Critical Thinking - Bug Bounty Podcast

Episode 98: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner sits down with Sharon,to discuss his journey from early iOS development to leading a research team at Claroty. They address the differences between HackerOne and Pwn2Own, and talk through some intricacies of IoT security, and some less common IoT attack surfaces.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Sponsor - ThreatLocker: Check out Network Control!https://www.criticalthinkingpodcast.io/tl-ncAnd AssetNote: Check out their ASMR board (no not that kind!)https://assetnote.io/asmrToday’s Guest: https://sharonbrizinov.com/ResourcesThe Claroty Research Teamhttps://claroty.com/team82Pwntoolshttps://github.com/Gallopsled/pwntoolsScan My SMShttp://scanmysms.comGotta Catch 'Em All: Phishing, Smishing, and the birth of ScanMySMShttps://www.youtube.com/watch?v=EhNsXXbDp3UTimestamps(00:00:00) Introduction(00:03:31) Sharon's Origin Story(00:21:58) Transition to Bug Bounty and Pwn2Own vs HackerOne(00:47:05) IoT/ICS Hacking Methodology(01:10:13) Cloud to Device Communication(01:18:15) Bug replication and uncommon attack surfaces(01:30:58) Documentation tracker, reCaptcha bypass, and ScanMySMS

Episode 97: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel jump into some cool news items, including a recent Okta Bcrypt vulnerability, insights into crypto bugs, and some intricacies of Android and Chrome security. They also explore the latest research from Portswigger on payload concealment techniques, and the introduction of the Lightyear tool for PHP exploits.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Sponsor - ThreatLocker: Check out Network Control!https://www.criticalthinkingpodcast.io/tl-ncAnd AssetNote: Check out their ASMR board (no not that kind!)https://assetnote.io/asmrResourcesOkta bcryptAndroid Web Attack Surface WriteupsConcealing payloads in URL credentialsDumping PHP files with LightyearLimit maximum number of filter chainsDom-Explorer tool launchedMultiHTMLParseJSON CrackCaido/Burp notes pluginTimestamps(00:00:00) Introduction(00:02:43) Okta Release and bcrypt(00:10:26) Android Web Attack Surface Writeups(00:20:21) More Portswigger Research(00:28:29) Lightyear and PHP filter chains(00:35:09) Dom-Explorer(00:45:24) The JSON Debate(00:49:59) Notes plugin for Burp and Caido

Episode 96: In this episode of Critical Thinking - Bug Bounty Podcast we’re back with Matanber to hit some stuff we ran out of time on last episode. We talk about advanced cookie parsing techniques and exploitation methods, Safari's unique behaviors regarding cookie handling and debugging methods, and some of the writeups from the HeroCTF v6.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Guest: https://x.com/MtnBerResources:Cookie Bugs - Smuggling & Injectionhttps://blog.ankursundara.com/cookie-bugs/#:~:text=Cookie%20SmugglingiOS Webkit Debug Proxyhttps://github.com/google/ios-webkit-debug-proxyHeroCTF v6 Writeupshttps://mizu.re/post/heroctf-v6-writeupsTimestamps(00:00:00) Introduction(00:01:29) Cookie exploits(00:21:32) Matan's Safari Adventure(00:29:49) HeroCTF 6 writeups

Episode 95: In this episode of Critical Thinking - Bug Bounty Podcast In this episode, Justin is joined by MatanBer to delve into the intricacies of browser extensions. We talk about the structure and threat models, and cover things like service workers, extension pages, and isolated worlds.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Sponsor - AssetNote. Listen to their podcast https://www.criticalthinkingpodcast.io/sspodToday’s Guest: https://x.com/MtnBerResourcesUniversal Code Execution by Chaining Messages in Browser Extensionshttps://spaceraccoon.dev/universal-code-execution-browser-extensions/DOMLogger++https://github.com/kevin-mizu/domloggerppBBRE Metamask bughttps://youtu.be/HnI0w156rtw?si=QixP8SX6JuRFz6PABench Press: Leaking Text Nodes with CSShttps://blog.pspaul.de/posts/bench-press-leaking-text-nodes-with-css/Timestamps:(00:00:00) Introduction(00:03:08) Structure & Threat Model for Browser Extension(00:28:28) Extension Attack scenarios(01:01:26) Attacking Extension Pages(01:26:35) Attacking Service Workers(01:46:23) Getting source code and dynamic debugging

