Episodes

  • Episode 96: In this episode of Critical Thinking - Bug Bounty Podcast we’re back with Matanber to hit some stuff we ran out of time on last episode. We talk about advanced cookie parsing techniques and exploitation methods, Safari's unique behaviors regarding cookie handling and debugging methods, and some of the writeups from the HeroCTF v6.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Guest: https://x.com/MtnBer

    Resources:

    Cookie Bugs - Smuggling & Injection

    https://blog.ankursundara.com/cookie-bugs/#:~:text=Cookie%20Smuggling

    iOS Webkit Debug Proxy

    https://github.com/google/ios-webkit-debug-proxy

    HeroCTF v6 Writeups

    https://mizu.re/post/heroctf-v6-writeups

    Timestamps

    (00:00:00) Introduction

    (00:01:29) Cookie exploits

    (00:21:32) Matan's Safari Adventure

    (00:29:49) HeroCTF 6 writeups

  • Episode 95: In this episode of Critical Thinking - Bug Bounty Podcast In this episode, Justin is joined by MatanBer to delve into the intricacies of browser extensions. We talk about the structure and threat models, and cover things like service workers, extension pages, and isolated worlds.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Sponsor - AssetNote. Listen to their podcast https://www.criticalthinkingpodcast.io/sspod

    Today’s Guest: https://x.com/MtnBer

    Resources

    Universal Code Execution by Chaining Messages in Browser Extensions

    https://spaceraccoon.dev/universal-code-execution-browser-extensions/

    DOMLogger++

    https://github.com/kevin-mizu/domloggerpp

    BBRE Metamask bug

    https://youtu.be/HnI0w156rtw?si=QixP8SX6JuRFz6PA

    Bench Press: Leaking Text Nodes with CSS

    https://blog.pspaul.de/posts/bench-press-leaking-text-nodes-with-css/

    Timestamps:

    (00:00:00) Introduction

    (00:03:08) Structure & Threat Model for Browser Extension

    (00:28:28) Extension Attack scenarios

    (01:01:26) Attacking Extension Pages

    (01:26:35) Attacking Service Workers

    (01:46:23) Getting source code and dynamic debugging

  • Episodes manquant?

    Cliquez ici pour raffraichir la page manuellement.

  • Episode 94: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel give their perspectives on the recent Zendesk fiasco and the ethical considerations surrounding it. They also highlight the launch of AuthzAI and some research from Ophion Security

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Sponsor - AssetNote. Listen to their podcast https://www.criticalthinkingpodcast.io/sspod

    Resources:

    New music drop from our Boi YT

    https://x.com/realytcracker/status/1847599657569956099

    AuthzAI

    https://authzai.com/

    Ron Chan

    https://x.com/ngalongc

    Misconfigured User Auth Leads to Customer Messages

    https://www.ophionsecurity.com/post/live-chat-blog-1-misconfigured-user-auth-leads-to-customer-messages

    Zendesk Write-up

    https://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b9d2cf2e52

    Response from Zendesk

    https://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b9d2cf2e52?permalink_comment_id=5232589#gistcomment-5232589

    Timestamps

    (00:00:00) Introduction

    (00:05:29) AuthzAI and the return of Ron Chan

    (00:13:50) Ophion Security Research

    (00:18:12) Zendesk Drama

  • Episode 93: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Dr. Jonathan Bouman to discuss his unique journey as both a Hacker and a Healthcare Professional. We talk through how he balances his dual careers, some ethical considerations of hacking in the context of healthcare, and highlight some experiences he’s had with Amazon's bug bounty program.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Sponsor - ThreatLocker. Checkout their ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect

    Today’s Guest - https://x.com/jonathanbouman?lang=en

    Resources

    Anyone can Access Deleted and Private Repository Data on GitHub

    Filesender Github

    Remote Code execution at ws1.aholdusa .com

    APK-MITM

    Hacking Dutch healthcare system

    Fitness Youtube Channels

    https://www.youtube.com/channel/UCpQ34afVgk8cRQBjSJ1xuJQ

    https://www.youtube.com/@BullyJuice

    Timestamps

    (00:00:00) Introduction

    (00:07:28) Medicine and Hacking

    (00:19:36) Hacking on Amazon

    (00:34:33) Collaboration and consistency

    (00:44:13) SSTI Methodology

    (01:06:10) iOS Hacking Methodology

    (01:13:23) Hacking Healthcare

    (01:32:19) Health tips for hacking

  • Episode 92: In this episode of Critical Thinking - Bug Bounty Podcast In this episode Justin and Joel tackle a host of new research and write-ups, including Ruby SAML, 0-Click exploits in MediaTek Wi-Fi, and Vulnerabilities caused by The Great Firewall

