Podcast Critical Thinking - Bug Bounty Podcast by Justin Gardner (Rhynorater), Joseph Thacker (Rez0), & Brandyn Murtagh (gr3pme) Episodes

Explore every episode of the podcast Critical Thinking - Bug Bounty Podcast

Dive into the complete episode list for Critical Thinking - Bug Bounty Podcast. Each episode is cataloged with detailed descriptions, making it easy to find and explore specific topics. Keep track of all episodes from your favorite podcast and never miss a moment of insightful content.

	Title	Pub. Date	Duration
	Episode 163: Best Technical Takeaways from Portswigger Top 10 2025	26 Feb 2026	01:08:23
Episode 163: In this episode of Critical Thinking - Bug Bounty Podcast It’s that time of year again! We’re looking at the Portswigger Research list of top 10 web hacking techniques of 2025. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme Critical Research Lab: https://lab.ctbb.show/ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== Resources ====== Parser Differentials: When Interpretation Becomes a Vulnerability https://www.youtube.com/watch?v=Dq_KVLXzxH8 XSS-Leak: Leaking Cross-Origin Redirects https://blog.babelo.xyz/posts/cross-site-subdomain-leak/ Playing with HTTP/2 CONNECT https://blog.flomb.net/posts/http2connect/ Next.js, cache, and chains: the stale elixir https://zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixir SOAPwn: Pwning .NET Framework Apps Through HTTP Client Proxies And WSDL https://watchtowr.com/wp-content/uploads/SOAPwnwatchtowr_soappwn-research-whitepaper_10-12-2025.pdf Cross-Site ETag Length Leak https://blog.arkark.dev/2025/12/26/etag-length-leak Lost in Translation: Exploiting Unicode Normalization https://www.youtube.com/watch?v=ETB2w-f3pM4 ORM Leaking More Than You Joined For https://www.elttam.com/blog/leaking-more-than-you-joined-for/ Novel SSRF Technique Involving HTTP Redirect Loops https://slcyber.io/research-center/novel-ssrf-technique-involving-http-redirect-loops/ Successful Errors: New Code Injection and SSTI Techniques https://github.com/vladko312/Research_Successful_Errors ====== Timestamps ====== (00:00:00) Introduction (00:02:33) Parser Differentials: When Interpretation Becomes a Vulnerability (00:11:02) XSS-Leak: Leaking Cross-Origin Redirects (00:18:25) Playing with HTTP/2 CONNECT (00:22:10) Next.js, cache, and chains: the stale elixir (00:29:15) SOAPwn: Pwning .NET Framework Apps Through HTTP Client Proxies And WSDL (00:34:27) Cross-Site ETag Length Leak (00:41:47) Lost in Translation: Exploiting Unicode Normalization (00:47:27) ORM Leaking More Than You Joined For (00:54:07) Novel SSRF Technique Involving HTTP Redirect Loops (00:58:40) Successful Errors: New Code Injection and SSTI Techniques
	Episode 162: HackerOne Training AI on Bug Bounty Data?	19 Feb 2026	00:53:22
Episode 162: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph sit down with HackerOne Founder & CTO Alex Rice to discuss concerns of Using Hacker Data for AI and decreasing bounties. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme Critical Research Lab: https://lab.ctbb.show/ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26 https://ztw.com/ Today’s Guest: https://x.com/senorarroz ====== This Week in Bug Bounty ====== XML external entity: The ultimate Bug Bounty guide to exploiting XXE vulnerabilities https://www.yeswehack.com/learn-bug-bounty/xml-external-entity-guide-xxe?utm_source=Critical_Thinking&utm_medium=Youtube&utm_campaign=XXE_Critical_Thinking&utm_id=XXE_CT Bug Bounty Maturity Framework https://bugbountymaturity.com/ ====== Resources ====== Confidential Information and Confidentiality Obligations https://www.hackerone.com/terms/general#:~:text=HackerOne%20may%20use%20Confidential%20Information%20to%20develop%20and/or%20improve%20its%20Services%20(for%20example%2C%20to%20identify%20trends%2C%20and%20to%20train%20AI%20models)%20provided%20such%20use%20does%20not%20result%20in%20disclosure%20of%20Confidential%20Information%20to%20unauthorized%20third%20parties Ownership and Licenses https://www.hackerone.com/terms/community#:~:text=8.%20Ownership%20and%20Licenses I argued with an AI regarding HackerOne using Hacker reports to train PtaaS https://bugbounty.forum/post/183ff0fc-eb9e-47f8-991d-c0aa5b0bba71 HackerOne PTaaS (likely training their AI on private reports data) https://www.reddit.com/r/bugbounty/comments/1r5hixk/hackerone_ptaas_likely_training_their_ai_on/ What Makes Agentic PTaaS Different in Real Environments https://www.hackerone.com/blog/agentic-penetration-testing-as-a-service#:~:text=Our%20agents%20are,real%20enterprise%20constraints ====== Timestamps ====== (00:00:00) Introduction (00:08:44) HackerOne AI Terms of Service (00:24:56) Agentic PTaaS (00:38:09) Selling data (00:43:49) Decrease in Bounties
	Episode 153: Hacking the Robots of the Future: Hardware, AI, and Bug Bounties with Matt Brown	18 Dec 2025	01:16:50
Episode 153: In this episode of Critical Thinking - Bug Bounty Podcast Matt Brown returns to talk with us about hacking robots, IOT hackbots, and his Zero-to-Hero Hardware Hacking Guide. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Guest: Matt Brown https://x.com/nmatt0 https://github.com/BrownFineSecurity/iothackbot ====== Resources ====== KeeYees USB Logic Analyzer Device Saleae logic analyzer XGecu Hardware Hacking Tutorial by Make Me Hack UART and SPI firmware extraction UART Root Shell on Linux Router UART Shell Jail and Unlocked Bootloader Chinese IP Camera Firmware Extraction Chip-Off Firmware Extraction ====== Timestamps ====== (00:00:00) Introduction (00:01:22) Incremental Session Token Story and Matt Brown Intro (00:10:42) Hardware Bug Bounty Scene & AI on Devices (00:24:30) Hacking Human Robot (00:41:33) Zero-to-Hero Hardware Hacking Guide (01:01:47) IOT Hackbot
	Episode 63: JHaddix Returns	21 Mar 2024	01:21:35
Episode 63: In this episode of Critical Thinking - Bug Bounty Podcast we welcome back Jason Haddix (From Episode 12) to talk about some updates to his The Bug Hunter's Methodology, as well as his own personal life and hacking journey. We talk about the start of his new company, and then venture into topics such as using threat intelligence and buying credentials from the dark web, recon techniques, and ways to integrate AI into your workflow (or target list). Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Today’s Guest: https://twitter.com/Jhaddix https://www.arcanum-sec.com/ Resources: Dehashed https://www.dehashed.com/ Flare https://flare.io/ CSP Recon https://github.com/edoardottt/csprecon Timestamps: (00:00:00) Introduction (00:05:37) Updates to The Bug Hunter's Methodology (00:14:46) Red Teaming (00:21:29) Bug Bounty on the Dark Web (00:36:19) FIS hunting (00:47:59) New Recon Techniques (00:58:32) AI integrations and bounties
	Episode 62: Frontend Language Oddities	14 Mar 2024	00:58:43
Episode 62: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with some additional research resources that didn’t make the Portswigger Top-Ten, but that are worth looking at. Follow us on twitter at: @ctbbpodcast Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Resources: Cool HTML Shit https://twitter.com/jcubic/status/1764311080661082201 https://twitter.com/encodeart/status/1764218128374943764 Bug bounty Hunting Journeys https://twitter.com/ajxchapman/status/1762101366057525521 https://monkehacks.beehiiv.com/p/monkehacks-02 Yelp Cookie Bridge Report Deobfuscating/Unminifying Obfuscated Code ChatGPT Source Watch Web Security Research Reddit Nahamsec Resources Portswigger Nominations list Abusing perspectives: https://hackerone.com/reports/2401115 PortSwigger CSS Exfiltration https://github.com/PortSwigger/css-exfiltration Timestamps: (00:00:00) Introduction (00:02:06) Cool HTML Shit (00:15:31) Bug Bounty Journeys (00:28:01) Yelp Cookie Bridge Bug (00:37:56) Additional Research Resources (00:46:34) CSS and abusing perspectives
	Episode 61: A Hacker on Wall Street - JR0ch17	07 Mar 2024	01:27:00
Episode 61: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Jasmin Landry to share some stories about startup security, bug bounty, and the challenges of balancing both. He also shares his methodology for discovering OAuth-related bugs, highlights some differences between structured learning and self-teaching, and then walks us through a couple arbitrary ATO’s and SSTI to RCE bugs he’s found lately. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: Jasmin Landry https://twitter.com/JR0ch17 Resources: Dirty Dancing blog post https://labs.detectify.com/writeups/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/ OAuth 2.0 Threat Model and Security Considerations https://datatracker.ietf.org/doc/html/rfc6819 OAuth 2.0 Security Best Current Practice https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics Timestamps: (00:00:00) Introduction (00:02:20) Meta Tag + DomPurify Bug (00:09:36) Jasmin's Origin story (00:28:23) Full time Bug bounty challenges (00:36:57) Career jumps in Security and current Role (00:47:32) OAuth Bug methodology and cool bug stories (01:02:35) Social Engineering and Bug Bounty (01:13:41) Arbitrary ATO bug (01:19:41) SSTI to RCE bug
