Critical Thinking - Bug Bounty Podcast

Episode 143: In this episode of Critical Thinking - Bug Bounty Podcast Justin brings Brandyn back to announce him as our newest co-host. We chat about recent LHE experiences, and then break down some news. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== This Week in Bug Bounty ====== YesWeHack won the European commission: https://www.yeswehack.com/news/european-commission-tender-won-yeswehack YesWeHack now have authorised cve numbering authority: https://www.yeswehack.com/news/yeswehack-authorised-cve-numbering-authority A wide range of highly used open source bug bounty program such as Log4J, Systemd, GNOME and a lot more: https://event.yeswehack.com/events/open-the-code-source-the-bounty ====== Resources ====== Attributes reference inside HTML Explaining XSS without parentheses and semi-colons Beyond Sandbox Domains: Rendering Untrusted Web Content with SafeContentFrame One Token to rule them all flareprox Caido 101: How to master it ====== Timestamps ====== (00:00:00) Introduction (00:03:16) LHE approaches and accomplishments (00:30:54) Attributes reference inside HTML & Explaining XSS without parentheses and semi-colons (00:44:33) One Token to rule them all (00:57:13) Flareprox & Caido 101

Episode 142: In this episode of Critical Thinking - Bug Bounty Podcast Rez0 and Gr3pme join forces to discuss Websocket research, Meta’s $111750 Bug, PROMISQROUTE, and the opportunities afforded by going full time in Bug Bounty. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today's Sponsor: ThreatLocker. Check out ThreatLocker DAC Today’s Guest: https://x.com/gr3pme ====== This Week in Bug Bounty ====== New Monthly Dojo challenge and Dojo UI design The ultimate Bug Bounty guide to exploiting race condition vulnerabilities in web applications Watch Our boy Brandyn on the TV ====== Resources ====== murtasec WebSocket Turbo Intruder: Unearthing the WebSocket Goldmine Chaining Path Traversal Vulnerability to RCE — Meta’s 111,750$ Bug Finding vulnerabilities in modern web apps using Claude Code and OpenAI Codex Mind the Gap PROMISQROUTE ====== Timestamps ====== (00:00:00) Introduction (00:05:16) Full Time Bug Bounty and Business Startups (00:15:50) Websockets (00:22:17) Meta’s $111750 Bug (00:28:38) Finding vulns using Claude Code and OpenAI Codex (00:39:32) Time-of-Check to Time-of-Use Vulns in LLM-Enabled Agents (00:45:22) PROMISQROUTE

Episode 141: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Nick Copi to talk about CSPT, React, CSS Injections and how Nick hacked the pod. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today's Sponsor: ThreatLocker. Check out ThreatLocker DAC https://www.criticalthinkingpodcast.io/tl-dac Today’s Guest: https://x.com/7urb01 ====== Resources ====== regexploit https://github.com/doyensec/regexploit Fontleak https://adragos.ro/fontleak/ debug(function) https://developer.chrome.com/docs/devtools/console/utilities#debug-function domloggerpp https://github.com/kevin-mizu/domloggerpp ====== Timestamps ====== (00:00:00) Introduction (00:02:40) Google Docs Bug and 7urb0 Introduction (00:13:26) Bring-a-bug story (00:20:21) 7urb0's DEFCON talk teaser & Intrusive Thoughts Worth Sharing (00:30:01) CSPTs and React Apps (00:51:31) CSS Injections (01:04:55) 7urb0's backstory and game hacking (01:18:33) Worst Crit

Episode 140: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph give an update from The Crit Research Lab, as well as some writeups on postMessage vulnerabilities, Cookie Chaos, and more. Follow us on X at: https://x.com/ctbbpodcast Got any ideas and suggestions? Send us feedback at info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord! Get some hacker swag here! ====== This Week in Bug Bounty ====== Cross-site request forgery HackerOne New Milestone Program Email santerra.holler@bugcrowd.com for media opportunities ====== Resources ====== Exploiting Web Worker XSS with Blobs Critical Research Lab Rez0's Tweet CVE-2022-21703: cross-origin request forgery against Grafana Conversation about Forcing Quirks Mode AI Busniess Logic & POC or GTFO Hunting postMessage Vulnerabilities – Part 1 Hunting postMessage Vulnerabilities – Part 2 Executive Offense Cookie Chaos: How to bypass Host and Secure cookie prefixes ====== Timestamps ====== (00:00:00) Introduction (00:05:48) Crit Research Update (00:13:00) Encouragement & Collaboration (00:19:37) Cross-origin request forgery & Anthropic's web fetch (00:29:17) Quirks Mode, AI Business Logic & POC or GTFO (00:44:21) Hunting postMessage & Claude Code browserbase (00:51:25) Community story, Executive Offense, & Cookie Chaos

