F.tech

F.tech contact information, map and directions, contact form, opening hours, services, ratings, photos, videos and announcements from F.tech, Web designer, Barcelona.

15/04/2025

Bug Type: Exceptional
Bounty Received: $20

What was the bug?
While exploring a subdomain, I discovered a publicly accessible .zip file that contained the entire website’s source code, including database credentials, admin credentials, and other sensitive data.

How did I find it?
I accessed the subdomain:
support.example.com

Then I simply checked:
support.example.com/support.example.com.zip

Boom — full source code access!

Although they didn’t have an official bug bounty program, they appreciated the responsible disclosure and rewarded me with $20 — and honestly, it felt great!

16/03/2025

🚨 XSS & HTML Injection: Understanding the Risks & Protections 🔥

Cross-Site Scripting (XSS) and HTML Injection are two of the most common web vulnerabilities that allow attackers to manipulate a website’s content and steal sensitive user data. These vulnerabilities can lead to session hijacking, phishing, and even full account takeovers! 🚨

---

💻 What is XSS (Cross-Site Scripting)?

XSS is a type of injection attack in which an attacker injects a malicious script into a trusted website, and that script is then executed in a user’s browser. This can allow:

⚡ Stealing cookies & session tokens
⚡ Defacing websites
⚡ Redirecting users to malicious sites
⚡ Keylogging user inputs

🔹 Types of XSS:
✅ Stored XSS – The malicious script is permanently stored on a website (e.g., in comments, forums, or databases).
✅ Reflected XSS – The malicious script is sent as part of a request (e.g., in a URL) and executed in the victim’s browser.
✅ DOM-based XSS – The attack manipulates the Document Object Model (DOM) of a webpage, causing the browser to execute unintended scripts.

---

🏴‍☠️ What is HTML Injection?

HTML Injection is when an attacker injects malicious HTML code into a webpage, affecting its structure and content. Unlike XSS, which targets scripts, HTML Injection modifies the actual webpage’s layout.

🔹 Common Exploits:
✅ Fake login pages (Phishing attacks)
✅ Tampering with website content (Defacement)
✅ Injecting fake links & buttons for redirection

---

🔐 How to Prevent XSS & HTML Injection?

🛡️ Sanitize & Escape User Input – Strip out or encode special characters to prevent script execution.
🛡️ Use Content Security Policy (CSP) – Restrict which scripts can be executed on your site.
🛡️ Implement Input Validation – Only allow expected input formats (e.g., no tags).
🛡️ Use Secure HTTP Headers – X-XSS-Protection and X-Content-Type-Options can help.
🛡️ Avoid innerHTML in JavaScript – Use .textContent or .innerText instead.

---

🎯 Why Does This Matter?

Web vulnerabilities like XSS and HTML Injection can affect millions of users, leading to data theft, reputational damage, and legal consequences. If you’re a developer, security researcher, or ethical hacker, understanding these risks is essential!

---


⚠️ Disclaimer: This post is for educational purposes only. Misuse of these techniques is illegal. Always conduct security testing with permission!

11/01/2025

Bug Bounty Win: 💰 $200 for Username Enumeration - Powered by Selenium!

Yes, you read that right—F.Tech secured a $200 reward 🏆 for uncovering a username enumeration vulnerability! But this wasn’t just any typical case. Let me take you through the thrilling journey where automation 🤖, creativity 💡, and persistence 💪 turned a hidden bug into a valuable discovery.

---

The Challenge:

While exploring a bug bounty program’s policy, we noticed username enumeration was listed as a valid vulnerability. Initially, it seemed like a straightforward task for F.Tech. However, the reality was quite different.

After thoroughly testing three domains within scope 🌐, we couldn’t find any direct functionality that revealed usernames or emails. At first, it felt like a dead end—until we stumbled upon a subtle vulnerability in the "change email" feature.

🔎 Here’s what we discovered:

Submitting a valid email triggered a 302 response ➡️.

After the 302, the server made a follow-up request, and its response revealed whether an email was already in use or not.

---

The Twist:

The 302 response alone wasn’t enough to differentiate valid and invalid emails. However, by carefully analyzing the follow-up request and its response, we identified a pattern 🔄 that exposed email enumeration indirectly 🚨.

---

The Roadblock:

When we initially reported this finding, the security team 🛡️ marked it as invalid ❌, stating that username or email enumeration couldn’t be performed at scale. That’s when we decided to bring in the power of Python 🐍 and Selenium 🖥️ to demonstrate the full impact.

