So when interviewing Johan two years ago for the podcast, we spoke about making 100,000 in one year and it was impressive, but since then he's been really killing it, hacking not only on GitLab, but also programs like Apple, Google, or Yahoo. And in this interview, I'll try to uncover all his secrets. So enjoy my interview with Johan Carlsson. Hello, Johan. How are you doing? How have these two years been for you? Oh, thanks for having me again.
Yeah, you're the first guest that makes a second appearance. Yeah, no, I'm having a great time. It's been, so has it been two years? Yes. The previous episode was in January 2023, for the record. We are recording this in December 2024, and also in person in Sweden. So it's almost two years. Yeah. Yeah. That's crazy in many ways.
Yeah. And yeah, it's been a ride, and a lot of things are the same, and some things have changed. I'm still on GitLab, but I also hunt on other programs, but I think the big thing, of course, is that I've gone full time. Yes. That's a big thing. From what I did previously.
So it's from August, so it's almost, I guess it's like four months or something, but I also did three months before the summer where I just tried it out, like taking a break from my regular job and testing it to see if it could fly. What pushed you to quit your job? It was a combination of, I really, it was not a problem with the job per se. I was working as a developer, like a front-end developer. It was a combination of being able to be more free with my time,
having a big family and being able to do whatever I want with my time, and also with my interest in security, that I didn't really get to fulfill that doing regular development work. Yeah. So. How has life changed since you quit? What did you expect it to be? Yeah, I mean, I guess so. I've had a lot of, it has changed in many ways. It's not related to bug bounties. Like I got my fourth child during this time.
So I mean, I've been doing it full time, but I have not been working full time. I've been a full-time hunter, but my time has been a bit scattered between the different things, but it has given me the feeling that I can control what I do myself, which has been amazing. And when we spoke two years ago, I felt like I'm saying the same things, but then it seemed incredible that you climbed the GitLab leaderboard so quickly.
I don't remember which place you were at two years ago. No, I don't remember. I was top 10 at least. Top 10 something. And I was like, wow, he made top 10 in GitLab in one year. But it seems like the bugs have to stop somewhere, yet, you know, now two years have passed and you're now top one. Huge congratulations on that. And how on earth is it possible there's still so many bugs?
I mean, that was definitely one of my big milestones that I wanted to reach, because when I got into the top 10, I think you could get into the top 10, I don't remember the numbers now, but you could be at least around 1K in reputation points or something like that. And the people at the top at that time had like 3K. So it still felt like there's a long way to go. Yeah, exactly. And I think I almost made 1K reputation points this year or something.
It's like, so in the end I did a huge rush, but I mean, so that's also the strange thing with these reputation scoreboards, that they keep this, a lot of the people in the top 10 are not really active hunters on GitLab anymore. Yeah. So. I think I'm definitely one of, they've added this new feature on HackerOne where you can actually see scoreboards for each year instead, so you can pick a year and they will rearrange it.
And I've been number one all of these years, except one for some reason, some guy beat me one year, like two years ago, but yeah, I'm really happy with that. Are you planning to stay with GitLab for the future? Yeah. Yeah. I will definitely hang around there as long as it, I'm still amazed that I find, it's not, I don't even feel like I'm doing the same thing. I find new ways of learning new skills and learning new techniques while staying at this target.
So, and they are very fair to me and to other people as well, like they're a really good program. So it's hard to change, yes. For whatever reason, if they decide to stop paying or rewarding or doing another change, maybe I will move on. Is it, after so much time, more like just auditing the new code, or is it still, after so much time, that you still haven't explored all the functionalities that have been there?
It's still definitely a mix, even if I think it's a bit more leaning towards code, but people are definitely, not only me but others are definitely finding things deep inside the old code as well. So there's a lot of things to find there. I imagine, I haven't looked at the source code, but I imagine there's just so many pieces of code that are just hard to trigger, that, you know, you just
don't know this feature exists, or you don't know there was this particular case, and all of a sudden new code does a similar thing. And I imagine, you know, you just randomly discover this. Yeah. And that's actually one thing that
I have changed, or that I've forced myself to actually finally do, is to start using their, like the GitLab Development Kit, which is the development environment that they are using when you're developing things in GitLab, and as it's Ruby based, you actually have access to, it's like an interpreted. So it's like running the code as, you can have like debug breakpoints. Yeah, exactly.
And you can also start a console where you have access to the code, so you can trigger functions and you can call functions using things from the database. For example, you can say, give me the first project in the database and then throw it into this function here that takes a project or whatever. So you can speed up the testing a lot. No, yeah, definitely. So when you get the hang of it, you can start
poking at things that you don't really know how to get to yet. Yeah, and it's really useful and I have no idea why I didn't transition to it earlier than I did. Well, last time we were recording the podcast, you were just talking about looking at the code through the website. Yeah, yeah, yeah. Exactly. Because I watched it and I was like, oh, just recently I pulled GitLab to my local disk.
Yeah. Yeah, so there's definitely things that I'm doing a bit more structured at the moment, yeah. And now that I think about it, for a lot of projects, probably you can speed up the testing when you have the source code, obviously, and especially when you have the debugging access. Instead of running the Intruder attack or something like this, you can just do a for loop and run a function in the for loop with different inputs and stuff like this.
Yeah. And actually something that really inspired me as well was, I don't know if you saw this SAML bypass bug, that was also really impressive on its own, like the bug was really impressive. Yeah. And also like really old code, and super critical. But I saw some write-up where some other people tried a similar thing, they were recreating it or whatever.
And they sort of broke out a piece of the code and built their own little, like, in isolation, and they could remove the things that they knew didn't really impact it. And then they could iterate, looking at this piece of code, really quickly. And that really inspired me. I will try to do more of that as well during code review. Can you specify this?
