.559> things 00:24:13.830 --> 00:24:13.840 align:start position:0% server does because a lot more things 00:24:13.840 --> 00:24:15.590 align:start position:0% server does because a lot more things are<00:24:13.960> exploitable<00:24:14.520> that<00:24:14.679> way<00:24:15.200> than<00:24:15.320> you<00:24:15.440> would 00:24:15.590 --> 00:24:15.600 align:start position:0% are exploitable that way than you would 00:24:15.600 --> 00:24:18.830 align:start position:0% are exploitable that way than you would think<00:24:15.880> and<00:24:16.000> I<00:24:16.120> I'll<00:24:16.240> show<00:24:16.400> you<00:24:16.520> more<00:24:16.679> on<00:24:16.840> that 00:24:18.830 --> 00:24:18.840 align:start position:0% think and I I'll show you more on that 00:24:18.840 --> 00:24:21.789 align:start position:0% think and I I'll show you more on that later<00:24:19.840> okay<00:24:20.000> so<00:24:20.200> now<00:24:20.400> we've<00:24:20.799> um<00:24:21.039> redirected 00:24:21.789 --> 00:24:21.799 align:start position:0% later okay so now we've um redirected 00:24:21.799 --> 00:24:24.190 align:start position:0% later okay so now we've um redirected off<00:24:22.799> we<00:24:22.880> can<00:24:23.000> see<00:24:23.240> right<00:24:23.440> here<00:24:23.919> that<00:24:24.039> the 00:24:24.190 --> 00:24:24.200 align:start position:0% off we can see right here that the 00:24:24.200 --> 00:24:27.269 align:start position:0% off we can see right here that the location<00:24:24.640> is<00:24:24.799> specifying<00:24:25.279> to<00:24:25.640> my<00:24:25.840> PC<00:24:26.279> server 00:24:27.269 --> 00:24:27.279 align:start position:0% location is specifying to my PC server 00:24:27.279 --> 00:24:28.510 align:start position:0% location is specifying to my PC server and<00:24:27.360> then<00:24:27.480> the<00:24:27.559> next<00:24:27.880> thing<00:24:28.000> we<00:24:28.080> see<00:24:28.240> is<00:24:28.320> an 00:24:28.510 --> 00:24:28.520 align:start position:0% and then the next thing we see is an 00:24:28.520 --> 00:24:32.029 align:start position:0% and then the next thing we see is an options<00:24:28.960> request<00:24:29.559> okay<00:24:29.960> so<00:24:30.159> this<00:24:30.279> is<00:24:30.520> a<00:24:30.840> a<00:24:31.120> um<00:24:31.799> a 00:24:32.029 --> 00:24:32.039 align:start position:0% options request okay so this is a a um a 00:24:32.039 --> 00:24:33.389 align:start position:0% options request okay so this is a a um a a<00:24:32.159> function<00:24:32.399> of<00:24:32.520> the<00:24:32.640> browser<00:24:33.039> security 00:24:33.389 --> 00:24:33.399 align:start position:0% a function of the browser security 00:24:33.399 --> 00:24:36.350 align:start position:0% a function of the browser security mechanisms<00:24:34.039> right<00:24:34.799> and<00:24:35.200> this<00:24:35.320> is<00:24:35.480> going<00:24:35.559> to<00:24:35.799> be 00:24:36.350 --> 00:24:36.360 align:start position:0% mechanisms right and this is going to be 00:24:36.360 --> 00:24:38.149 align:start position:0% mechanisms right and this is going to be to<00:24:36.600> check<00:24:37.039> this<00:24:37.120> is<00:24:37.279> because<00:24:37.480> we're<00:24:37.600> sending<00:24:38.000> a 00:24:38.149 --> 00:24:38.159 align:start position:0% to check this is because we're sending a 00:24:38.159 --> 00:24:40.830 align:start position:0% to check this is because we're sending a complex<00:24:38.640> request<00:24:39.120> across<00:24:39.880> the<00:24:40.320> to<00:24:40.480> a<00:24:40.600> cross 00:24:40.830 --> 00:24:40.840 align:start position:0% complex request across the to a cross 00:24:40.840 --> 00:24:42.830 align:start position:0% complex request across the to a cross origin<00:24:41.240> site<00:24:41.799> luckily<00:24:42.200> in<00:24:42.320> this<00:24:42.440> scenario 00:24:42.830 --> 00:24:42.840 align:start position:0% origin site luckily in this scenario 00:24:42.840 --> 00:24:44.950 align:start position:0% origin site luckily in this scenario we're<00:24:43.080> the<00:24:43.200> cross<00:24:43.440> origin<00:24:43.880> site<00:24:44.360> so<00:24:44.559> we<00:24:44.720> can 00:24:44.950 --> 00:24:44.960 align:start position:0% we're the cross origin site so we can 00:24:44.960 --> 00:24:47.389 align:start position:0% we're the cross origin site so we can actually<00:24:45.320> respond<00:24:45.840> with<00:24:46.799> Access<00:24:47.080> Control 00:24:47.389 --> 00:24:47.399 align:start position:0% actually respond with Access Control 00:24:47.399 --> 00:24:49.909 align:start position:0% actually respond with Access Control allow<00:24:47.679> headers<00:24:48.200> star<00:24:48.919> Access<00:24:49.240> Control<00:24:49.679> allow 00:24:49.909 --> 00:24:49.919 align:start position:0% allow headers star Access Control allow 00:24:49.919 --> 00:24:52.350 align:start position:0% allow headers star Access Control allow origin<00:24:50.320> star<00:24:50.960> and<00:24:51.120> that<00:24:51.240> will<00:24:51.440> allow<00:24:52.039> the 00:24:52.350 --> 00:24:52.360 align:start position:0% origin star and that will allow the 00:24:52.360 --> 00:24:56.029 align:start position:0% origin star and that will allow the fetch<00:24:53.360> uh<00:24:53.440> fetch<00:24:53.799> request<00:24:54.240> to<00:24:54.520> send<00:24:55.080> the<00:24:55.200> curf 00:24:56.029 --> 00:24:56.039 align:start position:0% fetch uh fetch request to send the curf 00:24:56.039 --> 00:24:59.230 align:start position:0% fetch uh fetch request to send the curf token<00:24:56.520> to<00:24:56.720> our<00:24:56.919> server<00:24:57.360> okay 00:24:59.230 --> 00:24:59.240 align:start position:0% token to our server okay 00:24:59.240 --> 00:25:01.110 align:start position:0% token to our server okay and<00:24:59.399> then<00:24:59.720> once<00:24:59.919> it<00:25:00.039> gets<00:25:00.240> the<00:25:00.399> permission<00:25:01.039> we 00:25:01.110 --> 00:25:01.120 align:start position:0% and then once it gets the permission we 00:25:01.120 --> 00:25:02.750 align:start position:0% and then once it gets the permission we can<00:25:01.279> see<00:25:01.480> that<00:25:01.600> it<00:25:01.760> actually<00:25:01.919> sends<00:25:02.279> the 00:25:02.750 --> 00:25:02.760 align:start position:0% can see that it actually sends the 00:25:02.760 --> 00:25:05.870 align:start position:0% can see that it actually sends the request<00:25:03.760> and<00:25:04.480> uh<00:25:04.720> in<00:25:04.840> the<00:25:05.000> request<00:25:05.279> headers<00:25:05.720> we 00:25:05.870 --> 00:25:05.880 align:start position:0% request and uh in the request headers we 00:25:05.880 --> 00:25:06.630 align:start position:0% request and uh in the request headers we can 00:25:06.630 --> 00:25:06.640 align:start position:0% can 00:25:06.640 --> 00:25:10.590 align:start position:0% can see<00:25:07.640> the<00:25:07.840> lovely<00:25:08.799> XC<00:25:09.240> surf<00:25:09.520> token<00:25:10.039> right<00:25:10.240> there 00:25:10.590 --> 00:25:10.600 align:start position:0% see the lovely XC surf token right there 00:25:10.600 --> 00:25:12.750 align:start position:0% see the lovely XC surf token right there which<00:25:10.760> we've<00:25:10.919> now<00:25:11.039> leaked<00:25:11.360> to<00:25:11.559> the<00:25:11.760> attackers 00:25:12.750 --> 00:25:12.760 align:start position:0% which we've now leaked to the attackers 00:25:12.760 --> 00:25:15.789 align:start position:0% which we've now leaked to the attackers uh<00:25:12.960> page<00:25:13.880> um<00:25:14.080> which<00:25:14.200> should<00:25:14.399> result<00:25:14.679> in<00:25:14.760> a<00:25:14.880> curf 00:25:15.789 --> 00:25:15.799 align:start position:0% uh page um which should result in a curf 00:25:15.799 --> 00:25:19.830 align:start position:0% uh page um which should result in a curf uh<00:25:15.919> depending<00:25:16.159> on<00:25:16.279> the<00:25:16.840> configuration 00:25:19.830 --> 00:25:19.840 align:start position:0% uh depending on the configuration 00:25:19.840 --> 00:25:23.230 align:start position:0% uh depending on the configuration um<00:25:20.840> man<00:25:21.240> thr's<00:25:21.520> a<00:25:21.600> little<00:25:21.760> dry<00:25:21.960> today<00:25:22.279> sorry 00:25:23.230 --> 00:25:23.240 align:start position:0% um man thr's a little dry today sorry 00:25:23.240 --> 00:25:25.549 align:start position:0% um man thr's a little dry today sorry guys<00:25:24.240> um<00:25:24.679> all<00:25:24.799> right<00:25:24.960> so<00:25:25.080> that's<00:25:25.240> the<00:25:25.360> first 00:25:25.549 --> 00:25:25.559 align:start position:0% guys um all right so that's the first 00:25:25.559 --> 00:25:26.950 align:start position:0% guys um all right so that's the first one<00:25:25.919> how<00:25:26.000> do<00:25:26.080> you<00:25:26.200> guys<00:25:26.320> feel<00:25:26.480> about<00:25:26.679> that<00:25:26.760> one 00:25:26.950 --> 00:25:26.960 align:start position:0% one how do you guys feel about that one 00:25:26.960 --> 00:25:28.230 align:start position:0% one how do you guys feel about that one any<00:25:27.200> any<00:25:27.360> questions 00:25:28.230 --> 00:25:28.240 align:start position:0% any any questions 00:25:28.240 --> 00:25:39.310 align:start position:0% any any questions any<00:25:28.440> questions 00:25:39.310 --> 00:25:39.320 align:start position:0% 00:25:39.320 --> 00:25:40.990 align:start position:0% there<00:25:40.320> all 00:25:40.990 --> 00:25:41.000 align:start position:0% there all 00:25:41.000 --> 00:25:43.230 align:start position:0% there all right<00:25:42.000> uh<00:25:42.120> can<00:25:42.240> you<00:25:42.320> put<00:25:42.440> the<00:25:42.520> URL<00:25:42.799> in<00:25:42.880> the<00:25:43.000> chat 00:25:43.230 --> 00:25:43.240 align:start position:0% right uh can you put the URL in the chat 00:25:43.240 --> 00:25:46.510 align:start position:0% right uh can you put the URL in the chat yeah<00:25:43.399> the<00:25:43.520> final<00:25:43.799> URL<00:25:44.679> absolutely<00:25:45.679> um<00:25:46.279> Here's 00:25:46.510 --> 00:25:46.520 align:start position:0% yeah the final URL absolutely um Here's 00:25:46.520 --> 00:25:48.190 align:start position:0% yeah the final URL absolutely um Here's the<00:25:46.640> final<00:25:46.880> URL<00:25:47.480> right 00:25:48.190 --> 00:25:48.200 align:start position:0% the final URL right 00:25:48.200 --> 00:25:51.470 align:start position:0% the final URL right here<00:25:49.200> and<00:25:49.760> uh<00:25:50.760> yeah<00:25:50.919> for<00:25:51.080> those<00:25:51.200> of<00:25:51.320> you 00:25:51.470 --> 00:25:51.480 align:start position:0% here and uh yeah for those of you 00:25:51.480 --> 00:25:53.710 align:start position:0% here and uh yeah for those of you afterwards<00:25:52.320> um<00:25:52.520> I'll<00:25:52.760> I'll<00:25:52.960> publish<00:25:53.240> my<00:25:53.360> notes 00:25:53.710 --> 00:25:53.720 align:start position:0% afterwards um I'll I'll publish my notes 00:25:53.720 --> 00:25:59.149 align:start position:0% afterwards um I'll I'll publish my notes as<00:25:53.840> well<00:25:54.279> so<00:25:54.600> you<00:25:54.760> can<00:25:55.120> um<00:25:55.919> see<00:25:56.919> the<00:25:58.120> results<00:25:58.960> um 00:25:59.149 --> 00:25:59.159 align:start position:0% as well so you can um see the results um 00:25:59.159 --> 00:26:01.389 align:start position:0% as well so you can um see the results um clo<00:25:59.679> it<00:25:59.880> really<00:26:00.240> depends<00:26:00.600> on<00:26:00.760> what<00:26:00.880> the<00:26:01.039> impact 00:26:01.389 --> 00:26:01.399 align:start position:0% clo it really depends on what the impact 00:26:01.399 --> 00:26:03.750 align:start position:0% clo it really depends on what the impact is<00:26:01.640> right<00:26:01.840> so<00:26:02.039> you'll<00:26:02.240> see<00:26:02.679> a<00:26:03.000> uh<00:26:03.320> a<00:26:03.440> client 00:26:03.750 --> 00:26:03.760 align:start position:0% is right so you'll see a uh a client 00:26:03.760 --> 00:26:06.029 align:start position:0% is right so you'll see a uh a client side<00:26:03.919> path<00:26:04.080> reversal<00:26:04.799> later<00:26:05.440> um<00:26:05.760> that<00:26:05.960> that 00:26:06.029 --> 00:26:06.039 align:start position:0% side path reversal later um that that 00:26:06.039 --> 00:26:09.029 align:start position:0% side path reversal later um that that I'll<00:26:06.200> talk<00:26:06.320> to<00:26:06.399> you<00:26:06.520> about<00:26:07.360> that<00:26:08.080> uh<00:26:08.559> has<00:26:08.760> a<00:26:08.880> lot 00:26:09.029 --> 00:26:09.039 align:start position:0% I'll talk to you about that uh has a lot 00:26:09.039 --> 00:26:10.950 align:start position:0% I'll talk to you about that uh has a lot of<00:26:09.240> impact<00:26:09.840> and<00:26:10.159> actually<00:26:10.399> ended<00:26:10.640> up<00:26:10.760> getting 00:26:10.950 --> 00:26:10.960 align:start position:0% of impact and actually ended up getting 00:26:10.960 --> 00:26:14.230 align:start position:0% of impact and actually ended up getting a<00:26:11.000> showand<00:26:11.399> tell<00:26:12.360> and<00:26:12.919> uh<00:26:13.440> you<00:26:13.640> know<00:26:13.840> resulted 00:26:14.230 --> 00:26:14.240 align:start position:0% a showand tell and uh you know resulted 00:26:14.240 --> 00:26:17.029 align:start position:0% a showand tell and uh you know resulted in<00:26:14.480> some<00:26:14.799> pretty<00:26:15.159> bad<00:26:15.399> stuff<00:26:15.760> happening<00:26:16.760> um 00:26:17.029 --> 00:26:17.039 align:start position:0% in some pretty bad stuff happening um 00:26:17.039 --> 00:26:19.110 align:start position:0% in some pretty bad stuff happening um for<00:26:17.600> a<00:26:17.720> given<00:26:18.000> app<00:26:18.440> um<00:26:18.559> so<00:26:18.720> it<00:26:18.799> really<00:26:19.000> just 00:26:19.110 --> 00:26:19.120 align:start position:0% for a given app um so it really just 00:26:19.120 --> 00:26:20.430 align:start position:0% for a given app um so it really just depends<00:26:19.440> on<00:26:19.559> the<00:26:19.679> way<00:26:19.799> you're<00:26:19.960> able<00:26:20.120> to<00:26:20.240> chain 00:26:20.430 --> 00:26:20.440 align:start position:0% depends on the way you're able to chain 00:26:20.440 --> 00:26:22.190 align:start position:0% depends on the way you're able to chain it<00:26:20.679> together<00:26:21.159> right<00:26:21.640> in<00:26:21.760> this<00:26:21.840> scenario<00:26:22.159> if 00:26:22.190 --> 00:26:22.200 align:start position:0% it together right in this scenario if 00:26:22.200 --> 00:26:23.950 align:start position:0% it together right in this scenario if you're<00:26:22.320> leaking<00:26:22.559> the<00:26:22.679> SE<00:26:22.919> surf<00:26:23.120> token<00:26:23.840> then 00:26:23.950 --> 00:26:23.960 align:start position:0% you're leaking the SE surf token then 00:26:23.960 --> 00:26:25.870 align:start position:0% you're leaking the SE surf token then you<00:26:24.080> should<00:26:24.240> be<00:26:24.360> able<00:26:24.559> to<00:26:24.760> perform<00:26:25.399> arbitrary 00:26:25.870 --> 00:26:25.880 align:start position:0% you should be able to perform arbitrary 00:26:25.880 --> 00:26:27.389 align:start position:0% you should be able to perform arbitrary SE<00:26:26.159> surf<00:26:26.360> depending<00:26:26.600> on<00:26:26.720> the<00:26:26.799> configuration 00:26:27.389 --> 00:26:27.399 align:start position:0% SE surf depending on the configuration 00:26:27.399 --> 00:26:29.630 align:start position:0% SE surf depending on the configuration right<00:26:27.960> and<00:26:28.200> that<00:26:28.360> normally<00:26:28.840> has<00:26:29.080> a<00:26:29.279> lot<00:26:29.440> of 00:26:29.630 --> 00:26:29.640 align:start position:0% right and that normally has a lot of 00:26:29.640 --> 00:26:32.710 align:start position:0% right and that normally has a lot of impact<00:26:30.679> um<00:26:31.679> once<00:26:31.919> again<00:26:32.200> all<00:26:32.360> depending<00:26:32.640> on 00:26:32.710 --> 00:26:32.720 align:start position:0% impact um once again all depending on 00:26:32.720 --> 00:26:34.990 align:start position:0% impact um once again all depending on the<00:26:33.240> configuration<00:26:34.240> all<00:26:34.360> right<00:26:34.520> so<00:26:34.679> let's<00:26:34.880> go 00:26:34.990 --> 00:26:35.000 align:start position:0% the configuration all right so let's go 00:26:35.000 --> 00:26:36.549 align:start position:0% the configuration all right so let's go ahead<00:26:35.200> and<00:26:35.320> move<00:26:35.520> to<00:26:35.679> the<00:26:35.760> next<00:26:35.919> one<00:26:36.120> now<00:26:36.440> this 00:26:36.549 --> 00:26:36.559 align:start position:0% ahead and move to the next one now this 00:26:36.559 --> 00:26:41.190 align:start position:0% ahead and move to the next one now this is<00:26:36.840> a<00:26:37.279> a<00:26:37.440> post<00:26:37.799> based<00:26:38.720> one<00:26:39.520> okay<00:26:40.520> and<00:26:40.799> I've<00:26:40.960> also 00:26:41.190 --> 00:26:41.200 align:start position:0% is a a post based one okay and I've also 00:26:41.200 --> 00:26:44.950 align:start position:0% is a a post based one okay and I've also set<00:26:41.440> up<00:26:41.840> a<00:26:42.480> um<00:26:43.039> I've<00:26:43.200> also<00:26:43.399> set<00:26:43.640> up 00:26:44.950 --> 00:26:44.960 align:start position:0% set up a um I've also set up 00:26:44.960 --> 00:26:49.549 align:start position:0% set up a um I've also set up a<00:26:45.960> PHP<00:26:46.360> file<00:26:46.640> here<00:26:46.919> called<00:26:47.200> change.<00:26:48.159> PHP<00:26:49.159> and 00:26:49.549 --> 00:26:49.559 align:start position:0% a PHP file here called change. PHP and 00:26:49.559 --> 00:26:51.470 align:start position:0% a PHP file here called change. PHP and this<00:26:49.679> one<00:26:49.840> will<00:26:49.960> say<00:26:50.159> no<00:26:50.360> Cerf<00:26:50.919> token<00:26:51.279> if<00:26:51.360> you 00:26:51.470 --> 00:26:51.480 align:start position:0% this one will say no Cerf token if you 00:26:51.480 --> 00:26:53.830 align:start position:0% this one will say no Cerf token if you don't<00:26:51.720> have<00:26:51.799> a<00:26:51.880> Cerf<00:26:52.279> token<00:26:52.480> in<00:26:52.600> the<00:26:52.840> request 00:26:53.830 --> 00:26:53.840 align:start position:0% don't have a Cerf token in the request 00:26:53.840 --> 00:26:56.310 align:start position:0% don't have a Cerf token in the request um<00:26:54.080> and<00:26:54.240> if<00:26:54.360> you<00:26:54.559> do<00:26:54.880> have<00:26:55.080> a<00:26:55.480> A<00:26:55.600> Cerf<00:26:56.039> token<00:26:56.279> in 00:26:56.310 --> 00:26:56.320 align:start position:0% um and if you do have a A Cerf token in 00:26:56.320 --> 00:26:58.430 align:start position:0% um and if you do have a A Cerf token in the<00:26:56.440> request<00:26:56.760> and<00:26:56.919> the<00:26:57.080> ID 00:26:58.430 --> 00:26:58.440 align:start position:0% the request and the ID 00:26:58.440 --> 00:27:00.510 align:start position:0% the request and the ID and<00:26:58.760> you've<00:26:58.919> got<00:26:59.039> the<00:26:59.200> ID<00:26:59.520> parameter<00:27:00.279> then<00:27:00.399> it 00:27:00.510 --> 00:27:00.520 align:start position:0% and you've got the ID parameter then it 00:27:00.520 --> 00:27:03.510 align:start position:0% and you've got the ID parameter then it will<00:27:00.679> say<00:27:01.039> hey<00:27:01.520> you've<00:27:01.799> changed<00:27:02.440> XYZ<00:27:03.039> object 00:27:03.510 --> 00:27:03.520 align:start position:0% will say hey you've changed XYZ object 00:27:03.520 --> 00:27:06.430 align:start position:0% will say hey you've changed XYZ object okay<00:27:04.279> so<00:27:04.720> the<00:27:04.960> the<00:27:05.080> goal<00:27:05.320> for<00:27:05.520> this<00:27:05.960> challenge 00:27:06.430 --> 00:27:06.440 align:start position:0% okay so the the goal for this challenge 00:27:06.440 --> 00:27:09.350 align:start position:0% okay so the the goal for this challenge is<00:27:06.559> to<00:27:06.799> hit<00:27:07.240> this<00:27:07.880> to<00:27:08.080> force<00:27:08.600> the<00:27:08.760> post<00:27:09.039> request 00:27:09.350 --> 00:27:09.360 align:start position:0% is to hit this to force the post request 00:27:09.360 --> 00:27:11.909 align:start position:0% is to hit this to force the post request to<00:27:09.520> hit<00:27:09.799> this 00:27:11.909 --> 00:27:11.919 align:start position:0% to hit this 00:27:11.919 --> 00:27:15.510 align:start position:0% to hit this endpoint<00:27:12.919> um<00:27:13.279> and<00:27:13.640> then<00:27:14.640> and<00:27:14.799> then<00:27:14.960> use<00:27:15.279> that 00:27:15.510 --> 00:27:15.520 align:start position:0% endpoint um and then and then use that 00:27:15.520 --> 00:27:17.990 align:start position:0% endpoint um and then and then use that to<00:27:15.880> change<00:27:16.600> the<00:27:16.919> the<00:27:17.080> object<00:27:17.440> there<00:27:17.679> so<00:27:17.880> in 00:27:17.990 --> 00:27:18.000 align:start position:0% to change the the object there so in 00:27:18.000 --> 00:27:20.230 align:start position:0% to change the the object there so in this<00:27:18.120> scenario<00:27:18.600> it's<00:27:18.760> sort<00:27:18.919> of<00:27:19.200> mimicking<00:27:19.840> a<00:27:19.960> c 00:27:20.230 --> 00:27:20.240 align:start position:0% this scenario it's sort of mimicking a c 00:27:20.240 --> 00:27:22.909 align:start position:0% this scenario it's sort of mimicking a c surf<00:27:20.520> attack<00:27:21.000> okay<00:27:21.960> um<00:27:22.120> and<00:27:22.200> then<00:27:22.320> agent<00:27:22.600> Melo 00:27:22.909 --> 00:27:22.919 align:start position:0% surf attack okay um and then agent Melo 00:27:22.919 --> 00:27:26.070 align:start position:0% surf attack okay um and then agent Melo says<00:27:23.240> why<00:27:23.600> is<00:27:23.720> it<00:27:23.840> doing<00:27:24.080> keep<00:27:24.320> alive<00:27:25.080> pending 00:27:26.070 --> 00:27:26.080 align:start position:0% says why is it doing keep alive pending 00:27:26.080 --> 00:27:29.750 align:start position:0% says why is it doing keep alive pending on<00:27:26.440> how<00:27:27.120> p<00:27:27.640> P<00:27:27.799> redirect<00:27:28.279> is<00:27:28.559> written<00:27:29.559> uh<00:27:29.679> you 00:27:29.750 --> 00:27:29.760 align:start position:0% on how p P redirect is written uh you 00:27:29.760 --> 00:27:30.950 align:start position:0% on how p P redirect is written uh you know<00:27:29.919> I'm<00:27:30.000> not<00:27:30.120> sure<00:27:30.360> the<00:27:30.480> answer<00:27:30.679> to<00:27:30.799> that 00:27:30.950 --> 00:27:30.960 align:start position:0% know I'm not sure the answer to that 00:27:30.960 --> 00:27:32.350 align:start position:0% know I'm not sure the answer to that question<00:27:31.240> I'm<00:27:31.360> not<00:27:31.480> sure<00:27:31.760> that<00:27:31.880> it's<00:27:32.080> super 00:27:32.350 --> 00:27:32.360 align:start position:0% question I'm not sure that it's super 00:27:32.360 --> 00:27:35.430 align:start position:0% question I'm not sure that it's super relevant<00:27:33.039> um<00:27:33.320> for<00:27:33.520> this<00:27:33.640> sort<00:27:33.799> of<00:27:34.120> exploit<00:27:35.120> uh 00:27:35.430 --> 00:27:35.440 align:start position:0% relevant um for this sort of exploit uh 00:27:35.440 --> 00:27:37.710 align:start position:0% relevant um for this sort of exploit uh but<00:27:35.840> I<00:27:36.159> the<00:27:36.279> redirect<00:27:36.840> PHP<00:27:37.159> file<00:27:37.360> is<00:27:37.559> very 00:27:37.710 --> 00:27:37.720 align:start position:0% but I the redirect PHP file is very 00:27:37.720 --> 00:27:39.870 align:start position:0% but I the redirect PHP file is very simply<00:27:38.039> written<00:27:38.440> all<00:27:38.559> it<00:27:38.720> does<00:27:38.960> is<00:27:39.559> open<00:27:39.760> the 00:27:39.870 --> 00:27:39.880 align:start position:0% simply written all it does is open the 00:27:39.880 --> 00:27:42.470 align:start position:0% simply written all it does is open the PHP<00:27:40.279> tag<00:27:41.279> insert<00:27:41.640> the<00:27:41.760> location<00:27:42.120> header<00:27:42.399> and 00:27:42.470 --> 00:27:42.480 align:start position:0% PHP tag insert the location header and 00:27:42.480 --> 00:27:49.190 align:start position:0% PHP tag insert the location header and then<00:27:42.600> close<00:27:42.840> the<00:27:42.919> PHP<00:27:43.279> tag<00:27:43.559> so<00:27:44.159> that's 00:27:49.190 --> 00:27:49.200 align:start position:0% 00:27:49.200 --> 00:27:53.190 align:start position:0% it<00:27:50.200> that's<00:27:50.399> interesting<00:27:51.320> that'sa<00:27:52.320> um<00:27:52.960> why<00:27:53.120> I 00:27:53.190 --> 00:27:53.200 align:start position:0% it that's interesting that'sa um why I 00:27:53.200 --> 00:27:56.149 align:start position:0% it that's interesting that'sa um why I wonder<00:27:53.480> why<00:27:53.640> that<00:27:53.799> is<00:27:54.640> normally<00:27:55.039> if<00:27:55.159> I<00:27:55.279> can<00:27:55.519> ex 00:27:56.149 --> 00:27:56.159 align:start position:0% wonder why that is normally if I can ex 00:27:56.159 --> 00:27:59.190 align:start position:0% wonder why that is normally if I can ex uh<00:27:56.679> exfiltrate<00:27:57.120> a<00:27:57.200> CA<00:27:57.760> token<00:27:58.679> it<00:27:58.880> has<00:27:59.000> some 00:27:59.190 --> 00:27:59.200 align:start position:0% uh exfiltrate a CA token it has some 00:27:59.200 --> 00:28:02.070 align:start position:0% uh exfiltrate a CA token it has some pretty<00:27:59.480> bad<00:28:00.039> implications<00:28:00.960> but<00:28:01.720> maybe<00:28:01.960> I'm 00:28:02.070 --> 00:28:02.080 align:start position:0% pretty bad implications but maybe I'm 00:28:02.080 --> 00:28:04.269 align:start position:0% pretty bad implications but maybe I'm missing<00:28:02.360> something 00:28:04.269 --> 00:28:04.279 align:start position:0% missing something 00:28:04.279 --> 00:28:06.110 align:start position:0% missing something there<00:28:05.279> unlikely<00:28:05.760> though<00:28:05.919> because<00:28:06.039> I've 00:28:06.110 --> 00:28:06.120 align:start position:0% there unlikely though because I've 00:28:06.120 --> 00:28:07.750 align:start position:0% there unlikely though because I've gotten<00:28:06.279> a<00:28:06.360> lot<00:28:06.440> of<00:28:06.519> bounties<00:28:06.840> with<00:28:06.960> it 00:28:07.750 --> 00:28:07.760 align:start position:0% gotten a lot of bounties with it 00:28:07.760 --> 00:28:09.830 align:start position:0% gotten a lot of bounties with it so 00:28:09.830 --> 00:28:09.840 align:start position:0% so 00:28:09.840 --> 00:28:11.870 align:start position:0% so um<00:28:10.840> let's<00:28:11.039> go<00:28:11.159> ahead<00:28:11.320> and<00:28:11.440> take<00:28:11.559> a<00:28:11.640> look<00:28:11.760> at 00:28:11.870 --> 00:28:11.880 align:start position:0% um let's go ahead and take a look at 00:28:11.880 --> 00:28:13.950 align:start position:0% um let's go ahead and take a look at this<00:28:12.080> post<00:28:12.519> post<00:28:12.799> Bas<00:28:13.080> one<00:28:13.559> let's<00:28:13.679> look<00:28:13.799> at<00:28:13.880> the 00:28:13.950 --> 00:28:13.960 align:start position:0% this post post Bas one let's look at the 00:28:13.960 --> 00:28:15.950 align:start position:0% this post post Bas one let's look at the source<00:28:14.159> code<00:28:14.440> here<00:28:15.440> okay<00:28:15.559> so<00:28:15.679> here's<00:28:15.840> the 00:28:15.950 --> 00:28:15.960 align:start position:0% source code here okay so here's the 00:28:15.960 --> 00:28:17.549 align:start position:0% source code here okay so here's the source<00:28:16.200> code<00:28:16.360> it's<00:28:16.440> a<00:28:16.519> little<00:28:16.679> bit<00:28:16.840> different 00:28:17.549 --> 00:28:17.559 align:start position:0% source code it's a little bit different 00:28:17.559 --> 00:28:20.750 align:start position:0% source code it's a little bit different this<00:28:17.799> in<00:28:17.919> this<00:28:18.360> scenario<00:28:19.360> um<00:28:19.880> it<00:28:20.039> takes<00:28:20.320> an<00:28:20.480> ID 00:28:20.750 --> 00:28:20.760 align:start position:0% this in this scenario um it takes an ID 00:28:20.760 --> 00:28:22.909 align:start position:0% this in this scenario um it takes an ID from<00:28:20.880> the<00:28:21.000> URL<00:28:21.799> and<00:28:21.919> then<00:28:22.039> it<00:28:22.200> concatenates<00:28:22.760> it 00:28:22.909 --> 00:28:22.919 align:start position:0% from the URL and then it concatenates it 00:28:22.919 --> 00:28:25.110 align:start position:0% from the URL and then it concatenates it with<00:28:23.039> a<00:28:23.240> tracking<00:28:23.840> post<00:28:24.159> request<00:28:24.679> okay<00:28:24.919> so 00:28:25.110 --> 00:28:25.120 align:start position:0% with a tracking post request okay so 00:28:25.120 --> 00:28:26.950 align:start position:0% with a tracking post request okay so this<00:28:25.320> request<00:28:25.600> is<00:28:25.720> going<00:28:25.840> to<00:28:26.000> send<00:28:26.600> a<00:28:26.720> post 00:28:26.950 --> 00:28:26.960 align:start position:0% this request is going to send a post 00:28:26.960 --> 00:28:30.110 align:start position:0% this request is going to send a post request<00:28:27.240> to<00:28:27.600> SL<00:28:27.840> tring<00:28:28.159> SLV<00:28:28.559> visited<00:28:29.159> and<00:28:29.320> then 00:28:30.110 --> 00:28:30.120 align:start position:0% request to SL tring SLV visited and then 00:28:30.120 --> 00:28:33.190 align:start position:0% request to SL tring SLV visited and then input<00:28:30.440> our<00:28:30.960> ID<00:28:31.960> and<00:28:32.080> it's<00:28:32.240> going<00:28:32.360> to<00:28:32.519> be<00:28:32.720> method 00:28:33.190 --> 00:28:33.200 align:start position:0% input our ID and it's going to be method 00:28:33.200 --> 00:28:36.350 align:start position:0% input our ID and it's going to be method post<00:28:33.960> okay<00:28:34.960> um<00:28:35.360> and<00:28:35.559> so<00:28:35.919> what<00:28:36.000> we're<00:28:36.159> going<00:28:36.240> to 00:28:36.350 --> 00:28:36.360 align:start position:0% post okay um and so what we're going to 00:28:36.360 --> 00:28:37.909 align:start position:0% post okay um and so what we're going to do<00:28:36.559> is<00:28:36.799> hijack<00:28:37.200> this<00:28:37.360> request<00:28:37.640> using<00:28:37.840> the 00:28:37.909 --> 00:28:37.919 align:start position:0% do is hijack this request using the 00:28:37.919 --> 00:28:41.950 align:start position:0% do is hijack this request using the