Kατεβάσετε την εφαρμογή android του blog! DownLoad

FoulsCode: 2011-17


Πρόσφατα Σχόλια

Σύνολο αναρτήσεων

Συνολικές προβολές σελίδας

Εμφάνιση αναρτήσεων με ετικέτα password. Εμφάνιση όλων των αναρτήσεων
Εμφάνιση αναρτήσεων με ετικέτα password. Εμφάνιση όλων των αναρτήσεων

1,000+ usernames and passwords leaked for #OpRussia.

Written By Fouls Code on Τρίτη, 11 Ιουλίου 2017 | Ιουλίου 11, 2017


 teaser passwords:

 00b9843464e9c35007bf5824b8114453 (Z11iCZ7324)
 01d599755e63287dffcbbb20ebbf0feb (zEwZUjO34) 


 usernames: !!!Farm!!! 
!angel! !Pharmacy! 0ut0fhead 1encereal1 2help 

Ιουλίου 11, 2017 | 0 σχόλια | Διαβάστε περισσότερα

Password Cracker - Bρείτε τους ξεχασμένους σας κωδικούς πρόσβασης

Written By Fouls Code on Παρασκευή, 30 Ιουνίου 2017 | Ιουνίου 30, 2017

Η εφαρμογή Password Cracker είναι πολύ μικρή σε μέγεθος και θα σας βοηθήσει να βρείτε τους ξεχασμένους κωδικούς σας πρόσβασης στα πιο δημοφιλή προγράμματα περιήγησης.

Απαιτήσεις συστήματος: Windows XP, Windows Vista, Windows 7, Windows 8.1, Windows 10

LINK: http://www.amlpages.com/pwdcrack.shtml

via: thegreeksenergy.com
Ιουνίου 30, 2017 | 0 σχόλια | Διαβάστε περισσότερα

Password generator

Written By Fouls Code on Πέμπτη, 22 Ιουνίου 2017 | Ιουνίου 22, 2017

<?php $alpha = "abcdefghijklmnopqrstuvwxyz"; $alpha_upper = strtoupper($alpha); $numeric = "0123456789"; $chars = ""; if (isset($_POST['length'])){ // if you want a form like above if (isset($_POST['alpha']) && $_POST['alpha'] == 'on') $chars .= $alpha; if (isset($_POST['alpha_upper']) && $_POST['alpha_upper'] == 'on') $chars .= $alpha_upper; if (isset($_POST['numeric']) && $_POST['numeric'] == 'on') $chars .= $numeric; if (isset($_POST['special']) && $_POST['special'] == 'on') $chars .= $special; $length = $_POST['length']; }else{ // default [a-zA-Z0-9]{9} $chars = $alpha . $alpha_upper . $numeric; $length = 9; } $len = strlen($chars); $pw = ''; for ($i=0;$i<$length;$i++) $pw .= substr($chars, rand(0, $len-1), 1); // the finished password $pw = str_shuffle($pw); echo $pw; ?>
Ιουνίου 22, 2017 | 0 σχόλια | Διαβάστε περισσότερα

Hacking Resources

Written By Fouls Code on Σάββατο, 31 Δεκεμβρίου 2016 | Δεκεμβρίου 31, 2016


Application Logic

06/18/2013 - https://labs.spotify.com/2013/06/18/creative-usernames/ - Creative usernames and Spotify account hijacking
06/26/2013 - Hijacking a Facebook Account with SMS - https://whitton.io/articles/hijacking-a-facebook-account-with-sms/
03/25/2014 - Phabricator Bypass auth.email-domains - https://hackerone.com/reports/2233
05/15/2016 - The Bank Job - https://boris.in/blog/2016/the-bank-job/
05/19/2016 - InstaBrute: Two Ways to Brute-force Instagram Account Credentials - https://www.arneswinnen.net/2016/05/instabrute-two-ways-to-brute-force-i...
06/06/2016 - Trello bug bounty: Payments informations are sent to the webhook - https://hethical.io/trello-bug-bounty-payments-informations-are-sent-to-...
06/07/2016 - Pwning Pornhub (memcache) - https://blog.zsec.uk/pwning-pornhub/
07/01/2016 - Magento – Re-Installation & Account Hijacking Vulnerabilities - http://netanelrub.in/2016/07/01/magento-re-installation-account-hijackin...
08/08/2016 - Free way to Facebook Freebooting | Hacking Rights Manager - http://www.7xter.com/2016/08/free-way-to-facebook-freebooting.html
08/16/2016 - Google Chrome, Firefox Address Bar Spoofing Vulnerability - http://www.rafayhackingarticles.net/2016/08/google-chrome-firefox-addres...
08/18/2016 - How I hacked an Android App to Get Free Beer - https://breakdev.org/how-i-hacked-an-android-app-to-get-free-beer/
09/02/2016 - Response To Request Injection (RTRI) - https://www.bugbountyhq.com/front/latestnews/dWRWR0thQ2ZWOFN5cTE1cXQrSFZ...


