Masterr

@Mus_t4r

Don't Judge Too Early.

Joined: May 2015

Tweets


  1. Retweeted
    Feb 3

    XSS filter bypass using stripped </p> tag to obfuscate. P2 Stored XSS $1500 on a private bug bounty program. XSS Payload: <</p>iframe src=javascript:alert()//

  2. Retweeted
    Feb 3

    When testing for SSRF, change the HTTP version from 1.1 to HTTP/0.9 and remove the host header completely. This has worked to bypass several SSRF fixes in the past.

  3. Retweeted
    Jan 30

    Some hunters made over €50.000 in bug bounties with this simple trick. 🤑 Thanks for the , !

  4. Retweeted
    Jan 29

    One more: Find a subdomain such as <grafana>.corp.company.com which points to an external IP example however only accessible inside VPN and such SSRF could be leveraged in that way. You can often find such hosts over SSL. Have exploited such in the past. Might even be a

  5. Retweeted
    Jan 28

    Hacker tip: when you’re looking for IDORs in a model that references another model, try storing IDs that don’t exist yet. I’ve seen a number of times now that, because the model can’t be found, the system will save the ID. (1/2)

  6. Retweeted
    Jan 27

    Did you know that the address '<a@b.com>c@d.com' when given to SES will send an email to a@b.com? this could lead to interesting exploit scenarios with some email parsing libraries/code

  7. Retweeted
    Jan 23

    2nd critical of this week. Abuse OAuth Sign-up flow: 1) Use phone number instead of email in 3rd party to sign-up. 2) Link victim's email to your 3rd party account while signing up on target. 3) Login to victim's account using your 3rd party account.

  8. Retweeted
    Jan 23

    "ondragend" event seems to bypass certain WAFs <p ondragend=[1].map(prompt) draggable="true">dragMe</p> cc

  9. Retweeted
    Jan 21

    time: when you see a POST request made with JSON, convert this to XML and test for XXE. You can use "Content-type converter" extension on to achieve this! RT and Follow, book coming!

  10. Retweeted
    Jan 19

    Being an introvert isn't a flaw, it's a gift and real strength.

  11. Retweeted
    Jan 16

    So you believe UUID's are a sufficient protection against IDOR's? Think again! 🤦 Thanks for the ,

  12. Retweeted
    Jan 15

    If you had to teach cybersecurity classes in college, what would you recommend teaching to freshmen? How would you teach it? What projects would you assign to students? I’m curious 🤓

  13. Retweeted
    Jan 15

    <Thread> A few days ago, I captured more than 600K tweets on trendy topics on the Indian Twitter. I was looking at this graph yesterday night and asked myself: How can I find spammy Twitter accounts in this dataset? 1/

  14. Retweeted
    Jan 15

    When final-semester students are busy with their thesis, they sometimes forget to prepare something that is no less important for their career preparation. Mastering MS Excel skills, for example. There are several websites that can serve as a way for you to teach yourself, guys. Good luck trying them 😊

  15. Retweeted
    Jan 13
  16. Retweeted
    Jan 13

    While pentesting webapps, whenever you notice a redirect, check what caused it. If it's a client side redirect (caused by JavaScript), try redirecting to javascript:alert(), now you have XSS!

  17. Retweeted
    Jan 12

    If example[.]com points to IP 1.2.3.4 and redirect to www[.]example[.]com but www[.]example[.]com doesn't point to anything (No A, AAAA, CNAME), try submitting your HTTP request to http://1.2.3.4/ with a "HOST: www[.]example[.]com" header.

  18. Retweeted
    Jan 12

    Just posted Remote Code Execution in Three Acts: Chaining Exposed Actuators and H2 Database Aliases in Spring Boot 2. Using a payload containing three different programming languages :)

  19. Retweeted
    Jan 9

    I'm very excited to share my blogpost series (including PoC code) about a remote, interactionless iPhone exploit over iMessage:

  20. Retweeted
    Jan 9

    If anyone is interested in modifying an Android app (.apk) and recompiling it again, check out my write up about a CTF style challenge I solved recently:
