Critical Thinking - Bug Bounty Podcast

Justin Gardner (Rhynorater) & Joel Margolis (teknogeek)

A "by Hackers for Hackers" podcast focused on technical content ranging from bug bounty tips, to write-up explanations, to the latest hacking techniques.

read less
TechnologyTechnology

Episodes

Episode 75: *Rerun* of The OG Bug Bounty King - Frans Rosen
Today
Episode 75: *Rerun* of The OG Bug Bounty King - Frans Rosen
Episode 75: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are sick, So instead of a new full episode, we're going back 30 episodes to review.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!Today's Guest: https://twitter.com/fransrosen DetectifyDiscovering s3 subdomain takeovershttps://labs.detectify.com/writeups/hostile-subdomain-takeover-using-heroku-github-desk-more/bucket-disclose.shhttps://gist.github.com/fransr/a155e5bd7ab11c93923ec8ce788e3368A deep dive into AWS S3 access controlsAttacking Modern Web TechnologiesLive Hacking like a MVHAccount hijacking using Dirty Dancing in sign-in OAuth flowsTimestamps:(00:00:00) Introduction(00:11:41) Franz Rosen's Bug Bounty Journey and Detectify (00:20:21) Pseudo-code, typing, and thinking like a dev(00:27:11) Hunter Methodologies and automationists(00:42:31) Time on targets, Iteration vs. Ideation(00:58:01) S3 subdomain takeovers(01:11:53) Blog posting and hosting motivations(01:20:21) Detectify and entrepreneurial endeavors(01:36:41) Attacking Modern Web Technologies(01:52:51) postMessage and MessagePort(02:05:00) Live Hacking and Collaboration(02:20:41) Account Hijacking and OAuth Flows(02:35:39) Hacking + Parenthood
Episode 74: Supply Chain Attack Primer - Popping RCE Without an HTTP Request (feat 0xLupin)
1w ago
Episode 74: Supply Chain Attack Primer - Popping RCE Without an HTTP Request (feat 0xLupin)
Episode 74: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Roni "Lupin" Carta for a deep dive into supply chain attacks and dependency confusion. We explore the supply chain attacks, the ethical considerations surrounding maintainers and hosting packages on public registries, and chat about the vision and uses of his new tool Depi.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Guest: https://x.com/0xLupinResources:Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companieshttps://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610git-dumphttps://github.com/tomnomnom/dotfiles/blob/master/scripts/git-dumpDepihttps://www.landh.tech/depiWeak links of Supply Chainhttps://arxiv.org/pdf/2112.10165Timestamps:(00:00:00) Introduction(00:07:13) Overveiw of Supply Chain Flow(00:15:14) Getting our Scope(00:23:46) Depi(00:29:12) Types of attacks and finding the 80/20(00:45:06) Maintainer attacks(01:10:40) Regestries, artifactories, and an npm bug(01:31:51) Grafana NPX Confusion
Episode 73: Sandboxed IFrames and WAF Bypasses
May 30 2024
Episode 73: Sandboxed IFrames and WAF Bypasses
Episode 73: In this episode of Critical Thinking - Bug Bounty Podcast we give a brief recap of Nahamcon and then touch on some topics like WAF bypass tools, sandboxed iframes, and programs redacting your reports. Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Resources:?. Tweethttps://x.com/garethheyes/status/1786836956032176215 NoWafPlshttps://github.com/assetnote/nowafplsRedacted Reportshttps://x.com/deadvolvo/status/1790397012468199651Breaking CORShttps://x.com/MtnBer/status/1794657827115696181Sandbox-iframe XSS challenge solutionhttps://joaxcar.com/blog/2024/05/16/sandbox-iframe-xss-challenge-solution/iframe and window.open magichttps://blog.huli.tw/2022/04/07/en/iframe-and-window-open/#detecting-when-a-new-window-has-finished-loadingdomloggerpphttps://github.com/kevin-mizu/domloggerppTimestamps(00:00:00) Introduction(00:03:29) ?. Operator in JS and NoWafPls(00:07:22) Redacting our own reports(00:11:13) Breaking CORS(00:17:07) Sandbox-iframes(00:24:11) Dom hook plugins
