Critical Thinking - Bug Bounty Podcast

Episode 37: In this episode of Critical Thinking - Bug Bounty Podcast we're joined by none other than Lupin himself! We recap the Tokyo LHE and the lessons we learned from it before diving into his legendary journey into security research and bug bounty. We also talk collaboration of all kinds: pair hacking, joining a team, and starting a business together. We even touch on some great tools that can collaborate with each other! This was a fun one, and we don't want you to miss it!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterToday’s Guest:https://twitter.com/0xLupinLupin and Holmeshttps://landh.tech/JSWZLhttps://jswzl.io/Cursorhttps://cursor.so/Clairvoyancehttps://github.com/nikitastupin/clairvoyanceTweet about Command Injectionshttps://twitter.com/win3zz/status/1703702550372078074James Kettle article on security researchhttps://portswigger.net/research/so-you-want-to-be-a-web-security-researcherTimestamps:(00:00:00) Introduction(00:01:00) Lessons learned from the latest LHE(00:09:30) JSWZL and the Cursor Combo(00:19:15) The Legend of Lupin(00:34:35) Code and Collaborating(00:38:48) Requests, Automation, and Testing(00:50:28) Joel's Helper scripts(00:52:50) Teamwork and Pair Hacking(00:57:29) Tips for learning to Hack(01:00:35) UUID and CTF(01:08:35) Dynamics of Collaboration with French Team

21 Sep 20231h 15min

Episode 36: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel take a break from LHE prep to answer questions about the ethics of bug bounty and share their recent bug finds. We talk Iframes, mobile intercept proxies, open redirects, and that time Justin got shot at…Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterTimeshifter:https://www.timeshifter.com/Tweet about Google Open Redirecthttps://twitter.com/Rhynorater/status/1697357773690818844 Tweet about XSS Exploitation https://twitter.com/Rhynorater/status/1698059391700701424 Request Minimizerhttps://portswigger.net/bappstore/cc16f37549ff416b990d4312490f5fd1Timestamps:(00:00:00) Introduction(00:02:45) Hacker One LHE Preview(00:05:40) Is Bug Bounty Inherently Ethical(00:19:25) Ethics of Going out of scope(00:27:56) Justin’s story of getting shot at(00:30:22) Setting up a mobile intercept proxy(00:33:40) How to approach a new target(00:40:30) Google Open Redirect(00:43:35) Recent XSS Exploitation(00:46:28) ATO Trick(00:50:25) Joel’s Bug Report(00:55:40) Justin’s Bug Report

14 Sep 20231h 3min

Episode 35: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome Douglas Day, a bug bounty hunter known for his unique methodologies and collaborative spirit. We talk about his approach to finding new endpoints in applications, his ingenious technique of exploiting Intercom widgets, and collaboration preferences and tips at LHEs. We also touch on the struggle of justifying hobbies that don't generate income and the importance of finding enjoyment in the process.We hope you enjoy this episode as much as we did!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterToday’s Guest:https://twitter.com/ArchAngelDDayhttps://hackerone.com/the_arch_angelhttps://bugcrowd.com/arch_angel100 Short Bug Bounty Ruleshttps://twitter.com/ArchAngelDDay/status/1661924038875435008Blog about Intercomhttps://dday.us/2021/11/03/h1vendorATO.htmlBlog about Mapping Hackinghttp://dday.us/2021/10/09/Mapyourhacking.htmlTimestamps: (00:00:00) Introduction(00:03:01) Douglas Day’s infosec and LHE intro(00:10:42) Evolution and philosophy of collaboration(00:23:08) Balancing Collaboration and Money(00:29:43) Recap of 100 Short Bug Bounty Rules(00:37:15) Bug-hunting Methodology(00:45:45) Using match and replace to find new endpoints in bug hunting(00:49:07) Exploiting Intercom widgets(00:52:35) Facing Failure and enjoying the journey(00:57:00) Managing work-life balance(01:05:55) Auth-Z testing and documentation(01:12:25) Vulnerabilities in applications(01:17:05) Mapping Hacking Sessions