Episode 94: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel give their perspectives on the recent Zendesk fiasco and the ethical considerations surrounding it. They also highlight the launch of AuthzAI and some research from Ophion SecurityFollow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Sponsor - AssetNote. Listen to their podcast https://www.criticalthinkingpodcast.io/sspodResources:New music drop from our Boi YThttps://x.com/realytcracker/status/1847599657569956099AuthzAIhttps://authzai.com/ Ron Chanhttps://x.com/ngalongcMisconfigured User Auth Leads to Customer Messageshttps://www.ophionsecurity.com/post/live-chat-blog-1-misconfigured-user-auth-leads-to-customer-messagesZendesk Write-uphttps://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b9d2cf2e52Response from Zendeskhttps://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b9d2cf2e52?permalink_comment_id=5232589#gistcomment-5232589Timestamps(00:00:00) Introduction(00:05:29) AuthzAI and the return of Ron Chan(00:13:50) Ophion Security Research(00:18:12) Zendesk Drama

Episode 93: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Dr. Jonathan Bouman to discuss his unique journey as both a Hacker and a Healthcare Professional. We talk through how he balances his dual careers, some ethical considerations of hacking in the context of healthcare, and highlight some experiences he’s had with Amazon's bug bounty program.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Find the Hackernotes: https://blog.criticalthinkingpodcast.io/Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Sponsor - ThreatLocker. Checkout their ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detectToday’s Guest - https://x.com/jonathanbouman?lang=enResourcesAnyone can Access Deleted and Private Repository Data on GitHubFilesender GithubRemote Code execution at ws1.aholdusa .comAPK-MITMHacking Dutch healthcare systemFitness Youtube Channelshttps://www.youtube.com/channel/UCpQ34afVgk8cRQBjSJ1xuJQhttps://www.youtube.com/@BullyJuiceTimestamps(00:00:00) Introduction(00:07:28) Medicine and Hacking(00:19:36) Hacking on Amazon(00:34:33) Collaboration and consistency (00:44:13) SSTI Methodology(01:06:10) iOS Hacking Methodology(01:13:23) Hacking Healthcare(01:32:19) Health tips for hacking

Episode 92: In this episode of Critical Thinking - Bug Bounty Podcast In this episode Justin and Joel tackle a host of new research and write-ups, including Ruby SAML, 0-Click exploits in MediaTek Wi-Fi, and Vulnerabilities caused by The Great FirewallFollow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Find the Hackernotes: https://blog.criticalthinkingpodcast.io/Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Sponsor - ThreatLocker. Checkout their ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detectResources:Insecurity through CensorshipRuby-SAML / GitLab Authentication Bypass0-Click exploit discovered in MediaTek Wi-Fi chipsetsNew Caido Plugin to Generate WordlistsBebik’s 403 BypassorCSPBypassArb Read & Arb write on LLaMa.cpp by SideQuestXSS WAF Bypass One payload for allTimestamps(00:00:00) Introduction(00:02:08) Vulnerabilities Caused by The Great Firewall(00:07:25) Ruby SAML Bypass(00:19:55) 0-Click exploit discovered in MediaTek Wi-Fi chipsets(00:24:36) New Caido Wordlist Plugin(00:31:00) CSPBypass.com(00:35:37) Arb Read & Arb write on LLaMa.cpp by SideQuest(00:43:10) Helpful WAF Bypass

Episode 91: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner sits down with Critical Thinking’s own HackerNotes writer Brandyn Murtagh (gr3pme) to talk about his journey with Bug Bounty. We cover mentorship, networking and LHEs, ecosystem hacking, emotional regulation, and the need for self-care. Then we wrap up with some fun bugs.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Find the Hackernotes: https://blog.criticalthinkingpodcast.io/Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Shop our new swag store at ctbb.show/swagToday’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinderToday’s guest: https://x.com/gr3pmeResources:Lessons Learned for LHEshttps://x.com/Rhynorater/status/1579499221954473984Timestamps:(00:00:00) Introduction(00:07:02) Mentorship in Bug Bounty(00:16:30) LHE lessons, takeaways, and the benefit of feedback and networking(00:41:28) Choosing Targets(00:49:03) Vuln Classes(00:58:54) Bug Reports

