
January 21, 2025 • 78 mins
This episode is the interview with Johan Carlsson, a full-time bug bounty hunter who specialises in client-side bugs and is currently the top 1 hunter on GitLab.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
So when interviewing Johan two years ago for the podcast, we spoke about
making 100,000 in one year and it was impressive, but since then he's
been really killing it, hacking not only on GitLab, but also programs
like Apple, Google, or Yahoo.
And in this interview, I'll try to uncover all his secrets.

(00:20):
So enjoy my interview with Johan Carlsson.
Hello, Johan.
How are you doing?
How has these two years been to you?
Oh, thanks for having me again.
Yeah, you're
the first, the first guest that makes a second appearance.
Yeah, no, I'm, uh, I'm having a great time.

(00:42):
It's been, uh, so has it been two years?
Yes.
The previous episode was in January, 2023 for the record.
We were recording this in December, 2024 and you also in, in person in Sweden.
Uh, so, um, it's almost two years.
Yeah.
Yeah.
That's crazy in a lot, in many ways.

(01:03):
Yeah.
And yeah, it's been, uh, It's been a ride, uh, and, uh, a lot of things are the same,
uh, and, uh, some things have changed.
I'm still, uh, on GitLab, uh, and, uh, uh, but I also hunt on other programs and,
uh, but I think the, the big thing, of course, is that I've gone, uh, full time.

(01:28):
Yes.
That's a big thing.
Uh, from what I did previously.
Um, so I'm from this from August, so it's almost, I guess it's like four
months or something, but I also did three months, uh, before the summer
where I just tried it out, like taking a break from my regular job and, uh,

(01:49):
testing it to see if it could fly.
What pushed you to quit your job?
It was a combination of, I really, it was not a problem with the job per se.
I was working as a developer, like front end developer.
It was a combination of being able to be more free with my time.

(02:11):
Uh, having a big family and being able to like do whatever I want with my
time, uh, and also with my interest in, uh, like security and that I, I didn't
really get to like fulfill that, uh, doing, uh, regular development work.
Yeah.
So.
How has the, the life changed since you quit?

(02:32):
What did you expect it to be?
Uh, yeah, I mean, I guess so.
Uh, I've had a lot of, it has changed in many ways.
It's not related to bug bounties.
Like I got my fourth, uh, child, uh, during this time.
Uh, so it's, I mean, I've, I've been doing it full time, but I

(02:54):
have not been working full time.
I've been a full time hunter, but my time has been, uh, a bit, uh,
scattered between the different things, but it has given me like the feeling
of like, I can control what I do myself, which has been, uh, amazing.
And when we spoke two years ago.

(03:15):
I felt like I'm saying the same things, but then it seemed incredible that you
climbed the GitLab leaderboard so quickly.
I don't remember which placeyou were at two years ago.
No, I
don't remember.
I was top 10 at least.
Top
10 something.
And I was like, wow, he made top 10 in GitLab in one year.
But, uh, it seems like the bugs have to stop somewhere yet, you know, not, not

(03:38):
two years have passed and you're now top one, huge congratulations on that.
And how on earth is it possible there's still so
many bugs?
I mean, that was definitely one of my big milestones, uh, that I wanted to
reach because when I got to the top 10.
That I think you could get into top 10.
I don't remember the numbers now, but you can be at least like around one K in

(04:03):
reputation points or something like that.
And the people at the top at that time had like three K.
So it still felt like there's a long way to go.
Yeah, exactly.
And, uh, I think I almost made one K reputation points,

(04:23):
uh, this year or something.
It's like, so in the end I've, I did, uh, uh, a huge, uh, uh, rush, uh, but
I mean, so that's also the strange thing with this reputation scoreboards
that they keep this, a lot of the people at the top 10 are not really
active hunters on GitLab anymore.

(04:44):
Yeah.
So.
Uh, I think I'm definitely one of, um, they've added this new feature
on HackerOne where you can actually see scoreboards for each year
instead, so you can pick a year and they will like rearrange it.
And uh, I've been number one all of these years, except one for some
reason, some guy beat me one year, like two years ago, uh, but uh, yeah,

(05:07):
uh, yeah, I'm really happy with that.
Are you
planning to stay withGitLab for the future?
Yeah.
Yeah.
I will definitely hang around there as long as it, uh, I'm still amazed
that I find it's not, I don't even feel like I'm doing the same thing.
I find new ways of like learning new skills and learning new techniques

(05:30):
while staying at this target.
So, and they are very fair to me and to other people as well, like
they're a really good program.
So it's hard to change, yes, for the like.
For whatever reason, uh, if they decide to stop paying or rewarding or doing

(05:50):
another change, maybe I will move on.
Is it more after so much time, more like just auditing the new code
or is it still after so much time, you still haven't explored all
functionalities that have been there?
It's still definitely a mix, even if I think it's a bit more, uh, leaning towards

(06:14):
code, but people are definitely not only me, but other ones are definitely finding
things deep inside the old code as well.
So there's a lot of things to find there.
I imagine I haven't, haven't looked at the source code, but I imagine there's
just so many pieces of code that are just hard to trigger that, you know, you just.

(06:38):
Don't know this feature exists, or you don't know there was this
particular case that and all of a sudden new code does a similar thing.
And I imagine, you know, you just randomly discover this.
Yeah.
And that's actually one thing that.
I have, uh, uh, changed or that I've forced myself to actually finally do is

(06:59):
to start using their, like the GitLab development kit, which is like the
development, uh, um, environment that they are using when you're developing things
in GitLab and as it's, uh, Ruby based.
You actually have access to, it's like an interpreted.
So it's like running the code as you

(07:20):
can have like debug breakpoints.
Yeah, exactly.
And you can also, you
can also start a console where you have access to the code so you can trigger.
Functions and you can call functions using things from the database, for
example, so you can say like, give me the first project in the database
and then throw it into this function here that takes a project or whatever.

(07:45):
So you
can speed up the testing a lot.
No,
yeah, definitely.
Uh, so you can, uh, when you get a hang of it, you can start like.
Poking at things that you don't really know how to get to yet.
Yeah, and, uh, it's really useful and I have no idea why I didn't, uh,
transition to it earlier than I did.

(08:07):
Well, last time we were recording the podcast, you were
just after stopping talking.
Uh, looking at the code through the website.
Yeah,
yeah, yeah.
Exactly.
Because I watched it and I was like, oh, just recently I
pulled GitLab to my local disk.
Yeah.
Yeah, so there's definitely things that I'm doing a bit more structured.

(08:30):
Yeah.
At the moment, yeah.
And now I think about it, for a lot of projects.
Probably you can speed up the testing when you have the source code,
obviously, and especially when you have the debugging access, you can,
instead of like running the Intruder attack or something like this.
You can just do a for loop and run a function in the for with

(08:53):
different inputs and stuff like this.
Yeah.
And actually something that really inspired me as well was, uh, I don't
know if you saw this, uh, this SAML bypass, uh, bug that was also like
really impressive, uh, in the, on its own, like the bug was really impressive.
Yeah.
And also like really old code, uh, and super critical.

