
Episode 53: 500k/yr as Full-Time Bug Hunter & Content Creator - Nahamsec
Episode 53: In this episode of Critical Thinking - Bug Bounty Podcast, we're joined by none other than NahamSec. We start by discussing the challenges he faced on his journey in bug bounty hunting and content creation, including personal struggles and the pressure of success. We also talk about finding balance and managing mental energy, going the extra mile, and the importance of planning and setting goals for yourself, before he walks us through some Blind XSS techniques.

Follow us on twitter at: @ctbbpodcast
Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------
Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Timestamps:
(00:00:00) Introduction
(00:01:37) Costs of Content Creation
(00:21:12) Hacking 'identities' and Pivoting
(00:36:49) Hacking Methodology
(00:58:59) Planning, Goals, and Nahamsec's 2023 Performance
(01:10:19) Blind XSS
(01:35:19) Going the extra mile in Bug Bounty
11 Jan 20241h 40min

Episode 52: Best Technical Content from Year 1 of CTBB Podcast
Episode 52: In this episode of Critical Thinking - Bug Bounty Podcast we're going back and highlighting some of the best technical moments from the past year! Hope you enjoy this best of 2023 Supercut!

Timestamps:
(00:00:00) Introduction
(00:02:55) Episode 26: Meta tags and base tags in HTML
(00:15:20) Episode 27: Client-side path traversal
(00:23:18) Episode 27: Cookie bombing + cookie jar overflow
(00:35:47) Episode 44: Cross environment authentication bugs
(00:43:17) Episode 47: The open-faced Iframe Sandwich
(00:50:19) Episode 47: JS hoisting and classic Joel nerdsnipe
(00:58:28) Episode 29: Sean Yeoh on Subdomains vs IP in recon
(01:04:05) Episode 30: Shubs on reversing enterprise software
(01:24:58) Episode 30: Shubs on building out a recon flow
(01:29:36) Episode 30: Shubs on Hacking IIS Servers
(01:36:45) Episode 37: 0xLupin on smart JavaScript analysis tools
(01:45:42) Episode 45: Frans Rosen on App cache, Service workers, cookie stuffing, and postMessage
(02:15:02) Episode 50: Mathias Karlsson on XSLT and MXSS
(02:39:26) Episode 27: Assetnote's Sharefile RCE
(02:48:18) Episode 31: Perforce RCE
(02:53:48) Episode 48: Sam Erb's XSLT bug story
(02:58:47) Final thoughts and Special Thanks
4 Jan 20243h

Episode 51: Hacker Stats 2023 & 2024 Goals
Episode 51: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are back for the last episode of 2023. We discuss some noteworthy news items including a Hacker One Crit, Caido updates, and some Blind CSS. Then we dive into our own personal 'Hackers Wrapped' recap of the year, before laying out some goals for 2024.

Resources:
Flow
Powertoys
Alfred
Pyperclip
Textgrab
CTF Payload Challenge
Hacker One Crit Report
Blind CSS Injection

Timestamps:
(00:00:00) Introduction
(00:08:43) Keyboard Shortcut Utility Systems
(00:21:28) CTF Challenge By Frans
(00:32:40) Hacker One 25K Crit Disclosure
(00:36:31) Caido Searchbar Rework
(00:40:51) Blind CSS Exfiltration
(00:44:10) 2023 Personal Bug Bounty Stats
(01:01:15) 2024 Personal Bug Bounty Goals
28 Dec 20231h 21min

Episode 50: Mathias "Fall in a well" Karlsson - Bug Bounty Prophet
Episode 50: In this episode of Critical Thinking - Bug Bounty Podcast, Justin catches up with hacking master Mathias Karlsson, and talks about burnout, collaboration, and the importance of specialization. Then we dive into the technical details of MXSS and XSLT, character encoding, and give some predictions of what Bug Bounty might look like in the future...

Today's Guest: Mathias Karlsson

Episode Resources:
How to Differentiate Yourself as a Hunter
MutateMethods
hackaplaneten
Article About Unicode and Character Sets
Byte Order Mark
Character Encodings
ShapeCatcher
WAF Bypass
BountyDash
EXPLOITING HTTP'S HIDDEN ATTACK-SURFACE

Timestamps:
(00:00:00) Introduction
(00:10:06) Automation Setup and Assetnote Origins
(00:16:49) Sharing Tips, and Content Creation
(00:22:27) Collaboration and Optimization
(00:36:44) Working at Detectify
(00:51:45) Bug Bounty Burnout
(00:56:15) Early Days of Bug Bounty and Future Predictions
(01:19:00) Nerdsnipeability
(01:29:38) MXSS and XSLT
(01:54:20) Learning through being wrong
(02:00:15) Go-to Vulns
21 Dec 20232h 24min

Episode 49: Getting Live Hacking Event Invites & Bug Bounty Collab with Nagli
Episode 49: In this episode of Critical Thinking - Bug Bounty Podcast, Justin Gardner is once again joined by Nagli to discuss some of their recent hacking discoveries. They talk about finding and exploiting a backup file in an ASP.NET app, discovering vulnerabilities through Swagger files, and debating the vulnerability of a specific 'undisclosed' domain. Then they reflect on 2023's Live Hacking Event circuit, and preview what's to come in 2024's.

