Critical Thinking - Bug Bounty Podcast

Episode 28: In this episode of Critical Thinking - Bug Bounty Podcast, the CSRF’s up, dude! We kick off with a debate about whether or not deep link vulns in mobile apps can be considered CSRF. We also talk browser extensions and tools like Hackbar, PwnFox, and JS Weasel, and Justin tries to invent a whole new vuln term. There’s plenty of good stuff here, so what are you waiting for? Jump on in!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterrez0's latest tiphttps://twitter.com/rez0__/status/168134822190014466019Hackbarhttps://addons.mozilla.org/en-US/firefox/addon/hackbartool/PwnFoxhttps://twitter.com/adrien_jeanneau/status/1681364665354289152JS Weaselhttps://www.jswzl.io/Charlie Eriksenhttps://twitter.com/CharlieEriksenLink to talk by Rojanhttps://twitter.com/uraniumhacker/status/1681381857383030785Bypassing GitHub's OAuth flowhttps://blog.teddykatz.com/2019/11/05/github-oauth-bypass.htmlGreat SameSite Confusionhttps://jub0bs.com/posts/2021-01-29-great-samesite-confusion/Check out Nahamsec's Channelhttps://www.youtube.com/c/nahamsecTimestamps:(0:01:45) The deep link debate(00:08:00) LHE and in-person interviews(00:09:25) SQLMAP and raw requests(00:11:11) Hackbar, PwnFox, and browser extensions(00:16:45) JS Weasel tool and its features(00:25:28) Rojan's Research and Public Talks(Start of main content)(00:28:36) Cross-Site Request Forgery (CSRF)(00:35:00) Bypassing GitHub's OAuth flow(00:45:00) A Small SameSite Story(00:48:50) CSRF Exploitation Techniques(01:07:15) CSRF Bug Stories(01:15:30) NahamSec and DEFCON

Episode 27: In this episode of Critical Thinking - Bug Bounty Podcast, we've switched places and now Joel is home while Justin is on the move. We break down seven esoteric web vulnerabilities, and talk Cookies, Config File Injections, Client-side path traversals and more. We also briefly discuss appliance hacking, new tools, and shout out some new talent in the hacking space. Don't miss this episode full of cool vulns, and experience Justin's vocal decline in real time.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterEncrypted Doesn't Mean Authenticated:https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/Tweet about headless chrome browserhttps://twitter.com/bhavukjain1/status/1678719047209484288?t=NWnZvwHTRMyH_lVC-uXe0g&s=19Shout out to new talent within the hacking spacehttps://twitter.com/haxrobhttps://twitter.com/atc1441Tweet about hacking Google Search Appliancehttps://twitter.com/orange_8361/status/1677378401957724160Bitquark releases shortscanhttps://twitter.com/bitquark/status/1677647450989838338Hacking Starbuckshttps://samcurry.net/hacking-starbucks/Justin's CookieJar Toolhttps://apps.rhynorater.dev/checkCookieJarOverflow.htmlHackTrickshttps://book.hacktricks.xyz/pentesting-web/hacking-with-cookies/cookie-jar-overflowXSLeakhttps://xsleaks.devTimestamps:(00:00:00) Introduction(00:04:00) Assetnote on ShareFile RCE(00:13:05) Headless Browsers(00:17:00) Hacker Content Creators(00:22:51) Appliance Hacking(00:30:31) Shortscan Release(Start of main content)(00:35:39) Config File Injection(00:44:00) Client-side Path Traversal(00:51:33) Cookie Bombing(00:58:00) Cookie Jar Overflow(01:03:50) XSLeak(01:10:49) UNC Path Injection(01:15:50) Impactful Link Hijack

In this episode of Critical Thinking - Bug Bounty Podcast, we're back with Joel, fresh (haha) off of back-to-back live hack events in London and Seoul. We compare the different vibes of each LHE, then we dive into the technical thick of it, and talk web browsers, XSS vectors, new tools, CVSS 4.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:______Hunting for NGINX alias traversals in the wildPortSwigger TweetSoroush's Follow-upTweet about magic math element<22 weird XSS behaviorLupin’s follow-upPatch diffingChanges to CVSS 4.0Ask FIRSTdotORG what's going onJsluiseJS import() behavior'JavaScript for Hackers'CSP Evaluator:Dom ClobberingHTML Injection Cheat SheetGareth Heyes website/game______Timestamps:(00:00:00) Introduction(00:04:10) LHE Vibes(00:07:45) "Hunting for NGINX alias traversals in the wild"(00:12:30) Payouts in BB programs(00:16:05) New XSS vectors and popovers(00:24:15) The "magical math element" in Firefox(00:27:15) LiveOverflow on HTML parsing quirks(00:32:10) Mr. Tux Racer, Woocommerce, and WordPress(00:40:00) Changes in the CVSS 4 draft spec(00:45:00) TomNomNom's new tool Jsluise(00:51:15) JavaScript's import function & "JavaScript for Hackers"(01:09:15) Prototype pollution & DOM clobbering(01:18:10) Base tags and CSS Games

