Critical Thinking - Bug Bounty Podcast

Episode 160: In this episode of Critical Thinking - Bug Bounty Podcast Joseph and Brandyn. Chat through some news, Including a Cloudflare Zero-day, Turning List-Unsubscribe into an SSRF/XSS Gadget, & Magic String Denial of Service in Claude.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynoraterhttps://x.com/rez0__https://x.com/gr3pmeCritical Research Lab:https://lab.ctbb.show/ ====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today’s Sponsor: Adobe.Use code CTBB040126, and get a 10% bonus on your bounty for any AI vulnerability which is mapped to the OWASP LLM top 10.Valid on Adobe Acrobat Web - AI Assistant / PDF Spaces / Content Creation and presentation features using ExpressAdobe Express AI Assistant. Valid through April 1st, 2026Also we have a Google Cloud VRP Swag Bonus! Mention the podcast in any rewarded (cash or credit) VRP report submission before the end of April to receive bonus swag!====== Resources ======Cloudflare Zero-dayhttps://fearsoff.org/research/cloudflare-acmeTurning List-Unsubscribe into an SSRF/XSS Gadgethttps://security.lauritz-holtmann.de/post/xss-ssrf-list-unsubscribe/Breaking Multi-Tenant Isolation in Heroku Postgreshttps://allistair.sh/blog/breaking-heroku-postgres/Parse and Parse: MIME Validation Bypass to XSS via Parser Differentialhttps://lab.ctbb.show/research/parse-and-parse-mime-validation-bypass-to-xss-via-parser-differentialClaude Magic String Denial of Servicehttps://x.com/Frichette_n/status/2013988503336415522From WebView to Remote Code Injectionhttps://djini.ai/from-webview-to-remote-code-injection/DOM XSS Is Not Dead: The Rise of Polyglot Payloadshttps://blogs.jsmon.sh/dom-xss-is-not-dead-the-rise-of-polyglot-payloads/====== Timestamps ======(00:00:00) Introduction(00:06:17) Cloudflare Zero-day & Turning List-Unsubscribe into an SSRF/XSS Gadget(00:16:57) Breaking Multi-Tenant Isolation in Heroku Postgres & CTBB Research(00:25:46) Claude Magic String Denial of Service & From WebView to Remote Code Injection

Episode 158: In this episode of Critical Thinking - Bug Bounty Podcast we talk about our personal takeaways from the CTBB Charity Hackalong, and then break down some InsertScript POCs, what a $55,000 bug can look like, and if Smart People Ever Say They’re Smart.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynoraterhttps://x.com/rez0__https://x.com/gr3pmeCritical Research Lab:https://lab.ctbb.show/ ====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26https://ztw.com/====== Resources ======InsertScript - XSS Challenge Solutionhttps://insert-script.blogspot.com/2020/03/xss-challenge-solution-refresh-header.htmlInsertScript - Redirect AuthHeaderhttps://www.insert-script.com/examples/redirectAuthHeader/send.htmlCRLF injection on a 302 redirecthttps://x.com/0xdef1ant/status/2009040359482118500Multiple XSS in Meta Conversion API Gateway Leading to Zero-Click Account Takeoverhttps://ysamm.com/uncategorized/2025/01/13/capig-xss.htmlArcanum Hack Tipshttps://github.com/Arcanum-Sec/hack_tipsTrail of Bits Releases Claude Skillshttps://x.com/dguido/status/2011541318229533063what a $55,000 bug can look likehttps://x.com/the_IDORminator/status/2007480636244697237Pwning Claude Code in 8 Different Wayshttps://flatt.tech/research/posts/pwning-claude-code-in-8-different-ways/Do Smart People Ever Say They’re Smart?https://labs.watchtowr.com/do-smart-people-ever-say-theyre-smart-smartertools-smartermail-pre-auth-rce-cve-2025-52691/====== Timestamps ======(00:00:00) Introduction(00:04:18) Technical takeaways from CT Charity Hackalong(00:22:21) InsertScript POCs & Rez0 and teknogeek's IOT Adventures(00:32:16) CRLF injection on a 302 redirect & Multiple XSS in Meta(00:41:00) Trail of Bits, what a $55,000 bug can look like, & Pwning Claude Code(00:54:16) Do Smart People Ever Say They’re Smart?