(09:15):
But, uh, I saw some write up like when some other people like
tried a similar thing, they were like recreating it or whatever.
And they sort of like broke out a piece of the code and built their
own little like in isolation and they could remove the things that
they knew didn't really impact.

(09:35):
And then they could like iterate, uh, looking at this piece
of code, uh, really quickly.
And that really inspired me.
I will try to do more of that as well during code review.
Can you, can you specify this?
I don't think I fully got the,
so they, I think in that blog post, they wanted to see how GitHub in
that case were handling the SAML.

(09:57):
Uh, their SAML implementation, so they took the code, uh, that you can extract
from GitHub if you, uh, figure it out and they just took that piece of the
library and they, uh, recreated like.
Almost like building a test case.
If you're a developer, like mocking some parts and just like making

(10:18):
sure that it works good enough.
And then they could run like a lot of tests on it quickly because they don't
have to go through the whole application.
They just break out that piece of code.
Like try to break it and then try to fit it into the application again.
Oh, because there were two blog posts about the SAML bypass,
one was GitLab and GitHub, right?
And I think I only read the GitLab one.

(10:39):
Oh, yeah.
And the one you're saying is GitHub.
Yeah I think it was
from the so they discovered this bug through like fuzzing
the, the, the, the, the SAML.
Yeah.
I don't know if they've fuzzed it, but at least they broke it out to test it very
quickly with like automation to just like send a bunch of, because then they could
remove some of the, the things that would make it slow, that you would have like

(10:59):
certain timestamp checks or whatever.
That doesn't really matter for the final exploit.
Yeah.
That's nice.
I also wanted to, to, to, uh, understand SAML a bit after this, because
still I spend a lot of time on the SSO, but SAML's, SAML's like, it's
there and there's SAML Raider and I may try the attack from, from this.

(11:24):
And then it's pretty much end of my knowledge about it.
If you were to approach a new system that is GitLab, how would you start doing this?
It's been on my to do list since like going full time to, to expand, to
have like, uh, one or two more targets to be like my main go to targets.

(11:47):
Uh, I haven't really managed to do it yet.
Um, I think one of the reasons that I've managed to stay for so long at GitLab
is to, uh, Because I, I found it like interesting as well, like the application,
the functionality connected to my job as a developer, like it's resonated with me.

(12:11):
Um, so I would approach it sort of like I approach this, I guess, like.
Trying to find the functionality that I want to test that I have a like a hunch
that something could break and then I test that and then like move around in
the application is to try to find and that's sort of like what's the luxury,

(12:32):
I guess, with doing bug bounties is that no one is checking on you, like how
thorough you go through the application or wherever you can just like, Browse around.
Yeah.
There's no, no, no consequences from missing a bug.
No, exactly.
Uh, except like mental.
Yeah.
Yeah.
Uh, but, and also, I mean, you have to, so one of the big changes for, from

(12:57):
going full time, uh, is that I now have to rely on the income from bug bounties.
To actually pay my bills and my own salary and all of that so that
that sort of shift did happen like from day one that you at least you
sort of have to find things, right?

(13:19):
Uh, and that there is like a mental shift there that, uh, uh, if you don't
like constantly find something that is like bringing income, it starts to be.
So even if you're like free to do whatever you want, at least you have
to like, it has to bring something.
Yeah.
You're not, you don't
feel completely free.

(13:40):
No.
And I'm, I'm, but I'm still.
in the camp of, uh, uh, my big, uh, like inspiration when, before I went full
time, I listened a lot to like interviews with Alex Chapman and his like ideas
of like finding fewer, but bigger bugs.

(14:01):
And also like not really doing it like to maximize Uh, income, but like
a sufficient income and like enough and also enough to be able to keep it
interesting and, uh, and doing it for the fun of like learning and exploiting.
Yes.

(14:21):
But at the same time, I actually, it's funny because I thought about him
before you mentioned his name because he had the exchange, um, or just a post
on, on Bluesky recently about Yeah.
Escalating some bugs, some as always, probably a Chromium RCE
and also even though he keeps it fun, he also as a full time hunter

(14:43):
looks at the return on investment.
And he was saying, you know, um, on a low paying program, perhaps you can be,
if the program, let's say downgrades your bug to a medium in case in his
case, it's an RCE where he can, uh, access the, um, the AWS access keys.
So.
He can't really prove the impact.

(15:05):
He has to rely on the team and the team says it's medium.
And the whole post was about escalating this to a more, a bigger severity bug.
But then he was like, if this program doesn't play that well, there's no.
I actually had the similar thing.
I had, as I told you before, I was spending some time on the program that has

(15:27):
like the typical hacker one, uh, payouts.
So the medium is 500, the high is 1000.
So I thought if I have the, let's say the SSRF and I would like to approach.
you to escalate from medium to high.
I'm still getting the same 500.
So, and also there's some, somebody else, um, puts in their time and

(15:51):
effort and maybe they are rewarded.
So in the end it's, it's plus EV, but there's, it's not like a no brainer if
you think about it from the full time.
It's actually something that I've been thinking about, like, Pros and
cons of different programs lately.
And one another thing that I'm really happy about at the, the
GitLab program is that they don't have like a, a linear bounty table.

(16:15):
Yeah.
It's like, I don't know, it's exponential.
Exponential.
I don't think it's exponential.
Yeah.
But we
know that the, yeah.
Yeah.
That graph, if you have the curve that
if.
If you move from medium that tops at like 2.4k or something, and you end up
at high, which starts at like
five and ends at 15 or something.

(16:38):
And then the critical starts at like 20.
So there's a real incentive to at least try to escalate to high.
Like that jump is really important.
Yeah.
And other companies like say, for example, GitHub, where I haven't hunted as much,
but they really like, they pay like 4k for mediums, which is, uh, impressive.

(16:59):
And I think you can get even more, you can get up to like 10k for
medium, but the criticals are still end at 30, like the same as GitLab.
So it's much more linear and helping out, as you say, in that scenario makes less.
So I really like the, the exponential thing because it's incentivized, like

(17:21):
working together and like pushing bugs to, uh, their limits sort of, so to speak.
Yeah.
Also makes sense.
If you have a lot of, I imagine you have loads of gadgets hidden somewhere, so
all of a sudden you can chain them and then instead of 500 plus 500, you have.
You know, much more than one plus one.

(17:43):
So yeah.
Interesting.
Although when I look at the program, I think I prefer the linear one because I
think in the, at the end of the day, you end up reporting highs, maybe, maybe the
one you said where the high is also higher than it makes sense because there are.
quite a lot of programs that are sort of flat up until
the high and then exponential critical, which they never pay.

(18:06):
No, exactly.
Yeah.
So I
definitely agree that you want to have those high mediums as well.
Uh, and in a way you kind of get spoiled with like these big programs.
And I don't know, maybe that's at least for me, that my way of working
is that I spend a lot of time.
pretty slowly on this one program, uh, finding like one, two, three issues,

(18:32):
uh, and then like nothing and then something more and like doing that
sort of work on a program that's like tops out at like three K wouldn't
be, it's just not worth it for me.
So I skip all of those, uh, invitations or whatever to, uh, I
think there's enough bugs on the, the big, the big targets out there.

