Critical Thinking - Bug Bounty Podcast

Episode 85: Practical Applications of DEFCON 32 Web Research

Aug 22, 2024
In this discussion, security researcher Orange Tsai dives into web application vulnerabilities uncovered at DEFCON 32. He shares insights on innovative timing attacks and cache exploitation techniques. The conversation shifts to the practicalities of parsing email addresses, highlighting SMTP injection risks. Tsai also addresses the relevance of legacy protocols and their modern exploits. Lively anecdotes about DEFCON and unique collectibles add a light-hearted touch, making complex topics more engaging.
ADVICE

Use Lower Quartile for Timing

  • Use the lower quartile of response times for timing attacks to reduce noise from server load spikes.
  • This approach improves accuracy by focusing on the fastest, most consistent responses.
INSIGHT

Targeted Timing Attacks Importance

  • Timing attacks require very targeted methods, especially on highly secure systems.
  • Such attacks become critical in fringe and finely tuned environments.
INSIGHT

Scoped SSRF Concept

  • "Scoped SSRF" is a new SSRF variant limited to subdomains, often caused by reverse proxy misconfigurations.
  • It enables attackers to pivot internally by exploiting allowed subdomain restrictions.