Skip to content

Instantly share code, notes, and snippets.

const commonPaths = [
"/data/local/bin/su",
"/data/local/su",
"/data/local/xbin/su",
"/dev/com.koushikdutta.superuser.daemon/",
"/sbin/su",
"/system/app/Superuser.apk",
"/system/bin/failsafe/su",
"/system/bin/su",
"/su/bin/su",
@Fatimas1997
Fatimas1997 / intercept-HTTP-requests-from-Flutter-apps.md
Created October 9, 2023 21:31
How to intercept HTTP traffic from a Flutter application with Burp (Android and iOS)

Intercepting traffic on Android and iOS Flutter applications

I recently stumbled upon an application developed with Flutter, and since it was my first time seeing it, I surprisingly couldn't intercept its requests. After some digging on google, I created this tutorial with the steps that personally worked for me and I wanted to share them in hope to help someone else. Note that the applications that I tested didn't have certificate pinning implemented. I'll update this file once I get to test an application that has it (if I'll be able to bypass it 😃 ).
To simplify the explanation I refer to the machine that hosts Burp as Kali, but you can use whatever linux machine you want.

Android:

There are 2 ways to intercept HTTP connections from a Flutter application installed on an Android device (I'm sure there are more but these are the ones I know). Intercepting requests by changing the proxy settings of the device, through the classic settings of Android, doesn't work in this case, since Flutter applic

@deadbits
deadbits / Instruction-Bypass.yara
Last active May 1, 2025 10:50
Prompt injection datasets
rule Instruction_Bypass: PromptInjection
{
meta:
category = "Instruction Bypass"
description = "Detects phrases used to ignore, disregard, or bypass instructions."
strings:
$bypass_phrase = /(Ignore|Disregard|Skip|Forget|Neglect|Overlook|Omit|Bypass|Pay no attention to|Do not follow|Do not obey)\\s*(prior|previous|preceding|above|foregoing|earlier|initial)?\\s*(content|text|instructions|instruction|directives|directive|commands|command|context|conversation|input|inputs|data|message|messages|communication|response|responses|request|requests)\\s*(and start over|and start anew|and begin afresh|and start from scratch)?/
condition:
@numanturle
numanturle / frida.js
Created May 3, 2023 10:50
ssl-root-bypass
setTimeout(function() {
Java.perform(function() {
console.log('');
console.log('======');
console.log('[#] Android Bypass for various Certificate Pinning methods [#]');
console.log('======');
var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
var SSLContext = Java.use('javax.net.ssl.SSLContext');
@incogbyte
incogbyte / mixunpin.js
Last active June 29, 2025 09:53
Frida script to bypass common methods of sslpining Android
console.log("[*] SSL Pinning Bypasses");
console.log(`[*] Your frida version: ${Frida.version}`);
console.log(`[*] Your script runtime: ${Script.runtime}`);
/**
* by incogbyte
* Common functions
* thx apkunpacker, NVISOsecurity, TheDauntless
* Remember that sslpinning can be custom, and sometimes u need to reversing using ghidra,IDA or something like that.
* !!! THIS SCRIPT IS NOT A SILVER BULLET !!
@azu
azu / javascript-protocol-XSS.md
Last active January 15, 2025 11:13
<a href=javascript:alert(1) traget=_blank>XSS</a> behavior in modern browser.

Almost browsers prevent to XSS that is using javascript: protocol.

<a href=javascript:alert(location.origin) traget=_blank>XSS</a>

Demo: https://nuvjcp.csb.app/

Summary

@ignis-sec
ignis-sec / lol.html
Created September 23, 2021 22:03
alert() without letters or numbers
<script>
/*
〱='',〳=〱,ᘓ=〱+{},ᘒ=〱+[][[]],〱+=[〱==〱],〳+=[!〱],ᘑ=+[],ᘐ=+!+[],ᘔ=ᘐ+ᘐ,ᘕ=ᘔ+ᘐ,ᘖ=ᘔ+ᘕ,ᘖ+=ᘖ+ᘖ+ᘔ,ᘗ=ᘖ+ᘐ,ᘘ=ᘓ[ᘔ+ᘕ],ᘙ=ᘓ[ᘐ],ᘚ=〱[ᘐ],ᘲ=〱[ᘑ],ᘳ=ᘘ+ᘙ+ᘒ[ᘐ]+〳[ᘕ]+ᘲ+ᘚ+ᘒ[ᘑ]+ᘘ+ᘲ+ᘙ+〱[ᘐ],ᘰ=[][ᘳ][ᘳ],ᘏ=''+ᘰ,ᘎ=〳[ᘐ]+〳[ᘔ]+〱[ᘕ]+ᘚ+ᘲ+ᘏ[ᘖ]+ᘏ[ᘗ],ᘰ`ᘳ${ᘎ}```
*/
〱=''
〳=〱 //''
ᘓ=〱+{} //'[object Object]' <- '' + [object Object]
ᘒ=〱+[][[]] //'undefined' <- '' + undefined
@BlockByBlock
BlockByBlock / rari-capital-checklist.txt
Last active June 11, 2023 18:23
Solidity Smart Contract checklist
security-checklist
Opinionated security and code quality checklist for Solidity smart contracts. Based off the BentoBox checklist.
Variables
V1 - Can it be private?
V2 - Can it be constant?
V3 - Can it be immutable/constant?
V4 - Is visibility set? (SWC-108)
V5 - Is the purpose of the variable and other important information documented using natspec?
Structs
@n1snt
n1snt / Oh my ZSH with zsh-autosuggestions zsh-syntax-highlighting zsh-fast-syntax-highlighting and zsh-autocomplete.md
Last active July 3, 2025 15:46
Oh my ZSH with zsh-autosuggestions zsh-syntax-highlighting zsh-fast-syntax-highlighting and zsh-autocomplete.md

Oh my zsh.

Oh My Zsh

Install ZSH.

sudo apt install zsh-autosuggestions zsh-syntax-highlighting zsh

Install Oh my ZSH.

@kawing-ho
kawing-ho / aem-list.txt
Created July 15, 2021 23:08
by @z0idsec
///bin///wcm///search///gql.json?query=type:base%20limit:..1&pathPrefix=
/security/.5..json?debug=layout
/online/.-1..json
/bin/querybuilder.json.css?path=/home/&p.limit=8
/bin/querybuilder.json?path=/libs/
/bin/querybuilder.json?path=/content
/bin/querybuilder.json?path=/content/test/test/en_nz/security/
/bin/querybuilder.json?path=/crx/&p.hits=full&p.limit=50
/bin/querybuilder.json?path=/home&p.hits=full&p.limit=-1
/bin/querybuilder.json?fulltext=admin&p.limit=30