Kατεβάσετε την εφαρμογή android του blog! DownLoad

FoulsCode: 2011-17


Πρόσφατα Σχόλια

Σύνολο αναρτήσεων

Συνολικές προβολές σελίδας

Εμφάνιση αναρτήσεων με ετικέτα online. Εμφάνιση όλων των αναρτήσεων
Εμφάνιση αναρτήσεων με ετικέτα online. Εμφάνιση όλων των αναρτήσεων

Ενσωματώστε Youtube Converter mp3 στο site σας.

Written By Fouls Code on Τετάρτη, 12 Ιουλίου 2017 | Ιουλίου 12, 2017

Ίσος ένα τέτοιο πράγμα μπορεί να το έψαχνε κάποιος.
Μπορείτε να το δείτε Live Demo εδώ.
Παρακάτω είναι ο κωδικός ενσωμάτωσης στο site σας.


Do you operate your own website? Do you want to give your users the opportunity to convert YouTube videos to mp3 or mp4 files? We'll show you, how easy it is to insert our api into your website.
  • Our api offers you following services
  • • Conversion of videos to mp3 (audio) or mp4 (video) files
  • • Conversion of videos up to a length of 2 hours
  • • Conversion of videos which are blocked or not available in your or other countries (deleted videos can not be downloaded)
  • • Responsive design (the api readjustes to the right display size - whether the user is using the computer, mobile phone or tablet)
  • • The user is staying on your website and won't be forwarded to another website
  • • Dropbox integrated - the user is able to save the converted file directly into his dropbox account (only iFrame API)

iFrame API

Example [iframe]
<iframe src="https://ycapi.org/iframe/" width="600" height="170" scrolling="no" style="border:none;"></iframe> 

Example [iframe / mp3]
<iframe src="https://ycapi.org/iframe/?v=KMU0tzLwhbE&f=mp3" width="600" height="170" scrolling="no" style="border:none;"></iframe>

Example [iframe / mp4]
<iframe src="https://ycapi.org/iframe/?v=KMU0tzLwhbE&f=mp4" width="600" height="170" scrolling="no" style="border:none;"></iframe>
Download example file: iFrame API
  • Parameters (optional)
  • v [youtube video id] - must contain a valid 11 digits YouTube video id (KMU0tzLwhbE)
  • f [format] - must contain a supported format (mp3 or mp4)

Button API

Example [mp3]
<iframe src="https://ycapi.org/button/?v=KMU0tzLwhbE" width="320" height="38" scrolling="no" style="border:none;"></iframe>
Example [mp3 / font-color / background-color]
<iframe src="https://ycapi.org/button/?v=KMU0tzLwhbE&fc=#ffffff&bc=#000000" width="320" height="38" scrolling="no" style="border:none;"></iframe>

Example [mp3 / title]
<iframe src="https://ycapi.org/button/?v=KMU0tzLwhbE&t=1" width="320" height="76" scrolling="no" style="border:none;"></iframe>

Example [mp3 / click]
<iframe src="https://ycapi.org/button/?v=KMU0tzLwhbE&c=1" width="320" height="38" scrolling="no" style="border:none;"></iframe>

Example [mp4]
<iframe src="https://ycapi.org/button/?v=KMU0tzLwhbE&f=mp4" width="320" height="38" scrolling="no" style="border:none;"></iframe>
Download example file: Button API
  • Parameters (required)
  • v [youtube video id] - must contain a valid 11 digits YouTube video id (KMU0tzLwhbE)
  • f [format] - must contain a supported format (mp3 or mp4)
  • Parameters (optional)
  • fc [font-color] - must contain a valid hex color code (#ffffff)
  • bc [background-color] - must contain a valid hex color code (#000000)
  • t [title] - must be 1 if t is true the title of the video will be added to the button
  • c [click] - must be 1 if c is true the conversion will start with a click of the button (will show Download MP3/MP4 before clicked)

Example [mp3 / href]
<a href="https://www.youtube.com/watch?v=KMU0tzLwhbE" target="_blank" class="y2m">Developers</a>

Example [mp3 / data-href]
<a href="" data-href="https://www.youtube.com/watch?v=KMU0tzLwhbE" target="_blank" class="y2m">Developers</a>

Example [mp4 / href]
<a href="https://www.youtube.com/watch?v=KMU0tzLwhbE" target="_blank" class="y2m mp4">Developers</a>

Example [mp4 / data-href]
<a href="" data-href="https://www.youtube.com/watch?v=KMU0tzLwhbE" target="_blank" class="y2m mp4">Developers</a>

<script type="text/javascript" src="https://ycapi.org/js/link.js"></script>

Ιουλίου 12, 2017 | 0 σχόλια | Διαβάστε περισσότερα

Δείτε αν τα αρχεία σας αν έχουν ιούς online

Written By Fouls Code on Πέμπτη, 6 Ιουλίου 2017 | Ιουλίου 06, 2017

Μια online εφαρμογή που ψάχνει με πολλά Antivirus προγράμματα να βρει οτιδήποτε είναι κακόβουλο αρχείο η κώδικα που αναγνωρίζει για κάποια συστήματα.

