Critical Thinking - Bug Bounty Podcast Justin Gardner (Rhynorater) & Joel Margolis (teknogeek)

Episode 68: In this episode of Critical Thinking - Bug Bounty Podcast Mathias is back with some fresh HTMX research, including CSP bypass using HTMX triggers, converting client-side response header injection to XSS, bypassing HTMX disable, and the challenges of using HTMX in larger applications and the potential performance trade-offs. We also talk about the results of his recent CTF Challenge, and explore some more facets of CDN-CGI functionality.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Project Discovery Conference: https://nux.gg/hss24
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Guest:
https://twitter.com/avlidienbrunn
Resources:
Masato Kinugawa's research on Teams
https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=33
subdomain-only 307 open redirect
https://avlidienbrunn.se/cdn-cgi/image/onerror=redirect/http://anything.avlidienbrunn.se
Timestamps
(00:00:00) Introduction
(00:05:18) CSP Bypass using HTML
(00:14:00) Converting client-side response header injection to XSS
(00:23:10) Bypassing hx-disable
(00:32:37) XSS-ing impossible elements
(00:38:22) CTF challenge Recap and knowing there's a bug
(00:51:53) hx-on (depreciated)
(00:54:30) CDN-CGI Research discussion

Episode 67: In this episode of Critical Thinking - Bug Bounty Podcast we deepdive on the topic of Vulnerability Disclosure Programs (VDPs) and whether they are beneficial or not. We also touch on the topic of leaderboard accuracy, and continue the Program VS Hacker debate regarding allocating funds for bounties.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Project Discovery Conference: https://nux.gg/hss24
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Resources:
Nagli's Braindump on VDPs
https://twitter.com/galnagli/status/1780174392003031515
Timestamps:
(00:00:00) Introduction
(00:05:37) VDP programs
(00:34:10) Leaderboards
(00:43:52) Hacker vs. Program debate Part 2
(01:07:24) Walling Off Endpoints

Episode 66: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the recent YesWeHack Louis Vuitton LHE, the importance of failure as growth in bug bounty, and Justin shares his research on CDN CGI.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Project Discovery Conference: https://nux.gg/hss24
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Resources:
YesWeHack Luis Vuitton LHE
https://twitter.com/yeswehack/status/1776280653744554287
https://event.yeswehack.com/events/hack-me-im-famous-2
Caido Workflows
https://github.com/caido/workflows
Oauth Redirects
https://twitter.com/Akshanshjaiswl/status/1724143813088940192
Bagipro Golden URL techniques
https://hackerone.com/reports/431002
Roadmap I followed to make 15,000+$ Bounties in my first 8 months https://shreyaschavhan.notion.site/Roadmap-I-followed-to-make-15-000-Bounties-in-my-first-8-months-of-starting-out-and-my-journey-98b1b9ff621645c0b97d1e774992f300
Monke Hacks Blog
https://monkehacks.beehiiv.com/
PortSwigger post
https://x.com/PortSwiggerRes/status/1766087129908576760
post from Masato Kinugawa
https://x.com/kinugawamasato/status/916393484147290113
Timestamps:
(00:00:00) Introduction
(00:04:19) Louis Vuitton LHE
(00:13:57) Browser Market share
(00:21:13) Justin's Bug of the Week
(00:24:49) Caido Workflows
(00:27:24) Oauth Redirects
(00:32:24) Bug Bounty learning Methodology
(00:41:03) 'Intent To Ship'
(00:48:08) CDN-CGI Research

Episode 65: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with Sam Curry to discuss the ethical considerations and effectiveness of hacking, the importance of good intent, and the enjoyment Sam derives from pushing the boundaries to find bugs. He shares stories of his experiences, including hacking Tesla, online casinos,Starbucks, his own is ISP router, and even getting detained at the airport.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Project Discovery Conference: https://nux.gg/hss24
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Guest:
https://samcurry.net/

Resources:
Don’t Force Yourself to Become a Bug Bounty Hunter
hackcompute
Starbucks Bug
recollapse

Timestamps:
(00:00:00) Introduction
(00:02:25) Hacking Journey and the limits of Ethical Hacking
(00:28:28) Selecting companies to hack
(00:33:22) Fostering passion vs. Forcing performance
(00:54:06) Collaboration and Hackcompute
(01:00:40) The Efficacy of Bug Bounty
(01:09:20) Secondary Context Bugs
(01:25:01) Mindmaps, note-taking, and Intuition.
(01:46:56) Back-end traversals and Unicode
(01:56:16) Hacking ISP
(02:06:58) Next.js and Crypto
(02:22:24) Dev vs. Prod JWT

Episode 64: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Justin and Joel delve into .NET remoting and how it can be exploited, a recent bypass in the Dom Purify library and some interesting functionality in the Cloudflare CDN-CGI endpoint. They also touch on the importance of collaboration and knowledge sharing, JavaScript Deobfuscation, the value of impactful POCs, hiding XSS payloads with URL path updates.
Follow us on twitter at: @ctbbpodcast
send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Check out Project Discovery’s nuclei 3.2 release blog at nux.gg/podcast
Resources:
.NET Remoting
https://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/
https://github.com/codewhitesec/HttpRemotingObjRefLeak
DOM Purify Bug
Cloudflare /cdn-cgi/
https://developers.cloudflare.com/fundamentals/reference/cdn-cgi-endpoint/
https://portswigger.net/research/when-security-features-collide
https://twitter.com/kinugawamasato/status/893404078365069312
https://twitter.com/m4ll0k/status/1770153059496108231
XSSDoctor's writeup on Javascript deobfuscation
renniepak's tweet
Naffy's tweet
Timestamps:
(00:00:00) Introduction
(00:07:15) .Net Remoting
(00:17:29) DOM Purify Bug
(00:25:56) Cloudflare /cdn-cgi/
(00:37:11) Javascript deobfuscation
(00:47:26) renniepak's tweet
(00:55:20) Naffy's tweet

Episode 63: In this episode of Critical Thinking - Bug Bounty Podcast we welcome back Jason Haddix (From Episode 12) to talk about some updates to his The Bug Hunter's Methodology, as well as his own personal life and hacking journey. We talk about the start of his new company, and then venture into topics such as using threat intelligence and buying credentials from the dark web, recon techniques, and ways to integrate AI into your workflow (or target list).
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. 
Today’s Guest:
https://twitter.com/Jhaddix
https://www.arcanum-sec.com/
Resources:
Dehashed
https://www.dehashed.com/
Flare
https://flare.io/
CSP Recon
https://github.com/edoardottt/csprecon
Timestamps:
(00:00:00) Introduction
(00:05:37) Updates to The Bug Hunter's Methodology
(00:14:46) Red Teaming
(00:21:29) Bug Bounty on the Dark Web
(00:36:19) FIS hunting
(00:47:59) New Recon Techniques 
(00:58:32) AI integrations and bounties