client<00:28:38.240> side<00:28:38.360> path<00:28:38.720> rsal<00:28:39.720> and<00:28:40.399> uh<00:28:41.000> modify<00:28:41.720> an 00:28:41.950 --> 00:28:41.960 align:start position:0% client side path rsal and uh modify an 00:28:41.960 --> 00:28:44.509 align:start position:0% client side path rsal and uh modify an arbitrary<00:28:42.519> object<00:28:42.919> on<00:28:43.039> the<00:28:43.120> server<00:28:43.760> okay<00:28:44.320> so 00:28:44.509 --> 00:28:44.519 align:start position:0% arbitrary object on the server okay so 00:28:44.519 --> 00:28:46.590 align:start position:0% arbitrary object on the server okay so let's<00:28:44.720> go<00:28:44.840> ahead<00:28:45.080> and<00:28:45.320> and<00:28:45.519> go<00:28:45.720> to<00:28:46.360> uh<00:28:46.480> the 00:28:46.590 --> 00:28:46.600 align:start position:0% let's go ahead and and go to uh the 00:28:46.600 --> 00:28:48.990 align:start position:0% let's go ahead and and go to uh the actual<00:28:46.960> page<00:28:47.960> we'll<00:28:48.200> specify<00:28:48.559> the<00:28:48.679> ID 00:28:48.990 --> 00:28:49.000 align:start position:0% actual page we'll specify the ID 00:28:49.000 --> 00:28:51.110 align:start position:0% actual page we'll specify the ID parameter<00:28:49.799> and<00:28:49.919> we'll<00:28:50.120> just<00:28:50.240> sort<00:28:50.399> of<00:28:50.640> see 00:28:51.110 --> 00:28:51.120 align:start position:0% parameter and we'll just sort of see 00:28:51.120 --> 00:28:53.149 align:start position:0% parameter and we'll just sort of see what<00:28:51.279> actually<00:28:51.640> happens<00:28:52.039> here<00:28:52.360> so<00:28:52.519> if<00:28:52.679> we 00:28:53.149 --> 00:28:53.159 align:start position:0% what actually happens here so if we 00:28:53.159 --> 00:28:55.070 align:start position:0% what actually happens here so if we inspect<00:28:53.600> and<00:28:53.840> go<00:28:53.960> to<00:28:54.080> network<00:28:54.679> also<00:28:54.880> we<00:28:54.960> could 00:28:55.070 --> 00:28:55.080 align:start position:0% inspect and go to network also we could 00:28:55.080 --> 00:28:57.070 align:start position:0% inspect and go to network also we could be<00:28:55.200> doing<00:28:55.360> this<00:28:55.480> with<00:28:55.600> burp<00:28:55.919> as<00:28:56.039> well<00:28:56.240> or<00:28:56.480> or<00:28:56.960> or 00:28:57.070 --> 00:28:57.080 align:start position:0% be doing this with burp as well or or or 00:28:57.080 --> 00:28:58.549 align:start position:0% be doing this with burp as well or or or whatever 00:28:58.549 --> 00:28:58.559 align:start position:0% whatever 00:28:58.559 --> 00:29:02.070 align:start position:0% whatever um<00:28:59.559> but<00:29:00.480> yeah<00:29:00.840> I<00:29:00.960> figure<00:29:01.240> it's<00:29:01.440> just<00:29:01.720> easier<00:29:02.000> to 00:29:02.070 --> 00:29:02.080 align:start position:0% um but yeah I figure it's just easier to 00:29:02.080 --> 00:29:04.830 align:start position:0% um but yeah I figure it's just easier to do<00:29:02.200> it<00:29:02.279> in<00:29:02.360> the<00:29:02.679> browser<00:29:03.679> um<00:29:04.360> so<00:29:04.480> we<00:29:04.600> can<00:29:04.679> see 00:29:04.830 --> 00:29:04.840 align:start position:0% do it in the browser um so we can see 00:29:04.840 --> 00:29:06.509 align:start position:0% do it in the browser um so we can see the<00:29:04.919> first<00:29:05.120> request<00:29:05.480> is<00:29:05.600> happening<00:29:06.000> the<00:29:06.200> ID 00:29:06.509 --> 00:29:06.519 align:start position:0% the first request is happening the ID 00:29:06.519 --> 00:29:08.669 align:start position:0% the first request is happening the ID from<00:29:06.840> the<00:29:07.760> parameter<00:29:08.200> here<00:29:08.360> is<00:29:08.480> being 00:29:08.669 --> 00:29:08.679 align:start position:0% from the parameter here is being 00:29:08.679 --> 00:29:11.630 align:start position:0% from the parameter here is being injected<00:29:09.159> right<00:29:09.320> into<00:29:09.559> this<00:29:09.679> post<00:29:10.279> request<00:29:11.279> um 00:29:11.630 --> 00:29:11.640 align:start position:0% injected right into this post request um 00:29:11.640 --> 00:29:13.430 align:start position:0% injected right into this post request um and<00:29:11.840> so<00:29:12.399> what<00:29:12.519> we're<00:29:12.640> going<00:29:12.720> to<00:29:12.840> do<00:29:13.039> then<00:29:13.279> is 00:29:13.430 --> 00:29:13.440 align:start position:0% and so what we're going to do then is 00:29:13.440 --> 00:29:14.710 align:start position:0% and so what we're going to do then is just<00:29:13.559> follow<00:29:13.840> the<00:29:13.960> same<00:29:14.200> process<00:29:14.480> we're<00:29:14.640> going 00:29:14.710 --> 00:29:14.720 align:start position:0% just follow the same process we're going 00:29:14.720 --> 00:29:16.029 align:start position:0% just follow the same process we're going to<00:29:14.840> go<00:29:14.960> ahead<00:29:15.200> and<00:29:15.360> actually<00:29:15.559> I'll<00:29:15.679> show<00:29:15.880> you 00:29:16.029 --> 00:29:16.039 align:start position:0% to go ahead and actually I'll show you 00:29:16.039 --> 00:29:17.950 align:start position:0% to go ahead and actually I'll show you we<00:29:16.159> don't<00:29:16.360> actually<00:29:16.600> have<00:29:16.720> to<00:29:17.159> even<00:29:17.600> provide 00:29:17.950 --> 00:29:17.960 align:start position:0% we don't actually have to even provide 00:29:17.960 --> 00:29:20.149 align:start position:0% we don't actually have to even provide this<00:29:18.120> so<00:29:18.279> we<00:29:18.399> can<00:29:18.720> do<00:29:18.960> dot<00:29:19.159> do<00:29:19.320> slash<00:29:19.600> do<00:29:19.799> do 00:29:20.149 --> 00:29:20.159 align:start position:0% this so we can do dot do slash do do 00:29:20.159 --> 00:29:24.110 align:start position:0% this so we can do dot do slash do do slash<00:29:21.159> like<00:29:21.360> that<00:29:22.080> and<00:29:22.200> we<00:29:22.320> can<00:29:22.519> see<00:29:23.000> that<00:29:23.320> the 00:29:24.110 --> 00:29:24.120 align:start position:0% slash like that and we can see that the 00:29:24.120 --> 00:29:25.549 align:start position:0% slash like that and we can see that the path<00:29:24.360> has<00:29:24.480> been<00:29:24.600> traversed<00:29:25.039> all<00:29:25.120> the<00:29:25.200> way<00:29:25.399> back 00:29:25.549 --> 00:29:25.559 align:start position:0% path has been traversed all the way back 00:29:25.559 --> 00:29:27.590 align:start position:0% path has been traversed all the way back and<00:29:25.799> all<00:29:26.039> that's<00:29:26.399> left<00:29:26.760> is<00:29:26.919> this<00:29:27.120> right<00:29:27.399> right 00:29:27.590 --> 00:29:27.600 align:start position:0% and all that's left is this right right 00:29:27.600 --> 00:29:30.190 align:start position:0% and all that's left is this right right hand<00:29:28.000> slash<00:29:29.000> um<00:29:29.480> which<00:29:29.559> we<00:29:29.679> can<00:29:29.799> see<00:29:29.960> from<00:29:30.080> the 00:29:30.190 --> 00:29:30.200 align:start position:0% hand slash um which we can see from the 00:29:30.200 --> 00:29:32.110 align:start position:0% hand slash um which we can see from the code<00:29:30.519> is<00:29:30.640> appended<00:29:31.120> after<00:29:31.360> the<00:29:31.519> IID<00:29:31.960> right 00:29:32.110 --> 00:29:32.120 align:start position:0% code is appended after the IID right 00:29:32.120 --> 00:29:35.389 align:start position:0% code is appended after the IID right here<00:29:32.840> once<00:29:33.120> again<00:29:33.519> we<00:29:33.640> can<00:29:33.880> go<00:29:34.039> ahead 00:29:35.389 --> 00:29:35.399 align:start position:0% here once again we can go ahead 00:29:35.399 --> 00:29:37.789 align:start position:0% here once again we can go ahead and 00:29:37.789 --> 00:29:37.799 align:start position:0% and 00:29:37.799 --> 00:29:40.789 align:start position:0% and um<00:29:38.799> we<00:29:39.080> once<00:29:39.240> again<00:29:39.440> we<00:29:39.519> can<00:29:39.720> go<00:29:39.880> ahead<00:29:40.360> and 00:29:40.789 --> 00:29:40.799 align:start position:0% um we once again we can go ahead and 00:29:40.799 --> 00:29:43.669 align:start position:0% um we once again we can go ahead and truncate<00:29:41.399> that<00:29:41.600> with<00:29:41.919> the<00:29:42.640> um<00:29:42.880> percent<00:29:43.159> 23 00:29:43.669 --> 00:29:43.679 align:start position:0% truncate that with the um percent 23 00:29:43.679 --> 00:29:47.230 align:start position:0% truncate that with the um percent 23 sign<00:29:44.159> right<00:29:44.399> and<00:29:44.600> now<00:29:44.919> it<00:29:45.120> just<00:29:45.559> hits<00:29:46.559> slash 00:29:47.230 --> 00:29:47.240 align:start position:0% sign right and now it just hits slash 00:29:47.240 --> 00:29:48.630 align:start position:0% sign right and now it just hits slash like<00:29:47.399> that<00:29:47.559> so<00:29:47.720> now<00:29:47.840> we<00:29:47.960> have<00:29:48.120> arbitrary 00:29:48.630 --> 00:29:48.640 align:start position:0% like that so now we have arbitrary 00:29:48.640 --> 00:29:51.269 align:start position:0% like that so now we have arbitrary control<00:29:48.960> over<00:29:49.159> the<00:29:49.559> path<00:29:50.559> and<00:29:50.679> then<00:29:50.880> we'll<00:29:51.120> go 00:29:51.269 --> 00:29:51.279 align:start position:0% control over the path and then we'll go 00:29:51.279 --> 00:29:54.190 align:start position:0% control over the path and then we'll go ahead<00:29:51.519> and<00:29:51.799> hit<00:29:52.240> the<00:29:52.640> change<00:29:53.159> endpoint<00:29:53.919> okay 00:29:54.190 --> 00:29:54.200 align:start position:0% ahead and hit the change endpoint okay 00:29:54.200 --> 00:29:58.990 align:start position:0% ahead and hit the change endpoint okay so<00:29:54.360> we're<00:29:54.480> going<00:29:54.600> to<00:29:54.720> go<00:29:54.840> up<00:29:55.360> here<00:29:56.360> change.<00:29:56.880> PHP 00:29:58.990 --> 00:29:59.000 align:start position:0% so we're going to go up here change. PHP 00:29:59.000 --> 00:30:00.470 align:start position:0% so we're going to go up here change. PHP we're<00:29:59.159> going<00:29:59.240> to<00:29:59.600> uh<00:29:59.760> Supply<00:30:00.080> a<00:30:00.200> query 00:30:00.470 --> 00:30:00.480 align:start position:0% we're going to uh Supply a query 00:30:00.480 --> 00:30:02.470 align:start position:0% we're going to uh Supply a query parameter<00:30:01.279> also<00:30:01.760> here's<00:30:01.960> some<00:30:02.200> here's<00:30:02.360> an 00:30:02.470 --> 00:30:02.480 align:start position:0% parameter also here's some here's an 00:30:02.480 --> 00:30:03.509 align:start position:0% parameter also here's some here's an interesting<00:30:02.840> thing<00:30:03.000> that<00:30:03.080> I<00:30:03.159> wanted<00:30:03.399> to 00:30:03.509 --> 00:30:03.519 align:start position:0% interesting thing that I wanted to 00:30:03.519 --> 00:30:05.630 align:start position:0% interesting thing that I wanted to mention<00:30:04.320> um<00:30:04.480> and<00:30:04.679> I've<00:30:04.840> got<00:30:04.960> in<00:30:05.080> my<00:30:05.159> notes<00:30:05.519> as 00:30:05.630 --> 00:30:05.640 align:start position:0% mention um and I've got in my notes as 00:30:05.640 --> 00:30:09.669 align:start position:0% mention um and I've got in my notes as well<00:30:06.559> um<00:30:07.200> a<00:30:07.320> lot<00:30:07.480> of<00:30:07.640> times<00:30:08.600> you<00:30:08.760> can<00:30:09.039> smuggle 00:30:09.669 --> 00:30:09.679 align:start position:0% well um a lot of times you can smuggle 00:30:09.679 --> 00:30:14.470 align:start position:0% well um a lot of times you can smuggle parameters<00:30:10.399> in<00:30:11.519> with<00:30:12.600> this<00:30:13.600> uh<00:30:13.840> via<00:30:14.039> the<00:30:14.159> query 00:30:14.470 --> 00:30:14.480 align:start position:0% parameters in with this uh via the query 00:30:14.480 --> 00:30:16.110 align:start position:0% parameters in with this uh via the query parameter<00:30:15.200> so<00:30:15.360> let's<00:30:15.519> say<00:30:15.679> you've<00:30:15.880> got<00:30:16.000> you're 00:30:16.110 --> 00:30:16.120 align:start position:0% parameter so let's say you've got you're 00:30:16.120 --> 00:30:17.870 align:start position:0% parameter so let's say you've got you're trying<00:30:16.279> to<00:30:16.399> find<00:30:16.559> a<00:30:16.720> gadget<00:30:17.159> you've<00:30:17.399> you've 00:30:17.870 --> 00:30:17.880 align:start position:0% trying to find a gadget you've you've 00:30:17.880 --> 00:30:19.830 align:start position:0% trying to find a gadget you've you've established<00:30:18.880> that<00:30:19.000> you<00:30:19.159> have<00:30:19.320> a<00:30:19.399> client<00:30:19.720> side 00:30:19.830 --> 00:30:19.840 align:start position:0% established that you have a client side 00:30:19.840 --> 00:30:21.509 align:start position:0% established that you have a client side path<00:30:20.000> dver<00:30:20.279> so<00:30:20.399> you're<00:30:20.519> able<00:30:20.679> to<00:30:20.799> hit<00:30:21.000> any<00:30:21.279> path 00:30:21.509 --> 00:30:21.519 align:start position:0% path dver so you're able to hit any path 00:30:21.519 --> 00:30:24.750 align:start position:0% path dver so you're able to hit any path with<00:30:21.600> a<00:30:21.720> post<00:30:21.960> request<00:30:22.399> right<00:30:23.320> um<00:30:23.960> but<00:30:24.440> the 00:30:24.750 --> 00:30:24.760 align:start position:0% with a post request right um but the 00:30:24.760 --> 00:30:26.590 align:start position:0% with a post request right um but the body<00:30:25.000> of<00:30:25.120> the<00:30:25.240> post<00:30:25.480> request<00:30:25.919> doesn't<00:30:26.240> contain 00:30:26.590 --> 00:30:26.600 align:start position:0% body of the post request doesn't contain 00:30:26.600 --> 00:30:29.590 align:start position:0% body of the post request doesn't contain what<00:30:26.679> you<00:30:26.840> need<00:30:27.480> to<00:30:27.679> do<00:30:28.519> what<00:30:28.640> you<00:30:28.760> want<00:30:28.840> to<00:30:29.039> do 00:30:29.590 --> 00:30:29.600 align:start position:0% what you need to do what you want to do 00:30:29.600 --> 00:30:30.789 align:start position:0% what you need to do what you want to do right<00:30:29.760> like<00:30:29.880> maybe<00:30:30.080> you<00:30:30.200> want<00:30:30.279> to<00:30:30.399> change<00:30:30.679> the 00:30:30.789 --> 00:30:30.799 align:start position:0% right like maybe you want to change the 00:30:30.799 --> 00:30:32.430 align:start position:0% right like maybe you want to change the email<00:30:31.279> okay<00:30:31.440> but<00:30:31.559> the<00:30:31.679> body<00:30:31.880> doesn't<00:30:32.200> have<00:30:32.320> an 00:30:32.430 --> 00:30:32.440 align:start position:0% email okay but the body doesn't have an 00:30:32.440 --> 00:30:34.110 align:start position:0% email okay but the body doesn't have an arbitrarily<00:30:32.960> controllable<00:30:33.519> email<00:30:33.919> that<00:30:34.000> you 00:30:34.110 --> 00:30:34.120 align:start position:0% arbitrarily controllable email that you 00:30:34.120 --> 00:30:37.750 align:start position:0% arbitrarily controllable email that you can<00:30:34.279> control<00:30:34.919> right<00:30:36.240> um<00:30:37.240> one<00:30:37.360> of<00:30:37.480> the<00:30:37.600> ways 00:30:37.750 --> 00:30:37.760 align:start position:0% can control right um one of the ways 00:30:37.760 --> 00:30:39.909 align:start position:0% can control right um one of the ways that<00:30:37.919> I've<00:30:38.039> seen<00:30:38.279> success<00:30:38.600> in<00:30:38.720> the<00:30:38.919> past<00:30:39.519> is<00:30:39.679> by 00:30:39.909 --> 00:30:39.919 align:start position:0% that I've seen success in the past is by 00:30:39.919 --> 00:30:43.350 align:start position:0% that I've seen success in the past is by actually<00:30:40.320> providing<00:30:41.159> the<00:30:42.159> uh<00:30:42.320> email 00:30:43.350 --> 00:30:43.360 align:start position:0% actually providing the uh email 00:30:43.360 --> 00:30:46.230 align:start position:0% actually providing the uh email parameter<00:30:44.360> via<00:30:44.840> the<00:30:45.000> quer<00:30:45.399> the<00:30:45.600> get<00:30:45.880> query 00:30:46.230 --> 00:30:46.240 align:start position:0% parameter via the quer the get query 00:30:46.240 --> 00:30:49.310 align:start position:0% parameter via the quer the get query parameters<00:30:47.039> okay<00:30:47.320> so<00:30:47.559> then<00:30:47.760> it<00:30:48.159> becomes<00:30:49.159> you 00:30:49.310 --> 00:30:49.320 align:start position:0% parameters okay so then it becomes you 00:30:49.320 --> 00:30:52.230 align:start position:0% parameters okay so then it becomes you know<00:30:49.799> SL<00:30:50.640> change. 00:30:52.230 --> 00:30:52.240 align:start position:0% know SL change. 00:30:52.240 --> 00:30:56.509 align:start position:0% know SL change. PHP<00:30:53.240> you<00:30:53.360> know<00:30:53.600> ID<00:30:53.919> equals<00:30:54.360> 123<00:30:55.240> and<00:30:56.120> email 00:30:56.509 --> 00:30:56.519 align:start position:0% PHP you know ID equals 123 and email 00:30:56.519 --> 00:31:01.110 align:start position:0% PHP you know ID equals 123 and email equals<00:30:57.559> abc123<00:30:58.559> you<00:30:58.679> know<00:30:59.639> um<00:31:00.440> and<00:31:00.679> that<00:31:00.960> that 00:31:01.110 --> 00:31:01.120 align:start position:0% equals abc123 you know um and that that 00:31:01.120 --> 00:31:04.269 align:start position:0% equals abc123 you know um and that that will<00:31:01.639> that<00:31:01.760> will<00:31:02.320> merge<00:31:03.320> the<00:31:03.720> sometimes<00:31:04.000> the 00:31:04.269 --> 00:31:04.279 align:start position:0% will that will merge the sometimes the 00:31:04.279 --> 00:31:05.990 align:start position:0% will that will merge the sometimes the post<00:31:04.519> in<00:31:04.679> the<00:31:04.799> get<00:31:05.000> quer<00:31:05.279> parameters<00:31:05.720> will<00:31:05.840> be 00:31:05.990 --> 00:31:06.000 align:start position:0% post in the get quer parameters will be 00:31:06.000 --> 00:31:07.470 align:start position:0% post in the get quer parameters will be merged<00:31:06.639> and<00:31:06.720> you'll<00:31:06.880> be<00:31:07.000> able<00:31:07.159> to<00:31:07.279> actually 00:31:07.470 --> 00:31:07.480 align:start position:0% merged and you'll be able to actually 00:31:07.480 --> 00:31:09.470 align:start position:0% merged and you'll be able to actually achieve<00:31:07.720> the<00:31:07.840> impact<00:31:08.159> you 00:31:09.470 --> 00:31:09.480 align:start position:0% achieve the impact you 00:31:09.480 --> 00:31:12.430 align:start position:0% achieve the impact you want<00:31:10.480> um<00:31:10.960> so<00:31:11.200> I've<00:31:11.440> actually<00:31:12.080> this<00:31:12.200> is 00:31:12.430 --> 00:31:12.440 align:start position:0% want um so I've actually this is 00:31:12.440 --> 00:31:14.110 align:start position:0% want um so I've actually this is actually<00:31:12.679> how<00:31:12.799> I<00:31:12.919> coded<00:31:13.240> it<00:31:13.320> in<00:31:13.440> PHP<00:31:13.919> actually 00:31:14.110 --> 00:31:14.120 align:start position:0% actually how I coded it in PHP actually 00:31:14.120 --> 00:31:15.269 align:start position:0% actually how I coded it in PHP actually I'll<00:31:14.200> show<00:31:14.360> you<00:31:14.480> guys<00:31:14.679> real<00:31:14.840> quick<00:31:15.039> let<00:31:15.120> me 00:31:15.269 --> 00:31:15.279 align:start position:0% I'll show you guys real quick let me 00:31:15.279 --> 00:31:23.710 align:start position:0% I'll show you guys real quick let me just<00:31:15.399> go<00:31:15.480> ahead<00:31:15.639> and<00:31:15.760> pull<00:31:15.960> up<00:31:16.200> the<00:31:16.919> the 00:31:23.710 --> 00:31:23.720 align:start position:0% 00:31:23.720 --> 00:31:26.149 align:start position:0% server 00:31:26.149 --> 00:31:26.159 align:start position:0% server 00:31:26.159 --> 00:31:28.470 align:start position:0% server uh 00:31:28.470 --> 00:31:28.480 align:start position:0% uh 00:31:28.480 --> 00:31:32.149 align:start position:0% uh I'm<00:31:28.559> going<00:31:28.679> to<00:31:28.880> actually<00:31:29.159> go<00:31:29.320> ahead 00:31:32.149 --> 00:31:32.159 align:start position:0% 00:31:32.159 --> 00:31:34.710 align:start position:0% and<00:31:33.159> I'm<00:31:33.279> going<00:31:33.399> to 00:31:34.710 --> 00:31:34.720 align:start position:0% and I'm going to 00:31:34.720 --> 00:31:38.629 align:start position:0% and I'm going to move<00:31:35.720> change.<00:31:36.399> PHP<00:31:37.240> no<00:31:37.600> nope<00:31:37.880> not<00:31:38.080> move<00:31:38.519> I 00:31:38.629 --> 00:31:38.639 align:start position:0% move change. PHP no nope not move I 00:31:38.639 --> 00:31:40.070 align:start position:0% move change. PHP no nope not move I almost<00:31:38.840> did<00:31:39.000> it 00:31:40.070 --> 00:31:40.080 align:start position:0% almost did it 00:31:40.080 --> 00:31:45.070 align:start position:0% almost did it again<00:31:41.080> change.<00:31:41.639> PHP<00:31:42.519> change.<00:31:43.200> php.<00:31:43.760> txt<00:31:44.399> okay 00:31:45.070 --> 00:31:45.080 align:start position:0% again change. PHP change. php. txt okay 00:31:45.080 --> 00:31:47.509 align:start position:0% again change. PHP change. php. txt okay so<00:31:45.440> if<00:31:45.519> you<00:31:45.760> hit<00:31:45.960> change.<00:31:46.480> php. 00:31:47.509 --> 00:31:47.519 align:start position:0% so if you hit change. php. 00:31:47.519 --> 00:31:51.909 align:start position:0% so if you hit change. php. txd<00:31:48.519> so<00:31:48.960> apps.<00:31:50.039> R.D 00:31:51.909 --> 00:31:51.919 align:start position:0% txd so apps. R.D 00:31:51.919 --> 00:31:53.590 align:start position:0% txd so apps. R.D change 00:31:53.590 --> 00:31:53.600 align:start position:0% change 00:31:53.600 --> 00:31:55.190 align:start position:0% change php. 00:31:55.190 --> 00:31:55.200 align:start position:0% php. 00:31:55.200 --> 00:31:59.190 align:start position:0% php. txt<00:31:56.200> boom<00:31:56.960> We<00:31:57.159> we<00:31:57.240> can<00:31:57.399> actually<00:31:57.880> see<00:31:58.880> the<00:31:59.080> the 00:31:59.190 --> 00:31:59.200 align:start position:0% txt boom We we can actually see the the 00:31:59.200 --> 00:32:00.789 align:start position:0% txt boom We we can actually see the the code<00:31:59.399> for<00:31:59.559> this<00:31:59.720> here<00:32:00.000> okay<00:32:00.279> so<00:32:00.440> this<00:32:00.559> is<00:32:00.679> the 00:32:00.789 --> 00:32:00.799 align:start position:0% code for this here okay so this is the 00:32:00.799 --> 00:32:06.230 align:start position:0% code for this here okay so this is the PHP<00:32:01.440> code 00:32:06.230 --> 00:32:06.240 align:start position:0% 00:32:06.240 --> 00:32:09.750 align:start position:0% um<00:32:07.240> yeah<00:32:07.600> yeah<00:32:07.880> so<00:32:08.200> so<00:32:08.760> okay<00:32:08.960> yeah<00:32:09.080> clo<00:32:09.600> this<00:32:09.679> is 00:32:09.750 --> 00:32:09.760 align:start position:0% um yeah yeah so so okay yeah clo this is 00:32:09.760 --> 00:32:11.190 align:start position:0% um yeah yeah so so okay yeah clo this is a<00:32:09.919> contrived<00:32:10.360> scenario<00:32:10.799> here<00:32:10.960> right<00:32:11.080> so 00:32:11.190 --> 00:32:11.200 align:start position:0% a contrived scenario here right so 00:32:11.200 --> 00:32:13.470 align:start position:0% a contrived scenario here right so change.<00:32:11.679> PHP<00:32:12.080> is<00:32:12.159> a<00:32:12.320> built-in<00:32:12.720> functionality 00:32:13.470 --> 00:32:13.480 align:start position:0% change. PHP is a built-in functionality 00:32:13.480 --> 00:32:17.070 align:start position:0% change. PHP is a built-in functionality of<00:32:13.639> the<00:32:13.799> victim<00:32:14.120> server<00:32:14.720> okay<00:32:15.519> and<00:32:15.840> um<00:32:16.360> and<00:32:16.519> so 00:32:17.070 --> 00:32:17.080 align:start position:0% of the victim server okay and um and so 00:32:17.080 --> 00:32:19.029 align:start position:0% of the victim server okay and um and so apps.<00:32:17.480> rerat<00:32:17.919> dodev<00:32:18.320> in<00:32:18.399> this<00:32:18.519> scenario<00:32:18.919> is 00:32:19.029 --> 00:32:19.039 align:start position:0% apps. rerat dodev in this scenario is 00:32:19.039 --> 00:32:20.269 align:start position:0% apps. rerat dodev in this scenario is our<00:32:19.200> victim<00:32:19.519> server<00:32:19.880> that's<00:32:20.039> why<00:32:20.120> we 00:32:20.269 --> 00:32:20.279 align:start position:0% our victim server that's why we 00:32:20.279 --> 00:32:23.389 align:start position:0% our victim server that's why we redirected<00:32:20.840> off<00:32:21.000> of<00:32:21.159> the<00:32:21.279> website<00:32:21.840> before<00:32:22.840> um 00:32:23.389 --> 00:32:23.399 align:start position:0% redirected off of the website before um 00:32:23.399 --> 00:32:26.710 align:start position:0% redirected off of the website before um to<00:32:24.320> uh<00:32:24.440> leak<00:32:24.840> the<00:32:25.279> uh<00:32:25.399> XC<00:32:25.799> surf<00:32:26.320> token 00:32:26.710 --> 00:32:26.720 align:start position:0% to uh leak the uh XC surf token 00:32:26.720 --> 00:32:28.509 align:start position:0% to uh leak the uh XC surf token parameter 00:32:28.509 --> 00:32:28.519 align:start position:0% parameter 00:32:28.519 --> 00:32:31.070 align:start position:0% parameter uh<00:32:28.760> header<00:32:29.080> I<00:32:29.159> mean<00:32:30.159> um<00:32:30.440> and<00:32:30.519> so<00:32:30.720> this<00:32:30.799> is<00:32:30.960> the 00:32:31.070 --> 00:32:31.080 align:start position:0% uh header I mean um and so this is the 00:32:31.080 --> 00:32:33.990 align:start position:0% uh header I mean um and so this is the code<00:32:31.320> for<00:32:31.600> change.<00:32:32.080> PHP<00:32:32.480> you<00:32:32.559> can<00:32:32.720> see<00:32:33.320> that<00:32:33.559> if 00:32:33.990 --> 00:32:34.000 align:start position:0% code for change. PHP you can see that if 00:32:34.000 --> 00:32:38.070 align:start position:0% code for change. PHP you can see that if the<00:32:34.399> uh<00:32:35.279> the<00:32:36.279> uh<00:32:36.399> cerve<00:32:36.880> token<00:32:37.080> is<00:32:37.200> set<00:32:37.600> then<00:32:37.919> it 00:32:38.070 --> 00:32:38.080 align:start position:0% the uh the uh cerve token is set then it 00:32:38.080 --> 00:32:40.950 align:start position:0% the uh the uh cerve token is set then it it<00:32:38.240> echoes<00:32:38.760> you've<00:32:39.000> changed<00:32:39.559> the<00:32:40.559> whatever 00:32:40.950 --> 00:32:40.960 align:start position:0% it echoes you've changed the whatever 00:32:40.960 --> 00:32:43.590 align:start position:0% it echoes you've changed the whatever object<00:32:41.639> and<00:32:41.760> you<00:32:41.960> you'll<00:32:42.159> note<00:32:42.480> here<00:32:42.919> that<00:32:43.279> it 00:32:43.590 --> 00:32:43.600 align:start position:0% object and you you'll note here that it 00:32:43.600 --> 00:32:47.990 align:start position:0% object and you you'll note here that it uses<00:32:44.600> dollar<00:32:45.000> signore<00:32:45.679> request<00:32:46.600> okay<00:32:47.080> in<00:32:47.279> PHP 00:32:47.990 --> 00:32:48.000 align:start position:0% uses dollar signore request okay in PHP 00:32:48.000 --> 00:32:51.629 align:start position:0% uses dollar signore request okay in PHP this<00:32:48.120> is<00:32:48.559> a<00:32:49.120> uh<00:32:49.240> a<00:32:49.600> mechanism<00:32:50.600> that<00:32:50.799> will<00:32:51.320> allow 00:32:51.629 --> 00:32:51.639 align:start position:0% this is a uh a mechanism that will allow 00:32:51.639 --> 00:32:55.870 align:start position:0% this is a uh a mechanism that will allow you<00:32:51.880> to<00:32:52.440> get<00:32:52.720> data<00:32:53.080> from<00:32:53.399> the<00:32:53.840> the<00:32:54.639> uh<00:32:54.880> URL 00:32:55.870 --> 00:32:55.880 align:start position:0% you to get data from the the uh URL 00:32:55.880 --> 00:32:57.870 align:start position:0% you to get data from the the uh URL parameters<00:32:56.399> the<00:32:56.559> get<00:32:56.720> parameters<00:32:57.440> the<00:32:57.600> query 00:32:57.870 --> 00:32:57.880 align:start position:0% parameters the get parameters the query 00:32:57.880 --> 00:33:01.149 align:start position:0% parameters the get parameters the query parameters<00:32:58.919> or<00:32:59.919> the<00:33:00.080> post<00:33:00.360> body<00:33:00.600> parameters 00:33:01.149 --> 00:33:01.159 align:start position:0% parameters or the post body parameters 00:33:01.159 --> 00:33:03.269 align:start position:0% parameters or the post body parameters right<00:33:01.559> so<00:33:01.760> in<00:33:01.880> this<00:33:02.000> scenario<00:33:02.399> we<00:33:02.519> could<00:33:02.760> also 00:33:03.269 --> 00:33:03.279 align:start position:0% right so in this scenario we could also 00:33:03.279 --> 00:33:05.310 align:start position:0% right so in this scenario we could also do<00:33:03.440> a<00:33:03.600> post<00:33:03.919> request<00:33:04.440> with<00:33:04.519> the<00:33:04.720> post<00:33:05.039> body 00:33:05.310 --> 00:33:05.320 align:start position:0% do a post request with the post body 00:33:05.320 --> 00:33:08.549 align:start position:0% do a post request with the post body being<00:33:05.720> ID<00:33:06.039> equals<00:33:06.320> 1<00:33:06.559> 23<00:33:07.559> to<00:33:07.679> change.