Critical Thinking - Bug Bounty Podcast

Episode 131: In this episode of Critical Thinking - Bug Bounty Podcast we're covering Christmas in July with several banger articles from Searchlight Cyber, as well as covering things like Raycast for Windows, Third-Person prompting, and touch on the recent McDonalds LeakFollow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today’s Sponsor is Adobe. Use code CTBBP0907 in your first report on Adobe Behance, Portfolio, Fonts or Acrobat Web, and earn a one-time 10% bonus reward!====== Resources ======v1 Instance Metadata Service protections bypassWould you like an IDOR with that? Leaking 64 million McDonald’s job applicationsHow we got persistent XSS on every AEM cloud site, thriceGoogle docs now supports export as markdownAbusing Windows, .NET quirks, and Unicode Normalization to exploit DNN (DotNetNuke)How I Scanned all of GitHub’s “Oops Commits” for Leaked SecretsBug bounty, feedback, strategy and alchemy====== Timestamps ======(00:00:00) Introduction(00:05:39) Metadata Service protections bypass & Mcdonalds Leak(00:12:30) Christmas in July with Searchlight Cyber Pt 1(00:19:43) Export as Markdown, Raycast for Windows, & Third-Person prompting(00:23:56) Christmas in July with Searchlight Cyber Pt 2(00:27:39) GitHub’s “Oops Commits” for Leaked Secrets(00:36:53) Bug bounty, feedback, strategy and alchemy

Episode 130: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Valentino, who shares his journey from hacking Minecraft to becoming a Google hunter. He talks us through several bugs, including an HTML Sanitizer bypass and .NET deserialization, and highlights the hyper creative approaches he tends to employ.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter:https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today's Sponsor: ThreatLocker - Patch Managementhttps://www.criticalthinkingpodcast.io/TL-patch-managementToday’s Guest: Valentino - https://blog.3133700.xyz/====== Resources ======JMX ManagerStored XSS in reclamosCommand Injection in Vertex AIwhitepaper-net-deser.pdffree-after-use.goA Journey Into Finding Vulnerabilities in the PMB Library Management Systememulated-register_globals.php====== Timestamps ======(00:00:00) Introduction(00:02:38) JMXProxy Bug Story(00:09:46) Intro to Valentino(00:29:08) HTML Sanitizer bypass on MercadoLibre(00:37:16) Command injection in Vertex AI(00:44:10) .NET deserialization, & Argument injection to LFR, & Free after use(00:51:33) Luck, creativity, and evolution as Hacker(00:59:31) Issues in file extension validation components, Emulated register_globals, & AI Hacking

Episode 129: In this episode of Critical Thinking - Bug Bounty Podcast we chat about the future of hack bots and human-AI collaboration, the challenges posed by tokenization, and the need for cybersecurity professionals to adapt to the evolving landscape of hacking in the age of AIFollow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!====== This Week in Bug Bounty ======Improper error handling in async cryptographic operations crashes processhttps://hackerone.com/reports/2817648Recon Series #6: Excavating hidden artifacts with Wayback Machinehttps://www.yeswehack.com/learn-bug-bounty/recon-wayback-machine-web-archive====== Resources ======This is How They Tell Me Bug Bounty Ends https://josephthacker.com/hacking/2025/06/09/this-is-how-they-tell-me-bug-bounty-ends.htmlWelcome, Hackbots: How AI Is Shaping the Future of Vulnerability Discoveryhttps://www.hackerone.com/blog/welcome-hackbots-how-ai-shaping-future-vulnerability-discoveryGlitch Tokenhttps://www.youtube.com/watch?v=WO2X3oZEJOAConducting smarter intelligences than me: new orchestrashttps://southbridge-research.notion.site/conducting-smarter-intelligences-than-me====== Timestamps ======(00:00:00) Introduction(00:04:05) Is this how Bug Bounty Ends?(00:11:14) Hackbots and handling leads(00:20:50) Hacker chain of thought & Tokenization(00:32:54) Context Engineering

Episode 128: In this episode of Critical Thinking - Bug Bounty Podcast we talking Blind SSRF and Self-XSS, as well as Reversing massive minified JS with AI and a wild Google Logo Ligature BugFollow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today's Sponsor: ThreatLocker - Patch Management====== This Week in Bug Bounty ======BitK's "Payload plz" challenge at LeHack====== Resources ======Make Self-XSS Great AgainNovel SSRF Technique Involving HTTP Redirect LoopsSurf - Escalate your SSRF vulnerabilities on Modern Cloud EnvironmentsGecko: Intent to prototype: Framebusting InterventionConducting smarter intelligences than me: new orchestrasMandarkLumentisjscollabGoogle Logo Ligature Bug====== Timestamps ======(00:00:00) Introduction(00:03:55) Self-XSS and credentialless iframe (00:16:50) Novel SSRF Technique Involving HTTP Redirect Loops(00:25:02) Framebusting(00:29:13) Reversing massive minified JS with AI(00:53:12) Google Logo Ligature Bug

