Photograph via snooOG

/r/Save3rdPartyApps | This subreddit has gone private until the API situation is resolved

In a world that is increasingly online Web Security takes on an important role. The exploitation of a single popular web server can be used to infect hundreds or thousands of individuals, compromise user identities, and otherwise add a lot of ick to someone's day.

Websec was created as a forum for discussed all web based vulnerabilities. This includes attacks directly against websites (XSS, SQL Injection, CSRF, code injection) as well as those that target infrastructure (DNS-based attacks, mitm). This intention is to go beyond just the basics for people who need practical knowledge (either as developers or hosts) to keep their projects secure.

We also encourage the discussion of active exploits, particularly in situations where the affected party was unresponsive. As the goal is education, novel approaches and explanations are appreciated.


7,286 Subscribers


Advanced Prototype Pollution Scanner

Just released pphack, a CLI tool for scanning websites for client-side prototype pollution vulnerabilities.

  • Fast (concurrent workers)
  • Default payload covers a lot of cases
  • Payload and Javascript customization
  • Proxy-friendly
  • Support output in a file
  • Rate-limit supported

Try it at https://github.com/edoardottt/pphack.

If you want to provide any feedback or you have doubts just open an issue :)

16:27 UTC


Unauthenticated web app pentest test cases

If we are not logged in to any web page, then what all test cases can we perform for pentesting process?

1 Comment
12:01 UTC


WordPress plugins bug bounty program

If anyone here is interested in code review based testing then you should check out the Patchstack bug bounty program, which pays bounties for vulnerabilities found in any WordPress plugins (more than 60K in WP.org repo).

There are guaranteed bounties that are paid out each month based on research score and just for November alone they set up over $4000 USD for those who report new vulnerabilities. There are also individual bounties for specific vulnerability types, etc.

I think it’s a great way to get started with bug hunting and maybe earn your first $ and CVE. Patchstack itself btw also assigns CVEs (is one of the biggest CVE assigner in the world). It could also be a good change for the more seasoned bug bounty hunters who have been doing blackbox testing and want to try something different and more in the direction of whitebox / code review.

The recent event announcement: https://x.com/patchstackapp/status/1723241552997159145

The bounty program website: https://patchstack.com/alliance/

There is also an active discord community where most of the info is posted: https://discord.gg/Xe2T5JjKbn

12:33 UTC


Awesome Hacker Search Engines

A curated list of awesome search engines useful during Penetration testing, Vulnerability assessments, Red/Blue Team operations, Bug Bounty and more -> https://github.com/edoardottt/awesome-hacker-search-engines.

It contains more than 250 useful tools carefully organized in 20 categories (General • Servers • Vulnerabilities • Exploits • Attack surface • Code • Mail addresses • Domains • URLs • DNS • Certificates • WiFi networks • Device Info • Credentials • Hidden Services • Social Networks • Phone numbers • Threat Intelligence • Web History • Surveillance cameras), added 40+ entries in the last week!

If you want to propose changes, just open an issue or a pull request.

15:23 UTC


cariddi v1.3.1 is out🥳

cariddi is an open source (https://github.com/edoardottt/cariddi) web security tool. It takes as input a list of domains, crawl urls and scan for endpoints, secrets, api keys, file extensions, tokens and more.

Version 1.3.1 comes with a lot of improvements:

- Add JSON cli output

- Fix multiple info in the same URL

- Add new secrets

- Fix data image protocol link

- Fix snapcraft.yaml

- Create auto_assign.yml

- Minor fixes and changes

If you use Linux Ubuntu you can use the command: sudo snap install cariddi

or if you have Go installed:

go install -v github.com/edoardottt/cariddi/cmd/cariddi@latest

If you encounter a problem, just open an issue: https://github.com/edoardottt/cariddi/issues

19:45 UTC


Web Security Cert comparison

How does the burp suite practitioner certification compare to other web certifications(eWPT, eWPTXv2, PSWA, OSWE), in terms of marketability and difficulty? Also, are there any other certs in websec I should know about?(offensive focuse)

13:46 UTC

10:50 UTC


Claroty Team 82 Generic WAF Bypass. Only open-appsec blocked it.

Claroty Team82 has developed a generic bypass for web application firewalls (WAF). Major WAF products including AWS, F5, CloudFlare, Imperva, Palo Alto were found to be vulnerable. open-appsec pre-emptively blocked the bypass.



23:08 UTC


Bye Bye Bad Bots

" Bad bots are the worst... First the plugin adds a hidden trigger link to the footer of your pages. You then add a line to your robots.txt file that forbids all bots from following the hidden link. Bots that then ignore or disobey your robots rules will crawl the link and fall into the trap...

...I call it the “one-strike” rule: bots have one chance to obey your site’s robots.txt rule. Failure to comply results in immediate banishment. "

Jeff Starr

Wordpress plugin Black Hole for Bad Bots (doesnt work with page caching)

or use this robots.txt


20:42 UTC


Multiple hack attempts from different people immediately after posting a link on reddit?


secrets.yml xd

I mean the file doesn't exist but if it did this would stop them in nginx config (if you don't host these file types)

location ~* \.(git|rb|inc|ht|conf|env|yml)$ {

deny all;


08:25 UTC


preemptive protection (no WAF update needed) against the latest “Apache Commons Text” vulnerability (CVE-2022-42889)

17:16 UTC


17 hours to react to zero-day threats -- good enough? A perspective on Forrester’s WAF Vendors Wave

Recent Forrester report and some vendor follow-up comments offer an interesting demonstration of today’s expectations from WAF solutions and the bar that sets, especially regarding zero-days. They imply it is acceptable to have solutions many hours, and even days, after vulnerabilities are known.

Yet in other security domains, such as anti-malware and email security, the expectation today is for real-time and preemptive threat prevention. This blog raise some concerns about WAF security today and provide some possible solutions to raise the bar on what we should expect. Attackers are acting quickly. We can't afford waiting hours and hours until we can react to threats…

In today's environment of tested and proven ML, there is no reason to rely on outdated technology and accept low expectations for protection.


1 Comment
22:59 UTC

Back To Top