Critical Thinking - Bug Bounty Podcast

Episode 77: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin discuss some fresh writeups including some MongoDB injections, ORMs, and exploits in Kakao and iOS before pivoting into a conversation about staying motivated and avoiding burnout while hunting.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Resources:MongoDB NoSQL Injectionhttps://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/Mongo DB Is Web Scalehttps://www.youtube.com/watch?v=b2F-DItXtZs1-click Exploit in Kakaohttps://stulle123.github.io/posts/kakaotalk-account-takeover/Unsecure time-based secret and Sandwich Attackhttps://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.htmlReset Tolkienhttps://github.com/AethliosIK/reset-tolkieniOS URL Scheme Hijacking Revampedhttps://evanconnelly.github.io/post/ios-oauth/PLORMBING YOUR DJANGO ORMhttps://www.elttam.com/blog/plormbing-your-django-orm/#contentTimestamps:(00:00:00) Introduction(00:02:07) MongoDB NoSQL Injection(00:12:42) 1-click Exploit in Kakao(00:33:21) Time-based secrets and Reset Tolkien(00:39:26) iOS URL Scheme Hijacking Revamped(00:51:42) ORMs(00:58:57) Community Bug Submission(01:07:45) Motivation, Mental Sharpness, and Burnout avoidance

27 Jun 20241h 50min

Episode 76: In this episode of Critical Thinking - Bug Bounty Podcast we’re talking about Match and Replace and the often overlooked use cases for it, like bypassing paywalls, modifying host headers, and storing payloads. We also talk about the HackerOne Ambassador World Cup and the issues with dupe submissions, and go through some write-ups.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today's Sponsor - Project Discovery: https://nux.gg/podcastResourcesZoom Session Takeoverhttps://nokline.github.io/bugbounty/2024/06/07/Zoom-ATO.htmlSharePoint XXEhttps://x.com/thezdi/status/1796207012520366552Shazzerhttps://shazzer.co.uk/Timestamps:(00:00:00) Introduction(00:05:06) H1 Ambassador World Cup(00:13:57) Zoom ATO bug(00:33:28) SharePoint XXE(00:39:36) Shazzer(00:46:36) Match and Replace(01:13:01) Match and Replace in Mobile(01:21:13) Header Replacements

20 Jun 20241h 34min

Episode 75: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are sick, So instead of a new full episode, we're going back 30 episodes to review.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!Today's Guest: https://twitter.com/fransrosen DetectifyDiscovering s3 subdomain takeovershttps://labs.detectify.com/writeups/hostile-subdomain-takeover-using-heroku-github-desk-more/bucket-disclose.shhttps://gist.github.com/fransr/a155e5bd7ab11c93923ec8ce788e3368A deep dive into AWS S3 access controlsAttacking Modern Web TechnologiesLive Hacking like a MVHAccount hijacking using Dirty Dancing in sign-in OAuth flowsTimestamps:(00:00:00) Introduction(00:11:41) Franz Rosen's Bug Bounty Journey and Detectify (00:20:21) Pseudo-code, typing, and thinking like a dev(00:27:11) Hunter Methodologies and automationists(00:42:31) Time on targets, Iteration vs. Ideation(00:58:01) S3 subdomain takeovers(01:11:53) Blog posting and hosting motivations(01:20:21) Detectify and entrepreneurial endeavors(01:36:41) Attacking Modern Web Technologies(01:52:51) postMessage and MessagePort(02:05:00) Live Hacking and Collaboration(02:20:41) Account Hijacking and OAuth Flows(02:35:39) Hacking + Parenthood

13 Jun 20242h 44min

Episode 74: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Roni "Lupin" Carta for a deep dive into supply chain attacks and dependency confusion. We explore the supply chain attacks, the ethical considerations surrounding maintainers and hosting packages on public registries, and chat about the vision and uses of his new tool Depi.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today's Sponsor - Project Discovery: https://nux.gg/podcastToday’s Guest: https://x.com/0xLupinResources:Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companieshttps://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610git-dumphttps://github.com/tomnomnom/dotfiles/blob/master/scripts/git-dumpDepihttps://www.landh.tech/depiWeak links of Supply Chainhttps://arxiv.org/pdf/2112.10165Timestamps:(00:00:00) Introduction(00:07:13) Overveiw of Supply Chain Flow(00:15:14) Getting our Scope(00:23:46) Depi(00:29:12) Types of attacks and finding the 80/20(00:45:06) Maintainer attacks(01:10:40) Regestries, artifactories, and an npm bug(01:31:51) Grafana NPX Confusion

