NEW BOT Телеграм, страница

❤1

175 viewsᴍͥᴏᴇͣɪͫɴ, 15:13

https://trufflesecurity.com/blog/millions-at-risk-due-to-google-s-oauth-flaw

Millions of Accounts Vulnerable due to Google’s OAuth Flaw ◆ Truffle Security Co.

Millions of Americans can have their data stolen right now because of a deficiency in Google’s “Sign in with Google” authentication flow. If you’ve worked for a startup in the past - especially one that has since shut down - you might be vulnerable.

❤1

195 viewsᴍͥᴏᴇͣɪͫɴ, 17:56

Electro0ne Bytes 🦅

In the RESET-PASSWORD process, if the request's JSON allows adding values like an array:

{"email":["victim@test.com","attacker@test.com"]}

it could be exploited to send the reset password link/code to an attacker's email, making it easy to take over the account.✅

Please open Telegram to view this post

VIEW IN TELEGRAM

❤5

201 viewsᴍͥᴏᴇͣɪͫɴ, 19:51

Electro0ne Bytes 🦅

https://x.com/ImAyrix/status/1879456819673973036?t=yOvr3Rstp3k6jMgss8kbTA&s=19

195 viewsᴍͥᴏᴇͣɪͫɴ, 12:29

Electro0ne Bytes 🦅

https://medium.com/@HX007/a-journey-of-limited-path-traversal-to-rce-with-40-000-bounty-fc63c89576ea

Medium

A Journey of Limited Path Traversal To RCE With $40,000 Bounty!

#Introduce Myself:

❤3

199 viewsᴍͥᴏᴇͣɪͫɴ, 22:15

Electro0ne Bytes 🦅

https://nokline.github.io/bugbounty/2024/02/04/ChatGPT-ATO.html

Harel Security Research

ChatGPT Account Takeover - Wildcard Web Cache Deception

Here you can read all about my research and techniques I’ve gathered over time!

❤1

199 viewsᴍͥᴏᴇͣɪͫɴ, 22:36

Electro0ne Bytes 🦅

Forwarded from Brut Security

⚠️A neat trick for bypassing WAF/filters while testing for OS command injection vulnerabilities.

Use shell globbing / wildcard expansion. Here is an example


cat /e*c/p*s*d

is equivalent to cat /etc/passwd. But how?

Before cat runs, the shell expands the glob pattern /e*c/p*s*d to match actual files and directories in the filesystem.


/e*c:

The shell interprets this as "any path starting with /e, followed by zero or more characters (*), ending with c."


/p*s*d:

This matches a path or file name starting with p, followed by zero or more characters (*), then s, then zero or more characters (*), then d

✅Credit- Devansh Batham

Please open Telegram to view this post

VIEW IN TELEGRAM

❤1🔥1

221 viewsᴍͥᴏᴇͣɪͫɴ, 16:29

Electro0ne Bytes 🦅

ChatGPT ❌ DeepSeek ✅

👎1👏1

212 viewsᴍͥᴏᴇͣɪͫɴ, 20:18

Electro0ne Bytes 🦅

Your mindset is your power.💸

Please open Telegram to view this post

VIEW IN TELEGRAM

❤3

210 viewsᴍͥᴏᴇͣɪͫɴ, 00:12

Electro0ne Bytes 🦅

https://www.pmnh.site/post/writeup_spring_el_waf_bypass/

www.pmnh.site

Bug Writeup: RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass

Writeup of a collaborated bug on Bugcrowd where I was able to bypass Akamai WAF to exploit RCE on Spring Boot error page using SpEL

🔥1

226 viewsᴍͥᴏᴇͣɪͫɴ, 22:46

Electro0ne Bytes 🦅

Common OAuth Vulnerabilities · Doyensec's Blog

https://blog.doyensec.com/2025/01/30/oauth-common-vulnerabilities.html

🔥3

214 viewsᴍͥᴏᴇͣɪͫɴ, 08:08

Electro0ne Bytes 🦅

https://brutecat.com/articles/leaking-youtube-emails

brutecat.com

Leaking the email of any YouTube user for $10,000

What could've been the largest data breach in the world - an attack chain on Google services to leak the email address of any YouTube channel

❤3

199 viewsᴍͥᴏᴇͣɪͫɴ, 22:37

Electro0ne Bytes 🦅

https://blog.voorivex.team/css-data-exfiltration-to-steal-oauth-token

Voorivex's Team

CSS Data Exfiltration to Steal OAuth Token

Use CSS injection to bypass CSP, exfiltrate OAuth tokens through unique chaining techniques. Discover vulnerability and exploit details

❤3

182 viewsᴍͥᴏᴇͣɪͫɴ, 17:38

Electro0ne Bytes 🦅

https://medium.com/immunefi/how-to-stay-motivated-when-hunting-for-bugs-4966ac0d658

Medium

How to Stay Motivated When Hunting for Bugs

I’ve been hacking since 2014 and more recently focusing on bounty hunting in the blockchain space. For example, I found a critical bug in…

🔥1

183 viewsᴍͥᴏᴇͣɪͫɴ, 03:33

Electro0ne Bytes 🦅

https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/

codeanlabs

CVE-2024-4367 - Arbitrary JavaScript execution in PDF.js - Codean Labs

A vulnerability in PDF.js found by Codean Labs. PDF.js is a JavaScript-based PDF viewer maintained by Mozilla. This bug allows an attacker to execute arbitrary JavaScript code as soon as a malicious PDF file is opened. This affects all Firefox users (

❤2

205 viewsᴍͥᴏᴇͣɪͫɴ, 02:08

Electro0ne Bytes 🦅

Forwarded from Brut Security

🔖

Extracting endpoints from JavaScript bookmarklets

⬇️Usage
🔴Add a new bookmark in your browser’s toolbar
🔴Replace the bookmark’s URL with the following JavaScript code:

javanoscript:(function(){var noscripts=document.getElementsByTagName("noscript"),regex=/(?<=(\"|\'|\`))\/[a-zA-Z0–9_?&=\/\-\#\.]*(?=(\"|\'|\`))/g;const results=new Set;for(var i=0;i<noscripts.length;i++){var t=noscripts[i].src;""!=t&&fetch(t).then(function(t){return t.text()}).then(function(t){var e=t.matchAll(regex);for(let r of e)results.add(r[0])}).catch(function(t){console.log("An error occurred: ",t)})}var pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const match of matches)results.add(match[0]);function writeResults(){results.forEach(function(t){document.write(t+"<br>")})}setTimeout(writeResults,3e3);})();

🔴Visit the target page and click the bookmarklet. The noscript will run in your browser, revealing previously undiscovered endpoints right on the page.

Please open Telegram to view this post

VIEW IN TELEGRAM

❤3👍2

211 viewsᴍͥᴏᴇͣɪͫɴ, 21:05

Electro0ne Bytes 🦅

https://bxmbn.medium.com/bank-offer-idor-fix-bypassed-how-i-accessed-unauthorized-offers-and-secured-a-10-000-bounty-41052b31a2fc

Medium

Bank offer IDOR Fix Bypassed: How I Accessed Unauthorized Offers and Secured a $10,000 Bounty — @bxmbn

Bank offer IDOR Fix Bypassed: How I Accessed Unauthorized Offers and Secured a $10,000 Bounty — @bxmbn Summary: I discovered a new weakness in the offer retrieval functionality that allows an …

👍2❤1

225 viewsᴍͥᴏᴇͣɪͫɴ, 18:03

Electro0ne Bytes 🦅