Episode 25: In this episode of Critical Thinking - Bug Bounty Podcast we talk to Cosmin (@Inhibitor181), fresh off of winning his 2nd MVH! We chat about the time management and strategy of hacking Multi-Target LHEs, determining when to pivot, and how to find normalcy in bug bounty hunting and Live Hacking Events. We also touch on setting up Vuln Pipelines, creating mental models, and Cosmin's terrifying naming schemes. Don't miss this episode packed with both laughs and valuable insights for beginners and seasoned bug bounty hunters alike.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterToday’s Guest:https://twitter.com/inhibitor181Justin's weird episode with all the Dr. Suess Shithttps://rss.com/podcasts/ctbbpodcast/966055/?listen-on=trueTimestamps:(00:00:00) Introduction(00:02:52) MVH club and Multi-Target stragety (00:12:00) Deciding when to pivot(00:17:00) File Organization and 'unique' naming approaches(00:23:56) Staying up to date on features and updates(00:25:46) Hacking Sleep Habits(00:28:15) Finding 'Normal Life' in bug bounty and LHE(00:33:30) Vuln Pipelines, Wordlists, and full time bug bounty tips(00:44:15) Benefits of the Bug Bounty Community(00:47:45) Relationships with target companies and programs(00:53:15) Creating mental models(01:00:30) The Importance of writing good reports(01:04:30) How to choose what to hack

Episode 24: In this episode of Critical Thinking - Bug Bounty Podcast, we chat with Daniel Miessler and Rez0 about the emergence and potential of AI in hacking. We cover AI shortcuts and command line tools, AI in code analysis and the use of AI agents, and even brainstorm about the possible opportunities that integrating AI into hacking tools like Caido and Burp might present. Don't miss this episode packed with valuable insights and cutting-edge strategies for both beginners and seasoned bug bounty hunters alike.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterToday’s Guests:https://twitter.com/rez0__https://twitter.com/DanielMiesslerDaniel Miessler’s Unsupervised Learninghttps://danielmiessler.com/Simon Willison's Python Function Search Toolhttps://simonwillison.net/2023/Jun/18/symbex/oobabooga - web interface for modelshttps://github.com/oobabooga/text-generation-webuiState of GPThttps://karpathy.ai/stateofgpt.pdf AI Canarieshttps://danielmiessler.com/p/ai-agents-canaries GPT3.5https://community.openai.com/t/gpt-3-5-turbo-0613-function-calling-16k-context-window-and-lower-prices/263263 GPT Engineerhttps://github.com/AntonOsika/gpt-engineerTimestamps:(00:00:00) Introduction(00:05:40) Using AI for hacking: Developing hacking tools and workflow shortcuts(00:11:40) GPT Engineer and Small Developer for Security Vulnerability Mapping(00:22:40) The potential dangers of centralized vs. decentralized finance(00:24:10) Ethical hacking and circumventing ChatGPT restrictions(00:26:09) AI Agents, Reverse API, and Encoding/Decoding Tools(00:31:45) Limitations of AI in context window and processing large JavaScript files(00:36:50) Meta-prompter: Enhancing prompts for accurate responses from GPT(00:41:00) GPT-35 and the new 616K context model(45:08) Creating a loader for Burp Suite files or Caido instances(00:54:02) Hacking AI Features: Best Practices(01:00:00) AI plugin takeover and the need for verification of third-party plugins and tools