04/27/2016 - Microsoft Office 365 SAML Bypass - http://www.economyofmechanism.com/office365-authbypass.html
04/28/2016 - Slack bot token leakage exposing business critical information - https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-b...
06/01/2016 - Taking over Heroku accounts - http://esevece.github.io/2016/06/01/taking-over-heroku-accounts.html
10/20/2016 - Slack, a Brief Journey to Mission Control - http://secalert.net/slack-security-bug-bounty.html
11/02/2016 - Bypassing Two-Factor Authentication on OWA & Office365 Portals - http://www.blackhillsinfosec.com/?p=5396


04/04/2016 - CSP: bypassing form-action with reflected XSS - https://labs.detectify.com/2016/04/04/csp-bypassing-form-action-with-ref...
12/16/2016 - Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - http://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin...


05/17/2016 - How I bypassed Facebook CSRF in 2016 - http://pouyadarabi.blogspot.ca/2016/05/how-i-bypassed-facebook-csrf-in-2...
19/07/2016 - Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack) - https://hethical.io/paypal-bug-bounty-updating-the-paypal-me-profile-pic...
26/10/2016 - Google Spreadsheet Vuln - CSRF and JSON Hijacking allows data theft - https://www.rodneybeede.com/Google_Spreadsheet_Vuln_-_CSRF_and_JSON_Hija...

CSV Injection

29/01/2013 - Cell Injection: Attacking the End User Through the Application - http://blog.7elements.co.uk/2013/01/cell-injection.html
04/17/2016 - CSV Injection in business.uber.com - http://blog.daviddworken.com/posts/csv-injection-in-businessubercom/


08/23/2015 - Twitter HPP vulnerability unsubscribing from emails - http://www.merttasci.com/blog/twitter-hpp-vulnerability/
12/03/2015 - Parameter Tampering Attack on Twitter Web Intents - https://ericrafaloff.com/parameter-tampering-attack-on-twitter-web-intents/
02/02/2016 - Bypassing Digits web authentication's host validation with HPP - https://hackerone.com/reports/114169

Host Header Injection
09/06/2016 - Internet Explorer has a URL Problem - http://blog.innerht.ml/internet-explorer-has-a-url-problem/
10/24/2016 - Combining Host Header Injection and Lax Host Parsing Service Malicious Data - https://labs.detectify.com/2016/10/24/combining-host-header-injection-an...


06/23/2016 - UBER HACKING: HOW WE FOUND OUT WHO YOU ARE, WHERE YOU ARE AND WHERE YOU WENT! - https://labs.integrity.pt/articles/uber-hacking-how-we-found-out-who-you...
06/23/2016 - Facebook's Bug - Delete any video from Facebook - http://www.pranavhivarekar.in/2016/06/23/facebooks-bug-delete-any-video-...
08/25/2016 - How I Could Have Hacked Multiple Facebook Accounts - https://medium.com/@gurkiratsingh/how-i-could-have-hacked-multiple-faceb...
11/22/2016 - You get a UUID! You get a UUID! Everybody gets a UUID! - http://www.rohk.xyz/uber-uuid/

Information Disclosure

12/21/2016 - Disclosing the primary email address for each Facebook user - http://www.dawgyg.com/2016/12/21/disclosing-the-primary-email-address-fo...


04/18/2016 - ESEA Server-Side Request Forgery and Querying AWS Meta Data - http://buer.haus/2016/04/18/esea-server-side-request-forgery-and-queryin...
02/23/2016 - FFMPEG File Disclosure - https://github.com/ctfs/write-ups-2015/tree/master/9447-ctf-2015/web/sup...
Trello Bug BOunty Access Servier Files Using Imagetragick - https://hethical.io/trello-bug-bounty-access-servers-files-using-imagetr...


04/25/2016 - Adapting AngularJS Payloads to Exploit Real World Applications - http://blog.portswigger.net/2016/04/adapting-angularjs-payloads-to-explo...

