Critical Thinking - Bug Bounty Podcast

Justin Gardner (Rhynorater) & Joseph Thacker (Rez0)
Feb 27, 2025 • 1h 8min

Episode 112: Interview with Ciarán Cotter (MonkeHack) - Critical Lab Researcher and Full-time Hunter

Ciarán Cotter, known as MonkeHack, is a dedicated bug bounty hunter and Critical Lab Researcher. He shares his insights on navigating complex vulnerabilities, particularly in WebSockets and Angular applications, revealing advanced exploitation techniques. The conversation touches on the rise of AI-related threats like prompt injection and the use of AI tools to enhance hacking strategies. Ciarán also emphasizes the importance of community collaboration in cybersecurity, making it a captivating dive into the ever-evolving world of ethical hacking.
Feb 20, 2025 • 1h 49min

Episode 111: How to Bypass DOMPurify in Bug Bounty with Kevin Mizu

Kevin Mizu, a security researcher at Bisecure specializing in web app security, discusses the critical vulnerabilities associated with DOMPurify. He explores dangerous allow-lists, improper sanitization techniques, and the significance of managing configurations. Mizu shares insights into his own bug bounty experiences, including the exploitation of misconfigured regex patterns and the nuances of Unicode normalization. The conversations emphasize creative thinking in cybersecurity and the intricate methods used to bypass HTML sanitization, underscoring the complexities in maintaining web application security.
Feb 13, 2025 • 50min

Episode 110: Oauth Gadget Correlation and Common Attacks

This discussion dives into the intriguing world of OAuth vulnerabilities and the tactics hackers employ to exploit them. It highlights a critical bypass in DOMPurify, explores AI's role in vulnerability testing, and underscores the importance of secure API key management. The speakers examine OAuth flows and common attack vectors, sharing insights on enhancing security practices. Additionally, they reveal shocking vulnerabilities in Azure AD, demonstrating the risks of inadequate token validation. It's an engaging mix of technical insights and community-driven education.
Feb 6, 2025 • 1h 2min

Episode 109: Creative Recon - Alternative Techniques

Dive into the latest drama surrounding DeepSeek and the implications of AI in security measures like CAPTCHA and 2FA. Discover the challenges of AI training costs and the vulnerabilities linked to an AI database. Explore innovative vulnerability reporting techniques, highlighting 'report pointers' for credibility. Get insights into alternative reconnaissance methods in bug hunting, and learn how to uncover hidden assets and vulnerabilities using modern tools and AI. An exciting blend of technology and security awaits!
Jan 30, 2025 • 1h 31min

Episode 108: How to Hack Salesforce, ServiceNow, and Other SaaS Products With Aaron Costello

Aaron Costello, a SaaS security expert known for his insights on misconfigurations, dives into the complexities of hacking Salesforce, ServiceNow, and Power Pages. He humorously contrasts hacker stereotypes with dedicated bug bounty hunters. Discussion includes the dangers of file upload vulnerabilities and the significance of proper access controls. Notably, he explores SOQL injection vulnerabilities and the intricacies of Salesforce Apex classes, while emphasizing collaboration in identifying security flaws across various SaaS platforms. Tune in for practical techniques and insider insights!
Jan 23, 2025 • 1h 6min

Episode 107: Bypassing Cross-Origin Browser Headers

Dive into the world of cybersecurity as the hosts discuss the intricacies of cross-origin security headers and share insights from their experiences. Discover vulnerabilities in Google's OAuth system and learn about gift card hacking exploits. Explore the importance of teaching kids about tech through fun anecdotes and the role of community in supporting innovative research. With a new co-host and engaging discussions on AI in security, this episode is packed with information for both tech lovers and aspiring hackers alike!
Jan 16, 2025 • 58min

Episode 106: Announcing our new cohost...

The podcast introduces a new co-host, Joseph Thacker, who shares his journey into full-time bug bounty hunting. Highlights include discussions on double-click jacking and its implications for web security. The hosts delve into the significance of automation in bug hunting, showcasing various tools and techniques. They also explore character set attacks and SVG XSS vulnerabilities, while emphasizing the need for robust defenses. Finally, a look ahead reveals plans for enhanced community engagement and original research initiatives in the coming years.
Jan 9, 2025 • 2h 18min

Episode 105: Best Critical Thinking Moments from 2024

This week features Sam Curry, a renowned bug bounty hunter known for secondary context bugs, and Johan Carlson, an expert in highly CSP environments. They discuss captivating topics like Blind XSS vulnerabilities, web exploits, and debugging techniques for IoT devices. Matan Bear shares insights on client-side attacks using DevTools, while Mariah Gardner highlights the balance between bug bounty hunting and personal relationships. Together, they explore the dynamic nature of cybersecurity and the importance of continuous learning in the field.
Jan 2, 2025 • 29min

Episode 104: 2024 Hacker Stats & 2025 Goals

Reflecting on the highs and lows of 2024, the host dives into personal achievements and outlines ambitious goals for 2025. They introduce exciting community initiatives like the Bug Bounty Hunters Guild and Critical Research Lab. Insights into personal inventory reveal valuable lessons learned, emphasizing the importance of community and accountability in the bug bounty world. It's a thoughtful mix of reflection and forward-thinking that promises to inspire fellow hackers.
Dec 26, 2024 • 1h 1min

Episode 103: Getting ANSI about Unicode Normalization

Dive into the potential vulnerabilities of ANSI codes and the world of large language models as the hosts uncover innovative hacking techniques. Explore the intricacies of Unicode normalization and its impact on web security, especially concerning command injections. Delve into cookie manipulation challenges and learn about the balance between hackbots and cybersecurity. The discussion also highlights success stories within the community, showcasing the importance of collaboration and sharing knowledge in the ever-evolving tech landscape.
