Pentesters & Bounty hunters inspirational guide

Contact @BBerastegui if you want to have edit permissions ( it’ll be helpful to get some help :) )

Introduction: How to use this

Ctrl+F (Cmd+F if you are on a Mac)

Search for whatever you are looking for inspiration about.

Copy-and-paste template for sections at the end of the document.

Ex.: Ctrl+F “RoR”

* / Misc / Multiple

Information

Vulnerabilities knowledge database

JSON Hijacking

Compilation of Facebook bug bounty writeups

Posts / Examples

[List of bounties won by SintheticLabs team]

How I Hacked Facebook, and Found Someone's Backdoor Script

Active Directory

Information

Abusing GPO Permissions

Posts / Examples

Kerberoasting Without Mimikatz

Android

Information

Posts / Examples

Breaking The Facebook For Android Application

Hacking android apps with Frida I

Authentication / Authorization

Posts / Examples

Gaining access to private topics using quoting feature

Getting any Facebook user's friend list and partial payment card details

AWS

Information

AWS Post Exploitation – Part 1

EC2 - Instance Metadata and User Data

How to perform S3 domain takeover

Posts / Examples

Tools

AWS pwn

Scout2 - Security auditing tool for AWS environments

Zeus - AWS Auditing & Hardening Tool

CORS

Information

HTTP access control (CORS)

Posts / Examples

Exploiting CORS Misconfigurations for Bitcoins and Bounties

Pre-domain wildcard CORS Exploitation

Crypto

Information

Posts / Examples

CBC "cut and paste" attack may cause Open Redirect (even XSS)

CSRF / SOP / CSP

Information

Posts / Examples

Exploiting CSRF on JSON endpoints with Flash and redirects

CSRF in 'set.php' via age causes stored XSS

Plain text considered harmful: A cross-domain exploit

Tools

Cloud (generic)

Posts / Examples

Hacking the Cloud

Csv injection

Information

Posts / Examples

Comma separated vulnerabilities

Everything about the CSV Excel Macro Injection

Bluetooth

Posts / Examples

Reversing and exploiting BLE 4.0 communication

How to capture Bluetooth packets on Android 4.4

This Is Not a Post About BLE, Introducing BLEAH

Desktop apps / Binaries

Information

Posts / Examples

XSS to RCE in Atlassian Hipchat

Modern Alchemy: Turning XSS into RCE

Tools

Directory/path traversal

Information

Django / Python

Information

Posts / Examples

Exploring server-side template injection in Flask Jinja2

Injecting Flask

Uber Remote Code Execution - Uber.com Remote Code Execution via Flask Jinja2 Template Injection

Tools

Ethereum

Posts / Examples

Thinking About Smart Contract Security

Exploiting

Information / Training

Linux Heap Exploitation Intro Series: Used and Abused – Use After Free

Return oriented programming

Hunting In Memory

File upload / image upload

Posts / Examples

Google Cloud Platform

Tools

AWS pwn

Google web toolkit (GWT)

From Serialized to Shell :: Auditing Google Web Toolkit

HTTP Headers

Practical HTTP Host header attacks

HTTP request smuggling

HTTP Desync Attacks: Request Smuggling Reborn

iOS

Information / Tips

IoT

Posts / Examples

Philips Hue Reverse Engineering (BH Talk ‘A Lightbulb Worm?’)

Tools

JWT (Json Web Token)

Information

JWT (JSON Web Token) (in)security

Posts / Examples

Critical Vulnerability Uncovered in JSON Encryption

Tools

LFI/RFI

Information

Posts / Examples

NodeJS / Javascript server-side

Posts / Examples

OAUTH

Information

Starting with OAuth 2.0 – Security Check && Secure OAuth 2.0: What Could Possibly Go Wrong?

Posts / Examples

Login CSRF + Open Redirect -> Account Takeover

Tools

Open redirects

Information

Posts / Examples

Airbnb – Chaining Third-Party Open Redirect into Server-Side Request Forgery (SSRF) via LivePerson Chat

Powershell / Windows CMD

Information

15 Ways to Bypass the PowerShell Execution Policy

Physical attacks / USB / HARDWARE

Information

Posts / Examples

Real-world Rubber Ducky attacks with Empire stagers

Red team exercises

Information

Red team tips

Posts / Examples

From APK to Golden Ticket

Restricted shells

Information

RCE

Information

Posts / Examples

Leveraging LFI to RCE using zip://

Yahoo! RCE via Spring Engine SSTI

Exploiting SSTI in Thymeleaf

RFID

Information

Reverse engineering (Firmwares)

