Recent content by Prapattimynk

  1. Prapattimynk

    Loki - Node JS C2 for backdooring vulnerable Electron applications

    Stage 1 C2 for backdooring Electron applications to bypass application controls. This technique abuses the trust of signed vulnerable Electron applications to gain execution on a target system. Description At runtime, an Electron application reads JavaScript files, interprets their code and...
  2. Prapattimynk

    ZeroHuntAI - AI-Powered Vulnerability Scanner

    ZeroHuntAI is an advanced, modular, and extensible source code vulnerability scanner designed to detect exploits and security weaknesses in local directories or GitHub repositories. Leveraging static code analysis, pattern matching, and AI-driven risk scoring, ZeroHuntAI empowers developers and...
  3. Prapattimynk

    smugglo – Bypass Email Attachment Restrictions with HTML Smuggling

    An easy-to-use script for wrapping files into self-dropping HTML payloads to bypass content filters. Features One-file payload: Wrap any file into a single self-contained HTML file Automatic extraction: The generated HTML auto-extracts and downloads the file when opened (no clicks needed) Data...
  4. Prapattimynk

    403 Bypass Payloads And Tricks

    Below is an extensive and updated reference for 403 (Forbidden) bypass techniques and tricks for bug bounty hunters and penetration testers. Url Manipulation Methods Seclists jhaddix list Below are the top 77 ways to bypass access control on incorrectly protected pages. These work best on...
  5. Prapattimynk

    Certified Red Team Operator (CRTO) - Notes

    Name : CRTO - Red Teaming Command Cheat Sheet (Cobalt Strike) Course Link : https://training.zeropointsecurity.co.uk/courses/red-team-ops Original Cheatsheet Link : https://github.com/0xn1k5/Red-Teaming/blob/main/Red Team Certifications - Notes %26 Cheat Sheets/CRTO - Notes %26 Cheat Sheet.md...
  6. Prapattimynk

    Search for all leaked keys/secrets using one regex!

    ((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps...
  7. Prapattimynk

    Go Defender - Make Your Malware More Stealthy

    This Go package provides functionality to detect and defend against various forms of debugging tools and virtualization environments. By the way, for quick setup, run install.bat. Anti-Virtualization Triage Detection: Detects if the system is running in a triage or analysis environment...
  8. Prapattimynk

    SubCat - Lightning-fast passive subdomain discovery tool

    SubCat is a powerful subdomain discovery tool that passively aggregates data from a variety of online sources to identify valid subdomains for websites. Designed with a modular and efficient architecture, SubCat is ideal for penetration testers, bug bounty hunters, and security researchers...
  9. Prapattimynk

    OSCP - Example Cheat Sheet

    The GitHub repository OSCP serves as a comprehensive documentation of the author's journey toward achieving the Offensive Security Certified Professional (OSCP) certification. This certification is renowned in the cybersecurity community for its rigorous, hands-on approach to ethical hacking and...
  10. Prapattimynk

    DOMPurify - DOM-only, Super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG

    DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Edge, Firefox and Chrome - as well as almost anything else using Blink, Gecko or WebKit). It doesn't break on MSIE or other legacy browsers. It simply does nothing. Note that DOMPurify v2.5.8 is the...
  11. Prapattimynk

    Phpsploit - Full-featured C2 Framework Which Silently Persists On Webserver

    Full-featured C2 framework which silently persists on webserver with a single-line PHP backdoor Overview The obfuscated communication is accomplished using HTTP headers under standard client requests and web server's relative responses, tunneled through a tiny polymorphic backdoor: <?php...
  12. Prapattimynk

    Loxs - Best Tool for finding SQLi, CRLF, XSS, LFi, OpenRedirect

    Loxs is an easy-to-use tool that finds web issues like LFI - OR - SQLi - XSS - CRLF. Download Loxs. Features | About: LFI Scanner | Detect Local File Inclusion vulnerabilities. OR Scanner | Identify Open Redirect vulnerabilities. SQL Scanner | Detect SQL Injection vulnerabilities. XSS...
  13. Prapattimynk

    ZeusLeak - Browser Extension That Automatically Detects Leaked Secrets and Credentials in code while Browsing

    ZeusLeak is a browser extension that automatically detects leaked secrets and credentials in code while browsing. Features Detects various types of leaked credentials (API keys, OAuth tokens, private keys, etc.). Supports major platforms like AWS, Google, GitHub, Slack, and more. Provides...
  14. Prapattimynk

    Telegram Evilvideo HacK Your Android Phone Exploit (Unpatched)

    This article examines a scenario that works similarly to the CVE-2024-7014 vulnerability. A file with an ".htm" extension is disguised as a video and sent via the Telegram API, and while the user expects a video, the JavaScript code inside the HTML is actually executed. Video: Technical...
  15. Prapattimynk

    OSCE³ and OSEE Study Guide

    OSWE, OSEP, OSED, OSEE OSWE Content Web security tools and methodologies Source code analysis Persistent cross-site scripting Session hijacking .NET deserialization Remote code execution Blind SQL injections Data exfiltration Bypassing file upload restrictions and file extension filters PHP...