Justin Gardner (Rhynorater), Joseph Thacker (Rez0), & Brandyn Murtagh (gr3pme)
Episode 176: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by top Adobe hacker Jim Green to deep-dive AEM. We talk through Sling selectors, Permissions, and how to spot AEM Red Flags.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme
Critical Research Lab: https://lab.ctbb.show/
Need a Pentest? We just launched CTBB Pentests! https://pentest.ctbb.show/
Hack full time? Check out the Full-Time Hunter’s Guild! https://ctbb.show/fthg

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor: Adobe. Earn more for AI bugs with Adobe’s new AI Tier! https://blog.adobe.com/security/adobe-expands-bug-bounty-program-to-incentivize-ai-security-research
Also don’t forget to grab a 10% bonus for valid AI vulnerabilities in Adobe Stock and Lightroom Web. Use code: CTBB063026 in your report. Expires June 30, 2026.

====== This Week in Bug Bounty ======
Scaling Bug Bounty triage in the AI era https://www.yeswehack.com/security-best-practices/scaling-bug-bounty-triage-ai
The AI impact: a triager’s perspective https://www.intigriti.com/blog/business-insights/the-ai-impact-a-triagers-perspective

====== Resources ======
Sling Selectors - The Key to Unlocking AEM's Attack Surface https://greenjam.co.uk/blog/sling-selectors/
Just a Moment CTF https://poc.greenjam.co.uk/just-a-moment.html
General XSS jquery .text() https://poc.greenjam.co.uk/text-xss.html
URL XSS Challenge https://poc.greenjam.co.uk/url-xss.html

====== Timestamps ======
(00:00:00) Introduction
(00:04:35) Background and AEM Bug
(00:17:40) Sling Selectors & the Tech Stack
(00:38:14) Permissions & Apache Sling Resolution
(01:01:37) The Bugs & AEM Red Flags
(01:31:55) Moment in Time CTF
(01:40:38) General XSS jquery .text()
(01:45:45) URL XSS Challenge
Episode 175: In this episode of Critical Thinking - Bug Bounty Podcast we’re comparing Hackbot setups and results. We also talk about some of the recent ZDI drama, as well as the importance of freaking beautiful POCs.

Today's Sponsor: Check out Zero Trust Cloud Access from ThreatLocker https://www.criticalthinkingpodcast.io/tl-ztca

====== Resources ======
Another day, another universal linux LPE https://x.com/v12sec/status/2054491454064746629
ZDI Drama https://x.com/ryotkak/status/2052881664909660521
Orange Tsai Bug on Edge https://x.com/thezdi/status/2054868495888777266
Chompie's Exploit in NV Container Toolkit https://x.com/chompie1337/status/2054882193055601140
GitHub Security April bug bounty stats https://x.com/GitHubSecurity/status/2054274356403138932

====== Timestamps ======
(00:00:00) Introduction
(00:02:14) q param prompt injection & Mobile CSPT
(00:14:17) Admin API Key MegaCrit
(00:17:13) Hackbots
(00:37:10) Pretty POCs and ZDI Drama
(00:44:48) GitHub Security April Stats
Episode 174: In this episode of Critical Thinking - Bug Bounty Podcast we follow up from last episode with some advice for BB platforms, as well as cover a slew of writeups from Searchlight Cyber, watchTowr, and Starstrike.

====== This Week in Bug Bounty ======
COST, AI frontier models and more: A measured take on the future of security testing https://www.yeswehack.com/security-best-practices/cost-mythos-future-security-testing
Common AI misconceptions debugged! https://www.intigriti.com/blog/business-insights/common-misconceptions-debugged#trend-3-validity-ratios-remain-constant-ai-slop-isnt-rising-as-a-proportion
BountySync + Social https://luma.com/bountysync_social

====== Resources ======
Ghosts of Encryption Past https://slcyber.io/research-center/ghosts-of-encryption-past-salesforce-exacttarget/
tessl Skill Optimizer https://tessl.io/registry/tessl/skill-optimizer/0.8.0
The Internet Is Falling Down, Falling Down, Falling Down https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/
High Fidelity Check for the cPanel Authentication Bypass https://slcyber.io/research-center/high-fidelity-check-for-the-cpanel-authentication-bypass-cve-2026-41940/
Achieving Deterministic Prompt Injection Through Client-Side Feedback Loops https://blog.starstrike.ai/posts/achieving-deterministic-prompt-injection-through-client-side-feedback-loops/
GPT-5.5: Mythos-Like Hacking, Open To All https://xbow.com/blog/mythos-like-hacking-open-to-all
Remote Command Execution in Google Cloud with Single Directory Deletion https://flatt.tech/research/posts/remote-command-execution-in-google-cloud-with-single-directory-deletion/?utm_source=bugbountydaily.com&utm_medium=referral

====== Timestamps ======
(00:00:00) Introduction
(00:09:20) AMPScript
(00:25:10) Tessl Skill Optimizer
(00:33:07) cPanel & WHM Authentication Bypass
(00:40:46) Advice for Bug Bounty Programs
(00:50:07) Prompt Injection Through Client-Side Feedback Loops
(00:54:37) GPT 5.5
(01:01:00) Remote Command Execution in Google Cloud
Episode 173: In this episode of Critical Thinking - Bug Bounty Podcast we’re talking about the negative effects that AI is having on the Bug Bounty scene as a whole. Is it over, or are we so back?

Today's Sponsor: Check out Zero Trust Cloud Access: https://www.criticalthinkingpodcast.io/tl-ztca

====== Resources ======
We want your feedback on this! https://forms.ctbb.show/future_of_bug_bounty
Evolving the Android & Chrome VRPs for the AI Era https://bughunters.google.com/blog/evolving-the-android-chrome-vrps-for-the-ai-era
Paid Submissions? https://x.com/d0rsky/status/2047744193976742120
Keep the Robots Out of the Gym https://danielmiessler.com/blog/keep-the-robots-out-of-the-gym
Is my data used for model training? https://privacy.claude.com/en/articles/10023580-is-my-data-used-for-model-training

====== Timestamps ======
(00:00:00) Introduction
(00:06:28) Network effects of Bug Bounty
(00:31:55) Hopium/Copium
(00:47:21) The Great Training Data Debate
Episode 172: In this episode of Critical Thinking - Bug Bounty Podcast we’re trying out a new episode structure: a meta-analysis of sorts of many Source Code Review techniques. This episode features tips gathered from Shubs, Rafax, and FSI. Justin highlights best approaches, patterns, and common pitfalls.

Today’s Sponsor: Adobe - Get 10% bonus for valid AI vulnerabilities in Adobe Stock and Lightroom Web. Use code: CTBB063026 in your report. Expires June 30, 2026.

====== This Week in Bug Bounty ======
Open-source security testing: the Bug Bounty guide to code analysis https://www.yeswehack.com/learn-bug-bounty/open-source-guide-code-analysis?utm_source=youtube&utm_medium=sponsor-critical-thinking&utm_campaign=open-source-guide-code-analysis

====== Resources ======
Abusing Windows, .NET quirks, and Unicode Normalization to exploit DNN (DotNetNuke) https://slcyber.io/research-center/abusing-windows-net-quirks-and-unicode-normalization-to-exploit-dnn-dotnetnuke/#:~:text=across%20different%20languages.-,A%20MUST%2DKNOW%20BEHAVIOUR%20OF%20PATH.COMBINE,-Another%20key%20implementation

====== Timestamps ======
(00:00:00) Introduction
(00:06:49) Tracing Data Flow, knowing where your payload is landing, and developer mistakes
(00:17:33) Mapping the software
(00:24:46) Sniffing for blood
(00:31:54) Common Patterns and Pitfalls
Episode 171: In this episode of Critical Thinking - Bug Bounty Podcast Justin gives us some quick tips from his own hacking, including some clickjacking, using capital letters, and the potential value of leaking ages.

Today's Sponsor: Check out ThreatLocker Ringfencing https://www.criticalthinkingpodcast.io/tl-rf

====== Resources ======
The ultimate Bug Bounty guide to OS command injection vulnerabilities https://www.yeswehack.com/learn-bug-bounty/ultimate-guide-os-command-injection?utm_source=critical-thinking-podcast&utm_medium=youtube&utm_campaign=article-os-command-injection
Critical auth bypass in WordPress Azure AD SSO plugin due to missing OIDC id_token validation https://www.yeswehack.com/news/auth-bypass-wordpress-azure-plugin?utm_source=critical-thinking-podcast&utm_medium=youtube&utm_campaign=article-wordpress-bypass-plugin
Aituglo featured on YWH https://www.yeswehack.com/community/developer-aituglo-bug-bounty-story
Adobe will be sponsoring Ekoparty in Miami and hosting a live hacking event on May 21st https://ekoparty.org/ekoparty-miami-2026-super-live-hacking-event/
SVG clickjacking https://lyra.horse/blog/2025/12/svg-clickjacking/

====== Timestamps ======
(00:00:00) Introduction
(00:06:35) Protobuf XSS
(00:12:51) Leaking Age & CSPTs
(00:15:59) Capital Letters and Clickjacking
Episode 170: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph recap their trip to Korea with some quick takeaways from the LHE.

====== Timestamps ======
(00:00:00) Introduction
(00:01:41) Google LHE Debrief
(00:09:27) Old AI Exfils & AI report writing
(00:18:14) Human Tokens
(00:26:13) Protoscope & Caido Websocket Repeater
Episode 169: In this episode of Critical Thinking - Bug Bounty Podcast gr3pme goes over some of the changes from OAuth 2.0 vs 2.1 and how Hackers can capitalize.

Today's Sponsor: Check out ThreatLocker Ringfencing https://www.criticalthinkingpodcast.io/tl-rf

====== This Week in Bug Bounty ======
Intigriti is providing free Burp Pro for Hackers! https://www.intigriti.com/blog/news/intigriti-collaborates-with-portswigger-to-support-ethical-hacking-excellence

====== Resources ======
Django-allauth Account Takeover (ZeroPath Audit) https://zeropath.com/blog/django-allauth-account-takeover-vulnerabilities
CVE-2025-4144: Cloudflare Workers PKCE Bypass https://github.com/cloudflare/workers-oauth-provider/security/advisories/GHSA-qgp8-v765-qxx9
CVE-2025-54576: OAuth2-Proxy Auth Bypass https://zeropath.com/blog/cve-2025-54576-oauth2-proxy-auth-bypass

====== Timestamps ======
(00:00:00) Introduction
(00:02:16) OAuth 2.0 Standards
(00:12:08) Agent to Agent Communication
(00:17:19) CVE Case studies
Episode 168: In this episode of Critical Thinking - Bug Bounty Podcast we’re getting a visit from the XSS Doctor. Jonathan joins us to go through his Client-side workflow, run labs, and diagnose some bugs live.

Today’s Guest: https://x.com/xssdoctor

====== Resources ======
The Dot-Dot-Slash That Frameworks Hand You: CSPT Across Every Major Frontend Framework https://lab.ctbb.show/research/the-dot-dot-slash-that-frameworks-hand-you
URL validation bypass cheat sheet https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet

====== Timestamps ======
(00:00:00) Introduction
(00:01:37) Home Automation AI Hack & E-signature bug stories
(00:12:15) E-signature bug
(00:17:01) XSS DR Intro and Bug Bounty Journey
(00:31:51) CSPT Workflows
(01:07:57) Wildcard Path Parameters
(01:30:34) Custom Sinks
Episode 167: In this episode of Critical Thinking - Bug Bounty Podcast we welcome Valeriy Shevchenko to talk about program management, anchor programs, and Theft in Bug Bounty.

Today's Sponsor: Check out ThreatLocker Ringfencing https://www.criticalthinkingpodcast.io/tl-rf
Today’s Guest: https://x.com/Krevetk0Valeriy

====== This Week in Bug Bounty ======
HackerOne’s Bug Bounty Maturity Framework: https://www.hackerone.com/blog/program-maturity-framework-bug-bounty-operations
Intigriti is hiring a Product Security Analyst https://jobs.criticalthinkingpodcast.io/jobs/product-security-analyst-25ef4706

====== Resources ======
Valeriy’s Blog https://krevetk0.medium.com/

====== Timestamps ======
(00:00:00) Introduction
(00:03:15) Valeriy's Bug story
(00:19:48) Anchor Programs and Bug Hunting Motivation
(00:29:50) Stealing Bugs
Episode 166: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Rez0’s Claude Skill Secrets, when AI Generated reports fall apart, and agents vs filters.

Today’s Sponsor: Adobe

====== This Week in Bug Bounty ======
Intigriti launched their ambassadors program. https://www.intigriti.com/ambassador
Adobe will be at Hack The Bay https://www.hackthebay.org/
Bug Bounty Maturity Framework https://bugbountymaturity.com/

====== Resources ======
h1-brain https://github.com/PatrikFehrenbach/h1-brain
caido skills http://github.com/caido/skills
Tweet from Karpathy https://x.com/karpathy/status/2031767720933634100?s=20
Find every inefficiency in your Claude workflow with one prompt https://x.com/shannholmberg/status/2030605364421595468

====== Timestamps ======
(00:00:00) Introduction
(00:08:28) Claude skills
(00:30:00) How AI Generated reports fall apart
(00:38:44) Orchestration
(00:49:10) Agents vs Folders
Episode 165: In this episode of Critical Thinking - Bug Bounty Podcast Justin recaps his Zero Trust World experience, before we dive into permissions issues in client-side bugs, new Hardware Hacking Classes, and using AI to hack.

Today's Sponsor: Check out ThreatLocker Ringfencing https://www.criticalthinkingpodcast.io/tl-rf

====== Resources ======
bbscope Update https://x.com/sw33tLie/status/2029344643154919720
Matt Brown's Youtube Channel https://www.youtube.com/channel/UC3VDCeZYZH7mCihtMVHqppw
Matt's Twitter: https://x.com/nmatt0
MCP server for HackerOne to search reports https://x.com/OriginalSicksec/status/2029503063095124461?s=20
Caido Skills https://github.com/caido/skills
The Agentic Hacking Era: Ramblings and a Tool https://josephthacker.com/hacking/2026/03/06/the-agentic-hacking-era.html
Announcing AI-driven Caido https://caido.io/blog/2026-03-06-caido-skill

====== Timestamps ======
(00:00:00) Introduction
(00:06:23) bbscope report dumping & Matt Brown Training
(00:13:10) MCP server for HackerOne to search reports & protobuf success
(00:24:24) Hacking Mics with permissions issues in client-side bugs
(00:27:26) Can AI Hack things?
Episode 164: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Tommy DeVoss to talk about his origin story, Yahoo bugs, and how Tommy first got Justin into Bug Bounty.

Today’s Guest: https://x.com/thedawgyg

====== This Week in Bug Bounty ======
Python pitfalls: Turning developer mistakes into vulnerabilities https://www.yeswehack.com/learn-bug-bounty/python-pitfalls-turning-developer-mistakes?utm_source=critical-thinking&utm_medium=sponsored&utm_campaign=article-research-python-pitfalls

====== Timestamps ======
(00:00:00) Introduction
(00:06:22) Yahoo SSRF
(00:14:56) Tommy's Origin
(00:44:10) Bug Bounty
(00:51:47) SSRF Attraction, AI implementation, & Browser Hacking
Episode 163: In this episode of Critical Thinking - Bug Bounty Podcast, it’s that time of year again! We’re looking at the Portswigger Research list of top 10 web hacking techniques of 2025.

====== Resources ======
Parser Differentials: When Interpretation Becomes a Vulnerability https://www.youtube.com/watch?v=Dq_KVLXzxH8
XSS-Leak: Leaking Cross-Origin Redirects https://blog.babelo.xyz/posts/cross-site-subdomain-leak/
Playing with HTTP/2 CONNECT https://blog.flomb.net/posts/http2connect/
Next.js, cache, and chains: the stale elixir https://zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixir
SOAPwn: Pwning .NET Framework Apps Through HTTP Client Proxies And WSDL https://watchtowr.com/wp-content/uploads/SOAPwnwatchtowr_soappwn-research-whitepaper_10-12-2025.pdf
Cross-Site ETag Length Leak https://blog.arkark.dev/2025/12/26/etag-length-leak
Lost in Translation: Exploiting Unicode Normalization https://www.youtube.com/watch?v=ETB2w-f3pM4
ORM Leaking More Than You Joined For https://www.elttam.com/blog/leaking-more-than-you-joined-for/
Novel SSRF Technique Involving HTTP Redirect Loops https://slcyber.io/research-center/novel-ssrf-technique-involving-http-redirect-loops/
Successful Errors: New Code Injection and SSTI Techniques https://github.com/vladko312/Research_Successful_Errors

====== Timestamps ======
(00:00:00) Introduction
(00:02:33) Parser Differentials: When Interpretation Becomes a Vulnerability
(00:11:02) XSS-Leak: Leaking Cross-Origin Redirects
(00:18:25) Playing with HTTP/2 CONNECT
(00:22:10) Next.js, cache, and chains: the stale elixir
(00:29:15) SOAPwn: Pwning .NET Framework Apps Through HTTP Client Proxies And WSDL
(00:34:27) Cross-Site ETag Length Leak
(00:41:47) Lost in Translation: Exploiting Unicode Normalization
(00:47:27) ORM Leaking More Than You Joined For
(00:54:07) Novel SSRF Technique Involving HTTP Redirect Loops
(00:58:40) Successful Errors: New Code Injection and SSTI Techniques
Episode 162: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph sit down with HackerOne Founder & CTO Alex Rice to discuss concerns about using hacker data for AI and decreasing bounties.

Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26 https://ztw.com/
Today’s Guest: https://x.com/senorarroz

====== This Week in Bug Bounty ======
XML external entity: The ultimate Bug Bounty guide to exploiting XXE vulnerabilities https://www.yeswehack.com/learn-bug-bounty/xml-external-entity-guide-xxe?utm_source=Critical_Thinking&utm_medium=Youtube&utm_campaign=XXE_Critical_Thinking&utm_id=XXE_CT
Bug Bounty Maturity Framework https://bugbountymaturity.com/

====== Resources ======
Confidential Information and Confidentiality Obligations https://www.hackerone.com/terms/general#:~:text=HackerOne%20may%20use%20Confidential%20Information%20to%20develop%20and/or%20improve%20its%20Services%20(for%20example%2C%20to%20identify%20trends%2C%20and%20to%20train%20AI%20models)%20provided%20such%20use%20does%20not%20result%20in%20disclosure%20of%20Confidential%20Information%20to%20unauthorized%20third%20parties
Ownership and Licenses https://www.hackerone.com/terms/community#:~:text=8.%20Ownership%20and%20Licenses
I argued with an AI regarding HackerOne using Hacker reports to train PtaaS https://bugbounty.forum/post/183ff0fc-eb9e-47f8-991d-c0aa5b0bba71
HackerOne PTaaS (likely training their AI on private reports data) https://www.reddit.com/r/bugbounty/comments/1r5hixk/hackerone_ptaas_likely_training_their_ai_on/
What Makes Agentic PTaaS Different in Real Environments https://www.hackerone.com/blog/agentic-penetration-testing-as-a-service#:~:text=Our%20agents%20are,real%20enterprise%20constraints

====== Timestamps ======
(00:00:00) Introduction
(00:08:44) HackerOne AI Terms of Service
(00:24:56) Agentic PTaaS
(00:38:09) Selling data
(00:43:49) Decrease in Bounties
Episode 161: In this episode of Critical Thinking - Bug Bounty Podcast Justin gives us some quick hits regarding CSRF and Cross Consumer Attacks, and also touches on some breaking questions surrounding HackerOne.

Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26 https://ztw.com/

====== This Week in Bug Bounty ======
AS Watson https://app.intigriti.com/programs/aswatson/watsons/detail
YesWeHack 2026 Report https://choose.yeswehack.com/bug-bounty-report-2026-trends-and-key-insights-yeswehack?utm_source=youtube&utm_medium=sponsor-critical-thinking&utm_campaign=yeswehack-report-2026

====== Resources ======
PhoneLeak: Data Exfiltration in Gemini via Phone Call https://blog.starstrike.ai/posts/phoneleak-data-exfiltration-in-gemini-via-phone-call/
Max's Tweet about decreasing bounties https://x.com/0xw2w/status/2020788164378427483
HackerOne General Terms and Conditions https://www.hackerone.com/terms/general
Research Review #-2: RCE in Google's AI code editor Antigravity (sudi) https://www.youtube.com/watch?v=JqvJSF2UMyY

====== Timestamps ======
(00:00:00) Introduction
(00:03:26) YesWeHack 2026 Report
(00:09:12) CSRF Realizations & Data Exfiltration in Gemini via Phone Call
(00:14:38) 7urb0's Youtube, HackerOne decreasing bounties and Section 3.1 controversy
(00:19:06) Cross Consumer Attacks
Episode 160: In this episode of Critical Thinking - Bug Bounty Podcast Joseph and Brandyn chat through some news, including a Cloudflare Zero-day, Turning List-Unsubscribe into an SSRF/XSS Gadget, & Magic String Denial of Service in Claude.

Today’s Sponsor: Adobe. Use code CTBB040126, and get a 10% bonus on your bounty for any AI vulnerability which is mapped to the OWASP LLM top 10. Valid on Adobe Acrobat Web - AI Assistant / PDF Spaces / Content Creation and presentation features using Express Adobe Express AI Assistant. Valid through April 1st, 2026.
Also we have a Google Cloud VRP Swag Bonus! Mention the podcast in any rewarded (cash or credit) VRP report submission before the end of April to receive bonus swag!

====== Resources ======
Cloudflare Zero-day https://fearsoff.org/research/cloudflare-acme
Turning List-Unsubscribe into an SSRF/XSS Gadget https://security.lauritz-holtmann.de/post/xss-ssrf-list-unsubscribe/
Breaking Multi-Tenant Isolation in Heroku Postgres https://allistair.sh/blog/breaking-heroku-postgres/
Parse and Parse: MIME Validation Bypass to XSS via Parser Differential https://lab.ctbb.show/research/parse-and-parse-mime-validation-bypass-to-xss-via-parser-differential
Claude Magic String Denial of Service https://x.com/Frichette_n/status/2013988503336415522
From WebView to Remote Code Injection https://djini.ai/from-webview-to-remote-code-injection/
DOM XSS Is Not Dead: The Rise of Polyglot Payloads https://blogs.jsmon.sh/dom-xss-is-not-dead-the-rise-of-polyglot-payloads/

====== Timestamps ======
(00:00:00) Introduction
(00:06:17) Cloudflare Zero-day & Turning List-Unsubscribe into an SSRF/XSS Gadget
(00:16:57) Breaking Multi-Tenant Isolation in Heroku Postgres & CTBB Research
(00:25:46) Claude Magic String Denial of Service & From WebView to Remote Code Injection
Episode 159: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with the Google Cloud VRP Team to deep-dive policy and reward changes, what the panel process looks like, and how to best configure for success.

Follow us on X
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Get some hacker swag

Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26 https://ztw.com/
Google Cloud VRP Swag Bonus! Mention the podcast in any rewarded (cash or credit) VRP report submission before the end of April to receive bonus swag!

