
Nagli

Bug bounty hunter who shared his experience of a complex bug involving cloud resources, Azure DevOps, and account takeover.

Top 3 podcasts with Nagli

Ranked by the Snipd community
6 snips
Dec 5, 2024 • 1h 42min

Ep 100 - 8 Fav Bugs of 2024, Farewell Joel, Hello Shift - Cursor of Hacking

Join bug bounty experts Nagli, Shubs, Douglas Day, Alex Chapman, Nahamsec, and Rez0 as they share their favorite bugs of 2024. Nagli dives into a complex Azure DevOps vulnerability, while Shubs discusses pre-authentication exploits. Douglas reveals an account takeover lapse in a streaming service, and Alex describes a tricky XSS issue. Nahamsec highlights teamwork in a collaborative bug event, and Rez0 explains a server-side template injection in Shift AI. Celebrate a milestone while gaining insights into the wild world of ethical hacking!
6 snips
Apr 13, 2023 • 1h 8min

Episode 15: The Israeli Million-Dollar Hacker

Episode 15: In this episode of Critical Thinking - Bug Bounty Podcast we talk with the latest Million-Dollar bug bounty hunter: @naglinagli. He talks about his climb from $1,000 in bounties to $1,000,000, recon tips and tricks, and some bug reports that made the news and landed him the "Best Bug" award at a H1 Live Hacking event.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater

Follow Nagli and his new startup Shockwave:
https://twitter.com/naglinagli
https://twitter.com/shockwave_sec

HackMD Collaborative Notes:
https://hackmd.io/

Ian Carroll's Airline Miles Website:
https://seats.aero

Nagli's Tweet in ChatGPT Web Cache Deception:
https://twitter.com/naglinagli/status/1639343866313601024

Timestamps:
(00:00:00) Intro
(00:04:40) Nagli’s Climb
(00:05:40) What kind of vulns do you look for?
(00:09:25) Working with other hackers
(00:10:20) Bug Bounty Hunter’s Guild
(00:12:35) Shockwave product
(00:14:12) Outsourcing tool development
(00:18:46) What got you started?
(00:21:13) Manual hacking vs recon suite + LHE focus
(00:25:00) How do you take notes
(00:29:42) Biggest things that you’ve learned over the past 2 years
(00:31:29) How do you ingest new techniques?
(00:31:50) Collaboration
(00:37:20) Justin Ranting about “Trained Eyes”
(00:40:18) Time spent coding vs hacking
(00:45:28) Travel and spending habits
(00:54:16) Grep is Nagli’s database
(00:56:20) Nagli’s ChatGPT Web Cache Deception
(00:58:44) What does your alerting look like?
(01:01:50) Nagli’s “Most Critical” SSRF
(01:04:30) Burp Active Scan
Dec 14, 2023 • 52min

Episode 49: Getting Live Hacking Event Invites & Bug Bounty Collab with Nagli

Nagli, cybersecurity expert and bug bounty hunter, joins Justin Gardner to discuss recent hacking discoveries. They explore finding and exploiting a backup file, vulnerabilities through Swagger files, and debate an 'undisclosed' domain. They reflect on the Live Hacking Event circuit in 2023 and preview what's to come in 2024. They also share strategies for getting invited to live hacking events and discuss their experience at previous events.