fixes and posts

This commit is contained in:
casual 2024-12-17 14:32:34 +03:00
parent 30ae58d906
commit 063cef6968
2 changed files with 128 additions and 1 deletions

View File

@ -1,8 +1,13 @@
+++ +++
title = 'BugBounty 101: Email Subscriptions' title = 'BugBounty l0l: Email Subscriptions'
date = 2024-12-18 date = 2024-12-18
image = 'https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Ffluentcrm.com%2Fwp-content%2Fuploads%2F2022%2F08%2FScreenshot_18-2.jpg&f=1&nofb=1&ipt=858152baa98a508508a431682741b98b40e1ccecde013176cd08d3072cfea690&ipo=images'
+++ +++
## Spam
![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Ffluentcrm.com%2Fwp-content%2Fuploads%2F2022%2F08%2FScreenshot_18-2.jpg&f=1&nofb=1&ipt=858152baa98a508508a431682741b98b40e1ccecde013176cd08d3072cfea690&ipo=images)
The most common vuln in email subscription that I've seen is spamming: The most common vuln in email subscription that I've seen is spamming:
If you found any email subscription form, try to spam yourself by subscribing multiple times: If you found any email subscription form, try to spam yourself by subscribing multiple times:
@ -16,6 +21,31 @@ email+random2@example.com
Why company don't want it? It's possible to use this vuln to make all their emails appear in spam folder by-default by spamming innocent users which will report it as spam. Why company don't want it? It's possible to use this vuln to make all their emails appear in spam folder by-default by spamming innocent users which will report it as spam.
### No CSRF and captcha
If you can subscribe via cURL copied command and rate limit is low, then you can get bounty for that depending on the bugbounty rules.
To do that - select request in devTools/Burp and copy as cURL command. Edit email and send request.
## HTML Injection
If you can inject HTML into additional email subscription fields (like name) (those fields oftem have characters limit), than you can create legitemate looking spam/scam/phishing email with like:
```html
# Base payload
<h1><a href=https://blog.ca.sual.in>YOU WIN LOTTERY
# use bit.ly to make link more shorter
<h1><a href=https://bit.ly/random>YOU WIN LOTTERY
# In some browsers/email clients you may not need https declaration
<h1><a href=blog.ca.sual.in>YOU WIN LOTTERY
# You can close </a></h1> tags so it would be more legal
```
Needless to say, if you are not character limited, then you can rewrite email to your liking
---
Other email hacks: Other email hacks:
https://book.hacktricks.xyz/pentesting-web/email-injections https://book.hacktricks.xyz/pentesting-web/email-injections

View File

@ -0,0 +1,97 @@
+++
title = 'HowTo Social Media'
date = 2024-12-29
image = 'https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fi.imgflip.com%2F6f06pd.png&f=1&nofb=1&ipt=2f81db32331e1bc7c8b953df2d8146a98d1a9de456f8b5cc98c7e67f4a5b557e&ipo=images'
+++
## Privacy
Nowadays if you got asked:
> *"Can I have your Facebook account?"*
![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fstatic.wikia.nocookie.net%2Fthe-mr-incredible-becoming-memes%2Fimages%2Fc%2Fc4%2FPhase_1.webp%2Frevision%2Flatest%3Fcb%3D20220823112208&f=1&nofb=1&ipt=6b996cf013dfeabfebfa935c49391b06d7a049a3887657f39b35b6cb6e16527b&ipo=images)
is a fancy way of saying:
> *"Can I get access to information about all people you are relate to, all your interest (profession, hobbies, music...), your home location and how you live your life, pretty please? OwO"*
![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fi.imgflip.com%2F6f06pd.png&f=1&nofb=1&ipt=2f81db32331e1bc7c8b953df2d8146a98d1a9de456f8b5cc98c7e67f4a5b557e&ipo=images)
<!-- And our privacy even not the worst part (not worst, because you are the one, who willingly share all information about yourself with people/companies all around the world). The worst part is that your productivity and mental health also suffer greatly. -->
Oh wait, you even don't need anything to share with other people! Fancy algorithms will determine it by what you like, watch and search (tiktok, instagram...) and then use it to get maximum profit out of you as a consumer.
Ooh... Wait... It even don't need to be social media anymore, it is also marketplaces (amazon, aliexpress...) who knows anything about you.
And our privacy even not the worst part (thou **really bad**). The worst part is that your productivity and mental health also suffer greatly.
## Addiction
People today are consumers. We are thrilled to get our next dose of dophamine by:
- watching tik-tok,
- ~doom~ scrolling social media,
- searching your ideal product you want to ~not~ buy in marketplace.
But in fact we are just wasting our time and energy. Don't understimate energy wasted on this.
![](https://static.wikia.nocookie.net/mullet-madjack/images/1/15/Show.png)
<p style="text-align: center;">🎶 Playing: <a href=https://inv.nadeko.net/watch?v=QolTRBNWiPc>MULLET MADJACK OST - In Gods Image</a> 🎶</p>
> I like how it's pictured in game `MULLET MADJACK`
(and game have the style, definitely recomended to try).
### Attention span
TODO
NOTIFICATIONS TODO
## Considirations
### "But i will miss out how my friends are doing and what is happening in a world!"
You will not miss out things if you delete yourself out of social media.
If it's important enough you will learn it from people near you.
If it's important to you, you will learn it by yourself.
### "But I use it (youtube/tiktok) for educational purposes!"
TODO
"We are what we consume of"
and thus we need to get rid of tik-toks, yt shorts ultimately.
and watch choisen type of content that will benefitting for us
### "But I like to get notifications about TODO"
TODO
### TODO What are you talking about, i am not addicted
TODO
## TODO but i need it for my work
TODO
## TODO but loose my contacts
TODO
## TODO What to do next in one word - like CURE
TODO
{{< spoiler Examples >}}
TODO
&nbsp;
## Examples
I forgot to remove it from template
{{< /spoiler >}}
{{< source >}}
https://www.youtube.com/watch?v=f9W7pTqxh58&list=PLusAca3pUpLfhWIzQPQiFt-tX2G17PCz4&index=13
https://www.youtube.com/watch?v=XHAV87e0hLY
{{< /source >}}