Episode 146: Hacking Horror Stories

Episode 146: In this episode of Critical Thinking - Bug Bounty Podcast Justin, Joseph, and Brandyn all sit down to celebrate the spooky season by swapping their scariest bug stories. From frightening fails and firings to hacks with chilling and critical consequences. Grab your flashlight and a blanket for this one!Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynoraterhttps://x.com/rez0__https://x.com/gr3pme====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today's Sponsor: ThreatLocker. Check out ThreatLocker Network Controlhttps://www.criticalthinkingpodcast.io/tl-nc====== This Week in Bug Bounty ======Methodology tips from top Bug Bounty huntersYesWeHack marks first year of partnership with Singapore’s GovernmentHackerOne Hacker-Powered Security Report====== Resources ======Critical Research LabHacking the World Poker Tour: Inside ClubWPT Gold’s Back OfficeFile Creation via SQLite Injection====== Timestamps ======(00:00:00) Introduction(00:10:11) Crit Research Lab News(00:21:31) Hacking the World Poker Tour & File Creation via SQLite Injection(00:30:40) Brandyn's Spooky Bug(00:38:02) Joseph's Spooky Bug(00:44:18) Justin's Spooky Bug(00:54:44) Banking Bugs, LHE Scares, and Workday weirdness.(01:14:52) Firings and failures(01:22:49) Bank Bug Redux(01:35:55) Wedding planning/registry app & Amazon Rufus bugs(01:40:52) New Relic bug

Episode 145: In this episode of Critical Thinking - Bug Bounty Podcast Brandyn lets us in on some of his notetaking tips, including his Templates, Threat Modeling, and ways he uses notes to help with collaboration.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater, Rez0, & gr3pme on Twitter:https://x.com/Rhynoraterhttps://x.com/rez0__https://x.com/gr3pme====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today's Sponsor: ThreatLocker. Check out ThreatLocker Network Controlhttps://www.criticalthinkingpodcast.io/tl-nc====== This Week in Bug Bounty ======The minefield between syntaxeshttps://www.yeswehack.com/learn-bug-bounty/syntax-confusion-ambiguous-parsing-exploits====== Resources ======Brandyn's Notion Templatehttps://terrific-dart-70e.notion.site/Example-Target-CTBB-294f4ca0f42481cca0b0ca6ac0a7c81d====== Timestamps ======(00:00:00) Introduction(00:07:25) Templates, Target, and Tech Stack(00:13:33) Threat Modeling and Attack Vectors

Episode 144: In this episode of Critical Thinking - Bug Bounty Podcast Joseph is joined by Vitor Falcão and Ciarán Cotter to discuss their success at the recent Mexico LHE, as well as their journey and routines in fulltime hacking. Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today's Sponsor: ThreatLocker. Check out ThreatLocker DAChttps://www.criticalthinkingpodcast.io/tl-dacToday’s Guests:Vitor Falcãohttps://x.com/busf4ctorCiarán Cotterhttps://x.com/monkehack ====== This Week in Bug Bounty======Securing the Age of AI Autonomy: Priorities for 2026https://www.hackerone.com/events/bionic-hacking====== Resources ======AI Vulnerability Reward Program Ruleshttps://bughunters.google.com/about/rules/google-friends/5222232590712832/ai-vulnerability-reward-program-rulesMy First 3 Months as a Full-Time Bug Bounty Hunterhttps://vitorfalcao.com/posts/3-months-as-a-full-time-bug-bounty-hunter/====== Timestamps ======(00:00:00) Introduction(00:02:32) Client side Bug Story & Vitor's BB journey(00:13:59) Google LHE Mexico takeaways(00:26:55) Full-time hunting reflections(00:33:39) Hacking routines(00:42:56) Hacking AI

Episode 143: In this episode of Critical Thinking - Bug Bounty Podcast Justin brings Brandyn back to announce him as our newest co-host. We chat about recent LHE experiences, and then break down some news. Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!====== This Week in Bug Bounty ======YesWeHack won the European commission: https://www.yeswehack.com/news/european-commission-tender-won-yeswehackYesWeHack now have authorised cve numbering authority: https://www.yeswehack.com/news/yeswehack-authorised-cve-numbering-authorityA wide range of highly used open source bug bounty program such as Log4J, Systemd, GNOME and a lot more: https://event.yeswehack.com/events/open-the-code-source-the-bounty====== Resources ======Attributes reference inside HTMLExplaining XSS without parentheses and semi-colonsBeyond Sandbox Domains: Rendering Untrusted Web Content with SafeContentFrameOne Token to rule them allflareproxCaido 101: How to master it====== Timestamps ======(00:00:00) Introduction(00:03:16) LHE approaches and accomplishments(00:30:54) Attributes reference inside HTML & Explaining XSS without parentheses and semi-colons(00:44:33) One Token to rule them all(00:57:13) Flareprox & Caido 101

Episode 142: In this episode of Critical Thinking - Bug Bounty Podcast Rez0 and Gr3pme join forces to discuss Websocket research, Meta’s $111750 Bug, PROMISQROUTE, and the opportunities afforded by going full time in Bug Bounty.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter:====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today's Sponsor: ThreatLocker. Check out ThreatLocker DACToday’s Guest: https://x.com/gr3pme====== This Week in Bug Bounty ======New Monthly Dojo challenge and Dojo UI designThe ultimate Bug Bounty guide to exploiting race condition vulnerabilities in web applicationsWatch Our boy Brandyn on the TV====== Resources ======murtasecWebSocket Turbo Intruder: Unearthing the WebSocket GoldmineRemote code execution though vulnerability in Facebook Messenger for WindowsFinding vulnerabilities in modern web apps using Claude Code and OpenAI CodexMind the GapPROMISQROUTE====== Timestamps ======(00:00:00) Introduction(00:05:16) Full Time Bug Bounty and Business Startups(00:15:50) Websockets(00:22:17) Meta’s $111750 Bug(00:28:38) Finding vulns using Claude Code and OpenAI Codex(00:39:32) Time-of-Check to Time-of-Use Vulns in LLM-Enabled Agents(00:45:22) PROMISQROUTE

