Disclaimer: I’m not a financial advisor or technical analysis expert. This post is purely for educational purposes. I do not recommend the use of technical analysis as a sole means of trading decisions.

  • One of the essential skills I have learned recently is technical analysis, where we predict price movements using historical price charts and market statistics trends.
  • So, I decided to spend the weekend automating technical analysis for cryptocurrency trading and applying it to the trading strategy.
  • Some indicators are focused primarily on identifying the current market trend, including support and resistance areas. In…

Tab view panel using IMessageEditorTab to dump all the links from the responses:

Workflow:

Dump links from responses. If a URL is hex/URL encoded, decode it. Sort all the results to put the most likely links at the top and the rest (HTML/JavaScript junk) last.

Why include junk? Why not just links:

  • Finding every possible type of link is a really difficult task. There are many cases where the endpoints are stored in different structures where they are hard to extract using regex.
  • So it’s good practice to look through the junk to find something interesting.

Customize:

Links are dumped from responses whose content types are defined in the WHITELIST_MEMES list. Modify it accordingly; the more accurate you keep it, the less memory it takes.

https://github.com/arbazkiraak/LinksDumper


  • SSRF (server-side request forgery) has been quite a popular attack surface for upload functionality where the application fetches assets from external resources in the form of images, documents, etc.
  • SVG is an XML-based vector image format used to display a variety of graphics on the Web and in other environments. Due to its XML structure it supports various XML features; one of these features is XLink, which is responsible for creating internal and external links within an XML document.

During the testing process, I encountered XLink-based SSRF to enumerate various internal libraries, installed tools, GNOME versions, and much more.

POST /upload HTTP/1.1
Host: redacted.com
Connection: close
Content-Length…

  • Broken Link Hijacking (BLH) is a lesser-known attack. There is a brief introduction to it and its exploitation by EdOverflow.

https://edoverflow.com/2017/broken-link-hijacking/ by Ed

  • There is already a fully customized package for discovering BLH endpoints, https://www.npmjs.com/package/broken-link-checker, but setting it up is really painful. Authentication-based link validation was also a problem with it.
  • I decided to write a plugin based on the following HTML tags and attributes:

https://github.com/stevenvachon/broken-link-checker/blob/09682b3250e1b2d01e4995bac77ec77cb612db46/test/helpers/json-generators/scrapeHtml.js

Burp Extension to discover broken links using IScannerCheck & synchronized threads.

https://github.com/arbazkiraak/BurpBLH

Features:

Supports various HTML elements/attributes with regex, based on the following:

https://github.com/stevenvachon/broken-link-checker/blob/09682b3250e1b2d01e4995bac77ec77cb612db46/test/helpers/json-generators/scrapeHtml.js

  • Concurrently checks multiple links using defined threads.
  • Customizing [STATUS_CODES|PATH-PATTERN|MIME-TYPE]

  • A year ago, while learning Python, I created a Telegram bot to automate the daily crypto workflow for learning purposes, which includes the following features.
  1. Buy/Sell pairs on Binance: set a buy price and a sell price along with the PAIR; it automatically BUYs if the pair hits the buying price and SELLs if the pair hits the selling price.
  2. Pair information on Binance: (OPEN PRICE, CLOSE PRICE, LOW, HIGH, VOL, STATUS, ACTIVE BUY, ACTIVE SELL)
  3. WATCH pair on Binance: set a price to get notified on Telegram.
  4. Gather historical information on the token/coin price to track the recent price in terms of years/months/days/minutes/hours.
  5. Buy/Sell pairs on Koinex: Same as (1).
  6. WATCH pair on Koinex.
  7. ZebPay Buying/Selling Price of all pairs.
  8. CoinMarketCap Asset Tracker.
  9. Profit/Loss Calculator in INR with BTC using google-finance-api

Project at Hackster.io : https://www.hackster.io/arbazhussain/distance-calculation-with-ultrasonic-sensor-26d63e

Ultrasonic distance sensors are designed to measure the distance between the source and target using ultrasonic waves.

Things used in this project


  • One of the major parts of penetration testing is asset recon. The more information you gather, the more you win.
  • It is possible for an organization to have one or many domains/subdomains hosted under a certain IP range. Finding them depends purely on how they are hosted.
  • Many organizations use services such as Cloudflare, Amazon, etc. as their hosting providers, where scanning IP ranges for them is a pain. There are also a lot of organizations which are self-hosted.
https://www.hostingchecker.com
  • I wrote a short script to gather all possible domains/subdomains under the IP ranges using the following steps.

IPRANGE => Takes one by one ip from range => Resolve…


In this blog post I would like to share some content negotiation behavior seen while performing a CSRF request.

While performing penetration testing on an application API, I came across content negotiation behavior. Let’s discuss this with a live example which I encountered.

The following is the request which the server made with the ClientID in order to generate an AUTH token. It has no protection against CSRF attacks.

Origin Request
  • As soon as I saw the above request, I quickly tried CSRF.

I would like to share one simple trick to make clickjacking attacks more impactful, in simple words.

Before getting into the topic, let’s understand what clickjacking means in 101:

Clickjacking is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information while clicking on seemingly innocuous web pages. ~ Wikipedia

A clickjacking attack basically means tricking the user into clicking something by framing a page to perform some malicious actions. ~ 101

  • Suppose we are targeting (http://victim.com), which is a simple blogging website.
Simple Blogging Website
  • And…

This blog post will help you get started on the machine learning journey to deep learning. I have tried to keep it short and clean.

Machine learning is a method of data analysis that automates analytical model building. Using algorithms that iteratively learn from data, machine learning allows computers to find hidden insights without being explicitly programmed where to look. Essentially, it is a method of teaching computers to make and improve predictions based on some data.

In the past decade, machine learning has given us self-driving cars, practical speech recognition, effective web search, and a vastly improved understanding of…

Arbaz Hussain

Security Analyst