(18:57):
So that's why I, If I'm not looking at GitLab, I'm usually just like looking
at, well, like Chrome or whatever else, like big, big applications.
Yeah, we can maybe jump to this.
Last time you said you were planning to do some browser hacking.
How has this gone?
Yeah, it hasn't really gone as planned, I guess.

(19:19):
I still have it on my, I report things.
Once in a while, like smaller issues that I find when I still tinker a lot with
Chrome and web standards and web features and things like that, even if I'm maybe

(19:39):
in my main hunting, trying to move a bit more to the back end bugs and stuff
like that as well to increase impact.
But, uh, I definitely, I find some like quirks and strange things
once in a while, and then I report them, but I haven't done it in the
consistent way that I would have hoped.
So,
so it's more like you're working on something and you

(20:00):
have the idea of something that could be a bug in the browser
and
then you're more reported rather than actually spend time researching.
Yeah.
Uh, and I mean, I, I guess it's a big, it's quite a big hurdle to
spend all that time to actually start finding things, uh, in the browsers.

(20:21):
Uh, like consistently, but, uh, it's still a dream to be able to do that as well.
Uh, it's like one of the biggest like open source projects that you can attack.
Would you like to learn like the memory related bugs to find
actual RCEs and stuff in browsers?
Or are you still trying to stick to To this kind of bug that sort of requires

(20:46):
only the web, web based knowledge.
Yeah, it hasn't really caught my interest, uh, that much.
So maybe because I, I think it looks really hard, but, uh,
uh, yeah, maybe eventually.
I mean, I, I've been Trying to move to the back end and like more proper code review

(21:06):
on GitLab during the last year at least.
Uh, and it's been, uh, very interesting.
So I'm like moving in that direction, but not at that like low level
as when you are finding those kind of memory corruption things.
Yeah.
It's for me, it's, it's crazy.

(21:26):
Can you give us an example of the, of a bug from the browser that you reported?
I imagine if they are in Chromium, I guess the issue tracker is public, no?
Yeah.
Yeah, I guess, uh, I think I actually saw, maybe you mentioned something
about it, and I was supposed to write a blog post and then I found a bypass
to it, but now that speaks as well.

(21:48):
So, uh, that was, um, like a funny, uh, I hadn't really thought much about it,
that you could like, serve HTML in XML?
Yeah.
Or like XHTML.
Yeah.
Uh, and also in SVG, like all of these, like XML based, uh, like

(22:11):
languages that are baked into browsers.
And then I remember like, so this was, uh, maybe at the time where we had our
last interview, like two years ago or something, I think Ren Reinepack, uh,
he posted some tweet about like someone had stolen his, uh, POC, like bragged

(22:32):
about it on Twitter about just like how to build like an XML, HTML attack and
like getting execution through like.
XML, HTML, and I started to play with that because I hadn't
really thought too much about it.
So I played around with it and tested it and then all of a sudden, I,

(22:57):
because I knew that you could get something uploaded on GitLab,
which I always test my things on.
And I put some HTML in an, I don't remember if it was in an, uh,
SVG or, uh, some other XML file.
I was on my bus from work and I, I was doing this on my phone, like hacking, uh,

(23:22):
And uh, all of a sudden, like I saw my iframe that I had made, like on GitLab's
web page in this XML document that I have created.
And I got like really hyped.
This was during like a 20 minutes transit from work.
And I was like, ran home and like, shit, this is like, probably like
the biggest thing that I've ever found, like some sort of like bypass.

(23:47):
On there, like, because it was on the, when you can look at
like raw content of a file.
Yeah, you can do that on GitHub and the GitLab and whatever.
You can click the raw and you just see it as text/plain I guess.
And I, I got home and I opened my computer and I looked at
it and it was just text again.
Uh, so that was really disappointing.
But I looked at my phone and it was rendering as HTML and, uh, at that

(24:11):
time it, it took a while for me to figure out what's actually going on,
but I had stumbled on a bug where.
WebKit was actually like MIME sniffing, which is an old concept when
the browsers try to figure out what sort of content you are providing.
Yeah.
So which usually happens when there is no content type.

(24:32):
Exactly.
But the issue here with WebKit.
On iOS.
So like they have, uh, two different branches for one, for uh, uh,
the desktop and one for iOS.
And, um, yeah.
So for some reason they were MIME sniffing.
Even if you served text/plain, if you had like an a dot, like an extension

(24:55):
of XML or SVG or whatever, or JPG or like, yeah, you could serve
whatever sort of content you wanted.
Oh,
it worked for an extension?
Yeah, yeah, yeah.
Oh, so you could serve just x remote.
No, you could serve anything as long, so it will, it would first look at
the extension of the name or the path.
And then it would look at the name in the content disposition, I think.

(25:18):
So even if that was like XML, and then it would look at the
content or something like that.
It was really messed up.
And I had some fun with it because, Apparently, it worked on GitLab.
I didn't really manage to bypass CSP fully because you're still restricted by CSP,

(25:42):
but on the self hosted one, you could get access and on GitLab, I could manage
to do some like click jacking, yeah.
Uh, CSRF thing to actually do things because you could render and also you
could render like a login screen and
yeah, I think that that was in the report.
Yeah, exactly.
You, that was form src and HTTPS URL.

(26:04):
So I think you created the login form to your website Exactly,
which would be auto-filled.
So if the user clicks the button or is, is somehow click jacked,
it also, actually also send it back to get the 2FA code as well.
I built this whole, okay, nice.
PoC so you have like two SVG files, one for the getting the
passwords and one for the code.

(26:27):
And everything was like loaded on the GitLab page.
I, I had a lot of fun with it, but uh, in the end it didn't really.
Uh, pay that much, but, uh, it was,
so you reported it both to GitLab and to Apple as well.
Yeah, exactly.
Uh, and, uh, actually I also reported it to Chrome because

(26:47):
it worked on Chrome on iOS.
Okay.
Which is sort of a bug bounty hack, uh, that they sometimes, uh, uh, step in and
like push for changes, uh, because they are forced to use the WebKit on iOS, but,
uh, you can, uh, because Apple, they don't really pay for those kinds of issues.

(27:08):
Yeah.
So you didn't get paid from Apple?
No.
Uh, but Chrome paid me some.
That's
good.
That's weird.
Yeah.
That's strange.
And then I was like a year ago or something, I was actually gonna write to
like a blog post about this whole thing.
And then when I was like testing my payloads, I found a bypass to

(27:30):
it because They had only fixed like some of these extensions, but, and I
think that I had left, for example, XHTML for some reason, they were
still like mime sniffing that bug.
So today is XHTML any helpful in terms of not looking for browser
bugs, but bugs in websites?

(27:52):
Not really.
I guess there are like lists out there of type of files that
will allow you to render HTML.
Yeah.
And that's one of them.
And SVG is another one.
And there are
some So it's useful if there is a block list of extensions.
Yeah, sort of.

(28:12):
If they look like HTML files
or whatever and you can get HTML in there.
Yeah.
Uh, otherwise it's just, uh, uh, harder to work with HTML because
you have to be strict to the
Yeah.
Uh,
XML standards.
Yeah.
I had the, the case recently, which makes less sense than your example.

