Episode 112: In this episode of Critical Thinking - Bug Bounty Podcast Joseph Thacker is joined by Ciarán Cotter (Monke) to share his bug hunting journey and give us the rundown on some recent client-side and server-side bugs. Then they discuss WebSockets, SaaS security, and cover some AI news including Grok 3, Nuclei -AI Flag, and some articles by Johann Rehberger.

Follow us on twitter at: https://x.com/ctbbpodcast

Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Today’s Guest - Ciarán Cotter

• https://x.com/monkehack

====== Resources ======

Msty

https://msty.app/

From Day Zero to Zero Day

https://nostarch.com/zero-day

Nuclei - ai flag

https://x.com/pdiscoveryio/status/1890082913900982763

ChatGPT Operator: Prompt Injection Exploits & Defenses

https://embracethered.com/blog/posts/2025/chatgpt-operator-prompt-injection-exploits/

Hacking Gemini's Memory with Prompt Injection and Delayed Tool Invocation

https://embracethered.com/blog/posts/2025/gemini-memory-persistence-prompt-injection/

====== Timestamps ======

(00:00:00) Introduction

(00:01:04) Bug Rundowns

(00:13:05) Monke's Bug Bounty Background

(00:20:03) Websocket Research

(00:34:01) Connecting Hackers with Companies

(00:34:56) Grok 3, Msty, From Day Zero to Zero Day

(00:42:58) Full time Bug Bounty, SaaS security, and Threat Modeling while AFK

(00:54:49) Nuclei - ai flag, ChatGPT Operator, and Hacking Gemini's Memory