Combined
Too many tips, can't keep adding new subpages.
1. Read minified JS files.
More JS endpoint extraction: https://lnkd.in/gcwrJSxC
2. Dependency confusion
Apart from the famous Alex blog
Tool to check: https://github.com/visma-prodsec/confused
How to publish packages:
3. Null byte injection in JSON data type.
%00 is the null character and it often leads to unexpected behavior in applications. Don't believe me? Search for the Sam Curry null byte overflow writeup. You will love it.
However, if you send %00 in JSON data, it might not be treated as a null character by the JSON parser.
You should instead use \u0000.
One more example: https://medium.com/@0xold/null-byte-on-steroids-23f8104a25ec
Extra tip: \u2063 is also a special space-like character that might be useful in fuzzing.
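Added example (not from the original notes): a Python check showing how the two forms above decode in a JSON body, and how a server-side validator can flag hidden characters in decoded strings. The sample body and the function names are constructed for illustration.

```python
import json
import unicodedata

# Constructed request body: "a" carries URL-style %00, "b" a JSON \u0000 escape,
# "c" the invisible separator U+2063. Raw string, so the escapes reach the parser.
SAMPLE_BODY = r'{"a": "admin%00.png", "b": "admin\u0000.png", "c": "ad\u2063min"}'


def suspicious_chars(text):
    """Return (index, codepoint, category) for control (Cc) and format (Cf) chars.

    Cc also covers tab and newline, so allow-list those per field if needed.
    """
    hits = []
    for i, ch in enumerate(text):
        cat = unicodedata.category(ch)
        if cat in ("Cc", "Cf"):
            hits.append((i, "U+%04X" % ord(ch), cat))
    return hits


def audit(value, path="$"):
    """Walk decoded JSON; map each offending key or string value to its hits."""
    findings = {}
    if isinstance(value, str):
        hits = suspicious_chars(value)
        if hits:
            findings[path] = hits
    elif isinstance(value, dict):
        for key, item in value.items():
            key_hits = suspicious_chars(key)
            if key_hits:
                findings[path + " key " + repr(key)] = key_hits
            findings.update(audit(item, path + "." + key))
    elif isinstance(value, list):
        for i, item in enumerate(value):
            findings.update(audit(item, "%s[%d]" % (path, i)))
    return findings


def audit_body(body):
    """Decode a JSON body and audit the result (after parsing, not before)."""
    return audit(json.loads(body))


if __name__ == "__main__":
    for where, hits in audit_body(SAMPLE_BODY).items():
        print(where, hits)
```

The %00 field passes through as three literal characters, while the \u0000 and \u2063 fields are flagged only after decoding, which is why the check has to run on parsed values rather than on the raw body.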
4. recollapse tool by 0xacb
This tool can be useful for validation bypass checks
5. PortSwigger URL validation cheatsheet
Good resource for URL validation scenarios.