Rezultati pretraživanja
  1. 1. velj

    I was tired of outdated XSS cheat sheets that don't touch on frameworks, html5, filter bypasses and other important stuff, so I made my own. I hope you find it as useful as I do. :)

  2. 4. velj

    ==API TIPS== To welcome the new year, we published a daily tip on API Security & API Pentesting during the month of January 2020. Check out my new article and explore 31 tips + interesting insights about them.

  3. 31. sij
  4. 1. velj

    I just got a fancy idea to create strings in without using dangerous characters 😃 Inspired by challenge from .

    Prikaži ovu nit
  5. prije 20 sati
  6. 11. pro 2019.
  7. 24. sij

    Some lesser known 0-click XSS vectors: <object data="data:text/html,<script>alert(5)</script>"> <iframe srcdoc="<svg onload=alert(4);>"> <object data=javascript:alert(3)> <iframe src=javascript:alert(2)> <embed src=javascript:alert(1)>

  8. 14. sij

    CSP bypass for googleapis[.]com/customsearch/

  9. 21. pro 2019.

    Got my first remote code execution on bug bounty program.Nothing is more beautiful than...... Tip? Just keep scanning for hidden directory until you found something else.

    Prikaži ovu nit
  10. 30. sij

    Awesome Payloads Server-Side Template Injection Linux - Privilege Escalation

  11. 3. velj

    Hey bug hunters! Want a look at some of the top vulnerabilities ever found on ? They just released the last blog post I wrote before leaving. Enjoy!

    Prikaži ovu nit
  12. 15. pro 2019.

    Simple 2FA bypass tip: Account setting > Change email > Logout > Login with password via email confirm link > 2FA won't ask when the backend check for login email.(only for rare cases)

  13. 27. sij

    -API TIP:26/31- Looking for BOLA (IDOR) in APIs? got 401/403 errors? AuthZ bypass tricks: * Wrap ID with an array {“id”:111} --> {“id”:[111]} * JSON wrap {“id”:111} --> {“id”:{“id”:111}} * Send ID twice URL?id=<LEGIT>&id=<VICTIM> * Send wildcard {"user_id":"*"}

    Prikaži ovu nit
  14. 11. pro 2019.

    Login Page Authentication bypass: Any file name / authorize account/connect/authorize home/authorize dashboard/authorize account/authorize/

  15. 21. stu 2019.
  16. 16. pro 2019.

    Got a survey from? Don't only test for blind xss Try this once

  17. 19. pro 2019.
  18. 18. sij

    GET /xyz 404 NOT FOUND GET /xyz/abc 200 OK GET /xyz 403 FORBIDDEN GET /xyz/abc 200 OK Look everywhere !!!

  19. 19. pro 2019.

    For those who are asking How I found my last SQL injection Here is a simple POC

    Prikaži ovu nit

Čini se da učitavanje traje već neko vrijeme.

Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.