[HackerNotes Ep. 147]: Stupid, Simple, Hacking Workflow Tips
In this episode of the CTBB podcast, Justin and Joseph share efficiency hacks that can elevate your hacking.
Hacker TLDR;
Auto-Decoding: Use built-in tools to avoid conversions outside of your HTTP proxy.
DevTools: Edit as HTML: Right-click DOM elements to edit HTML directly - perfect for feeding context to LLMs and checking if payloads are actually HTML encoded.
ffuf: Interactive Mode: Press Enter during execution to pause, then use a whole new set of commands to dynamically adjust the scan. Also, use -c for color output so you don't strain your eyeballs.
Conditional Breakpoints: Run arbitrary JavaScript at specific execution points without match & replace rule headaches - perfect for testing feature flags.
Today’s Sponsor
With ThreatLocker® Network Control, you regain complete control over network access, no matter where your employees connect from. While traditional firewalls rely on static ACLs that require manual reconfiguration for every new location, our Zero Trust network protection solution provides your organization with:
✓ Direct connections between clients and servers
✓ A centrally managed firewall for every endpoint and server
✓ Dynamic access control that adapts automatically
✓ Granular policies by IP, user, device, or keyword
✓ Automatic port closure and invisibility to unauthorized devices
Start controlling your network—wherever your team works.
The Philosophy: Reduce Friction, Find More Bugs
Those extra seconds it takes to perform certain tasks will add up over time. Over the course of your bug hunting career, how much frustration will it ultimately cause you? There has to be a better way...
Quick Conversion: Even Better in Caido
Caido's Even Better plugin adds some quality-of-life frontend components that make testing easier. This includes a component that auto-decodes selected text; you can type into the decoded view, and your additions are automatically encoded to match.
Justin reveals that by the time the episode airs, Caido will have released a new convert drawer with even more features. He also shares that all of the convert workflows are added to the command palette in his latest PR.
DevTools
When working with AI assistants or debugging UI issues, instead of manually typing DOM elements into a prompt:
Right-click on a DOM element.
Select Edit as HTML.
Copy the entire parent and children to your clipboard.
No more typos or hours wasted. Exact context to share with your model of choice.
The second use case? Bypassing copy/download restrictions on documentation. During a live hacking event, Rez0 simply used Edit as HTML, copied the content, ran it through an HTML-to-markdown converter, and saved it for reference.
This feature is also a game changer for checking if payload characters are actually HTML encoded.
If you really want to min-max your conversations with AI, the context menu also has a Debug with AI option. Selecting Start a chat will provide the DOM element directly to Google's Gemini model.
Client-Side Toolkit: Justin's Quick Tools
Justin mentions his collection of "Quick Tools" on his server that handle common client-side testing scenarios. Including scripts for:
Triggering XSS on his own domain.
Various window.open() scripts - including window.open(null).
Various <iframe></iframe> scripts - including ones that apply sandbox properties.
Redirect scripts for navigation testing.
And a webpage with a CodeMirror editor that renders whatever you type in an <iframe></iframe> beneath it. The page will also encode the script and append it in a hash.
JSON: The Pretty Boy
To make JSON-escaped data more legible, paste it into DevTools and let it render or use JSON.parse().
Raycast: A Command Palette on Steroids
Justin has built an impressive Raycast command palette toolkit with keyboard shortcuts for useful things.
His arsenal includes:
cvss - Opens the CVSS calculator.
pyd - Drops into a Python console.
checks - Opens clipboard content in hex editor.
cedit - Opens clipboard content in text editor.
ccommand - Pipes clipboard content into a command and copies it back.
cookie - Takes current HTTP request and redacts cookies and Authorization headers (perfect for writing reports or sharing requests with AI).
jwt - Takes a JWT and puts it in jwt.io.
urlencodeall - URL encodes ALL characters (surprisingly hard to find).
ocr - Optical character recognition.
mr - Match & replace rules in the clipboard.
Text Transforms: The Power User Move
Justin's most impressive Raycast toolset is his text transforms subcommand. He's mapped single keys to encoding operations (q = URL encode, w = URL decode, a = base64 encode, etc.), allowing for muscle-memory-driven encoding chains.
On macOS, Joseph shares the native alternative: pbpaste | sed <command> | pbcopy for quick clipboard transformations in the terminal.
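Three of the clipboard helpers from the Raycast list and the text-transform chains above, written here as an added example (not Justin's own scripts): a URL-encode-everything function, a Cookie/Authorization redactor for raw requests, and a single-key transform chain. Keys q/w/a come from the page; s and e, and the sample request, are assumptions for the example.

```javascript
// Added example, not Justin's Raycast scripts: three clipboard helpers as
// plain functions over a string. Keys other than q/w/a are assumed.

// urlencodeall: percent-encode EVERY byte of the UTF-8 form, including the
// letters and digits that encodeURIComponent leaves alone.
function urlEncodeAll(text) {
  return Array.from(new TextEncoder().encode(text), (b) =>
    '%' + b.toString(16).toUpperCase().padStart(2, '0')
  ).join('');
}

// cookie: blank out Cookie and Authorization values in a raw HTTP request so
// it can go into a report or an LLM prompt. Header names are matched
// case-insensitively and the original line endings (CRLF or LF) are kept.
function redactRequest(rawRequest) {
  return rawRequest.replace(/^((?:cookie|authorization):[ \t]*)[^\r\n]*/gim, '$1[REDACTED]');
}

// Text transforms: one key per operation (q/w/a as on the page; s and e assumed).
const TRANSFORMS = {
  q: (s) => encodeURIComponent(s),                      // URL encode (reserved chars)
  w: (s) => decodeURIComponent(s),                      // URL decode
  a: (s) => Buffer.from(s, 'utf8').toString('base64'),  // base64 encode
  s: (s) => Buffer.from(s, 'base64').toString('utf8'),  // base64 decode
  e: urlEncodeAll,                                      // encode everything
};

// Apply a key sequence left to right: "aq" = base64 encode, then URL encode.
function applyChain(keys, text) {
  return Array.from(keys).reduce((acc, k) => {
    if (!TRANSFORMS[k]) throw new Error(`unknown transform key: ${k}`);
    return TRANSFORMS[k](acc);
  }, text);
}

// Constructed sample request for the redaction helper (not a real target).
const SAMPLE_REQUEST =
  'GET /api/me HTTP/1.1\r\nHost: app.example\r\n' +
  'Cookie: session=abc123\r\nAuthorization: Bearer eyJ.secret\r\n\r\n';
```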
ffuf: Fuzz (Even) Faster U Fool
Don't forget to perform content discovery and fuzzing post-auth.
Use the -r command line argument in ffuf to provide authenticated requests.
Consider creating a bash alias for commonly used CLI tools that prompt for user input.
Also consider using a VPS to take the computational load (and risk of rate limiting) off your local connection.
The Game Changers: Color and Interactive Mode
Rez0 drops two bombs that Justin somehow never knew about:
Color output: Our boy admits he's been overloading his eyeballs by visually parsing ffuf output for hits. If you've been doing the same, just use the -c flag to color code output.
Interactive mode: Pressing Enter during ffuf execution pauses it, allowing you to update filters on the fly:
:: Progress: [326/5366] :: Job [1/1] :: 84 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
[INFO] ------ PAUSING ------
entering interactive mode
type "help" for a list of commands, or ENTER to resume.
> help
available commands:
afc [value] - append to status code filter
fc [value] - (re)configure status code filter
afl [value] - append to line count filter
fl [value] - (re)configure line count filter
afw [value] - append to word count filter
fw [value] - (re)configure word count filter
afs [value] - append to size filter
fs [value] - (re)configure size filter
aft [value] - append to time filter
ft [value] - (re)configure time filter
rate [value] - adjust rate of requests per second (active: 0)
queueshow - show job queue
queuedel [number] - delete a job in the queue
queueskip - advance to the next queued job
restart - restart and resume the current ffuf job
resume - resume current ffuf job (or: ENTER)
show - show results for the current job
savejson [filename] - save current matches to a file
help - you are looking at it
Also, just save the results to a file so they're not lost in the terminal history.
JXScout: JavaScript at Your Fingertips
JXScout is a Caido plugin that hooks into your proxy, watches your scope, downloads all the JavaScript files, beautifies them, and saves them for analysis.
Beyond AI-assisted parsing, Justin often uses it simply for VS Code's "go to function definition" feature, combined with the bookmarks extension to navigate large codebases.
One caveat: "It does eat up disk space though."
macOS System-Wide Proxy
Don't be as thick as a thick client.
In macOS, to set a system-wide proxy:
Open the System Settings interface.
Select the Network tab.
Click on the Details... button of your network SSID.
Click on the Proxies tab.
Click on the radio buttons for Web proxy (HTTP) and Secure web proxy (HTTPS).
Type in the listening address of your HTTP proxy in the input fields.
Click on the OK button to save the configuration.
Conditional Breakpoints: The Feature Flag Killer
Set conditional breakpoints to run arbitrary JS code to toggle feature flags without having to use match & replace rules and dealing with hash issues.
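Why this works, as an added example (not from the episode): a DevTools conditional breakpoint evaluates its expression in the scope of that line every time the line runs and pauses only when the result is truthy, so an expression that mutates state and then yields false runs your code and never pauses. The flag store, flag names and the debugger stand-in below are constructed for the example.

```javascript
// Added example: models how a conditional breakpoint doubles as a feature-flag
// toggle. `flags`, `isEnabled` and the simulator are constructed stand-ins.

// Stand-in for the application's flag store (constructed).
const flags = { newCheckout: false, betaSearch: false };

// Application code that gates a feature on the flag store.
function isEnabled(name) {
  return flags[name] === true;
}

// What you would type as the condition on the line inside isEnabled.
// Comma operator: perform the assignment, then yield `false` so the debugger
// does not pause; the page is never interrupted but the flag is now on.
const TOGGLE_CONDITION = '(flags.newCheckout = true, false)';

// A plain condition that pauses only when a specific flag is queried.
const PAUSE_CONDITION = "name === 'betaSearch'";

// Stand-in for the debugger: evaluate the condition with the line's local
// variables in scope, then report whether execution would pause.
function simulateConditionalBreakpoint(condition, scope) {
  const evaluate = new Function(...Object.keys(scope), `return (${condition});`);
  return Boolean(evaluate(...Object.values(scope)));
}

// Runs the toggle condition as the debugger would and reports the effect.
function demoToggle() {
  const before = isEnabled('newCheckout');                           // false
  const paused = simulateConditionalBreakpoint(TOGGLE_CONDITION, { flags }); // false
  const after = isEnabled('newCheckout');                            // true
  return { before, paused, after };
}
```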
Rapid Fire Tips
Use AI-imbued browsers like ChatGPT Atlas and Perplexity Comet to carry out tasks for you.
Use notification tools like terminal-notifier, ntfy.sh, and ProjectDiscovery's Notify to alert you when a task has been completed.
Enable the color-top-level-navigations passive workflow to color highlight the navigations you initiated and <iframe></iframe> navigations in the HTTP History traffic table, making it easy to keep track of the feed.
Offload tasks to Caido's official AI/LLM plugin Shift.
Easily (and securely) share requests between other Caido users with Drop.
If you're developing a Caido plugin, use the DevTools plugin to hot reload changes as they're made.
Closing Thoughts
Efficiency isn't just about working faster - it's about removing friction so you actually perform the tests you know you should be doing.
Find more bugs in less time.
As always, keep hacking!