Episode 72: Research TLDRs & Smuggling Payloads in Well Known Data Types
May 23 2024
Episode 72: Research TLDRs & Smuggling Payloads in Well Known Data Types
Episode 72: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss some hot research from the past couple months. This includes ways to smuggle payloads in phone numbers and IPv6 Addresses, the NextJS SSRF, the PDF.JS PoC drop, and a GitHub Enterprise Indirect Method Information bug. Also, we have an attack vector featured from Monke!Follow us on twitter at: @ctbbpodcastShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Resources:PDF.JS Bypass to XSShttps://github.com/advisories/GHSA-wgrm-67xf-hhpqhttps://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/PDFiumNextJS SSRF by AssetNoteBetter Bounty Transparency for hackersSlonser IPV6 ResearchSmuggling payloads in phone numbers Automatic Plugin SQLiDomPurify Bypass Bug Bounty JP PodcastGithub Enterprise send() bughttps://x.com/creastery/status/1787327890943873055https://x.com/Rhynorater/status/1788598984572813549 Timestamps:(00:00:09) Introduction(00:03:20) PDF.JS XSS and NextJS SSRF(00:12:52) Better Bounty Transparency(00:20:01) IPV6 Research and Phone Number Payloads (00:28:20) Community Highlight and Automatic Plugin CVE-2024-27956(00:33:26) DomPurify Bypass and Github Enterprise send() bug(00:46:12) Caido cookie and header extension updates
Episode 71: More VDP Chats & AI Bias Bounty Strats with Keith Hoodlet
May 16 2024
Episode 71: More VDP Chats & AI Bias Bounty Strats with Keith Hoodlet
Episode 71: In this episode of Critical Thinking - Bug Bounty Podcast Keith Hoodlet joins us to weigh in on the VDP Debate. He shares some of his insights on when VDPs are appropriate in a company's security posture, and the challenges of securing large organizations. Then we switch gears and talk about AI bias bounties, where Keith explains the approach he takes to identify bias in chatbots and highlights the importance of understanding human biases and heuristics to better hack AI.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Today’s guest: Keith Hoodlethttps://securing.dev/Resources:Daniel Miessler's article about the security poverty linehttps://danielmiessler.com/p/the-cybersecurity-skills-gap-is-another-instance-of-late-stage-capitalism/Hacking AI Biashttps://securing.dev/posts/hacking-ai-bias/Hacking AI Bias Videohttps://youtu.be/AeFZA7xGIbE?si=TLQ7B3YtzPWXS4hqSarah's Hoodlet's new bookhttps://sarahjhoodlet.comLink to Amazon Pagehttps://a.co/d/c0LTM8UTimestamps:(00:00:00) Introduction(00:04:09) Keith's Appsec Journey(00:16:24) The Great VDP Debate Redux(00:47:18) Platform/Hunter Incentives and Government Regulation(01:06:24) AI Bias Bounties(01:26:27) AI Techniques and Bugcrowd Contest
Episode 70: NahamCon and CSP Bypasses Everywhere
May 9 2024
Episode 70: NahamCon and CSP Bypasses Everywhere
Episode 70: In this episode of Critical Thinking - Bug Bounty Podcast we’re once again joined by Ben Sadeghipour to talk about some Nahamcon news, as well as discuss a couple other LHE’s taking place. Then they cover CI/CD and drop some cool CSP Bypasses.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Guest: https://twitter.com/NahamSechttps://www.nahamcon.com/Resources:Depihttps://www.landh.tech/depiYoutube CSP:https://www.youtube.com/oembed?callback=alert()Maps CSP:https://maps.googleapis.com/maps/api/js?callback=alert()-printGoogle APIs CSPhttps://www.googleapis.com/customsearch/v1?callback=alert(1)Google CSPhttps://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//CSP Bypass for opener.child.child.child.click()https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/Timestamps:(00:00:00) Introduction(00:02:55) BSides Takeaways and hacking on Meta(00:12:12) NahamCon News(00:23:45) CI/CD and the launch of Depi(00:33:29) CSP Bypasses
Episode 69: Johan Carlsson - 3 Month Check-in on Full-time Bug Bounty.
May 2 2024
Episode 69: Johan Carlsson - 3 Month Check-in on Full-time Bug Bounty.
