
Critical Thinking - Bug Bounty Podcast Episode 143: New Cohost + Client-Side Gadgets, LHE Meta — Instant Global Admin in Entra!
Oct 9, 2025
A new co-host joins the discussion as they dive into the excitement of live hacking events and the strategic dynamics of report writing. Recent news highlights YesWeHack's major EU contract win. The hosts tackle deep pentesting scopes and the advantages of non-chained gadgets. They explore the intricacies of exploiting backend implementations and share clever techniques like client-side attribute smuggling. Insights on the Entra actor token flaw reveal critical vulnerabilities, while a practical discussion of tools like Flareprox rounds out the technical side.
Episode notes
Use Blind Gadgets For Intel
- Use blind SSRFs or blind XSS as gadgets to infer internal routing and WAF presence.
- Probe internal-accessible assets via the gadget and observe responses or status codes to deduce protections.
Secondary Contexts Break RBAC
- Secondary-context bugs can bypass RBAC when front-end proxies implement access checks that don't extend to backend services.
- Supplying different org/account IDs in secondary contexts may let you escalate privileges inside the same org.
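The proxy-versus-backend gap described above, modelled as an added example (not code from the podcast or any product it mentions; user and org names are constructed): the front-end proxy gates `/admin/*` on the caller's role but forwards the client-supplied `org_id` untouched, so the backend must re-derive tenancy from the authenticated identity rather than trust that id.

```python
from dataclasses import dataclass

# Constructed sample data: each user's home org and role, and org membership.
USERS = {
    "alice": {"org": "org-A", "role": "admin"},
    "bob":   {"org": "org-B", "role": "admin"},
    "carol": {"org": "org-A", "role": "member"},
}
MEMBERS = {"org-A": {"alice", "carol"}, "org-B": {"bob"}}


@dataclass
class Request:
    user: str    # identity authenticated at the front-end proxy
    path: str    # route the proxy sees, e.g. "/admin/members"
    org_id: str  # tenant id supplied by the client in the secondary context


def proxy_authorizes(req: Request) -> bool:
    """Front-end proxy RBAC: only checks that the caller's role may reach /admin/*.
    It never inspects org_id, which is forwarded to the backend as-is."""
    if req.path.startswith("/admin/"):
        return USERS[req.user]["role"] == "admin"
    return True


def backend_vulnerable(req: Request) -> list:
    """Backend that trusts the forwarded org_id: the proxy's check does not
    extend here, so an admin of org-A can read org-B's members."""
    return sorted(MEMBERS[req.org_id])


def backend_hardened(req: Request) -> list:
    """Backend that re-checks tenancy against the authenticated identity the
    proxy passed along, refusing org_ids the caller does not belong to."""
    if req.org_id != USERS[req.user]["org"]:
        raise PermissionError(f"{req.user} is not a member of {req.org_id}")
    return sorted(MEMBERS[req.org_id])


def handle(req: Request, backend) -> list:
    """End-to-end path: proxy role gate first, then the chosen backend."""
    if not proxy_authorizes(req):
        raise PermissionError("proxy: role check failed")
    return backend(req)
```

Swapping `backend_vulnerable` for `backend_hardened` is the whole fix: every service behind the proxy must bind the tenant to the session, not to a caller-controlled id.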
Think Like Backend Engineers
- Thinking like backend engineers reveals logical deductions you can make from black-box observations.
- Flex those backend-architecture muscles to turn odd app behavior into exploitable leads.