Episode 139: In this episode of Critical Thinking - Bug Bounty Podcast Justin finally sits down with the great James Kettle to talk about HTTP Proxys, metagaming research, avoiding burnout, and why HTTP/1.1 must die! Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Guest: https://x.com/albinowax https://jameskettle.com ====== This Week in Bug Bounty ====== Building an Android Bug Bounty lab Mobile Hacking Toolkit ====== Resources ====== CVE-2022-22720 So you want to be a web security researcher? Hunting Evasive Vulnerabilities: Finding Flaws That Others Miss by James Kettle HTTP/1.1 Must Die! The Desync Endgame Practical HTTP Host header attacks ====== Timestamps ====== (00:00:00) Introduction (00:05:01) Apache MITM-powered pause-based client-side desync (00:15:33) HTTP Proxys and Burp Suite HTTP/2 in Repeater (00:24:52) AI intagrations, life structure, and avoiding burnout (00:35:23) Client-side to server-side progression (00:47:39) The 'metagame' of security research (01:29:43) Host Header Attacks & HTTP/1.1 Must Die! (02:02:34) Is HTTP/2 the solution?

Episode 138: In this episode of Critical Thinking - Bug Bounty Podcast We’re talking Caido tools and workflows. Justin gives us a list of some of the Caido tools that have caught his interest, as well as how he’s using them. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== This Week in Bug Bounty ====== Meet YesWeHack at ROOTCON 2025 https://www.yeswehack.com/page/meet-yeswehack-at-rootcon-2025 New Dojo challenge featuring a Local File Inclusion in a Ruby application https://dojo-yeswehack.com/challenge-of-the-month/dojo-44?utm_source=sponsor&utm_medium=challenge&utm_campaign=dojo-44 AI Red Teaming CTF https://ctf.hackthebox.com/event/details/ai-red-teaming-ctf-ai-gon3-rogu3-2604 ====== Resources ====== Web Security Labs http://caido.rhynorater.com ====== Timestamps ====== (00:00:00) Introduction (00:02:32) Common filters & command palette in EvenBetter (00:06:49) Notes++ (00:09:28) Shift Agents and Drop (00:15:34) Workflows

Episode 137: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner and Joseph Thacker reunite to talk about AI Hacking Assistants, CSPT and cache deception, and a bunch of tools like ch.at, Slice, Ebka, and more. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor - ThreatLocker. Checkout ThreatLocker DAC! https://www.criticalthinkingpodcast.io/tl-dac ====== This Week in Bug Bounty ====== Vulnerability vectors: SQL injection for Bug Bounty hunters Mozilla VPN Clients: RCE via file write and path traversal ====== Resources ====== Cache Deception + CSPT: dig @ch.at Searchlight Cyber Tools Slice Ebka-Caido-AI postMessage targetOrigin bypass ====== Timestamps ====== (00:00:00) Introduction (00:01:26) Claude, Gemini, and Hacking Assistants (00:11:08) AI Safety (00:18:09) CSPT (00:23:26) ch.at, Slice, Ebka, & Searchlight Cyber Tools (00:45:19) postMessage targetOrigin bypass

Episode 136: In this episode of Critical Thinking - Bug Bounty Podcast, Joseph Thacker sits down with Jack Cable to get the scoop on a significant bug in Cluely’s desktop application, as well as the resulting drama. They also talk about Jack’s background in government cybersecurity initiatives, and the legal risks faced by security researchers. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor - ThreatLocker. Checkout ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect Today’s Guest: https://x.com/jackhcable?lang=en ====== This Week in Bug Bounty ====== Nullcon Berlin https://www.yeswehack.com/page/yeswehack-live-hacking-nullcon-berlin-2025?utm_source=sponsor&utm_medium=blog&utm_campaign=lhe-nullcon-berlin BB Bulletin #15 https://www.linkedin.com/pulse/bug-bounty-bulletin-15-yes-we-hack-dntue/ 2x Bounty on Grab https://hackerone.com/grab?type=team ====== Resources ====== Corridor https://corridor.dev/ disclose.io https://disclose.io/ ====== Timestamps ====== (00:00:00) Introduction (00:03:33) Cluely Bug, Government involvement, & Disclosed.io (00:12:33) AI in security & Corridor.dev (00:29:23) Cluely Bug Fallout & Ethics of hacking outside of Programs (00:41:20) Shift Agents