	Episode 60: Our Take on PortSwigger's Top 10 Web Hacking Techniques of 2023	29 Feb 2024	01:24:37
Episode 60: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel review the Portswigger Research list of top 10 web hacking techniques of 2023. Follow us on twitter at: @ctbbpodcast Send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources: Top 10 web hacking techniques of 2023 1: Smashing the state machine 8: From Akamai to F5 to NTLM 3: SMTP Smuggling 4: PHP filter chains (Bonus Read) 5: HTTP Parsers Inconsistencies 6: HTTP Request Splitting 7: How I Hacked Microsoft Teams 9: Cookie Crumbles (Bonus Read) 10: Hacking root EPP servers to take control of zones Timestamps: (00:00:00) Introduction (00:04:26) 1: Smashing the state machine (00:11:56) 8: From Akamai to F5 to NTLM... with love (00:17:11) 3: SMTP Smuggling (00:26:27) 4: PHP filter chains (00:36:40) 5: HTTP Parsers Inconsistencies (00:44:56) 6: HTTP Request Splitting (00:53:43) 7: How I Hacked Microsoft Teams (01:02:25) 9: Cookie Crumbles (01:11:36) 10: EPP Server Takeover
	Episode 59: Bug Bounty Gadget Hunting & Hacker's Intuition	22 Feb 2024	01:39:09
Episode 59: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the concept of gadgets and how they can be used to escalate the impact of vulnerabilities. We talk through things like HTML injection, image injection, CRLF injection, web cache deception, leaking window location, self-stored XSS, and much more. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources: Even Better NahamSec's 5 Week Program NahamCon News CSS Injection Research Timestamps: (00:00:00) Introduction (00:03:31) Caido's New Features (00:15:20) Nahamcon News and 5 week Bootcamp and pentest opportunity (00:19:54) HTML Injection, CSS Injection, and Clickjacking (00:33:11) Image Injection (00:37:19) Open Redirects, Client-side path traversal, and Client-side Open Redirect (00:49:51) Leaking window.location.href (00:57:15) Cookie refresh gadget (01:01:40) Stored XXS (01:09:01) CRLF Injection (01:13:24) 'A Place To Stand' in GraphQL and ID Oracle (01:18:23) Auth gadgets, Web Cache Deception, & LocalStorage poisoning (01:27:46) Cookie Injection & Context Breaks
	Episode 58: Youssef Sammouda - Client-Side & ATO War Stories	15 Feb 2024	01:54:51
Episode 58: In this episode of Critical Thinking - Bug Bounty Podcast we finally sit down with Youssef Samouda and grill him on his various techniques for finding and exploiting client-side bugs and postMessage vulnerabilities. He shares some crazy stories about race conditions, exploiting hash change events, and leveraging scroll to text fragments. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://twitter.com/samm0uda?lang=en https://ysamm.com/ Resources: Client-side race conditions with postMessage: https://ysamm.com/?p=742 Transferable Objects https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Transferable_objects Every known way to get references to windows, in javascript: https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2d Youssef’s interview with BBRE https://www.youtube.com/watch?v=MXH1HqTFNm0 Timestamps: (00:00:00) Introduction (00:04:27) Client-side race conditions with postMessage (00:18:12) On Hash Change Events and Scroll To Text Fragments (00:32:00) Finding, documenting, and reporting complex bugs (00:37:32) PostMessage Methodology (00:45:05) Youssef's Vuln Story (00:53:42) Where and how to look for ATO vulns (01:05:21) MessagePort (01:14:37) Window frame relationships (01:20:24) Recon and JS monitoring (01:37:03) Client-side routing (01:48:05) MITMProxy
	Episode 57: Technical breakdown from Miami Hacking Event - H1-305	08 Feb 2024	00:32:34
Episode 57: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are live from Miami, and recap their experience and share takeaways from the live hacking event. They highlight the importance of paying attention to client-side routing and the growing bug class of client-side path traversal. They also discuss the challenges of knowing when to cut your losses and the value of tracking time and setting goals. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Timestamps: (00:00:00) Introduction (00:03:50) Miami LHE Recap and Takeaways (00:05:57) Keeping time and cutting losses. (00:19:07) Roles and Goals (00:23:33) OAuth (00:28:52) HTML5 image to img Tip
	Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston)	01 Feb 2024	01:47:40
Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston) Episode 56: In this episode of Critical Thinking - Bug Bounty Podcast, Justin sits down with Jon Colston to discuss how his background in digital marketing and data science has influenced his hunting methodology. We dive into subjects like data sources, automation, working backwards from vulnerabilities, applying conversion funnels to bug bounty, and the mayonaise signature 'Mother of All Bugs' Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ WordFence - Sign up as a researcher! https://ctbb.show/wf Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://hackerone.com/mayonaise?type=user Timestamps: (00:00:00) Introduction (00:12:07) Evolving Hacking Methodologies & B2B Hacking (00:23:57) Data Science + Bug Bounty (00:34:37) 'Lead Generation for Vulns' (00:41:39) Ingredients and Recipes (00:49:45) Keyword Categorization (00:54:30) Manual Processes and Recap (01:07:08) Data Sources (01:19:59) Digital Marketing + Bug Bounty (01:32:22) M.O.A.B.s (01:41:02) Burnout Protection and Dupe Analysis
	Episode 55: Popping WordPress Plugins - Methodology Braindump	25 Jan 2024	01:44:04
Episode 55: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by Wordpress Security Researcher Ram Gall to discuss both functionality and vulnerabilities within Wordpress Plugins. Follow us on twitter Send us any feedback here: Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ WordFence - Sign up as a researcher! https://ctbb.show/wf --- Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: Ramuel Gall UpdraftPlus Vuln XML-RPC PingBack Unicode and Character Sets Reflected XSS POP Chain WordpressPluginDirectory Subscriber+ RCE in Elementor Subscriber+ SSRF Unauthed XSS via User-Agent header Timestamps: (00:00:00) Introduction (00:05:55) Add_action & Nonces (00:26:16) Add_filter & Register_rest_routes (00:38:39) Page-related code & Shortcodes (00:50:24) Top Sinks for WP (01:02:19) Echo & SQLI Sinks (01:15:07) Nonce Leak and wp_handle_upload (01:18:16) Page variables & Pop Chains (01:26:55) WP Escalations & Bug Reports
	Episode 54: White Box Formulas - Vulnerable Coding Patterns	18 Jan 2024	01:12:38
Episode 54: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with news items and new projects. Joel shares about his personal scraping project to gather data on bug bounty programs and distribution Next, they announce the launch of HackerNotes, a podcast companion that will summarize the main technical points of each episode. They also discuss a recent GitLab CVE and an invisible prompt injection, before diving into a discussion (or debate) about vulnerable code patterns. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Gitlab CVE https://github.com/Vozec/CVE-2023-7028 https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/ Fix commit: https://gitlab.com/gitlab-org/gitlab/-/commit/abe79e4ec437988cf16534a9dbba81b98a2e7f18 Invisible Prompt Injection https://x.com/goodside/status/1745511940351287394?s=20 Regex 101 https://regex101.com Regex to Strings https://www.wimpyprogrammer.com/regex-to-strings/ Timestamps (00:00:00) Introduction (00:01:54) Joel’s H1 Data Scraping Research (00:19:23) HackerNotes launch (00:21:29) Gitlab CVE (00:27:45) Invisible Prompt Injection (00:33:52) Vulnerable Code Patterns (00:37:51) Sanitization, but then modification of data afterward (00:45:39) Auth check inside body of if statement (00:48:15) sCheck for bad patterns with if, but then don't do any control flow (00:50:21) Bad Regex (01:00:36) Replace statements for sanitization (01:04:32) Anything that allows you to call functions or control code flow in uncommon ways
	Episode 152: GeminiJack and Agentic Security with Sasi Levi	11 Dec 2025	01:21:36
Episode 152: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Sasi Levi from Noma Security to talk about AI and Agentic Security. We also talk about ForcedLeak, a Google Vertex Bug, and debate if Prompt Injection is a real Vuln. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. CHeck out our New Christmas Swag at https://ctbb.show/merch! Today's Sponsor: ThreatLocker. Check out ThreatLocker Elevation Control https://ctbb.show/tl-ec And Noma Security! https://noma.security/ Today’s Guest: https://x.com/sasi2103 ====== This Week in Bug Bounty ====== Vercel Platform Protection Dedicated HackerOne program for Vercel WAF YesWeHack Open Source Programs Android recon for Bug Bounty hunters ====== Resources ====== Sasi's Tweet from 2015 ForcedLeak: AI Agent risks exposed in Salesforce AgentForce Is Prompt Injection a Vulnerability? ====== Timestamps ====== (00:00:00) Introduction (00:09:16) Google Vertex AI Bug (00:29:28) Sasi's Background and Bug Bounty Journey (00:38:55) Resources for AI and Agentic Security Methodology (00:50:34) ForcedLeak (01:02:06) Is Prompt Injection a Vuln?
