Episode 132: Archive Testing Methodology with Mathias Karlsson
- Author
- Justin Gardner (Rhynorater) & Joseph Thacker (Rez0)
- Published
- Thu 24 Jul 2025
- Episode Link
- https://rss.com/podcasts/ctbbpodcast/2133869
Episode 132: In this episode of Critical Thinking - Bug Bounty Podcast, Justin Gardner is joined by Mathias Karlsson to discuss vulnerabilities associated with archives. They talk about his new tool, Archive Alchemist, and explore topics like the significance of Unicode paths, symlinks, and TAR before they end up talking about Charsets again..
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord!
You can also find some hacker swag at https://ctbb.show/merch!
Today's Sponsor: ThreatLocker - Patch Management
Today’s Guest: Mathias Karlsson
====== This Week in Bug Bounty ======
Swiss Post's 2025 Public Intrusion Test starts on July 28
Hack the Hacker Series - AI Vulnerabilities and Bug Bounties
A Novel Technique for SQL Injection in PDO’s Prepared Statements
How We Accidentally Discovered a Remote Code Execution Vulnerability in ETQ Reliance
====== Resources ======
Hacking Livestream #53: The ZIP file format
====== Timestamps ======
(00:00:00) Introduction
(00:10:04) Archive Alchemist
(00:36:05) Unicode Extensions, normalization, and confusion attacks on Zip parsers
(00:48:44) Character Sets
(01:01:49) 7zip & File Names
(01:06:44) Path Traversal, Symlinks & Identifying Techniques
(01:36:05) Hardlinks and TAR
