Critical Thinking - Bug Bounty Podcast

Episode 78: In this episode of Critical Thinking - Bug Bounty Podcast we’re talking about writing reports. We share some tips that we’ve learned, and discuss ways that AI can (and can’t) help with that process. We also talk about the benefit of using tools like Fabric, Loom, and ShareX.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Sponsor - ThreatLockerResources:XSS WAF Bypass by multi-char HTML entitiesShazzerNext.js and cache poisoningNagli's Nuclei Templatehey why can't you fix this one bugJustin's reporting templating softwareFabricBB Report Formatter2to3 Automated Python ConverterShareXSkitchTimestamps:(00:00:00) Introduction(00:04:00) XSS WAF Bypass by Multi-char HTML Entities(00:11:59) Next.js and Cache Poisoning(00:18:03) Nagli's Nuclei Template and Sean Yeoh's Blog(00:27:34) Report Writing and AI(00:50:02) Reporting tips

Episode 77: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin discuss some fresh writeups including some MongoDB injections, ORMs, and exploits in Kakao and iOS before pivoting into a conversation about staying motivated and avoiding burnout while hunting.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Resources:MongoDB NoSQL Injectionhttps://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/Mongo DB Is Web Scalehttps://www.youtube.com/watch?v=b2F-DItXtZs1-click Exploit in Kakaohttps://stulle123.github.io/posts/kakaotalk-account-takeover/Unsecure time-based secret and Sandwich Attackhttps://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.htmlReset Tolkienhttps://github.com/AethliosIK/reset-tolkieniOS URL Scheme Hijacking Revampedhttps://evanconnelly.github.io/post/ios-oauth/PLORMBING YOUR DJANGO ORMhttps://www.elttam.com/blog/plormbing-your-django-orm/#contentTimestamps:(00:00:00) Introduction(00:02:07) MongoDB NoSQL Injection(00:12:42) 1-click Exploit in Kakao(00:33:21) Time-based secrets and Reset Tolkien(00:39:26) iOS URL Scheme Hijacking Revamped(00:51:42) ORMs(00:58:57) Community Bug Submission(01:07:45) Motivation, Mental Sharpness, and Burnout avoidance

Episode 76: In this episode of Critical Thinking - Bug Bounty Podcast we’re talking about Match and Replace and the often overlooked use cases for it, like bypassing paywalls, modifying host headers, and storing payloads. We also talk about the HackerOne Ambassador World Cup and the issues with dupe submissions, and go through some write-ups.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today's Sponsor - Project Discovery: https://nux.gg/podcastResourcesZoom Session Takeoverhttps://nokline.github.io/bugbounty/2024/06/07/Zoom-ATO.htmlSharePoint XXEhttps://x.com/thezdi/status/1796207012520366552Shazzerhttps://shazzer.co.uk/Timestamps:(00:00:00) Introduction(00:05:06) H1 Ambassador World Cup(00:13:57) Zoom ATO bug(00:33:28) SharePoint XXE(00:39:36) Shazzer(00:46:36) Match and Replace(01:13:01) Match and Replace in Mobile(01:21:13) Header Replacements

Episode 75: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are sick, So instead of a new full episode, we're going back 30 episodes to review.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!Today's Guest: https://twitter.com/fransrosen DetectifyDiscovering s3 subdomain takeovershttps://labs.detectify.com/writeups/hostile-subdomain-takeover-using-heroku-github-desk-more/bucket-disclose.shhttps://gist.github.com/fransr/a155e5bd7ab11c93923ec8ce788e3368A deep dive into AWS S3 access controlsAttacking Modern Web TechnologiesLive Hacking like a MVHAccount hijacking using Dirty Dancing in sign-in OAuth flowsTimestamps:(00:00:00) Introduction(00:11:41) Franz Rosen's Bug Bounty Journey and Detectify (00:20:21) Pseudo-code, typing, and thinking like a dev(00:27:11) Hunter Methodologies and automationists(00:42:31) Time on targets, Iteration vs. Ideation(00:58:01) S3 subdomain takeovers(01:11:53) Blog posting and hosting motivations(01:20:21) Detectify and entrepreneurial endeavors(01:36:41) Attacking Modern Web Technologies(01:52:51) postMessage and MessagePort(02:05:00) Live Hacking and Collaboration(02:20:41) Account Hijacking and OAuth Flows(02:35:39) Hacking + Parenthood

Episode 74: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Roni "Lupin" Carta for a deep dive into supply chain attacks and dependency confusion. We explore the supply chain attacks, the ethical considerations surrounding maintainers and hosting packages on public registries, and chat about the vision and uses of his new tool Depi.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today's Sponsor - Project Discovery: https://nux.gg/podcastToday’s Guest: https://x.com/0xLupinResources:Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companieshttps://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610git-dumphttps://github.com/tomnomnom/dotfiles/blob/master/scripts/git-dumpDepihttps://www.landh.tech/depiWeak links of Supply Chainhttps://arxiv.org/pdf/2112.10165Timestamps:(00:00:00) Introduction(00:07:13) Overveiw of Supply Chain Flow(00:15:14) Getting our Scope(00:23:46) Depi(00:29:12) Types of attacks and finding the 80/20(00:45:06) Maintainer attacks(01:10:40) Regestries, artifactories, and an npm bug(01:31:51) Grafana NPX Confusion

Episode 73: In this episode of Critical Thinking - Bug Bounty Podcast we give a brief recap of Nahamcon and then touch on some topics like WAF bypass tools, sandboxed iframes, and programs redacting your reports.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today's Sponsor - Project Discovery: https://nux.gg/podcastResources:?. Tweethttps://x.com/garethheyes/status/1786836956032176215NoWafPlshttps://github.com/assetnote/nowafplsRedacted Reportshttps://x.com/deadvolvo/status/1790397012468199651Breaking CORShttps://x.com/MtnBer/status/1794657827115696181Sandbox-iframe XSS challenge solutionhttps://joaxcar.com/blog/2024/05/16/sandbox-iframe-xss-challenge-solution/iframe and window.open magichttps://blog.huli.tw/2022/04/07/en/iframe-and-window-open/#detecting-when-a-new-window-has-finished-loadingdomloggerpphttps://github.com/kevin-mizu/domloggerppTimestamps(00:00:00) Introduction(00:03:29) ?. Operator in JS and NoWafPls(00:07:22) Redacting our own reports(00:11:13) Breaking CORS(00:17:07) Sandbox-iframes(00:24:11) Dom hook plugins

Episode 72: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss some hot research from the past couple months. This includes ways to smuggle payloads in phone numbers and IPv6 Addresses, the NextJS SSRF, the PDF.JS PoC drop, and a GitHub Enterprise Indirect Method Information bug. Also, we have an attack vector featured from Monke!Follow us on twitter at: @ctbbpodcastShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today's Sponsor - Project Discovery: https://nux.gg/podcastResources:PDF.JS Bypass to XSShttps://github.com/advisories/GHSA-wgrm-67xf-hhpqhttps://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/PDFiumNextJS SSRF by AssetNoteBetter Bounty Transparency for hackersSlonser IPV6 ResearchSmuggling payloads in phone numbersAutomatic Plugin SQLiDomPurify BypassBug Bounty JP PodcastGithub Enterprise send() bughttps://x.com/creastery/status/1787327890943873055https://x.com/Rhynorater/status/1788598984572813549Timestamps:(00:00:09) Introduction(00:03:20) PDF.JS XSS and NextJS SSRF(00:12:52) Better Bounty Transparency(00:20:01) IPV6 Research and Phone Number Payloads(00:28:20) Community Highlight and Automatic Plugin CVE-2024-27956(00:33:26) DomPurify Bypass and Github Enterprise send() bug(00:46:12) Caido cookie and header extension updates

