Tools

Which CVEs are the hottest?

CVE trends is a fun project that ranks recent CVEs based on how many people talk about them on Twitter. Well, I know that the Twitter audience isn't the most important factor of any vulnerability, but it is an indication of how many people are affected by the bug...

Finding postMessage bugs with DOM Invader

As promised in the last issue, here’s the tutorial on using DOM Invader for tracking and fiddling with postMessages. This tool is really awesome and it does make finding this type of bug absurdly easy. postMessage 101: Let’s start with the explanation of what...

WebSocket security scanner

Basics of WebSockets and Cross-site WebSocket Hijacking were already covered in the BBRE Premium, here’s the link in case you missed it. Today, we’ll take a look at automating scanning for WebSocket bugs. I’ve watched the whole talk from AppSec by Erik Elbieh about...

TruffleHog V3

TruffleHog is one of the most common tools that you can use for scanning repositories to find secrets. It recently got even more powerful with the v3 version. It now supports over 600 credential detectors. Moreover, apart from returning the key, TruffleHog will make a...

Python as an HTTP client for hacking

Sometimes, you want to test a functionality but it is too complex to automate with Burp. For example, it requires a few requests or some specific transformation. Maybe some people can do magic with Burp’s macros, but I am not one of them. That’s why in these specific...

Writing sqlmap tamper scripts

Sqlmap is a fantastic tool for exploiting SQL injections, which seem to have received a second life recently. I remember that for a long time, when built-in sqlmap tamper scripts didn’t work for bypassing a filter, I defaulted towards writing my own script in Python...