Episodes

  • Episode 63: In this episode of Critical Thinking - Bug Bounty Podcast we welcome back Jason Haddix (from Episode 12) to talk about some updates to his Bug Hunter's Methodology, as well as his own personal life and hacking journey. We talk about the start of his new company, and then venture into topics such as using threat intelligence and buying credentials from the dark web, recon techniques, and ways to integrate AI into your workflow (or target list).

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. 

    Today’s Guest:

    https://twitter.com/Jhaddix

    https://www.arcanum-sec.com/

    Resources:

    Dehashed

    https://www.dehashed.com/

    Flare

    https://flare.io/

    CSP Recon

    https://github.com/edoardottt/csprecon

    Timestamps:

    (00:00:00) Introduction

    (00:05:37) Updates to The Bug Hunter's Methodology

    (00:14:46) Red Teaming

    (00:21:29) Bug Bounty on the Dark Web

    (00:36:19) FIS hunting

    (00:47:59) New Recon Techniques 

    (00:58:32) AI integrations and bounties

  • Episode 62: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with some additional research resources that didn’t make the Portswigger Top-Ten, but that are worth looking at.

    Follow us on twitter at: @ctbbpodcast

    Feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. 

    Resources:

    Cool HTML Shit

    https://twitter.com/jcubic/status/1764311080661082201

    https://twitter.com/encodeart/status/1764218128374943764

    Bug bounty Hunting Journeys

    https://twitter.com/ajxchapman/status/1762101366057525521

    https://monkehacks.beehiiv.com/p/monkehacks-02

    Yelp Cookie Bridge Report

    Deobfuscating/Unminifying Obfuscated Code

    ChatGPT Source Watch

    Web Security Research Reddit

    Nahamsec Resources

    Portswigger Nominations list

    Abusing perspectives: https://hackerone.com/reports/2401115

    PortSwigger CSS Exfiltration

    https://github.com/PortSwigger/css-exfiltration

    Timestamps:

    (00:00:00) Introduction

    (00:02:06) Cool HTML Shit

    (00:15:31) Bug Bounty Journeys

    (00:28:01) Yelp Cookie Bridge Bug

    (00:37:56) Additional Research Resources

    (00:46:34) CSS and abusing perspectives


  • Episode 61: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Jasmin Landry to share some stories about startup security, bug bounty, and the challenges of balancing both. He also shares his methodology for discovering OAuth-related bugs, highlights some differences between structured learning and self-teaching, and then walks us through a couple of arbitrary ATO and SSTI-to-RCE bugs he's found lately.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. 

    Today’s Guest: Jasmin Landry

    https://twitter.com/JR0ch17

    Resources:

    Dirty Dancing blog post

    https://labs.detectify.com/writeups/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/

    OAuth 2.0 Threat Model and Security Considerations

    https://datatracker.ietf.org/doc/html/rfc6819

    OAuth 2.0 Security Best Current Practice

    https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics

    Timestamps:

    (00:00:00) Introduction

    (00:02:20) Meta Tag + DomPurify Bug

    (00:09:36) Jasmin's Origin story

    (00:28:23) Full time Bug bounty challenges

    (00:36:57) Career jumps in Security and current Role

    (00:47:32) OAuth Bug methodology and cool bug stories

    (01:02:35) Social Engineering and Bug Bounty

    (01:13:41) Arbitrary ATO bug

    (01:19:41) SSTI to RCE bug

  • Episode 60: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel review the Portswigger Research list of top 10 web hacking techniques of 2023.

    Follow us on twitter at: @ctbbpodcast

    Send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord

    We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. 

    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. 

