1. Insecure Deserialization
1.1. Blogs
1.1.1. Blog 1
1.1.2. Blog 2
1.1.3. Blog 3
1.1.4. Blog 4
1.2. Tools
1.2.1. Python pickle
1.2.2. gadgetinspector
1.2.3. ysoserial
1.3. Burp Extensions
1.3.1. Java-Deserialization-Scanner
1.3.2. JavaSerialKiller
1.3.3. burp-ysoserial
1.3.4. SuperSerial
1.3.5. SuperSerial-Active
2. Clickjacking
2.1. Tools and Burp extensions
2.1.1. Clickbandit
3. Command Injection
3.1. Payloads
3.1.1. Set 1
3.1.2. Set 2
3.2. Tools
3.2.1. commix
3.2.2. Practice labs
3.3. Burp Extensions
3.3.1. Command Injection Attacker
4. Cross-site scripting (XSS)
4.1. Types
4.1.1. Stored-XSS
4.1.2. Reflected-XSS
4.1.3. DOM-XSS
4.1.4. Blind-XSS
4.1.4.1. XSS Hunter (The Best tool for Blind XSS)
4.1.4.2. ezXSS (Has 2FA, email reports, share reports feature)
4.1.4.3. bXSS (Has slack/SMS notification feature)
4.1.4.4. Knoxss (has email feature & plugin)
4.1.4.5. Burp Collaborator
4.2. Payloads
4.2.1. WAF Bypass
4.2.1.1. Kona WAF (Akamai) Bypass
4.2.1.1.1. \');confirm(1);//
4.2.1.2. ModSecurity WAF Bypass
4.2.1.2.1. <img src=x onerror=prompt(document.cookie) onerror=prompt(document.domain) onerror=prompt(document.domain)>
4.2.1.3. Incapsula WAF Bypasses
4.2.1.3.1. <iframe/onload='this["src"]="javas cript:al"+"ert""';> <img/src=q onerror='new Function`al\ert\`1\"'>
4.2.1.4. Wordfence XSS Bypasses
4.2.1.4.1. <meter onmouseover="alert(1)"
4.2.1.4.2. '">><div><meter onmouseover="alert(1)"</div>"
4.2.1.4.3. >><marquee loop=1 width=0 onfinish=alert(1)>
4.2.2. XSS via file upload
4.2.2.1. XSS in file name
4.2.2.1.1. "><img src=v onerror=prompt(xss);>.jpeg
4.2.2.2. Metadata (exiftool)
4.2.2.2.1. exiftool -Artist=' "><img src=1 onerror=alert(document.domain)>' brute.jpeg
4.2.2.3. SVG content XSS
4.2.2.3.1. <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
4.2.2.4. Gif extension XSS
4.2.2.4.1. GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
4.2.2.5. Html extension
4.2.2.5.1. <!DOCTYPE html> <html> <head> <title>XSS</title> </head> <body> <script type="text/javascript">alert(document.cookie)</script> <script>prompt(1);</script> </body> </html>
4.2.3. Set 1
5. SQL Injection
5.1. Types
5.1.1. Union-based SQLi
5.1.2. Error-based SQLi
5.1.3. Blind SQLi
5.1.3.1. Boolean-based (content-based) Blind SQLi
5.1.3.2. Time-based Blind SQLi
5.1.4. Second-order SQL injection
5.1.4.1. End the query with "#" or "--"
5.1.5. Login SQLi
5.1.5.1. Login bypass payloads
5.1.5.1.1. SQL Query
    1) SELECT * FROM users WHERE name='tom' and password='tom'
    2) SELECT * FROM users WHERE name='tom' and password='' or '1'='1'
    3) SELECT * FROM users WHERE name='tom' and password='' or 1='1'
    4) SELECT * FROM users WHERE name='tom' and password='' or 1=1-- -'
    5) SELECT * FROM users WHERE name='' or '1'='1' and password='' or '1'='1'
    6) SELECT * FROM users WHERE name='' or ' 1=1' and password='' or ' 1=1'
    7) SELECT * FROM users WHERE name='1' or 1=1 -- -' and password='blah'
5.2. Tools & extensions
5.2.1. Online tools
5.2.1.1. sql-injection-scanner-online
5.2.2. Offline tools
5.2.2.1. SQLmap
5.2.2.1.1. Basic usage: sqlmap.py -u xyz.com/vuln.php?id=1*
5.2.2.1.2. Advanced usage: sqlmap.py -u xyz.com/vuln.php?id=1* --level 3 --risk 3
5.2.2.2. NoSQLMap
5.3. References
5.3.1. sqlwiki
5.3.2. pentest-tools