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Sponsor - ThreatLocker. Checkout their ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect

    Resources:

    Insecurity through Censorship

    Ruby-SAML / GitLab Authentication Bypass

    0-Click exploit discovered in MediaTek Wi-Fi chipsets

    New Caido Plugin to Generate Wordlists

    Bebik’s 403 Bypassor

    CSPBypass

    Arb Read & Arb write on LLaMa.cpp by SideQuest

    XSS WAF Bypass One payload for all

    Timestamps

    (00:00:00) Introduction

    (00:02:08) Vulnerabilities Caused by The Great Firewall

    (00:07:25) Ruby SAML Bypass

    (00:19:55) 0-Click exploit discovered in MediaTek Wi-Fi chipsets

    (00:24:36) New Caido Wordlist Plugin

    (00:31:00) CSPBypass.com

    (00:35:37) Arb Read & Arb write on LLaMa.cpp by SideQuest

    (00:43:10) Helpful WAF Bypass

  • Episode 91: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner sits down with Critical Thinking’s own HackerNotes writer Brandyn Murtagh (gr3pme) to talk about his journey with Bug Bounty. We cover mentorship, networking and LHEs, ecosystem hacking, emotional regulation, and the need for self-care. Then we wrap up with some fun bugs.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Shop our new swag store at ctbb.show/swag

    Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder

    Today’s guest: https://x.com/gr3pme

    Resources:

    Lessons Learned for LHEs

    https://x.com/Rhynorater/status/1579499221954473984

    Timestamps:

    (00:00:00) Introduction

    (00:07:02) Mentorship in Bug Bounty

    (00:16:30) LHE lessons, takeaways, and the benefit of feedback and networking

    (00:41:28) Choosing Targets

    (00:49:03) Vuln Classes

    (00:58:54) Bug Reports

  • Episode 90: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin recap some of their recent hacking ups and downs and have a lively chat about Cursor. Then they cover some some research about SQL Injections, Clickjacking in Google Docs, and how to steal your Telegram account in 10 seconds.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Shop our new swag store at ctbb.show/swag

    Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder

    Resources:

    Breaking Down Barriers: Exploiting Pre-Auth SQL Injection in WhatsUp Gold

    Content-Type that can be used for XSS

    Clickjacking Bug in Google Docs

    Justin's Gadget Link

    https://www.youtube.com/signin?next=https%3A%2F%2Faccounts.youtube.com%2Faccounts%2FSetSID%3Fcontinue%3Dhttps%3A%2F%2Fwww.google.com%252Famp%252fpoc.rhynorater.com

    Stealing your Telegram account in 10 seconds flat

    Timestamps

    (00:00:00) Introduction

    (00:08:28) Recent Hacks and Dupes

    (00:14:00) Cursor

    (00:25:02) Exploiting Pre-Auth SQL Injection in WhatsUp Gold

    (00:34:17) Content-Type that can be used for XSS

    (00:40:25) Caido updates

    (00:43:14) Clickjacking in Google Docs, and Stealing Telegram account

  • Episode 89: In this episode of Critical Thinking - Bug Bounty Podcast We’re joined live by Matt Brown to talk about his journey with hacking in the IoT. We cover the specializations and challenges in hardware hacking, and Matt’s personal Methodology. Then we switch over to touch on BGA Reballing, Certificate Pinning and Validation, and some of his own bug stories.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder

    Today’s Guess Matt Brown: https://x.com/nmatt0

    Resources:

