Episode 160: Cloudflare Zero-days & Mail Unsubscribing for XSS

Episode 160: In this episode of Critical Thinking - Bug Bounty Podcast Joseph and Brandyn. Chat through some news, Including a Cloudflare Zero-day, Turning List-Unsubscribe into an SSRF/XSS Gadget, & Magic String Denial of Service in Claude.

Follow us on twitter at: https://x.com/ctbbpodcast

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X: 

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

Critical Research Lab:

https://lab.ctbb.show/ 

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor: Adobe.

Use code CTBB040126, and get a 10% bonus on your bounty for any AI vulnerability which is mapped to the OWASP LLM top 10.

Valid on Adobe Acrobat Web - AI Assistant / PDF Spaces / Content Creation and presentation features using Express

Adobe Express AI Assistant. 

Valid through April 1st, 2026

Also we have a Google Cloud VRP Swag Bonus! Mention the podcast in any rewarded (cash or credit) VRP report submission before the end of April to receive bonus swag!

====== Resources ======

Cloudflare Zero-day

https://fearsoff.org/research/cloudflare-acme

Turning List-Unsubscribe into an SSRF/XSS Gadget

https://security.lauritz-holtmann.de/post/xss-ssrf-list-unsubscribe/

Breaking Multi-Tenant Isolation in Heroku Postgres

https://allistair.sh/blog/breaking-heroku-postgres/

Parse and Parse: MIME Validation Bypass to XSS via Parser Differential

https://lab.ctbb.show/research/parse-and-parse-mime-validation-bypass-to-xss-via-parser-differential

Claude Magic String Denial of Service

https://x.com/Frichette_n/status/2013988503336415522

From WebView to Remote Code Injection

https://djini.ai/from-webview-to-remote-code-injection/

DOM XSS Is Not Dead: The Rise of Polyglot Payloads

https://blogs.jsmon.sh/dom-xss-is-not-dead-the-rise-of-polyglot-payloads/

====== Timestamps ======

(00:00:00) Introduction

(00:06:17) Cloudflare Zero-day & Turning List-Unsubscribe into an SSRF/XSS Gadget

(00:16:57) Breaking Multi-Tenant Isolation in Heroku Postgres & CTBB Research

(00:25:46) Claude Magic String Denial of Service & From WebView to Remote Code Injection