Podcast Critical Thinking - Bug Bounty Podcast by Justin Gardner (Rhynorater) & Joseph Thacker (Rez0) Episodes

Explore every episode of the podcast Critical Thinking - Bug Bounty Podcast

Dive into the complete episode list for Critical Thinking - Bug Bounty Podcast. Each episode is cataloged with detailed descriptions, making it easy to find and explore specific topics. Keep track of all episodes from your favorite podcast and never miss a moment of insightful content.

	Title	Pub. Date	Duration
	Episode 94: Zendesk Fiasco & the CTBB Naughty List	24 Oct 2024	00:49:29
Episode 94: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel give their perspectives on the recent Zendesk fiasco and the ethical considerations surrounding it. They also highlight the launch of AuthzAI and some research from Ophion Security Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - AssetNote. Listen to their podcast https://www.criticalthinkingpodcast.io/sspod Resources: New music drop from our Boi YT https://x.com/realytcracker/status/1847599657569956099 AuthzAI https://authzai.com/ Ron Chan https://x.com/ngalongc Misconfigured User Auth Leads to Customer Messages https://www.ophionsecurity.com/post/live-chat-blog-1-misconfigured-user-auth-leads-to-customer-messages Zendesk Write-up https://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b9d2cf2e52 Response from Zendesk https://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b9d2cf2e52?permalink_comment_id=5232589#gistcomment-5232589 Timestamps (00:00:00) Introduction (00:05:29) AuthzAI and the return of Ron Chan (00:13:50) Ophion Security Research (00:18:12) Zendesk Drama
	Episode 93: A Chat with Dr. Bouman - Life as a Hacker and a Doctor	17 Oct 2024	01:41:29
Episode 93: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Dr. Jonathan Bouman to discuss his unique journey as both a Hacker and a Healthcare Professional. We talk through how he balances his dual careers, some ethical considerations of hacking in the context of healthcare, and highlight some experiences he’s had with Amazon's bug bounty program. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker. Checkout their ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect Today’s Guest - https://x.com/jonathanbouman?lang=en Resources Anyone can Access Deleted and Private Repository Data on GitHub Filesender Github Remote Code execution at ws1.aholdusa .com APK-MITM Hacking Dutch healthcare system Fitness Youtube Channels https://www.youtube.com/channel/UCpQ34afVgk8cRQBjSJ1xuJQ https://www.youtube.com/@BullyJuice Timestamps (00:00:00) Introduction (00:07:28) Medicine and Hacking (00:19:36) Hacking on Amazon (00:34:33) Collaboration and consistency (00:44:13) SSTI Methodology (01:06:10) iOS Hacking Methodology (01:13:23) Hacking Healthcare (01:32:19) Health tips for hacking
	Episode 84: 0xLupin & Takeaways from Google's Las Vegas BugSwat	15 Aug 2024	00:27:15
Episode 84: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by Roni Carta (@0xLupin) to discuss their MVH win at the recent Google LHE, and share some technical observations they had with the target and the event. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://x.com/0xLupin Today’s Sponsor - ThreatLocker Timestamps: (00:00:00) Introduction (00:02:12) MHV Debrief (00:09:05) Sandboxes and Comfort Zones (00:13:24) SDKs and Legal Compliance (00:19:29) Age of Target and Platform-Exclusive Hunters
	Episode 83: Brainstorming Proxy Plugins	08 Aug 2024	00:54:50
Episode 83: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin are brainstorming new features and improvements for Caido, such as the implementation of a 403 bypassing workflow, a text expander, Tracing Cookies, and more. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker Resources: Post from Gareth Heyes https://x.com/garethheyes/status/1811084674988474417 Wiki List of XML and HTML https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references#List_of_character_entity_references_in_HTML HackerOne Leaderboard Changes https://x.com/scarybeasts/status/1810813103354892666 Espanso https://espanso.org/ Critical Thinkers Discord ctbb.show/criticalthinkers Oauth Scan https://portswigger.net/bappstore/8ef2db1173e8432c8797831c2e730727 Timestamps: (00:00:00) Introduction (00:03:12) News (00:13:20) Into the Brainstorm (00:13:41) 403 Bypasser (00:20:34) "Expaido" (00:31:34) Trace Cookies (00:42:01) Highlight Decoding Expansion and AI integrations (00:49:08) OAuth Testing, API Highlighter, and Note-taking
	Episode 82: Part-Time Bug Bounty	01 Aug 2024	00:36:32
Episode 82: In this episode of Critical Thinking - Bug Bounty Podcast Joel Margolis discusses strategies and tips for part-time bug bounty hunting. He covers things like finding (and enforcing) balance, picking programs and goals, and streamlining your process to optimize productivity. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker Resources: Evernote RCE Post https://0reg.dev/blog/evernote-rce ServiceNow Bug Chain https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data Douglas Day's Talk on finding 'no's' https://youtu.be/G1RHa7l1Ys4?si=TY16ULsEIfJ9CMKk Timestamps: (00:01:37) Introduction (00:02:24) Evernote RCE Post (00:06:47) AssetNote ServiceNow Bug Chain (00:12:16) Part-Time Bug Bounty: Balance and Accountability (00:18:04) Picking programs: Impact and Payout (00:28:46) Streamline your process
	Episode 81: Crushing Client-Side on Any Scope with MatanBer	25 Jul 2024	02:04:48
Episode 81: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by MatanBer to go over some recent bug reports, as well as share some tips and tricks on client-side hacking and using DevTools effectively. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker Today’s Guest: https://x.com/MtnBer Resources: Beyond XSS https://aszx87410.github.io/beyond-xss/en/ Web VSCode XSS https://gitlab.com/gitlab-org/gitlab/-/issues/461328 Timestamps (00:00:00) Introduction (00:05:24) Learning and Labs (00:17:29) DevTools tips and tricks (00:49:49) General Client-Side hacking tips (01:09:59) Self-XSS Storytime (01:32:16) Bug Reports (01:46:37) Brainstorming a Client-side HUD
	Episode 80: Pwn2Own VS H1 Live Hacking Event (feat SinSinology)	18 Jul 2024	02:49:26
Episode 80: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Sina Kheirkhah to talk about the start of his hacking journey and explore the differences between the Pwn2Own and HackerOne Events Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker Today’s Guest: https://x.com/SinSinology Blog: https://sinsinology.medium.com/ Resources: WhatsUp Gold Pre-Auth RCE Advanced .NET Exploitation Training dnSpyEx QEMU Unicorn Engine Qiling libAFL Alex Plaskett interview TippingPoint Flashback Team Timestamps: (00:00:00) Introduction (00:12:45) Learning, Mentorship, and Failure (00:29:34) Pentesting and Pwn2Own (00:40:05) Hacking methodology (01:01:57) Debuggers and shells in IoT Devices (01:35:40) Differences between ZDI and HackerOne (02:02:27) Pwn2Own Steps and Stories (02:14:06) Master of Pwn Title (02:29:54) Bug reports
	Episode 79: The State of CSS Injection - Leaking Text Nodes & HTML Attributes	11 Jul 2024	01:10:25