Episode 71: In this episode of Critical Thinking - Bug Bounty Podcast Keith Hoodlet joins us to weigh in on the VDP Debate. He shares some of his insights on when VDPs are appropriate in a company's security posture, and the challenges of securing large organizations. Then we switch gears and talk about AI bias bounties, where Keith explains the approach he takes to identify bias in chatbots and highlights the importance of understanding human biases and heuristics to better hack AI.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.Today's Sponsor - Project Discovery: https://nux.gg/podcastToday’s guest: Keith Hoodlethttps://securing.dev/Resources:Daniel Miessler's article about the security poverty linehttps://danielmiessler.com/p/the-cybersecurity-skills-gap-is-another-instance-of-late-stage-capitalism/Hacking AI Biashttps://securing.dev/posts/hacking-ai-bias/Hacking AI Bias Videohttps://youtu.be/AeFZA7xGIbE?si=TLQ7B3YtzPWXS4hqSarah's Hoodlet's new bookhttps://sarahjhoodlet.comLink to Amazon Pagehttps://a.co/d/c0LTM8UTimestamps:(00:00:00) Introduction(00:04:09) Keith's Appsec Journey(00:16:24) The Great VDP Debate Redux(00:47:18) Platform/Hunter Incentives and Government Regulation(01:06:24) AI Bias Bounties(01:26:27) AI Techniques and Bugcrowd Contest

Episode 70: In this episode of Critical Thinking - Bug Bounty Podcast we’re once again joined by Ben Sadeghipour to talk about some Nahamcon news, as well as discuss a couple other LHE’s taking place. Then they cover CI/CD and drop some cool CSP Bypasses.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today's Sponsor - Project Discovery: https://nux.gg/podcastToday’s Guest: https://twitter.com/NahamSechttps://www.nahamcon.com/Resources:Depihttps://www.landh.tech/depiYoutube CSP:https://www.youtube.com/oembed?callback=alert()Maps CSP:https://maps.googleapis.com/maps/api/js?callback=alert()-printGoogle APIs CSPhttps://www.googleapis.com/customsearch/v1?callback=alert(1)Google CSPhttps://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//CSP Bypass for opener.child.child.child.click()https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/Timestamps:(00:00:00) Introduction(00:02:55) BSides Takeaways and hacking on Meta(00:12:12) NahamCon News(00:23:45) CI/CD and the launch of Depi(00:33:29) CSP Bypasses

Episode 69: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Johan Carlsson to hear about some updates on his bug hunting journey. We deep-dive a CSP bypass he found in GitHub, a critical he found in GitLab's pipeline, and also talk through his approach to using script gadgets and adapting to highly CSP'd environments. Then we talk about his transition to full-time bug hunting, including the goals he’s set, the successes and challenges, and his current focus on specific bug types like ReDoS and OAuth, and the serendipitous nature of bug hunting.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Nuclei 3.2 Release: https://nux.gg/podcastToday’s Guest:https://twitter.com/joaxcarhttps://joaxcar.com/blog/ResourcesGithub CSP Bypasshttps://gist.github.com/joaxcar/6e5a0a34127704f4ea9449f6ce3369fcCSP Validatorhttps://cspvalidator.org/Cross Window Forgeryhttps://www.paulosyibelo.com/2024/02/cross-window-forgery-web-attack-vector.htmlGitlab Crithttps://gist.github.com/joaxcar/9419b2df8778f26e9b02a741a8ec12f8Timestamps(00:00:00) Introduction(00:09:34) Github CSP Bypass(00:38:48) Script Gadgets and growth through Gitlab(00:53:53) Gitlab pipeline bug(01:12:32) Full-time Bug Bounty

Episode 68: In this episode of Critical Thinking - Bug Bounty Podcast Mathias is back with some fresh HTMX research, including CSP bypass using HTMX triggers, converting client-side response header injection to XSS, bypassing HTMX disable, and the challenges of using HTMX in larger applications and the potential performance trade-offs. We also talk about the results of his recent CTF Challenge, and explore some more facets of CDN-CGI functionality.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterProject Discovery Conference: https://nux.gg/hss24------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Guest:https://twitter.com/avlidienbrunnResources:Masato Kinugawa's research on Teamshttps://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=33subdomain-only 307 open redirecthttps://avlidienbrunn.se/cdn-cgi/image/onerror=redirect/http://anything.avlidienbrunn.seTimestamps(00:00:00) Introduction(00:05:18) CSP Bypass using HTML(00:14:00) Converting client-side response header injection to XSS(00:23:10) Bypassing hx-disable(00:32:37) XSS-ing impossible elements(00:38:22) CTF challenge Recap and knowing there's a bug(00:51:53) hx-on (depreciated)(00:54:30) CDN-CGI Research discussion

Episode 67: In this episode of Critical Thinking - Bug Bounty Podcast we deepdive on the topic of Vulnerability Disclosure Programs (VDPs) and whether they are beneficial or not. We also touch on the topic of leaderboard accuracy, and continue the Program VS Hacker debate regarding allocating funds for bounties.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Project Discovery Conference: https://nux.gg/hss24Resources:Nagli's Braindump on VDPshttps://twitter.com/galnagli/status/1780174392003031515Timestamps:(00:00:00) Introduction(00:05:37) VDP programs(00:34:10) Leaderboards(00:43:52) Hacker vs. Program debate Part 2(01:07:24) Walling Off Endpoints

Episode 66: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the recent YesWeHack Louis Vuitton LHE, the importance of failure as growth in bug bounty, and Justin shares his research on CDN CGI.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterProject Discovery Conference: https://nux.gg/hss24------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Resources:YesWeHack Luis Vuitton LHEhttps://twitter.com/yeswehack/status/1776280653744554287https://event.yeswehack.com/events/hack-me-im-famous-2Caido Workflowshttps://github.com/caido/workflowsOauth Redirectshttps://twitter.com/Akshanshjaiswl/status/1724143813088940192Bagipro Golden URL techniqueshttps://hackerone.com/reports/431002Roadmap I followed to make 15,000+$ Bounties in my first 8 months https://shreyaschavhan.notion.site/Roadmap-I-followed-to-make-15-000-Bounties-in-my-first-8-months-of-starting-out-and-my-journey-98b1b9ff621645c0b97d1e774992f300Monke Hacks Bloghttps://monkehacks.beehiiv.com/PortSwigger posthttps://x.com/PortSwiggerRes/status/1766087129908576760post from Masato Kinugawahttps://x.com/kinugawamasato/status/916393484147290113Timestamps:(00:00:00) Introduction(00:04:19) Louis Vuitton LHE(00:13:57) Browser Market share(00:21:13) Justin's Bug of the Week(00:24:49) Caido Workflows(00:27:24) Oauth Redirects(00:32:24) Bug Bounty learning Methodology(00:41:03) 'Intent To Ship'(00:48:08) CDN-CGI Research