Ιουλίου 06, 2017 | 0 σχόλια | Διαβάστε περισσότερα

Θ.Ε.Π.Ε.Κ. Δελτίο Κυκλοφορίας - ΑΘΗΝΑ

Written By Fouls Code on Τρίτη, 4 Ιουλίου 2017 | Ιουλίου 04, 2017


Δελτίο Κυκλοφορίας - ΑΘΗΝΑ Link: http://www.astynomia.gr/traffic-athens.php
Ιουλίου 04, 2017 | 0 σχόλια | Διαβάστε περισσότερα

Ημερήσιο Δελτίο Τιμών Ατμοσφαιρικής Ρύπανσης

Το ημερήσιο δελτίο ρύπων ενημερώνεται καθημερινά περίπου στις 2 μ.μ.

Link: http://www.ypeka.gr/Default.aspx?tabid=708
Ιουλίου 04, 2017 | 0 σχόλια | Διαβάστε περισσότερα

SMS verification bypass

Written By Fouls Code on Τετάρτη, 21 Ιουνίου 2017 | Ιουνίου 21, 2017

Πολλα site ζητανε επιβεβαιωση SMS για την δημιουργια καποιου λογαριασμου

επιδη δεν ειναι ασφαλες να δινουμε τα προσωπικα μας στοιχεια

μπορουμε να χρισιμοποιησουμε αυτο το site ωστε να την προσπερασουμε δινοντας "ψευτικο νουμερο"


απλα διαλεγουμε την τοποθεσια και το νουμερο που θελουμε και τα εισαγουμε στην επιβαιβεωση.

τωρα απλα περιμενουμε να ερθει το μηνυμα στο νουμερο που επιλεξαμε στο site.


We receive SMS and calls from all over the world to our phone numbers in USA, UK, and Canada. Our virtual phone numbers allow you to verify and register for various websites, absolutely free. The phone numbers are disposable and all messages are discarded after 24 hours. Provided virtual phone numbers are refreshed with new ones every month. We also support international languages and Emoji, so feel free to use the numbers for messages in English, French, Russian, German, Chinese etc. Best of all, the service will always remain minimal and free. If you require free online service in a country not currently being listed, please contact us and we will try our best to add the country.


We strive to receive SMS online for free and make a promise to keep it operational without charging money for receiving SMS or calls. Send as many messages as you like to activate accounts that otherwise require personal information to verify. There are no limits on how often or how many SMS can be sent to the virtual numbers. If you have found our SMS service useful, please consider sharing it using the social buttons at the top of the page.


Many companies are beginning to demand a phone number to verify or activate accounts and to use their applications, luckily with our disposable and virtual service you can avoid providing personal information. We understand that privacy is important and our service allows you to keep your contact information secret while gaining access to online SMS activated services from these various companies. We do not retain any message data longer than about a day.


Message and calls are usually available within seconds of being received, just refresh the page to view. The virtual numbers displayed are temporary and disposable with completely new ones provisioned monthly. SMS and call messages we receive are permanently deleted after about 24 hours.
Ιουνίου 21, 2017 | 0 σχόλια | Διαβάστε περισσότερα

Δειτε ζωντανα τις διαδικτυακες επιθεσεις παγκοσμιως


Digital Attack Map is a live data visualization of DDoS attacks around the globe, built through a collaboration between Google Ideas and Arbor Networks. The tool surfaces anonymous attack traffic data to let users explore historic trends and find reports of outages happening on a given day.


DDoS Attacks Matter

Distributed Denial of Service (DDoS) attacks can be used to make important online information unavailable to the world. Sites covering elections are brought down to influence their outcome, media sites are attacked to censor stories, and businesses are taken offline by competitors looking for a leg up. Protecting access to information is important for the Internet and important for free expression.

Visualizing Trends

Understanding the raw data behind DDoS Attacks is not intuitive. As a result, the impact, scale and scope of the challenge can be easily overlooked. We hope this tool allows more people to understand the challenges posed by DDoS attacks. We also hope it triggers a dialogue about how we can work together to reduce the threat of DDoS Attacks, improving the Internet for everyone.


Google Ideas is a think/do tank at Google that explores how technology can enable people to confront threats in the face of conflict, instability or repression. We connect users, experts and engineers to research and seed new technology-driven initiatives. Google Ideas worked in partnership with Google's Big Picture Team to design and develop the Digital Attack Map.

The "Big Picture" team, a part of Google research, creates interactive visualizations to captivate and delight users. They blend algorithmic, data-driven approaches with fluid design to make complex data more accessible. They portray large-scale data sets -- such as books, videos, images, news, or social behavior -- in creative ways that simultaneously educate and entertain.

DDoS attack data is provided by Arbor Networks. Established in 2000, Arbor provides network security and management solutions for some of the world’s largest and most complex networks. DDoS attack data is sourced from Arbor’s ATLAS® global threat intelligence system. To learn more, visit the ATLAS Threat Portal.
Ιουνίου 21, 2017 | 0 σχόλια | Διαβάστε περισσότερα

Σαρωτής IoT δείχνει αν η συσκευή σας είναι ευάλωτη σε επιθέσεις DDoS

Written By Fouls Code on Δευτέρα, 22 Μαΐου 2017 | Μαΐου 22, 2017

Αν θυμάστε την επίθεση DDoS 1 Tbps στη γαλλική εταιρεία φιλοξενίας OVH, ίσως να θυμάστε ότι έγινε μέσω του botnet Mirai, χάρη στις 145000 IoT συσκευές.Αλλά πώς θα νιώθετε αν κάποιος σας έλεγε ότι υπάρχουν εκατομμύρια συσκευών που συνδέονται στο Διαδίκτυο (IoT) ευάλωτες σε hacking που μπορούν να χρησιμοποιηθούν για επιθέσεις στον κυβερνοχώρο;