Episode 156: In this episode of Critical Thinking - Bug Bounty Podcast we answer some fantastic questions from over at bugbounty.forumFollow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater, rez0 and gr3pme on X:https://x.com/Rhynoraterhttps://x.com/rez0__https://x.com/gr3pme====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!====== Resources ======Critical Thinking Lablab.ctbb.showCross-Site ETag Length Leakhttps://blog.arkark.dev/2025/12/26/etag-length-leakClawdbothttps://github.com/clawdbot/clawdbot/Post from Steve Caldwellhttps://x.com/moreconfetti/status/2006494133159162008====== Timestamps ======(00:00:00) Introduction(00:00:58) Crit Lab update(00:04:36) Cross-Site ETag Length Leak(00:13:26) Clawdbot(00:16:56) Will bug hunting become obsolete, LHE invitations, and Fulltime vs Part time?(00:30:52) 10 bugs at $5k or 1 bug at $5k, CTBB Background, & Future Plans(00:38:32) Mentoring, Conquering Classes, and what angles we implement from the podcast(00:49:27) Best approach on new targets, tips for making 500k in a year, AI/Vibecoding & Human in the Loop(00:59:07) Mentally mapping the target, anti-patterns that waste time, and BB beliefs that were wrong.(01:10:12) Tackling small scope, staying on one program, picking up after a break, & moving on(01:17:41) Invisible elements that make the difference between $2k and $20k

Episode 154: In this episode of Critical Thinking - Bug Bounty Podcast Joseph and Brandyn talk through the transition from Bug Bounty hunting to Pentesting. We cover diversifying income streams, the challenges of pricing for Pentests, legal considerations, and what Bug Hunters can bring to the Pentesting worldFollow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynoraterhttps://x.com/rez0__https://x.com/gr3pme====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!====== Timestamps ======(00:00:00) Introduction(00:03:36) Starting a Pentesting Company (00:12:25) Advantages of Pentesting as a Bug Bounty Hunter(00:29:03) Pricing, Sales, and knowing your Market/Worth(00:36:21) Compliance in Pentests & Rapid-Fire Takaways

Episode 152: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Sasi Levi from Noma Security to talk about AI and Agentic Security. We also talk about ForcedLeak, a Google Vertex Bug, and debate if Prompt Injection is a real Vuln.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynoraterhttps://x.com/rez0__https://x.com/gr3pme====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.CHeck out our New Christmas Swag at https://ctbb.show/merch!Today's Sponsor: ThreatLocker. Check out ThreatLocker Elevation Controlhttps://ctbb.show/tl-ecAnd Noma Security! https://noma.security/Today’s Guest: https://x.com/sasi2103====== This Week in Bug Bounty ======Vercel Platform ProtectionDedicated HackerOne program for Vercel WAFYesWeHack Open Source ProgramsAndroid recon for Bug Bounty hunters====== Resources ======Sasi's Tweet from 2015ForcedLeak: AI Agent risks exposed in Salesforce AgentForceIs Prompt Injection a Vulnerability?====== Timestamps ======(00:00:00) Introduction(00:09:16) Google Vertex AI Bug(00:29:28) Sasi's Background and Bug Bounty Journey(00:38:55) Resources for AI and Agentic Security Methodology(00:50:34) ForcedLeak(01:02:06) Is Prompt Injection a Vuln?

Episode 150: In this episode of Critical Thinking - Bug Bounty Podcast we're highlighting some cool news and research, but not before expressing our gratitude to the Hacker community. We are so thankful for you all!Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynoraterhttps://x.com/rez0__https://x.com/gr3pme====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today's Sponsor: ThreatLocker. Check out ThreatLocker Elevation Controlhttps://ctbb.show/tl-ec====== This Week in Bug Bounty ======Cache Overflow on Cloudflare====== Resources ======Breaking Oracle’s Identity ManagerWho Needs a Blind XSS?ASP.NET MVC View Engine Search PatternsHereticLesser known techniques for large-scale subdomain enumAntigravity – Known IssuesBug Bounty DailyCaido version of AssetNote Surf====== Timestamps ======(00:00:00) Introduction(00:09:47) Breaking Oracle’s Identity Manager & Who Needs a Blind XSS?(00:20:37) ASP.NET MVC View Engine Search Patterns & Heretic(00:29:04) Lesser known techniques for large-scale subdomain enum(00:35:29) Gemini 3 & Antigravity.(00:45:57) Bug Bounty Daily (00:52:42) Surf for Caido

Episode 148: In this episode of Critical Thinking - Bug Bounty Podcast Justin gives us a crash course on Model Context Protocol.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynoraterhttps://x.com/rez0__https://x.com/gr3pme====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!====== Timestamps ======(00:00:00) Introduction(00:02:51) MCP Architecture & Authentication(00:13:08) Roots, Sampling, & Elicitation(00:19:15) Tools and Resources