Critical Thinking - Bug Bounty Podcast

Episode 170: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph their trip to Korea with some quick takeaways from the LHE. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme Critical Research Lab: https://lab.ctbb.show/ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== Timestamps ====== (00:00:00) Introduction (00:01:41) Google LHE Debrief (00:09:27) Old AI Exfils & AI report writing (00:18:14) Human Tokens (00:26:13) Protoscope & Caido Websocket Repeater

Episode 169: In this episode of Critical Thinking - Bug Bounty Podcast gr3pme goes over some of the changes from OAuth 2.0 vs 2.1 and how Hackers can capitalize. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme Critical Research Lab: https://lab.ctbb.show/ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== This Week in Bug Bounty ====== Intigriti is providing free Burp Pro for Hackers! https://www.intigriti.com/blog/news/intigriti-collaborates-with-portswigger-to-support-ethical-hacking-excellence ====== Resources ====== Django-allauth Account Takeover (ZeroPath Audit) https://zeropath.com/blog/django-allauth-account-takeover-vulnerabilities CVE-2025-4144: Cloudflare Workers PKCE Bypass https://github.com/cloudflare/workers-oauth-provider/security/advisories/GHSA-qgp8-v765-qxx9 CVE-2025-54576: OAuth2-Proxy Auth Bypass https://zeropath.com/blog/cve-2025-54576-oauth2-proxy-auth-bypass ====== Timestamps ====== (00:00:00) Introduction (00:02:16) OAuth 2.0 Standards (00:12:08) Agent to Agent Communication (00:17:19) CVE Case studies

Episode 168: In this episode of Critical Thinking - Bug Bounty Podcast we’re getting a visit from the XSS Doctor. Jonathan joins us to go through his Client-side workflow, run labs, and diagnose some bugs live. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme Critical Research Lab: https://lab.ctbb.show/ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Guest: https://x.com/xssdoctor ====== Resources ====== Lab.ctbb.show URL validation bypass cheat sheet https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet ====== Timestamps ====== (00:00:00) Introduction (00:01:37) Home Automation AI Hack & E-signature bug stories (00:12:15) E-signature bug (00:17:01) XSS DR Intro and Bug Bounty Journey (00:31:51) CSPT Workflows (01:07:57) Wildcard Path Parameters (01:30:34) Custom Sinks

Episode 167: In this episode of Critical Thinking - Bug Bounty Podcast we welcome Valeriy Shevchenko to talk about program management, anchor programs, and Theft in Bug Bounty. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme Critical Research Lab: https://lab.ctbb.show/ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today's Sponsor: Check out ThreatLocker Ringfencing https://www.criticalthinkingpodcast.io/tl-rf Today’s Guest: https://x.com/Krevetk0Valeriy ====== This Week in Bug Bounty ====== HackerOne’s Bug Bounty Maturity Framework: https://www.hackerone.com/blog/program-maturity-framework-bug-bounty-operations Intigriti is hiring a Product Security Analyst https://jobs.criticalthinkingpodcast.io/jobs/product-security-analyst-25ef4706 ====== Resources ====== Valeriy’s Blog https://krevetk0.medium.com/ ====== Timestamps ====== (00:00:00) Introduction (00:03:15) Valeriy's Bug story (00:19:48) Anchor Programs and Bug Hunting Motivation (00:29:50) Stealing Bugs

Episode 166: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Rez0’s Claude Skill Secrets, when AI Generated reports fall apart, and agents vs filters. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme Critical Research Lab: https://lab.ctbb.show/ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor: Adobe ====== This Week in Bug Bounty ====== Intigriti launched their ambassadors program. https://www.intigriti.com/ambassador Adobe will be at Hack The Bay https://www.hackthebay.org/ Bug Bounty Maturity Framework https://bugbountymaturity.com/ ====== Resources ====== h1-brain https://github.com/PatrikFehrenbach/h1-brain caido skills http://github.com/caido/skills Tweet from Karpathy https://x.com/karpathy/status/2031767720933634100?s=20 Find every inefficiency in your Claude workflow with one prompt https://x.com/shannholmberg/status/2030605364421595468 ====== Timestamps ====== (00:00:00) Introduction (00:08:28) Claude skills (00:30:00) How AI Generated reports fall apart (00:38:44) Orchestration (00:49:10) Agents vs Folders

