Episode 106: In this episode of Critical Thinking - Bug Bounty Podcast we are pleased to announce our new co-host of the podcast: Joseph Thacker Aka Rez0! We discuss Joseph's transition to full-time bug bounty hunting, his goals, and what he’s looking forward to bringing to the pod. We also cover some news items including doubleclickjacking, character set attacks, SVG XSS, and more.
Follow us on twitter at: https://twitter.com/ctbbpodcast
Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to https://twitter.com/realytcracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater & Rez0 on twitter:
https://x.com/Rhynorater
https://x.com/rez0__
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Check out our new SWAG store at https://ctbb.show/swag!
Resources:
DoubleClickjacking: A New Era of UI Redressing
https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html
XBOW Validation Benchmarks:
https://github.com/xbow-engineering/validation-benchmarks
Jorian tweet:
https://x.com/J0R1AN/status/1871586792455163975
Simplified Payload:
https://portswigger-labs.net/xss/charset.php?x=%1b$B%1b(B%3Ca%20href=javas%1B(Jcript:alert(1)%3Etest%3C/a%3E&charset=
SVG XSS Payload:
https://x.com/garethheyes/status/1876953751245783534
curl-cffi:
https://pypi.org/project/curl-cffi/
Bypassing File Upload Restrictions To Exploit CSPT:
https://blog.doyensec.com/2025/01/09/cspt-file-upload.html
AI-Crash-Course:
https://github.com/henrythe9th/AI-Crash-Course?tab=readme-ov-file
Timestamps:
(00:00:00) Introduction
(00:02:15) Rez0's journey to Full-time hunter, Tool developer, and new Co-host
(00:21:04) DoubleClickjacking
(00:31:48) XBOW Validation Benchmarks, Charset Thoughts, and SVG XSS
(00:42:28) curl-cffi, CSPT, and AI Crash Course
