
Episode 106: In this episode of Critical Thinking - Bug Bounty Podcast we are pleased to announce the new co-host of the podcast: Joseph Thacker, aka Rez0! We discuss Joseph's transition to full-time bug bounty hunting, his goals, and what he’s looking forward to bringing to the pod. We also cover some news items including DoubleClickjacking, character set attacks, SVG XSS, and more.
Follow us on Twitter: @ctbbpodcast
Feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Check out our new SWAG store at https://ctbb.show/swag!
Resources
DoubleClickjacking: A New Era of UI Redressing
https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html
XBOW Validation Benchmarks
https://github.com/xbow-engineering/validation-benchmarks
Jorian tweet
https://x.com/J0R1AN/status/1871586792455163975
Simplified Payload
https://portswigger-labs.net/xss/charset.php?x=%1b$B%1b(B%3Ca%20href=javas%1B(Jcript:alert(1)%3Etest%3C/a%3E&charset=
SVG XSS Payload
https://x.com/garethheyes/status/1876953751245783534
curl-cffi
https://pypi.org/project/curl-cffi/
Bypassing File Upload Restrictions To Exploit CSPT
https://blog.doyensec.com/2025/01/09/cspt-file-upload.html
AI-Crash-Course
https://github.com/henrythe9th/AI-Crash-Course?tab=readme-ov-file
Timestamps
(00:00:00) Introduction
(00:02:15) Rez0's journey to Full-time hunter, Tool developer, and new Co-host
(00:21:04) DoubleClickjacking
(00:31:48) XBOW Validation Benchmarks, Charset Thoughts, and SVG XSS
(00:42:28) curl-cffi, CSPT, and AI Crash Course
By Justin Gardner (Rhynorater) & Joseph Thacker (Rez0)