I don't think I fully got the, so they, I think in that blog post, they wanted to see how GitHub in that case were handling the SAML, their SAML implementation, so they took the code that you can extract from GitHub if you figure it out, and they just took that piece of the library and they recreated, like, almost like building a test case. If you're a developer, like mocking some parts and just making sure that it works well enough.
And then they could run a lot of tests on it quickly because they don't have to go through the whole application. They just break out that piece of code, try to break it, and then try to fit it into the application again. Oh, because there were two blog posts about the SAML bypass, one was GitLab, one GitHub, right? And I think I only read the GitLab one. Oh, yeah. And the one you're saying is GitHub.
Yeah, I think it was from the, so they discovered this bug through, like, fuzzing the SAML. Yeah. I don't know if they fuzzed it, but at least they broke it out to test it very quickly with automation to just send a bunch of, because then they could remove some of the things that would make it slow, like certain timestamp checks or whatever, that don't really matter for the final exploit. Yeah. That's nice.
I also wanted to understand SAML a bit after this, because still I spend a lot of time on the SSO, but SAML, SAML is like, it's there, and there's SAML Raider, and I may try the attack from this. And then it's pretty much the end of my knowledge about it. If you were to approach a new system that is like GitLab, how would you start doing this?
It's been on my to-do list since going full time to expand, to have one or two more targets to be my main go-to targets. I haven't really managed to do it yet. I think one of the reasons that I've managed to stay for so long at GitLab is because I found it interesting as well, like the application, the functionality connected to my job as a developer, it resonated with me.
So I would approach it sort of like I approach this, I guess, trying to find the functionality that I want to test, that I have a hunch that something could break, and then I test that and then move around in the application to try to find, and that's sort of the luxury, I guess, with doing bug bounties, that no one is checking on you, like how thoroughly you go through the application or whatever. You can just browse around.
Yeah. There's no consequences from missing a bug. No, exactly. Except like mental. Yeah. Yeah. But, and also, I mean, you have to, so one of the big changes from going full time is that I now have to rely on the income from bug bounties to actually pay my bills and my own salary and all of that, so that sort of shift did happen, like from day one, that you at least sort of have to find things, right?
And there is a mental shift there, that if you don't constantly find something that is bringing income, it starts to be. So even if you're free to do whatever you want, at least it has to bring something. Yeah. You don't feel completely free. No. But I'm still
in the camp of, my big inspiration before I went full time, I listened a lot to interviews with Alex Chapman and his ideas of finding fewer but bigger bugs. And also not really doing it to maximize income, but like a sufficient income, enough, and also enough to be able to keep it interesting, and doing it for the fun of learning and exploiting.
Yes. But at the same time, I actually, it's funny because I thought about him before you mentioned his name, because he had the exchange, or just a post on Bluesky recently about, yeah, escalating some bugs, some, as always, probably a Chromium RCE, and also, even though he keeps it fun, he also as a full-time hunter looks at the return on investment.
And he was saying, you know, on a low-paying program, perhaps you can be, if the program, let's say, downgrades your bug to a medium, in his case it's an RCE where he can access the AWS access keys. So he can't really prove the impact. He has to rely on the team and the team says it's medium. And the whole post was about escalating this to a bigger severity bug.
But then he was like, if this program doesn't play that well, there's no. I actually had a similar thing. I had, as I told you before, I was spending some time on a program that has the typical HackerOne payouts. So the medium is 500, the high is 1000. So I thought if I have, let's say, the SSRF and I would like to approach you to escalate from medium to high, I'm still getting the same 500.
So, and also somebody else puts in their time and effort and maybe they are rewarded. So in the end it's plus EV, but it's not like a no-brainer if you think about it from the full-time perspective. It's actually something that I've been thinking about, like pros and cons of different programs lately. And one other thing that I'm really happy about at the GitLab program is that they don't have a linear bounty table.
Yeah. It's like, I don't know, it's exponential. Exponential. I don't think it's exponential. Yeah. But we know that the, yeah. Yeah. That graph, if you have the curve that, if you move from medium, that tops at like 2.4K or something, and you end up at high, which starts at like five and ends at 15 or something. And then the critical starts at like 20. So there's a real incentive to at least try to escalate to high. Like that jump is really important.
Yeah. And other companies like, say, for example, GitHub, where I haven't hunted as much, but they really, they pay like 4K for mediums, which is impressive. And I think you can get even more, you can get up to like 10K for a medium, but the criticals still end at 30, the same as GitLab. So it's much more linear, and helping out, as you say, in that scenario makes less.
So I really like the exponential thing because it incentivizes working together and pushing bugs to their limits, so to speak. Yeah. Also makes sense. If you have a lot of, I imagine you have loads of gadgets hidden somewhere, so all of a sudden you can chain them, and then instead of 500 plus 500, you have, you know, much more than one plus one. So yeah.
Interesting. Although when I look at the program, I think I prefer the linear one, because I think at the end of the day, you end up reporting highs. Maybe the one you said, where the high is also higher, then it makes sense, because there are quite a lot of programs that are sort of flat up until the high and then exponential critical, which they never pay. No, exactly. Yeah. So I definitely agree that you want to have those high mediums as well.
And in a way you kind of get spoiled with these big programs. And I don't know, maybe that's, at least for me, my way of working is that I spend a lot of time, pretty slowly, on this one program, finding like one, two, three issues, and then nothing, and then something more, and doing that sort of work on a program that tops out at like 3K wouldn't be, it's just not worth it for me.
