🌉 Depi: Bridging the Gap in Software Supply Chain Security 🔗

Introducing Depi, a groundbreaking solution that aims to revolutionize Software Supply Chain security 🔒

Depi is the result of 4 years of intensive research and development by our team at Lupin & Holmes. Depi’s…

WOW. Next level chaining by Johan Carlsson for a CSP Bypass in GitHub!

Drag and drop > Triggers HTML injection > Injects form > Triggers hash change > Triggers button click > Injects more > Triggers another click gadget > Triggers 2nd hash change > Triggers click to submit form.

2. In this episode of Critical Thinking - Bug Bounty Podcast, Johan Carlsson shares updates on his bug hunting journey, including a CSP bypass on GitHub and a critical finding in GitLab's pipeline. He also discusses his approach to using script gadgets. [MORE](youtube.com/watch?v=Env8L2…)

HackerNotes has dropped featuring last week's Critical Thinking - Bug Bounty Podcast episode with Johan Carlsson! Check it out for:
- CSP Bypasses
- Browser behaviour gadgets
- Critical bug writeups
- Full-time bug bounty tips
👇👇👇
blog.criticalthinkingpodcast.io/p/hackernotes-…

When the pod guests brings a path-based 307 semi-open redirect gadget that affects a large portion of the internet to share on the pod - you know you've found the one. 😍 ­Mathias Karlsson

example[.]com/cdn-cgi/image/onerror=redirect/http://hello[.]example[.]com

Another one of ­­Mathias Karlsson's HTMX bugs from the pod. This one is an HTMX trigger attribute injection into an HTML element leading to XSS using a payload like this: <meta hx-trigger='x[1)}),alert(3);//]'>

Need a short domain for your XSS payload, but don't want to pay top dollar? Register a domain that can be written with alternate Unicode characters:

For example ㎉.℡ (3 chars) will be normalized to kcal.tel.

Cheat sheet: unicode.org/charts/normali…

#bugbountytips