WOW. Some next level chaining by @joaxcar for this CSP bypass in GitHub! Drag and drop triggers HTML injection which injects a form which triggers a hash change which triggers a button click which injects more and triggers another click gadget which triggers a hash change again which finally triggers…
When the pod guests brings a path-based 307 semi-open redirect gadget that affects a large portion of the internet to share on the pod - you know you've found the one. 😍 example[.]com/cdn-cgi/image/onerror=redirect/http://hello[.]example[.]com
Another one of Mathias' HTMX bugs from the pod. This one is an HTMX trigger attribute injection into an HTML element leading to XSS!
HTMX uses certain headers to help instruct the framework for certain behaviours. This can be abused via HX-Redirect: javascript:alert(1) for XSS if you can inject a response header. Mathias Karlsson explains how...
Episode 69: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Johan Carlsson to hear about some updates on his bug hunting journey. We deep-dive a CSP bypass he found in GitHub, a critical he found in GitLab's pipeline, and also talk through his approach to…
.@avlidienbrunn blew our minds with his latest HTMX research including this tasty CSP bypass. See Twitter for payload.
Shots fired on the pod last week on whether programs are incentivised NOT to pay. #infosec #bugbounty #bugbounties #cybersecurity #criticalthinking #CTBBpodcast #bugbountytips #bugbountyhunters #hacking #hackers
Joel getting fired up about the leaderboard problem in bug bounties. #infosec #bugbounty #bugbounties #cybersecurity #criticalthinking #CTBBpodcast #bugbountytips #bugbountyhunters #hacking #hackers
Episode 68: In this episode of Critical Thinking - Bug Bounty Podcast Mathias is back with some fresh HTMX research, including CSP bypass using HTMX triggers, converting client-side response header injection to XSS, bypassing HTMX disable, and the challenges of using HTMX in larger applications and the potential performance trade-offs.…
Things getting spicy on the pod when the VDP debate cropped up! #infosec #bugbounty #bugbounties #cybersecurity #criticalthinking #CTBBpodcast #bugbountytips #bugbountyhunters #hacking #hackers
Engineering blogs can be a gold mine of juicy info about a company's internal infrastructure, how it works, how it communicates and even problems they're encountering! Pretty much no one reads them... until now!
Joel dropped some truth bombs on the pod last week! Here's one of 'em!
Set up a Discord channel so we know what the Blink Dev Google Group are up to. Whenever they post about new features they're planning to ship, we'll know!
Here's one y'all been waiting for: @CaidoIO is dropping global workflows this week!
Episode 67: In this episode of Critical Thinking - Bug Bounty Podcast we deep-dive on the topic of Vulnerability Disclosure Programs (VDPs) and whether they are beneficial or not. We also touch on the topic of leaderboard accuracy, and continue the Program VS Hacker debate regarding allocating funds for bounties.…
Used a "?" before "@" to terminate an OAuth flow redirect URI, control the redirect location, and leak the oauth code.
Sam Curry explains how he found a bug in a video game where he could set the price of a $500 in-game package to a penny.
How Sam Curry gained access to someone else's Tesla via an integer parsing bug!
Sam Curry shares how he hacked a casino slot machine to generate an unlimited balance.
Just one of his many crazy stories from last week!
Episode 66: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the recent YesWeHack Louis Vuitton LHE, the importance of failure as growth in bug bounty, and Justin shares his research on CDN CGI. Follow us on twitter at: https://twitter.com/ctbbpodcast We're new to this podcasting…
Got paid 150% of what a bug normally gets paid just by adding more visual impact through answering these 3 questions: 1. How would the payload be distributed? 2. How it would be exploited once the user clicks on the link etc? 3. How could it be wormed?
DOM Purify Type Confusion by @slonser_ How? 1. DOM Purify converts XML tags to HTML comment tags 2. Leaving the closing bracket empty, escapes to an HTML context allowing for onerror="alert(1)" and other fun stuff!
If you do these two things well and with any kind of volume or repetition, you should be finding things!