Episode 69: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Johan Carlsson to hear about some updates on his bug hunting journey. We deep-dive a CSP bypass he found in GitHub, a critical he found in GitLab's pipeline, and also talk through his approach to using script gadgets and adapting to highly CSP'd environments. Then we talk about his transition to full-time bug hunting, including the goals he’s set, the successes and challenges, and his current focus on specific bug types like ReDoS and OAuth, and the serendipitous nature of bug hunting.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Nuclei 3.2 Release: https://nux.gg/podcastToday’s Guest:https://twitter.com/joaxcarhttps://joaxcar.com/blog/ResourcesGithub CSP Bypasshttps://gist.github.com/joaxcar/6e5a0a34127704f4ea9449f6ce3369fcCSP Validatorhttps://cspvalidator.org/Cross Window Forgeryhttps://www.paulosyibelo.com/2024/02/cross-window-forgery-web-attack-vector.htmlGitlab Crithttps://gist.github.com/joaxcar/9419b2df8778f26e9b02a741a8ec12f8Timestamps(00:00:00) Introduction(00:09:34) Github CSP Bypass(00:38:48) Script Gadgets and growth through Gitlab(00:53:53) Gitlab pipeline bug(01:12:32) Full-time Bug Bounty
Episode 68: 0-days & HTMX-SS with Mathias
Apr 25 2024
Episode 68: 0-days & HTMX-SS with Mathias
Episode 68: In this episode of Critical Thinking - Bug Bounty Podcast Mathias is back with some fresh HTMX research, including CSP bypass using HTMX triggers, converting client-side response header injection to XSS, bypassing HTMX disable, and the challenges of using HTMX in larger applications and the potential performance trade-offs. We also talk about the results of his recent CTF Challenge, and explore some more facets of CDN-CGI functionality.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterProject Discovery Conference: https://nux.gg/hss24------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Guest:https://twitter.com/avlidienbrunnResources:Masato Kinugawa's research on Teamshttps://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=33subdomain-only 307 open redirecthttps://avlidienbrunn.se/cdn-cgi/image/onerror=redirect/http://anything.avlidienbrunn.seTimestamps(00:00:00) Introduction(00:05:18) CSP Bypass using HTML(00:14:00) Converting client-side response header injection to XSS(00:23:10) Bypassing hx-disable(00:32:37) XSS-ing impossible elements(00:38:22) CTF challenge Recap and knowing there's a bug(00:51:53) hx-on (depreciated)(00:54:30) CDN-CGI Research discussion
Episode 66: CDN-CGI Research, Intent To Ship, and Louis Vuitton
Apr 11 2024
Episode 66: CDN-CGI Research, Intent To Ship, and Louis Vuitton
Episode 66: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the recent YesWeHack Louis Vuitton LHE, the importance of failure as growth in bug bounty, and Justin shares his research on CDN CGI.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterProject Discovery Conference: https://nux.gg/hss24------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Resources:YesWeHack Luis Vuitton LHEhttps://twitter.com/yeswehack/status/1776280653744554287https://event.yeswehack.com/events/hack-me-im-famous-2Caido Workflowshttps://github.com/caido/workflowsOauth Redirectshttps://twitter.com/Akshanshjaiswl/status/1724143813088940192Bagipro Golden URL techniqueshttps://hackerone.com/reports/431002Roadmap I followed to make 15,000+$ Bounties in my first 8 months https://shreyaschavhan.notion.site/Roadmap-I-followed-to-make-15-000-Bounties-in-my-first-8-months-of-starting-out-and-my-journey-98b1b9ff621645c0b97d1e774992f300Monke Hacks Bloghttps://monkehacks.beehiiv.com/PortSwigger posthttps://x.com/PortSwiggerRes/status/1766087129908576760post from Masato Kinugawahttps://x.com/kinugawamasato/status/916393484147290113Timestamps:(00:00:00) Introduction(00:04:19) Louis Vuitton LHE(00:13:57) Browser Market share(00:21:13) Justin's Bug of the Week(00:24:49) Caido Workflows(00:27:24) Oauth Redirects(00:32:24) Bug Bounty learning Methodology(00:41:03) 'Intent To Ship'(00:48:08) CDN-CGI Research
Episode 65: Motivation and Methodology with Sam Curry (Zlz)
Apr 4 2024
Episode 65: Motivation and Methodology with Sam Curry (Zlz)
