I did not find an easy way to delete all my tweets, I will leave them for now. I might come back for that later.
For now: follow me on joaxcar.bsky.social for updates!
I will not engage with content here.
Yesterday I made it into top 5 on @gitlab bug bounty program 🥳, at the same time crossing 100k in bounties from the same.
Some people are asking me how to get started or where and what to look for. I thought I could share a practical guide if anyone cares for a thread [1/6]
I did not believe I could check off more bucket list items this year. This bug proved me wrong. Found my first ever proper RCE using command injection (through code review), really happy about this one
I have finally done my first proper bug write-up! This one is about a SOP bypass in Chrome (escalated to ATO) using the Navigation API. Hope someone finds it interesting.
Feel free to leave me any comments; I want to improve on this!
Did a little writeup of the CSP bypass I reported to PortSwigger. It might be interesting to anyone who saw the disclosed report and wonders if CSP bypasses are the new ripe low-hanging fruit!
Small XSS challenge. Real life situation that I solved today. Should be pretty easy, but good practice if you are just getting into XSS or are trying to get away from copy pasting payloads
xss-playground.glitch.me/01.html?x=inje…
Everyone is raving about CSPT used as CSRF. Why not celebrate that this was explained already in webapp hacker handbook?!
See @PortSwigger blog from 2007:
portswigger.net/blog/on-site-r…
Also, let's bring back the name “On-site Request Forgery”
Just dropped off my work computer at the office. From tomorrow I will do bug bounties full time for three months. After that evaluate if my mental health can cope with it.. Wish me good luck!
My first disclosure to reach 100 up-votes on @Hacker0x01. Disclosures have been the number one learning resource for me, so to see people finding an interest in my own reports makes me happy! Also thanks @gitlab for allowing full disclosures, contributing to this great resource
Thanks for the great explanations for this. Apparently, URL parsing (at least in browsers) is supposed to strip out "newlines" AND tabs. So all of these will land on /b
I just dropped the kids off at school on the first day after summer break. I am officially starting my new career as a full-time bug bounty hunter. Now I just have to find those bugs.