Automated decryption tool based on natural language processing and artificial intelligence
Efficient collection of subdomains using template permutations
Firefox extension to improve DOM XSS search
Account capture by bypassing SSO authentication using the login function without a password
Traversing WAF through a large number of characters
BurpSuite extension for API audit
API Kit is an open source extension, which is a set of tools for detecting, scanning and auditing APIs. It has an active and passive mode.
Information Security Resources
SSRF on Facebook (https://medium.com/@win3zz/how-i-made-31500-by-submitting-a-bug-to-facebook-d31bb046e204 )
Deleting any Video or Reel on Facebook (https://bugreader.com/social/write-ups-general-delete-any-video-or-reel-on-facebook-11-250--100965 ?fbclid=IwAR16bED_J9-xqmnVq98jSp-JIyrCAhtfnns7gsdMGpFpEVZKr6VL7tVPebA)
And IDOR again. Perhaps one of the most insidious vulnerabilities of modern web applications, which, often, can be detected only by manual testing and careful study of the available functionality.
Account capture and bypass two-factor authentication in Facebook (https://medium.com/@yaala/account-takeover-and-two-factor-authentication-bypass-de56ed41d7f9 )
And again Facebook, but now, a vulnerability found when analyzing the basic functionality of the endpoints of a mobile application. A simple step-by-step change of parameters from false to true can lead to unexpected findings.
mkpath (https://github.com/trickest/mkpath )
A tool that allows you to create custom wordlists for a given list of words. It can be useful during directory brutalization.
Dorks for Shodan and Censys ( )
A selection of repositories on github with useful dorks for Shodan and Censys
OWASP Vulnerable App (https://github.com/SasanLabs/VulnerableApp )
good platform for studying common vulnerabilities on the web.
GitHub - Ciphey/Ciphey: ⚡ Automatically decrypt encryptions without knowing the key or cipher, decode encodings, and crack hashes ⚡
⚡ Automatically decrypt encryptions without knowing the key or cipher, decode encodings, and crack hashes ⚡ - GitHub - Ciphey/Ciphey: ⚡ Automatically decrypt encryptions without knowing the key or ...
github.com
Efficient collection of subdomains using template permutations
GitHub - projectdiscovery/alterx: Fast and customizable subdomain wordlist generator using DSL
Fast and customizable subdomain wordlist generator using DSL - GitHub - projectdiscovery/alterx: Fast and customizable subdomain wordlist generator using DSL
github.com
Firefox extension to improve DOM XSS search
GitHub - swoops/eval_villain: A Firefox Web Extension to improve the discovery of DOM XSS.
A Firefox Web Extension to improve the discovery of DOM XSS. - GitHub - swoops/eval_villain: A Firefox Web Extension to improve the discovery of DOM XSS.
github.com
Account capture by bypassing SSO authentication using the login function without a password
Захват аккаунта через обход аутентификации SSO с помощью функции входа без пароля
Оригинал статьи на английском тут. Во время поиска багов, я обнаружил функцию входа без пароля. Функция входа без пароля - это функция, которая используется для пользователей учетной записи и позволяет войти в систему без пароля или с помощью OTP (разового пароля), отправленного на привязанный...
telegra.ph
Traversing WAF through a large number of characters
Create a Random Text File - Online File Tools
This utility creates text files with random contents. You can customize the file size and adjust what goes in the file. Try it out!
onlinefiletools.com
BurpSuite extension for API audit
API Kit is an open source extension, which is a set of tools for detecting, scanning and auditing APIs. It has an active and passive mode.
GitHub - API-Security/APIKit: APIKit:Discovery, Scan and Audit APIs Toolkit All In One.
APIKit:Discovery, Scan and Audit APIs Toolkit All In One. - GitHub - API-Security/APIKit: APIKit:Discovery, Scan and Audit APIs Toolkit All In One.
github.com
Information Security Resources
GitHub - foorilla/allinfosecnews_sources: A list of online news & info sources in the InfoSec/Cybersecurity space
A list of online news & info sources in the InfoSec/Cybersecurity space - GitHub - foorilla/allinfosecnews_sources: A list of online news & info sources in the InfoSec/Cybersecurity space
github.com
SSRF on Facebook (https://medium.com/@win3zz/how-i-made-31500-by-submitting-a-bug-to-facebook-d31bb046e204 )
Deleting any Video or Reel on Facebook (https://bugreader.com/social/write-ups-general-delete-any-video-or-reel-on-facebook-11-250--100965 ?fbclid=IwAR16bED_J9-xqmnVq98jSp-JIyrCAhtfnns7gsdMGpFpEVZKr6VL7tVPebA)
And IDOR again. Perhaps one of the most insidious vulnerabilities of modern web applications, which, often, can be detected only by manual testing and careful study of the available functionality.
Account capture and bypass two-factor authentication in Facebook (https://medium.com/@yaala/account-takeover-and-two-factor-authentication-bypass-de56ed41d7f9 )
And again Facebook, but now, a vulnerability found when analyzing the basic functionality of the endpoints of a mobile application. A simple step-by-step change of parameters from false to true can lead to unexpected findings.
mkpath (https://github.com/trickest/mkpath )
A tool that allows you to create custom wordlists for a given list of words. It can be useful during directory brutalization.
Dorks for Shodan and Censys ( )
A selection of repositories on github with useful dorks for Shodan and Censys
OWASP Vulnerable App (https://github.com/SasanLabs/VulnerableApp )
good platform for studying common vulnerabilities on the web.