Critical Thinking - Bug Bounty Podcast

Episode 169: Attacking OAuth 2.1

Thu, 09 Apr 2026 05:00:00 -0400

Episode 169: In this episode of Critical Thinking - Bug Bounty Podcast gr3pme goes over some of the changes from OAuth 2.0 vs 2.1 and how Hackers can capitalize.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

Critical Research Lab:

https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== This Week in Bug Bounty ======

Intigriti is providing free Burp Pro for Hackers!

https://www.intigriti.com/blog/news/intigriti-collaborates-with-portswigger-to-support-ethical-hacking-excellence

====== Resources ======

Django-allauth Account Takeover (ZeroPath Audit)

https://zeropath.com/blog/django-allauth-account-takeover-vulnerabilities

CVE-2025-4144: Cloudflare Workers PKCE Bypass

https://github.com/cloudflare/workers-oauth-provider/security/advisories/GHSA-qgp8-v765-qxx9

CVE-2025-54576: OAuth2-Proxy Auth Bypass

https://zeropath.com/blog/cve-2025-54576-oauth2-proxy-auth-bypass

====== Timestamps ======

(00:00:00) Introduction

(00:02:16) OAuth 2.0 Standards

(00:12:08) Agent to Agent Communication

(00:17:19) CVE Case studies

Episode 168: XSSDoctor - Client-side Path Traversal Research

Thu, 02 Apr 2026 05:00:00 -0400

Episode 168: In this episode of Critical Thinking - Bug Bounty Podcast we’re getting a visit from the XSS Doctor. Jonathan joins us to go through his Client-side workflow, run labs, and diagnose some bugs live.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

Critical Research Lab:

https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Guest: https://x.com/xssdoctor

====== Resources ======

The Dot-Dot-Slash That Frameworks Hand You: CSPT Across Every Major Frontend Framework

https://lab.ctbb.show/research/the-dot-dot-slash-that-frameworks-hand-you

URL validation bypass cheat sheet

https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet

====== Timestamps ======

(00:00:00) Introduction

(00:01:37) Home Automation AI Hack & E-signature bug stories

(00:12:15) E-signature bug

(00:17:01) XSS DR Intro and Bug Bounty Journey

(00:31:51) CSPT Workflows

(01:07:57) Wildcard Path Parameters

(01:30:34) Custom Sinks

Episode 167: Stealing Bugs with Valeriy Shevchenko

Thu, 26 Mar 2026 05:00:00 -0400

Episode 167: In this episode of Critical Thinking - Bug Bounty Podcast we welcome Valeriy Shevchenko to talk about program management, anchor programs, and Theft in Bug Bounty.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

Critical Research Lab:

https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: Check out ThreatLocker Ringfencing

https://www.criticalthinkingpodcast.io/tl-rf

Today’s Guest: https://x.com/Krevetk0Valeriy

====== This Week in Bug Bounty ======

HackerOne’s Bug Bounty Maturity Framework:

https://www.hackerone.com/blog/program-maturity-framework-bug-bounty-operations

Intigriti is hiring a Product Security Analyst

https://jobs.criticalthinkingpodcast.io/jobs/product-security-analyst-25ef4706

====== Resources ======

Valeriy’s Blog

https://krevetk0.medium.com/

====== Timestamps ======

(00:00:00) Introduction

(00:03:15) Valeriy's Bug story

(00:19:48) Anchor Programs and Bug Hunting Motivation

(00:29:50) Stealing Bugs

Episode 166: Rez0’s Top Claude Skill Secrets

Thu, 19 Mar 2026 05:00:00 -0400

Episode 166: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Rez0’s Claude Skill Secrets, when AI Generated reports fall apart, and agents vs filters.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

Critical Research Lab:

https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor: Adobe

====== This Week in Bug Bounty ======

Intigriti launched their ambassadors program. https://www.intigriti.com/ambassador

Adobe will be at Hack The Bay

https://www.hackthebay.org/

Bug Bounty Maturity Framework

https://bugbountymaturity.com/

====== Resources ======

h1-brain

https://github.com/PatrikFehrenbach/h1-brain

caido skills

http://github.com/caido/skills

Tweet from Karpathy

https://x.com/karpathy/status/2031767720933634100?s=20

Find every inefficiency in your Claude workflow with one prompt

https://x.com/shannholmberg/status/2030605364421595468

====== Timestamps ======

(00:00:00) Introduction

(00:08:28) Claude skills

(00:30:00) How AI Generated reports fall apart

(00:38:44) Orchestration

(00:49:10) Agents vs Folders

Episode 165: Protobuf Hacking, AI-Powered Bug Hunting, and Self-Improving Claude Workflows

Thu, 12 Mar 2026 05:00:00 -0400

Episode 165: In this episode of Critical Thinking - Bug Bounty Podcast Justin recaps his Zero Trust World experience, before we dive into Permissions issues client-side bugs, New Hardware Hacking Classes, and using AI to hack.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

Critical Research Lab:

https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: Check out ThreatLocker Ringfencing

https://www.criticalthinkingpodcast.io/tl-rf

====== Resources ======

bbscope Update

https://x.com/sw33tLie/status/2029344643154919720

Matt Brown's Youtube Channel

https://www.youtube.com/channel/UC3VDCeZYZH7mCihtMVHqppw

Matt's Twitter:

https://x.com/nmatt0

MCP server for HackerOne to search reports

https://x.com/OriginalSicksec/status/2029503063095124461?s=20

Caido Skills

https://github.com/caido/skills

The Agentic Hacking Era: Ramblings and a Tool

https://josephthacker.com/hacking/2026/03/06/the-agentic-hacking-era.html

Announcing AI-driven Caido

https://caido.io/blog/2026-03-06-caido-skill

====== Timestamps ======

(00:00:00) Introduction

(00:06:23) bbscope report dumping & Matt Brown Training

(00:13:10) MCP server for HackerOne to search reports & protobuff success

(00:24:24) Hacking Mics with Permissions issues client-side bugs

(00:27:26) Can AI Hack things?

Episode 164: Tommy DeVoss: From Black Hat to Bug Bounty LEGEND

Thu, 05 Mar 2026 05:00:00 -0500

Episode 164: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Tommy DeVoss to talk about his origin story, Yahoo bugs, and how Tommy first got Justin into Bug Bounty

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

Critical Research Lab:

https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Guest: https://x.com/thedawgyg

====== This Week in Bug Bounty ======

Python pitfalls: Turning developer mistakes into vulnerabilities

https://www.yeswehack.com/learn-bug-bounty/python-pitfalls-turning-developer-mistakes?utm_source=critical-thinking&utm_medium=sponsored&utm_campaign=article-research-python-pitfalls

====== Timestamps ======

(00:00:00) Introduction

(00:06:22) Yahoo SSRF

(00:14:56) Tommy's Origin

(00:44:10) Bug Bounty

(00:51:47) SSRF Attraction, AI implementation, & Browser Hacking

Episode 163: Best Technical Takeaways from Portswigger Top 10 2025

Thu, 26 Feb 2026 05:00:00 -0500

Episode 163: In this episode of Critical Thinking - Bug Bounty Podcast It’s that time of year again! We’re looking at the Portswigger Research list of top 10 web hacking techniques of 2025.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

Critical Research Lab:

https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== Resources ======

Parser Differentials: When Interpretation Becomes a Vulnerability

https://www.youtube.com/watch?v=Dq_KVLXzxH8

XSS-Leak: Leaking Cross-Origin Redirects

https://blog.babelo.xyz/posts/cross-site-subdomain-leak/

Playing with HTTP/2 CONNECT

https://blog.flomb.net/posts/http2connect/

Next.js, cache, and chains: the stale elixir

https://zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixir

SOAPwn: Pwning .NET Framework Apps Through HTTP Client Proxies And WSDL

https://watchtowr.com/wp-content/uploads/SOAPwnwatchtowr_soappwn-research-whitepaper_10-12-2025.pdf

Cross-Site ETag Length Leak

https://blog.arkark.dev/2025/12/26/etag-length-leak

Lost in Translation: Exploiting Unicode Normalization

https://www.youtube.com/watch?v=ETB2w-f3pM4

ORM Leaking More Than You Joined For

https://www.elttam.com/blog/leaking-more-than-you-joined-for/

Novel SSRF Technique Involving HTTP Redirect Loops

https://slcyber.io/research-center/novel-ssrf-technique-involving-http-redirect-loops/

Successful Errors: New Code Injection and SSTI Techniques

https://github.com/vladko312/Research_Successful_Errors

====== Timestamps ======

(00:00:00) Introduction

(00:02:33) Parser Differentials: When Interpretation Becomes a Vulnerability

(00:11:02) XSS-Leak: Leaking Cross-Origin Redirects

(00:18:25) Playing with HTTP/2 CONNECT

(00:22:10) Next.js, cache, and chains: the stale elixir

(00:29:15) SOAPwn: Pwning .NET Framework Apps Through HTTP Client Proxies And WSDL

(00:34:27) Cross-Site ETag Length Leak

(00:41:47) Lost in Translation: Exploiting Unicode Normalization

(00:47:27) ORM Leaking More Than You Joined For

(00:54:07) Novel SSRF Technique Involving HTTP Redirect Loops

(00:58:40) Successful Errors: New Code Injection and SSTI Techniques

Episode 162: HackerOne Training AI on Bug Bounty Data?

Thu, 19 Feb 2026 05:00:00 -0500

Episode 162: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph sit down with HackerOne Founder & CTO Alex Rice to discuss concerns of Using Hacker Data for AI and decreasing bounties.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

Critical Research Lab:

https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26

https://ztw.com/

Today’s Guest: https://x.com/senorarroz

====== This Week in Bug Bounty ======

XML external entity: The ultimate Bug Bounty guide to exploiting XXE vulnerabilities

https://www.yeswehack.com/learn-bug-bounty/xml-external-entity-guide-xxe?utm_source=Critical_Thinking&utm_medium=Youtube&utm_campaign=XXE_Critical_Thinking&utm_id=XXE_CT

Bug Bounty Maturity Framework

https://bugbountymaturity.com/

====== Resources ======

Confidential Information and Confidentiality Obligations

https://www.hackerone.com/terms/general#:~:text=HackerOne%20may%20use%20Confidential%20Information%20to%20develop%20and/or%20improve%20its%20Services%20(for%20example%2C%20to%20identify%20trends%2C%20and%20to%20train%20AI%20models)%20provided%20such%20use%20does%20not%20result%20in%20disclosure%20of%20Confidential%20Information%20to%20unauthorized%20third%20parties

Ownership and Licenses

https://www.hackerone.com/terms/community#:~:text=8.%20Ownership%20and%20Licenses

I argued with an AI regarding HackerOne using Hacker reports to train PtaaS

https://bugbounty.forum/post/183ff0fc-eb9e-47f8-991d-c0aa5b0bba71

HackerOne PTaaS (likely training their AI on private reports data)

https://www.reddit.com/r/bugbounty/comments/1r5hixk/hackerone_ptaas_likely_training_their_ai_on/

What Makes Agentic PTaaS Different in Real Environments

https://www.hackerone.com/blog/agentic-penetration-testing-as-a-service#:~:text=Our%20agents%20are,real%20enterprise%20constraints

====== Timestamps ======

(00:00:00) Introduction

(00:08:44) HackerOne AI Terms of Service

(00:24:56) Agentic PTaaS

(00:38:09) Selling data

(00:43:49) Decrease in Bounties

Episode 161: Cross-Consumer Attacks & DTMF Tone Exfil

Thu, 12 Feb 2026 05:00:00 -0500

Episode 161: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gives us some quick hits regarding CSRF and Cross Consumer Attacks, and also touches on some breaking questions surrounding HackerOne

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

Critical Research Lab:

https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26

https://ztw.com/

====== This Week in Bug Bounty ======

AS Watson

https://app.intigriti.com/programs/aswatson/watsons/detail

YesWeHack 2026 Report

https://choose.yeswehack.com/bug-bounty-report-2026-trends-and-key-insights-yeswehack?utm_source=youtube&utm_medium=sponsor-critical-thinking&utm_campaign=yeswehack-report-2026

====== Resources ======

PhoneLeak: Data Exfiltration in Gemini via Phone Call

https://blog.starstrike.ai/posts/phoneleak-data-exfiltration-in-gemini-via-phone-call/

Max's Tweet about decreasing bounties

https://x.com/0xw2w/status/2020788164378427483

HackerOne General Terms and Conditions

https://www.hackerone.com/terms/general

Research Review #-2: RCE in Google's AI code editor Antigravity (sudi)

https://www.youtube.com/watch?v=JqvJSF2UMyY

====== Timestamps ======

(00:00:00) Introduction

(00:03:26) YesWeHack 2026 Report

(00:09:12) CSRF Realizations & Data Exfiltration in Gemini via Phone Call

(00:14:38) 7urb0's Youtube, HackerOne decreasing bounties and Section 3.1 controversy.

(00:19:06) Cross Consumer Attacks

Episode 160: Cloudflare Zero-days & Mail Unsubscribing for XSS

Thu, 05 Feb 2026 05:00:00 -0500

Episode 160: In this episode of Critical Thinking - Bug Bounty Podcast Joseph and Brandyn. Chat through some news, Including a Cloudflare Zero-day, Turning List-Unsubscribe into an SSRF/XSS Gadget, & Magic String Denial of Service in Claude.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

Critical Research Lab:

https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor: Adobe.

Use code CTBB040126, and get a 10% bonus on your bounty for any AI vulnerability which is mapped to the OWASP LLM top 10.

Valid on Adobe Acrobat Web - AI Assistant / PDF Spaces / Content Creation and presentation features using Express

Adobe Express AI Assistant.

Valid through April 1st, 2026

Also we have a Google Cloud VRP Swag Bonus! Mention the podcast in any rewarded (cash or credit) VRP report submission before the end of April to receive bonus swag!

====== Resources ======

Cloudflare Zero-day

https://fearsoff.org/research/cloudflare-acme

Turning List-Unsubscribe into an SSRF/XSS Gadget

https://security.lauritz-holtmann.de/post/xss-ssrf-list-unsubscribe/

Breaking Multi-Tenant Isolation in Heroku Postgres

https://allistair.sh/blog/breaking-heroku-postgres/

Parse and Parse: MIME Validation Bypass to XSS via Parser Differential

https://lab.ctbb.show/research/parse-and-parse-mime-validation-bypass-to-xss-via-parser-differential

Claude Magic String Denial of Service

https://x.com/Frichette_n/status/2013988503336415522

From WebView to Remote Code Injection

https://djini.ai/from-webview-to-remote-code-injection/

DOM XSS Is Not Dead: The Rise of Polyglot Payloads

https://blogs.jsmon.sh/dom-xss-is-not-dead-the-rise-of-polyglot-payloads/

====== Timestamps ======

(00:00:00) Introduction

(00:06:17) Cloudflare Zero-day & Turning List-Unsubscribe into an SSRF/XSS Gadget

(00:16:57) Breaking Multi-Tenant Isolation in Heroku Postgres & CTBB Research

(00:25:46) Claude Magic String Denial of Service & From WebView to Remote Code Injection

Episode 159: Avoiding Downgrades on Google Cloud VRP with Cote and Darby Hopkins

Thu, 29 Jan 2026 05:00:00 -0500

Episode 159: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with the Google Cloud VRP Team to deep-dive policy and reward changes, what the panel process looks like, and how to best configure for success.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Get some hacker swag

Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26

https://ztw.com/

Google Cloud VRP Swag Bonus! Mention the podcast in any rewarded (cash or credit) VRP report submission before the end of April to receive bonus swag!

Today’s Guests:

Darby Hopkins

Michael Cote

====== This Week in Bug Bounty ======

AI Red Teaming Explained by AI Red Teamers

Good Faith AI Research Safe Harbor

Join the Adobe LHE at NULLCON GOA

====== Resources ======

‘Legendary Guy’ - Jakub Domeracki

Google Cloud VRP rewards rules

Google Cloud VRP product tiers

Bug Hunters blog on the 2025 Google Cloud VRP bugSWAT

Google VRP Discord

Google VRP on X

====== Timestamps ======

(00:00:00) Introduction

(00:10:03) CloudVRP Bugswat Event Breakdown

(00:16:40) VRP Policy & Rewards Changes

(00:04:50) Panel Process

(01:00:08) Configuring for Success & Avoiding Downgrades

(01:33:47) Scenarios for Success

Episode 158: 10hr Marathon Hack-Along Recap + $300k Client-side Bugs

Thu, 22 Jan 2026 05:00:00 -0500

Episode 158: In this episode of Critical Thinking - Bug Bounty Podcast we talk about our personal takeaways from the CTBB Charity Hackalong, and then break down some InsertScript POCs, what a $55,000 bug can look like, and if Smart People Ever Say They’re Smart.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

Critical Research Lab:

https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26

https://ztw.com/

====== Resources ======

InsertScript - XSS Challenge Solution

https://insert-script.blogspot.com/2020/03/xss-challenge-solution-refresh-header.html

InsertScript - Redirect AuthHeader

https://www.insert-script.com/examples/redirectAuthHeader/send.html

CRLF injection on a 302 redirect

https://x.com/0xdef1ant/status/2009040359482118500

Multiple XSS in Meta Conversion API Gateway Leading to Zero-Click Account Takeover

https://ysamm.com/uncategorized/2025/01/13/capig-xss.html

Arcanum Hack Tips

https://github.com/Arcanum-Sec/hack_tips

Trail of Bits Releases Claude Skills

https://x.com/dguido/status/2011541318229533063

what a $55,000 bug can look like

https://x.com/the_IDORminator/status/2007480636244697237

Pwning Claude Code in 8 Different Ways

https://flatt.tech/research/posts/pwning-claude-code-in-8-different-ways/

Do Smart People Ever Say They’re Smart?

https://labs.watchtowr.com/do-smart-people-ever-say-theyre-smart-smartertools-smartermail-pre-auth-rce-cve-2025-52691/

====== Timestamps ======

(00:00:00) Introduction

(00:04:18) Technical takeaways from CT Charity Hackalong

(00:22:21) InsertScript POCs & Rez0 and teknogeek's IOT Adventures

(00:32:16) CRLF injection on a 302 redirect & Multiple XSS in Meta

(00:41:00) Trail of Bits, what a $55,000 bug can look like, & Pwning Claude Code

(00:54:16) Do Smart People Ever Say They’re Smart?

Episode 157: Crushing Pwn2Own & H1 with Kernel Driver Exploits

Thu, 15 Jan 2026 11:00:00 -0500

Episode 157: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Hypr to talk about hacking Mediatek and his experiences with HackerOne and Pwn2Own Ecosystems.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

Critical Research Lab:

https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Guest: https://x.com/hyprdude

====== This Week in Bug Bounty ======

Top 10 web hacking techniques of 2025: call for nominations

https://portswigger.net/research/top-10-web-hacking-techniques-of-2025-nominations-open

CVE-2025-13467

https://access.redhat.com/security/cve/cve-2025-13467

====== Resources ======

Hypr's Blog

https://blog.coffinsec.com

mediatek? more like media-rekt, amirite.

https://blog.coffinsec.com/0days/2025/12/15/more-like-mediarekt-amirite.html

kernel-utils

https://github.com/mellow-hype/kernel-utils

====== Timestamps ======

(00:00:00) Introduction

(00:03:23) Heap Overflow in Mediatek Kernel Drivers

(00:19:23) Kernel Debugging & ioctl Handlers

(00:43:30) Input Structs, Sync to Source, & Privilege Escalation

(00:51:30) HackerOne Ecosystem vs Pwn2Own Ecosystem

(01:17:00) Kernel Utils

(01:26:46) Real World Bugs for Exploit Development vs CTFs

Episode 156: Chill AMA from bugbounty.forum

Thu, 08 Jan 2026 11:00:00 -0500

Episode 156: In this episode of Critical Thinking - Bug Bounty Podcast we answer some fantastic questions from over at bugbounty.forum

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== Resources ======

Critical Thinking Lab

lab.ctbb.show

Cross-Site ETag Length Leak

https://blog.arkark.dev/2025/12/26/etag-length-leak

Clawdbot

https://github.com/clawdbot/clawdbot/

Post from Steve Caldwell

https://x.com/moreconfetti/status/2006494133159162008

====== Timestamps ======

(00:00:00) Introduction

(00:00:58) Crit Lab update

(00:04:36) Cross-Site ETag Length Leak

(00:13:26) Clawdbot

(00:16:56) Will bug hunting become obsolete, LHE invitations, and Fulltime vs Part time?

(00:30:52) 10 bugs at $5k or 1 bug at $5k, CTBB Background, & Future Plans

(00:38:32) Mentoring, Conquering Classes, and what angles we implement from the podcast

(00:49:27) Best approach on new targets, tips for making 500k in a year, AI/Vibecoding & Human in the Loop

(00:59:07) Mentally mapping the target, anti-patterns that waste time, and BB beliefs that were wrong.

(01:10:12) Tackling small scope, staying on one program, picking up after a break, & moving on

(01:17:41) Invisible elements that make the difference between $2k and $20k

Episode 155: 2025 Hacker Stats & 2026 Goals

Thu, 01 Jan 2026 11:00:00 -0500

Episode 155: In this episode of Critical Thinking - Bug Bounty Podcast Justin, Joseph, and Brandyn reflect on last year of Bug Bounty, and list their goals and predictions for what 2026 holds.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== Resources ======

2024 Hacker Stats & 2025 Goals

https://blog.criticalthinkingpodcast.io/p/hackernotes-ep-104-2024-hacker-stats-2025-goals

====== Timestamps ======

(00:00:00) Introduction

(00:02:08) 2025 Full Time Hunting Retrospective

(00:10:19) Most Fulfilling Moments and Bugs

(00:17:56) Satisfaction with 2025 Stats

(00:45:28) Automation, Organization, and Collaboration

(00:48:55) Time and Motivation

(01:08:01) Goals and Predictions for Bug Bounty in 2026

Episode 154: Starting a Pentesting Company on Top of Bug Bounty

Thu, 25 Dec 2025 11:00:00 -0500

Episode 154: In this episode of Critical Thinking - Bug Bounty Podcast Joseph and Brandyn talk through the transition from Bug Bounty hunting to Pentesting. We cover diversifying income streams, the challenges of pricing for Pentests, legal considerations, and what Bug Hunters can bring to the Pentesting world

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== Timestamps ======

(00:00:00) Introduction

(00:03:36) Starting a Pentesting Company

(00:12:25) Advantages of Pentesting as a Bug Bounty Hunter

(00:29:03) Pricing, Sales, and knowing your Market/Worth

(00:36:21) Compliance in Pentests & Rapid-Fire Takaways

Episode 153: Hacking the Robots of the Future: Hardware, AI, and Bug Bounties with Matt Brown

Thu, 18 Dec 2025 11:00:00 -0500

Episode 153: In this episode of Critical Thinking - Bug Bounty Podcast Matt Brown returns to talk with us about hacking robots, IOT hackbots, and his Zero-to-Hero Hardware Hacking Guide.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Guest: Matt Brown

====== Resources ======

KeeYees USB Logic Analyzer Device

Saleae logic analyzer

XGecu

Hardware Hacking Tutorial by Make Me Hack

UART and SPI firmware extraction

UART Root Shell on Linux Router

UART Shell Jail and Unlocked Bootloader

Chinese IP Camera Firmware Extraction

Chip-Off Firmware Extraction

====== Timestamps ======

(00:00:00) Introduction

(00:01:22) Incremental Session Token Story and Matt Brown Intro

(00:10:42) Hardware Bug Bounty Scene & AI on Devices

(00:24:30) Hacking Human Robot

(00:41:33) Zero-to-Hero Hardware Hacking Guide

(01:01:47) IOT Hackbot

Episode 152: GeminiJack and Agentic Security with Sasi Levi

Thu, 11 Dec 2025 11:00:15 -0500

Episode 152: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Sasi Levi from Noma Security to talk about AI and Agentic Security. We also talk about ForcedLeak, a Google Vertex Bug, and debate if Prompt Injection is a real Vuln.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

CHeck out our New Christmas Swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker. Check out ThreatLocker Elevation Control

https://ctbb.show/tl-ec

And Noma Security! https://noma.security/

Today’s Guest: https://x.com/sasi2103

====== This Week in Bug Bounty ======

Vercel Platform Protection

Dedicated HackerOne program for Vercel WAF

YesWeHack Open Source Programs

Android recon for Bug Bounty hunters

====== Resources ======

Sasi's Tweet from 2015

ForcedLeak: AI Agent risks exposed in Salesforce AgentForce

Is Prompt Injection a Vulnerability?

====== Timestamps ======

(00:00:00) Introduction

(00:09:16) Google Vertex AI Bug

(00:29:28) Sasi's Background and Bug Bounty Journey

(00:38:55) Resources for AI and Agentic Security Methodology

(00:50:34) ForcedLeak

(01:02:06) Is Prompt Injection a Vuln?

Episode 151: Client-side Advanced Topics

Thu, 04 Dec 2025 11:00:37 -0500

Episode 151: In this episode of Critical Thinking - Bug Bounty Podcast we’re covering Client-side advanced topics. Justin talks Joseph (and us) through Third-Party Cookie Nuances, Iframe Tricks, URL Parsing, and more.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker. Check out ThreatLocker Elevation Control

https://ctbb.show/tl-ec

====== Resources ======

Nowasky's Tweet #1

https://x.com/nowaskyjr/status/1993421017381744974

Nowasky's Tweet #2

https://x.com/nowaskyjr/status/1992717862398800081

rep+ in Chrome DevTools

https://x.com/BourAbdelhadi/status/1992622964077179229

Terjanq Post from 2021

https://x.com/terjanq/status/1421093136022048775

====== Timestamps ======

(00:00:00) Introduction

(00:02:58) Client-side news & AI Updates

(00:12:02) Third-Party Cookie Nuances & PostMessages

(00:30:09) Iframe Tricks

(00:47:43) URL Parsing, CSPTS, and Client-side Routes

Episode 150: ASP.NET MVC Patterns, Popping Oracle Identity, and Esoteric Subdomain Enumeration

Thu, 27 Nov 2025 11:00:16 -0500

Episode 150: In this episode of Critical Thinking - Bug Bounty Podcast we're highlighting some cool news and research, but not before expressing our gratitude to the Hacker community. We are so thankful for you all!

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker. Check out ThreatLocker Elevation Control

https://ctbb.show/tl-ec

====== This Week in Bug Bounty ======

Cache Overflow on Cloudflare

====== Resources ======

Breaking Oracle’s Identity Manager

Who Needs a Blind XSS?

ASP.NET MVC View Engine Search Patterns

Heretic

Lesser known techniques for large-scale subdomain enum

Antigravity – Known Issues

Bug Bounty Daily

Caido version of AssetNote Surf

====== Timestamps ======

(00:00:00) Introduction

(00:09:47) Breaking Oracle’s Identity Manager & Who Needs a Blind XSS?

(00:20:37) ASP.NET MVC View Engine Search Patterns & Heretic

(00:29:04) Lesser known techniques for large-scale subdomain enum

(00:35:29) Gemini 3 & Antigravity.

