Episode 70: In this episode of Critical Thinking - Bug Bounty Podcast we’re once again joined by Ben Sadeghipour to talk about some Nahamcon news, as well as discuss a couple other LHE’s taking place. Then they cover CI/CD and drop some cool CSP Bypasses.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Guest: https://twitter.com/NahamSechttps://www.nahamcon.com/Resources:Depihttps://www.landh.tech/depiYoutube CSP:https://www.youtube.com/oembed?callback=alert()Maps CSP:https://maps.googleapis.com/maps/api/js?callback=alert()-printGoogle APIs CSPhttps://www.googleapis.com/customsearch/v1?callback=alert(1)Google CSPhttps://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//CSP Bypass for opener.child.child.child.click()https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/Timestamps:(00:00:00) Introduction(00:02:55) BSides Takeaways and hacking on Meta(00:12:12) NahamCon News(00:23:45) CI/CD and the launch of Depi(00:33:29) CSP Bypasses

Episode 69: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Johan Carlsson to hear about some updates on his bug hunting journey. We deep-dive a CSP bypass he found in GitHub, a critical he found in GitLab's pipeline, and also talk through his approach to using script gadgets and adapting to highly CSP'd environments. Then we talk about his transition to full-time bug hunting, including the goals he’s set, the successes and challenges, and his current focus on specific bug types like ReDoS and OAuth, and the serendipitous nature of bug hunting.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Nuclei 3.2 Release: https://nux.gg/podcastToday’s Guest:https://twitter.com/joaxcarhttps://joaxcar.com/blog/ResourcesGithub CSP Bypasshttps://gist.github.com/joaxcar/6e5a0a34127704f4ea9449f6ce3369fcCSP Validatorhttps://cspvalidator.org/Cross Window Forgeryhttps://www.paulosyibelo.com/2024/02/cross-window-forgery-web-attack-vector.htmlGitlab Crithttps://gist.github.com/joaxcar/9419b2df8778f26e9b02a741a8ec12f8Timestamps(00:00:00) Introduction(00:09:34) Github CSP Bypass(00:38:48) Script Gadgets and growth through Gitlab(00:53:53) Gitlab pipeline bug(01:12:32) Full-time Bug Bounty

Episode 68: In this episode of Critical Thinking - Bug Bounty Podcast Mathias is back with some fresh HTMX research, including CSP bypass using HTMX triggers, converting client-side response header injection to XSS, bypassing HTMX disable, and the challenges of using HTMX in larger applications and the potential performance trade-offs. We also talk about the results of his recent CTF Challenge, and explore some more facets of CDN-CGI functionality.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterProject Discovery Conference: https://nux.gg/hss24------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Guest:https://twitter.com/avlidienbrunnResources:Masato Kinugawa's research on Teamshttps://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=33subdomain-only 307 open redirecthttps://avlidienbrunn.se/cdn-cgi/image/onerror=redirect/http://anything.avlidienbrunn.seTimestamps(00:00:00) Introduction(00:05:18) CSP Bypass using HTML(00:14:00) Converting client-side response header injection to XSS(00:23:10) Bypassing hx-disable(00:32:37) XSS-ing impossible elements(00:38:22) CTF challenge Recap and knowing there's a bug(00:51:53) hx-on (depreciated)(00:54:30) CDN-CGI Research discussion

Episode 67: In this episode of Critical Thinking - Bug Bounty Podcast we deepdive on the topic of Vulnerability Disclosure Programs (VDPs) and whether they are beneficial or not. We also touch on the topic of leaderboard accuracy, and continue the Program VS Hacker debate regarding allocating funds for bounties.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterProject Discovery Conference: https://nux.gg/hss24------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Resources:Nagli's Braindump on VDPshttps://twitter.com/galnagli/status/1780174392003031515Timestamps:(00:00:00) Introduction(00:05:37) VDP programs(00:34:10) Leaderboards(00:43:52) Hacker vs. Program debate Part 2(01:07:24) Walling Off Endpoints