Posts / Examples

Hacking a counterfeit money detector for fun and non-profit

Router exploitation

Posts / Examples

SQL Injection to MIPS Overflows: Rooting SOHO Routers

Flash Dumping - Part I

Ruby on Rails (RoR)

Posts / Examples

Airbnb – Ruby on Rails String Interpolation led to Remote Code Execution

GitHub Enterprise Remote Code Execution

Attacking Ruby on Rails applications

Github Enterprise SQL Injection

RoR SQL Injection cheatsheet

SAML

Information

Short SAML introduction

SAML 2.0 Protocols

How SAML Works

Dev Overview of SAML

Posts / Examples

The road to your codebase is paved with forged assertions

Slack SAML authentication bypass

Tools

SAMLRaider - Burp extension

Serialization

Information

Java-Deserialization-Cheat-Sheet

Posts / Examples

Attacking Java Deserialization

CVE-2015-0935: PHP Object Injection in Bomgar Remote Support Portal

Tools

A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization

SOAP

Posts / Examples

Don’t Drop the SOAP: Real World Web Service Testing

SQL Injection

Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper

SSRF

Information

Server Side Request Forgery Vulnerability

SSRF tips

SSRF (Server Side Request Forgery) testing resources

SSRF Injection (PayloadsAllTheThings)

Posts / Examples

SSRF, Memcached and other key-value injections in the wild

Escalating XSS in PhantomJS Image Rendering to SSRF/Local-File Read

Tips

Subdomain takeover / domain takeover

Information

Posts / Examples

Mailgun misconfiguration leads to email snooping and postmaster@-access

Authentication bypass via subdomain takeover

Tools

UPnP

Information

“research of security risks that exist in UPnP implementations”

Posts / Examples

Sending a video content to a DLNA/UPnP software/device using curl

Adventures in UPnP with cURL and netcat

Tools

WAF

Information

Posts / Examples

Tools

Websockets

Information

How Cross-Site WebSocket Hijacking could lead to full Session Compromise

Posts / Examples

Web services

Information

“Flaws of today's web service standards and implementations in regard to web service security”

Posts / Examples

Tools

Windows - Penetration testing

RDP hijacking — how to hijack RDS and RemoteApp sessions transparently to move through an organisation

Tools

Windows - exploiting

Information

Injecting code into remote process

Posts / Examples

Tools

XSS / Javascript-fu

Information

What can be really done with Cross-site Scripting

Bypassing Signature-Based XSS Filters: Modifying Script Code

ECMAScript 6 for Penetration Testers

Posts / Examples

“Another vulnerability in Facebook”

XSS via a spoofed React element

7500$ worth DOM XSS in Facebook Mobile Site

Stored XSS on Facebook

AngularJS - Escaping the Expression Sandbox for XSS

Tools / Tips / Bypasses

Bypassing filters / Breaking context

Exploiting CSRF

XXE / XML attacks

Information

XXE Cheatsheet

XXE payloads

Exploitation: XML External Entity (XXE) Injection

Posts / Examples

XML External Entity Injection in Jive-n (CVE-2018-5758)

Cheatsheets (to be cleaned)


* / Misc / Multiple

Information

Vulnerabilities knowledge database

https://portswigger.net/kb/issues

JSON Hijacking

Keywords: JSON, hijacking

https://haacked.com/archive/2009/06/25/json-hijacking.aspx/

Compilation of Facebook bug bounty writeups

Keywords: Facebook, compilation, writeup, bug bounty

https://www.facebook.com/notes/phwd/facebook-bug-bounties/707217202701640/

Posts / Examples

[List of bounties won by SintheticLabs team]

Keywords: H1, bounty

https://h1.sintheticlabs.com/

How I Hacked Facebook, and Found Someone's Backdoor Script

Keywords: SQLi, Facebook, RCE

http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver/

How to Detect HTTP Parameter Pollution Attacks

https://www.acunetix.com/blog/whitepaper-http-parameter-pollution/

Active Directory

Information

A Red Teamer’s Guide to GPOs and OUs

Keywords: AD, red team, group policy

https://wald0.com/?p=179

Abusing GPO Permissions

Keywords: AD, red team, GPO, group policy

https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/

Posts / Examples

Kerberoasting Without Mimikatz

Keywords: Kerberos, AD

https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/

Android

Information

Posts / Examples

Breaking The Facebook For Android Application

Keywords: Android, deeplink

https://ash-king.co.uk/facebook-bug-bounty-09-18.html

Hacking android apps with Frida I

Keywords: Frida, Android, DBI

https://www.codemetrix.net/hacking-android-apps-with-frida-1/

Hacking a game to learn FRIDA basics (Pwn Adventure 3)