Today's Guests:
Darby Hopkins
Michael Cote

====== This Week in Bug Bounty ======
AI Red Teaming Explained by AI Red Teamers
Good Faith AI Research Safe Harbor
Join the Adobe LHE at NULLCON GOA

====== Resources ======
'Legendary Guy' - Jakub Domeracki
Google Cloud VRP rewards rules
Google Cloud VRP product tiers
Bug Hunters blog on the 2025 Google Cloud VRP bugSWAT
Google VRP Discord
Google VRP on X

====== Timestamps ======
(00:00:00) Introduction
(00:10:03) CloudVRP Bugswat Event Breakdown
(00:16:40) VRP Policy & Rewards Changes
(00:04:50) Panel Process
(01:00:08) Configuring for Success & Avoiding Downgrades
(01:33:47) Scenarios for Success
Episode 158: In this episode of Critical Thinking - Bug Bounty Podcast we talk about our personal takeaways from the CTBB Charity Hackalong, and then break down some InsertScript POCs, what a $55,000 bug can look like, and if Smart People Ever Say They're Smart.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme
Critical Research Lab: https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26 https://ztw.com/

====== Resources ======
InsertScript - XSS Challenge Solution https://insert-script.blogspot.com/2020/03/xss-challenge-solution-refresh-header.html
InsertScript - Redirect AuthHeader https://www.insert-script.com/examples/redirectAuthHeader/send.html
CRLF injection on a 302 redirect https://x.com/0xdef1ant/status/2009040359482118500
Multiple XSS in Meta Conversion API Gateway Leading to Zero-Click Account Takeover https://ysamm.com/uncategorized/2025/01/13/capig-xss.html
Arcanum Hack Tips https://github.com/Arcanum-Sec/hack_tips
Trail of Bits Releases Claude Skills https://x.com/dguido/status/2011541318229533063
what a $55,000 bug can look like https://x.com/the_IDORminator/status/2007480636244697237
Pwning Claude Code in 8 Different Ways https://flatt.tech/research/posts/pwning-claude-code-in-8-different-ways/
Do Smart People Ever Say They're Smart? https://labs.watchtowr.com/do-smart-people-ever-say-theyre-smart-smartertools-smartermail-pre-auth-rce-cve-2025-52691/

====== Timestamps ======
(00:00:00) Introduction
(00:04:18) Technical takeaways from CT Charity Hackalong
(00:22:21) InsertScript POCs & Rez0 and teknogeek's IOT Adventures
(00:32:16) CRLF injection on a 302 redirect & Multiple XSS in Meta
(00:41:00) Trail of Bits, what a $55,000 bug can look like, & Pwning Claude Code
(00:54:16) Do Smart People Ever Say They're Smart?
Episode 157: In this episode of Critical Thinking - Bug Bounty Podcast we're joined by Hypr to talk about hacking Mediatek and his experiences with HackerOne and Pwn2Own Ecosystems.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme
Critical Research Lab: https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

Today's Guest: https://x.com/hyprdude

====== This Week in Bug Bounty ======
Top 10 web hacking techniques of 2025: call for nominations https://portswigger.net/research/top-10-web-hacking-techniques-of-2025-nominations-open
CVE-2025-13467 https://access.redhat.com/security/cve/cve-2025-13467

====== Resources ======
Hypr's Blog https://blog.coffinsec.com
mediatek? more like media-rekt, amirite. https://blog.coffinsec.com/0days/2025/12/15/more-like-mediarekt-amirite.html
kernel-utils https://github.com/mellow-hype/kernel-utils

====== Timestamps ======
(00:00:00) Introduction
(00:03:23) Heap Overflow in Mediatek Kernel Drivers
(00:19:23) Kernel Debugging & ioctl Handlers
(00:43:30) Input Structs, Sync to Source, & Privilege Escalation
(00:51:30) HackerOne Ecosystem vs Pwn2Own Ecosystem
(01:17:00) Kernel Utils
(01:26:46) Real World Bugs for Exploit Development vs CTFs
Episode 156: In this episode of Critical Thinking - Bug Bounty Podcast we answer some fantastic questions from over at bugbounty.forum.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

====== Resources ======
Critical Thinking Lab lab.ctbb.show
Cross-Site ETag Length Leak https://blog.arkark.dev/2025/12/26/etag-length-leak
Clawdbot https://github.com/clawdbot/clawdbot/
Post from Steve Caldwell https://x.com/moreconfetti/status/2006494133159162008

====== Timestamps ======
(00:00:00) Introduction
(00:00:58) Crit Lab update
(00:04:36) Cross-Site ETag Length Leak
(00:13:26) Clawdbot
(00:16:56) Will bug hunting become obsolete, LHE invitations, and Fulltime vs Part time?
(00:30:52) 10 bugs at $5k or 1 bug at $5k, CTBB Background, & Future Plans
(00:38:32) Mentoring, Conquering Classes, and what angles we implement from the podcast
(00:49:27) Best approach on new targets, tips for making 500k in a year, AI/Vibecoding & Human in the Loop
(00:59:07) Mentally mapping the target, anti-patterns that waste time, and BB beliefs that were wrong.
(01:10:12) Tackling small scope, staying on one program, picking up after a break, & moving on
(01:17:41) Invisible elements that make the difference between $2k and $20k
Episode 155: In this episode of Critical Thinking - Bug Bounty Podcast Justin, Joseph, and Brandyn reflect on the last year of Bug Bounty, and list their goals and predictions for what 2026 holds.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

====== Resources ======
2024 Hacker Stats & 2025 Goals https://blog.criticalthinkingpodcast.io/p/hackernotes-ep-104-2024-hacker-stats-2025-goals

====== Timestamps ======
(00:00:00) Introduction
(00:02:08) 2025 Full Time Hunting Retrospective
(00:10:19) Most Fulfilling Moments and Bugs
(00:17:56) Satisfaction with 2025 Stats
(00:45:28) Automation, Organization, and Collaboration
(00:48:55) Time and Motivation
(01:08:01) Goals and Predictions for Bug Bounty in 2026
Episode 154: In this episode of Critical Thinking - Bug Bounty Podcast Joseph and Brandyn talk through the transition from Bug Bounty hunting to Pentesting. We cover diversifying income streams, the challenges of pricing for Pentests, legal considerations, and what Bug Hunters can bring to the Pentesting world.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

====== Timestamps ======
(00:00:00) Introduction
(00:03:36) Starting a Pentesting Company
(00:12:25) Advantages of Pentesting as a Bug Bounty Hunter
(00:29:03) Pricing, Sales, and knowing your Market/Worth
(00:36:21) Compliance in Pentests & Rapid-Fire Takeaways
Episode 153: In this episode of Critical Thinking - Bug Bounty Podcast Matt Brown returns to talk with us about hacking robots, IOT hackbots, and his Zero-to-Hero Hardware Hacking Guide.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

Today's Guest: Matt Brown
https://x.com/nmatt0
https://github.com/BrownFineSecurity/iothackbot

====== Resources ======
KeeYees USB Logic Analyzer Device
Saleae logic analyzer
XGecu
Hardware Hacking Tutorial by Make Me Hack
UART and SPI firmware extraction
UART Root Shell on Linux Router
UART Shell Jail and Unlocked Bootloader
Chinese IP Camera Firmware Extraction
Chip-Off Firmware Extraction

====== Timestamps ======
(00:00:00) Introduction
(00:01:22) Incremental Session Token Story and Matt Brown Intro
(00:10:42) Hardware Bug Bounty Scene & AI on Devices
(00:24:30) Hacking Human Robot
(00:41:33) Zero-to-Hero Hardware Hacking Guide
(01:01:47) IOT Hackbot
Episode 152: In this episode of Critical Thinking - Bug Bounty Podcast we're joined by Sasi Levi from Noma Security to talk about AI and Agentic Security. We also talk about ForcedLeak, a Google Vertex Bug, and debate if Prompt Injection is a real Vuln.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Check out our New Christmas Swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker. Check out ThreatLocker Elevation Control https://ctbb.show/tl-ec
And Noma Security! https://noma.security/

Today's Guest: https://x.com/sasi2103

====== This Week in Bug Bounty ======
Vercel Platform Protection
Dedicated HackerOne program for Vercel WAF
YesWeHack Open Source Programs
Android recon for Bug Bounty hunters

====== Resources ======
Sasi's Tweet from 2015
ForcedLeak: AI Agent risks exposed in Salesforce AgentForce
Is Prompt Injection a Vulnerability?

====== Timestamps ======
(00:00:00) Introduction
(00:09:16) Google Vertex AI Bug
(00:29:28) Sasi's Background and Bug Bounty Journey
(00:38:55) Resources for AI and Agentic Security Methodology
(00:50:34) ForcedLeak
(01:02:06) Is Prompt Injection a Vuln?
Episode 151: In this episode of Critical Thinking - Bug Bounty Podcast we're covering Client-side advanced topics. Justin talks Joseph (and us) through Third-Party Cookie Nuances, Iframe Tricks, URL Parsing, and more.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker. Check out ThreatLocker Elevation Control https://ctbb.show/tl-ec

====== Resources ======
Nowasky's Tweet #1 https://x.com/nowaskyjr/status/1993421017381744974
Nowasky's Tweet #2 https://x.com/nowaskyjr/status/1992717862398800081
rep+ in Chrome DevTools https://x.com/BourAbdelhadi/status/1992622964077179229
Terjanq Post from 2021 https://x.com/terjanq/status/1421093136022048775

====== Timestamps ======
(00:00:00) Introduction
(00:02:58) Client-side news & AI Updates
(00:12:02) Third-Party Cookie Nuances & PostMessages
(00:30:09) Iframe Tricks
(00:47:43) URL Parsing, CSPTS, and Client-side Routes
Episode 150: In this episode of Critical Thinking - Bug Bounty Podcast we're highlighting some cool news and research, but not before expressing our gratitude to the Hacker community. We are so thankful for you all!

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker. Check out ThreatLocker Elevation Control https://ctbb.show/tl-ec

====== This Week in Bug Bounty ======
Cache Overflow on Cloudflare

====== Resources ======
Breaking Oracle's Identity Manager
Who Needs a Blind XSS?
ASP.NET MVC View Engine Search Patterns
Heretic
Lesser known techniques for large-scale subdomain enum
Antigravity – Known Issues
Bug Bounty Daily
Caido version of AssetNote Surf

====== Timestamps ======
(00:00:00) Introduction
(00:09:47) Breaking Oracle's Identity Manager & Who Needs a Blind XSS?
(00:20:37) ASP.NET MVC View Engine Search Patterns & Heretic
(00:29:04) Lesser known techniques for large-scale subdomain enum
(00:35:29) Gemini 3 & Antigravity.
(00:45:57) Bug Bounty Daily
(00:52:42) Surf for Caido
Episode 149: In this episode of Critical Thinking - Bug Bounty Podcast, the DEFCON videos are up, and Justin and Joseph talk through some of their favorites.

Follow us on X
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

====== Resources ======
Unicode surrogates conversion
Prompt. Scan. Exploit
Breaking into thousands of cloud based VPNs with 1 bug
Examining Access Control Vulnerabilities in GraphQL
Smart Bus Smart Hacking
Passkeys Pwned
Bypassing Intent Destination Checks
Gemini Agents in Google Calendar
Exploitation of DOM Clobbering Vuln at Scale
TheHulk
Smart Devices, Dumb Resets
Mac PRT Cookie Theft

====== Timestamps ======
(00:00:00) Introduction
(00:10:10) Prompt. Scan. Exploit
(00:23:52) Breaking into thousands of cloud based VPNs with 1 bug
(00:33:25) Access Control Vulns in GraphQL, Smart Bus Hacking, & Passkeys Pwned
(00:44:10) Bypassing Intent Destination Checks & Invoking Gemini Agents
(00:57:08) DOM Clobbering, Mac PRT Cookie Theft, & Smart Devices, Dumb Resets
Episode 148: In this episode of Critical Thinking - Bug Bounty Podcast Justin gives us a crash course on Model Context Protocol.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

====== Timestamps ======
(00:00:00) Introduction
(00:02:51) MCP Architecture & Authentication
(00:13:08) Roots, Sampling, & Elicitation
(00:19:15) Tools and Resources
Episode 147: In this episode of Critical Thinking - Bug Bounty Podcast we're talking tips and tricks that help us in hacking that we really should've learned sooner.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker. Check out ThreatLocker Network Control https://www.criticalthinkingpodcast.io/tl-nc

====== This Week in Bug Bounty ======
Netscaler's new program https://hackerone.com/netscaler_public_program?type=team
The ultimate Bug Bounty guide to HTTP request smuggling vulnerabilities https://www.yeswehack.com/learn-bug-bounty/http-request-smuggling-guide-vulnerabilities
Hackers now have 2 Request-a-Response https://docs.bugcrowd.com/changelog/researchers/request-a-response-researcher/
Evan Connelly Spotlight https://www.bugcrowd.com/blog/hacker-spotlight-evan-connelly/
Epic Games Jobs Openings
Jobs.ctbb.show

====== Timestamps ======
(00:00:00) Introduction
(00:09:23) Command Palette, Auto-decoding, & Evenbetter
(00:17:28) Chrome Devtools Edit as html & Raycast
(00:33:23) ffuf -request flag
(00:41:33) JXScout
(00:48:55) Conditional Breakpoints in Devtools & Lightning round tips
Episode 146: In this episode of Critical Thinking - Bug Bounty Podcast Justin, Joseph, and Brandyn all sit down to celebrate the spooky season by swapping their scariest bug stories. From frightening fails and firings to hacks with chilling and critical consequences. Grab your flashlight and a blanket for this one!

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker. Check out ThreatLocker Network Control https://www.criticalthinkingpodcast.io/tl-nc

====== This Week in Bug Bounty ======
Methodology tips from top Bug Bounty hunters
YesWeHack marks first year of partnership with Singapore's Government
HackerOne Hacker-Powered Security Report

====== Resources ======
Critical Research Lab
Hacking the World Poker Tour: Inside ClubWPT Gold's Back Office
File Creation via SQLite Injection

====== Timestamps ======
(00:00:00) Introduction
(00:10:11) Crit Research Lab News
(00:21:31) Hacking the World Poker Tour & File Creation via SQLite Injection
(00:30:40) Brandyn's Spooky Bug
(00:38:02) Joseph's Spooky Bug
(00:44:18) Justin's Spooky Bug
(00:54:44) Banking Bugs, LHE Scares, and Workday weirdness.
(01:14:52) Firings and failures
(01:22:49) Bank Bug Redux
(01:35:55) Wedding planning/registry app & Amazon Rufus bugs
(01:40:52) New Relic bug
Episode 145: In this episode of Critical Thinking - Bug Bounty Podcast Brandyn lets us in on some of his notetaking tips, including his Templates, Threat Modeling, and ways he uses notes to help with collaboration.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, Rez0, & gr3pme on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker. Check out ThreatLocker Network Control https://www.criticalthinkingpodcast.io/tl-nc

====== This Week in Bug Bounty ======
The minefield between syntaxes https://www.yeswehack.com/learn-bug-bounty/syntax-confusion-ambiguous-parsing-exploits

====== Resources ======
Brandyn's Notion Template https://terrific-dart-70e.notion.site/Example-Target-CTBB-294f4ca0f42481cca0b0ca6ac0a7c81d

====== Timestamps ======
(00:00:00) Introduction
(00:07:25) Templates, Target, and Tech Stack
(00:13:33) Threat Modeling and Attack Vectors
Episode 144: In this episode of Critical Thinking - Bug Bounty Podcast Joseph is joined by Vitor Falcão and Ciarán Cotter to discuss their success at the recent Mexico LHE, as well as their journey and routines in fulltime hacking.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker. Check out ThreatLocker DAC https://www.criticalthinkingpodcast.io/tl-dac

Today's Guests:
Vitor Falcão https://x.com/busf4ctor
Ciarán Cotter https://x.com/monkehack

====== This Week in Bug Bounty ======
Securing the Age of AI Autonomy: Priorities for 2026 https://www.hackerone.com/events/bionic-hacking

====== Resources ======
AI Vulnerability Reward Program Rules https://bughunters.google.com/about/rules/google-friends/5222232590712832/ai-vulnerability-reward-program-rules
My First 3 Months as a Full-Time Bug Bounty Hunter https://vitorfalcao.com/posts/3-months-as-a-full-time-bug-bounty-hunter/

====== Timestamps ======
(00:00:00) Introduction
(00:02:32) Client side Bug Story & Vitor's BB journey
(00:13:59) Google LHE Mexico takeaways
(00:26:55) Full-time hunting reflections
(00:33:39) Hacking routines
(00:42:56) Hacking AI
Episode 143: In this episode of Critical Thinking - Bug Bounty Podcast Justin brings Brandyn back to announce him as our newest co-host. We chat about recent LHE experiences, and then break down some news.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

====== This Week in Bug Bounty ======
YesWeHack won the European Commission tender: https://www.yeswehack.com/news/european-commission-tender-won-yeswehack
YesWeHack is now an authorised CVE Numbering Authority: https://www.yeswehack.com/news/yeswehack-authorised-cve-numbering-authority
A wide range of highly used open source bug bounty programs, such as Log4J, systemd, GNOME and many more: https://event.yeswehack.com/events/open-the-code-source-the-bounty

====== Resources ======
Attributes reference inside HTML
Explaining XSS without parentheses and semi-colons
Beyond Sandbox Domains: Rendering Untrusted Web Content with SafeContentFrame
One Token to rule them all
flareprox
Caido 101: How to master it

====== Timestamps ======
(00:00:00) Introduction
(00:03:16) LHE approaches and accomplishments
(00:30:54) Attributes reference inside HTML & Explaining XSS without parentheses and semi-colons
(00:44:33) One Token to rule them all
(00:57:13) Flareprox & Caido 101
Episode 142: In this episode of Critical Thinking - Bug Bounty Podcast Rez0 and Gr3pme join forces to discuss Websocket research, Meta's $111750 Bug, PROMISQROUTE, and the opportunities afforded by going full time in Bug Bounty.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker. Check out ThreatLocker DAC

Today's Guest: https://x.com/gr3pme

====== This Week in Bug Bounty ======
New Monthly Dojo challenge and Dojo UI design
The ultimate Bug Bounty guide to exploiting race condition vulnerabilities in web applications
Watch Our boy Brandyn on the TV

====== Resources ======
murtasec
WebSocket Turbo Intruder: Unearthing the WebSocket Goldmine
Remote code execution through vulnerability in Facebook Messenger for Windows
Finding vulnerabilities in modern web apps using Claude Code and OpenAI Codex
Mind the Gap
PROMISQROUTE

====== Timestamps ======
(00:00:00) Introduction
(00:05:16) Full Time Bug Bounty and Business Startups
(00:15:50) Websockets
(00:22:17) Meta's $111750 Bug
(00:28:38) Finding vulns using Claude Code and OpenAI Codex
(00:39:32) Time-of-Check to Time-of-Use Vulns in LLM-Enabled Agents
(00:45:22) PROMISQROUTE
Episode 141: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Nick Copi to talk about CSPT, React, CSS Injections and how Nick hacked the pod.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker. Check out ThreatLocker DAC https://www.criticalthinkingpodcast.io/tl-dac

Today's Guest: https://x.com/7urb01

====== Resources ======
regexploit https://github.com/doyensec/regexploit
Fontleak https://adragos.ro/fontleak/
debug(function) https://developer.chrome.com/docs/devtools/console/utilities#debug-function
domloggerpp https://github.com/kevin-mizu/domloggerpp

====== Timestamps ======
(00:00:00) Introduction
(00:02:40) Google Docs Bug and 7urb0 Introduction
(00:13:26) Bring-a-bug story
(00:20:21) 7urb0's DEFCON talk teaser & Intrusive Thoughts Worth Sharing
(00:30:01) CSPTs and React Apps
(00:51:31) CSS Injections
(01:04:55) 7urb0's backstory and game hacking
(01:18:33) Worst Crit
Episode 140: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph give an update from The Crit Research Lab, as well as some writeups on postMessage vulnerabilities, Cookie Chaos, and more.

Follow us on X at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Send us feedback at [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord!
Get some hacker swag here!

====== This Week in Bug Bounty ======
Cross-site request forgery
HackerOne New Milestone Program
Email [email protected] for media opportunities

====== Resources ======
Exploiting Web Worker XSS with Blobs
Critical Research Lab
Rez0's Tweet
CVE-2022-21703: cross-origin request forgery against Grafana
Conversation about Forcing Quirks Mode
AI Business Logic & POC or GTFO
Hunting postMessage Vulnerabilities – Part 1
Hunting postMessage Vulnerabilities – Part 2
Executive Offense
Cookie Chaos: How to bypass Host and Secure cookie prefixes