7 Sep 20231h 25min

Episode 34: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel have both beaten COVID and now square off against each other in a mega-debate representing hackers and program managers respectively. Among the topics included are Disclosures, Dupes, Zero-Day Policy, payouts, budgets, Triage and Retesting. So, if you want blood-pumping, insult-hurling opinion-invalidating debate…then maybe look somewhere else. But if a thought-provoking discussion about bug bounty is more your style, then take a seat and get ready!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterPrompt Injection Primer for Engineershttps://twitter.com/rez0__/status/1695078576104833291 Portswigger on XSShttps://twitter.com/PortSwiggerRes/status/1691812241375424983Gunner Andrews talkhttps://www.youtube.com/watch?v=aaDe1ADh5KM Jhaddix live training Givawayhttps://tbhmlive.com/ctbb.show/giveawayNew Websitectbb.showFight music composed by Dayn Leonardsonhttps://www.daynleo.com/Timestamps:(00:00:00) Introduction(00:02:00) Joel’s DEFCON Recap(00:04:45) Prompt Injection Primer for Engineers by Rez0(00:07:00) Portswigger Research and XSS(00:08:36) Gunnar Andrews' talk on serverless architecture(00:10:10) ‘Bug Hunter Methodology’ Course GiveawayThe Debate(00:13:34) Zero-Day Policy and Payment for Vulnerabilities(00:25:40) Disclosure(00:33:52) Dupes (00:51:23) CVSS(01:02:25) Budgets and Payouts(01:15:00) Triage and Retesting(01:34:55) Withholding Reports(01:41:50) Root Cause Analysis(01:52:25) Interacting with hacker reports from a security standpoint.(01:58:50) Internal Activity on a Report(02:01:15) Cost of running Bug Bounty Programs and LHE’s

31 Aug 20232h 10min

Episode 33: In this episode of Critical Thinking - Bug Bounty Podcast, we welcome Inti De Ceukelaire, a seasoned bug hunter known for his creative storytelling and impactful show-and-tell bugs…and let us tell you, his stories do not disappoint! From his bug bounty journey to some pretty wild hacks, Inti captivates us as only Inti can. We discuss the potential life-saving impact of bug bounty reports, especially in areas such as transportation and medical devices. We also cover hacker mentality, the benefits of objective-based challenges, and the need for collaboration and alignment within the bug bounty community. It’s a mesmerizing episode, so sit back and be swept away by Inti’s tales.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterToday’s Guest:https://twitter.com/securintiInti's Shopify Show-and-Tellhttps://hackerone.com/reports/1086108Hakluke's article on Bug Bounty Standardshttps://github.com/hakluke/bug-bounty-standardsResearching MissingNo Glitch in Pokemonhttps://youtu.be/p8OBktd42GIIntigritihttps://www.intigriti.com/Timestamps:(00:00:00) Introduction(00:03:01) Show-and-Tells and Storytelling in Live Hacking Events(00:08:30) Impact Assessment and the potential real-life significance of reporting vulnerabilities.(00:13:50) Ethical dilemmas, gaming the systems, and safe harbor.(00:23:30) Inti’s Hacking Journey(00:27:26) Hacker mentality, brainstorming, and goal-setting.(00:46:28) The benefit of mental resets, fresh perspectives, and ‘surprise collaboration’(00:52:55) Inti’s Story 1: CSS Injection bugs(01:06:20) Inti’s Story 2: The Ticket Trick(01:14:00) Inti’s Story 3: The Gotcha PasswordBug(01:18:30) Upcoming Intigriti Live Hacking Event