Ναι, σύμφωνα με το BullGuard θα μπορούσαν να υπάρχουν πάνω από 185 εκατομμύρια συνδεδεμένες συσκευές στο διαδίκτυο που είναι απροστάτευτες και ευάλωτες στις επιθέσεις χάκερ.
Οι αριθμοί αυτοί συλλέχθηκαν με βάση τα αποτελέσματα σάρωσης μέσω του BullGuard’s Internet of Things Scanner που επιτρέπει στους χρήστες να πάνε για μια μοναδική σάρωση και να δουν αν οι οικιακές τους συσκευές είναι ευάλωτες στο Shodan.

Εάν οι συσκευές βρίσκονται στο Shodan, αυτό σημαίνει ότι είναι διαθέσιμες σε δημόσια πρόσβαση.

Το Shodan είναι μια μηχανή αναζήτησης που επιτρέπει στον χρήστη να βρει συγκεκριμένους τύπους υπολογιστών συνδεδεμένους στο Internet χρησιμοποιώντας διάφορα φίλτρα.

BullGuard Internet of Things Scanner

via: secnews.gr
Μαΐου 22, 2017 | 0 σχόλια | Διαβάστε περισσότερα

Εδώ μπορείτε να αναζητήσετε πατέντες προϊόντων

Written By Fouls Code on Κυριακή, 21 Μαΐου 2017 | Μαΐου 21, 2017

Εδώ μπορείτε να αναζητήσετε πατέντες προϊόντων. Μπορείτε να χρησιμοποιήσετε και ελληνικές λέξεις, αλλά τα αποτελέσματα θα είναι στα αγγλικά (μπορείτε να κάνετε αυτόματη μετάφραση). Θα ξαφνιαστείτε με το ποια προϊόντα έχουν πατέντες και ποια δεν έχουν!
Μαΐου 21, 2017 | 0 σχόλια | Διαβάστε περισσότερα

TCP Port Scan with Nmap

Written By Fouls Code on Πέμπτη, 18 Μαΐου 2017 | Μαΐου 18, 2017

About this tool

TCP Port Scan with Nmap allows you to discover which TCP ports are open on your target host.

Network ports are the entry points to a machine that is connected to the Internet. A service that listens on a port is able to receive data from a client application, process it and send a response back. Malicious clients can sometimes exploit vulnerabilities in the server code so they gain access to sensitive data or execute malicious code on the machine remotely. That is why testing for all ports is necessary in order to achieve a thorough security verification.

Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system. Port scanning is done differently for TCP ports and for UDP ports that's why we have different tools.

Target: This is the hostname of IP address(es) to scan
Ports to scan - Common: This option tells Nmap to scan only the top 100 most common TCP ports (Nmap -F).
Ports to scan - Range: You can specify a range of ports to be scanned. Valid ports are between 1 and 65535.
Ports to scan - List: You can specify a comma separated list of ports to be scanned.
Detect service version: In this case Nmap will try to detect the version of the service that is running on each open port. This is done using multiple techniques like banner grabbing, reading server headers and sending specific requests.
Detect operating system: If enabled, Nmap will try to determine the type and version of the operating system that runs on the target host. The result is not always 100% accurate, depending on the way the target responds to probe requests.
Do traceroute: If enabled, Nmap will also do a traceroute to determine the path packets take from our server to the target server, including the ip addresses of all network nodes (routers).
Don't ping host: If enabled, Nmap will not try to see if the host is up before scanning it (which is the default behavior). This option is useful when the target host does not respond to ICMP requests but it is actually up and it has open ports.

Μαΐου 18, 2017 | 0 σχόλια | Διαβάστε περισσότερα

Πως θα φτιάξετε ένα ψεύτικο domain name

Written By Fouls Code on Τετάρτη, 17 Μαΐου 2017 | Μαΐου 17, 2017

Βημα 1)

Πηγαίνετε στην ιστοσελίδα http://get.lgbt/ και κάντε καταχώρηση το domain name com-watch-fdgfdu743.

Δηλαδή τώρα έχετε φτιάξει το domain name com-watch-fdgfdu743.lgbt.

Βήμα 2)

Δημιουργήστε ένα subdomain name με το όνομα youtube.

Και το αποτέλεσμα είναι αυτο


κάποιος ο οποίος το δει, θα παρατηρήσει μπροστά το youtube.com οπότε θα το περάσει αληθινό, και μετά στο watch θα υποθέσει ότι είναι το βίντεο.

Αυτο μπορείτε να το κάνετε και πχ στη σελίδα της microsoft.

Δηλαδή κάνετε καταχώρηση το com-index-php.lgbt και απο μπροστά δημιουργείτε ενα subdomain name με το όνομα microsoft και το αποτέλεσμα θα είναι να έχετε φτιάξει το microsoft.com-index-php.lgbt

Τα ονόματα είναι τυχαία και πιθανόν κάποιος αλλος να τα έχει χρησιμοποιήσει, οπότε δοκιμάζετε κάθε φορα αλλα.