Episode 79: In this episode of Critical Thinking - Bug Bounty Podcast we deepdive CSS injection, and explore topics like sequential import chaining, font ligatures, and attribute exfiltration. Follow us on twitter at: @ctbbpodcast Send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources: SpaceRaccoon's Universal Code Execution Extensions Escalating Client Side Path Traversal Full-time Bug Bounty Blueprint Sequential Import Chaining CSS Exfiltation Link that Justin was talking about Font Ligatures Lava Dome bypass Stealing Data in Great Style Steal Script Contents Masato Kinugawa's tweet Attacking with Just CSS CSS Injection Primitives Timestamps: (00:00:00) Introduction (00:02:32) Universal Code Execution (00:11:32) Escalating Client Side Path Traversal (00:16:56) Justin's Defcon talk & Bug Bounty Blueprint (00:23:32) CSS Injection (00:39:23) Font Ligatures (00:54:30) Descent Override and display:block
	Episode 78: Less Writing, More Hacking - Reporting Efficiency Techniques	04 Jul 2024	01:06:25
Episode 78: In this episode of Critical Thinking - Bug Bounty Podcast we’re talking about writing reports. We share some tips that we’ve learned, and discuss ways that AI can (and can’t) help with that process. We also talk about the benefit of using tools like Fabric, Loom, and ShareX. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker Resources: XSS WAF Bypass by multi-char HTML entities Shazzer Next.js and cache poisoning Nagli's Nuclei Template hey why can't you fix this one bug Justin's reporting templating software Fabric BB Report Formatter 2to3 Automated Python Converter ShareX Skitch Timestamps: (00:00:00) Introduction (00:04:00) XSS WAF Bypass by Multi-char HTML Entities (00:11:59) Next.js and Cache Poisoning (00:18:03) Nagli's Nuclei Template and Sean Yeoh's Blog (00:27:34) Report Writing and AI (00:50:02) Reporting tips
	Episode 77: Bug Bounty Mental - Practical Tips for Staying Sharp & Motivated	27 Jun 2024	01:50:26
Episode 77: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin discuss some fresh writeups including some MongoDB injections, ORMs, and exploits in Kakao and iOS before pivoting into a conversation about staying motivated and avoiding burnout while hunting. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources: MongoDB NoSQL Injection https://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/ Mongo DB Is Web Scale https://www.youtube.com/watch?v=b2F-DItXtZs 1-click Exploit in Kakao https://stulle123.github.io/posts/kakaotalk-account-takeover/ Unsecure time-based secret and Sandwich Attack https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html Reset Tolkien https://github.com/AethliosIK/reset-tolkien iOS URL Scheme Hijacking Revamped https://evanconnelly.github.io/post/ios-oauth/ PLORMBING YOUR DJANGO ORM https://www.elttam.com/blog/plormbing-your-django-orm/#content Timestamps: (00:00:00) Introduction (00:02:07) MongoDB NoSQL Injection (00:12:42) 1-click Exploit in Kakao (00:33:21) Time-based secrets and Reset Tolkien (00:39:26) iOS URL Scheme Hijacking Revamped (00:51:42) ORMs (00:58:57) Community Bug Submission (01:07:45) Motivation, Mental Sharpness, and Burnout avoidance
	Episode 76: Match & Replace - HTTP Proxies' Most Underrated Feature	20 Jun 2024	01:34:43
Episode 76: In this episode of Critical Thinking - Bug Bounty Podcast we’re talking about Match and Replace and the often overlooked use cases for it, like bypassing paywalls, modifying host headers, and storing payloads. We also talk about the HackerOne Ambassador World Cup and the issues with dupe submissions, and go through some write-ups. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today's Sponsor - Project Discovery: https://nux.gg/podcast Resources Zoom Session Takeover https://nokline.github.io/bugbounty/2024/06/07/Zoom-ATO.html SharePoint XXE https://x.com/thezdi/status/1796207012520366552 Shazzer https://shazzer.co.uk/ Timestamps: (00:00:00) Introduction (00:05:06) H1 Ambassador World Cup (00:13:57) Zoom ATO bug (00:33:28) SharePoint XXE (00:39:36) Shazzer (00:46:36) Match and Replace (01:13:01) Match and Replace in Mobile (01:21:13) Header Replacements
	Episode 75: Rerun of The OG Bug Bounty King - Frans Rosen	13 Jun 2024	02:44:52
Episode 75: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are sick, So instead of a new full episode, we're going back 30 episodes to review. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! Today's Guest: https://twitter.com/fransrosen Detectify Discovering s3 subdomain takeovers https://labs.detectify.com/writeups/hostile-subdomain-takeover-using-heroku-github-desk-more/ bucket-disclose.sh https://gist.github.com/fransr/a155e5bd7ab11c93923ec8ce788e3368 A deep dive into AWS S3 access controls Attacking Modern Web Technologies Live Hacking like a MVH Account hijacking using Dirty Dancing in sign-in OAuth flows Timestamps: (00:00:00) Introduction (00:11:41) Franz Rosen's Bug Bounty Journey and Detectify (00:20:21) Pseudo-code, typing, and thinking like a dev (00:27:11) Hunter Methodologies and automationists (00:42:31) Time on targets, Iteration vs. Ideation (00:58:01) S3 subdomain takeovers (01:11:53) Blog posting and hosting motivations (01:20:21) Detectify and entrepreneurial endeavors (01:36:41) Attacking Modern Web Technologies (01:52:51) postMessage and MessagePort (02:05:00) Live Hacking and Collaboration (02:20:41) Account Hijacking and OAuth Flows (02:35:39) Hacking + Parenthood
	Episode 92 - SAML XPath Confusion, Chinese DNS Poisoning, and AI Powered 403 Bypasser	10 Oct 2024	00:47:38
Episode 92: In this episode of Critical Thinking - Bug Bounty Podcast In this episode Justin and Joel tackle a host of new research and write-ups, including Ruby SAML, 0-Click exploits in MediaTek Wi-Fi, and Vulnerabilities caused by The Great Firewall Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor - ThreatLocker. Checkout their ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect Resources: Insecurity through Censorship Ruby-SAML / GitLab Authentication Bypass 0-Click exploit discovered in MediaTek Wi-Fi chipsets New Caido Plugin to Generate Wordlists Bebik’s 403 Bypassor CSPBypass Arb Read & Arb write on LLaMa.cpp by SideQuest XSS WAF Bypass One payload for all Timestamps (00:00:00) Introduction (00:02:08) Vulnerabilities Caused by The Great Firewall (00:07:25) Ruby SAML Bypass (00:19:55) 0-Click exploit discovered in MediaTek Wi-Fi chipsets (00:24:36) New Caido Wordlist Plugin (00:31:00) CSPBypass.com (00:35:37) Arb Read & Arb write on LLaMa.cpp by SideQuest (00:43:10) Helpful WAF Bypass
	Episode 74: Supply Chain Attack Primer - Popping RCE Without an HTTP Request (feat 0xLupin)	06 Jun 2024	01:38:20
Episode 74: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Roni "Lupin" Carta for a deep dive into supply chain attacks and dependency confusion. We explore the supply chain attacks, the ethical considerations surrounding maintainers and hosting packages on public registries, and chat about the vision and uses of his new tool Depi. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today's Sponsor - Project Discovery: https://nux.gg/podcast Today’s Guest: https://x.com/0xLupin Resources: Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 git-dump https://github.com/tomnomnom/dotfiles/blob/master/scripts/git-dump Depi https://www.landh.tech/depi Weak links of Supply Chain https://arxiv.org/pdf/2112.10165 Timestamps: (00:00:00) Introduction (00:07:13) Overveiw of Supply Chain Flow (00:15:14) Getting our Scope (00:23:46) Depi (00:29:12) Types of attacks and finding the 80/20 (00:45:06) Maintainer attacks (01:10:40) Regestries, artifactories, and an npm bug (01:31:51) Grafana NPX Confusion