Episode 135: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Ryan Barnett for a deep dive on WAFs. We also recap his Exploiting Unicode Normalization talk from DEFCON, and get his perspective on bug hunting from his time at Akamai. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor - ThreatLocker. Checkout ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect Today’s Guest: https://x.com/ryancbarnett ====== Resources ====== Accidental Stored XSS Flaw in Zemanta 'Related Posts' Plugin for TypePad https://webappdefender.blogspot.com/2013/04/accidental-stored-xss-flaw-in-zemanta.html XSS Street-Fight https://media.blackhat.com/bh-dc-11/Barnett/BlackHat_DC_2011_Barnett_XSS%20Streetfight-Slides.pdf Blackhat USA 2025 - Lost in Translation: Exploiting Unicode Normalization https://www.blackhat.com/us-25/briefings/schedule/#lost-in-translation-exploiting-unicode-normalization-44923 ====== Timestamps ====== (00:00:00) Introduction (00:02:49) Accidental Stored XSS in Typepad Plugin (00:06:34) Chatscatter & Abusing third party Analytics (00:11:42) Ryan Barnett Introduction (00:21:11) Virtual Patching & WAF Challenges (00:40:39) AWS API Gateways & Whitelisting Bug Hunter Traffic (00:49:59) Lost in Translation: Exploiting Unicode Normalization (01:11:29) CSPs at the WAF level & 'Bounties for Bypass'

Episode 134: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Diego Djurado to give us the scoop on XBOW. We cover a little about its architecture and approach to hunting, the challenges with hallucinations, and the future of AI in the BB landscape. Diego also shares some of his own hacking journey and successes in the Ambassador World cup. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor - ThreatLocker User Store Today’s Guest: https://x.com/djurado9 ====== This Week in Bug Bounty ====== Announcement of our upcoming live hacking event at Nullcon Berlin, taking place on September 4-5 Bug Bounty Village Speakers 2025 Talkie Pwnii Caido showcase Caido Masterclass – From Setup to Exploits Access Control vs Account Takeover: What Bug Bounty Hunters Need to Know ====== Resources ====== CVE-2025-49493: XML External Entity (XXE) Injection in Akamai CloudTest ====== Timestamps ====== (00:00:00) Introduction (00:05:56) Diego's ATO Bug (00:12:01) H1 Ambassador World Cup and work with XBOW (00:20:57) XBOW's CloudTest XXE Bug (00:49:59) Freedom, Hallucinations, & Validation (01:07:24) XBOW's Architecture (01:23:50) Humans in the Loop, Harnesses, and Xbow's Reception (01:44:21) Ambassador World Cup plans for the future

Episode 133: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Harley and Ari from H1 to talk some about community management roles within Bug Bounty, as well as discuss the evolution of Bug Bounty Village at DEFCON, and what they’ve got in store this year. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Guests: x.com/infiniteloginshttps://x.com/Arl_roseToday’s Sponsor is Adobe. Use code CTBBP0907 in your first report on Adobe Behance, Portfolio, Fonts or Acrobat Web, and earn a one-time 10% bonus reward! ====== This Week in Bug Bounty ====== BBV Platform Panel about Triage YesWeHACK Makes Debut at Black Hat USA 2025 New Dojo challenge featuring a time-based token prediction combined PyYAML deserialization GMSGadget ====== Resources ====== Bug Bounty Village Sign up for the Disclosed Newsletter Disclosed Online Harley's Youtube Channel ====== Timestamps ====== (00:00:00) Introduction (00:05:51) Bug Stories and Hacking Journeys (00:32:37) Community Management within Bug Bounty (00:39:43) Bug Bounty Village - Origin & 2025 Plans (01:02:39) Disclosed Online and Harley's Upcoming Ebook

Episode 132: In this episode of Critical Thinking - Bug Bounty Podcast, Justin Gardner is joined by Mathias Karlsson to discuss vulnerabilities associated with archives. They talk about his new tool, Archive Alchemist, and explore topics like the significance of Unicode paths, symlinks, and TAR before they end up talking about Charsets again.. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord! You can also find some hacker swag at https://ctbb.show/merch! Today's Sponsor: ThreatLocker - Patch Management Today’s Guest: Mathias Karlsson ====== This Week in Bug Bounty ====== Swiss Post's 2025 Public Intrusion Test starts on July 28 Intigriti teams with NVIDIA Bugcrowd Ingenuity Awards Hack the Hacker Series - AI Vulnerabilities and Bug Bounties A Novel Technique for SQL Injection in PDO’s Prepared Statements How We Accidentally Discovered a Remote Code Execution Vulnerability in ETQ Reliance ====== Resources ====== Archive Alchemist Hacking Livestream #53: The ZIP file format ====== Timestamps ====== (00:00:00) Introduction (00:10:04) Archive Alchemist (00:36:05) Unicode Extensions, normalization, and confusion attacks on Zip parsers (00:48:44) Character Sets (01:01:49) 7zip & File Names (01:06:44) Path Traversal, Symlinks & Identifying Techniques (01:36:05) Hardlinks and TAR