Ακόμα μπορείτε να το κάνετε σε πολλές υπηρεσίες που παρέχουν δωρεάν subdomain name για παράδειγμα. xyz

via: greekhacking.gr
Μαΐου 17, 2017 | 0 σχόλια | Διαβάστε περισσότερα

Hacking Resources

Written By Fouls Code on Σάββατο, 31 Δεκεμβρίου 2016 | Δεκεμβρίου 31, 2016


Application Logic

06/18/2013 - https://labs.spotify.com/2013/06/18/creative-usernames/ - Creative usernames and Spotify account hijacking
06/26/2013 - Hijacking a Facebook Account with SMS - https://whitton.io/articles/hijacking-a-facebook-account-with-sms/
03/25/2014 - Phabricator Bypass auth.email-domains - https://hackerone.com/reports/2233
05/15/2016 - The Bank Job - https://boris.in/blog/2016/the-bank-job/
05/19/2016 - InstaBrute: Two Ways to Brute-force Instagram Account Credentials - https://www.arneswinnen.net/2016/05/instabrute-two-ways-to-brute-force-i...
06/06/2016 - Trello bug bounty: Payments informations are sent to the webhook - https://hethical.io/trello-bug-bounty-payments-informations-are-sent-to-...
06/07/2016 - Pwning Pornhub (memcache) - https://blog.zsec.uk/pwning-pornhub/
07/01/2016 - Magento – Re-Installation & Account Hijacking Vulnerabilities - http://netanelrub.in/2016/07/01/magento-re-installation-account-hijackin...
08/08/2016 - Free way to Facebook Freebooting | Hacking Rights Manager - http://www.7xter.com/2016/08/free-way-to-facebook-freebooting.html
08/16/2016 - Google Chrome, Firefox Address Bar Spoofing Vulnerability - http://www.rafayhackingarticles.net/2016/08/google-chrome-firefox-addres...
08/18/2016 - How I hacked an Android App to Get Free Beer - https://breakdev.org/how-i-hacked-an-android-app-to-get-free-beer/
09/02/2016 - Response To Request Injection (RTRI) - https://www.bugbountyhq.com/front/latestnews/dWRWR0thQ2ZWOFN5cTE1cXQrSFZ...


04/27/2016 - Microsoft Office 365 SAML Bypass - http://www.economyofmechanism.com/office365-authbypass.html
04/28/2016 - Slack bot token leakage exposing business critical information - https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-b...
06/01/2016 - Taking over Heroku accounts - http://esevece.github.io/2016/06/01/taking-over-heroku-accounts.html
10/20/2016 - Slack, a Brief Journey to Mission Control - http://secalert.net/slack-security-bug-bounty.html
11/02/2016 - Bypassing Two-Factor Authentication on OWA & Office365 Portals - http://www.blackhillsinfosec.com/?p=5396


04/04/2016 - CSP: bypassing form-action with reflected XSS - https://labs.detectify.com/2016/04/04/csp-bypassing-form-action-with-ref...
12/16/2016 - Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - http://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin...


05/17/2016 - How I bypassed Facebook CSRF in 2016 - http://pouyadarabi.blogspot.ca/2016/05/how-i-bypassed-facebook-csrf-in-2...
19/07/2016 - Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack) - https://hethical.io/paypal-bug-bounty-updating-the-paypal-me-profile-pic...
26/10/2016 - Google Spreadsheet Vuln - CSRF and JSON Hijacking allows data theft - https://www.rodneybeede.com/Google_Spreadsheet_Vuln_-_CSRF_and_JSON_Hija...

CSV Injection

29/01/2013 - Cell Injection: Attacking the End User Through the Application - http://blog.7elements.co.uk/2013/01/cell-injection.html
04/17/2016 - CSV Injection in business.uber.com - http://blog.daviddworken.com/posts/csv-injection-in-businessubercom/


08/23/2015 - Twitter HPP vulnerability unsubscribing from emails - http://www.merttasci.com/blog/twitter-hpp-vulnerability/
12/03/2015 - Parameter Tampering Attack on Twitter Web Intents - https://ericrafaloff.com/parameter-tampering-attack-on-twitter-web-intents/
02/02/2016 - Bypassing Digits web authentication's host validation with HPP - https://hackerone.com/reports/114169

Host Header Injection
09/06/2016 - Internet Explorer has a URL Problem - http://blog.innerht.ml/internet-explorer-has-a-url-problem/
10/24/2016 - Combining Host Header Injection and Lax Host Parsing Service Malicious Data - https://labs.detectify.com/2016/10/24/combining-host-header-injection-an...


06/23/2016 - UBER HACKING: HOW WE FOUND OUT WHO YOU ARE, WHERE YOU ARE AND WHERE YOU WENT! - https://labs.integrity.pt/articles/uber-hacking-how-we-found-out-who-you...
06/23/2016 - Facebook's Bug - Delete any video from Facebook - http://www.pranavhivarekar.in/2016/06/23/facebooks-bug-delete-any-video-...
08/25/2016 - How I Could Have Hacked Multiple Facebook Accounts - https://medium.com/@gurkiratsingh/how-i-could-have-hacked-multiple-faceb...
11/22/2016 - You get a UUID! You get a UUID! Everybody gets a UUID! - http://www.rohk.xyz/uber-uuid/

Information Disclosure

12/21/2016 - Disclosing the primary email address for each Facebook user - http://www.dawgyg.com/2016/12/21/disclosing-the-primary-email-address-fo...


