Avsnitt
-
Episode 90: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin recap some of their recent hacking ups and downs and have a lively chat about Cursor. Then they cover some some research about SQL Injections, Clickjacking in Google Docs, and how to steal your Telegram account in 10 seconds.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Find the Hackernotes: https://blog.criticalthinkingpodcast.io/
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Shop our new swag store at ctbb.show/swag
Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder
Resources:
Breaking Down Barriers: Exploiting Pre-Auth SQL Injection in WhatsUp Gold
Content-Type that can be used for XSS
Clickjacking Bug in Google Docs
Justin's Gadget Link
https://www.youtube.com/signin?next=https%3A%2F%2Faccounts.youtube.com%2Faccounts%2FSetSID%3Fcontinue%3Dhttps%3A%2F%2Fwww.google.com%252Famp%252fpoc.rhynorater.com
Stealing your Telegram account in 10 seconds flat
Timestamps
(00:00:00) Introduction
(00:08:28) Recent Hacks and Dupes
(00:14:00) Cursor
(00:25:02) Exploiting Pre-Auth SQL Injection in WhatsUp Gold
(00:34:17) Content-Type that can be used for XSS
(00:40:25) Caido updates
(00:43:14) Clickjacking in Google Docs, and Stealing Telegram account
-
Episode 89: In this episode of Critical Thinking - Bug Bounty Podcast We’re joined live by Matt Brown to talk about his journey with hacking in the IoT. We cover the specializations and challenges in hardware hacking, and Matt’s personal Methodology. Then we switch over to touch on BGA Reballing, Certificate Pinning and Validation, and some of his own bug stories.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Find the Hackernotes: https://blog.criticalthinkingpodcast.io/
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder
Today’s Guess Matt Brown: https://x.com/nmatt0
Resources:
Decrypting SSL to Chinese Cloud Servers
https://www.youtube.com/watch?v=3qSxxNvuEtg
mitmrouter
https://github.com/nmatt0/mitmrouter
certmitm Automatic Exploitation of TLS Certificate Validation Vulns
https://www.youtube.com/watch?v=w_l2q_Gyqfo
and
https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Aapo%20Oksman%20-%20certmitm%20automatic%20exploitation%20of%20TLS%20certificate%20validation%20vulnerabilities.pdf
https://github.com/aapooksman/certmitm
HackerOne Detailed Platform Standards
https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards
Timestamps:
(00:00:00) Introduction
(00:13:33) Specialization and Challenges of IOT Hacking
(00:33:03) Decrypting SSL to Chinese Cloud Servers
(00:47:00) General IoT Hacking Methodology
(01:26:00) Certificate Pinning and Certificate Validation
(01:34:35) BGA Reballing
(01:43:26) Bug Stories
-
Saknas det avsnitt?
-
Episode 88: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel tackle a whole slate of new research including a new cheat sheet for URL validation bypass from Portswigger, the introduction of Sanic DNS as a high-speed DNS resolver, xsstools, and the Dockerization of Orange Confusion Attacks.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Find the Hackernotes: https://blog.criticalthinkingpodcast.io/
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Shop our new swag store at ctbb.show/swag
Resources
URL Validation Bypass cheat sheet
SanicDNS
Orange Confusion Attacks
WordPress GiveWP POP to RCE
Xsstools
Bypassing browser tracking protection
Advanced iframe Magic
DOM Clobbering
https://www.ruhrsec.de/downloads/slides/Everything-You-Wanted-to-Know-About-DOM-Clobbering-But-Were-Afraid-to-Ask-Soheil-Khodayari-RuhrSec.pdf
And
https://domclob.xyz/domc_payload_generator/
Timestamps:
(00:00:00) Introduction
(00:02:00) URL validation bypass
(00:07:41) SanicDNS and Orange confusion attacks
(00:20:06) WordPress GiveWP POP to RCE
(00:31:29) Xsstools
(00:43:56) Bypassing browser tracking protection
(00:52:06) DOM Clobbering and mixing up your approach
-
Episode 87: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with none other than his wife Mariah to talk about Bug Bounty from the perspective of a Significant Other. They share how they’ve traversed travel and Live Hacking Events, household chores, hobbies, goals, rewards, as well as how best to encourage and support the hacker/non-hacker in your life.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Find the Hackernotes: https://blog.criticalthinkingpodcast.io/