<00:33:08.159> PHP<00:33:08.480> and 00:33:08.549 --> 00:33:08.559 align:start position:0% being ID equals 1 23 to change. PHP and 00:33:08.559 --> 00:33:10.549 align:start position:0% being ID equals 1 23 to change. PHP and as<00:33:08.679> long<00:33:08.799> as<00:33:08.880> we<00:33:09.000> have<00:33:09.080> the<00:33:09.159> Cerf<00:33:09.600> token<00:33:10.320> then 00:33:10.549 --> 00:33:10.559 align:start position:0% as long as we have the Cerf token then 00:33:10.559 --> 00:33:12.789 align:start position:0% as long as we have the Cerf token then it<00:33:10.639> will<00:33:10.799> show<00:33:11.039> you've<00:33:11.279> changed<00:33:11.760> XYZ<00:33:12.320> object 00:33:12.789 --> 00:33:12.799 align:start position:0% it will show you've changed XYZ object 00:33:12.799 --> 00:33:17.230 align:start position:0% it will show you've changed XYZ object okay<00:33:14.279> um<00:33:15.279> and<00:33:15.399> so<00:33:15.639> this<00:33:15.760> is<00:33:15.960> just<00:33:16.200> a<00:33:16.840> a<00:33:16.960> clear 00:33:17.230 --> 00:33:17.240 align:start position:0% okay um and so this is just a a clear 00:33:17.240 --> 00:33:18.909 align:start position:0% okay um and so this is just a a clear example<00:33:17.799> of<00:33:18.000> what<00:33:18.159> kind<00:33:18.279> of<00:33:18.399> implementation 00:33:18.909 --> 00:33:18.919 align:start position:0% example of what kind of implementation 00:33:18.919 --> 00:33:20.629 align:start position:0% example of what kind of implementation there<00:33:19.039> could<00:33:19.159> be<00:33:19.279> in<00:33:19.440> place<00:33:19.760> where<00:33:20.200> the<00:33:20.440> get 00:33:20.629 --> 00:33:20.639 align:start position:0% there could be in place where the get 00:33:20.639 --> 00:33:24.110 align:start position:0% there could be in place where the get and<00:33:20.880> post<00:33:21.639> um<00:33:22.639> variables<00:33:23.200> are<00:33:23.360> being<00:33:23.880> query 00:33:24.110 --> 00:33:24.120 align:start position:0% and post um variables are being query 00:33:24.120 --> 00:33:25.750 align:start position:0% and post um variables are being query parameters<00:33:24.480> are<00:33:24.559> being<00:33:24.720> merged<00:33:25.159> together 00:33:25.750 --> 00:33:25.760 align:start position:0% parameters are being merged together 00:33:25.760 --> 00:33:28.830 align:start position:0% parameters are being merged together okay<00:33:26.519> so<00:33:27.200> uh<00:33:27.440> that<00:33:27.559> is<00:33:27.799> that<00:33:28.080> let's<00:33:28.320> go<00:33:28.440> ahead 00:33:28.830 --> 00:33:28.840 align:start position:0% okay so uh that is that let's go ahead 00:33:28.840 --> 00:33:30.750 align:start position:0% okay so uh that is that let's go ahead and<00:33:29.240> finish<00:33:29.519> off<00:33:29.720> this<00:33:29.840> exploit<00:33:30.480> so<00:33:30.639> we're 00:33:30.750 --> 00:33:30.760 align:start position:0% and finish off this exploit so we're 00:33:30.760 --> 00:33:33.070 align:start position:0% and finish off this exploit so we're going<00:33:30.840> to<00:33:31.000> go<00:33:31.080> ahead<00:33:31.279> and<00:33:31.519> add<00:33:31.720> we're<00:33:32.080> hitting 00:33:33.070 --> 00:33:33.080 align:start position:0% going to go ahead and add we're hitting 00:33:33.080 --> 00:33:34.470 align:start position:0% going to go ahead and add we're hitting uh<00:33:33.200> change.<00:33:33.639> PHP<00:33:34.000> and<00:33:34.080> we're<00:33:34.200> just<00:33:34.279> going<00:33:34.399> to 00:33:34.470 --> 00:33:34.480 align:start position:0% uh change. PHP and we're just going to 00:33:34.480 --> 00:33:36.629 align:start position:0% uh change. PHP and we're just going to go<00:33:34.600> ahead<00:33:34.720> and<00:33:34.880> add<00:33:35.279> ID<00:33:35.600> parameter<00:33:36.000> equals<00:33:36.279> 1<00:33:36.440> 2 00:33:36.629 --> 00:33:36.639 align:start position:0% go ahead and add ID parameter equals 1 2 00:33:36.639 --> 00:33:37.710 align:start position:0% go ahead and add ID parameter equals 1 2 3 00:33:37.710 --> 00:33:37.720 align:start position:0% 3 00:33:37.720 --> 00:33:41.230 align:start position:0% 3 4<00:33:38.720> like<00:33:38.960> this<00:33:39.880> and<00:33:40.039> if<00:33:40.159> we<00:33:40.320> see<00:33:40.760> we<00:33:40.880> can<00:33:41.000> see 00:33:41.230 --> 00:33:41.240 align:start position:0% 4 like this and if we see we can see 00:33:41.240 --> 00:33:43.149 align:start position:0% 4 like this and if we see we can see right<00:33:41.399> here<00:33:41.720> that<00:33:41.919> the<00:33:42.120> it's<00:33:42.240> a<00:33:42.399> post<00:33:42.639> request 00:33:43.149 --> 00:33:43.159 align:start position:0% right here that the it's a post request 00:33:43.159 --> 00:33:45.070 align:start position:0% right here that the it's a post request 200<00:33:43.399> okay<00:33:44.039> and<00:33:44.159> the<00:33:44.320> response<00:33:44.679> is<00:33:44.880> you've 00:33:45.070 --> 00:33:45.080 align:start position:0% 200 okay and the response is you've 00:33:45.080 --> 00:33:47.509 align:start position:0% 200 okay and the response is you've changed<00:33:45.399> the<00:33:45.480> 1<00:33:45.639> two<00:33:45.799> 3<00:33:45.960> 4<00:33:46.240> object<00:33:46.760> okay<00:33:47.279> so 00:33:47.509 --> 00:33:47.519 align:start position:0% changed the 1 two 3 4 object okay so 00:33:47.519 --> 00:33:49.029 align:start position:0% changed the 1 two 3 4 object okay so this<00:33:47.639> is<00:33:47.960> this<00:33:48.080> is<00:33:48.200> showing<00:33:48.440> an<00:33:48.600> example<00:33:48.880> of 00:33:49.029 --> 00:33:49.039 align:start position:0% this is this is showing an example of 00:33:49.039 --> 00:33:51.269 align:start position:0% this is this is showing an example of how<00:33:49.159> you<00:33:49.279> can<00:33:49.480> do<00:33:49.600> a<00:33:49.760> path<00:33:49.960> traversal<00:33:50.799> smuggle 00:33:51.269 --> 00:33:51.279 align:start position:0% how you can do a path traversal smuggle 00:33:51.279 --> 00:33:55.549 align:start position:0% how you can do a path traversal smuggle in<00:33:51.559> a<00:33:51.720> parameter<00:33:52.159> via<00:33:52.360> the<00:33:52.519> URL<00:33:53.519> and<00:33:54.039> hit<00:33:54.440> a<00:33:55.279> a 00:33:55.549 --> 00:33:55.559 align:start position:0% in a parameter via the URL and hit a a 00:33:55.559 --> 00:33:57.789 align:start position:0% in a parameter via the URL and hit a a uh<00:33:55.960> unsuspecting<00:33:56.919> end<00:33:57.080> point<00:33:57.320> on<00:33:57.399> the<00:33:57.480> victim 00:33:57.789 --> 00:33:57.799 align:start position:0% uh unsuspecting end point on the victim 00:33:57.799 --> 00:33:59.269 align:start position:0% uh unsuspecting end point on the victim server<00:33:58.480> which<00:33:58.600> will<00:33:58.760> have<00:33:58.880> some<00:33:59.039> sort<00:33:59.159> of 00:33:59.269 --> 00:33:59.279 align:start position:0% server which will have some sort of 00:33:59.279 --> 00:34:01.629 align:start position:0% server which will have some sort of negative<00:33:59.799> effect<00:34:00.799> um<00:34:00.960> and<00:34:01.039> we'll<00:34:01.240> see<00:34:01.480> this 00:34:01.629 --> 00:34:01.639 align:start position:0% negative effect um and we'll see this 00:34:01.639 --> 00:34:03.110 align:start position:0% negative effect um and we'll see this we'll<00:34:01.799> see<00:34:01.960> this<00:34:02.120> as<00:34:02.240> well<00:34:02.399> a<00:34:02.519> little<00:34:02.679> bit<00:34:02.840> more 00:34:03.110 --> 00:34:03.120 align:start position:0% we'll see this as well a little bit more 00:34:03.120 --> 00:34:05.870 align:start position:0% we'll see this as well a little bit more when<00:34:03.320> I<00:34:03.519> I<00:34:03.639> walk<00:34:03.799> you<00:34:04.000> through<00:34:04.799> um<00:34:05.080> some<00:34:05.320> other 00:34:05.870 --> 00:34:05.880 align:start position:0% when I I walk you through um some other 00:34:05.880 --> 00:34:08.069 align:start position:0% when I I walk you through um some other attacks<00:34:06.320> that<00:34:06.480> I've<00:34:06.679> got<00:34:07.399> uh<00:34:07.519> in<00:34:07.679> reports<00:34:07.960> that 00:34:08.069 --> 00:34:08.079 align:start position:0% attacks that I've got uh in reports that 00:34:08.079 --> 00:34:10.909 align:start position:0% attacks that I've got uh in reports that I've 00:34:10.909 --> 00:34:10.919 align:start position:0% 00:34:10.919 --> 00:34:12.710 align:start position:0% submitted<00:34:11.919> okay<00:34:12.079> I'm<00:34:12.159> going<00:34:12.240> to<00:34:12.399> look<00:34:12.520> at 00:34:12.710 --> 00:34:12.720 align:start position:0% submitted okay I'm going to look at 00:34:12.720 --> 00:34:14.069 align:start position:0% submitted okay I'm going to look at questions<00:34:13.079> for<00:34:13.240> a<00:34:13.359> second<00:34:13.679> and<00:34:13.760> then<00:34:13.879> we'll 00:34:14.069 --> 00:34:14.079 align:start position:0% questions for a second and then we'll 00:34:14.079 --> 00:34:16.589 align:start position:0% questions for a second and then we'll get<00:34:14.240> back<00:34:14.359> to<00:34:14.720> it<00:34:15.720> um<00:34:15.879> going<00:34:16.119> back<00:34:16.240> up<00:34:16.359> to 00:34:16.589 --> 00:34:16.599 align:start position:0% get back to it um going back up to 00:34:16.599 --> 00:34:18.790 align:start position:0% get back to it um going back up to dosaku<00:34:17.599> it<00:34:17.720> checks<00:34:18.000> the<00:34:18.079> origin<00:34:18.480> I<00:34:18.560> wasn't 00:34:18.790 --> 00:34:18.800 align:start position:0% dosaku it checks the origin I wasn't 00:34:18.800 --> 00:34:21.829 align:start position:0% dosaku it checks the origin I wasn't able<00:34:18.960> to<00:34:19.119> bypass<00:34:19.520> it<00:34:19.960> also<00:34:20.960> have<00:34:21.119> found<00:34:21.359> xss 00:34:21.829 --> 00:34:21.839 align:start position:0% able to bypass it also have found xss 00:34:21.839 --> 00:34:23.310 align:start position:0% able to bypass it also have found xss ever<00:34:22.000> since<00:34:22.119> the<00:34:22.240> beginning<00:34:22.480> so<00:34:22.679> gave<00:34:22.879> up<00:34:23.000> on 00:34:23.310 --> 00:34:23.320 align:start position:0% ever since the beginning so gave up on 00:34:23.320 --> 00:34:26.270 align:start position:0% ever since the beginning so gave up on it<00:34:24.320> yeah<00:34:24.520> no<00:34:24.800> I<00:34:24.919> I<00:34:25.000> feel<00:34:25.280> that<00:34:25.480> man<00:34:25.960> it's<00:34:26.119> It's 00:34:26.270 --> 00:34:26.280 align:start position:0% it yeah no I I feel that man it's It's 00:34:26.280 --> 00:34:28.270 align:start position:0% it yeah no I I feel that man it's It's Tricky<00:34:26.639> when<00:34:27.079> you<00:34:27.440> keep<00:34:27.599> on<00:34:27.760> trying<00:34:27.960> to<00:34:28.040> find<00:34:28.159> a 00:34:28.270 --> 00:34:28.280 align:start position:0% Tricky when you keep on trying to find a 00:34:28.280 --> 00:34:30.349 align:start position:0% Tricky when you keep on trying to find a vul<00:34:28.679> and<00:34:28.879> and<00:34:29.000> you<00:34:29.159> can't<00:34:29.399> find<00:34:29.560> it<00:34:29.839> but<00:34:30.159> they 00:34:30.349 --> 00:34:30.359 align:start position:0% vul and and you can't find it but they 00:34:30.359 --> 00:34:31.950 align:start position:0% vul and and you can't find it but they exist<00:34:30.679> I'm<00:34:30.760> sure<00:34:30.919> they're<00:34:31.119> out<00:34:31.320> there<00:34:31.720> and<00:34:31.839> as 00:34:31.950 --> 00:34:31.960 align:start position:0% exist I'm sure they're out there and as 00:34:31.960 --> 00:34:33.270 align:start position:0% exist I'm sure they're out there and as far<00:34:32.079> as<00:34:32.159> the<00:34:32.280> origin<00:34:32.560> checks<00:34:32.919> yeah<00:34:33.040> you<00:34:33.119> will 00:34:33.270 --> 00:34:33.280 align:start position:0% far as the origin checks yeah you will 00:34:33.280 --> 00:34:36.710 align:start position:0% far as the origin checks yeah you will see<00:34:33.440> that<00:34:33.599> from<00:34:33.720> time<00:34:33.919> to<00:34:34.119> time<00:34:35.200> um<00:34:36.200> uh<00:34:36.399> so 00:34:36.710 --> 00:34:36.720 align:start position:0% see that from time to time um uh so 00:34:36.720 --> 00:34:38.349 align:start position:0% see that from time to time um uh so that's<00:34:36.919> another<00:34:37.200> thing<00:34:37.399> that's<00:34:37.919> tricky<00:34:38.240> to 00:34:38.349 --> 00:34:38.359 align:start position:0% that's another thing that's tricky to 00:34:38.359 --> 00:34:42.510 align:start position:0% that's another thing that's tricky to bypass<00:34:39.560> um<00:34:40.560> uh<00:34:41.320> if<00:34:41.639> it's<00:34:41.760> origin<00:34:42.159> null<00:34:42.440> you 00:34:42.510 --> 00:34:42.520 align:start position:0% bypass um uh if it's origin null you 00:34:42.520 --> 00:34:45.750 align:start position:0% bypass um uh if it's origin null you could<00:34:42.679> issue<00:34:42.960> it<00:34:43.200> from<00:34:44.200> an<00:34:44.440> i<00:34:44.760> frame<00:34:45.520> but<00:34:45.679> then 00:34:45.750 --> 00:34:45.760 align:start position:0% could issue it from an i frame but then 00:34:45.760 --> 00:34:48.149 align:start position:0% could issue it from an i frame but then you're<00:34:45.879> going<00:34:46.000> to<00:34:46.159> get<00:34:46.440> caught<00:34:46.720> on<00:34:47.000> the<00:34:47.800> same 00:34:48.149 --> 00:34:48.159 align:start position:0% you're going to get caught on the same 00:34:48.159 --> 00:34:51.510 align:start position:0% you're going to get caught on the same sight<00:34:48.359> cookie<00:34:48.839> sort<00:34:49.040> of 00:34:51.510 --> 00:34:51.520 align:start position:0% 00:34:51.520 --> 00:34:53.389 align:start position:0% situation 00:34:53.389 --> 00:34:53.399 align:start position:0% situation 00:34:53.399 --> 00:34:56.270 align:start position:0% situation um<00:34:54.399> yeah<00:34:55.280> that<00:34:55.359> one<00:34:55.520> might<00:34:55.639> be<00:34:55.760> tricky<00:34:56.040> unless 00:34:56.270 --> 00:34:56.280 align:start position:0% um yeah that one might be tricky unless 00:34:56.280 --> 00:34:58.710 align:start position:0% um yeah that one might be tricky unless same<00:34:56.440> site<00:34:56.639> set<00:34:56.760> to<00:34:56.960> none 00:34:58.710 --> 00:34:58.720 align:start position:0% same site set to none 00:34:58.720 --> 00:35:01.829 align:start position:0% same site set to none bummer<00:34:59.720> um<00:35:00.280> let 00:35:01.829 --> 00:35:01.839 align:start position:0% bummer um let 00:35:01.839 --> 00:35:04.870 align:start position:0% bummer um let see<00:35:02.839> yeah<00:35:03.200> well<00:35:03.640> I<00:35:03.720> knew<00:35:04.119> I<00:35:04.200> knew<00:35:04.440> you<00:35:04.640> guys 00:35:04.870 --> 00:35:04.880 align:start position:0% see yeah well I knew I knew you guys 00:35:04.880 --> 00:35:06.710 align:start position:0% see yeah well I knew I knew you guys would<00:35:05.040> try<00:35:05.200> to<00:35:05.320> do<00:35:05.480> something<00:35:05.800> like<00:35:06.000> that<00:35:06.240> oh 00:35:06.710 --> 00:35:06.720 align:start position:0% would try to do something like that oh 00:35:06.720 --> 00:35:08.310 align:start position:0% would try to do something like that oh yeah<00:35:07.000> okay<00:35:07.160> agent<00:35:07.440> Melo<00:35:07.839> I<00:35:07.960> see<00:35:08.119> on<00:35:08.200> the 00:35:08.310 --> 00:35:08.320 align:start position:0% yeah okay agent Melo I see on the 00:35:08.320 --> 00:35:10.950 align:start position:0% yeah okay agent Melo I see on the redirect<00:35:08.720> parameter<00:35:09.079> one<00:35:09.599> yeah<00:35:10.400> yeah<00:35:10.560> it<00:35:10.880> it 00:35:10.950 --> 00:35:10.960 align:start position:0% redirect parameter one yeah yeah it it 00:35:10.960 --> 00:35:13.349 align:start position:0% redirect parameter one yeah yeah it it is<00:35:11.200> sad<00:35:11.560> it<00:35:11.640> is<00:35:11.880> sad<00:35:12.480> uh<00:35:12.640> that<00:35:12.839> serers<00:35:13.240> side 00:35:13.349 --> 00:35:13.359 align:start position:0% is sad it is sad uh that serers side 00:35:13.359 --> 00:35:14.950 align:start position:0% is sad it is sad uh that serers side redirects<00:35:13.880> don't<00:35:14.119> trigger<00:35:14.440> JavaScript 00:35:14.950 --> 00:35:14.960 align:start position:0% redirects don't trigger JavaScript 00:35:14.960 --> 00:35:16.950 align:start position:0% redirects don't trigger JavaScript schemes<00:35:15.400> but<00:35:15.520> if<00:35:15.640> they<00:35:15.800> did<00:35:16.119> that<00:35:16.200> would<00:35:16.400> be 00:35:16.950 --> 00:35:16.960 align:start position:0% schemes but if they did that would be 00:35:16.960 --> 00:35:19.710 align:start position:0% schemes but if they did that would be pretty<00:35:17.359> bad<00:35:17.960> because<00:35:18.240> every<00:35:18.960> open<00:35:19.240> redirect 00:35:19.710 --> 00:35:19.720 align:start position:0% pretty bad because every open redirect 00:35:19.720 --> 00:35:22.630 align:start position:0% pretty bad because every open redirect would<00:35:19.839> be<00:35:20.119> in<00:35:20.359> xss<00:35:21.119> so<00:35:21.760> we<00:35:21.920> have<00:35:22.040> this<00:35:22.200> sort<00:35:22.359> of 00:35:22.630 --> 00:35:22.640 align:start position:0% would be in xss so we have this sort of 00:35:22.640 --> 00:35:24.430 align:start position:0% would be in xss so we have this sort of uh<00:35:22.800> balance<00:35:23.359> in<00:35:23.640> the<00:35:23.960> the<00:35:24.079> white<00:35:24.320> hat 00:35:24.430 --> 00:35:24.440 align:start position:0% uh balance in the the white hat 00:35:24.440 --> 00:35:25.950 align:start position:0% uh balance in the the white hat community<00:35:24.839> of<00:35:25.000> like<00:35:25.320> I<00:35:25.440> really<00:35:25.560> want<00:35:25.760> this<00:35:25.880> to 00:35:25.950 --> 00:35:25.960 align:start position:0% community of like I really want this to 00:35:25.960 --> 00:35:27.829 align:start position:0% community of like I really want this to be<00:35:26.079> vulnerable<00:35:26.520> but<00:35:26.599> also<00:35:26.880> so<00:35:27.400> I<00:35:27.520> don't<00:35:27.680> want 00:35:27.829 --> 00:35:27.839 align:start position:0% be vulnerable but also so I don't want 00:35:27.839 --> 00:35:29.710 align:start position:0% be vulnerable but also so I don't want it<00:35:27.960> to<00:35:28.040> be<00:35:28.200> vulnerable<00:35:28.760> because<00:35:29.400> then<00:35:29.560> people 00:35:29.710 --> 00:35:29.720 align:start position:0% it to be vulnerable because then people 00:35:29.720 --> 00:35:33.870 align:start position:0% it to be vulnerable because then people would<00:35:29.880> be<00:35:30.000> at<00:35:30.440> risk<00:35:31.440> um<00:35:32.400> also<00:35:32.760> you<00:35:33.359> you<00:35:33.680> you'll 00:35:33.870 --> 00:35:33.880 align:start position:0% would be at risk um also you you you'll 00:35:33.880 --> 00:35:35.109 align:start position:0% would be at risk um also you you you'll note<00:35:34.160> that<00:35:34.359> I 00:35:35.109 --> 00:35:35.119 align:start position:0% note that I 00:35:35.119 --> 00:35:37.710 align:start position:0% note that I um<00:35:36.119> where's<00:35:36.480> the<00:35:36.920> where's<00:35:37.160> the<00:35:37.320> code<00:35:37.520> from 00:35:37.710 --> 00:35:37.720 align:start position:0% um where's the where's the code from 00:35:37.720 --> 00:35:40.630 align:start position:0% um where's the where's the code from before<00:35:38.599> you'll<00:35:38.800> note<00:35:39.040> that<00:35:39.240> I<00:35:39.520> did<00:35:39.800> a<00:35:39.960> int<00:35:40.320> vow 00:35:40.630 --> 00:35:40.640 align:start position:0% before you'll note that I did a int vow 00:35:40.640 --> 00:35:43.150 align:start position:0% before you'll note that I did a int vow on<00:35:40.800> this<00:35:41.359> guy<00:35:42.359> so<00:35:42.560> because<00:35:42.680> I<00:35:42.839> knew<00:35:42.960> you<00:35:43.040> guys 00:35:43.150 --> 00:35:43.160 align:start position:0% on this guy so because I knew you guys 00:35:43.160 --> 00:35:45.230 align:start position:0% on this guy so because I knew you guys were<00:35:43.280> going<00:35:43.400> to<00:35:43.520> try<00:35:43.680> to<00:35:44.359> try<00:35:44.520> to<00:35:44.640> do<00:35:44.839> some<00:35:45.040> sort 00:35:45.230 --> 00:35:45.240 align:start position:0% were going to try to try to do some sort 00:35:45.240 --> 00:35:50.190 align:start position:0% were going to try to try to do some sort of<00:35:45.720> uh<00:35:46.160> xss<00:35:46.720> on<00:35:46.880> me<00:35:47.079> if<00:35:47.200> I<00:35:47.280> didn't<00:35:47.520> do<00:35:47.760> that<00:35:48.880> um 00:35:50.190 --> 00:35:50.200 align:start position:0% of uh xss on me if I didn't do that um 00:35:50.200 --> 00:35:51.910 align:start position:0% of uh xss on me if I didn't do that um so 00:35:51.910 --> 00:35:51.920 align:start position:0% so 00:35:51.920 --> 00:35:55.910 align:start position:0% so yeah<00:35:52.920> um<00:35:53.560> yeah<00:35:53.680> so<00:35:53.880> any<00:35:54.079> questions<00:35:54.560> on<00:35:55.240> the 00:35:55.910 --> 00:35:55.920 align:start position:0% yeah um yeah so any questions on the 00:35:55.920 --> 00:35:57.750 align:start position:0% yeah um yeah so any questions on the exploitation<00:35:56.920> once<00:35:57.079> again<00:35:57.280> I'll<00:35:57.440> go<00:35:57.560> ahead 00:35:57.750 --> 00:35:57.760 align:start position:0% exploitation once again I'll go ahead 00:35:57.760 --> 00:36:02.069 align:start position:0% exploitation once again I'll go ahead and<00:35:58.040> put<00:35:58.640> this<00:35:58.920> URL<00:35:59.440> in<00:35:59.599> the 00:36:02.069 --> 00:36:02.079 align:start position:0% 00:36:02.079 --> 00:36:10.069 align:start position:0% chat<00:36:03.079> there<00:36:03.200> you 00:36:10.069 --> 00:36:10.079 align:start position:0% 00:36:10.079 --> 00:36:12.349 align:start position:0% go<00:36:11.079> all<00:36:11.240> right<00:36:11.640> seems<00:36:11.880> like<00:36:12.000> you<00:36:12.119> guys<00:36:12.240> are 00:36:12.349 --> 00:36:12.359 align:start position:0% go all right seems like you guys are 00:36:12.359 --> 00:36:15.470 align:start position:0% go all right seems like you guys are tracking<00:36:12.880> that's<00:36:13.160> good<00:36:14.119> um<00:36:14.680> so<00:36:15.160> the<00:36:15.280> next 00:36:15.470 --> 00:36:15.480 align:start position:0% tracking that's good um so the next 00:36:15.480 --> 00:36:16.589 align:start position:0% tracking that's good um so the next thing<00:36:15.599> that<00:36:15.720> I<00:36:15.800> kind<00:36:15.880> of<00:36:15.960> want<00:36:16.040> to<00:36:16.200> talk<00:36:16.319> about 00:36:16.589 --> 00:36:16.599 align:start position:0% thing that I kind of want to talk about 00:36:16.599 --> 00:36:17.950 align:start position:0% thing that I kind of want to talk about is<00:36:16.760> just<00:36:16.920> some<00:36:17.119> sort<00:36:17.319> of<00:36:17.520> now<00:36:17.640> that<00:36:17.720> you<00:36:17.839> guys 00:36:17.950 --> 00:36:17.960 align:start position:0% is just some sort of now that you guys 00:36:17.960 --> 00:36:19.230 align:start position:0% is just some sort of now that you guys have<00:36:18.079> kind<00:36:18.200> of<00:36:18.280> gotten<00:36:18.480> your<00:36:18.599> hands<00:36:18.839> dirty<00:36:19.160> a 00:36:19.230 --> 00:36:19.240 align:start position:0% have kind of gotten your hands dirty a 00:36:19.240 --> 00:36:20.349 align:start position:0% have kind of gotten your hands dirty a little<00:36:19.400> bit<00:36:19.560> with<00:36:19.720> client<00:36:20.079> side<00:36:20.200> path 00:36:20.349 --> 00:36:20.359 align:start position:0% little bit with client side path 00:36:20.359 --> 00:36:22.470 align:start position:0% little bit with client side path traversal<00:36:21.280> I<00:36:21.359> want<00:36:21.440> to<00:36:21.599> talk<00:36:21.800> about<00:36:22.240> um<00:36:22.359> a 00:36:22.470 --> 00:36:22.480 align:start position:0% traversal I want to talk about um a 00:36:22.480 --> 00:36:24.190 align:start position:0% traversal I want to talk about um a couple<00:36:22.680> more<00:36:22.880> nuances<00:36:23.480> and<00:36:23.640> tips<00:36:23.839> and<00:36:23.960> tricks 00:36:24.190 --> 00:36:24.200 align:start position:0% couple more nuances and tips and tricks 00:36:24.200 --> 00:36:25.750 align:start position:0% couple more nuances and tips and tricks that<00:36:24.319> I<00:36:24.440> picked<00:36:24.640> up<00:36:24.800> over<00:36:25.000> a<00:36:25.119> long<00:36:25.359> time<00:36:25.560> of 00:36:25.750 --> 00:36:25.760 align:start position:0% that I picked up over a long time of 00:36:25.760 --> 00:36:27.910 align:start position:0% that I picked up over a long time of exploting<00:36:26.200> these<00:36:26.520> okay<00:36:27.119> so 00:36:27.910 --> 00:36:27.920 align:start position:0% exploting these okay so 00:36:27.920 --> 00:36:30.670 align:start position:0% exploting these okay so one<00:36:28.920> uh<00:36:29.079> it's<00:36:29.319> always<00:36:29.640> a<00:36:29.760> good<00:36:29.920> idea<00:36:30.200> to<00:36:30.319> be<00:36:30.520> on 00:36:30.670 --> 00:36:30.680 align:start position:0% one uh it's always a good idea to be on 00:36:30.680 --> 00:36:33.910 align:start position:0% one uh it's always a good idea to be on the<00:36:30.839> lookout<00:36:31.480> for<00:36:31.839> a<00:36:32.119> gadget<00:36:33.119> so<00:36:33.400> a<00:36:33.599> gadget 00:36:33.910 --> 00:36:33.920 align:start position:0% the lookout for a gadget so a gadget 00:36:33.920 --> 00:36:36.190 align:start position:0% the lookout for a gadget so a gadget meaning<00:36:34.520> a<00:36:34.760> specific<00:36:35.079> HTTP<00:36:35.640> request<00:36:35.960> or<00:36:36.119> a 00:36:36.190 --> 00:36:36.200 align:start position:0% meaning a specific HTTP request or a 00:36:36.200 --> 00:36:37.950 align:start position:0% meaning a specific HTTP request or a functionality<00:36:36.680> in<00:36:36.760> the<00:36:36.920> application<00:36:37.760> a 00:36:37.950 --> 00:36:37.960 align:start position:0% functionality in the application a 00:36:37.960 --> 00:36:40.589 align:start position:0% functionality in the application a gadget<00:36:38.359> that<00:36:38.520> allows<00:36:38.920> you<00:36:39.280> to<00:36:40.079> change 00:36:40.589 --> 00:36:40.599 align:start position:0% gadget that allows you to change 00:36:40.599 --> 00:36:43.589 align:start position:0% gadget that allows you to change something<00:36:41.599> by<00:36:41.760> sending<00:36:42.240> a<00:36:42.400> post<00:36:42.800> request<00:36:43.319> or<00:36:43.440> a 00:36:43.589 --> 00:36:43.599 align:start position:0% something by sending a post request or a 00:36:43.599 --> 00:36:46.390 align:start position:0% something by sending a post request or a get<00:36:43.960> request<00:36:44.960> with<00:36:45.160> no<00:36:45.760> you<00:36:45.839> know<00:36:46.040> a<00:36:46.160> post 00:36:46.390 --> 00:36:46.400 align:start position:0% get request with no you know a post 00:36:46.400 --> 00:36:48.230 align:start position:0% get request with no you know a post request<00:36:46.680> with<00:36:46.800> no<00:36:46.960> body<00:36:47.319> or<00:36:47.480> a<00:36:47.599> get<00:36:47.800> request 00:36:48.230 --> 00:36:48.240 align:start position:0% request with no body or a get request 00:36:48.240 --> 00:36:49.990 align:start position:0% request with no body or a get request right<00:36:48.680> those<00:36:48.920> gadgets<00:36:49.240> are<00:36:49.480> extremely 00:36:49.990 --> 00:36:50.000 align:start position:0% right those gadgets are extremely 00:36:50.000 --> 00:36:51.750 align:start position:0% right those gadgets are extremely helpful<00:36:50.319> for<00:36:50.480> exploting<00:36:50.960> client<00:36:51.280> side<00:36:51.400> path 00:36:51.750 --> 00:36:51.760 align:start position:0% helpful for exploting client side path 00:36:51.760 --> 00:36:54.510 align:start position:0% helpful for exploting client side path traversal<00:36:52.760> um<00:36:53.440> so<00:36:53.880> whenever<00:36:54.200> you<00:36:54.280> see 00:36:54.510 --> 00:36:54.520 align:start position:0% traversal um so whenever you see 00:36:54.520 --> 00:36:56.109 align:start position:0% traversal um so whenever you see something<00:36:54.839> that's<00:36:55.040> like<00:36:55.200> SL<00:36:55.599> delete<00:36:55.920> and<00:36:56.000> it's 00:36:56.109 --> 00:36:56.119 align:start position:0% something that's like SL delete and it's 00:36:56.119 --> 00:36:57.510 align:start position:0% something that's like SL delete and it's just<00:36:56.240> a<00:36:56.319> post<00:36:56.680> to<00:36:56.800> it<00:36:56.960> and<00:36:57.040> there's<00:36:57.200> nothing<00:36:57.400> in 00:36:57.510 --> 00:36:57.520 align:start position:0% just a post to it and there's nothing in 00:36:57.520 --> 00:36:59.710 align:start position:0% just a post to it and there's nothing in the<00:36:57.640> body<00:36:58.440> then<00:36:58.720> you<00:36:58.880> got<00:36:58.960> to<00:36:59.359> got<00:36:59.440> to<00:36:59.560> look 00:36:59.710 --> 00:36:59.720 align:start position:0% the body then you got to got to look 00:36:59.720 --> 00:37:01.550 align:start position:0% the body then you got to got to look closely<00:37:00.079> at<00:37:00.200> that<00:37:00.400> and<00:37:00.520> note<00:37:00.800> that<00:37:00.960> down 00:37:01.550 --> 00:37:01.560 align:start position:0% closely at that and note that down 00:37:01.560 --> 00:37:02.750 align:start position:0% closely at that and note that down because<00:37:01.800> anytime<00:37:02.079> you<00:37:02.160> get<00:37:02.240> a<00:37:02.319> client<00:37:02.599> side 00:37:02.750 --> 00:37:02.760 align:start position:0% because anytime you get a client side 00:37:02.760 --> 00:37:04.230 align:start position:0% because anytime you get a client side path<00:37:02.920> diversal<00:37:03.280> you<00:37:03.359> can<00:37:03.440> use<00:37:03.560> it<00:37:03.680> to<00:37:03.800> exploit 00:37:04.230 --> 00:37:04.240 align:start position:0% path diversal you can use it to exploit 00:37:04.240 --> 00:37:05.670 align:start position:0% path diversal you can use it to exploit that<00:37:04.760> so<00:37:04.920> that's<00:37:05.079> something<00:37:05.240> you<00:37:05.359> got<00:37:05.440> to<00:37:05.560> be 00:37:05.670 --> 00:37:05.680 align:start position:0% that so that's something you got to be 00:37:05.680 --> 00:37:07.670 align:start position:0% that so that's something you got to be on<00:37:05.800> the<00:37:05.880> lookout<00:37:06.240> for<00:37:07.000> um<00:37:07.160> you<00:37:07.240> should<00:37:07.440> also<00:37:07.599> be 00:37:07.670 --> 00:37:07.680 align:start position:0% on the lookout for um you should also be 00:37:07.680 --> 00:37:10.069 align:start position:0% on the lookout for um you should also be on<00:37:07.800> the<00:37:07.920> lookout<00:37:08.200> for<00:37:08.520> any<00:37:08.800> get<00:37:09.079> request<00:37:09.880> that 00:37:10.069 --> 00:37:10.079 align:start position:0% on the lookout for any get request that 00:37:10.079 --> 00:37:12.470 align:start position:0% on the lookout for any get request that does<00:37:10.400> something<00:37:10.880> and<00:37:11.079> requires<00:37:11.599> a<00:37:11.800> c<00:37:12.040> surf 00:37:12.470 --> 00:37:12.480 align:start position:0% does something and requires a c surf 00:37:12.480 --> 00:37:16.109 align:start position:0% does something and requires a c surf parameter<00:37:13.480> um<00:37:14.319> because<00:37:14.680> get<00:37:14.960> based<00:37:15.599> uh<00:37:15.720> client 00:37:16.109 --> 00:37:16.119 