Episode 165: In this episode of Critical Thinking - Bug Bounty Podcast Justin recaps his Zero Trust World experience, before we dive into Permissions issues client-side bugs, New Hardware Hacking Classes, and using AI to hack. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme Critical Research Lab: https://lab.ctbb.show/ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today's Sponsor: Check out ThreatLocker Ringfencing https://www.criticalthinkingpodcast.io/tl-rf ====== Resources ====== bbscope Update https://x.com/sw33tLie/status/2029344643154919720 Matt Brown's Youtube Channel https://www.youtube.com/channel/UC3VDCeZYZH7mCihtMVHqppw Matt's Twitter: https://x.com/nmatt0 MCP server for HackerOne to search reports https://x.com/OriginalSicksec/status/2029503063095124461?s=20 Caido Skills https://github.com/caido/skills The Agentic Hacking Era: Ramblings and a Tool https://josephthacker.com/hacking/2026/03/06/the-agentic-hacking-era.html Announcing AI-driven Caido https://caido.io/blog/2026-03-06-caido-skill ====== Timestamps ====== (00:00:00) Introduction (00:06:23) bbscope report dumping & Matt Brown Training (00:13:10) MCP server for HackerOne to search reports & protobuff success (00:24:24) Hacking Mics with Permissions issues client-side bugs (00:27:26) Can AI Hack things?

Episode 164: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Tommy DeVoss to talk about his origin story, Yahoo bugs, and how Tommy first got Justin into Bug Bounty Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme Critical Research Lab: https://lab.ctbb.show/ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Guest: https://x.com/thedawgyg ====== This Week in Bug Bounty ====== Python pitfalls: Turning developer mistakes into vulnerabilities https://www.yeswehack.com/learn-bug-bounty/python-pitfalls-turning-developer-mistakes?utm_source=critical-thinking&utm_medium=sponsored&utm_campaign=article-research-python-pitfalls ====== Timestamps ====== (00:00:00) Introduction (00:06:22) Yahoo SSRF (00:14:56) Tommy's Origin (00:44:10) Bug Bounty (00:51:47) SSRF Attraction, AI implementation, & Browser Hacking

Episode 163: In this episode of Critical Thinking - Bug Bounty Podcast It’s that time of year again! We’re looking at the Portswigger Research list of top 10 web hacking techniques of 2025. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme Critical Research Lab: https://lab.ctbb.show/ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== Resources ====== Parser Differentials: When Interpretation Becomes a Vulnerability https://www.youtube.com/watch?v=Dq_KVLXzxH8 XSS-Leak: Leaking Cross-Origin Redirects https://blog.babelo.xyz/posts/cross-site-subdomain-leak/ Playing with HTTP/2 CONNECT https://blog.flomb.net/posts/http2connect/ Next.js, cache, and chains: the stale elixir https://zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixir SOAPwn: Pwning .NET Framework Apps Through HTTP Client Proxies And WSDL https://watchtowr.com/wp-content/uploads/SOAPwnwatchtowr_soappwn-research-whitepaper_10-12-2025.pdf Cross-Site ETag Length Leak https://blog.arkark.dev/2025/12/26/etag-length-leak Lost in Translation: Exploiting Unicode Normalization https://www.youtube.com/watch?v=ETB2w-f3pM4 ORM Leaking More Than You Joined For https://www.elttam.com/blog/leaking-more-than-you-joined-for/ Novel SSRF Technique Involving HTTP Redirect Loops https://slcyber.io/research-center/novel-ssrf-technique-involving-http-redirect-loops/ Successful Errors: New Code Injection and SSTI Techniques https://github.com/vladko312/Research_Successful_Errors ====== Timestamps ====== (00:00:00) Introduction (00:02:33) Parser Differentials: When Interpretation Becomes a Vulnerability (00:11:02) XSS-Leak: Leaking Cross-Origin Redirects (00:18:25) Playing with HTTP/2 CONNECT (00:22:10) Next.js, cache, and chains: the stale elixir (00:29:15) SOAPwn: Pwning .NET Framework Apps Through HTTP Client Proxies And WSDL (00:34:27) Cross-Site ETag Length Leak (00:41:47) Lost in Translation: Exploiting Unicode Normalization (00:47:27) ORM Leaking More Than You Joined For (00:54:07) Novel SSRF Technique Involving HTTP Redirect Loops (00:58:40) Successful Errors: New Code Injection and SSTI Techniques