(00:45:57) Bug Bounty Daily

(00:52:42) Surf for Caido

Episode 149: DEFCON Debrief: AI Vulns, Unicode Weirdness, and Wild Vulnerability Chains

Thu, 20 Nov 2025 11:00:00 -0500

Episode 149: In this episode of Critical Thinking - Bug Bounty Podcast The DEFCON videos are up, and Justin and Joseph talk through some of their favorites.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== Resources ======

Unicode surrogates conversion

Prompt. Scan. Exploit

Breaking into thousands of cloud based VPNs with 1 bug

Examining Access Control Vulnerabilities in GraphQL

Smart Bus Smart Hacking

Passkeys Pwned

Bypassing Intent Destination Checks

Gemini Agents in Google Calendar

Exploitation of DOM Clobbering Vuln at Scale

TheHulk

Smart Devices, Dumb Resets

Mac PRT Cookie Theft

====== Timestamps ======

(00:00:00) Introduction

(00:10:10) Prompt. Scan. Exploit

(00:23:52) Breaking into thousands of cloud based VPNs with 1 bug

(00:33:25) Access Control Vulns in GraphQL, Smart Bus Hacking, & Passkeys Pwned

(00:44:10) Bypassing Intent Destination Checks & Invoking Gemini Agents

(00:57:08) DOM Clobbering, Mac PRT Cookie Theft, & Smart Devices, Dumb Resets

Episode 148: MCP Hacking Guide

Thu, 13 Nov 2025 11:00:52 -0500

Episode 148: In this episode of Critical Thinking - Bug Bounty Podcast Justin gives us a crash course on Model Context Protocol.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== Timestamps ======

(00:00:00) Introduction

(00:02:51) MCP Architecture & Authentication

(00:13:08) Roots, Sampling, & Elicitation

(00:19:15) Tools and Resources

Episode 147: Stupid Simple Hacking Workflow Tips

Thu, 06 Nov 2025 11:01:16 -0500

Episode 147: In this episode of Critical Thinking - Bug Bounty Podcast we're talking tips and tricks that help us in hacking that we really should’ve learned sooner.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker. Check out ThreatLocker Network Control

https://www.criticalthinkingpodcast.io/tl-nc

====== This Week in Bug Bounty ======

Netscaler's new program

https://hackerone.com/netscaler_public_program?type=team

The ultimate Bug Bounty guide to HTTP request smuggling vulnerabilities

https://www.yeswehack.com/learn-bug-bounty/http-request-smuggling-guide-vulnerabilities

Hackers now have 2 Request-a-Response

https://docs.bugcrowd.com/changelog/researchers/request-a-response-researcher/

Evan Connelly Spotlight

https://www.bugcrowd.com/blog/hacker-spotlight-evan-connelly/

Epic Games Jobs Openings

Jobs.ctbb.show

====== Timestamps ======

(00:00:00) Introduction

(00:09:23) Command Palette, Auto-decoding, & Evenbetter

(00:17:28) Chrome Devtools Edit as html & Raycast

(00:33:23) ffuf -request flag

(00:41:33) JXScout

(00:48:55) Conditional Breakpoints in Devtools & Lightning round tips

Episode 146: Hacking Horror Stories

Thu, 30 Oct 2025 10:00:44 -0400

Episode 146: In this episode of Critical Thinking - Bug Bounty Podcast Justin, Joseph, and Brandyn all sit down to celebrate the spooky season by swapping their scariest bug stories. From frightening fails and firings to hacks with chilling and critical consequences. Grab your flashlight and a blanket for this one!

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker. Check out ThreatLocker Network Control

https://www.criticalthinkingpodcast.io/tl-nc

====== This Week in Bug Bounty ======

Methodology tips from top Bug Bounty hunters

YesWeHack marks first year of partnership with Singapore’s Government

HackerOne Hacker-Powered Security Report

====== Resources ======

Critical Research Lab

Hacking the World Poker Tour: Inside ClubWPT Gold’s Back Office

File Creation via SQLite Injection

====== Timestamps ======

(00:00:00) Introduction

(00:10:11) Crit Research Lab News

(00:21:31) Hacking the World Poker Tour & File Creation via SQLite Injection

(00:30:40) Brandyn's Spooky Bug

(00:38:02) Joseph's Spooky Bug

(00:44:18) Justin's Spooky Bug

(00:54:44) Banking Bugs, LHE Scares, and Workday weirdness.

(01:14:52) Firings and failures

(01:22:49) Bank Bug Redux

(01:35:55) Wedding planning/registry app & Amazon Rufus bugs

(01:40:52) New Relic bug

Episode 145: Gr3pme's Secret: Bug Bounty Note Taking Methodology

Thu, 23 Oct 2025 10:00:54 -0400

Episode 145: In this episode of Critical Thinking - Bug Bounty Podcast Brandyn lets us in on some of his notetaking tips, including his Templates, Threat Modeling, and ways he uses notes to help with collaboration.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, Rez0, & gr3pme on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker. Check out ThreatLocker Network Control

https://www.criticalthinkingpodcast.io/tl-nc

====== This Week in Bug Bounty ======

The minefield between syntaxes

https://www.yeswehack.com/learn-bug-bounty/syntax-confusion-ambiguous-parsing-exploits

====== Resources ======

Brandyn's Notion Template

https://terrific-dart-70e.notion.site/Example-Target-CTBB-294f4ca0f42481cca0b0ca6ac0a7c81d

====== Timestamps ======

(00:00:00) Introduction

(00:07:25) Templates, Target, and Tech Stack

(00:13:33) Threat Modeling and Attack Vectors

Episode 144: Google’s Top AI Hackers: Busfactor and Monke

Thu, 16 Oct 2025 10:00:59 -0400

Episode 144: In this episode of Critical Thinking - Bug Bounty Podcast Joseph is joined by Vitor Falcão and Ciarán Cotter to discuss their success at the recent Mexico LHE, as well as their journey and routines in fulltime hacking.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker. Check out ThreatLocker DAC

https://www.criticalthinkingpodcast.io/tl-dac

Today’s Guests:

Vitor Falcão

https://x.com/busf4ctor

Ciarán Cotter

https://x.com/monkehack

====== This Week in Bug Bounty======

Securing the Age of AI Autonomy: Priorities for 2026

https://www.hackerone.com/events/bionic-hacking

====== Resources ======

AI Vulnerability Reward Program Rules

https://bughunters.google.com/about/rules/google-friends/5222232590712832/ai-vulnerability-reward-program-rules

My First 3 Months as a Full-Time Bug Bounty Hunter

https://vitorfalcao.com/posts/3-months-as-a-full-time-bug-bounty-hunter/

====== Timestamps ======

(00:00:00) Introduction

(00:02:32) Client side Bug Story & Vitor's BB journey

(00:13:59) Google LHE Mexico takeaways

(00:26:55) Full-time hunting reflections

(00:33:39) Hacking routines

(00:42:56) Hacking AI

Episode 143: New Cohost + Client-Side Gadgets, LHE Meta — Instant Global Admin in Entra!

Thu, 09 Oct 2025 10:00:44 -0400

Episode 143: In this episode of Critical Thinking - Bug Bounty Podcast Justin brings Brandyn back to announce him as our newest co-host. We chat about recent LHE experiences, and then break down some news.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== This Week in Bug Bounty ======

YesWeHack won the European commission: https://www.yeswehack.com/news/european-commission-tender-won-yeswehack

YesWeHack now have authorised cve numbering authority: https://www.yeswehack.com/news/yeswehack-authorised-cve-numbering-authority

A wide range of highly used open source bug bounty program such as Log4J, Systemd, GNOME and a lot more:

https://event.yeswehack.com/events/open-the-code-source-the-bounty

====== Resources ======

Attributes reference inside HTML

Explaining XSS without parentheses and semi-colons

Beyond Sandbox Domains: Rendering Untrusted Web Content with SafeContentFrame

One Token to rule them all

flareprox

Caido 101: How to master it

====== Timestamps ======

(00:00:00) Introduction

(00:03:16) LHE approaches and accomplishments

(00:30:54) Attributes reference inside HTML & Explaining XSS without parentheses and semi-colons

(00:44:33) One Token to rule them all

(00:57:13) Flareprox & Caido 101

Episode 142: Gr3pme's Full-Time Hunting Journey Update, Insane AI research, And Some Light News

Thu, 02 Oct 2025 10:01:03 -0400

Episode 142: In this episode of Critical Thinking - Bug Bounty Podcast Rez0 and Gr3pme join forces to discuss Websocket research, Meta’s $111750 Bug, PROMISQROUTE, and the opportunities afforded by going full time in Bug Bounty.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker. Check out ThreatLocker DAC

Today’s Guest: https://x.com/gr3pme

====== This Week in Bug Bounty ======

New Monthly Dojo challenge and Dojo UI design

The ultimate Bug Bounty guide to exploiting race condition vulnerabilities in web applications

Watch Our boy Brandyn on the TV

====== Resources ======

murtasec

WebSocket Turbo Intruder: Unearthing the WebSocket Goldmine

Remote code execution though vulnerability in Facebook Messenger for Windows

Finding vulnerabilities in modern web apps using Claude Code and OpenAI Codex

Mind the Gap

PROMISQROUTE

====== Timestamps ======

(00:00:00) Introduction

(00:05:16) Full Time Bug Bounty and Business Startups

(00:15:50) Websockets

(00:22:17) Meta’s $111750 Bug

(00:28:38) Finding vulns using Claude Code and OpenAI Codex

(00:39:32) Time-of-Check to Time-of-Use Vulns in LLM-Enabled Agents

(00:45:22) PROMISQROUTE

Episode 141: Hacking the Pod - Google Docs 0-day & React CreateElement Exploits with Nick Copi (7urb0)

Thu, 25 Sep 2025 10:01:10 -0400

Episode 141: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Nick Copi to talk about CSPT, React, CSS Injections and how Nick hacked the pod.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker. Check out ThreatLocker DAC

https://www.criticalthinkingpodcast.io/tl-dac

Today’s Guest: https://x.com/7urb01

====== Resources ======

regexploit

https://github.com/doyensec/regexploit

Fontleak

https://adragos.ro/fontleak/

debug(function)

https://developer.chrome.com/docs/devtools/console/utilities#debug-function

domloggerpp

https://github.com/kevin-mizu/domloggerpp

====== Timestamps ======

(00:00:00) Introduction

(00:02:40) Google Docs Bug and 7urb0 Introduction

(00:13:26) Bring-a-bug story

(00:20:21) 7urb0's DEFCON talk teaser & Intrusive Thoughts Worth Sharing

(00:30:01) CSPTs and React Apps

(00:51:31) CSS Injections

(01:04:55) 7urb0's backstory and game hacking

(01:18:33) Worst Crit

Episode 140: Crit Research Lab Update & Client-Side Tricks Galore

Thu, 18 Sep 2025 10:01:17 -0400

Episode 140: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph give an update from The Crit Research Lab, as well as some writeups on postMessage vulnerabilities, Cookie Chaos, and more.

Got any ideas and suggestions? Send us feedback at info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord!

Get some hacker swag here!

====== This Week in Bug Bounty ======

Cross-site request forgery

HackerOne New Milestone Program

Email santerra.holler@bugcrowd.com for media opportunities

====== Resources ======

Exploiting Web Worker XSS with Blobs

Critical Research Lab

Rez0's Tweet

CVE-2022-21703: cross-origin request forgery against Grafana

Conversation about Forcing Quirks Mode

AI Busniess Logic & POC or GTFO

Hunting postMessage Vulnerabilities – Part 1

Hunting postMessage Vulnerabilities – Part 2

Executive Offense

Cookie Chaos: How to bypass Host and Secure cookie prefixes

====== Timestamps ======

(00:00:00) Introduction

(00:05:48) Crit Research Update

(00:13:00) Encouragement & Collaboration

(00:19:37) Cross-origin request forgery & Anthropic's web fetch

(00:29:17) Quirks Mode, AI Business Logic & POC or GTFO

(00:44:21) Hunting postMessage & Claude Code browserbase

(00:51:25) Community story, Executive Offense, & Cookie Chaos

Episode 139: James Kettle - Pwning in Prod & How to do Web Security Research

Thu, 11 Sep 2025 10:01:12 -0400

Episode 139: In this episode of Critical Thinking - Bug Bounty Podcast Justin finally sits down with the great James Kettle to talk about HTTP Proxys, metagaming research, avoiding burnout, and why HTTP/1.1 must die!

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Guest: https://x.com/albinowax

https://jameskettle.com

====== This Week in Bug Bounty ======

Building an Android Bug Bounty lab

Mobile Hacking Toolkit

====== Resources ======

CVE-2022-22720

So you want to be a web security researcher?

Hunting Evasive Vulnerabilities: Finding Flaws That Others Miss by James Kettle

HTTP/1.1 Must Die! The Desync Endgame

Practical HTTP Host header attacks

====== Timestamps ======

(00:00:00) Introduction

(00:05:01) Apache MITM-powered pause-based client-side desync

(00:15:33) HTTP Proxys and Burp Suite HTTP/2 in Repeater

(00:24:52) AI intagrations, life structure, and avoiding burnout

(00:35:23) Client-side to server-side progression

(00:47:39) The 'metagame' of security research

(01:29:43) Host Header Attacks & HTTP/1.1 Must Die!

(02:02:34) Is HTTP/2 the solution?

Episode 138: Caido Tools and Workflows

Thu, 04 Sep 2025 10:00:51 -0400

Episode 138: In this episode of Critical Thinking - Bug Bounty Podcast We’re talking Caido tools and workflows. Justin gives us a list of some of the Caido tools that have caught his interest, as well as how he’s using them.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== This Week in Bug Bounty ======

Meet YesWeHack at ROOTCON 2025

https://www.yeswehack.com/page/meet-yeswehack-at-rootcon-2025

New Dojo challenge featuring a Local File Inclusion in a Ruby application

https://dojo-yeswehack.com/challenge-of-the-month/dojo-44?utm_source=sponsor&utm_medium=challenge&utm_campaign=dojo-44

AI Red Teaming CTF

https://ctf.hackthebox.com/event/details/ai-red-teaming-ctf-ai-gon3-rogu3-2604

====== Resources ======

Web Security Labs

http://caido.rhynorater.com

====== Timestamps ======

(00:00:00) Introduction

(00:02:32) Common filters & command palette in EvenBetter

(00:06:49) Notes++

(00:09:28) Shift Agents and Drop

(00:15:34) Workflows

Episode 137: How We Do AI-Assisted Whitebox Review, New CSPT Gadgets, and Tools from SLCyber

Thu, 28 Aug 2025 10:00:32 -0400

Episode 137: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner and Joseph Thacker reunite to talk about AI Hacking Assistants, CSPT and cache deception, and a bunch of tools like ch.at, Slice, Ebka, and more.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== This Week in Bug Bounty ======

Vulnerability vectors: SQL injection for Bug Bounty hunters

Mozilla VPN Clients: RCE via file write and path traversal

====== Resources ======

Cache Deception + CSPT:

dig @ch.at

Searchlight Cyber Tools

Slice

Ebka-Caido-AI

postMessage targetOrigin bypass

====== Timestamps ======

(00:00:00) Introduction

(00:01:26) Claude, Gemini, and Hacking Assistants

(00:11:08) AI Safety

(00:18:09) CSPT

(00:23:26) ch.at, Slice, Ebka, & Searchlight Cyber Tools

(00:45:19) postMessage targetOrigin bypass

Episode 136: Hacking Cluely, AI Prod Sec, and How To Not Get Sued with Jack Cable

Thu, 21 Aug 2025 10:00:52 -0400

Episode 136: In this episode of Critical Thinking - Bug Bounty Podcast, Joseph Thacker sits down with Jack Cable to get the scoop on a significant bug in Cluely’s desktop application, as well as the resulting drama. They also talk about Jack’s background in government cybersecurity initiatives, and the legal risks faced by security researchers.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor - ThreatLocker. Checkout ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect

Today’s Guest: https://x.com/jackhcable?lang=en

====== This Week in Bug Bounty ======

Nullcon Berlin

https://www.yeswehack.com/page/yeswehack-live-hacking-nullcon-berlin-2025?utm_source=sponsor&utm_medium=blog&utm_campaign=lhe-nullcon-berlin

BB Bulletin #15

https://www.linkedin.com/pulse/bug-bounty-bulletin-15-yes-we-hack-dntue/

2x Bounty on Grab

https://hackerone.com/grab?type=team

====== Resources ======

Corridor

https://corridor.dev/

disclose.io

https://disclose.io/

====== Timestamps ======

(00:00:00) Introduction

(00:03:33) Cluely Bug, Government involvement, & Disclosed.io

(00:12:33) AI in security & Corridor.dev

(00:29:23) Cluely Bug Fallout & Ethics of hacking outside of Programs

(00:41:20) Shift Agents

Episode 135: Akamai's Ryan Barnett on WAFs, Unicode Confusables, and Triage Stories

Thu, 14 Aug 2025 10:01:08 -0400

Episode 135: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Ryan Barnett for a deep dive on WAFs. We also recap his Exploiting Unicode Normalization talk from DEFCON, and get his perspective on bug hunting from his time at Akamai.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor - ThreatLocker. Checkout ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect

Today’s Guest: https://x.com/ryancbarnett

====== Resources ======

Accidental Stored XSS Flaw in Zemanta 'Related Posts' Plugin for TypePad

https://webappdefender.blogspot.com/2013/04/accidental-stored-xss-flaw-in-zemanta.html

XSS Street-Fight

https://media.blackhat.com/bh-dc-11/Barnett/BlackHat_DC_2011_Barnett_XSS%20Streetfight-Slides.pdf

Blackhat USA 2025 - Lost in Translation: Exploiting Unicode Normalization

https://www.blackhat.com/us-25/briefings/schedule/#lost-in-translation-exploiting-unicode-normalization-44923

====== Timestamps ======

(00:00:00) Introduction

(00:02:49) Accidental Stored XSS in Typepad Plugin

(00:06:34) Chatscatter & Abusing third party Analytics

(00:11:42) Ryan Barnett Introduction

(00:21:11) Virtual Patching & WAF Challenges

(00:40:39) AWS API Gateways & Whitelisting Bug Hunter Traffic

(00:49:59) Lost in Translation: Exploiting Unicode Normalization

(01:11:29) CSPs at the WAF level & 'Bounties for Bypass'

Episode 134: XBOW - AI Hacking Agent and Human in the Loop with Diego Djurado

Mon, 04 Aug 2025 10:00:52 -0400

Episode 134: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Diego Djurado to give us the scoop on XBOW. We cover a little about its architecture and approach to hunting, the challenges with hallucinations, and the future of AI in the BB landscape. Diego also shares some of his own hacking journey and successes in the Ambassador World cup.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor - ThreatLocker User Store

Today’s Guest: https://x.com/djurado9

====== This Week in Bug Bounty ======

Announcement of our upcoming live hacking event at Nullcon Berlin, taking place on September 4-5

Bug Bounty Village Speakers 2025

Talkie Pwnii Caido showcase

Caido Masterclass – From Setup to Exploits

Access Control vs Account Takeover: What Bug Bounty Hunters Need to Know

====== Resources ======

CVE-2025-49493: XML External Entity (XXE) Injection in Akamai CloudTest

====== Timestamps ======

(00:00:00) Introduction

(00:05:56) Diego's ATO Bug

(00:12:01) H1 Ambassador World Cup and work with XBOW

(00:20:57) XBOW's CloudTest XXE Bug

(00:49:59) Freedom, Hallucinations, & Validation

(01:07:24) XBOW's Architecture

(01:23:50) Humans in the Loop, Harnesses, and Xbow's Reception

(01:44:21) Ambassador World Cup plans for the future

Episode 133: Building Hacker Communities - Bug Bounty Village, getDisclosed, and the LHE Squad

Thu, 31 Jul 2025 10:00:53 -0400

Episode 133: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Harley and Ari from H1 to talk some about community management roles within Bug Bounty, as well as discuss the evolution of Bug Bounty Village at DEFCON, and what they’ve got in store this year.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Guests:

Today’s Sponsor is Adobe. Use code CTBBP0907 in your first report on Adobe Behance, Portfolio, Fonts or Acrobat Web, and earn a one-time 10% bonus reward!

====== This Week in Bug Bounty ======

BBV Platform Panel about Triage

YesWeHACK Makes Debut at Black Hat USA 2025

New Dojo challenge featuring a time-based token prediction combined PyYAML deserialization

GMSGadget

====== Resources ======

Bug Bounty Village

Disclosed Online

Harley's Youtube Channel

====== Timestamps ======

(00:00:00) Introduction

(00:05:51) Bug Stories and Hacking Journeys

(00:32:37) Community Management within Bug Bounty

(00:39:43) Bug Bounty Village - Origin & 2025 Plans

(01:02:39) Disclosed Online and Harley's Upcoming Ebook

Episode 132: Archive Testing Methodology with Mathias Karlsson

Thu, 24 Jul 2025 10:00:39 -0400

Episode 132: In this episode of Critical Thinking - Bug Bounty Podcast, Justin Gardner is joined by Mathias Karlsson to discuss vulnerabilities associated with archives. They talk about his new tool, Archive Alchemist, and explore topics like the significance of Unicode paths, symlinks, and TAR before they end up talking about Charsets again..

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord!

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker - Patch Management

Today’s Guest: Mathias Karlsson

====== This Week in Bug Bounty ======

Swiss Post's 2025 Public Intrusion Test starts on July 28

Intigriti teams with NVIDIA

Bugcrowd Ingenuity Awards

Hack the Hacker Series - AI Vulnerabilities and Bug Bounties

A Novel Technique for SQL Injection in PDO’s Prepared Statements

How We Accidentally Discovered a Remote Code Execution Vulnerability in ETQ Reliance

====== Resources ======

Archive Alchemist

Hacking Livestream #53: The ZIP file format

====== Timestamps ======

(00:00:00) Introduction

(00:10:04) Archive Alchemist

(00:36:05) Unicode Extensions, normalization, and confusion attacks on Zip parsers

(00:48:44) Character Sets

(01:01:49) 7zip & File Names

(01:06:44) Path Traversal, Symlinks & Identifying Techniques

(01:36:05) Hardlinks and TAR

Episode 131: SL Cyber Writeups, Bug Bounty Metastrategy, and Orphaned Github Commits

Thu, 17 Jul 2025 10:01:20 -0400

Episode 131: In this episode of Critical Thinking - Bug Bounty Podcast we're covering Christmas in July with several banger articles from Searchlight Cyber, as well as covering things like Raycast for Windows, Third-Person prompting, and touch on the recent McDonalds Leak

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor is Adobe. Use code CTBBP0907 in your first report on Adobe Behance, Portfolio, Fonts or Acrobat Web, and earn a one-time 10% bonus reward!

====== Resources ======

v1 Instance Metadata Service protections bypass

Would you like an IDOR with that? Leaking 64 million McDonald’s job applications

How we got persistent XSS on every AEM cloud site, thrice

Google docs now supports export as markdown

Abusing Windows, .NET quirks, and Unicode Normalization to exploit DNN (DotNetNuke)

How I Scanned all of GitHub’s “Oops Commits” for Leaked Secrets

Bug bounty, feedback, strategy and alchemy

====== Timestamps ======

(00:00:00) Introduction

(00:05:39) Metadata Service protections bypass & Mcdonalds Leak

(00:12:30) Christmas in July with Searchlight Cyber Pt 1

(00:19:43) Export as Markdown, Raycast for Windows, & Third-Person prompting

(00:23:56) Christmas in July with Searchlight Cyber Pt 2

(00:27:39) GitHub’s “Oops Commits” for Leaked Secrets

(00:36:53) Bug bounty, feedback, strategy and alchemy

Episode 130: Minecraft Hacks to Google Hacking Star - Valentino

Thu, 10 Jul 2025 08:20:06 -0400

Episode 130: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Valentino, who shares his journey from hacking Minecraft to becoming a Google hunter. He talks us through several bugs, including an HTML Sanitizer bypass and .NET deserialization, and highlights the hyper creative approaches he tends to employ.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker - Patch Management

https://www.criticalthinkingpodcast.io/TL-patch-management

Today’s Guest: Valentino - https://blog.3133700.xyz/

====== Resources ======

JMX Manager

Stored XSS in reclamos

Command Injection in Vertex AI

whitepaper-net-deser.pdf

free-after-use.go

A Journey Into Finding Vulnerabilities in the PMB Library Management System

emulated-register_globals.php

====== Timestamps ======

(00:00:00) Introduction

(00:02:38) JMXProxy Bug Story

(00:09:46) Intro to Valentino

(00:29:08) HTML Sanitizer bypass on MercadoLibre

(00:37:16) Command injection in Vertex AI

(00:44:10) .NET deserialization, & Argument injection to LFR, & Free after use

(00:51:33) Luck, creativity, and evolution as Hacker

(00:59:31) Issues in file extension validation components, Emulated register_globals, & AI Hacking

Episode 129: Is this how Bug Bounty Ends?

Thu, 03 Jul 2025 11:01:06 -0400

Episode 129: In this episode of Critical Thinking - Bug Bounty Podcast we chat about the future of hack bots and human-AI collaboration, the challenges posed by tokenization, and the need for cybersecurity professionals to adapt to the evolving landscape of hacking in the age of AI

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== This Week in Bug Bounty ======

Improper error handling in async cryptographic operations crashes process

https://hackerone.com/reports/2817648

Recon Series #6: Excavating hidden artifacts with Wayback Machine

https://www.yeswehack.com/learn-bug-bounty/recon-wayback-machine-web-archive

====== Resources ======

This is How They Tell Me Bug Bounty Ends

https://josephthacker.com/hacking/2025/06/09/this-is-how-they-tell-me-bug-bounty-ends.html

Welcome, Hackbots: How AI Is Shaping the Future of Vulnerability Discovery

https://www.hackerone.com/blog/welcome-hackbots-how-ai-shaping-future-vulnerability-discovery

Glitch Token

https://www.youtube.com/watch?v=WO2X3oZEJOA

Conducting smarter intelligences than me: new orchestras

https://southbridge-research.notion.site/conducting-smarter-intelligences-than-me

====== Timestamps ======

(00:00:00) Introduction

(00:04:05) Is this how Bug Bounty Ends?

(00:11:14) Hackbots and handling leads

(00:20:50) Hacker chain of thought & Tokenization

(00:32:54) Context Engineering

Episode 128: New Research in Blind SSRF and Self-XSS, and How to Architect Source-code Review AI Bots

Thu, 26 Jun 2025 11:00:31 -0400

Episode 128: In this episode of Critical Thinking - Bug Bounty Podcast we talking Blind SSRF and Self-XSS, as well as Reversing massive minified JS with AI and a wild Google Logo Ligature Bug

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker - Patch Management

====== This Week in Bug Bounty ======

BitK's "Payload plz" challenge at LeHack

====== Resources ======

Make Self-XSS Great Again

Novel SSRF Technique Involving HTTP Redirect Loops

Surf - Escalate your SSRF vulnerabilities on Modern Cloud Environments

Gecko: Intent to prototype: Framebusting Intervention

Conducting smarter intelligences than me: new orchestras

Mandark

Lumentis

jscollab

Google Logo Ligature Bug

====== Timestamps ======

(00:00:00) Introduction

(00:03:55) Self-XSS and credentialless iframe

(00:16:50) Novel SSRF Technique Involving HTTP Redirect Loops

(00:25:02) Framebusting

(00:29:13) Reversing massive minified JS with AI

(00:53:12) Google Logo Ligature Bug

Episode 127: Drama, PDF as JS Chaos, Bounty Profile Apps, And More

Thu, 19 Jun 2025 11:00:42 -0400

Episode 127: In this episode of Critical Thinking - Bug Bounty Podcast we address some recent bug bounty controversy before jumping into a slew of news items

Shoutout to YTCracker for the awesome intro music!