Keywords: Frida, Android, game hacking

https://x-c3ll.github.io/posts/Frida-Pwn-Adventure-3/

Authentication / Authorization

Posts / Examples

Gaining access to private topics using quoting feature

Keywords: Discourse, authorization bypass, forum

https://hackerone.com/reports/312647

Getting any Facebook user's friend list and partial payment card details

Keywords: Facebook, authorization, GraphQL

https://www.josipfranjkovic.com/blog/facebook-friendlist-paymentcard-leak

AWS

Information

AWS Post Exploitation – Part 1

Keywords: aws, aws-cli

https://cloudsecops.com/aws-post-exploitation-part-1/

EC2 - Instance Metadata and User Data

Keywords: EC2

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

How to perform S3 domain takeover

Keywords: S3, domain takeover

S3 bucket policy (public read of every object in the bucket named after the domain):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::exampledomain.com/*"
            ]
        }
    ]
}

Posts / Examples

Tools

AWS pwn

Keywords: AWS

https://github.com/dagrz/aws_pwn

Scout2 - Security auditing tool for AWS environments

Keywords: AWS, Scout2, NCC

https://github.com/nccgroup/Scout2

Zeus - AWS Auditing & Hardening Tool

Keywords: AWS, hardening

https://github.com/DenizParlak/Zeus

https://github.com/RhinoSecurityLabs/pacu

https://github.com/andresriancho/nimbostratus

https://github.com/Ucnt/aws-s3-bruteforce

https://github.com/JR0ch17/S3Cruze

CORS

Information

HTTP access control (CORS)

Keywords: CORS

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

Posts / Examples

Exploiting CORS Misconfigurations for Bitcoins and Bounties

Keywords: CORS

http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html

Pre-domain wildcard CORS Exploitation

Keywords: CORS

https://medium.com/@arbazhussain/pre-domain-wildcard-cors-exploitation-2d6ac1d4bd30

Crypto

Information

https://sites.google.com/site/cryptocrackprogram

https://r12a.github.io/uniview

https://github.com/nccgroup/featherduster

Posts / Examples

CBC "cut and paste" attack may cause Open Redirect (even XSS)

Keywords: CBC, crypto, redirect, token

https://hackerone.com/reports/126203

CSRF / SOP / CSP

Information

Authoritative guide to CORS (Cross-Origin Resource Sharing) for REST APIs

Keywords: CSRF

https://www.moesif.com/blog/technical/cors/Authoritative-Guide-to-CORS-Cross-Origin-Resource-Sharing-for-REST-APIs/

Posts / Examples

Exploiting CSRF on JSON endpoints with Flash and redirects

Keywords: CSRF, JSON

https://blog.appsecco.com/exploiting-csrf-on-json-endpoints-with-flash-and-redirects-681d4ad6b31b

CSRF in 'set.php' via age causes stored XSS

Keywords: Rockstar, CSRF, XSS

https://hackerone.com/reports/152013

Plain text considered harmful: A cross-domain exploit

Keywords: SOP, JSONP, CSRF, Javascript

http://balpha.de/2013/02/plain-text-considered-harmful-a-cross-domain-exploit/

Bypass Same Origin Policy - BY-SOP (Challenge + explanations)

Keywords: SOP

https://github.com/mpgn/ByP-SOP/

Tools

Cloud (generic)

Posts / Examples

Hacking the Cloud

Keywords: Azure, AWS, Active Directory (AD)

https://adsecurity.org/wp-content/uploads/2017/07/2017-DEFCON-HackingTheCloud-SteereMetcalf-Final.pdf

Bypassing and exploiting Bucket Upload Policies and Signed URLs

Keywords: buckets, AWS, Google Cloud (GCP)

https://labs.detectify.com/2018/08/02/bypassing-exploiting-bucket-upload-policies-signed-urls/