Episode 90: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin recap some of their recent hacking ups and downs and have a lively chat about Cursor. Then they cover some some research about SQL Injections, Clickjacking in Google Docs, and how to steal your Telegram account in 10 seconds.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Find the Hackernotes: https://blog.criticalthinkingpodcast.io/Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Shop our new swag store at ctbb.show/swagToday’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinderResources:Breaking Down Barriers: Exploiting Pre-Auth SQL Injection in WhatsUp GoldContent-Type that can be used for XSSClickjacking Bug in Google DocsJustin's Gadget Linkhttps://www.youtube.com/signin?next=https%3A%2F%2Faccounts.youtube.com%2Faccounts%2FSetSID%3Fcontinue%3Dhttps%3A%2F%2Fwww.google.com%252Famp%252fpoc.rhynorater.comStealing your Telegram account in 10 seconds flatTimestamps(00:00:00) Introduction(00:08:28) Recent Hacks and Dupes(00:14:00) Cursor(00:25:02) Exploiting Pre-Auth SQL Injection in WhatsUp Gold(00:34:17) Content-Type that can be used for XSS(00:40:25) Caido updates(00:43:14) Clickjacking in Google Docs, and Stealing Telegram account

Episode 89: In this episode of Critical Thinking - Bug Bounty Podcast We’re joined live by Matt Brown to talk about his journey with hacking in the IoT. We cover the specializations and challenges in hardware hacking, and Matt’s personal Methodology. Then we switch over to touch on BGA Reballing, Certificate Pinning and Validation, and some of his own bug stories.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Find the Hackernotes: https://blog.criticalthinkingpodcast.io/Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinderToday’s Guess Matt Brown: https://x.com/nmatt0Resources:Decrypting SSL to Chinese Cloud Servershttps://www.youtube.com/watch?v=3qSxxNvuEtgmitmrouterhttps://github.com/nmatt0/mitmroutercertmitm Automatic Exploitation of TLS Certificate Validation Vulnshttps://www.youtube.com/watch?v=w_l2q_Gyqfoandhttps://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Aapo%20Oksman%20-%20certmitm%20automatic%20exploitation%20of%20TLS%20certificate%20validation%20vulnerabilities.pdfhttps://github.com/aapooksman/certmitmHackerOne Detailed Platform Standardshttps://docs.hackerone.com/en/articles/8369826-detailed-platform-standardsTimestamps:(00:00:00) Introduction(00:13:33) Specialization and Challenges of IOT Hacking(00:33:03) Decrypting SSL to Chinese Cloud Servers(00:47:00) General IoT Hacking Methodology(01:26:00) Certificate Pinning and Certificate Validation(01:34:35) BGA Reballing(01:43:26) Bug Stories

Episode 88: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel tackle a whole slate of new research including a new cheat sheet for URL validation bypass from Portswigger, the introduction of Sanic DNS as a high-speed DNS resolver, xsstools, and the Dockerization of Orange Confusion Attacks. Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Shop our new swag store at ctbb.show/swagResourcesURL Validation Bypass cheat sheetSanicDNSOrange Confusion AttacksWordPress GiveWP POP to RCEXsstoolsBypassing browser tracking protectionAdvanced iframe MagicDOM Clobberinghttps://www.ruhrsec.de/downloads/slides/Everything-You-Wanted-to-Know-About-DOM-Clobbering-But-Were-Afraid-to-Ask-Soheil-Khodayari-RuhrSec.pdfAndhttps://domclob.xyz/domc_payload_generator/Timestamps:(00:00:00) Introduction(00:02:00) URL validation bypass(00:07:41) SanicDNS and Orange confusion attacks(00:20:06) WordPress GiveWP POP to RCE(00:31:29) Xsstools(00:43:56) Bypassing browser tracking protection(00:52:06) DOM Clobbering and mixing up your approach