====== Timestamps ======
(00:00:00) Introduction
(00:05:48) Crit Research Update
(00:13:00) Encouragement & Collaboration
(00:19:37) Cross-origin request forgery & Anthropic's web fetch
(00:29:17) Quirks Mode, AI Business Logic & POC or GTFO
(00:44:21) Hunting postMessage & Claude Code browserbase
(00:51:25) Community story, Executive Offense, & Cookie Chaos
Episode 139: In this episode of Critical Thinking - Bug Bounty Podcast Justin finally sits down with the great James Kettle to talk about HTTP proxies, metagaming research, avoiding burnout, and why HTTP/1.1 must die! Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Guest: https://x.com/albinowax https://jameskettle.com ====== This Week in Bug Bounty ====== Building an Android Bug Bounty lab Mobile Hacking Toolkit ====== Resources ====== CVE-2022-22720 So you want to be a web security researcher? Hunting Evasive Vulnerabilities: Finding Flaws That Others Miss by James Kettle HTTP/1.1 Must Die! The Desync Endgame Practical HTTP Host header attacks ====== Timestamps ====== (00:00:00) Introduction (00:05:01) Apache MITM-powered pause-based client-side desync (00:15:33) HTTP proxies and Burp Suite HTTP/2 in Repeater (00:24:52) AI integrations, life structure, and avoiding burnout (00:35:23) Client-side to server-side progression (00:47:39) The 'metagame' of security research (01:29:43) Host Header Attacks & HTTP/1.1 Must Die! (02:02:34) Is HTTP/2 the solution?
Episode 138: In this episode of Critical Thinking - Bug Bounty Podcast We’re talking Caido tools and workflows. Justin gives us a list of some of the Caido tools that have caught his interest, as well as how he’s using them. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== This Week in Bug Bounty ====== Meet YesWeHack at ROOTCON 2025 https://www.yeswehack.com/page/meet-yeswehack-at-rootcon-2025 New Dojo challenge featuring a Local File Inclusion in a Ruby application https://dojo-yeswehack.com/challenge-of-the-month/dojo-44?utm_source=sponsor&utm_medium=challenge&utm_campaign=dojo-44 AI Red Teaming CTF https://ctf.hackthebox.com/event/details/ai-red-teaming-ctf-ai-gon3-rogu3-2604 ====== Resources ====== Web Security Labs http://caido.rhynorater.com ====== Timestamps ====== (00:00:00) Introduction (00:02:32) Common filters & command palette in EvenBetter (00:06:49) Notes++ (00:09:28) Shift Agents and Drop (00:15:34) Workflows
Episode 137: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner and Joseph Thacker reunite to talk about AI Hacking Assistants, CSPT and cache deception, and a bunch of tools like ch.at, Slice, Ebka, and more. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== This Week in Bug Bounty ====== Vulnerability vectors: SQL injection for Bug Bounty hunters Mozilla VPN Clients: RCE via file write and path traversal ====== Resources ====== Cache Deception + CSPT: dig @ch.at Searchlight Cyber Tools Slice Ebka-Caido-AI postMessage targetOrigin bypass ====== Timestamps ====== (00:00:00) Introduction (00:01:26) Claude, Gemini, and Hacking Assistants (00:11:08) AI Safety (00:18:09) CSPT (00:23:26) ch.at, Slice, Ebka, & Searchlight Cyber Tools (00:45:19) postMessage targetOrigin bypass
Episode 136: In this episode of Critical Thinking - Bug Bounty Podcast, Joseph Thacker sits down with Jack Cable to get the scoop on a significant bug in Cluely’s desktop application, as well as the resulting drama. They also talk about Jack’s background in government cybersecurity initiatives, and the legal risks faced by security researchers. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor - ThreatLocker. Check out ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect Today’s Guest: https://x.com/jackhcable?lang=en ====== This Week in Bug Bounty ====== Nullcon Berlin https://www.yeswehack.com/page/yeswehack-live-hacking-nullcon-berlin-2025?utm_source=sponsor&utm_medium=blog&utm_campaign=lhe-nullcon-berlin BB Bulletin #15 https://www.linkedin.com/pulse/bug-bounty-bulletin-15-yes-we-hack-dntue/ 2x Bounty on Grab https://hackerone.com/grab?type=team ====== Resources ====== Corridor https://corridor.dev/ disclose.io https://disclose.io/ ====== Timestamps ====== (00:00:00) Introduction (00:03:33) Cluely Bug, Government involvement, & disclose.io (00:12:33) AI in security & Corridor.dev (00:29:23) Cluely Bug Fallout & Ethics of hacking outside of Programs (00:41:20) Shift Agents
Episode 135: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Ryan Barnett for a deep dive on WAFs. We also recap his Exploiting Unicode Normalization talk from DEFCON, and get his perspective on bug hunting from his time at Akamai. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor - ThreatLocker. Check out ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect Today’s Guest: https://x.com/ryancbarnett ====== Resources ====== Accidental Stored XSS Flaw in Zemanta 'Related Posts' Plugin for TypePad https://webappdefender.blogspot.com/2013/04/accidental-stored-xss-flaw-in-zemanta.html XSS Street-Fight https://media.blackhat.com/bh-dc-11/Barnett/BlackHat_DC_2011_Barnett_XSS%20Streetfight-Slides.pdf Blackhat USA 2025 - Lost in Translation: Exploiting Unicode Normalization https://www.blackhat.com/us-25/briefings/schedule/#lost-in-translation-exploiting-unicode-normalization-44923 ====== Timestamps ====== (00:00:00) Introduction (00:02:49) Accidental Stored XSS in TypePad Plugin (00:06:34) Chatscatter & Abusing third party Analytics (00:11:42) Ryan Barnett Introduction (00:21:11) Virtual Patching & WAF Challenges (00:40:39) AWS API Gateways & Whitelisting Bug Hunter Traffic (00:49:59) Lost in Translation: Exploiting Unicode Normalization (01:11:29) CSPs at the WAF level & 'Bounties for Bypass'
Episode 134: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Diego Djurado to give us the scoop on XBOW. We cover a little about its architecture and approach to hunting, the challenges with hallucinations, and the future of AI in the BB landscape. Diego also shares some of his own hacking journey and successes in the Ambassador World Cup. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor - ThreatLocker User Store Today’s Guest: https://x.com/djurado9 ====== This Week in Bug Bounty ====== Announcement of our upcoming live hacking event at Nullcon Berlin, taking place on September 4-5 Bug Bounty Village Speakers 2025 Talkie Pwnii Caido showcase Caido Masterclass – From Setup to Exploits Access Control vs Account Takeover: What Bug Bounty Hunters Need to Know ====== Resources ====== CVE-2025-49493: XML External Entity (XXE) Injection in Akamai CloudTest ====== Timestamps ====== (00:00:00) Introduction (00:05:56) Diego's ATO Bug (00:12:01) H1 Ambassador World Cup and work with XBOW (00:20:57) XBOW's CloudTest XXE Bug (00:49:59) Freedom, Hallucinations, & Validation (01:07:24) XBOW's Architecture (01:23:50) Humans in the Loop, Harnesses, and XBOW's Reception (01:44:21) Ambassador World Cup plans for the future
Episode 133: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Harley and Ari from H1 to talk some about community management roles within Bug Bounty, as well as discuss the evolution of Bug Bounty Village at DEFCON, and what they’ve got in store this year. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Guests: https://x.com/infinitelogins https://x.com/Arl_rose Today’s Sponsor is Adobe. Use code CTBBP0907 in your first report on Adobe Behance, Portfolio, Fonts or Acrobat Web, and earn a one-time 10% bonus reward! ====== This Week in Bug Bounty ====== BBV Platform Panel about Triage YesWeHack Makes Debut at Black Hat USA 2025 New Dojo challenge featuring a time-based token prediction combined with PyYAML deserialization GMSGadget ====== Resources ====== Bug Bounty Village Sign up for the Disclosed Newsletter Disclosed Online Harley's Youtube Channel ====== Timestamps ====== (00:00:00) Introduction (00:05:51) Bug Stories and Hacking Journeys (00:32:37) Community Management within Bug Bounty (00:39:43) Bug Bounty Village - Origin & 2025 Plans (01:02:39) Disclosed Online and Harley's Upcoming Ebook
Episode 132: In this episode of Critical Thinking - Bug Bounty Podcast, Justin Gardner is joined by Mathias Karlsson to discuss vulnerabilities associated with archives. They talk about his new tool, Archive Alchemist, and explore topics like the significance of Unicode paths, symlinks, and TAR before they end up talking about charsets again. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord! You can also find some hacker swag at https://ctbb.show/merch! Today's Sponsor: ThreatLocker - Patch Management Today’s Guest: Mathias Karlsson ====== This Week in Bug Bounty ====== Swiss Post's 2025 Public Intrusion Test starts on July 28 Intigriti teams with NVIDIA Bugcrowd Ingenuity Awards Hack the Hacker Series - AI Vulnerabilities and Bug Bounties A Novel Technique for SQL Injection in PDO’s Prepared Statements How We Accidentally Discovered a Remote Code Execution Vulnerability in ETQ Reliance ====== Resources ====== Archive Alchemist Hacking Livestream #53: The ZIP file format ====== Timestamps ====== (00:00:00) Introduction (00:10:04) Archive Alchemist (00:36:05) Unicode Extensions, normalization, and confusion attacks on Zip parsers (00:48:44) Character Sets (01:01:49) 7zip & File Names (01:06:44) Path Traversal, Symlinks & Identifying Techniques (01:36:05) Hardlinks and TAR
Episode 131: In this episode of Critical Thinking - Bug Bounty Podcast we're covering Christmas in July with several banger articles from Searchlight Cyber, as well as covering things like Raycast for Windows, Third-Person prompting, and touching on the recent McDonald's leak. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor is Adobe. Use code CTBBP0907 in your first report on Adobe Behance, Portfolio, Fonts or Acrobat Web, and earn a one-time 10% bonus reward! ====== Resources ====== v1 Instance Metadata Service protections bypass Would you like an IDOR with that? Leaking 64 million McDonald’s job applications How we got persistent XSS on every AEM cloud site, thrice Google docs now supports export as markdown Abusing Windows, .NET quirks, and Unicode Normalization to exploit DNN (DotNetNuke) How I Scanned all of GitHub’s “Oops Commits” for Leaked Secrets Bug bounty, feedback, strategy and alchemy ====== Timestamps ====== (00:00:00) Introduction (00:05:39) Metadata Service protections bypass & McDonald's Leak (00:12:30) Christmas in July with Searchlight Cyber Pt 1 (00:19:43) Export as Markdown, Raycast for Windows, & Third-Person prompting (00:23:56) Christmas in July with Searchlight Cyber Pt 2 (00:27:39) GitHub’s “Oops Commits” for Leaked Secrets (00:36:53) Bug bounty, feedback, strategy and alchemy
Episode 130: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Valentino, who shares his journey from hacking Minecraft to becoming a Google hunter. He talks us through several bugs, including an HTML Sanitizer bypass and .NET deserialization, and highlights the hyper creative approaches he tends to employ. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today's Sponsor: ThreatLocker - Patch Management https://www.criticalthinkingpodcast.io/TL-patch-management Today’s Guest: Valentino - https://blog.3133700.xyz/ ====== Resources ====== JMX Manager Stored XSS in reclamos Command Injection in Vertex AI whitepaper-net-deser.pdf free-after-use.go A Journey Into Finding Vulnerabilities in the PMB Library Management System emulated-register_globals.php ====== Timestamps ====== (00:00:00) Introduction (00:02:38) JMXProxy Bug Story (00:09:46) Intro to Valentino (00:29:08) HTML Sanitizer bypass on MercadoLibre (00:37:16) Command injection in Vertex AI (00:44:10) .NET deserialization, & Argument injection to LFR, & Free after use (00:51:33) Luck, creativity, and evolution as Hacker (00:59:31) Issues in file extension validation components, Emulated register_globals, & AI Hacking
Episode 129: In this episode of Critical Thinking - Bug Bounty Podcast we chat about the future of hack bots and human-AI collaboration, the challenges posed by tokenization, and the need for cybersecurity professionals to adapt to the evolving landscape of hacking in the age of AI. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== This Week in Bug Bounty ====== Improper error handling in async cryptographic operations crashes process https://hackerone.com/reports/2817648 Recon Series #6: Excavating hidden artifacts with Wayback Machine https://www.yeswehack.com/learn-bug-bounty/recon-wayback-machine-web-archive ====== Resources ====== This is How They Tell Me Bug Bounty Ends https://josephthacker.com/hacking/2025/06/09/this-is-how-they-tell-me-bug-bounty-ends.html Welcome, Hackbots: How AI Is Shaping the Future of Vulnerability Discovery https://www.hackerone.com/blog/welcome-hackbots-how-ai-shaping-future-vulnerability-discovery Glitch Token https://www.youtube.com/watch?v=WO2X3oZEJOA Conducting smarter intelligences than me: new orchestras https://southbridge-research.notion.site/conducting-smarter-intelligences-than-me ====== Timestamps ====== (00:00:00) Introduction (00:04:05) Is this how Bug Bounty Ends? (00:11:14) Hackbots and handling leads (00:20:50) Hacker chain of thought & Tokenization (00:32:54) Context Engineering
Episode 128: In this episode of Critical Thinking - Bug Bounty Podcast we talk Blind SSRF and Self-XSS, as well as reversing massive minified JS with AI and a wild Google Logo Ligature Bug. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today's Sponsor: ThreatLocker - Patch Management ====== This Week in Bug Bounty ====== BitK's "Payload plz" challenge at LeHack ====== Resources ====== Make Self-XSS Great Again Novel SSRF Technique Involving HTTP Redirect Loops Surf - Escalate your SSRF vulnerabilities on Modern Cloud Environments Gecko: Intent to prototype: Framebusting Intervention Conducting smarter intelligences than me: new orchestras Mandark Lumentis jscollab Google Logo Ligature Bug ====== Timestamps ====== (00:00:00) Introduction (00:03:55) Self-XSS and credentialless iframe (00:16:50) Novel SSRF Technique Involving HTTP Redirect Loops (00:25:02) Framebusting (00:29:13) Reversing massive minified JS with AI (00:53:12) Google Logo Ligature Bug
Episode 127: In this episode of Critical Thinking - Bug Bounty Podcast we address some recent bug bounty controversy before jumping into a slew of news items Follow us on X Shoutout to YTCracker for the awesome intro music! Today's Sponsor: Adobe ====== This Week In Bug Bounty ====== Hackers Guide to Google dorking YesWeCaido New Dojo Challenge Smart Contract BB tips Red Team AAS ====== Resources ====== Disclosed PDF csp bypass Bypassing File Upload Restrictions To Exploit Client-Side Path Traversal OBS WebSocket to RCE Time in a bottle (or knapsack) How to Differentiate Yourself as a Bug Bounty Hunter Disclosed. Online hacked-in ‘EchoLeak’ Piloting Edge Copilot Newtowner Tips for agent prompting Firefox XSS vectors Tweet from Masato Kinugawa Chrome debug() function
Episode 126: In this episode of Critical Thinking - Bug Bounty Podcast we wrap up Rez0’s AI miniseries ‘Vulnus Ex Machina’. Part 3 includes a showcase of AI Vulns that Rez0 himself has found, and how much they paid out. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor - ThreatLocker Web Control https://www.criticalthinkingpodcast.io/tl-webcontrol ====== Resources ====== Claude Code System Prompt Attacking AI Agents Probability of Hacks New Gemini for Workspace Vulnerability Enabling Phishing & Content Manipulation How to Hack AI Agents and Applications ====== Timestamps ====== (00:00:00) Introduction (00:02:53) NahamCon Recap, Claude news, and wunderwuzzi writeups (00:08:57) Probability of Hacks (00:11:27) First AI Vulnerabilities (00:18:57) AI Vulns on Google (00:25:11) Invisible prompt Injection
Episode 125: In this episode of Critical Thinking - Bug Bounty Podcast Justin shares insights on how to succeed at live hacking events. We cover pre-event preparations, challenges of collaboration, on-site strategies, and the importance of maintaining a healthy mindset throughout the entire process. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== This Week in Bug Bounty ====== Decathlon Public Bug Bounty Program on YesWeHack ====== Resources ====== The Ultimate Double-Clickjacking PoC Grafana Full read SSRF and Account Takeover: CVE-2025-4123 Grafana CVE-2025-4123 Exploit What I learned from my first 100 HackerOne Reports Root for your friends ====== Timestamps ====== (00:00:00) Introduction (00:02:30) The Ultimate Double-Clickjacking PoC, Grafana CVE, & Evan Connelly's first 100 bugs (00:10:23) How to win at Live Hacking Events (00:11:53) Pre-event (00:11:45) Scope Call (00:33:11) Dupe window Ends (00:36:00) Onsite & Day of Event (00:42:46) Don't define your identity on the outcome
Episode 124: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph cover some news from around the community, hitting on Joseph’s Anthropic safety testing, Justin’s guest appearance on For Crying Out Cloud, and several fascinating tweets. Then they have a quick Full-time Bug Bounty check-in. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor - ThreatLocker Web Control https://www.criticalthinkingpodcast.io/tl-webcontrol ====== This Week in Bug Bounty ====== Louis Vuitton Public Bug Bounty Program CVE-2025-47934 was discovered on one of our Bug Bounty program : OpenPGP.js Stored XSS in File Upload Leads to Privilege Escalation and Full Workspace Takeover ====== Resources ====== Jorian tweet Clipjacking: Hacked by copying text - Clickjacking but better Crying out Cloud Appearance Wiz Research takes 1st place in Pwn2Own AI category New XSS vector with image tag ====== Timestamps ====== (00:00:00) Introduction (00:10:50) Supabase (00:13:47) Tweet-research from Jorian and Wyatt Walls. (00:20:24) Anthropic safety testing challenge & Wiz Podcast guest appearance (00:27:44) New XSS vector, Google i/o, and coding agents (00:35:48) Full Time Bug Bounty
Episode 123: In this episode of Critical Thinking - Bug Bounty Podcast we’re back with part 2 of Rez0’s miniseries. Today we talk about mastering Prompt Injection, taxonomy of impact, and both triggering traditional Vulns and exploiting AI-specific features. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor - ThreatLocker User Store https://www.criticalthinkingpodcast.io/tl-userstore ====== This Week in Bug Bounty ====== Earning a HackerOne 2025 Live Hacking Invite https://www.hackerone.com/blog/earning-hackerone-2025-live-hacking-invite HTTP header hacks: basic and advanced exploit techniques explored https://www.yeswehack.com/learn-bug-bounty/http-header-exploitation ====== Resources ====== Grep.app https://vercel.com/blog/migrating-grep-from-create-react-app-to-next-js Gemini 2.5 Pro prompt leak https://x.com/elder_plinius/status/1913734789544214841 Pliny's CL4R1T4S https://github.com/elder-plinius/CL4R1T4S O3 https://x.com/pdstat/status/1913701997141803329 ====== Timestamps ====== (00:00:00) Introduction (00:05:25) Grep.app, O3, and Gemini 2.5 Pro prompt leak (00:11:09) Delivery and impactful action (00:20:44) Mastering Prompt Injection (00:30:36) Traditional vulns in Tool Calls, and AI Apps (00:37:32) Exploiting AI specific features
Episode 122: In this episode of Critical Thinking - Bug Bounty Podcast your boys are MVH winners! First we’re joined by Zak, to discuss the Google LHE as well as surprising us with a bug of his own! Then, we sit down with Lupin and Monke for a winners roundtable and retrospective of the event. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Check out the CTBB Job Board: https://jobs.ctbb.show/ Today’s Guests: Zak Bennett : https://www.linkedin.com/in/zak-bennett/ Ciarán Cotter: https://x.com/monkehack Roni Carta: https://x.com/0xLupin ====== Resources ====== We hacked Google’s A.I Gemini and leaked its source code https://www.landh.tech/blog/20250327-we-hacked-gemini-source-code ====== Timestamps ====== (00:00:00) Introduction (00:03:02) An RCE via memory corruption (00:07:45) Zak's role at Google and Google's AI LHE (00:15:25) Different Components of AI Vulnerabilities (00:24:58) MVH Winner Debrief (01:08:47) Technical Takeaways And Team Strategies (01:28:49) LHE Experience and Google VRP & Abuse VRP
Episode 121: In this episode of Critical Thinking - Bug Bounty Podcast we cover so much news and research that we ran out of room in the description... Follow us on X Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow Rhynorater and Rez0 on X: ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord! We also have hacker swag! ====== This Week in Bug Bounty ====== Hacker spotlight: Rhynorater Ultra Mobile BB Program - Mobile Apps Ultra Mobile BB Program - (Public) John Deere Program JD's BB Program Boosts Cybersecurity Dojo #41 - Ruby treasure ====== Resources ====== slonser 0-day in chrome CT Additional useful primitives How I made $64k from deleted files CTBB episode with Sharon Brizinov Rez0's Subdomain Link Launcher Qwen3 Local Model May Cause Pwnage import WAF bypass Caido Drop Andre's tweet about encoded word Nahamcon Gemini prompt leak SVG Onload Handlers
Episode 120: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner welcomes Eugene to talk (aka fanboy) about his new book, 'From Day Zero to Zero Day.' We walk through what to expect in each chapter, including Binary Analysis, Source and Sink Discovery, and Fuzzing everything. Then we give listeners a special deal on the book. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor - ThreatLocker User Store https://www.criticalthinkingpodcast.io/tl-userstore Today’s guest: https://x.com/spaceraccoonsec ====== Resources ====== Buy SpaceRaccoon's Book: From Day Zero to Zero Day https://nostarch.com/zero-day USE CODE 'ZERODAYDEAL' for 30% OFF Pwning Millions of Smart Weighing Machines with API and Hardware Hacking https://spaceraccoon.dev/pwning-millions-smart-weighing-machines-api-hardware-hacking/ ====== Timestamps ====== (00:00:00) Introduction (00:04:58) From Day Zero to Zero Day (00:12:06) Mapping Code to Attack Surface (00:17:59) Day Zero and Taint Analysis (00:22:43) Automated Variant Analysis & Binary Taxonomy (00:31:35) Source and Sink Discovery (00:40:22) Hybrid Binary Analysis & Quick and Dirty Fuzzing (00:56:00) Coverage-Guided Fuzzing, Fuzzing Everything, & Beyond Day Zero (01:02:16) Bug bounty, Vuln research, & Governmental work (01:10:23) Source Code Review & Pwning Millions of Smart Weighing Machines
Episode 119: In this episode of Critical Thinking - Bug Bounty Podcast Justin does a mini deep dive into the world of iframes, starting with why they’re significant, their attributes, and how to attack them. CORRECTION: Some of my comments on the latest episode of the pod were woefully inaccurate about the `csp` attribute of an iframe. Def should have read the spec more thoroughly. Please see the #corrections channel in Discord for the deets. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== Resources ====== Episode with JR0ch17 ctbb.show/61 Exacerbating Cross-Site Scripting: The Iframe Sandwich https://coopergyoung.com/exacerbating-cross-site-scripting-the-iframe-sandwich/ ====== Timestamps ====== (00:00:00) Introduction (00:01:20) Why are Iframes useful (00:05:11) Attributes of Iframes (00:21:39) Iframe Attacks (00:29:53) Iframe Fun Facts
Episode 118: In this episode of Critical Thinking - Bug Bounty Podcast we cover a host of news, including clientside tidbits, “Credentialless” iframes, prototype pollution, and what constitutes a polyglot in llms.txt. Follow us on X Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow Rhynorater and Rez0 on X ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! You can also find some hacker swag! ====== Resources ====== p4fg passed 1 Million! /reports/:id.json - $25K Crit Hacking Crypto pt1 The art of payload obfuscation Analyzing the Next.js Middleware Bypass Nahamsec's Merch store llms.txt polyglot prompt injection React Router and the Remix’ed path Pre-Authentication SQL Injection in Halo ITSM Pwning Millions of Smart Weighing Machines MCP Server Oauth Cline “Credentialless” iframes Tiny XSS Payloads Types of Pollution ====== Timestamps ====== (00:00:00) Introduction (00:05:56) Next.js Middleware bypass & Polyglots in llms.txt (00:16:35) CPDoS on React Router (00:24:26) Loose Types Sink Ships & Pwning Smart Scales (00:32:30) MCP Server Oauth & Cline (00:39:40) Clientside Tidbits & Prototype Pollutions
Episode 117: In this episode of Critical Thinking - Bug Bounty Podcast Joseph introduces Vulus Ex Machina: A 3-part mini-series on hacking AI applications. In this part, he lays the groundwork and focuses on AI reconnaissance. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== Resources ====== Building Reliable Web Agents https://x.com/pk_iv/status/1904178892723941777 17 security checks from VIBE to PRODUCTION https://x.com/Kaamiiaar/status/1902342578185630000 How to Hack AI Agents and Applications https://josephthacker.com/hacking/2025/02/25/how-to-hack-ai-apps.html AI Crash Course Repo https://github.com/henrythe9th/ai-crash-course Deep Dive into LLMs like ChatGPT https://www.youtube.com/watch?v=7xTGNNLPyMI ====== Timestamps ====== (00:00:00) Introduction (00:01:54) AI News (00:08:09) How to Hack AI Agents and Applications (00:14:26) The Recon Process (00:25:06) Initial Probing & Steering
Episode 116: In this episode of Critical Thinking - Bug Bounty Podcast Justin gives a quick rundown of Portswigger’s SAML Roulette writeup, as well as some Google VRP reports, and a Next.js middleware exploit. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor: ThreatLocker Cloud Control - https://www.threatlocker.com/platform/cloud-control ====== Resources ====== SAML roulette: the hacker always wins https://portswigger.net/research/saml-roulette-the-hacker-always-wins Loophole of getting Google Form associated with Google Spreadsheet with no editor/owner access https://bughunters.google.com/reports/vrp/yBeFmSrJi Loophole to see the editors of a Google Document with no granted access(owner/editor) with just the fileid (can be obtained from publicly shared links with 0 access) https://bughunters.google.com/reports/vrp/7EhAw2hur Cloud Tools for Eclipse - Chaining misconfigured OAuth callback redirection with open redirect vulnerability to leak Google OAuth Tokens with full GCP Permissions https://bughunters.google.com/reports/vrp/F8GFYGv4g Next.js, cache, and chains: the stale elixir https://zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixir Next.js and the corrupt middleware: the authorizing artifact https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware ====== Timestamps ====== (00:00:00) Introduction (00:02:59) SAML roulette (00:13:08) Google bugs (00:20:16) Next.js and the corrupt middleware
