- 252
- 486 603
Critical Thinking - Bug Bounty Podcast
Приєднався 7 гру 2022
A "by Hackers for Hackers" podcast focused on technical content ranging from bug bounty tips, to write-up explanations, to the latest hacking techniques.
Announcing our new cohost... (Ep. 106)
Episode 106: In this episode of Critical Thinking - Bug Bounty Podcast we are pleased to announce our new co-host of the podcast: Joseph Thacker Aka Rez0! We discuss Joseph's transition to full-time bug bounty hunting, his goals, and what he’s looking forward to bringing to the pod. We also cover some news items including doubleclickjacking, character set attacks, SVG XSS, and more.
Follow us on twitter at: ctbbpodcast
Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to realytcracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater & Rez0 on twitter:
x.com/Rhynorater
x.com/rez0__
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Check out our new SWAG store at ctbb.show/swag!
Resources:
DoubleClickjacking: A New Era of UI Redressing
www.paulosyibelo.com/2024/12/doubleclickjacking-what.html
XBOW Validation Benchmarks:
github.com/xbow-engineering/validation-benchmarks
Jorian tweet:
x.com/J0R1AN/status/1871586792455163975
Simplified Payload:
portswigger-labs.net/xss/charset.php?x=%1b$B%1b(B%3Ca%20href=javas%1B(Jcript:alert(1)%3Etest%3C/a%3E&charset=
SVG XSS Payload:
x.com/garethheyes/status/1876953751245783534
curl-cffi:
pypi.org/project/curl-cffi/
Bypassing File Upload Restrictions To Exploit CSPT:
blog.doyensec.com/2025/01/09/cspt-file-upload.html
AI-Crash-Course:
github.com/henrythe9th/AI-Crash-Course?tab=readme-ov-file
Timestamps:
(00:00:00) Introduction
(00:02:15) Rez0's journey to Full-time hunter, Tool developer, and new Co-host
(00:21:04) DoubleClickjacking
(00:31:48) XBOW Validation Benchmarks, Charset Thoughts, and SVG XSS
(00:42:28) curl-cffi, CSPT, and AI Crash Course
Follow us on twitter at: ctbbpodcast
Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to realytcracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater & Rez0 on twitter:
x.com/Rhynorater
x.com/rez0__
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Check out our new SWAG store at ctbb.show/swag!
Resources:
DoubleClickjacking: A New Era of UI Redressing
www.paulosyibelo.com/2024/12/doubleclickjacking-what.html
XBOW Validation Benchmarks:
github.com/xbow-engineering/validation-benchmarks
Jorian tweet:
x.com/J0R1AN/status/1871586792455163975
Simplified Payload:
portswigger-labs.net/xss/charset.php?x=%1b$B%1b(B%3Ca%20href=javas%1B(Jcript:alert(1)%3Etest%3C/a%3E&charset=
SVG XSS Payload:
x.com/garethheyes/status/1876953751245783534
curl-cffi:
pypi.org/project/curl-cffi/
Bypassing File Upload Restrictions To Exploit CSPT:
blog.doyensec.com/2025/01/09/cspt-file-upload.html
AI-Crash-Course:
github.com/henrythe9th/AI-Crash-Course?tab=readme-ov-file
Timestamps:
(00:00:00) Introduction
(00:02:15) Rez0's journey to Full-time hunter, Tool developer, and new Co-host
(00:21:04) DoubleClickjacking
(00:31:48) XBOW Validation Benchmarks, Charset Thoughts, and SVG XSS
(00:42:28) curl-cffi, CSPT, and AI Crash Course
Переглядів: 1 943
Відео
Best Moments of 2024 on the Pod (Ep. 105)
Переглядів 1,3 тис.День тому
Episode 105: In this episode of Critical Thinking - Bug Bounty Podcast we're back with another Best-of episode recapping some of our top moments of the year. Follow us on twitter at: ctbbpodcast We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to realytcracker for the awesome intro music! Links Follow...
2024 Hacker Stats & 2025 Goals (Ep. 104)
Переглядів 3,7 тис.14 днів тому
Episode 104: 2024 Hacker Stats & 2025 Goals Episode 104: In this episode of Critical Thinking - Bug Bounty Podcast Justin reflects upon the past year and walks through some of the bug bounty goals he had for 2024, and how he feels like he did. Then he sets some goals for 2025, as well as some exciting CT news for the coming year. Follow us on twitter at: ctbbpodcast We're new to thi...
Getting ANSI about Unicode Normalization (Ep. 103)
Переглядів 1,2 тис.21 день тому
Episode 103: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph delve into the vulnerabilities associated with ANSI codes and large language models (LLMs), as well as talk through some research about _json Juggling, cookie handling quirks, and the value of micro-blogging in general. Follow us on twitter at: ctbbpodcast We're new to this podcasting thing, so ...
