Found out I had this RR on my disk from March when I was getting way too excited about the RCE technique used here. I'm Mista bug isolation right now so we're balling out of the backlog. Research Review. https://t.co/kKH8rAKSUa
We've published a new blog post by RyotaK @ryotkak !
He exploited a directory deletion race condition in Google Cloud's Looker, leading to full RCE and K8s privilege escalation.
Read the technical details here:
https://t.co/3eFBt0tKbk
Went into this so unprepared to deal with the level of depth and intimacy with this target that was described. Some of the most fun I've had doing any of these. Research Review. https://t.co/3sNou9gIaR
A while ago, but a pretty interesting write up on a fun Azure bug with some serious impact. Pretty interesting seeing the attempted patches and the bypasses. Research Review. https://t.co/jriCrujqZV
One attack vector closed, addt’l hardening recommended for #SynLapse. Here’s the full technical details in our latest post. Special thanks to Orca Security Researcher @TzahPahima for this important discovery that improves cloud security!
https://t.co/5RrNPDtT1j
If you ever have to tell me hacking bedtime stories, this is exactly the kind of tale I would want to hear. It has a lot of my favorite chain step characters. Research review. https://t.co/7FwOlY2Mhy
Running a Figma plugin is enough to land cross-platform zero-click RCE on Figma Desktop...
Read the writeup on the Critical Research Lab https://t.co/16w1iiWEmF
And thanks @Dav3nn for the incredible post, what an amazing chain! =)
He made the windows hug and now the LLM no longer bullies him by rolling to refuse to cooperate when triage tries to reproduce the bug. Thanks doc. Healing the world one iframe at a time. Research Review. https://t.co/iEzBuotlKt
This time we have a guest blog from @xssdoctor, showcasing a new technique in AI hacking to achieve more consistent exploitation. This was initially a research collision, but XSSDoctor masterfully exploited this in the wild.
Link below 👇
AI pentesting agent XSS findings finished in heavily charred barrels, filtering out harshness while infusing deep, toasted vanilla flavors. This research demonstrates a pattern that leads to some pretty natural and interesting conclusions. Research Review. https://t.co/lpajzmLl0e
New blog post is out! A few vulnerabilities in Mailcow.
A critical unauthenticated XSS, and another interesting Self-XSS escalation involving a Login CSRF with a leftover tab. Check it out:
https://t.co/OL2gV5H2J3
@wunderwuzzi23 I wonder if it's conceptually similar to the purpose of the 🎭 masks from classical Greek theater, where the expressions are exaggerated so a far away audience can still make them out. I bet the exaggeration here allows for easier intent classification when later reconsumed.
This writeup is crazy. Such a large build up and pushing through so many scenarios where I would have walked away multiple times over. Such a cool final payload that ends up much more concise. Research review. https://t.co/dBMDLuZXWu
Last year I found a MXSS (dream) bug in a Mail app, it involved bypassing 2 consecutive sanitizers, recursive DOMPurify calls plus CKEditor. Hope you will like it
https://t.co/ul0huEVt8t
All thanks to @kevin_mizu for putting such great content around mxss and those bypasses🙇♀️
Everybody wants to argue about how gif is pronounced but nobody wants to talk about how .svg should be pronounced "savage", cause this bug was pretty savage. Research Review. https://t.co/aZU8XsiVcG
After receiving a voucher in a giveaway by @ctbbpodcast, I just completed @arcanuminfosec's TBHM course. It strikes a balance between depth and approachability, delivering on both. @Jhaddix is a very knowledgeable instructor with a lot of unique insights to share!
🗣️ HAPPENING THIS WEEK!
The Bug Hunter’s Methodology (TBHM) — LIVE
Join Jason Haddix as he shares what’s actually working in 2026.
Inside:
• Live testing against real-world targets
• Automation + workflow optimization
• Direct access to experienced bug hunters
• Ongoing Discord community
📅 April 8–10
⏰ 10AM–5PM MST
Last chance to jump in.
🔗 https://t.co/a45eFpbvWi
@xssdoctor's CSPT research covers eight frameworks: https://t.co/fM5TAY3xa5
React Router's .replace(/%2F/g, "/") in matchPath has no i flag, so double-decode only works when the F in %252F is uppercase. This was reintroduced after a previous fix and is still in the codebase. Splat routes (path="files/*") match with (.*) instead of ([^\\/]+), so ../../admin works with zero encoding.
Next.js uses the same await params API in page components and route handlers but they do opposite things. Page components re-encode through getParamValue(), route handlers fully decode through getRouteMatcher(). The traversal lands server-side.
Ember's normalizePath() re-encodes % after decoding, which accidentally kills double-encoding. Wildcard params skip the final decodeURIComponent entirely, so they need literal ../ instead of encoded payloads.
SvelteKit's param matchers reject bad values at the routing level before any load function even runs. Server load functions in +page.server.ts bypass hooks.server.ts, so auth middleware won't protect you.
Nuxt's island component payload revival (revive-payload.client.js) is a stored CSPT sink. If you can poison window.__NUXT__, the key traverses the $fetch URL. (CVE-2025-59414)
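As an added example (not code from React Router, Next.js, Ember, SvelteKit or Nuxt, and not from the research linked above), the block below contrasts the single case-sensitive `%2F` replace the thread describes with a check that percent-decodes a route parameter to a fixed point and then inspects its segments, so the result does not depend on whether the payload's hex digits are upper- or lowercase. Function names and the `allowSeparators` option are assumptions made for this illustration.

```javascript
// Added example, not any framework's code. Shows why a one-pass,
// case-sensitive "%2F" replace is a weak traversal guard and how a
// fixed-point decode with segment inspection behaves instead.

// Models the one-pass pattern the thread describes: one decode, then a
// case-sensitive replace of "%2F". A lowercase "%252f" survives unchanged.
function onePassDecode(segment) {
  return decodeURIComponent(segment).replace(/%2F/g, "/");
}

// Percent-decodes until the value stops changing, bounded so malformed or
// deeply nested encodings cannot spin. Returns null when the input is not
// valid percent-encoding or does not settle; callers treat null as reject.
function decodeToFixedPoint(value, maxRounds = 5) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch {
      return null; // malformed sequence such as a bare "%": reject, don't guess
    }
    if (next === current) return current; // stable: fully decoded
    current = next;
  }
  return null; // still changing after maxRounds: treat as hostile
}

// Returns true when a route value, fully decoded, would traverse.
// For a single dynamic segment (the default) any separator is rejected.
// For splat/wildcard values (allowSeparators: true) separators are fine,
// but a ".." segment is still rejected, encoded or literal.
function containsTraversal(rawValue, { allowSeparators = false } = {}) {
  const decoded = decodeToFixedPoint(rawValue);
  if (decoded === null) return true;
  const parts = decoded.split(/[\\/]/);
  if (!allowSeparators && parts.length > 1) return true;
  return parts.some((part) => part === "..");
}

// Constructed sample values, run when executed directly:
// "%252F" collapses to "/" under either approach, but "%252f" only
// collapses under the fixed-point decode.
if (typeof require !== "undefined" && require.main === module) {
  for (const v of ["%252F", "%252f", "%252e%252e%252fadmin", "report-2024"]) {
    console.log(v, "onePass:", onePassDecode(v), "traversal:", containsTraversal(v));
  }
}
```

The `allowSeparators` option exists because splat routes such as `files/*` legitimately carry slashes; the `..` segment check still applies to them, which is the case the thread notes works with no encoding at all.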
Playing 21 questions with the Google Pixel volume trying to divine the true nature of the victim's spirit animal with respect to the trajectory of Mars. Research Review. https://t.co/0jjy6qoxGU
We took things further in hacking Gemini, and exfiltrated data via... volume settings! We also present a new technique for data exfiltration in LLM-based systems. Enjoy 🔥
Link in comments:
Research Review is back! This episode explores how SharkazFR used a really creative technique to escape "sandboxed" file reading code in n8n. https://t.co/bsrJ6cjyHA
The Research Lab is on fire this week, we just got a new writeup from SharkazFR:
- TOCTOU race condition leads to full ATO on popular open source automation platform n8n
https://t.co/Vgzwfl4WqE
@dmxjon It does a lot better when it has target specific details. Feeding it details of previously discovered/disclosed bugs and looking for bypasses and variants tends to be way more fruitful than "here are the kinds of bugs I want to find, go hack this."