Episode 115: In this episode of Critical Thinking - Bug Bounty Podcast Justin and So Sakaguchi sit down to walk through some recent bugs, before having a live mentorship session. They also talk about Reflector, and finish up by doing a bonus podcast segment in Japanese! Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to https://x.com/realytcracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor: ThreatLocker Cloud Control - https://www.threatlocker.com/platform/cloud-control Today’s Guest: https://x.com/Mokusou4 ====== Resources ====== So's last appearance in episode 40 ctbb.show/40 ====== Timestamps ====== (00:00:00) Introduction (00:04:11) So's Facebook Bug (00:14:37) So and Justin's Google Bug (00:33:39) Live Mentorship Session (00:56:29) Reflector (01:13:22) Bonus - Podcast in Japanese
Episode 114: In this episode of Critical Thinking - Bug Bounty Podcast we’re diving into SPA and how to attack them. We also cover a host of news items, including some bug write-ups, AI updates, and a new tool called Hackadvisor. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor: ThreatLocker Cloud Control ====== Resources ====== Hacking High-Profile Bug Bounty Targets: Deep Dive into a Client-Side Chain Research finds 12,000 ‘Live’ API Keys and Passwords in DeepSeek's Training Data Hackadvisor WP Extensions Notebook LM Pressing Buttons with Popups Response to @RenwaX23 Prompt Injection Attacks for Dummies Shadow Repeater parallel-prettier ====== Timestamps ====== (00:00:00) Introduction (00:02:15) Bug Write-up from @busf4ctor (00:09:44) Scanning Common Crawl (00:16:30) Hackadvisor and WP/Chrome Extension News (00:24:15) Notebook LM, and Recent AI Updates (00:31:58) Write-up from @J0R1AN and Related POC from @RenwaX23 (00:38:10) Prompt Injection Attacks for Dummies (00:42:29) ShadowRepeater (00:47:04) Single-page applications
Episode 113: In this episode of Critical Thinking - Bug Bounty Podcast we’re breaking down the Portswigger Top 10 from 2024. There’s some bangers in here! Follow us on X at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on X: ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag! ====== Resources ====== Hijacking OAUTH flows via Cookie Tossing ChatGPT Account Takeover - Wildcard Web Cache Deception OAuth Non-Happy Path to ATO CVE-2024-4367 - Arbitrary JavaScript execution in PDF.js DoubleClickjacking: A New Era of UI Redressing WorstFit: Unveiling Hidden Transformers in Windows ANSI SQL Injection Isn't Dead: Smuggling Queries at the Protocol Level Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server Middleware, middleware everywhere – and lots of misconfigurations to fix ====== Timestamps ====== (00:00:00) Introduction (00:09:56) Hijacking OAuth flows via Cookie Tossing (00:17:30) ChatGPT Account Takeover (00:25:28) OAuth Non-Happy Path to ATO (00:29:24) CVE-2024-4367 (00:37:37) DoubleClickjacking: (00:44:54) Exploring the DOMPurify library (00:48:01) WorstFit (00:56:29) Unveiling TE.0 HTTP Request Smuggling (01:06:40) SQL Injection Isn't Dead: Smuggling Queries at the Protocol Level (01:14:05) Confusion Attacks
Episode 112: In this episode of Critical Thinking - Bug Bounty Podcast Joseph Thacker is joined by Ciarán Cotter (Monke) to share his bug hunting journey and give us the rundown on some recent client-side and server-side bugs. Then they discuss WebSockets, SaaS security, and cover some AI news including Grok 3, Nuclei -AI Flag, and some articles by Johann Rehberger. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Guest - Ciarán Cotter https://x.com/monkehack ====== Resources ====== Msty https://msty.app/ From Day Zero to Zero Day https://nostarch.com/zero-day Nuclei - ai flag https://x.com/pdiscoveryio/status/1890082913900982763 ChatGPT Operator: Prompt Injection Exploits & Defenses https://embracethered.com/blog/posts/2025/chatgpt-operator-prompt-injection-exploits/ Hacking Gemini's Memory with Prompt Injection and Delayed Tool Invocation https://embracethered.com/blog/posts/2025/gemini-memory-persistence-prompt-injection/ ====== Timestamps ====== (00:00:00) Introduction (00:01:04) Bug Rundowns (00:13:05) Monke's Bug Bounty Background (00:20:03) Websocket Research (00:34:01) Connecting Hackers with Companies (00:34:56) Grok 3, Msty, From Day Zero to Zero Day (00:42:58) Full time Bug Bounty, SaaS security, and Threat Modeling while AFK (00:54:49) Nuclei - ai flag, ChatGPT Operator, and Hacking Gemini's Memory
Episode 111: In this episode of Critical Thinking - Bug Bounty Podcast Justin interviews Kevin Mizu to showcase his knowledge regarding DOMPurify and its misconfigurations. We walk through some of Kevin’s research, highlighting things like Dangerous allow-lists and URI Attributes, DOMPurify hooks, node manipulation, and DOM Clobbering. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== Resources ====== Exploring the DOMPurify library: Bypasses and Fixes (1/2) https://mizu.re/post/exploring-the-dompurify-library-bypasses-and-fixes Exploring the DOMPurify library: Hunting for Misconfigurations (2/2) https://mizu.re/post/exploring-the-dompurify-library-hunting-for-misconfigurations Dom-Explorer tool https://yeswehack.github.io/Dom-Explorer/shared?id=772a440c-b0c2-4991-be71-3e271cf7954f CT Episode 61: A Hacker on Wall Street - JR0ch17 https://www.criticalthinkingpodcast.io/episode-61-a-hacker-on-wall-street-jr0ch17/ ====== Timestamps ====== (00:00:00) Introduction (00:01:44) Kevin Mizu - Background and Bring-a-bug (00:15:09) DOMPurify (00:29:04) Misconfigurations - Dangerous allow-lists (00:39:09) Dangerous URI attributes configuration (00:46:08) Bad usage (00:59:55) DOMPurify Hooks: before, after, and upon SanitizeAttribute (01:29:15) Node manipulation, nodeName namespace case confusion, & DOM Clobbering DOS (01:36:51) Misc concepts for future research
Episode 110: In this episode of Critical Thinking - Bug Bounty Podcast we hit some quick news items including a DOMPurify 3.2.3 Bypass, O3 mini updates, and a cool postLogger Chrome Extension. Then, we hone in on OAuth vulnerabilities, API keys, and innovative techniques hackers use to exploit these systems. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to https://x.com/realytcracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== Resources ====== DOMPurify 3.2.3 Bypass Jason Zhou's post about O3 mini Live Chat Blog #2: Cisco Webex Connect postLogger Chrome Extension postLogger Webstore Link Common OAuth Vulnerabilities nOAuth: How Microsoft OAuth Misconfiguration Can Lead to Full Account Takeover Account Takeover using SSO Logins Kai Greshake ====== Timestamps ====== (00:00:00) Introduction (00:01:44) DOMPurify 3.2.3 Bypass (00:06:37) O3 mini (00:10:29) Ophion Security: Cisco Webex Connect (00:15:54) Discord Community News (00:19:12) postLogger Chrome Extension (00:21:04) Common OAuth Vulnerabilities & Lessons learned from Google’s APIs
Episode 109: In this episode of Critical Thinking - Bug Bounty Podcast we start off with a quick recap of some of the DeepSeek Drama that’s been going down, and discuss AI in CAPTCHA and 2FA as well. Then we switch to cover some other news before settling in to talk about Alternative Recon Techniques. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to https://x.com/realytcracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor - ThreatLocker. Check out their Managed Detection and Response! ====== Resources ====== Wiz Research Uncovers Exposed DeepSeek Database Bypass Bot Detection Tweet from sw33tLie rsc 2fa Stealing HttpOnly cookies with the cookie sandwich technique Report Pointers for Collaborative Chains Clone2Leak: Your Git Credentials Belong To Us Deanonymization via cache GoogleChrome related-website-sets ====== Timestamps ====== (00:00:00) Introduction (00:02:03) DeepSeek debacle and Bypass Bot Detection (00:23:48) Stealing HttpOnly cookies with the cookie sandwich technique (00:30:54) Report Pointers for Collaborative Chains (00:34:43) Clone2Leak: Your Git Credentials Belong To Us (00:40:04) Deanonymization for Signal and Discord (00:41:53) Alternative Recon Techniques
Episode 108: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph bring on Aaron Costello to discuss SaaS security and misconfigurations as a bug class. He also gives some in-depth examples from Salesforce, ServiceNow, and Power Pages. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to https://x.com/realytcracker for the awesome intro music! ====== Links ====== Follow your hosts on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor: AppOmni. Get AppOmni's Definitive Guide to SaaS Security https://www.criticalthinkingpodcast.io/AppOmni Today’s Guest: https://x.com/ConspiracyProof ====== Resources ====== Aaron's Blog https://www.enumerated.ie/ Data Exposure and ServiceNow: The Elephant in the ITSM Room https://www.enumerated.ie/index/servicenow-data-exposure Salesforce Lightning - An in-depth look at exploitation vectors for the everyday community https://www.enumerated.ie/index/salesforce Lightning Components: A Treatise on Apex Security from an External Perspective https://go.appomni.com/hubfs/Collateral/AppOmni_Labs_White_Paper_Apex_Security.pdf?utm_campaign=Network%20Computing&utm_source=referral&utm_content=network_computing Microsoft Power Pages: Data Exposure Reviewed https://appomni.com/ao-labs/microsoft-power-pages-data-exposure-reviewed/ ====== Timestamps ====== (00:00:00) Introduction (00:03:00) Aaron Costello, Arbitrary File Upload, & App Cache Manifest Poison bug (00:13:37) SAAS Misconfigurations as a bug class (00:43:27) SalesForce Misconfigurations (01:11:30) Microsoft Power Pages
Episode 107: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph are tackling the subject of cross-origin security headers. They also cover some news items including Google’s OAuth login flaw, RAINK, and gift card hacking. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: [email protected] Shoutout to https://x.com/realytcracker for the awesome intro music! ====== Links ====== Follow your hosts on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor - ThreatLocker. Check out their Managed Detection and Response! https://www.criticalthinkingpodcast.io/tl-mdr ====== Resources ====== A Proud Dad's Tale of Two Bug Hunting Daughters and Their Responsible Disclosures Google’s OAuth login flaw Rez0's Ai tweet Rez0's Follow-up Raink from BishopFox Gift cards security research Top 10 web hacking techniques of 2024 Cross-Origin-Opener-Policy: preventing attacks from popups ====== Timestamps ====== (00:00:00) Introduction (00:05:13) Hacking with your kids (00:09:46) H1/bc pentests (00:12:23) Google’s OAuth login flaw (00:18:01) Raink & Rez0's AI tweets (00:28:46) Giftcard hacking & Portswigger top 10 voting (00:34:23) Cross Origin Web Headers
Episode 106: In this episode of Critical Thinking - Bug Bounty Podcast we are pleased to announce our new co-host of the podcast: Joseph Thacker Aka Rez0! We discuss Joseph's transition to full-time bug bounty hunting, his goals, and what he’s looking forward to bringing to the pod. We also cover some news items including doubleclickjacking, character set attacks, SVG XSS, and more. Follow us on twitter at: @ctbbpodcast Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Rez0 on twitter: https://x.com/Rhynorater https://x.com/rez0__ ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Check out our new SWAG store at https://ctbb.show/swag! Resources DoubleClickjacking: A New Era of UI Redressing https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html XBOW Validation Benchmarks https://github.com/xbow-engineering/validation-benchmarks Jorian tweet https://x.com/J0R1AN/status/1871586792455163975 Simplified Payload https://portswigger-labs.net/xss/charset.php?x=%1b$B%1b(B%3Ca%20href=javas%1B(Jcript:alert(1)%3Etest%3C/a%3E&charset= SVG XSS Payload https://x.com/garethheyes/status/1876953751245783534 curl-cffi https://pypi.org/project/curl-cffi/ Bypassing File Upload Restrictions To Exploit CSPT https://blog.doyensec.com/2025/01/09/cspt-file-upload.html AI-Crash-Course https://github.com/henrythe9th/AI-Crash-Course?tab=readme-ov-file Timestamps (00:00:00) Introduction (00:02:15) Rez0's journey to Full-time hunter, Tool developer, and new Co-host (00:21:04) DoubleClickjacking (00:31:48) XBOW Validation Benchmarks, Charset Thoughts, and SVG XSS (00:42:28) curl-cffi, CSPT, and AI Crash Course
Episode 105: In this episode of Critical Thinking - Bug Bounty Podcast we're back with another Best-of episode recapping some of our top moments of 2024. Follow us on twitter at: @ctbbpodcast Send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Rez0 on twitter: https://x.com/Rhynorater https://x.com/rez0__ ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Check out our new SWAG store at https://ctbb.show/swag! Today’s Sponsor - ThreatLocker. Check out their Elevation Control! https://www.criticalthinkingpodcast.io/tl-ec Resources Episode 53 ctbb.show/53 Episode 59 ctbb.show/59 Episode 65 ctbb.show/65 Episode 69 ctbb.show/69 Episode 80 ctbb.show/80 Episode 81 ctbb.show/81 Episode 86 ctbb.show/86 Episode 87 ctbb.show/87 Episode 91 ctbb.show/91 Episode 93 ctbb.show/93 Episode 99 ctbb.show/99 Timestamps (00:00:00) Introduction (00:03:59) Episode 53 (00:17:12) Episode 59 (00:32:45) Episode 65 (00:48:08) Episode 69 (01:02:37) Episode 80 (01:18:09) Episode 81 (01:28:59) Episode 86 (01:41:04) Episode 87 (01:54:48) Episode 91 (02:01:48) Episode 93 (02:09:37) Episode 99
Episode 104: In this episode of Critical Thinking - Bug Bounty Podcast Justin reflects upon the past year and walks through some of the bug bounty goals he had for 2024, and how he feels like he did. Then he sets some goals for 2025, as well as some exciting CT news for the coming year. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Rez0 on X: https://x.com/rhynorater https://x.com/rez0__ ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Check out our new SWAG store at https://ctbb.show/swag! Resources CTBB Full Time Guild ctbb.show/ft Critical Research Lab ctbb.show/crl CT Episode 51 - 2024 Goals https://www.criticalthinkingpodcast.io/episode-51-hacker-stats-2023-2024-goals/ Personal BB inventory and goals https://ctbb.show/blog Timestamps (00:00:00) Introduction (00:00:57) Critical Thinking 2025 Announcements (00:04:21) Personal Inventory of 2024 (00:24:05) Goals for 2025
Episode 103: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph delve into the vulnerabilities associated with ANSI codes and large language models (LLMs), as well as talk through some new research and the value of micro-blogging in general. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord! We offer Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Check out our new SWAG store! Join our Shift waitlist! Today’s Sponsor - ThreatLocker. Check out their Elevation Control! https://www.criticalthinkingpodcast.io/tl-ec Resources _json Juggling Attack Cross-Site POST Requests Without a Content-Type Header Worst Fit Orange Tsai on Worst Fit Handling Cookies is a Minefield Terminal DiLLMa XS-Leaking flags with CSS: A CTFd 0day Hacking Back the AI-Hacker Johann Computer use demo How I Became The Most Valuable Hacker Timestamps (00:00:00) Introduction (00:01:39) _json Juggling Attack and Cross-Site POST Requests Without a Content-Type Header (00:10:55) Worst Fit and Unicode Mapping (00:20:08) Handling Cookies is a Minefield (00:28:11) Terminal DiLLMa & CTFd 0day (00:41:18) Hacking Back the AI-Hacker (00:47:30) Becoming Most Valuable Hacker
Episode 102: In this episode of Critical Thinking - Bug Bounty Podcast Justin grabs Jason Haddix to help brainstorm the concept of AI micro-agents in hacking, particularly in terms of web fuzzing, WAF bypasses, report writing, and more. They discuss the importance of contextual knowledge, the cost implications, and the strengths of different LLM Models. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Check out our new SWAG store at https://ctbb.show/swag! Today’s Guest - https://x.com/Jhaddix Resources Keynote: Red, Blue, and Purple AI - Jason Haddix https://www.youtube.com/watch?v=XHeTn7uWVQM Attention in transformers, https://www.youtube.com/watch?v=eMlx5fFNoYc Shift https://shiftwaitlist.com/ The Darkest Side of Bug Bounty https://www.youtube.com/watch?v=6SNy0u6pYOc Timestamps (00:00:00) Introduction (00:01:25) Micro-agents and Weird Machine Tricks (00:11:05) Web fuzzing with AI (00:18:15) Brainstorming Shift and micro-agents (00:34:40) Strengths of different AI Models, and using AI to write reports (00:54:21) The Darkest Side of Bug Bounty
Episode 101: In this episode of Critical Thinking - Bug Bounty Podcast we’ve been hijacked! Rez0 takes control of this episode, and sits down with Johann Rehberger to discuss the intricacies of AI application vulnerabilities. They talk through the importance of understanding system prompts, and various obfuscation techniques used to bypass security measures, the best AI platforms, and the evolving landscape of AI security. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker. Check out their Elevation Control! https://www.criticalthinkingpodcast.io/tl-ec Today’s Guest: https://x.com/wunderwuzzi23 Resources Johann's blog https://embracethered.com/blog/ zombais https://embracethered.com/blog/posts/2024/claude-computer-use-c2-the-zombais-are-coming/ Copirate https://embracethered.com/blog/posts/2024/m365-copilot-prompt-injection-tool-invocation-and-data-exfil-using-ascii-smuggling/ Timestamps (00:00:00) Introduction (00:01:59) Biggest things to look for in AI hacking (00:11:58) Best AI companies to hack on (00:15:59) URL Redirects and Obfuscation Techniques (00:24:05) Copirate (00:35:50) prompt injection guardrails and threats
Episode 100: In this episode of Critical Thinking - Bug Bounty Podcast we have a mixed bag. We celebrate 100 episodes of Critical Thinking, but also bid farewell to Joel, who will be leaving the show as a co-host, but returning as guest. Then we hear from a bunch of friends about their 'best bug of the year', before capping the episode with the announcement of a new AI tool we've been working on! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources Delorean https://github.com/jselvi/Delorean Shift shiftwaitlist.com Timestamps (00:00:00) Introduction (00:07:32) Nagli (00:19:09) Shubs (00:35:00) Matt Brown (00:39:42) Matanber (00:57:52) Douglas Day (01:05:18) Alex Chapman (01:15:02) Nahamsec (01:25:45) Rez0 (01:28:20) Shift Announcement
Episode 99: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Roni dissect an old thread of Justin's talking about how best to start bug bounty with the goal of making $100k in the first year. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - AssetNote: Check out their ASMR board (no not that kind!) https://assetnote.io/asmr Today’s Guest - https://x.com/0xLupin Resources Justin's Twitter Thread https://x.com/Rhynorater/status/1699395452481769867 Timestamps (00:00:00) Introduction (00:03:00) Web Fundamentals Education (00:46:01) Threat Modeling and Hacking Goals (01:18:58) Vuln Types and finding Specialization
Episode 98: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner sits down with Sharon to discuss his journey from early iOS development to leading a research team at Claroty. They address the differences between HackerOne and Pwn2Own, and talk through some intricacies of IoT security and some less common IoT attack surfaces. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker: Check out Network Control! https://www.criticalthinkingpodcast.io/tl-nc And AssetNote: Check out their ASMR board (no not that kind!) https://assetnote.io/asmr Today’s Guest: https://sharonbrizinov.com/ Resources The Claroty Research Team https://claroty.com/team82 Pwntools https://github.com/Gallopsled/pwntools Scan My SMS http://scanmysms.com Gotta Catch 'Em All: Phishing, Smishing, and the birth of ScanMySMS https://www.youtube.com/watch?v=EhNsXXbDp3U Timestamps (00:00:00) Introduction (00:03:31) Sharon's Origin Story (00:21:58) Transition to Bug Bounty and Pwn2Own vs HackerOne (00:47:05) IoT/ICS Hacking Methodology (01:10:13) Cloud to Device Communication (01:18:15) Bug replication and uncommon attack surfaces (01:30:58) Documentation tracker, reCaptcha bypass, and ScanMySMS
Episode 97: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel jump into some cool news items, including a recent Okta Bcrypt vulnerability, insights into crypto bugs, and some intricacies of Android and Chrome security. They also explore the latest research from Portswigger on payload concealment techniques, and the introduction of the Lightyear tool for PHP exploits. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker: Check out Network Control! https://www.criticalthinkingpodcast.io/tl-nc And AssetNote: Check out their ASMR board (no not that kind!) https://assetnote.io/asmr Resources Okta bcrypt Android Web Attack Surface Writeups Concealing payloads in URL credentials Dumping PHP files with Lightyear Limit maximum number of filter chains Dom-Explorer tool launched MultiHTMLParse JSON Crack Caido/Burp notes plugin Timestamps (00:00:00) Introduction (00:02:43) Okta Release and bcrypt (00:10:26) Android Web Attack Surface Writeups (00:20:21) More Portswigger Research (00:28:29) Lightyear and PHP filter chains (00:35:09) Dom-Explorer (00:45:24) The JSON Debate (00:49:59) Notes plugin for Burp and Caido
Episode 96: In this episode of Critical Thinking - Bug Bounty Podcast we’re back with Matanber to hit some stuff we ran out of time on last episode. We talk about advanced cookie parsing techniques and exploitation methods, Safari's unique behaviors regarding cookie handling and debugging methods, and some of the writeups from the HeroCTF v6. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://x.com/MtnBer Resources: Cookie Bugs - Smuggling & Injection https://blog.ankursundara.com/cookie-bugs/#:~:text=Cookie%20Smuggling iOS Webkit Debug Proxy https://github.com/google/ios-webkit-debug-proxy HeroCTF v6 Writeups https://mizu.re/post/heroctf-v6-writeups Timestamps (00:00:00) Introduction (00:01:29) Cookie exploits (00:21:32) Matan's Safari Adventure (00:29:49) HeroCTF 6 writeups
Episode 95: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by MatanBer to delve into the intricacies of browser extensions. We talk about the structure and threat models, and cover things like service workers, extension pages, and isolated worlds. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - AssetNote. Listen to their podcast https://www.criticalthinkingpodcast.io/sspod Today’s Guest: https://x.com/MtnBer Resources Universal Code Execution by Chaining Messages in Browser Extensions https://spaceraccoon.dev/universal-code-execution-browser-extensions/ DOMLogger++ https://github.com/kevin-mizu/domloggerpp BBRE Metamask bug https://youtu.be/HnI0w156rtw?si=QixP8SX6JuRFz6PA Bench Press: Leaking Text Nodes with CSS https://blog.pspaul.de/posts/bench-press-leaking-text-nodes-with-css/ Timestamps: (00:00:00) Introduction (00:03:08) Structure & Threat Model for Browser Extensions (00:28:28) Extension Attack Scenarios (01:01:26) Attacking Extension Pages (01:26:35) Attacking Service Workers (01:46:23) Getting source code and dynamic debugging
Episode 94: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel give their perspectives on the recent Zendesk fiasco and the ethical considerations surrounding it. They also highlight the launch of AuthzAI and some research from Ophion Security. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - AssetNote. Listen to their podcast https://www.criticalthinkingpodcast.io/sspod Resources: New music drop from our Boi YT https://x.com/realytcracker/status/1847599657569956099 AuthzAI https://authzai.com/ Ron Chan https://x.com/ngalongc Misconfigured User Auth Leads to Customer Messages https://www.ophionsecurity.com/post/live-chat-blog-1-misconfigured-user-auth-leads-to-customer-messages Zendesk Write-up https://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b9d2cf2e52 Response from Zendesk https://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b9d2cf2e52?permalink_comment_id=5232589#gistcomment-5232589 Timestamps (00:00:00) Introduction (00:05:29) AuthzAI and the return of Ron Chan (00:13:50) Ophion Security Research (00:18:12) Zendesk Drama
Episode 93: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Dr. Jonathan Bouman to discuss his unique journey as both a Hacker and a Healthcare Professional. We talk through how he balances his dual careers, some ethical considerations of hacking in the context of healthcare, and highlight some experiences he’s had with Amazon's bug bounty program. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker. Check out ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect Today’s Guest - https://x.com/jonathanbouman?lang=en Resources Anyone can Access Deleted and Private Repository Data on GitHub Filesender Github Remote Code execution at ws1.aholdusa .com APK-MITM Hacking Dutch healthcare system Fitness Youtube Channels https://www.youtube.com/channel/UCpQ34afVgk8cRQBjSJ1xuJQ https://www.youtube.com/@BullyJuice Timestamps (00:00:00) Introduction (00:07:28) Medicine and Hacking (00:19:36) Hacking on Amazon (00:34:33) Collaboration and consistency (00:44:13) SSTI Methodology (01:06:10) iOS Hacking Methodology (01:13:23) Hacking Healthcare (01:32:19) Health tips for hacking
Episode 92: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel tackle a host of new research and write-ups, including Ruby SAML, 0-click exploits in MediaTek Wi-Fi, and vulnerabilities caused by The Great Firewall. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker. Check out ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect Resources: Insecurity through Censorship Ruby-SAML / GitLab Authentication Bypass 0-Click exploit discovered in MediaTek Wi-Fi chipsets New Caido Plugin to Generate Wordlists Bebik’s 403 Bypassor CSPBypass Arb Read & Arb Write on LLaMa.cpp by SideQuest XSS WAF Bypass One payload for all Timestamps (00:00:00) Introduction (00:02:08) Vulnerabilities Caused by The Great Firewall (00:07:25) Ruby SAML Bypass (00:19:55) 0-Click exploit discovered in MediaTek Wi-Fi chipsets (00:24:36) New Caido Wordlist Plugin (00:31:00) CSPBypass.com (00:35:37) Arb Read & Arb Write on LLaMa.cpp by SideQuest (00:43:10) Helpful WAF Bypass
Episode 91: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner sits down with Critical Thinking’s own HackerNotes writer Brandyn Murtagh (gr3pme) to talk about his journey with Bug Bounty. We cover mentorship, networking and LHEs, ecosystem hacking, emotional regulation, and the need for self-care. Then we wrap up with some fun bugs. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Shop our new swag store at ctbb.show/swag Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder Today’s guest: https://x.com/gr3pme Resources: Lessons Learned for LHEs https://x.com/Rhynorater/status/1579499221954473984 Timestamps: (00:00:00) Introduction (00:07:02) Mentorship in Bug Bounty (00:16:30) LHE lessons, takeaways, and the benefit of feedback and networking (00:41:28) Choosing Targets (00:49:03) Vuln Classes (00:58:54) Bug Reports
