

Critical Thinking - Bug Bounty Podcast
Justin Gardner (Rhynorater) & Joseph Thacker (Rez0)
A "by Hackers for Hackers" podcast focused on technical content ranging from bug bounty tips, to write-up explanations, to the latest hacking techniques.

Jul 20, 2023 • 1h 18min
Episode 28: Surfin' with CSRFs
Episode 28: In this episode of Critical Thinking - Bug Bounty Podcast, the CSRF’s up, dude! We kick off with a debate about whether or not deep link vulns in mobile apps can be considered CSRF. We also talk browser extensions and tools like Hackbar, PwnFox, and JS Weasel, and Justin tries to invent a whole new vuln term. There’s plenty of good stuff here, so what are you waiting for? Jump on in!

Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
rez0's latest tip
https://twitter.com/rez0__/status/168134822190014466019
Hackbar
https://addons.mozilla.org/en-US/firefox/addon/hackbartool/
PwnFox
https://twitter.com/adrien_jeanneau/status/1681364665354289152
JS Weasel
https://www.jswzl.io/
Charlie Eriksen
https://twitter.com/CharlieEriksen
Link to talk by Rojan
https://twitter.com/uraniumhacker/status/1681381857383030785
Bypassing GitHub's OAuth flow
https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html
Great SameSite Confusion
https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/
Check out Nahamsec's Channel
https://www.youtube.com/c/nahamsec

Timestamps:
(00:01:45) The deep link debate
(00:08:00) LHE and in-person interviews
(00:09:25) SQLMAP and raw requests
(00:11:11) Hackbar, PwnFox, and browser extensions
(00:16:45) JS Weasel tool and its features
(00:25:28) Rojan's Research and Public Talks
(Start of main content)
(00:28:36) Cross-Site Request Forgery (CSRF)
(00:35:00) Bypassing GitHub's OAuth flow
(00:45:00) A Small SameSite Story
(00:48:50) CSRF Exploitation Techniques
(01:07:15) CSRF Bug Stories
(01:15:30) NahamSec and DEFCON

Jul 13, 2023 • 1h 20min
Episode 27: Top 7 Esoteric Web Vulnerabilities
Episode 27: In this episode of Critical Thinking - Bug Bounty Podcast, we've switched places and now Joel is home while Justin is on the move. We break down seven esoteric web vulnerabilities, and talk Cookies, Config File Injections, Client-side path traversals and more. We also briefly discuss appliance hacking, new tools, and shout out some new talent in the hacking space. Don't miss this episode full of cool vulns, and experience Justin's vocal decline in real time.

Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Encrypted Doesn't Mean Authenticated:
https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/
Tweet about headless chrome browser
https://twitter.com/bhavukjain1/status/1678719047209484288?t=NWnZvwHTRMyH_lVC-uXe0g&s=19
Shout out to new talent within the hacking space
https://twitter.com/haxrob
https://twitter.com/atc1441
Tweet about hacking Google Search Appliance
https://twitter.com/orange_8361/status/1677378401957724160
Bitquark releases shortscan
https://twitter.com/bitquark/status/1677647450989838338
Hacking Starbucks
https://samcurry.net/hacking-starbucks/
Justin's CookieJar Tool
https://apps.rhynorater.dev/checkCookieJarOverflow.html
HackTricks
https://book.hacktricks.xyz/pentesting-web/hacking-with-cookies/cookie-jar-overflow
XSLeak
https://xsleaks.dev

Timestamps:
(00:00:00) Introduction
(00:04:00) Assetnote on ShareFile RCE
(00:13:05) Headless Browsers
(00:17:00) Hacker Content Creators
(00:22:51) Appliance Hacking
(00:30:31) Shortscan Release
(Start of main content)
(00:35:39) Config File Injection
(00:44:00) Client-side Path Traversal
(00:51:33) Cookie Bombing
(00:58:00) Cookie Jar Overflow
(01:03:50) XSLeak
(01:10:49) UNC Path Injection
(01:15:50) Impactful Link Hijack

Jul 6, 2023 • 1h 33min
Episode 26: Client-side Quirks & Browser Hacks
In this episode of Critical Thinking - Bug Bounty Podcast, we're back with Joel, fresh (haha) off of back-to-back live hack events in London and Seoul. We compare the different vibes of each LHE, then we dive into the technical thick of it, and talk web browsers, XSS vectors, new tools, and CVSS 4.

Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
______
Hunting for NGINX alias traversals in the wild
PortSwigger Tweet
Soroush's Follow-up
Tweet about magic math element
<22 weird XSS behavior
Lupin’s follow-up
Patch diffing
Changes to CVSS 4.0
Ask FIRSTdotORG what's going on
jsluice
JS import() behavior
'JavaScript for Hackers'
CSP Evaluator:
Dom Clobbering
HTML Injection Cheat Sheet
Gareth Heyes website/game
______

Timestamps:
(00:00:00) Introduction
(00:04:10) LHE Vibes
(00:07:45) "Hunting for NGINX alias traversals in the wild"
(00:12:30) Payouts in BB programs
(00:16:05) New XSS vectors and popovers
(00:24:15) The "magical math element" in Firefox
(00:27:15) LiveOverflow on HTML parsing quirks
(00:32:10) Mr. Tux Racer, Woocommerce, and WordPress
(00:40:00) Changes in the CVSS 4 draft spec
(00:45:00) TomNomNom's new tool jsluice
(00:51:15) JavaScript's import function & "JavaScript for Hackers"
(01:09:15) Prototype pollution & DOM clobbering
(01:18:10) Base tags and CSS Games

Jun 29, 2023 • 1h 12min
Episode 25: 2xMVH & Multi-million dollar hacker Inhibitor181
Episode 25: In this episode of Critical Thinking - Bug Bounty Podcast we talk to Cosmin (@Inhibitor181), fresh off of winning his 2nd MVH! We chat about the time management and strategy of hacking Multi-Target LHEs, determining when to pivot, and how to find normalcy in bug bounty hunting and Live Hacking Events. We also touch on setting up Vuln Pipelines, creating mental models, and Cosmin's terrifying naming schemes. Don't miss this episode packed with both laughs and valuable insights for beginners and seasoned bug bounty hunters alike.

Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Today’s Guest:
https://twitter.com/inhibitor181
Justin's weird episode with all the Dr. Seuss Shit
https://rss.com/podcasts/ctbbpodcast/966055/?listen-on=true

Timestamps:
(00:00:00) Introduction
(00:02:52) MVH club and Multi-Target strategy
(00:12:00) Deciding when to pivot
(00:17:00) File Organization and 'unique' naming approaches
(00:23:56) Staying up to date on features and updates
(00:25:46) Hacking Sleep Habits
(00:28:15) Finding 'Normal Life' in bug bounty and LHE
(00:33:30) Vuln Pipelines, Wordlists, and full time bug bounty tips
(00:44:15) Benefits of the Bug Bounty Community
(00:47:45) Relationships with target companies and programs
(00:53:15) Creating mental models
(01:00:30) The Importance of writing good reports
(01:04:30) How to choose what to hack

Jun 22, 2023 • 1h 4min
Episode 24: AI + Hacking with Daniel Miessler and Rez0
Episode 24: In this episode of Critical Thinking - Bug Bounty Podcast, we chat with Daniel Miessler and Rez0 about the emergence and potential of AI in hacking. We cover AI shortcuts and command line tools, AI in code analysis and the use of AI agents, and even brainstorm about the possible opportunities that integrating AI into hacking tools like Caido and Burp might present. Don't miss this episode packed with valuable insights and cutting-edge strategies for both beginners and seasoned bug bounty hunters alike.

Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Today’s Guests:
https://twitter.com/rez0__
https://twitter.com/DanielMiessler
Daniel Miessler’s Unsupervised Learning
https://danielmiessler.com/
Simon Willison's Python Function Search Tool
https://simonwillison.net/2023/Jun/18/symbex/
oobabooga - web interface for models
https://github.com/oobabooga/text-generation-webui
State of GPT
https://karpathy.ai/stateofgpt.pdf
AI Canaries
https://danielmiessler.com/p/ai-agents-canaries
GPT3.5
https://community.openai.com/t/gpt-3-5-turbo-0613-function-calling-16k-context-window-and-lower-prices/263263
GPT Engineer
https://github.com/AntonOsika/gpt-engineer

Timestamps:
(00:00:00) Introduction
(00:05:40) Using AI for hacking: Developing hacking tools and workflow shortcuts
(00:11:40) GPT Engineer and Small Developer for Security Vulnerability Mapping
(00:22:40) The potential dangers of centralized vs. decentralized finance
(00:24:10) Ethical hacking and circumventing ChatGPT restrictions
(00:26:09) AI Agents, Reverse API, and Encoding/Decoding Tools
(00:31:45) Limitations of AI in context window and processing large JavaScript files
(00:36:50) Meta-prompter: Enhancing prompts for accurate responses from GPT
(00:41:00) GPT-35 and the new 616K context model
(00:45:08) Creating a loader for Burp Suite files or Caido instances
(00:54:02) Hacking AI Features: Best Practices
(01:00:00) AI plugin takeover and the need for verification of third-party plugins and tools

Jun 15, 2023 • 1h 15min
Episode 23: Hacker Loadouts
Episode 23: In this episode of Critical Thinking - Bug Bounty Podcast, we delve into a different aspect of hardware - our personal loadouts. We go through the equipment and gear we use to get our jobs done, and share stories about why we picked what we have. We also touch on live hacking events, the growing acceptance of white hat hacking, and some pretty cool news going on in the hacker world. Don't miss this episode packed with tips and strategies for both beginners and seasoned hackers alike!

Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Blog post on hacking root EPP servers
https://hackcompute.com/hacking-epp-servers/
Behind this Website:
https://github.com/jonkeegan/behind-this-website
Tweet about vRealize Network Insight:
https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/
Zoom's new vulnerability impact scoring system:
https://viss.zoom.com/specifications
Uplift Desks
https://www.upliftdesk.com/
Synergy
https://symless.com/synergy
Ahnestly chair reviews:
https://www.youtube.com/c/Ahnestly
Our producer’s new audio drama ‘Homicide at Heavensgate’
https://link.sentinelstudios.net/homicide

Timestamps:
(00:00:00) Introduction
(00:02:28) Navigating hacking events and imposter syndrome
(00:06:30) Blog post on hacking root EPP servers
(00:10:01) The growing acceptance of white-hat hacking
(00:12:25) Finding Website Owners and Contact Information
(00:16:45) VMware vRealize Network Insight CVEs and nginx reverse proxy bypass
(00:21:30) Zoom's new vulnerability impact scoring system
(00:27:24) The Importance of Analyzing Systemic Problems in Black Box Testing
(00:30:40) Documentation, Vulnerable by Design, and acceptable risk
(Start of main content)
(00:34:37) Leveling up your Hacker Setup
(00:37:13) The Importance of your body
(00:41:30) Investing in ergonomic equipment for computer work
(00:42:27) Standing Desks: Uplift Desk and DIY standing desk options
(00:46:00) Portable Tables: Flexible Workspace Solutions
(00:47:30) Monitor Setup
(00:54:40) Synergy: One keyboard and mouse across multiple devices
(00:57:20) Capture Card: Using it as a software display
(00:58:58) Keyboards and mice
(01:03:27) Using a Chromebook for lightweight hacking
(01:08:57) Chair Reviews: The Niche World of High-End Chairs

Jun 8, 2023 • 1h 12min
Episode 22: Chipping Away at Hardware Hacking
Episode 22: In this episode of Critical Thinking - Bug Bounty Podcast we talk about some basic/intermediate concepts related to Hardware Hacking. Specifically, we dive into extracting data from eMMC chips in order to get our hands on source code for IoT devices. Don't miss this episode packed with valuable insights, tips, and strategies for beginners and seasoned bug bounty hunters alike!

Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Check out NahamCon:
https://bit.ly/42vnpMS
RiverLoop Security Write-up:
https://bit.ly/3oSKL1o
Good Chip-Off Write-up:
https://bit.ly/3IWym3q
Scratching chips to expose pins:
https://bit.ly/45Tj21i
https://bit.ly/3oJJt8Z
Chat with Corben on Degrees:
https://youtu.be/N9P5PUx-PNQ?t=2311
Gareth Heyes Tweet:
https://bit.ly/3qvFNYW
Huntress - John Hammond - MOVEit Response:
https://bit.ly/42vTTXv
Critical Thinking Hardware Hacking Setup - See the gear we're talking about (Affiliate links):
https://linke.to/hardwarehackingset

Timestamps:
(00:00:00) Introduction
(00:01:03) NahamCon's Live Hacking Event and Justin's Presentation on PCI DSS
(00:02:40) Deprecation of Data URLs in SVG Use Element
(00:04:55) Gareth Heyes and knowledge sharing in the hacking community
(00:07:50) MOVEit vulnerability and John Hammond’s epic 4 am rants
(00:12:18) Identifying promising leads in bug bounty hunting, and knowing when to move on
(Start of main content)
(00:21:40) Hardware Recon, and using Test Pins to Access eMMC Chip
(00:26:16) Identifying Chip Pinouts and Continuity Testing
(00:29:01) Using Logic Analyzers for Hardware Hacking
(00:33:01) Importance of Fundamental Knowledge in Hacking, and the benefits of understanding Electrical Engineering
(00:35:46) Replay Protected Memory Block Protocol
(00:40:00) Bug Bounty Programs and Hardware Testing Support
(00:41:05) Chip Pulling techniques and Essential Equipment for Hardware Hacking
(00:59:50) Tips for Buying Hardware Hacking Tools: Research and Specific Use Cases
(01:06:35) Hardware Hacking: Just scratching the surface.
(01:08:45) Vulnerability Disclaimer: Pulling OS from a chip does not constitute a Vulnerability.

Jun 1, 2023 • 1h 14min
Episode 21: Chill Chat with Legendary DoD Hacker Corben Leo
In this episode of Critical Thinking - Bug Bounty Podcast, we chat with Corben Leo about his journey in bug bounty hunting and ethical hacking. We discuss the state of DNS rebinding in 2023, a Twitter thread by Douglas Day (@ArchAngelDDay) on one-hundred bug bounty rules, and our own unique approaches to bug hunting. We also discuss Corben's recon-focused bug hunting methodology and how he developed it. Don't miss this episode filled with valuable tips, insights, and Corben's Boring Mattress Company.

Follow us on twitter at: @ctbbpodcast
Get on our newsletter for some exclusive content: https://www.criticalthinkingpodcast.io/subscribe
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Today’s Guest:
https://twitter.com/hacker_
Article on the State of DNS Rebinding in 2023:
https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/
See @ArchAngelDDay's twitter thread about 100 bug bounty rules:
https://twitter.com/ArchAngelDDay/status/1661924038875435008
Talkback - Cybersecurity news aggregator:
https://talkback.sh/
PyPI announces mandatory 2FA:
https://www.bleepingcomputer.com/news/security/pypi-announces-mandatory-use-of-2fa-for-all-software-publishers/

Timestamps:
(00:00:00) Introduction
(00:01:05) State of DNS rebinding in 2023
(00:04:40) 100 Bug Bounty Rules by @ArchAngelDDay
(00:05:30) Give yourself a ‘no bug’ limit
(00:07:00) The value of reporting Low and Medium Bugs for Bug Bounty Programs
(00:11:15) Reporting Out of Scope Bugs
(00:14:30) Reporting IDORs as Access Control Bugs
(00:17:28) Talkback
(00:18:12) PyPI's mandatory 2FA implementation for software publishers
(Start of main content)
(00:20:07) Starting out in bug bounty/ethical hacking
(00:25:00) Hacking methodology and mentorship
(00:28:15) Identifying Load Balancers
(00:33:20) Triage and live events
(00:38:30) College and Computer Science vs. Cybersecurity
(00:45:45) Importance of writing for the Hacker Community
(00:51:21) Storytelling and report writing
(00:55:00) When to stop doing recon and start hacking
(01:00:58) Lessons Learned from BreachlessAI and the pivot to Boring Mattress Co.

