Critical Thinking – Bug Bounty Podcast
In this episode of Critical Thinking - Bug Bounty Podcast, we chat with Corben Leo about his journey in bug bounty hunting and ethical hacking. We discuss the state of DNS rebinding in 2023, a Twitter thread by Douglas Day (@ArchAngelDDay) on one-hundred bug bounty rules, and our own unique approaches to bug hunting. We also discuss Corben's recon-focused bug hunting methodology and how he developed it. Don't miss this episode filled with valuable tips, insights, and Corben's Boring Mattress Company.
Follow us on twitter at: @ctbbpodcast
Get on our newsletter for some exclusive content: https://www.criticalthinkingpodcast.io/subscribe
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Today’s Guest:
Article on the State of DNS Rebinding in 2023:
https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/
See @ArchAngelDDay's twitter thread about 100 bug bounty rules:
https://twitter.com/ArchAngelDDay/status/1661924038875435008
Talkback - Cybersecurity news aggregator:
PyPI announces mandatory 2FA:
Timestamps:
(00:00:00) Introduction
(01:05) State of DNS rebinding in 2023
(04:40) 100 Bug Bounty Rules by @ArchAngelDDay
(05:30) Give yourself a ‘no bug’ limit
(07:00) The value of reporting Low and Medium Bugs for Bug Bounty Programs
(11:15) Reporting Out of Scope Bugs
(14:30) Reporting IDORs as Access Control Bugs
(17:28) Talkback
(18:12) PyPI's mandatory 2FA implementation for software publishers
(Start of main content)
(20:07) Starting out in bug bounty/ethical hacking
(25:00) Hacking methodology and mentorship
(28:15) Identifying Load Balancers
(33:20) Triage and live events:
(38:30) College and Computer Science vs. Cybersecurity
(45:45) Importance of writing for the Hacker Community
(51:21) Storytelling and report writing.
(55:00) When to stop doing recon and start hacking
(01:00:58) Lessons Learned from BreachlessAI and the pivot to Boring Mattress Co.