Episode 23: In this episode of Critical Thinking - Bug Bounty Podcast, we delve into a different aspect of hardware - Our personal loadouts. We go through the equipment and gear we use to get our jobs done, and share stories about why we picked what we have. We also touch on live hacking events, the growing acceptance of white hat hacking, and some pretty cool news going on in the hacker world. Don't miss this episode packed with tips and strategies for both beginners and seasoned hackers alike!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterBlog post on hacking root EPP servershttps://hackcompute.com/hacking-epp-servers/Behind this Website:https://github.com/jonkeegan/behind-this-websiteTweet about vRealize Network Insight: https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/Zoom's new vulnerability impact scoring system:https://viss.zoom.com/specificationsUplift Deskshttps://www.upliftdesk.com/Synergyhttps://symless.com/synergyAhnestly chair reviews:https://www.youtube.com/c/AhnestlyOur producer’s new audio drama ‘Homicide at Heavensgate’https://link.sentinelstudios.net/homicideTimestamps:(00:00:00) Introduction(00:02:28) Navigating hacking events and imposter syndrome(00:06:30) Blog post on hacking root EPP servers(00:10:01) The growing acceptance of white-hat hacking(00:12:25) Finding Website Owners and Contact Information(00:16:45) VMware vRealize Network Insight CVEs and nginx reverse proxy bypass(00:21:30) Zoom's new vulnerability impact scoring system(00:27:24) The Importance of Analyzing Systemic Problems in Black Box Testing(00:30:40) Documentation, Vulnerable by Design, and acceptable risk(Start of main content)(00:34:37) Leveling up your Hacker Setup(00:37:13) The Importance of your body(00:41:30) Investing in ergonomic equipment for computer work(00:42:27) Standing Desks: Uplift Desk and DIY standing desk options(00:46:00) Portable Tables: Flexible Workspace Solutions(00:47:30) Monitor Setup(00:54:40) Synergy: One keyboard and mouse across multiple devices(00:57:20) Capture Card: Using it as a software display(00:58:58) Keyboards and mice(01:03:27) Using a Chromebook for lightweight hacking(01:08:57) Chair Reviews: The Niche World of High-End Chairs

Episode 22: In this episode of Critical Thinking - Bug Bounty Podcast we talk about some basic/intermediate concepts related to Hardware Hacking. Specifically, we dive into extracting data from eMMC chips in order to get our hands on source code for IoT devices. Don't miss this episode packed with valuable insights, tips, and strategies for beginners and seasoned bug bounty hunters alike!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterCheckout NahamCon:https://bit.ly/42vnpMSRiverLoop Security Write-up: https://bit.ly/3oSKL1oGood Chip-Off Write-up:https://bit.ly/3IWym3qScratching chips to expose pins:https://bit.ly/45Tj21ihttps://bit.ly/3oJJt8ZChat with Corben on Degrees: https://youtu.be/N9P5PUx-PNQ?t=2311Gareth Hayes Tweet:https://bit.ly/3qvFNYWHuntress - John Hammond - MoveIt Response:https://bit.ly/42vTTXvCritical Thinking Hardware Hacking Setup - See the gear we're talking about (Affiliate links): https://linke.to/hardwarehackingsetTimestamps:(00:00:00) Introduction(01:03) NahamCon's Live Hacking Event and Justin's Presentation on PCI DSS(02:40) Depreciation of Data URLs in SVG Use Element(04:55) Gareth Hayes and knowledge sharing in the hacking community(07:50) Move It vulnerability and and John Hammond’s epic 4 am rants(12:18) Identifying promising leads in bug bounty hunting, and knowing when to move on(Start of main content)(21:40) Hardware Recon, and using Test Pins to Access EMMC Chip(26:16) Identifying Chip Pinouts and Continuity Testing(29:01) Using Logic Analyzers for Hardware Hacking(33:01) Importance of Fundamental Knowledge in Hacking, and the benefits of understanding Electrical Engineering(35:46) Replay Protected Memory Block Protocol(40:00) Bug Bounty Programs and Hardware Testing Support(41:05) Chip Pulling techniques and Essential Equipment for Hardware Hacking(59:50) Tips for Buying Hardware Hacking Tools: Research and Specific Use Cases(01:06:35) Hardware Hacking: Just scratching the surface.(01:08:45) Vulnerability Disclaimer: Pulling OS from a chip does not constitute a Vulnerability.

In this episode of Critical Thinking - Bug Bounty Podcast, we chat with Corben Leo about his journey in bug bounty hunting and ethical hacking. We discuss the state of DNS rebinding in 2023, a Twitter thread by Douglas Day (@ArchAngelDDay) on one-hundred bug bounty rules, and our own unique approaches to bug hunting. We also discuss Corben's recon-focused bug hunting methodology and how he developed it. Don't miss this episode filled with valuable tips, insights, and Corben's Boring Mattress Company.Follow us on twitter at: @ctbbpodcastGet on our newsletter for some exclusive content: https://www.criticalthinkingpodcast.io/subscribeWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterToday’s Guest:https://twitter.com/hacker_Article on the State of DNS Rebinding in 2023:https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/See @ArchAngelDDay's twitter thread about 100 bug bounty rules:https://twitter.com/ArchAngelDDay/status/1661924038875435008Talkback - Cybersecurity news aggregator:https://talkback.sh/PyPI announces mandatory 2FA:https://www.bleepingcomputer.com/news/security/pypi-announces-mandatory-use-of-2fa-for-all-software-publishers/Timestamps:(00:00:00) Introduction(01:05) State of DNS rebinding in 2023(04:40) 100 Bug Bounty Rules by @ArchAngelDDay(05:30) Give yourself a ‘no bug’ limit(07:00) The value of reporting Low and Medium Bugs for Bug Bounty Programs(11:15) Reporting Out of Scope Bugs(14:30) Reporting IDORs as Access Control Bugs(17:28) Talkback(18:12) PyPI's mandatory 2FA implementation for software publishers(Start of main content)(20:07) Starting out in bug bounty/ethical hacking(25:00) Hacking methodology and mentorship(28:15) Identifying Load Balancers(33:20) Triage and live events:(38:30) College and Computer Science vs. Cybersecurity(45:45) Importance of writing for the Hacker Community(51:21) Storytelling and report writing.(55:00) When to stop doing recon and start hacking(01:00:58) Lessons Learned from BreachlessAI and the pivot to Boring Mattress Co.