    Decrypting SSL to Chinese Cloud Servers

    https://www.youtube.com/watch?v=3qSxxNvuEtg

    mitmrouter

    https://github.com/nmatt0/mitmrouter

    certmitm Automatic Exploitation of TLS Certificate Validation Vulns

    https://www.youtube.com/watch?v=w_l2q_Gyqfo

    and

    https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Aapo%20Oksman%20-%20certmitm%20automatic%20exploitation%20of%20TLS%20certificate%20validation%20vulnerabilities.pdf

    https://github.com/aapooksman/certmitm

    HackerOne Detailed Platform Standards

    https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards

    Timestamps:

    (00:00:00) Introduction

    (00:13:33) Specialization and Challenges of IOT Hacking

    (00:33:03) Decrypting SSL to Chinese Cloud Servers

    (00:47:00) General IoT Hacking Methodology

    (01:26:00) Certificate Pinning and Certificate Validation

    (01:34:35) BGA Reballing

    (01:43:26) Bug Stories

  • Episode 88: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel tackle a whole slate of new research including a new cheat sheet for URL validation bypass from Portswigger, the introduction of Sanic DNS as a high-speed DNS resolver, xsstools, and the Dockerization of Orange Confusion Attacks.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Shop our new swag store at ctbb.show/swag

    Resources

    URL Validation Bypass cheat sheet

    SanicDNS

    Orange Confusion Attacks

    WordPress GiveWP POP to RCE

    Xsstools

    Bypassing browser tracking protection

    Advanced iframe Magic

    DOM Clobbering

    https://www.ruhrsec.de/downloads/slides/Everything-You-Wanted-to-Know-About-DOM-Clobbering-But-Were-Afraid-to-Ask-Soheil-Khodayari-RuhrSec.pdf

    And

    https://domclob.xyz/domc_payload_generator/

    Timestamps:

    (00:00:00) Introduction

    (00:02:00) URL validation bypass

    (00:07:41) SanicDNS and Orange confusion attacks

    (00:20:06) WordPress GiveWP POP to RCE

    (00:31:29) Xsstools

    (00:43:56) Bypassing browser tracking protection

    (00:52:06) DOM Clobbering and mixing up your approach

  • Episode 87: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with none other than his wife Mariah to talk about Bug Bounty from the perspective of a Significant Other. They share how they’ve traversed travel and Live Hacking Events, household chores, hobbies, goals, rewards, as well as how best to encourage and support the hacker/non-hacker in your life.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Shop our new swag store at ctbb.show/swag

    Today’s Guest: https://x.com/MariahG017

    Resources:

    Ruby Nealon's song

    https://x.com/_ruby/status/835306502546149376

    Don't Force Yourself to Become a Bug Bounty Hunter

    https://samcurry.net/dont-force-yourself-to-become-a-bug-bounty-hunter

    Timestamps

    (00:00:00) Introduction

    (00:03:12) Technical Questions for a Bug Bounty Wife

    (00:16:11) Mariah's First LHE experience

    (00:31:12) LHEs as a Couple

    (00:41:57) Encouragement and Risk

    (00:55:55) Hacker Family Dynamics, goals, and keeping promises

    (01:17:35) How to care for your Hacker/Hacker Wife

  • Episode 86: In this episode of Critical Thinking - Bug Bounty Podcast Frans blows Justin’s mind with a sneak peak of his new presentation. Note: This is a little different from our normal episode, and video is recommended. So head over to ctbb.show/yt if you feel like you’re missing something.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Shop our new swag store at ctbb.show/swag

    Watch this Episode on Youtube - ctbb.show/yt

    Today’s Guest: Frans Rosen - https://x.com/fransrosen

    View the slides of this presentation at https://speakerdeck.com/fransrosen/x-correlation-injections-or-how-to-break-server-side-contexts

    Timestamps

    (00:00:00) Introduction

    (00:04:09) x-correlation injection

    (00:21:10) Server-side JSON-Injection

    (00:32:10) Fuzz Blindly and Optimizing Blind RCE

  • Episode 85: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel talk through some of the research coming out of DEFCON, mainly from the PortSwigger team. Web timing attacks, cache exploitation, and exploits related to email protocols are all featured. Plus we also talk some fun Apache hacks from Orange Tsai

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    Check out our new SWAG store at https://ctbb.show/swag!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Sponsor - ThreatLocker

