Episode 143: In this episode of Critical Thinking - Bug Bounty Podcast, Justin brings Brandyn back to announce him as our newest co-host. We chat about recent LHE experiences, and then break down some news.
Follow us on Twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to https://twitter.com/realytcracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
====== This Week in Bug Bounty ======
YesWeHack won the European Commission tender: https://www.yeswehack.com/news/european-commission-tender-won-yeswehack
YesWeHack is now an authorised CVE Numbering Authority: https://www.yeswehack.com/news/yeswehack-authorised-cve-numbering-authority
A wide range of bug bounty programs for widely used open source projects such as Log4j, systemd, GNOME and a lot more: https://event.yeswehack.com/events/open-the-code-source-the-bounty
====== Resources ======
Attributes reference inside HTML
https://portswigger-labs.net/xss/xss.php?x=%3Cinput%20onclick=attributes[0].value=%27`%27+URL+%27`%27%3E#${alert(1)
Explaining XSS without parentheses and semi-colons
https://blog.huli.tw/2025/09/15/en/xss-without-semicolon-and-parentheses/
Beyond Sandbox Domains: Rendering Untrusted Web Content with SafeContentFrame
https://bughunters.google.com/blog/6715529872080896/beyond-sandbox-domains-rendering-untrusted-web-content-with-safecontentframe
One Token to rule them all
https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/
flareprox
https://github.com/MrTurvey/flareprox
Caido 101: How to master it
https://aituglo.com/caido/
====== Timestamps ======
(00:00:00) Introduction
(00:03:16) LHE approaches and accomplishments
(00:30:54) Attributes reference inside HTML & Explaining XSS without parentheses and semi-colons
(00:44:33) One Token to rule them all
(00:57:13) Flareprox & Caido 101