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Shop our new swag store at ctbb.show/swag
Today’s Guest: https://x.com/MariahG017
Resources:
Ruby Nealon's song
https://x.com/_ruby/status/835306502546149376
Don't Force Yourself to Become a Bug Bounty Hunter
https://samcurry.net/dont-force-yourself-to-become-a-bug-bounty-hunter
Timestamps
(00:00:00) Introduction
(00:03:12) Technical Questions for a Bug Bounty Wife
(00:16:11) Mariah's First LHE experience
(00:31:12) LHEs as a Couple
(00:41:57) Encouragement and Risk
(00:55:55) Hacker Family Dynamics, goals, and keeping promises
(01:17:35) How to care for your Hacker/Hacker Wife
-
Episode 86: In this episode of Critical Thinking - Bug Bounty Podcast Frans blows Justin’s mind with a sneak peak of his new presentation. Note: This is a little different from our normal episode, and video is recommended. So head over to ctbb.show/yt if you feel like you’re missing something.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Find the Hackernotes: https://blog.criticalthinkingpodcast.io/
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Shop our new swag store at ctbb.show/swag
Watch this Episode on Youtube - ctbb.show/yt
Today’s Guest: Frans Rosen - https://x.com/fransrosen
View the slides of this presentation at https://speakerdeck.com/fransrosen/x-correlation-injections-or-how-to-break-server-side-contexts
Timestamps
(00:00:00) Introduction
(00:04:09) x-correlation injection
(00:21:10) Server-side JSON-Injection
(00:32:10) Fuzz Blindly and Optimizing Blind RCE
-
Episode 85: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel talk through some of the research coming out of DEFCON, mainly from the PortSwigger team. Web timing attacks, cache exploitation, and exploits related to email protocols are all featured. Plus we also talk some fun Apache hacks from Orange Tsai
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Find the Hackernotes: https://blog.criticalthinkingpodcast.io/
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
Check out our new SWAG store at https://ctbb.show/swag!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Sponsor - ThreatLocker
Resources
Listen to the whispers
https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work
Splitting the email atom
https://portswigger.net/research/splitting-the-email-atom
Gotta cache 'em all
https://portswigger.net/research/gotta-cache-em-all
HTTP Garden
https://github.com/narfindustries/http-garden
Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!
https://blog.orange.tw/2024/08/confusion-attacks-en.html#%E2%9C%94%EF%B8%8F-2-2-2-Local-Gadget-to-XSS
Trusted API Types
https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API
Untrusted Types
https://github.com/filedescriptor/untrusted-types
Timestamps:
(00:00:00) Introduction
(00:09:45) 'Listen to the whispers'
(00:30:03) 'Splitting the email atom'
(00:58:42) 'Gotta cache 'em all'
(01:21:03) 'Confusion Attacks'
-
Episode 84: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by Roni Carta (@0xLupin) to discuss their MVH win at the recent Google LHE, and share some technical observations they had with the target and the event.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Find the Hackernotes: https://blog.criticalthinkingpodcast.io/
Follow your hosts Rhynorater & Teknogeek on twitter:
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Guest: https://x.com/0xLupin
Today’s Sponsor - ThreatLocker
Timestamps:
(00:00:00) Introduction
(00:02:12) MHV Debrief
(00:09:05) Sandboxes and Comfort Zones
(00:13:24) SDKs and Legal Compliance
(00:19:29) Age of Target and Platform-Exclusive Hunters
-
Episode 83: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin are brainstorming new features and improvements for Caido, such as the implementation of a 403 bypassing workflow, a text expander, Tracing Cookies, and more.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Sponsor - ThreatLocker
Resources:
Post from Gareth Heyes
https://x.com/garethheyes/status/1811084674988474417
Wiki List of XML and HTML
https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references#List_of_character_entity_references_in_HTML