Today's Sponsor: Adobe

====== This Week In Bug Bounty ======

Hackers Guide to Google dorking

YesWeCaido

New Dojo Challenge

Smart Contract BB tips

Red Team AAS

====== Resources ======

Disclosed

PDF csp bypass

Bypassing File Upload Restrictions To Exploit Client-Side Path Traversal

OBS WebSocket to RCE

Time in a bottle (or knapsack)

How to Differentiate Yourself as a Bug Bounty Hunter

Disclosed. Online

hacked-in

‘EchoLeak’

Piloting Edge Copilot

Newtowner

Tips for agent prompting

Firefox XSS vectors

Tweet from Masato Kinugawa

Chrome debug() function

Episode 126: Hacking AI Series: Vulnus ex Machina - Part 3

Thu, 12 Jun 2025 10:00:43 -0400

Episode 126: In this episode of Critical Thinking - Bug Bounty Podcast we wrap up Rez0’s AI miniseries ‘Vulnus Ex Machina’. Part 3 includes a showcase of AI Vulns that Rez0 himself has found, and how much they paid out.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor - ThreatLocker Web Control

https://www.criticalthinkingpodcast.io/tl-webcontrol

====== Resources ======

Claude Code System Prompt

Attacking AI Agents

Probability of Hacks

New Gemini for Workspace Vulnerability Enabling Phishing & Content Manipulation

How to Hack AI Agents and Applications

====== Timestamps ======

(00:00:00) Introduction

(00:02:53) NahamCon Recap, Claude news, and wunderwuzzi writeups

(00:08:57) Probability of Hacks

(00:11:27) First AI Vulnerabilities

(00:18:57) AI Vulns on Google

(00:25:11) Invisible prompt Injection

Episode 125: How to Win Live Hacking Events

Thu, 05 Jun 2025 10:01:40 -0400

Episode 125: In this episode of Critical Thinking - Bug Bounty Podcast Justin shares insights on how to succeed at live hacking events. We cover pre-event preparations, challenges of collaboration, on-site strategies, and the importance of maintaining a healthy mindset throughout the entire process.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== This Week in Bug Bounty ======

Decathlon Public Bug Bounty Program on YesWeHack

====== Resources ======

The Ultimate Double-Clickjacking PoC

Grafana Full read SSRF and Account Takeover: CVE-2025-4123

Grafana CVE-2025-4123 Exploit

What I learned from my first 100 HackerOne Reports

Root for your friends

====== Timestamps ======

(00:00:00) Introduction

(00:02:30) The Ultimate Double-Clickjacking PoC, Grafana CVE, & Evan Connelly's first 100 bugs

(00:10:23) How to win at Live Hacking Events

(00:11:53) Pre-event

(00:11:45) Scope Call

(00:33:11) Dupe window Ends

(00:36:00) Onsite & and Day of Event

(00:42:46) Don't define your identity on the outcome

Episode 124: Bug Bounty Lifestyle = Less Hacking Time?

Thu, 29 May 2025 10:01:36 -0400

Episode 124: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph cover some news from around the community, hitting on Joseph’s Anthropic safety testing, Justin’s guest appearance on For Crying Out Cloud, and several fascinating tweets. Then they have a quick Full-time Bug Bounty check-in.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor - ThreatLocker Web Control

https://www.criticalthinkingpodcast.io/tl-webcontrol

====== This Week in Bug Bounty ======

Louis Vuitton Public Bug Bounty Program

CVE-2025-47934 was discovered on one of our Bug Bounty program : OpenPGP.js

Stored XSS in File Upload Leads to Privilege Escalation and Full Workspace Takeover

====== Resources ======

Jorian tweet

Clipjacking: Hacked by copying text - Clickjacking but better

Crying out Cloud Appearance

Wiz Research takes 1st place in Pwn2Own AI category

New XSS vector with image tag

====== Timestamps ======

(00:00:00) Introduction

(00:10:50) Supabase

(00:13:47) Tweet-research from Jorian and Wyatt Walls.

(00:20:24) Anthropic safety testing challenge & Wiz Podcast guest appearance

(00:27:44) New XSS vector, Google i/o, and coding agents

(00:35:48) Full Time Bug Bounty

Episode 123: Hacking AI Series: Vulnus ex Machina - Part 2

Thu, 22 May 2025 10:01:32 -0400

Episode 123: In this episode of Critical Thinking - Bug Bounty Podcast we’re back with part 2 of Rez0’s miniseries. Today we talk about mastering Prompt Injection, taxonomy of impact, and both triggering traditional Vulns and exploiting AI-specific features.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor - ThreatLocker User Store

https://www.criticalthinkingpodcast.io

/tl-userstore

====== This Week in Bug Bounty ======

Earning a HackerOne 2025 Live Hacking Invite

https://www.hackerone.com/blog/earning-hackerone-2025-live-hacking-invite

HTTP header hacks: basic and advanced exploit techniques explored

https://www.yeswehack.com/learn-bug-bounty/http-header-exploitation

====== Resources ======

Grep.app

https://vercel.com/blog/migrating-grep-from-create-react-app-to-next-js

Gemini 2.5 Pro prompt leak

https://x.com/elder_plinius/status/1913734789544214841

Pliny's CL4R1T4S

https://github.com/elder-plinius/CL4R1T4S

https://x.com/pdstat/status/1913701997141803329

====== Timestamps ======

(00:00:00) Introduction

(00:05:25) Grep.app, O3, and Gemini 2.5 Pro prompt leak

(00:11:09) Delivery and impactful action

(00:20:44) Mastering Prompt Injection

(00:30:36) Traditional vulns in Tool Calls, and AI Apps

(00:37:32) Exploiting AI specific features

Episode 122: We Won Google's AI Hacking Event in Tokyo - Main Takeaways

Thu, 15 May 2025 10:00:29 -0400

Episode 122: In this episode of Critical Thinking - Bug Bounty Podcast your boys are MVH winners! First we’re joined by Zak, to discuss the Google LHE as well as surprising us with a bug of his own! Then, we sit down with Lupin and Monke for a winners roundtable and retrospective of the event.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Check out the CTBB Job Board: https://jobs.ctbb.show/

Today’s Guests:

Zak Bennett : https://www.linkedin.com/in/zak-bennett/

Ciarán Cotter: https://x.com/monkehack

Roni Carta: https://x.com/0xLupin

====== Resources ======

We hacked Google’s A.I Gemini and leaked its source code

https://www.landh.tech/blog/20250327-we-hacked-gemini-source-code

====== Timestamps ======

(00:00:00) Introduction

(00:03:02) An RCE via memory corruption

(00:07:45) Zak's role at Google and Google's AI LHE

(00:15:25) Different Components of AI Vulnerabilities

(00:24:58) MHV Winner Debrief

(01:08:47) Technical Takeaways And Team Strategies

(01:28:49) LHE Experience and Google VRP & Abuse VRP

Episode 121: Slonser’s Image Injection 0-day -> ATO & New Caido Collab Plugin

Thu, 08 May 2025 10:00:25 -0400

Episode 121: In this episode of Critical Thinking - Bug Bounty Podcast we cover so much news and research that we ran out of room in the description...

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow Rhynorater and Rez0 on X:

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord!

We also have hacker swag!

====== This Week in Bug Bounty ======

Hacker spotlight: Rhynorater

Ultra Mobile BB Program - Mobile Apps

Ultra Mobile BB Program - (Public)

John Deere Program

JD's's BB Program Boosts Cybersecurity

Dojo #41 - Ruby treasure

====== Resources ======

slonser 0-day in chrome

CT Additional useful primitives

How I made $64k from deleted files

CTBB episode with Sharon Brizinov

Rez0's Subdomain Link Launcher

Andre's tweet about encoded word

Nahamcon

Gemini prompt leak

SVG Onload Handlers

Episode 120: SpaceRaccoon - From Day Zero to Zero Day

Thu, 01 May 2025 10:01:20 -0400

Episode 120: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner welcomes Eugene to talk (aka fanboy) about his new book, 'From Day Zero to Zero Day.' We walk through what to expect in each chapter, including Binary Analysis, Source and Sink Discovery, and Fuzzing everything.Then we give listeners a special deal on the book.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor - ThreatLocker User Store

https://www.criticalthinkingpodcast.io

/tl-userstore

Today’s guest: https://x.com/spaceraccoonsec

====== Resources ======

Buy SpaceRaccoon's Book: From Day Zero to Zero Day

https://nostarch.com/zero-day

USE CODE 'ZERODAYDEAL' for 30% OFF

Pwning Millions of Smart Weighing Machines with API and Hardware Hacking

https://spaceraccoon.dev/pwning-millions-smart-weighing-machines-api-hardware-hacking/

====== Timestamps ======

(00:00:00) Introduction

(00:04:58) From Day Zero to Zero Day

(00:12:06) Mapping Code to Attack Surface

(00:17:59) Day Zero and Taint Analysis

(00:22:43) Automated Variant Analysis & Binary Taxonomy

(00:31:35) Source and Sink Discovery

(00:40:22) Hybrid Binary Analysis & Quick and Dirty Fuzzing

(00:56:00) Coverage-Guided Fuzzing, Fuzzing Everything, & Beyond Day Zero

(01:02:16) Bug bounty, Vuln research, & Governmental work

(01:10:23) Source Code Review & Pwning Millions of Smart Weighing Machines

Episode 119: Abusing Iframes from a client-side hacker

Thu, 17 Apr 2025 10:01:33 -0400

Episode 119: In this episode of Critical Thinking - Bug Bounty Podcast Justin does a mini deep dive into the world of iframes, starting with why they’re significant, their attributes, and how to attack them.

CORRECTION: Some of my comments on the latest episode of the pod were woefully inaccurate about the `csp` attribute of an iframe. Def should have read the spec more thoroughly. Please see the #corrections channel in Discord for the deets.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== Resources ======

Episode with JR0ch17

ctbb.show/61

Exacerbating Cross-Site Scripting: The Iframe Sandwich

https://coopergyoung.com/exacerbating-cross-site-scripting-the-iframe-sandwich/

====== Timestamps ======

(00:00:00) Introduction

(00:01:20) Why are Iframes useful

(00:05:11) Attributes of Iframes

(00:21:39) Iframe Attacks

(00:29:53) Iframe Fun Facts

Episode 118: Hacking Happy Hour: 0days on Tap and SQLi Shots

Thu, 10 Apr 2025 10:01:05 -0400

Episode 118: In this episode of Critical Thinking - Bug Bounty Podcast we cover a host of news, including clientside tidbits, “Credentialless” iframes, prototype pollution, and what constitutes a polyglot in llms.txt.

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow Rhynorater and Rez0 on X

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

You can also find some hacker swag!

====== Resources ======

p4fg passed 1 Million!

/reports/:id.json - $25K Crit

Hacking Crypto pt1

The art of payload obfuscation

Analyzing the Next.js Middleware Bypass

Nahamsec's Merch store

llms.txt polyglot prompt injection

React Router and the Remix’ed path

Pre-Authentication SQL Injection in Halo ITSM

Pwning Millions of Smart Weighing Machines

MCP Server Oauth

Cline

“Credentialless” iframes

Tiny XSS Payloads

Types of Pollution

====== Timestamps ======

(00:00:00) Introduction

(00:05:56) Next.js Middleware bypass & Polyglots in llms.txt

(00:16:35) CPDoS on React Router

(00:24:26) Loose Types Sink Ships & Pwning Smart Scales

(00:32:30) MCP Server Oauth & Cline

(00:39:40) Clientside Tidbits & Prototype Pollutions

Episode 117: Hacking AI Series: Vulnus ex Machina - Part 1

Thu, 03 Apr 2025 10:01:04 -0400

Episode 117: In this episode of Critical Thinking - Bug Bounty Podcast Joseph introduces Vulus Ex Machina: A 3-part mini-series on hacking AI applications. In this part, he lays the groundwork and focuses on AI reconnaissance.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== Resources ======

Building Reliable Web Agents

https://x.com/pk_iv/status/1904178892723941777

17 security checks from VIBE to PRODUCTION

https://x.com/Kaamiiaar/status/1902342578185630000

How to Hack AI Agents and Applications

https://josephthacker.com/hacking/2025/02/25/how-to-hack-ai-apps.html

AI Crash Course Repo

https://github.com/henrythe9th/ai-crash-course

Deep Dive into LLMs like ChatGPT

https://www.youtube.com/watch?v=7xTGNNLPyMI

====== Timestamps ======

(00:00:00) Introduction

(00:01:54) AI News

(00:08:09) How to Hack AI Agents and Applications

(00:14:26) The Recon Process

(00:25:06) Initial Probing & Steering

Episode 116: Auth Bypasses and Google VRP Writeups

Thu, 27 Mar 2025 10:00:58 -0400

Episode 116: In this episode of Critical Thinking - Bug Bounty Podcast Justin gives a quick rundown of Portswigger’s SAML Roulette writeup, as well as some Google VRP reports, and a Next.js middleware exploit.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor: ThreatLocker Cloud Control - https://www.threatlocker.com/platform/cloud-control

====== Resources ======

SAML roulette: the hacker always wins

https://portswigger.net/research/saml-roulette-the-hacker-always-wins

Loophole of getting Google Form associated with Google Spreadsheet with no editor/owner access

https://bughunters.google.com/reports/vrp/yBeFmSrJi

Loophole to see the editors of a Google Document with no granted access(owner/editor) with just the fileid (can be obtained from publicly shared links with 0 access)

https://bughunters.google.com/reports/vrp/7EhAw2hur

Cloud Tools for Eclipse - Chaining misconfigured OAuth callback redirection with open redirect vulnerability to leak Google OAuth Tokens with full GCP Permissions

https://bughunters.google.com/reports/vrp/F8GFYGv4g

Next.js, cache, and chains: the stale elixir

https://zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixir

Next.js and the corrupt middleware: the authorizing artifact

https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware

====== Timestamps ======

(00:00:00) Introduction

(00:02:59) SAML roulette

(00:13:08) Google bugs

(00:20:16) Next.js and the corrupt middleware

Episode 115: Mentee to Career Hacker - Mokusou (So Sakaguchi)

Thu, 20 Mar 2025 10:01:33 -0400

Episode 115: In this episode of Critical Thinking - Bug Bounty Podcast Justin and So Sakaguchi sit down to walk through some recent bugs, before having a live mentorship session. They also talk about Reflector, and finish up by doing a bonus podcast segment in Japanese!

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to https://x.com/realytcracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor: ThreatLocker Cloud Control - https://www.threatlocker.com/platform/cloud-control

Today’s Guest: https://x.com/Mokusou4

====== Resources ======

So's last appearance in episode 40

ctbb.show/40

====== Timestamps ======

(00:00:00) Introduction

(00:04:11) So's Facebook Bug

(00:14:37) So and Justin's Google Bug

(00:33:39) Live Mentorship Session

(00:56:29) Reflector

(01:13:22) Bonus - Podcast in Japanese

Episode 114: Single Page Application Hacking Playbook

Thu, 13 Mar 2025 10:00:25 -0400

Episode 114: In this episode of Critical Thinking - Bug Bounty Podcast we’re diving into SPA and how to attack them.We also cover a host of news items, including some bug write-ups, AI updates, and a new tool called Hackadvisor.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor: ThreatLocker Cloud Control

====== Resources ======

Hacking High-Profile Bug Bounty Targets: Deep Dive into a Client-Side Chain

Research finds 12,000 ‘Live’ API Keys and Passwords in DeepSeek's Training Data

Hackadvisor

WP Extensions

Notebook LM

Pressing Buttons with Popups

Response to @RenwaX23

Prompt Injection Attacks for Dummies

Shadow Repeater

parallel-prettier

====== Timestamps ======

(00:00:00) Introduction

(00:02:15) Bug Write-up from @busf4ctor

(00:09:44) Scanning Common Crawl

(00:16:30) Hackadvisor and WP/Chrome Extension News

(00:24:15) Notebook LM, and Recent AI Updates

(00:31:58) Write-up from @J0R1AN and Related POC from @RenwaX23

(00:38:10) Prompt Injection Attacks for Dummies

(00:42:29) ShadowRepeater

(00:47:04) Single-page applications

Episode 113: Best Technical Takeaways from Portswigger Top 10 2024

Thu, 06 Mar 2025 11:01:36 -0500

Episode 113: In this episode of Critical Thinking - Bug Bounty Podcast we’re breaking down the Portswigger Top 10 from 2024. There’s some bangers in here!

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on X:

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag!

====== Resources ======

Hijacking OAUTH flows via Cookie Tossing

ChatGPT Account Takeover - Wildcard Web Cache Deception

OAuth Non-Happy Path to ATO

CVE-2024-4367 - Arbitrary JavaScript execution in PDF.js

DoubleClickjacking: A New Era of UI Redressing

WorstFit: Unveiling Hidden Transformers in Windows ANSI

SQL Injection Isn't Dead: Smuggling Queries at the Protocol Level

Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server

Middleware, middleware everywhere – and lots of misconfigurations to fix

====== Timestamps ======

(00:00:00) Introduction

(00:09:56) Hijacking OAuth flows via Cookie Tossing

(00:17:30) ChatGPT Account Takeover

(00:25:28) OAuth Non-Happy Path to ATO

(00:29:24) CVE-2024-4367

(00:37:37) DoubleClickjacking:

(00:44:54) Exploring the DOMPurify library

(00:48:01) WorstFit

(00:56:29) Unveiling TE.0 HTTP Request Smuggling

(01:06:40) SQL Injection Isn't Dead: Smuggling Queries at the Protocol Level

(01:14:05) Confusion Attacks

Episode 112: Interview with Ciarán Cotter (MonkeHack) - Critical Lab Researcher and Full-time Hunter

Thu, 27 Feb 2025 11:01:23 -0500

Episode 112: In this episode of Critical Thinking - Bug Bounty Podcast Joseph Thacker is joined by Ciarán Cotter (Monke) to share his bug hunting journey and give us the rundown on some recent client-side and server-side bugs. Then they discuss WebSockets, SaaS security, and cover some AI news including Grok 3, Nuclei -AI Flag, and some articles by Johann Rehberger.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Guest - Ciarán Cotter

https://x.com/monkehack

====== Resources ======

Msty

https://msty.app/

From Day Zero to Zero Day

https://nostarch.com/zero-day

Nuclei - ai flag

https://x.com/pdiscoveryio/status/1890082913900982763

ChatGPT Operator: Prompt Injection Exploits & Defenses

https://embracethered.com/blog/posts/2025/chatgpt-operator-prompt-injection-exploits/

Hacking Gemini's Memory with Prompt Injection and Delayed Tool Invocation

https://embracethered.com/blog/posts/2025/gemini-memory-persistence-prompt-injection/

====== Timestamps ======

(00:00:00) Introduction

(00:01:04) Bug Rundowns

(00:13:05) Monke's Bug Bounty Background

(00:20:03) Websocket Research

(00:34:01) Connecting Hackers with Companies

(00:34:56) Grok 3, Msty, From Day Zero to Zero Day

(00:42:58) Full time Bug Bounty, SaaS security, and Threat Modeling while AFK

(00:54:49) Nuclei - ai flag, ChatGPT Operator, and Hacking Gemini's Memory

Episode 111: How to Bypass DOMPurify in Bug Bounty with Kevin Mizu

Thu, 20 Feb 2025 11:01:35 -0500

Episode 111: In this episode of Critical Thinking - Bug Bounty Podcast Justin interviews Kevin Mizu to showcase his knowledge regarding DOMPurify and its misconfigurations. We walk through some of Kevin’s research, highlighting things like Dangerous allow-lists and URI Attributes, DOMPurify hooks, node manipulation, and DOM Clobbering.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== Resources ======

Exploring the DOMPurify library: Bypasses and Fixes (1/2)

https://mizu.re/post/exploring-the-dompurify-library-bypasses-and-fixes

Exploring the DOMPurify library: Hunting for Misconfigurations (2/2)

https://mizu.re/post/exploring-the-dompurify-library-hunting-for-misconfigurations

Dom-Explorer tool

https://yeswehack.github.io/Dom-Explorer/shared?id=772a440c-b0c2-4991-be71-3e271cf7954f

CT Episode 61: A Hacker on Wall Street - JR0ch17

https://www.criticalthinkingpodcast.io/episode-61-a-hacker-on-wall-street-jr0ch17/

====== Timestamps ======

(00:00:00) Introduction

(00:01:44) Kevin Mizu - Background and Bring-a-bug

(00:15:09) DOMPurify

(00:29:04) Misconfigurations - Dangerous allow-lists

(00:39:09) Dangerous URI attributes configuration

(00:46:08) Bad usage

(00:59:55) DOMPurify Hooks: before, after, and upon SanitizeAttribute

(01:29:15) Node manipulation, nodeName namespace case confusion, & DOM Clobbering DOS

(01:36:51) Misc concepts for future research

Episode 110: Oauth Gadget Correlation and Common Attacks

Thu, 13 Feb 2025 11:01:16 -0500

Episode 110: In this episode of Critical Thinking - Bug Bounty Podcast we hit some quick news items including a DOMPurify 3.2.3 Bypass, O3 mini updates, and a cool postLogger Chrome Extension. Then, we hone in on OAuth vulnerabilities, API keys, and innovative techniques hackers use to exploit these systems.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to https://x.com/realytcracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== Resources ======

DOMPurify 3.2.3 Bypass

Jason Zhou's post about O3 mini

Live Chat Blog #2: Cisco Webex Connect

postLogger Chrome Extension

postLogger Webstore Link

Common OAuth Vulnerabilities

nOAuth: How Microsoft OAuth Misconfiguration Can Lead to Full Account Takeover

Account Takeover using SSO Logins

Kai Greshake

====== Timestamps ======

(00:00:00) Introduction

(00:01:44) DOMPurify 3.2.3 Bypass

(00:06:37) O3 mini

(00:10:29) Ophion Security: Cisco Webex Connect

(00:15:54) Discord Community News

(00:19:12) postLogger Chrome Extension

(00:21:04) Common OAuth Vulnerabilities & Lessons learned from Google’s APIs

Episode 109: Creative Recon - Alternative Techniques

Thu, 06 Feb 2025 11:00:55 -0500

Episode 109: In this episode of Critical Thinking - Bug Bounty Podcast we start off with a quick recap of some of the DeepSeek Drama that’s been going down, and discuss AI in CAPTCHA and 2FA as well. Then we switch to cover some other news before settling in to talk about Alternative Recon Techniques

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to https://x.com/realytcracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor - ThreatLocker. Check out their Managed Detection and Response!

====== Resources ======

Resources

Wiz Research Uncovers Exposed DeepSeek Database

Bypass Bot Detection

Tweet from sw33tLie

rsc 2fa

Stealing HttpOnly cookies with the cookie sandwich technique

Report Pointers for Collaborative Chains

Clone2Leak: Your Git Credentials Belong To Us

Deanonymization via cache

GoogleChrome related-website-sets

====== Timestamps ======

(00:00:00) Introduction

(00:02:03) DeepSeek debacle and Bypass Bot Detection

(00:23:48) Stealing HttpOnly cookies with the cookie sandwich technique

(00:30:54) Report Pointers for Collaborative Chains

(00:34:43) Clone2Leak: Your Git Credentials Belong To Us

(00:40:04) Deanonymization for Signal and Discord

(00:41:53) Alternative Recon Techniques

Episode 108: How to Hack Salesforce, ServiceNow, and Other SaaS Products With Aaron Costello

Thu, 30 Jan 2025 11:00:47 -0500

Episode 108: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph bring on Aaron Costello to discuss SaaS security and misconfigurations as a bug class. He also gives some in-depth examples from Salesforce, ServiceNow, and Power Pages.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to https://x.com/realytcracker for the awesome intro music!

====== Links ======

Follow your hosts on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor: AppOmni. Get AppOmni's Definitive Guide to SaaS Security https://www.criticalthinkingpodcast.io/AppOmni

Today’s Guest:

https://x.com/ConspiracyProof

====== Resources ======

Aaron's Blog

https://www.enumerated.ie/

Data Exposure and ServiceNow: The Elephant in the ITSM Room

https://www.enumerated.ie/index/servicenow-data-exposure

Salesforce Lightning - An in-depth look at exploitation vectors for the everyday community

https://www.enumerated.ie/index/salesforce

Lightning Components: A Treatise on Apex

Security from an External Perspective

https://go.appomni.com/hubfs/Collateral/AppOmni_Labs_White_Paper_Apex_Security.pdf?utm_campaign=Network%20Computing&utm_source=referral&utm_content=network_computing

Microsoft Power Pages: Data Exposure Reviewed

https://appomni.com/ao-labs/microsoft-power-pages-data-exposure-reviewed/

====== Timestamps ======

(00:00:00) Introduction

(00:03:00) Aaron Costello, Arbitrary File Upload, & App Cache Manifest Poison bug

(00:13:37) SAAS Misconfigurations as a bug class

(00:43:27) SalesForce Misconfigurations

(01:11:30) Microsoft Power Pages

Episode 107: Bypassing Cross-Origin Browser Headers

Thu, 23 Jan 2025 11:01:45 -0500

Episode 107: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph are tackling the subject of cross-origin security headers. They also cover some news items including Google’s OAuth login flaw, RAINK, and gift card hacking.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to https://x.com/realytcracker for the awesome intro music!

====== Links ======

Follow your hosts on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor - ThreatLocker. Check out their Managed Detection and Response! https://www.criticalthinkingpodcast.io/tl-mdr

====== Resources ======

A Proud Dad's Tale of Two Bug Hunting Daughters and Their Responsible Disclosures

Google’s OAuth login flaw

Rez0's Ai tweet

Rez0's Follow-up

Raink from BishopFox

Gift cards security research

Top 10 web hacking techniques of 2024

Cross-Origin-Opener-Policy: preventing attacks from popups

====== Timestamps ======

(00:00:00) Introduction

(00:05:13) Hacking with your kids

(00:09:46) H1/bc pentests

(00:12:23) Google’s OAuth login flaw

(00:18:01) Raink & Rez0's AI tweets

(00:28:46) Giftcard hacking & Portswigger top 10 voting

(00:34:23) Cross Origin Web Headers

Episode 106: Announcing our new cohost...

Thu, 16 Jan 2025 11:00:25 -0500

Episode 106: In this episode of Critical Thinking - Bug Bounty Podcast we are pleased to announce our new co-host of the podcast: Joseph Thacker Aka Rez0! We discuss Joseph's transition to full-time bug bounty hunting, his goals, and what he’s looking forward to bringing to the pod. We also cover some news items including doubleclickjacking, character set attacks, SVG XSS, and more.

Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Rez0 on twitter:

https://x.com/Rhynorater

https://x.com/rez0__

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Check out our new SWAG store at https://ctbb.show/swag!

Resources

DoubleClickjacking: A New Era of UI Redressing

https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html

XBOW Validation Benchmarks

https://github.com/xbow-engineering/validation-benchmarks

Jorian tweet

https://x.com/J0R1AN/status/1871586792455163975

Simplified Payload

https://portswigger-labs.net/xss/charset.php?x=%1b$B%1b(B%3Ca%20href=javas%1B(Jcript:alert(1)%3Etest%3C/a%3E&charset=

SVG XSS Payload

https://x.com/garethheyes/status/1876953751245783534

curl-cffi

https://pypi.org/project/curl-cffi/

Bypassing File Upload Restrictions To Exploit CSPT

https://blog.doyensec.com/2025/01/09/cspt-file-upload.html

AI-Crash-Course

https://github.com/henrythe9th/AI-Crash-Course?tab=readme-ov-file

Timestamps

(00:00:00) Introduction

(00:02:15) Rez0's journey to Full-time hunter, Tool developer, and new Co-host

(00:21:04) DoubleClickjacking

(00:31:48) XBOW Validation Benchmarks, Charset Thoughts, and SVG XSS

(00:42:28) curl-cffi, CSPT, and AI Crash Course

Episode 105: Best Critical Thinking Moments from 2024

Thu, 09 Jan 2025 11:01:04 -0500

Episode 105: In this episode of Critical Thinking - Bug Bounty Podcast we're back with another Best-of episode recapping some of our top moments of 2024.