Episode 90: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin recap some of their recent hacking ups and downs and have a lively chat about Cursor. Then they cover some research about SQL injections, clickjacking in Google Docs, and how to steal your Telegram account in 10 seconds. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Shop our new swag store at ctbb.show/swag Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder Resources: Breaking Down Barriers: Exploiting Pre-Auth SQL Injection in WhatsUp Gold Content-Type that can be used for XSS Clickjacking Bug in Google Docs Justin's Gadget Link https://www.youtube.com/signin?next=https%3A%2F%2Faccounts.youtube.com%2Faccounts%2FSetSID%3Fcontinue%3Dhttps%3A%2F%2Fwww.google.com%252Famp%252fpoc.rhynorater.com Stealing your Telegram account in 10 seconds flat Timestamps (00:00:00) Introduction (00:08:28) Recent Hacks and Dupes (00:14:00) Cursor (00:25:02) Exploiting Pre-Auth SQL Injection in WhatsUp Gold (00:34:17) Content-Type that can be used for XSS (00:40:25) Caido updates (00:43:14) Clickjacking in Google Docs, and Stealing Telegram account
Episode 89: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined live by Matt Brown to talk about his journey with hacking in the IoT. We cover the specializations and challenges in hardware hacking, and Matt’s personal methodology. Then we switch over to touch on BGA reballing, certificate pinning and validation, and some of his own bug stories. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder Today’s Guest: Matt Brown - https://x.com/nmatt0 Resources: Decrypting SSL to Chinese Cloud Servers https://www.youtube.com/watch?v=3qSxxNvuEtg mitmrouter https://github.com/nmatt0/mitmrouter certmitm: Automatic Exploitation of TLS Certificate Validation Vulns https://www.youtube.com/watch?v=w_l2q_Gyqfo and https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Aapo%20Oksman%20-%20certmitm%20automatic%20exploitation%20of%20TLS%20certificate%20validation%20vulnerabilities.pdf https://github.com/aapooksman/certmitm HackerOne Detailed Platform Standards https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards Timestamps: (00:00:00) Introduction (00:13:33) Specialization and Challenges of IoT Hacking (00:33:03) Decrypting SSL to Chinese Cloud Servers (00:47:00) General IoT Hacking Methodology (01:26:00) Certificate Pinning and Certificate Validation (01:34:35) BGA Reballing (01:43:26) Bug Stories
Episode 88: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel tackle a whole slate of new research including a new cheat sheet for URL validation bypass from Portswigger, the introduction of Sanic DNS as a high-speed DNS resolver, xsstools, and the Dockerization of Orange Confusion Attacks. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Shop our new swag store at ctbb.show/swag Resources URL Validation Bypass cheat sheet SanicDNS Orange Confusion Attacks WordPress GiveWP POP to RCE Xsstools Bypassing browser tracking protection Advanced iframe Magic DOM Clobbering https://www.ruhrsec.de/downloads/slides/Everything-You-Wanted-to-Know-About-DOM-Clobbering-But-Were-Afraid-to-Ask-Soheil-Khodayari-RuhrSec.pdf And https://domclob.xyz/domc_payload_generator/ Timestamps: (00:00:00) Introduction (00:02:00) URL validation bypass (00:07:41) SanicDNS and Orange confusion attacks (00:20:06) WordPress GiveWP POP to RCE (00:31:29) Xsstools (00:43:56) Bypassing browser tracking protection (00:52:06) DOM Clobbering and mixing up your approach
Episode 87: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with none other than his wife Mariah to talk about Bug Bounty from the perspective of a Significant Other. They share how they’ve traversed travel and Live Hacking Events, household chores, hobbies, goals, rewards, as well as how best to encourage and support the hacker/non-hacker in your life. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Shop our new swag store at ctbb.show/swag Today’s Guest: https://x.com/MariahG017 Resources: Ruby Nealon's song https://x.com/_ruby/status/835306502546149376 Don't Force Yourself to Become a Bug Bounty Hunter https://samcurry.net/dont-force-yourself-to-become-a-bug-bounty-hunter Timestamps (00:00:00) Introduction (00:03:12) Technical Questions for a Bug Bounty Wife (00:16:11) Mariah's First LHE experience (00:31:12) LHEs as a Couple (00:41:57) Encouragement and Risk (00:55:55) Hacker Family Dynamics, goals, and keeping promises (01:17:35) How to care for your Hacker/Hacker Wife
Episode 86: In this episode of Critical Thinking - Bug Bounty Podcast Frans blows Justin’s mind with a sneak peek of his new presentation. Note: This is a little different from our normal episode, and video is recommended. So head over to ctbb.show/yt if you feel like you’re missing something. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Shop our new swag store at ctbb.show/swag Watch this Episode on Youtube - ctbb.show/yt Today’s Guest: Frans Rosen - https://x.com/fransrosen View the slides of this presentation at https://speakerdeck.com/fransrosen/x-correlation-injections-or-how-to-break-server-side-contexts Timestamps (00:00:00) Introduction (00:04:09) X-Correlation Injection (00:21:10) Server-side JSON Injection (00:32:10) Fuzzing Blindly and Optimizing Blind RCE
Episode 85: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel talk through some of the research coming out of DEFCON, mainly from the PortSwigger team. Web timing attacks, cache exploitation, and exploits related to email protocols are all featured. Plus we also talk through some fun Apache hacks from Orange Tsai. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! Check out our new SWAG store at https://ctbb.show/swag! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker Resources Listen to the whispers https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work Splitting the email atom https://portswigger.net/research/splitting-the-email-atom Gotta cache 'em all https://portswigger.net/research/gotta-cache-em-all HTTP Garden https://github.com/narfindustries/http-garden Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! https://blog.orange.tw/2024/08/confusion-attacks-en.html#%E2%9C%94%EF%B8%8F-2-2-2-Local-Gadget-to-XSS Trusted Types API https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API Untrusted Types https://github.com/filedescriptor/untrusted-types Timestamps: (00:00:00) Introduction (00:09:45) 'Listen to the whispers' (00:30:03) 'Splitting the email atom' (00:58:42) 'Gotta cache 'em all' (01:21:03) 'Confusion Attacks'
Episode 84: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by Roni Carta (@0xLupin) to discuss their MVH win at the recent Google LHE, and share some technical observations they had about the target and the event. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://x.com/0xLupin Today’s Sponsor - ThreatLocker Timestamps: (00:00:00) Introduction (00:02:12) MVH Debrief (00:09:05) Sandboxes and Comfort Zones (00:13:24) SDKs and Legal Compliance (00:19:29) Age of Target and Platform-Exclusive Hunters
Episode 83: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin are brainstorming new features and improvements for Caido, such as the implementation of a 403 bypassing workflow, a text expander, Tracing Cookies, and more. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker Resources: Post from Gareth Heyes https://x.com/garethheyes/status/1811084674988474417 Wiki List of XML and HTML https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references#List_of_character_entity_references_in_HTML HackerOne Leaderboard Changes https://x.com/scarybeasts/status/1810813103354892666 Espanso https://espanso.org/ Critical Thinkers Discord ctbb.show/criticalthinkers Oauth Scan https://portswigger.net/bappstore/8ef2db1173e8432c8797831c2e730727 Timestamps: (00:00:00) Introduction (00:03:12) News (00:13:20) Into the Brainstorm (00:13:41) 403 Bypasser (00:20:34) "Expaido" (00:31:34) Trace Cookies (00:42:01) Highlight Decoding Expansion and AI integrations (00:49:08) OAuth Testing, API Highlighter, and Note-taking
Episode 82: In this episode of Critical Thinking - Bug Bounty Podcast Joel Margolis discusses strategies and tips for part-time bug bounty hunting. He covers things like finding (and enforcing) balance, picking programs and goals, and streamlining your process to optimize productivity. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker Resources: Evernote RCE Post https://0reg.dev/blog/evernote-rce ServiceNow Bug Chain https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data Douglas Day's Talk on finding 'no's' https://youtu.be/G1RHa7l1Ys4?si=TY16ULsEIfJ9CMKk Timestamps: (00:01:37) Introduction (00:02:24) Evernote RCE Post (00:06:47) AssetNote ServiceNow Bug Chain (00:12:16) Part-Time Bug Bounty: Balance and Accountability (00:18:04) Picking programs: Impact and Payout (00:28:46) Streamline your process
Episode 81: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by MatanBer to go over some recent bug reports, as well as share some tips and tricks on client-side hacking and using DevTools effectively. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker Today’s Guest: https://x.com/MtnBer Resources: Beyond XSS https://aszx87410.github.io/beyond-xss/en/ Web VSCode XSS https://gitlab.com/gitlab-org/gitlab/-/issues/461328 Timestamps (00:00:00) Introduction (00:05:24) Learning and Labs (00:17:29) DevTools tips and tricks (00:49:49) General Client-Side hacking tips (01:09:59) Self-XSS Storytime (01:32:16) Bug Reports (01:46:37) Brainstorming a Client-side HUD
Episode 80: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Sina Kheirkhah to talk about the start of his hacking journey and explore the differences between the Pwn2Own and HackerOne events. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker Today’s Guest: https://x.com/SinSinology Blog: https://sinsinology.medium.com/ Resources: WhatsUp Gold Pre-Auth RCE Advanced .NET Exploitation Training dnSpyEx QEMU Unicorn Engine Qiling libAFL Alex Plaskett interview TippingPoint Flashback Team Timestamps: (00:00:00) Introduction (00:12:45) Learning, Mentorship, and Failure (00:29:34) Pentesting and Pwn2Own (00:40:05) Hacking methodology (01:01:57) Debuggers and shells in IoT Devices (01:35:40) Differences between ZDI and HackerOne (02:02:27) Pwn2Own Steps and Stories (02:14:06) Master of Pwn Title (02:29:54) Bug reports
Episode 79: In this episode of Critical Thinking - Bug Bounty Podcast we deep-dive CSS injection, and explore topics like sequential import chaining, font ligatures, and attribute exfiltration. Follow us on twitter at: @ctbbpodcast Send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources: SpaceRaccoon's Universal Code Execution Extensions Escalating Client Side Path Traversal Full-time Bug Bounty Blueprint Sequential Import Chaining CSS Exfiltration Link that Justin was talking about Font Ligatures Lava Dome bypass Stealing Data in Great Style Steal Script Contents Masato Kinugawa's tweet Attacking with Just CSS CSS Injection Primitives Timestamps: (00:00:00) Introduction (00:02:32) Universal Code Execution (00:11:32) Escalating Client Side Path Traversal (00:16:56) Justin's Defcon talk & Bug Bounty Blueprint (00:23:32) CSS Injection (00:39:23) Font Ligatures (00:54:30) Descent Override and display:block
Episode 78: In this episode of Critical Thinking - Bug Bounty Podcast we’re talking about writing reports. We share some tips that we’ve learned, and discuss ways that AI can (and can’t) help with that process. We also talk about the benefit of using tools like Fabric, Loom, and ShareX.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Sponsor - ThreatLocker
Resources:
XSS WAF Bypass by multi-char HTML entities
Shazzer
Next.js and cache poisoning
Nagli's Nuclei Template
hey why can't you fix this one bug
Justin's reporting templating software
Fabric
BB Report Formatter
2to3 Automated Python Converter
ShareX
Skitch
Timestamps:
(00:00:00) Introduction
(00:04:00) XSS WAF Bypass by Multi-char HTML Entities
(00:11:59) Next.js and Cache Poisoning
(00:18:03) Nagli's Nuclei Template and Sean Yeoh's Blog
(00:27:34) Report Writing and AI
(00:50:02) Reporting tips
Episode 77: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin discuss some fresh writeups including some MongoDB injections, ORMs, and exploits in Kakao and iOS before pivoting into a conversation about staying motivated and avoiding burnout while hunting.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Resources:
MongoDB NoSQL Injection
https://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/
Mongo DB Is Web Scale
https://www.youtube.com/watch?v=b2F-DItXtZs
1-click Exploit in Kakao
https://stulle123.github.io/posts/kakaotalk-account-takeover/
Unsecure time-based secret and Sandwich Attack
https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html
Reset Tolkien
https://github.com/AethliosIK/reset-tolkien
iOS URL Scheme Hijacking Revamped
https://evanconnelly.github.io/post/ios-oauth/
PLORMBING YOUR DJANGO ORM
https://www.elttam.com/blog/plormbing-your-django-orm/#content
Timestamps:
(00:00:00) Introduction
(00:02:07) MongoDB NoSQL Injection
(00:12:42) 1-click Exploit in Kakao
(00:33:21) Time-based secrets and Reset Tolkien
(00:39:26) iOS URL Scheme Hijacking Revamped
(00:51:42) ORMs
(00:58:57) Community Bug Submission
(01:07:45) Motivation, Mental Sharpness, and Burnout avoidance
Episode 76: In this episode of Critical Thinking - Bug Bounty Podcast we’re talking about Match and Replace and the often overlooked use cases for it, like bypassing paywalls, modifying host headers, and storing payloads. We also talk about the HackerOne Ambassador World Cup and the issues with dupe submissions, and go through some write-ups.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today's Sponsor - Project Discovery: https://nux.gg/podcast
Resources:
Zoom Session Takeover
https://nokline.github.io/bugbounty/2024/06/07/Zoom-ATO.html
SharePoint XXE
https://x.com/thezdi/status/1796207012520366552
Shazzer
https://shazzer.co.uk/
Timestamps:
(00:00:00) Introduction
(00:05:06) H1 Ambassador World Cup
(00:13:57) Zoom ATO bug
(00:33:28) SharePoint XXE
(00:39:36) Shazzer
(00:46:36) Match and Replace
(01:13:01) Match and Replace in Mobile
(01:21:13) Header Replacements
Episode 75: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are sick, so instead of a new full episode, we're going back 30 episodes to review.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
Today's Guest: https://twitter.com/fransrosen
Detectify
Discovering s3 subdomain takeovers
https://labs.detectify.com/writeups/hostile-subdomain-takeover-using-heroku-github-desk-more/
bucket-disclose.sh
https://gist.github.com/fransr/a155e5bd7ab11c93923ec8ce788e3368
A deep dive into AWS S3 access controls
Attacking Modern Web Technologies
Live Hacking like a MVH
Account hijacking using Dirty Dancing in sign-in OAuth flows
Timestamps:
(00:00:00) Introduction
(00:11:41) Frans Rosén's Bug Bounty Journey and Detectify
(00:20:21) Pseudo-code, typing, and thinking like a dev
(00:27:11) Hunter Methodologies and automationists
(00:42:31) Time on targets, Iteration vs. Ideation
(00:58:01) S3 subdomain takeovers
(01:11:53) Blog posting and hosting motivations
(01:20:21) Detectify and entrepreneurial endeavors
(01:36:41) Attacking Modern Web Technologies
(01:52:51) postMessage and MessagePort
(02:05:00) Live Hacking and Collaboration
(02:20:41) Account Hijacking and OAuth Flows
(02:35:39) Hacking + Parenthood
Episode 74: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Roni "Lupin" Carta for a deep dive into supply chain attacks and dependency confusion. We explore supply chain attacks, the ethical considerations surrounding maintainers and hosting packages on public registries, and chat about the vision and uses of his new tool Depi.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today's Sponsor - Project Discovery: https://nux.gg/podcast
Today’s Guest: https://x.com/0xLupin
Resources:
Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
git-dump
https://github.com/tomnomnom/dotfiles/blob/master/scripts/git-dump
Depi
https://www.landh.tech/depi
Weak links of Supply Chain
https://arxiv.org/pdf/2112.10165
Timestamps:
(00:00:00) Introduction
(00:07:13) Overview of Supply Chain Flow
(00:15:14) Getting our Scope
(00:23:46) Depi
(00:29:12) Types of attacks and finding the 80/20
(00:45:06) Maintainer attacks
(01:10:40) Registries, artifactories, and an npm bug
(01:31:51) Grafana NPX Confusion
Episode 73: In this episode of Critical Thinking - Bug Bounty Podcast we give a brief recap of Nahamcon and then touch on some topics like WAF bypass tools, sandboxed iframes, and programs redacting your reports.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today's Sponsor - Project Discovery: https://nux.gg/podcast
Resources:
?. Tweet
https://x.com/garethheyes/status/1786836956032176215
NoWafPls
https://github.com/assetnote/nowafpls
Redacted Reports
https://x.com/deadvolvo/status/1790397012468199651
Breaking CORS
https://x.com/MtnBer/status/1794657827115696181
Sandbox-iframe XSS challenge solution
https://joaxcar.com/blog/2024/05/16/sandbox-iframe-xss-challenge-solution/
iframe and window.open magic
https://blog.huli.tw/2022/04/07/en/iframe-and-window-open/#detecting-when-a-new-window-has-finished-loading
domloggerpp
https://github.com/kevin-mizu/domloggerpp
Timestamps:
(00:00:00) Introduction
(00:03:29) ?. Operator in JS and NoWafPls
(00:07:22) Redacting our own reports
(00:11:13) Breaking CORS
(00:17:07) Sandbox-iframes
(00:24:11) Dom hook plugins
Episode 72: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss some hot research from the past couple months. This includes ways to smuggle payloads in phone numbers and IPv6 Addresses, the NextJS SSRF, the PDF.JS PoC drop, and a GitHub Enterprise Indirect Method Information bug. Also, we have an attack vector featured from Monke!
Follow us on twitter at: @ctbbpodcast
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today's Sponsor - Project Discovery: https://nux.gg/podcast
Resources:
PDF.JS Bypass to XSS
https://github.com/advisories/GHSA-wgrm-67xf-hhpq
https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
PDFium
NextJS SSRF by AssetNote
Better Bounty Transparency for hackers
Slonser IPV6 Research
Smuggling payloads in phone numbers
Automatic Plugin SQLi
DomPurify Bypass
Bug Bounty JP Podcast
Github Enterprise send() bug
https://x.com/creastery/status/1787327890943873055
https://x.com/Rhynorater/status/1788598984572813549
Timestamps:
(00:00:09) Introduction
(00:03:20) PDF.JS XSS and NextJS SSRF
(00:12:52) Better Bounty Transparency
(00:20:01) IPV6 Research and Phone Number Payloads
(00:28:20) Community Highlight and Automatic Plugin CVE-2024-27956
(00:33:26) DomPurify Bypass and Github Enterprise send() bug
(00:46:12) Caido cookie and header extension updates
Episode 71: In this episode of Critical Thinking - Bug Bounty Podcast Keith Hoodlet joins us to weigh in on the VDP Debate. He shares some of his insights on when VDPs are appropriate in a company's security posture, and the challenges of securing large organizations. Then we switch gears and talk about AI bias bounties, where Keith explains the approach he takes to identify bias in chatbots and highlights the importance of understanding human biases and heuristics to better hack AI.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
Today's Sponsor - Project Discovery: https://nux.gg/podcast
Today’s guest: Keith Hoodlet
https://securing.dev/
Resources:
Daniel Miessler's article about the security poverty line
https://danielmiessler.com/p/the-cybersecurity-skills-gap-is-another-instance-of-late-stage-capitalism/
Hacking AI Bias
https://securing.dev/posts/hacking-ai-bias/
Hacking AI Bias Video
https://youtu.be/AeFZA7xGIbE?si=TLQ7B3YtzPWXS4hq
Sarah Hoodlet's new book
https://sarahjhoodlet.com
Link to Amazon Page
https://a.co/d/c0LTM8U
Timestamps:
(00:00:00) Introduction
(00:04:09) Keith's Appsec Journey
(00:16:24) The Great VDP Debate Redux
(00:47:18) Platform/Hunter Incentives and Government Regulation
(01:06:24) AI Bias Bounties
(01:26:27) AI Techniques and Bugcrowd Contest
Episode 70: In this episode of Critical Thinking - Bug Bounty Podcast we’re once again joined by Ben Sadeghipour to talk about some Nahamcon news, as well as discuss a couple other LHEs taking place. Then we cover CI/CD and drop some cool CSP Bypasses.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today's Sponsor - Project Discovery: https://nux.gg/podcast
Today’s Guest: https://twitter.com/NahamSec
https://www.nahamcon.com/
Resources:
Depi
https://www.landh.tech/depi
Youtube CSP: https://www.youtube.com/oembed?callback=alert()
Maps CSP: https://maps.googleapis.com/maps/api/js?callback=alert()-print
Google APIs CSP: https://www.googleapis.com/customsearch/v1?callback=alert(1)
Google CSP: https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//
CSP Bypass for opener.child.child.child.click()
https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/
Timestamps:
(00:00:00) Introduction
(00:02:55) BSides Takeaways and hacking on Meta
(00:12:12) NahamCon News
(00:23:45) CI/CD and the launch of Depi
(00:33:29) CSP Bypasses
Episode 69: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Johan Carlsson to hear about some updates on his bug hunting journey. We deep-dive a CSP bypass he found in GitHub, a critical he found in GitLab's pipeline, and also talk through his approach to using script gadgets and adapting to highly CSP'd environments. Then we talk about his transition to full-time bug hunting, including the goals he’s set, the successes and challenges, and his current focus on specific bug types like ReDoS and OAuth, and the serendipitous nature of bug hunting.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
Nuclei 3.2 Release: https://nux.gg/podcast
Today’s Guest: https://twitter.com/joaxcar
https://joaxcar.com/blog/
Resources:
Github CSP Bypass
https://gist.github.com/joaxcar/6e5a0a34127704f4ea9449f6ce3369fc
CSP Validator
https://cspvalidator.org/
Cross Window Forgery
https://www.paulosyibelo.com/2024/02/cross-window-forgery-web-attack-vector.html
Gitlab Crit
https://gist.github.com/joaxcar/9419b2df8778f26e9b02a741a8ec12f8
Timestamps:
(00:00:00) Introduction
(00:09:34) Github CSP Bypass
(00:38:48) Script Gadgets and growth through Gitlab
(00:53:53) Gitlab pipeline bug
(01:12:32) Full-time Bug Bounty
Episode 68: In this episode of Critical Thinking - Bug Bounty Podcast Mathias is back with some fresh HTMX research, including CSP bypass using HTMX triggers, converting client-side response header injection to XSS, bypassing HTMX disable, and the challenges of using HTMX in larger applications and the potential performance trade-offs. We also talk about the results of his recent CTF Challenge, and explore some more facets of CDN-CGI functionality.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Project Discovery Conference: https://nux.gg/hss24
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Guest: https://twitter.com/avlidienbrunn
Resources:
Masato Kinugawa's research on Teams
https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=33
subdomain-only 307 open redirect
https://avlidienbrunn.se/cdn-cgi/image/onerror=redirect/http://anything.avlidienbrunn.se
Timestamps:
(00:00:00) Introduction
(00:05:18) CSP Bypass using HTML
(00:14:00) Converting client-side response header injection to XSS
(00:23:10) Bypassing hx-disable
(00:32:37) XSS-ing impossible elements
(00:38:22) CTF challenge Recap and knowing there's a bug
(00:51:53) hx-on (deprecated)
(00:54:30) CDN-CGI Research discussion
Episode 67: In this episode of Critical Thinking - Bug Bounty Podcast we deep-dive on the topic of Vulnerability Disclosure Programs (VDPs) and whether they are beneficial or not. We also touch on the topic of leaderboard accuracy, and continue the Program vs. Hacker debate regarding allocating funds for bounties.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Project Discovery Conference: https://nux.gg/hss24
Resources:
Nagli's Braindump on VDPs
https://twitter.com/galnagli/status/1780174392003031515
Timestamps:
(00:00:00) Introduction
(00:05:37) VDP programs
(00:34:10) Leaderboards
(00:43:52) Hacker vs. Program debate Part 2
(01:07:24) Walling Off Endpoints
Episode 66: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the recent YesWeHack Louis Vuitton LHE, the importance of failure as growth in bug bounty, and Justin shares his research on CDN-CGI.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Project Discovery Conference: https://nux.gg/hss24
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Resources:
YesWeHack Louis Vuitton LHE
https://twitter.com/yeswehack/status/1776280653744554287
https://event.yeswehack.com/events/hack-me-im-famous-2
Caido Workflows
https://github.com/caido/workflows
Oauth Redirects
https://twitter.com/Akshanshjaiswl/status/1724143813088940192
Bagipro Golden URL techniques
https://hackerone.com/reports/431002
Roadmap I followed to make 15,000+$ Bounties in my first 8 months
https://shreyaschavhan.notion.site/Roadmap-I-followed-to-make-15-000-Bounties-in-my-first-8-months-of-starting-out-and-my-journey-98b1b9ff621645c0b97d1e774992f300
Monke Hacks Blog
https://monkehacks.beehiiv.com/
PortSwigger post
https://x.com/PortSwiggerRes/status/1766087129908576760
post from Masato Kinugawa
https://x.com/kinugawamasato/status/916393484147290113
Timestamps:
(00:00:00) Introduction
(00:04:19) Louis Vuitton LHE
(00:13:57) Browser Market share
(00:21:13) Justin's Bug of the Week
(00:24:49) Caido Workflows
(00:27:24) Oauth Redirects
(00:32:24) Bug Bounty learning Methodology
(00:41:03) 'Intent To Ship'
(00:48:08) CDN-CGI Research
Episode 65: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with Sam Curry to discuss the ethical considerations and effectiveness of hacking, the importance of good intent, and the enjoyment Sam derives from pushing the boundaries to find bugs. He shares stories of his experiences, including hacking Tesla, online casinos, Starbucks, his own ISP router, and even getting detained at the airport.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Project Discovery Conference: https://nux.gg/hss24
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Guest: https://samcurry.net/
Resources:
Don’t Force Yourself to Become a Bug Bounty Hunter
hackcompute
Starbucks Bug
recollapse
Timestamps:
(00:00:00) Introduction
(00:02:25) Hacking Journey and the limits of Ethical Hacking
(00:28:28) Selecting companies to hack
(00:33:22) Fostering passion vs. Forcing performance
(00:54:06) Collaboration and Hackcompute
(01:00:40) The Efficacy of Bug Bounty
(01:09:20) Secondary Context Bugs
(01:25:01) Mindmaps, note-taking, and Intuition
(01:46:56) Back-end traversals and Unicode
(01:56:16) Hacking ISP
(02:06:58) Next.js and Crypto
(02:22:24) Dev vs. Prod JWT
Episode 64: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel delve into .NET remoting and how it can be exploited, a recent bypass in the DOMPurify library, and some interesting functionality in the Cloudflare CDN-CGI endpoint. They also touch on the importance of collaboration and knowledge sharing, JavaScript deobfuscation, the value of impactful POCs, and hiding XSS payloads with URL path updates.
