Episode 135: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Ryan Barnett for a deep dive on WAFs. We also recap his Exploiting Unicode Normalization talk from DEFCON, and get his perspective on bug hunting from his time at Akamai.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today’s Sponsor - ThreatLocker. Checkout ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect
Today’s Guest: https://x.com/ryancbarnett
====== Resources ======
Accidental Stored XSS Flaw in Zemanta 'Related Posts' Plugin for TypePad
https://webappdefender.blogspot.com/2013/04/accidental-stored-xss-flaw-in-zemanta.html
XSS Street-Fight
https://media.blackhat.com/bh-dc-11/Barnett/BlackHat_DC_2011_Barnett_XSS%20Streetfight-Slides.pdf
Blackhat USA 2025 - Lost in Translation: Exploiting Unicode Normalization
====== Timestamps ======
(00:00:00) Introduction
(00:02:49) Accidental Stored XSS in Typepad Plugin
(00:06:34) Chatscatter & Abusing third party Analytics
(00:11:42) Ryan Barnett Introduction
(00:21:11) Virtual Patching & WAF Challenges
(00:40:39) AWS API Gateways & Whitelisting Bug Hunter Traffic
(00:49:59) Lost in Translation: Exploiting Unicode Normalization
(01:11:29) CSPs at the WAF level & 'Bounties for Bypass'
Popular Podcasts
NFL Daily with Gregg Rosenthal
Gregg Rosenthal and a rotating crew of elite NFL Media co-hosts, including Patrick Claybon, Colleen Wolfe, Steve Wyche, Nick Shook and Jourdan Rodrigue of The Athletic get you caught up daily on all the NFL news and analysis you need to be smarter and funnier than your friends.
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com