04/18/2016 - ESEA Server-Side Request Forgery and Querying AWS Meta Data - http://buer.haus/2016/04/18/esea-server-side-request-forgery-and-queryin...
02/23/2016 - FFMPEG File Disclosure - https://github.com/ctfs/write-ups-2015/tree/master/9447-ctf-2015/web/sup...
Trello Bug BOunty Access Servier Files Using Imagetragick - https://hethical.io/trello-bug-bounty-access-servers-files-using-imagetr...


04/25/2016 - Adapting AngularJS Payloads to Exploit Real World Applications - http://blog.portswigger.net/2016/04/adapting-angularjs-payloads-to-explo...

Reverse Engineering

04/19/2016 - Digging into a Facebook Worm -https://gist.githubusercontent.com/phwd/0ec21c6289543f35135e17aa11f7dec1...
07/01/2016 - How I Cracked a Keylogger and Ended Up in Someone's Inbox - https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keyl...
11/14/2016 - Hacking Team Back For Your Androids - http://rednaga.io/2016/11/14/hackingteam_back_for_your_androids/

Relative Path Overwrite

03/21/2014 - Relative vs Absolute - http://www.thespanner.co.uk/2014/03/21/rpo/
02/17/2015 - Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities - http://blog.portswigger.net/2015/02/prssi.html
07/03/2016 - RPO Gadgets - http://blog.innerht.ml/rpo-gadgets/


07/06/2010 - Facebook XSS via Cross-Origin Resource Sharinghttp://maustin.net/2010/07/06/facebook_html5.html
02/14/2013 - How I got the Bug Bounty for Mega.co.nz XSS - https://labs.detectify.com/2013/02/14/how-i-got-the-bug-bounty-for-mega-...
04/22/2015 - XSS via Host header - www.google.com/cse - http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html
12/08/2015 - Creative bug which result Stored XSS on m.youtube.com - http://sasi2103.blogspot.ca/2015/12/creative-bug-which-result-stored-xss...
04/17/2016 - XSS in pypi (and Uber!) - http://blog.daviddworken.com/posts/xss-in-pypi-and-uber/
04/17/2016 - XSS in getrush.uber.com - http://blog.daviddworken.com/posts/xss-in-getrushubercom/
04/19/2016 - Using a Braun Shaver to Bypass XSS Audit and WAF - https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-...
05/09/2016 - XSS and RCE, domain takeover with remote loaded JS - http://brutelogic.com.br/blog/xss-and-rce/
06/13/2016 - Embedding XSS in SVG files - http://bini.tech/wordpress-remote-upload-unrestricted-file-upload/
07/02/2016 - OneDrive: an easter egg into MS library - XSS on Microsoft and not only - https://luc10.github.io/onedrive-an-easter-egg-into-ms-library/
07/04/2016 - Apple and the 5 XSSes - http://strukt93.blogspot.ca/2016/07/apple-and-5-xsses.html
07/19/2016 - Instagram Reflected XSS in Link Shim - http://ameeras.me/Instagram-Reflected-XSS-in-Link-Shim/
07/19/2016 - Blind XSS in Spotify - https://mhmdiaa.github.io/jekyll/update/2016/07/19/blind-xss-in-spotify....
07/22/2016 - United to XSS United - http://strukt93.blogspot.ca/2016/07/united-to-xss-united.html
08/29/2016 - Turning Self-XSS into Good XSS v2: Challenge Completed but Not Rewarded - https://httpsonly.blogspot.ca/2016/08/turning-self-xss-into-good-xss-v2....
08/31/2016 - Breaching a CA – Blind Cross-site Scripting (BXSS) in the GeoTrust SSL Operations Panel Using XSS Hunter - https://thehackerblog.com/breaching-a-ca-blind-cross-site-scripting-bxss...
09/19/2016 - Combination of techniques lead to DOM Based XSS in Google - http://sasi2103.blogspot.ca/2016/09/combination-of-techniques-lead-to-do...
12/07/2016 - Stored XSS Affecting All Fantasy Sports on Yahoo - http://dawgyg.com/2016/12/07/stored-xss-affecting-all-fantasy-sports-fan...


06/25/2014 - Identifying Xml eXternal Entity vulnerability (XXE) in GPX files - http://blog.h3xstream.com/2014/06/identifying-xml-external-entity.html
03/21/2015 - XML External Entity (XXE) Injection in Apache Batik Library [CVE-2015-0250] - https://www.insinuator.net/2015/03/xxe-injection-in-apache-batik-library...
08/14/2015 - XXE ALL THE THINGS!!! (INCLUDING APPLE IOS’S OFFICE VIEWER) - https://labs.integrity.pt/articles/xxe-all-the-things-including-apple-io...