Episode 20: In this episode of Critical Thinking - Bug Bounty Podcast, we dive into the world of "hacker brain hacks'' and overcoming challenges in bug bounty hunting. We discuss custom word lists, the rising popularity of Caido as a potential Burp Suite replacement, and Cloudflared tunnels for hosting POCs. We also tackle the mental aspects of bug bounty hunting, from procrastination to imposter syndrome, and share tips for staying motivated and avoiding burnout. Don't miss this episode packed with valuable insights and advice for both beginners and seasoned bug bounty hunters!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterCaido:https://caido.ioTweet from D3mondev on Sequence Diagram:https://twitter.com/d3mondev/status/1660803152755453952Sequence diagram software:https://sequencediagram.orgTimestamps:(00:00:00) Introduction(00:02:36) "Sequence Diagram": Sequence mapping for PoCs(00:04:10) "SubReconGPT": AI and GPT in Bug Bounty Hacking(00:08:30) "Caido": A Potential Replacement for Burp Suite(00:11:34) HackerOne's New Features(00:13:00) Cloudflared Tunnels for Red Team Assessments and Payload Hosting(00:16:07) Mental challenges in Bug Bounty Hunting(00:17:50) Procrastination Education: Letting fear of failure drive you into always learning, never doing.(00:22:46) Analysis Paralysis: Starting with Bug Bounty Programs vs VDPs(00:27:07) Automation Obsession: "When you're hacking, hack. When you're automating, automate."(00:14:34) Imposter Syndrome: You may not be the best, but you're not the worst either.(00:31:55) Motivation Deprivation: Stay curious, and set tiered goals(00:36:07) Automation Obsession pt2: Do we need to say it again?(00:37:25) Reconnaissance Cognizance: Spending too much time on recon and not enough time on hacking(00:40:00) Bad Rabbit Holes, RIP Your Goals: Identifying good and bad rabbit holes(00:46:01) Set Your Goal Poles: Setting specific goals for yourself.(00:48:29) Impact Lacked: Fixating on something that's funky, but simply doesn’t really have impact(00:51:00) The Burn-out turn-out: Mending, maintenance, and finding identity and self-worth outside hacking(00:58:19) Responsibility Volatility: Balancing Responsibilities and Freedom as a Bug Bounty Hunter(01:00:30) Payout Phase-out: Don't stop once you've found one bug.(01:02:04) Report on URN Injection

Episode 19: In this episode of Critical Thinking - Bug Bounty Podcast we further discuss some tips and tricks for finding vulns once you’ve got source code and some banger tweets/tools that popped up in our feed this week. Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterPart 1:https://open.spotify.com/episode/2pdTaWHSzl9CY7PgRQtvTiNoperator’s Zip-Snip: https://twitter.com/noperator/status/1658313637189111808https://github.com/noperator/zip-sniphttps://noperator.dev/posts/zip-snip/Insecure’s SIP Bugs: https://twitter.com/ifsecure/status/1656591469518495745 AssetNote’s Sitecore Bugs: https://blog.assetnote.io/2023/05/10/sitecore-round-two/ Fyooer’s Shadow Clone: https://github.com/fyoorer/ShadowClone

Episode 18: In this episode of Critical Thinking - Bug Bounty Podcast, we dive into everything source-code related: how to get source-code and what to do with it once you have. This episode is packed with great examples of successful source code review, tips on how to review code yourself, and the tools you'll need along the way.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterCrossing the KASM:https://www.youtube.com/watch?v=NwMY1umhpggPWNAssistant by Elttam:https://www.elttam.com/blog/pwnassistant/#contentAndre's Git Arbitrary Configuration Injection:https://blog.ethiack.com/en/blog/git-arbitrary-configuration-injection-cve-2023-29007Jub0b's a Smorgasbord of a Bug Chain:https://jub0bs.com/posts/2023-05-05-smorgasbord-of-a-bug-chain/Ankur Sundara's Cookie Bugs - Smuggling & Injection:https://twitter.com/ankursundara/status/1654556463703134208?t=7nTUSszPB6fS3MkATzxpaQ&s=19James Kettle's Notes on Novel Pathways to Poisoning (cool quirks in here):https://twitter.com/albinowax/status/1654767919690031106?t=vbVEOML5_QnWByi0m8Nv4A&s=19Ignore Irrelevant Scripts During Debugging by Johan Carlsson:https://twitter.com/joaxcar/status/1653787336105156616Every known way to get references to windows:https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2dVS Code Todo Highlight:https://marketplace.visualstudio.com/items?itemName=wayou.vscode-todo-highlightVS Code:https://code.visualstudio.com/