Episode 65: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with Sam Curry to discuss the ethical considerations and effectiveness of hacking, the importance of good intent, and the enjoyment Sam derives from pushing the boundaries to find bugs. He shares stories of his experiences, including hacking Tesla, online casinos,Starbucks, his own is ISP router, and even getting detained at the airport.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterProject Discovery Conference: https://nux.gg/hss24------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Guest:https://samcurry.net/Resources:Don’t Force Yourself to Become a Bug Bounty HunterhackcomputeStarbucks BugrecollapseTimestamps:(00:00:00) Introduction(00:02:25) Hacking Journey and the limits of Ethical Hacking(00:28:28) Selecting companies to hack(00:33:22) Fostering passion vs. Forcing performance(00:54:06) Collaboration and Hackcompute(01:00:40) The Efficacy of Bug Bounty(01:09:20) Secondary Context Bugs(01:25:01) Mindmaps, note-taking, and Intuition.(01:46:56) Back-end traversals and Unicode(01:56:16) Hacking ISP(02:06:58) Next.js and Crypto(02:22:24) Dev vs. Prod JWT
Episode 64: .NET Remoting, CDN Attack Surface, and Recon vs Main App
Mar 28 2024
Episode 64: .NET Remoting, CDN Attack Surface, and Recon vs Main App
Episode 64: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Justin and Joel delve into .NET remoting and how it can be exploited, a recent bypass in the Dom Purify library and some interesting functionality in the Cloudflare CDN-CGI endpoint. They also touch on the importance of collaboration and knowledge sharing, JavaScript Deobfuscation, the value of impactful POCs, hiding XSS payloads with URL path updates.Follow us on twitter at: @ctbbpodcastsend us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Check out Project Discovery’s nuclei 3.2 release blog at nux.gg/podcastResources:.NET Remotinghttps://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/https://github.com/codewhitesec/HttpRemotingObjRefLeakDOM Purify BugCloudflare /cdn-cgi/https://developers.cloudflare.com/fundamentals/reference/cdn-cgi-endpoint/https://portswigger.net/research/when-security-features-collidehttps://twitter.com/kinugawamasato/status/893404078365069312https://twitter.com/m4ll0k/status/1770153059496108231XSSDoctor's writeup on Javascript deobfuscationrenniepak's tweetNaffy's tweetTimestamps:(00:00:00) Introduction(00:07:15) .Net Remoting(00:17:29) DOM Purify Bug(00:25:56) Cloudflare /cdn-cgi/(00:37:11) Javascript deobfuscation(00:47:26) renniepak's tweet(00:55:20) Naffy's tweet
Episode 63: JHaddix Returns
Mar 21 2024
Episode 63: JHaddix Returns
Episode 63: In this episode of Critical Thinking - Bug Bounty Podcast we welcome back Jason Haddix (From Episode 12) to talk about some updates to his The Bug Hunter's Methodology, as well as his own personal life and hacking journey. We talk about the start of his new company, and then venture into topics such as using threat intelligence and buying credentials from the dark web, recon techniques, and ways to integrate AI into your workflow (or target list).Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Today’s Guest:https://twitter.com/Jhaddixhttps://www.arcanum-sec.com/Resources:Dehashedhttps://www.dehashed.com/Flarehttps://flare.io/CSP Reconhttps://github.com/edoardottt/cspreconTimestamps:(00:00:00) Introduction(00:05:37) Updates to The Bug Hunter's Methodology(00:14:46) Red Teaming(00:21:29) Bug Bounty on the Dark Web(00:36:19) FIS hunting(00:47:59) New Recon Techniques (00:58:32) AI integrations and bounties
Episode 62: Frontend Language Oddities
Mar 14 2024
Episode 62: Frontend Language Oddities
Episode 62: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with some additional research resources that didn’t make the Portswigger Top-Ten, but that are worth looking at.Follow us on twitter at: @ctbbpodcastFeel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Resources:Cool HTML Shithttps://twitter.com/jcubic/status/1764311080661082201https://twitter.com/encodeart/status/1764218128374943764Bug bounty Hunting Journeyshttps://twitter.com/ajxchapman/status/1762101366057525521https://monkehacks.beehiiv.com/p/monkehacks-02Yelp Cookie Bridge ReportDeobfuscating/Unminifying Obfuscated CodeChatGPT Source WatchWeb Security Research RedditNahamsec ResourcesPortswigger Nominations listAbusing perspectives: https://hackerone.com/reports/2401115PortSwigger CSS Exfiltrationhttps://github.com/PortSwigger/css-exfiltrationTimestamps:(00:00:00) Introduction(00:02:06) Cool HTML Shit(00:15:31) Bug Bounty Journeys(00:28:01) Yelp Cookie Bridge Bug(00:37:56) Additional Research Resources(00:46:34) CSS and abusing perspectives
Episode 61: A Hacker on Wall Street - JR0ch17
Mar 7 2024
Episode 61: A Hacker on Wall Street - JR0ch17