Episode 162: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph sit down with HackerOne Founder & CTO Alex Rice to discuss concerns of Using Hacker Data for AI and decreasing bounties. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme Critical Research Lab: https://lab.ctbb.show/ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26 https://ztw.com/ Today’s Guest: https://x.com/senorarroz ====== This Week in Bug Bounty ====== XML external entity: The ultimate Bug Bounty guide to exploiting XXE vulnerabilities https://www.yeswehack.com/learn-bug-bounty/xml-external-entity-guide-xxe?utm_source=Critical_Thinking&utm_medium=Youtube&utm_campaign=XXE_Critical_Thinking&utm_id=XXE_CT Bug Bounty Maturity Framework https://bugbountymaturity.com/ ====== Resources ====== Confidential Information and Confidentiality Obligations https://www.hackerone.com/terms/general#:~:text=HackerOne%20may%20use%20Confidential%20Information%20to%20develop%20and/or%20improve%20its%20Services%20(for%20example%2C%20to%20identify%20trends%2C%20and%20to%20train%20AI%20models)%20provided%20such%20use%20does%20not%20result%20in%20disclosure%20of%20Confidential%20Information%20to%20unauthorized%20third%20parties Ownership and Licenses https://www.hackerone.com/terms/community#:~:text=8.%20Ownership%20and%20Licenses I argued with an AI regarding HackerOne using Hacker reports to train PtaaS https://bugbounty.forum/post/183ff0fc-eb9e-47f8-991d-c0aa5b0bba71 HackerOne PTaaS (likely training their AI on private reports data) https://www.reddit.com/r/bugbounty/comments/1r5hixk/hackerone_ptaas_likely_training_their_ai_on/ What Makes Agentic PTaaS Different in Real Environments https://www.hackerone.com/blog/agentic-penetration-testing-as-a-service#:~:text=Our%20agents%20are,real%20enterprise%20constraints ====== Timestamps ====== (00:00:00) Introduction (00:08:44) HackerOne AI Terms of Service (00:24:56) Agentic PTaaS (00:38:09) Selling data (00:43:49) Decrease in Bounties

Episode 161: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gives us some quick hits regarding CSRF and Cross Consumer Attacks, and also touches on some breaking questions surrounding HackerOne Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme Critical Research Lab: https://lab.ctbb.show/ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26 https://ztw.com/ ====== This Week in Bug Bounty ====== AS Watson https://app.intigriti.com/programs/aswatson/watsons/detail YesWeHack 2026 Report https://choose.yeswehack.com/hubfs/YWH%20Report/YesWeHack_2026_Report.pdf ====== Resources ====== PhoneLeak: Data Exfiltration in Gemini via Phone Call https://blog.starstrike.ai/posts/phoneleak-data-exfiltration-in-gemini-via-phone-call/ Max's Tweet about decreasing bounties https://x.com/0xw2w/status/2020788164378427483 HackerOne General Terms and Conditions https://www.hackerone.com/terms/general Research Review #-2: RCE in Google's AI code editor Antigravity (sudi) https://www.youtube.com/watch?v=JqvJSF2UMyY ====== Timestamps ====== (00:00:00) Introduction (00:03:26) YesWeHack 2026 Report (00:09:12) CSRF Realizations & Data Exfiltration in Gemini via Phone Call (00:14:38) 7urb0's Youtube, HackerOne decreasing bounties and Section 3.1 controversy. (00:19:06) Cross Consumer Attacks

