Hey Hunter's,
DarkShadow is here back again!
π₯ 100 Web Vulnerabilities, categorized into various types : π
β‘ Injection Vulnerabilities:
1. SQL Injection (SQLi)
2. Cross-Site Scripting (XSS)
3. Cross-Site Request Forgery (CSRF)
4. Remote Code Execution (RCE)
5. Command Injection
6. XML Injection
7. LDAP Injection
8. XPath Injection
9. HTML Injection
10. Server-Side Includes (SSI) Injection
11. OS Command Injection
12. Blind SQL Injection
13. Server-Side Template Injection (SSTI)
β‘ Broken Authentication and Session Management:
14. Session Fixation
15. Brute Force Attack
16. Session Hijacking
17. Password Cracking
18. Weak Password Storage
19. Insecure Authentication
20. Cookie Theft
21. Credential Reuse
β‘ Sensitive Data Exposure:
22. Inadequate Encryption
23. Insecure Direct Object References (IDOR)
24. Data Leakage
25. Unencrypted Data Storage
26. Missing Security Headers
27. Insecure File Handling
β‘ Security Misconfiguration:
28. Default Passwords
29. Directory Listing
30. Unprotected API Endpoints
31. Open Ports and Services
32. Improper Access Controls
33. Information Disclosure
34. Unpatched Software
35. Misconfigured CORS
36. HTTP Security Headers Misconfiguration
β‘ XML-Related Vulnerabilities:
37. XML External Entity (XXE) Injection
38. XML Entity Expansion (XEE)
39. XML Bomb
β‘ Broken Access Control:
40. Inadequate Authorization
41. Privilege Escalation
42. Insecure Direct Object References
43. Forceful Browsing
44. Missing Function-Level Access Control
β‘ Insecure Deserialization:
45. Remote Code Execution via Deserialization
46. Data Tampering
47. Object Injection
β‘ API Security Issues:
48. Insecure API Endpoints
49. API Key Exposure
50. Lack of Rate Limiting
51. Inadequate Input Validation
β‘ Insecure Communication:
52. Man-in-the-Middle (MITM) Attack
53. Insufficient Transport Layer Security
54. Insecure SSL/TLS Configuration
55. Insecure Communication Protocols
β‘ Client-Side Vulnerabilities:
56. DOM-based XSS
57. Insecure Cross-Origin Communication
58. Browser Cache Poisoning
59. Clickjacking
60. HTML5 Security Issues
β‘ Denial of Service (DoS):
61. Distributed Denial of Service (DDoS)
62. Application Layer DoS
63. Resource Exhaustion
64. Slowloris Attack
65. XML Denial of Service
β‘ Other Web Vulnerabilities:
66. Server-Side Request Forgery (SSRF)
67. HTTP Parameter Pollution (HPP)
68. Insecure Redirects and Forwards
69. File Inclusion Vulnerabilities
70. Security Header Bypass
71. Clickjacking
72. Inadequate Session Timeout
73. Insufficient Logging and Monitoring
74. Business Logic Vulnerabilities
75. API Abuse
β‘ Mobile Web Vulnerabilities:
76. Insecure Data Storage on Mobile Devices
77. Insecure Data Transmission on Mobile Devices
78. Insecure Mobile API Endpoints
79. Mobile App Reverse Engineering
β‘ IoT Web Vulnerabilities:
80. Insecure IoT Device Management
81. Weak Authentication on IoT Devices
82. IoT Device Vulnerabilities
β‘ Web of Things (WoT) Vulnerabilities:
83. Unauthorized Access to Smart Homes
84. IoT Data Privacy Issues
β‘ Authentication Bypass:
85. Insecure "Remember Me" Functionality
86. CAPTCHA Bypass
β‘ Server-Side Request Forgery (SSRF):
87. Blind SSR
88. Time-Based Blind SSRF
β‘ Content Spoofing:
89. MIME Sniffing
90. X-Content-Type-Options Bypass
91. Content Security Policy (CSP) Bypass
β‘ Business Logic Flaws:
92. Inconsistent Validation
93. Race Conditions
94. Order Processing Vulnerabilities
95. Price Manipulation
96. Account Enumeration
97. User-Based Flaws
β‘ Zero-Day Vulnerabilities:
98. Unknown Vulnerabilities
99. Unpatched Vulnerabilities
100. Day-Zero Exploits
Let me know i there any vulnerability i missed?!