Reverse Engineering

04/19/2016 - Digging into a Facebook Worm -https://gist.githubusercontent.com/phwd/0ec21c6289543f35135e17aa11f7dec1...
07/01/2016 - How I Cracked a Keylogger and Ended Up in Someone's Inbox - https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keyl...
11/14/2016 - Hacking Team Back For Your Androids - http://rednaga.io/2016/11/14/hackingteam_back_for_your_androids/

Relative Path Overwrite

03/21/2014 - Relative vs Absolute - http://www.thespanner.co.uk/2014/03/21/rpo/
02/17/2015 - Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities - http://blog.portswigger.net/2015/02/prssi.html
07/03/2016 - RPO Gadgets - http://blog.innerht.ml/rpo-gadgets/


07/06/2010 - Facebook XSS via Cross-Origin Resource Sharinghttp://maustin.net/2010/07/06/facebook_html5.html
02/14/2013 - How I got the Bug Bounty for Mega.co.nz XSS - https://labs.detectify.com/2013/02/14/how-i-got-the-bug-bounty-for-mega-...
04/22/2015 - XSS via Host header - www.google.com/cse - http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html
12/08/2015 - Creative bug which result Stored XSS on m.youtube.com - http://sasi2103.blogspot.ca/2015/12/creative-bug-which-result-stored-xss...
04/17/2016 - XSS in pypi (and Uber!) - http://blog.daviddworken.com/posts/xss-in-pypi-and-uber/
04/17/2016 - XSS in getrush.uber.com - http://blog.daviddworken.com/posts/xss-in-getrushubercom/
04/19/2016 - Using a Braun Shaver to Bypass XSS Audit and WAF - https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-...
05/09/2016 - XSS and RCE, domain takeover with remote loaded JS - http://brutelogic.com.br/blog/xss-and-rce/
06/13/2016 - Embedding XSS in SVG files - http://bini.tech/wordpress-remote-upload-unrestricted-file-upload/
07/02/2016 - OneDrive: an easter egg into MS library - XSS on Microsoft and not only - https://luc10.github.io/onedrive-an-easter-egg-into-ms-library/
07/04/2016 - Apple and the 5 XSSes - http://strukt93.blogspot.ca/2016/07/apple-and-5-xsses.html
07/19/2016 - Instagram Reflected XSS in Link Shim - http://ameeras.me/Instagram-Reflected-XSS-in-Link-Shim/
07/19/2016 - Blind XSS in Spotify - https://mhmdiaa.github.io/jekyll/update/2016/07/19/blind-xss-in-spotify....
07/22/2016 - United to XSS United - http://strukt93.blogspot.ca/2016/07/united-to-xss-united.html
08/29/2016 - Turning Self-XSS into Good XSS v2: Challenge Completed but Not Rewarded - https://httpsonly.blogspot.ca/2016/08/turning-self-xss-into-good-xss-v2....
08/31/2016 - Breaching a CA – Blind Cross-site Scripting (BXSS) in the GeoTrust SSL Operations Panel Using XSS Hunter - https://thehackerblog.com/breaching-a-ca-blind-cross-site-scripting-bxss...
09/19/2016 - Combination of techniques lead to DOM Based XSS in Google - http://sasi2103.blogspot.ca/2016/09/combination-of-techniques-lead-to-do...
12/07/2016 - Stored XSS Affecting All Fantasy Sports on Yahoo - http://dawgyg.com/2016/12/07/stored-xss-affecting-all-fantasy-sports-fan...


06/25/2014 - Identifying Xml eXternal Entity vulnerability (XXE) in GPX files - http://blog.h3xstream.com/2014/06/identifying-xml-external-entity.html
03/21/2015 - XML External Entity (XXE) Injection in Apache Batik Library [CVE-2015-0250] - https://www.insinuator.net/2015/03/xxe-injection-in-apache-batik-library...
08/14/2015 - XXE ALL THE THINGS!!! (INCLUDING APPLE IOS’S OFFICE VIEWER) - https://labs.integrity.pt/articles/xxe-all-the-things-including-apple-io...


