
Critical Thinking - Bug Bounty Podcast

Justin Gardner (Rhynorater), Joseph Thacker (Rez0), & Brandyn Murtagh (gr3pme)
Latest episode

162 episodes

  • Critical Thinking - Bug Bounty Podcast

    Episode 160: Cloudflare Zero-days & Mail Unsubscribing for XSS

    05.2.2026 | 45 min
    Episode 160: In this episode of Critical Thinking - Bug Bounty Podcast, Joseph and Brandyn chat through some news, including a Cloudflare Zero-day, Turning List-Unsubscribe into an SSRF/XSS Gadget, and a Magic String Denial of Service in Claude.

    Follow us on twitter at: https://x.com/ctbbpodcast
    Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
    Shoutout to YTCracker for the awesome intro music!

    ====== Links ======
    Follow your hosts Rhynorater, rez0 and gr3pme on X:
    https://x.com/Rhynorater
    https://x.com/rez0__
    https://x.com/gr3pme

    Critical Research Lab:
    https://lab.ctbb.show/

    ====== Ways to Support CTBBPodcast ======
    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    You can also find some hacker swag at https://ctbb.show/merch!

    Today’s Sponsor: Adobe.
    Use code CTBB040126, and get a 10% bonus on your bounty for any AI vulnerability which is mapped to the OWASP LLM top 10.
    Valid on Adobe Acrobat Web - AI Assistant / PDF Spaces / Content Creation and presentation features using Express
    Adobe Express AI Assistant.
    Valid through April 1st, 2026

    Also we have a Google Cloud VRP Swag Bonus! Mention the podcast in any rewarded (cash or credit) VRP report submission before the end of April to receive bonus swag!

    ====== Resources ======
    Cloudflare Zero-day
    https://fearsoff.org/research/cloudflare-acme

    Turning List-Unsubscribe into an SSRF/XSS Gadget
    https://security.lauritz-holtmann.de/post/xss-ssrf-list-unsubscribe/

    Breaking Multi-Tenant Isolation in Heroku Postgres
    https://allistair.sh/blog/breaking-heroku-postgres/

    Parse and Parse: MIME Validation Bypass to XSS via Parser Differential
    https://lab.ctbb.show/research/parse-and-parse-mime-validation-bypass-to-xss-via-parser-differential

    Claude Magic String Denial of Service
    https://x.com/Frichette_n/status/2013988503336415522

    From WebView to Remote Code Injection
    https://djini.ai/from-webview-to-remote-code-injection/

    DOM XSS Is Not Dead: The Rise of Polyglot Payloads
    https://blogs.jsmon.sh/dom-xss-is-not-dead-the-rise-of-polyglot-payloads/

    ====== Timestamps ======
    (00:00:00) Introduction
    (00:06:17) Cloudflare Zero-day & Turning List-Unsubscribe into an SSRF/XSS Gadget
    (00:16:57) Breaking Multi-Tenant Isolation in Heroku Postgres & CTBB Research
    (00:25:46) Claude Magic String Denial of Service & From WebView to Remote Code Injection
  • Critical Thinking - Bug Bounty Podcast

    Episode 159: Avoiding Downgrades on Google Cloud VRP with Cote and Darby Hopkins

    29.1.2026 | 1 hr 46 min
    Episode 159: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with the Google Cloud VRP Team to deep-dive policy and reward changes, what the panel process looks like, and how to best configure for success.

    Follow us on X

    Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]

    Shoutout to YTCracker for the awesome intro music!

    ====== Links ======

    Follow your hosts Rhynorater, rez0 and gr3pme on X:

    ====== Ways to Support CTBBPodcast ======

    Hop on the CTBB Discord

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    Get some hacker swag

    Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26
    https://ztw.com/

    Google Cloud VRP Swag Bonus! Mention the podcast in any rewarded (cash or credit) VRP report submission before the end of April to receive bonus swag!

