
Videos

June 30, 2024

This is why you need to look for gadgets!

Another great example of the importance of gadget hunting as well as bug hunting!

June 28, 2024

Case-sensitive bypass for X-Forwarded-For headers!

Found a gadget where X-Forwarded-For was blocked but x-forwarded-for was allowed. Header names are case-insensitive, so a backend that canonicalizes them honours both spellings, while a filter doing exact string matching only catches one. Tools like ffuf canonicalize header casing for you, so you would easily miss this without sending the lower-case spelling by hand!
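Here is the shape of that gadget as an added example (not from the video or the target in question): a front-end filter that denylists header names by exact string comparison, next to a case-insensitive version, both feeding a backend that folds names to lower case before reading the client IP. The header list, sample request and IP addresses are constructed for the demo.

```javascript
// Added example: case-sensitive header denylist vs. a canonicalizing one.
// Header names are case-insensitive on the wire, so the backend treats
// "x-forwarded-for" and "X-Forwarded-For" as the same header.

// Assumed denylist of a proxy that wants to strip client-supplied IP headers.
const DENIED = ["X-Forwarded-For", "X-Real-IP"];

// Vulnerable filter: exact-string comparison on the raw header name.
function filterHeadersExact(rawHeaders) {
  return rawHeaders.filter(([name]) => !DENIED.includes(name));
}

// Fixed filter: fold both sides to lower case before comparing.
function filterHeadersCaseInsensitive(rawHeaders) {
  const denied = new Set(DENIED.map((n) => n.toLowerCase()));
  return rawHeaders.filter(([name]) => !denied.has(name.toLowerCase()));
}

// What a typical backend does with whatever survives the filter: fold header
// names to lower case and trust the first hop in x-forwarded-for, falling
// back to the socket address.
function resolveClientIp(headers, socketAddr) {
  const folded = {};
  for (const [name, value] of headers) folded[name.toLowerCase()] = value;
  const xff = folded["x-forwarded-for"];
  return xff ? xff.split(",")[0].trim() : socketAddr;
}

// Constructed attack request as [name, value] pairs, before any
// canonicalization: the attacker spoofs a loopback address using the
// lower-case spelling the exact-match filter does not recognise.
const ATTACK = [
  ["Host", "target.example"],
  ["x-forwarded-for", "127.0.0.1"],
  ["User-Agent", "test"],
];

// Constructed control request using the canonical spelling.
const CANONICAL = [["X-Forwarded-For", "127.0.0.1"]];

function headerDemo() {
  return {
    vulnerable: resolveClientIp(filterHeadersExact(ATTACK), "203.0.113.7"),
    fixed: resolveClientIp(filterHeadersCaseInsensitive(ATTACK), "203.0.113.7"),
    canonicalBlockedByBoth:
      filterHeadersExact(CANONICAL).length === 0 &&
      filterHeadersCaseInsensitive(CANONICAL).length === 0,
  };
}
```

The practical takeaway: when a header looks blocked, resend it from a proxy repeater with the bytes exactly as you typed them (lower case, mixed case) rather than through a tool that rewrites header names.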

June 27, 2024

Bug Bounty Mental - Practical Tips for Staying Sharp & Motivated (Ep.77)

Episode 77: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin discuss some fresh writeups including some MongoDB injections, ORMs, and exploits in Kakao and iOS before pivoting into a conversation about staying motivated and avoiding burnout while hunting. Follow us on twitter at: https://twitter.com/ctbbpodcast We're…

June 26, 2024

Is this one of the CRAZIEST XXEs ever?

Some seriously good research dropped on the pod last week. Shout out to Piotr Bazydło and the Zero Day Initiative for this crazy XXE in Microsoft SharePoint!

June 25, 2024

STOP overcomplicating bug bounties!

Joel's tip of the week: Keep it simple. It's easy to overcomplicate things. Sometimes all you need is a simple match and replace instead of some next level regex!

June 24, 2024

"Cookie XSS" affecting every page and subdomain on Zoom!

H4R3L's "Cookie XSS" affecting almost every Zoom page and subdomain demonstrates the effectiveness of experimenting with escape characters in cookie values. It all started when @H4R3L discovered a CSP Nonce cookie that was being used in every page with a CSP policy. Because Zoom takes their security seriously, there was…

June 21, 2024

How to do a brain reset.

When unmotivated, reset. Ignore excuses, just start small. Just remember it's hard to begin but easy once you're rolling.

June 20, 2024

Match & Replace - HTTP Proxies' Most Underrated Feature (Ep. 76)

Episode 76: In this episode of Critical Thinking - Bug Bounty Podcast we’re talking about Match and Replace and the often overlooked use cases for it, like bypassing paywalls, modifying host headers, and storing payloads. We also talk about the HackerOne Ambassador World Cup and the issues with dupe submissions,…

June 19, 2024

How to stay motivated in bug bounty!

Joel's top tips for staying motivated in bug bounty.

June 18, 2024

NPX Package Manager Confusion with Lupin!

Lupin discovered that many companies were invoking, via npx, a package name that didn't exist on the public registry. So what did he do? He registered the name, so they downloaded his package instead.

June 16, 2024

The emotional rollercoaster that is bug hunting.

From the peak of happiness to the pit of despair and back again.

June 13, 2024

*Rerun* of The OG Bug Bounty King - Frans Rosen (Ep. 75)

Episode 75: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are sick, so instead of a new full episode, we're going back 30 episodes to review. Follow us on twitter at: https://twitter.com/ctbbpodcast We're new to this podcasting thing, so feel free to send us any…

June 12, 2024

How deep do you go when looking for secrets in CI/CD Pipelines?

How deep do you go when looking for secrets in CI/CD Pipelines? That's the question. Lupin discusses how devs are exposing orgs via insecure private CI/CD pipelines using their own npm tokens.

June 11, 2024

ACCIDENTALLY found cache poisoning in NPM!

It's one thing when your script works the first time. It's a whole other thing when it works on the biggest public registry out there!

June 9, 2024

Iframe hijacking via predictable window.open target names.

Whenever you see a pop-up or a change happening in an iframe, look for the window.open call that's doing it and check the target name it passes. If that name is guessable, you may be able to create a window or frame with the same name first and hijack where the navigation lands, taking control of the flow!

June 7, 2024

You can escape a sandbox from inside an iFrame!?

Leaking the top-level window.location.href from inside a sandboxed srcdoc iframe by reading document.baseURI, which a srcdoc document inherits from the embedding document rather than deriving from its own about:srcdoc URL! Credit for this one goes to the one and only Johan Carlsson!

June 6, 2024

Supply Chain Attack Primer - Popping RCE Without an HTTP Request (feat 0xLupin) (Ep. 74)

Episode 74: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Roni "Lupin" Carta for a deep dive into supply chain attacks and dependency confusion. We explore supply chain attacks, the ethical considerations surrounding maintainers and hosting packages on public registries, and chat about…

June 5, 2024

Adding padding to your requests to bypass WAFs!

It's possible to bypass WAFs by adding as little as 8KB of padding to your requests, because many WAFs only inspect a bounded prefix of the request body before passing the rest through! Props to Assetnote for creating the original nowafspls and to Justin for recreating the Caido version!
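To make the mechanism concrete, here is an added example (not nowafspls itself, and not any vendor's real limit) with a mock WAF that scans only the first 8 KiB of the body for a crude injection signature, a mock backend that parses the whole body, and a helper that pushes the real parameters past the inspection window with a junk parameter. The signature list, the 8 KiB limit and the sample payload are assumptions for the demo.

```javascript
// Added example: request padding against a WAF with a bounded inspection window.
// Assumed limit for the mock WAF; real products differ, and the video's point
// is that some are as low as 8KB.
const INSPECTION_LIMIT = 8 * 1024;

// Mock WAF: looks at the first INSPECTION_LIMIT bytes only, with an assumed
// (deliberately crude) SQL injection signature.
function wafBlocks(body) {
  const inspected = body.slice(0, INSPECTION_LIMIT);
  return /('|--|\bunion\b|\bselect\b)/i.test(inspected);
}

// Mock backend: parses the full application/x-www-form-urlencoded body,
// however long it is.
function backendParse(body) {
  const params = {};
  for (const pair of body.split("&")) {
    const [k, v = ""] = pair.split("=");
    params[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, " "));
  }
  return params;
}

// Build a form body with a junk parameter of `padBytes` in front of the real
// parameters, so the payload sits past the WAF's inspection window.
function padBody(params, padBytes) {
  const junk = "z".repeat(padBytes);
  const real = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
  return `pad=${junk}&${real}`;
}

function paddingDemo() {
  // Constructed payload: a classic tautology injection in the "id" parameter.
  const payload = { id: "1' OR 1=1--" };
  const unpadded = padBody(payload, 0);
  const padded = padBody(payload, INSPECTION_LIMIT);
  return {
    unpaddedBlocked: wafBlocks(unpadded),
    paddedBlocked: wafBlocks(padded),
    backendSees: backendParse(padded).id,
  };
}
```

The defensive side of the same example: a WAF that stops inspecting at a size limit should fail closed (block or buffer) rather than forward the remainder uninspected, and the application must not rely on the WAF as its only input validation.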

June 3, 2024

Justin getting SCHOOLED by Johan Carlsson!

Did you know the optional chaining operator "?." can be used to bypass blacklists? Justin didn't but luckily Johan was there to call him out on it. Original tweet here: https://loom.ly/-KVqwlM
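Here is an added example of the bypass (not Johan's original tweet or anyone's real filter): a denylist that looks for the literal spelling "document.cookie" never sees "document?.cookie", even though both evaluate to the same property. The stand-in document object, the denylist and the allowlist of permitted identifiers are assumptions for the demo.

```javascript
// Added example: optional chaining ("?.") slips past a spelling-based denylist.

// Stand-in for the page object the filter wants to protect (constructed).
const fakeDocument = { cookie: "session=abc123" };

// Vulnerable filter: blocks the exact dotted access it expects to see.
const DENYLIST = [/document\.cookie/, /window\.location/];

function isAllowedNaive(expr) {
  return !DENYLIST.some((re) => re.test(expr));
}

// Evaluate the user expression with `document` bound to the stand-in; this
// plays the role of whatever sink the filter was guarding.
function runExpression(expr) {
  return new Function("document", `return (${expr});`)(fakeDocument);
}

// Hardened check: instead of guessing every spelling of a forbidden access,
// tokenize the identifiers and allow only a small known-good set. Any
// reference to `document`, however it is chained or bracketed, is rejected.
const ALLOWED_IDENTIFIERS = new Set(["Math", "min", "max", "abs"]);

function isAllowedAllowlist(expr) {
  const identifiers = expr.match(/[A-Za-z_$][\w$]*/g) || [];
  return identifiers.every((id) => ALLOWED_IDENTIFIERS.has(id));
}

function chainingDemo() {
  const bypass = "document?.cookie";
  return {
    naiveBlocksLiteral: !isAllowedNaive("document.cookie"),
    naiveAllowsBypass: isAllowedNaive(bypass),
    leaked: isAllowedNaive(bypass) ? runExpression(bypass) : null,
    allowlistAllowsBypass: isAllowedAllowlist(bypass),
    allowlistAllowsBenign: isAllowedAllowlist("Math.max(1, 2)"),
  };
}
```

The same reasoning applies to bracket access (document["cookie"]) and to any other syntax the denylist author did not think of, which is why an allowlist over parsed tokens, or not evaluating user input at all, beats pattern-matching the source text.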

June 2, 2024

Exploiting Phone Number Parsing for XSS!

Here are some RFC-compliant payloads to try and put in your telephone number fields on your next target!

May 31, 2024

Dropping a MEGA CRIT on Boxing Day!

That time Cache-Money dropped a mega crit and ruined Peter Yaworski's Christmas...

May 30, 2024

Sandboxed IFrames and WAF Bypasses (Ep. 73)

Episode 73: In this episode of Critical Thinking - Bug Bounty Podcast we give a brief recap of Nahamcon and then touch on some topics like WAF bypass tools, sandboxed iframes, and programs redacting your reports. Follow us on twitter at: https://twitter.com/ctbbpodcast We're new to this podcasting thing, so feel…

May 29, 2024

What to look for when reviewing source code...

Templating is a huge source of RCE when reviewing source code. Also stay on the lookout for interactions with files, external APIs and Redis, and for deserialization of binary formats, YAML, JSON, etc. They can lead to unintended RCE or prototype pollution.

May 27, 2024

Indirect method invocation in 5 different languages!

Seen a trend recently where vulns are the result of indirect method invocation, and there are LOADS of ways to do it:
Ruby: obj.send(method, args)
PHP: $obj->$method()
Python: globals()[method]()
Java: Method.invoke(), Callable.call()
JS: obj[method](), fn.apply()
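The JavaScript flavour of the pattern, as an added example (not from the video): a dispatcher that resolves a user-controlled name with obj[method] and calls it via .apply, next to a version that only dispatches to explicitly registered names. The handler object, the method names and the request shape are assumptions for the demo.

```javascript
// Added example: user-controlled indirect method invocation in JavaScript.

// Assumed set of handlers an RPC-style endpoint means to expose.
const handlers = {
  ping() { return "pong"; },
  echo(msg) { return msg; },
};

// Vulnerable: obj[name] walks the prototype chain, so names the author never
// registered ("toString", "constructor", "hasOwnProperty", ...) resolve to
// callable functions. On a richer object graph (anything that reaches
// child_process, fs, or a template engine) this is the road to RCE.
function dispatchVulnerable(name, ...args) {
  const fn = handlers[name];
  if (typeof fn !== "function") throw new Error("unknown method: " + name);
  return fn.apply(handlers, args);
}

// Hardened: a Map built from the object's own enumerable entries. Map.get does
// not consult Object.prototype, so only registered names are callable, and the
// registry is the single place to audit.
const registry = new Map(Object.entries(handlers));

function dispatchSafe(name, ...args) {
  const fn = registry.get(name);
  if (!fn) throw new Error("unknown method: " + name);
  return fn.apply(handlers, args);
}

function throwsFor(dispatch, name) {
  try {
    dispatch(name);
    return false;
  } catch (e) {
    return true;
  }
}

function dispatchDemo() {
  return {
    // Both dispatchers serve the intended API.
    vulnPing: dispatchVulnerable("ping"),
    safeEcho: dispatchSafe("echo", "hi"),
    // Only the vulnerable one reaches an inherited method.
    vulnReachesPrototype: dispatchVulnerable("toString"),
    safeRejectsPrototype: throwsFor(dispatchSafe, "toString"),
    safeRejectsConstructor: throwsFor(dispatchSafe, "constructor"),
    vulnAllowsConstructor: !throwsFor(dispatchVulnerable, "constructor"),
  };
}
```

When reviewing code, grep for the lookup forms listed above and then ask where the name comes from; a lookup on a plain object or on globals() with a request-derived string is the bug, and an explicit allowlist (a Map, a switch, a dict literal) is the fix.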
