Critical Thinking - Bug Bounty Podcast

Episode 62: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with some additional research resources that didn’t make the Portswigger Top-Ten, but that are worth looking at.Follow us on twitter at: @ctbbpodcastFeel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Resources:Cool HTML Shithttps://twitter.com/jcubic/status/1764311080661082201https://twitter.com/encodeart/status/1764218128374943764Bug bounty Hunting Journeyshttps://twitter.com/ajxchapman/status/1762101366057525521https://monkehacks.beehiiv.com/p/monkehacks-02Yelp Cookie Bridge ReportDeobfuscating/Unminifying Obfuscated CodeChatGPT Source WatchWeb Security Research RedditNahamsec ResourcesPortswigger Nominations listAbusing perspectives: https://hackerone.com/reports/2401115PortSwigger CSS Exfiltrationhttps://github.com/PortSwigger/css-exfiltrationTimestamps:(00:00:00) Introduction(00:02:06) Cool HTML Shit(00:15:31) Bug Bounty Journeys(00:28:01) Yelp Cookie Bridge Bug(00:37:56) Additional Research Resources(00:46:34) CSS and abusing perspectives

14 Mar 202458min

Episode 61: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Jasmin Landry to share some stories about startup security, bug bounty, and the challenges of balancing both. He also shares his methodology for discovering OAuth-related bugs, highlights some differences between structured learning and self-teaching, and then walks us through a couple arbitrary ATO’s and SSTI to RCE bugs he’s found lately.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Guest: Jasmin Landryhttps://twitter.com/JR0ch17Resources:Dirty Dancing blog posthttps://labs.detectify.com/writeups/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/OAuth 2.0 Threat Model and Security Considerationshttps://datatracker.ietf.org/doc/html/rfc6819OAuth 2.0 Security Best Current Practicehttps://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topicsTimestamps:(00:00:00) Introduction(00:02:20) Meta Tag + DomPurify Bug(00:09:36) Jasmin's Origin story(00:28:23) Full time Bug bounty challenges(00:36:57) Career jumps in Security and current Role(00:47:32) OAuth Bug methodology and cool bug stories(01:02:35) Social Engineering and Bug Bounty(01:13:41) Arbitrary ATO bug(01:19:41) SSTI to RCE bug

7 Mar 20241h 27min

Episode 60: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel review the Portswigger Research list of top 10 web hacking techniques of 2023.Follow us on twitter at: @ctbbpodcastSend us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------Hop on the CTBB DiscordWe also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources:Top 10 web hacking techniques of 20231: Smashing the state machine8: From Akamai to F5 to NTLM3: SMTP Smuggling4: PHP filter chains(Bonus Read)5: HTTP Parsers Inconsistencies6: HTTP Request Splitting7: How I Hacked Microsoft Teams9: Cookie Crumbles(Bonus Read)10: Hacking root EPP servers to take control of zonesTimestamps:(00:00:00) Introduction(00:04:26) 1: Smashing the state machine(00:11:56) 8: From Akamai to F5 to NTLM... with love(00:17:11) 3: SMTP Smuggling(00:26:27) 4: PHP filter chains(00:36:40) 5: HTTP Parsers Inconsistencies(00:44:56) 6: HTTP Request Splitting(00:53:43) 7: How I Hacked Microsoft Teams(01:02:25) 9: Cookie Crumbles(01:11:36) 10: EPP Server Takeover

29 Feb 20241h 24min

Episode 59: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the concept of gadgets and how they can be used to escalate the impact of vulnerabilities. We talk through things like HTML injection, image injection, CRLF injection, web cache deception, leaking window location, self-stored XSS, and much more.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Resources:Even BetterNahamSec's 5 Week ProgramNahamCon NewsCSS Injection ResearchTimestamps:(00:00:00) Introduction(00:03:31) Caido's New Features(00:15:20) Nahamcon News and 5 week Bootcamp and pentest opportunity(00:19:54) HTML Injection, CSS Injection, and Clickjacking(00:33:11) Image Injection(00:37:19) Open Redirects, Client-side path traversal, and Client-side Open Redirect(00:49:51) Leaking window.location.href(00:57:15) Cookie refresh gadget(01:01:40) Stored XXS(01:09:01) CRLF Injection(01:13:24) 'A Place To Stand' in GraphQL and ID Oracle(01:18:23) Auth gadgets, Web Cache Deception, & LocalStorage poisoning(01:27:46) Cookie Injection & Context Breaks

