bugbounty   203


#639684 The return of the ＜
In this report, the researcher was able to demonstrate a Stored XSS vulnerability in our Message system on the Social Club website. By taking advantage of the fact that '＜' characters are normalized to '<', as well as discovering improper escaping of the aforementioned '<' character, the researcher was able to craft a payload to perform XSS attacks.

An example...
Security  bugbounty  xss  normalization 
11 weeks ago by fub
whitel1st/docem: Utility to embed XXE and XSS payloads in docx,odt,pptx,etc (OXML_XEE on steroids)
Utility to embed XXE and XSS payloads in docx,odt,pptx,etc (OXML_XEE on steroids) - whitel1st/docem
Security  bugbounty 
11 weeks ago by fub
nccgroup/tracy: A tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner.
A tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner. - nccgroup/tracy
security  bugbounty  domxss  javascript 
12 weeks ago by fub
Twitter
RT : File upload vulnerability scanner and exploitation tool.

infosec  pentest  bugbounty  from twitter
12 weeks ago by blackthorne
#431002 Golden techniques to bypass host validations in Android apps
# #1 Backslash tricks
Look at a typical host validation
```java
Uri uri = Uri.parse(attackerControlledString);
// Host check that the report goes on to bypass
if ("legitimate.com".equals(uri.getHost()) || uri.getHost().endsWith(".legitimate.com")) {
    webView.loadUrl(attackerControlledString, getAuthorizationHeaders()); // or webView.loadUrl(uri.toString())
}
```

There is a problem in `android.net.Uri` and `java.net.URL`...
bugbounty  Security  android  bypass 
september 2019 by fub
Twitter
72 million users at risk, NBD.

Each org running a "managed" using a third party platform should pull th…
bugbounty  from twitter_favs
august 2019 by acdha