Episode 17: In this episode of Critical Thinking - Bug Bounty Podcast we talk with five legendary hackers about some of their favorite bugs. Live. From LA.Corben Leo “Lorben CEO” @hacker_Sam “ZLZ” “ZOZL” “The King” Curry @samwcyoFrans “The Legend” Rosen @fransrosenJonathan “Doc” Bouman @JonathanBoumanNagli…NagliNagli @naglinagliShoutout to Jonathan Bouman’s Mom!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterFOLLOW OUR LINKEDIN ACCOUNT FOR NAGLI:https://www.linkedin.com/company/ctbbpodcastSam Curry’s shoutout - Ian Carrol’s Seats.Aero: https://seats.aero/

Episode 16: In this episode of Critical Thinking - Bug Bounty Podcast we talk about the hacker’s toolkit. Joel and Justin talk about their VPS setup, go-to hacking tools, most often used Linux commands, and the ways they duct tape all of these together for the big hacks.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on Twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterOur Boi @rez0__ Dropping Some AI Hackz:https://twitter.com/rez0__/status/1648685943539245056?s=20LiveOverflow Prompt Injection:https://www.youtube.com/watch?v=Sv5OLj2nVAQJoel’s Private Network Solution:https://www.zerotier.com/Stok & Tomnomnom on Vim/Bash:https://www.youtube.com/watch?v=l8iXMgk2nnYLatest GhostScript RCE:https://offsec.almond.consulting/ghostscript-cve-2023-28879.htmlIntigriti CSRF Basics & Jub0b's Legendary SameSite Article:https://twitter.com/intigriti/status/1646104705561403398https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/Nahamcon:http://nahamcon.com/Pentah0wnage:https://research.aurainfosec.io/pentest/pentah0wnage/DNSChef:https://github.com/iphelix/dnschefHttpx:https://github.com/projectdiscovery/httpxEspanso:https://espanso.org/GoWitness:https://github.com/sensepost/gowitness

Episode 15: In this episode of Critical Thinking - Bug Bounty Podcast we talk with the latest Million-Dollar bug bounty hunter: @naglinagli . He talks about his climb from $1,000 in bounties to $1,000,000, recon tips and tricks, and some bug reports that made the news and landed him the "Best Bug" award at a H1 Live Hacking event.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterFollow Nagli and his new startup Shockwave:https://twitter.com/naglinaglihttps://twitter.com/shockwave_secHackMD Collaborative Notes:https://hackmd.io/Ian Carroll's Airline Miles Website:https://seats.aeroNagli's Tweet in ChatGPT Web Cache Deception:https://twitter.com/naglinagli/status/1639343866313601024Timestamps:(00:00:00) Intro(00:04:40) Nagli’s Climb(00:05:40) What kind of vulns do you look for?(00:09:25) Working with other hackers(00:10:20) Bug Bounty Hunter’s Guild(00:12:35) Shockwave product(00:14:12) Outsourcing tool development(00:18:46) What got you started?(00:21:13) Manual hacking vs recon suite + LHE focus(00:25:00) How do you take notes(00:29:42) Biggest things that you’ve learned over the past 2 years(00:31:29) How do you ingest new techniques?(00:31:50) Collaboration(00:37:20) Justin Ranting about “Trained Eyes”(00:40:18) Time spent coding vs hacking(00:45:28) Travel and spending habits(00:54:16) Grep is Nagli’s database(00:56:20) Nagli’s ChatGPT Web Cache Deception(00:58:44) What does your alerting look like?(01:01:50) Nagli’s “Most Critical” SSRF(01:04:30) Burp Active Scan

