Johan Carlsson
@joaxcar.bsky.social
950 followers 140 following 97 posts
Full time bug bounty hunter. Look for ”joaxcar” on other platforms
Reposted by Johan Carlsson
garethheyes.co.uk
Imagine you have an XSS vulnerability but you have an undefined variable before your injection. Is all hope lost? Not at all: you can use a technique called XSS Hoisting to declare the variable and continue your exploit. Thanks to ycam_asafety for the submission.

portswigger.net/web-security...
<script>eval(myUndefVar);var inject="INJECTION_STARTS_HERE";var myUndefVar;alert(1);//";</script>
joaxcar.bsky.social
Nice addition! The only one missing is let, const, class ”hoisting in the temporal dead zone” 😉

On a serious note I don't think it's needed. But all these snippets reminded me of my final challenge in this post joaxcar.com/blog/2023/12...

also made me realize glitch.me is gone. Need to re-host
Having fun with JavaScript hoisting
Writeup of three JavaScript challenges posted on Twitter during November/December of 2023
joaxcar.com
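Added example, not code from either post above: the hoisting trick from the reposted snippet and the let/const remark in the reply, run as plain JavaScript. The page template, the payload strings and the runInjected helper are assumptions made for this demo; alert() is swapped for a function that records its calls so the outcome can be inspected instead of shown in a browser.

```javascript
// Added example (not from the original posts). Simulates a page whose script
// reads a variable that is never declared before the injection point, so a
// naive XSS payload dies with ReferenceError before reaching alert(1).
// The template string is a constructed stand-in for such a page.
const TEMPLATE = 'eval(myUndefVar);var inject="INJECTION_STARTS_HERE";';

// Candidate payloads (constructed for the demo), each closing the string
// literal and commenting out the trailing quote.
const PAYLOADS = {
  naive:    '";alert(1);//',                     // no declaration: fails
  varHoist: '";var myUndefVar;alert(1);//',      // Gareth's trick: var hoists
  letTdz:   '";let myUndefVar;alert(1);//',      // let: temporal dead zone
  fnHoist:  '";function myUndefVar(){}alert(1);//', // function declarations hoist too
};

// Run the injected script in its own function scope with a stand-in alert().
// Returns whether it completed, which alerts fired and the error type if any.
function runInjected(payload) {
  const script = TEMPLATE.replace('INJECTION_STARTS_HERE', payload);
  const alerts = [];
  const alert = (x) => { alerts.push(String(x)); };
  try {
    // new Function gives sloppy-mode, function-scoped semantics like an inline <script>
    new Function('alert', script)(alert);
    return { ok: true, alerts, error: null, script };
  } catch (e) {
    return { ok: false, alerts, error: e.constructor.name, script };
  }
}

// Run every payload and return name -> result for inspection.
function summarize() {
  const out = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    out[name] = runInjected(payload);
  }
  return out;
}

for (const [name, r] of Object.entries(summarize())) {
  console.log(name.padEnd(9), r.ok ? `alerts=${JSON.stringify(r.alerts)}` : `threw ${r.error}`);
}
```

With var the declaration is hoisted to the top of the enclosing function scope, so `eval(myUndefVar)` becomes `eval(undefined)` and execution reaches `alert(1)`. With let the binding is created at scope entry but stays in the temporal dead zone until its declaration line, so the early read still throws ReferenceError, which is why the joke in the reply does not actually work. A function declaration also rescues the page because its value, not just its name, is hoisted. In a real inline script the same rules apply at global scope, where var additionally creates a window property.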
joaxcar.bsky.social
I don't think that's a security boundary that is considered. But I might be wrong
joaxcar.bsky.social
Made a new small challenge where you have to break out of a web worker to leak a token in the URL

Only works in Firefox and Safari

joaxcar.com/fun/worker/a...
Web Worker Test
joaxcar.com
joaxcar.bsky.social
Feels like a good time to double down on this
mrtuxracer.bsky.social
I am a huge fan of the #BuyFromEU movement! So far, I've ditched a lot of US stuff already, including Microsoft, Dropbox, 1Password, Notion, Grammarly, Amazon, Slack, and Google.

This helped a lot: european-alternatives.eu
Homepage | European Alternatives
We help you find European alternatives for digital service and products, like cloud services and SaaS products.
european-alternatives.eu
joaxcar.bsky.social
Yep, innerText will return "what the user sees", and HTML entities will look like their real value to users, and thus also in the innerText

React and other frameworks will auto-encode input when used in their templates, but two here will undo that
joaxcar.bsky.social
ChatGPT got it wrong, Gemini 2.5 made a lucky guess that was not all wrong, but with the wrong explanation
joaxcar.bsky.social
I often know that I know something. But when having to ask quickly, I stumble. I might have to start generating some "flash card" style questions for myself to try to ingrain some knowledge a bit deeper.

This is an example from earlier this week. It's not hard, but how quick and certain are you?
Reposted by Johan Carlsson
gelu.chat
Geluchat @gelu.chat · Jul 4
Today was my last day as a pentester at Bsecure. After a three-year journey of hunting on the side, I’m ready to go all-in as a full-time bug bounty hunter. You can read about my journey from pentester to full-time hunter here: gelu.chat/posts/from-p...
Finding Freedom, One Bug at a Time: My Journey from Pentester to Full-Time Hunter
After seven years in pentesting, I transitioned full-time into bug bounty hunting, leveraging deep experience and continuous learning. This article shares key moments and insights from that journey.
gelu.chat
joaxcar.bsky.social
Nice post! My journey followed a similar trajectory, but so far without the 200k LHE part :)

Inspiring. I will try to ramp up a bit after vacation and see if I can get to the next level as well. Even if I am quite happy where I am coasting right now
joaxcar.bsky.social
At the same time I often think after finding something strange and niche: ”wow nice, the codebase must be full of similar issues, let's cash in!” only to find that the one issue I found is the only one that exists.
joaxcar.bsky.social
where are you?

I have been enjoying south of France for two weeks now. A lot of great views, sunsets and the warm weather :)
joaxcar.bsky.social
This is great! Have not had time to play with it yet but it's definitely something I did not know I needed really badly 😄
joaxcar.bsky.social
what are you doing now?
Reposted by Johan Carlsson
jorianwoltjer.com
Double-Clickjacking, or "press buttons on other sites without preconditions". After seeing and experimenting with this technique for a while, I cooked up a variation that combines many small tricks and ends up being quite convincing.
Here's a flexible PoC:
jorianwoltjer.com/blog/p/hacki...
The Ultimate Double-Clickjacking PoC | Jorian Woltjer
Combing a lot of browser tricks to create a realistic Proof of Concept for the Double-Clickjacking attack. Moving a real popunder with your mouse cursor and triggering it right as you're trying to bea...
jorianwoltjer.com
joaxcar.bsky.social
Cool! This is the built-out PoC that I only hinted at in my report :) my version was way less stable. But I did have the “and now a super high pipe” trick in my flappy game. Inspiring work, Jorian
joaxcar.bsky.social
A good suggestion, I think someone did try to use CSS in the challenge but failed. Never thought about it as a DoS vector
joaxcar.bsky.social
@garethheyes.co.uk feel free to ignore the challenge part here, but would be awesome with your thoughts on shared processes and stalling the cpu. Especially as I have seen hints that cross-origin could potentially share process, even as it sounds strange
joaxcar.bsky.social
Here is the official writeup of my XSS challenge on Intigriti. I think it contains some fun browser trivia even for those who did not look at the chall

joaxcar.com/blog/2025/05...
Confetti: Solution to my Intigriti May 2025 XSS Challenge - Johan Carlsson
joaxcar.com
joaxcar.bsky.social
links to blogs in discord is my new newsfeed. I recently found “the spanner” :)

My issue is that I am too much of a perfectionist to blog. Write too much and too long. Need to learn to just post
joaxcar.bsky.social
Yep, too bad. For me it sort of just went into not using these platforms at all. Doing more Discord. But there is something to “tweets” that I like. My X feed is way better though (if you filter p0rn and crypto bots. And the gore). Will try reviving Bluesky again to see if it can be done
joaxcar.bsky.social
This might be it. I kind of quit Mastodon but it did have its own edge, while this place felt more like a watered-down X. Might give it another go
joaxcar.bsky.social
I must have screwed up when setting up Bluesky. Added too many “starter packs”. My feed has been underwhelming.

Anyone have any idea if there is an active bug bounty community here and how to tap into it?
joaxcar.bsky.social
Oh now I remember how it all came together. I actually read about the inconsistency in “The tangled web”. Which made me look up the spec and found the table with invalid but parsable urls