Critical Thinking - Bug Bounty Podcast

Episode 168: XSSDoctor - Client-side Path Traversal Research

Apr 2, 2026
XSS Doctor, a cardiologist-turned-bug-bounty researcher and front-end security specialist, walks through client-side path traversal research and live lab demos. Short stories cover AI home-automation XSS and an e-signature signing flaw. There’s deep talk on framework decoding quirks, wildcard vs dynamic routes, double-decode gotchas, and building AI-powered labs to reproduce routing patterns.
AI Snips
INSIGHT

Use AI Labs To Trace Route Decoding End To End

  • XSS Doctor used AI to generate small framework labs, then traced the framework internals to see how each router decodes path segments before handing them to application code.
  • He asked the AI to point at the exact functions involved, such as React Router's useParams, and followed the decoded value from there through to fetch calls and into server-side code.
INSIGHT

Client Side Routes Turn URLs Into Attack Gadgets

  • Client-side routers map path segments from the URL bar onto application code rather than onto files on disk, and the decoded values then flow into API calls or HTML rendering.
  • That flow is the gadget: URL -> router function (useParams etc.) -> developer code -> fetch or DOM sink. Anything the router decodes on the way, such as a percent-encoded slash, reaches developer code already decoded.
ADVICE

Hunt For useParams Then Fetch Or DOM Sinks

  • When auditing React apps, search for useParams followed by a fetch or a dangerous DOM sink: React Router's useParams returns decoded path values, so a traversal sequence encoded in the URL bar can arrive in developer code as ../ and lead to client-side path traversal (CSPT).
  • If code does let { id } = useParams() and then concatenates the value into fetch('/api/' + id), treat it as high priority.