	Episode 53: 500k/yr as Full-Time Bug Hunter & Content Creator - Nahamsec	11 Jan 2024	01:40:47
Episode 53: In this episode of Critical Thinking - Bug Bounty Podcast,we’re joined by none other than NahamSec. We start by discusses the challenges he faced on his journey in bug bounty hunting and content creation, including personal struggles and the pressure of success.We also talk about finding balance and managing mental energy, going the extra mile, and the importance of planning and setting goals for yourself before he walks us through some Blind XSS techniques. Follow us on twitter at: @ctbbpodcast Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Timestamps: (00:00:00) Introduction (00:01:37) Costs of Content Creation (00:21:12) Hacking 'identities' and Pivoting (00:36:49) Hacking Methodology (00:58:59) Planning, Goals, and Nahamsec's 2023 Performance (01:10:19) Blind XSS (01:35:19) Going the extra mile in Bug Bounty
	Episode 52: Best Technical Content from Year 1 of CTBB Podcast	04 Jan 2024	03:00:00
Episode 52: In this episode of Critical Thinking - Bug Bounty Podcast we're going back and highlighting some of the best technical moments from the past year! Hope you enjoy this best of 2023 Supercut! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Timestamps: (00:00:00) Introduction (00:02:55) Episode 26: Meta tags and base tags in HTML (00:15:20) Episode 27: Client-side path traversal (00:23:18) Episode 27: Cookie bombing + cookie jar overflow (00:35:47) Episode 44: Cross environment authentication bugs (00:43:17) Episode 47: The open-faced Iframe Sandwich (00:50:19) Episode 47: js hoisting and classic Joel nerdsnipe (00:58:28) Episode 29: Sean Yeoh on Subdomains vs IP in recon (01:04:05) Episode 30: Shubs on reversing enterprise software (01:24:58) Episode 30: Shubs on building out a recon flow (01:29:36) Episode 30: Shubs on Hacking IIS Servers (01:36:45) Episode 37: 0xLupin on smart JavaScript analysis tools (01:45:42) Episode 45: Frans Rosen On App cache, Service workers cookie stuffing, and postMessage (02:15:02) Episode 50: Mathias Karlsson on XSLT and MXSS (02:39:26) Episode 27: Assetnote's sharefile RCE (02:48:18) Episode 31: Perforce RCE (02:53:48) Episode 48: Sam Erb's XSLT bug story (02:58:47) Final thoughts and Special Thanks
	Episode 51: Hacker Stats 2023 & 2024 Goals	28 Dec 2023	01:21:31
Episode 51: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are back for the last episode of 2023. We discuss some noteworthy news items including a Hacker One Crit, Caido updates, and some Blind CSS. Then we dive into our own personal ‘Hackers Wrapped’ recap of the year, before laying out some goals for 2024. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources Flow Powertoys Alfred Pyperclip Textgrab CTF Payload Challenge Hacker One Crit Report Blind CSS Injection Timestamps (00:00:00) Introduction (00:08:43) Keyboard Shortcut Utility Systems (00:21:28) CTF Challenge By Frans (00:32:40) Hacker One 25K Crit Disclosure (00:36:31) Caido Searchbar Rework. (00:40:51) Blind CSS Exfiltration (00:44:10) 2023 Personal Bug Bounty Stats (01:01:15) 2024 Personal Bug Bounty Goals
	Episode 50: Mathias 'Fall in a well' Karlsson - Bug Bounty Prophet	21 Dec 2023	02:24:31
Episode 50: In this episode of Critical Thinking - Bug Bounty Podcast, Justin catches up with hacking master Mathias Karlsson, and talks about burnout, collaboration, and the importance of specialization. Then we dive into the technical details of MXSS and XSLT, character encoding, and give some predictions of what Bug Bounty might look like in the future… Follow us on twitter at: @ctbbpodcast Send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest Episode Resources How to Differentiate Yourself as a Hunter MutateMethods hackaplaneten Article About Unicode and Character Sets Byte Order Mark: Character Encodings ShapeCatcher WAF Bypass BountyDash EXPLOITING HTTP'S HIDDEN ATTACK-SURFACE Timestamps: (00:00:00) Introduction (00:10:06) Automation Setup and Assetnote Origins (00:16:49) Sharing Tips, and Content Creation (00:22:27) Collaboration and Optimization (00:36:44) Working at Detectify (00:51:45) Bug Bounty Burnout (00:56:15) Early Days of Bug Bounty and Future Predictions (01:19:00) Nerdsnipeability (01:29:38) MXSS and XSLT (01:54:20) Learning through being wrong (02:00:15) Go-to Vulns
	Episode 49: Getting Live Hacking Event Invites & Bug Bounty Collab with Nagli	14 Dec 2023	00:51:33
Episode 49: In this episode of Critical Thinking - Bug Bounty Podcast, Justin Gardner is once again joined by Nagli to discuss some of their recent hacking discoveries. They talk about finding and exploiting a backup file in an ASP.NET app, discovering vulnerabilities through Swagger files, and debating the vulnerability of a specific ‘undisclosed’ domain. Then they reflect on 2023’s Live Hacking Event circuit, and preview what’s to come in 2024’s. This episode sponsored by Wordfence! Wordfence recently launched a game-changer of a bug bounty program with ALL WordPress plugins over 50k installs are in-scope. They are currently paying 6.25x their normal bounty amounts, and have agreed to give CT listeners a 10% bonus on top of that! If you wanna pop some crits and see those bounties roll in, head over to https://ctbb.show/wf for more info and keep an eye on the CTBB Discord for inspiration/collabs. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest Episode Resources: Shockwave Why So Serial New LHE Standards Dropped Timestamps: (00:00:00) Introduction (00:02:37) wwwroot .zip Hack Recap (00:13:44) Swagger File Hack Recap (00:18:27) Undisclosed URL Hack Recap (00:24:29) 2023 LHE Circut Recap (00:37:14) 2024 LHE Preview and New Standards (00:47:22) Bug Bounty Motivation
	Episode 48: MVH, DEFCON Black Badge, Googler - Sam Erb	07 Dec 2023	01:36:45
Episode 48: In this episode, joined by the spectacular Sam Erb, Google Security Engineer and DEFCON Black Badge winner. We talk about the importance of understanding how systems work to find vulnerabilities, and how his engineering background influences his hunting style and methodologies. Then we jump over to his Career Development and his work with Google, and then chat about some of the recent Google Vulnerability Programs. This episode is sponsored by Wordfence! Wordfence recently launched a game-changer of a bug bounty program with ALL WordPress plugins over 50k installs are in-scope. They are currently paying 6.25x their normal bounty amounts, and have agreed to give CT listeners a 10% bonus on top of that! Head over to https://ctbb.show/wf for more info and keep an eye on the CTBB Discord for inspiration/collabs. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! —— Links —— Follow your hosts Rhynorater & Teknogeek on twitter: —— Ways to Support CTBBPodcast —— Sign up for Caido using code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord Discord premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://twitter.com/erbbysam Sam Erbs Static Secret Security Now Podcast BIMI: And https://bimigroup.org/ Google Device Vulnerability Reward Program Initiatives Google Invalid Reports Hacking Google Transcripts (00:00:00) Introduction (00:02:50) Hacker Methodology with Sam Erb (00:12:20) Balancing Bug Hunting and Personal Life (00:15:53) Deep Diving on a program and using automation. (00:27:00) Optimizing Bug Hunting and Understanding Attack Vectors (00:39:22) Collaboration and Boundaries (00:45:42) Career Development and Entrepreneurship (00:55:13) Winning Black Badges at DEFCON (00:58:02) BufferOver (01:09:11) Working at Google (01:19:23) Google Bug Bounty Programs (01:31:41) BONUS Cool Bugs
	Episode 47: CSP Research, Iframe Hopping, and Client-side Shenanigans	30 Nov 2023	01:31:52
Episode 47: In this episode of Critical Thinking - Bug Bounty Podcast, the holidays are fast approaching, and Justin and Joel discuss some of the struggles of getting back into the hacking groove during and after breaks. We also celebrate the newly launched Critical Thinking Discord Community before diving into Iframe Sandwhiches, JS Hoisting, CSP Bypasses, and a host of new tools, techniques, and tangents. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! ThankUNext jswzl Rapid API SSRF Utility tool by Bebiks Tweet from Johan Carlsson Burp Extension from Google VRP Justin's Tweet about JS Hoisting Bypass CSP Using WordPress How to trick CSP in letting you run whatever you want Timestamps: (00:00:00) Introduction (00:01:58) Overcoming Bug Bounty struggles and getting back into the hacking groove (00:07:46) Taking notes and sticking to one program (00:14:50) Critical Thinking Discord, Community highlights, and Competition vs Collaboration (00:22:25) Secondary context bugs and Automationism (00:28:42) ThankUNext and Client-side Paths (00:33:45) Tool Tangents: Jswzl, Caido, Postman, and Rapid API (00:46:49) New SSRF Utility tool by Bebiks and the continuing evolution of hacking tools (00:51:45) Iframe Sandwiches (00:58:54) News Items (01:06:12) JS Hoisting (01:15:05) CSP Bypasses
