April 23, 2026

Episode 171: Path-Scoped Cookie Hacks with Uppercase & Post-based Raw Protobuf XSS


Episode 171: In this episode of Critical Thinking - Bug Bounty Podcast, Justin gives us some quick tips from his own hacking, including some clickjacking, using capital letters, and the potential value of leaking ages.


Follow us on twitter at: https://x.com/ctbbpodcast

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!



====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme


Critical Research Lab:

https://lab.ctbb.show/


====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!


We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.


You can also find some hacker swag at https://ctbb.show/merch!


Today's Sponsor: Check out ThreatLocker Ringfencing

https://www.criticalthinkingpodcast.io/tl-rf


====== Resources ======


The ultimate Bug Bounty guide to OS command injection vulnerabilities

www.yeswehack.com/learn-bug-bounty/ultimate-guide-os-command-injection


Critical auth bypass in WordPress Azure AD SSO plugin due to missing OIDC id_token validation

https://www.yeswehack.com/news/auth-bypass-wordpress-azure-plugin


Aituglo featured on YWH

https://www.yeswehack.com/community/developer-aituglo-bug-bounty-story


Adobe will be sponsoring Ekoparty in Miami and hosting a live hacking event on May 21st

https://ekoparty.org/ekoparty-miami-2026-super-live-hacking-event/




SVG clickjacking

https://lyra.horse/blog/2025/12/svg-clickjacking/


====== Timestamps ======

(00:00:00) Introduction

(00:06:35) Protobuf XSS

(00:12:51) Leaking Age & CSPTs

(00:15:59) Capital Letters and Clickjacking