So I skip all of those invitations or whatever. I think there's enough bugs on the big targets out there. So that's why, if I'm not looking at GitLab, I'm usually just looking at, well, Chrome or whatever else, like big applications. Yeah, we can maybe jump to this. Last time you said you were planning to do some browser hacking. How has this gone? Yeah, it hasn't really gone as planned, I guess. I still have it on my, I report things
once in a while, like smaller issues that I find when I still tinker a lot with Chrome and web standards and web features and things like that, even if I'm maybe, in my main hunting, trying to move a bit more to back-end bugs and stuff like that as well, to increase impact. But I definitely find some quirks and strange things once in a while, and then I report them, but I haven't done it in the consistent way that I would have hoped.
So it's more like you're working on something and you have the idea of something that could be a bug in the browser, and then you more report it rather than actually spend time researching. Yeah. And I mean, I guess it's quite a big hurdle to spend all that time to actually start finding things in the browsers consistently, but it's still a dream to be able to do that as well.
It's like one of the biggest open source projects that you can attack. Would you like to learn the memory-related bugs to find actual RCEs and stuff in browsers? Or are you still trying to stick to this kind of bug that sort of requires only the web-based knowledge? Yeah, it hasn't really caught my interest that much. Maybe because I think it looks really hard, but yeah, maybe eventually.
I mean, I've been trying to move to the back end and more proper code review on GitLab during the last year at least. And it's been very interesting. So I'm moving in that direction, but not at that low level as when you are finding those kinds of memory corruption things. Yeah. For me, it's crazy. Can you give us an example of a bug from the browser that you reported? I imagine if they are in Chromium, I guess the issue tracker is public, no?
Yeah. Yeah, I guess, I think I actually saw, maybe you mentioned something about it, and I was supposed to write a blog post and then I found a bypass to it, but now that speaks as well. So that was a funny, I hadn't really thought much about it, that you could serve HTML in XML? Yeah. Or like XHTML. Yeah. And also in SVG, like all of these XML-based languages that are baked into browsers.
And then I remember, so this was maybe at the time when we had our last interview, like two years ago or something, I think Ren Reinepack posted some tweet about how someone had stolen his PoC, like bragged about it on Twitter, about just how to build like an XML HTML attack and getting execution through XML HTML, and I started to play with that because I hadn't really thought too much about it.
So I played around with it and tested it, and then all of a sudden, because I knew that you could get something uploaded on GitLab, which I always test my things on, I put some HTML in an, I don't remember if it was in an SVG or some other XML file. I was on my bus from work and I was doing this on my phone, like hacking. And all of a sudden, I saw my iframe that I had made on GitLab's web page in this XML document that I had created.
And I got really hyped. This was during a 20-minute transit from work. And I was like, ran home and like, shit, this is probably the biggest thing that I've ever found, like some sort of bypass on there, because it was on the, when you can look at the raw content of a file. Yeah, you can do that on GitHub and GitLab and whatever. You can click raw and you just see it as text/plain, I guess.
And I got home and I opened my computer and I looked at it and it was just text again. So that was really disappointing. But I looked at my phone and it was rendering as HTML, and at that time it took a while for me to figure out what was actually going on, but I had stumbled on a bug where WebKit was actually MIME sniffing, which is an old concept where the browsers try to figure out what sort of content you are providing.
Yeah. So which usually happens when there is no Content-Type. Exactly. But the issue here with WebKit on iOS, so they have two different branches, one for the desktop and one for iOS. And yeah, so for some reason they were MIME sniffing even if you served text/plain, if you had an extension of .xml or .svg or whatever, or .jpg, or like, yeah, you could serve whatever sort of content you wanted. Oh, it worked for an extension? Yeah, yeah, yeah.
Oh, so you could serve just XML? No, you could serve anything, as long, so it would first look at the extension of the name or the path. And then it would look at the name in the Content-Disposition, I think. So even if that was like .xml, and then it would look at the content or something like that. It was really messed up. And I had some fun with it because apparently it worked on GitLab.
I didn't really manage to bypass CSP fully because you're still restricted by CSP, but on the self-hosted one, you could get access, and on GitLab, I could manage to do some click-jacking, yeah, CSRF thing to actually do things because you could render, and also you could render a login screen, and yeah, I think that was in the report. Yeah, exactly. That was form-src and an HTTPS URL. So I think you created the login form to your website. Exactly, which would be auto-filled.
So if the user clicks the button or is somehow click-jacked, it also, actually also sends it back to get the 2FA code as well. I built this whole, okay, nice, PoC so you have two SVG files, one for getting the passwords and one for the code. And everything was loaded on the GitLab page. I had a lot of fun with it, but in the end it didn't really pay that much, but it was, so you reported it both to GitLab and to Apple as well. Yeah, exactly.
And actually I also reported it to Chrome because it worked on Chrome on iOS. Okay. Which is sort of a bug bounty hack, that they sometimes step in and push for changes, because they are forced to use WebKit on iOS, but you can, because Apple, they don't really pay for those kinds of issues. Yeah. So you didn't get paid from Apple? No. But Chrome paid me some. That's good. That's weird. Yeah. That's strange.
And then, like a year ago or something, I was actually going to write a blog post about this whole thing. And then when I was testing my payloads, I found a bypass to it because they had only fixed some of these extensions, and I think they had left, for example, XHTML for some reason, they were still MIME sniffing that. So today, is XHTML any helpful in terms of, not looking for browser bugs, but bugs in websites? Not really.
I guess there are lists out there of the types of files that will allow you to render HTML. Yeah. And that's one of them. And SVG is another one. And there are some. So it's useful if there is a block list of extensions. Yeah, sort of. If they look like HTML files or whatever and you can get HTML in there. Yeah. Otherwise it's just harder to work with HTML because you have to be strict to the, yeah, XML standards.
