59 episodes

A "by Hackers for Hackers" podcast focused on technical content ranging from bug bounty tips, to write-up explanations, to the latest hacking techniques.

Critical Thinking - Bug Bounty Podcast Justin Gardner (Rhynorater) & Joel Margolis (teknogeek)

    • Technology
    • 5.0 • 40 Ratings

    Episode 59: Bug Bounty Gadget Hunting & Hacker's Intuition

    Episode 59: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the concept of gadgets and how they can be used to escalate the impact of vulnerabilities. We talk through things like HTML injection, image injection, CRLF injection, web cache deception, leaking window location, self-stored XSS, and much more.
    Follow us on twitter at: @ctbbpodcast
    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
    Shoutout to YTCracker for the awesome intro music!
    ------ Links ------
    Follow your hosts Rhynorater & Teknogeek on twitter:
    ------ Ways to Support CTBBPodcast ------
    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. 
    Hop on the CTBB Discord at https://ctbb.show/discord!
    We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. 
    Resources:
    Even Better
    NahamSec's 5 Week Program
    NahamCon News
    CSS Injection Research
    Timestamps:
    (00:00:00) Introduction
    (00:03:31) Caido's New Features
    (00:15:20) Nahamcon News and 5 week Bootcamp and pentest opportunity
    (00:19:54) HTML Injection, CSS Injection, and Clickjacking
    (00:33:11) Image Injection
    (00:37:19) Open Redirects, Client-side path traversal, and Client-side Open Redirect
    (00:49:51) Leaking window.location.href
    (00:57:15) Cookie refresh gadget
    (01:01:40) Stored XSS
    (01:09:01) CRLF Injection
    (01:13:24) 'A Place To Stand' in GraphQL and ID Oracle
    (01:18:23) Auth gadgets, Web Cache Deception, & LocalStorage poisoning
    (01:27:46) Cookie Injection & Context Breaks

    • 1 hr 39 min
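    One of the gadgets named above, CRLF injection, turns a low-impact open redirect into header injection and, when the server echoes the body too, into reflected XSS. The following is an added example rather than code from the podcast: a hypothetical hand-rolled redirect handler that copies a decoded `next` parameter into the Location header, beside a hardened version; the host allowlist, function names and payloads are all constructed for the example.

```python
"""Added example (not the podcast's code): a CRLF-injection gadget in a
redirect handler, beside a hardened version.  All names are hypothetical."""
from urllib.parse import unquote, urlparse

ALLOWED_HOSTS = {"app.example.com"}   # hypothetical redirect allowlist


def build_redirect_vulnerable(next_param):
    """Decodes `next` and splices it straight into the Location header."""
    target = unquote(next_param)              # "%0d%0a" becomes "\r\n"
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def build_redirect_hardened(next_param):
    """Rejects control characters, then only redirects to allowlisted targets."""
    target = unquote(next_param)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        raise ValueError("control character in redirect target")
    is_local_path = target.startswith("/") and not target.startswith(("//", "/\\"))
    if not is_local_path:
        parsed = urlparse(target)
        if parsed.scheme != "https" or parsed.netloc not in ALLOWED_HOSTS:
            raise ValueError("redirect target not on the allowlist")
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def parse_response(raw):
    """Minimal parser showing what a browser or caching proxy would see:
    returns (headers, body) with header names lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:   # skip status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


# Constructed payloads: the first injects a Set-Cookie header, the second
# terminates the headers early and supplies its own body.
COOKIE_PAYLOAD = "https://app.example.com/%0d%0aSet-Cookie:%20session=attacker;%20Path=/"
BODY_PAYLOAD = "/%0d%0aContent-Length:%2025%0d%0a%0d%0a<script>alert(1)</script>"

if __name__ == "__main__":
    headers, _ = parse_response(build_redirect_vulnerable(COOKIE_PAYLOAD))
    print("injected cookie:", headers.get("set-cookie"))
    _, body = parse_response(build_redirect_vulnerable(BODY_PAYLOAD))
    print("injected body:", body[:25])
    try:
        build_redirect_hardened(COOKIE_PAYLOAD)
    except ValueError as err:
        print("hardened handler refused:", err)
```

    Caveat for hunting: most modern frameworks and HTTP libraries already refuse CR and LF in header values, so this gadget usually lives in legacy or hand-written servers, in reverse proxies that rewrite headers, or in values that reach the header through a second decoding step. The hardened handler also closes the open redirect itself, since the allowlist check runs on the decoded value.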
    Episode 58: Youssef Sammouda - Client-Side & ATO War Stories

    Episode 58: In this episode of Critical Thinking - Bug Bounty Podcast we finally sit down with Youssef Sammouda and grill him on his various techniques for finding and exploiting client-side bugs and postMessage vulnerabilities. He shares some crazy stories about race conditions, exploiting hash change events, and leveraging scroll-to-text fragments.
    Follow us on twitter at: @ctbbpodcast
    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
    Shoutout to YTCracker for the awesome intro music!
    ------ Links ------
    Follow your hosts Rhynorater & Teknogeek on twitter:
    https://twitter.com/0xteknogeek
    https://twitter.com/rhynorater
    ------ Ways to Support CTBBPodcast ------
    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. 
    Hop on the CTBB Discord at https://ctbb.show/discord!
    We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. 
    Today’s Guest: https://twitter.com/samm0uda?lang=en
    https://ysamm.com/
    Resources:
    Client-side race conditions with postMessage: 
    https://ysamm.com/?p=742 
    Transferable Objects
    https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Transferable_objects
    Every known way to get references to windows, in javascript:
    https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2d
    Youssef’s interview with BBRE
    https://www.youtube.com/watch?v=MXH1HqTFNm0
    Timestamps:
    (00:00:00) Introduction
    (00:04:27) Client-side race conditions with postMessage
    (00:18:12) On Hash Change Events and Scroll To Text Fragments
    (00:32:00) Finding, documenting, and reporting complex bugs
    (00:37:32) PostMessage Methodology
    (00:45:05) Youssef's Vuln Story
    (00:53:42) Where and how to look for ATO vulns
    (01:05:21) MessagePort
    (01:14:37) Window frame relationships
    (01:20:24) Recon and JS monitoring
    (01:37:03) Client-side routing
    (01:48:05) MITMProxy

    • 1 hr 54 min
    Episode 57: Technical breakdown from Miami Hacking Event - H1-305

    Episode 57: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are live from Miami, and recap their experience and share takeaways from the live hacking event. They highlight the importance of paying attention to client-side routing and the growing bug class of client-side path traversal. They also discuss the challenges of knowing when to cut your losses and the value of tracking time and setting goals. 
    Follow us on twitter at: @ctbbpodcast
    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
    Shoutout to YTCracker for the awesome intro music!
    ------ Links ------
    Follow your hosts Rhynorater & Teknogeek on twitter:
    https://twitter.com/0xteknogeek
    https://twitter.com/rhynorater
    ------ Ways to Support CTBBPodcast ------
    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. 
    Hop on the CTBB Discord at https://ctbb.show/discord!
    We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. 
    Timestamps:
    (00:00:00) Introduction
    (00:03:50) Miami LHE Recap and Takeaways
    (00:05:57) Keeping time and cutting losses.
    (00:19:07) Roles and Goals
    (00:23:33) OAuth
    (00:28:52) HTML5 image to img Tip

    • 32 min
    Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston)
    Episode 56: In this episode of Critical Thinking - Bug Bounty Podcast, Justin sits down with Jon Colston to discuss how his background in digital marketing and data science has influenced his hunting methodology. We dive into subjects like data sources, automation, working backwards from vulnerabilities, applying conversion funnels to bug bounty, and the Mayonaise signature 'Mother of All Bugs'.
    Follow us on twitter at: @ctbbpodcast
    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
    Shoutout to YTCracker for the awesome intro music!
    ------ Links ------
    Follow your hosts Rhynorater & Teknogeek on twitter:
    https://twitter.com/0xteknogeek
    https://twitter.com/rhynorater
    ------ Ways to Support CTBBPodcast ------
    WordFence - Sign up as a researcher! https://ctbb.show/wf
    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. 
    Hop on the CTBB Discord at https://ctbb.show/discord!
    We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. 
    Today’s Guest:
    https://hackerone.com/mayonaise?type=user
    Timestamps:
    (00:00:00) Introduction
    (00:12:07) Evolving Hacking Methodologies & B2B Hacking
    (00:23:57) Data Science + Bug Bounty
    (00:34:37) 'Lead Generation for Vulns'
    (00:41:39) Ingredients and Recipes
    (00:49:45) Keyword Categorization
    (00:54:30) Manual Processes and Recap
    (01:07:08) Data Sources
    (01:19:59) Digital Marketing + Bug Bounty
    (01:32:22) M.O.A.B.s
    (01:41:02) Burnout Protection and Dupe Analysis

    • 1 hr 47 min
    Episode 55: Popping WordPress Plugins - Methodology Braindump

    Episode 55: Popping WordPress Plugins - Methodology Braindump

    Episode 55: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by WordPress security researcher Ram Gall to discuss both functionality and vulnerabilities within WordPress plugins.
    Follow us on twitter
    Send us any feedback here:
    Shoutout to YTCracker for the awesome intro music!
    ------ Links ------
    Follow your hosts Rhynorater & Teknogeek on twitter:
    ------ Ways to Support CTBBPodcast ------
    WordFence - Sign up as a researcher! https://ctbb.show/wf
    ---
    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
    Hop on the CTBB Discord
    We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
    Today’s Guest:
    Ramuel Gall
    UpdraftPlus Vuln
    XML-RPC PingBack
    Unicode and Character Sets
    Reflected XSS
    POP Chain
    WordPress Plugin Directory
    Subscriber+ RCE in Elementor
    Subscriber+ SSRF
    Unauthed XSS via User-Agent header
    Timestamps:
    (00:00:00) Introduction
    (00:05:55) add_action & Nonces
    (00:26:16) add_filter & register_rest_route
    (00:38:39) Page-related code & Shortcodes
    (00:50:24) Top Sinks for WP
    (01:02:19) Echo & SQLI Sinks
    (01:15:07) Nonce Leak and wp_handle_upload
    (01:18:16) Page variables & POP Chains
    (01:26:55) WP Escalations & Bug Reports

    • 1 hr 44 min
    Episode 54: White Box Formulas - Vulnerable Coding Patterns

    Episode 54: White Box Formulas - Vulnerable Coding Patterns

    Episode 54: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with news items and new projects. Joel shares his personal scraping project to gather data on bug bounty programs and bounty distribution. Next, they announce the launch of HackerNotes, a podcast companion that summarizes the main technical points of each episode. They also discuss a recent GitLab CVE and an invisible prompt injection, before diving into a discussion (or debate) about vulnerable code patterns.
    Follow us on twitter at: @ctbbpodcast
    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
    Shoutout to YTCracker for the awesome intro music!
    ------ Links ------
    Follow your hosts Rhynorater & Teknogeek on twitter:
    https://twitter.com/0xteknogeek
    https://twitter.com/rhynorater
    ------ Ways to Support CTBBPodcast ------
    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
    Hop on the CTBB Discord at https://ctbb.show/discord!
    We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
    GitLab CVE
    https://github.com/Vozec/CVE-2023-7028
    https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
    Fix commit: https://gitlab.com/gitlab-org/gitlab/-/commit/abe79e4ec437988cf16534a9dbba81b98a2e7f18
    Invisible Prompt Injection
    https://x.com/goodside/status/1745511940351287394?s=20
    Regex 101
    https://regex101.com
    Regex to Strings
    https://www.wimpyprogrammer.com/regex-to-strings/
    Timestamps:
    (00:00:00) Introduction
    (00:01:54) Joel’s H1 Data Scraping Research
    (00:19:23) HackerNotes launch
    (00:21:29) GitLab CVE
    (00:27:45) Invisible Prompt Injection
    (00:33:52) Vulnerable Code Patterns
    (00:37:51) Sanitization, but then modification of data afterward
    (00:45:39) Auth check inside body of if statement
    (00:48:15) Check for bad patterns with if, but then don't do any control flow
    (00:50:21) Bad Regex
    (01:00:36) Replace statements for sanitization
    (01:04:32) Anything that allows you to call functions or control code flow in uncommon ways

    • 1 hr 12 min
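    The vulnerable code patterns listed in the Episode 54 timestamps are easiest to recognise in source review when you have seen each one next to its fix. The block below is an added example, not code from the podcast or its hosts: each pattern is written as a small hypothetical handler beside a hardened variant, with constructed inputs (a fake filesystem, a made-up trusted origin, an `X-Role` header) so it runs offline.

```python
"""Added example (not the podcast's code): the vulnerable coding patterns
listed for Episode 54, each beside a hardened variant.  All names, hosts and
sample inputs are hypothetical."""
import html
import posixpath
import re
from urllib.parse import unquote, urlparse

# 1. Sanitization, then modification of the data afterwards: the check runs
#    on the encoded string and the decode that follows undoes it.
def href_vulnerable(url):
    if url.lower().startswith("javascript:"):
        return None
    return unquote(url)                       # "java%73cript:" -> "javascript:"

def href_hardened(url):
    decoded = unquote(url)                    # normalize first, then validate
    if urlparse(decoded).scheme.lower() not in ("", "http", "https"):
        return None
    return decoded

# 2. Auth check inside the body of an if: a missing header skips the check.
def admin_action_vulnerable(headers):
    if "X-Role" in headers:
        if headers["X-Role"] != "admin":
            return False
    return True                               # no header -> allowed

def admin_action_hardened(headers):
    return headers.get("X-Role") == "admin"   # default deny

# 3. Check for a bad pattern, but no control flow: the hit is logged and the
#    request proceeds anyway.
PUBLIC_ROOT = "/var/app/public"
FAKE_FS = {"/var/app/public/index.html": "<h1>hi</h1>", "/etc/passwd": "root:x:0:0:"}
AUDIT_LOG = []

def read_file_vulnerable(user_path):
    if ".." in user_path:
        AUDIT_LOG.append(f"suspicious path: {user_path}")   # no return/raise here
    full = posixpath.normpath(posixpath.join(PUBLIC_ROOT, user_path))
    return FAKE_FS.get(full)

def read_file_hardened(user_path):
    full = posixpath.normpath(posixpath.join(PUBLIC_ROOT, user_path))
    if not full.startswith(PUBLIC_ROOT + "/"):   # resolved path must stay in root
        return None
    return FAKE_FS.get(full)

# 4. Bad regex: unescaped dots and no end anchor.
def origin_ok_vulnerable(origin):
    return re.match(r"https://trusted.example.com", origin) is not None

def origin_ok_hardened(origin):
    return re.fullmatch(r"https://trusted\.example\.com(?::443)?", origin) is not None

# 5. Replace statements for sanitization: a single, non-recursive replace
#    lets a nested token reassemble itself.
def strip_script_vulnerable(s):
    return s.replace("<script", "")

def strip_script_hardened(s):
    return html.escape(s, quote=True)         # encode for the output context instead

if __name__ == "__main__":
    print(href_vulnerable("java%73cript:alert(1)"), href_hardened("java%73cript:alert(1)"))
    print(admin_action_vulnerable({}), admin_action_hardened({}))
    print(read_file_vulnerable("../../../etc/passwd"), read_file_hardened("../../../etc/passwd"))
    print(origin_ok_vulnerable("https://trusted.example.com.evil.net"),
          origin_ok_hardened("https://trusted.example.com.evil.net"))
    print(strip_script_vulnerable("<scr<scriptipt>alert(1)</script>"))
```

    When reviewing code, grep for the shape rather than the specific bug: a decode, `lower()`, `normpath` or `replace` that runs after a validation; an authorization check nested under a condition on attacker-controlled data; a logging call where a `return` or `raise` should be; `re.match` or `re.search` where `re.fullmatch` is needed; and any sanitizer built from `replace` rather than context-aware encoding.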

Customer Reviews

5.0 out of 5
40 Ratings

DAJOE2020,

Awesome Podcast!

As a beginner wanting to learn about bug bounty, I really enjoyed this podcast. They dive deep into a variety of topics, talk with other experts, and are very well informed themselves. Definitely give it a listen, it’s worth your time!

C3lt1c Hacker,

Amazing Content!

I just found this podcast. I am a new bug bounty hunter.

In the morning, I’m a culinary chef, by night I’m a bug bounty hunter. I listen to this (just started 2 days ago) while I’m at work to get me hyped up and excited about after work.

Knowing these 2 guys literally pay their bills with bug bounties gives me hope I can too!

Thank you for the encouragement and the new tools you guys speak of! The methods are worth their weight in gold, and eager to start learning & doing more!

Reece O'Bryan,

Informative

Terrific podcast