	Episode 73: Sandboxed IFrames and WAF Bypasses	30 May 2024	00:31:13
Episode 73: In this episode of Critical Thinking - Bug Bounty Podcast we give a brief recap of Nahamcon and then touch on some topics like WAF bypass tools, sandboxed iframes, and programs redacting your reports. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today's Sponsor - Project Discovery: https://nux.gg/podcast Resources: ?. Tweet https://x.com/garethheyes/status/1786836956032176215 NoWafPls https://github.com/assetnote/nowafpls Redacted Reports https://x.com/deadvolvo/status/1790397012468199651 Breaking CORS https://x.com/MtnBer/status/1794657827115696181 Sandbox-iframe XSS challenge solution https://joaxcar.com/blog/2024/05/16/sandbox-iframe-xss-challenge-solution/ iframe and window.open magic https://blog.huli.tw/2022/04/07/en/iframe-and-window-open/#detecting-when-a-new-window-has-finished-loading domloggerpp https://github.com/kevin-mizu/domloggerpp Timestamps (00:00:00) Introduction (00:03:29) ?. Operator in JS and NoWafPls (00:07:22) Redacting our own reports (00:11:13) Breaking CORS (00:17:07) Sandbox-iframes (00:24:11) Dom hook plugins
	Episode 72: Research TLDRs & Smuggling Payloads in Well Known Data Types	23 May 2024	00:52:49
Episode 72: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss some hot research from the past couple months. This includes ways to smuggle payloads in phone numbers and IPv6 Addresses, the NextJS SSRF, the PDF.JS PoC drop, and a GitHub Enterprise Indirect Method Information bug. Also, we have an attack vector featured from Monke! Follow us on twitter at: @ctbbpodcast Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today's Sponsor - Project Discovery: https://nux.gg/podcast Resources: PDF.JS Bypass to XSS https://github.com/advisories/GHSA-wgrm-67xf-hhpq https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/ PDFium NextJS SSRF by AssetNote Better Bounty Transparency for hackers Slonser IPV6 Research Smuggling payloads in phone numbers Automatic Plugin SQLi DomPurify Bypass Bug Bounty JP Podcast Github Enterprise send() bug https://x.com/creastery/status/1787327890943873055 https://x.com/Rhynorater/status/1788598984572813549 Timestamps: (00:00:09) Introduction (00:03:20) PDF.JS XSS and NextJS SSRF (00:12:52) Better Bounty Transparency (00:20:01) IPV6 Research and Phone Number Payloads (00:28:20) Community Highlight and Automatic Plugin CVE-2024-27956 (00:33:26) DomPurify Bypass and Github Enterprise send() bug (00:46:12) Caido cookie and header extension updates
	Episode 71: More VDP Chats & AI Bias Bounty Strats with Keith Hoodlet	16 May 2024	01:45:21
Episode 71: In this episode of Critical Thinking - Bug Bounty Podcast Keith Hoodlet joins us to weigh in on the VDP Debate. He shares some of his insights on when VDPs are appropriate in a company's security posture, and the challenges of securing large organizations. Then we switch gears and talk about AI bias bounties, where Keith explains the approach he takes to identify bias in chatbots and highlights the importance of understanding human biases and heuristics to better hack AI. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Today's Sponsor - Project Discovery: https://nux.gg/podcast Today’s guest: Keith Hoodlet https://securing.dev/ Resources: Daniel Miessler's article about the security poverty line https://danielmiessler.com/p/the-cybersecurity-skills-gap-is-another-instance-of-late-stage-capitalism/ Hacking AI Bias https://securing.dev/posts/hacking-ai-bias/ Hacking AI Bias Video https://youtu.be/AeFZA7xGIbE?si=TLQ7B3YtzPWXS4hq Sarah's Hoodlet's new book https://sarahjhoodlet.com Link to Amazon Page https://a.co/d/c0LTM8U Timestamps: (00:00:00) Introduction (00:04:09) Keith's Appsec Journey (00:16:24) The Great VDP Debate Redux (00:47:18) Platform/Hunter Incentives and Government Regulation (01:06:24) AI Bias Bounties (01:26:27) AI Techniques and Bugcrowd Contest
	Episode 70: NahamCon and CSP Bypasses Everywhere	09 May 2024	00:43:08
Episode 70: In this episode of Critical Thinking - Bug Bounty Podcast we’re once again joined by Ben Sadeghipour to talk about some Nahamcon news, as well as discuss a couple other LHE’s taking place. Then they cover CI/CD and drop some cool CSP Bypasses. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today's Sponsor - Project Discovery: https://nux.gg/podcast Today’s Guest: https://twitter.com/NahamSec https://www.nahamcon.com/ Resources: Depi https://www.landh.tech/depi Youtube CSP: https://www.youtube.com/oembed?callback=alert() Maps CSP: https://maps.googleapis.com/maps/api/js?callback=alert()-print Google APIs CSP https://www.googleapis.com/customsearch/v1?callback=alert(1) Google CSP https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)// CSP Bypass for opener.child.child.child.click() https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/ Timestamps: (00:00:00) Introduction (00:02:55) BSides Takeaways and hacking on Meta (00:12:12) NahamCon News (00:23:45) CI/CD and the launch of Depi (00:33:29) CSP Bypasses
	Episode 69: Johan Carlsson - 3 Month Check-in on Full-time Bug Bounty.	02 May 2024	01:49:04
Episode 69: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Johan Carlsson to hear about some updates on his bug hunting journey. We deep-dive a CSP bypass he found in GitHub, a critical he found in GitLab's pipeline, and also talk through his approach to using script gadgets and adapting to highly CSP'd environments. Then we talk about his transition to full-time bug hunting, including the goals he’s set, the successes and challenges, and his current focus on specific bug types like ReDoS and OAuth, and the serendipitous nature of bug hunting. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Nuclei 3.2 Release: https://nux.gg/podcast Today’s Guest: https://twitter.com/joaxcar https://joaxcar.com/blog/ Resources Github CSP Bypass https://gist.github.com/joaxcar/6e5a0a34127704f4ea9449f6ce3369fc CSP Validator https://cspvalidator.org/ Cross Window Forgery https://www.paulosyibelo.com/2024/02/cross-window-forgery-web-attack-vector.html Gitlab Crit https://gist.github.com/joaxcar/9419b2df8778f26e9b02a741a8ec12f8 Timestamps (00:00:00) Introduction (00:09:34) Github CSP Bypass (00:38:48) Script Gadgets and growth through Gitlab (00:53:53) Gitlab pipeline bug (01:12:32) Full-time Bug Bounty
	Episode 68: 0-days & HTMX-SS with Mathias	25 Apr 2024	01:03:53
Episode 68: In this episode of Critical Thinking - Bug Bounty Podcast Mathias is back with some fresh HTMX research, including CSP bypass using HTMX triggers, converting client-side response header injection to XSS, bypassing HTMX disable, and the challenges of using HTMX in larger applications and the potential performance trade-offs. We also talk about the results of his recent CTF Challenge, and explore some more facets of CDN-CGI functionality. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Project Discovery Conference: https://nux.gg/hss24 ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://twitter.com/avlidienbrunn Resources: Masato Kinugawa's research on Teams https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=33 subdomain-only 307 open redirect https://avlidienbrunn.se/cdn-cgi/image/onerror=redirect/http://anything.avlidienbrunn.se Timestamps (00:00:00) Introduction (00:05:18) CSP Bypass using HTML (00:14:00) Converting client-side response header injection to XSS (00:23:10) Bypassing hx-disable (00:32:37) XSS-ing impossible elements (00:38:22) CTF challenge Recap and knowing there's a bug (00:51:53) hx-on (depreciated) (00:54:30) CDN-CGI Research discussion