Yeah. I had a case recently which makes less sense than your example, because I was testing a website, and I could go through the, and I wanted to connect my TikTok account with like the real account, which has followers, because I needed to pass some thresholds for something. And as the testing browser, I use any Chromium-based browser; as my personal browser, I use Safari, which I know is insecure and I shouldn't do it, but I like it.
And I realized that I can go through the flow, like register on the website without confirming the email, if I go through a particular flow. So then I was trying to reproduce this in a Chromium-based browser. It didn't work. Of course, it took me a while to figure out. And for some reason, I don't think it's a client-side thing. It's like server-side profiling. It allows me to go through the registration without confirming the email on Safari, not on other browsers.
I limited all the other variables and I guess they just have, you know, different flows for different. Yeah. It was fun. I mean, that's one of the fun things with the browser, looking for browser quirks and bugs, is that you have at least three big targets and they behave differently sometimes. And so you always have this, yeah, you can test it and it's pretty fun trying to find these discrepancies between them.
And I don't know, so one thing that actually came out of this, I made a small challenge, a web challenge thing that I sometimes post on my social media. I'm moving a bit more to Bluesky than Twitter at the moment, but I made one that was related to this XML XHTML thing. I don't really remember what I was trying to do. I think it was, like, filtering a lot of things that you could then, in HTML, bypass by using namespaces.
So you could prepend all of the HTML tags with like x colon and then the rest, and you can create this fake HTML that could bypass something. And then a lot of people sent in solutions where you can use this, it's in XML, which is also connected to SAML because SAML is also XML. So they also have this idea of some sort of transformers, so like tags that transform the document itself.
Maybe connected to XXE things as well, but you can transform the document in place, like when it's rendering. Some people managed to bypass my sanitization by transforming the document in place. And there's definitely something that you could, there's things to learn there that could potentially do something. So that was, yeah, so maybe there is something to them that you can still use.
Yeah. Yeah. I feel like a lot of the browser challenges, even though they are made by people like you who know a lot about client-side security, still often have unintended solutions because of things like this. So it just shows you how complex the client side is. Yeah. Speaking of these challenges, how often,
or maybe, which features of these challenges, where you have limited charsets or strange CSP, which of these things you use in those challenges are the most useful in real-life bugs? So, I have actually, this year, I think I've used like three or four really strange browser quirks in escalations of client-side bugs, some things that I thought I would never probably be able to use, or like, why would I ever have to use this?
But then I found myself in a corner where the only way to get out was using one of these strange gadgets. And that's what I find. So a lot of the time when I do my small challenge things, it's one way to get, like, I like the interaction between these really smart people. It's sort of like a fishing thing. They send you really smart payloads, so you can learn a lot from these super talented people.
But it's also often that they are based on something that I have encountered on the real target. And then I just tweak it to fit whatever I found interesting. So instead of doing a blog post or whatever, I do a small challenge so that people can get the experience of finding something themselves, which is sometimes more useful than reading about what someone has done.
But then also, I made a challenge recently that was more like an open-ended research thing. I don't know if you saw it, but you were supposed to try to get the smallest payload. Yeah. So I could fetch a script and execute it. And that was more like a research question, like I didn't really have time to do too much on it myself. I did enough to use it on a real target, but then it was this thought, like, how small could you make this?
And it was really fun to see all these people come together and try to break it down. And then they also found mistakes by me in my actual challenge, abused it to make it even smaller, and stuff like that. It's really fun. Yeah. So what were the other gadgets that you used in your life that you didn't expect? So I guess some of them I still keep as. Yeah, of course. There's also one change from becoming a full-time hunter.
You kind of have to start to build your own toolbox of things that you can become good at and that you can bring forward when you need it, I guess. But I had one really fun one that I got to use together with Matan. That's a good collab story. We have had some good, he found some fun things on GitLab that we have then collaborated on, taking them a bit further and doing some bypasses and things like that.
But we had one situation when we, and this is really a quirk and a niche, but we were stuck in a web worker, which is like an execution thread of JavaScript, but we needed to get to a service worker, which is another sort of web worker, but the service worker is more in control of navigation. And you can use a service worker to control what sort of content is served to the application and so on.
And usually you cannot really make that switch. But for some reason, if you go to MDN and look at the description of web workers, you can actually see that there's one green box that says you can access the service worker functionality or API from a web worker. And it's just green on Safari, which is super strange.
All of the other browsers have closed this off a long time ago, like you cannot touch or create a service worker from a web worker. But for some reason, Safari allows this. Yeah. So we found that and we managed to make the jump. If someone was using Safari, you could make this jump and that could finish our chain, which was a big chain of random stuff.
But I was really, really happy that we managed to use this forgotten, I guess, feature that I don't see any use for. I have no idea why it's still there. And it's also documented, so it's not a bug or whatever. That's why I'm saying I shouldn't use Safari. Yeah. But it is well integrated, what can I do? I can't help myself. How about Content Security Policy? What do you do when you have the XSS or HTML injection
and there is CSP? What do you first look at? Yeah, I don't remember, when we spoke two years ago, if I was already deeply invested in CSP bypasses. I don't think so, but it's become one of those things I really enjoy, just as I enjoy cross-site scripting, which I find to be like a puzzle.
Like I enjoy it in the same way as solving Sudokus or puzzles or crosswords, and the CSP bypasses a lot of times can be, it's like an extension of cross-site scripting and something that you can prove. I like it way more than WAF bypasses, like web application firewalls. Those to me feel very random and strange and you cannot really use them.