Episode 14: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Dynamic Analysis within Mobile Hacking and a bunch of random hacker stuff. It's a good time. Enjoy the pod.Follow us on Twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on Twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterJoel’s Alternative to UberTooth One:https://www.amazon.com/Bluetooth-UD100-G03-Exchangeable-Bluesoleil-Microsoft/dp/B0161B5ATMD3monDev’s Burp VPS Plug-in:https://github.com/d3mondev/burp-vps-proxyFireProx:https://github.com/ustayready/fireproxJoel’s Universal SSL De-pinning Frida Script:https://gist.github.com/teknogeek/4dc35fb3801bd7f13e5f0da5b784c725Command-line Fuzzy Finder:https://github.com/junegunn/fzfJustin’s two article recommendations for using Frida:https://tinyurl.com/5n94d6ryhttps://tinyurl.com/yfy3n5f5Copy screen of physical device:https://tinyurl.com/ymdrscm5Flipper:https://flipperzero.one/BetterCap BLE Module:https://www.bettercap.org/modules/ble/Timestamps:(00:00:00) Intro(00:00:55) Hacker Chats(00:03:27) Podcast Content Commentary(00:04:09) SSRF Rebinding Error Confession(00:06:02) Flipper Zero(00:07:58) Bettercap BLE(00:09:36) Sena USB Bluetooth Adapter(00:12:41) Burp VPS Proxy Plugin(00:13:55) Fireprox(00:15:40) Dynamic Mobile Hacking(00:17:40) Dynamic Analysis Overview(00:18:18) Emulator Talk(00:24:29) Joel’s APK Analysis Flow(00:26:30) Cert Pinning(00:32:17) Joel’s SSL Cert Pinning Script(00:35:29) Hands-on look at Frida(00:50:11) Frida on Non-rooted Devices(00:58:22) Tracing Errors to Overwritable Functions(01:00:39) Native Libraries(01:09:18) GenyMobile Screen Mirroring Tool(01:11:50) Justin’s Report of the Day and Custom SSL Pinning(01:18:15) Joel’s First Ever Bug, Jailbreak Detection Bypass

Episode 13: In this episode of Critical Thinking - Bug Bounty Podcast we talk about how to determine if a bug bounty program is good or not from the policy page. We also cover some news including Acropalypse, ZDI's Pwn2Own Competition, Node's Request library's SSRF Bypass, and a new scanning tool by JHaddix. Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterJHaddix AWSScrape Tool:https://twitter.com/Jhaddix/status/1637140192728612865?s=20Acropalypse Links:https://twitter.com/ItsSimonTime/status/1636857478263750656https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.htmlhttps://twitter.com/David3141593/status/1638222624084951040https://twitter.com/David3141593/status/1638293029059477505SSRF Bypass in NodeJS:https://blog.doyensec.com/2023/03/16/ssrf-remediation-bypass.htmlZDI's Pwn2Own:https://twitter.com/thezdiKuzu7shiki's Awesome Pixiv Report:https://hackerone.com/reports/1861974https://twitter.com/kuzu7shikiSome of the Programs we talk about:https://hackerone.com/instacarthttps://hackerone.com/semrushhttps://hackerone.com/yahoohttps://hackerone.com/paypal

Episode 12: In this episode of Critical Thinking - Bug Bounty Podcast we talk with Jason Haddix about his eclectic hacking techniques, Hacker -> Hacker CISO life, and some crazy vulns he found. This episode is chock full of awesome tips so give it a good listen!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterFollow JHaddix on Twitter:https://twitter.com/jhaddixBuddoBot:https://buddobot.com/BC Hunt:https://github.com/bugcrowd/HUNT/blob/master/README.mdOne List For All:https://github.com/six2dez/OneListForAllAssetNote Wordlists:https://wordlists.assetnote.io/Backslash Powered Scanner:https://portswigger.net/bappstore/9cff8c55432a45808432e26dbb2b41d8Jason’s Handy Dandy Acronyms:SSWLR - Sensitive Secrets Were Leaked RecentlyStatusSizeWordsLinesResponse TimeCOTS Software - Common Off-The-Shelf Software

Episode 11: In this episode of Critical Thinking - Bug Bounty Podcast we talk about CVSS (the good, the bad, and the ugly), Web Cache Deception (an underrated vuln class) and a sick SSTI Joel and Fisher found.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterMDSec Outlook Vuln:https://twitter.com/MDSecLabs/status/1635791863478091778Jub0bs User-Existance Oracle Tweet:https://twitter.com/jub0bs/status/1633786349529513986James Kettle's Tweet About BB ID Header Standardization:https://twitter.com/albinowax/status/163595150679175577615K Snapchat Numeric IDOR:https://hackerone.com/reports/1819832Bug Bounty Reports Explained:https://www.bugbountyexplained.com/CVSS Calculator:https://nvd.nist.gov/vuln-metrics/cvss/v3-calculatorWeb Cache Deception Write-up:https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack.pdf

