Stars
davidkevork / reverse-sourcemap
Forked from paazmaya/shuji
🔭 Reverse engineering JavaScript and CSS sources from sourcemaps
Mining URLs from dark corners of Web Archives for bug hunting/fuzzing/further probing
A fancier postMessage tracker with Chrome Manifest version V3 support and a few additional features, inspired by Frans Rosen's postmessage tracker.
BackupFinder discovers backup files on web servers by generating intelligent patterns.
🐍 A toolkit for testing, tweaking and cracking JSON Web Tokens
Automated GitHub secret scanning with smart alerting & monitoring.
Fast exfiltration of text using only CSS and Ligatures
A Burp extension to Fuzz URLs for HTTP parser inconsistencies
Misconfig Mapper is a fast tool to help you uncover security misconfigurations on popular third-party services used by your company and/or bug bounty targets!
REcollapse is a helper tool for black-box regex fuzzing to bypass validations and discover normalizations in web applications
A simple script just made for self use for bypassing 403
update-golang is a script to easily fetch and install new Golang releases with minimum system intrusion
Burp Suite extension for testing Passkey systems.
A collection of Turbo Intruder scripts.
This Chromium extension scans the page for external iFrames, Scripts, and Styles, logs them to the console, and checks if their domains are resolvable.
A tool for adding new lines to files, skipping duplicates
Domain name permutation engine for detecting homograph phishing attacks, typo squatting, and brand impersonation
CSPBypass.com, a tool designed to help ethical hackers bypass restrictive Content Security Policies (CSP) and exploit XSS (Cross-Site Scripting) vulnerabilities on sites where injections are blocke…
An exhaustive list of all the possible ways you can chain your Blind SSRF vulnerability
Burp Suite extension that mutates ciphers to bypass TLS-fingerprint based bot detection
A fast, clean, responsive Hugo theme.
A ssh server that knows who you are. $ ssh whoami.filippo.io
a javascript change monitoring tool for bugbounties
This repo contains all the injections mentioned in my talk and enumerators.