Critical Thinking - Bug Bounty Podcast

Episode 69: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Johan Carlsson to hear about some updates on his bug hunting journey. We deep-dive a CSP bypass he found in GitHub, a critical he found in GitLab's pipeline, and also talk through his approach to using script gadgets and adapting to highly CSP'd environments. Then we talk about his transition to full-time bug hunting, including the goals he’s set, the successes and challenges, and his current focus on specific bug types like ReDoS and OAuth, and the serendipitous nature of bug hunting. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Nuclei 3.2 Release: https://nux.gg/podcast Today’s Guest: https://twitter.com/joaxcar https://joaxcar.com/blog/ Resources Github CSP Bypass https://gist.github.com/joaxcar/6e5a0a34127704f4ea9449f6ce3369fc CSP Validator https://cspvalidator.org/ Cross Window Forgery https://www.paulosyibelo.com/2024/02/cross-window-forgery-web-attack-vector.html Gitlab Crit https://gist.github.com/joaxcar/9419b2df8778f26e9b02a741a8ec12f8 Timestamps (00:00:00) Introduction (00:09:34) Github CSP Bypass (00:38:48) Script Gadgets and growth through Gitlab (00:53:53) Gitlab pipeline bug (01:12:32) Full-time Bug Bounty

Episode 68: In this episode of Critical Thinking - Bug Bounty Podcast Mathias is back with some fresh HTMX research, including CSP bypass using HTMX triggers, converting client-side response header injection to XSS, bypassing HTMX disable, and the challenges of using HTMX in larger applications and the potential performance trade-offs. We also talk about the results of his recent CTF Challenge, and explore some more facets of CDN-CGI functionality. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Project Discovery Conference: https://nux.gg/hss24 ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://twitter.com/avlidienbrunn Resources: Masato Kinugawa's research on Teams https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=33 subdomain-only 307 open redirect https://avlidienbrunn.se/cdn-cgi/image/onerror=redirect/http://anything.avlidienbrunn.se Timestamps (00:00:00) Introduction (00:05:18) CSP Bypass using HTML (00:14:00) Converting client-side response header injection to XSS (00:23:10) Bypassing hx-disable (00:32:37) XSS-ing impossible elements (00:38:22) CTF challenge Recap and knowing there's a bug (00:51:53) hx-on (depreciated) (00:54:30) CDN-CGI Research discussion

Episode 67: In this episode of Critical Thinking - Bug Bounty Podcast we deepdive on the topic of Vulnerability Disclosure Programs (VDPs) and whether they are beneficial or not. We also touch on the topic of leaderboard accuracy, and continue the Program VS Hacker debate regarding allocating funds for bounties. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Project Discovery Conference: https://nux.gg/hss24 ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources: Nagli's Braindump on VDPs https://twitter.com/galnagli/status/1780174392003031515 Timestamps: (00:00:00) Introduction (00:05:37) VDP programs (00:34:10) Leaderboards (00:43:52) Hacker vs. Program debate Part 2 (01:07:24) Walling Off Endpoints

Episode 66: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the recent YesWeHack Louis Vuitton LHE, the importance of failure as growth in bug bounty, and Justin shares his research on CDN CGI. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Project Discovery Conference: https://nux.gg/hss24 ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources: YesWeHack Luis Vuitton LHE https://twitter.com/yeswehack/status/1776280653744554287 https://event.yeswehack.com/events/hack-me-im-famous-2 Caido Workflows https://github.com/caido/workflows Oauth Redirects https://twitter.com/Akshanshjaiswl/status/1724143813088940192 Bagipro Golden URL techniques https://hackerone.com/reports/431002 Roadmap I followed to make 15,000+$ Bounties in my first 8 months https://shreyaschavhan.notion.site/Roadmap-I-followed-to-make-15-000-Bounties-in-my-first-8-months-of-starting-out-and-my-journey-98b1b9ff621645c0b97d1e774992f300 Monke Hacks Blog https://monkehacks.beehiiv.com/ PortSwigger post https://x.com/PortSwiggerRes/status/1766087129908576760 post from Masato Kinugawa https://x.com/kinugawamasato/status/916393484147290113 Timestamps: (00:00:00) Introduction (00:04:19) Louis Vuitton LHE (00:13:57) Browser Market share (00:21:13) Justin's Bug of the Week (00:24:49) Caido Workflows (00:27:24) Oauth Redirects (00:32:24) Bug Bounty learning Methodology (00:41:03) 'Intent To Ship' (00:48:08) CDN-CGI Research

