Episode 128: New Research in Blind SSRF and Self-XSS, and How to Architect Source-code Review AI Bots

Episode 128: In this episode of Critical Thinking - Bug Bounty Podcast we're talking Blind SSRF and Self-XSS, as well as reversing massive minified JS with AI and a wild Google Logo Ligature Bug.

Follow us on Twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker - Patch Management
https://www.criticalthinkingpodcast.io/TL-patch-management

====== This Week in Bug Bounty ======
BitK's "Payload plz" challenge at LeHack
https://www.yeswehack.com/page/yeswehack-at-lehack-2025

====== Resources ======
Make Self-XSS Great Again
https://blog.slonser.info/posts/make-self-xss-great-again/

Novel SSRF Technique Involving HTTP Redirect Loops
https://x.com/infosec_au/status/1937103837334323472

Surf - Escalate your SSRF vulnerabilities on Modern Cloud Environments
https://github.com/assetnote/surf

Gecko: Intent to prototype: Framebusting Intervention
https://x.com/intenttoship/status/1937135319142293805

Conducting smarter intelligences than me: new orchestras
https://southbridge-research.notion.site/conducting-smarter-intelligences-than-me

Mandark
https://github.com/hrishioa/mandark

Lumentis
https://github.com/hrishioa/lumentis

jscollab
https://github.com/xssdoctor/jscollab

Google Logo Ligature Bug
https://www.jefftk.com/p/google-logo-ligature-bug

====== Timestamps ======
(00:00:00) Introduction
(00:03:55) Self-XSS and credentialless iframe
(00:16:50) Novel SSRF Technique Involving HTTP Redirect Loops
(00:25:02) Framebusting
(00:29:13) Reversing massive minified JS with AI
(00:53:12) Google Logo Ligature Bug