	Episode 46: The SAML Ramble	23 Nov 2023	00:43:40
Episode 46: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is deep diving the topic of SAML (Security Assertion Markup Language), and walks through what it is and why it can be intimidating, before going over some key attack vectors to look for. Then he closes out with a commentary on a sample payload, and some HackerOne reports. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. KazHACKstan https://kazhackstan.com/en Testing SAML security with DAST https://agrrrdog.blogspot.com/2023/01/testing-saml-security-with-dast.html How to break SAML if I have paws? https://speakerdeck.com/greendog/how-to-break-saml-if-i-have-paws?slide=20 How to Hunt Bugs in SAML; a Methodology https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/ SAML Raider https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e External Entity Injection during XML signature verification https://bugs.chromium.org/p/project-zero/issues/detail?id=2313 mTLS: When certificate authentication is done wrong https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done-wrong/ HackerOne Uber Report https://hackerone.com/reports/136169 Timestamps: (00:00:00) Introduction (00:05:25) Understanding SAML and its complexities (00:08:30) SAML Attack Vectors (00:14:15) XML Signature Wrapping (00:19:50) Some SAML tests to try (00:30:30) Sample Payload description (00:34:10) Token Recipient confusion (00:36:05) HackerOne Reports
	Episode 45: The OG Bug Bounty King - Frans Rosen	16 Nov 2023	02:36:35
Episode 45: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome Frans Rosén, an OG bug bounty hunter and co-founder of Detectify. We kick off with Frans sharing his journey bug bounty and security startups, before diving headfirst into a host of his blog posts. We also cover the value of pseudo-code for bug exploitation, understanding developer terminology, the challenges of collaboration and delegating tasks, and balancing hacking with parenting. If you're interested in bug bounty or entrepreneurship, you won't want to miss it! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Join our Discord! Today's Guest: https://twitter.com/fransrosen Detectify Discovering s3 subdomain takeovers Bucket Disclose A deep dive into AWS S3 access controls Attacking Modern Web Technologies Live Hacking like a MVH Account hijacking using Dirty Dancing in sign-in OAuth flows Timestamps: (00:00:00) Introduction (00:04:50) Franz Rosen's Bug Bounty Journey and the creation of Detectify (00:13:30) Benefits of pseudo-code, typing, and thinking like a developer (00:20:20) Hunter Methodologies (00:35:40) Time on targets, Iteration vs. Ideation, and tips for standing out (00:51:10) S3 subdomain takeovers (01:05:02) Blog posting and hosting motivations (01:13:30) Detectify and entrepreneurial endeavors (01:29:50) Attacking Modern Web Technologies (01:46:00) postMessage and MessagePort (01:58:09) Live Hacking and Collaboration (02:13:50) Account Hijacking and OAuth Flows (02:28:48) Hacking/Parenting
	Episode 44: URL Parsing & Auth Bypass Magic	09 Nov 2023	01:11:27
Episode 44: In this episode of Critical Thinking - Bug Bounty Podcast, the topic is URL structure, and Justin and Joel break down the elements that make up a URL and some common tips and tricks surrounding them which allow for all sorts of bypasses. We also round out the episode with some new tools, ato stories, and some controversial current events in the hacker scene. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. "XnlReveal" XNL h4ck3r OAuth article by Salt Labs H1 controversy recap ATO through Facebook Login https://twitter.com/Jayesh25_/status/1718543152296939861 https://twitter.com/itscachemoney/status/1721658450613346557 When URL Parsers disagree Golden techniques to bypass host validations in Android apps Mozilla article on HTTP Authentication Breaking Parser Logic talk by Orange Tsai URL Detector SSRF Bible Timestamps: (00:00:00) Introduction (00:04:10) “Xnl-Reveal” (00:07:22) OAuth vulnerabilities (00:13:17) Recap of controversy surrounding the handling of a vulnerability report on H1 (00:18:55) Hacker Success Manager Program (00:22:30) Facebook login ATO (00:27:45) When URL parsers disagree (00:34:34) URL Structures (01:02:22) Shared secrets across environments (01:09:40) Social Media Logins
	Episode 151: Client-side Advanced Topics	04 Dec 2025	01:07:26
Episode 151: In this episode of Critical Thinking - Bug Bounty Podcast we’re covering Client-side advanced topics. Justin talks Joseph (and us) through Third-Party Cookie Nuances, Iframe Tricks, URL Parsing, and more. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today's Sponsor: ThreatLocker. Check out ThreatLocker Elevation Control https://ctbb.show/tl-ec ====== Resources ====== Nowasky's Tweet #1 https://x.com/nowaskyjr/status/1993421017381744974 Nowasky's Tweet #2 https://x.com/nowaskyjr/status/1992717862398800081 rep+ in Chrome DevTools https://x.com/BourAbdelhadi/status/1992622964077179229 Terjanq Post from 2021 https://x.com/terjanq/status/1421093136022048775 ====== Timestamps ====== (00:00:00) Introduction (00:02:58) Client-side news & AI Updates (00:12:02) Third-Party Cookie Nuances & PostMessages (00:30:09) Iframe Tricks (00:47:43) URL Parsing, CSPTS, and Client-side Routes
	Episode 43: Caido - The Up-And-Coming HTTP Proxy	02 Nov 2023	01:00:34
Episode 43: In this episode of Critical Thinking - Bug Bounty Podcast, we're joined by Emile from Caido, who shares his journey into the bug bounty and ethical hacking world. We kick off with a hilarious incident involving Joel, a child on an airplane, and an unfortunate cough. We then dive into the challenges of building an HTTP proxy tool, balancing basic features with nice-to-have features, and the importance of user feedback in shaping the development of Caido, a bug bounty tool. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount on the annual license. Today’s Guest: https://twitter.com/TheSytten Caido https://caido.io/ Caido’s Discord https://discord.com/invite/KgGkkpKFaq VS Code https://code.visualstudio.com/ DNSChef https://github.com/iphelix/dnschef HackMD https://hackmd.io/ Timestamps: (00:00:00) Introduction (00:01:34) Emile’s journey from general infrastructure development to co-founding Caido (00:07:00) The rundown on Caido, a lightweight and flexible HTTP proxy tool (00:11:00) Current and upcoming Caido Features (00:17:00) Caido crew and division of duties (00:19:40) Missing features and feature requests (00:23:49) Decision to use Rust (00:28:25) Workflows and walkthroughs (00:36:27) Intercepts and the Roadmap (00:41:15) Opinions on collaborator Functionality and HTTP Callback (00:46:19) Reporting and Collaboration
	Episode 42: Renniepak Interview & Intigriti LHE Recap	26 Oct 2023	00:59:03
Episode 42: In this episode of Critical Thinking - Bug Bounty Podcast, we're live from a hacking event in Portugal, and joined by the extremely talented René de Sain! He helps us cover a host of topics like NFT, XSS, LHE, and tips for success. We also talk about the correlation between creativity and hacking, shared workspaces, and last but certainly not least, hacker tattoos. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Today’s Guest: https://twitter.com/renniepak https://www.linkedin.com/in/rene-de-sain/ https://app.intigriti.com/researcher/profile/renniepak Hacker Hideout https://hackerhideout.xyz Timestamps: (00:00:00) Introduction (00:04:40) NFT Vulns and web3 hacking (00:08:15) Hacker Tattoos (00:12:30) Intigriti vs. other platforms, and LHE approaches. (00:20:10) Loneliness, budgeting, and the pros and cons of full-time hunting (00:28:36) Target approaches, XSS, and extension tools. (00:37:40) Fostering hacker intuition and relationships (00:47:15) Final thoughts on the Intigriti Event
	Episode 41: Mini Masterclass: Attack Vector Ideation	19 Oct 2023	00:17:09
Episode 41: In this episode of Critical Thinking - Bug Bounty Podcast, Justin takes a break from his busy travel schedule to walk us through a few of his Attack Vector formulation strategies. We’re keeping this one short and sweet, so it can be better used as a reference when looking for new vectors. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Nahamcon talk by Douglas Day https://youtu.be/G1RHa7l1Ys4?t=295 Timestamps: (00:00:00) Introduction (00:02:53) Use the application like a human, not like a hacker (00:05:02) Reading documentation looking for "Cannot" statements (00:08:16) Look at the grayed out areas (00:10:08) Look for information in the API response (00:12:38) Differences in the UI between different accounts (00:13:42) Pay the paywall.