Episode 65: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with Sam Curry to discuss the ethical considerations and effectiveness of hacking, the importance of good intent, and the enjoyment Sam derives from pushing the boundaries to find bugs. He shares stories of his experiences, including hacking Tesla, online casinos,Starbucks, his own is ISP router, and even getting detained at the airport. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater Project Discovery Conference: https://nux.gg/hss24 ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://samcurry.net/ Resources: Don’t Force Yourself to Become a Bug Bounty Hunter hackcompute Starbucks Bug recollapse Timestamps: (00:00:00) Introduction (00:02:25) Hacking Journey and the limits of Ethical Hacking (00:28:28) Selecting companies to hack (00:33:22) Fostering passion vs. Forcing performance (00:54:06) Collaboration and Hackcompute (01:00:40) The Efficacy of Bug Bounty (01:09:20) Secondary Context Bugs (01:25:01) Mindmaps, note-taking, and Intuition. (01:46:56) Back-end traversals and Unicode (01:56:16) Hacking ISP (02:06:58) Next.js and Crypto (02:22:24) Dev vs. Prod JWT

Episode 64: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Justin and Joel delve into .NET remoting and how it can be exploited, a recent bypass in the Dom Purify library and some interesting functionality in the Cloudflare CDN-CGI endpoint. They also touch on the importance of collaboration and knowledge sharing, JavaScript Deobfuscation, the value of impactful POCs, hiding XSS payloads with URL path updates. Follow us on twitter at: @ctbbpodcast send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Check out Project Discovery’s nuclei 3.2 release blog at nux.gg/podcast Resources: .NET Remoting https://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/ https://github.com/codewhitesec/HttpRemotingObjRefLeak DOM Purify Bug Cloudflare /cdn-cgi/ https://developers.cloudflare.com/fundamentals/reference/cdn-cgi-endpoint/ https://portswigger.net/research/when-security-features-collide https://twitter.com/kinugawamasato/status/893404078365069312 https://twitter.com/m4ll0k/status/1770153059496108231 XSSDoctor's writeup on Javascript deobfuscation renniepak's tweet Naffy's tweet Timestamps: (00:00:00) Introduction (00:07:15) .Net Remoting (00:17:29) DOM Purify Bug (00:25:56) Cloudflare /cdn-cgi/ (00:37:11) Javascript deobfuscation (00:47:26) renniepak's tweet (00:55:20) Naffy's tweet

Episode 63: In this episode of Critical Thinking - Bug Bounty Podcast we welcome back Jason Haddix (From Episode 12) to talk about some updates to his The Bug Hunter's Methodology, as well as his own personal life and hacking journey. We talk about the start of his new company, and then venture into topics such as using threat intelligence and buying credentials from the dark web, recon techniques, and ways to integrate AI into your workflow (or target list). Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Today’s Guest: https://twitter.com/Jhaddix https://www.arcanum-sec.com/ Resources: Dehashed https://www.dehashed.com/ Flare https://flare.io/ CSP Recon https://github.com/edoardottt/csprecon Timestamps: (00:00:00) Introduction (00:05:37) Updates to The Bug Hunter's Methodology (00:14:46) Red Teaming (00:21:29) Bug Bounty on the Dark Web (00:36:19) FIS hunting (00:47:59) New Recon Techniques (00:58:32) AI integrations and bounties

Episode 62: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with some additional research resources that didn’t make the Portswigger Top-Ten, but that are worth looking at. Follow us on twitter at: @ctbbpodcast Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Resources: Cool HTML Shit https://twitter.com/jcubic/status/1764311080661082201 https://twitter.com/encodeart/status/1764218128374943764 Bug bounty Hunting Journeys https://twitter.com/ajxchapman/status/1762101366057525521 https://monkehacks.beehiiv.com/p/monkehacks-02 Yelp Cookie Bridge Report Deobfuscating/Unminifying Obfuscated Code ChatGPT Source Watch Web Security Research Reddit Nahamsec Resources Portswigger Nominations list Abusing perspectives: https://hackerone.com/reports/2401115 PortSwigger CSS Exfiltration https://github.com/PortSwigger/css-exfiltration Timestamps: (00:00:00) Introduction (00:02:06) Cool HTML Shit (00:15:31) Bug Bounty Journeys (00:28:01) Yelp Cookie Bridge Bug (00:37:56) Additional Research Resources (00:46:34) CSS and abusing perspectives