6. Web cache poisoning
7. HTTP request smuggling
7.1. Blogs
7.1.1. Blog 1
7.1.2. Blog 2
7.1.3. Blog 3
7.1.4. Blog 4
7.2. Concept
7.2.1. TE:CL
7.2.2. CL:TE
7.2.3. TE:TE
7.3. Tools
7.3.1. smuggler.py
7.4. Burp extensions
7.4.1. http-request-smuggler
8. CRLF Injection (%0d%0a)
8.1. Payloads
9. Unrestricted file upload
9.1. Tools
9.1.1. fuxploider
9.1.2. Burp extensions
9.1.2.1. Upload Scanner
9.2. Blogs
9.2.1. Blog 1
9.2.2. Blog 2
9.3. Payloads
9.3.1. Set 1
9.3.2. Set 2
9.3.3. Set 3
10. Template Injection
10.1. Tools
10.1.1. tplmap
10.2. Types
10.2.1. Twig
10.2.1.1. Payload: {{7*'7'}}
10.2.2. Jinja
10.2.2.1. Payload: {{7*'7'}}
10.2.3. Ruby
10.2.3.1. Payload: <%= 7 * 7 %>
10.3. Payloads & References
10.3.1. Set 1
10.3.2. Blog 1
11. Reporting Tool
11.1. Serpico
11.2. dradisframework
11.3. bountyplz
11.4. template-generator
12. Response manipulation
12.1. References
12.1.1. Ref 1
13. Git Recon
13.1. Tools
13.1.1. gitGraber
13.1.2. Gitrob
13.1.3. truffleHog
13.1.4. github-search
14. Race Condition
14.1. Blog 1
14.2. Blog 2
14.3. Blog 3
14.4. Blog 4
15. Google dorks
15.1. References
15.1.1. GHDB
15.1.2. Bugbounty dorks
15.1.3. Blog 1
15.1.4. Blog 2
15.1.5. google_Dorks_list
16. Web Cache Deception Attack
17. Email spoofing vulnerabilities
17.1. Mxtoolbox
17.2. Mail spoofer
18. Subdomain enumeration & takeover
18.1. Blogs
18.1.1. POC
18.1.1.1. Subdomain Take-over POCs
    github - https://hackerone.com/reports/363778
    aws - https://hackerone.com/reports/186766
    zendesk - https://hackerone.com/reports/759454
    Azure - https://hackerone.com/reports/665398
    Uptime Robot - https://hackerone.com/reports/781614
    fly.io - https://hackerone.com/reports/576857
    icn.bg - https://hackerone.com/hacker_dashboard/overview
    Azure Traffic Manager - https://hackerone.com/reports/570651
    tilda.cc - https://hackerone.com/reports/720992
    Netlify - https://hackerone.com/reports/197489
    Mashery service - https://hackerone.com/reports/275714
    fastly - https://hackerone.com/reports/154425
    Heroku - https://hackerone.com/reports/365853
    UnbouncePages - https://hackerone.com/reports/209004
    Tumblr - https://hackerone.com/reports/221631
    Shopify - https://hackerone.com/reports/416474
    ghost.io - https://hackerone.com/reports/368119
    CloudFront (CF Origin) - https://hackerone.com/reports/145224
    legacy - https://hackerone.com/reports/389783
    WordPress - https://hackerone.com/reports/274336
    Desk - https://hackerone.com/reports/201796
18.1.2. Edoverflow
18.1.3. patrik
18.2. Tools
18.2.1. Online tools
18.2.1.1. Cyberint
18.2.1.2. Hackking
18.2.1.3. Sub enumeration
18.2.1.4. Virustotal
18.2.2. Offline tools
18.2.2.1. Amass
18.2.2.1.1. Basic-usage: [amass enum -d example.com]
18.2.2.2. Aquatone
18.2.2.2.1. Basic-usage: [cat targets.txt | aquatone {or} type targets.txt | aquatone]
18.2.2.3. Massdns
18.2.2.3.1. Basic-usage: [./bin/massdns {options} {domainlist}]
18.2.2.4. Findomain
18.2.2.4.1. Basic-usage: [findomain -t example.com]
18.2.2.5. Assetfinder
18.2.3. Automation
18.2.3.1. Link 1
18.2.3.2. Link 2
19. SAML/SSO
19.1. Blogs
19.1.1. https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/
    https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/
