Critical Thinking - Bug Bounty Podcast

Justin Gardner (Rhynorater), Joseph Thacker (Rez0), & Brandyn Murtagh (gr3pme)
Jan 22, 2026 • 59min

Episode 158: 10hr Marathon Hack-Along Recap + $300k Client-side Bugs

Episode 158: In this episode of Critical Thinking - Bug Bounty Podcast we talk about our personal takeaways from the CTBB Charity Hackalong, and then break down some InsertScript POCs, what a $55,000 bug can look like, and if Smart People Ever Say They’re Smart.

Follow us on twitter at: https://x.com/ctbbpodcast

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme

Critical Research Lab:
https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26
https://ztw.com/

====== Resources ======

InsertScript - XSS Challenge Solution
https://insert-script.blogspot.com/2020/03/xss-challenge-solution-refresh-header.html

InsertScript - Redirect AuthHeader
https://www.insert-script.com/examples/redirectAuthHeader/send.html

CRLF injection on a 302 redirect
https://x.com/0xdef1ant/status/2009040359482118500

Multiple XSS in Meta Conversion API Gateway Leading to Zero-Click Account Takeover
https://ysamm.com/uncategorized/2025/01/13/capig-xss.html

Arcanum Hack Tips
https://github.com/Arcanum-Sec/hack_tips

Trail of Bits Releases Claude Skills
https://x.com/dguido/status/2011541318229533063

what a $55,000 bug can look like
https://x.com/the_IDORminator/status/2007480636244697237

Pwning Claude Code in 8 Different Ways
https://flatt.tech/research/posts/pwning-claude-code-in-8-different-ways/

Do Smart People Ever Say They’re Smart?
https://labs.watchtowr.com/do-smart-people-ever-say-theyre-smart-smartertools-smartermail-pre-auth-rce-cve-2025-52691/

====== Timestamps ======

(00:00:00) Introduction
(00:04:18) Technical takeaways from CT Charity Hackalong
(00:22:21) InsertScript POCs & Rez0 and teknogeek's IOT Adventures
(00:32:16) CRLF injection on a 302 redirect & Multiple XSS in Meta
(00:41:00) Trail of Bits, what a $55,000 bug can look like, & Pwning Claude Code
(00:54:16) Do Smart People Ever Say They’re Smart?
18 snips
Jan 15, 2026 • 1h 35min

Episode 157: Crushing Pwn2Own & H1 with Kernel Driver Exploits

Joining the discussion is Hyprdude (Hypr), a notable security researcher and exploit developer acclaimed for his kernel driver research on MediaTek. He shares insights on exploiting a MediaTek Wi-Fi driver vulnerability, detailing the technical nuances of heap overflow and chaining primitives for successful exploits. Hypr recounts his experiences at Pwn2Own, highlighting the pressure of live demonstrations and the challenges of navigating bug bounty programs. He encourages other hackers to explore IoT, where low-level bugs abound, emphasizing the practical skills gained from real-world exploit development.
16 snips
Jan 8, 2026 • 1h 23min

Episode 156: Chill AMA from bugbounty.forum

The hosts delve into the intricacies of bug hunting, examining whether time-boxing strategies can enhance performance. They discuss the merits of smaller versus larger bounties and stress the importance of sharing valuable techniques. Exciting insights on AI's impact on vulnerability discovery and the emergence of new attack surfaces are shared. The value of mentorship in the bug bounty community is highlighted, alongside strategies for maximizing yearly earnings in this competitive field.
14 snips
Jan 1, 2026 • 1h 32min

Episode 155: 2025 Hacker Stats & 2026 Goals

Reflecting on the transformative year of 2025 for bug bounty hunters, the hosts celebrate the freedom and thrill of finding high-impact bugs. They share memorable moments from events in Tokyo and Seattle, discussing what truly makes a discovery fulfilling. With insights into the challenges of automation and balancing time, they lay out ambitious goals for 2026, including collaboration plans and a focus on AI research. The conversation also touches on evolving bug scoring methods and the exciting potential of AI-assisted hacking.
10 snips
Dec 25, 2025 • 41min

Episode 154: Starting a Pentesting Company on Top of Bug Bounty

Discover how bug bounty hunters can transition to pentesting, emphasizing the importance of diversifying income streams and understanding market dynamics. Explore the realities of pricing, sales strategies, and the legal intricacies involved in setting up a pentesting business. Learn how to leverage public findings for sales and the value of strong client communication. The hosts discuss navigating regional pricing differences and the joy of collaborative pentesting while offering tips on maintaining steady income and overcoming initial financial dips.
33 snips
Dec 18, 2025 • 1h 17min

Episode 153: Hacking the Robots of the Future: Hardware, AI, and Bug Bounties with Matt Brown

Matt Brown, a hardware security researcher focused on IoT and embedded devices, dives into the intricacies of hacking robots and AI security. He shares his insights on hardware bug bounty payouts and the evolving landscape of humanoid robots, which present unique security challenges. Brown also discusses his Zero-to-Hero Hardware Hacking Guide, the nuances of firmware extraction, and the creation of automated hackbots for IoT devices. His expertise illuminates the potential risks and techniques in a future where AI and physical devices intersect.
9 snips
Dec 11, 2025 • 1h 22min

Episode 152: GeminiJack and Agentic Security with Sasi Levi

Sasi Levi, a security researcher at Noma Security with a focus on AI and agentic security, shares his insights on cutting-edge vulnerabilities. He dives into the Google Vertex AI bug he discovered, revealing how it accessed confidential employee data. Sasi explains the mechanics of prompt injection and its implications, and discusses his innovative techniques for testing AI responses through documents. He also highlights his journey as a bug bounty hunter and the challenges facing security in AI applications.
13 snips
Dec 4, 2025 • 1h 7min

Episode 151: Client-side Advanced Topics

Dive into the nuances of third-party cookies and learn how Chrome's partitioning impacts security. Discover clever iframe tricks and the intricacies of postMessage for cross-window communication. Explore the dangers of URL parsing quirks and how they can open doors to novel attacks. From sandboxed iframes to managing window hijacking, this conversation offers fresh insights into advanced client-side vulnerabilities and strategies to defend against them.
10 snips
Nov 27, 2025 • 57min

Episode 150: ASP.NET MVC Patterns, Popping Oracle Identity, and Esoteric Subdomain Enumeration

This discussion dives into breakthroughs in Oracle Identity Manager, revealing critical path parameter vulnerabilities. There's a clever technique for exfiltrating data using Google Sheets that showcases the power of automation. ASP.NET MVC patterns are explored, highlighting their potential for file write escalations. The hosts introduce under-the-radar subdomain enumeration methods and touch on intriguing AI developments, including the Gemini 3 release and innovative coding tools. A strong emphasis on community support and knowledge sharing rounds out the conversation.
12 snips
Nov 20, 2025 • 1h 3min

Episode 149: DEFCON Debrief: AI Vulns, Unicode Weirdness, and Wild Vulnerability Chains

This week, hosts dive into highlights from DEFCON, discussing groundbreaking research on exploiting cloud VPNs and the security pitfalls of smart devices. They explore the curious world of Unicode surrogates and their impact on database queries. The conversation moves to the risks associated with passkeys and potential vulnerabilities in GraphQL access controls. Not to be missed, they dissect innovative techniques for DOM clobbering and the clever use of calendar invites for security breaches. Tune in for insights on hacking and cutting-edge tools!
