Episode 130: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by Valentino, who shares his journey from hacking Minecraft to becoming a Google hunter. He talks us through several bugs, including an HTML Sanitizer bypass and .NET deserialization, and highlights the hyper creative approaches he tends to employ.

Follow us on Twitter at: https://x.com/ctbbpodcast

Got any ideas and suggestions? Feel free to send us any feedback here:
[email protected] to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor: ThreatLocker - Patch Management
https://www.criticalthinkingpodcast.io/TL-patch-management

Today's Guest: Valentino - https://blog.3133700.xyz/

====== Resources ======
JMX Manager
Stored XSS in reclamos
Command Injection in Vertex AI
whitepaper-net-deser.pdf
free-after-use.go
A Journey Into Finding Vulnerabilities in the PMB Library Management System
emulated-register_globals.php

====== Timestamps ======
(00:00:00) Introduction
(00:02:38) JMXProxy Bug Story
(00:09:46) Intro to Valentino
(00:29:08) HTML Sanitizer bypass on MercadoLibre
(00:37:16) Command injection in Vertex AI
(00:44:10) .NET deserialization, & Argument injection to LFR, & Free after use
(00:51:33) Luck, creativity, and evolution as Hacker
(00:59:31) Issues in file extension validation components, Emulated register_globals, & AI Hacking