03/15/2015 - Parse.com - X-Forwarded-Host Injection - Bypass secure & HTTP_only Vulnerability - https://www.youtube.com/watch?v=1yUw7rtTTeI

Remote Code Execution

12/09/2013 - Remote Code Execution exploit in WordPress 3.5.1 - https://tom.vg/2013/12/wordpress-rce-exploit/
02/15/2015 - RCE in Oracle NetBeans Opensource Plugins: PrimeFaces 5.x Expression Language Injection - http://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource...
11/06/2015 - Java unserialization - https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss...
11/12/2015 - XSS to Remote Code Execution with HipChat - http://maustin.net/2015/11/12/hipchat_rce.html
05/04/2016 - Remote Code Execution via ImageMagick - http://pastebin.com/aE4sKnCg (file)
05/10/2016 - Exploiting ImageMagick on Polyvore (Yahoo) - http://nahamsec.com/exploiting-imagemagick-on-yahoo/
07/22/2016 - Exploiting Java Deserialization via JBoss - https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserializati...
07/25/2016 - CVE-2016-5840: Trend Micro Deep Discovery hotfix_upload.cgi filename Remote Code Execution Vulnerability - http://www.korpritzombie.com/cve-2016-5840-trend-micro-deep-discovery-ho...
08/15/2016 - Jetbrains IDE Remote Code Execution and Local File Disclosure - http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-e...
08/24/2016 - The Million Dollar Dissident - https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-...
09/21/2016 - pwn them for learn -http://bugdisclose.blogspot.ca/2016/09/pwn-them-for-learn.html
10/26/2016 - Details on the Privilege Escalation Vulnerability in Joomla - https://blog.sucuri.net/2016/10/details-on-the-privilege-escalation-vuln...

Memory Related

5/13/2016 - 7-Zip vulnerabilities found by Talos - http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html

Source Code Disclosure

03/27/2016 - A tale of an interesting source code leak - http://secalert.net/#scl-soh
07/19/2016 - Accessing PornHub's SVN repo - https://hackerone.com/reports/72243
07/22/2016 - Twitter's Vine Source code dump - https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/
10/14/2016 - Importance of up-to-date application usage plus complex password OR from directory traversal to admin panel takeover - http://zuh4n.blogspot.ca/


12/20/2016 - Flickr from SQLi to RCE - https://pwnrules.com/flickr-from-sql-injection-to-rce/
07/25/2016 - SQL Injection on sctrack.email.uber.com.cn - https://hackerone.com/reports/150156

Subdomain Takeover

10/21/14 - Hostile Subdomain Takeover using Heroku/Github/Desk + more - https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-h...
12/08/14 - Hijacking of abandoned subdomains part 2 - https://labs.detectify.com/2014/12/08/hijacking-of-abandoned-subdomains-...
07/26/16 - Uber Subdomain Takeover - http://blog.eseccyber.tech/article/uber.html
09/05/2016 - How I was able to read Uber logs and internal emails - http://blog.pentestnepal.tech/post/149985438982/how-i-was-able-to-read-u...

HTML Injection

07/26/2016 - Keeping Positive – Obtaining Arbitrary Wildcard SSL Certificates from Comodo via Dangling Markup Injection - https://thehackerblog.com/keeping-positive-obtaining-arbitrary-wildcard-...


02/07/2014 - How I Hacked GitHub Again. - http://homakov.blogspot.ca/2014/02/how-i-hacked-github-again.html
07/20/2015 - Bypassing Google Authentication on Periscope's Administration Panel - https://whitton.io/articles/bypassing-google-authentication-on-periscope...
01/04/2016 - Bypassing callback_url validation on Digits - https://hackerone.com/reports/108113
02/29/2016 - Swiping Facebook Official Access Tokens - http://philippeharewood.com/swiping-facebook-official-access-tokens/
04/03/2016 - Obtaining Login Tokens for Outlook, Office or Azure (OAuth) - https://whitton.io/articles/obtaining-tokens-outlook-office-azure-account/
06/16/2016 - Bypass Disabled Client OAuth Login in Facebook Pages Manager App - http://philippeharewood.com/bypass-disabled-client-oauth-login-in-facebo...
10/13/2016 - CVE-2016-4977: RCE in Spring Security OAuth - http://secalert.net/#CVE-2016-4977


04/12/2015 - Shopify android client all API request's response leakage - https://hackerone.com/reports/56002
07/26/2016 - Odnoklassniki Android application vulnerabilities - https://hackerone.com/reports/97295

12/06/16 - Firefox - SVG cross domain cookie vulnerability - https://insert-script.blogspot.ca/2016/12/firefox-svg-cross-domain-cooki...