Episode 160: In this episode of Critical Thinking - Bug Bounty Podcast Joseph and Brandyn. Chat through some news, Including a Cloudflare Zero-day, Turning List-Unsubscribe into an SSRF/XSS Gadget, & Magic String Denial of Service in Claude. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme Critical Research Lab: https://lab.ctbb.show/ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Sponsor: Adobe. Use code CTBB040126, and get a 10% bonus on your bounty for any AI vulnerability which is mapped to the OWASP LLM top 10. Valid on Adobe Acrobat Web - AI Assistant / PDF Spaces / Content Creation and presentation features using Express Adobe Express AI Assistant. Valid through April 1st, 2026 Also we have a Google Cloud VRP Swag Bonus! Mention the podcast in any rewarded (cash or credit) VRP report submission before the end of April to receive bonus swag! ====== Resources ====== Cloudflare Zero-day https://fearsoff.org/research/cloudflare-acme Turning List-Unsubscribe into an SSRF/XSS Gadget https://security.lauritz-holtmann.de/post/xss-ssrf-list-unsubscribe/ Breaking Multi-Tenant Isolation in Heroku Postgres https://allistair.sh/blog/breaking-heroku-postgres/ Parse and Parse: MIME Validation Bypass to XSS via Parser Differential https://lab.ctbb.show/research/parse-and-parse-mime-validation-bypass-to-xss-via-parser-differential Claude Magic String Denial of Service https://x.com/Frichette_n/status/2013988503336415522 From WebView to Remote Code Injection https://djini.ai/from-webview-to-remote-code-injection/ DOM XSS Is Not Dead: The Rise of Polyglot Payloads https://blogs.jsmon.sh/dom-xss-is-not-dead-the-rise-of-polyglot-payloads/ ====== Timestamps ====== (00:00:00) Introduction (00:06:17) Cloudflare Zero-day & Turning List-Unsubscribe into an SSRF/XSS Gadget (00:16:57) Breaking Multi-Tenant Isolation in Heroku Postgres & CTBB Research (00:25:46) Claude Magic String Denial of Service & From WebView to Remote Code Injection

Episode 159: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with the Google Cloud VRP Team to deep-dive policy and reward changes, what the panel process looks like, and how to best configure for success. Follow us on X Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Get some hacker swag Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26 https://ztw.com/ Google Cloud VRP Swag Bonus! Mention the podcast in any rewarded (cash or credit) VRP report submission before the end of April to receive bonus swag! Today’s Guests: Darby Hopkins Michael Cote ====== This Week in Bug Bounty ====== AI Red Teaming Explained by AI Red Teamers Good Faith AI Research Safe Harbor Join the Adobe LHE at NULLCON GOA ====== Resources ====== ‘Legendary Guy’ - Jakub Domeracki Google Cloud VRP rewards rules Google Cloud VRP product tiers Bug Hunters blog on the 2025 Google Cloud VRP bugSWAT Google VRP Discord Google VRP on X ====== Timestamps ====== (00:00:00) Introduction (00:10:03) CloudVRP Bugswat Event Breakdown (00:16:40) VRP Policy & Rewards Changes (00:04:50) Panel Process (01:00:08) Configuring for Success & Avoiding Downgrades (01:33:47) Scenarios for Success