	Episode 67: VDPs & Accidental Program VS Hacker Debate Part 2	18 Apr 2024	01:19:51
Episode 67: In this episode of Critical Thinking - Bug Bounty Podcast we deepdive on the topic of Vulnerability Disclosure Programs (VDPs) and whether they are beneficial or not. We also touch on the topic of leaderboard accuracy, and continue the Program VS Hacker debate regarding allocating funds for bounties. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Project Discovery Conference: https://nux.gg/hss24 Resources: Nagli's Braindump on VDPs https://twitter.com/galnagli/status/1780174392003031515 Timestamps: (00:00:00) Introduction (00:05:37) VDP programs (00:34:10) Leaderboards (00:43:52) Hacker vs. Program debate Part 2 (01:07:24) Walling Off Endpoints
	Episode 66: CDN-CGI Research, Intent To Ship, and Louis Vuitton	11 Apr 2024	00:58:20
Episode 66: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the recent YesWeHack Louis Vuitton LHE, the importance of failure as growth in bug bounty, and Justin shares his research on CDN CGI. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Project Discovery Conference: https://nux.gg/hss24 ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources: YesWeHack Luis Vuitton LHE https://twitter.com/yeswehack/status/1776280653744554287 https://event.yeswehack.com/events/hack-me-im-famous-2 Caido Workflows https://github.com/caido/workflows Oauth Redirects https://twitter.com/Akshanshjaiswl/status/1724143813088940192 Bagipro Golden URL techniques https://hackerone.com/reports/431002 Roadmap I followed to make 15,000+$ Bounties in my first 8 months https://shreyaschavhan.notion.site/Roadmap-I-followed-to-make-15-000-Bounties-in-my-first-8-months-of-starting-out-and-my-journey-98b1b9ff621645c0b97d1e774992f300 Monke Hacks Blog https://monkehacks.beehiiv.com/ PortSwigger post https://x.com/PortSwiggerRes/status/1766087129908576760 post from Masato Kinugawa https://x.com/kinugawamasato/status/916393484147290113 Timestamps: (00:00:00) Introduction (00:04:19) Louis Vuitton LHE (00:13:57) Browser Market share (00:21:13) Justin's Bug of the Week (00:24:49) Caido Workflows (00:27:24) Oauth Redirects (00:32:24) Bug Bounty learning Methodology (00:41:03) 'Intent To Ship' (00:48:08) CDN-CGI Research
	Episode 65: Motivation and Methodology with Sam Curry (Zlz)	04 Apr 2024	02:29:05
Episode 65: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with Sam Curry to discuss the ethical considerations and effectiveness of hacking, the importance of good intent, and the enjoyment Sam derives from pushing the boundaries to find bugs. He shares stories of his experiences, including hacking Tesla, online casinos,Starbucks, his own is ISP router, and even getting detained at the airport. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Project Discovery Conference: https://nux.gg/hss24 ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://samcurry.net/ Resources: Don’t Force Yourself to Become a Bug Bounty Hunter hackcompute Starbucks Bug recollapse Timestamps: (00:00:00) Introduction (00:02:25) Hacking Journey and the limits of Ethical Hacking (00:28:28) Selecting companies to hack (00:33:22) Fostering passion vs. Forcing performance (00:54:06) Collaboration and Hackcompute (01:00:40) The Efficacy of Bug Bounty (01:09:20) Secondary Context Bugs (01:25:01) Mindmaps, note-taking, and Intuition. (01:46:56) Back-end traversals and Unicode (01:56:16) Hacking ISP (02:06:58) Next.js and Crypto (02:22:24) Dev vs. Prod JWT
	Episode 91: Zero to LHE in 9 Months (feat gr3pme)	03 Oct 2024	01:22:50
Episode 91: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner sits down with Critical Thinking’s own HackerNotes writer Brandyn Murtagh (gr3pme) to talk about his journey with Bug Bounty. We cover mentorship, networking and LHEs, ecosystem hacking, emotional regulation, and the need for self-care. Then we wrap up with some fun bugs. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Shop our new swag store at ctbb.show/swag Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder Today’s guest: https://x.com/gr3pme Resources: Lessons Learned for LHEs https://x.com/Rhynorater/status/1579499221954473984 Timestamps: (00:00:00) Introduction (00:07:02) Mentorship in Bug Bounty (00:16:30) LHE lessons, takeaways, and the benefit of feedback and networking (00:41:28) Choosing Targets (00:49:03) Vuln Classes (00:58:54) Bug Reports
	Episode 64: .NET Remoting, CDN Attack Surface, and Recon vs Main App	28 Mar 2024	01:08:04
Episode 64: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Justin and Joel delve into .NET remoting and how it can be exploited, a recent bypass in the Dom Purify library and some interesting functionality in the Cloudflare CDN-CGI endpoint. They also touch on the importance of collaboration and knowledge sharing, JavaScript Deobfuscation, the value of impactful POCs, hiding XSS payloads with URL path updates. Follow us on twitter at: @ctbbpodcast send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Check out Project Discovery’s nuclei 3.2 release blog at nux.gg/podcast Resources: .NET Remoting https://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/ https://github.com/codewhitesec/HttpRemotingObjRefLeak DOM Purify Bug Cloudflare /cdn-cgi/ https://developers.cloudflare.com/fundamentals/reference/cdn-cgi-endpoint/ https://portswigger.net/research/when-security-features-collide https://twitter.com/kinugawamasato/status/893404078365069312 https://twitter.com/m4ll0k/status/1770153059496108231 XSSDoctor's writeup on Javascript deobfuscation renniepak's tweet Naffy's tweet Timestamps: (00:00:00) Introduction (00:07:15) .Net Remoting (00:17:29) DOM Purify Bug (00:25:56) Cloudflare /cdn-cgi/ (00:37:11) Javascript deobfuscation (00:47:26) renniepak's tweet (00:55:20) Naffy's tweet
	Episode 63: JHaddix Returns	21 Mar 2024	01:21:35
Episode 63: In this episode of Critical Thinking - Bug Bounty Podcast we welcome back Jason Haddix (From Episode 12) to talk about some updates to his The Bug Hunter's Methodology, as well as his own personal life and hacking journey. We talk about the start of his new company, and then venture into topics such as using threat intelligence and buying credentials from the dark web, recon techniques, and ways to integrate AI into your workflow (or target list). Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Today’s Guest: https://twitter.com/Jhaddix https://www.arcanum-sec.com/ Resources: Dehashed https://www.dehashed.com/ Flare https://flare.io/ CSP Recon https://github.com/edoardottt/csprecon Timestamps: (00:00:00) Introduction (00:05:37) Updates to The Bug Hunter's Methodology (00:14:46) Red Teaming (00:21:29) Bug Bounty on the Dark Web (00:36:19) FIS hunting (00:47:59) New Recon Techniques (00:58:32) AI integrations and bounties
	Episode 62: Frontend Language Oddities	14 Mar 2024	00:58:43
