Justin Gardner, a full-time bug bounty hunter and podcaster, walks through hands-on web-hacking demos and practical training. He demonstrates IDOR, broken client-side access controls, reflected XSS, and CSRF using only the browser. Short guidance on a 200-hour learning roadmap, labs to practice, and what it takes to start earning in bug bounty work.
25:12
forum Ask episode
web_stories AI Snips
view_agenda Chapters
auto_awesome Transcript
info_circle Episode notes
insights INSIGHT
AI Scales Attackers But Persistence Wins
AI has lowered automation friction so skilled hunters can scale findings, making the landscape different but still full of opportunity.
Success still favours those who persist through many failures until one exploit clicks.
volunteer_activism ADVICE
Find IDOR By Iterating IDs In URLs
Test for IDOR by changing object IDs in URLs or API requests and iterating numeric IDs to enumerate records.
Justin reports getting bounties from Google, Uber, and Meta for such simple IDOR findings.
volunteer_activism ADVICE
Bypass Client Side Controls With DevTools Then Replay
Check client-side access controls by editing the DOM (e.g., remove disabled attributes) then replay the resulting request to the server.
Removing a disabled attribute only matters if the server actually performs the action (e.g., delete) afterward.
Get the Snipd Podcast app to discover more snips from this episode
Big thanks to @ThreatLocker for sponsoring my trip to ZTW26 and also for sponsoring this video. To start your free trial with ThreatLocker please use the following link: https://www.threatlocker.com/davidbombal
Are you looking to get into bug bounty hunting but feel overwhelmed or worried the field is oversaturated? In this video, full-time bug bounty hunter Justin Gardner shares a realistic, actionable guide to web hacking for beginners.
We dive straight into the practical side with five live demonstrations of common web vulnerabilities—all done using just your browser and DevTools. Justin explains how Insecure Direct Object Reference (IDOR), Broken Access Controls, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF) work in the real world, including stories of finding these exact bugs on major platforms like Google.
After the demos, we tackle the biggest questions new hackers have: Is there still money to be made in 2026? How has AI changed the landscape? And what is the exact roadmap to landing your first bounty? Justin breaks down his "200-hour rule" for learning, why you need to get comfortable with failing, and the best resources (like HackerOne and PortSwigger) to help you launch your cybersecurity career today.
// Labs and more here: //
Labs: https://ztw.ctbb.show/
More labs: https://labs.cai.do/
And more labs: https://portswigger.net/web-security
// Justin Gardner’s SOCIAL //
YouTube: / @criticalthinkingpodcast
LinkedIn: / rhynorater
X: https://x.com/Rhynorater
GitHub: https://rhynorater.github.io/aboutme/
/ David's SOCIAL //
Discord: discord.com/invite/usKSyzb
Twitter: www.twitter.com/davidbombal
Instagram: www.instagram.com/davidbombal
LinkedIn: www.linkedin.com/in/davidbombal
Facebook: www.facebook.com/davidbombal.co
TikTok: tiktok.com/@davidbombal
YouTube: / @davidbombal
Spotify: open.spotify.com/show/3f6k6gE...
SoundCloud: / davidbombal
Apple Podcast: podcasts.apple.com/us/podcast...
// MY STUFF //
https://www.amazon.com/shop/davidbombal
// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com
// MENU //
0:00 - Coming Up
0:40 - Introduction
01:50 - Getting Started in Bug Bounty
03:11 - Can I Make Money in Bug Bounty?
04:11 - Demo 1
06:55 - Demo 2
08:47 - Lessons for Upcoming Hackers
10:09 - Demo 3
13:49 - Are There Demos on Justin’s Podcast?
14:20 - Demo 4
18:11 - Real-Life Date of Birth Vulnerability
19:13 - Advice on Becoming a Hacker Like Justin
20:20 - What & Where to Study to Become a Bug Bounty Hacker
21:49 - How Long Does It Take?
25:07 - Outro & Conclusion
Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
Disclaimer: This video is for educational purposes only.
#webhacking #bugbounty #hack
David Bombal