Episode 127: In this episode of Critical Thinking - Bug Bounty Podcast we address some recent bug bounty controversy before jumping into a slew of news itemsFollow us on XShoutout to YTCracker for the awesome intro music!Today's Sponsor: Adobe====== This Week In Bug Bounty ======Hackers Guide to Google dorkingYesWeCaidoNew Dojo ChallengeSmart Contract BB tipsRed Team AAS====== Resources ======DisclosedPDF csp bypassBypassing File Upload Restrictions To Exploit Client-Side Path TraversalOBS WebSocket to RCETime in a bottle (or knapsack)How to Differentiate Yourself as a Bug Bounty HunterDisclosed. Onlinehacked-in‘EchoLeak’Piloting Edge CopilotNewtownerTips for agent promptingFirefox XSS vectorsTweet from Masato KinugawaChrome debug() function

Episode 126: In this episode of Critical Thinking - Bug Bounty Podcast we wrap up Rez0’s AI miniseries ‘Vulnus Ex Machina’. Part 3 includes a showcase of AI Vulns that Rez0 himself has found, and how much they paid out.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today’s Sponsor - ThreatLocker Web Controlhttps://www.criticalthinkingpodcast.io/tl-webcontrol====== Resources ======Claude Code System PromptAttacking AI AgentsProbability of HacksNew Gemini for Workspace Vulnerability Enabling Phishing & Content ManipulationHow to Hack AI Agents and Applications====== Timestamps ======(00:00:00) Introduction(00:02:53) NahamCon Recap, Claude news, and wunderwuzzi writeups (00:08:57) Probability of Hacks(00:11:27) First AI Vulnerabilities(00:18:57) AI Vulns on Google (00:25:11) Invisible prompt Injection

Episode 125: In this episode of Critical Thinking - Bug Bounty Podcast Justin shares insights on how to succeed at live hacking events. We cover pre-event preparations, challenges of collaboration, on-site strategies, and the importance of maintaining a healthy mindset throughout the entire process.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!====== This Week in Bug Bounty ======Decathlon Public Bug Bounty Program on YesWeHack====== Resources ======The Ultimate Double-Clickjacking PoCGrafana Full read SSRF and Account Takeover: CVE-2025-4123Grafana CVE-2025-4123 ExploitWhat I learned from my first 100 HackerOne ReportsRoot for your friends====== Timestamps ======(00:00:00) Introduction(00:02:30) The Ultimate Double-Clickjacking PoC, Grafana CVE, & Evan Connelly's first 100 bugs(00:10:23) How to win at Live Hacking Events(00:11:53) Pre-event(00:11:45) Scope Call(00:33:11) Dupe window Ends(00:36:00) Onsite & and Day of Event(00:42:46) Don't define your identity on the outcome

Episode 124: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph cover some news from around the community, hitting on Joseph’s Anthropic safety testing, Justin’s guest appearance on For Crying Out Cloud, and several fascinating tweets. Then they have a quick Full-time Bug Bounty check-in.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today’s Sponsor - ThreatLocker Web Controlhttps://www.criticalthinkingpodcast.io/tl-webcontrol====== This Week in Bug Bounty ======Louis Vuitton Public Bug Bounty ProgramCVE-2025-47934 was discovered on one of our Bug Bounty program : OpenPGP.jsStored XSS in File Upload Leads to Privilege Escalation and Full Workspace Takeover====== Resources ======Jorian tweetClipjacking: Hacked by copying text - Clickjacking but betterCrying out Cloud AppearanceWiz Research takes 1st place in Pwn2Own AI categoryNew XSS vector with image tag====== Timestamps ======(00:00:00) Introduction(00:10:50) Supabase(00:13:47) Tweet-research from Jorian and Wyatt Walls.(00:20:24) Anthropic safety testing challenge & Wiz Podcast guest appearance(00:27:44) New XSS vector, Google i/o, and coding agents(00:35:48) Full Time Bug Bounty

