[bounty] Reading GitLab Hidden HackerOne Reports and Golang Parameter Smuggling

Published: Sept. 20, 2022, 8 p.m.

We are back at it, covering some write-ups and exploits we found  interesting this summer. From browse-powered desyncs, to account take  overs. 

\n

 Links are available on our website at:  https://dayzerosec.com/podcast/reading-gitlab-hidden-hackerone-reports-and-golang-parameter-smuggling.html 

\n


\n[00:02:17] Ridiculous vulnerability disclosure process with CrowdStrike Falcon Sensor
\n[00:15:03] [GitLab] Able to view hackerone report attachments
\n[00:26:59] Forwarding addresses is hard [CVE-2022-31813]
\n[00:32:18] "ParseThru" \u2013 Exploiting HTTP Parameter Smuggling in Golang
\n[00:46:41] Browser-Powered Desync Attacks
\n[01:09:30] Scraping the bottom of the CORS barrel (part 1)