Ssend us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Rez0 on twitter:

https://x.com/Rhynorater

https://x.com/rez0__

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Check out our new SWAG store at https://ctbb.show/swag!

Today’s Sponsor - ThreatLocker. Check out their Elevation Control! https://www.criticalthinkingpodcast.io/tl-ec

Resources

Episode 53

ctbb.show/53

Episode 59

ctbb.show/59

Episode 65

ctbb.show/65

Episode 69

ctbb.show/69

Episode 80

ctbb.show/80

Episode 81

ctbb.show/81

Episode 86

ctbb.show/86

Episode 87

ctbb.show/87

Episode 91

ctbb.show/91

Episode 93

ctbb.show/93

Episode 99

ctbb.show/99

Timestamps

(00:00:00) Introduction

(00:03:59) Episode 53

(00:17:12) Episode 59

(00:32:45) Episode 65

(00:48:08) Episode 69

(01:02:37) Episode 80

(01:18:09) Episode 81

(01:28:59) Episode 86

(01:41:04) Episode 87

(01:54:48) Episode 91

(02:01:48) Episode 93

(02:09:37) Episode 99

Episode 104: 2024 Hacker Stats & 2025 Goals

Thu, 02 Jan 2025 11:00:28 -0500

Episode 104: In this episode of Critical Thinking - Bug Bounty Podcast Justin reflects upon the past year and walks through some of the bug bounty goals he had for 2024, and how he feels like he did. Then he sets some goals for 2025, as well as some exciting CT news for the coming year.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Rez0 on X:

https://x.com/rhynorater

https://x.com/rez0__

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Check out our new SWAG store at https://ctbb.show/swag!

Resources

CTBB Full Time Guild

ctbb.show/ft

Critical Research Lab

ctbb.show/crl

CT Episode 51 - 2024 Goals

https://www.criticalthinkingpodcast.io/episode-51-hacker-stats-2023-2024-goals/

Personal BB inventory and goals

https://ctbb.show/blog

Timestamps

(00:00:00) introduction

(00:00:57) Critical Thinking 2025 Announcements

(00:04:21) Personal Inventory of 2024

(00:24:05) Goals for 2025

Episode 103: Getting ANSI about Unicode Normalization

Thu, 26 Dec 2024 11:00:37 -0500

Episode 103: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph delve into the vulnerabilities associated with ANSI codes and large language models (LLMs), as well as talk through some new research and the value of micro-blogging in general.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord!

We offer Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Check out our new SWAG store!

Join our Shift waitlist!

Today’s Sponsor - ThreatLocker. Check out their Elevation Control! https://www.criticalthinkingpodcast.io/tl-ec

Resources

_json Juggling Attack

Cross-Site POST Requests Without a Content-Type Header

Worst Fit

Orange Tsai on Worst Fit

Handling Cookies is a Minefield

Terminal DiLLMa

XS-Leaking flags with CSS: A CTFd 0day

Hacking Back the AI-Hacker

Johann Computer use demo

How I Became The Most Valuable Hacker

Timestamps

(00:00:00) Introduction

(00:01:39) _json Juggling Attack and Cross-Site POST Requests Without a Content-Type Header

(00:10:55) Worst Fit and Unicode Mapping

(00:20:08) Handling Cookies is a Minefield

(00:28:11) Terminal DiLLMa & CTFd 0day

(00:41:18) Hacking Back the AI-Hacker

(00:47:30) Becoming Most Valuable Hacker

Episode 102: Building Web Hacking Micro Agents with Jason Haddix

Thu, 19 Dec 2024 11:01:37 -0500

Episode 102: In this episode of Critical Thinking - Bug Bounty Podcast Justin grabs Jason Haddix to help brainstorm the concept of AI micro-agents in hacking, particularly in terms of web fuzzing, WAF bypasses, report writing, and more.They discuss the importance of contextual knowledge, the cost implications, and the strengths of different LLM Models.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Check out our new SWAG store at https://ctbb.show/swag!

Today’s Guest - https://x.com/Jhaddix

Resources

Keynote: Red, Blue, and Purple AI - Jason Haddix

https://www.youtube.com/watch?v=XHeTn7uWVQM

Attention in transformers,

https://www.youtube.com/watch?v=eMlx5fFNoYc

Shift

https://shiftwaitlist.com/

The Darkest Side of Bug Bounty

https://www.youtube.com/watch?v=6SNy0u6pYOc

Timestamps

(00:00:00) Introduction

(00:01:25) Micro-agents and Weird Machine Tricks

(00:11:05) Web fuzzing with AI

(00:18:15) Brainstorming Shift and micro-agents

(00:34:40) Strengths of different AI Models, and using AI to write reports

(00:54:21) The Darkest Side of Bug Bounty

Episode 101: CTBB Hijacked: Rez0__ on AI Attack Vectors with Johann Rehberger

Thu, 12 Dec 2024 11:00:22 -0500

Episode 101: In this episode of Critical Thinking - Bug Bounty Podcast we’ve been hijacked! Rez0 takes control of this episode, and sits down with Johann Rehberger to discuss the intricacies of AI application vulnerabilities. They talk through the importance of understanding system prompts, and various obfuscation techniques used to bypass security measures, the best AI platforms, and the evolving landscape of AI security.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Sponsor - ThreatLocker. Check out their Elevation Control! https://www.criticalthinkingpodcast.io/tl-ec

Today’s Guest: https://x.com/wunderwuzzi23

Resources

Johann's blog

https://embracethered.com/blog/

zombais

https://embracethered.com/blog/posts/2024/claude-computer-use-c2-the-zombais-are-coming/

Copirate

https://embracethered.com/blog/posts/2024/m365-copilot-prompt-injection-tool-invocation-and-data-exfil-using-ascii-smuggling/

Timestamps

(00:00:00) Introduction

(00:01:59) Biggest things to look for in AI hacking

(00:11:58) Best AI companies to hack on

(00:15:59) URL Redirects and Obfuscation Techniques

(00:24:05) Copirate

(00:35:50) prompt injection guardrails and threats

Ep 100 - 8 Fav Bugs of 2024, Farewell Joel, Hello Shift - Cursor of Hacking

Thu, 05 Dec 2024 11:00:58 -0500

Episode 100: In this episode of Critical Thinking - Bug Bounty Podcast we have a mixed bag. We celebrate 100 episodes of Critical Thinking, but also bid farewell to Joel, who will be leaving the show as a co-host, but returning as guest. Then we hear from a bunch of friends about their 'best bug of the year', before capping the episode with the announcement of a new AI tool we've been working on!

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Resources

Delorean

https://github.com/jselvi/Delorean

Shift

shiftwaitlist.com

Timestamps

(00:00:00) Introduction

(00:07:32) Nagli

(00:19:09) Shubs

(00:35:00) Matt Brown

(00:39:42) Matanber

(00:57:52) Douglas Day

(01:05:18) Alex Chapman

(01:15:02) Nahamsec

(01:25:45) Rez0

(01:28:20) Shift Announcement

Episode 99: Back to the Basics - Web Fundamental to 100k a Year in Bug Bounty

Thu, 28 Nov 2024 11:00:43 -0500

Episode 99: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Roni dissect an old thread of Justin's talking about how best to start bug bounty with the goal of making $100k in the first year.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Sponsor - AssetNote: Check out their ASMR board (no not that kind!)

https://assetnote.io/asmr

Today’s Guest - https://x.com/0xLupin

Resources

Justin's Twitter Thread

https://x.com/Rhynorater/status/1699395452481769867

Timestamps

(00:00:00) Introduction

(00:03:00) Web Fundamentals Education

(00:46:01) Threat Modeling and Hacking Goals

(01:18:58) Vuln Types and finding Specialization

Episode 98: Team 82 Sharon Brizinov - The Live Hacking Polymath

Thu, 21 Nov 2024 11:01:10 -0500

Episode 98: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner sits down with Sharon,to discuss his journey from early iOS development to leading a research team at Claroty. They address the differences between HackerOne and Pwn2Own, and talk through some intricacies of IoT security, and some less common IoT attack surfaces.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Sponsor - ThreatLocker: Check out Network Control!

https://www.criticalthinkingpodcast.io/tl-nc

And AssetNote: Check out their ASMR board (no not that kind!)

https://assetnote.io/asmr

Today’s Guest: https://sharonbrizinov.com/

Resources

The Claroty Research Team

https://claroty.com/team82

Pwntools

https://github.com/Gallopsled/pwntools

Scan My SMS

http://scanmysms.com

Gotta Catch 'Em All: Phishing, Smishing, and the birth of ScanMySMS

https://www.youtube.com/watch?v=EhNsXXbDp3U

Timestamps

(00:00:00) Introduction

(00:03:31) Sharon's Origin Story

(00:21:58) Transition to Bug Bounty and Pwn2Own vs HackerOne

(00:47:05) IoT/ICS Hacking Methodology

(01:10:13) Cloud to Device Communication

(01:18:15) Bug replication and uncommon attack surfaces

(01:30:58) Documentation tracker, reCaptcha bypass, and ScanMySMS

Episode 97: Bcrypt Hash Input Truncation & Mobile Device Threat Modeling

Thu, 14 Nov 2024 11:01:21 -0500

Episode 97: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel jump into some cool news items, including a recent Okta Bcrypt vulnerability, insights into crypto bugs, and some intricacies of Android and Chrome security. They also explore the latest research from Portswigger on payload concealment techniques, and the introduction of the Lightyear tool for PHP exploits.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Sponsor - ThreatLocker: Check out Network Control!

https://www.criticalthinkingpodcast.io/tl-nc

And AssetNote: Check out their ASMR board (no not that kind!)

https://assetnote.io/asmr

Resources

Okta bcrypt

Android Web Attack Surface Writeups

Concealing payloads in URL credentials

Dumping PHP files with Lightyear

Limit maximum number of filter chains

Dom-Explorer tool launched

MultiHTMLParse

JSON Crack

Caido/Burp notes plugin

Timestamps

(00:00:00) Introduction

(00:02:43) Okta Release and bcrypt

(00:10:26) Android Web Attack Surface Writeups

(00:20:21) More Portswigger Research

(00:28:29) Lightyear and PHP filter chains

(00:35:09) Dom-Explorer

(00:45:24) The JSON Debate

(00:49:59) Notes plugin for Burp and Caido

Episode 96: Cookies & Caching with MatanBer

Thu, 07 Nov 2024 11:01:34 -0500

Episode 96: In this episode of Critical Thinking - Bug Bounty Podcast we’re back with Matanber to hit some stuff we ran out of time on last episode. We talk about advanced cookie parsing techniques and exploitation methods, Safari's unique behaviors regarding cookie handling and debugging methods, and some of the writeups from the HeroCTF v6.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Guest: https://x.com/MtnBer

Resources:

Cookie Bugs - Smuggling & Injection

https://blog.ankursundara.com/cookie-bugs/#:~:text=Cookie%20Smuggling

iOS Webkit Debug Proxy

https://github.com/google/ios-webkit-debug-proxy

HeroCTF v6 Writeups

https://mizu.re/post/heroctf-v6-writeups

Timestamps

(00:00:00) Introduction

(00:01:29) Cookie exploits

(00:21:32) Matan's Safari Adventure

(00:29:49) HeroCTF 6 writeups

Episode 95: Attacking Chrome Extensions with MatanBer - Big Impact on the Client-Side

Thu, 31 Oct 2024 10:01:55 -0400

Episode 95: In this episode of Critical Thinking - Bug Bounty Podcast In this episode, Justin is joined by MatanBer to delve into the intricacies of browser extensions. We talk about the structure and threat models, and cover things like service workers, extension pages, and isolated worlds.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Sponsor - AssetNote. Listen to their podcast https://www.criticalthinkingpodcast.io/sspod

Today’s Guest: https://x.com/MtnBer

Resources

Universal Code Execution by Chaining Messages in Browser Extensions

https://spaceraccoon.dev/universal-code-execution-browser-extensions/

DOMLogger++

https://github.com/kevin-mizu/domloggerpp

BBRE Metamask bug

https://youtu.be/HnI0w156rtw?si=QixP8SX6JuRFz6PA

Bench Press: Leaking Text Nodes with CSS

https://blog.pspaul.de/posts/bench-press-leaking-text-nodes-with-css/

Timestamps:

(00:00:00) Introduction

(00:03:08) Structure & Threat Model for Browser Extension

(00:28:28) Extension Attack scenarios

(01:01:26) Attacking Extension Pages

(01:26:35) Attacking Service Workers

(01:46:23) Getting source code and dynamic debugging

Episode 94: Zendesk Fiasco & the CTBB Naughty List

Thu, 24 Oct 2024 11:00:14 -0400

Episode 94: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel give their perspectives on the recent Zendesk fiasco and the ethical considerations surrounding it. They also highlight the launch of AuthzAI and some research from Ophion Security

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Sponsor - AssetNote. Listen to their podcast https://www.criticalthinkingpodcast.io/sspod

Resources:

New music drop from our Boi YT

https://x.com/realytcracker/status/1847599657569956099

AuthzAI

https://authzai.com/

Ron Chan

https://x.com/ngalongc

Misconfigured User Auth Leads to Customer Messages

https://www.ophionsecurity.com/post/live-chat-blog-1-misconfigured-user-auth-leads-to-customer-messages

Zendesk Write-up

https://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b9d2cf2e52

Response from Zendesk

https://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b9d2cf2e52?permalink_comment_id=5232589#gistcomment-5232589

Timestamps

(00:00:00) Introduction

(00:05:29) AuthzAI and the return of Ron Chan

(00:13:50) Ophion Security Research

(00:18:12) Zendesk Drama

Episode 93: A Chat with Dr. Bouman - Life as a Hacker and a Doctor

Thu, 17 Oct 2024 11:01:03 -0400

Episode 93: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Dr. Jonathan Bouman to discuss his unique journey as both a Hacker and a Healthcare Professional. We talk through how he balances his dual careers, some ethical considerations of hacking in the context of healthcare, and highlight some experiences he’s had with Amazon's bug bounty program.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Sponsor - ThreatLocker. Checkout their ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect

Today’s Guest - https://x.com/jonathanbouman?lang=en

Resources

Anyone can Access Deleted and Private Repository Data on GitHub

Filesender Github

Remote Code execution at ws1.aholdusa .com

APK-MITM

Hacking Dutch healthcare system

Fitness Youtube Channels

https://www.youtube.com/channel/UCpQ34afVgk8cRQBjSJ1xuJQ

https://www.youtube.com/@BullyJuice

Timestamps

(00:00:00) Introduction

(00:07:28) Medicine and Hacking

(00:19:36) Hacking on Amazon

(00:34:33) Collaboration and consistency

(00:44:13) SSTI Methodology

(01:06:10) iOS Hacking Methodology

(01:13:23) Hacking Healthcare

(01:32:19) Health tips for hacking

Episode 92 - SAML XPath Confusion, Chinese DNS Poisoning, and AI Powered 403 Bypasser

Thu, 10 Oct 2024 10:01:29 -0400

Episode 92: In this episode of Critical Thinking - Bug Bounty Podcast In this episode Justin and Joel tackle a host of new research and write-ups, including Ruby SAML, 0-Click exploits in MediaTek Wi-Fi, and Vulnerabilities caused by The Great Firewall

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Sponsor - ThreatLocker. Checkout their ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect

Resources:

Insecurity through Censorship

Ruby-SAML / GitLab Authentication Bypass

0-Click exploit discovered in MediaTek Wi-Fi chipsets

New Caido Plugin to Generate Wordlists

Bebik’s 403 Bypassor

CSPBypass

Arb Read & Arb write on LLaMa.cpp by SideQuest

XSS WAF Bypass One payload for all

Timestamps

(00:00:00) Introduction

(00:02:08) Vulnerabilities Caused by The Great Firewall

(00:07:25) Ruby SAML Bypass

(00:19:55) 0-Click exploit discovered in MediaTek Wi-Fi chipsets

(00:24:36) New Caido Wordlist Plugin

(00:31:00) CSPBypass.com

(00:35:37) Arb Read & Arb write on LLaMa.cpp by SideQuest

(00:43:10) Helpful WAF Bypass

Episode 91: Zero to LHE in 9 Months (feat gr3pme)

Thu, 03 Oct 2024 10:00:50 -0400

Episode 91: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner sits down with Critical Thinking’s own HackerNotes writer Brandyn Murtagh (gr3pme) to talk about his journey with Bug Bounty. We cover mentorship, networking and LHEs, ecosystem hacking, emotional regulation, and the need for self-care. Then we wrap up with some fun bugs.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Shop our new swag store at ctbb.show/swag

Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder

Today’s guest: https://x.com/gr3pme

Resources:

Lessons Learned for LHEs

https://x.com/Rhynorater/status/1579499221954473984

Timestamps:

(00:00:00) Introduction

(00:07:02) Mentorship in Bug Bounty

(00:16:30) LHE lessons, takeaways, and the benefit of feedback and networking

(00:41:28) Choosing Targets

(00:49:03) Vuln Classes

(00:58:54) Bug Reports

Episode 90: 5k Clickjacking, Encryption Oracles, and Cursor for PoCs

Thu, 26 Sep 2024 10:01:34 -0400

Episode 90: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin recap some of their recent hacking ups and downs and have a lively chat about Cursor. Then they cover some some research about SQL Injections, Clickjacking in Google Docs, and how to steal your Telegram account in 10 seconds.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Shop our new swag store at ctbb.show/swag

Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder

Resources:

Breaking Down Barriers: Exploiting Pre-Auth SQL Injection in WhatsUp Gold

Content-Type that can be used for XSS

Clickjacking Bug in Google Docs

Justin's Gadget Link

https://www.youtube.com/signin?next=https%3A%2F%2Faccounts.youtube.com%2Faccounts%2FSetSID%3Fcontinue%3Dhttps%3A%2F%2Fwww.google.com%252Famp%252fpoc.rhynorater.com

Stealing your Telegram account in 10 seconds flat

Timestamps

(00:00:00) Introduction

(00:08:28) Recent Hacks and Dupes

(00:14:00) Cursor

(00:25:02) Exploiting Pre-Auth SQL Injection in WhatsUp Gold

(00:34:17) Content-Type that can be used for XSS

(00:40:25) Caido updates

(00:43:14) Clickjacking in Google Docs, and Stealing Telegram account

Episode 89: The Untapped Bug Bounty Landscape of IoT w/ Matt Brown

Thu, 19 Sep 2024 10:00:28 -0400

Episode 89: In this episode of Critical Thinking - Bug Bounty Podcast We’re joined live by Matt Brown to talk about his journey with hacking in the IoT. We cover the specializations and challenges in hardware hacking, and Matt’s personal Methodology. Then we switch over to touch on BGA Reballing, Certificate Pinning and Validation, and some of his own bug stories.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder

Today’s Guess Matt Brown: https://x.com/nmatt0

Resources:

Decrypting SSL to Chinese Cloud Servers

https://www.youtube.com/watch?v=3qSxxNvuEtg

mitmrouter

https://github.com/nmatt0/mitmrouter

certmitm Automatic Exploitation of TLS Certificate Validation Vulns

https://www.youtube.com/watch?v=w_l2q_Gyqfo

and

https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Aapo%20Oksman%20-%20certmitm%20automatic%20exploitation%20of%20TLS%20certificate%20validation%20vulnerabilities.pdf

https://github.com/aapooksman/certmitm

HackerOne Detailed Platform Standards

https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards

Timestamps:

(00:00:00) Introduction

(00:13:33) Specialization and Challenges of IOT Hacking

(00:33:03) Decrypting SSL to Chinese Cloud Servers

(00:47:00) General IoT Hacking Methodology

(01:26:00) Certificate Pinning and Certificate Validation

(01:34:35) BGA Reballing

(01:43:26) Bug Stories

Episode 88: News, Tools, and Writeups

Thu, 12 Sep 2024 10:00:44 -0400

Episode 88: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel tackle a whole slate of new research including a new cheat sheet for URL validation bypass from Portswigger, the introduction of Sanic DNS as a high-speed DNS resolver, xsstools, and the Dockerization of Orange Confusion Attacks.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Shop our new swag store at ctbb.show/swag

Resources

URL Validation Bypass cheat sheet

SanicDNS

Orange Confusion Attacks

WordPress GiveWP POP to RCE

Xsstools

Bypassing browser tracking protection

Advanced iframe Magic

DOM Clobbering

https://www.ruhrsec.de/downloads/slides/Everything-You-Wanted-to-Know-About-DOM-Clobbering-But-Were-Afraid-to-Ask-Soheil-Khodayari-RuhrSec.pdf

And

https://domclob.xyz/domc_payload_generator/

Timestamps:

(00:00:00) Introduction

(00:02:00) URL validation bypass

(00:07:41) SanicDNS and Orange confusion attacks

(00:20:06) WordPress GiveWP POP to RCE

(00:31:29) Xsstools

(00:43:56) Bypassing browser tracking protection

(00:52:06) DOM Clobbering and mixing up your approach

Episode 87: 'Hacker Wife' Mariah Gardner on Bug Bounty mentality and relationships

Thu, 05 Sep 2024 10:01:33 -0400

Episode 87: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with none other than his wife Mariah to talk about Bug Bounty from the perspective of a Significant Other. They share how they’ve traversed travel and Live Hacking Events, household chores, hobbies, goals, rewards, as well as how best to encourage and support the hacker/non-hacker in your life.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Shop our new swag store at ctbb.show/swag

Today’s Guest: https://x.com/MariahG017

Resources:

Ruby Nealon's song

https://x.com/_ruby/status/835306502546149376

Don't Force Yourself to Become a Bug Bounty Hunter

https://samcurry.net/dont-force-yourself-to-become-a-bug-bounty-hunter

Timestamps

(00:00:00) Introduction

(00:03:12) Technical Questions for a Bug Bounty Wife

(00:16:11) Mariah's First LHE experience

(00:31:12) LHEs as a Couple

(00:41:57) Encouragement and Risk

(00:55:55) Hacker Family Dynamics, goals, and keeping promises

(01:17:35) How to care for your Hacker/Hacker Wife

Episode 86: The X-Correlation between Frans & RCE - Research Drop

Thu, 29 Aug 2024 10:01:54 -0400

Episode 86: In this episode of Critical Thinking - Bug Bounty Podcast Frans blows Justin’s mind with a sneak peak of his new presentation. Note: This is a little different from our normal episode, and video is recommended. So head over to ctbb.show/yt if you feel like you’re missing something.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Shop our new swag store at ctbb.show/swag

Watch this Episode on Youtube - ctbb.show/yt

Today’s Guest: Frans Rosen - https://x.com/fransrosen

View the slides of this presentation at https://speakerdeck.com/fransrosen/x-correlation-injections-or-how-to-break-server-side-contexts

Timestamps

(00:00:00) Introduction

(00:04:09) x-correlation injection

(00:21:10) Server-side JSON-Injection

(00:32:10) Fuzz Blindly and Optimizing Blind RCE

Episode 85: Practical Applications of DEFCON 32 Web Research

Thu, 22 Aug 2024 10:01:37 -0400

Episode 85: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel talk through some of the research coming out of DEFCON, mainly from the PortSwigger team. Web timing attacks, cache exploitation, and exploits related to email protocols are all featured. Plus we also talk some fun Apache hacks from Orange Tsai

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

Check out our new SWAG store at https://ctbb.show/swag!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Sponsor - ThreatLocker

Resources

Listen to the whispers

https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work

Splitting the email atom

https://portswigger.net/research/splitting-the-email-atom

Gotta cache 'em all

https://portswigger.net/research/gotta-cache-em-all

HTTP Garden

https://github.com/narfindustries/http-garden

Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!

https://blog.orange.tw/2024/08/confusion-attacks-en.html#%E2%9C%94%EF%B8%8F-2-2-2-Local-Gadget-to-XSS

Trusted API Types

https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API

Untrusted Types

https://github.com/filedescriptor/untrusted-types

Timestamps:

(00:00:00) Introduction

(00:09:45) 'Listen to the whispers'

(00:30:03) 'Splitting the email atom'

(00:58:42) 'Gotta cache 'em all'

(01:21:03) 'Confusion Attacks'

Episode 84: 0xLupin & Takeaways from Google's Las Vegas BugSwat

Thu, 15 Aug 2024 10:01:12 -0400

Episode 84: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by Roni Carta (@0xLupin) to discuss their MVH win at the recent Google LHE, and share some technical observations they had with the target and the event.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

Follow your hosts Rhynorater & Teknogeek on twitter:

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Guest: https://x.com/0xLupin

Today’s Sponsor - ThreatLocker

Timestamps:

(00:00:00) Introduction

(00:02:12) MHV Debrief

(00:09:05) Sandboxes and Comfort Zones

(00:13:24) SDKs and Legal Compliance

(00:19:29) Age of Target and Platform-Exclusive Hunters

Episode 83: Brainstorming Proxy Plugins

Thu, 08 Aug 2024 10:00:38 -0400

Episode 83: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin are brainstorming new features and improvements for Caido, such as the implementation of a 403 bypassing workflow, a text expander, Tracing Cookies, and more.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Sponsor - ThreatLocker

Resources:

Post from Gareth Heyes

https://x.com/garethheyes/status/1811084674988474417

Wiki List of XML and HTML

https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references#List_of_character_entity_references_in_HTML

HackerOne Leaderboard Changes

https://x.com/scarybeasts/status/1810813103354892666

Espanso

https://espanso.org/

Critical Thinkers Discord

ctbb.show/criticalthinkers

Oauth Scan

https://portswigger.net/bappstore/8ef2db1173e8432c8797831c2e730727

Timestamps:

(00:00:00) Introduction

(00:03:12) News

(00:13:20) Into the Brainstorm

(00:13:41) 403 Bypasser

(00:20:34) "Expaido"

(00:31:34) Trace Cookies

(00:42:01) Highlight Decoding Expansion and AI integrations

(00:49:08) OAuth Testing, API Highlighter, and Note-taking

Episode 82: Part-Time Bug Bounty

Thu, 01 Aug 2024 10:01:19 -0400

Episode 82: In this episode of Critical Thinking - Bug Bounty Podcast Joel Margolis discusses strategies and tips for part-time bug bounty hunting. He covers things like finding (and enforcing) balance, picking programs and goals, and streamlining your process to optimize productivity.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Sponsor - ThreatLocker

Resources:

Evernote RCE Post

https://0reg.dev/blog/evernote-rce

ServiceNow Bug Chain

https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data

Douglas Day's Talk on finding 'no's'

https://youtu.be/G1RHa7l1Ys4?si=TY16ULsEIfJ9CMKk

Timestamps:

(00:01:37) Introduction

(00:02:24) Evernote RCE Post

(00:06:47) AssetNote ServiceNow Bug Chain

(00:12:16) Part-Time Bug Bounty: Balance and Accountability

(00:18:04) Picking programs: Impact and Payout

(00:28:46) Streamline your process

Episode 81: Crushing Client-Side on Any Scope with MatanBer

Thu, 25 Jul 2024 10:01:24 -0400

Episode 81: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by MatanBer to go over some recent bug reports, as well as share some tips and tricks on client-side hacking and using DevTools effectively.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Sponsor - ThreatLocker

Today’s Guest: https://x.com/MtnBer

Resources:

Beyond XSS

https://aszx87410.github.io/beyond-xss/en/

Web VSCode XSS

https://gitlab.com/gitlab-org/gitlab/-/issues/461328

Timestamps

(00:00:00) Introduction

(00:05:24) Learning and Labs

(00:17:29) DevTools tips and tricks

(00:49:49) General Client-Side hacking tips

(01:09:59) Self-XSS Storytime

(01:32:16) Bug Reports

(01:46:37) Brainstorming a Client-side HUD

Episode 80: Pwn2Own VS H1 Live Hacking Event (feat SinSinology)

Thu, 18 Jul 2024 10:01:04 -0400

Episode 80: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Sina Kheirkhah to talk about the start of his hacking journey and explore the differences between the Pwn2Own and HackerOne Events

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Sponsor - ThreatLocker

Today’s Guest: https://x.com/SinSinology

Blog: https://sinsinology.medium.com/

Resources:

WhatsUp Gold Pre-Auth RCE

Advanced .NET Exploitation Training

Alex Plaskett interview

TippingPoint

Flashback Team

Timestamps:

(00:00:00) Introduction

(00:12:45) Learning, Mentorship, and Failure

(00:29:34) Pentesting and Pwn2Own

(00:40:05) Hacking methodology

(01:01:57) Debuggers and shells in IoT Devices

(01:35:40) Differences between ZDI and HackerOne

(02:02:27) Pwn2Own Steps and Stories

(02:14:06) Master of Pwn Title

(02:29:54) Bug reports

Episode 79: The State of CSS Injection - Leaking Text Nodes & HTML Attributes

Thu, 11 Jul 2024 10:01:42 -0400

Episode 79: In this episode of Critical Thinking - Bug Bounty Podcast we deepdive CSS injection, and explore topics like sequential import chaining, font ligatures, and attribute exfiltration.