Csv injection

Information

Posts / Examples

Comma separated vulnerabilities

Keywords: Openoffice, Libreoffice, Excel, export to csv

https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/

Everything about the CSV Excel Macro Injection

Keywords: Excel, macro injection

http://blog.securelayer7.net/how-to-perform-csv-excel-macro-injection/

Exploiting ‘Export as CSV’ functionality: The road to CSV Injection

Keywords: export as csv

http://www.tothenew.com/blog/csv-injection/

Cloud Security Risks (P2): CSV Injection in AWS CloudTrail

Keywords: AWS

https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/

http://blog.zsec.uk/csv-dangers-mitigations/

Bluetooth

Posts / Examples

Reversing and exploiting BLE 4.0 communication

Keywords: BLE, Bluetooth

http://payatu.com/reversing-exploiting-ble-4-0-communication/

How to capture Bluetooth packets on Android 4.4

Keywords: BLE, Bluetooth, Android

https://www.nowsecure.com/blog/2014/02/07/bluetooth-packet-capture-on-android-4-4/

This Is Not a Post About BLE, Introducing BLEAH

Keywords: BLE, Bluetooth

https://www.evilsocket.net/2017/09/23/This-is-not-a-post-about-BLE-introducing-BLEAH/

Desktop apps / Binaries

Information

Posts / Examples

XSS to RCE in Atlassian Hipchat

Keywords: RCE, XSS, Desktop, Electron

https://maustin.net/2015/11/12/hipchat_rce.html

Modern Alchemy: Turning XSS into RCE

Keywords: RCE, XSS, Desktop, Electron

https://blog.doyensec.com/2017/08/03/electron-framework-security.html

Tools

Directory/path traversal

Information

Directory Traversal Checklist

Keywords: checklist, path traversal, directory traversal

  • 16-bit Unicode encoding: . = %u002e, / = %u2215, \ = %u2216
  • Double URL encoding: . = %252e, / = %252f, \ = %255c
  • UTF-8 Unicode encoding: . = %c0%2e, %e0%40%ae, %c0ae; / = %c0%af, %e0%80%af, %c0%2f; \ = %c0%5c, %c0%80%5c

Django / Python

Information

Posts / Examples

Exploring server-side template injection in Flask Jinja2

Keywords: Flask, Jinja2

https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2/

Injecting Flask

Keywords: Flask

https://nvisium.com/blog/2015/12/07/injecting-flask/

Uber Remote Code Execution - Uber.com Remote Code Execution via Flask Jinja2 Template Injection

Keywords: Flask, Jinja2

http://blog.orange.tw/2016/04/bug-bounty-uber-ubercom-remote-code_7.html

Tools

Ethereum

Posts / Examples

Thinking About Smart Contract Security

https://blog.ethereum.org/2016/06/19/thinking-smart-contract-security/

Exploiting

Information / Training

Linux Heap Exploitation Intro Series: Used and Abused – Use After Free

Keywords: use after free

https://sensepost.com/blog/2017/linux-heap-exploitation-intro-series-used-and-abused-use-after-free/

Return oriented programming

Keywords: ROP, training

https://ropemporium.com/

Hunting In Memory

Keywords: shellcode injection, reflective DLL injection, memory module, process and module hollowing, Gargoyle (ROP/APC)

https://www.endgame.com/blog/technical-blog/hunting-memory

File upload / image upload

Posts / Examples

forum.getmonero.org Shell upload

Keywords: image upload, forum, php, shell, exif

https://hackerone.com/reports/357858

Google Cloud Platform

Tools

AWS pwn

Keywords: AWS

https://github.com/dagrz/aws_pwn

Google web toolkit (GWT)

From Serialized to Shell :: Auditing Google Web Toolkit

Keywords: GWT, RCE, serialization

https://srcincite.io/blog/2017/04/27/from-serialized-to-shell-auditing-google-web-toolkit.html

HTTP Headers

Practical HTTP Host header attacks

Keywords: HTTP Headers, Host, cache poisoning

http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html

HTTP request smuggling

HTTP Desync Attacks: Request Smuggling Reborn

Keywords: smuggling, HTTP pipelining

https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn

iOS

Information / Tips

Easy network monitoring on a non-jailbroken iOS device:

1/ Connect the iOS device to your Mac via USB.

2/ rvictl -s <UDID> (creates the remote virtual interface rvi0 for that device)

3/ tcpdump -i rvi0, or capture on the rvi0 interface in Wireshark.

IoT / Hardware

Posts / Examples

Philips Hue Reverse Engineering (BH Talk ‘A Lightbulb Worm?’)