(28:34):
'cause I was testing a website, um, and I could go through
the re and I, I wanted to.
Connect my TikTok account with like the real account, which has
followers because I needed to pass some thresholds for some stuff, something.
And as the testing browser, I use a Chromium based browser as my personal

(28:56):
browser, I use Safari, uh, which I know is insecure and I shouldn't do it, but I like
it.
And I realized that I can go through the flow, uh, like register on the
website without confirming the email if I go through the particular flow.
So then I was trying to reproduce this in a Chromium based browser.
It didn't work.

(29:17):
Of course, it took me a while to figure out.
And for some reason, in Uh, I don't think it's a client side thing.
It's like a server side profiling.
It allows me to go through the registration without
confirming the email on Safari.
Not on other browsers.
I like limited all the other variables and I guess they just have, you

(29:37):
know, different flows for different.
Yeah.
It was, it was fun.
I mean, that's one of the fun things with the browser, looking for browser
quirks and bugs is that you have, at least you have three big targets and
they behave differently sometimes.
And so you always have this like.
Uh, yeah, you can test it and it's pretty fun trying to find these

(30:00):
like discrepancies between them.
And I don't know, uh, so one thing that actually came out of this, I made a small
challenge, uh, a web challenge thing that I sometimes post on my social media.
Uh, I'm moving a bit more to Bluesky.
Uh, then, uh, Twitter at the moment, but I made one that was, uh, it was

(30:26):
related to this XML XHTML thing.
Uh, I don't remember, really remember what I was trying to do.
I think it was.
It's like filtering a lot of things that you could then in HTML, you could
like bypass it by using like namespaces.
So you could like prepend all of the HTML tags with like X colon and then the

(30:50):
release and you can like create this like fake HTML that could bypass something.
And then a lot of people sent in solutions where you can use this.
It's in XML, uh, which is also connecting to SAML because SAML is also XML.
So they also have this, uh, idea of like some sort of like transformers.

(31:11):
So like tags that transform the own, the document.
Um, maybe connected to like XXE things as well, but you can like
transform the document in place.
Like when it's rendering, some people like managed to bypass my sanitation by
like transforming the document in place.

(31:33):
And there's definitely something that you could.
There's things to learn there that could potentially do something.
So that was, uh, yeah, so maybe there is something to them,
uh, that you can still use.
Yeah.
Yeah.
I feel like a lot of the browser challenges, even though they are
made by people like you, who know a lot about the client side security,

(31:57):
still, they often have unintended solutions because of things like this.
So it just shows you how complex the client side is.
Yeah.
Speaking of these challenges, how often.
Or maybe, which features of these challenges, where you have like limited
charsets or strange CSP, which of these things you use in those challenges

(32:18):
are the most useful in real life bugs?
So, I have actually, this year, I think I've used Like three or four,
like really strange browser quirks in, uh, like escalations of, uh, client
side bugs that some things that I've, I thought like I would never probably

(32:43):
be like be able to use this or like, why, why would I ever have to use this?
But then I found myself in like a corner where the only way to get out was like
using one of these like strange gadgets.
And that's what I find.
So a lot of time when I do my small challenges things, it's one way to get,

(33:03):
like, I like the interaction between these, like, really smart people.
They're always like, it's sort of like a fishing thing.
They send you like really smart payloads so you can learn a lot from these
really like super talented people.
But um, It's also often they are like based in something that I have
encountered on the real target.

(33:25):
And then I just tweak it to like fit whatever I, either
what I found interesting.
So instead of like doing a blog post or whatever, I do a small
challenge so that people can like get the experience of finding.
Um, something themself, which is sometimes like more useful than
reading about what someone has done.

(33:45):
Uh, but then also some, I made a challenge recently that was more
like an open ended research thing.
I don't know if you saw it, but like you, you were supposed to like try
to get like the smallest payload.
Yeah.
So I could like fetch.
A script and execute it.
And that was more like a research question, like I didn't really have
time to do too much on it myself.

(34:10):
I did enough to use it on a real target, but then it was like this thought,
like, how small could you make this?
And it was really fun to see all these people, uh, come together
and try to like break it down.
And then they also found like, uh, mistakes by me in my actual
challenge, abused it to make it even smaller and stuff like that.

(34:32):
It's really fun.
Yeah.
So what were the other gadgets that you used in your life that you didn't expect?
So I guess some of them I still keep as.
Yeah, of course.
There's also like one change from becoming like full time hunter.
You kind of have to start to build your own toolbox of things that

(34:54):
you, uh, that you can become like good at and that you can bring
Forward when you need it, I guess.
But I had one really fun one that I got to use together with Matan.
That's a good
collab story.

(35:14):
We have had some good, he found some fun things on GitLab that we
have then collaborated on, like taking them a bit further and doing
some bypasses and things like that.
Uh, but we had one situation when we, and that's like, and then this is really a
quirk and a niche, but we could, we were stuck in a web worker, which is a, like

(35:41):
a thread in, uh, like an execution thread of JavaScript, but we needed to get to
a service worker, which is another sort of web worker, but the service worker
is more like in control of navigation.
And.
You can use a service worker to like control what sort of content is
served to the application and so on.

(36:02):
And then you usually you cannot really make that switch.
But for some reason, if you go to MDN and look at the description of web
workers, you can actually see that like there's one green box on like that
you can access the service worker, um, functionality or API from a web worker.

(36:27):
And then it's just like green on Safari, which is like super strange.
All of the other browsers have like, uh, close this off, like for a long time
ago, like you cannot touch or create a service worker from a web worker.
But, uh, for some reason, Safari allows this.
Yeah.
So we were, and when, so yeah, we found that and we managed to like.

(36:48):
make the jump.
If someone was using Safari, you could make this jump and that could
finish our chain that would, it was like a big chain of like random stuff.
But I was really, really happy that we managed to use this like
forgotten, I guess, uh, feature that I don't see any use for it.
I have no idea why it's still there.

(37:08):
And it's also like documented, so it's not a bug or whatever, it's a
That's why I'm saying I shouldn't use Safari.
Yeah.
But it is well integrated, what can I do?
I can't help myself.
How about content security policy?
What do you do when you have the XSS or HTML injection?

(37:30):
And there is CSP, what's your first What do you first look at?
Yeah, I don't remember if I, when we spoke two years ago, if I was already,
uh, deeply invested in, uh, CSP bypasses,
I don't think
so, but it's, it's become one of those things.
I really enjoy it just as I enjoy cross site scripting,

(37:54):
which I find to be like a puzzle.
Like I, I enjoy it in the same way as like solving Sudokus or puzzles or crosswords. Uh, and the CSP bypasses a lot of times can be like, it's like an extension of cross site scripting and something that you can, uh, prove.