Episode 131: In this episode of Critical Thinking - Bug Bounty Podcast we're covering Christmas in July with several banger articles from Searchlight Cyber, as well as covering things like Raycast for Windows, Third-Person prompting, and touch on the recent McDonalds Leak Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor is Adobe. Use code CTBBP0907 in your first report on Adobe Behance, Portfolio, Fonts or Acrobat Web, and earn a one-time 10% bonus reward! ====== Resources ====== v1 Instance Metadata Service protections bypass Would you like an IDOR with that? Leaking 64 million McDonald’s job applications How we got persistent XSS on every AEM cloud site, thrice Google docs now supports export as markdown Abusing Windows, .NET quirks, and Unicode Normalization to exploit DNN (DotNetNuke) How I Scanned all of GitHub’s “Oops Commits” for Leaked Secrets Bug bounty, feedback, strategy and alchemy ====== Timestamps ====== (00:00:00) Introduction (00:05:39) Metadata Service protections bypass & Mcdonalds Leak (00:12:30) Christmas in July with Searchlight Cyber Pt 1 (00:19:43) Export as Markdown, Raycast for Windows, & Third-Person prompting (00:23:56) Christmas in July with Searchlight Cyber Pt 2 (00:27:39) GitHub’s “Oops Commits” for Leaked Secrets (00:36:53) Bug bounty, feedback, strategy and alchemy

Episode 130: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Valentino, who shares his journey from hacking Minecraft to becoming a Google hunter. He talks us through several bugs, including an HTML Sanitizer bypass and .NET deserialization, and highlights the hyper creative approaches he tends to employ. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today's Sponsor: ThreatLocker - Patch Management https://www.criticalthinkingpodcast.io/TL-patch-management Today’s Guest: Valentino - https://blog.3133700.xyz/ ====== Resources ====== JMX Manager Stored XSS in reclamos Command Injection in Vertex AI whitepaper-net-deser.pdf free-after-use.go A Journey Into Finding Vulnerabilities in the PMB Library Management System emulated-register_globals.php ====== Timestamps ====== (00:00:00) Introduction (00:02:38) JMXProxy Bug Story (00:09:46) Intro to Valentino (00:29:08) HTML Sanitizer bypass on MercadoLibre (00:37:16) Command injection in Vertex AI (00:44:10) .NET deserialization, & Argument injection to LFR, & Free after use (00:51:33) Luck, creativity, and evolution as Hacker (00:59:31) Issues in file extension validation components, Emulated register_globals, & AI Hacking

Episode 129: In this episode of Critical Thinking - Bug Bounty Podcast we chat about the future of hack bots and human-AI collaboration, the challenges posed by tokenization, and the need for cybersecurity professionals to adapt to the evolving landscape of hacking in the age of AI Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== This Week in Bug Bounty ====== Improper error handling in async cryptographic operations crashes process https://hackerone.com/reports/2817648 Recon Series #6: Excavating hidden artifacts with Wayback Machine https://www.yeswehack.com/learn-bug-bounty/recon-wayback-machine-web-archive ====== Resources ====== This is How They Tell Me Bug Bounty Ends https://josephthacker.com/hacking/2025/06/09/this-is-how-they-tell-me-bug-bounty-ends.html Welcome, Hackbots: How AI Is Shaping the Future of Vulnerability Discovery https://www.hackerone.com/blog/welcome-hackbots-how-ai-shaping-future-vulnerability-discovery Glitch Token https://www.youtube.com/watch?v=WO2X3oZEJOA Conducting smarter intelligences than me: new orchestras https://southbridge-research.notion.site/conducting-smarter-intelligences-than-me ====== Timestamps ====== (00:00:00) Introduction (00:04:05) Is this how Bug Bounty Ends? (00:11:14) Hackbots and handling leads (00:20:50) Hacker chain of thought & Tokenization (00:32:54) Context Engineering