Episode 61: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Jasmin Landry to share some stories about startup security, bug bounty, and the challenges of balancing both. He also shares his methodology for discovering OAuth-related bugs, highlights some differences between structured learning and self-teaching, and then walks us through a couple arbitrary ATO’s and SSTI to RCE bugs he’s found lately.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Guest: Jasmin Landryhttps://twitter.com/JR0ch17Resources:Dirty Dancing blog posthttps://labs.detectify.com/writeups/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/OAuth 2.0 Threat Model and Security Considerationshttps://datatracker.ietf.org/doc/html/rfc6819OAuth 2.0 Security Best Current Practicehttps://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topicsTimestamps:(00:00:00) Introduction(00:02:20) Meta Tag + DomPurify Bug(00:09:36) Jasmin's Origin story(00:28:23) Full time Bug bounty challenges(00:36:57) Career jumps in Security and current Role(00:47:32) OAuth Bug methodology and cool bug stories(01:02:35) Social Engineering and Bug Bounty(01:13:41) Arbitrary ATO bug(01:19:41) SSTI to RCE bug
Episode 59: Bug Bounty Gadget Hunting & Hacker's Intuition
Feb 22 2024
Episode 59: Bug Bounty Gadget Hunting & Hacker's Intuition
Episode 59: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the concept of gadgets and how they can be used to escalate the impact of vulnerabilities. We talk through things like HTML injection, image injection, CRLF injection, web cache deception, leaking window location, self-stored XSS, and much more.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources:Even BetterNahamSec's 5 Week ProgramNahamCon NewsCSS Injection ResearchTimestamps:(00:00:00) Introduction(00:03:31) Caido's New Features(00:15:20) Nahamcon News and 5 week Bootcamp and pentest opportunity(00:19:54) HTML Injection, CSS Injection, and Clickjacking(00:33:11) Image Injection(00:37:19) Open Redirects, Client-side path traversal, and Client-side Open Redirect(00:49:51) Leaking window.location.href(00:57:15) Cookie refresh gadget(01:01:40) Stored XXS(01:09:01) CRLF Injection(01:13:24) 'A Place To Stand' in  GraphQL and ID Oracle(01:18:23) Auth gadgets, Web Cache Deception, & LocalStorage poisoning(01:27:46) Cookie Injection & Context Breaks
Episode 58: Youssef Sammouda - Client-Side & ATO War Stories
Feb 15 2024
Episode 58: Youssef Sammouda - Client-Side & ATO War Stories
Episode 58: In this episode of Critical Thinking - Bug Bounty Podcast we finally sit down with Youssef Samouda and grill him on his various techniques for finding and exploiting client-side bugs and postMessage vulnerabilities. He shares some crazy stories about race conditions, exploiting hash change events, and leveraging scroll to text fragments. Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://twitter.com/samm0uda?lang=enhttps://ysamm.com/Resources:Client-side race conditions with postMessage: https://ysamm.com/?p=742 Transferable Objectshttps://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Transferable_objectsEvery known way to get references to windows, in javascript:https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2dYoussef’s interview with BBREhttps://www.youtube.com/watch?v=MXH1HqTFNm0Timestamps:(00:00:00) Introduction(00:04:27) Client-side race conditions with postMessage(00:18:12) On Hash Change Events and Scroll To Text Fragments(00:32:00) Finding, documenting, and reporting complex bugs(00:37:32) PostMessage Methodology(00:45:05) Youssef's Vuln Story(00:53:42) Where and how to look for ATO vulns(01:05:21) MessagePort(01:14:37) Window frame relationships(01:20:24) Recon and JS monitoring(01:37:03) Client-side routing(01:48:05) MITMProxy
Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston)
Feb 1 2024
Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston)
Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston)Episode 56: In this episode of Critical Thinking - Bug Bounty Podcast, Justin sits down with Jon Colston to discuss how his background in digital marketing and data science has influenced his hunting methodology. We dive into subjects like data sources, automation, working backwards from vulnerabilities, applying conversion funnels to bug bounty, and the mayonaise signature 'Mother of All Bugs' Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------WordFence - Sign up as a researcher! https://ctbb.show/wfSign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest:https://hackerone.com/mayonaise?type=userTimestamps:(00:00:00) Introduction(00:12:07) Evolving Hacking Methodologies & B2B Hacking(00:23:57) Data Science + Bug Bounty(00:34:37) 'Lead Generation for Vulns'(00:41:39) Ingredients and Recipes(00:49:45) Keyword Categorization(00:54:30) Manual Processes and Recap(01:07:08) Data Sources(01:19:59) Digital Marketing + Bug Bounty(01:32:22) M.O.A.B.s(01:41:02) Burnout Protection and Dupe Analysis