	Episode 40: Bug Bounty Mentoring	12 Oct 2023	01:31:42
Episode 40: In this episode of Critical Thinking - Bug Bounty Podcast, it’s all about mentorships! Justin sits down with Kodai and So, two hackers he helped mentor, to discuss what worked and what didn’t. We talk about the importance of mentorship, what mentors might look for in a candidate, the challenges of transitioning from being mentored to self-education, and the necessity of continuous learning in this ever-evolving field that is bug bounty. This episode is a treasure trove of insights, and if you’re interested in either side of the mentorship coin, you won’t want to miss it. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Today’s Guests: https://twitter.com/weeshter https://twitter.com/Mokusou4 Congrats to @nchickens as our giveaway winner! The Bug Hunter's Methodology Live Course https://jasonhaddix.gumroad.com/l/lycucs Timestamps: (00:00:00) Introduction (00:04:00) Guest backgrounds and introduction into hacking (00:17:49) Where to start Learning and Teaching (00:25:40) Technical Training vs Conceptual Teaching (00:28:34) Mentorship Styles and Techniques. (00:39:15) Moving from being mentored to self-learning (00:46:20) Developing mental resilience and healthy habits (00:50:32) Elements in mentorships that were hard or haven’t worked (01:02:21) Being influenced by other hackers through mentorship or collaboration (01:06:20) Hacking Bilingually and language barriers (01:11:30) Hacking and learning goals for the future
	Episode 39: The Art of Architectures	05 Oct 2023	01:21:15
Episode 39: In this episode of Critical Thinking - Bug Bounty Podcast, We're catching up on news, including new override updates from Chrome, GPT-4, SAML presentations, and even a shoutout from Live Overflow! Then we get busy laying the groundwork on a discussion of web architecture. better get started on this one, cause we're going to need a part two! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater CT shoutout from Live Overflow https://www.youtube.com/watch?v=3zShGLEqDn8 Chrome Override updates https://developer.chrome.com/blog/new-in-devtools-117/#overrides GPT-4/AI Prompt Injection https://x.com/rez0__/status/1706334160569213343?s=20 & https://x.com/evrnyalcin/status/1707298475216425400?s=20 Caido Releases Pro free for students https://twitter.com/CaidoIO/status/1707099640846250433 Or, use code ctbbpodcast for 10% of the subscription price Aleksei Tiurin on SAML hacking https://twitter.com/antyurin/status/1704906212913951187 Account Takeover on Tesla https://medium.com/@evan.connelly/post-account-takeover-account-takeover-of-internal-tesla-accounts-bc720603e67d Joseph https://portswigger.net/bappstore/82d6c60490b540369d6d5d01822bdf61 Cookie Monster https://github.com/iangcarroll/cookiemonster HTMX https://htmx.org/ Timestamps: (00:00:00) Introduction (00:04:40) Shoutout from Live Overflow (00:06:40) Chrome Overrides update (00:08:48) GPT-4V and AI Prompt Injection (00:14:35) Caido Promos (00:15:40) SAML Vulns (00:17:55) Account takeover on Tesla, and auth token from one context in a different context (00:24:30) Testing for vulnerabilities in JWT-based authentication (00:28:07) Web Architectures (00:32:49) Single page apps + a rest API (00:45:20) XSS vulnerabilities in single page apps (00:49:00) Direct endpoint architecture (00:55:50) Content Enumeration (01:02:23) gRPC & Protobuf (01:06:08) Microservices and Reverse Proxy (01:12:10) Request Smuggling/Parameter Injections
	Episode 38: Mobile Hacking Maestro: Sergey Toshin	28 Sep 2023	00:43:29
Episode 38: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome mobile hacking maestro Sergey Toshin (aka @bagipro). We kick off with Sergey sharing his unexpected journey into mobile security, and how he rose to become the number one hacker in both Google Play Security and Samsung Bug Bounty programs. We then delve into the evolving perception of mobile bugs, a myriad of new and existing attack vectors, and discuss Sergey's creation of mobile security company Oversecured. You’re going to want to make time for this one! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today's Guest: https://twitter.com/_bagipro Oversecured https://oversecured.com/ Oversecured Blog https://blog.oversecured.com/ jadx https://github.com/skylot/jadx 'Golden Android Techniques' https://hackerone.com/reports/431002 Timestamps: (00:00:00) Introduction (00:01:28) Sergey Toshin’s hacking journey and achievements (00:08:20) Mobile hacking: Devices and attack vectors (00:12:35) Using Jadx (00:15:40) The creation of Oversecured (00:23:10) The Oversecured Blog and Sharing Information (00:28:08) New Spheres and Strategies of Mobile Hacking (00:35:13) Tips for getting into Mobile Hacking
	Episode 37: Tokyo Hacking & Interview with 0xLupin	21 Sep 2023	01:15:27
Episode 37: In this episode of Critical Thinking - Bug Bounty Podcast we're joined by none other than Lupin himself! We recap the Tokyo LHE and the lessons we learned from it before diving into his legendary journey into security research and bug bounty. We also talk collaboration of all kinds: pair hacking, joining a team, and starting a business together. We even touch on some great tools that can collaborate with each other! This was a fun one, and we don't want you to miss it! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guest: https://twitter.com/0xLupin Lupin and Holmes https://landh.tech/ JSWZL https://jswzl.io/ Cursor https://cursor.so/ Clairvoyance https://github.com/nikitastupin/clairvoyance Tweet about Command Injections https://twitter.com/win3zz/status/1703702550372078074 James Kettle article on security research https://portswigger.net/research/so-you-want-to-be-a-web-security-researcher Timestamps: (00:00:00) Introduction (00:01:00) Lessons learned from the latest LHE (00:09:30) JSWZL and the Cursor Combo (00:19:15) The Legend of Lupin (00:34:35) Code and Collaborating (00:38:48) Requests, Automation, and Testing (00:50:28) Joel's Helper scripts (00:52:50) Teamwork and Pair Hacking (00:57:29) Tips for learning to Hack (01:00:35) UUID and CTF (01:08:35) Dynamics of Collaboration with French Team
	Episode 36: Bug Bounty Ethics & CT Exclusive Bug Reports	14 Sep 2023	01:03:59
Episode 36: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel take a break from LHE prep to answer questions about the ethics of bug bounty and share their recent bug finds. We talk Iframes, mobile intercept proxies, open redirects, and that time Justin got shot at… Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Timeshifter: https://www.timeshifter.com/ Tweet about Google Open Redirect https://twitter.com/Rhynorater/status/1697357773690818844 Tweet about XSS Exploitation https://twitter.com/Rhynorater/status/1698059391700701424 Request Minimizer https://portswigger.net/bappstore/cc16f37549ff416b990d4312490f5fd1 Timestamps: (00:00:00) Introduction (00:02:45) Hacker One LHE Preview (00:05:40) Is Bug Bounty Inherently Ethical (00:19:25) Ethics of Going out of scope (00:27:56) Justin’s story of getting shot at (00:30:22) Setting up a mobile intercept proxy (00:33:40) How to approach a new target (00:40:30) Google Open Redirect (00:43:35) Recent XSS Exploitation (00:46:28) ATO Trick (00:50:25) Joel’s Bug Report (00:55:40) Justin’s Bug Report
	Episode 35: King of Collaboration: Douglas Day	07 Sep 2023	01:25:24
Episode 35: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome Douglas Day, a bug bounty hunter known for his unique methodologies and collaborative spirit. We talk about his approach to finding new endpoints in applications, his ingenious technique of exploiting Intercom widgets, and collaboration preferences and tips at LHEs. We also touch on the struggle of justifying hobbies that don't generate income and the importance of finding enjoyment in the process.We hope you enjoy this episode as much as we did! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guest: https://twitter.com/ArchAngelDDay https://hackerone.com/the_arch_angel https://bugcrowd.com/arch_angel 100 Short Bug Bounty Rules https://twitter.com/ArchAngelDDay/status/1661924038875435008 Blog about Intercom https://dday.us/2021/11/03/h1vendorATO.html Blog about Mapping Hacking http://dday.us/2021/10/09/Mapyourhacking.html Timestamps: (00:00:00) Introduction (00:03:01) Douglas Day’s infosec and LHE intro (00:10:42) Evolution and philosophy of collaboration (00:23:08) Balancing Collaboration and Money (00:29:43) Recap of 100 Short Bug Bounty Rules (00:37:15) Bug-hunting Methodology (00:45:45) Using match and replace to find new endpoints in bug hunting (00:49:07) Exploiting Intercom widgets (00:52:35) Facing Failure and enjoying the journey (00:57:00) Managing work-life balance (01:05:55) Auth-Z testing and documentation (01:12:25) Vulnerabilities in applications (01:17:05) Mapping Hacking Sessions
	Episode 34: Program vs Hacker Debate	31 Aug 2023	02:10:50