Episode 10: In this episode of Critical Thinking - Bug Bounty Podcast we talk about what its like to be a full-time bug bounty hunter, a tonne of bug bounty news, and some great report summaries from Justin’s two mentees: Kodai and Soma. Follow us on twitter at: https://twitter.com/ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterHackVertor https://portswigger.net/bappstore/65033cbd2c344fbabe57ac060b5dd100 Not_An_Aardvark (Teddy Katz) Blog: https://blog.teddykatz.com/ Tweets from PortSwigger Research:https://twitter.com/PortSwiggerRes/status/1632742844535324677https://twitter.com/PortSwiggerRes/status/1630221223874445314https://twitter.com/PortSwiggerRes/status/1629131380473970688HackerOne LHE Standards: https://www.hackerone.com/hackerone-community-blog/get-invited-how-live-hacking-event-invites-have-changed Rez0 Bug Bounty Tweet: https://twitter.com/rez0__/status/1553371602770960384?t=NCr_esHcEts9PrcjxIZ5uw&s=19Rojan’s Github Bug: https://twitter.com/uraniumhacker/status/1633199768263593984Goodbye Daily Swig: https://portswigger.net/daily-swig/were-going-teetotal-its-goodbye-to-the-daily-swig Gareth Heyes JavaScript for Hackers:https://leanpub.com/javascriptforhackers/

Episode 9: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Headless Browser SSRF and drop a tool called RebindMultiA. Joel also walks us through a web3 bug and we cover some bug bounty news from the past week. As always, we drop some bug bounty tips and give you some attack vectors to think about.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Truffle Security End-To-End Encryption Video:https://www.youtube.com/watch?v=BBcZcoIZ1JcHackerOne World Cup:https://www.hackerone.com/hackers/brand-ambassador-programHackerOne World Cup Sign Up Form for USA:https://docs.google.com/forms/d/e/1FAIpQLSeRQpH2y0J-opxlsz8dPkvnIu8BqC_DA3CJe_eFhTFroPwdcg/viewformChatGPT API:https://openai.com/blog/introducing-chatgpt-and-whisper-apisMegachad RobertMD GitHub Issue:https://github.com/nccgroup/singularity/issues/2Justin’s RebindMultiA Tool:https://github.com/Rhynorater/rebindMultiABrandon Dorsey’s WhoNow Tool:https://github.com/brannondorsey/whonowNCC Group’s Singularity:https://github.com/nccgroup/singularityChromium Disclosed Bugs:https://chromium-disclosed-bugs.appspot.com/NahamSec Talk on Headless Browser SSRF:https://docs.google.com/presentation/d/1JdIjHHPsFSgLbaJcHmMkE904jmwPM4xdhEuwhy2ebvo/htmlpresenJonathan Bowman - LFI via <annotation>:https://medium.com/@jonathanbouman/local-file-inclusion-at-ikea-com-e695ed64d82fWASM Port Scanning:https://github.com/avilum/portsscanJack Halon - Chrome Browser Exploitation:https://twitter.com/jack_halon/status/1583957704930131968DNSChef:https://github.com/iphelix/dnschef

Episode 8: In this episode of Critical Thinking - Bug Bounty Podcast we drop some critical bugs which leak raw credit card info. We also discuss some CSS Injection & PostMessage related techniques. It's a short one but a good one! Don't miss it!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterCSS Escape Blog Post:https://mathiasbynens.be/notes/css-escapesRez0’s blog on ChatGPT:https://rez0.blog/hacking/2023/02/21/hacking-with-chatgpt.htmlAll the ways to get a reference to a frame (shoutout to @wcbowling for the article):https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2dCSS Painting API:https://developer.mozilla.org/en-US/docs/Web/API/CSS_Painting_APIImport Chaining:https://d0nut.medium.com/better-exfiltration-via-html-injection-31c72a2dae8b

Episode 7: In this episode of Critical Thinking - Bug Bounty Podcast we talk about PortSwigger's Top 10 Web Hacking Techniques of 2022 (link below), some drama surrounding TruffleSecurity's XSS Hunter, and, as always, some great bug bounty tips.Sorry if the audio is a little rough around the edges this time, should be better than ever next time.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterPortSwigger's Top 10 Web Hacking Techniques of 2022:https://portswigger.net/research/top-10-web-hacking-techniques-of-2022Ian Carroll Cookie Monster:https://github.com/iangcarroll/cookiemonsterFrans Rosen's postMessage Tracker Chrome Extension:https://github.com/fransr/postMessage-trackerNotes from Justin on postMessages:https://rhynorater.github.io/postMessage-BraindumpFrans Rosen's research on nginx misconfiguration that are similar to #6:https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/"Mount" Wycheproof 😂:https://github.com/google/wycheproofhttps://en.wikipedia.org/wiki/Mount_WycheproofNathan Davison - Abusing Hop-by-Hop headers:https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headersAwesome example of client-side path traversal:https://erasec.be/blog/client-side-path-manipulation/Joohoi Ffuf 2.0:https://infosec.exchange/@joohoi/109806822104162973FeroxBuster:https://github.com/epi052/feroxbuster

