Critical Thinking - Bug Bounty Podcast
Justin Gardner (Rhynorater) & Joel Margolis (teknogeek)
<p>A "by Hackers for Hackers" podcast focused on technical content ranging from bug bounty tips, to write-up explanations, to the latest hacking techniques.</p>
- 45 minutes 4 secondsEpisode 160: Cloudflare Zero-days & Mail Unsubscribing for XSS
Episode 160: In this episode of Critical Thinking - Bug Bounty Podcast Joseph and Brandyn. Chat through some news, Including a Cloudflare Zero-day, Turning List-Unsubscribe into an SSRF/XSS Gadget, & Magic String Denial of Service in Claude.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
Critical Research Lab:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today’s Sponsor: Adobe.
Use code CTBB040126, and get a 10% bonus on your bounty for any AI vulnerability which is mapped to the OWASP LLM top 10.
Valid on Adobe Acrobat Web - AI Assistant / PDF Spaces / Content Creation and presentation features using Express
Adobe Express AI Assistant.
Valid through April 1st, 2026
Also we have a Google Cloud VRP Swag Bonus! Mention the podcast in any rewarded (cash or credit) VRP report submission before the end of April to receive bonus swag!
====== Resources ======
Cloudflare Zero-day
https://fearsoff.org/research/cloudflare-acme
Turning List-Unsubscribe into an SSRF/XSS Gadget
https://security.lauritz-holtmann.de/post/xss-ssrf-list-unsubscribe/
Breaking Multi-Tenant Isolation in Heroku Postgres
https://allistair.sh/blog/breaking-heroku-postgres/
Parse and Parse: MIME Validation Bypass to XSS via Parser Differential
https://lab.ctbb.show/research/parse-and-parse-mime-validation-bypass-to-xss-via-parser-differential
Claude Magic String Denial of Service
https://x.com/Frichette_n/status/2013988503336415522
From WebView to Remote Code Injection
https://djini.ai/from-webview-to-remote-code-injection/
DOM XSS Is Not Dead: The Rise of Polyglot Payloads
https://blogs.jsmon.sh/dom-xss-is-not-dead-the-rise-of-polyglot-payloads/
====== Timestamps ======
(00:00:00) Introduction
(00:06:17) Cloudflare Zero-day & Turning List-Unsubscribe into an SSRF/XSS Gadget
(00:16:57) Breaking Multi-Tenant Isolation in Heroku Postgres & CTBB Research
(00:25:46) Claude Magic String Denial of Service & From WebView to Remote Code Injection
5 February 2026, 10:00 am - 1 hour 46 minutesEpisode 159: Avoiding Downgrades on Google Cloud VRP with Cote and Darby Hopkins
Episode 159: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with the Google Cloud VRP Team to deep-dive policy and reward changes, what the panel process looks like, and how to best configure for success.
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Get some hacker swag
Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26
Google Cloud VRP Swag Bonus! Mention the podcast in any rewarded (cash or credit) VRP report submission before the end of April to receive bonus swag!
Today’s Guests:
====== This Week in Bug Bounty ======
AI Red Teaming Explained by AI Red Teamers
Good Faith AI Research Safe Harbor
Join the Adobe LHE at NULLCON GOA
====== Resources ======
‘Legendary Guy’ - Jakub Domeracki
Google Cloud VRP rewards rules
Google Cloud VRP product tiers
Bug Hunters blog on the 2025 Google Cloud VRP bugSWAT
====== Timestamps ======
(00:00:00) Introduction
(00:10:03) CloudVRP Bugswat Event Breakdown
(00:16:40) VRP Policy & Rewards Changes
(00:04:50) Panel Process
(01:00:08) Configuring for Success & Avoiding Downgrades
(01:33:47) Scenarios for Success
29 January 2026, 10:00 am - 58 minutes 30 secondsEpisode 158: 10hr Marathon Hack-Along Recap + $300k Client-side Bugs
Episode 158: In this episode of Critical Thinking - Bug Bounty Podcast we talk about our personal takeaways from the CTBB Charity Hackalong, and then break down some InsertScript POCs, what a $55,000 bug can look like, and if Smart People Ever Say They’re Smart.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
Critical Research Lab:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26
https://ztw.com/
====== Resources ======
InsertScript - XSS Challenge Solution
https://insert-script.blogspot.com/2020/03/xss-challenge-solution-refresh-header.html
InsertScript - Redirect AuthHeader
https://www.insert-script.com/examples/redirectAuthHeader/send.html
CRLF injection on a 302 redirect
https://x.com/0xdef1ant/status/2009040359482118500
Multiple XSS in Meta Conversion API Gateway Leading to Zero-Click Account Takeover
https://ysamm.com/uncategorized/2025/01/13/capig-xss.html
Arcanum Hack Tips
https://github.com/Arcanum-Sec/hack_tips
Trail of Bits Releases Claude Skills
https://x.com/dguido/status/2011541318229533063
what a $55,000 bug can look like
https://x.com/the_IDORminator/status/2007480636244697237
Pwning Claude Code in 8 Different Ways
https://flatt.tech/research/posts/pwning-claude-code-in-8-different-ways/
Do Smart People Ever Say They’re Smart?