CTF Writeups

03/03/2013 - Unauthorized Access: Bypassing PHP strcmp() - http://danuxx.blogspot.ca/2013/03/unauthorized-access-bypassing-php-strc...
06/09/2016 - Hack in the Box 2016 – MISC400 Writeup (Part 1) - http://rileykidd.com/2016/06/09/hack-in-the-box-2016-misc400-writeup-par...
10/03/2016 - Hacking the Hard Way at the Derbycon CTF - https://labs.signalsciences.com/hacking-the-hard-way-at-the-derbycon-ctf...
BSides Ottawa CTF - Second Place! - https://blog.fletchto99.com/2016/october/bsides-ottawa/
2016 Hack the Vote - https://github.com/ctfs/write-ups-2016/tree/master/hack-the-vote-ctf-2016

XXE Payloads in iOS - http://en.hackdig.com/08/28075.htm
Burp Tutorials - https://vimeo.com/album/3510171
Facebook CTF - https://github.com/facebook/fbctf
SSRF Bible - https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa...
Jerry Gamblin Hacking Blog - http://jerrygamblin.com/category/hacking
Filedescriptor XSS Polygots - http://polyglot.innerht.ml/
prompt.ml XSS Challenge - https://github.com/cure53/XSSChallengeWiki/wiki/prompt.ml#hidden-level--1
Hacking with Unicode - https://speakerdeck.com/mathiasbynens/hacking-with-unicode-in-2016
Programming Practice (paid premium) - https://coderbyte.com/
Online CTF Practice challenges - https://backdoor.sdslabs.co
Nicolas Grégoire Burp Pro Tips - http://www.agarri.fr/docs/HiP2k13-Burp_Pro_Tips_and_Tricks.pdf
Open Security Training - http://opensecuritytraining.info/
OWASP Mutillidae II Web Pen-Test Practice Application - https://sourceforge.net/projects/mutillidae/
DNS - https://haxpo.nl/haxpo2015ams/wp-content/uploads/sites/4/2015/04/D1-P.-M...
XSS without HTML: Client-Side Template Injection with AngularJS - http://blog.portswigger.net/2016/01/xss-without-html-client-side-templat...
File Upload XSS - http://brutelogic.com.br/blog/file-upload-xss/
CSV Injection Mitigations - https://blog.zsec.uk/csv-dangers-mitigations/
Comma Separated Vulnerabilities - http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
Running your own anonymous rotating proxies - http://blog.databigbang.com/running-your-own-anonymous-rotating-proxies/
Reviewing bug bounties - a hacker's perspective - http://www.skeletonscribe.net/2016/08/reviewing-bug-bounties-hackers.html
Practical HTTP Host Header Attacks - http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks...
Practice CTF List / Permanant CTF List - https://captf.com/practice-ctf/
lcamtuf's blog - https://lcamtuf.blogspot.ca/
Backup File Artifacts - http://blog.mazinahmed.net/2016/08/backup-file-artifacts.html
Unicode Character 'PILE OF POO' - http://www.fileformat.info/info/unicode/char/1F4A9/index.htm
Decompile and Recompile Android APK - https://blog.bramp.net/post/2015/08/01/decompile-and-recompile-android-apk/
Frans Rosen - Time Based Captcha Protected SQLi - http://www.slideshare.net/fransrosen/time-based-captcha-protected-sql-in...
CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy - https://research.google.com/pubs/pub45542.html
How to View TLS Traffic in Android’s Logs - https://blog.securityevaluators.com/how-to-view-tls-traffic-in-androids-...
AngularJS Sandbox Escapes Explained - https://www.reddit.com/r/angularjs/comments/557bhr/xss_in_angularjs_vide...
Senate Republicans were skimmed for six months, quietly fix store - https://gwillem.github.io/2016/10/04/how-republicans-send-your-credit-ca...
Introduction to OSINT: Recon-ng Tutorial - https://strikersecurity.com/blog/getting-started-recon-ng-tutorial/
Exploiting CORS misconfigurations - http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-fo...
Abusing Dorking and Robots.txt - http://sten0.ghost.io/2016/10/13/abusing-dorking-and-robots-txt/
Brute Logic XSS Challenge I - http://brutelogic.com.br/blog/xss-challenge-i/
How Google and Bing Protect their APIs - https://rudk.ws/2016/10/23/how-google-and-bing-protects-their-api/
Free Dev Books - https://devfreebooks.github.io/
IOS Application Security Review Methodology - http://research.aurainfosec.io/ios-application-security-review-methodology/
Anatomy of a Subtle JSON Vulnerability - http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerabi...
Finding XSS Slidedeck - http://slides.com/mscasharjaved/deck-13#/
XSS Polyglots - https://blog.bugcrowd.com/xss-polyglots-the-context-contest?utm_campaign...
Bypassing Saml 2.0 SSO - http://research.aurainfosec.io/bypassing-saml20-SSO/
Bypassing CSP using polyglot jpegs - http://blog.portswigger.net/2016/12/bypassing-csp-using-polyglot-jpegs.html
Facebook Graphql Crash Course - https://www.facebook.com/notes/phwd/a-facebook-graphql-crash-course/1189...
New XXSI Vector Untold Merits of nosniff - https://www.hurricanelabs.com/blog/new-xssi-vector-untold-merits-of-nosniff
Research papers