    https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/
    https://github.com/kelbyludwig/saml-attack-surface
    http://secretsofappsecurity.blogspot.com/2017/01/saml-security-xml-external-entity-attack.html
    https://seanmelia.wordpress.com/2016/01/09/xxe-via-saml/
    https://hackerone.com/reports/136169
19.2. Burp Extensions
19.2.1. SAMLRaider
20. Directory enumeration
20.1. Wordlist
20.1.1. jhaddix
20.1.2. SecLists
20.2. Tools
20.2.1. Meg
20.2.2. ffuf
20.2.2.1. Basic-usage: [ffuf -w /path/to/wordlist -u https://target/FUZZ]
20.2.2.1.1. Fuzz file paths from wordlist.txt, match all responses but filter out those with content-size 42. Colored, verbose output.
      ffuf -w wordlist.txt -u https://example.org/FUZZ -mc all -fs 42 -c -v
    Fuzz Host-header, match HTTP 200 responses.
      ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200
    Fuzz POST JSON data. Match all responses not containing text "error".
      ffuf -w entries.txt -u https://example.org/ -X POST -H "Content-Type: application/json" \
        -d '{"name": "FUZZ", "anotherkey": "anothervalue"}' -fr "error"
    Fuzz multiple locations. Match only responses reflecting the value of "VAL" keyword. Colored.
      ffuf -w params.txt:PARAM -w values.txt:VAL -u https://example.org/?PARAM=VAL -mr "VAL" -c
20.2.3. Dirsearch
20.2.3.1. Basic-usage: [python3 dirsearch.py -u <URL> -e <EXTENSION>]
20.2.3.1.1. Options:
    -h, --help                                show this help message and exit
    Mandatory:
      -u URL, --url=URL                       URL target
      -L URLLIST, --url-list=URLLIST          URL list target
      -e EXTENSIONS, --extensions=EXTENSIONS  Extension list separated by comma (Example: php,asp)
      -E, --extensions-list                   Use predefined list of common extensions
    Dictionary Settings:
      -w WORDLIST, --wordlist=WORDLIST
      -l, --lowercase
      -f, --force-extensions                  Force extensions for every wordlist entry (like in DirBuster)
    General Settings:
      -s DELAY, --delay=DELAY                 Delay between requests (float number)
      -r, --recursive                         Bruteforce recursively
      -R RECURSIVE_LEVEL_MAX, --recursive-level-max=RECURSIVE_LEVEL_MAX
                                              Max recursion level (subdirs) (Default: 1 [only rootdir + 1 dir])
      --suppress-empty, --suppress-empty
      --scan-subdir=SCANSUBDIRS, --scan-subdirs=SCANSUBDIRS
                                              Scan subdirectories of the given -u|--url (separated by comma)
      --exclude-subdir=EXCLUDESUBDIRS, --exclude-subdirs=EXCLUDESUBDIRS
                                              Exclude the following subdirectories during recursive scan (separated by comma)
      -t THREADSCOUNT, --threads=THREADSCOUNT Number of Threads
      -x EXCLUDESTATUSCODES, --exclude-status=EXCLUDESTATUSCODES
                                              Exclude status code, separated by comma (example: 301, 500)
      --exclude-texts=EXCLUDETEXTS            Exclude responses by texts, separated by comma (example: "Not found", "Error")
      --exclude-regexps=EXCLUDEREGEXPS        Exclude responses by regexps, separated by comma (example: "Not foun[a-z]{1}", "^Error$")
      -c COOKIE, --cookie=COOKIE
