[HackerNotes Ep. 121] Slonser's Image Injection 0-day - ATO & New Caido Collab Plugin

A Chrome 0 day allowing IMG injection to query parameter leak, a writeup by Sharon Brizinov that netted 64k in bounties by searching Git repos for secrets, a tool drop featuring Subdomain link launcher & Drop for Caido, MCP Protocol Research, NahamCon and content from Pliny leaking the system Prompt Gemini-2.5-pro With Canvas plus a whole lot more.

[HackerNotes Ep. 120] SpaceRaccoon - From Day Zero to Zero Day

In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner welcomes Eugene to talk (aka fanboy) about his new book, 'From Day Zero to Zero Day.' We walk through what to expect in each chapter, including Binary Analysis, Source and Sink Discovery, and Fuzzing everything.Then we give listeners a special deal on the book.

[HackerNotes Ep. 119] Abusing iframes from a Client-side Hacker

In this episode Justin does a mini deep dive into the world of iframes, starting with why they’re significant, their attributes, and how to attack them.

[HackerNotes Ep. 118] Hacking Happy Hour: 0days on Tap and SQLi Shots

We've got some extra Next.js Middleware payloads for ya, LLM polyglots, fresh research on React Router & Remix, IOT research, MCP Security and some clientside tips. Check it out below.

[HackerNotes Ep. 117] Vulnus Ex Machina - AI Hacking Part 1

[HackerNotes Ep.116] Auth Bypasses and Google VRP Writeups

We've got Portswigger’s SAML Roulette writeup, as well as some Google VRP reports, and a Next.js middleware exploit.

[HackerNotes Ep. 115] Mentee to Career Hacker - So Sakaguchi

Justin and So Sakaguchi sit down to walk through some recent bugs, before having a live mentorship session. They also talk about Reflector, and finish up by doing a bonus podcast segment in Japanese!

[HackerNotes Ep.114] Single Page Application Hacking Playbook

We're diving into Single Page Applications (SPAs) and how to attack them. We also cover a host of news items, including some bug write-ups, AI updates, and a new tool called Hackadvisor.

[HackerNotes Ep.113] Best Technical Takeaways from Portswigger Top 10 2024

We’re breaking down some of the best takeaways from PortSwiggers Top 10 of 2024. There’s some bangers in here!

[HackerNotes Ep.112] Interview with Ciarán Cotter (MonkeHack) Critical Lab Researcher and Full-time Hunter

We've got Monke breaking down some of his cool bug chains, some fresh WebSockets research ideas, a bunch of AI news, prompt injection research and some newsletters. Check it out below.

[HackerNotes Ep.111] How to Bypass DOMPurify with Kévin Mizu

In this episode Justin interviews Kévin Mizu to showcase his knowledge regarding DOMPurify and its misconfigurations. We walk through some of Kevin’s research, highlighting things like Dangerous allow-lists and URI Attributes, DOMPurify hooks, node manipulation, and DOM Clobbering.

[HackerNotes Ep.110] Oauth Gadget Correlation and Common Attacks

A DOMPurify 3.2.3 Bypass, Ophion Security Cisco Webex research, a new postMessage Chrome Extension, and a whole lot of OAuth research. Check it out below.