    Resources:

    Top 10 web hacking techniques of 2023

    1: Smashing the state machine

    8: From Akamai to F5 to NTLM

    3: SMTP Smuggling

    4: PHP filter chains

    (Bonus Read)

    5: HTTP Parsers Inconsistencies

    6: HTTP Request Splitting

    7: How I Hacked Microsoft Teams

    9: Cookie Crumbles

    (Bonus Read)

    10: Hacking root EPP servers to take control of zones

    Timestamps:

    (00:00:00) Introduction

    (00:04:26) 1: Smashing the state machine

    (00:11:56) 8: From Akamai to F5 to NTLM... with love

    (00:17:11) 3: SMTP Smuggling

    (00:26:27) 4: PHP filter chains

    (00:36:40) 5: HTTP Parsers Inconsistencies

    (00:44:56) 6: HTTP Request Splitting

    (00:53:43) 7: How I Hacked Microsoft Teams

    (01:02:25) 9: Cookie Crumbles

    (01:11:36) 10: EPP Server Takeover

  • Episode 59: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the concept of gadgets and how they can be used to escalate the impact of vulnerabilities. We talk through things like HTML injection, image injection, CRLF injection, web cache deception, leaking window location, self-stored XSS, and much more.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    ------ Ways to Support CTBBPodcast ------

    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. 

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. 

    Resources:

    Even Better

    NahamSec's 5 Week Program

    NahamCon News

    CSS Injection Research

    Timestamps:

    (00:00:00) Introduction

    (00:03:31) Caido's New Features

    (00:15:20) Nahamcon News and 5 week Bootcamp and pentest opportunity

    (00:19:54) HTML Injection, CSS Injection, and Clickjacking

    (00:33:11) Image Injection

    (00:37:19) Open Redirects, Client-side path traversal, and Client-side Open Redirect

    (00:49:51) Leaking window.location.href

    (00:57:15) Cookie refresh gadget

    (01:01:40) Stored XSS

    (01:09:01) CRLF Injection

    (01:13:24) 'A Place To Stand' in  GraphQL and ID Oracle

    (01:18:23) Auth gadgets, Web Cache Deception, & LocalStorage poisoning

    (01:27:46) Cookie Injection & Context Breaks

  • Episode 58: In this episode of Critical Thinking - Bug Bounty Podcast we finally sit down with Youssef Samouda and grill him on his various techniques for finding and exploiting client-side bugs and postMessage vulnerabilities. He shares some crazy stories about race conditions, exploiting hash change events, and leveraging scroll to text fragments. 

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. 

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. 

    Today’s Guest: https://twitter.com/samm0uda?lang=en

    https://ysamm.com/

    Resources:

    Client-side race conditions with postMessage: 

    https://ysamm.com/?p=742 

    Transferable Objects

    https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Transferable_objects

    Every known way to get references to windows, in javascript:

    https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2d

    Youssef’s interview with BBRE

    https://www.youtube.com/watch?v=MXH1HqTFNm0

    Timestamps:

    (00:00:00) Introduction

    (00:04:27) Client-side race conditions with postMessage

    (00:18:12) On Hash Change Events and Scroll To Text Fragments

    (00:32:00) Finding, documenting, and reporting complex bugs

    (00:37:32) PostMessage Methodology

    (00:45:05) Youssef's Vuln Story

    (00:53:42) Where and how to look for ATO vulns

    (01:05:21) MessagePort

    (01:14:37) Window frame relationships

    (01:20:24) Recon and JS monitoring

    (01:37:03) Client-side routing

    (01:48:05) MITMProxy

  • Episode 57: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are live from Miami, and recap their experience and share takeaways from the live hacking event. They highlight the importance of paying attention to client-side routing and the growing bug class of client-side path traversal. They also discuss the challenges of knowing when to cut your losses and the value of tracking time and setting goals. 

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. 

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. 

    Timestamps:

    (00:00:00) Introduction

    (00:03:50) Miami LHE Recap and Takeaways

    (00:05:57) Keeping time and cutting losses.

    (00:19:07) Roles and Goals

    (00:23:33) OAuth

    (00:28:52) HTML5 image to img Tip

  • Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston)

    In this episode of Critical Thinking - Bug Bounty Podcast, Justin sits down with Jon Colston to discuss how his background in digital marketing and data science has influenced his hunting methodology. We dive into subjects like data sources, automation, working backwards from vulnerabilities, applying conversion funnels to bug bounty, and the Mayonaise signature 'Mother of All Bugs'.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    WordFence - Sign up as a researcher! https://ctbb.show/wf

    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. 

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. 

    Today’s Guest:

    https://hackerone.com/mayonaise?type=user

    Timestamps:

    (00:00:00) Introduction

    (00:12:07) Evolving Hacking Methodologies & B2B Hacking

    (00:23:57) Data Science + Bug Bounty

    (00:34:37) 'Lead Generation for Vulns'

    (00:41:39) Ingredients and Recipes

    (00:49:45) Keyword Categorization

    (00:54:30) Manual Processes and Recap

    (01:07:08) Data Sources

    (01:19:59) Digital Marketing + Bug Bounty

    (01:32:22) M.O.A.B.s

    (01:41:02) Burnout Protection and Dupe Analysis

  • Episode 55: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by Wordpress Security Researcher Ram Gall to discuss both functionality and vulnerabilities within Wordpress Plugins.

    Follow us on twitter

    Send us any feedback here:

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    ------ Ways to Support CTBBPodcast ------

    WordFence - Sign up as a researcher! https://ctbb.show/wf

    ---

    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

    Hop on the CTBB Discord

    We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Guest:

    Ramuel Gall

    UpdraftPlus Vuln

    XML-RPC PingBack

    Unicode and Character Sets

    Reflected XSS

    POP Chain

    WordpressPluginDirectory

    Subscriber+ RCE in Elementor

    Subscriber+ SSRF

    Unauthed XSS via User-Agent header

    Timestamps:

    (00:00:00) Introduction

    (00:05:55) Add_action & Nonces

    (00:26:16) Add_filter & Register_rest_routes

    (00:38:39) Page-related code & Shortcodes

    (00:50:24) Top Sinks for WP

    (01:02:19) Echo & SQLI Sinks

    (01:15:07) Nonce Leak and wp_handle_upload

    (01:18:16) Page variables & Pop Chains

    (01:26:55) WP Escalations & Bug Reports

  • Episode 54: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with news items and new projects. Joel shares his personal scraping project to gather data on bug bounty programs and their distribution. Next, they announce the launch of HackerNotes, a podcast companion that will summarize the main technical points of each episode. They also discuss a recent GitLab CVE and an invisible prompt injection, before diving into a discussion (or debate) about vulnerable code patterns.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Gitlab CVE

    https://github.com/Vozec/CVE-2023-7028

    https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/

    Fix commit: https://gitlab.com/gitlab-org/gitlab/-/commit/abe79e4ec437988cf16534a9dbba81b98a2e7f18

    Invisible Prompt Injection

    https://x.com/goodside/status/1745511940351287394?s=20

    Regex 101

    https://regex101.com

    Regex to Strings

    https://www.wimpyprogrammer.com/regex-to-strings/

    Timestamps

    (00:00:00) Introduction

    (00:01:54) Joel’s H1 Data Scraping Research

    (00:19:23) HackerNotes launch

    (00:21:29) Gitlab CVE

    (00:27:45) Invisible Prompt Injection

    (00:33:52) Vulnerable Code Patterns

    (00:37:51) Sanitization, but then modification of data afterward

    (00:45:39) Auth check inside body of if statement

    (00:48:15) Check for bad patterns with if, but then don't do any control flow

    (00:50:21) Bad Regex

    (01:00:36) Replace statements for sanitization

    (01:04:32) Anything that allows you to call functions or control code flow in uncommon ways

  • Episode 53: In this episode of Critical Thinking - Bug Bounty Podcast, we're joined by none other than NahamSec. We start by discussing the challenges he faced on his journey in bug bounty hunting and content creation, including personal struggles and the pressure of success. We also talk about finding balance and managing mental energy, going the extra mile, and the importance of planning and setting goals for yourself, before he walks us through some Blind XSS techniques.

    Follow us on twitter at: @ctbbpodcast

    Feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Timestamps:

    (00:00:00) Introduction

    (00:01:37) Costs of Content Creation

    (00:21:12) Hacking 'identities' and Pivoting

    (00:36:49) Hacking Methodology

    (00:58:59) Planning, Goals, and Nahamsec's 2023 Performance

    (01:10:19) Blind XSS

    (01:35:19) Going the extra mile in Bug Bounty

  • Episode 52: In this episode of Critical Thinking - Bug Bounty Podcast we're going back and highlighting some of the best technical moments from the past year! Hope you enjoy this best of 2023 Supercut!