Episode 61: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Jasmin Landry to share some stories about startup security, bug bounty, and the challenges of balancing both. He also shares his methodology for discovering OAuth-related bugs, highlights some differences between structured learning and self-teaching, and then walks us through a couple arbitrary ATO’s and SSTI to RCE bugs he’s found lately. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: Jasmin Landry https://twitter.com/JR0ch17 Resources: Dirty Dancing blog post https://labs.detectify.com/writeups/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/ OAuth 2.0 Threat Model and Security Considerations https://datatracker.ietf.org/doc/html/rfc6819 OAuth 2.0 Security Best Current Practice https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics Timestamps: (00:00:00) Introduction (00:02:20) Meta Tag + DomPurify Bug (00:09:36) Jasmin's Origin story (00:28:23) Full time Bug bounty challenges (00:36:57) Career jumps in Security and current Role (00:47:32) OAuth Bug methodology and cool bug stories (01:02:35) Social Engineering and Bug Bounty (01:13:41) Arbitrary ATO bug (01:19:41) SSTI to RCE bug

Episode 60: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel review the Portswigger Research list of top 10 web hacking techniques of 2023. Follow us on twitter at: @ctbbpodcast Send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources: Top 10 web hacking techniques of 2023 1: Smashing the state machine 8: From Akamai to F5 to NTLM 3: SMTP Smuggling 4: PHP filter chains (Bonus Read) 5: HTTP Parsers Inconsistencies 6: HTTP Request Splitting 7: How I Hacked Microsoft Teams 9: Cookie Crumbles (Bonus Read) 10: Hacking root EPP servers to take control of zones Timestamps: (00:00:00) Introduction (00:04:26) 1: Smashing the state machine (00:11:56) 8: From Akamai to F5 to NTLM... with love (00:17:11) 3: SMTP Smuggling (00:26:27) 4: PHP filter chains (00:36:40) 5: HTTP Parsers Inconsistencies (00:44:56) 6: HTTP Request Splitting (00:53:43) 7: How I Hacked Microsoft Teams (01:02:25) 9: Cookie Crumbles (01:11:36) 10: EPP Server Takeover

Episode 59: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the concept of gadgets and how they can be used to escalate the impact of vulnerabilities. We talk through things like HTML injection, image injection, CRLF injection, web cache deception, leaking window location, self-stored XSS, and much more. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources: Even Better NahamSec's 5 Week Program NahamCon News CSS Injection Research Timestamps: (00:00:00) Introduction (00:03:31) Caido's New Features (00:15:20) Nahamcon News and 5 week Bootcamp and pentest opportunity (00:19:54) HTML Injection, CSS Injection, and Clickjacking (00:33:11) Image Injection (00:37:19) Open Redirects, Client-side path traversal, and Client-side Open Redirect (00:49:51) Leaking window.location.href (00:57:15) Cookie refresh gadget (01:01:40) Stored XXS (01:09:01) CRLF Injection (01:13:24) 'A Place To Stand' in GraphQL and ID Oracle (01:18:23) Auth gadgets, Web Cache Deception, & LocalStorage poisoning (01:27:46) Cookie Injection & Context Breaks

Episode 58: In this episode of Critical Thinking - Bug Bounty Podcast we finally sit down with Youssef Samouda and grill him on his various techniques for finding and exploiting client-side bugs and postMessage vulnerabilities. He shares some crazy stories about race conditions, exploiting hash change events, and leveraging scroll to text fragments. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://twitter.com/samm0uda?lang=en https://ysamm.com/ Resources: Client-side race conditions with postMessage: https://ysamm.com/?p=742 Transferable Objects https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Transferable_objects Every known way to get references to windows, in javascript: https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2d Youssef’s interview with BBRE https://www.youtube.com/watch?v=MXH1HqTFNm0 Timestamps: (00:00:00) Introduction (00:04:27) Client-side race conditions with postMessage (00:18:12) On Hash Change Events and Scroll To Text Fragments (00:32:00) Finding, documenting, and reporting complex bugs (00:37:32) PostMessage Methodology (00:45:05) Youssef's Vuln Story (00:53:42) Where and how to look for ATO vulns (01:05:21) MessagePort (01:14:37) Window frame relationships (01:20:24) Recon and JS monitoring (01:37:03) Client-side routing (01:48:05) MITMProxy