Episode 6: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with mobile hacking legend Joel Margolis and get the scoop on his approach to popping bugs on Android.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterJoel’s HackerOne Android Hacking Introduction:https://t.ly/f87DAndroid Pixel Lock Screen Bypasshttps://t.ly/Q_qqExploiting Deeplink URLs:https://inesmartins.github.io/exploiting-deep-links-in-android-part1/index.htmlJoel’s get_schemas tool:https://github.com/teknogeek/get_schemasExample AndroidManfest.xml we referenced:https://t.ly/mcN1https://t.ly/ErVVAndroid docs for intent filters:https://developer.android.com/guide/components/intents-filters.htmlAndroid docs for “setAllowContentaccess”:https://t.ly/hXOZAndroid docs for “setAllowFileAccess”:https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccess(boolean)Add JavaScript Interface to Webview:https://developer.android.com/reference/android/webkit/WebView#addJavascriptInterface(java.lang.Object,%20java.lang.String)Joel’s SSL Pinning Bypass:https://gist.github.com/teknogeek/4dc35fb3801bd7f13e5f0da5b784c725Google Chrome Docs for Intent URLs:https://developer.chrome.com/docs/multidevice/android/intents/#considerationsJoel’s Bug Bounty Report:https://hackerone.com/reports/423467

Episode 5: In this episode of Critical Thinking - Bug Bounty Podcast we talk about the new XSS Hunter, MD5 collisions and using ChatGPT for security, and much more!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterSave All Resources Chrome Extension: https://chrome.google.com/webstore/detail/save-all-resources/abpdnfjocnmdomablahdcfnoggeeiedb?hl=enCorben's AMA: https://twitter.com/hacker_/status/1620514351521366016Collisions repo: https://github.com/corkami/collisions

Episode 4: In this episode of Critical Thinking - Bug Bounty Podcast we have part two of our series on the H1-407 HackerOne Live Hacking Event. This time, we have a special guest SpaceRaccoon (@spaceraccoonsec) talking about techniques and takeaways from the event.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterSpaceraccoon’s blog:https://spaceraccoon.dev/Spaceraccoon’s twitter:https://twitter.com/spaceraccoonsecResponder (NTLM Hash harvesting tool):https://github.com/lgandx/ResponderThe malware reversing course Spaceraccoon recommended:https://courses.zero2auto.com/Offensive Security Exploit Development Courses:https://www.offensive-security.com/courses-and-certifications/

Episode 3: In this episode of Critical Thinking - Bug Bounty Podcast we talk about some of the interesting things we’ve learned from participating in HackerOne's H1-407 Live Hacking event. We cover decompiling binaries in various different languages, Windows URI Handlers, Caido, and SameSite Lax + POST.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterFrans Rosen S3 Bucket Authorization Blog Post: https://labs.detectify.com/2018/08/02/bypassing-exploiting-bucket-upload-policies-signed-urls/Getting code from executables:ILSpyDotPeekJadx-GUIPyinstxtractorUncompyle6Jub0b’s SameSite Article:https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/Mgeeky’s Powershell Script to Enumerate Windows App URI Handlershttps://gist.github.com/mgeeky/5a30a0619a7486b2fb0bd5233490fa64

Episode 2: In this episode of Critical Thinking - Bug Bounty Podcast we talk about exploit writing/automation, some new tools released in the industry (Of-CORS), the age old question of "Do you have to know how to program to hack?", a walk-through of some very impactful bug bounty reports, and some tips and tricks for exploit writing.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterOf-CORS by TruffleSecurityhttps://trufflesecurity.com/blog/of-cors/https://github.com/trufflesecurity/of-corsCyberChefhttps://gchq.github.io/CyberChef/Curl Converterhttps://curlconverter.com/Caidohttps://caido.io/Copy As Python Requestshttps://portswigger.net/bappstore/b324647b6efa4b6a8f346389730df160eMMC Card Reader:https://www.allsocket.com/Joel's Funny Automation XKCD:https://xkcd.com/1319/Flipper:https://shop.flipperzero.one/

Episode 1: In this episode of Critical Thinking - Bug Bounty Podcast, Joel Margolis (aka 0xteknogeek) and Justin Gardner (aka Rhynorater) cover introductions, a couple of cool bug bounty reports, and some really helpful BB Tips.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterThe report Joel was talking about: https://hackerone.com/reports/1672388