---

The Automation Solution:

Using Python and Selenium, we automated the entire process to prove that enumeration could indeed be done at scale:

1️⃣ Wrote a Python script using Selenium to input a list of 100 emails 📧.
2️⃣ Automated interactions with the "change email" feature, capturing responses systematically.
3️⃣ Developed a simple UI to flag 🚩 which emails were already in use.

This approach not only saved time ⏳ but also demonstrated the vulnerability's potential impact 💥, ultimately changing the outcome of our report.

---

The Outcome:

🎉 The bug report was accepted, and F.Tech earned $200! Beyond the monetary gain, this experience reinforced the value of automation and perseverance in solving complex challenges.

---

Key Takeaways:

✅ Small vulnerabilities can have a big impact: Creativity and attention to detail are crucial in bug-hunting.
✅ Selenium is a game-changer: Automation tools like Selenium are indispensable in cybersecurity and bug bounty hunting.
✅ Proving impact is key: Automation helps validate vulnerabilities, even when they’re initially dismissed.

---

This success is a testament to the innovative problem-solving 🤓 and technical expertise 🔐 of F.Tech’s cybersecurity team. Have you ever used Python, Selenium, or similar tools in your cybersecurity journey? Let’s share experiences and learn together!

🚀 💰 🔒 🐍 🤖 ⚙️ 🔎 🕵️‍♂️

21/12/2024

How I Uncovered Two Vulnerabilities in 10 Minutes: A Success Story by F.Tech

At F.Tech, we take immense pride in employing cutting-edge tools and methodologies to uncover and resolve security vulnerabilities. Recently, we identified two critical vulnerabilities on a public target in a mere 10 minutes! Here’s how we achieved it:

1️⃣ Subdomain Enumeration
We began with Subfinder to gather all subdomains. Top Tip: Always configure your API keys for the most accurate results.

2️⃣ Filtering with HTTPx Toolkit
Next, we utilised httpx-toolkit to filter subdomains returning a 404 status code.

3️⃣ Fuzzing with Ffuf
By running ffuf with a custom wordlist on the 404 subdomains, we uncovered two intriguing URLs:
https://[target].com/swagger/index.html

4️⃣ Testing with Nuclei
Finally, we employed Nuclei with a Swagger-specific template, which revealed two vulnerabilities:

HTML Injection

Cross-Site Scripting (XSS)

This swift discovery process showcases our proficiency in and . If your organisation uses Swagger or similar APIs, get in touch with F.Tech to safeguard your digital assets and maintain robust security.

20/12/2024

Enhance your cybersecurity skills with these 13 essential Nmap commands. From host discovery to advanced scanning techniques, master the tools needed for effective network analysis. Stay ahead in the field! 🔐💻

22/11/2024

HIDING PAYLOAD BEHIND AN IMAGE

to remotely control a PC with an image
all you need is WinRAR
an image, PNG or JPG
convert the image to an icon
create a payload using msfvenom or inject shellcode into a PE

if you are injecting the shellcode into a PE, make sure the PE does not ask for permission to run (DO YOU WANT TO ALLOW THIS APP TO MAKE CHANGES TO YOUR DEVICE)

you can just inject shellcode into Microsoft Visual C++ 2015-2019 Redistributable x86
make sure the PE is a very small file (to reduce suspicion)

there are many websites that convert images into icon files
make sure your icon has a reasonable height and high quality

using the image, PE and icon you should create a self-extracting archive

when you click on this archive, two files will extract and run:

the image and the PE or payload
to reduce suspicion even further, make the image and PE hidden files

most average Windows users don't turn on or enable the view hidden files option

you need to hide those two files (the image and the PE or payload) so that when the person clicks on the image, they should not see those files after extraction

I am testing this in Windows 11, highest version at the moment, and Windows Defender together with 360 have failed to detect the PE.

20/11/2024

Vs Code shortcut

14/11/2024

Mastering Wireshark Filters: A Must-Know Guide for Every Cybersecurity Analyst! 🚨 Dive into these essential Wireshark display filters to enhance your network analysis skills and protect against cyber threats. 💻🔥

10/11/2024

☣️Best Malware Analysis Tools


10/11/2024

🎫Windows Access Tokens


Address

Barcelona

Website
