Critical Thinking - Bug Bounty Podcast
Justin Gardner (Rhynorater) & Joseph Thacker (Rez0)
A "by Hackers for Hackers" podcast focused on technical content ranging from bug bounty tips, to write-up explanations, to the latest hacking techniques.
Episodes

Dec 4, 2025 • 1h 7min
Episode 151: Client-side Advanced Topics
Dive into the nuances of third-party cookies and learn how Chrome's partitioning impacts security. Discover clever iframe tricks and the intricacies of postMessage for cross-window communication. Explore the dangers of URL parsing quirks and how they can open doors to novel attacks. From sandboxed iframes to managing window hijacking, this conversation offers fresh insights into advanced client-side vulnerabilities and strategies to defend against them.

Nov 27, 2025 • 57min
Episode 150: ASP.NET MVC Patterns, Popping Oracle Identity, and Esoteric Subdomain Enumeration
This discussion dives into breakthroughs in Oracle Identity Manager, revealing critical path parameter vulnerabilities. There's a clever technique for exfiltrating data using Google Sheets that showcases the power of automation. ASP.NET MVC patterns are explored, highlighting their potential for file write escalations. The hosts introduce under-the-radar subdomain enumeration methods and touch on intriguing AI developments, including the Gemini 3 release and innovative coding tools. A strong emphasis on community support and knowledge sharing rounds out the conversation.

Nov 20, 2025 • 1h 3min
Episode 149: DEFCON Debrief: AI Vulns, Unicode Weirdness, and Wild Vulnerability Chains
This week, the hosts dive into highlights from DEFCON, discussing groundbreaking research on exploiting cloud VPNs and the security pitfalls of smart devices. They explore the curious world of Unicode surrogates and their impact on database queries. The conversation moves to the risks associated with passkeys and potential vulnerabilities in GraphQL access controls. Not to be missed, they dissect innovative techniques for DOM clobbering and the clever use of calendar invites for security breaches. Tune in for insights on hacking and cutting-edge tools!

Nov 13, 2025 • 32min
Episode 148: MCP Hacking Guide
Dive into the intriguing world of Model Context Protocol (MCP) and its significance for AI pentesting. Discover the architecture and authentication quirks that hackers need to be aware of, including risks like dynamic client registration. Learn how sampling and elicitation can unveil dangerous vulnerabilities. Plus, explore the implications of using Git resources and templated URIs for potential exploits. Packed with insights on how to approach security research practically, this discussion is a must-listen for cybersecurity enthusiasts!

Nov 6, 2025 • 59min
Episode 147: Stupid Simple Hacking Workflow Tips
Discover essential workflow tips to enhance your hacking efficiency! Learn about the latest in bug bounty news, including Netscaler and HTTP request smuggling. Hear exciting stories from live hacking events that showcase teamwork’s power. Optimize your approach with tools like Chrome DevTools and CyberChef for decoding tasks. Explore clipboard transformations and macOS proxy techniques for API testing. Plus, dive into JXScout for JavaScript analysis and utilize AI assistants to speed up your processes. Perfect your hacking game with these clever shortcuts!

Oct 30, 2025 • 1h 51min
Episode 146: Hacking Horror Stories
Get ready for a spooky ride as hosts share chilling bug bounty horror stories! From a browser extension leaking employee tokens to a live hacking event gone wrong with a massive zip file, the tales are gripping. Hear about accidental disruptions, like sysprepping a hypervisor and getting fired over a disruptive XSS tool. They explore the risks of weak credentials in guest Wi-Fi and how an open banking hack led to account takeovers. It's a mix of thrills and tech as they unveil the scariest sides of hacking!

Oct 23, 2025 • 28min
Episode 145: Gr3pme's Secret: Bug Bounty Note Taking Methodology
Dive into innovative note-taking strategies that can elevate your bug bounty game! Learn how structured notes can boost collaboration and long-term success. Explore threat modeling techniques and essential attack vectors to watch for. Brandyn shares a Notion template and practical tips for monitoring JavaScript artifacts and other high-signal indicators. Plus, discover the benefits of turning past reports into valuable insights. Unlock the secrets to effective teamwork and streamlined investigations!

Oct 16, 2025 • 53min
Episode 144: Google’s Top AI Hackers: Busfactor and Monke
In this discussion, Vitor Falcão, a full-time bug bounty hunter known for his client-side exploits, and Ciarán Cotter, a seasoned researcher focused on AI vulnerabilities, dive into their recent successes at the Mexico Live Hacking event. They share insights on transitioning from front-end to AI targets, strategies for submitting bugs, and the challenges faced in full-time hacking careers. Vitor highlights the balance needed to avoid isolation in the industry, while both explore the complexities of exploiting AI-related vulnerabilities.

Oct 9, 2025 • 1h 4min
Episode 143: New Cohost + Client-Side Gadgets, LHE Meta — Instant Global Admin in Entra!
A new co-host joins the discussion as they dive into the excitement of live hacking events and the strategic dynamics of report writing. Recent news highlights YesWeHack's major EU contract win. The hosts tackle deep pentesting scopes and the advantages of non-chained gadgets. They explore the intricacies of exploiting backend implementations and share clever techniques like client-side attribute smuggling. Insights on the Entra actor token flaw reveal critical vulnerabilities, while a practical discussion of tools like Flareprox rounds out the technical content.

Oct 2, 2025 • 55min
Episode 142: Gr3pme's Full-Time Hunting Journey Update, Insane AI research, And Some Light News
Brandon, known as gr3pme, is an accomplished bug bounty hunter and AI security researcher who recently transitioned to full-time work and founded Murtasec. He shares insights on what going full-time means for his career and the unexpected opportunities it has presented. The conversation covers web vulnerabilities, including a notable $111,750 payout for a path traversal to RCE. They also delve into AI security tools, discussing the accuracy challenges with existing hackbots, and introduce innovative concepts like CVE Genie and PROMISQROUTE.
