Search the Community

Showing results for tags 'web'.

More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Staff Control
    • Staff Announcements
    • Moderators
    • Staff
    • Administration
  • General doubts | News
    • General doubts
    • News
  • Hacking | Remote Administration | Bugs & Exploits
    • Hacking
    • Remote Administration
    • Bugs & Exploits
  • Programming | Web | SEO | Prefabricated applications
    • General Programming
    • Web Programming
    • Prefabricated Applications
    • SEO
  • Pentesting Zone
  • Security & Anonymity
  • Operating Systems | Hardware | Programs
  • Graphic Design
  • vBCms Comments
  • live stream tv
  • Marketplace
  • Pentesting Premium
  • Modders Section
  • PRIV8-Section
  • Pentesting Zone PRIV8
  • Carding Zone PRIV8
  • Recycle Bin
  • Null3D's Nulled Group


There are no results to display.

There are no results to display.

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...


  • Start



About Me










Found 326 results

  1. 0x1

    Xepor - web routing framework

    Xepor (pronounced /ˈzɛfə/, zephyr), a web routing framework for reverse engineers and security researchers. It provides a Flask-like API for hackers to intercept and modify HTTP request and/or HTTP response in a human-friendly coding style. This project is meant to be used with mitmproxy. User write scripts with xepor, and run the script inside mitmproxy with mitmproxy -s If you want to step from PoC to production, from demo(e.g.,, to something you could take out with your WiFi Pineapple, then Xepor is for you! Features Code everything with @api.route(), just like Flask! Write everything in one script and no if..else any more. Handle multiple URL routes, even multiple hosts in one InterceptedAPI instance. For each route, you can choose to modify the request before connecting to server (or even return a fake response without connection to upstream), or modify the response before forwarding to user. Blacklist mode or whitelist mode. Only allow URL endpoints defined in scripts to connect to upstream, blocking everything else (in specific domain) with HTTP 404. Suitable for transparent proxying. Human readable URL path definition and matching powered by parse Host remapping. define rules to redirect to genuine upstream from your fake hosts. Regex matching is supported. Best for SSL stripping and server side license cracking! Plus all the bests from mitmproxy! ALL operation modes ( mitmproxy / mitmweb + regular / transparent / socks5 / reverse:SPEC / upstream:SPEC) are fully supported. Use Case Evil AP and phishing through MITM. Sniffing traffic from specific device by iptables + transparent proxy, modify the payload with xepor on the fly. Cracking cloud based software license. See examples/krisp/ as an example. Write complicated web crawler in ~100 lines of codes. See examples/polyv_scrapper/ as an example. ... and many more. SSL stripping is NOT provided by this project. Installation pip install xepor Quick start Take the script from examples/httpbin as an example. mitmweb --web-host=\* --set connection_strategy=lazy -s example/httpbin/ In this example, we setup the mitmproxy server on You could change it to any IP on your machine or alternatively to the IP of your VPS. The mitmproxy server running in reverse, upstream and transparent mode requires --set connection_strategy=lazy option to be set so that Xepor could function correctly. I recommand this option always be on for best stability. Set your Browser HTTP Proxy to [Hidden Content], and access web interface at [Hidden Content]. Send a GET request from [Hidden Content] , Then you could see the modification made by Xepor in mitmweb interface, browser devtools or Wireshark. The do two things. When