75 episodes

A "by Hackers for Hackers" podcast focused on technical content ranging from bug bounty tips, to write-up explanations, to the latest hacking techniques.

Critical Thinking - Bug Bounty Podcast Justin Gardner (Rhynorater) & Joel Margolis (teknogeek)

    • Technology
    • 5.0 • 42 Ratings

A "by Hackers for Hackers" podcast focused on technical content ranging from bug bounty tips, to write-up explanations, to the latest hacking techniques.

    Episode 75: *Rerun* of The OG Bug Bounty King - Frans Rosen

    Episode 75: *Rerun* of The OG Bug Bounty King - Frans Rosen

    Episode 75: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are sick, So instead of a new full episode, we're going back 30 episodes to review.
    Follow us on twitter at: @ctbbpodcast
    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
    Shoutout to YTCracker for the awesome intro music!
    ------ Links ------
    Follow your hosts Rhynorater & Teknogeek on twitter:
    https://twitter.com/0xteknogeek
    https://twitter.com/rhynorater
    ------ Ways to Support CTBBPodcast ------
    Hop on the CTBB Discord at https://ctbb.show/discord!
    Today's Guest: https://twitter.com/fransrosen
    Detectify
    Discovering s3 subdomain takeovers
    https://labs.detectify.com/writeups/hostile-subdomain-takeover-using-heroku-github-desk-more/
    bucket-disclose.sh
    https://gist.github.com/fransr/a155e5bd7ab11c93923ec8ce788e3368
    A deep dive into AWS S3 access controls
    Attacking Modern Web Technologies
    Live Hacking like a MVH
    Account hijacking using Dirty Dancing in sign-in OAuth flows
    Timestamps:
    (00:00:00) Introduction
    (00:11:41) Franz Rosen's Bug Bounty Journey and Detectify
    (00:20:21) Pseudo-code, typing, and thinking like a dev
    (00:27:11) Hunter Methodologies and automationists
    (00:42:31) Time on targets, Iteration vs. Ideation
    (00:58:01) S3 subdomain takeovers
    (01:11:53) Blog posting and hosting motivations
    (01:20:21) Detectify and entrepreneurial endeavors
    (01:36:41) Attacking Modern Web Technologies
    (01:52:51) postMessage and MessagePort
    (02:05:00) Live Hacking and Collaboration
    (02:20:41) Account Hijacking and OAuth Flows
    (02:35:39) Hacking + Parenthood

    • 2 hr 44 min
    Episode 74: Supply Chain Attack Primer - Popping RCE Without an HTTP Request (feat 0xLupin)

    Episode 74: Supply Chain Attack Primer - Popping RCE Without an HTTP Request (feat 0xLupin)

    Episode 74: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Roni "Lupin" Carta for a deep dive into supply chain attacks and dependency confusion. We explore the supply chain attacks, the ethical considerations surrounding maintainers and hosting packages on public registries, and chat about the vision and uses of his new tool Depi.
    Follow us on twitter at: @ctbbpodcast
    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
    Shoutout to YTCracker for the awesome intro music!
    ------ Links ------
    Follow your hosts Rhynorater & Teknogeek on twitter:
    https://twitter.com/0xteknogeek
    https://twitter.com/rhynorater
    ------ Ways to Support CTBBPodcast ------
    Hop on the CTBB Discord at https://ctbb.show/discord!
    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
    Today’s Guest: https://x.com/0xLupin
    Resources:
    Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
    https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
    git-dump
    https://github.com/tomnomnom/dotfiles/blob/master/scripts/git-dump
    Depi
    https://www.landh.tech/depi
    Weak links of Supply Chain
    https://arxiv.org/pdf/2112.10165

    Timestamps:
    (00:00:00) Introduction
    (00:07:13) Overveiw of Supply Chain Flow
    (00:15:14) Getting our Scope
    (00:23:46) Depi
    (00:29:12) Types of attacks and finding the 80/20
    (00:45:06) Maintainer attacks
    (01:10:40) Regestries, artifactories, and an npm bug
    (01:31:51) Grafana NPX Confusion