Episode 158: In this episode of Critical Thinking - Bug Bounty Podcast we talk about our personal takeaways from the CTBB Charity Hackalong, and then break down some InsertScript POCs, what a $55,000 bug can look like, and if Smart People Ever Say They’re Smart. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme Critical Research Lab: https://lab.ctbb.show/ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26 https://ztw.com/ ====== Resources ====== InsertScript - XSS Challenge Solution https://insert-script.blogspot.com/2020/03/xss-challenge-solution-refresh-header.html InsertScript - Redirect AuthHeader https://www.insert-script.com/examples/redirectAuthHeader/send.html CRLF injection on a 302 redirect https://x.com/0xdef1ant/status/2009040359482118500 Multiple XSS in Meta Conversion API Gateway Leading to Zero-Click Account Takeover https://ysamm.com/uncategorized/2025/01/13/capig-xss.html Arcanum Hack Tips https://github.com/Arcanum-Sec/hack_tips Trail of Bits Releases Claude Skills https://x.com/dguido/status/2011541318229533063 what a $55,000 bug can look like https://x.com/the_IDORminator/status/2007480636244697237 Pwning Claude Code in 8 Different Ways https://flatt.tech/research/posts/pwning-claude-code-in-8-different-ways/ Do Smart People Ever Say They’re Smart? https://labs.watchtowr.com/do-smart-people-ever-say-theyre-smart-smartertools-smartermail-pre-auth-rce-cve-2025-52691/ ====== Timestamps ====== (00:00:00) Introduction (00:04:18) Technical takeaways from CT Charity Hackalong (00:22:21) InsertScript POCs & Rez0 and teknogeek's IOT Adventures (00:32:16) CRLF injection on a 302 redirect & Multiple XSS in Meta (00:41:00) Trail of Bits, what a $55,000 bug can look like, & Pwning Claude Code (00:54:16) Do Smart People Ever Say They’re Smart?

Episode 157: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Hypr to talk about hacking Mediatek and his experiences with HackerOne and Pwn2Own Ecosystems. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme Critical Research Lab: https://lab.ctbb.show/ ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Guest: https://x.com/hyprdude ====== This Week in Bug Bounty ====== Top 10 web hacking techniques of 2025: call for nominations https://portswigger.net/research/top-10-web-hacking-techniques-of-2025-nominations-open CVE-2025-13467 https://access.redhat.com/security/cve/cve-2025-13467 ====== Resources ====== Hypr's Blog https://blog.coffinsec.com mediatek? more like media-rekt, amirite. https://blog.coffinsec.com/0days/2025/12/15/more-like-mediarekt-amirite.html kernel-utils https://github.com/mellow-hype/kernel-utils ====== Timestamps ====== (00:00:00) Introduction (00:03:23) Heap Overflow in Mediatek Kernel Drivers (00:19:23) Kernel Debugging & ioctl Handlers (00:43:30) Input Structs, Sync to Source, & Privilege Escalation (00:51:30) HackerOne Ecosystem vs Pwn2Own Ecosystem (01:17:00) Kernel Utils (01:26:46) Real World Bugs for Exploit Development vs CTFs

Episode 156: In this episode of Critical Thinking - Bug Bounty Podcast we answer some fantastic questions from over at bugbounty.forum Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== Resources ====== Critical Thinking Lab lab.ctbb.show Cross-Site ETag Length Leak https://blog.arkark.dev/2025/12/26/etag-length-leak Clawdbot https://github.com/clawdbot/clawdbot/ Post from Steve Caldwell https://x.com/moreconfetti/status/2006494133159162008 ====== Timestamps ====== (00:00:00) Introduction (00:00:58) Crit Lab update (00:04:36) Cross-Site ETag Length Leak (00:13:26) Clawdbot (00:16:56) Will bug hunting become obsolete, LHE invitations, and Fulltime vs Part time? (00:30:52) 10 bugs at $5k or 1 bug at $5k, CTBB Background, & Future Plans (00:38:32) Mentoring, Conquering Classes, and what angles we implement from the podcast (00:49:27) Best approach on new targets, tips for making 500k in a year, AI/Vibecoding & Human in the Loop (00:59:07) Mentally mapping the target, anti-patterns that waste time, and BB beliefs that were wrong. (01:10:12) Tackling small scope, staying on one program, picking up after a break, & moving on (01:17:41) Invisible elements that make the difference between $2k and $20k

Episode 155: In this episode of Critical Thinking - Bug Bounty Podcast Justin, Joseph, and Brandyn reflect on last year of Bug Bounty, and list their goals and predictions for what 2026 holds. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== Resources ====== 2024 Hacker Stats & 2025 Goals https://blog.criticalthinkingpodcast.io/p/hackernotes-ep-104-2024-hacker-stats-2025-goals ====== Timestamps ====== (00:00:00) Introduction (00:02:08) 2025 Full Time Hunting Retrospective (00:10:19) Most Fulfilling Moments and Bugs (00:17:56) Satisfaction with 2025 Stats (00:45:28) Automation, Organization, and Collaboration (00:48:55) Time and Motivation (01:08:01) Goals and Predictions for Bug Bounty in 2026