6 Jun 20241h 38min

Episode 73: In this episode of Critical Thinking - Bug Bounty Podcast we give a brief recap of Nahamcon and then touch on some topics like WAF bypass tools, sandboxed iframes, and programs redacting your reports.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today's Sponsor - Project Discovery: https://nux.gg/podcastResources:?. Tweethttps://x.com/garethheyes/status/1786836956032176215NoWafPlshttps://github.com/assetnote/nowafplsRedacted Reportshttps://x.com/deadvolvo/status/1790397012468199651Breaking CORShttps://x.com/MtnBer/status/1794657827115696181Sandbox-iframe XSS challenge solutionhttps://joaxcar.com/blog/2024/05/16/sandbox-iframe-xss-challenge-solution/iframe and window.open magichttps://blog.huli.tw/2022/04/07/en/iframe-and-window-open/#detecting-when-a-new-window-has-finished-loadingdomloggerpphttps://github.com/kevin-mizu/domloggerppTimestamps(00:00:00) Introduction(00:03:29) ?. Operator in JS and NoWafPls(00:07:22) Redacting our own reports(00:11:13) Breaking CORS(00:17:07) Sandbox-iframes(00:24:11) Dom hook plugins

30 Mai 202431min

Episode 72: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss some hot research from the past couple months. This includes ways to smuggle payloads in phone numbers and IPv6 Addresses, the NextJS SSRF, the PDF.JS PoC drop, and a GitHub Enterprise Indirect Method Information bug. Also, we have an attack vector featured from Monke!Follow us on twitter at: @ctbbpodcastShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today's Sponsor - Project Discovery: https://nux.gg/podcastResources:PDF.JS Bypass to XSShttps://github.com/advisories/GHSA-wgrm-67xf-hhpqhttps://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/PDFiumNextJS SSRF by AssetNoteBetter Bounty Transparency for hackersSlonser IPV6 ResearchSmuggling payloads in phone numbersAutomatic Plugin SQLiDomPurify BypassBug Bounty JP PodcastGithub Enterprise send() bughttps://x.com/creastery/status/1787327890943873055https://x.com/Rhynorater/status/1788598984572813549Timestamps:(00:00:09) Introduction(00:03:20) PDF.JS XSS and NextJS SSRF(00:12:52) Better Bounty Transparency(00:20:01) IPV6 Research and Phone Number Payloads(00:28:20) Community Highlight and Automatic Plugin CVE-2024-27956(00:33:26) DomPurify Bypass and Github Enterprise send() bug(00:46:12) Caido cookie and header extension updates

23 Mai 202452min

Episode 71: In this episode of Critical Thinking - Bug Bounty Podcast Keith Hoodlet joins us to weigh in on the VDP Debate. He shares some of his insights on when VDPs are appropriate in a company's security posture, and the challenges of securing large organizations. Then we switch gears and talk about AI bias bounties, where Keith explains the approach he takes to identify bias in chatbots and highlights the importance of understanding human biases and heuristics to better hack AI.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.Today's Sponsor - Project Discovery: https://nux.gg/podcastToday’s guest: Keith Hoodlethttps://securing.dev/Resources:Daniel Miessler's article about the security poverty linehttps://danielmiessler.com/p/the-cybersecurity-skills-gap-is-another-instance-of-late-stage-capitalism/Hacking AI Biashttps://securing.dev/posts/hacking-ai-bias/Hacking AI Bias Videohttps://youtu.be/AeFZA7xGIbE?si=TLQ7B3YtzPWXS4hqSarah's Hoodlet's new bookhttps://sarahjhoodlet.comLink to Amazon Pagehttps://a.co/d/c0LTM8UTimestamps:(00:00:00) Introduction(00:04:09) Keith's Appsec Journey(00:16:24) The Great VDP Debate Redux(00:47:18) Platform/Hunter Incentives and Government Regulation(01:06:24) AI Bias Bounties(01:26:27) AI Techniques and Bugcrowd Contest

16 Mai 20241h 45min

Episode 70: In this episode of Critical Thinking - Bug Bounty Podcast we’re once again joined by Ben Sadeghipour to talk about some Nahamcon news, as well as discuss a couple other LHE’s taking place. Then they cover CI/CD and drop some cool CSP Bypasses.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today's Sponsor - Project Discovery: https://nux.gg/podcastToday’s Guest: https://twitter.com/NahamSechttps://www.nahamcon.com/Resources:Depihttps://www.landh.tech/depiYoutube CSP:https://www.youtube.com/oembed?callback=alert()Maps CSP:https://maps.googleapis.com/maps/api/js?callback=alert()-printGoogle APIs CSPhttps://www.googleapis.com/customsearch/v1?callback=alert(1)Google CSPhttps://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//CSP Bypass for opener.child.child.child.click()https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/Timestamps:(00:00:00) Introduction(00:02:55) BSides Takeaways and hacking on Meta(00:12:12) NahamCon News(00:23:45) CI/CD and the launch of Depi(00:33:29) CSP Bypasses

9 Mai 202443min