Episode 62: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with some additional research resources that didn’t make the Portswigger Top-Ten, but that are worth looking at. Follow us on twitter at: @ctbbpodcast Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Resources: Cool HTML Shit https://twitter.com/jcubic/status/1764311080661082201 https://twitter.com/encodeart/status/1764218128374943764 Bug bounty Hunting Journeys https://twitter.com/ajxchapman/status/1762101366057525521 https://monkehacks.beehiiv.com/p/monkehacks-02 Yelp Cookie Bridge Report Deobfuscating/Unminifying Obfuscated Code ChatGPT Source Watch Web Security Research Reddit Nahamsec Resources Portswigger Nominations list Abusing perspectives: https://hackerone.com/reports/2401115 PortSwigger CSS Exfiltration https://github.com/PortSwigger/css-exfiltration Timestamps: (00:00:00) Introduction (00:02:06) Cool HTML Shit (00:15:31) Bug Bounty Journeys (00:28:01) Yelp Cookie Bridge Bug (00:37:56) Additional Research Resources (00:46:34) CSS and abusing perspectives
	Episode 61: A Hacker on Wall Street - JR0ch17	07 Mar 2024	01:27:00
Episode 61: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Jasmin Landry to share some stories about startup security, bug bounty, and the challenges of balancing both. He also shares his methodology for discovering OAuth-related bugs, highlights some differences between structured learning and self-teaching, and then walks us through a couple arbitrary ATO’s and SSTI to RCE bugs he’s found lately. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: Jasmin Landry https://twitter.com/JR0ch17 Resources: Dirty Dancing blog post https://labs.detectify.com/writeups/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/ OAuth 2.0 Threat Model and Security Considerations https://datatracker.ietf.org/doc/html/rfc6819 OAuth 2.0 Security Best Current Practice https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics Timestamps: (00:00:00) Introduction (00:02:20) Meta Tag + DomPurify Bug (00:09:36) Jasmin's Origin story (00:28:23) Full time Bug bounty challenges (00:36:57) Career jumps in Security and current Role (00:47:32) OAuth Bug methodology and cool bug stories (01:02:35) Social Engineering and Bug Bounty (01:13:41) Arbitrary ATO bug (01:19:41) SSTI to RCE bug
	Episode 60: Our Take on PortSwigger's Top 10 Web Hacking Techniques of 2023	29 Feb 2024	01:24:37
Episode 60: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel review the Portswigger Research list of top 10 web hacking techniques of 2023. Follow us on twitter at: @ctbbpodcast Send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources: Top 10 web hacking techniques of 2023 1: Smashing the state machine 8: From Akamai to F5 to NTLM 3: SMTP Smuggling 4: PHP filter chains (Bonus Read) 5: HTTP Parsers Inconsistencies 6: HTTP Request Splitting 7: How I Hacked Microsoft Teams 9: Cookie Crumbles (Bonus Read) 10: Hacking root EPP servers to take control of zones Timestamps: (00:00:00) Introduction (00:04:26) 1: Smashing the state machine (00:11:56) 8: From Akamai to F5 to NTLM... with love (00:17:11) 3: SMTP Smuggling (00:26:27) 4: PHP filter chains (00:36:40) 5: HTTP Parsers Inconsistencies (00:44:56) 6: HTTP Request Splitting (00:53:43) 7: How I Hacked Microsoft Teams (01:02:25) 9: Cookie Crumbles (01:11:36) 10: EPP Server Takeover
	Episode 59: Bug Bounty Gadget Hunting & Hacker's Intuition	22 Feb 2024	01:39:09
Episode 59: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the concept of gadgets and how they can be used to escalate the impact of vulnerabilities. We talk through things like HTML injection, image injection, CRLF injection, web cache deception, leaking window location, self-stored XSS, and much more. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources: Even Better NahamSec's 5 Week Program NahamCon News CSS Injection Research Timestamps: (00:00:00) Introduction (00:03:31) Caido's New Features (00:15:20) Nahamcon News and 5 week Bootcamp and pentest opportunity (00:19:54) HTML Injection, CSS Injection, and Clickjacking (00:33:11) Image Injection (00:37:19) Open Redirects, Client-side path traversal, and Client-side Open Redirect (00:49:51) Leaking window.location.href (00:57:15) Cookie refresh gadget (01:01:40) Stored XXS (01:09:01) CRLF Injection (01:13:24) 'A Place To Stand' in GraphQL and ID Oracle (01:18:23) Auth gadgets, Web Cache Deception, & LocalStorage poisoning (01:27:46) Cookie Injection & Context Breaks
	Episode 58: Youssef Sammouda - Client-Side & ATO War Stories	15 Feb 2024	01:54:51
Episode 58: In this episode of Critical Thinking - Bug Bounty Podcast we finally sit down with Youssef Samouda and grill him on his various techniques for finding and exploiting client-side bugs and postMessage vulnerabilities. He shares some crazy stories about race conditions, exploiting hash change events, and leveraging scroll to text fragments. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://twitter.com/samm0uda?lang=en https://ysamm.com/ Resources: Client-side race conditions with postMessage: https://ysamm.com/?p=742 Transferable Objects https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Transferable_objects Every known way to get references to windows, in javascript: https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2d Youssef’s interview with BBRE https://www.youtube.com/watch?v=MXH1HqTFNm0 Timestamps: (00:00:00) Introduction (00:04:27) Client-side race conditions with postMessage (00:18:12) On Hash Change Events and Scroll To Text Fragments (00:32:00) Finding, documenting, and reporting complex bugs (00:37:32) PostMessage Methodology (00:45:05) Youssef's Vuln Story (00:53:42) Where and how to look for ATO vulns (01:05:21) MessagePort (01:14:37) Window frame relationships (01:20:24) Recon and JS monitoring (01:37:03) Client-side routing (01:48:05) MITMProxy
	Episode 57: Technical breakdown from Miami Hacking Event - H1-305	08 Feb 2024	00:32:34
Episode 57: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are live from Miami, and recap their experience and share takeaways from the live hacking event. They highlight the importance of paying attention to client-side routing and the growing bug class of client-side path traversal. They also discuss the challenges of knowing when to cut your losses and the value of tracking time and setting goals. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Timestamps: (00:00:00) Introduction (00:03:50) Miami LHE Recap and Takeaways (00:05:57) Keeping time and cutting losses. (00:19:07) Roles and Goals (00:23:33) OAuth (00:28:52) HTML5 image to img Tip
	Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston)	01 Feb 2024	01:47:40
Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston) Episode 56: In this episode of Critical Thinking - Bug Bounty Podcast, Justin sits down with Jon Colston to discuss how his background in digital marketing and data science has influenced his hunting methodology. We dive into subjects like data sources, automation, working backwards from vulnerabilities, applying conversion funnels to bug bounty, and the mayonaise signature 'Mother of All Bugs' Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ WordFence - Sign up as a researcher! https://ctbb.show/wf Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://hackerone.com/mayonaise?type=user Timestamps: (00:00:00) Introduction (00:12:07) Evolving Hacking Methodologies & B2B Hacking (00:23:57) Data Science + Bug Bounty (00:34:37) 'Lead Generation for Vulns' (00:41:39) Ingredients and Recipes (00:49:45) Keyword Categorization (00:54:30) Manual Processes and Recap (01:07:08) Data Sources (01:19:59) Digital Marketing + Bug Bounty (01:32:22) M.O.A.B.s (01:41:02) Burnout Protection and Dupe Analysis
