
Critical Thinking - Bug Bounty Podcast Episode 158: 10hr Marathon Hack-Along Recap + $300k Client-side Bugs
Jan 22, 2026
A thrilling recap of a 10-hour charity hack-along reveals unexpected challenges and insights. The hosts dive into $55,000 vulnerabilities, including injections and dangerous iframe exploits. They share techniques like postMessage race exploitation and CRLF vulnerabilities leading to XSS. Discussions on partial authentication issues and the risks of delegated permissions add a layer of complexity. With compelling tales of bug discoveries and innovative research tools, this conversation is a treasure trove for aspiring hackers.
AI Snips
Pair Hacking Streams With A Prepared Co-Host
- When live-narrating hacking sessions, pair each hacker with a co-host to bounce ideas and keep flow.
- Prepare scope and threat models ahead so handoffs can close exploits quickly.
Use Popups To Avoid JS Throttling
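- Opening the target in a new tab with window.open leaves one page in the background, where the browser throttles its JavaScript; that breaks race-condition attacks that rely on postMessage timing.
- Opening it as a small popup instead (width/height set) keeps both pages active and restores fast postMessage timing.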
Probe With Partial-Auth Tokens Immediately
- If you can reach a partial-auth state, enumerate SPA and API endpoints using those cookies/tokens immediately.
- Fuzz endpoints with the partial auth to find access to other tenants or parent-company resources.
