
Critical Thinking - Bug Bounty Podcast

Justin Gardner (Rhynorater), Joseph Thacker (Rez0), & Brandyn Murtagh (gr3pme)

167 episodes

  • Critical Thinking - Bug Bounty Podcast

    Episode 165: Protobuf Hacking, AI-Powered Bug Hunting, and Self-Improving Claude Workflows

    12/03/2026 | 44 mins.
    Episode 165: In this episode of Critical Thinking - Bug Bounty Podcast, Justin recaps his Zero Trust World experience before we dive into permissions-related client-side bugs, new hardware hacking classes, and using AI to hack.

    Follow us on twitter at: https://x.com/ctbbpodcast
    Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
    Shoutout to YTCracker for the awesome intro music!

    ====== Links ======
    Follow your hosts Rhynorater, rez0 and gr3pme on X:
    https://x.com/Rhynorater
    https://x.com/rez0__
    https://x.com/gr3pme

    Critical Research Lab:
    https://lab.ctbb.show/

    ====== Ways to Support CTBBPodcast ======
    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    You can also find some hacker swag at https://ctbb.show/merch!

    Today's Sponsor: Check out ThreatLocker Ringfencing
    https://www.criticalthinkingpodcast.io/tl-rf

    ====== Resources ======

    bbscope Update
    https://x.com/sw33tLie/status/2029344643154919720

    Matt Brown's Youtube Channel
    https://www.youtube.com/channel/UC3VDCeZYZH7mCihtMVHqppw

    Matt's Twitter:
    https://x.com/nmatt0

    MCP server for HackerOne to search reports
    https://x.com/OriginalSicksec/status/2029503063095124461?s=20

    Caido Skills
    https://github.com/caido/skills

    The Agentic Hacking Era: Ramblings and a Tool
    https://josephthacker.com/hacking/2026/03/06/the-agentic-hacking-era.html

    Announcing AI-driven Caido
    https://caido.io/blog/2026-03-06-caido-skill

    ====== Timestamps ======
    (00:00:00) Introduction
    (00:06:23) bbscope report dumping & Matt Brown Training
    (00:13:10) MCP server for HackerOne to search reports & protobuf success
    (00:24:24) Hacking mics with permissions-related client-side bugs
    (00:27:26) Can AI Hack things?
  • Critical Thinking - Bug Bounty Podcast

    Episode 164: Tommy DeVoss: From Black Hat to Bug Bounty LEGEND

    05/03/2026 | 1h 11 mins.
    Episode 164: In this episode of Critical Thinking - Bug Bounty Podcast, Justin sits down with Tommy DeVoss to talk about his origin story, his Yahoo bugs, and how Tommy first got Justin into bug bounty.

    Today’s Guest: https://x.com/thedawgyg

    ====== This Week in Bug Bounty ======

    Python pitfalls: Turning developer mistakes into vulnerabilities
    https://www.yeswehack.com/learn-bug-bounty/python-pitfalls-turning-developer-mistakes?utm_source=critical-thinking&utm_medium=sponsored&utm_campaign=article-research-python-pitfalls

    ====== Timestamps ======
    (00:00:00) Introduction
    (00:06:22) Yahoo SSRF
    (00:14:56) Tommy's Origin
    (00:44:10) Bug Bounty
    (00:51:47) SSRF Attraction, AI implementation, & Browser Hacking
  • Critical Thinking - Bug Bounty Podcast

    Episode 163: Best Technical Takeaways from Portswigger Top 10 2025

    26/02/2026 | 1h 8 mins.
    Episode 163: In this episode of Critical Thinking - Bug Bounty Podcast, it’s that time of year again! We’re looking at the PortSwigger Research list of the top 10 web hacking techniques of 2025.

    ====== Resources ======

    Parser Differentials: When Interpretation Becomes a Vulnerability
    https://www.youtube.com/watch?v=Dq_KVLXzxH8

    XSS-Leak: Leaking Cross-Origin Redirects
    https://blog.babelo.xyz/posts/cross-site-subdomain-leak/

    Playing with HTTP/2 CONNECT
    https://blog.flomb.net/posts/http2connect/

    Next.js, cache, and chains: the stale elixir
    https://zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixir

    SOAPwn: Pwning .NET Framework Apps Through HTTP Client Proxies And WSDL
    https://watchtowr.com/wp-content/uploads/SOAPwnwatchtowr_soappwn-research-whitepaper_10-12-2025.pdf

    Cross-Site ETag Length Leak
    https://blog.arkark.dev/2025/12/26/etag-length-leak

    Lost in Translation: Exploiting Unicode Normalization
    https://www.youtube.com/watch?v=ETB2w-f3pM4

    ORM Leaking More Than You Joined For
    https://www.elttam.com/blog/leaking-more-than-you-joined-for/

    Novel SSRF Technique Involving HTTP Redirect Loops
    https://slcyber.io/research-center/novel-ssrf-technique-involving-http-redirect-loops/

    Successful Errors: New Code Injection and SSTI Techniques
    https://github.com/vladko312/Research_Successful_Errors