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Timestamps:

    (00:00:00) Introduction

    (00:02:55) Episode 26: Meta tags and base tags in HTML

    (00:15:20) Episode 27: Client-side path traversal

    (00:23:18) Episode 27: Cookie bombing + cookie jar overflow

    (00:35:47) Episode 44: Cross environment authentication bugs

    (00:43:17) Episode 47: The open-faced Iframe Sandwich

    (00:50:19) Episode 47: js hoisting and classic Joel nerdsnipe

    (00:58:28) Episode 29: Sean Yeoh on Subdomains vs IP in recon

    (01:04:05) Episode 30: Shubs on reversing enterprise software

    (01:24:58) Episode 30: Shubs on building out a recon flow

    (01:29:36) Episode 30: Shubs on Hacking IIS Servers

    (01:36:45) Episode 37: 0xLupin on smart JavaScript analysis tools

    (01:45:42) Episode 45: Frans Rosen On App cache, Service workers cookie stuffing, and postMessage

    (02:15:02) Episode 50: Mathias Karlsson on XSLT and MXSS

    (02:39:26) Episode 27: Assetnote's sharefile RCE

    (02:48:18) Episode 31: Perforce RCE

    (02:53:48) Episode 48: Sam Erb's XSLT bug story

    (02:58:47) Final thoughts and Special Thanks

  • Episode 51: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are back for the last episode of 2023. We discuss some noteworthy news items including a Hacker One Crit, Caido updates, and some Blind CSS. Then we dive into our own personal ‘Hackers Wrapped’ recap of the year, before laying out some goals for 2024.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Resources

    Flow

    Powertoys

    Alfred

    Pyperclip

    Textgrab

    CTF Payload Challenge

    Hacker One Crit Report

    Blind CSS Injection

    Timestamps

    (00:00:00) Introduction

    (00:08:43) Keyboard Shortcut Utility Systems

    (00:21:28) CTF Challenge By Frans

    (00:32:40) Hacker One 25K Crit Disclosure

    (00:36:31) Caido Searchbar Rework.

    (00:40:51) Blind CSS Exfiltration

    (00:44:10) 2023 Personal Bug Bounty Stats

    (01:01:15) 2024 Personal Bug Bounty Goals

  • Episode 50: In this episode of Critical Thinking - Bug Bounty Podcast, Justin catches up with hacking master Mathias Karlsson, and talks about burnout, collaboration, and the importance of specialization. Then we dive into the technical details of MXSS and XSLT, character encoding, and give some predictions of what Bug Bounty might look like in the future…

    Follow us on twitter at: @ctbbpodcast

    Send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    ------ Ways to Support CTBBPodcast ------

    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

    Hop on the CTBB Discord!

    We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Guest

    Episode Resources

    How to Differentiate Yourself as a Hunter

    MutateMethods

    hackaplaneten

    Article About Unicode and Character Sets

    Byte Order Mark:

    Character Encodings

    ShapeCatcher

    WAF Bypass

    BountyDash

    EXPLOITING HTTP'S HIDDEN ATTACK-SURFACE

    Timestamps:

    (00:00:00) Introduction

    (00:10:06) Automation Setup and Assetnote Origins

    (00:16:49) Sharing Tips, and Content Creation

    (00:22:27) Collaboration and Optimization

    (00:36:44) Working at Detectify

    (00:51:45) Bug Bounty Burnout

    (00:56:15) Early Days of Bug Bounty and Future Predictions

    (01:19:00) Nerdsnipeability

    (01:29:38) MXSS and XSLT

    (01:54:20) Learning through being wrong

    (02:00:15) Go-to Vulns

  • Episode 49: In this episode of Critical Thinking - Bug Bounty Podcast, Justin Gardner is once again joined by Nagli to discuss some of their recent hacking discoveries. They talk about finding and exploiting a backup file in an ASP.NET app, discovering vulnerabilities through Swagger files, and debating the vulnerability of a specific ‘undisclosed’ domain. Then they reflect on 2023’s Live Hacking Event circuit, and preview what’s to come in 2024’s.