user access [Hidden Content], inject a query string parameter payload=evil_param inside HTTP request. When user access [Hidden Content] (we just pretends we don't know the password), sniff Authorization headers from HTTP requests and print the password to the attacker. Just what mitmproxy always do, but with code written in xepor way. # [Hidden Content] from mitmproxy.http import HTTPFlow from xepor import InterceptedAPI, RouteType HOST_HTTPBIN = "" api = InterceptedAPI(HOST_HTTPBIN) @api.route("/get") def change_your_request(flow: HTTPFlow): """ Modify URL query param. Test at: [Hidden Content] """ flow.request.query["payload"] = "evil_param" @api.route("/basic-auth/{usr}/{pwd}", rtype=RouteType.RESPONSE) def capture_auth(flow: HTTPFlow, usr=None, pwd=None): """ Sniffing password. Test at: [Hidden Content]_ """ print( f"auth @ {usr} + {pwd}:", f"Captured {'successful' if flow.response.status_code < 300 else 'unsuccessful'} login:", flow.request.headers.get("Authorization", ""), ) addons = [api] Download [hide][Hidden Content]]
  2. FuzzingTool is a web penetration testing tool, that handles with fuzzing. After the test is completed, all possible vulnerable entries (and the response data) are saved on a report file. Changelog v3.14 New features Added a replay proxy option --replay-proxy PROXY; Added a Matcher option to match responses by regex -Mr REGEX; Added Filter: Exclude responses by status codes -Fc STATUS; Exclude responses by regex -Fr REGEX; Added recursion jobs feature: Plugin scanners now can enqueue payloads for the next job when needed; Added directory recursion feature (--recursion) on path fuzzing; The user can set the maximum recursion level from jobs (--max-rlevel RLEVEL); Added option to set multiple plugin scanners (when use multiple --scanner argument); Added plugin scanners: Backups; Wappalyzer; Removed features Removed the use of multiple http methods; Removed Find plugin (replaced by match by regex); Bugfix Fixed a bug with match logic on Matcher, when set multiple match options and only one is considered; Fixed a bug with DnsZone plugin when set an invalid hostname; Fixed a split string error on function split_str_to_list; CLI output changes When do a subdomain fuzzing, the ip address will no longer be shown on cli output. It’ll only be stored in the report file; Added a progress bar (credits to Dirsearch for the idea) Other changes Changed the program binary name from FuzzingTool to fuzzingtool; Now the Dictionary object will enqueue Payload objects into the payloads queue; Each Payload has his own recursion level attribute (Payload.rlevel) to tell about the job recursion level; Now the wordlist creation and build are threaded; Code refactored Added HttpHistory object to store the information about the request and response into the result object, including the ip address when do a subdomain fuzzing; Moved some functions from http_utils module to UrlParse class; Removed inspect_result method from scanners. Now they will append results in the _process method; Removed decorator append_args, no longer needed; Updated fuzz types and created a class to store the plugin categories on utils/consts; Moved both logger and reports to persistence directory; Updated the order of the parameters on PluginFactory methods; Moved the api to outside of a specific folder; Moved the argument build functions to utils/argument_utils; [hide][Hidden Content]]