Send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Resources:

SpaceRaccoon's Universal Code Execution Extensions

Escalating Client Side Path Traversal

Full-time Bug Bounty Blueprint

Sequential Import Chaining

CSS Exfiltation

Link that Justin was talking about

Font Ligatures

Lava Dome bypass

Stealing Data in Great Style

Steal Script Contents

Masato Kinugawa's tweet

Attacking with Just CSS

CSS Injection Primitives

Timestamps:

(00:00:00) Introduction

(00:02:32) Universal Code Execution

(00:11:32) Escalating Client Side Path Traversal

(00:16:56) Justin's Defcon talk & Bug Bounty Blueprint

(00:23:32) CSS Injection

(00:39:23) Font Ligatures

(00:54:30) Descent Override and display:block

Episode 78: Less Writing, More Hacking - Reporting Efficiency Techniques

Thu, 04 Jul 2024 10:00:57 -0400

Episode 78: In this episode of Critical Thinking - Bug Bounty Podcast we’re talking about writing reports. We share some tips that we’ve learned, and discuss ways that AI can (and can’t) help with that process. We also talk about the benefit of using tools like Fabric, Loom, and ShareX.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Sponsor - ThreatLocker

Resources:

XSS WAF Bypass by multi-char HTML entities

Shazzer

Next.js and cache poisoning

Nagli's Nuclei Template

hey why can't you fix this one bug

Justin's reporting templating software

Fabric

BB Report Formatter

2to3 Automated Python Converter

ShareX

Skitch

Timestamps:

(00:00:00) Introduction

(00:04:00) XSS WAF Bypass by Multi-char HTML Entities

(00:11:59) Next.js and Cache Poisoning

(00:18:03) Nagli's Nuclei Template and Sean Yeoh's Blog

(00:27:34) Report Writing and AI

(00:50:02) Reporting tips

Episode 77: Bug Bounty Mental - Practical Tips for Staying Sharp & Motivated

Thu, 27 Jun 2024 10:01:49 -0400

Episode 77: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin discuss some fresh writeups including some MongoDB injections, ORMs, and exploits in Kakao and iOS before pivoting into a conversation about staying motivated and avoiding burnout while hunting.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Resources:

MongoDB NoSQL Injection

https://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/

Mongo DB Is Web Scale

https://www.youtube.com/watch?v=b2F-DItXtZs

1-click Exploit in Kakao

https://stulle123.github.io/posts/kakaotalk-account-takeover/

Unsecure time-based secret and Sandwich Attack

https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html

Reset Tolkien

https://github.com/AethliosIK/reset-tolkien

iOS URL Scheme Hijacking Revamped

https://evanconnelly.github.io/post/ios-oauth/

PLORMBING YOUR DJANGO ORM

https://www.elttam.com/blog/plormbing-your-django-orm/#content

Timestamps:

(00:00:00) Introduction

(00:02:07) MongoDB NoSQL Injection

(00:12:42) 1-click Exploit in Kakao

(00:33:21) Time-based secrets and Reset Tolkien

(00:39:26) iOS URL Scheme Hijacking Revamped

(00:51:42) ORMs

(00:58:57) Community Bug Submission

(01:07:45) Motivation, Mental Sharpness, and Burnout avoidance

Episode 76: Match & Replace - HTTP Proxies' Most Underrated Feature

Thu, 20 Jun 2024 10:00:47 -0400

Episode 76: In this episode of Critical Thinking - Bug Bounty Podcast we’re talking about Match and Replace and the often overlooked use cases for it, like bypassing paywalls, modifying host headers, and storing payloads. We also talk about the HackerOne Ambassador World Cup and the issues with dupe submissions, and go through some write-ups.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today's Sponsor - Project Discovery: https://nux.gg/podcast

Resources

Zoom Session Takeover

https://nokline.github.io/bugbounty/2024/06/07/Zoom-ATO.html

SharePoint XXE

https://x.com/thezdi/status/1796207012520366552

Shazzer

https://shazzer.co.uk/

Timestamps:

(00:00:00) Introduction

(00:05:06) H1 Ambassador World Cup

(00:13:57) Zoom ATO bug

(00:33:28) SharePoint XXE

(00:39:36) Shazzer

(00:46:36) Match and Replace

(01:13:01) Match and Replace in Mobile

(01:21:13) Header Replacements

Episode 75: Rerun of The OG Bug Bounty King - Frans Rosen

Thu, 13 Jun 2024 10:01:32 -0400

Episode 75: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are sick, So instead of a new full episode, we're going back 30 episodes to review.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

Today's Guest: https://twitter.com/fransrosen

Detectify

Discovering s3 subdomain takeovers

https://labs.detectify.com/writeups/hostile-subdomain-takeover-using-heroku-github-desk-more/

bucket-disclose.sh

https://gist.github.com/fransr/a155e5bd7ab11c93923ec8ce788e3368

A deep dive into AWS S3 access controls

Attacking Modern Web Technologies

Live Hacking like a MVH

Account hijacking using Dirty Dancing in sign-in OAuth flows

Timestamps:

(00:00:00) Introduction

(00:11:41) Franz Rosen's Bug Bounty Journey and Detectify

(00:20:21) Pseudo-code, typing, and thinking like a dev

(00:27:11) Hunter Methodologies and automationists

(00:42:31) Time on targets, Iteration vs. Ideation

(00:58:01) S3 subdomain takeovers

(01:11:53) Blog posting and hosting motivations

(01:20:21) Detectify and entrepreneurial endeavors

(01:36:41) Attacking Modern Web Technologies

(01:52:51) postMessage and MessagePort

(02:05:00) Live Hacking and Collaboration

(02:20:41) Account Hijacking and OAuth Flows

(02:35:39) Hacking + Parenthood

Episode 74: Supply Chain Attack Primer - Popping RCE Without an HTTP Request (feat 0xLupin)

Thu, 06 Jun 2024 10:01:29 -0400

Episode 74: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Roni "Lupin" Carta for a deep dive into supply chain attacks and dependency confusion. We explore the supply chain attacks, the ethical considerations surrounding maintainers and hosting packages on public registries, and chat about the vision and uses of his new tool Depi.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today's Sponsor - Project Discovery: https://nux.gg/podcast

Today’s Guest: https://x.com/0xLupin

Resources:

Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

git-dump

https://github.com/tomnomnom/dotfiles/blob/master/scripts/git-dump

Depi

https://www.landh.tech/depi

Weak links of Supply Chain

https://arxiv.org/pdf/2112.10165

Timestamps:

(00:00:00) Introduction

(00:07:13) Overveiw of Supply Chain Flow

(00:15:14) Getting our Scope

(00:23:46) Depi

(00:29:12) Types of attacks and finding the 80/20

(00:45:06) Maintainer attacks

(01:10:40) Regestries, artifactories, and an npm bug

(01:31:51) Grafana NPX Confusion

Episode 73: Sandboxed IFrames and WAF Bypasses

Thu, 30 May 2024 10:01:21 -0400

Episode 73: In this episode of Critical Thinking - Bug Bounty Podcast we give a brief recap of Nahamcon and then touch on some topics like WAF bypass tools, sandboxed iframes, and programs redacting your reports.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today's Sponsor - Project Discovery: https://nux.gg/podcast

Resources:

?. Tweet

https://x.com/garethheyes/status/1786836956032176215

NoWafPls

https://github.com/assetnote/nowafpls

Redacted Reports

https://x.com/deadvolvo/status/1790397012468199651

Breaking CORS

https://x.com/MtnBer/status/1794657827115696181

Sandbox-iframe XSS challenge solution

https://joaxcar.com/blog/2024/05/16/sandbox-iframe-xss-challenge-solution/

iframe and window.open magic

https://blog.huli.tw/2022/04/07/en/iframe-and-window-open/#detecting-when-a-new-window-has-finished-loading

domloggerpp

https://github.com/kevin-mizu/domloggerpp

Timestamps

(00:00:00) Introduction

(00:03:29) ?. Operator in JS and NoWafPls

(00:07:22) Redacting our own reports

(00:11:13) Breaking CORS

(00:17:07) Sandbox-iframes

(00:24:11) Dom hook plugins

Episode 72: Research TLDRs & Smuggling Payloads in Well Known Data Types

Thu, 23 May 2024 10:01:26 -0400

Episode 72: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss some hot research from the past couple months. This includes ways to smuggle payloads in phone numbers and IPv6 Addresses, the NextJS SSRF, the PDF.JS PoC drop, and a GitHub Enterprise Indirect Method Information bug. Also, we have an attack vector featured from Monke!

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today's Sponsor - Project Discovery: https://nux.gg/podcast

Resources:

PDF.JS Bypass to XSS

https://github.com/advisories/GHSA-wgrm-67xf-hhpq

https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/

PDFium

NextJS SSRF by AssetNote

Better Bounty Transparency for hackers

Slonser IPV6 Research

Smuggling payloads in phone numbers

Automatic Plugin SQLi

DomPurify Bypass

Bug Bounty JP Podcast

Github Enterprise send() bug

https://x.com/creastery/status/1787327890943873055

https://x.com/Rhynorater/status/1788598984572813549

Timestamps:

(00:00:09) Introduction

(00:03:20) PDF.JS XSS and NextJS SSRF

(00:12:52) Better Bounty Transparency

(00:20:01) IPV6 Research and Phone Number Payloads

(00:28:20) Community Highlight and Automatic Plugin CVE-2024-27956

(00:33:26) DomPurify Bypass and Github Enterprise send() bug

(00:46:12) Caido cookie and header extension updates

Episode 71: More VDP Chats & AI Bias Bounty Strats with Keith Hoodlet

Thu, 16 May 2024 10:01:24 -0400

Episode 71: In this episode of Critical Thinking - Bug Bounty Podcast Keith Hoodlet joins us to weigh in on the VDP Debate. He shares some of his insights on when VDPs are appropriate in a company's security posture, and the challenges of securing large organizations. Then we switch gears and talk about AI bias bounties, where Keith explains the approach he takes to identify bias in chatbots and highlights the importance of understanding human biases and heuristics to better hack AI.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today's Sponsor - Project Discovery: https://nux.gg/podcast

Today’s guest: Keith Hoodlet

https://securing.dev/

Resources:

Daniel Miessler's article about the security poverty line

https://danielmiessler.com/p/the-cybersecurity-skills-gap-is-another-instance-of-late-stage-capitalism/

Hacking AI Bias

https://securing.dev/posts/hacking-ai-bias/

Hacking AI Bias Video

https://youtu.be/AeFZA7xGIbE?si=TLQ7B3YtzPWXS4hq

Sarah's Hoodlet's new book

https://sarahjhoodlet.com

Link to Amazon Page

https://a.co/d/c0LTM8U

Timestamps:

(00:00:00) Introduction

(00:04:09) Keith's Appsec Journey

(00:16:24) The Great VDP Debate Redux

(00:47:18) Platform/Hunter Incentives and Government Regulation

(01:06:24) AI Bias Bounties

(01:26:27) AI Techniques and Bugcrowd Contest

Episode 70: NahamCon and CSP Bypasses Everywhere

Thu, 09 May 2024 10:01:01 -0400

Episode 70: In this episode of Critical Thinking - Bug Bounty Podcast we’re once again joined by Ben Sadeghipour to talk about some Nahamcon news, as well as discuss a couple other LHE’s taking place. Then they cover CI/CD and drop some cool CSP Bypasses.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today's Sponsor - Project Discovery: https://nux.gg/podcast

Today’s Guest: https://twitter.com/NahamSec

https://www.nahamcon.com/

Resources:

Depi

https://www.landh.tech/depi

Youtube CSP:

https://www.youtube.com/oembed?callback=alert()

Maps CSP:

https://maps.googleapis.com/maps/api/js?callback=alert()-print

Google APIs CSP

https://www.googleapis.com/customsearch/v1?callback=alert(1)

Google CSP

https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//

CSP Bypass for opener.child.child.child.click()

https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/

Timestamps:

(00:00:00) Introduction

(00:02:55) BSides Takeaways and hacking on Meta

(00:12:12) NahamCon News

(00:23:45) CI/CD and the launch of Depi

(00:33:29) CSP Bypasses

Episode 69: Johan Carlsson - 3 Month Check-in on Full-time Bug Bounty.

Thu, 02 May 2024 10:01:17 -0400

Episode 69: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Johan Carlsson to hear about some updates on his bug hunting journey. We deep-dive a CSP bypass he found in GitHub, a critical he found in GitLab's pipeline, and also talk through his approach to using script gadgets and adapting to highly CSP'd environments. Then we talk about his transition to full-time bug hunting, including the goals he’s set, the successes and challenges, and his current focus on specific bug types like ReDoS and OAuth, and the serendipitous nature of bug hunting.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Nuclei 3.2 Release: https://nux.gg/podcast

Today’s Guest:

https://twitter.com/joaxcar

https://joaxcar.com/blog/

Resources

Github CSP Bypass

https://gist.github.com/joaxcar/6e5a0a34127704f4ea9449f6ce3369fc

CSP Validator

https://cspvalidator.org/

Cross Window Forgery

https://www.paulosyibelo.com/2024/02/cross-window-forgery-web-attack-vector.html

Gitlab Crit

https://gist.github.com/joaxcar/9419b2df8778f26e9b02a741a8ec12f8

Timestamps

(00:00:00) Introduction

(00:09:34) Github CSP Bypass

(00:38:48) Script Gadgets and growth through Gitlab

(00:53:53) Gitlab pipeline bug

(01:12:32) Full-time Bug Bounty

Episode 68: 0-days & HTMX-SS with Mathias

Thu, 25 Apr 2024 10:01:17 -0400

Episode 68: In this episode of Critical Thinking - Bug Bounty Podcast Mathias is back with some fresh HTMX research, including CSP bypass using HTMX triggers, converting client-side response header injection to XSS, bypassing HTMX disable, and the challenges of using HTMX in larger applications and the potential performance trade-offs. We also talk about the results of his recent CTF Challenge, and explore some more facets of CDN-CGI functionality.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Project Discovery Conference: https://nux.gg/hss24

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Guest:

https://twitter.com/avlidienbrunn

Resources:

Masato Kinugawa's research on Teams

https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=33

subdomain-only 307 open redirect

https://avlidienbrunn.se/cdn-cgi/image/onerror=redirect/http://anything.avlidienbrunn.se

Timestamps

(00:00:00) Introduction

(00:05:18) CSP Bypass using HTML

(00:14:00) Converting client-side response header injection to XSS

(00:23:10) Bypassing hx-disable

(00:32:37) XSS-ing impossible elements

(00:38:22) CTF challenge Recap and knowing there's a bug

(00:51:53) hx-on (depreciated)

(00:54:30) CDN-CGI Research discussion

Episode 67: VDPs & Accidental Program VS Hacker Debate Part 2

Thu, 18 Apr 2024 10:01:45 -0400

Episode 67: In this episode of Critical Thinking - Bug Bounty Podcast we deepdive on the topic of Vulnerability Disclosure Programs (VDPs) and whether they are beneficial or not. We also touch on the topic of leaderboard accuracy, and continue the Program VS Hacker debate regarding allocating funds for bounties.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Project Discovery Conference: https://nux.gg/hss24

Resources:

Nagli's Braindump on VDPs

https://twitter.com/galnagli/status/1780174392003031515

Timestamps:

(00:00:00) Introduction

(00:05:37) VDP programs

(00:34:10) Leaderboards

(00:43:52) Hacker vs. Program debate Part 2

(01:07:24) Walling Off Endpoints

Episode 66: CDN-CGI Research, Intent To Ship, and Louis Vuitton

Thu, 11 Apr 2024 10:00:58 -0400

Episode 66: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the recent YesWeHack Louis Vuitton LHE, the importance of failure as growth in bug bounty, and Justin shares his research on CDN CGI.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Project Discovery Conference: https://nux.gg/hss24

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Resources:

YesWeHack Luis Vuitton LHE

https://twitter.com/yeswehack/status/1776280653744554287

https://event.yeswehack.com/events/hack-me-im-famous-2

Caido Workflows

https://github.com/caido/workflows

Oauth Redirects

https://twitter.com/Akshanshjaiswl/status/1724143813088940192

Bagipro Golden URL techniques

https://hackerone.com/reports/431002

Roadmap I followed to make 15,000+$ Bounties in my first 8 months https://shreyaschavhan.notion.site/Roadmap-I-followed-to-make-15-000-Bounties-in-my-first-8-months-of-starting-out-and-my-journey-98b1b9ff621645c0b97d1e774992f300

Monke Hacks Blog

https://monkehacks.beehiiv.com/

PortSwigger post

https://x.com/PortSwiggerRes/status/1766087129908576760

post from Masato Kinugawa

https://x.com/kinugawamasato/status/916393484147290113

Timestamps:

(00:00:00) Introduction

(00:04:19) Louis Vuitton LHE

(00:13:57) Browser Market share

(00:21:13) Justin's Bug of the Week

(00:24:49) Caido Workflows

(00:27:24) Oauth Redirects

(00:32:24) Bug Bounty learning Methodology

(00:41:03) 'Intent To Ship'

(00:48:08) CDN-CGI Research

Episode 65: Motivation and Methodology with Sam Curry (Zlz)

Thu, 04 Apr 2024 10:01:04 -0400

Episode 65: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with Sam Curry to discuss the ethical considerations and effectiveness of hacking, the importance of good intent, and the enjoyment Sam derives from pushing the boundaries to find bugs. He shares stories of his experiences, including hacking Tesla, online casinos,Starbucks, his own is ISP router, and even getting detained at the airport.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Project Discovery Conference: https://nux.gg/hss24

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Guest:

https://samcurry.net/

Resources:

Don’t Force Yourself to Become a Bug Bounty Hunter

hackcompute

Starbucks Bug

recollapse

Timestamps:

(00:00:00) Introduction

(00:02:25) Hacking Journey and the limits of Ethical Hacking

(00:28:28) Selecting companies to hack

(00:33:22) Fostering passion vs. Forcing performance

(00:54:06) Collaboration and Hackcompute

(01:00:40) The Efficacy of Bug Bounty

(01:09:20) Secondary Context Bugs

(01:25:01) Mindmaps, note-taking, and Intuition.

(01:46:56) Back-end traversals and Unicode

(01:56:16) Hacking ISP

(02:06:58) Next.js and Crypto

(02:22:24) Dev vs. Prod JWT

Episode 64: .NET Remoting, CDN Attack Surface, and Recon vs Main App

Thu, 28 Mar 2024 10:01:38 -0400

Episode 64: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Justin and Joel delve into .NET remoting and how it can be exploited, a recent bypass in the Dom Purify library and some interesting functionality in the Cloudflare CDN-CGI endpoint. They also touch on the importance of collaboration and knowledge sharing, JavaScript Deobfuscation, the value of impactful POCs, hiding XSS payloads with URL path updates.

send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Check out Project Discovery’s nuclei 3.2 release blog at nux.gg/podcast

Resources:

.NET Remoting

https://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/

https://github.com/codewhitesec/HttpRemotingObjRefLeak

DOM Purify Bug

Cloudflare /cdn-cgi/

https://developers.cloudflare.com/fundamentals/reference/cdn-cgi-endpoint/

https://portswigger.net/research/when-security-features-collide

https://twitter.com/kinugawamasato/status/893404078365069312

https://twitter.com/m4ll0k/status/1770153059496108231

XSSDoctor's writeup on Javascript deobfuscation

renniepak's tweet

Naffy's tweet

Timestamps:

(00:00:00) Introduction

(00:07:15) .Net Remoting

(00:17:29) DOM Purify Bug

(00:25:56) Cloudflare /cdn-cgi/

(00:37:11) Javascript deobfuscation

(00:47:26) renniepak's tweet

(00:55:20) Naffy's tweet

Episode 63: JHaddix Returns

Thu, 21 Mar 2024 10:00:48 -0400

Episode 63: In this episode of Critical Thinking - Bug Bounty Podcast we welcome back Jason Haddix (From Episode 12) to talk about some updates to his The Bug Hunter's Methodology, as well as his own personal life and hacking journey. We talk about the start of his new company, and then venture into topics such as using threat intelligence and buying credentials from the dark web, recon techniques, and ways to integrate AI into your workflow (or target list).

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Guest:

https://twitter.com/Jhaddix

https://www.arcanum-sec.com/

Resources:

Dehashed

https://www.dehashed.com/

Flare

https://flare.io/

CSP Recon

https://github.com/edoardottt/csprecon

Timestamps:

(00:00:00) Introduction

(00:05:37) Updates to The Bug Hunter's Methodology

(00:14:46) Red Teaming

(00:21:29) Bug Bounty on the Dark Web

(00:36:19) FIS hunting

(00:47:59) New Recon Techniques

(00:58:32) AI integrations and bounties

Episode 62: Frontend Language Oddities

Thu, 14 Mar 2024 10:00:36 -0400

Episode 62: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with some additional research resources that didn’t make the Portswigger Top-Ten, but that are worth looking at.

Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Resources:

Cool HTML Shit

https://twitter.com/jcubic/status/1764311080661082201

https://twitter.com/encodeart/status/1764218128374943764

Bug bounty Hunting Journeys

https://twitter.com/ajxchapman/status/1762101366057525521

https://monkehacks.beehiiv.com/p/monkehacks-02

Yelp Cookie Bridge Report

Deobfuscating/Unminifying Obfuscated Code

ChatGPT Source Watch

Web Security Research Reddit

Nahamsec Resources

Portswigger Nominations list

Abusing perspectives: https://hackerone.com/reports/2401115

PortSwigger CSS Exfiltration

https://github.com/PortSwigger/css-exfiltration

Timestamps:

(00:00:00) Introduction

(00:02:06) Cool HTML Shit

(00:15:31) Bug Bounty Journeys

(00:28:01) Yelp Cookie Bridge Bug

(00:37:56) Additional Research Resources

(00:46:34) CSS and abusing perspectives

Episode 61: A Hacker on Wall Street - JR0ch17

Thu, 07 Mar 2024 11:00:37 -0500

Episode 61: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Jasmin Landry to share some stories about startup security, bug bounty, and the challenges of balancing both. He also shares his methodology for discovering OAuth-related bugs, highlights some differences between structured learning and self-teaching, and then walks us through a couple arbitrary ATO’s and SSTI to RCE bugs he’s found lately.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Guest: Jasmin Landry

https://twitter.com/JR0ch17

Resources:

Dirty Dancing blog post

https://labs.detectify.com/writeups/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/

OAuth 2.0 Threat Model and Security Considerations

https://datatracker.ietf.org/doc/html/rfc6819

OAuth 2.0 Security Best Current Practice

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics

Timestamps:

(00:00:00) Introduction

(00:02:20) Meta Tag + DomPurify Bug

(00:09:36) Jasmin's Origin story

(00:28:23) Full time Bug bounty challenges

(00:36:57) Career jumps in Security and current Role

(00:47:32) OAuth Bug methodology and cool bug stories

(01:02:35) Social Engineering and Bug Bounty

(01:13:41) Arbitrary ATO bug

(01:19:41) SSTI to RCE bug

Episode 60: Our Take on PortSwigger's Top 10 Web Hacking Techniques of 2023

Thu, 29 Feb 2024 11:00:42 -0500

Episode 60: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel review the Portswigger Research list of top 10 web hacking techniques of 2023.

Send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Resources:

Top 10 web hacking techniques of 2023

1: Smashing the state machine

8: From Akamai to F5 to NTLM

3: SMTP Smuggling

4: PHP filter chains

(Bonus Read)

5: HTTP Parsers Inconsistencies

6: HTTP Request Splitting

7: How I Hacked Microsoft Teams

9: Cookie Crumbles

(Bonus Read)

10: Hacking root EPP servers to take control of zones

Timestamps:

(00:00:00) Introduction

(00:04:26) 1: Smashing the state machine

(00:11:56) 8: From Akamai to F5 to NTLM... with love

(00:17:11) 3: SMTP Smuggling

(00:26:27) 4: PHP filter chains

(00:36:40) 5: HTTP Parsers Inconsistencies

(00:44:56) 6: HTTP Request Splitting

(00:53:43) 7: How I Hacked Microsoft Teams

(01:02:25) 9: Cookie Crumbles

(01:11:36) 10: EPP Server Takeover

Episode 59: Bug Bounty Gadget Hunting & Hacker's Intuition

Thu, 22 Feb 2024 11:00:30 -0500

Episode 59: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the concept of gadgets and how they can be used to escalate the impact of vulnerabilities. We talk through things like HTML injection, image injection, CRLF injection, web cache deception, leaking window location, self-stored XSS, and much more.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Resources:

Even Better

NahamSec's 5 Week Program

NahamCon News

CSS Injection Research

Timestamps:

(00:00:00) Introduction

(00:03:31) Caido's New Features

(00:15:20) Nahamcon News and 5 week Bootcamp and pentest opportunity

(00:19:54) HTML Injection, CSS Injection, and Clickjacking

(00:33:11) Image Injection

(00:37:19) Open Redirects, Client-side path traversal, and Client-side Open Redirect

(00:49:51) Leaking window.location.href

(00:57:15) Cookie refresh gadget

(01:01:40) Stored XXS

(01:09:01) CRLF Injection

(01:13:24) 'A Place To Stand' in GraphQL and ID Oracle

(01:18:23) Auth gadgets, Web Cache Deception, & LocalStorage poisoning

(01:27:46) Cookie Injection & Context Breaks

Episode 58: Youssef Sammouda - Client-Side & ATO War Stories

Thu, 15 Feb 2024 11:00:28 -0500

Episode 58: In this episode of Critical Thinking - Bug Bounty Podcast we finally sit down with Youssef Samouda and grill him on his various techniques for finding and exploiting client-side bugs and postMessage vulnerabilities. He shares some crazy stories about race conditions, exploiting hash change events, and leveraging scroll to text fragments.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Guest: https://twitter.com/samm0uda?lang=en

https://ysamm.com/

Resources:

Client-side race conditions with postMessage:

https://ysamm.com/?p=742

Transferable Objects

https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Transferable_objects

Every known way to get references to windows, in javascript:

https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2d

Youssef’s interview with BBRE

https://www.youtube.com/watch?v=MXH1HqTFNm0

Timestamps:

(00:00:00) Introduction

(00:04:27) Client-side race conditions with postMessage

(00:18:12) On Hash Change Events and Scroll To Text Fragments

(00:32:00) Finding, documenting, and reporting complex bugs

(00:37:32) PostMessage Methodology

(00:45:05) Youssef's Vuln Story

(00:53:42) Where and how to look for ATO vulns

(01:05:21) MessagePort

(01:14:37) Window frame relationships

(01:20:24) Recon and JS monitoring

(01:37:03) Client-side routing

(01:48:05) MITMProxy

Episode 57: Technical breakdown from Miami Hacking Event - H1-305

Thu, 08 Feb 2024 11:01:22 -0500

Episode 57: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are live from Miami, and recap their experience and share takeaways from the live hacking event. They highlight the importance of paying attention to client-side routing and the growing bug class of client-side path traversal. They also discuss the challenges of knowing when to cut your losses and the value of tracking time and setting goals.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Timestamps:

(00:00:00) Introduction

(00:03:50) Miami LHE Recap and Takeaways

(00:05:57) Keeping time and cutting losses.