May 25, 2023 • 1h 7min
Episode 20: Hacker Brain Hacks - Overcoming Bug Bounty's Mental Tolls
Episode 20: In this episode of Critical Thinking - Bug Bounty Podcast, we dive into the world of "hacker brain hacks" and overcoming challenges in bug bounty hunting. We discuss custom word lists, the rising popularity of Caido as a potential Burp Suite replacement, and Cloudflared tunnels for hosting POCs. We also tackle the mental aspects of bug bounty hunting, from procrastination to imposter syndrome, and share tips for staying motivated and avoiding burnout. Don't miss this episode packed with valuable insights and advice for both beginners and seasoned bug bounty hunters!

Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Caido:
https://caido.io
Tweet from D3mondev on Sequence Diagram:
https://twitter.com/d3mondev/status/1660803152755453952
Sequence diagram software:
https://sequencediagram.org

Timestamps:
(00:00:00) Introduction
(00:02:36) "Sequence Diagram": Sequence mapping for PoCs
(00:04:10) "SubReconGPT": AI and GPT in Bug Bounty Hacking
(00:08:30) "Caido": A Potential Replacement for Burp Suite
(00:11:34) HackerOne's New Features
(00:13:00) Cloudflared Tunnels for Red Team Assessments and Payload Hosting
(00:16:07) Mental challenges in Bug Bounty Hunting
(00:17:50) Procrastination Education: Letting fear of failure drive you into always learning, never doing.
(00:22:46) Analysis Paralysis: Starting with Bug Bounty Programs vs VDPs
(00:27:07) Automation Obsession: "When you're hacking, hack. When you're automating, automate."
(00:14:34) Imposter Syndrome: You may not be the best, but you're not the worst either.
(00:31:55) Motivation Deprivation: Stay curious, and set tiered goals
(00:36:07) Automation Obsession pt2: Do we need to say it again?
(00:37:25) Reconnaissance Cognizance: Spending too much time on recon and not enough time on hacking
(00:40:00) Bad Rabbit Holes, RIP Your Goals: Identifying good and bad rabbit holes
(00:46:01) Set Your Goal Poles: Setting specific goals for yourself.
(00:48:29) Impact Lacked: Fixating on something that's funky, but simply doesn’t really have impact
(00:51:00) The Burn-out turn-out: Mending, maintenance, and finding identity and self-worth outside hacking
(00:58:19) Responsibility Volatility: Balancing Responsibilities and Freedom as a Bug Bounty Hunter
(01:00:30) Payout Phase-out: Don't stop once you've found one bug.
(01:02:04) Report on URN Injection

May 18, 2023 • 53min
Episode 19: Audit Code, Earn Bounties (Part 2) + Zip-Snip, Sitecore, and more!
Episode 19: In this episode of Critical Thinking - Bug Bounty Podcast we further discuss some tips and tricks for finding vulns once you’ve got source code, plus some banger tweets/tools that popped up in our feed this week.

Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Part 1:
https://open.spotify.com/episode/2pdTaWHSzl9CY7PgRQtvTi
Noperator’s Zip-Snip:
https://twitter.com/noperator/status/1658313637189111808
https://github.com/noperator/zip-snip
https://noperator.dev/posts/zip-snip/
Insecure’s SIP Bugs:
https://twitter.com/ifsecure/status/1656591469518495745
AssetNote’s Sitecore Bugs:
https://blog.assetnote.io/2023/05/10/sitecore-round-two/
Fyoorer’s Shadow Clone:
https://github.com/fyoorer/ShadowClone


