Bypassing Firefox's HTML Sanitizer API
PortSwigger Research
The HTML Sanitizer is a great new API that allows web developers to filter untrusted HTML natively in the browser rather than use a JavaScript library such as DOM Purify. Microsoft created a similar A
#bypass #API
——————
0Day.Today
@LearnExploit
@Tech_Army
➖ 97 JSON tests for authentication EndPoints
🧾 API Security CheatSheet
#API #Security #CheatSheet
➖➖➖➖➖➖➖➖
IR0Day.Today Bax
@LearnExploit
@Tech_Army
HTTP Parameter Discovery Suite
Arjun can find query parameters for URL endpoints. If you don't get what that means, it's okay, read along.
Web applications use parameters (or queries) to accept user input, take the following example into consideration:
http://api.example.com/v1/userinfo?id=751634589
This URL seems to load user information for a specific user id, but what if there exists a parameter named admin which when set to True makes the endpoint provide more information about the user?
This is what Arjun does, it finds valid HTTP parameters with a huge default dictionary of 25,890 parameter names.
The best part? It takes less than 10 seconds to go through this huge list while making just 50-60 requests to the target. Here's how.
Supports GET/POST/POST-JSON/POST-XML requests.
You can install arjun with pip as following:
➜ ~ pip3 install arjun
or, by downloading this repository and running:
➜ ~ python3 setup.py install
BugCod3
#Recon #Api #Testing #Fuzzer #Fuzzing
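The post above describes the traffic shape of parameter discovery: thousands of candidate names packed into a few dozen requests against one endpoint. That shape is easy to spot from the server side. The following is an added example (not Arjun's code and not from the post) that parses combined-format access log lines and raises two alerts: a single request carrying far more query parameters than any real client sends, and one client accumulating an unusually large set of distinct parameter names against one path. The log lines are constructed, and the thresholds and the log format are assumptions to tune for the application being monitored.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
# Assumed format; adjust the pattern for other access-log layouts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return ip, path, status and the list of query parameter names, or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    names = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return {"ip": m.group("ip"), "path": parts.path,
            "status": int(m.group("status")), "params": names}


def detect(lines, max_params_per_request=30, max_distinct_per_client=200):
    """Scan log lines in order and return a list of alert dicts.

    oversized-query:        one request carries more parameters than the threshold
                            (candidate names batched into a single request).
    parameter-enumeration:  one client has now sent more distinct parameter names
                            to one path than the threshold (fires once per client/path).
    Thresholds are assumptions; set them from the real parameter count of each endpoint.
    """
    alerts = []
    seen = defaultdict(set)  # (ip, path) -> distinct parameter names observed so far
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        count = len(req["params"])
        if count > max_params_per_request:
            alerts.append({"rule": "oversized-query", "ip": req["ip"],
                           "path": req["path"], "count": count})
        key = (req["ip"], req["path"])
        before = len(seen[key])
        seen[key].update(req["params"])
        after = len(seen[key])
        if before <= max_distinct_per_client < after:
            alerts.append({"rule": "parameter-enumeration", "ip": req["ip"],
                           "path": req["path"], "distinct": after})
    return alerts


def _fuzz_line(ip, batch, per_request=150):
    """Constructed sample: one discovery request carrying a batch of candidate names."""
    names = [f"cand{batch * per_request + i}" for i in range(per_request)]
    query = "&".join(f"{n}=1" for n in names)
    return (f'{ip} - - [10/Oct/2023:13:56:0{batch} +0000] '
            f'"GET /v1/userinfo?id=1&{query} HTTP/1.1" 200 512')


# Constructed log: two ordinary requests, then three batched discovery requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /v1/userinfo?id=751634589 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /v1/userinfo?id=751634589&page=2 HTTP/1.1" 200 498',
    _fuzz_line("198.51.100.9", 0),
    _fuzz_line("198.51.100.9", 1),
    _fuzz_line("198.51.100.9", 2),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The ordinary client never trips either rule, while the batching client trips oversized-query on every request and parameter-enumeration once its distinct-name count passes the threshold. On the application side, the complementary control is an explicit allowlist of accepted parameters per endpoint, with unknown names rejected or ignored and logged, so that an undocumented parameter like the admin example cannot silently change behaviour.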
On demand query API for Threat-Intel project.
apiosintDS is a Python client library for the public API lookup service over OSINT IoCs stored at the DigitalSide Threat-Intel repository. It can be described as a Service-as-a-Library tool, designed to act both as a standard Python library to be included in your own Python application and as a command line tool. Queries can be performed against suspicious IPs, domains, URLs and file hashes. Stored data has a 7-day retention.
The easy way via pip:
pip3 install apiosintDS
Or from source, inside the apiosintDS directory:
python3 -m pip install .
Usage:
apiosintDS -e 7cb796c875cccc9233d82854a4e2fdf0
apiosintDS -e h[REMOVED]p://193.35.18.147/bins/k.arm -st -p -nc
LearnExploit
#api #ioc #cybersecurity