HackerOne Leaderboard Changes
https://x.com/scarybeasts/status/1810813103354892666
Espanso
https://espanso.org/
Critical Thinkers Discord
ctbb.show/criticalthinkers
Oauth Scan
https://portswigger.net/bappstore/8ef2db1173e8432c8797831c2e730727
Timestamps:
(00:00:00) Introduction
(00:03:12) News
(00:13:20) Into the Brainstorm
(00:13:41) 403 Bypasser
(00:20:34) "Expaido"
(00:31:34) Trace Cookies
(00:42:01) Highlight Decoding Expansion and AI integrations
(00:49:08) OAuth Testing, API Highlighter, and Note-taking
-
Episode 82: In this episode of Critical Thinking - Bug Bounty Podcast Joel Margolis discusses strategies and tips for part-time bug bounty hunting. He covers things like finding (and enforcing) balance, picking programs and goals, and streamlining your process to optimize productivity.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Sponsor - ThreatLocker
Resources:
Evernote RCE Post
https://0reg.dev/blog/evernote-rce
ServiceNow Bug Chain
https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data
Douglas Day's Talk on finding 'no's'
https://youtu.be/G1RHa7l1Ys4?si=TY16ULsEIfJ9CMKk
Timestamps:
(00:01:37) Introduction
(00:02:24) Evernote RCE Post
(00:06:47) AssetNote ServiceNow Bug Chain
(00:12:16) Part-Time Bug Bounty: Balance and Accountability
(00:18:04) Picking programs: Impact and Payout
(00:28:46) Streamline your process
-
Episode 81: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by MatanBer to go over some recent bug reports, as well as share some tips and tricks on client-side hacking and using DevTools effectively.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Sponsor - ThreatLocker
Today’s Guest: https://x.com/MtnBer
Resources:
Beyond XSS
https://aszx87410.github.io/beyond-xss/en/
Web VSCode XSS
https://gitlab.com/gitlab-org/gitlab/-/issues/461328
Timestamps
(00:00:00) Introduction
(00:05:24) Learning and Labs
(00:17:29) DevTools tips and tricks
(00:49:49) General Client-Side hacking tips
(01:09:59) Self-XSS Storytime
(01:32:16) Bug Reports
(01:46:37) Brainstorming a Client-side HUD
-
Episode 80: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Sina Kheirkhah to talk about the start of his hacking journey and explore the differences between the Pwn2Own and HackerOne Events
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Sponsor - ThreatLocker
Today’s Guest: https://x.com/SinSinology
Blog: https://sinsinology.medium.com/
Resources:
WhatsUp Gold Pre-Auth RCE
Advanced .NET Exploitation Training
dnSpyEx
QEMU
Unicorn Engine
Qiling
libAFL
Alex Plaskett interview
TippingPoint
Flashback Team
Timestamps:
(00:00:00) Introduction
(00:12:45) Learning, Mentorship, and Failure
(00:29:34) Pentesting and Pwn2Own
(00:40:05) Hacking methodology
(01:01:57) Debuggers and shells in IoT Devices
(01:35:40) Differences between ZDI and HackerOne
(02:02:27) Pwn2Own Steps and Stories
(02:14:06) Master of Pwn Title
(02:29:54) Bug reports
-
Episode 79: In this episode of Critical Thinking - Bug Bounty Podcast we deepdive CSS injection, and explore topics like sequential import chaining, font ligatures, and attribute exfiltration.
Follow us on twitter at: @ctbbpodcast
Send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Resources:
SpaceRaccoon's Universal Code Execution Extensions
Escalating Client Side Path Traversal
Full-time Bug Bounty Blueprint
Sequential Import Chaining
CSS Exfiltation
Link that Justin was talking about
Font Ligatures
Lava Dome bypass
Stealing Data in Great Style
Steal Script Contents
Masato Kinugawa's tweet
Attacking with Just CSS
CSS Injection Primitives
Timestamps:
(00:00:00) Introduction
(00:02:32) Universal Code Execution
(00:11:32) Escalating Client Side Path Traversal
(00:16:56) Justin's Defcon talk & Bug Bounty Blueprint
(00:23:32) CSS Injection
(00:39:23) Font Ligatures
(00:54:30) Descent Override and display:block
-
Episode 78: In this episode of Critical Thinking - Bug Bounty Podcast we’re talking about writing reports. We share some tips that we’ve learned, and discuss ways that AI can (and can’t) help with that process. We also talk about the benefit of using tools like Fabric, Loom, and ShareX.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Sponsor - ThreatLocker
Resources:
XSS WAF Bypass by multi-char HTML entities
Shazzer
Next.js and cache poisoning
Nagli's Nuclei Template
hey why can't you fix this one bug
Justin's reporting templating software
Fabric
BB Report Formatter
2to3 Automated Python Converter
ShareX
Skitch
Timestamps:
(00:00:00) Introduction
(00:04:00) XSS WAF Bypass by Multi-char HTML Entities
(00:11:59) Next.js and Cache Poisoning
(00:18:03) Nagli's Nuclei Template and Sean Yeoh's Blog
(00:27:34) Report Writing and AI
(00:50:02) Reporting tips
-
Episode 77: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin discuss some fresh writeups including some MongoDB injections, ORMs, and exploits in Kakao and iOS before pivoting into a conversation about staying motivated and avoiding burnout while hunting.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Resources:
MongoDB NoSQL Injection
https://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/
Mongo DB Is Web Scale
https://www.youtube.com/watch?v=b2F-DItXtZs
1-click Exploit in Kakao
https://stulle123.github.io/posts/kakaotalk-account-takeover/
Unsecure time-based secret and Sandwich Attack
https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html
Reset Tolkien
https://github.com/AethliosIK/reset-tolkien
iOS URL Scheme Hijacking Revamped
https://evanconnelly.github.io/post/ios-oauth/
PLORMBING YOUR DJANGO ORM
https://www.elttam.com/blog/plormbing-your-django-orm/#content
Timestamps:
(00:00:00) Introduction
(00:02:07) MongoDB NoSQL Injection
(00:12:42) 1-click Exploit in Kakao
(00:33:21) Time-based secrets and Reset Tolkien
(00:39:26) iOS URL Scheme Hijacking Revamped
(00:51:42) ORMs
(00:58:57) Community Bug Submission
(01:07:45) Motivation, Mental Sharpness, and Burnout avoidance
-
Episode 76: In this episode of Critical Thinking - Bug Bounty Podcast we’re talking about Match and Replace and the often overlooked use cases for it, like bypassing paywalls, modifying host headers, and storing payloads. We also talk about the HackerOne Ambassador World Cup and the issues with dupe submissions, and go through some write-ups.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today's Sponsor - Project Discovery: https://nux.gg/podcast
Resources
Zoom Session Takeover
https://nokline.github.io/bugbounty/2024/06/07/Zoom-ATO.html
SharePoint XXE
https://x.com/thezdi/status/1796207012520366552
Shazzer
https://shazzer.co.uk/
Timestamps:
(00:00:00) Introduction
(00:05:06) H1 Ambassador World Cup
(00:13:57) Zoom ATO bug
(00:33:28) SharePoint XXE
(00:39:36) Shazzer
(00:46:36) Match and Replace
(01:13:01) Match and Replace in Mobile
(01:21:13) Header Replacements
-
Episode 75: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are sick, So instead of a new full episode, we're going back 30 episodes to review.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
Today's Guest: https://twitter.com/fransrosen
Detectify
Discovering s3 subdomain takeovers
https://labs.detectify.com/writeups/hostile-subdomain-takeover-using-heroku-github-desk-more/
bucket-disclose.sh
https://gist.github.com/fransr/a155e5bd7ab11c93923ec8ce788e3368
A deep dive into AWS S3 access controls
Attacking Modern Web Technologies
Live Hacking like a MVH
Account hijacking using Dirty Dancing in sign-in OAuth flows
Timestamps:
(00:00:00) Introduction
(00:11:41) Franz Rosen's Bug Bounty Journey and Detectify
(00:20:21) Pseudo-code, typing, and thinking like a dev
(00:27:11) Hunter Methodologies and automationists
(00:42:31) Time on targets, Iteration vs. Ideation
(00:58:01) S3 subdomain takeovers
(01:11:53) Blog posting and hosting motivations
(01:20:21) Detectify and entrepreneurial endeavors
(01:36:41) Attacking Modern Web Technologies
(01:52:51) postMessage and MessagePort
(02:05:00) Live Hacking and Collaboration
(02:20:41) Account Hijacking and OAuth Flows
(02:35:39) Hacking + Parenthood
-
Episode 74: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Roni "Lupin" Carta for a deep dive into supply chain attacks and dependency confusion. We explore the supply chain attacks, the ethical considerations surrounding maintainers and hosting packages on public registries, and chat about the vision and uses of his new tool Depi.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today's Sponsor - Project Discovery: https://nux.gg/podcast