(38:15):
I like it way more than WAF bypasses like web application firewalls.
Those to me feel very random and strange and you cannot really use them.
I mean, you can use logic against them, but they don't really interest me because they're very like, they're specific for the application and they are like,

(38:39):
you, you have to throw like ugly things at it while a CSP bypass is often more beautiful because you're bending the rules and you're like finding these gadgets and things to, to get past it.
So yeah, I don't know.
I don't know.
And the only, the way to do it is of course, just like the, the

(39:01):
holy grail is to get a full XSS.
So you have to first go to like script source and see whatever they allow there.
And if it's too hard, maybe you cannot do anything.
And then you can start looking at, so like what sort of like loose, you know, like, um, uh, HTML things.
Can you do, can you do like form injections and, uh, form actions

(39:23):
or base tag, uh, take over the base tag and stuff like that.
So we covered, you can do the form to your website if it's possible.
Yeah, exactly.
You need the, the, the form src or form action.
Is that what controls this?
Yeah.
Form action.
Um, and it's, so the, the, the thing with that one is that it's not covered by default-src.

(39:44):
Yeah.
Yeah.
That's important.
And the same with the base.
Yeah.
So base and form are like outside of that default, because the default is usually set to something like none or self.
So if you cannot execute JS, these are the sort of two things that you look at.
Yeah.
Uh, but then also for the JavaScript, like if they have a whitelist, you of course

(40:08):
go and look for like script gadget things.
And, uh, speaking of like gadgets that I've been able to use, like just this past year, I've been able to use the, this trick where you, you have a whitelisted domain with a path, but then if you hit like a redirect on that path.

(40:28):
Then you're allowed to hit, uh, or like load code that is like from the base.
Oh, okay.
So after the redirect, any path will be ignored and they will only look at the base URL of each of your whitelisted objects.
So wait again.
So you have some, some path

(40:49):
in the CSP and the resource should start with this path, but then if under this path, there's a redirect, you are allowed to do anything on the same host.
Yeah, exactly.
Okay, that's interesting that there is a validation but only to the host, no?
Yeah, and I think one thing that a lot of might miss there is that you

(41:10):
can also like, after the redirect, the path requirement is removed from like everything on the CSP.
I guess you can actually start to look again on like these other ones as well.
Okay.
Like whatever, what, so for example, the frame source, like whatever you can frame, uh, you might find something there

(41:34):
that they are allowing you to frame like slash, uh, assets slash whatever.
But if you can redirect that, you can all of a sudden frame things from the base.
Uh, so that I've been able to use in like these sort of like clickjacking scenarios where they maybe allow you to frame something, but then you can frame

(41:55):
something that is, uh, much more dangerous because it's like on the default.
Yeah.
And I believe still the Chrome password manager autofills the password inside the iframe, even if it's different origin?
I don't think it's, if it's different origin, I don't think it does it anymore.
Okay.
I think it does it if it's sandboxed then.

(42:16):
Maybe.
Because I think we had this case.
Um, okay.
Yeah.
There's something with this.
It's a flip.
I've seen things like that as well, but uh, I think that's really, it's important to keep in mind that there are more parts to the CSP as well.
Yeah.
So it's like the script is one thing, but you can do other fun things like framing

(42:37):
and things that could be dangerous.
How to, let's say you have some custom JavaScript that's whitelisted as a script src, and it has, I don't know, thousands of lines after beautifying.
How would you start even looking for a, for a gadget to exploit to, to, to be able to escalate your, your access to, to execute JS through this.

(43:02):
Yeah,
I don't know.
I haven't really been in that situation too many times, I guess.
Like a lot of the, for some reason, the big companies actually have their like source maps out there.
So you can see it, uh, where I've been hunting GitHub and you can actually see what's going on.

(43:23):
But otherwise, I mean, that's one of the things that you get, uh, not for free, but what that, uh, like a bonus for spending a lot of time on, um, one target or like a couple of targets is that you, you find these things and then you can keep them in your notes, for example,

(43:46):
because I think you use the same GitLab CSP bypass a few times at least.
No, because I think there was the same bypass that kind of everyone knew about and people used it for years.
Yeah.
Uh, there's been a few of them, uh, they've been starting to close off more and more
it's not good for you, is it

(44:06):
, but there's still, there's still ways to, to get around it and depending on what you can, uh, what you can inject or not.
So, and I mean, it also adds, even if it's boring, that when they remove them, it also adds to the game that you have to find.
Yeah.
And when you find a new one, you're, you get really happy about that as well.

(44:30):
What other client side bugs are you, are you finding apart from XSS?
Something that I've been, uh, also have had quite like a surprising amount of, uh, success with is, uh, DOM clobbering.
Okay.
As, uh, I'm not.
On its own, but like as a part of a chain or a gadget or whatever, um, it's

(44:56):
actually way more useful than you like initially think just to be able to, for example, on, I had one bug on, uh, Gmail, it was sort of a combination.
The worst kind of in bug bounties when you mix programs, which ends up

(45:17):
that no one really wants to award you.
So it was a combination of like, you can in emails, of course, you can send HTML.
That's why it looks so beautiful and you can send forms.
If you want to, and some email clients will actually render

(45:37):
these forms in different ways.
And they will do some sanitation and stuff like that.
But Gmail, for example, will actually render the complete form with form.
It will change the password fields to text fields.
So they will be of type text, but it will have the whole form and everything.

(45:59):
Uh, and if you click submit, it will pop up a warning saying like, you're submitting things to an external page.
Do you really want to do this?
And you click no.
Uh, so I, I found a bug, uh, using.
There was a couple of, uh, password managers that could do like auto filling and they don't really care about whether it's a password field or not.

(46:24):
They're really like, uh, happy to fill whatever, like if you give it a name, a password and not the type password, a lot of them will fill it anyway in plain text, which is really strange.
Uh, but they will do it.
And I also found a way to trick some of these password managers to actually auto submit it.

(46:45):
If you put the text field inside of the submit button, because they will actually to, because they want to pretend that they are human.
So they will actually send like a click action to the form field.
And if that is inside of the submit button, the button will, the event will propagate up to the button and it will click it and submit it.

(47:08):
So you have like, login field, a normal password field, and another password field inside of the button.
Yeah, or the password field that they want, because they will fill it first, and then they will trigger the
Oh yeah, yeah, okay, so you're saying the key to react, correct.
Uh, and I tried to submit that, but the, the, the, the password, uh, uh, storage

(47:28):
companies are like, I don't know their threat models, it's really strange, they don't care about things like that.
Yeah, I'm not having a good time with
But so I, so that was like one sort of a bug that I, I felt like it was a bit strange that this one password manager did actually allow you to autofill.
When you open an email, you had a form in Gmail and it would autofill

(47:50):
your Gmail credentials because as you said, they will look at just like Google, uh, or whatever, like,
yeah,
Yeah.
And, uh, and top,
top window.
Exactly.
And so some people might have like the password saved then on the Gmail, so it'll fill there and it'll click, but then you will get blocked by this, uh, uh, Google protection thing.

(48:13):
Yeah.
And then I went into the source code and, and found that this check they were doing was like, they found the form element or like, they, they caught the, the submission.
Uh, and then they looked at the element and they did like, element dot target, uh, equals blank, like question mark.

(48:34):
And one thing that they did was if you put the form in there, they would put like target blank because they wanted this thing to trigger Google when they rendered the form, they wanted it to trigger.
Uh, but then I could use DOM clobbering them to put, uh, to name one of these fields to target.