align:start position:0% parameter um because get based uh client 00:37:16.119 --> 00:37:19.069 align:start position:0% parameter um because get based uh client side<00:37:16.280> patch<00:37:16.440> rals<00:37:16.960> are<00:37:17.240> extremely<00:37:17.880> common<00:37:18.839> and 00:37:19.069 --> 00:37:19.079 align:start position:0% side patch rals are extremely common and 00:37:19.079 --> 00:37:20.750 align:start position:0% side patch rals are extremely common and they're<00:37:19.319> everywhere<00:37:20.000> and<00:37:20.119> I'm<00:37:20.240> going<00:37:20.359> to<00:37:20.440> show 00:37:20.750 --> 00:37:20.760 align:start position:0% they're everywhere and I'm going to show 00:37:20.760 --> 00:37:23.109 align:start position:0% they're everywhere and I'm going to show you<00:37:21.079> one<00:37:21.200> of<00:37:21.359> them<00:37:21.560> on<00:37:21.680> a<00:37:21.839> live<00:37:22.079> target<00:37:22.920> uh<00:37:23.000> on 00:37:23.109 --> 00:37:23.119 align:start position:0% you one of them on a live target uh on 00:37:23.119 --> 00:37:25.069 align:start position:0% you one of them on a live target uh on an<00:37:23.319> actual<00:37:23.599> Target<00:37:23.839> in<00:37:23.960> a<00:37:24.040> bug<00:37:24.200> Bounty<00:37:24.520> program 00:37:25.069 --> 00:37:25.079 align:start position:0% an actual Target in a bug Bounty program 00:37:25.079 --> 00:37:27.430 align:start position:0% an actual Target in a bug Bounty program um<00:37:25.520> in<00:37:25.680> just<00:37:25.800> a<00:37:25.960> second 00:37:27.430 --> 00:37:27.440 align:start position:0% um in just a second 00:37:27.440 --> 00:37:29.550 align:start position:0% um in just a second um<00:37:27.800> and<00:37:27.920> I<00:37:28.079> have<00:37:28.280> four<00:37:28.599> other<00:37:28.800> ones<00:37:29.160> just<00:37:29.359> like 00:37:29.550 --> 00:37:29.560 align:start position:0% um and I have four other ones just like 00:37:29.560 --> 00:37:31.430 align:start position:0% um and I have four other ones just like it<00:37:30.240> uh<00:37:30.400> that<00:37:30.520> I<00:37:30.680> just<00:37:30.800> can't<00:37:31.000> figure<00:37:31.200> out<00:37:31.359> how 00:37:31.430 --> 00:37:31.440 align:start position:0% it uh that I just can't figure out how 00:37:31.440 --> 00:37:33.190 align:start position:0% it uh that I just can't figure out how to<00:37:31.560> fully<00:37:31.800> utilize<00:37:32.319> yet<00:37:32.640> um<00:37:32.720> and<00:37:32.839> I<00:37:32.920> don't<00:37:33.079> have 00:37:33.190 --> 00:37:33.200 align:start position:0% to fully utilize yet um and I don't have 00:37:33.200 --> 00:37:36.950 align:start position:0% to fully utilize yet um and I don't have an<00:37:33.319> open<00:37:33.520> redirect<00:37:34.359> so<00:37:35.280> um<00:37:36.040> but<00:37:36.560> yeah<00:37:36.760> always 00:37:36.950 --> 00:37:36.960 align:start position:0% an open redirect so um but yeah always 00:37:36.960 --> 00:37:38.430 align:start position:0% an open redirect so um but yeah always be<00:37:37.079> on<00:37:37.160> the<00:37:37.240> lookout<00:37:37.520> for<00:37:37.680> get<00:37:37.920> requests<00:37:38.280> that 00:37:38.430 --> 00:37:38.440 align:start position:0% be on the lookout for get requests that 00:37:38.440 --> 00:37:40.710 align:start position:0% be on the lookout for get requests that do<00:37:38.640> something<00:37:38.960> with<00:37:39.040> a<00:37:39.160> CF<00:37:39.920> uh<00:37:40.079> token<00:37:40.400> attached 00:37:40.710 --> 00:37:40.720 align:start position:0% do something with a CF uh token attached 00:37:40.720 --> 00:37:43.510 align:start position:0% do something with a CF uh token attached to<00:37:40.960> them<00:37:41.960> um<00:37:42.599> I<00:37:42.640> already<00:37:42.800> mentioned<00:37:43.079> smuggling 00:37:43.510 --> 00:37:43.520 align:start position:0% to them um I already mentioned smuggling 00:37:43.520 --> 00:37:45.309 align:start position:0% to them um I already mentioned smuggling perimeters<00:37:43.920> in<00:37:44.200> with<00:37:44.319> the<00:37:44.440> question<00:37:44.720> mark<00:37:45.160> and 00:37:45.309 --> 00:37:45.319 align:start position:0% perimeters in with the question mark and 00:37:45.319 --> 00:37:48.190 align:start position:0% perimeters in with the question mark and the<00:37:45.560> post<00:37:45.839> body<00:37:46.119> being<00:37:46.640> merged<00:37:47.520> with<00:37:47.720> the<00:37:48.079> uh 00:37:48.190 --> 00:37:48.200 align:start position:0% the post body being merged with the uh 00:37:48.200 --> 00:37:51.550 align:start position:0% the post body being merged with the uh career<00:37:48.560> parameters<00:37:49.560> and<00:37:49.720> then<00:37:50.240> um<00:37:50.440> thanks<00:37:50.839> to 00:37:51.550 --> 00:37:51.560 align:start position:0% career parameters and then um thanks to 00:37:51.560 --> 00:37:53.790 align:start position:0% career parameters and then um thanks to xss<00:37:52.079> doctor<00:37:52.400> we<00:37:52.520> also<00:37:52.800> discussed<00:37:53.680> the 00:37:53.790 --> 00:37:53.800 align:start position:0% xss doctor we also discussed the 00:37:53.800 --> 00:37:56.750 align:start position:0% xss doctor we also discussed the different<00:37:54.079> techniques<00:37:54.560> for<00:37:55.560> um<00:37:55.839> hitting 00:37:56.750 --> 00:37:56.760 align:start position:0% different techniques for um hitting 00:37:56.760 --> 00:37:58.910 align:start position:0% different techniques for um hitting various<00:37:57.160> paths<00:37:57.599> using<00:37:58.240> uh<00:37:58.359> double<00:37:58.599> URL 00:37:58.910 --> 00:37:58.920 align:start position:0% various paths using uh double URL 00:37:58.920 --> 00:38:01.230 align:start position:0% various paths using uh double URL encoding<00:37:59.240> single<00:37:59.480> URL<00:37:59.920> encoding<00:38:00.920> um 00:38:01.230 --> 00:38:01.240 align:start position:0% encoding single URL encoding um 00:38:01.240 --> 00:38:02.870 align:start position:0% encoding single URL encoding um sometimes<00:38:01.480> unic<00:38:01.720> code<00:38:01.920> code<00:38:02.119> Point<00:38:02.359> encoding 00:38:02.870 --> 00:38:02.880 align:start position:0% sometimes unic code code Point encoding 00:38:02.880 --> 00:38:04.630 align:start position:0% sometimes unic code code Point encoding that<00:38:03.000> sort<00:38:03.160> of 00:38:04.630 --> 00:38:04.640 align:start position:0% that sort of 00:38:04.640 --> 00:38:08.109 align:start position:0% that sort of thing<00:38:05.800> um<00:38:06.800> all<00:38:06.960> right<00:38:07.359> in<00:38:07.480> that<00:38:07.640> case<00:38:07.839> let's<00:38:08.040> go 00:38:08.109 --> 00:38:08.119 align:start position:0% thing um all right in that case let's go 00:38:08.119 --> 00:38:11.030 align:start position:0% thing um all right in that case let's go ahead<00:38:08.319> and<00:38:08.520> get<00:38:08.720> straight<00:38:09.040> to<00:38:09.680> the 00:38:11.030 --> 00:38:11.040 align:start position:0% ahead and get straight to the 00:38:11.040 --> 00:38:14.470 align:start position:0% ahead and get straight to the bugs<00:38:12.040> okay<00:38:12.760> so<00:38:13.000> this<00:38:13.119> is<00:38:13.200> a<00:38:13.359> live<00:38:13.599> target<00:38:14.359> this 00:38:14.470 --> 00:38:14.480 align:start position:0% bugs okay so this is a live target this 00:38:14.480 --> 00:38:17.910 align:start position:0% bugs okay so this is a live target this is<00:38:14.640> an<00:38:14.920> actual<00:38:15.440> bug<00:38:15.640> Bounty<00:38:16.119> Target<00:38:17.119> um<00:38:17.720> I 00:38:17.910 --> 00:38:17.920 align:start position:0% is an actual bug Bounty Target um I 00:38:17.920 --> 00:38:19.390 align:start position:0% is an actual bug Bounty Target um I spent<00:38:18.160> a<00:38:18.240> lot<00:38:18.359> of<00:38:18.480> time<00:38:18.680> trying<00:38:18.880> to<00:38:19.000> exploit 00:38:19.390 --> 00:38:19.400 align:start position:0% spent a lot of time trying to exploit 00:38:19.400 --> 00:38:21.109 align:start position:0% spent a lot of time trying to exploit this<00:38:19.599> and<00:38:19.720> I<00:38:19.800> couldn't<00:38:20.040> get<00:38:20.160> it<00:38:20.240> to<00:38:20.359> work<00:38:21.000> but 00:38:21.109 --> 00:38:21.119 align:start position:0% this and I couldn't get it to work but 00:38:21.119 --> 00:38:22.750 align:start position:0% this and I couldn't get it to work but it's<00:38:21.319> got<00:38:21.440> some<00:38:21.640> nuances<00:38:22.200> that<00:38:22.359> I<00:38:22.440> think<00:38:22.560> are 00:38:22.750 --> 00:38:22.760 align:start position:0% it's got some nuances that I think are 00:38:22.760 --> 00:38:24.109 align:start position:0% it's got some nuances that I think are interesting<00:38:23.240> that'll<00:38:23.480> be<00:38:23.640> interesting<00:38:23.960> to 00:38:24.109 --> 00:38:24.119 align:start position:0% interesting that'll be interesting to 00:38:24.119 --> 00:38:27.470 align:start position:0% interesting that'll be interesting to discuss<00:38:24.440> with<00:38:24.560> you<00:38:24.720> guys<00:38:25.000> okay<00:38:25.760> so<00:38:26.119> here<00:38:26.240> it<00:38:26.359> is 00:38:27.470 --> 00:38:27.480 align:start position:0% discuss with you guys okay so here it is 00:38:27.480 --> 00:38:30.910 align:start position:0% discuss with you guys okay so here it is epic<00:38:27.800> games<00:38:28.800> uh<00:38:29.520> nope<00:38:29.880> that's<00:38:30.319> didn't<00:38:30.640> didn't 00:38:30.910 --> 00:38:30.920 align:start position:0% epic games uh nope that's didn't didn't 00:38:30.920 --> 00:38:36.670 align:start position:0% epic games uh nope that's didn't didn't copy<00:38:31.400> that's<00:38:31.640> the<00:38:31.720> same<00:38:31.920> link<00:38:32.160> from 00:38:36.670 --> 00:38:36.680 align:start position:0% 00:38:36.680 --> 00:38:40.030 align:start position:0% before<00:38:37.680> there<00:38:37.800> it<00:38:37.880> is<00:38:38.079> right<00:38:38.520> there<00:38:39.520> so<00:38:39.720> that's 00:38:40.030 --> 00:38:40.040 align:start position:0% before there it is right there so that's 00:38:40.040 --> 00:38:41.630 align:start position:0% before there it is right there so that's epicgames.com 00:38:41.630 --> 00:38:41.640 align:start position:0% epicgames.com 00:38:41.640 --> 00:38:46.150 align:start position:0% epicgames.com ID<00:38:42.720> error<00:38:43.720> and<00:38:43.880> then<00:38:44.200> the<00:38:44.400> path<00:38:44.599> tsal<00:38:45.359> is<00:38:45.560> in 00:38:46.150 --> 00:38:46.160 align:start position:0% ID error and then the path tsal is in 00:38:46.160 --> 00:38:50.670 align:start position:0% ID error and then the path tsal is in the<00:38:46.599> client<00:38:47.720> ID<00:38:48.760> parameter<00:38:49.760> okay<00:38:50.280> so<00:38:50.400> let's<00:38:50.599> go 00:38:50.670 --> 00:38:50.680 align:start position:0% the client ID parameter okay so let's go 00:38:50.680 --> 00:38:55.270 align:start position:0% the client ID parameter okay so let's go ahead<00:38:50.839> and<00:38:50.960> take<00:38:51.079> a<00:38:51.200> look<00:38:51.319> at 00:38:55.270 --> 00:38:55.280 align:start position:0% 00:38:55.280 --> 00:38:57.710 align:start position:0% this<00:38:56.280> all<00:38:56.400> right<00:38:56.520> all<00:38:56.599> right<00:38:57.000> so<00:38:57.160> I<00:38:57.280> visit<00:38:57.560> this 00:38:57.710 --> 00:38:57.720 align:start position:0% this all right all right so I visit this 00:38:57.720 --> 00:38:59.710 align:start position:0% this all right all right so I visit this page<00:38:58.119> this<00:38:58.200> is<00:38:58.319> a<00:38:58.520> part<00:38:58.680> of<00:38:58.880> the<00:38:59.119> authorization 00:38:59.710 --> 00:38:59.720 align:start position:0% page this is a part of the authorization 00:38:59.720 --> 00:39:01.950 align:start position:0% page this is a part of the authorization flow<00:39:00.400> for<00:39:00.640> epic 00:39:01.950 --> 00:39:01.960 align:start position:0% flow for epic 00:39:01.960 --> 00:39:04.630 align:start position:0% flow for epic games 00:39:04.630 --> 00:39:04.640 align:start position:0% games 00:39:04.640 --> 00:39:08.309 align:start position:0% games um<00:39:06.079> and<00:39:07.079> yeah<00:39:07.359> let's<00:39:07.560> go<00:39:07.680> ahead<00:39:07.920> and<00:39:08.119> and<00:39:08.240> take 00:39:08.309 --> 00:39:08.319 align:start position:0% um and yeah let's go ahead and and take 00:39:08.319 --> 00:39:09.390 align:start position:0% um and yeah let's go ahead and and take a<00:39:08.440> look<00:39:08.560> at<00:39:08.640> the<00:39:08.720> requests<00:39:09.079> that<00:39:09.160> are<00:39:09.240> being 00:39:09.390 --> 00:39:09.400 align:start position:0% a look at the requests that are being 00:39:09.400 --> 00:39:12.550 align:start position:0% a look at the requests that are being issued<00:39:09.760> here<00:39:10.000> okay<00:39:10.560> we<00:39:10.720> press<00:39:11.240> enter<00:39:12.240> and<00:39:12.400> we 00:39:12.550 --> 00:39:12.560 align:start position:0% issued here okay we press enter and we 00:39:12.560 --> 00:39:19.910 align:start position:0% issued here okay we press enter and we can<00:39:12.760> see<00:39:13.680> uh<00:39:14.000> a<00:39:14.119> lot<00:39:14.240> of<00:39:14.359> requests<00:39:14.680> being 00:39:19.910 --> 00:39:19.920 align:start position:0% 00:39:19.920 --> 00:39:24.109 align:start position:0% issued 00:39:24.109 --> 00:39:24.119 align:start position:0% 00:39:24.119 --> 00:39:29.910 align:start position:0% uh<00:39:25.119> hang<00:39:25.280> on<00:39:25.480> just<00:39:25.599> a<00:39:25.760> sec 00:39:29.910 --> 00:39:29.920 align:start position:0% 00:39:29.920 --> 00:39:33.589 align:start position:0% it's<00:39:30.160> not<00:39:30.560> showing<00:39:31.000> it<00:39:31.760> that's<00:39:32.000> kind<00:39:32.079> of<00:39:32.599> weird 00:39:33.589 --> 00:39:33.599 align:start position:0% it's not showing it that's kind of weird 00:39:33.599 --> 00:39:47.030 align:start position:0% it's not showing it that's kind of weird I<00:39:33.680> was<00:39:33.920> just<00:39:34.079> fussing<00:39:34.480> with<00:39:34.640> this 00:39:47.030 --> 00:39:47.040 align:start position:0% 00:39:47.040 --> 00:39:55.390 align:start position:0% before<00:39:48.040> dude<00:39:48.480> that's<00:39:48.880> crazy<00:39:49.800> I<00:39:49.920> wonder<00:39:50.240> if 00:39:55.390 --> 00:39:55.400 align:start position:0% 00:39:55.400 --> 00:39:56.950 align:start position:0% they 00:39:56.950 --> 00:39:56.960 align:start position:0% they 00:39:56.960 --> 00:39:59.109 align:start position:0% they I<00:39:57.079> wonder<00:39:57.359> if<00:39:57.560> they<00:39:57.839> patched<00:39:58.200> it<00:39:58.839> like<00:39:58.960> I 00:39:59.109 --> 00:39:59.119 align:start position:0% I wonder if they patched it like I 00:39:59.119 --> 00:40:00.870 align:start position:0% I wonder if they patched it like I literally<00:39:59.520> was<00:39:59.640> working<00:40:00.000> on<00:40:00.200> this<00:40:00.400> exact 00:40:00.870 --> 00:40:00.880 align:start position:0% literally was working on this exact 00:40:00.880 --> 00:40:04.309 align:start position:0% literally was working on this exact request<00:40:01.880> like<00:40:02.200> five<00:40:02.400> minutes<00:40:02.960> ago<00:40:03.960> like<00:40:04.160> an 00:40:04.309 --> 00:40:04.319 align:start position:0% request like five minutes ago like an 00:40:04.319 --> 00:40:06.109 align:start position:0% request like five minutes ago like an hour<00:40:04.640> before<00:40:04.880> the<00:40:05.040> actual<00:40:05.280> lunch<00:40:05.920> that's 00:40:06.109 --> 00:40:06.119 align:start position:0% hour before the actual lunch that's 00:40:06.119 --> 00:40:07.870 align:start position:0% hour before the actual lunch that's really<00:40:06.359> interesting<00:40:07.000> um<00:40:07.200> give<00:40:07.280> me<00:40:07.400> just<00:40:07.520> a<00:40:07.640> sec 00:40:07.870 --> 00:40:07.880 align:start position:0% really interesting um give me just a sec 00:40:07.880 --> 00:40:09.069 align:start position:0% really interesting um give me just a sec I'm<00:40:07.960> going<00:40:08.040> to<00:40:08.160> go<00:40:08.240> ahead<00:40:08.440> and<00:40:08.560> pull<00:40:08.760> up<00:40:08.880> one<00:40:09.000> of 00:40:09.069 --> 00:40:09.079 align:start position:0% I'm going to go ahead and pull up one of 00:40:09.079 --> 00:40:12.390 align:start position:0% I'm going to go ahead and pull up one of the<00:40:09.200> other<00:40:09.359> ones<00:40:09.599> I<00:40:10.119> had<00:40:11.119> uh<00:40:11.800> because<00:40:12.000> that<00:40:12.119> one 00:40:12.390 --> 00:40:12.400 align:start position:0% the other ones I had uh because that one 00:40:12.400 --> 00:40:14.190 align:start position:0% the other ones I had uh because that one does<00:40:12.560> not<00:40:12.720> seem<00:40:12.920> to<00:40:13.040> be<00:40:13.200> working<00:40:13.520> anymore<00:40:14.040> or 00:40:14.190 --> 00:40:14.200 align:start position:0% does not seem to be working anymore or 00:40:14.200 --> 00:40:15.790 align:start position:0% does not seem to be working anymore or maybe<00:40:14.400> it's<00:40:14.560> something<00:40:14.800> to<00:40:14.920> do<00:40:15.079> with<00:40:15.240> my<00:40:15.440> off 00:40:15.790 --> 00:40:15.800 align:start position:0% maybe it's something to do with my off 00:40:15.800 --> 00:40:19.470 align:start position:0% maybe it's something to do with my off State<00:40:16.319> in<00:40:16.800> uh<00:40:17.599> in<00:40:17.839> epic<00:40:18.119> games<00:40:18.400> I<00:40:18.520> wonder<00:40:18.720> if<00:40:18.920> my 00:40:19.470 --> 00:40:19.480 align:start position:0% State in uh in epic games I wonder if my 00:40:19.480 --> 00:40:22.470 align:start position:0% State in uh in epic games I wonder if my like<00:40:19.599> I<00:40:19.680> need<00:40:19.800> to<00:40:19.880> clear<00:40:20.119> my<00:40:20.240> cookies<00:40:20.599> or 00:40:22.470 --> 00:40:22.480 align:start position:0% like I need to clear my cookies or 00:40:22.480 --> 00:40:25.349 align:start position:0% like I need to clear my cookies or something<00:40:23.480> I<00:40:23.560> was<00:40:23.760> not<00:40:24.040> off<00:40:24.480> in<00:40:24.599> the<00:40:24.720> other 00:40:25.349 --> 00:40:25.359 align:start position:0% something I was not off in the other 00:40:25.359 --> 00:40:34.349 align:start position:0% something I was not off in the other computer 00:40:34.349 --> 00:40:34.359 align:start position:0% 00:40:34.359 --> 00:40:55.069 align:start position:0% never<00:40:34.599> going<00:40:34.680> to<00:40:34.839> go<00:40:35.000> off<00:40:35.160> without<00:40:35.359> a 00:40:55.069 --> 00:40:55.079 align:start position:0% 00:40:55.079 --> 00:41:02.829 align:start position:0% hitch<00:40:56.079> okay 00:41:02.829 --> 00:41:02.839 align:start position:0% 00:41:02.839 --> 00:41:06.069 align:start position:0% he<00:41:03.839> hey<00:41:04.640> so<00:41:05.079> here<00:41:05.280> is 00:41:06.069 --> 00:41:06.079 align:start position:0% he hey so here is 00:41:06.079 --> 00:41:13.670 align:start position:0% he hey so here is one<00:41:07.079> see<00:41:07.280> if<00:41:07.440> this<00:41:07.560> one<00:41:07.720> wants<00:41:07.920> to 00:41:13.670 --> 00:41:13.680 align:start position:0% 00:41:13.680 --> 00:41:16.390 align:start position:0% work<00:41:14.680> yeah<00:41:14.839> this<00:41:14.960> one<00:41:15.119> works<00:41:15.560> okay<00:41:15.800> weird<00:41:16.200> I<00:41:16.319> I 00:41:16.390 --> 00:41:16.400 align:start position:0% work yeah this one works okay weird I I 00:41:16.400 --> 00:41:18.430 align:start position:0% work yeah this one works okay weird I I wonder<00:41:16.760> why<00:41:16.920> the<00:41:17.040> other<00:41:17.200> one<00:41:17.599> stopped<00:41:18.000> working 00:41:18.430 --> 00:41:18.440 align:start position:0% wonder why the other one stopped working 00:41:18.440 --> 00:41:25.230 align:start position:0% wonder why the other one stopped working it's<00:41:18.640> pretty 00:41:25.230 --> 00:41:25.240 align:start position:0% 00:41:25.240 --> 00:41:28.910 align:start position:0% odd 00:41:28.910 --> 00:41:28.920 align:start position:0% 00:41:28.920 --> 00:41:30.710 align:start position:0% yeah<00:41:29.240> it<00:41:29.560> that<00:41:29.760> that's<00:41:29.920> really<00:41:30.119> weird<00:41:30.440> I'm<00:41:30.520> not 00:41:30.710 --> 00:41:30.720 align:start position:0% yeah it that that's really weird I'm not 00:41:30.720 --> 00:41:32.390 align:start position:0% yeah it that that's really weird I'm not really<00:41:30.920> sure<00:41:31.359> why<00:41:31.560> that<00:41:31.760> happened<00:41:32.119> I<00:41:32.200> wonder 00:41:32.390 --> 00:41:32.400 align:start position:0% really sure why that happened I wonder 00:41:32.400 --> 00:41:33.550 align:start position:0% really sure why that happened I wonder if<00:41:32.520> there's<00:41:32.680> something<00:41:32.920> weird<00:41:33.160> about<00:41:33.400> my 00:41:33.550 --> 00:41:33.560 align:start position:0% if there's something weird about my 00:41:33.560 --> 00:41:35.390 align:start position:0% if there's something weird about my state<00:41:33.920> in<00:41:34.040> this<00:41:34.280> browser<00:41:35.000> maybe<00:41:35.200> I<00:41:35.280> should 00:41:35.390 --> 00:41:35.400 align:start position:0% state in this browser maybe I should 00:41:35.400 --> 00:41:36.910 align:start position:0% state in this browser maybe I should have<00:41:35.520> done<00:41:35.640> it<00:41:35.720> in<00:41:35.839> an<00:41:36.000> incognito<00:41:36.599> tab<00:41:36.800> or 00:41:36.910 --> 00:41:36.920 align:start position:0% have done it in an incognito tab or 00:41:36.920 --> 00:41:39.470 align:start position:0% have done it in an incognito tab or something<00:41:37.680> anyway<00:41:38.160> so<00:41:38.520> there<00:41:39.079> I'll<00:41:39.200> go<00:41:39.319> ahead 00:41:39.470 --> 00:41:39.480 align:start position:0% something anyway so there I'll go ahead 00:41:39.480 --> 00:41:41.069 align:start position:0% something anyway so there I'll go ahead and<00:41:39.599> update<00:41:39.960> this<00:41:40.079> in<00:41:40.200> the<00:41:40.359> document<00:41:40.880> my 00:41:41.069 --> 00:41:41.079 align:start position:0% and update this in the document my 00:41:41.079 --> 00:41:42.950 align:start position:0% and update this in the document my documentation<00:41:41.640> too<00:41:42.000> hold<00:41:42.160> on<00:41:42.400> let<00:41:42.480> me<00:41:42.680> just 00:41:42.950 --> 00:41:42.960 align:start position:0% documentation too hold on let me just 00:41:42.960 --> 00:41:45.790 align:start position:0% documentation too hold on let me just get<00:41:43.960> so<00:41:44.200> that<00:41:44.400> I<00:41:44.480> don't<00:41:44.680> forget<00:41:45.000> to<00:41:45.560> I<00:41:45.640> don't 00:41:45.790 --> 00:41:45.800 align:start position:0% get so that I don't forget to I don't 00:41:45.800 --> 00:41:47.950 align:start position:0% get so that I don't forget to I don't give<00:41:45.960> the<00:41:46.079> people<00:41:46.400> afterwards<00:41:46.839> the<00:41:47.000> wrong 00:41:47.950 --> 00:41:47.960 align:start position:0% give the people afterwards the wrong 00:41:47.960 --> 00:41:49.870 align:start position:0% give the people afterwards the wrong link 00:41:49.870 --> 00:41:49.880 align:start position:0% link 00:41:49.880 --> 00:41:52.390 align:start position:0% link okay<00:41:50.880> yeah<00:41:51.240> so<00:41:51.560> you<00:41:51.720> guys<00:41:51.880> can<00:41:52.000> see<00:41:52.240> the 00:41:52.390 --> 00:41:52.400 align:start position:0% okay yeah so you guys can see the 00:41:52.400 --> 00:41:54.710 align:start position:0% okay yeah so you guys can see the request<00:41:52.839> that<00:41:53.240> uh<00:41:53.400> I<00:41:53.520> just<00:41:53.640> sent<00:41:53.880> in<00:41:54.000> the 00:41:54.710 --> 00:41:54.720 align:start position:0% request that uh I just sent in the 00:41:54.720 --> 00:41:58.109 align:start position:0% request that uh I just sent in the chat<00:41:55.720> um<00:41:56.599> this<00:41:56.720> one<00:41:57.040> redirects<00:41:57.560> off<00:41:57.720> the<00:41:57.880> page 00:41:58.109 --> 00:41:58.119 align:start position:0% chat um this one redirects off the page 00:41:58.119 --> 00:41:59.510 align:start position:0% chat um this one redirects off the page a<00:41:58.240> little<00:41:58.400> bit<00:41:58.680> which<00:41:58.760> is<00:41:58.880> kind<00:41:59.000> of<00:41:59.119> annoying 00:41:59.510 --> 00:41:59.520 align:start position:0% a little bit which is kind of annoying 00:41:59.520 --> 00:42:00.790 align:start position:0% a little bit which is kind of annoying because<00:41:59.599> you<00:41:59.720> got<00:41:59.800> to<00:41:59.920> keep<00:42:00.040> on<00:42:00.200> repasting<00:42:00.640> it 00:42:00.790 --> 00:42:00.800 align:start position:0% because you got to keep on repasting it 00:42:00.800 --> 00:42:02.309 align:start position:0% because you got to keep on repasting it every<00:42:00.920> single<00:42:01.240> time<00:42:01.760> which<00:42:01.880> is<00:42:02.000> why<00:42:02.079> I<00:42:02.160> didn't 00:42:02.309 --> 00:42:02.319 align:start position:0% every single time which is why I didn't 00:42:02.319 --> 00:42:03.589 align:start position:0% every single time which is why I didn't want<00:42:02.400> to<00:42:02.480> use<00:42:02.720> this<00:42:02.839> one<00:42:03.040> but<00:42:03.200> I<00:42:03.280> guess<00:42:03.400> this<00:42:03.480> is 00:42:03.589 --> 00:42:03.599 align:start position:0% want to use this one but I guess this is 00:42:03.599 --> 00:42:06.109 align:start position:0% want to use this one but I guess this is the<00:42:03.680> one<00:42:03.800> we're<00:42:03.960> stuck<00:42:04.240> with<00:42:04.520> so<00:42:05.480> um<00:42:05.640> we<00:42:05.800> issue 00:42:06.109 --> 00:42:06.119 align:start position:0% the one we're stuck with so um we issue 00:42:06.119 --> 00:42:08.950 align:start position:0% the one we're stuck with so um we issue this<00:42:06.280> request<00:42:06.760> right<00:42:07.599> and<00:42:07.920> we<00:42:08.040> can<00:42:08.200> see<00:42:08.720> okay 00:42:08.950 --> 00:42:08.960 align:start position:0% this request right and we can see okay 00:42:08.960 --> 00:42:11.589 align:start position:0% this request right and we can see okay here's<00:42:09.440> here<00:42:09.560> is<00:42:09.839> the<00:42:10.359> um<00:42:10.800> original<00:42:11.280> request 00:42:11.589 --> 00:42:11.599 align:start position:0% here's here is the um original request 00:42:11.599 --> 00:42:14.349 align:start position:0% here's here is the um original request with<00:42:11.720> the<00:42:11.839> path<00:42:12.160> veral<00:42:12.400> in<00:42:12.680> it<00:42:13.680> and<00:42:14.040> and<00:42:14.160> then 00:42:14.349 --> 00:42:14.359 align:start position:0% with the path veral in it and and then 00:42:14.359 --> 00:42:16.150 align:start position:0% with the path veral in it and and then we<00:42:14.480> can<00:42:14.640> see<00:42:15.040> this<00:42:15.240> request<00:42:15.599> as<00:42:15.720> well<00:42:16.000> right 00:42:16.150 --> 00:42:16.160 align:start position:0% we can see this request as well right 00:42:16.160 --> 00:42:18.470 align:start position:0% we can see this request as well right here<00:42:16.400> that<00:42:16.520> is<00:42:16.720> made<00:42:17.280> okay<00:42:17.960> go<00:42:18.079> ahead<00:42:18.240> and 00:42:18.470 --> 00:42:18.480 align:start position:0% here that is made okay go ahead and 00:42:18.480 --> 00:42:20.109 align:start position:0% here that is made okay go ahead and expand 00:42:20.109 --> 00:42:20.119 align:start position:0% expand 00:42:20.119 --> 00:42:22.910 align:start position:0% expand this<00:42:21.119> we<00:42:21.240> see<00:42:21.720> that<00:42:21.839> there's<00:42:22.040> a<00:42:22.200> fetch<00:42:22.559> request 00:42:22.910 --> 00:42:22.920 align:start position:0% this we see that there's a fetch request 00:42:22.920 --> 00:42:23.990 align:start position:0% this we see that there's a fetch request being 00:42:23.990 --> 00:42:24.000 align:start position:0% being 00:42:24.000 --> 00:42:27.990 align:start position:0% being made<00:42:25.160> um 00:42:27.990 --> 00:42:28.000 align:start position:0% made um 00:42:28.000 --> 00:42:29.990 align:start position:0% made um see<00:42:28.720> if 00:42:29.990 --> 00:42:30.000 align:start position:0% see if 00:42:30.000 --> 00:42:33.910 align:start position:0% see if it<00:42:31.000> shows<00:42:32.040> the<00:42:33.040> yeah<00:42:33.160> you<00:42:33.280> can<00:42:33.400> see<00:42:33.640> it's<00:42:33.760> an 00:42:33.910 --> 00:42:33.920 align:start position:0% it shows the yeah you can see it's an 00:42:33.920 --> 00:42:36.349 align:start position:0% it shows the yeah you can see it's an XML<00:42:34.319> HTTP<00:42:34.880> request<00:42:35.280> right<00:42:35.440> so<00:42:35.559> it's<00:42:35.680> a<00:42:35.839> non 00:42:36.349 --> 00:42:36.359 align:start position:0% XML HTTP request right so it's a non 00:42:36.359 --> 00:42:40.270 align:start position:0% XML HTTP request right so it's a non non-top<00:42:36.880> level<00:42:37.599> navigation<00:42:38.599> and<00:42:39.040> it's<00:42:39.160> a<00:42:40.079> it's 00:42:40.270 --> 00:42:40.280 align:start position:0% non-top level navigation and it's a it's 00:42:40.280 --> 00:42:44.150 align:start position:0% non-top level navigation and it's a it's being<00:42:41.000> sent<00:42:41.400> to<00:42:42.200> exactly<00:42:42.640> what<00:42:42.800> we<00:42:43.040> put<00:42:43.319> in<00:42:44.040> the 00:42:44.150 --> 00:42:44.160 align:start position:0% being sent to exactly what we put in the 00:42:44.160 --> 00:42:46.870 align:start position:0% being sent to exactly what we put in the URL<00:42:44.880> parameters<00:42:45.880> except<00:42:46.240> it's<00:42:46.400> been<00:42:46.520> URL 00:42:46.870 --> 00:42:46.880 align:start position:0% URL parameters except it's been URL 00:42:46.880 --> 00:42:49.309 align:start position:0% URL parameters except it's been URL decoded<00:42:47.359> once<00:42:47.800> right<00:42:47.960> so<00:42:48.200> this<00:42:48.319> is<00:42:48.480> our<00:42:49.200> this 00:42:49.309 --> 00:42:49.319 align:start position:0% decoded once right so this is our this 00:42:49.319 --> 00:42:51.349 align:start position:0% decoded once right so this is our this is<00:42:49.440> our<00:42:49.720> actual<00:42:50.240> value<00:42:50.520> that<00:42:50.640> we<00:42:50.760> put<00:42:50.920> in<00:42:51.160> the 