Password Resets via Forged JWT Tokens
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥10❤5👍1
Happy Durga Puja to all Brut Security members! May Maa Durga bless you with strength, wisdom, and protection in every battle you fight, both in life and in cyberspace. 😇 😇 😇
Please open Telegram to view this post
VIEW IN TELEGRAM
❤17🙏8👍2
Hey Hunter's,
Darkshadow here back again, just dropping another SSRF!
Look this SSRF in exif.tools that i got. Interesting but not impactful. But still it's confirmed SSRF presents.
✨Tip:
1️⃣If server made unauthenticated HTTP request and any how you see the http response content means critical SSRF
2️⃣If not showing any http response content means blind SSRF medium severity
#bugbountytips #ssrf
Darkshadow here back again, just dropping another SSRF!
Look this SSRF in exif.tools that i got. Interesting but not impactful. But still it's confirmed SSRF presents.
✨Tip:
1️⃣If server made unauthenticated HTTP request and any how you see the http response content means critical SSRF
2️⃣If not showing any http response content means blind SSRF medium severity
#bugbountytips #ssrf
🗿11🔥3❤1
Please open Telegram to view this post
VIEW IN TELEGRAM
❤15👍1
🌸 Happy Bijaya Dashami 🌸
From the Brut Security family, wishing you all joy, peace, and success on this special day of Bijaya Dashami.
As Maa Durga returns to her divine abode, may her blessings bring strength, wisdom, and prosperity into your life.
🆘 November Batch Enrollment is Now Open!
For all beginners and wanna-learners, we’re starting fresh batches for:
•bPEH (Brut Practical Ethical Hacking)
•bPWA / bPBB (Brut Practical Web Pentesting & Bug Bounty)
🎓 Special student discounts are available.
👉 Seats are limited, so do enroll early!
♾ wa.link/brutsecurity or +918945971332
From the Brut Security family, wishing you all joy, peace, and success on this special day of Bijaya Dashami.
As Maa Durga returns to her divine abode, may her blessings bring strength, wisdom, and prosperity into your life.
For all beginners and wanna-learners, we’re starting fresh batches for:
•bPEH (Brut Practical Ethical Hacking)
•bPWA / bPBB (Brut Practical Web Pentesting & Bug Bounty)
🎓 Special student discounts are available.
👉 Seats are limited, so do enroll early!
Please open Telegram to view this post
VIEW IN TELEGRAM
❤10😁2😢1
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥10👍4❤3
domains.txt
836.9 KB
🌀Download all bug bounty programs domains in scope items 🎯
😉Get a full list of domains from active bug bounty programs across platforms like HackerOne, Bugcrowd, Intigriti, and more – all in one place!💥
👇🏼Step 1: Download the domains.txt file
📂step 2: Extract only main/root domains
`cat domains.txt | awk -F '.' '{print $(NF-1)"."$NF}' | grep -Eo '([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}' | sort -u > main_domains`
📂Step 3: Extract all IP addresses:
`grep -Eo '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' domains.txt > ips.txt`
Don't forget to give reactions❤️
😉Get a full list of domains from active bug bounty programs across platforms like HackerOne, Bugcrowd, Intigriti, and more – all in one place!💥
👇🏼Step 1: Download the domains.txt file
📂step 2: Extract only main/root domains
`cat domains.txt | awk -F '.' '{print $(NF-1)"."$NF}' | grep -Eo '([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}' | sort -u > main_domains`
📂Step 3: Extract all IP addresses:
`grep -Eo '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' domains.txt > ips.txt`
Don't forget to give reactions❤️
❤34🔥8👍6
Hey hunters,
DarkShadow here back again!
🔥SSTI to RCE in URL 💀
POC:
target.com/docs/1.0/123 = not found.
so i tried:
target.com/docs/1.0/?123 = now it’s reflecting in source code like /docs/1.0/?123#
so i tried again:
target.com/docs/1.0/?{{7*7}} = /docs/1.0/?49#
and it’s worked! SSTI payload it executed here😏
after researching a while, code injection done by /docs/1.0/?{{phpinfo()}}
so guy’s always try be uniq and different. and if guy’s really love to read my buybounty methodologies then follow me in x x.com/darkshadow2bd
#ssti #bugbountytips
DarkShadow here back again!
🔥SSTI to RCE in URL 💀
POC:
target.com/docs/1.0/123 = not found.
so i tried:
target.com/docs/1.0/?123 = now it’s reflecting in source code like /docs/1.0/?123#
so i tried again:
target.com/docs/1.0/?{{7*7}} = /docs/1.0/?49#
and it’s worked! SSTI payload it executed here😏
after researching a while, code injection done by /docs/1.0/?{{phpinfo()}}
so guy’s always try be uniq and different. and if guy’s really love to read my buybounty methodologies then follow me in x x.com/darkshadow2bd
#ssti #bugbountytips
🔥30❤5👍3
This media is not supported in your browser
VIEW IN TELEGRAM
How to manually check for CL.TE Request Smuggling Vulnerabilities:
1️⃣ See if a GET request accepts POST
2️⃣ See if it accepts HTTP/1
3️⃣ Disable "Update Content-Length"
4️⃣ Send with CL & TE headers:
POST / HTTP/1.1
Host: <HOST-URL>
Content-Length: 6
Transfer-Encoding: chunked
0
G
5️⃣ Send request twice.
If you receive a response like "Unrecognized method GPOST", you've just confirmed a CL.TE vulnerability!
Try this out for yourself in our CL.TE lab: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
1️⃣ See if a GET request accepts POST
2️⃣ See if it accepts HTTP/1
3️⃣ Disable "Update Content-Length"
4️⃣ Send with CL & TE headers:
POST / HTTP/1.1
Host: <HOST-URL>
Content-Length: 6
Transfer-Encoding: chunked
0
G
5️⃣ Send request twice.