Episode 154: In this episode of Critical Thinking - Bug Bounty Podcast Joseph and Brandyn talk through the transition from Bug Bounty hunting to Pentesting. We cover diversifying income streams, the challenges of pricing for Pentests, legal considerations, and what Bug Hunters can bring to the Pentesting world Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! ====== Timestamps ====== (00:00:00) Introduction (00:03:36) Starting a Pentesting Company (00:12:25) Advantages of Pentesting as a Bug Bounty Hunter (00:29:03) Pricing, Sales, and knowing your Market/Worth (00:36:21) Compliance in Pentests & Rapid-Fire Takaways

Episode 153: In this episode of Critical Thinking - Bug Bounty Podcast Matt Brown returns to talk with us about hacking robots, IOT hackbots, and his Zero-to-Hero Hardware Hacking Guide. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today’s Guest: Matt Brown https://x.com/nmatt0https://github.com/BrownFineSecurity/iothackbot====== Resources ====== KeeYees USB Logic Analyzer Device Saleae logic analyzer XGecu Hardware Hacking Tutorial by Make Me Hack UART and SPI firmware extraction UART Root Shell on Linux Router UART Shell Jail and Unlocked Bootloader Chinese IP Camera Firmware Extraction Chip-Off Firmware Extraction ====== Timestamps ====== (00:00:00) Introduction (00:01:22) Incremental Session Token Story and Matt Brown Intro (00:10:42) Hardware Bug Bounty Scene & AI on Devices (00:24:30) Hacking Human Robot (00:41:33) Zero-to-Hero Hardware Hacking Guide (01:01:47) IOT Hackbot

Episode 152: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Sasi Levi from Noma Security to talk about AI and Agentic Security. We also talk about ForcedLeak, a Google Vertex Bug, and debate if Prompt Injection is a real Vuln. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. CHeck out our New Christmas Swag at https://ctbb.show/merch! Today's Sponsor: ThreatLocker. Check out ThreatLocker Elevation Control https://ctbb.show/tl-ec And Noma Security! https://noma.security/ Today’s Guest: https://x.com/sasi2103 ====== This Week in Bug Bounty ====== Vercel Platform Protection Dedicated HackerOne program for Vercel WAF YesWeHack Open Source Programs Android recon for Bug Bounty hunters ====== Resources ====== Sasi's Tweet from 2015 ForcedLeak: AI Agent risks exposed in Salesforce AgentForce Is Prompt Injection a Vulnerability? ====== Timestamps ====== (00:00:00) Introduction (00:09:16) Google Vertex AI Bug (00:29:28) Sasi's Background and Bug Bounty Journey (00:38:55) Resources for AI and Agentic Security Methodology (00:50:34) ForcedLeak (01:02:06) Is Prompt Injection a Vuln?

Episode 151: In this episode of Critical Thinking - Bug Bounty Podcast we’re covering Client-side advanced topics. Justin talks Joseph (and us) through Third-Party Cookie Nuances, Iframe Tricks, URL Parsing, and more. Follow us on twitter at: https://x.com/ctbbpodcast Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater https://x.com/rez0__ https://x.com/gr3pme ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch! Today's Sponsor: ThreatLocker. Check out ThreatLocker Elevation Control https://ctbb.show/tl-ec ====== Resources ====== Nowasky's Tweet #1 https://x.com/nowaskyjr/status/1993421017381744974 Nowasky's Tweet #2 https://x.com/nowaskyjr/status/1992717862398800081 rep+ in Chrome DevTools https://x.com/BourAbdelhadi/status/1992622964077179229 Terjanq Post from 2021 https://x.com/terjanq/status/1421093136022048775 ====== Timestamps ====== (00:00:00) Introduction (00:02:58) Client-side news & AI Updates (00:12:02) Third-Party Cookie Nuances & PostMessages (00:30:09) Iframe Tricks (00:47:43) URL Parsing, CSPTS, and Client-side Routes