This episode is sponsored by Wordfence! Wordfence recently launched a game-changer of a bug bounty program in which ALL WordPress plugins with over 50k installs are in-scope. They are currently paying 6.25x their normal bounty amounts, and have agreed to give CT listeners a 10% bonus on top of that! If you wanna pop some crits and see those bounties roll in, head over to https://ctbb.show/wf for more info and keep an eye on the CTBB Discord for inspiration/collabs.

Today's Guest: Nagli

Episode Resources:
Shockwave
Why So Serial
New LHE Standards Dropped

Timestamps:
(00:00:00) Introduction
(00:02:37) wwwroot .zip Hack Recap
(00:13:44) Swagger File Hack Recap
(00:18:27) Undisclosed URL Hack Recap
(00:24:29) 2023 LHE Circuit Recap
(00:37:14) 2024 LHE Preview and New Standards
(00:47:22) Bug Bounty Motivation
14 Dec 202351min

Episode 48: MVH, DEFCON Black Badge, Googler - Sam Erb
Episode 48: In this episode, we're joined by the spectacular Sam Erb, Google Security Engineer and DEFCON Black Badge winner. We talk about the importance of understanding how systems work to find vulnerabilities, and how his engineering background influences his hunting style and methodologies. Then we jump over to his Career Development and his work with Google, and then chat about some of the recent Google Vulnerability Programs.

This episode is sponsored by Wordfence! Wordfence recently launched a game-changer of a bug bounty program in which ALL WordPress plugins with over 50k installs are in-scope. They are currently paying 6.25x their normal bounty amounts, and have agreed to give CT listeners a 10% bonus on top of that! Head over to https://ctbb.show/wf for more info and keep an eye on the CTBB Discord for inspiration/collabs.

Today's Guest: https://twitter.com/erbbysam

Episode Resources:
Sam Erb's Static Secret
Security Now Podcast
BIMI: https://bimigroup.org/
Google Device Vulnerability Reward Program Initiatives
Google Invalid Reports
Hacking Google

Timestamps:
(00:00:00) Introduction
(00:02:50) Hacker Methodology with Sam Erb
(00:12:20) Balancing Bug Hunting and Personal Life
(00:15:53) Deep Diving on a program and using automation
(00:27:00) Optimizing Bug Hunting and Understanding Attack Vectors
(00:39:22) Collaboration and Boundaries
(00:45:42) Career Development and Entrepreneurship
(00:55:13) Winning Black Badges at DEFCON
(00:58:02) BufferOver
(01:09:11) Working at Google
(01:19:23) Google Bug Bounty Programs
(01:31:41) BONUS Cool Bugs
7 Dec 20231h 36min

Episode 47: CSP Research, Iframe Hopping, and Client-side Shenanigans
Episode 47: In this episode of Critical Thinking - Bug Bounty Podcast, the holidays are fast approaching, and Justin and Joel discuss some of the struggles of getting back into the hacking groove during and after breaks. We also celebrate the newly launched Critical Thinking Discord Community before diving into Iframe Sandwiches, JS Hoisting, CSP Bypasses, and a host of new tools, techniques, and tangents.

Episode Resources:
ThankUNext
jswzl
Rapid API
SSRF Utility tool by Bebiks
Tweet from Johan Carlsson
Burp Extension from Google VRP
Justin's Tweet about JS Hoisting
Bypass CSP Using WordPress
How to trick CSP in letting you run whatever you want

Timestamps:
(00:00:00) Introduction
(00:01:58) Overcoming Bug Bounty struggles and getting back into the hacking groove
(00:07:46) Taking notes and sticking to one program
(00:14:50) Critical Thinking Discord, Community highlights, and Competition vs Collaboration
(00:22:25) Secondary context bugs and Automationism
(00:28:42) ThankUNext and Client-side Paths
(00:33:45) Tool Tangents: Jswzl, Caido, Postman, and Rapid API
(00:46:49) New SSRF Utility tool by Bebiks and the continuing evolution of hacking tools
(00:51:45) Iframe Sandwiches
(00:58:54) News Items
(01:06:12) JS Hoisting
(01:15:05) CSP Bypasses
30 Nov 20231h 31min

Episode 46: The SAML Ramble
Episode 46: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is deep diving the topic of SAML (Security Assertion Markup Language), and walks through what it is and why it can be intimidating, before going over some key attack vectors to look for. Then he closes out with a commentary on a sample payload, and some HackerOne reports.

Episode Resources:
KazHACKstan - https://kazhackstan.com/en
Testing SAML security with DAST - https://agrrrdog.blogspot.com/2023/01/testing-saml-security-with-dast.html
How to break SAML if I have paws? - https://speakerdeck.com/greendog/how-to-break-saml-if-i-have-paws?slide=20
How to Hunt Bugs in SAML; a Methodology - https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/
SAML Raider - https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e
External Entity Injection during XML signature verification - https://bugs.chromium.org/p/project-zero/issues/detail?id=2313
mTLS: When certificate authentication is done wrong - https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done-wrong/
HackerOne Uber Report - https://hackerone.com/reports/136169

Timestamps:
(00:00:00) Introduction
(00:05:25) Understanding SAML and its complexities
(00:08:30) SAML Attack Vectors
(00:14:15) XML Signature Wrapping
(00:19:50) Some SAML tests to try
(00:30:30) Sample Payload description
(00:34:10) Token Recipient confusion
(00:36:05) HackerOne Reports
23 Nov 202343min