Episode 123: In this episode of Critical Thinking - Bug Bounty Podcast we’re back with part 2 of Rez0’s miniseries. Today we talk about mastering Prompt Injection, taxonomy of impact, and both triggering traditional Vulns and exploiting AI-specific features.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter:https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today’s Sponsor - ThreatLocker User Storehttps://www.criticalthinkingpodcast.io/tl-userstore====== This Week in Bug Bounty ======Earning a HackerOne 2025 Live Hacking Invitehttps://www.hackerone.com/blog/earning-hackerone-2025-live-hacking-inviteHTTP header hacks: basic and advanced exploit techniques exploredhttps://www.yeswehack.com/learn-bug-bounty/http-header-exploitation====== Resources ======Grep.apphttps://vercel.com/blog/migrating-grep-from-create-react-app-to-next-jsGemini 2.5 Pro prompt leakhttps://x.com/elder_plinius/status/1913734789544214841Pliny's CL4R1T4Shttps://github.com/elder-plinius/CL4R1T4SO3https://x.com/pdstat/status/1913701997141803329====== Timestamps ======(00:00:00) Introduction(00:05:25) Grep.app, O3, and Gemini 2.5 Pro prompt leak(00:11:09) Delivery and impactful action(00:20:44) Mastering Prompt Injection(00:30:36) Traditional vulns in Tool Calls, and AI Apps(00:37:32) Exploiting AI specific features

Episode 122: In this episode of Critical Thinking - Bug Bounty Podcast your boys are MVH winners! First we’re joined by Zak, to discuss the Google LHE as well as surprising us with a bug of his own! Then, we sit down with Lupin and Monke for a winners roundtable and retrospective of the event.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter:https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Check out the CTBB Job Board: https://jobs.ctbb.show/Today’s Guests:Zak Bennett : https://www.linkedin.com/in/zak-bennett/Ciarán Cotter: https://x.com/monkehackRoni Carta: https://x.com/0xLupin====== Resources ======We hacked Google’s A.I Gemini and leaked its source codehttps://www.landh.tech/blog/20250327-we-hacked-gemini-source-code====== Timestamps ======(00:00:00) Introduction(00:03:02) An RCE via memory corruption(00:07:45) Zak's role at Google and Google's AI LHE(00:15:25) Different Components of AI Vulnerabilities(00:24:58) MHV Winner Debrief(01:08:47) Technical Takeaways And Team Strategies(01:28:49) LHE Experience and Google VRP & Abuse VRP

Episode 121: In this episode of Critical Thinking - Bug Bounty Podcast we cover so much news and research that we ran out of room in the description...Follow us on XShoutout to YTCracker for the awesome intro music!====== Links ======Follow Rhynorater and Rez0 on X:====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord!We also have hacker swag!====== This Week in Bug Bounty ======Hacker spotlight: RhynoraterUltra Mobile BB Program - Mobile AppsUltra Mobile BB Program - (Public)John Deere ProgramJD's's BB Program Boosts CybersecurityDojo #41 - Ruby treasure====== Resources ======slonser 0-day in chromeCT Additional useful primitivesHow I made $64k from deleted filesCTBB episode with Sharon BrizinovRez0's Subdomain Link LauncherQwen3 Local ModelMay Cause Pwnageimport WAF bypassCaido DropAndre's tweet about encoded wordNahamconGemini prompt leakSVG Onload Handlers

Episode 120: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner welcomes Eugene to talk (aka fanboy) about his new book, 'From Day Zero to Zero Day.' We walk through what to expect in each chapter, including Binary Analysis, Source and Sink Discovery, and Fuzzing everything.Then we give listeners a special deal on the book.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter:https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today’s Sponsor - ThreatLocker User Storehttps://www.criticalthinkingpodcast.io/tl-userstoreToday’s guest: https://x.com/spaceraccoonsec====== Resources ======Buy SpaceRaccoon's Book: From Day Zero to Zero Dayhttps://nostarch.com/zero-dayUSE CODE 'ZERODAYDEAL' for 30% OFFPwning Millions of Smart Weighing Machines with API and Hardware Hackinghttps://spaceraccoon.dev/pwning-millions-smart-weighing-machines-api-hardware-hacking/====== Timestamps ======(00:00:00) Introduction(00:04:58) From Day Zero to Zero Day(00:12:06) Mapping Code to Attack Surface(00:17:59) Day Zero and Taint Analysis(00:22:43) Automated Variant Analysis & Binary Taxonomy(00:31:35) Source and Sink Discovery(00:40:22) Hybrid Binary Analysis & Quick and Dirty Fuzzing(00:56:00) Coverage-Guided Fuzzing, Fuzzing Everything, & Beyond Day Zero(01:02:16) Bug bounty, Vuln research, & Governmental work(01:10:23) Source Code Review & Pwning Millions of Smart Weighing Machines