Today’s Guest: https://x.com/0xLupin
Resources:
Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
git-dump
https://github.com/tomnomnom/dotfiles/blob/master/scripts/git-dump
Depi
https://www.landh.tech/depi
Weak links of Supply Chain
https://arxiv.org/pdf/2112.10165
Timestamps:
(00:00:00) Introduction
(00:07:13) Overveiw of Supply Chain Flow
(00:15:14) Getting our Scope
(00:23:46) Depi
(00:29:12) Types of attacks and finding the 80/20
(00:45:06) Maintainer attacks
(01:10:40) Regestries, artifactories, and an npm bug
(01:31:51) Grafana NPX Confusion
-
Episode 73: In this episode of Critical Thinking - Bug Bounty Podcast we give a brief recap of Nahamcon and then touch on some topics like WAF bypass tools, sandboxed iframes, and programs redacting your reports.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today's Sponsor - Project Discovery: https://nux.gg/podcast
Resources:
?. Tweet
https://x.com/garethheyes/status/1786836956032176215
NoWafPls
https://github.com/assetnote/nowafpls
Redacted Reports
https://x.com/deadvolvo/status/1790397012468199651
Breaking CORS
https://x.com/MtnBer/status/1794657827115696181
Sandbox-iframe XSS challenge solution
https://joaxcar.com/blog/2024/05/16/sandbox-iframe-xss-challenge-solution/
iframe and window.open magic
https://blog.huli.tw/2022/04/07/en/iframe-and-window-open/#detecting-when-a-new-window-has-finished-loading
domloggerpp
https://github.com/kevin-mizu/domloggerpp
Timestamps
(00:00:00) Introduction
(00:03:29) ?. Operator in JS and NoWafPls
(00:07:22) Redacting our own reports
(00:11:13) Breaking CORS
(00:17:07) Sandbox-iframes
(00:24:11) Dom hook plugins
-
Episode 72: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss some hot research from the past couple months. This includes ways to smuggle payloads in phone numbers and IPv6 Addresses, the NextJS SSRF, the PDF.JS PoC drop, and a GitHub Enterprise Indirect Method Information bug. Also, we have an attack vector featured from Monke!
Follow us on twitter at: @ctbbpodcast
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today's Sponsor - Project Discovery: https://nux.gg/podcast
Resources:
PDF.JS Bypass to XSS
https://github.com/advisories/GHSA-wgrm-67xf-hhpq
https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
PDFium
NextJS SSRF by AssetNote
Better Bounty Transparency for hackers
Slonser IPV6 Research
Smuggling payloads in phone numbers
Automatic Plugin SQLi
DomPurify Bypass
Bug Bounty JP Podcast
Github Enterprise send() bug
https://x.com/creastery/status/1787327890943873055
https://x.com/Rhynorater/status/1788598984572813549
Timestamps:
(00:00:09) Introduction
(00:03:20) PDF.JS XSS and NextJS SSRF
(00:12:52) Better Bounty Transparency
(00:20:01) IPV6 Research and Phone Number Payloads
(00:28:20) Community Highlight and Automatic Plugin CVE-2024-27956
(00:33:26) DomPurify Bypass and Github Enterprise send() bug
(00:46:12) Caido cookie and header extension updates
-
Episode 71: In this episode of Critical Thinking - Bug Bounty Podcast Keith Hoodlet joins us to weigh in on the VDP Debate. He shares some of his insights on when VDPs are appropriate in a company's security posture, and the challenges of securing large organizations. Then we switch gears and talk about AI bias bounties, where Keith explains the approach he takes to identify bias in chatbots and highlights the importance of understanding human biases and heuristics to better hack AI.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
Today's Sponsor - Project Discovery: https://nux.gg/podcast
Today’s guest: Keith Hoodlet
https://securing.dev/
Resources:
Daniel Miessler's article about the security poverty line
https://danielmiessler.com/p/the-cybersecurity-skills-gap-is-another-instance-of-late-stage-capitalism/
Hacking AI Bias
https://securing.dev/posts/hacking-ai-bias/
Hacking AI Bias Video
https://youtu.be/AeFZA7xGIbE?si=TLQ7B3YtzPWXS4hq
Sarah's Hoodlet's new book
https://sarahjhoodlet.com
Link to Amazon Page
https://a.co/d/c0LTM8U
Timestamps:
(00:00:00) Introduction
(00:04:09) Keith's Appsec Journey
(00:16:24) The Great VDP Debate Redux
(00:47:18) Platform/Hunter Incentives and Government Regulation
(01:06:24) AI Bias Bounties
(01:26:27) AI Techniques and Bugcrowd Contest
- Visa fler