Episode 65: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with Sam Curry to discuss the ethical considerations and effectiveness of hacking, the importance of good intent, and the enjoyment Sam derives from pushing the boundaries to find bugs. He shares stories of his experiences, including hacking Tesla, online casinos,Starbucks, his own is ISP router, and even getting detained at the airport.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterProject Discovery Conference: https://nux.gg/hss24------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Guest:https://samcurry.net/Resources:Don’t Force Yourself to Become a Bug Bounty HunterhackcomputeStarbucks BugrecollapseTimestamps:(00:00:00) Introduction(00:02:25) Hacking Journey and the limits of Ethical Hacking(00:28:28) Selecting companies to hack(00:33:22) Fostering passion vs. Forcing performance(00:54:06) Collaboration and Hackcompute(01:00:40) The Efficacy of Bug Bounty(01:09:20) Secondary Context Bugs(01:25:01) Mindmaps, note-taking, and Intuition.(01:46:56) Back-end traversals and Unicode(01:56:16) Hacking ISP(02:06:58) Next.js and Crypto(02:22:24) Dev vs. Prod JWT

Episode 64: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Justin and Joel delve into .NET remoting and how it can be exploited, a recent bypass in the Dom Purify library and some interesting functionality in the Cloudflare CDN-CGI endpoint. They also touch on the importance of collaboration and knowledge sharing, JavaScript Deobfuscation, the value of impactful POCs, hiding XSS payloads with URL path updates.Follow us on twitter at: @ctbbpodcastsend us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Check out Project Discovery’s nuclei 3.2 release blog at nux.gg/podcastResources:.NET Remotinghttps://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/https://github.com/codewhitesec/HttpRemotingObjRefLeakDOM Purify BugCloudflare /cdn-cgi/https://developers.cloudflare.com/fundamentals/reference/cdn-cgi-endpoint/https://portswigger.net/research/when-security-features-collidehttps://twitter.com/kinugawamasato/status/893404078365069312https://twitter.com/m4ll0k/status/1770153059496108231XSSDoctor's writeup on Javascript deobfuscationrenniepak's tweetNaffy's tweetTimestamps:(00:00:00) Introduction(00:07:15) .Net Remoting(00:17:29) DOM Purify Bug(00:25:56) Cloudflare /cdn-cgi/(00:37:11) Javascript deobfuscation(00:47:26) renniepak's tweet(00:55:20) Naffy's tweet

Episode 63: In this episode of Critical Thinking - Bug Bounty Podcast we welcome back Jason Haddix (From Episode 12) to talk about some updates to his The Bug Hunter's Methodology, as well as his own personal life and hacking journey. We talk about the start of his new company, and then venture into topics such as using threat intelligence and buying credentials from the dark web, recon techniques, and ways to integrate AI into your workflow (or target list).Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Today’s Guest:https://twitter.com/Jhaddixhttps://www.arcanum-sec.com/Resources:Dehashedhttps://www.dehashed.com/Flarehttps://flare.io/CSP Reconhttps://github.com/edoardottt/cspreconTimestamps:(00:00:00) Introduction(00:05:37) Updates to The Bug Hunter's Methodology(00:14:46) Red Teaming(00:21:29) Bug Bounty on the Dark Web(00:36:19) FIS hunting(00:47:59) New Recon Techniques (00:58:32) AI integrations and bounties

Episode 62: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with some additional research resources that didn’t make the Portswigger Top-Ten, but that are worth looking at.Follow us on twitter at: @ctbbpodcastFeel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Resources:Cool HTML Shithttps://twitter.com/jcubic/status/1764311080661082201https://twitter.com/encodeart/status/1764218128374943764Bug bounty Hunting Journeyshttps://twitter.com/ajxchapman/status/1762101366057525521https://monkehacks.beehiiv.com/p/monkehacks-02Yelp Cookie Bridge ReportDeobfuscating/Unminifying Obfuscated CodeChatGPT Source WatchWeb Security Research RedditNahamsec ResourcesPortswigger Nominations listAbusing perspectives: https://hackerone.com/reports/2401115PortSwigger CSS Exfiltrationhttps://github.com/PortSwigger/css-exfiltrationTimestamps:(00:00:00) Introduction(00:02:06) Cool HTML Shit(00:15:31) Bug Bounty Journeys(00:28:01) Yelp Cookie Bridge Bug(00:37:56) Additional Research Resources(00:46:34) CSS and abusing perspectives

Episode 61: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Jasmin Landry to share some stories about startup security, bug bounty, and the challenges of balancing both. He also shares his methodology for discovering OAuth-related bugs, highlights some differences between structured learning and self-teaching, and then walks us through a couple arbitrary ATO’s and SSTI to RCE bugs he’s found lately.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Guest: Jasmin Landryhttps://twitter.com/JR0ch17Resources:Dirty Dancing blog posthttps://labs.detectify.com/writeups/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/OAuth 2.0 Threat Model and Security Considerationshttps://datatracker.ietf.org/doc/html/rfc6819OAuth 2.0 Security Best Current Practicehttps://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topicsTimestamps:(00:00:00) Introduction(00:02:20) Meta Tag + DomPurify Bug(00:09:36) Jasmin's Origin story(00:28:23) Full time Bug bounty challenges(00:36:57) Career jumps in Security and current Role(00:47:32) OAuth Bug methodology and cool bug stories(01:02:35) Social Engineering and Bug Bounty(01:13:41) Arbitrary ATO bug(01:19:41) SSTI to RCE bug

Episode 60: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel review the Portswigger Research list of top 10 web hacking techniques of 2023.Follow us on twitter at: @ctbbpodcastSend us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------Hop on the CTBB DiscordWe also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources:Top 10 web hacking techniques of 20231: Smashing the state machine8: From Akamai to F5 to NTLM3: SMTP Smuggling4: PHP filter chains(Bonus Read)5: HTTP Parsers Inconsistencies6: HTTP Request Splitting7: How I Hacked Microsoft Teams9: Cookie Crumbles(Bonus Read)10: Hacking root EPP servers to take control of zonesTimestamps:(00:00:00) Introduction(00:04:26) 1: Smashing the state machine(00:11:56) 8: From Akamai to F5 to NTLM... with love(00:17:11) 3: SMTP Smuggling(00:26:27) 4: PHP filter chains(00:36:40) 5: HTTP Parsers Inconsistencies(00:44:56) 6: HTTP Request Splitting(00:53:43) 7: How I Hacked Microsoft Teams(01:02:25) 9: Cookie Crumbles(01:11:36) 10: EPP Server Takeover

Episode 59: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the concept of gadgets and how they can be used to escalate the impact of vulnerabilities. We talk through things like HTML injection, image injection, CRLF injection, web cache deception, leaking window location, self-stored XSS, and much more.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources:Even BetterNahamSec's 5 Week ProgramNahamCon NewsCSS Injection ResearchTimestamps:(00:00:00) Introduction(00:03:31) Caido's New Features(00:15:20) Nahamcon News and 5 week Bootcamp and pentest opportunity(00:19:54) HTML Injection, CSS Injection, and Clickjacking(00:33:11) Image Injection(00:37:19) Open Redirects, Client-side path traversal, and Client-side Open Redirect(00:49:51) Leaking window.location.href(00:57:15) Cookie refresh gadget(01:01:40) Stored XXS(01:09:01) CRLF Injection(01:13:24) 'A Place To Stand' in  GraphQL and ID Oracle(01:18:23) Auth gadgets, Web Cache Deception, & LocalStorage poisoning(01:27:46) Cookie Injection & Context Breaks