    This episode is sponsored by Wordfence! Wordfence recently launched a game-changer of a bug bounty program in which ALL WordPress plugins with over 50k installs are in scope. They are currently paying 6.25x their normal bounty amounts, and have agreed to give CT listeners a 10% bonus on top of that! If you wanna pop some crits and see those bounties roll in, head over to https://ctbb.show/wf for more info and keep an eye on the CTBB Discord for inspiration/collabs.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    ------ Ways to Support CTBBPodcast ------

    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Guest

    Episode Resources:

    Shockwave

    Why So Serial

    New LHE Standards Dropped

    Timestamps:

    (00:00:00) Introduction

    (00:02:37) wwwroot .zip Hack Recap

    (00:13:44) Swagger File Hack Recap

    (00:18:27) Undisclosed URL Hack Recap

    (00:24:29) 2023 LHE Circuit Recap

    (00:37:14) 2024 LHE Preview and New Standards

    (00:47:22) Bug Bounty Motivation

  • Episode 48: In this episode, we're joined by the spectacular Sam Erb, Google Security Engineer and DEFCON Black Badge winner. We talk about the importance of understanding how systems work to find vulnerabilities, and how his engineering background influences his hunting style and methodologies. Then we jump over to his career development and his work with Google, and then chat about some of the recent Google Vulnerability Programs.

    This episode is sponsored by Wordfence! Wordfence recently launched a game-changer of a bug bounty program in which ALL WordPress plugins with over 50k installs are in scope. They are currently paying 6.25x their normal bounty amounts, and have agreed to give CT listeners a 10% bonus on top of that! Head over to https://ctbb.show/wf for more info and keep an eye on the CTBB Discord for inspiration/collabs.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    ------ Ways to Support CTBBPodcast ------

    Sign up for Caido using code CTBBPODCAST for a 10% discount.

    Hop on the CTBB Discord

    Discord premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Guest:

    https://twitter.com/erbbysam

    Sam Erb's Static Secret

    Security Now Podcast

    BIMI:

    https://bimigroup.org/

    Google Device Vulnerability Reward Program Initiatives

    Google Invalid Reports

    Hacking Google

    Timestamps:

    (00:00:00) Introduction

    (00:02:50) Hacker Methodology with Sam Erb

    (00:12:20) Balancing Bug Hunting and Personal Life

    (00:15:53) Deep Diving on a program and using automation.

    (00:27:00) Optimizing Bug Hunting and Understanding Attack Vectors

    (00:39:22) Collaboration and Boundaries

    (00:45:42) Career Development and Entrepreneurship

    (00:55:13) Winning Black Badges at DEFCON

    (00:58:02) BufferOver

    (01:09:11) Working at Google

    (01:19:23) Google Bug Bounty Programs

    (01:31:41) BONUS Cool Bugs

  • Episode 47: In this episode of Critical Thinking - Bug Bounty Podcast, the holidays are fast approaching, and Justin and Joel discuss some of the struggles of getting back into the hacking groove during and after breaks. We also celebrate the newly launched Critical Thinking Discord Community before diving into Iframe Sandwiches, JS Hoisting, CSP Bypasses, and a host of new tools, techniques, and tangents.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

    Hop on the CTBB Discord at https://ctbb.show/discord!

    ThankUNext

    jswzl

    Rapid API

    SSRF Utility tool by Bebiks

    Tweet from Johan Carlsson

    Burp Extension from Google VRP

    Justin's Tweet about JS Hoisting

    Bypass CSP Using WordPress

    How to trick CSP in letting you run whatever you want

    Timestamps:

    (00:00:00) Introduction

    (00:01:58) Overcoming Bug Bounty struggles and getting back into the hacking groove

    (00:07:46) Taking notes and sticking to one program

    (00:14:50) Critical Thinking Discord, Community highlights, and Competition vs Collaboration

    (00:22:25) Secondary context bugs and Automationism

    (00:28:42) ThankUNext and Client-side Paths

    (00:33:45) Tool Tangents: Jswzl, Caido, Postman, and Rapid API

    (00:46:49) New SSRF Utility tool by Bebiks and the continuing evolution of hacking tools