	Episode 55: Popping WordPress Plugins - Methodology Braindump	25 Jan 2024	01:44:04
Episode 55: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by Wordpress Security Researcher Ram Gall to discuss both functionality and vulnerabilities within Wordpress Plugins. Follow us on twitter Send us any feedback here: Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ WordFence - Sign up as a researcher! https://ctbb.show/wf --- Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: Ramuel Gall UpdraftPlus Vuln XML-RPC PingBack Unicode and Character Sets Reflected XSS POP Chain WordpressPluginDirectory Subscriber+ RCE in Elementor Subscriber+ SSRF Unauthed XSS via User-Agent header Timestamps: (00:00:00) Introduction (00:05:55) Add_action & Nonces (00:26:16) Add_filter & Register_rest_routes (00:38:39) Page-related code & Shortcodes (00:50:24) Top Sinks for WP (01:02:19) Echo & SQLI Sinks (01:15:07) Nonce Leak and wp_handle_upload (01:18:16) Page variables & Pop Chains (01:26:55) WP Escalations & Bug Reports
	Episode 90: 5k Clickjacking, Encryption Oracles, and Cursor for PoCs	26 Sep 2024	00:51:42
Episode 90: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin recap some of their recent hacking ups and downs and have a lively chat about Cursor. Then they cover some some research about SQL Injections, Clickjacking in Google Docs, and how to steal your Telegram account in 10 seconds. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Shop our new swag store at ctbb.show/swag Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder Resources: Breaking Down Barriers: Exploiting Pre-Auth SQL Injection in WhatsUp Gold Content-Type that can be used for XSS Clickjacking Bug in Google Docs Justin's Gadget Link https://www.youtube.com/signin?next=https%3A%2F%2Faccounts.youtube.com%2Faccounts%2FSetSID%3Fcontinue%3Dhttps%3A%2F%2Fwww.google.com%252Famp%252fpoc.rhynorater.com Stealing your Telegram account in 10 seconds flat Timestamps (00:00:00) Introduction (00:08:28) Recent Hacks and Dupes (00:14:00) Cursor (00:25:02) Exploiting Pre-Auth SQL Injection in WhatsUp Gold (00:34:17) Content-Type that can be used for XSS (00:40:25) Caido updates (00:43:14) Clickjacking in Google Docs, and Stealing Telegram account
	Episode 54: White Box Formulas - Vulnerable Coding Patterns	18 Jan 2024	01:12:38
Episode 54: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with news items and new projects. Joel shares about his personal scraping project to gather data on bug bounty programs and distribution Next, they announce the launch of HackerNotes, a podcast companion that will summarize the main technical points of each episode. They also discuss a recent GitLab CVE and an invisible prompt injection, before diving into a discussion (or debate) about vulnerable code patterns. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Gitlab CVE https://github.com/Vozec/CVE-2023-7028 https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/ Fix commit: https://gitlab.com/gitlab-org/gitlab/-/commit/abe79e4ec437988cf16534a9dbba81b98a2e7f18 Invisible Prompt Injection https://x.com/goodside/status/1745511940351287394?s=20 Regex 101 https://regex101.com Regex to Strings https://www.wimpyprogrammer.com/regex-to-strings/ Timestamps (00:00:00) Introduction (00:01:54) Joel’s H1 Data Scraping Research (00:19:23) HackerNotes launch (00:21:29) Gitlab CVE (00:27:45) Invisible Prompt Injection (00:33:52) Vulnerable Code Patterns (00:37:51) Sanitization, but then modification of data afterward (00:45:39) Auth check inside body of if statement (00:48:15) sCheck for bad patterns with if, but then don't do any control flow (00:50:21) Bad Regex (01:00:36) Replace statements for sanitization (01:04:32) Anything that allows you to call functions or control code flow in uncommon ways
	Episode 53: 500k/yr as Full-Time Bug Hunter & Content Creator - Nahamsec	11 Jan 2024	01:40:47
Episode 53: In this episode of Critical Thinking - Bug Bounty Podcast,we’re joined by none other than NahamSec. We start by discusses the challenges he faced on his journey in bug bounty hunting and content creation, including personal struggles and the pressure of success.We also talk about finding balance and managing mental energy, going the extra mile, and the importance of planning and setting goals for yourself before he walks us through some Blind XSS techniques. Follow us on twitter at: @ctbbpodcast Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Timestamps: (00:00:00) Introduction (00:01:37) Costs of Content Creation (00:21:12) Hacking 'identities' and Pivoting (00:36:49) Hacking Methodology (00:58:59) Planning, Goals, and Nahamsec's 2023 Performance (01:10:19) Blind XSS (01:35:19) Going the extra mile in Bug Bounty
	Episode 52: Best Technical Content from Year 1 of CTBB Podcast	04 Jan 2024	03:00:00
Episode 52: In this episode of Critical Thinking - Bug Bounty Podcast we're going back and highlighting some of the best technical moments from the past year! Hope you enjoy this best of 2023 Supercut! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Timestamps: (00:00:00) Introduction (00:02:55) Episode 26: Meta tags and base tags in HTML (00:15:20) Episode 27: Client-side path traversal (00:23:18) Episode 27: Cookie bombing + cookie jar overflow (00:35:47) Episode 44: Cross environment authentication bugs (00:43:17) Episode 47: The open-faced Iframe Sandwich (00:50:19) Episode 47: js hoisting and classic Joel nerdsnipe (00:58:28) Episode 29: Sean Yeoh on Subdomains vs IP in recon (01:04:05) Episode 30: Shubs on reversing enterprise software (01:24:58) Episode 30: Shubs on building out a recon flow (01:29:36) Episode 30: Shubs on Hacking IIS Servers (01:36:45) Episode 37: 0xLupin on smart JavaScript analysis tools (01:45:42) Episode 45: Frans Rosen On App cache, Service workers cookie stuffing, and postMessage (02:15:02) Episode 50: Mathias Karlsson on XSLT and MXSS (02:39:26) Episode 27: Assetnote's sharefile RCE (02:48:18) Episode 31: Perforce RCE (02:53:48) Episode 48: Sam Erb's XSLT bug story (02:58:47) Final thoughts and Special Thanks
	Episode 51: Hacker Stats 2023 & 2024 Goals	28 Dec 2023	01:21:31
Episode 51: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are back for the last episode of 2023. We discuss some noteworthy news items including a Hacker One Crit, Caido updates, and some Blind CSS. Then we dive into our own personal ‘Hackers Wrapped’ recap of the year, before laying out some goals for 2024. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources Flow Powertoys Alfred Pyperclip Textgrab CTF Payload Challenge Hacker One Crit Report Blind CSS Injection Timestamps (00:00:00) Introduction (00:08:43) Keyboard Shortcut Utility Systems (00:21:28) CTF Challenge By Frans (00:32:40) Hacker One 25K Crit Disclosure (00:36:31) Caido Searchbar Rework. (00:40:51) Blind CSS Exfiltration (00:44:10) 2023 Personal Bug Bounty Stats (01:01:15) 2024 Personal Bug Bounty Goals
	Episode 50: Mathias "Fall in a well" Karlsson - Bug Bounty Prophet	21 Dec 2023	02:24:31