Building Web Hacking Micro Agents with Jason Haddix (Ep. 102)
Переглядів 5 тис.Місяць тому
Episode 102: In this episode of Critical Thinking - Bug Bounty Podcast Justin grabs Jason Haddix to help brainstorm the concept of AI micro-agents in hacking, particularly in terms of web fuzzing, WAF bypasses, report writing, and more.They discuss the importance of contextual knowledge, the cost implications, and the strengths of different LLM Models. Follow us on twitter at: ctbbp...
AI Attack Vectors - CTBB Hijacked - Rez0__ and Johann (Ep. 101)
Переглядів 2,1 тис.Місяць тому
AI Attack Vectors - CTBB Hijacked - Rez0 and Johann (Ep. 101)
8 Fav Bugs of 2024, Farewell Joel, Hello Shift - Cursor of Hacking (Ep. 100)
Переглядів 3,8 тис.Місяць тому
8 Fav Bugs of 2024, Farewell Joel, Hello Shift - Cursor of Hacking (Ep. 100)
Back to the Basics - Web Fundamental to 100k a Year in Bug Bounty (Ep. 99)
Переглядів 10 тис.Місяць тому
Back to the Basics - Web Fundamental to 100k a Year in Bug Bounty (Ep. 99)
Team 82 Sharon Brizinov - The Live Hacking Polymath (Ep. 98)
Переглядів 2,4 тис.2 місяці тому
Team 82 Sharon Brizinov - The Live Hacking Polymath (Ep. 98)
Bcrypt Hash Input Truncation & Mobile Device Threat Modeling (Ep. 97)
Переглядів 1,2 тис.2 місяці тому
Bcrypt Hash Input Truncation & Mobile Device Threat Modeling (Ep. 97)
Cookies & Caching with MatanBer (Ep. 96)
Переглядів 2 тис.2 місяці тому
Cookies & Caching with MatanBer (Ep. 96)
Attacking Chrome Extensions with MatanBer - Big Impact on the Client-Side (Ep. 95)
Переглядів 2,4 тис.2 місяці тому
Attacking Chrome Extensions with MatanBer - Big Impact on the Client-Side (Ep. 95)
Zendesk Fiasco & the CTBB Naughty List (Ep. 94)
Переглядів 1,8 тис.2 місяці тому
Zendesk Fiasco & the CTBB Naughty List (Ep. 94)
A Chat with Dr. Bouman - Life as a Hacker and a Doctor (Ep.93)
Переглядів 3,1 тис.3 місяці тому
A Chat with Dr. Bouman - Life as a Hacker and a Doctor (Ep.93)
SAML XPath Confusion, Chinese DNS Poisoning, and AI Powered 403 Bypasser (Ep. 92)
Переглядів 2,1 тис.3 місяці тому
SAML XPath Confusion, Chinese DNS Poisoning, and AI Powered 403 Bypasser (Ep. 92)
Zero to LHE in 9 Months (feat gr3pme) (Ep. 91)
Переглядів 5 тис.3 місяці тому
Zero to LHE in 9 Months (feat gr3pme) (Ep. 91)
5k Clickjacking, Encryption Oracles, and Cursor for PoCs (Ep. 90)
Переглядів 2 тис.3 місяці тому
5k Clickjacking, Encryption Oracles, and Cursor for PoCs (Ep. 90)
The Untapped Bug Bounty Landscape of IoT w/ Matt Brown (Ep. 89)
Переглядів 2,7 тис.4 місяці тому
The Untapped Bug Bounty Landscape of IoT w/ Matt Brown (Ep. 89)
News, Tools, and Writeups (Ep. 88)
Переглядів 2,3 тис.4 місяці тому
News, Tools, and Writeups (Ep. 88)
'Hacker Wife' Mariah Gardner on Bug Bounty Mentality and Relationships (Ep. 87)
Переглядів 4,3 тис.4 місяці тому
'Hacker Wife' Mariah Gardner on Bug Bounty Mentality and Relationships (Ep. 87)
The X-Correlation between Frans & RCE - Research Drop (Ep. 86)
Переглядів 7 тис.4 місяці тому
The X-Correlation between Frans & RCE - Research Drop (Ep. 86)
Practical Applications of DEFCON 32 Web Research (Ep. 85)
Переглядів 2,5 тис.5 місяців тому
Practical Applications of DEFCON 32 Web Research (Ep. 85)
0xLupin & Takeaways from Google's Las Vegas BugSwat (Ep. 84)
Переглядів 1,5 тис.5 місяців тому
0xLupin & Takeaways from Google's Las Vegas BugSwat (Ep. 84)
Brainstorming Proxy Plugins (Ep.83)
Переглядів 1,3 тис.5 місяців тому
Brainstorming Proxy Plugins (Ep.83)
Crushing Client-Side on Any Scope with MatanBer (Ep. 81)
Переглядів 7 тис.5 місяців тому
Crushing Client-Side on Any Scope with MatanBer (Ep. 81)
Pwn2Own VS H1 Live Hacking Event (feat SinSinology) (Ep. 80)
Переглядів 4,7 тис.6 місяців тому
Pwn2Own VS H1 Live Hacking Event (feat SinSinology) (Ep. 80)
The State of CSS Injection - Leaking Text Nodes & HTML Attributes (Ep. 79)
Переглядів 1,8 тис.6 місяців тому
The State of CSS Injection - Leaking Text Nodes & HTML Attributes (Ep. 79)
Less Writing, More Hacking - Reporting Efficiency Techniques (Ep.78)
Переглядів 1,8 тис.6 місяців тому
Less Writing, More Hacking - Reporting Efficiency Techniques (Ep.78)
Bug Bounty Mental - Practical Tips for Staying Sharp & Motivated (Ep.77)
Переглядів 3,9 тис.6 місяців тому
Bug Bounty Mental - Practical Tips for Staying Sharp & Motivated (Ep.77)
Is that his real voice or he is talking that way
Yoooooooooo
Did joel quite the podcast ?😢
🔥🔥🔥
Just wait a few months ... Justin will definitely be on the hunt for a new co-host, because let's face it, he simply can't resist the urge to cut off his guests mid-sentence!