03/15/2015 - Parse.com - X-Forwarded-Host Injection - Bypass secure & HTTP_only Vulnerability - https://www.youtube.com/watch?v=1yUw7rtTTeI

Remote Code Execution

12/09/2013 - Remote Code Execution exploit in WordPress 3.5.1 - https://tom.vg/2013/12/wordpress-rce-exploit/
02/15/2015 - RCE in Oracle NetBeans Opensource Plugins: PrimeFaces 5.x Expression Language Injection - http://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource...
11/06/2015 - Java unserialization - https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss...
11/12/2015 - XSS to Remote Code Execution with HipChat - http://maustin.net/2015/11/12/hipchat_rce.html
05/04/2016 - Remote Code Execution via ImageMagick - http://pastebin.com/aE4sKnCg (file)
05/10/2016 - Exploiting ImageMagick on Polyvore (Yahoo) - http://nahamsec.com/exploiting-imagemagick-on-yahoo/
07/22/2016 - Exploiting Java Deserialization via JBoss - https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserializati...
07/25/2016 - CVE-2016-5840: Trend Micro Deep Discovery hotfix_upload.cgi filename Remote Code Execution Vulnerability - http://www.korpritzombie.com/cve-2016-5840-trend-micro-deep-discovery-ho...
08/15/2016 - Jetbrains IDE Remote Code Execution and Local File Disclosure - http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-e...
08/24/2016 - The Million Dollar Dissident - https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-...
09/21/2016 - pwn them for learn -http://bugdisclose.blogspot.ca/2016/09/pwn-them-for-learn.html
10/26/2016 - Details on the Privilege Escalation Vulnerability in Joomla - https://blog.sucuri.net/2016/10/details-on-the-privilege-escalation-vuln...

Memory Related

5/13/2016 - 7-Zip vulnerabilities found by Talos - http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html

Source Code Disclosure

03/27/2016 - A tale of an interesting source code leak - http://secalert.net/#scl-soh
07/19/2016 - Accessing PornHub's SVN repo - https://hackerone.com/reports/72243
07/22/2016 - Twitter's Vine Source code dump - https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/
10/14/2016 - Importance of up-to-date application usage plus complex password OR from directory traversal to admin panel takeover - http://zuh4n.blogspot.ca/


12/20/2016 - Flickr from SQLi to RCE - https://pwnrules.com/flickr-from-sql-injection-to-rce/
07/25/2016 - SQL Injection on sctrack.email.uber.com.cn - https://hackerone.com/reports/150156

Subdomain Takeover

10/21/14 - Hostile Subdomain Takeover using Heroku/Github/Desk + more - https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-h...
12/08/14 - Hijacking of abandoned subdomains part 2 - https://labs.detectify.com/2014/12/08/hijacking-of-abandoned-subdomains-...
07/26/16 - Uber Subdomain Takeover - http://blog.eseccyber.tech/article/uber.html
09/05/2016 - How I was able to read Uber logs and internal emails - http://blog.pentestnepal.tech/post/149985438982/how-i-was-able-to-read-u...

HTML Injection

07/26/2016 - Keeping Positive – Obtaining Arbitrary Wildcard SSL Certificates from Comodo via Dangling Markup Injection - https://thehackerblog.com/keeping-positive-obtaining-arbitrary-wildcard-...


02/07/2014 - How I Hacked GitHub Again. - http://homakov.blogspot.ca/2014/02/how-i-hacked-github-again.html
07/20/2015 - Bypassing Google Authentication on Periscope's Administration Panel - https://whitton.io/articles/bypassing-google-authentication-on-periscope...
01/04/2016 - Bypassing callback_url validation on Digits - https://hackerone.com/reports/108113
02/29/2016 - Swiping Facebook Official Access Tokens - http://philippeharewood.com/swiping-facebook-official-access-tokens/
04/03/2016 - Obtaining Login Tokens for Outlook, Office or Azure (OAuth) - https://whitton.io/articles/obtaining-tokens-outlook-office-azure-account/
06/16/2016 - Bypass Disabled Client OAuth Login in Facebook Pages Manager App - http://philippeharewood.com/bypass-disabled-client-oauth-login-in-facebo...
10/13/2016 - CVE-2016-4977: RCE in Spring Security OAuth - http://secalert.net/#CVE-2016-4977


04/12/2015 - Shopify android client all API request's response leakage - https://hackerone.com/reports/56002
07/26/2016 - Odnoklassniki Android application vulnerabilities - https://hackerone.com/reports/97295

12/06/16 - Firefox - SVG cross domain cookie vulnerability - https://insert-script.blogspot.ca/2016/12/firefox-svg-cross-domain-cooki...

CTF Writeups

03/03/2013 - Unauthorized Access: Bypassing PHP strcmp() - http://danuxx.blogspot.ca/2013/03/unauthorized-access-bypassing-php-strc...
06/09/2016 - Hack in the Box 2016 – MISC400 Writeup (Part 1) - http://rileykidd.com/2016/06/09/hack-in-the-box-2016-misc400-writeup-par...
10/03/2016 - Hacking the Hard Way at the Derbycon CTF - https://labs.signalsciences.com/hacking-the-hard-way-at-the-derbycon-ctf...
BSides Ottawa CTF - Second Place! - https://blog.fletchto99.com/2016/october/bsides-ottawa/
2016 Hack the Vote - https://github.com/ctfs/write-ups-2016/tree/master/hack-the-vote-ctf-2016