00:42:51.349 --> 00:42:51.359 align:start position:0% is our actual value that we put in the 00:42:51.359 --> 00:42:53.069 align:start position:0% is our actual value that we put in the in<00:42:51.480> the<00:42:51.599> parameters<00:42:52.319> uh<00:42:52.480> up<00:42:52.640> there<00:42:52.839> it's 00:42:53.069 --> 00:42:53.079 align:start position:0% in the parameters uh up there it's 00:42:53.079 --> 00:42:56.950 align:start position:0% in the parameters uh up there it's percent<00:42:53.480> 252f<00:42:54.480> dot<00:42:54.720> dot<00:42:55.319> I<00:42:55.400> wonder<00:42:55.640> if<00:42:55.800> I<00:42:55.880> can 00:42:56.950 --> 00:42:56.960 align:start position:0% percent 252f dot dot I wonder if I can 00:42:56.960 --> 00:42:58.829 align:start position:0% percent 252f dot dot I wonder if I can yeah<00:42:57.079> I<00:42:57.200> can't<00:42:57.359> really<00:42:57.559> zoom<00:42:57.839> in<00:42:58.040> on<00:42:58.240> my<00:42:58.400> URL 00:42:58.829 --> 00:42:58.839 align:start position:0% yeah I can't really zoom in on my URL 00:42:58.839 --> 00:43:01.030 align:start position:0% yeah I can't really zoom in on my URL bar<00:42:59.160> unfortunately<00:42:59.880> that's<00:43:00.079> kind<00:43:00.200> of<00:43:00.880> an 00:43:01.030 --> 00:43:01.040 align:start position:0% bar unfortunately that's kind of an 00:43:01.040 --> 00:43:02.710 align:start position:0% bar unfortunately that's kind of an annoying<00:43:01.400> feature<00:43:01.720> maybe<00:43:01.920> I'll<00:43:02.079> do<00:43:02.359> this 00:43:02.710 --> 00:43:02.720 align:start position:0% annoying feature maybe I'll do this 00:43:02.720 --> 00:43:05.670 align:start position:0% annoying feature maybe I'll do this maybe<00:43:02.920> I'll<00:43:03.079> do<00:43:03.760> window.location<00:43:04.760> equals 00:43:05.670 --> 00:43:05.680 align:start position:0% maybe I'll do window.location equals 00:43:05.680 --> 00:43:07.150 align:start position:0% maybe I'll do window.location equals that<00:43:06.040> if<00:43:06.160> I'm<00:43:06.280> trying<00:43:06.440> to<00:43:06.599> navigate<00:43:06.960> in<00:43:07.040> the 00:43:07.150 --> 00:43:07.160 align:start position:0% that if I'm trying to navigate in the 00:43:07.160 --> 00:43:08.670 align:start position:0% that if I'm trying to navigate in the future<00:43:07.440> so<00:43:07.559> you<00:43:07.680> guys<00:43:07.839> can<00:43:07.960> see<00:43:08.119> a<00:43:08.200> little<00:43:08.359> bit 00:43:08.670 --> 00:43:08.680 align:start position:0% future so you guys can see a little bit 00:43:08.680 --> 00:43:12.030 align:start position:0% future so you guys can see a little bit better<00:43:09.680> um<00:43:10.319> so<00:43:10.520> this<00:43:10.599> is<00:43:10.760> the<00:43:10.880> URL<00:43:11.359> right<00:43:11.559> here 00:43:12.030 --> 00:43:12.040 align:start position:0% better um so this is the URL right here 00:43:12.040 --> 00:43:13.270 align:start position:0% better um so this is the URL right here you<00:43:12.200> notice<00:43:12.440> that<00:43:12.559> we've<00:43:12.680> got<00:43:12.800> a<00:43:12.880> double 00:43:13.270 --> 00:43:13.280 align:start position:0% you notice that we've got a double 00:43:13.280 --> 00:43:15.630 align:start position:0% you notice that we've got a double encoded<00:43:14.280> uh<00:43:14.400> thing<00:43:14.680> here<00:43:14.960> and<00:43:15.119> then<00:43:15.440> the 00:43:15.630 --> 00:43:15.640 align:start position:0% encoded uh thing here and then the 00:43:15.640 --> 00:43:17.270 align:start position:0% encoded uh thing here and then the result<00:43:15.960> is<00:43:16.160> that<00:43:16.280> it<00:43:16.400> gets<00:43:16.680> injected<00:43:17.119> right 00:43:17.270 --> 00:43:17.280 align:start position:0% result is that it gets injected right 00:43:17.280 --> 00:43:19.430 align:start position:0% result is that it gets injected right into<00:43:17.480> this<00:43:17.640> backend<00:43:18.000> request<00:43:18.480> okay<00:43:19.040> so<00:43:19.200> let's 00:43:19.430 --> 00:43:19.440 align:start position:0% into this backend request okay so let's 00:43:19.440 --> 00:43:20.910 align:start position:0% into this backend request okay so let's go<00:43:19.599> ahead<00:43:19.760> and<00:43:19.920> see<00:43:20.240> how<00:43:20.400> the<00:43:20.520> browser 00:43:20.910 --> 00:43:20.920 align:start position:0% go ahead and see how the browser 00:43:20.920 --> 00:43:24.430 align:start position:0% go ahead and see how the browser responds<00:43:21.880> here<00:43:22.880> so<00:43:23.559> the<00:43:23.800> the<00:43:24.000> response<00:43:24.359> that 00:43:24.430 --> 00:43:24.440 align:start position:0% responds here so the the response that 00:43:24.440 --> 00:43:27.950 align:start position:0% responds here so the the response that we<00:43:24.599> get<00:43:25.079> back<00:43:26.160> so<00:43:26.319> let's<00:43:26.480> go<00:43:26.640> to<00:43:27.119> response 00:43:27.950 --> 00:43:27.960 align:start position:0% we get back so let's go to response 00:43:27.960 --> 00:43:31.790 align:start position:0% we get back so let's go to response headers<00:43:28.960> is<00:43:29.359> a<00:43:30.000> redirect<00:43:30.520> to<00:43:30.800> fortnite.com 00:43:31.790 --> 00:43:31.800 align:start position:0% headers is a redirect to fortnite.com 00:43:31.800 --> 00:43:34.390 align:start position:0% headers is a redirect to fortnite.com okay<00:43:32.240> and<00:43:32.359> the<00:43:32.480> reason<00:43:32.720> for<00:43:32.960> that<00:43:33.280> is<00:43:33.480> because 00:43:34.390 --> 00:43:34.400 align:start position:0% okay and the reason for that is because 00:43:34.400 --> 00:43:35.990 align:start position:0% okay and the reason for that is because this<00:43:34.480> is<00:43:34.720> exactly<00:43:35.280> and<00:43:35.480> guys<00:43:35.640> this<00:43:35.760> is<00:43:35.880> the 00:43:35.990 --> 00:43:36.000 align:start position:0% this is exactly and guys this is the 00:43:36.000 --> 00:43:37.670 align:start position:0% this is exactly and guys this is the cool<00:43:36.599> thing<00:43:36.800> that<00:43:36.920> I<00:43:37.000> was<00:43:37.160> talking<00:43:37.440> about 00:43:37.670 --> 00:43:37.680 align:start position:0% cool thing that I was talking about 00:43:37.680 --> 00:43:41.870 align:start position:0% cool thing that I was talking about before<00:43:38.160> okay<00:43:39.160> this<00:43:39.280> is<00:43:39.960> why<00:43:40.800> these<00:43:41.040> are<00:43:41.280> so 00:43:41.870 --> 00:43:41.880 align:start position:0% before okay this is why these are so 00:43:41.880 --> 00:43:45.069 align:start position:0% before okay this is why these are so flexible<00:43:42.880> okay<00:43:43.079> this<00:43:43.160> is<00:43:43.280> why<00:43:43.440> these<00:43:43.559> are<00:43:43.920> so 00:43:45.069 --> 00:43:45.079 align:start position:0% flexible okay this is why these are so 00:43:45.079 --> 00:43:48.109 align:start position:0% flexible okay this is why these are so um<00:43:46.079> really<00:43:46.440> Dynamic<00:43:47.240> and<00:43:47.400> and<00:43:47.599> able<00:43:47.839> to<00:43:47.960> be 00:43:48.109 --> 00:43:48.119 align:start position:0% um really Dynamic and and able to be 00:43:48.119 --> 00:43:50.190 align:start position:0% um really Dynamic and and able to be exploited<00:43:48.559> in<00:43:48.640> a<00:43:48.760> lot<00:43:48.839> of<00:43:48.920> scenarios 00:43:50.190 --> 00:43:50.200 align:start position:0% exploited in a lot of scenarios 00:43:50.200 --> 00:43:52.950 align:start position:0% exploited in a lot of scenarios because<00:43:51.200> you<00:43:51.400> can<00:43:51.720> you<00:43:51.839> can<00:43:52.079> have<00:43:52.359> the<00:43:52.480> fetch 00:43:52.950 --> 00:43:52.960 align:start position:0% because you can you can have the fetch 00:43:52.960 --> 00:43:54.829 align:start position:0% because you can you can have the fetch normalizing<00:43:53.559> it<00:43:54.000> you<00:43:54.119> can<00:43:54.240> have<00:43:54.359> the<00:43:54.480> reverse 00:43:54.829 --> 00:43:54.839 align:start position:0% normalizing it you can have the reverse 00:43:54.839 --> 00:43:56.270 align:start position:0% normalizing it you can have the reverse proxy<00:43:55.160> normalizing<00:43:55.640> it<00:43:55.839> you<00:43:55.920> can<00:43:56.079> can<00:43:56.160> have 00:43:56.270 --> 00:43:56.280 align:start position:0% proxy normalizing it you can can have 00:43:56.280 --> 00:43:57.950 align:start position:0% proxy normalizing it you can can have the<00:43:56.359> server<00:43:56.599> normalizing<00:43:57.160> it<00:43:57.559> in<00:43:57.680> this 00:43:57.950 --> 00:43:57.960 align:start position:0% the server normalizing it in this 00:43:57.960 --> 00:44:00.390 align:start position:0% the server normalizing it in this scenario<00:43:58.960> the<00:43:59.440> it<00:43:59.559> looks<00:43:59.760> to<00:43:59.920> me<00:44:00.119> like<00:44:00.240> the 00:44:00.390 --> 00:44:00.400 align:start position:0% scenario the it looks to me like the 00:44:00.400 --> 00:44:02.309 align:start position:0% scenario the it looks to me like the reverse<00:44:00.839> proxy<00:44:01.200> is<00:44:01.319> normalizing<00:44:01.880> it<00:44:02.160> we're 00:44:02.309 --> 00:44:02.319 align:start position:0% reverse proxy is normalizing it we're 00:44:02.319 --> 00:44:05.430 align:start position:0% reverse proxy is normalizing it we're getting<00:44:02.599> one<00:44:02.839> set<00:44:03.040> of<00:44:03.240> UR<00:44:03.800> URL<00:44:04.240> decoding<00:44:05.240> right 00:44:05.430 --> 00:44:05.440 align:start position:0% getting one set of UR URL decoding right 00:44:05.440 --> 00:44:07.430 align:start position:0% getting one set of UR URL decoding right that's<00:44:05.640> happening<00:44:06.000> when<00:44:06.200> we<00:44:06.440> when<00:44:06.599> we<00:44:07.000> submit 00:44:07.430 --> 00:44:07.440 align:start position:0% that's happening when we when we submit 00:44:07.440 --> 00:44:10.790 align:start position:0% that's happening when we when we submit this<00:44:08.280> uh<00:44:09.000> URL<00:44:09.680> so<00:44:09.880> first<00:44:10.119> it's<00:44:10.240> going<00:44:10.359> to<00:44:10.480> URL 00:44:10.790 --> 00:44:10.800 align:start position:0% this uh URL so first it's going to URL 00:44:10.800 --> 00:44:12.309 align:start position:0% this uh URL so first it's going to URL decode<00:44:11.119> all<00:44:11.319> this<00:44:11.760> and<00:44:11.880> then<00:44:12.000> it's<00:44:12.119> going<00:44:12.200> to 00:44:12.309 --> 00:44:12.319 align:start position:0% decode all this and then it's going to 00:44:12.319 --> 00:44:13.549 align:start position:0% decode all this and then it's going to take<00:44:12.520> this<00:44:12.720> value<00:44:13.000> and<00:44:13.079> it's<00:44:13.200> going<00:44:13.280> to<00:44:13.359> send 00:44:13.549 --> 00:44:13.559 align:start position:0% take this value and it's going to send 00:44:13.559 --> 00:44:15.870 align:start position:0% take this value and it's going to send it<00:44:13.640> to<00:44:13.760> the<00:44:13.839> server<00:44:14.319> okay<00:44:14.960> now<00:44:15.119> when<00:44:15.280> you<00:44:15.559> hit 00:44:15.870 --> 00:44:15.880 align:start position:0% it to the server okay now when you hit 00:44:15.880 --> 00:44:16.589 align:start position:0% it to the server okay now when you hit this 00:44:16.589 --> 00:44:16.599 align:start position:0% this 00:44:16.599 --> 00:44:19.030 align:start position:0% this endpoint<00:44:17.599> on<00:44:17.839> Epic 00:44:19.030 --> 00:44:19.040 align:start position:0% endpoint on Epic 00:44:19.040 --> 00:44:21.470 align:start position:0% endpoint on Epic games.com<00:44:20.040> it's<00:44:20.319> automatically<00:44:21.079> part<00:44:21.359> the 00:44:21.470 --> 00:44:21.480 align:start position:0% games.com it's automatically part the 00:44:21.480 --> 00:44:23.190 align:start position:0% games.com it's automatically part the reverse<00:44:21.839> proxy<00:44:22.160> in<00:44:22.240> this 00:44:23.190 --> 00:44:23.200 align:start position:0% reverse proxy in this 00:44:23.200 --> 00:44:25.589 align:start position:0% reverse proxy in this scenario<00:44:24.200> is<00:44:24.359> parsing<00:44:24.760> these<00:44:24.920> percent<00:44:25.200> 2fs 00:44:25.589 --> 00:44:25.599 align:start position:0% scenario is parsing these percent 2fs 00:44:25.599 --> 00:44:28.670 align:start position:0% scenario is parsing these percent 2fs into<00:44:25.760> SL<00:44:26.440> es<00:44:27.440> and<00:44:27.559> then<00:44:27.680> it's<00:44:27.880> normalizing 00:44:28.670 --> 00:44:28.680 align:start position:0% into SL es and then it's normalizing 00:44:28.680 --> 00:44:31.829 align:start position:0% into SL es and then it's normalizing right<00:44:29.640> so<00:44:30.160> this<00:44:30.640> becomes<00:44:30.839> a<00:44:30.960> slash<00:44:31.559> and 00:44:31.829 --> 00:44:31.839 align:start position:0% right so this becomes a slash and 00:44:31.839 --> 00:44:33.829 align:start position:0% right so this becomes a slash and deletes<00:44:32.359> this<00:44:32.920> this<00:44:33.079> becomes<00:44:33.319> a<00:44:33.440> slash<00:44:33.720> and 00:44:33.829 --> 00:44:33.839 align:start position:0% deletes this this becomes a slash and 00:44:33.839 --> 00:44:36.150 align:start position:0% deletes this this becomes a slash and delets<00:44:34.319> this<00:44:35.040> this<00:44:35.200> becomes<00:44:35.480> a<00:44:35.640> slash<00:44:36.000> and 00:44:36.150 --> 00:44:36.160 align:start position:0% delets this this becomes a slash and 00:44:36.160 --> 00:44:38.950 align:start position:0% delets this this becomes a slash and deletes<00:44:37.160> this<00:44:37.880> and<00:44:37.960> then<00:44:38.119> we're<00:44:38.359> left<00:44:38.680> with 00:44:38.950 --> 00:44:38.960 align:start position:0% deletes this and then we're left with 00:44:38.960 --> 00:44:41.910 align:start position:0% deletes this and then we're left with the<00:44:39.160> path<00:44:39.480> fortnite<00:44:40.200> slash<00:44:41.200> right<00:44:41.559> and<00:44:41.680> if<00:44:41.760> you 00:44:41.910 --> 00:44:41.920 align:start position:0% the path fortnite slash right and if you 00:44:41.920 --> 00:44:45.190 align:start position:0% the path fortnite slash right and if you hit<00:44:42.119> fortnite<00:44:42.880> on<00:44:43.040> ww.<00:44:43.640> epicgames.com<00:44:44.280> you're 00:44:45.190 --> 00:44:45.200 align:start position:0% hit fortnite on ww. epicgames.com you're 00:44:45.200 --> 00:44:48.710 align:start position:0% hit fortnite on ww. epicgames.com you're going<00:44:45.319> to<00:44:45.760> going<00:44:45.880> to<00:44:46.000> be<00:44:46.160> redirected<00:44:46.720> to<00:44:47.720> htps 00:44:48.710 --> 00:44:48.720 align:start position:0% going to going to be redirected to htps 00:44:48.720 --> 00:44:52.470 align:start position:0% going to going to be redirected to htps ww.<00:44:49.319> fortnite.com<00:44:50.319> okay<00:44:51.079> and<00:44:51.440> so<00:44:51.839> ideally 00:44:52.470 --> 00:44:52.480 align:start position:0% ww. fortnite.com okay and so ideally 00:44:52.480 --> 00:44:54.870 align:start position:0% ww. fortnite.com okay and so ideally what<00:44:52.599> I<00:44:52.720> would<00:44:52.880> do<00:44:53.119> here<00:44:53.880> is<00:44:54.200> I<00:44:54.319> would<00:44:54.640> find 00:44:54.870 --> 00:44:54.880 align:start position:0% what I would do here is I would find 00:44:54.880 --> 00:44:58.750 align:start position:0% what I would do here is I would find some<00:44:55.119> way<00:44:55.280> to<00:44:55.480> smuggle<00:44:56.359> in<00:44:57.359> uh<00:44:57.720> find<00:44:57.960> an<00:44:58.160> O<00:44:58.440> an 00:44:58.750 --> 00:44:58.760 align:start position:0% some way to smuggle in uh find an O an 00:44:58.760 --> 00:45:01.230 align:start position:0% some way to smuggle in uh find an O an open<00:44:59.079> redirect<00:44:59.760> and<00:44:59.920> smuggle<00:45:00.319> a<00:45:00.520> parameter<00:45:00.960> in 00:45:01.230 --> 00:45:01.240 align:start position:0% open redirect and smuggle a parameter in 00:45:01.240 --> 00:45:03.750 align:start position:0% open redirect and smuggle a parameter in and<00:45:01.400> redirect<00:45:01.880> out<00:45:02.000> to<00:45:02.160> my<00:45:02.319> server<00:45:03.119> and<00:45:03.280> leak 00:45:03.750 --> 00:45:03.760 align:start position:0% and redirect out to my server and leak 00:45:03.760 --> 00:45:05.710 align:start position:0% and redirect out to my server and leak the<00:45:04.160> uh<00:45:04.280> Cerf<00:45:04.760> token<00:45:05.040> which<00:45:05.160> is<00:45:05.280> attached<00:45:05.559> to 00:45:05.710 --> 00:45:05.720 align:start position:0% the uh Cerf token which is attached to 00:45:05.720 --> 00:45:06.470 align:start position:0% the uh Cerf token which is attached to this 00:45:06.470 --> 00:45:06.480 align:start position:0% this 00:45:06.480 --> 00:45:08.430 align:start position:0% this request<00:45:07.480> which<00:45:07.640> is<00:45:07.800> attached<00:45:08.079> to<00:45:08.240> this 00:45:08.430 --> 00:45:08.440 align:start position:0% request which is attached to this 00:45:08.440 --> 00:45:10.910 align:start position:0% request which is attached to this request<00:45:08.839> I<00:45:09.000> think<00:45:09.800> yeah<00:45:10.079> the<00:45:10.160> Cerf<00:45:10.599> token 00:45:10.910 --> 00:45:10.920 align:start position:0% request I think yeah the Cerf token 00:45:10.920 --> 00:45:12.030 align:start position:0% request I think yeah the Cerf token right 00:45:12.030 --> 00:45:12.040 align:start position:0% right 00:45:12.040 --> 00:45:14.030 align:start position:0% right here 00:45:14.030 --> 00:45:14.040 align:start position:0% here 00:45:14.040 --> 00:45:16.470 align:start position:0% here um<00:45:15.040> and<00:45:15.200> that<00:45:15.319> would<00:45:15.440> be<00:45:15.640> super<00:45:15.960> clutch<00:45:16.359> and 00:45:16.470 --> 00:45:16.480 align:start position:0% um and that would be super clutch and 00:45:16.480 --> 00:45:18.030 align:start position:0% um and that would be super clutch and who<00:45:16.640> knows<00:45:16.880> maybe<00:45:17.119> in<00:45:17.200> some<00:45:17.359> scenarios<00:45:17.920> some 00:45:18.030 --> 00:45:18.040 align:start position:0% who knows maybe in some scenarios some 00:45:18.040 --> 00:45:20.309 align:start position:0% who knows maybe in some scenarios some of<00:45:18.200> these<00:45:18.359> other<00:45:18.599> things<00:45:19.000> are<00:45:19.520> are<00:45:19.760> populated 00:45:20.309 --> 00:45:20.319 align:start position:0% of these other things are are populated 00:45:20.319 --> 00:45:22.109 align:start position:0% of these other things are are populated too<00:45:20.559> and<00:45:20.640> you<00:45:20.760> might<00:45:20.920> even<00:45:21.119> be<00:45:21.240> able<00:45:21.400> to<00:45:21.520> leak 00:45:22.109 --> 00:45:22.119 align:start position:0% too and you might even be able to leak 00:45:22.119 --> 00:45:24.630 align:start position:0% too and you might even be able to leak oh<00:45:22.280> that's<00:45:22.440> the<00:45:22.599> other<00:45:22.920> thing<00:45:23.920> I'm<00:45:24.040> so<00:45:24.240> glad<00:45:24.480> I 00:45:24.630 --> 00:45:24.640 align:start position:0% oh that's the other thing I'm so glad I 00:45:24.640 --> 00:45:26.349 align:start position:0% oh that's the other thing I'm so glad I I<00:45:24.880> remember<00:45:25.240> this<00:45:25.359> I<00:45:25.400> need<00:45:25.520> to<00:45:25.640> write<00:45:26.119> down 00:45:26.349 --> 00:45:26.359 align:start position:0% I remember this I need to write down 00:45:26.359 --> 00:45:28.150 align:start position:0% I remember this I need to write down actually<00:45:26.720> to<00:45:27.400> make<00:45:27.520> sure<00:45:27.640> I<00:45:27.760> add<00:45:27.880> it<00:45:27.960> to<00:45:28.040> the 00:45:28.150 --> 00:45:28.160 align:start position:0% actually to make sure I add it to the 00:45:28.160 --> 00:45:30.309 align:start position:0% actually to make sure I add it to the notes<00:45:28.440> afterwards<00:45:29.200> some<00:45:30.000> sometimes<00:45:30.200> it 00:45:30.309 --> 00:45:30.319 align:start position:0% notes afterwards some sometimes it 00:45:30.319 --> 00:45:34.589 align:start position:0% notes afterwards some sometimes it doesn't<00:45:30.599> just<00:45:30.720> leak<00:45:31.160> the<00:45:31.520> uh<00:45:32.760> the<00:45:33.760> uh<00:45:34.280> sees 00:45:34.589 --> 00:45:34.599 align:start position:0% doesn't just leak the uh the uh sees 00:45:34.599 --> 00:45:37.470 align:start position:0% doesn't just leak the uh the uh sees surf<00:45:34.839> token<00:45:35.520> sometimes<00:45:35.720> it'll<00:45:36.040> actually<00:45:36.480> leak 00:45:37.470 --> 00:45:37.480 align:start position:0% surf token sometimes it'll actually leak 00:45:37.480 --> 00:45:40.630 align:start position:0% surf token sometimes it'll actually leak the<00:45:37.680> off<00:45:37.960> Bearer<00:45:38.760> for<00:45:38.960> the<00:45:39.200> Target<00:45:40.200> because 00:45:40.630 --> 00:45:40.640 align:start position:0% the off Bearer for the Target because 00:45:40.640 --> 00:45:42.430 align:start position:0% the off Bearer for the Target because fetch<00:45:40.960> is<00:45:41.160> just<00:45:41.400> saying<00:45:41.680> you<00:45:41.760> know<00:45:42.079> fetch<00:45:42.319> is 00:45:42.430 --> 00:45:42.440 align:start position:0% fetch is just saying you know fetch is 00:45:42.440 --> 00:45:44.109 align:start position:0% fetch is just saying you know fetch is just<00:45:42.559> being<00:45:42.760> instructed<00:45:43.160> follow<00:45:43.400> redirects 00:45:44.109 --> 00:45:44.119 align:start position:0% just being instructed follow redirects 00:45:44.119 --> 00:45:46.390 align:start position:0% just being instructed follow redirects and<00:45:44.240> use<00:45:44.480> this<00:45:44.599> off<00:45:44.839> Bear<00:45:45.559> right<00:45:45.960> and<00:45:46.079> so 00:45:46.390 --> 00:45:46.400 align:start position:0% and use this off Bear right and so 00:45:46.400 --> 00:45:47.510 align:start position:0% and use this off Bear right and so sometimes<00:45:46.599> when<00:45:46.720> you<00:45:46.880> get<00:45:47.040> this<00:45:47.240> it'll 00:45:47.510 --> 00:45:47.520 align:start position:0% sometimes when you get this it'll 00:45:47.520 --> 00:45:49.150 align:start position:0% sometimes when you get this it'll actually<00:45:47.720> just<00:45:47.920> leak<00:45:48.280> the<00:45:48.400> off<00:45:48.640> bear<00:45:48.880> directly 00:45:49.150 --> 00:45:49.160 align:start position:0% actually just leak the off bear directly 00:45:49.160 --> 00:45:51.670 align:start position:0% actually just leak the off bear directly to<00:45:49.319> the<00:45:49.440> attacker<00:45:49.760> controlled<00:45:50.200> server<00:45:51.079> um<00:45:51.599> if 00:45:51.670 --> 00:45:51.680 align:start position:0% to the attacker controlled server um if 00:45:51.680 --> 00:45:55.150 align:start position:0% to the attacker controlled server um if they're<00:45:51.839> using<00:45:52.480> off<00:45:52.760> bear<00:45:53.000> based<00:45:53.599> uh<00:45:53.880> C<00:45:54.200> surf 00:45:55.150 --> 00:45:55.160 align:start position:0% they're using off bear based uh C surf 00:45:55.160 --> 00:45:56.630 align:start position:0% they're using off bear based uh C surf um 00:45:56.630 --> 00:45:56.640 align:start position:0% um 00:45:56.640 --> 00:45:59.390 align:start position:0% um uh<00:45:56.839> or<00:45:57.480> off<00:45:57.720> bear<00:45:57.960> based<00:45:58.440> um<00:45:58.680> authentication 00:45:59.390 --> 00:45:59.400 align:start position:0% uh or off bear based um authentication 00:45:59.400 --> 00:46:02.109 align:start position:0% uh or off bear based um authentication there<00:45:59.920> so<00:46:00.520> really<00:46:00.800> cool<00:46:01.359> I<00:46:01.480> love<00:46:01.640> it<00:46:01.760> when<00:46:01.920> that 00:46:02.109 --> 00:46:02.119 align:start position:0% there so really cool I love it when that 00:46:02.119 --> 00:46:04.790 align:start position:0% there so really cool I love it when that happens<00:46:02.800> very<00:46:03.200> exciting<00:46:04.200> uh<00:46:04.359> so<00:46:04.520> anyway<00:46:04.760> in 00:46:04.790 --> 00:46:04.800 align:start position:0% happens very exciting uh so anyway in 00:46:04.800 --> 00:46:05.990 align:start position:0% happens very exciting uh so anyway in this<00:46:04.920> scenario<00:46:05.240> you<00:46:05.319> can<00:46:05.440> see<00:46:05.640> it's<00:46:05.800> going 00:46:05.990 --> 00:46:06.000 align:start position:0% this scenario you can see it's going 00:46:06.000 --> 00:46:07.150 align:start position:0% this scenario you can see it's going ahead<00:46:06.160> and<00:46:06.280> doing<00:46:06.440> the<00:46:06.559> same<00:46:06.720> thing<00:46:06.920> like<00:46:07.040> we 00:46:07.150 --> 00:46:07.160 align:start position:0% ahead and doing the same thing like we 00:46:07.160 --> 00:46:08.910 align:start position:0% ahead and doing the same thing like we talked<00:46:07.400> about<00:46:07.599> it's<00:46:07.760> issuing<00:46:08.200> options 00:46:08.910 --> 00:46:08.920 align:start position:0% talked about it's issuing options 00:46:08.920 --> 00:46:11.270 align:start position:0% talked about it's issuing options issuing<00:46:09.240> an<00:46:09.400> options<00:46:09.760> request<00:46:10.040> to 00:46:11.270 --> 00:46:11.280 align:start position:0% issuing an options request to 00:46:11.280 --> 00:46:14.230 align:start position:0% issuing an options request to fortnite<00:46:12.280> and<00:46:12.720> uh<00:46:12.880> it's<00:46:13.040> getting<00:46:13.319> back<00:46:13.520> a<00:46:13.720> 500 00:46:14.230 --> 00:46:14.240 align:start position:0% fortnite and uh it's getting back a 500 00:46:14.240 --> 00:46:16.349 align:start position:0% fortnite and uh it's getting back a 500 server<00:46:14.599> error<00:46:15.040> because<00:46:15.559> we<00:46:15.720> can't<00:46:15.960> redirect 00:46:16.349 --> 00:46:16.359 align:start position:0% server error because we can't redirect 00:46:16.359 --> 00:46:18.589 align:start position:0% server error because we can't redirect off<00:46:16.480> the<00:46:16.640> page<00:46:17.400> so<00:46:17.680> if<00:46:17.800> anyone<00:46:18.079> can<00:46:18.240> figure<00:46:18.440> out 00:46:18.589 --> 00:46:18.599 align:start position:0% off the page so if anyone can figure out 00:46:18.599 --> 00:46:20.349 align:start position:0% off the page so if anyone can figure out how<00:46:18.680> to<00:46:18.800> exploit<00:46:19.240> this<00:46:19.559> there<00:46:19.680> you<00:46:19.920> go<00:46:20.200> there's 00:46:20.349 --> 00:46:20.359 align:start position:0% how to exploit this there you go there's 00:46:20.359 --> 00:46:24.270 align:start position:0% how to exploit this there you go there's a<00:46:20.480> nice<00:46:20.680> little<00:46:20.880> freebie<00:46:21.440> for<00:46:21.640> you<00:46:23.040> um<00:46:24.040> and<00:46:24.200> if 00:46:24.270 --> 00:46:24.280 align:start position:0% a nice little freebie for you um and if 00:46:24.280 --> 00:46:26.270 align:start position:0% a nice little freebie for you um and if you<00:46:24.400> do<00:46:24.839> please<00:46:25.119> contact<00:46:25.480> me<00:46:25.920> and<00:46:26.079> you<00:46:26.160> don't 00:46:26.270 --> 00:46:26.280 align:start position:0% you do please contact me and you don't 00:46:26.280 --> 00:46:27.309 align:start position:0% you do please contact me and you don't need<00:46:26.400> to<00:46:26.480> split<00:46:26.720> the<00:46:26.800> Bounty<00:46:27.040> with<00:46:27.119> me<00:46:27.200> or 00:46:27.309 --> 00:46:27.319 align:start position:0% need to split the Bounty with me or 00:46:27.319 --> 00:46:28.670 align:start position:0% need to split the Bounty with me or anything<00:46:27.640> I<00:46:27.720> just<00:46:27.839> want<00:46:27.920> to<00:46:28.079> know<00:46:28.440> I<00:46:28.480> just<00:46:28.599> want 00:46:28.670 --> 00:46:28.680 align:start position:0% anything I just want to know I just want 00:46:28.680 --> 00:46:30.390 align:start position:0% anything I just want to know I just want to<00:46:28.800> know<00:46:28.920> how<00:46:29.040> you<00:46:29.160> did<00:46:29.319> it 00:46:30.390 --> 00:46:30.400 align:start position:0% to know how you did it 00:46:30.400 --> 00:46:32.549 align:start position:0% to know how you did it okay<00:46:31.400> I've<00:46:31.559> banged<00:46:31.880> my<00:46:32.000> head<00:46:32.160> up<00:46:32.319> against 00:46:32.549 --> 00:46:32.559 align:start position:0% okay I've banged my head up against 00:46:32.559 --> 00:46:35.630 align:start position:0% okay I've banged my head up against these<00:46:32.720> for<00:46:32.880> a<00:46:33.040> while<00:46:33.480> and<00:46:33.640> I've<00:46:33.920> actually<00:46:34.480> got 00:46:35.630 --> 00:46:35.640 align:start position:0% these for a while and I've actually got 00:46:35.640 --> 00:46:39.990 align:start position:0% these for a while and I've actually got a<00:46:36.640> flow<00:46:37.160> a<00:46:37.319> chain<00:46:37.880> of<00:46:38.280> of<00:46:38.559> exploits<00:46:39.240> and<00:46:39.640> um 00:46:39.990 --> 00:46:40.000 align:start position:0% a flow a chain of of exploits and um 00:46:40.000 --> 00:46:41.910 align:start position:0% a flow a chain of of exploits and um gadgets<00:46:40.520> together<00:46:40.960> where<00:46:41.119> if<00:46:41.200> I<00:46:41.319> can<00:46:41.480> just<00:46:41.640> get 00:46:41.910 --> 00:46:41.920 align:start position:0% gadgets together where if I can just get 00:46:41.920 --> 00:46:44.190 align:start position:0% gadgets together where if I can just get one<00:46:42.040> of<00:46:42.200> these<00:46:42.400> to<00:46:42.520> be<00:46:42.720> post<00:46:43.119> instead<00:46:43.400> of<00:46:43.640> get 00:46:44.190 --> 00:46:44.200 align:start position:0% one of these to be post instead of get 00:46:44.200 --> 00:46:45.630 align:start position:0% one of these to be post instead of get then<00:46:44.359> I<00:46:44.480> have<00:46:44.599> an<00:46:44.760> account<00:46:45.000> takeover<00:46:45.520> which 00:46:45.630 --> 00:46:45.640 align:start position:0% then I have an account takeover which 00:46:45.640 --> 00:46:49.549 align:start position:0% then I have an account takeover which would<00:46:45.760> be<00:46:45.920> really<00:46:46.160> nice<00:46:47.079> um<00:46:47.839> so<00:46:48.800> yeah<00:46:49.319> let<00:46:49.440> me 