

Episode 140: Crit Research Lab Update & Client-Side Tricks Galore
Sep 18, 2025
Discover the latest from the Crit Research Lab as experts unpack postMessage vulnerabilities and the intricacies of Cookie Chaos. Dive into the nuances of cross-origin request forgery, and learn about the latest AI-driven business logic bugs. The hosts share valuable insights for beginners in live hacking, covering everything from teamwork strategies to solo approaches at events. Plus, hear community stories that highlight innovative exploits and practical hunting techniques for effective web security.
AI Snips
Web Worker XSS Can Reach Main Origin
- XSS inside a web worker can be escalated to main-origin XSS using the Blob API and drag-and-drop techniques.
- This is a universal, long-lived technique because blobs remain same-origin and rely on browser behavior.
Publish Micro Research For Exposure
- Submit short micro-research writeups to the Crit Research Lab to get published and distributed.
- Expect modest payouts ($20–$250) and access to the research Discord channel as incentives.
Persist And Collect Leads
- If you struggle early in bug bounty, keep going and accumulate interesting leads rather than expecting instant bounties.
- Write down odd behaviors and share a batch of leads later to increase chances of a useful find.