(00:19:07) Roles and Goals

(00:23:33) OAuth

(00:28:52) HTML5 image to img Tip

Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston)

Thu, 01 Feb 2024 11:01:14 -0500

Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston)

Episode 56: In this episode of Critical Thinking - Bug Bounty Podcast, Justin sits down with Jon Colston to discuss how his background in digital marketing and data science has influenced his hunting methodology. We dive into subjects like data sources, automation, working backwards from vulnerabilities, applying conversion funnels to bug bounty, and the mayonaise signature 'Mother of All Bugs'

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

WordFence - Sign up as a researcher! https://ctbb.show/wf

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Guest:

https://hackerone.com/mayonaise?type=user

Timestamps:

(00:00:00) Introduction

(00:12:07) Evolving Hacking Methodologies & B2B Hacking

(00:23:57) Data Science + Bug Bounty

(00:34:37) 'Lead Generation for Vulns'

(00:41:39) Ingredients and Recipes

(00:49:45) Keyword Categorization

(00:54:30) Manual Processes and Recap

(01:07:08) Data Sources

(01:19:59) Digital Marketing + Bug Bounty

(01:32:22) M.O.A.B.s

(01:41:02) Burnout Protection and Dupe Analysis

Episode 55: Popping WordPress Plugins - Methodology Braindump

Thu, 25 Jan 2024 11:00:49 -0500

Episode 55: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by Wordpress Security Researcher Ram Gall to discuss both functionality and vulnerabilities within Wordpress Plugins.

Send us any feedback here:

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

------ Ways to Support CTBBPodcast ------

WordFence - Sign up as a researcher! https://ctbb.show/wf

---

Hop on the CTBB Discord

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Guest:

Ramuel Gall

UpdraftPlus Vuln

XML-RPC PingBack

Unicode and Character Sets

Reflected XSS

POP Chain

WordpressPluginDirectory

Subscriber+ RCE in Elementor

Subscriber+ SSRF

Unauthed XSS via User-Agent header

Timestamps:

(00:00:00) Introduction

(00:05:55) Add_action & Nonces

(00:26:16) Add_filter & Register_rest_routes

(00:38:39) Page-related code & Shortcodes

(00:50:24) Top Sinks for WP

(01:02:19) Echo & SQLI Sinks

(01:15:07) Nonce Leak and wp_handle_upload

(01:18:16) Page variables & Pop Chains

(01:26:55) WP Escalations & Bug Reports

Episode 54: White Box Formulas - Vulnerable Coding Patterns

Thu, 18 Jan 2024 11:01:03 -0500

Episode 54: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with news items and new projects. Joel shares about his personal scraping project to gather data on bug bounty programs and distribution Next, they announce the launch of HackerNotes, a podcast companion that will summarize the main technical points of each episode. They also discuss a recent GitLab CVE and an invisible prompt injection, before diving into a discussion (or debate) about vulnerable code patterns.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Gitlab CVE

https://github.com/Vozec/CVE-2023-7028

https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/

Fix commit: https://gitlab.com/gitlab-org/gitlab/-/commit/abe79e4ec437988cf16534a9dbba81b98a2e7f18

Invisible Prompt Injection

https://x.com/goodside/status/1745511940351287394?s=20

Regex 101

https://regex101.com

Regex to Strings

https://www.wimpyprogrammer.com/regex-to-strings/

Timestamps

(00:00:00) Introduction

(00:01:54) Joel’s H1 Data Scraping Research

(00:19:23) HackerNotes launch

(00:21:29) Gitlab CVE

(00:27:45) Invisible Prompt Injection

(00:33:52) Vulnerable Code Patterns

(00:37:51) Sanitization, but then modification of data afterward

(00:45:39) Auth check inside body of if statement

(00:48:15) sCheck for bad patterns with if, but then don't do any control flow

(00:50:21) Bad Regex

(01:00:36) Replace statements for sanitization

(01:04:32) Anything that allows you to call functions or control code flow in uncommon ways

Episode 53: 500k/yr as Full-Time Bug Hunter & Content Creator - Nahamsec

Thu, 11 Jan 2024 11:00:39 -0500

Episode 53: In this episode of Critical Thinking - Bug Bounty Podcast,we’re joined by none other than NahamSec. We start by discusses the challenges he faced on his journey in bug bounty hunting and content creation, including personal struggles and the pressure of success.We also talk about finding balance and managing mental energy, going the extra mile, and the importance of planning and setting goals for yourself before he walks us through some Blind XSS techniques.

Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Timestamps:

(00:00:00) Introduction

(00:01:37) Costs of Content Creation

(00:21:12) Hacking 'identities' and Pivoting

(00:36:49) Hacking Methodology

(00:58:59) Planning, Goals, and Nahamsec's 2023 Performance

(01:10:19) Blind XSS

(01:35:19) Going the extra mile in Bug Bounty

Episode 52: Best Technical Content from Year 1 of CTBB Podcast

Thu, 04 Jan 2024 11:00:22 -0500

Episode 52: In this episode of Critical Thinking - Bug Bounty Podcast we're going back and highlighting some of the best technical moments from the past year! Hope you enjoy this best of 2023 Supercut!

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Timestamps:

(00:00:00) Introduction

(00:02:55) Episode 26: Meta tags and base tags in HTML

(00:15:20) Episode 27: Client-side path traversal

(00:23:18) Episode 27: Cookie bombing + cookie jar overflow

(00:35:47) Episode 44: Cross environment authentication bugs

(00:43:17) Episode 47: The open-faced Iframe Sandwich

(00:50:19) Episode 47: js hoisting and classic Joel nerdsnipe

(00:58:28) Episode 29: Sean Yeoh on Subdomains vs IP in recon

(01:04:05) Episode 30: Shubs on reversing enterprise software

(01:24:58) Episode 30: Shubs on building out a recon flow

(01:29:36) Episode 30: Shubs on Hacking IIS Servers

(01:36:45) Episode 37: 0xLupin on smart JavaScript analysis tools

(01:45:42) Episode 45: Frans Rosen On App cache, Service workers cookie stuffing, and postMessage

(02:15:02) Episode 50: Mathias Karlsson on XSLT and MXSS

(02:39:26) Episode 27: Assetnote's sharefile RCE

(02:48:18) Episode 31: Perforce RCE

(02:53:48) Episode 48: Sam Erb's XSLT bug story

(02:58:47) Final thoughts and Special Thanks

Episode 51: Hacker Stats 2023 & 2024 Goals

Thu, 28 Dec 2023 11:00:44 -0500

Episode 51: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are back for the last episode of 2023. We discuss some noteworthy news items including a Hacker One Crit, Caido updates, and some Blind CSS. Then we dive into our own personal ‘Hackers Wrapped’ recap of the year, before laying out some goals for 2024.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Resources

CTF Payload Challenge

Hacker One Crit Report

Blind CSS Injection

Timestamps

(00:00:00) Introduction

(00:08:43) Keyboard Shortcut Utility Systems

(00:21:28) CTF Challenge By Frans

(00:32:40) Hacker One 25K Crit Disclosure

(00:36:31) Caido Searchbar Rework.

(00:40:51) Blind CSS Exfiltration

(00:44:10) 2023 Personal Bug Bounty Stats

(01:01:15) 2024 Personal Bug Bounty Goals

Episode 50: Mathias 'Fall in a well' Karlsson - Bug Bounty Prophet

Thu, 21 Dec 2023 11:01:06 -0500

Episode 50: In this episode of Critical Thinking - Bug Bounty Podcast, Justin catches up with hacking master Mathias Karlsson, and talks about burnout, collaboration, and the importance of specialization. Then we dive into the technical details of MXSS and XSLT, character encoding, and give some predictions of what Bug Bounty might look like in the future…

Send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Guest

Episode Resources

How to Differentiate Yourself as a Hunter

MutateMethods

hackaplaneten

Article About Unicode and Character Sets

EXPLOITING HTTP'S HIDDEN ATTACK-SURFACE

Timestamps:

(00:00:00) Introduction

(00:10:06) Automation Setup and Assetnote Origins

(00:16:49) Sharing Tips, and Content Creation

(00:22:27) Collaboration and Optimization

(00:36:44) Working at Detectify

(00:51:45) Bug Bounty Burnout

(00:56:15) Early Days of Bug Bounty and Future Predictions

(01:19:00) Nerdsnipeability

(01:29:38) MXSS and XSLT

(01:54:20) Learning through being wrong

(02:00:15) Go-to Vulns

Episode 49: Getting Live Hacking Event Invites & Bug Bounty Collab with Nagli

Thu, 14 Dec 2023 11:00:28 -0500

Episode 49: In this episode of Critical Thinking - Bug Bounty Podcast, Justin Gardner is once again joined by Nagli to discuss some of their recent hacking discoveries. They talk about finding and exploiting a backup file in an ASP.NET app, discovering vulnerabilities through Swagger files, and debating the vulnerability of a specific ‘undisclosed’ domain. Then they reflect on 2023’s Live Hacking Event circuit, and preview what’s to come in 2024’s.

This episode sponsored by Wordfence! Wordfence recently launched a game-changer of a bug bounty program with ALL WordPress plugins over 50k installs are in-scope. They are currently paying 6.25x their normal bounty amounts, and have agreed to give CT listeners a 10% bonus on top of that! If you wanna pop some crits and see those bounties roll in, head over to https://ctbb.show/wf for more info and keep an eye on the CTBB Discord for inspiration/collabs.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Guest

Episode Resources:

Shockwave

Why So Serial

New LHE Standards Dropped

Timestamps:

(00:00:00) Introduction

(00:02:37) wwwroot .zip Hack Recap

(00:13:44) Swagger File Hack Recap

(00:18:27) Undisclosed URL Hack Recap

(00:24:29) 2023 LHE Circut Recap

(00:37:14) 2024 LHE Preview and New Standards

(00:47:22) Bug Bounty Motivation

Episode 48: MVH, DEFCON Black Badge, Googler - Sam Erb

Thu, 07 Dec 2023 11:00:17 -0500

Episode 48: In this episode, joined by the spectacular Sam Erb, Google Security Engineer and DEFCON Black Badge winner. We talk about the importance of understanding how systems work to find vulnerabilities, and how his engineering background influences his hunting style and methodologies. Then we jump over to his Career Development and his work with Google, and then chat about some of the recent Google Vulnerability Programs.

This episode is sponsored by Wordfence! Wordfence recently launched a game-changer of a bug bounty program with ALL WordPress plugins over 50k installs are in-scope. They are currently paying 6.25x their normal bounty amounts, and have agreed to give CT listeners a 10% bonus on top of that! Head over to https://ctbb.show/wf for more info and keep an eye on the CTBB Discord for inspiration/collabs.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

—— Links ——

Follow your hosts Rhynorater & Teknogeek on twitter:

—— Ways to Support CTBBPodcast ——

Hop on the CTBB Discord

Discord premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today’s Guest:

https://twitter.com/erbbysam

Sam Erbs Static Secret

Security Now Podcast

BIMI:

And

https://bimigroup.org/

Google Device Vulnerability Reward Program Initiatives

Google Invalid Reports

Hacking Google

Transcripts

(00:00:00) Introduction

(00:02:50) Hacker Methodology with Sam Erb

(00:12:20) Balancing Bug Hunting and Personal Life

(00:15:53) Deep Diving on a program and using automation.

(00:27:00) Optimizing Bug Hunting and Understanding Attack Vectors

(00:39:22) Collaboration and Boundaries

(00:45:42) Career Development and Entrepreneurship

(00:55:13) Winning Black Badges at DEFCON

(00:58:02) BufferOver

(01:09:11) Working at Google

(01:19:23) Google Bug Bounty Programs

(01:31:41) BONUS Cool Bugs

Episode 47: CSP Research, Iframe Hopping, and Client-side Shenanigans

Thu, 30 Nov 2023 11:00:20 -0500

Episode 47: In this episode of Critical Thinking - Bug Bounty Podcast, the holidays are fast approaching, and Justin and Joel discuss some of the struggles of getting back into the hacking groove during and after breaks. We also celebrate the newly launched Critical Thinking Discord Community before diving into Iframe Sandwhiches, JS Hoisting, CSP Bypasses, and a host of new tools, techniques, and tangents.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

ThankUNext

jswzl

Rapid API

SSRF Utility tool by Bebiks

Tweet from Johan Carlsson

Burp Extension from Google VRP

Justin's Tweet about JS Hoisting

Bypass CSP Using WordPress

How to trick CSP in letting you run whatever you want

Timestamps:

(00:00:00) Introduction

(00:01:58) Overcoming Bug Bounty struggles and getting back into the hacking groove

(00:07:46) Taking notes and sticking to one program

(00:14:50) Critical Thinking Discord, Community highlights, and Competition vs Collaboration

(00:22:25) Secondary context bugs and Automationism

(00:28:42) ThankUNext and Client-side Paths

(00:33:45) Tool Tangents: Jswzl, Caido, Postman, and Rapid API

(00:46:49) New SSRF Utility tool by Bebiks and the continuing evolution of hacking tools

(00:51:45) Iframe Sandwiches

(00:58:54) News Items

(01:06:12) JS Hoisting

(01:15:05) CSP Bypasses

Episode 46: The SAML Ramble

Thu, 23 Nov 2023 11:00:23 -0500

Episode 46: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is deep diving the topic of SAML (Security Assertion Markup Language), and walks through what it is and why it can be intimidating, before going over some key attack vectors to look for. Then he closes out with a commentary on a sample payload, and some HackerOne reports.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

KazHACKstan

https://kazhackstan.com/en

Testing SAML security with DAST

https://agrrrdog.blogspot.com/2023/01/testing-saml-security-with-dast.html

How to break SAML if I have paws?

https://speakerdeck.com/greendog/how-to-break-saml-if-i-have-paws?slide=20

How to Hunt Bugs in SAML; a Methodology

https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/

SAML Raider

https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e

External Entity Injection during XML signature verification

https://bugs.chromium.org/p/project-zero/issues/detail?id=2313

mTLS: When certificate authentication is done wrong

https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done-wrong/

HackerOne Uber Report

https://hackerone.com/reports/136169

Timestamps:

(00:00:00) Introduction

(00:05:25) Understanding SAML and its complexities

(00:08:30) SAML Attack Vectors

(00:14:15) XML Signature Wrapping

(00:19:50) Some SAML tests to try

(00:30:30) Sample Payload description

(00:34:10) Token Recipient confusion

(00:36:05) HackerOne Reports

Episode 45: The OG Bug Bounty King - Frans Rosen

Thu, 16 Nov 2023 11:00:31 -0500

Episode 45: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome Frans Rosén, an OG bug bounty hunter and co-founder of Detectify. We kick off with Frans sharing his journey bug bounty and security startups, before diving headfirst into a host of his blog posts. We also cover the value of pseudo-code for bug exploitation, understanding developer terminology, the challenges of collaboration and delegating tasks, and balancing hacking with parenting. If you're interested in bug bounty or entrepreneurship, you won't want to miss it!

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Join our Discord!

Today's Guest:

https://twitter.com/fransrosen

Detectify

Discovering s3 subdomain takeovers

Bucket Disclose

A deep dive into AWS S3 access controls

Attacking Modern Web Technologies

Live Hacking like a MVH

Account hijacking using Dirty Dancing in sign-in OAuth flows

Timestamps:

(00:00:00) Introduction

(00:04:50) Franz Rosen's Bug Bounty Journey and the creation of Detectify

(00:13:30) Benefits of pseudo-code, typing, and thinking like a developer

(00:20:20) Hunter Methodologies

(00:35:40) Time on targets, Iteration vs. Ideation, and tips for standing out

(00:51:10) S3 subdomain takeovers

(01:05:02) Blog posting and hosting motivations

(01:13:30) Detectify and entrepreneurial endeavors

(01:29:50) Attacking Modern Web Technologies

(01:46:00) postMessage and MessagePort

(01:58:09) Live Hacking and Collaboration

(02:13:50) Account Hijacking and OAuth Flows

(02:28:48) Hacking/Parenting

Episode 44: URL Parsing & Auth Bypass Magic

Thu, 09 Nov 2023 11:00:28 -0500

Episode 44: In this episode of Critical Thinking - Bug Bounty Podcast, the topic is URL structure, and Justin and Joel break down the elements that make up a URL and some common tips and tricks surrounding them which allow for all sorts of bypasses. We also round out the episode with some new tools, ato stories, and some controversial current events in the hacker scene.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

"XnlReveal" XNL h4ck3r

OAuth article by Salt Labs

H1 controversy recap

ATO through Facebook Login

https://twitter.com/Jayesh25_/status/1718543152296939861

https://twitter.com/itscachemoney/status/1721658450613346557

When URL Parsers disagree

Golden techniques to bypass host validations in Android apps

Mozilla article on HTTP Authentication

Breaking Parser Logic talk by Orange Tsai

URL Detector

SSRF Bible

Timestamps:

(00:00:00) Introduction

(00:04:10) “Xnl-Reveal”

(00:07:22) OAuth vulnerabilities

(00:13:17) Recap of controversy surrounding the handling of a vulnerability report on H1

(00:18:55) Hacker Success Manager Program

(00:22:30) Facebook login ATO

(00:27:45) When URL parsers disagree

(00:34:34) URL Structures

(01:02:22) Shared secrets across environments

(01:09:40) Social Media Logins

Episode 43: Caido - The Up-And-Coming HTTP Proxy

Thu, 02 Nov 2023 10:00:24 -0400

Episode 43: In this episode of Critical Thinking - Bug Bounty Podcast, we're joined by Emile from Caido, who shares his journey into the bug bounty and ethical hacking world. We kick off with a hilarious incident involving Joel, a child on an airplane, and an unfortunate cough. We then dive into the challenges of building an HTTP proxy tool, balancing basic features with nice-to-have features, and the importance of user feedback in shaping the development of Caido, a bug bounty tool.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Today’s Guest:

https://twitter.com/TheSytten

Caido

https://caido.io/

Caido’s Discord

https://discord.com/invite/KgGkkpKFaq

VS Code

https://code.visualstudio.com/

DNSChef

https://github.com/iphelix/dnschef

HackMD

https://hackmd.io/

Timestamps:

(00:00:00) Introduction

(00:01:34) Emile’s journey from general infrastructure development to co-founding Caido

(00:07:00) The rundown on Caido, a lightweight and flexible HTTP proxy tool

(00:11:00) Current and upcoming Caido Features

(00:17:00) Caido crew and division of duties

(00:19:40) Missing features and feature requests

(00:23:49) Decision to use Rust

(00:28:25) Workflows and walkthroughs

(00:36:27) Intercepts and the Roadmap

(00:41:15) Opinions on collaborator Functionality and HTTP Callback

(00:46:19) Reporting and Collaboration

Episode 42: Renniepak Interview & Intigriti LHE Recap

Thu, 26 Oct 2023 10:00:45 -0400

Episode 42: In this episode of Critical Thinking - Bug Bounty Podcast, we're live from a hacking event in Portugal, and joined by the extremely talented René de Sain! He helps us cover a host of topics like NFT, XSS, LHE, and tips for success. We also talk about the correlation between creativity and hacking, shared workspaces, and last but certainly not least, hacker tattoos.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Today’s Guest:

https://twitter.com/renniepak

https://www.linkedin.com/in/rene-de-sain/ https://app.intigriti.com/researcher/profile/renniepak

Hacker Hideout

https://hackerhideout.xyz

Timestamps:

(00:00:00) Introduction

(00:04:40) NFT Vulns and web3 hacking

(00:08:15) Hacker Tattoos

(00:12:30) Intigriti vs. other platforms, and LHE approaches.

(00:20:10) Loneliness, budgeting, and the pros and cons of full-time hunting

(00:28:36) Target approaches, XSS, and extension tools.

(00:37:40) Fostering hacker intuition and relationships

(00:47:15) Final thoughts on the Intigriti Event

Episode 41: Mini Masterclass: Attack Vector Ideation

Thu, 19 Oct 2023 10:00:27 -0400

Episode 41: In this episode of Critical Thinking - Bug Bounty Podcast, Justin takes a break from his busy travel schedule to walk us through a few of his Attack Vector formulation strategies. We’re keeping this one short and sweet, so it can be better used as a reference when looking for new vectors.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Nahamcon talk by Douglas Day

https://youtu.be/G1RHa7l1Ys4?t=295

Timestamps:

(00:00:00) Introduction

(00:02:53) Use the application like a human, not like a hacker

(00:05:02) Reading documentation looking for "Cannot" statements

(00:08:16) Look at the grayed out areas

(00:10:08) Look for information in the API response

(00:12:38) Differences in the UI between different accounts

(00:13:42) Pay the paywall.

Episode 40: Bug Bounty Mentoring

Thu, 12 Oct 2023 10:00:50 -0400

Episode 40: In this episode of Critical Thinking - Bug Bounty Podcast, it’s all about mentorships! Justin sits down with Kodai and So, two hackers he helped mentor, to discuss what worked and what didn’t. We talk about the importance of mentorship, what mentors might look for in a candidate, the challenges of transitioning from being mentored to self-education, and the necessity of continuous learning in this ever-evolving field that is bug bounty. This episode is a treasure trove of insights, and if you’re interested in either side of the mentorship coin, you won’t want to miss it.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Today’s Guests:

https://twitter.com/weeshter

https://twitter.com/Mokusou4

Congrats to @nchickens as our giveaway winner!

The Bug Hunter's Methodology Live Course

https://jasonhaddix.gumroad.com/l/lycucs

Timestamps:

(00:00:00) Introduction

(00:04:00) Guest backgrounds and introduction into hacking

(00:17:49) Where to start Learning and Teaching

(00:25:40) Technical Training vs Conceptual Teaching

(00:28:34) Mentorship Styles and Techniques.

(00:39:15) Moving from being mentored to self-learning

(00:46:20) Developing mental resilience and healthy habits

(00:50:32) Elements in mentorships that were hard or haven’t worked

(01:02:21) Being influenced by other hackers through mentorship or collaboration

(01:06:20) Hacking Bilingually and language barriers

(01:11:30) Hacking and learning goals for the future

Episode 39: The Art of Architectures

Thu, 05 Oct 2023 10:01:11 -0400

Episode 39: In this episode of Critical Thinking - Bug Bounty Podcast, We're catching up on news, including new override updates from Chrome, GPT-4, SAML presentations, and even a shoutout from Live Overflow! Then we get busy laying the groundwork on a discussion of web architecture. better get started on this one, cause we're going to need a part two!

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

CT shoutout from Live Overflow

https://www.youtube.com/watch?v=3zShGLEqDn8

Chrome Override updates

https://developer.chrome.com/blog/new-in-devtools-117/#overrides

GPT-4/AI Prompt Injection

https://x.com/rez0__/status/1706334160569213343?s=20 & https://x.com/evrnyalcin/status/1707298475216425400?s=20

Caido Releases Pro free for students

https://twitter.com/CaidoIO/status/1707099640846250433

Or, use code ctbbpodcast for 10% of the subscription price

Aleksei Tiurin on SAML hacking

https://twitter.com/antyurin/status/1704906212913951187

Account Takeover on Tesla

https://medium.com/@evan.connelly/post-account-takeover-account-takeover-of-internal-tesla-accounts-bc720603e67d

Joseph

https://portswigger.net/bappstore/82d6c60490b540369d6d5d01822bdf61

Cookie Monster

https://github.com/iangcarroll/cookiemonster

HTMX

https://htmx.org/

Timestamps:

(00:00:00) Introduction

(00:04:40) Shoutout from Live Overflow

(00:06:40) Chrome Overrides update

(00:08:48) GPT-4V and AI Prompt Injection

(00:14:35) Caido Promos

(00:15:40) SAML Vulns

(00:17:55) Account takeover on Tesla, and auth token from one context in a different context

(00:24:30) Testing for vulnerabilities in JWT-based authentication

(00:28:07) Web Architectures

(00:32:49) Single page apps + a rest API

(00:45:20) XSS vulnerabilities in single page apps

(00:49:00) Direct endpoint architecture

(00:55:50) Content Enumeration

(01:02:23) gRPC & Protobuf

(01:06:08) Microservices and Reverse Proxy

(01:12:10) Request Smuggling/Parameter Injections

Episode 38: Mobile Hacking Maestro: Sergey Toshin

Thu, 28 Sep 2023 10:00:31 -0400

Episode 38: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome mobile hacking maestro Sergey Toshin (aka @bagipro). We kick off with Sergey sharing his unexpected journey into mobile security, and how he rose to become the number one hacker in both Google Play Security and Samsung Bug Bounty programs. We then delve into the evolving perception of mobile bugs, a myriad of new and existing attack vectors, and discuss Sergey's creation of mobile security company Oversecured. You’re going to want to make time for this one!

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Today's Guest:

https://twitter.com/_bagipro

Oversecured

https://oversecured.com/

Oversecured Blog

https://blog.oversecured.com/

jadx

https://github.com/skylot/jadx

'Golden Android Techniques'

https://hackerone.com/reports/431002

Timestamps:

(00:00:00) Introduction

(00:01:28) Sergey Toshin’s hacking journey and achievements

(00:08:20) Mobile hacking: Devices and attack vectors

(00:12:35) Using Jadx

(00:15:40) The creation of Oversecured

(00:23:10) The Oversecured Blog and Sharing Information

(00:28:08) New Spheres and Strategies of Mobile Hacking

(00:35:13) Tips for getting into Mobile Hacking

Episode 37: Tokyo Hacking & Interview with 0xLupin

Thu, 21 Sep 2023 10:00:57 -0400

Episode 37: In this episode of Critical Thinking - Bug Bounty Podcast we're joined by none other than Lupin himself! We recap the Tokyo LHE and the lessons we learned from it before diving into his legendary journey into security research and bug bounty. We also talk collaboration of all kinds: pair hacking, joining a team, and starting a business together. We even touch on some great tools that can collaborate with each other! This was a fun one, and we don't want you to miss it!