Minded Security Expression Language Injection Paper - https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf
Sandboxing JavaScript in the Browser - https://var.thejh.net/thesis_excerpt.pdf
Does The Online Card Payment Landscape Unwittingly Facilitate Fraud? - http://eprint.ncl.ac.uk/file_store/production/230123/19180242-D02E-47AC-...
Online Courses / Training

Cyber Security Base with F-Secure is a free course series by University of Helsinki - https://cybersecuritybase.github.io/
Vulnerable Web Applications for Learning - https://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applica...
Jame Kettle's hackxor - http://hackxor.sourceforge.net/cgi-bin/index.pl#demo
Google XSS Game - https://xss-game.appspot.com/
Google DOM Based XSS - https://public-firing-range.appspot.com/address/index.html
Code Lab: Web Application Exploits and Defenses - https://google-gruyere.appspot.com/
Cheat Sheets

Path Traversal Cheat Sheet Linux - https://www.gracefulsecurity.com/path-traversal-cheat-sheet-linux/
XXE - https://www.gracefulsecurity.com/xxe-cheatsheet/
HTML5 Security Cheat Sheet - https://html5sec.org/
Brute XSS Cheat Sheet - http://brutelogic.com.br/blog/cheat-sheet/
MySQL SQL Injection Cheat Sheet - http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-c...
AngularJS Sandbox Bypass Collection (includes 1.5.7) - http://pastebin.com/xMXwsm0N
Java Deserialization - https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
Penetration testing tools cheat sheet - https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/
OAuth - https://github.com/homakov/oauthsecurity
Burp How Tos


Sublist3r is python tool that is designed to enumerate subdomains of websites using search engines - https://github.com/aboul3la/Sublist3r
EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible - https://github.com/ChrisTruncer/EyeWitness
Smart content discovery burp plugin with context awareness - https://github.com/pathetiq/BurpSmartBuster
An automated tool that checks for backup artifacts that may discloses the web-application's source code - https://github.com/mazen160/bfac

Recon-ng + Google Dorks + Burp = ... - https://averagesecurityguy.github.io/2016/10/21/recon-ng-dorks-burp/

Port Scanning
Resolve and quickly portscan a list of (sub)domains - https://github.com/melvinsh/subresolve

JD-GUI, a standalone graphical utility that displays Java sources from CLASS files. - https://github.com/java-decompiler/jd-gui
Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static, dynamic analysis and web API testing - https://github.com/ajinabraham/Mobile-Security-Framework-MobSF
An xposed module that disables SSL certificate checking for the purposes of auditing an app with cert pinning - https://github.com/Fuzion24/JustTrustMe
Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and OS X Apps - https://github.com/nabla-c0d3/ssl-kill-switch2
Android APK Tool - https://ibotpeaches.github.io/Apktool/
Android Dex2Jar - https://github.com/pxb1988/dex2jar

JPEXS Free Flash Decompiler - https://github.com/jindrapetrik/jpexs-decompiler
Flashbang, find theflashVars of a naked SWF and display them - https://github.com/cure53/Flashbang

Java Deserialization
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization - https://github.com/frohoff/ysoserial

Password Cracking
John the Ripper - http://www.openwall.com/john/

Hash Cracking
Online Hash Crack - http://www.onlinehashcrack.com/
CyberChef - https://gchq.github.io/CyberChef/

Vulnerability SaaS
SSRF Detector - https://ssrfdetector.com/
XSSHunter - https://xsshunter.com

via: www.torontowebsitedeveloper.com
Δεκεμβρίου 31, 2016 | 0 σχόλια | Διαβάστε περισσότερα

textdokumen password.txt

Written By Fouls Code on Δευτέρα, 31 Οκτωβρίου 2016 | Οκτωβρίου 31, 2016

Μερικά password από προφίλ πολύ πιθανόν να μην δουλεύουν πολλά αλλα υπάρχουν μερικά που δουλεύουν ;)

