Episode 77: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin discuss some fresh writeups including some MongoDB injections, ORMs, and exploits in Kakao and iOS before pivoting into a conversation about staying motivated and avoiding burnout while hunting.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Resources:

MongoDB NoSQL Injection

https://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/

Mongo DB Is Web Scale

https://www.youtube.com/watch?v=b2F-DItXtZs

1-click Exploit in Kakao

https://stulle123.github.io/posts/kakaotalk-account-takeover/

Unsecure time-based secret and Sandwich Attack

https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html

Reset Tolkien

https://github.com/AethliosIK/reset-tolkien

iOS URL Scheme Hijacking Revamped

https://evanconnelly.github.io/post/ios-oauth/

PLORMBING YOUR DJANGO ORM

https://www.elttam.com/blog/plormbing-your-django-orm/#content

Timestamps:

(00:00:00) Introduction

(00:02:07) MongoDB NoSQL Injection

(00:12:42) 1-click Exploit in Kakao

(00:33:21) Time-based secrets and Reset Tolkien

(00:39:26) iOS URL Scheme Hijacking Revamped

(00:51:42) ORMs

(00:58:57) Community Bug Submission

(01:07:45) Motivation, Mental Sharpness, and Burnout avoidance