Posts from @tutorialboy24
Story
@tutorialboy24 shared a post, 2 years, 3 months ago

An Authentication Bypass Vulnerabilities Methodologies

Overview

Authentication Bypass Vulnerabilities are common flaws in web applications today, but they are not always easy to find. With the continuous development of technology and the integration of various platforms, traditional authentication methods are gradually decreasing. The new authentication..

Story
@tutorialboy24 shared a post, 2 years, 8 months ago

A Summary of Fuzzing Tools and Dictionaries For Bug Bounty Hunters

Introduction

Testing for vulnerabilities by manually entering input can be unmanageable. In this day and age, when people are short on time and patience, the idea of manually providing input to find bugs/holes in a target can be overwhelming.

To ease this problem and save time, fuzzing can be a big advantage. Fuzzing is an automated process where all the heavy lifting is handled by a fuzzing tool. All the analyst has to do is review the responses, timing, and status codes when the process is complete.

Consider a site with many input fields to test for XSS. In the manual method, we feed XSS payloads into each input field one by one, which quickly becomes unmanageable.

Fuzzing is the process or technique of sending multiple requests to a target website within a certain time interval. In other words, it is also similar to brute force.

Story
@tutorialboy24 shared a post, 2 years, 9 months ago

A Remote Code Execution in JXPath Library (CVE-2022-41852)

Secured JXPath Functions PoC

Using pathContext.setFunctions(new FunctionLibrary()); we replace the default with an empty function library, so the exploit payloads mentioned above will not work. Sending one of the payloads will lead to JXPathFunctionNotFoundException.

Conclusion

If your application is af..

Story
@tutorialboy24 shared a post, 2 years, 9 months ago

Spring Actuator - Finding Actuators using Static Code Analysis - Part 2

Source: https://tutorialboy24.blogspot.com/2022/10/spring-actuator-finding-actuators-using.html

In the first part of this series, we discussed the risks inherent in exposing the Actuator functionality of the Spring framework. If you haven't read that part yet, I recommend that you do so b..

Story
@tutorialboy24 shared a post, 2 years, 9 months ago

Android Security : A Checklist For Exploiting WebView

In this case, you must first validate the URL and only then set the cookie. For example, if a sensitive cookie is set for the attacker’s domain but is not loaded immediately, this still poses a threat, because this domain can be opened elsewhere in the app (remember that in one app all We..

Story
@tutorialboy24 shared a post, 2 years, 9 months ago

Spring Actuator - Stealing Secrets Using Spring Actuators - Part 1:

Amazon Web Services Blogger Bugcrowd InfoSec Writeups

Spring is a set of frameworks for developing applications in Java. It is widely used, and so it is not unusual to encounter it during a security audit or penetration test. One of its features that I recently encountered during a white-box audit is actuators. In this series of articles, I will use the..

Story
@tutorialboy24 shared a post, 2 years, 9 months ago

Turning cookie based XSS into account takeover

Amazon Web Services Blogger Bugcrowd Firebase JavaScript Infovis Toolkit

Epilogue

I reported the exploitation scenario and was rewarded €500, as the impact was high. Be patient, don’t give up, and think out of the box. In this case, I used the company’s service to exploit the bug.

Source: https://tutorialboy24.blogspot.com/2022/09/turning-cookie-based-xss-into-account.ht..

Activity
@tutorialboy24 added new tool InfoSec Writeups, 2 years, 9 months ago.
Story
@tutorialboy24 shared a post, 2 years, 9 months ago

Exploiting Amazon Simple Notification Service Improper Validation of SigningCertUrl

Amazon Associates Amazon EC2 Amazon Web Services Blogger Amazon CloudWatch

Introduction

Countless applications rely on Amazon Web Services’ Simple Notification Service for application-to-application communication such as webhooks and callbacks. To verify the authenticity of these messages, these projects use certificate-based signature validation based on the SigningCertURL..

News
@tutorialboy24 shared an update, 2 years, 10 months ago

The Blind Exploits To Rule Watchguard Firewalls Vulnerabilities