Keywords: Philips hue, IoT, Zigbee

http://colinoflynn.com/2016/08/philips-hue-r-e-whitepaper-from-black-hat-2016/

A Red Team Guide for a Hardware Penetration Test: Part 1

Keywords: Hardware, router, iot

https://adam-toscher.medium.com/a-red-team-guide-for-a-hardware-penetration-test-part-1-2d14692da9a1

Tools

JWT (Json Web Token)

Information

JWT (JSON Web Token) (in)security

Keywords: JWT, json web tokens

https://research.securitum.com/jwt-json-web-token-security/

Posts / Examples

Critical Vulnerability Uncovered in JSON Encryption

Keywords: JWT, json

http://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json-encryption.html

Tools

LFI/RFI

Information

https://highon.coffee/blog/lfi-cheat-sheet/

https://www.hackthis.co.uk/articles/shell-via-lfi-and-procselfenviron

https://blog.g0tmi1k.com/2012/02/kioptrix-level-4-local-file/

Posts / Examples

LOCAL FILE READ VIA XSS IN DYNAMICALLY GENERATED PDF

Keywords: XSS, LFI, pdf generator, pdf

http://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html

PHP Remote File Inclusion command shell using data://

Keywords: PHP, RFI, LFI, URI

https://www.idontplaydarts.com/2011/03/php-remote-file-inclusion-command-shell-using-data-stream/

NodeJS / Javascript server-side

Posts / Examples

[demo.paypal.com] Node.js code injection (RCE)

Keywords: Paypal, Node, NodeJS, RCE

http://artsploit.blogspot.com.es/2016/08/pprce2.html

Exploiting Node.js deserialization bug for Remote Code Execution

Keywords: Node, NodeJS, RCE

https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/

OAUTH

Information

Starting with OAuth 2.0 – Security Check && Secure OAuth 2.0: What Could Possibly Go Wrong?

Keywords: OAuth

https://www.securing.pl/en/starting-with-oauth-2-security-check/index.html

https://www.securing.pl/en/secure-oauth-2-0-what-could-possibly-go-wrong/index.html

Posts / Examples

Login CSRF + Open Redirect -> Account Takeover

Keywords: Uber, CSRF, account takeover, Oauth theft

http://ngailong.com/uber-login-csrf-open-redirect-account-takeover/

Tools

Open redirects

Information

Open Url Redirects

Keywords: open redirect, location

https://zseano.com/tutorials/1.html

Posts / Examples

Airbnb – Chaining Third-Party Open Redirect into Server-Side Request Forgery (SSRF) via LivePerson Chat

Keywords: SSRF

http://buer.haus/2017/03/09/airbnb-chaining-third-party-open-redirect-into-server-side-request-forgery-ssrf-via-liveperson-chat/

Powershell / Windows CMD

Information

15 Ways to Bypass the PowerShell Execution Policy

Keywords: Powershell, policy, bypass

https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/

DOSfuscation: Exploring the Depths of Cmd.exe Obfuscation and Detection Techniques

Keywords: cmd.exe, obfuscation, windows

https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf

Physical attacks / USB / HARDWARE

Information

Posts / Examples

Real-world Rubber Ducky attacks with Empire stagers

Keywords: Empire, Rubber Ducky, USB

https://www.sc0tfree.com/sc0tfree-blog/optimizing-rubber-ducky-attacks-with-empire-stagers

Red team exercises

Information

Red team tips

Keywords: red team, tips

https://vincentyiu.co.uk/red-team-tips/

Posts / Examples

From APK to Golden Ticket

Keywords: red team, apk, golden ticket

https://docs.google.com/document/d/1XWzlOOuoTE7DUK60qTk1Wz1VNhbPaHqKEzyxPfyW4GQ

Restricted shells

Information

Escape From SHELLcatraz - Breaking Out of Restricted Unix Shells

Keywords: shell escapes, restricted shell

https://speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells

Restricted Linux Shell Escaping Techniques

Keywords: shell escapes, restricted shell

https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/

RCE

Information

Server-side Template injection / SSTI

Keywords: template, Mako, Jinja, Twig, Smarty

Posts / Examples

Leveraging LFI to RCE using zip://

Keywords: Php, LFI, RCE, uri, data uri

http://www.sxcurity.pro/2017/01/01/zip-to-rce-lfi/

Yahoo! RCE via Spring Engine SSTI

Keywords: RCE, SSTI, template, Spring

https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/

Exploiting SSTI in Thymeleaf

Keywords: RCE, SSTI, template, thymeleaf, Java

https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/

RFID

Information

RFID Hacking with The Proxmark 3

Keywords: Proxmark 3, RFID, getting started

https://blog.kchung.co/rfid-hacking-with-the-proxmark-3/

Reverse engineering (Firmwares)