      --ua=USERAGENT, --user-agent=USERAGENT
      -F, --follow-redirects
      -H HEADERS, --header=HEADERS            Headers to add (example: --header "Referer: example.com" --header "User-Agent: IE")
      --random-agents, --random-user-agents
    Connection Settings:
      --timeout=TIMEOUT                       Connection timeout
      --ip=IP                                 Resolve name to IP address
      --proxy=HTTPPROXY, --http-proxy=HTTPPROXY
                                              Http Proxy (example: localhost:8080)
      --http-method=HTTPMETHOD                Method to use, default: GET, possible also: HEAD;POST
      --max-retries=MAXRETRIES
      -b, --request-by-hostname               By default dirsearch will request by IP for speed. This forces requests by hostname
    Reports:
      --simple-report=SIMPLEOUTPUTFILE        Only found paths
      --plain-text-report=PLAINTEXTOUTPUTFILE Found paths with status codes
      --json-report=JSONOUTPUTFILE
20.2.4. wfuzz
21. SSRF
21.1. Online tools
21.1.1. ssrftest
21.1.2. postb.in
21.2. Github tools
21.2.1. httprebind
21.2.2. ssrftest
21.2.3. Ground control
21.2.4. SSRF map
21.3. Blogs & Payloads
21.3.1. https://github.com/jdonsec/AllThingsSSRF
    https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b
    https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978
    https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-2-a085ec4332c0
22. CSRF
22.1. CSRF Bypass
22.1.1. Replacing value of same length
22.1.2. Removing the CSRF token from requests entirely
22.1.3. Decoding CSRF tokens
22.1.4. Extracting token via HTML injection
22.1.5. Using only the static parts of the token
22.1.6. Changing request method
22.1.7. Try to remove the referer header
22.2. Burp extension
22.2.1. EasyCSRF
22.3. JSON-Based CSRF
22.3.1. Blog 1
23. File Inclusion
23.1. RFI
23.2. LFI
23.3. GitHub References & Tools
23.3.1. LFISuite
23.3.2. liffy
23.3.3. fimap
23.4. Payloads
23.4.1. Set 1
23.4.2. Set 2
23.4.3. Set 3
23.4.4. Burp Intruder list
24. IDOR
24.1. Burp Extensions
24.1.1. Authz
24.1.2. AuthMatrix
24.1.3. Authorize
24.2. Blogs
24.2.1. Blog 1
24.2.2. Blog 2
24.2.3. Blog 3
25. XXE
25.1. Online tools
25.1.1. XXE.SH
25.2. Types
25.2.1. Inbound XML injection
25.2.2. OOB (out-of-band) XML injection
25.2.3. Error-based XML injection
25.3. Github tools
25.3.1. oxml_xxe
25.3.2. XXEinjector
25.4. Blogs
25.4.1. https://0xatul.me/posts/2020/02/external-xml-entity-via-file-upload-svg/
    https://mahmoudsec.blogspot.com/2019/08/exploiting-out-of-band-xxe-using.html
    https://github.com/setuid0-sec/Swiss_E-Voting_Publications/blob/master/xxe_setuid0.pdf
    https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/
    https://honoki.net/2018/12/12/from-blind-xxe-to-root-level-file-read-access/
    https://www.corben.io/XSS-to-XXE-in-Prince/
    https://medium.com/@zain.sabahat/an-interesting-xxe-in-sap-8b35fec6ef33
26. Some Git repos, Burp extensions, etc.
26.1. Git repos
26.1.1. AWS offensive/defensive
26.1.2. Key hacks
26.1.3. Github Monitoring
26.1.4. Pentest-tools
26.2. Shodan monitoring
26.3. Burp extensions
26.3.1. HUNT
26.4. Blogs
26.4.1. pentester.land
27. Redirect
27.1. Online tools
27.1.1. Hackking
27.2. Blogs
27.2.1. Blog 1