Hamza Darghouth’s Post

A single unfiltered input field can open the door for attackers to take full control of users sessions. It's exactly how a Stored Cross-Site Scripting (XSS) attack works. Every time a user interacts with the page, the injected script silently executes, stealing session tokens and performing unauthorized actions in the background. What makes this kind of attack dangerous isn’t its complexity, it’s how simple it is to exploit. When an app fails to sanitize user input, attackers can inject malicious JavaScript that stays in the system and runs across sessions. This means user data can easily be exposed, credentials stolen, actions performed without permission, and trust slowly eroded. - Possible impacts: - Stolen credentials - Unauthorized actions under legitimate accounts - Loss of user trust - Compliance issues if user data is affected Even small oversights in input validation can open big security holes. Your users trust your platform every time they click a button, make sure that trust isn’t misplaced. Check out the carousel below to see how to fix it 👇 📌 Book a free 30-minute consultation (link in comments) to assess your app’s security posture.

🔑 JWT Tips Every Developer Should Know Working with JWT (JSON Web Tokens) can make authentication smooth and stateless—but only if used correctly. Here are some practical tips I’ve found useful: 1️⃣ Keep Access Tokens Short-Lived Short expiration times reduce risks if a token is compromised. Pair them with secure refresh tokens. 2️⃣ Always Verify the Signature Never trust a token blindly. Verifying ensures it hasn’t been tampered with. 3️⃣ Store Tokens Securely Avoid localStorage for sensitive apps. HTTP-only cookies provide better protection against XSS attacks. 4️⃣ Don’t Put Secrets in the Payload Remember: JWT payloads are base64-encoded, not encrypted. Only include information you’re comfortable exposing. 5️⃣ Choose Strong Signing Algorithms Use secure algorithms like HS256 or RS256. Weak or “none” algorithms are a security risk. 💡 Pro Tip: JWT is powerful, but it’s only as safe as your implementation. Treat it like a key—handle it with care. #WebDevelopment #Security #JWT #Authentication #FullStackDev #BestPractices

I just wrapped up the Web Attacks module on Hack The Box, which covered verb tampering, IDORs, and XXE. 🔎 This one took me a bit longer than some of the others. I got stuck more than once, spending an hour or two at a time troubleshooting. In the skill assessment, I ended up chaining all three vulnerabilities together. I started by crawling the app and spotting numeric user IDs that led me to an admin account through an access control gap. A password reset flow exposed a token endpoint that I could tamper with to view other users’ tokens, and switching the reset method let me change the admin password. Once inside, a new XML-based feature appeared, and testing it with XXE payloads paid off when a base64-encoded file response appeared right inside the XML. I decoded it in Burp and grabbed the flag. What stood out was how separate issues, like a weak reset flow and an XML parsing flaw, can stack into a full compromise when chained together. Best practices for securing these types of issues: apply authentication checks to every HTTP method and only allow the verbs each route actually needs. Use object-level access control so every request is verified on the server side, and stick with opaque IDs like UUIDs instead of predictable ones. Keep reset flows short-lived with strong, single-use tokens tied to the user and context, and do not trust client-side responses to confirm success. For XML, disable external entities, DTDs, parameter entities, XInclude, and entity expansion in the parser, or switch to JSON when possible. Keep validation consistent, monitor for unusual access patterns, and test these flows often so attackers cannot chain smaller weaknesses into bigger ones. 🛡️ #AppSec #IDOR #XXE #HTTP #HackTheBox

𝗔𝗿𝗲 𝘆𝗼𝘂𝗿 𝗮𝗽𝗽𝗹𝗶𝗰𝗮𝘁𝗶𝗼𝗻𝘀 𝗮𝗻𝗱 𝗔𝗣𝗜𝘀 𝘀𝗲𝗰𝘂𝗿𝗲? Modern attacks target web apps and APIs more than ever — and one missed vulnerability can open the door to data breaches, reputation damage, and regulatory fines. At BlackBox Pentesters, we go beyond automated scans. Our experts manually test, chain vulnerabilities, and simulate real-world attacker techniques to show you exactly what’s exploitable and how to fix it.  • OWASP Top 10 & business logic flaws  • API endpoint discovery & fuzzing  • Actionable remediation guidance  • Free retesting included Ready to take control of your security? https://lnkd.in/eMa6g7sb or scan the QR code in the carousel.