(48:55):
So you have a form and inside of the form you have an input field with the name target.
That's it.
And then if you have the element of the form and you do dot target, you will get the input field and you will not get the value of the target thing and the input field will not equal equal blank.
So then you would skip the, so the final, uh, POC was actually like, if

(49:20):
you opened an email, your password thing would autofill and submit it and you would lose your credentials.
Yeah.
That's a cool bug.
For which nobody has paid.
No, no, no.
Google actually paid me for it.
They paid me for the DOM clobbering.
So that was like 1337 or whatever it is.
They're like, yeah, that's cool.

(49:41):
So that was really good.
And I think that to be fair, I think I got like 500 or something for the, from the password manager.
Okay.
So they did something.
I don't really know what they fixed, but they did something.
But I thought it was, I mean, the book, the bug, it looks much cooler than the payout.

(50:02):
Yeah.
Yeah.
And it's a cool idea as well.
I don't think I ever used DOM clobbering on the real world targets.
I feel like I see your bugs.
I see Martin's bugs.
I see all the client and I'm like, Oh, I should spend more time on the client.
Um, how about postMessage related bugs?
Do you?

(50:23):
Do you find a lot of stuff that, that starts with a postMessage?
I, I haven't actually looked too much into it.
Uh, I know that it's one of those fields that are still like ripe with bugs.
Uh, so like one of those like untouched areas where there are, it seems at least to be bugs everywhere.

(50:44):
But, uh, I haven't really spent too much time on it, actually.
Probably I should, but I
feel the same way.
Um, maybe client side prototype pollution is the next one that I don't spend too much time on.
Uh, yeah, yeah.
So, so when you, when you asked me, like, what sort of client side

(51:05):
bugs I found, find these days, uh, that was one that I thought about, but I have actually never found it.
And it feels very strange and niche to me that it should exist.
I know that people sometimes find them, um, but it's, yeah, it's, to me, it doesn't feel like something that is like super common.

(51:27):
So it's definitely more common to find as something else that you mentioned, these like client side path traversal things.
Yeah.
Which was actually something that I, I think I, I think you made a video of one of those.
Yeah, my, my video was about your client side path traversal in GitLab because I didn't see a real world example of this.

(51:48):
And then we had the interview and they told me you had, so then I covered it in the video.
And I don't think there is many public write ups about client side path traversals.
No, I mean, there's been a lot of discussions with it.
And I think there's also been a lot of tooling made recently.
I haven't really used anything, but I think that people have both, uh, like Caido plugins and

(52:14):
extensions to Chrome and stuff like that.
Yeah, I think the Critical Thinking guys created the browser extension for it.
For me, it's more, it's more of a hierarchy.
Like I think that the reason why I haven't felt like I need to use it, it's the way I'm looking for these kinds of bugs is usually on GitLab.

(52:36):
Maybe I find a way, like a new way of getting content into the app.
So that's like where I start like, okay, if I connect this piece here, it will render data over here.
And then, so then I start from the top, like, okay, I want it to set.
And then like, okay, it doesn't work.

(52:57):
Okay, then I want DOM clobbering or whatever.
I want to HTML injection and then that doesn't work.
And then I try like, Oh, maybe I can do a client side path traversal or whatever.
Yeah.
And so it's more of a, I just go through different bugs depending on the injection I have, like going from, I found like a source and I tried to like

(53:18):
Do something with it.
So I've, I've actually found a few CSP, uh, client side path traversals, uh, this year as well.
Uh, they're a bit hard sometimes to, if they only make, I found some that just made like a GET, uh, request and that makes it quite hard to exploit.

(53:39):
Uh, I managed to show some impact by again, like chaining it with, uh, as you hear, like there's a lot of chaining of small things, but I managed to chain it with a redirect and yeah, so, and so the, the GET request.

(54:01):
It was a GET request made by fetch, so it contained a CSRF token in a header.
Yeah.
And then if you redirect that request, you would actually leak the CSRF token to your page.
Yeah.
And then you could redirect that again.
Using the CSRF, so it kind of turns into a CSRF, uh, all the way to

(54:26):
run, or you can just wait for it to like land on your domain and,
Oh yeah, cause from your website you can directly issue a redirect, which is already the CSRF request.
Yeah, exactly.
So there's never like top level navigation to your website.
No, or you could actually like leak it and then make sure that the user ends up on your domain somehow and you can see it's a bit convoluted and it doesn't,

(54:51):
uh, work all the time, but it was like the best I could using a GET request.
Yeah, the best, but in, um, many targets that would use not cookies, but some custom header for authorization, the header would just be leaked to your website.
Then you don't have to do anything.

(55:11):
Have you had much success outside GitLab with the client side path traversals?
No, not really.
Uh, I think it's a, it's a bug to me at least how I work.
It would be a bug that requires me to like know the application deeply to know where to put it, to see where like IDs are rendered or whatever.
Uh, so I, I haven't really, the other work I've done has not been related to that.

(55:37):
Yeah.
I have found a few, but never a gadget to exploit.
Once I had, uh, uh, I had the client side path traversal and it was an open source stuff.
So I was looking through all the, all the GET routes because it was a GET based, all the GET routes that would make sense to chain it.
And I found one that was actually making changes and I was happy

(55:57):
because I found the gadget for client side path traversal and then I realized that I don't need the client side path traversal because top level navigation is good enough.
So I, I got, uh, I reported this as a CSRF and never used the client side path traversal, so that's my experience.
Um, another bug that I also saw for the first time publicly exploited in

(56:23):
your bug is a cross window forgery.
Can you tell us what cross window forgery is?
So this is actually, it's a research from a guy that I don't really remember his name.
It was sort of at the same time when I was going to try to do full time bug bounties.

(56:45):
It's my first three months, I guess.
Uh, there was this blog post about something that he had named then cross window forgery.
I have his name, but I, I'm worried I will misspell it badly, but now I think I have to.
Yeah.
Paulos.
I mean,

(57:08):
he found this strange quirk in browsers where you essentially on if you are on the page.
And you, for example, start pressing enter and that triggers a new window to open your click.
If you keep pressing enter, the click will transfer to the new

(57:30):
window and click on maybe something.
Yeah.
And then you can chain that with, uh, uh, you can use the, the hash or the fragment in the URL to actually like point to something dangerous, like a button that will accept something or do something.
And the click will like transfer to this new window and click on that button.

(57:54):
Yeah, because when you press the space or the enter, it will click the button that's focused.
And one way I usually use this is probably when I do the tab on the input field and then I do the tab for the button and then I press the space.
So you can also do it.
If there's a hash with the ID of the button, then it's sort of automatically focused, right?

(58:15):
Yeah, exactly, exactly.
Uh, and I mean, the, the, the, the, the write up is, it's fun and fine and great in a lot of ways, but it's also like a, a pretty strange bug to like, it's, it's hard to see if it's like, if it's good or bad, like if it requires like really strange behavior in a way like pressing

(58:39):
enter, but I had some fun with it.
Uh, this year, because I, I took it as like an, an exercise to, to build, uh, POCs or like to convince companies, like, because the worst scenario that I could think of was this, like you chain this with this sort of like, Oh, uh,

(59:02):
requirement, uh, what do you call those pages?
The consent, consent screens, uh, because the consent screen will ask you, like, are you allowing this application to see everything and access you.
And you have one button that says like, yeah, okay.
And if you click it, it's done.
And then you have like an account to take over.