  3. A multifunctional Android RAT with GUI based Web Panel without port forwarding. Features Read all the files of Internal Storage Download Any Media to your Device from Victims Device Get all the system information of Victim Device Retrieve the List of Installed Applications Retrive SMS Retrive Call Logs Retrive Contacts Send SMS Gets all the Notifications Keylogger Admin Permission Show Phishing Pages to steal credentials through notification. Steal credentials through pre built phishing pages Open any suspicious website through notification to steal credentials. Record Audio Play music in Victim's device Vibrate Device Text To Speech Change Wallpaper Run shell Commands Pre Binded with Instagram Webview Phishing Runs In Background Auto Starts on restarting the device Auto Starts when any notification arrives No port forwarding needed DISCLAIMER TO BE USED FOR EDUCATIONAL PURPOSES ONLY The use of the AIRAVAT is COMPLETE RESPONSIBILITY of the END-USER. Developers assume NO liability and are NOT responsible for any misuse or damage caused by this program. [hide][Hidden Content]]
  4. Find out about the OWASP top 10 most common Cyber Security and Web Application hacking threats. What you’ll learn Ethical Hacking: OWASP top 10 Web Application Hacking Find the top 10 threats from the OWASP list. Web Application Security: The basics. Each vulnerability has its own mitigations. There are ways that hackers can use the top 10 threats from the OWASP top 10. OWASP’s top 10 threats can be prevented with these methods. OWASP’s Top 10 Hacking Tips. Security for applications. The parts and features of a web application. Attack on the SQL Server. Attack on Parameter Tampering. An attack from behind that manipulates the hidden field. The attack is called “Cross Site Scripting.” Forceful Attack on Browsing. In this case, someone broke into your account. An attack on cookies that make you sick Attack on buffer overflow. The Attack: Security Misconfiguration Attack. Attack on Sensitive Data Vulnerability: Insufficient Logging and Monitoring. Requirements Willing: I want to learn A passion for cyber security interest in the security of Web applications Interest in the security of networks Description You’ve come to the “OWASP Top 10: Web Application Security Exploit for Beginners.” This is a good place to start. A lot of web applications are vulnerable to attacks called OWASP TOP 10. In this course, we’ll look at these attacks and learn how to take advantage of them. You’re going to: – Learn about the top OWASP attacks and how they work, as well as the tricks and techniques that go with them. – Find out how to get information about a target domain and look for people who might be victims. People from the Open Web Application Security Project will show you how to deal with 10 of the most common threats they have found (OWASP). You will learn: what are the OWASP top 10 threats? the effect on your business is that a security breach could have hackers/attackers / pen-testers who can carry out these threats. how these security threats can be dealt with You won’t have to know how to write code to understand the above points. A disclaimer: This course is for educational use only. At your own risk, use. You must get permission to use these and other techniques on things that aren’t yours. The author takes no legal responsibility for any illegal use of the techniques and methods in this course. If you like the course, please give it a good rating and tell your friends about it. Who this course is for: An Application Security Engineer is in charge of web application security. An engineer who works with network security and web applications In this case, the person is a “good hacker.” It is important to protect yourself on the internet [Hidden Content] [hide][Hidden Content]]
  5. This python script allows to extract of various information from a Microsoft Remote Desktop Web Access (RDWA) application, such as the FQDN of the remote server, the internal AD domain name (from the FQDN), and the remote Windows Server version. [hide][Hidden Content]]
  6. 1 download