Episode 87: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with none other than his wife Mariah to talk about Bug Bounty from the perspective of a Significant Other. They share how they’ve traversed travel and Live Hacking Events, household chores, hobbies, goals, rewards, as well as how best to encourage and support the hacker/non-hacker in your life.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Find the Hackernotes: https://blog.criticalthinkingpodcast.io/Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Shop our new swag store at ctbb.show/swagToday’s Guest: https://x.com/MariahG017Resources:Ruby Nealon's songhttps://x.com/_ruby/status/835306502546149376Don't Force Yourself to Become a Bug Bounty Hunterhttps://samcurry.net/dont-force-yourself-to-become-a-bug-bounty-hunterTimestamps(00:00:00) Introduction(00:03:12) Technical Questions for a Bug Bounty Wife(00:16:11) Mariah's First LHE experience(00:31:12) LHEs as a Couple(00:41:57) Encouragement and Risk(00:55:55) Hacker Family Dynamics, goals, and keeping promises(01:17:35) How to care for your Hacker/Hacker Wife

Episode 86: In this episode of Critical Thinking - Bug Bounty Podcast Frans blows Justin’s mind with a sneak peak of his new presentation. Note: This is a little different from our normal episode, and video is recommended. So head over to ctbb.show/yt if you feel like you’re missing something.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Find the Hackernotes: https://blog.criticalthinkingpodcast.io/Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Shop our new swag store at ctbb.show/swagWatch this Episode on Youtube - ctbb.show/ytToday’s Guest: Frans Rosen - https://x.com/fransrosenView the slides of this presentation at https://speakerdeck.com/fransrosen/x-correlation-injections-or-how-to-break-server-side-contextsTimestamps(00:00:00) Introduction(00:04:09) x-correlation injection(00:21:10) Server-side JSON-Injection(00:32:10) Fuzz Blindly and Optimizing Blind RCE

Episode 85: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel talk through some of the research coming out of DEFCON, mainly from the PortSwigger team. Web timing attacks, cache exploitation, and exploits related to email protocols are all featured. Plus we also talk some fun Apache hacks from Orange TsaiFollow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Find the Hackernotes: https://blog.criticalthinkingpodcast.io/Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!Check out our new SWAG store at https://ctbb.show/swag!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Sponsor - ThreatLockerResourcesListen to the whispershttps://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-workSplitting the email atomhttps://portswigger.net/research/splitting-the-email-atomGotta cache 'em allhttps://portswigger.net/research/gotta-cache-em-allHTTP Gardenhttps://github.com/narfindustries/http-gardenConfusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! https://blog.orange.tw/2024/08/confusion-attacks-en.html#%E2%9C%94%EF%B8%8F-2-2-2-Local-Gadget-to-XSSTrusted API Typeshttps://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_APIUntrusted Typeshttps://github.com/filedescriptor/untrusted-types Timestamps:(00:00:00) Introduction(00:09:45) 'Listen to the whispers'(00:30:03) 'Splitting the email atom'(00:58:42) 'Gotta cache 'em all'(01:21:03) 'Confusion Attacks'

Episode 84: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by Roni Carta (@0xLupin) to discuss their MVH win at the recent Google LHE, and share some technical observations they had with the target and the event.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Find the Hackernotes: https://blog.criticalthinkingpodcast.io/Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Guest: https://x.com/0xLupinToday’s Sponsor - ThreatLockerTimestamps:(00:00:00) Introduction(00:02:12) MHV Debrief(00:09:05) Sandboxes and Comfort Zones(00:13:24) SDKs and Legal Compliance(00:19:29) Age of Target and Platform-Exclusive Hunters

