
Critical Thinking - Bug Bounty Podcast (Justin Gardner (Rhynorater) & Joseph Thacker (Rez0))
Explore all episodes of Critical Thinking - Bug Bounty Podcast
Date | Title | Duration | Description
---|---|---|---
20 Mar 2025 | Episode 115: Mentee to Career Hacker - Mokusou (So Sakaguchi) | 01:40:58 | In this episode of Critical Thinking - Bug Bounty Podcast, Justin and So Sakaguchi sit down to walk through some recent bugs before having a live mentorship session. They also talk about Reflector, and finish up by doing a bonus podcast segment in Japanese! Follow us on twitter at: https://x.com/ctbbpodcast. Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io. Shoutout to https://x.com/realytcracker for the awesome intro music! Ways to support CTBBPodcast: hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5; premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s sponsor: ThreatLocker Cloud Control, https://www.threatlocker.com/platform/cloud-control. Today’s guest: https://x.com/Mokusou4. Resources: So's last appearance in episode 40. Timestamps: (00:00:00) Introduction; (00:04:11) So's Facebook Bug; (00:14:37) So and Justin's Google Bug; (00:33:39) Live Mentorship Session; (00:56:29) Reflector; (01:13:22) Bonus - Podcast in Japanese
25 Apr 2024 | Episode 68: 0-days & HTMX-SS with Mathias | 01:03:53 | In this episode of Critical Thinking - Bug Bounty Podcast, Mathias is back with some fresh HTMX research, including CSP bypass using HTMX triggers, converting client-side response header injection to XSS, bypassing HTMX disable, and the challenges of using HTMX in larger applications and the potential performance trade-offs. We also talk about the results of his recent CTF challenge, and explore some more facets of CDN-CGI functionality. Project Discovery Conference: https://nux.gg/hss24. Today’s guest: https://twitter.com/avlidienbrunn. Resources: Masato Kinugawa's research on Teams subdomain-only 307 open redirect; https://avlidienbrunn.se/cdn-cgi/image/onerror=redirect/http://anything.avlidienbrunn.se. Timestamps: (00:00:00) Introduction; (00:05:18) CSP Bypass using HTMX; (00:14:00) Converting client-side response header injection to XSS; (00:23:10) Bypassing hx-disable; (00:32:37) XSS-ing impossible elements; (00:38:22) CTF challenge recap and knowing there's a bug; (00:51:53) hx-on (deprecated); (00:54:30) CDN-CGI research discussion
30 Jan 2025 | Episode 108: How to Hack Salesforce, ServiceNow, and Other SaaS Products With Aaron Costello | 01:31:08 | In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joseph bring on Aaron Costello to discuss SaaS security and misconfigurations as a bug class. He also gives some in-depth examples from Salesforce, ServiceNow, and Power Pages. Today’s sponsor: AppOmni. Get AppOmni's Definitive Guide to SaaS Security at https://www.criticalthinkingpodcast.io/AppOmni. Resources: Aaron's blog; Data Exposure and ServiceNow: The Elephant in the ITSM Room, https://www.enumerated.ie/index/servicenow-data-exposure; Salesforce Lightning - An in-depth look at exploitation vectors for the everyday community, https://www.enumerated.ie/index/salesforce; Lightning Components: A Treatise on Apex Security from an External Perspective; Microsoft Power Pages: Data Exposure Reviewed, https://appomni.com/ao-labs/microsoft-power-pages-data-exposure-reviewed/. Timestamps: (00:00:00) Introduction; (00:03:00) Aaron Costello, Arbitrary File Upload, & App Cache Manifest Poison bug; (00:13:37) SaaS Misconfigurations as a bug class; (00:43:27) Salesforce Misconfigurations; (01:11:30) Microsoft Power Pages
12 Oct 2023 | Episode 40: Bug Bounty Mentoring | 01:31:42 | In this episode of Critical Thinking - Bug Bounty Podcast, it’s all about mentorships! Justin sits down with Kodai and So, two hackers he helped mentor, to discuss what worked and what didn’t. We talk about the importance of mentorship, what mentors might look for in a candidate, the challenges of transitioning from being mentored to self-education, and the necessity of continuous learning in this ever-evolving field that is bug bounty. This episode is a treasure trove of insights, and if you’re interested in either side of the mentorship coin, you won’t want to miss it. Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Congrats to @nchickens as our giveaway winner! The Bug Hunter's Methodology Live Course: https://jasonhaddix.gumroad.com/l/lycucs. Timestamps: (00:00:00) Introduction; (00:04:00) Guest backgrounds and introduction into hacking; (00:17:49) Where to start Learning and Teaching; (00:25:40) Technical Training vs Conceptual Teaching; (00:28:34) Mentorship Styles and Techniques; (00:39:15) Moving from being mentored to self-learning; (00:46:20) Developing mental resilience and healthy habits; (00:50:32) Elements in mentorships that were hard or haven’t worked; (01:02:21) Being influenced by other hackers through mentorship or collaboration; (01:06:20) Hacking Bilingually and language barriers; (01:11:30) Hacking and learning goals for the future
05 Oct 2023 | Episode 39: The Art of Architectures | 01:21:15 | In this episode of Critical Thinking - Bug Bounty Podcast, we're catching up on news, including new override updates from Chrome, GPT-4, SAML presentations, and even a shoutout from Live Overflow! Then we get busy laying the groundwork on a discussion of web architecture. Better get started on this one, 'cause we're going to need a part two! Links: CT shoutout from Live Overflow, https://www.youtube.com/watch?v=3zShGLEqDn8; Chrome Override updates, https://developer.chrome.com/blog/new-in-devtools-117/#overrides; GPT-4/AI Prompt Injection, https://x.com/rez0__/status/1706334160569213343?s=20 & https://x.com/evrnyalcin/status/1707298475216425400?s=20; Caido releases Pro free for students, https://twitter.com/CaidoIO/status/1707099640846250433 (or use code ctbbpodcast for 10% off the subscription price); Aleksei Tiurin on SAML hacking, https://twitter.com/antyurin/status/1704906212913951187; Account Takeover on Tesla; Joseph, https://portswigger.net/bappstore/82d6c60490b540369d6d5d01822bdf61; Cookie Monster, https://github.com/iangcarroll/cookiemonster; HTMX. Timestamps: (00:00:00) Introduction; (00:04:40) Shoutout from Live Overflow; (00:06:40) Chrome Overrides update; (00:08:48) GPT-4V and AI Prompt Injection; (00:14:35) Caido Promos; (00:15:40) SAML Vulns; (00:17:55) Account takeover on Tesla, and auth token from one context in a different context; (00:24:30) Testing for vulnerabilities in JWT-based authentication; (00:28:07) Web Architectures; (00:32:49) Single page apps + a REST API; (00:45:20) XSS vulnerabilities in single page apps; (00:49:00) Direct endpoint architecture; (00:55:50) Content Enumeration; (01:02:23) gRPC & Protobuf; (01:06:08) Microservices and Reverse Proxy; (01:12:10) Request Smuggling/Parameter Injections
06 Mar 2025 | Episode 113: Best Technical Takeaways from Portswigger Top 10 2024 | 01:29:19 | In this episode of Critical Thinking - Bug Bounty Podcast we’re breaking down the Portswigger Top 10 from 2024. There’s some bangers in here! Resources: Hijacking OAUTH flows via Cookie Tossing; ChatGPT Account Takeover - Wildcard Web Cache Deception; CVE-2024-4367 - Arbitrary JavaScript execution in PDF.js; DoubleClickjacking: A New Era of UI Redressing; WorstFit: Unveiling Hidden Transformers in Windows ANSI; SQL Injection Isn't Dead: Smuggling Queries at the Protocol Level; Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server; Middleware, middleware everywhere – and lots of misconfigurations to fix. Timestamps: (00:00:00) Introduction; (00:09:56) Hijacking OAuth flows via Cookie Tossing; (00:17:30) ChatGPT Account Takeover; (00:25:28) OAuth Non-Happy Path to ATO; (00:29:24) CVE-2024-4367; (00:37:37) DoubleClickjacking; (00:44:54) Exploring the DOMPurify library; (00:48:01) WorstFit; (00:56:29) Unveiling TE.0 HTTP Request Smuggling; (01:06:40) SQL Injection Isn't Dead: Smuggling Queries at the Protocol Level; (01:14:05) Confusion Attacks
20 Jun 2024 | Episode 76: Match & Replace - HTTP Proxies' Most Underrated Feature | 01:34:43 | In this episode of Critical Thinking - Bug Bounty Podcast we’re talking about Match and Replace and the often overlooked use cases for it, like bypassing paywalls, modifying host headers, and storing payloads. We also talk about the HackerOne Ambassador World Cup and the issues with dupe submissions, and go through some write-ups. Today's sponsor: Project Discovery, https://nux.gg/podcast. Resources: Zoom Session Takeover, https://nokline.github.io/bugbounty/2024/06/07/Zoom-ATO.html; SharePoint XXE, https://x.com/thezdi/status/1796207012520366552; Shazzer. Timestamps: (00:00:00) Introduction; (00:05:06) H1 Ambassador World Cup; (00:13:57) Zoom ATO bug; (00:33:28) SharePoint XXE; (00:39:36) Shazzer; (00:46:36) Match and Replace; (01:13:01) Match and Replace in Mobile; (01:21:13) Header Replacements
10 Aug 2023 | Episode 31: Alex Chapman - The Man of Many Crits | 01:24:45 | In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to be joined by Alex Chapman, a seasoned InfoSec hacker and bug bounty hunter. We kick off with Alex sharing his hacking journey, from a guest lecturer that inspired him, to working on internal Red Teams, to his transition to working with HackerOne, and finally as a bug bounty hunter focusing on searching out those few, high impact bugs. We also discuss the power of collaboration, the challenges of balancing hacking with other responsibilities, and the necessity of flexibility and taking breaks in bug bounty work. Don't miss this episode where we explore the depths of bug bounty with Alex Chapman! Today’s guest: https://twitter.com/ajxchapman, https://hackerone.com/ajxchapman?type=user. Resources: Perforce RCE, https://hackerone.com/reports/1830220, https://ajxchapman.github.io/bugreports/2019/04/04/perforce-local-file-disclosure.html. Timestamps: (00:00:00) Introduction; (00:01:50) Alex Chapman's InfoSec journey and evolution; (00:05:55) Real-world experience vs. chasing degrees, and the pivot into Bug Bounty; (00:13:12) The benefit of programming knowledge; (00:16:50) Experience in Internal Red Team and hacker mentalities; (00:23:35) Transitioning to HackerOne and full time Bug Bounty; (00:33:37) Bug Bounty tips, time management, and best practices; (00:41:00) The importance of note-taking and organizational tools; (00:46:27) Hunting Methodologies and focusing on Critical Exploitations; (01:02:37) Collaboration in the hacking community; (01:06:00) Binary Exploitation and Source Code Review; (01:10:59) Configuration file injections; (01:17:38) Justin vs. Alex at a LHE
28 Mar 2024 | Episode 64: .NET Remoting, CDN Attack Surface, and Recon vs Main App | 01:08:04 | In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel delve into .NET remoting and how it can be exploited, a recent bypass in the DOMPurify library, and some interesting functionality in the Cloudflare CDN-CGI endpoint. They also touch on the importance of collaboration and knowledge sharing, JavaScript deobfuscation, the value of impactful PoCs, and hiding XSS payloads with URL path updates. Check out Project Discovery’s nuclei 3.2 release blog at nux.gg/podcast. Resources: .NET Remoting, https://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/, https://github.com/codewhitesec/HttpRemotingObjRefLeak; Cloudflare /cdn-cgi/, https://developers.cloudflare.com/fundamentals/reference/cdn-cgi-endpoint/, https://portswigger.net/research/when-security-features-collide, https://twitter.com/kinugawamasato/status/893404078365069312, https://twitter.com/m4ll0k/status/1770153059496108231; XSSDoctor's writeup on Javascript deobfuscation. Timestamps: (00:00:00) Introduction; (00:07:15) .NET Remoting; (00:17:29) DOMPurify Bug; (00:25:56) Cloudflare /cdn-cgi/; (00:37:11) Javascript deobfuscation; (00:47:26) renniepak's tweet; (00:55:20) Naffy's tweet
28 Sep 2023 | Episode 38: Mobile Hacking Maestro: Sergey Toshin | 00:43:29 | In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome mobile hacking maestro Sergey Toshin (aka @bagipro). We kick off with Sergey sharing his unexpected journey into mobile security, and how he rose to become the number one hacker in both Google Play Security and Samsung Bug Bounty programs. We then delve into the evolving perception of mobile bugs, a myriad of new and existing attack vectors, and discuss Sergey's creation of mobile security company Oversecured. You’re going to want to make time for this one! Today's guest: Oversecured; Oversecured Blog. Resources: jadx, https://github.com/skylot/jadx; 'Golden Android Techniques', https://hackerone.com/reports/431002. Timestamps: (00:00:00) Introduction; (00:01:28) Sergey Toshin’s hacking journey and achievements; (00:08:20) Mobile hacking: Devices and attack vectors; (00:12:35) Using Jadx; (00:15:40) The creation of Oversecured; (00:23:10) The Oversecured Blog and Sharing Information; (00:28:08) New Spheres and Strategies of Mobile Hacking; (00:35:13) Tips for getting into Mobile Hacking
27 Jun 2024 | Episode 77: Bug Bounty Mental - Practical Tips for Staying Sharp & Motivated | 01:50:26 | In this episode of Critical Thinking - Bug Bounty Podcast, Joel and Justin discuss some fresh writeups including some MongoDB injections, ORMs, and exploits in Kakao and iOS before pivoting into a conversation about staying motivated and avoiding burnout while hunting. Resources: MongoDB NoSQL Injection, https://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/; Mongo DB Is Web Scale, https://www.youtube.com/watch?v=b2F-DItXtZs; 1-click Exploit in Kakao, https://stulle123.github.io/posts/kakaotalk-account-takeover/; Unsecure time-based secret and Sandwich Attack, https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html; Reset Tolkien, https://github.com/AethliosIK/reset-tolkien; iOS URL Scheme Hijacking Revamped, https://evanconnelly.github.io/post/ios-oauth/; PLORMBING YOUR DJANGO ORM, https://www.elttam.com/blog/plormbing-your-django-orm/#content. Timestamps: (00:00:00) Introduction; (00:02:07) MongoDB NoSQL Injection; (00:12:42) 1-click Exploit in Kakao; (00:33:21) Time-based secrets and Reset Tolkien; (00:39:26) iOS URL Scheme Hijacking Revamped; (00:51:42) ORMs; (00:58:57) Community Bug Submission; (01:07:45) Motivation, Mental Sharpness, and Burnout avoidance
26 Oct 2023 | Episode 42: Renniepak Interview & Intigriti LHE Recap | 00:59:03 | In this episode of Critical Thinking - Bug Bounty Podcast, we're live from a hacking event in Portugal, and joined by the extremely talented René de Sain! He helps us cover a host of topics like NFT, XSS, LHE, and tips for success. We also talk about the correlation between creativity and hacking, shared workspaces, and last but certainly not least, hacker tattoos. Today’s guest: https://www.linkedin.com/in/rene-de-sain/, https://app.intigriti.com/researcher/profile/renniepak; Hacker Hideout. Timestamps: (00:00:00) Introduction; (00:04:40) NFT Vulns and web3 hacking; (00:08:15) Hacker Tattoos; (00:12:30) Intigriti vs. other platforms, and LHE approaches; (00:20:10) Loneliness, budgeting, and the pros and cons of full-time hunting; (00:28:36) Target approaches, XSS, and extension tools; (00:37:40) Fostering hacker intuition and relationships; (00:47:15) Final thoughts on the Intigriti Event
25 Jan 2024 | Episode 55: Popping WordPress Plugins - Methodology Braindump | 01:44:04 | In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by Wordpress Security Researcher Ram Gall to discuss both functionality and vulnerabilities within Wordpress Plugins. WordFence - Sign up as a researcher! https://ctbb.show/wf. Resources: Unauthed XSS via User-Agent header. Timestamps: (00:00:00) Introduction; (00:05:55) Add_action & Nonces; (00:26:16) Add_filter & Register_rest_routes; (00:38:39) Page-related code & Shortcodes; (00:50:24) Top Sinks for WP; (01:02:19) Echo & SQLI Sinks; (01:15:07) Nonce Leak and wp_handle_upload; (01:18:16) Page variables & Pop Chains; (01:26:55) WP Escalations & Bug Reports
21 Sep 2023 | Episode 37: Tokyo Hacking & Interview with 0xLupin | 01:15:27 | In this episode of Critical Thinking - Bug Bounty Podcast we're joined by none other than Lupin himself! We recap the Tokyo LHE and the lessons we learned from it before diving into his legendary journey into security research and bug bounty. We also talk collaboration of all kinds: pair hacking, joining a team, and starting a business together. We even touch on some great tools that can collaborate with each other! This was a fun one, and we don't want you to miss it! Today’s guest: Lupin and Holmes. Resources: JSWZL; Cursor; Clairvoyance, https://github.com/nikitastupin/clairvoyance; Tweet about Command Injections, https://twitter.com/win3zz/status/1703702550372078074; James Kettle article on security research, https://portswigger.net/research/so-you-want-to-be-a-web-security-researcher. Timestamps: (00:00:00) Introduction; (00:01:00) Lessons learned from the latest LHE; (00:09:30) JSWZL and the Cursor Combo; (00:19:15) The Legend of Lupin; (00:34:35) Code and Collaborating; (00:38:48) Requests, Automation, and Testing; (00:50:28) Joel's Helper scripts; (00:52:50) Teamwork and Pair Hacking; (00:57:29) Tips for learning to Hack; (01:00:35) UUID and CTF; (01:08:35) Dynamics of Collaboration with French Team
05 Sep 2024 | Episode 87: 'Hacker Wife' Mariah Gardner on Bug Bounty mentality and relationships | 01:26:41 | In this episode of Critical Thinking - Bug Bounty Podcast, Justin sits down with none other than his wife Mariah to talk about Bug Bounty from the perspective of a Significant Other. They share how they’ve traversed travel and Live Hacking Events, household chores, hobbies, goals, rewards, as well as how best to encourage and support the hacker/non-hacker in your life. Find the Hackernotes: https://blog.criticalthinkingpodcast.io/. Shop our new swag store at ctbb.show/swag. Today’s guest: https://x.com/MariahG017. Resources: Ruby Nealon's song, https://x.com/_ruby/status/835306502546149376; Don't Force Yourself to Become a Bug Bounty Hunter, https://samcurry.net/dont-force-yourself-to-become-a-bug-bounty-hunter. Timestamps: (00:00:00) Introduction; (00:03:12) Technical Questions for a Bug Bounty Wife; (00:16:11) Mariah's First LHE experience; (00:31:12) LHEs as a Couple; (00:41:57) Encouragement and Risk; (00:55:55) Hacker Family Dynamics, goals, and keeping promises; (01:17:35) How to care for your Hacker/Hacker Wife
07 Nov 2024 | Episode 96: Cookies & Caching with MatanBer | 00:49:09 | In this episode of Critical Thinking - Bug Bounty Podcast we’re back with Matanber to hit some stuff we ran out of time on last episode. We talk about advanced cookie parsing techniques and exploitation methods, Safari's unique behaviors regarding cookie handling and debugging methods, and some of the writeups from the HeroCTF v6. Today’s guest: https://x.com/MtnBer. Resources: Cookie Bugs - Smuggling & Injection, https://blog.ankursundara.com/cookie-bugs/#:~:text=Cookie%20Smuggling; iOS Webkit Debug Proxy, https://github.com/google/ios-webkit-debug-proxy; HeroCTF v6 Writeups, https://mizu.re/post/heroctf-v6-writeups. Timestamps: (00:00:00) Introduction; (00:01:29) Cookie exploits; (00:21:32) Matan's Safari Adventure; (00:29:49) HeroCTF 6 writeups
02 May 2024 | Episode 69: Johan Carlsson - 3 Month Check-in on Full-time Bug Bounty | 01:49:04 | In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Johan Carlsson to hear about some updates on his bug hunting journey. We deep-dive a CSP bypass he found in GitHub, a critical he found in GitLab's pipeline, and also talk through his approach to using script gadgets and adapting to highly CSP'd environments. Then we talk about his transition to full-time bug hunting, including the goals he’s set, the successes and challenges, his current focus on specific bug types like ReDoS and OAuth, and the serendipitous nature of bug hunting. Nuclei 3.2 Release: https://nux.gg/podcast. Resources: Github CSP Bypass, https://gist.github.com/joaxcar/6e5a0a34127704f4ea9449f6ce3369fc; CSP Validator; Cross Window Forgery, https://www.paulosyibelo.com/2024/02/cross-window-forgery-web-attack-vector.html; Gitlab Crit, https://gist.github.com/joaxcar/9419b2df8778f26e9b02a741a8ec12f8. Timestamps: (00:00:00) Introduction; (00:09:34) Github CSP Bypass; (00:38:48) Script Gadgets and growth through Gitlab; (00:53:53) Gitlab pipeline bug; (01:12:32) Full-time Bug Bounty
26 Sep 2024 | Episode 90: 5k Clickjacking, Encryption Oracles, and Cursor for PoCs | 00:51:42 | In this episode of Critical Thinking - Bug Bounty Podcast, Joel and Justin recap some of their recent hacking ups and downs and have a lively chat about Cursor. Then they cover some research about SQL Injections, Clickjacking in Google Docs, and how to steal your Telegram account in 10 seconds. Today’s sponsor: Project Discovery - tldfinder, https://www.criticalthinkingpodcast.io/tldfinder. Resources: Breaking Down Barriers: Exploiting Pre-Auth SQL Injection in WhatsUp Gold; Content-Type that can be used for XSS; Clickjacking Bug in Google Docs; Justin's Gadget Link; Stealing your Telegram account in 10 seconds flat. Timestamps: (00:00:00) Introduction; (00:08:28) Recent Hacks and Dupes; (00:14:00) Cursor; (00:25:02) Exploiting Pre-Auth SQL Injection in WhatsUp Gold; (00:34:17) Content-Type that can be used for XSS; (00:40:25) Caido updates; (00:43:14) Clickjacking in Google Docs, and Stealing Telegram account
27 Feb 2025 | Episode 112: Interview with Ciarán Cotter (MonkeHack) - Critical Lab Researcher and Full-time Hunter | 01:07:37 | In this episode of Critical Thinking - Bug Bounty Podcast, Joseph Thacker is joined by Ciarán Cotter (Monke) to share his bug hunting journey and give us the rundown on some recent client-side and server-side bugs. Then they discuss WebSockets, SaaS security, and cover some AI news including Grok 3, the Nuclei -ai flag, and some articles by Johann Rehberger. Today’s guest: Ciarán Cotter. Resources: Msty; From Day Zero to Zero Day; Nuclei -ai flag, https://x.com/pdiscoveryio/status/1890082913900982763; ChatGPT Operator: Prompt Injection Exploits & Defenses, https://embracethered.com/blog/posts/2025/chatgpt-operator-prompt-injection-exploits/; Hacking Gemini's Memory with Prompt Injection and Delayed Tool Invocation, https://embracethered.com/blog/posts/2025/gemini-memory-persistence-prompt-injection/. Timestamps: (00:00:00) Introduction; (00:01:04) Bug Rundowns; (00:13:05) Monke's Bug Bounty Background; (00:20:03) Websocket Research; (00:34:01) Connecting Hackers with Companies; (00:34:56) Grok 3, Msty, From Day Zero to Zero Day; (00:42:58) Full time Bug Bounty, SaaS security, and Threat Modeling while AFK; (00:54:49) Nuclei -ai flag, ChatGPT Operator, and Hacking Gemini's Memory
10 Oct 2024 | Episode 92 - SAML XPath Confusion, Chinese DNS Poisoning, and AI Powered 403 Bypasser | 00:47:38 | |
Episode 92: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel tackle a host of new research and write-ups, including Ruby SAML, 0-Click exploits in MediaTek Wi-Fi, and vulnerabilities caused by The Great Firewall. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker. Checkout their ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect Resources: Ruby-SAML / GitLab Authentication Bypass 0-Click exploit discovered in MediaTek Wi-Fi chipsets New Caido Plugin to Generate Wordlists Arb Read & Arb write on LLaMa.cpp by SideQuest XSS WAF Bypass One payload for all Timestamps (00:00:00) Introduction (00:02:08) Vulnerabilities Caused by The Great Firewall (00:07:25) Ruby SAML Bypass (00:19:55) 0-Click exploit discovered in MediaTek Wi-Fi chipsets (00:24:36) New Caido Wordlist Plugin (00:31:00) CSPBypass.com (00:35:37) Arb Read & Arb write on LLaMa.cpp by SideQuest (00:43:10) Helpful WAF Bypass | |||
12 Dec 2024 | Episode 101: CTBB Hijacked: Rez0__ on AI Attack Vectors with Johann Rehberger | 00:51:24 | |
Episode 101: In this episode of Critical Thinking - Bug Bounty Podcast we’ve been hijacked! Rez0 takes control of this episode, and sits down with Johann Rehberger to discuss the intricacies of AI application vulnerabilities. They talk through the importance of understanding system prompts, various obfuscation techniques used to bypass security measures, the best AI platforms, and the evolving landscape of AI security. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker. Check out their Elevation Control! https://www.criticalthinkingpodcast.io/tl-ec Today’s Guest: https://x.com/wunderwuzzi23 Resources Johann's blog https://embracethered.com/blog/ zombais https://embracethered.com/blog/posts/2024/claude-computer-use-c2-the-zombais-are-coming/ Copirate Timestamps (00:00:00) Introduction (00:01:59) Biggest things to look for in AI hacking (00:11:58) Best AI companies to hack on (00:15:59) URL Redirects and Obfuscation Techniques (00:24:05) Copirate (00:35:50) prompt injection guardrails and threats | |||
25 Jul 2024 | Episode 81: Crushing Client-Side on Any Scope with MatanBer | 02:04:48 | |
Episode 81: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by MatanBer to go over some recent bug reports, as well as share some tips and tricks on client-side hacking and using DevTools effectively. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker Today’s Guest: https://x.com/MtnBer Resources: Beyond XSS https://aszx87410.github.io/beyond-xss/en/ Web VSCode XSS https://gitlab.com/gitlab-org/gitlab/-/issues/461328 Timestamps (00:00:00) Introduction (00:05:24) Learning and Labs (00:17:29) DevTools tips and tricks (00:49:49) General Client-Side hacking tips (01:09:59) Self-XSS Storytime (01:32:16) Bug Reports (01:46:37) Brainstorming a Client-side HUD | |||
15 Feb 2024 | Episode 58: Youssef Sammouda - Client-Side & ATO War Stories | 01:54:51 | |
Episode 58: In this episode of Critical Thinking - Bug Bounty Podcast we finally sit down with Youssef Sammouda and grill him on his various techniques for finding and exploiting client-side bugs and postMessage vulnerabilities. He shares some crazy stories about race conditions, exploiting hash change events, and leveraging scroll to text fragments. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://twitter.com/samm0uda?lang=en Resources: Client-side race conditions with postMessage: Transferable Objects https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Transferable_objects Every known way to get references to windows, in javascript: https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2d Youssef’s interview with BBRE https://www.youtube.com/watch?v=MXH1HqTFNm0 Timestamps: (00:00:00) Introduction (00:04:27) Client-side race conditions with postMessage (00:18:12) On Hash Change Events and Scroll To Text Fragments (00:32:00) Finding, documenting, and reporting complex bugs (00:37:32) PostMessage Methodology (00:45:05) Youssef's Vuln Story (00:53:42) Where and how to look for ATO vulns (01:05:21) MessagePort (01:14:37) Window frame relationships (01:20:24) Recon and JS monitoring (01:37:03) Client-side routing (01:48:05) MITMProxy | |||
12 Sep 2024 | Episode 88: News, Tools, and Writeups | 01:06:08 | |
Episode 88: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel tackle a whole slate of new research including a new cheat sheet for URL validation bypass from PortSwigger, the introduction of SanicDNS as a high-speed DNS resolver, xsstools, and the Dockerization of Orange Confusion Attacks. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Shop our new swag store at ctbb.show/swag Resources URL Validation Bypass cheat sheet Bypassing browser tracking protection DOM Clobbering And https://domclob.xyz/domc_payload_generator/ Timestamps: (00:00:00) Introduction (00:02:00) URL validation bypass (00:07:41) SanicDNS and Orange confusion attacks (00:20:06) WordPress GiveWP POP to RCE (00:31:29) Xsstools (00:43:56) Bypassing browser tracking protection (00:52:06) DOM Clobbering and mixing up your approach | |||
19 Dec 2024 | Episode 102: Building Web Hacking Micro Agents with Jason Haddix | 01:02:49 | |
Episode 102: In this episode of Critical Thinking - Bug Bounty Podcast Justin grabs Jason Haddix to help brainstorm the concept of AI micro-agents in hacking, particularly in terms of web fuzzing, WAF bypasses, report writing, and more. They discuss the importance of contextual knowledge, the cost implications, and the strengths of different LLM models. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Check out our new SWAG store at https://ctbb.show/swag! Today’s Guest - https://x.com/Jhaddix Resources Keynote: Red, Blue, and Purple AI - Jason Haddix https://www.youtube.com/watch?v=XHeTn7uWVQM Attention in transformers https://www.youtube.com/watch?v=eMlx5fFNoYc Shift The Darkest Side of Bug Bounty https://www.youtube.com/watch?v=6SNy0u6pYOc Timestamps (00:00:00) Introduction (00:01:25) Micro-agents and Weird Machine Tricks (00:11:05) Web fuzzing with AI (00:18:15) Brainstorming Shift and micro-agents (00:34:40) Strengths of different AI Models, and using AI to write reports (00:54:21) The Darkest Side of Bug Bounty | |||
26 Jan 2023 | Episode 3: H1-407 Event Madness & Takeaways Part 1 | 00:45:57 | |
Episode 3: In this episode of Critical Thinking - Bug Bounty Podcast we talk about some of the interesting things we’ve learned from participating in HackerOne's H1-407 Live Hacking event. We cover decompiling binaries in various different languages, Windows URI Handlers, Caido, and SameSite Lax + POST. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Frans Rosen S3 Bucket Authorization Blog Post: https://labs.detectify.com/2018/08/02/bypassing-exploiting-bucket-upload-policies-signed-urls/ Getting code from executables: Jub0b’s SameSite Article: https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/ Mgeeky’s Powershell Script to Enumerate Windows App URI Handlers https://gist.github.com/mgeeky/5a30a0619a7486b2fb0bd5233490fa64 | |||
21 Nov 2024 | Episode 98: Team 82 Sharon Brizinov - The Live Hacking Polymath | 01:43:57 | |
Episode 98: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner sits down with Sharon to discuss his journey from early iOS development to leading a research team at Claroty. They address the differences between HackerOne and Pwn2Own, and talk through some intricacies of IoT security, and some less common IoT attack surfaces. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker: Check out Network Control! https://www.criticalthinkingpodcast.io/tl-nc And AssetNote: Check out their ASMR board (no not that kind!) Today’s Guest: https://sharonbrizinov.com/ Resources The Claroty Research Team Pwntools https://github.com/Gallopsled/pwntools Scan My SMS Gotta Catch 'Em All: Phishing, Smishing, and the birth of ScanMySMS https://www.youtube.com/watch?v=EhNsXXbDp3U Timestamps (00:00:00) Introduction (00:03:31) Sharon's Origin Story (00:21:58) Transition to Bug Bounty and Pwn2Own vs HackerOne (00:47:05) IoT/ICS Hacking Methodology (01:10:13) Cloud to Device Communication (01:18:15) Bug replication and uncommon attack surfaces (01:30:58) Documentation tracker, reCaptcha bypass, and ScanMySMS | |||
06 Jun 2024 | Episode 74: Supply Chain Attack Primer - Popping RCE Without an HTTP Request (feat 0xLupin) | 01:38:20 | |
Episode 74: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Roni "Lupin" Carta for a deep dive into supply chain attacks and dependency confusion. We explore the flow of a supply chain attack, the ethical considerations surrounding maintainers and hosting packages on public registries, and chat about the vision and uses of his new tool Depi. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today's Sponsor - Project Discovery: https://nux.gg/podcast Today’s Guest: https://x.com/0xLupin Resources: Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 git-dump https://github.com/tomnomnom/dotfiles/blob/master/scripts/git-dump Depi Weak links of Supply Chain https://arxiv.org/pdf/2112.10165 Timestamps: (00:00:00) Introduction (00:07:13) Overview of Supply Chain Flow (00:15:14) Getting our Scope (00:23:46) Depi (00:29:12) Types of attacks and finding the 80/20 (00:45:06) Maintainer attacks (01:10:40) Registries, Artifactories, and an npm bug (01:31:51) Grafana NPX Confusion | |||
22 Feb 2024 | Episode 59: Bug Bounty Gadget Hunting & Hacker's Intuition | 01:39:09 | |
Episode 59: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the concept of gadgets and how they can be used to escalate the impact of vulnerabilities. We talk through things like HTML injection, image injection, CRLF injection, web cache deception, leaking window location, self-stored XSS, and much more. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources: Timestamps: (00:00:00) Introduction (00:03:31) Caido's New Features (00:15:20) Nahamcon News and 5 week Bootcamp and pentest opportunity (00:19:54) HTML Injection, CSS Injection, and Clickjacking (00:33:11) Image Injection (00:37:19) Open Redirects, Client-side path traversal, and Client-side Open Redirect (00:49:51) Leaking window.location.href (00:57:15) Cookie refresh gadget (01:01:40) Stored XSS (01:09:01) CRLF Injection (01:13:24) 'A Place To Stand' in GraphQL and ID Oracle (01:18:23) Auth gadgets, Web Cache Deception, & LocalStorage poisoning (01:27:46) Cookie Injection & Context Breaks | |||
23 Mar 2023 | Episode 12: JHaddix on Hacker->Hacker CISO, OG Hacking Techniques, and Crazy Reports | 01:46:37 | |
Episode 12: In this episode of Critical Thinking - Bug Bounty Podcast we talk with Jason Haddix about his eclectic hacking techniques, Hacker -> Hacker CISO life, and some crazy vulns he found. This episode is chock full of awesome tips so give it a good listen! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Follow JHaddix on Twitter: BuddoBot: BC Hunt: https://github.com/bugcrowd/HUNT/blob/master/README.md One List For All: https://github.com/six2dez/OneListForAll AssetNote Wordlists: https://wordlists.assetnote.io/ Backslash Powered Scanner: https://portswigger.net/bappstore/9cff8c55432a45808432e26dbb2b41d8 Jason’s Handy Dandy Acronyms: SSWLR - Sensitive Secrets Were Leaked Recently; COTS Software - Common Off-The-Shelf Software | |||
01 Feb 2024 | Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston) | 01:47:40 | |
Episode 56: In this episode of Critical Thinking - Bug Bounty Podcast, Justin sits down with Jon Colston to discuss how his background in digital marketing and data science has influenced his hunting methodology. We dive into subjects like data sources, automation, working backwards from vulnerabilities, applying conversion funnels to bug bounty, and Mayonaise's signature 'Mother of All Bugs'. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ WordFence - Sign up as a researcher! https://ctbb.show/wf Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://hackerone.com/mayonaise?type=user Timestamps: (00:00:00) Introduction (00:12:07) Evolving Hacking Methodologies & B2B Hacking (00:23:57) Data Science + Bug Bounty (00:34:37) 'Lead Generation for Vulns' (00:41:39) Ingredients and Recipes (00:49:45) Keyword Categorization (00:54:30) Manual Processes and Recap (01:07:08) Data Sources (01:19:59) Digital Marketing + Bug Bounty (01:32:22) M.O.A.B.s (01:41:02) Burnout Protection and Dupe Analysis | |||
13 Apr 2023 | Episode 15: The Israeli Million-Dollar Hacker | 01:08:28 | |
Episode 15: In this episode of Critical Thinking - Bug Bounty Podcast we talk with the latest Million-Dollar bug bounty hunter: @naglinagli . He talks about his climb from $1,000 in bounties to $1,000,000, recon tips and tricks, and some bug reports that made the news and landed him the "Best Bug" award at an H1 Live Hacking event. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Follow Nagli and his new startup Shockwave: https://twitter.com/naglinagli https://twitter.com/shockwave_sec HackMD Collaborative Notes: Ian Carroll's Airline Miles Website: Nagli's Tweet on ChatGPT Web Cache Deception: https://twitter.com/naglinagli/status/1639343866313601024 Timestamps: (00:00:00) Intro (00:04:40) Nagli’s Climb (00:05:40) What kind of vulns do you look for? (00:09:25) Working with other hackers (00:10:20) Bug Bounty Hunter’s Guild (00:12:35) Shockwave product (00:14:12) Outsourcing tool development (00:18:46) What got you started? (00:21:13) Manual hacking vs recon suite + LHE focus (00:25:00) How do you take notes (00:29:42) Biggest things that you’ve learned over the past 2 years (00:31:29) How do you ingest new techniques? (00:31:50) Collaboration (00:37:20) Justin Ranting about “Trained Eyes” (00:40:18) Time spent coding vs hacking (00:45:28) Travel and spending habits (00:54:16) Grep is Nagli’s database (00:56:20) Nagli’s ChatGPT Web Cache Deception (00:58:44) What does your alerting look like? (01:01:50) Nagli’s “Most Critical” SSRF (01:04:30) Burp Active Scan | |||
17 Apr 2025 | Episode 119: Abusing Iframes from a client-side hacker | 00:33:54 | |
Episode 119: In this episode of Critical Thinking - Bug Bounty Podcast Justin does a mini deep dive into the world of iframes, starting with why they’re significant, their attributes, and how to attack them. CORRECTION: Some of my comments on the latest episode of the pod were woefully inaccurate about the `csp` attribute of an iframe. Def should have read the spec more thoroughly. Please see the #corrections channel in Discord for the deets. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== Resources ====== Episode with JR0ch17 Exacerbating Cross-Site Scripting: The Iframe Sandwich https://coopergyoung.com/exacerbating-cross-site-scripting-the-iframe-sandwich/ ====== Timestamps ====== (00:00:00) Introduction (00:01:20) Why are Iframes useful (00:05:11) Attributes of Iframes (00:21:39) Iframe Attacks (00:29:53) Iframe Fun Facts | |||
14 Sep 2023 | Episode 36: Bug Bounty Ethics & CT Exclusive Bug Reports | 01:03:59 | |
Episode 36: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel take a break from LHE prep to answer questions about the ethics of bug bounty and share their recent bug finds. We talk Iframes, mobile intercept proxies, open redirects, and that time Justin got shot at… Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Timeshifter: Tweet about Google Open Redirect https://twitter.com/Rhynorater/status/1697357773690818844 Tweet about XSS Exploitation https://twitter.com/Rhynorater/status/1698059391700701424 Request Minimizer https://portswigger.net/bappstore/cc16f37549ff416b990d4312490f5fd1 Timestamps: (00:00:00) Introduction (00:02:45) HackerOne LHE Preview (00:05:40) Is Bug Bounty Inherently Ethical (00:19:25) Ethics of Going out of scope (00:27:56) Justin’s story of getting shot at (00:30:22) Setting up a mobile intercept proxy (00:33:40) How to approach a new target (00:40:30) Google Open Redirect (00:43:35) Recent XSS Exploitation (00:46:28) ATO Trick (00:50:25) Joel’s Bug Report (00:55:40) Justin’s Bug Report | |||
08 Aug 2024 | Episode 83: Brainstorming Proxy Plugins | 00:54:50 | |
Episode 83: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin are brainstorming new features and improvements for Caido, such as the implementation of a 403 bypassing workflow, a text expander, Tracing Cookies, and more. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker Resources: Post from Gareth Heyes https://x.com/garethheyes/status/1811084674988474417 Wiki List of XML and HTML HackerOne Leaderboard Changes https://x.com/scarybeasts/status/1810813103354892666 Espanso Critical Thinkers Discord Oauth Scan https://portswigger.net/bappstore/8ef2db1173e8432c8797831c2e730727 Timestamps: (00:00:00) Introduction (00:03:12) News (00:13:20) Into the Brainstorm (00:13:41) 403 Bypasser (00:20:34) "Expaido" (00:31:34) Trace Cookies (00:42:01) Highlight Decoding Expansion and AI integrations (00:49:08) OAuth Testing, API Highlighter, and Note-taking | |||
19 Oct 2023 | Episode 41: Mini Masterclass: Attack Vector Ideation | 00:17:09 | |
Episode 41: In this episode of Critical Thinking - Bug Bounty Podcast, Justin takes a break from his busy travel schedule to walk us through a few of his Attack Vector formulation strategies. We’re keeping this one short and sweet, so it can be better used as a reference when looking for new vectors. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Nahamcon talk by Douglas Day https://youtu.be/G1RHa7l1Ys4?t=295 Timestamps: (00:00:00) Introduction (00:02:53) Use the application like a human, not like a hacker (00:05:02) Reading documentation looking for "Cannot" statements (00:08:16) Look at the grayed out areas (00:10:08) Look for information in the API response (00:12:38) Differences in the UI between different accounts (00:13:42) Pay the paywall. | |||
31 Oct 2024 | Episode 95: Attacking Chrome Extensions with MatanBer - Big Impact on the Client-Side | 01:56:23 | |
Episode 95: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by MatanBer to delve into the intricacies of browser extensions. We talk about the structure and threat models, and cover things like service workers, extension pages, and isolated worlds. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - AssetNote. Listen to their podcast https://www.criticalthinkingpodcast.io/sspod Today’s Guest: https://x.com/MtnBer Resources Universal Code Execution by Chaining Messages in Browser Extensions https://spaceraccoon.dev/universal-code-execution-browser-extensions/ DOMLogger++ https://github.com/kevin-mizu/domloggerpp BBRE Metamask bug https://youtu.be/HnI0w156rtw?si=QixP8SX6JuRFz6PA Bench Press: Leaking Text Nodes with CSS https://blog.pspaul.de/posts/bench-press-leaking-text-nodes-with-css/ Timestamps: (00:00:00) Introduction (00:03:08) Structure & Threat Model for Browser Extension (00:28:28) Extension Attack scenarios (01:01:26) Attacking Extension Pages (01:26:35) Attacking Service Workers (01:46:23) Getting source code and dynamic debugging | |||
01 Aug 2024 | Episode 82: Part-Time Bug Bounty | 00:36:32 | |
Episode 82: In this episode of Critical Thinking - Bug Bounty Podcast Joel Margolis discusses strategies and tips for part-time bug bounty hunting. He covers things like finding (and enforcing) balance, picking programs and goals, and streamlining your process to optimize productivity. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker Resources: Evernote RCE Post https://0reg.dev/blog/evernote-rce ServiceNow Bug Chain https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data Douglas Day's Talk on finding 'no's' https://youtu.be/G1RHa7l1Ys4?si=TY16ULsEIfJ9CMKk Timestamps: (00:01:37) Introduction (00:02:24) Evernote RCE Post (00:06:47) AssetNote ServiceNow Bug Chain (00:12:16) Part-Time Bug Bounty: Balance and Accountability (00:18:04) Picking programs: Impact and Payout (00:28:46) Streamline your process | |||
04 Jan 2024 | Episode 52: Best Technical Content from Year 1 of CTBB Podcast | 03:00:00 | |
Episode 52: In this episode of Critical Thinking - Bug Bounty Podcast we're going back and highlighting some of the best technical moments from the past year! Hope you enjoy this best of 2023 Supercut! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Timestamps: (00:00:00) Introduction (00:02:55) Episode 26: Meta tags and base tags in HTML (00:15:20) Episode 27: Client-side path traversal (00:23:18) Episode 27: Cookie bombing + cookie jar overflow (00:35:47) Episode 44: Cross environment authentication bugs (00:43:17) Episode 47: The open-faced Iframe Sandwich (00:50:19) Episode 47: js hoisting and classic Joel nerdsnipe (00:58:28) Episode 29: Sean Yeoh on Subdomains vs IP in recon (01:04:05) Episode 30: Shubs on reversing enterprise software (01:24:58) Episode 30: Shubs on building out a recon flow (01:29:36) Episode 30: Shubs on Hacking IIS Servers (01:36:45) Episode 37: 0xLupin on smart JavaScript analysis tools (01:45:42) Episode 45: Frans Rosen On App cache, Service workers cookie stuffing, and postMessage (02:15:02) Episode 50: Mathias Karlsson on XSLT and MXSS (02:39:26) Episode 27: Assetnote's sharefile RCE (02:48:18) Episode 31: Perforce RCE (02:53:48) Episode 48: Sam Erb's XSLT bug story (02:58:47) Final thoughts and Special Thanks | |||
03 Oct 2024 | Episode 91: Zero to LHE in 9 Months (feat gr3pme) | 01:22:50 | |
Episode 91: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner sits down with Critical Thinking’s own HackerNotes writer Brandyn Murtagh (gr3pme) to talk about his journey with Bug Bounty. We cover mentorship, networking and LHEs, ecosystem hacking, emotional regulation, and the need for self-care. Then we wrap up with some fun bugs. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Shop our new swag store at ctbb.show/swag Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder Today’s guest: https://x.com/gr3pme Resources: Lessons Learned for LHEs https://x.com/Rhynorater/status/1579499221954473984 Timestamps: (00:00:00) Introduction (00:07:02) Mentorship in Bug Bounty (00:16:30) LHE lessons, takeaways, and the benefit of feedback and networking (00:41:28) Choosing Targets (00:49:03) Vuln Classes (00:58:54) Bug Reports | |||
13 Mar 2025 | Episode 114: Single Page Application Hacking Playbook | 01:22:25 | |
Episode 114: In this episode of Critical Thinking - Bug Bounty Podcast we’re diving into SPAs and how to attack them. We also cover a host of news items, including some bug write-ups, AI updates, and a new tool called Hackadvisor. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor: ThreatLocker Cloud Control ====== Resources ====== Hacking High-Profile Bug Bounty Targets: Deep Dive into a Client-Side Chain Research finds 12,000 ‘Live’ API Keys and Passwords in DeepSeek's Training Data Prompt Injection Attacks for Dummies ====== Timestamps ====== (00:00:00) Introduction (00:02:15) Bug Write-up from @busf4ctor (00:09:44) Scanning Common Crawl (00:16:30) Hackadvisor and WP/Chrome Extension News (00:24:15) Notebook LM, and Recent AI Updates (00:31:58) Write-up from @J0R1AN and Related POC from @RenwaX23 (00:38:10) Prompt Injection Attacks for Dummies (00:42:29) ShadowRepeater (00:47:04) Single-page applications | |||
11 Apr 2024 | Episode 66: CDN-CGI Research, Intent To Ship, and Louis Vuitton | 00:58:20 | |
Episode 66: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the recent YesWeHack Louis Vuitton LHE, the importance of failure as growth in bug bounty, and Justin shares his research on CDN CGI. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Project Discovery Conference: https://nux.gg/hss24 ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources: YesWeHack Louis Vuitton LHE https://twitter.com/yeswehack/status/1776280653744554287 https://event.yeswehack.com/events/hack-me-im-famous-2 Caido Workflows https://github.com/caido/workflows Oauth Redirects https://twitter.com/Akshanshjaiswl/status/1724143813088940192 Bagipro Golden URL techniques https://hackerone.com/reports/431002 Roadmap I followed to make 15,000+$ Bounties in my first 8 months https://shreyaschavhan.notion.site/Roadmap-I-followed-to-make-15-000-Bounties-in-my-first-8-months-of-starting-out-and-my-journey-98b1b9ff621645c0b97d1e774992f300 Monke Hacks Blog https://monkehacks.beehiiv.com/ PortSwigger post https://x.com/PortSwiggerRes/status/1766087129908576760 post from Masato Kinugawa https://x.com/kinugawamasato/status/916393484147290113 Timestamps: (00:00:00) Introduction (00:04:19) Louis Vuitton LHE (00:13:57) Browser Market share (00:21:13) Justin's Bug of the Week (00:24:49) Caido Workflows (00:27:24) Oauth Redirects (00:32:24) Bug Bounty learning Methodology (00:41:03) 'Intent To Ship' (00:48:08) CDN-CGI Research | |||
23 Nov 2023 | Episode 46: The SAML Ramble | 00:43:40 | |
Episode 46: In this episode of Critical Thinking - Bug Bounty Podcast, Justin takes a deep dive into the topic of SAML (Security Assertion Markup Language), and walks through what it is and why it can be intimidating, before going over some key attack vectors to look for. Then he closes out with a commentary on a sample payload, and some HackerOne reports. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. KazHACKstan Testing SAML security with DAST https://agrrrdog.blogspot.com/2023/01/testing-saml-security-with-dast.html How to break SAML if I have paws? https://speakerdeck.com/greendog/how-to-break-saml-if-i-have-paws?slide=20 How to Hunt Bugs in SAML; a Methodology https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/ SAML Raider https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e External Entity Injection during XML signature verification https://bugs.chromium.org/p/project-zero/issues/detail?id=2313 mTLS: When certificate authentication is done wrong https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done-wrong/ HackerOne Uber Report https://hackerone.com/reports/136169 Timestamps: (00:00:00) Introduction (00:05:25) Understanding SAML and its complexities (00:08:30) SAML Attack Vectors (00:14:15) XML Signature Wrapping (00:19:50) Some SAML tests to try (00:30:30) Sample Payload description (00:34:10) Token Recipient confusion (00:36:05) HackerOne Reports | |||
02 Feb 2023 | Episode 5: AI Security, Hacking WiFi, the New XSS Hunter, and more | 00:53:29 | |
Episode 5: In this episode of Critical Thinking - Bug Bounty Podcast we talk about the new XSS Hunter, MD5 collisions and using ChatGPT for security, and much more! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Save All Resources Chrome Extension: https://chrome.google.com/webstore/detail/save-all-resources/abpdnfjocnmdomablahdcfnoggeeiedb?hl=en Corben's AMA: https://twitter.com/hacker_/status/1620514351521366016 Collisions repo: https://github.com/corkami/collisions | |||
09 Mar 2023 | Episode 10: The Life of a Full-Time Bug Bounty Hunter + BB News + Reports from Mentees | 01:16:38 | |
Episode 10: In this episode of Critical Thinking - Bug Bounty Podcast we talk about what it's like to be a full-time bug bounty hunter, a ton of bug bounty news, and some great report summaries from Justin’s two mentees: Kodai and Soma. Follow us on twitter at: https://twitter.com/ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater HackVertor https://portswigger.net/bappstore/65033cbd2c344fbabe57ac060b5dd100 Not_An_Aardvark (Teddy Katz) Blog: https://blog.teddykatz.com/ Tweets from PortSwigger Research: https://twitter.com/PortSwiggerRes/status/1632742844535324677 https://twitter.com/PortSwiggerRes/status/1630221223874445314 https://twitter.com/PortSwiggerRes/status/1629131380473970688 HackerOne LHE Standards: https://www.hackerone.com/hackerone-community-blog/get-invited-how-live-hacking-event-invites-have-changed Rez0 Bug Bounty Tweet: https://twitter.com/rez0__/status/1553371602770960384?t=NCr_esHcEts9PrcjxIZ5uw&s=19 Rojan’s Github Bug: https://twitter.com/uraniumhacker/status/1633199768263593984 Goodbye Daily Swig: https://portswigger.net/daily-swig/were-going-teetotal-its-goodbye-to-the-daily-swig Gareth Heyes' JavaScript for Hackers: https://leanpub.com/javascriptforhackers/ | |||
28 Dec 2023 | Episode 51: Hacker Stats 2023 & 2024 Goals | 01:21:31 | |
Episode 51: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are back for the last episode of 2023. We discuss some noteworthy news items including a Hacker One Crit, Caido updates, and some Blind CSS. Then we dive into our own personal ‘Hackers Wrapped’ recap of the year, before laying out some goals for 2024. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources Timestamps (00:00:00) Introduction (00:08:43) Keyboard Shortcut Utility Systems (00:21:28) CTF Challenge By Frans (00:32:40) Hacker One 25K Crit Disclosure (00:36:31) Caido Searchbar Rework. (00:40:51) Blind CSS Exfiltration (00:44:10) 2023 Personal Bug Bounty Stats (01:01:15) 2024 Personal Bug Bounty Goals | |||
14 Nov 2024 | Episode 97: Bcrypt Hash Input Truncation & Mobile Device Threat Modeling | 00:53:05 | |
Episode 97: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel jump into some cool news items, including a recent Okta Bcrypt vulnerability, insights into crypto bugs, and some intricacies of Android and Chrome security. They also explore the latest research from PortSwigger on payload concealment techniques, and the introduction of the Lightyear tool for PHP exploits. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker: Check out Network Control! https://www.criticalthinkingpodcast.io/tl-nc And AssetNote: Check out their ASMR board (no not that kind!) Resources Android Web Attack Surface Writeups Concealing payloads in URL credentials Dumping PHP files with Lightyear Limit maximum number of filter chains Timestamps (00:00:00) Introduction (00:02:43) Okta Release and bcrypt (00:10:26) Android Web Attack Surface Writeups (00:20:21) More PortSwigger Research (00:28:29) Lightyear and PHP filter chains (00:35:09) Dom-Explorer (00:45:24) The JSON Debate (00:49:59) Notes plugin for Burp and Caido | |||
16 May 2024 | Episode 71: More VDP Chats & AI Bias Bounty Strats with Keith Hoodlet | 01:45:21 | |
Episode 71: In this episode of Critical Thinking - Bug Bounty Podcast Keith Hoodlet joins us to weigh in on the VDP Debate. He shares some of his insights on when VDPs are appropriate in a company's security posture, and the challenges of securing large organizations. Then we switch gears and talk about AI bias bounties, where Keith explains the approach he takes to identify bias in chatbots and highlights the importance of understanding human biases and heuristics to better hack AI. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Today's Sponsor - Project Discovery: https://nux.gg/podcast Today’s guest: Keith Hoodlet Resources: Daniel Miessler's article about the security poverty line Hacking AI Bias https://securing.dev/posts/hacking-ai-bias/ Hacking AI Bias Video https://youtu.be/AeFZA7xGIbE?si=TLQ7B3YtzPWXS4hq Sarah Hoodlet's new book Link to Amazon Page Timestamps: (00:00:00) Introduction (00:04:09) Keith's Appsec Journey (00:16:24) The Great VDP Debate Redux (00:47:18) Platform/Hunter Incentives and Government Regulation (01:06:24) AI Bias Bounties (01:26:27) AI Techniques and Bugcrowd Contest | |||
13 Jun 2024 | Episode 75: *Rerun* of The OG Bug Bounty King - Frans Rosen | 02:44:52 | |
Episode 75: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are sick, so instead of a new full episode, we're going back 30 episodes to review. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! Today's Guest: https://twitter.com/fransrosen Discovering s3 subdomain takeovers https://labs.detectify.com/writeups/hostile-subdomain-takeover-using-heroku-github-desk-more/ https://gist.github.com/fransr/a155e5bd7ab11c93923ec8ce788e3368 A deep dive into AWS S3 access controls Attacking Modern Web Technologies Account hijacking using Dirty Dancing in sign-in OAuth flows Timestamps: (00:00:00) Introduction (00:11:41) Frans Rosen's Bug Bounty Journey and Detectify (00:20:21) Pseudo-code, typing, and thinking like a dev (00:27:11) Hunter Methodologies and automationists (00:42:31) Time on targets, Iteration vs. Ideation (00:58:01) S3 subdomain takeovers (01:11:53) Blog posting and hosting motivations (01:20:21) Detectify and entrepreneurial endeavors (01:36:41) Attacking Modern Web Technologies (01:52:51) postMessage and MessagePort (02:05:00) Live Hacking and Collaboration (02:20:41) Account Hijacking and OAuth Flows (02:35:39) Hacking + Parenthood | |||
29 Jun 2023 | Episode 25: 2xMVH & Multi-million dollar hacker Inhibitor181 | 01:11:35 | |
Episode 25: In this episode of Critical Thinking - Bug Bounty Podcast we talk to Cosmin (@Inhibitor181), fresh off of winning his 2nd MVH! We chat about the time management and strategy of hacking Multi-Target LHEs, determining when to pivot, and how to find normalcy in bug bounty hunting and Live Hacking Events. We also touch on setting up Vuln Pipelines, creating mental models, and Cosmin's terrifying naming schemes. Don't miss this episode packed with both laughs and valuable insights for beginners and seasoned bug bounty hunters alike. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guest: https://twitter.com/inhibitor181 Justin's weird episode with all the Dr. Seuss Shit https://rss.com/podcasts/ctbbpodcast/966055/?listen-on=true Timestamps: (00:00:00) Introduction (00:02:52) MVH club and Multi-Target strategy (00:12:00) Deciding when to pivot (00:17:00) File Organization and 'unique' naming approaches (00:23:56) Staying up to date on features and updates (00:25:46) Hacking Sleep Habits (00:28:15) Finding 'Normal Life' in bug bounty and LHE (00:33:30) Vuln Pipelines, Wordlists, and full time bug bounty tips (00:44:15) Benefits of the Bug Bounty Community (00:47:45) Relationships with target companies and programs (00:53:15) Creating mental models (01:00:30) The Importance of writing good reports (01:04:30) How to choose what to hack | |||
26 Dec 2024 | Episode 103: Getting ANSI about Unicode Normalization | 01:00:30 | |
Episode 103: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph delve into the vulnerabilities associated with ANSI codes and large language models (LLMs), as well as talk through some new research and the value of micro-blogging in general. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord! We offer Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Check out our new SWAG store! Join our Shift waitlist! Today’s Sponsor - ThreatLocker. Check out their Elevation Control! https://www.criticalthinkingpodcast.io/tl-ec Resources Cross-Site POST Requests Without a Content-Type Header Handling Cookies is a Minefield XS-Leaking flags with CSS: A CTFd 0day How I Became The Most Valuable Hacker Timestamps (00:00:00) Introduction (00:01:39) _json Juggling Attack and Cross-Site POST Requests Without a Content-Type Header (00:10:55) Worst Fit and Unicode Mapping (00:20:08) Handling Cookies is a Minefield (00:28:11) Terminal DiLLMa & CTFd 0day (00:41:18) Hacking Back the AI-Hacker (00:47:30) Becoming Most Valuable Hacker | |||
09 May 2024 | Episode 70: NahamCon and CSP Bypasses Everywhere | 00:43:08 | |
Episode 70: In this episode of Critical Thinking - Bug Bounty Podcast we’re once again joined by Ben Sadeghipour to talk about some NahamCon news, as well as discuss a couple of other LHEs taking place. Then we cover CI/CD and drop some cool CSP Bypasses. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today's Sponsor - Project Discovery: https://nux.gg/podcast Today’s Guest: https://twitter.com/NahamSec Resources: Depi Youtube CSP: https://www.youtube.com/oembed?callback=alert() Maps CSP: https://maps.googleapis.com/maps/api/js?callback=alert()-print Google APIs CSP https://www.googleapis.com/customsearch/v1?callback=alert(1) Google CSP https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)// CSP Bypass for opener.child.child.child.click() Timestamps: (00:00:00) Introduction (00:02:55) BSides Takeaways and hacking on Meta (00:12:12) NahamCon News (00:23:45) CI/CD and the launch of Depi (00:33:29) CSP Bypasses | |||
06 Apr 2023 | Episode 14: Mobile Hacking Dynamic Analysis w/ Frida + Random Hacker Stuff | 01:21:37 | |
Episode 14: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Dynamic Analysis within Mobile Hacking and a bunch of random hacker stuff. It's a good time. Enjoy the pod. Follow us on Twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on Twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Joel’s Alternative to UberTooth One: https://www.amazon.com/Bluetooth-UD100-G03-Exchangeable-Bluesoleil-Microsoft/dp/B0161B5ATM D3monDev’s Burp VPS Plug-in: https://github.com/d3mondev/burp-vps-proxy FireProx: https://github.com/ustayready/fireprox Joel’s Universal SSL De-pinning Frida Script: https://gist.github.com/teknogeek/4dc35fb3801bd7f13e5f0da5b784c725 Command-line Fuzzy Finder: https://github.com/junegunn/fzf Justin’s two article recommendations for using Frida: Copy screen of physical device: Flipper: BetterCap BLE Module: https://www.bettercap.org/modules/ble/ Timestamps: (00:00:00) Intro (00:00:55) Hacker Chats (00:03:27) Podcast Content Commentary (00:04:09) SSRF Rebinding Error Confession (00:06:02) Flipper Zero (00:07:58) Bettercap BLE (00:09:36) Sena USB Bluetooth Adapter (00:12:41) Burp VPS Proxy Plugin (00:13:55) Fireprox (00:15:40) Dynamic Mobile Hacking (00:17:40) Dynamic Analysis Overview (00:18:18) Emulator Talk (00:24:29) Joel’s APK Analysis Flow (00:26:30) Cert Pinning (00:32:17) Joel’s SSL Cert Pinning Script (00:35:29) Hands-on look at Frida (00:50:11) Frida on Non-rooted Devices (00:58:22) Tracing Errors to Overwritable Functions (01:00:39) Native Libraries (01:09:18) GenyMobile Screen Mirroring Tool (01:11:50) Justin’s Report of the Day and Custom SSL Pinning (01:18:15) Joel’s First Ever Bug, Jailbreak Detection Bypass | |||
25 May 2023 | Episode 20: Hacker Brain Hacks - Overcoming Bug Bounty's Mental Tolls | 01:06:30 | |
Episode 20: In this episode of Critical Thinking - Bug Bounty Podcast, we dive into the world of "hacker brain hacks" and overcoming challenges in bug bounty hunting. We discuss custom word lists, the rising popularity of Caido as a potential Burp Suite replacement, and Cloudflared tunnels for hosting POCs. We also tackle the mental aspects of bug bounty hunting, from procrastination to imposter syndrome, and share tips for staying motivated and avoiding burnout. Don't miss this episode packed with valuable insights and advice for both beginners and seasoned bug bounty hunters! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Caido: Tweet from D3mondev on Sequence Diagram: https://twitter.com/d3mondev/status/1660803152755453952 Sequence diagram software: Timestamps: (00:00:00) Introduction (00:02:36) "Sequence Diagram": Sequence mapping for PoCs (00:04:10) "SubReconGPT": AI and GPT in Bug Bounty Hacking (00:08:30) "Caido": A Potential Replacement for Burp Suite (00:11:34) HackerOne's New Features (00:13:00) Cloudflared Tunnels for Red Team Assessments and Payload Hosting (00:16:07) Mental challenges in Bug Bounty Hunting (00:17:50) Procrastination Education: Letting fear of failure drive you into always learning, never doing. (00:22:46) Analysis Paralysis: Starting with Bug Bounty Programs vs VDPs (00:27:07) Automation Obsession: "When you're hacking, hack. When you're automating, automate." (00:14:34) Imposter Syndrome: You may not be the best, but you're not the worst either. (00:31:55) Motivation Deprivation: Stay curious, and set tiered goals (00:36:07) Automation Obsession pt2: Do we need to say it again? (00:37:25) Reconnaissance Cognizance: Spending too much time on recon and not enough time on hacking (00:40:00) Bad Rabbit Holes, RIP Your Goals: Identifying good and bad rabbit holes (00:46:01) Set Your Goal Poles: Setting specific goals for yourself. (00:48:29) Impact Lacked: Fixating on something that's funky, but simply doesn’t really have impact (00:51:00) The Burn-out turn-out: Mending, maintenance, and finding identity and self-worth outside hacking (00:58:19) Responsibility Volatility: Balancing Responsibilities and Freedom as a Bug Bounty Hunter (01:00:30) Payout Phase-out: Don't stop once you've found one bug. (01:02:04) Report on URN Injection | |||
17 Aug 2023 | Episode 32: The Great Write-up Low-down | 01:01:05 | |
Episode 32: In this episode of Critical Thinking - Bug Bounty Podcast, Joel caught a nasty bug (no, not that kind) so Justin is flying solo, and catches us up to speed on what's been happening in hacking news. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Smashing the State article Nagle's Algorithm https://en.wikipedia.org/wiki/Nagle%27s_algorithm HTTP/2 RFC https://httpwg.org/specs/rfc7540.html Tweet by Alex Chapman https://twitter.com/ajxchapman/status/1691103677920968704?s=20 Cookieless Duodrop IIS Auth Bypass XSS and .NET https://blog.isec.pl/all-is-xss-that-comes-to-the-net/ Shopify Account Takeover https://ophionsecurity.com/blog/shopify-acount-takeover Short Name Guesser https://github.com/projectmonke/shortnameguesser Hacking Points.com https://samcurry.net/Points-com/ Hacking Starbucks https://samcurry.net/hacking-starbucks/ Bug Bounty Tag Request https://twitter.com/ajxchapman/status/1688892093597470720 Sandwich Attack https://www.landh.tech/blog/20230811-sandwich-attack Timestamps: (00:00:00) Introduction (00:01:25) Smashing the State (00:11:30) HTTP/2 RFC (00:17:30) Cookieless Duodrop IIS Auth Bypass (00:24:45) Takeovers and Tools (00:32:30) Sam Curry writeup (00:53:10) Community requests (00:55:10) Sandwich Attacks | |||
22 Aug 2024 | Episode 85: Practical Applications of DEFCON 32 Web Research | 01:30:30 | |
Episode 85: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel talk through some of the research coming out of DEFCON, mainly from the PortSwigger team. Web timing attacks, cache exploitation, and exploits related to email protocols are all featured. Plus we also talk some fun Apache hacks from Orange Tsai. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! Check out our new SWAG store at https://ctbb.show/swag! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker Resources Listen to the whispers https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work Splitting the email atom https://portswigger.net/research/splitting-the-email-atom Gotta cache 'em all https://portswigger.net/research/gotta-cache-em-all HTTP Garden https://github.com/narfindustries/http-garden Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! Trusted Types API https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API Untrusted Types https://github.com/filedescriptor/untrusted-types Timestamps: (00:00:00) Introduction (00:09:45) 'Listen to the whispers' (00:30:03) 'Splitting the email atom' (00:58:42) 'Gotta cache 'em all' (01:21:03) 'Confusion Attacks' | |||
15 Aug 2024 | Episode 84: 0xLupin & Takeaways from Google's Las Vegas BugSwat | 00:27:15 | |
Episode 84: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by Roni Carta (@0xLupin) to discuss their MVH win at the recent Google LHE, and share some technical observations they had with the target and the event. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://x.com/0xLupin Today’s Sponsor - ThreatLocker Timestamps: (00:00:00) Introduction (00:02:12) MVH Debrief (00:09:05) Sandboxes and Comfort Zones (00:13:24) SDKs and Legal Compliance (00:19:29) Age of Target and Platform-Exclusive Hunters | |||
24 Oct 2024 | Episode 94: Zendesk Fiasco & the CTBB Naughty List | 00:49:29 | |
Episode 94: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel give their perspectives on the recent Zendesk fiasco and the ethical considerations surrounding it. They also highlight the launch of AuthzAI and some research from Ophion Security. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - AssetNote. Listen to their podcast https://www.criticalthinkingpodcast.io/sspod Resources: New music drop from our Boi YT https://x.com/realytcracker/status/1847599657569956099 AuthzAI Ron Chan Misconfigured User Auth Leads to Customer Messages Zendesk Write-up https://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b9d2cf2e52 Response from Zendesk Timestamps (00:00:00) Introduction (00:05:29) AuthzAI and the return of Ron Chan (00:13:50) Ophion Security Research (00:18:12) Zendesk Drama | |||
04 Apr 2024 | Episode 65: Motivation and Methodology with Sam Curry (Zlz) | 02:29:05 | |
Episode 65: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with Sam Curry to discuss the ethical considerations and effectiveness of hacking, the importance of good intent, and the enjoyment Sam derives from pushing the boundaries to find bugs. He shares stories of his experiences, including hacking Tesla, online casinos, Starbucks, his own ISP router, and even getting detained at the airport. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Project Discovery Conference: https://nux.gg/hss24 ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: Resources: Don’t Force Yourself to Become a Bug Bounty Hunter Timestamps: (00:00:00) Introduction (00:02:25) Hacking Journey and the limits of Ethical Hacking (00:28:28) Selecting companies to hack (00:33:22) Fostering passion vs. Forcing performance (00:54:06) Collaboration and Hackcompute (01:00:40) The Efficacy of Bug Bounty (01:09:20) Secondary Context Bugs (01:25:01) Mindmaps, note-taking, and Intuition. (01:46:56) Back-end traversals and Unicode (01:56:16) Hacking ISP (02:06:58) Next.js and Crypto (02:22:24) Dev vs. Prod JWT | |||
21 Dec 2023 | Episode 50: Mathias "Fall in a well" Karlsson - Bug Bounty Prophet | 02:24:31 | |
Episode 50: In this episode of Critical Thinking - Bug Bounty Podcast, Justin catches up with hacking master Mathias Karlsson, and talks about burnout, collaboration, and the importance of specialization. Then we dive into the technical details of MXSS and XSLT, character encoding, and give some predictions of what Bug Bounty might look like in the future… Follow us on twitter at: @ctbbpodcast Send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Episode Resources How to Differentiate Yourself as a Hunter Article About Unicode and Character Sets EXPLOITING HTTP'S HIDDEN ATTACK-SURFACE Timestamps: (00:00:00) Introduction (00:10:06) Automation Setup and Assetnote Origins (00:16:49) Sharing Tips, and Content Creation (00:22:27) Collaboration and Optimization (00:36:44) Working at Detectify (00:51:45) Bug Bounty Burnout (00:56:15) Early Days of Bug Bounty and Future Predictions (01:19:00) Nerdsnipeability (01:29:38) MXSS and XSLT (01:54:20) Learning through being wrong (02:00:15) Go-to Vulns | |||
09 Jan 2025 | Episode 105: Best Critical Thinking Moments from 2024 | 02:17:47 | |
Episode 105: In this episode of Critical Thinking - Bug Bounty Podcast we're back with another Best-of episode recapping some of our top moments of 2024. Follow us on twitter at: @ctbbpodcast Send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Rez0 on twitter: ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Check out our new SWAG store at https://ctbb.show/swag! Today’s Sponsor - ThreatLocker. Check out their Elevation Control! https://www.criticalthinkingpodcast.io/tl-ec Resources Episode 53 ctbb.show/53 Episode 59 ctbb.show/59 Episode 65 ctbb.show/65 Episode 69 ctbb.show/69 Episode 80 ctbb.show/80 Episode 81 ctbb.show/81 Episode 86 ctbb.show/86 Episode 87 ctbb.show/87 Episode 91 ctbb.show/91 Episode 93 ctbb.show/93 Episode 99 ctbb.show/99 Timestamps (00:00:00) Introduction (00:03:59) Episode 53 (00:17:12) Episode 59 (00:32:45) Episode 65 (00:48:08) Episode 69 (01:02:37) Episode 80 (01:18:09) Episode 81 (01:28:59) Episode 86 (01:41:04) Episode 87 (01:54:48) Episode 91 (02:01:48) Episode 93 (02:09:37) Episode 99 | |||
20 Jul 2023 | Episode 28: Surfin' with CSRFs | 01:18:05 | |
Episode 28: In this episode of Critical Thinking - Bug Bounty Podcast, the CSRF’s up, dude! We kick off with a debate about whether or not deep link vulns in mobile apps can be considered CSRF. We also talk browser extensions and tools like Hackbar, PwnFox, and JS Weasel, and Justin tries to invent a whole new vuln term. There’s plenty of good stuff here, so what are you waiting for? Jump on in! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater rez0's latest tip https://twitter.com/rez0__/status/168134822190014466019 Hackbar https://addons.mozilla.org/en-US/firefox/addon/hackbartool/ PwnFox https://twitter.com/adrien_jeanneau/status/1681364665354289152 JS Weasel Charlie Eriksen https://twitter.com/CharlieEriksen Link to talk by Rojan https://twitter.com/uraniumhacker/status/1681381857383030785 Bypassing GitHub's OAuth flow https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html Great SameSite Confusion https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/ Check out Nahamsec's Channel https://www.youtube.com/c/nahamsec Timestamps: (0:01:45) The deep link debate (00:08:00) LHE and in-person interviews (00:09:25) SQLMAP and raw requests (00:11:11) Hackbar, PwnFox, and browser extensions (00:16:45) JS Weasel tool and its features (00:25:28) Rojan's Research and Public Talks (Start of main content) (00:28:36) Cross-Site Request Forgery (CSRF) (00:35:00) Bypassing GitHub's OAuth flow (00:45:00) A Small SameSite Story (00:48:50) CSRF Exploitation Techniques (01:07:15) CSRF Bug Stories (01:15:30) NahamSec and DEFCON | |||
01 Jun 2023 | Episode 21: Chill Chat with Legendary DoD Hacker Corben Leo | 01:13:50 | |
In this episode of Critical Thinking - Bug Bounty Podcast, we chat with Corben Leo about his journey in bug bounty hunting and ethical hacking. We discuss the state of DNS rebinding in 2023, a Twitter thread by Douglas Day (@ArchAngelDDay) on one-hundred bug bounty rules, and our own unique approaches to bug hunting. We also discuss Corben's recon-focused bug hunting methodology and how he developed it. Don't miss this episode filled with valuable tips, insights, and Corben's Boring Mattress Company. Follow us on twitter at: @ctbbpodcast Get on our newsletter for some exclusive content: https://www.criticalthinkingpodcast.io/subscribe We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guest: Article on the State of DNS Rebinding in 2023: https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/ See @ArchAngelDDay's twitter thread about 100 bug bounty rules: https://twitter.com/ArchAngelDDay/status/1661924038875435008 Talkback - Cybersecurity news aggregator: PyPI announces mandatory 2FA: Timestamps: (00:00:00) Introduction (01:05) State of DNS rebinding in 2023 (04:40) 100 Bug Bounty Rules by @ArchAngelDDay (05:30) Give yourself a ‘no bug’ limit (07:00) The value of reporting Low and Medium Bugs for Bug Bounty Programs (11:15) Reporting Out of Scope Bugs (14:30) Reporting IDORs as Access Control Bugs (17:28) Talkback (18:12) PyPI's mandatory 2FA implementation for software publishers (Start of main content) (20:07) Starting out in bug bounty/ethical hacking (25:00) Hacking methodology and mentorship (28:15) Identifying Load Balancers (33:20) Triage and live events (38:30) College and Computer Science vs. Cybersecurity (45:45) Importance of writing for the Hacker Community (51:21) Storytelling and report writing (55:00) When to stop doing recon and start hacking (01:00:58) Lessons Learned from BreachlessAI and the pivot to Boring Mattress Co. | |||
17 Oct 2024 | Episode 93: A Chat with Dr. Bouman - Life as a Hacker and a Doctor | 01:41:29 | |
Episode 93: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Dr. Jonathan Bouman to discuss his unique journey as both a Hacker and a Healthcare Professional. We talk through how he balances his dual careers, some ethical considerations of hacking in the context of healthcare, and highlight some experiences he’s had with Amazon's bug bounty program. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker. Check out their ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect Today’s Guest - https://x.com/jonathanbouman?lang=en Resources Anyone can Access Deleted and Private Repository Data on GitHub Remote Code execution at ws1.aholdusa .com Hacking Dutch healthcare system Fitness Youtube Channels https://www.youtube.com/channel/UCpQ34afVgk8cRQBjSJ1xuJQ https://www.youtube.com/@BullyJuice Timestamps (00:00:00) Introduction (00:07:28) Medicine and Hacking (00:19:36) Hacking on Amazon (00:34:33) Collaboration and consistency (00:44:13) SSTI Methodology (01:06:10) iOS Hacking Methodology (01:13:23) Hacking Healthcare (01:32:19) Health tips for hacking | |||
23 May 2024 | Episode 72: Research TLDRs & Smuggling Payloads in Well Known Data Types | 00:52:49 | |
Episode 72: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss some hot research from the past couple months. This includes ways to smuggle payloads in phone numbers and IPv6 Addresses, the NextJS SSRF, the PDF.JS PoC drop, and a GitHub Enterprise Indirect Method Information bug. Also, we have an attack vector featured from Monke! Follow us on twitter at: @ctbbpodcast Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today's Sponsor - Project Discovery: https://nux.gg/podcast Resources: PDF.JS Bypass to XSS https://github.com/advisories/GHSA-wgrm-67xf-hhpq https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/ Better Bounty Transparency for hackers Smuggling payloads in phone numbers Github Enterprise send() bug https://x.com/creastery/status/1787327890943873055 https://x.com/Rhynorater/status/1788598984572813549 Timestamps: (00:00:09) Introduction (00:03:20) PDF.JS XSS and NextJS SSRF (00:12:52) Better Bounty Transparency (00:20:01) IPV6 Research and Phone Number Payloads (00:28:20) Community Highlight and Automatic Plugin CVE-2024-27956 (00:33:26) DomPurify Bypass and Github Enterprise send() bug (00:46:12) Caido cookie and header extension updates | |||
31 Aug 2023 | Episode 34: Program vs Hacker Debate | 02:10:50 | |
Episode 34: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel have both beaten COVID and now square off against each other in a mega-debate representing hackers and program managers respectively. Among the topics included are Disclosures, Dupes, Zero-Day Policy, payouts, budgets, Triage and Retesting. So, if you want blood-pumping, insult-hurling, opinion-invalidating debate…then maybe look somewhere else. But if a thought-provoking discussion about bug bounty is more your style, then take a seat and get ready! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Prompt Injection Primer for Engineers https://twitter.com/rez0__/status/1695078576104833291 Portswigger on XSS https://twitter.com/PortSwiggerRes/status/1691812241375424983 Gunnar Andrews' talk https://www.youtube.com/watch?v=aaDe1ADh5KM Jhaddix live training Giveaway New Website Fight music composed by Dayn Leonardson Timestamps: (00:00:00) Introduction (00:02:00) Joel’s DEFCON Recap (00:04:45) Prompt Injection Primer for Engineers by Rez0 (00:07:00) Portswigger Research and XSS (00:08:36) Gunnar Andrews' talk on serverless architecture (00:10:10) ‘Bug Hunter Methodology’ Course Giveaway The Debate (00:13:34) Zero-Day Policy and Payment for Vulnerabilities (00:25:40) Disclosure (00:33:52) Dupes (00:51:23) CVSS (01:02:25) Budgets and Payouts (01:15:00) Triage and Retesting (01:34:55) Withholding Reports (01:41:50) Root Cause Analysis (01:52:25) Interacting with hacker reports from a security standpoint (01:58:50) Internal Activity on a Report (02:01:15) Cost of running Bug Bounty Programs and LHE’s | |||
21 Mar 2024 | Episode 63: JHaddix Returns | 01:21:35 | |
Episode 63: In this episode of Critical Thinking - Bug Bounty Podcast we welcome back Jason Haddix (from Episode 12) to talk about some updates to The Bug Hunter's Methodology, as well as his own personal life and hacking journey. We talk about the start of his new company, and then venture into topics such as using threat intelligence and buying credentials from the dark web, recon techniques, and ways to integrate AI into your workflow (or target list). Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Today’s Guest: Resources: Dehashed Flare CSP Recon https://github.com/edoardottt/csprecon Timestamps: (00:00:00) Introduction (00:05:37) Updates to The Bug Hunter's Methodology (00:14:46) Red Teaming (00:21:29) Bug Bounty on the Dark Web (00:36:19) FIS hunting (00:47:59) New Recon Techniques (00:58:32) AI integrations and bounties | |||
09 Nov 2023 | Episode 44: URL Parsing & Auth Bypass Magic | 01:11:27 | |
Episode 44: In this episode of Critical Thinking - Bug Bounty Podcast, the topic is URL structure, and Justin and Joel break down the elements that make up a URL and some common tips and tricks surrounding them which allow for all sorts of bypasses. We also round out the episode with some new tools, ATO stories, and some controversial current events in the hacker scene. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. ATO through Facebook Login https://twitter.com/Jayesh25_/status/1718543152296939861 https://twitter.com/itscachemoney/status/1721658450613346557 Golden techniques to bypass host validations in Android apps Mozilla article on HTTP Authentication Breaking Parser Logic talk by Orange Tsai Timestamps: (00:00:00) Introduction (00:04:10) “Xnl-Reveal” (00:07:22) OAuth vulnerabilities (00:13:17) Recap of controversy surrounding the handling of a vulnerability report on H1 (00:18:55) Hacker Success Manager Program (00:22:30) Facebook login ATO (00:27:45) When URL parsers disagree (00:34:34) URL Structures (01:02:22) Shared secrets across environments (01:09:40) Social Media Logins | |||
16 Mar 2023 | Episode 11: CV$$, Web Cache Deception, and SSTI | 01:03:47 | |
Episode 11: In this episode of Critical Thinking - Bug Bounty Podcast we talk about CVSS (the good, the bad, and the ugly), Web Cache Deception (an underrated vuln class) and a sick SSTI Joel and Fisher found. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater MDSec Outlook Vuln: https://twitter.com/MDSecLabs/status/1635791863478091778 Jub0bs User-Existence Oracle Tweet: https://twitter.com/jub0bs/status/1633786349529513986 James Kettle's Tweet About BB ID Header Standardization: https://twitter.com/albinowax/status/1635951506791755776 15K Snapchat Numeric IDOR: https://hackerone.com/reports/1819832 Bug Bounty Reports Explained: https://www.bugbountyexplained.com/ CVSS Calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator Web Cache Deception Write-up: https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack.pdf | |||
22 Jun 2023 | Episode 24: AI + Hacking with Daniel Miessler and Rez0 | 01:03:49 | |
Episode 24: In this episode of Critical Thinking - Bug Bounty Podcast, we chat with Daniel Miessler and Rez0 about the emergence and potential of AI in hacking. We cover AI shortcuts and command line tools, AI in code analysis and the use of AI agents, and even brainstorm about the possible opportunities that integrating AI into hacking tools like Caido and Burp might present. Don't miss this episode packed with valuable insights and cutting-edge strategies for both beginners and seasoned bug bounty hunters alike. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guests: https://twitter.com/DanielMiessler Daniel Miessler’s Unsupervised Learning Simon Willison's Python Function Search Tool https://simonwillison.net/2023/Jun/18/symbex/ oobabooga - web interface for models https://github.com/oobabooga/text-generation-webui State of GPT https://karpathy.ai/stateofgpt.pdf AI Canaries https://danielmiessler.com/p/ai-agents-canaries GPT3.5 GPT Engineer https://github.com/AntonOsika/gpt-engineer Timestamps: (00:00:00) Introduction (00:05:40) Using AI for hacking: Developing hacking tools and workflow shortcuts (00:11:40) GPT Engineer and Small Developer for Security Vulnerability Mapping (00:22:40) The potential dangers of centralized vs. decentralized finance (00:24:10) Ethical hacking and circumventing ChatGPT restrictions (00:26:09) AI Agents, Reverse API, and Encoding/Decoding Tools (00:31:45) Limitations of AI in context window and processing large JavaScript files (00:36:50) Meta-prompter: Enhancing prompts for accurate responses from GPT (00:41:00) GPT-3.5 and the new 616K context model (00:45:08) Creating a loader for Burp Suite files or Caido instances (00:54:02) Hacking AI Features: Best Practices (01:00:00) AI plugin takeover and the need for verification of third-party plugins and tools | |||
14 Dec 2023 | Episode 49: Getting Live Hacking Event Invites & Bug Bounty Collab with Nagli | 00:51:33 | |
Episode 49: In this episode of Critical Thinking - Bug Bounty Podcast, Justin Gardner is once again joined by Nagli to discuss some of their recent hacking discoveries. They talk about finding and exploiting a backup file in an ASP.NET app, discovering vulnerabilities through Swagger files, and debating the vulnerability of a specific ‘undisclosed’ domain. Then they reflect on 2023’s Live Hacking Event circuit, and preview what’s to come in 2024’s. This episode is sponsored by Wordfence! Wordfence recently launched a game-changer of a bug bounty program in which ALL WordPress plugins with over 50k installs are in scope. They are currently paying 6.25x their normal bounty amounts, and have agreed to give CT listeners a 10% bonus on top of that! If you wanna pop some crits and see those bounties roll in, head over to https://ctbb.show/wf for more info and keep an eye on the CTBB Discord for inspiration/collabs. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Episode Resources: Timestamps: (00:00:00) Introduction (00:02:37) wwwroot .zip Hack Recap (00:13:44) Swagger File Hack Recap (00:18:27) Undisclosed URL Hack Recap (00:24:29) 2023 LHE Circuit Recap (00:37:14) 2024 LHE Preview and New Standards (00:47:22) Bug Bounty Motivation | |||
20 Apr 2023 | Episode 16: The Hacker's Toolkit | 01:17:14 | |
Episode 16: In this episode of Critical Thinking - Bug Bounty Podcast we talk about the hacker’s toolkit. Joel and Justin talk about their VPS setup, go-to hacking tools, most often used Linux commands, and the ways they duct tape all of these together for the big hacks. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on Twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Our Boi @rez0__ Dropping Some AI Hackz: https://twitter.com/rez0__/status/1648685943539245056?s=20 LiveOverflow Prompt Injection: https://www.youtube.com/watch?v=Sv5OLj2nVAQ Joel’s Private Network Solution: Stok & Tomnomnom on Vim/Bash: https://www.youtube.com/watch?v=l8iXMgk2nnY Latest GhostScript RCE: https://offsec.almond.consulting/ghostscript-cve-2023-28879.html Intigriti CSRF Basics & Jub0b's Legendary SameSite Article: https://twitter.com/intigriti/status/1646104705561403398 https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/ Nahamcon: Pentah0wnage: https://research.aurainfosec.io/pentest/pentah0wnage/ DNSChef: https://github.com/iphelix/dnschef Httpx: https://github.com/projectdiscovery/httpx Espanso: GoWitness: | |||
27 Jul 2023 | Episode 29: Live Episode with Sean Yeoh - Assetnote Engineer | 00:59:40 | |
Episode 29: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with Assetnote Engineer Sean Yeoh, and pick his brain about what he's learned on his development journey. We talk about the place and importance of message brokers, and which ones we like best, as well as his engineering philosophy regarding bottleneck prevention and the importance of pursuing optimization. Don't miss this episode of terrific technical tips! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guest: Assetnote XKCD automation graph GitHub repository https://github.com/alex/what-happens-when Article about Queues NATS MongoDB Timestamps: (00:00:00) Introduction (00:01:18) Story of Assetnote (00:05:20) Message Brokers and event-driven architectures (00:11:15) Preventing bottlenecks and pursuing optimization (00:21:35) Using a profiler (00:28:30) Choosing a Message Broker (00:33:00) Kubernetes and Conntrack Limits (00:37:13) Databases (00:46:30) Bug bounty tips: Sub-domain vs. IP Address (00:51:15) Engineering quandaries (00:53:38) DNS Wildcards | |||
18 May 2023 | Episode 19: Audit Code, Earn Bounties (Part 2) + Zip-Snip, Sitecore, and more! | 00:53:24 | |
Episode 19: In this episode of Critical Thinking - Bug Bounty Podcast we further discuss some tips and tricks for finding vulns once you’ve got source code, and some banger tweets/tools that popped up in our feed this week. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Part 1: https://open.spotify.com/episode/2pdTaWHSzl9CY7PgRQtvTi Noperator’s Zip-Snip: https://twitter.com/noperator/status/1658313637189111808 https://github.com/noperator/zip-snip https://noperator.dev/posts/zip-snip/ Insecure’s SIP Bugs: https://twitter.com/ifsecure/status/1656591469518495745 AssetNote’s Sitecore Bugs: https://blog.assetnote.io/2023/05/10/sitecore-round-two/ Fyoorer’s Shadow Clone: https://github.com/fyoorer/ShadowClone | |||
06 Jul 2023 | Episode 26: Client-side Quirks & Browser Hacks | 01:33:20 | |
In this episode of Critical Thinking - Bug Bounty Podcast, we're back with Joel, fresh (haha) off of back-to-back live hacking events in London and Seoul. We start with his recap of the events, and the different vibes of each LHE, then we dive into the technical thick of it, and talk web browsers, XSS vectors, new tools, CVSS 4, and much more than we can fit in this character limit. Just trust us when we say you don’t want to miss it! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ______ Episode 26 links: https://linke.to/Episode26Notes ______ Timestamps: (00:00:00) Introduction (00:04:10) LHE Vibes (00:07:45) "Hunting for NGINX alias traversals in the wild" (00:12:30) Various payouts in bug bounty programs (00:16:05) New XSS vectors and popovers (00:24:15) The "magical math element" in Firefox (00:27:15) LiveOverflow's research on HTML parsing quirks (00:32:10) Mr. Tux Racer, Woocommerce, and WordPress (00:40:00) Changes in the CVSS 4 draft spec (00:45:00) TomNomNom's new tool jsluice (00:51:15) JavaScript's import function (00:55:30) Gareth Heyes' book "JavaScript for Hackers" (01:02:24) Injecting JavaScript variables (01:09:15) Prototype pollution (01:13:15) DOM clobbering (01:18:10) Exploiting HTML injection using meta and base tags (01:25:00) CSS Games (01:28:00) Base tags | |||
23 Jan 2025 | Episode 107: Bypassing Cross-Origin Browser Headers | 01:06:17 | |
Episode 107: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph are tackling the subject of cross-origin security headers. They also cover some news items including Google’s OAuth login flaw, RAINK, and gift card hacking. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to https://x.com/realytcracker for the awesome intro music! ====== Links ====== Follow your hosts on Twitter: ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor - ThreatLocker. Check out their Managed Detection and Response! https://www.criticalthinkingpodcast.io/tl-mdr ====== Resources ====== A Proud Dad's Tale of Two Bug Hunting Daughters and Their Responsible Disclosures Top 10 web hacking techniques of 2024 Cross-Origin-Opener-Policy: preventing attacks from popups ====== Timestamps ====== (00:00:00) Introduction (00:05:13) Hacking with your kids (00:09:46) H1/bc pentests (00:12:23) Google’s OAuth login flaw (00:18:01) Raink & Rez0's AI tweets (00:28:46) Giftcard hacking & Portswigger top 10 voting (00:34:23) Cross Origin Web Headers | |||
02 Feb 2023 | Episode 4: H1-407 Event Madness & Takeaways Part 2 w/ Special Guest Spaceraccoon | 00:45:55 | |
Episode 4: In this episode of Critical Thinking - Bug Bounty Podcast we have part two of our series on the H1-407 HackerOne Live Hacking Event. This time, we have a special guest SpaceRaccoon (@spaceraccoonsec) talking about techniques and takeaways from the event. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Spaceraccoon’s blog: Spaceraccoon’s twitter: https://twitter.com/spaceraccoonsec Responder (NTLM Hash harvesting tool): https://github.com/lgandx/Responder The malware reversing course Spaceraccoon recommended: https://courses.zero2auto.com/ Offensive Security Exploit Development Courses: https://www.offensive-security.com/courses-and-certifications/ | |||
04 Jul 2024 | Episode 78: Less Writing, More Hacking - Reporting Efficiency Techniques | 01:06:25 | |
Episode 78: In this episode of Critical Thinking - Bug Bounty Podcast we’re talking about writing reports. We share some tips that we’ve learned, and discuss ways that AI can (and can’t) help with that process. We also talk about the benefit of using tools like Fabric, Loom, and ShareX. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker Resources: XSS WAF Bypass by multi-char HTML entities hey why can't you fix this one bug Justin's reporting templating software 2to3 Automated Python Converter Timestamps: (00:00:00) Introduction (00:04:00) XSS WAF Bypass by Multi-char HTML Entities (00:11:59) Next.js and Cache Poisoning (00:18:03) Nagli's Nuclei Template and Sean Yeoh's Blog (00:27:34) Report Writing and AI (00:50:02) Reporting tips | |||
19 Sep 2024 | Episode 89: The Untapped Bug Bounty Landscape of IoT w/ Matt Brown | 01:58:03 | |
Episode 89: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined live by Matt Brown to talk about his journey with hacking in the IoT. We cover the specializations and challenges in hardware hacking, and Matt’s personal Methodology. Then we switch over to touch on BGA Reballing, Certificate Pinning and Validation, and some of his own bug stories. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder Today’s Guest Matt Brown: https://x.com/nmatt0 Resources: Decrypting SSL to Chinese Cloud Servers https://www.youtube.com/watch?v=3qSxxNvuEtg mitmrouter https://github.com/nmatt0/mitmrouter certmitm Automatic Exploitation of TLS Certificate Validation Vulns https://www.youtube.com/watch?v=w_l2q_Gyqfo and https://github.com/aapooksman/certmitm HackerOne Detailed Platform Standards https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards Timestamps: (00:00:00) Introduction (00:13:33) Specialization and Challenges of IoT Hacking (00:33:03) Decrypting SSL to Chinese Cloud Servers (00:47:00) General IoT Hacking Methodology (01:26:00) Certificate Pinning and Certificate Validation (01:34:35) BGA Reballing (01:43:26) Bug Stories | |||
18 Apr 2024 | Episode 67: VDPs & Accidental Program VS Hacker Debate Part 2 | 01:19:51 | |
Episode 67: In this episode of Critical Thinking - Bug Bounty Podcast we deep dive on the topic of Vulnerability Disclosure Programs (VDPs) and whether they are beneficial or not. We also touch on the topic of leaderboard accuracy, and continue the Program VS Hacker debate regarding allocating funds for bounties. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Project Discovery Conference: https://nux.gg/hss24 Resources: Nagli's Braindump on VDPs https://twitter.com/galnagli/status/1780174392003031515 Timestamps: (00:00:00) Introduction (00:05:37) VDP programs (00:34:10) Leaderboards (00:43:52) Hacker vs. Program debate Part 2 (01:07:24) Walling Off Endpoints | |||
08 Jun 2023 | Episode 22: Chipping Away at Hardware Hacking | 01:11:48 | |
Episode 22: In this episode of Critical Thinking - Bug Bounty Podcast we talk about some basic/intermediate concepts related to Hardware Hacking. Specifically, we dive into extracting data from eMMC chips in order to get our hands on source code for IoT devices. Don't miss this episode packed with valuable insights, tips, and strategies for beginners and seasoned bug bounty hunters alike! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Check out NahamCon: RiverLoop Security Write-up: https://bit.ly/3oSKL1o Good Chip-Off Write-up: Scratching chips to expose pins: Chat with Corben on Degrees: https://youtu.be/N9P5PUx-PNQ?t=2311 Gareth Heyes Tweet: Huntress - John Hammond - MOVEit Response: Critical Thinking Hardware Hacking Setup - See the gear we're talking about (Affiliate links): https://linke.to/hardwarehackingset Timestamps: (00:00:00) Introduction (01:03) NahamCon's Live Hacking Event and Justin's Presentation on PCI DSS (02:40) Deprecation of Data URLs in SVG Use Element (04:55) Gareth Heyes and knowledge sharing in the hacking community (07:50) MOVEit vulnerability and John Hammond’s epic 4 am rants (12:18) Identifying promising leads in bug bounty hunting, and knowing when to move on (Start of main content) (21:40) Hardware Recon, and using Test Pins to Access eMMC Chip (26:16) Identifying Chip Pinouts and Continuity Testing (29:01) Using Logic Analyzers for Hardware Hacking (33:01) Importance of Fundamental Knowledge in Hacking, and the benefits of understanding Electrical Engineering (35:46) Replay Protected Memory Block Protocol (40:00) Bug Bounty Programs and Hardware Testing Support (41:05) Chip Pulling techniques and Essential Equipment for Hardware Hacking (59:50) Tips for Buying Hardware Hacking Tools: Research and Specific Use Cases (01:06:35) Hardware Hacking: Just scratching the surface. (01:08:45) Vulnerability Disclaimer: Pulling OS from a chip does not constitute a Vulnerability. | |||
18 Jan 2024 | Episode 54: White Box Formulas - Vulnerable Coding Patterns | 01:12:38 | |
Episode 54: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with news items and new projects. Joel shares about his personal scraping project to gather data on bug bounty programs and distribution. Next, they announce the launch of HackerNotes, a podcast companion that will summarize the main technical points of each episode. They also discuss a recent GitLab CVE and an invisible prompt injection, before diving into a discussion (or debate) about vulnerable code patterns. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. GitLab CVE https://github.com/Vozec/CVE-2023-7028 https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/ Fix commit: https://gitlab.com/gitlab-org/gitlab/-/commit/abe79e4ec437988cf16534a9dbba81b98a2e7f18 Invisible Prompt Injection https://x.com/goodside/status/1745511940351287394?s=20 Regex 101 Regex to Strings https://www.wimpyprogrammer.com/regex-to-strings/ Timestamps (00:00:00) Introduction (00:01:54) Joel’s H1 Data Scraping Research (00:19:23) HackerNotes launch (00:21:29) GitLab CVE (00:27:45) Invisible Prompt Injection (00:33:52) Vulnerable Code Patterns (00:37:51) Sanitization, but then modification of data afterward (00:45:39) Auth check inside body of if statement (00:48:15) Check for bad patterns with if, but then don't do any control flow (00:50:21) Bad Regex (01:00:36) Replace statements for sanitization (01:04:32) Anything that allows you to call functions or control code flow in uncommon ways | |||
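Four of the vulnerable coding patterns named in the Episode 54 timestamps (sanitization followed by modification of the data, an if-check that logs but does no control flow, replace statements used as sanitization, and a bad regex), each shown beside a fixed form. This is an added illustration, not code from the episode or the podcast; the function names, the `/var/www/uploads/` base path, the `example.com` allowed host and the sample inputs are all constructed for the example.

```python
"""Added example (not from the podcast): vulnerable coding patterns from the
Episode 54 timestamps, each next to a fixed version. All names, paths and
inputs here are constructed for illustration."""
import html
import re
from urllib.parse import unquote, urlsplit

# Pattern: sanitization, but then modification of the data afterward.
# The escape runs first; a later "normalization" step decodes %xx sequences
# and reintroduces exactly the characters the escape neutralized.
def render_name_vulnerable(name: str) -> str:
    cleaned = html.escape(name)
    cleaned = unquote(cleaned)          # added later, undoes the sanitization
    return f"<b>{cleaned}</b>"

def render_name_fixed(name: str) -> str:
    decoded = unquote(name)             # do every transformation first...
    return f"<b>{html.escape(decoded)}</b>"   # ...and sanitize last, at the sink

# Pattern: check for a bad pattern with an if, but no control flow afterwards.
# The traversal attempt is recorded in the audit list and then served anyway.
def resolve_path_vulnerable(requested: str, audit: list) -> str:
    if ".." in requested:
        audit.append(f"traversal attempt: {requested}")   # logged, then ignored
    return "/var/www/uploads/" + requested

def resolve_path_fixed(requested: str, audit: list) -> str:
    if ".." in requested or requested.startswith("/"):
        audit.append(f"traversal attempt: {requested}")
        raise ValueError("invalid path")                    # actually stop here
    return "/var/www/uploads/" + requested

# Pattern: replace statements used as sanitization.
# str.replace removes every occurrence in one pass, but a nested token
# reassembles after the inner copy is stripped out.
def strip_script_vulnerable(fragment: str) -> str:
    return fragment.replace("<script>", "").replace("</script>", "")

def strip_script_fixed(fragment: str) -> str:
    return html.escape(fragment)        # encode at the sink instead of blocklisting

# Pattern: bad regex.
# Anchored only at the start and with an unescaped dot, so any URL that merely
# begins with something resembling the trusted origin is accepted.
ALLOWED_HOST = "example.com"

def is_trusted_redirect_vulnerable(url: str) -> bool:
    return re.match(r"https://example.com", url) is not None

def is_trusted_redirect_fixed(url: str) -> bool:
    parts = urlsplit(url)               # parse, then compare the hostname exactly
    return parts.scheme == "https" and parts.hostname == ALLOWED_HOST

if __name__ == "__main__":
    payload = "%3Cimg src=x onerror=alert(1)%3E"
    print(render_name_vulnerable(payload))
    print(render_name_fixed(payload))
    print(strip_script_vulnerable("<scr<script>ipt>alert(1)</scr</script>ipt>"))
    print(is_trusted_redirect_vulnerable("https://example.com.evil.net/"),
          is_trusted_redirect_fixed("https://example.com.evil.net/"))
```

The common thread is ordering and termination: decode and transform before you sanitize, make a detected bad input stop the request rather than just log it, encode at the output sink instead of stripping a blocklist, and compare parsed components instead of regex-matching a prefix.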
07 Mar 2024 | Episode 61: A Hacker on Wall Street - JR0ch17 | 01:27:00 | |
Episode 61: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Jasmin Landry to share some stories about startup security, bug bounty, and the challenges of balancing both. He also shares his methodology for discovering OAuth-related bugs, highlights some differences between structured learning and self-teaching, and then walks us through a couple of arbitrary ATO and SSTI-to-RCE bugs he’s found lately. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: Jasmin Landry Resources: Dirty Dancing blog post https://labs.detectify.com/writeups/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/ OAuth 2.0 Threat Model and Security Considerations https://datatracker.ietf.org/doc/html/rfc6819 OAuth 2.0 Security Best Current Practice https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics Timestamps: (00:00:00) Introduction (00:02:20) Meta Tag + DOMPurify Bug (00:09:36) Jasmin's Origin story (00:28:23) Full time Bug bounty challenges (00:36:57) Career jumps in Security and current Role (00:47:32) OAuth Bug methodology and cool bug stories (01:02:35) Social Engineering and Bug Bounty (01:13:41) Arbitrary ATO bug (01:19:41) SSTI to RCE bug | |||
18 Jul 2024 | Episode 80: Pwn2Own VS H1 Live Hacking Event (feat SinSinology) | 02:49:26 | |
Episode 80: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Sina Kheirkhah to talk about the start of his hacking journey and explore the differences between the Pwn2Own and HackerOne events. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker Today’s Guest: https://x.com/SinSinology Blog: https://sinsinology.medium.com/ Resources: Advanced .NET Exploitation Training Timestamps: (00:00:00) Introduction (00:12:45) Learning, Mentorship, and Failure (00:29:34) Pentesting and Pwn2Own (00:40:05) Hacking methodology (01:01:57) Debuggers and shells in IoT Devices (01:35:40) Differences between ZDI and HackerOne (02:02:27) Pwn2Own Steps and Stories (02:14:06) Master of Pwn Title (02:29:54) Bug reports | |||
20 Feb 2025 | Episode 111: How to Bypass DOMPurify in Bug Bounty with Kevin Mizu | 01:49:15 | |
Episode 111: In this episode of Critical Thinking - Bug Bounty Podcast Justin interviews Kevin Mizu to showcase his knowledge regarding DOMPurify and its misconfigurations. We walk through some of Kevin’s research, highlighting things like Dangerous allow-lists and URI Attributes, DOMPurify hooks, node manipulation, and DOM Clobbering. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== Resources ====== Exploring the DOMPurify library: Bypasses and Fixes (1/2) https://mizu.re/post/exploring-the-dompurify-library-bypasses-and-fixes Exploring the DOMPurify library: Hunting for Misconfigurations (2/2) https://mizu.re/post/exploring-the-dompurify-library-hunting-for-misconfigurations Dom-Explorer tool https://yeswehack.github.io/Dom-Explorer/shared?id=772a440c-b0c2-4991-be71-3e271cf7954f CT Episode 61: A Hacker on Wall Street - JR0ch17 https://www.criticalthinkingpodcast.io/episode-61-a-hacker-on-wall-street-jr0ch17/ ====== Timestamps ====== (00:00:00) Introduction (00:01:44) Kevin Mizu - Background and Bring-a-bug (00:15:09) DOMPurify (00:29:04) Misconfigurations - Dangerous allow-lists (00:39:09) Dangerous URI attributes configuration (00:46:08) Bad usage (00:59:55) DOMPurify Hooks: before, after, and upon SanitizeAttribute (01:29:15) Node manipulation, nodeName namespace case confusion, & DOM Clobbering DOS (01:36:51) Misc concepts for future research | |||
10 Apr 2025 | Episode 118: Hacking Happy Hour: 0days on Tap and SQLi Shots | 00:58:29 | |
Episode 118: In this episode of Critical Thinking - Bug Bounty Podcast we cover a host of news, including client-side tidbits, “credentialless” iframes, prototype pollution, and what constitutes a polyglot in llms.txt. Follow us on X Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow Rhynorater and Rez0 on X ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! You can also find some hacker swag! ====== Resources ====== The art of payload obfuscation Analyzing the Next.js Middleware Bypass llms.txt polyglot prompt injection React Router and the Remix’ed path Pre-Authentication SQL Injection in Halo ITSM Pwning Millions of Smart Weighing Machines ====== Timestamps ====== (00:00:00) Introduction (00:05:56) Next.js Middleware bypass & Polyglots in llms.txt (00:16:35) CPDoS on React Router (00:24:26) Loose Types Sink Ships & Pwning Smart Scales (00:32:30) MCP Server OAuth & Cline (00:39:40) Client-side Tidbits & Prototype Pollution | |||
13 Jul 2023 | Episode 27: Top 7 Esoteric Web Vulnerabilities | 01:20:16 | |
Episode 27: In this episode of Critical Thinking - Bug Bounty Podcast, we've switched places and now Joel is home while Justin is on the move. We break down seven esoteric web vulnerabilities, and talk Cookies, Config File Injections, Client-side path traversals and more. We also briefly discuss appliance hacking, new tools, and shout out some new talent in the hacking space. Don't miss this episode full of cool vulns, and experience Justin's vocal decline in real time. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Encrypted Doesn't Mean Authenticated: https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/ Tweet about headless chrome browser https://twitter.com/bhavukjain1/status/1678719047209484288?t=NWnZvwHTRMyH_lVC-uXe0g&s=19 Shout out to new talent within the hacking space Tweet about hacking Google Search Appliance https://twitter.com/orange_8361/status/1677378401957724160 Bitquark releases shortscan https://twitter.com/bitquark/status/1677647450989838338 Hacking Starbucks https://samcurry.net/hacking-starbucks/ Justin's CookieJar Tool https://apps.rhynorater.dev/checkCookieJarOverflow.html HackTricks https://book.hacktricks.xyz/pentesting-web/hacking-with-cookies/cookie-jar-overflow XSLeak Timestamps: (00:00:00) Introduction (00:04:00) Assetnote on ShareFile RCE (00:13:05) Headless Browsers (00:17:00) Hacker Content Creators (00:22:51) Appliance Hacking (00:30:31) Shortscan Release (Start of main content) (00:35:39) Config File Injection (00:44:00) Client-side Path Traversal (00:51:33) Cookie Bombing (00:58:00) Cookie Jar Overflow (01:03:50) XSLeak (01:10:49) UNC Path Injection (01:15:50) Impactful Link Hijack | |||
09 Feb 2023 | Episode 6: Mobile Hacking Attack Vectors with Teknogeek (Joel Margolis) | 01:39:07 | |
Episode 6: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with mobile hacking legend Joel Margolis and get the scoop on his approach to popping bugs on Android. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Joel’s HackerOne Android Hacking Introduction: Android Pixel Lock Screen Bypass Exploiting Deeplink URLs: https://inesmartins.github.io/exploiting-deep-links-in-android-part1/index.html Joel’s get_schemas tool: https://github.com/teknogeek/get_schemas Example AndroidManifest.xml we referenced: Android docs for intent filters: https://developer.android.com/guide/components/intents-filters.html Android docs for “setAllowContentAccess”: Android docs for “setAllowFileAccess”: https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccess(boolean) Add JavaScript Interface to WebView: Joel’s SSL Pinning Bypass: https://gist.github.com/teknogeek/4dc35fb3801bd7f13e5f0da5b784c725 Google Chrome Docs for Intent URLs: https://developer.chrome.com/docs/multidevice/android/intents/#considerations Joel’s Bug Bounty Report: | |||
08 Feb 2024 | Episode 57: Technical breakdown from Miami Hacking Event - H1-305 | 00:32:34 | |
Episode 57: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are live from Miami, and recap their experience and share takeaways from the live hacking event. They highlight the importance of paying attention to client-side routing and the growing bug class of client-side path traversal. They also discuss the challenges of knowing when to cut your losses and the value of tracking time and setting goals. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Timestamps: (00:00:00) Introduction (00:03:50) Miami LHE Recap and Takeaways (00:05:57) Keeping time and cutting losses. (00:19:07) Roles and Goals (00:23:33) OAuth (00:28:52) HTML5 image to img Tip | |||
03 Apr 2025 | Hacking AI Series: Vulnus ex Machina - Part 1 | 00:32:20 | |
Episode 117: In this episode of Critical Thinking - Bug Bounty Podcast Joseph introduces Vulnus ex Machina: a 3-part mini-series on hacking AI applications. In this part, he lays the groundwork and focuses on AI reconnaissance. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== Resources ====== Building Reliable Web Agents https://x.com/pk_iv/status/1904178892723941777 17 security checks from VIBE to PRODUCTION https://x.com/Kaamiiaar/status/1902342578185630000 How to Hack AI Agents and Applications https://josephthacker.com/hacking/2025/02/25/how-to-hack-ai-apps.html AI Crash Course Repo https://github.com/henrythe9th/ai-crash-course Deep Dive into LLMs like ChatGPT https://www.youtube.com/watch?v=7xTGNNLPyMI ====== Timestamps ====== (00:00:00) Introduction (00:01:54) AI News (00:08:09) How to Hack AI Agents and Applications (00:14:26) The Recon Process (00:25:06) Initial Probing & Steering | |||
29 Aug 2024 | Episode 86: The X-Correlation between Frans & RCE - Research Drop | 00:42:09 | |
Episode 86: In this episode of Critical Thinking - Bug Bounty Podcast Frans blows Justin’s mind with a sneak peek of his new presentation. Note: This is a little different from our normal episode, and video is recommended. So head over to ctbb.show/yt if you feel like you’re missing something. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Shop our new swag store at ctbb.show/swag Watch this Episode on Youtube - ctbb.show/yt Today’s Guest: Frans Rosen - https://x.com/fransrosen View the slides of this presentation at https://speakerdeck.com/fransrosen/x-correlation-injections-or-how-to-break-server-side-contexts Timestamps (00:00:00) Introduction (00:04:09) x-correlation injection (00:21:10) Server-side JSON-Injection (00:32:10) Fuzz Blindly and Optimizing Blind RCE | |||
13 Feb 2025 | Episode 110: OAuth Gadget Correlation and Common Attacks | 00:49:41 | |
Episode 110: In this episode of Critical Thinking - Bug Bounty Podcast we hit some quick news items including a DOMPurify 3.2.3 Bypass, O3 mini updates, and a cool postLogger Chrome Extension. Then, we hone in on OAuth vulnerabilities, API keys, and innovative techniques hackers use to exploit these systems. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to https://x.com/realytcracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== Resources ====== Jason Zhou's post about O3 mini Live Chat Blog #2: Cisco Webex Connect nOAuth: How Microsoft OAuth Misconfiguration Can Lead to Full Account Takeover Account Takeover using SSO Logins ====== Timestamps ====== (00:00:00) Introduction (00:01:44) DOMPurify 3.2.3 Bypass (00:06:37) O3 mini (00:10:29) Ophion Security: Cisco Webex Connect (00:15:54) Discord Community News (00:19:12) postLogger Chrome Extension (00:21:04) Common OAuth Vulnerabilities & Lessons learned from Google’s APIs | |||
15 Jun 2023 | Episode 23: Hacker Loadouts | 01:14:34 | |
Episode 23: In this episode of Critical Thinking - Bug Bounty Podcast, we delve into a different aspect of hardware - Our personal loadouts. We go through the equipment and gear we use to get our jobs done, and share stories about why we picked what we have. We also touch on live hacking events, the growing acceptance of white hat hacking, and some pretty cool news going on in the hacker world. Don't miss this episode packed with tips and strategies for both beginners and seasoned hackers alike! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Blog post on hacking root EPP servers https://hackcompute.com/hacking-epp-servers/ Behind this Website: https://github.com/jonkeegan/behind-this-website Tweet about vRealize Network Insight: https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/ Zoom's new vulnerability impact scoring system: https://viss.zoom.com/specifications Uplift Desks Synergy Ahnestly chair reviews: https://www.youtube.com/c/Ahnestly Our producer’s new audio drama ‘Homicide at Heavensgate’ https://link.sentinelstudios.net/homicide Timestamps: (00:00:00) Introduction (00:02:28) Navigating hacking events and imposter syndrome (00:06:30) Blog post on hacking root EPP servers (00:10:01) The growing acceptance of white-hat hacking (00:12:25) Finding Website Owners and Contact Information (00:16:45) VMware vRealize Network Insight CVEs and nginx reverse proxy bypass (00:21:30) Zoom's new vulnerability impact scoring system (00:27:24) The Importance of Analyzing Systemic Problems in Black Box Testing (00:30:40) Documentation, Vulnerable by Design, and acceptable risk (Start of main content) (00:34:37) Leveling up your Hacker Setup (00:37:13) The Importance of your body (00:41:30) Investing in ergonomic equipment for computer work (00:42:27) Standing Desks: Uplift Desk and DIY standing desk options (00:46:00) Portable Tables: Flexible Workspace Solutions (00:47:30) Monitor Setup (00:54:40) Synergy: One keyboard and mouse across multiple devices (00:57:20) Capture Card: Using it as a software display (00:58:58) Keyboards and mice (01:03:27) Using a Chromebook for lightweight hacking (01:08:57) Chair Reviews: The Niche World of High-End Chairs | |||
06 Feb 2025 | Episode 109: Creative Recon - Alternative Techniques | 01:01:42 | |
Episode 109: In this episode of Critical Thinking - Bug Bounty Podcast we start off with a quick recap of some of the DeepSeek drama that’s been going down, and discuss AI in CAPTCHA and 2FA as well. Then we switch to cover some other news before settling in to talk about alternative recon techniques. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to https://x.com/realytcracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor - ThreatLocker. Check out their Managed Detection and Response! ====== Resources ====== Wiz Research Uncovers Exposed DeepSeek Database Stealing HttpOnly cookies with the cookie sandwich technique Report Pointers for Collaborative Chains Clone2Leak: Your Git Credentials Belong To Us GoogleChrome related-website-sets ====== Timestamps ====== (00:00:00) Introduction (00:02:03) DeepSeek debacle and Bypass Bot Detection (00:23:48) Stealing HttpOnly cookies with the cookie sandwich technique (00:30:54) Report Pointers for Collaborative Chains (00:34:43) Clone2Leak: Your Git Credentials Belong To Us (00:40:04) Deanonymization for Signal and Discord (00:41:53) Alternative Recon Techniques | |||
11 Jan 2024 | Episode 53: 500k/yr as Full-Time Bug Hunter & Content Creator - Nahamsec | 01:40:47 | |
Episode 53: In this episode of Critical Thinking - Bug Bounty Podcast, we’re joined by none other than NahamSec. We start by discussing the challenges he faced on his journey in bug bounty hunting and content creation, including personal struggles and the pressure of success. We also talk about finding balance and managing mental energy, going the extra mile, and the importance of planning and setting goals for yourself, before he walks us through some Blind XSS techniques. Follow us on twitter at: @ctbbpodcast Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Timestamps: (00:00:00) Introduction (00:01:37) Costs of Content Creation (00:21:12) Hacking 'identities' and Pivoting (00:36:49) Hacking Methodology (00:58:59) Planning, Goals, and Nahamsec's 2023 Performance (01:10:19) Blind XSS (01:35:19) Going the extra mile in Bug Bounty | |||
04 May 2023 | Episode 17: LA Live Chat with Five Legendary Hackers | 00:47:09 | |
Episode 17: In this episode of Critical Thinking - Bug Bounty Podcast we talk with five legendary hackers about some of their favorite bugs. Live. From LA. Corben Leo “Lorben CEO” @hacker_ Sam “ZLZ” “ZOZL” “The King” Curry @samwcyo Frans “The Legend” Rosen @fransrosen Jonathan “Doc” Bouman @JonathanBouman Nagli…NagliNagli @naglinagli Shoutout to Jonathan Bouman’s Mom! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater FOLLOW OUR LINKEDIN ACCOUNT FOR NAGLI: https://www.linkedin.com/company/ctbbpodcast Sam Curry’s shoutout - Ian Carroll’s Seats.Aero: https://seats.aero/ | |||
14 Mar 2024 | Episode 62: Frontend Language Oddities | 00:58:43 | |
Episode 62: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with some additional research resources that didn’t make the Portswigger Top-Ten, but that are worth looking at. Follow us on twitter at: @ctbbpodcast Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Resources: Cool HTML Shit https://twitter.com/jcubic/status/1764311080661082201 https://twitter.com/encodeart/status/1764218128374943764 Bug bounty Hunting Journeys https://twitter.com/ajxchapman/status/1762101366057525521 https://monkehacks.beehiiv.com/p/monkehacks-02 Deobfuscating/Unminifying Obfuscated Code Abusing perspectives: https://hackerone.com/reports/2401115 PortSwigger CSS Exfiltration https://github.com/PortSwigger/css-exfiltration Timestamps: (00:00:00) Introduction (00:02:06) Cool HTML Shit (00:15:31) Bug Bounty Journeys (00:28:01) Yelp Cookie Bridge Bug (00:37:56) Additional Research Resources (00:46:34) CSS and abusing perspectives | |||
02 Jan 2025 | Episode 104: 2024 Hacker Stats & 2025 Goals | 00:29:00 | |
Episode 104: In this episode of Critical Thinking - Bug Bounty Podcast Justin reflects upon the past year and walks through some of the bug bounty goals he had for 2024, and how he feels like he did. Then he sets some goals for 2025, as well as some exciting CT news for the coming year. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Rez0 on X: ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Check out our new SWAG store at https://ctbb.show/swag! Resources CTBB Full Time Guild Critical Research Lab CT Episode 51 - 2024 Goals https://www.criticalthinkingpodcast.io/episode-51-hacker-stats-2023-2024-goals/ Personal BB inventory and goals Timestamps (00:00:00) introduction (00:00:57) Critical Thinking 2025 Announcements (00:04:21) Personal Inventory of 2024 (00:24:05) Goals for 2025 | |||
03 Aug 2023 | Episode 30: Recon Legend Shubs - From Burgers to Bounties | 01:19:25 | |
Episode 30: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to be joined by renowned bug bounty hunter Shubs. We kick off with him sharing his journey from burgers to bugs, and how his friendly rivalry with a fellow hacker fueled his passion for reconnaissance, as well as his love of collaboration. We then shift gears to talk about the art of debugging, the ethics and economics of bug bounty hunting, the transition to entrepreneurship, and the evolution of Assetnote from a reconnaissance tool to an enterprise security software suite. This one’s a banger, and we don’t want you to miss it! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guest: @infosec_au Intro Shoutouts Assetnote Bishop Fox Shortscan https://github.com/bitquark/shortscan XXE Payload https://gist.github.com/Rhynorater/d0d19f757221a916a22476c3a5c6aba2 Timestamps (00:00:00) Introduction (00:05:48) History as a Hacker: Recon, rivalries, and Riot Games (00:12:13) Collaboration and Community in Bug Bounty (00:18:19) The Art of Debugging (00:21:48) Assetnote News and overview (00:30:43) CVE reversing (00:32:58) Zero-day vulns (00:42:48) Bug Bounty Ethics and Economics (00:52:53) Bug Bounty and Entrepreneurship (01:03:58) Business lessons learned (01:07:48) Advice for Hunters looking to grow (01:12:38) IIS Server Techniques | |||
11 May 2023 | Episode 18: Audit Code, Earn Bounties | 01:06:58 | |
Episode 18: In this episode of Critical Thinking - Bug Bounty Podcast, we dive into everything source-code related: how to get source code and what to do with it once you have it. This episode is packed with great examples of successful source code review, tips on how to review code yourself, and the tools you'll need along the way. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Crossing the KASM: https://www.youtube.com/watch?v=NwMY1umhpgg PWNAssistant by Elttam: https://www.elttam.com/blog/pwnassistant/#content Andre's Git Arbitrary Configuration Injection: https://blog.ethiack.com/en/blog/git-arbitrary-configuration-injection-cve-2023-29007 jub0bs' Smorgasbord of a Bug Chain: https://jub0bs.com/posts/2023-05-05-smorgasbord-of-a-bug-chain/ Ankur Sundara's Cookie Bugs - Smuggling & Injection: https://twitter.com/ankursundara/status/1654556463703134208?t=7nTUSszPB6fS3MkATzxpaQ&s=19 James Kettle's Notes on Novel Pathways to Poisoning (cool quirks in here): https://twitter.com/albinowax/status/1654767919690031106?t=vbVEOML5_QnWByi0m8Nv4A&s=19 Ignore Irrelevant Scripts During Debugging by Johan Carlsson: https://twitter.com/joaxcar/status/1653787336105156616 Every known way to get references to windows: https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2d VS Code Todo Highlight: https://marketplace.visualstudio.com/items?itemName=wayou.vscode-todo-highlight VS Code: |