Episode 57: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are live from Miami, and recap their experience and share takeaways from the live hacking event. They highlight the importance of paying attention to client-side routing and the growing bug class of client-side path traversal. They also discuss the challenges of knowing when to cut your losses and the value of tracking time and setting goals. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Timestamps: (00:00:00) Introduction (00:03:50) Miami LHE Recap and Takeaways (00:05:57) Keeping time and cutting losses. (00:19:07) Roles and Goals (00:23:33) OAuth (00:28:52) HTML5 image to img Tip

Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston) Episode 56: In this episode of Critical Thinking - Bug Bounty Podcast, Justin sits down with Jon Colston to discuss how his background in digital marketing and data science has influenced his hunting methodology. We dive into subjects like data sources, automation, working backwards from vulnerabilities, applying conversion funnels to bug bounty, and the mayonaise signature 'Mother of All Bugs' Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ WordFence - Sign up as a researcher! https://ctbb.show/wf Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://hackerone.com/mayonaise?type=user Timestamps: (00:00:00) Introduction (00:12:07) Evolving Hacking Methodologies & B2B Hacking (00:23:57) Data Science + Bug Bounty (00:34:37) 'Lead Generation for Vulns' (00:41:39) Ingredients and Recipes (00:49:45) Keyword Categorization (00:54:30) Manual Processes and Recap (01:07:08) Data Sources (01:19:59) Digital Marketing + Bug Bounty (01:32:22) M.O.A.B.s (01:41:02) Burnout Protection and Dupe Analysis

Episode 55: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by Wordpress Security Researcher Ram Gall to discuss both functionality and vulnerabilities within Wordpress Plugins. Follow us on twitter Send us any feedback here: Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ WordFence - Sign up as a researcher! https://ctbb.show/wf --- Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: Ramuel Gall UpdraftPlus Vuln XML-RPC PingBack Unicode and Character Sets Reflected XSS POP Chain WordpressPluginDirectory Subscriber+ RCE in Elementor Subscriber+ SSRF Unauthed XSS via User-Agent header Timestamps: (00:00:00) Introduction (00:05:55) Add_action & Nonces (00:26:16) Add_filter & Register_rest_routes (00:38:39) Page-related code & Shortcodes (00:50:24) Top Sinks for WP (01:02:19) Echo & SQLI Sinks (01:15:07) Nonce Leak and wp_handle_upload (01:18:16) Page variables & Pop Chains (01:26:55) WP Escalations & Bug Reports

Episode 54: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with news items and new projects. Joel shares about his personal scraping project to gather data on bug bounty programs and distribution Next, they announce the launch of HackerNotes, a podcast companion that will summarize the main technical points of each episode. They also discuss a recent GitLab CVE and an invisible prompt injection, before diving into a discussion (or debate) about vulnerable code patterns. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Gitlab CVE https://github.com/Vozec/CVE-2023-7028 https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/ Fix commit: https://gitlab.com/gitlab-org/gitlab/-/commit/abe79e4ec437988cf16534a9dbba81b98a2e7f18 Invisible Prompt Injection https://x.com/goodside/status/1745511940351287394?s=20 Regex 101 https://regex101.com Regex to Strings https://www.wimpyprogrammer.com/regex-to-strings/ Timestamps (00:00:00) Introduction (00:01:54) Joel’s H1 Data Scraping Research (00:19:23) HackerNotes launch (00:21:29) Gitlab CVE (00:27:45) Invisible Prompt Injection (00:33:52) Vulnerable Code Patterns (00:37:51) Sanitization, but then modification of data afterward (00:45:39) Auth check inside body of if statement (00:48:15) sCheck for bad patterns with if, but then don't do any control flow (00:50:21) Bad Regex (01:00:36) Replace statements for sanitization (01:04:32) Anything that allows you to call functions or control code flow in uncommon ways