Episode 50: In this episode of Critical Thinking - Bug Bounty Podcast, Justin catches up with hacking master Mathias Karlsson, and talks about burnout, collaboration, and the importance of specialization. Then we dive into the technical details of MXSS and XSLT, character encoding, and give some predictions of what Bug Bounty might look like in the future… Follow us on twitter at: @ctbbpodcast Send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest Episode Resources How to Differentiate Yourself as a Hunter MutateMethods hackaplaneten Article About Unicode and Character Sets Byte Order Mark: Character Encodings ShapeCatcher WAF Bypass BountyDash EXPLOITING HTTP'S HIDDEN ATTACK-SURFACE Timestamps: (00:00:00) Introduction (00:10:06) Automation Setup and Assetnote Origins (00:16:49) Sharing Tips, and Content Creation (00:22:27) Collaboration and Optimization (00:36:44) Working at Detectify (00:51:45) Bug Bounty Burnout (00:56:15) Early Days of Bug Bounty and Future Predictions (01:19:00) Nerdsnipeability (01:29:38) MXSS and XSLT (01:54:20) Learning through being wrong (02:00:15) Go-to Vulns
	Episode 49: Getting Live Hacking Event Invites & Bug Bounty Collab with Nagli	14 Dec 2023	00:51:33
Episode 49: In this episode of Critical Thinking - Bug Bounty Podcast, Justin Gardner is once again joined by Nagli to discuss some of their recent hacking discoveries. They talk about finding and exploiting a backup file in an ASP.NET app, discovering vulnerabilities through Swagger files, and debating the vulnerability of a specific ‘undisclosed’ domain. Then they reflect on 2023’s Live Hacking Event circuit, and preview what’s to come in 2024’s. This episode sponsored by Wordfence! Wordfence recently launched a game-changer of a bug bounty program with ALL WordPress plugins over 50k installs are in-scope. They are currently paying 6.25x their normal bounty amounts, and have agreed to give CT listeners a 10% bonus on top of that! If you wanna pop some crits and see those bounties roll in, head over to https://ctbb.show/wf for more info and keep an eye on the CTBB Discord for inspiration/collabs. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest Episode Resources: Shockwave Why So Serial New LHE Standards Dropped Timestamps: (00:00:00) Introduction (00:02:37) wwwroot .zip Hack Recap (00:13:44) Swagger File Hack Recap (00:18:27) Undisclosed URL Hack Recap (00:24:29) 2023 LHE Circut Recap (00:37:14) 2024 LHE Preview and New Standards (00:47:22) Bug Bounty Motivation
	Episode 48: MVH, DEFCON Black Badge, Googler - Sam Erb	07 Dec 2023	01:36:45
Episode 48: In this episode, joined by the spectacular Sam Erb, Google Security Engineer and DEFCON Black Badge winner. We talk about the importance of understanding how systems work to find vulnerabilities, and how his engineering background influences his hunting style and methodologies. Then we jump over to his Career Development and his work with Google, and then chat about some of the recent Google Vulnerability Programs. This episode is sponsored by Wordfence! Wordfence recently launched a game-changer of a bug bounty program with ALL WordPress plugins over 50k installs are in-scope. They are currently paying 6.25x their normal bounty amounts, and have agreed to give CT listeners a 10% bonus on top of that! Head over to https://ctbb.show/wf for more info and keep an eye on the CTBB Discord for inspiration/collabs. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! —— Links —— Follow your hosts Rhynorater & Teknogeek on twitter: —— Ways to Support CTBBPodcast —— Sign up for Caido using code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord Discord premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://twitter.com/erbbysam Sam Erbs Static Secret Security Now Podcast BIMI: And https://bimigroup.org/ Google Device Vulnerability Reward Program Initiatives Google Invalid Reports Hacking Google Transcripts (00:00:00) Introduction (00:02:50) Hacker Methodology with Sam Erb (00:12:20) Balancing Bug Hunting and Personal Life (00:15:53) Deep Diving on a program and using automation. (00:27:00) Optimizing Bug Hunting and Understanding Attack Vectors (00:39:22) Collaboration and Boundaries (00:45:42) Career Development and Entrepreneurship (00:55:13) Winning Black Badges at DEFCON (00:58:02) BufferOver (01:09:11) Working at Google (01:19:23) Google Bug Bounty Programs (01:31:41) BONUS Cool Bugs
	Episode 47: CSP Research, Iframe Hopping, and Client-side Shenanigans	30 Nov 2023	01:31:52
Episode 47: In this episode of Critical Thinking - Bug Bounty Podcast, the holidays are fast approaching, and Justin and Joel discuss some of the struggles of getting back into the hacking groove during and after breaks. We also celebrate the newly launched Critical Thinking Discord Community before diving into Iframe Sandwhiches, JS Hoisting, CSP Bypasses, and a host of new tools, techniques, and tangents. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! ThankUNext jswzl Rapid API SSRF Utility tool by Bebiks Tweet from Johan Carlsson Burp Extension from Google VRP Justin's Tweet about JS Hoisting Bypass CSP Using WordPress How to trick CSP in letting you run whatever you want Timestamps: (00:00:00) Introduction (00:01:58) Overcoming Bug Bounty struggles and getting back into the hacking groove (00:07:46) Taking notes and sticking to one program (00:14:50) Critical Thinking Discord, Community highlights, and Competition vs Collaboration (00:22:25) Secondary context bugs and Automationism (00:28:42) ThankUNext and Client-side Paths (00:33:45) Tool Tangents: Jswzl, Caido, Postman, and Rapid API (00:46:49) New SSRF Utility tool by Bebiks and the continuing evolution of hacking tools (00:51:45) Iframe Sandwiches (00:58:54) News Items (01:06:12) JS Hoisting (01:15:05) CSP Bypasses
	Episode 46: The SAML Ramble	23 Nov 2023	00:43:40
Episode 46: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is deep diving the topic of SAML (Security Assertion Markup Language), and walks through what it is and why it can be intimidating, before going over some key attack vectors to look for. Then he closes out with a commentary on a sample payload, and some HackerOne reports. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. KazHACKstan https://kazhackstan.com/en Testing SAML security with DAST https://agrrrdog.blogspot.com/2023/01/testing-saml-security-with-dast.html How to break SAML if I have paws? https://speakerdeck.com/greendog/how-to-break-saml-if-i-have-paws?slide=20 How to Hunt Bugs in SAML; a Methodology https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/ SAML Raider https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e External Entity Injection during XML signature verification https://bugs.chromium.org/p/project-zero/issues/detail?id=2313 mTLS: When certificate authentication is done wrong https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done-wrong/ HackerOne Uber Report https://hackerone.com/reports/136169 Timestamps: (00:00:00) Introduction (00:05:25) Understanding SAML and its complexities (00:08:30) SAML Attack Vectors (00:14:15) XML Signature Wrapping (00:19:50) Some SAML tests to try (00:30:30) Sample Payload description (00:34:10) Token Recipient confusion (00:36:05) HackerOne Reports
	Episode 45: The OG Bug Bounty King - Frans Rosen	16 Nov 2023	02:36:35
