#NahamCon2024

  • Published 27 Sep 2024
  • LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍
    Hacking the web often means you need data. A lot of that data is in JavaScript, but JavaScript is a hot mess. Let's take a look at some tools and tricks to make some sense of that mess, build hyper-focused wordlists, and find the deepest, darkest nooks and crannies of web applications without reading megabytes of source code.
    📚 If you want to learn bug bounty hunting from me: bugbounty.nahamsec.training
    💻 If you want to practice some of my free labs and challenges: app.hacking.hub.io
    🔗 LINKS:
    📖 MY FAVORITE BOOKS:
    Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities - amzn.to/3Re8Pa2
    Hacking APIs: Breaking Web Application Programming Interfaces - amzn.to/45g4bOr
    Black Hat GraphQL: Attacking Next Generation APIs - amzn.to/455F9l3
    🍿 WATCH NEXT:
    If I Started Bug Bounty Hunting in 2024, I'd Do this - • If I Started Bug Bount...
    2023 How to Bug Bounty - • How to Bug Bounty in 2023
    Bug Bounty Hunting Full Time - youtu.be/watch...
    Hacking An Online Casino - youtu.be/watch...
    WebApp Pentesting/Hacking Roadmap - youtu.be/watch...
    MY OTHER SOCIALS:
    🌍 My website - www.nahamsec.com/
    👨‍💻 My free labs - app.hackinghub...
    🐦 Twitter - / nahamsec
    📸 Instagram - / nahamsec
    👨‍💻 Linkedin - / nahamsec
    WHO AM I?
    If we haven't met before, hey 👋! I'm Ben, most people online know me as NahamSec. I'm a hacker turned content creator. Through my videos on this channel, I share my experience as a top hacker and bug bounty hunter to help you become a better and more efficient hacker.
    FYI: Some of the links I have in the description are affiliate links that I get a percentage from.

COMMENTS • 11

  • @normalitee0os 3 months ago +4

    One can't deny that tomnomnom's voice has a therapeutic effect

  • @TomNomNomDotCom 3 months ago +10

    • @md.mehedihassan4090 3 months ago

      How can I get these slides?

    • @dans9762 3 months ago

      When I tried the command in the escape sequence, I'm not sure why the \u{002f} part is causing it not to display any output, and when I tried to remove that part it is working as intended.
      I have just written it like this in my notes when it worked:
      input >>
      echo '"\x2fapi\x2fv2\u003fobj\075users"' | jsluice query -j -q '(string) @s' | jq
      output>>
      "/api/v2?obj=users"

    • @TomNomNomDotCom 3 months ago

      @dans9762 this confused me for a bit because it *should* work, but I think I might have figured out why it's happening. Are you using zsh by any chance? Zsh needs a bunch of extra escaping like this:
      echo '"\\x2fapi\\u{002f}v2\\u003fobj\\075users"' | jsluice query -j -q '(string) @s' | jq
      The '\u' was going missing and the other escape sequences were actually all being interpreted by zsh before passing the string to jsluice!

    • @dans9762 3 months ago +1

      @TomNomNomDotCom thank you for taking the time to reply and explaining what happened. Yes, I am using zsh and the escape sequence you commented is working. More power to you.
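
The string in the exchange above mixes four JavaScript escape forms (\x2f, \u{002f}, \u003f and legacy octal \075), and it only resolves to the expected path if the backslashes reach the parser intact. As an added example, not part of the comments and not jsluice's own code, here is a small decoder for those forms; `decodeJsString` and `SAMPLE` are hypothetical names, and the sample is the string from the thread.

```javascript
// Added example: decode JavaScript string-literal escapes by hand.
// decodeJsString is a hypothetical helper, not jsluice's implementation.
// Single-character escapes; a backslash before a newline is a line continuation.
const SIMPLE = { n: "\n", r: "\r", t: "\t", b: "\b", f: "\f", v: "\v", "\n": "" };

function decodeJsString(body) {
  let out = "";
  for (let i = 0; i < body.length; i++) {
    if (body[i] !== "\\") { out += body[i]; continue; }
    const rest = body.slice(i + 1);
    let m;
    if ((m = /^x([0-9a-fA-F]{2})/.exec(rest))) {
      // \xHH: exactly two hex digits
      out += String.fromCharCode(parseInt(m[1], 16));
    } else if ((m = /^u\{([0-9a-fA-F]{1,6})\}/.exec(rest))) {
      // \u{H...}: code point form, may be outside the BMP
      out += String.fromCodePoint(parseInt(m[1], 16));
    } else if ((m = /^u([0-9a-fA-F]{4})/.exec(rest))) {
      // \uHHHH: exactly four hex digits
      out += String.fromCharCode(parseInt(m[1], 16));
    } else if ((m = /^(?:[0-3][0-7]{0,2}|[4-7][0-7]?)/.exec(rest))) {
      // Legacy octal (sloppy mode only), value capped at 0o377; covers \0
      out += String.fromCharCode(parseInt(m[0], 8));
    } else if ((m = /^[\s\S]/.exec(rest))) {
      // Simple escapes; anything else (\\, \", a malformed \x or \u) is kept
      // as the literal character, where a real parser would reject the latter.
      out += SIMPLE[m[0]] ?? m[0];
    } else {
      throw new SyntaxError("dangling backslash at end of string");
    }
    i += m[0].length; // skip the characters the escape consumed
  }
  return out;
}

// The literal from the thread, written with doubled backslashes so that this
// source file hands the decoder the raw escape text.
const SAMPLE = "\\x2fapi\\u{002f}v2\\u003fobj\\075users";
console.log(decodeJsString(SAMPLE));
```

When piping such a literal from a shell, `printf '%s\n'` passes its argument through without interpreting backslash escapes, unlike `echo` in some shells.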

  • @l00pzwastaken 3 months ago

    Tomnomnom is my favourite hacker :) . Understood the whole conference. First time I watched that js video with stock :) and then I watched most of his videos and used all his tools 🔥.

  • @bloatless 3 months ago +2

    Great Content

  • @informationdisclosure 3 months ago

    very nice, thanks man

  • @TheCyberWarriorGuy 3 months ago

    :)

  • @Pem7 3 months ago

    😍😍
    @TomNomnom🤞🏾