Episode 58: In this episode of Critical Thinking - Bug Bounty Podcast we finally sit down with Youssef Samouda and grill him on his various techniques for finding and exploiting client-side bugs and postMessage vulnerabilities. He shares some crazy stories about race conditions, exploiting hash change events, and leveraging scroll to text fragments. Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://twitter.com/samm0uda?lang=enhttps://ysamm.com/Resources:Client-side race conditions with postMessage: https://ysamm.com/?p=742 Transferable Objectshttps://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Transferable_objectsEvery known way to get references to windows, in javascript:https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2dYoussef’s interview with BBREhttps://www.youtube.com/watch?v=MXH1HqTFNm0Timestamps:(00:00:00) Introduction(00:04:27) Client-side race conditions with postMessage(00:18:12) On Hash Change Events and Scroll To Text Fragments(00:32:00) Finding, documenting, and reporting complex bugs(00:37:32) PostMessage Methodology(00:45:05) Youssef's Vuln Story(00:53:42) Where and how to look for ATO vulns(01:05:21) MessagePort(01:14:37) Window frame relationships(01:20:24) Recon and JS monitoring(01:37:03) Client-side routing(01:48:05) MITMProxy

Episode 57: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are live from Miami, and recap their experience and share takeaways from the live hacking event. They highlight the importance of paying attention to client-side routing and the growing bug class of client-side path traversal. They also discuss the challenges of knowing when to cut your losses and the value of tracking time and setting goals. Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Timestamps:(00:00:00) Introduction(00:03:50) Miami LHE Recap and Takeaways(00:05:57) Keeping time and cutting losses.(00:19:07) Roles and Goals(00:23:33) OAuth(00:28:52) HTML5 image to img Tip

Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston)Episode 56: In this episode of Critical Thinking - Bug Bounty Podcast, Justin sits down with Jon Colston to discuss how his background in digital marketing and data science has influenced his hunting methodology. We dive into subjects like data sources, automation, working backwards from vulnerabilities, applying conversion funnels to bug bounty, and the mayonaise signature 'Mother of All Bugs' Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------WordFence - Sign up as a researcher! https://ctbb.show/wfSign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest:https://hackerone.com/mayonaise?type=userTimestamps:(00:00:00) Introduction(00:12:07) Evolving Hacking Methodologies & B2B Hacking(00:23:57) Data Science + Bug Bounty(00:34:37) 'Lead Generation for Vulns'(00:41:39) Ingredients and Recipes(00:49:45) Keyword Categorization(00:54:30) Manual Processes and Recap(01:07:08) Data Sources(01:19:59) Digital Marketing + Bug Bounty(01:32:22) M.O.A.B.s(01:41:02) Burnout Protection and Dupe Analysis

Episode 55: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by Wordpress Security Researcher Ram Gall to discuss both functionality and vulnerabilities within Wordpress Plugins.Follow us on twitterSend us any feedback here:Shoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------WordFence - Sign up as a researcher! https://ctbb.show/wf---Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.Hop on the CTBB DiscordWe also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Guest:Ramuel GallUpdraftPlus VulnXML-RPC PingBackUnicode and Character SetsReflected XSSPOP ChainWordpressPluginDirectorySubscriber+ RCE in ElementorSubscriber+ SSRFUnauthed XSS via User-Agent headerTimestamps:(00:00:00) Introduction(00:05:55) Add_action & Nonces(00:26:16) Add_filter & Register_rest_routes(00:38:39) Page-related code & Shortcodes(00:50:24) Top Sinks for WP(01:02:19) Echo & SQLI Sinks(01:15:07) Nonce Leak and wp_handle_upload(01:18:16) Page variables & Pop Chains(01:26:55) WP Escalations & Bug Reports

Episode 54: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with news items and new projects. Joel shares about his personal scraping project to gather data on bug bounty programs and distribution Next, they announce the launch of HackerNotes, a podcast companion that will summarize the main technical points of each episode. They also discuss a recent GitLab CVE and an invisible prompt injection, before diving into a discussion (or debate) about vulnerable code patterns.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Gitlab CVEhttps://github.com/Vozec/CVE-2023-7028https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/Fix commit: https://gitlab.com/gitlab-org/gitlab/-/commit/abe79e4ec437988cf16534a9dbba81b98a2e7f18Invisible Prompt Injectionhttps://x.com/goodside/status/1745511940351287394?s=20Regex 101https://regex101.comRegex to Stringshttps://www.wimpyprogrammer.com/regex-to-strings/Timestamps(00:00:00) Introduction(00:01:54) Joel’s H1 Data Scraping Research(00:19:23) HackerNotes launch(00:21:29) Gitlab CVE(00:27:45) Invisible Prompt Injection(00:33:52) Vulnerable Code Patterns(00:37:51) Sanitization, but then modification of data afterward(00:45:39) Auth check inside body of if statement(00:48:15) sCheck for bad patterns with if, but then don't do any control flow(00:50:21) Bad Regex(01:00:36) Replace statements for sanitization(01:04:32) Anything that allows you to call functions or control code flow in uncommon ways

Episode 53: In this episode of Critical Thinking - Bug Bounty Podcast,we’re joined by none other than NahamSec. We start by discusses the challenges he faced on his journey in bug bounty hunting and content creation, including personal struggles and the pressure of success.We also talk about finding balance and managing mental energy, going the extra mile, and the importance of planning and setting goals for yourself before he walks us through some Blind XSS techniques.Follow us on twitter at: @ctbbpodcastFeel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Timestamps:(00:00:00) Introduction(00:01:37) Costs of Content Creation(00:21:12) Hacking 'identities' and Pivoting(00:36:49) Hacking Methodology(00:58:59) Planning, Goals, and Nahamsec's 2023 Performance(01:10:19) Blind XSS(01:35:19) Going the extra mile in Bug Bounty

Episode 52: In this episode of Critical Thinking - Bug Bounty Podcast we're going back and highlighting some of the best technical moments from the past year! Hope you enjoy this best of 2023 Supercut!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Timestamps:(00:00:00) Introduction(00:02:55) Episode 26: Meta tags and base tags in HTML(00:15:20) Episode 27: Client-side path traversal(00:23:18) Episode 27: Cookie bombing + cookie jar overflow(00:35:47) Episode 44: Cross environment authentication bugs(00:43:17) Episode 47: The open-faced Iframe Sandwich(00:50:19) Episode 47: js hoisting and classic Joel nerdsnipe(00:58:28) Episode 29: Sean Yeoh on Subdomains vs IP in recon(01:04:05) Episode 30: Shubs on reversing enterprise software(01:24:58) Episode 30: Shubs on building out a recon flow(01:29:36) Episode 30: Shubs on Hacking IIS Servers(01:36:45) Episode 37: 0xLupin on smart JavaScript analysis tools(01:45:42) Episode 45: Frans Rosen On App cache, Service workers cookie stuffing, and postMessage(02:15:02) Episode 50: Mathias Karlsson on XSLT and MXSS(02:39:26) Episode 27: Assetnote's sharefile RCE(02:48:18) Episode 31: Perforce RCE(02:53:48) Episode 48: Sam Erb's XSLT bug story(02:58:47) Final thoughts and Special Thanks

Episode 51: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are back for the last episode of 2023. We discuss some noteworthy news items including a Hacker One Crit, Caido updates, and some Blind CSS. Then we dive into our own personal ‘Hackers Wrapped’ recap of the year, before laying out some goals for 2024.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.ResourcesFlowPowertoysAlfredPyperclipTextgrabCTF Payload ChallengeHacker One Crit ReportBlind CSS InjectionTimestamps(00:00:00) Introduction(00:08:43) Keyboard Shortcut Utility Systems(00:21:28) CTF Challenge By Frans(00:32:40) Hacker One 25K Crit Disclosure(00:36:31) Caido Searchbar Rework.(00:40:51) Blind CSS Exfiltration(00:44:10) 2023 Personal Bug Bounty Stats(01:01:15) 2024 Personal Bug Bounty Goals