XXE Payloads in iOS - http://en.hackdig.com/08/28075.htm
Burp Tutorials - https://vimeo.com/album/3510171
Facebook CTF - https://github.com/facebook/fbctf
SSRF Bible - https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa...
Jerry Gamblin Hacking Blog - http://jerrygamblin.com/category/hacking
Filedescriptor XSS Polygots - http://polyglot.innerht.ml/
prompt.ml XSS Challenge - https://github.com/cure53/XSSChallengeWiki/wiki/prompt.ml#hidden-level--1
Hacking with Unicode - https://speakerdeck.com/mathiasbynens/hacking-with-unicode-in-2016
Programming Practice (paid premium) - https://coderbyte.com/
Online CTF Practice challenges - https://backdoor.sdslabs.co
Nicolas Grégoire Burp Pro Tips - http://www.agarri.fr/docs/HiP2k13-Burp_Pro_Tips_and_Tricks.pdf
Open Security Training - http://opensecuritytraining.info/
OWASP Mutillidae II Web Pen-Test Practice Application - https://sourceforge.net/projects/mutillidae/
DNS - https://haxpo.nl/haxpo2015ams/wp-content/uploads/sites/4/2015/04/D1-P.-M...
XSS without HTML: Client-Side Template Injection with AngularJS - http://blog.portswigger.net/2016/01/xss-without-html-client-side-templat...
File Upload XSS - http://brutelogic.com.br/blog/file-upload-xss/
CSV Injection Mitigations - https://blog.zsec.uk/csv-dangers-mitigations/
Comma Separated Vulnerabilities - http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
Running your own anonymous rotating proxies - http://blog.databigbang.com/running-your-own-anonymous-rotating-proxies/
Reviewing bug bounties - a hacker's perspective - http://www.skeletonscribe.net/2016/08/reviewing-bug-bounties-hackers.html
Practical HTTP Host Header Attacks - http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks...
Practice CTF List / Permanant CTF List - https://captf.com/practice-ctf/
lcamtuf's blog - https://lcamtuf.blogspot.ca/
Backup File Artifacts - http://blog.mazinahmed.net/2016/08/backup-file-artifacts.html
Unicode Character 'PILE OF POO' - http://www.fileformat.info/info/unicode/char/1F4A9/index.htm
Decompile and Recompile Android APK - https://blog.bramp.net/post/2015/08/01/decompile-and-recompile-android-apk/
Frans Rosen - Time Based Captcha Protected SQLi - http://www.slideshare.net/fransrosen/time-based-captcha-protected-sql-in...
CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy - https://research.google.com/pubs/pub45542.html
How to View TLS Traffic in Android’s Logs - https://blog.securityevaluators.com/how-to-view-tls-traffic-in-androids-...
AngularJS Sandbox Escapes Explained - https://www.reddit.com/r/angularjs/comments/557bhr/xss_in_angularjs_vide...
Senate Republicans were skimmed for six months, quietly fix store - https://gwillem.github.io/2016/10/04/how-republicans-send-your-credit-ca...
Introduction to OSINT: Recon-ng Tutorial - https://strikersecurity.com/blog/getting-started-recon-ng-tutorial/
Exploiting CORS misconfigurations - http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-fo...
Abusing Dorking and Robots.txt - http://sten0.ghost.io/2016/10/13/abusing-dorking-and-robots-txt/
Brute Logic XSS Challenge I - http://brutelogic.com.br/blog/xss-challenge-i/
How Google and Bing Protect their APIs - https://rudk.ws/2016/10/23/how-google-and-bing-protects-their-api/
Free Dev Books - https://devfreebooks.github.io/
IOS Application Security Review Methodology - http://research.aurainfosec.io/ios-application-security-review-methodology/
Anatomy of a Subtle JSON Vulnerability - http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerabi...
Finding XSS Slidedeck - http://slides.com/mscasharjaved/deck-13#/
XSS Polyglots - https://blog.bugcrowd.com/xss-polyglots-the-context-contest?utm_campaign...
Bypassing Saml 2.0 SSO - http://research.aurainfosec.io/bypassing-saml20-SSO/
Bypassing CSP using polyglot jpegs - http://blog.portswigger.net/2016/12/bypassing-csp-using-polyglot-jpegs.html
Facebook Graphql Crash Course - https://www.facebook.com/notes/phwd/a-facebook-graphql-crash-course/1189...
New XXSI Vector Untold Merits of nosniff - https://www.hurricanelabs.com/blog/new-xssi-vector-untold-merits-of-nosniff
Research papers

Minded Security Expression Language Injection Paper - https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf
Sandboxing JavaScript in the Browser - https://var.thejh.net/thesis_excerpt.pdf
Does The Online Card Payment Landscape Unwittingly Facilitate Fraud? - http://eprint.ncl.ac.uk/file_store/production/230123/19180242-D02E-47AC-...
Online Courses / Training

Cyber Security Base with F-Secure is a free course series by University of Helsinki - https://cybersecuritybase.github.io/
Vulnerable Web Applications for Learning - https://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applica...
Jame Kettle's hackxor - http://hackxor.sourceforge.net/cgi-bin/index.pl#demo
Google XSS Game - https://xss-game.appspot.com/
Google DOM Based XSS - https://public-firing-range.appspot.com/address/index.html
Code Lab: Web Application Exploits and Defenses - https://google-gruyere.appspot.com/
Cheat Sheets

