GraphQL — Common vulnerabilities & how to exploit them
https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696
Hello there! How you doin? Bilal Rizwan here & I hope everyone is safe in this time of crisis and making complete use of your…
Cannot Delete Post on Facebook Group: Facebook Bug Bounty
https://medium.com/@saugatpokharel/cannot-delete-post-on-facebook-group-facebook-bug-bounty-4f2661655c3a
Same Same But Different: Discovering SQL Injections Incrementally with Isomorphic SQL Statements
https://spaceraccoon.dev/same-same-but-different-discovering-sql-injections-incrementally-with
Despite the increased adoption of Object-Relational Mapping (ORM) libraries and prepared SQL statements, SQL injections continue to turn up in modern applications. In real-world scenarios, researchers need to balance two concerns when searching for SQL injections…
Akamai Web Application Firewall Bypass Journey: Exploiting “Google BigQuery” SQL Injection Vulnerability
https://hackemall.live/index.php/2020/03/31/akamai-web-application-firewall-bypass-journey-exploiting-google-bigquery-sql-injection-vulnerability/
Forwarded from Android Security & Malware
Android Webview Exploited
http://www.nuckingfoob.me/android-webview-csp-iframe-sandbox-bypass/index.html
How an android app can bypass CSP, iframe sandbox attributes, etc. to compromise the page getting loaded in the webview despite the classic protections in place.
GraphQL injection
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.md
A list of useful payloads and bypass for Web Application Security and Pentest/CTF - swisskyrepo/PayloadsAllTheThings
Bypassing Xamarin Certificate Pinning on Android
https://www.gosecure.net/blog/2020/04/06/bypassing-xamarin-certificate-pinning-on-android/
A working Xamarin certificate pinning bypass Frida script for Android with technical walkthrough.
HTML-injection in PDF-export leads to LFI https://hackerone.com/reports/809819
Every Bug Bounty hunter should know the evil smile of the JSONP over the browser’s Same Origin Policy. https://medium.com/@secureITmania/every-bug-bounty-hunter-should-know-the-evil-smile-of-the-jsonp-over-the-browsers-same-origin-438af3a0ac3b
JSONP stands for JSON with Padding. It is a JavaScript technique to request the data from the server and can access without worrying about
$3K Bounty For Elastic-Search Takeover
https://medium.com/@D0rkerDevil/3k-bounty-for-elastic-search-takeover-70c0847d2e40
Listing all registered email addresses on Google’s Crisis Map thanks to IDOR and incremental IDs
https://websecblog.com/vulns/listing-email-addresses-on-google-crisis-map/
The last write-up was about a security vulnerability on Google.org’s Crisis Map, and so is this one. In short, Google Crisis Map was quite an old project used for creating and sharing custom maps. To do that, you need to log in with a Google account first.…
Web Hacker's Weapons / A collection of cool tools used by Web hackers. Happy hacking, Happy bug-hunting
https://github.com/hahwul/WebHackersWeapons
Full-time bug hunting: Pros and cons of an emerging career
https://www.helpnetsecurity.com/2020/04/07/bug-hunting-career/
Being a bug hunter who discloses their discoveries to vendors (as opposed to selling the information to the highest bidder) has been and is an ambition of
How we abused Slack's TURN servers to gain access to internal services https://www.rtcsec.com/2020/04/01-slack-webrtc-turn-compromise/