Episode 50: In this episode of Critical Thinking - Bug Bounty Podcast, Justin catches up with hacking master Mathias Karlsson, and talks about burnout, collaboration, and the importance of specialization. Then we dive into the technical details of MXSS and XSLT, character encoding, and give some predictions of what Bug Bounty might look like in the future…Follow us on twitter at: @ctbbpodcastSend us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.Hop on the CTBB Discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s GuestEpisode ResourcesHow to Differentiate Yourself as a HunterMutateMethodshackaplanetenArticle About Unicode and Character SetsByte Order Mark:Character EncodingsShapeCatcherWAF BypassBountyDashEXPLOITING HTTP'S HIDDEN ATTACK-SURFACETimestamps:(00:00:00) Introduction(00:10:06) Automation Setup and Assetnote Origins(00:16:49) Sharing Tips, and Content Creation(00:22:27) Collaboration and Optimization(00:36:44) Working at Detectify(00:51:45) Bug Bounty Burnout(00:56:15) Early Days of Bug Bounty and Future Predictions(01:19:00) Nerdsnipeability(01:29:38) MXSS and XSLT(01:54:20) Learning through being wrong(02:00:15) Go-to Vulns

Episode 49: In this episode of Critical Thinking - Bug Bounty Podcast, Justin Gardner is once again joined by Nagli to discuss some of their recent hacking discoveries. They talk about finding and exploiting a backup file in an ASP.NET app, discovering vulnerabilities through Swagger files, and debating the vulnerability of a specific ‘undisclosed’ domain. Then they reflect on 2023’s Live Hacking Event circuit, and preview what’s to come in 2024’s.This episode sponsored by Wordfence! Wordfence recently launched a game-changer of a bug bounty program with ALL WordPress plugins over 50k installs are in-scope. They are currently paying 6.25x their normal bounty amounts, and have agreed to give CT listeners a 10% bonus on top of that! If you wanna pop some crits and see those bounties roll in, head over to https://ctbb.show/wf for more info and keep an eye on the CTBB Discord for inspiration/collabs.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s GuestEpisode Resources:ShockwaveWhy So SerialNew LHE Standards DroppedTimestamps:(00:00:00) Introduction(00:02:37) wwwroot .zip Hack Recap(00:13:44) Swagger File Hack Recap(00:18:27) Undisclosed URL Hack Recap(00:24:29) 2023 LHE Circut Recap(00:37:14) 2024 LHE Preview and New Standards(00:47:22) Bug Bounty Motivation

Episode 48: In this episode, joined by the spectacular Sam Erb, Google Security Engineer and DEFCON Black Badge winner. We talk about the importance of understanding how systems work to find vulnerabilities, and how his engineering background influences his hunting style and methodologies. Then we jump over to his Career Development and his work with Google, and then chat about some of the recent Google Vulnerability Programs.This episode is sponsored by Wordfence! Wordfence recently launched a game-changer of a bug bounty program with ALL WordPress plugins over 50k installs are in-scope. They are currently paying 6.25x their normal bounty amounts, and have agreed to give CT listeners a 10% bonus on top of that! Head over to https://ctbb.show/wf for more info and keep an eye on the CTBB Discord for inspiration/collabs.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!—— Links ——Follow your hosts Rhynorater & Teknogeek on twitter:—— Ways to Support CTBBPodcast ——Sign up for Caido using code CTBBPODCAST for a 10% discount.Hop on the CTBB DiscordDiscord premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Guest:https://twitter.com/erbbysamSam Erbs Static SecretSecurity Now PodcastBIMI:Andhttps://bimigroup.org/Google Device Vulnerability Reward Program InitiativesGoogle Invalid ReportsHacking GoogleTranscripts(00:00:00) Introduction(00:02:50) Hacker Methodology with Sam Erb(00:12:20) Balancing Bug Hunting and Personal Life(00:15:53) Deep Diving on a program and using automation.(00:27:00) Optimizing Bug Hunting and Understanding Attack Vectors(00:39:22) Collaboration and Boundaries(00:45:42) Career Development and Entrepreneurship(00:55:13) Winning Black Badges at DEFCON(00:58:02) BufferOver(01:09:11) Working at Google(01:19:23) Google Bug Bounty Programs(01:31:41) BONUS Cool Bugs

Episode 47: In this episode of Critical Thinking - Bug Bounty Podcast, the holidays are fast approaching, and Justin and Joel discuss some of the struggles of getting back into the hacking groove during and after breaks. We also celebrate the newly launched Critical Thinking Discord Community before diving into Iframe Sandwhiches, JS Hoisting, CSP Bypasses, and a host of new tools, techniques, and tangents.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.Hop on the CTBB Discord at https://ctbb.show/discord!ThankUNextjswzlRapid APISSRF Utility tool by BebiksTweet from Johan CarlssonBurp Extension from Google VRPJustin's Tweet about JS HoistingBypass CSP Using WordPressHow to trick CSP in letting you run whatever you wantTimestamps:(00:00:00) Introduction(00:01:58) Overcoming Bug Bounty struggles and getting back into the hacking groove(00:07:46) Taking notes and sticking to one program(00:14:50) Critical Thinking Discord, Community highlights, and Competition vs Collaboration(00:22:25) Secondary context bugs and Automationism(00:28:42) ThankUNext and Client-side Paths(00:33:45) Tool Tangents: Jswzl, Caido, Postman, and Rapid API(00:46:49) New SSRF Utility tool by Bebiks and the continuing evolution of hacking tools(00:51:45) Iframe Sandwiches(00:58:54) News Items(01:06:12) JS Hoisting(01:15:05) CSP Bypasses

Episode 46: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is deep diving the topic of SAML (Security Assertion Markup Language), and walks through what it is and why it can be intimidating, before going over some key attack vectors to look for. Then he closes out with a commentary on a sample payload, and some HackerOne reports.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.KazHACKstanhttps://kazhackstan.com/enTesting SAML security with DASThttps://agrrrdog.blogspot.com/2023/01/testing-saml-security-with-dast.htmlHow to break SAML if I have paws?https://speakerdeck.com/greendog/how-to-break-saml-if-i-have-paws?slide=20How to Hunt Bugs in SAML; a Methodologyhttps://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/SAML Raiderhttps://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802eExternal Entity Injection during XML signature verificationhttps://bugs.chromium.org/p/project-zero/issues/detail?id=2313mTLS: When certificate authentication is done wronghttps://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done-wrong/HackerOne Uber Reporthttps://hackerone.com/reports/136169Timestamps:(00:00:00) Introduction(00:05:25) Understanding SAML and its complexities(00:08:30) SAML Attack Vectors(00:14:15) XML Signature Wrapping(00:19:50) Some SAML tests to try(00:30:30) Sample Payload description(00:34:10) Token Recipient confusion(00:36:05) HackerOne Reports

Episode 45: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome Frans Rosén, an OG bug bounty hunter and co-founder of Detectify. We kick off with Frans sharing his journey bug bounty and security startups, before diving headfirst into a host of his blog posts. We also cover the value of pseudo-code for bug exploitation, understanding developer terminology, the challenges of collaboration and delegating tasks, and balancing hacking with parenting. If you're interested in bug bounty or entrepreneurship, you won't want to miss it!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.Join our Discord!Today's Guest:https://twitter.com/fransrosenDetectifyDiscovering s3 subdomain takeoversBucket DiscloseA deep dive into AWS S3 access controlsAttacking Modern Web TechnologiesLive Hacking like a MVHAccount hijacking using Dirty Dancing in sign-in OAuth flowsTimestamps:(00:00:00) Introduction(00:04:50) Franz Rosen's Bug Bounty Journey and the creation of Detectify(00:13:30) Benefits of pseudo-code, typing, and thinking like a developer(00:20:20) Hunter Methodologies(00:35:40) Time on targets, Iteration vs. Ideation, and tips for standing out(00:51:10) S3 subdomain takeovers(01:05:02) Blog posting and hosting motivations(01:13:30) Detectify and entrepreneurial endeavors(01:29:50) Attacking Modern Web Technologies(01:46:00) postMessage and MessagePort(01:58:09) Live Hacking and Collaboration(02:13:50) Account Hijacking and OAuth Flows(02:28:48) Hacking/Parenting

Episode 44: In this episode of Critical Thinking - Bug Bounty Podcast, the topic is URL structure, and Justin and Joel break down the elements that make up a URL and some common tips and tricks surrounding them which allow for all sorts of bypasses. We also round out the episode with some new tools, ato stories, and some controversial current events in the hacker scene.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount."XnlReveal" XNL h4ck3rOAuth article by Salt LabsH1 controversy recapATO through Facebook Loginhttps://twitter.com/Jayesh25_/status/1718543152296939861https://twitter.com/itscachemoney/status/1721658450613346557When URL Parsers disagreeGolden techniques to bypass host validations in Android appsMozilla article on HTTP AuthenticationBreaking Parser Logic talk by Orange TsaiURL DetectorSSRF BibleTimestamps:(00:00:00) Introduction(00:04:10) “Xnl-Reveal”(00:07:22) OAuth vulnerabilities(00:13:17) Recap of controversy surrounding the handling of a vulnerability report on H1(00:18:55) Hacker Success Manager Program(00:22:30) Facebook login ATO(00:27:45) When URL parsers disagree(00:34:34) URL Structures(01:02:22) Shared secrets across environments(01:09:40) Social Media Logins

Episode 43: In this episode of Critical Thinking - Bug Bounty Podcast, we're joined by Emile from Caido, who shares his journey into the bug bounty and ethical hacking world. We kick off with a hilarious incident involving Joel, a child on an airplane, and an unfortunate cough. We then dive into the challenges of building an HTTP proxy tool, balancing basic features with nice-to-have features, and the importance of user feedback in shaping the development of Caido, a bug bounty tool.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount on the annual license. Today’s Guest:https://twitter.com/TheSytten Caidohttps://caido.io/Caido’s Discordhttps://discord.com/invite/KgGkkpKFaqVS Codehttps://code.visualstudio.com/DNSChefhttps://github.com/iphelix/dnschefHackMDhttps://hackmd.io/Timestamps:(00:00:00) Introduction(00:01:34) Emile’s journey from general infrastructure development to co-founding Caido(00:07:00) The rundown on Caido, a lightweight and flexible HTTP proxy tool(00:11:00) Current and upcoming Caido Features(00:17:00) Caido crew and division of duties(00:19:40) Missing features and feature requests(00:23:49) Decision to use Rust(00:28:25) Workflows and walkthroughs(00:36:27) Intercepts and the Roadmap(00:41:15) Opinions on collaborator Functionality and HTTP Callback(00:46:19) Reporting and Collaboration

Episode 42: In this episode of Critical Thinking - Bug Bounty Podcast, we're live from a hacking event in Portugal, and joined by the extremely talented René de Sain! He helps us cover a host of topics like NFT, XSS, LHE, and tips for success. We also talk about the correlation between creativity and hacking, shared workspaces, and last but certainly not least, hacker tattoos.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.Today’s Guest:https://twitter.com/renniepakhttps://www.linkedin.com/in/rene-de-sain/ https://app.intigriti.com/researcher/profile/renniepakHacker Hideouthttps://hackerhideout.xyzTimestamps:(00:00:00) Introduction(00:04:40) NFT Vulns and web3 hacking(00:08:15) Hacker Tattoos(00:12:30) Intigriti vs. other platforms, and LHE approaches.(00:20:10) Loneliness, budgeting, and the pros and cons of full-time hunting(00:28:36) Target approaches, XSS, and extension tools.(00:37:40) Fostering hacker intuition and relationships(00:47:15) Final thoughts on the Intigriti Event

Episode 41: In this episode of Critical Thinking - Bug Bounty Podcast, Justin takes a break from his busy travel schedule to walk us through a few of his Attack Vector formulation strategies. We’re keeping this one short and sweet, so it can be better used as a reference when looking for new vectors.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.Nahamcon talk by Douglas Dayhttps://youtu.be/G1RHa7l1Ys4?t=295Timestamps:(00:00:00) Introduction(00:02:53) Use the application like a human, not like a hacker(00:05:02) Reading documentation looking for "Cannot" statements(00:08:16) Look at the grayed out areas(00:10:08) Look for information in the API response(00:12:38) Differences in the UI between different accounts(00:13:42) Pay the paywall.

Episode 40: In this episode of Critical Thinking - Bug Bounty Podcast, it’s all about mentorships! Justin sits down with Kodai and So, two hackers he helped mentor, to discuss what worked and what didn’t. We talk about the importance of mentorship, what mentors might look for in a candidate, the challenges of transitioning from being mentored to self-education, and the necessity of continuous learning in this ever-evolving field that is bug bounty. This episode is a treasure trove of insights, and if you’re interested in either side of the mentorship coin, you won’t want to miss it.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Today’s Guests:https://twitter.com/weeshterhttps://twitter.com/Mokusou4Congrats to @nchickens as our giveaway winner!The Bug Hunter's Methodology Live Coursehttps://jasonhaddix.gumroad.com/l/lycucsTimestamps:(00:00:00) Introduction(00:04:00) Guest backgrounds and introduction into hacking(00:17:49) Where to start Learning and Teaching(00:25:40) Technical Training vs Conceptual Teaching(00:28:34) Mentorship Styles and Techniques.(00:39:15) Moving from being mentored to self-learning(00:46:20) Developing mental resilience and healthy habits(00:50:32) Elements in mentorships that were hard or haven’t worked(01:02:21) Being influenced by other hackers through mentorship or collaboration(01:06:20) Hacking Bilingually and language barriers(01:11:30) Hacking and learning goals for the future

Episode 39: In this episode of Critical Thinking - Bug Bounty Podcast, We're catching up on news, including new override updates from Chrome, GPT-4, SAML presentations, and even a shoutout from Live Overflow! Then we get busy laying the groundwork on a discussion of web architecture. better get started on this one, cause we're going to need a part two!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterCT shoutout from Live Overflowhttps://www.youtube.com/watch?v=3zShGLEqDn8Chrome Override updateshttps://developer.chrome.com/blog/new-in-devtools-117/#overridesGPT-4/AI Prompt Injectionhttps://x.com/rez0__/status/1706334160569213343?s=20 & https://x.com/evrnyalcin/status/1707298475216425400?s=20Caido Releases Pro free for studentshttps://twitter.com/CaidoIO/status/1707099640846250433Or, use code ctbbpodcast for 10% of the subscription priceAleksei Tiurin on SAML hackinghttps://twitter.com/antyurin/status/1704906212913951187Account Takeover on Teslahttps://medium.com/@evan.connelly/post-account-takeover-account-takeover-of-internal-tesla-accounts-bc720603e67dJosephhttps://portswigger.net/bappstore/82d6c60490b540369d6d5d01822bdf61Cookie Monsterhttps://github.com/iangcarroll/cookiemonsterHTMXhttps://htmx.org/Timestamps:(00:00:00) Introduction(00:04:40) Shoutout from Live Overflow(00:06:40) Chrome Overrides update(00:08:48) GPT-4V and AI Prompt Injection(00:14:35) Caido Promos (00:15:40) SAML Vulns(00:17:55) Account takeover on Tesla, and auth token from one context in a different context(00:24:30) Testing for vulnerabilities in JWT-based authentication(00:28:07) Web Architectures(00:32:49) Single page apps + a rest API(00:45:20) XSS vulnerabilities in single page apps(00:49:00) Direct endpoint architecture(00:55:50) Content Enumeration(01:02:23) gRPC & Protobuf(01:06:08) Microservices and Reverse Proxy(01:12:10) Request Smuggling/Parameter Injections