Episode 34: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel have both beaten COVID and now square off against each other in a mega-debate representing hackers and program managers respectively. Among the topics included are Disclosures, Dupes, Zero-Day Policy, payouts, budgets, Triage and Retesting. So, if you want blood-pumping, insult-hurling opinion-invalidating debate…then maybe look somewhere else. But if a thought-provoking discussion about bug bounty is more your style, then take a seat and get ready! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Prompt Injection Primer for Engineers https://twitter.com/rez0__/status/1695078576104833291 Portswigger on XSS https://twitter.com/PortSwiggerRes/status/1691812241375424983 Gunner Andrews talk https://www.youtube.com/watch?v=aaDe1ADh5KM Jhaddix live training Givaway https://tbhmlive.com/ ctbb.show/giveaway New Website ctbb.show Fight music composed by Dayn Leonardson https://www.daynleo.com/ Timestamps: (00:00:00) Introduction (00:02:00) Joel’s DEFCON Recap (00:04:45) Prompt Injection Primer for Engineers by Rez0 (00:07:00) Portswigger Research and XSS (00:08:36) Gunnar Andrews' talk on serverless architecture (00:10:10) ‘Bug Hunter Methodology’ Course Giveaway The Debate (00:13:34) Zero-Day Policy and Payment for Vulnerabilities (00:25:40) Disclosure (00:33:52) Dupes (00:51:23) CVSS (01:02:25) Budgets and Payouts (01:15:00) Triage and Retesting (01:34:55) Withholding Reports (01:41:50) Root Cause Analysis (01:52:25) Interacting with hacker reports from a security standpoint. (01:58:50) Internal Activity on a Report (02:01:15) Cost of running Bug Bounty Programs and LHE’s
	Episode 150: ASP.NET MVC Patterns, Popping Oracle Identity, and Esoteric Subdomain Enumeration	27 Nov 2025	00:57:20
Episode 150: In this episode of Critical Thinking - Bug Bounty Podcast we're highlighting some cool news and research, but not before expressing our gratitude to the Hacker community. We are so thankful for you all! Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today's Sponsor: ThreatLocker. Check out ThreatLocker Elevation Control https://ctbb.show/tl-ec ====== This Week in Bug Bounty ====== Cache Overflow on Cloudflare ====== Resources ====== Breaking Oracle’s Identity Manager Who Needs a Blind XSS? ASP.NET MVC View Engine Search Patterns Heretic Lesser known techniques for large-scale subdomain enum Antigravity – Known Issues Bug Bounty Daily Caido version of AssetNote Surf ====== Timestamps ====== (00:00:00) Introduction (00:09:47) Breaking Oracle’s Identity Manager & Who Needs a Blind XSS? (00:20:37) ASP.NET MVC View Engine Search Patterns & Heretic (00:29:04) Lesser known techniques for large-scale subdomain enum (00:35:29) Gemini 3 & Antigravity. (00:45:57) Bug Bounty Daily (00:52:42) Surf for Caido
	Episode 33: The Master of Hacker Show&Tell: Inti De Ceukelaire	24 Aug 2023	01:22:01
Episode 33: In this episode of Critical Thinking - Bug Bounty Podcast, we welcome Inti De Ceukelaire, a seasoned bug hunter known for his creative storytelling and impactful show-and-tell bugs…and let us tell you, his stories do not disappoint! From his bug bounty journey to some pretty wild hacks, Inti captivates us as only Inti can. We discuss the potential life-saving impact of bug bounty reports, especially in areas such as transportation and medical devices. We also cover hacker mentality, the benefits of objective-based challenges, and the need for collaboration and alignment within the bug bounty community. It’s a mesmerizing episode, so sit back and be swept away by Inti’s tales. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guest: https://twitter.com/securinti Inti's Shopify Show-and-Tell https://hackerone.com/reports/1086108 Hakluke's article on Bug Bounty Standards https://github.com/hakluke/bug-bounty-standards Researching MissingNo Glitch in Pokemon https://youtu.be/p8OBktd42GI Intigriti https://www.intigriti.com/ Timestamps: (00:00:00) Introduction (00:03:01) Show-and-Tells and Storytelling in Live Hacking Events (00:08:30) Impact Assessment and the potential real-life significance of reporting vulnerabilities. (00:13:50) Ethical dilemmas, gaming the systems, and safe harbor. (00:23:30) Inti’s Hacking Journey (00:27:26) Hacker mentality, brainstorming, and goal-setting. (00:46:28) The benefit of mental resets, fresh perspectives, and ‘surprise collaboration’ (00:52:55) Inti’s Story 1: CSS Injection bugs (01:06:20) Inti’s Story 2: The Ticket Trick (01:14:00) Inti’s Story 3: The Gotcha PasswordBug (01:18:30) Upcoming Intigriti Live Hacking Event
	Episode 32: The Great Write-up Low-down	17 Aug 2023	01:01:05
Episode 32: In this episode of Critical Thinking - Bug Bounty Podcast, Joel caught a nasty bug (no, not that kind) so Justin is flying solo, and catches us up to speed on what's been happening in hacking news. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Smashing the State article https://portswigger.net/research/smashing-the-state-machine?ps_source=portswiggerres&ps_medium=social&ps_campaign=race-conditions Nagles Algorithm https://en.wikipedia.org/wiki/Nagle%27s_algorithm HTTP/2 RFC https://httpwg.org/specs/rfc7540.html Tweet by Alex Chapman https://twitter.com/ajxchapman/status/1691103677920968704?s=20 Cookieless Duodrop IIS Auth Bypass https://soroush.me/blog/2023/08/cookieless-duodrop-iis-auth-bypass-app-pool-privesc-in-asp-net-framework-cve-2023-36899/ Xss and .Net https://blog.isec.pl/all-is-xss-that-comes-to-the-net/ Shopify Account Takeover https://ophionsecurity.com/blog/shopify-acount-takeover Short Name Guesser https://github.com/projectmonke/shortnameguesser Hacking Points.com https://samcurry.net/Points-com/ Hacking Starbucks https://samcurry.net/hacking-starbucks/ Bug Bounty Tag Request https://twitter.com/ajxchapman/status/1688892093597470720 Sandwich Attack https://www.landh.tech/blog/20230811-sandwich-attack Timestamps: (00:00:00) Introduction (00:01:25) Smashing the State (00:11:30) HTTP/2 RFC (00:17:30) Cookieless Duodrop IIS Auth Bypass (00:24:45) Takeovers and Tools (00:32:30) Sam Curry writeup (00:53:10) Community requests (00:55:10) Sandwich Attacks
	Episode 31: Alex Chapman - The Man of Many Crits	10 Aug 2023	01:24:45
Episode 31: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to be joined by Alex Chapman, a seasoned InfoSec hacker and bug bounty hunter. We kick off with Alex sharing his hacking journey, from a guest lecturer that inspired him, to working on internal Red Teams, to his transition to working with HackerOne, and finally as a bug bounty hunter focusing on searching out those few, high impact bugs. We also discuss the power of collaboration, the challenges of balancing hacking with other responsibilities, and the necessity of flexibility and taking breaks in bug bounty work. Don't miss this episode where we explore the depths of bug bounty with Alex Chapman! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guest: https://twitter.com/ajxchapman @ajxchapman@infosec.exchange https://ajxchapman.github.io/ https://hackerone.com/ajxchapman?type=user Perforce RCE https://hackerone.com/reports/1830220 https://ajxchapman.github.io/bugreports/2019/04/04/perforce-local-file-disclosure.html (00:00:00) Introduction (00:01:50) Alex Chapman's InfoSec journey and evolution (00:05:55) Real-world experience vs. chasing degrees, and the pivot into Bug Bounty (00:13:12) The benefit of programming knowledge (00:16:50) Experience in Internal Red Team and hacker mentalities. (00:23:35) Transitioning to HackerOne and full time Bug Bounty (00:33:37) Bug Bounty tips, time management, and best practices (00:41:00) The importance of note-taking and organizational tools (00:46:27) Hunting Methodologies and focusing on Critical Exploitations (01:02:37) Collaboration in the hacking community (01:06:00) Binary Exploitation and Source Code Review (01:10:59) Configuration file injections (01:17:38) Justin vs. Alex at a LHE
	Episode 30: Recon Legend Shubs - From Burgers to Bounties	03 Aug 2023	01:19:25
Episode 30: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to be joined by renowned bug bounty hunter Shubs. We kick off with him sharing his journey from burgers to bugs, and how his friendly rivalry with a fellow hacker fueled his passion for reconnaissance, as well as his love of collaboration. We then shift gears to talk about the art of debugging, ethics and economics of bug bounty hunting, the transition to Entrepreneur, and the evolution of Assetnote from a reconnaissance tool to enterprise security software suite. This one’s a banger, and we don’t want you to miss it! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guest: @infosec_au Intro Shoutouts https://twitter.com/bebiksior https://cvssadvisor.com/ Assetnote https://www.assetnote.io/ https://twitter.com/assetnote Bishop Fox https://bishopfox.com/ Shortscan https://github.com/bitquark/shortscan XXE Payload https://gist.github.com/Rhynorater/d0d19f757221a916a22476c3a5c6aba2 Timestamps (00:00:00) Introduction (00:05:48) History as a Hacker: Recon, rivalries, and Riot Games (00:12:13) Collaboration and Community in Bug Bounty (00:18:19) The Art of Debugging (00:21:48) Assetnote News and overview (00:30:43) CVE reversing (00:32:58) Zero-day vulns (00:42:48) Bug Bounty Ethics and Economics (00:52:53) Bug Bounty and Entrepreneurship (01:03:58) Business lessons learned (01:07:48) Advice for Hunters looking to grow (01:12:38) IIS Server Techniques