Όνομα: foulscode

Κωδικός: pass1

*Κάντε κλικ στο παρακάτω link και περιμένετε 5 δευτερόλεπτα
*Με αυτό μας βοηθάτε το FoulsCode.com να μην σταματάμε να βρίσκουμε καινούρια πράγματα συνεχεια και να τα μοιραζόμαστε στο blog ;)
Οκτωβρίου 31, 2016 | 0 σχόλια | Διαβάστε περισσότερα

Password dictionaries, Leaked

Written By Fouls Code on Τρίτη, 11 Οκτωβρίου 2016 | Οκτωβρίου 11, 2016

Password dictionaries

These are dictionaries that come with tools/worms/etc, designed for cracking passwords. As far as I know, I'm not breaking any licensing agreements by mirroring them with credit; if you don't want me to host one of these files, let me know and I'll remove it.
Name Compressed Uncompressed Notes
John the Ripper john.txt.bz2 (10,934 bytes) n/a Simple, extremely good, designed to be modified
Cain & Abel cain.txt.bz2 (1,069,968 bytes) n/a Fairly comprehensive, not ordered
Conficker worm conficker.txt.bz2 (1411 bytes) n/a Used by conficker worm to spread -- low quality
500 worst passwords 500-worst-passwords.txt.bz2 (1868 bytes) n/a
370 Banned Twitter passwords twitter-banned.txt.bz2 (1509 bytes) n/a

Leaked passwords

Passwords that were leaked or stolen from sites. I'm hosting them because it seems like nobody else does (hopefully it isn't because hosting them is illegal :)). Naturally, I'm not the one who stole these; I simply found them online, removed any names/email addresses/etc (I don't see any reason to supply usernames -- if you do have a good reason, email me (ron-at-skullsecurity.net) and I'll see if I have them.

The best use of these is to generate or test password lists.

Note: The dates are approximate.
Name Compressed Uncompressed Date Notes
Rockyou rockyou.txt.bz2 (60,498,886 bytes) n/a 2009-12 Best list available; huge, stolen unencrypted
Rockyou with count rockyou-withcount.txt.bz2 (59,500,255 bytes) n/a
phpbb phpbb.txt.bz2 (868,606 bytes) n/a 2009-01 Ordered by commonness
Cracked from md5 by Brandon Enright
(97%+ coverage)
phpbb with count phpbb-withcount.txt.bz2 (872,867 bytes) n/a
phpbb with md5 phpbb-withmd5.txt.bz2 (4,117,887 bytes) n/a
MySpace myspace.txt.bz2 (175,970 bytes) n/a 2006-10 Captured via phishing
MySpace - with count myspace-withcount.txt.bz2 (179,929 bytes) n/a
Hotmail hotmail.txt.bz2 (47,195 bytes) n/a Unknown Isn't clearly understood how these were stolen
Hotmail with count hotmail-withcount.txt.bz2 (47,975 bytes) n/a
Faithwriters faithwriters.txt.bz2 (39,327 bytes) n/a 2009-03 Religious passwords
Faithwriters - with count faithwriters-withcount.txt.bz2 (40,233 bytes) n/a
Elitehacker elitehacker.txt.bz2 (3,690 bytes) n/a 2009-07 Part of zf05.txt
Elitehacker - with count elitehacker-withcount.txt.bz2 (3,846 bytes) n/a
Hak5 hak5.txt.bz2 (16,490 bytes) n/a 2009-07 Part of zf05.txt
Hak5 - with count hak5-withcount.txt.bz2 (16,947 bytes) n/a
Älypää alypaa.txt.bz2 (5,178 bytes) n/a 2010-03 Finnish passwords
alypaa - with count alypaa-withcount.txt.bz2 (6,013 bytes) n/a
Facebook (Pastebay) facebook-pastebay.txt.bz2 (375 bytes) n/a 2010-04 Found on Pastebay;
appear to be malware-stolen.
Facebook (Pastebay) - w/ count facebook-pastebay-withcount.txt.bz2 (407 bytes) n/a
Unknown porn site porn-unknown.txt.bz2 (30,600 bytes) n/a 2010-08 Found on angelfire.com. No clue where they originated, but clearly porn site.
Unknown porn site - w/ count porn-unknown-withcount.txt.bz2 (31,899 bytes) n/a
Ultimate Strip Club List tuscl.txt.bz2 (176,291 bytes) n/a 2010-09 Thanks to Mark Baggett for finding!
Ultimate Strip Club List - w/ count tuscl-withcount.txt.bz2 (182,441 bytes) n/a
[Facebook Phished] facebook-phished.txt.bz2 (14,457 bytes) n/a 2010-09 Thanks to Andrew Orr for reporting
Facebook Phished - w/ count facebook-phished-withcount.txt.bz2 (14,941 bytes) n/a
Carders.cc carders.cc.txt.bz2 (8,936 bytes) n/a 2010-05
Carders.cc - w/ count carders.cc-withcount.txt.bz2 (9,774 bytes) n/a
Singles.org singles.org.txt.bz2 (50,697 bytes) n/a 2010-10
Singles.org - w/ count singles.org-withcount.txt.bz2 (52,884 bytes) n/a
Unnamed financial site (reserved) (reserved) 2010-12
Unnamed financial site - w/ count (reserved) (reserved)
Gawker (reserved) (reserved) 2010-12
Gawker - w/ count (reserved) (reserved)
Free-Hack.com (reserved) (reserved) 2010-12
Free-Hack.com w/count (reserved) (reserved)
Carders.cc (second time hacked) (reserved) (reserved) 2010-12
Carders.cc w/count (second time hacked) (reserved) (reserved)