Episode 66: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the recent YesWeHack Louis Vuitton LHE, the importance of failure as growth in bug bounty, and Justin shares his research on CDN CGI.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterProject Discovery Conference: https://nux.gg/hss24------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Resources:YesWeHack Luis Vuitton LHEhttps://twitter.com/yeswehack/status/1776280653744554287https://event.yeswehack.com/events/hack-me-im-famous-2Caido Workflowshttps://github.com/caido/workflowsOauth Redirectshttps://twitter.com/Akshanshjaiswl/status/1724143813088940192Bagipro Golden URL techniqueshttps://hackerone.com/reports/431002Roadmap I followed to make 15,000+$ Bounties in my first 8 months https://shreyaschavhan.notion.site/Roadmap-I-followed-to-make-15-000-Bounties-in-my-first-8-months-of-starting-out-and-my-journey-98b1b9ff621645c0b97d1e774992f300Monke Hacks Bloghttps://monkehacks.beehiiv.com/PortSwigger posthttps://x.com/PortSwiggerRes/status/1766087129908576760post from Masato Kinugawahttps://x.com/kinugawamasato/status/916393484147290113Timestamps:(00:00:00) Introduction(00:04:19) Louis Vuitton LHE(00:13:57) Browser Market share(00:21:13) Justin's Bug of the Week(00:24:49) Caido Workflows(00:27:24) Oauth Redirects(00:32:24) Bug Bounty learning Methodology(00:41:03) 'Intent To Ship'(00:48:08) CDN-CGI Research

Episode 65: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with Sam Curry to discuss the ethical considerations and effectiveness of hacking, the importance of good intent, and the enjoyment Sam derives from pushing the boundaries to find bugs. He shares stories of his experiences, including hacking Tesla, online casinos,Starbucks, his own is ISP router, and even getting detained at the airport.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterProject Discovery Conference: https://nux.gg/hss24------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Guest:https://samcurry.net/Resources:Don’t Force Yourself to Become a Bug Bounty HunterhackcomputeStarbucks BugrecollapseTimestamps:(00:00:00) Introduction(00:02:25) Hacking Journey and the limits of Ethical Hacking(00:28:28) Selecting companies to hack(00:33:22) Fostering passion vs. Forcing performance(00:54:06) Collaboration and Hackcompute(01:00:40) The Efficacy of Bug Bounty(01:09:20) Secondary Context Bugs(01:25:01) Mindmaps, note-taking, and Intuition.(01:46:56) Back-end traversals and Unicode(01:56:16) Hacking ISP(02:06:58) Next.js and Crypto(02:22:24) Dev vs. Prod JWT

Episode 64: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Justin and Joel delve into .NET remoting and how it can be exploited, a recent bypass in the Dom Purify library and some interesting functionality in the Cloudflare CDN-CGI endpoint. They also touch on the importance of collaboration and knowledge sharing, JavaScript Deobfuscation, the value of impactful POCs, hiding XSS payloads with URL path updates.Follow us on twitter at: @ctbbpodcastsend us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Check out Project Discovery’s nuclei 3.2 release blog at nux.gg/podcastResources:.NET Remotinghttps://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/https://github.com/codewhitesec/HttpRemotingObjRefLeakDOM Purify BugCloudflare /cdn-cgi/https://developers.cloudflare.com/fundamentals/reference/cdn-cgi-endpoint/https://portswigger.net/research/when-security-features-collidehttps://twitter.com/kinugawamasato/status/893404078365069312https://twitter.com/m4ll0k/status/1770153059496108231XSSDoctor's writeup on Javascript deobfuscationrenniepak's tweetNaffy's tweetTimestamps:(00:00:00) Introduction(00:07:15) .Net Remoting(00:17:29) DOM Purify Bug(00:25:56) Cloudflare /cdn-cgi/(00:37:11) Javascript deobfuscation(00:47:26) renniepak's tweet(00:55:20) Naffy's tweet

Episode 63: In this episode of Critical Thinking - Bug Bounty Podcast we welcome back Jason Haddix (From Episode 12) to talk about some updates to his The Bug Hunter's Methodology, as well as his own personal life and hacking journey. We talk about the start of his new company, and then venture into topics such as using threat intelligence and buying credentials from the dark web, recon techniques, and ways to integrate AI into your workflow (or target list).Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Today’s Guest:https://twitter.com/Jhaddixhttps://www.arcanum-sec.com/Resources:Dehashedhttps://www.dehashed.com/Flarehttps://flare.io/CSP Reconhttps://github.com/edoardottt/cspreconTimestamps:(00:00:00) Introduction(00:05:37) Updates to The Bug Hunter's Methodology(00:14:46) Red Teaming(00:21:29) Bug Bounty on the Dark Web(00:36:19) FIS hunting(00:47:59) New Recon Techniques (00:58:32) AI integrations and bounties