I mean, you can use logic against them, but they don't really interest me because they're very specific to the application and you have to throw ugly things at it, while a CSP bypass is often more beautiful because you're bending the rules and you're finding these gadgets and things to get past it. So yeah, I don't know. And the way to do it is, of course, the holy grail is to get a full XSS.
So you have to first go to script-src and see whatever they allow there. And if it's too hard, maybe you cannot do anything. And then you can start looking at, so like, what sort of loose, you know, HTML things can you do? Can you do form injections and form actions, or the base tag, take over the base tag and stuff like that. So we covered, you can do the form to your website if it's possible. Yeah, exactly. You need the form-src or form-action.
Is that what controls this? Yeah. Form action. Um, and it's, so the, the, the thing with that one is that it's not covered by default source. Yeah. Yeah. That's important. And the same with the base. Yeah. So base and form are like outside of that default, because the default is usually set to something like none or self. So if you cannot execute JS, these are the sort of two things that you look at.
Yeah. Uh, but then also for the JavaScript, like if they have a white list, you of course go and look for like script gadget things. And, uh, speaking of like gadgets that I've been able to use, like just this past year, I've been able to use the, this trick where you, you have a white listed domain with a path, but then if you hit like a redirect on that path. Then you're allowed to hit, uh, or like load code that is like from the base. Oh, okay.
So after the redirect, any path will be ignored and they will only look at the base URL of each of your whitelisted objects. So wait again. So you have some, some path. In the CSP and the resource should start with this path, but then if under this part, there's a redirect, you are allowed to do anything on the same host. Yeah, exactly. Okay, that's interesting that there is a validation but only to the host, no?
Yeah, and I think one thing that a lot of might miss there is that you can also like, After the redirect, the path requirement is removed from like everything on the CSP. I guess you can actually start to look again on like these other ones as well. Okay. Like whatever, what, so for example, the frame. Source, like whatever you can frame, uh, you might find something there that they are allowing you to frame like slash, uh, assets slash whatever.
But if you can redirect that, you can all of a sudden frame things from the base. Uh, so that I've been able to use in like these sort of like click jacking scenarios where they maybe allow you to frame something, but then you can frame something that is, uh, much more dangerous because it's like on the default. Yeah. And I believe still the Chrome passport manager autofills. the password inside the iframe, even if it's different origin?
I don't think it's, if it's different origin, I don't think it does it anymore. Okay. I think it does it if it's sandboxed then. Maybe. Because I think we had this case. Um, okay. Yeah. There's something with this. It's a flip. I've seen things like that as well, but uh, I think that's really It's important to keep in mind that there are more parts to the CSP as well. Yeah. So it's like the script is one thing, but you can do other fun things like framing and things that could be dangerous.
Let's say you have some custom JavaScript that's whitelisted as a script-src, and it has, I don't know, thousands of lines after beautifying. How would you even start looking for a gadget to exploit, to be able to escalate your access to execute JS through this? Yeah, I don't know. I haven't really been in that situation too many times, I guess. For some reason, a lot of the big companies actually have their source maps out there.
So you can see it where I've been hunting, GitHub, and you can actually see what's going on. But otherwise, I mean, that's one of the things that you get, not for free, but as a bonus for spending a lot of time on one target or a couple of targets: you find these things and then you can keep them in your notes. For example, I think you used the same GitLab CSP bypass a few times at least.
No, because I think there was the same bypass that kind of everyone knew about and people used it for years. Yeah. There's been a few of them. They've been starting to close off more and more. It's not good for you, is it? But there's still ways to get around it, depending on what you can inject or not. And I mean, even if it's boring when they remove them, it also adds to the game that you have to find.
Yeah. And when you find a new one, you get really happy about that as well. What other client-side bugs are you finding apart from XSS? Something that I've also had quite a surprising amount of success with is DOM clobbering. Okay. Not
on its own, but as a part of a chain or a gadget or whatever, it's actually way more useful than you initially think. For example, I had one bug on Gmail, it was sort of a combination. The worst kind in bug bounties, when you mix programs, which ends up with no one really wanting to award you. So it was a combination: in emails, of course, you can send HTML. That's why it looks so beautiful, and you can send forms.
If you want to, and some email clients will actually render these forms in different ways. And they will do some sanitization and stuff like that. But Gmail, for example, will actually render the complete form. It will change the password fields to text fields, so they will be of type text, but it will have the whole form and everything. And if you click submit, it will pop up a warning saying, you're submitting things to an external page, do you really want to do this?
And you click no. So I found a bug using that. There were a couple of password managers that could do autofilling and they don't really care about whether it's a password field or not. They're really happy to fill whatever. If you give it the name password and not the type password, a lot of them will fill it anyway in plain text, which is really strange. But they will do it.
And I also found a way to trick some of these password managers to actually auto-submit it, if you put the text field inside of the submit button, because they want to pretend that they are human. So they will actually send a click action to the form field. And if that is inside of the submit button, the event will propagate up to the button and it will click it and submit it. So you have
a login field, a normal password field, and another password field inside of the button. Yeah, or the password field that they want, because they will fill it first, and then they will trigger the click. Oh yeah, okay, correct. And I tried to submit that, but the password storage companies are like, I don't know their threat models, it's really strange, they don't care about things like that.
Yeah, I'm not having a good time with... But so that was one sort of a bug, and I felt like it was a bit strange that this one password manager did actually allow you to autofill. When you open an email, you had a form in Gmail and it would autofill your Gmail credentials because, as you said, they will look at just Google or whatever, yeah. And the top window. Exactly.
