Skip to content

Instantly share code, notes, and snippets.

View xElkomy's full-sized avatar
🎯
Focusing

Khaled Mohamed xElkomy

🎯
Focusing
161 followers · 288 following
View GitHub Profile
@irsdl
irsdl / get_access_token_from_proxy.java
Created August 29, 2025 20:56
This is an example of a Burp Suite Action Script that can be used in Repeater. It extracts the `access_token` parameter from the most recent matching request in the Proxy tab and updates the Authorization Bearer header with the new value.
// @irsdl
// === Config: set what you want to match ===
final String TARGET_HOST = "oauth.example.io"; // target domain
final String PATH_PREFIX = "/auth/realms/onba/openid-connect/token"; // match exact or any child path
final short STATUS_CODE = 200; // match the status code where the response has access_token
// Build a ProxyHistoryFilter that only matches completed host+path hits
burp.api.montoya.proxy.ProxyHistoryFilter filter = new burp.api.montoya.proxy.ProxyHistoryFilter() {
@Override
public boolean matches(burp.api.montoya.proxy.ProxyHttpRequestResponse rr) {
@sinceohsix
sinceohsix / Installing LiveContainer+Sidestore.md
Last active April 28, 2026 19:45
Installing LiveContainer+SideStore from start to finish.

✴️ How to sideload with SideStore and LiveContainer

Last Edited: Mar 30, 2026 @ 7:45AM PST · Supports iOS versions 15.0 - 26.3

Make sure you are always using up-to-date guides to ensure full compatibility. The official SideStore documentation can be found here in case anything changes. For additional information and credits, scroll to the bottom of this page.

Important • iOS 26.4 broke the method used by SideStore and this tutorial to refresh apps. A new guide will come soon for people on iOS 26.4 once the necessary tools are available.

👋 Hello again, r/sideloaded!

@SecFathy
SecFathy / tool.py
Created June 9, 2025 13:33
Identify and confirm reflected XSS vulnerabilities using parameter discovery + AI-based validation (via Gemini API).
import warnings
from urllib3.exceptions import NotOpenSSLWarning
warnings.filterwarnings("ignore", category=NotOpenSSLWarning)
import subprocess
import requests
import urllib.parse
import json
import os
from datetime import datetime
@hackermondev
hackermondev / research.md
Last active April 30, 2026 19:12
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform

hi, i'm daniel. i'm a 15-year-old high school junior. in my free time, i hack billion dollar companies and build cool stuff.

3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds--and you wouldn't even know.

I'm publishing this writeup and research as a warning, especially for journalists, activists, and hackers, about this type of undetectable attack. Hundreds of applications are vulnerable, including some of the most popular apps in the world: Signal, Discord, Twitter/X, and others. Here's how it works:

Cloudflare

By the numbers, Cloudflare is easily the most popular CDN on the market. It beats out competitors such as Sucuri, Amazon CloudFront, Akamai, and Fastly. In 2019, a major Cloudflare outage k

@BryceEWatson
BryceEWatson / clean-reporter.js
Created December 13, 2024 19:38
Jest clean-reporter.js file to clean up output and prevent Websurf / Cascade chat failure
// clean-reporter.js
class CleanReporter {
constructor(globalConfig, options) {
this._globalConfig = globalConfig;
this._options = options;
this._failedTests = [];
this._totalTests = 0;
this._passedTests = 0;
this._failedTestsCount = 0;
}
@mikl0s
mikl0s / globalGuidelines.md
Created December 13, 2024 11:23
Windsurf global guidelines

Windsurf Custom Instructions

Role and Expertise

You are Windsurf, a world-class full-stack developer and UI/UX designer. Your expertise covers:

  • Rapid, efficient application development
  • The full spectrum from MVP creation to complex system architecture
  • Intuitive and beautiful design
@hackermondev
hackermondev / zendesk.md
Last active April 30, 2026 19:35
1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies

hi, i'm daniel. i'm a 15-year-old with some programming experience and i do a little bug hunting in my free time. here's the insane story of how I found a single bug that affected over half of all Fortune 500 companies:

say hello to zendesk

If you've spent some time online, you’ve probably come across Zendesk.

Zendesk is a customer service tool used by some of the world’s top companies. It’s easy to set up: you link it to your company’s support email (like [email protected]), and Zendesk starts managing incoming emails and creating tickets. You can handle these tickets yourself or have a support team do it for you. Zendesk is a billion-dollar company, trusted by big names like Cloudflare.

Personally, I’ve always found it surprising that these massive companies, worth billions, rely on third-party tools like Zendesk instead of building their own in-house ticketing systems.

your weakest link

@poyotanp
poyotanp / how-to-disable-middle-click-paste.md
Last active April 26, 2026 21:06
How to disable middle-click paste in KDE Plasma (Wayland)

Environment

  • Arch Linux
  • KDE Plasma 6.1.5 (Wayland)

Solution

For native Wayland applications

  1. open the KDE system settings
  2. select "Workspace" -> "General Behavior"
@armenr
armenr / clipsync.sh
Last active October 31, 2025 02:01
ClipSync (2-way clipboard sync between Wayland and X11 + cliphy support)
#!/usr/bin/env sh
#
# Two-way clipboard syncronization between Wayland and X11, with cliphy support!
# !! Recommended use: Drop this file off @ /usr/local/bin/clipsync && make it executable
# Requires: wl-clipboard, xclip, clipnotify.
# Modified from: https://github.com/hyprwm/Hyprland/issues/6132#issuecomment-2127153823
#
# Usage:
# clipsync watch [with-notifications|without-notifications] - run in background.
# clipsync stop - kill all background processes.
@jhaddix
jhaddix / endpoints bookmarklet
Last active April 28, 2026 08:12
javascript:(function(){var scripts=document.getElementsByTagName("script"),regex=/(?<=(\"|\%27|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\%60))/g,jsRegex=/(?<=(\"|\'|\%60))(?:\/|https?:\/\/)[a-zA-Z0-9_?&=\/\-\#\.]+\.js(?:\?[^"'%60]*)?(?=(\"|\'|\%60))/g;const results=new Set;const paramMap=new Map();const jsFiles=new Set();function processContent(t,src){var e=t.matchAll(regex);for(let r of e){results.add(r[0]);var params=r[0].split('?')[1];if(params){params.split('&').forEach(param=>{var [key,]=param.split('=');if(key){if(!paramMap.has(key)){paramMap.set(key,[]);}paramMap.get(key).push(src||'Inline script or HTML');}});}}var j=t.matchAll(jsRegex);for(let r of j){jsFiles.add(r[0]);}}for(var i=0;i<scripts.length;i++){var t=scripts[i].src;if(t){jsFiles.add(t);fetch(t).then(function(t){return t.text()}).then(text=>processContent(text,t)).catch(function(t){console.log("An error occurred: ",t)});}else{processContent(scripts[i].textContent);}}var pageContent=document.documentElement.outerHTML;processContent(pageContent