Episodes

  • Episode 98: Team 82 Sharon Brizinov - The Live Hacking Polymath
    Nov 21 2024

    Episode 98: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner sits down with Sharon,to discuss his journey from early iOS development to leading a research team at Claroty. They address the differences between HackerOne and Pwn2Own, and talk through some intricacies of IoT security, and some less common IoT attack surfaces.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Sponsor - ThreatLocker: Check out Network Control!

    https://www.criticalthinkingpodcast.io/tl-nc

    And AssetNote: Check out their ASMR board (no not that kind!)

    https://assetnote.io/asmr

    Today’s Guest: https://sharonbrizinov.com/

    Resources

    The Claroty Research Team

    https://claroty.com/team82

    Pwntools

    https://github.com/Gallopsled/pwntools

    Scan My SMS

    http://scanmysms.com

    Gotta Catch 'Em All: Phishing, Smishing, and the birth of ScanMySMS

    https://www.youtube.com/watch?v=EhNsXXbDp3U

    Timestamps

    (00:00:00) Introduction

    (00:03:31) Sharon's Origin Story

    (00:21:58) Transition to Bug Bounty and Pwn2Own vs HackerOne

    (00:47:05) IoT/ICS Hacking Methodology

    (01:10:13) Cloud to Device Communication

    (01:18:15) Bug replication and uncommon attack surfaces

    (01:30:58) Documentation tracker, reCaptcha bypass, and ScanMySMS

    Show more Show less
    1 hr and 44 mins
  • Episode 97: Bcrypt Hash Input Truncation & Mobile Device Threat Modeling
    Nov 14 2024

    Episode 97: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel jump into some cool news items, including a recent Okta Bcrypt vulnerability, insights into crypto bugs, and some intricacies of Android and Chrome security. They also explore the latest research from Portswigger on payload concealment techniques, and the introduction of the Lightyear tool for PHP exploits.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Sponsor - ThreatLocker: Check out Network Control!

    https://www.criticalthinkingpodcast.io/tl-nc

    And AssetNote: Check out their ASMR board (no not that kind!)

    https://assetnote.io/asmr

    Resources

    Okta bcrypt

    Android Web Attack Surface Writeups

    Concealing payloads in URL credentials

    Dumping PHP files with Lightyear

    Limit maximum number of filter chains

    Dom-Explorer tool launched

    MultiHTMLParse

    JSON Crack

    Caido/Burp notes plugin

    Timestamps

    (00:00:00) Introduction

    (00:02:43) Okta Release and bcrypt

    (00:10:26) Android Web Attack Surface Writeups

    (00:20:21) More Portswigger Research

    (00:28:29) Lightyear and PHP filter chains

    (00:35:09) Dom-Explorer

    (00:45:24) The JSON Debate

    (00:49:59) Notes plugin for Burp and Caido

    Show more Show less
    53 mins
  • Episode 96: Cookies & Caching with MatanBer
    Nov 7 2024

    Episode 96: In this episode of Critical Thinking - Bug Bounty Podcast we’re back with Matanber to hit some stuff we ran out of time on last episode. We talk about advanced cookie parsing techniques and exploitation methods, Safari's unique behaviors regarding cookie handling and debugging methods, and some of the writeups from the HeroCTF v6.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Guest: https://x.com/MtnBer

    Resources:

    Cookie Bugs - Smuggling & Injection

    https://blog.ankursundara.com/cookie-bugs/#:~:text=Cookie%20Smuggling

    iOS Webkit Debug Proxy

    https://github.com/google/ios-webkit-debug-proxy

    HeroCTF v6 Writeups

    https://mizu.re/post/heroctf-v6-writeups

    Timestamps

    (00:00:00) Introduction

    (00:01:29) Cookie exploits

    (00:21:32) Matan's Safari Adventure

    (00:29:49) HeroCTF 6 writeups

    Show more Show less
    49 mins
  • Episode 94: Zendesk Fiasco & the CTBB Naughty List
    Oct 24 2024

    Episode 94: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel give their perspectives on the recent Zendesk fiasco and the ethical considerations surrounding it. They also highlight the launch of AuthzAI and some research from Ophion Security

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Sponsor - AssetNote. Listen to their podcast https://www.criticalthinkingpodcast.io/sspod

    Resources:

    New music drop from our Boi YT

    https://x.com/realytcracker/status/1847599657569956099

    AuthzAI

    https://authzai.com/

    Ron Chan

    https://x.com/ngalongc

    Misconfigured User Auth Leads to Customer Messages

    https://www.ophionsecurity.com/post/live-chat-blog-1-misconfigured-user-auth-leads-to-customer-messages

    Zendesk Write-up

    https://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b9d2cf2e52

    Response from Zendesk

    https://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b9d2cf2e52?permalink_comment_id=5232589#gistcomment-5232589

    Timestamps

    (00:00:00) Introduction

    (00:05:29) AuthzAI and the return of Ron Chan

    (00:13:50) Ophion Security Research

    (00:18:12) Zendesk Drama

    Show more Show less
    49 mins
  • Episode 93: A Chat with Dr. Bouman - Life as a Hacker and a Doctor
    Oct 17 2024

