Episode 118: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph cover a host of news and writeups, including clientside tidbits, “Credentialless” iframes, prototype pollution, and what constitutes a polyglot in llms.txt.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to https://twitter.com/realytcracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== This Week In Bug Bounty ======

Congrats to p4fg for passing 1 Million!
https://hackerone.com/p4fg

/reports/:id.json - $25K Crit
https://hackerone.com/reports/3000510

Hacking Crypto pt1
https://www.bugcrowd.com/blog/hacking-crypto-part-i/

The art of payload obfuscation
https://www.yeswehack.com/learn-bug-bounty/payload-obfuscation-techniques-guide

====== Resources ======

Doing the Due Diligence: Analyzing the Next.js Middleware Bypass (CVE-2025-29927)
https://slcyber.io/assetnote-security-research-center/doing-the-due-diligence-analysing-the-next-js-middleware-bypass-cve-2025-29927/

Nahamsec's Merch store
https://merch.nahamsec.com/

llms.txt polyglot prompt injection example
https://josephthacker.com/llms.txt

React Router and the Remix’ed path
https://zhero-web-sec.github.io/research-and-things/react-router-and-the-remixed-path

Loose Types Sink Ships: Pre-Authentication SQL Injection in Halo ITSM
https://slcyber.io/assetnote-security-research-center/loose-types-sink-ships-pre-authentication-sql-injection-in-halo-itsm/

Pwning Millions of Smart Weighing Machines with API and Hardware Hacking
https://spaceraccoon.dev/pwning-millions-smart-weighing-machines-api-hardware-hacking/

MCP Server OAuth
https://x.com/tweetsbycolin/status/1905268522357571663

Cline
https://x.com/cline/status/1907186512506306572

“Credentialless” iframes
https://developer.mozilla.org/en-US/docs/Web/Security/IFrame_credentialless

poc #1
https://poc.rhynorater.com/qt/test.html#%3Ca%20target%3Dabc%20href%3D%2F%2Fpoc.rhynorater.com%2Fqt%2Fxss.php%3Fhijacked%3Eclickme%3C%2Fa%3E%0A%0A%3Ciframe%20src%3Dhttps%3A%2F%2Fx.poc.rhynorater.com%2Fa%20name%3Dabc%3E
(the URL fragment decodes to the markup below: an <a target=abc> sitting next to an <iframe name=abc>, so clicking the link navigates the named frame, even a cross-origin one, to the href the attacker chose)

    <a target=abc href=//poc.rhynorater.com/qt/xss.php?hijacked>clickme</a>

    <iframe src=https://x.poc.rhynorater.com/a name=abc>

poc #2
https://poc.rhynorater.com/qt/test.html#%20%20%20%20%3Cdiv%20id%3Dx%3E%20x%3A%20%20%3C%2Fdiv%3E%0A%09%3Cdiv%20id%3Dy%3E%20y%3A%20%3C%2Fdiv%3E%0A%20%20%20%20%3Cscript%3E%0A%20%20%20%20%20%20%20%20x.innerText%2B%3DURL%0A%20%20%20%20%3C%2Fscript%3E%0A%3Csvg%20onload%3D%22document.getElementById('y').innerText%2B%3DURL%22%20%2F%3E%20
(the URL fragment decodes to the markup below: in the inline <script> the bare identifier URL resolves to window.URL, the constructor, while inside the onload attribute handler, where document is on the scope chain, the same identifier resolves to document.URL, the page's address)

    <div id=x> x:  </div>
    <div id=y> y: </div>
    <script>
        x.innerText+=URL
    </script>
    <svg onload="document.getElementById('y').innerText+=URL" />

Tiny XSS Payloads
https://tinyxss.terjanq.me/

Johan Carlsson's types of Pollution
https://discord.com/channels/1110206757227216916/1174723465467662366/1354051658451259433

====== Timestamps ======
(00:00:00) Introduction
(00:05:56) Analyzing The Next.js Middleware bypass & Polyglots in llms.txt
(00:16:35) CPDoS on React Router
(00:24:26) Loose Types Sink Ships & Pwning Millions of Smart Weighing Machines
(00:32:30) MCP Server OAuth & Cline
(00:39:40) Clientside Tidbits
(00:49:50) Prototype Pollutions
(00:53:14) “Lack of Hard-coded User Confirmation in Sensitive Agent Action”