And so some people might have the password saved for Gmail, so it'll fill there and it'll click, but then you will get blocked by this Google protection thing. Yeah. And then I went into the source code and found that this check they were doing was: they found the form element, or they caught the submission, and then they looked at the element and did, like, element.target equals _blank?
And one thing that they did was, if you put the form in there, they would set target to _blank, because they wanted this thing to trigger when they rendered the form. But then I could use DOM clobbering to name one of these fields target. So you have a form and inside of the form you have an input field with the name target. That's it.
And then if you have the form element and you do .target, you will get the input field and not the value of the target attribute, and the input field will not equal _blank. So then you would skip the check. So the final PoC was actually: if you opened an email, your password manager would autofill and submit it and you would lose your credentials. Yeah. That's a cool bug. For which nobody has paid. No, no, no. Google actually paid me for it.
They paid me for the DOM clobbering. So that was 1337 or whatever it is. They're like, yeah, that's cool. So that was really good. And to be fair, I think I got 500 or something from the password manager. Okay. So they did something. I don't really know what they fixed, but they did something. But I mean, the bug looks much cooler than the payout. Yeah. And it's a cool idea as well.
I don't think I ever used DOM clobbering on real-world targets. I feel like I see your bugs, I see Martin's bugs, I see all the client-side stuff and I'm like, oh, I should spend more time on the client side. How about postMessage-related bugs? Do you find a lot of stuff that starts with a postMessage? I haven't actually looked too much into it. I know that it's one of those fields that are still ripe with bugs.
So one of those untouched areas where there seem, at least, to be bugs everywhere. But I haven't really spent too much time on it, actually. Probably I should, but I feel the same way. Maybe client-side prototype pollution is the next one that I don't spend too much time on. Yeah. So when you asked me what sort of client-side bugs I find these days, that was one that I thought about, but I have actually never found it.
And it feels very strange and niche to me that it should exist. I know that people sometimes find them, but to me it doesn't feel like something that is super common. So it's definitely more common to find something else that you mentioned, these client-side path traversal things. Yeah. Which was actually something that, I think you made a video of one of those.
Yeah, my video was about your client-side path traversal in GitLab because I hadn't seen a real-world example of this. And then we had the interview and you told me you had one, so then I covered it in the video. And I don't think there are many public write-ups about client-side path traversals. No, I mean, there's been a lot of discussion about it. And I think there's also been a lot of tooling made recently.
I haven't really used anything, but I think that people have both Caido plugins and extensions to Chrome and stuff like that. Yeah, I think the Critical Thinking guys created a browser extension for it. For me, it's more of a hierarchy. I think the reason why I haven't felt like I need to use it is the way I'm looking for these kinds of bugs, usually on GitLab. Maybe I find a new way of getting content into the app.
So that's where I start: okay, if I connect this piece here, it will render data over here. And then I start from the top: okay, I want an XSS. And then, okay, it doesn't work. Okay, then I want DOM clobbering or whatever, I want HTML injection, and then that doesn't work. And then I try, oh, maybe I can do a client-side path traversal or whatever.
Yeah. And so I just go through different bugs depending on the injection I have: I found a source and I try to do something with it. So I've actually found a few CSPT, client-side path traversals, this year as well. They're a bit hard sometimes. I found some that just made a GET request and that makes it quite hard to exploit.
I managed to show some impact by again chaining it. As you hear, there's a lot of chaining of small things, but I managed to chain it with a redirect. The GET request was made by fetch, so it contained a CSRF token in a header. Yeah. And then if you redirect that request, you would actually leak the CSRF token to your page. Yeah. And then you could redirect that again
using the CSRF token, so it kind of turns into a CSRF all the way through, or you can just wait for it to land on your domain. Oh yeah, because from your website you can directly issue a redirect, which is already the CSRF request. Yeah, exactly. So there's never a top-level navigation to your website.
No, or you could actually leak it and then make sure that the user ends up on your domain somehow. You can see it's a bit convoluted and it doesn't work all the time, but it was the best I could do using a GET request. Yeah, the best. But on many targets that use not cookies but some custom header for authorization, the header would just be leaked to your website. Then you don't have to do anything.
Have you had much success outside GitLab with the client-side path traversals? No, not really. I think, to me at least, with how I work, it would be a bug that requires me to know the application deeply, to know where to put it, to see where IDs are rendered or whatever. So the other work I've done has not been related to that. Yeah. I have found a few, but never a gadget to exploit.
Once I had a client-side path traversal in an open source project. So I was looking through all the GET routes, because it was GET-based, all the GET routes that would make sense to chain it with. And I found one that was actually making changes, and I was happy because I found the gadget for the client-side path traversal, and then I realized that I don't need the client-side path traversal because top-level navigation is good enough.
So I reported this as a CSRF and never used the client-side path traversal, so that's my experience. Another bug that I also saw for the first time publicly exploited in your bug is cross-window forgery. Can you tell us what cross-window forgery is? So this is actually research from a guy whose name I don't really remember. It was sort of at the same time when I was going to try to do full-time bug bounties, my first three months, I guess.
There was this blog post about something that he had named cross-window forgery. I have his name, but I'm worried I will misspell it badly, but now I think I have to. Yeah. Paulos. I mean, he found this strange quirk in browsers where essentially, if you are on a page and you, for example, start pressing Enter and that triggers a new window to open on your click, if you keep pressing Enter, the click will transfer to the new window and click on maybe something.
Yeah. And then you can chain that with the hash or the fragment in the URL, to actually point to something dangerous, like a button that will accept something or do something. And the click will transfer to this new window and click on that button. Yeah, because when you press Space or Enter, it will click the button that's focused.
