Critical Thinking - Bug Bounty Podcast

by Justin Gardner (Rhynorater) & Joel Margolis (teknogeek)

A "by Hackers for Hackers" podcast focused on technical content ranging from bug bounty tips, to write-up explanations, to the latest hacking techniques.

Podcast episodes

  • Season 1

  • Episode 76: Match & Replace - HTTP Proxies' Most Underrated Feature

    Explicit

    Episode 76: Match & Replace - HTTP Proxies' Most Underrated Feature

    Explicit

    Episode 76: In this episode of Critical Thinking - Bug Bounty Podcast we’re talking about Match and Replace and the often overlooked use cases for it, like bypassing paywalls, modifying host headers, and storing payloads. We also talk about the HackerOne Ambassador World Cup and the issues with dupe submissions, and go through some write-ups. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources Zoom Session Takeover https://nokline.github.io/bugbounty/2024/06/07/Zoom-ATO.html SharePoint XXE https://x.com/thezdi/status/1796207012520366552 Shazzer https://shazzer.co.uk/ Timestamps: (00:00:00) Introduction (00:05:06) H1 Ambassador World Cup (00:13:57) Zoom ATO bug (00:33:28) SharePoint XXE (00:39:36) Shazzer (00:46:36) Match and Replace (01:13:01) Match and Replace in Mobile (01:21:13) Header Replacements

  • Episode 75: *Rerun* of The OG Bug Bounty King - Frans Rosen

    Explicit

    Episode 75: *Rerun* of The OG Bug Bounty King - Frans Rosen

    Explicit

    Episode 75: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are sick, So instead of a new full episode, we're going back 30 episodes to review. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! Today's Guest: https://twitter.com/fransrosen Detectify Discovering s3 subdomain takeovers https://labs.detectify.com/writeups/hostile-subdomain-takeover-using-heroku-github-desk-more/ bucket-disclose.sh https://gist.github.com/fransr/a155e5bd7ab11c93923ec8ce788e3368 A deep dive into AWS S3 access controls Attacking Modern Web Technologies Live Hacking like a MVH Account hijacking using Dirty Dancing in sign-in OAuth flows Timestamps: (00:00:00) Introduction (00:11:41) Franz Rosen's Bug Bounty Journey and Detectify (00:20:21) Pseudo-code, typing, and thinking like a dev (00:27:11) Hunter Methodologies and automationists (00:42:31) Time on targets, Iteration vs. Ideation (00:58:01) S3 subdomain takeovers (01:11:53) Blog posting and hosting motivations (01:20:21) Detectify and entrepreneurial endeavors (01:36:41) Attacking Modern Web Technologies (01:52:51) postMessage and MessagePort (02:05:00) Live Hacking and Collaboration (02:20:41) Account Hijacking and OAuth Flows (02:35:39) Hacking + Parenthood

  • Episode 74: Supply Chain Attack Primer - Popping RCE Without an HTTP Request (feat 0xLupin)

    Explicit

    Episode 74: Supply Chain Attack Primer - Popping RCE Without an HTTP Request (feat 0xLupin)

    Explicit

    Episode 74: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Roni "Lupin" Carta for a deep dive into supply chain attacks and dependency confusion. We explore the supply chain attacks, the ethical considerations surrounding maintainers and hosting packages on public registries, and chat about the vision and uses of his new tool Depi. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://x.com/0xLupin Resources: Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 git-dump https://github.com/tomnomnom/dotfiles/blob/master/scripts/git-dump Depi https://www.landh.tech/depi Weak links of Supply Chain https://arxiv.org/pdf/2112.10165 Timestamps: (00:00:00) Introduction (00:07:13) Overveiw of Supply Chain Flow (00:15:14) Getting our Scope (00:23:46) Depi (00:29:12) Types of attacks and finding the 80/20 (00:45:06) Maintainer attacks (01:10:40) Regestries, artifactories, and an npm bug (01:31:51) Grafana NPX Confusion

  • Episode 73: Sandboxed IFrames and WAF Bypasses

    Explicit

    Episode 73: Sandboxed IFrames and WAF Bypasses

    Explicit

    Episode 73: In this episode of Critical Thinking - Bug Bounty Podcast we give a brief recap of Nahamcon and then touch on some topics like WAF bypass tools, sandboxed iframes, and programs redacting your reports. Follow us on twitter at: @ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources: ?. Tweet https://x.com/garethheyes/status/1786836956032176215 NoWafPls https://github.com/assetnote/nowafpls Redacted Reports https://x.com/deadvolvo/status/1790397012468199651 Breaking CORS https://x.com/MtnBer/status/1794657827115696181 Sandbox-iframe XSS challenge solution https://joaxcar.com/blog/2024/05/16/sandbox-iframe-xss-challenge-solution/ iframe and window.open magic https://blog.huli.tw/2022/04/07/en/iframe-and-window-open/#detecting-when-a-new-window-has-finished-loading domloggerpp https://github.com/kevin-mizu/domloggerpp Timestamps (00:00:00) Introduction (00:03:29) ?. Operator in JS and NoWafPls (00:07:22) Redacting our own reports (00:11:13) Breaking CORS (00:17:07) Sandbox-iframes (00:24:11) Dom hook plugins

  • Episode 72: Research TLDRs & Smuggling Payloads in Well Known Data Types

    Explicit

    Episode 72: Research TLDRs & Smuggling Payloads in Well Known Data Types

    Explicit

    Episode 72: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss some hot research from the past couple months. This includes ways to smuggle payloads in phone numbers and IPv6 Addresses, the NextJS SSRF, the PDF.JS PoC drop, and a GitHub Enterprise Indirect Method Information bug. Also, we have an attack vector featured from Monke! Follow us on twitter at: @ctbbpodcast Shoutout to YTCracker for the awesome intro music! ------ Links ------ Follow your hosts Rhynorater & Teknogeek on twitter: ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources: PDF.JS Bypass to XSS https://github.com/advisories/GHSA-wgrm-67xf-hhpq https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/ PDFium NextJS SSRF by AssetNote Better Bounty Transparency for hackers Slonser IPV6 Research Smuggling payloads in phone numbers Automatic Plugin SQLi DomPurify Bypass Bug Bounty JP Podcast Github Enterprise send() bug https://x.com/creastery/status/1787327890943873055 https://x.com/Rhynorater/status/1788598984572813549 Timestamps: (00:00:09) Introduction (00:03:20) PDF.JS XSS and NextJS SSRF (00:12:52) Better Bounty Transparency (00:20:01) IPV6 Research and Phone Number Payloads (00:28:20) Community Highlight and Automatic Plugin CVE-2024-27956 (00:33:26) DomPurify Bypass and Github Enterprise send() bug (00:46:12) Caido cookie and header extension updates