Electro0ne Bytes 🦅
@electro0ne_bytes
359 subscribers
5 photos
62 links
I publish articles related to hacking and security for you, so let's learn together.💪

Contact: @Electro0ne Blogs: electro0nes.github.io
Download Telegram
About
Blog
Apps
Platform
Join
Electro0ne Bytes 🦅
359 subscribers
Electro0ne Bytes 🦅
ChatGPT DeepSeek
👎1👏1
214 viewsᴍͥᴏᴇͣɪͫɴ
Electro0ne Bytes 🦅
Your mindset is your power.💸
Please open Telegram to view this post
VIEW IN TELEGRAM
3
212 viewsᴍͥᴏᴇͣɪͫɴ
Electro0ne Bytes 🦅
https://www.pmnh.site/post/writeup_spring_el_waf_bypass/
www.pmnh.site
Bug Writeup: RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass
Writeup of a collaborated bug on Bugcrowd where I was able to bypass Akamai WAF to exploit RCE on Spring Boot error page using SpEL
🔥1
228 viewsᴍͥᴏᴇͣɪͫɴ
Electro0ne Bytes 🦅
Common OAuth Vulnerabilities · Doyensec's Blog

https://blog.doyensec.com/2025/01/30/oauth-common-vulnerabilities.html
🔥3
216 viewsᴍͥᴏᴇͣɪͫɴ
Electro0ne Bytes 🦅
https://brutecat.com/articles/leaking-youtube-emails
brutecat.com
Leaking the email of any YouTube user for $10,000
What could've been the largest data breach in the world - an attack chain on Google services to leak the email address of any YouTube channel
3
201 viewsᴍͥᴏᴇͣɪͫɴ
Electro0ne Bytes 🦅
https://blog.voorivex.team/css-data-exfiltration-to-steal-oauth-token
Voorivex's Team
CSS Data Exfiltration to Steal OAuth Token
Use CSS injection to bypass CSP, exfiltrate OAuth tokens through unique chaining techniques. Discover vulnerability and exploit details
3
184 viewsᴍͥᴏᴇͣɪͫɴ
Electro0ne Bytes 🦅
https://medium.com/immunefi/how-to-stay-motivated-when-hunting-for-bugs-4966ac0d658
Medium
How to Stay Motivated When Hunting for Bugs
I’ve been hacking since 2014 and more recently focusing on bounty hunting in the blockchain space. For example, I found a critical bug in…
🔥1
185 viewsᴍͥᴏᴇͣɪͫɴ
Electro0ne Bytes 🦅
https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
codeanlabs
CVE-2024-4367 - Arbitrary JavaScript execution in PDF.js - Codean Labs
A vulnerability in PDF.js found by Codean Labs. PDF.js is a JavaScript-based PDF viewer maintained by Mozilla. This bug allows an attacker to execute arbitrary JavaScript code as soon as a malicious PDF file is opened. This affects all Firefox users (
2
207 viewsᴍͥᴏᴇͣɪͫɴ
Electro0ne Bytes 🦅
Forwarded from Brut Security
🔖Extracting endpoints from JavaScript bookmarklets

⬇️Usage
🔴Add a new bookmark in your browser’s toolbar
🔴Replace the bookmark’s URL with the following JavaScript code:
javascript:(function(){var scripts=document.getElementsByTagName("script"),regex=/(?<=(\"|\'|\`))\/[a-zA-Z0–9_?&=\/\-\#\.]*(?=(\"|\'|\`))/g;const results=new Set;for(var i=0;i<scripts.length;i++){var t=scripts[i].src;""!=t&&fetch(t).then(function(t){return t.text()}).then(function(t){var e=t.matchAll(regex);for(let r of e)results.add(r[0])}).catch(function(t){console.log("An error occurred: ",t)})}var pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const match of matches)results.add(match[0]);function writeResults(){results.forEach(function(t){document.write(t+"<br>")})}setTimeout(writeResults,3e3);})();

