Critical Thinking - Bug Bounty Podcast

Episode 164: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Tommy DeVoss to talk about his origin story, Yahoo bugs, and how Tommy first got Justin into Bug Bounty

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme

Critical Research Lab:
https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Guest: https://x.com/thedawgyg

====== This Week in Bug Bounty ======

Python pitfalls: Turning developer mistakes into vulnerabilities
https://www.yeswehack.com/learn-bug-bounty/python-pitfalls-turning-developer-mistakes?utm_source=critical-thinking&utm_medium=sponsored&utm_campaign=article-research-python-pitfalls

====== Timestamps ======
(00:00:00) Introduction
(00:06:22) Yahoo SSRF
(00:14:56) Tommy's Origin
(00:44:10) Bug Bounty
(00:51:47) SSRF Attraction, AI implementation, & Browser Hacking

Episode 163: In this episode of Critical Thinking - Bug Bounty Podcast It’s that time of year again! We’re looking at the Portswigger Research list of top 10 web hacking techniques of 2025.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme

Critical Research Lab:
https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== Resources ======

Parser Differentials: When Interpretation Becomes a Vulnerability
https://www.youtube.com/watch?v=Dq_KVLXzxH8

XSS-Leak: Leaking Cross-Origin Redirects
https://blog.babelo.xyz/posts/cross-site-subdomain-leak/

Playing with HTTP/2 CONNECT
https://blog.flomb.net/posts/http2connect/

Next.js, cache, and chains: the stale elixir
https://zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixir

SOAPwn: Pwning .NET Framework Apps Through HTTP Client Proxies And WSDL
https://watchtowr.com/wp-content/uploads/SOAPwnwatchtowr_soappwn-research-whitepaper_10-12-2025.pdf

Cross-Site ETag Length Leak
https://blog.arkark.dev/2025/12/26/etag-length-leak

Lost in Translation: Exploiting Unicode Normalization
https://www.youtube.com/watch?v=ETB2w-f3pM4

ORM Leaking More Than You Joined For
https://www.elttam.com/blog/leaking-more-than-you-joined-for/

Novel SSRF Technique Involving HTTP Redirect Loops
https://slcyber.io/research-center/novel-ssrf-technique-involving-http-redirect-loops/

Successful Errors: New Code Injection and SSTI Techniques
https://github.com/vladko312/Research_Successful_Errors

====== Timestamps ======
(00:00:00) Introduction
(00:02:33) Parser Differentials: When Interpretation Becomes a Vulnerability
(00:11:02) XSS-Leak: Leaking Cross-Origin Redirects
(00:18:25) Playing with HTTP/2 CONNECT
(00:22:10) Next.js, cache, and chains: the stale elixir
(00:29:15) SOAPwn: Pwning .NET Framework Apps Through HTTP Client Proxies And WSDL
(00:34:27) Cross-Site ETag Length Leak
(00:41:47) Lost in Translation: Exploiting Unicode Normalization
(00:47:27) ORM Leaking More Than You Joined For
(00:54:07) Novel SSRF Technique Involving HTTP Redirect Loops
(00:58:40) Successful Errors: New Code Injection and SSTI Techniques

Episode 162: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph sit down with HackerOne Founder & CTO Alex Rice to discuss concerns of Using Hacker Data for AI and decreasing bounties.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme

Critical Research Lab:
https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26
https://ztw.com/

Today’s Guest: https://x.com/senorarroz

====== This Week in Bug Bounty ======

XML external entity: The ultimate Bug Bounty guide to exploiting XXE vulnerabilities
https://www.yeswehack.com/learn-bug-bounty/xml-external-entity-guide-xxe?utm_source=Critical_Thinking&utm_medium=Youtube&utm_campaign=XXE_Critical_Thinking&utm_id=XXE_CT

Bug Bounty Maturity Framework
https://bugbountymaturity.com/

====== Resources ======
Confidential Information and Confidentiality Obligations
https://www.hackerone.com/terms/general#:~:text=HackerOne%20may%20use%20Confidential%20Information%20to%20develop%20and/or%20improve%20its%20Services%20(for%20example%2C%20to%20identify%20trends%2C%20and%20to%20train%20AI%20models)%20provided%20such%20use%20does%20not%20result%20in%20disclosure%20of%20Confidential%20Information%20to%20unauthorized%20third%20parties

Ownership and Licenses
https://www.hackerone.com/terms/community#:~:text=8.%20Ownership%20and%20Licenses