Web apps and APIs are where attackers focus and a single overlooked flaw can cause massive damage. At BlackBox Pentesters, we think like attackers, manually test, chain vulnerabilities, and give you clear, actionable fixes.

🚨 Notepad++ DLL Hijacking Vulnerability Let Attackers Execute Malicious Code | Read more: https://lnkd.in/gvwf523e A newly discovered DLL hijacking vulnerability in Notepad++, the popular source code editor, could allow attackers to execute arbitrary code on a victim's machine. Tracked as CVE-2025-56383, the flaw exists in version 8.8.3 and potentially affects all installed versions of the software, putting millions of users at risk. The vulnerability enables a local attacker to achieve code execution by planting a malicious DLL file in a location where the application will load it. This type of attack undermines the integrity of the application and can be used to establish persistence or escalate privileges on a compromised system. #cybersecuritynews #vulnerability https://zurl.co/NFdJz

@The Hacker News - Update: TP-Link has released security updates to address four security flaws impacting Omada gateway devices, including two critical bugs that could result in arbitrary code execution. The vulnerabilities in question are listed below - CVE-2025-6541 (CVSS score: 8.6) - An operating system command injection vulnerability that could be exploited by an attacker who can log in to the web management

TP-Link has released security updates to address four security flaws impacting Omada gateway devices, including two critical bugs that could result in arbitrary code execution. The vulnerabilities in question are listed below - CVE-2025-6541 (CVSS score: 8.6) - An operating system command injection vulnerability that could be exploited by an attacker who can log in to the web management

TP-Link has released security updates to address four security flaws impacting Omada gateway devices, including two critical bugs that could result in arbitrary code execution. The vulnerabilities in question are listed below - CVE-2025-6541 (CVSS score: 8.6) - An operating system command injection vulnerability that could be exploited by an attacker who can log in to the web management

🛠️ 500+ Web App Pentesting Test Cases In ONE Checklist Just reviewed a monster PDF that every pentester, bug bounty hunter, and AppSec engineer should have pinned to their desktop. 📄 Web Application Pentesting Checklist built on OWASP methodology with clear, actionable, no-fluff test cases. 💣 Here’s a small taste of what it includes: 🔍 Information Gathering • Google Dorks, OSINT, DNS Enum, Meta Files • Framework fingerprinting with Wappalyzer & WhatWeb • Mapping execution paths with Dirsearch, Gobuster 🔓 Authentication & Authorization • Weak lockout, default creds, remember-me logic • IDOR, vertical/horizontal privilege escalation • Forced browsing, session fixation, 2FA/OTP bypass 🧪 Input Validation • Reflected/Stored XSS, SQLi, LFI/RFI • Command injection, SMTP injection, CSRF • DOM XSS, Clickjacking, CORS misconfigs 🧩 Business Logic Testing • Broken workflows, negative quantity bugs • Payment tampering, malicious file upload, race conditions 🛡️ Session & Transport Security • HSTS, cookies (secure, HttpOnly, SameSite) • SSL/TLS misconfigs (BEAST, POODLE, LOGJAM, etc.) 📦 Bonus Sections • Cloud misconfigs (AWS/GCP/Azure paths) • SSRF, SSTI, Broken Link Hijack, SPF, CORS, EXIF Geodata • And an entire section just on bypassing rate limits 😈 💬 If you’re teaching web security, doing bug bounties, or prepping for OSWE / CEH / PNPT this is an insane time-saver. 📩 Want the PDF? Comment WEBPENTEST or shoot me a DM. 🧠 Question for you: What’s the most underrated or overlooked vuln you’ve seen in prod apps? Let’s learn from each other 👇 #WebPentest #OWASP #BugBounty #AppSec #EthicalHacking #Infosec #WebSecurity #XSS #SQLInjection #CSRF #LFI #RFI #SSTI #SSRF #IDOR #SecureCoding #SecurityTesting #OSWE #BurpSuite #PenetrationTesting #SecureDev #WebAppSecurity #HackingTips