Episode 62: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with some additional research resources that didn’t make the Portswigger Top-Ten, but that are worth looking at.Follow us on twitter at: @ctbbpodcastFeel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Resources:Cool HTML Shithttps://twitter.com/jcubic/status/1764311080661082201https://twitter.com/encodeart/status/1764218128374943764Bug bounty Hunting Journeyshttps://twitter.com/ajxchapman/status/1762101366057525521https://monkehacks.beehiiv.com/p/monkehacks-02Yelp Cookie Bridge ReportDeobfuscating/Unminifying Obfuscated CodeChatGPT Source WatchWeb Security Research RedditNahamsec ResourcesPortswigger Nominations listAbusing perspectives: https://hackerone.com/reports/2401115PortSwigger CSS Exfiltrationhttps://github.com/PortSwigger/css-exfiltrationTimestamps:(00:00:00) Introduction(00:02:06) Cool HTML Shit(00:15:31) Bug Bounty Journeys(00:28:01) Yelp Cookie Bridge Bug(00:37:56) Additional Research Resources(00:46:34) CSS and abusing perspectives

Episode 61: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Jasmin Landry to share some stories about startup security, bug bounty, and the challenges of balancing both. He also shares his methodology for discovering OAuth-related bugs, highlights some differences between structured learning and self-teaching, and then walks us through a couple arbitrary ATO’s and SSTI to RCE bugs he’s found lately.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Guest: Jasmin Landryhttps://twitter.com/JR0ch17Resources:Dirty Dancing blog posthttps://labs.detectify.com/writeups/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/OAuth 2.0 Threat Model and Security Considerationshttps://datatracker.ietf.org/doc/html/rfc6819OAuth 2.0 Security Best Current Practicehttps://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topicsTimestamps:(00:00:00) Introduction(00:02:20) Meta Tag + DomPurify Bug(00:09:36) Jasmin's Origin story(00:28:23) Full time Bug bounty challenges(00:36:57) Career jumps in Security and current Role(00:47:32) OAuth Bug methodology and cool bug stories(01:02:35) Social Engineering and Bug Bounty(01:13:41) Arbitrary ATO bug(01:19:41) SSTI to RCE bug

Episode 60: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel review the Portswigger Research list of top 10 web hacking techniques of 2023.Follow us on twitter at: @ctbbpodcastSend us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------Hop on the CTBB DiscordWe also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources:Top 10 web hacking techniques of 20231: Smashing the state machine8: From Akamai to F5 to NTLM3: SMTP Smuggling4: PHP filter chains(Bonus Read)5: HTTP Parsers Inconsistencies6: HTTP Request Splitting7: How I Hacked Microsoft Teams9: Cookie Crumbles(Bonus Read)10: Hacking root EPP servers to take control of zonesTimestamps:(00:00:00) Introduction(00:04:26) 1: Smashing the state machine(00:11:56) 8: From Akamai to F5 to NTLM... with love(00:17:11) 3: SMTP Smuggling(00:26:27) 4: PHP filter chains(00:36:40) 5: HTTP Parsers Inconsistencies(00:44:56) 6: HTTP Request Splitting(00:53:43) 7: How I Hacked Microsoft Teams(01:02:25) 9: Cookie Crumbles(01:11:36) 10: EPP Server Takeover

Episode 59: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the concept of gadgets and how they can be used to escalate the impact of vulnerabilities. We talk through things like HTML injection, image injection, CRLF injection, web cache deception, leaking window location, self-stored XSS, and much more.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources:Even BetterNahamSec's 5 Week ProgramNahamCon NewsCSS Injection ResearchTimestamps:(00:00:00) Introduction(00:03:31) Caido's New Features(00:15:20) Nahamcon News and 5 week Bootcamp and pentest opportunity(00:19:54) HTML Injection, CSS Injection, and Clickjacking(00:33:11) Image Injection(00:37:19) Open Redirects, Client-side path traversal, and Client-side Open Redirect(00:49:51) Leaking window.location.href(00:57:15) Cookie refresh gadget(01:01:40) Stored XXS(01:09:01) CRLF Injection(01:13:24) 'A Place To Stand' in  GraphQL and ID Oracle(01:18:23) Auth gadgets, Web Cache Deception, & LocalStorage poisoning(01:27:46) Cookie Injection & Context Breaks