    • 1 hr 38 min
    Episode 73: Sandboxed IFrames and WAF Bypasses

    Episode 73: Sandboxed IFrames and WAF Bypasses

    Episode 73: In this episode of Critical Thinking - Bug Bounty Podcast we give a brief recap of Nahamcon and then touch on some topics like WAF bypass tools, sandboxed iframes, and programs redacting your reports.
    Follow us on twitter at: @ctbbpodcast
    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
    Shoutout to YTCracker for the awesome intro music!
    ------ Links ------
    Follow your hosts Rhynorater & Teknogeek on twitter:
    https://twitter.com/0xteknogeek
    https://twitter.com/rhynorater
    ------ Ways to Support CTBBPodcast ------
    Hop on the CTBB Discord at https://ctbb.show/discord!
    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
    Resources:
    ?. Tweet
    https://x.com/garethheyes/status/1786836956032176215
    NoWafPls
    https://github.com/assetnote/nowafpls
    Redacted Reports
    https://x.com/deadvolvo/status/1790397012468199651
    Breaking CORS
    https://x.com/MtnBer/status/1794657827115696181
    Sandbox-iframe XSS challenge solution
    https://joaxcar.com/blog/2024/05/16/sandbox-iframe-xss-challenge-solution/
    iframe and window.open magic
    https://blog.huli.tw/2022/04/07/en/iframe-and-window-open/#detecting-when-a-new-window-has-finished-loading
    domloggerpp
    https://github.com/kevin-mizu/domloggerpp
    Timestamps
    (00:00:00) Introduction
    (00:03:29) ?. Operator in JS and NoWafPls
    (00:07:22) Redacting our own reports
    (00:11:13) Breaking CORS
    (00:17:07) Sandbox-iframes
    (00:24:11) Dom hook plugins

    • 31 min
    Episode 72: Research TLDRs & Smuggling Payloads in Well Known Data Types

    Episode 72: Research TLDRs & Smuggling Payloads in Well Known Data Types

    Episode 72: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss some hot research from the past couple months. This includes ways to smuggle payloads in phone numbers and IPv6 Addresses, the NextJS SSRF, the PDF.JS PoC drop, and a GitHub Enterprise Indirect Method Information bug. Also, we have an attack vector featured from Monke!
    Follow us on twitter at: @ctbbpodcast
    Shoutout to YTCracker for the awesome intro music!
    ------ Links ------
    Follow your hosts Rhynorater & Teknogeek on twitter:
    ------ Ways to Support CTBBPodcast ------
    Hop on the CTBB Discord at https://ctbb.show/discord!
    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
    Resources:
    PDF.JS Bypass to XSS
    https://github.com/advisories/GHSA-wgrm-67xf-hhpq
    https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
    PDFium
    NextJS SSRF by AssetNote
    Better Bounty Transparency for hackers
    Slonser IPV6 Research
    Smuggling payloads in phone numbers
    Automatic Plugin SQLi
    DomPurify Bypass
    Bug Bounty JP Podcast
    Github Enterprise send() bug
    https://x.com/creastery/status/1787327890943873055
    https://x.com/Rhynorater/status/1788598984572813549
    Timestamps:
    (00:00:09) Introduction
    (00:03:20) PDF.JS XSS and NextJS SSRF
    (00:12:52) Better Bounty Transparency
    (00:20:01) IPV6 Research and Phone Number Payloads
    (00:28:20) Community Highlight and Automatic Plugin CVE-2024-27956
    (00:33:26) DomPurify Bypass and Github Enterprise send() bug
    (00:46:12) Caido cookie and header extension updates

    • 52 min
    Episode 71: More VDP Chats & AI Bias Bounty Strats with Keith Hoodlet

