Leaking the top-level window.location.href by accessing the document.baseURI of a sandboxed iframe with a srcdoc! Credit for this one goes to the one and only Johan Carlsson!
Episode 74: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Roni "Lupin" Carta for a deep dive into supply chain attacks and dependency confusion. We explore the supply chain attacks, the ethical considerations surrounding maintainers and hosting packages on public registries, and chat about…
It's possible to bypass WAFs by adding as little as 8KB of padding to your requests! Props to Assetnote for creating the O.G nowafspls and Justin for recreating the Caido version!
Did you know the optional chaining operator "?." can be used to bypass blacklists? Justin didn't but luckily Johan was there to call him out on it. Original tweet here: https://loom.ly/-KVqwlM
Here are some RFC-compliant payloads to try and put in your telephone number fields on your next target!
That time Cache-Money dropped a mega crit and ruined Peter Yaworski's Christmas...
Episode 73: In this episode of Critical Thinking - Bug Bounty Podcast we give a brief recap of Nahamcon and then touch on some topics like WAF bypass tools, sandboxed iframes, and programs redacting your reports. Follow us on twitter at: https://twitter.com/ctbbpodcast We're new to this podcasting thing, so feel…
Templating is huge for RCE when looking at source code. Stay on the look out for interactions with files, external APIs, Redis, deserialization of binary formats, YAML, JSON etc. They could lead to unintended RCE or prototype pollution.
Seen a trend recently where vulns are the result of indirect method invocation and there are LOADS of ways to do this. Ruby: obj.send(method, args) PHP: $obj -► $method Python: globals()[method]() Java: Method.invoke(), callable.call() JS: obj[method](), .apply()
The guys discussing the issue of affordability in starting and maintaining a bug bounty program.
Episode 72: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss some hot research from the past couple months. This includes ways to smuggle payloads in phone numbers and IPv6 Addresses, the NextJS SSRF, the PDF.JS PoC drop, and a GitHub Enterprise Indirect Method Information…
AI bias bugs can be subjective and tricky to prove actual impact. @securingdev shared a great tip on the pod which you may remember from science class: "Keep as many things consistently the same for your inputs with select independent variables."
Joel enters the idea of government subsidies into the VDP debate.
Things getting hot and spicy on the pod last week when @securingdev brought up the idea of "Security as a Feature"!
Nothing adds value like $50,000, right!? Nahamsec dropped some exciting news on the pod last week when talking bonuses for NahamCon.
Dropped this simple but effective recon tip on the pod last week.
Dang, dude, the Meta program is insane. Their biggest bounty is $300k. That's as much as an entire hacking event back in the day! Here's @nahamsec's explaining how crazy this is for hunting.
Episode 71: In this episode of Critical Thinking - Bug Bounty Podcast Keith Hoodlet joins us to weigh in on the VDP Debate. He shares some of his insights on when VDPs are appropriate in a company's security posture, and the challenges of securing large organizations. Then we switch gears…
Got schooled by @NahamSec when we showed him this common CSP bypass.
Script gadgets can be gold when normal script execution is blocked! Often applications will bind functionality to the action of adding elements with specific classes to the DOM. These can be leveraged as gadgets to build an exploit for your target.
Johan Carlsson takes proving impact to the extreme by showing that a GitLab bug could've resulted in an attacker being able to: - Trigger new and existing pipelines - Overwrite variables - Upload images for RCE - Gain full access to all CI variables - [INSERT IMAGINATION]
There's a first time for everything! Here's how @joaxcar discovered his first XSS (by accident) followed swiftly by his first experience with a CSP. Sorry Johan! #infosec #bugbounty #bugbounties #cybersecurity #criticalthinking #CTBBpodcast #bugbountytips #bugbountyhunters #hacking #hackers
Episode 70: In this episode of Critical Thinking - Bug Bounty Podcast we’re once again joined by Ben Sadeghipour to talk about some Nahamcon news, as well as discuss a couple other LHE’s taking place. Then they cover CI/CD and drop some cool CSP Bypasses. Follow us on twitter at:…
WOW. Some next level chaining by @joaxcar for this CSP bypass in GitHub! Drag and drop triggers HTML injection which injects a form which triggers a hash change which triggers a button click which injects more and triggers another click gadget which triggers a hash change again which finally triggers…