    Episode 93: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Dr. Jonathan Bouman to discuss his unique journey as both a Hacker and a Healthcare Professional. We talk through how he balances his dual careers, some ethical considerations of hacking in the context of healthcare, and highlight some experiences he’s had with Amazon's bug bounty program.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Sponsor - ThreatLocker. Checkout their ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect

    Today’s Guest - https://x.com/jonathanbouman?lang=en

    Resources

    Anyone can Access Deleted and Private Repository Data on GitHub

    Filesender Github

    Remote Code execution at ws1.aholdusa .com

    APK-MITM

    Hacking Dutch healthcare system

    Fitness Youtube Channels

    https://www.youtube.com/channel/UCpQ34afVgk8cRQBjSJ1xuJQ

    https://www.youtube.com/@BullyJuice

    Timestamps

    (00:00:00) Introduction

    (00:07:28) Medicine and Hacking

    (00:19:36) Hacking on Amazon

    (00:34:33) Collaboration and consistency

    (00:44:13) SSTI Methodology

    (01:06:10) iOS Hacking Methodology

    (01:13:23) Hacking Healthcare

    (01:32:19) Health tips for hacking

    Show more Show less
    1 hr and 41 mins
  • Episode 92 - SAML XPath Confusion, Chinese DNS Poisoning, and AI Powered 403 Bypasser
    Oct 10 2024

    Episode 92: In this episode of Critical Thinking - Bug Bounty Podcast In this episode Justin and Joel tackle a host of new research and write-ups, including Ruby SAML, 0-Click exploits in MediaTek Wi-Fi, and Vulnerabilities caused by The Great Firewall

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Today’s Sponsor - ThreatLocker. Checkout their ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect

    Resources:

    Insecurity through Censorship

    Ruby-SAML / GitLab Authentication Bypass

    0-Click exploit discovered in MediaTek Wi-Fi chipsets

    New Caido Plugin to Generate Wordlists

    Bebik’s 403 Bypassor

    CSPBypass

    Arb Read & Arb write on LLaMa.cpp by SideQuest

    XSS WAF Bypass One payload for all

    Timestamps

    (00:00:00) Introduction

    (00:02:08) Vulnerabilities Caused by The Great Firewall

    (00:07:25) Ruby SAML Bypass

    (00:19:55) 0-Click exploit discovered in MediaTek Wi-Fi chipsets

    (00:24:36) New Caido Wordlist Plugin

    (00:31:00) CSPBypass.com

    (00:35:37) Arb Read & Arb write on LLaMa.cpp by SideQuest

    (00:43:10) Helpful WAF Bypass

    Show more Show less
    48 mins
  • Episode 91: Zero to LHE in 9 Months (feat gr3pme)
    Oct 3 2024

    Episode 91: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner sits down with Critical Thinking’s own HackerNotes writer Brandyn Murtagh (gr3pme) to talk about his journey with Bug Bounty. We cover mentorship, networking and LHEs, ecosystem hacking, emotional regulation, and the need for self-care. Then we wrap up with some fun bugs.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Shop our new swag store at ctbb.show/swag

    Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder

    Today’s guest: https://x.com/gr3pme

    Resources:

    Lessons Learned for LHEs

    https://x.com/Rhynorater/status/1579499221954473984

    Timestamps:

    (00:00:00) Introduction

    (00:07:02) Mentorship in Bug Bounty

    (00:16:30) LHE lessons, takeaways, and the benefit of feedback and networking

    (00:41:28) Choosing Targets

    (00:49:03) Vuln Classes

    (00:58:54) Bug Reports

    Show more Show less
    1 hr and 23 mins
  • Episode 90: 5k Clickjacking, Encryption Oracles, and Cursor for PoCs
    Sep 26 2024

    Episode 90: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin recap some of their recent hacking ups and downs and have a lively chat about Cursor. Then they cover some some research about SQL Injections, Clickjacking in Google Docs, and how to steal your Telegram account in 10 seconds.

    Follow us on twitter at: @ctbbpodcast

    We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!

    ------ Links ------

    Find the Hackernotes: https://blog.criticalthinkingpodcast.io/

    Follow your hosts Rhynorater & Teknogeek on twitter:

    https://twitter.com/0xteknogeek

    https://twitter.com/rhynorater

    ------ Ways to Support CTBBPodcast ------

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Shop our new swag store at ctbb.show/swag

    Today’s Sponsor: Project Discovery - tldfinder: https://www.criticalthinkingpodcast.io/tldfinder

    Resources:

    Breaking Down Barriers: Exploiting Pre-Auth SQL Injection in WhatsUp Gold

    Content-Type that can be used for XSS

    Clickjacking Bug in Google Docs

    Justin's Gadget Link

    https://www.youtube.com/signin?next=https%3A%2F%2Faccounts.youtube.com%2Faccounts%2FSetSID%3Fcontinue%3Dhttps%3A%2F%2Fwww.google.com%252Famp%252fpoc.rhynorater.com

    Stealing your Telegram account in 10 seconds flat

    Timestamps

    (00:00:00) Introduction

    (00:08:28) Recent Hacks and Dupes

    (00:14:00) Cursor

    (00:25:02) Exploiting Pre-Auth SQL Injection in WhatsUp Gold

    (00:34:17) Content-Type that can be used for XSS

    (00:40:25) Caido updates

    (00:43:14) Clickjacking in Google Docs, and Stealing Telegram account

    Show more Show less
    52 mins