Episode 83: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin are brainstorming new features and improvements for Caido, such as the implementation of a 403 bypassing workflow, a text expander, Tracing Cookies, and more.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Sponsor - ThreatLockerResources:Post from Gareth Heyeshttps://x.com/garethheyes/status/1811084674988474417Wiki List of XML and HTMLhttps://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references#List_of_character_entity_references_in_HTMLHackerOne Leaderboard Changeshttps://x.com/scarybeasts/status/1810813103354892666Espansohttps://espanso.org/Critical Thinkers Discordctbb.show/criticalthinkersOauth Scanhttps://portswigger.net/bappstore/8ef2db1173e8432c8797831c2e730727Timestamps:(00:00:00) Introduction(00:03:12) News(00:13:20) Into the Brainstorm(00:13:41) 403 Bypasser(00:20:34) "Expaido"(00:31:34) Trace Cookies(00:42:01) Highlight Decoding Expansion and AI integrations(00:49:08) OAuth Testing, API Highlighter, and Note-taking

Episode 82: In this episode of Critical Thinking - Bug Bounty Podcast Joel Margolis discusses strategies and tips for part-time bug bounty hunting. He covers things like finding (and enforcing) balance, picking programs and goals, and streamlining your process to optimize productivity.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Sponsor - ThreatLockerResources:Evernote RCE Posthttps://0reg.dev/blog/evernote-rceServiceNow Bug Chainhttps://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-dataDouglas Day's Talk on finding 'no's'https://youtu.be/G1RHa7l1Ys4?si=TY16ULsEIfJ9CMKkTimestamps:(00:01:37) Introduction(00:02:24) Evernote RCE Post(00:06:47) AssetNote ServiceNow Bug Chain(00:12:16) Part-Time Bug Bounty: Balance and Accountability(00:18:04) Picking programs: Impact and Payout(00:28:46) Streamline your process

Episode 81: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by MatanBer to go over some recent bug reports, as well as share some tips and tricks on client-side hacking and using DevTools effectively.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Sponsor - ThreatLockerToday’s Guest: https://x.com/MtnBerResources:Beyond XSShttps://aszx87410.github.io/beyond-xss/en/Web VSCode XSShttps://gitlab.com/gitlab-org/gitlab/-/issues/461328Timestamps(00:00:00) Introduction(00:05:24) Learning and Labs(00:17:29) DevTools tips and tricks(00:49:49) General Client-Side hacking tips(01:09:59) Self-XSS Storytime(01:32:16) Bug Reports(01:46:37) Brainstorming a Client-side HUD

Episode 80: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Sina Kheirkhah to talk about the start of his hacking journey and explore the differences between the Pwn2Own and HackerOne EventsFollow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Sponsor - ThreatLockerToday’s Guest: https://x.com/SinSinologyBlog: https://sinsinology.medium.com/Resources:WhatsUp Gold Pre-Auth RCEAdvanced .NET Exploitation TrainingdnSpyExQEMUUnicorn EngineQilinglibAFLAlex Plaskett interviewTippingPointFlashback TeamTimestamps:(00:00:00) Introduction(00:12:45) Learning, Mentorship, and Failure(00:29:34) Pentesting and Pwn2Own(00:40:05) Hacking methodology(01:01:57) Debuggers and shells in IoT Devices(01:35:40) Differences between ZDI and HackerOne(02:02:27) Pwn2Own Steps and Stories(02:14:06) Master of Pwn Title(02:29:54) Bug reports

Episode 79: In this episode of Critical Thinking - Bug Bounty Podcast we deepdive CSS injection, and explore topics like sequential import chaining, font ligatures, and attribute exfiltration.Follow us on twitter at: @ctbbpodcastSend us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Resources:SpaceRaccoon's Universal Code Execution ExtensionsEscalating Client Side Path TraversalFull-time Bug Bounty BlueprintSequential Import ChainingCSS ExfiltationLink that Justin was talking aboutFont LigaturesLava Dome bypassStealing Data in Great StyleSteal Script ContentsMasato Kinugawa's tweetAttacking with Just CSSCSS Injection PrimitivesTimestamps:(00:00:00) Introduction(00:02:32) Universal Code Execution(00:11:32) Escalating Client Side Path Traversal(00:16:56) Justin's Defcon talk & Bug Bounty Blueprint(00:23:32) CSS Injection(00:39:23) Font Ligatures(00:54:30) Descent Override and display:block