I argued with an AI regarding HackerOne using Hacker reports to train PtaaS
https://bugbounty.forum/post/183ff0fc-eb9e-47f8-991d-c0aa5b0bba71

HackerOne PTaaS (likely training their AI on private reports data)
https://www.reddit.com/r/bugbounty/comments/1r5hixk/hackerone_ptaas_likely_training_their_ai_on/

What Makes Agentic PTaaS Different in Real Environments
https://www.hackerone.com/blog/agentic-penetration-testing-as-a-service#:~:text=Our%20agents%20are,real%20enterprise%20constraints

====== Timestamps ======
(00:00:00) Introduction
(00:08:44) HackerOne AI Terms of Service
(00:24:56) Agentic PTaaS
(00:38:09) Selling data
(00:43:49) Decrease in Bounties

Episode 161: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gives us some quick hits regarding CSRF and Cross Consumer Attacks, and also touches on some breaking questions surrounding HackerOne

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme

Critical Research Lab:
https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26
https://ztw.com/

====== This Week in Bug Bounty ======

AS Watson
https://app.intigriti.com/programs/aswatson/watsons/detail

YesWeHack 2026 Report
https://choose.yeswehack.com/bug-bounty-report-2026-trends-and-key-insights-yeswehack?utm_source=youtube&utm_medium=sponsor-critical-thinking&utm_campaign=yeswehack-report-2026

====== Resources ======

PhoneLeak: Data Exfiltration in Gemini via Phone Call
https://blog.starstrike.ai/posts/phoneleak-data-exfiltration-in-gemini-via-phone-call/

Max's Tweet about decreasing bounties
https://x.com/0xw2w/status/2020788164378427483

HackerOne General Terms and Conditions
https://www.hackerone.com/terms/general

Research Review #-2: RCE in Google's AI code editor Antigravity (sudi)
https://www.youtube.com/watch?v=JqvJSF2UMyY

====== Timestamps ======
(00:00:00) Introduction
(00:03:26) YesWeHack 2026 Report
(00:09:12) CSRF Realizations & Data Exfiltration in Gemini via Phone Call
(00:14:38) 7urb0's Youtube, HackerOne decreasing bounties and Section 3.1 controversy.
(00:19:06) Cross Consumer Attacks

Episode 160: In this episode of Critical Thinking - Bug Bounty Podcast Joseph and Brandyn. Chat through some news, Including a Cloudflare Zero-day, Turning List-Unsubscribe into an SSRF/XSS Gadget, & Magic String Denial of Service in Claude.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme

Critical Research Lab:
https://lab.ctbb.show/

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Sponsor: Adobe.
Use code CTBB040126, and get a 10% bonus on your bounty for any AI vulnerability which is mapped to the OWASP LLM top 10.
Valid on Adobe Acrobat Web - AI Assistant / PDF Spaces / Content Creation and presentation features using Express
Adobe Express AI Assistant.
Valid through April 1st, 2026

Also we have a Google Cloud VRP Swag Bonus! Mention the podcast in any rewarded (cash or credit) VRP report submission before the end of April to receive bonus swag!

====== Resources ======
Cloudflare Zero-day
https://fearsoff.org/research/cloudflare-acme

Turning List-Unsubscribe into an SSRF/XSS Gadget
https://security.lauritz-holtmann.de/post/xss-ssrf-list-unsubscribe/

Breaking Multi-Tenant Isolation in Heroku Postgres
https://allistair.sh/blog/breaking-heroku-postgres/

Parse and Parse: MIME Validation Bypass to XSS via Parser Differential
https://lab.ctbb.show/research/parse-and-parse-mime-validation-bypass-to-xss-via-parser-differential

Claude Magic String Denial of Service
https://x.com/Frichette_n/status/2013988503336415522

From WebView to Remote Code Injection
https://djini.ai/from-webview-to-remote-code-injection/

DOM XSS Is Not Dead: The Rise of Polyglot Payloads
https://blogs.jsmon.sh/dom-xss-is-not-dead-the-rise-of-polyglot-payloads/

====== Timestamps ======
(00:00:00) Introduction
(00:06:17) Cloudflare Zero-day & Turning List-Unsubscribe into an SSRF/XSS Gadget
(00:16:57) Breaking Multi-Tenant Isolation in Heroku Postgres & CTBB Research
(00:25:46) Claude Magic String Denial of Service & From WebView to Remote Code Injection