I did some tests of my various dictionaries against the different sets of leaked passwords. I grouped them by the password set they were trying to crack:
Miscellaneous non-hacking dictionaries

These are dictionaries of words (etc), not passwords. They may be useful for one reason or another.
Name Compressed Uncompressed Notes
English english.txt.bz2 (1,368,101 bytes) n/a My combination of a couple lists, from Andrew Orr, Brandon Enright, and Seth
German german.txt.bz2 (2,371,487 bytes) n/a Compiled by Brandon Enright
American cities us_cities.txt.bz2 (77,081 bytes) n/a Generated by RSnake
"Porno" porno.txt.bz2 (7,158,285 bytes) n/a World's largest porno password collection!
Created by Matt Weir
Honeynet honeynet.txt.bz2 (889,525 bytes) n/a From a honeynet run by Joshua Gimer
Honeynet - w/ count honeynet-withcount.txt.bz2 (901,868 bytes) n/a
File locations file-locations.txt.bz2 (1,724 bytes) n/a Potential logfile locations (for LFI, etc).
Thanks to Seth!
Fuzzing strings (Python) fuzzing-strings.txt.bz2 (276 bytes) n/a Thanks to Seth!
PHPMyAdmin locations phpmyadmin-locations.txt.bz2 (304 bytes) n/a Potential PHPMyAdmin locations.
Thanks to Seth!
Web extensions web-extensions.txt.bz2 (117 bytes) n/a Common extensions for Web files.
Thanks to dirb!
Web mutations web-mutations.txt.bz2 (177 bytes) n/a Common 'mutations' for Web files.
Thanks to dirb!

DirBuster has some awesome lists, too -- usernames and filenames.
Facebook lists

These are the lists I generated from this data. Some are more useful than others as password lists. All lists are sorted by commonness.

If you want a bunch of these, I highly recommend using the torrent. It's faster, and you'll get them all at once.
Name Compressed Uncompressed Date Notes
Full names facebook-names-unique.txt.bz2 (479,332,623 bytes) n/a 2010-08
Full names - w/ count facebook-names-withcount.txt.bz2 (477,274,173 bytes) n/a
First names facebook-firstnames.txt.bz2 (16,464,124 bytes) n/a 2010-08
First names - w/ count facebook-firstnames-withcount.txt.bz2 (73,134,218 bytes) n/a
Last names facebook-lastnames.txt.bz2 (21,176,444 bytes) n/a 2010-08
Last names - w/ count facebook-lastnames-withcount.txt.bz2 (21,166,232 bytes) n/a
First initial last names facebook-f.last.txt.bz2 (67,110,776 bytes) n/a 2010-08
First initial last names - w/ count facebook-f.last-withcount.txt.bz2 (66,348,431 bytes) n/a
First name last initial facebook-first.l.txt.bz2 (37,463,798 bytes) n/a 2010-08
First name last initial facebook-first.l-withcount.txt.bz2 (36,932,295 bytes) n/a

Οκτωβρίου 11, 2016 | 0 σχόλια | Διαβάστε περισσότερα

"OpIsrael Of Gaza Hacker Team # In Password FaceBook And Email" .txt

Written By Fouls Code on Κυριακή, 9 Οκτωβρίου 2016 | Οκτωβρίου 09, 2016

Κλικ στον παρακάτω σύνδεσμο!

Τα αρχεία .txt δεν φιλοξενούνται στο blog!
5 seconds...

Οκτωβρίου 09, 2016 | 0 σχόλια | Διαβάστε περισσότερα
berita unik