Path Traversal Cheat Sheet Linux - https://www.gracefulsecurity.com/path-traversal-cheat-sheet-linux/
XXE - https://www.gracefulsecurity.com/xxe-cheatsheet/
HTML5 Security Cheat Sheet - https://html5sec.org/
Brute XSS Cheat Sheet - http://brutelogic.com.br/blog/cheat-sheet/
MySQL SQL Injection Cheat Sheet - http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-c...
AngularJS Sandbox Bypass Collection (includes 1.5.7) - http://pastebin.com/xMXwsm0N
Java Deserialization - https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
Penetration testing tools cheat sheet - https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/
OAuth - https://github.com/homakov/oauthsecurity
Burp How Tos


Sublist3r is python tool that is designed to enumerate subdomains of websites using search engines - https://github.com/aboul3la/Sublist3r
EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible - https://github.com/ChrisTruncer/EyeWitness
Smart content discovery burp plugin with context awareness - https://github.com/pathetiq/BurpSmartBuster
An automated tool that checks for backup artifacts that may discloses the web-application's source code - https://github.com/mazen160/bfac

Recon-ng + Google Dorks + Burp = ... - https://averagesecurityguy.github.io/2016/10/21/recon-ng-dorks-burp/

Port Scanning
Resolve and quickly portscan a list of (sub)domains - https://github.com/melvinsh/subresolve

JD-GUI, a standalone graphical utility that displays Java sources from CLASS files. - https://github.com/java-decompiler/jd-gui
Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static, dynamic analysis and web API testing - https://github.com/ajinabraham/Mobile-Security-Framework-MobSF
An xposed module that disables SSL certificate checking for the purposes of auditing an app with cert pinning - https://github.com/Fuzion24/JustTrustMe
Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and OS X Apps - https://github.com/nabla-c0d3/ssl-kill-switch2
Android APK Tool - https://ibotpeaches.github.io/Apktool/
Android Dex2Jar - https://github.com/pxb1988/dex2jar

JPEXS Free Flash Decompiler - https://github.com/jindrapetrik/jpexs-decompiler
Flashbang, find theflashVars of a naked SWF and display them - https://github.com/cure53/Flashbang

Java Deserialization
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization - https://github.com/frohoff/ysoserial

Password Cracking
John the Ripper - http://www.openwall.com/john/

Hash Cracking
Online Hash Crack - http://www.onlinehashcrack.com/
CyberChef - https://gchq.github.io/CyberChef/

Vulnerability SaaS
SSRF Detector - https://ssrfdetector.com/
XSSHunter - https://xsshunter.com

via: www.torontowebsitedeveloper.com
Δεκεμβρίου 31, 2016 | 0 σχόλια | Διαβάστε περισσότερα

Περιοδικός πίνακας των χημικών στοιχείων

Written By Fouls Code on Σάββατο, 17 Ιανουαρίου 2015 | Ιανουαρίου 17, 2015

 Αντιγραφή τον παρακάτω κώδικα:

<script type="text/javascript" src="http://100widgets.com/js_data.php?id=238"></script>

Ιανουαρίου 17, 2015 | 0 σχόλια | Διαβάστε περισσότερα

Ενσωμάτωση Radio International στο blog/site σας

Αντιγραφή τον παρακάτω κώδικα:

<script type="text/javascript" src="http://100widgets.com/js_data.php?id=256"></script>

Ιανουαρίου 17, 2015 | 0 σχόλια | Διαβάστε περισσότερα

Online τα γραπτά και οι σημειώσεις του Νεύτωνα

Written By Fouls Code on Τετάρτη, 17 Δεκεμβρίου 2014 | Δεκεμβρίου 17, 2014

Την ψηφιοποίηση μεγάλου μέρους των γραπτών του Ισαάκ Νεύτωνα ολοκλήρωσε η ψηφιακή βιβλιοθήκη του πανεπιστημίου του Κέμπριτζ, δίνοντας ελεύθερη online πρόσβαση στο έργο ενός από τους μεγαλύτερους επιστήμονες της ιστορίας. Μεταξύ των διαθέσιμων έργων βρίσκεται το περίφημο Principia Mathematica, αλλά και πολλά ακόμη βιβλία και σημειώσεις που ο συνολικός τους όγκος φτάνει τις μερικές χιλιάδες σελίδες.

«Μέχρι χθες, όποιος ήθελε να δει αυτά τα έργα έπρεπε να επισκεφθεί το Κέμπριτζ. Τώρα φέρνουν την Βιβλιοθήκη του Πανεπιστημίου του Κέμπριτζ στον κόσμο», ανέφερε χαρακτηριστικά ο υπεύθυνος ψηφιοποίησης του έργου, στην επίσημη ανακοίνωση του Πανεπιστημίου, η οποία επισημαίνει επίσης πως «οποιοσδήποτε, όπου κι αν βρίσκεται μπορεί να δει με ένα απλό κλικ του ποντικιού τον τρόπο με τον οποίο εργάστηκε ο Νεύτωνας και πώς έφτασε να αναπτύξει τις θεωρίες και τα πειράματά του».
Μπορείτε να επισκεφθείτε τη συλλογή και να ξεφυλλίσετε τα διαθέσιμα έργα στη διεύθυνση


Δεκεμβρίου 17, 2014 | 0 σχόλια | Διαβάστε περισσότερα
berita unik