[HackerNotes Ep. 149]: DEF CON 33 Recap - Wildcards, Passkeys, DOM-Clobbering and More
In this episode of CTBB podcast, Justin and Joseph dive into the most interesting talks from DEF CON 33, covering everything from AI agent exploitation to hardware supply chain attacks.
Hacker TLDR;
Unicode Surrogates → Wildcards: Unicode surrogate pairs can normalize to ? characters, which become wildcards in Solr/Elasticsearch - enabling search result manipulation.
Expo's AI Cost Optimization: AI costs dropped 76% between Gemini Pro 1.5 launches, then another 86% - don't let cost fears stop you from building AI tooling.
Target Suggested Prompts: AI apps with "suggested prompts" (like "summarize my week") make better PoCs than random queries - they're expected user behavior and mirror the model's response patterns.
DOM Clobbering at Scale: New research found ~500 zero-days via automated DOM clobbering detection in Webpack, Vite, and other bundlers - requires HTML injection but gadgets are everywhere.
Unicode Normalization: From Emoji to Wildcards
A new research piece from the Critical Research Lab submitted by Krzysztof Balas (@zerodaykb) covers how Unicode surrogates (commonly used in emojis) can be used to bypass strict validation.
As UTF-8 parsers can't display surrogates, they are replaced with the replacement character (that ? inside a diamond character). Some parsers will then normalize this character to a question mark (?).
And, in Solr and Elasticsearch, that question mark becomes a wildcard character.
The Attack Flow:
Unicode surrogate code points such as \udc2a are inserted into a search query.
The database normalizes it to ?.
The ? is interpreted as a wildcard.
Attacker can manipulate search results and potentially leak data.
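The flow above, reproduced next to a boundary check that stops it. This is an added example, not code from the write-up: the function names and the sample term are constructed, and downstreamNormalize is a stand-in for the parser behaviour described, not Solr or Elasticsearch code.

```javascript
// Added example: inputs are constructed; function names are hypothetical.

// Unpaired surrogate: a high one with no low after it, or a low one with no high before it.
const LONE_SURROGATE =
  /[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?<![\uD800-\uDBFF])[\uDC00-\uDFFF]/;
const REPLACEMENT = '\uFFFD';

// Step 1 of the flow: UTF-8 cannot carry a lone surrogate, so encoding
// substitutes U+FFFD (the "? in a diamond").
function utf8RoundTrip(s) {
  return new TextDecoder().decode(new TextEncoder().encode(s));
}

// Step 2, modelled: a downstream parser that rewrites U+FFFD as "?".
function downstreamNormalize(s) {
  return utf8RoundTrip(s).replace(/\uFFFD/g, '?');
}

// Weak check: looks for wildcard characters in the raw input only.
function naiveValidate(term) {
  return !/[?*]/.test(term);
}

// Hardened check: refuse ill-formed Unicode at the boundary, then
// backslash-escape the Lucene wildcard characters in what is left.
function safeTerm(term) {
  if (LONE_SURROGATE.test(term) || term.includes(REPLACEMENT)) {
    throw new RangeError('ill-formed Unicode in search term');
  }
  return term.replace(/[\\?*]/g, '\\$&');
}

// Constructed search term carrying a lone low surrogate.
const constructed = 'adm\udc2an';
console.log('naive check passes:', naiveValidate(constructed));
console.log('backend sees:', downstreamNormalize(constructed));
```

Well-formed emoji (a complete surrogate pair) pass safeTerm unchanged; only unpaired surrogates and a literal U+FFFD are refused.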
Read the full write-up: https://lab.ctbb.show/research/unicode-surrogates-to-replacement-characters
Low surrogate reference: https://jrgraphix.net/r/Unicode/DC00-DFFF
High surrogate reference: https://jrgraphix.net/r/Unicode/D800-DB7F
DEF CON 33 Talks to Watch
Save these to a playlist you actually watch.
Building XBOW's AI Agent
Due to technical difficulties at DEFCON, the XBOW team couldn't present their talk. However, the presentation is available on the Bug Bounty Village YouTube Channel: Prompt. Scan. Exploit - AI's Journey Through Zero-Days And A Thousand Bugs
In the video, Joel Noguera (@niemand_sec) and Diego Jurado (@djurado9) share hard-won challenges in building an AI-powered bug hunting agent.
Takeaway: Make sure to watch if you're developing your own.
Breaking Into Cloud VPNs
David Cash and Rich Warren (@buffaloverflow) presented research on compromising leading zero-trust VPN solutions (including Zscaler, Netskope, and Check Point) in their presentation: Zero Trust, Total Bust: Breaking into Thousands of Cloud-Based VPNs with One Bug
Takeaways:
When testing SaaS apps, Google for or ask AI: "What's the pre-auth config URL for [application]?"
When testing for SAML vulnerabilities:
Create your own tenant, generate a valid SAML assertion, swap user/org fields.
Modify user IDs, email addresses, org identifiers, etc. to test for unvalidated fields.
Have an LLM write scripts to sign SAML assertions for you - the crypto complexity is no longer a barrier.
Read the accompanying blog post: Breaking Into Your Network? Zer0 Effort. - DEF CON 33 Overview
GraphQL Access Control
Bogdan Tiron's presentation Examining Access Control Vulnerabilities in GraphQL provides a solid overview of GraphQL testing methodology.
Justin highlights the distinction between:
BOLA (Broken Object Level Authorization): You can access objects you shouldn't.
BOPLA (Broken Object Property Level Authorization): You can access the object, but you shouldn't see certain properties.
Example:
query {
  user(id: "justin") {
    email          # ✓ Should be visible on profile.
    passwordHash   # ✗ Should NOT be accessible.
    resetToken     # ✗ Should NOT be accessible.
  }
}
Takeaway: Test additional properties that you've discovered from other requests or introspection.
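On the defending side, BOPLA is closed by authorizing each property rather than each object. The sketch below is an added example, not code from the talk: the policy shape, the viewer object and the phone field are hypothetical, and the record is constructed.

```javascript
// Added example: policy shape, viewer object and the "phone" field are hypothetical.

// Per-field rules for the User type. A field with no rule is denied, so a
// new column on the model is not exposed until someone writes a rule for it.
const USER_FIELD_POLICY = {
  id: () => true,
  email: () => true,                               // public on the profile
  phone: (viewer, user) => viewer.id === user.id,  // owner only
  // passwordHash, resetToken: no rule on purpose, never served by the API
};

// Resolve only the requested fields the viewer may read; report the rest.
function resolveUser(viewer, user, requestedFields) {
  const data = {};
  const denied = [];
  for (const field of requestedFields) {
    // hasOwnProperty keeps names like "constructor" from matching inherited members.
    const rule = Object.prototype.hasOwnProperty.call(USER_FIELD_POLICY, field)
      ? USER_FIELD_POLICY[field]
      : null;
    if (rule && rule(viewer, user)) data[field] = user[field];
    else denied.push(field);
  }
  return { data, denied };
}

// Regression check: feed in property names seen elsewhere (other responses,
// introspection) and list any sensitive ones a given viewer gets back.
function leakedFields(viewer, user, candidates, sensitive) {
  const { data } = resolveUser(viewer, user, candidates);
  return Object.keys(data).filter((f) => sensitive.includes(f));
}

// Constructed record and viewers.
const justin = { id: 'justin', email: 'justin@example.test', phone: '555-0100',
                 passwordHash: '<constructed>', resetToken: '<constructed>' };
const other = { id: 'joseph' };
const asked = ['email', 'phone', 'passwordHash', 'resetToken', 'constructor'];

console.log(resolveUser(other, justin, asked));
console.log(leakedFields(other, justin, asked, ['passwordHash', 'resetToken']));
```

Running leakedFields in CI with the property names collected from other responses turns the takeaway above into a standing test: any non-empty result is a property-level authorization regression.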
Smart Bus, Dumb Security
Chai-Lin Yu and Kai-Ching Wang cover 10 different vulnerabilities they discovered in public transit systems in their presentation: Smart Bus Smart Hacking: From Free WiFi to Total Control
They were able to manipulate the onboard LED displays, steal driver and passenger information, penetrate the backend API servers, and more.
Takeaway: Untested systems (outside the bug bounty/pentest hardening cycle) are often trivially vulnerable. The security posture gap between bug bounty programs and the real world is massive. Also, test for default credentials, they're still in use out there.
Pwning Passkeys
Shourya Pratap Singh, Jonny Lin, and Daniel Seetoh demonstrate how malicious browser extensions can exploit passkeys in their presentation: Passkeys Pwned: Turning WebAuthn Against Itself
Takeaways:
Scripts can shim navigator.credentials API calls to intercept passkey registration and authentication.
Many applications require the current password to change password, but DON'T require additional auth to add a passkey.
View the accompanying blog post: Recap of Our “Passkeys Pwned” Talk at DEF CON
View the accompanying slides: DEFCON Media Server
Intention Matters
Qidan He demonstrates how the LaunchAnywhere vulnerability has been reborn due to insufficient checks in privileged code in Android in his talk: Dead Made Alive Again: Bypassing Intent Destination Checks and Reintroducing LaunchAnyWhere Privilege Escalation
Takeaways:
Even if an intent is checked and deemed safe at one point, its resolution might change by the time it's actually launched, creating a window for privilege escalation.
Qidan even provides a prompt for how to find the bug using AI.
View the accompanying blog post: BadResolve: Bypassing Android's Intent Checks to Resurrect LaunchAnyWhere Privilege Escalations
View the accompanying slides: DEFCON Media Server
Save the Date: Calendar Injection
In their talk Invoking Gemini Agents with a Google Calendar Invite, Ben Nassi (@ben_nassi), Or Yair (@oryair1999), and Stav Cohen introduce "targeted promptware attacks". The trio demonstrates 15 different exploitations of agent hijacking in the three most used Gemini for Workplace assistants.
By sending malicious invitations with prompt injections, an attacker can hijack the application context and invoke the integrated agents to exploit their permissions to carry out malicious actions.
Takeaways:
By mirroring the model's expected language, you can convince it that instructions are part of its own response.
Finding vulnerabilities in suggested prompts shows clear impact, as they are expected, pre-programmed functionality.
View the accompanying blog post: Invitation Is All You Need! Promptware Attacks Against LLM-Powered Assistants in Production Are Practical and Dangerous
View the accompanying slides: DEFCON Media Server
DOM Clobbering: Automated Gadget Discovery
Zhengyu Liu and Jianjia Yu, PhD students at Johns Hopkins University, presented a systematic approach to DOM clobbering and HTML injection exploitation in their talk: The DOMino Effect: Automated Detection and Exploitation of DOM Clobbering Vulnerability at Scale
Their research amounted to an automated tool named Hulk and 497 zero-day DOM clobbering gadgets in the Tranco Top 5,000 and over 200 websites vulnerable to HTML injection. Widely used libraries including the Google Client API, Webpack, Vite, and popular applications such as Jupyter Notebook/JupyterLab, HackMD.io, and Canvas LMS were affected.
View the accompanying slides: Dom Clobbering Collection by Jack from East
View the accompanying research paper: https://jackfromeast.github.io/assets/DOMinoEffect.pdf
Supply Chain: Backdoored Returns
In his talk Smart Devices, Dumb Resets: Testing Firmware Persistence in Commercial IoT, Matei Josephs recounts how easy it was to poison the supply chain of commercial IoT devices.
By flashing firmware on purchased IoT devices and returning them to the retailer, Josephs was able to prove retailers shipped backdoored devices to new customers with zero validation.
Although the PoC was harmless (simple GET requests to his server), the implications are severe: buying IoT devices and routers from retail stores carries backdoor risk.
Takeaway: If you can persist through a factory reset on an IoT device, that's a valid vulnerability for many IoT bug bounty programs.
SSO Sin
Shang-De Jiang, Dong-Yi Ye, and Tung-lin Lee collaborated on research into Microsoft’s SSO implementation within the Intune Company Portal for macOS. In their talk, Original Sin of SSO: macOS PRT Cookie Theft & Entra ID Persistence via Device Forgery, they demonstrate how attackers can bypass validation and obtain authentication tokens in flows between Windows and macOS.
Takeaway: If you want to deeply understand SSO flows and implementations, check out this talk for its diagrams and explanations.
Closing Thoughts
DEF CON 33 showcased the continuing evolution of hacking:
AI is both tool and target: Using AI to find bugs (XBOW) while also exploiting AI systems (Gemini injection).
Old vulnerabilities, new contexts: SAML breaks, race conditions, and supply chain attacks remain relevant.
Formalization unlocks scale: The DOM clobbering research shows how formalizing attack patterns enables automated discovery.
Delivery matters: From prompt injection to intent URIs, finding creative delivery mechanisms separates theoretical bugs from practical exploits.
And as always, keep hacking!