Posts / Examples

Hacking a counterfeit money detector for fun and non-profit

Keywords: money detector, reverse engineering, firmware

http://blog.ioactive.com/2013/10/hacking-counterfeit-money-detector-for.html

Router exploitation

Posts / Examples

SQL Injection to MIPS Overflows: Rooting SOHO Routers

http://media.blackhat.com/bh-us-12/Briefings/Cutlip/BH_US_12_Cutlip_SQL_Exploitation_WP.pdf

Flash Dumping - Part I

https://blog.quarkslab.com/flash-dumping-part-i.html

Unlocking the ZTE F680 router / Desbloqueando el router ZTE F680 (Spanish)

https://blog.eth1.es/2017/02/18/desbloqueando-el-router-zte-f680/ (English: here)

Ruby on Rails (RoR)

Posts / Examples

Airbnb – Ruby on Rails String Interpolation led to Remote Code Execution

http://buer.haus/2017/03/13/airbnb-ruby-on-rails-string-interpolation-led-to-remote-code-execution/

GitHub Enterprise Remote Code Execution

http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html

Attacking Ruby on Rails applications

http://phrack.org/issues/69/12.html

Github Enterprise SQL Injection

http://blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection.html

RoR SQL Injection cheatsheet

https://rails-sqli.org/


SAML

Information

Short SAML introduction

http://www.economyofmechanism.com/office365-authbypass.html

SAML 2.0 Protocols

https://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile

How SAML Works

https://auth0.com/blog/how-saml-authentication-works/

Dev Overview of SAML

https://developers.onelogin.com/saml

Posts / Examples

The road to your codebase is paved with forged assertions

http://www.economyofmechanism.com/github-saml.html

Slack SAML authentication bypass

http://blog.intothesymmetry.com/2017/10/slack-saml-authentication-bypass.html

Tools

SAMLRaider - Burp extension

https://github.com/SAMLRaider/SAMLRaider


Serialization

Information

Java-Deserialization-Cheat-Sheet

Keywords: Java, serialization, deserialization, cheatsheet

https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet

Posts / Examples

Attacking Java Deserialization

Keywords: Java, serialization, deserialization

https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/

CVE-2015-0935: PHP Object Injection in Bomgar Remote Support Portal

Keywords: PHP, serialization, deserialization

https://codewhitesec.blogspot.com/2015/05/cve-2015-0935-bomgar-remote-support-portal.html

Tools

A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization

Keywords: Java, serialization, deserialization, ysoserial

https://github.com/frohoff/ysoserial/

SerializationDumper

Keywords: Java, serialization, deserialization

"A tool to dump Java serialization streams in a more human readable form."

https://github.com/NickstaDB/SerializationDumper

SOAP

Posts / Examples

Don’t Drop the SOAP: Real World Web Service Testing

https://media.blackhat.com/bh-us-11/Johnson/BH_US_11_JohnsonEstonAbraham_Dont_Drop_the_SOAP_WP.pdf

SQL Injection

Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper

Keywords: SQLi, sqlmap

https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/

SQL Injection on sctrack.email.uber.com.cn

https://hackerone.com/reports/150156

SSRF

Information

Server Side Request Forgery Vulnerability

Keywords: SSRF

http://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/

SSRF tips

Keywords: SSRF, tips, cheatsheet

http://blog.safebuff.com/2016/07/03/SSRF-Tips/

SSRF (Server Side Request Forgery) testing resources

Keywords: SSRF, tips, cheatsheet

https://github.com/cujanovic/SSRF-Testing

SSRF Injection (PayloadsAllTheThings)

Keywords: SSRF, tips, cheatsheet, bypass

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SSRF%20injection

Posts / Examples

On “Open Redirect” [1]

SSRF, Memcached and other key-value injections in the wild

Keywords: SSRF, memcached

https://medium.com/@d0znpp/ssrf-memcached-and-other-key-value-injections-in-the-wild-c8d223bd856f

Escalating XSS in PhantomJS Image Rendering to SSRF/Local-File Read

Keywords: SSRF, PhantomJS

https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/

SSRF and local file disclosure in https://wordpress.com/media/videos/ via FFmpeg HLS processing

Keywords: SSRF, FFmpeg

https://hackerone.com/reports/237381

https://hackerone.com/reports/115857 (On Imgur)

SVG Server Side Request Forgery (SSRF)

Keywords: SSRF, SVG

https://hackerone.com/reports/223203

Stored XSS, and SSRF in Google using the Dataset Publishing Language

Keywords: SSRF, XSS, Google, DSPL

https://s1gnalcha0s.github.io/dspl/2018/03/07/Stored-XSS-and-SSRF-Google.html

SSRF in Exchange leads to ROOT access in all instances

Keywords: SSRF, Google Cloud, Kubernetes

https://hackerone.com/reports/341876

Tips

“If the vulnerable server is using cURL to make HTTP requests, it’s possible to use the dict URL schema to make requests to any host on any port and send custom data.