    Today’s Guests:
    Darby Hopkins
    Michael Cote

    ====== This Week in Bug Bounty ======
    AI Red Teaming Explained by AI Red Teamers

    Good Faith AI Research Safe Harbor

    Join the Adobe LHE at NULLCON GOA

    ====== Resources ======

    ‘Legendary Guy’ - Jakub Domeracki

    Google Cloud VRP rewards rules

    Google Cloud VRP product tiers

    Bug Hunters blog on the 2025 Google Cloud VRP bugSWAT

    Google VRP Discord

    Google VRP on X

    ====== Timestamps ======

    (00:00:00) Introduction
    (00:10:03) CloudVRP Bugswat Event Breakdown
    (00:16:40) VRP Policy & Rewards Changes
    (00:04:50) Panel Process
    (01:00:08) Configuring for Success & Avoiding Downgrades
    (01:33:47) Scenarios for Success
  • Critical Thinking - Bug Bounty Podcast

    Episode 158: 10hr Marathon Hack-Along Recap + $300k Client-side Bugs

    22.1.2026 | 58 min
    Episode 158: In this episode of Critical Thinking - Bug Bounty Podcast we talk about our personal takeaways from the CTBB Charity Hackalong, and then break down some InsertScript POCs, what a $55,000 bug can look like, and if Smart People Ever Say They’re Smart.

    Follow us on twitter at: https://x.com/ctbbpodcast
    Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]
    Shoutout to YTCracker for the awesome intro music!

    ====== Links ======
    Follow your hosts Rhynorater, rez0 and gr3pme on X:
    https://x.com/Rhynorater
    https://x.com/rez0__
    https://x.com/gr3pme

    Critical Research Lab:
    https://lab.ctbb.show/

    ====== Ways to Support CTBBPodcast ======
    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    You can also find some hacker swag at https://ctbb.show/merch!

    Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26
    https://ztw.com/

    ====== Resources ======
    InsertScript - XSS Challenge Solution
    https://insert-script.blogspot.com/2020/03/xss-challenge-solution-refresh-header.html

    InsertScript - Redirect AuthHeader
    https://www.insert-script.com/examples/redirectAuthHeader/send.html

    CRLF injection on a 302 redirect
    https://x.com/0xdef1ant/status/2009040359482118500

    Multiple XSS in Meta Conversion API Gateway Leading to Zero-Click Account Takeover
    https://ysamm.com/uncategorized/2025/01/13/capig-xss.html

    Arcanum Hack Tips
    https://github.com/Arcanum-Sec/hack_tips

    Trail of Bits Releases Claude Skills
    https://x.com/dguido/status/2011541318229533063

    what a $55,000 bug can look like
    https://x.com/the_IDORminator/status/2007480636244697237

    Pwning Claude Code in 8 Different Ways
    https://flatt.tech/research/posts/pwning-claude-code-in-8-different-ways/

    Do Smart People Ever Say They’re Smart?
    https://labs.watchtowr.com/do-smart-people-ever-say-theyre-smart-smartertools-smartermail-pre-auth-rce-cve-2025-52691/

    ====== Timestamps ======
    (00:00:00) Introduction
    (00:04:18) Technical takeaways from CT Charity Hackalong
    (00:22:21) InsertScript POCs & Rez0 and teknogeek's IOT Adventures
    (00:32:16) CRLF injection on a 302 redirect & Multiple XSS in Meta
    (00:41:00) Trail of Bits, what a $55,000 bug can look like, & Pwning Claude Code
    (00:54:16) Do Smart People Ever Say They’re Smart?


About Critical Thinking - Bug Bounty Podcast

A "by Hackers for Hackers" podcast focused on technical content ranging from bug bounty tips, to write-up explanations, to the latest hacking techniques.

v8.5.0 | © 2007-2026 radio.de GmbH
Generated: 2/6/2026 - 7:36:20 AM