(59:22):
So if that button has an ID, uh, then you could focus that button and you can abuse this to take over accounts essentially.
Yeah.
So my idea was that the impact here is big, even if the, the, like how you get there is kind of like goofy and not really.
I don't know if it's realistic or not, but I've sort of spent the time to

(59:46):
build this case that we have, or like companies as a community has moved to make people just like the cookie bar has made people click on all the pages.
Yeah.
Um, you have, we have these like reCAPTCHA or captcha things that when

(01:00:06):
you go to a page that you sort of trust, like maybe you don't even trust it, but you do something and they say like, yeah, here's a captcha game.
Uh, a lot of people will just do whatever it says, like, yeah, five clicks, type something and drag and drop and like do whatever.
Yeah.
So I, I built a case that like, it's not that hard to convince someone like,

(01:00:29):
Yeah, press enter three times and then you have like a progress bar that is like filling up and if you drop enter, it will like go down again.
So you have to press it for like three seconds to prove you're a human or whatever.
Uh, so I did that POC and then I did like a, a built like a Flappy Bird game or I cloned the game from, uh, from GitHub.

(01:00:49):
And I, I just, I edited the code.
So like when you play it with the enter and then like during a period where you're supposed to like go a lot of like up with the bird.
Find the space.
You have to, yeah, you have to like enter for like you have to keep it in.
Yeah.
To get the bird up.
And during that time, I opened this window as like a small popup

(01:01:12):
and it'll do the, the thing.
Yeah.
Uh, and to you using those two POCs.
Uh, it actually became quite easy to convince at least these big companies that are like hosting these sort of like consent wealth things, uh, that this is actually an issue because it's really, again, it's also really easy to fix.

(01:01:34):
So the impact is high.
The fix is easy.
You just remove the ID and, uh, you're done.
You cannot exploit it anymore.
Uh, and, uh, but still like, it's not really maybe realistic, but.
It's, it's dangerous enough that you could, uh, it could be worth fixing.
Yeah.
And also, it was also one of the reasons I wanted to talk about this because I

(01:01:56):
even said it in one of the recent videos that sometimes it's hard to get through the triage with non standard things.
Yeah.
And because this, and I would like this to be more standardized, so maybe it's like widely accepted.
That, you know, okay, this is not the, the interaction is kind of complex, but it's likely.

(01:02:18):
So, you know, it's, it's, maybe it's not, uh, critical.
Maybe not a high, but it's, it's, in my opinion, it's definitely a bug.
Yeah.
I, and I mean, uh, I, I must admit that these are maybe the bugs where I found I felt most, uh, like scammy in a way.
Like doing, uh, like I, it's not like I was

(01:02:40):
super proud of what I created. Okay.
When, well, you created the flowy, but it's cool episode.
Yeah, I, I thought it was fun to send a game and stuff like that because I've been really inspired by, there's been one guy that I've seen some bugs on Chrome.
Yeah.
A lot of like things when, uh, you kind of like click on these different consent things in

(01:03:00):
Chrome that they pop like, are you allowed to use the microphone or whatever?
And there's one guy who has sent like tens or 20 reports, like abusing this.
And it's all, he always has like a Dino game, like a dinosaur that runs and jumps and you have to do like different things.
And I, I thought it was really fun to have like

(01:03:22):
this aspect of like building a small game as the POC, like a bit goofy and a bit like light touch.
Yeah, it's nice.
It was fun in that way.
And I mean, it's worked out.
So it's, uh, it's good.
Yeah.
And it's also, I think the, as I said, I like it because it's something I didn't know about and I think it's applicable fairly widely.

(01:03:44):
Yeah.
Let's now talk a little bit about the server side bugs.
When browsing through your recent bugs on GitLab, at least from the issue tracker, there was a lot of denial of service bugs.
Yeah.
Especially the regular expression based ones.
Can you talk to us more about this?

(01:04:05):
Yeah.
I was turning into the, the denial of service guy, uh, in the beginning of this year, I, I think I counted them as well.
I think I had the 20 accepted reports on GitLab that are like denial of

(01:04:27):
service, uh, the two different kinds.
And I've also seen that there's been a lot of other people reporting that I was at the moment.
Uh, yeah.
Kind of one of those things that happens with one of those old programs that you see bug types like come and go and they fix and then they like fix the root cause, uh, eventually

(01:04:50):
and then people move on to something new and at the moment like there's still a lot of like different sending bad content to a GitLab server and trying to crash.
Yeah.
Uh, I, I was moving it.
I had been on a break during like December and January and I was moving into my like

(01:05:13):
three month trying out full time in March.
So in February, I felt like I had to like start finding something or like get something going prior to getting into it for full time.
And then I decided, I don't remember how, but I had this hunch that, okay, like ReDoS bugs.

(01:05:36):
People have found them.
I have found some of them.
Regular expression denial of service.
And I decided to like, trying to actually like, root out all of the last ones in GitLab.
Like why do people find them like, once in a while.
And always like in old code.
Like why doesn't, hasn't anyone just found all of them, like, what's my idea?

(01:06:00):
So I started to grep through the code base, uh, using regular expressions, trying to find regular expressions.
Yeah.
So it was actually one of my maybe most, uh, structural, structural attacks ever.
Like I, I got this like list of like 200, uh, potential, I think I grepped for

(01:06:26):
a couple of patterns, like anything that contained more than one star or plus.
So that's the indicator that's sort of like the main goal of a regular expression denial of service is to get the regular expression to go into a really, really deep nested search for something.

(01:06:49):
You have something called like backtracking, so it tries to go as far forward as it can, and then it goes back, and then it goes forward again, and back and forward, and it creates this like exponential, uh, amount of paths through this, uh, whatever you're trying to hit.

(01:07:11):
And when this happens are usually when you have like multiple asterisks or plus, it can happen in other scenarios as well, but that's like the sort of simple example is.
If you have wildcards one or more times and wildcard one or more times, and I have this string three A's, it can be the first group can be two

(01:07:35):
A's and the second can be one, and then it can be one, two or two, one.
And then with this simple example, it's two different sort of, uh, I don't know, it's the tree that's being thrown somewhere, but, but it's two combinations.
And I assume your inputs are not, are not three characters long, more like 3,000.

(01:07:55):
And actually something that I had to learn, because the theory is quite easy, but then you actually had to learn to break, uh, using your payload.
So after all the A's you have to put like a B or whatever, because it has to fail and then go back and try again, like different paths.
Yeah.
Uh, and that can be a bit more like, that's a super simple example, but in

(01:08:18):
different cases, it could be like, uh, quite like convoluted, but there are like, so you want the sandwich to be like almost your whole input.
Yeah.
But not sort of the last character.
At least like there are some different ones and that's, I actually learned like there are some, it's a classic like research topic.