Follow us on twitter at: @ctbbpodcast
Send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Check out Project Discovery’s nuclei 3.2 release blog at nux.gg/podcast
Resources:
.NET Remoting
https://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/
https://github.com/codewhitesec/HttpRemotingObjRefLeak
DOM Purify Bug
Cloudflare /cdn-cgi/
https://developers.cloudflare.com/fundamentals/reference/cdn-cgi-endpoint/
https://portswigger.net/research/when-security-features-collide
https://twitter.com/kinugawamasato/status/893404078365069312
https://twitter.com/m4ll0k/status/1770153059496108231
XSSDoctor's writeup on Javascript deobfuscation
renniepak's tweet
Naffy's tweet
Timestamps:
(00:00:00) Introduction
(00:07:15) .Net Remoting
(00:17:29) DOM Purify Bug
(00:25:56) Cloudflare /cdn-cgi/
(00:37:11) Javascript deobfuscation
(00:47:26) renniepak's tweet
(00:55:20) Naffy's tweet
Episode 63: In this episode of Critical Thinking - Bug Bounty Podcast we welcome back Jason Haddix (from Episode 12) to talk about some updates to his The Bug Hunter's Methodology, as well as his own personal life and hacking journey. We talk about the start of his new company, and then venture into topics such as using threat intelligence and buying credentials from the dark web, recon techniques, and ways to integrate AI into your workflow (or target list).
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
Today’s Guest: https://twitter.com/Jhaddix
https://www.arcanum-sec.com/
Resources:
Dehashed
https://www.dehashed.com/
Flare
https://flare.io/
CSP Recon
https://github.com/edoardottt/csprecon
Timestamps:
(00:00:00) Introduction
(00:05:37) Updates to The Bug Hunter's Methodology
(00:14:46) Red Teaming
(00:21:29) Bug Bounty on the Dark Web
(00:36:19) FIS hunting
(00:47:59) New Recon Techniques
(00:58:32) AI integrations and bounties
Episode 62: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with some additional research resources that didn’t make the Portswigger Top-Ten, but that are worth looking at.
Follow us on twitter at: @ctbbpodcast
Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
Resources:
Cool HTML Shit
https://twitter.com/jcubic/status/1764311080661082201
https://twitter.com/encodeart/status/1764218128374943764
Bug bounty Hunting Journeys
https://twitter.com/ajxchapman/status/1762101366057525521
https://monkehacks.beehiiv.com/p/monkehacks-02
Yelp Cookie Bridge Report
Deobfuscating/Unminifying Obfuscated Code
ChatGPT Source Watch
Web Security Research Reddit
Nahamsec Resources
Portswigger Nominations list
Abusing perspectives: https://hackerone.com/reports/2401115
PortSwigger CSS Exfiltration
https://github.com/PortSwigger/css-exfiltration
Timestamps:
(00:00:00) Introduction
(00:02:06) Cool HTML Shit
(00:15:31) Bug Bounty Journeys
(00:28:01) Yelp Cookie Bridge Bug
(00:37:56) Additional Research Resources
(00:46:34) CSS and abusing perspectives
Episode 61: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Jasmin Landry to share some stories about startup security, bug bounty, and the challenges of balancing both. He also shares his methodology for discovering OAuth-related bugs, highlights some differences between structured learning and self-teaching, and then walks us through a couple arbitrary ATO’s and SSTI to RCE bugs he’s found lately.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Guest: Jasmin Landry
https://twitter.com/JR0ch17
Resources:
Dirty Dancing blog post
https://labs.detectify.com/writeups/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/
OAuth 2.0 Threat Model and Security Considerations
https://datatracker.ietf.org/doc/html/rfc6819
OAuth 2.0 Security Best Current Practice
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
Timestamps:
(00:00:00) Introduction
(00:02:20) Meta Tag + DomPurify Bug
(00:09:36) Jasmin's Origin story
(00:28:23) Full time Bug bounty challenges
(00:36:57) Career jumps in Security and current Role
(00:47:32) OAuth Bug methodology and cool bug stories
(01:02:35) Social Engineering and Bug Bounty
(01:13:41) Arbitrary ATO bug
(01:19:41) SSTI to RCE bug
Episode 60: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel review the Portswigger Research list of top 10 web hacking techniques of 2023.
Follow us on twitter at: @ctbbpodcast
Send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord
We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Resources:
Top 10 web hacking techniques of 2023
1: Smashing the state machine
8: From Akamai to F5 to NTLM
3: SMTP Smuggling
4: PHP filter chains (Bonus Read)
5: HTTP Parsers Inconsistencies
6: HTTP Request Splitting
7: How I Hacked Microsoft Teams
9: Cookie Crumbles (Bonus Read)
10: Hacking root EPP servers to take control of zones
Timestamps:
(00:00:00) Introduction
(00:04:26) 1: Smashing the state machine
(00:11:56) 8: From Akamai to F5 to NTLM... with love
(00:17:11) 3: SMTP Smuggling
(00:26:27) 4: PHP filter chains
(00:36:40) 5: HTTP Parsers Inconsistencies
(00:44:56) 6: HTTP Request Splitting
(00:53:43) 7: How I Hacked Microsoft Teams
(01:02:25) 9: Cookie Crumbles
(01:11:36) 10: EPP Server Takeover
Episode 59: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the concept of gadgets and how they can be used to escalate the impact of vulnerabilities. We talk through things like HTML injection, image injection, CRLF injection, web cache deception, leaking window location, self-stored XSS, and much more.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
------ Ways to Support CTBBPodcast ------
Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Resources:
Even Better
NahamSec's 5 Week Program
NahamCon News
CSS Injection Research
Timestamps:
(00:00:00) Introduction
(00:03:31) Caido's New Features
(00:15:20) Nahamcon News and 5 week Bootcamp and pentest opportunity
(00:19:54) HTML Injection, CSS Injection, and Clickjacking
(00:33:11) Image Injection
(00:37:19) Open Redirects, Client-side path traversal, and Client-side Open Redirect
(00:49:51) Leaking window.location.href
(00:57:15) Cookie refresh gadget
(01:01:40) Stored XSS
(01:09:01) CRLF Injection
(01:13:24) 'A Place To Stand' in GraphQL and ID Oracle
(01:18:23) Auth gadgets, Web Cache Deception, & LocalStorage poisoning
(01:27:46) Cookie Injection & Context Breaks
Episode 58: In this episode of Critical Thinking - Bug Bounty Podcast we finally sit down with Youssef Samouda and grill him on his various techniques for finding and exploiting client-side bugs and postMessage vulnerabilities. He shares some crazy stories about race conditions, exploiting hash change events, and leveraging scroll to text fragments. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://twitter.com/samm0uda?lang=en https://ysamm.com/ Resources: Client-side race conditions with postMessage: https://ysamm.com/?p=742 Transferable Objects https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Transferable_objects Every known way to get references to windows, in javascript: https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2d Youssef’s interview with BBRE https://www.youtube.com/watch?v=MXH1HqTFNm0 Timestamps: (00:00:00) Introduction (00:04:27) Client-side race conditions with postMessage (00:18:12) On Hash Change Events and Scroll To Text Fragments (00:32:00) Finding, documenting, and reporting complex bugs (00:37:32) PostMessage Methodology (00:45:05) Youssef's Vuln Story (00:53:42) Where and how to look for ATO vulns (01:05:21) MessagePort (01:14:37) Window frame relationships (01:20:24) Recon and JS monitoring (01:37:03) Client-side routing (01:48:05) MITMProxy
Episode 57: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are live from Miami, and recap their experience and share takeaways from the live hacking event. They highlight the importance of paying attention to client-side routing and the growing bug class of client-side path traversal. They also discuss the challenges of knowing when to cut your losses and the value of tracking time and setting goals. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Timestamps: (00:00:00) Introduction (00:03:50) Miami LHE Recap and Takeaways (00:05:57) Keeping time and cutting losses. (00:19:07) Roles and Goals (00:23:33) OAuth (00:28:52) HTML5 image to img Tip
Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston). In this episode of Critical Thinking - Bug Bounty Podcast, Justin sits down with Jon Colston to discuss how his background in digital marketing and data science has influenced his hunting methodology. We dive into subjects like data sources, automation, working backwards from vulnerabilities, applying conversion funnels to bug bounty, and the mayonaise signature 'Mother of All Bugs'. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ WordFence - Sign up as a researcher! https://ctbb.show/wf Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://hackerone.com/mayonaise?type=user Timestamps: (00:00:00) Introduction (00:12:07) Evolving Hacking Methodologies & B2B Hacking (00:23:57) Data Science + Bug Bounty (00:34:37) 'Lead Generation for Vulns' (00:41:39) Ingredients and Recipes (00:49:45) Keyword Categorization (00:54:30) Manual Processes and Recap (01:07:08) Data Sources (01:19:59) Digital Marketing + Bug Bounty (01:32:22) M.O.A.B.s (01:41:02) Burnout Protection and Dupe Analysis
Episode 55: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by Wordpress Security Researcher Ram Gall to discuss both functionality and vulnerabilities within Wordpress Plugins. Follow us on twitter Send us any feedback here: Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ WordFence - Sign up as a researcher! https://ctbb.show/wf --- Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: Ramuel Gall UpdraftPlus Vuln XML-RPC PingBack Unicode and Character Sets Reflected XSS POP Chain WordpressPluginDirectory Subscriber+ RCE in Elementor Subscriber+ SSRF Unauthed XSS via User-Agent header Timestamps: (00:00:00) Introduction (00:05:55) Add_action & Nonces (00:26:16) Add_filter & Register_rest_routes (00:38:39) Page-related code & Shortcodes (00:50:24) Top Sinks for WP (01:02:19) Echo & SQLI Sinks (01:15:07) Nonce Leak and wp_handle_upload (01:18:16) Page variables & Pop Chains (01:26:55) WP Escalations & Bug Reports
Episode 54: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with news items and new projects. Joel shares about his personal scraping project to gather data on bug bounty programs and distribution. Next, they announce the launch of HackerNotes, a podcast companion that will summarize the main technical points of each episode. They also discuss a recent GitLab CVE and an invisible prompt injection, before diving into a discussion (or debate) about vulnerable code patterns. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Gitlab CVE https://github.com/Vozec/CVE-2023-7028 https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/ Fix commit: https://gitlab.com/gitlab-org/gitlab/-/commit/abe79e4ec437988cf16534a9dbba81b98a2e7f18 Invisible Prompt Injection https://x.com/goodside/status/1745511940351287394?s=20 Regex 101 https://regex101.com Regex to Strings https://www.wimpyprogrammer.com/regex-to-strings/ Timestamps (00:00:00) Introduction (00:01:54) Joel’s H1 Data Scraping Research (00:19:23) HackerNotes launch (00:21:29) Gitlab CVE (00:27:45) Invisible Prompt Injection (00:33:52) Vulnerable Code Patterns (00:37:51) Sanitization, but then modification of data afterward (00:45:39) Auth check inside body of if statement (00:48:15) Check for bad patterns with if, but then don't do any control flow (00:50:21) Bad Regex (01:00:36) Replace statements for sanitization (01:04:32) Anything that allows you to call functions or control code flow in uncommon ways
Episode 53: In this episode of Critical Thinking - Bug Bounty Podcast, we’re joined by none other than NahamSec. We start by discussing the challenges he faced on his journey in bug bounty hunting and content creation, including personal struggles and the pressure of success. We also talk about finding balance and managing mental energy, going the extra mile, and the importance of planning and setting goals for yourself, before he walks us through some Blind XSS techniques. Follow us on twitter at: @ctbbpodcast Feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Timestamps: (00:00:00) Introduction (00:01:37) Costs of Content Creation (00:21:12) Hacking 'identities' and Pivoting (00:36:49) Hacking Methodology (00:58:59) Planning, Goals, and Nahamsec's 2023 Performance (01:10:19) Blind XSS (01:35:19) Going the extra mile in Bug Bounty
Episode 52: In this episode of Critical Thinking - Bug Bounty Podcast we're going back and highlighting some of the best technical moments from the past year! Hope you enjoy this best of 2023 Supercut! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Timestamps: (00:00:00) Introduction (00:02:55) Episode 26: Meta tags and base tags in HTML (00:15:20) Episode 27: Client-side path traversal (00:23:18) Episode 27: Cookie bombing + cookie jar overflow (00:35:47) Episode 44: Cross environment authentication bugs (00:43:17) Episode 47: The open-faced Iframe Sandwich (00:50:19) Episode 47: js hoisting and classic Joel nerdsnipe (00:58:28) Episode 29: Sean Yeoh on Subdomains vs IP in recon (01:04:05) Episode 30: Shubs on reversing enterprise software (01:24:58) Episode 30: Shubs on building out a recon flow (01:29:36) Episode 30: Shubs on Hacking IIS Servers (01:36:45) Episode 37: 0xLupin on smart JavaScript analysis tools (01:45:42) Episode 45: Frans Rosen On App cache, Service workers cookie stuffing, and postMessage (02:15:02) Episode 50: Mathias Karlsson on XSLT and MXSS (02:39:26) Episode 27: Assetnote's sharefile RCE (02:48:18) Episode 31: Perforce RCE (02:53:48) Episode 48: Sam Erb's XSLT bug story (02:58:47) Final thoughts and Special Thanks
Episode 51: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are back for the last episode of 2023. We discuss some noteworthy news items including a HackerOne Crit, Caido updates, and some Blind CSS. Then we dive into our own personal ‘Hackers Wrapped’ recap of the year, before laying out some goals for 2024. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources Flow Powertoys Alfred Pyperclip Textgrab CTF Payload Challenge HackerOne Crit Report Blind CSS Injection Timestamps (00:00:00) Introduction (00:08:43) Keyboard Shortcut Utility Systems (00:21:28) CTF Challenge By Frans (00:32:40) HackerOne 25K Crit Disclosure (00:36:31) Caido Searchbar Rework (00:40:51) Blind CSS Exfiltration (00:44:10) 2023 Personal Bug Bounty Stats (01:01:15) 2024 Personal Bug Bounty Goals
Episode 50: In this episode of Critical Thinking - Bug Bounty Podcast, Justin catches up with hacking master Mathias Karlsson, and talks about burnout, collaboration, and the importance of specialization. Then we dive into the technical details of MXSS and XSLT, character encoding, and give some predictions of what Bug Bounty might look like in the future… Follow us on twitter at: @ctbbpodcast Send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest Episode Resources How to Differentiate Yourself as a Hunter MutateMethods hackaplaneten Article About Unicode and Character Sets Byte Order Mark: Character Encodings ShapeCatcher WAF Bypass BountyDash EXPLOITING HTTP'S HIDDEN ATTACK-SURFACE Timestamps: (00:00:00) Introduction (00:10:06) Automation Setup and Assetnote Origins (00:16:49) Sharing Tips, and Content Creation (00:22:27) Collaboration and Optimization (00:36:44) Working at Detectify (00:51:45) Bug Bounty Burnout (00:56:15) Early Days of Bug Bounty and Future Predictions (01:19:00) Nerdsnipeability (01:29:38) MXSS and XSLT (01:54:20) Learning through being wrong (02:00:15) Go-to Vulns
Episode 49: In this episode of Critical Thinking - Bug Bounty Podcast, Justin Gardner is once again joined by Nagli to discuss some of their recent hacking discoveries. They talk about finding and exploiting a backup file in an ASP.NET app, discovering vulnerabilities through Swagger files, and debating the vulnerability of a specific ‘undisclosed’ domain. Then they reflect on 2023’s Live Hacking Event circuit, and preview what’s to come in 2024’s. This episode is sponsored by Wordfence! Wordfence recently launched a game-changer of a bug bounty program in which ALL WordPress plugins with over 50k installs are in-scope. They are currently paying 6.25x their normal bounty amounts, and have agreed to give CT listeners a 10% bonus on top of that! If you wanna pop some crits and see those bounties roll in, head over to https://ctbb.show/wf for more info and keep an eye on the CTBB Discord for inspiration/collabs. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest Episode Resources: Shockwave Why So Serial New LHE Standards Dropped Timestamps: (00:00:00) Introduction (00:02:37) wwwroot .zip Hack Recap (00:13:44) Swagger File Hack Recap (00:18:27) Undisclosed URL Hack Recap (00:24:29) 2023 LHE Circuit Recap (00:37:14) 2024 LHE Preview and New Standards (00:47:22) Bug Bounty Motivation
Episode 48: In this episode, we're joined by the spectacular Sam Erb, Google Security Engineer and DEFCON Black Badge winner. We talk about the importance of understanding how systems work to find vulnerabilities, and how his engineering background influences his hunting style and methodologies. Then we jump over to his Career Development and his work with Google, and then chat about some of the recent Google Vulnerability Programs. This episode is sponsored by Wordfence! Wordfence recently launched a game-changer of a bug bounty program in which ALL WordPress plugins with over 50k installs are in-scope. They are currently paying 6.25x their normal bounty amounts, and have agreed to give CT listeners a 10% bonus on top of that! Head over to https://ctbb.show/wf for more info and keep an eye on the CTBB Discord for inspiration/collabs. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! —— Links —— Follow your hosts Rhynorater & Teknogeek on twitter: —— Ways to Support CTBBPodcast —— Sign up for Caido using code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord Discord premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://twitter.com/erbbysam Sam Erb's Static Secret Security Now Podcast BIMI: And https://bimigroup.org/ Google Device Vulnerability Reward Program Initiatives Google Invalid Reports Hacking Google Timestamps: (00:00:00) Introduction (00:02:50) Hacker Methodology with Sam Erb (00:12:20) Balancing Bug Hunting and Personal Life (00:15:53) Deep Diving on a program and using automation.
(00:27:00) Optimizing Bug Hunting and Understanding Attack Vectors (00:39:22) Collaboration and Boundaries (00:45:42) Career Development and Entrepreneurship (00:55:13) Winning Black Badges at DEFCON (00:58:02) BufferOver (01:09:11) Working at Google (01:19:23) Google Bug Bounty Programs (01:31:41) BONUS Cool Bugs
Episode 47: In this episode of Critical Thinking - Bug Bounty Podcast, the holidays are fast approaching, and Justin and Joel discuss some of the struggles of getting back into the hacking groove during and after breaks. We also celebrate the newly launched Critical Thinking Discord Community before diving into Iframe Sandwiches, JS Hoisting, CSP Bypasses, and a host of new tools, techniques, and tangents. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! ThankUNext jswzl Rapid API SSRF Utility tool by Bebiks Tweet from Johan Carlsson Burp Extension from Google VRP Justin's Tweet about JS Hoisting Bypass CSP Using WordPress How to trick CSP in letting you run whatever you want Timestamps: (00:00:00) Introduction (00:01:58) Overcoming Bug Bounty struggles and getting back into the hacking groove (00:07:46) Taking notes and sticking to one program (00:14:50) Critical Thinking Discord, Community highlights, and Competition vs Collaboration (00:22:25) Secondary context bugs and Automationism (00:28:42) ThankUNext and Client-side Paths (00:33:45) Tool Tangents: Jswzl, Caido, Postman, and Rapid API (00:46:49) New SSRF Utility tool by Bebiks and the continuing evolution of hacking tools (00:51:45) Iframe Sandwiches (00:58:54) News Items (01:06:12) JS Hoisting (01:15:05) CSP Bypasses
Episode 46: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is deep diving the topic of SAML (Security Assertion Markup Language), and walks through what it is and why it can be intimidating, before going over some key attack vectors to look for. Then he closes out with a commentary on a sample payload, and some HackerOne reports. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. KazHACKstan https://kazhackstan.com/en Testing SAML security with DAST https://agrrrdog.blogspot.com/2023/01/testing-saml-security-with-dast.html How to break SAML if I have paws? https://speakerdeck.com/greendog/how-to-break-saml-if-i-have-paws?slide=20 How to Hunt Bugs in SAML; a Methodology https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/ SAML Raider https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e External Entity Injection during XML signature verification https://bugs.chromium.org/p/project-zero/issues/detail?id=2313 mTLS: When certificate authentication is done wrong https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done-wrong/ HackerOne Uber Report https://hackerone.com/reports/136169 Timestamps: (00:00:00) Introduction (00:05:25) Understanding SAML and its complexities (00:08:30) SAML Attack Vectors (00:14:15) XML Signature Wrapping (00:19:50) Some SAML tests to try (00:30:30) Sample Payload description (00:34:10) Token Recipient confusion (00:36:05) HackerOne Reports
Episode 45: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome Frans Rosén, an OG bug bounty hunter and co-founder of Detectify. We kick off with Frans sharing his journey into bug bounty and security startups, before diving headfirst into a host of his blog posts. We also cover the value of pseudo-code for bug exploitation, understanding developer terminology, the challenges of collaboration and delegating tasks, and balancing hacking with parenting. If you're interested in bug bounty or entrepreneurship, you won't want to miss it! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Join our Discord! Today's Guest: https://twitter.com/fransrosen Detectify Discovering s3 subdomain takeovers Bucket Disclose A deep dive into AWS S3 access controls Attacking Modern Web Technologies Live Hacking like a MVH Account hijacking using Dirty Dancing in sign-in OAuth flows Timestamps: (00:00:00) Introduction (00:04:50) Frans Rosén's Bug Bounty Journey and the creation of Detectify (00:13:30) Benefits of pseudo-code, typing, and thinking like a developer (00:20:20) Hunter Methodologies (00:35:40) Time on targets, Iteration vs. Ideation, and tips for standing out (00:51:10) S3 subdomain takeovers (01:05:02) Blog posting and hosting motivations (01:13:30) Detectify and entrepreneurial endeavors (01:29:50) Attacking Modern Web Technologies (01:46:00) postMessage and MessagePort (01:58:09) Live Hacking and Collaboration (02:13:50) Account Hijacking and OAuth Flows (02:28:48) Hacking/Parenting
Episode 44: In this episode of Critical Thinking - Bug Bounty Podcast, the topic is URL structure, and Justin and Joel break down the elements that make up a URL and some common tips and tricks surrounding them which allow for all sorts of bypasses. We also round out the episode with some new tools, ATO stories, and some controversial current events in the hacker scene. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. "XnlReveal" XNL h4ck3r OAuth article by Salt Labs H1 controversy recap ATO through Facebook Login https://twitter.com/Jayesh25_/status/1718543152296939861 https://twitter.com/itscachemoney/status/1721658450613346557 When URL Parsers disagree Golden techniques to bypass host validations in Android apps Mozilla article on HTTP Authentication Breaking Parser Logic talk by Orange Tsai URL Detector SSRF Bible Timestamps: (00:00:00) Introduction (00:04:10) “Xnl-Reveal” (00:07:22) OAuth vulnerabilities (00:13:17) Recap of controversy surrounding the handling of a vulnerability report on H1 (00:18:55) Hacker Success Manager Program (00:22:30) Facebook login ATO (00:27:45) When URL parsers disagree (00:34:34) URL Structures (01:02:22) Shared secrets across environments (01:09:40) Social Media Logins
Episode 43: In this episode of Critical Thinking - Bug Bounty Podcast, we're joined by Emile from Caido, who shares his journey into the bug bounty and ethical hacking world. We kick off with a hilarious incident involving Joel, a child on an airplane, and an unfortunate cough. We then dive into the challenges of building an HTTP proxy tool, balancing basic features with nice-to-have features, and the importance of user feedback in shaping the development of Caido, a bug bounty tool. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount on the annual license. Today’s Guest: https://twitter.com/TheSytten Caido https://caido.io/ Caido’s Discord https://discord.com/invite/KgGkkpKFaq VS Code https://code.visualstudio.com/ DNSChef https://github.com/iphelix/dnschef HackMD https://hackmd.io/ Timestamps: (00:00:00) Introduction (00:01:34) Emile’s journey from general infrastructure development to co-founding Caido (00:07:00) The rundown on Caido, a lightweight and flexible HTTP proxy tool (00:11:00) Current and upcoming Caido Features (00:17:00) Caido crew and division of duties (00:19:40) Missing features and feature requests (00:23:49) Decision to use Rust (00:28:25) Workflows and walkthroughs (00:36:27) Intercepts and the Roadmap (00:41:15) Opinions on collaborator Functionality and HTTP Callback (00:46:19) Reporting and Collaboration
Episode 42: In this episode of Critical Thinking - Bug Bounty Podcast, we're live from a hacking event in Portugal, and joined by the extremely talented René de Sain! He helps us cover a host of topics like NFT, XSS, LHE, and tips for success. We also talk about the correlation between creativity and hacking, shared workspaces, and last but certainly not least, hacker tattoos. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Today’s Guest: https://twitter.com/renniepak https://www.linkedin.com/in/rene-de-sain/ https://app.intigriti.com/researcher/profile/renniepak Hacker Hideout https://hackerhideout.xyz Timestamps: (00:00:00) Introduction (00:04:40) NFT Vulns and web3 hacking (00:08:15) Hacker Tattoos (00:12:30) Intigriti vs. other platforms, and LHE approaches. (00:20:10) Loneliness, budgeting, and the pros and cons of full-time hunting (00:28:36) Target approaches, XSS, and extension tools. (00:37:40) Fostering hacker intuition and relationships (00:47:15) Final thoughts on the Intigriti Event
Episode 41: In this episode of Critical Thinking - Bug Bounty Podcast, Justin takes a break from his busy travel schedule to walk us through a few of his Attack Vector formulation strategies. We’re keeping this one short and sweet, so it can be better used as a reference when looking for new vectors. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Nahamcon talk by Douglas Day https://youtu.be/G1RHa7l1Ys4?t=295 Timestamps: (00:00:00) Introduction (00:02:53) Use the application like a human, not like a hacker (00:05:02) Reading documentation looking for "Cannot" statements (00:08:16) Look at the grayed out areas (00:10:08) Look for information in the API response (00:12:38) Differences in the UI between different accounts (00:13:42) Pay the paywall.
