Critical Thinking - Bug Bounty Podcast

Frans Rosen, The OG Bug Bounty King, discusses S3 subdomain takeovers, attacking modern web technologies, account hijacking using Dirty Dancing in OAuth flows, and bug bounty methodologies. Topics include bug hunting strategies, automation, entrepreneurship, and managing growth in the cybersecurity field.

Expert 0xLupin discusses supply chain attacks, ethical considerations for maintainers, and new tool Depi. Topics include types of attacks, vulnerabilities in CI builds, challenges in managing software dependencies, detecting supply chain attacks, domain squatting, securing bug bounty programs, significance of lock files, bug hunting emotions, analyzing attack scenarios, and risks of NPM and Yarn supply chain attacks.

Discussion on WAF bypass tools, sandboxed iframes, programs redacting bug reports, optional chaining operator in JS, Chrome cache exploit, hacker team shoutout, and innovative iframe hijacking techniques.

Discussing PDF.JS XSS and NextJS SSRF, improving bug bounty statistics, concealing data in IPv6 addresses, navigating RFC compliance, business logic vulnerabilities, bug hunting strategies, JavaScript in software development, and transitioning to a new tool efficiently.

Cybersecurity expert Keith Hoodlet discusses VDPs and AI bias bounties, highlighting challenges in securing large organizations and the importance of understanding human biases when hacking AI. They also touch on bug bounty programs, government grants for VDPs, and testing scenarios with chatbots.

Cybersecurity researcher Ben Sadeghipour discusses NahamCon news, LHEs, CI/CD, and drops cool CSP Bypasses. Topics include WordPress hacking, bug bounty rewards, sponsorships, maximizing bonuses, anticipation for NahamCon, Deppie tool, CSP bypass techniques, and bypassing Google CSP.

Johan Carlsson, a dedicated bug bounty hunter, shares his journey transitioning to full-time bug hunting. He discusses the thrill of discovering vulnerabilities like a CSP bypass in GitHub and a critical flaw in GitLab. Johan highlights his focus on complex bug types like ReDoS and OAuth, emphasizing the unpredictability that accompanies bug hunting. He also offers insights into balancing personal life with his bug bounty career, navigating financial challenges, and the importance of community support in this unique profession.

Security researcher Mathias discusses HTMX vulnerabilities and bug bounty challenges like CSP bypass, XSS conversions, and HTMX disable bypasses. They also explore CDN-CGI functionality, CTF Challenge results, and the use of HTMX in larger applications with performance trade-offs.

Exploring the benefits of Vulnerability Disclosure Programs (VDPs) and the ongoing Program VS Hacker debate. Touching on leaderboard accuracy and financial support for talented individuals. Delving into bug bounty hunting challenges and governance of bug fixes and hacker compensation. Valuing research in bug bounty programs and the importance of immediate response in securing systems.

In this podcast, they discuss YesWeHack Louis Vuitton LHE, importance of failure in bug bounty, CDN CGI research, benefits of cold showers, Louis Vuitton live hacking event, bug bounty dominance, browser market share insights, OAuth flow vulnerabilities, Kaido workflows, Blink's features, DOM secrets, data attributes in frameworks.