Indonesian Offensive Security

05/11/2025

Advanced XSS Scanner for modern web apps (Hybrid crawler, WAF-aware, AI-assisted).

https://github.com/merdekasiberlab/xssgenai

What’s the difference from Dalfox? It validates XSS using specialized simulations such as onclick, onmouseover, etc. It’s slower than Dalfox, but its accuracy is better because it’s designed to reduce false negatives. It can be complemented with the Gemini API for deeper code analysis before executing with more precise and accurate payloads.

18/12/2024

🚨 Ransomware Attack Alert on Bank Rakyat Indonesia by APT73 🚨

In a shocking development, Bank Rakyat Indonesia, one of the nation's largest financial institutions, has fallen victim to a sophisticated ransomware attack orchestrated by the notorious group APT73. This breach exposes serious vulnerabilities within our financial security systems and puts customer data at risk. How secure is your personal information?

Let's discuss how we can better protect ourselves from these escalating cyber threats. Stay vigilant and informed!

Source: FalconFeedsio & Access Via TOR Browser APT73(BASHEE) Website

16/12/2024

𝗚𝗶𝘁𝗵𝘂𝗯: https://github.com/sultanzio/dorkingz
𝗗𝗼𝗿𝗸𝗶𝗻𝗴𝘇 is a high-performance Go-based tool designed for automated search engine querying using custom search dorks and rotating proxies. It efficiently retrieves unique domains from search results across multiple search engines, including Google, Bing, and DuckDuckGo.
𝗙𝗲𝗮𝘁𝘂𝗿𝗲𝘀:
- Multiple Search Engines: Supports Google, Bing, and DuckDuckGo.
- Rotating Proxies: Utilizes a pool of validated proxies to prevent IP blocking and bypass rate limits. You can use premium proxy or SSL Proxies Free!
- Concurrent Processing: Leverages Go's concurrency model to perform multiple searches simultaneously.
- Retry Mechanism: Implements exponential backoff retries with alternate proxies upon failures.
- Unique Domain Extraction: Parses search results to extract and store unique domain names.
- Configurable Parameters: Easily configurable through command-line flags for dorks, proxies, concurrency levels, and more.
- Efficient Logging: Provides informative logs to monitor the progress and status of searches.

𝗩𝗲𝗿𝘀𝗶𝗼𝗻: 1.2
*Note: there is no captcha bypass yet

18/09/2024

MalwareBazaar ── is a project operated by abuse.ch. The purpose of the project is to collect and share malware samples, helping IT-security researchers and threat analysts protecting their constituency and customers from cyber threats.

Read more: https://bazaar.abuse.ch/browse/

18/09/2024

Indonesian Ministry of Finance (Direktorat Jenderal Pajak / DJP) jen Jenderal Pajak) Data Leaked and Sold by BJORKA on Breach Forum..

The post, titled "6 MILLION INDONESIA TAXPAYER IDENTIFICATION NUMBER (NPWP)", was made on Wednesday, September 18, 2024, at 01:08 AM.

File size: 500 MB compressed, 2 GB uncompressed
Total records: 6,663,379
Breach date: September 2024
File format: CSV
Compromised data: Includes sensitive personal information such as names, national ID numbers (NIK), NPWP numbers, addresses, email, phone numbers, dates of birth, and various tax-related data (e.g., KPP name, tax status, types of taxpayers).

17/09/2024

Tenable ── Microsoft patched 79 CVEs in its September 2024 Patch Tuesday release, with seven rated critical, 71 rated as important, and one rated as moderate.

Read more: https://www.tenable.com/blog/microsofts-september-2024-patch-tuesday-addresses-79-cves-cve-2024-43491

Microsoft addresses 79 CVEs with seven critical vulnerabilities and four zero-day vulnerabilities, including three that were exploited in the wild.

17/09/2024

Pe*******on Testing Cheat Sheet ── This comprehensive guide provides quick references, commands, and techniques for various aspects of pe*******on testing. Whether you're a beginner or an experienced pentester, this cheat sheet has got you covered.

Read more: https://github.com/NoorQureshi/kali-linux-cheatsheet

Kali Linux Cheat Sheet for Pe*******on Testers. Contribute to NoorQureshi/kali-linux-cheatsheet development by creating an account on GitHub.

17/09/2024

Medusa Ransomware Exploiting Fortinet Flaw For Sophisticated Attacks — “Medusa gains access to a target system through a known weakness such as the Fortinet EMS SQL injection vulnerability. CVE-2023-48788 impacts environments that have FortiClient EMS, versions 7.2 to 7.2.2 and 7.0.1 to 7.0.10, installed to manage endpoints,” Bitdefender said.

Read more: https://cybersecuritynews.com/medusa-ransomware-exploiting-fortinet-flaw/
https://cyberpress.org/medusa-ransomware-exploits-fortinet-flaw/

14/09/2024

Apple Vision Pro Vulnerability Demo!

Founder : University Of Florida
https://sites.google.com/view/Gazeploit/

News:
https://secry.me/explore/apple-vision-pro-virtual-keyboard-vulnerability/

13/09/2024

indodax hacked

INDODAX Hacked - A major security breach has rocked Indonesia's largest cryptocurrency exchange, Indodax, sending shockwaves through the nation's crypto

11/09/2024

New Exploit Wordpress Litespeed Hijack account user/admin session from cookie wp-content/debug.log
https://github.com/absholi7ly/CVE-2024-44000-LiteSpeed-Cache

09/09/2024

Subdosec - is not just a fast and accurate subdomain takeover scanner with no false positives. It also provides a complete database containing a list of sites vulnerable to subdomain takeover (public results), as well as detailed non-vuln subdomain metadata information such as IP, CNAME, TITLE, and STATUS CODE, which you can use for reconnaissance to find sites that may be vulnerable to subdomain takeover on new services.

*Note: To run this tools, ensure Node.js already installed to your machine. For more details, you can read the docs on link below:

https://github.com/tegal1337/subdosec