trabbit

Ethical hacker. Bug bounty hunter. Builder.

Transparency and speed in legal pentesting. No VPNs. High typing speed, patience, and logic.

years in

major highlights

995+

expired JWTs exposed

About

17-year-old bug bounty hunter and pentester since late 2022. Discovered critical issues like iframe injection for phishing previews, deceptive redirect flows, zero-click exploitation, and mass exposure of expired JWTs. Focused on responsible disclosure and education.

Stack

Platforms

Rig

Rebuilt ThinkPad, Blackweb keyboard, Dollarama wireless mouse
AVerMedia webcam, CAD Audio PodMaster mic
Asus RT-N12 + Helix routers
Ceiling RGB synced to keyboard

Habits

clear; for tidy terminals
Alias “trabbit” — magician’s hat meets hacker
Sensitive data vault: “im blue music.mp3”

Ethics: Strictly legal, educational, and responsible. No malicious hacking.

Highlighted Findings

Interactive Labs

Hands-on, in-browser, safe demonstrations. No external requests or scanning performed.

Phishing Preview Simulator (Iframe Injection)

Demonstrates how preview cards can be manipulated to show trusted content while linking elsewhere.

Preview Title Preview Description Visible URL Actual Link Target

Title placeholder

Description placeholder

https://url.placeholder

Lesson: Always inspect link targets, not just visible previews.

Obscured Domain Redirect Simulator

Shows how a warning banner can display a trusted domain while redirecting elsewhere.

Displayed Safe Domain Real Redirect Target

Awaiting simulation…

Expired JWT Analyzer

Paste a JWT. Decodes header/payload (no secret needed) and flags expiration.

JWT

{}

Recon: Subdomain & Sensitive Info Extractor

Offline parsing of pasted text for domains, emails, keys, and URLs — like a tiny BHunty demo.

Paste HTML/Logs/Text

Subdomains

Emails

URLs

API Keys

Tools & Projects

A place for interesting personal projects and tools. Here is a simple interactive terminal demo.

trabbit@portfolio:~$ _

trabbit@portfolio:~$