	Episode 29: Live Episode with Sean Yeoh - Assetnote Engineer	27 Jul 2023	00:59:40
Episode 29: In this episode of Critical Thinking - Bug Bounty Podcast sit down with Assetnote Engineer Sean Yeoh, and pick his brain about what he's learned on his development journey. We talk about the place and importance of message brokers, and which ones we like best, as well as his engineering philosophy regarding bottleneck prevention and the importance of pursuing optimization. Don't miss this episode of terrific technical tips! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guest: https://twitter.com/seanyeoh Assetnote https://www.assetnote.io/ https://twitter.com/assetnote XKCD automation graph https://xkcd.com/1319/ Github repository https://github.com/alex/what-happens-when Article about Queues https://archive.is/Nan4e NATS https://nats.io/ MongoDB https://www.mongodb.com/ Timestamps: (00:00:00) Introduction (00:01:18) Story of Assetnote (00:05:20) Message Brokers and event-driven architectures (00:11:15) Preventing bottlenecks and pursuing optimization (00:21:35) Using a profiler (00:28:30) Choosing a Message Broker (00:33:00) Kubernetes and Conntrack Limits (00:37:13) Databases (00:46:30) Bug bounty tips: Sub-domain vs. IP Address (00:51:15) Engineering quandaries (00:53:38) DNS Wildcards
	Episode 28: Surfin' with CSRFs	20 Jul 2023	01:18:05
Episode 28: In this episode of Critical Thinking - Bug Bounty Podcast, the CSRF’s up, dude! We kick off with a debate about whether or not deep link vulns in mobile apps can be considered CSRF. We also talk browser extensions and tools like Hackbar, PwnFox, and JS Weasel, and Justin tries to invent a whole new vuln term. There’s plenty of good stuff here, so what are you waiting for? Jump on in! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater rez0's latest tip https://twitter.com/rez0__/status/168134822190014466019 Hackbar https://addons.mozilla.org/en-US/firefox/addon/hackbartool/ PwnFox https://twitter.com/adrien_jeanneau/status/1681364665354289152 JS Weasel https://www.jswzl.io/ Charlie Eriksen https://twitter.com/CharlieEriksen Link to talk by Rojan https://twitter.com/uraniumhacker/status/1681381857383030785 Bypassing GitHub's OAuth flow https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html Great SameSite Confusion https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/ Check out Nahamsec's Channel https://www.youtube.com/c/nahamsec Timestamps: (0:01:45) The deep link debate (00:08:00) LHE and in-person interviews (00:09:25) SQLMAP and raw requests (00:11:11) Hackbar, PwnFox, and browser extensions (00:16:45) JS Weasel tool and its features (00:25:28) Rojan's Research and Public Talks (Start of main content) (00:28:36) Cross-Site Request Forgery (CSRF) (00:35:00) Bypassing GitHub's OAuth flow (00:45:00) A Small SameSite Story (00:48:50) CSRF Exploitation Techniques (01:07:15) CSRF Bug Stories (01:15:30) NahamSec and DEFCON
	Episode 27: Top 7 Esoteric Web Vulnerabilities	13 Jul 2023	01:20:16
Episode 27: In this episode of Critical Thinking - Bug Bounty Podcast, we've switched places and now Joel is home while Justin is on the move. We break down seven esoteric web vulnerabilities, and talk Cookies, Config File Injections, Client-side path traversals and more. We also briefly discuss appliance hacking, new tools, and shout out some new talent in the hacking space. Don't miss this episode full of cool vulns, and experience Justin's vocal decline in real time. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Encrypted Doesn't Mean Authenticated: https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/ Tweet about headless chrome browser https://twitter.com/bhavukjain1/status/1678719047209484288?t=NWnZvwHTRMyH_lVC-uXe0g&s=19 Shout out to new talent within the hacking space https://twitter.com/haxrob https://twitter.com/atc1441 Tweet about hacking Google Search Appliance https://twitter.com/orange_8361/status/1677378401957724160 Bitquark releases shortscan https://twitter.com/bitquark/status/1677647450989838338 Hacking Starbucks https://samcurry.net/hacking-starbucks/ Justin's CookieJar Tool https://apps.rhynorater.dev/checkCookieJarOverflow.html HackTricks https://book.hacktricks.xyz/pentesting-web/hacking-with-cookies/cookie-jar-overflow XSLeak https://xsleaks.dev Timestamps: (00:00:00) Introduction (00:04:00) Assetnote on ShareFile RCE (00:13:05) Headless Browsers (00:17:00) Hacker Content Creators (00:22:51) Appliance Hacking (00:30:31) Shortscan Release (Start of main content) (00:35:39) Config File Injection (00:44:00) Client-side Path Traversal (00:51:33) Cookie Bombing (00:58:00) Cookie Jar Overflow (01:03:50) XSLeak (01:10:49) UNC Path Injection (01:15:50) Impactful Link Hijack
	Episode 26: Client-side Quirks & Browser Hacks	06 Jul 2023	01:33:20
In this episode of Critical Thinking - Bug Bounty Podcast, we're back with Joel, fresh (haha) off of back-to-back live hack events in London and Seoul. We compare the different vibes of each LHE, then we dive into the technical thick of it, and talk web browsers, XSS vectors, new tools, CVSS 4. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ______ Hunting for NGINX alias traversals in the wild PortSwigger Tweet Soroush's Follow-up Tweet about magic math element <22 weird XSS behavior Lupin’s follow-up Patch diffing Changes to CVSS 4.0 Ask FIRSTdotORG what's going on Jsluise JS import() behavior 'JavaScript for Hackers' CSP Evaluator: Dom Clobbering HTML Injection Cheat Sheet Gareth Heyes website/game ______ Timestamps: (00:00:00) Introduction (00:04:10) LHE Vibes (00:07:45) "Hunting for NGINX alias traversals in the wild" (00:12:30) Payouts in BB programs (00:16:05) New XSS vectors and popovers (00:24:15) The "magical math element" in Firefox (00:27:15) LiveOverflow on HTML parsing quirks (00:32:10) Mr. Tux Racer, Woocommerce, and WordPress (00:40:00) Changes in the CVSS 4 draft spec (00:45:00) TomNomNom's new tool Jsluise (00:51:15) JavaScript's import function & "JavaScript for Hackers" (01:09:15) Prototype pollution & DOM clobbering (01:18:10) Base tags and CSS Games
	Episode 25: 2xMVH & Multi-million dollar hacker Inhibitor181	29 Jun 2023	01:11:35
Episode 25: In this episode of Critical Thinking - Bug Bounty Podcast we talk to Cosmin (@Inhibitor181), fresh off of winning his 2nd MVH! We chat about the time management and strategy of hacking Multi-Target LHEs, determining when to pivot, and how to find normalcy in bug bounty hunting and Live Hacking Events. We also touch on setting up Vuln Pipelines, creating mental models, and Cosmin's terrifying naming schemes. Don't miss this episode packed with both laughs and valuable insights for beginners and seasoned bug bounty hunters alike. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guest: https://twitter.com/inhibitor181 Justin's weird episode with all the Dr. Suess Shit https://rss.com/podcasts/ctbbpodcast/966055/?listen-on=true Timestamps: (00:00:00) Introduction (00:02:52) MVH club and Multi-Target stragety (00:12:00) Deciding when to pivot (00:17:00) File Organization and 'unique' naming approaches (00:23:56) Staying up to date on features and updates (00:25:46) Hacking Sleep Habits (00:28:15) Finding 'Normal Life' in bug bounty and LHE (00:33:30) Vuln Pipelines, Wordlists, and full time bug bounty tips (00:44:15) Benefits of the Bug Bounty Community (00:47:45) Relationships with target companies and programs (00:53:15) Creating mental models (01:00:30) The Importance of writing good reports (01:04:30) How to choose what to hack
	Episode 24: AI + Hacking with Daniel Miessler and Rez0	22 Jun 2023	01:03:49
