In this episode of Critical Thinking - Bug Bounty Podcast, we chat with Corben Leo about his journey in bug bounty hunting and ethical hacking. We discuss the state of DNS rebinding in 2023, a Twitter thread by Douglas Day (@ArchAngelDDay) on one-hundred bug bounty rules, and our own unique approaches to bug hunting. We also discuss Corben's recon-focused bug hunting methodology and how he developed it. Don't miss this episode filled with valuable tips, insights, and Corben's Boring Mattress Company.
Follow us on Twitter at: https://twitter.com/ctbbpodcast
Get on our newsletter for some exclusive content: https://www.criticalthinkingpodcast.io/subscribe
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater & Teknogeek on Twitter:
- https://twitter.com/0xteknogeek
- https://twitter.com/rhynorater
Today’s Guest: https://twitter.com/hacker_
Article on the State of DNS Rebinding in 2023: https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/
See @ArchAngelDDay's Twitter thread about 100 bug bounty rules: https://twitter.com/ArchAngelDDay/status/1661924038875435008
Talkback - Cybersecurity news aggregator: https://talkback.sh/
PyPI announces mandatory 2FA: https://www.bleepingcomputer.com/news/security/pypi-announces-mandatory-use-of-2fa-for-all-software-publishers/
Timestamps:
(00:00) Introduction
(Start of news)
(01:05) State of DNS rebinding in 2023
(04:40) 100 Bug Bounty Rules by @ArchAngelDDay
(05:30) Give yourself a ‘no bug’ limit
(07:00) The value of reporting Low and Medium Bugs for Bug Bounty Programs
(11:15) Reporting Out of Scope Bugs
(14:30) Reporting IDORs as Access Control Bugs
(17:28) Talkback
(18:12) PyPI's mandatory 2FA implementation for software publishers
(Start of main content)
(20:07) Starting out in bug bounty/ethical hacking
(25:00) Hacking methodology and mentorship
(28:15) Identifying Load Balancers
(33:20) Triage and live events
(38:30) College and Computer Science vs. Cybersecurity
(45:45) Importance of writing for the Hacker Community
(51:21) Storytelling and report writing
(55:00) When to stop doing recon and start hacking
(1:00:58) Lessons Learned from BreachlessAI and the pivot to Boring Mattress Co.