
Critical Thinking - Bug Bounty Podcast

Latest episodes

Dec 14, 2023 • 52min

Episode 49: Getting Live Hacking Event Invites & Bug Bounty Collab with Nagli

Nagli, cybersecurity expert and bug bounty hunter, joins Justin Gardner to discuss recent hacking discoveries. They explore finding and exploiting a backup file, vulnerabilities through Swagger files, and debate an 'undisclosed' domain. They reflect on the Live Hacking Event circuit in 2023 and preview what's to come in 2024. They also share strategies for getting invited to live hacking events and discuss their experience at previous events.
Dec 7, 2023 • 1h 37min

Episode 48: MVH, DEFCON Black Badge, Googler - Sam Erb

Sam Erb, Google Security Engineer and DEFCON Black Badge winner, discusses the importance of understanding how systems work to find vulnerabilities, his engineering background influencing his hunting style and methodologies, his career development and work with Google, recent Google Vulnerability Programs, centralized management and control of API endpoints, exploring majors and career paths in security engineering and computer science, accessing open data and hosting, experience at Google and involvement in bug bounty program, hacking on Google and manipulating protobufs, discussion on Brand Indicators for Message Identification (BIMI) and abuse-related methodologies, and bug reports and prioritizing fixes.
Nov 30, 2023 • 1h 32min

Episode 47: CSP Research, Iframe Hopping, and Client-side Shenanigans

The podcast discusses the struggles of bug bounty hunting, including feeling disconnected after live hacking events and the frustration of not finding bugs. They highlight the significance of perseverance and getting into a flow state. They explore topics such as client-side paths, manipulating webpack map files, and exploiting XSS vulnerabilities in iframed domains. They also discuss the benefits of Google's extension for hacking and techniques for bypassing Content Security Policy.
Nov 23, 2023 • 44min

Episode 46: The SAML Ramble

This podcast delves into the world of SAML and its vulnerabilities, providing insights on bug hunting methodology, the SAML authentication flow, exploiting transformations, and various types of SAML bugs and vulnerabilities.
Nov 16, 2023 • 2h 37min

Episode 45: The OG Bug Bounty King - Frans Rosen

Frans Rosén, an OG bug bounty hunter and co-founder of Detectify, joins the podcast to discuss bug exploitation, developer terminology, collaboration challenges, and balancing hacking with parenting. They cover topics such as discovering s3 subdomain takeovers, attacking modern web technologies, and account hijacking using Dirty Dancing in sign-in OAuth flows.
Nov 9, 2023 • 1h 11min

Episode 44: URL Parsing & Auth Bypass Magic

The podcast delves into URL parsing and authentication bypass techniques, highlighting common tips and tricks for bypassing restrictions. It covers topics such as OAuth vulnerabilities, controversy surrounding vulnerability reports, Facebook login ATO, and the risks of centralization. The hosts also discuss the importance of understanding URL components, potential issues with OAuth flows in Android apps, and the vulnerabilities of URL parsing in bug bounty programs.
Nov 2, 2023 • 1h 1min

Episode 43: Caido - The Up-And-Coming HTTP Proxy

In this episode, they discuss the challenges of building an HTTP proxy tool, the importance of user feedback in shaping its development, and the balance between basic and nice-to-have features. They also explore the usefulness of collections in organizing HTTP requests, customization options for workflows, upcoming features in the Caido tool, collaboration in bug bounty reporting, and the introduction of Caido as an enterprise vulnerability management platform.
Oct 26, 2023 • 59min

Episode 42: Renniepak Interview & Intigriti LHE Recap

In this episode, the podcast covers topics like NFT vulnerability, XSS attacks, hacker tattoos, and the correlation between creativity and hacking. They also discuss shared workspaces, managing finances as bug bounty hunters, and different approaches to hacking and vulnerability types.
Oct 19, 2023 • 17min

Episode 41: Mini Masterclass: Attack Vector Ideation

Learn how to think like a human instead of just a hacker to uncover vulnerabilities in web applications. Explore techniques for reading documentation, finding vulnerabilities in applications, and attack vector ideation in bug bounty programs. Discover the power of thorough testing, human-like usage, exploring GitHub issues, and modifying UI elements for bug discovery. Emphasize the importance of investigating the application from a user's perspective and not shying away from investing in bug bounties.
Oct 12, 2023 • 1h 32min

Episode 40: Bug Bounty Mentoring

In this episode, the podcast explores the world of bug bounty mentorships. They discuss the importance of mentorship, challenges of transitioning from being mentored to self-education, and the necessity of continuous learning in bug bounty. The speakers also share their experiences with bug bounties, the significance of motivation and hard work, finding passion in bug bounty hunting, and collaborating with other hackers and mentors.
