Critical Thinking - Bug Bounty Podcast

by Justin Gardner (Rhynorater) & Joel Margolis (teknogeek)

A "by Hackers for Hackers" podcast focused on technical content ranging from bug bounty tips, to write-up explanations, to the latest hacking techniques.

Podcast episodes

  • Season 1

  • Episode 58: Youssef Sammouda - Client-Side & ATO War Stories

    Explicit

    Episode 58: In this episode of Critical Thinking - Bug Bounty Podcast we finally sit down with Youssef Sammouda and grill him on his various techniques for finding and exploiting client-side bugs and postMessage vulnerabilities. He shares some crazy stories about race conditions, exploiting hash change events, and leveraging scroll to text fragments.

    Follow us on Twitter at: @ctbbpodcast
    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------
    Follow your hosts Rhynorater & Teknogeek on Twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------
    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
    Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today's Guest: https://twitter.com/samm0uda?lang=en https://ysamm.com/

    Resources:
    Client-side race conditions with postMessage: https://ysamm.com/?p=742
    Transferable Objects: https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Transferable_objects
    Every known way to get references to windows, in javascript: https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2d
    Youssef's interview with BBRE: https://www.youtube.com/watch?v=MXH1HqTFNm0

    Timestamps:
    (00:00:00) Introduction
    (00:04:27) Client-side race conditions with postMessage
    (00:18:12) On Hash Change Events and Scroll To Text Fragments
    (00:32:00) Finding, documenting, and reporting complex bugs
    (00:37:32) PostMessage Methodology
    (00:45:05) Youssef's Vuln Story
    (00:53:42) Where and how to look for ATO vulns
    (01:05:21) MessagePort
    (01:14:37) Window frame relationships
    (01:20:24) Recon and JS monitoring
    (01:37:03) Client-side routing
    (01:48:05) MITMProxy

  • Episode 57: Technical breakdown from Miami Hacking Event - H1-305

    Explicit

    Episode 57: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are live from Miami, and recap their experience and share takeaways from the live hacking event. They highlight the importance of paying attention to client-side routing and the growing bug class of client-side path traversal. They also discuss the challenges of knowing when to cut your losses and the value of tracking time and setting goals.

    Follow us on Twitter at: @ctbbpodcast
    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------
    Follow your hosts Rhynorater & Teknogeek on Twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------
    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
    Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Timestamps:
    (00:00:00) Introduction
    (00:03:50) Miami LHE Recap and Takeaways
    (00:05:57) Keeping time and cutting losses
    (00:19:07) Roles and Goals
    (00:23:33) OAuth
    (00:28:52) HTML5 image to img Tip

  • Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston)

    Explicit

    Episode 56: In this episode of Critical Thinking - Bug Bounty Podcast, Justin sits down with Jon Colston to discuss how his background in digital marketing and data science has influenced his hunting methodology. We dive into subjects like data sources, automation, working backwards from vulnerabilities, applying conversion funnels to bug bounty, and the mayonaise signature 'Mother of All Bugs'.

    Follow us on Twitter at: @ctbbpodcast
    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------
    Follow your hosts Rhynorater & Teknogeek on Twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------
    WordFence - Sign up as a researcher! https://ctbb.show/wf
    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
    Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today's Guest: https://hackerone.com/mayonaise?type=user

    Timestamps:
    (00:00:00) Introduction
    (00:12:07) Evolving Hacking Methodologies & B2B Hacking
    (00:23:57) Data Science + Bug Bounty
    (00:34:37) 'Lead Generation for Vulns'
    (00:41:39) Ingredients and Recipes
    (00:49:45) Keyword Categorization
    (00:54:30) Manual Processes and Recap
    (01:07:08) Data Sources
    (01:19:59) Digital Marketing + Bug Bounty
    (01:32:22) M.O.A.B.s
    (01:41:02) Burnout Protection and Dupe Analysis

  • Episode 55: Popping WordPress Plugins - Methodology Braindump

    Explicit

    Episode 55: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by WordPress security researcher Ram Gall to discuss both functionality and vulnerabilities within WordPress plugins.

    Follow us on Twitter
    Send us any feedback here:
    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------
    Follow your hosts Rhynorater & Teknogeek on Twitter:

    ------ Ways to Support CTBBPodcast ------
    WordFence - Sign up as a researcher! https://ctbb.show/wf
    ---
    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
    Hop on the CTBB Discord
    We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today's Guest: Ramuel Gall

    UpdraftPlus Vuln
    XML-RPC PingBack
    Unicode and Character Sets
    Reflected XSS POP Chain
    WordpressPluginDirectory
    Subscriber+ RCE in Elementor
    Subscriber+ SSRF
    Unauthed XSS via User-Agent header

    Timestamps:
    (00:00:00) Introduction
    (00:05:55) Add_action & Nonces
    (00:26:16) Add_filter & Register_rest_routes
    (00:38:39) Page-related code & Shortcodes
    (00:50:24) Top Sinks for WP
    (01:02:19) Echo & SQLI Sinks
    (01:15:07) Nonce Leak and wp_handle_upload
    (01:18:16) Page variables & Pop Chains
    (01:26:55) WP Escalations & Bug Reports

  • Episode 54: White Box Formulas - Vulnerable Coding Patterns

    Explicit

    Episode 54: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with news items and new projects. Joel shares about his personal scraping project to gather data on bug bounty programs and distribution. Next, they announce the launch of HackerNotes, a podcast companion that will summarize the main technical points of each episode. They also discuss a recent GitLab CVE and an invisible prompt injection, before diving into a discussion (or debate) about vulnerable code patterns.

    Follow us on Twitter at: @ctbbpodcast
    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------
    Follow your hosts Rhynorater & Teknogeek on Twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------
    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
    Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    GitLab CVE: https://github.com/Vozec/CVE-2023-7028 https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
    Fix commit: https://gitlab.com/gitlab-org/gitlab/-/commit/abe79e4ec437988cf16534a9dbba81b98a2e7f18
    Invisible Prompt Injection: https://x.com/goodside/status/1745511940351287394?s=20
    Regex 101: https://regex101.com
    Regex to Strings: https://www.wimpyprogrammer.com/regex-to-strings/

    Timestamps:
    (00:00:00) Introduction
    (00:01:54) Joel's H1 Data Scraping Research
    (00:19:23) HackerNotes launch
    (00:21:29) GitLab CVE
    (00:27:45) Invisible Prompt Injection
    (00:33:52) Vulnerable Code Patterns
    (00:37:51) Sanitization, but then modification of data afterward
    (00:45:39) Auth check inside body of if statement
    (00:48:15) Check for bad patterns with if, but then don't do any control flow
    (00:50:21) Bad Regex
    (01:00:36) Replace statements for sanitization
    (01:04:32) Anything that allows you to call functions or control code flow in uncommon ways