24 Aug 20231h 22min

Episode 32: In this episode of Critical Thinking - Bug Bounty Podcast, Joel caught a nasty bug (no, not that kind) so Justin is flying solo, and catches us up to speed on what's been happening in hacking news.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterSmashing the State articlehttps://portswigger.net/research/smashing-the-state-machine?ps_source=portswiggerres&ps_medium=social&ps_campaign=race-conditionsNagles Algorithmhttps://en.wikipedia.org/wiki/Nagle%27s_algorithm HTTP/2 RFC https://httpwg.org/specs/rfc7540.html Tweet by Alex Chapmanhttps://twitter.com/ajxchapman/status/1691103677920968704?s=20Cookieless Duodrop IIS Auth Bypasshttps://soroush.me/blog/2023/08/cookieless-duodrop-iis-auth-bypass-app-pool-privesc-in-asp-net-framework-cve-2023-36899/ Xss and .Nethttps://blog.isec.pl/all-is-xss-that-comes-to-the-net/Shopify Account Takeoverhttps://ophionsecurity.com/blog/shopify-acount-takeoverShort Name Guesserhttps://github.com/projectmonke/shortnameguesserHacking Points.comhttps://samcurry.net/Points-com/Hacking Starbucks https://samcurry.net/hacking-starbucks/Bug Bounty Tag Requesthttps://twitter.com/ajxchapman/status/1688892093597470720Sandwich Attackhttps://www.landh.tech/blog/20230811-sandwich-attack Timestamps:(00:00:00) Introduction(00:01:25) Smashing the State(00:11:30) HTTP/2 RFC(00:17:30) Cookieless Duodrop IIS Auth Bypass(00:24:45) Takeovers and Tools(00:32:30) Sam Curry writeup(00:53:10) Community requests(00:55:10) Sandwich Attacks

17 Aug 20231h 1min

Episode 31: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to be joined by Alex Chapman, a seasoned InfoSec hacker and bug bounty hunter. We kick off with Alex sharing his hacking journey, from a guest lecturer that inspired him, to working on internal Red Teams, to his transition to working with HackerOne, and finally as a bug bounty hunter focusing on searching out those few, high impact bugs. We also discuss the power of collaboration, the challenges of balancing hacking with other responsibilities, and the necessity of flexibility and taking breaks in bug bounty work. Don't miss this episode where we explore the depths of bug bounty with Alex Chapman!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterToday’s Guest:https://twitter.com/ajxchapman@ajxchapman@infosec.exchangehttps://ajxchapman.github.io/https://hackerone.com/ajxchapman?type=userPerforce RCEhttps://hackerone.com/reports/1830220 https://ajxchapman.github.io/bugreports/2019/04/04/perforce-local-file-disclosure.html (00:00:00) Introduction(00:01:50) Alex Chapman's InfoSec journey and evolution(00:05:55) Real-world experience vs. chasing degrees, and the pivot into Bug Bounty(00:13:12) The benefit of programming knowledge(00:16:50) Experience in Internal Red Team and hacker mentalities.(00:23:35) Transitioning to HackerOne and full time Bug Bounty(00:33:37) Bug Bounty tips, time management, and best practices(00:41:00) The importance of note-taking and organizational tools(00:46:27) Hunting Methodologies and focusing on Critical Exploitations(01:02:37) Collaboration in the hacking community(01:06:00) Binary Exploitation and Source Code Review(01:10:59) Configuration file injections(01:17:38) Justin vs. Alex at a LHE

10 Aug 20231h 24min

Episode 30: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to be joined by renowned bug bounty hunter Shubs. We kick off with him sharing his journey from burgers to bugs, and how his friendly rivalry with a fellow hacker fueled his passion for reconnaissance, as well as his love of collaboration. We then shift gears to talk about the art of debugging, ethics and economics of bug bounty hunting, the transition to Entrepreneur, and the evolution of Assetnote from a reconnaissance tool to enterprise security software suite. This one’s a banger, and we don’t want you to miss it!Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynoraterToday’s Guest:@infosec_auIntro Shoutoutshttps://twitter.com/bebiksiorhttps://cvssadvisor.com/Assetnotehttps://www.assetnote.io/https://twitter.com/assetnoteBishop Foxhttps://bishopfox.com/Shortscanhttps://github.com/bitquark/shortscanXXE Payloadhttps://gist.github.com/Rhynorater/d0d19f757221a916a22476c3a5c6aba2Timestamps(00:00:00) Introduction(00:05:48) History as a Hacker: Recon, rivalries, and Riot Games(00:12:13) Collaboration and Community in Bug Bounty(00:18:19) The Art of Debugging(00:21:48) Assetnote News and overview(00:30:43) CVE reversing(00:32:58) Zero-day vulns(00:42:48) Bug Bounty Ethics and Economics(00:52:53) Bug Bounty and Entrepreneurship(01:03:58) Business lessons learned(01:07:48) Advice for Hunters looking to grow(01:12:38) IIS Server Techniques

3 Aug 20231h 19min