Episode 58: In this episode of Critical Thinking - Bug Bounty Podcast we finally sit down with Youssef Samouda and grill him on his various techniques for finding and exploiting client-side bugs and postMessage vulnerabilities. He shares some crazy stories about race conditions, exploiting hash change events, and leveraging scroll to text fragments. Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://twitter.com/samm0uda?lang=enhttps://ysamm.com/Resources:Client-side race conditions with postMessage: https://ysamm.com/?p=742 Transferable Objectshttps://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Transferable_objectsEvery known way to get references to windows, in javascript:https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2dYoussef’s interview with BBREhttps://www.youtube.com/watch?v=MXH1HqTFNm0Timestamps:(00:00:00) Introduction(00:04:27) Client-side race conditions with postMessage(00:18:12) On Hash Change Events and Scroll To Text Fragments(00:32:00) Finding, documenting, and reporting complex bugs(00:37:32) PostMessage Methodology(00:45:05) Youssef's Vuln Story(00:53:42) Where and how to look for ATO vulns(01:05:21) MessagePort(01:14:37) Window frame relationships(01:20:24) Recon and JS monitoring(01:37:03) Client-side routing(01:48:05) MITMProxy

Episode 57: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are live from Miami, and recap their experience and share takeaways from the live hacking event. They highlight the importance of paying attention to client-side routing and the growing bug class of client-side path traversal. They also discuss the challenges of knowing when to cut your losses and the value of tracking time and setting goals. Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Timestamps:(00:00:00) Introduction(00:03:50) Miami LHE Recap and Takeaways(00:05:57) Keeping time and cutting losses.(00:19:07) Roles and Goals(00:23:33) OAuth(00:28:52) HTML5 image to img Tip

Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston)Episode 56: In this episode of Critical Thinking - Bug Bounty Podcast, Justin sits down with Jon Colston to discuss how his background in digital marketing and data science has influenced his hunting methodology. We dive into subjects like data sources, automation, working backwards from vulnerabilities, applying conversion funnels to bug bounty, and the mayonaise signature 'Mother of All Bugs' Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------WordFence - Sign up as a researcher! https://ctbb.show/wfSign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest:https://hackerone.com/mayonaise?type=userTimestamps:(00:00:00) Introduction(00:12:07) Evolving Hacking Methodologies & B2B Hacking(00:23:57) Data Science + Bug Bounty(00:34:37) 'Lead Generation for Vulns'(00:41:39) Ingredients and Recipes(00:49:45) Keyword Categorization(00:54:30) Manual Processes and Recap(01:07:08) Data Sources(01:19:59) Digital Marketing + Bug Bounty(01:32:22) M.O.A.B.s(01:41:02) Burnout Protection and Dupe Analysis

Episode 55: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by Wordpress Security Researcher Ram Gall to discuss both functionality and vulnerabilities within Wordpress Plugins.Follow us on twitterSend us any feedback here:Shoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------WordFence - Sign up as a researcher! https://ctbb.show/wf---Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.Hop on the CTBB DiscordWe also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Guest:Ramuel GallUpdraftPlus VulnXML-RPC PingBackUnicode and Character SetsReflected XSSPOP ChainWordpressPluginDirectorySubscriber+ RCE in ElementorSubscriber+ SSRFUnauthed XSS via User-Agent headerTimestamps:(00:00:00) Introduction(00:05:55) Add_action & Nonces(00:26:16) Add_filter & Register_rest_routes(00:38:39) Page-related code & Shortcodes(00:50:24) Top Sinks for WP(01:02:19) Echo & SQLI Sinks(01:15:07) Nonce Leak and wp_handle_upload(01:18:16) Page variables & Pop Chains(01:26:55) WP Escalations & Bug Reports