    Resources

    Listen to the whispers

    https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work

    Splitting the email atom

    https://portswigger.net/research/splitting-the-email-atom

    Gotta cache 'em all

    https://portswigger.net/research/gotta-cache-em-all

    HTTP Garden

    https://github.com/narfindustries/http-garden

    Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!

    https://blog.orange.tw/2024/08/confusion-attacks-en.html#%E2%9C%94%EF%B8%8F-2-2-2-Local-Gadget-to-XSS

    Trusted API Types

    https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API

    Untrusted Types

    https://github.com/filedescriptor/untrusted-types

    Timestamps:

    (00:00:00) Introduction

    (00:09:45) 'Listen to the whispers'

    (00:30:03) 'Splitting the email atom'

    (00:58:42) 'Gotta cache 'em all'

    (01:21:03) 'Confusion Attacks'

  • Episode 84: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by Roni Carta (@0xLupin) to discuss their MVH win at the recent Google LHE, and share some technical observations they had with the target and the event.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

    Follow your hosts Rhynorater & Teknogeek on twitter:

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Guest: https://x.com/0xLupin

    Today’s Sponsor - ThreatLocker

    Timestamps:

    (00:00:00) Introduction

    (00:02:12) MHV Debrief

    (00:09:05) Sandboxes and Comfort Zones

    (00:13:24) SDKs and Legal Compliance

    (00:19:29) Age of Target and Platform-Exclusive Hunters

  • Episode 83: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin are brainstorming new features and improvements for Caido, such as the implementation of a 403 bypassing workflow, a text expander, Tracing Cookies, and more.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Sponsor - ThreatLocker

    Resources:

    Post from Gareth Heyes

    https://x.com/garethheyes/status/1811084674988474417

    Wiki List of XML and HTML

    https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references#List_of_character_entity_references_in_HTML

    HackerOne Leaderboard Changes

    https://x.com/scarybeasts/status/1810813103354892666

    Espanso

    https://espanso.org/

    Critical Thinkers Discord

    ctbb.show/criticalthinkers

    Oauth Scan

    https://portswigger.net/bappstore/8ef2db1173e8432c8797831c2e730727

    Timestamps:

    (00:00:00) Introduction

    (00:03:12) News

    (00:13:20) Into the Brainstorm

    (00:13:41) 403 Bypasser

    (00:20:34) "Expaido"

    (00:31:34) Trace Cookies

    (00:42:01) Highlight Decoding Expansion and AI integrations

    (00:49:08) OAuth Testing, API Highlighter, and Note-taking

  • Episode 82: In this episode of Critical Thinking - Bug Bounty Podcast Joel Margolis discusses strategies and tips for part-time bug bounty hunting. He covers things like finding (and enforcing) balance, picking programs and goals, and streamlining your process to optimize productivity.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Sponsor - ThreatLocker

    Resources:

    Evernote RCE Post

    https://0reg.dev/blog/evernote-rce

    ServiceNow Bug Chain

    https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data

    Douglas Day's Talk on finding 'no's'

    https://youtu.be/G1RHa7l1Ys4?si=TY16ULsEIfJ9CMKk

    Timestamps:

    (00:01:37) Introduction

    (00:02:24) Evernote RCE Post

    (00:06:47) AssetNote ServiceNow Bug Chain

    (00:12:16) Part-Time Bug Bounty: Balance and Accountability

    (00:18:04) Picking programs: Impact and Payout

    (00:28:46) Streamline your process

  • Episode 81: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by MatanBer to go over some recent bug reports, as well as share some tips and tricks on client-side hacking and using DevTools effectively.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Sponsor - ThreatLocker

    Today’s Guest: https://x.com/MtnBer

    Resources:

    Beyond XSS

    https://aszx87410.github.io/beyond-xss/en/

    Web VSCode XSS

    https://gitlab.com/gitlab-org/gitlab/-/issues/461328

    Timestamps

    (00:00:00) Introduction

    (00:05:24) Learning and Labs

    (00:17:29) DevTools tips and tricks

    (00:49:49) General Client-Side hacking tips

    (01:09:59) Self-XSS Storytime

    (01:32:16) Bug Reports

    (01:46:37) Brainstorming a Client-side HUD

  • Episode 80: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Sina Kheirkhah to talk about the start of his hacking journey and explore the differences between the Pwn2Own and HackerOne Events