DarkShadow is here back again!
π₯ 100 Web Vulnerabilities, categorized into various types : π
β‘ Injection Vulnerabilities:
1. SQL Injection (SQLi)
2. Cross-Site Scripting (XSS)
3. Cross-Site Request Forgery (CSRF)
4. Remote Code Execution (RCE)
5. Command Injection
6. XML Injection
7. LDAP Injection
8. XPath Injection
9. HTML Injection
10. Server-Side Includes (SSI) Injection
11. OS Command Injection
12. Blind SQL Injection
13. Server-Side Template Injection (SSTI)
β‘ Broken Authentication and Session Management:
14. Session Fixation
15. Brute Force Attack
16. Session Hijacking
17. Password Cracking
18. Weak Password Storage
19. Insecure Authentication
20. Cookie Theft
21. Credential Reuse
β‘ Sensitive Data Exposure:
22. Inadequate Encryption
23. Insecure Direct Object References (IDOR)
24. Data Leakage
25. Unencrypted Data Storage
26. Missing Security Headers
27. Insecure File Handling
β‘ Security Misconfiguration:
28. Default Passwords
29. Directory Listing
30. Unprotected API Endpoints
31. Open Ports and Services
32. Improper Access Controls
33. Information Disclosure
34. Unpatched Software
35. Misconfigured CORS
36. HTTP Security Headers Misconfiguration
β‘ XML-Related Vulnerabilities:
37. XML External Entity (XXE) Injection
38. XML Entity Expansion (XEE)
39. XML Bomb
β‘ Broken Access Control:
40. Inadequate Authorization
41. Privilege Escalation
42. Insecure Direct Object References
43. Forceful Browsing
44. Missing Function-Level Access Control
β‘ Insecure Deserialization:
45. Remote Code Execution via Deserialization
46. Data Tampering
47. Object Injection
β‘ API Security Issues:
48. Insecure API Endpoints
49. API Key Exposure
50. Lack of Rate Limiting
51. Inadequate Input Validation
β‘ Insecure Communication:
52. Man-in-the-Middle (MITM) Attack
53. Insufficient Transport Layer Security
54. Insecure SSL/TLS Configuration
55. Insecure Communication Protocols
β‘ Client-Side Vulnerabilities:
56. DOM-based XSS
57. Insecure Cross-Origin Communication
58. Browser Cache Poisoning
59. Clickjacking
60. HTML5 Security Issues
β‘ Denial of Service (DoS):
61. Distributed Denial of Service (DDoS)
62. Application Layer DoS
63. Resource Exhaustion
64. Slowloris Attack
65. XML Denial of Service
β‘ Other Web Vulnerabilities:
66. Server-Side Request Forgery (SSRF)
67. HTTP Parameter Pollution (HPP)
68. Insecure Redirects and Forwards
69. File Inclusion Vulnerabilities
70. Security Header Bypass
71. Clickjacking
72. Inadequate Session Timeout
73. Insufficient Logging and Monitoring
74. Business Logic Vulnerabilities
75. API Abuse
β‘ Mobile Web Vulnerabilities:
76. Insecure Data Storage on Mobile Devices
77. Insecure Data Transmission on Mobile Devices
78. Insecure Mobile API Endpoints
79. Mobile App Reverse Engineering
β‘ IoT Web Vulnerabilities:
80. Insecure IoT Device Management
81. Weak Authentication on IoT Devices
82. IoT Device Vulnerabilities
β‘ Web of Things (WoT) Vulnerabilities:
83. Unauthorized Access to Smart Homes
84. IoT Data Privacy Issues
β‘ Authentication Bypass:
85. Insecure "Remember Me" Functionality
86. CAPTCHA Bypass
β‘ Server-Side Request Forgery (SSRF):
87. Blind SSR
88. Time-Based Blind SSRF
β‘ Content Spoofing:
89. MIME Sniffing
90. X-Content-Type-Options Bypass
91. Content Security Policy (CSP) Bypass
β‘ Business Logic Flaws:
92. Inconsistent Validation
93. Race Conditions
94. Order Processing Vulnerabilities
95. Price Manipulation
96. Account Enumeration
97. User-Based Flaws
β‘ Zero-Day Vulnerabilities:
98. Unknown Vulnerabilities
99. Unpatched Vulnerabilities
100. Day-Zero Exploits
Let me know i there any vulnerability i missed?!