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Today’s Guest:

https://twitter.com/0xLupin

Lupin and Holmes

https://landh.tech/

JSWZL

https://jswzl.io/

Cursor

https://cursor.so/

Clairvoyance

https://github.com/nikitastupin/clairvoyance

Tweet about Command Injections

https://twitter.com/win3zz/status/1703702550372078074

James Kettle article on security research

https://portswigger.net/research/so-you-want-to-be-a-web-security-researcher

Timestamps:

(00:00:00) Introduction

(00:01:00) Lessons learned from the latest LHE

(00:09:30) JSWZL and the Cursor Combo

(00:19:15) The Legend of Lupin

(00:34:35) Code and Collaborating

(00:38:48) Requests, Automation, and Testing

(00:50:28) Joel's Helper scripts

(00:52:50) Teamwork and Pair Hacking

(00:57:29) Tips for learning to Hack

(01:00:35) UUID and CTF

(01:08:35) Dynamics of Collaboration with French Team

Episode 36: Bug Bounty Ethics & CT Exclusive Bug Reports

Thu, 14 Sep 2023 10:00:46 -0400

Episode 36: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel take a break from LHE prep to answer questions about the ethics of bug bounty and share their recent bug finds. We talk Iframes, mobile intercept proxies, open redirects, and that time Justin got shot at…

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Timeshifter:

https://www.timeshifter.com/

Tweet about Google Open Redirect

https://twitter.com/Rhynorater/status/1697357773690818844

Tweet about XSS Exploitation

https://twitter.com/Rhynorater/status/1698059391700701424

Request Minimizer

https://portswigger.net/bappstore/cc16f37549ff416b990d4312490f5fd1

Timestamps:

(00:00:00) Introduction

(00:02:45) Hacker One LHE Preview

(00:05:40) Is Bug Bounty Inherently Ethical

(00:19:25) Ethics of Going out of scope

(00:27:56) Justin’s story of getting shot at

(00:30:22) Setting up a mobile intercept proxy

(00:33:40) How to approach a new target

(00:40:30) Google Open Redirect

(00:43:35) Recent XSS Exploitation

(00:46:28) ATO Trick

(00:50:25) Joel’s Bug Report

(00:55:40) Justin’s Bug Report

Episode 35: King of Collaboration: Douglas Day

Thu, 07 Sep 2023 10:01:36 -0400

Episode 35: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome Douglas Day, a bug bounty hunter known for his unique methodologies and collaborative spirit. We talk about his approach to finding new endpoints in applications, his ingenious technique of exploiting Intercom widgets, and collaboration preferences and tips at LHEs. We also touch on the struggle of justifying hobbies that don't generate income and the importance of finding enjoyment in the process.We hope you enjoy this episode as much as we did!

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Today’s Guest:

https://twitter.com/ArchAngelDDay

https://hackerone.com/the_arch_angel

https://bugcrowd.com/arch_angel

100 Short Bug Bounty Rules

https://twitter.com/ArchAngelDDay/status/1661924038875435008

Blog about Intercom

https://dday.us/2021/11/03/h1vendorATO.html

Blog about Mapping Hacking

http://dday.us/2021/10/09/Mapyourhacking.html

Timestamps: (00:00:00) Introduction

(00:03:01) Douglas Day’s infosec and LHE intro

(00:10:42) Evolution and philosophy of collaboration

(00:23:08) Balancing Collaboration and Money

(00:29:43) Recap of 100 Short Bug Bounty Rules

(00:37:15) Bug-hunting Methodology

(00:45:45) Using match and replace to find new endpoints in bug hunting

(00:49:07) Exploiting Intercom widgets

(00:52:35) Facing Failure and enjoying the journey

(00:57:00) Managing work-life balance

(01:05:55) Auth-Z testing and documentation

(01:12:25) Vulnerabilities in applications

(01:17:05) Mapping Hacking Sessions

Episode 34: Program vs Hacker Debate

Thu, 31 Aug 2023 10:00:28 -0400

Episode 34: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel have both beaten COVID and now square off against each other in a mega-debate representing hackers and program managers respectively. Among the topics included are Disclosures, Dupes, Zero-Day Policy, payouts, budgets, Triage and Retesting. So, if you want blood-pumping, insult-hurling opinion-invalidating debate…then maybe look somewhere else. But if a thought-provoking discussion about bug bounty is more your style, then take a seat and get ready!

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Prompt Injection Primer for Engineers

https://twitter.com/rez0__/status/1695078576104833291

Portswigger on XSS

https://twitter.com/PortSwiggerRes/status/1691812241375424983

Gunner Andrews talk

https://www.youtube.com/watch?v=aaDe1ADh5KM

Jhaddix live training Givaway

https://tbhmlive.com/

ctbb.show/giveaway

New Website

ctbb.show

Fight music composed by Dayn Leonardson

https://www.daynleo.com/

Timestamps:

(00:00:00) Introduction

(00:02:00) Joel’s DEFCON Recap

(00:04:45) Prompt Injection Primer for Engineers by Rez0

(00:07:00) Portswigger Research and XSS

(00:08:36) Gunnar Andrews' talk on serverless architecture

(00:10:10) ‘Bug Hunter Methodology’ Course Giveaway

The Debate

(00:13:34) Zero-Day Policy and Payment for Vulnerabilities

(00:25:40) Disclosure

(00:33:52) Dupes (00:51:23) CVSS

(01:02:25) Budgets and Payouts

(01:15:00) Triage and Retesting

(01:34:55) Withholding Reports

(01:41:50) Root Cause Analysis

(01:52:25) Interacting with hacker reports from a security standpoint.

(01:58:50) Internal Activity on a Report

(02:01:15) Cost of running Bug Bounty Programs and LHE’s

Episode 33: The Master of Hacker Show&Tell: Inti De Ceukelaire

Thu, 24 Aug 2023 10:01:13 -0400

Episode 33: In this episode of Critical Thinking - Bug Bounty Podcast, we welcome Inti De Ceukelaire, a seasoned bug hunter known for his creative storytelling and impactful show-and-tell bugs…and let us tell you, his stories do not disappoint! From his bug bounty journey to some pretty wild hacks, Inti captivates us as only Inti can. We discuss the potential life-saving impact of bug bounty reports, especially in areas such as transportation and medical devices. We also cover hacker mentality, the benefits of objective-based challenges, and the need for collaboration and alignment within the bug bounty community. It’s a mesmerizing episode, so sit back and be swept away by Inti’s tales.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Today’s Guest:

https://twitter.com/securinti

Inti's Shopify Show-and-Tell

https://hackerone.com/reports/1086108

Hakluke's article on Bug Bounty Standards

https://github.com/hakluke/bug-bounty-standards

Researching MissingNo Glitch in Pokemon

https://youtu.be/p8OBktd42GI

Intigriti

https://www.intigriti.com/

Timestamps:

(00:00:00) Introduction

(00:03:01) Show-and-Tells and Storytelling in Live Hacking Events

(00:08:30) Impact Assessment and the potential real-life significance of reporting vulnerabilities.

(00:13:50) Ethical dilemmas, gaming the systems, and safe harbor.

(00:23:30) Inti’s Hacking Journey

(00:27:26) Hacker mentality, brainstorming, and goal-setting.

(00:46:28) The benefit of mental resets, fresh perspectives, and ‘surprise collaboration’

(00:52:55) Inti’s Story 1: CSS Injection bugs

(01:06:20) Inti’s Story 2: The Ticket Trick

(01:14:00) Inti’s Story 3: The Gotcha PasswordBug

(01:18:30) Upcoming Intigriti Live Hacking Event

Episode 32: The Great Write-up Low-down

Thu, 17 Aug 2023 10:00:15 -0400

Episode 32: In this episode of Critical Thinking - Bug Bounty Podcast, Joel caught a nasty bug (no, not that kind) so Justin is flying solo, and catches us up to speed on what's been happening in hacking news.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Smashing the State article

https://portswigger.net/research/smashing-the-state-machine?ps_source=portswiggerres&ps_medium=social&ps_campaign=race-conditions

Nagles Algorithm

https://en.wikipedia.org/wiki/Nagle%27s_algorithm

HTTP/2 RFC

https://httpwg.org/specs/rfc7540.html

Tweet by Alex Chapman

https://twitter.com/ajxchapman/status/1691103677920968704?s=20

Cookieless Duodrop IIS Auth Bypass

https://soroush.me/blog/2023/08/cookieless-duodrop-iis-auth-bypass-app-pool-privesc-in-asp-net-framework-cve-2023-36899/

Xss and .Net

https://blog.isec.pl/all-is-xss-that-comes-to-the-net/

Shopify Account Takeover

https://ophionsecurity.com/blog/shopify-acount-takeover

Short Name Guesser

https://github.com/projectmonke/shortnameguesser

Hacking Points.com

https://samcurry.net/Points-com/

Hacking Starbucks

https://samcurry.net/hacking-starbucks/

Bug Bounty Tag Request

https://twitter.com/ajxchapman/status/1688892093597470720

Sandwich Attack

https://www.landh.tech/blog/20230811-sandwich-attack

Timestamps:

(00:00:00) Introduction

(00:01:25) Smashing the State

(00:11:30) HTTP/2 RFC

(00:17:30) Cookieless Duodrop IIS Auth Bypass

(00:24:45) Takeovers and Tools

(00:32:30) Sam Curry writeup

(00:53:10) Community requests

(00:55:10) Sandwich Attacks

Episode 31: Alex Chapman - The Man of Many Crits

Thu, 10 Aug 2023 10:00:53 -0400

Episode 31: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to be joined by Alex Chapman, a seasoned InfoSec hacker and bug bounty hunter. We kick off with Alex sharing his hacking journey, from a guest lecturer that inspired him, to working on internal Red Teams, to his transition to working with HackerOne, and finally as a bug bounty hunter focusing on searching out those few, high impact bugs. We also discuss the power of collaboration, the challenges of balancing hacking with other responsibilities, and the necessity of flexibility and taking breaks in bug bounty work. Don't miss this episode where we explore the depths of bug bounty with Alex Chapman!

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Today’s Guest:

https://twitter.com/ajxchapman

@ajxchapman@infosec.exchange

https://ajxchapman.github.io/

https://hackerone.com/ajxchapman?type=user

Perforce RCE

https://hackerone.com/reports/1830220

https://ajxchapman.github.io/bugreports/2019/04/04/perforce-local-file-disclosure.html

(00:00:00) Introduction

(00:01:50) Alex Chapman's InfoSec journey and evolution

(00:05:55) Real-world experience vs. chasing degrees, and the pivot into Bug Bounty

(00:13:12) The benefit of programming knowledge

(00:16:50) Experience in Internal Red Team and hacker mentalities.

(00:23:35) Transitioning to HackerOne and full time Bug Bounty

(00:33:37) Bug Bounty tips, time management, and best practices

(00:41:00) The importance of note-taking and organizational tools

(00:46:27) Hunting Methodologies and focusing on Critical Exploitations

(01:02:37) Collaboration in the hacking community

(01:06:00) Binary Exploitation and Source Code Review

(01:10:59) Configuration file injections

(01:17:38) Justin vs. Alex at a LHE

Episode 30: Recon Legend Shubs - From Burgers to Bounties

Thu, 03 Aug 2023 10:00:23 -0400

Episode 30: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to be joined by renowned bug bounty hunter Shubs. We kick off with him sharing his journey from burgers to bugs, and how his friendly rivalry with a fellow hacker fueled his passion for reconnaissance, as well as his love of collaboration. We then shift gears to talk about the art of debugging, ethics and economics of bug bounty hunting, the transition to Entrepreneur, and the evolution of Assetnote from a reconnaissance tool to enterprise security software suite. This one’s a banger, and we don’t want you to miss it!

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Today’s Guest:

@infosec_au

Intro Shoutouts

https://twitter.com/bebiksior

https://cvssadvisor.com/

Assetnote

https://www.assetnote.io/

https://twitter.com/assetnote

Bishop Fox

https://bishopfox.com/

Shortscan

https://github.com/bitquark/shortscan

XXE Payload

https://gist.github.com/Rhynorater/d0d19f757221a916a22476c3a5c6aba2

Timestamps

(00:00:00) Introduction

(00:05:48) History as a Hacker: Recon, rivalries, and Riot Games

(00:12:13) Collaboration and Community in Bug Bounty

(00:18:19) The Art of Debugging

(00:21:48) Assetnote News and overview

(00:30:43) CVE reversing

(00:32:58) Zero-day vulns

(00:42:48) Bug Bounty Ethics and Economics

(00:52:53) Bug Bounty and Entrepreneurship

(01:03:58) Business lessons learned

(01:07:48) Advice for Hunters looking to grow

(01:12:38) IIS Server Techniques

Episode 29: Live Episode with Sean Yeoh - Assetnote Engineer

Thu, 27 Jul 2023 10:00:23 -0400

Episode 29: In this episode of Critical Thinking - Bug Bounty Podcast sit down with Assetnote Engineer Sean Yeoh, and pick his brain about what he's learned on his development journey. We talk about the place and importance of message brokers, and which ones we like best, as well as his engineering philosophy regarding bottleneck prevention and the importance of pursuing optimization. Don't miss this episode of terrific technical tips!

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Today’s Guest:

https://twitter.com/seanyeoh

Assetnote

https://www.assetnote.io/

https://twitter.com/assetnote

XKCD automation graph

https://xkcd.com/1319/

Github repository

https://github.com/alex/what-happens-when

Article about Queues

https://archive.is/Nan4e

NATS

https://nats.io/

MongoDB

https://www.mongodb.com/

Timestamps:

(00:00:00) Introduction

(00:01:18) Story of Assetnote

(00:05:20) Message Brokers and event-driven architectures

(00:11:15) Preventing bottlenecks and pursuing optimization

(00:21:35) Using a profiler

(00:28:30) Choosing a Message Broker

(00:33:00) Kubernetes and Conntrack Limits

(00:37:13) Databases

(00:46:30) Bug bounty tips: Sub-domain vs. IP Address

(00:51:15) Engineering quandaries

(00:53:38) DNS Wildcards

Episode 28: Surfin' with CSRFs

Thu, 20 Jul 2023 11:00:23 -0400

Episode 28: In this episode of Critical Thinking - Bug Bounty Podcast, the CSRF’s up, dude! We kick off with a debate about whether or not deep link vulns in mobile apps can be considered CSRF. We also talk browser extensions and tools like Hackbar, PwnFox, and JS Weasel, and Justin tries to invent a whole new vuln term. There’s plenty of good stuff here, so what are you waiting for? Jump on in!

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

rez0's latest tip

https://twitter.com/rez0__/status/168134822190014466019

Hackbar

https://addons.mozilla.org/en-US/firefox/addon/hackbartool/

PwnFox

https://twitter.com/adrien_jeanneau/status/1681364665354289152

JS Weasel

https://www.jswzl.io/

Charlie Eriksen

https://twitter.com/CharlieEriksen

Link to talk by Rojan

https://twitter.com/uraniumhacker/status/1681381857383030785

Bypassing GitHub's OAuth flow

https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html

Great SameSite Confusion

https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/

Check out Nahamsec's Channel

https://www.youtube.com/c/nahamsec

Timestamps:

(0:01:45) The deep link debate

(00:08:00) LHE and in-person interviews

(00:09:25) SQLMAP and raw requests

(00:11:11) Hackbar, PwnFox, and browser extensions

(00:16:45) JS Weasel tool and its features

(00:25:28) Rojan's Research and Public Talks

(Start of main content)

(00:28:36) Cross-Site Request Forgery (CSRF)

(00:35:00) Bypassing GitHub's OAuth flow

(00:45:00) A Small SameSite Story

(00:48:50) CSRF Exploitation Techniques

(01:07:15) CSRF Bug Stories

(01:15:30) NahamSec and DEFCON

Episode 27: Top 7 Esoteric Web Vulnerabilities

Thu, 13 Jul 2023 11:00:42 -0400

Episode 27: In this episode of Critical Thinking - Bug Bounty Podcast, we've switched places and now Joel is home while Justin is on the move. We break down seven esoteric web vulnerabilities, and talk Cookies, Config File Injections, Client-side path traversals and more. We also briefly discuss appliance hacking, new tools, and shout out some new talent in the hacking space. Don't miss this episode full of cool vulns, and experience Justin's vocal decline in real time.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Encrypted Doesn't Mean Authenticated:

https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/

Tweet about headless chrome browser

https://twitter.com/bhavukjain1/status/1678719047209484288?t=NWnZvwHTRMyH_lVC-uXe0g&s=19

Shout out to new talent within the hacking space

https://twitter.com/haxrob

https://twitter.com/atc1441

Tweet about hacking Google Search Appliance

https://twitter.com/orange_8361/status/1677378401957724160

Bitquark releases shortscan

https://twitter.com/bitquark/status/1677647450989838338

Hacking Starbucks

https://samcurry.net/hacking-starbucks/

Justin's CookieJar Tool

https://apps.rhynorater.dev/checkCookieJarOverflow.html

HackTricks

https://book.hacktricks.xyz/pentesting-web/hacking-with-cookies/cookie-jar-overflow

XSLeak

https://xsleaks.dev

Timestamps:

(00:00:00) Introduction

(00:04:00) Assetnote on ShareFile RCE

(00:13:05) Headless Browsers

(00:17:00) Hacker Content Creators

(00:22:51) Appliance Hacking

(00:30:31) Shortscan Release

(Start of main content)

(00:35:39) Config File Injection

(00:44:00) Client-side Path Traversal

(00:51:33) Cookie Bombing

(00:58:00) Cookie Jar Overflow

(01:03:50) XSLeak

(01:10:49) UNC Path Injection

(01:15:50) Impactful Link Hijack

Episode 26: Client-side Quirks & Browser Hacks

Thu, 06 Jul 2023 11:00:40 -0400

In this episode of Critical Thinking - Bug Bounty Podcast, we're back with Joel, fresh (haha) off of back-to-back live hack events in London and Seoul. We compare the different vibes of each LHE, then we dive into the technical thick of it, and talk web browsers, XSS vectors, new tools, CVSS 4.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

______

Hunting for NGINX alias traversals in the wild

PortSwigger Tweet

Soroush's Follow-up

Tweet about magic math element

<22 weird XSS behavior

Lupin’s follow-up

Patch diffing

Changes to CVSS 4.0

Ask FIRSTdotORG what's going on

Jsluise

JS import() behavior

'JavaScript for Hackers'

CSP Evaluator:

Dom Clobbering

HTML Injection Cheat Sheet

Gareth Heyes website/game

______

Timestamps:

(00:00:00) Introduction

(00:04:10) LHE Vibes

(00:07:45) "Hunting for NGINX alias traversals in the wild"

(00:12:30) Payouts in BB programs

(00:16:05) New XSS vectors and popovers

(00:24:15) The "magical math element" in Firefox

(00:27:15) LiveOverflow on HTML parsing quirks

(00:32:10) Mr. Tux Racer, Woocommerce, and WordPress

(00:40:00) Changes in the CVSS 4 draft spec

(00:45:00) TomNomNom's new tool Jsluise

(00:51:15) JavaScript's import function & "JavaScript for Hackers"

(01:09:15) Prototype pollution & DOM clobbering

(01:18:10) Base tags and CSS Games

Episode 25: 2xMVH & Multi-million dollar hacker Inhibitor181

Thu, 29 Jun 2023 11:00:34 -0400

Episode 25: In this episode of Critical Thinking - Bug Bounty Podcast we talk to Cosmin (@Inhibitor181), fresh off of winning his 2nd MVH! We chat about the time management and strategy of hacking Multi-Target LHEs, determining when to pivot, and how to find normalcy in bug bounty hunting and Live Hacking Events. We also touch on setting up Vuln Pipelines, creating mental models, and Cosmin's terrifying naming schemes. Don't miss this episode packed with both laughs and valuable insights for beginners and seasoned bug bounty hunters alike.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Today’s Guest:

https://twitter.com/inhibitor181

Justin's weird episode with all the Dr. Suess Shit

https://rss.com/podcasts/ctbbpodcast/966055/?listen-on=true

Timestamps:

(00:00:00) Introduction

(00:02:52) MVH club and Multi-Target stragety

(00:12:00) Deciding when to pivot

(00:17:00) File Organization and 'unique' naming approaches

(00:23:56) Staying up to date on features and updates

(00:25:46) Hacking Sleep Habits

(00:28:15) Finding 'Normal Life' in bug bounty and LHE

(00:33:30) Vuln Pipelines, Wordlists, and full time bug bounty tips

(00:44:15) Benefits of the Bug Bounty Community

(00:47:45) Relationships with target companies and programs

(00:53:15) Creating mental models

(01:00:30) The Importance of writing good reports

(01:04:30) How to choose what to hack

Episode 24: AI + Hacking with Daniel Miessler and Rez0

Thu, 22 Jun 2023 11:00:29 -0400

Episode 24: In this episode of Critical Thinking - Bug Bounty Podcast, we chat with Daniel Miessler and Rez0 about the emergence and potential of AI in hacking. We cover AI shortcuts and command line tools, AI in code analysis and the use of AI agents, and even brainstorm about the possible opportunities that integrating AI into hacking tools like Caido and Burp might present. Don't miss this episode packed with valuable insights and cutting-edge strategies for both beginners and seasoned bug bounty hunters alike.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Today’s Guests:

https://twitter.com/rez0__

https://twitter.com/DanielMiessler

Daniel Miessler’s Unsupervised Learning

https://danielmiessler.com/

Simon Willison's Python Function Search Tool

https://simonwillison.net/2023/Jun/18/symbex/

oobabooga - web interface for models

https://github.com/oobabooga/text-generation-webui

State of GPT

https://karpathy.ai/stateofgpt.pdf

AI Canaries

https://danielmiessler.com/p/ai-agents-canaries

GPT3.5

https://community.openai.com/t/gpt-3-5-turbo-0613-function-calling-16k-context-window-and-lower-prices/263263

GPT Engineer

https://github.com/AntonOsika/gpt-engineer

Timestamps:

(00:00:00) Introduction

(00:05:40) Using AI for hacking: Developing hacking tools and workflow shortcuts

(00:11:40) GPT Engineer and Small Developer for Security Vulnerability Mapping

(00:22:40) The potential dangers of centralized vs. decentralized finance

(00:24:10) Ethical hacking and circumventing ChatGPT restrictions

(00:26:09) AI Agents, Reverse API, and Encoding/Decoding Tools

(00:31:45) Limitations of AI in context window and processing large JavaScript files

(00:36:50) Meta-prompter: Enhancing prompts for accurate responses from GPT

(00:41:00) GPT-35 and the new 616K context model

(45:08) Creating a loader for Burp Suite files or Caido instances

(00:54:02) Hacking AI Features: Best Practices

(01:00:00) AI plugin takeover and the need for verification of third-party plugins and tools

Episode 23: Hacker Loadouts

Thu, 15 Jun 2023 10:01:06 -0400

Episode 23: In this episode of Critical Thinking - Bug Bounty Podcast, we delve into a different aspect of hardware - Our personal loadouts. We go through the equipment and gear we use to get our jobs done, and share stories about why we picked what we have. We also touch on live hacking events, the growing acceptance of white hat hacking, and some pretty cool news going on in the hacker world. Don't miss this episode packed with tips and strategies for both beginners and seasoned hackers alike!

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Blog post on hacking root EPP servers

https://hackcompute.com/hacking-epp-servers/

Behind this Website:

https://github.com/jonkeegan/behind-this-website

Tweet about vRealize Network Insight: https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/

Zoom's new vulnerability impact scoring system:

https://viss.zoom.com/specifications

Uplift Desks

https://www.upliftdesk.com/

Synergy

https://symless.com/synergy

Ahnestly chair reviews:

https://www.youtube.com/c/Ahnestly

Our producer’s new audio drama ‘Homicide at Heavensgate’

https://link.sentinelstudios.net/homicide

Timestamps:

(00:00:00) Introduction

(00:02:28) Navigating hacking events and imposter syndrome

(00:06:30) Blog post on hacking root EPP servers

(00:10:01) The growing acceptance of white-hat hacking

(00:12:25) Finding Website Owners and Contact Information

(00:16:45) VMware vRealize Network Insight CVEs and nginx reverse proxy bypass

(00:21:30) Zoom's new vulnerability impact scoring system

(00:27:24) The Importance of Analyzing Systemic Problems in Black Box Testing

(00:30:40) Documentation, Vulnerable by Design, and acceptable risk

(Start of main content)

(00:34:37) Leveling up your Hacker Setup

(00:37:13) The Importance of your body

(00:41:30) Investing in ergonomic equipment for computer work

(00:42:27) Standing Desks: Uplift Desk and DIY standing desk options

(00:46:00) Portable Tables: Flexible Workspace Solutions

(00:47:30) Monitor Setup

(00:54:40) Synergy: One keyboard and mouse across multiple devices

(00:57:20) Capture Card: Using it as a software display

(00:58:58) Keyboards and mice

(01:03:27) Using a Chromebook for lightweight hacking

(01:08:57) Chair Reviews: The Niche World of High-End Chairs

Episode 22: Chipping Away at Hardware Hacking

Thu, 08 Jun 2023 11:01:13 -0400

Episode 22: In this episode of Critical Thinking - Bug Bounty Podcast we talk about some basic/intermediate concepts related to Hardware Hacking. Specifically, we dive into extracting data from eMMC chips in order to get our hands on source code for IoT devices. Don't miss this episode packed with valuable insights, tips, and strategies for beginners and seasoned bug bounty hunters alike!

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Checkout NahamCon:

https://bit.ly/42vnpMS

RiverLoop Security Write-up: https://bit.ly/3oSKL1o

Good Chip-Off Write-up:

https://bit.ly/3IWym3q

Scratching chips to expose pins:

https://bit.ly/45Tj21i

https://bit.ly/3oJJt8Z

Chat with Corben on Degrees: https://youtu.be/N9P5PUx-PNQ?t=2311

Gareth Hayes Tweet:

https://bit.ly/3qvFNYW

Huntress - John Hammond - MoveIt Response:

https://bit.ly/42vTTXv

Critical Thinking Hardware Hacking Setup - See the gear we're talking about (Affiliate links): https://linke.to/hardwarehackingset

Timestamps:

(00:00:00) Introduction

(01:03) NahamCon's Live Hacking Event and Justin's Presentation on PCI DSS

(02:40) Depreciation of Data URLs in SVG Use Element

(04:55) Gareth Hayes and knowledge sharing in the hacking community

(07:50) Move It vulnerability and and John Hammond’s epic 4 am rants

(12:18) Identifying promising leads in bug bounty hunting, and knowing when to move on

(Start of main content)

(21:40) Hardware Recon, and using Test Pins to Access EMMC Chip

(26:16) Identifying Chip Pinouts and Continuity Testing

(29:01) Using Logic Analyzers for Hardware Hacking

(33:01) Importance of Fundamental Knowledge in Hacking, and the benefits of understanding Electrical Engineering

(35:46) Replay Protected Memory Block Protocol

(40:00) Bug Bounty Programs and Hardware Testing Support

(41:05) Chip Pulling techniques and Essential Equipment for Hardware Hacking

(59:50) Tips for Buying Hardware Hacking Tools: Research and Specific Use Cases

(01:06:35) Hardware Hacking: Just scratching the surface.