00:46:49.549 --> 00:46:49.559 align:start position:0% would be really nice um so yeah let me 00:46:49.559 --> 00:46:51.030 align:start position:0% would be really nice um so yeah let me know<00:46:49.680> if<00:46:49.760> you<00:46:49.920> if<00:46:50.000> you<00:46:50.079> can<00:46:50.160> figure<00:46:50.359> it<00:46:50.480> out<00:46:50.960> all 00:46:51.030 --> 00:46:51.040 align:start position:0% know if you if you can figure it out all 00:46:51.040 --> 00:46:52.829 align:start position:0% know if you if you can figure it out all right<00:46:51.160> let<00:46:51.240> me<00:46:51.359> answer<00:46:51.559> some<00:46:51.720> questions<00:46:52.079> here 00:46:52.829 --> 00:46:52.839 align:start position:0% right let me answer some questions here 00:46:52.839 --> 00:46:55.190 align:start position:0% right let me answer some questions here um<00:46:53.839> fets<00:46:54.160> just<00:46:54.280> following<00:46:54.559> redirect<00:46:54.960> seems 00:46:55.190 --> 00:46:55.200 align:start position:0% um fets just following redirect seems 00:46:55.200 --> 00:46:57.750 align:start position:0% um fets just following redirect seems wild<00:46:55.440> to<00:46:55.559> me<00:46:56.079> yeah<00:46:56.240> you<00:46:56.319> know<00:46:56.520> you<00:46:56.720> think<00:46:57.160> it<00:46:57.640> I 00:46:57.750 --> 00:46:57.760 align:start position:0% wild to me yeah you know you think it I 00:46:57.760 --> 00:46:59.109 align:start position:0% wild to me yeah you know you think it I guess<00:46:57.880> they're<00:46:58.079> just<00:46:58.240> not<00:46:58.400> really<00:46:58.640> modeling 00:46:59.109 --> 00:46:59.119 align:start position:0% guess they're just not really modeling 00:46:59.119 --> 00:47:01.349 align:start position:0% guess they're just not really modeling in<00:46:59.280> the<00:46:59.480> fact<00:46:59.720> that<00:46:59.920> we<00:47:00.119> might<00:47:00.280> be<00:47:00.440> able<00:47:00.599> to 00:47:01.349 --> 00:47:01.359 align:start position:0% in the fact that we might be able to 00:47:01.359 --> 00:47:02.950 align:start position:0% in the fact that we might be able to manipulate<00:47:01.839> the<00:47:02.040> path<00:47:02.440> right<00:47:02.680> because 00:47:02.950 --> 00:47:02.960 align:start position:0% manipulate the path right because 00:47:02.960 --> 00:47:04.870 align:start position:0% manipulate the path right because normally<00:47:03.280> following<00:47:03.599> RX<00:47:04.079> would<00:47:04.359> sort<00:47:04.559> of<00:47:04.680> make 00:47:04.870 --> 00:47:04.880 align:start position:0% normally following RX would sort of make 00:47:04.880 --> 00:47:06.750 align:start position:0% normally following RX would sort of make sense<00:47:05.280> but<00:47:06.079> yeah<00:47:06.200> I<00:47:06.280> don't<00:47:06.400> know<00:47:06.520> it<00:47:06.599> is<00:47:06.680> a 00:47:06.750 --> 00:47:06.760 align:start position:0% sense but yeah I don't know it is a 00:47:06.760 --> 00:47:09.109 align:start position:0% sense but yeah I don't know it is a little<00:47:06.920> bit<00:47:07.240> weird<00:47:08.240> do<00:47:08.359> you<00:47:08.440> know<00:47:08.559> if<00:47:08.640> anyone 00:47:09.109 --> 00:47:09.119 align:start position:0% little bit weird do you know if anyone 00:47:09.119 --> 00:47:10.549 align:start position:0% little bit weird do you know if anyone pay<00:47:09.280> for<00:47:09.400> leaking<00:47:09.640> the<00:47:09.720> C<00:47:09.920> Ser<00:47:10.119> toen<00:47:10.400> without 00:47:10.549 --> 00:47:10.559 align:start position:0% pay for leaking the C Ser toen without 00:47:10.559 --> 00:47:12.750 align:start position:0% pay for leaking the C Ser toen without proving<00:47:10.960> impact<00:47:11.839> without<00:47:12.040> sending<00:47:12.280> A<00:47:12.359> Cerf 00:47:12.750 --> 00:47:12.760 align:start position:0% proving impact without sending A Cerf 00:47:12.760 --> 00:47:14.750 align:start position:0% proving impact without sending A Cerf request<00:47:13.559> I<00:47:13.599> don't<00:47:13.760> know<00:47:13.880> the<00:47:14.000> Epic<00:47:14.280> team<00:47:14.520> games 00:47:14.750 --> 00:47:14.760 align:start position:0% request I don't know the Epic team games 00:47:14.760 --> 00:47:16.910 align:start position:0% request I don't know the Epic team games team<00:47:15.079> is<00:47:15.240> pretty<00:47:15.480> cool<00:47:16.079> um<00:47:16.400> so<00:47:16.599> you<00:47:16.680> can 00:47:16.910 --> 00:47:16.920 align:start position:0% team is pretty cool um so you can 00:47:16.920 --> 00:47:18.390 align:start position:0% team is pretty cool um so you can probably<00:47:17.119> send<00:47:17.280> him<00:47:17.440> something<00:47:17.640> over 00:47:18.390 --> 00:47:18.400 align:start position:0% probably send him something over 00:47:18.400 --> 00:47:22.990 align:start position:0% probably send him something over anyway<00:47:19.400> uh<00:47:20.200> but<00:47:21.040> yeah<00:47:21.800> uh<00:47:22.319> I<00:47:22.400> would<00:47:22.559> say<00:47:22.720> if<00:47:22.800> you 00:47:22.990 --> 00:47:23.000 align:start position:0% anyway uh but yeah uh I would say if you 00:47:23.000 --> 00:47:26.190 align:start position:0% anyway uh but yeah uh I would say if you have<00:47:23.160> the<00:47:23.240> Cerf<00:47:23.720> token<00:47:24.680> shoot<00:47:24.920> me<00:47:25.040> a<00:47:25.160> DM<00:47:25.839> cuz<00:47:26.119> uh 00:47:26.190 --> 00:47:26.200 align:start position:0% have the Cerf token shoot me a DM cuz uh 00:47:26.200 --> 00:47:27.349 align:start position:0% have the Cerf token shoot me a DM cuz uh I<00:47:26.319> think<00:47:26.440> I<00:47:26.520> can<00:47:26.720> probably<00:47:26.920> figure<00:47:27.160> something 00:47:27.349 --> 00:47:27.359 align:start position:0% I think I can probably figure something 00:47:27.359 --> 00:47:31.150 align:start position:0% I think I can probably figure something out<00:47:27.520> with<00:47:27.839> that<00:47:28.839> uh<00:47:29.319> definitely<00:47:29.880> definitely 00:47:31.150 --> 00:47:31.160 align:start position:0% out with that uh definitely definitely 00:47:31.160 --> 00:47:33.510 align:start position:0% out with that uh definitely definitely probable<00:47:32.160> so<00:47:32.359> this<00:47:32.440> is<00:47:32.760> uh<00:47:32.960> one<00:47:33.079> of<00:47:33.200> the<00:47:33.319> things 00:47:33.510 --> 00:47:33.520 align:start position:0% probable so this is uh one of the things 00:47:33.520 --> 00:47:35.109 align:start position:0% probable so this is uh one of the things that<00:47:33.680> I<00:47:33.800> sort<00:47:33.960> of<00:47:34.040> have<00:47:34.200> noted<00:47:34.520> down<00:47:34.680> on<00:47:34.800> a<00:47:34.920> real 00:47:35.109 --> 00:47:35.119 align:start position:0% that I sort of have noted down on a real 00:47:35.119 --> 00:47:37.030 align:start position:0% that I sort of have noted down on a real life<00:47:35.280> Target<00:47:35.880> um<00:47:36.200> now<00:47:36.559> we're<00:47:36.680> going<00:47:36.800> to<00:47:36.920> go 00:47:37.030 --> 00:47:37.040 align:start position:0% life Target um now we're going to go 00:47:37.040 --> 00:47:39.750 align:start position:0% life Target um now we're going to go ahead<00:47:37.200> and<00:47:37.400> transition<00:47:38.359> to<00:47:38.760> the<00:47:38.960> final<00:47:39.319> thing 00:47:39.750 --> 00:47:39.760 align:start position:0% ahead and transition to the final thing 00:47:39.760 --> 00:47:41.950 align:start position:0% ahead and transition to the final thing which<00:47:40.000> is<00:47:40.440> a<00:47:40.680> bounty<00:47:41.119> that<00:47:41.240> I<00:47:41.359> got<00:47:41.480> at<00:47:41.599> a<00:47:41.760> life 00:47:41.950 --> 00:47:41.960 align:start position:0% which is a bounty that I got at a life 00:47:41.960 --> 00:47:46.230 align:start position:0% which is a bounty that I got at a life hacking<00:47:42.359> event<00:47:43.359> that<00:47:44.319> uh<00:47:45.319> uh<00:47:45.880> I'll<00:47:46.040> be 00:47:46.230 --> 00:47:46.240 align:start position:0% hacking event that uh uh I'll be 00:47:46.240 --> 00:47:47.829 align:start position:0% hacking event that uh uh I'll be explaining<00:47:46.640> to<00:47:46.760> you<00:47:46.880> guys<00:47:47.040> that<00:47:47.319> redacted 00:47:47.829 --> 00:47:47.839 align:start position:0% explaining to you guys that redacted 00:47:47.839 --> 00:47:49.870 align:start position:0% explaining to you guys that redacted report<00:47:48.359> I<00:47:48.599> I<00:47:48.720> can't<00:47:48.880> share<00:47:49.119> the<00:47:49.240> whole<00:47:49.440> report 00:47:49.870 --> 00:47:49.880 align:start position:0% report I I can't share the whole report 00:47:49.880 --> 00:47:50.750 align:start position:0% report I I can't share the whole report but 00:47:50.750 --> 00:47:50.760 align:start position:0% but 00:47:50.760 --> 00:47:54.710 align:start position:0% but um<00:47:51.760> uh<00:47:52.440> explaining<00:47:52.880> that<00:47:53.680> and<00:47:54.000> uh<00:47:54.160> that'll 00:47:54.710 --> 00:47:54.720 align:start position:0% um uh explaining that and uh that'll 00:47:54.720 --> 00:47:56.829 align:start position:0% um uh explaining that and uh that'll will<00:47:54.880> close<00:47:55.359> we<00:47:55.480> close<00:47:55.960> the<00:47:56.200> master<00:47:56.440> class<00:47:56.640> off 00:47:56.829 --> 00:47:56.839 align:start position:0% will close we close the master class off 00:47:56.839 --> 00:47:58.670 align:start position:0% will close we close the master class off with<00:47:57.000> that<00:47:57.880> answering<00:47:58.240> a<00:47:58.319> couple<00:47:58.520> more 00:47:58.670 --> 00:47:58.680 align:start position:0% with that answering a couple more 00:47:58.680 --> 00:47:59.870 align:start position:0% with that answering a couple more questions<00:47:59.000> here<00:47:59.240> how<00:47:59.359> do<00:47:59.440> you<00:47:59.599> look<00:47:59.760> for 00:47:59.870 --> 00:47:59.880 align:start position:0% questions here how do you look for 00:47:59.880 --> 00:48:01.630 align:start position:0% questions here how do you look for something<00:48:00.200> like<00:48:00.400> this<00:48:00.800> okay<00:48:01.000> well<00:48:01.240> yeah<00:48:01.440> so 00:48:01.630 --> 00:48:01.640 align:start position:0% something like this okay well yeah so 00:48:01.640 --> 00:48:03.549 align:start position:0% something like this okay well yeah so essentially<00:48:02.040> you<00:48:02.200> look<00:48:02.440> for<00:48:02.880> values<00:48:03.240> that<00:48:03.359> are 00:48:03.549 --> 00:48:03.559 align:start position:0% essentially you look for values that are 00:48:03.559 --> 00:48:08.309 align:start position:0% essentially you look for values that are in<00:48:04.000> the<00:48:04.800> URL<00:48:05.800> uh<00:48:06.119> URL<00:48:06.599> bar<00:48:07.040> in<00:48:07.200> general<00:48:08.079> uh<00:48:08.200> that 00:48:08.309 --> 00:48:08.319 align:start position:0% in the URL uh URL bar in general uh that 00:48:08.319 --> 00:48:10.990 align:start position:0% in the URL uh URL bar in general uh that you<00:48:08.440> can<00:48:08.640> control<00:48:09.480> and<00:48:09.640> then<00:48:10.040> correlate<00:48:10.599> to 00:48:10.990 --> 00:48:11.000 align:start position:0% you can control and then correlate to 00:48:11.000 --> 00:48:14.309 align:start position:0% you can control and then correlate to something<00:48:11.680> in<00:48:12.079> a<00:48:12.800> in<00:48:13.240> the<00:48:13.400> JavaScript<00:48:14.160> and 00:48:14.309 --> 00:48:14.319 align:start position:0% something in a in the JavaScript and 00:48:14.319 --> 00:48:15.870 align:start position:0% something in a in the JavaScript and actually<00:48:14.640> I<00:48:14.760> think<00:48:14.880> you<00:48:15.000> can<00:48:15.160> even<00:48:15.400> configure 00:48:15.870 --> 00:48:15.880 align:start position:0% actually I think you can even configure 00:48:15.880 --> 00:48:18.510 align:start position:0% actually I think you can even configure stuff<00:48:16.160> like<00:48:16.319> Dom<00:48:16.599> Invader<00:48:17.240> and<00:48:17.960> um<00:48:18.240> some<00:48:18.400> of 00:48:18.510 --> 00:48:18.520 align:start position:0% stuff like Dom Invader and um some of 00:48:18.520 --> 00:48:20.349 align:start position:0% stuff like Dom Invader and um some of the<00:48:18.760> burp<00:48:19.119> Dom<00:48:19.440> stuff<00:48:19.720> that<00:48:19.839> they've<00:48:20.040> got<00:48:20.160> in 00:48:20.349 --> 00:48:20.359 align:start position:0% the burp Dom stuff that they've got in 00:48:20.359 --> 00:48:22.829 align:start position:0% the burp Dom stuff that they've got in place<00:48:20.839> to<00:48:21.040> tell<00:48:21.280> you<00:48:21.559> when<00:48:21.839> a<00:48:22.040> value<00:48:22.440> from<00:48:22.680> the 00:48:22.829 --> 00:48:22.839 align:start position:0% place to tell you when a value from the 00:48:22.839 --> 00:48:25.870 align:start position:0% place to tell you when a value from the URL<00:48:23.319> is<00:48:23.640> passing<00:48:23.960> into<00:48:24.200> a<00:48:24.319> fetch<00:48:24.680> sync<00:48:25.680> cuz 00:48:25.870 --> 00:48:25.880 align:start position:0% URL is passing into a fetch sync cuz 00:48:25.880 --> 00:48:28.950 align:start position:0% URL is passing into a fetch sync cuz they<00:48:26.079> they'll<00:48:26.359> like<00:48:27.160> uh<00:48:27.920> tag<00:48:28.240> the<00:48:28.400> string<00:48:28.800> or 00:48:28.950 --> 00:48:28.960 align:start position:0% they they'll like uh tag the string or 00:48:28.960 --> 00:48:30.670 align:start position:0% they they'll like uh tag the string or something<00:48:29.319> like<00:48:29.520> that<00:48:30.119> and<00:48:30.240> then<00:48:30.400> if<00:48:30.480> it's 00:48:30.670 --> 00:48:30.680 align:start position:0% something like that and then if it's 00:48:30.680 --> 00:48:34.430 align:start position:0% something like that and then if it's concatenated<00:48:31.280> to<00:48:31.440> a<00:48:31.599> string<00:48:32.240> that<00:48:33.240> uh<00:48:33.760> puts<00:48:34.000> it 00:48:34.430 --> 00:48:34.440 align:start position:0% concatenated to a string that uh puts it 00:48:34.440 --> 00:48:36.829 align:start position:0% concatenated to a string that uh puts it into<00:48:35.440> some<00:48:35.599> sort<00:48:35.760> of<00:48:35.880> sync<00:48:36.240> then<00:48:36.359> it'll<00:48:36.640> it'll 00:48:36.829 --> 00:48:36.839 align:start position:0% into some sort of sync then it'll it'll 00:48:36.839 --> 00:48:38.910 align:start position:0% into some sort of sync then it'll it'll trigger<00:48:37.119> for<00:48:37.319> you<00:48:37.839> but<00:48:38.079> for<00:48:38.280> me<00:48:38.559> I<00:48:38.680> just<00:48:38.800> kind 00:48:38.910 --> 00:48:38.920 align:start position:0% trigger for you but for me I just kind 00:48:38.920 --> 00:48:41.309 align:start position:0% trigger for you but for me I just kind of<00:48:39.079> look<00:48:39.359> at<00:48:39.559> what<00:48:39.720> each<00:48:40.000> page<00:48:40.319> does<00:48:41.000> and<00:48:41.160> take 00:48:41.309 --> 00:48:41.319 align:start position:0% of look at what each page does and take 00:48:41.319 --> 00:48:43.510 align:start position:0% of look at what each page does and take the<00:48:41.440> values<00:48:41.839> out<00:48:41.960> of<00:48:42.079> the<00:48:42.200> URL<00:48:42.880> and<00:48:43.319> kind<00:48:43.400> of 00:48:43.510 --> 00:48:43.520 align:start position:0% the values out of the URL and kind of 00:48:43.520 --> 00:48:45.150 align:start position:0% the values out of the URL and kind of fuzz<00:48:43.760> them<00:48:43.920> a<00:48:44.000> little<00:48:44.200> bit<00:48:44.359> and<00:48:44.480> see<00:48:44.760> if<00:48:45.000> what 00:48:45.150 --> 00:48:45.160 align:start position:0% fuzz them a little bit and see if what 00:48:45.160 --> 00:48:46.270 align:start position:0% fuzz them a little bit and see if what kind<00:48:45.280> of<00:48:45.359> requests<00:48:45.680> are<00:48:45.800> happening<00:48:46.040> on<00:48:46.119> the 00:48:46.270 --> 00:48:46.280 align:start position:0% kind of requests are happening on the 00:48:46.280 --> 00:48:49.870 align:start position:0% kind of requests are happening on the back<00:48:46.400> end<00:48:47.119> and<00:48:47.280> it's<00:48:47.440> normally<00:48:47.839> pretty 00:48:49.870 --> 00:48:49.880 align:start position:0% back end and it's normally pretty 00:48:49.880 --> 00:48:52.750 align:start position:0% back end and it's normally pretty apparent<00:48:50.880> um<00:48:51.760> analyze<00:48:52.160> calmly<00:48:52.520> before 00:48:52.750 --> 00:48:52.760 align:start position:0% apparent um analyze calmly before 00:48:52.760 --> 00:48:54.390 align:start position:0% apparent um analyze calmly before reporting<00:48:53.280> the<00:48:53.400> open 00:48:54.390 --> 00:48:54.400 align:start position:0% reporting the open 00:48:54.400 --> 00:48:56.349 align:start position:0% reporting the open redirect<00:48:55.400> yeah 00:48:56.349 --> 00:48:56.359 align:start position:0% redirect yeah 00:48:56.359 --> 00:48:59.109 align:start position:0% redirect yeah seriously<00:48:57.359> open<00:48:57.599> redirects<00:48:58.119> can<00:48:58.520> be<00:48:58.680> used<00:48:58.960> in 00:48:59.109 --> 00:48:59.119 align:start position:0% seriously open redirects can be used in 00:48:59.119 --> 00:49:02.190 align:start position:0% seriously open redirects can be used in so<00:48:59.240> many<00:48:59.480> different<00:48:59.720> exploit<00:49:00.119> chains<00:49:01.200> uh 00:49:02.190 --> 00:49:02.200 align:start position:0% so many different exploit chains uh 00:49:02.200 --> 00:49:03.670 align:start position:0% so many different exploit chains uh please<00:49:02.400> don't<00:49:02.640> just<00:49:02.799> report<00:49:03.079> them<00:49:03.240> as<00:49:03.400> is 00:49:03.670 --> 00:49:03.680 align:start position:0% please don't just report them as is 00:49:03.680 --> 00:49:07.390 align:start position:0% please don't just report them as is without<00:49:03.880> doing<00:49:04.119> due 00:49:07.390 --> 00:49:07.400 align:start position:0% 00:49:07.400 --> 00:49:09.470 align:start position:0% diligence<00:49:08.400> all<00:49:08.520> righty<00:49:08.839> let's<00:49:09.040> go<00:49:09.160> ahead<00:49:09.319> and 00:49:09.470 --> 00:49:09.480 align:start position:0% diligence all righty let's go ahead and 00:49:09.480 --> 00:49:12.510 align:start position:0% diligence all righty let's go ahead and take<00:49:09.599> a<00:49:09.760> look<00:49:10.400> at<00:49:11.400> um<00:49:11.839> the<00:49:12.000> report<00:49:12.319> so<00:49:12.480> I'm 00:49:12.510 --> 00:49:12.520 align:start position:0% take a look at um the report so I'm 00:49:12.520 --> 00:49:16.309 align:start position:0% take a look at um the report so I'm going<00:49:12.640> to<00:49:12.720> go<00:49:12.839> ahead<00:49:13.000> and<00:49:13.200> stop<00:49:13.400> sharing<00:49:13.799> my 00:49:16.309 --> 00:49:16.319 align:start position:0% 00:49:16.319 --> 00:49:20.589 align:start position:0% screen 00:49:20.589 --> 00:49:20.599 align:start position:0% 00:49:20.599 --> 00:49:23.870 align:start position:0% there<00:49:21.599> I'm<00:49:21.680> just<00:49:21.799> going<00:49:21.920> to<00:49:22.119> glance<00:49:22.480> over<00:49:22.880> this 00:49:23.870 --> 00:49:23.880 align:start position:0% there I'm just going to glance over this 00:49:23.880 --> 00:49:25.230 align:start position:0% there I'm just going to glance over this report<00:49:24.200> one<00:49:24.319> more<00:49:24.559> time<00:49:24.720> and<00:49:24.839> make<00:49:25.000> sure<00:49:25.119> I 00:49:25.230 --> 00:49:25.240 align:start position:0% report one more time and make sure I 00:49:25.240 --> 00:49:27.870 align:start position:0% report one more time and make sure I didn't<00:49:25.599> leak<00:49:25.960> anything<00:49:26.400> that 00:49:27.870 --> 00:49:27.880 align:start position:0% didn't leak anything that 00:49:27.880 --> 00:49:30.950 align:start position:0% didn't leak anything that is<00:49:28.880> sensitive<00:49:29.720> I<00:49:29.799> don't<00:49:30.240> think<00:49:30.480> I<00:49:30.640> leaked 00:49:30.950 --> 00:49:30.960 align:start position:0% is sensitive I don't think I leaked 00:49:30.960 --> 00:49:33.510 align:start position:0% is sensitive I don't think I leaked anything<00:49:31.319> sensitive 00:49:33.510 --> 00:49:33.520 align:start position:0% anything sensitive 00:49:33.520 --> 00:49:35.870 align:start position:0% anything sensitive here<00:49:34.520> yeah<00:49:34.760> shouldn't<00:49:35.200> shouldn't<00:49:35.599> shouldn't 00:49:35.870 --> 00:49:35.880 align:start position:0% here yeah shouldn't shouldn't shouldn't 00:49:35.880 --> 00:49:38.109 align:start position:0% here yeah shouldn't shouldn't shouldn't be<00:49:36.040> anything<00:49:36.280> sensitive<00:49:36.760> all<00:49:36.920> right<00:49:37.400> gu<00:49:37.559> we'll 00:49:38.109 --> 00:49:38.119 align:start position:0% be anything sensitive all right gu we'll 00:49:38.119 --> 00:49:40.349 align:start position:0% be anything sensitive all right gu we'll see 00:49:40.349 --> 00:49:40.359 align:start position:0% see 00:49:40.359 --> 00:49:43.069 align:start position:0% see um<00:49:41.359> tedex<00:49:41.920> says<00:49:42.280> you<00:49:42.400> mentioned<00:49:42.799> that<00:49:42.960> the 00:49:43.069 --> 00:49:43.079 align:start position:0% um tedex says you mentioned that the 00:49:43.079 --> 00:49:44.750 align:start position:0% um tedex says you mentioned that the proxy<00:49:43.440> is<00:49:43.559> translating<00:49:44.040> the<00:49:44.119> URL<00:49:44.480> to 00:49:44.750 --> 00:49:44.760 align:start position:0% proxy is translating the URL to 00:49:44.760 --> 00:49:46.710 align:start position:0% proxy is translating the URL to fortnite.com<00:49:45.760> would<00:49:45.920> you<00:49:46.000> be<00:49:46.119> able<00:49:46.319> to<00:49:46.480> hit 00:49:46.710 --> 00:49:46.720 align:start position:0% fortnite.com would you be able to hit 00:49:46.720 --> 00:49:49.069 align:start position:0% fortnite.com would you be able to hit other<00:49:46.960> targets<00:49:47.480> behind<00:49:47.960> the<00:49:48.160> proxy<00:49:48.920> and 00:49:49.069 --> 00:49:49.079 align:start position:0% other targets behind the proxy and 00:49:49.079 --> 00:49:51.789 align:start position:0% other targets behind the proxy and retrieve<00:49:49.680> sensitive<00:49:50.160> data<00:49:51.079> uh<00:49:51.240> no<00:49:51.520> that<00:49:51.640> would 00:49:51.789 --> 00:49:51.799 align:start position:0% retrieve sensitive data uh no that would 00:49:51.799 --> 00:49:53.870 align:start position:0% retrieve sensitive data uh no that would be<00:49:52.079> a<00:49:52.240> server<00:49:52.680> side<00:49:52.880> level<00:49:53.240> thing<00:49:53.599> right 00:49:53.870 --> 00:49:53.880 align:start position:0% be a server side level thing right 00:49:53.880 --> 00:49:55.589 align:start position:0% be a server side level thing right because<00:49:54.480> if<00:49:54.599> you<00:49:54.760> could<00:49:54.920> do<00:49:55.119> that<00:49:55.280> then<00:49:55.559> you 00:49:55.589 --> 00:49:55.599 align:start position:0% because if you could do that then you 00:49:55.599 --> 00:49:57.150 align:start position:0% because if you could do that then you could<00:49:55.720> just<00:49:55.839> send<00:49:56.000> the<00:49:56.119> HTP<00:49:56.599> request<00:49:56.960> from 00:49:57.150 --> 00:49:57.160 align:start position:0% could just send the HTP request from 00:49:57.160 --> 00:49:59.150 align:start position:0% could just send the HTP request from your<00:49:57.680> you<00:49:57.799> know<00:49:57.920> from<00:49:58.119> curl<00:49:58.640> from<00:49:58.799> the<00:49:58.880> command 00:49:59.150 --> 00:49:59.160 align:start position:0% your you know from curl from the command 00:49:59.160 --> 00:50:01.270 align:start position:0% your you know from curl from the command line<00:49:59.359> or<00:49:59.480> something<00:50:00.200> um<00:50:00.480> you<00:50:00.640> do<00:50:00.799> see<00:50:01.040> that<00:50:01.160> a 00:50:01.270 --> 00:50:01.280 align:start position:0% line or something um you do see that a 00:50:01.280 --> 00:50:03.789 align:start position:0% line or something um you do see that a lot<00:50:01.440> with<00:50:01.640> proxies<00:50:02.200> you<00:50:02.319> know<00:50:02.760> um<00:50:03.280> not<00:50:03.520> as<00:50:03.640> much 00:50:03.789 --> 00:50:03.799 align:start position:0% lot with proxies you know um not as much 00:50:03.799 --> 00:50:05.390 align:start position:0% lot with proxies you know um not as much anymore<00:50:04.119> as<00:50:04.240> you<00:50:04.359> used<00:50:04.559> to<00:50:04.760> a<00:50:04.880> couple<00:50:05.119> years 00:50:05.390 --> 00:50:05.400 align:start position:0% anymore as you used to a couple years 00:50:05.400 --> 00:50:07.589 align:start position:0% anymore as you used to a couple years back<00:50:05.680> but<00:50:06.400> um<00:50:06.960> that's<00:50:07.160> definitely<00:50:07.400> something 00:50:07.589 --> 00:50:07.599 align:start position:0% back but um that's definitely something 00:50:07.599 --> 00:50:09.030 align:start position:0% back but um that's definitely something you<00:50:07.680> want<00:50:07.760> to<00:50:07.880> sus<00:50:08.200> in<00:50:08.280> this<00:50:08.400> scenario<00:50:08.880> it's 00:50:09.030 --> 00:50:09.040 align:start position:0% you want to sus in this scenario it's 00:50:09.040 --> 00:50:11.470 align:start position:0% you want to sus in this scenario it's just<00:50:09.160> helping<00:50:09.440> us<00:50:09.720> by<00:50:10.400> doing<00:50:10.680> one<00:50:10.839> layer<00:50:11.079> of<00:50:11.240> De 00:50:11.470 --> 00:50:11.480 align:start position:0% just helping us by doing one layer of De 00:50:11.480 --> 00:50:14.030 align:start position:0% just helping us by doing one layer of De of<00:50:11.599> URL<00:50:11.920> decoding<00:50:12.440> before<00:50:12.640> it<00:50:12.799> passes<00:50:13.119> it<00:50:13.440> to 00:50:14.030 --> 00:50:14.040 align:start position:0% of URL decoding before it passes it to 00:50:14.040 --> 00:50:15.910 align:start position:0% of URL decoding before it passes it to or<00:50:14.200> or<00:50:14.400> normalizing<00:50:15.000> it<00:50:15.559> um<00:50:15.680> before<00:50:15.839> it 00:50:15.910 --> 00:50:15.920 align:start position:0% or or normalizing it um before it 00:50:15.920 --> 00:50:17.470 align:start position:0% or or normalizing it um before it reaches<00:50:16.200> the<00:50:16.359> back<00:50:16.480> end<00:50:16.880> and<00:50:17.000> so<00:50:17.200> that's<00:50:17.359> why 00:50:17.470 --> 00:50:17.480 align:start position:0% reaches the back end and so that's why 00:50:17.480 --> 00:50:19.870 align:start position:0% reaches the back end and so that's why we're<00:50:17.599> able<00:50:17.760> to<00:50:17.960> hit<00:50:18.280> arbitrary<00:50:18.799> paths<00:50:19.160> here 00:50:19.870 --> 00:50:19.880 align:start position:0% we're able to hit arbitrary paths here 00:50:19.880 --> 00:50:21.190 align:start position:0% we're able to hit arbitrary paths here um<00:50:20.079> because<00:50:20.280> it's<00:50:20.440> actually<00:50:20.680> normalizing 00:50:21.190 --> 00:50:21.200 align:start position:0% um because it's actually normalizing 00:50:21.200 --> 00:50:22.390 align:start position:0% um because it's actually normalizing that 00:50:22.390 --> 00:50:22.400 align:start position:0% that 00:50:22.400 --> 00:50:24.750 align:start position:0% that URL<00:50:23.400> all<00:50:23.520> right<00:50:23.680> let<00:50:23.760> me<00:50:23.880> go<00:50:24.000> ahead<00:50:24.160> and<00:50:24.319> share 00:50:24.750 --> 00:50:24.760 align:start position:0% URL all right let me go ahead and share 00:50:24.760 --> 00:50:33.030 align:start position:0% URL all right let me go ahead and share this 00:50:33.030 --> 00:50:33.040 align:start position:0% 00:50:33.040 --> 00:50:34.510 align:start position:0% sure 00:50:34.510 --> 00:50:34.520 align:start position:0% sure 00:50:34.520 --> 00:50:38.670 align:start position:0% sure okay<00:50:35.520> Al<00:50:35.640> righty<00:50:36.079> guys<00:50:36.760> this<00:50:36.960> is<00:50:37.720> my 00:50:38.670 --> 00:50:38.680 align:start position:0% okay Al righty guys this is my 00:50:38.680 --> 00:50:41.470 align:start position:0% okay Al righty guys this is my masterpiece<00:50:39.680> I<00:50:39.839> just<00:50:40.119> I<00:50:40.240> love<00:50:40.480> this<00:50:40.680> bug<00:50:41.079> so 00:50:41.470 --> 00:50:41.480 align:start position:0% masterpiece I just I love this bug so 00:50:41.480 --> 00:50:43.589 align:start position:0% masterpiece I just I love this bug so freaking<00:50:42.000> much 00:50:43.589 --> 00:50:43.599 align:start position:0% freaking much 00:50:43.599 --> 00:50:47.549 align:start position:0% freaking much um<00:50:44.599> yeah<00:50:44.960> it's<00:50:45.480> great<00:50:46.480> uh<00:50:47.160> would<00:50:47.319> it<00:50:47.440> be 00:50:47.549 --> 00:50:47.559 align:start position:0% um yeah it's great uh would it be 00:50:47.559 --> 00:50:49.390 align:start position:0% um yeah it's great uh would it be considered<00:50:47.839> a<00:50:47.960> w<00:50:48.200> bypass<00:50:48.559> 10<00:50:49.000> yeah<00:50:49.119> I<00:50:49.200> mean<00:50:49.319> if 00:50:49.390 --> 00:50:49.400 align:start position:0% considered a w bypass 10 yeah I mean if 00:50:49.400 --> 00:50:50.910 align:start position:0% considered a w bypass 10 yeah I mean if you<00:50:49.559> can<00:50:49.880> if<00:50:49.960> you<00:50:50.079> can 00:50:50.910 --> 00:50:50.920 align:start position:0% you can if you can 00:50:50.920 --> 00:50:53.630 align:start position:0% you can if you can hit<00:50:51.920> I<00:50:52.000> mean<00:50:52.240> nothing<00:50:52.520> about<00:50:53.119> client<00:50:53.520> side 00:50:53.630 --> 00:50:53.640 align:start position:0% hit I mean nothing about client side 00:50:53.640 --> 00:50:55.309 align:start position:0% hit I mean nothing about client side pass<00:50:53.799> R<00:50:53.920> vers<00:50:54.119> will<00:50:54.240> result<00:50:54.480> in<00:50:54.559> a<00:50:54.680> w<00:50:54.920> bypass 00:50:55.309 --> 00:50:55.319 align:start position:0% pass R vers will result in a w bypass 00:50:55.319 --> 00:50:58.950 align:start position:0% pass R vers will result in a w bypass but<00:50:55.440> but<00:50:55.559> if<00:50:55.680> you<00:50:55.839> can<00:50:56.319> hit<00:50:57.280> backend<00:50:57.960> servers 00:50:58.950 --> 00:50:58.960 align:start