Episode 119: In this episode of Critical Thinking - Bug Bounty Podcast Justin does a mini deep dive into the world of iframes, starting with why they’re significant, their attributes, and how to attack them.CORRECTION: Some of my comments on the latest episode of the pod were woefully inaccurate about the `csp` attribute of an iframe. Def should have read the spec more thoroughly. Please see the #corrections channel in Discord for the deets.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter:https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!====== Resources ======Episode with JR0ch17ctbb.show/61Exacerbating Cross-Site Scripting: The Iframe Sandwichhttps://coopergyoung.com/exacerbating-cross-site-scripting-the-iframe-sandwich/====== Timestamps ======(00:00:00) Introduction(00:01:20) Why are Iframes useful(00:05:11) Attributes of Iframes(00:21:39) Iframe Attacks(00:29:53) Iframe Fun Facts

Episode 118: In this episode of Critical Thinking - Bug Bounty Podcast we cover a host of news, including clientside tidbits, “Credentialless” iframes, prototype pollution, and what constitutes a polyglot in llms.txt.Follow us on XShoutout to YTCracker for the awesome intro music!====== Links ======Follow Rhynorater and Rez0 on X====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!You can also find some hacker swag!====== Resources ======p4fg passed 1 Million!/reports/:id.json - $25K CritHacking Crypto pt1The art of payload obfuscationAnalyzing the Next.js Middleware BypassNahamsec's Merch storellms.txt polyglot prompt injectionReact Router and the Remix’ed pathPre-Authentication SQL Injection in Halo ITSMPwning Millions of Smart Weighing MachinesMCP Server OauthCline“Credentialless” iframesTiny XSS PayloadsTypes of Pollution====== Timestamps ======(00:00:00) Introduction(00:05:56) Next.js Middleware bypass & Polyglots in llms.txt(00:16:35) CPDoS on React Router(00:24:26) Loose Types Sink Ships & Pwning Smart Scales(00:32:30) MCP Server Oauth & Cline(00:39:40) Clientside Tidbits & Prototype Pollutions

Episode 117: In this episode of Critical Thinking - Bug Bounty Podcast Joseph introduces Vulus Ex Machina: A 3-part mini-series on hacking AI applications. In this part, he lays the groundwork and focuses on AI reconnaissance. Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!====== Resources ======Building Reliable Web Agentshttps://x.com/pk_iv/status/190417889272394177717 security checks from VIBE to PRODUCTIONhttps://x.com/Kaamiiaar/status/1902342578185630000How to Hack AI Agents and Applicationshttps://josephthacker.com/hacking/2025/02/25/how-to-hack-ai-apps.htmlAI Crash Course Repohttps://github.com/henrythe9th/ai-crash-courseDeep Dive into LLMs like ChatGPThttps://www.youtube.com/watch?v=7xTGNNLPyMI====== Timestamps ======(00:00:00) Introduction(00:01:54) AI News(00:08:09) How to Hack AI Agents and Applications(00:14:26) The Recon Process(00:25:06) Initial Probing & Steering

Episode 116: In this episode of Critical Thinking - Bug Bounty Podcast Justin gives a quick rundown of Portswigger’s SAML Roulette writeup, as well as some Google VRP reports, and a Next.js middleware exploit.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today’s Sponsor: ThreatLocker Cloud Control - https://www.threatlocker.com/platform/cloud-control====== Resources ======SAML roulette: the hacker always winshttps://portswigger.net/research/saml-roulette-the-hacker-always-winsLoophole of getting Google Form associated with Google Spreadsheet with no editor/owner accesshttps://bughunters.google.com/reports/vrp/yBeFmSrJiLoophole to see the editors of a Google Document with no granted access(owner/editor) with just the fileid (can be obtained from publicly shared links with 0 access)https://bughunters.google.com/reports/vrp/7EhAw2hurCloud Tools for Eclipse - Chaining misconfigured OAuth callback redirection with open redirect vulnerability to leak Google OAuth Tokens with full GCP Permissionshttps://bughunters.google.com/reports/vrp/F8GFYGv4gNext.js, cache, and chains: the stale elixirhttps://zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixirNext.js and the corrupt middleware: the authorizing artifacthttps://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware====== Timestamps ======(00:00:00) Introduction(00:02:59) SAML roulette(00:13:08) Google bugs(00:20:16) Next.js and the corrupt middleware