π₯8β€5π1
π¨ cPanelSniper β CVE-2026-41940
CRITICAL auth bypass in cPanel & WHM (CVSS 10.0)
Zero credentials β Full root WHM access via CRLF injection + session file poisoning.
~70 million domains affected.
### Exploit Chain (4 stages):
1. Pre-auth session minting
2. CRLF injection via Authorization header
3. do_token_denied gadget (raw β cache flush)
4. /json-api/version β PWNED
What you get:
- β Interactive WHM root shell
- β Account enumeration
- β Command execution
- β Backdoor admin creation
- β Ready for bulk scanning (stdlib only, no extra deps)
https://github.com/ynsmroztas/cPanelSniper
CRITICAL auth bypass in cPanel & WHM (CVSS 10.0)
Zero credentials β Full root WHM access via CRLF injection + session file poisoning.
~70 million domains affected.
### Exploit Chain (4 stages):
1. Pre-auth session minting
2. CRLF injection via Authorization header
3. do_token_denied gadget (raw β cache flush)
4. /json-api/version β PWNED
What you get:
- β Interactive WHM root shell
- β Account enumeration
- β Command execution
- β Backdoor admin creation
- β Ready for bulk scanning (stdlib only, no extra deps)
https://github.com/ynsmroztas/cPanelSniper
1π₯5β€3π1π«‘1
Forwarded from Brut Security
β‘Google Dorks - Cloud Storage: site:http://s3.amazonaws.com "target[.]com" site:http://blob.core.windows.net "target[.]com" site:http://googleapis.com "target[.]com" site:http://drive.google.com "target[.]com"
πFind buckets and sensitive data.
Combine:
site:http://s3.amazonaws.com | site:http://blob.core.windows.net | site:http://googleapis.com | site:http://drive.google.com "target[.]com"
Add something to narrow the results: "confidentialβ βprivileged" βnot for public releaseβ
β Credit- Mike Takahashi
πFind buckets and sensitive data.
Combine:
site:http://s3.amazonaws.com | site:http://blob.core.windows.net | site:http://googleapis.com | site:http://drive.google.com "target[.]com"
Add something to narrow the results: "confidentialβ βprivileged" βnot for public releaseβ
β Credit- Mike Takahashi
β€3π₯3π2
url/?f=etc/passwd ==> 403
encode etc/passwd as base64
url/?f=L2V0Yy9wYXNzd2Q= ==> 200
#note
you can use this trick in SQL , SSTI , XSS , LFI , Etc...
By:@GodfatherOrwa
#bugbountytips #BugBounty
encode etc/passwd as base64
url/?f=L2V0Yy9wYXNzd2Q= ==> 200
#note
you can use this trick in SQL , SSTI , XSS , LFI , Etc...
By:@GodfatherOrwa
#bugbountytips #BugBounty
β€23π5
site:example[.]com ext:log | ext:txt | ext:conf | ext:cnf | ext:ini | ext:env | ext:sh | ext:bak | ext:backup | ext:swp | ext:old | ext:~ | ext:git | ext:svn | ext:htpasswd | ext:htaccess | ext:json
Please open Telegram to view this post
VIEW IN TELEGRAM
π9β€5π€¨3π1
A tool to find open S3 buckets in AWS or other cloud providers:
- AWS
- DigitalOcean
- DreamHost
- GCP
- Linode
- Scaleway
- Custom
Source: https://github.com/sa7mon/s3scanner
- AWS
- DigitalOcean
- DreamHost
- GCP
- Linode
- Scaleway
- Custom
Source: https://github.com/sa7mon/s3scanner
π₯7β€4π4
Please open Telegram to view this post
VIEW IN TELEGRAM
topmate.io
Brut Offensive Playbook v1 with Saumadip Mandal
Pro hacker's playbook: recon, XSS, SQLi, SSRF & more
β€1π1
You've done 10 courses. You have zero projects. You're wondering why no one's calling back.