🔴Visit the target page and click the bookmarklet. The script will run in your browser, revealing previously undiscovered endpoints right on the page.
Please open Telegram to view this post
VIEW IN TELEGRAM
3👍2
213 viewsᴍͥᴏᴇͣɪͫɴ
Electro0ne Bytes 🦅
https://bxmbn.medium.com/bank-offer-idor-fix-bypassed-how-i-accessed-unauthorized-offers-and-secured-a-10-000-bounty-41052b31a2fc
Medium
Bank offer IDOR Fix Bypassed: How I Accessed Unauthorized Offers and Secured a $10,000 Bounty — @bxmbn
Bank offer IDOR Fix Bypassed: How I Accessed Unauthorized Offers and Secured a $10,000 Bounty — @bxmbn Summary: I discovered a new weakness in the offer retrieval functionality that allows an …
👍21
227 viewsᴍͥᴏᴇͣɪͫɴ
Electro0ne Bytes 🦅
https://bxmbn.medium.com/hijacking-sessions-with-idor-and-xss-bxmbn-396f99761a85
Medium
Hijacking Sessions with IDOR and XSS— @bxmbn
Picture a platform designed to handle sensitive documentation — think insurance claims or identity verification — turning into a goldmine…
1
274 viewsᴍͥᴏᴇͣɪͫɴ
Electro0ne Bytes 🦅
https://rikeshbaniya.medium.com/account-takeover-using-sso-logins-fa35f28a358b
Medium
Account Takeover using SSO Logins
Companies often provide various login methods for users to authenticate their accounts.
219 viewsᴍͥᴏᴇͣɪͫɴ
Electro0ne Bytes 🦅
https://medium.com/@renwa/client-side-path-traversal-cspt-bug-bounty-reports-and-techniques-8ee6cd2e7ca1
Medium
Client Side Path Traversal (CSPT) Bug Bounty Reports and Techniques
Over the past year, CSPT bugs have gained significant attention, with numerous blogs and disclosed reports highlighting their impact…
265 viewsᴍͥᴏᴇͣɪͫɴ
Electro0ne Bytes 🦅
https://blog.doyensec.com/2024/07/02/cspt2csrf.html
Doyensec
Exploiting Client-Side Path Traversal to Perform Cross-Site Request Forgery - Introducing CSPT2CSRF
To provide users with a safer browsing experience, the IETF proposal named “Incrementally Better Cookies” set in motion a few important changes to address Cross-Site Request Forgery (CSRF) and other client-side issues. Soon after, Chrome and other major browsers…
293 viewsᴍͥᴏᴇͣɪͫɴ
Electro0ne Bytes 🦅
https://blog.koalasec.co/2500-dollars-in-bounties-hacking-graphql
KoalaSEC's blog
2500 Dollars in bounties, Hacking GraphQL
Hi, amazing hackers! I hope you're doing well.In this article, I’ll share my learning process and experiences in finding multiple vulnerabilities in GraphQL APIs application.
In February, I started learning GraphQL API security using the book Black H...
296 viewsᴍͥᴏᴇͣɪͫɴ
Electro0ne Bytes 🦅
👍3
267 viewsᴍͥᴏᴇͣɪͫɴ
Electro0ne Bytes 🦅
https://kpwn.de/2023/05/javascript-analysis-for-pentesters/#dynamic-analysis
kpwn.de
JavaScript Analysis for Pentesters
Pentesting web applications thoroughly requires you to analyze their JavaScript. I’ve summarized my knowledge from 5 years of pentests into this blog post.
298 viewsᴍͥᴏᴇͣɪͫɴ
Electro0ne Bytes 🦅
https://x.com/moeinerfanian/status/1912599404558839825
309 viewsᴍͥᴏᴇͣɪͫɴ
Electro0ne Bytes 🦅
https://x.com/thelilnix/status/1912558357635801536
X (formerly Twitter)
LIL NIX (@thelilnix) on X
When you use "Tagged Templates" (e.g, alert`123`), JavaScript passes something like this to the function:
alert(["123"])
NOTE: Since alert uses "toString" on the given parameter, it becomes ["123"].toString() and then "123".
310 viewsᴍͥᴏᴇͣɪͫɴ
Electro0ne Bytes 🦅
https://medium.com/@AlQa3Qa3_M0X0101/how-i-was-able-to-get-account-takeover-via-idor-form-jwt-caaf7ea58aa
Medium
How I was able to get account takeover via IDOR form JWT
Hello guys, today I’m gonna explain how I got IDOR and exploit it to make account takeover.
🔥2
332 viewsᴍͥᴏᴇͣɪͫɴ
Electro0ne Bytes 🦅
https://seanpesce.blogspot.com/2024/09/exploiting-android-client-webviews-with.html
Blogspot
Exploiting Android Client WebViews with Help from HSTS
TL;DR I discovered a one-click account takeover vulnerability in a popular Indonesian Android app called Tokopedia . Th...
325 viewsᴍͥᴏᴇͣɪͫɴ