position:0% but but if you can hit backend servers 00:50:58.960 --> 00:51:00.870 align:start position:0% but but if you can hit backend servers using<00:50:59.240> a<00:50:59.400> reverse 00:51:00.870 --> 00:51:00.880 align:start position:0% using a reverse 00:51:00.880 --> 00:51:03.470 align:start position:0% using a reverse proxy<00:51:01.880> that's<00:51:02.040> a<00:51:02.359> problem<00:51:02.640> of<00:51:02.760> its<00:51:02.880> own<00:51:03.160> not<00:51:03.280> a 00:51:03.470 --> 00:51:03.480 align:start position:0% proxy that's a problem of its own not a 00:51:03.480 --> 00:51:08.549 align:start position:0% proxy that's a problem of its own not a w<00:51:04.200> bypass 00:51:08.549 --> 00:51:08.559 align:start position:0% 00:51:08.559 --> 00:51:12.670 align:start position:0% um<00:51:09.559> okay<00:51:10.400> so<00:51:11.400> here<00:51:11.839> so<00:51:12.000> we're<00:51:12.119> going<00:51:12.200> to<00:51:12.520> we're 00:51:12.670 --> 00:51:12.680 align:start position:0% um okay so here so we're going to we're 00:51:12.680 --> 00:51:14.870 align:start position:0% um okay so here so we're going to we're going<00:51:12.760> to<00:51:12.880> start<00:51:13.079> with<00:51:13.240> the<00:51:13.400> actual<00:51:14.079> report<00:51:14.520> or 00:51:14.870 --> 00:51:14.880 align:start position:0% going to start with the actual report or 00:51:14.880 --> 00:51:16.990 align:start position:0% going to start with the actual report or uh<00:51:15.079> the<00:51:15.240> actual<00:51:15.559> URL<00:51:16.200> um<00:51:16.319> let<00:51:16.400> me<00:51:16.520> see<00:51:16.680> can<00:51:16.799> I 00:51:16.990 --> 00:51:17.000 align:start position:0% uh the actual URL um let me see can I 00:51:17.000 --> 00:51:19.470 align:start position:0% uh the actual URL um let me see can I zoom<00:51:17.280> in<00:51:17.440> on<00:51:17.680> this<00:51:18.680> you<00:51:18.839> know<00:51:19.000> it's<00:51:19.160> not<00:51:19.400> going 00:51:19.470 --> 00:51:19.480 align:start position:0% zoom in on this you know it's not going 00:51:19.480 --> 00:51:22.950 align:start position:0% zoom in on this you know it's not going to<00:51:19.599> let<00:51:19.720> me<00:51:19.880> zoom<00:51:20.160> in<00:51:20.559> on<00:51:20.799> this<00:51:21.040> because<00:51:21.280> it's<00:51:21.400> a 00:51:22.950 --> 00:51:22.960 align:start position:0% to let me zoom in on this because it's a 00:51:22.960 --> 00:51:25.190 align:start position:0% to let me zoom in on this because it's a preview<00:51:23.960> huh<00:51:24.480> Can<00:51:24.599> you<00:51:24.720> guys<00:51:24.839> see<00:51:25.000> it<00:51:25.079> all 00:51:25.190 --> 00:51:25.200 align:start position:0% preview huh Can you guys see it all 00:51:25.200 --> 00:51:32.910 align:start position:0% preview huh Can you guys see it all right<00:51:25.480> or<00:51:25.599> is<00:51:25.720> it<00:51:26.000> kind<00:51:26.119> of 00:51:32.910 --> 00:51:32.920 align:start position:0% 00:51:32.920 --> 00:51:35.390 align:start position:0% small<00:51:33.920> it's<00:51:34.200> okay<00:51:34.440> and<00:51:34.680> kind<00:51:34.799> of<00:51:34.920> small<00:51:35.240> are 00:51:35.390 --> 00:51:35.400 align:start position:0% small it's okay and kind of small are 00:51:35.400 --> 00:51:41.630 align:start position:0% small it's okay and kind of small are the<00:51:35.559> answers<00:51:36.000> that<00:51:36.400> I've<00:51:36.559> gotten<00:51:36.799> back<00:51:37.000> so<00:51:37.319> far 00:51:41.630 --> 00:51:41.640 align:start position:0% 00:51:41.640 --> 00:51:43.710 align:start position:0% um<00:51:42.640> yeah<00:51:42.799> you<00:51:42.920> know<00:51:43.160> I<00:51:43.240> guess<00:51:43.400> we<00:51:43.520> could 00:51:43.710 --> 00:51:43.720 align:start position:0% um yeah you know I guess we could 00:51:43.720 --> 00:51:47.230 align:start position:0% um yeah you know I guess we could actually<00:51:44.040> just<00:51:44.280> go<00:51:44.599> and 00:51:47.230 --> 00:51:47.240 align:start position:0% 00:51:47.240 --> 00:51:50.270 align:start position:0% do<00:51:48.240> you<00:51:48.400> guys<00:51:48.559> didn't<00:51:48.760> see 00:51:50.270 --> 00:51:50.280 align:start position:0% do you guys didn't see 00:51:50.280 --> 00:51:54.349 align:start position:0% do you guys didn't see that<00:51:51.280> there's<00:51:51.599> nothing 00:51:54.349 --> 00:51:54.359 align:start position:0% 00:51:54.359 --> 00:51:57.270 align:start position:0% there<00:51:55.720> it<00:51:55.839> did<00:51:56.119> my<00:51:56.599> it<00:51:56.680> showed<00:51:57.000> my<00:51:57.119> little 00:51:57.270 --> 00:51:57.280 align:start position:0% there it did my it showed my little 00:51:57.280 --> 00:52:00.030 align:start position:0% there it did my it showed my little matching<00:51:57.680> replace<00:51:58.119> from<00:51:58.440> before<00:51:58.839> I<00:51:59.200> uh<00:51:59.880> I 00:52:00.030 --> 00:52:00.040 align:start position:0% matching replace from before I uh I 00:52:00.040 --> 00:52:03.549 align:start position:0% matching replace from before I uh I redacted<00:52:00.559> it<00:52:01.359> um<00:52:02.040> anyway<00:52:02.880> before<00:52:03.119> you<00:52:03.319> get<00:52:03.480> the 00:52:03.549 --> 00:52:03.559 align:start position:0% redacted it um anyway before you get the 00:52:03.559 --> 00:52:05.390 align:start position:0% redacted it um anyway before you get the recording<00:52:04.040> I'm<00:52:04.160> G<00:52:04.280> to<00:52:04.599> do<00:52:04.799> something<00:52:05.119> with 00:52:05.390 --> 00:52:05.400 align:start position:0% recording I'm G to do something with 00:52:05.400 --> 00:52:06.950 align:start position:0% recording I'm G to do something with that 00:52:06.950 --> 00:52:06.960 align:start position:0% that 00:52:06.960 --> 00:52:10.549 align:start position:0% that uh<00:52:07.960> uh<00:52:08.319> anyway<00:52:09.319> uh<00:52:09.520> here<00:52:09.640> is 00:52:10.549 --> 00:52:10.559 align:start position:0% uh uh anyway uh here is 00:52:10.559 --> 00:52:13.470 align:start position:0% uh uh anyway uh here is the<00:52:11.559> I<00:52:11.640> can<00:52:12.079> probably<00:52:12.319> Zoom<00:52:12.520> it<00:52:12.640> in<00:52:12.880> now<00:52:13.280> and 00:52:13.470 --> 00:52:13.480 align:start position:0% the I can probably Zoom it in now and 00:52:13.480 --> 00:52:15.870 align:start position:0% the I can probably Zoom it in now and then<00:52:13.920> do 00:52:15.870 --> 00:52:15.880 align:start position:0% then do 00:52:15.880 --> 00:52:18.950 align:start position:0% then do this<00:52:16.880> like<00:52:17.119> this 00:52:18.950 --> 00:52:18.960 align:start position:0% this like this 00:52:18.960 --> 00:52:24.270 align:start position:0% this like this yeah 00:52:24.270 --> 00:52:24.280 align:start position:0% 00:52:24.280 --> 00:52:27.109 align:start position:0% see 00:52:27.109 --> 00:52:27.119 align:start position:0% see 00:52:27.119 --> 00:52:28.430 align:start position:0% see they<00:52:27.359> not<00:52:27.559> letting 00:52:28.430 --> 00:52:28.440 align:start position:0% they not letting 00:52:28.440 --> 00:52:32.670 align:start position:0% they not letting me<00:52:29.440> zoom<00:52:29.760> in<00:52:30.359> now<00:52:31.359> why<00:52:32.160> what<00:52:32.280> is<00:52:32.440> wrong<00:52:32.559> with 00:52:32.670 --> 00:52:32.680 align:start position:0% me zoom in now why what is wrong with 00:52:32.680 --> 00:52:36.270 align:start position:0% me zoom in now why what is wrong with you<00:52:32.880> vs 00:52:36.270 --> 00:52:36.280 align:start position:0% 00:52:36.280 --> 00:52:39.390 align:start position:0% code<00:52:37.280> there<00:52:37.400> we<00:52:37.599> go<00:52:38.520> yeah<00:52:38.960> I<00:52:39.040> should<00:52:39.160> be<00:52:39.280> able 00:52:39.390 --> 00:52:39.400 align:start position:0% code there we go yeah I should be able 00:52:39.400 --> 00:52:41.430 align:start position:0% code there we go yeah I should be able to<00:52:39.480> do<00:52:39.599> that<00:52:39.680> on<00:52:39.799> the<00:52:40.160> yeah<00:52:40.359> okay<00:52:40.520> here<00:52:40.640> we<00:52:40.839> go 00:52:41.430 --> 00:52:41.440 align:start position:0% to do that on the yeah okay here we go 00:52:41.440 --> 00:52:44.069 align:start position:0% to do that on the yeah okay here we go we're<00:52:41.640> fine<00:52:41.960> we're<00:52:42.160> good<00:52:42.400> here<00:52:43.280> I'm<00:52:43.440> just<00:52:43.960> I'm 00:52:44.069 --> 00:52:44.079 align:start position:0% we're fine we're good here I'm just I'm 00:52:44.079 --> 00:52:46.430 align:start position:0% we're fine we're good here I'm just I'm just<00:52:44.599> normally<00:52:45.040> expecting<00:52:45.400> vs<00:52:45.720> code<00:52:45.920> to<00:52:46.079> do 00:52:46.430 --> 00:52:46.440 align:start position:0% just normally expecting vs code to do 00:52:46.440 --> 00:52:48.750 align:start position:0% just normally expecting vs code to do like<00:52:46.559> a<00:52:47.079> control<00:52:47.720> and<00:52:47.839> then<00:52:47.960> scroll<00:52:48.319> bar<00:52:48.480> Zoom 00:52:48.750 --> 00:52:48.760 align:start position:0% like a control and then scroll bar Zoom 00:52:48.760 --> 00:52:50.030 align:start position:0% like a control and then scroll bar Zoom but<00:52:48.880> it's<00:52:49.000> not<00:52:49.119> doing<00:52:49.400> that<00:52:49.520> it's<00:52:49.599> just<00:52:49.720> doing 00:52:50.030 --> 00:52:50.040 align:start position:0% but it's not doing that it's just doing 00:52:50.040 --> 00:52:53.270 align:start position:0% but it's not doing that it's just doing the<00:52:50.760> the<00:52:51.760> uh<00:52:52.440> Control<00:52:52.760> Plus<00:52:52.960> all<00:52:53.040> right<00:52:53.160> I 00:52:53.270 --> 00:52:53.280 align:start position:0% the the uh Control Plus all right I 00:52:53.280 --> 00:53:03.270 align:start position:0% the the uh Control Plus all right I assume<00:52:53.480> you<00:52:53.599> guys<00:52:53.720> can<00:52:53.839> see<00:52:54.000> it<00:52:54.119> now<00:52:54.400> right 00:53:03.270 --> 00:53:03.280 align:start position:0% 00:53:03.280 --> 00:53:05.150 align:start position:0% great<00:53:04.280> okay 00:53:05.150 --> 00:53:05.160 align:start position:0% great okay 00:53:05.160 --> 00:53:09.589 align:start position:0% great okay so<00:53:06.160> here<00:53:06.280> is<00:53:06.480> the<00:53:06.640> exploit<00:53:07.680> guys<00:53:08.680> it's<00:53:08.960> awesome 00:53:09.589 --> 00:53:09.599 align:start position:0% so here is the exploit guys it's awesome 00:53:09.599 --> 00:53:12.670 align:start position:0% so here is the exploit guys it's awesome you're<00:53:09.760> going<00:53:09.880> to<00:53:10.040> love<00:53:10.200> it<00:53:11.160> um<00:53:12.000> okay<00:53:12.240> so<00:53:12.520> this 00:53:12.670 --> 00:53:12.680 align:start position:0% you're going to love it um okay so this 00:53:12.680 --> 00:53:14.230 align:start position:0% you're going to love it um okay so this is<00:53:12.839> the<00:53:12.960> end<00:53:13.240> point<00:53:13.559> we're<00:53:13.720> going<00:53:13.799> to<00:53:13.960> work 00:53:14.230 --> 00:53:14.240 align:start position:0% is the end point we're going to work 00:53:14.240 --> 00:53:17.030 align:start position:0% is the end point we're going to work back<00:53:14.400> from<00:53:14.559> the<00:53:14.720> actual<00:53:14.960> exploit<00:53:15.319> URL<00:53:15.839> okay<00:53:16.720> so 00:53:17.030 --> 00:53:17.040 align:start position:0% back from the actual exploit URL okay so 00:53:17.040 --> 00:53:19.789 align:start position:0% back from the actual exploit URL okay so the<00:53:17.160> final<00:53:17.480> exploit<00:53:17.760> URL<00:53:18.119> is<00:53:18.599> this<00:53:19.599> they're 00:53:19.789 --> 00:53:19.799 align:start position:0% the final exploit URL is this they're 00:53:19.799 --> 00:53:23.349 align:start position:0% the final exploit URL is this they're editing<00:53:20.200> an<00:53:20.359> API<00:53:21.160> key<00:53:22.160> and<00:53:22.680> there's<00:53:22.920> two 00:53:23.349 --> 00:53:23.359 align:start position:0% editing an API key and there's two 00:53:23.359 --> 00:53:26.109 align:start position:0% editing an API key and there's two parameters<00:53:24.359> there<00:53:24.520> is<00:53:24.799> a<00:53:25.359> service<00:53:25.760> parameter 00:53:26.109 --> 00:53:26.119 align:start position:0% parameters there is a service parameter 00:53:26.119 --> 00:53:27.870 align:start position:0% parameters there is a service parameter or<00:53:26.319> service<00:53:26.599> ID<00:53:26.880> parameter<00:53:27.599> and<00:53:27.720> a 00:53:27.870 --> 00:53:27.880 align:start position:0% or service ID parameter and a 00:53:27.880 --> 00:53:29.309 align:start position:0% or service ID parameter and a subscription<00:53:28.319> ID<00:53:28.559> parameter<00:53:28.960> I've<00:53:29.079> kind<00:53:29.200> of 00:53:29.309 --> 00:53:29.319 align:start position:0% subscription ID parameter I've kind of 00:53:29.319 --> 00:53:32.510 align:start position:0% subscription ID parameter I've kind of got<00:53:29.480> these<00:53:29.680> isolated<00:53:30.160> out<00:53:30.480> here<00:53:31.280> to<00:53:32.280> uh<00:53:32.400> make 00:53:32.510 --> 00:53:32.520 align:start position:0% got these isolated out here to uh make 00:53:32.520 --> 00:53:34.630 align:start position:0% got these isolated out here to uh make it<00:53:32.640> a<00:53:32.720> little<00:53:32.880> bit<00:53:33.119> easier<00:53:33.480> to<00:53:33.640> read<00:53:33.839> for<00:53:34.000> you 00:53:34.630 --> 00:53:34.640 align:start position:0% it a little bit easier to read for you 00:53:34.640 --> 00:53:38.470 align:start position:0% it a little bit easier to read for you okay<00:53:35.640> um<00:53:36.559> what<00:53:36.760> happens<00:53:37.119> in<00:53:37.280> this<00:53:37.480> application 00:53:38.470 --> 00:53:38.480 align:start position:0% okay um what happens in this application 00:53:38.480 --> 00:53:40.870 align:start position:0% okay um what happens in this application is<00:53:38.720> when<00:53:38.880> you<00:53:39.200> reach<00:53:39.480> to<00:53:39.720> this<00:53:39.920> page<00:53:40.720> the 00:53:40.870 --> 00:53:40.880 align:start position:0% is when you reach to this page the 00:53:40.880 --> 00:53:44.190 align:start position:0% is when you reach to this page the JavaScript<00:53:41.680> will<00:53:42.280> send<00:53:42.760> a<00:53:42.960> request<00:53:43.839> to<00:53:44.079> the 00:53:44.190 --> 00:53:44.200 align:start position:0% JavaScript will send a request to the 00:53:44.200 --> 00:53:47.470 align:start position:0% JavaScript will send a request to the following<00:53:44.640> URL<00:53:45.559> to<00:53:46.119> to<00:53:46.599> get<00:53:46.760> the<00:53:46.920> information 00:53:47.470 --> 00:53:47.480 align:start position:0% following URL to to get the information 00:53:47.480 --> 00:53:49.630 align:start position:0% following URL to to get the information about<00:53:47.760> the<00:53:48.000> API<00:53:48.400> key<00:53:48.599> that<00:53:48.680> you're<00:53:48.799> modifying 00:53:49.630 --> 00:53:49.640 align:start position:0% about the API key that you're modifying 00:53:49.640 --> 00:53:51.750 align:start position:0% about the API key that you're modifying okay<00:53:50.400> this<00:53:50.480> is<00:53:50.599> going<00:53:50.720> to<00:53:50.799> be<00:53:50.920> a<00:53:51.040> get<00:53:51.280> request 00:53:51.750 --> 00:53:51.760 align:start position:0% okay this is going to be a get request 00:53:51.760 --> 00:53:54.670 align:start position:0% okay this is going to be a get request to<00:53:51.960> this<00:53:52.280> URL<00:53:53.280> so<00:53:53.440> if<00:53:53.520> we<00:53:53.680> sub<00:53:53.920> in<00:53:54.119> the<00:53:54.240> values 00:53:54.670 --> 00:53:54.680 align:start position:0% to this URL so if we sub in the values 00:53:54.680 --> 00:53:58.030 align:start position:0% to this URL so if we sub in the values for<00:53:55.520> uh<00:53:55.640> the<00:53:55.799> URL<00:53:56.480> that<00:53:56.680> we've<00:53:57.079> or<00:53:57.319> the<00:53:57.720> values 00:53:58.030 --> 00:53:58.040 align:start position:0% for uh the URL that we've or the values 00:53:58.040 --> 00:54:00.829 align:start position:0% for uh the URL that we've or the values that<00:53:58.160> we've<00:53:58.359> provided<00:53:58.799> in<00:53:58.960> this<00:53:59.520> um<00:54:00.520> uh<00:54:00.680> in<00:54:00.760> the 00:54:00.829 --> 00:54:00.839 align:start position:0% that we've provided in this um uh in the 00:54:00.839 --> 00:54:03.230 align:start position:0% that we've provided in this um uh in the query<00:54:01.119> parameter<00:54:01.559> above<00:54:02.280> this<00:54:02.400> is<00:54:02.599> what<00:54:02.799> we<00:54:03.000> we 00:54:03.230 --> 00:54:03.240 align:start position:0% query parameter above this is what we we 00:54:03.240 --> 00:54:06.109 align:start position:0% query parameter above this is what we we get<00:54:03.720> so<00:54:04.000> this<00:54:04.200> part<00:54:04.480> right<00:54:04.640> here<00:54:04.799> to<00:54:04.960> the<00:54:05.119> left 00:54:06.109 --> 00:54:06.119 align:start position:0% get so this part right here to the left 00:54:06.119 --> 00:54:07.990 align:start position:0% get so this part right here to the left I<00:54:06.200> don't<00:54:06.359> think<00:54:06.520> I<00:54:06.599> can<00:54:06.839> yeah<00:54:06.960> I<00:54:07.079> can<00:54:07.359> okay<00:54:07.559> good 00:54:07.990 --> 00:54:08.000 align:start position:0% I don't think I can yeah I can okay good 00:54:08.000 --> 00:54:10.789 align:start position:0% I don't think I can yeah I can okay good this<00:54:08.160> part<00:54:08.319> to<00:54:08.440> the<00:54:08.599> left<00:54:09.000> is<00:54:09.440> is<00:54:09.880> uh<00:54:10.119> you 00:54:10.789 --> 00:54:10.799 align:start position:0% this part to the left is is uh you 00:54:10.799 --> 00:54:14.270 align:start position:0% this part to the left is is uh you know<00:54:11.799> this<00:54:11.960> part<00:54:12.160> right<00:54:12.799> here<00:54:13.799> and<00:54:13.920> then<00:54:14.119> here 00:54:14.270 --> 00:54:14.280 align:start position:0% know this part right here and then here 00:54:14.280 --> 00:54:16.069 align:start position:0% know this part right here and then here is<00:54:14.400> our<00:54:14.680> actual<00:54:15.079> value<00:54:15.400> that<00:54:15.520> we've<00:54:15.720> provided 00:54:16.069 --> 00:54:16.079 align:start position:0% is our actual value that we've provided 00:54:16.079 --> 00:54:18.870 align:start position:0% is our actual value that we've provided URL<00:54:16.720> decoded<00:54:17.720> and<00:54:17.799> then<00:54:17.960> we've<00:54:18.200> got<00:54:18.520> this<00:54:18.640> part 00:54:18.870 --> 00:54:18.880 align:start position:0% URL decoded and then we've got this part 00:54:18.880 --> 00:54:21.390 align:start position:0% URL decoded and then we've got this part right<00:54:19.160> here<00:54:20.160> and<00:54:20.240> then<00:54:20.400> we've<00:54:20.640> got 00:54:21.390 --> 00:54:21.400 align:start position:0% right here and then we've got 00:54:21.400 --> 00:54:24.510 align:start position:0% right here and then we've got our<00:54:22.400> uh<00:54:22.559> subscription<00:54:23.079> ID<00:54:23.640> being<00:54:24.040> embedded 00:54:24.510 --> 00:54:24.520 align:start position:0% our uh subscription ID being embedded 00:54:24.520 --> 00:54:25.789 align:start position:0% our uh subscription ID being embedded here<00:54:24.920> okay 00:54:25.789 --> 00:54:25.799 align:start position:0% here okay 00:54:25.799 --> 00:54:28.150 align:start position:0% here okay now<00:54:26.079> with<00:54:26.520> the<00:54:27.200> the<00:54:27.400> hashtag<00:54:27.880> that<00:54:28.000> we're 00:54:28.150 --> 00:54:28.160 align:start position:0% now with the the hashtag that we're 00:54:28.160 --> 00:54:30.750 align:start position:0% now with the the hashtag that we're doing<00:54:28.839> we're<00:54:29.079> actually<00:54:29.319> truncating<00:54:30.119> this<00:54:30.480> so 00:54:30.750 --> 00:54:30.760 align:start position:0% doing we're actually truncating this so 00:54:30.760 --> 00:54:33.309 align:start position:0% doing we're actually truncating this so this<00:54:30.880> is<00:54:31.000> the<00:54:31.119> only<00:54:31.319> part<00:54:31.520> that<00:54:31.640> the<00:54:31.760> server 00:54:33.309 --> 00:54:33.319 align:start position:0% this is the only part that the server 00:54:33.319 --> 00:54:35.990 align:start position:0% this is the only part that the server sees<00:54:34.319> and<00:54:34.599> this<00:54:34.799> is<00:54:35.160> actually<00:54:35.680> what<00:54:35.880> the 00:54:35.990 --> 00:54:36.000 align:start position:0% sees and this is actually what the 00:54:36.000 --> 00:54:39.589 align:start position:0% sees and this is actually what the normal<00:54:36.440> request<00:54:36.880> looks<00:54:37.319> like<00:54:38.319> um<00:54:38.839> so<00:54:39.319> we're 00:54:39.589 --> 00:54:39.599 align:start position:0% normal request looks like um so we're 00:54:39.599 --> 00:54:41.710 align:start position:0% normal request looks like um so we're we're<00:54:39.960> overwriting<00:54:40.960> and<00:54:41.160> we're<00:54:41.319> just<00:54:41.480> giving 00:54:41.710 --> 00:54:41.720 align:start position:0% we're overwriting and we're just giving 00:54:41.720 --> 00:54:43.670 align:start position:0% we're overwriting and we're just giving ourselves<00:54:42.240> access<00:54:42.520> to<00:54:42.720> put<00:54:42.920> whatever<00:54:43.280> we<00:54:43.400> want 00:54:43.670 --> 00:54:43.680 align:start position:0% ourselves access to put whatever we want 00:54:43.680 --> 00:54:45.950 align:start position:0% ourselves access to put whatever we want in<00:54:43.799> the<00:54:43.960> subscription<00:54:44.440> ID<00:54:44.760> parameter<00:54:45.760> um 00:54:45.950 --> 00:54:45.960 align:start position:0% in the subscription ID parameter um 00:54:45.960 --> 00:54:47.069 align:start position:0% in the subscription ID parameter um because<00:54:46.119> we're<00:54:46.280> building<00:54:46.599> the<00:54:46.720> original 00:54:47.069 --> 00:54:47.079 align:start position:0% because we're building the original 00:54:47.079 --> 00:54:48.670 align:start position:0% because we're building the original request<00:54:47.440> remember<00:54:47.839> this<00:54:47.960> is<00:54:48.200> the<00:54:48.359> the<00:54:48.440> flow 00:54:48.670 --> 00:54:48.680 align:start position:0% request remember this is the the flow 00:54:48.680 --> 00:54:52.270 align:start position:0% request remember this is the the flow for<00:54:48.799> the<00:54:48.880> original<00:54:49.319> request<00:54:50.160> and<00:54:50.480> this<00:54:50.720> is<00:54:51.079> the 00:54:52.270 --> 00:54:52.280 align:start position:0% for the original request and this is the 00:54:52.280 --> 00:54:56.549 align:start position:0% for the original request and this is the uh<00:54:53.280> this<00:54:53.440> is<00:54:54.079> the<00:54:55.480> request<00:54:55.799> we<00:54:55.880> end<00:54:56.040> up<00:54:56.119> setting 00:54:56.549 --> 00:54:56.559 align:start position:0% uh this is the request we end up setting 00:54:56.559 --> 00:54:57.750 align:start position:0% uh this is the request we end up setting which<00:54:56.680> is<00:54:56.960> exactly<00:54:57.280> the<00:54:57.400> same<00:54:57.520> as<00:54:57.640> the 00:54:57.750 --> 00:54:57.760 align:start position:0% which is exactly the same as the 00:54:57.760 --> 00:54:59.630 align:start position:0% which is exactly the same as the original<00:54:58.119> so<00:54:58.240> it<00:54:58.440> keeps<00:54:59.079> that<00:54:59.280> initial 00:54:59.630 --> 00:54:59.640 align:start position:0% original so it keeps that initial 00:54:59.640 --> 00:55:01.910 align:start position:0% original so it keeps that initial request<00:55:00.160> that<00:55:00.280> loads<00:55:00.680> the<00:55:00.839> data<00:55:01.480> it<00:55:01.599> keeps 00:55:01.910 --> 00:55:01.920 align:start position:0% request that loads the data it keeps 00:55:01.920 --> 00:55:04.390 align:start position:0% request that loads the data it keeps that<00:55:02.160> happy<00:55:02.880> right<00:55:03.160> and<00:55:03.280> so<00:55:03.520> the<00:55:03.880> the<00:55:04.079> the<00:55:04.200> page 00:55:04.390 --> 00:55:04.400 align:start position:0% that happy right and so the the the page 00:55:04.400 --> 00:55:06.950 align:start position:0% that happy right and so the the the page shows<00:55:04.680> up<00:55:05.119> just<00:55:05.280> like<00:55:05.400> it<00:55:05.559> normally<00:55:05.960> would 00:55:06.950 --> 00:55:06.960 align:start position:0% shows up just like it normally would 00:55:06.960 --> 00:55:09.870 align:start position:0% shows up just like it normally would okay<00:55:07.640> then<00:55:08.520> um<00:55:08.799> when<00:55:08.920> the<00:55:09.040> user<00:55:09.400> activates<00:55:09.799> the 00:55:09.870 --> 00:55:09.880 align:start position:0% okay then um when the user activates the 00:55:09.880 --> 00:55:11.349 align:start position:0% okay then um when the user activates the API<00:55:10.200> key<00:55:10.480> this<00:55:10.559> is<00:55:10.640> a<00:55:10.720> normal<00:55:11.040> part<00:55:11.160> of<00:55:11.240> the 00:55:11.349 --> 00:55:11.359 align:start position:0% API key this is a normal part of the 00:55:11.359 --> 00:55:13.309 align:start position:0% API key this is a normal part of the flow<00:55:11.640> in<00:55:11.760> the<00:55:11.920> application<00:55:12.680> um<00:55:12.960> and<00:55:13.079> we<00:55:13.160> would 00:55:13.309 --> 00:55:13.319 align:start position:0% flow in the application um and we would 00:55:13.319 --> 00:55:15.670 align:start position:0% flow in the application um and we would also<00:55:13.520> have<00:55:13.720> access<00:55:13.960> to<00:55:14.160> these<00:55:14.559> uh<00:55:14.680> IDs<00:55:15.480> by<00:55:15.559> the 00:55:15.670 --> 00:55:15.680 align:start position:0% also have access to these uh IDs by the 00:55:15.680 --> 00:55:17.470 align:start position:0% also have access to these uh IDs by the way 00:55:17.470 --> 00:55:17.480 align:start position:0% way 00:55:17.480 --> 00:55:22.390 align:start position:0% way um<00:55:18.480> then<00:55:19.319> the<00:55:20.319> uh<00:55:21.000> the<00:55:21.119> following<00:55:21.599> request<00:55:22.240> is 00:55:22.390 --> 00:55:22.400 align:start position:0% um then the uh the following request is 00:55:22.400 --> 00:55:26.109 align:start position:0% um then the uh the following request is generated<00:55:23.039> okay<00:55:23.359> this<00:55:23.480> is<00:55:23.640> a<00:55:23.839> put<00:55:24.119> request 00:55:26.109 --> 00:55:26.119 align:start position:0% generated okay this is a put request 00:55:26.119 --> 00:55:30.710 align:start position:0% generated okay this is a put request to<00:55:27.119> SL<00:55:27.720> interface<00:55:28.319> slv1<00:55:29.599> subscriptions<00:55:30.599> with 00:55:30.710 --> 00:55:30.720 align:start position:0% to SL interface slv1 subscriptions with 00:55:30.720 --> 00:55:32.589 align:start position:0% to SL interface slv1 subscriptions with a<00:55:30.880> subscription<00:55:31.359> ID<00:55:31.880> now<00:55:32.039> remember<00:55:32.480> the 00:55:32.589 --> 00:55:32.599 align:start position:0% a subscription ID now remember the 00:55:32.599 --> 00:55:34.390 align:start position:0% a subscription ID now remember the subscription<00:55:33.280> ID<00:55:33.599> is<00:55:33.760> now<00:55:33.920> the<00:55:34.039> thing<00:55:34.200> that<00:55:34.280> we 00:55:34.390 --> 00:55:34.400 align:start position:0% subscription ID is now the thing that we 00:55:34.400 --> 00:55:35.789 align:start position:0% subscription ID is now the thing that we can<00:55:34.520> do<00:55:34.720> whatever<00:55:35.000> we<00:55:35.119> want<00:55:35.359> with<00:55:35.640> right 00:55:35.789 --> 00:55:35.799 align:start position:0% can do whatever we want with right 00:55:35.799 --> 00:55:37.750 align:start position:0% can do whatever we want with right because<00:55:36.079> we<00:55:36.319> we<00:55:36.760> filled<00:55:37.039> in<00:55:37.160> the<00:55:37.319> Gap<00:55:37.559> and<00:55:37.640> then 00:55:37.750 --> 00:55:37.760 align:start position:0% because we we filled in the Gap and then 00:55:37.760 --> 00:55:40.029 align:start position:0% because we we filled in the Gap and then truncated<00:55:38.280> it<00:55:38.960> so<00:55:39.240> what<00:55:39.359> we've<00:55:39.599> provided<00:55:39.920> in 00:55:40.029 --> 00:55:40.039 align:start position:0% truncated it so what we've provided in 00:55:40.039 --> 00:55:42.549 align:start position:0% truncated it so what we've provided in our<00:55:40.280> subscription<00:55:40.799> ID<00:55:41.200> section<00:55:41.920> is<00:55:42.160> this<00:55:42.359> path 00:55:42.549 --> 00:55:42.559 align:start position:0% our subscription ID section is this path 00:55:42.559 --> 00:55:44.789 align:start position:0% our subscription ID section is this path traversal<00:55:43.520> which<00:55:43.640> will<00:55:43.799> delete<00:55:44.160> everything 00:55:44.789 --> 00:55:44.799 align:start position:0% traversal which will delete everything 00:55:44.799 --> 00:55:48.510 align:start position:0% traversal which will delete everything else<00:55:45.799> and<00:55:45.920> then<00:55:46.119> redirect<00:55:46.640> to<00:55:46.960> interface<00:55:47.520> V1 00:55:48.510 --> 00:55:48.520 align:start position:0% else and then redirect to interface V1 00:55:48.520 --> 00:55:51.990 align:start position:0% else and then redirect to interface V1 notification<00:55:49.200> preferences<00:55:49.920> okay<00:55:50.920> so<00:55:51.760> this<00:55:51.880> is 00:55:51.990 --> 00:55:52.000 align:start position:0% notification preferences okay so this is 00:55:52.000 --> 00:55:53.630 align:start position:0% notification preferences okay so this is the<00:55:52.160> put<00:55:52.359> request<00:55:52.640> that<00:55:52.799> gets<00:55:52.960> sent<00:55:53.319> it<00:55:53.400> ends 00:55:53.630 --> 00:55:53.640 align:start position:0% the put request that gets sent it ends 00:55:53.640 --> 00:55:55.510 align:start position:0% the put request that gets sent it ends up<00:55:53.839> sending<00:55:54.319> this 00:55:55.510 --> 00:55:55.520 align:start position:0% up sending this 00:55:55.520 --> 00:55:56.630 align:start position:0% up sending this right 00:55:56.630 --> 00:55:56.640 align:start position:0% right 00:55:56.640 --> 00:55:59.349 