Episode 38: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome mobile hacking maestro Sergey Toshin (aka @bagipro). We kick off with Sergey sharing his unexpected journey into mobile security, and how he rose to become the number one hacker in both Google Play Security and Samsung Bug Bounty programs. We then delve into the evolving perception of mobile bugs, a myriad of new and existing attack vectors, and discuss Sergey's creation of mobile security company Oversecured. You’re going to want to make time for this one!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterToday's Guest:https://twitter.com/_bagiproOversecuredhttps://oversecured.com/Oversecured Bloghttps://blog.oversecured.com/jadxhttps://github.com/skylot/jadx'Golden Android Techniques'https://hackerone.com/reports/431002Timestamps:(00:00:00) Introduction(00:01:28) Sergey Toshin’s hacking journey and achievements(00:08:20) Mobile hacking: Devices and attack vectors(00:12:35) Using Jadx(00:15:40) The creation of Oversecured(00:23:10) The Oversecured Blog and Sharing Information(00:28:08) New Spheres and Strategies of Mobile Hacking(00:35:13) Tips for getting into Mobile Hacking

Episode 37: In this episode of Critical Thinking - Bug Bounty Podcast we're joined by none other than Lupin himself! We recap the Tokyo LHE and the lessons we learned from it before diving into his legendary journey into security research and bug bounty. We also talk collaboration of all kinds: pair hacking, joining a team, and starting a business together. We even touch on some great tools that can collaborate with each other! This was a fun one, and we don't want you to miss it!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterToday’s Guest:https://twitter.com/0xLupinLupin and Holmeshttps://landh.tech/JSWZLhttps://jswzl.io/Cursorhttps://cursor.so/Clairvoyancehttps://github.com/nikitastupin/clairvoyanceTweet about Command Injectionshttps://twitter.com/win3zz/status/1703702550372078074James Kettle article on security researchhttps://portswigger.net/research/so-you-want-to-be-a-web-security-researcherTimestamps:(00:00:00) Introduction(00:01:00) Lessons learned from the latest LHE(00:09:30) JSWZL and the Cursor Combo(00:19:15) The Legend of Lupin(00:34:35) Code and Collaborating(00:38:48) Requests, Automation, and Testing(00:50:28) Joel's Helper scripts(00:52:50) Teamwork and Pair Hacking(00:57:29) Tips for learning to Hack(01:00:35) UUID and CTF(01:08:35) Dynamics of Collaboration with French Team

Episode 36: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel take a break from LHE prep to answer questions about the ethics of bug bounty and share their recent bug finds. We talk Iframes, mobile intercept proxies, open redirects, and that time Justin got shot at…Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterTimeshifter:https://www.timeshifter.com/Tweet about Google Open Redirecthttps://twitter.com/Rhynorater/status/1697357773690818844 Tweet about XSS Exploitation https://twitter.com/Rhynorater/status/1698059391700701424 Request Minimizerhttps://portswigger.net/bappstore/cc16f37549ff416b990d4312490f5fd1Timestamps:(00:00:00) Introduction(00:02:45) Hacker One LHE Preview(00:05:40) Is Bug Bounty Inherently Ethical(00:19:25) Ethics of Going out of scope(00:27:56) Justin’s story of getting shot at(00:30:22) Setting up a mobile intercept proxy(00:33:40) How to approach a new target(00:40:30) Google Open Redirect(00:43:35) Recent XSS Exploitation(00:46:28) ATO Trick(00:50:25) Joel’s Bug Report(00:55:40) Justin’s Bug Report

Episode 35: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome Douglas Day, a bug bounty hunter known for his unique methodologies and collaborative spirit. We talk about his approach to finding new endpoints in applications, his ingenious technique of exploiting Intercom widgets, and collaboration preferences and tips at LHEs. We also touch on the struggle of justifying hobbies that don't generate income and the importance of finding enjoyment in the process.We hope you enjoy this episode as much as we did!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterToday’s Guest:https://twitter.com/ArchAngelDDayhttps://hackerone.com/the_arch_angelhttps://bugcrowd.com/arch_angel100 Short Bug Bounty Ruleshttps://twitter.com/ArchAngelDDay/status/1661924038875435008Blog about Intercomhttps://dday.us/2021/11/03/h1vendorATO.htmlBlog about Mapping Hackinghttp://dday.us/2021/10/09/Mapyourhacking.htmlTimestamps: (00:00:00) Introduction(00:03:01) Douglas Day’s infosec and LHE intro(00:10:42) Evolution and philosophy of collaboration(00:23:08) Balancing Collaboration and Money(00:29:43) Recap of 100 Short Bug Bounty Rules(00:37:15) Bug-hunting Methodology(00:45:45) Using match and replace to find new endpoints in bug hunting(00:49:07) Exploiting Intercom widgets(00:52:35) Facing Failure and enjoying the journey(00:57:00) Managing work-life balance(01:05:55) Auth-Z testing and documentation(01:12:25) Vulnerabilities in applications(01:17:05) Mapping Hacking Sessions

Episode 34: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel have both beaten COVID and now square off against each other in a mega-debate representing hackers and program managers respectively. Among the topics included are Disclosures, Dupes, Zero-Day Policy, payouts, budgets, Triage and Retesting. So, if you want blood-pumping, insult-hurling opinion-invalidating debate…then maybe look somewhere else. But if a thought-provoking discussion about bug bounty is more your style, then take a seat and get ready!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterPrompt Injection Primer for Engineershttps://twitter.com/rez0__/status/1695078576104833291 Portswigger on XSShttps://twitter.com/PortSwiggerRes/status/1691812241375424983Gunner Andrews talkhttps://www.youtube.com/watch?v=aaDe1ADh5KM Jhaddix live training Givawayhttps://tbhmlive.com/ctbb.show/giveawayNew Websitectbb.showFight music composed by Dayn Leonardsonhttps://www.daynleo.com/Timestamps:(00:00:00) Introduction(00:02:00) Joel’s DEFCON Recap(00:04:45) Prompt Injection Primer for Engineers by Rez0(00:07:00) Portswigger Research and XSS(00:08:36) Gunnar Andrews' talk on serverless architecture(00:10:10) ‘Bug Hunter Methodology’ Course GiveawayThe Debate(00:13:34) Zero-Day Policy and Payment for Vulnerabilities(00:25:40) Disclosure(00:33:52) Dupes (00:51:23) CVSS(01:02:25) Budgets and Payouts(01:15:00) Triage and Retesting(01:34:55) Withholding Reports(01:41:50) Root Cause Analysis(01:52:25) Interacting with hacker reports from a security standpoint.(01:58:50) Internal Activity on a Report(02:01:15) Cost of running Bug Bounty Programs and LHE’s