(01:08:41):
Like there are university people like doing like heavy research into ReDoS bugs.
Uh, and I actually tried some like Java based Chinese research things that I put out on this GitHub.
It didn't really catch more than my, like, maybe it could do, but in the end, what

(01:09:04):
you have to do is like, you have to first find the bad regex and then you have to figure out if you can actually get there.
You have to figure out if it's bad and that you can do with like a free, there are web pages where you can just paste regex and it will tell you if it's, uh, like if you could, if it could be a problem or not.

(01:09:25):
Okay.
But then you also have to find a way to get the payload to that place in the application, right?
And most of the times, as you kind of mentioned, is that most of the bad RegExps are not that bad, but they are bad if you give it like 500,000 K's or whatever, like,
Yeah.

(01:09:47):
You give it like a lot of data, then it will break because the computers are like, if it would be a computer like 20 years ago, it will probably break easier.
But nowadays, like they are really, they can do a lot of work.
So, but there's a lot of those places in, for example, GitLab where you can get like huge data

(01:10:08):
into like that you control into one of these like semi bad, uh, regex things.
Yeah.
How do they usually, what severity do they assign?
You have two levels.
Uh, I, I can also like stay, say now that I think ReDoS is in scope again.

(01:10:28):
But they have actually fixed it at like a language level now at GitLab.
So it's sort of a dead bug.
But that's also why you see people transitioning into this other sort of like DOS bugs.
But they, I mean, it's a medium if you have to be, if you have to have a user.
But what you really want to do is you want to have, be able to send

(01:10:51):
like an unauthenticated request.
And then you get like the full, they have some metric that you have to, you have to, uh, trigger like a 10 second delay on like a specific like setup with a set of cores and stuff like that.
Oh, that's, that's cool.
Yeah.
So they have it in the policy, like how bad you have to make it for it to

(01:11:14):
become high instead of low or whatever.
So, and I actually like, I found, I guess I found like 18 of these bugs or whatever.
And every bug I found, I found it like one at a time and exploit them.
And I thought like, okay, yeah, that was the last one.
Like, uh, it cannot be better than this.
And then in the end, uh, like, I think it was like the last two I

(01:11:39):
found because I, then I had like an epiphany, like I was taking a shower or whatever, like a classic shower moment.
And I had, I thought like, I saw something strange in the code.
Like, I remember that I saw something really strange and I went back and found it.
And it was actually in the main, uh, speaking of old bugs, like in the main search bar.

(01:11:59):
Yeah.
When you search for code in GitLab, you can actually put like stars, asterisks in your search, search for wildcard matches.
And for some reason, I haven't really thought about like how this is implemented, but if you look at the code.
At that time, at least it, it would parse out because it's not regex, but it's just

(01:12:21):
like a star and it acts like dot star.
And if you looked at the code, they will actually like match and replace in your string, all the stars with dot star.
Oh, and then create the regex from it.
And create a regex from it.
And so then I could actually create this.
Uh, the, the schoolbook example of like searching for, and you would, so

(01:12:46):
you could do it unauthenticated and something that almost always exists in all repos is the README file.
So I could do like a, a big R star, star, star, star, star, star, star, star, and end it with something that is not MD, right?
So like markdowns, it has to end with something else.
Yeah.
Okay.
Thank you.

(01:13:06):
Uh, and then you could like break it with, uh, it's like, and usually these ReDoS things, you send like a bunch of requests to like kill all the cores.
So they like end up at a hundred percent usage, but it was really fun.
That's how I found like two different of those in the end.
Uh, and they got rewarded as high.
So even when I thought like I had found like the last remaining one,

(01:13:31):
I found these two and that was right before they put it out of scope.
So it was great.
Yeah.
You were the reason.
I mean, they were actually really, really nice with this because they had in the pipeline to actually upgrade and kill ReDoS.
Uh, for good using like, uh, updating the, the Ruby to 3.2 or whatever it is.

(01:13:54):
But as they hadn't, the roadmap was like in six months or something like that.
So they said like, yeah, if you have reported it before now, it will still be dangerous in like six months, a six month period.
So we will still reward it and then,
okay.
Uh, we'll be heading to the end of the, of the interview.

(01:14:16):
I think it's actually getting quite dark here.
It is getting quite dark and we don't have lights here, but
if you cannot see us, we're still here.
Listen to us.
We're, we're still continuing.
Um, after just one, one more question after so much time and so much things learned, how do you still learn new stuff today?

(01:14:39):
Yeah.
I, I definitely, I have not.
I will still, I think I only will still do this as long as I am learning things.
I think that's one of the, I can't really see myself just doing it, the grind or whatever.
Like, uh, even if I find it really interesting to be able to live off of it,

(01:15:03):
finding bugs and like being in control of my time and everything.
I, one of the reasons why I also, when I, I quit my job was that I felt like I could
learn more and quicker if I would do this on my own, like if I can control my time.
But that also includes that I, I want to and need to learn things and how

(01:15:24):
I do it is, uh, to remind myself to like go to the correct sources, like
reading documentation, uh, trying to become better at using like the
right tools and like learn tools.
Uh, so with all of this, like debugging and setting up environments
and like taking a small step.

(01:15:45):
Yeah.
Uh, each day and then we'd like the bug types and stuff like that.
It's more of a, if you put yourself out there and like you try, you, you
cannot just try to find whatever you have found before, you have to like act.
be, I don't know, you cannot really call it brave, but you have to put yourself in

(01:16:07):
a position where you think you will fail.
Yeah.
And then sometimes you will actually succeed and you
will make a new step forward.
And so, for example, I found my first RCE this year as well, which I really
didn't think I could check more boxes after becoming a number one
at GitLab this year, but yeah, and that's just the step when you finally

(01:16:31):
do it, it also feels quite easy.
And now maybe I only found one so far.
I have still a lot to learn.
Yeah.
Well, I think we, we all do.
Um, what are your plans for 2025?
In a way, funny that I think that my answer is really similar to when we last

(01:16:52):
spoke, becoming more structured, uh, structured, uh, creating some automation.
I've actually started taking notes.
It's always been my thing.
I don't take notes, but I actually, I've been using Obsidian now and I
really, really enjoy it and, uh, I'm, I need to get better at it, but at

(01:17:15):
least I throw things in there and I've found myself searching for my own
notes, it's a lot.
Yeah.
Uh, so it, it definitely helps.
Uh, but yeah, and I'm browser hacking on the list as well.
Uh, yeah.
Uh, yeah.
I mean, the to do list is always like move to a new program, uh, expand, but I

(01:17:38):
don't really have any super big, uh, I'm looking forward to, I've had quite a good
success this year. It's been intense and there's been a lot, a lot happening.
So I, I want, my big goal is to survive a year.
Survive, not, but like mentally.
Yeah.
Feel like it's still interesting and fun.

(01:17:59):
I don't burn out and, uh.
Maybe like settle in this new situation of, of being in control of my own time.
Cool.
Good luck with this.
Uh, thank you so much for, for the interview.
If you enjoyed it, uh, also you can check out our interview from before two
years, which we mentioned a few times there, we spoke a little bit more about

(01:18:22):
the university, about the thesis, about getting into the, the security, so if you
enjoyed this one, you will definitely like that one as well. For now, thank
you so much for listening and goodbye.
© 2025 iHeartMedia, Inc.