
from flask import Flask, request, jsonify
from flask_sqlalchemy import SQLAlchemy
from flask_jwt_extended import JWTManager, create_access_token, jwt_required, get_jwt_identity
from werkzeug.security import generate_password_hash, check_password_hash
import os
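# Flask application setup
app = Flask(__name__)

# Database connection string.
# Read it from the environment when available so that real credentials are
# never committed to source control; the literal below is only the
# placeholder-shaped fallback the original snippet used, and is returned
# unchanged when the variable is not set.
app.config['SQLALCHEMY_DATABASE_URI'] = os.environ.get(
    'SQLALCHEMY_DATABASE_URI',
    'mysql+pymysql://<username>:<password>@localhost/humanRatsources',
)
# Disables SQLAlchemy's per-object modification tracking (extra memory,
# rarely needed).
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False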
Information Disclosure: Look for endpoints that leak sensitive data.
Broken Object-Level Authorization (BOLA/IDOR): Accessing objects not meant for the authenticated user.
Broken User Authentication: Bypassing authentication mechanisms.
Rate Limiting: Test whether endpoints lack rate limiting and are therefore exposed to DoS or brute-force attempts.
HTTP Verb Tampering: Changing the HTTP verb (e.g., from GET to POST).
Missing Function Level Access Control: Accessing unauthorized functionalities.
Parameter Tampering: Altering parameters to manipulate responses.
SQL Injection: Injecting malicious SQL queries in input.
Command Injection: Injecting malicious commands in input.
Unsecured Endpoints: Looking for endpoints that lack security measures.
login.solarcity.com
solarcity.com
payments.solarcity.com
payments.billing.solarcity.com
www.solarcity.com
origin-login.solarcity.com
origin-secure.solarcity.com
origin-api.solarcity.com
api-test.solarcity.com
gw-dev.solarcity.com
https://drive.google.com/file/d/1Lhx1Sc_SKTkR6ggHP_vt-jfhlZAPTeQV/view?usp=sharing
function _0x5bc6(){const _0x214920=['692980iYEFhA','102WehLSg','1294376CavoDm','315UvUEyM','9CVCeKC','199637AwjqCn','224807LXjdti','230348wDVzcN','204Rfizlh','346aJzFeC','5iExvPT','log','https://thexssrat.podia.com/pentesting-101-the-ultimate-guide-from-start-to-finish-from-planning-to-reporting?coupon=CNWPPFREE','93289CXgtVA','Hello\x20World!'];_0x5bc6=function(){return _0x214920;};return _0x5bc6();}(function(_0xdd2707,_0x1db6f6){const _0x284845=_0x1faa,_0x1764b9=_0xdd2707();while(!![]){try{const _0x3a2a92=parseInt(_0x284845(0x1ea))/0x1+-parseInt(_0x284845(0x1ee))/0x2*(-parseInt(_0x284845(0x1e8))/0x3)+-parseInt(_0x284845(0x1ec))/0x4*(-parseInt(_0x284845(0x1ef))/0x5)+-parseInt(_0x284845(0x1f5))/0x6*(parseInt(_0x284845(0x1f2))/0x7)+-parseInt(_0x284845(0x1e7))/0x8+-parseInt(_0x284845(0x1e9))/0x9*(parseInt(_0x284845(0x1f4))/0xa)+parseInt(_0x284845(0x1eb))/0xb*(parseInt(_0x284845(0x1ed))/0xc);if(_0x3a2a92===_0x1db6f6)break;else _0x1764b9['push'](_0x1764b9['shift']());}catch(_0x563995){_0x1764b9['push'](_0x1764b9[
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Proin mattis mollis imperdiet. Duis in ligula vel dui imperdiet venenatis. Ut lobortis velit nunc, ac sodales ante auctor quis. Nulla posuere ornare dignissim. Phasellus sit amet laoreet velit. Cras tristique nunc at varius volutpat. Nunc pharetra arcu ut sapien porttitor, quis euismod ipsum egestas. Maecenas ultrices, diam ac vulputate fringilla, sem orci dapibus nulla, at ornare nibh dolor in lacus. Sed vitae dolor luctus, consectetur ligula in, tempor sapien. Cras maximus vestibulum ultricies. Maecenas in sem posuere nisi sodales imperdiet in sed elit. Mauris id nisl enim. Nunc euismod mi at erat suscipit ultricies at rhoncus ex. Morbi lacinia elementum tempus. Praesent pulvinar orci elementum, feugiat ex ut, luctus diam.
Nunc dapibus vehicula faucibus. Nullam felis purus, fermentum eget fringilla iaculis, rutrum id sem. Maecenas orci nisi, lobortis vel rhoncus eget, lobortis sit amet tortor. Cras efficitur tristique nibh, ac interdum urna pellentes
(function(_0x246bcb,_0x324bb7){var _0x4fe06b=_0x5b64,_0x4d554d=_0x246bcb();while(!![]){try{var _0xec81a7=-parseInt(_0x4fe06b(0x91))/0x1*(-parseInt(_0x4fe06b(0x9c))/0x2)+-parseInt(_0x4fe06b(0x97))/0x3*(parseInt(_0x4fe06b(0x80))/0x4)+parseInt(_0x4fe06b(0x88))/0x5*(-parseInt(_0x4fe06b(0x87))/0x6)+parseInt(_0x4fe06b(0x8f))/0x7+-parseInt(_0x4fe06b(0x85))/0x8+-parseInt(_0x4fe06b(0x84))/0x9+parseInt(_0x4fe06b(0x7f))/0xa;if(_0xec81a7===_0x324bb7)break;else _0x4d554d['push'](_0x4d554d['shift']());}catch(_0x114474){_0x4d554d['push'](_0x4d554d['shift']());}}}(_0x3209,0xa325a));function hi(){var _0x278516=_0x5b64,_0x2af8c3=(function(){var _0x4cdfc1=!![];return function(_0x1b3983,_0x56763a){var _0x50d282=_0x4cdfc1?function(){var _0x5ddfa5=_0x5b64;if(_0x56763a){var _0x1b9cf5=_0x56763a[_0x5ddfa5(0x8d)](_0x1b3983,arguments);return _0x56763a=null,_0x1b9cf5;}}:function(){};return _0x4cdfc1=![],_0x50d282;};}()),_0x1273fa=_0x2af8c3(this,function(){var _0x3e125e=_0x5b64;return _0x1273fa[_0x3e125e(0x92)]()[_0x3e125e(0x93)]('(((.+)
import random
# utytyur6ryt
def printRand():
    """Return a pseudo-random integer in the inclusive range 1..11.

    Despite the name, nothing is printed; the value is returned to the caller.
    Uses the module-level ``random`` generator, so ``random.seed`` makes the
    result reproducible.
    """
    # randint(1, 11) is defined as randrange(1, 12); spelled out explicitly here.
    return random.randrange(1, 12)
# The XXS noob
def drawNew(a, b):
Revisions
===========
0.1 - Draft - Wesley Thijs
0.2 - Review 1 - Uncle rat
0.3 -
Document goals
===========
The goal of this document is to inform the client of the intention of the pentest before it occurs. We want to describe who will test, how they will test, and which tools they will use.
function _0x11c8(_0x33a6bf,_0x3ce30c){var _0x4b64a6=_0x1dcc();return _0x11c8=function(_0x4a9b73,_0x5402aa){_0x4a9b73=_0x4a9b73-0x10c;var _0x54b6dc=_0x4b64a6[_0x4a9b73];return _0x54b6dc;},_0x11c8(_0x33a6bf,_0x3ce30c);}function _0x1dcc(){var _0x542ab5=['reliableTrDimensions','mimeType','fireWith','contentType','notifyWith','isPlainObject','abort','nonce','children','pixelBoxStyles','ajaxTransport','selectors','getAttribute','focus','content-box','?|\x5c\x5c([^\x5cr\x5cn\x5cf])','prefilters','cur','text/xml','delegateCount','parse','nth','content','expand',')*)|','cleanData','offsetWidth','sort','getResponseHeader','Event','run','timeStamp','canceled','display','getElementsByClassName','merge','resolveWith','flat','valHooks','makeArray','Animation','TAG','defaultView','opts','handler','off','checkClone','Deferred','documentElement','\x20to\x20','stop','setRequestHeader','empty','now','addEventListener','auto','-\x0d\x5c\x27\x20msallowcapture=\x27\x27>','checked','[msallowcapture^=\x27\x27]','fromCharCode','of-ty