

Critical Thinking - Bug Bounty Podcast
Justin Gardner (Rhynorater) & Joseph Thacker (Rez0)
A "by Hackers for Hackers" podcast focused on technical content ranging from bug bounty tips, to write-up explanations, to the latest hacking techniques.
Episodes

Dec 25, 2025 • 41min
Episode 154: Starting a Pentesting Company on Top of Bug Bounty
Discover how bug bounty hunters can transition to pentesting, emphasizing the importance of diversifying income streams and understanding market dynamics. Explore the realities of pricing, sales strategies, and the legal intricacies involved in setting up a pentesting business. Learn how to leverage public findings for sales and the value of strong client communication. The hosts discuss navigating regional pricing differences and the joy of collaborative pentesting while offering tips on maintaining steady income and overcoming initial financial dips.

Dec 18, 2025 • 1h 17min
Episode 153: Hacking the Robots of the Future: Hardware, AI, and Bug Bounties with Matt Brown
Matt Brown, a hardware security researcher focused on IoT and embedded devices, dives into the intricacies of hacking robots and AI security. He shares his insights on hardware bug bounty payouts and the evolving landscape of humanoid robots, which present unique security challenges. Brown also discusses his Zero-to-Hero Hardware Hacking Guide, the nuances of firmware extraction, and the creation of automated hackbots for IoT devices. His expertise illuminates the potential risks and techniques in a future where AI and physical devices intersect.

Dec 11, 2025 • 1h 22min
Episode 152: GeminiJack and Agentic Security with Sasi Levi
Sasi Levi, a security researcher at Noma Security with a focus on AI and agentic security, shares his insights on cutting-edge vulnerabilities. He dives into the Google Vertex AI bug he discovered, revealing how it accessed confidential employee data. Sasi explains the mechanics of prompt injection and its implications, and discusses his innovative techniques for testing AI responses through documents. He also highlights his journey as a bug bounty hunter and the challenges facing security in AI applications.

Dec 4, 2025 • 1h 7min
Episode 151: Client-side Advanced Topics
Dive into the nuances of third-party cookies and learn how Chrome's partitioning impacts security. Discover clever iframe tricks and the intricacies of postMessage for cross-window communication. Explore the dangers of URL parsing quirks and how they can open doors to novel attacks. From sandboxed iframes to managing window hijacking, this conversation offers fresh insights into advanced client-side vulnerabilities and strategies to defend against them.

Nov 27, 2025 • 57min
Episode 150: ASP.NET MVC Patterns, Popping Oracle Identity, and Esoteric Subdomain Enumeration
This discussion dives into breakthroughs in Oracle Identity Manager, revealing critical path parameter vulnerabilities. There's a clever technique for exfiltrating data using Google Sheets that showcases the power of automation. ASP.NET MVC patterns are explored, highlighting their potential for file write escalations. The hosts introduce under-the-radar subdomain enumeration methods and touch on intriguing AI developments, including the Gemini 3 release and innovative coding tools. A strong emphasis on community support and knowledge sharing rounds out the conversation.

Nov 20, 2025 • 1h 3min
Episode 149: DEFCON Debrief: AI Vulns, Unicode Weirdness, and Wild Vulnerability Chains
This week, hosts dive into highlights from DEFCON, discussing groundbreaking research on exploiting cloud VPNs and the security pitfalls of smart devices. They explore the curious world of Unicode surrogates and their impact on database queries. The conversation moves to the risks associated with passkeys and potential vulnerabilities in GraphQL access controls. Not to be missed, they dissect innovative techniques for DOM clobbering and the clever use of calendar invites for security breaches. Tune in for insights on hacking and cutting-edge tools!

Nov 13, 2025 • 32min
Episode 148: MCP Hacking Guide
Dive into the intriguing world of Model Context Protocol (MCP) and its significance for AI pentesting. Discover the architecture and authentication quirks that hackers need to be aware of, including risks like dynamic client registration. Learn how sampling and elicitation can unveil dangerous vulnerabilities. Plus, explore the implications of using Git resources and templated URIs for potential exploits. Packed with insights on how to approach security research practically, this discussion is a must-listen for cybersecurity enthusiasts!

Nov 6, 2025 • 59min
Episode 147: Stupid Simple Hacking Workflow Tips
Discover essential workflow tips to enhance your hacking efficiency! Learn about the latest in bug bounty news, including Netscaler and HTTP request smuggling. Hear exciting stories from live hacking events that showcase teamwork’s power. Optimize your approach with tools like Chrome DevTools and CyberChef for decoding tasks. Explore clipboard transformations and macOS proxy techniques for API testing. Plus, dive into JXScout for JavaScript analysis and utilize AI assistants to speed up your processes. Perfect your hacking game with these clever shortcuts!

Oct 30, 2025 • 1h 51min
Episode 146: Hacking Horror Stories
Get ready for a spooky ride as hosts share chilling bug bounty horror stories! From a browser extension leaking employee tokens to a live hacking event gone wrong with a massive zip file, the tales are gripping. Hear about accidental disruptions, like sysprepping a hypervisor and getting fired over a disruptive XSS tool. They explore the risks of weak credentials in guest Wi-Fi and how an open banking hack led to account takeovers. It's a mix of thrills and tech as they unveil the scariest sides of hacking!

Oct 23, 2025 • 28min
Episode 145: Gr3pme's Secret: Bug Bounty Note Taking Methodology
Dive into innovative note-taking strategies that can elevate your bug bounty game! Learn how structured notes can boost collaboration and long-term success. Explore threat modeling techniques and essential attack vectors to watch for. Brandyn shares a Notion template and practical tips for monitoring JavaScript artifacts and other high-signal indicators. Plus, discover the benefits of turning past reports into valuable insights. Unlock the secrets to effective teamwork and streamlined investigations!