I get what you are saying but he loves bugbounty so he is excited. Even though sometimes he stops guests when they are really giving something important. We try to give positive feedback
Which Douglas Days talk about " looking for nos" are they talking about at 36`15?
ua-cam.com/video/G1RHa7l1Ys4/v-deo.htmlsi=ZmQzBvXzVoqE-xMe
@criticalthinkingpodcast rhx
Ha ha mr fuffing
Nice nice
🖖
Thank you for the shout out guys 🙏
AI hacking agents... I hate the idea
great episode 😂
what would be bug bounty landscape as hack bots , AI automation is going wild ? would you suggest who are new to this field and thinking of starting a career in BB to start their career in bug bounty ?
yeah, i think it'll be a great industry for awhile and even if not, the skills you will pick up will be invaluable to pivoting into a post-ai security world.
@@joseph_thackerHow much ai will impact bug Bounty space?
Keep up the awesome content!
BROO I WAS WAITING FOR THIS..
Just turned 16 and this is the dude I gotta out hack. Only 1 bug $1,100 earned so far
hey i wanted to know that you cant start the saml interaction without creating a account on idp right before you do the SAML login capturing process you need to have an account right. So the first step in any bug bounty program I go to see the saml vuln I need to find a way to create a account on their idp
I have a question , jason did talk about github repo with all telegram and some onion websites can you please add it to the description
this was really helpful
mariah chan is so lucky, i have the biggest crush on rhynorator ˶ᵔᗜ ᵔ˶
he is the reason most people doing mobile apps bug bounty
25:45 his lips say "Half a Muffin"
Good content as usual and the Mariah episode was awesome thank you for adding it❤
How to download these 105 episodes of knowledge at once in my brain!!
:)
❤
First strategy: Focus on one target company, spending time familiarizing myself with all of its products, keeping up with updates, and hunting for various vulnerabilities in those. Secondly strategy: Cast a wider net, learning new techniques or exploitation methods, or analyzing newly disclosed vulnerabilities, and then perform broad scans or manual testing across multiple targets on bug bounty platforms. Which of these two strategies is better?
I'm trying to understand this - What you and Joel said are true to a certain extent... but wouldn't this be applicable to other instances of applications like Facebook (fbconnect) only because the application creator decided to open specific links that are either affiliated to that application or want the application workflow pivot from one application to another? Happens in certain cases where you want to open instances of those applications like clicking a UA-cam link from internet browser and playing the video in the application vs playing the video in browser.
Bruh Shubs bug so outta pocket 💀
This is so real
Lol "young and invincible" 😎
Been there, done that 😎
intro music is cool
1:13:56 🔥😂
Appreciate man thanks for all you do
I feel you. You wish there were 40 hours per day, so that you could do 8 hours of work, 12 hours of sleep & misc stuff and 20 hours of pure CySec: 10 hours bug bounty, 10 hours research & learning.
Thanks for sharing your insights. Ready and motivated to get back into the hunt as a part timer. Need to accomplish some professional goals that I set for myself but again really motivated to dive back in.
Temp home and revert home that’s a great idea Awesome pod as usual
Nice job on 2024 goals! Bug bounty guild and research group sounds cool 👀
Very useful tips. Thanks for sharing!
collab with @yshahinzadeh (thezodd in hackerone)
Hello Mr. Rhynorater, I wanted to say that your videos are inspiring! Thank you for what you are doing for the community!
Appreciate y’all so much! Looking forward to an amazing 2025 for us all! 🎉
Just wanted to say thank you so much for all the effort you put into this Podcast and the community. It's been my main source of motivation these last few months going through two CS50 courses to get my CS fundamentals down, to the point where I am now finally in a situation where I can justify making a full time attempt at your "1 year to 100k" plan this year! Absolutely love the idea of a full-time BB community and I'm looking forward to applying once I (hopefully) clear the 50% requirement sometime this year!
What was the crypto bug ??
half a mil? good goal ;)
🎉🎉
Doing god's work. Thanks Justin
i wish it was more in example video instead of just talk
Me too
why i have no idea what they're talking about but I been hacking for a year