    (00:51:45) Iframe Sandwiches

    (00:58:54) News Items

    (01:06:12) JS Hoisting

    (01:15:05) CSP Bypasses

  • Episode 46: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is deep diving the topic of SAML (Security Assertion Markup Language), and walks through what it is and why it can be intimidating, before going over some key attack vectors to look for. Then he closes out with a commentary on a sample payload, and some HackerOne reports.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

    KazHACKstan

    https://kazhackstan.com/en

    Testing SAML security with DAST

    https://agrrrdog.blogspot.com/2023/01/testing-saml-security-with-dast.html

    How to break SAML if I have paws?

    https://speakerdeck.com/greendog/how-to-break-saml-if-i-have-paws?slide=20

    How to Hunt Bugs in SAML; a Methodology

    https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/

    SAML Raider

    https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e

    External Entity Injection during XML signature verification

    https://bugs.chromium.org/p/project-zero/issues/detail?id=2313

    mTLS: When certificate authentication is done wrong

    https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done-wrong/

    HackerOne Uber Report

    https://hackerone.com/reports/136169

    Timestamps:

    (00:00:00) Introduction

    (00:05:25) Understanding SAML and its complexities

    (00:08:30) SAML Attack Vectors

    (00:14:15) XML Signature Wrapping

    (00:19:50) Some SAML tests to try

    (00:30:30) Sample Payload description

    (00:34:10) Token Recipient confusion

    (00:36:05) HackerOne Reports

  • Episode 45: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome Frans Rosén, an OG bug bounty hunter and co-founder of Detectify. We kick off with Frans sharing his journey through bug bounty and security startups, before diving headfirst into a host of his blog posts. We also cover the value of pseudo-code for bug exploitation, understanding developer terminology, the challenges of collaboration and delegating tasks, and balancing hacking with parenting. If you're interested in bug bounty or entrepreneurship, you won't want to miss it!

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

    Join our Discord!

    Today's Guest:

    https://twitter.com/fransrosen

    Detectify

    Discovering s3 subdomain takeovers

    Bucket Disclose

    A deep dive into AWS S3 access controls

    Attacking Modern Web Technologies

    Live Hacking like a MVH

    Account hijacking using Dirty Dancing in sign-in OAuth flows

    Timestamps:

    (00:00:00) Introduction

    (00:04:50) Frans Rosén's Bug Bounty Journey and the creation of Detectify

    (00:13:30) Benefits of pseudo-code, typing, and thinking like a developer

    (00:20:20) Hunter Methodologies

    (00:35:40) Time on targets, Iteration vs. Ideation, and tips for standing out

    (00:51:10) S3 subdomain takeovers

    (01:05:02) Blog posting and hosting motivations

    (01:13:30) Detectify and entrepreneurial endeavors

    (01:29:50) Attacking Modern Web Technologies

    (01:46:00) postMessage and MessagePort

    (01:58:09) Live Hacking and Collaboration

    (02:13:50) Account Hijacking and OAuth Flows

    (02:28:48) Hacking/Parenting

  • Episode 44: In this episode of Critical Thinking - Bug Bounty Podcast, the topic is URL structure: Justin and Joel break down the elements that make up a URL and some common tips and tricks surrounding them that allow for all sorts of bypasses. We also round out the episode with some new tools, ATO stories, and some controversial current events in the hacker scene.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

    "XnlReveal" XNL h4ck3r

    OAuth article by Salt Labs

    H1 controversy recap

    ATO through Facebook Login

    https://twitter.com/Jayesh25_/status/1718543152296939861

    https://twitter.com/itscachemoney/status/1721658450613346557

    When URL Parsers disagree

    Golden techniques to bypass host validations in Android apps

    Mozilla article on HTTP Authentication

    Breaking Parser Logic talk by Orange Tsai

    URL Detector

    SSRF Bible

    Timestamps:

    (00:00:00) Introduction

    (00:04:10) "XnlReveal"

    (00:07:22) OAuth vulnerabilities

    (00:13:17) Recap of controversy surrounding the handling of a vulnerability report on H1

    (00:18:55) Hacker Success Manager Program

    (00:22:30) Facebook login ATO

    (00:27:45) When URL parsers disagree

    (00:34:34) URL Structures

    (01:02:22) Shared secrets across environments

    (01:09:40) Social Media Logins