𝐗𝐒𝐒 𝐢𝐧 𝐏𝐡𝐨𝐧𝐞 𝐍𝐮𝐦𝐛𝐞𝐫 𝐅𝐢𝐞𝐥𝐝 ? 👇
Recently I re-watched the NahamCon2022EU: RTFR (Read The Bleeping RFC) by securinti
One thing I was surprised to find out was that phone number fields can be vulnerable to XSS.
How is that possible?
According to the RFC it is possible to append "optional parameter" to the number. Something like:
• 10203040;𝐞𝐱𝐭=+22
• 10203040;𝐢𝐬𝐮𝐛=12345
• 10203040;𝐩𝐡𝐨𝐧𝐞-𝐜𝐨𝐧𝐭𝐞𝐱𝐭=𝐞𝐱𝐚𝐦𝐩𝐥𝐞
This can lead to XSS if:
1. The library parses phone numbers according to RFC and accepts optional parameters such as "phone-context"
2. The phone number is reflected on the web interface without input validation or output encoding
So payloads like "10203040;𝐩𝐡𝐨𝐧𝐞-𝐜𝐨𝐧𝐭𝐞𝐱𝐭=<𝐬𝐜𝐫𝐢𝐩𝐭>𝐚𝐥𝐞𝐫𝐭(1)</𝐬𝐜𝐫𝐢𝐩𝐭>" CAN be a valid phone number and trigger XSS
Recently I re-watched the NahamCon2022EU: RTFR (Read The Bleeping RFC) by securinti
One thing I was surprised to find out was that phone number fields can be vulnerable to XSS.
How is that possible?
According to the RFC it is possible to append "optional parameter" to the number. Something like:
• 10203040;𝐞𝐱𝐭=+22
• 10203040;𝐢𝐬𝐮𝐛=12345
• 10203040;𝐩𝐡𝐨𝐧𝐞-𝐜𝐨𝐧𝐭𝐞𝐱𝐭=𝐞𝐱𝐚𝐦𝐩𝐥𝐞
This can lead to XSS if:
1. The library parses phone numbers according to RFC and accepts optional parameters such as "phone-context"
2. The phone number is reflected on the web interface without input validation or output encoding
So payloads like "10203040;𝐩𝐡𝐨𝐧𝐞-𝐜𝐨𝐧𝐭𝐞𝐱𝐭=<𝐬𝐜𝐫𝐢𝐩𝐭>𝐚𝐥𝐞𝐫𝐭(1)</𝐬𝐜𝐫𝐢𝐩𝐭>" CAN be a valid phone number and trigger XSS
1👍28🗿6❤2
Please open Telegram to view this post
VIEW IN TELEGRAM
GitHub
GitHub - RevoltSecurities/Subdominator: SubDominator helps you discover subdomains associated with a target domain efficiently…
SubDominator helps you discover subdomains associated with a target domain efficiently and with minimal impact for your Bug Bounty - RevoltSecurities/Subdominator
❤3👍1
https://github.com/tomnomnom/gron
This is one of the best tools for dealing with large JSON data. It makes it easier to query complex JSON and turn it into different formats
This is one of the best tools for dealing with large JSON data. It makes it easier to query complex JSON and turn it into different formats
GitHub
GitHub - tomnomnom/gron: Make JSON greppable!
Make JSON greppable! Contribute to tomnomnom/gron development by creating an account on GitHub.
I use it always to test web api that sends or receives big json blobs to understand what it's actually doing
👍3
Free TryHackMe Access
If you’re unable to purchase a personal voucher, you can use the following account for learning purposes:
TryHackMe Premium Account
Email: elmsi.youssef@gmail.com
Password: pasderemarque@123
Please use the account responsibly—do not change or delete any settings or information.
If you’re unable to purchase a personal voucher, you can use the following account for learning purposes:
TryHackMe Premium Account
Email: elmsi.youssef@gmail.com
Password: pasderemarque@123
Please use the account responsibly—do not change or delete any settings or information.
❤86👍11🔥2
Please open Telegram to view this post
VIEW IN TELEGRAM
Teachable
Windows Api Security Professional
❤3
XSS from javanoscript hidden params
assetfinder *.com | gau | egrep -v '(.css|.noscript)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Z0-9]+" | sed -e 's,'var','"$url"?',g' -e 's/ //g' | grep -v '.js' | sed 's/.*/&=xss/g'); echo -e "\e[1;33m$url\n\e[1;32m$vars"
2🔥19👍3❤2
- Register An account with email service@intl.paypal.com on the target
- navigate to support section and see if there are any emails converted into support tickets
credit - NinadMishra
#bugbountytips
- navigate to support section and see if there are any emails converted into support tickets
credit - NinadMishra
#bugbountytips
🐳9👍3
Offsec has been acquired by an private equity.
https://www.prnewswire.com/news-releases/leeds-equity-partners-acquires-offsec-302275836.html
https://www.prnewswire.com/news-releases/leeds-equity-partners-acquires-offsec-302275836.html
PR Newswire
Leeds Equity Partners Acquires OffSec
/PRNewswire/ -- Leeds Equity Partners ("Leeds Equity") announced today that it has acquired OffSec (the "Company"), the leading provider of continuous...
🧑💻CloakQuest3r - Uncover the true IP address of websites safeguarded by Cloudflare & Others
https://github.com/spyboy-productions/CloakQuest3r
https://github.com/spyboy-productions/CloakQuest3r
2🔥12👍3
Argus is an all-in-one information gathering tool crafted for ethical hackers and cybersecurity experts. It seamlessly integrates network analysis, web exploration, and threat detection, all in a sleek and intuitive interface. Argus turns complex reconnaissance into an art of simplicity.
---
Please open Telegram to view this post
VIEW IN TELEGRAM
GitHub
GitHub - jasonxtn/Argus: The Ultimate Information Gathering Toolkit
The Ultimate Information Gathering Toolkit. Contribute to jasonxtn/Argus development by creating an account on GitHub.
👍7
CVE-2024-9634: RCE in GiveWP WordPress Plugin, 9.8 rating 🔥
Another one critical vulnerability in GiveWP. This time, attackers can inject PHP code using one parameter.
Search at Netlas.io:
👉 Link: https://nt.ls/9tUYx
👉 Dork: http.body:"plugins/give/assets/dist"
Read more: https://github.com/advisories/GHSA-6fx6-wrpf-cpgv
Another one critical vulnerability in GiveWP. This time, attackers can inject PHP code using one parameter.
Search at Netlas.io:
👉 Link: https://nt.ls/9tUYx
👉 Dork: http.body:"plugins/give/assets/dist"
Read more: https://github.com/advisories/GHSA-6fx6-wrpf-cpgv
👍5❤3
POC for CVE-2024-4577 PHP CGI Argument Injection 🔥 🔥 🔥
Nuclei Template: https://github.com/11whoami99/CVE-2024-4577/blob/main/CVE-2024-4577.yaml
Nuclei Template: https://github.com/11whoami99/CVE-2024-4577/blob/main/CVE-2024-4577.yaml
1❤9👍2