- Critical Thinking - Bug Bounty Podcast
[HackerNotes Ep.106] Announcing our new Co-Host...
We announce our new co-host of the podcast: Joseph Thacker Aka Rez0! We also cover some cool research including doubleclickjacking, character set attacks, SVG XSS, CSPT and a bunch more. Check it out below.
Hacker TL;DR
New Co-Host Announcement: We’re excited to announce Joseph Thacker aka Rez0 as the new CTBB co-host! Welcome, Rez0!
DoubleClickjacking: A New Era of UI Redressing: Some neat research weaponizes a user's double-click sequence, allowing new UI manipulation attacks that bypass all known clickjacking protections, including the X-Frame-Options header or a SameSite: Lax/Strict cookie. Check it out below.
Xbow Validation BenchMarks: A whole repository of 100+ small, easy-to-spin-up labs used to train Xbow. Very useful to test out any automation or tooling you may be developing!
ISO-2022-JP escape sequences: Gareth Heyes casually tweeted more great research. ISO-2022-JP escape sequences can be used inside JS URLs:
<a%20href=javas%1B(Jcript:alert(1)>test</a>
Check out the PortSwigger lab here.
SVG XSS Payload: Another one from Gareth Heyes. You can use custom entities to define JavaScript URLs within SVG file types - useful when trying to bypass any WAFs or sanitisers.
curl-cffi: A library that allows you to impersonate other browsers’ TLS and HTTP/2 fingerprints. This is a neat one if you need to impersonate Chrome directly in Python.
Bypassing File Upload Restrictions To Exploit CSPT: More stellar research from Doyensec. The research highlights that it’s possible to craft files that appear to be valid formats like PDFs or images but actually contain JSON payloads. This can be abused to bypass standard file validation processes. For instance, by embedding %PDF headers within the first 1024 bytes of a JSON object, a file can pass as a PDF to the mmmagic library while remaining parseable as JSON on the client side. Check it out below.
AI-Crash-Course: An AI crash course to go from zero to an up-to-scratch understanding in two weeks. The repository contains a tonne of resources covering all verticals of AI/LLM, just about everything you’d need to know.
The White House has recently banned the use of Kaspersky products across the United States, citing concerns over potential data access risks and allegations of incorporating "backdoors" in their software.
In response, ThreatLocker®, a prominent provider of Zero Trust cybersecurity solutions, has introduced a complimentary system cyber health report. This tool offers businesses insights into their IT environments, highlighting vulnerabilities associated with foreign software. This proactive measure assists organizations in assessing and securing their software ecosystems, ensuring compliance and preemptively addressing security threats. While acknowledging national security concerns raised by foreign software, ThreatLocker® emphasizes the broader scope of vulnerabilities, exemplified by incidents like the 2020 SolarWinds attack. The ThreatLocker® cyber health report comprehensively details all applications in use, their countries of origin, and potential data access implications, promoting informed decision-making and robust security protocols.
Learn More About the ThreatLocker® Cyber Health Report Here: https://www.criticalthinkingpodcast.io/chr
New Co-Host Announcement:
The moment we’ve all been eagerly waiting for: the new co-host reveal! We’re thrilled to welcome Joseph Thacker aka Rez0 as the new co-host for CTBB!
If you aren’t familiar with Rez0, he’s got a pretty stacked resume as far as it goes. His first live hacking event was the Yahoo open scope event where his team won “Best Team” across every round. Since then, he’s been a part-time bug bounty hunter for around six years.
Interestingly, Rez0 started his bug bounty career through automation, inspired by Jason Haddix’s THMB. Recently, he’s made the leap to full-time hunting, so we’re expecting some epic war stories in the near future. If you’re thinking about joining the ranks of full-time hunters, you can catch him active in the Full-Time Hunters' Guild.
On top of that, Rez0 somewhat dabbles in AI (and that’s putting it mildly). He co-developed Shift with our very own Justin Gardner (Rhynorater) and has a bunch of cool content about AI on his blog: josephthacker.com. He’s also delved into AI hacking, so we’re unofficially dubbing him CTBB’s new subject matter expert in all things AI.
Welcome aboard, Rez0!
Who had DoubleClickjacking on their cyber security bingo card in 2025?
This research done by paulosyibelo abuses some pretty neat tricks to harvest a double-click from a user on some sort of sensitive functionality. The technique was named DoubleClickjacking, and the post gives a pretty straightforward explanation of the term:
DoubleClickjacking is a new variation on this classic theme: instead of relying on a single click, it takes advantage of a double-click sequence. While it might sound like a small change, it opens the door to new UI manipulation attacks that bypass all known clickjacking protections, including the X-Frame-Options header or a SameSite: Lax/Strict cookie. This technique seemingly affects almost every website, leading to account takeovers on many major platforms.
In terms of the exact attack sequence, it relies solely on some timing and event order quirks, as explained below:
The attacker creates an initial webpage with a button that opens a new window (or just opens a new window without user interaction).
When the user clicks this button:
A new window opens on top, asking the user to “double-click.”
This new window immediately uses window.opener.location to change the parent window’s location to the target page.
The parent window now contains the target page (e.g., OAuth authorization), while the top window still shows the double-click prompt.
When the user attempts the requested double-click:
The first click (triggered on mousedown) causes the top window to close.
The second click lands on the now-exposed authorization button in the parent window.
The user unknowingly authorizes the attacker’s application into their account with arbitrary scope.
If you’re struggling to visualise how this one works, the diagram in the blog post should help.
The impact of this kind of attack depends entirely on the functionality you are hitting. It would be incredibly useful when trying to trick the user into performing actions that could result in some form of account takeover. The research lists some high-signal areas where this is applicable, including OAuth-related functionality and one-click account changes.
Clickjacking has historically had a bad rap but that’s usually because it’s demonstrated without much impact. This research has demonstrated the impact is definitely there when combined with the functionality!
They popped Salesforce, Slack, and Shopify - all with one-click account takeovers!
Check out the full writeup and the exploit POC here: https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html#:~:text=Proof%20of%20Concept%20(PoC)%20Code
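As an added example (my own code, not from the original post or its PoC), here is a defensive gate for a sensitive control that follows directly from the event sequence above: the parent window receives the second click without ever having seen a pointer gesture of its own, because the cursor sat over the attacker’s popup until the instant it closed. The gate keeps the button default-denied until the page itself has observed a genuine mousemove/keydown and a short dwell time has passed. The `createGestureGate` name, the event list, the dwell threshold and the DOM wiring are assumptions; the decision logic is kept DOM-free so it can run outside a browser.

```javascript
// Added example: a gesture gate for sensitive buttons (e.g. an OAuth "Authorize"
// control). Not from the original post; names and thresholds are assumptions.
//
// Idea: in the DoubleClickjacking sequence the target page is loaded into the
// parent window while the cursor hovers over the attacker's popup. The popup
// closes on mousedown and the mouseup/click lands on our button, so our page
// sees a click that was not preceded by any pointer movement or key press on
// our own document. We treat such a click as untrusted.

function createGestureGate({ minDwellMs = 500, now = () => Date.now() } = {}) {
  let armedAt = null;            // timestamp of the first genuine gesture seen
  const log = [];                // event audit trail (useful for telemetry)
  const GESTURES = new Set(['mousemove', 'pointermove', 'touchmove', 'keydown']);

  // Feed a document-level event type into the gate.
  function observe(type) {
    log.push(type);
    if (GESTURES.has(type) && armedAt === null) armedAt = now();
  }

  // Decide whether a click on the protected control should be honoured.
  // Returns { allowed, reason } so the caller can log rejections.
  function evaluateClick() {
    log.push('click');
    if (armedAt === null) {
      return { allowed: false, reason: 'no-gesture' };   // never moved/typed here
    }
    if (now() - armedAt < minDwellMs) {
      return { allowed: false, reason: 'too-fast' };     // gesture and click too close
    }
    return { allowed: true, reason: 'ok' };
  }

  // Browser wiring (skipped when there is no DOM, e.g. in unit tests).
  function attach(button, onAccept) {
    if (typeof document === 'undefined') return false;
    button.disabled = true;                              // default-deny
    const arm = (e) => { observe(e.type); button.disabled = false; };
    for (const t of GESTURES) document.addEventListener(t, arm, { passive: true });
    button.addEventListener('click', (e) => {
      const verdict = evaluateClick();
      if (!verdict.allowed) {
        e.preventDefault();
        e.stopImmediatePropagation();
        console.warn('blocked click on sensitive control:', verdict.reason);
        return;
      }
      onAccept(e);
    });
    return true;
  }

  return { observe, evaluateClick, attach, history: () => log.slice() };
}

// Simulation of the sequence from the write-up, usable without a browser.
function simulateDoubleClickjack() {
  let t = 0;
  const gate = createGestureGate({ minDwellMs: 300, now: () => t });
  // The second click of the double-click lands on the parent page right after
  // the popup closes; no mousemove ever reached this document.
  const hijacked = gate.evaluateClick();
  // A legitimate user moves the mouse onto the page, then clicks a bit later.
  gate.observe('mousemove');
  t = 1000;
  const legitimate = gate.evaluateClick();
  return { hijacked: hijacked.allowed, legitimate: legitimate.allowed };
}
```

In a page you would call `createGestureGate().attach(document.getElementById('authorize'), submitAuthorization)` and ship the rejection reasons to your telemetry; a cluster of `no-gesture` rejections on an OAuth consent page is a useful detection signal for this class of UI redressing.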
XBOW released its repository of validation benchmarks. The repo contains labs for different categories of bugs, each categorised by difficulty, bug class and description.
It’s all dockerised, so very easy to spin up and use. It’s a perfect benchmark if you’re building out some automation and need a test case against which to test it.
ISO-2022-JP: the encoding everyone loves… for XSS-related reasons.
This is another great tweet from Gareth Heyes, highlighting how ISO-2022-JP escape sequences can be used inside JS URLs:
A demo lab was created, meaning you can check it out yourself here: https://portswigger-labs.net/xss/charset.php?x=%3Ca%20href=javas%1B(Jcript:alert(1)%3Etest%3C/a%3E&charset=iso-2022-jp
What’s interesting is that it also works when there is a charset without a value specified as shown here: https://portswigger-labs.net/xss/charset.php?x=$B(B%3Ca%20href=javas(Jcript:alert(1)%3Etest%3C/a%3E&charset=
The whole thread started a discussion and has some pretty cool insights and tips from other researchers too like this one - be sure to check it out!
Remember the case where the charset has no value specified? That’s a gadget worth keeping in mind.
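To make the charset trick concrete from the defender’s side, here is an added example (my own code, not Gareth’s or PortSwigger’s) that decodes the ISO-2022-JP escape sequences the way a browser will and compares a naive byte-level scheme check with one run after decoding. The decoder handles only the ASCII / JIS X 0201 Roman / two-byte switching needed to make the point. The `schemeAfterDecode` and `looksLikeIso2022Jp` names, and the heuristic that an empty charset plus ESC sequences in the body is treated as ISO-2022-JP (mirroring the empty-charset lab above), are my assumptions.

```javascript
// Added example (not from the original tweet or lab). Minimal ISO-2022-JP
// decoder: enough to show why "javas\x1b(Jcript:" reads as "javascript:" to a
// browser. ESC ( B selects ASCII, ESC ( J selects JIS X 0201 Roman (ASCII with
// 0x5C -> YEN SIGN and 0x7E -> OVERLINE), ESC $ @ / ESC $ B select two-byte
// JIS X 0208, which we collapse to U+FFFD since the glyphs do not matter here.
const ESC = 0x1b;

function decodeIso2022Jp(bytes) {
  let mode = 'ascii';
  let out = '';
  for (let i = 0; i < bytes.length; i++) {
    const b = bytes[i];
    if (b === ESC && i + 2 < bytes.length) {
      const seq = String.fromCharCode(bytes[i + 1], bytes[i + 2]);
      if (seq === '(B') { mode = 'ascii'; i += 2; continue; }
      if (seq === '(J') { mode = 'roman'; i += 2; continue; }
      if (seq === '$@' || seq === '$B') { mode = 'kanji'; i += 2; continue; }
    }
    if (mode === 'kanji') { out += '\uFFFD'; i += 1; continue; } // consume 2 bytes
    if (mode === 'roman' && b === 0x5c) { out += '\u00a5'; continue; }
    if (mode === 'roman' && b === 0x7e) { out += '\u203e'; continue; }
    out += String.fromCharCode(b);
  }
  return out;
}

// Heuristic for the "charset without a value" case above: if no charset is
// declared and the bytes carry ISO-2022 escape sequences, assume the browser
// will sniff ISO-2022-JP. (Assumption modelled on the lab, not a spec claim.)
function looksLikeIso2022Jp(bytes) {
  for (let i = 0; i + 2 < bytes.length; i++) {
    if (bytes[i] !== ESC) continue;
    const seq = String.fromCharCode(bytes[i + 1], bytes[i + 2]);
    if (seq === '(B' || seq === '(J' || seq === '$@' || seq === '$B') return true;
  }
  return false;
}

function latin1(bytes) {
  return Array.from(bytes, (b) => String.fromCharCode(b)).join('');
}

// Naive check many sanitisers do: look at the raw bytes for "javascript:".
function naiveSchemeCheck(bytes) {
  return latin1(bytes).toLowerCase().startsWith('javascript:');
}

// Hardened check: decode with the *effective* document charset first, strip the
// leading control/space characters browsers drop, then read the scheme.
function schemeAfterDecode(bytes, declaredCharset) {
  const cs = (declaredCharset || '').trim().toLowerCase();
  const useJp = cs === 'iso-2022-jp' || (cs === '' && looksLikeIso2022Jp(bytes));
  const text = useJp ? decodeIso2022Jp(bytes) : latin1(bytes);
  const cleaned = text.replace(/^[\u0000-\u0020]+/, '');
  const colon = cleaned.indexOf(':');
  return colon === -1 ? null : cleaned.slice(0, colon).toLowerCase();
}

// Constructed input: the href from the lab above, as raw bytes.
const PAYLOAD = Uint8Array.from('javas\x1b(Jcript:alert(1)', (c) => c.charCodeAt(0));
```

The takeaway for a sanitiser or WAF is that the scheme must be checked on the text the browser will actually see, which means decoding with the response’s effective charset (declared, or sniffed when it is missing) before looking for `javascript:`.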
Fun fact on this one - it was me who asked about SVG XSS when I ran out of ideas and hit a few hurdles on a target. Unfortunately, it wasn’t exploitable, but at least a cool tweet and research came out of it.
This one might be useful when you’re facing some form of sanitiser or WAF and you can introduce an SVG file type. It essentially shows that you can use custom entities to define JavaScript URLs:
The original thread can be found here: https://x.com/garethheyes/status/1876953751245783534
Another great trick from Gareth to keep in your pocket!
This is a neat one if you need to impersonate Chrome directly in Python. curl-cffi is a library that allows you to impersonate other browsers’ TLS and HTTP/2 fingerprints.
It’ll prove useful for any upcoming automation you need to build (we may have implemented it in one of Justin’s JS monitoring tools) and it is super easy to use: the API mirrors Python’s requests library:
from curl_cffi import requests

# Notice the impersonate parameter
r = requests.get("https://tools.scrapfly.io/api/fp/ja3", impersonate="chrome")
print(r.json())
# output: {..., "ja3n_hash": "aa56c057ad164ec4fdcb7a5a283be9fc", ...}
# the ja3n fingerprint should be the same as the target browser

# To keep using the latest browser version as `curl_cffi` updates,
# simply set impersonate="chrome" without specifying a version.
# Other similar values are: "safari" and "safari_ios"
r = requests.get("https://tools.scrapfly.io/api/fp/ja3", impersonate="chrome")

# To pin a specific version, use version numbers together.
r = requests.get("https://tools.scrapfly.io/api/fp/ja3", impersonate="chrome124")

# To impersonate other than browsers, bring your own ja3/akamai strings
# (replace the ellipses with real fingerprint strings). See the examples directory for details.
r = requests.get("https://tls.browserleaks.com/json", ja3=..., akamai=...)

# http/socks proxies are supported
proxies = {"https": "http://localhost:3128"}
r = requests.get("https://tools.scrapfly.io/api/fp/ja3", impersonate="chrome", proxies=proxies)

proxies = {"https": "socks://localhost:3128"}
r = requests.get("https://tools.scrapfly.io/api/fp/ja3", impersonate="chrome", proxies=proxies)
Check the full project out here: https://pypi.org/project/curl-cffi/
Another banger from Doyensec, building upon their historical research on CSPTs. If you aren’t familiar with CSPTs, their historical research is a great read and does a pretty good job of explaining CSPT in depth:
The TL;DR for CSPT is when an attacker manipulates client-side code, typically JavaScript, to traverse file paths or access unintended resources. Unlike server-side path traversal, CSPT happens all within the browser's execution environment and depends on vulnerabilities in client-side logic.
Equally, CSPT is not a vulnerability by itself; it's a gadget that has to be combined with another gadget to be useful. CSPT often results in CSRF or even XSS when combined with other gadgets.
This new research highlights exactly how other gadgets - file uploads - can be abused with client-side path traversals. The research highlights that it’s possible to craft files that appear to be valid formats like PDFs or images but actually contain JSON payloads.
This can be abused to bypass standard file validation processes. For instance, by embedding %PDF headers within the first 1024 bytes of a JSON object, a file can pass as a PDF to the mmmagic library while remaining parseable as JSON on the client side.
Similarly, placing specific magic bytes at designated offsets can trick image validation libraries into accepting malicious files. The research is cross applicable - not just for CSPT - and is a very good read. Check it out here: https://blog.doyensec.com/2025/01/09/cspt-file-upload.html
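An added example (my own, not Doyensec’s code and not the mmmagic library itself) that reproduces the failure mode described above and puts a hardened validator beside it. `searchMagic` mimics a detection rule that accepts `%PDF-` anywhere in the first 1024 bytes, which is what lets a JSON document pass as a PDF; `validateUpload` instead requires the magic at offset 0, requires it to agree with the declared Content-Type, and rejects anything that also parses as JSON. The sample polyglot, the function names and the small magic table are constructed for this example.

```javascript
// Added example; function names, magic table and sample files are assumptions.

// Magic bytes that legitimately sit at offset 0 for a few common upload types.
const MAGIC_AT_ZERO = [
  { type: 'application/pdf', magic: '%PDF-' },
  { type: 'image/png', magic: '\x89PNG\r\n\x1a\n' },
  { type: 'image/gif', magic: 'GIF87a' },
  { type: 'image/gif', magic: 'GIF89a' },
  { type: 'image/jpeg', magic: '\xff\xd8\xff' },
].map((m) => ({ type: m.type, magic: Uint8Array.from(m.magic, (c) => c.charCodeAt(0)) }));

function startsWithBytes(bytes, prefix, offset = 0) {
  if (bytes.length < offset + prefix.length) return false;
  for (let i = 0; i < prefix.length; i++) {
    if (bytes[offset + i] !== prefix[i]) return false;
  }
  return true;
}

// Lenient detector: "%PDF-" anywhere in the first 1024 bytes counts as PDF.
// This is the behaviour the research abuses; a JSON string value can carry it.
function searchMagic(bytes) {
  const head = bytes.subarray(0, 1024);
  const pdf = MAGIC_AT_ZERO[0].magic;
  for (let off = 0; off + pdf.length <= head.length; off++) {
    if (startsWithBytes(head, pdf, off)) return 'application/pdf';
  }
  for (const { type, magic } of MAGIC_AT_ZERO) {
    if (startsWithBytes(bytes, magic)) return type;
  }
  return null;
}

// Strict detector: magic must sit at offset 0. A JSON document has to begin
// with whitespace, '{', '[', '"', a digit, '-', 't', 'f' or 'n', so it can never
// satisfy any of the signatures above.
function strictDetect(bytes) {
  for (const { type, magic } of MAGIC_AT_ZERO) {
    if (startsWithBytes(bytes, magic)) return type;
  }
  return null;
}

function parsesAsJson(bytes) {
  try {
    JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
    return true;
  } catch {
    return false;
  }
}

// Hardened upload check:
//  1. the file's offset-0 magic must be recognised,
//  2. it must match the Content-Type the client claims,
//  3. the body must not also be a JSON document (defence in depth for any
//     format added later whose signature is not anchored at offset 0).
function validateUpload(bytes, declaredType) {
  const detected = strictDetect(bytes);
  if (detected === null) return { ok: false, reason: 'unrecognised-magic' };
  if (detected !== declaredType) return { ok: false, reason: 'type-mismatch', detected };
  if (parsesAsJson(bytes)) return { ok: false, reason: 'json-polyglot', detected };
  return { ok: true, detected };
}

// Constructed samples (not real files from the research).
const POLYGLOT = Uint8Array.from('{"title":"%PDF-1.7 report","items":[1,2]}', (c) => c.charCodeAt(0));
const REAL_PDF = Uint8Array.from('%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n', (c) => c.charCodeAt(0));
const REAL_PNG = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
```

Whatever the validator decides, the stored file should also be served with a fixed Content-Type and `X-Content-Type-Options: nosniff`, so that even a file which slips through is never interpreted by the client as anything other than what the server says it is.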
As I said earlier, we now have our community subject matter expert on AI, and he dropped an AI crash course repository on the pod for y’all.
This is a solid list of resources to go from 0 understanding to full comprehension of how AI engineering works. The idea is it can be completed in 2 weeks (though I imagine you’d have to free up your social schedule to do that) and it looks pretty comprehensive:
I’ll most definitely be going through some of the resources at some point to level up my AI game. You can check out the full repository here: https://github.com/henrythe9th/AI-Crash-Course?tab=readme-ov-file
That’s all we have for this week. Some solid research, tips and takeaways.
As always, keep hacking!