(01:08:45) Vulnerability Disclaimer: Pulling OS from a chip does not constitute a Vulnerability.

Episode 21: Chill Chat with Legendary DoD Hacker Corben Leo

Thu, 01 Jun 2023 10:01:24 -0400

In this episode of Critical Thinking - Bug Bounty Podcast, we chat with Corben Leo about his journey in bug bounty hunting and ethical hacking. We discuss the state of DNS rebinding in 2023, a Twitter thread by Douglas Day (@ArchAngelDDay) on one-hundred bug bounty rules, and our own unique approaches to bug hunting. We also discuss Corben's recon-focused bug hunting methodology and how he developed it. Don't miss this episode filled with valuable tips, insights, and Corben's Boring Mattress Company.

Get on our newsletter for some exclusive content: https://www.criticalthinkingpodcast.io/subscribe

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Today’s Guest:

https://twitter.com/hacker_

Article on the State of DNS Rebinding in 2023:

https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/

See @ArchAngelDDay's twitter thread about 100 bug bounty rules:

https://twitter.com/ArchAngelDDay/status/1661924038875435008

Talkback - Cybersecurity news aggregator:

https://talkback.sh/

PyPI announces mandatory 2FA:

https://www.bleepingcomputer.com/news/security/pypi-announces-mandatory-use-of-2fa-for-all-software-publishers/

Timestamps:

(00:00:00) Introduction

(01:05) State of DNS rebinding in 2023

(04:40) 100 Bug Bounty Rules by @ArchAngelDDay

(05:30) Give yourself a ‘no bug’ limit

(07:00) The value of reporting Low and Medium Bugs for Bug Bounty Programs

(11:15) Reporting Out of Scope Bugs

(14:30) Reporting IDORs as Access Control Bugs

(17:28) Talkback

(18:12) PyPI's mandatory 2FA implementation for software publishers

(Start of main content)

(20:07) Starting out in bug bounty/ethical hacking

(25:00) Hacking methodology and mentorship

(28:15) Identifying Load Balancers

(33:20) Triage and live events:

(38:30) College and Computer Science vs. Cybersecurity

(45:45) Importance of writing for the Hacker Community

(51:21) Storytelling and report writing.

(55:00) When to stop doing recon and start hacking

(01:00:58) Lessons Learned from BreachlessAI and the pivot to Boring Mattress Co.

Episode 20: Hacker Brain Hacks - Overcoming Bug Bounty's Mental Tolls

Thu, 25 May 2023 09:00:55 -0400

Episode 20: In this episode of Critical Thinking - Bug Bounty Podcast, we dive into the world of "hacker brain hacks'' and overcoming challenges in bug bounty hunting. We discuss custom word lists, the rising popularity of Caido as a potential Burp Suite replacement, and Cloudflared tunnels for hosting POCs. We also tackle the mental aspects of bug bounty hunting, from procrastination to imposter syndrome, and share tips for staying motivated and avoiding burnout. Don't miss this episode packed with valuable insights and advice for both beginners and seasoned bug bounty hunters!

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Caido:

https://caido.io

Tweet from D3mondev on Sequence Diagram:

https://twitter.com/d3mondev/status/1660803152755453952

Sequence diagram software:

https://sequencediagram.org

Timestamps:

(00:00:00) Introduction

(00:02:36) "Sequence Diagram": Sequence mapping for PoCs

(00:04:10) "SubReconGPT": AI and GPT in Bug Bounty Hacking

(00:08:30) "Caido": A Potential Replacement for Burp Suite

(00:11:34) HackerOne's New Features

(00:13:00) Cloudflared Tunnels for Red Team Assessments and Payload Hosting

(00:16:07) Mental challenges in Bug Bounty Hunting

(00:17:50) Procrastination Education: Letting fear of failure drive you into always learning, never doing.

(00:22:46) Analysis Paralysis: Starting with Bug Bounty Programs vs VDPs

(00:27:07) Automation Obsession: "When you're hacking, hack. When you're automating, automate."

(00:14:34) Imposter Syndrome: You may not be the best, but you're not the worst either.

(00:31:55) Motivation Deprivation: Stay curious, and set tiered goals

(00:36:07) Automation Obsession pt2: Do we need to say it again?

(00:37:25) Reconnaissance Cognizance: Spending too much time on recon and not enough time on hacking

(00:40:00) Bad Rabbit Holes, RIP Your Goals: Identifying good and bad rabbit holes

(00:46:01) Set Your Goal Poles: Setting specific goals for yourself.

(00:48:29) Impact Lacked: Fixating on something that's funky, but simply doesn’t really have impact

(00:51:00) The Burn-out turn-out: Mending, maintenance, and finding identity and self-worth outside hacking

(00:58:19) Responsibility Volatility: Balancing Responsibilities and Freedom as a Bug Bounty Hunter

(01:00:30) Payout Phase-out: Don't stop once you've found one bug.

(01:02:04) Report on URN Injection

Episode 19: Audit Code, Earn Bounties (Part 2) + Zip-Snip, Sitecore, and more!

Thu, 18 May 2023 10:00:54 -0400

Episode 19: In this episode of Critical Thinking - Bug Bounty Podcast we further discuss some tips and tricks for finding vulns once you’ve got source code and some banger tweets/tools that popped up in our feed this week.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Part 1:

https://open.spotify.com/episode/2pdTaWHSzl9CY7PgRQtvTi

Noperator’s Zip-Snip: https://twitter.com/noperator/status/1658313637189111808

https://github.com/noperator/zip-snip

https://noperator.dev/posts/zip-snip/

Insecure’s SIP Bugs: https://twitter.com/ifsecure/status/1656591469518495745

AssetNote’s Sitecore Bugs: https://blog.assetnote.io/2023/05/10/sitecore-round-two/

Fyooer’s Shadow Clone: https://github.com/fyoorer/ShadowClone

Episode 18: Audit Code, Earn Bounties

Thu, 11 May 2023 10:00:31 -0400

Episode 18: In this episode of Critical Thinking - Bug Bounty Podcast, we dive into everything source-code related: how to get source-code and what to do with it once you have. This episode is packed with great examples of successful source code review, tips on how to review code yourself, and the tools you'll need along the way.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Crossing the KASM:

https://www.youtube.com/watch?v=NwMY1umhpgg

PWNAssistant by Elttam:

https://www.elttam.com/blog/pwnassistant/#content

Andre's Git Arbitrary Configuration Injection:

https://blog.ethiack.com/en/blog/git-arbitrary-configuration-injection-cve-2023-29007

Jub0b's a Smorgasbord of a Bug Chain:

https://jub0bs.com/posts/2023-05-05-smorgasbord-of-a-bug-chain/

Ankur Sundara's Cookie Bugs - Smuggling & Injection:

https://twitter.com/ankursundara/status/1654556463703134208?t=7nTUSszPB6fS3MkATzxpaQ&s=19

James Kettle's Notes on Novel Pathways to Poisoning (cool quirks in here):

https://twitter.com/albinowax/status/1654767919690031106?t=vbVEOML5_QnWByi0m8Nv4A&s=19

Ignore Irrelevant Scripts During Debugging by Johan Carlsson:

https://twitter.com/joaxcar/status/1653787336105156616

Every known way to get references to windows:

https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2d

VS Code Todo Highlight:

https://marketplace.visualstudio.com/items?itemName=wayou.vscode-todo-highlight

VS Code:

https://code.visualstudio.com/

Episode 17: LA Live Chat with Five Legendary Hackers

Thu, 04 May 2023 10:01:07 -0400

Episode 17: In this episode of Critical Thinking - Bug Bounty Podcast we talk with five legendary hackers about some of their favorite bugs. Live. From LA.

Corben Leo “Lorben CEO” @hacker_

Sam “ZLZ” “ZOZL” “The King” Curry @samwcyo

Frans “The Legend” Rosen @fransrosen

Jonathan “Doc” Bouman @JonathanBouman

Nagli…NagliNagli @naglinagli

Shoutout to Jonathan Bouman’s Mom!

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

FOLLOW OUR LINKEDIN ACCOUNT FOR NAGLI:

https://www.linkedin.com/company/ctbbpodcast

Sam Curry’s shoutout - Ian Carrol’s Seats.Aero: https://seats.aero/

Episode 16: The Hacker's Toolkit

Thu, 20 Apr 2023 10:00:43 -0400

Episode 16: In this episode of Critical Thinking - Bug Bounty Podcast we talk about the hacker’s toolkit. Joel and Justin talk about their VPS setup, go-to hacking tools, most often used Linux commands, and the ways they duct tape all of these together for the big hacks.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on Twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Our Boi @rez0__ Dropping Some AI Hackz:

https://twitter.com/rez0__/status/1648685943539245056?s=20

LiveOverflow Prompt Injection:

https://www.youtube.com/watch?v=Sv5OLj2nVAQ

Joel’s Private Network Solution:

https://www.zerotier.com/

Stok & Tomnomnom on Vim/Bash:

https://www.youtube.com/watch?v=l8iXMgk2nnY

Latest GhostScript RCE:

https://offsec.almond.consulting/ghostscript-cve-2023-28879.html

Intigriti CSRF Basics & Jub0b's Legendary SameSite Article:

https://twitter.com/intigriti/status/1646104705561403398

https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/

Nahamcon:

http://nahamcon.com/

Pentah0wnage:

https://research.aurainfosec.io/pentest/pentah0wnage/

DNSChef:

https://github.com/iphelix/dnschef

Httpx:

https://github.com/projectdiscovery/httpx

Espanso:

https://espanso.org/

GoWitness:

https://github.com/sensepost/gowitness

Episode 15: The Israeli Million-Dollar Hacker

Thu, 13 Apr 2023 10:00:22 -0400

Episode 15: In this episode of Critical Thinking - Bug Bounty Podcast we talk with the latest Million-Dollar bug bounty hunter: @naglinagli . He talks about his climb from $1,000 in bounties to $1,000,000, recon tips and tricks, and some bug reports that made the news and landed him the "Best Bug" award at a H1 Live Hacking event.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Follow Nagli and his new startup Shockwave:

https://twitter.com/naglinagli

https://twitter.com/shockwave_sec

HackMD Collaborative Notes:

https://hackmd.io/

Ian Carroll's Airline Miles Website:

https://seats.aero

Nagli's Tweet in ChatGPT Web Cache Deception:

https://twitter.com/naglinagli/status/1639343866313601024

Timestamps:

(00:00:00) Intro

(00:04:40) Nagli’s Climb

(00:05:40) What kind of vulns do you look for?

(00:09:25) Working with other hackers

(00:10:20) Bug Bounty Hunter’s Guild

(00:12:35) Shockwave product

(00:14:12) Outsourcing tool development

(00:18:46) What got you started?

(00:21:13) Manual hacking vs recon suite + LHE focus

(00:25:00) How do you take notes

(00:29:42) Biggest things that you’ve learned over the past 2 years

(00:31:29) How do you ingest new techniques?

(00:31:50) Collaboration

(00:37:20) Justin Ranting about “Trained Eyes”

(00:40:18) Time spent coding vs hacking

(00:45:28) Travel and spending habits

(00:54:16) Grep is Nagli’s database

(00:56:20) Nagli’s ChatGPT Web Cache Deception

(00:58:44) What does your alerting look like?

(01:01:50) Nagli’s “Most Critical” SSRF

(01:04:30) Burp Active Scan

Episode 14: Mobile Hacking Dynamic Analysis w/ Frida + Random Hacker Stuff

Thu, 06 Apr 2023 10:01:32 -0400

Episode 14: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Dynamic Analysis within Mobile Hacking and a bunch of random hacker stuff. It's a good time. Enjoy the pod.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on Twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Joel’s Alternative to UberTooth One:

https://www.amazon.com/Bluetooth-UD100-G03-Exchangeable-Bluesoleil-Microsoft/dp/B0161B5ATM

D3monDev’s Burp VPS Plug-in:

https://github.com/d3mondev/burp-vps-proxy

FireProx:

https://github.com/ustayready/fireprox

Joel’s Universal SSL De-pinning Frida Script:

https://gist.github.com/teknogeek/4dc35fb3801bd7f13e5f0da5b784c725

Command-line Fuzzy Finder:

https://github.com/junegunn/fzf

Justin’s two article recommendations for using Frida:

https://tinyurl.com/5n94d6ry

https://tinyurl.com/yfy3n5f5

Copy screen of physical device:

https://tinyurl.com/ymdrscm5

Flipper:

https://flipperzero.one/

BetterCap BLE Module:

https://www.bettercap.org/modules/ble/

Timestamps:

(00:00:00) Intro

(00:00:55) Hacker Chats

(00:03:27) Podcast Content Commentary

(00:04:09) SSRF Rebinding Error Confession

(00:06:02) Flipper Zero

(00:07:58) Bettercap BLE

(00:09:36) Sena USB Bluetooth Adapter

(00:12:41) Burp VPS Proxy Plugin

(00:13:55) Fireprox

(00:15:40) Dynamic Mobile Hacking

(00:17:40) Dynamic Analysis Overview

(00:18:18) Emulator Talk

(00:24:29) Joel’s APK Analysis Flow

(00:26:30) Cert Pinning

(00:32:17) Joel’s SSL Cert Pinning Script

(00:35:29) Hands-on look at Frida

(00:50:11) Frida on Non-rooted Devices

(00:58:22) Tracing Errors to Overwritable Functions

(01:00:39) Native Libraries

(01:09:18) GenyMobile Screen Mirroring Tool

(01:11:50) Justin’s Report of the Day and Custom SSL Pinning

(01:18:15) Joel’s First Ever Bug, Jailbreak Detection Bypass

Episode 13: How to Find a Good BBP + Acropalypse + ZDI

Thu, 30 Mar 2023 10:01:13 -0400

Episode 13: In this episode of Critical Thinking - Bug Bounty Podcast we talk about how to determine if a bug bounty program is good or not from the policy page. We also cover some news including Acropalypse, ZDI's Pwn2Own Competition, Node's Request library's SSRF Bypass, and a new scanning tool by JHaddix.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

JHaddix AWSScrape Tool:

https://twitter.com/Jhaddix/status/1637140192728612865?s=20

Acropalypse Links:

https://twitter.com/ItsSimonTime/status/1636857478263750656

https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html

https://twitter.com/David3141593/status/1638222624084951040

https://twitter.com/David3141593/status/1638293029059477505

SSRF Bypass in NodeJS:

https://blog.doyensec.com/2023/03/16/ssrf-remediation-bypass.html

ZDI's Pwn2Own:

https://twitter.com/thezdi

Kuzu7shiki's Awesome Pixiv Report:

https://hackerone.com/reports/1861974

https://twitter.com/kuzu7shiki

Some of the Programs we talk about:

https://hackerone.com/instacart

https://hackerone.com/semrush

https://hackerone.com/yahoo

https://hackerone.com/paypal

Episode 12: JHaddix on Hacker->Hacker CISO, OG Hacking Techniques, and Crazy Reports

Thu, 23 Mar 2023 09:00:23 -0400

Episode 12: In this episode of Critical Thinking - Bug Bounty Podcast we talk with Jason Haddix about his eclectic hacking techniques, Hacker -> Hacker CISO life, and some crazy vulns he found. This episode is chock full of awesome tips so give it a good listen!

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Follow JHaddix on Twitter:

https://twitter.com/jhaddix

BuddoBot:

https://buddobot.com/

BC Hunt:

https://github.com/bugcrowd/HUNT/blob/master/README.md

One List For All:

https://github.com/six2dez/OneListForAll

AssetNote Wordlists:

https://wordlists.assetnote.io/

Backslash Powered Scanner:

https://portswigger.net/bappstore/9cff8c55432a45808432e26dbb2b41d8

Jason’s Handy Dandy Acronyms:

SSWLR - Sensitive Secrets Were Leaked Recently

Status
Size
Words
Lines
Response Time

COTS Software - Common Off-The-Shelf Software

Episode 11: CV$$, Web Cache Deception, and SSTI

Thu, 16 Mar 2023 09:01:03 -0400

Episode 11: In this episode of Critical Thinking - Bug Bounty Podcast we talk about CVSS (the good, the bad, and the ugly), Web Cache Deception (an underrated vuln class) and a sick SSTI Joel and Fisher found.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

MDSec Outlook Vuln:

https://twitter.com/MDSecLabs/status/1635791863478091778

Jub0bs User-Existance Oracle Tweet:

https://twitter.com/jub0bs/status/1633786349529513986

James Kettle's Tweet About BB ID Header Standardization:

https://twitter.com/albinowax/status/1635951506791755776

15K Snapchat Numeric IDOR:

https://hackerone.com/reports/1819832

Bug Bounty Reports Explained:

https://www.bugbountyexplained.com/

CVSS Calculator:

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

Web Cache Deception Write-up:

https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack.pdf

Episode 10: The Life of a Full-Time Bug Bounty Hunter + BB News + Reports from Mentees

Thu, 09 Mar 2023 10:01:17 -0500

Episode 10: In this episode of Critical Thinking - Bug Bounty Podcast we talk about what its like to be a full-time bug bounty hunter, a tonne of bug bounty news, and some great report summaries from Justin’s two mentees: Kodai and Soma.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

HackVertor https://portswigger.net/bappstore/65033cbd2c344fbabe57ac060b5dd100

Not_An_Aardvark (Teddy Katz) Blog: https://blog.teddykatz.com/

Tweets from PortSwigger Research:

https://twitter.com/PortSwiggerRes/status/1632742844535324677

https://twitter.com/PortSwiggerRes/status/1630221223874445314

https://twitter.com/PortSwiggerRes/status/1629131380473970688

HackerOne LHE Standards: https://www.hackerone.com/hackerone-community-blog/get-invited-how-live-hacking-event-invites-have-changed

Rez0 Bug Bounty Tweet: https://twitter.com/rez0__/status/1553371602770960384?t=NCr_esHcEts9PrcjxIZ5uw&s=19

Rojan’s Github Bug: https://twitter.com/uraniumhacker/status/1633199768263593984

Goodbye Daily Swig: https://portswigger.net/daily-swig/were-going-teetotal-its-goodbye-to-the-daily-swig

Gareth Heyes JavaScript for Hackers:https://leanpub.com/javascriptforhackers/

Episode 9: Headless Browser SSRF & RebindMultiA Tool Release + Web3 Bug

Thu, 02 Mar 2023 10:01:12 -0500

Episode 9: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Headless Browser SSRF and drop a tool called RebindMultiA. Joel also walks us through a web3 bug and we cover some bug bounty news from the past week. As always, we drop some bug bounty tips and give you some attack vectors to think about.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Truffle Security End-To-End Encryption Video:

https://www.youtube.com/watch?v=BBcZcoIZ1Jc

HackerOne World Cup:

https://www.hackerone.com/hackers/brand-ambassador-program

HackerOne World Cup Sign Up Form for USA:

https://docs.google.com/forms/d/e/1FAIpQLSeRQpH2y0J-opxlsz8dPkvnIu8BqC_DA3CJe_eFhTFroPwdcg/viewform

ChatGPT API:

https://openai.com/blog/introducing-chatgpt-and-whisper-apis

Megachad RobertMD GitHub Issue:

https://github.com/nccgroup/singularity/issues/2

Justin’s RebindMultiA Tool:

https://github.com/Rhynorater/rebindMultiA

Brandon Dorsey’s WhoNow Tool:

https://github.com/brannondorsey/whonow

NCC Group’s Singularity:

https://github.com/nccgroup/singularity

Chromium Disclosed Bugs:

https://chromium-disclosed-bugs.appspot.com/

NahamSec Talk on Headless Browser SSRF:

https://docs.google.com/presentation/d/1JdIjHHPsFSgLbaJcHmMkE904jmwPM4xdhEuwhy2ebvo/htmlpresen

Jonathan Bowman - LFI via :

https://medium.com/@jonathanbouman/local-file-inclusion-at-ikea-com-e695ed64d82f

WASM Port Scanning:

https://github.com/avilum/portsscan

Jack Halon - Chrome Browser Exploitation:

https://twitter.com/jack_halon/status/1583957704930131968

DNSChef:

https://github.com/iphelix/dnschef

Episode 8: PostMessage Bugs, CSS Injection, and Bug Drops

Wed, 22 Feb 2023 10:00:54 -0500

Episode 8: In this episode of Critical Thinking - Bug Bounty Podcast we drop some critical bugs which leak raw credit card info. We also discuss some CSS Injection & PostMessage related techniques. It's a short one but a good one! Don't miss it!

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

CSS Escape Blog Post:

https://mathiasbynens.be/notes/css-escapes

Rez0’s blog on ChatGPT:

https://rez0.blog/hacking/2023/02/21/hacking-with-chatgpt.html

All the ways to get a reference to a frame (shoutout to @wcbowling for the article):

https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2d

CSS Painting API:

https://developer.mozilla.org/en-US/docs/Web/API/CSS_Painting_API

Import Chaining:

https://d0nut.medium.com/better-exfiltration-via-html-injection-31c72a2dae8b

Episode 7: PortSwigger Top 10, TruffleSecurity Drama, and More!

Thu, 16 Feb 2023 10:00:26 -0500

Episode 7: In this episode of Critical Thinking - Bug Bounty Podcast we talk about PortSwigger's Top 10 Web Hacking Techniques of 2022 (link below), some drama surrounding TruffleSecurity's XSS Hunter, and, as always, some great bug bounty tips.

Sorry if the audio is a little rough around the edges this time, should be better than ever next time.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

PortSwigger's Top 10 Web Hacking Techniques of 2022:

https://portswigger.net/research/top-10-web-hacking-techniques-of-2022

Ian Carroll Cookie Monster:

https://github.com/iangcarroll/cookiemonster

Frans Rosen's postMessage Tracker Chrome Extension:

https://github.com/fransr/postMessage-tracker

Notes from Justin on postMessages:

https://rhynorater.github.io/postMessage-Braindump

Frans Rosen's research on nginx misconfiguration that are similar to #6:

https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/

"Mount" Wycheproof 😂:

https://github.com/google/wycheproof

https://en.wikipedia.org/wiki/Mount_Wycheproof

Nathan Davison - Abusing Hop-by-Hop headers:

https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers

Awesome example of client-side path traversal:

https://erasec.be/blog/client-side-path-manipulation/

Joohoi Ffuf 2.0:

https://infosec.exchange/@joohoi/109806822104162973

FeroxBuster:

https://github.com/epi052/feroxbuster

Episode 6: Mobile Hacking Attack Vectors with Teknogeek (Joel Margolis)

Thu, 09 Feb 2023 10:00:37 -0500

Episode 6: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with mobile hacking legend Joel Margolis and get the scoop on his approach to popping bugs on Android.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Joel’s HackerOne Android Hacking Introduction:

https://t.ly/f87D

Android Pixel Lock Screen Bypass

https://t.ly/Q_qq

Exploiting Deeplink URLs:

https://inesmartins.github.io/exploiting-deep-links-in-android-part1/index.html

Joel’s get_schemas tool:

https://github.com/teknogeek/get_schemas

Example AndroidManfest.xml we referenced:

https://t.ly/mcN1

https://t.ly/ErVV

Android docs for intent filters:

https://developer.android.com/guide/components/intents-filters.html

Android docs for “setAllowContentaccess”:

https://t.ly/hXOZ

Android docs for “setAllowFileAccess”:

https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccess(boolean)

Add JavaScript Interface to Webview:

https://developer.android.com/reference/android/webkit/WebView#addJavascriptInterface(java.lang.Object,%20java.lang.String)

Joel’s SSL Pinning Bypass:

https://gist.github.com/teknogeek/4dc35fb3801bd7f13e5f0da5b784c725

Google Chrome Docs for Intent URLs:

https://developer.chrome.com/docs/multidevice/android/intents/#considerations

Joel’s Bug Bounty Report:

https://hackerone.com/reports/423467

Episode 4: H1-407 Event Madness & Takeaways Part 2 w/ Special Guest Spaceraccoon

Thu, 02 Feb 2023 10:00:37 -0500

Episode 4: In this episode of Critical Thinking - Bug Bounty Podcast we have part two of our series on the H1-407 HackerOne Live Hacking Event. This time, we have a special guest SpaceRaccoon (@spaceraccoonsec) talking about techniques and takeaways from the event.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Spaceraccoon’s blog:

https://spaceraccoon.dev/

Spaceraccoon’s twitter:

https://twitter.com/spaceraccoonsec

Responder (NTLM Hash harvesting tool):

https://github.com/lgandx/Responder

The malware reversing course Spaceraccoon recommended:

https://courses.zero2auto.com/

Offensive Security Exploit Development Courses:

https://www.offensive-security.com/courses-and-certifications/

Episode 5: AI Security, Hacking WiFi, the New XSS Hunter, and more

Thu, 02 Feb 2023 10:00:37 -0500

Episode 5: In this episode of Critical Thinking - Bug Bounty Podcast we talk about the new XSS Hunter, MD5 collisions and using ChatGPT for security, and much more!

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Save All Resources Chrome Extension: https://chrome.google.com/webstore/detail/save-all-resources/abpdnfjocnmdomablahdcfnoggeeiedb?hl=en

Corben's AMA: https://twitter.com/hacker_/status/1620514351521366016

Collisions repo: https://github.com/corkami/collisions

Episode 3: H1-407 Event Madness & Takeaways Part 1

Thu, 26 Jan 2023 09:30:14 -0500

Episode 3: In this episode of Critical Thinking - Bug Bounty Podcast we talk about some of the interesting things we’ve learned from participating in HackerOne's H1-407 Live Hacking event. We cover decompiling binaries in various different languages, Windows URI Handlers, Caido, and SameSite Lax + POST.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Frans Rosen S3 Bucket Authorization Blog Post: https://labs.detectify.com/2018/08/02/bypassing-exploiting-bucket-upload-policies-signed-urls/

Getting code from executables:

Jub0b’s SameSite Article:

https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/

Mgeeky’s Powershell Script to Enumerate Windows App URI Handlers

https://gist.github.com/mgeeky/5a30a0619a7486b2fb0bd5233490fa64

Episode 2: Exploit Writing & Automation / Do you need to know how to program to hack?

Wed, 18 Jan 2023 18:02:03 -0500

Episode 2: In this episode of Critical Thinking - Bug Bounty Podcast we talk about exploit writing/automation, some new tools released in the industry (Of-CORS), the age old question of "Do you have to know how to program to hack?", a walk-through of some very impactful bug bounty reports, and some tips and tricks for exploit writing.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Of-CORS by TruffleSecurity

https://trufflesecurity.com/blog/of-cors/

https://github.com/trufflesecurity/of-cors

CyberChef

https://gchq.github.io/CyberChef/

Curl Converter

https://curlconverter.com/

Caido

https://caido.io/

Copy As Python Requests

https://portswigger.net/bappstore/b324647b6efa4b6a8f346389730df160

eMMC Card Reader:

https://www.allsocket.com/

Joel's Funny Automation XKCD:

https://xkcd.com/1319/

Flipper:

https://shop.flipperzero.one/

Episode 1: Introductions, Bug Bounty Reports, and BB Tips

Mon, 09 Jan 2023 19:50:30 -0500

Episode 1: In this episode of Critical Thinking - Bug Bounty Podcast, Joel Margolis (aka 0xteknogeek) and Justin Gardner (aka Rhynorater) cover introductions, a couple of cool bug bounty reports, and some really helpful BB Tips.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

The report Joel was talking about: https://hackerone.com/reports/1672388