Episode 53: In this episode of Critical Thinking - Bug Bounty Podcast,we’re joined by none other than NahamSec. We start by discusses the challenges he faced on his journey in bug bounty hunting and content creation, including personal struggles and the pressure of success.We also talk about finding balance and managing mental energy, going the extra mile, and the importance of planning and setting goals for yourself before he walks us through some Blind XSS techniques. Follow us on twitter at: @ctbbpodcast Feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Timestamps: (00:00:00) Introduction (00:01:37) Costs of Content Creation (00:21:12) Hacking 'identities' and Pivoting (00:36:49) Hacking Methodology (00:58:59) Planning, Goals, and Nahamsec's 2023 Performance (01:10:19) Blind XSS (01:35:19) Going the extra mile in Bug Bounty

Episode 52: In this episode of Critical Thinking - Bug Bounty Podcast we're going back and highlighting some of the best technical moments from the past year! Hope you enjoy this best of 2023 Supercut! Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Timestamps: (00:00:00) Introduction (00:02:55) Episode 26: Meta tags and base tags in HTML (00:15:20) Episode 27: Client-side path traversal (00:23:18) Episode 27: Cookie bombing + cookie jar overflow (00:35:47) Episode 44: Cross environment authentication bugs (00:43:17) Episode 47: The open-faced Iframe Sandwich (00:50:19) Episode 47: js hoisting and classic Joel nerdsnipe (00:58:28) Episode 29: Sean Yeoh on Subdomains vs IP in recon (01:04:05) Episode 30: Shubs on reversing enterprise software (01:24:58) Episode 30: Shubs on building out a recon flow (01:29:36) Episode 30: Shubs on Hacking IIS Servers (01:36:45) Episode 37: 0xLupin on smart JavaScript analysis tools (01:45:42) Episode 45: Frans Rosen On App cache, Service workers cookie stuffing, and postMessage (02:15:02) Episode 50: Mathias Karlsson on XSLT and MXSS (02:39:26) Episode 27: Assetnote's sharefile RCE (02:48:18) Episode 31: Perforce RCE (02:53:48) Episode 48: Sam Erb's XSLT bug story (02:58:47) Final thoughts and Special Thanks

Episode 51: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are back for the last episode of 2023. We discuss some noteworthy news items including a Hacker One Crit, Caido updates, and some Blind CSS. Then we dive into our own personal ‘Hackers Wrapped’ recap of the year, before laying out some goals for 2024. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources Flow Powertoys Alfred Pyperclip Textgrab CTF Payload Challenge Hacker One Crit Report Blind CSS Injection Timestamps (00:00:00) Introduction (00:08:43) Keyboard Shortcut Utility Systems (00:21:28) CTF Challenge By Frans (00:32:40) Hacker One 25K Crit Disclosure (00:36:31) Caido Searchbar Rework. (00:40:51) Blind CSS Exfiltration (00:44:10) 2023 Personal Bug Bounty Stats (01:01:15) 2024 Personal Bug Bounty Goals

Episode 50: In this episode of Critical Thinking - Bug Bounty Podcast, Justin catches up with hacking master Mathias Karlsson, and talks about burnout, collaboration, and the importance of specialization. Then we dive into the technical details of MXSS and XSLT, character encoding, and give some predictions of what Bug Bounty might look like in the future… Follow us on twitter at: @ctbbpodcast Send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest Episode Resources How to Differentiate Yourself as a Hunter MutateMethods hackaplaneten Article About Unicode and Character Sets Byte Order Mark: Character Encodings ShapeCatcher WAF Bypass BountyDash EXPLOITING HTTP'S HIDDEN ATTACK-SURFACE Timestamps: (00:00:00) Introduction (00:10:06) Automation Setup and Assetnote Origins (00:16:49) Sharing Tips, and Content Creation (00:22:27) Collaboration and Optimization (00:36:44) Working at Detectify (00:51:45) Bug Bounty Burnout (00:56:15) Early Days of Bug Bounty and Future Predictions (01:19:00) Nerdsnipeability (01:29:38) MXSS and XSLT (01:54:20) Learning through being wrong (02:00:15) Go-to Vulns