Episode 81: Crushing Client-Side on Any Scope with MatanBer Episode 81: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by MatanBer to go over some recent bug reports, as well as share some tips and tricks on client-side hacking and using DevTools effectively. Follow us…
Here's a slick trick for y'all. Next time you're brute forcing tokens, try brute forcing from both ends to leak tokens faster!
Here's a CSS tidbit for y'all! You can apply "display: block" to a script tag and the will just be displayed on the screen like it was like a p tag!
A great takeaway from Justin on the benefits of using AI... Followed by Joel being rebooted by his cat.
Hot tips from Justin on why you should grep for headers.
Episode 80: Pwn2Own VS H1 Live Hacking Event (feat SinSinology) Episode 80: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Sina Kheirkhah to talk about the start of his hacking journey and explore the differences between the Pwn2Own and HackerOne Events Follow us on…
You know when it’s coming from Gareth Heyes you did something right! XSS WAF bypass using multi-character HTML entities like >⃒ or <⃒ which are interpreted by the server respectively as 'less than' and greater than symbols (plus some other unicode character). Shout out also to @therceman!
Add parameters like $lookup, $unionWith, and $match to your wordlist for testing. Any errors or hits on these might give a hint to a potential NoSQL injection. Shout out to Soroush Dalili for this research!
Exploiting unsanitised user inputs in Django ORM filter methods to exfiltrate sensitive data. Shout out to @elttam for this HOT research! 🔥 #infosec #bugbounty #bugbounties #cybersecurity #criticalthinking #CTBBpodcast #bugbountytips #bugbountyhunters #hacking #hackers
iOS auth flaw ala evanconnelly and mrtuxracer 1. Install malicious app and register victim's scheme 2. User approves the evil app to login with attacker.com (ofc, why not) 3. Web view opens, attacker forces redirect to vuln auth flow for victim app w/ prompt=none 4. Auth code sent to attackers…
One-click account takeover: Deep link to Open redirect to XSS on subdomain to Attacker-controlled URL. Victim clicks chat link, attacker gets auth token. Simple.
Episode 79: In this episode of Critical Thinking - Bug Bounty Podcast we deepdive CSS injection, and explore topics like sequential import chaining, font ligatures, and attribute exfiltration. Follow us on twitter at: https://twitter.com/ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io…
Unwrapping wrappers to get to the real function that is actually being triggered with Frans Rosen's postMessage-tracker!
Here's an interesting one folks! Frans discovered state validation was happening before you acquire the code so you can get the victim to use your state instead.
Episode 78: In this episode of Critical Thinking - Bug Bounty Podcast we’re talking about writing reports. We share some tips that we’ve learned, and discuss ways that AI can (and can’t) help with that process. We also talk about the benefit of incorporating tools like Fabric, Loom, and ShareX.…
That time Frans Rosen roasted Justin live on the pod when discussing Frans' sick poster of Google's /etc/passwd file!
Another great example of the importance of gadget hunting as well as bug hunting!
Found a gadget where X-Forwarded-For was blocked, but x-forwarded-for was allowed. Tools like ffuf actually auto-capitalize headers so you would easily miss this without manually testing!
Episode 77: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin discuss some fresh writeups including some MongoDB injections, ORMs, and exploits in Kakao and iOS before pivoting into a conversation about staying motivated and avoiding burnout while hunting. Follow us on twitter at: https://twitter.com/ctbbpodcast We're…
Some seriously good research dropped on the pod last week. Shout out to Piotr Bazydło and The Zero Day Initiative for this crazy XXE in Microsoft Sharepoint!
Joel's tip of the week: Keep it simple. It's easy to overcomplicate things. Sometimes all you need is a simple match and replace instead of some next level regex!
H4R3L's "Cookie XSS" affecting almost every Zoom page and subdomain demonstrates the effectiveness of experimenting with escape characters in cookie values. It all started when @H4R3L discovered a CSP Nonce cookie that was being used in every page with a CSP policy. Because Zoom takes their security seriously, there was…
When unmotivated, reset. Ignore excuses, just start small. Just remember it's hard to begin but easy once you're rolling.
