gelo (@gelosecurity)'s Twitter Profile

gelo

@gelosecurity

offensive security // I ❤️ mobile apps.

ID: 991805547857887232

Joined: 02-05-2018 22:24:04

103 Tweets

84 Followers

79 Following

gelo (@gelosecurity):

In preparation of the OSCP, here’s a write up I made on how to exploit “Optimum” on Hack The Box without Metasploit usage: gelosecurity.com/hackthebox-osc… #hackthebox #optimum #oscp

gelo (@gelosecurity):

Currently practicing BOF for #OSCP. I take my exam this Sunday, right after my University Finance final on Saturday 😅. VulnServer, SLMail, and brainpan down. Hopefully I pass it so I can start my journey into appsec and bug bounties :D

Clément Notin (@cnotin):

Let's say that during a pentest you discover requests to <name>.azure-api.net 🤔
🎉 Congratulations it means that you found an API hosted by Azure API Management!

The root doesn't reveal anything but you can go to <name>.portal.azure-api.net to see its documentation (& more!) 🕵️

🇵🇸 1nclud3 🇵🇸 (@1nclud3):

Execute bash commands without spaces with two methods:
1- {ping,-c,1,127.0.0.1}
2- ping${IFS}-c${IFS}1${IFS}127.0.0.1 - terminal will translate ${IFS} into a space
Thanks ippsec

gelo (@gelosecurity):

Just got news that I passed my OSCP! And in my final week as a uni student! Thank you OffSec for an amazing course and exam. The labs and exam have humbled me and made me realize I have so much more to learn. This is just the beginning! #OSCP #PWK #student

Mohammed Aldoub م.محمد الدوب (@voulnet):

Here's a command injection WAF bypass that works:

using empty shell variables, like ${something} and ${thisdoesntexist}.

example: cat /e${hahaha}tc/${heywaf}pas${catchthis}swd

It works, currently bypasses Cloudflare and probably others. I don't want a bounty.

Enjoy!

Proof:

xxux11 ᯲ ̸ (@11xuxx):

LFI to RCE
1. ffuf on "/" -> "redacted-api" -> 302
2. ffuf on "redacted-api/" -> "application.wadl" -> 200
3. all operations were auth protected
4. didn't give up and tested ~200 operations
5. found LFI, no auth
6. admin creds in plaintext, logged in and got RCE
#bugbountytips

rez0 (@rez0__):

Use ffuf for vhosting on every new domain to find hidden servers/admin panels: ffuf -c -u https://target .com -H “Host: FUZZ” -w vhost_wordlist.txt #BugBountyTips #BugBountyTip #BugBounty

Jason Lang (@curi0usjack):

I'm addicted to even the smallest methodology improvements. Grep out a list of IPs from unstructured data with this alias.

alias grepip='grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"'

helloworld (@0xhelloworld_):

i would develop my own vulnerable web application w vulnerabilities from OWASP Top 10. if you're new and trying to break into application pentesting/bounty hunting this is one project i overlooked and wish i did a lot sooner.

m0z (@loosesecurity):

Posting this so I don't forget a great XSS polyglot javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//> Anyone got anymore interesting polyglots?

Chris Thompson (@_mayyhem):

SCCM takeover by abusing automatic client push installation has less requirements than I thought. Check this post out for a detailed walkthrough and recommendations. Install KB15599094 and disable NTLM for client push installation to prevent this attack. posts.specterops.io/sccm-site-take…

Sam Curry (@samwcyo):

New writeup: Between March, 2023 and May, 2023 we found multiple critical vulnerabilities in points[.]com the global provider for major airline and hotel rewards programs. Full post is available here: samcurry.net/Points-com/ Work from: shubs Ian Carroll

Eduardo Novella (@enovella_):

After 2 years from the last release, APKiD v3.0.0 is out !🔥 - "Black Hawk edition" 📃 Changelog: github.com/rednaga/APKiD/… 🐍 Pypi package: `$ pip install --upgrade apkid` Thanks to Abhi for the stunning work 🙌