Episode 40: In this episode of Critical Thinking - Bug Bounty Podcast, it’s all about mentorships! Justin sits down with Kodai and So, two hackers he helped mentor, to discuss what worked and what didn’t. We talk about the importance of mentorship, what mentors might look for in a candidate, the challenges of transitioning from being mentored to self-education, and the necessity of continuous learning in this ever-evolving field that is bug bounty. This episode is a treasure trove of insights, and if you’re interested in either side of the mentorship coin, you won’t want to miss it. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Today’s Guests: https://twitter.com/weeshter https://twitter.com/Mokusou4 Congrats to @nchickens as our giveaway winner! The Bug Hunter's Methodology Live Course https://jasonhaddix.gumroad.com/l/lycucs Timestamps: (00:00:00) Introduction (00:04:00) Guest backgrounds and introduction into hacking (00:17:49) Where to start Learning and Teaching (00:25:40) Technical Training vs Conceptual Teaching (00:28:34) Mentorship Styles and Techniques. (00:39:15) Moving from being mentored to self-learning (00:46:20) Developing mental resilience and healthy habits (00:50:32) Elements in mentorships that were hard or haven’t worked (01:02:21) Being influenced by other hackers through mentorship or collaboration (01:06:20) Hacking Bilingually and language barriers (01:11:30) Hacking and learning goals for the future
Episode 39: In this episode of Critical Thinking - Bug Bounty Podcast, we're catching up on news, including new override updates from Chrome, GPT-4, SAML presentations, and even a shoutout from LiveOverflow! Then we get busy laying the groundwork on a discussion of web architecture. Better get started on this one, 'cause we're going to need a part two! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater CT shoutout from LiveOverflow https://www.youtube.com/watch?v=3zShGLEqDn8 Chrome Override updates https://developer.chrome.com/blog/new-in-devtools-117/#overrides GPT-4/AI Prompt Injection https://x.com/rez0__/status/1706334160569213343?s=20 & https://x.com/evrnyalcin/status/1707298475216425400?s=20 Caido Releases Pro free for students https://twitter.com/CaidoIO/status/1707099640846250433 Or, use code ctbbpodcast for 10% off the subscription price Aleksei Tiurin on SAML hacking https://twitter.com/antyurin/status/1704906212913951187 Account Takeover on Tesla https://medium.com/@evan.connelly/post-account-takeover-account-takeover-of-internal-tesla-accounts-bc720603e67d Joseph https://portswigger.net/bappstore/82d6c60490b540369d6d5d01822bdf61 Cookie Monster https://github.com/iangcarroll/cookiemonster HTMX https://htmx.org/ Timestamps: (00:00:00) Introduction (00:04:40) Shoutout from LiveOverflow (00:06:40) Chrome Overrides update (00:08:48) GPT-4V and AI Prompt Injection (00:14:35) Caido Promos (00:15:40) SAML Vulns (00:17:55) Account takeover on Tesla, and auth token from one context in a different context (00:24:30) Testing for vulnerabilities in JWT-based authentication (00:28:07) Web Architectures (00:32:49) Single page apps + a REST API (00:45:20) XSS vulnerabilities in single page apps
(00:49:00) Direct endpoint architecture (00:55:50) Content Enumeration (01:02:23) gRPC & Protobuf (01:06:08) Microservices and Reverse Proxy (01:12:10) Request Smuggling/Parameter Injections
Episode 38: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome mobile hacking maestro Sergey Toshin (aka @bagipro). We kick off with Sergey sharing his unexpected journey into mobile security, and how he rose to become the number one hacker in both Google Play Security and Samsung Bug Bounty programs. We then delve into the evolving perception of mobile bugs, a myriad of new and existing attack vectors, and discuss Sergey's creation of mobile security company Oversecured. You’re going to want to make time for this one! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today's Guest: https://twitter.com/_bagipro Oversecured https://oversecured.com/ Oversecured Blog https://blog.oversecured.com/ jadx https://github.com/skylot/jadx 'Golden Android Techniques' https://hackerone.com/reports/431002 Timestamps: (00:00:00) Introduction (00:01:28) Sergey Toshin’s hacking journey and achievements (00:08:20) Mobile hacking: Devices and attack vectors (00:12:35) Using Jadx (00:15:40) The creation of Oversecured (00:23:10) The Oversecured Blog and Sharing Information (00:28:08) New Spheres and Strategies of Mobile Hacking (00:35:13) Tips for getting into Mobile Hacking
Episode 37: In this episode of Critical Thinking - Bug Bounty Podcast we're joined by none other than Lupin himself! We recap the Tokyo LHE and the lessons we learned from it before diving into his legendary journey into security research and bug bounty. We also talk collaboration of all kinds: pair hacking, joining a team, and starting a business together. We even touch on some great tools that can collaborate with each other! This was a fun one, and we don't want you to miss it! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guest: https://twitter.com/0xLupin Lupin and Holmes https://landh.tech/ JSWZL https://jswzl.io/ Cursor https://cursor.so/ Clairvoyance https://github.com/nikitastupin/clairvoyance Tweet about Command Injections https://twitter.com/win3zz/status/1703702550372078074 James Kettle article on security research https://portswigger.net/research/so-you-want-to-be-a-web-security-researcher Timestamps: (00:00:00) Introduction (00:01:00) Lessons learned from the latest LHE (00:09:30) JSWZL and the Cursor Combo (00:19:15) The Legend of Lupin (00:34:35) Code and Collaborating (00:38:48) Requests, Automation, and Testing (00:50:28) Joel's Helper scripts (00:52:50) Teamwork and Pair Hacking (00:57:29) Tips for learning to Hack (01:00:35) UUID and CTF (01:08:35) Dynamics of Collaboration with French Team
Episode 36: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel take a break from LHE prep to answer questions about the ethics of bug bounty and share their recent bug finds. We talk iframes, mobile intercept proxies, open redirects, and that time Justin got shot at… Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Timeshifter: https://www.timeshifter.com/ Tweet about Google Open Redirect https://twitter.com/Rhynorater/status/1697357773690818844 Tweet about XSS Exploitation https://twitter.com/Rhynorater/status/1698059391700701424 Request Minimizer https://portswigger.net/bappstore/cc16f37549ff416b990d4312490f5fd1 Timestamps: (00:00:00) Introduction (00:02:45) HackerOne LHE Preview (00:05:40) Is Bug Bounty Inherently Ethical? (00:19:25) Ethics of Going out of scope (00:27:56) Justin’s story of getting shot at (00:30:22) Setting up a mobile intercept proxy (00:33:40) How to approach a new target (00:40:30) Google Open Redirect (00:43:35) Recent XSS Exploitation (00:46:28) ATO Trick (00:50:25) Joel’s Bug Report (00:55:40) Justin’s Bug Report
Episode 35: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome Douglas Day, a bug bounty hunter known for his unique methodologies and collaborative spirit. We talk about his approach to finding new endpoints in applications, his ingenious technique of exploiting Intercom widgets, and collaboration preferences and tips at LHEs. We also touch on the struggle of justifying hobbies that don't generate income and the importance of finding enjoyment in the process. We hope you enjoy this episode as much as we did! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guest: https://twitter.com/ArchAngelDDay https://hackerone.com/the_arch_angel https://bugcrowd.com/arch_angel 100 Short Bug Bounty Rules https://twitter.com/ArchAngelDDay/status/1661924038875435008 Blog about Intercom https://dday.us/2021/11/03/h1vendorATO.html Blog about Mapping Hacking http://dday.us/2021/10/09/Mapyourhacking.html Timestamps: (00:00:00) Introduction (00:03:01) Douglas Day’s infosec and LHE intro (00:10:42) Evolution and philosophy of collaboration (00:23:08) Balancing Collaboration and Money (00:29:43) Recap of 100 Short Bug Bounty Rules (00:37:15) Bug-hunting Methodology (00:45:45) Using match and replace to find new endpoints in bug hunting (00:49:07) Exploiting Intercom widgets (00:52:35) Facing Failure and enjoying the journey (00:57:00) Managing work-life balance (01:05:55) Auth-Z testing and documentation (01:12:25) Vulnerabilities in applications (01:17:05) Mapping Hacking Sessions
Episode 34: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel have both beaten COVID and now square off against each other in a mega-debate representing hackers and program managers respectively. Among the topics included are Disclosures, Dupes, Zero-Day Policy, payouts, budgets, Triage and Retesting. So, if you want blood-pumping, insult-hurling, opinion-invalidating debate…then maybe look somewhere else. But if a thought-provoking discussion about bug bounty is more your style, then take a seat and get ready! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Prompt Injection Primer for Engineers https://twitter.com/rez0__/status/1695078576104833291 Portswigger on XSS https://twitter.com/PortSwiggerRes/status/1691812241375424983 Gunnar Andrews' talk https://www.youtube.com/watch?v=aaDe1ADh5KM Jhaddix live training Giveaway https://tbhmlive.com/ ctbb.show/giveaway New Website ctbb.show Fight music composed by Dayn Leonardson https://www.daynleo.com/ Timestamps: (00:00:00) Introduction (00:02:00) Joel’s DEFCON Recap (00:04:45) Prompt Injection Primer for Engineers by Rez0 (00:07:00) Portswigger Research and XSS (00:08:36) Gunnar Andrews' talk on serverless architecture (00:10:10) ‘Bug Hunter Methodology’ Course Giveaway The Debate (00:13:34) Zero-Day Policy and Payment for Vulnerabilities (00:25:40) Disclosure (00:33:52) Dupes (00:51:23) CVSS (01:02:25) Budgets and Payouts (01:15:00) Triage and Retesting (01:34:55) Withholding Reports (01:41:50) Root Cause Analysis (01:52:25) Interacting with hacker reports from a security standpoint (01:58:50) Internal Activity on a Report (02:01:15) Cost of running Bug Bounty Programs and LHEs
Episode 33: In this episode of Critical Thinking - Bug Bounty Podcast, we welcome Inti De Ceukelaire, a seasoned bug hunter known for his creative storytelling and impactful show-and-tell bugs…and let us tell you, his stories do not disappoint! From his bug bounty journey to some pretty wild hacks, Inti captivates us as only Inti can. We discuss the potential life-saving impact of bug bounty reports, especially in areas such as transportation and medical devices. We also cover hacker mentality, the benefits of objective-based challenges, and the need for collaboration and alignment within the bug bounty community. It’s a mesmerizing episode, so sit back and be swept away by Inti’s tales. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guest: https://twitter.com/securinti Inti's Shopify Show-and-Tell https://hackerone.com/reports/1086108 Hakluke's article on Bug Bounty Standards https://github.com/hakluke/bug-bounty-standards Researching the MissingNo Glitch in Pokemon https://youtu.be/p8OBktd42GI Intigriti https://www.intigriti.com/ Timestamps: (00:00:00) Introduction (00:03:01) Show-and-Tells and Storytelling in Live Hacking Events (00:08:30) Impact Assessment and the potential real-life significance of reporting vulnerabilities (00:13:50) Ethical dilemmas, gaming the systems, and safe harbor (00:23:30) Inti’s Hacking Journey (00:27:26) Hacker mentality, brainstorming, and goal-setting (00:46:28) The benefit of mental resets, fresh perspectives, and ‘surprise collaboration’ (00:52:55) Inti’s Story 1: CSS Injection bugs (01:06:20) Inti’s Story 2: The Ticket Trick (01:14:00) Inti’s Story 3: The Gotcha Password Bug (01:18:30) Upcoming Intigriti Live Hacking Event
Episode 32: In this episode of Critical Thinking - Bug Bounty Podcast, Joel caught a nasty bug (no, not that kind) so Justin is flying solo, and catches us up to speed on what's been happening in hacking news. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Smashing the State Machine article https://portswigger.net/research/smashing-the-state-machine?ps_source=portswiggerres&ps_medium=social&ps_campaign=race-conditions Nagle's Algorithm https://en.wikipedia.org/wiki/Nagle%27s_algorithm HTTP/2 RFC https://httpwg.org/specs/rfc7540.html Tweet by Alex Chapman https://twitter.com/ajxchapman/status/1691103677920968704?s=20 Cookieless DuoDrop IIS Auth Bypass https://soroush.me/blog/2023/08/cookieless-duodrop-iis-auth-bypass-app-pool-privesc-in-asp-net-framework-cve-2023-36899/ XSS and .NET https://blog.isec.pl/all-is-xss-that-comes-to-the-net/ Shopify Account Takeover https://ophionsecurity.com/blog/shopify-acount-takeover Short Name Guesser https://github.com/projectmonke/shortnameguesser Hacking Points.com https://samcurry.net/Points-com/ Hacking Starbucks https://samcurry.net/hacking-starbucks/ Bug Bounty Tag Request https://twitter.com/ajxchapman/status/1688892093597470720 Sandwich Attack https://www.landh.tech/blog/20230811-sandwich-attack Timestamps: (00:00:00) Introduction (00:01:25) Smashing the State Machine (00:11:30) HTTP/2 RFC (00:17:30) Cookieless DuoDrop IIS Auth Bypass (00:24:45) Takeovers and Tools (00:32:30) Sam Curry writeup (00:53:10) Community requests (00:55:10) Sandwich Attacks
Episode 31: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to be joined by Alex Chapman, a seasoned InfoSec hacker and bug bounty hunter. We kick off with Alex sharing his hacking journey, from a guest lecturer that inspired him, to working on internal Red Teams, to his transition to working with HackerOne, and finally as a bug bounty hunter focusing on searching out those few, high-impact bugs. We also discuss the power of collaboration, the challenges of balancing hacking with other responsibilities, and the necessity of flexibility and taking breaks in bug bounty work. Don't miss this episode where we explore the depths of bug bounty with Alex Chapman! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guest: https://twitter.com/ajxchapman @[email protected] https://ajxchapman.github.io/ https://hackerone.com/ajxchapman?type=user Perforce RCE https://hackerone.com/reports/1830220 https://ajxchapman.github.io/bugreports/2019/04/04/perforce-local-file-disclosure.html Timestamps: (00:00:00) Introduction (00:01:50) Alex Chapman's InfoSec journey and evolution (00:05:55) Real-world experience vs. chasing degrees, and the pivot into Bug Bounty (00:13:12) The benefit of programming knowledge (00:16:50) Experience in Internal Red Team and hacker mentalities (00:23:35) Transitioning to HackerOne and full time Bug Bounty (00:33:37) Bug Bounty tips, time management, and best practices (00:41:00) The importance of note-taking and organizational tools (00:46:27) Hunting Methodologies and focusing on Critical Exploitations (01:02:37) Collaboration in the hacking community (01:06:00) Binary Exploitation and Source Code Review (01:10:59) Configuration file injections (01:17:38) Justin vs. Alex at an LHE
Episode 30: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to be joined by renowned bug bounty hunter Shubs. We kick off with him sharing his journey from burgers to bugs, and how his friendly rivalry with a fellow hacker fueled his passion for reconnaissance, as well as his love of collaboration. We then shift gears to talk about the art of debugging, ethics and economics of bug bounty hunting, the transition to Entrepreneur, and the evolution of Assetnote from a reconnaissance tool to enterprise security software suite. This one’s a banger, and we don’t want you to miss it! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guest: @infosec_au Intro Shoutouts https://twitter.com/bebiksior https://cvssadvisor.com/ Assetnote https://www.assetnote.io/ https://twitter.com/assetnote Bishop Fox https://bishopfox.com/ Shortscan https://github.com/bitquark/shortscan XXE Payload https://gist.github.com/Rhynorater/d0d19f757221a916a22476c3a5c6aba2 Timestamps (00:00:00) Introduction (00:05:48) History as a Hacker: Recon, rivalries, and Riot Games (00:12:13) Collaboration and Community in Bug Bounty (00:18:19) The Art of Debugging (00:21:48) Assetnote News and overview (00:30:43) CVE reversing (00:32:58) Zero-day vulns (00:42:48) Bug Bounty Ethics and Economics (00:52:53) Bug Bounty and Entrepreneurship (01:03:58) Business lessons learned (01:07:48) Advice for Hunters looking to grow (01:12:38) IIS Server Techniques
Episode 29: In this episode of Critical Thinking - Bug Bounty Podcast, we sit down with Assetnote Engineer Sean Yeoh and pick his brain about what he's learned on his development journey. We talk about the place and importance of message brokers, and which ones we like best, as well as his engineering philosophy regarding bottleneck prevention and the importance of pursuing optimization. Don't miss this episode of terrific technical tips! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guest: https://twitter.com/seanyeoh Assetnote https://www.assetnote.io/ https://twitter.com/assetnote XKCD automation graph https://xkcd.com/1319/ GitHub repository https://github.com/alex/what-happens-when Article about Queues https://archive.is/Nan4e NATS https://nats.io/ MongoDB https://www.mongodb.com/ Timestamps: (00:00:00) Introduction (00:01:18) Story of Assetnote (00:05:20) Message Brokers and event-driven architectures (00:11:15) Preventing bottlenecks and pursuing optimization (00:21:35) Using a profiler (00:28:30) Choosing a Message Broker (00:33:00) Kubernetes and Conntrack Limits (00:37:13) Databases (00:46:30) Bug bounty tips: Sub-domain vs. IP Address (00:51:15) Engineering quandaries (00:53:38) DNS Wildcards
Episode 28: In this episode of Critical Thinking - Bug Bounty Podcast, the CSRF’s up, dude! We kick off with a debate about whether or not deep link vulns in mobile apps can be considered CSRF. We also talk browser extensions and tools like Hackbar, PwnFox, and JS Weasel, and Justin tries to invent a whole new vuln term. There’s plenty of good stuff here, so what are you waiting for? Jump on in! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater rez0's latest tip https://twitter.com/rez0__/status/168134822190014466019 Hackbar https://addons.mozilla.org/en-US/firefox/addon/hackbartool/ PwnFox https://twitter.com/adrien_jeanneau/status/1681364665354289152 JS Weasel https://www.jswzl.io/ Charlie Eriksen https://twitter.com/CharlieEriksen Link to talk by Rojan https://twitter.com/uraniumhacker/status/1681381857383030785 Bypassing GitHub's OAuth flow https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html Great SameSite Confusion https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/ Check out Nahamsec's Channel https://www.youtube.com/c/nahamsec Timestamps: (00:01:45) The deep link debate (00:08:00) LHE and in-person interviews (00:09:25) SQLMAP and raw requests (00:11:11) Hackbar, PwnFox, and browser extensions (00:16:45) JS Weasel tool and its features (00:25:28) Rojan's Research and Public Talks (Start of main content) (00:28:36) Cross-Site Request Forgery (CSRF) (00:35:00) Bypassing GitHub's OAuth flow (00:45:00) A Small SameSite Story (00:48:50) CSRF Exploitation Techniques (01:07:15) CSRF Bug Stories (01:15:30) NahamSec and DEFCON
Episode 27: In this episode of Critical Thinking - Bug Bounty Podcast, we've switched places and now Joel is home while Justin is on the move. We break down seven esoteric web vulnerabilities, and talk Cookies, Config File Injections, Client-side path traversals and more. We also briefly discuss appliance hacking, new tools, and shout out some new talent in the hacking space. Don't miss this episode full of cool vulns, and experience Justin's vocal decline in real time. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Encrypted Doesn't Mean Authenticated: https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/ Tweet about headless chrome browser https://twitter.com/bhavukjain1/status/1678719047209484288?t=NWnZvwHTRMyH_lVC-uXe0g&s=19 Shout out to new talent within the hacking space https://twitter.com/haxrob https://twitter.com/atc1441 Tweet about hacking Google Search Appliance https://twitter.com/orange_8361/status/1677378401957724160 Bitquark releases shortscan https://twitter.com/bitquark/status/1677647450989838338 Hacking Starbucks https://samcurry.net/hacking-starbucks/ Justin's CookieJar Tool https://apps.rhynorater.dev/checkCookieJarOverflow.html HackTricks https://book.hacktricks.xyz/pentesting-web/hacking-with-cookies/cookie-jar-overflow XSLeak https://xsleaks.dev Timestamps: (00:00:00) Introduction (00:04:00) Assetnote on ShareFile RCE (00:13:05) Headless Browsers (00:17:00) Hacker Content Creators (00:22:51) Appliance Hacking (00:30:31) Shortscan Release (Start of main content) (00:35:39) Config File Injection (00:44:00) Client-side Path Traversal (00:51:33) Cookie Bombing (00:58:00) Cookie Jar Overflow (01:03:50) XSLeak (01:10:49) UNC Path Injection (01:15:50) Impactful Link Hijack
In this episode of Critical Thinking - Bug Bounty Podcast, we're back with Joel, fresh (haha) off of back-to-back live hacking events in London and Seoul. We compare the different vibes of each LHE, then we dive into the technical thick of it, and talk web browsers, XSS vectors, new tools, and CVSS 4. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ______ Hunting for NGINX alias traversals in the wild PortSwigger Tweet Soroush's Follow-up Tweet about magic math element 22 weird XSS behavior Lupin’s follow-up Patch diffing Changes to CVSS 4.0 Ask FIRSTdotORG what's going on jsluice JS import() behavior 'JavaScript for Hackers' CSP Evaluator: DOM Clobbering HTML Injection Cheat Sheet Gareth Heyes website/game ______ Timestamps: (00:00:00) Introduction (00:04:10) LHE Vibes (00:07:45) "Hunting for NGINX alias traversals in the wild" (00:12:30) Payouts in BB programs (00:16:05) New XSS vectors and popovers (00:24:15) The "magical math element" in Firefox (00:27:15) LiveOverflow on HTML parsing quirks (00:32:10) Mr. Tux Racer, WooCommerce, and WordPress (00:40:00) Changes in the CVSS 4 draft spec (00:45:00) TomNomNom's new tool jsluice (00:51:15) JavaScript's import function & "JavaScript for Hackers" (01:09:15) Prototype pollution & DOM clobbering (01:18:10) Base tags and CSS Games
Episode 25: In this episode of Critical Thinking - Bug Bounty Podcast we talk to Cosmin (@Inhibitor181), fresh off of winning his 2nd MVH! We chat about the time management and strategy of hacking Multi-Target LHEs, determining when to pivot, and how to find normalcy in bug bounty hunting and Live Hacking Events. We also touch on setting up Vuln Pipelines, creating mental models, and Cosmin's terrifying naming schemes. Don't miss this episode packed with both laughs and valuable insights for beginners and seasoned bug bounty hunters alike. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guest: https://twitter.com/inhibitor181 Justin's weird episode with all the Dr. Seuss Shit https://rss.com/podcasts/ctbbpodcast/966055/?listen-on=true Timestamps: (00:00:00) Introduction (00:02:52) MVH club and Multi-Target strategy (00:12:00) Deciding when to pivot (00:17:00) File Organization and 'unique' naming approaches (00:23:56) Staying up to date on features and updates (00:25:46) Hacking Sleep Habits (00:28:15) Finding 'Normal Life' in bug bounty and LHE (00:33:30) Vuln Pipelines, Wordlists, and full time bug bounty tips (00:44:15) Benefits of the Bug Bounty Community (00:47:45) Relationships with target companies and programs (00:53:15) Creating mental models (01:00:30) The Importance of writing good reports (01:04:30) How to choose what to hack
Episode 24: In this episode of Critical Thinking - Bug Bounty Podcast, we chat with Daniel Miessler and Rez0 about the emergence and potential of AI in hacking. We cover AI shortcuts and command line tools, AI in code analysis and the use of AI agents, and even brainstorm about the possible opportunities that integrating AI into hacking tools like Caido and Burp might present. Don't miss this episode packed with valuable insights and cutting-edge strategies for both beginners and seasoned bug bounty hunters alike. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guests: https://twitter.com/rez0__ https://twitter.com/DanielMiessler Daniel Miessler’s Unsupervised Learning https://danielmiessler.com/ Simon Willison's Python Function Search Tool https://simonwillison.net/2023/Jun/18/symbex/ oobabooga - web interface for models https://github.com/oobabooga/text-generation-webui State of GPT https://karpathy.ai/stateofgpt.pdf AI Canaries https://danielmiessler.com/p/ai-agents-canaries GPT-3.5 https://community.openai.com/t/gpt-3-5-turbo-0613-function-calling-16k-context-window-and-lower-prices/263263 GPT Engineer https://github.com/AntonOsika/gpt-engineer Timestamps: (00:00:00) Introduction (00:05:40) Using AI for hacking: Developing hacking tools and workflow shortcuts (00:11:40) GPT Engineer and Small Developer for Security Vulnerability Mapping (00:22:40) The potential dangers of centralized vs. decentralized finance (00:24:10) Ethical hacking and circumventing ChatGPT restrictions (00:26:09) AI Agents, Reverse API, and Encoding/Decoding Tools (00:31:45) Limitations of AI in context window and processing large JavaScript files (00:36:50) Meta-prompter: Enhancing prompts for accurate responses from GPT (00:41:00) GPT-3.5 and the new 16K context model (00:45:08) Creating a loader for Burp Suite files or Caido instances (00:54:02) Hacking AI Features: Best Practices (01:00:00) AI plugin takeover and the need for verification of third-party plugins and tools
Episode 23: In this episode of Critical Thinking - Bug Bounty Podcast, we delve into a different aspect of hardware - Our personal loadouts. We go through the equipment and gear we use to get our jobs done, and share stories about why we picked what we have. We also touch on live hacking events, the growing acceptance of white hat hacking, and some pretty cool news going on in the hacker world. Don't miss this episode packed with tips and strategies for both beginners and seasoned hackers alike! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Blog post on hacking root EPP servers https://hackcompute.com/hacking-epp-servers/ Behind this Website: https://github.com/jonkeegan/behind-this-website Tweet about vRealize Network Insight: https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/ Zoom's new vulnerability impact scoring system: https://viss.zoom.com/specifications Uplift Desks https://www.upliftdesk.com/ Synergy https://symless.com/synergy Ahnestly chair reviews: https://www.youtube.com/c/Ahnestly Our producer’s new audio drama ‘Homicide at Heavensgate’ https://link.sentinelstudios.net/homicide Timestamps: (00:00:00) Introduction (00:02:28) Navigating hacking events and imposter syndrome (00:06:30) Blog post on hacking root EPP servers (00:10:01) The growing acceptance of white-hat hacking (00:12:25) Finding Website Owners and Contact Information (00:16:45) VMware vRealize Network Insight CVEs and nginx reverse proxy bypass (00:21:30) Zoom's new vulnerability impact scoring system (00:27:24) The Importance of Analyzing Systemic Problems in Black Box Testing (00:30:40) Documentation, Vulnerable by Design, and acceptable risk (Start of main content) (00:34:37) Leveling up your Hacker Setup (00:37:13) The Importance of your body (00:41:30) Investing in ergonomic equipment for computer work (00:42:27) Standing Desks: Uplift Desk and DIY standing desk options (00:46:00) Portable Tables: Flexible Workspace Solutions (00:47:30) Monitor Setup (00:54:40) Synergy: One keyboard and mouse across multiple devices (00:57:20) Capture Card: Using it as a software display (00:58:58) Keyboards and mice (01:03:27) Using a Chromebook for lightweight hacking (01:08:57) Chair Reviews: The Niche World of High-End Chairs