And one way I usually use this is when I tab to the input field and then I tab to the button and then I press Space. So you can also do it this way: if there's a hash with the ID of the button, then it's sort of automatically focused, right? Yeah, exactly. And I mean, the write-up is
fun and fine and great in a lot of ways, but it's also a pretty strange bug. It's hard to see if it's good or bad, because it requires really strange behavior in a way, like pressing Enter, but I had some fun with it
this year, because I took it as an exercise to build PoCs, to convince companies, because the worst scenario that I could think of was chaining this with, what do you call those pages? The consent screens, because the consent screen will ask you, are you allowing this application to see everything and access your account? And you have one button that says, yeah, okay.
And if you click it, it's done. And then you have an account takeover. So if that button has an ID, then you could focus that button and you can abuse this to take over accounts, essentially. Yeah. So my idea was that the impact here is big, even if how you get there is kind of goofy and not really
realistic. I don't know if it's realistic or not, but I've sort of spent the time to build this case that companies, as a community, have moved to make people click, just like the cookie bar has made people click on all the pages. Yeah. We have these reCAPTCHA or CAPTCHA things where, when you go to a page that you sort of trust, maybe you don't even trust it, but you do something and they say, yeah, here's a CAPTCHA game.
A lot of people will just do whatever it says: yeah, five clicks, type something, drag and drop, do whatever. Yeah. So I built a case that it's not that hard to convince someone: press Enter three times, and then you have a progress bar that is filling up and if you release Enter, it will go down again. So you have to press it for three seconds to prove you're a human or whatever.
So I did that PoC and then I built a Flappy Bird game, or I cloned the game from GitHub and I just edited the code. So you play it with Enter, and then during a period where you're supposed to go up a lot with the bird, you have to hold Enter, you have to keep it in, to get the bird up. And during that time, I opened this window as a small popup and it'll do the thing.
Yeah. And using those two PoCs, it actually became quite easy to convince at least these big companies that are hosting these sort of consent flows that this is actually an issue, because again, it's also really easy to fix. So the impact is high, the fix is easy. You just remove the ID and you're done. You cannot exploit it anymore. But still, it's maybe not really realistic, but
it's dangerous enough that it could be worth fixing. Yeah. And that was also one of the reasons I wanted to talk about this, because I even said in one of the recent videos that sometimes it's hard to get through triage with non-standard things. Yeah. And I would like this to be more standardized, so maybe it's widely accepted that, you know, okay, the interaction is kind of complex, but it's likely.
So, you know, maybe it's not critical, maybe not a high, but in my opinion it's definitely a bug. Yeah. And I mean, I must admit that these are maybe the bugs where I felt most scammy, in a way. It's not like I was super proud of what I created. Okay. Well, you created the Flappy Bird thing, that's cool.
Yeah, I thought it was fun to send a game and stuff like that, because I've been really inspired by one guy whose bugs I've seen on Chrome. Yeah. A lot of things when you click on these different consent prompts in Chrome that pop up, like, are you allowing the microphone to be used, or whatever? And there's one guy who has sent tens or twenty reports abusing this.
And he always has a Dino game, like a dinosaur that runs and jumps and you have to do different things. And I thought it was really fun to have this aspect of building a small game as the PoC, a bit goofy and a bit light touch. Yeah, it's nice. It was fun in that way. And I mean, it's worked out. So it's good.
Yeah. And as I said, I like it because it's something I didn't know about and I think it's applicable fairly widely. Yeah. Let's now talk a little bit about the server-side bugs. When browsing through your recent bugs on GitLab, at least from the issue tracker, there were a lot of denial-of-service bugs. Yeah. Especially the regular-expression-based ones. Can you tell us more about this?
Yeah. I was turning into the denial-of-service guy in the beginning of this year. I think I counted them as well. I think I had 20 accepted reports on GitLab that are denial of service, of two different kinds. And I've also seen that there's been a lot of other people reporting that at the moment. Yeah. It's kind of one of those
things that happens with one of those old programs: you see bug types come and go, they fix them, and then they fix the root cause eventually and people move on to something new. And at the moment there's still a lot of different ways of sending bad content to a GitLab server and trying to crash it. Yeah. I had been on a break during December and January and I was moving into my three months of trying out full time in March.
So in February, I felt like I had to start finding something, or get something going, prior to getting into it full time. And then I decided, I don't remember how, but I had this hunch that, okay, ReDoS bugs: people have found them, I have found some of them, regular expression denial of service. And I decided to actually try to root out all of the last ones in GitLab. Why do people find them once in a while, and always in old code?
Why hasn't anyone just found all of them? That was my idea. So I started to grep through the code base, using regular expressions, trying to find regular expressions. Yeah. So it was actually one of my maybe most structured attacks ever. I got this list of about 200 potential ones. I think I grepped for a couple of patterns, like anything that contained more than one star or plus.
So that's the indicator. The main goal of a regular expression denial of service is to get the regular expression to go into a really, really deep nested search for something. You have something called backtracking, so it tries to go as far forward as it can, and then it goes back, and then it goes forward again, and back and forward, and it creates this exponential amount of paths through whatever you're trying to match.
And this usually happens when you have multiple asterisks or pluses. It can happen in other scenarios as well, but the simple example is: if you have a wildcard one or more times and another wildcard one or more times, and I have this string of three A's, the first group can be two A's and the second can be one, and then it can be one, two or two, one.
And then with this simple example, it's two different combinations, I don't know, it's the tree that's being built somewhere, but it's two combinations. And I assume your inputs are not three characters long, more like 3,000. And actually something that I had to learn, because the theory is quite easy, but then you actually had to learn to make it break using your payload.
So after all the A's you have to put a B or whatever, because it has to fail and then go back and try again, different paths. Yeah. That's a super simple example, but in different cases it could be quite convoluted. So you want the sandwich to be almost your whole input. Yeah. But not the last character.