https://labs.watchtowr.com/do-smart-people-ever-say-theyre-smart-smartertools-smartermail-pre-auth-rce-cve-2025-52691/
====== Timestamps ======
(00:00:00) Introduction
(00:04:18) Technical takeaways from CT Charity Hackalong
(00:22:21) InsertScript POCs & Rez0 and teknogeek's IOT Adventures
(00:32:16) CRLF injection on a 302 redirect & Multiple XSS in Meta
(00:41:00) Trail of Bits, what a $55,000 bug can look like, & Pwning Claude Code
(00:54:16) Do Smart People Ever Say They’re Smart?
22 January 2026, 10:00 am - 1 hour 34 minutesEpisode 157: Crushing Pwn2Own & H1 with Kernel Driver Exploits
Episode 157: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Hypr to talk about hacking Mediatek and his experiences with HackerOne and Pwn2Own Ecosystems.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
Critical Research Lab:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today’s Guest: https://x.com/hyprdude
====== This Week in Bug Bounty ======
Top 10 web hacking techniques of 2025: call for nominations
https://portswigger.net/research/top-10-web-hacking-techniques-of-2025-nominations-open
CVE-2025-13467
https://access.redhat.com/security/cve/cve-2025-13467
====== Resources ======
Hypr's Blog
mediatek? more like media-rekt, amirite.
https://blog.coffinsec.com/0days/2025/12/15/more-like-mediarekt-amirite.html
kernel-utils
https://github.com/mellow-hype/kernel-utils
====== Timestamps ======
(00:00:00) Introduction
(00:03:23) Heap Overflow in Mediatek Kernel Drivers
(00:19:23) Kernel Debugging & ioctl Handlers
(00:43:30) Input Structs, Sync to Source, & Privilege Escalation
(00:51:30) HackerOne Ecosystem vs Pwn2Own Ecosystem
(01:17:00) Kernel Utils
(01:26:46) Real World Bugs for Exploit Development vs CTFs
15 January 2026, 4:00 pm - 1 hour 23 minutesEpisode 156: Chill AMA from bugbounty.forum
Episode 156: In this episode of Critical Thinking - Bug Bounty Podcast we answer some fantastic questions from over at bugbounty.forum
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
====== Resources ======
Critical Thinking Lab
Cross-Site ETag Length Leak
https://blog.arkark.dev/2025/12/26/etag-length-leak
Clawdbot
https://github.com/clawdbot/clawdbot/
Post from Steve Caldwell
https://x.com/moreconfetti/status/2006494133159162008
====== Timestamps ======
(00:00:00) Introduction
(00:00:58) Crit Lab update
(00:04:36) Cross-Site ETag Length Leak
(00:13:26) Clawdbot
(00:16:56) Will bug hunting become obsolete, LHE invitations, and Fulltime vs Part time?
(00:30:52) 10 bugs at $5k or 1 bug at $5k, CTBB Background, & Future Plans
(00:38:32) Mentoring, Conquering Classes, and what angles we implement from the podcast
(00:49:27) Best approach on new targets, tips for making 500k in a year, AI/Vibecoding & Human in the Loop
(00:59:07) Mentally mapping the target, anti-patterns that waste time, and BB beliefs that were wrong.