    Complete Web Developer : Zero To Mastery Total Parts :- 4 Size :- 650MB Each Part Download LINK :- Download Free for users PRIV8

    $100.00 PRIV8

  7. View File Complete Web Developer : Zero To Mastery Complete Web Developer : Zero To Mastery Total Parts :- 4 Size :- 650MB Each Part Download LINK :- Download Free for users PRIV8 Submitter dEEpEst Submitted 13/03/22 Category Libro Online Password ********  
  8. dEEpEst

    Twitter in the Dark Web

    Twitter is now also on the Dark Web: [Hidden Content]
  9. I would like to talk about arachni, an open-source framework among many Web Vulnerability Scanners (WVS). I tested it briefly, and it seems to be usable. Also, you should learn how to secure coding plan. Arachni is a feature-full, modular, high-performance Ruby framework aimed at helping penetration testers and administrators evaluate the security of modern web applications. It is free, with its source code public, and available for review. It is multi-platform, supporting all major operating systems (MS Windows, Mac OS X, and Linux) and distributed via portable packages which allow for instant deployment. It is versatile enough to cover a lot of use cases, ranging from a simple command-line scanner utility to a global high-performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform. In addition, its simple REST API makes integration a cinch. Finally, due to its integrated browser environment, it can support highly complicated web applications which make heavy use of technologies such as JavaScript, HTML5, DOM manipulation, and AJAX. Arachni includes command-line and Web GUI versions. [hide][Hidden Content]]
  10. Millions of tech-lovers around the world are aware that multiple dimensions exist on the World Wide Web. The internet, to call it by its household name, does not solely consist of what we interact with, far from it. In fact, what we interact with and search for overall only makes up a few percent of the actual (estimated) size of the World Wide Web. There are indeed multiple “floors” on the internet itself, akin to hidden underground areas you would imagine Area 51 ( or e.g., a bank) would have. Because of this, several reasons exist why informing yourself about the dark web is useful. The deeper parts of the internet are like a vast iceberg below the surface area -the area we all know and use every day. A lot is going on in the vast universe of the internet that 90% of us are unaware of. You might have heard about the mysterious darknet or “dark web” and want to learn more, or you may want to visit the dark web lair and find out for yourself (more on this later.) Likewise, you may want to understand what the “deep web” is. You could also be wondering whether it is safe to access the deeper parts of the web. Whatever your reason may be, read on below and find out more about this fascinating topic. The Various Layers of the Internet To draw on an analogy, the internet is much like our universe in its structure. It is a seemingly endless space that consists of unique planets and galaxies that form to make a whole. It also resembles a living organism in the same way. Remember, the internet has no central authority of control, and that’s why it is truly the only free platform of communication we have. That is not to say that law enforcement does not patrol the internet, but more so to underline that the internet has taken on a life of its own and it is still possible to be truly invisible on it. We can use a metaphor to illustrate this even better, by saying the internet is like a party with lots of people. All of the people are together, but also behave individually at the same time, and there is no single entity responsible for, or controlling, everyone. Yet, all parts contribute to the whole as well. This is the internet in a nutshell. As for the structure of the internet, we can use yet another analogy to describe this. This would be the classic iceberg analogy, which consists of a top layer, an immediate layer beneath the water and a third layer much deeper down that completes the iceberg. The top layer is the surface web, the middle layer is the deep web, and finally, the dark web resides down below in the depths. What is the Surface Web? The surface web also called the “clear web”, is the internet that we interact with daily for activities such as e.g., email, social media, web browsing, shopping, and online searches. This part of the web is only a fraction of the entire platform. This layer is indexed by typical search engines, and only makes up about 10% of the entire internet’s size. What is the Deep Web? The deep web is the largest chunk of the internet and comprises the majority of it. We could compare this to a huge warehouse or factory where the inner workings of the internet are held and are not indexed by classical search engines. This content is mostly databases, unlisted items, and other storage databases. The deep web is not indexed by search engines but is not purposefully encrypted either. What is the Dark Web? The dark web, considered to be within the deep web that covers 90% of the entire size of the internet, is a purposefully encrypted layer of the internet that can only be accessed with search engines like Tor (The Onion Browser.) Much of the deep web, also called the darknet, contains extremely illicit and highly illegal material. Its users are hidden, and payments are also anonymized. Should You be