The industry has 4.8M+ unfilled roles globally β and you're still unemployed. That's not bad luck. That's a bad strategy.
In this article we break down exactly what's broken in how beginners are approaching cybersecurity careers right now β and the 7 steps that actually get you hired in 2026:
No fluff. No "just get certified." Just what actually works.
π Want to build the skills this article talks about? Brut Practical Web Pentesting is open for enrollment β link in bio / website.
#CyberSecurity #InfoSec #CareerAdvice #PenTesting #BrutSecurity
Please open Telegram to view this post
VIEW IN TELEGRAM
Medium
Nobody Owes You a Cybersecurity Job in 2026. Hereβs How to Earn One Anyway.
Letβs get one thing straight before you read another word of this: you are not entitled to a cybersecurity job just because you finished aβ¦
β€5π₯2π2π1
Brut Security pinned Β«π¨ Nobody owes you a cybersecurity job in 2026. You've done 10 courses. You have zero projects. You're wondering why no one's calling back. The industry has 4.8M+ unfilled roles globally β and you're still unemployed. That's not bad luck. That's a bad strategy.β¦Β»
This media is not supported in your browser
VIEW IN TELEGRAM
How to manually check for CL.TE Request Smuggling Vulnerabilities:
1οΈβ£ See if a GET request accepts POST
2οΈβ£ See if it accepts HTTP/1
3οΈβ£ Disable "Update Content-Length"
4οΈβ£ Send with CL & TE headers:
POST / HTTP/1.1
Host: <HOST-URL>
Content-Length: 6
Transfer-Encoding: chunked
0
G
5οΈβ£ Send request twice.
If you receive a response like "Unrecognized method GPOST", you've just confirmed a CL.TE vulnerability!
Try this out for yourself in our CL.TE lab: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
1οΈβ£ See if a GET request accepts POST
2οΈβ£ See if it accepts HTTP/1
3οΈβ£ Disable "Update Content-Length"
4οΈβ£ Send with CL & TE headers:
POST / HTTP/1.1
Host: <HOST-URL>
Content-Length: 6
Transfer-Encoding: chunked
0
G
5οΈβ£ Send request twice.
If you receive a response like "Unrecognized method GPOST", you've just confirmed a CL.TE vulnerability!
Try this out for yourself in our CL.TE lab: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
β€9π5π₯4
βΊοΈYour support keeps me motivated to share more valuable content! If you found this helpful, drop a like & send stars β to help me keep going.
π¬ For queries, message me on Telegram: @wtf_brut
π For course enrollment, reach out on WhatsApp: wa.link/brutsecurity
π¬ For queries, message me on Telegram: @wtf_brut
π For course enrollment, reach out on WhatsApp: wa.link/brutsecurity
Telegram
Saumadip Mandal
Founder & Mentor of Brut Security
1β€11π¨βπ»1
π₯ BRUT SECURITY β DAILY PENTEST DROP π₯
"403 Forbidden" doesn't always mean forbidden.
Hit a locked admin panel? Don't walk away β try these path tricks first:
Servers parse paths differently than WAFs filter them. That mismatch = your way in.
Bonus move:
Some reverse proxies trust this header blindly. 200 OK where there should've been a wall.
β οΈ Always test on scope you're authorized for. This is recon, not a free pass.
π¬ Drop a like if you've ever bypassed a 403 like this in the wild.
---
"403 Forbidden" doesn't always mean forbidden.
Hit a locked admin panel? Don't walk away β try these path tricks first:
/admin β 403
/admin/. β 200 β
//admin// β 200 β
/./admin/./ β 200 β
/admin/.;/ β 200 β
/admin%20 β try it
Servers parse paths differently than WAFs filter them. That mismatch = your way in.
Bonus move:
GET /anything HTTP/1.1
Host: target.com
X-Original-URL: /admin
Some reverse proxies trust this header blindly. 200 OK where there should've been a wall.
β οΈ Always test on scope you're authorized for. This is recon, not a free pass.
π¬ Drop a like if you've ever bypassed a 403 like this in the wild.
---
β€6π5π₯5
π¨ Bug Bounty Tip: Password Reset Race Condition
Many applications generate a password reset token but fail to invalidate it when critical account details change. This can create a dangerous account takeover scenario.