(01:10:12) Tackling small scope, staying on one program, picking up after a break, & moving on
(01:17:41) Invisible elements that make the difference between $2k and $20k
8 January 2026, 4:00 pm - 1 hour 32 minutesEpisode 155: 2025 Hacker Stats & 2026 Goals
Episode 155: In this episode of Critical Thinking - Bug Bounty Podcast Justin, Joseph, and Brandyn reflect on last year of Bug Bounty, and list their goals and predictions for what 2026 holds.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
====== Resources ======
2024 Hacker Stats & 2025 Goals
https://blog.criticalthinkingpodcast.io/p/hackernotes-ep-104-2024-hacker-stats-2025-goals
====== Timestamps ======
(00:00:00) Introduction
(00:02:08) 2025 Full Time Hunting Retrospective
(00:10:19) Most Fulfilling Moments and Bugs
(00:17:56) Satisfaction with 2025 Stats
(00:45:28) Automation, Organization, and Collaboration
(00:48:55) Time and Motivation
(01:08:01) Goals and Predictions for Bug Bounty in 2026
1 January 2026, 4:00 pm - 41 minutes 28 secondsEpisode 154: Starting a Pentesting Company on Top of Bug Bounty
Episode 154: In this episode of Critical Thinking - Bug Bounty Podcast Joseph and Brandyn talk through the transition from Bug Bounty hunting to Pentesting. We cover diversifying income streams, the challenges of pricing for Pentests, legal considerations, and what Bug Hunters can bring to the Pentesting world
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
====== Timestamps ======
(00:00:00) Introduction
(00:03:36) Starting a Pentesting Company
(00:12:25) Advantages of Pentesting as a Bug Bounty Hunter
(00:29:03) Pricing, Sales, and knowing your Market/Worth
(00:36:21) Compliance in Pentests & Rapid-Fire Takaways
25 December 2025, 4:00 pm - 1 hour 16 minutesEpisode 153: Hacking the Robots of the Future: Hardware, AI, and Bug Bounties with Matt Brown
Episode 153: In this episode of Critical Thinking - Bug Bounty Podcast Matt Brown returns to talk with us about hacking robots, IOT hackbots, and his Zero-to-Hero Hardware Hacking Guide.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today’s Guest: Matt Brown
====== Resources ======
KeeYees USB Logic Analyzer Device
Hardware Hacking Tutorial by Make Me Hack
UART and SPI firmware extraction
UART Root Shell on Linux Router
UART Shell Jail and Unlocked Bootloader
Chinese IP Camera Firmware Extraction
====== Timestamps ======
(00:00:00) Introduction
(00:01:22) Incremental Session Token Story and Matt Brown Intro
(00:10:42) Hardware Bug Bounty Scene & AI on Devices
(00:24:30) Hacking Human Robot
(00:41:33) Zero-to-Hero Hardware Hacking Guide
(01:01:47) IOT Hackbot
18 December 2025, 4:00 pm - 1 hour 21 minutesEpisode 152: GeminiJack and Agentic Security with Sasi Levi
Episode 152: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Sasi Levi from Noma Security to talk about AI and Agentic Security. We also talk about ForcedLeak, a Google Vertex Bug, and debate if Prompt Injection is a real Vuln.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
CHeck out our New Christmas Swag at https://ctbb.show/merch!
Today's Sponsor: ThreatLocker. Check out ThreatLocker Elevation Control
And Noma Security! https://noma.security/
Today’s Guest: https://x.com/sasi2103
====== This Week in Bug Bounty ======
Dedicated HackerOne program for Vercel WAF
YesWeHack Open Source Programs
Android recon for Bug Bounty hunters
====== Resources ======
ForcedLeak: AI Agent risks exposed in Salesforce AgentForce
Is Prompt Injection a Vulnerability?
====== Timestamps ======
(00:00:00) Introduction
(00:09:16) Google Vertex AI Bug
(00:29:28) Sasi's Background and Bug Bounty Journey
(00:38:55) Resources for AI and Agentic Security Methodology
(00:50:34) ForcedLeak
(01:02:06) Is Prompt Injection a Vuln?
11 December 2025, 4:00 pm - 1 hour 7 minutesEpisode 151: Client-side Advanced Topics
Episode 151: In this episode of Critical Thinking - Bug Bounty Podcast we’re covering Client-side advanced topics. Justin talks Joseph (and us) through Third-Party Cookie Nuances, Iframe Tricks, URL Parsing, and more.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today's Sponsor: ThreatLocker. Check out ThreatLocker Elevation Control
====== Resources ======
Nowasky's Tweet #1
https://x.com/nowaskyjr/status/1993421017381744974
Nowasky's Tweet #2
https://x.com/nowaskyjr/status/1992717862398800081
rep+ in Chrome DevTools
https://x.com/BourAbdelhadi/status/1992622964077179229
Terjanq Post from 2021
https://x.com/terjanq/status/1421093136022048775
====== Timestamps ======
(00:00:00) Introduction
(00:02:58) Client-side news & AI Updates
(00:12:02) Third-Party Cookie Nuances & PostMessages
(00:30:09) Iframe Tricks
(00:47:43) URL Parsing, CSPTS, and Client-side Routes
4 December 2025, 4:00 pm - 57 minutes 20 secondsEpisode 150: ASP.NET MVC Patterns, Popping Oracle Identity, and Esoteric Subdomain Enumeration
Episode 150: In this episode of Critical Thinking - Bug Bounty Podcast we're highlighting some cool news and research, but not before expressing our gratitude to the Hacker community. We are so thankful for you all!
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today's Sponsor: ThreatLocker. Check out ThreatLocker Elevation Control
====== This Week in Bug Bounty ======
====== Resources ======
Breaking Oracle’s Identity Manager
ASP.NET MVC View Engine Search Patterns
Lesser known techniques for large-scale subdomain enum
Caido version of AssetNote Surf
====== Timestamps ======
(00:00:00) Introduction
(00:09:47) Breaking Oracle’s Identity Manager & Who Needs a Blind XSS?
(00:20:37) ASP.NET MVC View Engine Search Patterns & Heretic
(00:29:04) Lesser known techniques for large-scale subdomain enum
(00:35:29) Gemini 3 & Antigravity.
(00:45:57) Bug Bounty Daily
(00:52:42) Surf for Caido
27 November 2025, 4:00 pm - More Episodes? Get the App