Episode 45: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome Frans Rosén, an OG bug bounty hunter and co-founder of Detectify. We kick off with Frans sharing his journey bug bounty and security startups, before diving headfirst into a host of his blog posts. We also cover the value of pseudo-code for bug exploitation, understanding developer terminology, the challenges of collaboration and delegating tasks, and balancing hacking with parenting. If you're interested in bug bounty or entrepreneurship, you won't want to miss it! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Join our Discord! Today's Guest: https://twitter.com/fransrosen Detectify Discovering s3 subdomain takeovers Bucket Disclose A deep dive into AWS S3 access controls Attacking Modern Web Technologies Live Hacking like a MVH Account hijacking using Dirty Dancing in sign-in OAuth flows Timestamps: (00:00:00) Introduction (00:04:50) Franz Rosen's Bug Bounty Journey and the creation of Detectify (00:13:30) Benefits of pseudo-code, typing, and thinking like a developer (00:20:20) Hunter Methodologies (00:35:40) Time on targets, Iteration vs. Ideation, and tips for standing out (00:51:10) S3 subdomain takeovers (01:05:02) Blog posting and hosting motivations (01:13:30) Detectify and entrepreneurial endeavors (01:29:50) Attacking Modern Web Technologies (01:46:00) postMessage and MessagePort (01:58:09) Live Hacking and Collaboration (02:13:50) Account Hijacking and OAuth Flows (02:28:48) Hacking/Parenting
	Episode 89: The Untapped Bug Bounty Landscape of IoT w/ Matt Brown	19 Sep 2024	01:58:03
Episode 89: In this episode of Critical Thinking - Bug Bounty Podcast We’re joined live by Matt Brown to talk about his journey with hacking in the IoT. We cover the specializations and challenges in hardware hacking, and Matt’s personal Methodology. Then we switch over to touch on BGA Reballing, Certificate Pinning and Validation, and some of his own bug stories. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder Today’s Guess Matt Brown: https://x.com/nmatt0 Resources: Decrypting SSL to Chinese Cloud Servers https://www.youtube.com/watch?v=3qSxxNvuEtg mitmrouter https://github.com/nmatt0/mitmrouter certmitm Automatic Exploitation of TLS Certificate Validation Vulns https://www.youtube.com/watch?v=w_l2q_Gyqfo and https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Aapo%20Oksman%20-%20certmitm%20automatic%20exploitation%20of%20TLS%20certificate%20validation%20vulnerabilities.pdf https://github.com/aapooksman/certmitm HackerOne Detailed Platform Standards https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards Timestamps: (00:00:00) Introduction (00:13:33) Specialization and Challenges of IOT Hacking (00:33:03) Decrypting SSL to Chinese Cloud Servers (00:47:00) General IoT Hacking Methodology (01:26:00) Certificate Pinning and Certificate Validation (01:34:35) BGA Reballing (01:43:26) Bug Stories
	Episode 44: URL Parsing & Auth Bypass Magic	09 Nov 2023	01:11:27
Episode 44: In this episode of Critical Thinking - Bug Bounty Podcast, the topic is URL structure, and Justin and Joel break down the elements that make up a URL and some common tips and tricks surrounding them which allow for all sorts of bypasses. We also round out the episode with some new tools, ato stories, and some controversial current events in the hacker scene. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. "XnlReveal" XNL h4ck3r OAuth article by Salt Labs H1 controversy recap ATO through Facebook Login https://twitter.com/Jayesh25_/status/1718543152296939861 https://twitter.com/itscachemoney/status/1721658450613346557 When URL Parsers disagree Golden techniques to bypass host validations in Android apps Mozilla article on HTTP Authentication Breaking Parser Logic talk by Orange Tsai URL Detector SSRF Bible Timestamps: (00:00:00) Introduction (00:04:10) “Xnl-Reveal” (00:07:22) OAuth vulnerabilities (00:13:17) Recap of controversy surrounding the handling of a vulnerability report on H1 (00:18:55) Hacker Success Manager Program (00:22:30) Facebook login ATO (00:27:45) When URL parsers disagree (00:34:34) URL Structures (01:02:22) Shared secrets across environments (01:09:40) Social Media Logins
	Episode 43: Caido - The Up-And-Coming HTTP Proxy	02 Nov 2023	01:00:34
Episode 43: In this episode of Critical Thinking - Bug Bounty Podcast, we're joined by Emile from Caido, who shares his journey into the bug bounty and ethical hacking world. We kick off with a hilarious incident involving Joel, a child on an airplane, and an unfortunate cough. We then dive into the challenges of building an HTTP proxy tool, balancing basic features with nice-to-have features, and the importance of user feedback in shaping the development of Caido, a bug bounty tool. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount on the annual license. Today’s Guest: https://twitter.com/TheSytten Caido https://caido.io/ Caido’s Discord https://discord.com/invite/KgGkkpKFaq VS Code https://code.visualstudio.com/ DNSChef https://github.com/iphelix/dnschef HackMD https://hackmd.io/ Timestamps: (00:00:00) Introduction (00:01:34) Emile’s journey from general infrastructure development to co-founding Caido (00:07:00) The rundown on Caido, a lightweight and flexible HTTP proxy tool (00:11:00) Current and upcoming Caido Features (00:17:00) Caido crew and division of duties (00:19:40) Missing features and feature requests (00:23:49) Decision to use Rust (00:28:25) Workflows and walkthroughs (00:36:27) Intercepts and the Roadmap (00:41:15) Opinions on collaborator Functionality and HTTP Callback (00:46:19) Reporting and Collaboration
	Episode 42: Renniepak Interview & Intigriti LHE Recap	26 Oct 2023	00:59:03
Episode 42: In this episode of Critical Thinking - Bug Bounty Podcast, we're live from a hacking event in Portugal, and joined by the extremely talented René de Sain! He helps us cover a host of topics like NFT, XSS, LHE, and tips for success. We also talk about the correlation between creativity and hacking, shared workspaces, and last but certainly not least, hacker tattoos. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Today’s Guest: https://twitter.com/renniepak https://www.linkedin.com/in/rene-de-sain/ https://app.intigriti.com/researcher/profile/renniepak Hacker Hideout https://hackerhideout.xyz Timestamps: (00:00:00) Introduction (00:04:40) NFT Vulns and web3 hacking (00:08:15) Hacker Tattoos (00:12:30) Intigriti vs. other platforms, and LHE approaches. (00:20:10) Loneliness, budgeting, and the pros and cons of full-time hunting (00:28:36) Target approaches, XSS, and extension tools. (00:37:40) Fostering hacker intuition and relationships (00:47:15) Final thoughts on the Intigriti Event
	Episode 41: Mini Masterclass: Attack Vector Ideation	19 Oct 2023	00:17:09
Episode 41: In this episode of Critical Thinking - Bug Bounty Podcast, Justin takes a break from his busy travel schedule to walk us through a few of his Attack Vector formulation strategies. We’re keeping this one short and sweet, so it can be better used as a reference when looking for new vectors. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Nahamcon talk by Douglas Day https://youtu.be/G1RHa7l1Ys4?t=295 Timestamps: (00:00:00) Introduction (00:02:53) Use the application like a human, not like a hacker (00:05:02) Reading documentation looking for "Cannot" statements (00:08:16) Look at the grayed out areas (00:10:08) Look for information in the API response (00:12:38) Differences in the UI between different accounts (00:13:42) Pay the paywall.

About us Privacy Policy