Episode 24: In this episode of Critical Thinking - Bug Bounty Podcast, we chat with Daniel Miessler and Rez0 about the emergence and potential of AI in hacking. We cover AI shortcuts and command line tools, AI in code analysis and the use of AI agents, and even brainstorm about the possible opportunities that integrating AI into hacking tools like Caido and Burp might present. Don't miss this episode packed with valuable insights and cutting-edge strategies for both beginners and seasoned bug bounty hunters alike. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guests: https://twitter.com/rez0__ https://twitter.com/DanielMiessler Daniel Miessler’s Unsupervised Learning https://danielmiessler.com/ Simon Willison's Python Function Search Tool https://simonwillison.net/2023/Jun/18/symbex/ oobabooga - web interface for models https://github.com/oobabooga/text-generation-webui State of GPT https://karpathy.ai/stateofgpt.pdf AI Canaries https://danielmiessler.com/p/ai-agents-canaries GPT3.5 https://community.openai.com/t/gpt-3-5-turbo-0613-function-calling-16k-context-window-and-lower-prices/263263 GPT Engineer https://github.com/AntonOsika/gpt-engineer Timestamps: (00:00:00) Introduction (00:05:40) Using AI for hacking: Developing hacking tools and workflow shortcuts (00:11:40) GPT Engineer and Small Developer for Security Vulnerability Mapping (00:22:40) The potential dangers of centralized vs. decentralized finance (00:24:10) Ethical hacking and circumventing ChatGPT restrictions (00:26:09) AI Agents, Reverse API, and Encoding/Decoding Tools (00:31:45) Limitations of AI in context window and processing large JavaScript files (00:36:50) Meta-prompter: Enhancing prompts for accurate responses from GPT (00:41:00) GPT-35 and the new 616K context model (45:08) Creating a loader for Burp Suite files or Caido instances (00:54:02) Hacking AI Features: Best Practices (01:00:00) AI plugin takeover and the need for verification of third-party plugins and tools
	Episode 149: DEFCON Debrief: AI Vulns, Unicode Weirdness, and Wild Vulnerability Chains	20 Nov 2025	01:02:33
Episode 149: In this episode of Critical Thinking - Bug Bounty Podcast The DEFCON videos are up, and Justin and Joseph talk through some of their favorites. Follow us on X Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== Resources ====== Unicode surrogates conversion Prompt. Scan. Exploit Breaking into thousands of cloud based VPNs with 1 bug Examining Access Control Vulnerabilities in GraphQL Smart Bus Smart Hacking Passkeys Pwned Bypassing Intent Destination Checks Gemini Agents in Google Calendar Exploitation of DOM Clobbering Vuln at Scale TheHulk Smart Devices, Dumb Resets Mac PRT Cookie Theft ====== Timestamps ====== (00:00:00) Introduction (00:10:10) Prompt. Scan. Exploit (00:23:52) Breaking into thousands of cloud based VPNs with 1 bug (00:33:25) Access Control Vulns in GraphQL, Smart Bus Hacking, & Passkeys Pwned (00:44:10) Bypassing Intent Destination Checks & Invoking Gemini Agents (00:57:08) DOM Clobbering, Mac PRT Cookie Theft, & Smart Devices, Dumb Resets
	Episode 23: Hacker Loadouts	15 Jun 2023	01:14:34
Episode 23: In this episode of Critical Thinking - Bug Bounty Podcast, we delve into a different aspect of hardware - Our personal loadouts. We go through the equipment and gear we use to get our jobs done, and share stories about why we picked what we have. We also touch on live hacking events, the growing acceptance of white hat hacking, and some pretty cool news going on in the hacker world. Don't miss this episode packed with tips and strategies for both beginners and seasoned hackers alike! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Blog post on hacking root EPP servers https://hackcompute.com/hacking-epp-servers/ Behind this Website: https://github.com/jonkeegan/behind-this-website Tweet about vRealize Network Insight: https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/ Zoom's new vulnerability impact scoring system: https://viss.zoom.com/specifications Uplift Desks https://www.upliftdesk.com/ Synergy https://symless.com/synergy Ahnestly chair reviews: https://www.youtube.com/c/Ahnestly Our producer’s new audio drama ‘Homicide at Heavensgate’ https://link.sentinelstudios.net/homicide Timestamps: (00:00:00) Introduction (00:02:28) Navigating hacking events and imposter syndrome (00:06:30) Blog post on hacking root EPP servers (00:10:01) The growing acceptance of white-hat hacking (00:12:25) Finding Website Owners and Contact Information (00:16:45) VMware vRealize Network Insight CVEs and nginx reverse proxy bypass (00:21:30) Zoom's new vulnerability impact scoring system (00:27:24) The Importance of Analyzing Systemic Problems in Black Box Testing (00:30:40) Documentation, Vulnerable by Design, and acceptable risk (Start of main content) (00:34:37) Leveling up your Hacker Setup (00:37:13) The Importance of your body (00:41:30) Investing in ergonomic equipment for computer work (00:42:27) Standing Desks: Uplift Desk and DIY standing desk options (00:46:00) Portable Tables: Flexible Workspace Solutions (00:47:30) Monitor Setup (00:54:40) Synergy: One keyboard and mouse across multiple devices (00:57:20) Capture Card: Using it as a software display (00:58:58) Keyboards and mice (01:03:27) Using a Chromebook for lightweight hacking (01:08:57) Chair Reviews: The Niche World of High-End Chairs
	Episode 22: Chipping Away at Hardware Hacking	08 Jun 2023	01:11:48
Episode 22: In this episode of Critical Thinking - Bug Bounty Podcast we talk about some basic/intermediate concepts related to Hardware Hacking. Specifically, we dive into extracting data from eMMC chips in order to get our hands on source code for IoT devices. Don't miss this episode packed with valuable insights, tips, and strategies for beginners and seasoned bug bounty hunters alike! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Checkout NahamCon: https://bit.ly/42vnpMS RiverLoop Security Write-up: https://bit.ly/3oSKL1o Good Chip-Off Write-up: https://bit.ly/3IWym3q Scratching chips to expose pins: https://bit.ly/45Tj21i https://bit.ly/3oJJt8Z Chat with Corben on Degrees: https://youtu.be/N9P5PUx-PNQ?t=2311 Gareth Hayes Tweet: https://bit.ly/3qvFNYW Huntress - John Hammond - MoveIt Response: https://bit.ly/42vTTXv Critical Thinking Hardware Hacking Setup - See the gear we're talking about (Affiliate links): https://linke.to/hardwarehackingset Timestamps: (00:00:00) Introduction (01:03) NahamCon's Live Hacking Event and Justin's Presentation on PCI DSS (02:40) Depreciation of Data URLs in SVG Use Element (04:55) Gareth Hayes and knowledge sharing in the hacking community (07:50) Move It vulnerability and and John Hammond’s epic 4 am rants (12:18) Identifying promising leads in bug bounty hunting, and knowing when to move on (Start of main content) (21:40) Hardware Recon, and using Test Pins to Access EMMC Chip (26:16) Identifying Chip Pinouts and Continuity Testing (29:01) Using Logic Analyzers for Hardware Hacking (33:01) Importance of Fundamental Knowledge in Hacking, and the benefits of understanding Electrical Engineering (35:46) Replay Protected Memory Block Protocol (40:00) Bug Bounty Programs and Hardware Testing Support (41:05) Chip Pulling techniques and Essential Equipment for Hardware Hacking (59:50) Tips for Buying Hardware Hacking Tools: Research and Specific Use Cases (01:06:35) Hardware Hacking: Just scratching the surface. (01:08:45) Vulnerability Disclaimer: Pulling OS from a chip does not constitute a Vulnerability.
	Episode 21: Chill Chat with Legendary DoD Hacker Corben Leo	01 Jun 2023	01:13:50
In this episode of Critical Thinking - Bug Bounty Podcast, we chat with Corben Leo about his journey in bug bounty hunting and ethical hacking. We discuss the state of DNS rebinding in 2023, a Twitter thread by Douglas Day (@ArchAngelDDay) on one-hundred bug bounty rules, and our own unique approaches to bug hunting. We also discuss Corben's recon-focused bug hunting methodology and how he developed it. Don't miss this episode filled with valuable tips, insights, and Corben's Boring Mattress Company. Follow us on twitter at: @ctbbpodcast Get on our newsletter for some exclusive content: https://www.criticalthinkingpodcast.io/subscribe We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Today’s Guest: https://twitter.com/hacker_ Article on the State of DNS Rebinding in 2023: https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/ See @ArchAngelDDay's twitter thread about 100 bug bounty rules: https://twitter.com/ArchAngelDDay/status/1661924038875435008 Talkback - Cybersecurity news aggregator: https://talkback.sh/ PyPI announces mandatory 2FA: https://www.bleepingcomputer.com/news/security/pypi-announces-mandatory-use-of-2fa-for-all-software-publishers/ Timestamps: (00:00:00) Introduction (01:05) State of DNS rebinding in 2023 (04:40) 100 Bug Bounty Rules by @ArchAngelDDay (05:30) Give yourself a ‘no bug’ limit (07:00) The value of reporting Low and Medium Bugs for Bug Bounty Programs (11:15) Reporting Out of Scope Bugs (14:30) Reporting IDORs as Access Control Bugs (17:28) Talkback (18:12) PyPI's mandatory 2FA implementation for software publishers (Start of main content) (20:07) Starting out in bug bounty/ethical hacking (25:00) Hacking methodology and mentorship (28:15) Identifying Load Balancers (33:20) Triage and live events: (38:30) College and Computer Science vs. Cybersecurity (45:45) Importance of writing for the Hacker Community (51:21) Storytelling and report writing. (55:00) When to stop doing recon and start hacking (01:00:58) Lessons Learned from BreachlessAI and the pivot to Boring Mattress Co.

About us Privacy Policy