At least there are some different ones. And I actually learned that it's a classic research topic. There are university people doing heavy research into ReDoS bugs. And I actually tried some Java-based Chinese research tools that were put out on GitHub.
It didn't really catch more than my grep did, maybe it could, but in the end what you have to do is first find the bad regex and then figure out if you can actually get there. You have to figure out if it's bad, and that you can do for free: there are web pages where you can just paste a regex and it will tell you if it could be a problem or not. Okay. But then you also have to find a way to get
the payload to that place in the application, right? And most of the time, as you kind of mentioned, most of the bad regexes are not that bad, but they are bad if you give them 500,000 Ks or whatever. Yeah. If you give it a lot of data, then it will break, because if it was a computer from 20 years ago it would probably break easier, but nowadays they can do a lot of work.
But there's a lot of those places in, for example, GitLab where you can get huge data that you control into one of these semi-bad regexes. Yeah. What severity do they usually assign? You have two levels. I can also say now that I think ReDoS is in scope again, but they have actually fixed it at a language level now at GitLab. So it's sort of a dead bug.
But that's also why you see people transitioning into these other sorts of DoS bugs. But I mean, it's a medium if you have to have a user. What you really want is to be able to send an unauthenticated request. And then you get the full amount. They have some metric: you have to trigger a 10-second delay on a specific setup with a set number of cores and stuff like that. Oh, that's cool.
Yeah. So they have it in the policy, how bad you have to make it for it to become high instead of low or whatever. And I guess I found 18 of these bugs or whatever. And every bug I found, I found one at a time and exploited them. And I thought, okay, yeah, that was the last one. It cannot be better than this.
And then in the end, I think it was the last two I found, because then I had an epiphany, I was taking a shower or whatever, a classic shower moment. And I thought, I saw something strange in the code. I remembered that I saw something really strange and I went back and found it. And it was actually, speaking of old bugs, in the main search bar.
Yeah. When you search for code in GitLab, you can actually put stars, asterisks, in your search for wildcard matches. And for some reason, I hadn't really thought about how this is implemented, but if you look at the code, at that time at least, it would parse it out, because it's not regex, it's just a star and it acts like dot-star. And if you looked at the code, they would actually match and replace in your string all the stars with dot-star
Oh, and then create the regex from it. And create a regex from it. And so then I could actually create the schoolbook example. So you could do it unauthenticated, and something that almost always exists in all repos is the README file. So I could do a big R star, star, star, star, star, star, star, star, and end it with something that is not MD, right? So like markdown, it has to end with something else. Yeah. Okay.
And then you could break it with that. And usually with these ReDoS things, you send a bunch of requests to kill all the cores, so they end up at a hundred percent usage. But it was really fun. That's how I found two different ones of those in the end. And they got rewarded as high. So even when I thought I had found the last remaining one, I found these two, and that was right before they put it out of scope. So it was great.
Yeah. You were the reason. I mean, they were actually really, really nice with this, because they had it in the pipeline to actually upgrade and kill ReDoS for good by updating Ruby to 3.2 or whatever it is. But the roadmap was in six months or something like that. So they said, yeah, if you have reported it before now, it will still be dangerous for a six-month period, so we will still reward it. Okay.
We're heading to the end of the interview. I think it's actually getting quite dark here. It is getting quite dark and we don't have lights here, but if you cannot see us, we're still here. Listen to us, we're still continuing. Just one more question: after so much time and so many things learned, how do you still learn new stuff today? Yeah. I think I will only still do this as long as I am learning things.
I can't really see myself just doing it, the grind or whatever, even if I find it really interesting to be able to live off of finding bugs and being in control of my time and everything. One of the reasons why I quit my job was that I felt like I could learn more and quicker if I did this on my own, if I could control my time.
But that also means that I want to and need to learn things, and how I do it is to remind myself to go to the correct sources, like reading documentation, trying to become better at using the right tools and learning tools. So with all of this, like debugging and setting up environments, taking a small step each day. Yeah. And then with the bug types and stuff like that.
It's more that you have to put yourself out there and try. You cannot just try to find whatever you have found before. You have to be, I don't know, you cannot really call it brave, but you have to put yourself in a position where you think you will fail. Yeah. And then sometimes you will actually succeed and you will make a new step forward.
And so, for example, I found my first RCE this year as well. I really didn't think I could check more boxes after becoming number one at GitLab this year, but yeah. And when you finally do it, it also feels quite easy. And now maybe I've only found one so far. I still have a lot to learn. Yeah. Well, I think we all do. What are your plans for 2025? In a way, it's funny that I think my answer is really similar to when we last
spoke: becoming more structured, creating some automation. I've actually started taking notes. It's always been my thing that I don't take notes, but I've been using Obsidian now and I really, really enjoy it. I need to get better at it, but at least I throw things in there and I've found myself searching my own notes a lot. Yeah. So it definitely helps. But yeah, and browser hacking is on the list as well. Yeah.
I mean, the to-do list is always: move to a new program, expand. But I don't really have anything super big. I've had quite good success this year, it's been intense and there's been a lot happening. So my big goal is to survive a year. Survive, not literally, but mentally. Yeah. Feel like it's still interesting and fun, I don't burn out, and maybe settle into this new situation of being in control of my own time.
Cool. Good luck with this. Thank you so much for the interview. If you enjoyed it, you can also check out our interview from two years ago, which we mentioned a few times. There we spoke a little bit more about the university, about the thesis, about getting into security. So if you enjoyed this one, you will definitely like that one as well. For now, thank you so much for listening, and goodbye.