Episode 115: In this episode of Critical Thinking - Bug Bounty Podcast Justin and So Sakaguchi sit down to walk through some recent bugs, before having a live mentorship session. They also talk about Reflector, and finish up by doing a bonus podcast segment in Japanese!Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to https://x.com/realytcracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today’s Sponsor: ThreatLocker Cloud Control - https://www.threatlocker.com/platform/cloud-controlToday’s Guest: https://x.com/Mokusou4====== Resources ======So's last appearance in episode 40ctbb.show/40====== Timestamps ======(00:00:00) Introduction(00:04:11) So's Facebook Bug(00:14:37) So and Justin's Google Bug(00:33:39) Live Mentorship Session(00:56:29) Reflector(01:13:22) Bonus - Podcast in Japanese

Episode 114: In this episode of Critical Thinking - Bug Bounty Podcast we’re diving into SPA and how to attack them.We also cover a host of news items, including some bug write-ups, AI updates, and a new tool called Hackadvisor.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today’s Sponsor: ThreatLocker Cloud Control====== Resources ======Hacking High-Profile Bug Bounty Targets: Deep Dive into a Client-Side ChainResearch finds 12,000 ‘Live’ API Keys and Passwords in DeepSeek's Training DataHackadvisorWP ExtensionsNotebook LMPressing Buttons with PopupsResponse to @RenwaX23Prompt Injection Attacks for DummiesShadow Repeaterparallel-prettier====== Timestamps ======(00:00:00) Introduction(00:02:15) Bug Write-up from @busf4ctor(00:09:44) Scanning Common Crawl(00:16:30) Hackadvisor and WP/Chrome Extension News(00:24:15) Notebook LM, and Recent AI Updates(00:31:58) Write-up from @J0R1AN and Related POC from @RenwaX23(00:38:10) Prompt Injection Attacks for Dummies(00:42:29) ShadowRepeater(00:47:04) Single-page applications

Episode 113: In this episode of Critical Thinking - Bug Bounty Podcast we’re breaking down the Portswigger Top 10 from 2024. There’s some bangers in here!Follow us on X at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on X: ====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag!====== Resources ======Hijacking OAUTH flows via Cookie TossingChatGPT Account Takeover - Wildcard Web Cache DeceptionOAuth Non-Happy Path to ATOCVE-2024-4367 - Arbitrary JavaScript execution in PDF.jsDoubleClickjacking: A New Era of UI RedressingWorstFit: Unveiling Hidden Transformers in Windows ANSISQL Injection Isn't Dead: Smuggling Queries at the Protocol LevelConfusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP ServerMiddleware, middleware everywhere – and lots of misconfigurations to fix====== Timestamps ======(00:00:00) Introduction(00:09:56) Hijacking OAuth flows via Cookie Tossing(00:17:30) ChatGPT Account Takeover(00:25:28) OAuth Non-Happy Path to ATO(00:29:24) CVE-2024-4367(00:37:37) DoubleClickjacking:(00:44:54) Exploring the DOMPurify library(00:48:01) WorstFit(00:56:29) Unveiling TE.0 HTTP Request Smuggling(01:06:40) SQL Injection Isn't Dead: Smuggling Queries at the Protocol Level (01:14:05) Confusion Attacks

Episode 112: In this episode of Critical Thinking - Bug Bounty Podcast Joseph Thacker is joined by Ciarán Cotter (Monke) to share his bug hunting journey and give us the rundown on some recent client-side and server-side bugs. Then they discuss WebSockets, SaaS security, and cover some AI news including Grok 3, Nuclei -AI Flag, and some articles by Johann Rehberger.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter:https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today’s Guest - Ciarán Cotterhttps://x.com/monkehack====== Resources ======Mstyhttps://msty.app/From Day Zero to Zero Dayhttps://nostarch.com/zero-dayNuclei - ai flaghttps://x.com/pdiscoveryio/status/1890082913900982763ChatGPT Operator: Prompt Injection Exploits & Defenseshttps://embracethered.com/blog/posts/2025/chatgpt-operator-prompt-injection-exploits/Hacking Gemini's Memory with Prompt Injection and Delayed Tool Invocationhttps://embracethered.com/blog/posts/2025/gemini-memory-persistence-prompt-injection/====== Timestamps ======(00:00:00) Introduction(00:01:04) Bug Rundowns(00:13:05) Monke's Bug Bounty Background(00:20:03) Websocket Research(00:34:01) Connecting Hackers with Companies(00:34:56) Grok 3, Msty, From Day Zero to Zero Day(00:42:58) Full time Bug Bounty, SaaS security, and Threat Modeling while AFK(00:54:49) Nuclei - ai flag, ChatGPT Operator, and Hacking Gemini's Memory