🚀 Just released Reflix!
It takes a list of URLs, discovers parameters, and fuzzes them using discovered parameters support custom wordlists.
Supports multithreading, custom headers, proxy, and request delays.
Link : https://github.com/nexovir/reflix
#WebSecurity #BugBounty #EthicalHacking #BugBounty_tools
@zerosec_team
It takes a list of URLs, discovers parameters, and fuzzes them using discovered parameters support custom wordlists.
Supports multithreading, custom headers, proxy, and request delays.
Link : https://github.com/nexovir/reflix
#WebSecurity #BugBounty #EthicalHacking #BugBounty_tools
@zerosec_team
❤4🔥2
❌ BullShit Books :
1. Bug Bounty Bootcamp – Vickie Li
2. Web Hacking 101 – Peter Yaworski
3. Real-World Bug Hunting – Peter Yaworski
4. The Basics of Hacking and Penetration Testing – Patrick Engebretson
5. Penetration Testing: A Hands-On Introduction to Hacking – Georgia Weidman
6. Hacking Web Apps – Mike Shema
7. The Hacker Playbook 1 – Peter Kim
8. Gray Hat Hacking
#BugBounty #InfoSec #CyberSecurity #WebSecurity #HackThePlanet #RedTeam #BullshitBooks #CTF #EthicalHacking #HackTip
⭐️ @ZeroSec_team
1. Bug Bounty Bootcamp – Vickie Li
2. Web Hacking 101 – Peter Yaworski
3. Real-World Bug Hunting – Peter Yaworski
4. The Basics of Hacking and Penetration Testing – Patrick Engebretson
5. Penetration Testing: A Hands-On Introduction to Hacking – Georgia Weidman
6. Hacking Web Apps – Mike Shema
7. The Hacker Playbook 1 – Peter Kim
8. Gray Hat Hacking
#BugBounty #InfoSec #CyberSecurity #WebSecurity #HackThePlanet #RedTeam #BullshitBooks #CTF #EthicalHacking #HackTip
⭐️ @ZeroSec_team
👏5👎1
✅ Nice Books :
1. The Web Application Hacker's Handbook –Dafydd Stuttard & Marcus Pinto
2. The Hacker Playbook 2 & 3 – Peter Kim (not recommended)
3. Hacking: The Art of Exploitation – Jon Erickson
4. Advanced Web Attacks and Exploitation – Dafydd Stuttard
5. Web Security for Developers – Malcolm McDonald
6. Real-World Web Application Security – Andrew Hoffman
7. Bug Bounty Hunting Essentials – Carlos A. Lozano
8. Black Hat Python – Justin Seitz
#BugBounty #InfoSec #CyberSecurity #WebSecurity #HackThePlanet #RedTeam #Pentesting #EthicalHacking #Exploitation #AdvancedHacking
⭐️ @ZeroSec_team
1. The Web Application Hacker's Handbook –Dafydd Stuttard & Marcus Pinto
2. The Hacker Playbook 2 & 3 – Peter Kim (not recommended)
3. Hacking: The Art of Exploitation – Jon Erickson
4. Advanced Web Attacks and Exploitation – Dafydd Stuttard
5. Web Security for Developers – Malcolm McDonald
6. Real-World Web Application Security – Andrew Hoffman
7. Bug Bounty Hunting Essentials – Carlos A. Lozano
8. Black Hat Python – Justin Seitz
#BugBounty #InfoSec #CyberSecurity #WebSecurity #HackThePlanet #RedTeam #Pentesting #EthicalHacking #Exploitation #AdvancedHacking
⭐️ @ZeroSec_team
👍3❤1
🪲 #H2C Upgrade Bypass
Target: Applications using HTTP/2 Cleartext (h2c) upgrades.
The Core Idea: Many Web Application Firewalls (WAFs) and reverse proxies process HTTP/1.1 but fail to correctly inspect traffic after it's upgraded to HTTP/2.
How to Test:
1. Find a target that accepts an Upgrade: h2c header (common in Java, gRPC, and some reverse proxies like Nginx).
2. Send an initial HTTP/1.1 request with the upgrade header:
3. If the server agrees (responds with HTTP/1.1 101 Switching Protocols), the connection is now HTTP/2.
4. The Bypass: Craft and send malformed or smuggled HTTP/2 frames (e.g., with the :method header set to GET or POST). The downstream WAF may not parse this, allowing you to access internal endpoints or bypass security controls.
Why it works: The security boundary often only exists at the HTTP/1.1 layer. Once upgraded, your HTTP/2 traffic might be forwarded directly to the backend without inspection.
#BugBounty #Hacking #WebSecurity #WAFBypass #HTTP2
⭐️ @Zerosec_team
Target: Applications using HTTP/2 Cleartext (h2c) upgrades.
The Core Idea: Many Web Application Firewalls (WAFs) and reverse proxies process HTTP/1.1 but fail to correctly inspect traffic after it's upgraded to HTTP/2.
How to Test:
1. Find a target that accepts an Upgrade: h2c header (common in Java, gRPC, and some reverse proxies like Nginx).
2. Send an initial HTTP/1.1 request with the upgrade header:
GET / HTTP/1.1
Host: example.com
Upgrade: h2c
Connection: Upgrade
3. If the server agrees (responds with HTTP/1.1 101 Switching Protocols), the connection is now HTTP/2.
4. The Bypass: Craft and send malformed or smuggled HTTP/2 frames (e.g., with the :method header set to GET or POST). The downstream WAF may not parse this, allowing you to access internal endpoints or bypass security controls.
Why it works: The security boundary often only exists at the HTTP/1.1 layer. Once upgraded, your HTTP/2 traffic might be forwarded directly to the backend without inspection.
#BugBounty #Hacking #WebSecurity #WAFBypass #HTTP2
⭐️ @Zerosec_team
❤4
In this video, we solve the PortSwigger Web LLM Attack lab step by step.
🔹 Learn what Web LLM Attack is
🔹 See how to exploit it on the PortSwigger lab
🔹 Understand how this vulnerability can be applied in real-world scenarios
This video is perfect for anyone looking to improve their skills in web hacking, bug bounty, and penetration testing.
📌 Topics & Tags:
#WebLLMAttack #PortSwigger #WebSecurity #BugBounty #Hacking
💡 Tip: Don’t forget to like, comment, and subscribe for more web security tutorials!
https://www.youtube.com/watch?v=-UdUgl0pv4w
⭐️ @ZeroSec_team
🔹 Learn what Web LLM Attack is
🔹 See how to exploit it on the PortSwigger lab
🔹 Understand how this vulnerability can be applied in real-world scenarios
This video is perfect for anyone looking to improve their skills in web hacking, bug bounty, and penetration testing.
📌 Topics & Tags:
#WebLLMAttack #PortSwigger #WebSecurity #BugBounty #Hacking
💡 Tip: Don’t forget to like, comment, and subscribe for more web security tutorials!
https://www.youtube.com/watch?v=-UdUgl0pv4w
⭐️ @ZeroSec_team
❤2🔥1👌1