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Sponsor - ThreatLocker

    Today’s Guest: https://x.com/SinSinology

    Blog: https://sinsinology.medium.com/

    Resources:

    WhatsUp Gold Pre-Auth RCE

    Advanced .NET Exploitation Training

    dnSpyEx

    QEMU

    Unicorn Engine

    Qiling

    libAFL

    Alex Plaskett interview

    TippingPoint

    Flashback Team

    Timestamps:

    (00:00:00) Introduction

    (00:12:45) Learning, Mentorship, and Failure

    (00:29:34) Pentesting and Pwn2Own

    (00:40:05) Hacking methodology

    (01:01:57) Debuggers and shells in IoT Devices

    (01:35:40) Differences between ZDI and HackerOne

    (02:02:27) Pwn2Own Steps and Stories

    (02:14:06) Master of Pwn Title

    (02:29:54) Bug reports

  • Episode 79: In this episode of Critical Thinking - Bug Bounty Podcast we deepdive CSS injection, and explore topics like sequential import chaining, font ligatures, and attribute exfiltration.

    Follow us on twitter at: @ctbbpodcast

    Send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Resources:

    SpaceRaccoon's Universal Code Execution Extensions

    Escalating Client Side Path Traversal

    Full-time Bug Bounty Blueprint

    Sequential Import Chaining

    CSS Exfiltation

    Link that Justin was talking about

    Font Ligatures

    Lava Dome bypass

    Stealing Data in Great Style

    Steal Script Contents

    Masato Kinugawa's tweet

    Attacking with Just CSS

    CSS Injection Primitives

    Timestamps:

    (00:00:00) Introduction

    (00:02:32) Universal Code Execution

    (00:11:32) Escalating Client Side Path Traversal

    (00:16:56) Justin's Defcon talk & Bug Bounty Blueprint

    (00:23:32) CSS Injection

    (00:39:23) Font Ligatures

    (00:54:30) Descent Override and display:block

  • Episode 78: In this episode of Critical Thinking - Bug Bounty Podcast we’re talking about writing reports. We share some tips that we’ve learned, and discuss ways that AI can (and can’t) help with that process. We also talk about the benefit of using tools like Fabric, Loom, and ShareX.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Sponsor - ThreatLocker

    Resources:

    XSS WAF Bypass by multi-char HTML entities

    Shazzer

    Next.js and cache poisoning

    Nagli's Nuclei Template

    hey why can't you fix this one bug

    Justin's reporting templating software

    Fabric

    BB Report Formatter

    2to3 Automated Python Converter

    ShareX

    Skitch

    Timestamps:

    (00:00:00) Introduction

    (00:04:00) XSS WAF Bypass by Multi-char HTML Entities

    (00:11:59) Next.js and Cache Poisoning

    (00:18:03) Nagli's Nuclei Template and Sean Yeoh's Blog

    (00:27:34) Report Writing and AI

    (00:50:02) Reporting tips

  • Episode 77: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin discuss some fresh writeups including some MongoDB injections, ORMs, and exploits in Kakao and iOS before pivoting into a conversation about staying motivated and avoiding burnout while hunting.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Resources:

    MongoDB NoSQL Injection

    https://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/

    Mongo DB Is Web Scale

    https://www.youtube.com/watch?v=b2F-DItXtZs

    1-click Exploit in Kakao

    https://stulle123.github.io/posts/kakaotalk-account-takeover/

    Unsecure time-based secret and Sandwich Attack

    https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html

    Reset Tolkien

    https://github.com/AethliosIK/reset-tolkien

    iOS URL Scheme Hijacking Revamped

    https://evanconnelly.github.io/post/ios-oauth/

    PLORMBING YOUR DJANGO ORM

    https://www.elttam.com/blog/plormbing-your-django-orm/#content

    Timestamps:

    (00:00:00) Introduction

    (00:02:07) MongoDB NoSQL Injection

    (00:12:42) 1-click Exploit in Kakao

    (00:33:21) Time-based secrets and Reset Tolkien

    (00:39:26) iOS URL Scheme Hijacking Revamped

    (00:51:42) ORMs

    (00:58:57) Community Bug Submission

    (01:07:45) Motivation, Mental Sharpness, and Burnout avoidance