🚀 API SECURITY TIP

"Trying to find BOLA (IDOR) in APIs, got 401/403 errors? AuthZ bypass tricks:

• Wrap ID with an array {“id”:111} --> {“id”:[111]}
• JSON wrap {“id”:111} --> {“id”:{“id”:111}}
• Send ID twice URL?id=<LEGIT>&id=<VICTIM>
• Send wildcard {""user_id"":""*""}"

🚀 Amazing XSS Guide

Collection of Awesome XSS resources and help you to understand XSS sanitization and tricks to bypass it

https://github.com/s0md3v/AwesomeXSS

#bugbounty #infosec #hacking #cybersecurity #penetrationtesting

[1,2,3]==[1,2,3] is false because JavaScript actually has two different approaches for testing equality. Primitives like strings and numbers are compared by their value, while objects like arrays, dates, and plain objects are compared by their reference. That comparison by reference basically checks to see if the objects given refer to the same location in memory.

In addition between string and integer. Js convert int to string sk '50'+1= 501
But for subtraction it convert string to int so '40'-1=39

#BugBountyTips

If the server only allows the GET and POST methods, then try adding “X-HTTP-Method -Override: PUT to achieve RCE via the PUT method.

Although Now it's a rare case but it works. So, Do consider this also

Bug Bounty Automation -{ Oneliner Commands }
- { V2 }

#bugbounty #Infosec #cybersecurity #hacking

👇🏼👇🔻🔻👇🏼👇

Again same reason!!
Both objects will have different locations !!
For non-primative data type js compare by the location of the object and they will have different locations. So it is
False !!