Using the Dark Web? First of all, browsing the dark web in itself is not illegal, inasmuch as torrenting isn’t if you use it for downloading files legally and not breaking copyright rules. However, since the dark web is home to vast amounts of illegal material, the automatic assumption is that the user may be there to conduct an illegal activity or even terrorism. It is a place with no filters at all. The dark web is a place where you can shop for everything from weapons, drugs, illegal porn to hiring a hitman. At the same time, the dark web is practically the only place e.g., journalists wishing to remain anonymous. Even some companies and academic institutions benefit from the dark web these days. Using the Tor browser (or any other onion browser for the dark web) is not illegal either, and you will not attract any attention to yourself unless you meddle in illegal or clandestine activities. Having said that, internet users are demanding more and more security and privacy every day, meaning that the menacing lair of the dark web is also the only place that can almost guarantee both complete privacy and complete security for anyone wishing to cloak themselves. You can use the dark web, but make sure to avoid clicking on any links that seem to lead to “dark” things. Many people use the dark web for private research, private communications, and even private cryptocurrency transactions. If you happen to stumble on a shady website, make sure to close the tab immediately and avoid it in the future. As long as you stick to normal habits, you can use the dark web for your privacy as much as you like. Remember, using a VPN or Virtual Private Network when browsing the dark web will give you even greater peace of mind and disambiguate you from the process.
  11. [Hidden Content]
  12. Welcome to OWASP Coraza WAF, Coraza is a golang enterprise-grade Web Application Firewall framework that supports Modsecurity’s seclang language and is 100% compatible with OWASP Core Ruleset. Coraza v2 differences with v1 Full internal API refactor, public API has not changed Full audit engine refactor with plugins support New enhanced plugins interface for transformations, actions, body processors, and operators We are fully compliant with Seclang from modsecurity v2 Many features were removed and transformed into plugins: XML (Mostly), GeoIP, and PCRE regex Better debug logging New error logging (like modsecurity) Why Coraza WAF? Philosophy Simplicity: Anyone should be able to understand and modify Coraza WAF’s source code Extensibility: It should be easy to extend Coraza WAF with new functionalities Innovation: Coraza WAF isn’t just a ModSecurity port. It must include awesome new functions (in the meantime, it’s just a port ) Community: Coraza WAF is a community project, and all ideas will be considered [hide][Hidden Content]]
  13. Description A website vulnerability is a weakness or misconfiguration in a website or web application code that allows an attacker to gain some level of control of the site, and possibly the hosting server. Most vulnerabilities are exploited through automated means, such as vulnerability scanners and botnets. There are a lot of common web application vulnerabilities as a result of insecure code development practices or using vulnerable software, some examples are: SQL Injection, Cross Site Scripting (XSS), Command Execution, File Injection, Cross Site Request Forgery (CSRF), etc. Kali Linux is a Linux distribution that is specialized for cybersecurity. It is an open-source product that involves a lot of customization for penetration testing, which helps companies to understand their vulnerabilities. It is maintained and funded by Offensive Security. A web application firewall (WAF) protects web applications from a variety of application layer attacks such as cross-site scripting (XSS), SQL injection, and cookie poisoning, among others. Attacks to apps are the leading cause of breaches—they are the gateway to your valuable data. In this course, you will learn about web application ethical hacking techniques including using some Kali Linux tools: Introduction to web penetration testing and ethical hacking Designing and building a lab environment for pen testing Understanding website vulnerabilities and general attacks Understanding how to protect your website against attacks Secure coding and web application firewalls Who this course is for: Cybersecurity engineers, experts and students Security professionals Penetration testers Web Application developers Requirements General knowledge about internet and website development General knowledge about Linux and networking [hide][Hidden Content]]
  14. Pentesters HackTools is a web extension facilitating your web application penetration tests, it includes cheat sheets as well as all the tools used during a test such as XSS payloads, Reverses shells, and much more. Current functions: Dynamic Reverse Shell generator (PHP, Bash, Ruby, Python, Perl, Netcat) Shell Spawning (TTY Shell Spawning) XSS Payloads Basic SQLi payloads Local file inclusion payloads (LFI) Base64 Encoder / Decoder Hash Generator (MD5, SHA1, SHA256, SHA512) Useful Linux commands (Port Forwarding, SUID) Changelog v0.4 The new update is out! Theme switcher, you can now switch between dark and white theme Powershell scripts has been added Obfuscated Files or Information is now available New SQLi payloads [hide][Hidden Content]]
  15. itsMe