If you receive a response like "Unrecognized method GPOST", you've just confirmed a CL.TE vulnerability!
Try this out for yourself in our CL.TE lab: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
❤30🔥3👍1
Here’s the thing: attackers hide simple payloads (eg. cat /etc/passwd) by stuffing params with backslashes, \x.. hex, IFS, and odd punctuation
(|/???/\b**\h). Don’t match raw strings — normalize first, then detect.Decode repeatedly until stable, then run signatures.
Flag mixed-encoding or repeated escape sequences.
Use allowlists for expected param formats.Please open Telegram to view this post
VIEW IN TELEGRAM
❤15🔥6👍1😁1
nuclei -list targets.txt -ai "Find exposed AI/ML model files (.pkl, .h5, .pt) that may leak proprietary algorithms or sensitive training data"
nuclei -list targets.txt -ai "Find exposed automation noscripts (.sh, .ps1, .bat) revealing internal tooling or credentials"
nuclei -list targets.txt -ai "Identify misconfigured CSP headers allowing 'unsafe-inline' or wildcard sources"
nuclei -list targets.txt -ai "Detect pages leaking JWT tokens in URLs or cookies"
nuclei -list targets.txt -ai "Identify overly verbose error messages revealing framework or library details"
nuclei -list targets.txt -ai "Find application endpoints with verbose stack traces or source code exposure"
nuclei -list targets.txt -ai "Find sensitive information in HTML comments (debug notes, API keys, credentials)"
nuclei -list targets.txt -ai "Find exposed .env files leaking credentials, API keys, and database passwords"
nuclei -list targets.txt -ai "Find exposed configuration files such as config.json, config.yaml, config.php, application.properties containing API keys and database credentials."
nuclei -list targets.txt -ai "Find exposed configuration files containing sensitive information such as credentials, API keys, database passwords, and cloud service secrets."
nuclei -list targets.txt -ai "Find database configuration files such as database.yml, db_config.php, .pgpass, .my.cnf leaking credentials."
nuclei -list targets.txt -ai "Find exposed Docker and Kubernetes configuration files such as docker-compose.yml, kubeconfig, .dockercfg, .docker/config.json containing cloud credentials and secrets."
nuclei -list targets.txt -ai "Find exposed SSH keys and configuration files such as id_rsa, authorized_keys, and ssh_config."
nuclei -list targets.txt -ai "Find exposed WordPress configuration files (wp-config.php) containing database credentials and authentication secrets."
nuclei -list targets.txt -ai "Identify exposed .npmrc and .yarnrc files leaking NPM authentication tokens"
nuclei -list targets.txt -ai "Identify open directory listings exposing sensitive files"
nuclei -list targets.txt -ai "Find exposed .git directories allowing full repo download"
nuclei -list targets.txt -ai "Find exposed .svn and .hg repositories leaking source code"
nuclei -list targets.txt -ai "Identify open FTP servers allowing anonymous access"
nuclei -list targets.txt -ai "Find GraphQL endpoints with introspection enabled"
nuclei -list targets.txt -ai "Identify exposed .well-known directories revealing sensitive data"
nuclei -list targets.txt -ai "Find publicly accessible phpinfo() pages leaking environment details"
nuclei -list targets.txt -ai "Find exposed Swagger, Redocly, GraphiQL, and API Blueprint documentation"
nuclei -list targets.txt -ai "Identify exposed .vscode and .idea directories leaking developer configs"
nuclei -list targets.txt -ai "Detect internal IP addresses (10.x.x.x, 192.168.x.x, etc.) in HTTP responses"
nuclei -list targets.txt -ai "Find exposed WordPress debug.log files leaking credentials and error messages"
nuclei -list targets.txt -ai "Detect misconfigured CORS allowing wildcard origins ('*')"
nuclei -list targets.txt -ai "Find publicly accessible backup and log files (.log, .bak, .sql, .zip, .dump)"
nuclei -list targets.txt -ai "Find exposed admin panels with default credentials"
nuclei -list targets.txt -ai "Identify commonly used API endpoints that expose sensitive user data, returning HTTP status 200 OK."
nuclei -list targets.txt -ai "Detect web applications running in debug mode, potentially exposing sensitive system information."Please open Telegram to view this post
VIEW IN TELEGRAM
❤8🔥6
Check Well Known Files/Paths - A JS console noscript to paste into console
It will attempt to identify and uncover potentially useful files for enumeration• Open the noscript URL and copy it to clipboard.
• Open the target site, Inspect → Console.
• Paste the noscript and run.
• Look for any requests returning HTTP 200, visit those URLs and validate exposure.
• /.git, /.env, backup files, robots.txt revealing sensitive paths, config files, or public storage with credentials.
• Any unexpected 200 on predictable filenames.
• Remove or restrict public access to sensitive files.
• Block common sensitive filenames at the webserver/WAF.
• Return 403/404 for those paths and avoid leaking contents in error pages.
----------------------------------------------------------------------------
📖 Your Ethical Hacking Journey Starts Here → topmate.io/saumadip/1391531
🎓 Ready to Skill Up? Enroll Now → wa.link/brutsecurity
📢 Join the Community: discord.gg/u7uMFV833h
Please open Telegram to view this post
VIEW IN TELEGRAM
❤18👍5🔥2
If you liked the posts, tap the heart. That tiny click means a lot. ❤️
Please open Telegram to view this post
VIEW IN TELEGRAM
❤49🔥5
Please open Telegram to view this post
VIEW IN TELEGRAM
❤10