The URL dict://localhost:11211/stat will cause the server to connect to localhost on port 11211 and send the string “stat”. Port 11211 is the default port used by Memcached.”

Subdomain takeover / domain takeover

Information

Posts / Examples

Mailgun misconfiguration leads to email snooping and postmaster@-access

Keywords: takeover, email

https://hackerone.com/reports/174983

Authentication bypass via subdomain takeover

Keywords: takeover, authentication bypass, sso

https://hackerone.com/reports/172137

Tools

UPnP

Information

“research of security risks that exist in UPnP implementations”

http://www.upnp-hacks.org/upnp.html

Posts / Examples

Sending a video content to a DLNA/UPnP software/device using curl

http://www.accella.net/knowledgebase/sending-a-video-content-to-a-dlnaupnp-softwaredevice-using-curl/

Adventures in UPnP with cURL and netcat

https://coolaj86.com/articles/adventures-in-upnp-with-curl-and-netcat/

Tools

WAF

Information

Web Application Firewall (WAF) Evasion Techniques (I & II)

Keywords: WAF, bypass

https://medium.com/secjuice/waf-evasion-techniques-718026d693d8

https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0

Posts / Examples

Tools

Websockets

Information

Stream Updates with Server-Sent Events

Keywords: Websockets, long polling, Server-Sent Events, SSEs

https://www.html5rocks.com/en/tutorials/eventsource/basics/

How Cross-Site WebSocket Hijacking could lead to full Session Compromise

https://www.notsosecure.com/how-cross-site-websocket-hijacking-could-lead-to-full-session-compromise/

Posts / Examples

One Weird Kernel Trick - Hijacking the IPython Notebook’s WebSockets

Keywords: Websockets, CORS

http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython/

Web services

Information

“Flaws of today's web service standards and implementations in regard to web service security”

http://ws-attacks.org/Welcome_to_WS-Attacks

Posts / Examples

Tools

Windows - Penetration testing

RDP hijacking — how to hijack RDS and RemoteApp sessions transparently to move through an organisation

Keywords: RDP

https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6

Tools

Slui File Handler Hijack UAC Bypass Local Privilege Escalation

Keywords: Windows privilege escalation, UAC bypass

https://github.com/bytecode-77/slui-file-handler-hijack-privilege-escalation

Windows - exploiting

Information

Injecting code into remote process

http://www.tuxmealux.net/2015/03/10/code-injection/

Posts / Examples

Tools

XSS / Javascript-fu

Information

What can be really done with Cross-site Scripting

Keywords: XSS, Brutelogic, tips

https://docs.google.com/presentation/d/1v3Me8IWDuvSb1k96UB5RNyXE-hLHk0i6cf5MDJMaxuY/

Bypassing Signature-Based XSS Filters: Modifying Script Code

Keywords: WAF, bypass, XSS

https://support.portswigger.net/customer/en/portal/articles/2590820-bypassing-signature-based-xss-filters-modifying-script-code

ECMAScript 6 for Penetration Testers

Keywords: ECMAscript, Javascript, XSS

https://cure53.de/es6-for-penetration-testers.pdf

Bypass any WAF for XSS easily

Keywords: WAF, Javascript, XSS

https://teamultimate.in/bypass-waf-xss-easily/

Universal Cross-site Scripting DB [+ other browser vulnerabilities]

Keywords: data uri, Javascript, XSS

https://github.com/Metnew/uxss-db

XSS without HTML: Client-Side Template Injection with AngularJS

Keywords: Angular, template

http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html

Posts / Examples

“Another vulnerability in Facebook”

https://habrahabr.ru/company/pt/blog/247709/

XSS via a spoofed React element

Keywords: XSS, React

http://danlec.com/blog/xss-via-a-spoofed-react-element

https://hackerone.com/reports/49652

7500$ worth DOM XSS in Facebook Mobile Site

Keywords: XSS

https://medium.com/@johnssimon_6607/7500-worth-dom-xss-in-facebook-mobile-site-144351f00b6c

