1138 matches found
Cloudflare: // (double slash) inside es6 template literals interpreted as an inline comment by the auto-minifier
The following is valid javascript: var a = //; So is this: var url = https://hackerone.com; However, Cloudflare's auto-minifier removes the parts of both lines including and after the //, meaning in production, they look like this: var a = var url = https: This can either straight up break or...
Fsociety Hacking Tools Pack
Fsociety Menu Information Gathering Password Attacks Wireless Testing Exploitation Tools Sniffing & Spoofing Web Hacking Private Web Hacking Post Exploitation INSTALL & UPDATE Information Gathering : Nmap Setoolkit Port Scanning Host To IP wordpress user CMS scanner XSStracer Dork – Google Dorks...
V3n0M-Scanner - Popular Pentesting scanner for SQLi/XSS/LFI/RFI and other Vulns
V3n0M is a free and open source scanner. Evolved from baltazar's scanner, it has adapted several new features that improve fuctionality and usability. It is mostly experimental software. This program is for finding and executing various vulnerabilities. It scavenges the web using dorks and...
Unikrn: session_id is not being validated at email invitation endpoint
sessionid is not being validated at email invitation endpoint request sample: POST /apiv1/inviteemail HTTP/1.1 Host: unikrn.com User-Agent: Mozilla/5.0 Windows NT 6.1; Win64; x64; rv:57.0 Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, / Accept-Language: en-US,en;q=0.5...
Popular Pentesting Scanner: v3n0m
v3n0m is a free and open source scanner. Evolved from baltazar’s scanner, it has adapted several new features that improve functionality and usability. It is mostly experimental software. This program is for finding and executing various vulnerabilities. It scavenges the web using dorks and...
Striker - Offensive Information And Vulnerability Scanner
Striker is an offensive information and vulnerability scanner. Features Just supply a domain name to Striker and it will automatically do the following for you: Check and Bypass Cloudflare Retrieve Server and Powered by Headers Fingerprint the operating system of Web Server Detect CMS 197+ CMSs a...
jQuery Official Blog Hacked — Stay Calm, Library is Safe!
The official blog of jQuery—most popular JavaScript library used by millions of websites—has been hacked by some unknown hackers, using the pseudonym "str0ng" and "n3tr1x." jQuery's blog website blog.jquery.com runs on WordPress—the world's most popular content management system CMS used by...
Hacker Hijacks CoinHive's DNS to Mine Cryptocurrency Using Thousands of Websites
When yesterday I was reporting about the sudden outbreak of another global ransomware attack 'Bad Rabbit,' I thought what could be worse than this? Then late last night I got my answer with a notification that Coinhive has been hacked — a popular browser-based service that offers website owners t...
Blazy - Modern Login Bruteforcer Which Also Tests For CSRF, Clickjacking, Cloudflare and WAF
Blazy is a modern login page bruteforcer. Features Easy target selections Smart form and error detection CSRF and Clickjacking Scanner Cloudflare and WAF Detector 90% accurate results Checks for login bypass via SQL injection Multi-threading 100% accurate results Better form detection and...
CloudFlare Boots Off Torrent Site For Using Cryptocurrency Miner
By Waqas CloudFlare says sites running mining code without notifying users are considered to This is a post from HackRead.com Read the original post: CloudFlare Boots Off Torrent Site For Using Cryptocurrency Miner...
Cloudflare CTO Goes Inside the Cloudbleed Bug
MADRID—John Graham-Cumming presided over a confessional Wednesday at Virus Bulletin 2017. Cloudflare’s chief technology officer was frank and apologetic about February’s Cloudbleed bug, which leaked memory from the content delivery network that included internal private keys and authentication...
cFire: IP Discovery for Domains behind Cloudflare
PenTestIT RSS Feed If you remember, I blogged about a CloudFail and HatCloud earlier. Those tools help you find the IP addresses of systems that are protected/behind Cloudflare. This post is about a new tool on the block - cFire, which just does not stop at detecting the systems restricted using...
The WireX Botnet: An example of cross-organizational cooperation
Introduction On August 17th, 2017, multiple Content Delivery Networks CDNs and content providers were subject to significant attacks from a botnet dubbed WireX. The botnet is named for an anagram for one of the delimiter strings in its command and control protocol. The WireX botnet comprises...
Russia boots off DailyStormer and CloudFlare removes DDoS protection
By Waqas It looks like the racist and neo-nazi website DailyStormer has no This is a post from HackRead.com Read the original post: Russia boots off DailyStormer and CloudFlare removes DDoS protection...
Discourse: CSRF-tokens on pages without no-cache headers, resulting in ATO when using CloudFlare proxy (Web Cache Deception)
Hi, I noticed this issue on one of your clients which was using CloudFlare in front of their Discourse. This is not affecting try.discourse.org but the same underlying issue can be seen there as well even though it's not exploitable on that specific domain. The TL;DR of issue is basically:...
Unikrn: Non-Cloudflare IPs allowed to access origin servers
Summary: Non-Cloudflare IPs allowed to access origin servers Description: Your origin servers are not blocking access from non-Cloudflare servers. This way crawlers can find your origin servers' IPs by checking random IPs until they found your origin servers. What makes this especially easy are...
Cloudflare: SSRF
Hi i make report grabtaxi for SSRF But grabtaxi answer me coffeecup closed the report and changed the status to Not Applicable. Jul 26th 2 hrs ago Hello @linkks - After further review, we have determined that this is not SSRF on any of our web properties or assets. All IP's mentioned in this repo...
Subdomain Enumeration Using Censys & Crtsh!
PenTestIT RSS Feed If you read my last post about V1D0m and liked it, I'm sure you will LOVE this post. As you will remember, the older post was about subdomain enumeration using VirusTotal, this post is about enumerating subdomains and DNS information using the following services: CloudFlare,...
Privacy Activists Suffer Legal Setback In National Security Letter Case
Privacy activists suffered a legal blow when a panel of California appeals court judges ruled Monday the Federal Bureau of Investigation could continue its practice of secretly issuing National Security Letter NSL requests for customer data from communications firms. The case involved a challenge...
CloudFail - Utilize misconfigured DNS and old database records to find hidden IP's behind the CloudFlare network
CloudFail is a tactical reconnaissance tool which aims to gather enough information about a target protected by CloudFlare in the hopes of discovering the location of the server. Using Tor to mask all requests, the tool as of right now has 3 different attack phases. 1. Misconfigured DNS scan usin...