Test Flow:
1οΈβ£ Request a password reset for your account.
2οΈβ£ Do not use the reset link yet.
3οΈβ£ Log in normally using your current password.
4οΈβ£ Change your email address (or another identifier linked to password recovery).
5οΈβ£ Now open the old password reset link you received before the email change.
π₯ Potential Finding:
If the old reset token still resets the password after the email change, the application isn't invalidating previously issued reset tokens. An attacker with access to an older reset email could still take over the account even after the user updates their recovery email.
What to Verify:
β’ Is the old token still valid after changing the email?
β’ Does the reset affect the current account owner?
β’ Are all existing reset tokens revoked after sensitive account changes?
β’ Does changing the password or email invalidate outstanding reset links?
π― Impact: High (Account Takeover) if an attacker can obtain or intercept an old password reset email.
Always test only on accounts you own or are explicitly authorized to assess.
Many applications generate a password reset token but fail to invalidate it when critical account details change. This can create a dangerous account takeover scenario.
Test Flow:
1οΈβ£ Request a password reset for your account.
2οΈβ£ Do not use the reset link yet.
3οΈβ£ Log in normally using your current password.
4οΈβ£ Change your email address (or another identifier linked to password recovery).
5οΈβ£ Now open the old password reset link you received before the email change.
π₯ Potential Finding:
If the old reset token still resets the password after the email change, the application isn't invalidating previously issued reset tokens. An attacker with access to an older reset email could still take over the account even after the user updates their recovery email.
What to Verify:
β’ Is the old token still valid after changing the email?
β’ Does the reset affect the current account owner?
β’ Are all existing reset tokens revoked after sensitive account changes?
β’ Does changing the password or email invalidate outstanding reset links?
π― Impact: High (Account Takeover) if an attacker can obtain or intercept an old password reset email.
Always test only on accounts you own or are explicitly authorized to assess.
β€4π1
An anonymous GitHub account has begun releasing proof-of-concepts for exploits framed as undisclosed zero-days, accompanied by a note instructing readers to report the findings and claim credit for the associated CVEs themselves. π‘οΈπ
https://github.com/bikini/exploitarium π
https://github.com/bikini/exploitarium π
π4π₯4β€1
π¨ CVE-2026-20230: Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition Server-Side Request Forgery (SSRF)
Critical Vulnerability Alert!
Cisco Unified Communications Manager is affected by CVE-2026-20230.
Full Vulnerability Details & Analysis at DarkEye:
π https://darkeye.org/vuln/cve/CVE-2026-20230
π Identify Targets via ZoomEye:
Filter: vul.cve="CVE-2026-20230"
Search Dork: app="Cisco Unified Communications Manager"
Exposure: 5k instances identified globally.
ZoomEye Search Link:
π https://www.zoomeye.ai/searchResult?q=YXBwPSJDaXNjbyBVbmlmaWVkIENvbW11bmljYXRpb25zIE1hbmFnZXIi&t=all&utm_source=telegram&utm_medium=community&utm_campaign=cve_ops_20260626
Critical Vulnerability Alert!
Cisco Unified Communications Manager is affected by CVE-2026-20230.
Full Vulnerability Details & Analysis at DarkEye:
π https://darkeye.org/vuln/cve/CVE-2026-20230
π Identify Targets via ZoomEye:
Filter: vul.cve="CVE-2026-20230"
Search Dork: app="Cisco Unified Communications Manager"
Exposure: 5k instances identified globally.
ZoomEye Search Link:
π https://www.zoomeye.ai/searchResult?q=YXBwPSJDaXNjbyBVbmlmaWVkIENvbW11bmljYXRpb25zIE1hbmFnZXIi&t=all&utm_source=telegram&utm_medium=community&utm_campaign=cve_ops_20260626
β€1π1
βΊοΈYour support keeps me motivated to share more valuable content! If you found this helpful, drop a like & send stars β to help me keep going.
π¬ For queries, message me on Telegram: @wtf_brut
π For course enrollment, reach out on WhatsApp: wa.link/brutsecurity
π¬ For queries, message me on Telegram: @wtf_brut
π For course enrollment, reach out on WhatsApp: wa.link/brutsecurity
Telegram
Saumadip Mandal
Founder & Mentor of Brut Security
π7β€2