Stored XSS on Facebook

Keywords: XSS

https://opnsec.com/2018/03/stored-xss-on-facebook/

AngularJS - Escaping the Expression Sandbox for XSS

Keywords: Angular, XSS

https://spring.io/blog/2016/01/28/angularjs-escaping-the-expression-sandbox-for-xss

Persistent DOM-based XSS in https://help.twitter.com via localStorage

Keywords: Twitter, localStorage, DOM

https://hackerone.com/reports/297968

DOM XSS – auth.uber.com

Keywords: open redirect, dom xss, data uri

https://stamone-bug-bounty.blogspot.com/2017/10/dom-xss-auth_14.html

Tools / Tips / Bypasses

Bypassing filters / Breaking context

Keywords: XSS bypass, XSS

['alert\x281\x29'].map(eval)

['aler','t(1)'].join('').replace(/.*/,eval)

alert`1`

<svg%0Ao%00nload=%09((pro\u006dpt))()//

-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>

<x oncut=y=prompt,y``>z

<a id="link" href="javascript://:%0aalert(1)">test</a>

Exploiting CSRF

Keywords: XSS, CSRF

<img src="x" onerror="$.post('${DOMAIN}.com', {params});">

XXE / XML attacks

Information

XXE Cheatsheet

Keywords: XXE, Cheatsheet

https://web-in-security.blogspot.co.uk/2016/03/xxe-cheat-sheet.html

XXE payloads

Keywords: XXE, payloads, injection

https://gist.github.com/staaldraad/01415b990939494879b4

Exploitation: XML External Entity (XXE) Injection

Keywords: XXE

https://depthsecurity.com/blog/exploitation-xml-external-entity-xxe-injection

XXE: How to become a Jedi

Keywords: XXE

https://www.slideshare.net/ssuserf09cba/xxe-how-to-become-a-jedi

Hunting in the Dark - Blind XXE

Keywords: XXE, blind

https://blog.zsec.uk/blind-xxe-learning/amp/

Playing with Content-Type – XXE on JSON Endpoints

Keywords: XXE, json, content-type

https://blog.netspi.com/playing-content-type-xxe-json-endpoints/

XML Vulnerabilities and Attacks cheatsheet

Keywords: XXE, Cheatsheet

https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870

Posts / Examples

XML External Entity Injection in Jive-n (CVE-2018-5758)

Keywords: XXE, Word, DTD

https://rhinosecuritylabs.com/research/xml-external-entity-injection-xxe-cve-2018-5758/


Cheatsheets (to be cleaned)

All in one References / Full blogs/sites

http://pwnwiki.io/#!index.md

https://jivoi.github.io/2015/07/01/pentest-tips-and-tricks/

https://philippeharewood.com/

OSCP Reviews

http://www.abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob.html

https://www.securitysift.com/offsec-pwb-oscp/

Enumeration Cheatsheet

https://highon.coffee/blog/nmap-cheat-sheet/

https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/

http://www.0daysecurity.com/penetration-testing/enumeration.html

Privilege Escalation

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

https://github.com/rebootuser/LinEnum

https://www.securitysift.com/download/linuxprivchecker.py

https://github.com/PenturaLabs/Linux_Exploit_Suggester

https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/

https://www.youtube.com/watch?v=kMG8IsCohHA

http://www.fuzzysecurity.com/tutorials/16.html

https://toshellandback.com/2015/11/24/ms-priv-esc/

https://github.com/51x/WHP

https://isc.sans.edu/diary/Windows+Command-Line+Kung+Fu+with+WMIC/1229

Abusing SUDO (Linux Privilege Escalation)

http://touhidshaikh.com/blog/?p=790

Reverse Shell Cheatsheet

https://www.phillips321.co.uk/2012/02/05/reverse-shell-cheat-sheet/

https://highon.coffee/blog/reverse-shell-cheat-sheet/

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Get TTY shell

https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

https://netsec.ws/?p=337

Buffer Overflow

https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

http://netsec.ws/?p=180

Msfvenom Cheatsheet

http://security-geek.in/2016/09/07/msfvenom-cheat-sheet/

Porting Metasploit Exploits

https://netsec.ws/?p=262

Port forwarding & Pivoting

https://artkond.com/2017/03/23/pivoting-guide/

http://atropineal.com/2016/11/18/pivoting-with-ssh-and-proxychains/

http://netsec.ws/?p=278

Client-Side Attacks

https://www.offensive-security.com/metasploit-unleashed/client-side-exploits/

Practice

https://www.hackthebox.eu/

https://www.vulnhub.com/

https://exploit-exercises.com/

https://shellterlabs.com/en/