    ====== Timestamps ======
    (00:00:00) Introduction
    (00:02:33) Parser Differentials: When Interpretation Becomes a Vulnerability
    (00:11:02) XSS-Leak: Leaking Cross-Origin Redirects
    (00:18:25) Playing with HTTP/2 CONNECT
    (00:22:10) Next.js, cache, and chains: the stale elixir
    (00:29:15) SOAPwn: Pwning .NET Framework Apps Through HTTP Client Proxies And WSDL
    (00:34:27) Cross-Site ETag Length Leak
    (00:41:47) Lost in Translation: Exploiting Unicode Normalization
    (00:47:27) ORM Leaking More Than You Joined For
    (00:54:07) Novel SSRF Technique Involving HTTP Redirect Loops
    (00:58:40) Successful Errors: New Code Injection and SSTI Techniques
  • Critical Thinking - Bug Bounty Podcast

    Episode 162: HackerOne Training AI on Bug Bounty Data?

    19/02/2026 | 53 mins.
    Episode 162: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joseph sit down with HackerOne Founder & CTO Alex Rice to discuss concerns about using hacker data for AI and about decreasing bounties.

    Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26
    https://ztw.com/

    Today’s Guest: https://x.com/senorarroz

    ====== This Week in Bug Bounty ======

    XML external entity: The ultimate Bug Bounty guide to exploiting XXE vulnerabilities
    https://www.yeswehack.com/learn-bug-bounty/xml-external-entity-guide-xxe?utm_source=Critical_Thinking&utm_medium=Youtube&utm_campaign=XXE_Critical_Thinking&utm_id=XXE_CT

    Bug Bounty Maturity Framework
    https://bugbountymaturity.com/

    ====== Resources ======
    Confidential Information and Confidentiality Obligations
    https://www.hackerone.com/terms/general#:~:text=HackerOne%20may%20use%20Confidential%20Information%20to%20develop%20and/or%20improve%20its%20Services%20(for%20example%2C%20to%20identify%20trends%2C%20and%20to%20train%20AI%20models)%20provided%20such%20use%20does%20not%20result%20in%20disclosure%20of%20Confidential%20Information%20to%20unauthorized%20third%20parties

    Ownership and Licenses
    https://www.hackerone.com/terms/community#:~:text=8.%20Ownership%20and%20Licenses

    I argued with an AI regarding HackerOne using Hacker reports to train PtaaS
    https://bugbounty.forum/post/183ff0fc-eb9e-47f8-991d-c0aa5b0bba71

    HackerOne PTaaS (likely training their AI on private reports data)
    https://www.reddit.com/r/bugbounty/comments/1r5hixk/hackerone_ptaas_likely_training_their_ai_on/

    What Makes Agentic PTaaS Different in Real Environments
    https://www.hackerone.com/blog/agentic-penetration-testing-as-a-service#:~:text=Our%20agents%20are,real%20enterprise%20constraints

    ====== Timestamps ======
    (00:00:00) Introduction
    (00:08:44) HackerOne AI Terms of Service
    (00:24:56) Agentic PTaaS
    (00:38:09) Selling data
    (00:43:49) Decrease in Bounties
  • Critical Thinking - Bug Bounty Podcast

    Episode 161: Cross-Consumer Attacks & DTMF Tone Exfil

    12/02/2026 | 24 mins.
    Episode 161: In this episode of Critical Thinking - Bug Bounty Podcast, Justin gives us some quick hits on CSRF and cross-consumer attacks, and also touches on some breaking questions surrounding HackerOne.

    Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26
    https://ztw.com/

    ====== This Week in Bug Bounty ======

    AS Watson
    https://app.intigriti.com/programs/aswatson/watsons/detail

    YesWeHack 2026 Report
    https://choose.yeswehack.com/bug-bounty-report-2026-trends-and-key-insights-yeswehack?utm_source=youtube&utm_medium=sponsor-critical-thinking&utm_campaign=yeswehack-report-2026

    ====== Resources ======

    PhoneLeak: Data Exfiltration in Gemini via Phone Call
    https://blog.starstrike.ai/posts/phoneleak-data-exfiltration-in-gemini-via-phone-call/

    Max's Tweet about decreasing bounties
    https://x.com/0xw2w/status/2020788164378427483

    HackerOne General Terms and Conditions
    https://www.hackerone.com/terms/general

    Research Review #-2: RCE in Google's AI code editor Antigravity (sudi)
    https://www.youtube.com/watch?v=JqvJSF2UMyY

    ====== Timestamps ======
    (00:00:00) Introduction
    (00:03:26) YesWeHack 2026 Report
    (00:09:12) CSRF Realizations & Data Exfiltration in Gemini via Phone Call
    (00:14:38) 7urb0's YouTube, HackerOne decreasing bounties, and the Section 3.1 controversy
    (00:19:06) Cross-consumer attacks

About Critical Thinking - Bug Bounty Podcast

A "by Hackers for Hackers" podcast focused on technical content ranging from bug bounty tips, to write-up explanations, to the latest hacking techniques.
v8.7.2 | © 2007-2026 radio.de GmbH
Generated: 3/13/2026 - 11:58:33 AM