align:start position:0% right here<00:55:57.640> with<00:55:57.839> these<00:55:58.079> path<00:55:58.280> reversals<00:55:59.200> which 00:55:59.349 --> 00:55:59.359 align:start position:0% here with these path reversals which 00:55:59.359 --> 00:56:01.150 align:start position:0% here with these path reversals which will<00:55:59.520> get<00:55:59.640> it<00:55:59.760> back<00:55:59.920> to<00:56:00.079> the<00:56:00.200> root<00:56:00.640> and<00:56:00.799> then 00:56:01.150 --> 00:56:01.160 align:start position:0% will get it back to the root and then 00:56:01.160 --> 00:56:04.430 align:start position:0% will get it back to the root and then the<00:56:01.559> the<00:56:01.760> actual<00:56:02.160> put<00:56:02.400> request<00:56:02.680> gets<00:56:02.839> sent<00:56:03.440> to 00:56:04.430 --> 00:56:04.440 align:start position:0% the the actual put request gets sent to 00:56:04.440 --> 00:56:06.829 align:start position:0% the the actual put request gets sent to uh<00:56:04.640> SL<00:56:05.039> interface<00:56:05.520> slv1<00:56:06.319> notification 00:56:06.829 --> 00:56:06.839 align:start position:0% uh SL interface slv1 notification 00:56:06.839 --> 00:56:09.029 align:start position:0% uh SL interface slv1 notification preferences<00:56:07.480> okay<00:56:08.119> now<00:56:08.319> this<00:56:08.440> is<00:56:08.640> the<00:56:08.799> cool 00:56:09.029 --> 00:56:09.039 align:start position:0% preferences okay now this is the cool 00:56:09.039 --> 00:56:11.270 align:start position:0% preferences okay now this is the cool part<00:56:10.039> um<00:56:10.319> where<00:56:10.440> we<00:56:10.599> actually<00:56:10.760> figured<00:56:11.119> out 00:56:11.270 --> 00:56:11.280 align:start position:0% part um where we actually figured out 00:56:11.280 --> 00:56:12.910 align:start position:0% part um where we actually figured out and<00:56:11.480> exploit<00:56:11.960> because<00:56:12.240> in<00:56:12.319> the<00:56:12.440> live<00:56:12.680> hacking 00:56:12.910 --> 00:56:12.920 align:start position:0% and exploit because in the live hacking 00:56:12.920 --> 00:56:14.150 align:start position:0% and exploit because in the live hacking event<00:56:13.119> there<00:56:13.200> were<00:56:13.359> a<00:56:13.440> ton<00:56:13.559> of<00:56:13.720> other<00:56:13.880> people 00:56:14.150 --> 00:56:14.160 align:start position:0% event there were a ton of other people 00:56:14.160 --> 00:56:15.990 align:start position:0% event there were a ton of other people that<00:56:14.280> found<00:56:14.559> this<00:56:14.799> exact<00:56:15.079> same<00:56:15.319> thing<00:56:15.799> I<00:56:15.839> don't 00:56:15.990 --> 00:56:16.000 align:start position:0% that found this exact same thing I don't 00:56:16.000 --> 00:56:18.470 align:start position:0% that found this exact same thing I don't know<00:56:16.160> if<00:56:16.400> they<00:56:16.960> found<00:56:17.400> the<00:56:17.760> way<00:56:17.920> for<00:56:18.079> you<00:56:18.240> to 00:56:18.470 --> 00:56:18.480 align:start position:0% know if they found the way for you to 00:56:18.480 --> 00:56:20.190 align:start position:0% know if they found the way for you to like<00:56:18.599> free<00:56:18.839> up<00:56:19.039> the<00:56:19.160> subscription<00:56:19.640> parameter 00:56:20.190 --> 00:56:20.200 align:start position:0% like free up the subscription parameter 00:56:20.200 --> 00:56:21.990 align:start position:0% like free up the subscription parameter by<00:56:20.559> making<00:56:20.839> the<00:56:20.960> front<00:56:21.160> end<00:56:21.400> happy<00:56:21.599> and<00:56:21.760> stuff 00:56:21.990 --> 00:56:22.000 align:start position:0% by making the front end happy and stuff 00:56:22.000 --> 00:56:26.829 align:start position:0% by making the front end happy and stuff like<00:56:22.160> that<00:56:23.480> um<00:56:24.480> but<00:56:25.359> uh<00:56:26.359> a<00:56:26.440> lot<00:56:26.559> of<00:56:26.680> people 00:56:26.829 --> 00:56:26.839 align:start position:0% like that um but uh a lot of people 00:56:26.839 --> 00:56:28.430 align:start position:0% like that um but uh a lot of people found<00:56:27.039> the<00:56:27.160> client<00:56:27.440> eyth<00:56:27.760> rals<00:56:28.200> and<00:56:28.319> just 00:56:28.430 --> 00:56:28.440 align:start position:0% found the client eyth rals and just 00:56:28.440 --> 00:56:30.270 align:start position:0% found the client eyth rals and just couldn't<00:56:28.680> exploit<00:56:29.079> them<00:56:29.760> the<00:56:29.880> thing<00:56:30.079> that 00:56:30.270 --> 00:56:30.280 align:start position:0% couldn't exploit them the thing that 00:56:30.280 --> 00:56:31.990 align:start position:0% couldn't exploit them the thing that actually<00:56:30.559> made<00:56:30.799> this<00:56:31.000> much<00:56:31.160> more<00:56:31.400> exploitable 00:56:31.990 --> 00:56:32.000 align:start position:0% actually made this much more exploitable 00:56:32.000 --> 00:56:33.270 align:start position:0% actually made this much more exploitable is<00:56:32.160> I<00:56:32.240> went<00:56:32.440> through<00:56:32.559> the<00:56:32.680> app<00:56:32.839> and<00:56:32.960> I<00:56:33.079> looked 00:56:33.270 --> 00:56:33.280 align:start position:0% is I went through the app and I looked 00:56:33.280 --> 00:56:36.270 align:start position:0% is I went through the app and I looked for<00:56:33.599> every<00:56:33.880> single<00:56:34.200> put<00:56:34.480> request<00:56:35.000> okay<00:56:35.920> and 00:56:36.270 --> 00:56:36.280 align:start position:0% for every single put request okay and 00:56:36.280 --> 00:56:38.430 align:start position:0% for every single put request okay and there<00:56:36.359> was<00:56:36.559> one<00:56:36.799> put<00:56:37.039> request<00:56:37.799> that<00:56:38.240> would 00:56:38.430 --> 00:56:38.440 align:start position:0% there was one put request that would 00:56:38.440 --> 00:56:40.309 align:start position:0% there was one put request that would would<00:56:38.680> allow<00:56:38.960> you<00:56:39.160> to<00:56:39.680> update<00:56:40.160> the 00:56:40.309 --> 00:56:40.319 align:start position:0% would allow you to update the 00:56:40.319 --> 00:56:43.710 align:start position:0% would allow you to update the notification<00:56:41.039> settings<00:56:42.000> if<00:56:42.319> some<00:56:43.200> very<00:56:43.480> bad 00:56:43.710 --> 00:56:43.720 align:start position:0% notification settings if some very bad 00:56:43.720 --> 00:56:48.950 align:start position:0% notification settings if some very bad thing<00:56:43.960> happened<00:56:45.280> okay<00:56:46.280> um<00:56:47.079> and<00:56:48.000> in<00:56:48.520> the<00:56:48.680> body 00:56:48.950 --> 00:56:48.960 align:start position:0% thing happened okay um and in the body 00:56:48.960 --> 00:56:51.829 align:start position:0% thing happened okay um and in the body of<00:56:49.119> that<00:56:49.280> request<00:56:50.000> when<00:56:50.280> you<00:56:50.760> deleted<00:56:51.640> the 00:56:51.829 --> 00:56:51.839 align:start position:0% of that request when you deleted the 00:56:51.839 --> 00:56:53.150 align:start position:0% of that request when you deleted the email<00:56:52.200> that<00:56:52.319> would<00:56:52.440> get<00:56:52.559> sent<00:56:52.760> the 00:56:53.150 --> 00:56:53.160 align:start position:0% email that would get sent the 00:56:53.160 --> 00:56:55.230 align:start position:0% email that would get sent the notification<00:56:54.160> uh<00:56:54.280> it<00:56:54.400> would<00:56:54.559> just<00:56:54.880> send<00:56:55.119> an 00:56:55.230 --> 00:56:55.240 align:start position:0% notification uh it would just send an 00:56:55.240 --> 00:56:58.230 align:start position:0% notification uh it would just send an empty<00:56:55.920> string<00:56:56.920> uh<00:56:57.079> it<00:56:57.200> would<00:56:57.400> say<00:56:57.640> you<00:56:57.760> know 00:56:58.230 --> 00:56:58.240 align:start position:0% empty string uh it would say you know 00:56:58.240 --> 00:57:00.750 align:start position:0% empty string uh it would say you know curly<00:56:58.599> bracket<00:56:59.160> the<00:56:59.280> name<00:56:59.520> of<00:56:59.760> the<00:57:00.440> uh 00:57:00.750 --> 00:57:00.760 align:start position:0% curly bracket the name of the uh 00:57:00.760 --> 00:57:03.510 align:start position:0% curly bracket the name of the uh attribute<00:57:01.760> that<00:57:02.079> let's<00:57:02.240> just<00:57:02.359> call<00:57:02.480> it<00:57:02.559> email 00:57:03.510 --> 00:57:03.520 align:start position:0% attribute that let's just call it email 00:57:03.520 --> 00:57:05.750 align:start position:0% attribute that let's just call it email and<00:57:03.599> then<00:57:03.720> it<00:57:03.839> would<00:57:03.960> do<00:57:04.240> colon<00:57:04.680> empty<00:57:04.960> string 00:57:05.750 --> 00:57:05.760 align:start position:0% and then it would do colon empty string 00:57:05.760 --> 00:57:08.670 align:start position:0% and then it would do colon empty string close<00:57:06.400> curly<00:57:06.760> bracket<00:57:07.200> okay<00:57:07.960> uh<00:57:08.319> why<00:57:08.440> am<00:57:08.520> I 00:57:08.670 --> 00:57:08.680 align:start position:0% close curly bracket okay uh why am I 00:57:08.680 --> 00:57:10.029 align:start position:0% close curly bracket okay uh why am I just<00:57:08.760> saying<00:57:09.000> this<00:57:09.160> I<00:57:09.240> can<00:57:09.359> just<00:57:09.480> write<00:57:09.640> it<00:57:09.880> for 00:57:10.029 --> 00:57:10.039 align:start position:0% just saying this I can just write it for 00:57:10.039 --> 00:57:13.230 align:start position:0% just saying this I can just write it for you 00:57:13.230 --> 00:57:13.240 align:start position:0% 00:57:13.240 --> 00:57:15.750 align:start position:0% guys<00:57:14.240> it's<00:57:14.480> like<00:57:14.680> this 00:57:15.750 --> 00:57:15.760 align:start position:0% guys it's like this 00:57:15.760 --> 00:57:18.309 align:start position:0% guys it's like this right<00:57:16.760> it's<00:57:16.960> like 00:57:18.309 --> 00:57:18.319 align:start position:0% right it's like 00:57:18.319 --> 00:57:20.670 align:start position:0% right it's like this<00:57:19.319> like<00:57:19.520> that<00:57:20.039> that<00:57:20.160> is<00:57:20.280> what<00:57:20.400> it<00:57:20.520> would 00:57:20.670 --> 00:57:20.680 align:start position:0% this like that that is what it would 00:57:20.680 --> 00:57:23.470 align:start position:0% this like that that is what it would send<00:57:21.400> okay<00:57:21.839> so<00:57:22.000> I<00:57:22.160> imagine<00:57:22.799> the<00:57:23.039> the<00:57:23.160> code<00:57:23.400> on 00:57:23.470 --> 00:57:23.480 align:start position:0% send okay so I imagine the the code on 00:57:23.480 --> 00:57:26.109 align:start position:0% send okay so I imagine the the code on the<00:57:23.599> server<00:57:23.960> side<00:57:24.440> looked<00:57:24.960> something<00:57:25.400> like 00:57:26.109 --> 00:57:26.119 align:start position:0% the server side looked something like 00:57:26.119 --> 00:57:28.270 align:start position:0% the server side looked something like this<00:57:27.119> you<00:57:27.280> know 00:57:28.270 --> 00:57:28.280 align:start position:0% this you know 00:57:28.280 --> 00:57:31.630 align:start position:0% this you know if<00:57:29.280> rec. 00:57:31.630 --> 00:57:31.640 align:start position:0% if rec. 00:57:31.640 --> 00:57:35.630 align:start position:0% if rec. email<00:57:32.640> you<00:57:32.839> know<00:57:33.400> update<00:57:34.000> email<00:57:34.480> or<00:57:34.640> whatever 00:57:35.630 --> 00:57:35.640 align:start position:0% email you know update email or whatever 00:57:35.640 --> 00:57:37.829 align:start position:0% email you know update email or whatever right<00:57:36.640> like 00:57:37.829 --> 00:57:37.839 align:start position:0% right like 00:57:37.839 --> 00:57:40.829 align:start position:0% right like that 00:57:40.829 --> 00:57:40.839 align:start position:0% that 00:57:40.839 --> 00:57:44.990 align:start position:0% that else<00:57:41.839> set<00:57:42.319> email<00:57:43.319> to<00:57:43.640> none<00:57:44.319> or<00:57:44.480> something<00:57:44.839> like 00:57:44.990 --> 00:57:45.000 align:start position:0% else set email to none or something like 00:57:45.000 --> 00:57:46.710 align:start position:0% else set email to none or something like that<00:57:45.520> that's<00:57:45.680> how<00:57:45.799> I<00:57:45.920> imagine<00:57:46.280> it<00:57:46.400> looking<00:57:46.640> on 00:57:46.710 --> 00:57:46.720 align:start position:0% that that's how I imagine it looking on 00:57:46.720 --> 00:57:49.109 align:start position:0% that that's how I imagine it looking on the<00:57:46.799> server<00:57:47.160> side<00:57:47.760> so<00:57:48.039> actually<00:57:48.520> what<00:57:48.720> happens 00:57:49.109 --> 00:57:49.119 align:start position:0% the server side so actually what happens 00:57:49.119 --> 00:57:50.270 align:start position:0% the server side so actually what happens then<00:57:49.280> I<00:57:49.359> noticed<00:57:49.640> that<00:57:49.799> this<00:57:49.880> was<00:57:50.039> kind<00:57:50.119> of 00:57:50.270 --> 00:57:50.280 align:start position:0% then I noticed that this was kind of 00:57:50.280 --> 00:57:51.990 align:start position:0% then I noticed that this was kind of weird<00:57:50.880> and<00:57:51.000> I<00:57:51.119> thought<00:57:51.280> the<00:57:51.400> logic<00:57:51.720> might<00:57:51.920> kind 00:57:51.990 --> 00:57:52.000 align:start position:0% weird and I thought the logic might kind 00:57:52.000 --> 00:57:54.549 align:start position:0% weird and I thought the logic might kind of<00:57:52.160> be<00:57:52.359> like<00:57:52.559> that<00:57:53.079> so<00:57:53.359> when<00:57:53.720> what<00:57:53.920> actually 00:57:54.549 --> 00:57:54.559 align:start position:0% of be like that so when what actually 00:57:54.559 --> 00:57:56.190 align:start position:0% of be like that so when what actually happen<00:57:54.839> happened<00:57:55.079> is<00:57:55.240> when<00:57:55.319> I<00:57:55.440> sent<00:57:55.799> this<00:57:55.960> put 00:57:56.190 --> 00:57:56.200 align:start position:0% happen happened is when I sent this put 00:57:56.200 --> 00:57:57.630 align:start position:0% happen happened is when I sent this put request<00:57:56.599> that<00:57:56.720> had<00:57:56.839> a<00:57:56.960> bunch<00:57:57.119> of<00:57:57.280> other 00:57:57.630 --> 00:57:57.640 align:start position:0% request that had a bunch of other 00:57:57.640 --> 00:58:00.549 align:start position:0% request that had a bunch of other in<00:57:57.760> the<00:57:57.920> body<00:57:58.559> but<00:57:58.760> did<00:57:58.960> not<00:57:59.319> have<00:57:59.799> the<00:57:59.960> email 00:58:00.549 --> 00:58:00.559 align:start position:0% in the body but did not have the email 00:58:00.559 --> 00:58:03.230 align:start position:0% in the body but did not have the email parameter<00:58:01.559> then<00:58:02.000> it<00:58:02.200> just<00:58:02.400> deleted<00:58:02.799> the<00:58:02.920> email 00:58:03.230 --> 00:58:03.240 align:start position:0% parameter then it just deleted the email 00:58:03.240 --> 00:58:05.390 align:start position:0% parameter then it just deleted the email parameter<00:58:04.119> or<00:58:04.319> the<00:58:04.440> email<00:58:04.920> from<00:58:05.280> the 00:58:05.390 --> 00:58:05.400 align:start position:0% parameter or the email from the 00:58:05.400 --> 00:58:07.710 align:start position:0% parameter or the email from the notifications<00:58:06.280> so<00:58:06.520> then<00:58:06.799> it<00:58:06.920> triggered<00:58:07.599> you 00:58:07.710 --> 00:58:07.720 align:start position:0% notifications so then it triggered you 00:58:07.720 --> 00:58:10.230 align:start position:0% notifications so then it triggered you know<00:58:07.920> this<00:58:08.039> part<00:58:08.200> of<00:58:08.280> the<00:58:08.400> code<00:58:08.599> flow<00:58:09.520> and<00:58:10.079> uh 00:58:10.230 --> 00:58:10.240 align:start position:0% know this part of the code flow and uh 00:58:10.240 --> 00:58:13.309 align:start position:0% know this part of the code flow and uh it<00:58:10.559> undid<00:58:11.559> a<00:58:12.079> very<00:58:12.440> important<00:58:13.200> uh 00:58:13.309 --> 00:58:13.319 align:start position:0% it undid a very important uh 00:58:13.319 --> 00:58:16.470 align:start position:0% it undid a very important uh notification<00:58:14.000> measure<00:58:14.720> to<00:58:14.960> the<00:58:15.480> application 00:58:16.470 --> 00:58:16.480 align:start position:0% notification measure to the application 00:58:16.480 --> 00:58:19.109 align:start position:0% notification measure to the application um<00:58:16.839> and<00:58:17.160> achieved<00:58:17.839> and<00:58:18.000> then<00:58:18.200> and<00:58:18.400> then<00:58:18.839> the<00:58:19.000> in 00:58:19.109 --> 00:58:19.119 align:start position:0% um and achieved and then and then the in 00:58:19.119 --> 00:58:22.230 align:start position:0% um and achieved and then and then the in addition<00:58:19.400> to<00:58:19.599> that<00:58:20.319> it<00:58:20.680> responded<00:58:21.119> with<00:58:21.520> 200 00:58:22.230 --> 00:58:22.240 align:start position:0% addition to that it responded with 200 00:58:22.240 --> 00:58:24.270 align:start position:0% addition to that it responded with 200 to<00:58:22.440> that<00:58:22.599> request<00:58:23.079> and<00:58:23.240> so<00:58:23.680> the<00:58:23.839> the<00:58:23.920> front-end 00:58:24.270 --> 00:58:24.280 align:start position:0% to that request and so the the front-end 00:58:24.280 --> 00:58:25.990 align:start position:0% to that request and so the the front-end user 00:58:25.990 --> 00:58:26.000 align:start position:0% user 00:58:26.000 --> 00:58:28.789 align:start position:0% user API<00:58:26.400> key<00:58:26.559> updated<00:58:27.319> you<00:58:27.440> know<00:58:27.640> in<00:58:27.760> the<00:58:27.880> URL<00:58:28.640> and 00:58:28.789 --> 00:58:28.799 align:start position:0% API key updated you know in the URL and 00:58:28.799 --> 00:58:30.069 align:start position:0% API key updated you know in the URL and they<00:58:28.960> they're<00:58:29.079> none<00:58:29.280> the<00:58:29.400> wiser<00:58:29.799> that<00:58:29.960> they 00:58:30.069 --> 00:58:30.079 align:start position:0% they they're none the wiser that they 00:58:30.079 --> 00:58:31.750 align:start position:0% they they're none the wiser that they just<00:58:30.240> deleted<00:58:30.640> their<00:58:30.839> notification<00:58:31.440> settings 00:58:31.750 --> 00:58:31.760 align:start position:0% just deleted their notification settings 00:58:31.760 --> 00:58:35.710 align:start position:0% just deleted their notification settings for<00:58:31.920> the<00:58:32.039> whole<00:58:32.520> company<00:58:33.839> um<00:58:34.839> so<00:58:35.400> that's<00:58:35.559> the 00:58:35.710 --> 00:58:35.720 align:start position:0% for the whole company um so that's the 00:58:35.720 --> 00:58:37.549 align:start position:0% for the whole company um so that's the bug<00:58:36.039> that's<00:58:36.240> the<00:58:36.359> actual<00:58:36.680> application<00:58:37.359> um 00:58:37.549 --> 00:58:37.559 align:start position:0% bug that's the actual application um 00:58:37.559 --> 00:58:40.390 align:start position:0% bug that's the actual application um this<00:58:37.720> bug<00:58:38.000> was<00:58:38.200> given<00:58:38.440> Show<00:58:38.720> and<00:58:38.920> Tell<00:58:39.680> and<00:58:40.280> uh 00:58:40.390 --> 00:58:40.400 align:start position:0% this bug was given Show and Tell and uh 00:58:40.400 --> 00:58:42.910 align:start position:0% this bug was given Show and Tell and uh an<00:58:40.559> additional<00:58:40.960> Bounty<00:58:41.680> um<00:58:42.200> for<00:58:42.520> the<00:58:42.640> live 00:58:42.910 --> 00:58:42.920 align:start position:0% an additional Bounty um for the live 00:58:42.920 --> 00:58:46.549 align:start position:0% an additional Bounty um for the live hacking<00:58:43.200> event<00:58:43.880> and<00:58:44.400> uh<00:58:45.119> it<00:58:45.319> it's<00:58:45.760> one<00:58:45.880> of<00:58:46.079> the 00:58:46.549 --> 00:58:46.559 align:start position:0% hacking event and uh it it's one of the 00:58:46.559 --> 00:58:49.549 align:start position:0% hacking event and uh it it's one of the sort<00:58:46.799> of<00:58:47.160> one<00:58:47.280> of<00:58:47.400> the<00:58:47.799> cooler<00:58:48.799> uh<00:58:49.079> client<00:58:49.440> side 00:58:49.549 --> 00:58:49.559 align:start position:0% sort of one of the cooler uh client side 00:58:49.559 --> 00:58:51.510 align:start position:0% sort of one of the cooler uh client side Pat<00:58:49.839> personals<00:58:50.160> I've<00:58:50.280> found<00:58:50.680> because<00:58:51.359> it 00:58:51.510 --> 00:58:51.520 align:start position:0% Pat personals I've found because it 00:58:51.520 --> 00:58:53.670 align:start position:0% Pat personals I've found because it utilizes<00:58:52.079> that<00:58:52.240> truncation<00:58:52.960> and<00:58:53.079> a<00:58:53.240> multi- 00:58:53.670 --> 00:58:53.680 align:start position:0% utilizes that truncation and a multi- 00:58:53.680 --> 00:58:55.870 align:start position:0% utilizes that truncation and a multi- request<00:58:54.039> flow<00:58:54.720> to<00:58:54.920> actually<00:58:55.200> get<00:58:55.480> along<00:58:55.720> with 00:58:55.870 --> 00:58:55.880 align:start position:0% request flow to actually get along with 00:58:55.880 --> 00:58:57.990 align:start position:0% request flow to actually get along with a<00:58:56.119> gadget<00:58:56.599> that<00:58:57.079> um<00:58:57.240> didn't<00:58:57.480> require<00:58:57.799> anything 00:58:57.990 --> 00:58:58.000 align:start position:0% a gadget that um didn't require anything 00:58:58.000 --> 00:59:01.670 align:start position:0% a gadget that um didn't require anything in<00:58:58.119> the<00:58:58.480> body<00:58:59.480> to<00:58:59.680> achieve<00:58:59.960> some<00:59:00.119> good<00:59:00.640> impact 00:59:01.670 --> 00:59:01.680 align:start position:0% in the body to achieve some good impact 00:59:01.680 --> 00:59:04.470 align:start position:0% in the body to achieve some good impact so<00:59:02.680> all<00:59:02.799> righty<00:59:03.720> we're<00:59:03.880> getting<00:59:04.079> in<00:59:04.200> on<00:59:04.319> the 00:59:04.470 --> 00:59:04.480 align:start position:0% so all righty we're getting in on the 00:59:04.480 --> 00:59:06.589 align:start position:0% so all righty we're getting in on the hour<00:59:04.720> mark<00:59:05.119> here<00:59:05.599> um<00:59:05.760> I'll<00:59:05.920> leave<00:59:06.280> you<00:59:06.359> know<00:59:06.480> a 00:59:06.589 --> 00:59:06.599 align:start position:0% hour mark here um I'll leave you know a 00:59:06.599 --> 00:59:07.990 align:start position:0% hour mark here um I'll leave you know a minute<00:59:06.799> or<00:59:06.920> two<00:59:07.160> here<00:59:07.280> for<00:59:07.480> questions<00:59:07.799> at<00:59:07.920> the 00:59:07.990 --> 00:59:08.000 align:start position:0% minute or two here for questions at the 00:59:08.000 --> 00:59:10.510 align:start position:0% minute or two here for questions at the end<00:59:08.160> if<00:59:08.280> anybody's<00:59:08.680> got<00:59:08.960> any<00:59:09.960> and<00:59:10.119> if<00:59:10.240> not<00:59:10.440> I 00:59:10.510 --> 00:59:10.520 align:start position:0% end if anybody's got any and if not I 00:59:10.520 --> 00:59:12.910 align:start position:0% end if anybody's got any and if not I will<00:59:10.720> send<00:59:11.000> off<00:59:11.319> this<00:59:11.599> document<00:59:12.440> uh<00:59:12.520> to<00:59:12.680> you 00:59:12.910 --> 00:59:12.920 align:start position:0% will send off this document uh to you 00:59:12.920 --> 00:59:15.270 align:start position:0% will send off this document uh to you guys<00:59:13.559> uh<00:59:13.720> in<00:59:13.920> the<00:59:14.160> hashtag<00:59:14.599> critical<00:59:14.960> thinkers 00:59:15.270 --> 00:59:15.280 align:start position:0% guys uh in the hashtag critical thinkers 00:59:15.280 --> 00:59:18.390 align:start position:0% guys uh in the hashtag critical thinkers Channel<00:59:16.119> and<00:59:16.760> uh<00:59:17.760> you<00:59:17.880> guys<00:59:18.000> should<00:59:18.160> be<00:59:18.280> able 00:59:18.390 --> 00:59:18.400 align:start position:0% Channel and uh you guys should be able 00:59:18.400 --> 00:59:20.069 align:start position:0% Channel and uh you guys should be able to<00:59:18.520> review<00:59:18.880> all<00:59:19.039> that<00:59:19.240> stuff<00:59:19.680> um<00:59:19.839> I'm<00:59:19.920> not 00:59:20.069 --> 00:59:20.079 align:start position:0% to review all that stuff um I'm not 00:59:20.079 --> 00:59:22.630 align:start position:0% to review all that stuff um I'm not going<00:59:20.200> to<00:59:20.359> leave<00:59:20.640> the<00:59:20.839> stuff<00:59:21.079> up<00:59:21.359> on<00:59:21.720> apps. 00:59:22.630 --> 00:59:22.640 align:start position:0% going to leave the stuff up on apps. 00:59:22.640 --> 00:59:25.270 align:start position:0% going to leave the stuff up on apps. rider.<00:59:23.400> De<00:59:23.599> forever<00:59:24.119> so<00:59:24.520> um<00:59:24.799> go<00:59:24.920> ahead<00:59:25.119> and 00:59:25.270 --> 00:59:25.280 align:start position:0% rider. De forever so um go ahead and 00:59:25.280 --> 00:59:29.230 align:start position:0% rider. De forever so um go ahead and download<00:59:25.839> those<00:59:26.079> HTML<00:59:26.640> files<00:59:26.920> if<00:59:27.039> you<00:59:27.319> want<00:59:28.319> um 00:59:29.230 --> 00:59:29.240 align:start position:0% download those HTML files if you want um 00:59:29.240 --> 00:59:32.109 align:start position:0% download those HTML files if you want um and<00:59:29.599> I'll<00:59:29.880> I'll<00:59:30.359> move<00:59:30.640> the<00:59:30.760> other<00:59:31.119> P<00:59:31.640> um<00:59:31.920> let<00:59:32.000> me 00:59:32.109 --> 00:59:32.119 align:start position:0% and I'll I'll move the other P um let me 00:59:32.119 --> 00:59:33.549 align:start position:0% and I'll I'll move the other P um let me just<00:59:32.240> go<00:59:32.319> ahead<00:59:32.440> and<00:59:32.520> do<00:59:32.599> it<00:59:32.760> right<00:59:32.880> now<00:59:33.119> I'll 00:59:33.549 --> 00:59:33.559 align:start position:0% just go ahead and do it right now I'll 00:59:33.559 --> 00:59:38.390 align:start position:0% just go ahead and do it right now I'll uh<00:59:34.480> CP<00:59:35.480> redirect<00:59:36.319> PHP<00:59:36.760> to<00:59:36.960> redirect 00:59:38.390 --> 00:59:38.400 align:start position:0% uh CP redirect PHP to redirect 00:59:38.400 --> 00:59:41.630 align:start position:0% uh CP redirect PHP to redirect php.<00:59:39.400> txt<00:59:40.079> as<00:59:40.240> well<00:59:40.799> so<00:59:40.960> you<00:59:41.039> guys<00:59:41.200> can<00:59:41.359> access 00:59:41.630 --> 00:59:41.640 align:start position:0% php. txt as well so you guys can access 00:59:41.640 --> 00:59:44.710 align:start position:0% php. txt as well so you guys can access the<00:59:42.000> source<00:59:42.240> code<00:59:42.400> for<00:59:42.559> redirect<00:59:43.280> php. 00:59:44.710 --> 00:59:44.720 align:start position:0% the source code for redirect php. 00:59:44.720 --> 00:59:47.069 align:start position:0% the source code for redirect php. txt 00:59:47.069 --> 00:59:47.079 align:start position:0% txt 00:59:47.079 --> 00:59:49.589 align:start position:0% txt um<00:59:48.079> yeah<00:59:48.280> it<00:59:48.480> really<00:59:48.760> is<00:59:49.000> very<00:59:49.160> similar<00:59:49.440> to 00:59:49.589 --> 00:59:49.599 align:start position:0% um yeah it really is very similar to 00:59:49.599 --> 00:59:51.390 align:start position:0% um yeah it really is very similar to secondary<00:59:50.039> context<00:59:50.520> stuff<00:59:50.760> it's<00:59:50.920> secondary 00:59:51.390 --> 00:59:51.400 align:start position:0% secondary context stuff it's secondary 00:59:51.400 --> 00:59:53.430 align:start position:0% secondary context stuff it's secondary context<00:59:51.960> on<00:59:52.240> the<00:59:52.520> on<00:59:52.640> the<00:59:52.760> client<00:59:53.119> side<00:59:53.319> that's 00:59:53.430 --> 00:59:53.440 align:start position:0% context on the on the client side that's 00:59:53.440 --> 01:00:00.470 align:start position:0% context on the on the client side that's a<00:59:53.599> great<00:59:53.760> point<00:59:54.000> xss<00:59:54.400> do 01:00:00.470 --> 01:00:00.480 align:start position:0% 01:00:00.480 --> 01:00:03.349 align:start position:0% all<01:00:00.640> righty<01:00:01.200> y'all<01:00:02.200> very<01:00:02.440> good<01:00:02.880> well<01:00:03.079> thanks 01:00:03.349 --> 01:00:03.359 align:start position:0% all righty y'all very good well thanks 01:00:03.359 --> 01:00:05.230 align:start position:0% all righty y'all very good well thanks for<01:00:03.920> uh<01:00:04.240> thanks<01:00:04.440> for<01:00:04.599> listening<01:00:04.960> I'll<01:00:05.160> go 01:00:05.230 --> 01:00:05.240 align:start position:0% for uh thanks for listening I'll go 01:00:05.240 --> 01:00:08.710 align:start position:0% for uh thanks for listening I'll go ahead<01:00:05.440> and<01:00:05.559> cut<01:00:05.720> it<01:00:05.880> here<01:00:06.119> now<01:00:07.240> um<01:00:08.240> I<01:00:08.319> will<01:00:08.480> send 01:00:08.710 --> 01:00:08.720 align:start position:0% ahead and cut it here now um I will send 01:00:08.720 --> 01:00:10.430 align:start position:0% ahead and cut it here now um I will send out<01:00:08.880> the<01:00:09.039> recording<01:00:09.720> as<01:00:09.839> soon<01:00:09.960> as<01:00:10.079> I<01:00:10.200> can<01:00:10.319> get 01:00:10.430 --> 01:00:10.440 align:start position:0% out the recording as soon as I can get 01:00:10.440 --> 01:00:14.190 align:start position:0% out the recording as soon as I can get that<01:00:10.640> little<01:00:11.039> mishap<01:00:11.760> redacted<01:00:12.760> and<01:00:13.319> uh<01:00:13.960> and 01:00:14.190 --> 01:00:14.200 align:start position:0% that little mishap redacted and uh and 01:00:14.200 --> 01:00:16.510 align:start position:0% that little mishap redacted and uh and then<01:00:14.680> you<01:00:14.839> guys<01:00:15.000> will<01:00:15.160> have<01:00:15.319> that<01:00:15.480> as 01:00:16.510 --> 01:00:16.520 align:start position:0% then you guys will have that as 01:00:16.520 --> 01:00:19.470 align:start position:0% then you guys will have that as well<01:00:17.520> all<01:00:17.640> righty<01:00:18.000> thanks 01:00:19.470 --> 01:00:19.480 align:start position:0% well all righty thanks 01:00:19.480 --> 01:00:22.480 align:start position:0% well all righty thanks guys