Episode 110: Oauth Gadget Correlation and Common Attacks

Episode 110: In this episode of Critical Thinking - Bug Bounty Podcast we hit some quick news items including a DOMPurify 3.2.3 Bypass, O3 mini updates, and a cool postLogger Chrome Extension. Then, we hone in on OAuth vulnerabilities, API keys, and innovative techniques hackers use to exploit these systems.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: [email protected] to https://x.com/realytcracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!====== Resources ======DOMPurify 3.2.3 BypassJason Zhou's post about O3 miniLive Chat Blog #2: Cisco Webex ConnectpostLogger Chrome ExtensionpostLogger Webstore LinkCommon OAuth VulnerabilitiesnOAuth: How Microsoft OAuth Misconfiguration Can Lead to Full Account TakeoverAccount Takeover using SSO LoginsKai Greshake====== Timestamps ======(00:00:00) Introduction(00:01:44) DOMPurify 3.2.3 Bypass(00:06:37) O3 mini(00:10:29) Ophion Security: Cisco Webex Connect(00:15:54) Discord Community News(00:19:12) postLogger Chrome Extension(00:21:04) Common OAuth Vulnerabilities & Lessons learned from Google’s APIs