    Episode 71: More VDP Chats & AI Bias Bounty Strats with Keith Hoodlet

    Episode 71: In this episode of Critical Thinking - Bug Bounty Podcast Keith Hoodlet joins us to weigh in on the VDP Debate. He shares some of his insights on when VDPs are appropriate in a company's security posture, and the challenges of securing large organizations. Then we switch gears and talk about AI bias bounties, where Keith explains the approach he takes to identify bias in chatbots and highlights the importance of understanding human biases and heuristics to better hack AI.
    Follow us on twitter at: @ctbbpodcast
    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
    Shoutout to YTCracker for the awesome intro music!
    ------ Links ------
    Follow your hosts Rhynorater & Teknogeek on twitter:
    https://twitter.com/0xteknogeek
    https://twitter.com/rhynorater
    ------ Ways to Support CTBBPodcast ------
    Hop on the CTBB Discord at https://ctbb.show/discord!
    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
    Today’s guest: Keith Hoodlet
    https://securing.dev/
    Resources:
    Daniel Miessler's article about the security poverty line
    https://danielmiessler.com/p/the-cybersecurity-skills-gap-is-another-instance-of-late-stage-capitalism/
    Hacking AI Bias
    https://securing.dev/posts/hacking-ai-bias/
    Hacking AI Bias Video
    https://youtu.be/AeFZA7xGIbE?si=TLQ7B3YtzPWXS4hq
    Sarah's Hoodlet's new book
    https://sarahjhoodlet.com
    Link to Amazon Page
    https://a.co/d/c0LTM8U
    Timestamps:
    (00:00:00) Introduction
    (00:04:09) Keith's Appsec Journey
    (00:16:24) The Great VDP Debate Redux
    (00:47:18) Platform/Hunter Incentives and Government Regulation
    (01:06:24) AI Bias Bounties
    (01:26:27) AI Techniques and Bugcrowd Contest

    • 1 hr 45 min
    Episode 70: NahamCon and CSP Bypasses Everywhere

    Episode 70: NahamCon and CSP Bypasses Everywhere

    Episode 70: In this episode of Critical Thinking - Bug Bounty Podcast we’re once again joined by Ben Sadeghipour to talk about some Nahamcon news, as well as discuss a couple other LHE’s taking place. Then they cover CI/CD and drop some cool CSP Bypasses.
    Follow us on twitter at: @ctbbpodcast
    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
    Shoutout to YTCracker for the awesome intro music!
    ------ Links ------
    Follow your hosts Rhynorater & Teknogeek on twitter:
    https://twitter.com/0xteknogeek
    https://twitter.com/rhynorater
    ------ Ways to Support CTBBPodcast ------
    Hop on the CTBB Discord at https://ctbb.show/discord!
    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
    Today’s Guest: https://twitter.com/NahamSec
    https://www.nahamcon.com/
    Resources:
    Depi
    https://www.landh.tech/depi
    Youtube CSP:
    https://www.youtube.com/oembed?callback=alert()
    Maps CSP:
    https://maps.googleapis.com/maps/api/js?callback=alert()-print
    Google APIs CSP
    https://www.googleapis.com/customsearch/v1?callback=alert(1)
    Google CSP
    https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//
    CSP Bypass for opener.child.child.child.click()
    https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/
    Timestamps:
    (00:00:00) Introduction
    (00:02:55) BSides Takeaways and hacking on Meta
    (00:12:12) NahamCon News
    (00:23:45) CI/CD and the launch of Depi
    (00:33:29) CSP Bypasses

    • 43 min

Customer Reviews

5.0 out of 5
42 Ratings

42 Ratings

DAJOE2020 ,

Awesome Podcast!

As a beginner wanting to learn about bug bounty, I really enjoyed this podcast. They dive deep into a variety of topics, talk with other experts, and are very well informed themselves. Definitely give it a listen, it’s worth your time!

C3lt1c Hacker ,

Amazing Content!

I just found this podcast. I am a new bug bounty hunter.

In the morning, I’m a culinary chef, by night I’m a bug bounty hunter. I listen to this (just started 2 days ago) while I’m at work to get my hyped up and excited about after work.

Knowing these 2 guys literally pays their bills with bug bounties gives me hope I can too!

Thank you for the encouragement and the new tools you guys speak of! The methods are worth their weight in gold, and eager to start learning & doing more!

Reece O'Bryan ,

Informative

Terrific podcast

Top Podcasts In Technology

Acquired
Ben Gilbert and David Rosenthal
Lex Fridman Podcast
Lex Fridman
All-In with Chamath, Jason, Sacks & Friedberg
All-In Podcast, LLC
Catalyst with Shayle Kann
Latitude Media
TED Radio Hour
NPR
Darknet Diaries
Jack Rhysider

You Might Also Like

Bug Bounty Reports Discussed
Grzegorz Niedziela
Malicious Life
Malicious Life
Smashing Security
Graham Cluley & Carole Theriault
Darknet Diaries
Jack Rhysider
Hacking Humans
N2K Networks
CyberWire Daily
N2K Networks