These patterns look for sensitive information directly embedded in the code.
-
Generic Passwords / Secrets / Tokens:
- Regex:
- Regex:
irsdl
/ update_cookie_BambdaCA.java
Last active
July 25, 2025 12:13
Automatically updates the Cookie header in Burp Repeater requests using Set-Cookie values from responses. This Bambda CustomAction preserves all existing cookies and only updates or adds values when necessary — ensuring session continuity without overwriting unrelated cookies.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Links: | |
| [Basic](javascript:alert('Basic')) | |
| [Local Storage](javascript:alert(JSON.stringify(localStorage))) | |
| [CaseInsensitive](JaVaScRiPt:alert('CaseInsensitive')) | |
| [URL](javascript://www.google.com%0Aalert('URL')) | |
| [In Quotes]('javascript:alert("InQuotes")') | |
| Images: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/bin/python3 | |
| import http.server | |
| import sys | |
| import random | |
| import string | |
| import argparse | |
| import socket | |
| import logging | |
| import signal |
0xdevalias
/ _deobfuscating-unminifying-obfuscated-web-app-code.md
Last active
February 24, 2026 18:58
Some notes and tools for reverse engineering / deobfuscating / unminifying obfuscated web app code
Some notes and tools for reverse engineering / deobfuscating / unminifying obfuscated web app code.
win3zz
/ GitHub-Leaked-API-Keys-and-Secrets.md
Last active
February 27, 2026 15:10
As a security professional, it is important to conduct a thorough reconnaissance. With the increasing use of APIs nowadays, it has become paramount to keep access tokens and other API-related secrets secure in order to prevent leaks. However, despite technological advances, human error remains a factor, and many developers still unknowingly hardcode their API secrets into source code and commit them to public repositories. GitHub, being a widely popular platform for public code repositories, may inadvertently host such leaked secrets. To help identify these vulnerabilities, I have created a comprehensive search list using powerful search syntax that enables the search of thousands of leaked keys and secrets in a single search.
(path:*.{File_extension1} OR path:*.{File_extension-N}) AND ({Keyname1} OR {Keyname-N}) AND (({Signature/pattern1} OR {Signature/pattern-N}) AND ({PlatformTag1} OR {PlatformTag-N}))
**1.
DanaEpp
/ dump-endpoints.jq
Created
November 26, 2022 00:05
jq query and filter to dump the HTTP method, route and description of every endpoint in an OpenAPI 3.0 document. Usage: jq -r -f dump-endpoints.jq openapidoc.json
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .paths | to_entries | map(select(.key | test("^x-") | not)) | map ( .key as $path | .value | to_entries | map( select( .key | IN("get", "put", "post", "delete", "options", "head", "patch", "trace")) | { method: .key, path: $path, summary: .value.summary?, deprecated: .value.deprecated? })[] ) | map( .method + "\t" + .path + "\t" + .summary + (if .deprecated then " (deprecated)" else "" end)) [] |
abbycantcode
/ BurpSuiteSSLPassTrough.json
Created
November 7, 2022 04:19
— forked from vsec7/BurpSuiteSSLPassTrough.json
Filter out the noise
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "proxy":{ | |
| "ssl_pass_through":{ | |
| "automatically_add_entries_on_client_ssl_negotiation_failure":false, | |
| "rules":[ | |
| { | |
| "enabled":true, | |
| "host":".*\\.google\\.com", | |
| "protocol":"any" | |
| }, |
defparam
/ MutateMethods.py
Last active
February 15, 2026 04:39
Example of using Turbo Intruder in a "listen and attack" mode. Because turbo intruder's jython interpreter is technically inside burp you can have turbo intruder scripts use the plugin API. Here we use burp.IProxyListener to intercept requests and reissue them inside turbo intruder mutating the method.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from threading import Thread | |
| import time | |
| class TrafficMagnet(burp.IProxyListener): | |
| def __init__(self): | |
| callbacks.registerProxyListener(self) | |
| self._helpers = callbacks.getHelpers() | |
| self._callbacks = callbacks | |
interference-security
/ android-ssl-cert-install.md
Last active
February 7, 2025 04:46
Android SSL Certificate Installation
openssl x509 -inform DER -in cacert.der -out cacert.pem
openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1
mv cacert.pem <hash>.0
adb push <hash>.0 /sdcard/Download/
adb shell
su
mkdir -m 700 /sdcard/cert/
cp /system/etc/security/cacerts/* /sdcard/cert/
mount -t tmpfs tmpfs /system/etc/security/cacerts
NewerOlder