Episode 128: In this episode of Critical Thinking - Bug Bounty Podcast we talking Blind SSRF and Self-XSS, as well as Reversing massive minified JS with AI and a wild Google Logo Ligature Bug Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today's Sponsor: ThreatLocker - Patch Management ====== This Week in Bug Bounty ====== BitK's "Payload plz" challenge at LeHack ====== Resources ====== Make Self-XSS Great Again Novel SSRF Technique Involving HTTP Redirect Loops Surf - Escalate your SSRF vulnerabilities on Modern Cloud Environments Gecko: Intent to prototype: Framebusting Intervention Conducting smarter intelligences than me: new orchestras Mandark Lumentis jscollab Google Logo Ligature Bug ====== Timestamps ====== (00:00:00) Introduction (00:03:55) Self-XSS and credentialless iframe (00:16:50) Novel SSRF Technique Involving HTTP Redirect Loops (00:25:02) Framebusting (00:29:13) Reversing massive minified JS with AI (00:53:12) Google Logo Ligature Bug

Episode 127: In this episode of Critical Thinking - Bug Bounty Podcast we address some recent bug bounty controversy before jumping into a slew of news items Follow us on X Shoutout to YTCracker for the awesome intro music! Today's Sponsor: Adobe ====== This Week In Bug Bounty ====== Hackers Guide to Google dorking YesWeCaido New Dojo Challenge Smart Contract BB tips Red Team AAS ====== Resources ====== Disclosed PDF csp bypass Bypassing File Upload Restrictions To Exploit Client-Side Path Traversal OBS WebSocket to RCE Time in a bottle (or knapsack) How to Differentiate Yourself as a Bug Bounty Hunter Disclosed. Online hacked-in ‘EchoLeak’ Piloting Edge Copilot Newtowner Tips for agent prompting Firefox XSS vectors Tweet from Masato Kinugawa Chrome debug() function

Episode 126: In this episode of Critical Thinking - Bug Bounty Podcast we wrap up Rez0’s AI miniseries ‘Vulnus Ex Machina’. Part 3 includes a showcase of AI Vulns that Rez0 himself has found, and how much they paid out. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor - ThreatLocker Web Control https://www.criticalthinkingpodcast.io/tl-webcontrol ====== Resources ====== Claude Code System Prompt Attacking AI Agents Probability of Hacks New Gemini for Workspace Vulnerability Enabling Phishing & Content Manipulation How to Hack AI Agents and Applications ====== Timestamps ====== (00:00:00) Introduction (00:02:53) NahamCon Recap, Claude news, and wunderwuzzi writeups (00:08:57) Probability of Hacks (00:11:27) First AI Vulnerabilities (00:18:57) AI Vulns on Google (00:25:11) Invisible prompt Injection

Episode 125: In this episode of Critical Thinking - Bug Bounty Podcast Justin shares insights on how to succeed at live hacking events. We cover pre-event preparations, challenges of collaboration, on-site strategies, and the importance of maintaining a healthy mindset throughout the entire process. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== This Week in Bug Bounty ====== Decathlon Public Bug Bounty Program on YesWeHack ====== Resources ====== The Ultimate Double-Clickjacking PoC Grafana Full read SSRF and Account Takeover: CVE-2025-4123 Grafana CVE-2025-4123 Exploit What I learned from my first 100 HackerOne Reports Root for your friends ====== Timestamps ====== (00:00:00) Introduction (00:02:30) The Ultimate Double-Clickjacking PoC, Grafana CVE, & Evan Connelly's first 100 bugs (00:10:23) How to win at Live Hacking Events (00:11:53) Pre-event (00:11:45) Scope Call (00:33:11) Dupe window Ends (00:36:00) Onsite & and Day of Event (00:42:46) Don't define your identity on the outcome

Episode 124: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph cover some news from around the community, hitting on Joseph’s Anthropic safety testing, Justin’s guest appearance on For Crying Out Cloud, and several fascinating tweets. Then they have a quick Full-time Bug Bounty check-in. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor - ThreatLocker Web Control https://www.criticalthinkingpodcast.io/tl-webcontrol ====== This Week in Bug Bounty ====== Louis Vuitton Public Bug Bounty Program CVE-2025-47934 was discovered on one of our Bug Bounty program : OpenPGP.js Stored XSS in File Upload Leads to Privilege Escalation and Full Workspace Takeover ====== Resources ====== Jorian tweet Clipjacking: Hacked by copying text - Clickjacking but better Crying out Cloud Appearance Wiz Research takes 1st place in Pwn2Own AI category New XSS vector with image tag ====== Timestamps ====== (00:00:00) Introduction (00:10:50) Supabase (00:13:47) Tweet-research from Jorian and Wyatt Walls. (00:20:24) Anthropic safety testing challenge & Wiz Podcast guest appearance (00:27:44) New XSS vector, Google i/o, and coding agents (00:35:48) Full Time Bug Bounty