Feb. 5, 2026

Episode 160: Cloudflare Zero-days & Mail Unsubscribing for XSS

Episode 160: In this episode of Critical Thinking - Bug Bounty Podcast, Joseph and Brandyn chat through some news, including a Cloudflare zero-day, Turning List-Unsubscribe into an SSRF/XSS Gadget, and Magic String Denial of Service in Claude.

 

Follow us on Twitter at: https://x.com/ctbbpodcast

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

 

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X: 

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

 

Critical Research Lab:

https://lab.ctbb.show/ 

 

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

 

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

 

You can also find some hacker swag at https://ctbb.show/merch!

 

Today’s Sponsor: Adobe.

Use code CTBB040126, and get a 10% bonus on your bounty for any AI vulnerability which is mapped to the OWASP LLM top 10.

Valid on Adobe Acrobat Web - AI Assistant / PDF Spaces / Content Creation and presentation features using Express

Adobe Express AI Assistant. 

Valid through April 1st, 2026

 

Also we have a Google Cloud VRP Swag Bonus! Mention the podcast in any rewarded (cash or credit) VRP report submission before the end of April to receive bonus swag!

 

====== Resources ======

Cloudflare Zero-day

https://fearsoff.org/research/cloudflare-acme

 

Turning List-Unsubscribe into an SSRF/XSS Gadget

https://security.lauritz-holtmann.de/post/xss-ssrf-list-unsubscribe/

 

Breaking Multi-Tenant Isolation in Heroku Postgres

https://allistair.sh/blog/breaking-heroku-postgres/

 

Parse and Parse: MIME Validation Bypass to XSS via Parser Differential

https://lab.ctbb.show/research/parse-and-parse-mime-validation-bypass-to-xss-via-parser-differential

 

Claude Magic String Denial of Service

https://x.com/Frichette_n/status/2013988503336415522

 

From WebView to Remote Code Injection

https://djini.ai/from-webview-to-remote-code-injection/

 

DOM XSS Is Not Dead: The Rise of Polyglot Payloads

https://blogs.jsmon.sh/dom-xss-is-not-dead-the-rise-of-polyglot-payloads/

 

====== Timestamps ======

(00:00:00) Introduction

(00:06:17) Cloudflare Zero-day & Turning List-Unsubscribe into an SSRF/XSS Gadget

(00:16:57) Breaking Multi-Tenant Isolation in Heroku Postgres & CTBB Research

(00:25:46) Claude Magic String Denial of Service & From WebView to Remote Code Injection