Episode 54: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with news items and new projects. Joel shares about his personal scraping project to gather data on bug bounty programs and distribution Next, they announce the launch of HackerNotes, a podcast companion that will summarize the main technical points of each episode. They also discuss a recent GitLab CVE and an invisible prompt injection, before diving into a discussion (or debate) about vulnerable code patterns.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Gitlab CVEhttps://github.com/Vozec/CVE-2023-7028https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/Fix commit: https://gitlab.com/gitlab-org/gitlab/-/commit/abe79e4ec437988cf16534a9dbba81b98a2e7f18Invisible Prompt Injectionhttps://x.com/goodside/status/1745511940351287394?s=20Regex 101https://regex101.comRegex to Stringshttps://www.wimpyprogrammer.com/regex-to-strings/Timestamps(00:00:00) Introduction(00:01:54) Joel’s H1 Data Scraping Research(00:19:23) HackerNotes launch(00:21:29) Gitlab CVE(00:27:45) Invisible Prompt Injection(00:33:52) Vulnerable Code Patterns(00:37:51) Sanitization, but then modification of data afterward(00:45:39) Auth check inside body of if statement(00:48:15) sCheck for bad patterns with if, but then don't do any control flow(00:50:21) Bad Regex(01:00:36) Replace statements for sanitization(01:04:32) Anything that allows you to call functions or control code flow in uncommon ways

Episode 53: In this episode of Critical Thinking - Bug Bounty Podcast,we’re joined by none other than NahamSec. We start by discusses the challenges he faced on his journey in bug bounty hunting and content creation, including personal struggles and the pressure of success.We also talk about finding balance and managing mental energy, going the extra mile, and the importance of planning and setting goals for yourself before he walks us through some Blind XSS techniques.Follow us on twitter at: @ctbbpodcastFeel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Timestamps:(00:00:00) Introduction(00:01:37) Costs of Content Creation(00:21:12) Hacking 'identities' and Pivoting(00:36:49) Hacking Methodology(00:58:59) Planning, Goals, and Nahamsec's 2023 Performance(01:10:19) Blind XSS(01:35:19) Going the extra mile in Bug Bounty

Episode 52: In this episode of Critical Thinking - Bug Bounty Podcast we're going back and highlighting some of the best technical moments from the past year! Hope you enjoy this best of 2023 Supercut!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Timestamps:(00:00:00) Introduction(00:02:55) Episode 26: Meta tags and base tags in HTML(00:15:20) Episode 27: Client-side path traversal(00:23:18) Episode 27: Cookie bombing + cookie jar overflow(00:35:47) Episode 44: Cross environment authentication bugs(00:43:17) Episode 47: The open-faced Iframe Sandwich(00:50:19) Episode 47: js hoisting and classic Joel nerdsnipe(00:58:28) Episode 29: Sean Yeoh on Subdomains vs IP in recon(01:04:05) Episode 30: Shubs on reversing enterprise software(01:24:58) Episode 30: Shubs on building out a recon flow(01:29:36) Episode 30: Shubs on Hacking IIS Servers(01:36:45) Episode 37: 0xLupin on smart JavaScript analysis tools(01:45:42) Episode 45: Frans Rosen On App cache, Service workers cookie stuffing, and postMessage(02:15:02) Episode 50: Mathias Karlsson on XSLT and MXSS(02:39:26) Episode 27: Assetnote's sharefile RCE(02:48:18) Episode 31: Perforce RCE(02:53:48) Episode 48: Sam Erb's XSLT bug story(02:58:47) Final thoughts and Special Thanks

Episode 51: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are back for the last episode of 2023. We discuss some noteworthy news items including a Hacker One Crit, Caido updates, and some Blind CSS. Then we dive into our own personal ‘Hackers Wrapped’ recap of the year, before laying out some goals for 2024.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.ResourcesFlowPowertoysAlfredPyperclipTextgrabCTF Payload ChallengeHacker One Crit ReportBlind CSS InjectionTimestamps(00:00:00) Introduction(00:08:43) Keyboard Shortcut Utility Systems(00:21:28) CTF Challenge By Frans(00:32:40) Hacker One 25K Crit Disclosure(00:36:31) Caido Searchbar Rework.(00:40:51) Blind CSS Exfiltration(00:44:10) 2023 Personal Bug Bounty Stats(01:01:15) 2024 Personal Bug Bounty Goals