Episode 33: In this episode of Critical Thinking - Bug Bounty Podcast, we welcome Inti De Ceukelaire, a seasoned bug hunter known for his creative storytelling and impactful show-and-tell bugs…and let us tell you, his stories do not disappoint! From his bug bounty journey to some pretty wild hacks, Inti captivates us as only Inti can. We discuss the potential life-saving impact of bug bounty reports, especially in areas such as transportation and medical devices. We also cover hacker mentality, the benefits of objective-based challenges, and the need for collaboration and alignment within the bug bounty community. It’s a mesmerizing episode, so sit back and be swept away by Inti’s tales.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterToday’s Guest:https://twitter.com/securintiInti's Shopify Show-and-Tellhttps://hackerone.com/reports/1086108Hakluke's article on Bug Bounty Standardshttps://github.com/hakluke/bug-bounty-standardsResearching MissingNo Glitch in Pokemonhttps://youtu.be/p8OBktd42GIIntigritihttps://www.intigriti.com/Timestamps:(00:00:00) Introduction(00:03:01) Show-and-Tells and Storytelling in Live Hacking Events(00:08:30) Impact Assessment and the potential real-life significance of reporting vulnerabilities.(00:13:50) Ethical dilemmas, gaming the systems, and safe harbor.(00:23:30) Inti’s Hacking Journey(00:27:26) Hacker mentality, brainstorming, and goal-setting.(00:46:28) The benefit of mental resets, fresh perspectives, and ‘surprise collaboration’(00:52:55) Inti’s Story 1: CSS Injection bugs(01:06:20) Inti’s Story 2: The Ticket Trick(01:14:00) Inti’s Story 3: The Gotcha PasswordBug(01:18:30) Upcoming Intigriti Live Hacking Event

Episode 32: In this episode of Critical Thinking - Bug Bounty Podcast, Joel caught a nasty bug (no, not that kind) so Justin is flying solo, and catches us up to speed on what's been happening in hacking news.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterSmashing the State articlehttps://portswigger.net/research/smashing-the-state-machine?ps_source=portswiggerres&ps_medium=social&ps_campaign=race-conditionsNagles Algorithmhttps://en.wikipedia.org/wiki/Nagle%27s_algorithm HTTP/2 RFC https://httpwg.org/specs/rfc7540.html Tweet by Alex Chapmanhttps://twitter.com/ajxchapman/status/1691103677920968704?s=20Cookieless Duodrop IIS Auth Bypasshttps://soroush.me/blog/2023/08/cookieless-duodrop-iis-auth-bypass-app-pool-privesc-in-asp-net-framework-cve-2023-36899/ Xss and .Nethttps://blog.isec.pl/all-is-xss-that-comes-to-the-net/Shopify Account Takeoverhttps://ophionsecurity.com/blog/shopify-acount-takeoverShort Name Guesserhttps://github.com/projectmonke/shortnameguesserHacking Points.comhttps://samcurry.net/Points-com/Hacking Starbucks https://samcurry.net/hacking-starbucks/Bug Bounty Tag Requesthttps://twitter.com/ajxchapman/status/1688892093597470720Sandwich Attackhttps://www.landh.tech/blog/20230811-sandwich-attack Timestamps:(00:00:00) Introduction(00:01:25) Smashing the State(00:11:30) HTTP/2 RFC(00:17:30) Cookieless Duodrop IIS Auth Bypass(00:24:45) Takeovers and Tools(00:32:30) Sam Curry writeup(00:53:10) Community requests(00:55:10) Sandwich Attacks

Episode 31: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to be joined by Alex Chapman, a seasoned InfoSec hacker and bug bounty hunter. We kick off with Alex sharing his hacking journey, from a guest lecturer that inspired him, to working on internal Red Teams, to his transition to working with HackerOne, and finally as a bug bounty hunter focusing on searching out those few, high impact bugs. We also discuss the power of collaboration, the challenges of balancing hacking with other responsibilities, and the necessity of flexibility and taking breaks in bug bounty work. Don't miss this episode where we explore the depths of bug bounty with Alex Chapman!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterToday’s Guest:https://twitter.com/ajxchapman@[email protected]://ajxchapman.github.io/https://hackerone.com/ajxchapman?type=userPerforce RCEhttps://hackerone.com/reports/1830220 https://ajxchapman.github.io/bugreports/2019/04/04/perforce-local-file-disclosure.html (00:00:00) Introduction(00:01:50) Alex Chapman's InfoSec journey and evolution(00:05:55) Real-world experience vs. chasing degrees, and the pivot into Bug Bounty(00:13:12) The benefit of programming knowledge(00:16:50) Experience in Internal Red Team and hacker mentalities.(00:23:35) Transitioning to HackerOne and full time Bug Bounty(00:33:37) Bug Bounty tips, time management, and best practices(00:41:00) The importance of note-taking and organizational tools(00:46:27) Hunting Methodologies and focusing on Critical Exploitations(01:02:37) Collaboration in the hacking community(01:06:00) Binary Exploitation and Source Code Review(01:10:59) Configuration file injections(01:17:38) Justin vs. Alex at a LHE

Episode 30: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to be joined by renowned bug bounty hunter Shubs. We kick off with him sharing his journey from burgers to bugs, and how his friendly rivalry with a fellow hacker fueled his passion for reconnaissance, as well as his love of collaboration. We then shift gears to talk about the art of debugging, ethics and economics of bug bounty hunting, the transition to Entrepreneur, and the evolution of Assetnote from a reconnaissance tool to enterprise security software suite. This one’s a banger, and we don’t want you to miss it!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterToday’s Guest:@infosec_auIntro Shoutoutshttps://twitter.com/bebiksiorhttps://cvssadvisor.com/Assetnotehttps://www.assetnote.io/https://twitter.com/assetnoteBishop Foxhttps://bishopfox.com/Shortscanhttps://github.com/bitquark/shortscanXXE Payloadhttps://gist.github.com/Rhynorater/d0d19f757221a916a22476c3a5c6aba2Timestamps(00:00:00) Introduction(00:05:48) History as a Hacker: Recon, rivalries, and Riot Games(00:12:13) Collaboration and Community in Bug Bounty(00:18:19) The Art of Debugging(00:21:48) Assetnote News and overview(00:30:43) CVE reversing(00:32:58) Zero-day vulns(00:42:48) Bug Bounty Ethics and Economics(00:52:53) Bug Bounty and Entrepreneurship(01:03:58) Business lessons learned(01:07:48) Advice for Hunters looking to grow(01:12:38) IIS Server Techniques

Episode 29: In this episode of Critical Thinking - Bug Bounty Podcast sit down with Assetnote Engineer Sean Yeoh, and pick his brain about what he's learned on his development journey. We talk about the place and importance of message brokers, and which ones we like best, as well as his engineering philosophy regarding bottleneck prevention and the importance of pursuing optimization. Don't miss this episode of terrific technical tips!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterToday’s Guest:https://twitter.com/seanyeohAssetnotehttps://www.assetnote.io/https://twitter.com/assetnoteXKCD automation graphhttps://xkcd.com/1319/Github repositoryhttps://github.com/alex/what-happens-whenArticle about Queueshttps://archive.is/Nan4eNATShttps://nats.io/MongoDBhttps://www.mongodb.com/Timestamps:(00:00:00) Introduction(00:01:18) Story of Assetnote(00:05:20) Message Brokers and event-driven architectures(00:11:15) Preventing bottlenecks and pursuing optimization(00:21:35) Using a profiler(00:28:30) Choosing a Message Broker(00:33:00) Kubernetes and Conntrack Limits(00:37:13) Databases(00:46:30) Bug bounty tips: Sub-domain vs. IP Address(00:51:15) Engineering quandaries(00:53:38) DNS Wildcards