Episode 106: In this episode of Critical Thinking - Bug Bounty Podcast we are pleased to announce our new co-host of the podcast: Joseph Thacker Aka Rez0! We discuss Joseph's transition to full-time bug bounty hunting, his goals, and what he’s looking forward to bringing to the pod. We also cover some news items including doubleclickjacking, character set attacks, SVG XSS, and more.
Follow us on twitter at: @ctbbpodcast
Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Rez0 on twitter:
https://x.com/Rhynorater
https://x.com/rez0__
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Check out our new SWAG store at https://ctbb.show/swag!
Resources
DoubleClickjacking: A New Era of UI Redressing
https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html
XBOW Validation Benchmarks
https://github.com/xbow-engineering/validation-benchmarks
Jorian tweet
https://x.com/J0R1AN/status/1871586792455163975
Simplified Payload
https://portswigger-labs.net/xss/charset.php?x=%1b$B%1b(B%3Ca%20href=javas%1B(Jcript:alert(1)%3Etest%3C/a%3E&charset=
SVG XSS Payload
https://x.com/garethheyes/status/1876953751245783534
curl-cffi
https://pypi.org/project/curl-cffi/
Bypassing File Upload Restrictions To Exploit CSPT
https://blog.doyensec.com/2025/01/09/cspt-file-upload.html
AI-Crash-Course
https://github.com/henrythe9th/AI-Crash-Course?tab=readme-ov-file
Timestamps
(00:00:00) Introduction
(00:02:15) Rez0's journey to Full-time hunter, Tool developer, and new Co-host
(00:21:04) DoubleClickjacking
(00:31:48) XBOW Validation Benchmarks, Charset Thoughts, and SVG XSS
(00:42:28) curl-cffi, CSPT, and AI Crash Course