Episode 22: In this episode of Critical Thinking - Bug Bounty Podcast we talk about some basic/intermediate concepts related to Hardware Hacking. Specifically, we dive into extracting data from eMMC chips in order to get our hands on source code for IoT devices. Don't miss this episode packed with valuable insights, tips, and strategies for beginners and seasoned bug bounty hunters alike! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Check out NahamCon: https://bit.ly/42vnpMS RiverLoop Security Write-up: https://bit.ly/3oSKL1o Good Chip-Off Write-up: https://bit.ly/3IWym3q Scratching chips to expose pins: https://bit.ly/45Tj21i https://bit.ly/3oJJt8Z Chat with Corben on Degrees: https://youtu.be/N9P5PUx-PNQ?t=2311 Gareth Heyes Tweet: https://bit.ly/3qvFNYW Huntress - John Hammond - MOVEit Response: https://bit.ly/42vTTXv Critical Thinking Hardware Hacking Setup - See the gear we're talking about (Affiliate links): https://linke.to/hardwarehackingset Timestamps: (00:00:00) Introduction (00:01:03) NahamCon's Live Hacking Event and Justin's Presentation on PCI DSS (00:02:40) Deprecation of Data URLs in SVG Use Element (00:04:55) Gareth Heyes and knowledge sharing in the hacking community (00:07:50) MOVEit vulnerability and John Hammond’s epic 4 am rants (00:12:18) Identifying promising leads in bug bounty hunting, and knowing when to move on (Start of main content) (00:21:40) Hardware Recon, and using Test Pins to Access the eMMC Chip (00:26:16) Identifying Chip Pinouts and Continuity Testing (00:29:01) Using Logic Analyzers for Hardware Hacking (00:33:01) Importance of Fundamental Knowledge in Hacking, and the benefits of understanding Electrical Engineering (00:35:46) Replay Protected Memory Block Protocol (00:40:00) Bug Bounty Programs and Hardware Testing Support (00:41:05) Chip Pulling techniques and Essential Equipment for Hardware Hacking (00:59:50) Tips for Buying Hardware Hacking Tools: Research and Specific Use Cases (01:06:35) Hardware Hacking: Just scratching the surface (01:08:45) Vulnerability Disclaimer: Pulling the OS from a chip does not constitute a Vulnerability
In this episode of Critical Thinking - Bug Bounty Podcast, we chat with Corben Leo about his journey in bug bounty hunting and ethical hacking. We discuss the state of DNS rebinding in 2023, a Twitter thread by Douglas Day (@ArchAngelDDay) on one hundred bug bounty rules, and our own unique approaches to bug hunting. We also discuss Corben's recon-focused bug hunting methodology and how he developed it. Don't miss this episode filled with valuable tips, insights, and Corben's Boring Mattress Company. Follow us on twitter at: @ctbbpodcast Get on our newsletter for some exclusive content: https://www.criticalthinkingpodcast.io/subscribe We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guest: https://twitter.com/hacker_ Article on the State of DNS Rebinding in 2023: https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/ See @ArchAngelDDay's twitter thread about 100 bug bounty rules: https://twitter.com/ArchAngelDDay/status/1661924038875435008 Talkback - Cybersecurity news aggregator: https://talkback.sh/ PyPI announces mandatory 2FA: https://www.bleepingcomputer.com/news/security/pypi-announces-mandatory-use-of-2fa-for-all-software-publishers/ Timestamps: (00:00:00) Introduction (00:01:05) State of DNS rebinding in 2023 (00:04:40) 100 Bug Bounty Rules by @ArchAngelDDay (00:05:30) Give yourself a ‘no bug’ limit (00:07:00) The value of reporting Low and Medium Bugs for Bug Bounty Programs (00:11:15) Reporting Out of Scope Bugs (00:14:30) Reporting IDORs as Access Control Bugs (00:17:28) Talkback (00:18:12) PyPI's mandatory 2FA implementation for software publishers (Start of main content) (00:20:07) Starting out in bug bounty/ethical hacking (00:25:00) Hacking methodology and mentorship (00:28:15) Identifying Load Balancers (00:33:20) Triage and live events (00:38:30) College and Computer Science vs. Cybersecurity (00:45:45) Importance of writing for the Hacker Community (00:51:21) Storytelling and report writing (00:55:00) When to stop doing recon and start hacking (01:00:58) Lessons Learned from BreachlessAI and the pivot to Boring Mattress Co.
Episode 20: In this episode of Critical Thinking - Bug Bounty Podcast, we dive into the world of "hacker brain hacks" and overcoming challenges in bug bounty hunting. We discuss custom word lists, the rising popularity of Caido as a potential Burp Suite replacement, and Cloudflared tunnels for hosting POCs. We also tackle the mental aspects of bug bounty hunting, from procrastination to imposter syndrome, and share tips for staying motivated and avoiding burnout. Don't miss this episode packed with valuable insights and advice for both beginners and seasoned bug bounty hunters! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Caido: https://caido.io Tweet from D3mondev on Sequence Diagram: https://twitter.com/d3mondev/status/1660803152755453952 Sequence diagram software: https://sequencediagram.org Timestamps: (00:00:00) Introduction (00:02:36) "Sequence Diagram": Sequence mapping for PoCs (00:04:10) "SubReconGPT": AI and GPT in Bug Bounty Hacking (00:08:30) "Caido": A Potential Replacement for Burp Suite (00:11:34) HackerOne's New Features (00:13:00) Cloudflared Tunnels for Red Team Assessments and Payload Hosting (00:16:07) Mental challenges in Bug Bounty Hunting (00:17:50) Procrastination Education: Letting fear of failure drive you into always learning, never doing. (00:22:46) Analysis Paralysis: Starting with Bug Bounty Programs vs VDPs (00:27:07) Automation Obsession: "When you're hacking, hack. When you're automating, automate." (00:14:34) Imposter Syndrome: You may not be the best, but you're not the worst either. (00:31:55) Motivation Deprivation: Stay curious, and set tiered goals (00:36:07) Automation Obsession pt2: Do we need to say it again? (00:37:25) Reconnaissance Cognizance: Spending too much time on recon and not enough time on hacking (00:40:00) Bad Rabbit Holes, RIP Your Goals: Identifying good and bad rabbit holes (00:46:01) Set Your Goal Poles: Setting specific goals for yourself. (00:48:29) Impact Lacked: Fixating on something that's funky, but simply doesn’t really have impact (00:51:00) The Burn-out turn-out: Mending, maintenance, and finding identity and self-worth outside hacking (00:58:19) Responsibility Volatility: Balancing Responsibilities and Freedom as a Bug Bounty Hunter (01:00:30) Payout Phase-out: Don't stop once you've found one bug. (01:02:04) Report on URN Injection
Episode 19: In this episode of Critical Thinking - Bug Bounty Podcast we further discuss some tips and tricks for finding vulns once you’ve got source code and some banger tweets/tools that popped up in our feed this week. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Part 1: https://open.spotify.com/episode/2pdTaWHSzl9CY7PgRQtvTi Noperator’s Zip-Snip: https://twitter.com/noperator/status/1658313637189111808 https://github.com/noperator/zip-snip https://noperator.dev/posts/zip-snip/ Insecure’s SIP Bugs: https://twitter.com/ifsecure/status/1656591469518495745 AssetNote’s Sitecore Bugs: https://blog.assetnote.io/2023/05/10/sitecore-round-two/ Fyooer’s Shadow Clone: https://github.com/fyoorer/ShadowClone
Episode 18: In this episode of Critical Thinking - Bug Bounty Podcast, we dive into everything source-code related: how to get source code and what to do with it once you have it. This episode is packed with great examples of successful source code review, tips on how to review code yourself, and the tools you'll need along the way. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Crossing the KASM: https://www.youtube.com/watch?v=NwMY1umhpgg PWNAssistant by Elttam: https://www.elttam.com/blog/pwnassistant/#content Andre's Git Arbitrary Configuration Injection: https://blog.ethiack.com/en/blog/git-arbitrary-configuration-injection-cve-2023-29007 Jub0b's a Smorgasbord of a Bug Chain: https://jub0bs.com/posts/2023-05-05-smorgasbord-of-a-bug-chain/ Ankur Sundara's Cookie Bugs - Smuggling & Injection: https://twitter.com/ankursundara/status/1654556463703134208?t=7nTUSszPB6fS3MkATzxpaQ&s=19 James Kettle's Notes on Novel Pathways to Poisoning (cool quirks in here): https://twitter.com/albinowax/status/1654767919690031106?t=vbVEOML5_QnWByi0m8Nv4A&s=19 Ignore Irrelevant Scripts During Debugging by Johan Carlsson: https://twitter.com/joaxcar/status/1653787336105156616 Every known way to get references to windows: https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2d VS Code Todo Highlight: https://marketplace.visualstudio.com/items?itemName=wayou.vscode-todo-highlight VS Code: https://code.visualstudio.com/
Episode 17: In this episode of Critical Thinking - Bug Bounty Podcast we talk with five legendary hackers about some of their favorite bugs. Live. From LA. Corben Leo “Lorben CEO” @hacker_ Sam “ZLZ” “ZOZL” “The King” Curry @samwcyo Frans “The Legend” Rosen @fransrosen Jonathan “Doc” Bouman @JonathanBouman Nagli…NagliNagli @naglinagli Shoutout to Jonathan Bouman’s Mom! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater FOLLOW OUR LINKEDIN ACCOUNT FOR NAGLI: https://www.linkedin.com/company/ctbbpodcast Sam Curry’s shoutout - Ian Carrol’s Seats.Aero: https://seats.aero/
Episode 16: In this episode of Critical Thinking - Bug Bounty Podcast we talk about the hacker’s toolkit. Joel and Justin talk about their VPS setup, go-to hacking tools, most often used Linux commands, and the ways they duct tape all of these together for the big hacks. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on Twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Our Boi @rez0__ Dropping Some AI Hackz: https://twitter.com/rez0__/status/1648685943539245056?s=20 LiveOverflow Prompt Injection: https://www.youtube.com/watch?v=Sv5OLj2nVAQ Joel’s Private Network Solution: https://www.zerotier.com/ Stok & Tomnomnom on Vim/Bash: https://www.youtube.com/watch?v=l8iXMgk2nnY Latest GhostScript RCE: https://offsec.almond.consulting/ghostscript-cve-2023-28879.html Intigriti CSRF Basics & Jub0b's Legendary SameSite Article: https://twitter.com/intigriti/status/1646104705561403398 https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/ Nahamcon: http://nahamcon.com/ Pentah0wnage: https://research.aurainfosec.io/pentest/pentah0wnage/ DNSChef: https://github.com/iphelix/dnschef Httpx: https://github.com/projectdiscovery/httpx Espanso: https://espanso.org/ GoWitness: https://github.com/sensepost/gowitness
Episode 15: In this episode of Critical Thinking - Bug Bounty Podcast we talk with the latest Million-Dollar bug bounty hunter: @naglinagli . He talks about his climb from $1,000 in bounties to $1,000,000, recon tips and tricks, and some bug reports that made the news and landed him the "Best Bug" award at an H1 Live Hacking event. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Follow Nagli and his new startup Shockwave: https://twitter.com/naglinagli https://twitter.com/shockwave_sec HackMD Collaborative Notes: https://hackmd.io/ Ian Carroll's Airline Miles Website: https://seats.aero Nagli's Tweet on ChatGPT Web Cache Deception: https://twitter.com/naglinagli/status/1639343866313601024 Timestamps: (00:00:00) Intro (00:04:40) Nagli’s Climb (00:05:40) What kind of vulns do you look for? (00:09:25) Working with other hackers (00:10:20) Bug Bounty Hunter’s Guild (00:12:35) Shockwave product (00:14:12) Outsourcing tool development (00:18:46) What got you started? (00:21:13) Manual hacking vs recon suite + LHE focus (00:25:00) How do you take notes (00:29:42) Biggest things that you’ve learned over the past 2 years (00:31:29) How do you ingest new techniques? (00:31:50) Collaboration (00:37:20) Justin Ranting about “Trained Eyes” (00:40:18) Time spent coding vs hacking (00:45:28) Travel and spending habits (00:54:16) Grep is Nagli’s database (00:56:20) Nagli’s ChatGPT Web Cache Deception (00:58:44) What does your alerting look like? (01:01:50) Nagli’s “Most Critical” SSRF (01:04:30) Burp Active Scan
Episode 14: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Dynamic Analysis within Mobile Hacking and a bunch of random hacker stuff. It's a good time. Enjoy the pod. Follow us on Twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on Twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Joel’s Alternative to UberTooth One: https://www.amazon.com/Bluetooth-UD100-G03-Exchangeable-Bluesoleil-Microsoft/dp/B0161B5ATM D3monDev’s Burp VPS Plug-in: https://github.com/d3mondev/burp-vps-proxy FireProx: https://github.com/ustayready/fireprox Joel’s Universal SSL De-pinning Frida Script: https://gist.github.com/teknogeek/4dc35fb3801bd7f13e5f0da5b784c725 Command-line Fuzzy Finder: https://github.com/junegunn/fzf Justin’s two article recommendations for using Frida: https://tinyurl.com/5n94d6ry https://tinyurl.com/yfy3n5f5 Copy screen of physical device: https://tinyurl.com/ymdrscm5 Flipper: https://flipperzero.one/ BetterCap BLE Module: https://www.bettercap.org/modules/ble/ Timestamps: (00:00:00) Intro (00:00:55) Hacker Chats (00:03:27) Podcast Content Commentary (00:04:09) SSRF Rebinding Error Confession (00:06:02) Flipper Zero (00:07:58) Bettercap BLE (00:09:36) Sena USB Bluetooth Adapter (00:12:41) Burp VPS Proxy Plugin (00:13:55) Fireprox (00:15:40) Dynamic Mobile Hacking (00:17:40) Dynamic Analysis Overview (00:18:18) Emulator Talk (00:24:29) Joel’s APK Analysis Flow (00:26:30) Cert Pinning (00:32:17) Joel’s SSL Cert Pinning Script (00:35:29) Hands-on look at Frida (00:50:11) Frida on Non-rooted Devices (00:58:22) Tracing Errors to Overwritable Functions (01:00:39) Native Libraries (01:09:18) GenyMobile Screen Mirroring Tool (01:11:50) Justin’s Report of the Day and Custom SSL Pinning (01:18:15) Joel’s First Ever Bug, Jailbreak Detection Bypass
Episode 13: In this episode of Critical Thinking - Bug Bounty Podcast we talk about how to determine if a bug bounty program is good or not from the policy page. We also cover some news including Acropalypse, ZDI's Pwn2Own Competition, Node's Request library's SSRF Bypass, and a new scanning tool by JHaddix. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater JHaddix AWSScrape Tool: https://twitter.com/Jhaddix/status/1637140192728612865?s=20 Acropalypse Links: https://twitter.com/ItsSimonTime/status/1636857478263750656 https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html https://twitter.com/David3141593/status/1638222624084951040 https://twitter.com/David3141593/status/1638293029059477505 SSRF Bypass in NodeJS: https://blog.doyensec.com/2023/03/16/ssrf-remediation-bypass.html ZDI's Pwn2Own: https://twitter.com/thezdi Kuzu7shiki's Awesome Pixiv Report: https://hackerone.com/reports/1861974 https://twitter.com/kuzu7shiki Some of the Programs we talk about: https://hackerone.com/instacart https://hackerone.com/semrush https://hackerone.com/yahoo https://hackerone.com/paypal
Episode 12: In this episode of Critical Thinking - Bug Bounty Podcast we talk with Jason Haddix about his eclectic hacking techniques, Hacker -> Hacker CISO life, and some crazy vulns he found. This episode is chock full of awesome tips so give it a good listen! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Follow JHaddix on Twitter: https://twitter.com/jhaddix BuddoBot: https://buddobot.com/ BC Hunt: https://github.com/bugcrowd/HUNT/blob/master/README.md One List For All: https://github.com/six2dez/OneListForAll AssetNote Wordlists: https://wordlists.assetnote.io/ Backslash Powered Scanner: https://portswigger.net/bappstore/9cff8c55432a45808432e26dbb2b41d8 Jason’s Handy Dandy Acronyms: SSWLR - Sensitive Secrets Were Leaked Recently Status Size Words Lines Response Time COTS Software - Common Off-The-Shelf Software
Episode 11: In this episode of Critical Thinking - Bug Bounty Podcast we talk about CVSS (the good, the bad, and the ugly), Web Cache Deception (an underrated vuln class) and a sick SSTI Joel and Fisher found. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater MDSec Outlook Vuln: https://twitter.com/MDSecLabs/status/1635791863478091778 Jub0bs User-Existence Oracle Tweet: https://twitter.com/jub0bs/status/1633786349529513986 James Kettle's Tweet About BB ID Header Standardization: https://twitter.com/albinowax/status/1635951506791755776 15K Snapchat Numeric IDOR: https://hackerone.com/reports/1819832 Bug Bounty Reports Explained: https://www.bugbountyexplained.com/ CVSS Calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator Web Cache Deception Write-up: https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack.pdf
Episode 10: In this episode of Critical Thinking - Bug Bounty Podcast we talk about what it's like to be a full-time bug bounty hunter, a tonne of bug bounty news, and some great report summaries from Justin’s two mentees: Kodai and Soma. Follow us on twitter at: https://twitter.com/ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater HackVertor: https://portswigger.net/bappstore/65033cbd2c344fbabe57ac060b5dd100 Not_An_Aardvark (Teddy Katz) Blog: https://blog.teddykatz.com/ Tweets from PortSwigger Research: https://twitter.com/PortSwiggerRes/status/1632742844535324677 https://twitter.com/PortSwiggerRes/status/1630221223874445314 https://twitter.com/PortSwiggerRes/status/1629131380473970688 HackerOne LHE Standards: https://www.hackerone.com/hackerone-community-blog/get-invited-how-live-hacking-event-invites-have-changed Rez0 Bug Bounty Tweet: https://twitter.com/rez0__/status/1553371602770960384?t=NCr_esHcEts9PrcjxIZ5uw&s=19 Rojan’s Github Bug: https://twitter.com/uraniumhacker/status/1633199768263593984 Goodbye Daily Swig: https://portswigger.net/daily-swig/were-going-teetotal-its-goodbye-to-the-daily-swig Gareth Heyes' JavaScript for Hackers: https://leanpub.com/javascriptforhackers/
Episode 9: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Headless Browser SSRF and drop a tool called RebindMultiA. Joel also walks us through a web3 bug and we cover some bug bounty news from the past week. As always, we drop some bug bounty tips and give you some attack vectors to think about. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Truffle Security End-To-End Encryption Video: https://www.youtube.com/watch?v=BBcZcoIZ1Jc HackerOne World Cup: https://www.hackerone.com/hackers/brand-ambassador-program HackerOne World Cup Sign Up Form for USA: https://docs.google.com/forms/d/e/1FAIpQLSeRQpH2y0J-opxlsz8dPkvnIu8BqC_DA3CJe_eFhTFroPwdcg/viewform ChatGPT API: https://openai.com/blog/introducing-chatgpt-and-whisper-apis Megachad RobertMD GitHub Issue: https://github.com/nccgroup/singularity/issues/2 Justin’s RebindMultiA Tool: https://github.com/Rhynorater/rebindMultiA Brandon Dorsey’s WhoNow Tool: https://github.com/brannondorsey/whonow NCC Group’s Singularity: https://github.com/nccgroup/singularity Chromium Disclosed Bugs: https://chromium-disclosed-bugs.appspot.com/ NahamSec Talk on Headless Browser SSRF: https://docs.google.com/presentation/d/1JdIjHHPsFSgLbaJcHmMkE904jmwPM4xdhEuwhy2ebvo/htmlpresen Jonathan Bowman - LFI via : https://medium.com/@jonathanbouman/local-file-inclusion-at-ikea-com-e695ed64d82f WASM Port Scanning: https://github.com/avilum/portsscan Jack Halon - Chrome Browser Exploitation: https://twitter.com/jack_halon/status/1583957704930131968 DNSChef: https://github.com/iphelix/dnschef
Episode 8: In this episode of Critical Thinking - Bug Bounty Podcast we drop some critical bugs which leak raw credit card info. We also discuss some CSS Injection & PostMessage related techniques. It's a short one but a good one! Don't miss it! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater CSS Escape Blog Post: https://mathiasbynens.be/notes/css-escapes Rez0’s blog on ChatGPT: https://rez0.blog/hacking/2023/02/21/hacking-with-chatgpt.html All the ways to get a reference to a frame (shoutout to @wcbowling for the article): https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2d CSS Painting API: https://developer.mozilla.org/en-US/docs/Web/API/CSS_Painting_API Import Chaining: https://d0nut.medium.com/better-exfiltration-via-html-injection-31c72a2dae8b
Episode 7: In this episode of Critical Thinking - Bug Bounty Podcast we talk about PortSwigger's Top 10 Web Hacking Techniques of 2022 (link below), some drama surrounding TruffleSecurity's XSS Hunter, and, as always, some great bug bounty tips. Sorry if the audio is a little rough around the edges this time, should be better than ever next time. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater PortSwigger's Top 10 Web Hacking Techniques of 2022: https://portswigger.net/research/top-10-web-hacking-techniques-of-2022 Ian Carroll Cookie Monster: https://github.com/iangcarroll/cookiemonster Frans Rosen's postMessage Tracker Chrome Extension: https://github.com/fransr/postMessage-tracker Notes from Justin on postMessages: https://rhynorater.github.io/postMessage-Braindump Frans Rosen's research on nginx misconfigurations that are similar to #6: https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/ "Mount" Wycheproof 😂: https://github.com/google/wycheproof https://en.wikipedia.org/wiki/Mount_Wycheproof Nathan Davison - Abusing Hop-by-Hop headers: https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers Awesome example of client-side path traversal: https://erasec.be/blog/client-side-path-manipulation/ Joohoi Ffuf 2.0: https://infosec.exchange/@joohoi/109806822104162973 FeroxBuster: https://github.com/epi052/feroxbuster
Episode 6: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with mobile hacking legend Joel Margolis and get the scoop on his approach to popping bugs on Android. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Joel’s HackerOne Android Hacking Introduction: https://t.ly/f87D Android Pixel Lock Screen Bypass: https://t.ly/Q_qq Exploiting Deeplink URLs: https://inesmartins.github.io/exploiting-deep-links-in-android-part1/index.html Joel’s get_schemas tool: https://github.com/teknogeek/get_schemas Example AndroidManifest.xml we referenced: https://t.ly/mcN1 https://t.ly/ErVV Android docs for intent filters: https://developer.android.com/guide/components/intents-filters.html Android docs for “setAllowContentAccess”: https://t.ly/hXOZ Android docs for “setAllowFileAccess”: https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccess(boolean) Add JavaScript Interface to Webview: https://developer.android.com/reference/android/webkit/WebView#addJavascriptInterface(java.lang.Object,%20java.lang.String) Joel’s SSL Pinning Bypass: https://gist.github.com/teknogeek/4dc35fb3801bd7f13e5f0da5b784c725 Google Chrome Docs for Intent URLs: https://developer.chrome.com/docs/multidevice/android/intents/#considerations Joel’s Bug Bounty Report: https://hackerone.com/reports/423467
Episode 5: In this episode of Critical Thinking - Bug Bounty Podcast we talk about the new XSS Hunter, MD5 collisions and using ChatGPT for security, and much more! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Save All Resources Chrome Extension: https://chrome.google.com/webstore/detail/save-all-resources/abpdnfjocnmdomablahdcfnoggeeiedb?hl=en Corben's AMA: https://twitter.com/hacker_/status/1620514351521366016 Collisions repo: https://github.com/corkami/collisions
Episode 4: In this episode of Critical Thinking - Bug Bounty Podcast we have part two of our series on the H1-407 HackerOne Live Hacking Event. This time, we have a special guest SpaceRaccoon (@spaceraccoonsec) talking about techniques and takeaways from the event. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Spaceraccoon’s blog: https://spaceraccoon.dev/ Spaceraccoon’s twitter: https://twitter.com/spaceraccoonsec Responder (NTLM Hash harvesting tool): https://github.com/lgandx/Responder The malware reversing course Spaceraccoon recommended: https://courses.zero2auto.com/ Offensive Security Exploit Development Courses: https://www.offensive-security.com/courses-and-certifications/
Episode 3: In this episode of Critical Thinking - Bug Bounty Podcast we talk about some of the interesting things we’ve learned from participating in HackerOne's H1-407 Live Hacking event. We cover decompiling binaries in various different languages, Windows URI Handlers, Caido, and SameSite Lax + POST. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Frans Rosen S3 Bucket Authorization Blog Post: https://labs.detectify.com/2018/08/02/bypassing-exploiting-bucket-upload-policies-signed-urls/ Getting code from executables: ILSpy DotPeek Jadx-GUI Pyinstxtractor Uncompyle6 Jub0b’s SameSite Article: https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/ Mgeeky’s Powershell Script to Enumerate Windows App URI Handlers https://gist.github.com/mgeeky/5a30a0619a7486b2fb0bd5233490fa64
Episode 2: In this episode of Critical Thinking - Bug Bounty Podcast we talk about exploit writing/automation, some new tools released in the industry (Of-CORS), the age-old question of "Do you have to know how to program to hack?", a walk-through of some very impactful bug bounty reports, and some tips and tricks for exploit writing. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Of-CORS by TruffleSecurity: https://trufflesecurity.com/blog/of-cors/ https://github.com/trufflesecurity/of-cors CyberChef: https://gchq.github.io/CyberChef/ Curl Converter: https://curlconverter.com/ Caido: https://caido.io/ Copy As Python Requests: https://portswigger.net/bappstore/b324647b6efa4b6a8f346389730df160 eMMC Card Reader: https://www.allsocket.com/ Joel's Funny Automation XKCD: https://xkcd.com/1319/ Flipper: https://shop.flipperzero.one/
Episode 1: In this episode of Critical Thinking - Bug Bounty Podcast, Joel Margolis (aka 0xteknogeek) and Justin Gardner (aka Rhynorater) cover introductions, a couple of cool bug bounty reports, and some really helpful BB Tips. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: [email protected] Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater The report Joel was talking about: https://hackerone.com/reports/1672388