Episode 141: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Nick Copi to talk about CSPT, React, CSS Injections and how Nick hacked the pod.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter:https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today's Sponsor: ThreatLocker. Check out ThreatLocker DAChttps://www.criticalthinkingpodcast.io/tl-dacToday’s Guest: https://x.com/7urb01====== Resources ======regexploithttps://github.com/doyensec/regexploitFontleakhttps://adragos.ro/fontleak/debug(function)https://developer.chrome.com/docs/devtools/console/utilities#debug-functiondomloggerpphttps://github.com/kevin-mizu/domloggerpp====== Timestamps ======(00:00:00) Introduction(00:02:40) Google Docs Bug and 7urb0 Introduction(00:13:26) Bring-a-bug story(00:20:21) 7urb0's DEFCON talk teaser & Intrusive Thoughts Worth Sharing(00:30:01) CSPTs and React Apps(00:51:31) CSS Injections(01:04:55) 7urb0's backstory and game hacking(01:18:33) Worst Crit

Episode 140: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph give an update from The Crit Research Lab, as well as some writeups on postMessage vulnerabilities, Cookie Chaos, and more.Follow us on X at: https://x.com/ctbbpodcastGot any ideas and suggestions? Send us feedback at [email protected] to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord!Get some hacker swag here!====== This Week in Bug Bounty ======Cross-site request forgeryHackerOne New Milestone ProgramEmail [email protected] for media opportunities====== Resources ======Exploiting Web Worker XSS with BlobsCritical Research LabRez0's TweetCVE-2022-21703: cross-origin request forgery against GrafanaConversation about Forcing Quirks ModeAI Busniess Logic & POC or GTFOHunting postMessage Vulnerabilities – Part 1Hunting postMessage Vulnerabilities – Part 2Executive OffenseCookie Chaos: How to bypass Host and Secure cookie prefixes====== Timestamps ======(00:00:00) Introduction(00:05:48) Crit Research Update(00:13:00) Encouragement & Collaboration(00:19:37) Cross-origin request forgery & Anthropic's web fetch(00:29:17) Quirks Mode, AI Business Logic & POC or GTFO(00:44:21) Hunting postMessage & Claude Code browserbase(00:51:25) Community story, Executive Offense, & Cookie Chaos

Episode 139: In this episode of Critical Thinking - Bug Bounty Podcast Justin finally sits down with the great James Kettle to talk about HTTP Proxys, metagaming research, avoiding burnout, and why HTTP/1.1 must die!Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today’s Guest: https://x.com/albinowaxhttps://jameskettle.com====== This Week in Bug Bounty ======Building an Android Bug Bounty labMobile Hacking Toolkit====== Resources ======CVE-2022-22720So you want to be a web security researcher?Hunting Evasive Vulnerabilities: Finding Flaws That Others Miss by James KettleHTTP/1.1 Must Die! The Desync EndgamePractical HTTP Host header attacks====== Timestamps ======(00:00:00) Introduction(00:05:01) Apache MITM-powered pause-based client-side desync(00:15:33) HTTP Proxys and Burp Suite HTTP/2 in Repeater(00:24:52) AI intagrations, life structure, and avoiding burnout(00:35:23) Client-side to server-side progression(00:47:39) The 'metagame' of security research(01:29:43) Host Header Attacks & HTTP/1.1 Must Die! (02:02:34) Is HTTP/2 the solution?

Episode 138: In this episode of Critical Thinking - Bug Bounty Podcast We’re talking Caido tools and workflows. Justin gives us a list of some of the Caido tools that have caught his interest, as well as how he’s using them.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!====== This Week in Bug Bounty ======Meet YesWeHack at ROOTCON 2025https://www.yeswehack.com/page/meet-yeswehack-at-rootcon-2025New Dojo challenge featuring a Local File Inclusion in a Ruby applicationhttps://dojo-yeswehack.com/challenge-of-the-month/dojo-44?utm_source=sponsor&utm_medium=challenge&utm_campaign=dojo-44AI Red Teaming CTFhttps://ctf.hackthebox.com/event/details/ai-red-teaming-ctf-ai-gon3-rogu3-2604====== Resources ======Web Security Labshttp://caido.rhynorater.com====== Timestamps ======(00:00:00) Introduction(00:02:32) Common filters & command palette in EvenBetter(00:06:49) Notes++(00:09:28) Shift Agents and Drop(00:15:34) Workflows

Episode 137: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner and Joseph Thacker reunite to talk about AI Hacking Assistants, CSPT and cache deception, and a bunch of tools like ch.at, Slice, Ebka, and more.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: [email protected] to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter:https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!====== This Week in Bug Bounty ======Vulnerability vectors: SQL injection for Bug Bounty huntersMozilla VPN Clients: RCE via file write and path traversal====== Resources ======Cache Deception + CSPT:dig @ch.atSearchlight Cyber ToolsSliceEbka-Caido-AIpostMessage targetOrigin bypass====== Timestamps ======(00:00:00) Introduction(00:01:26) Claude, Gemini, and Hacking Assistants(00:11:08) AI Safety(00:18:09) CSPT(00:23:26) ch.at, Slice, Ebka, & Searchlight Cyber Tools(00:45:19) postMessage targetOrigin bypass