22 Feb 20241h 39min

Episode 58: In this episode of Critical Thinking - Bug Bounty Podcast we finally sit down with Youssef Samouda and grill him on his various techniques for finding and exploiting client-side bugs and postMessage vulnerabilities. He shares some crazy stories about race conditions, exploiting hash change events, and leveraging scroll to text fragments. Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest: https://twitter.com/samm0uda?lang=enhttps://ysamm.com/Resources:Client-side race conditions with postMessage: https://ysamm.com/?p=742 Transferable Objectshttps://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Transferable_objectsEvery known way to get references to windows, in javascript:https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2dYoussef’s interview with BBREhttps://www.youtube.com/watch?v=MXH1HqTFNm0Timestamps:(00:00:00) Introduction(00:04:27) Client-side race conditions with postMessage(00:18:12) On Hash Change Events and Scroll To Text Fragments(00:32:00) Finding, documenting, and reporting complex bugs(00:37:32) PostMessage Methodology(00:45:05) Youssef's Vuln Story(00:53:42) Where and how to look for ATO vulns(01:05:21) MessagePort(01:14:37) Window frame relationships(01:20:24) Recon and JS monitoring(01:37:03) Client-side routing(01:48:05) MITMProxy

15 Feb 20241h 54min

Episode 57: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are live from Miami, and recap their experience and share takeaways from the live hacking event. They highlight the importance of paying attention to client-side routing and the growing bug class of client-side path traversal. They also discuss the challenges of knowing when to cut your losses and the value of tracking time and setting goals. Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Timestamps:(00:00:00) Introduction(00:03:50) Miami LHE Recap and Takeaways(00:05:57) Keeping time and cutting losses.(00:19:07) Roles and Goals(00:23:33) OAuth(00:28:52) HTML5 image to img Tip

8 Feb 202432min

Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston)Episode 56: In this episode of Critical Thinking - Bug Bounty Podcast, Justin sits down with Jon Colston to discuss how his background in digital marketing and data science has influenced his hunting methodology. We dive into subjects like data sources, automation, working backwards from vulnerabilities, applying conversion funnels to bug bounty, and the mayonaise signature 'Mother of All Bugs' Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------WordFence - Sign up as a researcher! https://ctbb.show/wfSign up for Caido using the referral code CTBBPODCAST for a 10% discount. Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today’s Guest:https://hackerone.com/mayonaise?type=userTimestamps:(00:00:00) Introduction(00:12:07) Evolving Hacking Methodologies & B2B Hacking(00:23:57) Data Science + Bug Bounty(00:34:37) 'Lead Generation for Vulns'(00:41:39) Ingredients and Recipes(00:49:45) Keyword Categorization(00:54:30) Manual Processes and Recap(01:07:08) Data Sources(01:19:59) Digital Marketing + Bug Bounty(01:32:22) M.O.A.B.s(01:41:02) Burnout Protection and Dupe Analysis

1 Feb 20241h 47min

Episode 55: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by Wordpress Security Researcher Ram Gall to discuss both functionality and vulnerabilities within Wordpress Plugins.Follow us on twitterSend us any feedback here:Shoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------WordFence - Sign up as a researcher! https://ctbb.show/wf---Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.Hop on the CTBB DiscordWe also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today’s Guest:Ramuel GallUpdraftPlus VulnXML-RPC PingBackUnicode and Character SetsReflected XSSPOP ChainWordpressPluginDirectorySubscriber+ RCE in ElementorSubscriber+ SSRFUnauthed XSS via User-Agent headerTimestamps:(00:00:00) Introduction(00:05:55) Add_action & Nonces(00:26:16) Add_filter & Register_rest_routes(00:38:39) Page-related code & Shortcodes(00:50:24) Top Sinks for WP(01:02:19) Echo & SQLI Sinks(01:15:07) Nonce Leak and wp_handle_upload(01:18:16) Page variables & Pop Chains(01:26:55) WP Escalations & Bug Reports

25 Jan 20241h 44min