    Starus Web Detective 3.1

    Starus Web Detective – will helps you recover erased history and analyze a wide range of web browsers. The application will allow you to track your browsing history, bookmarks, download list and passwords, even if the user deleted this information from his browser. Features • Recover deleted data • View any browser data • Obtain information from incognito mode • Analyse user’s online activity • Filter data • Step-by-step wizard • Export the obtained data • Save deleted files [Hidden Content] [hide][Hidden Content]]
  16. A multi threads web application source leak scanner. [hide][Hidden Content]]
  17. Second Order Scans web applications for second-order subdomain takeover by crawling the app, and collecting URLs (and other data) that match certain rules, or respond in a certain way. Usage Ideas This is a list of tips and ideas (not necessarily related to second-order subdomain takeover) on what to use Second Order for. Check for second-order subdomain takeover: takeover.json. (Duh!) Collect inline and imported JS code: javascript.json. Find where a target hosts static files cdn.json. (S3 buckets, anyone?) Collect <input> names to build a tailored parameter bruteforcing wordlist: parameters.json. Feel free to contribute more ideas! [Hidden Content]
  18. This is a forked modified version of the great exploitation tool created by @welk1n. This tool can be used to start an HTTP Server, RMI Server, and LDAP Server to exploit java web apps vulnerable to JNDI Injection. Here is what I’ve updated on his tool: Added support to serialized java payloads to LDAP payloads. This allows exploitation of any java version as long the classes are present in the application classpath ignoring completely the trustURLCodebase=false. Added a proper menu with a help display and guidelines (and a fancy ascii banner just because :-p) Added some command line parameters to modify the IP:PORT of the services. This helps in situations where the target can only access specific ports like 25, 53, 80, 443, etc. Added standalone mode to all services, that way you can start only the JettyServer (HTTP), RMIServer, or LDAPServer. The HTTP address can also be changed on standalone mode to redirect requests to a different server. This is helpful in cases when the target can only access a single port (like port 53) and you need to jump across multiple servers in port 53 for successful exploitation. Modified the ASMified Transformer payload (java bytecode) to detect the operating system where the exploit code will be detonated (windows or Unix like systems) and automatically runs the command into a proper terminal shell using the command Runtime.getRuntime().exec(String[] cmd) automatically mapping it to “cmd.exe /c command” or “/bin/bash -c command”. That way we can control pipes and write output to files, etc. Added the JNDI bypass using groove published by @orangetw Modified the Expression Language in the EL bypass to a more concise payload that detects the operational system and runs the command in a proper terminal (similar to the modified ASMified Transformer code). Added two more JDK templates, JDK 1.6 and JDK 1.5. This is important in the case of legacy systems that have ancient Java versions. [hide][Hidden Content]]
  19. Damn Vulnerable NodeJS Application. ADDED BUGS Prototype Pollution No SQL Injection Cross-site Scripting Broken Access Control Broken Session Management Weak Regex Implementation Race Condition CSRF -Cross-Site Request Forgery Weak Bruteforce Protection User Enumeration Reset Password token leaking in Referrer Reset Password bugs Sensitive Data Exposure Unicode Case Mapping Collision File Upload SSRF XXE Open Redirection Directory Traversal [hide][Hidden Content]]
  20. dirsearch Current Release: v0.4.2 (2021.9.12) An advanced command-line tool designed to brute force directories and files in webservers, AKA web path scanner Features Multithreaded Keep-alive connections Support for multiple extensions (-e|–extensions asp,php) Reporting (plain text, JSON) Heuristically detects invalid web pages Recursive brute forcing HTTP proxy support User-agent randomization Batch processing Request delaying Changelog v0.43 Automatically detect the URI scheme (http or https) if no scheme is provided [hide][Hidden Content]]
  21. 5 downloads

    Intro To Bug Bounty Hunting And Web Application Hacking *What you'll learn? Learn 10+ different vulnerability types Ability to exploit basic web application vulnerabilities Basics of Reconnaissance How to approach a target Understand how bug bounties work Write better bug bounty reports Includes practical hands on labs to practice your skills. Link:- download Free for users PRIV8

    $100.00 PRIV8

  22. View File Intro To Bug Bounty Hunting And Web Application Hacking [3GB] Intro To Bug Bounty Hunting And Web Application Hacking *What you'll learn? Learn 10+ different vulnerability types Ability to exploit basic web application vulnerabilities Basics of Reconnaissance How to approach a target Understand how bug bounties work Write better bug bounty reports Includes practical hands on labs to practice your skills. Link:- download Free for users PRIV8 Submitter dEEpEst Submitted 28/11/21 Category Libro Online Password ********  
  23. FuzzingTool is a web penetration testing tool, that handles with fuzzing. After the test is completed, all possible vulnerable entries (and the response data) are saved on a report file. Changelog v3.12.1 Code refatored Entire code was refatored to pep8 notation; Repository updates Added workflows; Next steps Add unit tests; [hide][Hidden Content]]