Electro0ne Bytes 🦅 – Telegram
Electro0ne Bytes 🦅
364 subscribers
I publish articles related to hacking and security for you, so let's learn together.💪

Contact: @Electro0ne Blogs: electro0nes.github.io
Write-ups for prompt injection
https://embracethered.com/blog/
In a password-reset flow, check whether the request's JSON accepts an array where a single string is expected, e.g.:

{"email":["victim@test.com","attacker@test.com"]}

If the backend accepts the array and passes it on to the mailer, the reset link/code is also delivered to the attacker's address, which makes the account easy to take over. Same idea applies to any field the server is supposed to treat as one value (phone number, username): send a list, or a comma-separated string, and watch where the token lands.
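The following is an added example, not code from the channel or from any real application. It shows a minimal reset handler that forwards the `email` field to the mailer without checking its type, beside a hardened version that insists on exactly one string address. The user store, the mailer and all function names are assumptions made for the demo.

```python
import json
import secrets

# Constructed user store for the demo (assumption, not from the post).
USERS = {"victim@test.com": {"id": 1}}


def send_mail(to, body):
    """Toy mailer standing in for a real one. Many mail APIs accept either a
    single address or a list of recipients, and that flexibility is what lets
    a JSON array reach the attacker. Returns the recipients it would use."""
    recipients = [to] if isinstance(to, str) else list(to)
    # A real mailer would deliver `body` here; we only record the recipients.
    return recipients


def find_user_lenient(email):
    """Lookup that silently tolerates a list ("any of these addresses"),
    the kind of behaviour an ORM `email__in` filter gives you for free."""
    if email is None:
        return None
    candidates = [email] if isinstance(email, str) else list(email)
    for c in candidates:
        if c in USERS:
            return USERS[c]
    return None


def reset_password_vulnerable(raw_json):
    """Accepts whatever type `email` has and forwards it to the mailer.
    Returns the list of addresses the token was sent to."""
    data = json.loads(raw_json)
    email = data.get("email")
    if find_user_lenient(email) is None:
        return []
    token = secrets.token_urlsafe(16)
    return send_mail(email, f"Your reset token: {token}")


def is_single_address(value):
    """Schema check: exactly one plain string address, no list, and none of
    the separators a mailer might split a header on."""
    if not isinstance(value, str) or value.count("@") != 1:
        return False
    return not any(ch in value for ch in ",; \t\r\n")


def reset_password_hardened(raw_json):
    """Enforces the type before touching the user store or the mailer.
    Returns the same shape as the vulnerable version for comparison."""
    data = json.loads(raw_json)
    email = data.get("email")
    if not is_single_address(email):
        return []  # reject: wrong type or more than one address
    user = USERS.get(email)
    if user is None:
        return []  # in production answer identically either way (no enumeration)
    token = secrets.token_urlsafe(16)
    return send_mail(email, f"Your reset token: {token}")


if __name__ == "__main__":
    payload = '{"email":["victim@test.com","attacker@test.com"]}'
    print("vulnerable:", reset_password_vulnerable(payload))
    print("hardened:  ", reset_password_hardened(payload))
```

The check belongs at the schema boundary, before any lookup: once a list has reached the mailer it is too late. Rejecting commas, semicolons and whitespace covers the string-form variant of the same trick (`"victim@test.com,attacker@test.com"`) that some mail libraries also split.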
Forwarded from Brut Security
⚠️ A neat trick for bypassing WAF/filters while testing for OS command injection vulnerabilities.

Use shell globbing / wildcard expansion. Here is an example:

cat /e*c/p*s*d

is equivalent to cat /etc/passwd. But how?

Before cat runs, the shell expands the glob pattern /e*c/p*s*d to match actual files and directories in the filesystem.

/e*c:
The shell interprets this as "any path starting with /e, followed by zero or more characters (*), ending with c."

/p*s*d:
This matches a path or file name starting with p, followed by zero or more characters (*), then s, then zero or more characters (*), then d.

Credit: Devansh Batham
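An added example to go with the forwarded post above (my code, not Brut Security's or Devansh Batham's). It reproduces the bypass against a constructed sandbox instead of the real /etc, shows the expansion the shell performs, why a substring filter never sees "etc/passwd", and the fix that matters: not handing the string to a shell at all. The sandbox path, the payload in relative form and all function names are assumptions for the demo.

```python
import glob
import os
import re
import subprocess
import tempfile

# Constructed sandbox: a throwaway directory with its own etc/passwd, so the
# demo reads a fake file instead of the real /etc/passwd.
SANDBOX = tempfile.mkdtemp(prefix="globdemo-")
os.makedirs(os.path.join(SANDBOX, "etc"))
with open(os.path.join(SANDBOX, "etc", "passwd"), "w") as fh:
    fh.write("root:x:0:0:root:/root:/bin/sh\n")

# Relative form of the post's /e*c/p*s*d, confined to the sandbox.
PAYLOAD = "e*c/p*s*d"


def expand_like_shell(pattern):
    """What /bin/sh turns the pattern into before exec'ing cat: pathname
    expansion against the sandbox, returned as sorted relative paths."""
    hits = glob.glob(os.path.join(SANDBOX, pattern))
    return sorted(os.path.relpath(h, SANDBOX) for h in hits)


def naive_blocklist(arg):
    """Substring filter of the kind a WAF rule implements. True means allowed.
    It never sees 'etc/passwd' because the shell only builds that string later."""
    return "etc/passwd" not in arg


def vulnerable_cat(arg):
    """shell=True hands 'cat <arg>' to /bin/sh, which globs before cat runs."""
    r = subprocess.run(f"cat {arg}", shell=True, cwd=SANDBOX,
                       capture_output=True, text=True)
    return r.stdout


def hardened_cat(arg):
    """No shell in the loop: argv goes straight to execve, so '*' is a literal
    character in a filename that does not exist and cat prints nothing."""
    r = subprocess.run(["cat", arg], cwd=SANDBOX,
                       capture_output=True, text=True)
    return r.stdout


def strict_allowlist(arg):
    """Defense in depth for the rare case where a shell is unavoidable: accept
    only a conservative character set (excludes * ? [ ] $ ` ; | & and
    whitespace) and refuse parent-directory traversal."""
    return re.fullmatch(r"[A-Za-z0-9._/-]+", arg) is not None and ".." not in arg


if __name__ == "__main__":
    print("shell expands", PAYLOAD, "to", expand_like_shell(PAYLOAD))
    print("blocklist allows payload:", naive_blocklist(PAYLOAD))
    print("vulnerable output:", repr(vulnerable_cat(PAYLOAD)))
    print("hardened output:  ", repr(hardened_cat(PAYLOAD)))
    print("allowlist accepts payload:", strict_allowlist(PAYLOAD))
```

Note that `strict_allowlist` still accepts the literal `etc/passwd`; it is there to stop the metacharacter trick, not to replace path authorization. The real fix is `hardened_cat`: with an argv list and no shell, nothing expands `*`, `?` or `[...]`, and the filter question goes away. Python's `glob` matches `*` across `/` where a shell would not, so `expand_like_shell` is only a faithful model for patterns like this one whose segments are separated by literal slashes.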